Upgrading to Debian 10 - Buster

PUBLISHED ON 08/07/2019 — SYSOP

Intro

After 25 months of development the Debian project is proud to present its new stable version 10 (code name buster), which will be supported for the next 5 years thanks to the combined work of the Debian Security team and of the Debian Long Term Support team.

Important stuff first: Buster is a dog from the Toy Story movies. Andy receives it as a Christmas present.

Howto

Read the release notes. Yeah, it is a long piece of text, but well worth it to avoid problems with your puppies.

# apt-get update
# apt-get upgrade
# apt-get dist-upgrade
# sed -i 's/stretch/buster/g' /etc/apt/sources.list
# apt-get update
# apt-get upgrade
# apt-get dist-upgrade

Problems on the way

Command not found for root user

If you are anything like me, you use su to enter the world of the superuser. You are wrong. I am wrong. Everybody is wrong. We all should really use su -, which provides an environment similar to a direct root login. Debian this year is here to teach us that important lesson. And please, do not force changes to the $PATH variable, for your own sanity. Probably we should all finally embrace sudo instead, but hey, old habits die hard…

So for now:

$ su -

Source

Enable iptables

Just until you figure out how to work with nftables.

# update-alternatives --set iptables /usr/sbin/iptables-legacy
# update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy

Postfix

The problem with my Postfix install was that I had kept old config files. One of them got some lines added, stuff changed and is now breaking the mail extravaganza.

Corresponding error:

# cat /var/log/mail.err
...
Jul  8 08:11:58 sablun postfix/smtpd[2132]: error: unsupported dictionary type: mysql
...

Solution:

# cp /usr/share/postfix/dynamicmaps.cf /etc/postfix/

Unbound

Reading the release notes really helped here. Misconfiguration was again the culprit.

# cat /var/log/unbound/unbound.log
...
error: ssl handshake failed crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
...

Source

Working configuration file on my machine:

# Unbound configuration file for Debian.
#
# See the unbound.conf(5) man page.
#
# See /usr/share/doc/unbound/examples/unbound.conf for a commented
# reference config file.
#
# The following line includes additional configuration files from the
# /etc/unbound/unbound.conf.d directory.
include: "/etc/unbound/unbound.conf.d/*.conf"

# Ads overrides
include: "/var/unbound/ads.conf"

server:
    interface: 127.0.0.1
    access-control: 127.0.0.1 allow
    port: 53
    do-daemonize: yes
    num-threads: 2
    use-caps-for-id: yes
    harden-glue: yes
    hide-identity: yes
    hide-version: yes
    logfile: "/var/log/unbound/unbound.log"
    log-time-ascii: yes
    verbosity: 1
    statistics-cumulative: yes
    extended-statistics: yes
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
    prefetch: yes


forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
    forward-addr: 1.0.0.1@853#one.one.one.one
    forward-addr: 1.1.1.1@853#one.one.one.one
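
The certificate error above is about authenticating the DNS-over-TLS forwarders. Per unbound.conf(5), the name after # in forward-addr is what gets checked against the upstream certificate, and tls-cert-bundle supplies the CAs for that check. A small lint for both, as an added example that is not part of the original post; the function names and finding labels are made up here, and include: files are not followed.

```shell
#!/bin/sh
# Added example: lint an unbound.conf (read from stdin) for DNS-over-TLS
# forwarders that cannot be authenticated. Does not follow include: lines.
# Findings go to stdout; exit status is 1 if there is at least one.
lint_unbound_dot() {
    awk '
    function check_zone(   i) {          # evaluate the zone just finished
        if (tls) {
            tlszones++
            for (i = 1; i <= n; i++)
                if (addr[i] !~ /#./) { print "no-auth-name " addr[i]; bad++ }
        }
        n = 0; tls = 0
    }
    # A comment starts with "#" at a token start; the "#" inside
    # IP@port#name is part of the value and must survive.
    { sub(/^[ \t]*#.*$/, ""); sub(/[ \t]+#.*$/, "") }
    /^[ \t]*$/ { next }
    {
        key = $1; sub(/:.*$/, "", key)
        val = $0; sub(/^[^:]*:[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
        if (val == "") { check_zone(); section = key; next }   # "server:" etc.
        gsub(/"/, "", val)
    }
    section == "server" && key == "tls-cert-bundle" { bundle = val }
    section == "forward-zone" && key == "forward-tls-upstream" { tls = (val == "yes") }
    section == "forward-zone" && key == "forward-addr" { addr[++n] = val }
    END {
        check_zone()
        if (tlszones && bundle == "") { print "no-tls-cert-bundle"; bad++ }
        exit (bad > 0)
    }'
}

# Constructed sample: TLS forwarding on, one forwarder without an
# authentication name, and no CA bundle configured.
sample_conf() {
    cat <<'EOF'
server:
    interface: 127.0.0.1
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853
    forward-addr: 9.9.9.9@853#dns.quad9.net
EOF
}

sample_conf | lint_unbound_dot || true
```

Run it against the live file with lint_unbound_dot < /etc/unbound/unbound.conf; no output and exit status 0 means every TLS forwarder has a name to verify and a CA bundle to verify it with.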

Strongswan

As with Postfix, some minor config file changes have borked the VPN solution.

$ systemctl status ipsec 
● strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
   Loaded: loaded (/lib/systemd/system/strongswan.service; enabled; vendor preset: enabled)
   Active: inactive (dead) since Mon 2019-07-08 09:13:14 CEST; 1s ago
  Process: 22782 ExecStart=/usr/sbin/ipsec start --nofork (code=exited, status=0/SUCCESS)
 Main PID: 22782 (code=exited, status=0/SUCCESS)

Jul 08 09:13:14 sablun.org ipsec[22782]: 00[CFG] /etc/strongswan.d/charon-logging.conf:8: syntax error, unexpected ., expecting : or '{' or '=' [.]
Jul 08 09:13:14 sablun.org ipsec[22782]: 00[CFG] invalid config file '/etc/strongswan.conf'
Jul 08 09:13:14 sablun.org ipsec[22782]: 00[LIB] abort initialization due to invalid configuration
Jul 08 09:13:14 sablun.org ipsec[22782]: charon has quit: integrity test of libstrongswan failed
Jul 08 09:13:14 sablun.org ipsec[22782]: charon refused to be started
Jul 08 09:13:14 sablun.org ipsec[22782]: ipsec starter stopped
Jul 08 09:13:14 sablun.org systemd[1]: strongswan.service: Succeeded.
Jul 08 09:13:14 sablun.org ipsec_starter[22782]: charon has quit: integrity test of libstrongswan failed
Jul 08 09:13:14 sablun.org ipsec_starter[22782]: charon refused to be started
Jul 08 09:13:14 sablun.org ipsec_starter[22782]: ipsec starter stopped

Solution:

# cp /usr/share/strongswan/templates/config/strongswan.d/charon-logging.conf /etc/strongswan.d

See Also