Wheezy upgrades

Written late in the evening in English

Debian 7.0 “wheezy” was officially released about a week ago. I’ve been running it on a couple of systems for a few months already because of the more recent software versions available on it. Today I upgraded one of the shell servers, a couple of days ahead of the originally posted schedule due to security updates to MySQL (DSA-2667). As usual for Debian, the upgrade process is well documented and robust. However, here are some notes for upgrading the next instance.

MySQL

I’ve been running MySQL 5.5 from Dotdeb on squeeze. Running apt-get dist-upgrade reported a conflict when installing the mysql-client-5.5 package. On wheezy there is no mysql-client-core-5.5 package. I probably should have (read the release notes and) run:

dpkg -r --force-depends mysql-client-core-5.5

Instead I used apt-get remove to uninstall all the MySQL server and client packages, completed the upgrade, and re-installed MySQL. (Using remove preserves the databases.)

Since I didn’t have MySQL installed during the rest of the upgrade, I deferred upgrading the phpMyAdmin database as well. I actually then removed and re-installed the package, as dpkg-reconfigure phpmyadmin didn’t present me with the upgrade option.

Uncomplicated FireWall

I run ufw as a (typically simple) per-host firewall. I had modified /etc/ufw/before{,6}.rules to allow traffic for the default port range for mosh. These modifications can now be discarded in favor of:

ufw allow mosh

I also needed to add the IRC connection tracking modules:

sed -i -e '/^IPT_MODULES=/ s/"$/ nf_conntrack_irc nf_nat_irc"/' \
    /etc/default/ufw

FastCGI wrapper

Per-user instances of fcgiwrap had previously run into socket permission issues when using service fcgiwrap start to create them. I had addressed this by adding a FCGI_SOCKET_MODE setting for providing a value for the -M switch of spawn-fcgi. This change needed to be preserved.

It might be possible to use the new FCGI_SOCKET_OWNER and FCGI_SOCKET_GROUP settings instead (for the -U and -G options respectively), but I didn’t want to delay the upgrade.

MantisBT

MantisBT failed to install, because it wants to create a symlink in /etc/apache2/conf.d even when Apache is not installed. Creating the directory works around this:

mkdir -p /etc/apache2/conf.d

The captcha image for new signups is broken with PHP 5.4 (the default version in wheezy). Changed the second argument of the ImageJPEG() call from an empty string to NULL:

sed -i -e "/ImageJPEG/ s/, '', /, NULL, /" \
    /usr/share/mantis/www/make_captcha_img.php

No prepared configuration for nginx is provided — this is what I’m using now.

upstream www-php {
    server unix:/run/php5-fpm.sock;
}

server {
    listen *:80;
    listen [::]:80;
    server_name bugs.example.com bugs;
    root /usr/share/mantis/www;
    index index.php;

    location / {
        try_files $uri $uri/ =404;
    }

    location ^~ /admin {
        auth_basic "Mantis Admin";
        auth_basic_user_file /etc/mantis/htaccess.dat;

        allow 10.0.0.0/8;
        deny all;

        location ~ \.php$ {
            try_files $uri =404;
            include fastcgi_params;
            fastcgi_pass www-php;
        }
    }

    location ~ \.php$ {
        # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
        # http://wiki.nginx.org/Pitfalls#Passing_Uncontrolled_Requests_to_PHP
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_pass www-php;
    }

    location ~ /\.ht {
        deny all;
    }
}

Read the README.Debian.gz notes carefully before re-running the installation procedure to properly upgrade the database. The newer package is nice in that it provides password-protected access to the admin directory.

http://bugs.example.com/admin/install.php

Open Virtual Machine Tools

I don’t like some of the recommends in packages, so I’ve turned them off. However, this doesn’t play well with Open Virtual Machine Tools. I had to remove and re-install them:

apt-get remove open-vm-tools
apt-get install --install-recommends open-vm-tools

In particular this pulls in open-vm-dkms and its recommends and then successfully builds the kernel modules.

Other configuration files

I recommend using the diff option to review changes to configuration files during package upgrades. It makes it easier to pick an interim version until you can adjust it with an editor.

The suffix to the “other” file versions depends on the underlying tool used by each package. For a quick list of files to review use this:

find /etc -name '*.dpkg-*' -o -name '*.ucf-*'
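Going one step beyond the find command above, here is an added example (not part of the original post) that pairs each leftover file with the live file it belongs to and reports whether the two still differ, so that the files needing a real review stand out. The function names review_conffiles and show_conffile_diffs are made up for this example; the suffix patterns are the two used above.

```shell
#!/bin/sh
# Added example: classify config versions left behind by dpkg/ucf.

# review_conffiles DIR
# Prints one line per leftover file: STATUS<TAB>LIVE<TAB>LEFTOVER
#   differs   - live file and leftover have different content (review it)
#   identical - same content, the leftover can simply be deleted
#   orphan    - no live file exists next to the leftover
review_conffiles() {
    find "$1" -type f \( -name '*.dpkg-*' -o -name '*.ucf-*' \) | sort |
    while IFS= read -r leftover; do
        # Strip the tool suffix (.dpkg-old, .dpkg-dist, .ucf-dist, ...);
        # decide on the file name only, not on directory names.
        case "${leftover##*/}" in
            *.dpkg-*) live=${leftover%.dpkg-*} ;;
            *)        live=${leftover%.ucf-*} ;;
        esac
        if [ ! -e "$live" ]; then
            status=orphan
        elif cmp -s "$live" "$leftover"; then
            status=identical
        else
            status=differs
        fi
        printf '%s\t%s\t%s\n' "$status" "$live" "$leftover"
    done
}

# show_conffile_diffs DIR
# Prints a unified diff (leftover -> live) for every pair that differs.
show_conffile_diffs() {
    review_conffiles "$1" |
    while IFS="$(printf '\t')" read -r status live leftover; do
        [ "$status" = differs ] || continue
        diff -u "$leftover" "$live" || true   # diff exits 1 on differences
    done
}
```

To use it, source the file and run review_conffiles /etc as root, then show_conffile_diffs /etc for the details.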

Time requirement

It only took about an hour to complete the upgrade, including the configuration review. I’m using a fast mirror so downloading didn’t take long. In comparison, it took me almost four hours to write this post…