Manu's picture

Hi all, 

I'm using TKL on PVE at home. I have not set up TKLBAM since I don't have (and want) cloud storage. 

How do I upgrade my TKL appliances to bullseye? I tried it on a couple of containers via the debian way, but since then I get an error that the TKL-repos cannot be used b/c the key is not accepted. 

 

Any suggestions?

Forum: 
Jeremy Davis's picture

[update]: This post initially noted 'buster', when it should have been 'bullseye'. I've updated it by changing all instances of 'buster' to be 'bullseye'. Note also that the Debian security repo format has changed since buster!


First up, you can use TKLBAM locally as well. Although it still will require you to sign up to the Hub to get the backup profile (or generate a profile yourself). But as Hub signup still requires an AWS account, you'll likely prefer not going that path.

As for a "Debian style upgrade", yes that's a totally legitimate path to follow. It sounds like you were heading in the right direction, however, you will need to also update the TurnKey repo keys (as per the error you noted).

The keys can be downloaded from keyservers, but in recent times, they're a bit broken, so it's probably easier to just pull them from GitHub. The easiest way is to update them would be via the commandline. Here's a script that you can copy/paste. It will download and convert the keys to the required format for all 3 repos (if you warn't using 'testing', downloading the key won't cause any issue):

CODENAME=bullseye
key_dir=/usr/share/keyrings
base_url=https://raw.githubusercontent.com/turnkeylinux/common/master/overlays/bootstrap_apt
repos=(main security testing)
for repo in ${repos[@]}; do
    local_path=$key_dir/tkl-$CODENAME-$repo
    keyring=$local_path.gpg
    keyfile=$local_path.asc
     key_url=${base_url}${keyfile}
    wget -O $keyfile $key_url
    gpg --no-default-keyring --keyring $keyring --import $keyfile
    rm $keyfile
done

Then the only other thing you should need to do is update the TurnKey repo key paths in the relevant sources.list files (/etc/apt/sources.list.d/security.sources.list & /etc/apt/sources.list.d/sources.list). E.g. your security soruces file contents should look like this:

deb [signed-by=/usr/share/keyrings/tkl-bullseye-security.gpg] http://archive.turnkeylinux.org/debian bullseye-security main

deb http://security.debian.org/ bullseye-security main
deb http://security.debian.org/ bullseye-security contrib
#deb http://security.debian.org/ bullseye-security non-free

I hope that helps.

Manu's picture

Thank you Jeremy. 

I am currently quite confused. Since I'm going the bullseye-path shouldn't I use the bullseye-repos?

This is what I have currently for my security.sources.list:

[signed-by=/usr/share/keyrings/tkl-buster-security.gpg] http://archive.turnkeylinux.org/debian bullseye-security main
deb http://security.debian.org/ bullseye-security main
deb http://security.debian.org/ bullseye-security contrib
#deb http://security.debian.org/ buster/updates non-free 

This is my sources.list:

[signed-by=/usr/share/keyrings/tkl-buster-main.gpg] http://archive.turnkeylinux.org/debian bullseye main
deb http://deb.debian.org/debian bullseye main
deb http://deb.debian.org/debian bullseye contrib
#deb http://deb.debian.org/debian buster non-free

When I try to run your script it just gives me an error

./keyimport.sh: 4: Syntax error: "(" unexpected

Thanks!

Jeremy Davis's picture

All references to 'buster' should be updated to be 'bullseye'! My bad. I'll edit my post so that it's correct...

Jeremy Davis's picture

Yep, to upgrade to bullseye, all 'buster' entries should be upgraded to 'bullseye', I'll update my post.

As for running, it, I intended for it to just be copy/pasted into the commandline (with CODENAME=bullseye to upgrade to bullseye...). That should "just work".

But you can run it from a script too if you want. Judging from the fact that the script is erroring at the bashism on line 4, my guess is that it's guessing from the filename and just running with /bin/sh (not /bin/bash). If you want to run it as a script it needs to be explicitly run by bash. You could just run it with bash, like this:

bash keyimport.sh

But better still, give it a bash shebang. Insert a new line at the top of your script:

#!/bin/bash -e

Thats called a shebang and it tell the system to run the script with '/bin/bash'. The '-e' is a bash option that makes the script exit if it encounters and error (good practice).

As noted, be usre ot change the 'CODENAME=' line to 'bullseye' - i.e.:

'CODENAME=bullseye
Jeremy Davis's picture

I've updated (i.e. fixed...) my first response and added a note to the start of it. Note the change of format for the Debian Bullseye security repo.

Add new comment