Chapter 4. Issues to be aware of for jessie

Table of Contents

4.1. Limitations in security support
4.1.1. Security status of web browsers
4.1.2. Lack of security support for the ecosystem around libv8 and Node.js
4.1.3. Early termination of MediaWiki security support
4.2. OpenSSH server defaults to "PermitRootLogin without-password"
4.3. Puppet 2.7 / 3.7 compatibility
4.4. PHP 5.6 upgrade has behavioral changes
4.5. Incompatible changes in Apache HTTPD 2.4
4.6. Upgrading installs the new default init system for Jessie
4.6.1. Stricter handling of failing mounts during boot under systemd
4.6.2. Obsolete init-scripts should be purged
4.6.3. Locally modified init-scripts may need to be ported to systemd
4.6.4. Plymouth needed for boot-prompts under systemd boots
4.6.5. Interaction between logind and acpid
4.6.6. Unsupported crypttab features under systemd (e.g. "keyscript=...")
4.7. Required kernel config options for Jessie
4.8. Upgrade considerations for LXC hosts and containers
4.8.1. Upgrading LXC guests running on Wheezy hosts
4.8.2. Upgrading LXC guests running on Jessie hosts
4.8.3. Further information
4.9. Manual migration of disks encrypted with LUKS whirlpool (non-standard setups)
4.10. The GNOME desktop requires basic 3D graphics
4.11. The GNOME desktop does not work with the AMD proprietary FGLRX driver
4.12. Changes in the GNOME default keyboard shortcuts
4.13. Changes to default shell of system users provided by base-passwd
4.14. Migration to new KDE E-mail, Calendar and Contacts (Kontact)
4.15. Missing virtual consoles ("gettys") with multiple desktop environments
4.16. "VGA signal out of range" / blank screen on boot with grub-pc
4.17. Stricter validation of cron files in crontab
4.18. Change in handling of unreadable module paths by perl
4.19. Upgrade considerations for Ganeti clusters
4.19.1. Problem upgrading Ganeti clusters with DRBD-backed instances
4.19.2. General notes on upgrading Ganeti clusters
4.20. New requirements for file execution in Samba4
4.21. Cryptsetup can break boot with BUSYBOX=n

Sometimes, changes introduced in a new release have side-effects we cannot reasonably avoid, or they expose bugs somewhere else. This section documents issues we are aware of. Please also read the errata, the documentation of the relevant packages, bug reports and other information mentioned in Section 5.1, "Further reading".

4.1. Limitations in security support

There are some packages for which Debian cannot promise to provide minimal backports for security issues. These are covered in the following subsections.

Note that the package debian-security-support, introduced in Jessie, helps to track the security support status of installed packages.

4.1.1. Security status of web browsers

Debian 8 includes several browser engines which are affected by a steady stream of security vulnerabilities. The high rate of vulnerabilities and the partial lack of upstream support in the form of long-term branches make it very difficult to support these browsers with backported security fixes. In addition, library interdependencies make it impossible to update to a newer upstream release. Therefore, browsers built upon the webkit, qtwebkit and khtml engines are included in Jessie, but are not covered by full security support. These browsers should not be used against untrusted websites.

For general web browser use we recommend Iceweasel or Chromium.

Chromium, while built upon the Webkit codebase, is a leaf package, which will be kept up to date by rebuilding the current Chromium releases for stable. Iceweasel and Icedove will also be kept up to date by rebuilding the current ESR releases for stable.

4.1.2. Lack of security support for the ecosystem around libv8 and Node.js

The Node.js platform is built on top of libv8-3.14, which experiences a high volume of security issues, but there are currently no volunteers within the project or the security team sufficiently interested and willing to spend the large amount of time required to stem those incoming issues.

Unfortunately, this means that libv8-3.14, nodejs, and the associated node-* package ecosystem should not currently be used with untrusted content, such as unsanitized data from the Internet.

In addition, these packages will not receive any security updates during the lifetime of the Jessie release.

4.1.3. Early termination of MediaWiki security support

Upstream security support for the 1.19 series of mediawiki ends during the expected lifecycle of Jessie. The mediawiki package is included in Jessie to satisfy dependencies in other packages.

Security support for mediawiki will end in conjunction with support for Wheezy in April 2016.

4.2. OpenSSH server defaults to "PermitRootLogin without-password"

In an attempt to harden the default setup, the openssh-server configuration will now default to "PermitRootLogin without-password". If you rely on password authentication for the root user, you may be affected by this change.

openssh-server will attempt to detect such cases and increase the priority of its debconf prompt.

If you want to keep password authentication for the root user, you can also preseed this question by using:

$ echo 'openssh-server openssh-server/permit-root-login boolean true' | debconf-set-selections

4.3. Puppet 2.7 / 3.7 compatibility

If you are using Puppet, please be aware that Puppet 3.7 is not backwards compatible with Puppet 2.7. Among other things, the scoping rules have changed and many deprecated constructs have been removed. See the Puppet 3.x release notes for some of the changes, although be aware that there are further changes in 3.7.

Checking the log files of your current puppetmaster for deprecation warnings and resolving all of those warnings before proceeding with the upgrade will make it much easier to complete the upgrade. Alternatively, or additionally, testing the manifests with a tool like Puppet catalog test may also find potential issues prior to the upgrade.

When upgrading a Puppet-managed system from Wheezy to Jessie, you must ensure that the corresponding puppetmaster runs at least Puppet version 3.7. If the master is running Wheezy's puppetmaster, the managed Jessie system will not be able to connect to it.

For more information on incompatibility changes, please have a look at Telly upgrade issues and "The Angry Guide to Puppet 3".

4.4. PHP 5.6 upgrade has behavioral changes

The upgrade to Jessie includes an upgrade of PHP from 5.4 to 5.6. This could affect local PHP scripts and you are advised to check those scripts before upgrading. Below is a selected subset of these issues:

  • To prevent man-in-the-middle attacks against encrypted transfers, client streams now verify peer certificates by default.

    As a result of this change, existing code using ssl:// or tls:// stream wrappers (e.g. file_get_contents(), fsockopen(), stream_socket_client()) may no longer connect successfully without manually disabling peer verification via the stream context's "verify_peer" setting.

    For more information about this specific issue, please read this document.

  • PHP changes the handling of case in many areas:

    • All internal case-insensitivity handling for class, function and constant names is done according to ASCII rules. The current locale setting is ignored.

    • The keywords "self", "parent" and "static" are now always case-insensitive.

    • The json_decode() function no longer accepts non-lowercase variants of "boolean" values.

  • The Logo GUID functions (e.g. php_logo_guid()) have been removed.

  • It is no longer possible to overwrite keys in static scalar arrays. Please see PHP bug 66015 for an example and more information about this specific issue.

  • The mcrypt_encrypt(), mcrypt_decrypt() and mcrypt_{MODE}() functions no longer accept keys or IVs with incorrect sizes. Furthermore an IV is now required if the used block cipher mode requires it.

  • For legal reasons, the JSON implementation bundled with PHP has been replaced with the version provided by the "jsonc" PECL module. Code that makes assumptions about the finer implementation details of the PHP JSON parser may need to be reviewed.

For more information or the full list of potential issues, please have a look at upstream's list of backwards incompatible changes for PHP 5.5 and 5.6.

4.5. Incompatible changes in Apache HTTPD 2.4

[Note]Note

This section only applies to systems which have installed an Apache HTTPD server and configured it manually.

There have been a number of changes to the configuration of the Apache HTTPD server in version 2.4. On the upstream side, the syntax has changed. Notably, the access control directives have changed considerably and will need manual migration to the new directives.

The mod_access_compat module is mentioned in the upstream upgrade guide as a possible alternative to immediate migration. However, the reports suggest it may not always work.

The managing of configuration files has also been changed in the Debian packaging. In particular, all configuration files and sites must now end with ".conf" to be parsed by default. This change also replaces the existing use of /etc/apache2/conf.d/.

[Note]Note

During the upgrade, you may also see warnings about configuration files placed in /etc/apache2/conf.d/, which are provided by packages from Debian. This warning is unavoidable but harmless as the affected packages will move their configuration once their upgrade completes (which will generally happen after the Apache HTTPD emits its warning).

For more information and the full list of changes, please refer to:

  • Upgrading to 2.4 from 2.2 document provided by Apache for the upstream side.

  • The /usr/share/doc/apache2/NEWS.Debian.gz file provided by the apache2 package.

4.6. Upgrading installs the new default init system for Jessie

Jessie ships with systemd-sysv as default init system. This package is installed automatically on upgrades.

If you have a preference for another init such as sysvinit-core or upstart, it is recommended to set up APT pinning prior to the upgrade. This may also be required if you are upgrading LXC containers before the host. In this case, please refer to Section 4.8.1, "Upgrading LXC guests running on Wheezy hosts".

As an example, to prevent systemd-sysv from being installed during the upgrade, you can create a file called /etc/apt/preferences.d/local-pin-init with the following contents:

Package: systemd-sysv
Pin: release o=Debian
Pin-Priority: -1

[Caution]Caution

Be advised that some packages may have degraded behavior or may be lacking features under a non-default init system.

Please note that the upgrade may install packages containing "systemd" in their name even with APT pinning. These alone do not change your init system. To use systemd as your init system, the systemd-sysv package must be installed first.

If APT or aptitude has issues computing an upgrade path with the pin in place, you may be able to help it by manually installing both sysvinit-core and systemd-shim.

4.6.1. Stricter handling of failing mounts during boot under systemd

The new default init system, systemd-sysv, has a stricter handling of failing "auto" mounts during boot compared to sysvinit. If it fails to mount an "auto" mount (without the "nofail" option), systemd will drop to an emergency shell rather than continuing the boot.

We recommend that all removable or "optional" mount points (e.g. non-critical network drives) listed in /etc/fstab either have the "noauto" or the "nofail" option.
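To find the entries this recommendation applies to before the first boot under systemd, the following added example (not from the release notes) parses an fstab and reports every entry that carries neither "noauto" nor "nofail" and is not one of the filesystems the boot needs anyway; the sample fstab it reads is constructed.

```shell
#!/bin/sh
# Added example (not from the release notes): list the fstab entries that
# systemd treats as mandatory at boot, i.e. those with neither "noauto" nor
# "nofail", so they can be reviewed before the upgrade.  Entries that must be
# present for the system to boot anyway ("/", "/usr", "/boot", swap) are
# skipped; everything else that is reported should get one of the two
# options unless a failed mount really should stop the boot.

# fstab_mandatory_mounts [FILE]   (FILE defaults to /etc/fstab, "-" is stdin)
# Prints "mountpoint<TAB>options" for each mandatory, non-essential entry.
fstab_mandatory_mounts() {
    awk '
        # skip comments and short lines; fields are
        # device, mountpoint, type, options, dump, pass
        $1 ~ /^#/ || NF < 4 { next }
        $2 == "/" || $2 == "/usr" || $2 == "/boot" || $3 == "swap" { next }
        {
            n = split($4, opt, ",")
            optional = 0
            for (i = 1; i <= n; i++)
                if (opt[i] == "noauto" || opt[i] == "nofail") optional = 1
            if (!optional) printf "%s\t%s\n", $2, $4
        }' "${1:-/etc/fstab}"
}

# Constructed sample fstab (not from a real system) with two network shares,
# one of which already carries "nofail", and a removable USB stick.
sample_fstab() {
    cat <<'EOF'
# <file system>     <mount point>  <type>  <options>          <dump> <pass>
UUID=1111-root      /              ext4    errors=remount-ro  0      1
UUID=2222-swap      none           swap    sw                 0      0
nas:/export/media   /mnt/media     nfs     defaults           0      0
nas:/export/backup  /mnt/backup    nfs     defaults,nofail    0      0
/dev/sdb1           /media/usb     vfat    noauto,user        0      0
EOF
}

# On the sample only /mnt/media is reported; on a real system run
# fstab_mandatory_mounts with no argument to read /etc/fstab.
sample_fstab | fstab_mandatory_mounts -
```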

4.6.2. Obsolete init-scripts should be purged

If you are upgrading from previous releases, your system may contain obsolete init-scripts provided by (now) removed packages. These scripts may have inaccurate or no dependency metadata, which can lead to dependency cycles in your init configuration.

To avoid this, we recommend that you go and review the list of packages that are in the "rc" ("Removed, but Config-files remain") state, and purge at least all those containing init-scripts.

Please see Section 3.8.1, "Purging removed packages" for details on finding and purging removed packages.

4.6.3. Locally modified init-scripts may need to be ported to systemd

[Note]Note

This section only applies to systems where Debian-provided init scripts have been modified locally.

If you have modified some of the init scripts provided by Debian, please be aware that these may now have been superseded by a systemd unit file or by systemd itself. If you have debsums installed, you can check for locally modified init scripts by using the following shell command.

debsums -c -e | grep ^/etc/init.d

Alternatively, the following can be used in the absence of debsums.

dpkg-query --show -f'${Conffiles}' | sed 's, /,\n/,g' | \
  grep /etc/init.d | awk '{print $2 "  " $1}' | \
  md5sum --quiet -c

If either command flags any files and their corresponding packages (or systemd itself) now provide a systemd unit file for that service, the systemd unit file will take precedence over your locally modified init script. Depending on the nature of the change, there are different ways to perform the migration.

If necessary, it is possible to override the systemd unit file to have it start the sysvinit script. For more information on systemd unit files, please have a look at the following resources.

4.6.4. Plymouth needed for boot-prompts under systemd boots

If your boot is interactive (e.g. needs a password for an encrypted disk), please ensure that you have plymouth installed and configured. Please refer to /usr/share/doc/plymouth/README.Debian for information on how to configure plymouth.

Without plymouth, you may find that your boot prompt disappears. Reports suggest that the cryptsetup prompt still accepts input despite not being visible. Should you experience this issue, typing the correct password may still work.

4.6.5. Interaction between logind and acpid

ACPI events can be handled by logind or acpid. In case both services are configured to handle events in different ways, this can lead to undesired results.

We recommend to migrate any non-default settings to logind and uninstall acpid. Alternatively it is also possible to configure logind to ignore ACPI events by adding:

HandlePowerKey=ignore
HandleSuspendKey=ignore
HandleHibernateKey=ignore
HandleLidSwitch=ignore

to /etc/systemd/logind.conf. Note that this might change behaviour of desktop environments relying on logind.

4.6.6. Unsupported crypttab features under systemd (e.g. "keyscript=...")

There are some cryptsetup features that are unfortunately not supported when running with systemd as the init system. These are:

  • precheck

  • check

  • checkargs

  • noearly

  • loud

  • keyscript

If your system relies on any of these for successful booting, you will have to use sysvinit (sysvinit-core) as init system. Please refer to Section 4.6, "Upgrading installs the new default init system for Jessie" for how to avoid a particular init system.

You can check if any of these options are in use on your system by running the following command:

grep -e precheck -e check -e checkargs -e noearly -e loud -e keyscript /etc/crypttab

If there is no output from the above, your system does not use any of the affected options.
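The grep above matches substrings anywhere in a line (for example "check" inside "precheck", or a word inside a device name or key file path), so it can report entries whose options are fine. The following added example, not from the release notes, parses the option field of each crypttab entry instead and reports only exact option names; the sample crypttab it reads is constructed.

```shell
#!/bin/sh
# Added example (not from the release notes): report crypttab entries that use
# options which systemd's cryptsetup support ignores.  The option field is
# split on commas and compared by name, so "check" does not also match
# "precheck" and a key file path containing "loud" is not reported.

# crypttab_unsupported [FILE]   (FILE defaults to /etc/crypttab)
# Prints "<target> <option>" for every unsupported option found.
# Returns 0 when none is found, 1 otherwise.
crypttab_unsupported() {
    found=0
    while read -r target source keyfile options; do
        # skip blank lines and comments
        case "$target" in ''|\#*) continue ;; esac
        # "keyscript=/path" style values are reduced to the option name
        old_ifs=$IFS; IFS=,
        for opt in $options; do
            name=${opt%%=*}
            case "$name" in
                precheck|check|checkargs|noearly|loud|keyscript)
                    printf '%s %s\n' "$target" "$name"
                    found=1 ;;
            esac
        done
        IFS=$old_ifs
    done < "${1:-/etc/crypttab}"
    return $found
}

# Constructed sample crypttab (not from a real system).  "loud_disk" and its
# key file contain the word "loud" but use only the supported "luks" option
# plus "noearly"; a plain grep would report it for the wrong reason.
sample_crypttab() {
    cat <<'EOF'
# <target name> <source device> <key file> <options>
sda3_crypt UUID=1111-2222 none luks
data_crypt /dev/sdb1 /etc/keys/data.key luks,keyscript=/lib/cryptsetup/scripts/decrypt_derived
loud_disk /dev/sdc1 /etc/keys/loud.key luks,noearly
EOF
}

# Demonstration on the sample; on a real system call crypttab_unsupported
# with no argument to read /etc/crypttab.
tmp=$(mktemp)
sample_crypttab > "$tmp"
if crypttab_unsupported "$tmp"; then
    echo "no unsupported crypttab options found"
else
    echo "the options above are ignored under systemd; keep sysvinit or change them" >&2
fi
rm -f "$tmp"
```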

4.7. Required kernel config options for Jessie

[Note]Note

This section is only for people who compile their own kernel. If you use the kernels compiled by Debian, you can disregard this section.

The following kernel configuration options are now either required or recommended for Jessie (in addition to existing ones from previous releases):

# Required for udev
CONFIG_DEVTMPFS=y
# Required for *some* systemd services
CONFIG_DEVPTS_MULTIPLE_INSTANCES=y
# Required by "bluez" (GNOME)
CONFIG_BT=y
# Required for cups + systemd.
CONFIG_PPDEV=y

The systemd services which require CONFIG_DEVPTS_MULTIPLE_INSTANCES=y will typically contain at least one of the following directives:

PrivateTmp=yes
PrivateDevices=yes
PrivateNetwork=yes
ProtectSystem=yes

If you do not use systemd, or can assert that none of the systemd services will use the above directives, the config option might not be required for your particular system.

For more information about the requirements, please refer to the section called "REQUIREMENTS" in the README file for the package systemd.

4.8. Upgrade considerations for LXC hosts and containers

[Note]Note

This section only applies to systems that have LXC containers and hosts. Normal end user systems usually do not have these.

The upgrade from Wheezy to Jessie will migrate your system to the systemd init system by default (see Section 4.6, "Upgrading installs the new default init system for Jessie").

When upgrading an LXC container or an LXC virtual machine, this will have different consequences depending on whether the host system has already been upgraded to Jessie or not.

4.8.1. Upgrading LXC guests running on Wheezy hosts

If you are upgrading an LXC guest container that is running on a Wheezy host system, then you will need to prevent the guest from being automatically migrated to systemd. You prevent the migration via pinning, as described in Section 4.6, "Upgrading installs the new default init system for Jessie".

This is required as the Wheezy host lacks functionality to boot a system running systemd.

You should be able to switch over to systemd inside the LXC guest once you have upgraded the host system to Jessie. See the next paragraph for things that need to be adapted on Jessie hosts.

4.8.2. Upgrading LXC guests running on Jessie hosts

In order to be able to boot LXC guests with systemd, you need to adapt your LXC container configuration. The container configuration can usually be found in /var/lib/lxc/CONTAINER_NAME/config. You need to add the following two settings to the configuration:

lxc.autodev = 1
lxc.kmsg = 0

4.8.3. Further information

You can find further information on LXC in Debian in the Debian wiki.

4.9. Manual migration of disks encrypted with LUKS whirlpool (non-standard setups)

[Note]Note

This section is only for people who have set up LUKS encrypted disks themselves using the whirlpool hash. The debian-installer has never supported creating such disks.

If you have manually set up an encrypted disk with LUKS whirlpool, you will need to migrate it manually to a stronger hash. You can check if your disk is using whirlpool by using the following command:

# /sbin/cryptsetup luksDump <disk-device> | grep -i whirlpool

For more information on migrating, please see item "8.3 Gcrypt 1.6.x and later break Whirlpool" of the cryptsetup FAQ.

[Caution]Caution

If you have such a disk, cryptsetup will refuse to decrypt it by default. If your rootdisk or other system disks (e.g. /usr) are encrypted with whirlpool, you should migrate them prior to the first reboot after upgrading cryptsetup.

4.10. The GNOME desktop requires basic 3D graphics

The GNOME 3.14 desktop in Jessie no longer has fallback support for machines without basic 3D graphics. To run properly, it needs either a recent enough PC (any PC built in the last 10 years should have the required SSE2 support) or, for architectures other than i386 and amd64, a 3D-accelerated graphics adapter with EGL drivers.

4.11. The GNOME desktop does not work with the AMD proprietary FGLRX driver

Unlike other OpenGL drivers, the AMD FGLRX driver for Radeon adapters does not support the EGL interface. As such, several GNOME applications, including the core of the GNOME desktop, will not start at all when this driver is in use.

It is recommended to use the free radeon driver, which is the default in jessie, instead.

4.12. Changes in the GNOME default keyboard shortcuts

The default keyboard shortcuts in the GNOME desktop have changed in order to match more closely those of some other operating systems.

Shortcut settings previously modified by the user will be preserved upon upgrade. These settings can still be configured from the GNOME control center, accessible from the top right menu by clicking on the "settings" icon.

4.13. Changes to default shell of system users provided by base-passwd

The upgrade of the base-passwd package will reset the shell of some system users to the "nologin" shell. This includes the following users:

  • daemon

  • bin

  • sys

  • games

  • man

  • lp

  • mail

  • news

  • uucp

  • proxy

  • www-data

  • backup

  • list

  • irc

  • gnats

  • nobody

If your local setup requires that any of these users have a shell, you should say no to migrating, or migrate and then change the shell of the corresponding users. Notable examples include local backups done via the "backup" user with "ssh-key" authentication.

[Caution]Caution

The migration will happen automatically if your debconf question priority is "high" or above.

If you want to keep the current shell for a given user, you can preseed the questions by using the following:

echo 'base-passwd base-passwd/system/username/shell/current-shell-mangled/_usr_sbin_nologin boolean false' | debconf-set-selections

Where username is the name of the user and current-shell-mangled is the mangled name of the shell. The mangling is done by replacing all characters other than alphanumerics, dashes and underscores with underscores. E.g. /bin/bash becomes _bin_bash.
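The mangling rule can be applied mechanically. The following added example (not from the release notes) derives the mangled shell name from a user's current login shell and prints the matching preseed line; mangle_shell and preseed_keep_shell are helper names chosen here, and the "backup" / "/bin/sh" values in the demonstration are constructed.

```shell
#!/bin/sh
# Added example (not from the release notes): build the debconf preseed line
# that keeps a system user's current shell, deriving the "mangled" shell name
# with the rule described above (every character other than alphanumerics,
# dashes and underscores becomes an underscore).

# mangle_shell /path/to/shell  ->  _path_to_shell
mangle_shell() {
    printf '%s\n' "$1" | sed 's/[^A-Za-z0-9_-]/_/g'
}

# preseed_keep_shell USER [SHELL]
# Prints the debconf selection that answers "no" to switching USER to
# /usr/sbin/nologin.  SHELL defaults to the user's current login shell from
# the passwd database (getent), which is what you want on a real system.
preseed_keep_shell() {
    user=$1
    shell=${2:-$(getent passwd "$user" | cut -d: -f7)}
    if [ -z "$shell" ]; then
        echo "preseed_keep_shell: no shell found for user '$user'" >&2
        return 1
    fi
    printf 'base-passwd base-passwd/system/%s/shell/%s/_usr_sbin_nologin boolean false\n' \
        "$user" "$(mangle_shell "$shell")"
}

# Demonstration with constructed values: keep /bin/sh for the "backup" user.
# On a real system omit the second argument so the shell is read from
# /etc/passwd, and pipe the output into debconf-set-selections before the
# upgrade.
preseed_keep_shell backup /bin/sh
```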

4.14. Migration to new KDE E-mail, Calendar and Contacts (Kontact)

The Kontact Personal Information Management system has received a major upgrade. The new version makes much greater use of metadata indexing and each user's data must be migrated into these new indices.

E-mail, calendar events, and addressbook contacts are automatically migrated when the user logs in and the relevant component is started. Some advanced settings such as e-mail filters and custom templates require manual intervention. Further details and troubleshooting suggestions are collected on the Debian Wiki.

4.15. Missing virtual consoles ("gettys") with multiple desktop environments

If you have multiple desktop environments installed, you may find that none of the virtual consoles ("gettys") shows a login prompt.

This issue seems to occur when plymouth, systemd, and GNOME are all installed. This issue is reported as Debian Bug#766462.

It has been reported that removing the "splash" argument from the kernel command-line may work around the issue. Please see /etc/default/grub and remember to run update-grub after updating the file.

4.16. "VGA signal out of range" / blank screen on boot with grub-pc

There is a compatibility issue in grub-pc with older graphics cards (e.g. the "ATI Rage 128 Pro Ultra TR") that can cause it to show a blank screen during boot. The display may issue a "VGA signal out of range" message (or something similar).

A simple way to work around this is to set GRUB_TERMINAL=console in /etc/default/grub.

4.17. Stricter validation of cron files in crontab

The crontab program is now more strict and may refuse to save a changed cron file if it is invalid. If you experience issues with crontab -e, please review your crontab for existing mistakes.

4.18. Change in handling of unreadable module paths by perl

From version 5.18 (and 5.20, which is included in Jessie), Perl will exit with a fatal error if it encounters unreadable module paths in @INC. The previous behavior was to skip such entries. It is recommended to check the contents of @INC in your environment for directories which are not world-readable, and take appropriate action.

You can see the default @INC for Perl by running perl -V.

4.19. Upgrade considerations for Ganeti clusters

4.19.1. Problem upgrading Ganeti clusters with DRBD-backed instances

The version of ganeti (2.12.0-3) released with Jessie does not support migrations from installations running 2.5 or earlier (including Wheezy) in cases where there are instances with DRBD disks. It is hoped that this issue will be fixed in a point release, and recommended that you do not upgrade affected Ganeti clusters in the meantime. You can find more information about this issue at Debian Bug#783186.

4.19.2. General notes on upgrading Ganeti clusters

The recommended procedure to upgrade a Ganeti cluster from Wheezy's ganeti version (2.5.2-1) to Jessie's (2.12.0-3) is to stop all instances and then upgrade and reboot all nodes at once. This will ensure that all instances run with Jessie's hypervisor version and that all nodes run the same versions of Ganeti and DRBD.

Note that running a cluster with mixed 2.5 and 2.12 nodes is not supported. Also note that, depending on the hypervisor, instance live migrations may not work between Wheezy and Jessie hypervisor versions.

4.20. New requirements for file execution in Samba4

If a client requests that a file should be "opened for execution", Samba4 will require the executable bit to be set on the file in addition to the regular read permissions. This also causes "netlogon" scripts to be silently ignored if they lack this executable bit.

4.21. Cryptsetup can break boot with BUSYBOX=n

[Note]Note

This section only applies to people that have manually changed their /etc/initramfs-tools/initramfs.conf to not use busybox.

If you have both busybox and cryptsetup installed and have configured the initramfs not to use busybox, your system may be rendered unbootable.

Please check the value of the BUSYBOX setting in /etc/initramfs-tools/initramfs.conf if you have both of these packages installed. At this time, the known workarounds are uninstalling busybox or setting BUSYBOX=y in /etc/initramfs-tools/initramfs.conf.

[Warning]Warning

If you had to make any changes, please remember to run update-initramfs -u to update your initramfs. Otherwise, you may still end up with a broken boot.

Please see Debian Bug#783297 for more information.