Turris OS 7.0 is in rc!

Dear Turris users,

after a long testing period and multiple breakouts and fixes, we are releasing Turris OS 7.0 into RC! The main change is that it is based on newer version of OpenWrt - with Turris OS 7.0 we are migrating to OpenWrt 22.03. We are still keeping iptables and we are still on 5.15 kernels. There are no other new features except change in the underlying OpenWrt - and thus in most of the packages. Reason is simple - minimize the impact and provide as smooth experience as possible. We are releasing this into rc soon so you can play with it over the weekend. There are at least two things we want to fix before final release, but those are quite minor and we are more interested in overall feedback and what we missed.

Known bugs:

  • hostname tab in reForis doesn’t work.
  • mwan3 might not work due to it’s integration with iptables -don’t relly on failover in the first rc.

As this release is quite big, update may take some time during which internet might go down temporarily and web interface might not work. That is to be expected. Give it some time, and it will come back up.

If you encounter any issues with migration or within Turris OS 7.0 itself, please let us know. We expect this release to stay in rc phase for some time, but it will all depend on your feedback.


Hmm… is this expected?

 • Remove sentinel-firewall 
 • Remove ebtables 
 • Remove ip6tables 
 • Remove tc-mod-iptables 
 • Remove iptables 

Ahh, I see:

 • Install xtables-legacy 1.8.7-7
 • Install iptables-zz-legacy 1.8.7-7
 • Install ip6tables-zz-legacy 1.8.7-7
 • Install ebtables-legacy 2018-06-27-48cff25d-1

RC means hbk branch?

No … RC is HBT branch …


Experimental knot-resolver6 seems to be broken:

root@omnia:~# kresd 
[system] warning: hard limit for number of file-descriptors is only 4096 but recommended value is 524288
[system] error /usr/lib/knot-resolver/kres.lua:14: Error loading shared library /home/beast/workspace/TurrisOS/packages-hbk-omnia/build/staging_dir/target-arm_cortex-a9+vfpv3-d16_musl_eabi/usr/lib/libknot.so.14: No such file or directory

Reverting to traditional kresd works around the issue.

1 Like

Even the older knot-resolver seems to be cursed. It works in default config but as soon as I include custom config file snippet containing:

modules = { 'dns64', 'view' }

it crashes with Segfault.

1 Like


reForis 1.4.1
Turris OS 6.5.2

I’ve had such a mistake since yesterday:

Updater execution failed:
INFO:Target Turris OS: 7.0.0
WARN:Request not satisfied to install package: luci-app-vpn-policy-routing
line not found
inconsistent: Requested package luci-i18n-vpn-policy-routing-pl that is not available.
line not found
line not found
line not found
line not found

Relatively minor issue, but I got the email notification, went to reForris to reboot but the Notifications were empty. So no way to reboot the device. I hunted around in reForris for a while, but there was nothing. Not sure if this is linked to the recent breakage with Notifications in 6.5.1 RC?

In the end I went into LuCI to reboot from there. Was strange not to have any option to reboot in reForris though.

That was after the update? On 6.5.2 i see it loud and clear:

Both WiFi crashed during the night and are not accessible. Reboot helped.

Turris MOX
Qualcomm Atheros QCA9880 802.11acbgn
Marvell 88W8997 802.11acbgn

Feb 17 07:32:35 turris kernel: [44790.310393] ------------[ cut here ]------------
Feb 17 07:32:35 turris kernel: [44790.315190] NETDEV WATCHDOG: wlan1 (mwifiex_sdio): transmit queue 1 timed out
Feb 17 07:32:35 turris kernel: [44790.322615] WARNING: CPU: 0 PID: 0 at dev_watchdog+0x304/0x310
Feb 17 07:32:35 turris kernel: [44790.328646] Modules linked in: pppoe ppp_async iptable_nat ath9k xt_state xt_nat xt_conntrack xt_REDIRECT xt_MASQUERADE xt_FLOWOFFLOAD xt_CT pppox ppp_generic nft_redir nft_ct nf_nat_ftp nf_nat nf_flow_table nf_conntrack_netlink nf_conntrack_ftp nf_conntrack ipt_REJECT ebtable_nat ebtable_filter ebtable_broute ath9k_common xt_time xt_tcpudp xt_tcpmss xt_statistic xt_multiport xt_mark xt_mac xt_limit xt_length xt_hl xt_ecn xt_dscp xt_comment xt_TCPMSS xt_LOG xt_HL xt_DSCP xt_CLASSIFY ums_usbat ums_sddr55 ums_sddr09 ums_karma ums_jumpshot ums_isd200 ums_freecom ums_datafab ums_cypress ums_alauda slhc sch_cake rtc_ds1307 rfcomm nft_reject_ipv6 nft_reject_ipv4 nft_reject_inet nft_reject nft_quota nft_objref nft_numgen nft_log nft_limit nft_hash nft_counter nft_compat nf_tables nf_reject_ipv4 nf_log_syslog nf_defrag_ipv6 nf_defrag_ipv4 mwifiex_sdio mwifiex mt7915e mt76_connac_lib mt76 iptable_mangle iptable_filter ipt_ECN ip_tables hidp hci_uart ebtables ebt_vlan ebt_stp ebt_redirect
Feb 17 07:32:35 turris kernel: [44790.328933]  ebt_pkttype ebt_mark_m ebt_mark ebt_limit ebt_among ebt_802_3 crc_ccitt btusb btmrvl_sdio btmrvl btintel br_netfilter bnep bluetooth ath9k_hw ath10k_pci ath10k_core ath sch_tbf sch_ingress sch_htb sch_hfsc em_u32 cls_u32 cls_route cls_matchall cls_fw cls_flow cls_basic act_skbedit act_mirred act_gact configs hid evdev mwlwifi mac80211 cfg80211 compat ledtrig_activity i2c_pxa xt_set ip_set_list_set ip_set_hash_netportnet ip_set_hash_netport ip_set_hash_netnet ip_set_hash_netiface ip_set_hash_net ip_set_hash_mac ip_set_hash_ipportnet ip_set_hash_ipportip ip_set_hash_ipport ip_set_hash_ipmark ip_set_hash_ipmac ip_set_hash_ip ip_set_bitmap_port ip_set_bitmap_ipmac ip_set_bitmap_ip ip_set nfnetlink ip6table_mangle ip6table_filter ip6_tables ip6t_REJECT x_tables nf_reject_ipv6 ifb sit ip6_tunnel netlink_diag tunnel6 tunnel4 ip_tunnel nls_utf8 zram zsmalloc ecdh_generic ecc seqiv jitterentropy_rng drbg md5 kpp hmac ecb cmac uas ahci fsl_mph_dr_of ehci_fsl gpio_button_hotplug
Feb 17 07:32:35 turris kernel: [44790.508262] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.15.148 #0
Feb 17 07:32:35 turris kernel: [44790.514550] Hardware name: CZ.NIC Turris Mox Board (DT)
Feb 17 07:32:35 turris kernel: [44790.519937] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
Feb 17 07:32:35 turris kernel: [44790.527120] pc : dev_watchdog+0x304/0x310
Feb 17 07:32:35 turris kernel: [44790.531261] lr : dev_watchdog+0x304/0x310
Feb 17 07:32:35 turris kernel: [44790.535396] sp : ffffffc008003da0
Feb 17 07:32:35 turris kernel: [44790.538809] x29: ffffffc008003da0 x28: 0000000000000140 x27: 00000000ffffffff
Feb 17 07:32:35 turris kernel: [44790.546176] x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000
Feb 17 07:32:35 turris kernel: [44790.553542] x23: ffffff8003f224c0 x22: 0000000000000001 x21: ffffffc008c76000
Feb 17 07:32:35 turris kernel: [44790.560908] x20: ffffff8003f22000 x19: 0000000000000001 x18: 0000000000000030
Feb 17 07:32:35 turris kernel: [44790.568273] x17: 756f2064656d6974 x16: 2031206575657571 x15: 2074696d736e6172
Feb 17 07:32:35 turris kernel: [44790.575639] x14: 74203a296f696473 x13: 00000000000002e1 x12: ffffffc008003ac0
Feb 17 07:32:35 turris kernel: [44790.583005] x11: ffffffc008ce1a70 x10: 00000000fffff000 x9 : ffffffc008ce1a70
Feb 17 07:32:35 turris kernel: [44790.590371] x8 : 0000000000000000 x7 : ffffffc008c89a70 x6 : 0000000000000001
Feb 17 07:32:35 turris kernel: [44790.597736] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000
Feb 17 07:32:35 turris kernel: [44790.605102] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffffffc008c7eb80
Feb 17 07:32:35 turris kernel: [44790.612467] Call trace:
Feb 17 07:32:35 turris kernel: [44790.614986]  dev_watchdog+0x304/0x310
Feb 17 07:32:35 turris kernel: [44790.618764]  call_timer_fn.constprop.0+0x20/0x80
Feb 17 07:32:35 turris kernel: [44790.623529]  run_timer_softirq+0x2d4/0x3b0
Feb 17 07:32:35 turris kernel: [44790.627752]  _stext+0x11c/0x278
Feb 17 07:32:35 turris kernel: [44790.630991]  irq_exit+0x68/0x90
Feb 17 07:32:35 turris kernel: [44790.634233]  handle_domain_irq+0x60/0x90
Feb 17 07:32:35 turris kernel: [44790.638283]  gic_handle_irq+0xe4/0x154
Feb 17 07:32:35 turris kernel: [44790.642152]  call_on_irq_stack+0x20/0x34
Feb 17 07:32:35 turris kernel: [44790.646198]  do_interrupt_handler+0x4c/0x54
Feb 17 07:32:35 turris kernel: [44790.650511]  el1_interrupt+0x2c/0x4c
Feb 17 07:32:35 turris kernel: [44790.654202]  el1h_64_irq_handler+0x14/0x20
Feb 17 07:32:35 turris kernel: [44790.658424]  el1h_64_irq+0x78/0x7c
Feb 17 07:32:35 turris kernel: [44790.661931]  arch_cpu_idle+0x14/0x20
Feb 17 07:32:35 turris kernel: [44790.665616]  default_idle_call+0x1c/0x68
Feb 17 07:32:35 turris kernel: [44790.669663]  do_idle+0x1d8/0x214
Feb 17 07:32:35 turris kernel: [44790.672996]  cpu_startup_entry+0x24/0x60
Feb 17 07:32:35 turris kernel: [44790.677043]  rest_init+0xc4/0xd0
Feb 17 07:32:35 turris kernel: [44790.680370]  arch_call_rest_init+0xc/0x14
Feb 17 07:32:35 turris kernel: [44790.684508]  start_kernel+0x628/0x664
Feb 17 07:32:35 turris kernel: [44790.688285]  __primary_switched+0xa0/0xa8
Feb 17 07:32:35 turris kernel: [44790.692422] ---[ end trace 074b96f6e2ee9aae ]---
Feb 17 07:32:35 turris kernel: [44790.697297] mwifiex_sdio mmc1:0001:1: 4299416742 : Tx timeout(#1), bss_type-num = 1-0
Feb 17 07:32:35 turris kernel: [44790.705772] ath10k_pci 0000:03:00.0: SWBA overrun on vdev 1, skipped old beacon
Feb 17 07:32:35 turris kernel: [44790.713372] ath10k_pci 0000:03:00.0: SWBA overrun on vdev 0, skipped old beacon

I switched to non -ct driver and firmware. Let’t see if it fixes at least ath10k.

1 Like

We will be glad for your feedback!

1 Like Which is “Firewall Status” in Luci is empty. “No rules in this chain.” displayed everywhere. Unfortunately I don’t know if it worked before update.

Input, output and forward rules for IPv4 and IPv6 present on TOS 6.5.1.

All rules on my Turris Omnia with TurrisOS 7.0.0 are present …

1 Like

Good evening everyone.
Quite smooth update from 6.5.2 to 7.0.0 on my side.

2 things I’ve noticed until now :

  • one small side effect which is probably not link directly to TOS, from luci the lxc web interface is not displaying the containers and their status (but they are still running though).
  • lxc doesn’t support apparmor (lxc.apparmor.profile) anymore (that said I couldn’t remember what I was using that option for and simply disabled the options and everything has been back to normal.

thanks again for the incredible work!

Best regards,


And what did you find?

6.5.2 → 7.0.0 RC1 update not okay due to kresd6, otherwise it would probably be almost smooth (see further). Cable/wifi/internet went down during the update and came back up after update and before restart (but DNS was broken due to kresd6). Restart was needed. The update took about 15 minutes.

To fix kresd by unchecking the Kresd6 package list, I first had to add nameserver at the beginning of /etc/resolv.conf to get the updater to resolve hostnames. If anybody is planning the update, uninstall kresd6 before the update, you’ll save yourself some time.

I first wanted to fix DNS by switching to unbound, but it is not installed! There is no binary called unbound or unbound-control, and restarting resolver ends up with an error about not finding unbound-control. opkg says unbound is not installed. I thought it gets installed by default to be ready to be used instead of kresd. But maybe I’m wrong.

IKEv2 VPN installed according to this guide got broken - but that is expected because the guide depends on overwriting installed strongswan scripts. However, even the installed script is buggy - there are 3 references to swanctl_append4 function which is not defined. They should be swanctl_xappend4. To fix the strongswan server from the guide, just replace /etc/init.d/strongswan again with the file from the guide.

OpenVPN worked without issues after the update (even with broken DNS as it actually does not depend on it).

PPtP VPN server got broken, I don’t know why. On a connection attempt, Omnia says: GRE: read(fd=6,buffer=421422,len=8196) from PTY failed: status = -1 error = I/O error, usually caused by unexpected termination of pppd, check option syntax and pppd logs. Not sure if it’s related to: Plugin /usr/lib/pptpd/pptpd-logwtmp.so is for pppd version 2.4.8, this is 2.4.9.

After the update, I’ve also noticed transmission service hogging one CPU core (as already reported), even though I don’t actually use it for anything (I probably enabled it for some torrent download and forgot to disable). I’ve disabled it for now.

fail2ban did not work after the update. Reinstall helped. The error before was:

# fail2ban-client status openvpn
Traceback (most recent call last):
  File "/usr/bin/fail2ban-client", line 34, in <module>
    from fail2ban.client.fail2banclient import exec_command_line, sys
ModuleNotFoundError: No module named 'fail2ban'

Last, I also see some of this error which is new in the logs:

(Command failed: ubus call service signal { "name": "rainbow-animator", "signal": 10 } (Not found))

Thanks a lot for your work regarding this update!

Turris Omnia 2017, 1 GB RAM, dead eMMC, system running from mSATA SSD, original wifi cards, UBoot 2022.10. Storage plugin enabled, LXC containers, tor relay, USB HDD shared over samba4 and minidlna, Syncthing, SQM, Hardwario gateway + MQTT IoT bridge, OpenVPN, PPtP VPN, Strongswan IKEv2 VPN, morce.

1 Like