Subject: CAcert Code Development list.
List archive
- From: Jan Dittberner <jandd AT cacert.org>
- To: cacert AT lists.cacert.org
- Cc: cacert-sysadm AT lists.cacert.org, cacert-board AT lists.cacert.org, cacert-devel AT lists.cacert.org, cacert-support AT lists.cacert.org, Wytze van der Raay <wytze AT cacert.org>, infrastructure-admin AT cacert.org
- Subject: [Announcement] Infrastructure system upgrade finished successfully
- Date: Sat, 13 Jul 2019 19:04:38 +0200
Dear CAcert community,
Thanks to the help of Wytze van der Raay I could finish the upgrade of our
infrastructure host successfully. The system is now running on the Debian
Buster OS release that was released by the Debian project last weekend.
Timing & Issues
---------------
We started this morning at around 9:30 CEST and finished the upgrades at
16:30 CEST. I took care of some of our application containers afterwards.
The system is running smoothly now.
We had some issues that we could fix during the day:
- After the upgrade from Wheezy (Debian 7) to Jessie (Debian 8) the system
  did not boot properly because the logical volume manager was not fully
  initialized. We could fix this by adding a custom script to the initial RAM
  FS.
- Our ferm-based firewall setup had some issues with the boot order with the
  mix of systemd units and older sysv init scripts. This works fine since
  the last upgrade step to Buster (Debian 10).
- IPv6 routing on infra02 was broken because of incomplete/wrong IPv6 setup.
  Wytze provided the needed information and I fixed our setup.
- IPMI sensors had been disabled during the upgrade, but Wytze found the
  necessary information to get them running again and they can be read
  properly now.
What is new?
------------
The new OS release on infra02 provides some features that are important for
our infrastructure and will allow better operation of our applications in
the future:
- LXC has been upgraded from the somewhat primitive 0.8.0 pre-release to LXC
  3.0.3, which has a proper API, better security/isolation of containers and
  allows proper reboots from inside the containers, which will help
  application administrators.
- infra02 uses systemd, which besides a faster boot provides a more stable
  startup sequence and journald for logging. Containers can now use systemd
  as their init system too. I already removed the systemd-sysv blacklisting
  from all newer containers that are managed by Puppet.
- Firewalling/forwarding/NAT is handled by nftables now, which should be
  faster than the old iptables setup. We still use ferm as a wrapper but I
  am already considering switching to native nftables rules that will
  provide a similar but faster rule set.
I'm happy that we could finish this big upgrade and that we could implement
all these changes for you. Thanks again to Wytze for his great support
during the day.
I will upgrade the documentation of infra02 in the next hours/days.
If you find any issues that might be caused by the upgrade feel free to file
bugs on https://bugs.cacert.org/ (I created a project Infrastructure >
Infrastructue hosts).
Best regards
Jan Dittberner
--
Jan Dittberner - CAcert Infrastructure Team Lead
Software Architect, Debian Developer
GPG-key: 4096R/0xA73E0055558FB8DD 2009-05-10
B2FF 1D95 CE8F 7A22 DF4C F09B A73E 0055 558F B8DD
https://jan.dittberner.info/
Attachment:
smime.p7s
Description: S/MIME cryptographic signature