Benutzer:MathiasMahnke/Debian Bookworm 2024
From Opennet
Status: Done.
Debian Bookworm update status of the Opennet servers - Debian release of 06/2023.
Status
Virtualisation servers:
- Server/akito - Done, 2024/01/06
- Server/tamago - Done, 2024/01/06
- Server/ryoko - Done, 2024/01/02
- Server/aqua - Done, 2024/01/06
- Template VMs in vhost-admin.sh - Done, 2024/01/01, open: systemd-networkd
- Firmware upgrades
Gateway servers:
- Server/erina - Done, 2024/01/07
- Server/gai - Done, 2024/01/08
- Server/itsuki - Done, 2023/12/28
- Server/megumi - Done, 2024/01/08; open: move to the new server offering (KVM) 10/2024 + "Extension DNAT is not supported, missing kernel module" problem (OpenVZ kernel 4.19)
- Server/subaru - Done, 2024/01/07
Service servers:
- Server/amano - Done, 2024/01/04 -- special: stop cron before the update (CA jobs) + Java (OpenJDK) for the membership application PDF + php-iban (GitHub) updated manually
- Server/crimson - Debian Wheezy -- mail server + wiki
- Server/goat - Done, 2023/12/30 -- special: Buildbot web installed via pip
- Server/haruka - not Debian / MikroTik CHR
- Server/heartofgold - Debian Wheezy -- DNS hidden primary
- Server/hikaru - Done, 2024/01/01 -- special: python(3)-mysql / mysql vs. mariadb / old MediaWiki modules / /var/log/mediawiki? // Ansible Hugo submodule error
- Server/hoshino - Done, 2023/12/31
- Server/howmei - Done, 2024/01/03 -- special: not all mesh participants reachable via IPv6.
- Server/inez - Done, 2024/01/03
- Server/izumi - Done, 2024/01/02 -- special: DNS primary installation still open + Opennet service discovery additionally via CA certificate
- Server/jun - Done, 2024/01/03
- Server/kazama - Done, 2024/01/03 -- special: wireguard installation incomplete in Ansible
- Server/kinjo - Done, 2024/01/04
- Server/maki - Done, 2024/01/03
- Server/nagare - Debian Buster -- special: moinmoin needs Python 2; open: replacement of moinmoin
- Server/ruri - Done, 2024/01/02
- Server/tenkawa - Done, 2024/01/02 -- special: /var/log/rsyncd.log without logrotate (since 2018)
- Server/yurika - Done, 2023/12/29 -- special: SmokePing startup workaround (since 2023)
Other servers
- Server/titan - Done, 2023/12/28
- Server/server-mathias - Done, 2024/01/01 -- special: Grafana via external APT repository
- Server/server-christoph - Done, 2023/12/31
- Server/server-matthias - Done, 2024/01/01
Update
Beforehand: run Ansible.
Procedure:
 screen
 cat /etc/debian_version
 apt update && apt upgrade
 apt autoremove
 apt list '?narrow(?installed, ?not(?origin(Debian)))'
 find /etc -name '*.dpkg-*' -o -name '*.ucf-*' -o -name '*.merge-error'
 ## HERE: remove old configuration files if necessary.
 # rm /etc/cron.daily/bsdmainutils.dpkg-remove /etc/ca-certificates.conf.dpkg-old
 # rm /etc/ssh/sshd_config.ucf-old /etc/olsrd/olsrd.conf.dpkg-dist
 cat /etc/apt/preferences
 ls /etc/apt/preferences.d/
 dpkg --audit
 apt-mark showhold
 apt list '~c'
 ## HERE: finally remove previously installed packages and their configurations
 # apt purge '~c'
 apt clean
 df -h
 ## HERE: adjust the apt sources list (:%s/bullseye/bookworm/g) + Ansible host_vars
 ## -> note the change from apt non-free to non-free-firmware (virtualisation servers)
 apt update && apt upgrade --without-new-pkgs
 apt full-upgrade
 ## *** adduser.conf (Y/I/N/O/D/Z) [Vorgabe=N] ? Y
 ## *** sshd_config (Y/I/N/O/D/Z) [Vorgabe=N] ? Y
 ## *** security.conf (Y/I/N/O/D/Z) [Vorgabe=N] ? Y
 ## *** ssl.conf (Y/I/N/O/D/Z) [Vorgabe=N] ? Y
 ## *** rsnapshot.conf (Y/I/N/O/D/Z) [Vorgabe=N] ? N
 ## *** named.conf (Y/I/N/O/D/Z) [Vorgabe=N] ? N
 ## HERE: run Ansible if necessary
 reboot
 apt autoremove
 apt list '~o'
 ## HERE: remove obsolete packages (check very carefully! as a rule, do not remove everything)
 # apt #CHECKTWICE# purge '~o'
 # apt remove gcc-10-base hddtemp libffi7 libruby2.7 libsepol1 libssl1.1 linux-image-5.10.0-26-amd64
 # apt remove libidn11 libldap-2.4-2 netcat
 # apt remove gcc-9-base
 apt autoremove
 apt list '~c'
 ## HERE: clean up removed packages
 # apt purge '~c'
 ## HERE: check the services afterwards, restart manually if necessary
 echo /nhdpinfo neighbor | nc localhost 2009
 systemctl --type=service
 systemctl status <name.service>
 journalctl -u <name.service>
 systemctl restart <name.service>
 ip -6 addr show
 ip -6 route show
 ping -6 jun.opennet-initiative.de -c 3
 ping -6 jun.on -c 3
Afterwards: run Ansible
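The two manual checkpoints in this procedure that are easiest to get wrong are the sources list change (forgetting the new non-free-firmware component) and the clean-up of leftover configuration files (purging a file that is still in use). The following shell script is an added example and not code from the Opennet wiki page or its Ansible setup: it rewrites a sources.list from bullseye to bookworm on stdout so the result can be diffed before it replaces the real file, and it lists stale conffiles with the same patterns as the find in the procedure above. Keeping non-free and adding non-free-firmware next to it is an assumption about local policy, and the sample files are constructed.

```shell
#!/bin/sh
# Added example (not part of the Opennet wiki page): helpers for two of the
# "HERE" checkpoints in the upgrade procedure.
#   migrate_sources_line  - rewrite one apt sources line from bullseye to
#                           bookworm and add the non-free-firmware component
#                           where the line still carries non-free (Bookworm
#                           moved firmware packages into that component).
#   list_stale_conffiles  - list leftover package configuration files
#                           (*.dpkg-*, *.ucf-*, *.merge-error) below a directory,
#                           the same patterns as the find in the procedure.
# Assumption: keeping non-free and adding non-free-firmware next to it is a
# local policy choice; hosts that only used non-free for firmware may drop it.

migrate_sources_line() {
    # $1: one line of /etc/apt/sources.list (comments are rewritten too,
    # matching the :%s/bullseye/bookworm/g in the procedure)
    line=$(printf '%s\n' "$1" | sed 's/bullseye/bookworm/g')
    case "$line" in
        ''|\#*) printf '%s\n' "$line"; return 0 ;;
    esac
    # word-boundary match: "non-free" but not "non-free-firmware"
    case " $line " in
        *' non-free '*)
            case " $line " in
                *' non-free-firmware '*) ;;
                *) line="$line non-free-firmware" ;;
            esac ;;
    esac
    printf '%s\n' "$line"
}

migrate_sources_file() {
    # $1: path of a sources.list; writes the migrated version to stdout so the
    # operator can diff it before replacing the real file
    while IFS= read -r l || [ -n "$l" ]; do
        migrate_sources_line "$l"
    done < "$1"
}

list_stale_conffiles() {
    # $1: directory to scan (normally /etc); one path per line, sorted
    find "$1" -type f \( -name '*.dpkg-*' -o -name '*.ucf-*' -o -name '*.merge-error' \) | sort
}

demo() {
    # constructed sample data, not taken from any Opennet host
    tmp=$(mktemp -d)
    cat > "$tmp/sources.list" <<'EOF'
deb http://deb.debian.org/debian bullseye main contrib non-free
deb http://security.debian.org/debian-security bullseye-security main
# deb-src http://deb.debian.org/debian bullseye main
EOF
    mkdir -p "$tmp/etc/ssh"
    : > "$tmp/etc/ssh/sshd_config"
    : > "$tmp/etc/ssh/sshd_config.ucf-old"
    : > "$tmp/etc/ca-certificates.conf.dpkg-old"
    echo "== migrated sources.list =="
    migrate_sources_file "$tmp/sources.list"
    echo "== stale configuration files below $tmp/etc =="
    list_stale_conffiles "$tmp/etc"
    rm -rf "$tmp"
}

demo
```

On a real host, run `migrate_sources_file /etc/apt/sources.list | diff /etc/apt/sources.list -` first and only then write the result back; files under /etc/apt/sources.list.d/ need the same treatment. Every path that `list_stale_conffiles /etc` prints should be diffed against its live counterpart (for example sshd_config.ucf-old against sshd_config) before it is deleted.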
For a WAN DHCP interface:
 echo -en "[Match]\nName=eth1\n\n[Network]\nDHCP=ipv4" > /etc/systemd/network/eth1.network
 vi /etc/network/interfaces
 # internet uplink
 #allow-hotplug eth1
 #iface eth1 inet dhcp
 #
 # see also systemd-networkd config
 apt remove isc-dhcp-client isc-dhcp-common
 networkctl
 networkctl reload
 networkctl
 IDX LINK TYPE     OPERATIONAL SETUP
   1 lo   loopback routable    configured
   2 eth0 ether    routable    unmanaged
   3 eth1 ether    routable    configured
 systemctl status systemd-networkd
On reboot error message:
 # reboot
 Failed to set wall message, ignoring: Unit dbus-org.freedesktop.login1.service failed to load properly, please adjust/correct and reload service manager: File exists
 Call to Reboot failed: Unit dbus-org.freedesktop.login1.service failed to load properly, please adjust/correct and reload service manager: File exists
 systemctl unmask systemd-logind.service
 systemctl status systemd-logind.service
 ● systemd-logind.service - User Login Management
      Loaded: loaded (/lib/systemd/system/systemd-logind.service; static)
      Active: active (running) since Mon 2024-01-01 07:04:46 CET; 1min 57s ago
On KVM error message:
 # virsh start <host>
 Fehler: Failed to start domain '<host>'
 Fehler: Nicht unterstützte Konfiguration: Emulator '/usr/bin/kvm' does not support machine type 'pc-1.1'
 virsh edit <host>
 <type arch='x86_64' machine='pc'>hvm</type>
 virsh start <host>
Preparations
Thoughts on the Debian release:
- systemd-timesyncd for NTP client time sync - switch via Ansible
- GRUB without OS prober via /etc/default/grub: "GRUB_DISABLE_OS_PROBER=true" - no adjustment necessary
- isc-dhcp is going EoL, use an alternative DHCP (client) - switch manually
- OpenSSH scp disabled, sftp to be used - no adjustment necessary
- Switch SSH keys completely to ED25519?
- "Services that use NSS", still necessary?
Changelog notes:
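Before deciding the ED25519 question, it helps to know which key types are actually installed on the hosts. The following shell script is an added example and not code from the Opennet wiki page: it reads an authorized_keys file, finds the key type on each line (also when options such as command="..." precede it) and sorts the keys into replace/migrate/ok/review buckets. The classification itself, the bucket names and the sample key file with placeholder blobs are assumptions made for the example; the only facts it relies on are the OpenSSH changelog notes quoted below (DSA keys no longer generated by ssh-keygen -A, ED25519 as first-preference algorithm, RSA keys still usable with SHA-2 signatures).

```shell
#!/bin/sh
# Added example (not part of the Opennet wiki page): inventory of the key
# types in an authorized_keys file, as a first step for the "switch SSH keys
# completely to ED25519" question. Classification used here (a local
# assumption, not a policy from the page):
#   REPLACE  ssh-dss           - DSA; no longer generated by ssh-keygen -A
#   MIGRATE  ssh-rsa           - still works (RSA/SHA-2 signatures), but is
#                                the type the migration is meant to retire
#   OK       ssh-ed25519
#   REVIEW   anything else     - ecdsa and FIDO (sk-*) keys: decide per key
#   INVALID  no key type found on the line

audit_authorized_keys() {
    # $1: path of an authorized_keys file
    # prints one "VERDICT TYPE COMMENT" line per key; blank and # lines are skipped.
    # Options such as command="...",no-pty may precede the key type, so the
    # first field that is a known key type is taken as the type. This assumes
    # the option values themselves never contain a bare key-type token.
    awk '
        NF == 0 || /^[ \t]*#/ { next }
        {
            i = 1
            while (i <= NF && $i !~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com)$/) i++
            if (i > NF) { print "INVALID", "-", "-"; next }
            type = $i
            comment = (i + 2 <= NF) ? $(i + 2) : "-"
            if (type == "ssh-dss") verdict = "REPLACE"
            else if (type == "ssh-rsa") verdict = "MIGRATE"
            else if (type == "ssh-ed25519") verdict = "OK"
            else verdict = "REVIEW"
            print verdict, type, comment
        }' "$1"
}

audit_summary() {
    # $1: path of an authorized_keys file; prints one line with counts per verdict
    audit_authorized_keys "$1" | awk '
        { n[$1]++ }
        END {
            printf "replace=%d migrate=%d ok=%d review=%d invalid=%d\n",
                   n["REPLACE"], n["MIGRATE"], n["OK"], n["REVIEW"], n["INVALID"]
        }'
}

demo() {
    # constructed sample file; the key blobs are placeholders, not real keys
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, not a real authorized_keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER0001 admin@example.net
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDER0002 backup@example.net
command="/usr/bin/rsync --server",no-pty ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDER0003 legacy@example.net

ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYPLACEHOLDER0004 laptop@example.net
EOF
    audit_authorized_keys "$f"
    audit_summary "$f"
    rm -f "$f"
}

demo
```

Run it against the real files with `for f in /root/.ssh/authorized_keys /home/*/.ssh/authorized_keys; do echo "$f"; audit_summary "$f"; done` (or let Ansible collect the files first); a host where everything reports ok=N and the other counters are 0 is ready for a HostKeyAlgorithms and PubkeyAcceptedAlgorithms policy without ssh-rsa. Key length is deliberately not checked here, since that needs the blob decoded (ssh-keygen -l does that per file).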
bridge-utils (1.7-2) unstable; urgency=medium
We have changed the way we deal with disabling IPv6 on the interfaces, now we don't disable IPv6 but instead we disable creation of link-local addresses on them. We also added a new setting in etc/default/bridge-utils named BRIDGE_DISABLE_LINKLOCAL_IPV6_ALSO_PHYS so that you can avoid disabling creation of link-local addresses on the physical interfaces on which we create vlan ports. The default setting is "yes" so that we preserve the old behaviour, but if you set it to no, the physical interface will receive its link-local address.
isc-dhcp-client (4.4.3-1) unstable; urgency=medium
ISC has decided to stop maintaining the client and relay parts of isc-dhcp, and they will be removed after the 4.4.3 release, keeping only the server component. Please, consider using an alternative for isc-dhcp-client (dhclient). More information can be found in the ISC official announcement: https://www.isc.org/blogs/dhcp-client-relay-eom/
shadow (1:4.11.1+dfsg1-0exp1) experimental; urgency=medium
Login now prevents an empty password field to be interpreted as "no authentication required" for UID 0 (root account). The historical default of letting all users with empty password field in without authentication can be restored in /etc/login.defs setting PREVENT_NO_AUTH to "no".
systemd (251.3-2) unstable; urgency=medium
systemd-resolved has been split into a separate package. This new systemd-resolved package will not be installed automatically on upgrades. If you are using systemd-resolved, please install this new package manually.
openssh (1:9.2p1-1) unstable; urgency=medium
OpenSSH 9.2 includes a number of changes that may affect existing
configurations:
* ssh(1): add a new EnableEscapeCommandline ssh_config(5) option that
controls whether the client-side ~C escape sequence that provides a
command-line is available. Among other things, the ~C command-line
could be used to add additional port-forwards at runtime.
This option defaults to "no", disabling the ~C command-line that was
previously enabled by default. Turning off the command-line allows
platforms that support sandboxing of the ssh(1) client (currently only
OpenBSD) to use a stricter default sandbox policy.
openssh (1:9.1p1-1) unstable; urgency=medium
OpenSSH 9.1 includes a number of changes that may affect existing
configurations:
* ssh(1), sshd(8): SetEnv directives in ssh_config and sshd_config are
now first-match-wins to match other directives. Previously if an
environment variable was multiply specified the last set value would
have been used.
* ssh-keygen(8): ssh-keygen -A (generate all default host key types) will
no longer generate DSA keys, as these are insecure and have not been
used by default for some years.
openssh (1:9.0p1-1) unstable; urgency=medium
OpenSSH 9.0 includes a number of changes that may affect existing
configurations:
* This release switches scp(1) from using the legacy scp/rcp protocol to
using the SFTP protocol by default.
Legacy scp/rcp performs wildcard expansion of remote filenames (e.g.
"scp host:* .") through the remote shell. This has the side effect of
requiring double quoting of shell meta-characters in file names
included on scp(1) command-lines, otherwise they could be interpreted
as shell commands on the remote side.
This creates one area of potential incompatibility: scp(1) when using
the SFTP protocol no longer requires this finicky and brittle quoting,
and attempts to use it may cause transfers to fail. We consider the
removal of the need for double-quoting shell characters in file names
to be a benefit and do not intend to introduce bug-compatibility for
legacy scp/rcp in scp(1) when using the SFTP protocol.
Another area of potential incompatibility relates to the use of remote
paths relative to other user's home directories, for example - "scp
host:~user/file /tmp". The SFTP protocol has no native way to expand a
~user path. However, sftp-server(8) in OpenSSH 8.7 and later support a
protocol extension "expand-path@openssh.com" to support this.
In case of incompatibility, the scp(1) client may be instructed to use
the legacy scp/rcp using the -O flag.
openssh (1:8.8p1-1) unstable; urgency=medium
OpenSSH 8.8 includes a number of changes that may affect existing
configurations:
* This release disables RSA signatures using the SHA-1 hash algorithm by
default. This change has been made as the SHA-1 hash algorithm is
cryptographically broken, and it is possible to create chosen-prefix
hash collisions for <USD$50K.
For most users, this change should be invisible and there is no need to
replace ssh-rsa keys. OpenSSH has supported RFC8332 RSA/SHA-256/512
signatures since release 7.2 and existing ssh-rsa keys will
automatically use the stronger algorithm where possible.
Incompatibility is more likely when connecting to older SSH
implementations that have not been upgraded or have not closely tracked
improvements in the SSH protocol. For these cases, it may be necessary
to selectively re-enable RSA/SHA1 to allow connection and/or user
authentication via the HostkeyAlgorithms and PubkeyAcceptedAlgorithms
options. For example, the following stanza in ~/.ssh/config will enable
RSA/SHA1 for host and user authentication for a single destination
host:
 Host old-host
     HostkeyAlgorithms +ssh-rsa
     PubkeyAcceptedAlgorithms +ssh-rsa
We recommend enabling RSA/SHA1 only as a stopgap measure until legacy
implementations can be upgraded or reconfigured with another key type
(such as ECDSA or Ed25519).
openssh (1:8.7p1-1) unstable; urgency=medium
OpenSSH 8.7 includes a number of changes that may affect existing
configurations:
* scp(1): this release changes the behaviour of remote to remote copies
(e.g. "scp host-a:/path host-b:") to transfer through the local host by
default. This was previously available via the -3 flag. This mode
avoids the need to expose credentials on the origin hop, avoids
triplicate interpretation of filenames by the shell (by the local
system, the copy origin and the destination) and, in conjunction with
the SFTP support for scp(1) mentioned below, allows use of all
authentication methods to the remote hosts (previously, only
non-interactive methods could be used). A -R flag has been added to
select the old behaviour.
* ssh(1)/sshd(8): both the client and server are now using a stricter
configuration file parser. The new parser uses more shell-like rules
for quotes, space and escape characters. It is also more strict in
rejecting configurations that include options lacking arguments.
Previously some options (e.g. DenyUsers) could appear on a line with no
subsequent arguments. This release will reject such configurations. The
new parser will also reject configurations with unterminated quotes and
multiple '=' characters after the option name.
* ssh(1): when using SSHFP DNS records for host key verification, ssh(1)
will verify all matching records instead of just those with the
specific signature type requested. This may cause host key verification
problems if stale SSHFP records of a different or legacy signature type
exist alongside other records for a particular host. bz#3322
* ssh-keygen(1): when generating a FIDO key and specifying an explicit
attestation challenge (using -Ochallenge), the challenge will now be
hashed by the builtin security key middleware. This removes the
(undocumented) requirement that challenges be exactly 32 bytes in
length and matches the expectations of libfido2.
* sshd(8): environment="..." directives in authorized_keys files are now
first-match-wins and limited to 1024 discrete environment variable
names.
OpenSSH 8.5 includes a number of changes that may affect existing
configurations:
* ssh(1), sshd(8): this release changes the first-preference signature
algorithm from ECDSA to ED25519.
* ssh(1), sshd(8): set the TOS/DSCP specified in the configuration for
interactive use prior to TCP connect. The connection phase of the SSH
session is time-sensitive and often explicitly interactive. The
ultimate interactive/bulk TOS/DSCP will be set after authentication
completes.
* ssh(1), sshd(8): remove the pre-standardization cipher
rijndael-cbc@lysator.liu.se. It is an alias for aes256-cbc before it
was standardized in RFC4253 (2006), has been deprecated and disabled by
default since OpenSSH 7.2 (2016) and was only briefly documented in
ssh.1 in 2001.
* ssh(1), sshd(8): update/replace the experimental post-quantum hybrid
key exchange method based on Streamlined NTRU Prime coupled with
X25519.
The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced
with sntrup761x25519-sha512@openssh.com. Per its designers, the
sntrup4591761 algorithm was superseded almost two years ago by
sntrup761.
(note this both the updated method and the one that it replaced are
disabled by default)
* ssh(1): disable CheckHostIP by default. It provides insignificant
benefits while making key rotation significantly more difficult,
especially for hosts behind IP-based load-balancers.
rsync (3.2.3-5) unstable; urgency=medium
The --copy-devices option has been reintroduced, it was previously removed in favor of the new one --write-devices, but it turns out they are not equivalent enough and upstream is providing the copy-devices patch on rsync-patches. Please beware that although the --copy-devices option is provided by upstream, it is not part of the official rsync package and it could be dropped or changed in ways that are not backwards compatible, though this would only happen between Debian releases. That being said, we will not drop this option from the Debian packaging as long as upstream keeps providing the patch under rsync-patches.
pyjwt (2.1.0-1) unstable; urgency=medium
Commandline script was removed upstream and there is not an alternative. Who needs it should write something to cover the features they were using.
https://www.debian.org/releases/bookworm/amd64/release-notes/ch-upgrading.de.html