= Upgrading the Debian Edu main server (TJENER) from Debian Edu squeeze to Debian Edu jessie =

== Services on TJENER ==

The following services / features on TJENER must be functional:

 * LDAP
 * Apache2
 * GOsa²
 * Nagios3
 * Munin
 * DNS
 * DHCP
 * Samba
 * Squid3
 * Debian PXE Installer
 * Exim4
  * local mail delivery from TJENER to TJENER
  * network mail delivery from Edu clients to TJENER
 * Dovecot
  * access via mail client (IMAPS)
 * ...

== Preparations ==

 * Perform a manual dump of your LDAP database (in case things fail on the way):{{{
root@tjener:~# slapcat > /root/slapcat-$(date +%Y%m%d%H%M%S).ldif
}}}
 * Back up the complete TJENER system (so that you can completely restore the old state from backup, if needed).
 * Back up the {{{/etc/}}} configuration files and have them at hand when fixing various service settings once packages have been upgraded to Debian jessie state.

== Package Upgrades ==

=== to Debian (Edu) wheezy ===

 * Update {{{/etc/apt/sources.list}}} and individual configurations in {{{/etc/apt/sources.list.d/}}}, so that packages for Debian wheezy will get installed with the next upgrade / dist-upgrade.
 * Run upgrade and dist-upgrade in two steps:{{{
root@tjener:~# apt-get upgrade
root@tjener:~# apt-get dist-upgrade
}}}
 * Reboot into the new Debian wheezy system; ignore it if some services are broken / non-functional.

=== to Debian (Edu) jessie ===

 * Update {{{/etc/apt/sources.list}}} and individual configurations in {{{/etc/apt/sources.list.d/}}}, so that packages for Debian jessie will get installed with the next upgrade / dist-upgrade.
 * Run upgrade and dist-upgrade in two steps:{{{
root@tjener:~# apt-get upgrade
root@tjener:~# apt-get dist-upgrade
}}}
 * Reboot into the new Debian jessie system; ignore it if some services are broken / non-functional.
=== Possible mistakes ===

 * Don't forget the reboot into the Debian wheezy system, because you will run into trouble when upgrading the {{{udev}}} package from wheezy to jessie if you are still running the 2.6.32 Linux kernel from Debian squeeze.

=== Update command-not-found database ===

Make sure that the command-not-found tool is aware of commands/applications available in Debian jessie:{{{
root@tjener:~# update-command-not-found
}}}

== Fixing the TJENER setup after package upgrade ==

The Debian Edu mainserver is not easily upgradable, because the mainserver installation process in Debian Edu makes many modifications to the plain Debian system.

=== Fix UDP checksumming when on KVM (virtio_net) ===

If the Debian Edu mainserver TJENER runs in KVM and uses the {{{virtio_net}}} driver, you may want to disable checksum off-loading (see [[https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=717215|[1]]] and [[https://forge.univention.org/bugzilla/show_bug.cgi?id=33160|[2]]] for details):{{{
auto eth0
iface eth0 inet static
    address 10.0.2.2
    netmask 255.0.0.0
    broadcast 10.255.255.255
    gateway 10.0.0.1
    # disable checksum off-loading
    pre-up ethtool -K eth0 tx off
}}}

Alternatively, use the e1000 driver / virtual NIC in KVM.

'''Note:''' Disabling checksum off-loading is especially important for machines running {{{isc-dhcp-server}}}, but you should consider it helpful (or switching to e1000) for all KVM instances.

=== Fix DNS server (bind9) ===

During the upgrade process, the DNS server configuration (synced into text files from LDAP) gets lost. You need to rebuild the DNS server configuration files from LDAP manually.

 * Add {{{10.0.2.2 ldap.intern}}} to {{{/etc/hosts}}} temporarily.
 * Add {{{BIND_DATA="/etc/bind"}}} at the end of {{{/etc/default/ldap2zone}}}.
 * Rebuild the DNS configuration (in {{{/etc/bind}}}) via the {{{ldap2bind}}} command:{{{
root@tjener:~# su -s /bin/bash - bind
bind@tjener:~$ PATH=/sbin:/bin:/usr/sbin:/usr/bin /usr/sbin/ldap2bind
}}}

=== Fix Apache2 Setup ===

The next step is getting the Apache2 setup fixed, so you can regain access to GOsa² installed on TJENER:

 * Remove dangling symlinks in {{{/etc/apache2/sites-enabled}}} related to Debian Edu:{{{
root@tjener:~# rm -f /etc/apache2/sites-enabled/debian-edu-*default
}}}
 * Create proper symlinks (having a trailing {{{.conf}}} in the symlink name) via the {{{a2ensite}}} utility:{{{
root@tjener:~# a2ensite debian-edu-default
root@tjener:~# a2ensite debian-edu-ssl-default
}}}
 * Don't forget to restart Apache2:{{{
root@tjener:~# invoke-rc.d apache2 restart
}}}

=== Fix GOsa² binding to LDAP ===

Once Apache2 is up and running again, you may want to access GOsa² to check if your LDAP tree is still in shape after the upgrade (it surely will be).

However, accessing GOsa² results in this message after a fresh squeeze to jessie upgrade:

{{{
Schwerer Fehler
Fehler beim Verbinden mit dem LDAP-Server: Could not bind to cn=gosa-admin,ou=ldap-access,dc=skole,dc=skolelinux,dc=no (während der Arbeit auf LDAP-Server 'ldap://ldap.intern')
Bitte beheben Sie obigen Fehler und laden die Seite neu.
}}}

Two steps are required to get this issue fixed:

 * Fix {{{/etc/gosa/gosa.secrets}}} with this command:{{{
root@tjener:~# sed -e 's/GOSA_KEY/GOSAKEY/g' -i /etc/gosa/gosa.secrets
}}}
 * Fix {{{/etc/gosa/gosa.conf}}} manually after the upgrade. In your new (i.e., jessie'ish) {{{gosa.conf}}} file you are likely to find {{{$GOSAPWD}}} as the {{{adminPassword}}} and {{{snapshotAdminPassword}}} values. This is, of course, wrong: the {{{$GOSAPWD}}} variable is only used while boot-strapping the Debian Edu mainserver at installation time.
 Steps to get this variable replaced by the original hashed password string:
  * Get {{{/etc/gosa/gosa.conf}}} from the configuration backup you took earlier.
  * Search for the string "adminPassword" in that configuration and obtain the hash referenced there as its value.
  * Replace {{{$GOSAPWD}}} by that hash:{{{
root@tjener:~# sed -e 's/$GOSAPWD/
}}}
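
The three steps above as one script. This is an added example, not part of the original page or of Debian Edu. The function names are hypothetical, and it assumes the value is stored as an XML attribute of the form {{{adminPassword="..."}}}.

```bash
#!/bin/bash
# Added example: put the backed-up GOsa admin credential back into the
# upgraded gosa.conf. Function names are hypothetical.
# Assumption: values are XML attributes of the form adminPassword="...".

# Print the first adminPassword="..." value found in file $1. The match is
# case-sensitive, so snapshotAdminPassword="..." is not picked up.
gosa_backup_hash() {
    sed -n 's/.*adminPassword="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Replace every literal $GOSAPWD in file $2 by the value from backup file $1.
gosa_restore_pwd() {
    local backup=$1 target=$2 pw esc tmp rc
    pw=$(gosa_backup_hash "$backup")
    # Stop if the backup has no value or only the installer placeholder.
    if [ -z "$pw" ] || [ "$pw" = '$GOSAPWD' ]; then
        echo "no usable adminPassword value in $backup" >&2
        return 1
    fi
    # Escape what is special in a sed replacement: backslash, '&' and the
    # '|' delimiter used below ('/' is common in encoded values).
    esc=$(printf '%s' "$pw" | sed -e 's/[\\&|]/\\&/g')
    tmp=$(mktemp) || return 1      # mktemp creates the file with mode 0600
    # Write through the existing file so its owner and mode are preserved.
    sed -e 's|\$GOSAPWD|'"$esc"'|g' "$target" > "$tmp" && cat "$tmp" > "$target"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Stand-alone use: script.sh <backup gosa.conf> <upgraded gosa.conf>
if [ "$#" -eq 2 ]; then
    gosa_restore_pwd "$1" "$2"
fi
```

Run it as root with the backed-up file first and {{{/etc/gosa/gosa.conf}}} second, then confirm that {{{grep GOSAPWD /etc/gosa/gosa.conf}}} prints nothing.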