
I run OPNsense as well as a few Linux systems with Webmin.

Webmin has an option to check for updates periodically and install them automatically (iirc this can be done for all updates, or just for the security-relevant ones). This ensures that the system is always up to date, or at least has all security fixes installed.

OPNsense, on the other hand, does not seem to have an option for that (correct me if I am wrong). However, if checking for updates and installing them can be done via the command line and without user input, it should be possible to run that as a cron job.

What command would I need to run for that? (Or is there an easier way?)

Btw, for a discussion of the pros and cons of automation, see https://security.stackexchange.com/q/183173/49551.

user149408
  • As per the OPNsense forum, the command seems to be `opnsense-update`. However, if the system is up to date, it just prints `Nothing to do`, so I’ll have to wait for the next updates. There usually is one every 3 weeks or so, the last one was 12 days ago. https://github.com/opnsense/update has some information on the update tools bundled with OPNsense. – user149408 Apr 05 '22 at 13:49
  • Today a new update became available. `opnsense-update` claims there is nothing to do, whereas the update check in the web UI finds new packages to install. Even after that check (without actually installing the packages), `opnsense-update` still finds nothing. The man page also provides no hints to any command line options I might have missed. – user149408 Apr 07 '22 at 18:09

1 Answer


TL;DR:

/usr/local/opnsense/scripts/firmware/update.sh will update to the latest available firmware. In order to also update the change log in the web GUI, also run /usr/local/opnsense/scripts/firmware/check.sh.

Full answer and background:

  • opnsense-update is, as per its documentation, the tool to update OPNsense. When invoked without command line option, it just reports Nothing to do, but it is used by several of the scripts mentioned below.
  • Actions which can be triggered from the GUI are stored in configd templates, which reside in /usr/local/opnsense/service/conf/actions.d/. The template for firmware updates is actions_firmware.conf.
  • actions_firmware.conf has a few actions which look related to firmware upgrades. All of them seem to run a wrapper script which ultimately runs another script in /usr/local/opnsense/scripts/firmware/$COMMAND.sh.
  • Of these commands, update and upgrade seem to run a firmware update/upgrade, respectively (according to their description in the configd template). These terms seem to be used much like in apt on Linux: update checks what new versions are available, upgrade installs them. However, either action (potentially, not necessarily) reboots the system.
  • Checking for new versions seems to run /usr/local/opnsense/scripts/firmware/check.sh. The script checks for new versions (and updates the change log in the Web GUI) but does not install them. It always reports success, whether or not the check was successful, and whether or not new versions are available.
  • When updates are available, choosing to install them from the GUI seems to run /usr/local/opnsense/scripts/firmware/update.sh. This script checks for new updates and installs the latest one, if updates are available. When running on the latest version, this script will simply generate some output but not change anything. Running update.sh without previously running check.sh will update the system but not the change log in the web GUI.

Therefore, based on my research, the command seems to be:

/usr/local/opnsense/scripts/firmware/update.sh

Running that via a cron job once every 24 hours should keep you up to date.

For a mature script, I would additionally suggest:

  • Also run check.sh before or after, so the change log in the web GUI is kept up to date as well.
  • Redirect output of at least update.sh (maybe also check.sh) to a file or other persistent storage so you can verify if the update was successful, and have a starting point for hunting down errors if not.
user149408
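A cron-driven wrapper for the recipe in this answer (run check.sh, then update.sh, keep the output somewhere persistent), added here as an example; it is not the asker's or OPNsense's own code. It assumes the two script paths named above and a made-up log path /var/log/opnsense-auto-update.log; both can be overridden from the environment.

```shell
#!/bin/sh
# Added example: unattended OPNsense update runner following the answer's
# recipe: run check.sh (keeps the web GUI change log current), then
# update.sh, and keep the output of both in a persistent log.
# Assumptions: the default log path is made up for this example; both
# variables can be overridden from the environment or the crontab line.
FIRMWARE_DIR="${FIRMWARE_DIR:-/usr/local/opnsense/scripts/firmware}"
LOG_FILE="${LOG_FILE:-/var/log/opnsense-auto-update.log}"

# log MESSAGE...: append one timestamped line to the persistent log.
log() {
    printf '%s %s\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$*" >> "$LOG_FILE"
}

# run_step NAME: run $FIRMWARE_DIR/NAME.sh with stdout and stderr appended
# to the log, bracketed by BEGIN/END lines. Returns the script's exit
# status; 127 if the script is missing. The BEGIN line is written before
# the script starts, so a reboot triggered by update.sh still leaves a trace.
run_step() {
    name="$1"
    script="$FIRMWARE_DIR/$name.sh"
    if [ ! -x "$script" ]; then
        log "ERROR: $script missing or not executable"
        return 127
    fi
    log "BEGIN $name"
    "$script" >> "$LOG_FILE" 2>&1
    rc=$?
    log "END $name rc=$rc"
    return "$rc"
}

# auto_update: the cron entry point. check.sh always exits 0 (as noted in
# the answer), so its status is only logged; the overall result is the
# exit status of update.sh.
auto_update() {
    run_step check
    run_step update
}

# Example crontab line, once a day at 03:15 (the install path is assumed):
#   15 3 * * * /usr/local/sbin/auto-update.sh
# Only run when invoked as that script, so the file can also be sourced.
case "${0##*/}" in
    auto-update.sh) auto_update ;;
esac
```

After a run, `grep 'END update' /var/log/opnsense-auto-update.log` shows whether update.sh returned zero, and a `BEGIN update` line without a matching `END` is the signature of a reboot during the update.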