Upgrades
Contents
Before reading this upgrade guide, please note that live updates to your production servers are carried out at your own risk. Debian Edu/Skolelinux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.
Please read this chapter and the New features in Bullseye chapter of this manual completely before attempting to upgrade.
General notes on upgrading
Upgrading Debian from one distribution to the next is generally rather easy. For Debian Edu this is unfortunately a bit more complicated as we modify configuration files in ways we shouldn't. However we have documented the needed steps below. (See Debian bug 311188 for more information how Debian Edu should modify configuration files.)
In general, upgrading the servers is more difficult than the workstations and the main-server is the most difficult to upgrade.
If you want to be sure that after the upgrade everything works as before, you should test the upgrade on a test system or systems configured the same way as your production machines. There you can test the upgrade without risk and see if everything works as it should.
Make sure to also read the information about the current Debian Stable release in its installation manual.
It may also be wise to wait a bit and keep running Oldstable for a few weeks longer, so that others can test the upgrade and document any problems they experience. The Oldstable release of Debian Edu will receive continued support for some time after the next Stable release, but when Debian ceases support for Oldstable, Debian Edu will necessarily do the same.
Upgrades from Debian Edu Buster
Be prepared: make sure you have tested the upgrade from Buster in a test environment or have backups ready to be able to go back.
Please note that the following recipe applies to a default Debian Edu main server installation (desktop=xfce, profiles Main Server, Workstation, LTSP Server). (For a general overview concerning Buster to Bullseye upgrade, see: https://www.debian.org/releases/bullseye/releasenotes)
Don't use X, use a virtual console, log in as root.
If apt finishes with an error, try to fix it and/or run apt -f install and then apt -y full-upgrade once again.
Upgrading the main server
- Start by making sure the current system is up-to-date:
apt update apt full-upgrade
- Cleanup the package cache:
apt clean
- Prepare and start the upgrade to Bullseye (new security entry):
sed -i 's/buster/bullseye/g' /etc/apt/sources.list sed -i 's#/debian-security bullseye/updates# bullseye-security#g' /etc/apt/sources.list export LC_ALL=C # optional (to get English output) apt update apt full-upgrade
apt-list-changes: be prepared for a lot of NEWS to read; press <return> to scroll down, <q> to leave the pager. All information will be mailed to root so that you can read it again (using mailx or mutt).
- Read all debconf information carefully, choose 'keep the local version currently installed' unless stated differently below; in most cases hitting return will be fine.
- restart services: Choose Yes.
- openssh-server: Choose 'keep the local version currently installed'.
- /etc/plymouth/plymouthd.conf: Choose Y.
- Samba server and utilities: Choose 'keep the local version currently installed'.
- Kerberos servers: Enter 'kerberos' and hit 'OK'.
- /etc/default/slapd: Choose N.
- /etc/cups/cups-files.conf: Choose N.
- /etc/munin/munin.conf: Choose N.
- Apply and adjust configuration:
cf-agent -v -D installation service squid restart
- Setup and configure the Icinga2 web interface:
Run apt install icinga2-ido-mysql, always choose No if asked by debconf.
Run /usr/share/debian-edu-config/tools/edu-icinga-setup
- Get the new Debian Edu Homeworld artwork:
apt install debian-edu-artwork-homeworld apt purge debian-edu-artwork-buster # unless Buster artwork should be kept as an alternative
- Adjust Xfce panel configuration:
rm -f /etc/xdg/xfce4/panel/default.xml.cfsaved mv /etc/xdg/xfce4/panel/default.xml.dpkg-new /etc/xdg/xfce4/panel/default.xml
- Cope with new LTSP and related changes:
rm -f /etc/default/tftpd-hpa # to remove no longer needed modifications rm -rf /var/lib/tftpboot # to remove no longer used tftp base directory dpkg-reconfigure -p low tftpd-hpa # first prompt: keep ''tftp'' as system account, second: change TFTP root directory to ''/srv/tftp'' # third: keep address and port, last one: enter ''--secure'' as additional option service tftpd-hpa restart rm -rf /opt/ltsp # cleanup old LTSP base directory # The next steps will need quite some execution time. debian-edu-ltsp-install --arch amd64 --diskless_workstation no thin_type bare # if 64-Bit thin client support is wanted debian-edu-ltsp-install --arch i386 --diskless_workstation no thin_type bare # if 32-Bit thin client support is wanted debian-edu-ltsp-install --diskless_workstation yes # to create diskless workstation image from the server's file system debian-edu-pxeinstall # to add PXE installation files and related iPXE menu items
- Cope with move to iPXE:
Create a file ipxe.ldif with the following content:
dn: cn=dhcp,cn=tjener,ou=servers,ou=systems,dc=skole,dc=skolelinux,dc=no changetype: modify add: dhcpOption dhcpOption: space ipxe dhcpOption: ipxe-encap-opts code 175 = encapsulate ipxe dhcpOption: ipxe.menu code 39 = unsigned integer 8 dhcpOption: ipxe.no-pxedhcp code 176 = unsigned integer 8 dhcpOption: arch code 93 = unsigned integer 16
Then run ldapadd -ZD 'cn=admin,ou=ldap-access,dc=skole,dc=skolelinux,dc=no' -W -f ipxe.ldif to apply the changes.
Modify some more DHCP settings in LDAP, e.g. using an editor like ldapvi. Make sure, DHCP related entries match those contained in the /etc/ldap/gosa-server.ldif file. Entries concerned are:
81 cn=intern,cn=dhcp,cn=tjener,ou=servers,ou=systems,dc=skole,dc=skolelinux,dc=no 83 cn=subnet00.intern,cn=dhcp,cn=tjener,ou=servers,ou=systems,dc=skole,dc=skolelinux,dc=no 85 cn=subnet01.intern,cn=dhcp,cn=tjener,ou=servers,ou=systems,dc=skole,dc=skolelinux,dc=no
- Cope with GOsa changes - use new gosa.conf, fix LDAP access:
- cp /etc/gosa/gosa.conf /etc/gosa/gosa.conf.buster # backup
- cp /usr/share/debian-edu-config/gosa.conf.template /etc/gosa/gosa.conf # new gosa.conf file
- Search for adminPassword and snapshotAdminPassword in /etc/gosa/gosa.conf and replace $GOSAPWD with the random password found in /etc/gosa/gosa.conf.orig for those entries.
- rm /etc/gosa/gosa.secrets
Run gosa-encrypt-passwords
Run service apache2 restart
- Cope with Kerberos encryption type changes:
- sed -i 's/supported_enctypes/#supported_enctypes/' /etc/krb5kdc/kdc.conf
Run service krb5-kdc restart
- Cope with Samba changes:
Add first user's Samba account: smbpasswd -a <first username>. Once users change their password, the related Samba account will be created.
- Check if the upgraded system works:
Reboot; log in as first user and test
- if the GOsa² gui is working,
- if one is able to connect LTSP clients and workstations,
- if one can add/remove a netgroup membership of a system,
- if one can send and receive internal email,
- if one can manage printers,
- and if other site specific things are working.
Upgrading a workstation
Do all the basic things like on the main-server and without doing the things not needed. If not yet done, configure the machine to use Kerberos for mounting home directories, see the getting started chapter for details.
Upgrades from older Debian Edu / Skolelinux installations (before Buster)
To upgrade from any older release, you will need to upgrade to the Buster based Debian Edu release first, before you can follow the instructions provided above. Instructions are given in the Manual for Debian Edu Buster about how to upgrade to Buster from the previous release, Stretch. Likewise the Stretch manual describes how to upgrade from Jessie.