Upgrade from Debian 11 Bullseye to Debian 12 Bookworm

[Krinkle]

Main differences:

• node 12 -> 18. https://packages.debian.org/bullseye/nodejs https://packages.debian.org/bookworm/nodejs
• php 7.4 -> 8.2. https://packages.debian.org/bullseye/php https://packages.debian.org/bookworm/php

Debian 11 Bullseye hosts today:

• wp-02.stage.ops.jquery.net
• builder-04.stage.ops.jquery.net
• puppet-03.ops.jquery.net
• search-02.ops.jquery.net Upgrade TypeSense from 0.24 to 0.25.1 #36
• codeorigin-02.stage.ops.jquery.net
• codeorigin-02.ops.jquery.net
• wpblogs-01.ops.jquery.net
• gruntjs-02.stage.ops.jquery.net
• gruntjs-02.ops.jquery.net
• miscweb-01.ops.jquery.net
• contentorigin-02.ops.jquery.net
• swarm-02.ops.jquery.net (decommissioned) swarm: decom swarm-02.ops.jquery.net #51

The following went straight from legacy Debian 7 to Debian 12 Bookworm, via #8, and were never on Debian Bullseye.

• wp-*.ops
• builder-*.ops
• filestash-*.ops

[Krinkle]

provision-instance.sh is meant to be non-interactive, but during the upgrade of sshd it asks the following

A new version (/tmp/tmp.s8CAJsQh4K) of configuration file /etc/ssh/sshd_config
is available, but the version installed currently has been locally modified.

  1. install the package maintainer's version
  2. keep the local version currently installed
  3. show the differences between the versions
  4. show a side-by-side difference between the versions
  5. show a 3-way difference between available versions
  6. do a 3-way merge between available versions
  7. start a new shell to examine the situation
What do you want to do about modified configuration file sshd_config? 3

Line by line differences between versions

--- /etc/ssh/sshd_config root.root 0644 2023-06-27 17:58:59
+++ /tmp/tmp.s8CAJsQh4K root.root 0644 2023-11-12 19:39:52
@@ -78,7 +78,7 @@
 # be allowed through the KbdInteractiveAuthentication and
 # PasswordAuthentication. Depending on your PAM configuration,
 # PAM authentication via KbdInteractiveAuthentication may bypass
-# the setting of "PermitRootLogin yes
+# the setting of "PermitRootLogin prohibit-password".
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
 # and KbdInteractiveAuthentication to 'no'.
@@ -120,4 +120,3 @@
 # AllowTcpForwarding no
 # PermitTTY no
 # ForceCommand cvs server
-ClientAliveInterval 120

I'm guessing this from apt-get -o Dpkg::Options::="--force-confold" upgrade -y where perhaps force-confold is insufficient in this case.

In practice, the answer doesn't matter since Puppet will replace this file on the first run a few seconds later. But, for now I picked 2: keep the local version since that's closest to what we provision.

[Krinkle]

gruntjs-02.stage.ops.jquery.net

I'm replacing this with gruntjs-03.stage.ops.jquery.net to move from Node.js 12 (Debian 11) to Node.js 18 (Debian 12).

[Krinkle]

The Debian 12 nodes (gruntjs-03.stage, and gruntjs-03) are up-and-running. After quick testing via the instance's own web address, I switched over https://stage.gruntjs.com and shortly thereafter https://grunts.com. I've also shutdown both the old gruntjs-02 droplets, and updated the web hooks in the repo settings at https://github.com/gruntjs/gruntjs.com to point at the gruntjs-03 droplets instead.

The site has been working fine from what I can tell over the past 24 hours with traffic levels by status code (in the Cloudflare panel) holding the ballpark numbers as before, and no (new/surprising/unexplained) errors in the syslog that I can on either droplet.

I've now deleted the old droplets and removed their definitions from DNS and Puppet.