Bullseye upgrade and connectivity issues

Hello everyone,

Nothing works anymore since my attempt to move to Bullseye.
On a Lime1, I have:

# yunohost --version
yunohost: 
  repo: stable
  version: 4.4.2.1
yunohost-admin: 
  repo: stable
  version: 4.4.1
moulinette: 
  repo: stable
  version: 4.4.1
ssowat: 
  repo: stable
  version: 4.4.1
#  lsb_release -a
No LSB modules are available.
Distributor ID:	Debian
Description:	Debian GNU/Linux 11 (bullseye)
Release:	11
Codename:	bullseye

But …

`# yunohost diagnosis show --issue
reports: 
  0: 
    description: Internet connectivity
    id: ip
    items: 
      details: Having a working IPv6 is not mandatory for your server to work, but it is better for the health of the Internet as a whole. IPv6 should usually be automatically configured by the system or your provider if it's available. Otherwise, you might need to configure a few things manually as explained in the documentation here: https://yunohost.org/#/ipv6. If you cannot enable IPv6 or if it seems too technical for you, you can also safely ignore this warning.
      status: WARNING
      summary: The server does not have working IPv6.
  1: 
    description: Ports exposure
    id: ports
    items: 
      0: 
        details: 
          - Exposing this port is needed for email features (service postfix)
          - To fix this issue, you most probably need to configure port forwarding on your internet router as described in https://yunohost.org/isp_box_config
        status: ERROR
        summary: Port 25 is not reachable from outside.
      1: 
        details: 
          - Exposing this port is needed for email features (service postfix)
          - To fix this issue, you most probably need to configure port forwarding on your internet router as described in https://yunohost.org/isp_box_config
        status: ERROR
        summary: Port 587 is not reachable from outside.
      2: 
        details: 
          - Exposing this port is needed for email features (service dovecot)
          - To fix this issue, you most probably need to configure port forwarding on your internet router as described in https://yunohost.org/isp_box_config
        status: ERROR
        summary: Port 993 is not reachable from outside.
      3: 
        details: 
          - Exposing this port is needed for [?] features (service ssh)
          - To fix this issue, you most probably need to configure port forwarding on your internet router as described in https://yunohost.org/isp_box_config
        status: ERROR
        summary: Port 1532 is not reachable from outside.
      4: 
        details: 
          - Exposing this port is needed for xmpp features (service metronome)
          - To fix this issue, you most probably need to configure port forwarding on your internet router as described in https://yunohost.org/isp_box_config
        status: ERROR
        summary: Port 5222 is not reachable from outside.
      5: 
        details: 
          - Exposing this port is needed for xmpp features (service metronome)
          - To fix this issue, you most probably need to configure port forwarding on your internet router as described in https://yunohost.org/isp_box_config
        status: ERROR
        summary: Port 5269 is not reachable from outside.
      6: 
        details: 
          - Exposing this port is needed for [?] features (service syncthing)
          - To fix this issue, you most probably need to configure port forwarding on your internet router as described in https://yunohost.org/isp_box_config
        status: ERROR
        summary: Port 22000 is not reachable from outside.
  2: 
    description: Email
    id: mail
    items: 
      0: 
        details: 
          - You should first try to unblock outgoing port 25 in your internet router interface or your hosting provider interface. (Some hosting provider may require you to send them a support ticket for this).
          - Some providers won't let you unblock outgoing port 25 because they don't care about Net Neutrality.
 - Some of them provide the alternative of using a mail server relay though it implies that the relay will be able to spy on your email traffic.
- A privacy-friendly alternative is to use a VPN *with a dedicated public IP* to bypass this kind of limits. See https://yunohost.org/#/vpn_advantage
- You can also consider switching to a more net neutrality-friendly provider
        status: ERROR
        summary: The SMTP mail server cannot send emails to other servers because outgoing port 25 is blocked in IPv4.
      1: 
        details: Could not open a connection on port 25 to your server in IPv4. It appears to be unreachable.
1. The most common cause for this issue is that port 25 is not correctly forwarded to your server.
2. You should also make sure that service postfix is running.
3. On more complex setups: make sure that no firewall or reverse-proxy is interfering.
        status: ERROR
        summary: The SMTP mail server is unreachable from the outside on IPv4. It won't be able to receive emails.
      2: 
        details: 
          - Current reverse DNS: 77.109.97.197.adsl.dyn.edpnet.net
Expected value: harpo-bzh.nohost.me
          - You should first try to configure the reverse DNS with harpo-bzh.nohost.me in your internet router interface or your hosting provider interface. (Some hosting provider may require you to send them a support ticket for this).
          - Some providers won't let you configure your reverse DNS (or their feature might be broken...). If you are experiencing issues because of this, consider the following solutions:
 - Some ISP provide the alternative of using a mail server relay though it implies that the relay will be able to spy on your email traffic.
- A privacy-friendly alternative is to use a VPN *with a dedicated public IP* to bypass this kind of limits. See https://yunohost.org/#/vpn_advantage
- Or it's possible to switch to a different provider
        status: ERROR
        summary: The reverse DNS is not correctly configured in IPv4. Some emails may fail to get delivered or may get flagged as spam.
      3: 
        details: 
          - The blacklist reason is: "http://www.barracudanetworks.com/reputation/?pr=1&ip=77.109.97.197"
          - After identifying why you are listed and fixed it, feel free to ask for your IP or domaine to be removed on https://barracudacentral.org/rbl/
        status: ERROR
        summary: Your IP or domain 77.109.97.197 is blacklisted on Barracuda Reputation Block List
      4: 
        details: 
          - The blacklist reason is: "SPAMRATS IP Addresses See: http://www.spamrats.com/bl?77.109.97.197"
          - After identifying why you are listed and fixed it, feel free to ask for your IP or domaine to be removed on http://www.spamrats.com/
        status: ERROR
        summary: Your IP or domain 77.109.97.197 is blacklisted on SpamRATS! all
  3: 
    description: Services status check
    id: services
    items: 
      0: 
        details: You can try to restart the service, and if it doesn't work, have a look at the service logs in the webadmin (from the command line, you can do this with 'yunohost service restart fail2ban' and 'yunohost service log fail2ban').
        status: ERROR
        summary: Service fail2ban is failed :(
      1: 
        details: You can try to restart the service, and if it doesn't work, have a look at the service logs in the webadmin (from the command line, you can do this with 'yunohost service restart ynh-vpnclient' and 'yunohost service log ynh-vpnclient').
        status: ERROR
        summary: Service ynh-vpnclient is failed :(
      2: 
        details: You can try to restart the service, and if it doesn't work, have a look at the service logs in the webadmin (from the command line, you can do this with 'yunohost service restart yunohost-firewall' and 'yunohost service log yunohost-firewall').
        status: ERROR
        summary: Service yunohost-firewall is failed :(
  4: 
    description: System configurations
    id: regenconf
    items: 
      0: 
        details: This is probably OK if you know what you're doing! YunoHost will stop updating this file automatically... But beware that YunoHost upgrades could contain important recommended changes. If you want to, you can inspect the differences with 'yunohost tools regen-conf dnsmasq --dry-run --with-diff' and force the reset to the recommended configuration with 'yunohost tools regen-conf dnsmasq --force'
        status: WARNING
        summary: Configuration file /etc/resolv.dnsmasq.conf appears to have been manually modified.
      1: 
        details: This is probably OK if you know what you're doing! YunoHost will stop updating this file automatically... But beware that YunoHost upgrades could contain important recommended changes. If you want to, you can inspect the differences with 'yunohost tools regen-conf ssh --dry-run --with-diff' and force the reset to the recommended configuration with 'yunohost tools regen-conf ssh --force'
        status: WARNING
        summary: Configuration file /etc/ssh/sshd_config appears to have been manually modified.
      2: 
        details: This is probably OK if you know what you're doing! YunoHost will stop updating this file automatically... But beware that YunoHost upgrades could contain important recommended changes. If you want to, you can inspect the differences with 'yunohost tools regen-conf ssl --dry-run --with-diff' and force the reset to the recommended configuration with 'yunohost tools regen-conf ssl --force'
        status: WARNING
        summary: Configuration file /usr/share/yunohost/yunohost-config/ssl/yunoCA/openssl.cnf appears to have been manually modified.`

With…

# systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
     Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Mon 2022-08-29 14:06:17 UTC; 8min ago
       Docs: man:fail2ban(1)
    Process: 727 ExecStartPre=/bin/mkdir -p /run/fail2ban (code=exited, status=0/SUCCESS)
    Process: 854 ExecStart=/usr/bin/fail2ban-server -xf start (code=exited, status=255/EXCEPTION)
   Main PID: 854 (code=exited, status=255/EXCEPTION)
        CPU: 2.329s
root@MonServeur:/home/Userssh# systemctl status ynh-vpnclient
● ynh-vpnclient.service - YunoHost VPN Client.
     Loaded: loaded (/etc/systemd/system/ynh-vpnclient.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Mon 2022-08-29 14:12:58 UTC; 2min 19s ago
    Process: 4114 ExecStart=/usr/local/bin/ynh-vpnclient start (code=exited, status=1/FAILURE)
   Main PID: 4114 (code=exited, status=1/FAILURE)
        CPU: 4.401s
root@MonServeur:/home/Userssh# systemctl status yunohost-firewall
● yunohost-firewall.service - YunoHost Firewall
     Loaded: loaded (/lib/systemd/system/yunohost-firewall.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Mon 2022-08-29 14:06:25 UTC; 9min ago
    Process: 816 ExecStart=/usr/bin/yunohost firewall reload (code=exited, status=1/FAILURE)
   Main PID: 816 (code=exited, status=1/FAILURE)
        CPU: 3.522s

I'm not quite sure where to start with these little problems.
:stuck_out_tongue_winking_eye:
If you have any leads, don't hesitate!

Thanks in advance!

Here is what this gives:

# yunohost service restart fail2ban

/var/log is full again!
:-/

with hundreds of lines like:

-rw-r----- 1 root systemd-journal     256 Aug 29 14:07 user-1000@0005e761c8b65b06-2b32bae4259ee745.journal~

When I try to restart the firewall, I get a mile-long error report with, for example:

Message: 'Could not restart the service \'yunohost-firewall\'\n\nRecent service logs:\x1b[0;1;38;5;185mJournal file /var/log/journal/b0e4ef9d3a924ca9912091e75c532e2c/system.journal is truncated

As usual, I still don't understand why people don't follow the support template, which asks for the usual information … Like here, I need to know whether you have access to the webadmin, and I don't know

In that case, can we have the full log of the migration to Bullseye, which apparently went badly

> As usual, I still don't understand why people don't follow the support template, which asks for the usual information … Like here, I need to know whether you have access to the webadmin, and I don't know

Hello Aleks. I hadn't checked that point, since I went through a period where I no longer had access to the webmin, then no access to anything. Even my usual logins were refused.
I unblocked the situation using screen and a serial cable, as described here: Utiliser un câble série | Neutrinet
I was able to restart dnsmasq, rspamd and redis-server, for a recurring permissions problem. See: Services rspamd et redis-server hors service - #7 by aoz

I have just checked that I have access to the webadmin again.

To come back to the origin of my troubles, I could not exit the migration properly because of a /var/log/ problem, as I explained here: No Space left on device, systemd qui bégaie

`# ls -l /var/log/journal/b0e4ef9d3a924ca9912091e75c532e2c` gives me an endless number of small 256 kB temporary files that fill up the directory.

`# df -h` gives me `armbian-ramlog 50M 50M 0 100% /var/log`

Here is what the diagnosis currently gives: https://paste.yunohost.org/raw/utatufesiv

I have 443 emails pending, which are probably alert messages saying that my system is in a bad way! :crazy_face:

Thank you @Aleks for helping me put a bit of order back into my little brick.

The VPN service and the firewall do not start because of the lack of space: OSError: [Errno 28] No space left on device

The systemd journal is truncated.

Here is what `# journalctl --verify` gives

Mouarf, so yeah, it's armbian being a pain by making a partition of only 50 MB for /var/log … So you need to find “big and useless” things that can be deleted …

If you can, do an apt install ncdu

Then ncdu /var/log to get an interactive interface to navigate the tree and see what is taking up space (and q to quit)

I have 47 MiB for /journal with 1600 temporary files system@ ----.journal~ in /b0e4ef9d3a924ca9912091e75c532e2c/ which are 4 KiB each.
I also have 2 temporary files of 8 MiB and 3 .journal files of 8 MiB
I have about fifteen user- ... .journal~ files of 4 KiB

In short, nothing really big but lots of little droppings. As for knowing what is useful or not, I don't know how to find out.

How can one get a reasonably clean /var/log/journal/trucbazar/?

On a Stack Overflow thread, I found this command to keep only the X “most recent” MB:

sudo journalctl --vacuum-size=10M

Also, for the future, the thread mentions that `grep 'SystemMaxUse' /etc/systemd/journald.conf` shows a parameter that lets you set the limit for journalctl logs? (we or armbian would need to configure that …)

My concern is rather that there are lots of small files, more than 1600!

Can I clean up these small files with something like:

journalctl --vacuum-size<5ko

Another lead: is there a way to boot without the system updating the journal, so as to fix whatever causes this accumulation of small active journals that take up all the space?

From what I understand of the command, the --vacuum-size argument does not mean “delete all files that have a size of X”, it means “keep at most X MB of logs in total”, hence my suggestion of --vacuum-size=10M
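
An added example, not written by the thread's participants or by YunoHost, for the two points above (`--vacuum-size` keeps a total, and `SystemMaxUse` caps it for the future): it counts the `.journal~` files in a journal directory, sums journal usage, and prints a journald drop-in with a cap. The sample directory, the 100 KiB threshold, the 20M cap and the drop-in file name are constructed values.

```shell
#!/bin/sh
# Added example: measure a journald directory and emit a size cap.
# Sample files, thresholds and the drop-in file name are assumptions.

# Number of files ending in .journal~ under DIR.
count_unclean() {
    find "$1" -type f -name '*.journal~' | wc -l | tr -d ' '
}

# Total size, in KiB rounded down, of *.journal and *.journal~ files under DIR.
journal_usage_kib() {
    LC_ALL=C find "$1" -type f \( -name '*.journal' -o -name '*.journal~' \) \
        -exec wc -c {} + 2>/dev/null |
        awk '$2 != "total" { sum += $1 } END { printf "%d\n", sum / 1024 }'
}

# Succeeds when journal usage under DIR exceeds LIMIT_KIB.
over_cap() {
    [ "$(journal_usage_kib "$1")" -gt "$2" ]
}

# Drop-in text for e.g. /etc/systemd/journald.conf.d/size.conf (name assumed);
# journald reads it after 'systemctl restart systemd-journald'.
render_dropin() {
    printf '[Journal]\nSystemMaxUse=%s\n' "$1"
}

# Constructed sample: 20 small .journal~ files of 4 KiB and one 256 KiB journal,
# a scaled-down picture of the directory described in the thread.
make_sample() {
    i=1
    while [ "$i" -le 20 ]; do
        dd if=/dev/zero of="$1/system@constructed-$i.journal~" bs=1024 count=4 2>/dev/null
        i=$((i + 1))
    done
    dd if=/dev/zero of="$1/system.journal" bs=1024 count=256 2>/dev/null
}

# Demo on the constructed sample; on a real host pass /var/log/journal instead.
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
echo "files ending in .journal~: $(count_unclean "$demo_dir")"
echo "journal usage: $(journal_usage_kib "$demo_dir") KiB"
if over_cap "$demo_dir" 100; then
    echo "over the cap: run 'journalctl --vacuum-size=10M', then install:"
    render_dropin 20M
fi
rm -rf "$demo_dir"
```

The count of small files matters less than the total: `--vacuum-size` and `SystemMaxUse` both act on the summed size, which is what fills a 50M /var/log.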

Warf! It freed 39.4M and created a backup archive. :slight_smile:

We'll (perhaps) be able to start sorting out the mess.
:+1:

For the VPN:

# yunohost service restart ynh-vpnclient
Job for ynh-vpnclient.service failed because the control process exited with error code.
See "systemctl status ynh-vpnclient.service" and "journalctl -xe" for details.
Warning: Could not execute the command 'systemctl restart ynh-vpnclient'
Error: Could not restart the service 'ynh-vpnclient'
Aug 31 15:36:31 ynh-vpnclient[29220]: 2022-08-31 15:36:31 ERROR: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)
Aug 31 15:36:31 ynh-vpnclient[29220]: 2022-08-31 15:36:31 Exiting due to fatal error

For the firewall:

# yunohost service restart yunohost-firewall

Job for yunohost-firewall.service failed because the control process exited with error code.
See "systemctl status yunohost-firewall.service" and "journalctl -xe" for details.
Warning: Could not execute the command 'systemctl restart yunohost-firewall'
Error: Could not restart the service 'yunohost-firewall'
Aug 31 15:42:01 yunohost[29829]: You cannot play with iptables here. You are either in a container or your kernel does not support it
Aug 31 15:42:01 yunohost[29829]: You cannot play with ip6tables here. You are either in a container or your kernel does not support it
Aug 31 15:42:01 yunohost[29829]: Could not reload the firewall

Should I attempt the migration now, with a diagnosis like this one?

https://paste.yunohost.org/raw/ewarajoyof

Well, mouarf, yes, in absolute terms I'd say the problem with the VPN / firewall won't prevent the migration from running

Aug 31 15:42:01 yunohost[29829]: You cannot play with iptables here. You are either in a container or your kernel does not support it
Aug 31 15:42:01 yunohost[29829]: You cannot play with ip6tables here. You are either in a container or your kernel does not support it

This thing is weird, maybe the kernel was updated recently and there was no reboot or something like that? (I never manage to understand what causes this problem)

They're waiting for me for the aperitif, so I'm launching the re-migration from the webadmin.

:poop:

:beers: !

Hic…
The migration went through but I had to restart php.7.0

# yunohost service restart php7.0-fpm

PostgreSQL is causing problems. The service is failed and if I restart it

# yunohost service restart postgresql
Success! Service 'postgresql' restarted

and the diagnosis still shows it in error.

If I go back to migrations in the webadmin, the migration of PostgreSQL 11 to 13 is pending.

# yunohost service status

gives me:

postgresql: 
  configuration: unknown
  description: Stores app data (SQL database)
  last_state_change: 1970-01-01 00:00:00
  start_on_boot: enabled
  status: dead
ynh-vpnclient: 
  configuration: unknown
  description: Tunnels the internet traffic through a VPN
  last_state_change: 2022-08-31 18:34:47
  start_on_boot: enabled
  status: failed
yunohost-firewall: 
  configuration: unknown
  description: Manages open and close connection ports to services
  last_state_change: 2022-08-31 15:42:02
  start_on_boot: enabled
  status: failed

# apt update && apt dist-upgrade

informs me that there are packages to “autoremove” but goes through smoothly.

As for the applications, with the PostgreSQL problem, Noalyss doesn't go through.

For Roundcube, it goes through but:

W: Failed to fetch http://forge.yunohost.org/debian/dists/bullseye/InRelease Cannot initiate the connection to forge.yunohost.org:80 (2001:910:1410::1). - connect (101: Network is unreachable) Could not connect to forge.yunohost.org:80 (80.67.172.144), connection timed out
W: Some index files failed to download. They have been ignored, or old ones used instead.

I'm shutting down and we'll see tomorrow evening.

Thank you @Aleks!

Well.
I restart the little brick: No route to host

No access with the usual address. Why did it change? I don't know.

`sudo arp-scan --local` gives me another address, where I get the message connection refused

:frowning:

One day later, after a reboot, the IP address is operational again.
I find /var/log/journal/ saturated again.
I apply the panacea `# journalctl --vacuum-size=10M`
And we are back to the previous step.

https://paste.yunohost.org/raw/etecidukin

What should be done to fix these various problems?

Thanks!

I'm not making much progress.

Otherwise, the command `# systemctl --failed` gives me:

  UNIT                         LOAD   ACTIVE SUB    DESCRIPTION
● haveged.service              loaded failed failed Entropy Daemon based on the>
● logrotate.service            loaded failed failed Rotate log files
● systemd-modules-load.service loaded failed failed Load Kernel Modules
● user@1000.service            loaded failed failed User Manager for UID 1000
● ynh-vpnclient.service        loaded failed failed YunoHost VPN Client.
● yunohost-firewall.service    loaded failed failed YunoHost Firewall

LOAD   = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB    = The low-level unit activation state, values depend on unit type.
6 loaded units listed.

Could this help to see what is stuck?

Thanks a thousand times!
