====== Upgrade Bock to Debian 11 (Bullseye) ======

// SUMMARY: Upgrade Bock from Debian 10 (Buster) to Debian 11 (Bullseye) //

====== Notes of work performed ======

// SUMMARY: As work is performed, record here //

[[ Step 1 ]] - Create Bock Clone

===== Goal =====

During our recent discussions on the SysAdmin Mailing List, the decision was made to upgrade ''bock.sluug.org'' from Debian 10 (Buster) to Debian 11 (Bullseye). Both of these Debian versions support Mailman 2.x.

==== Out of Scope ====

[[replace_mailman_2|Upgrading from Mailman 2 to Mailman 3]] is out of scope for this task. Debian 11 (Bullseye) still supports Mailman 2.x. We can proceed with the upgrade to Debian 11 without making any major changes to mailman.

Once we are successfully migrated to Debian 11, a [[replace_mailman_2|separate effort]] will be made to upgrade from Mailman 2 to Mailman 3 (or switch to a different list manager altogether).

===== Configuration Details =====

  * **Hostname:** bock
  * **Hypervisor:** [[https://xenproject.org/|Xen]]
  * **vCPU:** 2
  * **RAM:** 4GB
  * **Storage:**
    * xvda 50GB [System]
    * xvdb 200GB [Media]
    * xvdc 20GB [Spare]

==== Externally Accessible Ports ====

Edited extracts from output of ''iptables -L'' (As of 12 Oct 2023)

------------------------------------------------------------------------

  Chain IN_public_allow (1 references)
   pkts bytes target prot source     destination
   122K 6462K ACCEPT tcp  0.0.0.0/0  tcp dpt:80 ctstate NEW,UNTRACKED
  1741K  103M ACCEPT tcp  0.0.0.0/0  tcp dpt:443 ctstate NEW,UNTRACKED
  48901 2757K ACCEPT tcp  0.0.0.0/0  tcp dpt:25 ctstate NEW,UNTRACKED
  24000 1503K ACCEPT tcp  0.0.0.0/0  tcp dpt:993 ctstate NEW,UNTRACKED
  23071 1226K ACCEPT tcp  0.0.0.0/0  tcp dpt:995 ctstate NEW,UNTRACKED
  61544 3294K ACCEPT tcp  0.0.0.0/0  tcp dpt:465 ctstate NEW,UNTRACKED
   1279 66272 ACCEPT tcp  0.0.0.0/0  tcp dpt:53 ctstate NEW,UNTRACKED
   7645  483K ACCEPT udp  0.0.0.0/0  udp dpt:53 ctstate NEW,UNTRACKED
    925 54940 ACCEPT tcp  0.0.0.0/0  tcp dpt:2206 ctstate NEW,UNTRACKED

==== Services ====
These are the important services that are running on Bock. The upgrade will not be considered successful until these services are fully operational on Debian 11.

=== External ===

  * Web - apache
  * Email - postfix, dovecot, clamav, spamassassin, etc.
  * DNS - unpublished master for SLUUG domains w/named
  * SSH - sshd

=== Internal ===

  * Database - mysql

===== Bock-Specific PreUpgrade Concerns/Complications =====

This section describes issues raised on the mailing lists that may need to be researched or addressed prior to execution of the Plan.

This section will only list complications that are specific to Bock. The [[https://www.debian.org/releases/bullseye/amd64/release-notes/ch-upgrading.en.html|Upgrading from Debian 10]] documentation describes many "general" steps to prepare the system for an upgrade. Things listed in the official documentation will not be duplicated here.

==== Firewall Woes ====

Way back in 2023, there was an attempt to use "ufw" to change ports, but it didn't seem to affect things, probably because the ports were previously configured with "firewalld". Some incoming connections are also being blocked with "fail2ban", which is unrelated to the ufw problem.

  firewalld = dynamically managed firewall with support for network zones
  ufw = program for managing a Netfilter firewall
  fail2ban = ban hosts that cause multiple authentication errors

Will we be forced to change iptables to netfilter/nftables?

==== Software of special concern: ====

  * Packages installed outside of Debian origins (As of 1 Jun 2023):
    * Dokuwiki is installed outside Debian packages: Current is 2023-04-04a "Jack Jackrum", SLUUG has 2018-04-22a "Greebo". Interestingly, the current in Debian 11 is 20180422.a-2.1, while 10 has 0.0.20180422.a-2 and 12 has 20220731.a-2.
      * Perhaps switch to the Debian package when upgrading to Debian 11?
      * 20200729-0.1~bpo11+1 in backports.
    * ncpa - "Nagios Cross-Platform Agent" - Not a Debian package?
    * [[https://en.wikipedia.org/wiki/Distributed_Checksum_Clearinghouse|Distributed Checksum Clearinghouse]] - [[bock-2018-spamassassin|SLUUG installation for SpamAssassin]].
  * Abandoned, ancient, local tools, or unknown origin:
    * /srv/www/test.sluug.org/drupal-20070608/
    * /srv/www/a.sluug.org/postfixadmin-2.3.2/
    * /usr/local/*bin/
    * /usr/src/certbot/
    * Old web site CGI scripting?

==== Summary of packages without a replacement in Debian 12: ====

  * Mailman 2
    * Details discussed in depth elsewhere.
  * geoip-database-extra
    * "find the country that any IP address or hostname originates from".
    * Used by SpamAssassin to determine countries. A better system was not used before because of licensing, etc.
  * multiarch-support
    * "Transitional package to ensure multiarch compatibility".
  * ncpa
    * "Nagios Cross-Platform Agent".
    * Not a Debian package.
  * postfixadmin
    * "administrators to delegate account handling"
  * python-backports.functools-lru-cache
    * "backport of functools.lru_cache from Python 3.3 to Python 2".
  * webalizer
    * "scan web server log files ... produce usage statistics".
    * This package is in 10 and 12, but not 11.
  * libcilkrts5
    * "Intel Cilk Plus language extensions".
  * liblogging-stdlog0
    * "lightweight logging library".
    * This is a 9 package, not in 10.
  * libmpx2
    * "Intel memory protection extensions".
  * libparse-debianchangelog-perl
    * "parse Debian changelogs and output".
  * libpolkit-backend-1-0
    * "policy that allows unprivileged ... speak to privileged".

^ Currently installed on bock 2, but not exactly matched in Debian 11 ^^
^ Currently installed ^ Replacement in Debian 11 ^
| cpp-6, cpp-8 | cpp-10 |
| g++-8 | g++-10 |
| gcc-6, gcc-8 | gcc-10 |
| gcc-6-base, gcc-7-base, gcc-8-base | gcc-10-base |
| geoip-database-extra | Direct replacement not found. |
| libapache2-mod-php7.0, libapache2-mod-php7.3 | libapache2-mod-php7.4 |
| libapt-inst2.0 | Direct replacement not found. |
| libapt-pkg5.0 | libapt-pkg6.0 |
| libasan3 | libasan5 - Already installed |
| libboost-iostreams1.67.0 | libboost-iostreams1.74.0 |
| libboost-system1.67.0 | libboost-system1.74.0 |
| libcilkrts5 | Direct replacement not found. |
| libcryptsetup4 | libcryptsetup12 - Already installed |
| libcwidget3v5 | libcwidget4 |
| libdns-export162 | ? |
| libdns-export1104 | libdns-export1110 |
| libdns1104 | libdns1110 |
| libevent-2.1-6 | libevent-2.1-7 |
| libffi6 | libffi7 |
| libgc1c2 | libgc1 |
| libgcc-6-dev, libgcc-8-dev | libgcc-10-dev |
| libgdbm3 | libgdbm6 - Already installed |
| libhogweed4 | libhogweed6 |
| libicu63 | libicu67 |
| libip4tc0 | libip4tc2 |
| libip6tc0 | libip6tc2 |
| libipset11 | libipset13 |
| libisc-export1100 | libisc-export1105 |
| libisc-export160 | libisccc-export161 - Not exact name! |
| libisc1100 | libisc1105 |
| libisl15, libisl19 | libisl23 |
| libjson-c3 | libjson-c5 |
| liblinear3 | liblinear4 |
| libllvm7 | libllvm9, libllvm11, libllvm13 |
| liblogging-stdlog0 - This is a 9 package, not in 10 | Direct replacement not found. |
| libmailutils5 | libmailutils7 |
| libmpdec2 | libmpcdec6 |
| libmpfr4 | libmpfr6 - Already installed |
| libmpx2 | Direct replacement not found. |
| libnettle6 | libnettle8 |
| libnftables0 | libnftables1 |
| libparse-debianchangelog-perl | Direct replacement not found. |
| libperl5.28 | libperl5.32 |
| libpolkit-backend-1-0 | Direct replacement not found. |
| libpoppler82 | libpoppler102 |
| libprocps6, libprocps7 | libprocps8 |
| libpython-dev | libpython3-dev |
| libpython-stdlib, libpython3.7-stdlib | libpython3.9-stdlib |
| libreadline5, libreadline7 | libreadline8 |
| libruby2.5 | libruby2.7 |
| libsensors4 | libsensors5 - Already installed |
| libssl1.0.2 | libssl1.1 - Already installed |
| libstdc++-8-dev | libstdc++-10-dev |
| libubsan0 | libubsan1-amd64-cross ???? |
| libunistring0 | libunistring2 |
| linux-compiler-gcc-8-x86 | linux-compiler-gcc-10-x86 |
| linux-headers-4.19.0-??-amd64 | linux-headers-5.10.0-??-amd64 |
| linux-headers-4.19.0-??-common | linux-headers-5.10.0-??-common |
| linux-image-4.9.0-??-amd64, linux-image-4.19.0-??-amd64 | linux-image-5.10.0-??-amd64 |
| linux-kbuild-4.19 | linux-kbuild-5.10 |
| lynx-cur | lynx - Already installed |
| mailman | mailman3 - Available for Debian 10 |
| mariadb-client-10.1, mariadb-client-10.3 | mariadb-client-10.5 |
| mariadb-server-10.1, mariadb-server-10.3 | mariadb-server-10.5 |
| multiarch-support | Direct replacement not found. |
| ncpa - Not a Debian package? | Direct replacement not found. |
| perl-modules-5.24, perl-modules-5.28 | perl-modules-5.32 |
| php7.0-cli, php7.3-cli | php7.4-cli |
| php7.0-common, php7.3-common | php7.4-common |
| php7.0-imap, php7.3-imap | php7.4-imap |
| php7.0-json, php7.3-json | php7.4-json |
| php7.0-mbstring, php7.3-mbstring | php7.4-mbstring |
| php7.0-mysql, php7.3-mysql | php7.4-mysql |
| php7.0-opcache, php7.3-opcache | php7.4-opcache |
| php7.0-readline, php7.3-readline | php7.4-readline |
| postfixadmin | Direct replacement not found. |
| python-backports.functools-lru-cache | Direct replacement not found. |
| python-bs4 | python3-bs4 |
| python-certbot-apache | python3-certbot-apache - Already inst |
| python-chardet | python3-chardet - Already installed |
| python-dnspython | python3-dnspython - Already installed |
| python-html5lib | python3-html5lib |
| python-lxml | python3-lxml |
| python-minimal | python3-minimal - Already installed |
| python-pbr | python3-pbr - Already installed |
| python3.7 | python3.9 |
| python3.5-minimal, python3.7-minimal | python3.9-minimal |
| ruby2.5 | ruby2.7 |
| webalizer | Direct replacement not found. |

===== Plan =====

This section describes our plan to upgrade Bock to Debian 11.

  - Review documentation linked in the References section.
  - Create a clone of Bock (Bock-Clone)
  - Upgrade Bock-Clone by following the [[https://www.debian.org/releases/bullseye/amd64/release-notes/ch-upgrading.en.html|Upgrading from Debian 10]] documentation.
  - Document all actions taken in the Procedure section.
  - (?) Simulate Upgrade failure on Bock-Clone to document Rollback Procedure
  - Upgrade Bock by performing the steps listed in Procedure section.
  - Ensure important services are fully functional on Debian 11.
  - (If necessary) Rollback using Backout Plan.

==== Procedure ====

This section will contain all actions that need to be performed to execute the Plan.

=== Service Validation ===

This section will contain all the actions that need to be performed to ensure the important services are fully operational after the upgrade.

===== Backout Plan =====

This section describes our plan for restoring Bock to a working Debian 10 state, if the upgrade goes poorly and needs to be reverted.

  - Clone Bock2 at each step
  - If the upgrade fails, the previous version is still available

===== Step 1 - Upgrade Bock2 Clone 0 =====

==== Start with basic procedure ====

https://linuxize.com/post/how-to-upgrade-debian-10-to-debian-11/

Update / Upgrade prior to changing sources list

''apt update && apt upgrade -y''

''sudo apt full-upgrade''

''apt autoremove''

Modify the sources.list

''vim /etc/apt/sources.list''

When finished editing, the file should look like the contents below:

  deb http://deb.debian.org/debian bullseye main
  deb-src http://deb.debian.org/debian bullseye main
  deb http://security.debian.org/debian-security bullseye-security main
  deb-src http://security.debian.org/debian-security bullseye-security main
  deb http://deb.debian.org/debian bullseye-updates main
  deb-src http://deb.debian.org/debian bullseye-updates main

This is what the sources.list looks like after the upgrade:

  #
  # deb cdrom:[Debian GNU/Linux 9.4.0 _Stretch_ - Official amd64 NETINST 20180310-11:21]/ stretch main
  #deb cdrom:[Debian GNU/Linux 9.4.0 _Stretch_ - Official amd64 NETINST 20180310-11:21]/ stretch main
  deb http://ftp.us.debian.org/debian/ bullseye main
  deb-src http://ftp.us.debian.org/debian/ bullseye main
  deb https://security.debian.org/debian-security bullseye-security main
  deb-src https://security.debian.org/debian-security bullseye-security main
  # stretch-updates, previously known as 'volatile'
  deb http://ftp.us.debian.org/debian/ bullseye-updates main
  deb-src http://ftp.us.debian.org/debian/ bullseye-updates main
  # Backports for Certbot
  #deb http://ftp.debian.org/debian bullseye-backports main

Update with new sources

''apt update && apt upgrade -y''

During the upgrade process you will be prompted:

1. Services to restart: ''cron atd''

Choose **Ok**

2. apparmor question: ''N''

3. sysctl file: ''Y''

We chose to take the new file for updated comments, but we need to modify ''/etc/sysctl.conf'' to add back the following config.

''net.ipv6.conf.all.disable_ipv6=1''

4. All SpamAssassin questions: ''N''

5. SSH CLIENT - ssh_config question: ''Y''

This will wipe out the change below; we decided that is OK.

''Port 2206''

6. SSH Server Config - sshd_config question:

Choose the three-way merge option

Open the file with ''vim /etc/ssh/sshd_config.merge-error''

Re-instate Port and AddressFamily lines and clean up the merge output.

Copy the cleaned up file into place.

''cp /etc/ssh/sshd_config.merge-error /etc/ssh/sshd_config''

Choose keep the local version.
Choose services to be restarted: ''None''

Reboot the system

''reboot''

==== Check services ====

''curl http://bock2.sluug.org''

===== References =====

Debian 10 ( Buster ) Long Term Support ( LTS ) End of Life is 30 June 2024:
  * [[https://endoflife.date/debian]]

[[https://www.debian.org/releases/buster/|Debian 10 (Buster)]]
  * [[https://packages.debian.org/buster/mailman|Mailman Version in Package Archive]]

[[https://www.debian.org/releases/bullseye/|Debian 11 (Bullseye)]]
  * [[https://www.debian.org/releases/bullseye/amd64/release-notes/index|Release Notes]]
  * [[https://www.debian.org/releases/bullseye/errata|Errata]]
  * [[https://www.debian.org/releases/bullseye/amd64/release-notes/ch-upgrading.en.html|Upgrading from Debian 10]]
  * [[https://www.debian.org/releases/oldstable/amd64/release-notes/ch-information.en.html|Issues to be aware of]]
  * [[https://packages.debian.org/bullseye/mailman3|Mailman Version in Package Archive]]

[[https://raphaelhertzog.com/mastering-debian/|Mastering Debian and Ubuntu]]
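
Added example (not part of the original notes): prompts 3 and 6 in Step 1 replace ''/etc/sysctl.conf'' and merge ''sshd_config'', so this script checks that the settings named there (''net.ipv6.conf.all.disable_ipv6=1'', ''Port 2206'', an ''AddressFamily'' line) are still active afterwards. The function names are hypothetical and the sample files are constructed.

```shell
# has_sysctl FILE KEY VALUE: true if the last uncommented assignment of KEY
# in FILE equals VALUE (later lines override earlier ones).
has_sysctl() {
    awk -v k="$2" -v v="$3" '
        /^[ \t]*[#;]/ { next }                      # comment lines
        {
            line = $0
            gsub(/[ \t]/, "", line)                 # spaces around "=" are allowed
            n = index(line, "=")
            if (n && substr(line, 1, n - 1) == k) { last = substr(line, n + 1); seen = 1 }
        }
        END { exit !(seen && (last "") == (v "")) }' "$1"
}

# sshd_global FILE KEYWORD: print every value set for KEYWORD in the global
# part of an sshd_config (keywords are case-insensitive; lines after the
# first Match block are conditional and are ignored here).
sshd_global() {
    awk -v want="$2" '
        /^[ \t]*#/ { next }
        { sub(/=/, " ") }                           # "Keyword=value" form
        tolower($1) == "match" { exit }
        tolower($1) == tolower(want) { print $2 }' "$1"
}

# check_upgrade_drift SYSCTL_CONF SSHD_CONFIG: report settings lost in the upgrade.
check_upgrade_drift() {
    rc=0
    has_sysctl "$1" net.ipv6.conf.all.disable_ipv6 1 ||
        { echo "MISSING: net.ipv6.conf.all.disable_ipv6=1 in $1"; rc=1; }
    sshd_global "$2" Port | grep -qx 2206 ||
        { echo "MISSING: Port 2206 in $2"; rc=1; }
    [ -n "$(sshd_global "$2" AddressFamily)" ] ||
        { echo "MISSING: AddressFamily in $2"; rc=1; }
    return $rc
}

# Constructed sample: both files as they look right after taking the package versions.
demo_dir=$(mktemp -d)
printf '%s\n' '# kernel settings' '#net.ipv6.conf.all.disable_ipv6=1' > "$demo_dir/sysctl.conf"
printf '%s\n' '#Port 22' '#AddressFamily any' 'PermitRootLogin no' > "$demo_dir/sshd_config"
check_upgrade_drift "$demo_dir/sysctl.conf" "$demo_dir/sshd_config" || echo "drift detected"
rm -rf "$demo_dir"
```

On the upgraded clone, run ''check_upgrade_drift /etc/sysctl.conf /etc/ssh/sshd_config'' before the reboot.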
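
Added example (not from the original notes) for the Service Validation section: it compares the sockets reported by ''ss -H -tuln'' with the ports in the ''IN_public_allow'' extract, so a service that did not come back, or one that moved to a different port, shows up immediately. Function names and the sample ''ss'' output are constructed for illustration.

```shell
# Ports accepted in IN_public_allow per the iptables extract (proto/port).
EXPECTED="tcp/80 tcp/443 tcp/25 tcp/993 tcp/995 tcp/465 tcp/53 udp/53 tcp/2206"

# listeners: read `ss -H -tuln` output on stdin and print proto/port for every
# socket bound to a non-loopback address (loopback-only services such as a
# local database are not externally reachable and are skipped).
listeners() {
    awk '{
        addr = $5                                   # Local Address:Port column
        port = addr; sub(/.*:/, "", port)           # text after the last colon
        host = substr(addr, 1, length(addr) - length(port) - 1)
        if (host ~ /^127\./ || host == "[::1]") next
        print $1 "/" port
    }' | sort -u
}

# compare_ports: stdin = ss output. Prints MISSING for an allowed port with no
# listener and EXTRA for a listener outside the allow list; returns 1 on MISSING.
compare_ports() {
    found=$(listeners)
    rc=0
    for p in $EXPECTED; do
        echo "$found" | grep -qxF "$p" || { echo "MISSING $p"; rc=1; }
    done
    for p in $found; do
        case " $EXPECTED " in *" $p "*) ;; *) echo "EXTRA $p" ;; esac
    done
    return $rc
}

# Constructed sample: sshd lost its Port line and fell back to port 22.
sample_ss() { cat <<'EOF'
tcp LISTEN 0 511 *:80 *:*
tcp LISTEN 0 511 *:443 *:*
tcp LISTEN 0 100 0.0.0.0:25 0.0.0.0:*
tcp LISTEN 0 100 0.0.0.0:465 0.0.0.0:*
tcp LISTEN 0 100 *:993 *:*
tcp LISTEN 0 100 *:995 *:*
tcp LISTEN 0 10 192.0.2.10:53 0.0.0.0:*
udp UNCONN 0 0 192.0.2.10:53 0.0.0.0:*
tcp LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
tcp LISTEN 0 128 [::]:22 [::]:*
EOF
}

sample_ss | compare_ports || echo "service validation failed"
```

On the upgraded host the same check is ''ss -H -tuln | compare_ports''.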