Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
ON THIS PAGE
 

Configuring Root Partitions on SRX Series Devices

The dual-root partitions help your SRX Series Firewalls to remain functional even if the file system is corrupted. Also, it helps to recover the file system in case of corruption.

Dual-Root Partitioning Scheme on SRX Series Firewalls

Junos OS Release 10.0 and later support dual-root partitioning on SRX Series Firewalls. Dual-root partitioning allows the SRX Series Firewall to remain functional even if there is file system corruption and to facilitate easy recovery of the file system.

Note:

Starting in Junos OS Release 12.1X45, single root partitioning is not supported on SRX Series Firewalls.

SRX Series Firewalls running Junos OS Release 9.6 or earlier support a single-root partitioning scheme where there is only one root partition. Because both the primary and backup Junos OS images are located on the same root partition, the system fails to boot if there is corruption in the root file system. The dual-root partitioning scheme guards against this scenario by keeping the primary and backup Junos OS images in two independently bootable root partitions. If the primary root partition becomes corrupted, the system can still boot from the backup Junos OS image located in the other root partition and remain fully functional.

SRX Series Firewalls that ship with Junos OS Release 10.0 or later are formatted with dual-root partitions from the factory. SRX Series Firewalls that are running Junos OS Release 9.6 or earlier can be formatted with dual-root partitions when they are upgraded to Junos OS Release 10.0 or later.

Note:

Although you can install Junos OS Release 10.0 or later on SRX Series Firewalls with the single-root partitioning scheme, we strongly recommend the use of the dual-root partitioning scheme.

Boot Media and Boot Partition on SRX Series Firewalls

When the SRX Series Firewall powers on, it tries to boot the Junos OS from the default storage media. If the device fails to boot from the default storage media, it tries to boot from the alternate storage media.

Table 1 provides information on the storage media available on SRX Series Firewalls.

Table 1: Storage Media on SRX Series Firewalls

SRX Series Firewalls

Storage Media

SRX100, SRX210, and SRX240

  • Internal NAND flash (default; always present)

  • USB storage device (alternate)

SRX110, SRX220

  • CompactFlash (default; always present)

  • USB storage device (alternate)

SRX300, SRX320, and SRX340, and SRX345

  • eUSB disk (default; always present)

  • USB storage device (alternate)

SRX380

  • Internal SSD (default, always present).

  • USB storage device (alternate)

SRX550

  • Internal CF (default; always present)

  • USB storage device (alternate)

SRX550M

  • Internal CF (default; always present)

  • USB storage device (alternate)

SRX650

  • Internal CF (default; always present)

  • External flash card (alternate)

  • USB storage device (alternate)

With the dual-root partitioning scheme, the SRX Series Firewall first tries to boot Junos OS from the primary root partition and then from the backup root partition on the default storage media. If both primary and backup root partitions of a media fail to boot, then the SRX Series Firewall tries to boot from the next available type of storage media. The SRX Series Firewall remains fully functional even if it boots Junos OS from the backup root partition of the storage media.

Important Features of the Dual-Root Partitioning Scheme

The dual-root partitioning scheme has the following important features:

  • The primary and backup copies of Junos OS images reside in separate partitions. The partition containing the backup copy is mounted only when required. With the single-root partitioning scheme, there is one root partition that contains both the primary and the backup Junos OS images.

  • The request system software add command for a Junos OS package erases the contents of the other root partition. The contents of the other root partition will not be valid unless software installation is completed successfully.

  • Add-on packages, such as jais or jfirmware, can be reinstalled as required after a new Junos OS image is installed.

  • The request system software rollback command does not delete the current Junos OS image. It is possible to switch back to the image by issuing the rollback command again.

  • The request system software delete-backup and request system software validate commands do not take any action.

Understanding Automatic Recovery of the Primary Junos OS Image with Dual-Root Partitioning

The auto-snapshot feature repairs the corrupted primary root when the device reboots from the alternate root. This is accomplished by taking a snapshot of the alternate root onto the primary root automatically rather than manually from the CLI.

When this feature is enabled, and the device reboots from the alternate root (because of a corrupted primary root or power cycle during restart), the following actions take place:

  1. A prominent message is displayed indicating a failure to boot from the primary root.

  2. A system boot from backup root alarm is set. This is useful for devices that do not have console access.

  3. A snapshot of the alternate root onto the primary root is made.

  4. Once the snapshot is complete, the system boot from backup root alarm is cleared.

During the next reboot, the system determines the good image on the primary root and boots normally.

Note:

We recommend performing the snapshot once all the processes start. This is done to avoid any increase in the reboot time.

Note:

  • Auto-snapshot feature is supported on SRX300, SRX320, SRX340, SRX345, SRX380, and SRX550M devices.

  • By default the auto-snapshot feature is disabled.

  • If you do not maintain the same version of Junos OS in both partitions, ensure that the automatic snapshot feature remains disabled. Otherwise, if you have an earlier version of Junos OS in the alternate partition and the system reboots from the alternate root partition, the automatic snapshot feature causes the later Junos OS version to be replaced with the earlier version.

  • When automatic snapshot is disabled and the system reboots from the alternate root partition, it triggers an alarm indicating that the system has rebooted from its alternate partition.

Enable this feature with the set system auto-snapshot command. Once the primary root partition is recovered using this method, the device will successfully boot from the primary root partition on the next reboot.

Execute the delete system auto-snapshot command to delete all backed up data and disable auto-snapshot, if required.

Use the show system auto-snapshot command to check the auto-snapshot status.

When auto-snapshot is in progress, you cannot run a manual snapshot command concurrently and the following error message appears:

Note:

If you log into the device when the snapshot is in progress, the following banner appears: The device has booted from the alternate partition, auto-snapshot is in progress.

Understanding How the Primary Junos OS Image with Dual-Root Partitioning Recovers Devices

If the SRX Series Services Gateway is unable to boot from the primary Junos OS image, and boots up from the backup Junos OS image in the backup root partition, a message appears on the console at the time of login indicating that the device has booted from the backup Junos OS image.

Because the system is left with only one functional root partition, you must immediately restore the primary Junos OS image using one of the following methods:

  • Install a new image using the CLI or J-Web user interface. The newly installed image will become the primary image, and the device will boot from it on the next reboot.

  • Use a snapshot of the backup root partition by entering the request system snapshot slice alternate command. Once the primary root partition is recovered using this method, the device will successfully boot from the primary root partition on the next reboot. After the procedure, the primary root partition will contain the same version of Junos OS as the backup root partition. Once the snapshot is complete, the system boot from backup root alarm is cleared.

    Note:

    You can use the CLI command request system snapshot slice alternate to back up the currently running root file system (primary or secondary) to the other root partition on the system along with following:

    • Save an image of the primary root partition in the backup root partition when the system boots from the primary root partition.

    • Save an image of the backup root partition in the primary root partition when the system boots from the backup root partition.

    Warning:

    The process of restoring the alternate root by using the CLI command request system snapshot slice alternate takes several minutes to complete. If you terminate the operation before completion, the alternate root might not have all required contents to function properly.

Understanding How Junos OS Release 10.0 or Later Upgrades with Dual-Root Partitioning

Note:

If you are upgrading to Junos OS Release 10.0 without transitioning to dual-root partitioning, use the conventional CLI and J-Web user interface installation methods.

To format the media with dual-root partitioning while upgrading to Junos OS Release 10.0 or later, use one of the following installation methods:

Note:

After upgrading to Junos OS Release 10.0 or later, the U-boot and boot loader must be upgraded for the dual-root partitioning scheme to work properly.

Dual-Root and Single-Root Partitioning (SRX Series Only)

SRX Series Firewalls that ship from the factory with Junos OS Release 10.0 or later are formatted with the dual-root partitioning scheme.

Note:

Junos OS Release 12.1X45 and later do not support single-root partitioning.
Note:

SRX100, SRX110, SRX210, SRX220, and SRX240 devices with 2 GB RAM cannot be upgraded to any Junos OS 12.1X46 Release after 12.1X46-D65. Attempting to upgrade to this release on devices with 2 GB RAM will trigger the following error: ERROR: Unsupported platform for 12.1X46 releases after 12.1X46-D65

Existing SRX Series Firewalls that are running Junos OS Release 9.6 or earlier use the single-root partitioning scheme. While upgrading these devices to Junos OS Release 10.0 or later, you can choose to format the storage media with dual-root partitioning (strongly recommended) or retain the existing single-root partitioning.

Certain Junos OS upgrade methods format the internal media before installation, whereas other methods do not. To install Junos OS Release 10.0 or later with the dual-root partitioning scheme, you must use an upgrade method that formats the internal media before installation.

Note:

If you are upgrading to Junos OS Release 10.0 without transitioning to dual-root partitioning, use the conventional CLI and J-Web user interface installation methods.

These upgrade methods format the internal media before installation:

  • Installation from the boot loader using a TFTP server

  • Installation from the boot loader using a USB storage device

  • Installation from the CLI using the partition option (available in Junos OS Release 10.0)

  • Installation using the J-Web user interface

These upgrade methods retain the existing partitioning scheme:

  • Installation using the CLI

  • Installation using the J-Web user interface

CAUTION:

Upgrade methods that format the internal media before installation wipe out the existing contents of the media. Only the current configuration is preserved. Any important data must be backed up before starting the process.
Note:

Once the media has been formatted with the dual-root partitioning scheme, you can use conventional CLI or J-Web user interface installation methods, which retain the existing partitioning and contents of the media, for subsequent upgrades.

Reinstalling the Single-Root Partition on SRX Series Firewalls

Junos OS Release 9.6 and earlier is not compatible with the dual-root partitioning scheme. These releases can only be installed if the media is reformatted with single-root partitioning. Any attempt to install Junos OS Release 9.6 or earlier on a device with dual-root partitioning without reformatting the media will fail with an error. You must install the Junos OS Release 9.6 or earlier image from the boot loader using a TFTP server or USB storage device.

Note:

Junos OS Release 12.1X45 and later do not support single root partitioning.

Note:

You do not need to reinstall the earlier version of the boot loader if you are installing Junos OS Release 9.6.

You cannot install a Junos OS Release 9.6 or earlier package on a system with dual-root partitioning using the Junos OS CLI or J-Web. If this is attempted, an error will be returned.

You can install the Junos OS Release 9.6 (9.6R3 and 9.6R4 [only]) on a system with dual-root partitioning using request system software add command with partition option.

To reinstall the single-root partition:

  1. Enter the request system software add partition command to install the previous Junos OS version (9.6R3 and 9.6R4):

    user@host>request system software add partition

  2. Reboot the device

    user@host>request system reboot

    The previous software version gets installed after rebooting the device.

Note:

Using the request system software add CLI command with the partition option to install Junos OS Release 9.6 (9.6R3 and 9.6R4) reformats the media with single-root partitioning. This process erases the dual-root partitioning scheme from the system, so the benefits of dual-root partitioning will no longer be available.

Related Documentation

Change History Table

Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.

Release
Description
12.1X45-D10
Starting in Junos OS Release 12.1X45, single root partitioning is not supported on SRX Series Firewalls.