Chapter 5. Issues to be aware of for bullseye

Table of Contents

5.1. Upgrade specific items for bullseye
5.1.1. New VA-API default driver for Intel GPUs
5.1.2. The XFS file system no longer supports barrier/nobarrier option
5.1.3. Changed security archive layout
5.1.4. Password hashing uses yescrypt by default
5.1.5. NSS NIS and NIS+ support require new packages
5.1.6. Config file fragment handling in unbound
5.1.7. rsync parameter deprecation
5.1.8. Vim addons handling
5.1.9. OpenStack and cgroups v1
5.1.10. OpenStack API policy files
5.1.11. sendmail downtime during upgrade
5.1.12. FUSE 3
5.1.13. GnuPG options file
5.1.14. Linux enables user namespaces by default
5.1.15. Linux disables unprivileged calls to bpf() by default
5.1.16. redmine missing in bullseye
5.1.17. Exim 4.94
5.1.18. SCSI device probing is non-deterministic
5.1.19. rdiff-backup require lockstep upgrade of server and client
5.1.20. Intel CPU microcode issues
5.1.21. Upgrades involving libgc1c2 need two runs
5.1.22. fail2ban can't send e-mail using mail from bsd-mailx
5.1.23. No new SSH connections possible during upgrade
5.1.24. Open vSwitch upgrade requires interfaces(5) change
5.1.25. Things to do post upgrade before rebooting
5.2. Items not limited to the upgrade process
5.2.1. Limitations in security support
5.2.2. Accessing GNOME Settings app without mouse
5.2.3. The rescue boot option is unusable without a root password
5.2.4. 32-bit Xen PV guests are not supported
5.3. Obsolescence and deprecation
5.3.1. Noteworthy obsolete packages
5.3.2. Deprecated components for bullseye
5.4. Known severe bugs

Sometimes, changes introduced in a new release have side-effects we cannot reasonably avoid, or they expose bugs somewhere else. This section documents issues we are aware of. Please also read the errata, the relevant packages' documentation, bug reports, and other information mentioned in Section 6.1, “Further reading”.

5.1. Upgrade specific items for bullseye

This section covers items related to the upgrade from buster to bullseye.

5.1.1. New VA-API default driver for Intel GPUs

For Intel GPUs available with Broadwell and newer, the Video Acceleration API (VA-API) implementation now defaults to intel-media-va-driver for hardware accelerated video decoding. Systems which have va-driver-all installed will automatically be upgraded to the new driver.

The legacy driver package i965-va-driver is still available and offers support up to the Cannon Lake micro architecture. To prefer the legacy driver over the new default one, set the environment variable LIBVA_DRIVER_NAME to i965, for instance by setting the variable in /etc/environment. For more information, please see the Wiki's page on hardware video acceleration.

5.1.2. The XFS file system no longer supports barrier/nobarrier option

Support for the barrier and nobarrier mount options has been removed from the XFS file system. It is recommended to check /etc/fstab for the presence of either keyword and remove it. Partitions using these options will fail to mount.

5.1.3. Changed security archive layout

For bullseye, the security suite is now named bullseye-security instead of codename/updates and users should adapt their APT source-list files accordingly when upgrading.

The security line in your APT configuration may look like:

deb https://deb.debian.org/debian-security bullseye-security main contrib

If your APT configuration also involves pinning or APT::Default-Release, it is likely to require adjustments as the codename of the security archive no longer matches that of the regular archive. An example of a working APT::Default-Release line for bullseye looks like:

APT::Default-Release "/^bullseye(|-security|-updates)$/";

which takes advantage of APT's support for regular expressions (inside /).

5.1.4. Password hashing uses yescrypt by default

The default password hash for local system accounts has been changed from SHA-512 to yescrypt (see crypt(5)). This is expected to provide improved security against dictionary-based password guessing attacks, in terms of both the space and time complexity of the attack.

To take advantage of this improved security, change local passwords; for example use the passwd command.

Old passwords will continue to work using whatever password hash was used to create them.

Yescrypt is not supported by Debian 10 (buster). As a result, shadow password files (/etc/shadow) cannot be copied from a bullseye system back to a buster system. If these files are copied, passwords that have been changed on the bullseye system will not work on the buster system. Similarly, password hashes cannot be cut&pasted from a bullseye to a buster system.

If compatibility is required for password hashes between bullseye and buster, modify /etc/pam.d/common-password. Find the line that looks like:

password [success=1 default=ignore] pam_unix.so obscure yescrypt
	

and replace yescrypt with sha512.

5.1.5. NSS NIS and NIS+ support require new packages

NSS NIS and NIS+ support has been moved to separate packages called libnss-nis and libnss-nisplus. Unfortunately, glibc can't depend on those packages, so they are now only recommended.

On systems using NIS or NIS+, it is therefore recommended to check that those packages are correctly installed after the upgrade.

5.1.6. Config file fragment handling in unbound

The DNS resolver unbound has changed the way it handles configuration file fragments. If you are relying on an include: directive to merge several fragments into a valid configuration, you should read the NEWS file.

5.1.7. rsync parameter deprecation

The rsync parameter --noatime has been renamed --open-noatime. The old form is no longer supported; if you are using it you should see the NEWS file. Transfer processes between systems running different Debian releases may require the buster side to be upgraded to a version of rsync from the backports repository. The version of rsync in the initial release of bullseye also deprecated --copy-devices in favor of --write-devices, but version 3.2.3-4+deb11u1 (included in bullseye point release 11.1) reverts this deprecation and supports both options.

5.1.8. Vim addons handling

The addons for vim historically provided by vim-scripts are now managed by Vim's native package functionality rather than by vim-addon-manager. Vim users should prepare before upgrading by following the instructions in the NEWS file.

5.1.9. OpenStack and cgroups v1

OpenStack Victoria (released in bullseye) requires cgroup v1 for block device QoS. Since bullseye also changes to using cgroupv2 by default (see Section 2.2.4, “Control groups v2”), the sysfs tree in /sys/fs/cgroup will not include cgroup v1 features such as /sys/fs/cgroup/blkio, and as a result cgcreate -g blkio:foo will fail. For OpenStack nodes running nova-compute or cinder-volume, it is strongly advised to add the parameters systemd.unified_cgroup_hierarchy=false and systemd.legacy_systemd_cgroup_controller=false to the kernel command line in order to override the default and restore the old cgroup hierarchy.

5.1.10. OpenStack API policy files

Following upstream's recommendations, OpenStack Victoria as released in bullseye switches the OpenStack API to use the new YAML format. As a result, most OpenStack services, including Nova, Glance, and Keystone, appear broken with all of the API policies written explicitly in the policy.json files. Therefore, packages now come with a folder /etc/PROJECT/policy.d containing a file 00_default_policy.yaml, with all of the policies commented out by default.

To avoid the old policy.json file staying active, the Debian OpenStack packages now rename that file as disabled.policy.json.old. In some cases where nothing better could be done in time for the release the policy.json is even simply deleted. So before upgrading, it is strongly advised to back up the policy.json files of your deployments.

More details are available in the upstream documentation.

5.1.11. sendmail downtime during upgrade

In contrast to normal upgrades of sendmail, during the upgrade of buster to bullseye the sendmail service will be stopped, causing more downtime than usual. For generic advice on reducing downtime see Section 4.1.3, “Prepare for downtime on services”.

5.1.12. FUSE 3

Some packages including gvfs-fuse, kio-fuse, and sshfs have switched to FUSE 3. During upgrades, this will cause fuse3 to be installed and fuse to be removed.

In some exceptional circumstances, e.g., when performing the upgrade by only running apt-get dist-upgrade instead of the recommended upgrade steps from Chapter 4, Upgrades from Debian 10 (buster), packages depending on fuse3 might be kept back during upgrades. Running the steps discussed in Section 4.4.5, “Upgrading the system” again with bullseye's apt or upgrading them manually will resolve the situation.

5.1.13. GnuPG options file

Starting with version 2.2.27-1, per-user configuration of the GnuPG suite has completely moved to ~/.gnupg/gpg.conf, and ~/.gnupg/options is no longer in use. Please rename the file if necessary, or move its contents to the new location.

5.1.14. Linux enables user namespaces by default

From Linux 5.10, all users are allowed to create user namespaces by default. This will allow programs such as web browsers and container managers to create more restricted sandboxes for untrusted or less-trusted code, without the need to run as root or to use a setuid-root helper.

The previous Debian default was to restrict this feature to processes running as root, because it exposed more security issues in the kernel. However, as the implementation of this feature has matured, we are now confident that the risk of enabling it is outweighed by the security benefits it provides.

If you prefer to keep this feature restricted, set the sysctl:

user.max_user_namespaces = 0
      

Note that various desktop and container features will not work with this restriction in place, including web browsers, WebKitGTK, Flatpak and GNOME thumbnailing.

The Debian-specific sysctl kernel.unprivileged_userns_clone=0 has a similar effect, but is deprecated.

5.1.15. Linux disables unprivileged calls to bpf() by default

From Linux 5.10, Debian disables unprivileged calls to bpf() by default. However, an admin can still change this setting later on, if needed, by writing 0 or 1 to the kernel.unprivileged_bpf_disabled sysctl.

If you prefer to keep unprivileged calls to bpf() enabled, set the sysctl:

kernel.unprivileged_bpf_disabled = 0
      

For background on the change as default in Debian see bug 990411 for the change request.

5.1.16. redmine missing in bullseye

The package redmine is not provided in bullseye, as it was too late migrating over from the old version of rails which is at the end of upstream support (receiving fixes for severe security bugs only) to the version which is in bullseye. The Ruby Extras Maintainers are following upstream closely and will be releasing a version via backports as soon as it is released and they have working packages. If you can't wait for this to happen before upgrading, you can use a VM or container running buster to isolate this specific application.

5.1.17. Exim 4.94

Please consider the version of Exim in bullseye a major Exim upgrade. It introduces the concept of tainted data read from untrusted sources, like e.g. message sender or recipient. This tainted data (e.g. $local_part or $domain) cannot be used among other things as a file or directory name or command name.

This will break configurations which are not updated accordingly. Old Debian Exim configuration files also will not work unmodified; the new configuration needs to be installed with local modifications merged in.

Typical nonworking examples include:

  • Delivery to /var/mail/$local_part. Use $local_part_data in combination with check_local_user.

  • Using

    data = ${lookup{$local_part}lsearch{/some/path/$domain/aliases}}
    

    instead of

    data = ${lookup{$local_part}lsearch{/some/path/$domain_data/aliases}}
    

    for a virtual domain alias file.

The basic strategy for dealing with this change is to use the result of a lookup in further processing instead of the original (remote provided) value.

To ease upgrading there is a new main configuration option to temporarily downgrade taint errors to warnings, letting the old configuration work with the newer Exim. To make use of this feature add

.ifdef _OPT_MAIN_ALLOW_INSECURE_TAINTED_DATA
 allow_insecure_tainted_data = yes
.endif

to the Exim configuration (e.g. to /etc/exim4/exim4.conf.localmacros) before upgrading and check the logfile for taint warnings. This is a temporary workaround which is already marked for removal on introduction.

5.1.18. SCSI device probing is non-deterministic

Due to changes in the Linux kernel, the probing of SCSI devices is no longer deterministic. This could be an issue for installations that rely on the disk probing order. Two possible alternatives using links in /dev/disk/by-path or a udev rule are suggested in this mailing list post.

5.1.19. rdiff-backup require lockstep upgrade of server and client

The network protocol of versions 1 and 2 of rdiff-backup are incompatible. This means that you must be running the same version (either 1 or 2) of rdiff-backup locally and remotely. Since buster ships version 1.2.8 and bullseye ships version 2.0.5, upgrading only the local system or only the remote system from buster to bullseye will break rdiff-backup runs between the two.

Version 2.0.5 of rdiff-backup is available in the buster-backports archive, see backports. This enables users to first upgrade only the rdiff-backup package on their buster systems, and then independently upgrade systems to bullseye at their convenience.

5.1.20. Intel CPU microcode issues

The intel-microcode package currently in bullseye and buster-security (see DSA-4934-1) is known to contain two significant bugs. For some CoffeeLake CPUs this update may break network interfaces that use firmware-iwlwifi, and for some Skylake R0/D0 CPUs on systems using a very outdated firmware/BIOS, the system may hang on boot.

If you held back the update from DSA-4934-1 due to either of these issues, or do not have the security archive enabled, be aware that upgrading to the intel-microcode package in bullseye may cause your system to hang on boot or break iwlwifi. In that case, you can recover by disabling microcode loading on boot; see the instructions in the DSA, which are also in the intel-microcode README.Debian.

5.1.21. Upgrades involving libgc1c2 need two runs

Packages that depend on libgc1c2 in buster (e.g. guile-2.2-libs) may be held back during the first full upgrade run to bullseye. Doing a second upgrade normally solves the issue. The background of the issue can be found in bug #988963.

5.1.22. fail2ban can't send e-mail using mail from bsd-mailx

The fail2ban package can be configured to send out e-mail notifications. It does that using mail, which is provided by multiple packages in Debian. A security update (needed on systems that use mail from mailutils) just before the release of bullseye broke this functionality for systems that have mail provided by bsd-mailx. Users of fail2ban in combination with bsd-mailx who wish fail2ban to send out e-mail should either switch to a different provider for mail or manually unapply the upstream commit (which inserted the string "-E 'set escape'" in multiple places under /etc/fail2ban/action.d/).

5.1.23. No new SSH connections possible during upgrade

Although existing Secure Shell (SSH) connections should continue to work through the upgrade as usual, due to unfortunate circumstances the period when new SSH connections cannot be established is longer than usual. If the upgrade is being carried out over an SSH connection which might be interrupted, it's recommended to upgrade openssh-server before upgrading the full system.

5.1.24. Open vSwitch upgrade requires interfaces(5) change

The openvswitch upgrade may fail to recover bridges after boot. The workaround is:

        sed -i s/^allow-ovs/auto/ /etc/network/interfaces
     

For more info, see bug #989720.

5.1.25. Things to do post upgrade before rebooting

When apt full-upgrade has finished, the formal upgrade is complete. For the upgrade to bullseye, there are no special actions needed before performing a reboot.

5.2. Items not limited to the upgrade process

5.2.1. Limitations in security support

There are some packages where Debian cannot promise to provide minimal backports for security issues. These are covered in the following subsections.

[Note]Note

The package debian-security-support helps to track the security support status of installed packages.

5.2.1.1. Security status of web browsers and their rendering engines

Debian 11 includes several browser engines which are affected by a steady stream of security vulnerabilities. The high rate of vulnerabilities and partial lack of upstream support in the form of long term branches make it very difficult to support these browsers and engines with backported security fixes. Additionally, library interdependencies make it extremely difficult to update to newer upstream releases. Therefore, browsers built upon e.g. the webkit and khtml engines[6] are included in bullseye, but not covered by security support. These browsers should not be used against untrusted websites. The webkit2gtk and wpewebkit engines are covered by security support.

For general web browser use we recommend Firefox or Chromium. They will be kept up-to-date by rebuilding the current ESR releases for stable. The same strategy will be applied for Thunderbird.

5.2.1.2. OpenJDK 17

Debian bullseye comes with an early access version of OpenJDK 17 (the next expected OpenJDK LTS version after OpenJDK 11), to avoid the rather tedious bootstrap process. The plan is for OpenJDK 17 to receive an update in bullseye to the final upstream release announced for October 2021, followed by security updates on a best effort basis, but users should not expect to see updates for every quarterly upstream security update.

5.2.1.3. Go-based packages

The Debian infrastructure currently has problems with rebuilding packages of types that systematically use static linking. Before buster this wasn't a problem in practice, but with the growth of the Go ecosystem it means that Go-based packages will be covered by limited security support until the infrastructure is improved to deal with them maintainably.

If updates are warranted for Go development libraries, they can only come via regular point releases, which may be slow in arriving.

5.2.2. Accessing GNOME Settings app without mouse

Without a pointing device, there is no direct way to change settings in the GNOME Settings app provided by gnome-control-center. As a work-around, you can navigate from the sidebar to the main content by pressing the Right Arrow twice. To get back to the sidebar, you can start a search with Ctrl+F, type something, then hit Esc to cancel the search. Now you can use the Up Arrow and Down Arrow to navigate the sidebar. It is not possible to select search results with the keyboard.

5.2.3.  The rescue boot option is unusable without a root password

With the implementation of sulogin used since buster, booting with the rescue option always requires the root password. If one has not been set, this makes the rescue mode effectively unusable. However it is still possible to boot using the kernel parameter init=/sbin/sulogin --force

To configure systemd to do the equivalent of this whenever it boots into rescue mode (also known as single mode: see systemd(1)), run sudo systemctl edit rescue.service and create a file saying just:

[Service]
Environment=SYSTEMD_SULOGIN_FORCE=1
      

It might also (or instead) be useful to do this for the emergency.service unit, which is started automatically in the case of certain errors (see systemd.special(7)), or if emergency is added to the kernel command line (e.g. if the system can't be recovered by using the rescue mode).

For background and a discussion on the security implications see #802211.

5.2.4. 32-bit Xen PV guests are not supported

The Linux kernel (from version 5.9) no longer supports 32-bit xen virtual machines using PV mode. Such virtual machines need to be converted to the 64-bit PC architecture.

You can check which mode a Xen guest is running (inside the virtual machine):

$ cat /sys/hypervisor/guest_type
PV
        

Virtual machines that return, for example, PVH or HVM are not affected.

5.3. Obsolescence and deprecation

5.3.1. Noteworthy obsolete packages

The following is a list of known and noteworthy obsolete packages (see Section 4.8, “Obsolete packages” for a description).

The list of obsolete packages includes:

  • The lilo package has been removed from bullseye. The successor of lilo as boot loader is grub2.

  • The Mailman mailing list manager suite version 3 is the only available version of Mailman in this release. Mailman has been split up into various components; the core is available in the package mailman3 and the full suite can be obtained via the mailman3-full metapackage.

    The legacy Mailman version 2.1 is no longer available (this used to be the package mailman). This branch depends on Python 2 which is no longer available in Debian.

    For upgrading instructions, please see the project's migration documentation.

  • The Linux kernel no longer provides isdn4linux (i4l) support. Consequently, the related userland packages isdnutils, isdnactivecards, drdsl and ibod have been removed from the archives.

  • The deprecated libappindicator libraries are no longer provided. As a result, the related packages libappindicator1, libappindicator3-1 and libappindicator-dev are no longer available. This is expected to cause dependency errors for third-party software that still depends on libappindicator to provide system tray and indicator support.

    Debian is using libayatana-appindicator as the successor of libappindicator. For technical background see this announcement.

  • Debian no longer provides chef. If you use Chef for configuration management, the best upgrade path is probably to switch to using the packages provided by Chef Inc.

    For background on the removal, see the removal request.

  • Python 2 is already beyond its End Of Life, and will receive no security updates. It is not supported for running applications, and packages relying on it have either been switched to Python 3 or removed. However, Debian bullseye does still include a version of Python 2.7, as well as a small number of Python 2 build tools such as python-setuptools. These are present only because they are required for a few application build processes that have not yet been converted to Python 3.

  • The aufs-dkms package is not part of bullseye. Most aufs-dkms users should be able to switch to overlayfs, which provides similar functionality with kernel support. However, it's possible to have a Debian installation on a filesystem that is not compatible with overlayfs, e.g. xfs without d_type. Users of aufs-dkms are advised to migrate away from aufs-dkms before upgrading to bullseye.

  • The network connection manager wicd will no longer be available after the upgrade, so to avoid the danger of losing connectivity users are recommended to switch before the upgrade to an alternative such as network-manager or connman.

5.3.2. Deprecated components for bullseye

With the next release of Debian 12 (codenamed bookworm) some features will be deprecated. Users will need to migrate to other alternatives to prevent trouble when updating to Debian 12.

This includes the following features:

  • The historical justifications for the filesystem layout with /bin, /sbin, and /lib directories separate from their equivalents under /usr no longer apply today; see the Freedesktop.org summary. Debian bullseye will be the last Debian release that supports the non-merged-usr layout; for systems with a legacy layout that have been upgraded without a reinstall, the usrmerge package exists to do the conversion if desired.

  • bullseye is the final Debian release to ship apt-key. Keys should be managed by dropping files into /etc/apt/trusted.gpg.d instead, in binary format as created by gpg --export with a .gpg extension, or ASCII armored with a .asc extension.

    A replacement for apt-key list to manually investigate the keyring is planned, but work has not started yet.

  • The slapd database backends slapd-bdb(5), slapd-hdb(5), and slapd-shell(5) are being retired and will not be included in Debian 12. LDAP databases using the bdb or hdb backends should be migrated to the slapd-mdb(5) backend.

    Additionally, the slapd-perl(5) and slapd-sql(5) backends are deprecated and may be removed in a future release.

    The OpenLDAP Project does not support retired or deprecated backends. Support for these backends in Debian 11 is on a best effort basis.

5.4. Known severe bugs

Although Debian releases when it's ready, that unfortunately doesn't mean there are no known bugs. As part of the release process all the bugs of severity serious or higher are actively tracked by the Release Team, so an overview of those bugs that were tagged to be ignored in the last part of releasing bullseye can be found in the Debian Bug Tracking System. The following bugs were affecting bullseye at the time of the release and worth mentioning in this document:

Bug numberPackage (source or binary)Description
922981ca-certificates-javaca-certificates-java: /etc/ca-certificates/update.d/jks-keystore doesn't update /etc/ssl/certs/java/cacerts
990026croncron: Reduced charset in MAILTO causes breakage
991081gir1.2-diodon-1.0gir1.2-diodon-1.0 lacks dependencies
990318python-pkg-resourcespython-pkg-resources: please add Breaks against the unversioned python packages
991449fail2banfix for CVE-2021-32749 breaks systems with mail from bsd-mailx
990708mariadb-server-10.5,galera-4mariadb-server-10.5: upgrade problems due to galera-3 -> galera-4 switch
980429src:gcc-10g++-10: spurious c++17 mode segmentation fault in append_to_statement_list_1 (tree-iterator.c:65)
980609src:gcc-10missing i386-cpuinfo.h
984574gcc-10-basegcc-10-base: please add Breaks: gcc-8-base (<< 8.4)
984931git-elgit-el,elpa-magit: fails to install: /usr/lib/emacsen-common/packages/install/git emacs failed at /usr/lib/emacsen-common/lib.pl line 19, <TSORT> line 7.
987264git-elgit-el: fails to install with xemacs21
991082gir1.2-gtd-1.0gir1.2-gtd-1.0 has empty Depends
948739gpartedgparted should not mask .mount units
984714gpartedgparted should suggest exfatprogs and backport the commit that rejects exfat-utils
984760grub-efi-amd64grub-efi-amd64: upgrade works, boot fails (error: symbol `grub_is_lockdown` not found)
968368ifenslaveifenslave: Option bond-master fails to add interface to bond
990428ifenslaveifenslave: Bonding not working on bullseye (using bond-slaves config)
991113libpam-chrootlibpam-chroot installs pam_chroot.so into the wrong directory
989545src:llvm-toolchain-11libgl1-mesa-dri: si_texture.c:1727 si_texture_transfer_map - failed to create temporary texture to hold untiled copy
982459mdadmmdadm --examine in chroot without /proc,/dev,/sys mounted corrupts host's filesystem
981054openipmiopenipmi: Missing dependency on kmod
948318openssh-serveropenssh-server: Unable to restart sshd restart after upgrade to version 8.1p1-2
991151procpsprocps: dropped the reload option from the init script, breaking corekeeper
989103pulseaudiopulseaudio regressed on control=Wave configuration
984580libpython3.9-devlibpython3.9-dev: missing dependency on zlib1g-dev
990417src:qemuopenjdk-11-jre-headless: running java in qemu s390 gives a SIGILL at C [linux-vdso64.so.1+0x6f8] __kernel_getcpu+0x8
859926speech-dispatcherbreaks with pulse-audio as output when spawned by speechd-up from init system
932501src:squid-deb-proxysquid-deb-proxy: daemon does not start due to the conf file not being allowed by apparmor
991588tpm2-abrmdtpm2-abrmd should not use Requires=systemd-udev-settle.service in its unit
991939libjs-bootstrap4libjs-bootstrap4: broken symlinks: /usr/share/javascript/bootstrap4/css/bootstrap*.css.map -> ../../../nodejs/bootstrap/dist/css/bootstrap*.css.map
991822src:winesrc:wine: dh_auto_clean deletes unrelated files outside of package source
988477src:xenxen-hypervisor-4.14-amd64: xen dmesg shows (XEN) AMD-Vi: IO_PAGE_FAULT on sata pci device
991788xfce4-settingsxfce4-settings: black screen after suspend when laptop lid is closed and re-opened


[6] These engines are shipped in a number of different source packages and the concern applies to all packages shipping them. The concern also extends to web rendering engines not explicitly mentioned here, with the exception of webkit2gtk and the new wpewebkit.