Chapter 5. Issues to be aware of for bullseye

Table of Contents

5.1. Upgrade specific items for bullseye
5.1.1. New VA-API default driver for Intel GPUs
5.1.2. The XFS file system no longer supports barrier/nobarrier option
5.1.3. Changed security archive layout
5.1.4. Password hashing uses yescrypt by default
5.1.5. NSS NIS and NIS+ support require new packages
5.1.6. Config file fragment handling in unbound
5.1.7. rsync parameter deprecation
5.1.8. Vim addons handling
5.1.9. OpenStack and cgroups v1
5.1.10. Noteworthy obsolete packages
5.1.11. Deprecated components for bullseye
5.1.12. Things to do post upgrade before rebooting
5.2. Limitations in security support
5.2.1. Security status of web browsers and their rendering engines
5.3. Package specific issues
5.3.1. Accessing GNOME Settings app without mouse
5.3.2. sendmail downtime during upgrade

Sometimes, changes introduced in a new release have side-effects we cannot reasonably avoid, or they expose bugs somewhere else. This section documents issues we are aware of. Please also read the errata, the relevant packages' documentation, bug reports, and other information mentioned in Section 6.1, “Further reading”.

5.1. Upgrade specific items for bullseye

This section covers items related to the upgrade from buster to bullseye.

5.1.1. New VA-API default driver for Intel GPUs

For Intel GPUs available with Broadwell and newer, the Video Acceleration API (VA-API) implementation now defaults to intel-media-va-driver for hardware accelerated video decoding. Systems which have va-driver-all installed will automatically be upgraded to the new driver.

The legacy driver package i965-va-driver is still available and offers support up to the Cannon Lake micro architecture. To prefer the legacy driver over the new default one, set the environment variable LIBVA_DRIVER_NAME to i965, for instance by setting the variable in /etc/environment. For more information, please see the Wiki's page on hardware video acceleration.

5.1.2. The XFS file system no longer supports barrier/nobarrier option

Support for the barrier and nobarrier mount options has been removed from the XFS file system. It is recommended to check /etc/fstab for the presence of either keyword and remove it. Partitions using these options will fail to mount.
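The /etc/fstab check recommended above can be scripted. The following is an added example, not part of the release notes; the function names and the sample fstab are constructed for illustration. It matches whole option names on XFS entries only, so an ext4 option such as barrier=1 is not flagged.

```sh
#!/bin/sh
# Added example, not part of the release notes.
# find_xfs_barrier: read fstab-format lines on stdin and print
# "<line number> <mount point> <option>" for every XFS entry that still
# carries the removed barrier or nobarrier mount option.
find_xfs_barrier() {
    awk '
        /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
        $3 == "xfs" {
            n = split($4, opts, ",")       # field 4 is the option list
            for (i = 1; i <= n; i++)
                if (opts[i] == "barrier" || opts[i] == "nobarrier")
                    print NR, $2, opts[i]
        }
    '
}

# Constructed sample fstab (UUIDs and mount points are made up)
sample_fstab() {
    cat <<'EOF'
# <file system> <mount point> <type> <options> <dump> <pass>
UUID=aaaa-0001 /        ext4 errors=remount-ro  0 1
UUID=aaaa-0002 /srv     xfs  defaults,nobarrier 0 2
UUID=aaaa-0003 /data    xfs  noatime,barrier,inode64 0 2
UUID=aaaa-0004 /scratch xfs  defaults           0 2
UUID=aaaa-0005 /old     ext4 barrier=1          0 2
EOF
}

# Demo on the sample; on a real system: find_xfs_barrier < /etc/fstab
sample_fstab | find_xfs_barrier
```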

5.1.3. Changed security archive layout

For bullseye, the security suite is now named bullseye-security instead of buster/updates and users should adapt their APT source-list files accordingly when upgrading.

The security line in your APT configuration may look like:

deb https://deb.debian.org/debian-security bullseye-security main contrib
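A system whose security entry still names buster/updates after the upgrade will not receive bullseye security updates, so the rename is worth checking mechanically. The following is an added example, not part of the release notes; the function names and sample entries are constructed. It changes only the suite field of one-line-style deb and deb-src entries, leaving the URI, components and commented-out lines as they are.

```sh
#!/bin/sh
# Added example, not part of the release notes.
# migrate_security_suite: read one-line-style APT source entries on stdin
# and write them to stdout with the suite buster/updates replaced by
# bullseye-security.
migrate_security_suite() {
    awk '
    /^[ \t]*deb(-src)?[ \t]/ {
        i = 2
        # Skip an optional [ option=value ... ] block, which may contain spaces
        if ($i ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++; i++ }
        suite = i + 1                      # the field after the URI
        if ($suite == "buster/updates")
            $suite = "bullseye-security"
    }
    { print }
    '
}

# Constructed sample of a sources.list taken over from buster
sample_sources() {
    cat <<'EOF'
deb http://deb.debian.org/debian bullseye main
deb http://security.debian.org/debian-security buster/updates main contrib
deb-src [ arch=amd64 ] http://security.debian.org/debian-security buster/updates main
# deb http://security.debian.org/debian-security buster/updates main
EOF
}

# Demo on the sample; review the output before replacing a real file
sample_sources | migrate_security_suite
```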

5.1.4. Password hashing uses yescrypt by default

The default password hash for local system accounts has been changed to yescrypt. This is expected to provide improved security against dictionary-based password guessing attacks, in terms of both the space and time complexity of the attack.

To take advantage of this improved security, change local passwords; for example use the passwd command.

Old passwords will continue to work using whatever password hash was used to create them.

Yescrypt is not supported by Debian 10 (buster). As a result, shadow password files (/etc/shadow) cannot be copied from a bullseye system back to a buster system. If these files are copied, passwords that have been changed on the bullseye system will not work on the buster system. Similarly, password hashes cannot be cut&pasted from a bullseye to a buster system.

If compatibility is required for password hashes between bullseye and buster, modify /etc/pam.d/common-password. Find the line that looks like:

password [success=1 default=ignore] pam_unix.so obscure yescrypt

and replace yescrypt with sha512.
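Because old passwords keep their original hash until they are changed, it is useful to see which accounts already use yescrypt (and so would not work on buster) and which still carry an older scheme. The following is an added example, not part of the release notes; the function names are made up, and the sample entries use placeholder salts and hashes. It identifies the scheme from the prefix of the second shadow field.

```sh
#!/bin/sh
# Added example, not part of the release notes.
# classify_shadow: read shadow-format lines on stdin and print
# "<user> <scheme> <state>" for each account.
classify_shadow() {
    awk -F: '
    {
        h = $2; state = "active"
        # An empty field, "*" or "!" carries no usable hash at all
        if (h ~ /^[!*]*$/) { print $1, "none", (h == "" ? "empty" : "locked"); next }
        # passwd -l locks an account by prefixing the stored hash with "!"
        if (substr(h, 1, 1) == "!") { state = "locked"; sub(/^!+/, "", h) }
        p = substr(h, 1, 3)
        if      (p == "$y$") s = "yescrypt"
        else if (p == "$6$") s = "sha512crypt"
        else if (p == "$5$") s = "sha256crypt"
        else if (p == "$1$") s = "md5crypt"
        else if (substr(h, 1, 2) == "$2") s = "bcrypt"
        else s = "other"
        print $1, s, state
    }'
}

# needs_rehash: active accounts whose stored hash is not yescrypt
needs_rehash() {
    classify_shadow | awk '$3 == "active" && $2 != "yescrypt" { print $1 }'
}

# Constructed sample; salts and hashes are placeholders, not real values
sample_shadow() {
    cat <<'EOF'
root:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:18800:0:99999:7:::
daemon:*:18800:0:99999:7:::
alice:$y$j9T$CONSTRUCTEDSALT$CONSTRUCTEDHASH:18900:0:99999:7:::
bob:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:18700:0:99999:7:::
carol:!$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:18700:0:99999:7:::
svc:!:18800::::::
legacy:$1$CONSTRUCTED$CONSTRUCTEDHASH:17000:0:99999:7:::
EOF
}

# Demo on the sample; on a real system, as root: classify_shadow < /etc/shadow
sample_shadow | classify_shadow
```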

5.1.5. NSS NIS and NIS+ support require new packages

NSS NIS and NIS+ support has been moved to separate packages called libnss-nis and libnss-nisplus. Unfortunately, glibc can't depend on those packages, so they are now only recommended.

On systems using NIS or NIS+, it is therefore recommended to check that those packages are correctly installed after the upgrade.

5.1.6. Config file fragment handling in unbound

The DNS resolver unbound has changed the way it handles configuration file fragments. If you are relying on an include: directive to merge several fragments into a valid configuration, you should read the NEWS file.

5.1.7. rsync parameter deprecation

The rsync parameters --copy-devices and --noatime have been renamed to --write-devices and --open-noatime. The old forms are no longer supported; if you are using them you should see the NEWS file. Transfer processes between systems running different Debian releases may require the buster side to be upgraded to a version of rsync from the backports repository.

5.1.8. Vim addons handling

The addons for vim historically provided by vim-scripts are now managed by Vim's native package functionality rather than by vim-addon-manager. Vim users should prepare before upgrading by following the instructions in the NEWS file.

5.1.9. OpenStack and cgroups v1

OpenStack Victoria (released in bullseye) requires cgroup v1 for block device QoS. Since bullseye also changes to using cgroupv2 by default (see Section 2.2.4, “Control groups v2”), the sysfs tree in /sys/fs/cgroup will not include cgroup v1 features such as /sys/fs/cgroup/blkio, and as a result cgcreate -g blkio:foo will fail. For OpenStack nodes running nova-compute or cinder-volume, it is strongly advised to add the parameters systemd.unified_cgroup_hierarchy=false and systemd.legacy_systemd_cgroup_controller=false to the kernel command line in order to override the default and restore the old cgroup hierarchy.

5.1.10. Noteworthy obsolete packages

The following is a list of known and noteworthy obsolete packages (see Section 4.8, “Obsolete packages” for a description).

The list of obsolete packages includes:

  • The lilo package has been removed from bullseye. The successor of lilo as boot loader is grub2.

  • The Mailman mailing list manager suite version 3 is the only available version of Mailman in this release. Mailman has been split up into various components; the core is available in the package mailman3 and the full suite can be obtained via the mailman3-full metapackage.

    The legacy Mailman version 2.1 is no longer available (this used to be the package mailman). This branch depends on Python 2 which is no longer available in Debian.

    For upgrading instructions, please see the project's migration documentation.

  • The Linux kernel no longer provides isdn4linux (i4l) support. Consequently, the related userland packages isdnutils, isdnactivecards, drdsl and ibod have been removed from the archives.

  • The deprecated libappindicator libraries are no longer provided. As a result, the related packages libappindicator1, libappindicator3-1 and libappindicator-dev are no longer available. This is expected to cause dependency errors for third-party software that still depends on libappindicator to provide system tray and indicator support.

    Debian is using libayatana-appindicator as the successor of libappindicator. For technical background see this announcement.

  • Debian no longer provides chef. If you use Chef for configuration management, the best upgrade path is probably to switch to using the packages provided by Chef Inc.

    For background on the removal, see the removal request.

5.1.11. Deprecated components for bullseye

With the next release of Debian 12 (codenamed bookworm) some features will be deprecated. Users will need to migrate to other alternatives to prevent trouble when updating to Debian 12.

This includes the following features:

  • Python 2 is already beyond its End Of Life, and will receive no security updates. It is not supported for running applications. However, Debian bullseye does still include a version of Python 2.7, as well as a small number of Python 2 build tools such as python-setuptools. These are present only because they are required for a few application build processes that have not yet been converted to Python 3.

  • The historical justifications for the filesystem layout with /bin, /sbin, and /lib directories separate from their equivalents under /usr no longer apply today; see the Freedesktop.org summary. Debian bullseye will be the last Debian release that supports the non-merged-usr layout; for systems with a legacy layout that have been upgraded without a reinstall, the usrmerge package exists to do the conversion if desired.

5.1.12. Things to do post upgrade before rebooting

When apt full-upgrade has finished, the formal upgrade is complete. For the upgrade to bullseye, there are no special actions needed before performing a reboot.

5.2. Limitations in security support

There are some packages where Debian cannot promise to provide minimal backports for security issues. These are covered in the following subsections.

Note

The package debian-security-support helps to track the security support status of installed packages.

5.2.1. Security status of web browsers and their rendering engines

Debian 11 includes several browser engines which are affected by a steady stream of security vulnerabilities. The high rate of vulnerabilities and partial lack of upstream support in the form of long term branches make it very difficult to support these browsers and engines with backported security fixes. Additionally, library interdependencies make it extremely difficult to update to newer upstream releases. Therefore, browsers built upon e.g. the webkit and khtml engines[6] are included in bullseye, but not covered by security support. These browsers should not be used against untrusted websites. The webkit2gtk source package is covered by security support.

For general web browser use we recommend Firefox or Chromium. They will be kept up-to-date by rebuilding the current ESR releases for stable. The same strategy will be applied for Thunderbird.

5.3. Package specific issues

In most cases, packages should upgrade smoothly between buster and bullseye. There are a small number of cases where some intervention may be required, either before or during the upgrade; these are detailed below on a per-package basis.

5.3.1. Accessing GNOME Settings app without mouse

Without a pointing device, there is no direct way to change settings in the GNOME Settings app provided by gnome-control-center. As a work-around, you can navigate from the sidebar to the main content by pressing the Right Arrow twice. To get back to the sidebar, you can start a search with Ctrl+F, type something, then hit Esc to cancel the search. Now you can use the Up Arrow and Down Arrow to navigate the sidebar. It is not possible to select search results with the keyboard.

5.3.2. sendmail downtime during upgrade

In contrast to normal upgrades of sendmail, during the upgrade of buster to bullseye the sendmail service will be stopped, causing more downtime than usual. For generic advice on reducing downtime see Section 4.1.3, “Prepare for downtime on services”.



[6] These engines are shipped in a number of different source packages and the concern applies to all packages shipping them. The concern also extends to web rendering engines not explicitly mentioned here, with the exception of webkit2gtk.