Upgrade Bock to Debian 11 (Bullseye)

SUMMARY: Upgrade Bock from Debian 10 (Buster) to Debian 11 (Bullseye)

Notes of work performed

SUMMARY: As work is performed, record here

Step 1 - Create Bock Clone

Goal

During our recent discussions on the SysAdmin Mailing List, the decision was made to upgrade bock.sluug.org from Debian 10 (Buster) to Debian 11 (Bullseye). Both of these Debian versions support Mailman 2.x.

Out of Scope

Upgrading from Mailman 2 to Mailman 3 is out of scope for this task. Debian 11 (Bullseye) still supports Mailman 2.x. We can proceed with the upgrade to Debian 11 without making any major changes to mailman.

Once we have successfully migrated to Debian 11, a separate effort will be made to upgrade from Mailman 2 to Mailman 3 (or switch to a different list manager altogether).

Configuration Details

  • Hostname: bock
  • Hypervisor: Xen
  • vCPU: 2
  • RAM: 4GB
  • Storage:
    • xvda 50GB [System]
    • xvdb 200GB [Media]
    • xvdc 20GB [Spare]

Externally Accessible Ports

  Edited extracts from output of iptables -L (As of 12 Oct 2023)
  ------------------------------------------------------------------------
  Chain IN_public_allow (1 references)
   pkts bytes target  prot   source     destination
   122K 6462K ACCEPT  tcp    0.0.0.0/0  tcp dpt:80 ctstate NEW,UNTRACKED
  1741K  103M ACCEPT  tcp    0.0.0.0/0  tcp dpt:443 ctstate NEW,UNTRACKED
  48901 2757K ACCEPT  tcp    0.0.0.0/0  tcp dpt:25 ctstate NEW,UNTRACKED
  24000 1503K ACCEPT  tcp    0.0.0.0/0  tcp dpt:993 ctstate NEW,UNTRACKED
  23071 1226K ACCEPT  tcp    0.0.0.0/0  tcp dpt:995 ctstate NEW,UNTRACKED
  61544 3294K ACCEPT  tcp    0.0.0.0/0  tcp dpt:465 ctstate NEW,UNTRACKED
   1279 66272 ACCEPT  tcp    0.0.0.0/0  tcp dpt:53 ctstate NEW,UNTRACKED
   7645  483K ACCEPT  udp    0.0.0.0/0  udp dpt:53 ctstate NEW,UNTRACKED
    925 54940 ACCEPT  tcp    0.0.0.0/0  tcp dpt:2206 ctstate NEW,UNTRACKED

Services

These are the important services that are running on Bock. The upgrade will not be considered successful until these services are fully operational on Debian 11.

External

  • Web - apache
  • Email - postfix, dovecot, clamav, spamassassin, etc.
  • DNS - unpublished master for SLUUG domains w/named
  • SSH - sshd

Internal

  • Database - mysql

Bock-Specific PreUpgrade Concerns/Complications

This section describes issues raised on the mailing lists that may need to be researched or addressed prior to execution of the Plan.

This section will only list complications that are specific to Bock. The Upgrading from Debian 10 documentation describes many "general" steps to prepare the system for an upgrade. Things listed in the official documentation will not be duplicated here.

Firewall Woes

Way back in 2023, there was an attempt to use "ufw" to change ports, but it didn't seem to affect things, probably because the ports were previously configured with "firewalld". Some incoming connections are also blocked with "fail2ban", which is unrelated to the ufw problem.

  firewalld = dynamically managed firewall with support for network zones
  ufw       = program for managing a Netfilter firewall
  fail2ban  = ban hosts that cause multiple authentication errors

Will we be forced to change iptables to netfilter/nftables?

Software of special concern:

  • Packages installed outside of Debian origins (As of 1 Jun 2023):
    • Dokuwiki is installed outside Debian packages: Current is 2023-04-04a "Jack Jackrum", SLUUG has 2018-04-22a "Greebo". Interestingly, the current in Debian 11 is 20180422.a-2.1, while 10 has 0.0.20180422.a-2 and 12 has 20220731.a-2.
      • Perhaps switch to the Debian package when upgrading to Debian 11?
      • 20200729-0.1~bpo11+1 in backports.
    • ncpa - "Nagios Cross-Platform Agent" - Not a Debian package?
  • Abandoned, ancient, local tools, or unknown origin:
    • /srv/www/test.sluug.org/drupal-20070608/
    • /srv/www/a.sluug.org/postfixadmin-2.3.2/
    • /usr/local/*bin/
    • /usr/src/certbot/
    • Old web site CGI scripting?

Summary of packages without a replacement in Debian 12:

  • Mailman 2
    • Details discussed in depth elsewhere.
  • geoip-database-extra
    • "find the country that any IP address or hostname originates from".
    • Used by SpamAssassin to determine countries. A better system was not used before because of licensing, etc.
  • multiarch-support
    • "Transitional package to ensure multiarch compatibility".
  • ncpa
    • "Nagios Cross-Platform Agent".
    • Not a Debian package.
  • postfixadmin
    • "administrators to delegate account handling"
  • python-backports.functools-lru-cache
    • "backport of functools.lru_cache from Python 3.3 to Python 2".
  • webalizer
    • "scan web server log files … produce usage statistics".
    • This package is in 10 and 12, but not 11.
  • libcilkrts5
    • "Intel Cilk Plus language extensions".
  • liblogging-stdlog0
    • "lightweight logging library".
    • This is a 9 package, not in 10.
  • libmpx2
    • "Intel memory protection extensions".
  • libparse-debianchangelog-perl
    • "parse Debian changelogs and output".
  • libpolkit-backend-1-0
    • "policy that allows unprivileged … speak to privileged".

Currently installed on bock 2, but not exactly matched in Debian 11:

  Currently installed | Replacement in Debian 11
  ------------------------------------------------------------------------
  cpp-6, cpp-8 | cpp-10
  g++-8 | g++-10
  gcc-6, gcc-8 | gcc-10
  gcc-6-base, gcc-7-base, gcc-8-base | gcc-10-base
  geoip-database-extra | Direct replacement not found.
  libapache2-mod-php7.0, libapache2-mod-php7.3 | libapache2-mod-php7.4
  libapt-inst2.0 | Direct replacement not found.
  libapt-pkg5.0 | libapt-pkg6.0
  libasan3 | libasan5 - Already installed
  libboost-iostreams1.67.0 | libboost-iostreams1.74.0
  libboost-system1.67.0 | libboost-system1.74.0
  libcilkrts5 | Direct replacement not found.
  libcryptsetup4 | libcryptsetup12 - Already installed
  libcwidget3v5 | libcwidget4
  libdns-export162 | ?
  libdns-export1104 | libdns-export1110
  libdns1104 | libdns1110
  libevent-2.1-6 | libevent-2.1-7
  libffi6 | libffi7
  libgc1c2 | libgc1
  libgcc-6-dev, libgcc-8-dev | libgcc-10-dev
  libgdbm3 | libgdbm6 - Already installed
  libhogweed4 | libhogweed6
  libicu63 | libicu67
  libip4tc0 | libip4tc2
  libip6tc0 | libip6tc2
  libipset11 | libipset13
  libisc-export1100 | libisc-export1105
  libisc-export160 | libisccc-export161 - Not exact name!
  libisc1100 | libisc1105
  libisl15, libisl19 | libisl23
  libjson-c3 | libjson-c5
  liblinear3 | liblinear4
  libllvm7 | libllvm9, libllvm11, libllvm13
  liblogging-stdlog0 - This is a 9 package, not in 10 | Direct replacement not found.
  libmailutils5 | libmailutils7
  libmpdec2 | libmpcdec6
  libmpfr4 | libmpfr6 - Already installed
  libmpx2 | Direct replacement not found.
  libnettle6 | libnettle8
  libnftables0 | libnftables1
  libparse-debianchangelog-perl | Direct replacement not found.
  libperl5.28 | libperl5.32
  libpolkit-backend-1-0 | Direct replacement not found.
  libpoppler82 | libpoppler102
  libprocps6, libprocps7 | libprocps8
  libpython-dev | libpython3-dev
  libpython-stdlib, libpython3.7-stdlib | libpython3.9-stdlib
  libreadline5, libreadline7 | libreadline8
  libruby2.5 | libruby2.7
  libsensors4 | libsensors5 - Already installed
  libssl1.0.2 | libssl1.1 - Already installed
  libstdc++-8-dev | libstdc++-10-dev
  libubsan0 | libubsan1-amd64-cross ????
  libunistring0 | libunistring2
  linux-compiler-gcc-8-x86 | linux-compiler-gcc-10-x86
  linux-headers-4.19.0-??-amd64 | linux-headers-5.10.0-??-amd64
  linux-headers-4.19.0-??-common | linux-headers-5.10.0-??-common
  linux-image-4.9.0-??-amd64, linux-image-4.19.0-??-amd64 | linux-image-5.10.0-??-amd64
  linux-kbuild-4.19 | linux-kbuild-5.10
  lynx-cur | lynx - Already installed
  mailman | mailman3 - Available for Debian 10
  mariadb-client-10.1, mariadb-client-10.3 | mariadb-client-10.5
  mariadb-server-10.1, mariadb-server-10.3 | mariadb-server-10.5
  multiarch-support | Direct replacement not found.
  ncpa - Not a Debian package? | Direct replacement not found.
  perl-modules-5.24, perl-modules-5.28 | perl-modules-5.32
  php7.0-cli, php7.3-cli | php7.4-cli
  php7.0-common, php7.3-common | php7.4-common
  php7.0-imap, php7.3-imap | php7.4-imap
  php7.0-json, php7.3-json | php7.4-json
  php7.0-mbstring, php7.3-mbstring | php7.4-mbstring
  php7.0-mysql, php7.3-mysql | php7.4-mysql
  php7.0-opcache, php7.3-opcache | php7.4-opcache
  php7.0-readline, php7.3-readline | php7.4-readline
  postfixadmin | Direct replacement not found.
  python-backports.functools-lru-cache | Direct replacement not found.
  python-bs4 | python3-bs4
  python-certbot-apache | python3-certbot-apache - Already inst
  python-chardet | python3-chardet - Already installed
  python-dnspython | python3-dnspython - Already installed
  python-html5lib | python3-html5lib
  python-lxml | python3-lxml
  python-minimal | python3-minimal - Already installed
  python-pbr | python3-pbr - Already installed
  python3.7 | python3.9
  python3.5-minimal, python3.7-minimal | python3.9-minimal
  ruby2.5 | ruby2.7
  webalizer | Direct replacement not found.

Plan

This section describes our plan to upgrade Bock to Debian 11.

  1. Review documentation linked in the References section.
  2. Create a clone of Bock (Bock-Clone)
  3. Upgrade Bock-Clone by following the Upgrading from Debian 10 documentation.
    1. Document all actions taken in the Procedure section.
  4. (?) Simulate Upgrade failure on Bock-Clone to document Rollback Procedure
  5. Upgrade Bock by performing the steps listed in Procedure section.
  6. Ensure important services are fully functional on Debian 11.
  7. (If necessary) Rollback using Backout Plan.

Procedure

This section will contain all actions that need to be performed to execute the Plan.

Service Validation

This section will contain all the actions that need to be performed to ensure the important services are fully operational after the upgrade.

Backout Plan

This section describes our plan for restoring Bock to a working Debian 10 state, if the upgrade goes poorly and needs to be reverted.

  1. Clone Bock2 at each step
  2. If the upgrade fails, the previous version is still available

Step 1 - Upgrade Bock2 Clone 0

Start with basic procedure

https://linuxize.com/post/how-to-upgrade-debian-10-to-debian-11/

Update / Upgrade prior to changing sources list

  apt update && apt upgrade -y
  sudo apt full-upgrade
  apt autoremove

Modify the sources.list

vim /etc/apt/sources.list

When finished editing the file should look like the contents below:

  deb http://deb.debian.org/debian bullseye main
  deb-src http://deb.debian.org/debian bullseye main
  deb http://security.debian.org/debian-security bullseye-security main
  deb-src http://security.debian.org/debian-security bullseye-security main
  deb http://deb.debian.org/debian bullseye-updates main
  deb-src http://deb.debian.org/debian bullseye-updates main
  
  

This is what the sources.list looks like after the upgrade:

  #
  # deb cdrom:[Debian GNU/Linux 9.4.0 _Stretch_ - Official amd64 NETINST 20180310-11:21]/ stretch main
  #deb cdrom:[Debian GNU/Linux 9.4.0 _Stretch_ - Official amd64 NETINST 20180310-11:21]/ stretch main
  deb http://ftp.us.debian.org/debian/ bullseye main
  deb-src http://ftp.us.debian.org/debian/ bullseye main
  deb https://security.debian.org/debian-security bullseye-security main
  deb-src https://security.debian.org/debian-security bullseye-security main
  # stretch-updates, previously known as 'volatile'
  deb http://ftp.us.debian.org/debian/ bullseye-updates main
  deb-src http://ftp.us.debian.org/debian/ bullseye-updates main
  # Backports for Certbot
  #deb http://ftp.debian.org/debian bullseye-backports main

Update with new sources

apt update && apt upgrade -y

During the upgrade process you will be prompted:

  1. Services to restart: cron atd. Choose Ok.
  2. apparmor question: 'N'
  3. sysctl file: Y

We chose to take the new file for updated comments, but we need to modify the /etc/sysctl.conf to add back the following config.

  net.ipv6.conf.all.disable_ipv6=1

  4. All SpamAssassin questions: N
  5. SSH CLIENT - ssh_config question: Y

This will wipe out the change below; we decided that is OK.

  Port 2206

  6. SSH Server Config - sshd_config question: Choose the three-way merge option

Open the file with vim /etc/ssh/sshd_config.merge-error

Re-instate Port and AddressFamily lines and clean up the merge output.

Copy the cleaned up file into place.

  cp /etc/ssh/sshd_config.merge-error /etc/ssh/sshd_config

Choose to keep the local version.

Choose services to be restarted: None

Reboot the system

reboot

Check services
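
The checks below cover what the prompts above put at risk: the sshd Port line, leftover merge output, the IPv6 sysctl setting, and listeners for the TCP ports in the firewall extract. This is an added example, not part of the original notes; the function names, the sample data and the diff3-style conflict markers are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original notes): post-upgrade checks for the
# settings this page restores by hand. Expected values are taken from the page.
EXPECTED_TCP_PORTS="25 53 80 443 465 993 995 2206"   # IN_public_allow extract

# 0 if file $1 has an active (uncommented) "Port $2" line; keywords ignore case.
sshd_port_set() {
    awk -v want="$2" 'tolower($1) == "port" && $2 == want { ok = 1 }
                      END { exit !ok }' "$1"
}

# 0 if file $1 has no conflict markers left (assumption: diff3-style markers).
no_merge_markers() {
    ! grep -Eq '^(<<<<<<<|=======|>>>>>>>|[|]{7})' "$1"
}

# 0 if sysctl file $1 has an uncommented net.ipv6.conf.all.disable_ipv6=1.
ipv6_disabled() {
    grep -Eq '^[[:space:]]*net\.ipv6\.conf\.all\.disable_ipv6[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# Reads `ss -Htln` output on stdin; prints expected ports that have no listener.
missing_listeners() {
    awk -v want="$EXPECTED_TCP_PORTS" '
        { n = split($4, a, ":"); seen[a[n]] = 1 }   # $4 = local address:port
        END { m = split(want, w, " ")
              for (i = 1; i <= m; i++) if (!(w[i] in seen)) out = out w[i] " "
              sub(/ $/, "", out); print out }'
}

# Constructed sample: a half-cleaned merge file and the listeners after reboot.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '#Port 22' '<<<<<<< local' 'Port 2206' '=======' \
        '>>>>>>> package' 'AddressFamily inet' > "$d/sshd_config.merge-error"
    printf '%s\n' '#net.ipv6.conf.all.disable_ipv6=1' > "$d/sysctl.conf"
    sshd_port_set "$d/sshd_config.merge-error" 2206 && echo "Port 2206 present"
    no_merge_markers "$d/sshd_config.merge-error" || echo "merge markers remain"
    ipv6_disabled "$d/sysctl.conf" || echo "IPv6 disable line missing"
    printf '%s\n' 'LISTEN 0 128 0.0.0.0:2206 0.0.0.0:*' \
        'LISTEN 0 511 *:80 *:*' 'LISTEN 0 100 [::]:25 [::]:*' |
        { printf 'no listener on: '; missing_listeners; }
    rm -rf "$d"
}
demo
```

On the real host, pipe `ss -Htln` into `missing_listeners` and run `sshd -t` on the merged file before the reboot. The firewall extract admits SSH only on port 2206, so a dropped Port line would leave sshd on a port the firewall does not allow.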

References

bock_upgrade_debian_10_-_11.txt · Last modified: 2024/06/20 20:45 by SLUUG Administration