howto/upgrades.md

@@ -101,10 +101,36 @@ those services directly in needrestart.
 
 At the moment the only blacklisted packages for unattended_upgrades are:
 
-- openvswitch-switch
-- openvswitch-common
+- Open vSwitch (`openvswitch-switch` and `openvswitch-common`, [bug
+  34185](https://bugs.torproject.org/34185)): to upgrade manually, empty the server, restart, OVS,
+  then migrate the machines back.
   
-See ([bug #34185]https://bugs.torproject.org/34185)
+   1. on the Ganeti master, list the instances on the Ganeti node:
+   
+        INSTANCES=$(gnt-instance list -o name --no-headers --filter "pnode == \"$NODE\"")
+
+   2. on the Ganeti master, empty the Ganeti node:
+  
+        gnt-node migrate -f $NODE
+
+   2. on the Ganeti node where OVS needs to be upgraded:
+
+        service openvswitch-nonetwork.service restart
+
+   3. on the Ganeti master, migrate all the instances back:
+
+        gnt-instance migrate -f $INSTANCES
+
+      the instance list comes from the first step
+
+  Note that this might be fixed in Debian bullseye, [bug 961746](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961746) in
+  Debian is marked as fixed, but will still need to be tested on our
+  side first.
+
+- Grub (`grub-pc`, [bug 40042](https://gitlab.torproject.org/tpo/tpa/team/-/issues/40042)) has been known to have issues as
+  well, so it is blocked. to upgrade, make sure the install device is
+  defined, by running `dpkg-reconfigure grub-pc`. this issue might
+  actually have been fixed in the package, see [issue 40185](https://gitlab.torproject.org/tpo/tpa/team/-/issues/40185).
 
 ### Kernel upgrades and reboots