Upgrading to Debian 10 - Buster

PUBLISHED ON 08/07/2019 — EDITED ON 11/10/2019 — SYSOPS


After 25 months of development the Debian project is proud to present its new stable version 10 (code name buster), which will be supported for the next 5 years thanks to the combined work of the Debian Security team and of the Debian Long Term Support team.

Important stuff first, Buster is a dog, from Toy Story movies. Andy recieves it as a Christmas present.


Read the release notes, yeah long peice of text, but well worth it to avoid problems with your puppies.

# apt-get update
# apt-get upgrade
# apt-get dist-upgrade
# sed -i 's/stretch/buster/g' /etc/apt/sources.list
# apt-get upgrade
# apt-get dist-upgrade

Also check files in /etc/apt/sources.list.d/ and fix the repos to buster or stable.

Problems on the way

Command not found for root user

If you are anything like me, you use su to enter the word of superuser, you are wrong. I am wrong. Everybody is wrong. As we all should really use su -, that provides an environment similar to direct root login. Debian this year is here to teach us that important lesson. And please, do not force changes to the $PATH variable for your own sanity. Probably we should all finally embrace sudo instead, but hey, old habits die hard…

So for now:

$ su -


Enable iptables

Just until you figure out how to work with nftables.

# update-alternatives --set iptables /usr/sbin/iptables-legacy
# update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy


The problem with my Postfix install was that I have kept old config files. One of them got some lines added, stuff changed and is now breaking the mail extravaganza.

Corresponding error:

# cat /var/log/mail.err
Jul  8 08:11:58 sablun postfix/smtpd[2132]: error: unsupported dictionary type: mysql


# cp /usr/share/postfix/ /etc/postfix/


Reading the release notes really helped here. Misconfiguration was again a culprit.

# cat /var/log/unbound/unbound.log
error: ssl handshake failed crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed


Working configuration file on my machine:

# Unbound configuration file for Debian.
# See the unbound.conf(5) man page.
# See /usr/share/doc/unbound/examples/unbound.conf for a commented
# reference config file.
# The following line includes additional configuration files from the
# /etc/unbound/unbound.conf.d directory.
include: "/etc/unbound/unbound.conf.d/*.conf"

# Ads overrides
include: "/var/unbound/ads.conf"

    access-control: allow
    port: 53
    do-daemonize: yes
    num-threads: 2
    use-caps-for-id: yes
    harden-glue: yes
    hide-identity: yes
    hide-version: yes
    logfile: "/var/log/unbound/unbound.log"
    log-time-ascii: yes
    verbosity: 1
    statistics-cumulative: yes
    extended-statistics: yes
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
    prefetch: yes

    forward-tls-upstream: yes


As with postfix, some minor config file changes have borked the VPN solution.

$ systemctl status ipsec 
● strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
   Loaded: loaded (/lib/systemd/system/strongswan.service; enabled; vendor preset: enabled)
   Active: inactive (dead) since Mon 2019-07-08 09:13:14 CEST; 1s ago
  Process: 22782 ExecStart=/usr/sbin/ipsec start --nofork (code=exited, status=0/SUCCESS)
 Main PID: 22782 (code=exited, status=0/SUCCESS)

Jul 08 09:13:14 ipsec[22782]: 00[CFG] /etc/strongswan.d/charon-logging.conf:8: syntax error, unexpected ., expecting : or '{' or '=' [.]
Jul 08 09:13:14 ipsec[22782]: 00[CFG] invalid config file '/etc/strongswan.conf'
Jul 08 09:13:14 ipsec[22782]: 00[LIB] abort initialization due to invalid configuration
Jul 08 09:13:14 ipsec[22782]: charon has quit: integrity test of libstrongswan failed
Jul 08 09:13:14 ipsec[22782]: charon refused to be started
Jul 08 09:13:14 ipsec[22782]: ipsec starter stopped
Jul 08 09:13:14 systemd[1]: strongswan.service: Succeeded.
Jul 08 09:13:14 ipsec_starter[22782]: charon has quit: integrity test of libstrongswan failed
Jul 08 09:13:14 ipsec_starter[22782]: charon refused to be started
Jul 08 09:13:14 ipsec_starter[22782]: ipsec starter stopped
cp /usr/share/strongswan/templates/config/strongswan.d/charon-logging.conf /etc/strongswan.d

See Also