This option allows adding the build closure of the system to its
runtime closure, enabling fully-offline rebuilds (as long as no new
packages are added).
Extension based matching for Windows targets define it '.exe' but kernel
documentation explicitly states it should be passed "without the .".
From https://docs.kernel.org/admin-guide/binfmt-misc.html
> * magic:
> [...] If you chose filename extension matching, this is the
> extension to be recognised (without the ., the \x0a specials are not
> allowed).
`systemd-growfs@.service` and `systemd-growfs-root.service` became real units since:
50072ccf1b
we need to add them to the nixos module so growfs works again
systemd now requires the /tmp mount point in the initrd cpio archive
since https://github.com/systemd/systemd/pull/25723
setting `"/tmp/.keep".text` will create the directory.
this fixes a boot failure:
```
(sd-gens): Failed to overmount /tmp/: No such file or directory
```
This reverts commits f5483464d5 and
6b9583e5e1.
Ideally, we shouldn't cause friction for users that bump `stateVersion`,
and I'd consider having to switch and/or manually hardcode a UID/GID
to supress the warning friction. I think it'd be more beneficial to, in
this rare case of an ID being missed, just let it be until more
discussion happens surrounding this overall issue.
See https://github.com/NixOS/nixpkgs/pull/217785 for more context.
Being able to override `boot.initrd.systemd.initrdBin` with `boot.initrd.systemd.extraBin` is a desirable behavior, so this PR changes the `ln -s` command to `ln -sf` to force link even if the file already exists.
{manpage} already exapnds to a link but akkoma wants to link to
a specific setting. split the mention for clarity.
networkd just straight up duplicated what {manpage} generates anyway, so
that link can go away completely.
Since this feature's inception, we've compiled a binary that uses OpenSSL
to perform PBKDF-SHA512 during the extra-utils build. In addition to this
being inefficient, it broke as of 6ea1a2a1be,
which switched the extra-utils derivation to use stdenvNoCC.
For now, I think the path of least resistence is to move the pbkdf-sha512
build to its own derivation, to fix the breakage, as well as improving
the efficiency of the extra-utils build.
(I do believe that at some point, we should revisit this binary -- perhaps
rewriting it -- as Clang even just on its default settings emits more
warnings than you'd want to see in a security-related codebase when
compiling it.)
We shouldn't be creating a systemd.services.systemd-binfmt value when
the upstream unit isn't being pulled in, because it results in a
service unit file with no ExecStart line
this converts meta.doc into an md pointer, not an xml pointer. since we
no longer need xml for manual chapters we can also remove support for
manual chapters from md-to-db.sh
since pandoc converts smart quotes to docbook quote elements and our
nixos-render-docs does not we lose this distinction in the rendered
output. that's probably not that bad, our stylesheet didn't make use of
this anyway (and pre-23.05 versions of the chapters didn't use quote
elements either).
also updates the nixpkgs manual to clarify that option docs support all
extensions (although it doesn't support headings at all, so heading
anchors don't work by extension).
Previously, secrets were named according to the initrd they were
associated with. This created a problem: If secrets were changed whilst
the initrd remained the same, there were two versions of the secrets
with one initrd. The result was that only one version of the secrets would
by recorded into the /boot partition and get used. AFAICT this would
only be the oldest version of the secrets for the given initrd version.
This manifests as #114594, which I found frustrating while trying to use
initrd secrets for the first time. While developing the secrets I found
I could not get new versions of the secrets to take effect.
Additionally, it's a nasty issue to run into if you had cause to change
the initrd secrets for credential rotation, etc, if you change them and
discover you cannot, or alternatively that you can't roll back as you
would expect.
Additional changes in this patch.
* Add a regression test that switching to another grub configuration
with the alternate secrets works. This test relies on the fact that it
is not changing the initrd. I have checked that the test fails if I
undo my change.
* Persist the useBootLoader disk state, similarly to other boot state.
* I had to do this, otherwise I could not find a route to testing the
alternate boot configuration. I did attempt a few different ways of
testing this, including directly running install-grub.pl, but what
I've settled on is most like what a user would do and avoids
depending on lots of internal details.
* Making tests that test the boot are a bit tricky (see hibernate.nix
and installer.nix for inspiration), I found that in addition to
having to copy quite a bit of code I still couldn't get things to
work as desired since the bootloader state was being clobbered.
My change to persist the useBootLoader state could break things,
conceptually. I need some help here discovering if that is the case,
possibly by letting this run through a staging CI if there is one.
Fix#114594.
cc potential reviewers:
@lopsided98 (original implementer) @joachifm (original reviewer),
@wkennington (numerous fixes to grub-install.pl), @lheckemann (wrote
original secrets test).
On some systems, EFI variables are not supported or otherwise wonky.
bootctl attempting to access them causes failures during bootloader
installations and updates. For such systems, NixOS provides the options
`boot.loader.efi.canTouchEfiVariables` and
`boot.loader.systemd-boot.graceful` which pass flags to bootctl that
change whether and how EFI variables are accessed.
Previously, these flags were only passed to bootctl during an install
operation. However, they also apply during an update operation, which
can cause the same sorts of errors. This change passes the flags during
update operations as well to prevent those errors.
Fixes https://github.com/NixOS/nixpkgs/issues/151336
The build of initrd-secrets can routinely fail for old boot entries
if the secrets have been removed or renamed in a later generation.
This always happens for generation 1, because it's built from the
NixOS installer and the paths differs by the mount point (i.e. /mnt).
The error is very confusing because it fails to mention it's about
an older generation and that it's somewhat harmless.
This commit turns the error into a warning for all generations but the
current, adds the name of the failed entry to the message and a note
explaining why it can happen.
apparently pandoc has changed behavior over the past releases, so the
files are no longer in sync. occasionally this requires edits
to the markdown source to not remove an anchor that was there
before (albeit wth a very questionable id), or where things were simply
being misrendered due to syntax errors.
This reverts commit da905d4cf9.
See the commit linked above for further information on why this was
needed. Apparently this is not needed anymore because the need for
LD_LIBRARY_PATH (which is needed for `modprobe(8)` to find
`libpthread.so.0`) doesn't exist anymore.
Since d33e52b253 the library path of each
binary in extra-utils is patched correctly.
nixos-enter sets up /etc/resolv.conf as a bind mount from the host
system, so trying to activate a system that sets
`environment.etc."resolv.conf"` (e.g. with systemd-resolved enabled)
results in an unhelpful warning.
Skip linking /etc/resolv.conf if we're in a nixos-enter environment, as
determined by the IN_NIXOS_ENTER environment variable.
Make the warnings more helpful, indicating which file we failed to link.
Unlink temporary files in case of failure.
That version has a regression that leaves some machines unbootable.
While we wait for the fix (252.2) to land in master, this is a workaround that
should save people some pain.
To reduce size, stage 1 (the initrd) is populated by copying specific
binaries in, then copying the libraries specifically needed by those
binaries. `patchelf` is then used to make the binaries search in the
directory where these libraries are copied to instead of their original
store paths.
Some filesystems (e.g. ZFS) do not guarantee that copying the same files
in the same order into a given directory will result in `find` returning
them in any particular order (though the order appears consistent so
long as the directory is not modified).
Therefore, when the binaries are scanned for libraries to copy in, they
might be scanned in a different order each time the derivation is built.
If two binaries need two different libraries with the same name, then a
different instance of the library might be copied in first, changing the
derivation contents and breaking reproducibility.
This turns out to be the case with `libudev.so.1` from both `systemd`
(needed by e.g. `mdadm`) and `systemdMinimal` (needed by e.g.
`dmsetup`). This issue is fixed by sorting the list of binaries to be
scanned instead of relying on filesystem order so that the same instance
always gets seen and copied first.
Both before this change (at least on ext4) and after this change
(without any options that affect stage 1), this is the `libudev.so.1`
from `systemdMinimal` by way of `dmsetup`. Whether this is appropriate
and how much the two different systemd configurations and udev libraries
need to be involved is a topic left for future work.
We separate the different steps (injecting the toplevel and injecting
the specialisations) so that it's easy to document what each snippet is
actually doing.
Yes I know it's dirty to link the rendered HTML, but linking
`#sec-kernel-config` breaks the manual build for me with the following
error:
element link: validity error : IDREF attribute linkend references an unknown ID "sec-kernel-config"
This is something that should probably be fixed, but for the current
change I'd argue that this is good enough (in fact even the
`nix.settings`-option uses that hack).
- The default cipher is BF-CBC, which openvpn refuses to use by default.
Switched to AES-256-CBC.
- openvpn does not require an external "ip" executable anymore, and does
not support the "ipconfig" option by default, so remove that option.
When no interfaces are managed by systemd-networkd, it will
unconditionally fail. This option allows it to be disabled in those
situations where it prevents system switches from succeeding.
The placement of this option under `nix` was misleading, as it is not
configuration of the Nix daemon, but rather configuration of the NixOS
boot process and how it mounts the Nix store. As such, make it an option
of `boot` to clarify what it actually affects, and imply that it will
only take effect on a reboot.
Since it no longer has the context of nix, adjust the name to include
it.
Or else systemd-oomd gets marked as failed due to
"Userspace Out-Of-Memory (OOM) Killer was skipped because of a failed condition check (ConditionControlGroupController=v2)."
and cause the system to enter degraded state.
Ref https://github.com/NixOS/nixpkgs/issues/195085
mountFS adds these strings to fstab and then relies on `mount` parsing fstab. If
they have spaces or tabs in them, that would break fstab and therefore not mount
with the unhelpful error: No such file or directory.
Co-authored-by: Lily Foster <lily@lily.flowers>
Co-authored-by: Luflosi <Luflosi@users.noreply.github.com>
Systemd 250:
> DHCPv4 client support in systemd-networkd learnt a new Label= option
> for configuring the address label to apply to configure IPv4
> addresses.
> The [IPv6AcceptRA] section of .network files gained support for a new
> UseMTU= setting that may be used to control whether to apply the
> announced MTU settings to the local interface.
> The [DHCPv4] section in .network file gained a new Use6RD= boolean
> setting to control whether the DHCPv4 client request and process the
> DHCP 6RD option.
> The [DHCPv6] section in .network file gained a new setting
> UseDelegatedPrefix= to control whether the delegated prefixes will be
> propagated to the downstream interfaces.
> The [IPv6AcceptRA] section of .network files now understands two new
> settings UseGateway=/UseRoutePrefix= for explicitly configuring
> whether to use the relevant fields from the IPv6 Router Advertisement
> records.
> The [RoutingPolicyRule] section of .network file gained a new
> SuppressInterfaceGroup= setting.
> The IgnoreCarrierLoss= setting in the [Network] section of .network
> files now allows a duration to be specified, controlling how long to
> wait before reacting to carrier loss.
Systemd 246:
> systemd-networkd's [DHCPv4] section gained a new setting UseGateway=
> which may be used to turn off use of the gateway information provided
> by the DHCP lease. A new FallbackLeaseLifetimeSec= setting may be
> used to configure how to process leases that lack a lifetime option.
> The IPv6Token= section in the [Network] section is deprecated, and
>> the [IPv6AcceptRA] section gained the Token= setting for its
>> replacement. The [IPv6Prefix] section also gained the Token= setting.
>> The Token= setting gained 'eui64' mode to explicitly configure an
>> address with the EUI64 algorithm based on the interface MAC address.
>> The 'prefixstable' mode can now optionally take a secret key. The
>> Token= setting in the [DHCPPrefixDelegation] section now supports all
>> algorithms supported by the same settings in the other sections.
* Remove `ForceDHCPv6PDOtherInformation=`
* Add a missing `WithoutRA=` option
Systemd 250:
> The ForceDHCPv6PDOtherInformation= setting in the [DHCPv6] section
> has been removed. Please use the WithoutRA= and UseDelegatedPrefix=
> settings in the [DHCPv6] section and the DHCPv6Client= setting in the
> [IPv6AcceptRA] section to control when the DHCPv6 client is started
> and how the delegated prefixes are handled by the DHCPv6 client.
Adapt to changes introduced in Systemd 250:
> The [DHCPv6PrefixDelegation] section in .network file is renamed to
> [DHCPPrefixDelegation], as now the prefix delegation is also
> supported with DHCPv4 protocol by enabling the Use6RD= setting.
Replaces the `dhcpV6PrefixDelegationConfig` with
`dhcpPrefixDelegationConfig` and throws an error if the old option is
used.
Also adapt the respective IPv6 prefix delegation test.
Before this patch, the entry match condition always fails, causing all
entries being removed. The error is not noticed because later they are
re-generated.
Before this patch, the gen_number found by regex contains
"-specialisation-foo" if specialisation is used. As a result, applying
int() to gen_number raises ValueError, causing entries containing
a specialisation part not being removed.
