Auto-restarting engine after auto-update of sensei in OpnSense
I have numerous IT clients and just started replacing some SonicWalls with OpnSense (DEC 850).
In OpnSense 25.7.2 I have auto-updates enabled via the os-sensei-updater plugin and it works.
However, as everyone knows, after any update, the ZenArmor engine needs to be manually restarted in order to apply the update.
Because this OpnSense device isn't my own, I have to schedule with the owner to have me manually restart ZenArmor quite often after the sensei updates. I never allow WAN access to the admin login, so I either have to remote into a computer on their LAN or physically go into their office. Obviously, I remote in for the ZenArmor engine restarts.
But this is a big hassle and prone to skipping.
I strongly recommend ZenArmor provide a cron job engine restart option or other way to apply the updates automatically.
I read that ZenArmor doesn't want to do it because of risks x, y, z, but I would schedule the cron job when no one in that business is working, e.g., 3am or 4am.
What's a bigger risk, not restarting the ZenArmor engine after consecutive sensei updates or restarting the engine automatically at 3am?
ZenArmor might as well not offer the auto-update feature since it lacks the means to auto-apply it.
Imagine a computer antivirus product that updated itself regularly but never applied the updates until the user restarted the antivirus product manually.
I may have to train the very nontechnical office manager to log in to OpnSense weekly just to restart the ZenArmor engine.
It's a glaring flaw in ZenArmor's design.
Official comment
Hi John,
Thank you for your valuable feedback; it's greatly appreciated. Zenarmor does not automatically restart the engine to avoid network interruptions after an update and does not update the engine on its own. You'll need to perform updates manually and can arrange for the engine to restart post-update. Did you configure an automatic engine update via a script?
However, the Zenconsole agent and Application DB do update automatically, and essential services restart automatically as well. Zenarmor updates can be managed in the cloud by registering Zenarmor with Zenconsole, allowing for remote updates.
Please don't hesitate to reach out if you have any further questions.
Yes, I created a script to test if there's an update and restart the engine if there was. Then I added it to the GUI cron menu. Running the script manually seems to work. Via the GUI I schedule the cron job to run at 3am every day.
(1) SCRIPT (saved as /usr/local/opnsense/scripts/restart_zenarmor_if_updated.sh, made executable with chmod 755).
#!/bin/sh
# Restart the Zenarmor engine only when the installed os-sensei version differs
# from the version recorded at the last restart (comparing installed vs repo
# version never triggers once the auto-updater has already installed the update).
STATE_FILE=/var/db/zenarmor_engine_restarted_version   # path chosen for this script
INSTALLED_VERSION=$(pkg query '%v' os-sensei) || exit 1
LAST_RESTARTED_VERSION=$(cat "$STATE_FILE" 2>/dev/null)
if [ "$INSTALLED_VERSION" = "$LAST_RESTARTED_VERSION" ]; then
    echo "no restart necessary"
else
    # os-sensei was updated (or first run) so restart Zenarmor engine/service
    /usr/local/sbin/zenarmorctl engine restart || exit 1
    echo "$INSTALLED_VERSION" > "$STATE_FILE"
fi
(2) ADDED IT TO CRON JOB
Created /usr/local/opnsense/service/conf/actions.d/actions_zenrestart.conf containing these lines:
[restart]
command:/usr/local/opnsense/scripts/restart_zenarmor_if_updated.sh
parameters:
type:script
message:restart zenarmor
description:Restart Zenarmor Engine
(3) ran service configd restart
(4) went to the GUI cron and selected it from the menu and scheduled it.
NOTE: used SSH as root. After finishing, I disabled SSH and root option, deleted the keypairs from client machines and the public key from opnsense's root user and disabled root user, etc. All from the LAN.