debian changing kernels from i686 to amd64

If you see a message that your kernel can run amd64 but you used ancient i686 media years and years ago (my blog) then you may be able to use it.

Try

grep -q '^flags.* lm ' < /proc/cpuinfo && echo yes

If it replied yes, then this:

dpkg --add-architecture amd64
apt update
apt install linux-image-amd64

Installs the kernel stuff, but your old kernels do remain just in case it does go tits up and can be selected via the grub menu. Doing this remotely might be dicey and something your hosting company might have to help with, but that is not a zoo problem.

To remove

dpkg --remove-architecture <x>

Other caveats: virtual box and other outside kernel modules not included by default might not work, so openafs and other daemons might need your kind attention – it works but I have not bothered to fix with kernel headers, but several days have passed and the debian box in question has not suffered any serious faults making me want to revoke the changes.

I also am running i686 binaries and performance wise there’s not much of a performance boost yet. I want a stable server so being courageous is something that can wait.

Do this at your own risk.

x display woefinder general (further tales of the intel i915)

Following on from this (my blog) it also appears I needed:

apt install mesa-vulkan-drivers

Not the i386 version – anyhow it appears that the intel 915 driver or software is compiled against vulkan and for some fucking reason nobody tells you this, and so your x display hangs at times and you'd never guess why. If it did, you might have this issue.

This also affects steam, who do not tell you about it either. Another tale at a later date.

It's been a good day without a pc unplug to reset for my workstation, but it appears I need to go to tea leaves and tarot card lessons since debian and steam are not exactly making it easy.

So debian users, who is your tea leaves reader who can decode kernel messages*? I need your help because I never knew I had to be one.

It still occasionally crashes so more later.

*I am perhaps the Matthew Hopkins from imdb:tt0063285 ?

 

docker voodoo

I passed the topic of docker in this (my blog) and I still regard it as hipster IT; having a docker daemon is when the adventures begin. I have no idea what the fuck I am doing and have pulled a docker instance but I have no idea where it is on the disk*.

Reading awful webpages leads you to syntax that doesn't work, and you need bridge utils on the docker instance. Er sure, I am not a member of the docker secret society – time for me to get on the penny farthing and wear a top hat, more tea vicar.

you will run a docker instance after meeting her.

Eventually I discover a docker0 lan interface with an ip address I have no idea where it is specified and can run anything dockerish with the debian repository version of docker.io – docker being a remote xserver thing pre docker.

Off I go to docker.com since this does not work, baton twirling that moustache because it's hipster tea leaves reading time.

docker run hello-world

results in:

Hello from Docker!
This message shows that your installation appears to be working correctly.

To generate this message, Docker took the following steps:
1. The Docker client contacted the Docker daemon.
2. The Docker daemon pulled the “hello-world” image from the Docker Hub.

Pretty useless but this shit sort of works.

The inability to manage docker images is awful and the docker networking is awful. Thus docker is hipster IT at its worst and best avoided.

*paid cloud storage if you're a hipster

 

our unnecessary ancient debian antivirus cockup.

The zoo has detected one virus via an email in a year. Since the mail server blocks microsoft (microshit) attachments and we hate microsoft products, having a scanner is a bit of a waste of time since it is something it will not find.

But .. after the upgrade to buster (my blog) all the updates stopped (my blog) or the config got passed over, and it is not the most important thing in the universe to fix. Since the server only gets definition updates four times a month I decided it was time to have antivirus in buster rather than continue with useless cron warnings about missing gpg keys four times a month.

I deleted the extra clamd debian package, set up some logins and used the recent script from extremeshok, which is now on version 6 and which I have used in the past at version 2 something. Things look happy and after ninety minutes I seem to have more definitions and yara rules once again.

I expect the virus scanner to do nothing most of the time as it did beforehand, since most viruses seem to be opportunistic and usually sent from badly configured mail servers when they get emailed, and so the mail server rules kick in and reject them before payload and the scanner does not get to run.

Maybe there will be a resurgence in them? But the zoo is covered now.

It seems packaging is not a cure for virus software. Since I spent very little time worrying about awful microsoft code from microsoft I think ninety minutes a year is more than ample and reminds me that microsoft products cannot be trusted.

Intel graphics i915 debian 10 fix

My debian pc has seen a few versions in its time – if you're seeing (my blog)

[drm:intel_pipe_update_end [i915]] *ERROR* Atomic update f

in logs then

cat /etc/modprobe.d/i915.conf
options i915 enable_psr=0

might do something for you. If your x display still freezes as it did for me then

apt remove xserver-xorg-video-intel

Changes the driver for x server to modeset, using the firmware-misc-nonfree packaged intel 915 driver which seems to be more up to date.

I do not have to reset by unplugging the power now when the screen freezes.

debian ten new things

Debian 10 (my blog) is a fast loader even on a server and here are a few different things which debian deems un-newsworthy.

It's been a week or so.

monitor sharing [HARDWARE] – the zoo being cheap has a monitor with three interfaces on it (vga/dvi/hdmi). In the old version debian would cede control to the thing on the hdmi interface rather than the dvi port on no interaction, being debian has a dvi interface; the new version remains on the hardware screen – not a problem since the hdmi interface can be chosen from the screen's menu as required.

If the zoo had billions to spend on another monitor it would be a very low priority and probably be an ex-display/return one as well. The monitor remains turned off 99% of the time anyhow – emergency use case.

Usually we remote into it.

tls

tls 1.3 (part of openssl) works and things we use can use tls 1.3; Qualys tests work and confirm it in browser client and server.

amavis

/usr/sbin/amavis-services msg-forwarder
/usr/sbin/amavis-services childproc-minder
/usr/sbin/amavis-services snmp-responder

Since amavis keeps mum on changes, these seem to be new binaries I hairy eyeballed.

zombie process

opendmarc

is a bit of a mystery, the zoo’s only non working component – think postfix got grandfathered and if you're not doing sockets how it used to, nothing happens

Milters ….

fail2ban

The new config is baffling, our old config works so damn it, I will use that.

rkhunter

Debian reports large memory blobs now and the usual hidden /etc/.java directory returns and deleting it means it gets recreated regardless.  You have cron mail to read every day.

Cyrus imap

No nasty surprises a week in.

Postfix

Opendmarc [milter] is a no go but everything else appears to work.

tube recycle those 1’s and 0’s

Ipv4 & Ipv6

I had to add a timeout option to systemd to make a list of open ports to load since we use a mix of static and dynamic ipv6; it seems pretty stable. Ipv4 seems to also work although the boot process still whines I have a bad interfaces file entry but won't tell me where or why.

Patches have been light so far. The ghostscript patch stopped my desktop (i386) from seizing in x several times a day.

Apart from our isp losing ipv6 for five minutes a day (everything also does) it does feel like a debian problem; as the router is not debian based it soon returns so I am not blaming them for that.

I am not regretting this upgrade.

having a moment – upgrading raspbian to buster

The raspberry pi 3 (my blog) is something that just works but was stuck on debian stretch [version 9]. My prior attempts with upgrading were not good, although bad sdcards might have helped here with that impression.

So preparation for the end of the world took time – I made backups of important files, and an iso of the disk just in case disaster struck.

Stretch does work but a better dns thing might be nice and buster has been a general success in the zoo on intel hardware.

It is easier to attempt the upgrade than do a native debian install (my blog) which is an unknown experience.

Once ready and sitting next to the thing with a keyboard things went smoothly – only two usual prompts as blogged about before; the following files caused conflict:

  • /etc/sysctl.conf
  • lighttp/conf-available/ 10-cgi.conf & 1–ssl.conf
  • plymouth/plymouth.conf
  • /ssh/sshd_config
  • /fail2ban/jail.conf – temp file warning as well, /var/run goes /run.
  • /bind/named.conf.options
  • /lightdm/lightdm.conf

lighttp needed help and I moved the old config file to a backup and installed the version in /etc/lighttp.

Bind9 init is a mess

named[1841]: binding TCP socket: address in use
named[1841]: unable to listen on any configured interfaces
named[1841]: loading configuration: failure
named[1841]: exiting (due to fatal error)

Despite it claiming not to work bind9 does work – ignore systemd (my blog) for your sanity

 

 

strange debian buster upgrade (non documentation guessing game)

If you're a cave dwelling citizen who only reads my blog* then you probably do not know that a new release of Debian (my blog) is out.

It has not been out long, but what has been updated is a mystery – sure the gui’s have been updated, but mysterious questions like tls1.3 support mean searching and getting misguided results, for instance ubuntu is not debian. google mind you, with alphabet worrying about hate speech, who cares if their search engine goes to shit.

Apparently tls 1.3 is now supported (my blog) but I still have other questions, so documentation wise Debian ten is a complete mystery if you're wondering what is new.

Cyrus imap is another mystery here – the suggested route (not here) compared with the actual is not the same. I was expecting to configure and reconstruct but just disabling imap seems to have worked – although imap apparently does not use Berkeley db’s any more I did need a roundcube option create_default_folders’] = true; (not here) opposed to false

Not sure why debian cyrus 3.0.8.6 did not need the linked work – I think it should have. Not complaining though.

The dist upgrade failed several times and I had to restart it. konq-plugins was a package that failed on i386

apt remove konq-plugins

Fixed.

Messages are very inconsistent on upgrade; nss and glibc was one prompt that started and stopped processes, so your experience will vary between x64 and i386. Servers with sql backends used dbcommon and I kept most of my config files, choosing N rather than the package file.

If you are upgrading via ssh then the lines

#'MACs hmac-sha2-512-etm@openssh.com,
hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,
umac-128-etm@openssh.com,
hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,
umac-128@openssh.com

Will cause ssh to not reload – be careful if you're non-local.
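
A way to catch this before reloading sshd, as an added example that is not part of the original post: compare the `MACs` line in sshd_config with the list the installed OpenSSH reports via `ssh -Q mac`. The function names and the sample files are constructed for illustration; the sample supported list leaves out the ripemd160 MACs, which OpenSSH dropped in 7.6.

```shell
#!/bin/sh
# Added example: list MACs in an sshd_config that this OpenSSH build lacks.

# unsupported_macs CONFIG SUPPORTED
# CONFIG: sshd_config path. SUPPORTED: file with one MAC name per line,
# normally produced with `ssh -Q mac`. Prints every configured MAC that is
# missing from SUPPORTED and returns 1 if there was at least one.
unsupported_macs() {
    # First uncommented MACs directive; keyword removed, commas to newlines,
    # a leading +, - or ^ list modifier stripped.
    macs=$(awk 'tolower($1) == "macs" { $1 = ""; gsub(/[ \t]/, ""); print; exit }' "$1" |
        sed 's/^[+^-]//' | tr ',' '\n')
    bad=0
    for m in $macs; do
        if ! grep -qxF -- "$m" "$2"; then
            echo "$m"
            bad=1
        fi
    done
    return "$bad"
}

# Constructed sample data (not from a real host): the MACs list quoted above
# on one line, and a supported list that has no ripemd160 entries.
write_sample() {
    cat > "$1/sshd_config" <<'EOF'
Port 22
#MACs hmac-md5
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com
EOF
    cat > "$1/supported" <<'EOF'
hmac-sha2-256
hmac-sha2-512
umac-128@openssh.com
hmac-sha2-256-etm@openssh.com
hmac-sha2-512-etm@openssh.com
umac-128-etm@openssh.com
EOF
}

tmp=$(mktemp -d) && write_sample "$tmp"
unsupported_macs "$tmp/sshd_config" "$tmp/supported" ||
    echo "unsupported MACs found: fix sshd_config before reloading sshd"
rm -rf "$tmp"
# On a real host: ssh -Q mac > supported.txt, run the function against
# /etc/ssh/sshd_config, then `sshd -t`; reload only if both succeed.
```

Keep the existing ssh session open while testing the new config, so a failed reload does not lock you out.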

Openafs kernel module is a time consuming item to upgrade especially its kernel module.

If you're into windows** nameservers dhcp needs an upgrade but we don't have microshit windows here in the zoo.

Opendnssec – gets updated but I have no idea still how this awful software works.

postgresql seems to start first time in buster unlike stretch

pg_ctlcluster <version> main start

Files changed

  • crontab
  • modsecurity RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf security2.conf
  • sysctl.conf
  • opendnssec.conf.xml
  • /etc/services
  • /etc/ssl/openssl.conf
  • issue and issue.net
  • cron.daily logrotate
  • syslog.conf
  • ssh_config & sshd_config [see above]
  • clamd conf
  • hplip.conf
  • rkhunter
  • fail2ban – action.d/mail.conf filter.d/postfix.conf
  • opendmarc.conf
  • named.conf.options
  • postfix scripts are only updated not main and master files

So my fuckups

I [apparently] had an extra listen address in apache2 in ports conf; ipv6 is sluggish for apache and email on startup. Some ipv6 addresses refused to start up and cause failures. Keeping the original conf files seems to have saved me a lot of headaches.

Since I was not ssh’ed into the box, not an issue for me.

Overall

email worked, our zoo bots are working, apache does once interfaces started manually – xserver works when required [not often]

Server boot speed is not that impressive on older hardware, but since I don't reboot often who cares.

openssl does support tls 1.3. Most things work although this is perplexing

ssl-cert-check -s zoo.com -p 443 -a

Host Status Expires Days
———————————————– ———— ———— —-
unable to load certificate
3080701696:error:0909006C:PEM routines:get_name:no start line:../crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE
unable to load certificate

The second instance does not work, calling it once before does work. It worked on stretch not us, but something else is confused as apache likes the stated files fine.

Most things appear to work but your experience might vary – it took 25 minutes to download and three hours to nursemaid as described and restart.

I can probably fix the boot problems myself.

So far buster on a server seems a safe choice.

I will deal with newer features elsewhere. Not an upgrade from hell although I did make media backups beforehand.

*somebody might – joke **you poor sod