
Upgrade Debian to next major release

Start a tmux session in case it's a remote session:

tmux

Check for free disk space (5G is a safe buffer):

df -h

First upgrade all packages in the old release:

apt clean
apt --fix-broken install
apt update -m
dpkg --configure -a
apt install -f
apt full-upgrade

Revisit /etc/apt/sources.list and:

  • Remove unneeded lines
  • Change all URLs to use http://deb.debian.org/debian/

Export the current and target release names:

export FROM=bookworm
export TO=trixie

Prepare and run the upgrade:

rm -f /etc/apt/sources.list.d/${TO}.list # Remove a separate sources file for the target release, if one exists
sed -i "s/${FROM}/${TO}/" /etc/apt/sources.list /etc/apt/sources.list.d/*
rm -f /etc/apt/preferences.d/${FROM} # Remove old release's preferences
rm -f /etc/apt/preferences.d/${TO}.pref # Remove potential down-pinned target release
apt update
apt full-upgrade
apt autoremove --purge
reboot

Release specific notes

Trixie

If you use the mdadm package, as of Aug 22nd 2025, you'll want a workaround to avoid an issue where mdadm is updated before systemd and shows an error that it cannot find systemd. A bug report tracks this.

Additional steps

Switch to deb822 format for the sources.list. This will write /etc/apt/sources.list.d/debian.sources and /etc/apt/sources.list.d/debian-backports.sources:

apt modernize-sources
apt update
rm -rf /etc/apt/sources.list.bak
rm /etc/apt/sources.list.d/*.bak

Caveat: trixie-backports might not have a Signed-By on some 3rd-party mirrors. You can fix this with:

sed -i 's|^Signed-By: $|Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg|' /etc/apt/sources.list.d/debian-backports.sources
apt update
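
A check for the empty Signed-By case described above, as an added example that is not part of the original page: it parses deb822 `.sources` files and reports every stanza whose Signed-By field is missing or empty, while accepting an embedded key block on continuation lines. The function names `unsigned_stanzas` and `make_sample` and the mirror hostname in the sample are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original page: report deb822 stanzas in
# *.sources files whose Signed-By field is missing or empty.
# Returns non-zero if any such stanza is found.
unsigned_stanzas() {
    awk '
        function end_stanza() {
            if (seen && signed == "") {
                printf "%s: stanza %d (%s): no Signed-By\n", file, n, uris
                bad = 1
            }
            seen = 0; signed = ""; uris = ""; field = ""
        }
        FNR == 1 { end_stanza(); file = FILENAME; n = 0 }
        /^#/ { next }                        # comment line
        /^[ \t]*$/ { end_stanza(); next }    # blank line ends a stanza
        /^[ \t]/ {                           # continuation of the previous field
            if (field == "signed-by") signed = signed $0   # embedded key block
            next
        }
        {
            if (!seen) { seen = 1; n++ }
            field = tolower($0); sub(/:.*/, "", field)     # field names are case-insensitive
            value = $0; sub(/^[^:]*:[ \t]*/, "", value)
            if (field == "signed-by") signed = value
            if (field == "uris") uris = value
        }
        END { end_stanza(); exit bad }
    ' "$@"
}

# Constructed sample files (mirror name and contents are assumptions),
# written into the directory given as $1.
make_sample() {
    printf '%s\n' 'Types: deb' 'URIs: http://deb.debian.org/debian/' \
        'Suites: trixie trixie-updates' 'Components: main' \
        'Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg' \
        > "$1/debian.sources"
    printf '%s\n' '# backports' 'Types: deb' \
        'URIs: http://mirror.example.org/debian/' \
        'Suites: trixie-backports' 'Components: main' 'Signed-By: ' \
        > "$1/debian-backports.sources"
}
```

On a real system, run `unsigned_stanzas /etc/apt/sources.list.d/*.sources` after `apt modernize-sources`; no output and exit status 0 mean every stanza names its key.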

Issues

Bookworm

Deprecated apt key storage

W: https://download.docker.com/linux/debian/dists/bookworm/InRelease:
   Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg),
   see the DEPRECATION section in apt-key(8) for details.

e.g. for the Docker repo:

W: https://download.docker.com/linux/debian/dists/bookworm/InRelease: Key is stored in legacy trusted.gpg keyring

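Fix (this re-adds the key under /etc/apt/trusted.gpg.d, where apt still trusts it for every repository that has no Signed-By of its own):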

apt-key del 9DC858229FC7DD38854AE2D88D81803C0EBFCD88
curl -fsSL https://download.docker.com/linux/debian/gpg | sudo tee /etc/apt/trusted.gpg.d/docker.asc
apt update

node-exporter openipmi alerts

Somehow some ipmi packages get installed during upgrade, so on non-IPMI servers remove all IPMI packages:

apt purge '*ipmi*' # quoted so the shell passes the pattern to apt instead of expanding it against local files

systemd-resolved

Fix:

rm /etc/resolv.conf
echo 'nameserver 1.1.1.1' > /etc/resolv.conf
apt install systemd-resolved

non-free-firmware

Apt keeps reminding about the move of non-free firmware to a different location. To silence this warning:

echo 'APT::Get::Update::SourceListWarnings::NonFreeFirmware "false";' > /etc/apt/apt.conf.d/no-bookworm-firmware.conf