- Upgrades from Debian Edu etch
- Upgrades from older Debian Edu / Skolelinux installations (before etch)
Before explaining how to upgrade, please note, that you do this update on your productive server on your own risk. Debian Edu/Skolelinux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.
Please read this chapter completly before attempting to upgrade.
General notes on upgrading
Upgrading Debian from one distribution to the next is generally rather easy. For Debian Edu this is unfortunatly not yet true as we heavily modify configuration files in ways we shouldn't do. (See Debian bug 311188 for more information.) Upgrading is still possible but might requiere some work.
In general, upgrading the servers is more difficult than the workstations and the main-server is the most difficult to upgrade. The diskless machines are easy, as their chroot environment can be deleted and recreated, if you haven't modified it. If you have, the chroot is basically a workstation chroot anyway, so rather easy to upgrade.
If you want to be sure that after the upgrade everything works like before , you should test the upgrade on (a) test systems, which are configured the same way as your production machines. There you can test the upgrade without risk and see if everything works as it should.
Make sure to also read the information about the Debian lenny release from its installation manual.
Also it might be wise to wait a bit and keep running etch for some more weeks, so that others can test the upgrade, experience problems and document them here. Debian Edu etch will receive continued support for some time in the future, but when Debian ceases support for etch, Debian Edu will (have to) do that too. This is expected to happen on Febrary 16th, 2010.
Upgrades from Debian Edu etch
Be prepared: make sure you have tested the upgrade from Etch in a test environment or have backups ready to be able to go back.
The basic upgrade operation
Edit /etc/apt/sources.list and replace all occurances of "etch" with "lenny".
run apt-get update
run apt-get upgrade
run apt-get dist-upgrade
LDAP service needs to repaired
Upgrading the debian-edu-config package on tjener is likely to disrupt some services:
slapd wouldn't start.
It may keep running until next restart, then if it gives:
tjener:~# invoke-rc.d slapd start Starting OpenLDAP: slapd - failed. The operation failed but no output was produced. For hints on what went wrong please refer to the system's logfiles (e.g. /var/log/syslog) or try running the daemon in Debug mode like via "slapd -d 16383" (warning: this will create copious output). Below, you can find the command line options used by this script to run slapd. Do not forget to specify those options if you want to look to debugging output: slapd -h 'ldap:/// ldaps:///' -g openldap -u openldap -f /etc/ldap/slapd.conf -4
And searching /var/log/syslog yelds something like:
tjener slapd: could not stat config file "/etc/ldap/schema/dnsdomain2.schema": No such file or directory (2)
then as a temporary measure to get it running until DNS is sorted.
Comment out the line include /etc/ldap/schema/dnsdomain2.schema in /etc/ldap/slapd.conf.
Run invoke-rc.d slapd start
Some new indexes have been added to openldap's configuration. in order to benefit from these you need to regenerate indexes:
stop slapd. invoke-rc.d slapd stop
- check syslog or ps output that it have truly stopped.
run sudo -u openldap slapindex
start slapd with invoke-rc.d slapd start
DHCP service needs to repaired
dhcp3-server wouldn't start.
If starting dhcp3-server gives:
tjener:~# invoke-rc.d dhcp3-server start dhcpd self-test failed. Please fix the config file. The error was: Internet Systems Consortium DHCP Server V3.1.1 Copyright 2004-2008 Internet Systems Consortium. All rights reserved. For info, please visit http://www.isc.org/sw/dhcp/ /etc/dhcp3/dhcpd.conf line 2: semicolon expected. ldap-server "ldap" ^ /etc/dhcp3/dhcpd.conf line 3: semicolon expected. ldap-port 389; ^ /etc/dhcp3/dhcpd.conf line 4: semicolon expected. ldap-base-dn "dc=skole,dc=skolelinux,dc=no" ^ /etc/dhcp3/dhcpd.conf line 5: semicolon expected. ldap-dhcp-server-cn "dhcp" ^ /etc/dhcp3/dhcpd.conf line 6: semicolon expected. ldap-method dynamic; ^ Configuration file errors encountered -- exiting invoke-rc.d: initscript dhcp3-server, action "start" failed.
Then installing dhcp3-server-ldap is needed install it. Use your favorite package management front-end or run:
tjener:~# apt-get -q=2 update tjener:~# apt-get -q=2 install dhcp3-server-ldap
If starting dhcp3-server gives:
tjener:~# invoke-rc.d dhcp3-server start dhcpd self-test failed. Please fix the config file. The error was: Internet Systems Consortium DHCP Server V3.1.1 Copyright 2004-2008 Internet Systems Consortium. All rights reserved. For info, please visit http://www.isc.org/sw/dhcp/ Connecting to LDAP server ldap:389 Successfully logged into LDAP server ldap Cannot find host LDAP entry dhcp (&(objectClass=dhcpServer)(cn=dhcp)) Configuration file errors encountered -- exiting invoke-rc.d: initscript dhcp3-server, action "start" failed.Then DHCP configuration needs loading into LDAP. Two ways to do it are:
- To load an existing configuration into the database:
Locate the appropriate dhcp.conf, the last one should be in /etc/dhcp3/dhcpd-debian-edu.conf.dpkg-old or get one from backups.
Set /usr/share/doc/dhcp3-server-ldap/dhcpd-conf-to-ldap.pl executable.
Run /usr/share/doc/dhcp3-server-ldap/dhcpd-conf-to-ldap.pl, optionaly with --help first or read the comments in code.
View and check the resulting ldif file. Though DHCP is likely to function fine with this file, to keep as close as possible to the default configuration it is probably best to keep the entries for the configured individual hosts and replace the general entries (i.e. dhcpService, dhcpSharedNetwork, dhcpSubnet, etc.) with those from etc/ldap/dhcp.ldif.
- Load the resulting ldif file to the LDAP database.
tjener:~# cd /usr/share/doc/dhcp3-server-ldap/ tjener:/usr/share/doc/dhcp3-server-ldap# gunzip dhcpd-conf-to-ldap.pl.gz tjener:/usr/share/doc/dhcp3-server-ldap# chmod 0744 dhcpd-conf-to-ldap.pl tjener:/usr/share/doc/dhcp3-server-ldap# tjener:/usr/share/doc/dhcp3-server-ldap# ./dhcpd-conf-to-ldap.pl --server "dhcp" \ > --basedn "dc=skole,dc=skolelinux,dc=no" \ > --dhcpdn "cn=DHCP Config,dc=skole,dc=skolelinux,dc=no" \ > --conf "/etc/dhcp3/dhcpd-debian-edu.conf.dpkg-old" --ldif "/etc/ldap/migrate-dhcp.ldif" Creating LDAP Configuration with the following options: Base DN: dc=skole,dc=skolelinux,dc=no DHCP DN: cn=DHCP Config,dc=skole,dc=skolelinux,dc=no Server DN: cn=dhcp, dc=skole,dc=skolelinux,dc=no Done. tjener:/usr/share/doc/dhcp3-server-ldap# tjener:/usr/share/doc/dhcp3-server-ldap# cd /etc/ldap/ tjener:/etc/ldap# tjener:/etc/ldap# tjener:/etc/ldap# # At this point it's recommended to view migrate-dhcp.ldif side by side tjener:/etc/ldap# # with dhcp.ldif and make some manual adjustments, before running: tjener:/etc/ldap# tjener:/etc/ldap# ldapadd -xZWD 'cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no' \ > -f /etc/ldap/migrate-dhcp.ldif Enter LDAP Password: adding new entry "cn=dhcp, dc=skole,dc=skolelinux,dc=no" .... tjener:/etc/ldap# tjener:/etc/ldap# invoke-rc.d dhcp3-server start * Starting DHCP server dhcpd3 [ ok ] tjener:/etc/ldap#
To load The fresh configuration into the database:
If there are only few configured host and adding them later to the configuration is no bother just run ldapadd -xZWD 'cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no' -f /etc/ldap/dhcp.ldif
- To load an existing configuration into the database:
Squid wouldn't start.
If starting Squid gives:
tjener:~# invoke-rc.d squid start * Starting Squid HTTP proxy squid 2009/08/23 00:20:56| ACL name 'localnet' not defined! FATAL: Bungled squid.conf line 2577: http_access allow localnet Squid Cache (Version 2.7.STABLE3): Terminated abnormally.It's complaint is self explanatory. Two options to overcome this are:
To keep the old /etc/squid/squid.conf just comment-out or remove the offending line http_access allow localnet.
- To stay current copy the new squid.conf distributed in the squid package:
tjener:~# cd /etc/squid/ tjener:/etc/squid# mv squid.conf etch-squid.conf tjener:/etc/squid# cp /usr/share/doc/squid/examples/squid.conf squid.conf
To have the default Debian Edu configuration run cfengine-debian-edu
Any customized settings in the old configuration should be copied from the old file ( dropping lines acl schoolnet*, acl ltspnet*, http_access allow schoolnet and http_access allow ltspnet these were replaced by the acl localnet* and *access allow localnet lines).
User logins from Windows machines needs to repaired
Users can't login from Windows machines.
A change in Samba that has become apparent in Lenny (see 532859) prevents users login to Samba unless sambaPwdLastSet attribute is set other than zero in their LDAP entry.
To add the 'sambaPwdLastSet' attribute for new users to be created in lwat make sure /etc/lwat/admin.ini contain the line 'sambaPwdLastSet = 1' for each group. See also: Debian Edu bug#1364.
- To find which users are affected try:
ldapsearch -xZLLLWD 'cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no' -b 'ou=People,dc=skole,dc=skolelinux,dc=no' -s one '(&(objectClass=sambaSamAccount)(|(!(sambaPwdLastSet=*))(sambaPwdLastSet=0)))' uid | less
To add the 'sambaPwdLastSet' attribute to users where it isn't set try:
ldapsearch -xZLLLWD 'cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no' -b 'ou=People,dc=skole,dc=skolelinux,dc=no' -s one '(&(objectClass=sambaSamAccount)(!(sambaPwdLastSet=*)))' dn | sed '/.\+/a\changetype: modify\nadd:sambaPwdLastSet\nsambaPwdLastSet: 2\n-' > /etc/ldap/fixamba.ldif ldapmodify -xZWD 'cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no' \ -f /etc/ldap/fixamba.ldif
If users with 'sambaPwdLastSet = 0' were found and allowing them to login is desired, try:
ldapsearch -xZLLLWD 'cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no' -b 'ou=People,dc=skole,dc=skolelinux,dc=no' -s one '(&(objectClass=sambaSamAccount)(sambaPwdLastSet=0))' dn | sed '/.\+/a\changetype: modify\nreplace:sambaPwdLastSet\nsambaPwdLastSet: 2\n-' > /etc/ldap/fixamba.ldif ldapmodify -xZWD 'cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no' \ -f /etc/ldap/fixamba.ldif
See also SambaLDAP.
DNS service needs to repaired
For lenny Debian Edu has switched to powerdns as nameserver. It's however possible to stay with bind9.
If you want to continue running bind, you must add the RFC 2782 entries in /etc/bind/debian-edu/db.intern:
;RFC2782 _ldap._tcp IN SRV 0 100 389 tjener _syslog._udp IN SRV 0 100 514 tjener
To switch to powerdns:
install the packages pdns-server, pdns-recursor and pdns-backend-ldap.
tjener:~# apt-get -q=2 update tjener:~# apt-get -q=2 install pdns-server pdns-recursor pdns-backend-ldap
Uncomment the line include /etc/ldap/schema/dnsdomain2.schema, if it was commented-out earlier (1.1).
It's recommended to index associatedDomain, at the indices area add the lines:
# PowerDNS index index associatedDomain pres,eq,sub
Restart slapd invoke-rc.d slapd restart.
- Load the DNS data into LDAP either using the default Debian Edu or the existing Bind9 configuration:
- To use the default Debian Edu configuration:
Add the contents of /etc/ldap/dns_skole.ldif and /etc/ldap/dns_arpa.ldif using ldapadd.
tjener:~# ldapadd -xZWD 'cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no' \ > -f '/etc/ldap/dns_skole.ldif' tjener:~# ldapadd -xZWD 'cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no' \ > -f '/etc/ldap/dns_arpa.ldif'
To migrate Bind's configuration:
There is a utility called zone2ldap provided in the PowerDNS distribution which convert zone files used by BIND to the ldif format, it is broken in Lenny (504061), fixed packages are available in Squeeze.
To use the one from Etch:
Unpack it using dpkg or dpkg-deb and replace the faulty /usr/bin/zone2ldap:
tjener:/tmp# dpkg-deb -x pdns-backend-ldap_2.9.20-8+etch1_i386.deb \ > pdns-backend-ldap_2.9.20 tjener:/tmp# cp pdns-backend-ldap_2.9.20/usr/bin/zone2ldap /usr/bin/zone2ldap
Apparently PowerDNS in Lenny (220.127.116.11) doesn't understand AFSDB records same for `zone2ldap', when reading an AFSDB record it will quit with an error message.
To workaround this limitation comment-out (with ' ; ') AFSDB records in the named db.* files, grep -rl AFSDB /etc/bind/* will disclose them.
- At last the conversion can be executed:
tjener:~# zone2ldap --basedn='ou=hosts,dc=skole,dc=skolelinux,dc=no' --layout=tree \ > --named-conf='/etc/bind/debian-edu/named-bind9.conf' --resume \ > > /etc/ldap/skole-zone2ldap
- Before the data in the new ldif file can be added to the database the "basedn" must be created:
tjener:~# ldapadd -xZWD 'cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no' Enter LDAP Password: dn: ou=hosts,dc=skole,dc=skolelinux,dc=no objectClass: organizationalUnit objectClass: domainRelatedObject ou: hosts associatedDomain: intern
The format of the ldif file created by zone2ldap is suitable for `ldapmodify':
tjener:~# ldapmodify -xZWD 'cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no' \ > -f /etc/ldap/skole-zone2ldap
- To use the default Debian Edu configuration:
Time to stop bind9 and start pdns and pdns-recursor:
tjener:~# invoke-rc.d bind9 stop tjener:~# invoke-rc.d pdns start tjener:~# invoke-rc.d pdns-recursor start
- After testing the new PowerDNS setup Bind9 may be disabled/removed/purged.
Nagios setup has changed
Nagios2 is not available in lenny anymore, so nagios3 is now installed.
The nagios3 configuration will already be installed and functional, though the nagios2 configuration won't be functional anymore. If you changed the nagios2 configuration, your changes will be saved in .dpkg-old files, but the changes will not be applied to the nagios3 configuration. So these changes have to be redone manually.
Recreating an LTSP chroot
On the LTSP server(s) the LTSP chroot should be recreated. The new chroot will automatically support both thin-clients and diskless workstations.
Remove /opt/ltsp/i386 (or /opt/ltsp/amd64, depending on your setup. If you have enough diskspace, consider backing it up.
Recreate the chroot by running debian-edu-ltsp && ltsp-make-client as root.
Upgrades from older Debian Edu / Skolelinux installations (before etch)
To upgrade from any older release, you will need to upgrade to the etch based Debian Edu release first, before you can follow the instructions provided above. How to upgrade to etch is described in the Manual for Debian Edu etch.