Differences between revisions 245 and 246
Revision 245 as of 2017-04-21 09:28:49
Size: 19733
Editor: ?WolfgangSchweer
Comment: add workaround if upgrade fails due to sitesummary bug.
Revision 246 as of 2017-05-06 21:25:32
Size: 19438
Editor: ?WolfgangSchweer
Comment: the sitesummary issue has been fixed in the 8.8 point release.
Deletions are marked like this. Additions are marked like this.
Line 6: Line 6:
 * ATM upgrading the main server might fail due to a sitesummary issue; see DebianBug:823688, scroll to the bottom.
   Until the bug is fixed for jessie, this workaround could be used if upgrading is broken:
   dpkg -r sitesummary
   apt -f install
   apt install sitesummary

For current development, see Status/Stretch.

Status of Debian Edu "Jessie"


A multi-architecture CD / usbstick image (649 MiB) for network booting can be downloaded at the following locations:

The SHA1SUM of this image is: b82eea8a47f471a2ead0434279e2d3e2e66eed53

Alternatively an extended DVD / usbstick image (5 GiB) is also available, with more software included (saving additional download time):

The SHA1SUM of this image is: cffac38cca13a7e6be5888c21088fd6b57398f88

Sources are available from the Debian archive, see http://cdimage.debian.org/debian-cd/8.5.0/source/ for some download options.

Changes from Wheezy to Jessie

Known problems we must fix

  • none

Known problems we ought to fix but which can be worked around easily

  • Mounting of homedirs fails randomly. This is probably due to buggy nscd netgroup caching (791562). As a workaround disable netgroup caching (on tjener) in /etc/nscd.conf and remove /var/cache/nscd/netgroup. Run 'debian-edu-nscd-netgroup-cache disable' as root to achieve this.

  • On workstations the automatic setup of remote printers (configured on tjener) fails (see discussion in 791995). To get it working, install the package libnss-mdns on tjener and on the workstation(s). If LTSP is used, install the package in the LTSP chroot as well.

  • With the re-rename of Iceweasel to Firefox in Jessie, the setting of the Iceweasel default homepage, the feature to configure this URL in LDAP and the setting of the proxy type are gone (827448). As a workaround this script might be used (on tjener) until a proper fix is available:

# migrate iceweasel customization to firefox-esr.
# the cert_override.txt file is already located in the right place
# (directory /etc/skel on tjener) to work ok, so is skipped here.
# proxy settings are pulled via wpad and/or /etc/environment.
set -e
# check if host has networked profile; and yes, it's 'iceweacel-networked-prefs.js'
# by intention, the file is shipped like this since years, I guess.
if [ -e /etc/iceweasel/pref/debian-edu-networked.js ] && [ ! -e /etc/firefox-esr/debian-edu-networked.js ]; then
    ln -s /usr/share/debian-edu-config/iceweacel-networked-prefs.js /etc/firefox-esr/debian-edu-networked.js
    sed -i 's#iceweasel/pref#firefox-esr#' /usr/share/debian-edu-config/tools/update-iceweasel-homepage
    /etc/init.d/iceweasel-ldapconf force-reload
    if [ -d /opt/ltsp ] ; then
        for ltsp_chroot in `find /opt/ltsp/ -mindepth 1 -maxdepth 1 -type d`; do
            chroot $ltsp_chroot ln -s /usr/share/debian-edu-config/iceweacel-networked-prefs.js /etc/firefox-esr/debian-edu-networked.js
            chroot $ltsp_chroot sed -i 's#iceweasel/pref#firefox-esr#' /usr/share/debian-edu-config/tools/update-iceweasel-homepage
            chroot $ltsp_chroot /etc/init.d/iceweasel-ldapconf force-reload
  • The configuration concerning personal web pages needs changes:
    • Adjust the content of /etc/apache2/mods-available/debian-edu-userdir.conf to be like this:

<IfModule mod_userdir.c>
        UserDir public_html
        UserDir disabled root

        <Directory /skole/tjener/home*/*/public_html>
                AllowOverride FileInfo AuthConfig Limit
                Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
                <Limit GET POST OPTIONS>
                        Require all granted
                <LimitExcept GET POST OPTIONS>
                        Require all denied
  • Run 'a2enmod debian-edu-userdir' to enable the configuration.
  • Run 'service apache2 restart'.

Known problems, we want to fix eventually

  • Upgrade from wheezy should be made easier (related fixes have been committed to d-e-config branch 'upgrade-tmp'):
    • Adjust configuration to make cfengine idempotent in its operation (779642).

    • Adjust apt-get autoremoval operation (779646).

  • It takes up to 15 minutes for an updated system hostname to take effect (780461).

  • The hostname script fails to update LTSP server hostname (783087).

Fixed in git, needs upload to jessie-proposed-updates

  • shutdown-at-night fails to shut the system down if gdm is used. This is caused by gdm now running a special gnome-session as greeter (and no longer gdm-simple-greeter). Using xlsclient to tell a greeter gnome-session from a normal gnome-session seems to be impossible. (787566).

Known problems, unlikely to be fixed for jessie

  • Installations done using the two available images differ in installed packages - though it's not sure whether this is fixable or by design.

  • Usability issue: The default browser Iceweasel fail to show files with MIME types text/* (like for example diffs or source code) in the browser, and instead pop up a dialog only offering to save the file or pass it on to an external program (600266). This make it hard for users to look at fairly normal text documents. Chromium show text/* files in the browser.

  • USB sticks with some ISO images (like the Debian Edu netinst one) dd'ed to don't work (user doesn't get notified, filemanager doesn't show the stick, fdisk can't access the device due to a possibly wrong partition table). [So this is rather an ISO file problem.]
  • slbackup-php: It is not possible to log into the web service using the root password. This is caused by the new sshd configuration: root access with password is now disabled by default. A workaround has been documented in the manual how to get the gui working temporarily.
  • SMTP reject email from cron on all other machines, and refuse email from everyone without a kerberos ticket.
  • The command 'net time' causes a segmentation fault (760781) [fixed in samba-common-bin/4.1.17+dfsg-4 (testing)].

  • The installer accept weak user passwords for the first user which are rejected by Kerberos and make it impossible to log in after boot. We should extend d-i to allow us to reject passwords kerberos is going to reject. (364526)

Fixed + done (related packages migrated to jessie)

  • The subnet-change script doesn't adjust (the migrated) squid.conf (800654).

  • Automatic filesystem resizing fails cause /proc/mounts contains /dev/dm-X devices for / (and /usr if on a separate partion). See 800651 for a patch.

  • With gosa version 2.7.4+reloaded2-1+deb8u1 an annoying message pops up each time when logging into the GOsa² web gui because the default non Debian Edu configuration file has been changed (794189). To avoid this the first line of /etc/gosa/gosa.conf must be changed to be like this: <conf configVersion="3dcfa28818766382948647a15bcbcbbc">. (<conf configVersion=""> would work as well.)

  • The build-client-opts preseeding in defaults.thin-client-server breaks PXE installs including profile thin-client-server (781515). Fixes addressing this issue have been committed to d-e-config branch 'ltsp-related' and to d-e-install.

  • After upgrade from wheezy squid should be migrated to squid3 (related fixes have been committed to d-e-config branch 'squid-related'):
    • Add share/debian-edu-config/tools/migrate-squid-to-squid3.
    • Adjust cf/cf.squid to run this script (779649).

  • Unblock request needed for debian-installer-netboot-images to fix PXE installs (782267).

  • Setting up the LTSP chroot fails, if the netinst or usbstick ISO files are used to set up a combined server in a virtualbox environment (780591). Installation on real hardware using a USB stick (with BD ISO image) works.

  • shutdown-at-night fails to shut the system down if gdm is used. This is caused by the gdm3 greeter running a gnome-session as user '(unknown)' (775608), pre-approval unblock request (777527).

  • debian-edu-pxeinstall has to be adjusted to work with debian-installer-8-netboot-* (776763).

  • The kdm login no longer seem to run the scripts in /etc/X11/Xsession.d/, causing robustness fixes to not be applied in the default setup. This for example causes ~/.xsession-errors to fill up the user disk, no sensible explainatin to show up when the home directory is missing, our desktup-profiles menues (educational overrides) to not take effect, and possibly no ssh-agent to be running. [It seems to be that the scripts in Xsession.d are run, but 09debian-edu-missing-home doesn't work due to changed kdm behaviour (774392).]

  • The first user created in LDAP can log in, but the second and third can not. Changing "Password Storage" for these in GOSA from default ssha to sha and re-assigning a password helped. See mailing list. [Most probably due to 'dbnosync' set to true in slapd.conf. This should have been fixed at the time the issue was reported, but the fix had been applied to the wrong file in git (slapd-debian-edu.conf instead of slapd-squeeze_debian-edu.conf) (774610).]

    • d-e-config 1.816 which contains these changes has been uploaded to unstable and unblocked, waiting for migration to jessie
  • dovecot no longer creates ssl certificate (772162, 772163). Certificate creation and enabling of ssl is now done using cfengine/shellcommand and according script.

  • Workstations are not able to NFS mount home0 from the tjener, even if they are in the workstation-hosts netgroup granting access (772342). This is most probably caused by nslcd not daemonizing reliably (759544), which seems to have been due to 755039 (fix is in jessie) in network-manager causing long times (up to about 30 seconds) to raise the network interface. 622394 and 771943 might play a role as well.

  • New systems don't get the hostname configured in GOsa². This is caused by Network-Manager using a wrong (hardcoded) 'arping' path (755039). As a workaround execute 'update-hostname-from-ip' on the new system.

    • *needs confirmation*: the fixed network-manager package has arrived in jessie, so this should be fixed. is it? Yes.
  • PXE installation ask for mirror, while it should use the same mirror as the server used when it was installed. (770302)

  • slbackup-php: a configuration file is missing. The default backup server should be 'backup', not 'localhost' (769806).

  • Workstations (and probably other profiles) have a race condition where autofs starts before the eth0 interface is up. the syslog confirm that dhclient completes after autofs/automount complain in the log that it is unable to reach the LDAP server. This causes user home directories to be unavailable after boot. 769443 Is this systemd related? It seems to have been a problem in the past as well, see: https://bugs.launchpad.net/ubuntu/+source/autofs5/+bug/733914 Maybe network performance plays a role, too. See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=710490 Workaround in debian-edu-config implemented (dhclient hook sript).

  • Kerberos/LDAP startup with systemd is unreliable (758992). This seems to affect diskless workstations as well (homedir not mounted).

  • Duplicate entries in /etc/udev/rules.d/70-persistent-net.rules for the network card on a Thinkpad X200 caused eth0 to be missing when installing a workstation, making it impossible to log in after installation. etckeeper show that the duplicate entry originates from d-i before pre-pkgsel.d. It was present before debian-edu-config was installed by d-i. (765577) Workaround implemented in debian-edu-config (pre-pkgsel script).

  • Grub ask users to enter /dev/ path to hard drive on a single hard drive machine (712907) (763580), fixed in grub-installer version 1.98, reintroduced on purpose in version 1.99. Workaround implemented in debian-edu-config (pre-pkgsel script).

  • Usability issue: the KDE file manager fail to play Ogg Theora videos recorded by gtk-recordmydesktop because file report mime type "application/ogg" instead of "video/ogg" (762561). Video players and processors like vlc (762564), gnome-mplayer (762565), mpv (763173), advene (763174) and handbreak (763175) should be updated to list video/ogg as a supported MIME type. The dragonplayer and kaffeine package already support video/ogg.

  • The wrong Nagios configuration is used on the server. The autogenerated Nagios configuration do not seem to be enabled.
  • Shutdown/reboot of the main server takes longer due to a default setting in squid3 (shutdown_lifetime 30 seconds). [documented in manual]
  • ssh root login with password is no longer the default: '?PermitRootLogin yes' has been replaced with '?PermitRootLogin without-password'. [documented in manual]

  • The munin clients do not allow the munin server to talk to them (Denying connection from: ::ffff: in /var/log/munin/munin-node.log. This is caused by the systemd service being different from the init.d script (764594).

  • LTSP no longer installs. Probably due to 765738 affecting i386.

  • Recently made LDAP entries get lost if the system is rebooted or powered off (764225). As a workaround stop slapd before shutting the system down. [This issue seems to be unreprocubible now. Feedback?]

  • debian-edu-artwork: background of gdm3 login screen is not the Debian Edu one.
  • The Kerberos TGT is valid for 10 hours as it should be. Clicking the key symbol, the krb5-auth-dialog lacks the username; the realm is OK, though (762906).

  • The cups management site 'www:631' doesn't work any longer. Remote printer management should be documented. [this issue is gone with cups 1.7.5-7 dropping socket-activation.]
  • Gosa allow admins to add invalid DNS names in the web interface, and the LDAP to DNS export script gladly pass them on to bind (710362), which break and take down the entire installation when the LDAP server is unknown in DNS. [Seems to be fixed in the gosa version available in jessie, see mail to bug.] ldap2zone will no longer put broken zones into production.

  • On LTSP diskless workstations the homedir isn't mounted. This is caused by automounter running and blocking /skole as mountpoint for sshfs. As a workaround (to be able to test things) set RM_SYSTEM_SERVICES=autofs in /opt/ltsp/i386/etc/lts.conf.
  • debian-edu-doc.git: the jessie manual is missing.
  • exim4-config some times fail to install, reporting "Failed to acquire random data (762103). Triggered by a bug in eatmydata, affecting all GnuTLS users. Fixed by disabling eatmydata until a fixed version enter testing.

  • Automatic proxy configuration fail because WPAD is ignored by the proxy command (644373)

  • The URL http://wpad/wpad.dat is not understood by apache and give a 404 error. It should hand out /etc/debian-edu/www/wpad.dat instead.

  • Started on Jessie manual, https://wiki.debian.org/DebianEdu/Documentation/Jessie

  • www/sitesummary doesn't work
  • Unable to find /usr/bin/rpcinfo
  • pxeinstall: Unable to find PXE file /var/lib/tftpboot/pxelinux.0
  • Installation in Jessie is broken because acl uses bzip2 format (759327 og 759367).

  • Using virtual box Jessie installation is broken because hw-setup call discover-pkginstall, which hangs (760144).

  • Samba/LDAP setup fails due to a failure reading SAMBASID during bootstrap.
  • krb5kdc is not running.
  • kadmind is not running.
  • Kerberos service is not listening on kerberos/udp.
  • Kerberos service is not listening on kpasswd/tcp.
  • Kerberos service is not listening on kerberos-adm/tcp.
  • getent failed to find file group 'students'.
  • samba: missing Domain Admins in samba groupmap.
  • webcache: squid is not running.
  • Installation of desktops fail because of a postinst bug in lilypond-doc (758787), triggered by lilypond-doc being recommended by lilypond (653263), a dependency of rosegarden, but the fix fail to propagate to testing because of build failures on powerpc and mips (760794).

  • Rosegarden is no longer installed. It was removed from the music task as a workaround for a bug in lilypond (758787). When lilypond build on powerpc and mips (760794), rosegarden can be reinserted in the task.

  • Installing using desktop=lxde or xfce end up without any display manager enabled, thanks to preseeding shared/default-x-display-manager to kdm while lightdm is installed.
  • Automatic partitioning fail when reinstalling, because partman refuses to "reuse" swap partition in LVM (757818)

  • postoffice: postoffice service is not listening on imaps/tcp - (760604 and 760653).

  • ldap-client: Not only one PAM module of krb5, ldap and sss is enabled
  • Installing Thin Client server fails, from ISO because the ISO is not mounted (758500) and from PXE because /proc/ is not mounted (761401).

  • pxeinstall is broken due to a typo in debian-edu-pxeinstall.
  • debian-edu-doc.git: scripts/get_manual is broken, probably due to wiki (show content in raw/docbook layout) changes (762025).

Further ideas

Mostly stuff for Stretch (the release after Jessie)

  • make it easier to use another, already existing, directory server, be it LDAP or AD.
  • Include FAI to easily install customized machines (Skolelinux RLP and Musterösung BW use Images (why?), can we do something comparable with FAI?
  • Make the installer more flexible. Make it possible to choose KDE/GNOME/all educational packages/Debian default. (Waiting several hours installing Tjener+LTSP seems to scare away testers and developers).
  • Continue cleanup. What is left back in our d-e-packages that's not needed anymore? Strip down things to the necessary, we are not able to maintain more. What can and should be addressed in Debian?
  • Preconfigured LXDE by default as Thin-Client?
  • Preconfigured educational desktop (if chosen in the installer).
  • Make it possible to choose LTSP chroot arch (i386/amd64)