Upgrade Scripts for non-interactive major release upgrades (2->3, 3->4, 4->5)

z0rk · Feb 5th 2021

Quote from dleidert

JFTR. I'm currently working on improving the scripts so if one fails the user can fix an occurring issue and then continue at the point the script left.

Sweet

pbertra · Feb 7th 2021

Quote from dleidert

JFTR. I'm currently working on improving the scripts so if one fails the user can fix an occurring issue and then continue at the point the script left.

Would be nice indeed...
In my case, I took esxi snapshots before each upgrade trial. If it failed, I reverted and tried again after some cleanup but I had to redo evrything.

dci2u · Feb 8th 2021

I ran upgrade script on my RPI4 OMV 4 install to upgrade it to 5 and had the following problem show up:

The following NEW packages will be installed:

apt-show-versions

0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.

Need to get 32.6 kB of archives.

After this operation, 93.2 kB of additional disk space will be used.

Get:1 https://deb.debian.org/debian buster/main armhf apt-show-versions all 0.22.11 [32.6 kB]

Fetched 32.6 kB in 0s (150 kB/s)

Selecting previously unselected package apt-show-versions.

(Reading database ...

Preparing to unpack .../apt-show-versions_0.22.11_all.deb ...

Unpacking apt-show-versions (0.22.11) ...

Setting up apt-show-versions (0.22.11) ...

** initializing cache. This may take a while **

Error: No information about packages! (Maybe no deb entries?)

dpkg: error processing package apt-show-versions (--configure):

installed apt-show-versions package post-installation script subprocess returned error exit status 255

Processing triggers for man-db (2.8.5-2) ...

Errors were encountered while processing:

apt-show-versions

E: Sub-process /usr/bin/dpkg returned an error code (1)

run-parts: /root/openmediavault-upgrade-4.7/post.d/50-apt-install exited with return code 100

root@RPINAS2:~/openmediavault-upgrade-4.7# sudo apt-show-versions

Error: No information about packages! (Maybe no deb entries?)

I then checked how far the upgrade had proceeded and it appears to have not upgraded any parts of OMV

root@RPINAS2:~/openmediavault-upgrade-4.7# dpkg -l | grep openm

rc openmediavault 4.1.36-1 all openmediavault - The open network attached storage solution

rc openmediavault-flashmemory 4.2.2 all folder2ram plugin for OpenMediaVault

ii openmediavault-keyring 1.0 all GnuPG archive keys of the OpenMediaVault archive

rc openmediavault-omvextrasorg 4.1.16 all OMV-Extras.org Package Repositories for OpenMediaVault

I'm not sure if this is salvageable. Any suggestions?

dleidert · Feb 8th 2021

Quote from dci2u

I ran upgrade script on my RPI4 OMV 4 install to upgrade it to 5 and had the following problem show up:

Please provide the full log!

Quote from dci2u

Preparing to unpack .../apt-show-versions_0.22.11_all.deb ...
Unpacking apt-show-versions (0.22.11) ...
Setting up apt-show-versions (0.22.11) ...
** initializing cache. This may take a while **
Error: No information about packages! (Maybe no deb entries?)
dpkg: error processing package apt-show-versions (--configure):
installed apt-show-versions package post-installation script subprocess returned error exit status 255
Processing triggers for man-db (2.8.5-2) ...
Errors were encountered while processing:
apt-show-versions
E: Sub-process /usr/bin/dpkg returned an error code (1)

Display More

You hit the same bug of apt-show-versions as described here.

Quote from dci2u

I then checked how far the upgrade had proceeded and it appears to have not upgraded any parts of OMV

root@RPINAS2:~/openmediavault-upgrade-4.7# dpkg -l | grep openm
rc openmediavault 4.1.36-1 all openmediavault - The open network attached storage solution
rc openmediavault-flashmemory 4.2.2 all folder2ram plugin for OpenMediaVault
ii openmediavault-keyring 1.0 all GnuPG archive keys of the OpenMediaVault archive
rc openmediavault-omvextrasorg 4.1.16 all OMV-Extras.org Package Repositories for OpenMediaVault

I'm not sure if this is salvageable. Any suggestions?

Display More

Actually the rc-state means that the package has been removed except for its configuration files. These packages should already been as version 5 here. But again I need the full log to understand what happened.

dci2u · Feb 8th 2021

Sorry, here is the log file.

omv_release_upgrade_to_buster.2021-02-07-133626.zip

dleidert · Feb 8th 2021

Quote from dci2u

Sorry, here is the log file.

omv_release_upgrade_to_buster.2021-02-07-133626.zip

The log is weird. Can you please tell me what apt-cache policy chrony says?

dci2u · Feb 9th 2021

Says this...

root@RPINAS2:~/openmediavault-upgrade-4.7# apt-cache policy chrony

chrony:

Installed: (none)

Candidate: 3.4-4+deb10u1

Version table:

3.4-4+deb10u1 990

990 https://deb.debian.org/debian buster/main armhf Packages

3.0-4+deb9u2 900

900 http://httpredir.debian.org/debian stretch/main armhf Packages

dleidert · Feb 9th 2021

You have a pinning for stretch in /etc/apt/preferences or /etc/apt/preferences.d/*. This leads to packages from stretch having a pin-priority of 900. Unfortunately when openmediavault is to be upgraded by the scripts this pinning leads to packages not being pulled from buster repositories but from stretch thus getting openmediavault removed from your system because of unsatisfiable dependencies:

Quote

[..]
The following packages will be REMOVED:

ntp openmediavault openmediavault-flashmemory openmediavault-omvextrasorg

The following NEW packages will be installed:

chrony libtomcrypt0 libtommath1

The following packages will be upgraded:

monit

1 upgraded, 3 newly installed, 4 to remove and 0 not upgraded.

Need to get 863 kB of archives.

After this operation, 13.5 MB disk space will be freed.

Get:1 http://httpredir.debian.org/debian stretch/main armhf libtommath1 armhf 1.0-4 [44.4 kB]

Get:2 http://httpredir.debian.org/debian stretch/main armhf libtomcrypt0 armhf 1.17-9 [307 kB]

Get:3 http://packages.openmediavault.org/public usul/main armhf monit armhf 1:5.26.0-1 [313 kB]

Get:4 http://httpredir.debian.org/debian stretch/main armhf chrony armhf 3.0-4+deb9u2 [198 kB]
[..]

Display More

Please remove the pinning for stretch (and please send me the pinning entry, so I can find a way to overwrite this in future situations). Then finish the broken installation of apt-show-versions using:

sudo apt-get -o Acquire::GzipIndexes=false update && sudo apt-get install -f

If that worked try to install openmediavault:

sudo apt-get install -t usul openmediavault

This should pull in OMV5. If it works reinstall omv-extras:

wget -qO- https://github.com/OpenMediaVault-Plugin-Developers/packages/raw/master/install | sudo bash

Then run the remaining upgrade scripts:

. inc/envvars

sudo run-parts -v --exit-on-error post.d

which hopefully succeed without any further error. Now you have to install openmediavault-flashmemory.

dci2u · Feb 9th 2021

I'm sorry, I'm not sure what change I need to make in the preferences.d directory (there was no preferences directory) to remove the offending pinning entry. I've attached the files from that folder for your reference. The only file I noticed with a 900 priority was the 99raspberrypiorg. pref_files.zip pref_files.zip

dleidert · Feb 9th 2021

Comment out (means: prefix each of the following lines with a #) in 99raspberrypiorg so it looks like this:

Code

#Package: *
#Pin: release n=stretch, origin httpredir.debian.org
#Pin-Priority: 900

This will remove the pin priority for stretch. Then proceed as suggested above.

dci2u · Feb 10th 2021

I continued to get installation errors after commenting out the lines in 99raspberrypiorg file. However, the messages led me to believe these were not fatal faults. I then tried to install omv5 but it also faulted out. I ended up installing a new copy of omv5 from scratch and it's back in service.

Bodenseematze · Feb 12th 2021

I also had / have problems when trying to upgrade from OMV 3 -> OMV4 -> OMV5
Upgrade from 3 to 4 works without problems, but after that I tried to do an upgrade from 4 to 5 with "openmediavault-upgrade-4.7"-script and that failed and left back an unusable system.

The original problem was that I imported a SSL certificate in OMV made by my own CA which seems to be too weak now:

Code

nginx: [emerg] SSL_CTX_use_certificate("/etc/ssl/certs/openmediavault-a39391e1-ca69-452a-b0b1-e31adeb24be4.crt") failed (SSL: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak)

After that I had a Debian buster system but still old OMV parts?!
I tried to solve it by changing nginx configuration, removing / purging / reinstalling packages, ... and a lot more.
My final situation is now, that "apt-get update; apt-get dist-upgrade" doesn't show any error anymore but the OMV part is not installed and I'm unable to install it because it complains about some "salt-minion" dependencies which it cannot solve:

Code

> apt-get --yes --auto-remove --show-upgraded --allow-downgrades --allow-change-held-packages --no-install-recommends --option Dpkg::Options::="--force-confdef" --option DPkg::Options::="--force-confold" install openmediavault
Reading package lists... Done
Building dependency tree
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 openmediavault : Depends: salt-minion (>= 3000.2) but 2018.3.4+dfsg1-6+deb10u2 is to be installed
E: Unable to correct problems, you have held broken packages.

Display More

Does anybody have any idea how to solve it?
What information / files from my system is/are needed to help me?

[EDIT]

I now did the following:
apt-get install -u -d -o Debug::pkgProblemResolver=true salt-minion=3002.2+ds-1 salt-common=3002.2+ds-1

and then

apt-get install -y --no-install-recommends --no-install-suggests -u -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" openmediavault

that seems to do the job - at least it installs something (I'll see if it completes it successfully later).

BTW (a bit OT): back to my original problem, that my CA's certificate is too weak - is it possible to change that without to regenerate all my existing certificates which are signed by this CA?

[EDIT2]

it still has configure problems (now with lvm2):

Code

Setting up samba-common-bin (2:4.9.5+dfsg-5+deb10u1) ...
Checking smb.conf with testparm
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Server role: ROLE_STANDALONE

Done
Setting up samba (2:4.9.5+dfsg-5+deb10u1) ...
Samba is not being run as an AD Domain Controller: Masking samba-ad-dc.service
Please ignore the following error about deb-systemd-helper not finding those services.
(samba-ad-dc.service already masked)
Failed to preset unit: Unit file /etc/systemd/system/samba-ad-dc.service is masked.
/usr/bin/deb-systemd-helper: error: systemctl preset failed on samba-ad-dc.service: No such file or directory
Setting up wsdd (0.6.2-1) ...
Setting up liblvm2cmd2.03:amd64 (2.03.02-3) ...
Setting up dmeventd (2:1.02.155-3) ...
dm-event.service is a disabled or a static unit not running, not starting it.
Setting up lvm2 (2.03.02-3) ...
update-initramfs: deferring update (trigger activated)
Failed to restart lvm2-lvmpolld.service: Unit lvm2-lvmpolld.socket is masked.
invoke-rc.d: initscript lvm2-lvmpolld, action "restart" failed.
● lvm2-lvmpolld.service - LVM2 poll daemon
   Loaded: loaded (/lib/systemd/system/lvm2-lvmpolld.service; static; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:lvmpolld(8)
dpkg: error processing package lvm2 (--configure):
 installed lvm2 package post-installation script subprocess returned error exit status 1
dpkg: dependency problems prevent configuration of openmediavault:
 openmediavault depends on lvm2; however:
  Package lvm2 is not configured yet.

dpkg: error processing package openmediavault (--configure):
 dependency problems - leaving unconfigured
Processing triggers for libc-bin (2.28-10) ...
Processing triggers for rsyslog (8.1901.0-1) ...
Processing triggers for systemd (241-7~deb10u6) ...
Processing triggers for man-db (2.8.5-2) ...
Processing triggers for dbus (1.12.20-0+deb10u1) ...
Processing triggers for initramfs-tools (0.133+deb10u1) ...
update-initramfs: Generating /boot/initrd.img-4.19.0-14-amd64
Errors were encountered while processing:
 lvm2
 openmediavault
E: Sub-process /usr/bin/dpkg returned an error code (1)

Display More

dleidert · Feb 12th 2021

Quote from Bodenseematze
After that I had a Debian buster system but still old OMV parts?!
I tried to solve it by changing nginx configuration, removing / purging / reinstalling packages, ... and a lot more.
My final situation is now, that "apt-get update; apt-get dist-upgrade" doesn't show any error anymore but the OMV part is not installed and I'm unable to install it because it complains about some "salt-minion" dependencies which it cannot solve:
Code
> apt-get --yes --auto-remove --show-upgraded --allow-downgrades --allow-change-held-packages --no-install-recommends --option Dpkg::Options::="--force-confdef" --option DPkg::Options::="--force-confold" install openmediavault
Reading package lists... Done
Building dependency tree
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 openmediavault : Depends: salt-minion (>= 3000.2) but 2018.3.4+dfsg1-6+deb10u2 is to be installed
E: Unable to correct problems, you have held broken packages.
Display More
Does anybody have any idea how to solve it?
What information / files from my system is/are needed to help me?

That's caused by temporarily setting APT::Default-Release. Because OMV provides its own release names it is not pinned by APT::Default-Release as well. So the scripts install OMV by explicitely using -t usul:

sudo apt-get install -t usul openmediavault

I'm working on an improvement which will use pinning instead.

Quote from Bodenseematze
The original problem was that I imported a SSL certificate in OMV made by my own CA which seems to be too weak now:
Code
nginx: [emerg] SSL_CTX_use_certificate("/etc/ssl/certs/openmediavault-a39391e1-ca69-452a-b0b1-e31adeb24be4.crt") failed (SSL: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak)
BTW (a bit OT): back to my original problem, that my CA's certificate is too weak - is it possible to change that without to regenerate all my existing certificates which are signed by this CA?

https://www.debian.org/release….en.html#openssl-defaults maybe?

Although I would recommend to harden your certificate.

Quote from Bodenseematze

[EDIT2]

it still has configure problems (now with lvm2):

Code

Setting up lvm2 (2.03.02-3) ...
update-initramfs: deferring update (trigger activated)
Failed to restart lvm2-lvmpolld.service: Unit lvm2-lvmpolld.socket is masked.
invoke-rc.d: initscript lvm2-lvmpolld, action "restart" failed.
● lvm2-lvmpolld.service - LVM2 poll daemon
   Loaded: loaded (/lib/systemd/system/lvm2-lvmpolld.service; static; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:lvmpolld(8)
dpkg: error processing package lvm2 (--configure):
 installed lvm2 package post-installation script subprocess returned error exit status 1
dpkg: dependency problems prevent configuration of openmediavault:
 openmediavault depends on lvm2; however:
  Package lvm2 is not configured yet.

dpkg: error processing package openmediavault (--configure):
 dependency problems - leaving unconfigured

Display More

You should find out what the problem is: sudo systemctl status lvm2, sudo journalctl -xe. Also the log files may contain useful information.

Bodenseematze · Feb 19th 2021

ySorry to be such late with my reaction - I had no time for the OMV server lately

Here are the outputs / logs - there are still a lot failures, but they don't seem to be related with lvm?!

# systemctl status lvm2

● lvm2.service

Loaded: masked (Reason: Unit lvm2.service is masked.)

Active: inactive (dead)

Logfile of journalctl -xe is attached, relevant entries from syslog also...

Quote from dleidert

https://www.debian.org/release….en.html#openssl-defaults maybe?

Although I would recommend to harden your certificate.

Yes, I also would like to do that - harden the certificate of my internal CA - but how do I do this without the need to regenerate all my certificates which all have already be signed by that CA?

dleidert · Feb 19th 2021

Quote from Bodenseematze

Here are the outputs / logs - there are still a lot failures, but they don't seem to be related with lvm?!
[..]
Logfile of journalctl -xe is attached, relevant entries from syslog also...

I find it quite hard to help you. The upgrade scripts bailed out very early in the minimal upgrade scripts. Then instead of setting the openssl defaults back or asking how to deal with the situation you tried to solve the certificate issue by pondering around with package removals and (re)installations?! I have no idea in which state the system is, or if any of the scripts run after run.d/50-apt-upgrade have been run at all. I think it is salvageable. I'll send you a DM later.

Quote from Bodenseematze

Yes, I also would like to do that - harden the certificate of my internal CA - but how do I do this without the need to regenerate all my certificates which all have already be signed by that CA?

Well, the truth probably is: you can't. If the certificates use algorithms, ciphers, or key lengths considered too weak they have to be regenerated.

Upgrade Scripts for non-interactive major release upgrades (2->3, 3->4, 4->5)

Post by kkottikas (Thursday, 11:38 am).

Participate now!