Sophos UTM up2date from command line and troubleshooting

To totally unlock this section you need to Log-in


The Up2Date installer is used to install both system and pattern up2dates.

It will by default install all available Up2Date packages first (and records whether a reboot of the UTM is required). If a reboot is required it will schedule the reboot until the successful installation of the last available Up2Date package.

You can also only install up to a specific version using the -upto switch. Running in -simulation mode will not make any changes to the file system, so this mode can be used to see the Up2Date package contents and scripts which would be triggered.

The -showdesc option will unpack the installation instruction file from the Up2Date package, so you can access the Up2Date package properties (version, required version, reboot required, urgency) as well as the description (bug fixes, news, etc.).

NOTE: The installer is very strict. If one point of the installation fails, the complete installation is considered a failure. Make sure the script hooks you want to execute do exit correctly.

When a system Up2Date installation fails because of some random issue (like a failing script), it cannot be installed via the WebAdmin again because the RPMs have already (partly) been installed and therefore the pre-installation check fails. This is also the case if you have had RPMs installed by either support or development.

The current workaround which solves the problem of partly installed RPMs is to use the -rpmargs -force command. It is not possible to run this command from the web frontend.

For 7.400, the Up2Date installer was changed to skip already installed RPM packages during the installation. Therefore, Up2Date packages can be re-installed again using the WebAdmin.
There is a new command line option to force the RPM package re-installation (-rpmreinstall) in case you need to re-install packages; in this case, you also have to use the -rpmargs -force command line switches.

Generate and show Up2Date description

Use the following command to upload an Up2Date package manually via SSH to the UTM and want to see it immediately as available Up2Date in the WebAdmin:

auisys.plx -showdesc

Download package in debug mode

The following command will provide debug output from the downloading process, include authentication, md5sum. You find the tar.gz file in /var/up2date/sys:

audld.plx -level d

Simulate installation process

The following command starts the UTM Up2Date installation process in simulation mode. This allow you to test whether the installation would work before actually installing for real.

auisys.plx -simulation

The following shows an example output:

myUTM:/root # auisys.plx -simulation
Starting Up2Date Package Installer
Simulation mode enabled!
Searching for available up2date packages for type 'sys'

Installing up2date package version 9.092008 myUTM:/root # Verifying up2date package signature Unpacking installation instructions Unpacking up2date package container Running pre-installation checks Starting up2date package installation Would do 0, 0 [ENV 300] rpm --test -U --nodeps /var/up2date//sys-install/u2d-sys-9.092008/rpms/libgmime-2_4-2-2.4.26-10.gb6ce3fc.i686.rpm Would do 0, 1 [ENV 300] rpm --test -U --nodeps /var/up2date//sys-install/u2d-sys-9.092008/rpms/libiconv-1.12-10.g1ff1a15.i686.rpm
... ... ...
Would do 7, 0 [ENV 300] sh -c exec /var/up2date//sys-install/u2d-sys-9.092008/./update9.092008post_start Would do 9, 0 [NOENV no] rm /var/up2date//sys/u2d-sys-9.091005-092008.tgz.gpg Would do 9, 1 [NOENV no] sync Would touch '/tmp/.u2d-sys-9.091-9.092-5.8.1.tgz' Would mark for reboot now
Installing up2date package version 9.100008 Verifying up2date package signature Unpacking installation instructions You are currently running Version 9.091005, but Version 9.092008 is required for this up2date package.

Force an Up2date process

auisys.plx -rpmargs -force

Pattern Up2Date

Remove actual virus patterns:

rpm -e u2d-auav -nodeps rpm -e u2d-clam -nodeps

Restore default patterns:

mount /opt/inst cd /opt/inst/rpm rpm -Uhv u2d-auav-7-103.i686.rpm -force rpm -Uhv u2d-clam-7-465.i686.rpm -force

Force pattern installation (without sys install):

auisys.plx -nosys

Up2Date Downloader audld.plx

The Up2Date downloader is used to download system up2dates as well as pattern up2dates. The default operation is to fetch all Up2Date types which are mentioned in the configuration; you can choose a subset of these by using the -types command line switch.


audld --help
audld --version
audld --level <d(ebug)|i(nfo)|w(arn)|c(rit)>
audld --configfile <path /to/file>
audld --types|modes=type,type2,type3
audld --nosys (exclude type "sys")
audld --dryrun (don't download packages)
audld --server <host:port> (preferred server)
audld --trigger (trigger pattern download/installation)
audld --proxy <(user:pass@)host:port> (preferred proxy)
audld --ha-override (override HA slave/cluster routine)

Those are gnu longopts, so abbreviations are possible.

Up2Date Installer auisys.plx


Configuration options:
--configfile  the config file
--transferdir  where to look for incoming files
--workbasedir  where to unpack the incoming file
--level [c|e|w|i|d|n] set debuglevel
Installation options:
--simulation no real work - only simulation
--[no]cleanupcleanup of workdir; default: on
--[no]reboot reboot enabled; default: on
--upto X.yyyzzz end version (default: 999.999999) (enforces sys-only run)
--oldestonly only the next version (enforces sys-only run)
--types  restrict the up2date package types
--nosys don't do system up2date installation
--rpmargs --arg1,--arg2 pass additional arguments to RPM
--rpmreinstall don't skip already installed RPM packages
Other Modes - No installation:
--help help text and exit
--version module versions and exit
--showdesc generate and show up2date description

Downloading new up2dates directly on UTM

Sometimes a new download or removal of an up2date will be required to resolve an issue if an up2date has been corrected on the up2date servers or is otherwise corrupted on a customer system. Remove any affected system up2dates from the AxG and run a new download:

cd /var/up2date/sys 
rm u2d-sys-8.301* 

If the download cannot communicate or authenticate to a server the download can be pulled directly from the Sophos ftp servers into the /var/up2date/sys directory with a wget command such as:

cd /var/up2date/sys 

Then, to make the update appear in WebAdmin:

auisys.plx --showdesc

Up2date to a specific version

This is useful for up2dating to a specific version rather than all the way to the latest in particular with up2dates making large changes as noted by our feature releases of 8.100, 8.200, 8.300. Prior to up2dating completely it is usually useful and causes less problems to first up2date to the latest in the series prior to a feature release.

auisys.plx --upto 8.203

Force and skip RPM arguments

For up2date issues the combination of the --rpmargs and --force will have the greatest effect on loading all current up2dates. In addition these can be combined with the --upto version in order to create a powerful up2date order. This command is standard to run to effectively force all up2dates present to load on a system despite previous up2date failures which may be triggered by customized RPM packages having been loaded on the system previously.

auisys.plx --rpmargs --force

Or combined with 'upto' version:

auisys.plx --rpmargs --force --upto 8.203