Kapitola 5. Problémy vyskytujúce sa v bullseye

Obsah

5.1. Položky týkajúce sa aktualizácie na bullseye
5.1.1. The XFS file system no longer supports barrier/nobarrier option
5.1.2. Changed security archive layout
5.1.3. Password hashing uses yescrypt by default
5.1.4. NSS NIS and NIS+ support require new packages
5.1.5. Config file fragment handling in unbound
5.1.6. rsync parameter deprecation
5.1.7. Vim addons handling
5.1.8. OpenStack and cgroups v1
5.1.9. OpenStack API policy files
5.1.10. sendmail downtime during upgrade
5.1.11. FUSE 3
5.1.12. GnuPG options file
5.1.13. Linux enables user namespaces by default
5.1.14. redmine missing in bullseye
5.1.15. Exim 4.94
5.1.16. SCSI device probing is non-deterministic
5.1.17. Čo urobiť po aktualizácii pred reštartom
5.2. Items not limited to the upgrade process
5.2.1. Obmedzenia bezpečnostnej podpory
5.2.2. Accessing GNOME Settings app without mouse
5.2.3. The rescue boot option is unusable without a root password
5.3. Obsolescence and deprecation
5.3.1. Významné zastaralé balíky
5.3.2. Zastaralé súčasti bullseye

Niekedy majú zmeny zavedené v novom vydaní vedľajšie účinky, ktorým sa nedokážeme rozumne vyhnúť alebo by spôsobili objavenie chýb inde. Tu dokumentujeme problémy, ktorých sme si vedomí. Tiež si prosím prečítajte errata, dokumentáciu relevantných balíkov, hlásenia o chybách a ďalšie informácie, ktoré spomína Oddiel 6.1, “Ďalšie čítanie”.

5.1. Položky týkajúce sa aktualizácie na bullseye

Táto časť pokrýva položky týkajúce sa aktualizácie z buster na bullseye

5.1.1. The XFS file system no longer supports barrier/nobarrier option

Support for the barrier and nobarrier mount options has been removed from the XFS file system. It is recommended to check /etc/fstab for the presence of either keyword and remove it. Partitions using these options will fail to mount.

5.1.2. Changed security archive layout

For bullseye, the security suite is now named bullseye-security instead of buster/updates and users should adapt their APT source-list files accordingly when upgrading.

The security line in your APT configuration may look like:

deb https://deb.debian.org/debian-security bullseye-security main contrib

5.1.3. Password hashing uses yescrypt by default

The default password hash for local system accounts has been changed from SHA-512 to yescrypt (see crypt(5)). This is expected to provide improved security against dictionary-based password guessing attacks, in terms of both the space and time complexity of the attack.

To take advantage of this improved security, change local passwords; for example use the passwd command.

Old passwords will continue to work using whatever password hash was used to create them.

Yescrypt is not supported by Debian 10 (buster). As a result, shadow password files (/etc/shadow) cannot be copied from a bullseye system back to a buster system. If these files are copied, passwords that have been changed on the bullseye system will not work on the buster system. Similarly, password hashes cannot be cut&pasted from a bullseye to a buster system.

If compatibility is required for password hashes between bullseye and buster, modify /etc/pam.d/common-password. Find the line that looks like:

password [success=1 default=ignore] pam_unix.so obscure yescrypt
	

and replace yescrypt with sha512.

5.1.4. NSS NIS and NIS+ support require new packages

NSS NIS and NIS+ support has been moved to separate packages called libnss-nis and libnss-nisplus. Unfortunately, glibc can't depend on those packages, so they are now only recommended.

On systems using NIS or NIS+, it is therefore recommended to check that those packages are correctly installed after the upgrade.

5.1.5. Config file fragment handling in unbound

The DNS resolver unbound has changed the way it handles configuration file fragments. If you are relying on an include: directive to merge several fragments into a valid configuration, you should read the NEWS file.

5.1.6. rsync parameter deprecation

The rsync parameters --copy-devices and --noatime have been renamed to --write-devices and --open-noatime. The old forms are no longer supported; if you are using them you should see the NEWS file. Transfer processes between systems running different Debian releases may require the buster side to be upgraded to a version of rsync from the backports repository.

5.1.7. Vim addons handling

The addons for vim historically provided by vim-scripts are now managed by Vim's native package functionality rather than by vim-addon-manager. Vim users should prepare before upgrading by following the instructions in the NEWS file.

5.1.8. OpenStack and cgroups v1

OpenStack Victoria (released in bullseye) requires cgroup v1 for block device QoS. Since bullseye also changes to using cgroupv2 by default (see Oddiel 2.2.4, “Control groups v2”), the sysfs tree in /sys/fs/cgroup will not include cgroup v1 features such as /sys/fs/cgroup/blkio, and as a result cgcreate -g blkio:foo will fail. For OpenStack nodes running nova-compute or cinder-volume, it is strongly advised to add the parameters systemd.unified_cgroup_hierarchy=false and systemd.legacy_systemd_cgroup_controller=false to the kernel command line in order to override the default and restore the old cgroup hierarchy.

5.1.9. OpenStack API policy files

Following upstream's recommendations, OpenStack Victoria as released in bullseye switches the OpenStack API to use the new YAML format. As a result, most OpenStack services, including Nova, Glance, and Keystone, appear broken with all of the API policies written explicitly in the policy.json files. Therefore, packages now come with a folder /etc/PROJECT/policy.d containing a file 00_default_policy.yaml, with all of the policies commented out by default.

To avoid the old policy.json file staying active, the Debian OpenStack packages now rename that file as disabled.policy.json.old. In some cases where nothing better could be done in time for the release the policy.json is even simply deleted. So before upgrading, it is strongly advised to back up the policy.json files of your deployments.

More details are available in the upstream documentation.

5.1.10. sendmail downtime during upgrade

In contrast to normal upgrades of sendmail, during the upgrade of buster to bullseye the sendmail service will be stopped, causing more downtime than usual. For generic advice on reducing downtime see Oddiel 4.1.3, “Pripravte sa na odstávku služieb”.

5.1.11. FUSE 3

Some packages including gvfs-fuse, kio-fuse, and sshfs have switched to FUSE 3. During upgrades, this will cause fuse3 to be installed and fuse to be removed.

In some exceptional circumstances, e.g., when performing the upgrade by only running apt-get dist-upgrade instead of the recommended upgrade steps from Kapitola 4, Aktualizácie z Debian 10 (buster), packages depending on fuse3 might be kept back during upgrades. Running the steps discussed in Oddiel 4.4.5, “Aktualizácia systému” again with bullseye's apt or upgrading them manually will resolve the situation.

5.1.12. GnuPG options file

Starting with version 2.2.27-1, per-user configuration of the GnuPG suite has completely moved to ~/.gnupg/gpg.conf, and ~/.gnupg/options is no longer in use. Please rename the file if necessary, or move its contents to the new location.

5.1.13. Linux enables user namespaces by default

From Linux 5.10, all users are allowed to create user namespaces by default. This will allow programs such as web browsers and container managers to create more restricted sandboxes for untrusted or less-trusted code, without the need to run as root or to use a setuid-root helper.

The previous Debian default was to restrict this feature to processes running as root, because it exposed more security issues in the kernel. However, as the implementation of this feature has matured, we are now confident that the risk of enabling it is outweighed by the security benefits it provides.

If you prefer to keep this feature restricted, set the sysctl:

kernel.unprivileged_userns_clone = 0
      

Note that various desktop and container features will not work with this restriction in place, including web browsers, WebKitGTK, Flatpak and GNOME thumbnailing.

5.1.14. redmine missing in bullseye

The package redmine is not provided in bullseye, as it was too late migrating over from the old version of rails which is at the end of upstream support (receiving fixes for severe security bugs only) to the version which is in bullseye. The Ruby Extras Maintainers are following upstream closely and will be releasing a version via backports as soon as it is released and they have working packages. If you can't wait for this to happen before upgrading, you can use a VM or container running buster to isolate this specific application.

5.1.15. Exim 4.94

Please consider the version of Exim in bullseye a major Exim upgrade. It introduces the concept of tainted data read from untrusted sources, like e.g. message sender or recipient. This tainted data (e.g. $local_part or $domain) cannot be used among other things as a file or directory name or command name.

This will break configurations which are not updated accordingly. Old Debian Exim configuration files also will not work unmodified; the new configuration needs to be installed with local modifications merged in.

Typical nonworking examples include:

  • Delivery to /var/mail/$local_part. Use $local_part_data in combination with check_local_user.

  • Using

    data = ${lookup{$local_part}lsearch{/some/path/$domain/aliases}}
    

    instead of

    data = ${lookup{$local_part}lsearch{/some/path/$domain_data/aliases}}
    

    for a virtual domain alias file.

The basic strategy for dealing with this change is to use the result of a lookup in further processing instead of the original (remote provided) value.

To ease upgrading there is a new main configuration option to temporarily downgrade taint errors to warnings, letting the old configuration work with the newer Exim. To make use of this feature add

.ifdef _OPT_MAIN_ALLOW_INSECURE_TAINTED_DATA
 allow_insecure_tainted_data = yes
.endif

to the Exim configuration (e.g. to /etc/exim4/exim4.conf.localmacros) before upgrading and check the logfile for taint warnings. This is a temporary workaround which is already marked for removal on introduction.

5.1.16. SCSI device probing is non-deterministic

Due to changes in the Linux kernel, the probing of SCSI devices is no longer deterministic. This could be an issue for installations that rely on the disk probing order. Two possible alternatives using links in /dev/disk/by-path or a udev rule are suggested in this mailing list post.

5.1.17. Čo urobiť po aktualizácii pred reštartom

When apt full-upgrade has finished, the formal upgrade is complete. For the upgrade to bullseye, there are no special actions needed before performing a reboot.

5.2. Items not limited to the upgrade process

5.2.1. Obmedzenia bezpečnostnej podpory

Existujú niektoré balíky, pre ktoré Debian nemôže sľúbiť poskytovanie minimálnych spätných portov v prípade bezpečnostných problémov. Tieto sú popísané v nasledovných častiach.

[Poznámka]Poznámka

The package debian-security-support helps to track the security support status of installed packages.

5.2.1.1. Security status of web browsers and their rendering engines

Debian 11 includes several browser engines which are affected by a steady stream of security vulnerabilities. The high rate of vulnerabilities and partial lack of upstream support in the form of long term branches make it very difficult to support these browsers and engines with backported security fixes. Additionally, library interdependencies make it extremely difficult to update to newer upstream releases. Therefore, browsers built upon e.g. the webkit and khtml engines[6] are included in bullseye, but not covered by security support. These browsers should not be used against untrusted websites. The webkit2gtk source package is covered by security support.

For general web browser use we recommend Firefox or Chromium. They will be kept up-to-date by rebuilding the current ESR releases for stable. The same strategy will be applied for Thunderbird.

5.2.1.2. OpenJDK 17

Debian bullseye comes with an early access version of OpenJDK 17 (the next expected OpenJDK LTS version after OpenJDK 11), to avoid the rather tedious bootstrap process. The plan is for OpenJDK 17 to receive an update in bullseye to the final upstream release announced for October 2021, followed by security updates on a best effort basis, but users should not expect to see updates for every quarterly upstream security update.

5.2.1.3. Go-based packages

The Debian infrastructure currently has problems with rebuilding packages of types that systematically use static linking. Before buster this wasn't a problem in practice, but with the growth of the Go ecosystem it means that Go-based packages will be covered by limited security support until the infrastructure is improved to deal with them maintainably.

If updates are warranted for Go development libraries, they can only come via regular point releases, which may be slow in arriving.

5.2.2. Accessing GNOME Settings app without mouse

Without a pointing device, there is no direct way to change settings in the GNOME Settings app provided by gnome-control-center. As a work-around, you can navigate from the sidebar to the main content by pressing the Right Arrow twice. To get back to the sidebar, you can start a search with Ctrl+F, type something, then hit Esc to cancel the search. Now you can use the Up Arrow and Down Arrow to navigate the sidebar. It is not possible to select search results with the keyboard.

5.2.3. The rescue boot option is unusable without a root password

With the implementation of sulogin used since buster, booting with the rescue option always requires the root password. If one has not been set, this makes the rescue mode effectively unusable. However it is still possible to boot using the kernel parameter init=/sbin/sulogin --force

To configure systemd to do the equivalent of this whenever it boots into rescue mode (also known as single mode: see systemd(1)), run sudo systemctl edit rescue.service and create a file saying just:

[Service]
Environment=SYSTEMD_SULOGIN_FORCE=1
      

It might also (or instead) be useful to do this for the emergency.service unit, which is started automatically in the case of certain errors (see systemd.special(7)), or if emergency is added to the kernel command line (e.g. if the system can't be recovered by using the rescue mode).

For background and a discussion on the security implications see #802211.

5.3. Obsolescence and deprecation

5.3.1. Významné zastaralé balíky

Nasleduje zoznam známych významných zastaralých balíkov (ich popis nájdete v Oddiel 4.8, “Zastaralé balíky”).

Medzi zastaralé balíky patria:

  • The lilo package has been removed from bullseye. The successor of lilo as boot loader is grub2.

  • The Mailman mailing list manager suite version 3 is the only available version of Mailman in this release. Mailman has been split up into various components; the core is available in the package mailman3 and the full suite can be obtained via the mailman3-full metapackage.

    The legacy Mailman version 2.1 is no longer available (this used to be the package mailman). This branch depends on Python 2 which is no longer available in Debian.

    For upgrading instructions, please see the project's migration documentation.

  • The Linux kernel no longer provides isdn4linux (i4l) support. Consequently, the related userland packages isdnutils, isdnactivecards, drdsl and ibod have been removed from the archives.

  • The deprecated libappindicator libraries are no longer provided. As a result, the related packages libappindicator1, libappindicator3-1 and libappindicator-dev are no longer available. This is expected to cause dependency errors for third-party software that still depends on libappindicator to provide system tray and indicator support.

    Debian is using libayatana-appindicator as the successor of libappindicator. For technical background see this announcement.

  • Debian no longer provides chef. If you use Chef for configuration management, the best upgrade path is probably to switch to using the packages provided by Chef Inc.

    For background on the removal, see the removal request.

  • Python 2 is already beyond its End Of Life, and will receive no security updates. It is not supported for running applications, and packages relying on it have either been switched to Python 3 or removed. However, Debian bullseye does still include a version of Python 2.7, as well as a small number of Python 2 build tools such as python-setuptools. These are present only because they are required for a few application build processes that have not yet been converted to Python 3.

  • The aufs-dkms package is not part of bullseye. Most aufs-dkms users should be able to switch to overlayfs, which provides similar functionality with kernel support. However, it's possible to have a Debian installation on a filesystem that is not compatible with overlayfs, e.g. xfs without d_type. Users of aufs-dkms are advised to migrate away from aufs-dkms before upgrading to bullseye.

5.3.2. Zastaralé súčasti bullseye

S ďalším vydaním Debian 12 (s kódovým označením bookworm) niektoré funkcie budú označené ako zastarané. Používatelia budú musieť migrovať na iné alternatívy, aby predišli problémom pri aktualizácii na Debian 12.

Medzi ne patria nasledovné funkcie:

  • The historical justifications for the filesystem layout with /bin, /sbin, and /lib directories separate from their equivalents under /usr no longer apply today; see the Freedesktop.org summary. Debian bullseye will be the last Debian release that supports the non-merged-usr layout; for systems with a legacy layout that have been upgraded without a reinstall, the usrmerge package exists to do the conversion if desired.

  • bullseye is the final Debian release to ship apt-key. Keys should be managed by dropping files into /etc/apt/trusted.gpg.d instead, in binary format as created by gpg --export with a .gpg extension, or ASCII armored with a .asc extension.

    A replacement for apt-key list to manually investigate the keyring is planned, but work has not started yet.



[6] These engines are shipped in a number of different source packages and the concern applies to all packages shipping them. The concern also extends to web rendering engines not explicitly mentioned here, with the exception of webkit2gtk.