We absolutely do not want to leave an incomplete file behind in /boot
since an incomplete initrd would render the machine unbootable. Errors
while writing are relatively common, mostly due to full /boot
partitions.
systemd-boot-builder does never attempt to re-write already existing
files which means that such situations are not fixable by re-running
nixos-rebuild etc. Instead the user needs to know about internals of the
systemd-boot and manually delete the correct file to recover from a
partially written kernel or (more commonly) initrd in /boot.
Note that this used to be a non issue since systemd-boot-builder used to
always delete all kernels and initrds before copying kernels and
initrds, so dest.exist() would always return False. This was fixed in
f2ca990558, revealing the underlying bad
assumption (that copyfile() always succeeds or fails without writing
anything).
The solution is to write to a temporary file first and move it to the
destination path only after this has succeeded. This way, if an error
occurs during copying, only a file distinct from dest is left behind
which would be cleaned up by subsequent runs of remove_old_entries().
Resolves#444066.
In systems without initrd (e.g. containers) that also use system.replaceDependencies, we'd get:
error: attribute 'initialRamdisk' missing
at /nix/store/8vfhnwmmzqqzy97q9c5m4bzyaqqf63zy-source/nixos/modules/system/activation/top-level.nix:286:21:
285| cutoffPackages = mkOption {
286| default = [ config.system.build.initialRamdisk ];
| ^
Make that initialRamdisk reference conditional on the initrd being enabled.
Otherwise this gets printed to stdout when running things like
nixos-rebuild, while people rely on the toplevel store path being the only
output of such commands.
Eventually we'd like to change our posture on this, and somehow ensure
that 'init' is always our systemd binary, but for now containers
require us to do it this way.
This should be removed after systemd 258 releases, as it is a temporary drop-in fix to circumvent the issue of systemd-oomd failing to detect a valid swap (noticeable in cases of users using `zram` as swap).
I've taken the liberty to clarify which `After=` override should be dropped when, based on the systemd version on Nixpkgs.
These units are needed to be able to experiment with systemd's boot counting
functionality (e.g. with out-of-tree bootloaders like lanzaboote), and they
cannot easily be added through configuration without patching nixpkgs.
They are basically a no-op when boot entries do not contain any
counters, so AFAICT there is no disadvantage to them being enabled by default.
