From f732662bae0d0b57ef87f3ad2a1d1dd63a77279d Mon Sep 17 00:00:00 2001 From: "Ben D." Date: Mon, 27 Apr 2026 18:54:23 -0700 Subject: [PATCH] Use pfsense native php commands --- roles/pfsense_upgrade/tasks/update_check.yml | 120 +++++++++---------- 1 file changed, 55 insertions(+), 65 deletions(-) diff --git a/roles/pfsense_upgrade/tasks/update_check.yml b/roles/pfsense_upgrade/tasks/update_check.yml index 8457ab9..c607660 100644 --- a/roles/pfsense_upgrade/tasks/update_check.yml +++ b/roles/pfsense_upgrade/tasks/update_check.yml 
@@ -1,90 +1,80 @@ --- # roles/pfsense_upgrade/tasks/update_check.yml -# Checks for available upgrades using pfSense-upgrade -c and pkg version. -# Also queries upstream for the latest stable release on this branch. +# Dynamic upgrade detection using pfSense repository system # --------------------------------------------------------------------------- -# 1. Refresh the local pkg repository metadata +# 1. Detect available repositories and identify upgrade target # --------------------------------------------------------------------------- -- name: Update pkg repository metadata - ansible.builtin.raw: sudo pkg update -f - register: _pkg_update +- name: List available pfSense repositories + ansible.builtin.raw: | + php -r 'require_once("/etc/inc/pkg-utils.inc"); $repos = pkg_list_repos(); $upgrade = ""; foreach($repos as $r) { if (!isset($r["default"])) { echo $r["name"] . "|" . $r["descr"]; break; } } echo $upgrade ?: "UP_TO_DATE";' + register: _repo_check changed_when: false - when: pkg_repo_update | bool - timeout: "{{ upgrade_check_timeout }}" - failed_when: false + +- name: Parse repository check result + ansible.builtin.set_fact: + _repo_result: "{{ _repo_check.stdout | trim }}" + _upgrade_available: "{{ _repo_check.stdout | trim != 'UP_TO_DATE' }}" + +- name: Set upgrade target repository + ansible.builtin.set_fact: + upgrade_target_repo: "{{ _repo_result.split('|')[0] }}" + upgrade_target_description: "{{ _repo_result.split('|')[1] | default('Unknown') }}" + when: _upgrade_available # --------------------------------------------------------------------------- -# 2. Run pfSense-upgrade in check-only mode +# 2. 
Get current version information # --------------------------------------------------------------------------- -- name: Run pfSense-upgrade --check (dry run) - ansible.builtin.raw: > - sudo {{ pfsense_upgrade_bin }} -d -c - register: _upgrade_check +- name: Get current pfSense version + ansible.builtin.raw: | + php -r 'require_once("/etc/inc/pkg-utils.inc"); $v = get_system_pkg_version(false); echo $v["installed_version"] ?? "Unknown";' + register: _current_version changed_when: false - timeout: "{{ upgrade_check_timeout }}" - # pfSense-upgrade exits 0 when up-to-date, non-zero when upgrade available. - # We capture both cases. - failed_when: false -- name: Parse upgrade check output +- name: Set current version fact ansible.builtin.set_fact: - upgrade_check_stdout: "{{ _upgrade_check.stdout | trim }}" - upgrade_check_rc: "{{ _upgrade_check.rc }}" - # True if the tool reports an update is available - upgrade_available: >- - {{ - _upgrade_check.rc != 0 or - 'Upgraded' in _upgrade_check.stdout or - 'update' in _upgrade_check.stdout | lower and - 'up to date' not in _upgrade_check.stdout | lower - }} - # Attempt to extract the new version string from the upgrade check output - # pfSense-upgrade typically prints: "pfSense-upgrade: New version available: 2.7.3-RELEASE" - upgrade_available_version: >- - {{ - (_upgrade_check.stdout | regex_search('(\d+\.\d+\.\d+[-a-zA-Z0-9]*)', '\1') or ['unknown']) | first - }} + pfsense_current_version: "{{ _current_version.stdout | trim }}" + upgrade_available: "{{ _upgrade_available }}" # --------------------------------------------------------------------------- -# 3. Check pkg for pending package updates (captures sub-component updates) +# 3. 
Get current repository name # --------------------------------------------------------------------------- -- name: Check for pending pkg upgrades (outdated packages) - ansible.builtin.raw: sudo pkg version -l '<' | head -40 - register: _pkg_outdated +- name: Get current default repository + ansible.builtin.raw: | + php -r 'require_once("/etc/inc/pkg-utils.inc"); foreach(pkg_list_repos() as $r) { if (isset($r["default"])) { echo $r["name"]; } }' + register: _current_repo changed_when: false - failed_when: false -- name: Count outdated packages +- name: Set current repo fact ansible.builtin.set_fact: - pkg_outdated_count: "{{ _pkg_outdated.stdout_lines | reject('match', '^\\s*$') | list | length }}" - pkg_outdated_list: "{{ _pkg_outdated.stdout | trim }}" + current_repo: "{{ _current_repo.stdout | trim }}" # --------------------------------------------------------------------------- -# 4. Detect the latest stable release for this branch via GitHub +# 4. Display upgrade status report # --------------------------------------------------------------------------- -- name: Fetch latest stable release version from Netgate/pfSense repo - ansible.builtin.raw: > - fetch -q -o - "{{ pfsense_release_url }}" 2>/dev/null || echo "fetch_failed" - register: _upstream_version_raw - changed_when: false - failed_when: false - -- name: Parse upstream latest stable version - ansible.builtin.set_fact: - upstream_version: "{{ _upstream_version_raw.stdout | trim }}" - upstream_fetch_ok: "{{ 'fetch_failed' not in _upstream_version_raw.stdout }}" - -- name: Derive upstream branch (major.minor) - ansible.builtin.set_fact: - upstream_major_minor: >- - {{ - upstream_version - | regex_replace('^(\d+\.\d+).*$', '\1') - | default(pfsense_major_minor) - }} - when: upstream_fetch_ok | bool +- name: Display upgrade status report + ansible.builtin.debug: + msg: + - "============================================================" + - " Update Status: {{ inventory_hostname }}" + - 
"============================================================" + - " Current version : {{ pfsense_current_version }}" + - " Current repo : {{ current_repo }}" + - "------------------------------------------------------------" + - " Upgrade available: {{ 'YES — ' ~ upgrade_target_repo ~ ' (' ~ upgrade_target_description ~ ')' if upgrade_available else 'NO — System is up to date' }}" + - "------------------------------------------------------------" + - " perform_upgrade : {{ perform_upgrade | bool }}" + - "============================================================" +- name: Warn if perform_upgrade is false but upgrade is available + ansible.builtin.debug: + msg: > + DRY RUN — Upgrade to {{ upgrade_target_repo }} is available but perform_upgrade=false. + Re-run with -e "perform_upgrade=true" to apply. + when: + - upgrade_available | bool + - not (perform_upgrade | bool) + # --------------------------------------------------------------------------- # 5. Compare branches — detect if a newer stable branch exists upstream # ---------------------------------------------------------------------------
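Review bot: `$upgrade` is set to `""` and never reassigned in the first task's PHP one-liner, so the trailing `echo $upgrade ?: "UP_TO_DATE";` runs on every path — when a non-default repo exists stdout becomes `name|descrUP_TO_DATE`, which leaks into `upgrade_target_description`, and an empty stdout (PHP error, unreadable `/etc/inc/pkg-utils.inc`) is reported as an upgrade being available with an empty `upgrade_target_repo`. Assign inside the loop instead of echoing, `$upgrade = $r["name"] . "|" . $r["descr"]; break;`, keep the single final `echo`, and make the parse reject empty output too, `_upgrade_available: "{{ _repo_result not in ['', 'UP_TO_DATE'] }}"`. The existence of a non-default repo entry is also not evidence that a newer release was published or that its packages verify against the signed repository — unlike the removed `pfSense-upgrade -c` and pkg checks, nothing here contacts the repository — so the status report's "Upgrade available: YES" overstates what was checked; a comment such as `# NOTE: only detects a non-default repo definition, not a verified newer version` above the task would at least make that explicit. The removed tasks ran under `sudo`; if the play still connects as a non-root user, confirm `get_system_pkg_version()` and `pkg_list_repos()` work unprivileged before relying on their output.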