UCS 5.2 Upgrade Fails During Pre-Update Checks

Environment

• UCS system attempting to upgrade from UCS 5.0-10 to UCS 5.2-0 using the Univention Updater.
• Update initiated via the Software Update module or by running:

univention-upgrade --updateto=5.2-0 --ignoressh --ignoreterm

Problem:

When attempting to upgrade to UCS 5.2-0, the update process stops during the pre-update phase with multiple errors.
The updater log (/var/log/univention/updater.log) contains the following output:

04.09.25 15:54:57.780  DEBUG_INIT
**** Starting univention-updater 5.0-10 with parameter=['/usr/share/univention-updater/univention-updater', 'net', '--updateto', '5.2-0', '--ignoressh', '--ignoreterm']
--->DBG:update_available(mode=net)
Checking network repository
Update to = 5.1-0
**** Downloading scripts at Thu Sep  4 15:55:31 2025
**** Starting actual update at Thu Sep  4 15:56:08 2025

Starting /tmp/tmpc4m64mde/https:__updates.software-univention.de_dists_ucs510_preup.sh (Thu Sep  4 15:56:08 IST 2025):

HINT:
Please check the release notes carefully BEFORE updating to UCS 5.1-0:

UCS 5.1-0 is an intermediate release and must not be used in production.
After the update to UCS 5.1-0 make sure to immediately update to UCS 5.2-0,
the updater will ask you to do so.

All the necessary information is therefore in the release notes for UCS 5.2-0.

 English version: https://docs.software-univention.de/release-notes/5.2-0/en/
 German version:  https://docs.software-univention.de/release-notes/5.2-0/de/

Please also consider documents of following release updates and
3rd party components.

Do you want to continue [Y/n]?
Custom preupdate script /var/lib/local-preup.sh not found
Checking auth_faillog ...                         OK
Checking blocking_apps ...                        Unable to cache apps
Unable to cache apps
OK
Checking cool_solutions ...                       OK
Checking disk_space ...                           FAIL
Checking docker_storage_driver ...                OK
Checking failed_ldif ...                          OK
Checking for_postgresql96 ...                     FAIL
Checking hold_packages ...                        OK
Checking keycloak_migration ...                   FAIL
Checking ldap_connection ...                      OK
Checking ldap_schema ...                          OK
Checking legacy_objects ...                       FAIL
Checking master_version ...                       OK
Checking min_version ...                          OK
Checking minimum_ucs_version_of_all_systems_in_domain ... OK
Checking openldap_bdb ...                         OK
Checking overwritten_umc_templates ...            OK
Checking package_status ...                       OK
Checking role_package_removed ...                 OK
Checking selinux_deactivated ...                  OK
Checking slapd_on_member ...                      OK
Checking ssh ...                                  OK
Checking system_date_too_old ...                  OK
Checking term ...                                 OK
Checking user_country_mapping ...                 OK
Checking valid_machine_credentials ...            OK
Checking verify_translog_schema ...               OK

The system can not be updated to UCS 5.1 due to the following reasons:

keycloak_migration:

	Starting with UCS 5.2 the Keycloak app replaces SimpleSAMLphp
	and the Kopano Konnect app as the default identity provider in UCS.
	Before the update to 5.2 can start, this domain has to be migrated
	to Keycloak.

	This migration has not happend yet!

	Please read the UCS 5.2 release notes <https://docs.software-univention.de/release-notes/5.2-0/en/index.html>
	and the Keycloak migration guide: <https://docs.software-univention.de/keycloak-migration/index.html>
	for how to migrate your domain to Keycloak.

		- The following old SimpleSAMLphp/Kopano Konnect objects have been found.
		  They need to be removed before the update can happen:

			* SAMLServiceProviderIdentifier=google.com,cn=saml-serviceprovider,cn=univention,dc=seascope,dc=in
			* SAMLServiceProviderIdentifier=https://sp.testshib.org/shibboleth-sp,cn=saml-serviceprovider,cn=univention,dc=seascope,dc=in
			* SAMLServiceProviderIdentifier=https://saml.salesforce.com,cn=saml-serviceprovider,cn=univention,dc=seascope,dc=in
			* SAMLServiceProviderIdentifier=https://home.seascope.in/univention/saml/metadata,cn=saml-serviceprovider,cn=univention,dc=seascope,dc=in

	Migration to Keycloak incomplete, update to UCS 5.2 not possible
	Checking Keycloak migration status ...

		 - ucs/server/sso/uri (None) exists or is not relevant

disk_space:
	Not enough space in /boot, need at least 300 MB.
	This may interrupt the update and result in an inconsistent system!

	Old kernel versions on /boot/ can be pruned by manully by running
	'univention-prune-kernels' or automatically during
	next update attempt by setting config registry variable
	update52/pruneoldkernel to "yes".

	This check can be disabled by setting the UCR variable 'update52/ignore_free_space' to 'yes'.
	But be aware that this is not recommended!

for_postgresql96:
WARNING: PostgreSQL-9.6 is no longer supported by UCS-5.2 and must be migrated to
         a newer version of PostgreSQL. See https://help.univention.com/t/17531 for
         more details.

	This check can be disabled by setting the UCR variable 'update52/ignore_postgresql96' to 'yes'.
	But be aware that this is not recommended!

legacy_objects:
	The following objects are no longer supported with UCS 5.2:
		dn: cn=24x7,cn=nagios,dc=seascope,dc=in
		dn: cn=WorkHours,cn=nagios,dc=seascope,dc=in
		dn: cn=NonWorkHours,cn=nagios,dc=seascope,dc=in
	They must be removed before the update can be done.

	See <https://help.univention.com/t/22252> for details.

	This check can be disabled by setting the UCR variable 'update52/ignore_legacy_objects' to 'yes'.

Error: Update aborted by pre-update script of release 5.1-0
Notifications
Notification
An update for UCS is available. Please visit the "Software update" module to install the updates.
Warning
The update to UCS 5.1-0 failed. Please visit the "Software update" module for more information.

Root Cause

The UCS pre-update checks prevent the upgrade due to several critical issues:

1. Incomplete Keycloak migration
   SimpleSAMLphp and Kopano Konnect SSO objects are still present in LDAP.
2. Insufficient disk space in /boot
   Less than 300 MB available.
3. Unsupported PostgreSQL 9.6 installation
   PostgreSQL 9.6 must be upgraded before UCS 5.2.
4. Legacy Nagios “timeperiod” LDAP objects
   Old Nagios objects are incompatible with UCS 5.2.

Solution:

Follow these steps to resolve each issue and proceed with the UCS 5.2 upgrade.

1. Complete the Keycloak Migration

From UCS 5.2 onward, Keycloak replaces SimpleSAMLphp and Kopano Konnect as the default Identity Provider.
Remove legacy SSO objects and configure the new SSO URI using:

• univention-keycloak-migration-status --delete --create-sso-uri-setting

This command deletes obsolete UDM objects and creates the UCR variable ucs/server/sso/uri.
After this migration, legacy SimpleSAMLphp-based login will no longer work (expected behavior).

Refer to the Prepare for the update to UCS 5.2 for details.

2. Free Space in /boot

Ensure at least 300 MB of free space in /boot.
You can safely remove old kernel packages using:

• apt autoremove -y
• apt autoclean -y
• univention-prune-kernels

Then check available space:

df -h /boot

If less than 300 MB is free, manually remove additional kernel or initramfs files.
Reference: How to Free Space and Clean Up UCS

3. Upgrade PostgreSQL 9.6

PostgreSQL 9.6 is no longer supported in UCS 5.2.
Upgrade first to version 11 using the documented procedure:

[ -f /usr/sbin/univention-pkgdb-scan ] && chmod -x /usr/sbin/univention-pkgdb-scan
service postgresql stop
rm -rf /etc/postgresql/11
apt-get install --reinstall postgresql-11
ucr set postgres11/autostart='yes'
systemctl unmask postgresql@11-main.service
pg_dropcluster 11 main --stop
service postgresql start
[ -e /var/lib/postgresql/11/main ] && mv /var/lib/postgresql/11/main /var/lib/postgresql/11/main.old
pg_lsclusters -h | grep -q '^9\.6 ' && pg_upgradecluster 9.6 main
pg_lsclusters -h | grep -q '^9\.4 ' && pg_upgradecluster 9.4 main
univention-install --yes univention-postgresql-11
ucr commit /etc/postgresql/11/main/*
chown -R postgres:postgres /var/lib/postgresql/11
[ ! -e /etc/postgresql/11/main/conf.d/ ] && mkdir /etc/postgresql/11/main/conf.d/ && chown postgres:postgres /etc/postgresql/11/main/conf.d/
service postgresql restart
[ -f /usr/sbin/univention-pkgdb-scan ] && chmod +x /usr/sbin/univention-pkgdb-scan

pg_lsclusters -h

Reference: Updating from PostgreSQL 9.6 to 11
Afterward, plan the final upgrade from PostgreSQL 11 → 15 as described in
KB 22162.

4. Remove Legacy Nagios LDAP Objects

UCS 5.2 no longer supports old Nagios timeperiod objects such as:

cn=24x7,cn=nagios,dc=seascope,dc=in
cn=WorkHours,cn=nagios,dc=seascope,dc=in
cn=NonWorkHours,cn=nagios,dc=seascope,dc=in

Use the official Univention script to check and delete these:

• wget https://raw.githubusercontent.com/univention/univention-corporate-server/5.2-0/base/univention-updater/script/check.sh
• chmod +x check.sh
• bash check.sh update_check_legacy_objects
• bash check.sh delete_legacy_objects

Reference: Remove Legacy UDM LDAP Objects (KB 22252)

5. Re-Run the UCS Update

After completing all remediation steps, re-run the update:

univention-upgrade --updateto=5.2-0 --ignoressh --ignoreterm --noninteractive

or use the Software Update module in Univention Management Console (UMC).

The update will first move the system to UCS 5.1 and then automatically proceed to UCS 5.2.

Additional Notes

• Do not disable the pre-update checks (update52/ignore_*) unless explicitly advised by Univention Support.
• Always review the UCS 5.2 Release Notes before starting the upgrade.
• Ensure a valid system backup before major version upgrades.

Summary

See also: