Re: Lenny (Debian 5.0) approaching end of life

To: debian-user@lists.debian.org
Subject: Re: Lenny (Debian 5.0) approaching end of life
From: Camaleón <noelamac@gmail.com>
Date: Tue, 10 Jan 2012 16:24:17 +0000 (UTC)
Message-id: <[🔎] jehonh$r4p$9@dough.gmane.org>
References: <[🔎] CA+AKB6ELngvZCwqY-b=PUhCF1=Kdf_NRUVvd2FhcQAovh5=__Q@mail.gmail.com> <[🔎] pan.2012.01.04.17.37.42@gmail.com> <b67aa1be-e8f5-44e7-bf2b-5000f3331e34@email.android.com> <[🔎] 20120105153649.GB6934@stt008.linux.site> <[🔎] 20120107003342.GA13940@deathstar.hsd1.ct.comcast.net> <[🔎] pan.2012.01.07.11.20.11@gmail.com> <[🔎] CA+AKB6Ef0W3CtrWXrur2KxEczM5pmaD7mFN2KAYoZ=PsxV0Ybg@mail.gmail.com>

On Mon, 09 Jan 2012 14:47:03 -0400, francis picabia wrote:

> On Sat, Jan 7, 2012 at 7:20 AM, Camaleón <noelamac@gmail.com> wrote:

(...)

>>> disturbances?
>>> Have you upgraded a Debian from old->new stable before?
>>
>> (...)
>>
>> Nope, never ever. In Spanish I would say "jamás de los jamases" :-)
>>
>> In do run in place upgrades on my testing computers that now runs on a
>> perpetual Debian "testing" but on production systems I would never do a
>> distribution upgrade and not because is not going to work (I know
>> Debian has one of the best in site upgrades available in linux with the
>> plus of release notes which help a lot to minimize the risks) but I'm a
>> very conservative sysadmin and one of my mottos is "always keep a
>> running system" so overwriting something that is working is something
>> that the mere thought gives me gooseflesh.
>>
>> Of course, I can do this way because I don't have thousand machines to
>> administer not have to remotely access to them, in such case I would
>> reconsider the in place upgrade path :-)
>>
>>
> We run about 5 servers with Debian which have been upgraded in place,
> from Lenny to Squeeze.  A couple started life as Debian 3.0 and have
> been upgraded a version a few times.  The services offered from these
> servers varies.  One is an INN news server. One is our DHCP/DNS server
> for a network with up to 5000 nodes on it.  Another 3 servers provide
> web sites and programming platforms.
> 
> We upgrade in place because it works, and because we can't afford to buy
> a new server for every OS life cycle.

(...)

Nice to know the upgrade path (instead a full pararel install) does the 
work for you. I understand every sysadmin has developed his/her own 
maintenance techniques and sticks to those that have been working for his/
her setups over the years.

> The issues with services breaking can be mitigated by testing on a VM
> instance with your usual configuration in advance. For example, I tested
> our DHCP config and DNS config on a VM system with squeeze versions of
> bind and ISC DHCP.

I personally don't like using VM for this purpose because they don't 
provide reliable results (what usually fails when upgrading from a older 
version to another are hardware related problems more than problematic 
services). In the end, software issues are usually easier to solve than  
hardware compatibility problems (like buggy drivers).

> The other part we can take advantage of is to do the upgrade work
> between busy cycles, and for us that means when students are away. The
> downtime for my last upgrade, of the DNS/DHCP was about 30 minutes,
> mainly due to the requirement of fiddling around with kernel needs (the
> rootdelay=9 issue I mention in another thread).

I also try to reduce the downtime for the installation of a new release 
by performing the migration on holidays or over the weekends when users 
are not at the office.

> The other thing I try to do, keeping in mind Camaleón's mentioning of
> conservative practises, is to have a fall back plan for anything
> important.  Websites can be migrated to another system temporarily
> during an upgrade.  I can set up secondary DNS and have another system
> ready to start with a copy of our DHCP config.  In the case of a service
> like INN, no one would notice if it is down for awhile, and people can
> live without it for some time if needed.

That would be great but I don't have secondary machines for balancing all 
of the services (I wish I had!) so this is not always possible :-)

> I feel my practises are also conservative, but in the direction of
> keeping prepared for a zero day exploit.  I know Debian is quick to
> patch security problems, but I can't be ready to do so with an
> unsupported version of Debian.  Patching the problem may also be
> possible outside of the Debian packages, but if I need to act quickly on
> several systems and it is time consuming to determine what chain of
> dependencies may need updates, I'd prefer to avoid downtime caused by
> flawed emergency patching methods.

(...)

Yup, running an unsupported (unpattched) system is a high risk, even more 
if it is providing external services (web hosting, e-mail...) :-(

Greetings,

-- 
Camaleón

Reply to:

References:
- Lenny (Debian 5.0) approaching end of life
  - From: francis picabia <fpicabia@gmail.com>
- Re: Lenny (Debian 5.0) approaching end of life
  - From: Camaleón <noelamac@gmail.com>
- Re: Lenny (Debian 5.0) approaching end of life
  - From: Camaleón <noelamac@gmail.com>
- Re: Lenny (Debian 5.0) approaching end of life
  - From: Tony Baldwin <tonybaldwin@gmx.com>
- Re: Lenny (Debian 5.0) approaching end of life
  - From: Camaleón <noelamac@gmail.com>
- Re: Lenny (Debian 5.0) approaching end of life
  - From: francis picabia <fpicabia@gmail.com>

Prev by Date: Re: Network not working on Shuttle XS35GTV2
Next by Date: sources.list configuration
Previous by thread: Re: Lenny (Debian 5.0) approaching end of life
Next by thread: Re: Lenny (Debian 5.0) approaching end of life
Index(es):
- Date
- Thread