This patch allows creation of files like
/etc/systemd/system/user-.slice.d/limits.conf with
    systemd.units."user-.slice.d/limits.conf" = {
      text = ''
        [Slice]
        CPUAccounting=yes
        CPUQuota=50%
      '';
    };
which previously threw an error.
Also renames the systemd-unit-path test to systemd-misc, and extends it to
test that `systemd.units` can handle directories. In this case we make
sure that resource limits specified in user slices apply.
The tests complained:
/nix/store/nm3nf5y4hzgmy00lw5s6ls68j38y84y0-gjs-1.72.0-installedTests/libexec/installed-tests/gjs/scripts/testCommandLineModules.sh: line 90: gjs-console: command not found
But they still passed.
* nixos/earlyoom: bring the module up to date
Removes deprecated option `ignoreOOMScoreAdjust`, introduces `killHook`
as a replacement for `notificationsCommand`, and adds an `extraArgs`
option for things not covered by the module.
* nixos/earlyoom: add nixos test
* nixos/earlyoom: add reportInterval
Allows setting the interval for logging a memory report. Defaults to
3600 following upstream
(https://github.com/rfjakob/earlyoom/blob/master/earlyoom.default#L5)
to avoid flooding logs.
* nixos/earlyoom: add free{Mem,Swap}KillThreshold
Fixes https://github.com/NixOS/nixpkgs/issues/83504
In https://github.com/NixOS/nixpkgs/pull/142747, the implementation
behind Machine.execute() has been changed to pipe all the command's
output into base64 on the guest machine.
Unfortunately this means that base64 is blocking until stdout is closed,
which in turn means that we now need to make sure that whenever we run a
program in background via "&" we also need to make sure to close stdout,
which we do by redirecting stdout to stderr.
Signed-off-by: aszlig <aszlig@nix.build>
some change in the last 24 hours altered the behaviour of st such that
it now dies with a non-zero exit code when the shell exits, so kill is
now necessary
It was originally impossible to log in to toot without having an
interactive shell. I opened https://github.com/ihabunek/toot/pull/180
upstream to fix that and fetch this patch for this test.
The author decided to fix the issue using a slightly different
approach at a3eb5dca24
Because of this upstream fix, our custom patch does not apply anymore.
Using that stdin-based login upstream feature.
pam-ussh allows authorizing using an SSH certificate stored in your
SSH agent, in a similar manner to pam-ssh-agent-auth, but for
certificates rather than raw public keys.
it's really easy to accidentally write the wrong systemd Exec* directive, ones
that work most of the time but fail when users include systemd metacharacters
in arguments that are interpolated into an Exec* directive. add a few functions
analogous to escapeShellArg{,s} and some documentation on how and when to use them.
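An added example, not code from the commit or from nixpkgs: a Python sketch of one way to escape arguments for an Exec* line, by JSON-style double quoting and then doubling `%` and `$`. The function names, the `SYSTEMD_META` table and the sample arguments are assumptions made for illustration.

```python
import json

# Characters that systemd itself interprets when parsing an Exec* line.
SYSTEMD_META = {
    "%": "specifier expansion (%h, %n, ...)",
    "$": "environment variable substitution",
    '"': "quoting",
    "'": "quoting",
    "\\": "C-style escape",
    ";": "command separator when it stands as its own word",
    " ": "argument splitting",
}


def risky_chars(arg):
    """Return the systemd metacharacters present in a raw argument."""
    return sorted(c for c in SYSTEMD_META if c in arg)


def escape_systemd_exec_arg(arg):
    """Quote one argument so systemd hands it to the program verbatim."""
    if isinstance(arg, bool) or not isinstance(arg, (str, int, float)):
        raise TypeError("only strings and numbers can be escaped")
    # A JSON string is a double-quoted string with C-style escapes,
    # a form the Exec* parser also accepts.
    quoted = json.dumps(str(arg))
    # Quoting does not stop specifier or variable handling, so double both.
    return quoted.replace("%", "%%").replace("$", "$$")


def escape_systemd_exec_args(args):
    """Escape every argument and join them into one Exec* command line."""
    return " ".join(escape_systemd_exec_arg(a) for a in args)


# Constructed sample: a program path followed by user-supplied arguments.
SAMPLE = ["/run/current-system/sw/bin/notify", "disk at 95%",
          "cost: $5", 'say "hi"; done']

if __name__ == "__main__":
    for raw in SAMPLE:
        print(f"{raw!r:40} risky={risky_chars(raw)}")
    print("ExecStart=" + escape_systemd_exec_args(SAMPLE))
```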
This adds an option `services.taskserver.openFirewall` to allow the user
to choose whether or not the firewall port should be opened for the
service. This is no longer the case by default.
See also https://github.com/NixOS/nixpkgs/issues/19504.
The cntr sometimes hangs until the 10-hour hydra limit. This behaviour
appears to be an edge-case related to the type of TTY in which the cntr
command runs during test execution. We can work around this by running
the command as a background job.
I additionally added a wait_for_open_port to fix nondeterministic test
failures I observed after fixing the hanging issue.
In issue #157787 @martined wrote:
Trying to use confinement on packages providing their systemd units
with systemd.packages, for example mpd, fails with the following
error:
system-units> ln: failed to create symbolic link
'/nix/store/...-system-units/mpd.service': File exists
This is because systemd-confinement and mpd both provide a mpd.service
file through systemd.packages. (mpd got updated that way recently to
use upstream's service file)
To address this, we now place the unit file containing the bind-mounted
paths of the Nix closure into a drop-in directory instead of using the
name of a unit file directly.
This does come with the implication that the options set in the drop-in
directory won't apply if the main unit file is missing. In practice
however this should not happen for two reasons:
* The systemd-confinement module already sets additional options via
systemd.services and thus we should get a main unit file
* In the unlikely event that we don't get a main unit file regardless
of the previous point, the unit would be a no-op even if the options
of the drop-in directory would apply
Another thing to consider is the order in which those options are
merged, since systemd loads the files from the drop-in directory in
alphabetical order. So given that we have confinement.conf and
overrides.conf, the confinement options are loaded before the NixOS
overrides.
Since we're only setting the BindReadOnlyPaths option, the order isn't
that important since all those paths are merged anyway and we still
don't lose the ability to reset the option since overrides.conf comes
afterwards.
Fixes: https://github.com/NixOS/nixpkgs/issues/157787
Signed-off-by: aszlig <aszlig@nix.build>
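An added example, not part of the commit: a simplified Python model of the drop-in merge order described above, where drop-ins are applied after the main unit in alphabetical order, a list option such as BindReadOnlyPaths accumulates, and an empty assignment resets it. The store paths and file contents are constructed, and the model ignores sections and quoting.

```python
# Options whose assignments accumulate instead of replacing each other.
LIST_OPTIONS = {"BindReadOnlyPaths"}


def merge_unit(main_lines, dropins):
    """Merge a main unit with its drop-ins.

    dropins maps a file name (e.g. "confinement.conf") to its lines.
    Files are applied after the main unit, sorted by file name.
    """
    merged = {}
    sources = [main_lines] + [dropins[name] for name in sorted(dropins)]
    for lines in sources:
        for line in lines:
            line = line.strip()
            # Skip blanks, comments and section headers in this model.
            if not line or line.startswith(("#", ";", "[")):
                continue
            key, _, value = line.partition("=")
            key, value = key.strip(), value.strip()
            if key in LIST_OPTIONS:
                if value == "":
                    merged[key] = []          # empty assignment resets
                else:
                    merged.setdefault(key, []).extend(value.split())
            else:
                merged[key] = value           # scalar: last one wins
    return merged


# Constructed sample data with placeholder store paths.
MAIN = ["[Unit]", "Description=Music Player Daemon"]
DROPINS = {
    "overrides.conf": ["[Service]", "BindReadOnlyPaths=/etc/mpd.conf"],
    "confinement.conf": [
        "[Service]",
        "BindReadOnlyPaths=/nix/store/aaaa-mpd /nix/store/bbbb-glibc",
    ],
}
# The same override, but resetting the list before adding its own path.
DROPINS_RESET = dict(DROPINS)
DROPINS_RESET["overrides.conf"] = [
    "[Service]", "BindReadOnlyPaths=", "BindReadOnlyPaths=/etc/mpd.conf",
]

if __name__ == "__main__":
    print(merge_unit(MAIN, DROPINS)["BindReadOnlyPaths"])
    print(merge_unit(MAIN, DROPINS_RESET)["BindReadOnlyPaths"])
```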
Currently the test-watch.service gets started in a loop as long as
/testpath exists, so `rm /testpath /testpath-modified` runs into a race
condition where if the service was just getting activated, it will
create /testpath-modified and make the test fail.
This is fixed by making the service RemainAfterExit so that it only
starts once, and stopping it manually after we remove /testpath.
logrotate.timer is enough for rotating logs. Enabling logrotate.service would
make the service start on every configuration switch, leading to test failures when
logrotate is enabled.
Also update test to make sure the timer is active and runs the service
on date change.
The test was looking at the wrong interface and relying on silly
behaviour by the dummy driver, which autocreated a `dummy0` interface on
modprobe.
Fix this by making it look at the actual `foo` interface that the test
creates.
Previously the bonding driver would create an initial `bond0` interface
when it was loaded. If the network management integration used that
interface and did not recreate it, it was stuck to the default
`balance-rr` mode.
Deploying systemd's modprobe.d configuration sets `max_bonds=0`, so we
don't run into that issue anymore.
Hence we now make sure that we can indeed create `bond0` with `802.3ad`
(LACP), which is a non default mode.
systemd needs this so special characters (like the ones in wireguard
units that appear because they are part of base64) can be escaped using
the \x syntax.
Root of the issue is that `glob()` handles the backslash internally
which is obviously not what we want here.
Also add a test case and fix some perlcritic issues in the subroutine.
There are now multiple combinations of how one can pass either
extraPackages or extraComponents. We now test those passed directly to
the package via an override, and those passed indirectly via the module,
that ultimately results in a second override to the package.
This commit also changes the names of the tests for Hadoop so they use dashes instead of dots,
and makes the default `hadoop` test what would have been `hadoop-all` after the rename.
This change should mean that we're able to run
`nix build github:nixos/nixpkgs/master#nixosTests.hadoop`
which I was unable to do prior to this change.
The test failed with
> Test "test5 user should not be able to run commands under root" failed with
> error: "invalid literal for int() with base 10: ''"
since 2492da88ea.
The reason for this is that `sudo(8)` writes the lecture to the
tty[1] and only as a fallback to stdout[2]. This means that the
`base64 --wrap 0` executed by `machine.execute()` doesn't affect the
text written to the terminal, however the lecture is part of the string
that's read from the VM via `shell.recv()`.
I confirmed the problem in an interactive test session[3]:
>>> command = "sudo -u test5 sudo -n -u root true"
>>> out_command = f"( set -euo pipefail; {command} ) | (base64 --wrap 0; echo)\n"
>>> machine.shell.send(out_command.encode())
84
>>> machine # [ 99.015512] sudo[877]: root : TTY=hvc0 ; PWD=/tmp ; USER=test5 ; COMMAND=/run/wrappers/bin/sudo -n -u root true
machine # [ 99.019373] sudo[877]: pam_unix(sudo:session): session opened for user test5(uid=1005) by (uid=0)
machine # [ 99.038692] sudo[879]: pam_unix(sudo:auth): conversation failed
machine # sudo: a password is required
machine # [ 99.041860] sudo[879]: pam_unix(sudo:auth): auth could not identify password for [test5]
machine # [ 99.046901] sudo[877]: pam_unix(sudo:session): session closed for user test5
>>>
>>> x=machine._next_newline_closed_block_from_shell()
>>> print(x)
<newline>
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
<newline>
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
<newline>
<newline>
<newline>
>>>
Since the lecture isn't strictly necessary to confirm that
`security.sudo` works as expected, I decided to disable lecturing
inside the test, however we may want to fix the underlying problem in
the test-driver at some point.
[1] https://github.com/sudo-project/sudo/blob/SUDO_1_9_9/plugins/sudoers/check.c#L275-L283
[2] https://github.com/sudo-project/sudo/blob/SUDO_1_9_9/src/conversation.c#L95-L120
[3] I replaced each empty line with `<newline>` to make sure these
aren't swallowed by git.
Chrome, Chromium, VSCode, Slack, Signal, Discord, element-desktop,
schildichat.
For the latter two, the feature flag useWayland was removed and a
wrapper script was provided.
The `nix.*` options, apart from options for setting up the
daemon itself, currently provide a lot of setting mappings
for the Nix daemon configuration. The scope of the mapping yields
convenience, but the line where an option is considered essential
is blurry. For instance, the `extra-sandbox-paths` mapping is
provided without its primary consumer, and the corresponding
`sandbox-paths` option is also not mapped.
The current system increases the maintenance burden as maintainers have to
closely follow upstream changes. In this case, there are two state versions
of Nix which have to be maintained collectively, with different options
available.
This commit aims to follow the standard outlined in RFC 42[1] to
implement a structural setting pattern. The Nix configuration is encoded
at its core as key-value pairs which maps nicely to attribute sets, making
it feasible to express in the Nix language itself. Some existing options are
kept such as `buildMachines` and `registry` which present a simplified interface
to managing the respective settings. The interface is exposed as `nix.settings`.
Legacy configurations are mapped to their corresponding options under `nix.settings`
for backwards compatibility.
Various option settings in other nixos modules and relevant tests have been
updated to use structural setting for consistency.
The generation and validation of the configuration file has been modified to
use `writeTextFile` instead of `runCommand` for clarity. Note that validation
is now mandatory as strict checking of options has been pushed down to the
derivation level due to freeformType consuming unmatched options. Furthermore,
validation can not occur when cross-compiling due to current limitations.
A new option `publicHostKey` was added to the `buildMachines`
submodule corresponding to the base64 encoded public host key settings
exposed in the builder syntax. The build machine generation was subsequently
rewritten to use `concatStringsSep` for better performance by grouping
concatenations.
[1] - https://github.com/NixOS/rfcs/blob/master/rfcs/0042-config-option.md
It looks like "make-bcache" also registers the devices, so the separate
registration afterwards is unnecessary.
Previously, the separate registration right afterwards didn't cause
a problem, presumably because it won the race with make-bcache's
registration. After 1640359f33 slightly
changed the timing of command execution in tests, the separate
registration often fails with the error message "device already
registered", stopping the test.
Release notes: https://github.com/swaywm/sway/releases/tag/1.7
Notable (backward incompatible) changes:
- The default terminal changed from Alacritty to foot
Known issues:
- `swaynag` will crash when Sway 1.6.1 is still running while the Nix
package (and thus `swaynag`) is already updated to version 1.7.
- The experimental Ozone/Wayland support of Electron apps will be broken
for a while. Electron version 17 should work but the Chromium fixes
haven't yet been backported to Electron version 16.
NixOS module: programs.sway.extraPackages: The "alacritty" package was
replaced with "foot".
VM test: We switched from the OpenGL ES 2.0 renderer to Pixman. The
terminal was also changed to foot but Alacritty is still used for the
XWayland test (since foot doesn't support X11).
Co-authored-by: Patrick Hilhorst <git@hilhorst.be>
Some tests from the `nixos/tests` folder were missing in the `all-tests.nix`
file. This meant they couldn't be run from the `nixosTests` attribute
set and therefore not be linked to their packages.
As written, the nixos/quorum module will simply run forever, and has
been timing out in Hydra. Implement a fix for such by changing the final
statement from a wait_until_succeeds to simply succeed, forcing the test
to succeed or fail instead of run indefinitely.
- Fully get rid of `parseKeyValues` and use systemctl features for that
- Add some regex modifiers recommended by perlcritic
- Get rid of a postfix if
- Sort units when showing their status
- Clean the logic for showing what failed from `elif` to `next`
- Switch from `state` to `substate` for `auto-restart` because that's
actually where the value is stored
- Show status of units with one single systemctl call and get rid of
COLUMNS in favor of --full
- Add a test for failing units
Replace sleep() calls where possible, using wait_for_* methods. This
should provide more robustness in cases where tests are running on a
congested system.
Since dhcpd has been hardened (DynamicUser → NoNewPrivileges) it can't
use a setcap wrapper. Instead, we add the net_admin capability to its
ambient set and run `ip route` directly. This is also safer than giving
everyone permission to change the routing table.