User:MathiasMahnke/Debian Bookworm 2024

From Opennet

Status: In progress.

Debian Bookworm upgrade status of the Opennet servers - Debian release from 06/2023.

Status

Virtualization servers:

Gateway servers:

Service servers:

  • Server/amano - -- Note: stop cron before the update (CA jobs)
  • Server/crimson - Debian Wheezy -- mail server + wiki
  • Server/goat - Done, 2023/12/30 -- Note: Buildbot Web installed via pip
  • Server/haruka - currently not Debian / RouterOS
  • Server/heartofgold - Debian Wheezy -- DNS hidden primary
  • Server/hikaru - Done, 2024/01/01 -- Note: python(3)-mysql / mysql vs. mariadb / old mediawiki modules / /var/log/mediawiki? // Ansible Hugo submodule error
  • Server/hoshino - Done, 2023/12/31
  • Server/howmei - In progress, 2024/01/03 -- Note: not all mesh participants reachable via IPv6.
  • Server/inez - -- Note: rsnapshot not in Bullseye / installed via upstream DEB
  • Server/izumi - Done, 2024/01/02, open: installation of DNS primary -- Note: Opennet service discovery additionally via CA certificate
  • Server/jun - -- Note: slt not in Buster
  • Server/kazama - open: eth1 WAN NIC DHCP -- Note: wireguard installation not completed?
  • Server/kinjo -
  • Server/maki - In progress, 2024/01/03; open: check rsnapshot.conf for Debian / align Ansible
  • Server/nagare - Debian Buster -- Note: moinmoin requires Python 2
  • Server/ruri - Done, 2024/01/02
  • Server/tenkawa - Done, 2024/01/02, open: rsync error? -- Note: Freifunk media mirror /var/log/rsyncd.log without logrotate (since 2018)
  • Server/yurika - Done, 2023/12/29 -- Note: SmokePing startup workaround (since 2023)

Other servers

Upgrade

Beforehand: run Ansible.

Procedure:

screen
cat /etc/debian_version
apt update && apt upgrade
apt autoremove
apt list '?narrow(?installed, ?not(?origin(Debian)))'
find /etc -name '*.dpkg-*' -o -name '*.ucf-*' -o -name '*.merge-error'
## HERE: remove old configuration files if applicable.
# rm /etc/cron.daily/bsdmainutils.dpkg-remove /etc/ca-certificates.conf.dpkg-old
# rm /etc/ssh/sshd_config.ucf-old /etc/olsrd/olsrd.conf.dpkg-dist
cat /etc/apt/preferences
ls /etc/apt/preferences.d/
dpkg --audit
apt-mark showhold
apt list '~c'
## HERE: finally remove formerly installed packages & their configurations
# apt purge '~c'
apt clean
df -h
## HERE: adjust the apt sources list (:%s/bullseye/bookworm/g) + Ansible host_vars
## -> note the switch from apt non-free to non-free-firmware
## -> if needed via apt.conf.d: 'APT::Get::Update::SourceListWarnings::NonFreeFirmware "false";'
apt update && apt upgrade --without-new-pkgs
apt full-upgrade
## *** adduser.conf (Y/I/N/O/D/Z) [Vorgabe=N] ? Y
## *** sshd_config (Y/I/N/O/D/Z) [Vorgabe=N] ? Y
## *** security.conf (Y/I/N/O/D/Z) [Vorgabe=N] ? Y
## *** ssl.conf (Y/I/N/O/D/Z) [Vorgabe=N] ? Y
## *** rsnapshot.conf (Y/I/N/O/D/Z) [Vorgabe=N] ? N
## HERE: Ansible run if applicable
reboot
apt autoremove
apt list '~o'
## HERE: remove obsolete packages (check very carefully!; usually do not remove everything)
# apt #CHECKTWICE# purge '~o'
# apt remove gcc-10-base hddtemp libffi7 libruby2.7 libsepol1 libssl1.1 linux-image-5.10.0-26-amd64
# apt remove gcc-9-base libidn11 libldap-2.4-2 netcat
## HERE: post-check of services, manual restarts if needed
apt autoremove
apt list '~c'
## HERE: clean up removed packages
# apt purge '~c'
echo /nhdpinfo neighbor | nc localhost 2009
systemctl --type=service
systemctl status <name.service>
journalctl -u <name.service>
systemctl restart <name.service>
ip -6 addr show
ip -6 route show
ping -6 jun.opennet-initiative.de -c 3
ping -6 jun.on -c 3
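As an added example (not code from the original page or from the Opennet Ansible setup), the apt sources rewrite from the step above as a dry run: it prints the Bookworm version of a Bullseye sources list (bullseye to bookworm, including the -security/-updates suites, and non-free-firmware added next to non-free) instead of editing in place, then checks that no active line still names the old release. The function names and the sample sources list are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original page: dry run of the sources.list
# migration from bullseye to bookworm. Nothing is written to /etc.

# migrate_sources [FILE]: print the migrated sources list (stdin if no FILE).
migrate_sources() {
    awk '
        # comments and blank lines pass through untouched
        /^[[:space:]]*#/ || NF == 0 { print; next }
        $1 == "deb" || $1 == "deb-src" {
            line = $0
            gsub(/bullseye/, "bookworm", line)   # also -security, -updates
            has_nf = 0; has_nff = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "non-free") has_nf = 1
                if ($i == "non-free-firmware") has_nff = 1
            }
            # bookworm moved firmware into its own component; add it once
            if (has_nf && !has_nff) line = line " non-free-firmware"
            print line; next
        }
        { print }
    ' "${1:--}"
}

# no_leftover [FILE] NAME: succeed only if no active deb/deb-src line still
# names release NAME (commented-out lines are ignored).
no_leftover() {
    ! grep -E "^[[:space:]]*deb(-src)?[[:space:]].*$2" "${1:--}" >/dev/null
}

# Constructed sample of a bullseye sources.list (not taken from any host).
sample_sources() {
    cat <<'EOF'
deb http://deb.debian.org/debian bullseye main contrib non-free
deb http://security.debian.org/debian-security bullseye-security main
# deb http://deb.debian.org/debian bullseye-backports main
deb-src http://deb.debian.org/debian bullseye-updates main non-free non-free-firmware
EOF
}

# Show the migrated sample and verify nothing active still points to bullseye.
sample_sources | migrate_sources
sample_sources | migrate_sources | no_leftover - bullseye && echo "OK: no bullseye left"
```

Run it against a real file with `migrate_sources /etc/apt/sources.list` and compare the output before copying it over; files under /etc/apt/sources.list.d/ need the same treatment.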

Afterwards: run Ansible

For a WAN DHCP interface:

printf '[Match]\nName=eth1\n\n[Network]\nDHCP=ipv4\n' > /etc/systemd/network/eth1.network
vi /etc/network/interfaces
   # internet uplink
   #allow-hotplug eth1
   #iface eth1 inet dhcp
   #
   # see also systemd-networkd config
apt remove isc-dhcp-client isc-dhcp-common
networkctl
networkctl reload
networkctl
   IDX LINK TYPE     OPERATIONAL SETUP     
   1 lo   loopback routable    configured
   2 eth0 ether    routable    unmanaged
   3 eth1 ether    routable    configured
systemctl status systemd-networkd

On a reboot error message:

 # reboot
    Failed to set wall message, ignoring: Unit dbus-org.freedesktop.login1.service failed to load properly, please 
    adjust/correct and reload service manager: File exists
    Call to Reboot failed: Unit dbus-org.freedesktop.login1.service failed to load properly, please adjust/correct 
    and reload service manager: File exists
 systemctl unmask systemd-logind.service
 systemctl status systemd-logind.service
    ● systemd-logind.service - User Login Management
    Loaded: loaded (/lib/systemd/system/systemd-logind.service; static)
    Active: active (running) since Mon 2024-01-01 07:04:46 CET; 1min 57s ago

On a KVM error message:

 # virsh start <host>
    Fehler: Failed to start domain '<host>'
    Fehler: Nicht unterstützte Konfiguration: Emulator '/usr/bin/kvm' does not support machine type 'pc-1.1'
 virsh edit <host>
    <type arch='x86_64' machine='pc'>hvm</type>
 virsh start <host>

Preparations

Thoughts on the Debian release:

  • systemd-timesyncd for NTP client time sync - switch via Ansible
  • GRUB without OS prober via /etc/default/grub: "GRUB_DISABLE_OS_PROBER=true" - no adjustment necessary
  • isc-dhcp is going EoL, use an alternative DHCP (client) - switch manually
  • OpenSSH scp disabled, sftp to be used - no adjustment necessary
  • Switch SSH keys completely to ED25519?

Changelog notes:

bridge-utils (1.7-2) unstable; urgency=medium
 We have changed the way we deal with disabling IPv6 on the interfaces, now
 we don't disable IPv6 but instead we disable creation of link-local
 addresses on them.
 We also added a new setting in etc/default/bridge-utils named
 BRIDGE_DISABLE_LINKLOCAL_IPV6_ALSO_PHYS so that you can avoid disabling
 creation of link-local addresses on the physical interfaces on which we
 create vlan ports. The default setting is "yes" so that we preserve the
 old behaviour, but if you set it to no, the physical interface will
 receive its link-local address.
isc-dhcp-client (4.4.3-1) unstable; urgency=medium
 ISC has decided to stop maintaining the client and relay parts of isc-dhcp,
 and they will be removed after the 4.4.3 release, keeping only the server
 component. Please, consider using an alternative for isc-dhcp-client
 (dhclient).
 More information can be found in the ISC official announcement:
 https://www.isc.org/blogs/dhcp-client-relay-eom/
shadow (1:4.11.1+dfsg1-0exp1) experimental; urgency=medium
 Login now prevents an empty password field to be interpreted as
 "no authentication required" for UID 0 (root account).
 The historical default of letting all users with empty password field
 in without authentication can be restored in /etc/login.defs setting
 PREVENT_NO_AUTH to "no".
systemd (251.3-2) unstable; urgency=medium
 systemd-resolved has been split into a separate package.
 This new systemd-resolved package will not be installed automatically on
 upgrades. If you are using systemd-resolved, please install this new
 package manually.
openssh (1:9.2p1-1) unstable; urgency=medium
 OpenSSH 9.2 includes a number of changes that may affect existing
 configurations:
  * ssh(1): add a new EnableEscapeCommandline ssh_config(5) option that
    controls whether the client-side ~C escape sequence that provides a
    command-line is available. Among other things, the ~C command-line
    could be used to add additional port-forwards at runtime.
    This option defaults to "no", disabling the ~C command-line that was
    previously enabled by default. Turning off the command-line allows
    platforms that support sandboxing of the ssh(1) client (currently only
    OpenBSD) to use a stricter default sandbox policy.
openssh (1:9.1p1-1) unstable; urgency=medium
 OpenSSH 9.1 includes a number of changes that may affect existing
 configurations:
  * ssh(1), sshd(8): SetEnv directives in ssh_config and sshd_config are
    now first-match-wins to match other directives. Previously if an
    environment variable was multiply specified the last set value would
    have been used.
  * ssh-keygen(8): ssh-keygen -A (generate all default host key types) will
    no longer generate DSA keys, as these are insecure and have not been
    used by default for some years.
openssh (1:9.0p1-1) unstable; urgency=medium
 OpenSSH 9.0 includes a number of changes that may affect existing
 configurations:
  * This release switches scp(1) from using the legacy scp/rcp protocol to
    using the SFTP protocol by default.
    Legacy scp/rcp performs wildcard expansion of remote filenames (e.g.
    "scp host:* .") through the remote shell. This has the side effect of
    requiring double quoting of shell meta-characters in file names
    included on scp(1) command-lines, otherwise they could be interpreted
    as shell commands on the remote side.
    This creates one area of potential incompatibility: scp(1) when using
    the SFTP protocol no longer requires this finicky and brittle quoting,
    and attempts to use it may cause transfers to fail. We consider the
    removal of the need for double-quoting shell characters in file names
    to be a benefit and do not intend to introduce bug-compatibility for
    legacy scp/rcp in scp(1) when using the SFTP protocol.
    Another area of potential incompatibility relates to the use of remote
    paths relative to other user's home directories, for example - "scp
    host:~user/file /tmp". The SFTP protocol has no native way to expand a
    ~user path. However, sftp-server(8) in OpenSSH 8.7 and later support a
    protocol extension "expand-path@openssh.com" to support this.
    In case of incompatibility, the scp(1) client may be instructed to use
    the legacy scp/rcp using the -O flag.
openssh (1:8.8p1-1) unstable; urgency=medium
 OpenSSH 8.8 includes a number of changes that may affect existing
 configurations:
  * This release disables RSA signatures using the SHA-1 hash algorithm by
    default. This change has been made as the SHA-1 hash algorithm is
    cryptographically broken, and it is possible to create chosen-prefix
    hash collisions for <USD$50K.
    For most users, this change should be invisible and there is no need to
    replace ssh-rsa keys. OpenSSH has supported RFC8332 RSA/SHA-256/512
    signatures since release 7.2 and existing ssh-rsa keys will
    automatically use the stronger algorithm where possible.
    Incompatibility is more likely when connecting to older SSH
    implementations that have not been upgraded or have not closely tracked
    improvements in the SSH protocol. For these cases, it may be necessary
    to selectively re-enable RSA/SHA1 to allow connection and/or user
    authentication via the HostkeyAlgorithms and PubkeyAcceptedAlgorithms
    options. For example, the following stanza in ~/.ssh/config will enable
    RSA/SHA1 for host and user authentication for a single destination
    host:
        Host old-host
            HostkeyAlgorithms +ssh-rsa
            PubkeyAcceptedAlgorithms +ssh-rsa
    We recommend enabling RSA/SHA1 only as a stopgap measure until legacy
    implementations can be upgraded or reconfigured with another key type
    (such as ECDSA or Ed25519).
openssh (1:8.7p1-1) unstable; urgency=medium
 OpenSSH 8.7 includes a number of changes that may affect existing
 configurations:
  * scp(1): this release changes the behaviour of remote to remote copies
    (e.g. "scp host-a:/path host-b:") to transfer through the local host by
    default. This was previously available via the -3 flag. This mode
    avoids the need to expose credentials on the origin hop, avoids
    triplicate interpretation of filenames by the shell (by the local
    system, the copy origin and the destination) and, in conjunction with
    the SFTP support for scp(1) mentioned below, allows use of all
    authentication methods to the remote hosts (previously, only
    non-interactive methods could be used). A -R flag has been added to
    select the old behaviour.
  * ssh(1)/sshd(8): both the client and server are now using a stricter
    configuration file parser. The new parser uses more shell-like rules
    for quotes, space and escape characters. It is also more strict in
    rejecting configurations that include options lacking arguments.
    Previously some options (e.g. DenyUsers) could appear on a line with no
    subsequent arguments. This release will reject such configurations. The
    new parser will also reject configurations with unterminated quotes and
    multiple '=' characters after the option name.
  * ssh(1): when using SSHFP DNS records for host key verification, ssh(1)
    will verify all matching records instead of just those with the
    specific signature type requested. This may cause host key verification
    problems if stale SSHFP records of a different or legacy signature type
    exist alongside other records for a particular host. bz#3322
  * ssh-keygen(1): when generating a FIDO key and specifying an explicit
    attestation challenge (using -Ochallenge), the challenge will now be
    hashed by the builtin security key middleware. This removes the
    (undocumented) requirement that challenges be exactly 32 bytes in
    length and matches the expectations of libfido2.
  * sshd(8): environment="..." directives in authorized_keys files are now
    first-match-wins and limited to 1024 discrete environment variable
    names.
 OpenSSH 8.5 includes a number of changes that may affect existing
 configurations:
  * ssh(1), sshd(8): this release changes the first-preference signature
    algorithm from ECDSA to ED25519.
  * ssh(1), sshd(8): set the TOS/DSCP specified in the configuration for
    interactive use prior to TCP connect. The connection phase of the SSH
    session is time-sensitive and often explicitly interactive.  The
    ultimate interactive/bulk TOS/DSCP will be set after authentication
    completes.
  * ssh(1), sshd(8): remove the pre-standardization cipher
    rijndael-cbc@lysator.liu.se. It is an alias for aes256-cbc before it
    was standardized in RFC4253 (2006), has been deprecated and disabled by
    default since OpenSSH 7.2 (2016) and was only briefly documented in
    ssh.1 in 2001.
  * ssh(1), sshd(8): update/replace the experimental post-quantum hybrid
    key exchange method based on Streamlined NTRU Prime coupled with
    X25519.
    The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced
    with sntrup761x25519-sha512@openssh.com. Per its designers, the
    sntrup4591761 algorithm was superseded almost two years ago by
    sntrup761.
    (note that both the updated method and the one that it replaced are
    disabled by default)
  * ssh(1): disable CheckHostIP by default. It provides insignificant
    benefits while making key rotation significantly more difficult,
    especially for hosts behind IP-based load-balancers.
rsync (3.2.3-5) unstable; urgency=medium
 The --copy-devices option has been reintroduced, it was previously removed in
 favor of the new one --write-devices, but it turns out they are not equivalent
 enough and upstream is providing the copy-devices patch on rsync-patches.
 Please beware that although the --copy-devices option is provided by
 upstream, it is not part of the official rsync package and it could be
 dropped or changed in ways that are not backwards compatible, though this would
 only happen between Debian releases.
 That being said, we will not drop this option from the Debian packaging as
 long as upstream keeps providing the patch under rsync-patches.
pyjwt (2.1.0-1) unstable; urgency=medium
 Commandline script was removed upstream and there is not an alternative.
 Who needs it should write something to cover the features they were using.

https://www.debian.org/releases/bookworm/amd64/release-notes/ch-upgrading.de.html
