Chapter 5. Issues to be aware of for jessie

Table of Contents

5.1. Limitations in security support
5.1.1. Security status of web browsers
5.1.2. Lack of security support for the ecosystem around libv8 and Node.js
5.2. OpenSSH server defaults to "PermitRootLogin without-password"
5.3. Puppet 2.7 / 3.7 compatibility
5.4. PHP 5.6 changes in behavior
5.5. Incompatible changes in Apache HTTPD 2.4
5.6. Upgrading installs the new default init system for Jessie
5.6.1. Stricter handling of failing mounts during boot under systemd
5.6.2. Obsolete init-scripts should be purged
5.6.3. Locally modified init-scripts may need to be ported to systemd
5.6.4. Plymouth is required for boot-prompt interaction under systemd
5.7. Required kernel config options for Jessie
5.8. Upgrade considerations for LXC hosts and containers
5.8.1. Upgrading LXC guests running on wheezy hosts
5.8.2. Upgrading LXC guests running on jessie hosts
5.8.3. Further information
5.9. Manual migration of disks encrypted with LUKS whirlpool (non-standard setups)
5.10. The GNOME desktop requires basic 3D graphics
5.11. The GNOME desktop does not work with the AMD proprietary FGLRX driver
5.12. Changes in the GNOME default keyboard shortcuts
5.13. Changes to default shell of system users provided by base-passwd
5.14. Migration to new KDE E-mail, Calendar and Contacts (Kontact)
5.15. Missing virtual consoles ("getty"s) with multiple desktop environments
5.16. "VGA signal out of range" / blank screen during boot with grub-pc
5.17. Stricter validation of cron files in crontab
5.18. Change in handling of unreadable module paths by perl

Sometimes, changes introduced in a new release have side-effects we cannot reasonably avoid, or they expose bugs somewhere else. This section documents the issues we are aware of. Please also read the errata, the relevant packages' documentation, bug reports and other information mentioned in Section 6.1, "Further reading".

5.1. Limitations in security support

There are some packages where Debian cannot promise to provide minimal backports for security issues. These are covered in the following subsections.

The debian-security-support package helps to track the security support status of installed packages. It was introduced in Jessie.

5.1.1. Security status of web browsers

Debian 8 includes several browser engines which are affected by a steady stream of security vulnerabilities. The high rate of vulnerabilities and the partial lack of upstream support in the form of long-term branches make it very difficult to support these browsers with backported security fixes. Additionally, library interdependencies make it impossible to update them to newer upstream releases. Browsers built upon the webkit, qtwebkit and khtml engines are therefore included in Jessie, but are not covered by security support. These browsers should not be used against untrusted websites.

For general web browser use we recommend Iceweasel or Chromium.

Chromium - while built upon the Webkit codebase - is a leaf package. It will be kept up-to-date by rebuilding the current Chromium releases for the Debian stable release. Iceweasel and Icedove will also be kept up-to-date by rebuilding the current ESR releases for the Debian stable release.

5.1.2. Lack of security support for the ecosystem around libv8 and Node.js

The Node.js platform is built on top of libv8-3.14, which receives a high volume of security issues, but there are currently no volunteers within the project or the security team sufficiently interested and willing to spend the large amount of time required to stem those incoming issues.

Unfortunately, this means that libv8-3.14, nodejs and the associated node-* package ecosystem should not currently be used with untrusted content, for example unsanitized data from the internet.

In addition, these packages will not receive any security updates during the lifetime of the jessie release.

5.2. OpenSSH server defaults to "PermitRootLogin without-password"

In an attempt to harden the default setup, the openssh-server package now defaults to the "PermitRootLogin without-password" setting. If you rely on password authentication for the root user, you may be affected by this change.

The openssh-server package will attempt to detect such systems and raise the priority of its debconf prompt accordingly.

If you want to keep password authentication for the root user, you can also preseed the answer to this question by using:

$ echo 'openssh-server openssh-server/permit-root-login boolean true' | debconf-set-selections

5.3. Puppet 2.7 / 3.7 compatibility

Please note that Puppet 3.7 is not backward compatible with Puppet 2.7. Among other things, the scoping rules have changed and a number of deprecated constructs have been removed. See the Puppet 3.x release notes for some of the changes; further adjustments have been made in Puppet 3.7.

Read the log file of your current puppetmaster and resolve everything that causes deprecation warnings before proceeding with the upgrade; this will make the upgrade much smoother. Alternatively, or in addition, testing the manifests with a tool such as Puppet catalog test may catch potential problems before the upgrade.

When upgrading a Puppet managed system from Wheezy to Jessie, you must ensure that the corresponding puppetmaster runs at least version 3.7 of Puppet. If the master is running wheezy's puppetmaster, the managed Jessie system will not be able to connect to it.

For more information on the changes, please read Telly upgrade issues and "The Angry Guide to Puppet 3" (both in English).

5.4. PHP 5.6 changes in behavior

The upgrade to Jessie includes an upgrade of PHP from 5.4 to 5.6. This may affect local PHP scripts, and you are advised to check those scripts before upgrading. Below is a selection of these issues:

  • To prevent man-in-the-middle attacks against encrypted transfers, client streams now verify peer certificates by default.

    As a result of this, existing code that uses the ssl:// or tls:// stream wrappers (e.g. file_get_contents(), fsockopen(), stream_socket_client()) will no longer connect successfully without manually disabling peer verification via the "verify_peer" setting of the stream context.

    For more information about this particular issue, please read this document.

  • PHP has changed the handling of case-insensitivity in many cases:

    • All internal case-insensitivity handling for class, function and constant names is done according to ASCII rules. The current locale setting is ignored.

    • The keywords "self", "parent" and "static" are now always case-insensitive.

    • The json_decode() function now rejects non-lowercase variants of the boolean values.

  • The logo GUID functions (i.e. php_logo_guid()) have been removed.

  • It is no longer possible to overwrite keys in static scalar arrays. Please see PHP bug 66015 for an example and more information about this particular issue.

  • The mcrypt_encrypt(), mcrypt_decrypt() and mcrypt_{MODE}() functions no longer accept keys or IVs of incorrect sizes. Furthermore, an IV is now required if the block cipher mode in use requires one.

  • The internal JSON implementation has been replaced with the "jsonc" PECL module for licensing reasons. Code that relies on details of PHP's JSON parser may need to be reviewed.

For more information and a full list of potential issues, please see the upstream documentation on backwards incompatible changes for PHP 5.5 and 5.6.

5.5. Incompatible changes in Apache HTTPD 2.4

Note

This section only applies to systems that have the Apache HTTPD server installed and configured manually.

There are a number of changes to the configuration of the Apache HTTPD server in version 2.4. The configuration syntax itself has been changed upstream. Most prominently, the access control directives have changed so much that manual intervention is required to adapt the configuration to the new style.

The upstream upgrade documentation mentions the mod_access_compat module as an alternative to adapting the configuration, but it appears not to work in all cases.

The handling of configuration files has also changed in Debian's packaging. Most notably, all configuration files and site configuration files must now have file names ending in ".conf" to be read by default. This also replaces the existing use of /etc/apache2/conf.d/.

Note

During the upgrade, you may also see warnings about configuration files placed in /etc/apache2/conf.d/ which are provided by packages from Debian. This warning is unavoidable but harmless, as the affected packages will move their configuration once their upgrade completes (which will generally happen after Apache HTTPD emits its warning).

TODO: Known issues where this is not the case: #669735, #718483, #669796, #669777. Expecting them to be fixed before the Jessie release.

For more information and a full list of changes, please see:

  • Upgrading to 2.4 from 2.2 (in English), provided by the Apache upstream.

  • The file /usr/share/doc/apache2/NEWS.Debian.gz from the apache2 package.

5.6. Upgrading installs the new default init system for Jessie

Jessie ships with systemd-sysv as default init system. This package is installed automatically on upgrades.

If you have a preference for another init such as sysvinit-core or upstart, it is recommended to set up APT pinning prior to the upgrade. This may also be required if you are upgrading LXC containers before the host. In this case, please refer to Section 5.8.1, "Upgrading LXC guests running on wheezy hosts".

As an example, to prevent systemd-sysv from being installed during the upgrade, you can create a file called /etc/apt/preferences.d/local-pin-init with the following contents:

Package: systemd-sysv
Pin: release o=Debian
Pin-Priority: -1

Warning

Be advised that some packages may have degraded behaviour or may be lacking features under a non-default init system.

Please note that the upgrade may install packages containing "systemd" in their name even with APT pinning. These alone do not change your init system. To use systemd as your init system, the systemd-sysv package must be installed first.

If APT or aptitude has issues computing an upgrade path with the pin in place, you may be able to help it by manually installing both sysvinit-core and systemd-shim.

5.6.1. Stricter handling of failing mounts during boot under systemd

The new default init system, systemd-sysv, has a stricter handling of failing "auto" mounts during boot compared to sysvinit. If it fails to mount an "auto" mount (without the "nofail" option), systemd will drop to an emergency shell rather than continuing the boot.

We recommend that all removable or "optional" mount points (e.g. non-critical network drives) listed in /etc/fstab either have the "noauto" or the "nofail" option.
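As an added example (not part of the release notes), the following POSIX shell check lists the fstab entries that systemd will treat as mandatory at boot, so they can be reviewed before the upgrade. The sample fstab, its host names and UUIDs are constructed.

```shell
# Added example, not part of the release notes: find /etc/fstab entries that
# systemd treats as mandatory at boot, i.e. "auto" mounts carrying neither
# "noauto" nor "nofail". Review every line it prints before upgrading; a
# removable or non-critical network mount listed here will drop the system
# into an emergency shell if it fails to mount.

# strict_mounts [fstab-file]: reads the given file (stdin if omitted) and
# prints "<mountpoint> <fstype> <options>" for each mandatory mount.
# Comment lines, blank lines and swap entries are skipped.
strict_mounts() {
    awk '
        /^[ \t]*(#|$)/ { next }            # comment or blank line
        $3 == "swap"   { next }            # swap is activated, not mounted
        {
            strict = 1
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++)
                if (opts[i] == "noauto" || opts[i] == "nofail")
                    strict = 0
            if (strict) print $2, $3, $4
        }' "${1:--}"
}

# Constructed sample fstab (host names and UUIDs are made up). The NFS
# share on /mnt/nas is the kind of entry this check is meant to catch;
# /mnt/backup and /media/usb are already safe.
sample_fstab() {
    cat <<'EOF'
# <file system>           <mount point> <type> <options>                   <dump> <pass>
UUID=1111-root            /             ext4   errors=remount-ro           0      1
UUID=2222-swap            none          swap   sw                          0      0
nas.example.com:/export   /mnt/nas      nfs    defaults                    0      0
nas.example.com:/backup   /mnt/backup   nfs    nofail,x-systemd.automount  0      0
/dev/sdb1                 /media/usb    vfat   user,noauto                 0      0
EOF
}

# Run against the sample (prints the root filesystem and /mnt/nas), then
# against the real file when it exists.
sample_fstab | strict_mounts
if [ -r /etc/fstab ]; then
    strict_mounts /etc/fstab
fi
```

The root filesystem is expected in the output; what matters is every other line, each of which needs either "noauto" or "nofail" unless it really must be present for the system to boot.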

5.6.2. Obsolete init-scripts should be purged

If you are upgrading from previous releases, your system may contain obsolete init-scripts provided by (now) removed packages. These scripts may contain inaccurate or no dependency metadata, which can lead to dependency cycles in your init configuration.

To avoid this, we recommend that you review the list of packages that are in the "rc" state ("Removed, but Config-files remain" state) and purge at least all of those that contain init-scripts.

Please see Section 4.8.1, "Purging removed packages" for details on finding and purging removed packages.

5.6.3. Locally modified init-scripts may need to be ported to systemd

Note

This section only applies to systems where Debian provided init scripts have been modified locally.

If you have modified some of your init scripts provided by Debian, please be aware that these may now have been superseded by a systemd unit file or by systemd itself. If you have debsums installed, you can check for locally modified init scripts by using the following shell command.

debsums -c -e | grep ^/etc/init.d

Alternatively, the following can be used in the absence of debsums.

  # Extract conffile paths and their packaged md5sums from dpkg's database,
  # keep only /etc/init.d entries and let md5sum report the ones that differ.
  dpkg-query --show -f'${Conffiles}' | sed 's, /,\n/,g' | \
    grep /etc/init.d | awk 'NF {print $2 "  " $1}' | \
    md5sum --quiet -c

If either command flags any files and their corresponding packages, or systemd itself, now provide a systemd unit file for that service, the systemd unit file will take precedence over your locally modified init script. Depending on the nature of the change, there are different ways to perform the migration.

If necessary, it is possible to override the systemd unit file to have it start the sysvinit script. For more information on systemd unit files, please have a look at the following resources.

5.6.4. Plymouth is required for boot-prompt interaction under systemd

If your boot is interactive (e.g. needs a password for an encrypted disk), please ensure that you have plymouth installed and configured. Please refer to /usr/share/doc/plymouth/README.Debian for information on how to configure plymouth.

Without plymouth, you may find that the boot prompt disappears. It has been reported that cryptsetup can still read what is typed even though nothing is shown on the screen. Should this happen, a correctly entered password may still work.

5.7. Required kernel config options for Jessie

Note

This section is only for people who compile their own kernel. If you use the kernels compiled by Debian, you can disregard this section.

The following kernel configuration options are now either required or recommended for Jessie (in addition to existing ones from previous releases):

# Required for udev
CONFIG_DEVTMPFS=y
# Required for *some* systemd services
CONFIG_DEVPTS_MULTIPLE_INSTANCES=y

The systemd services, which require CONFIG_DEVPTS_MULTIPLE_INSTANCES=y, will typically contain at least one of the following directives:

PrivateTmp=yes
PrivateDevices=yes
PrivateNetwork=yes
ProtectSystem=yes

If you do not use systemd, or can assert that none of the systemd services will use the above directives, the config option might not be required for your particular system.

For more information about the requirements, please refer to /usr/share/doc/systemd/README.gz (from the systemd package).

5.8. Upgrade considerations for LXC hosts and containers

Note

This section only applies to systems that have LXC containers and hosts. Normal end user systems usually do not have these.

The upgrade from wheezy to jessie will migrate your system to the systemd init system by default (see Section 5.6, "Upgrading installs the new default init system for Jessie").

When upgrading an LXC container, respectively an LXC virtual machine, this will have different consequences depending on whether the host system has already been upgraded to jessie or not.

5.8.1. Upgrading LXC guests running on wheezy hosts

If you are upgrading an LXC guest container that is running on a Wheezy host system, then you will need to prevent the guest from being automatically migrated to systemd. You prevent the migration via pinning, as described in Section 5.6, "Upgrading installs the new default init system for Jessie".

This is required as the Wheezy host lacks functionality to boot a system running systemd.

You should be able to switch over to systemd inside the LXC guest once you have upgraded the host system to Jessie. See the next paragraph for things that need to be adapted on Jessie hosts.

5.8.2. Upgrading LXC guests running on jessie hosts

In order to be able to boot LXC guests with systemd, you need to adapt your LXC container configuration. The container configuration can usually be found in /var/lib/lxc/CONTAINER_NAME/config. You need to add the following two settings to the configuration:

lxc.autodev = 1
lxc.kmsg = 0

5.8.3. Further information

You can find further information on LXC in Debian in the Debian wiki.

5.9. Manual migration of disks encrypted with LUKS whirlpool (non-standard setups)

Note

This section is only for people who have set up LUKS encrypted disks themselves using the whirlpool hash. The debian-installer never supported creating such disks.

If you have manually set up an encrypted disk with LUKS whirlpool, you will need to migrate it manually to a stronger hash. You can check if your disk is using whirlpool by using the following command:

    # /sbin/cryptsetup luksDump <disk-device> | grep -i whirlpool

For more information on migrating, please see item "8.3 Gcrypt 1.6.x and later break Whirlpool" of the cryptsetup FAQ.

Warning

If you have such a disk, cryptsetup will refuse to decrypt it by default. If your rootdisk or other system disks (e.g. /usr) are encrypted with whirlpool, you should migrate them prior to the first reboot after upgrading cryptsetup.

5.10. The GNOME desktop requires basic 3D graphics

The GNOME 3.14 desktop in Jessie no longer has fallback support for machines without basic 3D graphics. To run properly, it needs either a recent enough PC (any PC built in the last 10 years should have the required SSE2 support) or, for architectures other than i386 and amd64, a 3D-accelerated graphics adapter with EGL drivers.

5.11. The GNOME desktop does not work with the AMD proprietary FGLRX driver

Unlike other OpenGL drivers, the AMD FGLRX driver for Radeon adapters does not support the EGL interface. As such, several GNOME applications, including the core of the GNOME desktop, will not start at all when this driver is in use.

It is recommended to use the free radeon driver, which is the default in jessie, instead.

5.12. Changes in the GNOME default keyboard shortcuts

The default keyboard shortcuts in the GNOME desktop have changed in order to match more closely those of some other operating systems.

Shortcut settings previously modified by the user will be preserved upon upgrade. These settings can still be configured from the GNOME control center, accessible from the top right menu by clicking on the “settings” icon.

5.13. Changes to default shell of system users provided by base-passwd

The upgrade of the base-passwd package will reset the shell of the system users it provides to the "nologin" shell. This includes the following users:

  • daemon
  • bin
  • sys
  • games
  • man
  • lp
  • mail
  • news
  • uucp
  • proxy
  • www-data
  • backup
  • list
  • irc
  • gnats
  • nobody

If your local setup requires that any of these users have a shell, you should say no to migrating, or migrate and then change the shell of the corresponding users. Notable examples include local backups done via the "backup" user with "ssh-key" authentication.

Warning

The migration will happen automatically if your debconf question priority is "high" or above.

If you know you want to keep the current shell of a given user, you can preseed the questions by using the following:

    echo 'base-passwd base-passwd/system/username/shell/current-shell-mangled/_usr_sbin_nologin boolean false' | debconf-set-selections

Where username is the name of the user in question and current-shell-mangled is the mangled name of the shell. The mangling is done by replacing every character that is not alphanumeric, a dash or an underscore with an underscore. E.g. /bin/bash becomes _bin_bash.
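As an added example (not part of the release notes), the following POSIX shell functions apply the mangling rule above and generate the preseed lines for the users whose shell should be kept, reading each user's actual shell from the passwd file so the mangled key always matches. The sample passwd file is constructed.

```shell
# Added example, not part of the release notes: build debconf preseed lines
# that tell base-passwd to keep the current shell of selected system users.

# mangle_shell <path>: the mangling described in the release notes, every
# character that is not alphanumeric, a dash or an underscore becomes "_".
# mangle_shell /bin/bash -> _bin_bash
mangle_shell() {
    printf '%s' "$1" | sed 's/[^A-Za-z0-9_-]/_/g'
}

# preseed_line <user> <shell>: the debconf-set-selections line that answers
# "false" to changing <user>'s shell from <shell> to /usr/sbin/nologin.
preseed_line() {
    printf 'base-passwd base-passwd/system/%s/shell/%s/_usr_sbin_nologin boolean false\n' \
        "$1" "$(mangle_shell "$2")"
}

# keep_shell_lines <passwd-file> <user>...: for each named user present in
# the passwd file whose shell is not already nologin or false, emit the
# preseed line that keeps the current shell. Unknown users are skipped.
keep_shell_lines() {
    pw=$1; shift
    for u in "$@"; do
        sh=$(awk -F: -v u="$u" '$1 == u { print $7; exit }' "$pw")
        case "$sh" in
            ""|*/nologin|*/false) continue ;;    # nothing worth keeping
        esac
        preseed_line "$u" "$sh"
    done
}

# Constructed sample passwd file: "backup" has a real shell (as for
# ssh-key based backups mentioned above), "daemon" is already nologin.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/bash
www-data:x:33:33:www-data:/var/www:/bin/sh
EOF
}

# On a real system run, as root, before the upgrade:
#   keep_shell_lines /etc/passwd backup www-data | debconf-set-selections
f="${TMPDIR:-/tmp}/passwd.sample.$$"
sample_passwd > "$f"
keep_shell_lines "$f" backup www-data daemon
rm -f "$f"
```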

5.14. Migration to new KDE E-mail, Calendar and Contacts (Kontact)

The Kontact Personal Information Management system has received a major upgrade. The new version makes much greater use of metadata indexing and each user's data must be migrated into these new indices.

E-mail, calendar events and addressbook contacts are automatically migrated when the user logs in and the relevant component is started. Some advanced settings such as e-mail filters and custom templates require manual intervention. Further details and troubleshooting suggestions are collected on the Debian Wiki.

5.15. Missing virtual consoles ("getty"s) with multiple desktop environments

If you have multiple desktop environments installed, you may experience that none of the "virtual consoles" show a login prompt.

This issue seems to occur when plymouth, systemd and GNOME are all installed. This issue is reported as Debian Bug#766462.

It has been reported that removing the "splash" argument from the kernel command-line may work around the issue. Please see /etc/default/grub and remember to run update-grub after updating the file.

5.16. "VGA signal out of range" / blank screen during boot with grub-pc

There is a compatibility issue in grub-pc with older graphics cards (e.g. the "ATI Rage 128 Pro Ultra TR") that can cause it to show a blank screen during boot. The display may issue a "VGA signal out of range" message (or something similar).

A simple work around is to set GRUB_TERMINAL=console in /etc/default/grub.

5.17. Stricter validation of cron files in crontab

The crontab program is now more strict and may refuse to save a changed cron file if it is invalid. If you experience issues with crontab -e, please review your crontab for existing mistakes.

5.18. Change in handling of unreadable module paths by perl

From version 5.18 (and 5.20, which is included in jessie), perl will exit with a fatal error if it encounters unreadable module paths in @INC. The previous behaviour was to skip such entries. It is recommended to check the contents of @INC in your environment for directories which are not world-readable, and take appropriate action.

You can see the default @INC for perl by running perl -V.
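As an added example (not part of the release notes), the following POSIX shell check reports the @INC directories that are not world-readable. It uses GNU stat from coreutils, and additionally flags directories that lack the world search (execute) bit, since opening a module file underneath a directory requires search permission on it.

```shell
# Added example, not part of the release notes: list @INC directories that
# are not world-readable, which perl 5.18 and later treat as fatal when
# loading modules. Nonexistent entries are skipped.

# unreadable_dirs <dir>...: prints "<octal mode> <dir>" for each existing
# directory that lacks the "other" read bit or the "other" search bit.
# The release notes speak of world-readable directories; the search bit is
# checked too because opening Foo/Bar.pm below a directory requires it.
unreadable_dirs() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        mode=$(stat -c '%a' "$d")          # GNU stat, e.g. 755 or 1777
        other=$(( mode % 10 ))             # last octal digit: "other" bits
        if [ $(( other & 4 )) -eq 0 ] || [ $(( other & 1 )) -eq 0 ]; then
            printf '%s %s\n' "$mode" "$d"
        fi
    done
}

# check_perl_inc: feed the running perl's @INC to unreadable_dirs.
# Returns 1 if anything was flagged so it can gate a pre-upgrade script
# (assumes @INC entries contain no whitespace, which is the normal case).
check_perl_inc() {
    out=$(unreadable_dirs $(perl -e 'print "$_\n" for @INC'))
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

if command -v perl >/dev/null 2>&1; then
    check_perl_inc || echo "fix the directories above before upgrading perl"
fi
```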