Upgrade from Debian 11 Bullseye to Debian 12 Bookworm

[Krinkle]

Main differences:

• node 12 -> 18. https://packages.debian.org/bullseye/nodejs https://packages.debian.org/bookworm/nodejs
• php 7.4 -> 8.2. https://packages.debian.org/bullseye/php https://packages.debian.org/bookworm/php

Debian 11 Bullseye hosts today:

• [x] wp-02.stage.ops.jquery.net
• [x] builder-04.stage.ops.jquery.net
• [x] puppet-03.ops.jquery.net
• [ ] search-02.ops.jquery.net https://github.com/jquery/infrastructure-puppet/issues/36
• [ ] codeorigin-02.stage.ops.jquery.net
• [ ] codeorigin-02.ops.jquery.net
• [ ] wpblogs-01.ops.jquery.net
• [ ] gruntjs-02.stage.ops.jquery.net
• [ ] gruntjs-02.ops.jquery.net
• [ ] miscweb-01.ops.jquery.net
• [ ] contentorigin-02.ops.jquery.net
• [x] ~swarm-02.ops.jquery.net~ (decommissioned) #51

The following went straight from legacy Debian 7 to Debian 12 Bookworm, via https://github.com/jquery/infrastructure-puppet/issues/8, and were never on Debian Bullseye.

• [x] wp-*.ops
• [x] builder-*.ops
• [x] filestash-*.ops

[Krinkle]

provision-instance.sh is meant to be non-interactive, but during the upgrade of sshd it asks the following

A new version (/tmp/tmp.s8CAJsQh4K) of configuration file /etc/ssh/sshd_config
is available, but the version installed currently has been locally modified.

  1. install the package maintainer's version
  2. keep the local version currently installed
  3. show the differences between the versions
  4. show a side-by-side difference between the versions
  5. show a 3-way difference between available versions
  6. do a 3-way merge between available versions
  7. start a new shell to examine the situation
What do you want to do about modified configuration file sshd_config? 3

Line by line differences between versions

--- /etc/ssh/sshd_config root.root 0644 2023-06-27 17:58:59
+++ /tmp/tmp.s8CAJsQh4K root.root 0644 2023-11-12 19:39:52
@@ -78,7 +78,7 @@
 # be allowed through the KbdInteractiveAuthentication and
 # PasswordAuthentication. Depending on your PAM configuration,
 # PAM authentication via KbdInteractiveAuthentication may bypass
-# the setting of "PermitRootLogin yes
+# the setting of "PermitRootLogin prohibit-password".
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
 # and KbdInteractiveAuthentication to 'no'.
@@ -120,4 +120,3 @@
 # AllowTcpForwarding no
 # PermitTTY no
 # ForceCommand cvs server
-ClientAliveInterval 120

I'm guessing this from apt-get -o Dpkg::Options::="--force-confold" upgrade -y where perhaps force-confold is insufficient in this case.

In practice, the answer doesn't matter since Puppet will replace this file on the first run a few seconds later. But, for now I picked 2: keep the local version since that's closest to what we provision.