Current status of the hosts: https://etherpad.fachschaften.rwth-aachen.de/p/bullseye-upgrade
Current status of Ansible: https://etherpad.fachschaften.rwth-aachen.de/p/bullseye-ansible
Clients are simply set up again from scratch. For the rest, an upgrade should be possible.
Hard freeze since 12 March, full freeze since 17 July, and release on 14 August.
barrier/nobarrier option
mailman (version 2) (TODO)
python2 (TODO), non-merged-usr-layout
bullseye-security instead of buster/updates (TODO)
aufs removal (TODO: adapt the guest overlay configuration. See also Release Notes Bug #963964.)
yescrypt by default (incompatible to buster)
rsnapshot removed (TODO), see also: https://github.com/rsnapshot/rsnapshot/issues/191#issuecomment-562460327, Debian maintainer's note: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986709
Further changes may occur before the release. See also Release Notes Bug Reports.
audit subsystem likes to spam the journal with debug messages (TODO)
zabbix so far without its own bullseye repository (Debian has 5.0)
sssd has various error messages in the journal (among others krb5_child credential cache fail); unclear whether this is due to the upgrade
Not final yet.
non-mainstream Webbrowser
Debian 11 includes several browser engines which are affected by a steady stream of security vulnerabilities. The high rate of vulnerabilities and partial lack of upstream support in the form of long term branches make it very difficult to support these browsers and engines with backported security fixes. Additionally, library interdependencies make it extremely difficult to update to newer upstream releases. Therefore, browsers built upon e.g. the webkit and khtml engines are included in bullseye, but not covered by security support. These browsers should not be used against untrusted websites. The webkit2gtk source package is covered by security support.
For general web browser use we recommend Firefox or Chromium. They will be kept up-to-date by rebuilding the current ESR releases for stable. The same strategy will be applied for Thunderbird.
OpenJDK 17
Debian bullseye comes with an early access version of OpenJDK 17 (the next expected OpenJDK LTS version after OpenJDK 11), to avoid the rather tedious bootstrap process. The plan is for OpenJDK 17 to receive an update in bullseye to the final upstream release announced for October 2021, followed by security updates on a best effort basis, but users should not expect to see updates for every quarterly upstream security update.
Python 2
Python 2 is not supported for running applications and there won't be any security updates for Python 2 in Bullseye.
As before, binutils may only be used with trusted input.
Before the upgrade, make sure there is a current, working and restorable backup.
Upgrade older systems to buster first. Within buster, also bring the system fully up to date first.
It is strongly recommended that you use the /usr/bin/script program to record a transcript of the upgrade session. Then if a problem occurs, you will have a log of what happened, and if needed, can provide exact information in a bug report. To start the recording, type:
script -t 2>~/upgrade-bullseye<step>.time -a ~/upgrade-bullseye<step>.script
or similar. If you have to rerun the typescript (e.g. if you have to reboot the system) use different step values to indicate which step of the upgrade you are logging. Do not put the typescript file in a temporary directory such as /tmp or /var/tmp (files in those directories may be deleted during the upgrade or during any restart).
The typescript will also allow you to review information that has scrolled off-screen. If you are at the system's console, just switch to VT2 (using Alt+F2) and, after logging in, use less -R ~root/upgrade-bullseye.script to view the file.
After you have completed the upgrade, you can stop script by typing exit at the prompt.
apt will also log the changed package states in /var/log/apt/history.log and the terminal output in /var/log/apt/term.log. dpkg will, in addition, log all package state changes in /var/log/dpkg.log. If you use aptitude, it will also log state changes in /var/log/aptitude.
If you have used the -t switch for script you can use the scriptreplay program to replay the whole session:
scriptreplay ~/upgrade-bullseye<step>.time ~/upgrade-bullseye<step>.script
Where applicable, upgrade Ganeti to 3.0 first. Details:
during a test with piuparts I noticed your package fails to upgrade from
'buster'.
It installed fine in 'buster', then the upgrade to 'bullseye' fails.
In order to run 'gnt-cluster upgrade' both ganeti-3.0 and ganeti-2.16
need to be installed, but the package from buster needs to be removed
due to the removal of unversioned python and the Python 2 modules
(python-*) before the local admin could run 'gnt-cluster upgrade'
I'm not sure how a clean upgrade is intended to be performed in this
case. This may also be an interesting question for DSA.
Yes, the removal of unversioned python makes things more complicated. I
was hoping that ganeti-2.16's dependencies would be enough to keep the
Python 2 modules around until gnt-cluster upgrade could run.
That said, I think the best way forward is to upgrade buster clusters
to 3.0 using the packages from buster-backports, before attempting to
dist-upgrade to bullseye. This should probably be documented in the
release notes.
Since there's really not much else we can do about it now, I'm
downgrading to important and tagging it as wontfix. Please let me know
what you think.
Regards,
Apollon
Find with:
aptitude search '~o'
aptitude search '~i(!~ODebian)'
aptitude search '?narrow(?installed, ?not(?origin(Debian)))'
Remove with:
apt autoremove --purge <packages>
Packages that we introduced ourselves should be left configured:
tivsm-*
gskssl
gskcrypto
systemd-journal-persistent
sssd
ganeti*
adcli
It looks as though Debian is going ahead with this step. We may therefore have to adapt and uninstall the package at the right time without losing the directory.
See also Release Notes Bug #950447.
It is recommended to remove all pinning. However, we should only have apache2 sorted out on nginx systems. So this is uncritical.
It is recommended to deal with leftover configuration files beforehand. Find them with:
find /etc -name '*.dpkg-*' -or -name '*.ucf-*' -or -name '*.merge-error'
dpkg --audit
Throw out all non-official sources (temporarily). Change the remaining sources to bullseye. Make a note to update external sources after the official upgrade.
sed -i -e s,buster/updates,bullseye-security, -e s,buster,bullseye, /etc/apt/sources.list.d/*
For bullseye, the security suite is now named bullseye-security instead of buster/updates and users should adapt their sources.list accordingly when upgrading.
For example:
deb http://security.debian.org/debian-security bullseye-security main
See also Release Notes Bug #931785.
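A dry run of the sed rewrite above on a copy of the sources directory, followed by a check of the result. This is an added example, not part of the original notes; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Works on a copy of the sources
# directory so the result can be inspected before touching /etc/apt.

# Apply the page's two substitutions, in the same order, to each file in $1.
rewrite_sources() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        sed -e 's,buster/updates,bullseye-security,' -e 's,buster,bullseye,' \
            "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    done
}

# Report problems in the rewritten files in $1; return non-zero if any exist.
check_sources() {
    rc=0
    # Active entries that still name the old release (sed without "g"
    # replaces only the first match per line).
    if grep -nE '^[[:space:]]*deb(-src)?[[:space:]].*buster' "$1"/* /dev/null; then
        echo "still references buster" >&2; rc=1
    fi
    # "bullseye/updates" appears if the substitutions ran in the wrong order.
    if grep -n 'bullseye/updates' "$1"/* /dev/null; then
        echo "old-style security suite name" >&2; rc=1
    fi
    # At least one active entry must use the renamed security suite.
    if ! grep -qE '^[[:space:]]*deb[[:space:]].*[[:space:]]bullseye-security[[:space:]]' "$1"/*; then
        echo "no bullseye-security entry" >&2; rc=1
    fi
    return $rc
}

# Constructed sample input (not taken from a real host).
demo() {
    d=$(mktemp -d) || return 2
    cat > "$d/debian.list" <<'EOF'
deb http://deb.debian.org/debian buster main
deb http://security.debian.org/debian-security buster/updates main
deb http://deb.debian.org/debian buster-updates main
EOF
    rewrite_sources "$d" && check_sources "$d"; rc=$?
    cat "$d/debian.list"; rm -rf "$d"
    return $rc
}
demo
```

A host left without a working bullseye-security entry receives no security updates after the upgrade, so the check is worth running before apt update.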
Perform the upgrade as a multi-step process:
apt update
apt upgrade
apt full-upgrade
Hit Enter in between. Watch whether we want the default every time, as usual. If problems come up, check whether the release notes have answers.
Careful with pgBackRest: see the instructions for Bookworm and follow them with adjusted version numbers! Also watch out for the not-yet-merged branch in Ansible!
aptitude search '~c' # find removed packages
aptitude search '~o' # find obsolete packages (see before update instructions)
# purge applicable packages of both of these lists
apt autoremove --purge # purge packages installed as dependencies if not needed anymore
apt clean # remove cached package downloads
find /etc -name '*.dpkg-*' -or -name '*.ucf-*' -or -name '*.merge-error'
Re-add the external sources and update and upgrade them with the usual procedure.
Run Ansible on the host completely.
Check the system manually. Also check whether the monitoring is happy.
Nothing so far.