Ferenc's picture

Hi,

First off, thank you very much for Turnkey Linux. I use TKL appliances on a Proxmox box and it makes administration a lot easier. I couldn't find much info on upgrading a TKL appliance so this may be of use to someone. 

I upgraded a fresh Turnkey Linux Core appliance to Debian Bullseye. Per the Debian docs I edited the *sources.list files (/etc/apt/sources.d) to replace 'buster' with 'bullseye' (and 'buster/updates' becomes 'bullseye-security').

However, apt stumbles over the turnkey linux lines:

	deb [signed-by=/usr/share/keyrings/tkl-bullseye-main.gpg] http://archive.turnkeylinux.org/debian bullseye main
	deb [signed-by=/usr/share/keyrings/tkl-bullseye-security.gpg] http://archive.turnkeylinux.org/debian bullseye-security main

The bullseye repo simply isn't there and for the security repo the right key is missing.

I looked into the buster repos on http://archive.turnkeylinux.org. The buster-security Release file points to main/binary-all/Packages and main/binary-amd64/Packages - both of which are empty. When I spun up a new appliance and commented out everything but the archive.turnkeylinux.org lines, an apt update reported that everything was up-to-date. Are the tkl security repos not used? 

In the end I commented out both lines in the *sources.list files and went on with apt update --without-new-pkgs. Some questions came up; I allowed services to restart, kept local versions of configuration files, let localepurge purge and did not understand dpkg --path-exclude so went with default. This finished without errors. 

I then ran apt full-update and again kept local versions of configuration files. The differences seemed not that big anyway. This too finished without errors and I ended up with a Debian 11 appliance. 

I next tried to upgrade a Lighttpd-fastcgi-php appliance, this ended with a broken Lighttpd config and no mariadb. And, of course, no tklbam. I repaired the Lighttpd config and reinstalled mariadb but I wonder if this is worth the effort and doesn't end up with a broken installation. 

cheers

Ferenc

Jeremy Davis's picture

Thanks for your kind words and welcome to our forums! :)

I have had a little play with Bullseye, but as you note, we haven't yet set up our Bullseye repo properly. We do have keys generated (tkl-bullseye-main & tkl-bullseye-security; as well as tkl-bullseye-testing), but again as you note, bullseye-security (and bullseye-testing) are the only repos we've created so far.

I really hope to get to Bullseye (which will be the basis for our upcoming v17.x) soon, but I have been blocked until relatively recently (key generation is outside my role) and since I've been unblocked, I've been busy with other stuff and am yet to circle back to it. Completing (and/or fixing) the Bullseye repos will be the first step when I do, but I have no ETA on when I might get to it (I really hope to get the repos working within the next few weeks, but can't promise).

As Buster (the basis of v16.x) is still getting full Debian security support (for 12 months; plus will almost certainly get LTS support for a few more years after that), I'd currently recommend that TurnKey v16.x users don't upgrade yet at all. That is at least until we have the repos set up (and even then, in the early stages, I'll likely only have packages in the 'bullseye-testing' repo). FYI as stability is generally king on a server, personally I rarely upgrade until Debian does their first point release at the earliest (i.e. Bullseye 11.1). FWIW, one of my colleagues is still running Stretch (it's still supported by LTS until June 30, 2022 - although I'm not saying that as a recommendation)!

As it sounds like you've already committed to the upgrade, then my next recommendation would be to just leave the TKL sources.list lines as they were (i.e. still pointing to 'buster' key & repo). I suspect that we probably won't be issuing any updates to those anyway. But if we do, they'll be just as compatible with Bullseye as the current Buster packages are. Just commenting them out (as it sounds you've done) is also a legitimate option.

As for the TKL Buster security repo, to date, we've never had any need to push security updates within the life of Buster (obviously Debian did, but none of our custom packages required it). So it's expected to be empty and that would explain your experience there.

As for your broken Lighty appliance, unfortunately, I'm not 100% sure on what might be required there (mostly because I'm yet to try any of this myself). Although having a heads up that it might require some tweaks is good info; so thanks for sharing. If you wish to proceed with that, please feel free to share more specifics (ideally the explicit error messages it's giving as it fails) and I'm happy to try assisting with that if you wish.

Whilst we aim to support "normal" Debian upgrades, it's also worth noting that many of our appliance tweaks and security hardening steps aren't packaged. So doing a Debian upgrade of a v16.x appliance will not strictly give you a v17.x appliance (especially before we've released v17.0; but even after we have). Because of that, generally we have recommended migrating your data to a new server instead.


FYI TKLBAM was originally intended to fulfil the data migration role (the 'M' is for migration), although in more recent times we've had quite a few reports of more complex appliances requiring manual intervention (which I'm always happy to assist with). TKLBAM as it currently stands will be included in v17.x, but behind the scenes, we are looking at a full rewrite of that which we hope to release ASAP. Unfortunately though, I expect it will be quite some time away as the dev working on that has been temporarily poached. When he's back on board, he will likely assist with the v17.0 release before getting back to TKLBAM2.0 development.

I hope I've covered everything and it all makes sense... Please feel free to post back if it doesn't and/or I missed something and/or you have further questions...

Also I'll try to remember to post back here re v17.0 updates, but please keep an eye on the blog (and/or mailing list) for announcements...
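
Added example (not part of either post above, and not TurnKey's own tooling): the suite rename described in the first post, combined with the suggestion in the reply to leave the archive.turnkeylinux.org lines pointing at buster, plus a check that every `signed-by` keyring actually exists before `apt update` is run. The sample lines, the function names and the `tkl-buster-main.gpg` path are constructed assumptions.

```shell
#!/bin/sh
# Rewrite APT source lines from buster to bullseye (stdin -> stdout).
# Only the suite field of active deb/deb-src lines is changed; comments and
# archive.turnkeylinux.org lines are passed through untouched.
rewrite_sources() {
    sed -E '
        /^[[:space:]]*deb(-src)?[[:space:]]/!b
        /archive\.turnkeylinux\.org/b
        s#([[:space:]])buster/updates([[:space:]])#\1bullseye-security\2#
        s#([[:space:]])buster(-updates|-backports)?([[:space:]])#\1bullseye\2\3#
    '
}

# Print every signed-by keyring path (read from stdin) that does not exist.
# A source pinned to a missing keyring cannot be verified by apt.
missing_keyrings() {
    grep -oE 'signed-by=[^] ,]+' | cut -d= -f2 | sort -u |
    while read -r key; do
        [ -e "$key" ] || printf '%s\n' "$key"
    done
}

# Constructed sample input; the TurnKey keyring name is assumed by analogy
# with the bullseye keyring names quoted in the thread.
sample_sources() {
    cat <<'EOF'
deb http://deb.debian.org/debian buster main
deb http://deb.debian.org/debian buster-updates main
deb http://security.debian.org/debian-security buster/updates main
# deb http://deb.debian.org/debian buster-backports main
deb [signed-by=/usr/share/keyrings/tkl-buster-main.gpg] http://archive.turnkeylinux.org/debian buster main
EOF
}

# Show the rewritten sample.
sample_sources | rewrite_sources
```

On a real system, write the rewritten lines to a new file, run `missing_keyrings` over it, and replace the original only once the check prints nothing.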
