Chapter 5. Issues to be aware of for wheezy

Table of Contents

5.1. LDAP support
5.2. Security status of web browsers
5.3. ConsoleKit and alternative display managers
5.4. GNOME desktop changes and support
5.5. KDE desktop changes
5.6. NetworkManager
5.7. perl-suid removed
5.8. Request Tracker versions
5.9. Bootlogd changes
5.10. /etc/mtab and _netdev
5.11. The pdksh to mksh transition
5.12. Puppet 2.6 / 2.7 compatibility
5.13. Multiarch implications for the toolchain
5.14. Cyrus SASL SQL backends
5.15. Firmware for network and graphics drivers

Sometimes, changes introduced in a new release have side effects that we cannot reasonably avoid, or that would expose bugs somewhere else. This section documents the issues we are aware of. Please also read the errata, the relevant packages' documentation, bug reports and other information mentioned in Section 6.1, “Further reading”.

5.1. LDAP support

A feature in the cryptography libraries used in the LDAP libraries causes programs that use LDAP and attempt to change their effective privileges to fail when connecting to an LDAP server using TLS or SSL. This can cause problems for setuid programs on systems using libnss-ldap like sudo, su or schroot and for setuid programs that perform LDAP searches like sudo-ldap.

It is recommended to replace the libnss-ldap package with libnss-ldapd, a newer library which uses a separate daemon (nslcd) for all LDAP lookups. The replacement for libpam-ldap is libpam-ldapd.

Note that libnss-ldapd recommends the NSS caching daemon (nscd), which you should evaluate for suitability in your environment before installing it. As an alternative to nscd you can consider unscd.

Further information is available in bug reports #566351 and #545414.

5.2. Security status of web browsers

Debian 7.0 includes several browser engines which are affected by a steady stream of security vulnerabilities. The high rate of vulnerabilities and partial lack of upstream support in the form of long term branches make it very difficult to support these browsers with backported security fixes. Additionally, library interdependencies make it impossible to update to newer upstream releases. Therefore, browsers built upon the webkit, qtwebkit and khtml engines are included in Wheezy, but not covered by security support. These browsers should not be used against untrusted websites.

For general web browser use we recommend browsers building on the Mozilla xulrunner engine (Iceweasel and Iceape) or Chromium.

Xulrunner has had a history of good backportability for older releases over the previous release cycles. Chromium - while built upon the Webkit codebase - is a leaf package, which will be kept up-to-date by rebuilding the current Chromium releases for stable.

5.3. ConsoleKit and alternative display managers

ConsoleKit in Debian 7.0 does not consider sessions started using startx or display managers lacking consolekit integration (e.g. xdm or slim) as local, which might prevent access to some devices.

We recommend using one of gdm3, kdm or lightdm instead.

5.4. GNOME desktop changes and support

By default, some accessibility tools are not enabled in the GNOME display manager (gdm3). The simplest way to enable zooming or a visual keyboard is to activate the shell greeter.

To do that, edit the /etc/gdm3/greeter.gsettings file, and uncomment the following:

session-name='gdm-shell'

while commenting

session-name='gdm-fallback'

Note that it requires a compatible 3D graphics card — which is the reason why it is not enabled by default.

5.5. KDE desktop changes

The knetworkmanager package has been deprecated, and replaced by plasma-widget-networkmanagement in the new KDE Plasma Workspace.

If you are using the deprecated knetworkmanager standalone application, you should be prepared to do some manual configuration after the upgrade. You might need to manually add plasma-widget-networkmanagement to your panel or desktop.

Also, if the network connection shouldn't depend on having a network-manager widget running, you might want to set it as a system connection.

5.6. NetworkManager

NetworkManager can detect if a network interface is managed by ifupdown in order to avoid conflicts, but is not able to do so with other network management programs such as wicd-daemon. Problems and unexpected behavior can result if two such daemons are managing the same interface when attempting to make a network connection.

For instance, if wicd-daemon and NetworkManager are both running, attempting to use a wicd client to make a connection will fail with the error message:

Connection Failed: bad password

Attempting to use a NetworkManager client may likewise fail with the message:

NetworkManager is not running.  Please start it.

It is recommended that users of GNOME consider installing and trying NetworkManager, but the NetworkManager daemon may be permanently disabled if desired using the following command:

# update-rc.d network-manager disable

After disabling the daemon, it is recommended to examine the contents of /etc/resolv.conf. This file is used to specify DNS servers for name resolution and the contents of this file may have been replaced by NetworkManager.

5.7. perl-suid removed

suidperl was removed upstream with 5.12, so the perl-suid package which used to be distributed in Debian has been removed too. Possible alternatives include using a simple setuid C wrapper to execute a Perl script from a hard-coded location, or using a more general tool like sudo.

5.8. Request Tracker versions

If you have request-tracker3.8 installed on your squeeze system, note that this package has been removed from wheezy, to be replaced by request-tracker4. Upgrading from request-tracker3.8 to request-tracker4 requires some manual steps: please install request-tracker4 alongside your existing request-tracker3.8 and follow the installation/upgrade instructions in /usr/share/doc/request-tracker4/README.Debian.gz (section: Upgrading from request-tracker3.8 to request-tracker4).

The same advice applies if you have request-tracker3.6 or older packages from previous Debian releases still in use; if this is the case it is recommended to upgrade step by step, following the appropriate upgrade documents.

5.9. Bootlogd changes

bootlogd has moved from sysvinit-utils to a separate bootlogd package. If you want to continue to use bootlogd, you need to install the bootlogd package. Note that the configuration file /etc/default/bootlogd and its option BOOTLOGD_ENABLE no longer exist; if you do not wish to run bootlogd, remove the bootlogd package.

5.10. /etc/mtab and _netdev

The file /etc/mtab, used to store the list of currently mounted filesystems, has been changed to be a symbolic link to /proc/mounts. For almost every case, this change will result in a more robust system since the list can never become inconsistent with reality. However, if you use the _netdev option in /etc/fstab to indicate that a filesystem is a network filesystem requiring special handling, this will no longer be set in /proc/mounts after rebooting. This will not cause problems for standard network filesystems such as NFS, which do not rely on the _netdev option. Filesystems which are unaffected by this issue are ceph, cifs, coda, gfs, ncp, ncpfs, nfs, nfs4, ocfs2 and smbfs. For filesystems which do rely on _netdev for correct unmounting at shutdown, for example when using an NBD, a static mtab will be the only way to use _netdev in wheezy. If you have such a setup, then after completing the upgrade to wheezy restore a static /etc/mtab by doing the following:

  • Edit /etc/init.d/checkroot.sh, and comment out these lines:

            if [ "$rootmode" != "ro" ]; then
                    mtab_migrate
            fi
    

  • If you have rebooted the system, and /etc/mtab is now a symbolic link:

    # rm /etc/mtab
    # cp /proc/mounts /etc/mtab
    

    Re-add the _netdev option by remounting the affected filesystems:

    # mount -o remount filesystem
    

    /etc/mtab will be recreated fully next time you reboot the system.
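
To see which /etc/fstab entries this applies to before restoring a static mtab, the following added example (not part of the release notes) lists entries that use _netdev and whose filesystem type is not in the unaffected list above. The function names and the sample fstab lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: list fstab entries that carry _netdev and whose filesystem
# type is NOT among the types the release notes name as unaffected. These are
# the mounts that need a static /etc/mtab in wheezy.
# netdev_needing_static_mtab is a hypothetical helper name; it reads the file
# named in $1 (default /etc/fstab), or stdin when given "-".
netdev_needing_static_mtab() {
    awk -v ok="ceph cifs coda gfs ncp ncpfs nfs nfs4 ocfs2 smbfs" '
    BEGIN { n = split(ok, t, " "); for (i = 1; i <= n; i++) unaffected[t[i]] = 1 }
    /^[ \t]*#/ || NF < 4 { next }            # skip comments and short lines
    {
        m = split($4, opts, ",")             # fourth field: mount options
        for (i = 1; i <= m; i++)
            if (opts[i] == "_netdev" && !($3 in unaffected)) {
                print $2, $3                 # mount point and type
                break
            }
    }' "${1:-/etc/fstab}"
}

# Constructed sample fstab (not from a real system).
sample_fstab() {
    cat <<'EOF'
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/sda1        /          ext4  errors=remount-ro   0 1
server:/export   /mnt/nfs   nfs   _netdev,rw          0 0
/dev/nbd0        /srv/data  ext4  _netdev,noatime     0 0
//fs/share       /mnt/smb   cifs  credentials=/etc/smb.cred,_netdev 0 0
EOF
}

sample_fstab | netdev_needing_static_mtab -   # prints: /srv/data ext4
```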

5.11. The pdksh to mksh transition

The Public Domain Korn Shell (pdksh) package is being retired for the release after wheezy, since pdksh is no longer maintained (it has not been actively developed since 1999).

The MirBSD Korn Shell (mksh) package contains its successor; it has evolved from the Public Domain Korn Shell and has been kept up to date with the POSIX standard on the shell. In Debian wheezy, pdksh is a transitional package using lksh, a variant of mksh built with special compatibility options to provide a pdksh binary symlink. This compatibility binary behaves more like the traditional Public Domain Korn Shell than the current mksh. However, as it contains behavior-changing bugfixes, it is not a pure drop-in replacement. So, you're advised to change your

#!/bin/pdksh

scripts to

#!/bin/mksh

and test them. If the test fails, you're advised to fix your scripts. If, for some reason, this is not possible, you can change them to

#!/bin/lksh

scripts, and test them again. This test has more chances of succeeding without changing a lot of your code. However, be aware that at some point in the future the transitional package will get dropped from Debian.

The compatibility binary is not suitable for interactive use, so as system administrator, adjust the login shell of your Korn Shell users. For minimal service interruption, do this before the upgrade of the O.S.: manually install the mksh package and change the login and/or interactive shells of users that use pdksh to mksh. Furthermore, you're encouraged to copy /etc/skel/.mkshrc into their home directories: this provides some shell functions like pushd, popd and dirs and a nice PS1 (shell prompt).
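
To locate what has to be changed and tested, the following added example (not part of the release notes) lists scripts whose first line is a pdksh shebang and accounts whose login shell is pdksh. Both function names, the sample files and the sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Added example: find what still depends on pdksh before the transitional
# package is dropped. Both function names are hypothetical helpers.

# Print every readable regular file under DIR whose first line is a
# pdksh shebang (for example "#!/bin/pdksh").
find_pdksh_scripts() {
    find "$1" -type f 2>/dev/null | while IFS= read -r f; do
        [ -r "$f" ] || continue
        first=
        # read fails on a missing final newline but still fills $first
        IFS= read -r first < "$f" || [ -n "$first" ] || continue
        case $first in
            '#!'*pdksh*) printf '%s\n' "$f" ;;
        esac
    done
}

# Print the users in a passwd(5)-format file whose login shell is pdksh.
pdksh_login_users() {
    awk -F: '$7 ~ /\/pdksh$/ { print $1 }' "${1:-/etc/passwd}"
}

# Constructed demo tree and passwd file (not from a real system).
demo=$(mktemp -d)
printf '#!/bin/pdksh\necho legacy\n' > "$demo/backup.ksh"
printf '#!/bin/mksh\necho done\n'    > "$demo/rotate.ksh"
printf '%s\n' 'alice:x:1000:1000::/home/alice:/bin/pdksh' \
              'bob:x:1001:1001::/home/bob:/bin/mksh' > "$demo/passwd"

find_pdksh_scripts "$demo"          # prints the path of backup.ksh
pdksh_login_users "$demo/passwd"    # prints alice
rm -rf "$demo"
```

On a live system, point find_pdksh_scripts at the directories that hold your own scripts and run pdksh_login_users without an argument to read /etc/passwd.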

5.12. Puppet 2.6 / 2.7 compatibility

When upgrading a Puppet managed system from squeeze to wheezy, you must ensure that the corresponding puppetmaster runs at least Puppet version 2.7. If the master is running squeeze's puppetmaster, the managed wheezy system will not be able to connect to it.

Such a combination will lead to the following error message during a puppet agent run:

Could not retrieve catalog from remote server: Error 400 on SERVER: No support for http method POST

In order to resolve this issue the puppetmaster must be upgraded. A 2.7 master is able to manage a 2.6 client system.

5.13. Multiarch implications for the toolchain

The introduction of multiarch (as described in Section 2.2.2, “Multiarch”) changes the paths for some files, which may break assumptions made by toolchain components. Debian's toolchain has been updated, but users trying to build or use external compilers might need to be aware of this.

Some hints to work around these issues can be found in /usr/share/doc/libc6/NEWS.Debian.gz and in bugreport #637232.

5.14. Cyrus SASL SQL backends

Configuration of SQL engine backends for Cyrus SASL, as provided in the libsasl2-modules-sql package, has changed from database specific configuration (e.g. mysql) to the generic sql auxprop plugin.

Configuration files for applications using SASL have to be updated, for example:

auxprop_plugin: mysql

should be replaced by:

auxprop_plugin: sql
sql_engine: mysql

In addition, the SQL query (if used) needs to have %u replaced with %u@%r, because user and realm are now provided separately.
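
The two changes above can be applied together. The following added example (not part of the release notes) rewrites the mysql case shown here and the %u placeholder in the query lines; the function names and the sample configuration are constructed, and the sql_select, sql_insert and sql_update option names are those of the Cyrus SASL sql plugin.

```shell
#!/bin/sh
# Added example: rewrite a squeeze-era Cyrus SASL application config for the
# generic sql auxprop plugin. migrate_sasl_conf is a hypothetical helper; it
# reads the file named in $1 (or stdin when given "-" or no argument) and
# writes the migrated config to stdout, leaving the original untouched.
migrate_sasl_conf() {
    awk '
    # Database-specific plugin name -> generic plugin plus explicit engine.
    /^[ \t]*auxprop_plugin:[ \t]*mysql[ \t]*$/ {
        print "auxprop_plugin: sql"
        print "sql_engine: mysql"
        next
    }
    # User and realm are now separate: %u becomes %u@%r in SQL statements.
    /^[ \t]*sql_(select|insert|update):/ {
        gsub(/%u@%r/, "%u")      # normalise first so reruns do not double up
        gsub(/%u/, "%u@%r")
    }
    { print }
    ' "${1:--}"
}

# Constructed sample config (table and column names are made up).
sample_sasl_conf() {
    cat <<'EOF'
pwcheck_method: auxprop
auxprop_plugin: mysql
mech_list: PLAIN LOGIN
sql_select: SELECT password FROM users WHERE email = '%u'
EOF
}

sample_sasl_conf | migrate_sasl_conf -
```

Review the output against the original before replacing the file; running the function on an already migrated file leaves it unchanged.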

5.15. Firmware for network and graphics drivers

Some hardware drivers, including drivers for (wired or wireless) network cards, as well as the driver for ATI/AMD graphics chipsets, require loadable firmware in order to operate properly.

That firmware is often not free software, and as such only available from the non-free archive, in the firmware-linux and other packages.