We should not remount all filesystem types since not all filesystems
are safe to remount and some (nfs) return errors if remounted with
certain mount options.
The enable attribute of `boot.initrd.systemd.contents.<name>` was
ignored for building initrd storePaths. This resulted in building
derivations for the initrd even if it was disabled.
Found while testing a to build a nixos system with a kernel without
lodable modules[0]
[0]: https://github.com/NixOS/nixpkgs/pull/411792
We currently bypass systemd's switch-root logic by premounting
/sysroot/run. Make sure to propagate its sub-mounts with the recursive
flag, in accordance with the default switch-root logic.
This is required for creds at /run/credentials to survive the transition
from initrd -> host.
I was confused why I could not get an emergency access console despite setting systemd.emergencyMode=true.
Turns out there is another similar option `boot.initrd.systemd.emergencyAccess` that I should have used.
This is confusing and this change should make it more clear vie the docs of both these options.
Containers did not have *systemd-journald-audit.socket* in *additionalUpstreamSystemUnits*, which meant that the unit was not provided.
However the *wantedBy* was added without any additional check, therefore creating an empty unit with just the *WantedBy* on *boot.isContainer* machines.
This caused `systemd-analyze verify` to fail:
```text
systemd-journald-audit.socket: Unit has no Listen setting (ListenStream=, ListenDatagram=, ListenFIFO=, ...). Refusing.
systemd-journald-audit.socket: Cannot add dependency job, ignoring: Unit systemd-journald-audit.socket has a bad unit file setting.
systemd-journald-audit.socket: Cannot add dependency job, ignoring: Unit systemd-journald-audit.socket has a bad unit file setting.
```
The upstream unit already contains the following, which should make it safe to include regardless:
```ini
[Unit]
ConditionSecurity=audit
ConditionCapability=CAP_AUDIT_READ
```
For reference, this popped up in the context of #[360426](https://redirect.github.com/NixOS/nixpkgs/issues/360426) as well as #[407696](https://redirect.github.com/NixOS/nixpkgs/pull/407696).
Co-authored-by: Bruce Toll <4109762+tollb@users.noreply.github.com>
Signed-off-by: benaryorg <binary@benary.org>
This is part of security-in-depth.
No suid binaries or devices should ever be in the nix store.
If they are, something is seriously wrong.
Disallowing this from a file system level should be non-breaking.
Thank you for making this change.
Unfortunately, and I take blame for this, this change to the module
system was not reviewed and approved by the module system maintainers.
I'm supportive of this change, but extending it on the staging-next
branch is not the right place.
This commit is also here to make sure that we don't run into conflicts
or other git trouble with the staging workflow.
Review:
It looks alright, but it didn't have tests yet, and it should be
considered in a broader context where the existence of this type
creates an incentive to be used in cases where the `<attr> = false;`
case is undesirable. I'd like to complement this with an type that
has `<attr> = {};` only.
My apologies for the lack of a timely and clear review. Often we
recommend to define the type outside the module system until
approved. This commit puts us back in that state.
attrNamesToTrue was introduced in 98652f9a90
lib/test.nix relies on `fileset.toSource` which creates a source dir
with the files of interest. `testers.shellcheck` passes all the files in
the source dir to shellcheck. The issue is related to relative path
sourcing, i.e. `source ./lib.sh` where shellcheck cannot make any
assumptions about the working directory.
Options were:
1) Disable this warning with a directive
Prior disabling in the tree:
- pkgs/tools/nix/info/info.sh
- nixos/modules/testing/test-instrumentation.nix
2) Set source-path to SCRIPTDIR with a directive
https://github.com/koalaman/shellcheck/wiki/Directive#source-path
Even though we don't enable external script following for shellcheck
with `-x` flag given every file in the source dir is passed, this
directive seems to capture the intent to help shellcheck a bit
better.
Went with option 2.
After RFC-0125 implementation, Determinate Systems was pinged multiple
times to transfer the repository ownership of the tooling to a
vendor-neutral repository.
Unfortunately, this never manifested. Additionally, the leadership of
the NixOS project was too dysfunctional to deal with this sort of
problem. It might even still be the case up to this day.
Nonetheless, nixpkgs is about enabling end users to enact their own
policies. It would be better to live in a world where there is one
obvious choice of bootspec tooling, in the meantime, we can live in a
world where people can choose their bootspec tooling.
The Lix forge possess one fork of the Bootspec tooling:
https://git.lix.systems/lix-community/bootspec which will live its own
life from now on.
Change-Id: I00c4dd64e00b4c24f6641472902e7df60ed13b55
Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
systemd-repart can be configured to not automatically issue BLKDISCARD commands
to the underlying hardware.
This PR exposes this option in the repart module.
The systemd.tmpfiles.settings.<name>.<path>.<type>.argument option may
contain arbitrary strings. This could allow intentional or unintentional
introduction of new configuration lines.
The argument field cannot be quoted, C‐style \xNN escape sequences are
however permitted. By escaping whitespace and newline characters, the
issue can be mitigated.
Format all Nix files using the officially approved formatter,
making the CI check introduced in the previous commit succeed:
nix-build ci -A fmt.check
This is the next step of the of the [implementation](https://github.com/NixOS/nixfmt/issues/153)
of the accepted [RFC 166](https://github.com/NixOS/rfcs/pull/166).
This commit will lead to merge conflicts for a number of PRs,
up to an estimated ~1100 (~33%) among the PRs with activity in the past 2
months, but that should be lower than what it would be without the previous
[partial treewide format](https://github.com/NixOS/nixpkgs/pull/322537).
Merge conflicts caused by this commit can now automatically be resolved while rebasing using the
[auto-rebase script](8616af08d9/maintainers/scripts/auto-rebase).
If you run into any problems regarding any of this, please reach out to the
[formatting team](https://nixos.org/community/teams/formatting/) by
pinging @NixOS/nix-formatting.
Previously, all generations for the primary system profile
read their data from the currently active one rather than
their own path, and specialisations in general all used
their parent bootspec rather than their own. This fixes both issues.
This commit still uses the parent path's build date for
specialisations, but this is more minor issue and the times
shouldn't be meaningfully different in most cases anyways.
Some upstream systemd units are conditionally installed into the systemd
output, so we must make sure the feature that enables their installation
is enabled on our side prior to trying to use them.
tracefs is a special-purpose filesystem in Linux used for tracing filesystem and kernel operations.
This was added to the kernel back in 2015 to replace debugfs. For security reasons, some system do not mount debugfs at all. Tracefs reduces the attack surface by allowing to trace without mounting debugfs. Additionally it provides features not supported by debugfs (such as calls for mkdir and rmdir
Debian and Arch Linux both enable this by default.
RHEL 8 and later, they enable tracefs by default.
Signed-off-by: John Titor <50095635+JohnRTitor@users.noreply.github.com>
Closes#381822
Apparently, I swapped `path` and `tmpfiles-type` in
2be50b1efe. Sorry about that 🫠
Also giving
`systemd.tmpfiles.settings.<config-name>.<path>.<tmpfiles-type>.type` a
better default in the manual than `‹name›`, i.e. `‹tmpfiles-type›` so
that it corresponds to the placeholders in the attribute path.
We default this option to null ; which is different
from upstream which defaults this to true.
Defaulting this to true leads to log-spam in /dev/kmesg
and thus in our opinion is a bad default https://github.com/systemd/systemd/issues/15324
This allows for instance to reject switching into a configuration, while
still allowing to reboot into that same configuration.
This can be useful for instance to reject switching to a configuration
with a new systemd major version, but setting that same configuration as
the new boot default with `switch-to-configuration boot` is fine.
A couple of improvements:
1. Avoid the generally discouraged apply argument to options, as it has
quite weird semantics
2. Avoid issues when a user calls a preSwitchCheck `script`, which
would've been silently overridden by the existing implementation.
Reliance on a special attribute name like that is bound to lead to a
very-hard-to-debug problem for someone at some point
3. Use writeShellApplication so that the preSwitchChecks are checked by
shellcheck and and so that they run with basic bash guardrails
4. Fix shellcheck issue (testing the value of $?)
5. Add a positive preSwitchCheck to the nixos test, to make sure that
that works as intended
We need to take the "top" mount instead of any mount, which is the last
line printed by findmnt. Additionally, make the regex more strict, so we
don't select mount options ending in ro (like `errors=remount-ro` from
ext4, or overlay paths ending in 'ro') and accidentally leave the Nix
store RW after boot.
Prior to this change a service failure would occur when this tmpfiles
service did not finish fast enough and receive a SIGTERM from systemd.
Additionally, `initrd-nixos-activation` is already ordered with
`After=initrd-switch-root.target`.
By default, systemd-repart refuses to act on empty disk devices, i.e.
those without any existing partition table for safety reasons.
This behaviour can be customized via the `--empty` flag, which we now
expose via the module system. This makes to partition empty disks
on first boot.
These daemons should not be stopped, as they're foundational to a
proper functioning of the system. When switching configurations, they
only need a restart instead of that stop/start cycle.
Helps the following situation:
- SSH in initrd is enabled
- NixOS is waiting for a password to be typed at the console (or
provided via cryptsetup-askpass)
- The user logs in via SSH, but instead of running cryptsetup-askpass,
they run "cryptsetup open" directly (because they don't know that
they need to use NixOS's cryptsetup-askpass script, or because they
want to use a non-trivial unlocking method that is not natively
supported by this module)
Currently, in the above situation, NixOS will keep waiting for a
password to be entered even though the device is already unlocked. If
a password is entered, it will print a confusing "already exists"
error and keep asking for the same password.
We can improve on this by simply checking if the device is already
unlocked in our read loop. In this case, we don't need to do anything
other than return from the function and continue booting.
Removing the splash param only causes plymouth to display console
output by default; it still runs. Systemd stage 1 respects this flag
due to unit conditions preventing plymouth from even running. So this
brings parity to scripted stage 1.
When using nixos-enter (and so also nixos-install) on a system with etc-overlay enabled,
he activation script gets called directly, and there is no systemd running.
This violates a couple of assumptions in the etc-overlay activation script which
assumed that it only ever ran when switching into a new generation and that
the very first /etc would always have been set up by the systemd initrd.
As more and more things are being moved into systemd components (initrd services,
mount units, tmpfiles, etc), I think that it is going to become increasingly
difficult to stay compatible with these tools, but at least for now there is
no real alternative and so we probably want to be able to install systems
with etc-overlay enabled.
This makes it so that the getty units are only included if
`config.console.enable` is set to `true`. Previously, they would be
included, but disabled in that case, which is unnecessary.
The assertion is based on the availability of `move-mount-beneath`, which is only used in re-activation logic for switchable systems. Systems that have `system.switch.enable == false` should be allowed to user older kernels.
After final improvements to the official formatter implementation,
this commit now performs the first treewide reformat of Nix files using it.
This is part of the implementation of RFC 166.
Only "inactive" files are reformatted, meaning only files that
aren't being touched by any PR with activity in the past 2 months.
This is to avoid conflicts for PRs that might soon be merged.
Later we can do a full treewide reformat to get the rest,
which should not cause as many conflicts.
A CI check has already been running for some time to ensure that new and
already-formatted files are formatted, so the files being reformatted here
should also stay formatted.
This commit was automatically created and can be verified using
nix-build a08b3a4d19.tar.gz \
--argstr baseRev b32a094368
result/bin/apply-formatting $NIXPKGS_PATH
As it helps making deps easier to discover - as we don't currently
render submodule options in the module correctly - and is arguably
more technical correct: When using nixos-install to install nixos
into a chroot in i.e. /mnt, there's no gurantee that /mnt/dev exists
before the specialfs phase ran.
On recent kernels (> 6.12 ?) we get the following warning otherwise:
`mount: /tmp/nixos-etc-metadata.aHpRhO5sC4: WARNING: source write-protected, mounted read-only.`
Previously, if any unit had a socket associated with it, stc-ng
counted it as "socket-activated", meaning that the unit would get
stopped and the socket get restarted. That can wreak havoc on units
like systemd-udevd and systemd-networkd.
Instead, let units set the new flag notSocketActivated, which sets a
boolean on the unit indicating to stc-ng that the unit wants to be
treated like any other non-socket-activated unit instead. That will
stop/start or restart these units on upgrades, without unnecessarily
tearing down any machinery that the system needs to run.
