Upgrade OpenVZ VPS from Debian 7 (wheezy) 64-bit to Debian 8 (jessie) 64-bit

Debian 8.0 (jessie) has been released! But there is no official OpenVZ template for jessie yet, and past experience indicates that it could be a long wait. In the meantime, here is how I upgraded an OpenVZ VPS with a fresh install of the official Debian 7 (64-bit) minimal template to Debian 8. It is just a little bit tricky, since the official OpenVZ Debian 7 minimal template uses upstart, not sysvinit (the default for Debian 7) or systemd (the default for Debian 8). Since upstart is now deprecated with the adoption of systemd, these instructions include replacing upstart with systemd.

NOTE: This guide is intended only for a fresh reinstallation of the 64-bit Debian 7 minimal template. These procedures have been tested on a BuyVM OpenVZ VPS with the 64-bit Debian 7 template (BuyVM offers the minimal template only). If you are using a different Debian 7 template, or are trying to upgrade an existing system, certain commands may need to be modified in order to ensure a successful upgrade. Proceed at your own risk.

1. Open an SSH connection to your VPS and log in as root.

2. Update the Apt sources.list to point to the Jessie repositories.

rm /etc/apt/sources.list
cat > /etc/apt/sources.list << EOF
deb http://ftp.us.debian.org/debian/ jessie main non-free contrib
deb-src http://ftp.us.debian.org/debian/ jessie main non-free contrib
deb http://security.debian.org/ jessie/updates main contrib non-free
deb-src http://security.debian.org/ jessie/updates main contrib non-free
deb http://ftp.us.debian.org/debian/ jessie-updates main contrib non-free
deb-src http://ftp.us.debian.org/debian/ jessie-updates main contrib non-free
EOF

3. Verify that the sources.list was properly created.

cat /etc/apt/sources.list

It should look like this.

deb http://ftp.us.debian.org/debian/ jessie main non-free contrib
deb-src http://ftp.us.debian.org/debian/ jessie main non-free contrib
deb http://security.debian.org/ jessie/updates main contrib non-free
deb-src http://security.debian.org/ jessie/updates main contrib non-free
deb http://ftp.us.debian.org/debian/ jessie-updates main contrib non-free
deb-src http://ftp.us.debian.org/debian/ jessie-updates main contrib non-free

4. Grab the new lists of packages.

apt-get update

5. Reinstall the debian-archive-keyring package if you see any missing public key warnings.

apt-get install --reinstall debian-archive-keyring

6. Install dialog (shows nice dialog windows, used by the locales configuration and many package installations which require user input).

apt-get -y install dialog

7. Set your system locales.

dpkg-reconfigure locales

7a. In most cases, the UTF-8 version of the language you are using is the best locale to generate. For American English, this would be en_US.UTF-8.

7b. Select en_US.UTF-8 (or the UTF-8 version of the language you are using) by scrolling down in the list, hitting the spacebar to select it, and pressing enter to move on.

7c. The next dialog box will ask you to choose the default locale for the entire system. Press the up or down arrow keys to highlight “en_US.UTF-8” or the language you selected in the previous step, then press enter to finish locale generation and configuration.

8. Perform the upgrade! (This will take a while, but don’t leave, because there are a few things you need to do during the process).

apt-get -y dist-upgrade

8a. When you reach the message “Configuration file ‘/etc/bash.bashrc’ has been modified since installation”, choose ‘Y’ to install the new version.

8b. When you reach the message “Configuration file ‘/etc/init/networking.conf’ has been modified since installation”, again choose ‘Y’ to install the new version.

8c. When you reach the dialog box warning you about logging in as root over SSH using password authentication, choose “No” to keep SSH password authentication for root enabled. You will disable this later, once you have added your own user account with sudo privileges.

9. Verify that you are now running Debian 8 (it should show 8.x).

cat /etc/debian_version

10. Swap out upstart for systemd.

apt-get -y install systemd systemd-sysv

11. Force a reboot to start using the new init.

reboot -f

12. Log back in to your VPS via SSH as root.

13. Verify that systemd is running, not upstart (you should see only systemd processes, no upstart processes).

ps aux | grep -E "(systemd)|(upstart)" | grep -v "grep -E"

14. Purge upstart (it was not automatically removed when systemd was installed since it was running at that time).

apt-get -y purge upstart
rm -r /var/log/upstart

15. Remove the 32-bit packages from the package lists (just an annoyance, there is no need to see both the 32-bit and 64-bit versions of packages on a 64-bit system).

dpkg --remove-architecture i386

16. Install some more essential or handy packages.

apt-get -y install nano apt-rdepends aptitude curl sudo

17. Install one more essential package (cron), but without installing recommended packages. Cron recommends a mail server be installed, and the default mail server for Debian is the full-featured Exim package. If you plan on using Exim, do not include the “–no-install-recommends” option.

apt-get -y install --no-install-recommends cron

18. Verify that no other essential packages are missing.

aptitude search "?essential" | grep -v "^i"

19. If no results are shown, then all essential packages are already installed. If any results are found, then essential packages are missing and you need to install them. Insert the package names, each separated by a space.

apt-get -y install package_name package_name_2 package_name_3 . . .

20. Add your own user account for day-to-day administration of the server (inserting in your own username of course).

adduser justin

20a. Enter in your desired password twice. The rest of the information is optional, but I like to at least put in my full name, leaving all other fields blank. Verify that all of the information is correct, then choose “Y”.

21. Add your user account to the “sudo” group to obtain sudo privileges. I also advise adding yourself to the “adm” group, because many log files are not readable unless you are a member of that group. It just makes things easier, since you don’t have to “sudo cat /var/log/log_name” each time you want to view one of these log files.

usermod -a -G sudo,adm justin

22. Verify that your account has been added to the correct groups (you should see “justin : justin adm sudo”).

groups justin

23. Secure SSH by switching the port from the default (port 22), disabling root logins entirely, and only allowing logins by your user account you just created.

nano /etc/ssh/sshd_config

23a. Change “Port 22” to an unused port over 1024. Check this Wikipedia page to find a port that will not be used by any services you plan to run on your VPS.

23b. Under “Authentication”, change “PermitRootLogin yes” to “PermitRootLogin no” to disable root logins.

23c. Also under “Authentication”, add the following line, inserting your username, not mine of course.

AllowUsers justin

23d. If you have multiple users that need to access this VPS via SSH, use a comma to separate each username.

AllowUsers justin,brad,danielle,tom

23e. Save the file and exit by hitting Control + X, typing ‘Y’, then pressing Enter.

24. Reload the SSH daemon so the new port and security settings are applied.

systemctl reload ssh.service

25. Open a new terminal window. (Do NOT close this terminal window just yet, because if you messed up the SSH configuration, you may have inadvertently blocked yourself from opening a new SSH connection).

26. Login to your VPS using your new account and the new SSH port.

ssh -l justin -p <port_number> <server_ip_address>

27. Verify that your sudo privileges are working properly. Enter in your password when prompted after the “With great power comes great responsibility” spiel.

sudo w

28. If the ‘w’ command runs properly, you can safely close the other terminal window where you were logged in as root.

29. You’re done! You now have a fresh minimal install of Debian 8 on your VPS.