Project

General

Profile

Enhancement #559

Enhancement #552: Upgrade to Debian Strech

Upgrade Elwing to Debian Strech

Added by Marc Dequènes almost 2 years ago. Updated almost 2 years ago.

Status:
Resolved
Priority:
Normal
Category:
-
Start date:
2017-06-19
Due date:
% Done:

100%

Patch Available:
Confirmed:
No
Branch:
Entity:
DuckCorp
Security:
Help Needed:

History

#1 Updated by Marc Dequènes almost 2 years ago

  • Status changed from New to In Progress
  • Assignee set to Marc Dequènes

WIP, one of the major change, also preparing for the future upgrade of Orfeo, is opendnssec.

#2 Updated by Marc Dequènes almost 2 years ago

TODO:
  • migrate opendnssec
  • update /etc/fail2ban/jail.conf

#3 Updated by Marc Dequènes almost 2 years ago

fail2ban config split so the main file is now the package default. Plan to add this in Ansible.

As for opendnssec the procedure is:
  • systemctl stop opendnssec-signer.service
  • systemctl stop opendnssec-enforcer.service
  • cp /var/lib/opendnssec/db/kasp.db /var/lib/opendnssec/db/kasp.db.jessie
  • cat /usr/share/opendnssec/migrate_1_4_8.sqlite3 | sqlite3 /var/lib/opendnssec/db/kasp.db
  • cd /usr/share/opendnssec/
  • ./convert_sqlite -i /var/lib/opendnssec/db/kasp.db -o /var/lib/opendnssec/db/kasp2.db
  • mv /var/lib/opendnssec/db/kasp2.db /var/lib/opendnssec/db/kasp.db
  • chown opendnssec: /var/lib/opendnssec/db/kasp.db
  • cp /etc/opendnssec/zonelist.xml /var/lib/opendnssec/enforcer/zones.xml
  • chown opendnssec: /var/lib/opendnssec/enforcer/zones.xml
  • systemctl start opendnssec-signer.service
  • systemctl start opendnssec-enforcer.service

#4 Updated by Marc Dequènes almost 2 years ago

Fixed cups TLS config. Now /etc/cups/ssl has to contain symlinks named after the canonical host and the directives were replaced by one giving only the directory.

Fixed smokeping JS path in /etc/smokeping/basepage.html.

clamav-daemon fails to load because some bytecode do not pass the paranoid security validation:

LibClamAV Warning: [Bytecode JIT] in function bc12f2: Verification found errors!

Downgrading to BytecodeSecurity TrustSigned allows the daemon to start. No one seem to care about making this work on the Internet… so not sure what to do.

#5 Updated by Marc Dequènes almost 2 years ago

  • % Done changed from 0 to 90

Workaround for clamav-daemon/BytecodeSecurity done.

It leaves the backlight problem which should be detected somehow by systemd, but that's minor.

There is also the networking service in failed state but working. Leaving this ticket open to investigate.

#6 Updated by Marc Dequènes almost 2 years ago

So I forgot to upgrade softhsm to version 2. It worked as long as the old packages where still installed.

So there are a few bugs (Debian#863989, Debian#836886) and the tool was not very clear in it error message. Also I saw nowhere you needed to create a slot before migrating (why is it not created automatically is beyond my comprehension). So the steps are here (see /etc/opendnssec/conf.xml for the PIN):

mkdir /var/lib/softhsm/tokens
chgrp softhsm /var/lib/softhsm/tokens
chmod g+rwx /var/lib/softhsm/tokens
softhsm2-util --init-token --slot 0 --label OpenDNSSEC
softhsm2-migrate --db /var/lib/softhsm/slot0.db --token OpenDNSSEC --pin <PIN>

A directory is then create in /var/lib/softhsm/tokens/ I would call <opendnssec-token>.
setfacl -m d:user:opendnssec:rx <opendnssec-token>
setfacl -m user:opendnssec:rwX -R <opendnssec-token>

#7 Updated by Marc Dequènes almost 2 years ago

The backlight pronlem is tracked in Debian#824898.

#8 Updated by Marc Dequènes almost 2 years ago

Details on the networking problem:

Jul 20 16:12:21 Elwing systemd[1]: Starting Raise network interfaces...
Jul 20 16:12:26 Elwing ifup[1054]: Waiting for DAD... Done
Jul 20 16:12:27 Elwing ifup[1054]: RTNETLINK answers: Invalid argument
Jul 20 16:12:27 Elwing ifup[1054]: ifup: failed to bring up vlan255
Jul 20 16:12:32 Elwing ifup[1054]: Waiting for DAD... Done
Jul 20 16:12:32 Elwing ifup[1054]: ifup: waiting for lock on /run/network/ifstate.eth-wan
Jul 20 16:12:36 Elwing systemd[1]: networking.service: Main process exited, code=exited, status=1/FAILURE
Jul 20 16:12:36 Elwing systemd[1]: Failed to start Raise network interfaces.
Jul 20 16:12:36 Elwing systemd[1]: networking.service: Unit entered failed state.
Jul 20 16:12:36 Elwing systemd[1]: networking.service: Failed with result 'exit-code'.

#9 Updated by Marc Dequènes almost 2 years ago

So this is an iproute-related problem which was fixed in our Ansible rules in commit 5323bb0.

It seems there is still some race conditions, but that's outside this BR.

#10 Updated by Marc Dequènes almost 2 years ago

  • Status changed from In Progress to Resolved
  • % Done changed from 90 to 100

Also available in: Atom PDF