Chapter 5. Issues to be aware of for bullseye

Support for the barrier and nobarrier mount options has been removed from the XFS file system. It is recommended to check /etc/fstab for the presence of either keyword and remove it. Partitions using these options will fail to mount.

For bullseye, the security suite is now named bullseye-security instead of codename/updates and users should adapt their APT source-list files accordingly when upgrading.

The security line in your APT configuration may look like:

deb https://deb.debian.org/debian-security bullseye-security main contrib

If your APT configuration also involves pinning or APT::Default-Release, it is likely to require adjustments as the codename of the security archive no longer matches that of the regular archive. An example of a working APT::Default-Release line for bullseye looks like:

APT::Default-Release "/^bullseye(|-security|-updates)$/";

which takes advantage of APT's support for regular expressions (inside /).

The default password hash for local system accounts has been changed from SHA-512 to yescrypt (see crypt(5)). This is expected to provide improved security against dictionary-based password guessing attacks, in terms of both the space and time complexity of the attack.

To take advantage of this improved security, change local passwords; for example use the passwd command.

Old passwords will continue to work using whatever password hash was used to create them.

Yescrypt is not supported by Debian 10 (buster). As a result, shadow password files (/etc/shadow) cannot be copied from a bullseye system back to a buster system. If these files are copied, passwords that have been changed on the bullseye system will not work on the buster system. Similarly, password hashes cannot be cut&pasted from a bullseye to a buster system.

If compatibility is required for password hashes between bullseye and buster, modify /etc/pam.d/common-password. Find the line that looks like:

password [success=1 default=ignore] pam_unix.so obscure yescrypt
	

and replace yescrypt with sha512.

NSS NIS and NIS+ support has been moved to separate packages called libnss-nis and libnss-nisplus. Unfortunately, glibc can't depend on those packages, so they are now only recommended.

On systems using NIS or NIS+, it is therefore recommended to check that those packages are correctly installed after the upgrade.

The DNS resolver unbound has changed the way it handles configuration file fragments. If you are relying on an include: directive to merge several fragments into a valid configuration, you should read the NEWS file.

The rsync parameter --noatime has been renamed --open-noatime. The old form is no longer supported; if you are using it you should see the NEWS file. Transfer processes between systems running different Debian releases may require the buster side to be upgraded to a version of rsync from the backports repository. The version of rsync in the initial release of bullseye also deprecated --copy-devices in favor of --write-devices, but version 3.2.3-4+deb11u1 (included in bullseye point release 11.1) reverts this deprecation and supports both options.

The addons for vim historically provided by vim-scripts are now managed by Vim's native “package” functionality rather than by vim-addon-manager. Vim users should prepare before upgrading by following the instructions in the NEWS file.

OpenStack Victoria (released in bullseye) requires cgroup v1 for block device QoS. Since bullseye also changes to using cgroupv2 by default (see Section 2.2.4, “Control groups v2”), the sysfs tree in /sys/fs/cgroup will not include cgroup v1 features such as /sys/fs/cgroup/blkio, and as a result cgcreate -g blkio:foo will fail. For OpenStack nodes running nova-compute or cinder-volume, it is strongly advised to add the parameters systemd.unified_cgroup_hierarchy=false and systemd.legacy_systemd_cgroup_controller=false to the kernel command line in order to override the default and restore the old cgroup hierarchy.

Following upstream's recommendations, OpenStack Victoria as released in bullseye switches the OpenStack API to use the new YAML format. As a result, most OpenStack services, including Nova, Glance, and Keystone, appear broken with all of the API policies written explicitly in the policy.json files. Therefore, packages now come with a folder /etc/PROJECT/policy.d containing a file 00_default_policy.yaml, with all of the policies commented out by default.

To avoid the old policy.json file staying active, the Debian OpenStack packages now rename that file as disabled.policy.json.old. In some cases where nothing better could be done in time for the release the policy.json is even simply deleted. So before upgrading, it is strongly advised to back up the policy.json files of your deployments.

More details are available in the upstream documentation.

In contrast to normal upgrades of sendmail, during the upgrade of buster to bullseye the sendmail service will be stopped, causing more downtime than usual. For generic advice on reducing downtime see Section 4.1.3, “Prepare for downtime on services”.

Some packages including gvfs-fuse, kio-fuse, and sshfs have switched to FUSE 3. During upgrades, this will cause fuse3 to be installed and fuse to be removed.

In some exceptional circumstances, e.g., when performing the upgrade by only running apt-get dist-upgrade instead of the recommended upgrade steps from Chapter 4, Upgrades from Debian 10 (buster), packages depending on fuse3 might be kept back during upgrades. Running the steps discussed in Section 4.4.5, “Upgrading the system” again with bullseye's apt or upgrading them manually will resolve the situation.

Starting with version 2.2.27-1, per-user configuration of the GnuPG suite has completely moved to ~/.gnupg/gpg.conf, and ~/.gnupg/options is no longer in use. Please rename the file if necessary, or move its contents to the new location.

From Linux 5.10, all users are allowed to create user namespaces by default. This will allow programs such as web browsers and container managers to create more restricted sandboxes for untrusted or less-trusted code, without the need to run as root or to use a setuid-root helper.

The previous Debian default was to restrict this feature to processes running as root, because it exposed more security issues in the kernel. However, as the implementation of this feature has matured, we are now confident that the risk of enabling it is outweighed by the security benefits it provides.

If you prefer to keep this feature restricted, set the sysctl:

user.max_user_namespaces = 0
      

Note that various desktop and container features will not work with this restriction in place, including web browsers, WebKitGTK, Flatpak and GNOME thumbnailing.

The Debian-specific sysctl kernel.unprivileged_userns_clone=0 has a similar effect, but is deprecated.

From Linux 5.10, Debian disables unprivileged calls to bpf() by default. However, an admin can still change this setting later on, if needed, by writing 0 or 1 to the kernel.unprivileged_bpf_disabled sysctl.

If you prefer to keep unprivileged calls to bpf() enabled, set the sysctl:

kernel.unprivileged_bpf_disabled = 0
      

For background on the change as default in Debian see bug 990411 for the change request.

The package redmine is not provided in bullseye, as it was too late migrating over from the old version of rails which is at the end of upstream support (receiving fixes for severe security bugs only) to the version which is in bullseye. The Ruby Extras Maintainers are following upstream closely and will be releasing a version via backports as soon as it is released and they have working packages. If you can't wait for this to happen before upgrading, you can use a VM or container running buster to isolate this specific application.

Please consider the version of Exim in bullseye a major Exim upgrade. It introduces the concept of tainted data read from untrusted sources, like e.g. message sender or recipient. This tainted data (e.g. $local_part or $domain) cannot be used among other things as a file or directory name or command name.

This will break configurations which are not updated accordingly. Old Debian Exim configuration files also will not work unmodified; the new configuration needs to be installed with local modifications merged in.

Typical nonworking examples include:

The basic strategy for dealing with this change is to use the result of a lookup in further processing instead of the original (remote provided) value.

To ease upgrading there is a new main configuration option to temporarily downgrade taint errors to warnings, letting the old configuration work with the newer Exim. To make use of this feature add

.ifdef _OPT_MAIN_ALLOW_INSECURE_TAINTED_DATA
 allow_insecure_tainted_data = yes
.endif

to the Exim configuration (e.g. to /etc/exim4/exim4.conf.localmacros) before upgrading and check the logfile for taint warnings. This is a temporary workaround which is already marked for removal on introduction.

Due to changes in the Linux kernel, the probing of SCSI devices is no longer deterministic. This could be an issue for installations that rely on the disk probing order. Two possible alternatives using links in /dev/disk/by-path or a udev rule are suggested in this mailing list post.

The network protocol of versions 1 and 2 of rdiff-backup are incompatible. This means that you must be running the same version (either 1 or 2) of rdiff-backup locally and remotely. Since buster ships version 1.2.8 and bullseye ships version 2.0.5, upgrading only the local system or only the remote system from buster to bullseye will break rdiff-backup runs between the two.

Version 2.0.5 of rdiff-backup is available in the buster-backports archive, see backports. This enables users to first upgrade only the rdiff-backup package on their buster systems, and then independently upgrade systems to bullseye at their convenience.

The intel-microcode package currently in bullseye and buster-security (see DSA-4934-1) is known to contain two significant bugs. For some CoffeeLake CPUs this update may break network interfaces that use firmware-iwlwifi, and for some Skylake R0/D0 CPUs on systems using a very outdated firmware/BIOS, the system may hang on boot.

If you held back the update from DSA-4934-1 due to either of these issues, or do not have the security archive enabled, be aware that upgrading to the intel-microcode package in bullseye may cause your system to hang on boot or break iwlwifi. In that case, you can recover by disabling microcode loading on boot; see the instructions in the DSA, which are also in the intel-microcode README.Debian.

Packages that depend on libgc1c2 in buster (e.g. guile-2.2-libs) may be held back during the first full upgrade run to bullseye. Doing a second upgrade normally solves the issue. The background of the issue can be found in bug #988963.

The fail2ban package can be configured to send out e-mail notifications. It does that using mail, which is provided by multiple packages in Debian. A security update (needed on systems that use mail from mailutils) just before the release of bullseye broke this functionality for systems that have mail provided by bsd-mailx. Users of fail2ban in combination with bsd-mailx who wish fail2ban to send out e-mail should either switch to a different provider for mail or manually unapply the upstream commit (which inserted the string "-E 'set escape'" in multiple places under /etc/fail2ban/action.d/).

Although existing Secure Shell (SSH) connections should continue to work through the upgrade as usual, due to unfortunate circumstances the period when new SSH connections cannot be established is longer than usual. If the upgrade is being carried out over an SSH connection which might be interrupted, it's recommended to upgrade openssh-server before upgrading the full system.

The openvswitch upgrade may fail to recover bridges after boot. The workaround is:

        sed -i s/^allow-ovs/auto/ /etc/network/interfaces
     

For more info, see bug #989720.

When apt full-upgrade has finished, the “formal” upgrade is complete. For the upgrade to bullseye, there are no special actions needed before performing a reboot.

There are some packages where Debian cannot promise to provide minimal backports for security issues. These are covered in the following subsections.

	Note
	The package debian-security-support helps to track the security support status of installed packages.

Without a pointing device, there is no direct way to change settings in the GNOME Settings app provided by gnome-control-center. As a work-around, you can navigate from the sidebar to the main content by pressing the Right Arrow twice. To get back to the sidebar, you can start a search with Ctrl+F, type something, then hit Esc to cancel the search. Now you can use the Up Arrow and Down Arrow to navigate the sidebar. It is not possible to select search results with the keyboard.

With the implementation of sulogin used since buster, booting with the rescue option always requires the root password. If one has not been set, this makes the rescue mode effectively unusable. However it is still possible to boot using the kernel parameter init=/sbin/sulogin --force

To configure systemd to do the equivalent of this whenever it boots into rescue mode (also known as single mode: see systemd(1)), run sudo systemctl edit rescue.service and create a file saying just:

[Service]
Environment=SYSTEMD_SULOGIN_FORCE=1
      

It might also (or instead) be useful to do this for the emergency.service unit, which is started automatically in the case of certain errors (see systemd.special(7)), or if emergency is added to the kernel command line (e.g. if the system can't be recovered by using the rescue mode).

For background and a discussion on the security implications see #802211.

The Linux kernel (from version 5.9) no longer supports 32-bit xen virtual machines using PV mode. Such virtual machines need to be converted to the 64-bit PC architecture.

You can check which mode a Xen guest is running (inside the virtual machine):

$ cat /sys/hypervisor/guest_type
PV
        

Virtual machines that return, for example, PVH or HVM are not affected.

The following is a list of known and noteworthy obsolete packages (see Section 4.8, “Obsolete packages” for a description).

The list of obsolete packages includes:

With the next release of Debian 12 (codenamed bookworm) some features will be deprecated. Users will need to migrate to other alternatives to prevent trouble when updating to Debian 12.

This includes the following features: