User:MathiasMahnke/Debian Bookworm 2024
Revision as of 3 January 2024, 10:03 by MathiasMahnke
Status: In progress.
Debian Bookworm upgrade status of the Opennet servers - Debian release from 06/2023.
Status
Virtualization servers:
- Server/akito -
- Server/tamago -
- Server/ryoko - Done, 2024/01/02
- Server/aqua -
- Template VMs in vhost-admin.sh - Done, 2024/01/01, open: eth1 WAN NIC DHCP + KVM PC type?
Gateway servers:
- Server/erina - open: speedtest?
- Server/gai - open: speedtest?
- Server/itsuki - Done, 2023/12/28; open: speedtest?
- Server/megumi - open: speedtest?
- Server/subaru - open: speedtest?
Service servers:
- Server/amano - -- Special note: stop cron before the update (CA jobs)
- Server/crimson - Debian Wheezy -- mail server + wiki
- Server/goat - Done, 2023/12/30 -- Special note: Buildbot web installed via pip
- Server/haruka - currently not Debian / RouterOS
- Server/heartofgold - Debian Wheezy -- DNS hidden primary
- Server/hikaru - Done, 2024/01/01 -- Special note: python(3)-mysql / mysql vs. mariadb / old MediaWiki modules / /var/log/mediawiki? // Ansible Hugo submodule error
- Server/hoshino - Done, 2023/12/31
- Server/howmei - Done, 2024/01/03 -- Special note: not all mesh participants are reachable via IPv6.
- Server/inez - -- Special note: rsnapshot not in Bullseye / installed via upstream DEB
- Server/izumi - Done, 2024/01/02, open: installation of DNS primary -- Special note: Opennet service discovery additionally via CA certificate
- Server/jun - -- Special note: slt not in Buster
- Server/kazama - open: eth1 WAN NIC DHCP -- Special note: WireGuard installation not completed?
- Server/kinjo -
- Server/maki - Done, 2024/01/03; open: check Debian rsnapshot.conf / align with Ansible
- Server/nagare - Debian Buster -- Special note: moinmoin requires Python 2
- Server/ruri - Done, 2024/01/02
- Server/tenkawa - Done, 2024/01/02, open: rsync error? -- Special note: Freifunk media mirror /var/log/rsyncd.log without logrotate (since 2018)
- Server/yurika - Done, 2023/12/29 -- Special note: SmokePing startup workaround (since 2023)
Other servers
- Server/titan - Done, 2023/12/28
- Server/server-mathias - Done, 2024/01/01 -- Special note: Grafana via external APT repository
- Server/server-christoph - Done, 2023/12/31
- Server/server-matthias - Done, 2024/01/01
Upgrade
Beforehand: run Ansible.
Procedure:
screen
cat /etc/debian_version
apt update && apt upgrade
apt autoremove
apt list '?narrow(?installed, ?not(?origin(Debian)))'
find /etc -name '*.dpkg-*' -o -name '*.ucf-*' -o -name '*.merge-error'
## HERE: remove old configuration files if necessary.
# rm /etc/cron.daily/bsdmainutils.dpkg-remove /etc/ca-certificates.conf.dpkg-old
# rm /etc/ssh/sshd_config.ucf-old /etc/olsrd/olsrd.conf.dpkg-dist
cat /etc/apt/preferences
ls /etc/apt/preferences.d/
dpkg --audit
apt-mark showhold
apt list '~c'
## HERE: finally remove formerly installed packages & their configurations
# apt purge '~c'
apt clean
df -h
## HERE: adjust the apt sources list (:%s/bullseye/bookworm/g) + Ansible host_vars
## -> note the switch from apt non-free to non-free-firmware
## -> if necessary via apt.conf.d: 'APT::Get::Update::SourceListWarnings::NonFreeFirmware "false";'
apt update && apt upgrade --without-new-pkgs
apt full-upgrade
## *** adduser.conf (Y/I/N/O/D/Z) [Vorgabe=N] ? Y
## *** sshd_config (Y/I/N/O/D/Z) [Vorgabe=N] ? Y
## *** security.conf (Y/I/N/O/D/Z) [Vorgabe=N] ? Y
## *** ssl.conf (Y/I/N/O/D/Z) [Vorgabe=N] ? Y
## *** rsnapshot.conf (Y/I/N/O/D/Z) [Vorgabe=N] ? N
## HERE: run Ansible if necessary
reboot
apt autoremove
apt list '~o'
## HERE: remove obsolete packages (check very carefully!; as a rule do not remove everything)
# apt #CHECKTWICE# purge '~o'
# apt remove gcc-10-base hddtemp libffi7 libruby2.7 libsepol1 libssl1.1 linux-image-5.10.0-26-amd64
# apt remove gcc-9-base libidn11 libldap-2.4-2 netcat
apt autoremove
apt list '~c'
## HERE: clean up removed packages
# apt purge '~c'
## HERE: post-check of services, manual restarts if necessary
echo /nhdpinfo neighbor | nc localhost 2009
systemctl --type=service
systemctl status <name.service>
journalctl -u <name.service>
systemctl restart <name.service>
ip -6 addr show
ip -6 route show
ping -6 jun.opennet-initiative.de -c 3
ping -6 jun.on -c 3
Afterwards: run Ansible
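An added helper (not part of the Opennet wiki or its Ansible setup) for two of the steps above: it converts an apt sources file from bullseye to bookworm, adding the non-free-firmware component that bookworm split out of non-free, and lists leftover conffile variants (*.dpkg-*, *.ucf-*, *.merge-error) for review before the release switch. The file paths and the --run switch are assumptions; the input file is never modified in place.

```shell
#!/bin/sh
# Added example, not from the Opennet wiki. POSIX sh + awk + find only.

# Print a bookworm version of an apt sources file to stdout:
# - "bullseye" and "bullseye-*" suites become "bookworm" / "bookworm-*"
# - a deb/deb-src line carrying "non-free" gets "non-free-firmware" appended
#   unless it already lists it (bookworm moved firmware into that component)
convert_sources() {
    awk '
        /^deb/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "bullseye") $i = "bookworm"
                else if ($i ~ /^bullseye-/) sub(/^bullseye/, "bookworm", $i)
            }
            if (/[ \t]non-free([ \t]|$)/ && !/non-free-firmware/)
                $0 = $0 " non-free-firmware"
        }
        { print }
    ' "$1"
}

# Exit 0 when no line of the given file still references bullseye.
no_bullseye_left() {
    ! grep -q 'bullseye' "$1"
}

# List leftover conffile variants below a directory, sorted, one per line.
# Same patterns as the find in the procedure above, grouped correctly.
stale_conffiles() {
    find "$1" -type f \( -name '*.dpkg-*' -o -name '*.ucf-*' \
        -o -name '*.merge-error' \) | sort
}

# Assumed usage: ./preflight.sh --run  (review output, then edit by hand)
if [ "${1:-}" = "--run" ]; then
    convert_sources /etc/apt/sources.list
    stale_conffiles /etc
fi
```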
With a WAN DHCP interface:
echo -en "[Match]\nName=eth1\n\n[Network]\nDHCP=ipv4" > /etc/systemd/network/eth1.network
vi /etc/network/interfaces
    # internet uplink
    #allow-hotplug eth1
    #iface eth1 inet dhcp
    #
    # see also systemd-networkd config
apt remove isc-dhcp-client isc-dhcp-common
networkctl
networkctl reload
networkctl
IDX LINK TYPE     OPERATIONAL SETUP
  1 lo   loopback routable    configured
  2 eth0 ether    routable    unmanaged
  3 eth1 ether    routable    configured
systemctl status systemd-networkd
On a reboot error message:
# reboot
Failed to set wall message, ignoring: Unit dbus-org.freedesktop.login1.service failed to load properly, please adjust/correct and reload service manager: File exists
Call to Reboot failed: Unit dbus-org.freedesktop.login1.service failed to load properly, please adjust/correct and reload service manager: File exists
systemctl unmask systemd-logind.service
systemctl status systemd-logind.service
● systemd-logind.service - User Login Management
     Loaded: loaded (/lib/systemd/system/systemd-logind.service; static)
     Active: active (running) since Mon 2024-01-01 07:04:46 CET; 1min 57s ago
On a KVM error message:
# virsh start <host>
Fehler: Failed to start domain '<host>'
Fehler: Nicht unterstützte Konfiguration: Emulator '/usr/bin/kvm' does not support machine type 'pc-1.1'
virsh edit <host>
    <type arch='x86_64' machine='pc'>hvm</type>
virsh start <host>
Preparations
Thoughts on the Debian release:
- systemd-timesyncd for NTP client time sync - switch via Ansible
- GRUB without OS prober via /etc/default/grub: "GRUB_DISABLE_OS_PROBER=true" - no adjustment necessary
- isc-dhcp goes EoL, use an alternative DHCP (client) - switch manually
- OpenSSH scp disabled, sftp to be used - no adjustment necessary
- Switch SSH keys fully to ED25519?
Changelog notes:
bridge-utils (1.7-2) unstable; urgency=medium
  We have changed the way we deal with disabling IPv6 on the interfaces, now we don't disable IPv6 but instead we disable creation of link-local addresses on them. We also added a new setting in etc/default/bridge-utils named BRIDGE_DISABLE_LINKLOCAL_IPV6_ALSO_PHYS so that you can avoid disabling creation of link-local addresses on the physical interfaces on which we create vlan ports. The default setting is "yes" so that we preserve the old behaviour, but if you set it to no, the physical interface will receive its link-local address.
isc-dhcp-client (4.4.3-1) unstable; urgency=medium
  ISC has decided to stop maintaining the client and relay parts of isc-dhcp, and they will be removed after the 4.4.3 release, keeping only the server component. Please, consider using an alternative for isc-dhcp-client (dhclient). More information can be found in the ISC official announcement: https://www.isc.org/blogs/dhcp-client-relay-eom/
shadow (1:4.11.1+dfsg1-0exp1) experimental; urgency=medium
  Login now prevents an empty password field to be interpreted as "no authentication required" for UID 0 (root account). The historical default of letting all users with empty password field in without authentication can be restored in /etc/login.defs setting PREVENT_NO_AUTH to "no".
systemd (251.3-2) unstable; urgency=medium
  systemd-resolved has been split into a separate package. This new systemd-resolved package will not be installed automatically on upgrades. If you are using systemd-resolved, please install this new package manually.
openssh (1:9.2p1-1) unstable; urgency=medium
  OpenSSH 9.2 includes a number of changes that may affect existing configurations:
  * ssh(1): add a new EnableEscapeCommandline ssh_config(5) option that controls whether the client-side ~C escape sequence that provides a command-line is available. Among other things, the ~C command-line could be used to add additional port-forwards at runtime. This option defaults to "no", disabling the ~C command-line that was previously enabled by default. Turning off the command-line allows platforms that support sandboxing of the ssh(1) client (currently only OpenBSD) to use a stricter default sandbox policy.
openssh (1:9.1p1-1) unstable; urgency=medium
  OpenSSH 9.1 includes a number of changes that may affect existing configurations:
  * ssh(1), sshd(8): SetEnv directives in ssh_config and sshd_config are now first-match-wins to match other directives. Previously if an environment variable was multiply specified the last set value would have been used.
  * ssh-keygen(8): ssh-keygen -A (generate all default host key types) will no longer generate DSA keys, as these are insecure and have not been used by default for some years.
openssh (1:9.0p1-1) unstable; urgency=medium
  OpenSSH 9.0 includes a number of changes that may affect existing configurations:
  * This release switches scp(1) from using the legacy scp/rcp protocol to using the SFTP protocol by default. Legacy scp/rcp performs wildcard expansion of remote filenames (e.g. "scp host:* .") through the remote shell. This has the side effect of requiring double quoting of shell meta-characters in file names included on scp(1) command-lines, otherwise they could be interpreted as shell commands on the remote side. This creates one area of potential incompatibility: scp(1) when using the SFTP protocol no longer requires this finicky and brittle quoting, and attempts to use it may cause transfers to fail. We consider the removal of the need for double-quoting shell characters in file names to be a benefit and do not intend to introduce bug-compatibility for legacy scp/rcp in scp(1) when using the SFTP protocol. Another area of potential incompatibility relates to the use of remote paths relative to other user's home directories, for example - "scp host:~user/file /tmp". The SFTP protocol has no native way to expand a ~user path. However, sftp-server(8) in OpenSSH 8.7 and later support a protocol extension "expand-path@openssh.com" to support this. In case of incompatibility, the scp(1) client may be instructed to use the legacy scp/rcp using the -O flag.
openssh (1:8.8p1-1) unstable; urgency=medium
  OpenSSH 8.8 includes a number of changes that may affect existing configurations:
  * This release disables RSA signatures using the SHA-1 hash algorithm by default. This change has been made as the SHA-1 hash algorithm is cryptographically broken, and it is possible to create chosen-prefix hash collisions for <USD$50K. For most users, this change should be invisible and there is no need to replace ssh-rsa keys. OpenSSH has supported RFC8332 RSA/SHA-256/512 signatures since release 7.2 and existing ssh-rsa keys will automatically use the stronger algorithm where possible. Incompatibility is more likely when connecting to older SSH implementations that have not been upgraded or have not closely tracked improvements in the SSH protocol. For these cases, it may be necessary to selectively re-enable RSA/SHA1 to allow connection and/or user authentication via the HostkeyAlgorithms and PubkeyAcceptedAlgorithms options. For example, the following stanza in ~/.ssh/config will enable RSA/SHA1 for host and user authentication for a single destination host:
        Host old-host
            HostkeyAlgorithms +ssh-rsa
            PubkeyAcceptedAlgorithms +ssh-rsa
    We recommend enabling RSA/SHA1 only as a stopgap measure until legacy implementations can be upgraded or reconfigured with another key type (such as ECDSA or Ed25519).
openssh (1:8.7p1-1) unstable; urgency=medium
  OpenSSH 8.7 includes a number of changes that may affect existing configurations:
  * scp(1): this release changes the behaviour of remote to remote copies (e.g. "scp host-a:/path host-b:") to transfer through the local host by default. This was previously available via the -3 flag. This mode avoids the need to expose credentials on the origin hop, avoids triplicate interpretation of filenames by the shell (by the local system, the copy origin and the destination) and, in conjunction with the SFTP support for scp(1) mentioned below, allows use of all authentication methods to the remote hosts (previously, only non-interactive methods could be used). A -R flag has been added to select the old behaviour.
  * ssh(1)/sshd(8): both the client and server are now using a stricter configuration file parser. The new parser uses more shell-like rules for quotes, space and escape characters. It is also more strict in rejecting configurations that include options lacking arguments. Previously some options (e.g. DenyUsers) could appear on a line with no subsequent arguments. This release will reject such configurations. The new parser will also reject configurations with unterminated quotes and multiple '=' characters after the option name.
  * ssh(1): when using SSHFP DNS records for host key verification, ssh(1) will verify all matching records instead of just those with the specific signature type requested. This may cause host key verification problems if stale SSHFP records of a different or legacy signature type exist alongside other records for a particular host. bz#3322
  * ssh-keygen(1): when generating a FIDO key and specifying an explicit attestation challenge (using -Ochallenge), the challenge will now be hashed by the builtin security key middleware. This removes the (undocumented) requirement that challenges be exactly 32 bytes in length and matches the expectations of libfido2.
  * sshd(8): environment="..." directives in authorized_keys files are now first-match-wins and limited to 1024 discrete environment variable names.
  OpenSSH 8.5 includes a number of changes that may affect existing configurations:
  * ssh(1), sshd(8): this release changes the first-preference signature algorithm from ECDSA to ED25519.
  * ssh(1), sshd(8): set the TOS/DSCP specified in the configuration for interactive use prior to TCP connect. The connection phase of the SSH session is time-sensitive and often explicitly interactive. The ultimate interactive/bulk TOS/DSCP will be set after authentication completes.
  * ssh(1), sshd(8): remove the pre-standardization cipher rijndael-cbc@lysator.liu.se. It is an alias for aes256-cbc before it was standardized in RFC4253 (2006), has been deprecated and disabled by default since OpenSSH 7.2 (2016) and was only briefly documented in ssh.1 in 2001.
  * ssh(1), sshd(8): update/replace the experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime coupled with X25519. The previous sntrup4591761x25519-sha512@tinyssh.org method is replaced with sntrup761x25519-sha512@openssh.com. Per its designers, the sntrup4591761 algorithm was superseded almost two years ago by sntrup761. (note this both the updated method and the one that it replaced are disabled by default)
  * ssh(1): disable CheckHostIP by default. It provides insignificant benefits while making key rotation significantly more difficult, especially for hosts behind IP-based load-balancers.
rsync (3.2.3-5) unstable; urgency=medium
  The --copy-devices option has been reintroduced, it was previously removed in favor of the new one --write-devices, but it turns out they are not equivalent enough and upstream is providing the copy-devices patch on rsync-patches. Please beware that although the --copy-devices option is provided by upstream, it is not part of the official rsync package and it could be dropped or changed in ways that are not backwards compatible, though this would only happen between Debian releases. That being said, we will not drop this option from the Debian packaging as long as upstream keeps providing the patch under rsync-patches.
pyjwt (2.1.0-1) unstable; urgency=medium
  Commandline script was removed upstream and there is not an alternative. Who needs it should write something to cover the features they were using.
https://www.debian.org/releases/bookworm/amd64/release-notes/ch-upgrading.de.html