|
|
|
---
|
|
|
|
title: TPA-RFC-80: Debian trixie upgrade schedule
|
|
|
|
title: TPA-RFC-80: Debian 13 ("trixie") upgrade schedule
|
|
|
|
costs: staff, 4+ weeks
|
|
|
|
approval: TPA, service admins
|
|
|
|
affected users: TPA, service admins
|
|
|
|
deadline: 2 weeks, 2025-03-18
|
|
|
|
deadline: 2 weeks, 2025-04-01
|
|
|
|
status: proposed
|
|
|
|
discussion: https://gitlab.torproject.org/tpo/tpa/team/-/issues/41990
|
|
|
|
---
|
|
|
|
|
|
|
|
Summary: start upgrading servers during the Debian "trixie" freeze, if
|
|
|
|
it goes well, complete most of the fleet upgrade in around June 2025,
|
|
|
|
with full completion by the end of 2025, with a 2026 year free of
|
|
|
|
major upgrades entirely. Improve automation.
|
|
|
|
Summary: start upgrading servers during the Debian 13 ("trixie")
|
|
|
|
freeze, if it goes well, complete most of the fleet upgrade in around
|
|
|
|
June 2025, with full completion by the end of 2025, with a 2026 year
|
|
|
|
free of major upgrades entirely. Improve automation, retire old
|
|
|
|
container images.
|
|
|
|
|
|
|
|
# Background
|
|
|
|
|
|
|
|
Debian 13 "trixie", currently "testing" is going into freeze soon, which
|
|
|
|
Debian 13 ("trixie"), currently "testing", is going into freeze soon, which
|
|
|
|
means we should have a new Debian stable release in 2025. It has been
|
|
|
|
a long-standing tradition at TPA to collaborate in the Debian
|
|
|
|
development process and part of that process is to upgrade our servers
|
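Review bot: The new summary adds "retire old container images" without saying which images or when, and the summary is the part most service admins will read. The body is specific (the `bullseye` images via tpo/tpa/base-images#19, the `bookworm` images a year after the `latest` tag moves), so suggest naming those two here, and splitting the sentence, which now chains four clauses with commas. Separately, the `deadline:` line keeps "2 weeks" while the date moves from 2025-03-18 to 2025-04-01; say what the two weeks are counted from, or drop the duration and keep the date.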
| ... | ... | @@ -30,9 +31,14 @@ The [freeze dates announced by the debian.org release team][] are: |
|
|
|
packages without autopkgtests
|
|
|
|
To be announced - Milestone 4 - Full Freeze
|
|
|
|
|
|
|
|
We have entered the "transition and toolchain freeze" which locks
|
|
|
|
changes on packages like compilers and interpreters unless
|
|
|
|
exceptions. See the [Debian freeze policy](https://release.debian.org/testing/freeze_policy.html) for an explanation of
|
|
|
|
each step.
|
|
|
|
|
|
|
|
Even though we've just completed the Debian 11 ("bullseye") and 12
|
|
|
|
("bookworm") upgrades in late 2024, we feel it's a good idea to start
|
|
|
|
*and* complete the trixie upgrades in 2025. That way, we can hope of
|
|
|
|
*and* complete the Debian 13 upgrades in 2025. That way, we can hope of
|
|
|
|
having a year or two (2026-2027?) *without* any major upgrades.
|
|
|
|
|
|
|
|
This proposal is part of the [Debian 13 trixie upgrade milestone][],
|
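Review bot: The added freeze paragraph ends with "unless exceptions", which is missing its verb; something like "unless an exception is granted" reads correctly. The same paragraph uses an inline link for the Debian freeze policy while the surrounding text uses reference-style links (`[freeze dates announced by the debian.org release team][]`), so a reference definition would match the file. "We have entered" will age quickly, so consider dating the statement. In the reworded line below it, "we can hope of having" is carried over unchanged and could become "we can hope to have" while the line is being touched.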
| ... | ... | @@ -63,10 +69,46 @@ and a proposal like this one would link against the upstream release |
|
|
|
notes. Unfortunately, at the time writing, upstream hasn't yet
|
|
|
|
produced release notes (as we're still in testing).
|
|
|
|
|
|
|
|
We're hoping the procedure will be fine-tuned by the time we're ready
|
|
|
|
We're hoping the documentation will be refined by the time we're ready
|
|
|
|
to coordinate the second batch of updates, around May 2025, when we
|
|
|
|
will send reminders to affected teams.
|
|
|
|
|
|
|
|
We do expect the Debian 13 upgrade to be less disruptive than bookworm,
|
|
|
|
mainly because Python 2 is already retired.
|
|
|
|
|
|
|
|
## Notable changes
|
|
|
|
|
|
|
|
For now, here are some known changes that are already in Debian 13:
|
|
|
|
|
|
|
|
| Package | 12 (bookworm) | 13 (trixie) |
|
|
|
|
|--------------------|---------------|-------------|
|
|
|
|
| Ansible | 7.7 | 11.2 |
|
|
|
|
| Apache | 2.4.62 | 2.4.63 |
|
|
|
|
| Bash | 5.2.15 | 5.2.37 |
|
|
|
|
| Emacs | 28.2 | 30.1 |
|
|
|
|
| Fish | 3.6 | 4.0 |
|
|
|
|
| Git | 2.39 | 2.45 |
|
|
|
|
| GCC | 12.2 | 14.2 |
|
|
|
|
| Golang | 1.19 | 1.24 |
|
|
|
|
| Linux kernel image | 6.1 series | 6.12 series |
|
|
|
|
| LLVM | 14 | 19 |
|
|
|
|
| MariaDB | 10.11 | 11.4 |
|
|
|
|
| Nginx | 1.22 | 1.26 |
|
|
|
|
| OpenJDK | 17 | 21 |
|
|
|
|
| OpenLDAP | 2.5.13 | 2.6.9 |
|
|
|
|
| OpenSSL | 3.0 | 3.4 |
|
|
|
|
| PHP | 8.2 | 8.4 |
|
|
|
|
| Podman | 4.3 | 5.4 |
|
|
|
|
| PostgreSQL | 15 | 17 |
|
|
|
|
| Prometheus | 2.42 | 2.53 |
|
|
|
|
| Puppet | 7 | 8 |
|
|
|
|
| Python | 3.11 | 3.13 |
|
|
|
|
| Rustc | 1.63 | 1.85 |
|
|
|
|
| Vim | 9.0 | 9.1 |
|
|
|
|
|
|
|
|
Most of those, except "tool chains" (e.g. LLVM/GCC) can still change,
|
|
|
|
as we're not in the full freeze yet.
|
|
|
|
|
|
|
|
## Upgrade schedule
|
|
|
|
|
|
|
|
The upgrade is split in multiple batches:
|
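Review bot: The added claim that Debian 13 should be "less disruptive than bookworm, mainly because Python 2 is already retired" sits directly above a table showing major-version jumps for Puppet (7 to 8), PostgreSQL (15 to 17), MariaDB (10.11 to 11.4), Podman (4.3 to 5.4) and OpenSSL (3.0 to 3.4), and the automation section of this same RFC recalls "catastrophic errors in the PostgreSQL upgrade procedure". Suggest either softening the claim or marking the rows that need action from service admins. Also, the sentence after the table names only LLVM/GCC as frozen, while the freeze paragraph says the lock covers "compilers and interpreters"; the table also lists Python, Rustc, Golang and OpenJDK, so say whether those versions are final too.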
| ... | ... | @@ -95,11 +137,22 @@ again. |
|
|
|
|
|
|
|
### Upgrade automation and installer changes
|
|
|
|
|
|
|
|
First, we tweak the installers to deploy trixie by default to avoid
|
|
|
|
First, we tweak the installers to deploy Debian 13 by default to avoid
|
|
|
|
installing further "old" systems. This includes the bare-metal
|
|
|
|
installers but also and especially the virtual machine installers and
|
|
|
|
container images.
|
|
|
|
|
|
|
|
Concretely, we're planning on changing the `latest` container image
|
|
|
|
tag to point to `trixie` in early April. A full *year* later, the
|
|
|
|
`bookworm` container images will be retired. Note that we are already
|
|
|
|
planning the retirement of the "old stable" (`bullseye`) container
|
|
|
|
images, see [tpo/tpa/base-images#19](https://gitlab.torproject.org/tpo/tpa/base-images/-/issues/19), for which you may have
|
|
|
|
already been contacted.
|
|
|
|
|
|
|
|
New `idle` canary servers will be setup in Debian 13 to test
|
|
|
|
integration with the rest of the infrastructure, and future new
|
|
|
|
machine installs will be done in Debian 13.
|
|
|
|
|
|
|
|
We also want to work on automating the upgrade procedure
|
|
|
|
further. We've had catastrophic errors in the PostgreSQL upgrade
|
|
|
|
procedure in the past, in particular, but the whole procedure is now
|
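Review bot: Moving the `latest` tag to `trixie`, in the added "Concretely" paragraph, changes the base system of every image built from `latest` at its next rebuild, with no change on the consumer's side. Suggest stating here that projects which need to stay on Debian 12 should reference a codename tag such as `bookworm` explicitly before early April, and defining what "retired" means for the `bookworm` and `bullseye` images (tag removed, or kept but no longer rebuilt), since an image that is kept but not rebuilt falls behind on updates without any visible failure. Minor: "will be setup" in the canary paragraph should be "will be set up".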
| ... | ... | @@ -108,7 +161,7 @@ details. |
|
|
|
|
|
|
|
[tpo/tpa/team#41485]: https://gitlab.torproject.org/tpo/tpa/team/-/issues/41485
|
|
|
|
|
|
|
|
### Batch 1: low complexity, April-May 2025
|
|
|
|
### Batch 1: low complexity
|
|
|
|
|
|
|
|
This is scheduled during two weeks: TPA boxes will be upgraded in
|
|
|
|
the last week of April, and Tails in the first week of May.
|
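Review bot: Dropping ", April-May 2025" from the "Batch 1" heading changes the anchor that Markdown renderers derive from the heading text, so any existing link to the old section anchor (from announcements or the batch issue) will stop resolving. Worth checking for inbound links before merging. The body still carries the dates ("last week of April", "first week of May"), so no information is lost in this section.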
| ... | ... | @@ -183,7 +236,7 @@ Feedback and coordination of this batch happens in [issue batch 1][]. |
|
|
|
|
|
|
|
[issue batch 1]: "https://gitlab.torproject.org/tpo/tpa/team/-/issues/42071"
|
|
|
|
|
|
|
|
### Batch 2: moderate complexity, May-June 2025
|
|
|
|
### Batch 2: moderate complexity
|
|
|
|
|
|
|
|
This is scheduled for the last week of may for TPA machines, and the
|
|
|
|
first week of June for Tails.
|
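Review bot: The context line at the top of this hunk defines `[issue batch 1]` with the URL wrapped in double quotes, unlike `[issue batch 2]` in the next hunk, which is bare. With the quotes the reference may not render as a working link, so it is worth fixing in this change since the neighbouring lines are being edited anyway. In the body, "last week of may" should be "last week of May". The heading rename has the same anchor-change effect as in Batch 1.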
| ... | ... | @@ -268,7 +321,7 @@ Feedback and coordination of this batch happens in [issue batch 2][]. |
|
|
|
|
|
|
|
[issue batch 2]: https://gitlab.torproject.org/tpo/tpa/team/-/issues/42070
|
|
|
|
|
|
|
|
### Batch 3: high complexity, 2025 Q3-Q4
|
|
|
|
### Batch 3: high complexity
|
|
|
|
|
|
|
|
Those machines are harder to upgrade, or more critical. In the case of
|
|
|
|
TPA machines, we typically regroup the Ganeti servers and all the
|
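Review bot: After removing ", 2025 Q3-Q4" from the "Batch 3" heading, the lines visible here no longer say when these upgrades happen, whereas the Batch 1 and Batch 2 bodies still give their weeks. Since Batch 3 covers the machines described as "harder to upgrade, or more critical", suggest adding one sentence with the target period to the section body, or a pointer to the new Timeline section, so the date is not only recoverable from a list further down.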
| ... | ... | @@ -339,6 +392,28 @@ up. |
|
|
|
This process has been historically neglected, but we're hoping to wrap
|
|
|
|
this up, worst case in 2026.
|
|
|
|
|
|
|
|
## Timeline
|
|
|
|
|
|
|
|
- 2025-Q2
|
|
|
|
- W14 (first week of April): default container image changed to
|
|
|
|
`trixie`, installer defaults changed and first tests in
|
|
|
|
production
|
|
|
|
- W18 (last week of April): Batch 1 upgrades, TPA machines
|
|
|
|
- W19 (first week of May): Batch 1 upgrades, Tails machines
|
|
|
|
- W22 (last week of May): Batch 2 upgrades, TPA machines
|
|
|
|
- W23 (first week of June): Batch 2 upgrades, Tails machines
|
|
|
|
- 2025-Q3 to Q4: Batch 3 upgrades
|
|
|
|
- 2026-Q2: bookworm container image retired
|
|
|
|
|
|
|
|
## Deadline
|
|
|
|
|
|
|
|
The community has until the beginning of the above timeline to
|
|
|
|
manifest concerns or objections.
|
|
|
|
|
|
|
|
Two weeks before performing the upgrades of each batch, a new
|
|
|
|
announcement will be sent with details of the changes and impacted
|
|
|
|
services.
|
|
|
|
|
|
|
|
# Alternatives considered
|
|
|
|
|
|
|
|
## Retirements or rebuilds
|
| ... | ... | |
| ... | ... | |
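Review bot: The new "Deadline" section gives the cut-off as "the beginning of the above timeline", which leaves readers to work out a date from "W14 (first week of April)", while the front matter states `deadline: 2 weeks, 2025-04-01`. Suggest writing the date out in this section so the two cannot drift apart. The Timeline list also includes the `bookworm` image retirement (2026-Q2) but not the `bullseye` image retirement mentioned in the installer section; either add it or say that it is tracked only in tpo/tpa/base-images#19. Batch 3 has no week-level entry, so it would help to say how the "two weeks before" announcement will be timed for it.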