Ticket #847 (new maintenance)

Opened 19 months ago

Last modified 6 months ago

Upgrade Servers to Debian Jessie

Reported by: chris Owned by: chris
Priority: major Milestone: Maintenance
Component: Live server Keywords:
Cc: ade, paul, annesley, sam Estimated Number of Hours: 0.0
Add Hours to Ticket: 0 Billable?: yes
Total Hours: 0.9

Description

The latest version of Debian, Jessie, 8.0, came out over the weekend, we should consider upgrading the three servers, PuffinServer, PenguinServer and ParrotServer and what issues would arrise when we do.

See the documentation on Upgrades from Debian 7 (wheezy) and Issues to be aware of for jessie, specifically:

Change History

comment:1 follow-ups: ↓ 2 ↓ 3 Changed 19 months ago by ade

Hi Chris,
Have had a quick chat internally, and the initial thoughts are do we need
to?
Unless there is a security implication, then the amount of time we are
looking at to upgrade could well need to be replicated come October once we
have a new framework in place.

Can you foresee any issues that may arise by not doing the upgrade..?
Are there any issues that may arise by doing the upgrade?
You have put the Estimated Number of Hours down as 0hrs. Is this correct?
What will be the impact on the live servers of doing this..for example site
down time?
We are in a shared environment, is there an impact on our VM if we do not
upgrade?

Many thanks
Ade

On 27 April 2015 at 10:30, Transition Technology Trac <
trac@tech.transitionnetwork.org> wrote:

> #847: Upgrade Servers to Debian Jessie
> -------------------------------------+-------------------------------------
>                  Reporter:  chris    |                Owner:  chris
>                      Type:           |               Status:  new
>   maintenance                        |            Milestone:  Maintenance
>                  Priority:  major    |             Keywords:
>                 Component:  Live     |  Add Hours to Ticket:  0
>   server                             |          Total Hours:  0
> Estimated Number of Hours:  0        |
>                 Billable?:  1        |
> -------------------------------------+-------------------------------------
>  The latest version of [https://www.debian.org/News/2015/20150426 Debian,
>  Jessie, 8.0], came out over the weekend, we should consider upgrading the
>  three servers, PuffinServer, PenguinServer and ParrotServer and what
>  issues would arrise when we do.
>
>  See the documentation on [https://www.debian.org/releases/jessie/amd64
>  /release-notes/ch-upgrading.en.html Upgrades from Debian 7 (wheezy)] and
>  [https://www.debian.org/releases/stable/amd64/release-notes/ch-
>  information.en.html Issues to be aware of for jessie], specifically:
>
>  * [https://www.debian.org/releases/stable/amd64/release-notes/ch-
>  information.en.html#libv8 Lack of security support for the ecosystem
>  around libv8 and Node.js]
>  * [https://www.debian.org/releases/stable/amd64/release-notes/ch-
>  information.en.html#apache-httpd-incomat Incompatible changes in Apache
>  HTTPD 2.4]
>  * [https://www.debian.org/releases/stable/amd64/release-notes/ch-
>  information.en.html#php-incompat PHP 5.6 upgrade has behavioral changes]
>
> --
> Ticket URL: <https://tech.transitionnetwork.org/trac/ticket/847>
> Transition Technology <https://tech.transitionnetwork.org/trac>
> Support and issues tracking for the Transition Network Web Project.
>



-- 
Ade Stuart
Web Manager - Transition network

07595 331877

The Transition Network is a registered charity
address: 43 Fore St, Totnes, Devon, TQ9 5HN, UK
website: www.transitionnetwork.org
TN company no: 6135675 TN charity no: 1128675

comment:2 in reply to: ↑ 1 Changed 19 months ago by chris

Replying to ade:

Have had a quick chat internally, and the initial thoughts are do we need
to?

Not yet, we have "a year or so":

At any given time, there is one stable release of Debian, which has the support of the Debian security team. When a new stable version is released, the security team will usually cover the previous version for a year or so, while they also cover the new/current version. Only stable is recommended for production use.

https://wiki.debian.org/DebianReleases

Unless there is a security implication, then the amount of time we are
looking at to upgrade could well need to be replicated come October once we
have a new framework in place.

I agree it doesn't make sense to upgrade PuffinServer if it is due to be replaced in October 2015. The other two servers however I expect will still be needed this time next year?

Can you foresee any issues that may arise by not doing the upgrade..?

No, but it should be done before security support for Wheezy ends.

Are there any issues that may arise by doing the upgrade?

Yes, things like some Apache config would need changing on ParrotServer.

You have put the Estimated Number of Hours down as 0hrs. Is this correct?

No, I haven't estimated the time it would take, last time, for all 3 servers, it took just under 18 hours, see ticket:535.

What will be the impact on the live servers of doing this..for example site
down time?

Minimal.

We are in a shared environment, is there an impact on our VM if we do not
upgrade?

No.

comment:3 in reply to: ↑ 1 Changed 19 months ago by chris

Replying to ade:

Unless there is a security implication, then the amount of time we are
looking at to upgrade could well need to be replicated come October once we
have a new framework in place.

18 months ago the time to upgrade from Drupal 6 to Drupal 7 or 8 was estimated to be 45 days (45 x 8 = 360 hours) and the new site was due to be launched in March 2014. Now the Research and Design for TNv3 ticket has 311 hours on it and I'm not sure if there is a beta version of the new site available (has it been agreed to use WordPress or Drupal or something else?) so although I can appreciate that the target is to replace the current Drupal 6 site by October 2015 I hope you can understand why I see the need to also consider how we can keep the existing site up and running just in case the timetable for the new site slips.

Last edited 19 months ago by chris (previous) (diff)

comment:4 Changed 17 months ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.1
  • Total Hours changed from 0.0 to 0.1

Piwik is discussing dropping support for PHP 5.4 in September 2015, PenguinServer is running PHP 5.4.41-0+deb7u1, if it was upgraded to Jessie it would have PHP 5.6.9-0+deb8u1:

PHP 5.4 gets security support only until 14 Sep 2015. Source: http://php.net/supported-versions.php PHP 5.5 goes into security support only tomorrow.

Dropping support for PHP 5.3 is planned for Piwik 3.0 and was announced here: http://piwik.org/blog/2014/10/announcing-piwik-will-end-php-5-3-support-six-months-may-2015/
refs #7323 Drop PHP 5.3 support, Require PHP 5.4

If we release Piwik 3.0 after September 2015 (what we will most likely do), it might be worth dropping support for PHP 5.4 as well.

https://github.com/piwik/piwik/issues/8156

comment:5 Changed 10 months ago by chris

The next Piwik upgrade will require that PenguinServer is updated from Wheezy to Jessie, see ticket:902#Warning

Last edited 10 months ago by chris (previous) (diff)

comment:6 Changed 7 months ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.15
  • Total Hours changed from 0.1 to 0.25

Debian Wheezy, which is running PuffinServer, PenguinServer and ParrotServer has been handed over to the LTS team today but this time, (as opposed to when Squeeze was handed over) we don't need to updates the /etc/apt/sources.list, see Using Debian Long Term Support (LTS).

comment:7 Changed 7 months ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.4
  • Total Hours changed from 0.25 to 0.65

The Wheezy LTS announcement:

As of 25 April, one year after the release of Debian 8, alias "Jessie",
and nearly three years after the release of Debian 7, alias "Wheezy",
regular security support for Wheezy comes to an end. The Debian Long
Term Support (LTS) Team will take over security support.

Information for users
=====================

Wheezy LTS will be supported from 26 April 2016 to 31 May 2018.

For Debian 7 Wheezy LTS there will be no requirement to add a separate
wheezy-lts suite to your sources.list any more and your current setup
will continue to work without further changes.

For how to use Debian Long Term Support please read

	https://wiki.debian.org/LTS/Using

Important information and changes regarding Wheezy LTS can be found at

	https://wiki.debian.org/LTS/Wheezy

Most notably OpenJDK 7 will be made the new Java default JRE/JDK on 26
June 2016 to ensure full security support until Wheezy LTS reaches its
end-of-life.

You should also subscribe to the announcement mailing list for
security updates for Wheezy LTS:

	https://lists.debian.org/debian-lts-announce/

A few packages are not covered by the Wheezy LTS support. These can be
detected by installing the debian-security-support package. If
debian-security-support detects an unsupported package which is critical
to you, please get in touch with debian-lts@lists.debian.org.

So debian-security-support was installed on all 3 servers and check-support-status was run, but it might not work on PuffinServer as this machine has been trashed by BOA, the install errors messages:

/usr/bin/check-support-status: 8: .: Can't open /usr/bin/gettext.sh

So trying to fix this...

chmod 755 /usr/bin/gettext.sh
aptitude remove debian-security-support ; aptitude install debian-security-support

Results in:

/usr/bin/check-support-status: 18: /usr/bin/check-support-status: basename: Permission denied

So trying to fix that:

chmod 755 /usr/bin/basename
aptitude remove debian-security-support ; aptitude install debian-security-support

Results in:

/usr/bin/check-support-status: 21: /usr/bin/check-support-status: getopt: Permission denied

So trying to fix that:

chmod 755 /usr/bin/getopt 
aptitude remove debian-security-support ; aptitude install debian-security-support

Results in:

/usr/bin/check-support-status: 115: /usr/bin/check-support-status: mktemp: Permission denied

Repeating the above for /bin/mktemp, /usr/bin/awk, /bin/rm, /usr/bin/sort, /bin/grep and /usr/bin/comm and it finally works... and there are currently no unsupported packages so all three servers can be kept ticking over, if needs be, until 31st May 2018.

comment:8 Changed 7 months ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.15
  • Total Hours changed from 0.65 to 0.8

The notes at PuffinServer#Puffin have been updated to reflect the status and plans for the server.

comment:9 Changed 6 months ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.1
  • Total Hours changed from 0.8 to 0.9

Another reason to upgrade / rebuild server servers using Jessie is that there is currently no security support for the packages from Backports, see this thread:

This doesn't affect PuffinServer or ParrotServer but on PenguinServer we have these packages for wiki:TransitionResearchWagn

aptitude search '~S ~i ~O"Debian Backports"'
i A libv8-3.14.5                                                              - V8 JavaScript engine - runtime library                                              
i A nodejs                                                                    - evented I/O for V8 javascript                                                       
i   nodejs-legacy                                                             - evented I/O for V8 javascript (legacy symlink)  
Note: See TracTickets for help on using tickets.