Cannot install 11.0-RELEASE from freebsd-update-build

Hi all,

I am setting up an internal build/poudriere server for use on our data centre network. We are using Colin Percival's freebsd-update-build package.

I have successfully performed, approved and staged builds of 11.0-RELEASE-p15 and 11.1-RELEASE-p6 (as per instructions here: https://www.freebsd.org/doc/en_US.ISO8859-1/articles/freebsd-update-server/index.html).

However, I'm having problems when I try to update/upgrade clients. The client is currently running 11.0-RELEASE-p1. The first step of upgrading is to perform a "freebsd-update fetch".

This errors (slightly redacted):

Code:
root@clientname:/var/log # freebsd-update fetch
src component not installed, skipped
Looking up servername.domain mirrors... none found.
Fetching metadata signature for 11.0-RELEASE from servername.domain... done.
Fetching metadata index... done.

The update metadata is correctly signed, but
failed an integrity check.
Cowardly refusing to proceed any further.

When I dig into the actual failure, the sanity check is falling over on this line of the index file:

Code:
kernel|generic|/|d|0|0|0755|0|9d9f290527a6be626a8f5985b26e19b237b44872b03631811df4416fc1713178|

Being a directory (|d|) this should not have a hash (at least according to the regexes used in /usr/sbin/freebsd-update). In fact this directory appears twice in the index:

Code:
root@clientname:/var/db/freebsd-update/files # cat 9229b2af3766e954de14acdba2ab88d425c5ddab65b4692850e31f9bfe8c05c2 | grep "kernel|generic|/|"
kernel|generic|/|d|0|0|0755|0|9d9f290527a6be626a8f5985b26e19b237b44872b03631811df4416fc1713178|
kernel|generic|/|d|0|0|0755|4000||

Can anyone help me with why this entry is appearing in the index? I don't have the same problem in the index for 11.1-RELEASE, but then I can't upgrade to that without patching 11.0 up-to-date first... Has anyone met this issue before? The issue also doesn't appear in the index file on update.freebsd.org.

I assume a work-around (assuming I don't want to maintain 11.0 going forward) is just to remove this line from the index, re-hash it and update the index list accordingly, however I don't want to start making changes like this without knowing where the problem originates from.

Thanks in advance!

Laurence
 
Upgrade to 11.1, 11.0 is end-of-life since November 2017 and not supported anymore.
 
Hi SirDice,

That's exactly what I'm trying to achieve. However the first step of upgrading (as per https://www.freebsd.org/releases/11.1R/installation.html) is to perform the above fetch.

On an aside, if I try to skip this step and go straight to

freebsd-update upgrade -r 11.1-RELEASE

It still downloads and parses the same metadata. I haven't looked into that part of the freebsd-update script, but I am assuming that it performs the same steps as recommended in the linked guide as part of the upgrade process.
 
To be honest I have no idea how that script works. I would guess there's something wrong or the upgrade isn't recorded correctly. I don't see much sense in building the deltas myself. For my own situation I've set up a caching proxy for freebsd-update(8) data, much easier to set up and you always get the official updates. The caching makes sure I only have to download updates once.
 
I have resolved this myself. In case it helps anyone, here's the solution I used. I can't vouch for its safety/completeness as a solution but it did allow me to successfully update to the latest patch of 11.0, and then to 11.1:

1) Identify the offending line by manually running the greps that perform the sanity check in /usr/sbin/freebsd-update (file and line as noted above)
2) Run gzip -d on /usr/local/freebsd-update/pub/11.0-RELEASE/amd64/m/<filename>.gz and edit/remove the offending line. In my case based on similar entries I simply decided to remove the hash from the line.
3) sha256 <filename>, and rename the file to match the new hash.
4) gzip <new_filename>
5) This file will be referenced in an index file. To trace this through:
openssl rsautl -in latest.ssl -pubin -out latest
Then find the file named in latest. In my case I found it in the "t" folder (I assume that's the usual place for it).
6) unzip and edit. Find the reference to the original filename that you edited in Step #2 and replace with the new hash from Step #3
7) Repeat step 3 on this new file
8) edit latest and update to point to the new filename, then gzip again.
9) openssl rsautl -sign -in latest -inkey <your repo's private key*> -out latest.ssl.new
Remove/move the original latest.ssl and latest files and rename latest.ssl.new to latest.ssl

* If you're using the vanilla freebsd-update-server then you'll need to use the mountkey.sh script to access the private key.

SirDice - thanks for your advice. I'm certainly considering moving to a mirror!
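
An added example, not part of the original posts and not code from freebsd-update or freebsd-update-server: a POSIX sh audit of a decompressed metadata index for the two symptoms described in the first post and in step 1 of the solution, namely a directory entry that carries a hash and the same entry listed twice. The field positions (type in field 4, hash in field 9) are assumed from the sample lines quoted in the thread, the function names are hypothetical, and the file entry in the sample data is constructed.

```shell
#!/bin/sh
# Audit a decompressed freebsd-update metadata index before it is signed and published.
# Assumed layout, taken from the lines quoted in this thread:
#   1 component | 2 subcomponent | 3 path | 4 type | 5-8 attributes | 9 hash | ...

# Print "lineno:line" for every directory entry (type d) whose hash field is not empty.
dir_entries_with_hash() {
    awk -F'|' '$4 == "d" && $9 != "" { print NR ":" $0 }' "$1"
}

# Print "count key" for every component|subcomponent|path listed more than once.
duplicate_entries() {
    awk -F'|' '{ k = $1 "|" $2 "|" $3; n[k]++ }
        END { for (k in n) if (n[k] > 1) print n[k] " " k }' "$1" | sort
}

# Report findings; exit status 0 means clean, 1 means at least one finding.
audit_index() {
    bad=$(dir_entries_with_hash "$1")
    dup=$(duplicate_entries "$1")
    [ -z "$bad" ] || printf 'directory entry with a hash:\n%s\n' "$bad"
    [ -z "$dup" ] || printf 'entries listed more than once:\n%s\n' "$dup"
    [ -z "$bad" ] && [ -z "$dup" ]
}

# Write a small sample index. The two directory lines are the ones quoted in the
# thread; the file line (including its all-"a" hash) is constructed for illustration.
make_sample_index() {
    cat > "$1" <<'EOF'
kernel|generic|/boot/kernel/kernel|f|0|0|0555|0|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|
kernel|generic|/|d|0|0|0755|0|9d9f290527a6be626a8f5985b26e19b237b44872b03631811df4416fc1713178|
kernel|generic|/|d|0|0|0755|4000||
EOF
}

# Usage: sh audit_index.sh <decompressed index file>
[ $# -eq 0 ] || audit_index "$1"
```

Running it against each staged index before the signing step catches this class of entry on the build server instead of on the client.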
 