NethServer · m-dilorenzi · May 8, 2026 · May 11, 2026 · May 12, 2026 · May 13, 2026
diff --git a/.agents/skills/openwrt-package/SKILL.md b/.agents/skills/openwrt-package/SKILL.md
@@ -194,7 +194,7 @@ Existing files are grandfathered; see `ruff.toml` in the repo root for details.
 After building the `.ipk`:
 
 1. Copy to a live NethSecurity device
-2. Install: `opkg install ns-myapp_<version>_all.ipk`
+2. Install: `apk add ns-myapp_<version>_all.ipk`
 3. Test functionality manually
 4. Check logs: `logread | grep ns-myapp`
 

diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -30,7 +30,7 @@ assignees: ''
 // Fill with NethSecurity version number, like: Image version: 8-23.05.5-ns.1.3.0
 // If possible, add relevant package versions. 
 // You can find the package versions typing in a shell prompt
-// opkg list ns-\* | sort
+// apk list ns-\* | sort
 //
 // Also take a look to the troubleshooting guide: https://docs.nethsecurity.org/en/latest/troubleshooting.html
 

diff --git a/config/luci.conf b/config/luci.conf
@@ -4,7 +4,6 @@ CONFIG_PACKAGE_liblucihttp=y
 CONFIG_PACKAGE_liblucihttp-lua=y
 CONFIG_PACKAGE_luci=y
 CONFIG_PACKAGE_luci-app-firewall=y
-CONFIG_PACKAGE_luci-app-opkg=y
 CONFIG_PACKAGE_luci-base=y
 CONFIG_PACKAGE_luci-lib-base=y
 CONFIG_PACKAGE_luci-lib-ip=y

diff --git a/docs/design/distfeed.md b/docs/design/distfeed.md
@@ -80,34 +80,34 @@ Updates are pushed to the subscription channel after one week from the release d
 If you have a machine with a valid subscription and want to force an update, you can use the following commands:
 
 ```bash
-cp /etc/opkg/customfeeds.conf /etc/opkg/customfeeds.conf.ori
-cat /rom/etc/opkg/distfeeds.conf | sed 's/dev/stable/g' > /etc/opkg/customfeeds.conf
-opkg update
-/bin/opkg list-upgradable | /usr/bin/cut -f 1 -d ' ' | /usr/bin/xargs -r opkg upgrade && echo "Update successful!"
+cp /etc/apk/repositories.d/customfeeds.list /etc/apk/repositories.d/customfeeds.list.ori
+cat /rom/etc/apk/repositories.d/distfeeds.list | sed 's/dev/stable/g' > /etc/apk/repositories.d/customfeeds.list
+apk update
+apk list --upgradable | grep -oP '{\w+/\K[^}]+' | /usr/bin/xargs -r apk upgrade && echo "Update successful!"
 ```
 
 The customfeed.conf file takes precedence over distfeed.conf, so you can safely
-ignore errors like `opkg_conf_parse_file: Duplicate src declaration`.
+ignore errors like `apk_conf_parse_file: Duplicate src declaration`.
 
 At the end, restore the original `customfeeds.conf`:
 ```
-mv /etc/opkg/customfeeds.conf.ori /etc/opkg/customfeeds.conf
-opkg update
+mv /etc/apk/repositories.d/customfeeds.list.ori /etc/apk/repositories.d/customfeeds.list
+apk update
 ```
 
 ## Upstream OpenWrt repositories
 
-You can add custom feeds by changing the `/etc/opkg/customfeeds.conf` file.
+You can add custom feeds by changing the `/etc/apk/repositories.d/customfeeds.list` file.
 
 To enable OpenWrt package repositories use the following commands
 ```bash
 source /etc/os-release
 VERSION=$(echo $OPENWRT_RELEASE | cut -d' ' -f3 | sed 's/^v//')
-cat << EOF > /etc/opkg/customfeeds.conf 
-src/gz core https://downloads.openwrt.org/releases/$VERSION/targets/x86/64/packages
-src/gz base https://downloads.openwrt.org/releases/$VERSION/packages/x86_64/base
-src/gz luci https://downloads.openwrt.org/releases/$VERSION/packages/x86_64/luci
-src/gz packages https://downloads.openwrt.org/releases/$VERSION/packages/x86_64/packages
-src/gz routing https://downloads.openwrt.org/releases/$VERSION/packages/x86_64/routing
+cat << EOF > /etc/apk/repositories.d/customfeeds.list
+https://downloads.openwrt.org/releases/$VERSION/targets/x86/64/packages/packages.adb
+https://downloads.openwrt.org/releases/$VERSION/packages/x86_64/base/packages.adb
+https://downloads.openwrt.org/releases/$VERSION/packages/x86_64/luci/packages.adb
+https://downloads.openwrt.org/releases/$VERSION/packages/x86_64/packages/packages.adb
+https://downloads.openwrt.org/releases/$VERSION/packages/x86_64/routing/packages.adb
 EOF
 ```
diff --git a/docs/design/doh.md b/docs/design/doh.md
@@ -12,8 +12,8 @@ This is done by using the [`https-dns-proxy`](https://openwrt.org/docs/guide-use
 The package can be installed using the following command:
 
 ```bash
-opkg update
-opkg install https-dns-proxy
+apk update
+apk add https-dns-proxy
 ```
 
 By default, the proxy listens to the `127.0.0.1:5053` and `127.0.0.1:5054` addresses. The configuration for the service can be found at the

diff --git a/docs/design/nat_helpers.md b/docs/design/nat_helpers.md
@@ -15,14 +15,14 @@ Please note that after migration, all NAT helpers are loaded
 by default to preserve NethServer 7 behavior.
 
 The `kmod-nf-nathelper` package provides the following helpers:
-`opkg files kmod-nf-nathelper | grep -e '\.ko$' | cut -d'/' -f 5 | cut -d'.' -f1`
+`apk info -L kmod-nf-nathelper 2>/dev/null | grep -e '\\.ko$' | sed 's|.*/||;s|\\.ko$||'`
 ```
 nf_nat_ftp
 nf_conntrack_ftp
 ```
 
 The `kmod-nf-nathelper-extra` package provides the following helpers:
-`opkg files kmod-nf-nathelper-extra | grep -e '\.ko$' | cut -d'/' -f 5 | cut -d'.' -f1`
+`apk info -L kmod-nf-nathelper 2>/dev/null | grep -e '\\.ko$' | sed 's|.*/||;s|\\.ko$||'`
 ```
 nf_conntrack_pptp
 nf_conntrack_broadcast

diff --git a/docs/quickstart.md b/docs/quickstart.md
@@ -38,5 +38,5 @@ The following sections/options should not be changed from the web interface:
 - Flashstart firewall rules
 - OpenVPN instances starting with `ns_` prefix
 - XFRM network interfaces
-- opkg configuration
+- apk configuration
 - Adblock configuration
diff --git a/files/usr/sbin/ns-restore-extra-packages b/files/usr/sbin/ns-restore-extra-packages
@@ -17,19 +17,32 @@ if ! ping -c 1 -W 5 8.8.8.8 >/dev/null 2>&1 && ! ping -c 1 -W 5 1.1.1.1 >/dev/nu
     exit 1
 fi
 
-opkg update
+apk update
 if [ $? -ne 0 ]; then
     echo "Failed to update package lists, will retry later"
     exit 1
 fi
 
-grep -E '\w+\s+overlay$' /etc/backup/installed_packages.txt | awk '{print $1}' | while read package; do
-    if ! opkg status "$package" | grep -q "Installed"; then
-        opkg install "$package"
-        echo "Restored package: $package"
+# Restore packages and track failures
+failed_packages=""
+
+while IFS= read -r package; do
+    if ! apk info -e "$package" > /dev/null 2>&1; then
+        apk add "$package"
+        if [ $? -eq 0 ]; then
+            echo "Restored package: $package"
+        else
+            echo "Failed to restore package: $package"
+            failed_packages="$failed_packages $package"
+        fi
     fi
-done
+done < <(grep -E '\w+\s+overlay$' /etc/backup/installed_packages.txt | awk '{print $1}')
 
-/etc/init.d/ns-restore-extra-packages stop
-/etc/init.d/ns-restore-extra-packages disable
-exit 0
+if [ -z "$failed_packages" ]; then
+    /etc/init.d/ns-restore-extra-packages stop
+    /etc/init.d/ns-restore-extra-packages disable
+    exit 0
+else
+    echo "Some packages failed to restore, will retry later"
+    exit 1
+fi
diff --git a/packages/adblock/files/adblock.sh b/packages/adblock/files/adblock.sh
diff --git a/packages/banip/files/README.md b/packages/banip/files/README.md
@@ -109,9 +109,9 @@ IP address blocking is commonly used to protect against brute force attacks, pre
 * Any previous installation of ancient banIP 0.7.x must be uninstalled, and the /etc/banip folder and the /etc/config/banip configuration file must be deleted (they are recreated when this version is installed)
 
 ## Installation & Usage
-* Update your local opkg repository (_opkg update_)
-* Install banIP (_opkg install banip_) - the banIP service is disabled by default
-* Install the LuCI companion package 'luci-app-banip' (opkg install luci-app-banip)
+* Update your local apk repository (_apk update_)
+* Install banIP (_apk add banip_) - the banIP service is disabled by default
+* Install the LuCI companion package 'luci-app-banip' (apk add luci-app-banip)
 * It's strongly recommended to use the LuCI frontend to easily configure all aspects of banIP, the application is located in LuCI under the 'Services' menu
 * To be able to use banIP in a meaningful way, you must activate the service and possibly also activate a few blocklist feeds
 * If you're using a complex network setup, e.g. special tunnel interfaces, than untick the 'Auto Detection' option under the 'General Settings' tab and set the required options manually

diff --git a/packages/checkmk-agent/README.md b/packages/checkmk-agent/README.md
@@ -24,7 +24,7 @@ For NethSecurity-specific plugins and utilities, install the complementary `ns-c
 
 ```bash
 # Install the package
-opkg install checkmk-agent
+apk add checkmk-agent
 
 # Start the service
 /etc/init.d/check_mk_agent start
@@ -87,7 +87,7 @@ uci commit firewall
 To add NethSecurity-specific plugins and utilities, install the `ns-checkmk-utils` package:
 
 ```bash
-opkg install ns-checkmk-utils
+apk add ns-checkmk-utils
 ```
 
 Plugins are stored in `/usr/lib/check_mk_agent/local` and are automatically executed by the agent.

diff --git a/packages/ns-api/files/ns.controller b/packages/ns-api/files/ns.controller
@@ -123,7 +123,7 @@ def info():
     ret["fqdn"] = get_hostname()
     ret["system_id"] = u.get("ns-plug", "config", "system_id", default="")
     ret["subscription_type"] = u.get("ns-plug", "config", "type", default="")
-    ret["api_version"] = subprocess.run(["opkg", "list-installed", "ns-api"], capture_output=True, text=True).stdout.split(" - ")[1].strip()
+    ret["api_version"] = subprocess.run(["apk", "list", "-I", "ns-api"], capture_output=True, text=True).stdout.strip().split()[0].removeprefix("ns-api-")
     return ret
 
 def add_ssh_key(ssh_key):

diff --git a/packages/ns-api/files/ns.nathelpers b/packages/ns-api/files/ns.nathelpers
@@ -1,7 +1,7 @@
 #!/usr/bin/python3
 
 #
-# Copyright (C) 2024 Nethesis S.r.l.
+# Copyright (C) 2026 Nethesis S.r.l.
 # SPDX-License-Identifier: GPL-2.0-only
 #
 
@@ -58,12 +58,12 @@ DEFAULT_PARAMS = {
 
 def get_nat_helper_names():
     nat_helpers = []
-    proc = subprocess.run("/bin/opkg files kmod-nf-nathelper | grep -e '\\.ko$' | cut -d'/' -f 5 | cut -d'.' -f1", shell=True, check=True,
+    proc = subprocess.run("/usr/bin/apk info -L kmod-nf-nathelper 2>/dev/null | grep -e '\\.ko$' | sed 's|.*/||;s|\\.ko$||'", shell=True, check=True,
                           capture_output=True, text=True)
     nat_helpers = proc.stdout.splitlines()
 
     nat_helpers_extra = []
-    proc = subprocess.run("/bin/opkg files kmod-nf-nathelper-extra | grep -e '\\.ko$' | cut -d'/' -f 5 | cut -d'.' -f1", shell=True, check=True,
+    proc = subprocess.run("/usr/bin/apk info -L kmod-nf-nathelper-extra 2>/dev/null | grep -e '\\.ko$' | sed 's|.*/||;s|\\.ko$||'", shell=True, check=True,
                           capture_output=True, text=True)
     nat_helpers_extra = proc.stdout.splitlines()
     return nat_helpers + nat_helpers_extra

diff --git a/packages/ns-api/files/ns.update b/packages/ns-api/files/ns.update
@@ -1,13 +1,14 @@
 #!/usr/bin/python3
 
 #
-# Copyright (C) 2023 Nethesis S.r.l.
+# Copyright (C) 2026 Nethesis S.r.l.
 # SPDX-License-Identifier: GPL-2.0-only
 #
 
 # Manage packages and system updates
 
 import os
+import re
 import sys
 import json
 import time
@@ -22,9 +23,11 @@ from euci import EUci
 
 def last_package_check():
     try:
-        if not os.listdir("/tmp/opkg-lists/"):
+        cache_dir = "/var/cache/apk/"
+        files = [f for f in os.listdir(cache_dir) if f.endswith(".tar.gz")]
+        if not files:
             return 0
-        return int(os.path.getmtime("/tmp/opkg-lists/"))
+        return int(max(os.path.getmtime(os.path.join(cache_dir, f)) for f in files))
     except:
         return 0
 
@@ -50,16 +53,22 @@ def check_package_updates():
     try:
         # download metadata only if they are older than 5 minutes
         if (time.time() - last_package_check()) > 300:
-            subprocess.run(["/bin/opkg", "update"], check=True, capture_output=True)
+            subprocess.run(["/usr/bin/apk", "update"], check=True, capture_output=True)
     except Exception as e:
         print(e, file=sys.stderr)
-        return utils.generic_error("opkg_update_failed")
-    p = subprocess.run(["/bin/opkg", "list-upgradable"], check=True, capture_output=True, text=True)
+        return utils.generic_error("apk_update_failed")
+    p = subprocess.run(["/usr/bin/apk", "list", "--upgradable"], check=True, capture_output=True, text=True)
     for line in p.stdout.split("\n"):
         if not line:
             continue
-        tmp = line.split(" - ")
-        ret.append({"package": tmp[0], "currentVersion": tmp[1], "latestVersion": tmp[2]})
+        m = re.match(r'^(\S+)\s+\S+\s+\{(\S+)\}.*\[upgradable from:\s+(\S+)\]', line)
+        if m:
+            full_ver = m.group(1)
+            pkg_name = m.group(2).split("/")[-1]
+            current_full_ver = m.group(3)
+            current_ver = current_full_ver.removeprefix(pkg_name + "-")  # e.g. 26.124.63982~650a6ca
+            latest_ver = full_ver.removeprefix(pkg_name + "-")
+            ret.append({"package": pkg_name, "currentVersion": current_ver, "latestVersion": latest_ver})
     # Sort the ret array by the "package" field
     ret.sort(key=lambda package: package["package"])
     return {"updates": ret}
@@ -72,7 +81,7 @@ def install_package_updates():
         out = subprocess.check_output("/usr/sbin/screen -dmS install_package_updates /usr/sbin/update-packages", shell=True)
     except Exception as e:
         print(e, file=sys.stderr)
-        return utils.generic_error("opkg_ugrade_failed")
+        return utils.generic_error("apk_upgrade_failed")
     return {"result": "success"}
 
 def check_system_update():
@@ -86,7 +95,7 @@ def check_system_update():
         response = requests.get(f"{url}/latest_release", headers={"Accept": "application/json"}, timeout=5)
         response.raise_for_status()
         version = response.text.strip()
-        if semver.Version.compare(version, current_version) > 0:
+        if semver.compare(version, current_version) > 0:
             data["lastVersion"] = f'NethSecurity {version}'
     except requests.exceptions.ConnectionError:
         return utils.generic_error("connection_error")

diff --git a/packages/ns-clm/README.md b/packages/ns-clm/README.md
@@ -32,7 +32,7 @@ reload_config
 
 ## Service management
 
-Only if the package is installed via opkg, the service must be enabled and started via the init script. If the packages is already part of the base image, the forwarder is automatically enabled and started on first boot, so no manual action is required.
+Only if the package is installed via apk, the service must be enabled and started via the init script. If the packages is already part of the base image, the forwarder is automatically enabled and started on first boot, so no manual action is required.
 
 ```bash
 # Enable and start

diff --git a/packages/ns-migration/files/scripts/nat_helpers b/packages/ns-migration/files/scripts/nat_helpers
@@ -1,20 +1,20 @@
 #!/bin/sh
 
 #
-# Copyright (C) 2024 Nethesis S.r.l.
+# Copyright (C) 2026 Nethesis S.r.l.
 # SPDX-License-Identifier: GPL-2.0-only
 #
 
 
 > /etc/modules.d/ns-nathelpers
 
 # Configure FTP helpers
-for m in $(opkg files kmod-nf-nathelper | grep -e '\.ko$' | cut -d'/' -f 5 | cut -d'.' -f1); do
+for m in $(/usr/bin/apk info -L kmod-nf-nathelper 2>/dev/null | grep -e '\\.ko$' | sed 's|.*/||;s|\\.ko$||'); do
     echo $m >> /etc/modules.d/ns-nathelpers
 done
 
 # Configure all extra helpers
-for m in $(opkg files kmod-nf-nathelper-extra | grep -e '\.ko$' | cut -d'/' -f 5 | cut -d'.' -f1); do
+for m in $(/usr/bin/apk info -L kmod-nf-nathelper-extra 2>/dev/null | grep -e '\\.ko$' | sed 's|.*/||;s|\\.ko$||'); do
     echo $m >> /etc/modules.d/ns-nathelpers
 done
 

diff --git a/packages/ns-plug/files/40_ns-plug_automatic_updates b/packages/ns-plug/files/40_ns-plug_automatic_updates
@@ -1,4 +1,4 @@
-old_cmd="sleep \$(( RANDOM % 18000 )); /bin/opkg list-upgradable | /usr/bin/cut -f 1 -d ' ' | /usr/bin/xargs -r opkg upgrade"
+old_cmd="sleep \$(( RANDOM % 18000 )); /usr/bin/apk list --upgradable | grep -oP '{\w+/\K[^}]+' | /usr/bin/xargs -r apk upgrade"
 cmd="sleep \$(( RANDOM % 18000 )); /usr/sbin/update-packages"
 
 # Remove old command from crontab and add new one

diff --git a/packages/ns-plug/files/distfeed-setup b/packages/ns-plug/files/distfeed-setup
@@ -1,7 +1,7 @@
 #!/bin/bash
 
 #
-# Copyright (C) 2024 Nethesis S.r.l.
+# Copyright (C) 2026 Nethesis S.r.l.
 # SPDX-License-Identifier: GPL-2.0-only
 #
 
@@ -12,13 +12,13 @@ base_url="$(uci -q get ns-plug.config.repository_url)"
 source /etc/os-release
 if [ -z "$version" ]; then
     version="$VERSION"
+    version="${version%%-*}"
 fi
 
-cat << EOF > /etc/opkg/distfeeds.conf
-src/gz nethsecurity_core $base_url/$version/targets/x86/64/packages
-src/gz nethsecurity_base $base_url/$version/packages/x86_64/base
-src/gz nethsecurity_luci $base_url/$version/packages/x86_64/luci
-src/gz nethsecurity_nethsecurity $base_url/$version/packages/x86_64/nethsecurity
-src/gz nethsecurity_packages $base_url/$version/packages/x86_64/packages
-src/gz nethsecurity_routing $base_url/$version/packages/x86_64/routing
+cat << EOF > /etc/apk/repositories.d/distfeeds.list
+$base_url/$version/targets/x86/64/packages/packages.adb
+$base_url/$version/packages/x86_64/base/packages.adb
+$base_url/$version/packages/x86_64/luci/packages.adb
+$base_url/$version/packages/x86_64/nethsecurity/packages.adb
+$base_url/$version/packages/x86_64/packages/packages.adb
 EOF
diff --git a/packages/ns-plug/files/inventory b/packages/ns-plug/files/inventory
@@ -1,7 +1,7 @@
 #!/usr/bin/python3
 
 #
-# Copyright (C) 2022 Nethesis S.r.l.
+# Copyright (C) 2026 Nethesis S.r.l.
 # SPDX-License-Identifier: GPL-2.0-only
 #
 
@@ -57,7 +57,7 @@ data = {
         }
     },
     "mountpoints": mount_points,
-    "rpms": { "nethserver-firewall-base-ui": _run("opkg status ns-ui | grep Version | awk '{print $2}'") },
+    "rpms": { "nethserver-firewall-base-ui": _run("apk info ns-ui 2>/dev/null | head -1 | sed 's/ns-ui-//;s/ .*//'") },
     "public_ip": inventory.info_default_ipv4(uci),
     "features": features
 }