• release-notes: no new ssh connections during upgrade

    From Paul Gevers@21:1/5 to All on Fri Aug 6 18:00:01 2021

    Hi,

    Please find attached my proposal for the release notes to cover bug #990069.

    Disclaimer: I (or somebody else) still have (has) to verify that the
    procedure works as intended. One can clearly start a very limited
    upgrade with only openssh-server, but what needs checking is that:
    a) ssh login works after the partial upgrade
    b) with openssh-server upgraded, the downtime for accepting new
    connections is greatly reduced.

    Paul

    From 6f71007b1c0bf282dc3a9a17c5b958b1489e9ace Mon Sep 17 00:00:00 2001
    From: Paul Gevers <elbrus@debian.org>
    Date: Fri, 6 Aug 2021 17:50:07 +0200
    Subject: [PATCH] issues.dbk: no new ssh connections possible during upgrade

    Bug: #990069
    ---
    en/issues.dbk | 15 +++++++++++++++
    1 file changed, 15 insertions(+)

    diff --git a/en/issues.dbk b/en/issues.dbk
    index d3386a9b..9b0687a2 100644
    --- a/en/issues.dbk
    +++ b/en/issues.dbk
    @@ -539,6 +539,21 @@ data = ${lookup{$local_part}lsearch{/some/path/$domain_data/aliases}}
    </para>
    </section>

    + <section id="ssh-not-available">
    + <title>No new ssh connections possible during upgrade</title>
    + <para>
    + Due to unfortunate circumstances it's not possible to establish
    + new <command>ssh</command> connections for a bigger part of the
    + upgrade than during previous release upgrades. As usual,
    + existing connections should continue to work, but if the upgrade
    + is done over <command>ssh</command> and the
    + <command>ssh</command> connection is not trusted to last for the
    + full upgrade period, it's adviced to upgrade <systemitem
    + role="package">openssh-server</systemitem> before upgrading the
    + full system.
    + </para>
    + </
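
    Review bot: The new paragraph ends by telling the reader to upgrade openssh-server "before upgrading the full system", but it gives neither the command for that partial upgrade nor a step to confirm that a new SSH login succeeds before the full upgrade starts. Add both, since the cover message states that the procedure still has to be verified on exactly those two points. In the same paragraph, "adviced" should be "advised", and "Due to unfortunate circumstances" gives the reader no cause and no pointer to the bug, so either name the reason or drop the phrase.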
  • From Justin B Rye@21:1/5 to Paul Gevers on Fri Aug 6 19:30:01 2021
    Paul Gevers wrote:
    Please find attached my proposal for the release notes to cover bug #990069.

    Disclaimer: I (or somebody else) still have (has) to verify that the
    procedure works as intended. One can clearly start a very limited
    upgrade with only openssh-server, but what needs checking is that:
    a) ssh login works after the partial upgrade
    b) with openssh-server upgraded, the downtime for accepting new
    connections is greatly reduced.

    Unfortunately my own testing facilities are currently limited until
    replacement parts arrive for my testbed machine...

    + <section id="ssh-not-available">
    + <title>No new ssh connections possible during upgrade</title>
    ^^^
    I think the protocol (as opposed to the executable) should be "SSH";
    if convenient we might even want to say "Secure Shell (SSH)" the first
    time we refer to it in the body.

    I was considering changing the title to
    <title>No new connections possible during SSH upgrade</title>
    since some parts of the dist-upgrade process are perfectly safe, but
    apparently it's more complicated than that.

    + <para>
    + Due to unfortunate circumstances it's not possible to establish
    + new <command>ssh</command> connections for a bigger part of the

    I'd like to avoid "big(ger) part" for a period of time.

    + upgrade than during previous release upgrades. As usual,
    + existing connections should continue to work, but if the upgrade
    + is done over <command>ssh</command> and the
    + <command>ssh</command> connection is not trusted to last for the

    Express the "trust" part in terms of a risk of interruption rather
    than a fear of betrayal.

    + full upgrade period, it's adviced to upgrade <systemitem
    ^
    "Advised" (and not "-ized" even in en_US), except that "it's advised"
    seems somehow more impersonal than "it's recommended/suggested" (other
    approaches: "it's advisable", "you're advised").

    + role="package">openssh-server</systemitem> before upgrading the
    + full system.
    + </para>
    + </section>

    Thinking about the overall structure, it might work better to move the
    "good news" part to the start...

    <section id="ssh-not-available">
    <title>No new SSH connections possible during upgrade</title>
    <para>
    Although existing Secure Shell (SSH) connections should continue to
    work through the upgrade as usual, due to unfortunate circumstances
    the period when new SSH connections cannot be established is longer
    than usual. If the upgrade is being carried out over an SSH
    connection which might be interrupted, it's recommended to upgrade
    <systemitem role="package">openssh-server</systemitem> before
    upgrading the full system.
    </para>
    --
    JBR with qualifications in linguistics, experience as a Debian
    sysadmin, and probably no clue about this particular package

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Paul Gevers@21:1/5 to Justin B Rye on Fri Aug 6 19:40:01 2021

    Hi Justin, all,

    On 06-08-2021 19:23, Justin B Rye wrote:
    Thinking about the overall structure, it might work better to move the
    "good news" part to the start...

    <section id="ssh-not-available">
    <title>No new SSH connections possible during upgrade</title>
    <para>
    Although existing Secure Shell (SSH) connections should continue to
    work through the upgrade as usual, due to unfortunate circumstances
    the period when new SSH connections cannot be established is longer
    than usual. If the upgrade is being carried out over an SSH
    connection which might be interrupted, it's recommended to upgrade
    <systemitem role="package">openssh-server</systemitem> before
    upgrading the full system.
    </para>

    I like this. Thanks for the review (and major overhaul).

    Regarding part a): ssh works when only openssh-server (and required dependencies) are upgraded.

    Paul

