geoip updates in debian buster

Geoip got borked in debian 10 [my blog] when maxmind changed how it could be obtained with the always free country db and other region one which are not the speciific ‘enterprise’ databases

So instead of it getting packaged via debian you sign up for a account and get it from maxmind, say once a month with an automated cron for geoipupdate -v is good enough here for the zoo.

geoipupdate 3.1.1
Opened License file /etc/GeoIP.conf
LicenseKey OpHn...
Skip unknown directive: i#000000000000
Skip unknown directive: *
Insert edition_id GeoLite2-Country
Insert edition_id GeoLite2-City
Read in license key /etc/GeoIP.conf
Number of edition IDs 2
url: https:/?product_id=GeoLite2-Country
url: https: ///databases/GeoLite2-Country/update?db_md5=
No new updates available
url: https: //_getfilename?product_id=GeoLite2-City
No new updates available

It seems a faff but they have ipv6 servers even  if no ipv6 lookups seem possible,

My cron jobs survived ok which you have seen examples of in separate topics where the location is part of the blog topic..

I do like debian and cannot fault them for this perhaps this license change is meant  to  irritate rather than screw up and it seems to be extra hard work for maxmind.

Anyhow  it works.


debian ten new things

Debian 10 (my blog) is a fast loader even on a server and here a few things different which debian deems un-news worthy.

Its been a week or so

monitor sharing [HARDWARE] – the zoo being cheap has a monitor with three interfaces on it i(vga/dvi/hdmi) n the old version debian would seed control to the thing on the hdmi interface rather than the dvi port on no interaction being debian has a dvi interface, the new version remains on the hardware screen – not a problem since the hdmi interface can be chosen from the screens menu as required.

If the zoo had billions to spend on another monitor it would be a very low priority and probably be an ex-display/return one as well.  The monitor remains turned off 99% of the time anyhow – emergency use case.

Usually we remote into it


tls 1.3  (part of openssl) works and things we use can use tls 1.3, quays tests work and confirm it in browser client and .server


/usr/sbin/amavis-services msg-forwarder
/usr/sbin/amavis-services childproc-minder
/usr/sbin/amavis-services snmp-responder

Since amavis keeps mum on changes these seem to be new binaries i hairy eyeballed.

zombie process


is a bit of a mystery the zoo’s  only non working component – think postfix got grandfathered and if your not doing sockets how it used to so nothing happens

Milters ….


The new config is baffling, our old config works  so damn it i will use that.


Debian reports large memory blobs now and the usual hidden /etc/.java directory returns and deleting it means it gets recreated regardless.  You have cron mail to read every day.

Cyrus imap

No nasty surprises a week in.


Opendmarc [milter] is a no go but everything else appears to work.

tube recycle those 1’s and 0’s

Ipv4 & Ipv6

I had to add an timeout option to systemd to make a list of open ports to load since we use a miix of static and dynamic ipv6 it seems pretty stable.  Iov4 seems to also work although the boot process still whines i have a bad interfaces file entry but wont tell me where or why.

Patches have been light so far.   The ghostscript patch stopped my desktop (i386)  from seizing in x several times a day.

Apart from our isp losing ipv6 for five minutes a day (everything also does) it does feel like a debian problem as the router is not debian based it soon returns so i am not blaming them for that.

I am not regretting this upgrade.

having a moment – upgrading raspbian to buster

The raspberry pi 3 (my blog) is something that just works but was struck on debian stretch [version 9], My prior attempts with upgrading where not good although bad sdcard’s might have helped here with that impression.

So preparation for the end of the world took time -i made backups of important files , and an iso of the disk just in case disaster struck.

Stretch does work but a better dns thing might be nice and buster has been a general success in the zoo on intel hardware.

It is easier to attempt the upgrade than do a native debian install (my blog) which is an unknown experience.

Once ready and sitting next to the thing with a keyboard things went smoothly – only two usual prompts as blogged about before the following files caused conflict

  • /etc/sysctl.conf
  • lighttp/conf-available/ 10-cgi.conf & 1–ssl.conf
  • plymouth/plymouth.conf
  • /ssh/sshd_config
  • /fail2ban/jail.conf – temp file warning as welll /var/run goes /run.
  • /bind/named.conf.options
  • /lightdm/lightdm.conf

lighttp needed help and i moved the old config file to a backup and installed the version in /etc/lighttp.

Bind9 init is a mess

named[1841]: binding TCP socket: address in use
named[1841]: unable to listen on any configured interfaces
named[1841]: loading configuration: failure
named[1841]: exiting (due to fatal error)

Despite it claiming not to work bind9 does work  – ignore systemd (my blog)| for your sanity



strange debian buster upgrade (non documentation guessing game)

If your a cave dwelling citizenand who only reads my blog* then your probably not know that a new release of Debian (my blog) is out.

it has not been out long but is mysterious as to what has been updated is a mystery – sure the gui’s have been updated but mysterious questions like tls1.3 support mean searching and getting misguided results for instance ubuntu is not debian. google mind you with alphabet worrying about hate speech who cares if there search engine goes to shit.

Apparently tls 1.3 is now supported (my blog) but i still have other questions so documentation wise Debian ten is a complete mystery if your wondering what is new.

Cyrus imap is another  mystery here – the suggested route (not here) compared with the actual is not the same. I was expecting to configure and reconstruct but just disabling imap seems to have worked – although imap apparently does not use Berkeley db’s any more i did need a roundube option create_default_folders’] = true; (not here) opposed to false

Not sure why debian cyrus did not need the linked work – i think it should have. Not complaining though.

The dist upgrade failed several times and i had to restart it.  konq-plugins was a package that failed on i386

apt remove konq-plugins


Messages are very inconsistent on upgrade nss and glibc was one prompt that started and stopped processes, so your experience will vary between x64 and i386.   Servers with sql backends used dbcommon and i kept most of my config files choosing N rather than the package file.

If you upgrading via ssh then the lines.


Will cause ssh to not reload. – be careful if your non local.

Openafs kernel module is a time consuming item to upgrade especially its kernel module.

If your into windows** nameservers dhcp needs an uograde but we dont have microshit windows here in the zoo.

Opendnssec — gets updated but i have no idea still how this awful software works.

postgresql seems to start first time in buster unlike stretch

pgctl_cluster main start

Files changed

  • crontab
  • modsecurity RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf security2.conf
  • sysctl.conf
  • opendnssec.conf.xml
  • /etc/services
  • /etc/ssl/openssl.conf
  • issue and
  • cron.daily logrotate
  • syslog.conf
  • ssh_confing & sshd_config [see above]
  • clamd conf
  • hplip.conf
  • rkhunter
  • fail2ban – action.d/mail.conf filter.d/postfix.conf
  • opendmarc.conf
  • named.conf.options
  • postfix scripts are only updated not main and master files

So my fuckup’s

I [apparently] had an extra listen address in apache2 in ports conf, ipv6 is sluggish for apache and email on startup.  Some ipv6 addresses refused to startup and cause failures.  Keeping the original conf files seems to saved me a lot of headaches.

Since i was not ssh’ed into the box not an issue for me


email worked our zoo bots are working, apache does once interfaces started manually – xserver works when required [not often]

Server boot speed is not that impressive on older hardware, but since i dont reboot often who cares.

openssl does support tls 1.3 Most things work although this is perplexing

ssl-cert-check -s -p 443 -a

Host Status Expires Days
———————————————– ———— ———— —-
unable to load certificate
3080701696:error:0909006C:PEM routines:get_name:no start line:../crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE
unable to load certificate

The second instance does not work, calling it once before does work. It worked on stetch not us, but something else is confused as apache likes the stated files fine.

Most things appear to work but your experience might vary – it took 25 minutes to download and three hours to nursemaid as described and restart.

I can probably fix the boot problems myself.

So far buster on a server seems a safe choice.

I will deal with newer features elsewhere.   Not an upgrade from hell althougth i did make media backups before hand.

*somebody might – joke **you poor sod

i hate cups (ipp version) and more debian buster upgrades.

Cups printers suck when upgrading (my blog) I have since discovered that simply deleting all printers and rebooting makes them magically work after an upgrade.


Debian buster gave me a new prompt that i had not seen on another zoo pc i have now upgraded about starting and stopping services, once again four hours for a simple workstation did it, twenty minutes of that was downloading.

One non computer literate zoo staff member even thought it was a lot faster than stretch

Debian 10 (buster) a quick look on a simple workstation

two dogs

I use debian (my blog) and with version ten out called buster i offered the monkey houses stretch* pc to upgrade it via apt dist-upgrade   Three hours later i am typing this on itin debian ten.

Being a simple pc opposed to a server not too may hiccups

Those being

  • virtualbox [oracle crap]’ has no buster repository
  • minissdp wanted attention – not that i knew what minissdp does i ignored it
  • /etc/defaults/networking was updated [prompted] i kept my file
  • /etc/ssh/ssh_config [prompted] i kept my file

kde works from a brief exploration

Some issues which i discovered and may be user [me] issues

  • ipv6 by default [no ipv4]  until i edited my /etc/network/interfaces file which looks like its been through an exorcism since i have being doing a lot of iov6 work recently.
  • bluetooth sound is controlled via the sounds app in kde on the applications tab so codecs works,
  • cups/ipp needs some help

It took half an hour to download and 2 and a bit hours to extract but this also during dinner in the monkey house so some prompts might have been ignored while the tribe ate its bananas.

Being a SIMPLE pc everything worked opposed to server changes so as a first look on a basic pc no issues.

I have client tls 1.3 support from openssl  so tle 1.3 seems to be finally here.

*the old version 9