Hacking, Code & Open Source Reads

Debian 9 - What Actually Changed

Christian Lehnert, 2017-07-02, ~7 min read

Debian 9, codenamed Stretch after the rubber octopus from Toy Story 3, released on June 17 and ended Jessie's two-year run as stable. Stretch is a conservative release in the way Debian is always conservative — packages are newer but the philosophy hasn't moved, and the surprises are mostly in the corners. The migration is straightforward for most users, painful for some, and worth doing within a year because Jessie's standard support ends in mid-2018.

This post covers what's actually new, what to do before you migrate, the migration itself, and the gotchas worth knowing.

What's actually new

The headline package versions:

  • Linux kernel 4.9 LTS (up from 3.16 in Jessie). Significantly better hardware support, especially for newer Intel and AMD chipsets, and full support for the SATA Express and NVMe stacks.

  • systemd 232 (up from 215). Many new directives, better cgroup v2 support, and a generally more capable init system. If you wrote systemd unit files for Jessie, almost all of them work unchanged on Stretch.

  • GCC 6.3 as the default compiler (up from 4.9). C++14 is fully supported. C++17 partially.

  • Python 3.5 as default Python 3, Python 2.7 still available but increasingly second-class.

  • OpenJDK 8 as default Java. OpenJDK 9 was packaged but not selected as default; the JDK 9 module system was too disruptive at release time.

  • GnuPG 2.1 as default gpg (Jessie shipped 1.4 as default with 2.x available). The 2.1 series uses a different keyring format, and old ~/.gnupg/pubring.gpg files migrate automatically on first use, but the migration is one-way.

The defaults that matter:

  • MariaDB 10.1 replaces MySQL as the default mysql-server. Most things that worked on MySQL 5.5 will work on MariaDB 10.1, but if you have replication, stored procedures, or anything depending on InnoDB internals, test the migration on a copy first.

  • Apache 2.4.25 and nginx 1.10.3 are both current; nginx 1.13 (mainline) is not in main.

  • PostgreSQL 9.6 as default.

  • AppArmor enabled by default, with profiles for several daemons. SELinux is still available but not preferred.

  • iptables remains the default firewall front-end, but nftables 0.7 is packaged and is where the long-term direction lies. Stretch is the last Debian release where you should be writing new iptables rules from scratch; on a fresh Stretch install for new infrastructure, learning nftables is the better investment.

The architectures: amd64 and arm64 are first-class. The 32-bit i386 architecture is still supported but its days are numbered — Buster (Debian 10) is widely expected to be the last release where i386 has a desktop installer. If you have 32-bit-only hardware, plan accordingly.

What to do before you migrate

Three things, in order:

1. Read the release notes. Specifically, the section on incompatibilities. Debian's release notes are unusually honest about what will break, and reading the Stretch release notes for Jessie users will tell you, by name, the packages and configurations that need attention. Time well spent — call it twenty minutes.

2. Audit your custom apt sources. Anything in /etc/apt/sources.list.d/ that references "jessie" needs to be either updated to point at "stretch" or temporarily disabled before the migration. Third-party repositories (Docker, nginx mainline, PostgreSQL APT, NodeSource) often have a Stretch repository ready by mid-July, but not always. Disable the ones that don't, do the migration, then re-enable when upstream catches up.

3. Take a snapshot. If your host is a VM, snapshot it before the upgrade and verify you can roll back. If your host is bare metal, take a Borg backup or an LVM snapshot of /. The Stretch upgrade is reliable, but "reliable" is not "infallible," and a forty-minute upgrade that fails halfway through on a remote server is a bad afternoon.
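A pre-migration audit for step 2, added here as an example rather than taken from the post: it lists every active apt entry still pointing at jessie, classifies each one by the URL's host name as either one of Debian's own mirrors (safe to rewrite with sed) or a third-party repository (check the vendor has a stretch suite first), and can rename the third-party .list files to .list.disabled, a suffix apt ignores. The host-name heuristic and the .disabled suffix are conventions chosen for this example, and the sources files it runs against below are a constructed fixture, not a real system.

```shell
#!/bin/sh
# Added example, not from the post: audit apt sources for entries still
# pointing at jessie and disable the third-party ones before the upgrade.
# ROOT (first argument) defaults to the live system; the fixture at the end
# lets the functions run against a constructed copy instead.

# Active deb/deb-src entries in one file whose suite mentions jessie
# (jessie, jessie/updates, jessie-backports); commented-out lines are skipped.
list_jessie_entries() {
    grep -E '^[[:space:]]*deb(-src)?[[:space:]]' "$1" |
        grep -E '(^|[[:space:]/])jessie([[:space:]/-]|$)'
}

# "debian" for Debian's own mirrors, "third-party" for everything else.
# Heuristic: decided on the URL's host name only (non-URL entries such as
# cdrom: fall through to third-party).
classify_source() {
    host=$(printf '%s\n' "$1" | sed -E 's#^.*://([^/[:space:]]+).*$#\1#')
    case "$host" in
        debian.org|*.debian.org) echo debian ;;
        *) echo third-party ;;
    esac
}

# Report every jessie entry under ROOT as "class<TAB>file<TAB>entry".
find_jessie_sources() {
    root="${1:-}"
    for f in "$root/etc/apt/sources.list" "$root"/etc/apt/sources.list.d/*.list; do
        [ -f "$f" ] || continue
        list_jessie_entries "$f" | while IFS= read -r entry; do
            printf '%s\t%s\t%s\n' "$(classify_source "$entry")" "$f" "$entry"
        done
    done
}

# True if FILE carries at least one third-party jessie entry.
has_third_party_jessie() {
    list_jessie_entries "$1" | while IFS= read -r entry; do
        [ "$(classify_source "$entry")" = third-party ] && printf '%s\n' "$entry"
    done | grep -q .
}

# Rename third-party .list files with jessie entries to .list.disabled, which
# apt ignores. Dry run unless DRY_RUN=0; re-enable later by renaming back.
disable_third_party_lists() {
    root="${1:-}"
    for f in "$root"/etc/apt/sources.list.d/*.list; do
        [ -f "$f" ] || continue
        has_third_party_jessie "$f" || continue
        if [ "${DRY_RUN:-1}" = 0 ]; then
            mv "$f" "$f.disabled" && printf 'disabled: %s\n' "$f"
        else
            printf 'would disable: %s\n' "$f"
        fi
    done
}

# Constructed fixture (not a real system): a Debian sources.list plus two
# vendor lists, one still on jessie and one already moved to stretch.
make_fixture() {
    mkdir -p "$1/etc/apt/sources.list.d"
    cat > "$1/etc/apt/sources.list" <<'EOF'
deb http://deb.debian.org/debian jessie main
deb http://security.debian.org/ jessie/updates main
deb http://deb.debian.org/debian jessie-backports main
EOF
    cat > "$1/etc/apt/sources.list.d/docker.list" <<'EOF'
deb [arch=amd64] https://download.docker.com/linux/debian jessie stable
EOF
    cat > "$1/etc/apt/sources.list.d/pgdg.list" <<'EOF'
# deb http://apt.postgresql.org/pub/repos/apt/ jessie-pgdg main
deb http://apt.postgresql.org/pub/repos/apt/ stretch-pgdg main
EOF
}

# Real use on a Jessie host (not run here): find_jessie_sources, then
# DRY_RUN=0 disable_third_party_lists once you have read the report.
```

Run find_jessie_sources first and read the report; the Debian-mirror lines are the ones the sed step in the migration section rewrites, and only the third-party lines need a decision per vendor.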

The migration

Stretch upgrades from Jessie via the standard apt path. From a clean Jessie system:

    apt-get update
    apt-get upgrade        # ensure jessie is fully up to date first
    apt-get dist-upgrade

Then update sources:

    sed -i 's/jessie/stretch/g' /etc/apt/sources.list
    sed -i 's/jessie/stretch/g' /etc/apt/sources.list.d/*.list

If you had jessie-backports, replace with stretch-backports (or remove entirely — Stretch is fresh enough that backports is rarely needed in the first months).

Then the actual upgrade:

    apt-get update
    apt-get upgrade --without-new-pkgs   # minimal upgrade first
    apt-get full-upgrade                 # full upgrade including new dependencies

The Debian release notes recommend the upgrade --without-new-pkgs first step before full-upgrade because it reduces the number of half-installed states the system can end up in if the upgrade is interrupted. Worth following.

The actual upgrade takes between twenty minutes (small server, fast disk, fast mirror) and two hours (large desktop, lots of packages). During this time, debconf will ask you several questions about whether to keep modified configuration files. The default is "keep your version" (N); the safe choice unless you know you have not customized the file. For files where the new default is meaningfully better (e.g., /etc/ssh/sshd_config if you have not hardened it), accept the maintainer's version with Y and re-apply your changes after.

After the upgrade, reboot:

    reboot

Verify:

    cat /etc/debian_version    # should now read 9.0 or 9.1
    uname -r                   # should be 4.9.x
    systemctl --version        # should be 232

The gotchas

These are what will bite you, in rough order of frequency.

MySQL → MariaDB. If you had mysql-server on Jessie, the upgrade replaces it with default-mysql-server which pulls in MariaDB. The data files migrate cleanly in 99% of cases, but the configuration file location moves from /etc/mysql/my.cnf to a more layered structure under /etc/mysql/mariadb.conf.d/. Custom tunings need to be reviewed.

GnuPG keyring migration. The first invocation of gpg after the upgrade migrates your ~/.gnupg/ to the 2.1 format. Before this happens, copy the directory somewhere safe. The migration usually works, but if it fails (rare, but possible with corrupted old keyrings), recovering from a backup is much easier than rebuilding.
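The "copy the directory somewhere safe" step, as an added example that is not part of the post: the function archives a GnuPG home into a timestamped, owner-only (mode 0600) tarball and refuses to overwrite an existing one, and a second function checks that the archive actually contains the 1.4-format keyring files before you let gpg 2.1 migrate them. The archive name and the verification list are choices made for this example; the directory it is tested against is a constructed fixture of placeholder files, not real key material.

```shell
#!/bin/sh
# Added example, not from the post: archive a GnuPG home directory into an
# owner-only tarball before gpg 2.1 performs its one-way keyring migration.
# Source and destination are parameters so the functions can be exercised
# against the constructed fixture below instead of a real ~/.gnupg.

# Archive SRC (default ~/.gnupg) as DEST_DIR/gnupg-backup-<timestamp>.tar,
# mode 0600, and print the archive path. Never overwrites an existing file.
backup_gnupg_home() {
    src="${1:-$HOME/.gnupg}"
    dest_dir="${2:-$HOME}"
    [ -d "$src" ] || { echo "no such directory: $src" >&2; return 1; }
    archive="$dest_dir/gnupg-backup-$(date +%Y%m%d-%H%M%S).tar"
    [ -e "$archive" ] && { echo "refusing to overwrite $archive" >&2; return 1; }
    # Subshell: the restrictive umask is in force while tar creates the file
    # and does not leak into the caller; -C keeps the directory name inside
    # the archive so it restores under the same name.
    ( umask 077 && tar -C "$(dirname "$src")" -cf "$archive" "$(basename "$src")" ) || return 1
    chmod 600 "$archive"
    printf '%s\n' "$archive"
}

# Check the archive holds the files a 1.4-format keyring consists of and is
# not readable by other users. secring.gpg only exists once a secret key has
# been generated or imported, so its absence is reported rather than fatal.
verify_gnupg_backup() {
    archive="$1"
    for want in pubring.gpg trustdb.gpg; do
        tar -tf "$archive" | grep -q "/$want\$" ||
            { echo "missing $want in $archive" >&2; return 1; }
    done
    tar -tf "$archive" | grep -q '/secring.gpg$' ||
        echo "note: no secring.gpg in $archive (no secret keys in this home?)" >&2
    # GNU stat first, BSD stat as fallback.
    mode=$(stat -c %a "$archive" 2>/dev/null || stat -f %Lp "$archive")
    [ "$mode" = 600 ]
}

# Constructed fixture: placeholder files with the 1.4-era names, no real keys.
make_gnupg_fixture() {
    mkdir -p "$1/.gnupg" && chmod 700 "$1/.gnupg"
    for f in pubring.gpg secring.gpg trustdb.gpg gpg.conf; do
        printf 'constructed placeholder, not key material\n' > "$1/.gnupg/$f"
    done
}

# Real use (not run here), before the first gpg invocation after the upgrade:
#   archive=$(backup_gnupg_home) && verify_gnupg_backup "$archive"
```

Keep the tarball off the machine being upgraded if you can; a backup that only lives on the disk you are about to dist-upgrade is protection against the keyring migration failing, not against the upgrade failing.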

iptables-save format change. The output of iptables-save on Stretch differs slightly from Jessie in how it handles certain modules. If you have firewall rules saved to a file and reloaded at boot, the rules will still load correctly, but if you run any tooling that diffs the saved rules against the live rules, expect spurious differences.
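For the saved-versus-live comparison, the fix is to normalise both dumps before diffing. The following is an added example, not code from the post: it strips the "Generated by"/"Completed on" timestamp lines and the packet/byte counters, collapses whitespace, and folds one module-spelling difference that, to my understanding, shows up in exactly this upgrade (iptables 1.6 on Stretch treats the state match as an alias of conntrack, so a rule loaded as -m state --state is saved back as -m conntrack --ctstate). The two rulesets it compares are constructed samples, and /etc/iptables/rules.v4 in the trailing comment is iptables-persistent's path, used only as an illustration.

```shell
#!/bin/sh
# Added example, not from the post: normalise iptables-save output before
# comparing a boot-time rules file with the live ruleset, so timestamps,
# counters, whitespace and the state/conntrack alias do not surface as
# spurious differences after the Jessie-to-Stretch upgrade.

# Read iptables-save text on stdin, write the canonical form on stdout.
normalize_iptables_save() {
    sed -E \
        -e '/^# (Generated by|Completed on) /d' \
        -e 's/[[:space:]]+/ /g' -e 's/ +$//' \
        -e 's/^\[[0-9]+:[0-9]+\] //' \
        -e 's/^(:[^ ]+ [^ ]+) \[[0-9]+:[0-9]+\]$/\1/' \
        -e 's/ -m state --state / -m conntrack --ctstate /g'
}

# Constructed sample: a rules file written on Jessie (iptables 1.4.21).
jessie_saved_rules() {
    cat <<'EOF'
# Generated by iptables-save v1.4.21 on Mon Jun 19 10:00:00 2017
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Mon Jun 19 10:00:00 2017
EOF
}

# Constructed sample: the same rules dumped live on Stretch with counters (-c).
stretch_live_rules() {
    cat <<'EOF'
# Generated by iptables-save v1.6.0 on Sun Jul  2 09:30:00 2017
*filter
:INPUT DROP [12:840]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [3301:402233]
[1200:96000] -A INPUT -i lo -j ACCEPT
[5000:4000000] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[42:2520] -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Sun Jul  2 09:30:00 2017
EOF
}

# Constructed sample: a genuine change (SSH moved to 2222) that must still be reported.
changed_rules() {
    stretch_live_rules | sed 's/--dport 22 /--dport 2222 /'
}

# Exit 0 when two rulesets are equivalent after normalisation.
rulesets_equivalent() {
    [ "$(printf '%s\n' "$1" | normalize_iptables_save)" = \
      "$(printf '%s\n' "$2" | normalize_iptables_save)" ]
}

# Unified diff of the normalised forms; exit status is diff's (1 = differs).
ruleset_diff() {
    t1=$(mktemp) && t2=$(mktemp) || return 1
    printf '%s\n' "$1" | normalize_iptables_save > "$t1"
    printf '%s\n' "$2" | normalize_iptables_save > "$t2"
    rc=0
    diff -u "$t1" "$t2" || rc=$?
    rm -f "$t1" "$t2"
    return $rc
}

# Real use (not run here), boot-time file versus live table:
#   ruleset_diff "$(cat /etc/iptables/rules.v4)" "$(iptables-save)"
```

Rule order is significant, so the normaliser deliberately does not sort; a reordered chain is a real change and should still show up in the diff.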

PHP 7.0 replaces PHP 5.6. If you run any web application written before 2015, test it on PHP 7 before the upgrade. Most things work; some things — old WordPress plugins, ancient phpBB customizations, the kind of code you find in admin panels written by people who have moved on — break in subtle ways.

NetworkManager + systemd-networkd interaction on desktops. If you have configured both, Stretch may handle the precedence differently than Jessie did. Pick one and disable the other.

The interface name change is not new — Jessie already moved away from eth0 to predictable names like enp0s3, eno1 — but if you skipped Jessie and are coming from Wheezy, this is the upgrade where it bites you. Update any hardcoded references to eth0 in scripts, firewall rules, and /etc/network/interfaces.

Should you upgrade now or wait

Stretch released two weeks ago. The first .1 point release is expected in around a month; the bug-fix patches in 9.1 will smooth out the rough edges that always exist in a fresh major release. For production servers, the conservative answer is to wait for 9.1 (mid-August) before migrating, run a small fleet on Stretch for a few weeks, and only then migrate the rest.

For development machines, laptops, and home servers, upgrading now is fine. The kernel and userspace are noticeably better, the new GnuPG and Java versions matter for ongoing work, and the rough edges that exist will be discovered and reported by people who upgraded early.

Jessie's standard security support continues until June 2018, with LTS support to June 2020. There is no rush on the calendar, but there is also no reason to put Stretch off indefinitely. Most servers will end up on it within a year, and the migration is easier when you do it deliberately on a Tuesday afternoon than when you do it under pressure because Jessie security support ended last week.

The summary

Stretch is a solid Debian release. The kernel is much newer, systemd is meaningfully better, and the toolchain is current enough that building modern software is no longer a fight. The migration path is clean, the gotchas are documented, and the surprises are minor. By this time next year, Stretch will be on most of your machines whether you plan it or not.

Plan it. Upgrade a non-critical machine first. Read the release notes. The forty-five minutes you invest in preparation buys you a smooth upgrade and a year of better defaults.

Tagged:
#linux #debian #selfhosted