====== Bullseye Upgrade ======

Current state of the hosts: [[https://etherpad.fachschaften.rwth-aachen.de/p/bullseye-upgrade]]

Current state of the Ansible work: [[https://etherpad.fachschaften.rwth-aachen.de/p/bullseye-ansible]]

Clients are simply reinstalled from scratch. For everything else an in-place upgrade should be possible.

//Hard Freeze// since 12 March, //Full Freeze// since 17 July and //Release// on 14 August.

===== Important changes =====

  * New VA-API default driver for Intel GPUs
  * The XFS file system no longer supports the ''barrier''/''nobarrier'' option
  * Noteworthy obsolete package: ''mailman'' (version 2) (**TODO**)
  * Deprecated components: ''python2'' (**TODO**), non-merged-usr layout
  * The security suite is now named ''bullseye-security'' instead of ''buster/updates'' (**TODO**)
  * ''aufs'' removal (**TODO** adjust the guest overlay configuration. See also [[https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=963964|Release Notes Bug #963964]].)
  * ''bullseye'' is the final release to ship ''apt-key'' (see also [[https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980743|Release Notes Bug #980743]].)
  * Password hashing uses ''yescrypt'' by default (incompatible with buster)
  * ''rsnapshot'' removed (**TODO**), see also: [[https://github.com/rsnapshot/rsnapshot/issues/191#issuecomment-562460327]], Debian maintainer's note: [[https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986709]]

Further changes may turn up until the release. See also [[https://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=release-notes;dist=unstable|Release Notes Bug Reports]].

==== Further observations ====

  * The ''audit'' subsystem likes to spam the journal with debug messages (**TODO**)
  * ''zabbix'' has no bullseye repository of its own yet (Debian ships 5.0)
  * ''sssd'' logs various error messages to the journal (among others a ''krb5_child'' credential cache failure); unclear whether this is caused by the upgrade

===== Limitations in security support =====

Not final yet.
**Non-mainstream web browsers**

> Debian 11 includes several browser engines which are affected by a steady stream of security vulnerabilities. The high rate of vulnerabilities and partial lack of upstream support in the form of long term branches make it very difficult to support these browsers and engines with backported security fixes. Additionally, library interdependencies make it extremely difficult to update to newer upstream releases. Therefore, browsers built upon e.g. the webkit and khtml engines[6] are included in bullseye, but not covered by security support. These browsers should not be used against untrusted websites. The webkit2gtk source package is covered by security support.
>
> For general web browser use we recommend Firefox or Chromium. They will be kept up-to-date by rebuilding the current ESR releases for stable. The same strategy will be applied for Thunderbird.

**OpenJDK 17**

> Debian bullseye comes with an early access version of OpenJDK 17 (the next expected OpenJDK LTS version after OpenJDK 11), to avoid the rather tedious bootstrap process. The plan is for OpenJDK 17 to receive an update in bullseye to the final upstream release announced for October 2021, followed by security updates on a best effort basis, but users should not expect to see updates for every quarterly upstream security update.

**Python 2**

> Python 2 is not supported for running applications and there won't be any security updates for Python 2 in Bullseye.

As before, ''binutils'' must only be used with //trusted input//.

===== Instructions =====

==== Before the upgrade ====

=== Backup and restore ===

Before the upgrade, make sure that there is a current, working and restorable backup.

=== Minimising the distance ===

Upgrade older systems to [[admin:buster|buster]] first. Within buster, also bring the system fully up to date first.
=== Recording the session ===

> It is strongly recommended that you use the ''/usr/bin/script'' program to record a transcript of the upgrade session. Then if a problem occurs, you will have a log of what happened, and if needed, can provide exact information in a bug report. To start the recording, type:

<code>
script -t 2>~/upgrade-bullseye.time -a ~/upgrade-bullseye.script
</code>

> or similar. If you have to rerun the typescript (e.g. if you have to reboot the system) use different ''step'' values to indicate which step of the upgrade you are logging. Do not put the typescript file in a temporary directory such as ''/tmp'' or ''/var/tmp'' (files in those directories may be deleted during the upgrade or during any restart).
>
> The typescript will also allow you to review information that has scrolled off-screen. If you are at the system's console, just switch to VT2 (using Alt+F2) and, after logging in, use ''less -R ~root/upgrade-bullseye.script'' to view the file.
>
> After you have completed the upgrade, you can stop ''script'' by typing ''exit'' at the prompt.
>
> ''apt'' will also log the changed package states in ''/var/log/apt/history.log'' and the terminal output in ''/var/log/apt/term.log''. ''dpkg'' will, in addition, log all package state changes in ''/var/log/dpkg.log''. If you use ''aptitude'', it will also log state changes in ''/var/log/aptitude''.
>
> If you have used the ''-t'' switch for script you can use the ''scriptreplay'' program to replay the whole session:

<code>
scriptreplay ~/upgrade-bullseye.time ~/upgrade-bullseye.script
</code>

==== The upgrade ====

=== Ganeti 3.0 from the backports ===

If applicable, upgrade Ganeti to 3.0 first. Details:

>> during a test with piuparts I noticed your package fails to upgrade from
>> 'buster'.
>> It installed fine in 'buster', then the upgrade to 'bullseye' fails.
>>
>> In order to run 'gnt-cluster upgrade' both ganeti-3.0 and ganeti-2.16
>> need to be installed, but the package from buster needs to be removed
>> due to the removal of unversioned python and the Python 2 modules
>> (python-*) before the local admin could run 'gnt-cluster upgrade'
>>
>> I'm not sure how a clean upgrade is intended to be performed in this
>> case. This may also be an interesting question for DSA.
>
> Yes, the removal of unversioned python makes things more complicated. I
> was hoping that ganeti-2.16's dependencies would be enough to keep the
> Python 2 modules around until gnt-cluster upgrade could run.
>
> That said, I think the best way forward is to upgrade buster clusters
> to 3.0 using the packages from buster-backports, before attempting to
> dist-upgrade to bullseye. This should probably be documented in the
> release notes.
>
> Since there's really not much else we can do about it now, I'm
> downgrading to important and tagging it as wontfix. Please let me know
> what you think.
>
> Regards,
> Apollon

=== Remove obsolete and third-party packages ===

Find them with:

<code>
aptitude search '~o'
aptitude search '~i(!~ODebian)'
aptitude search '?narrow(?installed, ?not(?origin(Debian)))'
</code>

Remove them with:

<code>
apt autoremove --purge
</code>

Packages we introduced ourselves should be left configured:

  * ''tivsm-*''
  * ''gskssl''
  * ''gskcrypto''
  * ''systemd-journal-persistent''
  * ''sssd''
  * ''ganeti*''
  * ''adcli''

== Persistent journal ==

It looks as if Debian is going to make this move itself. We may therefore have to adjust our setup and uninstall the package at the right moment without losing the directory. See also [[https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950447|Release Notes Bug #950447]].

=== Pinning ===

It is recommended to remove all pinning. We should, however, only have pinned out ''apache2'' on ''nginx'' systems. So this is uncritical.
=== Configuration files ===

It is recommended to deal with //leftover// configuration files beforehand. Find them with:

<code>
find /etc -name '*.dpkg-*' -or -name '*.ucf-*' -or -name '*.merge-error'
</code>

=== Check the package manager ===

<code>
dpkg --audit
</code>

=== Prepare the sources ===

Throw out all non-official sources (temporarily). Change the remaining sources to ''bullseye''. Make a note to update the external sources after the official upgrade.

<code>
sed -i -e s,buster/updates,bullseye-security, -e s,buster,bullseye, /etc/apt/sources.list.d/*
</code>

== Adjusting the security sources ==

> For ''bullseye'', the security suite is now named ''bullseye-security'' instead of ''buster/updates'' and users should adapt their ''sources.list'' accordingly when upgrading.

For example:

<code>
deb http://security.debian.org/debian-security bullseye-security main
</code>

See also [[https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931785|Release Notes Bug #931785]].

=== Upgrade ===

Perform the upgrade as a multi-step process:

<code>
apt update
apt upgrade
apt full-upgrade
</code>

Hit Enter in between. Watch whether, as usual, we always want the default. If problems show up, check [[https://www.debian.org/releases/bullseye/amd64/release-notes/ch-upgrading.en.html#trouble|whether the release notes have answers]].

=== Reboot ===

=== Postgres ===

Careful with pgBackRest: see the [[admin:bookworm#postgres|Bookworm instructions]] and follow those with adjusted version numbers! Also keep an eye on the not yet merged branch in Ansible!
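As an added example (not from this wiki page or from Debian), the following shell snippet shows the rewrite that the ''sed'' one-liner in the "Prepare the sources" step performs, with the substitution order that makes it correct and a check for leftover ''buster'' references; it prints the result instead of editing in place so the change can be reviewed first, and the sample sources file is constructed here.

```shell
#!/bin/sh
# Added example: rewrite buster apt source lines to bullseye.
# The security-suite rename must run before the generic rename, otherwise
# 'buster/updates' would become the non-existent 'bullseye/updates'.

# Rewrite one sources file to stdout (review the diff, then apply with -i).
bullseye_sources() {
    sed -e 's,buster/updates,bullseye-security,' \
        -e 's,buster,bullseye,' "$1"
}

# Number of lines still mentioning buster after the rewrite; expected 0.
leftover_buster() {
    bullseye_sources "$1" | grep -c 'buster' || true
}

# Constructed sample input, not a real host's sources.list.
SAMPLE="$(mktemp)"
trap 'rm -f "$SAMPLE"' EXIT
cat >"$SAMPLE" <<'EOF'
deb http://deb.debian.org/debian buster main contrib non-free
deb http://security.debian.org/debian-security buster/updates main
deb http://deb.debian.org/debian buster-backports main
EOF

bullseye_sources "$SAMPLE"
echo "leftover buster lines: $(leftover_buster "$SAMPLE")"
```

The one-liner on this page only touches ''/etc/apt/sources.list.d/*''; ''/etc/apt/sources.list'' itself needs the same treatment if the host still uses it.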
==== After the upgrade ====

=== Cleanup ===

<code>
aptitude search '~c'   # find removed packages
aptitude search '~o'   # find obsolete packages (see the before-upgrade instructions)
# purge the applicable packages from both of these lists
apt autoremove --purge # purge packages installed as dependencies if no longer needed
apt clean              # remove cached package downloads
find /etc -name '*.dpkg-*' -or -name '*.ucf-*' -or -name '*.merge-error'
</code>

=== usrmerge ===

In preparation for ''bookworm'':

<code>
apt install usrmerge
</code>

See also [[https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=841666|Release Notes Bug #841666]].

=== Re-enable external sources ===

Re-enable the external sources and update and upgrade with the usual procedure.

=== Ansible ===

Run Ansible completely on the host.

=== Reboot ===

=== Test the system ===

Manual check of the system. Also check whether the monitoring is happy.

===== Longer-term migrations =====

Nothing so far.