systemd provides two sysctl snippets, 50-coredump.conf and
50-default.conf.
These enable:
- Loose reverse path filtering
- Source route filtering
- `fq_codel` as a packet scheduler (this helps to fight bufferbloat)
This also configures the kernel to pass coredumps to `systemd-coredump`.
These sysctl snippets can be found in `/etc/sysctl.d/50-*.conf`,
and overridden via `boot.kernel.sysctl`
(which will place the parameters in `/etc/sysctl.d/60-nixos.conf`).
Let's start using these, like other distros already do for quite some
time, and remove those duplicate `boot.kernel.sysctl` options we
previously did set.
In the case of rp_filter (which systemd would set to 2 (loose)), make
our overrides to "1" more explicit.
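The override order described above, as an added example that is not part of the commit or of NixOS: it applies sysctl.d snippets in lexical order and reports which file supplies each value. The file contents are constructed samples, and the helper names are hypothetical; the `max(all, interface)` rule for rp_filter is the kernel's documented behaviour.

```python
# Added example: which sysctl.d snippet wins, and what rp_filter mode results.
# All file contents below are constructed samples, not the shipped snippets.
SNIPPETS = {
    "/etc/sysctl.d/50-default.conf": (
        "# constructed stand-in for the systemd defaults\n"
        "net.ipv4.conf.all.rp_filter = 2\n"
        "net.ipv4.conf.all.accept_source_route = 0\n"
        "net.core.default_qdisc = fq_codel\n"
    ),
    "/etc/sysctl.d/60-nixos.conf": (
        "# constructed stand-in for what boot.kernel.sysctl generates\n"
        "net.ipv4.conf.all.rp_filter=1\n"
    ),
}

RP_MODES = {0: "off", 1: "strict", 2: "loose"}


def parse_snippet(text):
    """Return {key: value} for one sysctl.d file."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":       # blank line or comment
            continue
        line = line.lstrip("-").strip()       # '-' prefix: ignore write errors
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def effective(snippets):
    """Apply files in lexical order of their basename; the last writer wins."""
    result = {}
    for path in sorted(snippets, key=lambda p: p.rsplit("/", 1)[-1]):
        for key, value in parse_snippet(snippets[path]).items():
            result[key] = (value, path)
    return result


def interface_mode(eff, iface):
    """Mode used for one interface: the kernel takes max(conf.all, conf.<iface>).

    Keys that no snippet sets are treated as 0 here (an assumption of this
    example; on a live system the current kernel value applies).
    """
    def level(scope):
        value, _ = eff.get(f"net.ipv4.conf.{scope}.rp_filter", ("0", None))
        return int(value)
    return RP_MODES.get(max(level("all"), level(iface)), "unknown")


if __name__ == "__main__":
    eff = effective(SNIPPETS)
    for key, (value, path) in sorted(eff.items()):
        print(f"{key} = {value}    (from {path})")
    print("eth0 rp_filter mode:", interface_mode(eff, "eth0"))
```

Because of the max rule, a per-interface value of 1 does not give strict filtering while `conf.all` stays at 2; the strict override has to be made on `conf.all` itself.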
Add support for custom device-tree files, and applying overlays to them.
This is useful for supporting non-discoverable hardware, such as sensors
attached to GPIO pins on a Raspberry Pi.
This adds handling for WASM binaries to binfmt’s emulatedSystems. To
enable, add this to your configuration:
    boot.binfmt.emulatedSystems = [ "wasm32-wasi" ];
After rebuilding with nixos-rebuild switch, you can run wasm binaries
directly.
This is a refactor of how resolvconf is managed on NixOS. We split it
into a separate service which is enabled internally depending on whether
we want /etc/resolv.conf to be managed by it. Various services now take
advantage of those configuration options.
We also now use systemd instead of activation scripts to update
resolv.conf.
NetworkManager now uses the right option for rc-manager DNS
automatically, so the configuration option shouldn't be exposed.
This is needed for tcrypt and the benchmark subcommand. If enabled,
it is also used to unlock LUKS2 volumes and therefore the kernel modules
providing this feature need to be available in our initrd.
Fixes #42163. #54019.
Sometime between systemd v239 and v242 upstream decided to no longer run
a few system services with `DynamicUser=1` but failed to provide a
migration path for all the state those services left behind.
For the case of systemd-timesync the state has to be moved from
/var/lib/private/systemd/timesync to /var/lib/systemd/timesync if
/var/lib/systemd/timesync is currently a symlink.
We only do this if the stateVersion is still below 19.09 to avoid
starting to have an ever growing activation script for (then) ancient
systemd migrations that are no longer required.
See https://github.com/systemd/systemd/issues/12131 for details about
the missing migration path and related discussion.
Currently if you want to properly chroot a systemd service, you could do
it using BindReadOnlyPaths=/nix/store or use a separate derivation which
gathers the runtime closure of the service you want to chroot. The
former is the easier method and there is also a method directly offered
by systemd, called ProtectSystem, which still leaves the whole store
accessible. The latter however is a bit more involved, because you need
to bind-mount each store path of the runtime closure of the service you
want to chroot.
This can be achieved using pkgs.closureInfo and a small derivation that
packs everything into a systemd unit, which later can be added to
systemd.packages.
However, this process is a bit tedious, so the changes here implement
this in a more generic way.
Now if you want to chroot a systemd service, all you need to do is:
    {
      systemd.services.myservice = {
        description = "My Shiny Service";
        wantedBy = [ "multi-user.target" ];
        confinement.enable = true;
        serviceConfig.ExecStart = "${pkgs.myservice}/bin/myservice";
      };
    }
If more than the dependencies for the ExecStart* and ExecStop* (which
btw. also includes script and {pre,post}Start) need to be in the chroot,
it can be specified using the confinement.packages option. By default
(which uses the full-apivfs confinement mode), a user namespace is set
up as well and /proc, /sys and /dev are mounted appropriately.
In addition - and by default - a /bin/sh executable is provided, which
is useful for most programs that use the system() C library call to
execute commands via shell.
Unfortunately, there are a few limitations at the moment. The first
being that DynamicUser doesn't work in conjunction with tmpfs, because
systemd seems to ignore the TemporaryFileSystem option if DynamicUser is
enabled. I started implementing a workaround to do this, but I decided
to not include it as part of this pull request, because it needs a lot
more testing to ensure it's consistent with the behaviour without
DynamicUser.
The second limitation/issue is that RootDirectoryStartOnly doesn't work
right now, because it only affects the RootDirectory option and doesn't
include/exclude the individual bind mounts or the tmpfs.
A quirk we do have right now is that systemd tries to create a /usr
directory within the chroot, which subsequently fails. Fortunately, this
is just an ugly error and not a hard failure.
The changes also come with a changelog entry for NixOS 19.03, which is
why I asked for a vote of the NixOS 19.03 stable maintainers whether to
include it (I admit it's a bit late a few days before official release,
sorry for that):
@samueldr:
Via pull request comment[1]:
+1 for backporting as this only enhances the feature set of nixos,
and does not (at a glance) change existing behaviours.
Via IRC:
new feature: -1, tests +1, we're at zero, self-contained, with no
global effects without actively using it, +1, I think it's good
@lheckemann:
Via pull request comment[2]:
I'm neutral on backporting. On the one hand, as @samueldr says,
this doesn't change any existing functionality. On the other hand,
it's a new feature and we're well past the feature freeze, which
AFAIU is intended so that new, potentially buggy features aren't
introduced in the "stabilisation period". It is a cool feature
though? :)
A few other people on IRC didn't have opposition either against late
inclusion into NixOS 19.03:
@edolstra: "I'm not against it"
@Infinisil: "+1 from me as well"
@grahamc: "IMO it's up to the RMs"
So that makes +1 from @samueldr, 0 from @lheckemann, 0 from @edolstra
and +1 from @Infinisil (even though he's not a release manager) and no
opposition from anyone, which is the reason why I'm merging this right
now.
I also would like to thank @Infinisil, @edolstra and @danbst for their
reviews.
[1]: https://github.com/NixOS/nixpkgs/pull/57519#issuecomment-477322127
[2]: https://github.com/NixOS/nixpkgs/pull/57519#issuecomment-477548395
Currently, if you want to properly chroot a systemd service, you could
do it using BindReadOnlyPaths=/nix/store (which is not what I'd call
"properly", because the whole store is still accessible) or use a
separate derivation that gathers the runtime closure of the service you
want to chroot. The former is the easier method and there is also a
method directly offered by systemd, called ProtectSystem, which still
leaves the whole store accessible. The latter however is a bit more
involved, because you need to bind-mount each store path of the runtime
closure of the service you want to chroot.
This can be achieved using pkgs.closureInfo and a small derivation that
packs everything into a systemd unit, which later can be added to
systemd.packages. That's also what I did several times[1][2] in the
past.
However, this process got a bit tedious, so I decided that it would be
generally useful for NixOS, so this very implementation was born.
Now if you want to chroot a systemd service, all you need to do is:
    {
      systemd.services.yourservice = {
        description = "My Shiny Service";
        wantedBy = [ "multi-user.target" ];
        chroot.enable = true;
        serviceConfig.ExecStart = "${pkgs.myservice}/bin/myservice";
      };
    }
If more than the dependencies for the ExecStart* and ExecStop* (which
btw. also includes "script" and {pre,post}Start) need to be in the
chroot, it can be specified using the chroot.packages option. By
default (which uses the "full-apivfs"[3] confinement mode), a user
namespace is set up as well and /proc, /sys and /dev are mounted
appropriately.
In addition - and by default - a /bin/sh executable is provided as well,
which is useful for most programs that use the system() C library call
to execute commands via shell. The shell providing /bin/sh is dash
instead of the default in NixOS (which is bash), because it's way more
lightweight and after all we're chrooting because we want to lower the
attack surface and it should be only used for "/bin/sh -c something".
Prior to submitting this here, I did a first implementation of this
outside[4] of nixpkgs, which duplicated the "pathSafeName" functionality
from systemd-lib.nix, just because it's only a single line.
However, I decided to just re-use the one from systemd here and
subsequently made it available when importing systemd-lib.nix, so that
the systemd-chroot implementation also benefits from fixes to that
functionality (which is now a proper function).
Unfortunately, we do have a few limitations as well. The first being
that DynamicUser doesn't work in conjunction with tmpfs, because it
already sets up a tmpfs in a different path and simply ignores the one
we define. We could probably solve this by detecting it and try to
bind-mount our paths to that different path whenever DynamicUser is
enabled.
The second limitation/issue is that RootDirectoryStartOnly doesn't work
right now, because it only affects the RootDirectory option and not the
individual bind mounts or our tmpfs. It would be helpful if systemd
would have a way to disable specific bind mounts as well or at least
have some way to ignore failures for the bind mounts/tmpfs setup.
Another quirk we do have right now is that systemd tries to create a
/usr directory within the chroot, which subsequently fails. Fortunately,
this is just an ugly error and not a hard failure.
[1]: https://github.com/headcounter/shabitica/blob/3bb01728a0237ad5e7/default.nix#L43-L62
[2]: https://github.com/aszlig/avonc/blob/dedf29e092481a33dc/nextcloud.nix#L103-L124
[3]: The reason this is called "full-apivfs" instead of just "full" is
to make room for a *real* "full" confinement mode, which is more
restrictive even.
[4]: https://github.com/aszlig/avonc/blob/92a20bece4df54625e/systemd-chroot.nix
Signed-off-by: aszlig <aszlig@nix.build>
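The per-path bind-mount approach from the two confinement commit messages above, as an added example that is not the NixOS module's code: it renders systemd directives from a closure listing and audits a unit for whole-store exposure. The closure contents, the `/var/empty` root and the function names are assumptions of this sketch; the directives themselves are standard systemd.exec settings.

```python
import re

# Constructed closure listing in the one-path-per-line shape of the
# store-paths file from pkgs.closureInfo; the hashes are placeholders.
CLOSURE = """\
/nix/store/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-myservice-1.0
/nix/store/bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb-glibc-2.27
/nix/store/cccccccccccccccccccccccccccccccc-dash-0.5.10
"""

# Constructed unit that uses the "easy" method the commit message criticises.
WHOLE_STORE_UNIT = (
    "[Service]\n"
    "RootDirectory=/var/empty\n"
    "BindReadOnlyPaths=/nix/store\n"
    "ExecStart=/nix/store/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-myservice-1.0/bin/myservice\n"
)

STORE_PATH = re.compile(r"^/nix/store/[0-9a-z]{32}-[0-9A-Za-z+._?=-]+$")


def confined_unit(exec_start, closure_text, bin_sh=None):
    """Render a [Service] section that exposes only the given closure."""
    paths = closure_text.split()
    for path in paths:
        # Reject "/nix/store" itself and anything that is not one store path.
        if not STORE_PATH.match(path):
            raise ValueError(f"not a single store path: {path!r}")
    lines = [
        "[Service]",
        "RootDirectory=/var/empty",      # assumption: any empty directory
        "TemporaryFileSystem=/",         # tmpfs root to hang the mounts on
        "MountAPIVFS=yes",               # /proc, /sys and /dev
        "PrivateUsers=yes",              # user namespace
    ]
    lines += [f"BindReadOnlyPaths={p}" for p in sorted(set(paths))]
    if bin_sh:
        lines.append(f"BindReadOnlyPaths={bin_sh}:/bin/sh")
    lines.append(f"ExecStart={exec_start}")
    return "\n".join(lines) + "\n"


def audit_unit(unit_text):
    """Return findings for a unit that leaves more than its closure visible."""
    directives = [
        line.strip().split("=", 1)
        for line in unit_text.splitlines() if "=" in line
    ]
    findings = []
    if "RootDirectory" not in {key for key, _ in directives}:
        findings.append("no RootDirectory: service sees the host file system")
    for key, value in directives:
        if key not in ("BindPaths", "BindReadOnlyPaths"):
            continue
        for entry in value.split():
            # Entry syntax is [-]source[:destination[:options]].
            source = entry.lstrip("-").split(":", 1)[0].rstrip("/")
            if source in ("/nix", "/nix/store"):
                findings.append(f"{key} exposes the whole store via {source}")
    return findings


if __name__ == "__main__":
    service = "/nix/store/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-myservice-1.0/bin/myservice"
    shell = "/nix/store/cccccccccccccccccccccccccccccccc-dash-0.5.10/bin/dash"
    unit = confined_unit(service, CLOSURE, bin_sh=shell)
    print(unit)
    print("confined unit findings:", audit_unit(unit))
    print("whole-store unit findings:", audit_unit(WHOLE_STORE_UNIT))
```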
This should make the composability of kernel configurations more straightforward.
- now distinguish freeform options from tristate ones
- will look for a structured config in kernelPatches too
one can now access the structuredConfig from a kernel via linux_test.configfile.structuredConfig
in order to reinject it into another kernel, no need to rewrite the config from scratch
The following merge strategies are used in case of conflict:
-- freeform items must be equal or they conflict (mergeEqualOption)
-- for tristate (y/m/n) entries, I use the mergeAnswer strategy which takes the best available value, "best" being defined by the user (by default "y" > "m" > "n", e.g. if one entry is both marked "y" and "n", "y" wins)
-- if one item is both marked optional/mandatory, mandatory wins (mergeFalseByDefault)
Right now it's not at all obvious that one can override this option
using `services.logind.extraConfig`; we might as well add an option
for `killUserProcesses` directly so it's clear and documented.
The new reuse behaviour is cool and really useful but it breaks one of
my use cases. When using kexec, I have a script which will unlock the
disks in my initrd. However, do_open_passphrase will fail if the disk is
already unlocked.
The previous version contained a false positive case, where boot would
continue when the stage 2 init did not exist at all, and a false
negative case, where boot would stop if the stage 2 init was a symlink
which cannot be resolved in the initramfs root.
Fixes #49519.
Thanks @michas2 for finding and reporting the issue!
* journald: forward message to syslog by default if a syslog implementation is installed
* added a test to ensure rsyslog is receiving messages when expected
* added rsyslogd tests to release.nix
* Lets container@.service be activated by machines.target instead of
multi-user.target
According to the systemd manpages, all containers that are registered
by machinectl, should be inside machines.target for easy stopping
and starting container units altogether
* make sure container@.service and container.slice instances are
actually located in machine.slice
https://plus.google.com/112206451048767236518/posts/SYAueyXHeEX
See original commit: https://github.com/NixOS/systemd/commit/45d383a3b8
* Enable Cgroup delegation for nixos-containers
Delegate=yes should be set for container scopes where a systemd instance
inside the container shall manage the hierarchies below its own cgroup
and have access to all controllers.
This is equivalent to enabling all accounting options on the systemd
process inside the system container. This means that systemd inside
the container is responsible for managing Cgroup resources for
unit files that enable accounting options inside. Without this
option, units that make use of cgroup features within system
containers might misbehave
See original commit: https://github.com/NixOS/systemd/commit/a931ad47a8
from the manpage:
Turns on delegation of further resource control partitioning to
processes of the unit. Units where this is enabled may create and
manage their own private subhierarchy of control groups below the
control group of the unit itself. For unprivileged services (i.e.
those using the User= setting) the unit's control group will be made
accessible to the relevant user. When enabled the service manager
will refrain from manipulating control groups or moving processes
below the unit's control group, so that a clear concept of ownership
is established: the control group tree above the unit's control
group (i.e. towards the root control group) is owned and managed by
the service manager of the host, while the control group tree below
the unit's control group is owned and managed by the unit itself.
Takes either a boolean argument or a list of control group
controller names. If true, delegation is turned on, and all
supported controllers are enabled for the unit, making them
available to the unit's processes for management. If false,
delegation is turned off entirely (and no additional controllers are
enabled). If set to a list of controllers, delegation is turned on,
and the specified controllers are enabled for the unit. Note that
additional controllers than the ones specified might be made
available as well, depending on configuration of the containing
slice unit or other units contained in it. Note that assigning the
empty string will enable delegation, but reset the list of
controllers, all assignments prior to this will have no effect.
Defaults to false.
Note that controller delegation to less privileged code is only safe
on the unified control group hierarchy. Accordingly, access to the
specified controllers will not be granted to unprivileged services
on the legacy hierarchy, even when requested.
The following controller names may be specified: cpu, cpuacct, io,
blkio, memory, devices, pids. Not all of these controllers are
available on all kernels however, and some are specific to the
unified hierarchy while others are specific to the legacy hierarchy.
Also note that the kernel might support further controllers, which
aren't covered here yet as delegation is either not supported at all
for them or not defined cleanly.
"machine.target" doesn't actually exist, it's a misspelled version
of "machines.target". However, the "systemd-nspawn@.service"
unit already has a default dependency on "machines.target"
The improved lspci command shows all available ethernet controllers and
their kernel modules. Previously, the user had to provide the slot name
of a specific device.
The default value for journald's Storage option is "auto", which
determines whether to log to /var/log/journal based on whether that
directory already exists. So NixOS has been unconditionally creating
that directory in activation scripts.
However, we can get the same behavior by configuring journald.conf to
set Storage to "persistent" instead. In that case, journald will create
the directory itself if necessary.
Previously, the activation script was responsible for ensuring that
/etc/machine-id exists. However, the only time it could not already
exist is during stage-2-init, not while switching configurations,
because one of the first things systemd does when starting up as PID 1
is to create this file. So I've moved the initialization to
stage-2-init.
Furthermore, since systemd will do the equivalent of
systemd-machine-id-setup if /etc/machine-id doesn't have valid contents,
we don't need to do that ourselves.
We _do_, however, want to ensure that the file at least exists, because
systemd also uses the non-existence of this file to guess that this is a
first-boot situation. In that case, systemd tries to create some
symlinks in /etc/systemd/system according to its presets, which it can't
do because we've already populated /etc according to the current NixOS
configuration.
This is not necessary for any other activation script snippets, so it's
okay to do it after stage-2-init runs the activation script. None of
them declare a dependency on the "systemd" snippet. Also, most of them
only create files or directories in ways that obviously don't need the
machine-id set.
Evaluation error introduced in 599c4df46a.
There is only a "platformS" attribute in kexectools.meta, so let's use
this and from the code in the kexec module it operates on a list,
matching the corresponding platforms, so this seems to be the attribute
the original author intended.
Tested by building nixos/tests/kexec.nix on x86_64-linux and while it
evaluates now, the test still fails by timing out shortly after the
kexec:
machine: waiting for the VM to finish booting
machine# Cannot find the ESP partition mount point.
This however seems to be an unrelated issue and was also the case before
the commit mentioned above.
Signed-off-by: aszlig <aszlig@nix.build>
Cc: @edolstra, @dezgeg
* acquire DHCP on the interfaces with networking.interface.$name.useDHCP == true or on all interfaces if networking.useDHCP == true (was only "eth0")
* respect "mtu" if it was in DHCP answer (it happens in the wild)
* acquire and set up staticroutes (unlike others clients, udhcpc does not do the query by default); this supersedes https://github.com/NixOS/nixpkgs/pull/41829
Although double '/' in paths is not a problem for GRUB supplied with nixpkgs, sometimes NixOS's grub.conf is read by an external GRUB and there are versions of GRUB which fail
The background color option is self-explanatory.
The mode is either `normal` or `stretch`, they are as defined by GRUB,
where normal will put the image in the top-left corner of the menu, and
stretch is the default, where it stretches the image without
consideration for the aspect ratio.
* https://www.gnu.org/software/grub/manual/grub/grub.html#background_005fimage
This fixes an issue where setting both
`boot.loader.systemd-boot.editor` to `false` and
`boot.loader.systemd-boot.consoleMode` to any value would concatenate
the two configuration lines in the output, resulting in an invalid
`loader.conf`.
From reading the source I'm pretty sure it doesn't support multiple Yubikeys, hence
those options are useless.
Also, I'm pretty sure nobody actually uses this feature, because enabling it causes
extra utils' checks to fail (even before applying any patches of this branch).
As I don't have the hardware to test this, I'm too lazy to fix the utils, but
I did test that with extra utils checks commented out and Yubikey
enabled the resulting script still passes the syntax check.
Also reuse common cryptsetup invocation subexpressions.
- Passphrase reading is done via the shell now, not by cryptsetup.
This way the same passphrase can be reused between cryptsetup
invocations, which this module now tries to do by default (can be
disabled).
- Number of retries is now infinity, it makes no sense to make users
reboot when they fail to type in their passphrase.
Rather than special-casing the dns options in networkmanager.nix, use
the module system to let unbound and systemd-resolved contribute to
the networkmanager config.
find-libs is currently choking when it finds the dynamic linker
as a DT_NEEDED dependency (from glibc) and bails out like this
(as glibc doesn't have a RPATH):
Couldn't satisfy dependency ld-linux-x86-64.so.2
Actually the caller of find-libs ignores the exit status, so the issue
almost always goes unnoticed and happens to work by chance. But
additionally what happens is that indirect .so dependencies are
left out from the dependency closure calculation, which breaks
latest cryptsetup as libssl.so isn't found anymore.
F2FS is used on Raspberry Pi-like devices to enhance SD card performance. Allowing F2FS resizing would help in automatic deploying of SD card images without a Linux box to resize the file system offline.
This has been reported by @qknight in his Stack Overflow question:
https://stackoverflow.com/q/50678639
The correct way to override a single value would be to use something
like this:
    systemd.services.nagios.serviceConfig.Restart = lib.mkForce "no";
However, this doesn't work because the check is applied for the attrsOf
type and thus the attribute values might still contain the attribute set
created by mkOverride.
The unitOption type however did already account for this, but at this
stage it's already too late.
So now the actual value is unpacked while checking the values of the
attribute set, which should allow us to override values in
serviceConfig.
Signed-off-by: aszlig <aszlig@nix.build>
Cc: @edolstra, @qknight
When a package contains a directory in one of the systemd directories
(like flatpak does), it is symlinked into the *-units derivation.
Then later, the derivation will try to create the directory, which
will fail:
mkdir: cannot create directory '/nix/store/…-user-units/dbus.service.d': File exists
builder for '/nix/store/…-user-units.drv' failed with exit code 1
Closes: #33233
GRUB 2.0 supports png, jpeg and tga. This will use the image's suffix to
load the right module.
As jpeg module is named jpeg, jpg is renamed jpeg.
If the user uses wrong image suffix for an image, it wouldn't work anyway.
This will leave up to two additional left-over files in /boot/ if user switches
through all the supported file formats. The module already left the png
image if the user disabled the splash image.
This is apparent from the service file directory in plymouth:
├── multi-user.target.wants
│ ├── plymouth-quit.service -> ../plymouth-quit.service
│ └── plymouth-quit-wait.service -> ../plymouth-quit-wait.service
Leaving it unspecified caused gdm-wayland to crash on boot, see #39615.
The change made other display managers not quit plymouth properly however. By
removing "multi-user.target" from `plymouth-quit.after` this is resolved.
The isKexecable flag treated Linux without kexec as just a normal
variant, when it really should be treated as a special case incurring
complexity debt to support.
Resolved the following conflicts (by carefully applying patches from the both
branches since the fork point):
pkgs/development/libraries/epoxy/default.nix
pkgs/development/libraries/gtk+/3.x.nix
pkgs/development/python-modules/asgiref/default.nix
pkgs/development/python-modules/daphne/default.nix
pkgs/os-specific/linux/systemd/default.nix
This can be used to fix issues where udhcpc times out before
acquiring a lease. For example of these issues, see:
https://bugs.alpinelinux.org/issues/3105#note-8
Signed-off-by: Dino A. Dai Zovi <ddz@theta44.org>
At one point in my configuration I had:
    boot.kernel.sysctl = {
      # https://unix.stackexchange.com/questions/13019/description-of-kernel-printk-values
      "kernel.printk" = "4 4 1 7";
    };
which triggered:
error: The unique option `boot.kernel.sysctl.kernel.printk' is defined multiple times, in `/home/teto/dotfiles/nixpkgs/mptcp-unstable.nix' and `/home/teto/nixpkgs/nixos/modules/system/boot/kernel.nix'.
(use ‘--show-trace’ to show detailed location information)
Traceback (most recent call last):
File "/home/teto/nixops/scripts/nixops", line 984, in <module>
args.op()
File "/home/teto/nixops/scripts/nixops", line 406, in op_deploy
max_concurrent_activate=args.max_concurrent_activate)
File "/home/teto/nixops/nixops/deployment.py", line 1045, in deploy
self.run_with_notify('deploy', lambda: self._deploy(**kwargs))
File "/home/teto/nixops/nixops/deployment.py", line 1034, in run_with_notify
f()
File "/home/teto/nixops/nixops/deployment.py", line 1045, in <lambda>
self.run_with_notify('deploy', lambda: self._deploy(**kwargs))
File "/home/teto/nixops/nixops/deployment.py", line 985, in _deploy
self.configs_path = self.build_configs(dry_run=dry_run, repair=repair, include=include, exclude=exclude)
File "/home/teto/nixops/nixops/deployment.py", line 653, in build_configs
raise Exception("unable to build all machine configurations")
Exception: unable to build all machine configurations
This simple addition allows overriding it.
This option, if set to true, enables falling back to an interactive
passphrase prompt when the specified keyFile is not found.
The default is false, which is compatible with previous behavior and
doesn't prevent unattended boot.
Regression introduced by 801c920e95.
Since then, the btrfsSimple subtest of the installer VM test fails with:
Btrfs did not return a path for the subvolume at /
The reason for this is that the output for "btrfs subvol show" has
changed between version 4.8.2 and 4.13.1.
For example the output of "btrfs subvol show /" in version 4.8.2 was:
/ is toplevel subvolume
In version 4.13.1, the output now is the following and thus the regular
expressions used in nixos-generate-config.pl and install-grub.pl now
match (which results in the error mentioned above):
/
Name: <FS_TREE>
UUID: -
Parent UUID: -
Received UUID: -
Creation time: -
Subvolume ID: 5
Generation: 287270
Gen at creation: 0
Parent ID: 0
Top level ID: 0
Flags: -
Snapshot(s):
In order to fix this I've changed nixos-generate-config.pl and
install-grub.pl, because both use "btrfs subvol show" in a similar vein,
so the regex for parsing the output now doesn't match anymore whenever
the volume path is "/", which should result in the same behaviour as we
had with btrfs-progs version 4.8.2.
Tested against the btrfsSimple, btrfsSubvols and btrfsSubvolDefault
subtests of the installer VM test and they all succeed now.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
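A parser that treats both top-level outputs quoted above the same way, as an added example in Python; it is not the Perl from nixos-generate-config.pl or install-grub.pl. The two root outputs are the ones quoted in the commit message with indentation reconstructed, the non-root sample is constructed on the assumption that it uses the same field layout, and the naive check is a simplified stand-in for a pattern that only looks for the ID field.

```python
import re

# Root outputs as quoted in the commit message (indentation reconstructed).
OLD_ROOT = "/ is toplevel subvolume\n"            # btrfs-progs 4.8.2
NEW_ROOT = (                                       # btrfs-progs 4.13.1
    "/\n"
    "\tName: \t\t\t<FS_TREE>\n"
    "\tUUID: \t\t\t-\n"
    "\tParent UUID: \t\t-\n"
    "\tReceived UUID: \t\t-\n"
    "\tCreation time: \t\t-\n"
    "\tSubvolume ID: \t\t5\n"
    "\tGeneration: \t\t287270\n"
    "\tGen at creation: \t0\n"
    "\tParent ID: \t\t0\n"
    "\tTop level ID: \t\t0\n"
    "\tFlags: \t\t\t-\n"
    "\tSnapshot(s):\n"
)
# Constructed non-root sample; field layout assumed to match NEW_ROOT.
SUBVOL = (
    "home\n"
    "\tName: \t\t\thome\n"
    "\tUUID: \t\t\t-\n"
    "\tCreation time: \t\t2017-11-01 12:00:00 +0100\n"
    "\tSubvolume ID: \t\t257\n"
    "\tParent ID: \t\t5\n"
    "\tTop level ID: \t\t5\n"
)


def naive_is_subvolume(output):
    """Stand-in for a pattern that only looks for the ID field."""
    return re.search(r"Subvolume ID:\s*([0-9]+)", output) is not None


def parse_subvol_show(output):
    """Return {'path', 'id'} for a real subvolume, None for the top level."""
    lines = output.splitlines()
    if not lines or any("ERROR:" in line for line in lines):
        raise ValueError("btrfs subvol show failed or printed nothing")
    first = lines[0].strip()
    # 4.8.2 prints a single sentence for the top level; 4.13.1 prints a
    # full record whose path line is just "/". Both mean "no subvol= needed".
    if first.endswith("is toplevel subvolume") or first == "/":
        return None
    fields = {}
    for line in lines[1:]:
        key, sep, value = line.partition(":")    # split on the first colon only
        if sep:
            fields[key.strip()] = value.strip()
    if not fields.get("Subvolume ID", "").isdigit():
        raise ValueError("no numeric Subvolume ID in output")
    return {"path": first, "id": int(fields["Subvolume ID"])}


def mount_options(output):
    """Extra mount options a generated configuration would need."""
    info = parse_subvol_show(output)
    return [] if info is None else [f"subvol={info['path']}"]


if __name__ == "__main__":
    for name, sample in (("4.8.2 /", OLD_ROOT), ("4.13.1 /", NEW_ROOT),
                         ("subvolume", SUBVOL)):
        print(f"{name}: naive={naive_is_subvolume(sample)} "
              f"options={mount_options(sample)}")
```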
* the keyboard modules in all-hardware.nix are already defaults of
boot.initrd.availableKernelModules
* ide modules, hid_lenovo_tpkbd and scsi_wait_scan have been removed
because they're not available anymore
* i8042 was a duplicate (see few lines above)
the systemd.unit(5) discussion of wantedBy and requiredBy is in the
[Install] section, and thus focused on stateful 'systemctl enable'.
so, clarify that in NixOS, wantedBy & requiredBy are still what most
users want, and not to be confused with enabled.
Boot fails when a keyfile is configured for all encrypted filesystems
and no other luks devices are configured. This is because luks support is only
enabled in the initrd, when boot.initrd.luks.devices has entries. When a
filesystem has a keyfile configured though, it is setup by a custom
command, not by boot.initrd.luks.
This commit adds an internal config flag to enable luks support in the
initrd file, even if there are no luks devices configured.
Grub configs include the NixOS version and date they were built, now
systemd can have fun too:
version Generation 99 NixOS 17.03.1700.51a83266d1, Linux Kernel 4.9.43, Built on 2017-08-30
version Generation 100 NixOS 17.03.1700.51a83266d1, Linux Kernel 4.9.43, Built on 2017-08-30
version Generation 101 NixOS 17.03.1700.51a83266d1, Linux Kernel 4.9.43, Built on 2017-08-31
version Generation 102 NixOS 17.03.1700.51a83266d1, Linux Kernel 4.9.43, Built on 2017-09-01
version Generation 103 NixOS 17.03.1700.51a83266d1, Linux Kernel 4.9.43, Built on 2017-09-02
version Generation 104 NixOS 17.09beta41.1b8c7786ee, Linux Kernel 4.9.46, Built on 2017-09-02
version Generation 105 NixOS 17.09.git.1b8c778, Linux Kernel 4.9.46, Built on 2017-09-02
The message buffer of the kernel lists
> Please run 'e2fsck -f /dev/disk/by-label/nixos' first.
as the output of the command `resize2fs "$device"`.
This fixes NixOS/nixpkgs#26910.
old version of blkid used to output version information including libblkid version
when invoked with --help parameter
new version does not output libblkid version when invoked with --help parameter
fix is to invoke blkid with -V parameter to output version including libblkid in both cases
* systemd-boot-builder.py: add support for profiles
This will also list the generations of other profiles than `system` in
the boot menu. See the documentation of the `--profile-name` option of
nixos-rebuild for more information on profiles.
* Fix errors introduced by previous commit
Or else `services.udev.packages = [ bcache-tools ]` cannot be used.
To not break bcache in the initrd I'm modifying this in stage-1.nix:
- --replace /bin/sh ${extraUtils}/bin/sh
+ --replace ${bash}/bin/sh ${extraUtils}/bin/sh
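Review bot: the pattern on the `+` line is tied to the exact `${bash}` store path that the bcache-tools rules file happens to be built with, so a bcache-tools build that references a different shell would leave the rule untouched. A short comment next to the `--replace` in stage-1.nix, saying that the pattern has to track the shell bcache-tools is built against and that the initrd's check for invalid path references in the udev rule output is what catches a miss, would document that coupling.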
Reasoning behind that change:
* If not modifying the /bin/sh pattern in any way, it will also match
${bash}/bin/sh, creating a broken path like
/nix/store/HASH-bash/nix/store/HASH-bash/bin/sh in the udev rule file.
* The addition of /bin/sh was done in 775f381a9e
("stage-1: add bcache support"). It seems somewhat plausible that
no new users have appeared since then and we can take this opportunity
to back out of this change without much fear of regressions.
If there _are_ regressions, they should be in the form of build time
errors, not runtime (boot), due to how the udev rule output is checked
for invalid path references. So low risk, IMHO.
* An alternative approach could be to copy the /bin/sh substitute rule
over to the non-initrd udev rules implementation in NixOS, but I think
this way is better:
- The rules file comes with a working path out of the box.
- We can use more precise pattern matching when modifying the udev
rules for the initrd.
The default font is unreadably small on some hidpi displays. This
makes it possible to specify a TrueType or OpenType font at any point
size, and it will automatically be converted to the format the Grub
uses.
Restructure the nixos-artwork to make it easy to selectively
incorporate other components from upstream without needing to download
the full package.
Until now only the Gnome_Dark wallpaper was included. Add other
wallpapers available in the package repository.
Since fat32 provides little recovery facilities after a crash,
it can leave the system in an unbootable state, when a crash/outage
happens shortly after an update. To decrease the likelihood of this
event sync the efi filesystem after each update.
Someone on IRC wanted to boot Fedora from another disk. While I'm not
too familiar with UEFI booting in conjunction with GRUB2 it took some
time to get it to work.
So in order to save others from frustration I'm adding this as another
example to the extraEntries option.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This has surfaced since d990aa7163.
The "simpleUefiGummiboot" installer test fails since this commit,
because that commit introduced a small check to verify whether the store
was altered.
While installing NixOS for the first time, the store is usually in
/mnt/nix/store and without the read-only bind mount that's preventing
programs from altering the store.
So after nixos-install is done creating the system closure and setting
it as the active system profile, the bootloader is written from the
closure inside the chroot. The systemd-boot-builder is invoked during
this step, which adds .pyc files for various Python modules of the
Python 3 store path, which in turn invalidates the hash of the Python 3
store path itself.
At the time the system is booted up again, the nix-store is verified and
fails with something like this:
path /nix/store/zvm545rqc4d97caqq9h7344bnd06jhzb-python3-3.5.3 was
modified! expected hash
b2c975f4b8d197443fbb09690fb3f6545e165dd44c9309d7d6df2fce0579ebeb, got
bccca19f39c9d26d857ccf1fb72818b2b817967e6d497a25a1283e36ed0acf01
Running the interpreter with the -B argument prevents Python from
writing those byte code files:
https://docs.python.org/3/using/cmdline.html#cmdoption-B
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This reverts commit c2b56626f1.
It broke creating the manual. I suspect the descriptions are
auto-wrapped by <para> and </para>.
We've been through this already in 3af715af90.
/cc #24978, @zraexy, @Mic92.
The LUKS header can be on another device (e.g. a USB stick). In my case
it can take up to two seconds until the partition on my USB stick is
available (i.e. the decryption fails without this patch). This will also
remove some redundancy by providing the shell function `wait_target` and
slightly improve the output (one "." per second and a success/failure
indication after 10 seconds instead of always printing "ok").
Restarting them is useless since the filesystem is already
checked. Worse, restarting them causes the filesystem to be unmounted.
Also remove an override for systemd-rkill@.service which no longer
exists.
When dhcpcd instead of networkd is used, the network-online.target behaved
the same as network.target, resulting in broken services that need a working
network connectivity when being started.
This commit makes dhcpcd wait for a lease and makes it wanted by
network-online.target. In turn, network-online.target is now wanted by
multi-user.target, so it will be activated at every boot.
Using toJSON on a string value works because the allowed JSON escape
sequences are almost a subset of the systemd allowed escape sequences.
The only exception is `\/` which JSON allows but systemd doesn't.
Luckily this sequence isn't required and toJSON doesn't produce it, making
the result valid for systemd consumption.
Examples of things that this fixes are environment variables with double
quotes or newlines.
Since systemd version 232 the install subcommand of bootctl opens the
loader.conf with fopen() modes "wxe", where the "e" stands for
exclusive, so the call will fail if the file exists.
For installing the boot loader just once this is fine, but if we're
using NIXOS_INSTALL_BOOTLOADER on a systemd where the bootloader is
already present this will fail.
Exactly this is done within the simpleUefiGummiboot installer test,
where nixos-install is called twice and thus the bootloader is also
installed twice, resulting in an error during the fopen call:
Failed to open loader.conf for writing: File exists
Removing the file prior to calling bootctl should fix this.
I've tested this using the installer.simpleUefiGummiboot test and it now
succeeds.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @edolstra, @shlevy, @mic92
Fixes: #22925
This leads to the following error when trying to install a new machine
where the machine ID wasn't yet initialized during boot:
Failed to get machine did: No such file or directory
In addition this was also detected by the simpleUefiGummiboot installer
test.
So let's generate a fallback machine ID by using
systemd-machine-id-setup before actually running bootctl.
Tested this by running the installer.simpleUefiGummiboot test, it still
fails but not because of the machine ID.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @edolstra, @shlevy, @mic92
Fixes: #22561
Since the bonds interface changed to a lot more possible values we create a
mapping of kernel bond attribute names and values to networkd attributes.
Those match for the most part, but have to be transformed slightly.
There is also an assert that unknown options won’t slip through silently.
The Raspberry Pi boot loader was deleting all xx-initrd text files
(which simply contain the path to the actual initrd files) just after
having created them. The code was actually trying to delete real,
obsolete initrd files, which are named <hash>-initrd-initrd (after path
cleaning), but the glob was catching the other files as well.
This reverts commit 712e62c260.
This commit broke NixOS containers. Systemd wouldn't detect if a container
started successfully and would kill it again after a grace period.
Additionally this prints mount errors due to already mounted filesystems
at boot.
This code in amazon-image.nix:
    if mountFS "$device" "$mp" "" auto; then
        if [ -z "$diskForUnionfs" ]; then diskForUnionfs="$mp"; fi
    fi
relies on mountFS to return a zero exit status if mounting
succeeds. But the lustrateRoot check in mountFS was causing a non-zero
exit status. As a result /disk0 would be mounted, but not used for
/tmp.
(cherry picked from commit d082ed8c35dec48aee2afd1303b3c8b2a1b242b0)
networkd options are always correct or up to date. This option allows bypassing
type checking. It is also easier to write because examples can just be copied
and pasted from manpages.
Networkd units can contain secrets. In future, WireGuard VPN will also be supported by
networkd. To avoid leakage of private keys, those could then also be put outside
of the /nix/store.
Having a writeable /etc/systemd/network also allows quick-fixing network issues,
when upgrading with `nixos-rebuild switch` would require network on its own (due
to updates).
This reverts commit 656cc3acaf because it
causes building the manual to fail:
$ nixos-rebuild build
...
building path(s) ‘/nix/store/s9y5z78z5pssvmixcmv9ix13gs8xj87f-manual-olinkdb’
Writing /nix/store/s9y5z78z5pssvmixcmv9ix13gs8xj87f-manual-olinkdb/manual.db for book(book-nixos-manual)
./man-pages.xml:625: element para: Relax-NG validity error : Did not expect element para there
./man-pages.xml:3: element variablelist: Relax-NG validity error : Element refsection has extra content: variablelist
./man-pages.xml:29: element refsection: Relax-NG validity error : Element refentry has extra content: refsection
./man-pages.xml:3: element reference: Relax-NG validity error : Element reference failed to validate content
./man-pages.xml fails to validate
CC @cleverca22, @Mic92
- most NixOS users only require time synchronisation,
while ntpd implements a battery-included NTP server (1,215 LOCs of C-Code vs 64,302)
- timesyncd supports NTP servers per interface (if configured through DHCP for instance)
- timesyncd is already included in the systemd package, switching to it would
save a little disk space (1,5M)
Using the --force option on GRUB isn't recommended, but there are very
specific instances where it makes sense. One example is installing on a
partitionless disk.
Thanks to @NeQuissimus in a5c1985fef for
updating busybox, which since version 1.25 doesn't allow local variables
outside of functions anymore (which is the desired behaviour).
See the following upstream commit of busybox which is the change that
lets this problem surface:
https://git.busybox.net/busybox/commit/?id=ef2386b80abfb22ccb697ddbdd4047aacc395c50
So this has been an error I've made on my end in
67223ee205, because I originally had a
function for killing the processes but desired to inline it because it's
only used in one place.
This fixes the boot-stage1 NixOS test.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
For some reason, between Linux 4.4.19 and 4.4.20, the atkbd and libps2
kernel modules lost their dependency on i8042 in modules.dep, causing
i8042 not to be included in the initrd. This breaks keyboard in the
initrd, in turn breaking LUKS.
This only happens on the 16.03 branch; on 16.09, it appears i8042 is
pulled into the initrd anyway (through some other dependency,
presumably). But let's include it explicitly.
http://hydra.nixos.org/build/40468431
This makes it easy to specify kernel patches:
boot.kernelPatches = [ pkgs.kernelPatches.ubuntu_fan_4_4 ];
To make the `boot.kernelPatches` option possible, this also makes it
easy to extend and/or modify the kernel packages within a linuxPackages
set. For example:
    pkgs.linuxPackages.extend (self: super: {
      kernel = super.kernel.override {
        kernelPatches = super.kernel.kernelPatches ++ [
          pkgs.kernelPatches.ubuntu_fan_4_4
        ];
      };
    });
Closes #15095
This ensures that most "trivial" derivations used to build NixOS
configurations no longer depend on GCC. For commands that do invoke
gcc, there is runCommandCC.
This allows us to define system user targets in addition to the existing
services, timers and sockets.
Furthermore, we add a top-level configuration keyword:
- Documentation
When Grub is to be used with UEFI, it is not going to write to any MBR
of any disk. As such, it is safe to use multiple "nodev" device entries
when mirroring the ESP partition to multiple disks.
E.g.:
```
boot.loader.grub = {
  enable = true;
  version = 2;
  zfsSupport = true;
  efiSupport = true;
  mirroredBoots = [
    { devices = [ "nodev" ]; path = "/boot1"; efiSysMountPoint = "/boot1"; }
    { devices = [ "nodev" ]; path = "/boot2"; efiSysMountPoint = "/boot2"; }
    { devices = [ "nodev" ]; path = "/boot3"; efiSysMountPoint = "/boot3"; }
  ];
};
boot.loader.efi.canTouchEfiVariables = true;
```
Fixes #18584
All swap device option sets "have" a label, it's just that sometimes it's
undefined. Because we set a `device` attribute when we have a label anyway it's
ok to just check device prefix.
Fixes #18891.
See #18319 for details. Starting network-online.target manually does not
work as it hangs indefinitely.
Additionally, don't treat avahi and dhcpcd special and sync their systemd units
with the respective upstream suggestion.
Systemd upstream provides targets for networking. This also includes a target network-online.target.
In this PR I remove / replace most occurrences since some of them were even wrong and could delay startup.
This partially reverts commit ab9537ca22.
From the manpage of systemd-nspawn(1):
Note that systemd-nspawn will mount file systems private to the
container to /dev, /run and similar.
Testing this in a shell turns out:
$ sudo systemd-nspawn --bind-ro=/nix/store "$(readlink "$(which ls)")" /proc
Spawning container aszlig on /home/aszlig.
Press ^] three times within 1s to kill container.
/etc/localtime does not point into /usr/share/zoneinfo/, not updating
container timezone.
1 execdomains kpageflags stat
acpi fb loadavg swaps
asound filesystems locks sys
buddyinfo fs meminfo sysrq-trigger
bus interrupts misc sysvipc
cgroups iomem modules thread-self
cmdline ioports mounts timer_list
config.gz irq mtrr timer_stats
consoles kallsyms net tty
cpuinfo kcore pagetypeinfo uptime
crypto key-users partitions version
devices keys scsi vmallocinfo
diskstats kmsg self vmstat
dma kpagecgroup slabinfo zoneinfo
driver kpagecount softirqs
Container aszlig exited successfully.
So the test on whether PID 1 exists in /proc is enough, because if we
use PID namespaces there actually _is_ a PID 1 (as shown above) and the
special file systems are already mounted. A test on the $containers
variable actually mounts them twice.
This unbreaks NixOS containers and I've tested this against the
containers-imperative NixOS test.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @rickynils, @shlevy, @edolstra
Before this commit, updating the /var/setuid-wrappers/ folder introduced
a small window where NixOS activation scripts could be terminated,
resulting in an empty /var/setuid-wrappers/ folder.
That's very unfortunate because one might lose the sudo binary.
Instead we use two atomic operations mv and ln (as described in
https://axialcorps.com/2013/07/03/atomically-replacing-files-and-directories/)
to achieve atomicity.
Since /var/setuid-wrappers is not a directory anymore, tmpfs mountpoints
were removed in installation scripts and in boot process.
Tested:
- upgrade /var/setuid-wrappers/ from folder to a symlink
- make sure /run/setuid-wrappers-dirs/ legacy symlink is really deleted
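The mv-plus-ln pattern this commit refers to, written out as an added sketch; it is not the NixOS activation script, and the function names `atomic_swap` and `publish` and all paths are assumptions made for the example. It also covers the one-time migration from a real directory to a symlink, which is the only step that is not atomic.

```shell
#!/bin/sh
# Added example: replace a directory's contents atomically through a symlink.
# All paths are supplied by the caller; nothing NixOS-specific is assumed.

# atomic_swap LINK NEWDIR
# Make LINK point at NEWDIR so that readers always see either the old tree
# or the new one, never an empty or half-written directory.
atomic_swap() {
    as_link=$1
    as_new=$2
    as_tmp="$as_link.tmp.$$"
    as_legacy=

    # ln creates the symlink under a temporary name (one symlink(2) call).
    ln -s "$as_new" "$as_tmp" || return 1

    # One-time migration: LINK is still a real directory. rename(2) cannot
    # replace a directory with a symlink, so the directory is moved aside
    # first. This is the only non-atomic step; every later swap is atomic.
    if [ -d "$as_link" ] && [ ! -L "$as_link" ]; then
        as_legacy="$as_link.legacy.$$"
        mv "$as_link" "$as_legacy" || { rm -f "$as_tmp"; return 1; }
    fi

    # mv -T renames the temporary symlink over LINK (one rename(2) call).
    # -T (GNU coreutils, busybox) stops mv from moving the symlink *into*
    # the directory LINK currently points to.
    if ! mv -T "$as_tmp" "$as_link"; then
        rm -f "$as_tmp"
        # Put the original directory back if it was moved aside.
        if [ -n "$as_legacy" ]; then mv "$as_legacy" "$as_link"; fi
        return 1
    fi

    if [ -n "$as_legacy" ]; then rm -rf "$as_legacy"; fi
    return 0
}

# publish LINK STAGING SRC...
# Build a complete new tree under STAGING, then switch LINK over to it.
# An interruption before the swap leaves LINK untouched; an interruption
# after it leaves only a stale tree in STAGING.
publish() {
    pb_link=$1
    pb_stage=$2
    shift 2

    # Remember the tree LINK points to now, to delete it after the swap.
    pb_old=$(readlink "$pb_link" 2>/dev/null) || pb_old=

    pb_new=$(mktemp -d "$pb_stage/tree.XXXXXX") || return 1
    chmod 755 "$pb_new"   # mktemp -d creates 0700; other users must read it
    for pb_src in "$@"; do
        cp -p "$pb_src" "$pb_new/" || { rm -rf "$pb_new"; return 1; }
    done

    atomic_swap "$pb_link" "$pb_new" || { rm -rf "$pb_new"; return 1; }

    # The old tree is removed only after LINK already points at the new one.
    if [ -n "$pb_old" ] && [ "$pb_old" != "$pb_new" ]; then
        rm -rf "$pb_old"
    fi
    return 0
}
```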
Both btrfs-progs and utillinux are ~5MB, we may discuss in future
to handle this better but I see no better way at the moment than
increasing purity in the install process.
OnCalendar entries can be specified multiple times in a systemd timer, to
make more complex scheduling possible.
Tested by manually checking the timer generated by the following:
    systemd = {
      services.huhu = {
        description = "meh";
        wantedBy = [ "default.target" ];
        serviceConfig.ExecStart = "/bin/sh -c 'printf HUHU!'";
        startAt = [ "*:*:0/30" "*:0/1:15" ];
      };
    };
It prints HUHU to the log at seconds 0, 15 and 30 of each minute.
A new internal config option `fileSystems.<name>.early` is added to indicate
that the filesystem needs to be loaded very early (i.e. in initrd). They are
transformed to a shell script in `system.build.earlyMountScript` with calls to
an undefined `specialMount` function, which is expected to be caller-specific.
This option is used by stage-1, stage-2 and activation script to set up and
remount those filesystems. Options for them are updated according to systemd
defaults.
lustrate /ˈlʌstreɪt/ verb.
purify by expiatory sacrifice, ceremonial washing, or some other
ritual action.
- sudo touch /etc/NIXOS_LUSTRATE
⇒ on next reboot, during stage 1, everything but /nix and /boot
is moved to /old-root
- echo "etc/passwd" | sudo tee -a /etc/NIXOS_LUSTRATE
⇒ on next reboot, during stage 1, everything but /nix and /boot
is moved to /old-root; except /etc/passwd is copied back.
Useful for installing NixOS in place on another distro. For instance:
$ nix-env -iE '_: with import <nixpkgs/nixos> { configuration = {}; }; with config.system.build; [ nixos-generate-config manual.manpages ]'
$ sudo mkdir /etc/nixos
$ sudo `which nixos-generate-config`
… edit the configuration files in /etc/nixos using man configuration.nix
if needed
maybe add: users.extraUsers.root.initialHashedPassword = "" ?
… Build the entire NixOS system and link it to the system profile:
$ nix-env -p /nix/var/nix/profiles/system -f '<nixpkgs/nixos>' -A system --set
… If you were using a single user install:
$ sudo chown -R 0.0 /nix
… NixOS is about to take over
$ sudo touch /etc/NIXOS
$ sudo touch /etc/NIXOS_LUSTRATE
… Let's keep the configuration files we just created
$ echo etc/nixos | sudo tee -a /etc/NIXOS_LUSTRATE
$ sudo mv -v /boot /boot.bak &&
sudo /nix/var/nix/profiles/system/bin/switch-to-configuration boot
$ sudo reboot
… NixOS boots, Stage 1 moves all the old distro stuff in /old-root.
The builder has this convoluted `while` loop which just replicates
`readlink -e`. I'm sure there was a reason at one point, because the
loop has been there since time immemorial. It kept getting copied
around, I suspect because nobody bothered to understand what it actually
did.
Incidentally, this fixes #17513, but I have no idea why.
We currently only allow upstream's default of "reboot.target" due to the
way the symlinks are initialized. I made this configurable similar to the
default unit.
This reverts commit c69c76ca7e.
This patch was messed up during a rebase -- the commit title doesn't match what
it really does at all (it is actually a broken attempt to get LUKS passphrase
prompts in Plymouth).
A disabled systemd service with a "startAt" attribute, like this:
    systemd.services.foo-service = {
      enable = false;
      startAt = "*-*-* 05:15:00";
      ...
    };
will cause the following errors in the system journal:
systemd[1]: foo-service.timer: Refusing to start, unit to trigger not loaded.
systemd[1]: Failed to start foo-service.timer.
Fix it by not generating the corresponding timer unit when the service
is disabled.
Previously, the value from stdenv.platform.kernelDTB was used. That
doesn't work well if both kinds (DTB and non-DTB) of generations exist
in the system profile.
':' is currently used as separator in /boot/grub/state for the list of
devices GRUB should be installed to. The problem is that ':' itself may
appear in a device path:
/dev/disk/by-id/usb-SanDisk_Cruzer_20043512300546C0B317-0:0
With such a path, NixOS will install GRUB *every* time, because it
thinks the configuration differs from the state file (due to the wrong
list split). Fix it by using ',' as separator.
For existing systems with GRUB installed on multiple devices, this
change means that GRUB will be installed one extra time.
When displaying a warning about a removed Option we should always
include reasoning why it was removed and how to get the same
functionality without it.
Introduces such a description argument and patches occurrences (mostly
with an empty string).
startGnuPGAgent: further notes on replacement
This allows setting options for the same LUKS device in different
modules. For example, the auto-generated hardware-configuration.nix
can contain
boot.initrd.luks.devices.crypted.device = "/dev/disk/...";
while configuration.nix can add
boot.initrd.luks.devices.crypted.allowDiscards = true;
Also updated the examples/docs to use /disk/disk/by-uuid instead of
/dev/sda, since we shouldn't promote the use of the latter.
Unfortunately, pkill doesn't distinguish between kernel and user space
processes, so we need to make sure we don't accidentally kill kernel
threads.
Normally, a kernel thread ignores all signals, but there are a few that
do. A quick grep on the kernel source tree (as of kernel 4.6.0) shows
the following source files which use allow_signal():
drivers/isdn/mISDN/l1oip_core.c
drivers/md/md.c
drivers/misc/mic/cosm/cosm_scif_server.c
drivers/misc/mic/cosm_client/cosm_scif_client.c
drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
drivers/staging/rtl8188eu/core/rtw_cmd.c
drivers/staging/rtl8712/rtl8712_cmd.c
drivers/target/iscsi/iscsi_target.c
drivers/target/iscsi/iscsi_target_login.c
drivers/target/iscsi/iscsi_target_nego.c
drivers/usb/atm/usbatm.c
drivers/usb/gadget/function/f_mass_storage.c
fs/jffs2/background.c
fs/lockd/clntlock.c
fs/lockd/svc.c
fs/nfs/nfs4state.c
fs/nfsd/nfssvc.c
While not all of these are necessarily kthreads and some functionality
may still be unimpeded, it's still quite harmful and can cause
unexpected side-effects, especially because some of these kthreads are
storage-related (which we obviously don't want to kill during bootup).
During discussion at #15226, @dezgeg suggested the following
implementation:
    for pid in $(pgrep -v -f '@'); do
        if [ "$(cat /proc/$pid/cmdline)" != "" ]; then
            kill -9 "$pid"
        fi
    done
This has a few downsides:
* User space processes which use an empty string in their command line
won't be killed.
* It results in errors during bootup because some shell-related
processes are already terminated (maybe it's pgrep itself, haven't
checked).
* The @ is searched within the full command line, not just at the
beginning of the string. Of course, we already had this until now, so
it's not a problem of his implementation.
I posted an alternative implementation which doesn't suffer from the
first point, but even that one wasn't sufficient:
    for pid in $(pgrep -v -f '^@'); do
        readlink "/proc/$pid/exe" &> /dev/null || continue
        echo "$pid"
    done | xargs kill -9
This one spawns a subshell, which would be included in the processes to
kill and actually kills itself during the process.
So what we have now is even checking whether the shell process itself is
in the list to kill and avoids killing it just to be sure.
Also, we don't spawn a subshell anymore and use /proc/$pid/exe to
distinguish between user space and kernel processes like in the comments
of the following StackOverflow answer:
http://stackoverflow.com/a/12231039
We don't need to take care of terminating processes, because what we
actually want IS to terminate the processes.
The only point where this (and any previous) approach falls short is if we
have processes that act like fork bombs, because they might spawn
additional processes between the pgrep and the killing. We can only
address this with process/control groups and this still won't save us
because the root user can escape from that as well.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Fixes: #15226
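The selection rules discussed in this commit message (skip kernel threads via `/proc/$pid/exe`, skip the calling shell, match `@` only at the start of the command line), as an added example that is not the stage-1 code. It only prints the PIDs; `killable_pids`, `make_sample_proc` and the sample process table are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide which processes a "terminate everything left over"
# step may signal. Nothing is signalled here; the function only prints PIDs.

# killable_pids PROCROOT SELFPID
# PROCROOT is normally /proc. It is a parameter so the rules can be checked
# against a constructed directory tree. SELFPID is the PID of the shell doing
# the cleanup (normally $$).
killable_pids() {
    kp_root=$1
    kp_self=$2
    for kp_dir in "$kp_root"/[0-9]*; do
        [ -d "$kp_dir" ] || continue
        kp_pid=${kp_dir##*/}
        # Only purely numeric entries are processes.
        case $kp_pid in *[!0-9]*) continue ;; esac

        # Rule 1: never select the shell that runs the cleanup.
        if [ "$kp_pid" = "$kp_self" ]; then continue; fi

        # Rule 2: kernel threads have no executable, so readlink on
        # /proc/PID/exe fails for them. A user space process with an empty
        # command line still has an exe link and is therefore still selected.
        readlink "$kp_dir/exe" >/dev/null 2>&1 || continue

        # Rule 3: a command line that *starts* with '@' marks a process that
        # must survive. Only the first byte is read, so an '@' later in the
        # arguments does not protect a process. A process that exited in the
        # meantime simply yields an empty value.
        kp_first=$(dd if="$kp_dir/cmdline" bs=1 count=1 2>/dev/null) || kp_first=
        if [ "$kp_first" = "@" ]; then continue; fi

        echo "$kp_pid"
    done
}

# make_sample_proc DIR
# Constructed sample data: a minimal /proc look-alike with one entry per case.
make_sample_proc() {
    sp=$1
    mkdir -p "$sp/1" "$sp/2" "$sp/77" "$sp/120" "$sp/121" "$sp/300"
    # 1: ordinary user space process.
    ln -s /bin/init "$sp/1/exe"
    printf 'init\0' > "$sp/1/cmdline"
    # 2: kernel thread, no exe link and an empty command line.
    : > "$sp/2/cmdline"
    # 77: process to keep, argv[0] begins with '@'.
    ln -s /bin/keepd "$sp/77/exe"
    printf '@keepd\0--foreground\0' > "$sp/77/cmdline"
    # 120: the shell performing the cleanup.
    ln -s /bin/sh "$sp/120/exe"
    printf 'sh\0/init\0' > "$sp/120/cmdline"
    # 121: user space process with an empty command line.
    ln -s /bin/odd "$sp/121/exe"
    : > "$sp/121/cmdline"
    # 300: '@' appears in an argument, not at the start.
    ln -s /bin/mail "$sp/300/exe"
    printf 'mail\0user@host\0' > "$sp/300/cmdline"
}
```

On a live system the call is `killable_pids /proc $$`; calling it directly rather than inside `$(...)` or a pipeline avoids creating the extra subshell the message describes.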
Continuation of 79c3c16dcb. Systemd 229
sets the default RLIMIT_CORE to infinity, causing systems to be
littered with core dumps when systemd.coredump.enable is disabled.
This restores the 15.09 soft limit of 0 and hard limit of infinity.
This reverts commit 45c218f893.
Busybox's modprobe causes numerous "Unknown symbol" errors in the
kernel log, even though the modules do appear to load correctly.
Systemd 229 sets kernel.core_pattern to "|/bin/false" by default,
unless systemd-coredump is enabled. Revert back to the default of
writing "core" in the current directory.
Also add required systemd services for starting/stopping mdmon.
Closes #13447.
abbradar: fixed `mdadmShutdown` service name according to de facto conventions.
Since we don't restart sysinit.service in switch-to-configuration, this
additionally overrides systemd-binfmt.service to depend on
proc-sys-fs-binfmt_misc.automount, which is normally provided by
sysinit.service.
- Enforce that an option declaration has a "defaultText" if and only if the
type of the option derives from "package", "packageSet" or "nixpkgsConfig"
and if a "default" attribute is defined.
- Enforce that the value of the "example" attribute is wrapped with "literalExample"
if the type of the option derives from "package", "packageSet" or "nixpkgsConfig".
- Warn if a "defaultText" is defined in an option declaration if the type of
the option does not derive from "package", "packageSet" or "nixpkgsConfig".
- Warn if no "type" is defined in an option declaration.
This reverts commit b861bf8ddf, because according to @mdorman [1] this
change rendered his NixOS systems unbootable, and we probably don't want that.
[1] b861bf8ddf (commitcomment-16058598)
Allow usage of list of strings instead of a comma-separated string
for filesystem options. Deprecate the comma-separated string style
with a warning message; convert this to a hard error after 16.09.
15.09 was just released, so this provides a deprecation period during
the 16.03 release.
closes #10518
Signed-off-by: Robin Gloster <mail@glob.in>
Fixes references coming from the mdadm udev rules.
This addresses #12722 (mdadm udev rules have references to /usr/bin) but
still won't fix the warning, though (if we want to fix the warnings, we
will have to patch the udev rules generator in services/hardware/udev).
For common mdraid functionality, this shouldn't fix anything, because
the wrong references seem to only apply to containers, see these
(wrapped) lines from ${mdadm}/lib/udev/rules.d/63-md-raid-arrays.rules:
# Tell systemd to run mdmon for our container, if we need it.
ENV{MD_LEVEL}=="raid[1-9]*",
ENV{MD_CONTAINER}=="?*",
PROGRAM="/usr/bin/readlink $env{MD_CONTAINER}",
ENV{MD_MON_THIS}="%c"
ENV{MD_MON_THIS}=="?*",
PROGRAM="/usr/bin/basename $env{MD_MON_THIS}",
ENV{SYSTEMD_WANTS}+="mdmon@%c.service"
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Partially reverts commit 901163c0c7.
This has broken remote SSH into initrd because ${cfg.shell} is not
expanded. Also, nsswitch is useless without libnss_files.so which
are installed by initrd-ssh.
- add missing types in module definitions
- add missing 'defaultText' in module definitions
- wrap example with 'literalExample' where necessary in module definitions
Setting nixosVersion to something custom is useful for meaningful GRUB
menus and /nix/store paths, but actually changing it rebuilds the
whole system path (because of `nixos-version` script and manual
pages). Also, changing it is not a particularly good idea because you
can then be differentiated from other NixOS users by a lot of
programs that read /etc/os-release.
This patch introduces an alternative option that does all you want
from nixosVersion, but rebuilds only the very top system level and
/etc while using your label in the names of system /nix/store paths,
GRUB and other boot loaders' menus, getty greetings and so on.
This hopefully fixes intermittent initrd failures where udevd cannot
create a Unix domain socket:
machine# running udev...
machine# error getting socket: Address family not supported by protocol
machine# error initializing udev control socket
machine# error getting socket: Address family not supported by protocol
The "unix" kernel module is supposed to be loaded automatically, and
clearly that works most of the time, but maybe there is a race
somewhere. In any case, no sane person would run a kernel without Unix
domain sockets, so we may as well make it builtin.
http://hydra.nixos.org/build/30001448
This hopefully fixes intermittent test failures like
http://hydra.nixos.org/build/29962437
router# [ 240.128835] INFO: task mke2fs:99 blocked for more than 120 seconds.
router# [ 240.130135] Not tainted 3.18.25 #1-NixOS
router# [ 240.131110] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
assuming that these are caused by high load on the host.
... because we make it built-in by default.
I can't imagine anyone who wanted to purge this module from his/her system,
so let's keep it simple, at least for now.
Previously this barfed with:
updating GRUB 2 menu...
fileparse(): need a valid pathname at /nix/store/zldbbngl0f8g5iv4rslygxwp0dbg1624-install-grub.pl line 391.
warning: error(s) occured while switching to the new configuration
The most complex problems were from dealing with switches reverted in
the meantime (gcc5, gmp6, ncurses6).
It's likely that darwin is (still) broken nontrivially.
mmc_block and sdhci_acpi are both necessary for a Bay Trail Chromebook with an
internal eMMC drive. The sdhci_acpi module is detectable but I can not figure
out a way to check whether the mmc_block module is needed by just looking at
/sys/
Option aliases/deprecations can now be declared in any NixOS module,
not just in nixos/modules/rename.nix. This is more modular (since it
allows for example grub-related aliases to be declared in the grub
module), and allows aliases outside of NixOS (e.g. in NixOps modules).
The syntax is a bit funky. Ideally we'd have something like:
    options = {
      foo.bar.newOption = mkOption { ... };
      foo.bar.oldOption = mkAliasOption [ "foo" "bar" "newOption" ];
    };
but that's not possible because options cannot define values in
*other* options - you need to have a "config" for that. So instead we
have functions that return a *module*: mkRemovedOptionModule,
mkRenamedOptionModule and mkAliasOptionModule. These can be used via
"imports", e.g.
    imports = [
      (mkAliasOptionModule [ "foo" "bar" "oldOption" ] [ "foo" "bar" "newOption" ])
    ];
As an added bonus, deprecation warnings now show the file name of the
offending module.
Fixes #10385.
- systemd puts all into one output now (except for man),
because I wasn't able to fix all systemd/udev references
for NixOS to work well
- libudev is now by default *copied* into another path,
which is what most packages will use as build input :-)
- pkgs.udev = [ libudev.out libudev.dev ]; because there are too many
references that just put `udev` into build inputs (to rewrite them all),
also this made "${udev}/foo" fail at *evaluation* time
so it's easier to catch and change to something more specific
This way the binary gets stripped & rpath-shrinked etc. as usual.
We'd seem to get a runtime reference to gcc otherwise.
TODO: Maybe we should be able to set e.g. 'dontUnpack = true;'
to make this more pretty.
Adding the configuration option 'systemd.generators' to
specify systemd system-generators. The option allows to
either add new system-generators to systemd, or to override
or disable the system-generators provided by systemd.
Internally, the configuration option 'systemd.generators'
maps onto the 'environment.etc' configuration option.
Having a convenience wrapper around 'environment.etc' helps
to group the systemd system-generator configuration more
easily with other 'systemd...' configurations.
$d should be $sd, this causes resume from hibernate to fail if
resumeDevice is not explicitly set in config. Introduced in commit:
'stage-1: Shut up warnings about swap devices that don't exist yet'
(cherry picked from commit 2a31397f53)
When using extlinux-conf-builder in a nix build using chroots, the
following error message could be seen:
/nix/store/XXX-extlinux-conf-builder.sh: line 121: cd: /nix/var/nix/profiles: No such file or directory
To avoid this, just skip the code path parsing /nix/var/nix/profiles
when $numGenerations (passed from the command line) is 0 (which is the
only legal value of $numGenerations in a nix build context).
Without a menu title, U-Boot's distro scripts just autoboot the first
entry by default.
When I initially wrote this, my board wasn't apparently running stock
U-Boot but had some local hacks saved in the U-Boot's environment
which made it always display the prompt.
When calling addEntry inside a subshell, the filesCopied array would
be updated only in the subshell's environment. This would only cause an
issue if no -g flag was passed to the script, causing no kernels
to be copied.
This fixes a failing assert in systemd-timesyncd (issue #5913) as it
expects the directory /run/systemd/netif/links/ to exist, and nothing in
NixOS currently creates it.
Also we get a net reduction in our code as rules for /run/utmp and
/var/log/journal are also provided by the same upstream file.
(cherry picked from commit a278a9224a)
This shuts up this error from dbus:
May 11 13:52:16 machine dbus-daemon[259]: Unknown username "systemd-network" in message bus configuration file
May 11 13:52:16 machine dbus-daemon[259]: Unknown username "systemd-resolve" in message bus configuration file
which happens because the D-Bus config for networkd/resolved is
enabled unconditionally, and we don't have an easy way to turn it off.
(cherry picked from commit f19b58fb6a)
Some filesystems like fat32 don't support symlinking and need to be
supported on /boot as an efi system partition. Instead of creating the symlink directly in boot, create the symlink in
a temporary directory which has to support symlinking.
This solves the problem that modprobe does not know about $MODULE_DIR
when run via sudo, and instead wrongly tries to read /lib/modules/:
$ sudo strace -efile modprobe foo |& grep modules
open("/lib/modules/3.14.37/modules.softdep", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/lib/modules/3.14.37/modules.dep.bin", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/lib/modules/3.14.37/modules.dep.bin", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/lib/modules/3.14.37/modules.alias.bin", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
Without this patch, one would have to use sudo -E (preserves environment
vars). But that option is reserved for sudo users with extra rights
(SETENV), so it's not a solution.
environment.sessionVariables are set by PAM, so they are included in the
environment used by sudo.