Upgrades

Before explaining how to upgrade, please note that you perform this upgrade on your production server at your own risk. Debian Edu/Skolelinux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. Please read this chapter completely before attempting to upgrade.

More information about the Debian lenny release is available in its installation manual.

If you want to be sure that everything works as before after the upgrade, you should test the upgrade on a test server that is configured the same way as your production server. There you can test the upgrade without risk and see if everything works as it should.

Also it might be wise to wait a bit and keep running etch for some more weeks, so that others can test the upgrade, experience problems and document them here. Debian Edu etch will receive continued support for some time in the future, but when Debian ceases support for etch, Debian Edu will (have to) do that too. This is expected to happen sometime in 2010.

Upgrades from Debian Edu etch

/!\ FIXME: describe how to upgrade from etch.

Upgrading the debian-edu-config package on tjener is likely to disrupt some services; please list these here.

  1. slapd wouldn't start.
    It may keep running until next restart, then if it gives:

     tjener:~# invoke-rc.d slapd start
     Starting OpenLDAP: slapd - failed.
     The operation failed but no output was produced. For hints on what went
     wrong please refer to the system's logfiles (e.g. /var/log/syslog) or
     try running the daemon in Debug mode like via "slapd -d 16383" (warning:
     this will create copious output).
    
     Below, you can find the command line options used by this script to
     run slapd. Do not forget to specify those options if you
     want to look to debugging output:
     slapd -h 'ldap:/// ldaps:///' -g openldap -u openldap -f /etc/ldap/slapd.conf                     -4

    And searching /var/log/syslog yields something like:
    tjener slapd[8894]: could not stat config file "/etc/ldap/schema/dnsdomain2.schema": No such file or directory (2)
    then, as a temporary measure to get it running until DNS is sorted:

    1. Comment out the line include   /etc/ldap/schema/dnsdomain2.schema in /etc/ldap/slapd.conf.

    2. Run invoke-rc.d slapd start

  2. dhcp3-server wouldn't start.
    If starting dhcp3-server gives:

     tjener:~# invoke-rc.d dhcp3-server start
     dhcpd self-test failed. Please fix the config file.
     The error was:
     Internet Systems Consortium DHCP Server V3.1.1
     Copyright 2004-2008 Internet Systems Consortium.
     All rights reserved.
     For info, please visit http://www.isc.org/sw/dhcp/
     /etc/dhcp3/dhcpd.conf line 2: semicolon expected.
     ldap-server "ldap"
                 ^
     /etc/dhcp3/dhcpd.conf line 3: semicolon expected.
     ldap-port 389;
               ^
     /etc/dhcp3/dhcpd.conf line 4: semicolon expected.
     ldap-base-dn  "dc=skole,dc=skolelinux,dc=no"
                   ^
     /etc/dhcp3/dhcpd.conf line 5: semicolon expected.
     ldap-dhcp-server-cn "dhcp"
                         ^
     /etc/dhcp3/dhcpd.conf line 6: semicolon expected.
     ldap-method dynamic;
                ^
     Configuration file errors encountered -- exiting
     invoke-rc.d: initscript dhcp3-server, action "start" failed.

    Then dhcp3-server-ldap needs to be installed. Use your favorite package management front-end or run:

     tjener:~# apt-get -q=2 update
     tjener:~# apt-get -q=2 install dhcp3-server-ldap

    If starting dhcp3-server gives:

     tjener:~# invoke-rc.d dhcp3-server start
     dhcpd self-test failed. Please fix the config file.
     The error was:
     Internet Systems Consortium DHCP Server V3.1.1
     Copyright 2004-2008 Internet Systems Consortium.
     All rights reserved.
     For info, please visit http://www.isc.org/sw/dhcp/
     Connecting to LDAP server ldap:389
     Successfully logged into LDAP server ldap
     Cannot find host LDAP entry dhcp (&(objectClass=dhcpServer)(cn=dhcp))
     Configuration file errors encountered -- exiting
     invoke-rc.d: initscript dhcp3-server, action "start" failed.
    Then DHCP configuration needs loading into LDAP. Two ways to do it are:
    1. To load an existing configuration into the database:
      1. Locate the appropriate dhcp.conf, the last one should be in /etc/dhcp3/dhcpd-debian-edu.conf.dpkg-old or get one from backups.

      2. Extract /usr/share/doc/dhcp3-server-ldap/dhcpd-conf-to-ldap.pl.gz

      3. Set /usr/share/doc/dhcp3-server-ldap/dhcpd-conf-to-ldap.pl executable.

      4. Run /usr/share/doc/dhcp3-server-ldap/dhcpd-conf-to-ldap.pl, optionally with --help first, or read the comments in the code.

      5. View and check the resulting ldif file. DHCP is likely to function fine with this file, but to stay as close as possible to the default configuration it is probably best to keep the entries for the individually configured hosts and replace the general entries (i.e. dhcpService, dhcpSharedNetwork, dhcpSubnet, etc.) with those from /etc/ldap/dhcp.ldif.

      6. Load the resulting ldif file to the LDAP database.
      7. Start dhcp3-server.

       tjener:~# cd /usr/share/doc/dhcp3-server-ldap/
       tjener:/usr/share/doc/dhcp3-server-ldap# gunzip dhcpd-conf-to-ldap.pl.gz
       tjener:/usr/share/doc/dhcp3-server-ldap# chmod 0744 dhcpd-conf-to-ldap.pl
       tjener:/usr/share/doc/dhcp3-server-ldap#
       tjener:/usr/share/doc/dhcp3-server-ldap# ./dhcpd-conf-to-ldap.pl --server "dhcp" \
       >     --basedn "dc=skole,dc=skolelinux,dc=no" \
       >     --dhcpdn "cn=DHCP Config,dc=skole,dc=skolelinux,dc=no" \
       >     --conf "/etc/dhcp3/dhcpd-debian-edu.conf.dpkg-old" --ldif "/etc/ldap/migrate-dhcp.ldif"
      
       Creating LDAP Configuration with the following options:
              Base DN: dc=skole,dc=skolelinux,dc=no
              DHCP DN: cn=DHCP Config,dc=skole,dc=skolelinux,dc=no
              Server DN: cn=dhcp, dc=skole,dc=skolelinux,dc=no
      
       Done.
       tjener:/usr/share/doc/dhcp3-server-ldap#
       tjener:/usr/share/doc/dhcp3-server-ldap# cd /etc/ldap/
       tjener:/etc/ldap#
       tjener:/etc/ldap#
       tjener:/etc/ldap# # At this point it's recommended to view migrate-dhcp.ldif side by side
       tjener:/etc/ldap# # with dhcp.ldif and make some manual adjustments, before running:
       tjener:/etc/ldap#
       tjener:/etc/ldap# ldapadd -xZWD 'cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no' \
       >                         -f /etc/ldap/migrate-dhcp.ldif
       Enter LDAP Password:
       adding new entry "cn=dhcp, dc=skole,dc=skolelinux,dc=no"
       ....
       tjener:/etc/ldap#
       tjener:/etc/ldap# invoke-rc.d dhcp3-server start
        * Starting DHCP server dhcpd3                                            [ ok ]
       tjener:/etc/ldap#
    2. To load the fresh configuration into the database:
      If there are only a few configured hosts and adding them to the configuration later is no bother, just run ldapadd -xZWD 'cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no' -f /etc/ldap/dhcp.ldif

  3. Squid wouldn't start.
    If starting Squid gives:

     tjener:~# invoke-rc.d squid start
     * Starting Squid HTTP proxy squid
     2009/08/23 00:20:56| ACL name 'localnet' not defined!
     FATAL: Bungled squid.conf line 2577: http_access allow localnet
     Squid Cache (Version 2.7.STABLE3): Terminated abnormally.
    Its complaint is self-explanatory. Two options to overcome this are:
    1. To keep the old /etc/squid/squid.conf just comment-out or remove the offending line http_access allow localnet.

    2. To stay current copy the new squid.conf distributed in the squid package:
       tjener:~# cd /etc/squid/
       tjener:/etc/squid# mv squid.conf etch-squid.conf
       tjener:/etc/squid# cp /usr/share/doc/squid/examples/squid.conf squid.conf
      1. To have the default Debian Edu configuration run cfengine-debian-edu

      2. Any customized settings in the old configuration should be copied from the old file (dropping the lines acl schoolnet*, acl ltspnet*, http_access allow schoolnet and http_access allow ltspnet; these were replaced by the acl localnet* and *access allow localnet lines).

  4. Users can't login from Windows machines.
    References: bug#1364, SambaLDAP.
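A check for the Squid failure described in item 3, as an added example that is not part of the original manual: it reports every access rule that names an ACL no earlier acl line defines, so a merged squid.conf can be tested before Squid is restarted. The function names and the sample configuration (including its addresses) are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the Debian Edu manual).

# undefined_acls FILE
# Squid reads squid.conf top to bottom, so an ACL must be defined by an "acl"
# line before any *_access rule names it. Prints "LINE: DIRECTIVE references
# undefined ACL NAME" per problem and returns 1 if any were found.
undefined_acls() {
    awk '
        $1 ~ /^#/ { next }                          # whole-line comment
        $1 == "acl" && NF >= 3 { defined[$2] = 1; next }
        $1 ~ /_access$/ && ($2 == "allow" || $2 == "deny") {
            for (i = 3; i <= NF; i++) {
                if ($i ~ /^#/) break                # trailing comment
                name = $i
                sub(/^!/, "", name)                 # "!acl" negates the same ACL
                if (!(name in defined)) {
                    print NR ": " $1 " references undefined ACL " name
                    bad = 1
                }
            }
        }
        END { exit bad }
    ' "$1"
}

# Constructed sample: an etch-style file that kept its schoolnet/ltspnet ACLs
# but gained the new "http_access allow localnet" rule without its acl line.
write_sample_conf() {
    cat > "$1" <<'EOF'
acl all src all
acl schoolnet src 10.0.2.0/23
http_access allow schoolnet
http_access allow localnet
acl ltspnet src 192.168.0.0/24
icp_access deny !ltspnet
http_access deny all
EOF
}

# Usage: sh check-squid-acls.sh /etc/squid/squid.conf
if [ $# -gt 0 ]; then
    undefined_acls "$1"
fi
```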

Domain Name System

Bind

If you want to continue running bind, you must add the RFC 2782 entries in /etc/bind/debian-edu/db.intern:

;RFC2782
_ldap._tcp                      IN      SRV     0 100 389 tjener
_syslog._udp                    IN      SRV     0 100 514 tjener

powerdns

To switch to powerdns:

  1. install the packages pdns-server, pdns-recursor and pdns-backend-ldap.

     tjener:~# apt-get -q=2 update
     tjener:~# apt-get -q=2 install pdns-server pdns-recursor pdns-backend-ldap
  2. In /etc/ldap/slapd.conf:

    1. Uncomment the line include   /etc/ldap/schema/dnsdomain2.schema, if it was commented-out earlier (1.1).

    2. It's recommended to index associatedDomain, at the indices area add the lines:

       # PowerDNS index
       index associatedDomain         pres,eq,sub
  3. Restart slapd: invoke-rc.d slapd restart

  4. Load the DNS data into LDAP either using the default Debian Edu or the existing Bind9 configuration:
    1. To use the default Debian Edu configuration:
      1. Add the contents of /etc/ldap/dns_skole.ldif and /etc/ldap/dns_arpa.ldif using ldapadd.

         tjener:~# ldapadd -xZWD 'cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no' \
         >                 -f '/etc/ldap/dns_skole.ldif'
         tjener:~# ldapadd -xZWD 'cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no' \
         >                 -f '/etc/ldap/dns_arpa.ldif'
    2. To migrate Bind's configuration:

      1. There is a utility called zone2ldap provided in the PowerDNS distribution which converts zone files used by BIND to the ldif format. It is broken in Lenny (bug#504061) and currently also in unstable and experimental.
        To use the one from Etch:

        1. Download etch-i386-pdns-backend-ldap.

        2. Unpack it using dpkg or dpkg-deb and replace the faulty /usr/bin/zone2ldap:

           tjener:/tmp# dpkg-deb -x pdns-backend-ldap_2.9.20-8+etch1_i386.deb \
           >                     pdns-backend-ldap_2.9.20
           tjener:/tmp# cp pdns-backend-ldap_2.9.20/usr/bin/zone2ldap /usr/bin/zone2ldap
        3. Apparently PowerDNS in Lenny (2.9.21.2) doesn't understand AFSDB records, and neither does `zone2ldap': when reading an AFSDB record it will quit with an error message.
          To work around this limitation, comment out (with ' ; ') the AFSDB records in the named db.* files; grep -rl AFSDB /etc/bind/* will disclose them.

        4. At last the conversion can be executed:
           tjener:~# zone2ldap --basedn='ou=hosts,dc=skole,dc=skolelinux,dc=no' --layout=tree \
           >                   --named-conf='/etc/bind/debian-edu/named-bind9.conf' --resume \
           >               > /etc/ldap/skole-zone2ldap
      2. Before the data in the new ldif file can be added to the database the "basedn" must be created:
         tjener:~# ldapadd -xZWD 'cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no'
         Enter LDAP Password:
         dn: ou=hosts,dc=skole,dc=skolelinux,dc=no
         objectClass: organizationalUnit
         objectClass: domainRelatedObject
         ou: hosts
         associatedDomain: intern
      3. The format of the ldif file created by zone2ldap is suitable for `ldapmodify':

         tjener:~# ldapmodify -xZWD 'cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no' \
         >                    -f /etc/ldap/skole-zone2ldap
  5. Time to stop bind9 and start pdns and pdns-recursor:

     tjener:~# invoke-rc.d bind9 stop
     tjener:~# invoke-rc.d pdns start
     tjener:~# invoke-rc.d pdns-recursor start
  6. After testing the new PowerDNS setup Bind9 may be disabled/removed/purged.
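The AFSDB workaround from the Bind migration steps above, as an added example that is not part of the original manual: it comments out only lines whose record type is AFSDB, keeps a backup of each changed file, and leaves hosts that are merely named afsdb alone. The function names, the .pre-pdns backup suffix and the sample zone are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the Debian Edu manual).

# afsdb_filter: zone text on stdin -> stdout, AFSDB records prefixed with ';'.
# The record type is the first field after the optional owner, TTL and class,
# so a host *named* afsdb or a CNAME pointing at "afsdb" is left untouched.
afsdb_filter() {
    awk '
        NF == 0 || $1 ~ /^[;$]/ { print; next }   # blank, comment or $directive
        {
            i = ($0 ~ /^[ \t]/) ? 1 : 2           # skip the owner name if present
            while (i <= NF && ($i ~ /^[0-9][0-9smhdwSMHDW]*$/ ||
                               toupper($i) ~ /^(IN|CH|HS)$/))
                i++                               # skip TTL and class
            if (i <= NF && toupper($i) == "AFSDB") print ";" $0
            else print
        }'
}

# comment_afsdb_file FILE: edit FILE in place, keep FILE.pre-pdns as a backup,
# and print how many records were commented out.
comment_afsdb_file() {
    tmp=$(mktemp) || return 1
    afsdb_filter < "$1" > "$tmp" || { rm -f "$tmp"; return 1; }
    n=$(awk 'NR == FNR { a[FNR] = $0; next }
             a[FNR] != $0 { c++ } END { print c + 0 }' "$1" "$tmp")
    if [ "$n" -gt 0 ]; then
        cp -p "$1" "$1.pre-pdns" || { rm -f "$tmp"; return 1; }
        cat "$tmp" > "$1"        # overwrite contents, keeping owner and mode
    fi
    rm -f "$tmp"
    echo "$n"
}

# Constructed sample zone (hypothetical hosts), not taken from a real db.* file.
write_sample_zone() {
    cat > "$1" <<'EOF'
$TTL 3600
@        IN  NS     tjener
@        IN  AFSDB  1 afs.intern.
         3600 IN afsdb 2 afs2.intern.
afsdb    IN  A      10.0.2.9
www      IN  CNAME  afsdb
;old     IN  AFSDB  1 gone.intern.
EOF
}

# Usage: sh comment-afsdb.sh $(grep -rl AFSDB /etc/bind/*)
if [ $# -gt 0 ]; then
    for f in "$@"; do echo "$f: $(comment_afsdb_file "$f") record(s) commented"; done
fi
```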

Generate new indexes

Some new indexes have been added to openldap's configuration. In order to benefit from these you need to regenerate the indexes:

  1. Stop slapd: invoke-rc.d slapd stop

  2. Check syslog or ps output that it has truly stopped.
  3. Run sudo -u openldap slapindex

  4. Start slapd with invoke-rc.d slapd start

Upgrading from nagios2 to nagios3

The nagios3 configuration will already be installed and functional, though the nagios2 configuration won't be functional anymore. If you changed the nagios2 configuration, your changes will be saved in .dpkg-old files, but the changes will not be applied to the nagios3 configuration. So these changes have to be redone manually.

Upgrades from Debian Edu sarge

Please read this chapter completely before you start upgrading your systems.

In case of problems you could also read the release notes for Debian etch. (Debian Edu/Skolelinux "2.0 Terra" installed a 2.6 kernel as default, but if you are running a 2.4 kernel, you should read the notes on upgrading from kernel 2.4 to 2.6 before you upgrade!)

Partitioning scheme changed

The main problem upgrading from the sarge-based release to Terra is that the partition scheme changed completely. The sarge-based release has two volume groups:

But the etch based release has only 1 Volume Group due to internal changes of the Installer.

The main problem is that the vg_system volume group is quite small, since the data in this partition is mostly static. When trying the upgrade on a virtual machine with an 8GB hard drive, the upgrade failed since it was not possible to free more space on vg_system. Please note that you should have about 1,5GB free space on /var and about 600MB free space on /usr. If this is not the case the upgrade will fail because of too little free space on the device.
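A pre-flight check for the free-space requirement above, as an added example that is not part of the original manual. The function name is constructed, the thresholds 1536 MB and 600 MB in the usage comment are this example's reading of "about 1,5GB" and "about 600MB", and requirements are added together when several directories share one filesystem.

```sh
#!/bin/sh
# Added example (not from the Debian Edu manual).

# check_upgrade_space DIR:MB [DIR:MB ...]
# Looks up the filesystem behind each DIR, sums the MB required per
# filesystem and compares the sum with the space available there.
# Prints one line per filesystem that is too small and returns 1 if any is.
check_upgrade_space() {
    for req in "$@"; do
        dir=${req%%:*}
        need=${req##*:}
        # df -P prints one header line, then: device, size, used, available, ...
        df -Pk "$dir" 2>/dev/null | awk -v need="$need" -v dir="$dir" '
            NR == 2 { print $1, $4, need, dir; seen = 1 }
            END     { if (!seen) print "unknown:" dir, 0, need, dir }'
    done | awk '
        { free[$1] = $2; want[$1] += $3 * 1024; dirs[$1] = dirs[$1] " " $4 }
        END {
            for (fs in free)
                if (free[fs] < want[fs]) {
                    printf "%s (%s): %d MB free, %d MB needed\n",
                           fs, substr(dirs[fs], 2), free[fs] / 1024, want[fs] / 1024
                    bad = 1
                }
            exit bad
        }'
}

# Usage before the sarge upgrade (thresholds are this example's assumption):
#   check_upgrade_space /var:1536 /usr:600 || echo "resize before upgrading"
```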

Prepare the system

If you have enough space in the vg_system volumegroup but not in the lv_var partition, you have to resize this partition:

umount /var/spool/squid
umount -fl /var

mount /var/spool/squid
/etc/init.d/squid start

Now modify /etc/apt/sources.list to contain these lines:

deb http://security.debian.org/ etch/updates main
deb http://ftp.skolelinux.org/skolelinux etch local

And start the upgrade with:

aptitude dist-upgrade

Answers to debconf questions arising during upgrade

Here we can give you some hints on what you should answer to the debconf questions during the upgrade. But please note: this upgrade HowTo is based on a very plain, fresh installation of a mainserver + terminalserver.

Exactly which questions come up in addition to the ones described here depends on what is installed on your system in addition to the default of the sarge-based Debian Edu release. So if there are any questions which you don't know how to answer, don't hesitate to ask us on the mailing list (debian-edu@lists.debian.org) or on IRC (irc.oftc.net): #debian-edu.

* Configure nagios-common.

* Configure console-data

* Configure openssh-server

* Configure sysstat

* Configure popularity-contest

* Configure libnss-ldap

  1. Change the prompt to: ldaps://ldap/

  2. Change the prompt to: dc=skole,dc=skolelinux,dc=no

  3. Use ldapversion 3 here

* Upgrade glibc now. Answer "yes".

* Restart Services. Answer "yes".

These are the debconf questions you will see if you have no additional packages installed.

Now the upgrade process will start to upgrade the packages.

Please note: You will be asked several times if you want to keep your old modified version of a configfile or if you want to get the latest. The default is to keep your modified one. Unless you really have modified something, please always choose: "Install the latest one".

The upgrade will fail with this error message:

Errors were encountered while processing:

E: Sub-process /usr/bin/dpkg returned an error code (1)

To fix this you have to edit these two files: /var/lib/dpkg/info/mozilla-firefox-locale-it.postrm and /var/lib/dpkg/info/mozilla-firefox-local-el.postrm and comment out in both the line containing: update-mozilla-firefox-chrome. Then restart the upgrade process with:

apt-get -f install

Now the upgrade continues:

* Several Modified configuration files (nagios)

Then the installation fails another time:

Errors were encountered while processing:

E: Sub-process /usr/bin/dpkg returned an error code (1)

In order to fix this, rename this directory: /var/backups/dc=skole,dc=skolelinux,dc=no-2.2.23-8.ldapdb. Since openldap now runs as user openldap (instead of as root), the permissions of the configuration files also have to be changed:

chown -R openldap:openldap /etc/ldap/
apt-get -f install

Then the installation should finish without an error. Since many packages are still not upgraded, please restart the dist-upgrade process with:

aptitude dist-upgrade

The next error that comes up is this one:

Errors were encountered while processing:

E: Sub-process /usr/bin/dpkg returned an error code (1)

Please remove the package: courier-ldap with

aptitude remove courier-ldap

and wait until it is finished. Then restart the dist-upgrade process again.

If you have only the default packages installed the upgrade process should now finish without raising more errors.

Problem upgrading bind

The only remaining upgrade issue is that the user of bind9 has changed, so you'll have to chown all bind-configuration files.

chown bind:root -R /etc/bind 

See #386791 for more information.

Samba groupmaps handling changed

There has been a change in how samba handles groupmaps between sarge and etch. Samba in sarge handled groupmaps internally, so a unix group was also a samba group. In etch samba keeps groupmap information in the LDAP database. Unfortunately this issue was discovered too late for our LDAP admin tool "lwat" to be aware of the situation.

When you upgrade your LDAP from a sarge installation, you must make sure to create the Domain Admins account, necessary for correct samba domain operation. Create the Domain Admins account with the command:

/usr/bin/net groupmap add rid=512 unixgroup=admins \
             type=domain ntgroup="Domain Admins" \
             comment="All system administrators in the school"

If you want your Windows computers to be aware of what groups users are in, you must create the groupmaps in LDAP manually; this is explained in more detail in the HowTo/NetworkClients chapter of this manual.

Upgrades from older Debian Edu / Skolelinux installations

Upgrades from the woody based Debian Edu / Skolelinux installation are not supported. Upgrade to the sarge based version first; a howto can be found at http://wiki.debian.org/DebianEdu/HowTo/UpgradeFrom1.0. Then upgrade to Terra (etch-based release).
