Chapter 5. Issues to be aware of for bullseye

For Intel GPUs available with Broadwell and newer, the Video Acceleration API (VA-API) implementation now defaults to intel-media-va-driver for hardware accelerated video decoding. Systems which have va-driver-all installed will automatically be upgraded to the new driver.

The legacy driver package i965-va-driver is still available and offers support up to the Cannon Lake micro architecture. To prefer the legacy driver over the new default one, set the environment variable LIBVA_DRIVER_NAME to i965, for instance by setting the variable in /etc/environment. For more information, please see the Wiki's page on hardware video acceleration.

Support for the barrier and nobarrier mount options has been removed from the XFS file system. It is recommended to check /etc/fstab for the presence of either keyword and remove it. Partitions using these options will fail to mount.

For bullseye, the security suite is now named bullseye-security instead of buster/updates and users should adapt their APT source-list files accordingly when upgrading.

The security line in your APT configuration may look like:

deb https://deb.debian.org/debian-security bullseye-security main contrib

The default password hash for local system accounts has been changed from SHA-512 to yescrypt (see crypt(5)). This is expected to provide improved security against dictionary-based password guessing attacks, in terms of both the space and time complexity of the attack.

To take advantage of this improved security, change local passwords; for example use the passwd command.

Old passwords will continue to work using whatever password hash was used to create them.

Yescrypt is not supported by Debian 10 (buster). As a result, shadow password files (/etc/shadow) cannot be copied from a bullseye system back to a buster system. If these files are copied, passwords that have been changed on the bullseye system will not work on the buster system. Similarly, password hashes cannot be cut&pasted from a bullseye to a buster system.

If compatibility is required for password hashes between bullseye and buster, modify /etc/pam.d/common-password. Find the line that looks like:

password [success=1 default=ignore] pam_unix.so obscure yescrypt
	

and replace yescrypt with sha512.

NSS NIS and NIS+ support has been moved to separate packages called libnss-nis and libnss-nisplus. Unfortunately, glibc can't depend on those packages, so they are now only recommended.

On systems using NIS or NIS+, it is therefore recommended to check that those packages are correctly installed after the upgrade.

The DNS resolver unbound has changed the way it handles configuration file fragments. If you are relying on an include: directive to merge several fragments into a valid configuration, you should read the NEWS file.

The rsync parameters --copy-devices and --noatime have been renamed to --write-devices and --open-noatime. The old forms are no longer supported; if you are using them you should see the NEWS file. Transfer processes between systems running different Debian releases may require the buster side to be upgraded to a version of rsync from the backports repository.

The addons for vim historically provided by vim-scripts are now managed by Vim's native “package” functionality rather than by vim-addon-manager. Vim users should prepare before upgrading by following the instructions in the NEWS file.

OpenStack Victoria (released in bullseye) requires cgroup v1 for block device QoS. Since bullseye also changes to using cgroupv2 by default (see Section 2.2.4, “Control groups v2”), the sysfs tree in /sys/fs/cgroup will not include cgroup v1 features such as /sys/fs/cgroup/blkio, and as a result cgcreate -g blkio:foo will fail. For OpenStack nodes running nova-compute or cinder-volume, it is strongly advised to add the parameters systemd.unified_cgroup_hierarchy=false and systemd.legacy_systemd_cgroup_controller=false to the kernel command line in order to override the default and restore the old cgroup hierarchy.

Following upstream's recommendations, OpenStack Victoria as released in bullseye switches the OpenStack API to use the new YAML format. As a result, most OpenStack services, including Nova, Glance, and Keystone, appear broken with all of the API policies written explicitly in the policy.json files. Therefore, packages now come with a folder /etc/PROJECT/policy.d containing a file 00_default_policy.yaml, with all of the policies commented out by default.

To avoid the old policy.json file staying active, the Debian OpenStack packages now rename that file as disabled.policy.json.old. In some cases where nothing better could be done in time for the release the policy.json is even simply deleted. So before upgrading, it is strongly advised to back up the policy.json files of your deployments.

More details are available in the upstream documentation.

In contrast to normal upgrades of sendmail, during the upgrade of buster to bullseye the sendmail service will be stopped, causing more downtime than usual. For generic advice on reducing downtime see Section 4.1.3, “Prepare for downtime on services”.

Some packages including gvfs-fuse, kio-fuse, and sshfs have switched to FUSE 3. During upgrades, this will cause fuse3 to be installed and fuse to be removed.

In some exceptional circumstances, e.g., when performing the upgrade by only running apt-get dist-upgrade instead of the recommended upgrade steps from Chapter 4, Upgrades from Debian 10 (buster), packages depending on fuse3 might be kept back during upgrades. Running the steps discussed in Section 4.4.5, “Upgrading the system” again with bullseye's apt or upgrading them manually will resolve the situation.

Starting with version 2.2.27-1, per-user configuration of the GnuPG suite has completely moved to ~/.gnupg/gpg.conf, and ~/.gnupg/options is no longer in use. Please rename the file if necessary, or move its contents to the new location.

From Linux 5.10, all users are allowed to create user namespaces by default. This will allow programs such as web browsers and container managers to create more restricted sandboxes for untrusted or less-trusted code, without the need to run as root or to use a setuid-root helper.

The previous Debian default was to restrict this feature to processes running as root, because it exposed more security issues in the kernel. However, as the implementation of this feature has matured, we are now confident that the risk of enabling it is outweighed by the security benefits it provides.

If you prefer to keep this feature restricted, set the sysctl:

kernel.unprivileged_userns_clone = 0
      

Note that various desktop and container features will not work with this restriction in place, including web browsers, WebKitGTK, Flatpak and GNOME thumbnailing.

The package redmine is not provided in bullseye, as it was too late migrating over from the old version of rails which is at the end of upstream support (receiving fixes for severe security bugs only) to the version which is in bullseye. The Ruby Extras Maintainers are following upstream closely and will be releasing a version via backports as soon as it is released and they have working packages. If you can't wait for this to happen before upgrading, you can use a VM or container running buster to isolate this specific application.

Please consider the version of Exim in bullseye a major Exim upgrade. It introduces the concept of tainted data read from untrusted sources, like e.g. message sender or recipient. This tainted data (e.g. $local_part or $domain) cannot be used among other things as a file or directory name or command name.

This will break configurations which are not updated accordingly. Old Debian Exim configuration files also will not work unmodified; the new configuration needs to be installed with local modifications merged in.

Typical nonworking examples include:

The basic strategy for dealing with this change is to use the result of a lookup in further processing instead of the original (remote provided) value.

To ease upgrading there is a new main configuration option to temporarily downgrade taint errors to warnings, letting the old configuration work with the newer Exim. To make use of this feature add

.ifdef _OPT_MAIN_ALLOW_INSECURE_TAINTED_DATA
 allow_insecure_tainted_data = yes
.endif

to the Exim configuration (e.g. to /etc/exim4/exim4.conf.localmacros) before upgrading and check the logfile for taint warnings. This is a temporary workaround which is already marked for removal on introduction.

Due to changes in the Linux kernel, the probing of SCSI devices is no longer deterministic. This could be an issue for installations that rely on the disk probing order. Two possible alternatives using links in /dev/disk/by-path or a udev rule are suggested in this mailing list post.

The network protocol of versions 1 and 2 of rdiff-backup are incompatible. This means that you must be running the same version (either 1 or 2) of rdiff-backup locally and remotely. Since buster ships version 1.2.8 and bullseye ships version 2.0.5, upgrading only the local system or only the remote system from buster to bullseye will break rdiff-backup runs between the two.

Version 2.0.5 of rdiff-backup is available in the buster-backports archive, see backports. This enables users to first upgrade only the rdiff-backup package on their buster systems, and then independently upgrade systems to bullseye at their convenience.

When apt full-upgrade has finished, the “formal” upgrade is complete. For the upgrade to bullseye, there are no special actions needed before performing a reboot.

There are some packages where Debian cannot promise to provide minimal backports for security issues. These are covered in the following subsections.

	Note
	The package debian-security-support helps to track the security support status of installed packages.

Without a pointing device, there is no direct way to change settings in the GNOME Settings app provided by gnome-control-center. As a work-around, you can navigate from the sidebar to the main content by pressing the Right Arrow twice. To get back to the sidebar, you can start a search with Ctrl+F, type something, then hit Esc to cancel the search. Now you can use the Up Arrow and Down Arrow to navigate the sidebar. It is not possible to select search results with the keyboard.

With the implementation of sulogin used since buster, booting with the rescue option always requires the root password. If one has not been set, this makes the rescue mode effectively unusable. However it is still possible to boot using the kernel parameter init=/sbin/sulogin --force

To configure systemd to do the equivalent of this whenever it boots into rescue mode (also known as single mode: see systemd(1)), run sudo systemctl edit rescue.service and create a file saying just:

[Service]
Environment=SYSTEMD_SULOGIN_FORCE=1
      

It might also (or instead) be useful to do this for the emergency.service unit, which is started automatically in the case of certain errors (see systemd.special(7)), or if emergency is added to the kernel command line (e.g. if the system can't be recovered by using the rescue mode).

For background and a discussion on the security implications see #802211.

The following is a list of known and noteworthy obsolete packages (see Section 4.8, “Obsolete packages” for a description).

The list of obsolete packages includes:

With the next release of Debian 12 (codenamed bookworm) some features will be deprecated. Users will need to migrate to other alternatives to prevent trouble when updating to Debian 12.

This includes the following features:

For a number of armel-based devices that were supported in buster, it is no longer viable for Debian to build the required Linux kernel, due to hardware limitations. The unsupported devices are:

Users of these platforms who wish to upgrade to bullseye nevertheless should keep the buster APT sources enabled. Before upgrading they should add an APT preferences file containing:

Package: linux-image-marvell
Pin: release n=buster
Pin-Priority: 900
	

The security support for this configuration will only last until buster's End Of Life.