Upgrading to TLD Linux 2019.01

Note: only upgrades from TLD Linux 2018.02 are supported. If you are running TLD Linux 2018.01, please use this howto.

Getting started


Please back up at least the entire system configuration before proceeding! If possible, back up the entire host, or take a snapshot of its current state if it is a virtual machine.

First of all, update your poldek indexes:

poldek --upa

Now remove all *.rpmnew files from /etc so that you end up with the newest default configuration for every package whose old configuration cannot be adjusted or updated.
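An added example (not part of the original howto): a small sh helper that classifies each *.rpmnew file against its live configuration and then moves the files into an archive directory rather than deleting them outright. The function names and the archive path in the usage comment are assumptions.

```sh
#!/bin/sh
# Added example. rpmnew_report and rpmnew_archive are hypothetical helper names.

# rpmnew_report [DIR]: classify every *.rpmnew file under DIR (default /etc):
#   SAME    identical to the live config next to it
#   DIFFERS packaged default differs from the live config, worth a look
#   ORPHAN  no live config next to it
rpmnew_report() {
    find "${1:-/etc}" -type f -name '*.rpmnew' | LC_ALL=C sort |
    while IFS= read -r new; do
        live=${new%.rpmnew}
        if [ ! -e "$live" ]; then
            echo "ORPHAN $new"
        elif cmp -s "$live" "$new"; then
            echo "SAME $new"
        else
            echo "DIFFERS $new"
        fi
    done
}

# rpmnew_archive DIR DEST: move the *.rpmnew files out of DIR into DEST,
# keeping their relative paths. DEST must be outside DIR.
rpmnew_archive() {
    src=${1%/}
    dest=${2%/}
    find "$src" -type f -name '*.rpmnew' | while IFS= read -r new; do
        rel=${new#"$src"/}
        mkdir -p "$dest/$(dirname "$rel")"
        mv "$new" "$dest/$rel"
    done
}

# Usage (the archive path is a constructed example):
#   rpmnew_report /etc
#   rpmnew_archive /etc /root/rpmnew-pre-2019.01
```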

You should remove all packages that are no longer part of TLD, or your upgrade may be blocked by unresolved package dependencies. The following script creates a list of these packages for you:

#!/bin/sh

# Names of all installed packages and of all packages available in the distribution
rpm -qa --qf="%{name}\n" > installed_packages.txt
poldek --cmd "ls --qf=%{name}\n" > dist_packages.txt

rm -f removed_packages.txt
for pkg in $(cat installed_packages.txt); do
  # -x -F: match the whole line literally, so "+" and "." in names need no escaping
  if ! grep -q -x -F -- "$pkg" dist_packages.txt && [ "$pkg" != "ldconfig" ]; then
    echo "$pkg" >> removed_packages.txt
  fi
done

rm -f installed_packages.txt dist_packages.txt

Carefully inspect the contents of the removed_packages.txt file created by the above script to see which packages must be removed.

When ready, remove the packages with:

rpm -ev --nodeps $(cat removed_packages.txt)

Upgrading


Warning! TLD 2019.01 brings some changes that may prevent your services from running correctly! Please read the package notes for details.

Perform the system upgrade:

poldek -v --nohold --upgrade-dist

If you run into unresolved dependencies, you may try the following:

1. Remove the problematic package. If removing it would pull out half of your system, use:

rpm -e --nodeps package

2. Force an upgrade of the problematic package via the poldek command line:

poldek --cmd "upgrade --force package"

Add --nodeps if necessary.

Finishing


When the upgrade is finished, please follow the package notes below to get everything running.

Known problems


1. TLD 2019.01 comes with OpenSSL 1.1.1, which may cause boot delays on some hosts, especially virtual ones.

The delay can range from a few minutes to even a few hours. This is because reads from /dev/random block while the system waits for the required entropy, which at boot may be insufficient to get the system running.

To work around this problem, TLD now comes with the Haveged system service preinstalled by default. Be sure to install it before rebooting into your upgraded system. If you are running a KVM-based virtual machine and can manage it, you may instead add an RNG device.

Note:

2. You may not be able to install or download any packages, and poldek will return errors like:

Retrieving ti::packages.ndir.md...
error: vfff: unknown error
Retrying...(#2)

This is caused by a missing /etc/localtime symlink, which is now (with newer glibc) required for some time functions to work. To fix this problem, simply make sure that the /etc/localtime link exists and points to a valid time zone file.
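A check for the condition described above, as an added example (not from the TLD project): it follows /etc/localtime and confirms that the target is a compiled zoneinfo file, which starts with the ASCII magic TZif. The function name and return codes are assumptions.

```sh
#!/bin/sh
# Added example. check_localtime is a hypothetical helper name.
#
# check_localtime [PATH]: verify that PATH (default /etc/localtime) resolves
# to a compiled time zone file.
# Return codes: 0 ok
#               1 PATH is missing
#               2 dangling link, or target is not a regular file
#               3 target does not start with the "TZif" magic
check_localtime() {
    link=${1:-/etc/localtime}
    if [ ! -e "$link" ] && [ ! -L "$link" ]; then
        echo "MISSING: $link does not exist"
        return 1
    fi
    # Resolve the link chain; an unresolvable chain leaves target empty
    target=$(readlink -f "$link") || target=
    if [ ! -f "$target" ]; then
        echo "BROKEN: $link -> $target is not a regular file"
        return 2
    fi
    # Compiled zoneinfo files begin with the four ASCII bytes "TZif"
    if [ "$(head -c 4 "$target")" != "TZif" ]; then
        echo "INVALID: $target is not a TZif time zone file"
        return 3
    fi
    echo "OK: $link -> $target"
}

# Usage: check_localtime            (checks /etc/localtime)
```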

Notes for some packages


Apache

The default Apache configuration in TLD Linux now allows 128-bit ciphers again (to keep high security without sacrificing client compatibility) but still does not allow any weak ciphers. With OpenSSL 1.1.1 this will prevent some clients from accessing your websites.

Please check and adjust your mod_ssl configuration to fit your needs. There are now four predefined cipher suite configurations to choose from. If you don't see them in the mod_ssl configuration, check whether a 40_mod_ssl.conf.rpmnew file was created during the upgrade and copy the relevant lines to your configuration.

FreeRADIUS

The FreeRADIUS server has been updated from the 2.x.x series, which reached EOL, to the 3.x series. You must migrate the configuration to the new version to get the service running.

Grub

TLD 2019.01 contains an updated version of the Grub bootloader. It is a good idea to reinstall Grub on your system after the upgrade.

Kernel

The preferred kernel (installed by default) for TLD 2019.01 is the 4.14.x series. You may consider upgrading from previous versions, but it is not necessary, as all versions available in TLD 2018.02 are still available and supported in 2019.01.

Mail and FTP daemons, OpenSSL

In TLD 2019.01 we moved away from the old-style /etc/mail and /etc/ftpd configuration directories shared among multiple daemons. Every package now has its own configuration directory. Additionally, we moved the openssl configuration to /etc.

Most configurations should be migrated automatically during the upgrade, but it is recommended to check manually that everything is OK. Be warned that any custom files added to the configuration will not be migrated. You will have to move and adjust them by hand.

Below you will find a list of all affected daemons:

exim: /etc/mail changed to /etc/exim
openssl: /var/lib/openssl changed to /etc/openssl
postfix and postgrey: /etc/mail changed to /etc/postfix
proftpd: /etc/ftpd changed to /etc/proftpd
pure-ftpd: /etc/ftpd changed to /etc/pure-ftpd
vsftpd: /etc changed to /etc/vsftpd
spamassassin: /etc/mail/spamassassin changed to /etc/spamassassin
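An added example (not part of the original howto) that uses the directory list above to find files still sitting in the old locations, such as custom files that were not migrated. The function name, the optional root prefix and the assumption that a migrated file keeps its file name are hypothetical; vsftpd is skipped because its old location is /etc itself.

```sh
#!/bin/sh
# Added example. leftover_report is a hypothetical helper name.
# Old directory -> new per-package directories, taken from the list above.
MIGRATION_MAP='/etc/mail/spamassassin:/etc/spamassassin
/etc/mail:/etc/exim /etc/postfix
/etc/ftpd:/etc/proftpd /etc/pure-ftpd
/var/lib/openssl:/etc/openssl'

# leftover_report [ROOT]: for every file still in an old directory print
#   MIGRATED old -> new   identical copy exists in a new directory
#   CHANGED  old -> new   same name exists in a new directory, content differs
#   LEFTOVER old          no counterpart: move and adjust it by hand
# ROOT is an optional prefix (for example a mounted backup); default is /.
leftover_report() {
    root=${1:-}
    echo "$MIGRATION_MAP" | while IFS=: read -r old news; do
        [ -d "$root$old" ] || continue
        find "$root$old" -type f | LC_ALL=C sort | while IFS= read -r f; do
            rel=${f#"$root$old"/}
            # /etc/mail/spamassassin is covered by its own map entry
            case "$old:$rel" in /etc/mail:spamassassin/*) continue ;; esac
            status="LEFTOVER $f"
            for new in $news; do
                cand=$root$new/$rel
                [ -f "$cand" ] || continue
                if cmp -s "$f" "$cand"; then
                    status="MIGRATED $f -> $cand"
                    break
                else
                    status="CHANGED $f -> $cand"
                fi
            done
            echo "$status"
        done
    done
}

# Usage: leftover_report            (checks the running system)
```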
