5. Issues to be aware of for trixie
Sometimes, changes introduced in a new release have side-effects we cannot reasonably avoid, or they expose bugs somewhere else. This section documents issues we are aware of. Please also read the errata, the relevant packages’ documentation, bug reports, and other information mentioned in Further reading.
5.1. Things to be aware of while upgrading to trixie
This section covers items related to the upgrade from bookworm to trixie.
5.1.1. Interrupted remote upgrades
An issue in OpenSSH in bookworm can lead to inaccessible remote systems if an upgrade being supervised over an SSH connection is interrupted. Users may be unable to re-connect to the remote system to resume the upgrade.
Updated packages for bookworm will resolve this issue in Debian 12.12, but this release was still in preparation at the time of releasing trixie. Instead, users planning upgrades to remote systems over an SSH connection are advised to first update OpenSSH to version 1:9.2p1-2+deb12u7 or greater through the stable-updates mechanism.
5.1.2. Reduced support for i386
From trixie, i386 is no longer supported as a regular architecture: there is no official kernel and no Debian installer for i386 systems. Fewer packages are available for i386 because many projects no longer support it. The architecture’s sole remaining purpose is to support running legacy code, for example, by way of multiarch or a chroot on a 64-bit (amd64) system.
The i386 architecture is now only intended to be used on a 64-bit (amd64) CPU. Its instruction set requirements include SSE2 support, so it will not run successfully on most of the 32-bit CPU types that were supported by Debian 12.
Users running i386 systems should not upgrade to trixie. Instead, Debian recommends either reinstalling them as amd64, where possible, or retiring the hardware. Cross-grading without a reinstall is a technically possible, but risky, alternative.
5.1.3. Last release for armel
From trixie, armel is no longer supported as a regular architecture: there is no Debian installer for armel systems, and only Raspberry Pi 1, Zero, and Zero W are supported by the kernel packages.
Users running armel systems can upgrade to trixie, provided their hardware is supported by the kernel packages, or they use a third-party kernel.
trixie will be the last release for the armel architecture. Debian recommends, where possible, reinstalling armel systems as armhf or arm64, or retiring the hardware.
5.1.4. MIPS architectures removed
From trixie, the architectures mipsel and mips64el are no longer supported by Debian. Users of these architectures are advised to switch to different hardware.
5.1.5. Ensure /boot has enough free space
The Linux kernel and firmware packages have increased considerably in size in previous Debian releases and in trixie. As a result, your /boot partition might be too small, causing the upgrade to fail. If your system was installed with Debian 10 (buster) or earlier, your system is very likely to be affected.
Before starting the upgrade, make sure your /boot partition is at least 768 MB in size, and has about 300 MB free. If your system does not have a separate /boot partition, there should be nothing to do.
If /boot is in LVM and too small, you can use lvextend to increase the size of an LVM partition. If /boot is a separate non-LVM partition, it is likely easier to reinstall the system.
5.1.6. The temporary-files directory /tmp is now stored in a tmpfs
From trixie, the default is for the /tmp/ directory to be stored in memory using a tmpfs(5) filesystem. This should make applications using temporary files faster, but if you put large files there, you may run out of memory.
For systems upgraded from bookworm, the new behavior only starts after a reboot. Files left in /tmp will be hidden after the new tmpfs is mounted, which will lead to warnings in the system journal or syslog. Such files can be accessed using a bind-mount (see mount(1)): running mount --bind / /mnt will make the underlying directory accessible at /mnt/tmp (run umount /mnt once you have cleaned up the old files).
The default is to allocate up to 50% of memory to /tmp (this is a maximum: memory is only used when files are actually created in /tmp). You can change the size by running systemctl edit tmp.mount as root and setting, for example:
[Mount]
Options=mode=1777,nosuid,nodev,size=2G
(see systemd.mount(5)).
You can return to /tmp being a regular directory by running systemctl mask tmp.mount as root and rebooting.
The new filesystem defaults can also be overridden in /etc/fstab, so systems that already define a separate /tmp partition will be unaffected.
5.1.7. openssh-server no longer reads ~/.pam_environment
The Secure Shell (SSH) daemon provided in the openssh-server package, which allows logins from remote systems, no longer reads the user’s ~/.pam_environment file by default; this feature has a history of security problems and has been deprecated in current versions of the Pluggable Authentication Modules (PAM) library. If you used this feature, you should switch from setting variables in ~/.pam_environment to setting them in your shell initialization files (e.g. ~/.bash_profile or ~/.bashrc) or some other similar mechanism instead.
Existing SSH connections will not be affected, but new connections may behave differently after the upgrade. If you are upgrading remotely, it is normally a good idea to ensure that you have some other way to log into the system before starting the upgrade; see Prepare for recovery.
5.1.8. OpenSSH no longer supports DSA keys
Digital Signature Algorithm (DSA) keys, as specified in the Secure Shell (SSH) protocol, are inherently weak: they are limited to 160-bit private keys and the SHA-1 digest. The SSH implementation provided by the openssh-client and openssh-server packages has disabled support for DSA keys by default since OpenSSH 7.0p1 in 2015, released with Debian 9 (“stretch”), although it could still be enabled using the HostKeyAlgorithms and PubkeyAcceptedAlgorithms configuration options for host and user keys respectively.
The only remaining uses of DSA at this point should be connecting to some very old devices. For all other purposes, the other key types supported by OpenSSH (RSA, ECDSA, and Ed25519) are superior.
As of OpenSSH 9.8p1 in trixie, DSA keys are no longer supported even with the above configuration options. If you have a device that you can only connect to using DSA, then you can use the ssh1 command provided by the openssh-client-ssh1 package to do so.
In the unlikely event that you are still using DSA keys to connect to a Debian server (if you are unsure, you can check by adding the -v option to the ssh command line you use to connect to that server and looking for the “Server accepts key:” line), then you must generate replacement keys before upgrading. For example, to generate a new Ed25519 key and enable logins to a server using it, run this on the client, replacing username@server with the appropriate user and host names:
$ ssh-keygen -t ed25519
$ ssh-copy-id username@server
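As an added check that is not part of the release notes or of OpenSSH, the following script lists ssh-dss keys in authorized_keys and known_hosts files, so that the affected accounts can be given replacement keys before the server upgrade rejects them. It relies on the fixed base64 prefix that every ssh-dss key blob starts with; the function names and the sample key lines (fake, truncated blobs) are its own.

```shell
#!/bin/sh
# Find ssh-dss (DSA) public keys in authorized_keys and known_hosts
# files before the trixie upgrade, since OpenSSH 9.8p1 rejects them.
# Added example, not from the release notes or the OpenSSH project.

# Return 0 when a key line carries a DSA key. Every ssh-dss key blob
# begins with the base64 of "\0\0\0\7ssh-dss", i.e. AAAAB3NzaC1kc3M,
# which avoids matching the word in comments. The key may follow
# authorized_keys options (from=..., command=...) or a known_hosts
# host field.
is_dsa_key_line() {
    case "$1" in
        'ssh-dss AAAAB3NzaC1kc3M'*|*[[:space:]]'ssh-dss AAAAB3NzaC1kc3M'*)
            return 0 ;;
    esac
    return 1
}

# Trailing comment of a DSA key line (usually user@host), or nothing.
key_comment() {
    printf '%s\n' "$1" | sed -n 's|.*ssh-dss [A-Za-z0-9+/=]*[[:space:]]*||p'
}

# Print "file:line: comment" for each DSA key in the given files;
# unreadable files are skipped silently.
scan_dsa_keys() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        n=0
        while IFS= read -r line || [ -n "$line" ]; do
            n=$((n + 1))
            if is_dsa_key_line "$line"; then
                printf '%s:%d: %s\n' "$f" "$n" "$(key_comment "$line")"
            fi
        done < "$f"
    done
}

# Number of DSA keys in file $1.
count_dsa_keys() {
    scan_dsa_keys "$1" | wc -l | tr -d ' '
}

# Constructed sample authorized_keys; the key blobs are fake and truncated.
SAMPLE_AUTHORIZED_KEYS='# keys for the deploy account
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC7fakefakefake alice@laptop
ssh-dss AAAAB3NzaC1kc3MAAACBAMfakefakefake bob@old-box
from="10.0.0.0/8",command="/usr/bin/rsync --server" ssh-dss AAAAB3NzaC1kc3MAAACBAPfakefake backup@nas
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeFakeFake carol@desk'

if [ "$#" -gt 0 ]; then
    scan_dsa_keys "$@"
else
    # Default: the usual server- and client-side files of this account.
    scan_dsa_keys /etc/ssh/ssh_known_hosts "$HOME/.ssh/authorized_keys" \
        "$HOME/.ssh/known_hosts"
fi
```

On a server, run it as root over /home/*/.ssh/authorized_keys to find every user who still needs a replacement key.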
5.1.9. The last, lastb and lastlog commands have been replaced
The util-linux package no longer provides the last or lastb commands, and the login package no longer provides lastlog. These commands provided information about previous login attempts using /var/log/wtmp, /var/log/btmp, /var/run/utmp and /var/log/lastlog, but these files will not be usable after 2038 because they do not allocate enough space to store the login time (the Year 2038 Problem), and the upstream developers do not want to change the file formats. Most users will not need to replace these commands with anything, but the util-linux package provides a lslogins command which can tell you when accounts were last used.
There are two direct replacements available: last can be replaced by wtmpdb from the wtmpdb package (the libpam-wtmpdb package also needs to be installed) and lastlog can be replaced by lastlog2 from the lastlog2 package (libpam-lastlog2 also needs to be installed). If you want to use these, you will need to install the new packages after the upgrade; see the util-linux NEWS.Debian for further information. The command lslogins --failed provides similar information to lastb.
If you do not install wtmpdb then we recommend you remove old log files /var/log/wtmp*. If you do install wtmpdb it will upgrade /var/log/wtmp and you can read older wtmp files with wtmpdb import -f <dest>. There is no tool to read /var/log/lastlog* or /var/log/btmp* files: they can be deleted after the upgrade.
5.1.10. Encrypted filesystems need systemd-cryptsetup package
Support for automatically discovering and mounting encrypted filesystems has been moved into the new systemd-cryptsetup package. This new package is recommended by systemd, so it should be installed automatically on upgrades.
Please make sure the systemd-cryptsetup package is installed before rebooting, if you use encrypted filesystems.
5.1.11. Default encryption settings for plain-mode dm-crypt devices changed
The default settings for dm-crypt devices created using plain-mode encryption (see crypttab(5)) have changed to improve security. This will cause problems if you did not record the settings used in /etc/crypttab. The recommended way to configure plain-mode devices is to record the options cipher, size, and hash in /etc/crypttab; otherwise cryptsetup will use default values, and the defaults for cipher and hash algorithm have changed in trixie, which will cause such devices to appear as random data until they are properly configured.
This does not apply to LUKS devices because LUKS records the settings in the device itself.
To properly configure your plain-mode devices, assuming they were created with the bookworm defaults, you should add cipher=aes-cbc-essiv:sha256,size=256,hash=ripemd160 to /etc/crypttab.
To access such devices with cryptsetup on the command line you can use --cipher aes-cbc-essiv:sha256 --key-size 256 --hash ripemd160. Debian recommends that you configure permanent devices with LUKS, or if you do use plain mode, that you explicitly record all the required encryption settings in /etc/crypttab. The new defaults are cipher=aes-xts-plain64 and hash=sha256.
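As an added example, not from the release notes or from cryptsetup, this script audits an /etc/crypttab for plain-mode entries that omit cipher, size or hash and would therefore silently pick up the new defaults after the upgrade; the function names and the sample crypttab are constructed for illustration.

```shell
#!/bin/sh
# Audit /etc/crypttab for plain-mode dm-crypt entries that rely on
# cryptsetup's defaults for cipher, size and hash, which changed in
# trixie. Added example for these notes, not Debian's own tooling.

# Print the names of the required plain-mode options (cipher, size,
# hash) missing from the comma-separated option list $1, or nothing.
missing_plain_opts() {
    opts=",$1,"
    for key in cipher size hash; do
        case "$opts" in
            *",$key="*) ;;                # option present
            *) printf '%s ' "$key" ;;
        esac
    done
}

# Walk crypttab file $1; return 1 if any plain-mode entry relies on
# defaults, 0 otherwise. LUKS entries carry their own parameters.
audit_crypttab() {
    rc=0
    while read -r name device keyfile options; do
        case "$name" in ''|'#'*) continue ;; esac   # blank or comment
        case ",$options," in
            *,plain,*)
                missing=$(missing_plain_opts "$options")
                if [ -n "$missing" ]; then
                    printf 'WARNING: %s (%s) is plain mode and relies on defaults for: %s\n' \
                        "$name" "$device" "$missing"
                    printf '  if created with the bookworm defaults, add cipher=aes-cbc-essiv:sha256,size=256,hash=ripemd160\n'
                    rc=1
                fi
                ;;
            *,luks,*) ;;
            *)
                # Neither luks nor plain: cryptsetup probes for a LUKS header
                # and otherwise falls back to plain mode, so check by hand.
                printf 'NOTE: %s (%s) has neither luks nor plain; confirm it is LUKS\n' \
                    "$name" "$device"
                ;;
        esac
    done < "$1"
    return $rc
}

# Sample crypttab, constructed for illustration (not a real system's file).
SAMPLE_CRYPTTAB='# <target> <source>   <key file>     <options>
root_crypt /dev/sda2      none           luks,discard
data_crypt /dev/sdb1      /etc/keys/data plain
scratch    /dev/sdc1      /dev/urandom   plain,cipher=aes-xts-plain64,size=256,hash=sha256'

if [ "$#" -gt 0 ]; then
    audit_crypttab "$1"
fi
```

Run it as sh audit-crypttab.sh /etc/crypttab before the upgrade; a non-zero exit means at least one entry needs its settings recorded.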
5.1.12. RabbitMQ no longer supports HA queues
High-availability (HA) queues are no longer supported by rabbitmq-server starting in trixie. To continue with an HA setup, these queues need to be switched to “quorum queues”.
If you have an OpenStack deployment, please switch the queues to quorum before upgrading. Please also note that beginning with OpenStack’s “Caracal” release in trixie, OpenStack supports only quorum queues.
5.1.13. RabbitMQ cannot be directly upgraded from bookworm
There is no direct, easy upgrade path for RabbitMQ from bookworm to trixie. Details about this issue can be found in bug 1100165.
The recommended upgrade path is to completely wipe the rabbitmq database and restart the service (after the trixie upgrade). This may be done by deleting /var/lib/rabbitmq/mnesia and all of its contents.
5.1.14. MariaDB major version upgrades only work reliably after a clean shutdown
MariaDB does not support error recovery across major versions. For example, if a MariaDB 10.11 server experienced an abrupt shutdown due to power loss or a software defect, the database needs to be restarted with the same MariaDB 10.11 binaries so it can do successful error recovery and reconcile the data files and log files to roll forward or revert transactions that got interrupted.
If you attempt to do crash recovery with MariaDB 11.8 using the data directory from a crashed MariaDB 10.11 instance, the newer MariaDB server will refuse to start.
To ensure a MariaDB Server is shut down cleanly before going into major version upgrade, stop the service with
followed by checking server logs for Shutdown complete to confirm that flushing all data and buffers to disk completed successfully.
If it didn’t shut down cleanly, restart it to trigger crash recovery, wait, stop it again and verify that the second stop was clean.
For additional information about how to make backups and other relevant information for system administrators, please see /usr/share/doc/mariadb-server/README.Debian.gz.
5.1.15. /etc/sysctl.conf is no longer honored
In Debian 13, systemd-sysctl no longer reads /etc/sysctl.conf. The package linux-sysctl-defaults ships /usr/lib/sysctl.d/50-default.conf which is intended to replace the former /etc/sysctl.conf. This package is recommended by systemd, and will thus be installed by default on systems where installation of recommended packages has not been turned off.
Check whether linux-sysctl-defaults is installed on your system and whether the contents of /usr/lib/sysctl.d/50-default.conf conform to your expectations. Consider putting local configuration into file snippets named /etc/sysctl.d/*.conf.
5.1.16. Ping no longer runs with elevated privileges
The default version of ping (provided by iputils-ping) is no longer installed with access to the CAP_NET_RAW linux capability, but instead uses ICMP_PROTO datagram sockets for network communication. Access to these sockets is controlled based on the user’s Unix group membership using the net.ipv4.ping_group_range sysctl. In normal installations, the linux-sysctl-defaults package will set this value to a broadly permissive value, allowing unprivileged users to use ping as expected, but some upgrade scenarios may not automatically install this package. See /usr/lib/sysctl.d/50-default.conf and the kernel documentation for more information on the semantics of this variable.
5.1.17. Network interface names may change
Users of systems without easy out-of-band management are advised to proceed with caution, as we’re aware of two circumstances where network interface names assigned by trixie systems may be different from bookworm. This can cause broken network connectivity when rebooting to complete the upgrade.
It is difficult to determine if a given system is affected ahead of time without a detailed technical analysis. Configurations known to be problematic are as follows:
- Systems using the Linux i40e NIC driver, see bug #1107187.
- Systems where firmware exposes the _SUN ACPI table object, which was previously ignored by default in bookworm (systemd.net-naming-scheme v252), but is now used by systemd v257 in trixie. See bug #1092176.
You can use the udevadm test-builtin net_setup_link command to see whether the systemd change alone would yield a different name. This needs to be done just before rebooting to finish the upgrade. For example:
# After apt full-upgrade, but before reboot
$ udevadm test-builtin net_setup_link /sys/class/net/enp1s0 2>/dev/null
ID_NET_DRIVER=igb
ID_NET_LINK_FILE=/usr/lib/systemd/network/99-default.link
ID_NET_NAME=ens1   #< Notice the final ID_NET_NAME name is not "enp1s0"!
Users that need names to stay stable across the upgrade are advised to create systemd.link files to “pin” the current name before the upgrade.
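An added helper, not from the release notes or from systemd, that runs the udevadm check above for every physical interface and can write the pinning systemd.link files; the 10-pin-<name>.link naming, the LINK_DIR variable and the function names are its own choices.

```shell
#!/bin/sh
# Before the trixie upgrade: report physical interfaces whose name udev
# would change, and optionally pin current names to MAC addresses with
# systemd.link files. Added example, not from the release notes or
# systemd; the 10-pin-<name>.link naming and LINK_DIR are its own.

LINK_DIR="${LINK_DIR:-/etc/systemd/network}"

# Contents of a .link file pinning interface name $1 to MAC address $2.
# The file sorts before 99-default.link, so it is applied first.
link_file_contents() {
    printf '[Match]\nMACAddress=%s\n\n[Link]\nName=%s\n' "$2" "$1"
}

# Return 0 when interface $1 with MAC $2 is worth pinning: skip the
# loopback and anything without a real hardware address.
is_pinnable() {
    [ "$1" != lo ] || return 1
    case "$2" in
        ''|00:00:00:00:00:00) return 1 ;;
    esac
    return 0
}

# Name udev's net_setup_link builtin would assign to interface $1
# (the check from the release notes); empty if udevadm is unavailable.
predicted_name() {
    udevadm test-builtin net_setup_link "/sys/class/net/$1" 2>/dev/null \
        | sed -n 's/^ID_NET_NAME=//p'
}

# Print "<current> <predicted>" for every physical interface whose
# name would change; prints nothing when all names are stable.
report_renames() {
    for path in /sys/class/net/*; do
        ifname=$(basename "$path")
        [ -e "$path/device" ] || continue        # virtual interface
        predicted=$(predicted_name "$ifname")
        if [ -n "$predicted" ] && [ "$predicted" != "$ifname" ]; then
            printf '%s %s\n' "$ifname" "$predicted"
        fi
    done
}

# Write one .link file per physical interface; prints each path written.
pin_all_interfaces() {
    for path in /sys/class/net/*; do
        ifname=$(basename "$path")
        [ -e "$path/device" ] || continue
        mac=$(cat "$path/address" 2>/dev/null)
        is_pinnable "$ifname" "$mac" || continue
        target="$LINK_DIR/10-pin-$ifname.link"
        link_file_contents "$ifname" "$mac" > "$target"
        printf '%s\n' "$target"
    done
}

case "${1:-}" in
    --check) report_renames ;;
    --write) pin_all_interfaces ;;
esac
```

Run --write as root before apt full-upgrade, then rebuild the initramfs with update-initramfs -u so the udev copy used in early boot sees the new files, and run --check again just before rebooting to confirm that nothing would be renamed.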
5.1.18. Dovecot configuration changes
The dovecot email server suite in trixie uses a configuration format that is incompatible with previous versions. Details about the configuration changes are available at docs.dovecot.org.
In order to avoid potentially extended downtime, you are strongly encouraged to port your configuration in a staging environment before beginning the upgrade of a production mail system.
Please also note that some features were removed upstream in v2.4. In particular, the replicator is gone. If you depend on that feature, it is advisable not to upgrade to trixie until you have found an alternative.
5.1.19. Significant changes to libvirt packaging
The libvirt-daemon package, which provides an API and toolkit for managing virtualization platforms, has been overhauled in trixie. Each driver and storage backend now comes in a separate binary package, which enables much greater flexibility.
Care is taken during upgrades from bookworm to retain the existing set of components, but in some cases functionality might end up being temporarily lost. We recommend that you carefully review the list of installed binary packages after upgrading to ensure that all the expected ones are present; this is also a great time to consider uninstalling unwanted components.
In addition, some conffiles might end up marked as “obsolete” after the upgrade. The /usr/share/doc/libvirt-common/NEWS.Debian.gz file contains additional information on how to verify whether your system is affected by this issue and how to address it.
5.1.20. Samba: Active Directory Domain Controller packaging changes
The Active Directory Domain Controller (AD-DC) functionality was split out of samba. If you are using this feature, you need to install the samba-ad-dc package.
5.1.21. Samba: VFS modules
The samba-vfs-modules package was reorganized. Most VFS modules are now included in the samba package. However, the modules for ceph and glusterfs have been split off into samba-vfs-ceph and samba-vfs-glusterfs.
5.1.22. OpenLDAP TLS now provided by OpenSSL
The TLS support in the OpenLDAP client libldap2 and server slapd is now provided by OpenSSL instead of GnuTLS. This affects the available configuration options, as well as their behavior.
Details about the changed options can be found in /usr/share/doc/libldap2/NEWS.Debian.gz.
If no TLS CA certificates are specified, the system default trust store will now be loaded automatically. If you do not want the default CAs to be used, you must configure the trusted CAs explicitly.
For more information about LDAP client configuration, see the ldap.conf.5 man page. For the LDAP server (slapd), see /usr/share/doc/slapd/README.Debian.gz and the slapd-config.5 man page.
5.1.23. bacula-director: Database schema update needs large amounts of disk space and time
The Bacula database will undergo a substantial schema change while upgrading to trixie.
Upgrading the database can take many hours or even days, depending on the size of the database and the performance of your database server.
The upgrade temporarily needs around double the currently used disk space on the database server, plus enough space to hold a backup dump of the Bacula database in /var/cache/dbconfig-common/backups.
Running out of disk space during the upgrade might corrupt your database and will prevent your Bacula installation from functioning correctly.
5.1.24. dpkg: warning: unable to delete old directory: …
During the upgrade, dpkg will print warnings like the following, for various packages. This is due to the finalization of the usrmerge project, and the warnings can be safely ignored.
Unpacking firmware-misc-nonfree (20230625-1) over (20230515-3) ...
dpkg: warning: unable to delete old directory '/lib/firmware/wfx': Directory not empty
dpkg: warning: unable to delete old directory '/lib/firmware/ueagle-atm': Directory not empty
5.1.25. Skip-upgrades are not supported
As with any other Debian release, upgrades must be performed from the previous release. Also all point release updates should be installed. See Start from “pure” Debian.
Skipping releases when upgrading is explicitly not supported.
For trixie, the finalization of the usrmerge project requires the upgrade to bookworm be completed before starting the trixie upgrade.
5.1.26. WirePlumber has a new configuration system
WirePlumber has a new configuration system. For the default configuration you don’t have to do anything; for custom setups see /usr/share/doc/wireplumber/NEWS.Debian.gz.
5.1.27. strongSwan migration to a new charon daemon
The strongSwan IKE/IPsec suite is migrating from the legacy charon-daemon (using the ipsec(8) command and configured in /etc/ipsec.conf) to charon-systemd (managed with the swanctl(8) tools and configured in /etc/swanctl/conf.d). The trixie version of the strongswan metapackage will pull in the new dependencies, but existing installations are unaffected as long as charon-daemon is kept installed. Users are advised to migrate their installation to the new configuration following the upstream migration page.
5.1.28. udev properties from sg3-utils missing
Due to bug 1109923 in sg3-utils SCSI devices do not receive all properties in the “udev” database. If your installation relies on properties injected by the sg3-utils-udev package, either migrate away from them or be prepared to debug failures after rebooting into trixie.
5.1.29. Timezones split off into tzdata-legacy package
Timezone names not following the current tzdata naming rule of geographical region (continent or ocean) and city name were split out into the tzdata-legacy package. This includes the US/* timezones. If your installation uses such a timezone, it will be upgraded to use an equivalent timezone. However, SQL databases like PostgreSQL and other services might have copied the name into their configuration or data files. If necessary, you can install the tzdata-legacy package.
See the tzdata-legacy file list for the affected timezones.
5.1.30. Things to do before rebooting
When apt full-upgrade has finished, the “formal” upgrade is complete. For the upgrade to trixie, there are no special actions needed before performing a reboot.