Debian releases tend to each have a good few years of security support. But even Debian distros eventually need to be dist-upgraded to the new releases.
This is reasonably straightforward with Debian. The issues that do crop up are typically standard (distro provided) config files that you have edited (you need to decide whose version to use). And sometimes there are issues around webapps or custom software where that software does not work with the new software (e.g. newer PHP) on the new distros.
There are a few steps to dist-upgrading a Debian server. We have automated those in our distrorejuve script on GitHub.
To do an automated dist-upgrade:
Take a snapshot backup of your VM.
Restart your server with a new (4.14 or newer) kernel at our kernel page.
Download and run the distrorejuve script:
wget -O distrorejuve.sh --no-check-certificate https://raw.githubusercontent.com/pbkwee/distrorejuve/master/distrorejuve.sh
sudo bash -x distrorejuve.sh --dist-upgrade | tee -a ~/distrorejuve.log | egrep -v '^\+'
This script will add Debian GPG keys, update your sources.list with the new repositories, add support for LTS repositories where applicable (e.g. with squeeze), and report config file conflicts.
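The wget command above passes --no-check-certificate, so the download is not authenticated by TLS, and the script is then run as root. One way to gate that step, as an added example (not part of distrorejuve or the original page): fetch with certificate checking left on and run only a copy whose SHA-256 matches the value you recorded when you read the script. The function names and the REVIEWED_SHA256 placeholder are assumptions.

```shell
#!/bin/sh
# Added example, not part of distrorejuve. REVIEWED_SHA256 is a placeholder:
# record the real value yourself (sha256sum distrorejuve.sh) after reading the script.
URL=https://raw.githubusercontent.com/pbkwee/distrorejuve/master/distrorejuve.sh
REVIEWED_SHA256=PLACEHOLDER_RECORD_AFTER_REVIEW

# Download with wget's certificate verification left enabled (its default).
fetch_script() {
    wget -O "$1" "$URL"
}

# matches_review FILE SHA256 -> 0 only if FILE exists and hashes to SHA256.
matches_review() (
    [ -f "$1" ] || { echo "missing file: $1" >&2; exit 2; }
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ] && exit 0
    echo "checksum mismatch for $1 (got $actual)" >&2
    exit 1
)

# run_reviewed FILE SHA256 [ARGS...] -> runs FILE with bash only when the hash matches.
# Real use (as root): fetch_script distrorejuve.sh &&
#   run_reviewed distrorejuve.sh "$REVIEWED_SHA256" --dist-upgrade
run_reviewed() {
    file=$1 sum=$2
    shift 2
    matches_review "$file" "$sum" || return 1
    bash "$file" "$@"
}

# Constructed demo: a stand-in script in a temp dir, no network, no root needed.
demo() (
    dir=$(mktemp -d) || exit 1
    printf 'echo "upgrade would start here: $*"\n' > "$dir/s.sh"
    good=$(sha256sum "$dir/s.sh" | cut -d' ' -f1)
    run_reviewed "$dir/s.sh" "$good" --dist-upgrade
    echo 'echo tampered' >> "$dir/s.sh"          # file changed after review
    run_reviewed "$dir/s.sh" "$good" --dist-upgrade 2>/dev/null || echo "refused changed copy"
    rm -rf "$dir"
)
demo
```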
Expect the upgrade to take an hour or two. After the upgrade expect to spend 'a bit of time' fiddling with configs and testing things.
If you get stuck, or would prefer RimuHosting support to run the dist-upgrade, just pop in a support ticket and ask us to perform the sysadmin work.
The upgrade process typically requires some downtime, and requires you to perform checks and config tweaks. So in some cases it may be preferable to install a new server and migrate your apps to that. Or you could clone the VM (via VM ordering and install process) and run the upgrade on the clone. After the clone is upgraded and you are happy it is working as you expect, you can either change DNS settings to point to the new IP, or overwrite the original VM with the upgraded VM (to retain the IP address).
Note that this should only be done over single releases (i.e. don't go from Squeeze straight to Jessie).
On Debian? What does cat /etc/debian_version say?
3.x is Woody
3.x is Sarge
4.x is Etch
5.x is Lenny
6.x is Squeeze
7.x is Wheezy
8.x is Jessie
9.x is Stretch
10.x is Buster
11.x is Bullseye (current old stable)
12.x is Bookworm (current stable)
The current stable is always here. The official upgrade guide is here.
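The single-release rule and the version table above can be checked before touching sources.list. This added example (not RimuHosting's or Debian's tooling) turns the contents of /etc/debian_version into a one-hop plan and previews the sources.list change without writing it. The function names are assumptions, and 3.x is rejected because the table lists it twice.

```shell
#!/bin/sh
# Added example: plan exactly one release hop from /etc/debian_version.
# Codenames come from the table above; nothing here writes to the system.

codename_for_major() {
    case "$1" in
        4) echo etch ;;     5) echo lenny ;;     6) echo squeeze ;;
        7) echo wheezy ;;   8) echo jessie ;;    9) echo stretch ;;
        10) echo buster ;;  11) echo bullseye ;; 12) echo bookworm ;;
        *) return 1 ;;      # also 3.x, which the table lists twice
    esac
}

# next_hop VERSION -> prints "current next". Fails on non-numeric versions
# (testing/unstable report e.g. "bookworm/sid") and past the end of the table.
next_hop() (
    major=${1%%.*}
    case "$major" in
        ''|*[!0-9]*) echo "unrecognised version: $1" >&2; exit 1 ;;
    esac
    cur=$(codename_for_major "$major") || { echo "unknown release: $1" >&2; exit 1; }
    nxt=$(codename_for_major $((major + 1))) ||
        { echo "no later release listed after $cur" >&2; exit 1; }
    echo "$cur $nxt"
)

# preview_sources FILE CUR NXT -> prints FILE with CUR replaced by NXT.
# Refuses when active lines name any other release (already a mixed system).
preview_sources() (
    for m in 4 5 6 7 8 9 10 11 12; do
        c=$(codename_for_major "$m")
        [ "$c" = "$2" ] && continue
        if grep -v '^[[:space:]]*#' "$1" | grep -qw "$c"; then
            echo "$1 also references $c; resolve that first" >&2; exit 1
        fi
    done
    sed "s/$2/$3/g" "$1"
)

# Constructed demo input; on a server use "$(cat /etc/debian_version)".
demo() (
    f=$(mktemp) || exit 1
    printf 'deb http://ftp.us.debian.org/debian/ wheezy main\n' > "$f"
    plan=$(next_hop 7.11) || exit 1
    set -- $plan
    preview_sources "$f" "$1" "$2"
    rm -f "$f"
)
demo
```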
By default, systemd will rename the network interface from eth0 to a different name. To prevent this, run the following commands before the upgrade:
mkdir -p /etc/systemd/network
ln -s /dev/null /etc/systemd/network/99-default.link
We recommend rebooting with our default-6.1 kernel once this upgrade is completed.
ref https://www.debian.org/releases/stable/amd64/release-notes/ch-information.en.html
Issues we are aware of:
- Update to our default 4.19 kernel, to match the distribution release kernel version. Some packages (such as MySQL/MariaDB) may not perform predictably under older kernels.
- The monit and phpmyadmin packages are missing from the buster release, but may be included in the Debian backports repository once related packaging issues are resolved. Our support team can help to install these manually if you need them, or suggest alternatives.
- Python 2.7 support is now only very minimal; buster comes with Python 3.7 by default.
- PostgreSQL databases should be reindexed following an upgrade, e.g. with 'sudo -u postgres reindexdb --all'
- You may want to run 'sudo bash distrorejuve.sh --remove-deprecated-packages' to clean up some leftover packages
So far this seems to be reasonably painless.
Known issues:
- Changes in glibc and the kernel mean some third party applications from *really* old installs of Debian may no longer work normally.
- Installs of the current Webmin version 0.850 and earlier (including Virtualmin) cannot issue or renew Let's Encrypt certificates.
If you are running Virtualmin check out these upgrade notes.
Firstly update the sources.list file:
sed -i 's/wheezy/jessie/g' /etc/apt/sources.list
Update the package list:
apt-get update
A minimal system upgrade first:
apt-get upgrade
Then do the full upgrade:
apt-get dist-upgrade
Jessie uses systemd, which means it needs a kernel with cgroups support. Our current 4.4 (or newer) kernels work just fine.
Apache has been updated from version 2.2 to version 2.4. This means there are some configuration changes that will probably need attention. E.g. MaxClients is gone, use MaxRequestWorkers and related directives instead. Also the allow/deny syntax has changed.
There is an issue with quotas: the workaround of leaving the symlink to /dev/root does not work anymore, as the symlink gets removed. To solve this, edit the systemd unit file /etc/systemd/system/sysinit.target.wants/quota.service and add the line:
ExecStartPre=/bin/ln -s /dev/xvda1 /dev/root
If you encounter any upgrade issues that might be useful to mention here, please let us know.
You should take a look at the official upgrade page mentioned above, but it is essentially the same process as for all versions. If you are running Virtualmin check out these notes too.
Firstly update the sources.list file:
sed -i 's/squeeze/wheezy/g' /etc/apt/sources.list
Update the package list:
apt-get update
A minimal system upgrade first:
apt-get upgrade
Then do the full upgrade:
apt-get dist-upgrade
Pay attention to the questions the upgrade process might ask. For instance, I saw a question regarding a configuration change for MySQL:
Configuration file `/etc/mysql/my.cnf'
==> Modified (by you or by a script) since installation.
==> Package distributor has shipped an updated version.
What would you like to do about it ? Your options are:
Y or I : install the package maintainer's version
N or O : keep your currently-installed version
D : show the differences between the versions
Z : start a shell to examine the situation
The default action is to keep your current version.
*** my.cnf (Y/I/N/O/D/Z) [default=N] ?
I typed D to check the differences, and in this case there is a deprecated language option being updated:
--- /etc/mysql/my.cnf 2013-05-05 03:45:09.000000000 +0000
+++ /etc/mysql/my.cnf.dpkg-new 2012-06-08 20:25:42.000000000 +0000
@@ -29,7 +29,6 @@
nice = 0
[mysqld]
-bind-address = 127.0.0.1
#
# * Basic Settings
#
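Review bot: the removal of "bind-address = 127.0.0.1" under [mysqld] is the point to settle before answering Y, because nothing in this hunk shows another bind-address directive surviving in the maintainer's file. Read the whole diff with D (or use Z to inspect /etc/mysql/my.cnf.dpkg-new) and confirm the new file still restricts mysqld to 127.0.0.1; if it does not, keep your version with N or re-add the line after installing.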
@@ -40,7 +39,7 @@
basedir = /usr
datadir = /var/lib/mysql
tmpdir = /tmp
-language = /usr/share/mysql/english
+lc-messages-dir = /usr/share/mysql
skip-external-locking
#
# Instead of skip-networking the default is now to listen only on
I went ahead and approved the maintainer version to save that change, by typing Y, since in the MySQL 5.5 documentation it says:
--lc-messages-dir and --lc-messages should be used rather than --language , which is deprecated and handled as an alias ...
Then I went back to add the "bind-address 127.0.0.1"; it turned out that was a duplicate entry and a bind-address directive for localhost was still in place. Where you have made some custom configurations you may just want to take notes on what has changed and see if those make sense for your setup and opt not to use the package maintainer's version.
Finally go to the RimuHosting control panel, find the kernel update page and update the kernel to the one mentioned there for use w/ Wheezy. Changing the kernel there will take care of the reboot needed.
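dpkg only asks a question like the my.cnf one for configuration files that were modified since installation and whose packaged version also changed, so the candidates can be listed before the upgrade starts. An added example (not part of distrorejuve or the original page): it reads dpkg's conffile list and prints the files whose MD5 no longer matches the packaged one. The function name and the sample data are assumptions.

```shell
#!/bin/sh
# Added example: list conffiles changed since installation, i.e. the ones
# dpkg may ask about. Input format: " /path md5 [obsolete]" per line.
# Real use: dpkg-query -W -f='${Conffiles}\n' | modified_conffiles

# modified_conffiles [PREFIX] < conffile-list -> prints changed paths.
# PREFIX is prepended to each path (empty on a live system; used by the demo).
# Paths containing spaces are not handled.
modified_conffiles() {
    while read -r path sum flag; do
        [ -n "$sum" ] || continue                   # blank lines between packages
        [ "$sum" = newconffile ] && continue        # not yet unpacked
        [ "$flag" = obsolete ] && continue          # no longer shipped
        [ -f "${1:-}$path" ] || continue            # deleted locally
        actual=$(md5sum "${1:-}$path" | cut -d' ' -f1)
        [ "$actual" = "$sum" ] || echo "$path"
    done
}

# Constructed demo: two files under a temp root and a hand-made conffile list.
demo() (
    d=$(mktemp -d) || exit 1
    mkdir -p "$d/etc/mysql"
    echo 'bind-address = 127.0.0.1' > "$d/etc/mysql/my.cnf"     # edited locally
    echo 'nice = 0' > "$d/etc/mysql/debian.cnf"                 # untouched
    same=$(md5sum "$d/etc/mysql/debian.cnf" | cut -d' ' -f1)
    # d41d8... is the MD5 of an empty file, used as a constructed "packaged" hash
    printf ' /etc/mysql/my.cnf %s\n /etc/mysql/debian.cnf %s\n' \
        d41d8cd98f00b204e9800998ecf8427e "$same" | modified_conffiles "$d"
    rm -rf "$d"
)
demo
```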
Note the note about not using Aptitude. Seems that application is somewhat deprecated now.
Our test upgrades were run on pretty fresh setups so of course we didn't run into any problems. If you have set up some complex custom applications you may need to take this into consideration when performing a distribution upgrade. If you are running a VPS you can always run a VPS backup before trying to upgrade so that you can roll back easily in case there are any major problems.
If you are still running Lenny, you should update to Squeeze before trying to upgrade to Wheezy. Good idea to update to the latest version of the previous distro before upgrading. Lenny has reached end of life, so you will need to update your repo to point to the archives:
deb http://archive.debian.org/debian/ lenny main non-free contrib
You may see some messages about missing keys, fine to ignore them for now. After updating to the latest packages, clean up the package manager caches.
apt-get update
apt-get upgrade
apt-get clean
Now to dist-upgrade to Squeeze, change your /etc/apt/sources.list to look as follows:
deb http://ftp.us.debian.org/debian/ squeeze main non-free contrib
deb http://security.debian.org/ squeeze/updates main non-free contrib
Then run...
# to minimize all those tedious 'are you sure'? messages.
export DEBIAN_PRIORITY=critical
export DEBIAN_FRONTEND=noninteractive
# run the dist upgrade
apt-get update
apt-get dist-upgrade
We have run this a few times on VPSs, and the process seems pretty safe/hassle free.
Rinse and repeat for each version you need to upgrade to.
Additionally we recommend using the corresponding kernel version available from our kernel chooser for best reliability.
As always, if you are not sure, feel free to get one of our staff to assist you by popping in a support ticket.
When updating from lenny, apt may now refuse to proceed with an upgrade, due to expired keys. After enabling the squeeze sources, you can run the following, and then apt-get update should work again (at least until squeeze also becomes EOL):
apt-get install debian-archive-keyring
You may also find it helpful to add the following to /etc/apt/apt.conf (create it if it does not exist). And then remove those lines after the upgrade to squeeze is done.
APT {
Ignore {"gpg-pubkey"; }
Get { AllowUnauthenticated "1"; }
}
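The page says to remove these apt.conf lines once the upgrade to squeeze is done; AllowUnauthenticated in particular lets apt-get install packages it cannot authenticate. A post-upgrade check for leftovers, as an added example (not from the original page): it scans apt.conf and apt.conf.d under a given root for the two settings shown above. The function name and sample files are assumptions, and the match is a line-based heuristic, not a full apt.conf parser.

```shell
#!/bin/sh
# Added example: find the temporary apt.conf lines from the section above
# if they were left in place. Line-based heuristic, not a full apt.conf parser.

# scan_apt_leftovers [ROOT] -> prints "file:line: text" per hit.
# Exit status: 0 = nothing found, 1 = leftover setting found, 2 = ROOT missing.
scan_apt_leftovers() (
    root=${1:-/etc/apt}
    [ -d "$root" ] || { echo "no such directory: $root" >&2; exit 2; }
    hits=$(find "$root" -type f \( -name apt.conf -o -path '*/apt.conf.d/*' \) \
        -exec awk '
            /^[ \t]*(\/\/|#)/ { next }                  # skip comment lines
            { line = tolower($0) }
            line ~ /allowunauthenticated[^;]*"(1|true|yes)"/ ||
            line ~ /"gpg-pubkey"/ {
                printf "%s:%d: %s\n", FILENAME, FNR, $0
            }' {} + 2>/dev/null)
    [ -z "$hits" ] && exit 0
    printf '%s\n' "$hits"
    exit 1
)

# Constructed demo: the page's snippet plus an unrelated, commented file.
demo() (
    d=$(mktemp -d) || exit 1
    mkdir -p "$d/apt.conf.d"
    printf 'APT {\nIgnore {"gpg-pubkey"; }\nGet { AllowUnauthenticated "1"; }\n}\n' \
        > "$d/apt.conf"
    printf '// APT::Get::AllowUnauthenticated "1";\nAPT::Periodic::Enable "1";\n' \
        > "$d/apt.conf.d/10periodic"
    scan_apt_leftovers "$d" || echo "remove the lines listed above"
    rm -rf "$d"
)
demo
```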
See our Ubuntu page here.