<p>DuckCorp Projects, https://projects.duckcorp.org/, 2017-06-20T12:17:13Z</p>
<p>DuckCorp Infrastructure - Enhancement #552: Upgrade to Debian Stretch</p>
<p>Marc Dequènes (duck@duckcorp.org), 2017-06-20T12:17:13Z, https://projects.duckcorp.org/issues/552?journal_id=1252</p>
<p>We should consider switching to <em>UsePrivilegeSeparation sandbox</em> for SSH; it does not seem to be Ansibilized yet.</p>
<p>Marc Dequènes (duck@duckcorp.org), 2017-06-20T12:29:04Z, https://projects.duckcorp.org/issues/552?journal_id=1253</p>
<p><em>/etc/fail2ban/jail.conf</em> should be managed more completely. It is possible to split it. Work underway around Elwing.</p>
<p>Marc Dequènes (duck@duckcorp.org), 2017-06-21T12:27:38Z, https://projects.duckcorp.org/issues/552?journal_id=1256</p>
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>In Progress</i></li></ul><p>Even if we upgraded quite regularly, one last upgrade on Jessie is needed to catch the new <em>debian-archive-keyring</em> package version and get the Stretch key because it was updated quite late.</p>
<p>Marc Dequènes (duck@duckcorp.org), 2017-06-21T18:31:42Z, https://projects.duckcorp.org/issues/552?journal_id=1258</p>
<p>The SSH config should be managed by Ansible completely. Here are the warnings:<br /><pre>
/etc/ssh/sshd_config line 13: Deprecated option KeyRegenerationInterval
/etc/ssh/sshd_config line 14: Deprecated option ServerKeyBits
/etc/ssh/sshd_config line 25: Deprecated option UseLogin
/etc/ssh/sshd_config line 34: Deprecated option RSAAuthentication
/etc/ssh/sshd_config line 36: Deprecated option RhostsRSAAuthentication
</pre></p>
<p>Marc Dequènes (duck@duckcorp.org), 2017-06-21T18:58:25Z, https://projects.duckcorp.org/issues/552?journal_id=1260</p>
<p>Postfix changes would be needed but we can do that afterwards:<br /><pre>
postfix: Postfix is running with backwards-compatible default settings
postfix: See http://www.postfix.org/COMPATIBILITY_README.html for details
postfix: To disable backwards compatibility use "postconf compatibility_level=2" and "postfix reload"
</pre></p>
<p>Marc Dequènes (duck@duckcorp.org), 2017-06-22T05:17:53Z, https://projects.duckcorp.org/issues/552?journal_id=1262</p>
<p><em>apt-file --non-interactive update</em> does not work anymore as this option was removed, using <em>apt update</em> instead.<br />(should be Ansibilized one day too)</p>
<p>Changed to <em>apt-get update</em> because:<br /><pre>
WARNING: apt does not have a stable CLI interface. Use with caution in scripts.
</pre></p>
<p>Marc Dequènes (duck@duckcorp.org), 2017-06-25T10:15:21Z, https://projects.duckcorp.org/issues/552?journal_id=1279</p>
<p>As for fail2ban, the configuration changed a bit; the list of jails is different. Previously the configuration was manual and only the whitelist was updated by the <em>dc-base</em> role. So I was forced to look into merging the configuration and that was utterly boring. So I decided to push things further and do something more satisfying: I created a role for fail2ban. As we have no reason to keep an old Debian, this role is then Stretch-only, and integration has been made into the migration branch.</p>
<p>Marc Dequènes (duck@duckcorp.org), 2017-06-25T10:21:50Z, https://projects.duckcorp.org/issues/552?journal_id=1280</p>
<ul><li><strong>File</strong> <a href="/attachments/84">dialog-warning.png</a> added</li><li><strong>Description</strong> updated (<a title="View differences" href="/journals/1280/diff?detail_id=1528">diff</a>)</li><li><strong>Branch</strong> set to <i>debian_upgrade_stretch</i></li></ul>
<p>Marc Dequènes (duck@duckcorp.org), 2017-06-25T10:24:15Z, https://projects.duckcorp.org/issues/552?journal_id=1281</p>
<ul><li><strong>Related to</strong> <i><a class="issue tracker-8 status-3 priority-4 priority-default closed" href="/issues/570">Review #570</a>: Please review Fail2ban role</i> added</li></ul>
<p>Marc Dequènes (duck@duckcorp.org), 2017-07-13T08:07:32Z, https://projects.duckcorp.org/issues/552?journal_id=1320</p>
<p>phpsysinfo is not in Stretch: <a class="external" href="https://tracker.debian.org/news/832561">https://tracker.debian.org/news/832561</a><br />Also, it is really useless as we have better means to gather information using supervision and Ansible inventory, so removing globally.</p>
<p>Marc Dequènes (duck@duckcorp.org), 2017-07-20T04:43:18Z, https://projects.duckcorp.org/issues/552?journal_id=1373</p>
<ul><li><strong>Assignee</strong> changed from <i>DC Admins</i> to <i>Marc Dequènes</i></li></ul>
<p>Marc Dequènes (duck@duckcorp.org), 2017-07-20T07:48:46Z, https://projects.duckcorp.org/issues/552?journal_id=1387</p>
<ul><li><strong>Status</strong> changed from <i>In Progress</i> to <i>Resolved</i></li></ul>