Chapter 5. Issues to be aware of for jessie

Table of Contents

5.1. Security status of web browsers
5.2. OpenSSH server defaults to "PermitRootLogin without-password"
5.3. Puppet 2.7 / 3.7 compatibility
5.4. PHP 5.6 upgrade has behavioural changes
5.5. Incompatible changes in Apache HTTPD 2.4
5.6. Upgrading installs the new default init system for Jessie
5.6.1. Stricter handling of failing mounts during boot under systemd
5.6.2. Some systemd services may require a kernel configured with CONFIG_DEVPTS_MULTIPLE_INSTANCES=y (non-standard setups)
5.6.3. Locally modified init-scripts may need to be ported to systemd
5.6.4. Plymouth needed for boot-prompts under systemd boots
5.7. Jessie udev needs kernel with CONFIG_DEVTMPFS=y (non-standard setups)
5.8. Upgrade considerations for LXC hosts and containers
5.8.1. Upgrading LXC guests running on wheezy hosts
5.8.2. Upgrading LXC guests running on jessie hosts
5.8.3. Further information
5.9. Manual migration of disks encrypted with LUKS whirlpool (non-standard setups)
5.10. The GNOME desktop requires basic 3D graphics
5.11. The GNOME desktop does not work with the AMD proprietary FGLRX driver
5.12. Changes in the GNOME default keyboard shortcuts
5.13. Changes to default shell of system users provided by base-passwd
5.14. Migration to new KDE E-mail, Calendar and Contacts (Kontact)
5.15. Missing virtual consoles ("getty"s) with multiple desktop environments

Sometimes changes introduced in a new release have side-effects we cannot reasonably avoid, or they expose bugs elsewhere. This section documents the issues we are aware of. Please also read the errata, the documentation of the relevant packages, the bug reports and the other information mentioned in Section 6.1, “Further reading”.

5.1. Security status of web browsers

Debian 8 includes several browser engines which are affected by a steady stream of security vulnerabilities. The high rate of vulnerabilities, together with the partial lack of upstream support in the form of long-term maintained branches, makes it very difficult to support these browsers with backported security fixes. In addition, library interdependencies make it impossible to update to a newer upstream release. Browsers built on the webkit, qtwebkit and khtml engines are therefore included in Jessie, but they are not covered by full security support. These browsers should not be used to access untrusted websites.

For general web browser use we recommend Iceweasel or Chromium.

Chromium - while built upon the Webkit codebase - is a leaf package, which will be kept up-to-date by rebuilding the current Chromium releases for stable. Iceweasel and Icedove will also be kept up-to-date by rebuilding the current ESR releases for stable.

Note that the package debian-security-support, introduced in Jessie, helps to track security support status of installed packages.

5.2. OpenSSH server defaults to "PermitRootLogin without-password"

In an attempt to harden the default setup, the openssh-server configuration will now default to "PermitRootLogin without-password". If you rely on password authentication for the root user, you may be affected by this change.

The openssh-server will attempt to detect such cases and increase the priority of its debconf prompt.

If you want to keep password authentication for the root user, you can also preseed this question by using:

$ echo 'openssh-server openssh-server/permit-root-login boolean true' | debconf-set-selections
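A pre-upgrade check, added here as an example and not part of the release notes: it reads an sshd_config, applies sshd's rule that the first occurrence of a keyword wins and that lines after a Match block are conditional, and reports the effective global PermitRootLogin value, assuming the jessie default "without-password" when nothing is set. The two configuration samples are constructed for the example.

```shell
#!/bin/sh
# Added example: report the effective global PermitRootLogin value of an
# sshd_config, assuming the jessie default "without-password" when unset.

# Constructed sshd_config samples (not real host files).
SAMPLE_EXPLICIT='# global settings
Port 22
permitrootlogin yes
PasswordAuthentication yes
Match User alice
    PermitRootLogin no'

SAMPLE_DEFAULT='Port 22
PasswordAuthentication yes'

# Read sshd_config text on stdin and print the effective PermitRootLogin value.
# sshd uses the first occurrence of a keyword (keywords are case-insensitive),
# and lines after a Match block only apply inside that block, so reading stops
# at the first Match line. Nothing set means the jessie default applies.
effective_permit_root_login() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }                 # comments and blank lines
        tolower($1) == "match" { exit }                # conditional section starts
        tolower($1) == "permitrootlogin" { print $2; found = 1; exit }
        END { if (!found) print "without-password" }   # jessie default
    '
}

# Exit status 0 when root may still log in with a password ("yes"), 1 otherwise;
# every other value (no, without-password, forced-commands-only) needs a key.
root_password_login_allowed() {
    [ "$(effective_permit_root_login)" = "yes" ]
}

# Example run over the constructed samples; on a real host read
# /etc/ssh/sshd_config instead, e.g. effective_permit_root_login < /etc/ssh/sshd_config
main() {
    for sample in "$SAMPLE_EXPLICIT" "$SAMPLE_DEFAULT"; do
        value=$(printf '%s\n' "$sample" | effective_permit_root_login)
        printf 'effective PermitRootLogin: %s\n' "$value"
    done
}
main
```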

5.3. Puppet 2.7 / 3.7 compatibility

If you are using Puppet, please be aware that Puppet 3.7 is not backwards compatible with Puppet 2.7. Among other things, the scoping rules have changed and many deprecated constructs have been removed. See the Puppet 3.x release notes for some of the changes, although be aware that there are further changes in 3.7.

Checking the log files of your current puppetmaster for deprecation warnings and resolving all of those warnings before proceeding with the upgrade will make it much easier to complete the upgrade. Alternatively, or additionally, testing the manifests with a tool like Puppet catalog test may also find potential issues prior to the upgrade.

When upgrading a Puppet managed system from wheezy to jessie, you must ensure that the corresponding puppetmaster runs at least Puppet version 3.7. If the master is running wheezy's puppetmaster, the managed jessie system will not be able to connect to it.

For more information on incompatible changes, please have a look at Telly upgrade issues and "The Angry Guide to Puppet 3".

5.4. PHP 5.6 upgrade has behavioural changes

The upgrade to Jessie includes an upgrade of PHP from 5.4 to 5.6. This may affect any local PHP scripts, and you are advised to check those scripts before upgrading. Below is a selected subset of these issues:

  • To prevent man-in-the-middle attacks against encrypted transfers, client streams now verify peer certificates by default.

    As a result of this change, existing code using ssl:// or tls:// stream wrappers (e.g. file_get_contents(), fsockopen(), stream_socket_client()) may no longer connect successfully without manually disabling peer verification via the stream context's "verify_peer" setting.

    For more information about this particular issue, please read this document.

  • PHP changes the handling of case-insensitivity in many cases:

    • All internal case insensitivity handling for class, function and constant names is done according to ASCII rules. Current locale settings are ignored.

    • The keywords "self", "parent" and "static" are now always case insensitive.

    • The json_decode() function no longer accepts non-lowercase variants of "boolean" values.

  • The logo GUID functions (e.g. php_logo_guid()) have been removed.

  • It is no longer possible to overwrite keys in static scalar arrays. Please see PHP bug 66015 for an example and more information about this particular issue.

  • The mcrypt_encrypt(), mcrypt_decrypt() and mcrypt_{MODE}() functions no longer accept keys or IVs with incorrect sizes. Furthermore an IV is now required if the used block cipher mode requires it.

  • For legal reasons, the JSON implementation bundled with PHP has been replaced with the version provided by the "jsonc" PECL module. Code that makes assumptions (if any) about the finer implementation details of the PHP JSON parser may need to be reviewed.

For more information or the full list of potential issues, please have a look at upstream's list of backwards incompatible changes for PHP 5.5 and 5.6.

5.5. Incompatible changes in Apache HTTPD 2.4

Note

This section only applies to systems which have an Apache HTTPD server installed and configured manually.

There have been a number of changes to the configuration of the Apache HTTPD server in version 2.4. On the upstream side, the syntax has changed. Notably, the access control directives have changed considerably and will need manual migration to the new directives.

The management of configuration files has also changed in the Debian packaging. In particular, all configuration files and sites must now end with ".conf" to be parsed by default. This change also replaces the existing use of /etc/apache2/conf.d/.

For more information and the full list of changes, please refer to:

  • Upgrading to 2.4 from 2.2 document provided by Apache for the upstream side.

  • The /usr/share/doc/apache2/NEWS.Debian.gz file provided by the apache2 package.

5.6. Upgrading installs the new default init system for Jessie

Jessie ships with systemd-sysv as default init system. If you have a preference for another init such as sysvinit-core or upstart, it is recommended to set up APT pinning prior to the upgrade. This may also be required if you are upgrading LXC containers before the host. In this case, please refer to Section 5.8.1, “Upgrading LXC guests running on wheezy hosts”.

As an example, to prevent systemd from being installed during the upgrade, you can create a file called /etc/apt/preferences.d/local-pin-init with the following contents:

Package: systemd-sysv
Pin: release o=Debian
Pin-Priority: -1
Caution

Be advised that some packages may have degraded behaviour or may be lacking features under a non-default init system.

Please note that the upgrade may install packages containing "systemd" in their name even with APT pinning. These alone do not change your init system. To use systemd as your init system, the systemd-sysv package must be installed first.

5.6.1. Stricter handling of failing mounts during boot under systemd

The new default init system, systemd-sysv, has a stricter handling of failing "auto" mounts during boot compared to sysvinit. If it fails to mount an "auto" mount (without the "nofail" option), systemd will drop to an emergency shell rather than continuing the boot.

We recommend that all removable or "optional" mount points (e.g. non-critical network drives) listed in /etc/fstab either have the "noauto" or the "nofail" option.
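An audit of /etc/fstab for the situation described above, added here as an example that is not part of the release notes: it lists every non-swap entry that carries neither "noauto" nor "nofail" (the entries whose failure stops a systemd boot) and then narrows that list to network file systems, the usual "optional" mounts. The fstab content and the list of network file system types are assumptions of the example.

```shell
#!/bin/sh
# Added example: audit an fstab for entries systemd will treat as required at
# boot, i.e. entries with neither "noauto" nor "nofail" in their options.

# Constructed fstab (not a real system file).
SAMPLE_FSTAB='# <file system>  <mount point>  <type>  <options>  <dump>  <pass>
UUID=1111-aaaa   /          ext4  errors=remount-ro                  0 1
UUID=2222-bbbb   none       swap  sw                                 0 0
nas:/export      /mnt/nas   nfs   defaults                           0 0
/dev/sdb1        /mnt/usb   vfat  noauto,user                        0 0
nas:/backup      /mnt/bak   nfs   nofail,x-systemd.device-timeout=10 0 0'

# Read fstab text on stdin; print "<mount point> <type>" for every non-swap
# entry whose option list contains neither noauto nor nofail. A failure of any
# of these during boot drops systemd into the emergency shell.
boot_critical_mounts() {
    awk '
        /^[ \t]*#/ || NF < 4 { next }      # comments, blank and malformed lines
        $3 == "swap" { next }              # swap is not a mount unit
        {
            n = split($4, opts, ",")
            critical = 1
            for (i = 1; i <= n; i++)
                if (opts[i] == "noauto" || opts[i] == "nofail") critical = 0
            if (critical) print $2, $3
        }'
}

# Narrow the list to network file systems, the "optional" mounts the notes call
# out; these are the first candidates for adding nofail. The type list is an
# assumption of this example; extend it for your environment.
network_mounts_without_nofail() {
    boot_critical_mounts | awk '$2 ~ /^(nfs|nfs4|cifs|smbfs|sshfs|glusterfs)$/ { print $1 }'
}

# Example run over the constructed sample; on a real host use:
#   network_mounts_without_nofail < /etc/fstab
printf '%s\n' "$SAMPLE_FSTAB" | network_mounts_without_nofail
```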

5.6.2. Some systemd services may require a kernel configured with CONFIG_DEVPTS_MULTIPLE_INSTANCES=y (non-standard setups)

Note

This section is only for people who compile their own kernel. If you use the kernels compiled by Debian, you can disregard this section.

Some systemd-enabled services may require that your kernel is compiled with CONFIG_DEVPTS_MULTIPLE_INSTANCES=y. Therefore we recommend that you ensure your custom kernel is recompiled with the specified option enabled. Such service files will often contain at least one of:

PrivateTmp=yes
PrivateDevices=yes
PrivateNetwork=yes
ProtectSystem=yes

5.6.3. Locally modified init-scripts may need to be ported to systemd

Note

This section only applies to systems where Debian provided init scripts have been modified locally.

If you have modified some of your init scripts provided by Debian, please be aware that these may now have been superseded by a systemd unit file or by systemd itself. If you have debsums installed, you can check for locally modified init scripts by using the following shell command.

debsums -c -e | grep ^/etc/init.d

Alternatively, the following can be used in the absence of debsums.

  dpkg-query --show -f'${Conffiles}' | sed 's, /,\n/,g' | \
    grep /etc/init.d | awk 'NF,OFS="  " {print $2, $1}' | \
    md5sum --quiet -c

If either command flags any files, and the corresponding package or systemd itself now provides a systemd unit file for that service, the systemd unit file will take precedence over your locally modified init script. Depending on the nature of the change, there are different ways to perform the migration.

If necessary, it is possible to override the systemd unit file to have it start the sysvinit script. For more information on systemd unit files, please have a look at the following resources.

5.6.4. Plymouth needed for boot-prompts under systemd boots

If your boot is interactive (e.g. needs a password for an encrypted disk), please ensure that you have plymouth installed.

Without plymouth, you may experience that your boot prompt disappears. Reports suggest that the cryptsetup prompt still accepts input despite not being visible. Should you experience this issue, typing the correct password may still work.

5.7. Jessie udev needs kernel with CONFIG_DEVTMPFS=y (non-standard setups)

Note

This section is only for people who compile their own kernel. If you use the kernels compiled by Debian, you can disregard this section.

The udev package in Jessie requires a kernel compiled with "CONFIG_DEVTMPFS=y". Please ensure your kernel is compiled with that option prior to upgrading. For more information see /usr/share/doc/systemd/README.gz.

5.8. Upgrade considerations for LXC hosts and containers

Note

This section only applies to systems that have LXC containers and hosts. Normal end user systems usually do not have these.

The upgrade from wheezy to jessie will migrate your system to the systemd init system by default (see Section 5.6, “Upgrading installs the new default init system for Jessie”).

When upgrading an LXC container or an LXC virtual machine, the consequences differ depending on whether the host system has already been upgraded to jessie or not.

5.8.1. Upgrading LXC guests running on wheezy hosts

If you are upgrading an LXC guest container that is running on a Wheezy host system, then you will need to prevent the guest from being automatically migrated to systemd. You prevent the migration via pinning, as described in Section 5.6, “Upgrading installs the new default init system for Jessie”.

This is required as the Wheezy host lacks functionality to boot a system running systemd.

You should be able to switch over to systemd inside the LXC guest once you have upgraded the host system to Jessie. See the next paragraph for things that need to be adapted on Jessie hosts.

5.8.2. Upgrading LXC guests running on jessie hosts

In order to be able to boot LXC guests with systemd, you need to adapt your LXC container configuration. The container configuration can usually be found in /var/lib/lxc/CONTAINER_NAME/config. You need to add the following two settings to the configuration:

lxc.autodev = 1
lxc.kmsg = 0

5.8.3. Further information

You can find further information on LXC in Debian in the Debian wiki.

5.9. Manual migration of disks encrypted with LUKS whirlpool (non-standard setups)

Note

This section is only for people who have set up LUKS encrypted disks themselves using the whirlpool hash. The debian-installer never supported creating such disks.

If you have manually set up an encrypted disk with LUKS whirlpool, you will need to migrate it manually to a stronger hash. You can check whether your disk is using whirlpool with the following command:

    # /sbin/cryptsetup luksDump <disk-device> | grep -i whirlpool

For more information on migrating, please see item "8.3 Gcrypt 1.6.x and later break Whirlpool" of the cryptsetup FAQ.

Caution

If you have such a disk, cryptsetup will refuse to decrypt it by default. If your rootdisk or other system disks (e.g. /usr) are encrypted with whirlpool, you should migrate them prior to the first reboot after upgrading cryptsetup.

5.10. The GNOME desktop requires basic 3D graphics

The GNOME 3.14 desktop in Jessie no longer has fallback support for machines without basic 3D graphics. To run properly, it needs either a recent enough PC (any PC built in the last 10 years should have the required SSE2 support) or, for architectures other than i386 and amd64, a 3D-accelerated graphics adapter with EGL drivers.

5.11. The GNOME desktop does not work with the AMD proprietary FGLRX driver

Unlike other OpenGL drivers, the AMD FGLRX driver for Radeon adapters does not support the EGL interface. As such, several GNOME applications, including the core of the GNOME desktop, will not start at all when this driver is in use.

It is recommended to use the free radeon driver, which is the default in jessie, instead.

5.12. Changes in the GNOME default keyboard shortcuts

The default keyboard shortcuts in the GNOME desktop have changed in order to match more closely those of some other operating systems.

Shortcut settings previously modified by the user will be preserved upon upgrade. These settings can still be configured from the GNOME control center, accessible from the top right menu by clicking on the “settings” icon.

5.13. Changes to default shell of system users provided by base-passwd

The upgrade of the base-passwd package will reset the shell of the system users it provides to the "nologin" shell. This includes the following users:

  • daemon

  • bin

  • sys

  • games

  • man

  • lp

  • mail

  • news

  • uucp

  • proxy

  • www-data

  • backup

  • list

  • irc

  • gnats

  • nobody

If your local setup requires that any of these users have a shell, you should say no to migrating, or migrate and then change the shell of the corresponding users. Notable examples include local backups done via the "backup" user with "ssh-key" authentication.

Caution

The migration will happen automatically if your debconf question priority is "high" or above.

If you know you want to keep the current shell of a given user, you can preseed the questions by using the following:

    echo 'base-passwd base-passwd/system/username/shell/current-shell-mangled/_usr_sbin_nologin boolean false' | debconf-set-selections

Where username is the name of the user in question and current-shell-mangled is the mangled name of the shell. The mangling is done by replacing all non-alphanumerical, non-dashes and non-underscores with underscores. E.g. /bin/bash becomes _bin_bash.
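A helper for the procedure above, added here as an example that is not part of the release notes: it implements the shell-name mangling rule, finds which of the listed system users still have a shell other than /usr/sbin/nologin in a passwd file, and emits the matching preseed lines for debconf-set-selections. The passwd excerpt is constructed for the example.

```shell
#!/bin/sh
# Added example: find which base-passwd system users the upgrade will switch
# to nologin, and build the preseed lines that keep their current shell.

# Constructed /etc/passwd excerpt (not a real system file).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash'

# The system users listed in this section of the release notes.
BASE_PASSWD_USERS="daemon bin sys games man lp mail news uucp proxy www-data backup list irc gnats nobody"

# Mangle a shell path the way the debconf question name does: any character
# that is not alphanumeric, a dash or an underscore becomes an underscore.
mangle_shell() {
    printf '%s' "$1" | sed 's/[^A-Za-z0-9_-]/_/g'
}

# Print the preseed line that keeps USER's current SHELL instead of nologin.
keep_shell_preseed() {
    printf 'base-passwd base-passwd/system/%s/shell/%s/_usr_sbin_nologin boolean false\n' \
        "$1" "$(mangle_shell "$2")"
}

# Read passwd data on stdin and print "user shell" for each listed system
# user whose shell is not already nologin, i.e. the accounts the upgrade changes.
affected_system_users() {
    awk -F: -v users="$BASE_PASSWD_USERS" '
        BEGIN { n = split(users, u, " "); for (i = 1; i <= n; i++) want[u[i]] = 1 }
        ($1 in want) && $7 != "/usr/sbin/nologin" { print $1, $7 }'
}

# Emit one preseed line per affected user, ready for debconf-set-selections.
preseed_for_affected() {
    affected_system_users | while read -r user shell; do
        keep_shell_preseed "$user" "$shell"
    done
}

# Example run over the constructed sample; on a real host use:
#   preseed_for_affected < /etc/passwd | debconf-set-selections
printf '%s\n' "$SAMPLE_PASSWD" | preseed_for_affected
```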

5.14. Migration to new KDE E-mail, Calendar and Contacts (Kontact)

The Kontact Personal Information Management system has received a major upgrade. The new version makes much greater use of metadata indexing and each user's data must be migrated into these new indices.

E-mail, calendar events and addressbook contacts are automatically migrated when the user logs in and the relevant component is started. Some advanced settings such as e-mail filters and custom templates require manual intervention. Further details and troubleshooting suggestions are collected on the Debian Wiki.

5.15. Missing virtual consoles ("getty"s) with multiple desktop environments

If you have multiple desktop environments installed, you may experience that none of the "virtual consoles" show a login prompt.

This issue seems to occur when plymouth, systemd and GNOME are all installed. This issue is reported as Debian Bug#766462.

It has been reported that removing the "splash" argument from the kernel command-line may work around the issue. Please see /etc/default/grub and remember to run update-grub after updating the file.