You've successfully subscribed to Nuvotex Blog
Great! Next, complete checkout for full access to Nuvotex Blog
Welcome back! You've successfully signed in.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info is updated.
Billing info update failed.

Debian - Kernelupdate via backports

Daniel Nachtrub
Daniel Nachtrub

Working with machines running on debian is great - debian is a distribution that focuses on stable environments. Providing stability comes - as everything - with a cost: Packages provided with a distribution are not latest & greatest, they are proven.

TL;DR

Using debian backports is a good way to install newer package versions that are compiled for debian stable.

Why backports

If you require features provided with newer versions - like newer kernels - you might want to update the kernel. This is especially required when the desired features are integrated into the kernel, like a specific filesystem driver or similar.

To update kernel to newer versions on debian you might use debian backports reposority which provides packages that will be contained in upcoming debian releases.

You are running Debian stable, because you prefer the Debian stable tree. It runs great, there is just one problem: the software is a little bit outdated compared to other distributions. This is where backports come in.

Backports are packages taken from the next Debian release (called "testing"), adjusted and recompiled for usage on Debian stable. Because the package is also present in the next Debian release, you can easily upgrade your stable+backports system once the next Debian release comes out. (In a few cases, usually for security updates, backports are also created from the Debian unstable distribution.)

Backports cannot be tested as extensively as Debian stable, and backports are provided on an as-is basis, with risk of incompatibilities with other components in Debian stable. Use with care!

It is therefore recommended to only select single backported packages that fit your needs, and not use all available backports.

Enabling backports

Integrating backports is straight forward and done by adding the backports repository to apt sources.

# debian backports backports
deb http://deb.debian.org/debian buster-backports main
 
# regular sources
deb http://deb.debian.org/debian/ buster main
deb-src http://deb.debian.org/debian/ buster main
 
deb http://security.debian.org/debian-security buster/updates main
deb-src http://security.debian.org/debian-security buster/updates main
 
# buster-updates, previously known as 'volatile'
deb http://deb.debian.org/debian/ buster-updates main
deb-src http://deb.debian.org/debian/ buster-updates main
/etc/apt/sources.list

Beside common repositories you can see that debian backports has been added (second line).

Alternate configuration

If you prefer to create a dedicate source file, feel free to go this way:

# debian backports backports
deb http://deb.debian.org/debian buster-backports main
/etc/apt/sources.list.d/backports.list

Using this way you don't fiddle with the source.list file directly.

Updating the kernel

Having added the repository we now run apt update to get metadata and search for a kernel we want to install:

# search kernel
apt search linux-image-5.*

# available kernels

linux-headers-5.8.0-0.bpo.2-amd64/buster-backports 5.8.10-1~bpo10+1 amd64
Header files for Linux 5.8.0-0.bpo.2-amd64
 
linux-headers-5.8.0-0.bpo.2-cloud-amd64/buster-backports 5.8.10-1~bpo10+1 amd64
Header files for Linux 5.8.0-0.bpo.2-cloud-amd64
 
linux-headers-5.9.0-0.bpo.2-amd64/buster-backports 5.9.6-1~bpo10+1 amd64
Header files for Linux 5.9.0-0.bpo.2-amd64
 
linux-headers-5.9.0-0.bpo.2-cloud-amd64/buster-backports 5.9.6-1~bpo10+1 amd64
Header files for Linux 5.9.0-0.bpo.2-cloud-amd64
 
linux-headers-5.9.0-0.bpo.2-rt-amd64/buster-backports 5.9.6-1~bpo10+1 amd64
Header files for Linux 5.9.0-0.bpo.2-rt-amd64
 
linux-image-5.8.0-0.bpo.2-amd64/buster-backports 5.8.10-1~bpo10+1 amd64
Linux 5.8 for 64-bit PCs (signed)
 
linux-image-5.8.0-0.bpo.2-amd64-dbg/buster-backports 5.8.10-1~bpo10+1 amd64
Debug symbols for linux-image-5.8.0-0.bpo.2-amd64
 
linux-image-5.8.0-0.bpo.2-amd64-unsigned/buster-backports 5.8.10-1~bpo10+1 amd64
Linux 5.8 for 64-bit PCs
 
linux-image-5.8.0-0.bpo.2-cloud-amd64/buster-backports 5.8.10-1~bpo10+1 amd64
Linux 5.8 for x86-64 cloud (signed)
 
linux-image-5.8.0-0.bpo.2-cloud-amd64-dbg/buster-backports 5.8.10-1~bpo10+1 amd64
Debug symbols for linux-image-5.8.0-0.bpo.2-cloud-amd64
 
linux-image-5.8.0-0.bpo.2-cloud-amd64-unsigned/buster-backports 5.8.10-1~bpo10+1 amd64
Linux 5.8 for x86-64 cloud
 
linux-image-5.9.0-0.bpo.2-amd64-dbg/buster-backports 5.9.6-1~bpo10+1 amd64
Debug symbols for linux-image-5.9.0-0.bpo.2-amd64
 
linux-image-5.9.0-0.bpo.2-amd64-unsigned/buster-backports 5.9.6-1~bpo10+1 amd64
Linux 5.9 for 64-bit PCs
 
linux-image-5.9.0-0.bpo.2-rt-amd64-unsigned/buster-backports 5.9.6-1~bpo10+1 amd64
Linux 5.9 for 64-bit PCs, PREEMPT_RT
search kernel

Determining the desired kernel version

We're working on a server environment with enabled secure boot. The matching kernel package can be located using the following search criteria:

  • linux-image = Kernel
  • signed = Kernel is signed
  • cloud = Kernel for cloud ("server") edition

Searching for the newest available kernel in the output shown above you might spot kernel 5.9 which is available - which we don't want to use as it's not signed. Therefore our best match is linux-image-5.8.0-0.bpo.2-cloud-amd64 linux-headers-5.8.0-0.bpo.2-cloud-amd64.

Installing the kernel is done easily:

apt install linux-image-5.8.0-0.bpo.2-cloud-amd64 linux-headers-5.8.0-0.bpo.2-cloud-amd64
install kernel

Applying the kernel version requires a reboot. When completed, you're set and can use the new version.

Linux
Daniel Nachtrub

Daniel Nachtrub

Kind of likes computers. Linux foundation certified: LFCS / CKA / CKAD / CKS. Microsoft certified: Cybersecurity Architect Expert & Azure Solutions Architect Expert.

You might also like

Linux kernel keyrings, container isolation and maybe some kerberos

Linux kernel keyrings, container isolation and maybe some kerberos

On a recent project I've been stumbling on the case that kerberos tickets have been inadvertently shared across containers on a node - which obviously caught my attention as I'm not keen on sharing such secrets across workloads. This post describes why this happens and what to do to prevent this.

Daniel Nachtrub
Daniel Nachtrub
Kubernetes
Why you should use rook ceph on kubernetes (onprem)

Why you should use rook ceph on kubernetes (onprem)

If you run kubernetes on your own, you need to provide a storage solution with it. We are using ceph (operated through rook). This article gives some short overview about it's benefits and some pro's and con's of it.

Daniel Nachtrub
Daniel Nachtrub
Cloud

Authors →

Daniel Nachtrub

Kind of likes computers. Linux foundation certified: LFCS / CKA / CKAD / CKS. Microsoft certified: Cybersecurity Architect Expert & Azure Solutions Architect Expert.

Sebastian Augustin

Lorenz Maier