tier1.jp

Debian 10.4, 9.12 and bullseye

The Debian team released Debian buster 10.4 (stable) and 9.12 (oldstable). Many thanks, Debian team.

Ever since buster was "testing", we have been evaluating it with our preferred configuration. There were some issues around encrypted LVM and core GNOME apps such as nautilus.

Now many of them seem to be fixed, but some unfortunately remain.

Our situation

First of all, we are alive. It just took us a long time to update this site.

  • We are now upgrading some of our machines to buster by clean installation.
    • To obtain full-featured LUKS2.
    • Our local (CLI only) servers are fine.
  • We changed some of their SSD/NVMe devices.
    • Some have a spare shortage, some have ECC error SMART records.

For local servers, Debian buster seems fine, even with ALPM-enabled AHCI and suspend-to-RAM.

Troubles on "buster" GNOME workstations

However, Debian buster GNOME workstations showed some problems (using some of our ex-stretch GNOME workstation machines).

  1. The GNOME session itself sometimes "freezes" for seconds.
    • Sometimes syslog shows segmentation faults of GNOME shell.
    • There were also DRM GPU hangs (Intel UHD Graphics).
      • In most cases it resets rcs0 and recovers.
      • A few times all video output was lost (rcs0 reset timeout).
    • We can neither figure out nor reproduce the situations.
      • Many cases happened with Firefox (HTML5 canvas suspected).
      • A few cases happened at GNOME workspace switching (no idea).
  2. GNOME sessions produce too many syslog failures.
    • e.g. simple web browsing and typing Japanese still produce many IBus assertion failures and Firefox broken pipe errors.
    • There are many timing-related GNOME mutter warnings.
    • On Debian stretch, on the other hand, GNOME/X.org with Mozc/IBus does not produce such issues.

In particular, we think the former could be a potential attack surface, and we want to avoid that kind of risk.

So we have not started using buster for such purposes yet.

Recent M/B and "oldstable" stretch driver issues

We thought using Debian on recent Intel Core SKUs, including Coffee Lake and later, was okay.

We were wrong.

Apology for this

We wrote it would be okay on our Debian installation guides.

For stretch, as described below, it may not be.

One of our new Intel Coffee Lake / Intel 300 chipset machines showed a NIC driver loading problem when we attempted to install Debian "oldstable" stretch 9.12.

A typical case was the Intel I219-V NIC (e1000e).

  • The stretch installer could not detect it.
    • Manual driver loading did not help.
    • A backported 4.19 kernel might help, but we did not and will not test it.
  • buster (installer and installed system) was okay.
  • So was bullseye (alpha1 installer).

Attention!

Perhaps minor revision upgrades of various devices among Intel 200 chipset and 300 series motherboards cause this kind of device driver issue.

Pitfalls of some motherboard settings about Secure Boot

First, some motherboards seem to have an issue with their "boot management" features.

  • Enabling some of those settings reproduced a boot failure of buster with Secure Boot enabled.
    • e.g. booting the Debian installer via BIOS boot priority override.
      • The Debian installer finished without any problem.
      • The initial boot fails.
    • In that case, try disabling those BIOS boot management features.

Second, the Secure Boot "mode" is "Windows mode", not "other OS".

We may skip buster for GNOME workstations

Since we are still suffering from a resource shortage, we simply cannot test enough.

So we are skipping 10.4 for GNOME workstations, expecting 10.5 to address the issues above.

  1. It would be fine if you use buster with neither GNOME nor (IBus) CJK input method packages.
  2. It may be caused by our AppArmor profiles and other security settings. We cannot tell enough about those buster GNOME workstation issues.
  3. Apologies for our "frozen" guides (we stated we would keep updating them while we use stretch).

We have now started testing bullseye, which is the "testing" release now, and are reconfiguring some PAM-related and other security settings, including AppArmor profiles and firewall.

Debian bullseye has many changes. It will take us a long time to determine what should be done.

Thanks for reading. Have a nice day.
