Fail pattern:
1. Unsuspecting `qemu-kvm` notice:
```
server # qemu-kvm: at most 2047 MB RAM can be simulated
```
2. Hard fail
```
self.shell.send(out_command.encode())
BrokenPipeError: [Errno 32] Broken pipe
```
(Took me a while to consider those lines are related)
Fail pattern:
1. Unsuspecting `qemu-kvm` notice:
```
server # qemu-kvm: at most 2047 MB RAM can be simulated
```
2. Hard fail
```
self.shell.send(out_command.encode())
BrokenPipeError: [Errno 32] Broken pipe
```
(Took me a while to consider those lines are related)
the non-networkd backend does not wait for slaac to finish (ie, ipv6
addresses coming out of tentative state), and that breaks the mosquitto
bind_interface test slightly. if slaac takes too long the test will run
into mosquitto restart limits and fail.
Because llvmPackages_latest is used in Nixpkgs, by quite a few
packages, it's difficult to keep it up to date, because updating it
requires some level of confidence that every package that uses it is
going to keep working after the update. The result of this is that
llvmPackages_latest is not updated, and so we end up in the situation
that "latest" is two versions older than the latest version we
actually provide. This is confusing and unexpected.
"But won't this end up fragmenting our LLVM versions, if every package
previously using _latest is separately pinned to LLVM 14?", I hear you
ask. No. That fragmentation is already happening, even with an
llvmPackages_latest, because packages that actually require the
_latest_ version of LLVM (15/16), have already been decoupled from
llvmPackages_latest since it hasn't been upgraded. So like it or not,
we can't escape packages depending on specific recent LLVMs. The only
real fix is to get better at keeping the default LLVM up to
date (which I'm reasonably confident we're getting into a better
position to be feasibly better able to do).
So, unless we want to double down on providing a confusingly named
"llvmPackages_latest" attribute that refers to some arbitrary LLVM
version that's probably not the latest one (or even the latest one
available in Nixpkgs), we only have two options here: either we don't
provide such an attribute at all, or we don't use it in Nixpkgs so we
don't become scared to bump it as soon as we have a new LLVM available.
commit fd5d7b2586 ("tests/bpf: add module BTF test") added a new test
for module BTF, but that test does not work on aarch64. (merged in
https://github.com/NixOS/nixpkgs/pull/214001 )
This is not a regression (kfuncs didn't work on bpftrace 0.16,
even if you do not use features requiring BTF like argument name
or type), so just disable the test on aarch64 until it is fixed.
* add sector size parameter to swap randomEncryption
* add key size parameter to swap randomEncryption
* allow deviceName to be overridden for encrypted swap
* create test for swap random encryption
* update release notes
To reduce the danger of accidentally exposing sensitive files processed
by a restic backup to other services/users, enable the `PrivateTmp=`
feature of restic service units, which provides a per service isolation
of `/tmp` and `/var/tmp`.
Co-authored-by: Daniel Nagy <danielnagy@posteo.de>
This removes the feature preview warning, enable by default bootspec,
adds a validation flag to prevent Go to go into build-time closure.
This will break all downstream users of bootspec as those changes are
not backward-compatible.
This option has been introduced in 678eed323f without realizing there was this
PR inflight, unfortunately, it collide with what this PR does and make
it irrelevant.
Therefore, I remove it here.
Bind mount the base dirs of the tls key and chain into the service.
Make sure to bind every directory just once. The test failed on ofborg
when /nix/store and the certificate path in /nix/store/<some path> were
bound.
I think this is required for the gdbus invocations used to implement
the test, rather than for power-profiles-daemon itself.
Fixes: a813be071c ("nixos/polkit: don't enable by default")
