Turris OS 7.2 in RC

Dear Turris users,

We just released Turris OS 7.2 into hbt. The main new feature of this release is port forwarding, now available in reForis. This is the last feature release in the 7.x branch; the next big release will be Turris OS 9.0. We know that the port forwarding is still a little rough around the edges; we will improve on top of that, but not at the moment. Full release notes are as follows:

:rocket: New Features
• reforis: Port forwarding integrated into WebUI
• reforis: Add link to the documentation
• diagnostics: Add mwan3, watchcat and nftables information to help debugging LTE/5G
• serial-sound: New package to play sounds over the serial

:pushpin: Updates
• 5g-kit: More robust and simpler setup
• common-passwords: Update to the latest list of the passwords
• python-twisted: update to version 24.7.0 (fixes CVE-2024-41671 and CVE-2024-41810)
• reforis: updated translations and dependencies

As always, if you encounter any issues, please let us know.

10 Likes

Thanks for the update! I hope that there will also only be few small releases in the 7.x branch, or rather I hope we can get to 9.0 quickly :wink:

We hope for the same :wink:

1 Like

MOX classic, HBK branch, .5 GB, 2x WiFi, simple config. All seems OK.

I'd like to ask, would it please be possible to also fix the reForis VPN package? Maybe you have already fixed it, but I know it was not producing valid configurations. In other words, please rather have everything working than new packages in reForis. I believe I once filed this issue on GitLab, but I can't find it now. I'll try to reproduce the problem today, just to be sure. Problem reproduced; it says remote list error: current remote server endpoint undefined.

1 Like

@miska: updater is broken on Turris Omnia (tracking hbt)

Updating from 7.1.4:

...
INFO:Downloading packages
line not found
line not found
line not found
line not found
DIE:
corruption: The SHA256Sum sum of base-files does not match
Aborted

Edit: this is also a problem on Turris Mox.

How could this big of a failure reach HBT branch of rollout without being detected?

3 Likes

Same issue here. Also when running opkg update:

root@shulyaka:/# opkg update
Downloading https://repo.turris.cz/hbt/omnia/packages/core/Packages.gz
Updated list of available packages in /var/opkg-lists/turrisos_core
Downloading https://repo.turris.cz/hbt/omnia/packages/core/Packages.sig
Signature check failed.
Remove wrong Signature file.
Downloading https://repo.turris.cz/hbt/omnia/packages/base/Packages.gz
Updated list of available packages in /var/opkg-lists/turrisos_base
Downloading https://repo.turris.cz/hbt/omnia/packages/base/Packages.sig
Signature check failed.
Remove wrong Signature file.
Downloading https://repo.turris.cz/hbt/omnia/packages/cesnet/Packages.gz
Updated list of available packages in /var/opkg-lists/turrisos_cesnet
Downloading https://repo.turris.cz/hbt/omnia/packages/cesnet/Packages.sig
Signature check passed.
Downloading https://repo.turris.cz/hbt/omnia/packages/luci/Packages.gz
Updated list of available packages in /var/opkg-lists/turrisos_luci
Downloading https://repo.turris.cz/hbt/omnia/packages/luci/Packages.sig
Signature check failed.
Remove wrong Signature file.
Downloading https://repo.turris.cz/hbt/omnia/packages/node/Packages.gz
Updated list of available packages in /var/opkg-lists/turrisos_node
Downloading https://repo.turris.cz/hbt/omnia/packages/node/Packages.sig
Signature check failed.
Remove wrong Signature file.
Downloading https://repo.turris.cz/hbt/omnia/packages/packages/Packages.gz
Updated list of available packages in /var/opkg-lists/turrisos_packages
Downloading https://repo.turris.cz/hbt/omnia/packages/packages/Packages.sig
Signature check failed.
Remove wrong Signature file.
Downloading https://repo.turris.cz/hbt/omnia/packages/routing/Packages.gz
Updated list of available packages in /var/opkg-lists/turrisos_routing
Downloading https://repo.turris.cz/hbt/omnia/packages/routing/Packages.sig
Signature check failed.
Remove wrong Signature file.
Downloading https://repo.turris.cz/hbt/omnia/packages/telephony/Packages.gz
Updated list of available packages in /var/opkg-lists/turrisos_telephony
Downloading https://repo.turris.cz/hbt/omnia/packages/telephony/Packages.sig
Signature check failed.
Remove wrong Signature file.
Downloading https://repo.turris.cz/hbt/omnia/packages/turrispackages/Packages.gz
Updated list of available packages in /var/opkg-lists/turrisos_turrispackages
Downloading https://repo.turris.cz/hbt/omnia/packages/turrispackages/Packages.sig
Signature check failed.
Remove wrong Signature file.

A few diagnostic results:

root@shulyaka:/# cat /etc/opkg/distfeeds.conf
src/gz turrisos_core https://repo.turris.cz/hbt/omnia/packages/core
src/gz turrisos_base https://repo.turris.cz/hbt/omnia/packages/base
src/gz turrisos_cesnet https://repo.turris.cz/hbt/omnia/packages/cesnet
src/gz turrisos_luci https://repo.turris.cz/hbt/omnia/packages/luci
src/gz turrisos_node https://repo.turris.cz/hbt/omnia/packages/node
src/gz turrisos_packages https://repo.turris.cz/hbt/omnia/packages/packages
src/gz turrisos_routing https://repo.turris.cz/hbt/omnia/packages/routing
src/gz turrisos_telephony https://repo.turris.cz/hbt/omnia/packages/telephony
src/gz turrisos_turrispackages https://repo.turris.cz/hbt/omnia/packages/turrispackages
root@shulyaka:/# usign -V -P /etc/opkg/keys -m /tmp/opkg-lists/turrisos_core
verification failed
root@shulyaka:/# usign -F -m /tmp/opkg-lists/turrisos_core
dcb20e535c62dd5b
root@shulyaka:/# cat /etc/opkg/keys/dcb20e535c62dd5b 
untrusted comment: Turris release key gen 1
RWTcsg5TXGLdW9gNlGHN/ofdsM0KAfQIRBo5OVZIYlVTfyI6FGVEOK/e
root@shulyaka:/# cat /etc/turris-version 
7.1.4
root@shulyaka:/# cat /etc/openwrt_release 
DISTRIB_ID='TurrisOS'
DISTRIB_RELEASE='7.1.4'
DISTRIB_REVISION='r20343+130-4e1d1b7df0'
DISTRIB_TARGET='mvebu/cortexa9'
DISTRIB_ARCH='arm_cortex-a9_vfpv3-d16'
DISTRIB_DESCRIPTION='TurrisOS 7.1.4 4e1d1b7df0ce6fa96d7462dc883917682f428046'
DISTRIB_TAINTS='busybox'
root@shulyaka:/# cat /etc/os-release 
NAME="TurrisOS"
VERSION="7.1.4"
ID="turrisos"
ID_LIKE="lede openwrt"
PRETTY_NAME="TurrisOS 7.1.4"
VERSION_ID="7.1.4"
HOME_URL="https://www.turris.cz/"
BUG_URL="https://gitlab.nic.cz/groups/turris/-/issues/"
SUPPORT_URL="https://www.turris.cz/support/"
BUILD_ID="r20343+130-4e1d1b7df0"
OPENWRT_BOARD="mvebu/cortexa9"
OPENWRT_ARCH="arm_cortex-a9_vfpv3-d16"
OPENWRT_TAINTS="busybox"
OPENWRT_DEVICE_MANUFACTURER="CZ.NIC"
OPENWRT_DEVICE_MANUFACTURER_URL="https://www.turris.cz/"
OPENWRT_DEVICE_PRODUCT="Turris Omnia"
OPENWRT_DEVICE_REVISION="v0"
OPENWRT_RELEASE="TurrisOS 7.1.4 4e1d1b7df0ce6fa96d7462dc883917682f428046"
2 Likes
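A way to turn an `opkg update` transcript like the one above into a per-feed signature status, for example to alert when a feed's index can no longer be verified. This is an added example, not code from the thread or from the Turris project; the sample transcript is constructed from the output format quoted above, the function names are hypothetical, and treating an index with no signature result as "unverified" is this example's assumption.

```python
import re

# Constructed sample, shaped like the `opkg update` output quoted above
# (URL layout and messages follow the page; shortened to three feeds).
SAMPLE = """\
Downloading https://repo.turris.cz/hbt/omnia/packages/core/Packages.gz
Updated list of available packages in /var/opkg-lists/turrisos_core
Downloading https://repo.turris.cz/hbt/omnia/packages/core/Packages.sig
Signature check failed.
Remove wrong Signature file.
Downloading https://repo.turris.cz/hbt/omnia/packages/cesnet/Packages.gz
Updated list of available packages in /var/opkg-lists/turrisos_cesnet
Downloading https://repo.turris.cz/hbt/omnia/packages/cesnet/Packages.sig
Signature check passed.
Downloading https://repo.turris.cz/hbt/omnia/packages/luci/Packages.gz
Updated list of available packages in /var/opkg-lists/turrisos_luci
"""

INDEX_URL = re.compile(r"^Downloading \S+/([^/\s]+)/Packages\.gz$")
SIG_URL = re.compile(r"^Downloading \S+/([^/\s]+)/Packages\.sig$")
RESULT = re.compile(r"^Signature check (passed|failed)\.$")

def feed_signature_status(transcript):
    """Map feed directory name -> 'passed' | 'failed' | 'unverified'."""
    status = {}
    pending = None  # feed whose Packages.sig was just downloaded
    for line in transcript.splitlines():
        line = line.strip()
        if m := INDEX_URL.match(line):
            # Index fetched; assumed untrusted until a result line is seen.
            status.setdefault(m.group(1), "unverified")
            pending = None
        elif m := SIG_URL.match(line):
            pending = m.group(1)
            status.setdefault(pending, "unverified")
        elif (m := RESULT.match(line)) and pending is not None:
            status[pending] = m.group(1)
            pending = None
    return status

def untrusted_feeds(transcript):
    """Feeds whose package index did not pass signature verification."""
    status = feed_signature_status(transcript)
    return sorted(feed for feed, state in status.items() if state != "passed")

if __name__ == "__main__":
    print(untrusted_feeds(SAMPLE))
```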

Well, great … the updater is broken on both Omnia routers I have.

On one of them, with TurrisOS 9.0.0 from the HBD branch, it has been reporting this since last week … see below … and nobody is dealing with it :frowning:

Oznámení o chybách
==================
Běh updateru selhal:
INFO:Target Turris OS: 9.0.0
line not found
ERROR:
inconsistent: Requested package samba4-admin that is not available.
line not found
line not found
line not found
line not found

and now on the main router with Turris OS 7.1.4 on the HBT branch

Oznámení o chybách
==================
Běh updateru selhal:


Stack Traceback

===============

(1) Lua function '?' at line 57 of chunk '"logging"]'

	Local variables:

	 err = The SHA256Sum sum of base-files does not match  {msg:The SHA256Sum sum of base-files does not match, tp:error, reason:corruption (more...)}

	 err2string = Lua function '?' (defined at line 38 of chunk "logging"])

	 msg = string: "\

corruption: The SHA256Sum sum of base-files does not match"

	 (*temporary) = table: 0xb1a96900  {msg:

corruption: The SHA256Sum sum of base-files does not match}

(2)  C function 'function: 0xb1ab0080'

(3) upvalue C function 'error'

(4) Lua local 'package_verify_single' at line 112 of chunk '"updater"]'

	Local variables:

	 func = C function: 0xb6bb1a40

	 hash = string: "SHA256Sum"

	 sum = string: "940b00e4bf50001a6685f6ecd398dc39e6bf20bb62c8b9ecb46af157f49dc45e"

(5) Lua global 'package_verify' at line 118 of chunk '"updater"]'

	Local variables:

	 task = table: 0xb1dd71f0  {critical:true, action:require, modifier:table: 0xb3490c80, package:table: 0xb5c57e00 (more...)}

	 verified = boolean: false

	 package_verify_single = Lua function '?' (defined at line 108 of chunk "updater"])

(6) Lua function '?' at line 153 of chunk '"updater"]'

	Local variables:

	 uri_master = userdata: 0xb1ab5998

	 failed_uri = nil

	 (for generator) = C function: 0xb6aa8ae0

	 (for state) = table: 0xb1b01d20  {1:table: 0xb1df25c0, 2:table: 0xb1df27d0, 3:table: 0xb1dd71f0, 4:table: 0xb1d5d5a0 (more...)}

	 (for control) = number: 3

	 _ = number: 3

	 task = table: 0xb1dd71f0  {critical:true, action:require, modifier:table: 0xb3490c80, package:table: 0xb5c57e00 (more...)}
Neznámá chyba (Návratový kód: -6)

We're in for some fun again … :slight_smile:

Hello,

we apologize, but we are investigating where the error occurred, because the HBT branch is currently the same as HBK, to which the update can be performed without problems.

For now, please try to roll back with schnapps to the last snapshot taken before the update.

schnapps list
schnapps rollback X
reboot

Where X is the snapshot number. Snapshots are created automatically before every update.

Once again, we apologize for the complications.

UPDATE:

According to information from @miska, there was a key error during signing on the server. For now, we therefore ask you not to update to HBT. As soon as the problem is resolved, we will post an update.

Thank you for your understanding.

3 Likes

Tomáši,
I have a bad feeling when Turris employees mix languages within a thread. Please keep the language consistent, even when other contributors forget to do so, please.

9 Likes

remote_list_error: current remote server endpoint is undefined (VPN) (#38) · Issues · Turris / reForis / OpenVPN Plugin · GitLab

Please fix the VPN problem in reForis. It has been described here on your GitLab for four months already, including a solution in the openvpn file.

@Jiri_Kolouch

Thank you for pointing it out, it was written in a hurry and I didn't realize it; the fix has been made. :slight_smile:

I’d say the system behaves as expected - wrong signing key → no update. The security measure works.
Shit happens - we are (at least nowadays) all humans.

2 Likes

pkgupdate failing on HBS 7.1.4 - is there a fix?

root@omnia:~# pkgupdate
line not found
line not found
line not found
ERROR:
runtime: [string "requests"]:451: [string "utils"]:441: Getting URI (https://repo.turris.cz/hbs/omnia/lists/pkglists/nas.lua) failed: No OCSP response received

more info -

root@omnia:~# pkgupdate -e DBG
DEBUG:src/lib/events.c:554 (run_util_init):Dumping busybox to: /tmp/updater-busybox-HJgjeI/busybox
DEBUG:src/lib/locks.c:45 (lua_acquire):Trying to get a lock at /var/lock/opkg.lock
DEBUG:backend.lua:394 (status_parse):Parsing status file /usr/lib/opkg/status
DEBUG:requests.lua:453 (Globals):Running script file:////etc/updater/conf.d/turris-pkglists.lua
DEBUG:src/lib/download.c:81 (download_check_info):Download failed (https://repo.turris.cz/hbs/omnia/lists/pkglists/nas.lua): No OCSP response received
line not found
line not found
line not found
ERROR:src/pkgupdate/main.c:151 (main):
runtime: [string "requests"]:451: [string "utils"]:441: Getting URI (https://repo.turris.cz/hbs/omnia/lists/pkglists/nas.lua) failed: No OCSP response received
DEBUG:src/lib/locks.c:82 (lua_lock_release):Released lock at /var/lock/opkg.lock
DEBUG:src/lib/events.c:572 (run_util_clean):Removing temporally busybox from: /tmp/updater-busybox-HJgjeI/busybox

root@omnia:~# cat /etc/openwrt_release
DISTRIB_ID='TurrisOS'
DISTRIB_RELEASE='7.1.4'
DISTRIB_REVISION='r20343+130-4e1d1b7df0'
DISTRIB_TARGET='mvebu/cortexa9'
DISTRIB_ARCH='arm_cortex-a9_vfpv3-d16'
DISTRIB_DESCRIPTION='TurrisOS 7.1.4 4e1d1b7df0ce6fa96d7462dc883917682f428046'
DISTRIB_TAINTS='busybox'

root@omnia:~# schnapps list
    # | Type      | Size        | Date                      | Description
------+-----------+-------------+---------------------------+------------------------------------
  456 | rollback  |   208.83MiB | 2022-03-23 05:55:03 +0000 | Rollback to snapshot 455
  701 | pre       |    15.09MiB | 2025-03-22 13:46:27 -0700 | Automatic pre-update snapshot (TurrisOS 7.1.3 - hbs)
  702 | post      |    12.84MiB | 2025-03-22 13:46:39 -0700 | Automatic post-update snapshot (TurrisOS 7.1.4 - hbs)
  706 | time      |    12.84MiB | 2025-04-13 01:05:00 -0700 | Snapshot created by cron
  711 | time      |    12.86MiB | 2025-05-18 01:05:01 -0700 | Snapshot created by cron
4 Likes

They may be able to do a hotfix by rolling back to the previous LE certificate on repo.turris.cz until it expires, most probably in 30 days or less.
The issue comes from the new CA/Browser Forum policy that makes the OCSP cert field optional, so LE dropped OCSP support this May.
It appears that current Turris OS versions rely on this certificate parameter, so unless all of the affected devices update during the time frame when such a cert is used on the server, they would keep on failing like this. Hopefully commercial CA authorities will provide OCSP-enabled certs for some time.

I’ve started to receive updater error messages like this via mail from my turris every 2 hours since midnight.

4 Likes

Turris Omnia on HBT

Updater execution failed:
line not found
line not found
line not found
ERROR:
runtime: [string "requests"]:451: [string "utils"]:441: Getting URI (https://repo.turris.cz/hbt/omnia/lists/pkglists/firmware_update.lua) failed: No OCSP response received

You could mention that I discovered and reported that :sob::sob::sob:

3 Likes

Wow, so this means that if CZ.NIC does not obtain a commercial cert with OCSP, any router not updated during this month will not be (auto)updatable any time in the future?

2 Likes

In another on-topic thread there’s a suggestion to use Google Trust Services (an ACME alternative to Let’s Encrypt). But Google did also promise to deprecate OCSP “in the second half of 2025”.

Currently the cert has been rolled back to the previous one, so the error is not present atm.