This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Up2Date to latest package only

I just took over support of a SG230 running firmware 9.308-16. It's been up and running for a couple of years and when I had Up2Date set to auto WebAdmin showed 29 updates ready to install; however, the Up2Date log indicated that there was not enough space to proceed. The device has also been dismally slow with generating and sending out reports. I see that the downloaded GPG packages are downloaded to /var/upd2date/sys but unfortunately that is within the root partition of only 5GB. There will never be enough free space to download all 29 updates. I did delete all those packages and got back to 48% free on the root partition.

My question is ... Do I have to download each one of those updates in succession and install them one at a time, manually, or can I jump to the end of each major version. For example: can I just grab the latest 9.3xx and install that then jump to the latest 9.4xx and installed that.

I only have a 2 hour window for doing the maintenance on this device so downloading each manually, installing, and rebooting 29 times seems like a lot of effort.

Up2Date failed: Not enough free space for '/var/up2date/sys'. Required space: 362737 KB Available space: 283548 KB; inodes: 309683



This thread was automatically locked due to age.
Parents
  • As the Sophos UTM packages are incremental you can't skip any update. You have to follow the correct order.

    Depending of the space you can do a couple of updates, so a batch of 5 or 10.

    An other way could be install the complete system from an iso in an up to date version and restore a backup of your settings. But from my perspective I would prefer the updates in several batches, because of less chances to roll back if you do a complete reinstall of the appliance and anything doesn't work.

    Do you have a HA Cluster or single system?

    Best regards

    Alex

    -

  • It's a single standalone appliance. No HA. If I were to do this in batches how would I implement that. Seems I would still need to download each from the FTP site and manually load them. I suppose I could download them all and then only SCP maybe 10 at a time to /var/up2date/sys but then I'm not sure how to start the upgrade process.

  • Yes unfortunate you had to do this manually. HA would be nice in that case ;-)

    The steps should be

    1. Shell into the firewall and navigate to /var/up2date/sys -> cd /var/up2date/sys

    2. wget the patch file (.tgz.gpg extension) -> wget

    Or SCP the batch of 10 updates

    3. Invoke auisys.plx with the –showdesc paramater -> auisys.plx --showdesc

    4. Install the update. -> cc system_up2date system_update

    Alternatively you can go into the web interface and schedule the install from there.

    More info:  

    Best regards

    Alex

    -

  • Thanks much. Was just reading that article. Hopefully, I can complete this is my 2 hour window. I manage 3 other Sophos UTM 9s and I stay on top of the updates. I had about a dozen to do on another that was ignored too long but it worked out just fine. It appears I had just enough space to download 28 of the 29 but then no space to unpack and install them. I really appreciate the timely response. You beat Sophos Support by days I'm sure.

  • I keep my fingers crossed for you. The quick response is the positive aspect of sitting at home with one foot broke.

    -

  • If you do the up2date through the GUI you can install them one at a time until you have sufficient disk space then initiate the update to the latest.

    Turn off auto check for nee packages until you have completed the updating so you don't keep filling your partition.

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Thanks for that. Thinking that would reboot after each update but I suppose I don't have to reboot. So you are saying maybe do the 1st ten manually via the GUI, reboot, then turn on auto, let the appliance download the rest, and then I should be able to go back to Up2Date GUI and update to latest with only one final reboot.

  • Ok - just did a small dry run on this and used wget to download to /var/up2date/sys. I then ran auisys.plx --showdesc.

    I see that I must be very careful with which patch I download. If I download u2d-sys-9.308016-309003.tgz.gpg then I assume that means 9.308-16 to 9.309-3? I bring this up because I first mistakenly downloaded u2d-sys-9.309003-310011.tgz.gpg thinking I was getting 9.309-3 but when I refreshed the GUI it said 9.310-11. The live Up2Date log said "unpacking up2date package version: 9.310011". Looks like I would have missed 9.309.3 and that might have been bad.

    What is still not clear is the reboot. From the GUI after downloading the "correct" next patch and running auisys.plx --showdesc I see ...

    Should I click Update to latest version now or Install. Would either option NOT require a reboot. Would a reboot be required before installing another? I don't do this often but I seem to remember when there are a number of patches to install and I go through the GUI either manually or using Schedule it installs all of the patches and reboots at the end.

Reply
  • Ok - just did a small dry run on this and used wget to download to /var/up2date/sys. I then ran auisys.plx --showdesc.

    I see that I must be very careful with which patch I download. If I download u2d-sys-9.308016-309003.tgz.gpg then I assume that means 9.308-16 to 9.309-3? I bring this up because I first mistakenly downloaded u2d-sys-9.309003-310011.tgz.gpg thinking I was getting 9.309-3 but when I refreshed the GUI it said 9.310-11. The live Up2Date log said "unpacking up2date package version: 9.310011". Looks like I would have missed 9.309.3 and that might have been bad.

    What is still not clear is the reboot. From the GUI after downloading the "correct" next patch and running auisys.plx --showdesc I see ...

    Should I click Update to latest version now or Install. Would either option NOT require a reboot. Would a reboot be required before installing another? I don't do this often but I seem to remember when there are a number of patches to install and I go through the GUI either manually or using Schedule it installs all of the patches and reboots at the end.

Children
  • Usually a reboot is required after each update, but not always.

    Also, if you skip an update the next one might not install, might unpack then run its checks then do nothing. You would have to check the logs to see the result.

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • It's not intuitively obvious looking at the files at ftp.astaro.com/pub/UTM/v9/up2date the exact order that these should be downloaded.

    For example: ftp.astaro.com/pub/UTM/v9/up2date/u2d-sys-9.311003-312008.tgz.gpg was updated on 6/2/15 but then ftp.astaro.com/pub/UTM/v9/up2date/u2d-sys-9.312005-312006.tgz.gpg was released on 5/13/15 and is next in order. This worries me a bit so I tried a work around and just clicked the Check for Up2Date Packages Now and let the system download them until it quit (ran out of disk space). I then deleted everything from 9.4 up and ran auisys.plx --showdesc. This resulted in all of the 9.3 patches showing up at Up2Date in the GUI. I still have about 25% free disk in root. I'm thinking I can now click the Update to Latest Version Now button and install those and reboot. I should the have the space for the 9.4 updates.

  • Hi,

    don't worry about the dates, just name order.

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • I was successful installing all 29 patches. I accomplished this in two rounds as described above (9.3x first then all 9.4x second). I had a single reboot after all 9.3 installed and one more reboot after all 9.4. After the final reboot everything was up and functional and the appliance was running with much less CPU and Memory consumption (had not been rebooted in over two years, though).

    I also had Sophos Support come in remotely to check my process and available disk space. They looked at the pending updates listed in the Web Interface and the available disk space via the SSH console and agreed that I should be able to follow this process and complete the updates.

    I appreciate all the help offered by this community which led me in the right direction and helped to ease my anxiety. I only had one chance to get this right and I had a lot of other tasks to complete in my maintenance window besides updating the Sophos. Thank you all.

  • Hi, Kipland, and welcome to the UTM Community!

    Thanks for coming back and closing the loop for others that need the info in your thread.

    Clear problem explanation and a thoughtful application of  the suggestions made - a great, first thread.  That got you help from two guys that know a lot about the UTM.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • BAlfson said:
    Thanks for coming back and closing the loop for others that need the info in your thread.

    After being in IT for 35 years now I appreciate the value that these forums add. I could not continue my career choice without them. In the old days we had no forum except for a few private BBS boards and lots of vendor supplied documentation since everything was turnkey. I like that we can now help each other. Appreciate the Kudos.

  • I upgraded 8 versions from early 9.4xx up to 9.507-1. I didn't go to the latest or the second latest due to unresolved bugs I've read about on some other forum posts. Since I wasn't sure if i could just click on install next to 9.507-1 or if i had to manually install each patch until i got to 9.507-1, i decided to install them one by one to ensure none of them were missed. I found that by installing them one by one the appliance rebooted itself after each individual patch was installed. I didn't get to do a single reboot after doing all 9.4xx like OP describes.

  • If you only do one at a time it will reboot after each update by design. If you update to the latest my experience has been that all the updates will complete (hopefully) and then there will be one final reboot after the last update. If you did not want the last two updates you may need to remove those from the backend via ssh then update to the latest (that you currently have downloaded). I'm actually running the latest without issue on several of my Sophos UTM appliances so not aware of any bugs. 

  • You revived an old post.   Fortunately, the original problem was solved despite the bad advice given.

    Configuration files are upward compatible.   Save your configuration.   Make sure that you will be able to connect to UTM using a laptop using the factory default IP address.  Rebuild your UTM from the latest CD to an initial factory load.  Restore your configuration file.  You are done, and you do not have the baggage of all of those incremental updates.

    Learned this from Sophos Support, by necessity, when my upgrade from 9.408 to 9.506 had a fatal error during installation of one of the intermediate kits.  I was terrified, but the process was much quicker than applying each update one at a time.

    Of course, your options for doing this are limited by the ISO image versions offered by the Sophos website or that you have previously downloaded from them.