Enhancement #552

Upgrade to Debian Stretch

Added by Marc Dequènes about 2 years ago. Updated about 2 years ago.

Status: Resolved
Priority: Normal
Category: -
Start date: 2017-06-19
Due date:
% Done: 100%
Estimated time: (Total: 0.00 h)
Patch Available:
Confirmed: No
Branch: debian_upgrade_stretch
Entity: DuckCorp
Security:
Help Needed:

Description

Please use the migration branch for all hosts being migrated to Stretch and master for Jessie hosts.

Let's begin with the simplest machines. I suggest this order:
  • Elwing, Korutopi, Nicecity
  • Jinta, Thorfinn
  • Toushirou, Orfeo

When we take care of a machine we take ownership of the corresponding sub-ticket. We can then note progress, bugs…


Files

dialog-warning.png (1.36 KB), Marc Dequènes, 2017-06-25 12:20

Subtasks

Enhancement #553: Upgrade Orfeo to Debian Stretch (Resolved, Marc Dequènes)
Enhancement #554: Upgrade Toushirou to Debian Stretch (Resolved, Marc Dequènes)
Enhancement #555: Upgrade Thorfinn to Debian Stretch (Resolved, Marc Dequènes)
Enhancement #556: Upgrade Jinta to Debian Stretch (Resolved, Marc Dequènes)
Enhancement #557: Upgrade Korutopi to Debian Stretch (Resolved, Marc Dequènes)
Enhancement #558: Upgrade Nicecity to Debian Stretch (Resolved, Marc Dequènes)
Enhancement #559: Upgrade Elwing to Debian Stretch (Resolved, Marc Dequènes)

Related issues

Related to DuckCorp Infrastructure - Review #570: Please review Fail2ban role (Resolved, 2017-06-25)

History

#1

Updated by Marc Dequènes about 2 years ago

We should consider switching to UsePrivilegeSeparation sandbox for SSH; it does not seem to be Ansibilized yet.

#2

Updated by Marc Dequènes about 2 years ago

/etc/fail2ban/jail.conf should be managed more completely. It is possible to split it. Work underway around Elwing.

#3

Updated by Marc Dequènes about 2 years ago

  • Status changed from New to In Progress

Even if we upgraded quite regularly, one last upgrade on Jessie is needed to catch the new debian-archive-keyring package version and get the Stretch key because it was updated quite late.

#4

Updated by Marc Dequènes about 2 years ago

The SSH config should be managed by Ansible completely. Here are the warnings:

/etc/ssh/sshd_config line 13: Deprecated option KeyRegenerationInterval
/etc/ssh/sshd_config line 14: Deprecated option ServerKeyBits
/etc/ssh/sshd_config line 25: Deprecated option UseLogin
/etc/ssh/sshd_config line 34: Deprecated option RSAAuthentication
/etc/ssh/sshd_config line 36: Deprecated option RhostsRSAAuthentication
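
The five directives named in the warnings above can be found and commented out before the file is handed over to configuration management. The following is an added example, not part of the ticket or of DuckCorp's Ansible roles; the function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Keywords taken from the sshd warnings quoted in the ticket.
DEPRECATED="KeyRegenerationInterval ServerKeyBits UseLogin RSAAuthentication RhostsRSAAuthentication"

# Constructed sample input (not a real host's configuration).
sample_config() {
    cat <<'EOF'
Port 22
# UseLogin no
KeyRegenerationInterval 3600
serverkeybits=1024
    UseLogin no
PermitRootLogin no
RSAAuthentication yes
RhostsRSAAuthentication no
PubkeyAuthentication yes
EOF
}

# audit_sshd MODE FILE
#   MODE=list  -> print "LINE:Keyword" for each active deprecated directive
#   MODE=strip -> print FILE with those directives commented out
# sshd keywords are case-insensitive and may be followed by blanks or "=".
audit_sshd() {
    awk -v mode="$1" -v list="$DEPRECATED" '
        BEGIN {
            n = split(list, names, " ")
            for (i = 1; i <= n; i++) canon[tolower(names[i])] = names[i]
        }
        {
            key = $0
            sub(/^[ \t]+/, "", key)      # drop indentation
            sub(/[ \t=].*$/, "", key)    # keep the keyword only
            key = tolower(key)
            hit = (key in canon)         # comment lines yield "#...", never a hit
            if (mode == "list") {
                if (hit) printf "%d:%s\n", NR, canon[key]
            } else if (hit) {
                print "# deprecated, removed: " $0
            } else {
                print
            }
        }
    ' "$2"
}
# Usage: audit_sshd list /etc/ssh/sshd_config
```

Write the `strip` output to a separate file and check it with `sshd -t -f` on that file before replacing the live configuration.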

#5

Updated by Marc Dequènes about 2 years ago

Postfix changes would be needed but we can do that afterwards:

postfix: Postfix is running with backwards-compatible default settings
postfix: See http://www.postfix.org/COMPATIBILITY_README.html for details
postfix: To disable backwards compatibility use "postconf compatibility_level=2" and "postfix reload" 

#6

Updated by Marc Dequènes about 2 years ago

apt-file --non-interactive update does not work anymore as this option was removed, using apt update instead.
(should be Ansibilized one day too)

Changed to apt-get update because:

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

#7

Updated by Marc Dequènes about 2 years ago

As for fail2ban, the configuration changed a bit, the list of jails is different. Previously the configuration was manual and only the whitelist was updated by the dc-base role. So I was forced to look into merging the configuration and that was utterly boring. So I decided to push things further and do something more satisfying: I created a role for fail2ban. As we have no reason to keep an old Debian, this role is then Stretch-only, and integration has been made into the migration branch.

#8

Updated by Marc Dequènes about 2 years ago

#9

Updated by Marc Dequènes about 2 years ago

  • Related to Review #570: Please review Fail2ban role added

#10

Updated by Marc Dequènes about 2 years ago

phpsysinfo is not in Stretch: https://tracker.debian.org/news/832561
Also, it is really useless as we have better means to gather information using supervision and Ansible inventory, so removing globally.

#11

Updated by Marc Dequènes about 2 years ago

  • Assignee changed from DC Admins to Marc Dequènes

#12

Updated by Marc Dequènes about 2 years ago

  • Status changed from In Progress to Resolved
