Chapter 5. Issues to be aware of for buster

Table of Contents

5.1. Upgrade specific items for buster
5.1.1. Hidepid mount option for procfs unsupported
5.1.2. ypbind fails to start with -no-dbus
5.1.3. NIS server does not answer NIS client requests by default
5.1.4. sshd fails to authenticate
5.1.5. Daemons fail to start or system appears to hang during boot
5.1.6. Migrating from legacy network interface names
5.1.7. Module configuration for bonding and dummy interfaces
5.1.8. OpenSSL default version and security level raised
5.1.9. Some applications don't work in GNOME on Wayland
5.1.10. Noteworthy obsolete packages
5.1.11. Deprecated components for buster
5.1.12. Things to do post upgrade before rebooting
5.1.13. SysV init related packages no longer required
5.2. Limitations in security support
5.2.1. Security status of web browsers and their rendering engines
5.2.2. Go based packages
5.3. Package specific issues
5.3.1. Glibc requires Linux kernel 3.2 or higher
5.3.2. Semantics for using environment variables for su changed
5.3.3. Existing PostgreSQL databases need to be reindexed
5.3.4. mutt and neomutt
5.3.5. Accessing GNOME Settings app without mouse
5.3.6. gnome-disk-utility fails to change LUKS password causing permanent data loss (buster 10.0 only)
5.3.7. evolution-ews has been dropped, and email inboxes using Exchange, Office365 or Outlook server will be removed
5.3.8. Calamares installer leaves disk encryption keys readable
5.3.9. S3QL URL changes for Amazon S3 buckets
5.3.10. Split in configuration for logrotate
5.3.11. The rescue boot option is unusable without a root password

Sometimes, changes introduced in a new release have side-effects we cannot reasonably avoid, or they expose bugs somewhere else. This section documents issues we are aware of. Please also read the errata, the relevant packages' documentation, bug reports, and other information mentioned in Section 6.1, “Further reading”.

5.1. Upgrade specific items for buster

This section covers items related to the upgrade from stretch to buster.

5.1.1. Hidepid mount option for procfs unsupported

Using the hidepid mount option for /proc is known to cause problems with current versions of systemd, and is considered by systemd upstream to be an unsupported configuration. Users who have modified /etc/fstab to enable this option are advised to disable it before the upgrade, to ensure login sessions work on buster. (A possible route to re-enabling it is outlined on the wiki's Hardening page.)

5.1.2. ypbind fails to start with -no-dbus

The default options of ypbind have changed. However, if you have modified this file the old default will not be updated and you must make sure that the YPBINDARGS= option in /etc/default/nis does not include -no-dbus. With -no-dbus present, ypbind will fail to start, and you may not be able to log in. For more info see bug #906436.

5.1.3. NIS server does not answer NIS client requests by default

The default behavior of rpcbind has changed to no longer answer remote calls from NIS clients. On NIS servers you will need to add the (Debian-specific) -r flag to the command line options of rpcbind, otherwise users will not be able to log into your NIS client machines. For more info see bug #935492.

5.1.4. sshd fails to authenticate

The semantics of PubkeyAcceptedKeyTypes and the similar HostbasedAcceptedKeyTypes options for sshd have changed. These now specify signature algorithms that are accepted for their respective authentication mechanism, where previously they specified accepted key types. This distinction matters when using the RSA/SHA2 signature algorithms rsa-sha2-256, rsa-sha2-512 and their certificate counterparts. Configurations that override these options but omit these algorithm names may cause unexpected authentication failures.

No action is required for configurations that accept the default for these options.

5.1.5. Daemons fail to start or system appears to hang during boot

Due to systemd needing entropy during boot and the kernel treating such calls as blocking when available entropy is low, the system may hang for minutes to hours until the randomness subsystem is sufficiently initialized (random: crng init done). For amd64 systems supporting the RDRAND instruction this issue is avoided by the Debian kernel using this instruction by default (CONFIG_RANDOM_TRUST_CPU).

Non-amd64 systems and some types of virtual machines need to provide a different source of entropy to continue fast booting. haveged has been chosen for this within the Debian Installer project and may be a valid option if hardware entropy is not available on the system. On virtual machines consider forwarding entropy from the host to the VMs via virtio_rng.

If you read this after upgrading a remote system to buster, ping the system on the network continuously as this adds entropy to the randomness pool and the system will eventually be reachable by ssh again.

See the wiki and DLange's overview of the issue for other options.

5.1.6. Migrating from legacy network interface names

If your system was upgraded from an earlier release, and still uses the old-style network interface names that were deprecated with stretch (such as eth0 or wlan0), you should be aware that the mechanism of defining their names via /etc/udev/rules.d/70-persistent-net.rules is officially not supported by udev in buster (while it may still work in some cases). To avoid the danger of your machine losing networking after the upgrade to buster, it is recommended that you migrate in advance to the new naming scheme (usually meaning names like enp0s1 or wlp2s5, which incorporate PCI bus- and slot-numbers). Take care to update any interface names hard-coded in configuration for firewalls, ifupdown, and so on.

The alternative is to switch to a supported mechanism for enforcing the old naming scheme, such as a systemd .link file (see systemd.link(5)). The net.ifnames=0 kernel commandline option might also work for systems with only one network interface (of a given type).

To find the new-style names that will be used, first find the current names of the relevant interfaces:

$ echo /sys/class/net/[ew]*
    

For each of these names, check whether it is used in configuration files, and what name udev would prefer to use for it:

$ sudo rgrep -w eth0 /etc
$ udevadm test-builtin net_id /sys/class/net/eth0 2>/dev/null
    

This should give enough information to devise a migration plan. (If the udevadm output includes an onboard or slot name, that takes priority; MAC-based names are normally treated as a fallback, but may be needed for USB network hardware.)

Once you are ready to carry out the switch, disable 70-persistent-net.rules either by renaming it or by commenting out individual lines. On virtual machines you will need to remove the files /etc/systemd/network/99-default.link and (if using virtio network devices) /etc/systemd/network/50-virtio-kernel-names.link. Then rebuild the initrd:

$ sudo update-initramfs -u
    

and reboot. Your system should now have new-style network interface names. Adjust any remaining configuration files, and test your system.

See the wiki, upstream documentation, and the udev README.Debian for further information.

5.1.7. Module configuration for bonding and dummy interfaces

Systems using channel bonding and/or dummy interfaces, for instance to configure a machine as a router, may encounter problems upgrading to buster. New versions of systemd install a file /lib/modprobe.d/systemd.conf (intended to simplify configuration via systemd-networkd) which contains the lines

 options bonding max_bonds=0
 options dummy numdummies=0
    

Admins who were depending on different values will need to ensure they are set in the correct way to take precedence. A file in /etc/modprobe.d will override one with the same name under /lib/modprobe.d, but the names are processed in alphabetical order, so /lib/modprobe.d/systemd.conf follows and overrides (for instance) /etc/modprobe.d/dummy.conf. Make sure that any local configuration file has a name that sorts after systemd.conf, such as /etc/modprobe.d/zz-local.conf.

5.1.8. OpenSSL default version and security level raised

Following various security recommendations, the default minimum TLS version has been changed from TLSv1 to TLSv1.2.

The default security level for TLS connections has also been increased from level 1 to level 2. This moves from the 80 bit security level to the 112 bit security level and will require 2048 bit or larger RSA and DHE keys, 224 bit or larger ECC keys, and SHA-2.

The system wide settings can be changed in /etc/ssl/openssl.cnf. Applications might also have an application specific way to override the defaults.

In the default /etc/ssl/openssl.cnf there is a MinProtocol and CipherString line. The CipherString can also set the security level. Information about the security levels can be found in the SSL_CTX_set_security_level(3ssl) manpage. The list of valid strings for the minimum protocol version can be found in SSL_CONF_cmd(3ssl). Other information can be found in ciphers(1ssl) and config(5ssl).

Changing the system wide defaults in /etc/ssl/openssl.cnf back to their previous values can be done by setting:

        MinProtocol = None
        CipherString = DEFAULT
      

It's recommended that you contact the remote site if the defaults cause problems.

5.1.9. Some applications don't work in GNOME on Wayland

GNOME in buster has changed its default display server from Xorg to Wayland (see Section 2.2.11, “GNOME defaults to Wayland”). Some applications, including the popular package manager synaptic, the default Simplified Chinese input method, fcitx, and most screen recording applications, have not been updated to work properly under Wayland. In order to use these packages, one needs to log in with a GNOME on Xorg session.

5.1.10. Noteworthy obsolete packages

The following is a list of known and noteworthy obsolete packages (see Section 4.8, “Obsolete packages” for a description).

The list of obsolete packages includes:

  • The package mcelog is no longer supported with kernel versions above 4.12. rasdaemon can be used as its replacement.

  • The package revelation, which is used to store passwords, is not included in buster. keepass2 can import previously exported password XML files from revelation. Please make sure you export your data from revelation before upgrading, to avoid losing access to your passwords.

  • The package phpmyadmin is not included in buster.

  • ipsec-tools and racoon have been removed from buster as their source has been lagging behind in adapting to new threats.

    Users are encouraged to migrate to libreswan, which has broader protocol compatibility and is being actively maintained upstream.

    libreswan should be fully compatible in terms of communication protocols since it implements a superset of racoon's supported protocols.

  • The simple MTA ssmtp has been dropped for buster. This is due to it currently not validating TLS certs; see bug #662960.

  • The ecryptfs-utils package is not part of buster due to an unfixed serious bug (#765854). At the time of writing this paragraph, there was no clear advice for users of eCryptfs, except not to upgrade.

5.1.11. Deprecated components for buster

With the next release of Debian 11 (codenamed bullseye) some features will be deprecated. Users will need to migrate to other alternatives to prevent trouble when updating to Debian 11.

This includes the following features:

  • Python 2 will stop being supported by its upstream on January 1, 2020. Debian hopes to drop python-2.7 for Debian 11. If users have functionality that relies on python, they should prepare to migrate to python3.

  • Icinga 1.x is EOL upstream since 2018-12-31; while the icinga package is still present, users should use the buster lifetime to migrate to Icinga 2 (icinga2 package) and Icinga Web 2 (icingaweb2 package). The icinga2-classicui package is still present to use the Icinga 1.x CGI web interface with Icinga 2, but the support for it will be removed in Icinga 2.11. Icinga Web 2 should be used instead.

  • The Mailman mailing list manager suite version 3 is newly available in this release. Mailman has been split up into various components; the core is available in the package mailman3 and the full suite can be obtained via the mailman3-full metapackage.

    The legacy Mailman version 2.1 remains available in this release in the package mailman, so you can migrate any existing installations at your own pace. The Mailman 2.1 package will be kept in working order for the foreseeable future, but will not see any major changes or improvements. It will be removed from the first Debian release after Mailman upstream has stopped support for this branch.

    Everyone is encouraged to upgrade to Mailman 3, the modern release under active development.

  • The packages spf-milter-python and dkim-milter-python are no longer actively developed upstream, but their more feature-rich replacements, pyspf-milter and dkimpy-milter, are available in buster. Users should migrate to the new packages before the old ones are removed in bullseye.

5.1.12. Things to do post upgrade before rebooting

When apt full-upgrade has finished, the formal upgrade is complete. For the upgrade to buster, there are no special actions needed before performing a reboot.

5.1.13. SysV init related packages no longer required

[Note]Note

This section does not apply if you have decided to stick with sysvinit-core.

After the switch to systemd as default init system in Jessie and further refinements in Stretch, various SysV related packages are no longer required and can now be purged safely via

apt purge initscripts sysv-rc insserv startpar

5.2. Limitations in security support

There are some packages where Debian cannot promise to provide minimal backports for security issues. These are covered in the following subsections.

[Note]Note

The package debian-security-support helps to track the security support status of installed packages.

5.2.1. Security status of web browsers and their rendering engines

Debian 10 includes several browser engines which are affected by a steady stream of security vulnerabilities. The high rate of vulnerabilities and partial lack of upstream support in the form of long term branches make it very difficult to support these browsers and engines with backported security fixes. Additionally, library interdependencies make it extremely difficult to update to newer upstream releases. Therefore, browsers built upon e.g. the webkit and khtml engines[6] are included in buster, but not covered by security support. These browsers should not be used against untrusted websites. The webkit2gtk source package is covered by security support.

For general web browser use we recommend Firefox or Chromium. They will be kept up-to-date by rebuilding the current ESR releases for stable. The same strategy will be applied for Thunderbird.

5.2.2. Go based packages

The Debian infrastructure currently doesn't properly enable rebuilding packages that statically link parts of other packages on a large scale. Until buster that hasn't been a problem in practice, but with the growth of the Go ecosystem it means that Go based packages won't be covered by regular security support until the infrastructure is improved to deal with them maintainably.

If updates are warranted, they can only come via regular point releases, which may be slow in arriving.

5.3. Package specific issues

In most cases, packages should upgrade smoothly between stretch and buster. There are a small number of cases where some intervention may be required, either before or during the upgrade; these are detailed below on a per-package basis.

5.3.1. Glibc requires Linux kernel 3.2 or higher

Starting with glibc 2.26, Linux kernel 3.2 or later is required. To avoid completely breaking the system, the preinst for libc6 performs a check. If this fails, it will abort the package installation, which will leave the upgrade unfinished. If the system is running a kernel older than 3.2, please update it before starting the distribution upgrade.

5.3.2. Semantics for using environment variables for su changed

su has changed semantics in buster and no longer preserves the user environment variables DISPLAY and XAUTHORITY. If you need to run graphical applications with su, you will have to explicitly set them to allow access to your display. See bug #905409 for an extensive discussion.

5.3.3. Existing PostgreSQL databases need to be reindexed

When upgrading from stretch to buster, the glibc locale data is upgraded. Specifically, this changes how PostgreSQL sorts data in text indexes. To avoid corruption, such indexes need to be REINDEXed immediately after upgrading the locales or locales-all packages, before putting the database back into production.

Suggested command:

sudo -u postgres reindexdb --all

Alternatively, upgrade the databases to PostgreSQL 11 using pg_upgradecluster. (This uses pg_dump by default which will rebuild all indexes. Using -m upgrade or pg_upgrade is not safe because it preserves the now-wrong index ordering.)

Refer to the PostgreSQL Wiki for more information.

5.3.4. mutt and neomutt

In stretch, the package mutt had patches applied from the sources at https://neomutt.org. Starting from buster, the package providing /usr/bin/mutt will instead be purely based on the original sources from http://www.mutt.org, and a separate neomutt package is available providing /usr/bin/neomutt.

This means that some of the features that were previously provided by mutt are no longer available. If this breaks your configuration you can install neomutt instead.

5.3.5. Accessing GNOME Settings app without mouse

Without a pointing device, there is no direct way to change settings in the GNOME Settings app provided by gnome-control-center. As a work-around, you can navigate from the sidebar to the main content by pressing the Right Arrow twice. To get back to the sidebar, you can start a search with Ctrl+F, type something, then hit Esc to cancel the search. Now you can use the Up Arrow and Down Arrow to navigate the sidebar. It is not possible to select search results with the keyboard.

5.3.6.  gnome-disk-utility fails to change LUKS password causing permanent data loss (buster 10.0 only)

Users of the initial buster release images should not change the LUKS password of encrypted disks with the GNOME graphical interface for disk management. The gnome-disk-utility package in buster had a very nasty bug (#928893) when used to change the LUKS password: it deleted the old password but failed to correctly set the new one, making all data on the disk inaccessible. This has been fixed in the first point release.

5.3.7.  evolution-ews has been dropped, and email inboxes using Exchange, Office365 or Outlook server will be removed

Users using evolution as their email client and connecting to a server running Exchange, Office365 or Outlook using the evolution-ews plugin should not upgrade to buster without backing up data and finding an alternative solution beforehand, as evolution-ews has been dropped due to bug #926712 and their email inboxes, calendar, contact lists and tasks will be removed and will no longer be accessible with Evolution.

The evolution-ews package has been reintroduced via buster-backports. Users upgrading from stretch to buster can enable buster-backports after the upgrade and then they will be able to reinstall evolution-ews.

5.3.8.  Calamares installer leaves disk encryption keys readable

When installing Debian from live media using the Calamares installer (Section 2.2.13, “News from Debian Live team”) and selecting the full disk encryption feature, the disk's unlock key is stored in the initramfs which is world readable. This allows users with local filesystem access to read the private key and gain access to the filesystem again in the future.

This can be worked around by adding UMASK=0077 to /etc/initramfs-tools/conf.d/initramfs-permissions and running update-initramfs -u. This will recreate the initramfs without world-readable permissions.

A fix for the installer is being planned (see bug #931373) and will be uploaded to debian-security. In the meantime users of full disk encryption should apply the above workaround.

5.3.9.  S3QL URL changes for Amazon S3 buckets

When using s3ql with Amazon S3 buckets, the configuration needs updating for a change in the URL. The new format is:

s3://<region>/<bucket>/<prefix>

5.3.10.  Split in configuration for logrotate

The shipped configurations for /var/log/btmp and /var/log/wtmp have been split from the main configuration file (/etc/logrotate.conf) into separate standalone files (/etc/logrotate.d/btmp and /etc/logrotate.d/wtmp).

If you have modified /etc/logrotate.conf in this regard, make sure to re-adjust the two new files to your needs and drop any references to (b|w)tmp from the main file, since duplicate definitions can cause errors.

5.3.11.  The rescue boot option is unusable without a root password

With the implementation of sulogin now used, booting with the rescue option always requires the root password. If one has not been set, this makes the rescue mode effectively unusable. However it is still possible to boot using the kernel parameter init=/sbin/sulogin --force

To configure systemd to do the equivalent of this whenever it boots into rescue mode (also known as single mode: see systemd(1)), run sudo systemctl edit rescue.service and create a file saying just:

[Service]
Environment=SYSTEMD_SULOGIN_FORCE=1
    

It might also (or instead) be useful to do this for the emergency.service unit, which is started automatically in the case of certain errors (see systemd.special(7)), or if emergency is added to the kernel command line (e.g. if the system can't be recovered by using the rescue mode).

For background and a discussion on the security implications see #802211.



[6] These engines are shipped in a number of different source packages and the concern applies to all packages shipping them. The concern also extends to web rendering engines not explicitly mentioned here, with the exception of webkit2gtk.