5. Issues to be aware of for trixie
Sometimes, changes introduced in a new release have side-effects we cannot reasonably avoid, or they expose bugs somewhere else. This section documents issues we are aware of. Please also read the errata, the relevant packages' documentation, bug reports, and other information mentioned in Further reading.
5.1. Things to be aware of while upgrading to trixie
This section covers items related to the upgrade from bookworm to trixie.
5.1.1. Reduced support for i386
From trixie, i386 is no longer supported as a regular architecture: there is no official kernel and no Debian installer for i386 systems. Fewer packages are available for i386 because many projects no longer support it. The architecture’s sole remaining purpose is to support running legacy code, for example, by way of multiarch or a chroot on a 64-bit (amd64) system.
The i386 architecture is now only intended to be used on a 64-bit (amd64) CPU. Its instruction set requirements include SSE2 support, so it will not run successfully on most of the 32-bit CPU types that were supported by Debian 12.
Users running i386 systems should not upgrade to trixie. Instead, Debian recommends either reinstalling them as amd64, where possible, or retiring the hardware. Cross-grading without a reinstall is a technically possible, but risky, alternative.
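As an added example (not part of the release notes), a small POSIX shell check that applies the rules above: it takes the dpkg architecture and a cpuinfo file and reports whether an i386 installation is the supported case (i386 userland on a 64-bit CPU, where a reinstall as amd64 or a cross-grade is the way forward) or a genuinely 32-bit CPU that trixie will not run on. The cpuinfo excerpts in the demo are constructed, and the verdict strings and helper names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Debian release notes.
# Classify an i386 installation per the trixie rules: i386 is only meant to
# run on a 64-bit (amd64) CPU, and the new i386 baseline requires SSE2.

# cpu_flags CPUINFO: print the "flags" field of the first CPU listed.
cpu_flags() {
    awk -F': ' '/^flags/ { print $2; exit }' "$1"
}

# cpu_has_flag CPUINFO FLAG: succeed if FLAG is present.
cpu_has_flag() {
    for f in $(cpu_flags "$1"); do
        [ "$f" = "$2" ] && return 0
    done
    return 1
}

# i386_verdict ARCH CPUINFO: ARCH is the output of `dpkg --print-architecture`.
# Verdict strings are this example's own:
#   not-i386            nothing to do
#   reinstall-as-amd64  i386 userland on a 64-bit CPU ("lm" = long mode flag):
#                       reinstall as amd64, or cross-grade at your own risk
#   retire-hardware     32-bit-only CPU; trixie's i386 is not meant to run here
i386_verdict() {
    [ "$1" = i386 ] || { echo not-i386; return 0; }
    if cpu_has_flag "$2" lm; then
        echo reinstall-as-amd64
    elif cpu_has_flag "$2" sse2; then
        echo "retire-hardware 32-bit-cpu-with-sse2"
    else
        echo "retire-hardware no-sse2"
    fi
}

# Demo on constructed /proc/cpuinfo excerpts. On a real host run:
#   i386_verdict "$(dpkg --print-architecture)" /proc/cpuinfo
demo() {
    f=$(mktemp)
    printf 'processor\t: 0\nflags\t\t: fpu vme sse sse2 lm\n' > "$f"
    echo "64-bit CPU, i386 userland:  $(i386_verdict i386 "$f")"
    echo "64-bit CPU, amd64 userland: $(i386_verdict amd64 "$f")"
    printf 'processor\t: 0\nflags\t\t: fpu vme sse\n' > "$f"
    echo "32-bit CPU without SSE2, i386 userland: $(i386_verdict i386 "$f")"
    rm -f "$f"
}
demo
```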
5.1.2. 64-bit little-endian MIPS (mips64el) removed
From trixie, mips64el is no longer supported by Debian.
5.1.3. The temporary-files directory /tmp is now stored in a tmpfs
From trixie, the default is for the /tmp/ directory to be stored in memory using a tmpfs(5) filesystem. This should make applications using temporary files faster, but if you put large files there, you may run out of memory.
For systems upgraded from bookworm, the new behavior only starts after a reboot. Files left in /tmp will be hidden after the new tmpfs is mounted, which will lead to warnings in the system journal or syslog. Such files can be accessed using a bind-mount (see mount(1)): running mount --bind / /mnt will make the underlying directory accessible at /mnt/tmp (run umount /mnt once you have cleaned up the old files).
The default is to allocate up to 50% of memory to /tmp (this is a maximum: memory is only used when files are actually created in /tmp). You can change the size by running systemctl edit tmp.mount as root and setting, for example:
[Mount]
Options=mode=1777,nosuid,nodev,size=2G
(see systemd.mount(5)).
You can return to /tmp being a regular directory by running systemctl mask tmp.mount as root and rebooting.
The new filesystem defaults can also be overridden in /etc/fstab, so systems that already define a separate /tmp partition will be unaffected.
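The checks an administrator would run before that first reboot, as an added example that is not part of the release notes: whether /etc/fstab already mounts /tmp (in which case tmp.mount's defaults do not apply), what ceiling the 50% default works out to, how many entries a fresh tmpfs would hide, and the drop-in that `systemctl edit tmp.mount` would store. Paths are passed as arguments so the demo runs on constructed fstab and meminfo files; on a real host pass /etc/fstab, /proc/meminfo and /tmp. Helper names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Debian release notes.
# Pre-reboot checks for the tmpfs-backed /tmp. File paths are arguments so
# the checks run on the constructed input below; on a real host pass
# /etc/fstab, /proc/meminfo and /tmp.

# fstab_defines_tmp FSTAB: succeed if a non-comment entry mounts /tmp;
# such systems keep their own /tmp and tmp.mount's defaults do not apply.
fstab_defines_tmp() {
    awk '$1 !~ /^#/ && $2 == "/tmp" { found = 1 } END { exit found ? 0 : 1 }' "$1"
}

# tmpfs_default_limit_kib MEMINFO: the ceiling tmp.mount gets by default,
# 50% of MemTotal; memory is only consumed as files are actually written.
tmpfs_default_limit_kib() {
    awk '/^MemTotal:/ { printf "%d\n", $2 / 2; exit }' "$1"
}

# leftover_tmp_entries DIR: count entries a fresh tmpfs mounted on DIR would
# hide (they stay on disk, reachable through a bind mount of /).
leftover_tmp_entries() {
    find "$1" -mindepth 1 -maxdepth 1 | wc -l | tr -d ' '
}

# tmp_mount_dropin SIZE: the override `systemctl edit tmp.mount` would store,
# keeping the stock mode/nosuid/nodev options and pinning an explicit size.
tmp_mount_dropin() {
    printf '[Mount]\nOptions=mode=1777,nosuid,nodev,size=%s\n' "$1"
}

demo() {
    d=$(mktemp -d)
    # Constructed inputs standing in for /proc/meminfo, /etc/fstab and /tmp.
    printf 'MemTotal:        8000000 kB\nMemFree:         1000000 kB\n' > "$d/meminfo"
    printf '# constructed fstab\nUUID=0000-1111 / ext4 errors=remount-ro 0 1\n' > "$d/fstab"
    mkdir "$d/tmp"; : > "$d/tmp/left-behind.sock"

    if fstab_defines_tmp "$d/fstab"; then
        echo "fstab already mounts /tmp: tmp.mount defaults do not apply"
    else
        echo "no /tmp in fstab: tmp.mount will be used after reboot"
        echo "default ceiling: $(tmpfs_default_limit_kib "$d/meminfo") KiB (50% of MemTotal)"
        echo "entries the new tmpfs would hide: $(leftover_tmp_entries "$d/tmp")"
        echo "override with 'systemctl edit tmp.mount' containing:"
        tmp_mount_dropin 2G
    fi
    rm -rf "$d"
}
demo
```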
5.1.4. openssh-server no longer reads ~/.pam_environment
The Secure Shell (SSH) daemon provided in the openssh-server package, which allows logins from remote systems, no longer reads the user's ~/.pam_environment file by default; this feature has a history of security problems and has been deprecated in current versions of the Pluggable Authentication Modules (PAM) library. If you used this feature, you should switch from setting variables in ~/.pam_environment to setting them in your shell initialization files (e.g. ~/.bash_profile or ~/.bashrc) or some other similar mechanism instead.
Existing SSH connections will not be affected, but new connections may behave differently after the upgrade. If you are upgrading remotely, it is normally a good idea to ensure that you have some other way to log into the system before starting the upgrade; see Prepare for recovery.
5.1.5. OpenSSH no longer supports DSA keys
Digital Signature Algorithm (DSA) keys, as specified in the Secure Shell (SSH) protocol, are inherently weak: they are limited to 160-bit private keys and the SHA-1 digest. The SSH implementation provided by the openssh-client and openssh-server packages has disabled support for DSA keys by default since OpenSSH 7.0p1 in 2015, released with Debian 9 ("stretch"), although it could still be enabled using the HostKeyAlgorithms and PubkeyAcceptedAlgorithms configuration options for host and user keys respectively.
The only remaining uses of DSA at this point should be connecting to some very old devices. For all other purposes, the other key types supported by OpenSSH (RSA, ECDSA, and Ed25519) are superior.
As of OpenSSH 9.8p1 in trixie, DSA keys are no longer supported even with the above configuration options. If you have a device that you can only connect to using DSA, then you can use the ssh1 command provided by the openssh-client-ssh1 package to do so.
In the unlikely event that you are still using DSA keys to connect to a Debian server (if you are unsure, you can check by adding the -v option to the ssh command line you use to connect to that server and looking for the "Server accepts key:" line), then you must generate replacement keys before upgrading. For example, to generate a new Ed25519 key and enable logins to a server using it, run this on the client, replacing username@server with the appropriate user and host names:
$ ssh-keygen -t ed25519
$ ssh-copy-id username@server
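An added example (not from the release notes) that automates the check described above and extends it to the server side: it lists authorized_keys entries of type ssh-dss (which will lock those clients out), finds DSA identity files in a key directory, and parses the "Server accepts key:" line from `ssh -v` output. All key material and log lines in the demo are constructed; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Debian release notes.
# Find the DSA material that OpenSSH 9.8p1 in trixie will refuse: DSA entries
# in authorized_keys, DSA identity files, and logins that `ssh -v` shows were
# accepted with a DSA key. Sample key material below is constructed.

# dsa_authorized_keys FILE: print authorized_keys entries of type ssh-dss.
# The type may be preceded by options (from=, command=, ...), hence the scan.
dsa_authorized_keys() {
    awk 'NF > 0 && $1 !~ /^#/ {
            for (i = 1; i <= NF; i++)
                if ($i == "ssh-dss") { print; break }
         }' "$1"
}

# dsa_key_files DIR: print private key paths under DIR whose .pub is DSA.
dsa_key_files() {
    for pub in "$1"/*.pub; do
        [ -f "$pub" ] || continue
        if awk '$1 == "ssh-dss" { found = 1 } END { exit found ? 0 : 1 }' "$pub"; then
            printf '%s\n' "${pub%.pub}"
        fi
    done
}

# server_accepted_dsa LOG: given the debug output of `ssh -v user@host`,
# succeed if the "Server accepts key:" line names a DSA key, i.e. that
# login breaks as soon as either side runs trixie's OpenSSH.
server_accepted_dsa() {
    grep 'Server accepts key:' "$1" | grep -q ' DSA '
}

# Demo on constructed files. On a real host, for example:
#   dsa_authorized_keys ~/.ssh/authorized_keys; dsa_key_files ~/.ssh
#   ssh -v username@server exit 2>&1 | tee ~/ssh.log; server_accepted_dsa ~/ssh.log
demo() {
    d=$(mktemp -d)
    mkdir "$d/ssh"
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA...constructed deploy\n' > "$d/ssh/authorized_keys"
    printf 'from="10.0.0.5" ssh-dss AAAAB3NzaC1kc3MAAACB...constructed legacy-box\n' >> "$d/ssh/authorized_keys"
    printf 'ssh-dss AAAAB3NzaC1kc3MAAACB...constructed me@old\n' > "$d/ssh/id_dsa.pub"
    printf 'debug1: Server accepts key: %s/ssh/id_dsa DSA SHA256:constructed explicit\n' "$d" > "$d/ssh.log"

    echo "authorized_keys entries that will be locked out:"; dsa_authorized_keys "$d/ssh/authorized_keys"
    echo "DSA identities to replace:"; dsa_key_files "$d/ssh"
    if server_accepted_dsa "$d/ssh.log"; then
        echo "this login relies on DSA; generate a replacement before upgrading:"
        echo "  ssh-keygen -t ed25519 && ssh-copy-id username@server"
    fi
    rm -rf "$d"
}
demo
```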
5.1.6. The last, lastb and lastlog commands have been replaced
The util-linux package no longer provides the last or lastb commands, and the login package no longer provides lastlog.
These commands provided information about previous login attempts using /var/log/wtmp, /var/log/btmp, /var/run/utmp and /var/log/lastlog, but these files will not be usable after 2038 because they do not allocate enough space to store the login time (the Year 2038 Problem), and the upstream developers do not want to change the file formats. Most users will not need to replace these commands with anything, but the util-linux package provides a lslogins command which can tell you when accounts were last used.
There are two direct replacements available: last can be replaced by wtmpdb from the wtmpdb package (the libpam-wtmpdb package also needs to be installed) and lastlog can be replaced by lastlog2 from the lastlog2 package (libpam-lastlog2 also needs to be installed). If you want to use these, you will need to install the new packages after the upgrade; see the util-linux NEWS.Debian for further information. The command lslogins --failed provides similar information to lastb.
If you do not install wtmpdb then we recommend you remove old log files /var/log/wtmp*. If you do install wtmpdb it will upgrade /var/log/wtmp and you can read older wtmp files with wtmpdb import -f <dest>. There is no tool to read /var/log/lastlog* or /var/log/btmp* files: they can be deleted after the upgrade.
5.1.7. Encrypted filesystems need systemd-cryptsetup package
Support for automatically discovering and mounting encrypted filesystems has been moved into the new systemd-cryptsetup package. This new package is recommended by systemd so should be installed automatically on upgrades.
Please make sure the systemd-cryptsetup package is installed before rebooting, if you use encrypted filesystems.
5.1.8. Default encryption settings for plain-mode dm-crypt devices changed
The default settings for dm-crypt devices created using plain-mode encryption (see crypttab(5)) have changed to improve security. This will cause problems if you did not record the settings used in /etc/crypttab. The recommended way to configure plain-mode devices is to record the options cipher, size, and hash in /etc/crypttab; otherwise cryptsetup will use default values, and the defaults for cipher and hash algorithm have changed in trixie, which will cause such devices to appear as random data until they are properly configured.
This does not apply to LUKS devices because LUKS records the settings in the device itself.
To properly configure your plain-mode devices, assuming they were created with the bookworm defaults, you should add cipher=aes-cbc-essiv:sha256,size=256,hash=ripemd160 to /etc/crypttab.
To access such devices with cryptsetup on the command line you can use --cipher aes-cbc-essiv:sha256 --key-size 256 --hash ripemd160.
Debian recommends that you configure permanent devices with LUKS, or if you do use plain mode, that you explicitly record all the required encryption settings in /etc/crypttab. The new defaults are cipher=aes-xts-plain64 and hash=sha256.
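As an added example (not part of the release notes), an audit of /etc/crypttab for exactly this problem: it reports plain-mode entries that omit cipher=, size= or hash=, rewrites them with the bookworm defaults pinned (only the missing options are added, so entries that already record their settings are left alone), and prints the matching one-off cryptsetup command line. Entries with neither the `plain` nor the `luks` option are not classified; confirm those with `cryptsetup isLuks <device>` first. The crypttab content in the demo is constructed; awk rewrites touched lines with single spaces between fields.

```shell
#!/bin/sh
# Added example, not part of the Debian release notes.
# Audit /etc/crypttab for plain-mode entries that rely on cryptsetup's
# defaults (which trixie changed) and pin the bookworm values on them.
# The crypttab content in the demo is constructed.

# Bookworm's plain-mode defaults, as given in the release notes.
BOOKWORM_CIPHER=aes-cbc-essiv:sha256
BOOKWORM_SIZE=256
BOOKWORM_HASH=ripemd160

# plain_entries_missing_opts CRYPTTAB: print "<name> <missing option...>" for
# each entry carrying the `plain` option that omits cipher=, size= or hash=.
plain_entries_missing_opts() {
    awk '
        NF < 4 || $1 ~ /^#/ { next }
        $4 ~ /(^|,)plain(,|$)/ {
            missing = ""
            if ($4 !~ /(^|,)cipher=/) missing = missing " cipher"
            if ($4 !~ /(^|,)size=/)   missing = missing " size"
            if ($4 !~ /(^|,)hash=/)   missing = missing " hash"
            if (missing != "") print $1 missing
        }' "$1"
}

# pin_bookworm_defaults CRYPTTAB: print the file with each missing option
# appended to incomplete plain-mode entries. Assumes those devices were
# created with the bookworm defaults; complete entries are left untouched.
pin_bookworm_defaults() {
    awk -v c="$BOOKWORM_CIPHER" -v s="$BOOKWORM_SIZE" -v h="$BOOKWORM_HASH" '
        NF >= 4 && $1 !~ /^#/ && $4 ~ /(^|,)plain(,|$)/ {
            if ($4 !~ /(^|,)cipher=/) $4 = $4 ",cipher=" c
            if ($4 !~ /(^|,)size=/)   $4 = $4 ",size=" s
            if ($4 !~ /(^|,)hash=/)   $4 = $4 ",hash=" h
        }
        { print }' "$1"
}

# manual_open_cmd NAME DEVICE: the equivalent one-off command line.
manual_open_cmd() {
    printf 'cryptsetup open --type plain --cipher %s --key-size %s --hash %s %s %s\n' \
        "$BOOKWORM_CIPHER" "$BOOKWORM_SIZE" "$BOOKWORM_HASH" "$2" "$1"
}

demo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed crypttab: <target> <source> <key file> <options>
cryptroot UUID=11111111-2222-3333-4444-555555555555 none luks,discard
data /dev/sdb1 none plain
archive /dev/sdc1 none plain,cipher=aes-xts-plain64,size=512,hash=sha256
EOF
    echo "entries relying on the old defaults:"; plain_entries_missing_opts "$f"
    echo "pinned crypttab:"; pin_bookworm_defaults "$f"
    echo "manual access:"; manual_open_cmd data /dev/sdb1
    rm -f "$f"
}
demo
```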
5.1.9. RabbitMQ no longer supports HA queues
High-availability (HA) queues are no longer supported by rabbitmq-server starting in trixie. To continue with an HA setup, these queues need to be switched to “quorum queues”.
If you have an OpenStack deployment, please switch the queues to quorum before upgrading. Please also note that beginning with OpenStack’s “Caracal” release in trixie, OpenStack supports only quorum queues.
5.1.10. RabbitMQ cannot be directly upgraded from bookworm
There is no direct, easy upgrade path for RabbitMQ from bookworm to trixie. Details about this issue can be found in bug 1100165.
The recommended upgrade path is to completely wipe the rabbitmq database and
restart the service (after the trixie upgrade). This may be done by deleting
/var/lib/rabbitmq/mnesia
and all of its contents.
5.1.11. MariaDB major version upgrades only work reliably after a clean shutdown
MariaDB does not support error recovery across major versions. For example if a MariaDB 10.11 server experienced an abrupt shutdown due to power loss or software defect, the database needs to be restarted with the same MariaDB 10.11 binaries so it can do successful error recovery and reconcile the data files and log files to roll-forward or revert transactions that got interrupted.
If you attempt to do crash recovery with MariaDB 11.8 using the data directory from a crashed MariaDB 10.11 instance, the newer MariaDB server will refuse to start.
To ensure a MariaDB Server is shut down cleanly before going into a major version upgrade, stop the service with
# service mariadb stop
followed by checking the server logs for Shutdown complete to confirm that flushing all data and buffers to disk completed successfully.
If it didn’t shut down cleanly, restart it to trigger crash recovery, wait, stop again and verify that second stop was clean.
For additional information about how to make backups and other relevant information for system administrators, please see /usr/share/doc/mariadb-server/README.Debian.gz.
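The stop-check-restart procedure above, as an added example that is not part of the release notes: the check looks at the last lifecycle event recorded in the error log rather than merely grepping for "Shutdown complete" anywhere, so a crash or restart after an earlier clean stop is not mistaken for a clean state. The log lines in the demo are constructed in the shape of MariaDB's error log; which file holds the log is an assumption (on Debian it goes to the journal unless log_error is configured, so `journalctl -u mariadb --no-pager > /root/mariadb.log` produces a file to check). Only `stop_and_verify` touches the service.

```shell
#!/bin/sh
# Added example, not part of the Debian release notes.
# Confirm from the error log that MariaDB's last recorded event was a clean
# "Shutdown complete" before a major-version upgrade. Demo log lines are
# constructed in the shape of MariaDB's error log.

# last_lifecycle_event LOG: print the most recent of start / recovery / shutdown.
last_lifecycle_event() {
    awk '
        /Starting MariaDB .* as process|starting as process/ { last = "start" }
        /InnoDB: Starting crash recovery/                     { last = "recovery" }
        /Shutdown complete/                                   { last = "shutdown" }
        END { print last }' "$1"
}

# shutdown_was_clean LOG: succeed only if nothing was started (or recovered)
# after the last "Shutdown complete", so the data files are consistent.
shutdown_was_clean() {
    [ "$(last_lifecycle_event "$1")" = shutdown ]
}

# stop_and_verify LOG: the procedure from the text. On an unclean stop the
# server is started again so crash recovery runs on the *current* binaries
# (a newer major version refuses to do it), then stopped and re-checked.
# Needs a real host; the check functions above do not.
stop_and_verify() {
    service mariadb stop
    if ! shutdown_was_clean "$1"; then
        echo "unclean shutdown: restarting so crash recovery runs on the current version"
        service mariadb start   # returns once the unit reports ready, i.e. after recovery
        service mariadb stop
        shutdown_was_clean "$1" || { echo "still unclean; do not upgrade"; return 1; }
    fi
    echo "clean shutdown confirmed; safe to start the major-version upgrade"
}

demo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
2025-06-01 10:00:00 0 [Note] Starting MariaDB 10.11.11-MariaDB-0+deb12u1 source revision 0000000 as process 1234
2025-06-01 10:00:01 0 [Note] InnoDB: Starting crash recovery from checkpoint LSN=12345
2025-06-01 10:00:05 0 [Note] /usr/sbin/mariadbd: ready for connections.
2025-06-01 11:00:00 0 [Note] /usr/sbin/mariadbd: Shutdown complete
EOF
    shutdown_was_clean "$f" && echo "constructed log: clean shutdown, safe to upgrade"
    printf '2025-06-01 12:00:00 0 [Note] Starting MariaDB 10.11.11-MariaDB-0+deb12u1 source revision 0000000 as process 2345\n' >> "$f"
    shutdown_was_clean "$f" || echo "constructed log: server started again; not safe to upgrade"
    rm -f "$f"
}
demo
```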
5.1.12. Ping no longer runs with elevated privileges
The default version of ping (provided by iputils-ping) is no longer installed with access to the CAP_NET_RAW Linux capability, but instead uses ICMP_PROTO datagram sockets for network communication. Access to these sockets is controlled based on the user's Unix group membership using the net.ipv4.ping_group_range sysctl. In normal installations, the linux-sysctl-defaults package will set this value to a broadly permissive value, allowing unprivileged users to use ping as expected, but some upgrade scenarios may not automatically install this package. See /usr/lib/sysctl.d/50-default.conf and the kernel documentation for more information on the semantics of this variable.
5.1.13. Dovecot configuration changes
The dovecot email server suite in trixie uses a configuration format that is incompatible with previous versions. Details about the configuration changes are available at docs.dovecot.org.
In order to avoid potentially extended downtime, you are strongly encouraged to port your configuration in a staging environment before beginning the upgrade of a production mail system.
Please also note that some features were removed upstream in v2.4. In particular, the replicator is gone. If you depend on that feature, it is advisable not to upgrade to trixie until you have found an alternative.
5.1.14. Significant changes to libvirt packaging
The libvirt-daemon package, which provides an API and toolkit for managing virtualization platforms, has been overhauled in trixie. Each driver and storage backend now comes in a separate binary package, which enables much greater flexibility.
Care is taken during upgrades from bookworm to retain the existing set of components, but in some cases functionality might end up being temporarily lost. We recommend that you carefully review the list of installed binary packages after upgrading to ensure that all the expected ones are present; this is also a great time to consider uninstalling unwanted components.
In addition, some conffiles might end up marked as "obsolete" after the upgrade. The /usr/share/doc/libvirt-common/NEWS.Debian.gz file contains additional information on how to verify whether your system is affected by this issue and how to address it.
5.1.15. Samba: Active Directory Domain Controller packaging changes
The Active Directory Domain Controller (AD-DC) functionality was split out of samba. If you are using this feature, you need to install the samba-ad-dc package.
5.1.16. Samba: VFS modules
The samba-vfs-modules package was reorganized. Most VFS modules are now included in the samba package. However the modules for ceph and glusterfs have been split off into samba-vfs-ceph and samba-vfs-glusterfs.
5.1.17. OpenLDAP TLS now provided by OpenSSL
The TLS support in the OpenLDAP client libldap2 and server slapd is now provided by OpenSSL instead of GnuTLS. This affects the available configuration options, as well as the behavior of them.
Details about the changed options can be found in /usr/share/doc/libldap2/NEWS.Debian.gz
.
If no TLS CA certificates are specified, the system default trust store will now be loaded automatically. If you do not want the default CAs to be used, you must configure the trusted CAs explicitly.
For more information about LDAP client configuration, see the ldap.conf(5) man page. For the LDAP server (slapd), see /usr/share/doc/slapd/README.Debian.gz and the slapd-config(5) man page.
5.1.18. bacula-director: Database schema update needs large amounts of disk space and time
The Bacula database will undergo a substantial schema change while upgrading to trixie.
Upgrading the database can take many hours or even days, depending on the size of the database and the performance of your database server.
The upgrade temporarily needs around double the currently used disk space on the database server, plus enough space to hold a backup dump of the Bacula database in /var/cache/dbconfig-common/backups.
Running out of disk space during the upgrade might corrupt your database and will prevent your Bacula installation from functioning correctly.
5.1.19. dpkg: warning: unable to delete old directory: …
During the upgrade, dpkg will print warnings like the following, for various packages. This is due to the finalization of the usrmerge project, and the warnings can be safely ignored.
Unpacking firmware-misc-nonfree (20230625-1) over (20230515-3) ...
dpkg: warning: unable to delete old directory '/lib/firmware/wfx': Directory not empty
dpkg: warning: unable to delete old directory '/lib/firmware/ueagle-atm': Directory not empty
5.1.20. Skip-upgrades are not supported
As with any other Debian release, upgrades must be performed from the previous release. Also all point release updates should be installed. See Start from “pure” Debian.
Skipping releases when upgrading is explicitly not supported.
For trixie, the finalization of the usrmerge project requires the upgrade to bookworm be completed before starting the trixie upgrade.
5.1.21. WirePlumber has a new configuration system
WirePlumber has a new configuration system. For the default configuration you don't have to do anything; for custom setups see /usr/share/doc/wireplumber/NEWS.Debian.gz.
5.1.22. strongSwan migration to a new charon daemon
The strongSwan IKE/IPsec suite is migrating from the legacy charon-daemon (using the ipsec(8) command and configured in /etc/ipsec.conf) to charon-systemd (managed with the swanctl(8) tools and configured in /etc/swanctl/conf.d).
The trixie version of the strongswan metapackage will pull in the new dependencies, but existing installations are unaffected as long as charon-daemon is kept installed. Users are advised to migrate their installation to the new configuration following the upstream migration page.
5.1.23. Things to do before rebooting
When apt full-upgrade finishes, the "formal" upgrade is complete. For the upgrade to trixie, there are no special actions that need to be taken before rebooting.
5.2. Items not limited to the upgrade process
5.2.1. The directories /tmp and /var/tmp are now regularly cleaned
On new installations, systemd-tmpfiles will now regularly delete old files in /tmp and /var/tmp while the system is running. This change makes Debian consistent with other distributions. Because there is a small risk of data loss, it has been made "opt-in": the upgrade to trixie will create a file /etc/tmpfiles.d/tmp.conf which reinstates the old behavior. This file can be deleted to adopt the new default, or edited to define custom rules. The rest of this section explains the new default and how to customize it.
The new default behavior is for files in /tmp to be automatically deleted after 10 days from the time they were last used (as well as after a reboot). Files in /var/tmp are deleted after 30 days (but not deleted after a reboot).
Before adopting the new default, you should either adapt any local programs that store data in /tmp or /var/tmp for long periods to use alternative locations, such as ~/tmp/, or tell systemd-tmpfiles to exempt the data file from deletion by creating a file local-tmp-files.conf in /etc/tmpfiles.d containing lines such as:
x /var/tmp/my-precious-file.pdf
x /tmp/foo
Please see systemd-tmpfiles(8) and tmpfiles.d(5) for more information.
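An added example (not part of the release notes) that models the policy just described and produces the exemption drop-in: `would_be_cleaned` encodes the 10-day rule for /tmp and the 30-day rule for /var/tmp, and `exemption_conf` emits the `x` lines while refusing paths outside those two trees, where such a line would accomplish nothing. Ages are passed in as numbers so the policy can be exercised without aging real files; the demo writes the drop-in to a scratch directory instead of /etc/tmpfiles.d.

```shell
#!/bin/sh
# Added example, not part of the Debian release notes.
# Model the trixie tmpfiles cleaning policy and generate the exemption
# drop-in. Ages are supplied as numbers so the policy can be exercised
# without waiting for real files to age.

# would_be_cleaned PATH AGE_DAYS: succeed if the new default removes PATH:
# /tmp after 10 days unused (and at every reboot, now that /tmp is a tmpfs),
# /var/tmp after 30 days; nothing elsewhere is touched by these rules.
would_be_cleaned() {
    case $1 in
        /var/tmp/*) [ "$2" -ge 30 ] ;;
        /tmp/*)     [ "$2" -ge 10 ] ;;
        *)          return 1 ;;
    esac
}

# exemption_conf PATH...: print tmpfiles.d "x" lines that exclude each PATH
# (and, for a directory, its contents) from cleaning; refuses anything
# outside /tmp and /var/tmp, where an "x" line would be meaningless.
exemption_conf() {
    for p in "$@"; do
        case $p in
            /tmp/*|/var/tmp/*) printf 'x %s\n' "$p" ;;
            *) echo "refusing $p: not under /tmp or /var/tmp" >&2; return 1 ;;
        esac
    done
}

# install_exemptions CONFDIR PATH...: write CONFDIR/local-tmp-files.conf.
# CONFDIR is /etc/tmpfiles.d on a real host; the demo uses a scratch dir.
install_exemptions() {
    dir=$1; shift
    exemption_conf "$@" > "$dir/local-tmp-files.conf"
}

demo() {
    # Constructed (path, age in days) pairs.
    for entry in "/tmp/build-cache 12" "/tmp/build-cache 3" \
                 "/var/tmp/report.pdf 31" "/home/me/tmp/x 400"; do
        set -- $entry
        if would_be_cleaned "$1" "$2"; then
            echo "$1 ($2 days unused): would be deleted"
        else
            echo "$1 ($2 days unused): kept"
        fi
    done
    d=$(mktemp -d)
    install_exemptions "$d" /var/tmp/report.pdf /tmp/build-cache
    echo "generated $d/local-tmp-files.conf:"; cat "$d/local-tmp-files.conf"
    rm -rf "$d"
}
demo
```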
5.2.2. systemd message: System is tainted: unmerged-bin
systemd upstream, since version 256, considers systems having separate /usr/bin and /usr/sbin directories noteworthy. At startup systemd emits a message to record this fact: System is tainted: unmerged-bin.
It is recommended to ignore this message. Merging these directories manually is unsupported and will break future upgrades. Further details can be found in bug #1085370.
5.2.3. Limitations in security support
There are some packages for which Debian cannot promise to provide minimal backports for security issues. These are covered in the following subsections.
Note
The debian-security-support package helps to track the security support status of installed packages.
5.2.3.1. Security status of web browsers and their rendering engines
Debian 13 includes several browser engines which are affected by a steady stream of security vulnerabilities. The high rate of vulnerabilities and partial lack of upstream support in the form of long term branches make it very difficult to support these browsers and engines with backported security fixes. Additionally, library interdependencies make it extremely difficult to update to newer upstream releases. Applications using the webkit2gtk source package (e.g. epiphany) are covered by security support, but applications using qtwebkit (source package qtwebkit-opensource-src) are not.
For general-purpose web browsers we recommend Firefox or Chromium. They will be kept up to date in stable by rebuilding the current ESR releases. The same applies to Thunderbird.
Once a release becomes oldstable, officially supported browsers may not receive updates for the standard period of coverage. For example, Chromium will only receive 6 months of security support in oldstable rather than the usual 12 months.
5.2.3.2. Go- and Rust-based packages
The Debian infrastructure currently has problems with rebuilding packages of types that systematically use static linking. With the growth of the Go and Rust ecosystems, these packages will be covered by limited security support until the infrastructure is improved to deal with them maintainably.
In most cases, if updates are warranted for Go or Rust development libraries, they can only be released via regular point releases.
5.2.4. Problems with VMs on 64-bit little-endian PowerPC (ppc64el)
Currently QEMU always tries to configure PowerPC virtual machines to support 64 kiB memory pages. This does not work for KVM-accelerated virtual machines when using the default kernel package.
If the guest OS can use a page size of 4 kiB, you should set the machine property cap-hpt-max-page-size=4096. For example:
$ kvm -machine pseries,cap-hpt-max-page-size=4096 -m 4G -hda guest.img
If the guest OS requires a page size of 64 kiB, you should install the linux-image-powerpc64le-64k package; see 64-bit little-endian PowerPC (ppc64el) page size.
5.3. Obsolescence and deprecation
5.3.1. Noteworthy obsolete packages
The following is a list of known and noteworthy obsolete packages (see Obsolete packages for a description).
The list of obsolete packages includes:
The libnss-gw-name package has been removed from trixie. The upstream developer suggests using libnss-myhostname instead.
The pcregrep package has been removed from trixie. It can be replaced with grep -P (--perl-regexp) or pcre2grep (from pcre2-utils).
The request-tracker4 package has been removed from trixie. Its replacement is request-tracker5, which includes instructions on how to migrate your data: you can keep the now obsolete request-tracker4 package from bookworm installed while migrating.
The git-daemon-run and git-daemon-sysvinit packages have been removed from trixie due to security reasons.
The nvidia-graphics-drivers-tesla-470 packages are no longer supported upstream and have been removed from trixie.
The deborphan package has been removed from trixie. To remove unnecessary packages, apt autoremove should be used, after apt-mark minimize-manual. debfoster can also be a useful tool.
5.3.2. Deprecated components for trixie
With the next release of Debian 14 (codenamed forky) some features will be deprecated. Users will need to migrate to other alternatives to prevent trouble when updating to Debian 14.
This includes the following features:
The sudo-ldap package will be removed in forky. The Debian sudo team has decided to discontinue it due to maintenance difficulties and limited use. New and existing systems should use libsss-sudo instead.
Upgrading Debian trixie to forky without completing this migration may result in the loss of intended privilege escalation.
For further details, please refer to bug 1033728 and to the NEWS file in the sudo package.
The sudo_logsrvd feature, used for sudo input/output logging, may be removed in Debian forky unless a maintainer steps forward. This component is of limited use within the Debian context, and maintaining it adds unnecessary complexity to the basic sudo package.
For ongoing discussions, see bug 1101451 and the NEWS file in the sudo package.
The libnss-docker package is no longer developed upstream and requires version 1.21 of the Docker API. That deprecated API version is still supported by Docker Engine v26 (shipped by Debian trixie) but will be removed in Docker Engine v27+ (shipped by Debian forky). Unless upstream development resumes, the package will be removed in Debian forky.
The openssh-client and openssh-server packages currently support GSS-API authentication and key exchange, which is usually used to authenticate to Kerberos services. This has caused some problems, especially on the server side where it adds new pre-authentication attack surface, and Debian’s main OpenSSH packages will therefore stop supporting it starting with forky.
If you are using GSS-API authentication or key exchange (look for options starting with GSSAPI in your OpenSSH configuration files) then you should install the openssh-client-gssapi (on clients) or openssh-server-gssapi (on servers) package now. On trixie, these are empty packages depending on openssh-client and openssh-server respectively; on forky, they will be built separately.
sbuild-debian-developer-setup has been deprecated in favor of sbuild+unshare
sbuild, the tool to build Debian packages in a minimal environment, has had a major upgrade and should work out of the box now. As a result the package sbuild-debian-developer-setup is no longer needed and has been deprecated. You can try the new version with:
$ sbuild --chroot-mode=unshare --dist=unstable hello
The fcitx packages have been deprecated in favor of fcitx5
The fcitx input method framework, also known as fcitx4 or fcitx 4.x, is no longer maintained upstream. As a result, all related input method packages are now deprecated. The package fcitx and packages with names beginning with fcitx- will be removed in Debian forky.
Existing fcitx users are encouraged to switch to fcitx5 following the fcitx upstream migration guide and Debian Wiki page.
The lxd virtual machine management package is no longer being updated and users should move to incus.
After Canonical Ltd changed the license used by LXD and introduced a new copyright assignment requirement, the Incus project was started as a community-maintained fork (see bug 1058592). Debian recommends that you switch from LXD to Incus. The incus-extra package includes tools to migrate containers and virtual machines from LXD.
The isc-dhcp suite is deprecated upstream.
If you are using NetworkManager or systemd-networkd, you can safely remove the isc-dhcp-client package as they both ship their own implementation. If you are using the ifupdown package, dhcpcd-base provides a replacement. The ISC recommends the Kea package as a replacement for DHCP servers.
5.4. Known severe bugs
Although Debian releases when it’s ready, that unfortunately doesn’t mean there are no known bugs. As part of the release process all the bugs of severity serious or higher are actively tracked by the Release Team, so an overview of those bugs that were tagged to be ignored in the last part of releasing trixie can be found in the Debian Bug Tracking System. The following bugs were affecting trixie at the time of the release and worth mentioning in this document:
Bug number | Package (source or binary) | Description
---|---|---
 | akonadi-backend-mysql | akonadi server fails to start since it cannot connect to mysql database
 | flash-kernel | available kernels not always updated in u-boot configuration