Sophos Central Endpoint and SEC: Computers fail/hang on boot after the Microsoft Windows April 9, 2019 update. Please follow knowledge base article 133945
Learn about the Benefits of Multi-Factor Authentication (MFA). Turn your MFA on now!
We'd love to hear about it! Click here to go to the product suggestion community
I just took over support of a SG230 running firmware 9.308-16. It's been up and running for a couple of years and when I had Up2Date set to auto WebAdmin showed 29 updates ready to install; however, the Up2Date log indicated that there was not enough space to proceed. The device has also been dismally slow with generating and sending out reports. I see that the downloaded GPG packages are downloaded to /var/upd2date/sys but unfortunately that is within the root partition of only 5GB. There will never be enough free space to download all 29 updates. I did delete all those packages and got back to 48% free on the root partition.
My question is ... Do I have to download each one of those updates in succession and install them one at a time, manually, or can I jump to the end of each major version. For example: can I just grab the latest 9.3xx and install that then jump to the latest 9.4xx and installed that.
I only have a 2 hour window for doing the maintenance on this device so downloading each manually, installing, and rebooting 29 times seems like a lot of effort.
Up2Date failed: Not enough free space for '/var/up2date/sys'. Required space: 362737 KB Available space: 283548 KB; inodes: 309683
As the Sophos UTM packages are incremental you can't skip any update. You have to follow the correct order.
Depending of the space you can do a couple of updates, so a batch of 5 or 10.
An other way could be install the complete system from an iso in an up to date version and restore a backup of your settings. But from my perspective I would prefer the updates in several batches, because of less chances to roll back if you do a complete reinstall of the appliance and anything doesn't work.
Do you have a HA Cluster or single system?
In reply to Alexander Busch:
It's a single standalone appliance. No HA. If I were to do this in batches how would I implement that. Seems I would still need to download each from the FTP site and manually load them. I suppose I could download them all and then only SCP maybe 10 at a time to /var/up2date/sys but then I'm not sure how to start the upgrade process.
In reply to Kipland Iles:
Yes unfortunate you had to do this manually. HA would be nice in that case ;-)
The steps should be
1. Shell into the firewall and navigate to /var/up2date/sys -> cd /var/up2date/sys
2. wget the patch file (.tgz.gpg extension) -> wget
Or SCP the batch of 10 updates
3. Invoke auisys.plx with the –showdesc paramater -> auisys.plx --showdesc
4. Install the update. -> cc system_up2date system_update
Alternatively you can go into the web interface and schedule the install from there.
Thanks much. Was just reading that article. Hopefully, I can complete this is my 2 hour window. I manage 3 other Sophos UTM 9s and I stay on top of the updates. I had about a dozen to do on another that was ignored too long but it worked out just fine. It appears I had just enough space to download 28 of the 29 but then no space to unpack and install them. I really appreciate the timely response. You beat Sophos Support by days I'm sure.
I keep my fingers crossed for you. The quick response is the positive aspect of sitting at home with one foot broke.
If you do the up2date through the GUI you can install them one at a time until you have sufficient disk space then initiate the update to the latest.
Turn off auto check for nee packages until you have completed the updating so you don't keep filling your partition.
In reply to rfcat_vk:
Thanks for that. Thinking that would reboot after each update but I suppose I don't have to reboot. So you are saying maybe do the 1st ten manually via the GUI, reboot, then turn on auto, let the appliance download the rest, and then I should be able to go back to Up2Date GUI and update to latest with only one final reboot.
Ok - just did a small dry run on this and used wget to download to /var/up2date/sys. I then ran auisys.plx --showdesc.
I see that I must be very careful with which patch I download. If I download u2d-sys-9.308016-309003.tgz.gpg then I assume that means 9.308-16 to 9.309-3? I bring this up because I first mistakenly downloaded u2d-sys-9.309003-310011.tgz.gpg thinking I was getting 9.309-3 but when I refreshed the GUI it said 9.310-11. The live Up2Date log said "unpacking up2date package version: 9.310011". Looks like I would have missed 9.309.3 and that might have been bad.
What is still not clear is the reboot. From the GUI after downloading the "correct" next patch and running auisys.plx --showdesc I see ...
Should I click Update to latest version now or Install. Would either option NOT require a reboot. Would a reboot be required before installing another? I don't do this often but I seem to remember when there are a number of patches to install and I go through the GUI either manually or using Schedule it installs all of the patches and reboots at the end.
Usually a reboot is required after each update, but not always.
Also, if you skip an update the next one might not install, might unpack then run its checks then do nothing. You would have to check the logs to see the result.
It's not intuitively obvious looking at the files at ftp.astaro.com/pub/UTM/v9/up2date the exact order that these should be downloaded.
For example: ftp.astaro.com/pub/UTM/v9/up2date/u2d-sys-9.311003-312008.tgz.gpg was updated on 6/2/15 but then ftp.astaro.com/pub/UTM/v9/up2date/u2d-sys-9.312005-312006.tgz.gpg was released on 5/13/15 and is next in order. This worries me a bit so I tried a work around and just clicked the Check for Up2Date Packages Now and let the system download them until it quit (ran out of disk space). I then deleted everything from 9.4 up and ran auisys.plx --showdesc. This resulted in all of the 9.3 patches showing up at Up2Date in the GUI. I still have about 25% free disk in root. I'm thinking I can now click the Update to Latest Version Now button and install those and reboot. I should the have the space for the 9.4 updates.
don't worry about the dates, just name order.
I was successful installing all 29 patches. I accomplished this in two rounds as described above (9.3x first then all 9.4x second). I had a single reboot after all 9.3 installed and one more reboot after all 9.4. After the final reboot everything was up and functional and the appliance was running with much less CPU and Memory consumption (had not been rebooted in over two years, though).
I also had Sophos Support come in remotely to check my process and available disk space. They looked at the pending updates listed in the Web Interface and the available disk space via the SSH console and agreed that I should be able to follow this process and complete the updates.
I appreciate all the help offered by this community which led me in the right direction and helped to ease my anxiety. I only had one chance to get this right and I had a lot of other tasks to complete in my maintenance window besides updating the Sophos. Thank you all.
Hi, Kipland, and welcome to the UTM Community!
Thanks for coming back and closing the loop for others that need the info in your thread.
Clear problem explanation and a thoughtful application of the suggestions made - a great, first thread. That got you help from two guys that know a lot about the UTM.
Cheers - Bob
In reply to BAlfson:
BAlfsonThanks for coming back and closing the loop for others that need the info in your thread.
After being in IT for 35 years now I appreciate the value that these forums add. I could not continue my career choice without them. In the old days we had no forum except for a few private BBS boards and lots of vendor supplied documentation since everything was turnkey. I like that we can now help each other. Appreciate the Kudos.
I upgraded 8 versions from early 9.4xx up to 9.507-1. I didn't go to the latest or the second latest due to unresolved bugs I've read about on some other forum posts. Since I wasn't sure if i could just click on install next to 9.507-1 or if i had to manually install each patch until i got to 9.507-1, i decided to install them one by one to ensure none of them were missed. I found that by installing them one by one the appliance rebooted itself after each individual patch was installed. I didn't get to do a single reboot after doing all 9.4xx like OP describes.