Upgrading to Debian 10 - Buster

PUBLISHED ON 08/07/2019 — SYSOPS

Intro

After 25 months of development the Debian project is proud to present its new stable version 10 (code name buster), which will be supported for the next 5 years thanks to the combined work of the Debian Security team and of the Debian Long Term Support team.

Important stuff first, Buster is a dog, from Toy Story movies. Andy recieves it as a Christmas present.

Howto

Read the release notes, yeah long peice of text, but well worth it to avoid problems with your puppies.

# apt-get update
# apt-get upgrade
# apt-get dist-upgrade
# sed -i 's/stretch/buster/g' /etc/apt/sources.list
# apt-get upgrade
# apt-get dist-upgrade

Also check files in /etc/apt/sources.list.d/ and fix the repos to buster or stable.

Problems on the way

Command not found for root user

If you are anything like me, you use su to enter the word of superuser, you are wrong. I am wrong. Everybody is wrong. As we all should really use su -, that provides an environment similar to direct root login. Debian this year is here to teach us that important lesson. And please, do not force changes to the $PATH variable for your own sanity. Probably we should all finally embrace sudo instead, but hey, old habits die hard…

So for now:

$ su -

Source

Enable iptables

Just until you figure out how to work with nftables.

# update-alternatives --set iptables /usr/sbin/iptables-legacy
# update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy

Postfix

The problem with my Postfix install was that I have kept old config files. One of them got some lines added, stuff changed and is now breaking the mail extravaganza.

Corresponding error:

# cat /var/log/mail.err
...
Jul  8 08:11:58 sablun postfix/smtpd[2132]: error: unsupported dictionary type: mysql
...

Solution:

# cp /usr/share/postfix/dynamicmaps.cf /etc/postfix/

Unbound

Reading the release notes really helped here. Misconfiguration was again a culprit.

# cat /var/log/unbound/unbound.log
...
error: ssl handshake failed crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
...

Source

Working configuration file on my machine:

# Unbound configuration file for Debian.
#
# See the unbound.conf(5) man page.
#
# See /usr/share/doc/unbound/examples/unbound.conf for a commented
# reference config file.
#
# The following line includes additional configuration files from the
# /etc/unbound/unbound.conf.d directory.
include: "/etc/unbound/unbound.conf.d/*.conf"

# Ads overrides
include: "/var/unbound/ads.conf"

server:
    interface: 127.0.0.1
    access-control: 127.0.0.1 allow
    port: 53
    do-daemonize: yes
    num-threads: 2
    use-caps-for-id: yes
    harden-glue: yes
    hide-identity: yes
    hide-version: yes
    logfile: "/var/log/unbound/unbound.log"
    log-time-ascii: yes
    verbosity: 1
    statistics-cumulative: yes
    extended-statistics: yes
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
    prefetch: yes


forward-zone:
    name:"."
    forward-tls-upstream: yes
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
    forward-addr: 1.0.0.1@853#one.one.one.one
    forward-addr: 1.1.1.1@853#one.one.one.one

Strongswan

As with postfix, some minor config file changes have borked the VPN solution.

$ systemctl status ipsec 
● strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
   Loaded: loaded (/lib/systemd/system/strongswan.service; enabled; vendor preset: enabled)
   Active: inactive (dead) since Mon 2019-07-08 09:13:14 CEST; 1s ago
  Process: 22782 ExecStart=/usr/sbin/ipsec start --nofork (code=exited, status=0/SUCCESS)
 Main PID: 22782 (code=exited, status=0/SUCCESS)

Jul 08 09:13:14 sablun.org ipsec[22782]: 00[CFG] /etc/strongswan.d/charon-logging.conf:8: syntax error, unexpected ., expecting : or '{' or '=' [.]
Jul 08 09:13:14 sablun.org ipsec[22782]: 00[CFG] invalid config file '/etc/strongswan.conf'
Jul 08 09:13:14 sablun.org ipsec[22782]: 00[LIB] abort initialization due to invalid configuration
Jul 08 09:13:14 sablun.org ipsec[22782]: charon has quit: integrity test of libstrongswan failed
Jul 08 09:13:14 sablun.org ipsec[22782]: charon refused to be started
Jul 08 09:13:14 sablun.org ipsec[22782]: ipsec starter stopped
Jul 08 09:13:14 sablun.org systemd[1]: strongswan.service: Succeeded.
Jul 08 09:13:14 sablun.org ipsec_starter[22782]: charon has quit: integrity test of libstrongswan failed
Jul 08 09:13:14 sablun.org ipsec_starter[22782]: charon refused to be started
Jul 08 09:13:14 sablun.org ipsec_starter[22782]: ipsec starter stopped
cp /usr/share/strongswan/templates/config/strongswan.d/charon-logging.conf /etc/strongswan.d

See Also