Debian v12 with codename bookworm was released as new stable release on 10th of June 2023. Similar to what we had with #newinbullseye and previous releases, now it's time for #newinbookworm!
I was the driving force at several of my customers to be well prepared for bookworm. As usual with major upgrades, there are some things to be aware of, and hereby I'm starting my public notes on bookworm that might also be worth reading for other folks. My focus is primarily on server systems and looking at things from a sysadmin perspective.
Further readings
As usual start at the official Debian release notes, and make sure to especially go through What's new in Debian 12 + Issues to be aware of for bookworm.
Package versions
As a starting point, let's look at some selected packages and their versions in bullseye vs. bookworm as of 2023-02-10 (mainly having amd64 in mind):
Package | bullseye/v11 | bookworm/v12
--- | --- | ---
ansible | 2.10.7 | 2.14.3
apache | 2.4.56 | 2.4.57
apt | 2.2.4 | 2.6.1
bash | 5.1 | 5.2.15
ceph | 14.2.21 | 16.2.11
docker | 20.10.5 | 20.10.24
dovecot | 2.3.13 | 2.3.19
dpkg | 1.20.12 | 1.21.22
emacs | 27.1 | 28.2
gcc | 10.2.1 | 12.2.0
git | 2.30.2 | 2.39.2
golang | 1.15 | 1.19
libc | 2.31 | 2.36
linux kernel | 5.10 | 6.1
llvm | 11.0 | 14.0
lxc | 4.0.6 | 5.0.2
mariadb | 10.5 | 10.11
nginx | 1.18.0 | 1.22.1
nodejs | 12.22 | 18.13
openjdk | 11.0.18 + 17.0.6 | 17.0.6
openssh | 8.4p1 | 9.2p1
openssl | 1.1.1n | 3.0.8-1
perl | 5.32.1 | 5.36.0
php | 7.4+76 | 8.2+93
podman | 3.0.1 | 4.3.1
postfix | 3.5.18 | 3.7.5
postgres | 13 | 15
puppet | 5.5.22 | 7.23.0
python2 | 2.7.18 | (gone!)
python3 | 3.9.2 | 3.11.2
qemu/kvm | 5.2 | 7.2
ruby | 2.7+2 | 3.1
rust | 1.48.0 | 1.63.0
samba | 4.13.13 | 4.17.8
systemd | 247.3 | 252.6
unattended-upgrades | 2.8 | 2.9.1
util-linux | 2.36.1 | 2.38.1
vagrant | 2.2.14 | 2.3.4
vim | 8.2.2434 | 9.0.1378
zsh | 5.8 | 5.9
Linux Kernel
The bookworm release ships a Linux kernel based on version 6.1, whereas bullseye shipped kernel 5.10. As usual there are plenty of changes in the kernel area, including better hardware support, and this might warrant a separate blog entry, but to highlight some changes:
See Kernelnewbies.org for further changes between kernel versions.
Configuration management
puppet's upstream sadly still doesn't provide packages for bookworm (see PA-4995), though Debian provides puppet-agent and puppetserver packages, and even puppetdb is back again; see the release notes for further information.
ansible is also available and made it with version 2.14 into bookworm.
Prometheus stack
Prometheus server was updated from v2.24.1 to v2.42.0 and all the exporters that got shipped with bullseye are still around (in more recent versions of course).
Virtualization
docker (v20.10.24), ganeti (v3.0.2-3), libvirt (v9.0.0-4), lxc (v5.0.2-1), podman (v4.3.1), openstack (Zed), qemu/kvm (v7.2), xen (v4.17.1) are all still around.
Vagrant is available in version 2.3.4, and Vagrant upstream also provides their packages for bookworm already.
If you're relying on VirtualBox, be aware that upstream doesn't provide packages for bookworm yet (see ticket 21524), but thankfully version 7.0.8-dfsg-2 is available from Debian/unstable (as of 2023-06-10). VirtualBox hasn't been shipped with stable releases for quite some time, due to lack of cooperation from upstream on security support for older releases (see #794466).
rsync
rsync was updated from v3.2.3 to v3.2.7, and we got a few new options:
- --fsync: fsync every written file
- --old-dirs: works like --dirs when talking to an old rsync
- --old-args: disable the modern arg-protection idiom
- --secluded-args, -s: use the protocol to safely send the args (replaces the --protect-args option)
- --trust-sender: trust the remote sender's file list
OpenSSH
OpenSSH was updated from v8.4p1 to v9.2p1, so if you're interested in all the changes, check out the release notes between those versions (8.5, 8.6, 8.7, 8.8, 8.9, 9.0, 9.1 + 9.2). Let's highlight some notable new features:
- new system for restricting forwarding and use of keys added to ssh-agent(1) (see SSH agent restriction for details)
- switched scp(1) from using the legacy scp/rcp protocol to using the SFTP protocol by default (see release notes for v9.0 for details)
- ssh(1): when prompting the user to accept a new hostkey, display any other host names/addresses already associated with the key
- ssh(1): allow UserKnownHostsFile=none to indicate that no known_hosts file should be used to identify host keys
- ssh(1): add a ssh_config KnownHostsCommand option that allows the client to obtain known_hosts data from a command in addition to the usual files
- ssh(1), sshd(8): add a RequiredRSASize directive to set a minimum RSA key length
- ssh(1): add a host line to the output of ssh -G showing the original hostname argument
- ssh-keygen -A (generate all default host key types) will no longer generate DSA keys
- ssh-keyscan(1): allow scanning of complete CIDR address ranges, e.g. ssh-keyscan 192.168.0.0/24
One important change you might want to be aware of is that as of OpenSSH v8.8, RSA signatures using the SHA-1 hash algorithm got disabled by default, and RSA/SHA-256/512 (AKA RSA-SHA2) is used instead. OpenSSH has supported RFC8332 RSA/SHA-256/512 signatures since release 7.2, and existing ssh-rsa keys will automatically use the stronger algorithm where possible. A good overview is also available at SSH: Signature Algorithm ssh-rsa Error.
Now tools/libraries not supporting RSA-SHA2 fail to connect to OpenSSH as present in bookworm. For example python3-paramiko v2.7.2-1 as present in bullseye doesn't support RSA-SHA2. It tries to authenticate using the deprecated RSA/SHA-1 signature, which is no longer accepted by default with OpenSSH as present in bookworm, and then fails. Support for RSA/SHA-256/512 signatures in Paramiko was requested e.g. at #1734, and eventually got added to Paramiko; in the end the change made it into Paramiko versions >=2.9.0. Paramiko in bookworm works fine, and a backport by rebuilding the python3-paramiko package from bookworm for bullseye solves the problem (BTDT).
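To make the failure mode above concrete, here is an added model (not code from this post, OpenSSH or Paramiko) of how an SSH client picks the signature algorithm for an RSA key and whether a bookworm sshd accepts it. The algorithm lists and the two client profiles are constructed for illustration: the "paramiko-2.7" profile stands for a client that can only produce ssh-rsa (RSA/SHA-1) signatures and ignores the server's server-sig-algs hint, the "paramiko>=2.9" profile for one that prefers RSA-SHA2 and honours the hint. The exact default algorithm string of any OpenSSH release is not reproduced here.

```python
"""Model of RSA signature-algorithm selection for SSH publickey auth.

Added example, not code from the blog post, Debian, OpenSSH or Paramiko.
All algorithm lists and client profiles below are constructed for
illustration and abbreviated.
"""

# Constructed, abbreviated list of what a default-configured sshd >= 8.8
# advertises in the RFC 8332 "server-sig-algs" extension. Assumption for
# this example: "ssh-rsa" (RSA/SHA-1) is absent, RSA-SHA2 variants are present.
SSHD_BOOKWORM_DEFAULT = [
    "ssh-ed25519",
    "ecdsa-sha2-nistp256",
    "rsa-sha2-512",
    "rsa-sha2-256",
]

# Constructed: the same server with ssh-rsa deliberately re-enabled by the
# administrator (a weaker configuration; the post's preferred fix is to
# backport a newer python3-paramiko instead).
SSHD_BOOKWORM_SSH_RSA_REENABLED = SSHD_BOOKWORM_DEFAULT + ["ssh-rsa"]

# Constructed client profiles: RSA signature algorithms the client can
# produce, in preference order, and whether it honours server-sig-algs.
CLIENT_PROFILES = {
    # Stands for bullseye's python3-paramiko 2.7.x: SHA-1 only, no hint support.
    "paramiko-2.7": {
        "rsa_algs": ["ssh-rsa"],
        "honours_server_sig_algs": False,
    },
    # Stands for Paramiko >= 2.9 as in bookworm: RSA-SHA2 first, honours hint.
    "paramiko>=2.9": {
        "rsa_algs": ["rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"],
        "honours_server_sig_algs": True,
    },
}


def choose_signature_alg(client_rsa_algs, honours_hint, server_sig_algs):
    """Return the algorithm name the client puts into its publickey signature.

    A client that honours server-sig-algs picks its first preference the
    server lists; if nothing matches it falls back to its top preference.
    A client that ignores the hint always uses its top preference.
    """
    if honours_hint:
        for alg in client_rsa_algs:
            if alg in server_sig_algs:
                return alg
    return client_rsa_algs[0]


def server_accepts(alg, server_sig_algs):
    """sshd only verifies signatures made with an algorithm it accepts."""
    return alg in server_sig_algs


def simulate_auth(client_name, server_sig_algs):
    """Return (outcome, algorithm) for one publickey authentication attempt."""
    profile = CLIENT_PROFILES[client_name]
    alg = choose_signature_alg(
        profile["rsa_algs"], profile["honours_server_sig_algs"], server_sig_algs
    )
    outcome = "accepted" if server_accepts(alg, server_sig_algs) else "rejected"
    return outcome, alg


if __name__ == "__main__":
    # Old client vs. bookworm sshd: signs with ssh-rsa, which sshd no longer accepts.
    print("paramiko-2.7  vs bookworm sshd:", simulate_auth("paramiko-2.7", SSHD_BOOKWORM_DEFAULT))
    # New client vs. bookworm sshd: negotiates rsa-sha2-512 and succeeds.
    print("paramiko>=2.9 vs bookworm sshd:", simulate_auth("paramiko>=2.9", SSHD_BOOKWORM_DEFAULT))
    # Old client only works if the admin re-enables the weaker algorithm.
    print("paramiko-2.7  vs ssh-rsa re-enabled:",
          simulate_auth("paramiko-2.7", SSHD_BOOKWORM_SSH_RSA_REENABLED))
```

The model shows why the upgrade, not the key, is the problem: the same RSA key works with a client that can sign with RSA-SHA2, so replacing the client library (the backport described above) fixes the connection without loosening the server's defaults.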
Misc unsorted
- new non-free-firmware component/repository (see Debian Wiki for details)
- support only the merged-usr root filesystem layout (see Debian Wiki for details)
- the asterisk package didn't make it into bookworm (see #1031046)
- e2fsprogs: the breaking change related to metadata_csum_seed and orphan_file (see #1031325) was reverted with v1.47.0-2 for bookworm (also see #1031622 + #1030939)
- rsnapshot is back again (see #986709)
- crmadmin of pacemaker no longer interprets the timeout option (-t/--timeout) in milliseconds (as it did until v2.0.5); as of v2.1.0 (and v2.1.5 is present in bookworm) it interprets the argument as seconds by default
Thanks to everyone involved in the release, happy upgrading to bookworm, and let's continue with working towards Debian/trixie. :)