Enhancement #559

closed

Enhancement #552: Upgrade to Debian Stretch

Upgrade Elwing to Debian Stretch

Added by Marc Dequènes over 7 years ago. Updated over 7 years ago.

Status: Resolved
Priority: Normal
Category: -
Start date: 2017-06-19
Due date:
% Done: 100%
Estimated time:
Patch Available:
Confirmed: No
Branch:
Entity: DuckCorp
Security:
Help Needed:

Actions #1

Updated by Marc Dequènes over 7 years ago

  • Status changed from New to In Progress
  • Assignee set to Marc Dequènes

WIP, one of the major changes, also preparing for the future upgrade of Orfeo, is opendnssec.

Actions #2

Updated by Marc Dequènes over 7 years ago

TODO:
  • migrate opendnssec
  • update /etc/fail2ban/jail.conf
Actions #3

Updated by Marc Dequènes over 7 years ago

fail2ban config split so the main file is now the package default. Plan to add this in Ansible.

As for opendnssec the procedure is:
  • systemctl stop opendnssec-signer.service
  • systemctl stop opendnssec-enforcer.service
  • cp /var/lib/opendnssec/db/kasp.db /var/lib/opendnssec/db/kasp.db.jessie
  • cat /usr/share/opendnssec/migrate_1_4_8.sqlite3 | sqlite3 /var/lib/opendnssec/db/kasp.db
  • cd /usr/share/opendnssec/
  • ./convert_sqlite -i /var/lib/opendnssec/db/kasp.db -o /var/lib/opendnssec/db/kasp2.db
  • mv /var/lib/opendnssec/db/kasp2.db /var/lib/opendnssec/db/kasp.db
  • chown opendnssec: /var/lib/opendnssec/db/kasp.db
  • cp /etc/opendnssec/zonelist.xml /var/lib/opendnssec/enforcer/zones.xml
  • chown opendnssec: /var/lib/opendnssec/enforcer/zones.xml
  • systemctl start opendnssec-signer.service
  • systemctl start opendnssec-enforcer.service
Actions #4

Updated by Marc Dequènes over 7 years ago

Fixed cups TLS config. Now /etc/cups/ssl has to contain symlinks named after the canonical host and the directives were replaced by one giving only the directory.

Fixed smokeping JS path in /etc/smokeping/basepage.html.

clamav-daemon fails to load because some bytecodes do not pass the paranoid security validation:

LibClamAV Warning: [Bytecode JIT] in function bc12f2: Verification found errors!

Downgrading to BytecodeSecurity TrustSigned allows the daemon to start. No one seems to care about making this work on the Internet… so not sure what to do.

Actions #5

Updated by Marc Dequènes over 7 years ago

  • % Done changed from 0 to 90

Workaround for clamav-daemon/BytecodeSecurity done.

It leaves the backlight problem which should be detected somehow by systemd, but that's minor.

There is also the networking service in failed state but working. Leaving this ticket open to investigate.

Actions #6

Updated by Marc Dequènes over 7 years ago

So I forgot to upgrade softhsm to version 2. It worked as long as the old packages were still installed.

So there are a few bugs (Debian#863989, Debian#836886) and the tool was not very clear in its error message. Also I saw nowhere you needed to create a slot before migrating (why it is not created automatically is beyond my comprehension). So the steps are here (see /etc/opendnssec/conf.xml for the PIN):

mkdir /var/lib/softhsm/tokens
chgrp softhsm /var/lib/softhsm/tokens
chmod g+rwx /var/lib/softhsm/tokens
softhsm2-util --init-token --slot 0 --label OpenDNSSEC
softhsm2-migrate --db /var/lib/softhsm/slot0.db --token OpenDNSSEC --pin <PIN>

A directory is then created in /var/lib/softhsm/tokens/, which I would call <opendnssec-token>.
setfacl -m d:user:opendnssec:rx <opendnssec-token>
setfacl -m user:opendnssec:rwX -R <opendnssec-token>
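
The token directory set up in the comment above holds the DNSSEC signing keys, so its permissions are worth checking after the migration. The following is an added example, not part of the ticket or of DuckCorp's tooling: a POSIX shell audit that reports entries readable, writable or traversable by "other" and entries with an unexpected group. The function names are hypothetical, and the ACL entries added with setfacl are not evaluated.

```shell
#!/bin/sh
# Added example: permission audit for a SoftHSM2 token store.
# Function names are hypothetical; only mode bits and group ownership are
# inspected, POSIX ACL entries (setfacl) are not evaluated here.

# List entries under $1 that grant any read/write/execute bit to "other".
world_accessible() {
    find "$1" \( -perm -001 -o -perm -002 -o -perm -004 \) -print
}

# List entries under $1 whose group is not $2.
wrong_group() {
    find "$1" ! -group "$2" -print
}

# audit_token_store DIR GROUP
# Prints one finding per line. Returns 0 if clean, 1 on findings,
# 2 if DIR does not exist.
audit_token_store() {
    dir=$1
    group=$2
    if [ ! -d "$dir" ]; then
        echo "missing: $dir" >&2
        return 2
    fi
    findings=$(
        world_accessible "$dir" | sed 's/^/other-accessible: /'
        wrong_group "$dir" "$group" | sed 's/^/unexpected group: /'
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}
```

With the path and group used in the commands above, the call would be `audit_token_store /var/lib/softhsm/tokens softhsm`; whether every entry is expected to carry that group is an assumption of this example.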

Actions #7

Updated by Marc Dequènes over 7 years ago

The backlight problem is tracked in Debian#824898.

Actions #8

Updated by Marc Dequènes over 7 years ago

Details on the networking problem:

Jul 20 16:12:21 Elwing systemd[1]: Starting Raise network interfaces...
Jul 20 16:12:26 Elwing ifup[1054]: Waiting for DAD... Done
Jul 20 16:12:27 Elwing ifup[1054]: RTNETLINK answers: Invalid argument
Jul 20 16:12:27 Elwing ifup[1054]: ifup: failed to bring up vlan255
Jul 20 16:12:32 Elwing ifup[1054]: Waiting for DAD... Done
Jul 20 16:12:32 Elwing ifup[1054]: ifup: waiting for lock on /run/network/ifstate.eth-wan
Jul 20 16:12:36 Elwing systemd[1]: networking.service: Main process exited, code=exited, status=1/FAILURE
Jul 20 16:12:36 Elwing systemd[1]: Failed to start Raise network interfaces.
Jul 20 16:12:36 Elwing systemd[1]: networking.service: Unit entered failed state.
Jul 20 16:12:36 Elwing systemd[1]: networking.service: Failed with result 'exit-code'.

Actions #9

Updated by Marc Dequènes over 7 years ago

So this is an iproute-related problem which was fixed in our Ansible rules in commit 5323bb0.

It seems there are still some race conditions, but that's outside this BR.

Actions #10

Updated by Marc Dequènes over 7 years ago

  • Status changed from In Progress to Resolved
  • % Done changed from 90 to 100