What to expect from Debian/bookworm #newinbookworm
Debian v12 with codename bookworm was released as the new stable release on 10 June 2023. Similar to what we had with #newinbullseye and previous releases, it's now time for #newinbookworm!
I was the driving force at several of my customers to be well prepared for bookworm. As usual with major upgrades, there are some things to be aware of, so I'm starting my public notes on bookworm, which might also be worth reading for other folks. My focus is primarily on server systems, looking at things from a sysadmin perspective.
Further reading
As usual, start at the official Debian release notes, and make sure to especially go through What's new in Debian 12 and Issues to be aware of for bookworm.
Package versions
As a starting point, let's look at some selected packages and their versions in bullseye vs. bookworm as of 2023-02-10 (mainly with amd64 in mind):
Package | bullseye/v11 | bookworm/v12 |
---|---|---|
ansible | 2.10.7 | 2.14.3 |
apache | 2.4.56 | 2.4.57 |
apt | 2.2.4 | 2.6.1 |
bash | 5.1 | 5.2.15 |
ceph | 14.2.21 | 16.2.11 |
docker | 20.10.5 | 20.10.24 |
dovecot | 2.3.13 | 2.3.19 |
dpkg | 1.20.12 | 1.21.22 |
emacs | 27.1 | 28.2 |
gcc | 10.2.1 | 12.2.0 |
git | 2.30.2 | 2.39.2 |
golang | 1.15 | 1.19 |
libc | 2.31 | 2.36 |
linux kernel | 5.10 | 6.1 |
llvm | 11.0 | 14.0 |
lxc | 4.0.6 | 5.0.2 |
mariadb | 10.5 | 10.11 |
nginx | 1.18.0 | 1.22.1 |
nodejs | 12.22 | 18.13 |
openjdk | 11.0.18 + 17.0.6 | 17.0.6 |
openssh | 8.4p1 | 9.2p1 |
openssl | 1.1.1n | 3.0.8-1 |
perl | 5.32.1 | 5.36.0 |
php | 7.4+76 | 8.2+93 |
podman | 3.0.1 | 4.3.1 |
postfix | 3.5.18 | 3.7.5 |
postgres | 13 | 15 |
puppet | 5.5.22 | 7.23.0 |
python2 | 2.7.18 | – (gone!) |
python3 | 3.9.2 | 3.11.2 |
qemu/kvm | 5.2 | 7.2 |
ruby | 2.7+2 | 3.1 |
rust | 1.48.0 | 1.63.0 |
samba | 4.13.13 | 4.17.8 |
systemd | 247.3 | 252.6 |
unattended-upgrades | 2.8 | 2.9.1 |
util-linux | 2.36.1 | 2.38.1 |
vagrant | 2.2.14 | 2.3.4 |
vim | 8.2.2434 | 9.0.1378 |
zsh | 5.8 | 5.9 |
Linux Kernel
The bookworm release ships a Linux kernel based on version 6.1, whereas bullseye shipped kernel 5.10. As usual there are plenty of changes in the kernel area, including better hardware support, and this might warrant a separate blog entry, but to highlight some of the changes:
- a.out support is gone
- initial support for Rust
- lots of io_uring related improvements
- lots of BPF improvements
- support for Intel Software Guard eXtensions (SGX)
- ID mapping for mounted filesystems
- unprivileged overlayfs mounts and ID mapping in overlayfs
- NFS re-exporting support
- eager NFS writes with new writes=lazy/eager/wait mount options
- Landlock security module
- initial support for Apple M2
- new misc cgroup and new cgroup.kill file
- new memfd_secret(2) system call
- new NTFS file system implementation
- file system monitoring with fanotify
- lots of improvements around perf, including the new daemon, kwork and iostat commands, and JSON output option for stat
See Kernelnewbies.org for further changes between kernel versions.
Configuration management
puppet's upstream sadly still doesn't provide packages for bookworm (see PA-4995), though Debian provides puppet-agent and puppetserver packages, and even puppetdb is back again; see the release notes for further information.
ansible is also available and made it into bookworm with version 2.14.
Prometheus stack
Prometheus server was updated from v2.24.1 to v2.42.0 and all the exporters that got shipped with bullseye are still around (in more recent versions of course).
Virtualization
docker (v20.10.24), ganeti (v3.0.2-3), libvirt (v9.0.0-4), lxc (v5.0.2-1), podman (v4.3.1), openstack (Zed), qemu/kvm (v7.2), xen (v4.17.1) are all still around.
Vagrant is available in version 2.3.4, and Vagrant upstream already provides their packages for bookworm as well.
If you're relying on VirtualBox, be aware that upstream doesn't provide packages for bookworm yet (see ticket 21524), but thankfully version 7.0.8-dfsg-2 is available from Debian/unstable (as of 2023-06-10). (VirtualBox hasn't been shipped with stable releases for quite some time due to lack of cooperation from upstream on security support for older releases, see #794466.)
rsync
rsync was updated from v3.2.3 to v3.2.7, and we got a few new options:
--fsync
: fsync every written file
--old-dirs
: works like --dirs when talking to old rsync
--old-args
: disable the modern arg-protection idiom
--secluded-args, -s
: use the protocol to safely send the args (replaces the --protect-args option)
--trust-sender
: trust the remote sender's file list
OpenSSH
OpenSSH was updated from v8.4p1 to v9.2p1, so if you're interested in all the changes, check out the release notes between those versions (8.5, 8.6, 8.7, 8.8, 8.9, 9.0, 9.1 + 9.2). Let's highlight some notable new features:
- new system for restricting forwarding and use of keys added to ssh-agent(1) (see SSH agent restriction for details)
- switched scp(1) from using the legacy scp/rcp protocol to using the SFTP protocol by default (see the release notes for v9.0 for details)
- ssh(1): when prompting the user to accept a new hostkey, display any other host names/addresses already associated with the key
- ssh(1): allow UserKnownHostsFile=none to indicate that no known_hosts file should be used to identify host keys
- ssh(1): add a ssh_config KnownHostsCommand option that allows the client to obtain known_hosts data from a command in addition to the usual files
- ssh(1), sshd(8): add a RequiredRSASize directive to set a minimum RSA key length
- ssh(1): add a “host” line to the output of ssh -G showing the original hostname argument
- ssh-keygen -A (generate all default host key types) will no longer generate DSA keys
- ssh-keyscan(1): allow scanning of complete CIDR address ranges, e.g. ssh-keyscan 192.168.0.0/24
One important change you might want to be aware of: as of OpenSSH v8.8, RSA signatures using the SHA-1 hash algorithm are disabled by default, and RSA/SHA-256/512 (AKA RSA-SHA2) is used instead. OpenSSH has supported RFC 8332 RSA/SHA-256/512 signatures since release 7.2, and existing ssh-rsa keys automatically use the stronger algorithm where possible. A good overview is also available at SSH: Signature Algorithm ssh-rsa Error.
Tools and libraries not supporting RSA-SHA2 now fail to connect to the OpenSSH version present in bookworm. For example, python3-paramiko v2.7.2-1 as present in bullseye doesn't support RSA-SHA2: it tries to connect using the deprecated RSA/SHA-1 signature, which is no longer offered by default by OpenSSH as present in bookworm, and then fails. Support for RSA/SHA-256/512 signatures in Paramiko was requested e.g. at #1734, eventually got added to Paramiko, and in the end the change made it into Paramiko versions >=2.9.0. Paramiko in bookworm works fine, and a backport by rebuilding the python3-paramiko package from bookworm for bullseye solves the problem (BTDT).
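To make the failure mode above concrete, here is a small added example (not from the original post) that models how a client picks the signature algorithm for an RSA key against the server-sig-algs list a bookworm sshd advertises in EXT_INFO (RFC 8308). The debug line and the client algorithm lists are constructed for illustration; real values come from `ssh -vv` output and the client's own documentation.

```python
import re

# Which key type each signature algorithm name is used with.
KEY_TYPE_OF = {
    "ssh-rsa": "ssh-rsa",          # RSA with SHA-1, not accepted by default since OpenSSH 8.8
    "rsa-sha2-256": "ssh-rsa",     # RFC 8332 RSA with SHA-256
    "rsa-sha2-512": "ssh-rsa",     # RFC 8332 RSA with SHA-512
    "ssh-ed25519": "ssh-ed25519",
    "ecdsa-sha2-nistp256": "ecdsa-sha2-nistp256",
}

# Constructed `ssh -vv` debug line carrying the server-sig-algs extension a
# bookworm sshd sends in EXT_INFO (RFC 8308): note the absence of plain ssh-rsa.
BOOKWORM_DEBUG_LINE = (
    "debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ecdsa-sha2-nistp256,"
    "rsa-sha2-512,rsa-sha2-256>"
)

# Constructed client capabilities, in the client's preference order.
OPENSSH_92_CLIENT = ["ssh-ed25519", "ecdsa-sha2-nistp256", "rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"]
PARAMIKO_272_CLIENT = ["ssh-ed25519", "ecdsa-sha2-nistp256", "ssh-rsa"]  # knows no rsa-sha2-*

def server_sig_algs(debug_output):
    """Extract the comma-separated server-sig-algs name-list from ssh -vv output."""
    m = re.search(r"server-sig-algs=<([^>]*)>", debug_output)
    return m.group(1).split(",") if m else []

def choose_sig_alg(key_type, client_sig_algs, server_algs):
    """First algorithm in the client's preference list that fits `key_type` and that
    the server accepts; None means pubkey auth with that key cannot succeed."""
    for alg in client_sig_algs:
        if KEY_TYPE_OF.get(alg) == key_type and alg in server_algs:
            return alg
    return None

def explain(client_name, client_sig_algs, server_algs, key_type="ssh-rsa"):
    alg = choose_sig_alg(key_type, client_sig_algs, server_algs)
    if alg is None:
        return f"{client_name}: no mutual signature algorithm for {key_type} key, auth fails"
    return f"{client_name}: signs with {alg}"

if __name__ == "__main__":
    algs = server_sig_algs(BOOKWORM_DEBUG_LINE)
    print(explain("OpenSSH 9.2 client", OPENSSH_92_CLIENT, algs))
    print(explain("paramiko 2.7.2 client", PARAMIKO_272_CLIENT, algs))
    # With `PubkeyAcceptedAlgorithms +ssh-rsa` in sshd_config the server would also
    # list ssh-rsa and the old client would get through, but with SHA-1 signatures;
    # upgrading the client to a rsa-sha2-capable version is the proper fix.
    print(explain("paramiko 2.7.2 client", PARAMIKO_272_CLIENT, algs + ["ssh-rsa"]))
```

Run `ssh -vv user@bookworm-host 2>&1 | grep server-sig-algs` against a real server to obtain the actual list to feed into `server_sig_algs`.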
Misc unsorted
- new non-free-firmware component/repository (see Debian Wiki for details)
- supports only the merged-usr root filesystem layout (see Debian Wiki for details)
- the asterisk package didn’t make it into bookworm (see #1031046)
- e2fsprogs: the breaking change related to metadata_csum_seed and orphan_file (see #1031325) was reverted with v1.47.0-2 for bookworm (also see #1031622 + #1030939)
- rsnapshot is back again (see #986709)
- crmadmin of pacemaker no longer interprets the timeout option (-t/--timeout) in milliseconds (as it did until v2.0.5); as of v2.1.0 (v2.1.5 is present in bookworm) it interprets the argument as seconds by default
Thanks to everyone involved in the release, happy upgrading to bookworm, and let’s continue with working towards Debian/trixie. :)