-
-
Save tobiasmuecksch/2573f198622bc46fa35d3e78b10bcf1d to your computer and use it in GitHub Desktop.
Migration from Debian Buster to Bullseye
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Please also refer to http://www.debian.org/releases/bullseye/releasenotes and use your brain! If you can’t figure out what one of the commands below does, this is not for you. Expert mode only :) | |
# Crossgrading ?!? | |
[ "$(dpkg --print-architecture)" == "i386" ] && echo "How about crossgrading to amd64 as described in https://stbuehler.de/blog/article/2017/06/28/debian_buster__upgrade_32-bit_to_64-bit.html?" | |
# upgrade to UTF-8 locales (http://www.debian.org/releases/bullseye/amd64/release-notes/ap-old-stuff.en.html#switch-utf8) | |
dpkg-reconfigure locales | |
# remove unused config file | |
rm -rf /etc/network/options /etc/environment | |
# are there 3rd party packages installed? (https://www.debian.org/releases/bullseye/amd64/release-notes/ch-upgrading.de.html#system-status) | |
aptitude search '~i(!~ODebian)' | |
# check for ftp protocol in sources lists (https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.en.html#deprecation-of-ftp-apt-mirrors) | |
rgrep --color "deb ftp" /etc/apt/sources.list* | |
# Transition and remove entries from older releases | |
sed -i /lenny/d /etc/apt/sources.list* | |
sed -i /sarge/d /etc/apt/sources.list* | |
sed -i /squeeze/d /etc/apt/sources.list* | |
sed -i /wheezy/d /etc/apt/sources.list* | |
sed -i /jessie/d /etc/apt/sources.list* | |
sed -i /volatile/d /etc/apt/sources.list* | |
sed -i /proposed-updates/d /etc/apt/sources.list* | |
# change distro (please move 3rd party sources to /etc/apt/sources.list.d/), maybe look into http://ftp.cyconet.org/debian/sources.list.d/ | |
sed -i s/buster/bullseye/g /etc/apt/sources.list* | |
sed -i "s/ stable/ bullseye/g" /etc/apt/sources.list* | |
sed -i s/buster/bullseye/g /etc/apt/preferences* | |
sed -i s/buster/bullseye/g /etc/apt/sources.list.d/*buster* | |
# Fix secuity suite (https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information#security-archive) | |
sed -i "s/bullseye\/updates/bullseye-security/" /etc/apt/sources.list* | |
rename.ul buster bullseye /etc/apt/sources.list.d/*buster* | |
rgrep --color buster /etc/apt/sources.list* | |
apt update | |
# check package status | |
dpkg --audit | |
aptitude search "~ahold" | grep "^.h" | |
dpkg --get-selections | grep hold | |
dpkg --get-selections "*" > ~/curr-pkgs.txt | |
# unmark packages auto | |
aptitude unmarkauto vim net-tools && \ | |
aptitude unmarkauto libapache2-mpm-itk && \ | |
aptitude unmarkauto monitoring-plugins-contrib && \ | |
aptitude unmarkauto $(dpkg-query -W 'linux-image-4.19.0*' | cut -f1) | |
# have a look into required and free disk space | |
apt-get -o APT::Get::Trivial-Only=true dist-upgrade || df -h | |
# purge already remove packages | |
apt purge $(dpkg -l | awk '/^rc/ { print $2 }') | |
# check for a linux-image meta package | |
dpkg -l "linux-image*" | grep ^ii | grep -i meta || echo "Please have a look into https://www.debian.org/releases/bullseye/amd64/release-notes/ch-upgrading.en.html#kernel-metapackage!" | |
# record session | |
script -t 2>~/upgrade-bullseye.time -a ~/upgrade-bullseye.script | |
# install our preseed so libc doesn't whine | |
cat > /tmp/buster.preseed <<EOF | |
libc6 glibc/upgrade boolean true | |
libc6 glibc/restart-services string | |
libc6 libraries/restart-without-asking boolean true | |
EOF | |
/usr/bin/debconf-set-selections /tmp/buster.preseed | |
# transition sshd port changes and adjusted authkeyfile before starting the update | |
if [ ! -d /etc/ssh/sshd_config.d ]; then mkdir -p /etc/ssh/sshd_config.d; fi | |
if [ ! $(grep ^Port /etc/ssh/sshd_config | tee /etc/ssh/sshd_config.d/port.conf | wc -l) -gt 0 ]; then rm /etc/ssh/sshd_config.d/port.conf; fi | |
if [ ! $(grep ^AuthorizedKeysFile /etc/ssh/sshd_config | tee /etc/ssh/sshd_config.d/authorizedkeysfile.conf | wc -l) -gt 0 ]; then rm /etc/ssh/sshd_config.d/authorizedkeysfile.conf ; fi | |
# transition ssh changes | |
if [ ! -d /etc/ssh/ssh_config.d ]; then mkdir -p /etc/ssh/ssh_config.d; fi | |
if [ ! $(grep "^ *Port" /etc/ssh/ssh_config | tee /etc/ssh/ssh_config.d/port.conf | wc -l) -gt 0 ]; then rm /etc/ssh/ssh_config.d/port.conf; fi | |
# update aptitude and apt first | |
[ "$(which aptitude)" = "/usr/bin/aptitude" ] && apt install aptitude && \ | |
[ "$(which apt)" = "/usr/bin/apt" ] && apt install apt | |
# minimal system upgrade | |
apt upgrade --without-new-pkgs | |
# (re)enable wheel | |
if [ -f /etc/pam.d/su.dpkg-new ]; then CFG=/etc/pam.d/su.dpkg-new; else CFG=/etc/pam.d/su; fi | |
sed -i "s/# auth required pam_wheel.so/auth required pam_wheel.so/" $CFG | |
# chrony update, modify the new config to our needs and place it where it is expected. | |
if [ ! -d /etc/chrony/conf.d/ ]; then mkdir -p /etc/chrony/conf.d/; fi; echo "pool 0.de.pool.ntp.org iburst" > /etc/chrony/conf.d/pool.conf | |
# full-upgrade | |
apt full-upgrade | |
# (re)configure snmpd | |
COMMUNITY="$(grep ^rocommunity /etc/snmp/snmpd.conf | cut -d" " -f2)"; \ | |
if [ -f /etc/snmp/snmpd.conf.dpkg-new ]; then CFG=/etc/snmp/snmpd.conf.dpkg-new; \ | |
else CFG=/etc/snmp/snmpd.conf; fi | |
sed -i "s/^agentaddress.*/agentaddress udp:161,udp6:[::1]:161/g" $CFG | |
sed -i "s/public default.*/$COMMUNITY default/g" $CFG | |
grep ^extend /etc/snmp/snmpd.conf >> $CFG | |
# reintroduce our own bridge script in xen | |
SCRIPT="$(grep ^vif.default.script /etc/xen/xl.conf)"; \ | |
if [ ${SCRIPT} ]; then sed -i "s/#\?vif.default.script=.*/$SCRIPT/g" /etc/xen/xl.conf.dpkg-new; fi | |
# migrate unattended-upgrades config, modify the new config to our needs and place it where it is expected. | |
# Keep LOCAL config if asked when upgrading (and run this snippet afterwards, when dpkg is not blocked anymore and choose 'package maintainer version' then, cause this is the one we are adjusting here) | |
if [ -f /etc/apt/apt.conf.d/50unattended-upgrades.ucf-old ]; then CFG=/etc/apt/apt.conf.d/50unattended-upgrades.ucf-old; else CFG=/etc/apt/apt.conf.d/50unattended-upgrades; fi && \ | |
cp /usr/share/unattended-upgrades/50unattended-upgrades /tmp/ && \ | |
MAIL=$(grep ^Unattended-Upgrade::Mail $CFG | awk -F\" '{print $2}'); sed -i 's#//Unattended-Upgrade::Mail ".*";#Unattended-Upgrade::Mail "'${MAIL}'";#g' /tmp/50unattended-upgrades && \ | |
TIME=$(grep ^Unattended-Upgrade::Automatic-Reboot-Time $CFG | awk -F\" '{print $2}'); if [ "${TIME}" != "" ]; then sed -i 's#//Unattended-Upgrade::Automatic-Reboot-Time "02:00"#Unattended-Upgrade::Automatic-Reboot-Time "'${TIME}'"#' /tmp/50unattended-upgrades; fi | |
sed -i 's#// "origin=Debian,codename=${distro_codename}-updates"# "origin=Debian,codename=${distro_codename}-updates"#' /tmp/50unattended-upgrades && \ | |
sed -i 's#//Unattended-Upgrade::Remove-Unused-Dependencies "false"#Unattended-Upgrade::Remove-Unused-Dependencies "true"#' /tmp/50unattended-upgrades && \ | |
sed -i 's#//Unattended-Upgrade::Automatic-Reboot "false"#Unattended-Upgrade::Automatic-Reboot "true"#' /tmp/50unattended-upgrades && \ | |
sed -i '/codename=..distro_codename.-updates/ s#^//# #' /tmp/50unattended-upgrades && \ | |
sed -i 's#//Unattended-Upgrade::MailReport "on-change"#Unattended-Upgrade::MailReport "on-change"#' /tmp/50unattended-upgrades && \ | |
/bin/bash /usr/bin/ucf --three-way --debconf-ok /tmp/50unattended-upgrades /etc/apt/apt.conf.d/50unattended-upgrades && \ | |
[ "$CFG" == "/etc/apt/apt.conf.d/50unattended-upgrades.ucf-old" ] && mv $CFG /etc/apt/apt.conf.d/50unattended-upgrades.ucf-save | |
# Migrate (webserver) from php7.3 to php7.4 | |
apt install $(dpkg -l |grep php7.3 | awk '/^i/ { print $2 }' |grep -v ^php7.3-opcache |sed s/php7.3/php/) | |
[ -L /etc/apache2/mods-enabled/mpm_prefork.load ] && a2dismod php7.3 && a2enmod php7.4 && systemctl restart apache2; ls -la /etc/php/7.3/*/conf.d/ | |
# php-fpm | |
tail -10 /etc/php/7.3/fpm/pool.d/www.conf | |
vi /etc/php/7.4/fpm/pool.d/www.conf | |
systemctl disable php7.3-fpm && systemctl stop php7.3-fpm && systemctl restart php7.4-fpm | |
# nginx | |
rename s/php73/php74/g /etc/nginx/conf.d/*php73*.conf | |
sed -i s/php7.3-fpm/php7.4-fpm/g /etc/nginx/conf.d/*.conf /etc/nginx/snippets/*.conf /etc/nginx/sites-available/* | |
systemctl restart nginx | |
# transition docker-ce to bullseye package | |
DOCKER_VER="$(apt-cache policy docker-ce | grep debian-bullseye | head -1 | awk '{print $1}')" && [ -n "${DOCKER_VER}" ] && apt install docker-ce=${DOCKER_VER} docker-ce-cli=${DOCKER_VER} | |
# transition icingaweb2 to bullseye package | |
ICINGAWEB2_VER="$(apt-cache policy icingaweb2 | grep "\.bullseye" | head -1 | awk '{print $1}')" && [ -n "${ICINGAWEB2_VER}" ] && apt install icingaweb2=${ICINGAWEB2_VER} icingaweb2-common=${ICINGAWEB2_VER} icingaweb2-module-monitoring=${ICINGAWEB2_VER} php-icinga=${ICINGAWEB2_VER} icingacli=${ICINGAWEB2_VER} | |
# transition icinga2 to bullseye packages | |
apt-get install $(dpkg -l | grep icinga2 | grep -v common | awk '{print $2"/icinga-bullseye"}') | |
# Mitigate #991235 (fail2ban and bsd-mailx) | |
if [ $(dpkg -l | grep -cE "(bsd-mailx|fail2ban)") -ge 2 ]; then sed -i "s/mail -E 'set escape'/mail/g" /etc/fail2ban/action.d/mail*.conf && service fail2ban reload; fi | |
# Remove libgcc1 so cpp-8 can be updated | |
apt remove libgcc1 && apt full-upgrade | |
# remove old squeeze packages left around (keep eyes open!) | |
apt autoremove && \ | |
apt purge $(aptitude search ?obsolete | grep -v -E 'linux-image|mailscanner|check-openmanage|check-linux-bonding|webalizer|icinga' | awk '/^i *A/ { print $3 }') && \ | |
apt purge $(aptitude search ?obsolete | grep -v -E 'linux-image|mailscanner|check-openmanage|check-linux-bonding|webalizer|icinga' | awk '/^i/ { print $2 }') && \ | |
apt purge $(dpkg -l | grep etch | grep -v xen | grep -v unbound | grep -v finch | awk '/^rc/ { print $2 }') && \ | |
apt purge $(dpkg -l | grep lenny | grep -v xen | awk '/^rc/ { print $2 }') && \ | |
apt purge $(dpkg -l | grep -E 'deb6|squeeze' | grep -v xen | awk '/^rc/ { print $2 }') && \ | |
apt purge $(dpkg -l | grep -E 'deb7|wheezy' | grep -v xen | grep -v -E 'linux-image|mailscanner|openswan|debian-security-support' | awk '/^rc/ { print $2 }') && \ | |
apt purge $(dpkg -l | grep -E 'deb8|jessie' | grep -v xen | grep -v -E 'linux-image|debian-security-support' | awk '{ print $2 }') && \ | |
apt purge $(dpkg -l | grep -E 'deb9|stretch' | grep -v xen | grep -v -E 'linux-image|debian-security-support|icinga2|phpmyadmin' | awk '{ print $2 }') && \ | |
apt purge $(dpkg -l | grep -E 'deb10|buster' | grep -v xen | grep -v -E 'linux-image|debian-security-support|icinga2|phpmyadmin' | awk '{ print $2 }') && \ | |
apt -y install deborphan && apt purge $(deborphan | grep -v xen | grep -v -E 'libpam-cracklib|libapache2-mpm-itk') | |
apt purge $(dpkg -l | awk '/^rc/ { print $2 }') | |
# for the brave YoloOps crowd | |
reboot && sleep 180; echo u > /proc/sysrq-trigger ; sleep 2 ; echo s > /proc/sysrq-trigger ; sleep 2 ; echo b > /proc/sysrq-trigger | |
### not needed until now | |
# randomize crontab | |
if [ -f /etc/crontab.dpkg-new ]; then CFG=/etc/crontab.dpkg-new; else CFG=/etc/crontab; fi | |
sed -i 's#root cd#root perl -e "sleep int(rand(300))" \&\& cd#' $CFG | |
sed -i 's#root\ttest#root\tperl -e "sleep int(rand(3600))" \&\& test#' $CFG | |
## phpmyadmin | |
if [ -f /etc/phpmyadmin/config.inc.php.dpkg-new ]; then CFG=/etc/phpmyadmin/config.inc.php.dpkg-new; \ | |
else CFG=/etc/phpmyadmin/config.inc.php; fi | |
sed -i "s/\['auth_type'\] = 'cookie'/\['auth_type'\] = 'http'/" $CFG | |
sed -i "s#//\$cfg\['Servers'\]\[\$i\]\['auth_type'\] = 'http';#\$cfg['Servers'][\$i]['auth_type'] = 'http';#" $CFG | |
# Update old postfix configurations | |
cp /etc/postfix/main.cf /tmp/main.cf && \ | |
if [ $(postconf -n smtpd_relay_restrictions | wc -l) -eq 0 ]; then sed -i '/^myhostname.*/i smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination' /etc/postfix/main.cf; fi && \ | |
if [ -z $(postconf -nh compatibility_level) ]; then sed -iE 's/^readme_directory = no/readme_directory = no\n\n# See http:\/\/www.postfix.org\/COMPATIBILITY_README.html -- default to 2 on\n# fresh installs.\ncompatibility_level = 2\n\n/' /etc/postfix/main.cf; fi && \ | |
diff -Nur /tmp/postfix/main.cf /etc/postfix/main.cf && \ | |
postfix reload | |
# Upgrade postgres | |
# See also https://www.debian.org/releases/buster/amd64/release-notes/ch-information.de.html#plperl | |
if [ "$(dpkg -l | grep "postgresql-9.4" | awk {'print $2'})" = "postgresql-9.4" ]; then \ | |
apt install postgresql-9.6 && \ | |
pg_dropcluster --stop 9.6 main && \ | |
/etc/init.d/postgresql stop && \ | |
pg_upgradecluster -v 9.6 9.4 main && \ | |
sed -i "s/^manual/auto/g" /etc/postgresql/9.6/main/start.conf && \ | |
sed -i "s/^port = .*/port = 5432/" /etc/postgresql/9.6/main/postgresql.conf && \ | |
sed -i "s/^shared_buffers = .*/shared_buffers = 128MB/" /etc/postgresql/9.6/main/postgresql.conf && \ | |
/etc/init.d/postgresql restart; \ | |
fi | |
pg_dropcluster 9.4 main |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment