Enhancement #552: Upgrade to Debian Stretch
Upgrade Elwing to Debian Stretch
#3 Updated by Marc Dequènes almost 2 years ago
fail2ban config split so the main file is now the package default. Plan to add this in Ansible.
As for opendnssec the procedure is:
- systemctl stop opendnssec-signer.service
- systemctl stop opendnssec-enforcer.service
- cp /var/lib/opendnssec/db/kasp.db /var/lib/opendnssec/db/kasp.db.jessie
- cat /usr/share/opendnssec/migrate_1_4_8.sqlite3 | sqlite3 /var/lib/opendnssec/db/kasp.db
- cd /usr/share/opendnssec/
- ./convert_sqlite -i /var/lib/opendnssec/db/kasp.db -o /var/lib/opendnssec/db/kasp2.db
- mv /var/lib/opendnssec/db/kasp2.db /var/lib/opendnssec/db/kasp.db
- chown opendnssec: /var/lib/opendnssec/db/kasp.db
- cp /etc/opendnssec/zonelist.xml /var/lib/opendnssec/enforcer/zones.xml
- chown opendnssec: /var/lib/opendnssec/enforcer/zones.xml
- systemctl start opendnssec-signer.service
- systemctl start opendnssec-enforcer.service
#4 Updated by Marc Dequènes almost 2 years ago
Fixed cups TLS config. Now /etc/cups/ssl has to contain symlinks named after the canonical host and the directives were replaced by one giving only the directory.
Fixed smokeping JS path in /etc/smokeping/basepage.html.
clamav-daemon fails to load because some bytecodes do not pass the paranoid security validation:
LibClamAV Warning: [Bytecode JIT] in function bc12f2: Verification found errors!
BytecodeSecurity TrustSigned allows the daemon to start. No one seems to care about making this work on the Internet… so not sure what to do.
#5 Updated by Marc Dequènes almost 2 years ago
- % Done changed from 0 to 90
Workaround for clamav-daemon/BytecodeSecurity done.
It leaves the backlight problem which should be detected somehow by systemd, but that's minor.
There is also the networking service in failed state but working. Leaving this ticket open to investigate.
#6 Updated by Marc Dequènes almost 2 years ago
So I forgot to upgrade softhsm to version 2. It worked as long as the old packages were still installed.
So there are a few bugs (Debian#863989, Debian#836886) and the tool was not very clear in its error message. Also I saw nowhere that you needed to create a slot before migrating (why it is not created automatically is beyond my comprehension). So the steps are here (see /etc/opendnssec/conf.xml for the PIN):
mkdir /var/lib/softhsm/tokens
chgrp softhsm /var/lib/softhsm/tokens
chmod g+rwx /var/lib/softhsm/tokens
softhsm2-util --init-token --slot 0 --label OpenDNSSEC
softhsm2-migrate --db /var/lib/softhsm/slot0.db --token OpenDNSSEC --pin <PIN>
A directory is then created in /var/lib/softhsm/tokens/, which I would call <opendnssec-token>.
setfacl -m d:user:opendnssec:rx <opendnssec-token>
setfacl -m user:opendnssec:rwX -R <opendnssec-token>
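
A way to check the token store left by the steps in update #6, as an added example that is not part of the original ticket or of SoftHSM. The function names are hypothetical, and the rule that nothing under the token directory should be accessible to "other" is an assumption of this example, not something the ticket states.

```shell
#!/bin/sh
# Added example: audit a SoftHSM v2 token store after the migration.
# The default path and the "softhsm" group come from the ticket; the rule
# that nothing may be accessible to "other" is this example's assumption.

# List paths under $1 that grant any r/w/x bit to "other".
# Exit status: 0 clean, 1 exposed paths found, 2 not a directory.
world_accessible() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 2; }
    wa_found=$(find "$1" \( -perm -004 -o -perm -002 -o -perm -001 \) -print)
    if [ -n "$wa_found" ]; then
        printf '%s\n' "$wa_found"
        return 1
    fi
    return 0
}

# Succeed only if directory $1 itself (not its contents) has group $2,
# matching the non-recursive chgrp in the ticket.
dir_group_is() {
    [ -d "$1" ] || return 2
    [ -n "$(find "$1" -prune -group "$2" -print)" ]
}

# Run both checks, print a labelled report, return non-zero on any finding.
audit_token_store() {
    ts_dir=${1:-/var/lib/softhsm/tokens}
    ts_group=${2:-softhsm}
    ts_rc=0
    if ! ts_out=$(world_accessible "$ts_dir"); then
        ts_rc=1
        printf 'accessible to others:\n%s\n' "$ts_out"
    fi
    if ! dir_group_is "$ts_dir" "$ts_group"; then
        ts_rc=1
        printf 'group of %s is not %s\n' "$ts_dir" "$ts_group"
    fi
    return "$ts_rc"
}
```

Run as root with `audit_token_store` (no arguments) to check /var/lib/softhsm/tokens against the softhsm group; the ACL entries for opendnssec are not inspected here and can be reviewed with getfacl.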
#8 Updated by Marc Dequènes almost 2 years ago
Details on the networking problem:
Jul 20 16:12:21 Elwing systemd: Starting Raise network interfaces...
Jul 20 16:12:26 Elwing ifup: Waiting for DAD... Done
Jul 20 16:12:27 Elwing ifup: RTNETLINK answers: Invalid argument
Jul 20 16:12:27 Elwing ifup: ifup: failed to bring up vlan255
Jul 20 16:12:32 Elwing ifup: Waiting for DAD... Done
Jul 20 16:12:32 Elwing ifup: ifup: waiting for lock on /run/network/ifstate.eth-wan
Jul 20 16:12:36 Elwing systemd: networking.service: Main process exited, code=exited, status=1/FAILURE
Jul 20 16:12:36 Elwing systemd: Failed to start Raise network interfaces.
Jul 20 16:12:36 Elwing systemd: networking.service: Unit entered failed state.
Jul 20 16:12:36 Elwing systemd: networking.service: Failed with result 'exit-code'.