| Kapitel 5. Ting man skal være opmærksom på i forbindelse med jessie | ||
|---|---|---|
 |  | |
| Kapitel 5. Ting man skal være opmærksom på i forbindelse med jessie | ||
|---|---|---|
| | | |
Indholdsfortegnelse
base-passwdperlSommetider kan ændringer, som er introduceret i en ny udgave, have bivirkninger som vi ikke med rimelighed kan undgå, eller disse ændringer kan afsløre fejl andre steder. Dette afsnit dokumenterer problemer som vi er bekendt med. Læs også gerne errata, dokumentationen for de relevante pakker, fejlrapporter og anden information som er nævnt i Afsnit 6.1, “Yderligere læsning”.
Der er nogle pakker hvor Debian ikke kan love at tilbyde minimale tilbageporteringer for sikkerhedsmæssige problemstillinger. Disse dækkes i de følgende underafsnit.
Bemærk at pakken debian-security-support, introduceret i
Jessie, hjælper med at registrere status for sikkerhedsmæssig
understøttelse for installerede pakker.
Debian 8 inkluderer adskillige browsermotorer, som er påvirket af en stadig strøm af sikkerhedsbrister. Den høje forekomst af sårbarheder og den delvist manglende støtte fra udviklerne i form af langtidsunderstøttede versionsgrene, gør det meget svært at understøtte disse browsere med bagudporterede sikkerhedsrettelser. Hertil kommer at gensidige afhængigheder mellem programbiblioteker gør det umuligt at opdatere til en nyere opstrøms-udgave. Derfor er browsere der bygger på motorerne webkit, qtwebkit og khtml inkluderet i Jessie, men de er ikke fuldt dækket af sikkerhedsunderstøttelse. Disse browsere bør ikke bruges til at tilgå upålidelige internetsider.
Som generel internetbrowser, anbefaler vi Iceweasel eller Chromium.
Chromium - selvom bygget på Webkit-kodebasen - er en leaf-pakke, som vil blive holdt opdateret ved at genbygge de nuværende Chromium-udgivelser for stable. Iceweasel og Icedove vil også blive holdt opdateret ved at genbygge den nuværende ESR-udgivelser for stable.
The Node.js platform is built on top of libv8-3.14, which experiences a high volume of
security issues, but there are currently no volunteers within the project or
the security team sufficiently interested and willing to spend the large
amount of time required to stem those incoming issues.
Unfortunately, this means that libv8-3.14, nodejs, and the associated node-* package
ecosystem should not currently be used with untrusted content, such as
unsanitized data from the Internet.
Derudover vil disse pakker ikke modtage nogle sikkerhedsmæssige opdateringer i Jessie-udgivelsens livstid.
I et forsøg på at forstærke standardopsætningen, vil konfigurationen for
openssh-server nu anvende standarden
»PermitRootLogin without-password«. Hvis du afhænger af en
adgangskodegodkendelse for brugeren root, så er du måske
påvirket af denne ændring.
openssh-server vil forsøge at
detektere sådanne tilfælde og øge prioriteten for dets debconf-prompt.
Hvis du ønsker at bevare adgangskodegodkendelse for brugeren
root, så kan du også forhåndskonfigurere dette spørgsmål
ved at bruge:
# The "false" value is in fact correct despite being confusing. $ echo 'openssh-server openssh-server/permit-root-login boolean false' | debconf-set-selections
If you are using Puppet, please be aware that Puppet 3.7 is not backwards compatible with Puppet 2.7. Among other things, the scoping rules have changed and many deprecated constructs have been removed. See the Puppet 3.x release notes for some of the changes, although be aware that there are further changes in 3.7.
Checking the log files of your current puppetmaster for deprecation warnings and resolving all of those warnings before proceeding with the upgrade will make it much easier to complete the upgrade. Alternatively, or additionally, testing the manifests with a tool like Puppet catalog test may also find potential issues prior to the upgrade.
Når der opgraderes et Puppet-håndteret system fra Wheezy til Jessie, så skal
du sikre dig, at den tilsvarende puppetmaster kører mindst Puppet version
3.7. Hvis masteren kører Wheezys puppetmaster, så vil det håndterede
Jessie-system ikke kunne forbinde til denne.
For yderligere information om inkompatibilitetsændringer, så tag et kig på Telly upgrade issues og "The Angry Guide to Puppet 3".
Opgraderingen til Jessie inkluderer en opgradering af PHP fra 5.4 til 5.6. Dette kan påvirke lokale PHP-skripter og du rådes til at kontrollere disse skripter før opgradering. Nedenfor er et udvalgt undersæt af disse problemstillinger:
To prevent man-in-the-middle attacks against encrypted transfers, client streams now verify peer certificates by default.
As a result of this change, existing code using ssl:// or tls:// stream wrappers (e.g. file_get_contents(), fsockopen(), stream_socket_client()) may no longer connect successfully without manually disabling peer verification via the stream context's "verify_peer" setting.
For yderligere information om denne specifikke problemstilling, så læs venligst dette dokument.
PHP ændrer håndteringen for versaler på mange områder:
Alle interne versalhåndtering for klasse-, funktion- og konstantnavne udføres jævnfør ASCII-regler. Den aktuelle sprogindstilling ignoreres.
Nøgleordene »self«, »parent« og »static« er nu altid versalfølsom.
json_decode()-funktionen accepterer ikke længere ikke-små bogstaver varianter af »booleske« værdier.
Logo GUID-funktionerne (f.eks. php_logo_guid()) er blevet fjernet.
Der er ikke længere muligt at overskrive nøgler i statiske skalartabeller. Se venligst PHP-fejl 66015 for et eksempel og yderligere information om denne specifikke problemstilling.
The mcrypt_encrypt(), mcrypt_decrypt() and mcrypt_{MODE}() functions no longer accept keys or IVs with incorrect sizes. Furthermore an IV is now required if the used block cipher mode requires it.
For legal reasons, the JSON implementation bundled with PHP has been replaced with the version provided by the "jsonc" PECL module. Code that makes assumptions about the finer implementation details of the PHP JSON parser may need to be reviewed.
The "short_open_tag" setting is now disabled by default. The ASP variant of the short tags ("<%" and "%>") are scheduled for removal in PHP7.
For more information or the full list of potential issues, please have a look at upstream's list of backwards incompatible changes for PHP 5.5 and 5.6.
![[Bemærk]](images/note.png) | Bemærk |
|---|---|
This section only applies to systems which have installed an Apache HTTPD server and configured it manually. |
There have been a number of changes to the configuration of the Apache HTTPD server in version 2.4. On the upstream side, the syntax has changed. Notably, the access control directives have changed considerably and will need manual migration to the new directives.
The mod_access_compat module is mentioned in the upstream
upgrade guide as a possible alternative to immediate migration. However,
the reports suggest it may not always work.
The managing of configuration files has also been changed in the Debian
packaging. In particular, all configuration files and sites must now end
with ".conf" to be parsed by default. This change also replaces the
existing use of /etc/apache2/conf.d/.
| Bemærk |
|---|---|
During the upgrade, you may also see warnings about configuration files
placed in |
For more information and the full list of changes, please refer to:
Upgrading to 2.4 from 2.2 document provided by Apache for the upstream side.
The /usr/share/doc/apache2/NEWS.Debian.gz file provided
by the apache2 package.
Jessie ships with systemd-sysv as
default init system. This package is installed
automatically on upgrades.
If you have a preference for another init such as sysvinit-core or upstart, it is recommended to set up APT pinning
prior to the upgrade. This may also be required if you are upgrading LXC
containers before the host. In this case, please refer to Afsnit 5.8.1, “Upgrading LXC guests running on Wheezy hosts”.
As an example, to prevent systemd-sysv from being installed during the
upgrade, you can create a file called
/etc/apt/preferences.d/local-pin-init with the
following contents:
Package: systemd-sysv Pin: release o=Debian Pin-Priority: -1
![[Pas på]](images/caution.png) | Pas på |
|---|---|
Be advised that some packages may have degraded behavior or may be lacking features under a non-default init system. |
Please note that the upgrade may install packages containing "systemd" in
their name even with APT pinning. These alone do not
change your init system. To use systemd as your init system, the
systemd-sysv package must be
installed first.
If APT or aptitude has issues computing an upgrade path with the pin in
place, you may be able to help it by manually installing both sysvinit-core and systemd-shim.
The new default init system, systemd-sysv, has a stricter handling of failing
"auto" mounts during boot compared to sysvinit. If it fails to mount an
"auto" mount (without the "nofail" option), systemd will drop to an
emergency shell rather than continuing the boot.
We recommend that all removable or "optional" mount points (e.g.
non-critical network drives) listed in /etc/fstab
either have the "noauto" or the "nofail" option.
If you are upgrading from previous releases, your system may contain obsolete init-scripts provided by (now) removed packages. These scripts may have inaccurate or no dependency metadata, which can lead to dependency cycles in your init configuration.
To avoid this, we recommend that you go and review the list of packages that are in the "rc" ("Removed, but Config-files remain") state, and purge at least all those containing init-scripts.
Please see Afsnit 4.8.1, “Fuld fjernelse af afinstallerede pakker” for details on finding and purging removed packages.
| Bemærk |
|---|---|
This section only applies to systems where Debian-provided init scripts have been modified locally. |
If you have modified some of the init scripts provided by Debian, please be aware that these may now have been superseded by a systemd unit file or by systemd itself. If you have debsums installed, you can check for locally modified init scripts by using the following shell command.
debsums -c -e | grep ^/etc/init.d
Alternatively, the following can be used in the absence of debsums.
dpkg-query --show -f'${Conffiles}' | sed 's, /,\n/,g' | \
grep /etc/init.d | awk 'NF,OFS=" " {print $2, $1}' | \
md5sum --quiet -c
If either command flags any files and their corresponding packages
or the systemd
now provides an systemd unit file for that service, the systemd unit file
will take precedence to your locally modified init script. Depending on the
nature of the change, there are different way to perform the migration.
If necessary, it is possible to override the systemd unit file to have it start the sysvinit script. For more information on systemd unit files, please have a look at the following resources.
How Do I Convert A SysV Init Script Into A systemd Service File?
My Service Can't Get Realtime! (also contains a very short mention on invoking init scripts from unit files)
If your boot is interactive (e.g. needs a password for an encrypted disk),
please ensure that you have plymouth
installed and configured. Please refer to
/usr/share/doc/plymouth/README.Debian for information
on how to configure plymouth.
Without plymouth, you may find that
your boot prompt disappears. Reports suggest that the cryptsetup prompt
still accepts input despite not being visible. Should you experience this
issue, typing the correct password may still work.
ACPI events can be handled by logind or acpid. In case both services are configured to handle events in different ways, this can lead to undesired results.
We recommend to migrate any non-default settings to logind and uninstall acpid. Alternatively it is also possible to configure logind to ignore ACPI events by adding:
HandlePowerKey=ignore HandleSuspendKey=ignore HandleHibernateKey=ignore HandleLidSwitch=ignore
to /etc/systemd/logind.conf. Note that this might
change behaviour of desktop environments relying on logind.
There are some cryptsetup features that are unfortunately not supported when running with systemd as the init system. These are:
precheck
check
checkargs
noearly
loud
keyscript
If your system relies on any of these for successful booting, you will have
to use sysvinit (sysvinit-core) as
init system. Please refer to Afsnit 5.6, “Upgrading installs the new default init system for Jessie” for how to avoid a
particular init system.
You can check if any of these options are in use on your system by running the following command:
grep -e precheck -e check -e checkargs -e noearly -e loud -e keyscript /etc/crypttab
If there is no output from the above, your system does not use any of the affected options.
| Bemærk |
|---|---|
This issue was fixed in the 8.1 Jessie point release. |
A regression was reported in systemd after the Jessie release. The bug occurs during shutdown or reboot, where systemd does not give any reasonable delay before issuing SIGKILL to processes. This can lead to data loss in processes that have not saved all data at the time of the reboot (e.g. running databases).
This issue is tracked in the Debian bug #784720
The sysvinit implementation of the
halt command powered off the machine as well. The
systemd-sysv implementation halts
the system, but does not power off the machine. To halt the machine and turn
it off, use the poweroff command.
See also Debian bug #760923
| Bemærk |
|---|---|
This section is only for people who compile their own kernel. If you use the kernels compiled by Debian, you can disregard this section. |
The following kernel configuration options are now either required or recommended for Jessie (in addition to existing ones from previous releases):
# Required for udev CONFIG_DEVTMPFS=y # Required for *some* systemd services CONFIG_DEVPTS_MULTIPLE_INSTANCES=y # Required by "bluez" (GNOME) CONFIG_BT=y # Required for cups + systemd. CONFIG_PPDEV=y
The systemd services which require CONFIG_DEVPTS_MULTIPLE_INSTANCES=y will typically contain at least one of the following directives:
PrivateTmp=yes PrivateDevices=yes PrivateNetwork=yes ProtectSystem=yes
If you do not use systemd, or can assert that none of the systemd services will use the above directives, the config option might not be required for your particular system.
For more information about the requirements, please refer to the section
called "REQUIREMENTS" in the README
file for the package systemd.
| Bemærk |
|---|---|
This section only applies to systems that have LXC containers and hosts. Normal end user systems usually do not have these. |
The upgrade from Wheezy to Jessie will migrate your system to the systemd init system by default (see Afsnit 5.6, “Upgrading installs the new default init system for Jessie”).
When upgrading an LXC container or an LXC virtual machine, this will have different consequences depending on whether the host system has already been upgraded to Jessie or not.
If you are upgrading an LXC guest container that is running on a Wheezy host system, then you will need to prevent the guest from being automatically migrated to systemd. You prevent the migration via pinning, as described in Afsnit 5.6, “Upgrading installs the new default init system for Jessie”.
This is required as the Wheezy host lacks functionality to boot a system running systemd.
You should be able to switch over to systemd inside the LXC guest once you have upgraded the host system to Jessie. See the next paragraph for things that need to be adapted on Jessie hosts.
In order to be able to boot LXC guests with systemd, you need to adapt your
LXC container configuration. The container configuration can usually be
found in
/var/lib/lxc/
You need to add the following two settings to the configuration:
CONTAINER_NAME/config
lxc.autodev = 1 lxc.kmsg = 0
You can find further information on LXC in Debian in the Debian wiki.
| Bemærk |
|---|---|
This section is only for people who have set up LUKS encrypted disks themselves using the whirlpool hash. The debian-installer has never supported creating such disks. |
If you have manually set up an encrypted disk with LUKS whirlpool, you will need to migrate it manually to a stronger hash. You can check if your disk is using whirlpool by using the following command:
# /sbin/cryptsetup luksDump <disk-device> | grep -i whirlpool
For more information on migrating, please see item "8.3 Gcrypt 1.6.x and later break Whirlpool" of the cryptsetup FAQ.
The GNOME 3.14 desktop in Jessie no longer has fallback support for machines without basic 3D graphics. To run properly, it needs either a recent enough PC (any PC built in the last 10 years should have the required SSE2 support) or, for architectures other than i386 and amd64, a 3D-accelerated graphics adapter with EGL drivers.
Unlike other OpenGL drivers, the AMD FGLRX driver for Radeon adapters does not support the EGL interface. As such, several GNOME applications, including the core of the GNOME desktop, will not start at all when this driver is in use.
It is recommended to use the free radeon driver, which is
the default in jessie, instead.
The default keyboard shortcuts in the GNOME desktop have changed in order to match more closely those of some other operating systems.
Shortcut settings previously modified by the user will be preserved upon upgrade. These settings can still be configured from the GNOME control center, accessible from the top right menu by clicking on the "settings" icon.
Opgraderingen af pakken base-passwd
vil nulstille skallen for nogle systembrugere til »nologin«-skallen. Dette
inkluderer de følgende brugere:
daemon
bin
sys
sync
games
man
lp
news
uucp
proxy
www-data
backup
list
irc
gnats
nobody
If your local setup requires that any of these users have a shell, you should say no to migrating, or migrate and then change the shell of the corresponding users. Notable examples include local backups done via the "backup" user with "ssh-key" authentication.
| Pas på |
|---|---|
Migreringen vil ske automatisk, hvis din debconf-spørgsmålsprioritet er høj (»high«) eller over. |
Hvis du ønsker at beholde den nuværende skal for en given bruger, så kan du forhåndsudfylde spørgsmålene ved at bruge følgende:
echo 'base-passwd base-passwd/system/username/shell/current-shell-mangled/_usr_sbin_nologin boolean false' | debconf-set-selections
Hvor username er navnet på brugeren og
current-shell-mangled er det ødelagte navn på
skallen. Ødelæggelsen udføres ved at erstatte alle tegn udover alfanumeriske
tegn, streger og understreger med understreger. F.eks. /bin/bash bliver
_bin_bash.
The Kontact Personal Information Management system has received a major upgrade. The new version makes much greater use of metadata indexing and each user's data must be migrated into these new indices.
E-mail, calendar events, and addressbook contacts are automatically migrated when the user logs in and the relevant component is started. Some advanced settings such as e-mail filters and custom templates require manual intervention. Further details and troubleshooting suggestions are collected on the Debian Wiki.
| Bemærk |
|---|---|
This issue is currently reported as fixed in Jessie. Should you still be able to reproduce it, then please follow up to Debian Bug#766462. Note that you may have to unarchive the issue first (please refer to the Debian BTS control server documentation on how to unarchive bugs). |
Hvis du har flere skrivebordsmiljøet installeret, så kan du opleve at ingen af de virtuelle konsoller (»virtual consoles«) viser et logind.
This issue seems to occur when plymouth, systemd, and GNOME are all installed. This
issue is reported as Debian Bug#766462.
It has been reported that removing the "splash" argument from the kernel
command-line may work around the issue. Please see
/etc/default/grub and remember to run
update-grub after updating the file.
There is a compatibility issue in grub-pc with older graphics cards (e.g. the
"ATI Rage 128 Pro Ultra TR") that can cause it to show a blank screen during
boot. The display may issue a "VGA signal out of range" message (or
something similar).
En simpel måde at komme omkring det på er at angive
GRUB_TERMINAL=console i
/etc/default/grub.
The crontab program is now more strict and may refuse to
save a changed cron file if it is invalid. If you experience issues with
crontab -e, please review your crontab for existing
mistakes.
From version 5.18 (and 5.20, which is included in Jessie), Perl will exit
with a fatal error if it encounters unreadable module paths in
@INC. The previous behavior was to skip such entries. It
is recommended to check the contents of @INC in your
environment for directories which are not world-readable, and take
appropriate action.
Du kan se standarden @INC for Perl ved at køre
perl -V.
| Bemærk |
|---|---|
This issue was fixed in the 8.1 Jessie point release. |
The version of ganeti (2.12.0-3)
released with Jessie does not support migrations from installations running
2.5 or earlier (including Wheezy) in cases where there are instances with
DRBD disks. It is hoped that this issue will be fixed in a point release,
and recommended that you do not upgrade affected Ganeti clusters in the
meantime. You can find more information about this issue at Debian Bug#783186.
The recommended procedure to upgrade a Ganeti cluster from Wheezy's
ganeti version (2.5.2-1) to Jessie's
(2.12.0-3) is to stop all instances and then upgrade and reboot all nodes at
once. This will ensure that all instances run with Jessie's hypervisor
version and that all nodes run the same versions of Ganeti and DRBD.
Note that running a cluster with mixed 2.5 and 2.12 nodes is not supported. Also note that, depending on the hypervisor, instance live migrations may not work between Wheezy and Jessie hypervisor versions.
If a client requests that a file should be "opened for execution", Samba4 will require the executable bit to be set on the file in addition to the regular read permissions. This also causes "netlogon" scripts to be silently ignored if they lack this executable bit.
| Bemærk |
|---|---|
This section only applies to people that have manually changed their
|
If you have both busybox and cryptsetup installed plus configured initramfs
to not use busybox, then it may render your system
unbootable.
Please check the value of your BUSYBOX setting in
/etc/initramfs-tools/initramfs.conf if you have both of
these packages installed. At this time, known work arounds are uninstalling
busybox or setting
BUSYBOX=y in
/etc/initramfs-tools/initramfs.conf.
![[Advarsel]](images/warning.png) | Advarsel |
|---|---|
If you had to make any changes, please remember to run
|
Please see Debian Bug#783297 for more information.
| Bemærk |
|---|---|
This section only applies to people that have installed the squid webproxy. |
The configuration of squid has changed in an incompatible way. Notably some of the squid "helpers" have changed their name. If your configuration relies on old features no longer present or on the old names for the helpers, your squid service may fail to start after the upgrade.
Please see the upstream release notes for more information. These are:
Release notes for Squid 3.2 (The renamed helpers can be found in 2.6 Helper Name Changes)
| | | |
| Kapitel 4. Opgraderinger fra Debian 7 (wheezy) |  | Kapitel 6. Yderligere oplysninger om Debian |