Debian 12 Transition: Difference between revisions
No edit summary |
Add a Kerberos section for potential libk5crypto3 issues |
||
| (4 intermediate revisions by 2 users not shown) | |||
| Line 47: | Line 47: | ||
</pre> |
</pre> |
||
== |
=== Kerberos === |
||
If Kerberos and consequently, the NFS mount breaks, see [[New CSC Machine#apt|the new machine apt guide]] and make sure that <code>/etc/apt/preferences.d/99-csclub</code> exists and run <code>apt install --reinstall libk5crypto3</code>. |
|||
| ⚫ | |||
Here are some places to look and sample errors for the <code>libk5crypto3</code> issue: |
|||
=== General-use servers === |
|||
* <code>mount.nfs: access denied by server while mounting fs00[...]:/users</code> |
|||
* corn-syrup: low on disk space (<10G) |
|||
* <code>journalctl -u rpc-svcgssd.service</code>: <code>ERROR: GSS-API: [...] GSS_S_FAILURE [...] - No key table entry found matching nfs/[...]</code> |
|||
* hfcs: won't boot because it's not accepting password on IPMI |
|||
* (Auth1) <code>journalctl -u krb5-kdc.service -r</code>: <code>BAD_ENCRYPTION_TYPE: authtime 0 [...] KDC has no support for encryption type</code> |
|||
** will need to enter the server room to turn it on one day |
|||
* carbonated-water: carbonated-water-ipmi doesn't seem to be valid |
|||
== Pending machines == |
|||
| ⚫ | |||
| ⚫ | |||
=== Syscom Only === |
=== Syscom Only === |
||
| Line 66: | Line 67: | ||
* yerba-mate |
* yerba-mate |
||
* cobalamin |
* cobalamin |
||
| ⚫ | |||
=== Cloud === |
=== Cloud === |
||
Latest revision as of 20:21, 12 April 2025
Upgrade steps
1. Create the /etc/apt/keyrings folder.
2. Download the CSC keyring into it:
wget -O /etc/apt/keyrings/csclub.gpg http://debian.csclub.uwaterloo.ca/csclub.gpg
3. Make sure that the CSC keyring is the only one in /etc/apt/trusted.gpg:
gpg --no-options --show-keys /etc/apt/trusted.gpg
4. Delete /etc/apt/trusted.gpg and its backup file:
rm -f /etc/apt/trusted.gpg /etc/apt/trusted.gpg~
5. Replace the old-style /etc/apt/sources.list and /etc/apt/sources.list.d/*.list files with the new Deb822 "sources" style (see /etc/apt/sources.list.d/*.sources on sorbitol; don't copy the one for the Dell repo). Add a helpful note in /etc/apt/sources.list for other syscom members:
# See /etc/apt/sources.list.d/*.sources
6. apt update && apt dist-upgrade
7. apt autoremove --purge
8. During the upgrade, accept the new configuration files (choose the 'Y' option) for the following files:
- /etc/fail2ban/fail2ban.conf
- /etc/fail2ban/jail.conf
- /etc/fail2ban/filter.d/sshd.conf
Everything else should keep the old file.
9. Copy the following files from sorbitol:
- /etc/fail2ban/fail2ban.local
- /etc/fail2ban/jail.local
- /etc/fail2ban/filter.d/sshd.local
Then restart fail2ban.
10. If the 'ntp' package is installed, purge it and install systemd-timesyncd instead. Enable the systemd-timesyncd service and copy /etc/systemd/timesyncd.conf.d/csclub.conf from sorbitol. Start the service and make sure it's working.
11. Get rid of python2 if it's still installed:
apt purge python2.7-minimal apt autoremove --purge
Kerberos
If Kerberos and consequently, the NFS mount breaks, see the new machine apt guide and make sure that /etc/apt/preferences.d/99-csclub exists and run apt install --reinstall libk5crypto3.
Here are some places to look and sample errors for the libk5crypto3 issue:
mount.nfs: access denied by server while mounting fs00[...]:/usersjournalctl -u rpc-svcgssd.service:ERROR: GSS-API: [...] GSS_S_FAILURE [...] - No key table entry found matching nfs/[...]- (Auth1)
journalctl -u krb5-kdc.service -r:BAD_ENCRYPTION_TYPE: authtime 0 [...] KDC has no support for encryption type
Pending machines
Machines/containers that have yet to upgrade to Debian 12. Remove entry when upgrade is done.
Syscom Only
- xylitol: later?
- xylitol runs all sort of critical services
- phosphoric-acid: later?
- phosphoric-acid runs web
- yerba-mate
- cobalamin
- potassium-benzoate: ugh ubuntu and we can't shut down the mirror
Cloud
Everything. We will need to wait until ceph supports bookworm.
Containers
- on xylitol
- auth1
- chat
- on phosphoric-acid
- caffeine
- coffee
- prometheus