Update - when to panic?

I thought I’d do the same, but ended up with a server failing to serve any web pages (including the Plinth webUI) despite the apache2 service running. I had to restore from an evening snapshot of the server (an AWS Lightsail snapshot, not the FreedomBox backup).

During the manual upgrade ($ sudo apt update && sudo apt upgrade) I had to answer several prompts involving LDAP-related prompts (nslcd, libnss-ldapd) for which I just hit ‘Enter’, accepting the defaults, and hoped for the best. Some of these changes involved:

  • Configuring nslcd
    • LDAP sever URI : I accepted the default ldapi:/// .
  • Configuring nslcd
    • LDAP server search base: I accepted the default dc=thisbox .
  • Configuring popularity-contest
    • Participate in the package usage survey?: I accepted the default <No>.
  • Configuring libnss-ldapd
    • Name services to configure:: I kept the default choices selected:
      • [*] passwd
      • [*] group
      • [*] shadow
      • Note: Various error messages following the failed upgrade appear in journalctl logs mention nslcd and passwd which weren’t present in such logs prior to the upgrade attempt. I don’t know what to make of them.

I did get prompts for accepting or rejecting changes to configuration files I’d modified:

  • /etc/ssh/sshd_config. I accepted the package maintainer version. Some changes I noticed were:
    • PasswordAuthentication no: to disable password authentication, a change I remember making.
    • StreamLocalBindUnlink yes: to enable GnuPG Agent Forwarding; not essential to login via SSH; the change was one I made for the convenience of signing git commits with my local OpenPGP smartcard.
    • TrustedUserCAKeys /etc/ssh/lightsail_instance_ca.pub: Not my modification; a change I believe was already present in the Debian image I booted the AWS Lightsail instance from before installing the freedombox package back in 2022-05.
  • /etc/firewalld/firewalld.conf: I don’t believe I had ever touched this, so I just accepted the package maintainer version which contained, among other changes, a removal of AllowZoneDrifting=no and change of DefaultZone=external to DefaultZone=public.

At some point, failing to see the package freedombox get upgraded due to a hold, I decided to risk running $ sudo apt-mark unhold freedombox && sudo apt upgrade -y; I only did this because I had a recent backup of the entire server; the result was the Plinth webUI failing to start, and no apache2 pages being served (despite the # systemctl status apache2.service showing the service was running) despite being able to login via SSH.

After about half an hour of not seeing any significant CPU work, I decided to restore from an evening snapshot taken by Lightsail prior to the update; after starting the snapshot in a new machine instance, I unchecked the “Enable auto-update to next stable release” option in the System > Software Update section; now I’m waiting to see dust settle here on this forum before I make another upgrade attempt.

1 Like