Support Debian 12 "Bookworm"

[alexAubin]

⚠️ Thread policy : following past traumas, we will not hesitate to remove any comment which do not add anything constructive on making progress with this, such as asking "Any update on this ?", "What is the ETA ?", "Bookworm is soon to be released", "Bookworm has been release for X days zomg 1!?!!", etc. We are a volunteer team, we will release stuff when it's stable, and you are welcome to effectively help us getting shit done, but for the love of god don't pressure volunteers as if they owe you something

---

Relevant links

• What's new in Bookworm (doesnt seem super up to date, the version table thingy seems to be copypasta from Bullseye)
  • Expect Python 3.11, PHP 8.2, Postgresql 15
• List of pending blocking issues for Debian Bookworm release
• Issues/changes to be aware of for bookworm
• Debian 12 Bookworm's Installer Updated To Better Handle Non-Free Firmware
• Bookworm release expected on June 10th
• Github project to track the progess

Core TODO

• Spin a bookworm LXC container, try to build/install YunoHost in it, fix shit until it kind of works
• Adapt the .deb build chain to build and serve bookworm builds
• Adapt the install script
• Make the bookworm branch pass test on the CI
• Look at https://ssl-config.mozilla.org/ to check if some configs should be upgraded with the new softwares and openssl version, among
  • nginx,
  • ssh, https://infosec.mozilla.org/guidelines/openssh
  • dovecot, needs to add a 'modern' config https://ssl-config.mozilla.org/#server=dovecot&version=2.3.19.1&config=modern&openssl=3.0.8&guideline=5.6, -> but this is kinda a "new feature", not really mandatory to have it integrated ...
  • postfix
  • ???
• Look for old legacy stuff in the core that can be dropped out
• Add backup/restore test for archives from the 11.x era
• Should check carefully the new default configs for every major service to check if there are new important options or default stuff (typically fail2ban)
• Extensive checks of all the major features
  • Certificate install
  • Diagnosis
  • Firewall
  • Fail2ban rules for ssowat, yunohost-api
  • Email send and receive, + dovecot
  • Specific apps like vpnclient + hotspot
  • ???
• Wait for Debian Bookworm to actually be released as stable by the Debian project wink (early July ? idk, check the dev announce ML)
• Release as alpha, ... beta, ...
• Build new images for x86, RPi, armbian
• rspamd/openDKIM? we want to remove rspamd but rspamd is responsible to sign emails with DKIM
  • decide if we remove rspamd
  • if we remove it, use openDKIM to do DKIM signatures for emails

Major stuff to change in YunoHost ?

• Remove php, mysql and metronome from default installs (they are actually only in 'Recommends' since bullseye)
• Switch to aptitude instead of apt, at least for the migration procedure, to avoid all the apt/dpkg hell being absolutly stupid at resolving complex situations ...

Bullseye -> Bookworm support

• Implement the general migration (in a migrate_to_bookworm branch, to be merged in dev = current bullseye branch)
  • Draft: Bullseye->Bookworm migration yunohost#1759
• Implement the php migration (in the bookworm branch)
  • actually we could very well not have a php migration because nowadays Sury offers way more flexibility (every php versions from 5.6 to 8.3 can be installed even from Bookworm) and most apps are already using PHP8.x, only a handful are still using 7.x)
• Implement the postgresql migration (in the bookworm branch)
• We'll probably want the "rebuild Python venv" thing too
• Test the whole "basic" migration process on different servers, not just x86 but also ARM/RPi
• Test migrating a more complex setup with a bunch of apps, including PHP ones, Python ones, Nodejs ones, Postgresql, Mysql, ...

Apps

Relevant links:

• Difference between bulleyes and bookworm CI results for applications

• Start an app testing campaign to identify regressions
• Tweak dash.yunohost.org / Tartiflette to display this on a nice dashboard
• Fix regressions found in apps

[kay0u]

Look for old legacy stuff in the core that can be dropped out

I can find:

• ynh_legacy_permissions_exists and ynh_legacy_permissions_delete_all, some apps use these helpers but i think we can remove them and autopatch apps for bookworm migration
• a fix from a regression in 3.5, dunno what to do, we can probably remove it
• Legacy stuff related to --log_type dunno what to do
• legacy stuff in services looks important
• something related to php 7.3 and buster->bullseye migration, we can keep it/adjust it for bullseye->bookworm migration?
• avoid guid & uuid 1007 looks important too
• and all the stuff in utils.legacy which should be adapted for bookworm

[kay0u]

During the postinstall I get:

Warning: ls: cannot access '/etc/php//fpm/pool.d/.conf': No such file or directory
Warning: adduser: Warning: The home dir /var/vmail you specified can't be accessed: No such file or directory
Warning: grep: /run/resolvconf/resolv.conf: No such file or directory

Here the full logs, but from what I understood:

• The first warning is because we're not installing php anymore, comes from here
• The second one looks like it comes from dovecot regen conf, but I don't know why we don't have this folder anymore?
• And the last warning comes from dnsmasq regen conf

---

After the postinstall, even though YunoHost-API was started, I couldn't access the webadmin (error 502), I had to restart it

Error from nginx:

==> /var/log/nginx/bookworm.tld-error.log <==
2023/09/11 09:22:25 [error] 3616#3616: *6 connect() failed (111: Connection refused) while connecting to upstream, client: 10.34.87.1, server: bookworm.tld, request: "GET /yunohost/api/installed?locale=fr HTTP/2.0", upstream: "http://127.0.0.1:6787/installed?locale=fr", host: "bookworm.tld", referrer: "https://bookworm.tld/yunohost/admin/"

---

During nextcloud install, fail2ban took too much time to reload (you can find some warnings). The issue here is the line_match arg we should match (Started|Reloaded) fail2ban.service - Fail2Ban Service (there is a fail2ban.service to add)
There is also a warning in fail2ban service:

fail2ban.configreader [33783]: WARNING 'allowipv6' not defined in 'Definition'. Using default one: 'auto'

Moreover, I tried to get banned by entering the wrong password several times, but I didn't succeed.

That's all I've been able to see so far after installation

[Lab-8916100448256]

Things I have noticed while upgrading non YUNoHost systems from bullseye to bookworm that could have an impact on YUNoHost :

• in default sshd_config, ChallengeResponseAuthentication has been deprecated and is now replaced by KbdInteractiveAuthentication. The old ChallengeResponseAuthentication option is still working but maybe we should swith to KbdInteractiveAuthentication?
• after the upgrade to bookworm I found that the ssh group has been renamed to _ssh, breaking ssh connection on systems that limit ssh access to the ssh group. To fix the situation I renamed the group back to ssh but maybe that was not the correct way to go. See https://www.reddit.com/r/debian/comments/148b4d5/new_name_for_ssh_group_in_debian_12/

[kay0u]

running postinstall on a fresh bookworm rebuild incus container:

postinstall fails because there is no dns resolvconf:
https://paste.yunohost.org/nukegaqoca.sql

root@ynh-dev-bookworm-unstable:/ynh-dev# cat /etc/resolv.conf 
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
# 127.0.0.53 is the systemd-resolved stub resolver.
# run "resolvectl status" to see details about the actual nameservers.

nameserver 127.0.0.1
root@ynh-dev-bookworm-unstable:/ynh-dev# resolvectl status
bash: resolvectl: command not found
root@ynh-dev-bookworm-unstable:/ynh-dev# systemctl status systemd-resolved
Unit systemd-resolved.service could not be found.

I think systemd-resolved should be installed, and I don't understand why it isn't.

Trying to fix it:

root@ynh-dev-bookworm-unstable:/ynh-dev# echo "nameserver 1.1.1.1" > /etc/resolv.conf 
root@ynh-dev-bookworm-unstable:/ynh-dev# apt update
Hit:1 http://forge.yunohost.org/debian bookworm InRelease
Hit:2 http://deb.debian.org/debian bookworm InRelease
Hit:3 http://deb.debian.org/debian bookworm-updates InRelease
Hit:4 http://deb.debian.org/debian-security bookworm-security InRelease
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.
root@ynh-dev-bookworm-unstable:/ynh-dev# apt install systemd-resolved
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 yunohost : Conflicts: systemd-resolved but 252.22-1~deb12u1 is to be installed
E: Error, pkgProblemResolver::Resolve generated breaks, this may be caused by held packages.

Edit: no systemd-resolved shouldn't be installed. Then, I don't know what to do yet

[alexAubin]

Remaining major items :

• Fixing the major app regressions until we're left with a reasonable number like 10~5%
• Gotta reimplement DKIM signing with opendkim rather than rspamd (or bring rspamd back by default)
• Clarify whatdo with the SSO basic HTTP auth header : with-password vs without-password
• Make sure we have a smooth easy way to install / remove metronome (from the global settings maybe, similar to rspamd?)
• Further test/stabilize the bullseye->bookworm migration procedure
• ???