====== Upgrade Bock to Debian 11 (Bullseye) ======

// SUMMARY: Upgrade Bock from Debian 10 (Buster) to Debian 11 (Bullseye) //

====== Notes of work performed ======

// SUMMARY: As work is performed, record here //

[[ Step 1 ]] - Create Bock Clone

===== Goal =====

During our recent discussions on the SysAdmin Mailing List, the decision was made to upgrade ''bock.sluug.org'' from Debian 10 (Buster) to Debian 11 (Bullseye). Both of these Debian versions support Mailman 2.x.

==== Out of Scope ====

[[replace_mailman_2|Upgrading from Mailman 2 to Mailman 3]] is out of scope for this task. Debian 11 (Bullseye) still supports Mailman 2.x, so we can proceed with the upgrade to Debian 11 without making any major changes to Mailman. Once we have successfully migrated to Debian 11, a [[replace_mailman_2|separate effort]] will be made to upgrade from Mailman 2 to Mailman 3 (or switch to a different list manager altogether).

===== Configuration Details =====

  * **Hostname:** bock
  * **Hypervisor:** [[https://xenproject.org/|Xen]]
  * **vCPU:** 2
  * **RAM:** 4GB
  * **Storage:**
    * xvda 50GB [System]
    * xvdb 200GB [Media]
    * xvdc 20GB [Spare]

==== Externally Accessible Ports ====

  Edited extracts from output of iptables -L (As of 12 Oct 2023)
  ------------------------------------------------------------------------
  Chain IN_public_allow (1 references)
   pkts bytes target prot source     destination
   122K 6462K ACCEPT tcp  0.0.0.0/0  tcp dpt:80 ctstate NEW,UNTRACKED
  1741K  103M ACCEPT tcp  0.0.0.0/0  tcp dpt:443 ctstate NEW,UNTRACKED
  48901 2757K ACCEPT tcp  0.0.0.0/0  tcp dpt:25 ctstate NEW,UNTRACKED
  24000 1503K ACCEPT tcp  0.0.0.0/0  tcp dpt:993 ctstate NEW,UNTRACKED
  23071 1226K ACCEPT tcp  0.0.0.0/0  tcp dpt:995 ctstate NEW,UNTRACKED
  61544 3294K ACCEPT tcp  0.0.0.0/0  tcp dpt:465 ctstate NEW,UNTRACKED
   1279 66272 ACCEPT tcp  0.0.0.0/0  tcp dpt:53 ctstate NEW,UNTRACKED
   7645  483K ACCEPT udp  0.0.0.0/0  udp dpt:53 ctstate NEW,UNTRACKED
    925 54940 ACCEPT tcp  0.0.0.0/0  tcp dpt:2206 ctstate NEW,UNTRACKED

==== Services ====

These are the important services that are running on Bock. The upgrade will not be considered successful until these services are fully operational on Debian 11.

=== External ===

  * Web - apache
  * Email - postfix, etc.
  * DNS - named
  * SSH - sshd

=== Internal ===

  * Database - mysql

===== Bock-Specific PreUpgrade Concerns/Complications =====

This section describes issues raised on the mailing lists that may need to be researched or addressed prior to execution of the Plan.

This section will only list complications that are specific to Bock. The [[https://www.debian.org/releases/bullseye/amd64/release-notes/ch-upgrading.en.html|Upgrading from Debian 10]] documentation describes many "general" steps to prepare the system for an upgrade. Things listed in the official documentation will not be duplicated here.

==== Firewall Woes ====

Way back in 2023, there was an attempt to use "ufw" to change ports, but it didn't seem to affect things, probably because the ports were previously configured with "firewalld". Some incoming connections are also blocked with "fail2ban", which is unrelated to the ufw problem.

  * firewalld = dynamically managed firewall with support for network zones
  * ufw = program for managing a Netfilter firewall
  * fail2ban = ban hosts that cause multiple authentication errors

Will we be forced to change iptables to netfilter/nftables?

==== Software of special concern: ====

  * Packages installed outside of Debian origins (As of 1 Jun 2023):
    * Dokuwiki is installed outside Debian packages: the current release is 2023-04-04a "Jack Jackrum", while SLUUG has 2018-04-22a "Greebo". Interestingly, the current version in Debian 11 is 20180422.a-2.1, while 10 has 0.0.20180422.a-2 and 12 has 20220731.a-2.
      * Perhaps switch to the Debian package when upgrading to Debian 11?
      * 20200729-0.1~bpo11+1 in backports.
    * ncpa - "Nagios Cross-Platform Agent" - Not a Debian package?
    * [[https://en.wikipedia.org/wiki/Distributed_Checksum_Clearinghouse|Distributed Checksum Clearinghouse]] - [[bock-2018-spamassassin|SLUUG installation for SpamAssassin]].
  * Abandoned, ancient, local tools, or unknown origin:
    * /srv/www/test.sluug.org/drupal-20070608/
    * /srv/www/a.sluug.org/postfixadmin-2.3.2/
    * /usr/local/*bin/
    * /usr/src/certbot/
    * Old web site CGI scripting?

==== Summary of packages without a replacement in Debian 12: ====

  * Mailman 2
    * Details discussed in depth elsewhere.
  * geoip-database-extra
    * "find the country that any IP address or hostname originates from".
    * Used by SpamAssassin to determine countries. A better system was not used before because of licensing, etc.
  * multiarch-support
    * "Transitional package to ensure multiarch compatibility".
  * ncpa
    * "Nagios Cross-Platform Agent".
    * Not a Debian package.
  * postfixadmin
    * "administrators to delegate account handling"
  * python-backports.functools-lru-cache
    * "backport of functools.lru_cache from Python 3.3 to Python 2".
  * webalizer
    * "scan web server log files ... produce usage statistics".
    * This package is in 10 and 12, but not 11.
  * libcilkrts5
    * "Intel Cilk Plus language extensions".
  * liblogging-stdlog0
    * "lightweight logging library".
    * This is a 9 package, not in 10.
  * libmpx2
    * "Intel memory protection extensions".
  * libparse-debianchangelog-perl
    * "parse Debian changelogs and output".
  * libpolkit-backend-1-0
    * "policy that allows unprivileged ... speak to privileged".

^ Currently installed on bock 2, but not exactly matched in Debian 11 ^^
^ Currently installed ^ Replacement in Debian 11 ^
| cpp-6, cpp-8 | cpp-10 |
| g++-8 | g++-10 |
| gcc-6, gcc-8 | gcc-10 |
| gcc-6-base, gcc-7-base, gcc-8-base | gcc-10-base |
| geoip-database-extra | Direct replacement not found. |
| libapache2-mod-php7.0, libapache2-mod-php7.3 | libapache2-mod-php7.4 |
| libapt-inst2.0 | Direct replacement not found. |
| libapt-pkg5.0 | libapt-pkg6.0 |
| libasan3 | libasan5 - Already installed |
| libboost-iostreams1.67.0 | libboost-iostreams1.74.0 |
| libboost-system1.67.0 | libboost-system1.74.0 |
| libcilkrts5 | Direct replacement not found. |
| libcryptsetup4 | libcryptsetup12 - Already installed |
| libcwidget3v5 | libcwidget4 |
| libdns-export162 | ? |
| libdns-export1104 | libdns-export1110 |
| libdns1104 | libdns1110 |
| libevent-2.1-6 | libevent-2.1-7 |
| libffi6 | libffi7 |
| libgc1c2 | libgc1 |
| libgcc-6-dev, libgcc-8-dev | libgcc-10-dev |
| libgdbm3 | libgdbm6 - Already installed |
| libhogweed4 | libhogweed6 |
| libicu63 | libicu67 |
| libip4tc0 | libip4tc2 |
| libip6tc0 | libip6tc2 |
| libipset11 | libipset13 |
| libisc-export1100 | libisc-export1105 |
| libisc-export160 | libisccc-export161 - Not exact name! |
| libisc1100 | libisc1105 |
| libisl15, libisl19 | libisl23 |
| libjson-c3 | libjson-c5 |
| liblinear3 | liblinear4 |
| libllvm7 | libllvm9, libllvm11, libllvm13 |
| liblogging-stdlog0 - This is a 9 package, not in 10 | Direct replacement not found. |
| libmailutils5 | libmailutils7 |
| libmpdec2 | libmpcdec6 |
| libmpfr4 | libmpfr6 - Already installed |
| libmpx2 | Direct replacement not found. |
| libnettle6 | libnettle8 |
| libnftables0 | libnftables1 |
| libparse-debianchangelog-perl | Direct replacement not found. |
| libperl5.28 | libperl5.32 |
| libpolkit-backend-1-0 | Direct replacement not found. |
| libpoppler82 | libpoppler102 |
| libprocps6, libprocps7 | libprocps8 |
| libpython-dev | libpython3-dev |
| libpython-stdlib, libpython3.7-stdlib | libpython3.9-stdlib |
| libreadline5, libreadline7 | libreadline8 |
| libruby2.5 | libruby2.7 |
| libsensors4 | libsensors5 - Already installed |
| libssl1.0.2 | libssl1.1 - Already installed |
| libstdc++-8-dev | libstdc++-10-dev |
| libubsan0 | libubsan1-amd64-cross ???? |
| libunistring0 | libunistring2 |
| linux-compiler-gcc-8-x86 | linux-compiler-gcc-10-x86 |
| linux-headers-4.19.0-??-amd64 | linux-headers-5.10.0-??-amd64 |
| linux-headers-4.19.0-??-common | linux-headers-5.10.0-??-common |
| linux-image-4.9.0-??-amd64, linux-image-4.19.0-??-amd64 | linux-image-5.10.0-??-amd64 |
| linux-kbuild-4.19 | linux-kbuild-5.10 |
| lynx-cur | lynx - Already installed |
| mailman | mailman3 - Available for Debian 10 |
| mariadb-client-10.1, mariadb-client-10.3 | mariadb-client-10.5 |
| mariadb-server-10.1, mariadb-server-10.3 | mariadb-server-10.5 |
| multiarch-support | Direct replacement not found. |
| ncpa - Not a Debian package? | Direct replacement not found. |
| perl-modules-5.24, perl-modules-5.28 | perl-modules-5.32 |
| php7.0-cli, php7.3-cli | php7.4-cli |
| php7.0-common, php7.3-common | php7.4-common |
| php7.0-imap, php7.3-imap | php7.4-imap |
| php7.0-json, php7.3-json | php7.4-json |
| php7.0-mbstring, php7.3-mbstring | php7.4-mbstring |
| php7.0-mysql, php7.3-mysql | php7.4-mysql |
| php7.0-opcache, php7.3-opcache | php7.4-opcache |
| php7.0-readline, php7.3-readline | php7.4-readline |
| postfixadmin | Direct replacement not found. |
| python-backports.functools-lru-cache | Direct replacement not found. |
| python-bs4 | python3-bs4 |
| python-certbot-apache | python3-certbot-apache - Already inst |
| python-chardet | python3-chardet - Already installed |
| python-dnspython | python3-dnspython - Already installed |
| python-html5lib | python3-html5lib |
| python-lxml | python3-lxml |
| python-minimal | python3-minimal - Already installed |
| python-pbr | python3-pbr - Already installed |
| python3.7 | python3.9 |
| python3.5-minimal, python3.7-minimal | python3.9-minimal |
| ruby2.5 | ruby2.7 |
| webalizer | Direct replacement not found. |

===== Plan =====

This section describes our plan to upgrade Bock to Debian 11.

  - Review documentation linked in the References section.
  - Create a clone of Bock (Bock-Clone)
  - Upgrade Bock-Clone by following the [[https://www.debian.org/releases/bullseye/amd64/release-notes/ch-upgrading.en.html|Upgrading from Debian 10]] documentation.
  - Document all actions taken in the Procedure section.
  - (?) Simulate Upgrade failure on Bock-Clone to document Rollback Procedure
  - Upgrade Bock by performing the steps listed in Procedure section.
  - Ensure important services are fully functional on Debian 11.
  - (If necessary) Rollback using Backout Plan.

==== Procedure ====

This section will contain all actions that need to be performed to execute the Plan.

=== Service Validation ===

This section will contain all the actions that need to be performed to ensure the important services are fully operational after the upgrade.

===== Backout Plan =====

This section describes our plan for restoring Bock to a working Debian 10 state, if the upgrade goes poorly and needs to be reverted.

  - (?) Rollback VM Snapshot
  - (?) Restore VM from backup

==== Backout Procedure ====

This section will contain all actions that need to be performed to execute the Backout Plan.

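The check below is an added example, not part of SLUUG's documented procedure: for the Service Validation step it extracts the protocol/port pairs from a listing in the format shown under Externally Accessible Ports and reports any difference between the pre-upgrade baseline and the post-upgrade rules, which can also inform the decision to invoke the Backout Plan. The function names ''allowed_ports'' and ''port_drift'' and the post-upgrade listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: detect drift in externally allowed ports across the upgrade.
# Function names and the AFTER listing are constructed for illustration.

# Read an iptables listing on stdin; print "proto/port" for every ACCEPT rule
# that has a dpt: match, sorted and de-duplicated.
allowed_ports() {
    awk '{
        accept = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "ACCEPT") accept = 1
            if (accept && $i ~ /^dpt:[0-9]+$/) print $(i - 1) "/" substr($i, 5)
        }
    }' | LC_ALL=C sort -u
}

# port_drift BASELINE CURRENT: print "+proto/port" for ports opened since the
# baseline and "-proto/port" for ports no longer allowed. No output = no drift.
port_drift() {
    base=$(mktemp); cur=$(mktemp)
    printf '%s\n' "$1" | allowed_ports > "$base"
    printf '%s\n' "$2" | allowed_ports > "$cur"
    LC_ALL=C comm -13 "$base" "$cur" | sed 's/^/+/'
    LC_ALL=C comm -23 "$base" "$cur" | sed 's/^/-/'
    rm -f "$base" "$cur"
}

# Baseline: the rows from the page's 12 Oct 2023 extract.
BEFORE='Chain IN_public_allow (1 references)
pkts bytes target prot source destination
122K 6462K ACCEPT tcp 0.0.0.0/0 tcp dpt:80 ctstate NEW,UNTRACKED
1741K 103M ACCEPT tcp 0.0.0.0/0 tcp dpt:443 ctstate NEW,UNTRACKED
48901 2757K ACCEPT tcp 0.0.0.0/0 tcp dpt:25 ctstate NEW,UNTRACKED
24000 1503K ACCEPT tcp 0.0.0.0/0 tcp dpt:993 ctstate NEW,UNTRACKED
23071 1226K ACCEPT tcp 0.0.0.0/0 tcp dpt:995 ctstate NEW,UNTRACKED
61544 3294K ACCEPT tcp 0.0.0.0/0 tcp dpt:465 ctstate NEW,UNTRACKED
1279 66272 ACCEPT tcp 0.0.0.0/0 tcp dpt:53 ctstate NEW,UNTRACKED
7645 483K ACCEPT udp 0.0.0.0/0 udp dpt:53 ctstate NEW,UNTRACKED
925 54940 ACCEPT tcp 0.0.0.0/0 tcp dpt:2206 ctstate NEW,UNTRACKED'

# Constructed post-upgrade listing: the 995 rule is lost and the internal
# MySQL port 3306 has become reachable from outside.
AFTER=$(printf '%s\n' "$BEFORE" | sed '/dpt:995 /d'
        echo '0 0 ACCEPT tcp 0.0.0.0/0 tcp dpt:3306 ctstate NEW,UNTRACKED')

port_drift "$BEFORE" "$AFTER"
```

On Bock itself, the two arguments would be the saved ''iptables -L'' output captured before and after the upgrade; any line of output is a port to investigate before the upgrade is declared successful.
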
===== References =====

Debian 10 (Buster) Long Term Support (LTS) End of Life is 30 June 2024:
  * [[https://endoflife.date/debian]]

[[https://www.debian.org/releases/buster/|Debian 10 (Buster)]]
  * [[https://packages.debian.org/buster/mailman|Mailman Version in Package Archive]]

[[https://www.debian.org/releases/bullseye/|Debian 11 (Bullseye)]]
  * [[https://www.debian.org/releases/bullseye/amd64/release-notes/index|Release Notes]]
  * [[https://www.debian.org/releases/bullseye/errata|Errata]]
  * [[https://www.debian.org/releases/bullseye/amd64/release-notes/ch-upgrading.en.html|Upgrading from Debian 10]]
  * [[https://www.debian.org/releases/oldstable/amd64/release-notes/ch-information.en.html|Issues to be aware of]]
  * [[https://packages.debian.org/bullseye/mailman3|Mailman Version in Package Archive]]

[[https://raphaelhertzog.com/mastering-debian/|Mastering Debian and Ubuntu]]