Aktueller Stand der Hosts: https://etherpad.fachschaften.rwth-aachen.de/p/bullseye-upgrade

Aktueller Stand des Ansible: https://etherpad.fachschaften.rwth-aachen.de/p/bullseye-ansible

Clients werden einfach wieder neu aufgesetzt. Beim Rest sollte ein Update möglich sein.

Hard Freeze seit 12. März, Full Freeze seit 17. Juli und Release am 14.08.

• New VA-API default driver for Intel GPUs
• The XFS file system no longer supports barrier/nobarrier option
• Noteworthy obsolete package: mailman (version 2) (TODO)
• Deprecated components: python2 (TODO), non-merged-usr-layout
• security suite is now named bullseye-security instead of buster/updates (TODO)
• aufs removal (TODO Anpassung der Guest-Overlay-Konfiguration. Siehe auch Release Notes Bug #963964.)
• bullseye is the final release to ship apt-key (Siehe auch Release Notes Bug #980743.)
• Password hashing uses yescrypt by default (incompatible to buster)
• rsnapshot removed (TODO), see also: https://github.com/rsnapshot/rsnapshot/issues/191#issuecomment-562460327, Debian maintainer's note: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986709

Bis zum Release können sich weitere Änderungen ergeben. Siehe auch Release Notes Bug Reports.

• audit subsystem spammt gern das Journal mit Debug-Messages (TODO)
• zabbix bisher ohne eigenes bullseye Repository (in Debian ist 5.0)
• sssd hat diverse Fehlermeldungen im Journal (u.a. krb5_child credential cache fail); unklar ob das am Update liegt

Noch nicht final.

non-mainstream Webbrowser

Debian 11 includes several browser engines which are affected by a steady stream of security vulnerabilities. The high rate of vulnerabilities and partial lack of upstream support in the form of long term branches make it very difficult to support these browsers and engines with backported security fixes. Additionally, library interdependencies make it extremely difficult to update to newer upstream releases. Therefore, browsers built upon e.g. the webkit and khtml engines[6] are included in bullseye, but not covered by security support. These browsers should not be used against untrusted websites. The webkit2gtk source package is covered by security support.

For general web browser use we recommend Firefox or Chromium. They will be kept up-to-date by rebuilding the current ESR releases for stable. The same strategy will be applied for Thunderbird.

OpenJDK 17

Debian bullseye comes with an early access version of OpenJDK 17 (the next expected OpenJDK LTS version after OpenJDK 11), to avoid the rather tedious bootstrap process. The plan is for OpenJDK 17 to receive an update in bullseye to the final upstream release announced for October 2021, followed by security updates on a best effort basis, but users should not expect to see updates for every quarterly upstream security update.

Python 2

Python 2 is not supported for running applications and there won't be any security updates for Python 2 in Bullseye.

Nach wie vor gilt für binutils, dass man es nur mit trusted input benutzen darf.

Vor dem Update sicherstellen, dass es ein aktuelles und funktionierendes und wiederherstellbares Backup gibt.

Bei älteren Systemen diese erst auf buster aktualisieren. Innerhalb von buster auch zuerst einen aktuellen Stand herstellen.

It is strongly recommended that you use the /usr/bin/script program to record a transcript of the upgrade session. Then if a problem occurs, you will have a log of what happened, and if needed, can provide exact information in a bug report. To start the recording, type:

script -t 2>~/upgrade-bullseye<step>.time -a ~/upgrade-bullseye<step>.script

or similar. If you have to rerun the typescript (e.g. if you have to reboot the system) use different step values to indicate which step of the upgrade you are logging. Do not put the typescript file in a temporary directory such as /tmp or /var/tmp (files in those directories may be deleted during the upgrade or during any restart).

The typescript will also allow you to review information that has scrolled off-screen. If you are at the system's console, just switch to VT2 (using Alt+F2) and, after logging in, use less -R ~root/upgrade-bullseye.script to view the file.

After you have completed the upgrade, you can stop script by typing exit at the prompt.

apt will also log the changed package states in /var/log/apt/history.log and the terminal output in /var/log/apt/term.log. dpkg will, in addition, log all package state changes in /var/log/dpkg.log. If you use aptitude, it will also log state changes in /var/log/aptitude.

If you have used the -t switch for script you can use the scriptreplay program to replay the whole session:

scriptreplay ~/upgrade-bullseye<step>.time ~/upgrade-bullseye<step>.script

Sofern anwendbar, zuerst Ganeti auf 3.0 updaten. Details:

during a test with piuparts I noticed your package fails to upgrade from
'buster'.
It installed fine in 'buster', then the upgrade to 'bullseye' fails.

In order to run 'gnt-cluster upgrade' both ganeti-3.0 and ganeti-2.16
need to be installed, but the package from buster needs to be removed
due to the removal of unversioned python and the Python 2 modules
(python-*) before the local admin could run 'gnt-cluster upgrade'

I'm not sure how a clean upgrade is intended to be performed in this
case. This may also be an interesting question for DSA.

Yes, the removal of unversioned python makes things more complicated. I
was hoping that ganeti-2.16's dependencies would be enough to keep the
Python 2 modules around until gnt-cluster upgrade could run.

That said, I think the best way forward is to upgrade buster clusters
to 3.0 using the packages from buster-backports, before attempting to
dist-upgrade to bullseye. This should probably be documented in the
release notes.

Since there's really not much else we can do about it now, I'm
downgrading to important and tagging it as wontfix. Please let me know
what you think.

Regards,
Apollon

Auffinden mit:

aptitude search '~o'
aptitude search '~i(!~ODebian)'
aptitude search '?narrow(?installed, ?not(?origin(Debian)))'

Entfernen mit:

apt autoremove --purge <packages>

Pakete, die von uns selbst eingebracht wurden, sollten konfiguriert belassen werden:

• tivsm-*
• gskssl
• gskcrypto
• systemd-journal-persistent
• sssd
• ganeti*
• adcli

Es scheint als würde Debian den Schritt vollziehen. Wir müssen also ggf. anpassen und das Paket zum richtigen Zeitpunkt deinstallieren ohne den Ordner zu verlieren.

Siehe auch Release Notes Bug #950447.

Es wird empfohlen sämtliches Pinning zu entfernen. Wir sollten aber nur auf nginx-Systemen apache2 aussortiert haben. Insofern unkritisch.

Es wird empfohlen sich vorher um leftover Konfigurationsdateien zu kümmern. Finden mit:

find /etc -name '*.dpkg-*' -or -name '*.ucf-*' -or -name '*.merge-error'

dpkg --audit

Alle nicht-offiziellen Quellen (temporär) rausschmeissen. Die verbleibenden Quellen auf bullseye abändern. Das Update externer Quellen auf nach dem offiziellen Update vermerken.

sed -i -e s,buster/updates,bullseye-security, -e s,buster,bullseye, /etc/apt/sources.list.d/*

For bullseye, the security suite is now named bullseye-security instead of buster/updates and users should adapt their sources.list accordingly when upgrading.

Zum Beispiel:

deb http://security.debian.org/debian-security bullseye-security main

Siehe auch Release Notes Bug #931785.

Update im Mehrschrittprozess durchführen:

apt update
apt upgrade
apt full-upgrade

Zwischendurch auf Enter hauen. Beobachten, ob wir wie üblich immer den Default wollen. Falls Probleme auftauchen, prüfen, ob die Release Notes Antworten haben.

Achtung mit pgBackRest: Siehe Anleitung zu Bookworm, dortige Anleitung mit angepassten Versionsnummern befolgen! Auch auf den noch nicht gemergten Branch in Ansible achten!

aptitude search '~c'    # find removed packages
aptitude search '~o'    # find obsolete packages (see before update instructions)
                        # purge applicable packages of both of these lists
apt autoremove --purge  # purge packages installed as dependencies if not needed anymore
apt clean               # remove cached package downloads
find /etc -name '*.dpkg-*' -or -name '*.ucf-*' -or -name '*.merge-error'

In Vorbereitung auf bookworm:

apt install usrmerge

Siehe auch Release Notes Bug #841666.

Externe Quellen wieder einbinden und mit dem üblichen Prozedere updaten und upgraden.

Ansible auf dem Host vollständig laufen lassen.

Manuelle Prüfung des Systems. Auch schauen, ob das Monitoring zufrieden ist.

Bisher nichts.