Manu's picture

Hi all, 

I'm using TKL on PVE at home. I have not set up TKLBAM since I don't have (and want) cloud storage. 

How do I upgrade my TKL appliances to bullseye? I tried it on a couple of containers via the debian way, but since then I get an error that the TKL-repos cannot be used b/c the key is not accepted. 

 

Any suggestions?

Jeremy Davis's picture

[update]: This post initially noted 'buster', when it should have been 'bullseye'. I've updated it by changing all instances of 'buster' to be 'bullseye'. Note also that the Debian security repo format has changed since buster!


First up, you can use TKLBAM locally as well. Although it still will require you to sign up to the Hub to get the backup profile (or generate a profile yourself). But as Hub signup still requires an AWS account, you'll likely prefer not going that path.

As for a "Debian style upgrade", yes that's a totally legitimate path to follow. It sounds like you were heading in the right direction, however, you will need to also update the TurnKey repo keys (as per the error you noted).

The keys can be downloaded from keyservers, but in recent times, they're a bit broken, so it's probably easier to just pull them from GitHub. The easiest way to update them would be via the commandline. Here's a script that you can copy/paste. It will download and convert the keys to the required format for all 3 repos (if you aren't using 'testing', downloading the key won't cause any issue):

CODENAME=bullseye
key_dir=/usr/share/keyrings
base_url=https://raw.githubusercontent.com/turnkeylinux/common/master/overlays/bootstrap_apt
repos=(main security testing)
for repo in "${repos[@]}"; do
    local_path="$key_dir/tkl-$CODENAME-$repo"
    keyring="$local_path.gpg"
    keyfile="$local_path.asc"
    # the overlay in the GitHub repo mirrors the on-disk path, so URL = base_url + keyfile
    key_url="${base_url}${keyfile}"
    wget -O "$keyfile" "$key_url"
    # import the ASCII-armored key into the keyring file that 'signed-by' points at
    gpg --no-default-keyring --keyring "$keyring" --import "$keyfile"
    rm "$keyfile"
done

Then the only other thing you should need to do is update the TurnKey repo key paths in the relevant sources.list files (/etc/apt/sources.list.d/security.sources.list & /etc/apt/sources.list.d/sources.list). E.g. your security sources file contents should look like this:

deb [signed-by=/usr/share/keyrings/tkl-bullseye-security.gpg] http://archive.turnkeylinux.org/debian bullseye-security main

deb http://security.debian.org/ bullseye-security main
deb http://security.debian.org/ bullseye-security contrib
#deb http://security.debian.org/ bullseye-security non-free

I hope that helps.

Manu's picture

Thank you Jeremy. 

I am currently quite confused. Since I'm going the bullseye-path shouldn't I use the bullseye-repos?

This is what I have currently for my security.sources.list:

[signed-by=/usr/share/keyrings/tkl-buster-security.gpg] http://archive.turnkeylinux.org/debian bullseye-security main
deb http://security.debian.org/ bullseye-security main
deb http://security.debian.org/ bullseye-security contrib
#deb http://security.debian.org/ buster/updates non-free 

This is my sources.list:

[signed-by=/usr/share/keyrings/tkl-buster-main.gpg] http://archive.turnkeylinux.org/debian bullseye main
deb http://deb.debian.org/debian bullseye main
deb http://deb.debian.org/debian bullseye contrib
#deb http://deb.debian.org/debian buster non-free

When I try to run your script it just gives me an error

./keyimport.sh: 4: Syntax error: "(" unexpected

Thanks!
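
As an added example (not part of any post in this thread): a POSIX sh check that flags the state shown above, a TurnKey entry whose signed-by keyring name does not match its suite, plus any active entry still naming the old release. The function names, the constructed sample files and the mapping from suite `<codename>-<repo>` to keyring `tkl-<codename>-<repo>.gpg` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes one-line "deb ..." entries and
# that TurnKey suite <codename>-<repo> uses keyring tkl-<codename>-<repo>.gpg.
# check_tkl_sources FILE CODENAME -> prints findings, returns 1 on any problem
check_tkl_sources() {
    awk -v want="$2" '
    $1 != "deb" && $1 != "deb-src" { next }   # skips comments and blank lines
    {
        opts = ""; i = 2
        if ($2 ~ /^\[/)                        # gather "[option=value ...]"
            for (; i <= NF; i++) {
                opts = opts " " $i
                if ($i ~ /\]$/) { i++; break }
            }
        uri = $i; suite = $(i + 1)
        if (suite != want && index(suite, want "-") != 1) {
            print "STALE-SUITE " suite; bad = 1; next
        }
        if (uri !~ /archive\.turnkeylinux\.org/) next
        repo = (suite == want) ? "main" : substr(suite, length(want) + 2)
        expect = "/usr/share/keyrings/tkl-" want "-" repo ".gpg"
        if (!match(opts, /signed-by=[^] ]+/)) {
            print "NO-SIGNED-BY " suite; bad = 1
        } else if (substr(opts, RSTART + 10, RLENGTH - 10) != expect) {
            print "WRONG-KEYRING " suite " expected " expect; bad = 1
        } else print "OK " suite
    }
    END { exit bad + 0 }' "$1"
}

# Constructed sample files: "before" mixes buster keyrings and suites with
# bullseye (the kind of state discussed above), "after" is the corrected form.
write_samples() {
    k=/usr/share/keyrings t=http://archive.turnkeylinux.org/debian
    cat > "$1/before.list" <<EOF
deb [signed-by=$k/tkl-buster-security.gpg] $t bullseye-security main
deb http://security.debian.org/ buster/updates contrib
#deb http://security.debian.org/ buster/updates non-free
EOF
    cat > "$1/after.list" <<EOF
deb [signed-by=$k/tkl-bullseye-security.gpg] $t bullseye-security main
deb http://security.debian.org/ bullseye-security main
EOF
}

tmp=$(mktemp -d) && write_samples "$tmp"
check_tkl_sources "$tmp/before.list" bullseye || echo "before.list needs fixing"
check_tkl_sources "$tmp/after.list" bullseye && echo "after.list is consistent"
rm -rf "$tmp"
```

On a real system, point it at the files under /etc/apt/sources.list.d/ with the target codename as the second argument.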

Hein's picture

Hi, I was able to update my Turnkey container to Bullseye with the steps provided in this topic. I used the script from the previous post to retrieve the bullseye keys to the keyring folder. Note: change the first line into CODENAME=bullseye

After this I used, note the difference [signed-by=/usr/share/keyrings/tkl-bullseye-main.gpg]:

deb [signed-by=/usr/share/keyrings/tkl-bullseye-main.gpg] http://archive.turnkeylinux.org/debian bullseye main
deb http://deb.debian.org/debian bullseye main
deb http://deb.debian.org/debian bullseye contrib
#deb http://deb.debian.org/debian buster non-free

Hope this helps

Jeremy Davis's picture

All references to 'buster' should be updated to be 'bullseye'! My bad. I'll edit my post so that it's correct...

Jeremy Davis's picture

Yep, to upgrade to bullseye, all 'buster' entries should be upgraded to 'bullseye', I'll update my post.

As for running it, I intended for it to just be copy/pasted into the commandline (with CODENAME=bullseye to upgrade to bullseye...). That should "just work".

But you can run it from a script too if you want. Judging from the fact that the script is erroring at the bashism on line 4, my guess is that it's guessing from the filename and just running with /bin/sh (not /bin/bash). If you want to run it as a script it needs to be explicitly run by bash. You could just run it with bash, like this:

bash keyimport.sh

But better still, give it a bash shebang. Insert a new line at the top of your script:

#!/bin/bash -e

That's called a shebang and it tells the system to run the script with '/bin/bash'. The '-e' is a bash option that makes the script exit if it encounters an error (good practice).

As noted, be sure to change the 'CODENAME=' line to 'bullseye' - i.e.:

CODENAME=bullseye

Jeremy Davis's picture

I've updated (i.e. fixed...) my first response and added a note to the start of it. Note the change of format for the Debian Bullseye security repo.

Hein's picture

Hi, I managed to upgrade to bullseye with help from this topic. I used the script provided (created a bash script and ran it) for creation of the keyring keys. Note: the bullseye codename:
	CODENAME=bullseye
	key_dir=/usr/share/keyrings
	base_url=https://raw.githubusercontent.com/turnkeylinux/common/master/overlays/bootstrap_apt
	repos=(main security testing)
	for repo in ${repos[@]}; do
	    local_path=$key_dir/tkl-$CODENAME-$repo
	    keyring=$local_path.gpg
	    keyfile=$local_path.asc
	    key_url=${base_url}${keyfile}
	    wget -O $keyfile $key_url
	    gpg --no-default-keyring --keyring $keyring --import $keyfile
	    rm $keyfile
	done
After this I have updated the sources.list, it's using the tkl-bullseye-main.gpg from the keyring folder:

deb [signed-by=/usr/share/keyrings/tkl-bullseye-main.gpg] http://archive.turnkeylinux.org/debian bullseye main
deb http://deb.debian.org/debian bullseye main
deb http://deb.debian.org/debian bullseye contrib
#deb http://deb.debian.org/debian buster non-free

Hope this helps!
