I’ve been using OPNSense for my home firewall for many years now, and I previously ran it as a VM in a Proxmox virtual server. That worked great for my purposes, but I’ve since upgraded to a dedicated physical device (Protectli) running OPNSense and I love it.
However, with the migration away from a VM, I lost the ability to create a snapshot of the system prior to an upgrade - just in case something went wrong I could easily roll back.
Recently I learned about BSD Boot Environments and the bectl utility and how they can help fill that gap!
- Log in via SSH and start a shell session
- List any current/previous boot environment (BE) snapshots
root@opnsense-fw:~ # bectl list
BE Active Mountpoint Space Created
22.7.2 - - 1.04G 2021-09-05 10:57
22.7.4 - - 388M 2022-09-02 09:28
22.7.5 NR / 4.09G 2022-10-05 08:58
In the “Active” column, the “N” stands for “Now” and “R” is “Reboot”, showing which BE is active now vs after the next reboot.
- Create and activate a new BE
root@opnsense-fw:~ # bectl create [new_version]
root@opnsense-fw:~ # bectl activate [new_version]
- Reboot and upgrade
- Validate BE; Remove oldest BE
root@opnsense-fw:~ # bectl list
BE Active Mountpoint Space Created
22.7.2 - - 1.04G 2021-09-05 10:57
22.7.4 - - 896M 2022-09-02 09:28
22.7.5 NR / 4.84G 2022-10-05 08:58
root@opnsense-fw:~ # bectl destroy 22.7.2
root@opnsense-fw:~ # bectl list
BE Active Mountpoint Space Created
22.7.4 - - 1.13G 2022-09-02 09:28
22.7.5 NR / 3.80G 2022-10-05 08:58
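The cleanup step above can be checked before anything is destroyed. The following is an added example, not part of the original post: it picks the oldest BE whose Active column has neither N nor R and prints the destroy command instead of running it. It assumes the tab-separated output of `bectl list -H`; the function names and the `keep` parameter are hypothetical, and the sample rows are constructed from the listing above.

```sh
#!/bin/sh
# Added example: choose the oldest boot environment that is safe to destroy.
# Assumed input: `bectl list -H` (no header, tab-separated):
#   name <TAB> active <TAB> mountpoint <TAB> space <TAB> created

# Constructed sample rows mirroring the listing in the post.
sample_list() {
    printf '22.7.2\t-\t-\t1.04G\t2021-09-05 10:57\n'
    printf '22.7.4\t-\t-\t896M\t2022-09-02 09:28\n'
    printf '22.7.5\tNR\t/\t4.84G\t2022-10-05 08:58\n'
}

# Read BE rows on stdin and print the oldest one that is neither active
# now (N) nor active on next reboot (R). Prints nothing unless at least
# `keep` inactive BEs would still remain as rollback targets afterwards.
oldest_inactive_be() {
    keep="${1:-1}"
    awk -F '\t' -v keep="$keep" '
        $2 !~ /[NR]/ {
            n++
            # "YYYY-MM-DD HH:MM" sorts correctly as a plain string.
            if (oldest == "" || $5 < created) { oldest = $1; created = $5 }
        }
        END { if (n > keep) print oldest }
    '
}

# Dry run: print the destroy command rather than executing it.
# Uses live data when bectl is installed, the constructed sample otherwise.
plan_cleanup() {
    if command -v bectl >/dev/null 2>&1; then
        target=$(bectl list -H | oldest_inactive_be "${1:-1}")
    else
        target=$(sample_list | oldest_inactive_be "${1:-1}")
    fi
    if [ -n "$target" ]; then
        echo "bectl destroy $target"
    else
        echo "nothing to destroy (would leave fewer than ${1:-1} rollback BE)"
    fi
}

plan_cleanup 1
```

Raising the argument to `plan_cleanup` keeps more inactive BEs around as rollback targets before anything is proposed for removal.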