Since this feature's inception, we've compiled a binary that uses OpenSSL
to perform PBKDF-SHA512 during the extra-utils build. In addition to this
being inefficient, it broke as of 6ea1a2a1be,
which switched the extra-utils derivation to use stdenvNoCC.
For now, I think the path of least resistence is to move the pbkdf-sha512
build to its own derivation, to fix the breakage, as well as improving
the efficiency of the extra-utils build.
(I do believe that at some point, we should revisit this binary -- perhaps
rewriting it -- as Clang even just on its default settings emits more
warnings than you'd want to see in a security-related codebase when
compiling it.)
We shouldn't be creating a systemd.services.systemd-binfmt value when
the upstream unit isn't being pulled in, because it results in a
service unit file with no ExecStart line
this converts meta.doc into an md pointer, not an xml pointer. since we
no longer need xml for manual chapters we can also remove support for
manual chapters from md-to-db.sh
since pandoc converts smart quotes to docbook quote elements and our
nixos-render-docs does not we lose this distinction in the rendered
output. that's probably not that bad, our stylesheet didn't make use of
this anyway (and pre-23.05 versions of the chapters didn't use quote
elements either).
also updates the nixpkgs manual to clarify that option docs support all
extensions (although it doesn't support headings at all, so heading
anchors don't work by extension).
Previously, secrets were named according to the initrd they were
associated with. This created a problem: If secrets were changed whilst
the initrd remained the same, there were two versions of the secrets
with one initrd. The result was that only one version of the secrets would
by recorded into the /boot partition and get used. AFAICT this would
only be the oldest version of the secrets for the given initrd version.
This manifests as #114594, which I found frustrating while trying to use
initrd secrets for the first time. While developing the secrets I found
I could not get new versions of the secrets to take effect.
Additionally, it's a nasty issue to run into if you had cause to change
the initrd secrets for credential rotation, etc, if you change them and
discover you cannot, or alternatively that you can't roll back as you
would expect.
Additional changes in this patch.
* Add a regression test that switching to another grub configuration
with the alternate secrets works. This test relies on the fact that it
is not changing the initrd. I have checked that the test fails if I
undo my change.
* Persist the useBootLoader disk state, similarly to other boot state.
* I had to do this, otherwise I could not find a route to testing the
alternate boot configuration. I did attempt a few different ways of
testing this, including directly running install-grub.pl, but what
I've settled on is most like what a user would do and avoids
depending on lots of internal details.
* Making tests that test the boot are a bit tricky (see hibernate.nix
and installer.nix for inspiration), I found that in addition to
having to copy quite a bit of code I still couldn't get things to
work as desired since the bootloader state was being clobbered.
My change to persist the useBootLoader state could break things,
conceptually. I need some help here discovering if that is the case,
possibly by letting this run through a staging CI if there is one.
Fix#114594.
cc potential reviewers:
@lopsided98 (original implementer) @joachifm (original reviewer),
@wkennington (numerous fixes to grub-install.pl), @lheckemann (wrote
original secrets test).
On some systems, EFI variables are not supported or otherwise wonky.
bootctl attempting to access them causes failures during bootloader
installations and updates. For such systems, NixOS provides the options
`boot.loader.efi.canTouchEfiVariables` and
`boot.loader.systemd-boot.graceful` which pass flags to bootctl that
change whether and how EFI variables are accessed.
Previously, these flags were only passed to bootctl during an install
operation. However, they also apply during an update operation, which
can cause the same sorts of errors. This change passes the flags during
update operations as well to prevent those errors.
Fixes https://github.com/NixOS/nixpkgs/issues/151336
The build of initrd-secrets can routinely fail for old boot entries
if the secrets have been removed or renamed in a later generation.
This always happens for generation 1, because it's built from the
NixOS installer and the paths differs by the mount point (i.e. /mnt).
The error is very confusing because it fails to mention it's about
an older generation and that it's somewhat harmless.
This commit turns the error into a warning for all generations but the
current, adds the name of the failed entry to the message and a note
explaining why it can happen.
apparently pandoc has changed behavior over the past releases, so the
files are no longer in sync. occasionally this requires edits
to the markdown source to not remove an anchor that was there
before (albeit wth a very questionable id), or where things were simply
being misrendered due to syntax errors.
This reverts commit da905d4cf9.
See the commit linked above for further information on why this was
needed. Apparently this is not needed anymore because the need for
LD_LIBRARY_PATH (which is needed for `modprobe(8)` to find
`libpthread.so.0`) doesn't exist anymore.
Since d33e52b253 the library path of each
binary in extra-utils is patched correctly.
nixos-enter sets up /etc/resolv.conf as a bind mount from the host
system, so trying to activate a system that sets
`environment.etc."resolv.conf"` (e.g. with systemd-resolved enabled)
results in an unhelpful warning.
Skip linking /etc/resolv.conf if we're in a nixos-enter environment, as
determined by the IN_NIXOS_ENTER environment variable.
Make the warnings more helpful, indicating which file we failed to link.
Unlink temporary files in case of failure.
That version has a regression that leaves some machines unbootable.
While we wait for the fix (252.2) to land in master, this is a workaround that
should save people some pain.
To reduce size, stage 1 (the initrd) is populated by copying specific
binaries in, then copying the libraries specifically needed by those
binaries. `patchelf` is then used to make the binaries search in the
directory where these libraries are copied to instead of their original
store paths.
Some filesystems (e.g. ZFS) do not guarantee that copying the same files
in the same order into a given directory will result in `find` returning
them in any particular order (though the order appears consistent so
long as the directory is not modified).
Therefore, when the binaries are scanned for libraries to copy in, they
might be scanned in a different order each time the derivation is built.
If two binaries need two different libraries with the same name, then a
different instance of the library might be copied in first, changing the
derivation contents and breaking reproducibility.
This turns out to be the case with `libudev.so.1` from both `systemd`
(needed by e.g. `mdadm`) and `systemdMinimal` (needed by e.g.
`dmsetup`). This issue is fixed by sorting the list of binaries to be
scanned instead of relying on filesystem order so that the same instance
always gets seen and copied first.
Both before this change (at least on ext4) and after this change
(without any options that affect stage 1), this is the `libudev.so.1`
from `systemdMinimal` by way of `dmsetup`. Whether this is appropriate
and how much the two different systemd configurations and udev libraries
need to be involved is a topic left for future work.
We separate the different steps (injecting the toplevel and injecting
the specialisations) so that it's easy to document what each snippet is
actually doing.
Yes I know it's dirty to link the rendered HTML, but linking
`#sec-kernel-config` breaks the manual build for me with the following
error:
element link: validity error : IDREF attribute linkend references an unknown ID "sec-kernel-config"
This is something that should probably be fixed, but for the current
change I'd argue that this is good enough (in fact even the
`nix.settings`-option uses that hack).
- The default cipher is BF-CBC, which openvpn refuses to use by default.
Switched to AES-256-CBC.
- openvpn does not require an external "ip" executable anymore, and does
not support the "ipconfig" option by default, so remove that option.
When no interfaces are managed by systemd-networkd, it will
unconditionally fail. This option allows it to be disabled in those
situations where it prevents system switches from succeeding.
The placement of this option under `nix` was misleading, as it is not
configuration of the Nix daemon, but rather configuration of the NixOS
boot process and how it mounts the Nix store. As such, make it an option
of `boot` to clarify what it actually affects, and imply that it will
only take effect on a reboot.
Since it no longer has the context of nix, adjust the name to include
it.
Or else systemd-oomd gets marked as failed due to
"Userspace Out-Of-Memory (OOM) Killer was skipped because of a failed condition check (ConditionControlGroupController=v2)."
and cause the system to enter degraded state.
Ref https://github.com/NixOS/nixpkgs/issues/195085
mountFS adds these strings to fstab and then relies on `mount` parsing fstab. If
they have spaces or tabs in them, that would break fstab and therefore not mount
with the unhelpful error: No such file or directory.
Co-authored-by: Lily Foster <lily@lily.flowers>
Co-authored-by: Luflosi <Luflosi@users.noreply.github.com>
Systemd 250:
> DHCPv4 client support in systemd-networkd learnt a new Label= option
> for configuring the address label to apply to configure IPv4
> addresses.
> The [IPv6AcceptRA] section of .network files gained support for a new
> UseMTU= setting that may be used to control whether to apply the
> announced MTU settings to the local interface.
> The [DHCPv4] section in .network file gained a new Use6RD= boolean
> setting to control whether the DHCPv4 client request and process the
> DHCP 6RD option.
> The [DHCPv6] section in .network file gained a new setting
> UseDelegatedPrefix= to control whether the delegated prefixes will be
> propagated to the downstream interfaces.
> The [IPv6AcceptRA] section of .network files now understands two new
> settings UseGateway=/UseRoutePrefix= for explicitly configuring
> whether to use the relevant fields from the IPv6 Router Advertisement
> records.
> The [RoutingPolicyRule] section of .network file gained a new
> SuppressInterfaceGroup= setting.
> The IgnoreCarrierLoss= setting in the [Network] section of .network
> files now allows a duration to be specified, controlling how long to
> wait before reacting to carrier loss.
Systemd 246:
> systemd-networkd's [DHCPv4] section gained a new setting UseGateway=
> which may be used to turn off use of the gateway information provided
> by the DHCP lease. A new FallbackLeaseLifetimeSec= setting may be
> used to configure how to process leases that lack a lifetime option.
> The IPv6Token= section in the [Network] section is deprecated, and
>> the [IPv6AcceptRA] section gained the Token= setting for its
>> replacement. The [IPv6Prefix] section also gained the Token= setting.
>> The Token= setting gained 'eui64' mode to explicitly configure an
>> address with the EUI64 algorithm based on the interface MAC address.
>> The 'prefixstable' mode can now optionally take a secret key. The
>> Token= setting in the [DHCPPrefixDelegation] section now supports all
>> algorithms supported by the same settings in the other sections.
* Remove `ForceDHCPv6PDOtherInformation=`
* Add a missing `WithoutRA=` option
Systemd 250:
> The ForceDHCPv6PDOtherInformation= setting in the [DHCPv6] section
> has been removed. Please use the WithoutRA= and UseDelegatedPrefix=
> settings in the [DHCPv6] section and the DHCPv6Client= setting in the
> [IPv6AcceptRA] section to control when the DHCPv6 client is started
> and how the delegated prefixes are handled by the DHCPv6 client.
Adapt to changes introduced in Systemd 250:
> The [DHCPv6PrefixDelegation] section in .network file is renamed to
> [DHCPPrefixDelegation], as now the prefix delegation is also
> supported with DHCPv4 protocol by enabling the Use6RD= setting.
Replaces the `dhcpV6PrefixDelegationConfig` with
`dhcpPrefixDelegationConfig` and throws an error if the old option is
used.
Also adapt the respective IPv6 prefix delegation test.
Before this patch, the entry match condition always fails, causing all
entries being removed. The error is not noticed because later they are
re-generated.
Before this patch, the gen_number found by regex contains
"-specialisation-foo" if specialisation is used. As a result, applying
int() to gen_number raises ValueError, causing entries containing
a specialisation part not being removed.
most of these are hidden because they're either part of a submodule that
doesn't have its type rendered (eg because the submodule type is used in
an either type) or because they are explicitly hidden. some of them are
merely hidden from nix-doc-munge by how their option is put together.
conversions were done using https://github.com/pennae/nix-doc-munge
using (probably) rev f34e145 running
nix-doc-munge nixos/**/*.nix
nix-doc-munge --import nixos/**/*.nix
the tool ensures that only changes that could affect the generated
manual *but don't* are committed, other changes require manual review
and are discarded.
mostly no rendering changes. some lists (like simplelist) don't have an
exact translation to markdown, so we use a comma-separated list of
literals instead.
most of the screen tags used in option docs are actually listings of
some sort. nsd had a notable exception where its screen usage was pretty
much a raw markdown block that made most sense to convert into docbook lists.
the way these are written they introduce lots of whitespace in each
line, which will cause those lines to render as code when converted to
markdown. override the whole description instead.
commit 0507725061 ("setup-hooks/strip.sh: run RANLIB on static
archives after stripping") added an extra argument to `stripDirs()`
helper.
I did not realize it's used outside the strip hook itself. Restore
stripping by passing $RANLIB as a new argument.
now nix-doc-munge will not introduce whitespace changes when it replaces
manpage references with the MD equivalent.
no change to the manpage, changes to the HTML manual are whitespace only.
Call dbus by using `$cur_systemd/busctl --json=...` and core modules
JSON::PP and IPC::Cmd to slim down dependencies for baseSystem.
perlPackages.NetDBus pulls in quite a few other dependencies, like
XML::Twig, LWP, and HTTP::Daemon. These are not really neccecary for
s-t-c, and some of them have caused issues particularly with cross
builds after updates to perlPackages.
make (almost) all links appear on only a single line, with no
unnecessary whitespace, using double quotes for attributes. this lets us
automatically convert them to markdown easily.
the few remaining links are extremely long link in a gnome module, we'll
come back to those at a later date.
we can't embed syntactic annotations of this kind in markdown code
blocks without yet another extension. replaceable is rare enough to make
this not much worth it, so we'll go with «thing» instead. the module
system already uses this format for its placeholder names in attrsOf
paths.
our xslt already replaces double line breaks with a paragraph close and
reopen. not using explicit para tags lets nix-doc-munge convert more
descriptions losslessly.
only whitespace changes to generated documents, except for two
strongswan options gaining paragraph two breaks they arguably should've
had anyway.
Now the tool will only strip binaries if a strip executable is passed
via the STRIP environment variable. This is exposed via the strip
option for makeInitrdNG and the NixOS option boot.initrd.systemd.strip.
The systemd-coredump module required systemd to be built with
withCoredump=true, even if the module was disabled.
- allow systemd to be missing systemd-coredump if the module is disabled
- switch to mkDefault for the sysctl config to allow user overrides when
the module is disabled
- add nixos tests for both the enabled and disabled cases
the conversion procedure is simple:
- find all things that look like options, ie calls to either `mkOption`
or `lib.mkOption` that take an attrset. remember the attrset as the
option
- for all options, find a `description` attribute who's value is not a
call to `mdDoc` or `lib.mdDoc`
- textually convert the entire value of the attribute to MD with a few
simple regexes (the set from mdize-module.sh)
- if the change produced a change in the manual output, discard
- if the change kept the manual unchanged, add some text to the
description to make sure we've actually found an option. if the
manual changes this time, keep the converted description
this procedure converts 80% of nixos options to markdown. around 2000
options remain to be inspected, but most of those fail the "does not
change the manual output check": currently the MD conversion process
does not faithfully convert docbook tags like <code> and <package>, so
any option using such tags will not be converted at all.
The ConditionFileNotEmpty override patch wasn't correct for stage1, which
does have the modules in /lib. So, remove the patch and set
the right path with overrides in the final system.
Also, make sure systemd-tmpfiles-setup-dev is pulled in to create
all the necessary symlinks.
Some plymouth themes use assets of others, like is the case with our
default bgrt depending on spinner. Missing assets would cause the
splashscreen to not render at all in stage 1.
Preliminary dependency resolution code seemed to be broken, and this
should fix it.
Only direct dependencies of selected theme are pulled in.
`boot.initrd.systemd.emergencyAccess` expects passwd(5) formatted
strings, hence `singleLineStr` is too broad.
Use the same type as `users.users.*.hashedPassword` to ensure
consistency across all options where password hashes are used.
From `modules/config/users-groups.nix`:
```
hashedPassword = mkOption {
type = with types; nullOr (passwdEntry str);
...
};
```
Handling of the string length condition in should_update
was broken, as evident with the log message
> leaving systemd-boot 246 in place (250.4 is not newer)
Discussion with @mweinelt came to the conclusion
that Python's "<" operator already does what we need,
so the should_update function can be dropped.
Fixes a30de3b849
Since, 4ddc78818e systemd-boot-builder
is broken in two ways:
* if no systemd-boot is currently installed *and* the NIXOS_INSTALL_BOOTLOADER
env variable is not set, it will try to run "bootctl update", which will fail
* if the currently installed systemd-boot version is newer than the version
we're about to install, it will also try to run "bootctl update", which will fail
This patch changes the behaviour,
* for the first case to still fail, but not even bother to try running
"bootctl update" and instead erroring out with an exception
* for the second case to leave the newer version in place, restoring
the pre - 4ddc78818e behaviour
To do the proper version check a new "should_update" helper function was introduced,
mimicing the compare_product C function from bootctl. If the following systemd
issue gets resolved, we would have a nice way to get rid of this function:
> https://github.com/systemd/systemd/issues/23450
This change allows to again switch to a different NixOS configuration which contains
an older systemd-boot.
Co-authored-by: Martin Weinelt <mweinelt@users.noreply.github.com>
