Debian 12 Transition: Difference between revisions

From CSCWiki
Created page with "This page records the pending debian 12 upgrades on various systems. Remove corresponding entry if upgrade is done without issues. == General-use servers == * corn-syrup: lo..."
 
Add a Kerberos section for potential libk5crypto3 issues
 
(5 intermediate revisions by 2 users not shown)
Line 1: Line 1:
== Upgrade steps ==
This page records the pending debian 12 upgrades on various systems. Remove corresponding entry if upgrade is done without issues.
1. Create the /etc/apt/keyrings folder.


2. Download the CSC keyring into it:
== General-use servers ==
<pre>
wget -O /etc/apt/keyrings/csclub.gpg http://debian.csclub.uwaterloo.ca/csclub.gpg
</pre>


3. Make sure that the CSC keyring is the only one in /etc/apt/trusted.gpg:
* corn-syrup: low on disk space (&lt;10G)
<pre>
* hfcs: won't boot because it's not accepting password on IPMI
gpg --no-options --show-keys /etc/apt/trusted.gpg
** will need to enter the server room to turn it on one day
</pre>
* carbonated-water: carbonated-water-ipmi doesn't seem to be valid
* potassium-benzoate: ugh ubuntu and we can't shut down the mirror


4. Delete /etc/apt/trusted.gpg and its backup file:
== Syscom Only ==
<pre>
rm -f /etc/apt/trusted.gpg /etc/apt/trusted.gpg~
</pre>

5. Replace the old-style /etc/apt/sources.list and /etc/apt/sources.list.d/*.list files with the new Deb822 "sources" style (see /etc/apt/sources.list.d/*.sources on sorbitol; don't copy the one for the Dell repo). Add a helpful note in /etc/apt/sources.list for other syscom members:
<pre>
# See /etc/apt/sources.list.d/*.sources
</pre>

6. apt update && apt dist-upgrade

7. apt autoremove --purge

8. During the upgrade, accept the new configuration files (choose the 'Y' option)
for the following files:
* /etc/fail2ban/fail2ban.conf
* /etc/fail2ban/jail.conf
* /etc/fail2ban/filter.d/sshd.conf
Everything else should keep the old file.

9. Copy the following files from sorbitol:
* /etc/fail2ban/fail2ban.local
* /etc/fail2ban/jail.local
* /etc/fail2ban/filter.d/sshd.local
Then restart fail2ban.

10. If the 'ntp' package is installed, purge it and install systemd-timesyncd instead. Enable the systemd-timesyncd service and copy /etc/systemd/timesyncd.conf.d/csclub.conf from sorbitol. Start the service and make sure it's working.

11. Get rid of python2 if it's still installed:
<pre>
apt purge python2.7-minimal
apt autoremove --purge
</pre>

=== Kerberos ===
If Kerberos and consequently, the NFS mount breaks, see [[New CSC Machine#apt|the new machine apt guide]] and make sure that <code>/etc/apt/preferences.d/99-csclub</code> exists and run <code>apt install --reinstall libk5crypto3</code>.

Here are some places to look and sample errors for the <code>libk5crypto3</code> issue:

* <code>mount.nfs: access denied by server while mounting fs00[...]:/users</code>
* <code>journalctl -u rpc-svcgssd.service</code>: <code>ERROR: GSS-API: [...] GSS_S_FAILURE [...] - No key table entry found matching nfs/[...]</code>
* (Auth1) <code>journalctl -u krb5-kdc.service -r</code>: <code>BAD_ENCRYPTION_TYPE: authtime 0 [...] KDC has no support for encryption type</code>

== Pending machines ==
Machines/containers that have yet to upgrade to Debian 12. Remove entry when upgrade is done.

=== Syscom Only ===


* xylitol: later?
* xylitol: later?
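Review bot: Step 2 downloads the apt trust root with wget over plain http://, and no later step inspects the downloaded file; step 3 looks at /etc/apt/trusted.gpg, not at the new /etc/apt/keyrings/csclub.gpg. Suggest adding a step that runs gpg --no-options --show-keys on /etc/apt/keyrings/csclub.gpg and compares the fingerprint with a copy obtained from a trusted source before step 6. Step 4's rm -f also runs whatever step 3 showed, so the text should say what to do when trusted.gpg holds keys other than the CSC one.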
Line 17: Line 67:
* yerba-mate
* yerba-mate
* cobalamin
* cobalamin
* potassium-benzoate: ugh ubuntu and we can't shut down the mirror


== Cloud ==
=== Cloud ===


Everything. We will need to wait until ceph supports bookworm.
Everything. We will need to wait until ceph supports bookworm.


== Containers ==
=== Containers ===


* on xylitol
* on xylitol

Latest revision as of 20:21, 12 April 2025

Upgrade steps

1. Create the /etc/apt/keyrings folder.

2. Download the CSC keyring into it:

wget -O /etc/apt/keyrings/csclub.gpg http://debian.csclub.uwaterloo.ca/csclub.gpg

3. Make sure that the CSC keyring is the only one in /etc/apt/trusted.gpg:

gpg --no-options --show-keys /etc/apt/trusted.gpg

4. Delete /etc/apt/trusted.gpg and its backup file:

rm -f /etc/apt/trusted.gpg /etc/apt/trusted.gpg~

5. Replace the old-style /etc/apt/sources.list and /etc/apt/sources.list.d/*.list files with the new Deb822 "sources" style (see /etc/apt/sources.list.d/*.sources on sorbitol; don't copy the one for the Dell repo). Add a helpful note in /etc/apt/sources.list for other syscom members:

# See /etc/apt/sources.list.d/*.sources

6. apt update && apt dist-upgrade

7. apt autoremove --purge

8. During the upgrade, accept the new configuration files (choose the 'Y' option) for the following files:

  • /etc/fail2ban/fail2ban.conf
  • /etc/fail2ban/jail.conf
  • /etc/fail2ban/filter.d/sshd.conf

Everything else should keep the old file.

9. Copy the following files from sorbitol:

  • /etc/fail2ban/fail2ban.local
  • /etc/fail2ban/jail.local
  • /etc/fail2ban/filter.d/sshd.local

Then restart fail2ban.

10. If the 'ntp' package is installed, purge it and install systemd-timesyncd instead. Enable the systemd-timesyncd service and copy /etc/systemd/timesyncd.conf.d/csclub.conf from sorbitol. Start the service and make sure it's working.

11. Get rid of python2 if it's still installed:

apt purge python2.7-minimal
apt autoremove --purge
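
One way to script the check in steps 2 to 4, as an added example that is not part of the wiki page: it parses `gpg --with-colons` output and succeeds only when every primary key matches an expected fingerprint, so the delete in step 4 can be gated on it (the same check works on the downloaded /etc/apt/keyrings/csclub.gpg). The function names are hypothetical, `CSC_FPR` is a placeholder rather than the real CSC key fingerprint, and the sample listings are constructed.

```shell
#!/bin/sh
# Added example: gate step 4 (delete trusted.gpg) on the result of step 3.

# Placeholder fingerprints, NOT real keys; take the CSC one from a trusted source.
CSC_FPR=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
OTHER_FPR=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB

# Print the fingerprint of each primary key in `gpg --with-colons` output on
# stdin: the first fpr record after a pub record. Subkey fingerprints are skipped.
primary_fprs() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "sub" { want = 0; next }
        $1 == "fpr" && want { print $10; want = 0 }
    '
}

# Succeed only if stdin lists at least one primary key and every one of them
# is among the expected fingerprints passed as arguments.
only_expected_keys() {
    fprs=$(primary_fprs)
    [ -n "$fprs" ] || return 1
    for fpr in $fprs; do
        known=0
        for expected in "$@"; do
            if [ "$fpr" = "$expected" ]; then known=1; fi
        done
        if [ "$known" -ne 1 ]; then
            echo "unexpected key: $fpr" >&2
            return 1
        fi
    done
    return 0
}

# Constructed colon listings standing in for real gpg output.
SAMPLE_CLEAN="pub:-:4096:1:AAAAAAAAAAAAAAAA:1600000000:::-:::scESC:
fpr:::::::::$CSC_FPR:
sub:-:4096:1:CCCCCCCCCCCCCCCC:1600000000::::::e:
fpr:::::::::CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC:"
SAMPLE_EXTRA="$SAMPLE_CLEAN
pub:-:4096:1:BBBBBBBBBBBBBBBB:1600000000:::-:::scESC:
fpr:::::::::$OTHER_FPR:"

# On a real host, as root:
#   gpg --no-options --show-keys --with-colons /etc/apt/trusted.gpg \
#     | only_expected_keys "$CSC_FPR" \
#     && rm -f /etc/apt/trusted.gpg /etc/apt/trusted.gpg~
```
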

Kerberos

If Kerberos, and consequently the NFS mount, breaks, see the new machine apt guide, make sure that /etc/apt/preferences.d/99-csclub exists, and run apt install --reinstall libk5crypto3.

Here are some places to look and sample errors for the libk5crypto3 issue:

  • mount.nfs: access denied by server while mounting fs00[...]:/users
  • journalctl -u rpc-svcgssd.service: ERROR: GSS-API: [...] GSS_S_FAILURE [...] - No key table entry found matching nfs/[...]
  • (Auth1) journalctl -u krb5-kdc.service -r: BAD_ENCRYPTION_TYPE: authtime 0 [...] KDC has no support for encryption type

Pending machines

Machines/containers that have yet to upgrade to Debian 12. Remove entry when upgrade is done.

Syscom Only

  • xylitol: later?
    • xylitol runs all sorts of critical services
  • phosphoric-acid: later?
    • phosphoric-acid runs web
  • yerba-mate
  • cobalamin
  • potassium-benzoate: ugh ubuntu and we can't shut down the mirror

Cloud

Everything. We will need to wait until ceph supports bookworm.

Containers

  • on xylitol
    • auth1
    • mail
    • chat
  • on phosphoric-acid
    • caffeine
    • coffee
    • prometheus