When a system has a wrong date and time timesyncd is unable to synchronize it
because DNSSEC doesn't work. In order to break this chicken and egg problem
systemd-timesync disables DNSSEC validation by setting
SYSTEMD_NSS_RESOLVE_VALIDATE=0 in the unit file. However, it doesn't work in
NixOS because it uses NSCD. This patch disables NSCD in systemd-timesyncd when
SYSTEMD_NSS_RESOLVE_VALIDATE is set to 0 so that it uses NSS libraries
directly. In order for it to be able to find the libnss_resolve.so.2 library
this patch adds the systemd directory in the nix store to the LD_LIBRARY_PATH.
The previous code did not apply any changes to the upstream defaults on being presented with an empty list.
This changes the code to use the above behaviour on a `null` value while an empty list is passed through as normal which yields a systemd configuration line with empty value which resets it to an empty value.
Signed-off-by: benaryorg <binary@benary.org>
Since 1557027, makeModulesClosure doesn't create a lib/firmware
directory if there is no firmware in the initramfs. If this happens,
systemd-stage-1 fails to build.
/lib only contains /lib/modules and /lib/firmware, both of while are
from modulesClosure. Therefore, we can just add the entirety of
${modulesClosure}/lib to the initramfs to allow for the possibility that
lib/firmware doesn't exist. This also brings systemd-stage-1 in line
with the traditional stage-1.
The CAKE section for systemd.network units allows configuring whether or
not redundant ACKs should be dropped. This option corresponds to the
respective tc-cake(8) params "ack-filter", "ack-filter-aggressive" or
"no-ack-filter".
Add support for these values in the `cakeConfig` module so that users
can configure it.
8f2babd032 was partially reverted by mistake. Original message below
---
On some systems, EFI variables are not supported or otherwise wonky.
bootctl attempting to access them causes failures during bootloader
installations and updates. For such systems, NixOS provides the options
`boot.loader.efi.canTouchEfiVariables` and
`boot.loader.systemd-boot.graceful` which pass flags to bootctl that
change whether and how EFI variables are accessed.
Previously, these flags were only passed to bootctl during an install
operation. However, they also apply during an update operation, which
can cause the same sorts of errors. This change passes the flags during
update operations as well to prevent those errors.
Fixes https://github.com/NixOS/nixpkgs/issues/151336
Previously, all available plymouth renderers were copied to the initrd,
including the X11 one. It is pretty much useless since the initrd is
exceedingly unlikely to run an X server, and causes the initrd closure to grow
by several large libraries (mostly Gtk and dependencies) and thus by a couple
of megabytes (over 5 MiB on my system). Remove it.
While this can be added via `services.journald.extraConfig`, this option
provides proper type-checking and other modules can determine
where journal data is stored. This is relevant when using e.g. promtail
to send logs to Loki and it should read from `/run/log/journal` if
volatile storage is used.
Adds a postResumeCommands option to the initramfs to allow inserting
code to execute after the device has attempted to resume, and before
filesystems are mounted. This allows to inject code for operations like
wiping the rootfs on boot; if those were instead put in
postDeviceCommands, on a hibernated device, they would execute before
the device resumes from hibernation.
Modules built in to the kernel can attempt to load firmware before
init is started. To guarantee the firmware is accessible to them
where they expect, /lib has to exist in the initramfs — it can't be
created later by init, because by that point the module may already
have tried and given up.
It hasn't expected the prefix for a long time (possibly ever). Other
documentation and patches within nixpkgs itself (such as the crashdump
module) do not have the prefix.
When using iproute2's ip binary, you can omit the dev parameter, e.g. ip link set up eth0 instead of ip link set up dev eth0.
This breaks if for some reason your device is named e.g. he, hel, … because it is interpreted as ip link set up help.
I just encountered this bug using networking.bridges trying to create an interface named he.
I used a grep on nixpkgs to try to find iproute2 invocations using variables without the dev keyword, and found a few, and fixed them by providing the dev keyword.
I merely fixed what I found, but the use of abbreviated commands makes it a bit hard to be sure everything has been found (e.g. ip l set … up instead of ip link set … up).
You can see in https://www.freedesktop.org/software/systemd/man/latest/systemd.network.html that
this should be "HairPin" not "Hairpin". Using "Hairpin" results in
```
Oct 25 18:55:03 my-host systemd-networkd[843736]: /etc/systemd/network/10-bridge.network:11:
Unknown key name 'Hairpin' in section 'Bridge', ignoring.
```
The `AUTOFS4_FS` name appears to be a legacy naming stub:
>Ok, I ran the script, and also decided that we might as well remove
>the AUTOFS4 legacy naming stub entry by now.
>
>It has been five years, and people will have either picked up the new
>name with 'make oldconfig', or they just don't use 'make oldconfig' at
>all.
https://lore.kernel.org/lkml/CAHk-=wgK9-Tx4BxYMrc0pg==mcaz3cjWF6-CBwVpM_BZAmf4JQ@mail.gmail.com/#r
That has been remove in 6.6 kernel and results in a failure:
```
error:
Failed assertions:
- CONFIG_AUTOFS4_FS is not enabled!
```
Signed-off-by: Jakub Sokołowski <jakub@status.im>
There's no reason to do this in initrd. Partitions can be resized online.
We just have to make sure it happens before we resize the file system.
This also makes grow-partition work with systemd-initrd
This reverts commit 80665d606a.
Parsing the package version broke our systemd-boot builder test.
i.e. it won't be able to parse systemd-boot efi binaries coming from
ubuntu
We no longer use the faulty systemd-boot version so this code should no
longer be needed.
A further bug to our strange multi-user.target depending on
network-online.target issue is that systemd recently changed the
behaviour of systemd-networkd-wait-online to no longer consider the
absence of interfaces with RequiredForOnline to be sufficient to be
online: https://github.com/systemd/systemd/pull/27825
On the advice of the systemd developers
(https://github.com/systemd/systemd/issues/29388), this commit changes
the configuration of systemd-networkd-wait-online to pass --any by
default, and lets the default DHCP interfaces be RequiredForOnline
as they would be by default if the option is omitted.
It is plausible that systemd-networkd-wait-online may still fail if
there are no interfaces at all. However, that probably cannot be
avoided.
This updates the documentation for the services.journald.rateLimitBurst
option, clarifying that the journal size limit may very well default to
a lot less than 4GB with small disks or disk with not much free space
(eg: virtualized machines)
Fixes#228141, which describes an issue where detaching Yubikey during the boot process
causes cryptsetup to write empty passphrase instead of the challenge-response salt stored
on the boot drive.
This fixes notably the fact that /dev/zfs was not usable anymore as a user,
and potentially other things.
Tracked in systemd upstream under issue number 28653, 28765.
This is an early preparation for systemd v254 which causes some patch reflows
and EFI-related cleanups to their new build system with elf2efi, requiring pyelftools
as a Python packge.
Historically, we allowed downgrade of DNSSEC, but some folks argue
this may decrease actually the security posture to do opportunistic DNSSEC.
In addition, the current implementation of (opportunistic) DNSSEC validation
is broken against "in the wild" servers which are usually slightly non-compliant.
systemd upstream recommended to me (in personal communication surrounding
the All Systems Go 2023 conference) to disable DNSSEC validation until
they work on it in a significant capacity, ideally, by next year.
it should be checking that it is not a broken symlink but bash
conditionals are difficult
-d was causing the directory to not be created if it does not exist
```
$ install -m 0755 -d $PWD/hello
$ ls
hello/
$ ln -s something notexist
'notexist' -> 'something'
$ ls -l
lrwxrwxrwx artturin artturin 9 B Sat Sep 9 06:59:44 2023 notexist@ ⇒ something
drwxr-xr-x artturin artturin 2 B Sat Sep 9 06:59:36 2023 hello/
$ install -m 0755 -d $PWD/notexist
install: cannot change permissions of ‘/home/artturin/nixgits/my-nixpkgs/test/notexist’: No such file or directory
```
RequiredForOnline takes a boolean or a minimum operational state and an
optional maximum operational state. In the latter case, range values are
separated with colon.
Underneath, systemd-networkd’s reload is just `networkctl reload`. Per
`man networkctl`, calling `reload` is expected to fully handle new,
modified, and removed .network files, but it only handles *new* .netdev
files. For simplicity, assume .network -> reload and .netdev -> restart.
It’s desirable to perform reload instead of restart, as restart has the
potential to bring down interfaces, resulting in a loss of network
connectivity.
Just like with system-wide tmpfiles, call `systemd-tmpfiles --create
--remove` for users during activation. This fixes an issue where new
entries in a user's tmpfiles are not reflected after activation, only at
boot when the user service systemd-tmpfiles-setup.service runs or only
after running systemd-tmpfiles manually.
Before this commit there was no way to access (boot into) specialisation of previous generations from grub,even tho they are there.
This commit will add grub submenu for each generation if the generation has any specialisation.
Which will allow you to boot into them.
Co-authored-by: Samuel Dionne-Riel <samuel@dionne-riel.com>
When I boot there's a warning `stage-2-init: install: cannot change permissions of '/etc/nixos': No such file or directory`
because my /etc/nixos is a symlink to $HOME/dotfiles.
```
/etc/nixos -> /home/artturin/dotfiles
```
These lines were added in 56b4653904
This avoids creating a build-time reference on `boot.kernelParams` if
the configuration does not use a kernel, i.e., `boot.kernel.enable` is
set to `false`.
There is only other `with` with a somewhat broad scope, `with pkgs`, but
it's used in a place where it would become awkward to change out. And
anyway its scope is rather limited still.
With a limited testing of all packaged GRUB 2 themes (pkgs.nixos-grub2-theme)
this is tested to work.
Without this change, the theme loading will error out (waiting for a key press).
With this change, the theme loads and works as expected.
The intent was to not pass the flag when installing as removable. In
reality there is a third case, where you may not want to touch EFI
variables, and not want to install as removable.
In that case, it would install to the generic \EFI\grub\grubx64.efi,
which is not a good choice in any cases. The operating system should
"own" their path under \EFI\ to be a good citizen [citation needed].
With this change, there can be only two paths GRUB can be installed to:
- \EFI\NixOS-boot\grubx64.efi
- \EFI\BOOT\bootx64.efi
This removes the surprising behaviour where GRUB may be installed to a
different location only because we configured NixOS not to touch EFI
variables.
It may be necessary under some configurations to install GRUB without
touching EFI variables, but to the NixOS-owned location.
This commit updates the binfmt magic-patterns using
f5e6786de4/scripts/qemu-binfmt-conf.sh
The patterns prior to this commit did not understand the difference
between mips32-*-* (32-bit void*,int) and mips64-*-*abin32 (32-bit
void*, 64-bit int). This commit corrects that.
In some setups, and especially with sytemd-networkd becoming more widely
used, networking.useDHCP is set to false. Despite this, it may be useful
to have dhcp in the initramfs.
Build logs show:
> configure: WARNING: non-linux system; not building mount
> configure: WARNING: non-linux system; not building swapon
So skip these on non-Linux
Using getOutput prevents eval failures on other platforms.
Things should stay eval'able with NIXPKGS_ALLOW_UNSUPPORTED_SYSTEM=1
Co-authored-by: Artturin <Artturin@artturin.com>
got broken in 6ea1a2a1be which changed
runCommandCC to runCommand but was not
noticed because it was failing silently
runCommand doesn't include CC or bintools
Example 10. of man page of systemd.network(5) shows:
```
Example 10. MacVTap
This brings up a network interface "macvtap-test" and attaches it to "enp0s25".
# /usr/lib/systemd/network/25-macvtap.network
[Match]
Name=enp0s25
[Network]
MACVTAP=macvtap-test
```
Which is a MACVTAP example and is currently unsupported in NixOS.
This is useful for people using "modern" technologies with virtual machines.
The whole option set was recommended against since mid-2019, and never
worked with the Raspberry Pi 4 family of devices.
We should have deprecated it in early 2020 for removal by 2021. At the
time I did not feel confident in making such a decision, and never
ended-up getting around to it.
The ***only*** supported-by-NixOS boot methods for AArch64 are
standards-based boot methods, namely UEFI or the pragmatically
almost-standard extlinux-compatible for U-Boot.
You can quote me on that.
According to networkd netdev's manpage:
```
Independent=
Takes a boolean. When true, the vxlan interface is created without any underlying network interface. Defaults to false, which means that a .network
file that requests this VXLAN interface using VXLAN= is required for the VXLAN to be created.
```
is a valid option for [VXLAN] section.
According to systemd.netdev manpage:
```
MACAddress=
Specifies the MAC address to use for the device, or takes the special value "none". When "none", systemd-networkd does not request the MAC address for
the device, and the kernel will assign a random MAC address. For "tun", "tap", or "l2tp" devices, the MACAddress= setting in the [NetDev] section is
not supported and will be ignored. Please specify it in the [Link] section of the corresponding systemd.network(5) file. If this option is not set,
"vlan" device inherits the MAC address of the master interface. For other kind of netdevs, if this option is not set, then the MAC address is
generated based on the interface name and the machine-id(5).
Note, even if "none" is specified, systemd-udevd will assign the persistent MAC address for the device, as 99-default.link has
MACAddressPolicy=persistent. So, it is also necessary to create a custom .link file for the device, if the MAC address assignment is not desired.
```
Therefore, `none` is an acceptable value.
Without this change, GRUB installation on non-PC systems (such as
aarch64-linux) only works if boot.loader.grub.devices is set to exactly
`["nodev"]`. If boot.loader.grub.devices was any other value (including
the default `[]`), users got the error:
Died at /nix/store/an9ngv2vg95bdcy0ifsxlbkasprm4dcw-install-grub.pl line 586.
install-grub.pl verifies that if both $grub and $grubEfi are set, then
$grubTarget (e.g. i386-pc) and $grubTargetEfi (e.g. x86_64-efi) must
both be set, or the script will `die`. On non-PC systems, $grubTarget
is "".
When boot.loader.grub.devices is ["nodev"], $grub is set to null,
disabling non-EFI installation. But if a user has devices set for an
x86_64 config, or is using only mirroredBoots without setting devices,
they will hit this `die`.
This change sets $grub to "" if $grubTarget is "".
This essentially backports
https://github.com/systemd/systemd/pull/27791. `systemd-networkd.service`
is sent the `SIGTERM` signal, but it is not required to be stopped
before `initrd-switch-root.target` is reached, despite the use of
`systemctl isolate initrd-switch-root.target`. This is because when
there is no ordering at all between two units, and a transaction stops
one and starts the other, the two operations can happen
simultaneously. This means the service could still be running when
`switch-root` actually occurs. Then, stage 2 systemd will see the
service still running and decide it doesn't need to add a start
operation for it to its initial transaction. Finally, the service
exits, but only after it's already too late. If, however, there is any
ordering at all between a stopping unit and a starting unit, then the
stop operation will be done first. This way, we ensure that the
service is properly exited before doing `switch-root`.
This is something to keep in mind going forward. There may be other
services that need this treatment. These `before` and `conflicts`
definitions are the correct way to ensure a unit is actually stopped
before you reach initrd-switch-root
it is now possible to supply a stratis pool uuid
for every filesystem, and if that filesystem
is required for boot, the relevant pool will be
started in the initramfs.
Enable using an erofs filesystem as one of the filesystems needed to
boot the system. This is useful for example in image based deployments
where the Nix store is mounted read only.
[erofs](https://docs.kernel.org/filesystems/erofs.html) offers multiple
benefits over older filesystems like squashfs. Skip fsck.erofs because
it is still experimental.
Store the definition files in the initrd instead of reading them from
the Nix store in /sysroot.
This way, the initrd has to be re-generated every time the definition
files change. When the path to the defintion files instead of the
definition files themselves are embedded in the initrd, however, the
initrd also has to be re-generated every time. In this regard, this
change does not improve the status quo.
However, now systemd-repart also works reliable when the Nix store is
mounted separately from the root partition.
This change also enables new use-cases like creating partitions
necessary to boot the system. However, by default, the root partition
cannot be created on first boot because the systemd-repart service
requires a /sysroot to be mounted. Otherwise, systemd-repart cannot
determine the device to operate on.
Since v253, systemd-repart tries to create temporary directories in
/var/tmp. However, this directory doesn't exist in the initrd. This
commit adds an enviroment variable to re-use the existing /tmp directory
instead of /var/tmp.
The `B` in bridge should be capitalized.
It currently leads to an evuluation error:
```
error: attribute 'sectionbridgeVLAN' missing
at /nix/store/7wmrwj0sgwg1iivxk43lpkqjhji57mq7-source/nixos/modules/system/boot/networkd.nix:2386:56:
2385| example = { VLAN = "10-20"; };
2386| type = types.addCheck (types.attrsOf unitOption) check.network.sectionbridgeVLAN;
| ^
2387| description = lib.mdDoc ''
Did you mean sectionBridgeVLAN?
```
This query yielded no results on search.nixos.org.
I don't think I can make all options magically appear, but you can
the other options by reading the text.
In order to fix
https://github.com/NixOS/nixpkgs/issues/114552 (profile name with
special characters), all OSError have been ignored while only the OSError
with errno 22 (invalid argument) could has been ignored.
The drawback of ignoring all OSError is that the "No space left on
device" error is also ignored. When the /boot doesn't have enough
available disk space, the switch-to-configuration script succeeds
while the boot menu has not been updated: the user thinks it's system
has been updated, but on the next reboot it is actually rollbacked.
Extension based matching for Windows targets define it '.exe' but kernel
documentation explicitly states it should be passed "without the .".
From https://docs.kernel.org/admin-guide/binfmt-misc.html
> * magic:
> [...] If you chose filename extension matching, this is the
> extension to be recognised (without the ., the \x0a specials are not
> allowed).
`systemd-growfs@.service` and `systemd-growfs-root.service` became real units since:
50072ccf1b
we need to add them to the nixos module so growfs works again
systemd now requires the /tmp mount point in the initrd cpio archive
since https://github.com/systemd/systemd/pull/25723
setting `"/tmp/.keep".text` will create the directory.
this fixes a boot failure:
```
(sd-gens): Failed to overmount /tmp/: No such file or directory
```
This reverts commits f5483464d5 and
6b9583e5e1.
Ideally, we shouldn't cause friction for users that bump `stateVersion`,
and I'd consider having to switch and/or manually hardcode a UID/GID
to supress the warning friction. I think it'd be more beneficial to, in
this rare case of an ID being missed, just let it be until more
discussion happens surrounding this overall issue.
See https://github.com/NixOS/nixpkgs/pull/217785 for more context.
Being able to override `boot.initrd.systemd.initrdBin` with `boot.initrd.systemd.extraBin` is a desirable behavior, so this PR changes the `ln -s` command to `ln -sf` to force link even if the file already exists.
{manpage} already exapnds to a link but akkoma wants to link to
a specific setting. split the mention for clarity.
networkd just straight up duplicated what {manpage} generates anyway, so
that link can go away completely.
Since this feature's inception, we've compiled a binary that uses OpenSSL
to perform PBKDF-SHA512 during the extra-utils build. In addition to this
being inefficient, it broke as of 6ea1a2a1be,
which switched the extra-utils derivation to use stdenvNoCC.
For now, I think the path of least resistence is to move the pbkdf-sha512
build to its own derivation, to fix the breakage, as well as improving
the efficiency of the extra-utils build.
(I do believe that at some point, we should revisit this binary -- perhaps
rewriting it -- as Clang even just on its default settings emits more
warnings than you'd want to see in a security-related codebase when
compiling it.)
We shouldn't be creating a systemd.services.systemd-binfmt value when
the upstream unit isn't being pulled in, because it results in a
service unit file with no ExecStart line
this converts meta.doc into an md pointer, not an xml pointer. since we
no longer need xml for manual chapters we can also remove support for
manual chapters from md-to-db.sh
since pandoc converts smart quotes to docbook quote elements and our
nixos-render-docs does not we lose this distinction in the rendered
output. that's probably not that bad, our stylesheet didn't make use of
this anyway (and pre-23.05 versions of the chapters didn't use quote
elements either).
also updates the nixpkgs manual to clarify that option docs support all
extensions (although it doesn't support headings at all, so heading
anchors don't work by extension).
Previously, secrets were named according to the initrd they were
associated with. This created a problem: If secrets were changed whilst
the initrd remained the same, there were two versions of the secrets
with one initrd. The result was that only one version of the secrets would
by recorded into the /boot partition and get used. AFAICT this would
only be the oldest version of the secrets for the given initrd version.
This manifests as #114594, which I found frustrating while trying to use
initrd secrets for the first time. While developing the secrets I found
I could not get new versions of the secrets to take effect.
Additionally, it's a nasty issue to run into if you had cause to change
the initrd secrets for credential rotation, etc, if you change them and
discover you cannot, or alternatively that you can't roll back as you
would expect.
Additional changes in this patch.
* Add a regression test that switching to another grub configuration
with the alternate secrets works. This test relies on the fact that it
is not changing the initrd. I have checked that the test fails if I
undo my change.
* Persist the useBootLoader disk state, similarly to other boot state.
* I had to do this, otherwise I could not find a route to testing the
alternate boot configuration. I did attempt a few different ways of
testing this, including directly running install-grub.pl, but what
I've settled on is most like what a user would do and avoids
depending on lots of internal details.
* Making tests that test the boot are a bit tricky (see hibernate.nix
and installer.nix for inspiration), I found that in addition to
having to copy quite a bit of code I still couldn't get things to
work as desired since the bootloader state was being clobbered.
My change to persist the useBootLoader state could break things,
conceptually. I need some help here discovering if that is the case,
possibly by letting this run through a staging CI if there is one.
Fix#114594.
cc potential reviewers:
@lopsided98 (original implementer) @joachifm (original reviewer),
@wkennington (numerous fixes to grub-install.pl), @lheckemann (wrote
original secrets test).
On some systems, EFI variables are not supported or otherwise wonky.
bootctl attempting to access them causes failures during bootloader
installations and updates. For such systems, NixOS provides the options
`boot.loader.efi.canTouchEfiVariables` and
`boot.loader.systemd-boot.graceful` which pass flags to bootctl that
change whether and how EFI variables are accessed.
Previously, these flags were only passed to bootctl during an install
operation. However, they also apply during an update operation, which
can cause the same sorts of errors. This change passes the flags during
update operations as well to prevent those errors.
Fixes https://github.com/NixOS/nixpkgs/issues/151336
The build of initrd-secrets can routinely fail for old boot entries
if the secrets have been removed or renamed in a later generation.
This always happens for generation 1, because it's built from the
NixOS installer and the paths differs by the mount point (i.e. /mnt).
The error is very confusing because it fails to mention it's about
an older generation and that it's somewhat harmless.
This commit turns the error into a warning for all generations but the
current, adds the name of the failed entry to the message and a note
explaining why it can happen.
apparently pandoc has changed behavior over the past releases, so the
files are no longer in sync. occasionally this requires edits
to the markdown source to not remove an anchor that was there
before (albeit wth a very questionable id), or where things were simply
being misrendered due to syntax errors.
This reverts commit da905d4cf9.
See the commit linked above for further information on why this was
needed. Apparently this is not needed anymore because the need for
LD_LIBRARY_PATH (which is needed for `modprobe(8)` to find
`libpthread.so.0`) doesn't exist anymore.
Since d33e52b253 the library path of each
binary in extra-utils is patched correctly.
That version has a regression that leaves some machines unbootable.
While we wait for the fix (252.2) to land in master, this is a workaround that
should save people some pain.
To reduce size, stage 1 (the initrd) is populated by copying specific
binaries in, then copying the libraries specifically needed by those
binaries. `patchelf` is then used to make the binaries search in the
directory where these libraries are copied to instead of their original
store paths.
Some filesystems (e.g. ZFS) do not guarantee that copying the same files
in the same order into a given directory will result in `find` returning
them in any particular order (though the order appears consistent so
long as the directory is not modified).
Therefore, when the binaries are scanned for libraries to copy in, they
might be scanned in a different order each time the derivation is built.
If two binaries need two different libraries with the same name, then a
different instance of the library might be copied in first, changing the
derivation contents and breaking reproducibility.
This turns out to be the case with `libudev.so.1` from both `systemd`
(needed by e.g. `mdadm`) and `systemdMinimal` (needed by e.g.
`dmsetup`). This issue is fixed by sorting the list of binaries to be
scanned instead of relying on filesystem order so that the same instance
always gets seen and copied first.
Both before this change (at least on ext4) and after this change
(without any options that affect stage 1), this is the `libudev.so.1`
from `systemdMinimal` by way of `dmsetup`. Whether this is appropriate
and how much the two different systemd configurations and udev libraries
need to be involved is a topic left for future work.
