DuckCorp » DuckCorp Infrastructure

h1. OS Upgrade

This is a list of steps as guidelines for OS upgrades.

* create a temporary _group_vars/<new-suite>/system.yml_ in a git branch:

<pre>

---

system:

  distribution:

    debian:

      codename: bullseye

    dc:

      codename: bullseye

</pre>

* (I often choose Elwing first) ansible-playbook --diff -l Elwing -t apt playbooks/common.yml | tee /tmp/dc.log

* apt upgrade

* apt full-upgrade (check if removed packages are problematic)

** accept new version of:

*** /etc/services and copy-paste content of _local services_ from _/etc/services.dpkg-old_ to avoid having to redeploy all services

*** /etc/grub.d/10_linux but see warning below

*** /etc/ssh/ssh_config (we use ssh_config.d in Ansible now) BUT NOT sshd_config!

** do not accept new versions for:

*** /etc/smartd.conf

*** /etc/snmp/snmp.conf

*** /etc/oidentd.conf

*** /etc/sudoers

*** /etc/rsyslog.conf

*** /etc/apt-cacher-ng/acng.conf

*** /etc/zabbix/*

*** /etc/logrotate.d/*

** check the diff manually for other files

* if PHP FPM: (to avoid having to redeploy all vhosts) (example for PHP 7.3->7.4)

** rm /etc/php/7.4/fpm/pool.d/www.conf

** cp /etc/php/7.3/fpm/pool.d/* /etc/php/7.4/fpm/pool.d/

** sed -i 's/7\.3/7.4/g' /etc/php/7.4/fpm/pool.d/*

** systemctl restart php7.4-fpm.service

** run common web playbook _playbooks/tenants/duckcorp/web.yml_ with _-t web-common_

* apt purge libpython2.7-minimal

* run the _playbooks/common.yml_ playbook with _--skip-tags monitoring_ (until a recent zabbix-cli is packaged)

It is critical that the common playbook is run successfully before rebooting. Especially _/etc/grub.d/10_linux_ must contain the _--unrestricted_ option and the GRUB config must be regenerated or the server will block at the GRUB screen waiting for a login.