A few days ago I was attempting to install the OpenSCAP security compliance evaluation tool on a system I had running Ubuntu 16.10 (Yakkety Yak) LTS. The base package of OpenSCAP was in my distribution’s repositories and I was able to easily install it. But, it turns out the SCAP Workbench package, which I also really wanted, was only available in Ubuntu 17.04 (Zesty Zapus). My choices were to attempt to build from source with directions for Fedora or upgrade my current Ubuntu distribution to 17.04.
After some failed attempts at building from source, plus missing some key dependencies, I spoke with a trusted friend, Jon Jeffels, and he suggested I bite the bullet and perform the distribution upgrade to 17.04 (Zesty Zapus).
The upgrade process is fairly simple, but when performing it over SSH it can be a little more complicated. After putting together some forum posts I was able to come up with a method which would allow me to easily perform the upgrade via SSH and not lose access the process altogether. If you plan on doing this upgrade via SSH this is my recommend method, because during the upgrade process there will be prompts to configure certain packages. The process is not set-it-and-forget-it automated–it should be attended. SSH should already be configured and in-use, if this is your intended method, as well. This process assumes you normally access the system via SSH, but for those who do not know how, here is how to setup SSH.
If the intended system on which the upgrade will be performed is a production system or contains valuable data, please consider performing a backup. There are several methods by which to accomplish this task listed here.
1. Install Screens
First off, make sure your repositories are up-to-date in your current distribution by running:
$ sudo apt-get update
Now we can install screen:
$ sudo apt-get install screen
Enter screen for the first time by typing
screen and pressing Space key for next page or Enter key to end, in order to accept the license. You can learn more on how to use screen here. The commands to run screen for this process will be included below.
2. Check for Release and Set to Normal Release Distribution
Check if there is even an update available to you by typing the following command:
$ do-release-upgrade -c
If a newer version of Ubuntu is available, it will be shown in the returned results. If this command does not work, you will need to install the Update Manager by running the following command:
$ sudo apt-get install update-manager-core
After the package installs, run the
$ do-release-upgrade -c command again.
If there is no version available, we need to make sure we are setup to upgrade to the latest normal release, which requires a small edit to a system file. To make this edit, type the following:
$ sudo nano /etc/update-manager/release-upgrades
Find the line of the document called
prompt and make sure it says
prompt=normal. If it says
prompt=lts please change it.
If changes were made, press
ctrl+o to save changes and then
ctrl+x to exit. If no changes, just press
$ do-release-upgrade -c command once more to check for a new version. If there is not one, your distribution may be too old and you may have to consider upgrading manually to a newer version.
Beware of PPAs
Run the following command to check your repositories listed on the system:
$ grep -r --include '*.list' '^deb ' /etc/apt/sources.list /etc/apt/sources.list.d/
$ grep -r --include '*.list' '^deb ' /etc/apt/ | sed -re 's/^\/etc\/apt\/sources\.list((\.d\/)?|(:)?)//' -e 's/(.*\.list):/\[\1\] /' -e 's/deb http:\/\/ppa.launchpad.net\/(.*?)\/ubuntu .*/ppa:\1/'
If you have PPAs on the system, they may interfere with the upgrade. Consider removing them and returning any packages to default from the support repositories with the following package:
$ sudo apt-get install ppa-purge
After it installs, remove the PPAs manually with the following command:
$ sudo ppa-purge ppa-name
ppa-name with name of PPA Repository.
3. Start a New Screen and Upgrade
At this point we need to start a new screen for the upgrade process, because the upgrade process will kill the current SSH session. To do so, type the following commands:
$ screen -S upgrade
This will drop you into what seems like a new terminal session. In this screen type:
$ sudo do-release-upgrade -d
-d argument to the command tells the upgrade to download and install the development release, otherwise the upgrade would just be to the next LTS version and that is not what we want here for OpenSCAP.
IMPORTANT: When going through the upgrade process you will be given a new port on which SSH will function during the upgrade. Document this number–in my case it was 1022. CANCEL the upgrade once you find the new port.
We need to edit the firewall in order to allow access to the host on the new port by running the following command:
$ sudo iptables -I INPUT -p tcp --dport PORT# -j ACCEPT
PORT# with the new port number presented in the initial part of the canceled upgrade process.
Once again, run the
$ sudo do-release-upgrade -d command and the upgrade should resume.
Go through the process until you lose SSH access to the session and then keep following this guide.
4. Re-Establish SSH Access
Once you lose access to the default SSH port during the upgrade, you will have to use the new port number the upgrade process opened to attend the upgrade process. Complete the following steps:
$ ssh -p PORT# USERNAME@HOSTorIP
Once the new SSH connection is established on the new specified port, complete the following commands to attend the upgrade process:
$ screen -d
$ screen -r upgrade
5. Attended Upgrade
There will be multiple prompts during this upgrade process, so it is recommended you sit with it and periodically check it. The upgrade took me roughly 30 minutes in total on a 200 Mbps connection. The download will be roughly 1.1 GB in size, so the connection speed can make this process vary in time drastically.
I wish you the best of luck with the upgrade! Let me know in the comments what your experience was like. Now, I’m off to install OpenSCAP Workbench.