Upgrade to Debian Strech
Please use the migration branch for all hosts being migrated to Stretch and master for Jessie hosts¶Let's begin with the simplest machines. I suggest this order:
- Elwing, Korutopi, Nicecity
- Jinta, Thorfinn
- Toushirou, Orfeo
When we take care of a machine we take ownership of the corresponding sub-ticket. We can then note progress, bugs…
#4 Updated by Marc Dequènes almost 2 years ago
The SSH config should be managed by Ansible completely. Here are the warnings:
/etc/ssh/sshd_config line 13: Deprecated option KeyRegenerationInterval /etc/ssh/sshd_config line 14: Deprecated option ServerKeyBits /etc/ssh/sshd_config line 25: Deprecated option UseLogin /etc/ssh/sshd_config line 34: Deprecated option RSAAuthentication /etc/ssh/sshd_config line 36: Deprecated option RhostsRSAAuthentication
#5 Updated by Marc Dequènes almost 2 years ago
Postfix changes would be needed but we can do that afterwards:
postfix: Postfix is running with backwards-compatible default settings postfix: See http://www.postfix.org/COMPATIBILITY_README.html for details postfix: To disable backwards compatibility use "postconf compatibility_level=2" and "postfix reload"
#6 Updated by Marc Dequènes almost 2 years ago
apt-file --non-interactive update does not work anymore as this option was removed, using apt update instead.
(should be Ansibilized one day too)
Changed to apt-get update because:
WARNING: apt does not have a stable CLI interface. Use with caution in scripts.
#7 Updated by Marc Dequènes almost 2 years ago
As for fail2ban, the configuration changed a bit, the list of jails is different. Previously the configuration was manual and only the whitelist was updated by the dc-base role. So I was forced to look into merging the configuration and that was utterly boring. So I decided to push things further and do something more satisfying: I created a role for fail2ban. As we have no reason to keep an old Debian, this role is then Stretch-only, and integration has been made into the migration branch.