Upgrade Bock to Debian 11 (Bullseye)

SUMMARY: Upgrade Bock from Debian 10 (Buster) to Debian 11 (Bullseye)

Notes of work performed

SUMMARY: As work is preformed, record here

Step 1 - Create Bock Clone

Goal

During our recent discussions on the SysAdmin Mailing List, the decision was made to upgrade bock.sluug.org from Debian 10 (Buster) to Debian 11 (Bullseye). Both of these Debian versions support Mailman 2.x.

Out of Scope

Upgrading from Mailman 2 to Mailman 3 is out of scope for this task. Debian 11 (Bullseye) still supports Mailman 2.x. We can proceed with the upgrade to Debian 11 without making any major changes to mailman.

Once we are successfully migrated to Debian 11, a separate effort will be made to upgrade from Mailmain 2 to Mailman 3 (or switch to a different list manager altogether).

Configuration Details

Hostname: bock
Hypervisor: Xen
vCPU: 2
RAM: 4GB
Storage:
- xvda 50GB [System]
- xvdb 200GB [Media]
- xvdc 20GB [Spare]

Externally Accessible Ports

  Edited extracts from output of iptables -L (As of 12 Oct 2023)
  ------------------------------------------------------------------------
  Chain IN_public_allow (1 references)
   pkts bytes target  prot   source     destination
   122K 6462K ACCEPT  tcp    0.0.0.0/0  tcp dpt:80 ctstate NEW,UNTRACKED
  1741K  103M ACCEPT  tcp    0.0.0.0/0  tcp dpt:443 ctstate NEW,UNTRACKED
  48901 2757K ACCEPT  tcp    0.0.0.0/0  tcp dpt:25 ctstate NEW,UNTRACKED
  24000 1503K ACCEPT  tcp    0.0.0.0/0  tcp dpt:993 ctstate NEW,UNTRACKED
  23071 1226K ACCEPT  tcp    0.0.0.0/0  tcp dpt:995 ctstate NEW,UNTRACKED
  61544 3294K ACCEPT  tcp    0.0.0.0/0  tcp dpt:465 ctstate NEW,UNTRACKED
   1279 66272 ACCEPT  tcp    0.0.0.0/0  tcp dpt:53 ctstate NEW,UNTRACKED
   7645  483K ACCEPT  udp    0.0.0.0/0  udp dpt:53 ctstate NEW,UNTRACKED
    925 54940 ACCEPT  tcp    0.0.0.0/0  tcp dpt:2206 ctstate NEW,UNTRACKED

Services

These are the important services that are running on Bock. The upgrade will not be considered successful until these services are fully operational on Debian 11.

External

Web - apache
Email - postfix, dovecot, clamav, spamasasson, etc.
DNS - unpublished master for SLUUG domains w/named
SSH - sshd

Internal

Database - mysql

Bock-Specific PreUpgrade Concerns/Complications

This section describes issues raised on the mailing lists that may need to be researched or addressed prior to execution of the Plan.

This section will only list complications that are specific to Bock. The Upgrading from Debian 10 documentation describes many "general" steps to prepare the system for an upgrade. Things listed in the official documentation will not be duplicated here.

Firewall Woes

Way back in 2023, there was an attempt to use "ufw" to change ports, but it didn't seem to affect things. Probably because ports were previously configured with "firewalld". Also blocking some incoming connections with "fail2ban", which is unrelated to the ufw problem.

  firewalld = dynamically managed firewall with support for network zones
  ufw       = program for managing a Netfilter firewall
  fail2ban  = ban hosts that cause multiple authentication errors

Will we be forced to change iptables to netfilter/nftables?

Software of special concern:

Packages installed outside of Debian origins (As of 1 Jun 2023):
- Dokuwiki is installed outside Debian packages: Current is 2023-04-04a "Jack Jackrum", SLUUG has 2018-04-22a "Greebo". Interestingly, the current in Debian 11 is 20180422.a-2.1, while 10 has 0.0.20180422.a-2 and 12 has 20220731.a-2.
  - Perhaps switch to the Debian package when upgrade to Debian 11?
  - 20200729-0.1~bpo11+1 in backports.
- ncpa - "Nagios Cross-Platform Agent" - Not a Debian package?
- Distributed Checksum Clearinghouse - SLUUG installation for SpamAssassin.
Abandoned, ancient, local tools, or unknown origin:
- /srv/www/test.sluug.org/drupal-20070608/
- /srv/www/a.sluug.org/postfixadmin-2.3.2/
- /usr/local/*bin/
- /usr/src/certbot/
- Old web site CGI scripting?

Summary of packages without a replacement in Debian 12:

Mailman 2
- Details discussed in depth elsewhere.
geoip-database-extra
- "find the country that any IP address or hostname originates from".
- Use by Spamassassin to determine countries. A better system was not used before because of licensing, etc.
multiarch-support
- "Transitional package to ensure multiarch compatibility".
ncpa
- "Nagios Cross-Platform Agent".
- Not a Debian package.
postfixadmin
- "administrators to delegate account handling"
python-backports.functools-lru-cache
- "backport of functools.lru_cache from Python 3.3 to Python 2".
webalizer
- "scan web server log files … produce usage statistics".
- This package is in 10 and 12, but not 11.
libcilkrts5
- "Intel Cilk Plus language extensions".
liblogging-stdlog0
- "lightweight logging library".
- This is a 9 package, not in 10.
libmpx2
- "Intel memory protection extensions".
libparse-debianchangelog-perl
- "parse Debian changelogs and output".
libpolkit-backend-1-0
- "policy that allows unprivileged … speak to privileged".

Currently installed on bock 2, but not exactly matched in Debian 11
Currently installed	Replacement in Debian 11
cpp-6, cpp-8	cpp-10
g++-8	g++-10
gcc-6, gcc-8	gcc-10
gcc-6-base, gcc-7-base, gcc-8-base	gcc-10-base
geoip-database-extra	Direct replacement not found.
libapache2-mod-php7.0, libapache2-mod-php7.3	libapache2-mod-php7.4
libapt-inst2.0	Direct replacement not found.
libapt-pkg5.0	libapt-pkg6.0
libasan3	libasan5 - Already installed
libboost-iostreams1.67.0	libboost-iostreams1.74.0
libboost-system1.67.0	libboost-system1.74.0
libcilkrts5	Direct replacement not found.
libcryptsetup4	libcryptsetup12 - Already installed
libcwidget3v5	libcwidget4
libdns-export162	?
libdns-export1104	libdns-export1110
libdns1104	libdns1110
libevent-2.1-6	libevent-2.1-7
libffi6	libffi7
libgc1c2	libgc1
libgcc-6-dev, libgcc-8-dev	libgcc-10-dev
libgdbm3	libgdbm6 - Already installed
libhogweed4	libhogweed6
libicu63	libicu67
libip4tc0	libip4tc2
libip6tc0	libip6tc2
libipset11	libipset13
libisc-export1100	libisc-export1105
libisc-export160	libisccc-export161 - Not exact name!
libisc1100	libisc1105
libisl15, libisl19	libisl23
libjson-c3	libjson-c5
liblinear3	liblinear4
libllvm7	libllvm9, libllvm11, libllvm13
liblogging-stdlog0 - This is a 9 package, not in 10	Direct replacement not found.
libmailutils5	libmailutils7
libmpdec2	libmpcdec6
libmpfr4	libmpfr6 - Already installed
libmpx2	Direct replacement not found.
libnettle6	libnettle8
libnftables0	libnftables1
libparse-debianchangelog-perl	Direct replacement not found.
libperl5.28	libperl5.32
libpolkit-backend-1-0	Direct replacement not found.
libpoppler82	libpoppler102
libprocps6, libprocps7	libprocps8
libpython-dev	libpython3-dev
libpython-stdlib, libpython3.7-stdlib	libpython3.9-stdlib
libreadline5, libreadline7	libreadline8
libruby2.5	libruby2.7
libsensors4	libsensors5 - Already installed
libssl1.0.2	libssl1.1 - Already installed
libstdc++-8-dev	libstdc++-10-dev
libubsan0	libubsan1-amd64-cross ????
libunistring0	libunistring2
linux-compiler-gcc-8-x86	linux-compiler-gcc-10-x86
linux-headers-4.19.0-??-amd64	linux-headers-5.10.0-??-amd64
linux-headers-4.19.0-??-common	linux-headers-5.10.0-??-common
linux-image-4.9.0-??-amd64, linux-image-4.19.0-??-amd64	linux-image-5.10.0-??-amd64
linux-kbuild-4.19	linux-kbuild-5.10
lynx-cur	lynx - Already installed
mailman	mailman3 - Available for Debain 10
mariadb-client-10.1, mariadb-client-10.3	mariadb-client-10.5
mariadb-server-10.1, mariadb-server-10.3	mariadb-server-10.5
multiarch-support	Direct replacement not found.
ncpa - Not a Debian package?	Direct replacement not found.
perl-modules-5.24, perl-modules-5.28	perl-modules-5.32
php7.0-cli, php7.3-cli	php7.4-cli
php7.0-common, php7.3-common	php7.4-common
php7.0-imap, php7.3-imap	php7.4-imap
php7.0-json, php7.3-json	php7.4-json
php7.0-mbstring, php7.3-mbstring	php7.4-mbstring
php7.0-mysql, php7.3-mysql	php7.4-mysql
php7.0-opcache, php7.3-opcache	php7.4-opcache
php7.0-readline, php7.3-readline	php7.4-readline
postfixadmin	Direct replacement not found.
python-backports.functools-lru-cache	Direct replacement not found.
python-bs4	python3-bs4
python-certbot-apache	python3-certbot-apache - Already inst
python-chardet	python3-chardet - Already installed
python-dnspython	python3-dnspython - Already installed
python-html5lib	python3-html5lib
python-lxml	python3-lxml
python-minimal	python3-minimal - Already installed
python-pbr	python3-pbr - Already installed
python3.7	python3.9
python3.5-minimal, python3.7-minimal	python3.9-minimal
ruby2.5	ruby2.7
webalizer	Direct replacement not found.

Plan

This section describes our plan to upgrade Bock to Debian 11.

Review documentation linked in the References section.
Create a clone of Bock (Bock-Clone)
Upgrade Bock-Clone by following the Upgrading from Debian 10 documentation.
1. Document all actions taken in the Procedure section.
(?) Simulate Upgrade failure on Bock-Clone to document Rollback Procedure
Upgrade Bock by performing the steps listed in Procedure section.
Ensure important services are fully functional on Debian 11.
(If necessary) Rollback using Backout Plan.

Procedure

This section will contain all actions that need to be performed to execute the Plan.

Service Validation

This section will contain all the actions that need to be performed to ensure the important services are fully operational after the upgrade.

Backout Plan

This section describes our plan for restoring Bock to a working Debian 10 state, if the upgrade goes poorly and needs to be reverted.

Clone Bock2 at each step
If the upgrade fails, the previous version is still available

Step 1 - Upgrade Bock2 Clone 0

Start with basic procedure

https://linuxize.com/post/how-to-upgrade-debian-10-to-debian-11/

Update / Upgrade prior to changing sources list

apt-mark update && apt upgrade -y

sudo apt full-upgrade

apt autoremove

Modify the sources.list

vim /etc/apt/sources.list

When finished editing the file should look like the contents below:

  deb http://deb.debian.org/debian bullseye main
  deb-src http://deb.debian.org/debian bullseye main
  deb http://security.debian.org/debian-security bullseye-security main
  deb-src http://security.debian.org/debian-security bullseye-security main
  deb http://deb.debian.org/debian bullseye-updates main
  deb-src http://deb.debian.org/debian bullseye-updates main

This is what the sources.list looks like after the upgrade:

  #
  # deb cdrom:[Debian GNU/Linux 9.4.0 _Stretch_ - Official amd64 NETINST 20180310-11:21]/ stretch main
  #deb cdrom:[Debian GNU/Linux 9.4.0 _Stretch_ - Official amd64 NETINST 20180310-11:21]/ stretch main
  deb http://ftp.us.debian.org/debian/ bullseye main
  deb-src http://ftp.us.debian.org/debian/ bullseye main
  deb https://security.debian.org/debian-security bullseye-security main
  deb-src https://security.debian.org/debian-security bullseye-security main
  # stretch-updates, previously known as 'volatile'
  deb http://ftp.us.debian.org/debian/ bullseye-updates main
  deb-src http://ftp.us.debian.org/debian/ bullseye-updates main
  # Backports for Certbot
  #deb http://ftp.debian.org/debian bullseye-backports main

Update with new sources

apt update && apt upgrade -y

During the upgrade process you will be prompted:

1. Services to restart: cron atd Choose Ok 2. apparmor question: 'N' 3. sysctl file: Y

We chose to take the new file for updated comments, but we need to modify the /etc/sysctl.conf to add back the following config.

net.ipv6.conf.all.disable_ipv6=1

4. All SpamAssassin questions: N 5. SSH CLIENT - ssh_config question: Y

This will wipe out the change below, we decided that is OK.

Port 2206

6. SSH Server Config - sshd_config question: Choose the three-way merge option

Open the file with vim /etc/ssh/sshd_config.merge-error

Re-instate Port and AddressFamily lines and clean up the merge output.

Copy the cleaned up file into place.

cp /etc/ssh/sshd_config.merge-error /etc/ssh/sshd_config

Choose keep the local version.

Choose services to be restarted: None

Reboot the system

reboot

Check services

curl http://bock2.sluug.org

References

Debian 10 ( Buster ) Long Term Support ( LTS ) End of Life is 30 June 2024:

https://endoflife.date/debian

Debian 10 (Buster) * [[https://packages.debian.org/buster/mailman|Mailman Version in Package Archive

Debian 11 (Bullseye)

Mastering Debian and Ubuntu

Table of Contents