Deep Dive into the NEW ZFS Boot Environments feature in pfSense Plus v24.03!

Captions
Hello, Christian McDonald here from the pfSense software development team here at Netgate. Powerful new capabilities to system startup and system update are coming in the next release of pfSense Plus, version 24.03. These new capabilities to ZFS boot environments will make the update process much faster and more reliable. Now you can be at ease knowing that your network is functioning and secure, even during the update process.

But first, let's talk a little bit about pfSense Plus. pfSense is the world's most trusted open-source firewall, router and VPN solution for network edge and cloud environments. With over 10 million installations across all seven continents, pfSense can serve deployments ranging from the smallest home labs to the largest federal governments. pfSense Plus offers top-of-the-line security at 20 to 30% lower total cost of ownership when compared to more traditional networking solutions, all while offering premium functionality for businesses looking to keep their network secure no matter the circumstances. With over two decades of continued development and all-holiday 24/7 global support, pfSense Plus offers security and peace of mind when it comes to your network.

Now let's take a look at the new ZFS boot environment capabilities coming in pfSense Plus version 24.03. Until 24.03, pfSense software was updated by first downloading and caching all packages needed for the update while the system had WAN connectivity; then these packages were installed during the first reboot. Now, this approach is generally more reliable, as the system is updated before services are ever started. However, a major drawback is that this process is slow, particularly on lower-end hardware such as the Netgate 1100 and 2100. In this process, expensive disk operations of package extraction and installation were deferred to the first reboot, which meant that the system must remain offline for a significant period of time, much longer than it would be otherwise during a normal system reboot. This leaves your network offline during the update process, which means no traffic is being routed through your network, an inconvenience for administrators who have to schedule updates long after hours during quiet time.

Previously in pfSense Plus, a system update simply could not be performed without also subsequently performing a system update. With the new ZFS boot environments capabilities in pfSense Plus version 24.03, administrators can now update the system and then reboot at a time that's more convenient for them. Now, this is an opt-in feature that administrators can utilize if they prefer to have more flexibility when updating their pfSense Plus system.

In version 24.03, we are harnessing the power of our past work to integrate the ZFS file system and boot environments in pfSense Plus. Now, this new approach to system update can be performed in three easy steps. First, we create and mount a clone of the currently running boot environment, leaving the current boot environment untouched. Next, we direct the package manager to update the packages in this offline cloned boot environment. If the update was successful, we mark this cloned boot environment as being a temporary boot environment that pfSense will boot into only once during the next reboot. And finally, we reboot the system. It's important to note that all of this is taking place while the system is online and still serving clients. Not only are you getting the latest and greatest version of pfSense Plus software, but your network remains stable and secure while updating, with minimal downtime.

If the update fails, the system will automatically choose the next best boot environment and reboot into that working environment. A boot verification mechanism is now implemented at system startup which automates this fallback and recovery of the system in the event of boot failure. This mechanism is utilized every time the system boots. When the system startup procedure is executed, a watchdog timer is started that simply reboots the system after a fixed period of time. A significant portion of the failures that we see in the field are the result of the system hanging during startup. Now, if the system hangs for any reason, the system will automatically choose the next best boot environment and try again, all without any user intervention. This process can continue automatically until all available boot environments have been checked.

Administrators can also opt in to manually verify boot environments. This allows the administrator to protect their network from a myriad of issues. For example, let's say an administrator makes a change that breaks the system, like entering a wrong setting. The system will start and will automatically verify the boot environment. However, if the administrator has opted in to manually verify the boot environment, the system will not automatically verify the boot environment, but instead start a timer that simply waits for the administrator to log in to manually verify the boot environment. If the administrator does not log in before the timer reaches zero, the system will automatically reboot and choose the next best boot environment. Once pfSense Plus has successfully reached the end of the startup procedure, this temporary boot environment is marked as verified and permanently activated, thus making it the true next boot environment moving forward. However, if the system fails to start, the system falls back to the previous functional boot environment.

Now let's take a look at how this all works in real time. Here you can see two boot environments: one is a good boot environment and the other is a bad boot environment. Now, both boot environments are nearly identical, but the bad environment has a bug in the pfSense startup procedure that renders it nonfunctional. So let's watch as the system attempts to boot into this bad boot environment. The system has detected the boot failure and notifies the administrator with a summary of the failed boot environment and the boot environment it will try next. Now, the administrator also has the option to break into a recovery shell if they're interested in manually overwriting this selection process or analyzing the reason for the failure. After 60 seconds with no user interaction, the system will automatically reboot and try the next boot environment. Additionally, you can expedite this process by pressing any key to reboot the system immediately.

Now that the system has booted back into the good boot environment, let's log in and take a look at the boot environments interface in pfSense Plus. You can see that we're back into the good boot environment and everything seems to be functioning as it should. However, the bad boot environment has been marked that it has failed boot verification and can now be deleted.

Keeping all of this in mind, there are a few best practices to consider when using ZFS boot environments in pfSense Plus. Administrators that are managing pfSense Plus systems should have several viable backup boot environments for the system to fall back to in the event of boot failure. You can think of this as like an insurance policy to keep your system safe, up and running, even when failures do occur. It is now possible to lock specific boot environments, protecting them from accidental deletion. If the administrator chooses to opt into this feature, it provides an easy way to maintain the system's boot environments without the anxiety of potentially losing a functional preferred environment due to accidental deletion.

Other improvements have also been added to pfSense Plus software version 24.03. To start, configuration history can now be compared, restored and downloaded from offline boot environments without the need to boot into a different boot environment completely. In previous versions of pfSense Plus, configuration files could only be accessed from the current environment. This new capability increases visibility and insight into different configurations. And finally, administrators are now able to batch delete boot environments and configuration files, so gone are the days of tedious individual clicks to clear out old data, saving admin time and headache.

Well, that about covers it for this deep dive into ZFS boot environments in pfSense Plus software version 24.03. Now you can rest assured knowing that your network is secure while having the flexibility to create and manage multiple boot environments. If pfSense Plus sounds like the right fit for your networking security needs, make sure to check out the link in the video description to learn more. You can also reach out to our sales team directly at sales@netgate.com if you'd like a more human experience. The pricing for pfSense Plus starts at just $29 per year for white boxes and 1 cent per hour in the cloud. pfSense Plus is also included with the purchase of Netgate appliances, starting with the Netgate 1100, which costs $189. There are no hidden fees for throughput, seat or connection capacity; you get the complete system at sticker price. As for support, our world-class Technical Assistance Center, or TAC, is here to help should any issues arise. Netgate takes customer service very seriously and fully staffs TAC 24/7/365, rain or shine, holidays included.

Thanks for tuning in with me today to learn more about the new ZFS boot environments capabilities coming in pfSense Plus version 24.03. Make sure to like and subscribe for more news, updates and guides from Netgate. I'm Christian, and I'll see you next time.
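
The three update steps described in the captions above, sketched with stock FreeBSD `bectl` and `pkg` as an added example; this is not Netgate's updater code and not part of the video. The boot environment name and mount point are hypothetical, and `DRY_RUN` defaults to printing the commands instead of running them.

```shell
#!/bin/sh
# Added example: generic FreeBSD bectl/pkg sequence, not pfSense's own updater.
# DRY_RUN defaults to 1: commands are printed, nothing on the system changes.
: "${DRY_RUN:=1}"

run() {
    # Print the command in dry-run mode, execute it otherwise.
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# discard_clone BE: throw away a clone whose update failed.
discard_clone() {
    run bectl umount "$1"
    run bectl destroy "$1"
}

# update_in_clone BE [MOUNTPOINT]: BE and MOUNTPOINT are hypothetical names.
update_in_clone() {
    new_be=$1
    mnt=${2:-/tmp/be_update}

    # Step 1: clone the running boot environment and mount the clone.
    run bectl create "$new_be" || return 1
    run mkdir -p "$mnt" || return 1
    run bectl mount "$new_be" "$mnt" || { run bectl destroy "$new_be"; return 1; }

    # Step 2: upgrade packages inside the offline clone only.
    if ! run pkg -c "$mnt" upgrade -y; then
        discard_clone "$new_be"   # the running environment was never touched
        return 1
    fi

    # Step 3: boot the clone once; a failed boot falls back to the old default.
    run bectl umount "$new_be" || return 1
    run bectl activate -t "$new_be" || return 1
    echo "reboot when convenient to enter $new_be"
}
```

Because the clone is only activated with `-t` after the package step succeeds, a failed upgrade leaves the default boot environment unchanged and nothing to roll back.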
Info
Channel: Netgate
Views: 1,383
Keywords: netgate, pfsense, update, oss, opensource, router, firewall, VPN, TNSR, Computer Networking, NAT, bridging, vlan, multi wan, virtual private networks, virtual LAN, OpenVPN, WireGuard, IPSec, Traffic Shaping, Network Address Translation, Edge to Cloud, Zero Trust, ZTNA, Zero Trust Networking, QAT, DHCP Server, DNS Server, Access Control Lists, BGP, FRR, Dynamic Routing, VRRP, High Availability, High Speed Routing, BFD, NETCONF, RESTCONF, OSPF, Kea, vRouter, Secure Networking, IPv4, IPv6, NGFW
Id: LKtE0zxnF4I
Length: 9min 33sec (573 seconds)
Published: Mon May 13 2024