Ticket #847 (new maintenance)
Upgrade Servers to Debian Jessie
Reported by: | chris | Owned by: | chris |
---|---|---|---|
Priority: | major | Milestone: | Maintenance |
Component: | Live server | Keywords: | |
Cc: | ade, paul, annesley, sam | Estimated Number of Hours: | 0.0 |
Add Hours to Ticket: | 0 | Billable?: | yes |
Total Hours: | 0.9 |
Description
The latest version of Debian, Jessie, 8.0, came out over the weekend, we should consider upgrading the three servers, PuffinServer, PenguinServer and ParrotServer and what issues would arrise when we do.
See the documentation on Upgrades from Debian 7 (wheezy) and Issues to be aware of for jessie, specifically:
Change History
comment:2 in reply to: ↑ 1 Changed 19 months ago by chris
Replying to ade:
Have had a quick chat internally, and the initial thoughts are do we need
to?
Not yet, we have "a year or so":
At any given time, there is one stable release of Debian, which has the support of the Debian security team. When a new stable version is released, the security team will usually cover the previous version for a year or so, while they also cover the new/current version. Only stable is recommended for production use.
Unless there is a security implication, then the amount of time we are
looking at to upgrade could well need to be replicated come October once we
have a new framework in place.
I agree it doesn't make sense to upgrade PuffinServer if it is due to be replaced in October 2015. The other two servers however I expect will still be needed this time next year?
Can you foresee any issues that may arise by not doing the upgrade..?
No, but it should be done before security support for Wheezy ends.
Are there any issues that may arise by doing the upgrade?
Yes, things like some Apache config would need changing on ParrotServer.
You have put the Estimated Number of Hours down as 0hrs. Is this correct?
No, I haven't estimated the time it would take, last time, for all 3 servers, it took just under 18 hours, see ticket:535.
What will be the impact on the live servers of doing this..for example site
down time?
Minimal.
We are in a shared environment, is there an impact on our VM if we do not
upgrade?
No.
comment:3 in reply to: ↑ 1 Changed 19 months ago by chris
Replying to ade:
Unless there is a security implication, then the amount of time we are
looking at to upgrade could well need to be replicated come October once we
have a new framework in place.
18 months ago the time to upgrade from Drupal 6 to Drupal 7 or 8 was estimated to be 45 days (45 x 8 = 360 hours) and the new site was due to be launched in March 2014. Now the Research and Design for TNv3 ticket has 311 hours on it and I'm not sure if there is a beta version of the new site available (has it been agreed to use WordPress or Drupal or something else?) so although I can appreciate that the target is to replace the current Drupal 6 site by October 2015 I hope you can understand why I see the need to also consider how we can keep the existing site up and running just in case the timetable for the new site slips.
comment:4 Changed 17 months ago by chris
- Add Hours to Ticket changed from 0.0 to 0.1
- Total Hours changed from 0.0 to 0.1
Piwik is discussing dropping support for PHP 5.4 in September 2015, PenguinServer is running PHP 5.4.41-0+deb7u1, if it was upgraded to Jessie it would have PHP 5.6.9-0+deb8u1:
PHP 5.4 gets security support only until 14 Sep 2015. Source: http://php.net/supported-versions.php PHP 5.5 goes into security support only tomorrow.
Dropping support for PHP 5.3 is planned for Piwik 3.0 and was announced here: http://piwik.org/blog/2014/10/announcing-piwik-will-end-php-5-3-support-six-months-may-2015/
refs #7323 Drop PHP 5.3 support, Require PHP 5.4
If we release Piwik 3.0 after September 2015 (what we will most likely do), it might be worth dropping support for PHP 5.4 as well.
comment:5 Changed 10 months ago by chris
The next Piwik upgrade will require PenguinServer is updated from Wheezy to Jessie, see ticket:902#Warning
comment:6 Changed 7 months ago by chris
- Add Hours to Ticket changed from 0.0 to 0.15
- Total Hours changed from 0.1 to 0.25
Debian Wheezy, which is running PuffinServer, PenguinServer and ParrotServer has been handed over to the LTS team today but this time, (as opposed to when Squeeze was handed over) we don't need to updates the /etc/apt/sources.list, see Using Debian Long Term Support (LTS).
comment:7 Changed 7 months ago by chris
- Add Hours to Ticket changed from 0.0 to 0.4
- Total Hours changed from 0.25 to 0.65
As of 25 April, one year after the release of Debian 8, alias "Jessie", and nearly three years after the release of Debian 7, alias "Wheezy", regular security support for Wheezy comes to an end. The Debian Long Term Support (LTS) Team will take over security support. Information for users ===================== Wheezy LTS will be supported from 26 April 2016 to 31 May 2018. For Debian 7 Wheezy LTS there will be no requirement to add a separate wheezy-lts suite to your sources.list any more and your current setup will continue to work without further changes. For how to use Debian Long Term Support please read https://wiki.debian.org/LTS/Using Important information and changes regarding Wheezy LTS can be found at https://wiki.debian.org/LTS/Wheezy Most notably OpenJDK 7 will be made the new Java default JRE/JDK on 26 June 2016 to ensure full security support until Wheezy LTS reaches its end-of-life. You should also subscribe to the announcement mailing list for security updates for Wheezy LTS: https://lists.debian.org/debian-lts-announce/ A few packages are not covered by the Wheezy LTS support. These can be detected by installing the debian-security-support package. If debian-security-support detects an unsupported package which is critical to you, please get in touch with debian-lts@lists.debian.org.
So debian-security-support was installed on all 3 servers and check-support-status was run, but it might not work on PuffinServer as this machine has been trashed by BOA, the install errors messages:
/usr/bin/check-support-status: 8: .: Can't open /usr/bin/gettext.sh
So trying to fix this...
chmod 755 /usr/bin/gettext.sh aptitude remove debian-security-support ; aptitude install debian-security-support
Results in:
/usr/bin/check-support-status: 18: /usr/bin/check-support-status: basename: Permission denied
So trying to fix that:
chmod 755 /usr/bin/basename aptitude remove debian-security-support ; aptitude install debian-security-support
Results in:
/usr/bin/check-support-status: 21: /usr/bin/check-support-status: getopt: Permission denied
So trying to fix that:
chmod 755 /usr/bin/getopt aptitude remove debian-security-support ; aptitude install debian-security-support
Results in:
/usr/bin/check-support-status: 115: /usr/bin/check-support-status: mktemp: Permission denied
Repeating the above for /bin/mktemp, /usr/bin/awk, /bin/rm, /usr/bin/sort, /bin/grep and /usr/bin/comm and it finally works... and there are currently no unsupported packages so all three servers can be kept ticking over, if needs be, until 31st May 2018.
comment:8 Changed 7 months ago by chris
- Add Hours to Ticket changed from 0.0 to 0.15
- Total Hours changed from 0.65 to 0.8
The notes at PuffinServer#Puffin have been updated to reflect the status and plans for the server.
comment:9 Changed 6 months ago by chris
- Add Hours to Ticket changed from 0.0 to 0.1
- Total Hours changed from 0.8 to 0.9
Another reason to upgrade / rebuild server servers using Jessie is that there is currently no security support for the packages from Backports, see this thread:
This doesn't affect PuffinServer or ParrotServer but on PenguinServer we have these packages for wiki:TransitionResearchWagn
aptitude search '~S ~i ~O"Debian Backports"' i A libv8-3.14.5 - V8 JavaScript engine - runtime library i A nodejs - evented I/O for V8 javascript i nodejs-legacy - evented I/O for V8 javascript (legacy symlink)