Upgrade Puffin, Penguin and Parrot from Debian Squeeze to Wheezy

[chris]

Debian 7 is ​due out on 5th May 2013 and wiki:PuffinServer, wiki:PenguinServer and wiki:ParrotServer will need upgrading.

[chris]

The last upgrade, from Lenny to Squeeze, was done on ticket:301 and documented on the wiki wiki:LennyToSqueeze and it took almost 17 hours, hopefully this one won't be so bad!

I have started to document the packages which are installed and are not from squeeze on wiki:SqueezeToWheezy and I have read through ​the upgrade documentation.

[jim]

BOA team already on it, see this commit and a stream of updates afterwards: ​Add _SQUEEZE_TO_WHEEZY major upgrade support.

In other words, when the next BOA (2.0.9) comes out, it'll have this 'Update to Wheezy' feature as an option built in with a tweak of the .barracuda.cnf script.

I'd personally give it a few weeks so that others run the process and flush out any issues.

And per my ​comments regarding the 'right way' to update, it's absolutely essential you use the BOA scripts for updating Puffin.

[chris]

The latest BOA include a Wheezy upgrade option, see ticket:547

[chris]

Wheezy has a local root vulnerability that hasn't been fixed yet:

​http://arstechnica.com/security/2013/05/critical-linux-vulnerability-imperils-users-even-after-silent-fix/

So we should wait till this is fixed before upgrading to Wheezy, ​https://imc.li/ud1n5 :

Debian stable (wheezy) and testing (jessy) are currently vulnerable, sid and old-stable (squeeze) are not.

Also we need to reboot the server that is hosting the 3 Transition Network machines as one of the virtual machine has hit this bug:

​http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=701744

And the current fix is to downgrade the host kernel, this wil be done sometime this evening and it might result in around 10 mins of downtime.

[chris]

Replying to chris:

Also we need to reboot the server that is hosting the 3 Transition Network machines as one of the virtual machine has hit this bug:

​http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=701744

And the current fix is to downgrade the host kernel, this wil be done sometime this evening and it might result in around 10 mins of downtime.

This has been done, according to pingdom the server went down at Wed, 15 May 2013 23:14:24 +0100 and was back by Wed, 15 May 2013 23:23:05 +0100.

[chris]

One of the virtual machines on the physical server that the Transition virtual machines are running on got hit by debian bug 701744 again so earlier this morning the server had the patched kernel referenced in the thread here ​http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=701744 installed and it was rebooted. Pingdom reported that the site was offline for 23 mins:

PingdomAlert UP:
 www.transitionnetwork.org (www.transitionnetwork.org) is UP again at 25/08/2013  07:16:57, after 23m of downtime. 

This time there wasn't the problem with the wrong version of php-fpm starting.

[ed]

I think that this re-boot re-set the user settings (see ticket #575) - I had set them to 'Visitors can create accounts and no administrator approval is required.' before, then this happened, now the settings have changed to 'Visitors can create accounts but administrator approval is required.'.

[jim]

The reboot is not related. We need to update BOA... continuing over on #575.

[jim]

(On checking it's clear it's not a BOA update issue either.)

[chris]

Note that the RAM disk location will change when we upgrade, see ticket:591#comment:2

[chris]

When we have upgraded the servers to Wheezy we will have a version of openssl which does TLS 1.1. and TLS 1.2 so we should set Nginx and Apache to use ciphers with forward secrecy to hamper GCHQ, some links on this:

• ​https://github.com/t2d/wasuptls
• ​http://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
• ​http://crashmag.net/enable-tls-1-1-and-1-2-in-mozilla-firefox-24-0
• ​https://www.ssllabs.com/ssltest/analyze.html?d=transitionnetwork.org

[ed]

I'm ambivalent about making political decisions until we have seen from TN how political it wants the web project to be. When you say 'should' I suggest using the word 'could'.

As discussed - all works we're up to now until we get into the site redesign for 2014 are operational - and mostly utilitarian to keep TN.org as quick and useful as possible.

[chris]

Replying to ed:

I'm ambivalent about making political decisions until we have seen from TN how political it wants the web project to be. When you say 'should' I suggest using the word 'could'.

I think you must misunderstand. We should follow best security practice unless there is a good reason not to and I can't think of any good reason not to set webservers to use the best available ciphers. When the servers are upgraded to Wheezy then we will have more cipher options so we should make use of these options, it's not a lot of work, it's just a matter of tweaking one or two lines in a config file.

[ed]

OK I'll get my coat.

But it therefore is a language thing for me - until we have or haven't agreed that we do or don't do things to hamper GCHQ I'd prefer it if we focus on utility.

[chris]

Replying to ed:

until we have or haven't agreed that we do or don't do things to hamper GCHQ I'd prefer it if we focus on utility.

What I'm suggesting is not radical, it's simply sensible security steps we should taken given the environment we are operating in.

Perhaps the following comment from ​Mike Hearn who works "for Google, where I spent the last three years working on account security and anti-spam systems" will help put my comment above into context?

The packet capture shown in these new NSA slides shows internal database replication traffic for the anti-hacking system I worked on for over two years. Specifically, it shows a database recording a user login as part of this system:

​http://googleblog.blogspot.ch/2013/02/an-update-on-our-war-against-account.html

Recently +Brandon Downey , a colleague of mine on the Google security team, said (after the usual disclaimers about being personal opinions and not speaking for the firm which I repeat here) - "fuck these guys":

​https://plus.google.com/108799184931623330498/posts/SfYy8xbDWGG

I now join him in issuing a giant Fuck You to the people who made these slides. I am not American, I am a Brit, but it's no different - GCHQ turns out to be even worse than the NSA.

We designed this system to keep criminals out . There's no ambiguity here. The warrant system with skeptical judges, paths for appeal, and rules of evidence was built from centuries of hard won experience. When it works, it represents as good a balance as we've got between the need to restrain the state and the need to keep crime in check. Bypassing that system is illegal for a good reason .

Unfortunately we live in a world where all too often, laws are for the little people. Nobody at GCHQ or the NSA will ever stand before a judge and answer for this industrial-scale subversion of the judicial process. In the absence of working law enforcement, we therefore do what internet engineers have always done - build more secure software. The traffic shown in the slides below is now all encrypted and the work the NSA/GCHQ staff did on understanding it, ruined.

Thank you Edward Snowden. For me personally, this is the most interesting revelation all summer.

​https://plus.google.com/+MikeHearn/posts/LW1DXJ2BK8k

[chris]

Another thing to note on the matter of ciphers, this is from the ​BOA Changelog for 2.1.0:

### Stable BOA-2.1.0 Release - Full Edition - Now NSA-proof
### Date: Sat Nov  2 18:15:19 EDT 2013


#-### PFS (Perfect Forward Secrecy) support in Nginx

  BOA now fully supports the most secure, yet still compatible with most
  used systems and browsers SSL configuration.

  All hosted BOA instances have been already upgraded automatically and
  you don't need to do anything to make it work -- it is already done
  for you -- both on any SSL enabled site with dedicated certificate
  and IP address and also on the standard, system-wide SSL proxy level,
  which is available for every hosted site -- just type HTTPS:// in the URL.

  On self-hosted instances it needs to be enabled by adding a line in your
  /root/.barracuda.cnf file: _NGINX_FORWARD_SECRECY=YES before the upgrade.
  Note that depending on the system used, it may auto-install some
  requirements like latest OpenSSL libraries and packages.

  Remotely managed BOA systems can have this feature enabled upon request
  submitted via https://omega8.cc/support

This appears to indicate that when we do this upgrade, we will also see openssl being updated, I'm not sure where that will come from.

We have till May to do this upgrade but perhaps we should consider doing it around the Xmas holiday when the site isn't very busy?

Or perhaps PuffinServer should be upgraded with the BOA-2.1.1 upgrade, ticket:612?

[chris]

Given the discussion on ticket:612 I think we should set a date and time for a upgrade to Wheezy within the next week. I'm happy to do it one evening starting at 9 or 10pm. It will potentially involve an hour or so of downtime so I think users should be notified in advance perhaps?

[chris]

We have agreed to upgrade wiki:PuffinServer from Squeeze to Wheezy at 10pm on Sunday 17th November.

Alan can you be around at this time to check that we have a snapshot of the filesystem prior to the upgrade in case it goes horribly wrong and we have to roll back?

In terms of upgrading wiki:PenguinServer and wiki:ParrotServer I suggest we should first migrate them to the ZFS server, I have opened a ticket for that, ticket:618, perhaps this could be done the same evening as the Puffin Wheezy upgrade?

The upgrade on Puffin will involve the following steps:

1. Adding the following to /root/.barracuda.cnf see ticket:612#comment:5 (this has been done):

_SQUEEZE_TO_WHEEZY=YES
_NGINX_FORWARD_SECRECY=YES
_NGINX_SPDY=YES

The existing config already had this set:

_BUILD_FROM_SRC=NO 

2. Run the commands documented at wiki:PuffinServer#UpgradingBOA

sudo -i
screen
cd
wget -q -U iCab http://files.aegir.cc/BOA.sh.txt
bash BOA.sh.txt
barracuda up-stable system
octopus up-stable all

3. Check the following:

• MySQL RAM disk location, see ticket:591#comment:2
• Munin, see wiki:PuffinServer#nginxconfigchanges and wiki:PuffinServer#php-fpmconfigchanges
• Logs and kill thresholds, see wiki:PuffinServer#xdragoshellscriptchanges

Anything else?

I have made a few updates on wiki:PuffinServer, closed some tickets and read through the wiki:LennyToSqueeze page

[chris]

One thing worth noting regarding the custom php-fpm changes documented at wiki:PuffinServer#php-fpmconfigchanges is that these changes have been clobbered despite the fact that we have this variable set in /root/.barracuda.cnf (but perhaps they were clobbered before this variable was set):

_CUSTOM_CONFIG_PHP_5_3=YES

It's also worth noting that we are running a lot more php-fpm processes than are needed and reducing this number would save a lot of RAM, see:

• ​https://penguin.transitionnetwork.org/munin/transitionnetwork.org/puffin.transitionnetwork.org/phpfpm_status.html
• ​https://penguin.transitionnetwork.org/munin/transitionnetwork.org/puffin.transitionnetwork.org/phpfpm_connections.html
• ​https://penguin.transitionnetwork.org/munin/transitionnetwork.org/puffin.transitionnetwork.org/phpfpm_memory.html
• ​https://penguin.transitionnetwork.org/munin/transitionnetwork.org/puffin.transitionnetwork.org/multips_memory.html

We should perhaps consider changing this variable in /root/.barracuda.cnf:

_PHP_FPM_WORKERS=AUTO

We could set it to a value such as the max active processes in the last week, 6.

[aland]

Created suitable disk images for the transition machines

snapshot the live system and copied to to the new disk images

shutdown live machines and did a final copy

booted machines on new disk images

Checked with chris that they were functioning as expected.

( purpose of initial snapshot and copy is minimise downtime )

[chris]

Alan has migrated wiki:PenguinServer and wiki:ParrotServer to the ZFS network filesystem.

Following is what was done for the wiki:PuffinServer upgrade to Wheezy:

sudo -i
screen
cd
wget -q -U iCab http://files.aegir.cc/BOA.sh.txt
bash BOA.sh.txt
  
  BOA Meta Installer setup completed
  Please check INSTALL.txt and UPGRADE.txt at http://bit.ly/boa-docs for how-to
  Bye
  
barracuda up-stable system

waiting 8 sec

That is the last thing BOA displayed, in /var/log/dpkg.log there is a list of all the packages downloaded ending with:

...
2013-11-17 22:31:33 status installed libyajl2:amd64 2.0.4-2
2013-11-17 22:31:33 configure collectd-core:amd64 5.1.0-3 <none>
2013-11-17 22:31:33 status unpacked collectd-core:amd64 5.1.0-3
2013-11-17 22:31:33 status unpacked collectd-core:amd64 5.1.0-3
2013-11-17 22:31:33 status unpacked collectd-core:amd64 5.1.0-3
2013-11-17 22:31:33 status unpacked collectd-core:amd64 5.1.0-3
2013-11-17 22:31:33 status half-configured collectd-core:amd64 5.1.0-3
2013-11-17 22:31:34 status installed collectd-core:amd64 5.1.0-3
2013-11-17 22:31:34 configure collectd:amd64 5.1.0-3 <none>
2013-11-17 22:31:34 status unpacked collectd:amd64 5.1.0-3

And in /var/log/apt/term.log there is:

Starting statistics collection and monitoring daemon: collectd.^M
Setting up collectd (5.1.0-3) ...^M
^M
Configuration file `/etc/collectd/collectd.conf'^M
 ==> Modified (by you or by a script) since installation.^M
 ==> Package distributor has shipped an updated version.^M
   What would you like to do about it ?  Your options are:^M
    Y or I  : install the package maintainer's version^M
    N or O  : keep your currently-installed version^M
      D     : show the differences between the versions^M
      Z     : start a shell to examine the situation^M
 The default action is to keep your current version.^M
*** collectd.conf (Y/I/N/O/D/Z) [default=N] ?

But there is no way to sort issues like this out as we don't have a terminal to interact with.

[chris]

This is the log of the failed upgrade using BOA, /var/backups/reports/up/barracuda/131117/barracuda-up-131117-2213.log:

 
Barracuda [Sun Nov 17 22:13:50 GMT 2013] ==> BOA Skynet welcomes you aboard!
 
Barracuda [Sun Nov 17 22:13:54 GMT 2013] ==> INFO: UPGRADE
Barracuda [Sun Nov 17 22:13:54 GMT 2013] ==> INFO: Reading your /root/.barracuda.cnf config file
Barracuda [Sun Nov 17 22:13:55 GMT 2013] ==> NOTE! Please review all config options displayed below
Barracuda [Sun Nov 17 22:13:55 GMT 2013] ==> NOTE! It will *override* all settings in the Barracuda script
 
###
### Configuration created on 121215-1545
### with Barracuda version BOA-2.0.4
###
### NOTE: the group of settings displayed bellow will *not* be overriden
### on upgrade by the Barracuda script nor by this configuration file.
### They can be defined only on initial Barracuda install.
###
_HTTP_WILDCARD=YES
_MY_OWNIP="81.95.52.103"
#_MY_OWNIP=""
_MY_HOSTN="puffin.webarch.net"
#_MY_HOSTN=""
_MY_FRONT="master.puffin.webarch.net"
_THIS_DB_HOST=localhost
#_THIS_DB_HOST=FQDN
_SMTP_RELAY_TEST=YES
_SMTP_RELAY_HOST=""
_LOCAL_NETWORK_IP=""
_LOCAL_NETWORK_HN=""
###
### NOTE: the group of settings displayed bellow
### will *override* all listed settings in the Barracuda script,
### both on initial install and upgrade.
###
_MY_EMAIL="chris@webarchitects.co.uk"
_XTRAS_LIST="PDS CSF CHV"
_AUTOPILOT=YES
_DEBUG_MODE=NO
_DB_SERVER=MariaDB
_SSH_PORT=22
_LOCAL_DEBIAN_MIRROR="ftp.debian.org"
_LOCAL_UBUNTU_MIRROR="archive.ubuntu.com"
_FORCE_GIT_MIRROR=""
_DNS_SETUP_TEST=YES
_NGINX_EXTRA_CONF=""
_NGINX_WORKERS=AUTO
_PHP_FPM_WORKERS=AUTO
_BUILD_FROM_SRC=NO
_PHP_MODERN_ONLY=YES
_PHP_FPM_VERSION=5.3
_PHP_CLI_VERSION=5.3
#_LOAD_LIMIT_ONE=1444
#_LOAD_LIMIT_TWO=888
_LOAD_LIMIT_ONE=8664
_LOAD_LIMIT_TWO=5328
_CUSTOM_CONFIG_CSF=YES
#_CUSTOM_CONFIG_SQL=NO
_CUSTOM_CONFIG_SQL=YES
_CUSTOM_CONFIG_REDIS=NO
_CUSTOM_CONFIG_PHP_5_2=NO
#_CUSTOM_CONFIG_PHP_5_3=NO
_CUSTOM_CONFIG_PHP_5_3=YES
_SPEED_VALID_MAX=3600
_NGINX_DOS_LIMIT=300
_SYSTEM_UPGRADE_ONLY=YES
_USE_MEMCACHED=NO
#_NEWRELIC_KEY=aekooZaifoov5AhkahChoo5Ehoo6mohVopheemei8ovaiXok6ka
_NEWRELIC_KEY=
_USE_STOCK=NO
###
### Configuration created on 121215-1545
### with Barracuda version BOA-2.0.4
###
### JK reinstall PHP
_EXTRA_PACKAGES=
_PHP_EXTRA_CONF=""
_STRONG_PASSWORDS=NO
_DB_BINARY_LOG=NO
_DB_ENGINE=InnoDB
_NGINX_LDAP=NO
_PHP_GEOS=NO
_PHP_MONGODB=NO
_AEGIR_UPGRADE_ONLY=NO
### Squeeze to Wheezy upgrade config
### See /trac/ticket/535
_SQUEEZE_TO_WHEEZY=YES
_NGINX_FORWARD_SECRECY=YES
_NGINX_SPDY=YES
#_BUILD_FROM_SRC=NO
_NGINX_NAXSI=NO
_PHP_ZEND_OPCACHE=YES
_PERMISSIONS_FIX=NO
_MODULES_FIX=YES
_MODULES_SKIP=""
_SSL_FROM_SOURCES=NO
_SSH_FROM_SOURCES=NO
_RESERVED_RAM=0
 
Barracuda [Sun Nov 17 22:13:57 GMT 2013] ==> INFO: Checking your system version...
 
Barracuda [Sun Nov 17 22:13:57 GMT 2013] ==> Aegir on Debian/squeeze - Skynet Agent v.BOA-2.1.2
 
Barracuda [Sun Nov 17 22:13:57 GMT 2013] ==> INFO: Running silent aptitude full-upgrade, please wait...
Barracuda [Sun Nov 17 22:13:57 GMT 2013] ==> INFO: Updating packages sources list...
Barracuda [Sun Nov 17 22:13:57 GMT 2013] ==> INFO: We will use Debian mirror ftp.debian.org
Barracuda [Sun Nov 17 22:14:10 GMT 2013] ==> INFO: Downloading little helpers...
Barracuda [Sun Nov 17 22:14:11 GMT 2013] ==> INFO: Checking BARRACUDA version...
Barracuda [Sun Nov 17 22:14:11 GMT 2013] ==> INFO: BARRACUDA version test: OK
 
Barracuda [Sun Nov 17 22:14:13 GMT 2013] ==> UPGRADE START -> checkpoint: 

  * Your e-mail address appears to be chris@webarchitects.co.uk - is that correct?
  * Your server hostname is puffin.webarch.net.
  * Your Aegir control panel is/will be available at https://master.puffin.webarch.net.

 
Barracuda [Sun Nov 17 22:14:13 GMT 2013] ==> INFO: Cleaning up temp files in /var/opt/
Barracuda [Sun Nov 17 22:14:15 GMT 2013] ==> WARN: Squeeze to Wheezy upgrade will start in 60 seconds...
Barracuda [Sun Nov 17 22:14:15 GMT 2013] ==> WARN: Now pray it will work... or hit ctrl-c to stop now!
Barracuda [Sun Nov 17 22:15:17 GMT 2013] ==> WARN: Too late! Squeeze to Wheezy upgrade in progress...
Barracuda [Sun Nov 17 22:15:17 GMT 2013] ==> HINT: Run tail -f /var/backups/barracuda-upgrade-131117-2213.log
Barracuda [Sun Nov 17 22:15:17 GMT 2013] ==> HINT: in another terminal window to watch details
Barracuda [Sun Nov 17 22:30:09 GMT 2013] ==> INFO: Testing Nginx version...
Barracuda [Sun Nov 17 22:30:11 GMT 2013] ==> INFO: Installed Nginx version nginx/1.5.2, upgrade required
Barracuda [Sun Nov 17 22:30:15 GMT 2013] ==> INFO: Upgrading Nginx...
apt-get install collectd -y --force-yes failed.  Error (if any): 0
 
Displaying the last 15 lines of /var/backups/barracuda-upgrade-131117-2213.log to help troubleshoot this problem
If you see any error with advice to run 'dpkg --configure -a', run this
command first and choose default answer, then run this installer again
 
locale: Cannot set LC_MESSAGES to default locale: No such file or directory
locale: Cannot set LC_ALL to default locale: No such file or directory
Starting statistics collection and monitoring daemon: collectd.
Setting up collectd (5.1.0-3) ...

Configuration file `/etc/collectd/collectd.conf'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : start a shell to examine the situation
 The default action is to keep your current version.
*** collectd.conf (Y/I/N/O/D/Z) [default=N] ? ^TBarracuda [Sun Nov 17 23:11:36 GMT 2013] ==> INFO: No errors? Then Squeeze to Wheezy upgrade was successful - congrats!
Barracuda [Sun Nov 17 23:11:36 GMT 2013] ==> HINT: Please remember to reboot when Barracuda will complete all upgrades
Barracuda [Sun Nov 17 23:11:36 GMT 2013] ==> INFO: Running aptitude update...

So doing the upgrade manually:

aptitude full-upgrade

Quite a lot of packages needed manually configuring via editing their config files to keep the local modifications and to also incorporate updates.

Then the BOA script was run again:

barracuda up-stable system
  Another BOA installer is running probably - /var/run/boa_run.pid exists
rm /var/run/boa_run.pid
barracuda up-stable system
  Some important system task is running probably - /var/run/boa_wait.pid exists
rm /var/run/boa_wait.pid
barracuda up-stable system
  waiting 8 sec

The log for this upgrade was written to /var/backups/reports/up/barracuda/131117/barracuda-up-131117-2346.log and the contents follows:

 
Barracuda [Sun Nov 17 23:46:32 GMT 2013] ==> BOA Skynet welcomes you aboard!
 
Barracuda [Sun Nov 17 23:46:36 GMT 2013] ==> INFO: UPGRADE
Barracuda [Sun Nov 17 23:46:36 GMT 2013] ==> INFO: Reading your /root/.barracuda.cnf config file
Barracuda [Sun Nov 17 23:46:37 GMT 2013] ==> NOTE! Please review all config options displayed below
Barracuda [Sun Nov 17 23:46:37 GMT 2013] ==> NOTE! It will *override* all settings in the Barracuda script
 
###
### Configuration created on 121215-1545
### with Barracuda version BOA-2.0.4
###
### NOTE: the group of settings displayed bellow will *not* be overriden
### on upgrade by the Barracuda script nor by this configuration file.
### They can be defined only on initial Barracuda install.
###
_HTTP_WILDCARD=YES
_MY_OWNIP="81.95.52.103"
#_MY_OWNIP=""
_MY_HOSTN="puffin.webarch.net"
#_MY_HOSTN=""
_MY_FRONT="master.puffin.webarch.net"
_THIS_DB_HOST=localhost
#_THIS_DB_HOST=FQDN
_SMTP_RELAY_TEST=YES
_SMTP_RELAY_HOST=""
_LOCAL_NETWORK_IP=""
_LOCAL_NETWORK_HN=""
###
### NOTE: the group of settings displayed bellow
### will *override* all listed settings in the Barracuda script,
### both on initial install and upgrade.
###
_MY_EMAIL="chris@webarchitects.co.uk"
_XTRAS_LIST="PDS CSF CHV"
_AUTOPILOT=YES
_DEBUG_MODE=NO
_DB_SERVER=MariaDB
_SSH_PORT=22
_LOCAL_DEBIAN_MIRROR="ftp.debian.org"
_LOCAL_UBUNTU_MIRROR="archive.ubuntu.com"
_FORCE_GIT_MIRROR=""
_DNS_SETUP_TEST=YES
_NGINX_EXTRA_CONF=""
_NGINX_WORKERS=AUTO
_PHP_FPM_WORKERS=AUTO
_BUILD_FROM_SRC=NO
_PHP_MODERN_ONLY=YES
_PHP_FPM_VERSION=5.3
_PHP_CLI_VERSION=5.3
#_LOAD_LIMIT_ONE=1444
#_LOAD_LIMIT_TWO=888
_LOAD_LIMIT_ONE=8664
_LOAD_LIMIT_TWO=5328
_CUSTOM_CONFIG_CSF=YES
#_CUSTOM_CONFIG_SQL=NO
_CUSTOM_CONFIG_SQL=YES
_CUSTOM_CONFIG_REDIS=NO
_CUSTOM_CONFIG_PHP_5_2=NO
#_CUSTOM_CONFIG_PHP_5_3=NO
_CUSTOM_CONFIG_PHP_5_3=YES
_SPEED_VALID_MAX=3600
_NGINX_DOS_LIMIT=300
_SYSTEM_UPGRADE_ONLY=YES
_USE_MEMCACHED=NO
#_NEWRELIC_KEY=aekooZaifoov5AhkahChoo5Ehoo6mohVopheemei8ovaiXok6ka
_NEWRELIC_KEY=
_USE_STOCK=NO
###
### Configuration created on 121215-1545
### with Barracuda version BOA-2.0.4
###
### JK reinstall PHP
_EXTRA_PACKAGES=
_PHP_EXTRA_CONF=""
_STRONG_PASSWORDS=NO
_DB_BINARY_LOG=NO
_DB_ENGINE=InnoDB
_NGINX_LDAP=NO
_PHP_GEOS=NO
_PHP_MONGODB=NO
_AEGIR_UPGRADE_ONLY=NO
### Squeeze to Wheezy upgrade config
### See /trac/ticket/535
_SQUEEZE_TO_WHEEZY=YES
_NGINX_FORWARD_SECRECY=YES
_NGINX_SPDY=YES
#_BUILD_FROM_SRC=NO
_NGINX_NAXSI=NO
_PHP_ZEND_OPCACHE=YES
_PERMISSIONS_FIX=NO
_MODULES_FIX=YES
_MODULES_SKIP=""
_SSL_FROM_SOURCES=NO
_SSH_FROM_SOURCES=NO
_RESERVED_RAM=0
 
Barracuda [Sun Nov 17 23:46:49 GMT 2013] ==> INFO: Checking your system version...
 
Barracuda [Sun Nov 17 23:46:49 GMT 2013] ==> Aegir on Debian/wheezy - Skynet Agent v.BOA-2.1.2
 
Barracuda [Sun Nov 17 23:46:49 GMT 2013] ==> INFO: Updating packages sources list...
Barracuda [Sun Nov 17 23:46:49 GMT 2013] ==> INFO: We will use Debian mirror ftp.debian.org
Barracuda [Sun Nov 17 23:47:02 GMT 2013] ==> INFO: Downloading little helpers...
Barracuda [Sun Nov 17 23:47:03 GMT 2013] ==> INFO: Checking BARRACUDA version...
Barracuda [Sun Nov 17 23:47:03 GMT 2013] ==> INFO: BARRACUDA version test: OK
 
Barracuda [Sun Nov 17 23:47:05 GMT 2013] ==> UPGRADE START -> checkpoint: 

  * Your e-mail address appears to be chris@webarchitects.co.uk - is that correct?
  * Your server hostname is puffin.webarch.net.
  * Your Aegir control panel is/will be available at https://master.puffin.webarch.net.

 
Barracuda [Sun Nov 17 23:47:05 GMT 2013] ==> INFO: Cleaning up temp files in /var/opt/
Barracuda [Sun Nov 17 23:47:07 GMT 2013] ==> INFO: Running aptitude update...
Barracuda [Sun Nov 17 23:48:22 GMT 2013] ==> INFO: Upgrading required libraries and tools
Barracuda [Sun Nov 17 23:48:22 GMT 2013] ==> NOTE! This step may take a few minutes, please wait...
Barracuda [Sun Nov 17 23:52:23 GMT 2013] ==> WARNING!

  Locales on this system are broken or not installed
  and/or not configured correctly yet. This is a known
  issue on some systems/hosts which either don't configure
  locales at all or don't use UTF-8 compatible locales
  during initial OS setup.

  We will fix this problem for you now, so you shouldn't
  use any tricks to change system/ssh settings before
  running this installer.

  You can experience problems if your SSH client
  forces locales other than en_US.UTF-8 we are using by default.

  You should log out when this installer will finish all its tasks
  and display last line with "BYE!" and then log in again
  to see the result.

  We will continue in 5 seconds...

Barracuda [Sun Nov 17 23:52:32 GMT 2013] ==> INFO: Testing Nginx version...
Barracuda [Sun Nov 17 23:52:34 GMT 2013] ==> INFO: Installed Nginx version nginx/1.5.6, OK
Barracuda [Sun Nov 17 23:52:34 GMT 2013] ==> INFO: Installed Nginx version nginx/1.5.6, forced rebuild to include purge module
Barracuda [Sun Nov 17 23:52:38 GMT 2013] ==> INFO: Upgrading Nginx...
Barracuda [Sun Nov 17 23:53:54 GMT 2013] ==> INFO: Running aptitude full-upgrade, please wait...
Barracuda [Sun Nov 17 23:54:38 GMT 2013] ==> INFO: Testing Nginx version...
Barracuda [Sun Nov 17 23:54:40 GMT 2013] ==> INFO: Installed Nginx version nginx/1.5.6, OK
Barracuda [Sun Nov 17 23:54:44 GMT 2013] ==> INFO: Installing MySecureShell 1.31...
Barracuda [Sun Nov 17 23:55:13 GMT 2013] ==> INFO: Fix #1 for libs in Debian wheezy
Barracuda [Sun Nov 17 23:55:13 GMT 2013] ==> INFO: Fix #2 for libs in Debian wheezy
Barracuda [Sun Nov 17 23:55:14 GMT 2013] ==> INFO: Checking SMTP connections...
Barracuda [Sun Nov 17 23:55:16 GMT 2013] ==> INFO: Installing VnStat monitor...
Barracuda [Sun Nov 17 23:55:29 GMT 2013] ==> INFO: Upgrading a few more tools...
Barracuda [Sun Nov 17 23:55:32 GMT 2013] ==> INFO: Checking if PHP upgrade is available
Barracuda [Sun Nov 17 23:55:34 GMT 2013] ==> INFO: PHP 5.3.27 rebuild required to include MariaDB 5.5.33a libs
Barracuda [Sun Nov 17 23:55:36 GMT 2013] ==> INFO: Installing PHP-FPM 5.3.27
Barracuda [Sun Nov 17 23:55:36 GMT 2013] ==> NOTE! This step may take longer than 8 minutes, please wait...
Barracuda [Sun Nov 17 23:55:41 GMT 2013] ==> INFO: Installing PHP-FPM 5.3.27 part 1/3
Barracuda [Sun Nov 17 23:55:44 GMT 2013] ==> INFO: Installing PHP-FPM 5.3.27 part 2/3
Barracuda [Sun Nov 17 23:57:36 GMT 2013] ==> INFO: Installing PHP-FPM 5.3.27 part 3/3
Barracuda [Mon Nov 18 00:08:20 GMT 2013] ==> INFO: Installing Imagick for PHP-FPM 5.3.27...
Barracuda [Mon Nov 18 00:08:42 GMT 2013] ==> INFO: Installing Zend OPcache for PHP-FPM 5.3.27...
Barracuda [Mon Nov 18 00:09:03 GMT 2013] ==> INFO: Installing PhpRedis for PHP-FPM 5.3.27...
Barracuda [Mon Nov 18 00:09:24 GMT 2013] ==> INFO: Installing UploadProgress for PHP-FPM 5.3.27...
Barracuda [Mon Nov 18 00:09:35 GMT 2013] ==> INFO: Installing JSMin for PHP-FPM 5.3.27...
Barracuda [Mon Nov 18 00:09:59 GMT 2013] ==> INFO: Upgrading Limited Shell to version 0.9.16.4-om8...
Barracuda [Mon Nov 18 00:10:04 GMT 2013] ==> INFO: Installed Redis version 2.6.16, OK
Barracuda [Mon Nov 18 00:10:06 GMT 2013] ==> INFO: Installing Redis update for Debian/wheezy...
Barracuda [Mon Nov 18 00:11:24 GMT 2013] ==> INFO: Generating random password for Redis server
Barracuda [Mon Nov 18 00:11:30 GMT 2013] ==> INFO: Updating MariaDB and PHP configuration
Barracuda [Mon Nov 18 00:11:31 GMT 2013] ==> INFO: OS and services upgrade completed
 
Barracuda [Mon Nov 18 00:11:33 GMT 2013] ==> INFO: Aegir Master Instance upgrade skipped
 
Barracuda [Mon Nov 18 00:11:35 GMT 2013] ==> INFO: Installing extra Drush versions
Barracuda [Mon Nov 18 00:11:37 GMT 2013] ==> INFO: Drush 4.6-dev installation complete
Barracuda [Mon Nov 18 00:11:37 GMT 2013] ==> INFO: Drush 5.10.0 installation complete
Barracuda [Mon Nov 18 00:11:38 GMT 2013] ==> INFO: Drush 6.1.0 installation complete
Barracuda [Mon Nov 18 00:11:40 GMT 2013] ==> INFO: Upgrading Chive MariaDB Manager...
Barracuda [Mon Nov 18 00:11:47 GMT 2013] ==> INFO: Restarting Redis and PHP-FPM, reloading Nginx
Barracuda [Mon Nov 18 00:11:55 GMT 2013] ==> INFO: Restarting MariaDB server
 
Barracuda [Mon Nov 18 00:12:06 GMT 2013] ==> INFO: New random password for MariaDB generated and updated
Barracuda [Mon Nov 18 00:12:08 GMT 2013] ==> INFO: New entry added to /var/log/barracuda_log.txt
 
Barracuda [Mon Nov 18 00:12:12 GMT 2013] ==> CARD: Now charging your credit card for this auto-upgrade magic...
Barracuda [Mon Nov 18 00:12:18 GMT 2013] ==> JOKE: Just kidding! Enjoy your Aegir Hosting System :)
 
Barracuda [Mon Nov 18 00:12:22 GMT 2013] ==> Final post-upgrade cleaning, please wait a moment...

Barracuda [Mon Nov 18 00:18:27 GMT 2013] ==> BYE!

The the server was rebooted into the new kernel.

It took ages to reload all the iptables rules.

And now many of the site pages display:

Site off-line

The site is currently not available due to technical problems. Please try again later. Thank you for your understanding.

Jim if you are around I think we need to look at the BOA web interface...

[chris]

So mysql wasn't running:

/etc/init.d/mysql status
  [info] MariaDB is stopped..
/etc/init.d/mysql start
  [ ok ] Starting MariaDB database server: mysqld . . . . . ..
  [info] Checking for corrupt, not cleanly closed and upgrade needing tables..

Running the octopus update:

load is 130 while maxload is 1888
Octopus upgrade for User /data/disk/tn
waiting 7 sec
 
Octopus [Mon Nov 18 01:10:57 GMT 2013] ==> BOA Skynet welcomes you aboard!
 
Octopus [Mon Nov 18 01:11:00 GMT 2013] ==> INFO: Reading your /root/.tn.octopus.cnf config file
Octopus [Mon Nov 18 01:11:01 GMT 2013] ==> NOTE! Please review all config options displayed below
 
###
### Configuration created on 121215-1617 with
### Octopus version BOA-2.0.4
###
### NOTE: the group of settings displayed bellow
### will *override* all listed settings in the Octopus script.
###
_USER="tn"
_MY_EMAIL="chris@webarchitects.co.uk"
_PLATFORMS_LIST="D7P OA7"
_ALLOW_UNSUPPORTED=NO
_AUTOPILOT=YES
_HM_ONLY=NO
_O_CONTRIB_UP=YES
_DEBUG_MODE=NO
_MY_OWNIP=
_FORCE_GIT_MIRROR=""
_THIS_DB_HOST=localhost
_DNS_SETUP_TEST=NO
_HOT_SAUCE=NO
_USE_CURRENT=YES
_REMOTE_CACHE_IP=127.0.0.1
_LOCAL_NETWORK_IP=
_PHP_FPM_VERSION=5.3
_PHP_CLI_VERSION=5.3
_USE_STOCK=NO
###
### NOTE: the group of settings displayed bellow will be *overriden*
### by config files stored in the /data/disk/tn/log/ directory,
### but only on upgrade.
###
_DOMAIN="tn.puffin.webarch.net"
_CLIENT_EMAIL="chris@webarchitects.co.uk"
_CLIENT_OPTION="SSD"
_CLIENT_SUBSCR="Y"
_CLIENT_CORES="14"
###
### Configuration created on 121215-1617 with
### Octopus version BOA-2.0.4
###
_STRONG_PASSWORDS=NO
_DEL_OLD_EMPTY_PLATFORMS=0
_SQL_CONVERT=NO
 
Octopus [Mon Nov 18 01:11:08 GMT 2013] ==> UPGRADE in progress...
 
Octopus [Mon Nov 18 01:11:12 GMT 2013] ==> START -> checkpoint: 

  * Your Aegir control panel for this instance is available at https://tn.puffin.webarch.net
  * Your Aegir system user for this instance is tn
  * This Octopus will use PHP-CLI 5.3 for all sites
  * This Octopus will use PHP-FPM 5.3 both for D6 and D7 sites
  * This Octopus includes platforms: D7P OA7 / Unsupported: NO
  * This Octopus options are listed as SSD / Y / 14 C

 
Octopus [Mon Nov 18 01:11:12 GMT 2013] ==> 8s before we will continue...
Octopus [Mon Nov 18 01:11:27 GMT 2013] ==> UPGRADE A: Aegir automated install script part A
Octopus [Mon Nov 18 01:11:27 GMT 2013] ==> UPGRADE A: Checking OCTOPUS version...
Octopus [Mon Nov 18 01:11:27 GMT 2013] ==> UPGRADE A: OCTOPUS version test: OK
Octopus [Mon Nov 18 01:11:27 GMT 2013] ==> UPGRADE A: Shared platforms code v.003 (hot new) will be created
Octopus [Mon Nov 18 01:11:27 GMT 2013] ==> UPGRADE A: Creating directories with correct permissions...
Octopus [Mon Nov 18 01:11:29 GMT 2013] ==> UPGRADE A: Syncing provision backend db_passwd...
Octopus [Mon Nov 18 01:11:33 GMT 2013] ==> UPGRADE A: Running hosting-dispatch (1/3)...
Octopus [Mon Nov 18 01:11:41 GMT 2013] ==> UPGRADE A: Running hosting-dispatch (2/3)...
Octopus [Mon Nov 18 01:11:49 GMT 2013] ==> UPGRADE A: Running hosting-dispatch (3/3)...
 
Octopus [Mon Nov 18 01:11:56 GMT 2013] ==> UPGRADE A: Syncing hostmaster frontend db_passwd...
Octopus [Mon Nov 18 01:11:58 GMT 2013] ==> UPGRADE A: Switching user and running AegirSetupB...
Octopus [Mon Nov 18 01:12:11 GMT 2013] ==> UPGRADE B: Aegir automated install script part B
Octopus [Mon Nov 18 01:12:12 GMT 2013] ==> UPGRADE B: Creating directories with correct permissions
Octopus [Mon Nov 18 01:12:14 GMT 2013] ==> UPGRADE B: Running standard installer
Octopus [Mon Nov 18 01:12:16 GMT 2013] ==> UPGRADE B: Downloading drush...
PHP Warning:  PHP Startup: Unable to load dynamic library '/opt/local/lib/php/extensions/no-debug-non-zts-20090626/newrelic.so' - /opt/local/lib/php/extensions/no-debug-non-zts-20090626/newrelic.so: cannot open shared object file: No such file or directory in Unknown on line 0
Octopus [Mon Nov 18 01:12:17 GMT 2013] ==> UPGRADE B: Drush seems to be functioning properly
Octopus [Mon Nov 18 01:12:17 GMT 2013] ==> UPGRADE B: Installing provision backend in /data/disk/tn/.drush
Octopus [Mon Nov 18 01:12:17 GMT 2013] ==> UPGRADE B: Downloading Drush and Provision extensions...
Octopus [Mon Nov 18 01:12:20 GMT 2013] ==> UPGRADE B: Testing previous install...
Octopus [Mon Nov 18 01:12:20 GMT 2013] ==> UPGRADE B: Hostmaster STATUS: upgrade start
Octopus [Mon Nov 18 01:12:22 GMT 2013] ==> UPGRADE B: Running hostmaster-migrate, please wait...
Octopus [Mon Nov 18 01:14:15 GMT 2013] ==> UPGRADE B: Hostmaster STATUS: upgrade completed
Octopus [Mon Nov 18 01:14:15 GMT 2013] ==> UPGRADE B: Simple check if Aegir upgrade is successful
Octopus [Mon Nov 18 01:14:17 GMT 2013] ==> UPGRADE B: Aegir upgrade test result: OK
Octopus [Mon Nov 18 01:14:17 GMT 2013] ==> UPGRADE B: Enhancing Aegir UI, please wait...
Octopus [Mon Nov 18 01:14:52 GMT 2013] ==> UPGRADE A: Syncing hostmaster frontend db_passwd...
Octopus [Mon Nov 18 01:14:54 GMT 2013] ==> UPGRADE A: Aegir Satellite Instance upgrade completed
 
Octopus [Mon Nov 18 01:15:11 GMT 2013] ==> UPGRADE A: Creating shared directories...
Octopus [Mon Nov 18 01:15:44 GMT 2013] ==> UPGRADE A: Running o_contrib modules check and upgrade...
Octopus [Mon Nov 18 01:16:16 GMT 2013] ==> UPGRADE A: Switching user and running Platforms build
Octopus [Mon Nov 18 01:16:18 GMT 2013] ==> UPGRADE C: Aegir automated install script part C
Octopus [Mon Nov 18 01:16:18 GMT 2013] ==> UPGRADE C: Shared platforms code v.003 (hot new) will be created
 
Octopus [Mon Nov 18 01:16:21 GMT 2013] ==> DISTRO: Drupal 7.23.3 P.003 installation in progress...
Octopus [Mon Nov 18 01:16:23 GMT 2013] ==> DISTRO: Drupal 7.23.3 P.003 installation completed
 
Octopus [Mon Nov 18 01:16:25 GMT 2013] ==> DISTRO: Open Atrium 2.0.4 7.23.3 P.003 installation in progress...
Octopus [Mon Nov 18 01:16:35 GMT 2013] ==> DISTRO: Open Atrium 2.0.4 7.23.3 P.003 installation completed
 
Octopus [Mon Nov 18 01:16:37 GMT 2013] ==> UPGRADE C: Removing some old core themes...
Octopus [Mon Nov 18 01:16:37 GMT 2013] ==> UPGRADE C: Running Platforms Save & Verify tasks, please wait...
Octopus [Mon Nov 18 01:16:47 GMT 2013] ==> UPGRADE A: Platforms installation completed
Octopus [Mon Nov 18 01:16:47 GMT 2013] ==> UPGRADE A: Cleaning up various dot files...
Octopus [Mon Nov 18 01:16:52 GMT 2013] ==> UPGRADE A: Creating ftp symlinks
Octopus [Mon Nov 18 01:16:54 GMT 2013] ==> UPGRADE A: Preparing setupmail.txt
Octopus [Mon Nov 18 01:16:56 GMT 2013] ==> UPGRADE A: Resending setup e-mail on upgrade...
Octopus [Mon Nov 18 01:16:59 GMT 2013] ==> UPGRADE A: New entry added to /data/disk/tn/log/octopus_log.txt
Octopus [Mon Nov 18 01:16:59 GMT 2013] ==> UPGRADE A: Final cleaning, please wait a moment...
Octopus [Mon Nov 18 01:17:36 GMT 2013] ==> UPGRADE A: Replaced /data/all/001/o_contrib/purge with latest release
Octopus [Mon Nov 18 01:17:36 GMT 2013] ==> UPGRADE A: Replaced /data/all/001/o_contrib/expire with latest release
Octopus [Mon Nov 18 01:17:36 GMT 2013] ==> UPGRADE A: Replaced /data/all/001/o_contrib/httprl with latest release
Octopus [Mon Nov 18 01:17:36 GMT 2013] ==> UPGRADE A: Replaced /data/all/001/o_contrib/boost with latest release
Octopus [Mon Nov 18 01:17:36 GMT 2013] ==> UPGRADE A: Replaced /data/all/001/o_contrib/phpass with latest release
Octopus [Mon Nov 18 01:17:36 GMT 2013] ==> UPGRADE A: Replaced /data/all/001/o_contrib/fpa with latest release
Octopus [Mon Nov 18 01:17:36 GMT 2013] ==> UPGRADE A: Replaced /data/all/001/o_contrib/views_content_cache with latest release
Octopus [Mon Nov 18 01:17:38 GMT 2013] ==> UPGRADE A: Replaced /data/all/001/o_contrib_seven/purge with latest release
Octopus [Mon Nov 18 01:17:38 GMT 2013] ==> UPGRADE A: Replaced /data/all/001/o_contrib_seven/expire with latest release
Octopus [Mon Nov 18 01:17:38 GMT 2013] ==> UPGRADE A: Replaced /data/all/001/o_contrib_seven/httprl with latest release
Octopus [Mon Nov 18 01:17:38 GMT 2013] ==> UPGRADE A: Replaced /data/all/001/o_contrib_seven/filefield_nginx_progress with latest release
Octopus [Mon Nov 18 01:17:38 GMT 2013] ==> UPGRADE A: Replaced /data/all/001/o_contrib_seven/boost with latest release
Octopus [Mon Nov 18 01:17:39 GMT 2013] ==> UPGRADE A: Replaced /data/all/001/o_contrib_seven/speedy with latest release
Octopus [Mon Nov 18 01:17:39 GMT 2013] ==> UPGRADE A: Replaced /data/all/001/o_contrib_seven/entitycache with latest release
Octopus [Mon Nov 18 01:17:39 GMT 2013] ==> UPGRADE A: Replaced /data/all/001/o_contrib_seven/taxonomy_edge with latest release
Octopus [Mon Nov 18 01:17:39 GMT 2013] ==> UPGRADE A: Replaced /data/all/001/o_contrib_seven/fpa with latest release
Octopus [Mon Nov 18 01:17:39 GMT 2013] ==> UPGRADE A: Replaced /data/all/001/o_contrib_seven/views_content_cache with latest release
Octopus [Mon Nov 18 01:17:45 GMT 2013] ==> UPGRADE A: Starting the cron now
Octopus [Mon Nov 18 01:17:45 GMT 2013] ==> UPGRADE A: All done!
Octopus [Mon Nov 18 01:17:45 GMT 2013] ==> BYE!
waiting 2 sec
Done for /data/disk/tn



OCTOPUS upgrade completed
Bye

[chris]

I did the fix for the mysql ram file system, see ticket:591#comment:2.

The admin menu at ​https://www.transitionnetwork.org/ doesn't appear to be working, I tried flushing all the caches, Jim -- this is something you need to look at, all /admin/ requests are redirected back to the home page.

The nginx changes wiki:PuffinServer#nginxconfigchanges were not needed but the wiki:PuffinServer#php-fpmconfigchanges php-fpm ones were, I just changed these lines to make munin work:

pm.status_path = /status
ping.path = /ping

And I changed these to drop the number of processes, we don't need so many to start with:

;pm.start_servers = 18
pm.start_servers = 4

;pm.max_spare_servers = 18
pm.max_spare_servers = 4

The new HTTPS ciphers look great, see ​https://www.ssllabs.com/ssltest/analyze.html?d=transitionnetwork.org

This server provides robust Forward Secrecy support.

The mysql munin plugins needed a reinstall:

cd /usr/local/src
wget https://github.com/kjellm/munin-mysql/archive/master.zip
unzip master.zip
cd munin-mysql-master
make install

Looking the the number of connections used in the recent past these values in /etc/mysql/my.cnf were edited:

#max_connections         = 75
#max_user_connections    = 75
max_connections         = 40
max_user_connections    = 40

#join_buffer_size        = 128M
join_buffer_size        = 256M

#query_cache_size        = 512M
query_cache_size        = 1024M

Changes were made to the second.sh script, see wiki:PuffinServer#xdragoshellscriptchanges and the high-load.log was rotated.

I have spent some time looking at all the munin graphs, these should be checked again tomorrow.

[ed]

good work Chris - JIM please attend: admin menu not working - not possible to do any admin functions

[jim]

Fixed.

The /var/xdrago/daily.sh script had not run for some reason, which would take the old control files and make the new ini from them.

I ran it manually. Now double-checking cron.

[jim]

Cron's fine. I guess that script didn't run because something was happening around 4am that prevented it doing its thing.

I've re-verified the main platforms to be doubly sure all is good.

[jim]

So I think it's mission accomplished.

[chris]

The upgrade of wiki:PenguinServer and wiki:ParrotServer to Wheezy are still outstanding, Parrot should be fairly simple, Penguin will potentially be more complicated due to dependencies from the Trac site, wiki:PenguinServer#tech.transitionnetwork.org and the Wagn site wiki:TransitionResearchWagn.

I suggest that we do these this month if there is time in the budget for this work. Can I suggest the evening of Sunday 8th as a good time to do it.

[ed]

Sounds sensible.

[chris]

I just got this email from wiki:PuffinServer:

From: root@puffin.webarch.net (Cron Daemon)                                                                                      
Date: Thu,  5 Dec 2013 13:00:16 +0000 (GMT)                                                                                      
To: root@puffin.webarch.net                                                                                                      
Subject: Cron <root@puffin> if [ -x /etc/munin/plugins/apt_all ]; then /etc/munin/plugins/apt_all update 7200 12 >/dev/null; elif
+[ -x /etc/munin/plugins/apt ]; then /etc/munin/plugins/apt update 7200 12 >/dev/null; fi                                        
                                                                                                                                 
E: The value 'testing' is invalid for APT::Default-Release as such a release is not available in the sources                     
E: The value 'unstable' is invalid for APT::Default-Release as such a release is not available in the sources  

So I have checked the repos and edited these files:

• /etc/apt/sources.list.d/dotdeb.list squeeze changed to wheezy
• /etc/apt/sources.list.d/mariadb.list squeeze changed to wheezy
• /etc/apt/sources.list.d/newrelic.list everything commented out

This caused this updates to be triggered:

libmariadbclient-dev/wheezy libmariadbclient18/wheezy libmariadbd-dev/wheezy libmysqlclient18/wheezy mariadb-client-5.5/wheezy mariadb-client-core-5.5/wheezy mariadb-common/wheezy mariadb-server-5.5/wheezy mariadb-server-core-5.5/wheezy mysql-common/wheezy

Testing the munin apt plugins, there are two:

cd /etc/munin/plugins
munin-run apt
  pending.value 10
  pending.extinfo libmariadbclient-dev libmariadbclient18 libmariadbd-dev libmysqlclient18 mariadb-client-5.5 mariadb-client-core-5.5 mariadb-common mariadb-server-5.5 mariadb-server-core-5.5 mysql-common
  hold.value 0
munin-run apt_all 
  pending_stable.value 0
  hold_stable.value 0
  pending_testing.value 0
  hold_testing.value 0
  pending_unstable.value 0
  hold_unstable.value 0

It seem clear that the apt_all one isn't working properly so I deleted the sym link for it.

[chris]

I was still getting apt errors, by email, every 5 mins, but different ones, following ​http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=638024 I have reenabled the apt_all munin plugin and created a /etc/apt/apt.conf file containing:

APT::Default-Release "stable" ;

And this appears to have stopped the emails.

[chris]

I'm still getting these emails:

E: The value 'testing' is invalid for APT::Default-Release as such a release is not  +available in the sources
E: The value 'unstable' is invalid for APT::Default-Release as such a release is not +available in the sources

So I have edited apt_all and changed:

#my @releases = ("stable", "testing","unstable");
my @releases = ("stable");

Hopefully this will fix it.

[chris]

The upgrade documentation is here ​http://www.debian.org/releases/wheezy/amd64/release-notes/ch-upgrading.en.html

Things that we should check on before running the upgrades on wiki:PenguinServer and wiki:ParrotServer:

• ​Disabling APT pinning check these files: vim /etc/apt/preferences /etc/apt/preferences.d/*
• ​Checking packages status run dpkg --audit save a list of all installed packages, dpkg --get-selections "*" > ~/curr-pkgs.txt
• ​Unofficial sources and backports this is going to be an issue on wiki:PenguinServer, check vim /etc/apt/sources.list.d/*
• ​Adding APT Internet sources vim /etc/apt/sources.list /etc/apt/sources.list.d/* and :1,$s/squeeze/wheezy/gc
• ​Make sure you have sufficient space for the upgrade with apt-get update ; apt-get -o APT::Get::Trivial-Only=true dist-upgrade

Then the actual upgrade:

• ​Minimal system upgrade run apt-get update ; apt-get upgrade
• ​Upgrading the system run apt-get dist-upgrade

I might be able to get some of the above done today, prior to the upgrade tomorrow.

[chris]

List of packages on Parrot when it was running Squeeze

[chris]

Parrot Wheezy Upgrade

Deleted /etc/apt/preferences.d/drush as it's not needed.

Package: drush
Pin: release a=squeeze-backports
Pin-Priority: 1001

Deleted /etc/apt/preferences.d/varnish as it's not needed.

Package: varnish libvarnishapi1 varnish-doc
Pin: release a=squeeze-backports
Pin-Priority: 1001

No results for:

dpkg --audit 

To generate a list of packages:

dpkg --get-selections "*" > ~/curr-pkgs.txt

The output of the above has been posted here ​/trac/attachment/ticket/535/parrot-squeeze.packages.txt

The file, /etc/apt/sources.list.d/squeeze-backports.list which contained:

deb http://backports.debian.org/debian-backports squeeze-backports main

Was deleted.

The /etc/apt/sources.list files was edited to:

#
# wheezy
#
deb     http://ftp.uk.debian.org/debian/     wheezy main contrib non-free
deb-src http://ftp.uk.debian.org/debian/     wheezy main contrib non-free

# 
#  Security updates
# 
deb     http://security.debian.org/ wheezy/updates  main contrib non-free
deb-src http://security.debian.org/ wheezy/updates  main contrib non-free

File space needed was checked:

apt-get update ; apt-get -o APT::Get::Trivial-Only=true dist-upgrade
The following packages will be REMOVED:
  defoma libept1 libpango1.0-common mysql-client-5.1 mysql-server-5.1 mysql-server-core-5.1 php5-suhosin
  x-ttcidfont-conf
The following NEW packages will be installed:
  aptitude-common cpp-4.7 fonts-droid fonts-liberation gcc-4.7 gcc-4.7-base ghostscript git-man gnuplot
  gnuplot-nox groff gsfonts imagemagick imagemagick-common kmod krb5-locales libaio1 libapt-inst1.5
  libapt-pkg4.12 libbind9-80 libblas3 libblas3gf libboost-iostreams1.49.0 libclass-isa-perl libcroco3
  libcupsimage2 libdb5.1 libdjvulibre-text libdjvulibre21 libdns88 libencode-locale-perl libept1.4.12 libexiv2-12
  libffi5 libfile-listing-perl libgdk-pixbuf2.0-0 libgdk-pixbuf2.0-common libgfortran3 libgmp10 libgs9
  libgs9-common libhtml-form-perl libhttp-cookies-perl libhttp-daemon-perl libhttp-date-perl libhttp-message-perl
  libhttp-negotiate-perl libice6 libicu48 libijs-0.35 libilmbase6 libio-socket-inet6-perl libio-socket-ssl-perl
  libisc84 libisccc80 libisccfg82 libitm1 libjbig0 libjbig2dec0 libjpeg8 libjs-jquery libjs-sphinxdoc
  libjs-underscore libkmod2 liblcms1 liblcms2-2 liblensfun-data liblensfun0 liblinear-tools liblinear1
  liblist-moreutils-perl liblqr-1-0 liblwp-mediatypes-perl liblwp-protocol-https-perl liblwres80 liblzma5
  libmagickcore5 libmagickcore5-extra libmagickwand5 libmount1 libmpc2 libmysqlclient18 libnet-http-perl
  libnet-ssleay-perl libnetpbm10 libnl-3-200 libnl-genl-3-200 libopenexr6 libp11-kit0 libpam-modules-bin
  libpaper-utils libpaper1 libpipeline1 libprocps0 libquadmath0 librsvg2-2 librsvg2-common librtmp0
  libsemanage-common libsemanage1 libsensors4 libsigsegv2 libsm6 libsocket6-perl libssl-doc libssl1.0.0
  libsvm-tools libswitch-perl libsystemd-login0 libtinfo5 libtokyocabinet9 libustr-1.0-1 libwmf0.2-7
  libwww-robotrules-perl libxaw7 libxcb-shm0 libxmu6 libxt6 multiarch-support munin-plugins-core
  munin-plugins-extra mysql-client-5.5 mysql-server-5.5 mysql-server-core-5.5 ncurses-term netpbm
  php-console-table poppler-data psutils python2.7 python2.7-minimal ufraw-batch
The following packages will be upgraded:
  adduser apache2-mpm-itk apache2-utils apache2.2-bin apache2.2-common apt apt-listchanges apt-show-versions
  apt-utils apticron aptitude autoconf automake autotools-dev backupninja base-files base-passwd bash bc
  bind9-host binutils bsdmainutils bsdutils busybox bzip2 ca-certificates chrony coreutils cpio cpp cpp-4.4 cron
  curl dash dbconfig-common dbus debconf debconf-i18n debian-archive-keyring debianutils denyhosts dialog
  diffutils dmidecode dnsutils dos2unix dpkg drush e2fslibs e2fsprogs exim4 exim4-base exim4-config
  exim4-daemon-light expect file findutils firmware-linux-free fontconfig fontconfig-config gawk gcc gcc-4.4
  gcc-4.4-base geoip-database git gnupg gpgv grep groff-base gzip haveged heirloom-mailx hostname iftop ifupdown
  info initramfs-tools initscripts insserv install-info iproute iptables iptraf iputils-ping isc-dhcp-client
  isc-dhcp-common iso-codes klibc-utils less libacl1 libapache2-mod-php5 libapr1 libaprutil1
  libaprutil1-dbd-sqlite3 libaprutil1-ldap libapt-pkg-perl libatk1.0-0 libatk1.0-data libattr1 libavahi-client3
  libavahi-common-data libavahi-common3 libblkid1 libbsd0 libbz2-1.0 libc-bin libc-dev-bin libc6 libc6-dev
  libcairo2 libcap2 libcomerr2 libcups2 libcurl3 libcurl3-gnutls libcwidget3 libdate-manip-perl libdatrie1
  libdbd-mysql-perl libdbi-perl libdbus-1-3 libedit2 libexpat1 libfont-freetype-perl libfontconfig1 libfontenc1
  libfreetype6 libgcc1 libgcrypt11 libgd2-xpm libgdbm3 libgeoip1 libglib2.0-0 libglib2.0-data libgnutls26
  libgomp1 libgpg-error0 libgpgme11 libgpm2 libgssapi-krb5-2 libgtk2.0-0 libgtk2.0-bin libgtk2.0-common
  libhtml-format-perl libhtml-parser-perl libhtml-template-perl libhtml-tree-perl libidn11 libio-multiplex-perl
  libjasper1 libjpeg62 libjs-mootools libk5crypto3 libkeyutils1 libklibc libkrb5-3 libkrb5support0 libldap-2.4-2
  liblocale-gettext-perl libltdl-dev libltdl7 liblua5.1-0 libmagic1 libmailtools-perl libmpfr4 libncurses5
  libncursesw5 libneon27-gnutls libnet-cidr-perl libnet-daemon-perl libnet-server-perl libnet-snmp-perl
  libnewt0.52 libnfnetlink0 libnl1 libpam-modules libpam-mysql libpam-runtime libpam0g libpango1.0-0 libpcap0.8
  libpcre3 libpixman-1-0 libpng12-0 libpopt0 libqdbm14 libreadline5 libreadline6 librsync1 libsasl2-2
  libsasl2-modules libselinux1 libsepol1 libsigc++-2.0-0c2a libslang2 libsqlite3-0 libss2 libssh2-1 libssl-dev
  libstdc++6 libsvn1 libt1-5 libtasn1-3 libtext-charwidth-perl libtext-iconv-perl libthai-data libthai0 libtiff4
  libtool libudev0 liburi-perl libusb-0.1-4 libuuid-perl libuuid1 libwrap0 libwww-perl libx11-6 libx11-data
  libxapian22 libxau6 libxcb-render-util0 libxcb-render0 libxcb1 libxcomposite1 libxcursor1 libxdamage1 libxdmcp6
  libxext6 libxfixes3 libxfont1 libxft2 libxi6 libxinerama1 libxml2 libxmuu1 libxpm4 libxrandr2 libxrender1
  libyaml-syck-perl linux-base linux-libc-dev locales locate login logrotate logtail logwatch lsb-base
  lsb-release lynx lynx-cur m4 man-db manpages manpages-dev mawk metche mime-support module-init-tools mount mtr
  munin-common munin-node mutt mysql-common mysql-server nano ncurses-base ncurses-bin net-tools netbase
  netcat-traditional nmap openssh-blacklist openssh-blacklist-extra openssh-client openssh-server openssl passwd
  patch perl perl-base perl-modules php-pear php-xml-parser php5 php5-cli php5-common php5-curl php5-dev php5-gd
  php5-intl php5-mcrypt php5-mysql php5-xmlrpc phpmyadmin popularity-contest procps psmisc pwgen python
  python-apt python-apt-common python-central python-minimal python-pylibacl python-pyxattr python-support
  python2.6 python2.6-minimal quota quotatool rdate rdiff-backup readline-common rsync rsyslog screen sed
  sensible-utils sgml-base shared-mime-info ssl-cert subversion sudo sysstat sysv-rc sysvinit sysvinit-utils tar
  tasksel tasksel-data tcl8.5 tcpd tcpdump timelimit traceroute ttf-dejavu-core tzdata ucf udev unzip
  update-inetd util-linux util-linux-locales vim vim-common vim-runtime vim-tiny wget whiptail wwwconfig-common
  x11-common xauth xfonts-encodings xfonts-utils xml-core xz-utils zip zlib1g zlib1g-dev
362 upgraded, 132 newly installed, 8 to remove and 0 not upgraded.
Need to get 257 MB of archives.
After this operation, 203 MB of additional disk space will be used.
E: Trivial Only specified but this is not a trivial operation.

The MySQL databases were backed up using ninjahelper to run /etc/backup.d/20.mysql.

Initial, minimal upgrade:

apt-get update ; apt-get upgrade
The following packages have been kept back:
  apache2-mpm-itk apache2-utils apache2.2-bin apache2.2-common apt apt-utils aptitude base-files bash bind9-host binutils
  bsdmainutils bzip2 ca-certificates chrony coreutils cpp cpp-4.4 curl dbus denyhosts dialog dnsutils dpkg drush e2fslibs e2fsprogs
  exim4 exim4-base exim4-daemon-light file fontconfig fontconfig-config gawk gcc gcc-4.4 gcc-4.4-base git heirloom-mailx iftop
  ifupdown info initscripts iproute iptables iptraf iputils-ping less libacl1 libapache2-mod-php5 libaprutil1
  libaprutil1-dbd-sqlite3 libaprutil1-ldap libapt-pkg-perl libatk1.0-0 libattr1 libavahi-client3 libavahi-common3 libblkid1 libbsd0
  libbz2-1.0 libc-bin libc-dev-bin libc6 libc6-dev libcairo2 libcap2 libcomerr2 libcups2 libcurl3 libcurl3-gnutls libcwidget3
  libdatrie1 libdbd-mysql-perl libdbi-perl libdbus-1-3 libedit2 libexpat1 libfont-freetype-perl libfontconfig1 libfontenc1
  libfreetype6 libgcc1 libgcrypt11 libgd2-xpm libgdbm3 libglib2.0-0 libgnutls26 libgomp1 libgpg-error0 libgpgme11 libgpm2
  libgssapi-krb5-2 libgtk2.0-0 libgtk2.0-bin libgtk2.0-common libhtml-parser-perl libidn11 libjasper1 libjpeg62 libk5crypto3
  libkeyutils1 libkrb5-3 libkrb5support0 libldap-2.4-2 liblocale-gettext-perl libltdl-dev libltdl7 liblua5.1-0 libmagic1 libmpfr4
  libncurses5 libncursesw5 libneon27-gnutls libnet-server-perl libnewt0.52 libnl1 libpam-modules libpam-mysql libpam0g libpango1.0-0
  libpcap0.8 libpcre3 libpixman-1-0 libpng12-0 libpopt0 libreadline5 libreadline6 librsync1 libsasl2-2 libsasl2-modules libselinux1
  libsepol1 libsigc++-2.0-0c2a libslang2 libsqlite3-0 libss2 libssh2-1 libssl-dev libstdc++6 libsvn1 libtasn1-3
  libtext-charwidth-perl libtext-iconv-perl libthai0 libtiff4 libudev0 libusb-0.1-4 libuuid-perl libuuid1 libwrap0 libwww-perl
  libx11-6 libx11-data libxapian22 libxau6 libxcb-render-util0 libxcb-render0 libxcb1 libxcomposite1 libxcursor1 libxdamage1
  libxdmcp6 libxext6 libxfixes3 libxft2 libxi6 libxinerama1 libxml2 libxmuu1 libxpm4 libxrandr2 libxrender1 libyaml-syck-perl
  locales lsb-release lynx lynx-cur man-db module-init-tools mount mtr munin-common munin-node mutt mysql-common mysql-server nano
  ncurses-bin netbase nmap openssh-client openssh-server openssl passwd perl perl-base perl-modules php-pear php5 php5-cli
  php5-common php5-curl php5-dev php5-gd php5-intl php5-mcrypt php5-mysql php5-xmlrpc procps psmisc python python-apt python-minimal
  python-pylibacl python-pyxattr python2.6 python2.6-minimal quota rdiff-backup rsync rsyslog screen sgml-base subversion sysstat
  sysvinit tasksel tcpdump udev util-linux util-linux-locales vim vim-common vim-runtime vim-tiny wget whiptail xml-core xz-utils
  zlib1g zlib1g-dev
The following packages will be upgraded:
  adduser apt-listchanges apt-show-versions apticron autoconf automake autotools-dev backupninja base-passwd bc bsdutils busybox
  cpio cron dash dbconfig-common debconf debconf-i18n debian-archive-keyring debianutils diffutils dmidecode dos2unix exim4-config
  expect findutils firmware-linux-free geoip-database gnupg gpgv grep groff-base gzip haveged hostname initramfs-tools insserv
  install-info isc-dhcp-client isc-dhcp-common iso-codes klibc-utils libapr1 libatk1.0-data libavahi-common-data libdate-manip-perl
  libgeoip1 libglib2.0-data libhtml-format-perl libhtml-template-perl libhtml-tree-perl libio-multiplex-perl libjs-mootools libklibc
  libmailtools-perl libnet-cidr-perl libnet-daemon-perl libnet-snmp-perl libnfnetlink0 libpam-runtime libqdbm14 libt1-5 libthai-data
  libtool liburi-perl libxfont1 linux-base linux-libc-dev locate login logrotate logtail logwatch lsb-base m4 manpages manpages-dev
  mawk metche mime-support ncurses-base net-tools netcat-traditional openssh-blacklist openssh-blacklist-extra patch php-xml-parser
  phpmyadmin popularity-contest pwgen python-apt-common python-central python-support quotatool rdate readline-common sed
  sensible-utils shared-mime-info ssl-cert sudo sysv-rc sysvinit-utils tar tasksel-data tcl8.5 tcpd timelimit traceroute
  ttf-dejavu-core tzdata ucf unzip update-inetd wwwconfig-common x11-common xauth xfonts-encodings xfonts-utils zip
120 upgraded, 0 newly installed, 0 to remove and 242 not upgraded.
Need to get 46.8 MB of archives.
After this operation, 13.7 MB disk space will be freed.
Do you want to continue [Y/n]? Y

apticron (1.1.51) unstable; urgency=low

  New config option CUSTOM_FROM allows setting a custom sender by replacing the
  default 'From:' field in the notification emails.

 -- Tiago Bortoletto Vaz <tiago@debian.org>  Mon, 29 Aug 2011 00:00:23 -0300

backupninja (1.0~rc1-1) unstable; urgency=low

  duplicity 0.6.17 and later has moved to a new sftp/scp backend
  which no longer uses sftp/scp client programs, but instead relies on
  paramiko, a Python ssh+sftp implementation.

  Therefore, the sshoptions option of the backupninja duplicity handler
  cannot be used for anything but the one supported by this new backend:
  -oIdentityfile=some_key_file -- all other ssh options are ignored.

 -- intrigeri <intrigeri@debian.org>  Fri, 27 Apr 2012 23:07:11 +0200

backupninja (0.9.10-1) unstable; urgency=low

  Being severely broken for ages (see #596935), LDAP support was removed upstream.
  It will come back once this code has found itself a maintainer.
  Interested? Get in touch!

 -- intrigeri <intrigeri+debian@boum.org>  Fri, 23 Sep 2011 17:32:11 +0200

cron (3.0pl1-119) unstable; urgency=low

    The semantics of the -L option of the cron daemon have changed: from
    now on, the value will be interpreted as a bitmask of various log
    selectors, with "1" (log only the start of jobs) being the new default.

    Additionally, since -117 (NEWS entry was overlooked), the LSBNAMES
    variable in /etc/default/cron was merged with the EXTRA_OPTS variable
    as it was redundant.

 -- Christian Kastner <debian@kvr.at>  Sun, 07 Aug 2011 21:13:19 +0200

expect (5.45-1) unstable; urgency=low

    As of Expect 5.45 expectk was removed from the upstream distribution
    and from the Debian package as well. If you're using expectk replace it
    either by 'expect' and 'package require Tk' or by 'wish' and
    'package require Expect'.

 -- Sergei Golovan <sgolovan@debian.org>  Wed, 17 Aug 2011 21:50:29 +0400

libdate-manip-perl (6.23-1) unstable; urgency=low

  Renamed one Date::Manip::Recur method

  The Date::Manip::Recur::base method has been renamed to basedate.  The
  Date::Manip::Recur::base method should return the Date::Manip::Base object
  like all the other Date::Manip modules.
 -- gregor herrmann <gregoa@debian.org>  Wed, 20 Apr 2011 22:42:38 +0200

libdate-manip-perl (6.20-1) unstable; urgency=low

  Reworked recurrences

  Recurrences were reworked in a (slightly) backward incompatible way to
  improve their usefulness (and to make them conform to the expected
  results). Most recurrences will work the same, but a few will
  differ.

  Cf. `man Date::Manip::Changes6' or `perldoc Date::Manip::Changes6'.

 -- gregor herrmann <gregoa@debian.org>  Wed, 29 Dec 2010 16:28:09 +0100

libdate-manip-perl (6.14-1) unstable; urgency=low

  As of Date::Manip 6.14, the 5.xx release is fully integrated into the
  distribution. Both will be installed automatically and you can switch
  between them. Cf. `man Date::Manip' or `perldoc Date::Manip'.

 -- gregor herrmann <gregoa@debian.org>  Tue, 26 Oct 2010 16:47:26 +0200

libhtml-tree-perl (5.00-1) unstable; urgency=low

  [THINGS THAT MAY BREAK YOUR CODE OR TESTS]
  * Use weak references to avoid memory leaks
    See "Weak References" in HTML::Element for details.
  * new_from_file now dies if the file cannot be opened.  $! records
    the specific problem.  (Previously, you got a tree with a few
    implicit elements.)
  * Some methods normally returning a scalar could return the empty
    list in certain circumstances.  This has been corrected.  The
    affected methods are: address, deobjectify_text, detach, is_inside,
    & pindex.
  * deprecate the Version sub/method.  Use the VERSION method instead.

 -- gregor herrmann <gregoa@debian.org>  Fri, 15 Jun 2012 14:50:32 +0200

linux-base (3) unstable; urgency=low

  * Some HP Smart Array controllers are now handled by the new 'hpsa'
    driver, rather than the 'cciss' driver.

    While the cciss driver presented disk device names beginning with
    'cciss/', hpsa makes disk arrays appear as ordinary SCSI disks and
    presents device names beginning with 'sd'.  In a system that already
    has other SCSI or SCSI-like devices, names may change unpredictably.

    During the upgrade from earlier versions, you will be prompted to
    update configuration files which refer to device names that may
    change.  You can choose to do this yourself or to follow an automatic
    upgrade process.  All changed configuration files are backed up with
    a suffix of '.old' (or '^old' in one case).
 -- Ben Hutchings <ben@decadent.org.uk>  Wed, 16 Mar 2011 13:19:34 +0000

logrotate (3.8.0-1) experimental; urgency=low

  Please note that this update changes the behaviour of logrotate:

  Logrotate now skips directories which are world writable or writable 
  by group which is not "root" unless the (new) "su" directive is used.

 -- Paul Martin <pm@debian.org>  Sun, 28 Aug 2011 19:16:36 +0100

lsb (4.1+Debian1) unstable; urgency=low

  This version implements a new "Fancy output" in the form of "[....] "
  blocks prepended to the daemon status messages:

  Before:
     Starting/stopping long daemon name: daemond daemon2d
  After:
     [....] Starting/stopping long daemon name: daemond daemon2d

  This block will become either a green [ ok ], a yellow [warn]
  or a red [FAIL] depending on the daemon exit status.

  The "Fancy output" can be disabled by setting the FANCYTTY variable to 0
  in the /etc/lsb-base-logging.sh configuration file.

 -- Didier Raboud <odyx@debian.org>  Thu, 19 Apr 2012 11:25:01 +0200

pam (1.1.2-1) unstable; urgency=low

  * Name of option for minimum Unix password length has changed

    The Debian-specific 'min=n' option to pam_unix for specifying minimum
    lengths for new passwords has been replaced by a new upstream option
    called 'minlen=n'.  If you are using 'min=n' in
    /etc/pam.d/common-password, this will be migrated to the new option name
    for you on upgrade.  If you have configured pam_unix password changing
    elsewhere on your system, such as in a PAM profile under
    /usr/share/pam-configs or in other files in /etc/pam.d, you will need to
    update them by hand for this change.

 -- Steve Langasek <vorlon@debian.org>  Tue, 31 Aug 2010 23:09:30 -0700

patch (2.6.1-1) unstable; urgency=low

  The options -U --unified-reject-files and --global-reject-file have now been
  removed.

 -- Christoph Berg <myon@debian.org>  Sun, 06 Feb 2011 20:17:11 +0100

qdbm (1.8.78-1) unstable; urgency=low

    gdbm emulation (hovel) is dropped from this version (cf. #620550).
    The Debian-specific 'min=n' option to pam_unix for specifying minimum
    lengths for new passwords has been replaced by a new upstream option
    called 'minlen=n'.  If you are using 'min=n' in
    /etc/pam.d/common-password, this will be migrated to the new option name
    for you on upgrade.  If you have configured pam_unix password changing
    elsewhere on your system, such as in a PAM profile under
    /usr/share/pam-configs or in other files in /etc/pam.d, you will need to
    update them by hand for this change.

 -- Steve Langasek <vorlon@debian.org>  Tue, 31 Aug 2010 23:09:30 -0700

patch (2.6.1-1) unstable; urgency=low

  The options -U --unified-reject-files and --global-reject-file have now been
  removed.

 -- Christoph Berg <myon@debian.org>  Sun, 06 Feb 2011 20:17:11 +0100

qdbm (1.8.78-1) unstable; urgency=low

    gdbm emulation (hovel) is dropped from this version (cf. #620550).
    It breaks symbol versioning policy to keep its old version despite
    dropping gdbm_* symbols, assuming nobody use it.
    If you've used its functionarity, please switch to gdbm, or rebuild
    source package removing "--disable-gdbm" flag.

 -- KURASHIKI Satoru <lurdan@gmail.com>  Fri, 19 Aug 2011 08:38:15 +0900

sudo (1.8.2-1) unstable; urgency=low

  The sudo package is no longer configured using --with-secure-path.
  Instead, the provided sudoers file now contains a line declaring
  'Defaults secure_path=' with the same path content that was previously
  hard-coded in the binary.  A consequence of this change is that if you
  do not have such a definition in sudoers, the PATH searched for commands
  by sudo may be empty.

  Using explicit paths for each command you want to run with sudo will work
  well enough to allow the sudoers file to be updated with a suitable entry
  if one is not already present and you choose to not accept the updated
  version provided by the package.
  
 -- Bdale Garbee <bdale@gag.com>  Wed, 24 Aug 2011 13:33:11 -0600

sysvinit-utils (2.88dsf-17) unstable; urgency=low

  bootlogd has moved from sysvinit-utils to a separate bootlogd package. If
  you wish to continue using bootlogd, please install the bootlogd package.
  Note that the configuration file /etc/default/bootlogd and its option
  BOOTLOGD_ENABLE no longer exist; if you do not wish to run bootlogd, remove
  the bootlogd package.

 -- Josh Triplett <josh@joshtriplett.org>  Mon, 19 Dec 2011 12:03:08 +0000

Participate in the package usage survey? No

┌──────────────────────────────────────────────────┤ Configuring phpmyadmin ├───────────────────────────────────────────────────┐
  │                                                                                                                               │ 
  │ The phpmyadmin package must have a database installed and configured before it can be used.  This can be optionally handled   │ 
  │ with dbconfig-common.                                                                                                         │ 
  │                                                                                                                               │ 
  │ If you are an advanced database administrator and know that you want to perform this configuration manually, or if your       │ 
  │ database has already been installed and configured, you should refuse this option.  Details on what needs to be done should   │ 
  │ most likely be provided in /usr/share/doc/phpmyadmin.                                                                         │ 
  │                                                                                                                               │ 
  │ Otherwise, you should probably choose this option.                                                                            │ 
  │                                                                                                                               │ 
  │ Configure database for phpmyadmin with dbconfig-common?                                                                       │ 
  │                                                                                                                               │ 
  │                                      <Yes>                                         <No>                                       │ 
  │                                                                                                                               │ 
  └───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘ 

No

                     ┌────────────────────────────────┤ Configuring phpmyadmin ├────────────────────────────────┐
                     │ Please choose the web server that should be automatically configured to run phpMyAdmin.  │ 
                     │                                                                                          │ 
                     │ Web server to reconfigure automatically:                                                 │ 
                     │                                                                                          │ 
                     │    [*] apache2                                                                           │ 
                     │    [ ] lighttpd                                                                          │ 
                     │                                                                                          │ 
                     │                                                                                          │ 
                     │                         <Ok>                             <Cancel>                        │ 
                     │                                                                                          │ 
                     └──────────────────────────────────────────────────────────────────────────────────────────┘ 

Ok

Configuration file `/etc/securetty'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : start a shell to examine the situation
 The default action is to keep your current version.
*** securetty (Y/I/N/O/D/Z) [default=N] ? D

--- /etc/securetty      2013-04-30 11:31:36.000000000 +0100
+++ /etc/securetty.dpkg-new     2012-05-25 22:24:43.000000000 +0100
@@ -230,6 +230,12 @@
 ttyAM14
 ttyAM15
 
+# Embedded ARM AMBA PL011 ports (e.g. emulated by QEMU)
+ttyAMA0
+ttyAMA1
+ttyAMA2
+ttyAMA3
+
 # DataBooster serial ports
 ttyDB0
 ttyDB1
@@ -355,6 +361,10 @@
 hvc0
 hvc1
 #...
+#IBM pSeries console ports
+hvsi0
+hvsi1
+hvsi2
 
 # Equinox SST multi-port serial boards
 ttyEQ0
@@ -363,7 +373,7 @@
 
 # ==========================================================
 #
-# Not in Documentation/Devicess.txt
+# Not in Documentation/Devices.txt
 #
 # ==========================================================
 
@@ -375,10 +385,9 @@
 ttymxc4
 ttymxc5
 
-# Embedded ARM AMBA PL011 ports (e.g. emulated by QEMU)
-ttyama0
-ttyama1
-ttyama2
-ttyama3
+# Serial Console for MIPS Swarm
+duart0
+duart1
 
-hvc0
+# s390 and s390x ports in LPAR mode
+ttysclp0

The diference here is to add some thing and remove:

ttyama0
ttyama1
ttyama2
ttyama3

That is fine, these are not used AFAIK, also this is to be removed:

hvc0

But that's is in twice already:

# IBM iSeries/pSeries virtual console
hvc0
hvc1

So accepting the new version.

*** securetty (Y/I/N/O/D/Z) [default=N] ? Y

 ┌───────────────────────────────────────────────────┤ Configuring linux-base ├────────────────────────────────────────────────────┐
 │                                                                                                                                 │ 
 │ The new Linux kernel version provides different drivers for some PATA (IDE) controllers. The names of some hard disk, CD-ROM,   │ 
 │ and tape devices may change.                                                                                                    │ 
 │                                                                                                                                 │ 
 │ It is now recommended to identify disk devices in configuration files by label or UUID (unique identifier) rather than by       │ 
 │ device name, which will work with both old and new kernel versions.                                                             │ 
 │                                                                                                                                 │ 
 │ If you choose to not update the system configuration automatically, you must update device IDs yourself before the next system  │ 
 │ reboot or the system may become unbootable.                                                                                     │ 
 │                                                                                                                                 │ 
 │ Update disk device IDs in system configuration?                                                                                 │ 
 │                                                                                                                                 │ 
 │                                      <Yes>                                         <No>                                         │ 
 │                                                                                                                                 │ 
 └─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘ 

No

  ┌───────────────────────────────────────────────────┤ Configuring linux-base ├───────────────────────────────────────────────────┐
  │                                                                                                                                │ 
  │ Boot loader configuration check needed                                                                                         │ 
  │                                                                                                                                │ 
  │ The boot loader configuration for this system was not recognized. These settings in the configuration may need to be updated:  │ 
  │                                                                                                                                │ 
  │  * The root device ID passed as a kernel parameter;                                                                            │ 
  │  * The boot device ID used to install and update the boot loader.                                                              │ 
  │                                                                                                                                │ 
  │                                                                                                                                │ 
  │ You should generally identify these devices by UUID or label. However, on MIPS systems the root device must be identified by   │ 
  │ name.                                                                                                                          │ 
  │                                                                                                                                │ 
  │                                                             <Ok>                                                               │ 
  │                                                                                                                                │ 
  └────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘ 
                                                                                                                                     
Ok

    ┌──────────────────────────────────────────────────┤ Configuring metche ├───────────────────────────────────────────────────┐
    │ A new version of configuration file /etc/metche.conf is available, but the version installed currently has been locally   │ 
    │ modified.                                                                                                                 │ 
    │                                                                                                                           │ 
    │ What do you want to do about modified configuration file metche.conf?                                                     │ 
    │                                                                                                                           │ 
    │                                install the package maintainer's version                                                   │ 
    │                                keep the local version currently installed                                                 │ 
    │                                show the differences between the versions                                                  │ 
    │                                show a side-by-side difference between the versions                                        │ 
    │                                show a 3-way difference between available versions                                         │ 
    │                                do a 3-way merge between available versions (experimental)                                 │ 
    │                                start a new shell to examine the situation                                                 │ 
    │                                                                                                                           │ 
    │                                                                                                                           │ 
    │                                                          <Ok>                                                             │ 
    │                                                                                                                           │ 
    └───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘ 

                            ┌──────────────────────────┤ Configuring metche ├───────────────────────────┐
                            │                                                                           │ 
                            │ Line by line differences between versions                                 │ 
                            │                                                                           │ 
                            │ --- /etc/metche.conf 2013-05-01 22:12:29.000000000 +0100                  │ 
                            │ +++ /tmp/filehxCqw3 2013-12-08 15:05:11.551475766 +0000                   │ 
                            │ @@ -51,13 +51,13 @@                                                       │ 
                            │  # - "printcap" when cups browsing feature are used.                      │ 
                            │  #                                                                        │ 
                            │  # Example (default value):                                               │ 
                            │ -EXCLUDES="*.swp #* *~ *.gpg *.key ifstate adjtime ld.so.cache shadow* \  │ 
                            │ - .cache .gnupg blkid.tab* aumixrc net.enable mtab backup.d \             │ 
                            │ - vdirbase run.rev vdir run.rev \                                         │ 
                            │ - prng_exch smtp_scache.pag smtpd_scache.pag \                            │ 
                            │ - smtp_scache.dir smtpd_scache.dir local.sh \                             │ 
                            │ - ssh_host_dsa_key* ssh_host_rsa_key* \                                   │ 
                            │ - hosts.deny"                                                             │ 
                            │ +#EXCLUDES=".git _darcs .svn .bzr CVS .hg _FOSSIL_ \                      │ 
                            │ +# *.swp #* *~ *.gpg *.key ifstate adjtime ld.so.cache shadow* \          │ 
                            │ +# .cache .gnupg blkid.tab* aumixrc net.enable mtab backup.d \            │ 
                            │ +# vdirbase run.rev vdir run.rev \                                        │ 
                            │ +# prng_exch smtp_scache.pag smtpd_scache.pag \                           │ 
                            │ +# smtp_scache.dir smtpd_scache.dir local.sh \                            │ 
                            │ +# ssh_host_dsa_key* ssh_host_rsa_key*"                                   │ 
                            │                                                                           │ 
                            │  # Locale (will be used to feed LC_ALL)                                   │ 
                            │  # Warning: values different from "C" are untested.                       │ 
                            │                                                                           │ 
                            │                                  <Ok>                                     │ 
                            │                                                                           │ 
                            └───────────────────────────────────────────────────────────────────────────┘ 
                                                                                                          
install the package maintainer's version 
Ok

Configuration file `/etc/sudoers'
 ==> File on system created by you or by a script.
 ==> File also in package provided by package maintainer.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : start a shell to examine the situation
 The default action is to keep your current version.
*** sudoers (Y/I/N/O/D/Z) [default=N] ? D

--- /etc/sudoers        2013-04-30 11:35:55.000000000 +0100
+++ /etc/sudoers.dpkg-new       2013-03-01 05:20:20.000000000 +0000
@@ -1,11 +1,14 @@
-# /etc/sudoers
 #
 # This file MUST be edited with the 'visudo' command as root.
 #
+# Please consider adding local content in /etc/sudoers.d/ instead of
+# directly modifying this file.
+#
 # See the man page for details on how to write a sudoers file.
 #
-
 Defaults       env_reset
+Defaults       mail_badpass
+Defaults       secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
 
 # Host alias specification
 
@@ -14,12 +17,11 @@
 # Cmnd alias specification
 
 # User privilege specification
-root   ALL=(ALL) ALL
+root   ALL=(ALL:ALL) ALL
 
 # Allow members of group sudo to execute any command
-# (Note that later entries override this, so you might need to move
-# it further down)
-# %sudo ALL=(ALL) ALL
-%sudo ALL=NOPASSWD: ALL
-#
+%sudo  ALL=(ALL:ALL) ALL
+
+# See sudoers(5) for more information on "#include" directives:
+
 #includedir /etc/sudoers.d

Y

Then /etc/sudoers was manually edited to add back:

%sudo ALL=NOPASSWD: ALL

Configuration file `/etc/phpmyadmin/config.inc.php'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : start a shell to examine the situation
 The default action is to keep your current version.
*** config.inc.php (Y/I/N/O/D/Z) [default=N] ? D

--- /etc/phpmyadmin/config.inc.php      2013-04-30 11:40:26.000000000 +0100
+++ /etc/phpmyadmin/config.inc.php.dpkg-new     2012-03-28 19:50:54.000000000 +0100
@@ -5,7 +5,10 @@
  * This file overrides the settings made by phpMyAdmin interactive setup
  * utility.
  *
- * For example configuration see /usr/share/doc/phpmyadmin/examples/config.default.php.gz
+ * For example configuration see
+ *   /usr/share/doc/phpmyadmin/examples/config.sample.inc.php
+ * or
+ *   /usr/share/doc/phpmyadmin/examples/config.manyhosts.inc.php
  *
  * NOTE: do not add security sensitive data to this file (like passwords)
  * unless you really know what you're doing. If you do, any user that can
@@ -14,6 +17,12 @@
  * (also on the filesystem level).
  */
 
+// Load secret generated on postinst
+include('/var/lib/phpmyadmin/blowfish_secret.inc.php');
+
+// Load autoconf local config
+include('/var/lib/phpmyadmin/config.inc.php');
+
 /**
  * Server(s) configuration
  */
@@ -28,6 +37,9 @@
  */
 if (is_readable('/etc/phpmyadmin/config-db.php')) {
     require('/etc/phpmyadmin/config-db.php');
+} else {
+    error_log('phpmyadmin: Failed to load /etc/phpmyadmin/config-db.php.'
+        . ' Check group www-data has read access.');
 }
 
 /* Configure according to dbconfig-common if enabled */
@@ -38,7 +50,7 @@
     if (empty($dbserver)) $dbserver = 'localhost';
     $cfg['Servers'][$i]['host'] = $dbserver;
 
-    if (!empty($dbport)) {
+    if (!empty($dbport) || $dbserver != 'localhost') {
         $cfg['Servers'][$i]['connect_type'] = 'tcp';
         $cfg['Servers'][$i]['port'] = $dbport;
     }
@@ -59,7 +71,8 @@
     $cfg['Servers'][$i]['history'] = 'pma_history';
     $cfg['Servers'][$i]['designer_coords'] = 'pma_designer_coords';
     $cfg['Servers'][$i]['tracking'] = 'pma_tracking';
-    $cfg['Servers'][$i]['hide_db'] = 'information_schema';
+    $cfg['Servers'][$i]['userconfig'] = 'pma_userconfig';
+
     /* Uncomment the following to enable logging in to passwordless accounts,
      * after taking note of the associated security risks. */
     // $cfg['Servers'][$i]['AllowNoPassword'] = TRUE;
@@ -72,7 +85,6 @@
 //$cfg['Servers'][$i]['auth_type'] = 'cookie';
 /* Server parameters */
 //$cfg['Servers'][$i]['host'] = 'localhost';
-//$cfg['DefaultLang'] = 'en-iso-8859-1';
 //$cfg['Servers'][$i]['connect_type'] = 'tcp';
 //$cfg['Servers'][$i]['compress'] = false;
 /* Select mysqli if your server has it */
@@ -103,6 +115,5 @@
  */
 $cfg['UploadDir'] = '';
 $cfg['SaveDir'] = '';
-$cfg['SuhosinDisableWarning'] = TRUE;
 
-$cfg['blowfish_secret'] = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX';
+

Configuration file `/etc/phpmyadmin/config.inc.php'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : start a shell to examine the situation
 The default action is to keep your current version.
*** config.inc.php (Y/I/N/O/D/Z) [default=N] ? Y

  ┌───────────────────────────────────────────────────┤ Configuring phpmyadmin ├───────────────────────────────────────────────────┐
  │ A new version of configuration file /etc/phpmyadmin/config-db.php is available, but the version installed currently has been   │ 
  │ locally modified.                                                                                                              │ 
  │                                                                                                                                │ 
  │ What do you want to do about modified configuration file config-db.php?                                                        │ 
  │                                                                                                                                │ 
  │                                   install the package maintainer's version                                                     │ 
  │                                   keep the local version currently installed                                                   │ 
  │                                   show the differences between the versions                                                    │ 
  │                                   show a side-by-side difference between the versions                                          │ 
  │                                   show a 3-way difference between available versions                                           │ 
  │                                   do a 3-way merge between available versions (experimental)                                   │ 
  │                                   start a new shell to examine the situation                                                   │ 
  │                                                                                                                                │ 
  │                                                                                                                                │ 
  │                                                             <Ok>                                                               │ 
  │                                                                                                                                │ 
  └────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘

                          ┌───────────────────────────┤ Configuring phpmyadmin ├───────────────────────────┐
                          │                                                                                │ 
                          │ Line by line differences between versions                                      │ 
                          │                                                                                │ 
                          │ --- /etc/phpmyadmin/config-db.php 2013-04-30 11:40:26.000000000 +0100          │ 
                          │ +++ /tmp/dbconfig-generate-include.DeeBde 2013-12-08 15:10:50.892333427 +0000  │ 
                          │ @@ -1,8 +1,19 @@                                                               │ 
                          │  <?php                                                                         │ 
                          │ +##                                                                            │ 
                          │ +## database access settings in php format                                     │ 
                          │ +## automatically generated from /etc/dbconfig-common/phpmyadmin.conf          │ 
                          │ +## by /usr/sbin/dbconfig-generate-include                                     │ 
                          │ +## Sun, 08 Dec 2013 15:10:50 +0000                                            │ 
                          │ +##                                                                            │ 
                          │ +## by default this file is managed via ucf, so you shouldn't have to          │ 
                          │ +## worry about manual changes being silently discarded. *however*,            │ 
                          │ +## you'll probably also want to edit the configuration file mentioned         │ 
                          │ +## above too.                                                                 │ 
                          │ +##                                                                            │ 
                          │  $dbuser='phpmyadmin';                                                         │ 
                          │ +$dbpass='YYYYYYYYYYY';                                                       │ 
                          │  $basepath='';                                                                 │ 
                          │ -$dbname='';                                                                   │ 
                          │ +$dbname='phpmyadmin';                                                         │ 
                          │  $dbserver='';                                                                 │ 
                          │  $dbport='';                                                                   │ 
                          │  $dbtype='mysql';                                                              │ 
                          │ -$dbpass='XXXXXXXXXXXX';                                                       │ 
                          │                                                                                │ 
                          │                                     <Ok>                                       │ 
                          │                                                                                │ 
                          └────────────────────────────────────────────────────────────────────────────────┘ 

install the package maintainer's version

 ┌───────────────────────────────────────────────────┤ Configuring phpmyadmin ├────────────────────────────────────────────────────┐
 │                                                                                                                                 │ 
 │ According to the maintainer for this package, database upgrade operations need to be performed on phpmyadmin.  Typically, this  │ 
 │ is due to changes in how a new upstream version of the package needs to store its data.                                         │ 
 │                                                                                                                                 │ 
 │ If you want to handle this process manually, you should refuse this option.  Otherwise, you should choose this option. During   │ 
 │ the upgrade, a backup of the database will be made in /var/cache/dbconfig-common/backups, from which the database can be        │ 
 │ restored in the case of problems.                                                                                               │ 
 │                                                                                                                                 │ 
 │ Perform upgrade on database for phpmyadmin with dbconfig-common?                                                                │ 
 │                                                                                                                                 │ 
 │                                      <Yes>                                         <No>                                         │ 
 │                                                                                                                                 │ 
 └─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘ 

Yes

  ┌───────────────────────────────────────────────────┤ Configuring phpmyadmin ├───────────────────────────────────────────────────┐
  │ Please provide the password for the administrative account with which this package should create its MySQL database and user.  │ 
  │                                                                                                                                │ 
  │ Password of the database's administrative user:                                                                                │ 
  │                                                                                                                                │ 
  │ **********____________________________________________________________________________________________________________________ │ 
  │                                                                                                                                │ 
  │                                                             <Ok>                                                               │ 
  │                                                                                                                                │ 
  └────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘ 

Check all the aites are running:

• ​http://www.reconomy.org/
• ​http://www.intransitionmovie.com/
• ​http://www.earthinheritors.net/
• ​http://www.transitiontowntotnes.org/
• ​http://www.transitionstreets.org.uk/

And the final stage of the upgrade:

apt-get dist-upgrade

The following packages will be REMOVED:
  defoma libept1 libpango1.0-common mysql-client-5.1 mysql-server-5.1 mysql-server-core-5.1 php5-suhosin x-ttcidfont-conf
The following NEW packages will be installed:
  aptitude-common cpp-4.7 fonts-droid fonts-liberation gcc-4.7 gcc-4.7-base ghostscript git-man gnuplot gnuplot-nox groff gsfonts
  imagemagick imagemagick-common kmod krb5-locales libaio1 libapt-inst1.5 libapt-pkg4.12 libbind9-80 libblas3 libblas3gf
  libboost-iostreams1.49.0 libclass-isa-perl libcroco3 libcupsimage2 libdb5.1 libdjvulibre-text libdjvulibre21 libdns88
  libencode-locale-perl libept1.4.12 libexiv2-12 libffi5 libfile-listing-perl libgdk-pixbuf2.0-0 libgdk-pixbuf2.0-common
  libgfortran3 libgmp10 libgs9 libgs9-common libhtml-form-perl libhttp-cookies-perl libhttp-daemon-perl libhttp-date-perl
  libhttp-message-perl libhttp-negotiate-perl libice6 libicu48 libijs-0.35 libilmbase6 libio-socket-inet6-perl libio-socket-ssl-perl
  libisc84 libisccc80 libisccfg82 libitm1 libjbig0 libjbig2dec0 libjpeg8 libjs-jquery libjs-sphinxdoc libjs-underscore libkmod2
  liblcms1 liblcms2-2 liblensfun-data liblensfun0 liblinear-tools liblinear1 liblist-moreutils-perl liblqr-1-0
  liblwp-mediatypes-perl liblwp-protocol-https-perl liblwres80 liblzma5 libmagickcore5 libmagickcore5-extra libmagickwand5 libmount1
  libmpc2 libmysqlclient18 libnet-http-perl libnet-ssleay-perl libnetpbm10 libnl-3-200 libnl-genl-3-200 libopenexr6 libp11-kit0
  libpam-modules-bin libpaper-utils libpaper1 libpipeline1 libprocps0 libquadmath0 librsvg2-2 librsvg2-common librtmp0
  libsemanage-common libsemanage1 libsensors4 libsigsegv2 libsm6 libsocket6-perl libssl-doc libssl1.0.0 libsvm-tools libswitch-perl
  libsystemd-login0 libtinfo5 libtokyocabinet9 libustr-1.0-1 libwmf0.2-7 libwww-robotrules-perl libxaw7 libxcb-shm0 libxmu6 libxt6
  multiarch-support munin-plugins-core munin-plugins-extra mysql-client-5.5 mysql-server-5.5 mysql-server-core-5.5 ncurses-term
  netpbm php-console-table poppler-data psutils python2.7 python2.7-minimal ufraw-batch
The following packages will be upgraded:
  apache2-mpm-itk apache2-utils apache2.2-bin apache2.2-common apt apt-utils aptitude base-files bash bind9-host binutils
  bsdmainutils bzip2 ca-certificates chrony coreutils cpp cpp-4.4 curl dbus denyhosts dialog dnsutils dpkg drush e2fslibs e2fsprogs
  exim4 exim4-base exim4-daemon-light file fontconfig fontconfig-config gawk gcc gcc-4.4 gcc-4.4-base git heirloom-mailx iftop
  ifupdown info initscripts iproute iptables iptraf iputils-ping less libacl1 libapache2-mod-php5 libaprutil1
  libaprutil1-dbd-sqlite3 libaprutil1-ldap libapt-pkg-perl libatk1.0-0 libattr1 libavahi-client3 libavahi-common3 libblkid1 libbsd0
  libbz2-1.0 libc-bin libc-dev-bin libc6 libc6-dev libcairo2 libcap2 libcomerr2 libcups2 libcurl3 libcurl3-gnutls libcwidget3
  libdatrie1 libdbd-mysql-perl libdbi-perl libdbus-1-3 libedit2 libexpat1 libfont-freetype-perl libfontconfig1 libfontenc1
  libfreetype6 libgcc1 libgcrypt11 libgd2-xpm libgdbm3 libglib2.0-0 libgnutls26 libgomp1 libgpg-error0 libgpgme11 libgpm2
  libgssapi-krb5-2 libgtk2.0-0 libgtk2.0-bin libgtk2.0-common libhtml-parser-perl libidn11 libjasper1 libjpeg62 libk5crypto3
  libkeyutils1 libkrb5-3 libkrb5support0 libldap-2.4-2 liblocale-gettext-perl libltdl-dev libltdl7 liblua5.1-0 libmagic1 libmpfr4
  libncurses5 libncursesw5 libneon27-gnutls libnet-server-perl libnewt0.52 libnl1 libpam-modules libpam-mysql libpam0g libpango1.0-0
  libpcap0.8 libpcre3 libpixman-1-0 libpng12-0 libpopt0 libreadline5 libreadline6 librsync1 libsasl2-2 libsasl2-modules libselinux1
  libsepol1 libsigc++-2.0-0c2a libslang2 libsqlite3-0 libss2 libssh2-1 libssl-dev libstdc++6 libsvn1 libtasn1-3
  libtext-charwidth-perl libtext-iconv-perl libthai0 libtiff4 libudev0 libusb-0.1-4 libuuid-perl libuuid1 libwrap0 libwww-perl
  libx11-6 libx11-data libxapian22 libxau6 libxcb-render-util0 libxcb-render0 libxcb1 libxcomposite1 libxcursor1 libxdamage1
  libxdmcp6 libxext6 libxfixes3 libxft2 libxi6 libxinerama1 libxml2 libxmuu1 libxpm4 libxrandr2 libxrender1 libyaml-syck-perl
  locales lsb-release lynx lynx-cur man-db module-init-tools mount mtr munin-common munin-node mutt mysql-common mysql-server nano
  ncurses-bin netbase nmap openssh-client openssh-server openssl passwd perl perl-base perl-modules php-pear php5 php5-cli
  php5-common php5-curl php5-dev php5-gd php5-intl php5-mcrypt php5-mysql php5-xmlrpc procps psmisc python python-apt python-minimal
  python-pylibacl python-pyxattr python2.6 python2.6-minimal quota rdiff-backup rsync rsyslog screen sgml-base subversion sysstat
  sysvinit tasksel tcpdump udev util-linux util-linux-locales vim vim-common vim-runtime vim-tiny wget whiptail xml-core xz-utils
  zlib1g zlib1g-dev
242 upgraded, 132 newly installed, 8 to remove and 0 not upgraded.
Need to get 210 MB of archives.
After this operation, 217 MB of additional disk space will be used.
Do you want to continue [Y/n]? Y

eglibc (2.13-25) unstable; urgency=medium

  Starting with the eglibc package version 2.13-5, the libraries are 
  shipped in the multiarch directory /lib/<triplet> instead of the more
  traditional /lib, where <triplet> is the multiarch triplet and can be
  retrieved with 'dpkg-architecture -qDEB_HOST_MULTIARCH'. Similarly the
  includes are now shipped in /usr/include/<triplet> instead of the more
  traditional /usr/include.
  
  The toolchain in Debian has been updated to cope with that, and most
  build systems should be unaffected. If you are using a non-Debian 
  toolchain to build your software and it is not able to cope with 
  multiarch, you might try to pass the following options to your 
  compiler:

    -B/usr/lib/<triplet> -I/usr/include/<triplet>
  
  Alternatively if the build system makes hard to pass the above options,
  you might try to set the LIBRARY_PATH and CPATH environment variables:                                                                                                                                                          
    LIBRARY_PATH=/usr/lib/<triplet>
    CPATH=/usr/include/<triplet>
    export LIBRARY_PATH CPATH

 -- Aurelien Jarno <aurel32@debian.org>  Mon, 09 Jan 2012 12:47:16 +0100 

eglibc (2.13-7) unstable; urgency=low

  Starting with version 2.13, eglibc provides an SSSE3 optimized version 
  of memcpy() on the amd64 architecture. This version might copy memory 
  backward in some conditions, which causes issues if the source and 
  destination overlap. memmove() should be used in such cases, but some 
  programs still wrongly use memcpy().

  For this reason, on the amd64 architecture the Debian package provides 
  two wrappers which can be use to workaround and/or debug the issue:
  - /usr/lib/x86_64-linux-gnu/libc/memcpy-preload.so simply replace all 
    calls to memcpy() by a call to memmove()
  - /usr/lib/x86_64-linux-gnu/libc/memcpy-syslog-preload.so does the same,
    but in addition logs (with rate limit) the issue to syslog, so that it 
    can be detected and fixed.

  To use these wrapper on a single binary, the easiest way is to use the
  LD_PRELOAD environment variable:
  - LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libc/memcpy-preload.so /path/to/binary
  - LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libc/memcpy-syslog-preload.so /path/to/binary

  For system-wide usage, it is possible to add the path of one of the 
  wrapper to /etc/ld.so.preload.

  For more details about the issue, please see:
    http://bugs.debian.org/625521
    http://sourceware.org/bugzilla/show_bug.cgi?id=12518

 -- Aurelien Jarno <aurel32@debian.org>  Sat, 11 Jun 2011 18:02:52 +0200

apt (0.8.11) unstable; urgency=low

  * apt-get install pkg/experimental will now not only switch the
    candidate of package pkg to the version from the release experimental
    but also of all dependencies of pkg if the current candidate can't
    satisfy a versioned dependency.

 -- David Kalnischkies <kalnischkies@gmail.com>  Fri, 03 Dec 2010 14:09:12 +0100

ca-certificates (20130119) unstable; urgency=low

  Update mozilla/certdata.txt to version 1.87
    Certificates removed (-) (none added):
    - "T?RKTRUST Elektronik Sertifika Hizmet Sa?lay?c?s?"

 -- Michael Shuler <michael@pbandjelly.org>  Sat, 19 Jan 2013 14:08:50 -0600

ca-certificates (20121105) unstable; urgency=low

  Update mozilla/certdata.txt to version 1.86
    Certificates added (+) (none removed):
    + "Actalis Authentication Root CA"
    + "Trustis FPS Root CA"
    + "StartCom Certification Authority" (renewal/rehash)
    + "StartCom Certification Authority G2"
    + "Buypass Class 2 Root CA"
    + "Buypass Class 3 Root CA"
    + "T?RKTRUST Elektronik Sertifika Hizmet Sa?lay?c?s?"
    + "T-TeleSec GlobalRoot Class 3"
    + "EE Certification Centre Root CA"

 -- Michael Shuler <michael@pbandjelly.org>  Mon, 05 Nov 2012 10:56:28 -0600

ca-certificates (20120212) unstable; urgency=low

  Update mozilla/certdata.txt to version 1.81
    Certificates added (+) and removed (-):
    + "Security Communication RootCA2"
    + "EC-ACC"
    + "Hellenic Academic and Research Institutions RootCA 2011"
    - "Verisign Class 2 Public Primary Certification Authority"
    - "Verisign Class 4 Public Primary Certification Authority - G2"
    - "TC TrustCenter, Germany, Class 2 CA"
    - "TC TrustCenter, Germany, Class 3 CA"

 -- Michael Shuler <michael@pbandjelly.org>  Sun, 12 Feb 2012 15:12:59 -0600

ca-certificates (20111211) unstable; urgency=low

  Remove French Government IGC/A CA certificates. The RSA certificate is
    included in the Mozilla bundle and the DSA certificate is not in use.
  Remove expired signet.pl CAs.
  Remove expired brasil.gov.br CA.

 -- Michael Shuler <michael@pbandjelly.org>  Sun, 11 Dec 2011 19:05:32 -0600

ca-certificates (20111025) unstable; urgency=low

  Update mozilla/certdata.txt to latest (NSS branch version 1.64.2.13)
    Certificates added (+) and removed (-):
    + "AffirmTrust Commercial"
    + "AffirmTrust Networking"
    + "AffirmTrust Premium"
    + "AffirmTrust Premium ECC"
    + "A-Trust-nQual-03"
    + "Certinomis - Autorit? Racine"
    + "Certum Trusted Network CA"
    + "Go Daddy Root Certificate Authority - G2"
    + "Root CA Generalitat Valenciana"
    + "Starfield Root Certificate Authority - G2"
    + "Starfield Services Root Certificate Authority - G2"
    + "TWCA Root Certification Authority"
    - "AOL Time Warner Root Certification Authority 1"
    - "AOL Time Warner Root Certification Authority 2"
    - "DigiNotar Root CA"
    - "Entrust.net Global Secure Personal CA"
    - "Entrust.net Global Secure Server CA"
    - "Entrust.net Secure Personal CA"
    - "IPS Chained CAs root"
    - "IPS CLASE1 root"
    - "IPS CLASE3 root"
    - "IPS CLASEA1 root"
    - "IPS CLASEA3 root"
    - "IPS Timestamping root"
    - "Thawte Personal Freemail CA"
    - "Thawte Time Stamping CA"
  Update CAcert-Class 3-Subroot-certificate  Closes: #630232

 -- Michael Shuler <michael@pbandjelly.org>  Sun, 23 Oct 2011 23:16:57 -0500

cyrus-sasl2 (2.1.25.dfsg1-5) unstable; urgency=low

  * Configuration of SQL engine backends have changed from database
    specific configuration (e.g. 'mysql') to generic 'sql' auxprop
    plugin.
  
    You will need to change your configuration f.e. from:
  
        auxprop_plugin: mysql
  
    to
  
        auxprop_plugin: sql
        sql_engine: mysql
  
    Also the SQL query (if used) needs to have '%u' replaced with '%u@%r'
    because now user and realm is provided separately.

 -- Ond?ej Sur? <ondrej@debian.org>  Mon, 06 Aug 2012 13:12:22 +0200
iftop (0.17-17) unstable; urgency=low

  The iftop package is now shipped with the "-DNO_SYSTEM" flag enabled.
  This disables the possibility to run commands in a subshell.  This is a
  kind of unexpected feature and could allow users, running iftop via sudo
  to get a complete root shell (if sudo is not configure properly).

  I appologise for any inconvenience caused to users of this feature and
  recommend the usage of screen or several terminal windows.

 -- Alexander Reichle-Schmehl <tolimar@debian.org>  Tue, 19 Jan 2010 14:31:29 +0100

ifupdown (0.7~rc1+experimental) experimental; urgency=low

    The --all option to ifup and ifquery can now be combined with the
    --allow option to act on all interfaces of a specific class (still
    defaulting to the class 'auto'). If you have custom hook scripts, you
    may need to update them. See interfaces(5) for details.

 -- Andrew O. Shadura <bugzilla@tut.by>  Tue, 17 Apr 2012 01:05:42 +0200

mutt (1.5.21-2) experimental; urgency=low
  mailto-mutt has been replaced by a wrapper as per #576313, because mutt is now
  able to handle the mailto: urls; additionally it will also do some checks on
  attachments and it will allow us to be as close to upstream as possible

 -- Antonio Radici <antonio@dyne.org>  Sat, 01 Jan 2011 12:56:29 +0000

php5 (5.4.4-7) unstable; urgency=low

  * As a side effect of the MIME-Type changes in the mime-support package,
    the default Apache 2 configuration will no longer perform HTTP content
    negotiation on the PHP file extensions, which was very questionable
    anyway.  If you really want to re-enable this support then please read
    /usr/share/doc/php5-common/README.Debian file for further
    instructions.
  
 -- Ond?ej Sur? <ondrej@debian.org>  Wed, 29 Aug 2012 09:18:41 +0200

php5 (5.4.4-5) unstable; urgency=low

  * As a security measure the default configuration for Apache 2 has been
    changed to a stricter model.  Only files which have the correct
    rightmost extension, and at least one character in the filename before
    that extension, are now interpreted by PHP.  For a full list of
    handled extensions please see the Apache 2 configuration.  At the time
    of writing this paragraph, the list includes the following regular
    expressions:
  
      1. .+\.ph(p[345]?|t|tml)$ for PHP files (application/x-httpd-php)
      2. .+\.phps$ for PHP source files (application/x-httpd-php-source)

    Previously, as a side effect of system MIME type definitions, the
    default configuration would allow the interpreting of files with a
    double extension, where the second extension was either unrecognised
    or a language or content encoding to be interpreted; e.g. an uploaded
    file named blackhat.php.foobar or index.php.cs would be interpreted by
    PHP.  These non-standard definitions have been removed from the
    mime-support packages and all configuration of PHP handlers is now
    defined in the Apache 2 configuration files.
  
    The standard configuration now also denies access to files with names
    which consist of an extension and nothing more; e.g. accessing '/.php'
    will now return Access Denied instead of the output of the PHP script.
  
    You can use the following command to find whether there are any files
    on your system which would be affected by this change (change <base>
    to the directory name where you store PHP files on your system):

    # find <base> -name '*.ph[pt].*' -o -name '*.php[345s].*' -o \
                  -name '*.phtml.*' -o -name '.ph[pt]' -o \
                  -name '.php[345s]' -o -name '.phtml'

 -- Ond?ej Sur? <ondrej@debian.org>  Tue, 21 Aug 2012 09:14:47 +0200

php5 (5.4.0~rc8-1) unstable; urgency=low

  php5-fpm default www spool now listens on unix socket located
  in /var/run/php5-fpm.sock instead of localhost:9000.  If you
  have configured your webserver to use localhost:9000, you will
  have to change your settings.

 -- Ond?ej Sur? <ondrej@debian.org>  Wed, 08 Feb 2012 08:25:30 +0100

php5 (5.4.0~rc6-2) unstable; urgency=low

  t1lib support was removed from PHP 5.4.  t1lib has many security
  issues and is unmaintained by upstream for a very long time (3 years).

  For more information see:
    + http://bugs.debian.org/637488
    + http://bugs.debian.org/638755
  
  This unfortunately also means that following functions are not
  available in PHP5 from now:
  
    - imagepsloadfont
    - imagepsfreefont
    - imagepsencodefont
    - imagepsextendfont
    - imagepsslantfont
    - imagepstext
    - imagepsbbox

  If you really need those functions you will need to install t1lib from
  sources.  You will need to install php5-dev and recompile GD extension
  (roughly) using following commands:

    cd <path_to_php5_sources>/ext/gd/
    phpize
    configure --with-gd=shared,/usr --enable-gd-native-ttf \
      --with-t1lib=<location_of_your_t1lib>
    make
    make install

 -- Ond?ej Sur? <ondrej@debian.org>  Wed, 01 Feb 2012 18:19:45 +0100

php5 (5.3.9-4) unstable; urgency=low

  * The Suhosin patch is now disabled in the default build.

  If you want to re-enable it again for your installation, you can
  set the option PHP5_SUHOSIN=yes in debian/rules and recompile PHP.

 -- Ond?ej Sur? <ondrej@debian.org>  Sat, 28 Jan 2012 08:39:36 +0100

php5 (5.3.6-13) unstable; urgency=low

  * Updated blowfish crypt() algorithm fixes the 8-bit character handling
    vulnerability (CVE-2011-2483) and adds more self-tests.  Unfortunately
    this change is incompatible with some old (wrong) generated hashes for
    passwords containing 8-bit characters.

    It is recommended that any passwords containing characters with
    the 8th bit set be changed after this upgrade. In order to allow users
    to log in after the upgrade even if they have a potentially affected
    password, the newly introduced backwards compatibility hash encoding
    prefix of "$2x$" may be used (in place of the usual "$2a$"). Such
    password hashes should only be used during a transition period; when
    passwords are changed, the usual "$2a$" prefix is used, denoting the
    correct algorithm.

 -- Ond?ej Sur? <ondrej@debian.org>  Mon, 04 Jul 2011 10:31:16 +0200

procps (1:3.3.1-1) unstable; urgency=low

  * top has a new rcfile format from 3.3.1 which is not backwards compatible
    from a rcfile save from a pre-3.3.1 top.

 -- Craig Small <csmall@debian.org>  Mon, 23 Jan 2012 22:26:16 +1100

rsyslog (5.8.1-1) unstable; urgency=low

  The way rsyslog processes SIGHUP has changed. It no longer does a reload
  of its configuration, but simply closes all open files, which is a much more
  lightweight operation.
  To apply a changed configuration, rsyslogd needs to be restarted now.
  As a consequence, the reload action has been dropped from the init script.

  A new action called "rotate" was added to the init script, which signals
  rsyslogd to close all open files. This new action is used in the rsyslog
  logrotate configuration file.

  For more information, see:
  For more information, see:
  http://www.rsyslog.com/doc/v4compatibility.html
  http://www.rsyslog.com/doc/v5compatibility.html

 -- Michael Biebl <biebl@debian.org>  Mon, 30 May 2011 18:26:51 +0200

screen (4.1.0~20120320gitdb59704-7) unstable; urgency=low

  In case you upgrade screen from 4.0.3 to 4.1.0 while running inside
  screen and you have to reconnect to that screen session (or any other
  screen session which has been started before the upgrade), there may be
  a few screen features not working until you exit the 4.0.3-started
  session and replace it with a 4.1.0-started session.

  Known issues of 4.0.3 to 4.1.0 interoperability as of now:

  * Terminal window resizing (WINCH signal) does not propagate to the
    screen session. Detach and reattach again instead to get the size of
    the terminals inside the screen session adjusted propely.

 -- Axel Beckert <abe@debian.org>  Sun, 16 Sep 2012 12:48:44 +0200

sgml-base (1.26+nmu2) unstable; urgency=low

  Starting with this release the SGML super catalog /etc/sgml/catalog will be
  replaced with a symbolic link to /var/lib/sgml-base/supercatalog. The latter
  file can be regenerated from the contents of the /etc/sgml directory including
  all files ending in .cat using the new update-catalog --update-super option.
  This call will be (dpkg) triggered by packages placing files in /etc/sgml. The
  transition to this way of handling the super catalog will loose user changes to
  /etc/sgml/catalog. Further overwriting of user changes will happen until all
  packages using dh_installcatalogs are built with a fixed version of debhelper.
  Sorry for the inconvenience.

 -- Helmut Grohne <helmut@subdivi.de>  Mon, 30 Apr 2012 16:37:01 +0200

sysstat (10.0.5-1) unstable; urgency=low

    The default options passed to sadc(8) program through sa1(8) script
    are no longer set in Debian-specific /etc/default/sysstat file.
    The SADC_OPTIONS variable in /etc/sysstat/sysstat (upstream-provided
    configuration file) is used instead for this purpose.

 -- Robert Luberda <robert@debian.org>  Sun, 20 May 2012 11:10:04 +0200

vim (2:7.3.154+hg~74503f6ee649-1) unstable; urgency=low

  The vim-lesstif package has been removed in favor of the new vim-athena
  package.  The intent behind both packages is to provide a lighter-weight GUI
  package as well as one that allows using XFLD fonts.  The Athena toolkit,
  however,  has broader usage and reduces divergences with downstream
  distributions.

 -- James Vega <jamessan@debian.org>  Sun, 27 Feb 2011 12:45:40 -0500

         ┌─────────────────────────────────────────┤ Configuring mysql-server-5.5 ├─────────────────────────────────────────┐
         │ While not mandatory, it is highly recommended that you set a password for the MySQL administrative "root" user.  │ 
         │                                                                                                                  │ 
         │ If this field is left blank, the password will not be changed.                                                   │ 
         │                                                                                                                  │ 
         │ New password for the MySQL "root" user:                                                                          │ 
         │                                                                                                                  │ 
         │ ***************_________________________________________________________________________________________________ │ 
         │                                                                                                                  │ 
         │                                                      <Ok>                                                        │ 
         │                                                                                                                  │ 
         └──────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘ 

 ┌─────────────────────────────────────────────────────┤ Configuring sysstat ├─────────────────────────────────────────────────────┐
 │                                                                                                                                 │ 
 │ The format of daily data statistics files has changed in version 9.1.6 of sysstat and is not compatible with the previous one.  │ 
 │                                                                                                                                 │ 
 │ If you choose this option, all existing data files in the /var/log/sysstat/ directory will be deleted.                          │ 
 │                                                                                                                                 │ 
 │ If you don't choose this option, the sar(1) command will not work properly until you remove the files manually.                 │ 
 │                                                                                                                                 │ 
 │ Remove old format statistics data files?                                                                                        │ 
 │                                                                                                                                 │ 
 │                                      <Yes>                                         <No>                                         │ 
 │                                                                                                                                 │ 
 └─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘ 
                                                                                                                                     

Yes

 ┌──────────────────────────────────────────────────────┤ Configuring libc6 ├──────────────────────────────────────────────────────┐
 │                                                                                                                                 │ 
 │ There are services installed on your system which need to be restarted when certain libraries, such as libpam, libc, and        │ 
 │ libssl, are upgraded. Since these restarts may cause interruptions of service for the system, you will normally be prompted on  │ 
 │ each upgrade for the list of services you wish to restart.  You can choose this option to avoid being prompted; instead, all    │ 
 │ necessary restarts will be done for you automatically so you can avoid being asked questions on each library upgrade.           │ 
 │                                                                                                                                 │ 
 │ Restart services during package upgrades without asking?                                                                        │ 
 │                                                                                                                                 │ 
 │                                      <Yes>                                         <No>                                         │ 
 │                                                                                                                                 │ 
 └─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘ 

Yes


Restarting services possibly affected by the upgrade:
  mysql: restarting...done.
  exim4: restarting...done.
  cron: restarting...done.
  apache2: restarting...done.

Services restarted successfully.

Configuration file `/etc/denyhosts.conf'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : start a shell to examine the situation
 The default action is to keep your current version.
*** denyhosts.conf (Y/I/N/O/D/Z) [default=N] ? D

--- /etc/denyhosts.conf 2013-04-30 11:39:25.000000000 +0100
+++ /etc/denyhosts.conf.dpkg-new        2011-08-17 09:23:04.000000000 +0100
@@ -1,4 +1,4 @@
-     ############ THESE SETTINGS ARE REQUIRED ############
+       ############ THESE SETTINGS ARE REQUIRED ############
 
 ########################################################################
 #
@@ -57,7 +57,7 @@
 #            'y' = years
 #
 # never purge:
-PURGE_DENY =
+PURGE_DENY = 
 #
 # purge entries older than 1 week
 #PURGE_DENY = 1w
@@ -197,7 +197,7 @@
 #LOCK_FILE = /var/lock/subsys/denyhosts
 #
 # Debian
-LOCK_FILE = /var/run/denyhosts.pid
+LOCK_FILE = /run/denyhosts.pid
 #
 # Misc
 #LOCK_FILE = /tmp/denyhosts.lock
@@ -218,9 +218,7 @@
 # Multiple email addresses can be delimited by a comma, eg:
 # ADMIN_EMAIL = foo@bar.com, bar@foo.com, etc@foobar.com
 #
-#ADMIN_EMAIL = root@localhost
-# chris
-ADMIN_EMAIL = 
+ADMIN_EMAIL = root@localhost
 #
 #######################################################################
 
@@ -481,7 +479,7 @@
 #
 ###################################################################### 
 
-
+ 
 #######################################################################
 #
 # DAEMON_SLEEP: when DenyHosts is run in daemon mode (--daemon flag)
@@ -621,3 +619,4 @@
 #SYNC_DOWNLOAD_RESILIENCY = 5h
 #
 #######################################################################
+


Configuration file `/etc/denyhosts.conf'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : start a shell to examine the situation
 The default action is to keep your current version.
*** denyhosts.conf (Y/I/N/O/D/Z) [default=N] ? Y

Then /etc/denyhosts.conf was manually edited:

#ADMIN_EMAIL = root@localhost
ADMIN_EMAIL = 

Configuration file `/etc/logrotate.d/apache2'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : start a shell to examine the situation
 The default action is to keep your current version.
*** apache2 (Y/I/N/O/D/Z) [default=N] ? D

--- /etc/logrotate.d/apache2    2013-04-30 11:39:25.000000000 +0100
+++ /etc/logrotate.d/apache2.dpkg-new   2013-03-04 22:06:48.000000000 +0000
@@ -1,32 +1,18 @@
 /var/log/apache2/*.log {
-        daily
-        missingok
-        rotate 28
-        compress
-        delaycompress
-        notifempty
-        create 640 root adm
-        sharedscripts
-        prerotate
-                /usr/local/webarch/bin/maxclients root@localhost
-        endscript
-        postrotate
-                /etc/init.d/apache2 reload > /dev/null
-        endscript
+       weekly
+       missingok
+       rotate 52
+       compress
+       delaycompress
+       notifempty
+       create 640 root adm
+       sharedscripts
+       postrotate
+               /etc/init.d/apache2 reload > /dev/null
+       endscript
+       prerotate
+               if [ -d /etc/logrotate.d/httpd-prerotate ]; then \
+                       run-parts /etc/logrotate.d/httpd-prerotate; \
+               fi; \
+       endscript
 }
-
-/home/*/logs/*log {
-        daily
-        missingok
-        rotate 28
-        compress
-        delaycompress
-        notifempty
-        create 644 root root
-        dateext
-        sharedscripts
-        postrotate
-                /etc/init.d/apache2 reload > /dev/null
-        endscript
-}
-

Configuration file `/etc/logrotate.d/apache2'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : start a shell to examine the situation
 The default action is to keep your current version.
*** apache2 (Y/I/N/O/D/Z) [default=N] ? N

   
    ┌──────────────────────────────────────────────┤ Modified configuration file ├───────────────────────────────────────────────┐    
    │ A new version of configuration file /etc/php5/apache2/php.ini is available, but the version installed currently has been   │    
    │ locally modified.                                                                                                          │    
    │                                                                                                                            │    
    │ What do you want to do about modified configuration file php.ini?                                                          │    
    │                                                                                                                            │    
    │                                    install the package maintainer's version                                                │    
    │                                    keep the local version currently installed                                              │    
    │                                    show the differences between the versions                                               │    
    │                                    show a side-by-side difference between the versions                                     │    
    │                                    start a new shell to examine the situation                                              │    
    │                                                                                                                            │    
    │                                                                                                                            │    
    │                                                           <Ok>                                                             │    
    │                                                                                                                            │    
    └────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘    
                                                                                                                                  

  
 ┌─────────────────────────────────────────────────┤ Modified configuration file ├─────────────────────────────────────────────────┐  
 │                                                                                                                                 │  
 │ Line by line differences between versions                                                                                          
 │                                                                                                                                    
 │ --- /etc/php5/apache2/php.ini 2013-04-30 11:39:25.000000000 +0100                                                                  
 │ +++ /usr/share/php5/php.ini-production 2013-10-03 10:36:21.000000000 +0100                                                         
 │ @@ -19,7 +19,7 @@                                                                                                                  
 │  ; See the PHP docs for more specific information.                                                                                 
 │  ; http://php.net/configuration.file                                                                                               
 │                                                                                                                                    
 │ -; The syntax of the file is extremely simple. Whitespace and Lines                                                                
 │ +; The syntax of the file is extremely simple. Whitespace and lines                                                                
 │  ; beginning with a semicolon are silently ignored (as you probably guessed).                                                      
 │  ; Section headers (e.g. [Foo]) are also silently ignored, even though                                                             
 │  ; they might mean something in the future.                                                                                        
 │ @@ -83,6 +83,8 @@                                                                                                                  
 │  ; development version only in development environments as errors shown to                                                         
 │  ; application users can inadvertently leak otherwise secure information.                                                          
 │                                                                                                                                    
 │ +; This is php.ini-production INI file.                                                                                            
 │ +                                                                                                                                  
 │  ;;;;;;;;;;;;;;;;;;;                                                                                                               
 │  ; Quick Reference ;                                                                                                               
 │  ;;;;;;;;;;;;;;;;;;;                                                                                                               
 │ @@ -91,11 +93,6 @@                                                                                                                 
 │  ; Please see the actual settings later in the document for more details as to why                                                 
 │  ; we recommend these changes in PHP's behavior.                                                                                   
 │                                                                                                                                    
 │ -; allow_call_time_pass_reference                                                                                                  
 │ -; Default Value: On                                                                                                               
 │ -; Development Value: Off                                                                                                          
 │ -; Production Value: Off                                                                                                           
 │ -                                                                                                                                  
 │  ; display_errors                                                                                                                  
 │  ; Default Value: On                                                                                                               
 │  ; Development Value: On                                                                                                           
 │ @@ -107,25 +104,20 @@                                                                                                              
 │  ; Production Value: Off                                                                                                           
 │                                                                                                                                    
 │  ; error_reporting                                                                                                                 
 │ -; Default Value: E_ALL & ~E_NOTICE                                                                                                
 │ -; Development Value: E_ALL | E_STRICT                                                                                             
 │ -; Production Value: E_ALL & ~E_DEPRECATED                                                                                         
 │ +; Default Value: E_ALL & ~E_NOTICE & ~E_STRICT & ~E_DEPRECATED                                                                    
 │ +; Development Value: E_ALL                                                                                                        
 │ +; Production Value: E_ALL & ~E_DEPRECATED & ~E_STRICT                                                                             
 │                                                                                                                                    
 │  ; html_errors                                                                                                                     
 │                                                                                                                                    
 │                                                             <Ok>                                                                   
 │                                                                                                                                 │  
 └─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘

install the package maintainer's version 

Configuration file `/etc/munin/plugin-conf.d/munin-node'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : start a shell to examine the situation
 The default action is to keep your current version.
*** munin-node (Y/I/N/O/D/Z) [default=N] ? D

--- /etc/munin/plugin-conf.d/munin-node 2013-04-30 11:40:51.000000000 +0100
+++ /etc/munin/plugin-conf.d/munin-node.dpkg-new        2013-06-09 16:41:57.000000000 +0100
@@ -118,13 +118,5 @@
 env.PGUSER postgres
 env.PGPORT 5432
 
-[apache_*]
-env.url   http://127.0.0.1:%d/server-status?auto
-env.ports 80
-
-[multips]
-env.names apache2 mysqld
-
-[multips_memory]
-env.names apache2 mysqld
-
+[fail2ban]
+user root

New version installed and then the followin was added to /etc/munin/plugin-conf.d/munin-node manually:

[fail2ban]
user root

Configuration file `/etc/munin/munin-node.conf'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : start a shell to examine the situation
 The default action is to keep your current version.
*** munin-node.conf (Y/I/N/O/D/Z) [default=N] ? D

--- /etc/munin/munin-node.conf  2013-04-30 12:27:27.000000000 +0100
+++ /etc/munin/munin-node.conf.dpkg-new 2013-06-09 16:41:45.000000000 +0100
@@ -12,10 +12,9 @@
 user root
 group root
 
-# Regexps for files to ignore
 
-ignore_file ~$
-#ignore_file [#~]$  # FIX doesn't work. '#' starts a comment
+# Regexps for files to ignore
+ignore_file [\#~]$
 ignore_file DEADJOE$
 ignore_file \.bak$
 ignore_file %$
@@ -34,18 +33,18 @@
 # may repeat the allow line as many times as you'd like
 
 allow ^127\.0\.0\.1$
-# penguin.webarch.net
-allow ^81\.95\.52\.111$
-
-# If you have installed the Net::CIDR perl module, you can use
-# multiple cidr_allow and cidr_deny address/mask patterns.  A
-# connecting client must match any cidr_allow, and not match any
-# cidr_deny.  Example:
+allow ^::1$
 
+# If you have installed the Net::CIDR perl module, you can use one or more
+# cidr_allow and cidr_deny address/mask patterns.  A connecting client must
+# match any cidr_allow, and not match any cidr_deny.  Note that a netmask
+# *must* be provided, even if it's /32
+#
+# Example:
+#
 # cidr_allow 127.0.0.1/32
 # cidr_allow 192.0.2.0/24
 # cidr_deny  192.0.2.42/32
-#cidr_allow 93.95.226.170/32
 
 # Which address to bind to;
 host *
@@ -53,4 +52,3 @@
 
 # And which port
 port 4949
-

Configuration file `/etc/munin/munin-node.conf'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : start a shell to examine the situation
 The default action is to keep your current version.
*** munin-node.conf (Y/I/N/O/D/Z) [default=N] ? Y

And /etc/munin/munin-node.conf was manually edidet to add back:

# penguin.webarch.net
allow ^81\.95\.52\.111$

All the web sites were then checked. Next phpmyadmin needs checking.

[chris]

metche was sending emails like:

From: root@parrot.webarch.net (Cron Daemon)                                                                                      
Date: Sun, 08 Dec 2013 16:50:11 +0000                                                                                            
To: root@parrot.webarch.net                                                                                                      
Subject: Cron <root@parrot> test -x /usr/sbin/metche && /usr/sbin/metche cron                                                    
                                                                                                                                 
find: `standard output': Broken pipe                                                                                             
find: write error                      

So this was tried:

dpkg -r metche
aptitude install metche
The following NEW packages will be installed:
  metche 
The following packages will be REMOVED:
  libbind9-60{u} libdb4.7{u} libdns69{u} libfont-freetype-perl{u} libfontenc1{u} libgmp3c2{u} libicu44{u} libisc62{u} 
  libisccc60{u} libisccfg62{u} libjpeg62{u} libjs-mootools{u} liblwres60{u} libmysqlclient16{u} libnl1{u} libserf-0-0{u} 
  libt1-5{u} libtokyocabinet8{u} libxcb-render-util0{u} libxfont1{u} python-central{u} xfonts-encodings{u} xfonts-utils{u} 

[chris]

Parrot root has send:

From: root@parrot.webarch.net (Cron Daemon)                                                                                      
Date: Sun, 08 Dec 2013 16:09:01 +0000                                                                                            
To: root@parrot.webarch.net                                                                                                      
Subject: Cron <root@parrot>   [ -x /usr/lib/php5/maxlifetime ] && [ -d /var/lib/php5 ] && find /var/lib/php5/ -depth -mindepth 1 
+-maxdepth 1 -type f -ignore_readdir_race -cmin +$(/usr/lib/php5/maxlifetime) ! -execdir fuser -s {} 2>/dev/null \; -delete      
                                                                                                                                 
PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/lib/php5/20100525/suhosin.so' -                                  
+/usr/lib/php5/20100525/suhosin.so: cannot open shared object file: No such file or directory in Unknown on line 0  

So this was tried:

mv /etc/php5/conf.d/suhosin.ini /root/
/etc/init.d/apache2 restart

[chris]

To get the new kernel a reboot was done.

And the sites were tested again.

[chris]

The same issue from Puffin was hit, see ticket:535#comment:33

From: root@parrot.webarch.net (Cron Daemon)                                                                                      
Date: Thu, 12 Dec 2013 07:15:48 +0000                                                                                            
To: root@parrot.webarch.net                                                                                                      
Subject: Cron <root@parrot> if [ -x /etc/munin/plugins/apt_all ]; then /etc/munin/plugins/apt_all update 7200 12 >/dev/null; elif [ -x /etc/munin/plugins/apt ]; then /etc/munin/plugins/apt update 7200 12 >/dev/null; fi                                        
                                                                                                                                 
E: The value 'testing' is invalid for APT::Default-Release as such a release is not available in the sources                     
E: The value 'unstable' is invalid for APT::Default-Release as such a release is not available in the sources   

/etc/apt/apt.conf was created containing:

APT::Default-Release "stable" ;

And /usr/share/munin/plugins/apt_all was edited:

#my @releases = ("stable", "testing","unstable");
my @releases = ("stable");

And munin-node restarted.

[chris]

This email:

From: root@parrot.webarch.net (Cron Daemon)                                                                                      
Date: Thu, 12 Dec 2013 07:20:01 +0000                                                                                            
To: root@parrot.webarch.net                                                                                                      
Subject: Cron <root@parrot> /usr/local/webarch/munin/bw.cron                                                                     
                                                                                                                                 
File /var/run/munin/bw//earthin_access.log.tail cannot be created. Check your permissions.                                       
/usr/local/webarch/munin/bw.cron: line 13: /var/run/munin/bw//earthin_access.log: No such file or directory                      
/usr/local/webarch/munin/bw.cron: line 17: /var/run/munin/bw//earthin_access.log.monthly: No such file or directory              
cat: /var/run/munin/bw//earthin_access.log.monthly: No such file or directory                                                    
/usr/local/webarch/munin/bw.cron: line 21: /var/run/munin/bw//earthin_access.log.monthly: No such file or directory              
File /var/run/munin/bw//movie_access.log.tail cannot be created. Check your permissions.                                         
/usr/local/webarch/munin/bw.cron: line 13: /var/run/munin/bw//movie_access.log: No such file or directory                        
/usr/local/webarch/munin/bw.cron: line 17: /var/run/munin/bw//movie_access.log.monthly: No such file or directory                
cat: /var/run/munin/bw//movie_access.log.monthly: No such file or directory                                                      
/usr/local/webarch/munin/bw.cron: line 21: /var/run/munin/bw//movie_access.log.monthly: No such file or directory                
File /var/run/munin/bw//moviedev_access.log.tail cannot be created. Check your permissions.                                      
/usr/local/webarch/munin/bw.cron: line 13: /var/run/munin/bw//moviedev_access.log: No such file or directory                     
/usr/local/webarch/munin/bw.cron: line 17: /var/run/munin/bw//moviedev_access.log.monthly: No such file or directory             
cat: /var/run/munin/bw//moviedev_access.log.monthly: No such file or directory                                                   
/usr/local/webarch/munin/bw.cron: line 21: /var/run/munin/bw//moviedev_access.log.monthly: No such file or directory             
File /var/run/munin/bw//recon_access.log.tail cannot be created. Check your permissions.                                         
/usr/local/webarch/munin/bw.cron: line 13: /var/run/munin/bw//recon_access.log: No such file or directory                        
/usr/local/webarch/munin/bw.cron: line 17: /var/run/munin/bw//recon_access.log.monthly: No such file or directory                
cat: /var/run/munin/bw//recon_access.log.monthly: No such file or directory                                                      
/usr/local/webarch/munin/bw.cron: line 21: /var/run/munin/bw//recon_access.log.monthly: No such file or directory                
File /var/run/munin/bw//recondev_access.log.tail cannot be created. Check your permissions.                                      
/usr/local/webarch/munin/bw.cron: line 13: /var/run/munin/bw//recondev_access.log: No such file or directory                     
/usr/local/webarch/munin/bw.cron: line 17: /var/run/munin/bw//recondev_access.log.monthly: No such file or directory             
cat: /var/run/munin/bw//recondev_access.log.monthly: No such file or directory                                                   
/usr/local/webarch/munin/bw.cron: line 21: /var/run/munin/bw//recondev_access.log.monthly: No such file or directory             
File /var/run/munin/bw//ts_access.log.tail cannot be created. Check your permissions.                                            
/usr/local/webarch/munin/bw.cron: line 13: /var/run/munin/bw//ts_access.log: No such file or directory                           
/usr/local/webarch/munin/bw.cron: line 17: /var/run/munin/bw//ts_access.log.monthly: No such file or directory                   
cat: /var/run/munin/bw//ts_access.log.monthly: No such file or directory                                                         
/usr/local/webarch/munin/bw.cron: line 21: /var/run/munin/bw//ts_access.log.monthly: No such file or directory                   
File /var/run/munin/bw//ttt_access.log.tail cannot be created. Check your permissions.                                           
/usr/local/webarch/munin/bw.cron: line 13: /var/run/munin/bw//ttt_access.log: No such file or directory                          
/usr/local/webarch/munin/bw.cron: line 17: /var/run/munin/bw//ttt_access.log.monthly: No such file or directory                  
cat: /var/run/munin/bw//ttt_access.log.monthly: No such file or directory                                                        
/usr/local/webarch/munin/bw.cron: line 21: /var/run/munin/bw//ttt_access.log.monthly: No such file or directory   

Was addressed:

mkdir /var/run/munin/bw
chown munin:www-data /var/run/munin/bw 
chmod 775 /var/run/munin/bw

And munin-node restarted.

[chris]

There is still a metche issue, this email:

From: root <root@parrot.webarch.net>                                                                                             
Date: Thu, 12 Dec 2013 07:20:02 0000                                                                                            
To: root@localhost                                                                                                               
Subject: parrot.webarch.net - changes report : stable-201312120720                                                               
                                                                                                                                 
metche saved a new stable state: stable-201312120720.                    

Was followed by:

From: root@parrot.webarch.net (Cron Daemon)                                                                                      
Date: Thu, 12 Dec 2013 07:20:02 +0000                                                                                            
To: root@parrot.webarch.net                                                                                                      
Subject: Cron <root@parrot> test -x /usr/sbin/metche && /usr/sbin/metche cron                                                    
                                                                                                                                 
find: `standard output': Broken pipe                                                                                             
find: write error               

[chris]

There is a issue with these graphs which needs fixing:

• ​https://penguin.transitionnetwork.org/munin/transitionnetwork.org/parrot.transitionnetwork.org/apache_vh_volume.html
• ​https://penguin.transitionnetwork.org/munin/transitionnetwork.org/parrot.transitionnetwork.org/apache_user_monthly_volume.html

[chris]

Replying to chris:

There is a issue with these graphs which needs fixing:

• ​https://penguin.transitionnetwork.org/munin/transitionnetwork.org/parrot.transitionnetwork.org/apache_vh_volume.html
• ​https://penguin.transitionnetwork.org/munin/transitionnetwork.org/parrot.transitionnetwork.org/apache_user_monthly_volume.html

Nothing needed to fix these, they have started working again.

The clock on Parrot was wrong, I have just reset it.

The wiki:ParrotServer pages has been updated.

I have tested phpmyadmin and that is working fine.

I think Parrot is now basically done, so I'm going to make a start on wiki:Penguin? server.

[chris]

Packages on Penguin when it was running Squeeze

[chris]

Penguin Wheezy Upgrade

Apt pinning, currently we have, /etc/apt/preferences.d/backports.pref which contains:

Package: gawk geoip-database libcairo2 libfreetype6 libgeoip1 liblog-dispatch-perl libnet-server-perl libpixman-1-0 liburi-perl libxfont1 munin munin-common munin-doc munin-node munin-plugins-core munin-plugins-extra nginx nginx-common nginx-full python-babel trac x11-common 
Pin: release o=backports
Pin-Priority: 990

And /etc/apt/preferences.d/dotdeb.pref which contains:

Package: php-pear php5-cli php5-common php5-fpm php5-mysql php5
Pin: release o=packages.dotdeb.org
Pin-Priority: 989

And /etc/apt/preferences.d/squeeze.pref which contains:

Package: *
Pin: release a=squeeze
Pin-Priority: 990

Package: mysql-common
Pin: release a=squeeze
Pin-Priority: 995

These were all moved out of the way:

mkdir /root/squeeze
mv /etc/apt/preferences.d/* /root/squeeze/

Nothing when the following was run:

dpkg --audit

A list of installed packages was generated and attached to this ticket, ​/trac/attachment/ticket/535/penguin-squeeze.packages.txt

The MySQL databases were backed up using ninjahelper.

The following files were moved to /root/squeeze:

/etc/apt/sources.list.d/backports.list which contained:

deb http://backports.debian.org/debian-backports squeeze-backports main

/etc/apt/sources.list.d/dotdeb.list which contained:

deb http://packages.dotdeb.org squeeze all
deb-src http://packages.dotdeb.org squeeze all

The /etc/apt/sources.list was edited to:

# wheezy
#
deb     http://ftp.debian.org/debian/     wheezy main contrib non-free
deb-src http://ftp.debian.org/debian/     wheezy main contrib non-free

# 
#  Security updates
# 
deb     http://security.debian.org/ wheezy/updates  main contrib non-free
deb-src http://security.debian.org/ wheezy/updates  main contrib non-free

Disk space was checked:

apt-get update ; apt-get -o APT::Get::Trivial-Only=true dist-upgrade
The following packages will be REMOVED:
  defoma libdigest-sha1-perl libdjvulibre-dev libept1 libjpeg62-dev libmagickcore-dev libmagickwand-dev libpango1.0-common
  libtiff4-dev mysql-client-5.1 mysql-server-5.1 mysql-server-core-5.1 php5-apc php5-gd x-ttcidfont-conf
The following NEW packages will be installed:
  aptitude-common cpp-4.6 cpp-4.7 docutils-common docutils-doc fonts-droid g++-4.7 gcc-4.6 gcc-4.6-base gcc-4.7 gcc-4.7-base
  gir1.2-atk-1.0 gir1.2-freedesktop gir1.2-gdkpixbuf-2.0 gir1.2-glib-2.0 gir1.2-pango-1.0 gir1.2-rsvg-2.0 git-man
  imagemagick-common javascript-common kmod krb5-locales libapt-inst1.5 libapt-pkg4.12 libasprintf0c2 libboost-iostreams1.49.0
  libclass-isa-perl libclass-load-perl libdata-optlist-perl libdb5.1 libdbi1 libelf1 libencode-locale-perl libept1.4.12
  libexiv2-12 libfile-fcntllock-perl libfile-listing-perl libgdk-pixbuf2.0-0 libgdk-pixbuf2.0-common libgdk-pixbuf2.0-dev
  libgettextpo0 libgirepository-1.0-1 libglib2.0-bin libgmp10 libgs9 libgs9-common libhtml-form-perl libhttp-cookies-perl
  libhttp-daemon-perl libhttp-date-perl libhttp-message-perl libhttp-negotiate-perl libijs-0.35 libio-socket-ssl-perl libitm1
  libjbig-dev libjbig0 libjpeg8 libjs-jquery libjs-sphinxdoc libjs-underscore libkmod2 liblcms2-2 liblensfun-data liblensfun0
  liblockfile-bin liblwp-mediatypes-perl liblwp-protocol-https-perl liblzma5 libmagickcore5 libmagickcore5-extra libmagickwand5
  libmodule-implementation-perl libmodule-runtime-perl libmount1 libmpc2 libmysqlclient18 libnet-http-perl libnet-ssleay-perl
  libp11-kit0 libpackage-deprecationmanager-perl libpackage-stash-perl libpackage-stash-xs-perl libpam-modules-bin
  libparams-classify-perl libparams-util-perl libpcre3-dev libpcrecpp0 libpipeline1 libprocps0 libquadmath0 librsvg2-common
  librtmp0 libsemanage-common libsemanage1 libsigsegv2 libssh2-1 libssl1.0.0 libstdc++6-4.7-dev libsub-install-perl
  libswitch-perl libsystemd-login0 libtinfo5 libtokyocabinet9 libtry-tiny-perl libustr-1.0-1 libwww-robotrules-perl libx11-doc
  ncurses-term poppler-data python2.7 python2.7-minimal ruby-mysql wwwconfig-common
The following packages will be upgraded:
  adduser apt apt-listchanges apt-show-versions apt-utils apticron aptitude autopoint autotools-dev awstats backupninja
  base-files base-passwd bash bash-completion binutils bsdmainutils bsdutils busybox bzip2 ca-certificates chrony coreutils
  cpio cpp cpp-4.4 cron dash dbus debconf debconf-i18n debconf-utils debhelper debian-archive-keyring debianutils denyhosts
  dialog diffutils dmidecode dpkg dpkg-dev e2fslibs e2fsprogs exiv2 fakeroot fcgiwrap fetchmail file findutils
  firmware-linux-free fontconfig fontconfig-config g++ g++-4.4 gawk gcc gcc-4.4 gcc-4.4-base geoip-database gettext
  gettext-base ghostscript git git-core gnupg gnupg-curl gpgv grep groff-base gzip heirloom-mailx hostname httrack hwinfo
  ifupdown imagemagick info initramfs-tools initscripts insserv install-info iozone3 iproute iptables iputils-ping
  isc-dhcp-client isc-dhcp-common iso-codes klibc-utils less libacl1 libalgorithm-diff-xs-perl libapr1 libaprutil1
  libapt-pkg-perl libatk1.0-0 libatk1.0-data libatk1.0-dev libattr1 libavahi-client3 libavahi-common-data libavahi-common3
  libblkid1 libbsd0 libbz2-1.0 libbz2-dev libc-bin libc-dev-bin libc6 libc6-dev libcache-cache-perl libcairo-gobject2
  libcairo-script-interpreter2 libcairo2 libcairo2-dev libcap2 libcdt4 libcgi-fast-perl libcgraph5 libcomerr2 libcroco3
  libcups2 libcupsimage2 libcurl3-gnutls libcwidget3 libdate-manip-perl libdatrie1 libdbd-mysql-perl libdbi-perl libdbus-1-3
  libdjvulibre-text libdjvulibre21 libdpkg-perl libedit2 libexif-dev libexif12 libexpat1 libexpat1-dev libfcgi-perl
  libfcgi0ldbl libffi5 libfont-freetype-perl libfontconfig1 libfontconfig1-dev libfontenc1 libfreetype6 libfreetype6-dev
  libgcc1 libgcrypt11 libgd2-noxpm libgdbm3 libgeoip1 libglib2.0-0 libglib2.0-data libglib2.0-dev libgnutls26 libgomp1
  libgpg-error0 libgpgme11 libgpm2 libgraph4 libgraphviz-dev libgsf-1-114 libgsf-1-common libgssapi-krb5-2 libgtk2.0-0
  libgtk2.0-bin libgtk2.0-common libgtk2.0-dev libgvc5 libgvpr1 libhal1 libhd16 libhtml-format-perl libhtml-parser-perl
  libhtml-template-perl libhtml-tree-perl libhttrack2 libice-dev libice6 libidn11 libilmbase-dev libilmbase6
  libio-multiplex-perl libio-socket-inet6-perl libipc-sharelite-perl libjasper-dev libjasper1 libjbig2dec0 libjpeg62
  libk5crypto3 libkeyutils1 libklibc libkrb5-3 libkrb5support0 liblcms1 liblcms1-dev libldap-2.4-2 liblist-moreutils-perl
  liblocale-gettext-perl liblockfile1 liblog-dispatch-perl liblqr-1-0 liblqr-1-0-dev libltdl-dev libltdl7 libmagic1
  libmailtools-perl libmpfr4 libmysql-ruby libmysql-ruby1.8 libmysqlclient-dev libncurses5 libncursesw5 libneon27-gnutls
  libnet-cidr-perl libnet-daemon-perl libnet-server-perl libnet-snmp-perl libnetpbm10 libnewt0.52 libnfnetlink0 libopenexr-dev
  libopenexr6 libossp-uuid16 libpam-modules libpam-runtime libpam0g libpango1.0-0 libpango1.0-dev libpaper-utils libpaper1
  libparams-validate-perl libpathplan4 libpcre3 libpixman-1-0 libpixman-1-dev libpng12-0 libpng12-dev libpopt0
  libpthread-stubs0 libpthread-stubs0-dev libqdbm14 libreadline5 libreadline6 librrd4 librrds-perl librsvg2-2 librsvg2-dev
  librsync1 libruby1.8 libruby1.9.1 libsasl2-2 libsasl2-modules libselinux1 libsepol1 libsigc++-2.0-0c2a libslang2 libsm-dev
  libsm6 libsocket6-perl libsqlite3-0 libss2 libstdc++6 libstdc++6-4.4-dev libsvn1 libt1-5 libtasn1-3 libtext-charwidth-perl
  libtext-iconv-perl libthai-data libthai0 libtiff4 libtiffxx0c2 libtool libudev0 libunistring0 liburi-perl libusb-0.1-4
  libuuid-perl libuuid1 libwmf-dev libwmf0.2-7 libwrap0 libwww-perl libx11-6 libx11-data libx11-dev libxapian22 libxau-dev
  libxau6 libxcb-render0 libxcb-render0-dev libxcb-shm0 libxcb-shm0-dev libxcb1 libxcb1-dev libxcomposite-dev libxcomposite1
  libxcursor-dev libxcursor1 libxdamage-dev libxdamage1 libxdmcp-dev libxdmcp6 libxdot4 libxext-dev libxext6 libxfixes-dev
  libxfixes3 libxfont1 libxft-dev libxft2 libxi-dev libxi6 libxinerama-dev libxinerama1 libxml2 libxml2-dev libxml2-utils
  libxmuu1 libxpm4 libxrandr-dev libxrandr2 libxrender-dev libxrender1 libxslt1.1 libxt-dev libxt6 libyaml-0-2
  libyaml-syck-perl linux-base linux-libc-dev locales locate lockfile-progs login logrotate logwatch lsb-base lsb-release lynx
  lynx-cur make man-db manpages manpages-dev mawk metche mime-support module-init-tools mount multiarch-support munin
  munin-common munin-doc munin-node munin-plugins-core munin-plugins-extra mutt mysql-common nano ncurses-base ncurses-bin
  net-tools netbase netcat-traditional netpbm ntpdate ocaml-base-nox openssh-blacklist openssh-blacklist-extra openssh-client
  openssh-server openssl passwd patch perl perl-base perl-modules php-pear php5 php5-cli php5-common php5-fpm php5-mysql
  pkg-config po-debconf postfix procps psmisc pwgen python python-apt python-apt-common python-babel python-central
  python-chardet python-docutils python-genshi python-imaging python-lxml python-minimal python-pkg-resources python-pygments
  python-pylibacl python-pyxattr python-roman python-setuptools python-subversion python-support python-tz python2.6
  python2.6-minimal rdate rdiff-backup readline-common rrdtool rsync rsyslog ruby1.8 ruby1.8-dev ruby1.9.1 ruby1.9.1-dev
  rubygems rubygems1.8 screen sed sensible-utils sgml-base shared-mime-info sqlite3 ssl-cert subversion sudo sysv-rc sysvinit
  sysvinit-utils tar tasksel tasksel-data tcpd timelimit trac trac-email2trac traceroute ttf-dejavu ttf-dejavu-core
  ttf-dejavu-extra tzdata ucf udev ufraw-batch unzip util-linux util-linux-locales vim vim-common vim-runtime vim-tiny
  webalizer wget whiptail x11-common x11proto-composite-dev x11proto-core-dev x11proto-damage-dev x11proto-fixes-dev
  x11proto-input-dev x11proto-kb-dev x11proto-randr-dev x11proto-render-dev x11proto-xext-dev x11proto-xinerama-dev xauth
  xfonts-encodings xfonts-utils xml-core xorg-sgml-doctools xtrans-dev xz-utils zlib1g zlib1g-dev
483 upgraded, 114 newly installed, 15 to remove and 0 not upgraded.
Need to get 303 MB of archives.
After this operation, 102 MB of additional disk space will be used.
E: Trivial Only specified but this is not a trivial operation.

Now we are ready to start the upgrade.

[chris]

apt-get update ; apt-get upgrade
The following packages have been kept back:
  apt apt-utils aptitude base-files bash binutils bsdmainutils ca-certificates chrony cpp cpp-4.4 dbus debhelper denyhosts dialog dpkg exiv2 fetchmail g++
  g++-4.4 gawk gcc gcc-4.4 gcc-4.4-base gettext gettext-base ghostscript git heirloom-mailx ifupdown imagemagick info initscripts iproute iptables
  iputils-ping less libalgorithm-diff-xs-perl libaprutil1 libapt-pkg-perl libatk1.0-0 libatk1.0-dev libc-bin libc-dev-bin libc6 libc6-dev libcdt4
  libcgi-fast-perl libcgraph5 libcups2 libcupsimage2 libcurl3-gnutls libcwidget3 libdbd-mysql-perl libdbi-perl libdjvulibre-dev libdjvulibre21 libedit2
  libexif-dev libexif12 libfcgi-perl libfont-freetype-perl libgcc1 libgcrypt11 libgd2-noxpm libglib2.0-0 libglib2.0-dev libgnutls26 libgomp1 libgraph4
  libgraphviz-dev libgtk2.0-0 libgtk2.0-bin libgtk2.0-common libgtk2.0-dev libgvc5 libgvpr1 libhtml-parser-perl libilmbase-dev libilmbase6
  libipc-sharelite-perl libjasper-dev libjasper1 libjpeg62 libjpeg62-dev libldap-2.4-2 liblist-moreutils-perl liblocale-gettext-perl liblockfile1
  liblog-dispatch-perl libmagickcore-dev libmagickwand-dev libmpfr4 libmysql-ruby libmysql-ruby1.8 libmysqlclient-dev libncurses5 libncursesw5
  libneon27-gnutls libnetpbm10 libpam-modules libpango1.0-0 libpango1.0-dev libparams-validate-perl libpathplan4 libreadline5 libreadline6 librrd4
  librrds-perl librsvg2-2 librsvg2-dev libruby1.8 libruby1.9.1 libsasl2-2 libsasl2-modules libsigc++-2.0-0c2a libsocket6-perl libstdc++6 libstdc++6-4.4-dev
  libsvn1 libtext-charwidth-perl libtext-iconv-perl libtiff4 libtiff4-dev libtiffxx0c2 libuuid-perl libwmf-dev libwmf0.2-7 libwww-perl libxapian22 libxdot4
  libxml2 libxml2-dev libyaml-syck-perl locales lsb-release lynx lynx-cur man-db module-init-tools mount mutt mysql-common nano ncurses-bin netbase netpbm
  ntpdate ocaml-base-nox openssh-client openssh-server openssl passwd perl perl-base perl-modules php-pear php5 php5-cli php5-common php5-fpm php5-gd
  php5-mysql postfix procps psmisc python python-apt python-babel python-chardet python-docutils python-genshi python-imaging python-lxml python-minimal
  python-pygments python-pylibacl python-pyxattr python-tz python2.6 python2.6-minimal rdiff-backup rrdtool rsyslog ruby1.8 ruby1.8-dev ruby1.9.1
  ruby1.9.1-dev screen sgml-base subversion sysvinit tasksel trac ufraw-batch util-linux util-linux-locales vim vim-common vim-runtime vim-tiny webalizer wget
  xml-core xz-utils
The following packages will be upgraded:
  adduser apt-listchanges apt-show-versions apticron autopoint autotools-dev awstats backupninja base-passwd bash-completion bsdutils busybox bzip2 coreutils
  cpio cron dash debconf debconf-i18n debconf-utils debian-archive-keyring debianutils diffutils dmidecode dpkg-dev e2fslibs e2fsprogs fakeroot fcgiwrap file
  findutils firmware-linux-free fontconfig fontconfig-config geoip-database git-core gnupg gnupg-curl gpgv grep groff-base gzip hostname httrack hwinfo
  initramfs-tools insserv install-info iozone3 isc-dhcp-client isc-dhcp-common iso-codes klibc-utils libacl1 libapr1 libatk1.0-data libattr1 libavahi-client3
  libavahi-common-data libavahi-common3 libblkid1 libbsd0 libbz2-1.0 libbz2-dev libcache-cache-perl libcairo-gobject2 libcairo-script-interpreter2 libcairo2
  libcairo2-dev libcap2 libcomerr2 libcroco3 libdate-manip-perl libdatrie1 libdbus-1-3 libdjvulibre-text libdpkg-perl libexpat1 libexpat1-dev libfcgi0ldbl
  libffi5 libfontconfig1 libfontconfig1-dev libfontenc1 libfreetype6 libfreetype6-dev libgdbm3 libgeoip1 libglib2.0-data libgpg-error0 libgpgme11 libgpm2
  libgsf-1-114 libgsf-1-common libgssapi-krb5-2 libhal1 libhd16 libhtml-format-perl libhtml-template-perl libhtml-tree-perl libhttrack2 libice-dev libice6
  libidn11 libio-multiplex-perl libio-socket-inet6-perl libjbig2dec0 libk5crypto3 libkeyutils1 libklibc libkrb5-3 libkrb5support0 liblcms1 liblcms1-dev
  liblqr-1-0 liblqr-1-0-dev libltdl-dev libltdl7 libmagic1 libmailtools-perl libnet-cidr-perl libnet-daemon-perl libnet-server-perl libnet-snmp-perl
  libnewt0.52 libnfnetlink0 libopenexr-dev libopenexr6 libossp-uuid16 libpam-runtime libpam0g libpaper-utils libpaper1 libpcre3 libpixman-1-0 libpixman-1-dev
  libpng12-0 libpng12-dev libpopt0 libpthread-stubs0 libpthread-stubs0-dev libqdbm14 librsync1 libselinux1 libsepol1 libslang2 libsm-dev libsm6 libsqlite3-0
  libss2 libt1-5 libtasn1-3 libthai-data libthai0 libtool libudev0 libunistring0 liburi-perl libusb-0.1-4 libuuid1 libwrap0 libx11-6 libx11-data libx11-dev
  libxau-dev libxau6 libxcb-render0 libxcb-render0-dev libxcb-shm0 libxcb-shm0-dev libxcb1 libxcb1-dev libxcomposite-dev libxcomposite1 libxcursor-dev
  libxcursor1 libxdamage-dev libxdamage1 libxdmcp-dev libxdmcp6 libxext-dev libxext6 libxfixes-dev libxfixes3 libxfont1 libxft-dev libxft2 libxi-dev libxi6
  libxinerama-dev libxinerama1 libxml2-utils libxmuu1 libxpm4 libxrandr-dev libxrandr2 libxrender-dev libxrender1 libxslt1.1 libxt-dev libxt6 libyaml-0-2
  linux-base linux-libc-dev locate lockfile-progs login logrotate logwatch lsb-base make manpages manpages-dev mawk metche mime-support multiarch-support
  munin munin-common munin-doc munin-node munin-plugins-core munin-plugins-extra ncurses-base net-tools netcat-traditional openssh-blacklist
  openssh-blacklist-extra patch pkg-config po-debconf pwgen python-apt-common python-central python-pkg-resources python-roman python-setuptools
  python-subversion python-support rdate readline-common rsync rubygems rubygems1.8 sed sensible-utils shared-mime-info sqlite3 ssl-cert sudo sysv-rc
  sysvinit-utils tar tasksel-data tcpd timelimit trac-email2trac traceroute ttf-dejavu ttf-dejavu-core ttf-dejavu-extra tzdata ucf udev unzip whiptail
  x11-common x11proto-composite-dev x11proto-core-dev x11proto-damage-dev x11proto-fixes-dev x11proto-input-dev x11proto-kb-dev x11proto-randr-dev
  x11proto-render-dev x11proto-xext-dev x11proto-xinerama-dev xauth xfonts-encodings xfonts-utils xorg-sgml-doctools xtrans-dev zlib1g zlib1g-dev
284 upgraded, 0 newly installed, 0 to remove and 205 not upgraded.
Need to get 78.8 MB of archives.
After this operation, 13.2 MB disk space will be freed.
Do you want to continue [Y/n]? Y

apticron (1.1.51) unstable; urgency=low

  New config option CUSTOM_FROM allows setting a custom sender by replacing the
  default 'From:' field in the notification emails.

 -- Tiago Bortoletto Vaz <tiago@debian.org>  Mon, 29 Aug 2011 00:00:23 -0300

backupninja (1.0~rc1-1) unstable; urgency=low

  duplicity 0.6.17 and later has moved to a new sftp/scp backend
  which no longer uses sftp/scp client programs, but instead relies on
  paramiko, a Python ssh+sftp implementation.

  Therefore, the sshoptions option of the backupninja duplicity handler
  cannot be used for anything but the one supported by this new backend:
  -oIdentityfile=some_key_file -- all other ssh options are ignored.

 -- intrigeri <intrigeri@debian.org>  Fri, 27 Apr 2012 23:07:11 +0200

backupninja (0.9.10-1) unstable; urgency=low

  Being severely broken for ages (see #596935), LDAP support was removed upstream.
  It will come back once this code has found itself a maintainer.
  Interested? Get in touch!

 -- intrigeri <intrigeri+debian@boum.org>  Fri, 23 Sep 2011 17:32:11 +0200

cron (3.0pl1-119) unstable; urgency=low

    The semantics of the -L option of the cron daemon have changed: from
    now on, the value will be interpreted as a bitmask of various log
    selectors, with "1" (log only the start of jobs) being the new default.

    Additionally, since -117 (NEWS entry was overlooked), the LSBNAMES
    variable in /etc/default/cron was merged with the EXTRA_OPTS variable
    as it was redundant.

 -- Christian Kastner <debian@kvr.at>  Sun, 07 Aug 2011 21:13:19 +0200

libdate-manip-perl (6.23-1) unstable; urgency=low

  Renamed one Date::Manip::Recur method

  The Date::Manip::Recur::base method has been renamed to basedate.  The
  Date::Manip::Recur::base method should return the Date::Manip::Base object
  like all the other Date::Manip modules.

 -- gregor herrmann <gregoa@debian.org>  Wed, 20 Apr 2011 22:42:38 +0200

libdate-manip-perl (6.20-1) unstable; urgency=low

  Reworked recurrences

  Recurrences were reworked in a (slightly) backward incompatible way to
  improve their usefulness (and to make them conform to the expected
  results). Most recurrences will work the same, but a few will
  differ.

  Cf. `man Date::Manip::Changes6' or `perldoc Date::Manip::Changes6'.

 -- gregor herrmann <gregoa@debian.org>  Wed, 29 Dec 2010 16:28:09 +0100

libdate-manip-perl (6.14-1) unstable; urgency=low

  As of Date::Manip 6.14, the 5.xx release is fully integrated into the
  distribution. Both will be installed automatically and you can switch
  between them. Cf. `man Date::Manip' or `perldoc Date::Manip'.

 -- gregor herrmann <gregoa@debian.org>  Tue, 26 Oct 2010 16:47:26 +0200

libhtml-tree-perl (5.00-1) unstable; urgency=low

  [THINGS THAT MAY BREAK YOUR CODE OR TESTS]
  * Use weak references to avoid memory leaks
    See "Weak References" in HTML::Element for details.
  * new_from_file now dies if the file cannot be opened.  $! records
    the specific problem.  (Previously, you got a tree with a few
    implicit elements.)
  * Some methods normally returning a scalar could return the empty
    list in certain circumstances.  This has been corrected.  The
    affected methods are: address, deobjectify_text, detach, is_inside,
    & pindex.
  * deprecate the Version sub/method.  Use the VERSION method instead.

 -- gregor herrmann <gregoa@debian.org>  Fri, 15 Jun 2012 14:50:32 +0200

linux-base (3) unstable; urgency=low

  * Some HP Smart Array controllers are now handled by the new 'hpsa'
    driver, rather than the 'cciss' driver.

    While the cciss driver presented disk device names beginning with
    'cciss/', hpsa makes disk arrays appear as ordinary SCSI disks and
    presents device names beginning with 'sd'.  In a system that already
    has other SCSI or SCSI-like devices, names may change unpredictably.

    During the upgrade from earlier versions, you will be prompted to
    update configuration files which refer to device names that may
    change.  You can choose to do this yourself or to follow an automatic
    upgrade process.  All changed configuration files are backed up with
    a suffix of '.old' (or '^old' in one case).

 -- Ben Hutchings <ben@decadent.org.uk>  Wed, 16 Mar 2011 13:19:34 +0000

logrotate (3.8.0-1) experimental; urgency=low

  Please note that this update changes the behaviour of logrotate:

  Logrotate now skips directories which are world writable or writable 
  by group which is not "root" unless the (new) "su" directive is used.

 -- Paul Martin <pm@debian.org>  Sun, 28 Aug 2011 19:16:36 +0100

lsb (4.1+Debian1) unstable; urgency=low

  This version implements a new "Fancy output" in the form of "[....] "
  blocks prepended to the daemon status messages:

  Before:
     Starting/stopping long daemon name: daemond daemon2d
  After:
     [....] Starting/stopping long daemon name: daemond daemon2d

  This block will become either a green [ ok ], a yellow [warn]
  or a red [FAIL] depending on the daemon exit status.

  The "Fancy output" can be disabled by setting the FANCYTTY variable to 0
  in the /etc/lsb-base-logging.sh configuration file.

 -- Didier Raboud <odyx@debian.org>  Thu, 19 Apr 2012 11:25:01 +0200

pam (1.1.2-1) unstable; urgency=low

  * Name of option for minimum Unix password length has changed

    The Debian-specific 'min=n' option to pam_unix for specifying minimum
    lengths for new passwords has been replaced by a new upstream option
    called 'minlen=n'.  If you are using 'min=n' in
    /etc/pam.d/common-password, this will be migrated to the new option name
    for you on upgrade.  If you have configured pam_unix password changing
    elsewhere on your system, such as in a PAM profile under
    /usr/share/pam-configs or in other files in /etc/pam.d, you will need to
    update them by hand for this change.

 -- Steve Langasek <vorlon@debian.org>  Tue, 31 Aug 2010 23:09:30 -0700

patch (2.6.1-1) unstable; urgency=low

  The options -U --unified-reject-files and --global-reject-file have now been
  removed.

 -- Christoph Berg <myon@debian.org>  Sun, 06 Feb 2011 20:17:11 +0100

qdbm (1.8.78-1) unstable; urgency=low

    gdbm emulation (hovel) is dropped from this version (cf. #620550).
    It breaks symbol versioning policy to keep its old version despite
    dropping gdbm_* symbols, assuming nobody use it.
    If you've used its functionarity, please switch to gdbm, or rebuild
    source package removing "--disable-gdbm" flag.

 -- KURASHIKI Satoru <lurdan@gmail.com>  Fri, 19 Aug 2011 08:38:15 +0900

rubygems (1.7.2-1) unstable; urgency=low

  * executables are now installed to /usr/local/bin, instread of
    /var/lib/gems/1.8/bin
  * but the other files created by rubygems stay in /var/lib/gems/1.8.
    Several commenters in #448639 and #403407 argued in favor of the switch to
    /usr/local/bin. Those two bugs can therefore be closed. However, the issue
    is not completely solved, as rubygems still installs files in /var/lib/gems.
    Nobody in the bug logs explained why that was an issue. If you care about
    it, please open a new bug. Closes: #448639, #403407

 -- Daigo Moriwaki <daigo@debian.org>  Fri, 29 Apr 2011 19:07:08 +0900

  This version implements a new "Fancy output" in the form of "[....] "
  blocks prepended to the daemon status messages:

  Before:
     Starting/stopping long daemon name: daemond daemon2d
  After:
     [....] Starting/stopping long daemon name: daemond daemon2d

  This block will become either a green [ ok ], a yellow [warn]
  or a red [FAIL] depending on the daemon exit status.

  The "Fancy output" can be disabled by setting the FANCYTTY variable to 0
  in the /etc/lsb-base-logging.sh configuration file.

 -- Didier Raboud <odyx@debian.org>  Thu, 19 Apr 2012 11:25:01 +0200

pam (1.1.2-1) unstable; urgency=low

  * Name of option for minimum Unix password length has changed

    The Debian-specific 'min=n' option to pam_unix for specifying minimum
    lengths for new passwords has been replaced by a new upstream option
    called 'minlen=n'.  If you are using 'min=n' in
    /etc/pam.d/common-password, this will be migrated to the new option name
    for you on upgrade.  If you have configured pam_unix password changing
    elsewhere on your system, such as in a PAM profile under
    /usr/share/pam-configs or in other files in /etc/pam.d, you will need to
    update them by hand for this change.

 -- Steve Langasek <vorlon@debian.org>  Tue, 31 Aug 2010 23:09:30 -0700

patch (2.6.1-1) unstable; urgency=low

  The options -U --unified-reject-files and --global-reject-file have now been
  removed.

 -- Christoph Berg <myon@debian.org>  Sun, 06 Feb 2011 20:17:11 +0100

qdbm (1.8.78-1) unstable; urgency=low

    gdbm emulation (hovel) is dropped from this version (cf. #620550).
    It breaks symbol versioning policy to keep its old version despite
    dropping gdbm_* symbols, assuming nobody use it.
    If you've used its functionarity, please switch to gdbm, or rebuild
    source package removing "--disable-gdbm" flag.

 -- KURASHIKI Satoru <lurdan@gmail.com>  Fri, 19 Aug 2011 08:38:15 +0900

rubygems (1.7.2-1) unstable; urgency=low

  * executables are now installed to /usr/local/bin, instread of
    /var/lib/gems/1.8/bin
  * but the other files created by rubygems stay in /var/lib/gems/1.8.
    Several commenters in #448639 and #403407 argued in favor of the switch to
    /usr/local/bin. Those two bugs can therefore be closed. However, the issue
    is not completely solved, as rubygems still installs files in /var/lib/gems.
    Nobody in the bug logs explained why that was an issue. If you care about
    it, please open a new bug. Closes: #448639, #403407

 -- Daigo Moriwaki <daigo@debian.org>  Fri, 29 Apr 2011 19:07:08 +0900

sudo (1.8.2-1) unstable; urgency=low

  The sudo package is no longer configured using --with-secure-path.
  Instead, the provided sudoers file now contains a line declaring
  'Defaults secure_path=' with the same path content that was previously
  hard-coded in the binary.  A consequence of this change is that if you
  do not have such a definition in sudoers, the PATH searched for commands
  by sudo may be empty.

  Using explicit paths for each command you want to run with sudo will work
  well enough to allow the sudoers file to be updated with a suitable entry
  if one is not already present and you choose to not accept the updated
  version provided by the package.
  
 -- Bdale Garbee <bdale@gag.com>  Wed, 24 Aug 2011 13:33:11 -0600

sysvinit-utils (2.88dsf-17) unstable; urgency=low

  bootlogd has moved from sysvinit-utils to a separate bootlogd package. If
  you wish to continue using bootlogd, please install the bootlogd package.
  Note that the configuration file /etc/default/bootlogd and its option
  BOOTLOGD_ENABLE no longer exist; if you do not wish to run bootlogd, remove
  the bootlogd package.

 -- Josh Triplett <josh@joshtriplett.org>  Mon, 19 Dec 2011 12:03:08 +0000

Configuration file `/etc/securetty'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : start a shell to examine the situation
 The default action is to keep your current version.
*** securetty (Y/I/N/O/D/Z) [default=N] ? D



--- /etc/securetty      2012-12-15 15:27:25.000000000 +0000
+++ /etc/securetty.dpkg-new     2012-05-25 22:24:43.000000000 +0100
@@ -230,6 +230,12 @@
 ttyAM14
 ttyAM15
 
+# Embedded ARM AMBA PL011 ports (e.g. emulated by QEMU)
+ttyAMA0
+ttyAMA1
+ttyAMA2
+ttyAMA3
+
 # DataBooster serial ports
 ttyDB0
 ttyDB1
@@ -355,6 +361,10 @@
 hvc0
 hvc1
 #...
+#IBM pSeries console ports
+hvsi0
+hvsi1
+hvsi2
 
 # Equinox SST multi-port serial boards
 ttyEQ0
@@ -363,7 +373,7 @@
 
 # ==========================================================
 #
-# Not in Documentation/Devicess.txt
+# Not in Documentation/Devices.txt
 #
 # ==========================================================
 
@@ -375,10 +385,9 @@
 ttymxc4
 ttymxc5
 
-# Embedded ARM AMBA PL011 ports (e.g. emulated by QEMU)
-ttyama0
-ttyama1
-ttyama2
-ttyama3
+# Serial Console for MIPS Swarm
+duart0
+duart1
 
-hvc0
+# s390 and s390x ports in LPAR mode
+ttysclp0
(END) 

Configuration file `/etc/securetty'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : start a shell to examine the situation
 The default action is to keep your current version.
*** securetty (Y/I/N/O/D/Z) [default=N] ? Y

  
                                                                                                                                                                
 ┌─────────────────────────────────────────────────────────────────┤ Configuring libpam0g ├──────────────────────────────────────────────────────────────────┐  
 │                                                                                                                                                           │  
 │ There are services installed on your system which need to be restarted when certain libraries, such as libpam, libc, and libssl, are upgraded. Since      │  
 │ these restarts may cause interruptions of service for the system, you will normally be prompted on each upgrade for the list of services you wish to      │  
 │ restart.  You can choose this option to avoid being prompted; instead, all necessary restarts will be done for you automatically so you can avoid being   │  
 │ asked questions on each library upgrade.                                                                                                                  │  
 │                                                                                                                                                           │  
 │ Restart services during package upgrades without asking?                                                                                                  │  
 │                                                                                                                                                           │  
 │                                               <Yes>                                                  <No>                                                 │  
 │                                                                                                                                                           │  
 └───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘  
                                                                                                                                                                
                                                                                                        Yes


dpkg: warning: unable to delete old directory '/var/lib/gems/1.8': Directory not empty
dpkg: warning: unable to delete old directory '/var/lib/gems': Directory not empty


               
                                                                                                                                                                
 ┌────────────────────────────────────────────────────────────────┤ Configuring linux-base ├─────────────────────────────────────────────────────────────────┐  
 │                                                                                                                                                           │  
 │ The new Linux kernel version provides different drivers for some PATA (IDE) controllers. The names of some hard disk, CD-ROM, and tape devices may        │  
 │ change.                                                                                                                                                   │  
 │                                                                                                                                                           │  
 │ It is now recommended to identify disk devices in configuration files by label or UUID (unique identifier) rather than by device name, which will work    │  
 │ with both old and new kernel versions.                                                                                                                    │  
 │                                                                                                                                                           │  
 │ If you choose to not update the system configuration automatically, you must update device IDs yourself before the next system reboot or the system may   │  
 │ become unbootable.                                                                                                                                        │  
 │                                                                                                                                                           │  
 │ Update disk device IDs in system configuration?                                                                                                           │  
 │                                                                                                                                                           │  
 │                                               <Yes>                                                  <No>                                                 │  
 │                                                                                                                                                           │  
 └───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘  
                                                                                                                                                                
                                                                                                                                                             
No

                    
            ┌─────────────────────────────────────────────────────┤ Configuring linux-base ├──────────────────────────────────────────────────────┐             
            │                                                                                                                                     │             
            │ Boot loader configuration check needed                                                                                              │             
            │                                                                                                                                     │             
            │ The boot loader configuration for this system was not recognized. These settings in the configuration may need to be updated:       │             
            │                                                                                                                                     │             
            │  * The root device ID passed as a kernel parameter;                                                                                 │             
            │  * The boot device ID used to install and update the boot loader.                                                                   │             
            │                                                                                                                                     │             
            │                                                                                                                                     │             
            │ You should generally identify these devices by UUID or label. However, on MIPS systems the root device must be identified by name.  │             
            │                                                                                                                                     │             
            │                                                               <Ok>                                                                  │             
            │                                                                                                                                     │             
            └─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘             
                                                                                                                                                        

                   
                                                                                                                                                                
             ┌───────────────────────────────────────────────────────┤ Configuring metche ├───────────────────────────────────────────────────────┐             
             │ A new version of configuration file /etc/metche.conf is available, but the version installed currently has been locally modified.  │             
             │                                                                                                                                    │             
             │ What do you want to do about modified configuration file metche.conf?                                                              │             
             │                                                                                                                                    │             
             │                                     install the package maintainer's version                                                       │             
             │                                     keep the local version currently installed                                                     │             
             │                                     show the differences between the versions                                                      │             
             │                                     show a side-by-side difference between the versions                                            │             
             │                                     show a 3-way difference between available versions                                             │             
             │                                     do a 3-way merge between available versions (experimental)                                     │             
             │                                     start a new shell to examine the situation                                                     │             
             │                                                                                                                                    │             
             │                                                                                                                                    │             
             │                                                               <Ok>                                                                 │             
             │                                                                                                                                    │             
             └────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘             
                                                                                                                                                                
                                                                                                                                                        
                                          
                                                                                                                                                                
                                         ┌──────────────────────────┤ Configuring metche ├───────────────────────────┐                                          
                                         │                                                                           │                                          
                                         │ Line by line differences between versions                                 │                                          
                                         │                                                                           │                                          
                                         │ --- /etc/metche.conf 2013-03-22 14:33:39.000000000 +0000                  │                                          
                                         │ +++ /tmp/filesoFFGy 2013-12-08 20:25:56.380119098 +0000                   │                                          
                                         │ @@ -51,13 +51,13 @@                                                       │                                          
                                         │  # - "printcap" when cups browsing feature are used.                      │                                          
                                         │  #                                                                        │                                          
                                         │  # Example (default value):                                               │                                          
                                         │ -EXCLUDES="*.swp #* *~ *.gpg *.key ifstate adjtime ld.so.cache shadow* \  │                                          
                                         │ - .cache .gnupg blkid.tab* aumixrc net.enable mtab backup.d \             │                                          
                                         │ - vdirbase run.rev vdir run.rev \                                         │                                          
                                         │ - prng_exch smtp_scache.pag smtpd_scache.pag \                            │                                          
                                         │ - smtp_scache.dir smtpd_scache.dir local.sh \                             │                                          
                                         │ - ssh_host_dsa_key* ssh_host_rsa_key* \                                   │                                          
                                         │ - hosts.deny"                                                             │                                          
                                         │ +#EXCLUDES=".git _darcs .svn .bzr CVS .hg _FOSSIL_ \                      │                                          
                                         │ +# *.swp #* *~ *.gpg *.key ifstate adjtime ld.so.cache shadow* \          │                                          
                                         │ +# .cache .gnupg blkid.tab* aumixrc net.enable mtab backup.d \            │                                          
                                         │ +# vdirbase run.rev vdir run.rev \                                        │                                          
                                         │ +# prng_exch smtp_scache.pag smtpd_scache.pag \                           │                                          
                                         │ +# smtp_scache.dir smtpd_scache.dir local.sh \                            │                                          
                                         │ +# ssh_host_dsa_key* ssh_host_rsa_key*"                                   │                                          
                                         │                                                                           │                                          
                                         │  # Locale (will be used to feed LC_ALL)                                   │                                          
                                         │  # Warning: values different from "C" are untested.                       │                                          
                                         │                                                                           │                                          
                                         │                                  <Ok>                                     │                                          
                                         │                                                                           │                                          
                                         └───────────────────────────────────────────────────────────────────────────┘                                          
                                                                                                                                                                
                                                                                                                                 
 install the package maintainer's version

Configuration file `/etc/sudoers'
 ==> File on system created by you or by a script.
 ==> File also in package provided by package maintainer.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : start a shell to examine the situation
 The default action is to keep your current version.
*** sudoers (Y/I/N/O/D/Z) [default=N] ? D




--- /etc/sudoers        2012-12-15 21:16:04.000000000 +0000
+++ /etc/sudoers.dpkg-new       2013-03-01 05:20:20.000000000 +0000
@@ -1,11 +1,14 @@
-# /etc/sudoers
 #
 # This file MUST be edited with the 'visudo' command as root.
 #
+# Please consider adding local content in /etc/sudoers.d/ instead of
+# directly modifying this file.
+#
 # See the man page for details on how to write a sudoers file.
 #
-
 Defaults       env_reset
+Defaults       mail_badpass
+Defaults       secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
 
 # Host alias specification
 
@@ -14,13 +17,11 @@
 # Cmnd alias specification
 
 # User privilege specification
-root   ALL=(ALL) ALL
+root   ALL=(ALL:ALL) ALL
 
 # Allow members of group sudo to execute any command
-# (Note that later entries override this, so you might need to move
-# it further down)
-# chris
-#%sudo ALL=(ALL) ALL
-%sudo ALL=(ALL) NOPASSWD: ALL
-#
+%sudo  ALL=(ALL:ALL) ALL
+
+# See sudoers(5) for more information on "#include" directives:
+
 #includedir /etc/sudoers.d

Configuration file `/etc/sudoers'
 ==> File on system created by you or by a script.
 ==> File also in package provided by package maintainer.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : start a shell to examine the situation
 The default action is to keep your current version.
*** sudoers (Y/I/N/O/D/Z) [default=N] ? Y

The sudoers files was then manually edited to add back:

# Allow members of group sudo to execute any command
#%sudo  ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL) NOPASSWD: ALL

Configuration file `/etc/email2trac.conf'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : start a shell to examine the situation
 The default action is to keep your current version.
*** email2trac.conf (Y/I/N/O/D/Z) [default=N] ? D



--- /etc/email2trac.conf        2013-02-21 19:53:26.000000000 +0000
+++ /etc/email2trac.conf.dpkg-new       2012-01-08 11:28:28.000000000 +0000
@@ -1,25 +1,22 @@
 [DEFAULT]
-project: /web/tech.transitionnetwork.org/trac 
+project: /data/trac/hpcv/project/test
 debug: 0
-umask: 022
-spam_level: 5
-reply_all : 0
-mailto_link: 0
-umask: 022
-email_header: 0
-trac_version: 0.11
-enable_syslog : 1
-alternate_notify_template :
-alternate_notify_template_update :
-drop_spam : 0
-verbatim_format: 1
-strip_signature: 0
-email_quote: >
-strip_quotes: 0
-ignore_trac_user_settings: 0
 black_list: MAILER-DAEMON@
+drop_spam : 1
 drop_alternative_html_version: 1
+email_quote: >
+html2text_cmd:
+ignore_trac_user_settings: 0
+inline_properties: 1
+reply_all : 0
+spam_level: 5
+strip_quotes: 0
+strip_signature: 0
 ticket_update: 1
+ticket_update_by_subject: 1
+umask: 022
+verbatim_format: 1
+
 
 [bas]
 project: /data/trac/bas

Configuration file `/etc/email2trac.conf'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : start a shell to examine the situation
 The default action is to keep your current version.
*** email2trac.conf (Y/I/N/O/D/Z) [default=N] ? N

So far so good... these sites were tested:

• ​https://penguin.transitionnetwork.org/ OK
• ​https://trac.transitionnetwork.org/trac OK
• ​https://stats.transitionnetwork.org/ OK
• ​https://wiki.transitionnetwork.org/ OK
• ​https://patterns.transitionresearchnetwork.org/ 502 bad Gateway
• ​http://static.transitionnetwork.org/ OK
• ​http://2010.archive.transitionnetwork.org/ OK
• ​http://2011.archive.transitionnetwork.org/ OK
• ​http://totnes.transitionnetwork.org/ OK

The Wagn server we restarted:

su-wagn
wagn-start
 => Booting WEBrick
 => Rails 3.2.14 application starting in production on http://127.0.0.1:3000

And now it's OK.

[chris]

apt-get dist-upgrade

The following packages will be REMOVED:
  defoma libdigest-sha1-perl libdjvulibre-dev libept1 libjpeg62-dev libmagickcore-dev libmagickwand-dev libpango1.0-common libtiff4-dev mysql-client-5.1
  mysql-server-5.1 mysql-server-core-5.1 php5-apc php5-gd x-ttcidfont-conf
The following NEW packages will be installed:
  aptitude-common cpp-4.6 cpp-4.7 docutils-common docutils-doc fonts-droid g++-4.7 gcc-4.6 gcc-4.6-base gcc-4.7 gcc-4.7-base gir1.2-atk-1.0 gir1.2-freedesktop
  gir1.2-gdkpixbuf-2.0 gir1.2-glib-2.0 gir1.2-pango-1.0 gir1.2-rsvg-2.0 git-man imagemagick-common javascript-common kmod libapt-inst1.5 libapt-pkg4.12
  libasprintf0c2 libboost-iostreams1.49.0 libclass-isa-perl libclass-load-perl libdata-optlist-perl libdb5.1 libdbi1 libelf1 libencode-locale-perl
  libept1.4.12 libexiv2-12 libfile-listing-perl libgdk-pixbuf2.0-0 libgdk-pixbuf2.0-common libgdk-pixbuf2.0-dev libgettextpo0 libgirepository-1.0-1
  libglib2.0-bin libgmp10 libgs9 libgs9-common libhtml-form-perl libhttp-cookies-perl libhttp-daemon-perl libhttp-date-perl libhttp-message-perl
  libhttp-negotiate-perl libijs-0.35 libio-socket-ssl-perl libitm1 libjbig-dev libjbig0 libjpeg8 libjs-jquery libjs-sphinxdoc libjs-underscore libkmod2
  liblcms2-2 liblensfun-data liblensfun0 liblockfile-bin liblwp-mediatypes-perl liblwp-protocol-https-perl liblzma5 libmagickcore5 libmagickcore5-extra
  libmagickwand5 libmodule-implementation-perl libmodule-runtime-perl libmount1 libmpc2 libmysqlclient18 libnet-http-perl libnet-ssleay-perl libp11-kit0
  libpackage-deprecationmanager-perl libpackage-stash-perl libpackage-stash-xs-perl libpam-modules-bin libparams-classify-perl libparams-util-perl
  libpcre3-dev libpcrecpp0 libpipeline1 libprocps0 libquadmath0 librsvg2-common librtmp0 libsemanage-common libsemanage1 libsigsegv2 libssh2-1 libssl1.0.0
  libstdc++6-4.7-dev libsub-install-perl libswitch-perl libsystemd-login0 libtinfo5 libtokyocabinet9 libtry-tiny-perl libustr-1.0-1 libwww-robotrules-perl
  ncurses-term poppler-data python2.7 python2.7-minimal ruby-mysql wwwconfig-common
The following packages will be upgraded:
  apt apt-utils aptitude base-files bash binutils bsdmainutils ca-certificates chrony cpp cpp-4.4 dbus debhelper denyhosts dialog dpkg exiv2 fetchmail g++
  g++-4.4 gawk gcc gcc-4.4 gcc-4.4-base gettext gettext-base ghostscript git heirloom-mailx ifupdown imagemagick info initscripts iproute iptables
  iputils-ping less libalgorithm-diff-xs-perl libaprutil1 libapt-pkg-perl libatk1.0-0 libatk1.0-dev libc-bin libc-dev-bin libc6 libc6-dev libcdt4
  libcgi-fast-perl libcgraph5 libcups2 libcupsimage2 libcurl3-gnutls libcwidget3 libdbd-mysql-perl libdbi-perl libdjvulibre21 libedit2 libexif-dev libexif12
  libfcgi-perl libfont-freetype-perl libgcc1 libgcrypt11 libgd2-noxpm libglib2.0-0 libglib2.0-dev libgnutls26 libgomp1 libgraph4 libgraphviz-dev libgtk2.0-0
  libgtk2.0-bin libgtk2.0-common libgtk2.0-dev libgvc5 libgvpr1 libhtml-parser-perl libilmbase-dev libilmbase6 libipc-sharelite-perl libjasper-dev libjasper1
  libjpeg62 libldap-2.4-2 liblist-moreutils-perl liblocale-gettext-perl liblockfile1 liblog-dispatch-perl libmpfr4 libmysql-ruby libmysql-ruby1.8
  libmysqlclient-dev libncurses5 libncursesw5 libneon27-gnutls libnetpbm10 libpam-modules libpango1.0-0 libpango1.0-dev libparams-validate-perl libpathplan4
  libreadline5 libreadline6 librrd4 librrds-perl librsvg2-2 librsvg2-dev libruby1.8 libruby1.9.1 libsasl2-2 libsasl2-modules libsigc++-2.0-0c2a
  libsocket6-perl libstdc++6 libstdc++6-4.4-dev libsvn1 libtext-charwidth-perl libtext-iconv-perl libtiff4 libtiffxx0c2 libuuid-perl libwmf-dev libwmf0.2-7
  libwww-perl libxapian22 libxdot4 libxml2 libxml2-dev libyaml-syck-perl locales lsb-release lynx lynx-cur man-db module-init-tools mount mutt mysql-common
  nano ncurses-bin netbase netpbm ntpdate ocaml-base-nox openssh-client openssh-server openssl passwd perl perl-base perl-modules php-pear php5 php5-cli
  php5-common php5-fpm php5-mysql postfix procps psmisc python python-apt python-babel python-chardet python-docutils python-genshi python-imaging python-lxml
  python-minimal python-pygments python-pylibacl python-pyxattr python-tz python2.6 python2.6-minimal rdiff-backup rrdtool rsyslog ruby1.8 ruby1.8-dev
  ruby1.9.1 ruby1.9.1-dev screen sgml-base subversion sysvinit tasksel trac ufraw-batch util-linux util-linux-locales vim vim-common vim-runtime vim-tiny
  webalizer wget xml-core xz-utils
199 upgraded, 111 newly installed, 15 to remove and 0 not upgraded.
Need to get 220 MB of archives.
After this operation, 104 MB of additional disk space will be used.
Do you want to continue [Y/n]? Y

eglibc (2.13-25) unstable; urgency=medium

  Starting with the eglibc package version 2.13-5, the libraries are 
  shipped in the multiarch directory /lib/<triplet> instead of the more
  traditional /lib, where <triplet> is the multiarch triplet and can be
  retrieved with 'dpkg-architecture -qDEB_HOST_MULTIARCH'. Similarly the
  includes are now shipped in /usr/include/<triplet> instead of the more
  traditional /usr/include.
  
  The toolchain in Debian has been updated to cope with that, and most
  build systems should be unaffected. If you are using a non-Debian 
  toolchain to build your software and it is not able to cope with 
  multiarch, you might try to pass the following options to your 
  compiler:

    -B/usr/lib/<triplet> -I/usr/include/<triplet>
  
  Alternatively if the build system makes hard to pass the above options,
  you might try to set the LIBRARY_PATH and CPATH environment variables:                                                                                                                                                          
    LIBRARY_PATH=/usr/lib/<triplet>
    CPATH=/usr/include/<triplet>
    export LIBRARY_PATH CPATH

 -- Aurelien Jarno <aurel32@debian.org>  Mon, 09 Jan 2012 12:47:16 +0100 

eglibc (2.13-7) unstable; urgency=low

  Starting with version 2.13, eglibc provides an SSSE3 optimized version 
  of memcpy() on the amd64 architecture. This version might copy memory 
  backward in some conditions, which causes issues if the source and 
  destination overlap. memmove() should be used in such cases, but some 
  programs still wrongly use memcpy().

  For this reason, on the amd64 architecture the Debian package provides 
  two wrappers which can be use to workaround and/or debug the issue:
  - /usr/lib/x86_64-linux-gnu/libc/memcpy-preload.so simply replace all 
    calls to memcpy() by a call to memmove()
  - /usr/lib/x86_64-linux-gnu/libc/memcpy-syslog-preload.so does the same,
    but in addition logs (with rate limit) the issue to syslog, so that it 
    can be detected and fixed.

  To use these wrapper on a single binary, the easiest way is to use the
  LD_PRELOAD environment variable:
  - LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libc/memcpy-preload.so /path/to/binary
  - LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libc/memcpy-syslog-preload.so /path/to/binary

  For system-wide usage, it is possible to add the path of one of the 
  wrapper to /etc/ld.so.preload.

  For more details about the issue, please see:
    http://bugs.debian.org/625521
    http://sourceware.org/bugzilla/show_bug.cgi?id=12518

 -- Aurelien Jarno <aurel32@debian.org>  Sat, 11 Jun 2011 18:02:52 +0200

apt (0.8.11) unstable; urgency=low

  * apt-get install pkg/experimental will now not only switch the
    candidate of package pkg to the version from the release experimental
    but also of all dependencies of pkg if the current candidate can't
    satisfy a versioned dependency.

 -- David Kalnischkies <kalnischkies@gmail.com>  Fri, 03 Dec 2010 14:09:12 +0100

ca-certificates (20130119) unstable; urgency=low

  Update mozilla/certdata.txt to version 1.87
    Certificates removed (-) (none added):
    - "T?RKTRUST Elektronik Sertifika Hizmet Sa?lay?c?s?"

 -- Michael Shuler <michael@pbandjelly.org>  Sat, 19 Jan 2013 14:08:50 -0600

ca-certificates (20121105) unstable; urgency=low

  Update mozilla/certdata.txt to version 1.86
    Certificates added (+) (none removed):
    + "Actalis Authentication Root CA"
    + "Trustis FPS Root CA"
    + "StartCom Certification Authority" (renewal/rehash)
    + "StartCom Certification Authority G2"
    + "Buypass Class 2 Root CA"
    + "Buypass Class 3 Root CA"
    + "T?RKTRUST Elektronik Sertifika Hizmet Sa?lay?c?s?"
    + "T-TeleSec GlobalRoot Class 3"
    + "EE Certification Centre Root CA"

 -- Michael Shuler <michael@pbandjelly.org>  Mon, 05 Nov 2012 10:56:28 -0600

ca-certificates (20120212) unstable; urgency=low

  Update mozilla/certdata.txt to version 1.81
    Certificates added (+) and removed (-):
    + "Security Communication RootCA2"
    + "EC-ACC"
    + "Hellenic Academic and Research Institutions RootCA 2011"
    - "Verisign Class 2 Public Primary Certification Authority"
    - "Verisign Class 4 Public Primary Certification Authority - G2"
    - "TC TrustCenter, Germany, Class 2 CA"
    - "TC TrustCenter, Germany, Class 3 CA"

 -- Michael Shuler <michael@pbandjelly.org>  Sun, 12 Feb 2012 15:12:59 -0600

ca-certificates (20111211) unstable; urgency=low

  Remove French Government IGC/A CA certificates. The RSA certificate is
    included in the Mozilla bundle and the DSA certificate is not in use.
  Remove expired signet.pl CAs.
  Remove expired brasil.gov.br CA.

 -- Michael Shuler <michael@pbandjelly.org>  Sun, 11 Dec 2011 19:05:32 -0600

ca-certificates (20111025) unstable; urgency=low

  Update mozilla/certdata.txt to latest (NSS branch version 1.64.2.13)
    Certificates added (+) and removed (-):
    + "AffirmTrust Commercial"
    + "AffirmTrust Networking"
    + "AffirmTrust Premium"
    + "AffirmTrust Premium ECC"
    + "A-Trust-nQual-03"
    + "Certinomis - Autorit? Racine"
    + "Certum Trusted Network CA"
    + "Go Daddy Root Certificate Authority - G2"
    + "Root CA Generalitat Valenciana"
    + "Starfield Root Certificate Authority - G2"
    + "Starfield Services Root Certificate Authority - G2"
    + "TWCA Root Certification Authority"
    - "AOL Time Warner Root Certification Authority 1"
    - "AOL Time Warner Root Certification Authority 2"
    - "DigiNotar Root CA"
    - "Entrust.net Global Secure Personal CA"
    - "Entrust.net Global Secure Server CA"
    - "Entrust.net Secure Personal CA"
    - "IPS Chained CAs root"
    - "IPS CLASE1 root"
    - "IPS CLASE3 root"
    - "IPS CLASEA1 root"
    - "IPS CLASEA3 root"
    - "IPS Timestamping root"
    - "Thawte Personal Freemail CA"
    - "Thawte Time Stamping CA"
  Update CAcert-Class 3-Subroot-certificate  Closes: #630232

 -- Michael Shuler <michael@pbandjelly.org>  Sun, 23 Oct 2011 23:16:57 -0500

cyrus-sasl2 (2.1.25.dfsg1-5) unstable; urgency=low

  * Configuration of SQL engine backends have changed from database
    specific configuration (e.g. 'mysql') to generic 'sql' auxprop
    plugin.
  
    You will need to change your configuration f.e. from:
  
        auxprop_plugin: mysql
  
    to
  
        auxprop_plugin: sql
        sql_engine: mysql
  
    Also the SQL query (if used) needs to have '%u' replaced with '%u@%r'
    because now user and realm is provided separately.

 -- Ond?ej Sur? <ondrej@debian.org>  Mon, 06 Aug 2012 13:12:22 +0200

ifupdown (0.7~rc1+experimental) experimental; urgency=low

    The --all option to ifup and ifquery can now be combined with the
    --allow option to act on all interfaces of a specific class (still
    defaulting to the class 'auto'). If you have custom hook scripts, you
    may need to update them. See interfaces(5) for details.

 -- Andrew O. Shadura <bugzilla@tut.by>  Tue, 17 Apr 2012 01:05:42 +0200

imagemagick (8:6.6.9.7-3) unstable; urgency=low

  Please note that imagemagick version 6.6.9.7 has moved its global 
  configuration files from /usr/share/imagemagick to /etc/ImageMagick, 
  following the FHS. See the package imagemagick-doc or 
  http://www.imagemagick.org/script/resources.php for more information 
  on configuring ImageMagick.
  .
  This will lose any changes you may have made to these files, 
  in the extremely unlikely case that you have customized them (doing so 
  was not officially supported by either upstream or Debian versions 
  before 6.6.9).

 -- Bastien Roucari?s <roucaries.bastien+debian@gmail.com>  Sun, 01 May 2011 13:43:12 +0200

mutt (1.5.21-2) experimental; urgency=low
  mailto-mutt has been replaced by a wrapper as per #576313, because mutt is now
  able to handle the mailto: urls; additionally it will also do some checks on
  attachments and it will allow us to be as close to upstream as possible

 -- Antonio Radici <antonio@dyne.org>  Sat, 01 Jan 2011 12:56:29 +0000

php5 (5.4.4-7) unstable; urgency=low

  * As a side effect of the MIME-Type changes in the mime-support package,
    the default Apache 2 configuration will no longer perform HTTP content
    negotiation on the PHP file extensions, which was very questionable
    anyway.  If you really want to re-enable this support then please read
    /usr/share/doc/php5-common/README.Debian file for further
    instructions.
  
 -- Ond?ej Sur? <ondrej@debian.org>  Wed, 29 Aug 2012 09:18:41 +0200

php5 (5.4.4-5) unstable; urgency=low

  * As a security measure the default configuration for Apache 2 has been
    changed to a stricter model.  Only files which have the correct
    rightmost extension, and at least one character in the filename before
    that extension, are now interpreted by PHP.  For a full list of
    handled extensions please see the Apache 2 configuration.  At the time
    of writing this paragraph, the list includes the following regular
    expressions:
  
      1. .+\.ph(p[345]?|t|tml)$ for PHP files (application/x-httpd-php)
      2. .+\.phps$ for PHP source files (application/x-httpd-php-source)

    Previously, as a side effect of system MIME type definitions, the
    default configuration would allow the interpreting of files with a
    double extension, where the second extension was either unrecognised
    or a language or content encoding to be interpreted; e.g. an uploaded
    file named blackhat.php.foobar or index.php.cs would be interpreted by
    PHP.  These non-standard definitions have been removed from the
    mime-support packages and all configuration of PHP handlers is now
    defined in the Apache 2 configuration files.
  
    The standard configuration now also denies access to files with names
    which consist of an extension and nothing more; e.g. accessing '/.php'
    will now return Access Denied instead of the output of the PHP script.
  
    You can use the following command to find whether there are any files
    on your system which would be affected by this change (change <base>
    to the directory name where you store PHP files on your system):

    # find <base> -name '*.ph[pt].*' -o -name '*.php[345s].*' -o \
                  -name '*.phtml.*' -o -name '.ph[pt]' -o \
                  -name '.php[345s]' -o -name '.phtml'

 -- Ond?ej Sur? <ondrej@debian.org>  Tue, 21 Aug 2012 09:14:47 +0200

php5 (5.4.0~rc8-1) unstable; urgency=low

  php5-fpm default www spool now listens on unix socket located
  in /var/run/php5-fpm.sock instead of localhost:9000.  If you
  have configured your webserver to use localhost:9000, you will
  have to change your settings.

 -- Ond?ej Sur? <ondrej@debian.org>  Wed, 08 Feb 2012 08:25:30 +0100

php5 (5.4.0~rc6-2) unstable; urgency=low

  t1lib support was removed from PHP 5.4.  t1lib has many security
  issues and is unmaintained by upstream for a very long time (3 years).

  For more information see:
    + http://bugs.debian.org/637488
    + http://bugs.debian.org/638755
  
  This unfortunately also means that following functions are not
  available in PHP5 from now:
    - imagepsloadfont
    - imagepsfreefont
    - imagepsencodefont
    - imagepsextendfont
    - imagepsslantfont
    - imagepstext
    - imagepsbbox

  If you really need those functions you will need to install t1lib from
  sources.  You will need to install php5-dev and recompile GD extension
  (roughly) using following commands:

    cd <path_to_php5_sources>/ext/gd/
    phpize
    configure --with-gd=shared,/usr --enable-gd-native-ttf \
      --with-t1lib=<location_of_your_t1lib>
    make
    make install

 -- Ond?ej Sur? <ondrej@debian.org>  Wed, 01 Feb 2012 18:19:45 +0100

procps (1:3.3.1-1) unstable; urgency=low

  * top has a new rcfile format from 3.3.1 which is not backwards compatible
    from a rcfile save from a pre-3.3.1 top.

 -- Craig Small <csmall@debian.org>  Mon, 23 Jan 2012 22:26:16 +1100

rsyslog (5.8.1-1) unstable; urgency=low

  The way rsyslog processes SIGHUP has changed. It no longer does a reload
  of its configuration, but simply closes all open files, which is a much more
  lightweight operation.
  To apply a changed configuration, rsyslogd needs to be restarted now.
  As a consequence, the reload action has been dropped from the init script.

  A new action called "rotate" was added to the init script, which signals
  rsyslogd to close all open files. This new action is used in the rsyslog
  logrotate configuration file.

  For more information, see:
  http://www.rsyslog.com/doc/v4compatibility.html
  http://www.rsyslog.com/doc/v5compatibility.html

 -- Michael Biebl <biebl@debian.org>  Mon, 30 May 2011 18:26:51 +0200

ruby1.9.1 (1.9.2.180-4) unstable; urgency=low

  * Rubygems executables are now installed to /usr/local/bin, instead of
    /var/lib/gems/1.9.2/bin
  * But the other files created by rubygems stay in /var/lib/gems/1.9.2.
    Several commenters in #448639 and #403407 argued in favor of the switch to
    /usr/local/bin. Those two bugs can therefore be closed. However, the issue
    is not completely solved, as rubygems still installs files in
    /var/lib/gems.
    Nobody in the bug logs explained why that was an issue. If you care about
    it, please open a new bug. Fixes rubygems bugs: #448639, #403407

 -- Lucas Nussbaum <lucas@lucas-nussbaum.net>  Tue, 03 May 2011 16:11:25 +0200

screen (4.1.0~20120320gitdb59704-7) unstable; urgency=low

  In case you upgrade screen from 4.0.3 to 4.1.0 while running inside
  screen and you have to reconnect to that screen session (or any other
  screen session which has been started before the upgrade), there may be
  a few screen features not working until you exit the 4.0.3-started
  session and replace it with a 4.1.0-started session.

  Known issues of 4.0.3 to 4.1.0 interoperability as of now:

  * Terminal window resizing (WINCH signal) does not propagate to the
    screen session. Detach and reattach again instead to get the size of
    the terminals inside the screen session adjusted propely.

 -- Axel Beckert <abe@debian.org>  Sun, 16 Sep 2012 12:48:44 +0200

sgml-base (1.26+nmu2) unstable; urgency=low

  Starting with this release the SGML super catalog /etc/sgml/catalog will be
  replaced with a symbolic link to /var/lib/sgml-base/supercatalog. The latter
  file can be regenerated from the contents of the /etc/sgml directory including
  all files ending in .cat using the new update-catalog --update-super option.
  This call will be (dpkg) triggered by packages placing files in /etc/sgml. The
  transition to this way of handling the super catalog will loose user changes to
  /etc/sgml/catalog. Further overwriting of user changes will happen until all
  packages using dh_installcatalogs are built with a fixed version of debhelper.
  Sorry for the inconvenience.

    cd <path_to_php5_sources>/ext/gd/
    phpize
    configure --with-gd=shared,/usr --enable-gd-native-ttf \
      --with-t1lib=<location_of_your_t1lib>
    make
    make install

 -- Ond?ej Sur? <ondrej@debian.org>  Wed, 01 Feb 2012 18:19:45 +0100

procps (1:3.3.1-1) unstable; urgency=low

  * top has a new rcfile format from 3.3.1 which is not backwards compatible
    from a rcfile save from a pre-3.3.1 top.

 -- Craig Small <csmall@debian.org>  Mon, 23 Jan 2012 22:26:16 +1100

rsyslog (5.8.1-1) unstable; urgency=low

  The way rsyslog processes SIGHUP has changed. It no longer does a reload
  of its configuration, but simply closes all open files, which is a much more
  lightweight operation.
  To apply a changed configuration, rsyslogd needs to be restarted now.
  As a consequence, the reload action has been dropped from the init script.

  A new action called "rotate" was added to the init script, which signals
  rsyslogd to close all open files. This new action is used in the rsyslog
  logrotate configuration file.

  For more information, see:
  http://www.rsyslog.com/doc/v4compatibility.html
  http://www.rsyslog.com/doc/v5compatibility.html

 -- Michael Biebl <biebl@debian.org>  Mon, 30 May 2011 18:26:51 +0200

ruby1.9.1 (1.9.2.180-4) unstable; urgency=low

  * Rubygems executables are now installed to /usr/local/bin, instead of
    /var/lib/gems/1.9.2/bin
  * But the other files created by rubygems stay in /var/lib/gems/1.9.2.
    Several commenters in #448639 and #403407 argued in favor of the switch to
    /usr/local/bin. Those two bugs can therefore be closed. However, the issue
    is not completely solved, as rubygems still installs files in
    /var/lib/gems.
    Nobody in the bug logs explained why that was an issue. If you care about
    it, please open a new bug. Fixes rubygems bugs: #448639, #403407

 -- Lucas Nussbaum <lucas@lucas-nussbaum.net>  Tue, 03 May 2011 16:11:25 +0200

screen (4.1.0~20120320gitdb59704-7) unstable; urgency=low

  In case you upgrade screen from 4.0.3 to 4.1.0 while running inside
  screen and you have to reconnect to that screen session (or any other
  screen session which has been started before the upgrade), there may be
  a few screen features not working until you exit the 4.0.3-started
  session and replace it with a 4.1.0-started session.

  Known issues of 4.0.3 to 4.1.0 interoperability as of now:

  * Terminal window resizing (WINCH signal) does not propagate to the
    screen session. Detach and reattach again instead to get the size of
    the terminals inside the screen session adjusted propely.

 -- Axel Beckert <abe@debian.org>  Sun, 16 Sep 2012 12:48:44 +0200

sgml-base (1.26+nmu2) unstable; urgency=low

  Starting with this release the SGML super catalog /etc/sgml/catalog will be
  replaced with a symbolic link to /var/lib/sgml-base/supercatalog. The latter
  file can be regenerated from the contents of the /etc/sgml directory including
  all files ending in .cat using the new update-catalog --update-super option.
  This call will be (dpkg) triggered by packages placing files in /etc/sgml. The
  transition to this way of handling the super catalog will loose user changes to
  /etc/sgml/catalog. Further overwriting of user changes will happen until all
  packages using dh_installcatalogs are built with a fixed version of debhelper.
  Sorry for the inconvenience.

 -- Helmut Grohne <helmut@subdivi.de>  Mon, 30 Apr 2012 16:37:01 +0200

vim (2:7.3.154+hg~74503f6ee649-1) unstable; urgency=low

  The vim-lesstif package has been removed in favor of the new vim-athena
  package.  The intent behind both packages is to provide a lighter-weight GUI
  package as well as one that allows using XFLD fonts.  The Athena toolkit,
  however,  has broader usage and reduces divergences with downstream
  distributions.

 -- James Vega <jamessan@debian.org>  Sun, 27 Feb 2011 12:45:40 -0500

Configuration file `/etc/mysql/my.cnf'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : start a shell to examine the situation
 The default action is to keep your current version.
*** my.cnf (Y/I/N/O/D/Z) [default=N] ? D


--- /etc/mysql/my.cnf   2013-12-07 11:27:13.510824954 +0000
+++ /etc/mysql/my.cnf.dpkg-new  2012-06-08 21:25:42.000000000 +0100
@@ -39,7 +39,7 @@
 basedir                = /usr
 datadir                = /var/lib/mysql
 tmpdir         = /tmp
-language       = /usr/share/mysql/english
+lc-messages-dir        = /usr/share/mysql
 skip-external-locking
 #
 # Instead of skip-networking the default is now to listen only on
@@ -48,37 +48,21 @@
 #
 # * Fine Tuning
 #
-key_buffer             = 32M
-# chris
-key_buffer_size                = 512M
-max_allowed_packet     = 32M
+key_buffer             = 16M
+max_allowed_packet     = 16M
 thread_stack           = 192K
 thread_cache_size       = 8
 # This replaces the startup script and checks MyISAM tables if needed
 # the first time they are touched
 myisam-recover         = BACKUP
 #max_connections        = 100
-# chris
-max_connections        = 30
-
-# chris
 #table_cache            = 64
-table_cache            = 4096
-
 #thread_concurrency     = 10
 #
 # * Query Cache Configuration
 #
-# chris
-#query_cache_limit     = 1024M
-#query_cache_limit     = 256M
-query_cache_limit      = 128M
-
-# chris
-#query_cache_size        = 16M
-#query_cache_size        = 1024M
-#query_cache_size        = 256M
-query_cache_size        = 128M
+query_cache_limit      = 1M
+query_cache_size        = 16M
 #
 # * Logging and Replication
 #
@@ -121,8 +105,6 @@
 # ssl-cert=/etc/mysql/server-cert.pem
 # ssl-key=/etc/mysql/server-key.pem
 
-# chris
-innodb_buffer_pool_size = 128M
 
 
 [mysqldump]


Configuration file `/etc/mysql/my.cnf'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : start a shell to examine the situation
 The default action is to keep your current version.
*** my.cnf (Y/I/N/O/D/Z) [default=N] ? N


Creating config file /etc/php5/mods-available/pdo.ini with new version
Setting up php5-fpm (5.4.4-14+deb7u5) ...

Configuration file `/etc/php5/fpm/php-fpm.conf'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : start a shell to examine the situation
 The default action is to keep your current version.
*** php-fpm.conf (Y/I/N/O/D/Z) [default=N] ? D



--- /etc/php5/fpm/php-fpm.conf  2013-07-16 10:34:43.000000000 +0100
+++ /etc/php5/fpm/php-fpm.conf.dpkg-new 2013-10-03 10:36:30.000000000 +0100
@@ -76,14 +76,6 @@
 ; Default Value: 0
 ; process.max = 128
 
-; Specify the nice(2) priority to apply to the master process (only if set)
-; The value can vary from -19 (highest priority) to 20 (lower priority)
-; Note: - It will only work if the FPM master process is launched as root
-;       - The pool process will inherit the master process priority
-;         unless it specified otherwise
-; Default Value: no set
-; process.priority = -19
-
 ; Send FPM to background. Set to 'no' to keep FPM in foreground for debugging.
 ; Default Value: yes
 ;daemonize = yes
@@ -119,3 +111,4 @@
 ; To configure the pools it is recommended to have one .conf file per
 ; pool in the following directory:
 include=/etc/php5/fpm/pool.d/*.conf
+


Configuration file `/etc/php5/fpm/php-fpm.conf'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : start a shell to examine the situation
 The default action is to keep your current version.
*** php-fpm.conf (Y/I/N/O/D/Z) [default=N] ? Y


Configuration file `/etc/php5/fpm/pool.d/www.conf'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : start a shell to examine the situation
 The default action is to keep your current version.
*** www.conf (Y/I/N/O/D/Z) [default=N] ? D



--- /etc/php5/fpm/pool.d/www.conf       2013-06-07 09:29:47.000000000 +0100
+++ /etc/php5/fpm/pool.d/www.conf.dpkg-new      2013-10-03 10:36:30.000000000 +0100
@@ -30,23 +30,20 @@
 ;                            specific port;
 ;   '/path/to/unix/socket' - to listen on a unix socket.
 ; Note: This value is mandatory.
-; chris
-;listen = 127.0.0.1:9000
-listen = /var/run/php5-fpm/phpfpm.sock
+listen = /var/run/php5-fpm.sock
 
-; Set listen(2) backlog. A value of '-1' means unlimited.
+; Set listen(2) backlog.
 ; Default Value: 128 (-1 on FreeBSD and OpenBSD)
-;listen.backlog = -1
+;listen.backlog = 128
 
 ; Set permissions for unix socket, if one is used. In Linux, read/write
 ; permissions must be set in order to allow connections from a web server. Many
 ; BSD-derived systems allow connections regardless of permissions. 
 ; Default Values: user and group are set as the running user
 ;                 mode is set to 0666
-; chris
-listen.owner = www-data
-listen.group = www-data
-listen.mode = 0666
+;listen.owner = www-data
+;listen.group = www-data
+;listen.mode = 0666
  
 ; List of ipv4 addresses of FastCGI clients which are allowed to connect.
 ; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
@@ -55,16 +52,6 @@
 ; accepted from any ip address.
 ; Default Value: any
 ;listen.allowed_clients = 127.0.0.1
-; chris
-listen.allowed_clients = 127.0.0.1,81.95.52.111,penguin.transitionnetwork.org,penguin.webarch.net
-
-; Specify the nice(2) priority to apply to the pool processes (only if set)
-; The value can vary from -19 (highest priority) to 20 (lower priority)
-; Note: - It will only work if the FPM master process is launched as root
-;       - The pool processes will inherit the master process priority
-;         unless it specified otherwise
-; Default Value: no set
-; priority = -19
 
 ; Choose how the process manager will control the number of child processes.
 ; Possible Values:
@@ -101,8 +88,7 @@
 ; forget to tweak pm.* to fit your needs.
 ; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
 ; Note: This value is mandatory.
-; chris increased from 6 to 24
-pm.max_children = 24
+pm.max_children = 5
 
 ; The number of child processes created on startup.
 ; Note: Used only when pm is set to 'dynamic'
@@ -112,7 +98,7 @@
 ; The desired minimum number of idle server processes.
 ; Note: Used only when pm is set to 'dynamic'
 ; Note: Mandatory when pm is set to 'dynamic'
-pm.min_spare_servers = 2
+pm.min_spare_servers = 1
 
 ; The desired maximum number of idle server processes.
 ; Note: Used only when pm is set to 'dynamic'
@@ -227,8 +213,7 @@
 ;       anything, but it may not be a good idea to use the .php extension or it
 ;       may conflict with a real PHP file.
 ; Default Value: not set 
-; chris
-pm.status_path = /status
+;pm.status_path = /status
  
 ; The ping URI to call the monitoring page of FPM. If this value is not set, no
 ; URI will be recognized as a ping page. This could be used to test from outside

The above changes to /etc/php5/fpm/pool.d/www.conf look fine, but the change of the socket:

-listen = /var/run/php5-fpm/phpfpm.sock
+listen = /var/run/php5-fpm.sock

Will need these files editing in /etc/nginx

grep -rl phpfpm.sock .
./stats-shared
./sites-available/penguin
./sites-available/wiki.bak
./sites-available/wiki
./archive-shared

vim ./stats-shared ./sites-available/penguin ./sites-available/wiki.bak ./sites-available/wiki ./archive-shared
:1,$s;php5-fpm/phpfpm.sock;php5-fpm.sock;gc

Configuration file `/etc/php5/fpm/pool.d/www.conf'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : start a shell to examine the situation
 The default action is to keep your current version.
*** www.conf (Y/I/N/O/D/Z) [default=N] ? Y
Installing new version of config file /etc/php5/fpm/pool.d/www.conf ...

 
                                                                                                                                                                
 ┌──────────────────────────────────────────────────────────────┤ Modified configuration file ├──────────────────────────────────────────────────────────────┐  
 │                                                                                                                                                           │  
 │ Line by line differences between versions                                                                                                                    
 │                                                                                                                                                              
 │ --- /etc/php5/fpm/php.ini 2013-07-16 10:36:18.000000000 +0100                                                                                                
 │ +++ /usr/share/php5/php.ini-production 2013-10-03 10:36:21.000000000 +0100                                                                                   
 │ @@ -83,6 +83,8 @@                                                                                                                                            
 │  ; development version only in development environments as errors shown to                                                                                   
 │  ; application users can inadvertently leak otherwise secure information.                                                                                    
 │                                                                                                                                                              
 │ +; This is php.ini-production INI file.                                                                                                                      
 │ +                                                                                                                                                            
 │  ;;;;;;;;;;;;;;;;;;;                                                                                                                                         
 │  ; Quick Reference ;                                                                                                                                         
 │  ;;;;;;;;;;;;;;;;;;;                                                                                                                                         
 │ @@ -91,11 +93,6 @@                                                                                                                                           
 │  ; Please see the actual settings later in the document for more details as to why                                                                           
 │  ; we recommend these changes in PHP's behavior.                                                                                                             
 │                                                                                                                                                              
 │ -; allow_call_time_pass_reference                                                                                                                            
 │ -; Default Value: On                                                                                                                                         
 │ -; Development Value: Off                                                                                                                                    
 │ -; Production Value: Off                                                                                                                                     
 │ -                                                                                                                                                            
 │  ; display_errors                                                                                                                                            
 │  ; Default Value: On                                                                                                                                         
 │  ; Development Value: On                                                                                                                                     
 │ @@ -107,25 +104,20 @@                                                                                                                                        
 │  ; Production Value: Off                                                                                                                                     
 │                                                                                                                                                              
 │  ; error_reporting                                                                                                                                           
 │ -; Default Value: E_ALL & ~E_NOTICE                                                                                                                          
 │ -; Development Value: E_ALL | E_STRICT                                                                                                                       
 │ -; Production Value: E_ALL & ~E_DEPRECATED                                                                                                                   
 │ +; Default Value: E_ALL & ~E_NOTICE & ~E_STRICT & ~E_DEPRECATED                                                                                              
 │ +; Development Value: E_ALL                                                                                                                                  
 │ +; Production Value: E_ALL & ~E_DEPRECATED & ~E_STRICT                                                                                                       
 │                                                                                                                                                              
 │  ; html_errors                                                                                                                                               
 │  ; Default Value: On                                                                                                                                         
 │  ; Development Value: On                                                                                                                                     
 │ -; Production value: Off                                                                                                                                     
 │ +; Production value: On                                                                                                                                      
 │                                                                                                                                                              
 │  ; log_errors                                                                                                                                                
 │  ; Default Value: Off                                                                                                                                        
 │  ; Development Value: On                                                                                                                                     
 │  ; Production Value: On                                                                                                                                      
 │                                                                                                                                                              
 │ -; magic_quotes_gpc                                                                                                                                          
 │ -; Default Value: On                                                                                                                                         
 │ -; Development Value: Off                                                                                                                                    
 │ -; Production Value: Off                                                                                                                                     
 │ -                                                                                                                                                            
 │  ; max_input_time                                                                                                                                            
 │  ; Default Value: -1 (Unlimited)                                                                                                                             
 │  ; Development Value: 60 (60 seconds)                                                                                                                        
 │ @@ -141,11 +133,6 @@                                                                                                                                         
 │  ; Development Value: Off                                                                                                                                    
 │  ; Production Value: Off                                                                                                                                     
 │                                                                                                                                                              
 │ -; register_long_arrays                                                                                                                                      
 │ -; Default Value: On                                                                                                                                         
 │ -; Development Value: Off                                                                                                                                    
 │ -; Production Value: Off                                                                                                                                     
 │ -                                                                                                                                                            
 │  ; request_order                                                                                                                                             
 │  ; Default Value: None                                                                                                                                       
 │  ; Development Value: "GP"                                                                                                                                   
 │ @@ -223,7 +210,7 @@                                                                                                                                          
 │  ; Development Value: Off                                                                                                                                    
 │  ; Production Value: Off                                                                                                                                     
 │  ; http://php.net/short-open-tag                                                                                                                             
 │ -short_open_tag = Off                                                                                                                                        
 │ +short_open_tag = On                                                                                                                                         
 │                                                                                                                                                              
 │  ; Allow ASP-style <% %> tags.                                                                                                                               
 │  ; http://php.net/asp-tags                                                                                                                                   
 │ @@ -233,10 +220,6 @@                                                                                                                                         
 │  ; http://php.net/precision                                                                                                                                  
 │  precision = 14                                                                                                                                              
 │                                                                                                                                                              
 │                                                                          <Ok>                                                                                
 │                                                                                                                                                           │  
 └───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘  
                                                                                                                                                                

 install the package maintainer's version

        
                                                                                                                                                                
          ┌─────────────────────────────────────────────────────┤ Modified configuration file ├─────────────────────────────────────────────────────┐           
          │ A new version of configuration file /etc/php5/cli/php.ini is available, but the version installed currently has been locally modified.  │           
          │                                                                                                                                         │           
          │ What do you want to do about modified configuration file php.ini?                                                                       │           
          │                                                                                                                                         │           
          │                                           install the package maintainer's version                                                      │           
          │                                           keep the local version currently installed                                                    │           
          │                                           show the differences between the versions                                                     │           
          │                                           show a side-by-side difference between the versions                                           │           
          │                                           start a new shell to examine the situation                                                    │           
          │                                                                                                                                         │           
          │                                                                                                                                         │           
          │                                                                 <Ok>                                                                    │           
          │                                                                                                                                         │           
          └─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘           
                                                                                                                                                         

                        
                                                                                                                                                                
                          ┌─────────────────────────────────────┤ Modified configuration file ├─────────────────────────────────────┐                           
                          │                                                                                                         │                           
                          │ Line by line differences between versions                                                                                           
                          │                                                                                                                                     
                          │ --- /etc/php5/cli/php.ini 2013-01-30 22:21:00.000000000 +0000                                                                       
                          │ +++ /usr/share/php5/php.ini-production.cli 2013-10-03 10:36:21.000000000 +0100                                                      
                          │ @@ -83,6 +83,8 @@                                                                                                                   
                          │  ; development version only in development environments as errors shown to                                                          
                          │  ; application users can inadvertently leak otherwise secure information.                                                           
                          │                                                                                                                                     
                          │ +; This is php.ini-production INI file.                                                                                             
                          │ +                                                                                                                                   
                          │  ;;;;;;;;;;;;;;;;;;;                                                                                                                
                          │  ; Quick Reference ;                                                                                                                
                          │  ;;;;;;;;;;;;;;;;;;;                                                                                                                
                          │ @@ -91,11 +93,6 @@                                                                                                                  
                          │  ; Please see the actual settings later in the document for more details as to why                                                  
                          │  ; we recommend these changes in PHP's behavior.                                                                                    
                          │                                                                                                                                     
                          │ -; allow_call_time_pass_reference                                                                                                   
                          │ -; Default Value: On                                                                                                                
                          │ -; Development Value: Off                                                                                                           
                          │ -; Production Value: Off                                                                                                            
                          │ -                                                                                                                                   
                          │  ; display_errors                                                                                                                   
                          │  ; Default Value: On                                                                                                                
                          │  ; Development Value: On                                                                                                            
                          │ @@ -107,25 +104,20 @@                                                                                                               
                          │  ; Production Value: Off                                                                                                            
                          │                                                                                                                                     
                          │  ; error_reporting                                                                                                                  
                          │ -; Default Value: E_ALL & ~E_NOTICE                                                                                                 
                          │ -; Development Value: E_ALL | E_STRICT                                                                                              
                          │ -; Production Value: E_ALL & ~E_DEPRECATED                                                                                          
                          │ +; Default Value: E_ALL & ~E_NOTICE & ~E_STRICT & ~E_DEPRECATED                                                                     
                          │ +; Development Value: E_ALL                                                                                                         
                          │ +; Production Value: E_ALL & ~E_DEPRECATED & ~E_STRICT                                                                              
                          │                                                                                                                                     
                          │  ; html_errors                                                                                                                      
                          │  ; Default Value: On                                                                                                                
                          │  ; Development Value: On                                                                                                            
                          │ -; Production value: Off                                                                                                            
                          │ +; Production value: On                                                                                                             
                          │                                                                                                                                     
                          │  ; log_errors                                                                                                                       
                          │  ; Default Value: Off                                                                                                               
                          │  ; Development Value: On                                                                                                            
                          │  ; Production Value: On                                                                                                             
                          │                                                                                                                                     
                          │ -; magic_quotes_gpc                                                                                                                 
                          │ -; Default Value: On                                                                                                                
                          │ -; Development Value: Off                                                                                                           
                          │ -; Production Value: Off                                                                                                            
                          │ -                                                                                                                                   
                          │  ; max_input_time                                                                                                                   
                          │  ; Default Value: -1 (Unlimited)                                                                                                    
                          │  ; Development Value: 60 (60 seconds)                                                                                               
                          │ @@ -141,11 +133,6 @@                                                                                                                
                          │  ; Development Value: Off                                                                                                           
                          │  ; Production Value: Off                                                                                                            
                          │                                                                                                                                     
                          │ -; register_long_arrays                                                                                                             
                          │ -; Default Value: On                                                                                                                
                          │ -; Development Value: Off                                                                                                           
                          │ -; Production Value: Off                                                                                                            
                          │ -                                                                                                                                   
                          │  ; request_order                                                                                                                    
                          │  ; Default Value: None                                                                                                              
                          │  ; Development Value: "GP"                                                                                                          
                          │ @@ -223,7 +210,7 @@                                                                                                                 
                          │  ; Development Value: Off                                                                                                           
                          │  ; Production Value: Off                                                                                                            
                          │  ; http://php.net/short-open-tag                                                                                                    
                          │ -short_open_tag = Off                                                                                                               
                          │ +short_open_tag = On                                                                                                                
                          │                                                                                                                                     
                          │  ; Allow ASP-style <% %> tags.                                                                                                      
                          │  ; http://php.net/asp-tags                                                                                                          
                          │ @@ -233,10 +220,6 @@                                                                                                                
                          │  ; http://php.net/precision                                                                                                         
                          │  precision = 14                                                                                                                     
                          │                                                                                                                                     
                          │                                                 <Ok>                                                                                
                          │                                                                                                         │                           
                          └─────────────────────────────────────────────────────────────────────────────────────────────────────────┘                           
                                                                                                                                                                
                                                                                                                                               

 install the package maintainer's version 



Configuration file `/etc/denyhosts.conf'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : start a shell to examine the situation
 The default action is to keep your current version.
*** denyhosts.conf (Y/I/N/O/D/Z) [default=N] ? N

Installing new version of config file /etc/init.d/fetchmail ...
Installing new version of config file /etc/resolvconf/update-libc.d/fetchmail ...
[warn] Not starting fetchmail daemon, disabled via /etc/default/fetchmail ... (warning).

Then Nginx was restarted due to the socket location change.

Things that are not working:

• ​https://patterns.transitionresearchnetwork.org/ 500 Error
• ​https://wiki.transitionnetwork.org/ Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2) (localhost))
• ​https://stats.transitionnetwork.org/ SQLSTATE[HY000] [2003] Can't connect to MySQL server on '127.0.0.1' (111)

So, MySQL is the issue.

It's not running and won't start:

ps -lA | grep mysql
/etc/init.d/mysql start
ps -lA | grep mysql

It looks like it isn't installed:

search mysql | grep ^i
i A libdbd-mysql-perl               - Perl5 database interface to the MySQL data
i   libmysql-ruby                   - Transitional package for ruby-mysql       
id  libmysql-ruby1.8                - Transitional package for ruby-mysql       
i   libmysqlclient-dev              - MySQL database development files          
id  libmysqlclient16                - MySQL database client library             
i A libmysqlclient18                - MySQL database client library             
i A mysql-common                    - MySQL database common files, e.g. /etc/mys
i   php5-mysql                      - MySQL module for php5                     
i   ruby-mysql                      - MySQL module for Ruby               


 aptitude search mysql-server
p   mysql-server                                               - MySQL database server (metapackage depending on the latest version)  
v   mysql-server-5.0                                           -                                                                      
c   mysql-server-5.1                                           - MySQL database server binaries and system database setup             
p   mysql-server-5.5                                           - MySQL database server binaries and system database setup             
v   mysql-server-core                                          -                                                                      
p   mysql-server-core-5.5                                      - MySQL database server binaries                                       
v   virtual-mysql-server                                       -               

So:

 aptitude install mysql-server-5.5
The following NEW packages will be installed:
  libaio1{a} mysql-client-5.5{a} mysql-server-5.5 mysql-server-core-5.5{a} 
The following packages will be REMOVED:
  gir1.2-rsvg-2.0{u} libbz2-dev{u} libcgraph5{u} libexif-dev{u} libexif12{u} libgraphviz-dev{u} libgvpr1{u} libilmbase-dev{u} 
  libjasper-dev{u} libjbig-dev{u} liblcms1-dev{u} liblqr-1-0-dev{u} libopenexr-dev{u} librsvg2-dev{u} libtiffxx0c2{u} 
  libwmf-dev{u} libxml2-dev{u} libxt-dev{u} 
0 packages upgraded, 4 newly installed, 18 to remove and 0 not upgraded.
Need to get 7616 kB of archives. After unpacking 74.8 MB will be used.
Do you want to continue? [Y/n/?] Y

[ ok ] Stopping MySQL database server: mysqld.
131208 21:34:15 [ERROR] An old style --language value with language specific part detected: /usr/share/mysql/english/
131208 21:34:15 [ERROR] Use --lc-messages-dir without language specific part instead.
131208 21:34:16 [Note] Plugin 'FEDERATED' is disabled.
131208 21:34:16 InnoDB: The InnoDB memory heap is disabled
131208 21:34:16 InnoDB: Mutexes and rw_locks use GCC atomic builtins
131208 21:34:16 InnoDB: Compressed tables use zlib 1.2.7
131208 21:34:16 InnoDB: Using Linux native AIO
131208 21:34:16 InnoDB: Initializing buffer pool, size = 128.0M
131208 21:34:16 InnoDB: Completed initialization of buffer pool
131208 21:34:16 InnoDB: highest supported file format is Barracuda.
131208 21:34:16  InnoDB: Waiting for the background threads to start
131208 21:34:17 InnoDB: 5.5.31 started; log sequence number 226134601
131208 21:34:17  InnoDB: Starting shutdown...
131208 21:34:19  InnoDB: Shutdown completed; log sequence number 226134601
[ ok ] Starting MySQL database server: mysqld ..
[info] Checking for tables which need an upgrade, are corrupt or were 
not closed cleanly..

 ps -lA | grep mysql
4 S     0   601     1  0  80   0 -  1032 -      ?        00:00:00 mysqld_safe
4 S   104   979   601  5  80   0 - 246660 -     ?        00:00:00 mysqld

Now these three sites are working again:

• ​https://stats.transitionnetwork.org/
• ​https://wiki.transitionnetwork.org/
• ​https://patterns.transitionresearchnetwork.org/

Now to test if this comment will get submitted...

[chris]

Now to reboot it to test with the new kernel.

[chris]

Noted on the console:

[FAIL] Starting FastCGI wrapper: fcgiwrap failed!

But it seems OK:

/etc/init.d/fcgiwrap status
[ ok ] Checking status of FastCGI wrapper: fcgiwrap running.

However:

• ​https://penguin.transitionnetwork.org/munin/ 502 Bad Gateway

Also there was a 500 error for Trac:

tracd-start
Error writing to pid file: IOError: [Errno 2] No such file or directory: '/var/run/tracd/tracd.pid'

This was fixed thus:

mkdir /var/run/tracd ; chown tracd:tracd  /var/run/tracd

Fixing Munin is going to need checking everything against ticket:641

[chris]

These emails have been sent by penguin and need investigation:

From: root@penguin.webarch.net (Cron Daemon)                                                                                     
Date: Sun,  8 Dec 2013 21:41:08 +0000 (GMT)                                                                                      
To: root@penguin.webarch.net                                                                                                     
Subject: Cron <munin@penguin> if [ -x /usr/bin/munin-cron ]; then /usr/bin/munin-cron; fi                                        
                                                                                                                                 
Work timed out before all workers finished at /usr/share/perl5/Munin/Master/Update.pm line 162     

From: root@penguin.webarch.net (Cron Daemon)                                                                                     
Date: Sun,  8 Dec 2013 21:39:01 +0000 (GMT)                                                                                      
To: root@penguin.webarch.net                                                                                                     
Subject: Cron <root@penguin>   [ -x /usr/lib/php5/maxlifetime ] && [ -d /var/lib/php5 ] && find /var/lib/php5/ -depth -mindepth 1 -maxdepth 1 -type f -ignore_readdir_race -cmin +$(/usr/lib/php5/maxlifetime) ! -execdir fuser -s {} 2>/dev/null \; -delete      
                                                                                                                                 
PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/lib/php5/20100525/apc.so' - /usr/lib/php5/20100525/apc.so: cannot open shared object file: No such file or directory in Unknown on line 0                                                         
PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/lib/php5/20100525/gd.so' - /usr/lib/php5/20100525/gd.so: cannot  open shared object file: No such file or directory in Unknown on line 0  

From: root@penguin.webarch.net (Cron Daemon)                                                                                     
Date: Sun,  8 Dec 2013 21:00:03 +0000 (GMT)                                                                                      
To: root@penguin.webarch.net                                                                                                     
Subject: Cron <www-data@penguin> [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh                 
                                                                                                                                 
Error while processing /etc/awstats/awstats.www.transitionnetwork.org.conf                                                       
Create/Update database for config "/etc/awstats/awstats.www.transitionnetwork.org.conf" by AWStats version 7.0 (build 1.971)     
From data in log file "/usr/share/awstats/tools/logresolvemerge.pl /home/puffin/nginx/puffin-nginx-20131207.log   /home/puffin/nginx/puffin-nginx-20131208.log |"...                                                                              
Error: Couldn't open log file "/home/puffin/nginx/puffin-nginx-20131207.log" : Permission denied.                 
Phase 1 : First bypass old records, searching new record...                                                       
Searching new records from beginning of log file...                                                               
Error: Command for pipe '/usr/share/awstats/tools/logresolvemerge.pl /home/puffin/nginx/puffin-nginx-20131207.log /home/puffin/nginx/puffin-nginx-20131208.log |' failed                                                                          
Setup ('/etc/awstats/awstats.www.transitionnetwork.org.conf' file, web server or permissions) may be wrong.                      
Check config file, permissions and AWStats documentation (in 'docs' directory).                                                  
Error while processing /etc/awstats/awstats.conf                                                                                 
Error: SiteDomain parameter not defined in your config/domain file. You must edit it for using this version of AWStats.          
Setup ('/etc/awstats/awstats.conf' file, web server or permissions) may be wrong.                                                
Check config file, permissions and AWStats documentation (in 'docs' directory).          

From: root@penguin.webarch.net (Cron Daemon)                                                                                     
Date: Sun,  8 Dec 2013 21:05:09 +0000 (GMT)                                                                                      
To: root@penguin.webarch.net                                                                                                     
Subject: Cron <root@penguin> if [ -x /etc/munin/plugins/apt_all ]; then /etc/munin/plugins/apt_all update 7200 12 >/dev/null; elif [ -x /etc/munin/plugins/apt ]; then /etc/munin/plugins/apt update 7200 12 >/dev/null; fi                                   
                                                                                                                                 
E: The value 'testing' is invalid for APT::Default-Release as such a release is not available in the sources                     
E: The value 'unstable' is invalid for APT::Default-Release as such a release is not available in the sources                    
E: Could not get lock /var/lib/dpkg/lock - open (11: Resource temporarily unavailable)                                           
E: Unable to lock the administration directory (/var/lib/dpkg/), is another process using it?  

Also the Javascript for adding times to trac tickets has gone.

[chris]

Fixing the timing plugin, the install notes are here wiki:TimingAndEstimationPlugin

We are now running Powered by Trac 0.12.5, so:

sudo -i
cd /usr/local/src
svn co http://trac-hacks.org/svn/timingandestimationplugin/branches/trac0.12
cd trac0.12
python setup.py bdist_egg
python: can't open file 'setup.py': [Errno 2] No such file or directory

So, RTFM and, following ​https://pypi.python.org/pypi/setuptools#unix-based-systems-including-mac-os-x

wget https://bitbucket.org/pypa/setuptools/raw/bootstrap/ez_setup.py -O - | python
python setup.py bdist_egg
cp dist/timingandestimationplugin-1.3.7-py2.7.egg /web/tech.transitionnetwork.org/trac/plugins/
trac-admin /web/tech.transitionnetwork.org/trac upgrade
Timing and Estimation needs an upgrade
Upgrading Database
Upgrading reports
Done Upgrading
Upgrade done.

You may want to upgrade the Trac documentation now by running:

  trac-admin /web/tech.transitionnetwork.org/trac wiki upgrade

trac-admin /web/tech.transitionnetwork.org/trac wiki upgrade

[chris]

Then Trac was restarted:

su-trac
tracd-stop
tracd-start

And we have the timer back!

[chris]

A link back here was added to wiki:TimingAndEstimationPlugin#Wheezyupgrade

Fixing Munin, referencing ticket:641

In the Nginx logs we have:

2013/12/08 22:32:26 [crit] 2487#0: *937 connect() to unix:/var/run/munin/fastcgi-munin-html.sock failed (2: No such file or directory) while connecting to upstream, client: 81.95.52.29, server: penguin.transitionnetwork.org, request: "GET /munin/ HTTP/1.1", upstream: "fastcgi://unix:/var/run/munin/fastcgi-munin-html.sock:", host: "penguin.transitionnetwork.org"

The socket doesn't exist:

ls -lah /var/run/munin/fastcgi-munin-html.sock 
ls: cannot access /var/run/munin/fastcgi-munin-html.sock: No such file or directory

Fast-cgi is installed:

 aptitude search fcgi | grep ^i
i   fcgiwrap                        - simple server to run CGI applications over
i   libfcgi-perl                    - helper module for FastCGI                 
i A libfcgi0ldbl                    - Shared library of FastCGI                 
i A spawn-fcgi                      - A fastcgi process spawner    

It turned out that the munin-fastcgi daemon needed restarting:

/etc/init.d/munin-fastcgi restart
Restarting Munin FCGI for Graph an HTML: 
cat: /var/run/munin/fastcgi-munin-graph.pid: No such file or directory
/etc/init.d/munin-fastcgi: 49: kill: Usage: kill [-s sigspec | -signum | -sigspec] [pid | job]... or
kill -l [exitstatus]
Graph not running
cat: /var/run/munin/fastcgi-munin-html.pid: No such file or directory
/etc/init.d/munin-fastcgi: 50: kill: Usage: kill [-s sigspec | -signum | -sigspec] [pid | job]... or
kill -l [exitstatus]
HTML Not running
spawn-fcgi: child spawned successfully: PID: 10165
spawn-fcgi: child spawned successfully: PID: 10176

And now we have munin graphs again:

• ​https://penguin.transitionnetwork.org/munin/transitionnetwork.org/penguin.transitionnetwork.org/

But two graphs are not working:

• ​https://penguin.transitionnetwork.org/munin/transitionnetwork.org/penguin.transitionnetwork.org/phpfpm_connections.html
• ​https://penguin.transitionnetwork.org/munin/transitionnetwork.org/penguin.transitionnetwork.org/phpfpm_status.html

munin-run phpfpm_status 
idle.value U
active.value U
total.value U

munin-run phpfpm_connections 
accepted.value U

This is working:

• ​http://penguin.transitionnetwork.org/nginx_status

But these are 404's:

• ​http://penguin.transitionnetwork.org/status
• ​http://penguin.transitionnetwork.org/ping

These things were edited in /etc/php5/fpm/pool.d/www.conf:

;pm.status_path = /status
pm.status_path = /status

;ping.path = /ping
ping.path = /ping

And php-fpm was restarted:

/etc/init.d/php5-fpm restart

And now the plugins work:

munin-run phpfpm_status 
idle.value 1
active.value 1
total.value 2

munin-run phpfpm_connections 
accepted.value 8

[chris]

Regarding this error:

PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/lib/php5/20100525/apc.so' - /usr/lib/php5/20100525/apc.so: cannot open shared object file: No such file or directory in Unknown on line 0                         

APC isn't installed:

aptitude search apc | grep ^i

Installing it again:

aptitude install php-apc
logchange "php-apc : installed"
aptitude search apc | grep ^i
i   php-apc                         - APC (Alternative PHP Cache) module for PHP

But we still have a 404 here:

http://penguin.transitionnetwork.org/apc_info.php

This is because the file is actually here:

* https://penguin.transitionnetwork.org/info/apc_info.php

However it generates this in the logs:

==> /var/log/nginx/penguin.ssl_access.log <==
XX.XX.XX.XX - - [08/Dec/2013:23:12:17 +0000] "GET /info/apc_info.php HTTP/1.1" 304 0 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:25.0) Gecko/20100101 Firefox/25.0"

And the php is served as HTML:

<?php
/**
 * TODO: File header.
 * TODO: Code comments.
 */

if(function_exists("apc_cache_info") && function_exists("apc_sma_info")) {

  $time = time();

  $mem = apc_sma_info();
  $mem_size = $mem['num_seg']*$mem['seg_size'];
  $mem_avail= $mem['avail_mem'];
  $mem_used = $mem_size-$mem_avail;

  // Some code taken from the file apc.php by The PHP Group.
  $nseg = $freeseg = $fragsize = $freetotal = 0;
  for($i=0; $i<$mem['num_seg']; $i++) {
    $ptr = 0;
    foreach($mem['block_lists'][$i] as $block) {
      if ($block['offset'] != $ptr) {
        ++$nseg;
      }
      $ptr = $block['offset'] + $block['size'];
      // Only consider blocks <5M for the fragmentation %
      if($block['size']<(5*1024*1024)) $fragsize+=$block['size'];
      $freetotal+=$block['size'];
    }
    $freeseg += count($mem['block_lists'][$i]);
  }

  if ($freeseg < 2) {
    $fragsize = 0;
    $freeseg = 0;
  }

  $cache_mode = 'opmode';
  $cache=@apc_cache_info($cache_mode);

  // Item hits, misses and inserts
  $hits = $cache['num_hits'];
  $misses = $cache['num_misses'];
  $inserts = $cache['num_inserts'];

  //
  $req_rate = ($cache['num_hits']+$cache['num_misses'])/($time-$cache['start_time']);
  $hit_rate = ($cache['num_hits'])/($time-$cache['start_time']); // Number of entries in cache $number_entries = $cache['num_entries'];
  $miss_rate = ($cache['num_misses'])/($time-$cache['start_time']); // Total number of cache purges $purges = $cache['expunges'];
  $insert_rate = ($cache['num_inserts'])/($time-$cache['start_time']);

  // Number of entries in cache
  $number_entries = $cache['num_entries'];

  // Total number of cache purges
  $purges = $cache['expunges'];

  //apc_clear_cache($cache_mode);

  $out = array(
    'size: ' . sprintf("%.2f", $mem_size),
    'used: ' . sprintf("%.2f", $mem_used),
    'free: ' . sprintf("%.2f", $mem_avail - $fragsize),
    'hits: ' . sprintf("%.2f", $hits * 100 / ($hits + $misses)),
    'misses: ' . sprintf("%.2f", $misses * 100 / ($hits + $misses)),
    'request_rate: ' . sprintf("%.2f", $req_rate),
    'hit_rate: ' . sprintf("%.2f", $hit_rate),
    'miss_rate: ' . sprintf("%.2f", $miss_rate),
    'insert_rate: ' . sprintf("%.2f", $insert_rate),
    'entries: ' . $number_entries,
    'inserts: ' . $inserts,
    'purges: ' . $purges,

  // TODO: Delete
	'purge_rate: ' . sprintf("%.2f", (100 - ($number_entries / $inserts) * 100)),
  // TODO: Delete
	'fragment_percentage: ' . sprintf("%.2f", ($fragsize/$mem_avail)*100),
	'fragmented: ' . sprintf("%.2f", $fragsize),
	'fragment_segments: ' . $freeseg,
  );
}
else {
  $out = array('APC-not-installed');
}
echo implode(' ', $out);

Following ​http://kevin.deldycke.com/2011/07/php-apc-debian-squeeze-munin-monitoring/ first get a new version and compare it with the existing one:

cd /usr/local/src
svn co http://munin-php-apc.googlecode.com/svn/trunk/php_apc/
diff php_apc/apc_info.php /web/penguin.transitionnetwork.org/www/info/apc_info.php

They are the same, this was edited in /etc/nginx/sites-available/penguin

        #location = /apc_info.php {
        location = /info/apc_info.php {

                #auth_basic_user_file /etc/phpmyadmin/htpasswd;
                auth_basic_user_file /web/tech.transitionnetwork.org/.htpasswd;

And now we have these working:

• ​https://penguin.transitionnetwork.org/info/apc.php
• ​https://penguin.transitionnetwork.org/info/apc_info.php
• ​https://penguin.transitionnetwork.org/info/php-info.php

Following ​http://kevin.deldycke.com/2011/07/php-apc-debian-squeeze-munin-monitoring/ to get the munin plugin working:

cd /usr/local/src/php_apc
cp php_apc_ /usr/share/munin/plugins/
cd /etc/munin/plugins/
ln -s /usr/share/munin/plugins/php_apc_ /etc/munin/plugins/php_apc_hit_miss
ln -s /usr/share/munin/plugins/php_apc_ /etc/munin/plugins/php_apc_purge
ln -s /usr/share/munin/plugins/php_apc_ /etc/munin/plugins/php_apc_fragmentation
ln -s /usr/share/munin/plugins/php_apc_ /etc/munin/plugins/php_apc_files
ln -s /usr/share/munin/plugins/php_apc_ /etc/munin/plugins/php_apc_rates

Then the following was added to /etc/munin/plugin-conf.d/munin-node:

[php_apc_*]
user root
env.url http://localhost/info/apc_info.php?auto

And the plugins were tested on the command line:

munin-run php_apc_files 
used.value 32484368.00
free.value 1069928.00
hits.value 89.55
misses.value 10.45
request_rate.value 3.65
hit_rate.value 3.27
miss_rate.value 0.38
insert_rate.value 0.38
entries.value 333
inserts.value 336
purges.value 0
purge_rate.value 0.89
fragmented.value 0.00
fragment_segments.value 0
fragment_percentage.value 0.00

munin-run php_apc_files 
munin-run php_apc_purge
munin-run php_apc_usage
munin-run php_apc_fragmentation
munin-run php_apc_rates       

They all produce the same output...

And we now have graphs here:

• ​https://penguin.transitionnetwork.org/munin/transitionnetwork.org/penguin.transitionnetwork.org/#php-apc

The other issues will have to wait till tomorrow, starting with:

PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/lib/php5/20100525/gd.so' - /usr/lib/php5/20100525/gd.so: cannot open shared object file: No such file or directory in Unknown on line 0   

[chris]

I was getting Munin alert emails from the php-apc plugins:

• ​https://penguin.transitionnetwork.org/munin/transitionnetwork.org/penguin.transitionnetwork.org/index.html#php-apc

So I have doubled the memory allocated by adding the following to /etc/php5/conf.d/apc.ini:

apc.shm_size="64"

[chris]

I have added a new documentation section on APC, wiki:PenguinServer#APCStatsandPHPinfo

Regarding these emails:

From: root@penguin.webarch.net (Cron Daemon)                                                                                                     
Date: Mon,  9 Dec 2013 09:40:02 +0000 (GMT)                                                                                                      
To: root@penguin.webarch.net                                                                                                                     
Subject: Cron <www-data@penguin> [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh                                 
                                                                                                                                                 
Error while processing /etc/awstats/awstats.www.transitionnetwork.org.conf                                                                       
Create/Update database for config "/etc/awstats/awstats.www.transitionnetwork.org.conf" by AWStats version 7.0 (build 1.971)                     
From data in log file "/usr/share/awstats/tools/logresolvemerge.pl /home/puffin/nginx/puffin-nginx-20131208.log /home/puffin/nginx/puffin-nginx-20131209.log |"...                                                                                              
Error: Couldn't open log file "/home/puffin/nginx/puffin-nginx-20131208.log" : Permission denied.                                                
Phase 1 : First bypass old records, searching new record...                                                                                      
Searching new records from beginning of log file...                                                                                              
Error: Command for pipe '/usr/share/awstats/tools/logresolvemerge.pl /home/puffin/nginx/puffin-nginx-20131208.log /home/puffin/nginx/puffin-nginx-20131209.log |' failed                                                                                          
Setup ('/etc/awstats/awstats.www.transitionnetwork.org.conf' file, web server or permissions) may be wrong.                                      
Check config file, permissions and AWStats documentation (in 'docs' directory).                                                                  
Error while processing /etc/awstats/awstats.conf                                                                                                 
Error: SiteDomain parameter not defined in your config/domain file. You must edit it for using this version of AWStats.                          
Setup ('/etc/awstats/awstats.conf' file, web server or permissions) may be wrong.                                                                
Check config file, permissions and AWStats documentation (in 'docs' directory).                

The install notes for the webstats are here wiki:WebServerLogs and we are not using AWStats, but it is still installed:

aptitude search awstats | grep ^i
i   awstats                         - powerful and featureful web server log ana

So it was removed:

aptitude remove awstats
logchange "awstats libnet-xwhois-perl{u} : removed"

Regarding these emails:

From: root@penguin.webarch.net (Cron Daemon)
Date: Mon,  9 Dec 2013 09:09:01 +0000 (GMT)
To: root@penguin.webarch.net                                     
Subject: Cron <root@penguin>   [ -x /usr/lib/php5/maxlifetime ] && [ -d /var/lib/php5 ] && find /var/lib/php5/ -depth -mindepth 1 -maxdepth 1 -type f -ignore_readdir_race -cmin +$(/usr/lib/php5/maxlifetime) ! -execdir fuser -s {} 2>/dev/null \; -delete
                                         
PHP Warning:  Module 'apc' already loaded in Unknown on line 0
PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/lib/php5/20100525/gd.so' - /usr/lib/php5/20100525/gd.so: cannot open shared object file: No such file or directory in Unknown on line 0

These errors, and more, can be duplicated on the command line:

php -i | grep php.ini
PHP Deprecated:  Comments starting with '#' are deprecated in /etc/php5/cli/conf.d/apc.ini on line 4 in Unknown on line 0
PHP Warning:  Module 'apc' already loaded in Unknown on line 0
PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/lib/php5/20100525/gd.so' - /usr/lib/php5/20100525/gd.so: cannot open shared object file: No such file or directory in Unknown on line 0
PHP Warning:  PHP Startup: apc.shm_size now uses M/G suffixes, please update your ini files in Unknown on line 0
Configuration File (php.ini) Path => /etc/php5/cli
Loaded Configuration File => /etc/php5/cli/php.ini

The /etc/php5/cli/conf.d/apc.ini files was edited:

apc.shm_size="64M"

gd isn't installed:

 aptitude search gd | grep php
c   php5-gd                         - GD module for php5                        
p   php5-gdcm                       - Grassroots DICOM PHP5 bindings            
p   php5-vtkgdcm                    - Grassroots DICOM VTK PHP bindings   

So:

aptitude install php5-gd
The following NEW packages will be installed:
  libgd2-xpm{ab} php5-gd 
0 packages upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 267 kB of archives. After unpacking 774 kB will be used.
The following packages have unmet dependencies:
 libgd2-xpm : Conflicts: libgd2 which is a virtual package.
              Conflicts: libgd2-noxpm but 2.0.36~rc1~dfsg-6.1 is installed.
 libgd2-noxpm : Conflicts: libgd2 which is a virtual package.
                Conflicts: libgd2-xpm but 2.0.36~rc1~dfsg-6.1 is to be installed.
The following actions will resolve these dependencies:

     Remove the following packages:
1)     libgd2-noxpm                



Accept this solution? [Y/n/q/?] y
The following NEW packages will be installed:
  libgd2-xpm{a} php5-gd 
The following packages will be REMOVED:
  libgd2-noxpm{a} 
0 packages upgraded, 2 newly installed, 1 to remove and 0 not upgraded.
Need to get 267 kB of archives. After unpacking 157 kB will be used.
Do you want to continue? [Y/n/?] y

This was documented and PHP processes restarted:

logchange "libgd2-noxpm : removed"
logchange "libgd2-xpm{ab} php5-gd : installed"
/etc/init.d/php5-fpm restart

We still have these issues:

php -i | grep php.ini
PHP Deprecated:  Comments starting with '#' are deprecated in /etc/php5/cli/conf.d/apc.ini on line 4 in Unknown on line 0
PHP Warning:  Module 'apc' already loaded in Unknown on line 0
Configuration File (php.ini) Path => /etc/php5/cli
Loaded Configuration File => /etc/php5/cli/php.ini

For the comment issue: s/#/;/.

These doesn't seem to be a duplication of apc:

cd /etc/php5
grep -r apc .
./conf.d/apc.ini:; configuration for php apc module
./conf.d/apc.ini:extension=apc.so
./conf.d/apc.ini:apc.shm_size="64M"
./mods-available/apc.ini:extension=apc.so

All the files in /etc/php5/conf.d/ are symlinks:

lrwxrwxrwx 1 root root   25 Dec  8 21:01 10-pdo.ini -> ../mods-available/pdo.ini
lrwxrwxrwx 1 root root   25 Dec  8 22:59 20-apc.ini -> ../mods-available/apc.ini
lrwxrwxrwx 1 root root   24 Dec  9 10:03 20-gd.ini -> ../mods-available/gd.ini
lrwxrwxrwx 1 root root   27 Dec  8 21:23 20-mysql.ini -> ../mods-available/mysql.ini
lrwxrwxrwx 1 root root   28 Dec  8 21:23 20-mysqli.ini -> ../mods-available/mysqli.ini
lrwxrwxrwx 1 root root   31 Dec  8 21:23 20-pdo_mysql.ini -> ../mods-available/pdo_mysql.ini
-rw-r--r-- 1 root root   80 Dec  9 10:05 apc.ini

So the content of /etc/php5conf.d/apc.ini was copied into /etc/php5/mods-available/apc.ini.

The APT issues we had on Parrot and Puffin was addressed as before, see ticket:535#comment:41

The /etc/munin/plugin-conf.d/munin-node file was edited to track python memory usage (Wagn):

[multips_memory]
env.names php5-fpm munin-node nginx mysqld tracd python

See ​https://penguin.transitionnetwork.org/munin/transitionnetwork.org/penguin.transitionnetwork.org/multips_memory.html

The Nginx SSL config from /var/aegir/config/server_master/nginx/pre.d/nginx_wild_ssl.conf on wiki:PuffinServer was copied to the files in /etc/nginx:

        ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:+RC4:RC4;
        ssl_prefer_server_ciphers    on;

The old config:

        ssl_protocols  SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers  RC4:HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers   on;

This was checked at ​https://www.ssllabs.com/ssltest/analyze.html?d=penguin.transitionnetwork.org&s=81.95.52.111

Which reports:

Certificate:          100%
Protocol Support:     85%
Key Exchange:         90%
Cipher Strength:      80%

This site supports only older protocol versions, but not the most recent and more secure TLS 1.2. 

TLS 1.2 	No	
TLS 1.1 	No
TLS 1.0 	Yes
SSL 3 	        Yes
SSL 2 	        No

Something isn't right here -- we should be using SSL 1.2, some more digging is needed.

[chris]

We have the old and new ssl installed:

 search ssl | grep ^i
i A libio-socket-ssl-perl           - Perl module implementing object oriented i
i A libnet-ssleay-perl              - Perl module for Secure Sockets Layer (SSL)
i   libssl0.9.8                     - SSL shared libraries                      
i A libssl1.0.0                     - SSL shared libraries                      
i A openssl                         - Secure Socket Layer (SSL) binary and relat
i A ssl-cert                        - simple debconf wrapper for OpenSSL        

So:

aptitude remove libssl0.9.8
The following packages will be REMOVED:  
  libssl0.9.8 
0 packages upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
Need to get 0 B of archives. After unpacking 2482 kB will be freed.
The following packages have unmet dependencies:
 libserf-0-0 : Depends: libssl0.9.8 (>= 0.9.8k-1) but it is not going to be installed.
 nginx-full : Depends: libssl0.9.8 (>= 0.9.8m-1) but it is not going to be installed.
The following actions will resolve these dependencies:

     Remove the following packages:              
1)     libserf-0-0                               
2)     nginx                                     
3)     nginx-full             

That's no good, so manually:

aptitude remove libserf-0-0 
logchange "libserf-0-0 : removed"

In terms of Nginx we have:

aptitude search nginx | grep ^i
i   nginx                           - small, powerful, scalable web/proxy server
i   nginx-common                    - small, powerful, scalable web/proxy server
i   nginx-full                      - nginx web/proxy server (standard version) 

nginx -v
nginx version: nginx/1.4.4

This isn't the Wheezy version, it must be the old backports one:

• ​http://packages.debian.org/source/wheezy/nginx Source Package: nginx (1.2.1-2.2+wheezy2)

We probably want the new Wheezy backports version:

• ​http://packages.debian.org/source/wheezy-backports/nginx nginx (1.4.4-1~bpo70+1)

So based on what we had before, ticket:535#comment:46 /etc/apt/preferences.d/backports.pref was created containing:

Package: nginx nginx-common nginx-full 
Pin: release o=backports
Pin-Priority: 990

And /etc/apt/sources.list.d/backports.list was created containing:

deb http://ftp.debian.org/debian/ wheezy-backports main

And:

aptitude install nginx="1.4.4-1~bpo70+1" nginx-common="1.4.4-1~bpo70+1" nginx-full="1.4.4-1~bpo70+1"
The following packages will be DOWNGRADED:
  nginx nginx-common nginx-full 
The following NEW packages will be installed:
  init-system-helpers{a} 
The following packages will be REMOVED:
  libossp-uuid16{u} 
0 packages upgraded, 1 newly installed, 3 downgraded, 1 to remove and 0 not upgraded.
Need to get 622 kB of archives. After unpacking 42.0 kB will be freed.
Do you want to continue? [Y/n/?] Y

Configuration file `/etc/nginx/nginx.conf'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : start a shell to examine the situation
 The default action is to keep your current version.
*** nginx.conf (Y/I/N/O/D/Z) [default=N] ? N

logchange "libossp-uuid16{u} : removed"
logchange "nginx nginx-common nginx-full : downgraded to wheezy backports versions"

And now we are using the latest Wheezy openssl, these results are from ​https://www.ssllabs.com/ssltest/analyze.html?d=penguin.transitionnetwork.org&s=81.95.52.111

Certificate:          100%
Protocol Support:     90%
Key Exchange:         80%
Cipher Strength:      90%

This server provides robust Forward Secrecy support. 

Protocols

TLS 1.2 	Yes	
TLS 1.1 	Yes
TLS 1.0 	Yes
SSL 3    	Yes
SSL 2 	        No

Cipher Suites (SSL 3+ suites in server-preferred order, then SSL 2 suites where used)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   ECDH 256 bits (eq. 3072 bits RSA)   FS		256	
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   ECDH 256 bits (eq. 3072 bits RSA)   FS		128	
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH 256 bits (eq. 3072 bits RSA)   FS		256	
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   ECDH 256 bits (eq. 3072 bits RSA)   FS		128	
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   ECDH 256 bits (eq. 3072 bits RSA)   FS		256	
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH 256 bits (eq. 3072 bits RSA)   FS		128	
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS		256	
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS		256	
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS		256	
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x88)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS		256	
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS		128	
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS		128	
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS		128	
TLS_DHE_RSA_WITH_SEED_CBC_SHA (0x9a)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS		128	
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x45)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS		128	
TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)   ECDH 256 bits (eq. 3072 bits RSA)   FS		128	
TLS_RSA_WITH_RC4_128_SHA (0x5) 	128

Handshake Simulation
Bing Oct 2013 	TLS 1.0 	TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   FS 	256
Chrome 31 / Win 7 	TLS 1.2 	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   FS 	128
Firefox 17.0.7 ESR / Win 7 	TLS 1.0 	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   FS 	256
Firefox 24 / Win 7 	TLS 1.0 	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   FS 	256
Googlebot Oct 2013 	TLS 1.0 	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   FS 	256
IE 6 / XP   No FS 1	  No SNI 2		SSL 3 	TLS_RSA_WITH_RC4_128_SHA (0x5)   No FS 	128
IE 7 / Vista 	TLS 1.0 	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   FS 	256
IE 8 / XP   No FS 1	  No SNI 2		TLS 1.0 	TLS_RSA_WITH_RC4_128_SHA (0x5)   No FS 	128
IE 8-10 / Win 7 	TLS 1.0 	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   FS 	256
IE 11 / Win 7 	TLS 1.2 	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   FS 	128
IE 11 / Win 8.1 	TLS 1.2 	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   FS 	128
Java 6u45   No SNI 2		TLS 1.0 	TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   FS 	128
Java 7u25 	TLS 1.0 	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   FS 	128
OpenSSL 0.9.8y 	TLS 1.0 	TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   FS 	256
OpenSSL 1.0.1e 	TLS 1.2 	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   FS 	256
Safari 5.1.9 / OS X 10.6.8 	TLS 1.0 	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   FS 	256
Safari 6 / iOS 6.0.1 	TLS 1.2 	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   FS 	256
Safari 6.0.4 / OS X 10.8.4 	TLS 1.0 	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   FS 	256
Safari 7 / OS X 10.9 	TLS 1.2 	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   FS 	256
Tor 17.0.9 / Win 7 	TLS 1.0 	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   FS 	256
Yahoo Slurp Oct 2013 	TLS 1.0 	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   FS 	256 

Basically everybody apart from XP users should now get PFS via HTTPS, this is for GCHQ and the NSA :-p.

[chris]

Oops forgot to uninstall the old openssl:

aptitude search ssl | grep ^i
i A libio-socket-ssl-perl           - Perl module implementing object oriented i
i A libnet-ssleay-perl              - Perl module for Secure Sockets Layer (SSL)
i   libssl0.9.8                     - SSL shared libraries                      
i A libssl1.0.0                     - SSL shared libraries                      
i A openssl                         - Secure Socket Layer (SSL) binary and relat
i A ssl-cert                        - simple debconf wrapper for OpenSSL        

aptitude remove libssl0.9.8  
The following packages will be REMOVED:  
  libssl0.9.8 
0 packages upgraded, 0 newly installed, 1 to remove and 0 not upgraded.

logchange "libssl0.9.8 : removed"

Checking the state of packages:

dpkg --audit
The following packages are missing the md5sums control file in the
database, they need to be reinstalled:
 git-core             fast, scalable, distributed revision control system (obso
 binutils             GNU assembler, linker and binary utilities

So:

aptitude reinstall git-core binutils 
logchange "git-core binutils : reinstalled"

There was also this issue on wiki:ParrotServer:

 dpkg --audit
The following packages are missing the md5sums control file in the
database, they need to be reinstalled:
 binutils             GNU assembler, linker and binary utilities

So:

aptitude reinstall binutils 
logchange "binutils : reinstalled"

[chris]

Sorting out APC on wiki:ParrotServer

aptitude install php-apc

The following was added to /etc/php5/mods-available/apc.ini:

apc.shm_size="64M"

Munin plugin:

cd /usr/local/src
svn co http://munin-php-apc.googlecode.com/svn/trunk/php_apc/
cd /usr/local/src/php_apc
cp php_apc_ /usr/share/munin/plugins/
cd /etc/munin/plugins/
ln -s /usr/share/munin/plugins/php_apc_ /etc/munin/plugins/php_apc_hit_miss
ln -s /usr/share/munin/plugins/php_apc_ /etc/munin/plugins/php_apc_purge
ln -s /usr/share/munin/plugins/php_apc_ /etc/munin/plugins/php_apc_fragmentation
ln -s /usr/share/munin/plugins/php_apc_ /etc/munin/plugins/php_apc_files
ln -s /usr/share/munin/plugins/php_apc_ /etc/munin/plugins/php_apc_rates
cd /usr/local/src/php_apc
cp apc_info.php /var/www/apc_info.php

This was added to the localhost apache config, /etc/apache2/conf.d/webarch.conf:

        <Location /apc_info.php>
                Order allow,deny
                Allow from 127.0.0.1 ::1
        </Location>

And the Munin plugins were tested:

munin-run php_apc_files 

The following was added to /etc/munin/plugin-conf.d/munin-node:

[php_apc_*]
user root
env.url http://localhost/info/apc_info.php?auto

Apache and munin-node were restarted and we now have some APC stats here:

• ​https://penguin.transitionnetwork.org/munin/transitionnetwork.org/parrot.transitionnetwork.org/index.html#php-apc

I think this ticket can now be closed!

[chris]

I have just rediscovered this page, created 8 months ago, wiki:SqueezeToWheezy yikes :-/

I'm slightly concerned that the MySQL upgrades for wiki:PenguinServer and wiki:ParrotServer were not followed up with a manual reimporting of the databases, but hopefully this won't cause any issues...

Checking the other things documented on that page, on wiki:PenguinServer:

dpkg -l | grep dotdeb
rc  php5-apc                                5.3.27-1~dotdeb.0            amd64        apc module for php5

This isn't an issue, the new version is installed and the above means that the package has been removed but config files remain.

aptitude search apc | grep ^i
i   php-apc                         - APC (Alternative PHP Cache) module for PHP

The only backports we are running is Nginx:

dpkg -l | grep bpo
ii  init-system-helpers                     1.11~bpo70.1                 all          helper tools for all init systems
ii  libpopt0:amd64                          1.16-7                       amd64        lib for parsing cmdline parameters
ii  nginx                                   1.4.4-1~bpo70+1              all          small, powerful, scalable web/proxy server
ii  nginx-common                            1.4.4-1~bpo70+1              all          small, powerful, scalable web/proxy server - common files
ii  nginx-full                              1.4.4-1~bpo70+1              amd64        nginx web/proxy server (standard version)

[chris]

I have just installed the apc.php app for checking apc status on parrot:

• ​https://parrot.webarch.net/apc.php

And doubled the RAM to 128MB based on the Munin stats at ​https://penguin.transitionnetwork.org/munin/transitionnetwork.org/parrot.transitionnetwork.org/index.html#php-apc

cp /usr/share/doc/php-apc/apc.php /var/www/

These files were then edited:

• /etc/apache2/conf.d/webarch.conf
• /var/www/apc.php

Access is limited by IP address but HTAuth could be added if anyone else needs access.