nixpkgs/nixos/doc/manual/release-notes/rl-2111.section.md

39 KiB

Release 21.11 (“Porcupine”, 2021/11/30)

  • Support is planned until the end of June 2022, handing over to 22.05.

Highlights

In addition to numerous new and upgraded packages, this release has the following highlights:

  • Nix has been updated to version 2.4, reference its release notes for more information on what has changed. The previous version of Nix, 2.3.16, remains available for the time being in the nix_2_3 package.

  • iptables now uses nf_tables backend.

  • PHP now defaults to PHP 8.0, updated from 7.4.

  • kops now defaults to 1.21.1, which uses containerd as the default runtime.

  • python3 now defaults to Python 3.9, updated from Python 3.8.

  • PostgreSQL now defaults to major version 13.

  • spark now defaults to spark 3, updated from 2. A migration guide is available.

  • Improvements have been made to the Hadoop module and package:

    • HDFS and YARN now support production-ready highly available deployments with automatic failover.
    • Hadoop now defaults to Hadoop 3, updated from 2.
    • JournalNode, ZKFS and HTTPFS services have been added.
  • Activation scripts can now, optionally, be run during a nixos-rebuild dry-activate and can detect the dry activation by reading $NIXOS_ACTION. This allows activation scripts to output what they would change if the activation was really run. The users/modules activation script supports this and outputs some of is actions.

  • KDE Plasma now finally works on Wayland.

  • bash now defaults to major version 5.

  • Systemd was updated to version 249 (from 247).

  • Pantheon desktop has been updated to version 6. Due to changes of screen locker, if locking doesn't work for you, please try gsettings set org.gnome.desktop.lockdown disable-lock-screen false.

  • kubernetes-helm now defaults to 3.7.0, which introduced some breaking changes to the experimental OCI manifest format. See HIP 6 for more details. helmfile also defaults to 0.141.0, which is the minimum compatible version.

  • GNOME has been upgraded to 41. Please take a look at their Release Notes for details.

  • LXD support was greatly improved:

    • building LXD images from configurations is now directly possible with just nixpkgs
    • hydra is now building nixOS LXD images that can be used standalone with full nixos-rebuild support
  • OpenSSH was updated to version 8.8p1

    • This breaks connections to old SSH daemons as ssh-rsa host keys and ssh-rsa public keys that were signed with SHA-1 are disabled by default now
    • These can be re-enabled, see the OpenSSH changelog for details
  • ORY Kratos was updated to version 0.8.0-alpha.3

    • This release requires you to run SQL migrations. Please, as always, create a backup of your database first!
    • The SDKs are now generated with tag v0alpha2 to reflect that some signatures have changed in a breaking fashion. Please update your imports from v0alpha1 to v0alpha2.
    • The SMTPS scheme used in courier config URL with cleartext/StartTLS/TLS SMTP connection types is now only supporting implicit TLS. For StartTLS and cleartext SMTP, please use the SMTP scheme instead.
    • for more details, see Release Notes.

New Services

Backward Incompatibilities

  • The NixOS VM test framework, pkgs.nixosTest/make-test-python.nix, now requires detaching commands such as succeed("foo &") and succeed("foo | xclip -i") to close stdout. This can be done with a redirect such as succeed("foo >&2 &"). This breaking change was necessitated by a race condition causing tests to fail or hang. It applies to all methods that invoke commands on the nodes, including execute, succeed, fail, wait_until_succeeds, wait_until_fails.

  • The services.wakeonlan option was removed, and replaced with networking.interfaces.<name>.wakeOnLan.

  • The security.wrappers option now requires to always specify an owner, group and whether the setuid/setgid bit should be set. This is motivated by the fact that before NixOS 21.11, specifying either setuid or setgid but not owner/group resulted in wrappers owned by nobody/nogroup, which is unsafe.

  • Since iptables now uses nf_tables backend and ipset doesn't support it, some applications (ferm, shorewall, firehol) may have limited functionality.

  • The paperless module and package have been removed. All users should migrate to the successor paperless-ng instead. The Paperless project has been archived and advises all users to use paperless-ng instead.

    Users can use the services.paperless-ng module as a replacement while noting the following incompatibilities:

    {
      services.paperless-ng.extraConfig = {
        # Provide languages as ISO 639-2 codes
        # separated by a plus (+) sign.
        # https://en.wikipedia.org/wiki/List_of_ISO_639-2_codes
        PAPERLESS_OCR_LANGUAGE = "deu+eng+jpn"; # German & English & Japanse
      };
    }
    
    • If you previously specified PAPERLESS_CONSUME_MAIL_* settings in services.paperless.extraConfig you should remove those options now. You now must define those settings in the admin interface of paperless-ng.

    • Option services.paperless.manage no longer exists. Use the script at ${services.paperless-ng.dataDir}/paperless-ng-manage instead. Note that this script only exists after the paperless-ng service has been started at least once.

    • After switching to the new system configuration you should run the Django management command to reindex your documents and optionally create a user, if you don't have one already.

      To do so, enter the data directory (the value of services.paperless-ng.dataDir, /var/lib/paperless by default), switch to the paperless user and execute the management command like below:

      $ cd /var/lib/paperless
      $ su paperless -s /bin/sh
      $ ./paperless-ng-manage document_index reindex
      # if not already done create a user account, paperless-ng requires a login
      $ ./paperless-ng-manage createsuperuser
      Username (leave blank to use 'paperless'): my-user-name
      Email address: me@example.com
      Password: **********
      Password (again): **********
      Superuser created successfully.
      
  • The staticjinja package has been upgraded from 1.0.4 to 4.1.1

  • Firefox v91 does not support addons with invalid signature anymore. Firefox ESR needs to be used for nix addon support.

  • The erigon ethereum node has moved to a new database format in 2021-05-04, and requires a full resync

  • The erigon ethereum node has moved it's database location in 2021-08-03, users upgrading must manually move their chaindata (see release notes).

  • users.users.<name>.group no longer defaults to nogroup, which was insecure. Out-of-tree modules are likely to require adaptation: instead of

    {
      users.users.foo = {
        isSystemUser = true;
      };
    }
    

    also create a group for your user:

    {
      users.users.foo = {
        isSystemUser = true;
        group = "foo";
      };
      users.groups.foo = {};
    }
    
  • services.geoip-updater was broken and has been replaced by services.geoipupdate.

  • ihatemoney has been updated to version 5.1.1 (release notes). If you serve ihatemoney by HTTP rather than HTTPS, you must set services.ihatemoney.secureCookie to false.

  • PHP 7.3 is no longer supported due to upstream not supporting this version for the entire lifecycle of the 21.11 release.

  • Those making use of buildBazelPackage will need to regenerate the fetch hashes (preferred), or set fetchConfigured = false;.

  • consul was upgraded to a new major release with breaking changes, see upstream changelog.

  • fsharp41 has been removed in preference to use the latest dotnet-sdk

  • The following F#-related packages have been removed for being unmaintaned. Please use fetchNuGet for specific packages.

    • ExtCore
    • Fake
    • Fantomas
    • FsCheck
    • FsCheck262
    • FsCheckNunit
    • FSharpAutoComplete
    • FSharpCompilerCodeDom
    • FSharpCompilerService
    • FSharpCompilerTools
    • FSharpCore302
    • FSharpCore3125
    • FSharpCore4001
    • FSharpCore4117
    • FSharpData
    • FSharpData225
    • FSharpDataSQLProvider
    • FSharpFormatting
    • FsLexYacc
    • FsLexYacc706
    • FsLexYaccRuntime
    • FsPickler
    • FsUnit
    • Projekt
    • Suave
    • UnionArgParser
    • ExcelDnaRegistration
    • MathNetNumerics
  • programs.x2goserver is now services.x2goserver

  • The following dotnet-related packages have been removed for being unmaintaned. Please use fetchNuGet for specific packages.

    • Autofac
    • SystemValueTuple
    • MicrosoftDiaSymReader
    • MicrosoftDiaSymReaderPortablePdb
    • SystemCollectionsImmutable
    • SystemCollectionsImmutable131
    • SystemReflectionMetadata
    • NUnit350
    • Deedle
    • ExcelDna
    • GitVersionTree
    • NDeskOptions
  • The antlr package now defaults to the 4.x release instead of the old 2.7.7 version.

  • The pulseeffects package updated to version 4.x and renamed to easyeffects.

  • The libwnck package now defaults to the 3.x release instead of the old 2.31.0 version.

  • The bitwarden_rs packages and modules were renamed to vaultwarden following upstream. More specifically,

    • pkgs.bitwarden_rs, pkgs.bitwarden_rs-sqlite, pkgs.bitwarden_rs-mysql and pkgs.bitwarden_rs-postgresql were renamed to pkgs.vaultwarden, pkgs.vaultwarden-sqlite, pkgs.vaultwarden-mysql and pkgs.vaultwarden-postgresql, respectively.

      • Old names are preserved as aliases for backwards compatibility, but may be removed in the future.
      • The bitwarden_rs executable was also renamed to vaultwarden in all packages.
    • pkgs.bitwarden_rs-vault was renamed to pkgs.vaultwarden-vault.

      • pkgs.bitwarden_rs-vault is preserved as an alias for backwards compatibility, but may be removed in the future.
      • The static files were moved from /usr/share/bitwarden_rs to /usr/share/vaultwarden.
    • The services.bitwarden_rs config module was renamed to services.vaultwarden.

      • services.bitwarden_rs is preserved as an alias for backwards compatibility, but may be removed in the future.
    • systemd.services.bitwarden_rs, systemd.services.backup-bitwarden_rs and systemd.timers.backup-bitwarden_rs were renamed to systemd.services.vaultwarden, systemd.services.backup-vaultwarden and systemd.timers.backup-vaultwarden, respectively.

      • Old names are preserved as aliases for backwards compatibility, but may be removed in the future.
    • users.users.bitwarden_rs and users.groups.bitwarden_rs were renamed to users.users.vaultwarden and users.groups.vaultwarden, respectively.

    • The data directory remains located at /var/lib/bitwarden_rs, for backwards compatibility.

  • yggdrasil was upgraded to a new major release with breaking changes, see upstream changelog.

  • icingaweb2 was upgraded to a new release which requires a manual database upgrade, see upstream changelog.

  • The isabelle package has been upgraded from 2020 to 2021

  • the mingw-64 package has been upgraded from 6.0.0 to 9.0.0

  • tt-rss was upgraded to the commit on 2021-06-21, which has breaking changes. If you use services.tt-rss.extraConfig you should migrate to the putenv-style configuration. See this Discourse post in the tt-rss forums for more details.

  • The following Visual Studio Code extensions were renamed to keep the naming convention uniform.

    • bbenoist.Nix -> bbenoist.nix
    • CoenraadS.bracket-pair-colorizer -> coenraads.bracket-pair-colorizer
    • golang.Go -> golang.go
  • services.uptimed now uses /var/lib/uptimed as its stateDirectory instead of /var/spool/uptimed. Make sure to move all files to the new directory.

  • Deprecated package aliases in emacs.pkgs.* have been removed. These aliases were remnants of the old Emacs package infrastructure. We now use exact upstream names wherever possible.

  • programs.neovim.runtime switched to a linkFarm internally, making it impossible to use wildcards in the source argument.

  • The openrazer and openrazer-daemon packages as well as the hardware.openrazer module now require users to be members of the openrazer group instead of plugdev. With this change, users no longer need be granted the entire set of plugdev group permissions, which can include permissions other than those required by openrazer. This is desirable from a security point of view. The setting harware.openrazer.users can be used to add users to the openrazer group.

  • The fontconfig service's dpi option has been removed. Fontconfig should use Xft settings by default so there's no need to override one value in multiple places. The user can set DPI via ~/.Xresources properly, or at the system level per monitor, or as a last resort at the system level with services.xserver.dpi.

  • The yambar package has been split into yambar and yambar-wayland, corresponding to the xorg and wayland backend respectively. Please switch to yambar-wayland if you are on wayland.

  • The services.minio module gained an additional option consoleAddress, that configures the address and port the web UI is listening, it defaults to :9001. To be able to access the web UI this port needs to be opened in the firewall.

  • The varnish package was upgraded from 6.3.x to 7.x. varnish60 for the last LTS release is also still available.

  • The kubernetes package was upgraded to 1.22. The kubernetes.apiserver.kubeletHttps option was removed and HTTPS is always used.

  • The attribute linuxPackages_latest_hardened was dropped because the hardened patches lag behind the upstream kernel which made version bumps harder. If you want to use a hardened kernel, please pin it explicitly with a versioned attribute such as linuxPackages_5_10_hardened.

  • The nomad package now defaults to a 1.1.x release instead of 1.0.x

  • If exfat is included in boot.supportedFilesystems and when using kernel 5.7 or later, the exfatprogs user-space utilities are used instead of exfat.

  • The todoman package was upgraded from 3.9.0 to 4.0.0. This introduces breaking changes in the configuration file format.

  • The datadog-agent, datadog-integrations-core and datadog-process-agent packages were upgraded from 6.11.2 to 7.30.2, git-2018-09-18 to 7.30.1 and 6.11.1 to 7.30.2, respectively. As a result services.datadog-agent has had breaking changes to the configuration file. For details, see the upstream changelog.

  • opencv2 no longer includes the non-free libraries by default, and consequently pfstools no longer includes OpenCV support by default. Both packages now support an enableUnfree option to re-enable this functionality.

  • services.xserver.displayManager.defaultSession = "plasma5" does not work anymore, instead use either "plasma" for the Plasma X11 session or "plasmawayland" for the Plasma Wayland sesison.

  • boot.kernelParams now only accepts one command line parameter per string. This change is aimed to reduce common mistakes like "param = 12", which would be parsed as 3 parameters.

  • nix.daemonNiceLevel and nix.daemonIONiceLevel have been removed in favour of the new options nix.daemonCPUSchedPolicy, nix.daemonIOSchedClass and nix.daemonIOSchedPriority. Please refer to the options documentation and the sched(7) and ioprio_set(2) man pages for guidance on how to use them.

  • The coursier package's binary was renamed from coursier to cs. Completions which haven't worked for a while should now work with the renamed binary. To keep using coursier, you can create a shell alias.

  • The services.mosquitto module has been rewritten to support multiple listeners and per-listener configuration. Module configurations from previous releases will no longer work and must be updated.

  • The fluidsynth_1 attribute has been removed, as this legacy version is no longer needed in nixpkgs. The actively maintained 2.x series is available as fluidsynth unchanged.

  • Nextcloud 20 (pkgs.nextcloud20) has been dropped because it was EOLed by upstream in 2021-10.

  • The virtualisation.pathsInNixDB option was renamed virtualisation.additionalPaths.

  • The services.ddclient.password option was removed, and replaced with services.ddclient.passwordFile.

  • The default GNAT version has been changed: The gnat attribute now points to gnat11 instead of gnat9.

  • retroArchCores has been removed. This means that using nixpkgs.config.retroarch to customize RetroArch cores is not supported anymore. Instead, use package overrides, for example: retroarch.override { cores = with libretro; [ citra snes9x ]; };. Also, retroarchFull derivation is available for those who want to have all RetroArch cores available.

Other Notable Changes

  • The linux kernel package infrastructure was moved out of all-packages.nix, and restructured. Linux related functions and attributes now live under the pkgs.linuxKernel attribute set. In particular the versioned linuxPackages_* package sets (such as linuxPackages_5_4) and kernels from pkgs were moved there and now live under pkgs.linuxKernel.packages.*. The unversioned ones (such as linuxPackages_latest) remain untouched.

  • In NixOS virtual machines (QEMU), the virtualisation module has been updated with new options:

    In addition, the default msize parameter in 9P filesystems (including /nix/store and all shared directories) has been increased to 16K for improved performance.

  • The setting services.openssh.logLevel "VERBOSE" "INFO". This brings NixOS in line with upstream and other Linux distributions, and reduces log spam on servers due to bruteforcing botnets.

    However, if services.fail2ban.enable is true, the fail2ban will override the verbosity to "VERBOSE", so that fail2ban can observe the failed login attempts from the SSH logs.

  • The services.xserver.extraLayouts no longer cause additional rebuilds when a layout is added or modified.

  • Sway: The terminal emulator rxvt-unicode is no longer installed by default via programs.sway.extraPackages. The current default configuration uses alacritty (and soon foot) so this is only an issue when using a customized configuration and not installing rxvt-unicode explicitly.

  • python3 now defaults to Python 3.9. Python 3.9 introduces many deprecation warnings, please look at the What's New In Python 3.9 post for more information.

  • qtile hase been updated from '0.16.0' to '0.18.0', please check qtile changelog for changes.

  • The claws-mail package now references the new GTK+ 3 release branch, major version 4. To use the GTK+ 2 releases, one can install the claws-mail-gtk2 package.

  • The wordpress module provides a new interface which allows to use different webservers with the new option services.wordpress.webserver. Currently httpd, caddy and nginx are supported. The definitions of wordpress sites should now be set in services.wordpress.sites.

    Sites definitions that use the old interface are automatically migrated in the new option. This backward compatibility will be removed in 22.05.

  • The dokuwiki module provides a new interface which allows to use different webservers with the new option services.dokuwiki.webserver. Currently caddy and nginx are supported. The definitions of dokuwiki sites should now be set in services.dokuwiki.sites.

    Sites definitions that use the old interface are automatically migrated in the new option. This backward compatibility will be removed in 22.05.

  • The order of NSS (host) modules has been brought in line with upstream recommendations:

    • The myhostname module is placed before the resolve (optional) and dns entries, but after file (to allow overriding via /etc/hosts / networking.extraHosts, and prevent ISPs with catchall-DNS resolvers from hijacking .localhost domains)
    • The mymachines module, which provides hostname resolution for local containers (registered with systemd-machined) is placed to the front, to make sure its mappings are preferred over other resolvers.
    • If systemd-networkd is enabled, the resolve module is placed before files and myhostname, as it provides the same logic internally, with caching.
    • The mdns(_minimal) module has been updated to the new priorities.

    If you use your own NSS host modules, make sure to update your priorities according to these rules:

    • NSS modules which should be queried before resolved DNS resolution should use mkBefore.
    • NSS modules which should be queried after resolved, files and myhostname, but before dns should use the default priority
    • NSS modules which should come after dns should use mkAfter.
  • The networking.wireless module (based on wpa_supplicant) has been heavily reworked, solving a number of issues and adding useful features:

    • The automatic discovery of wireless interfaces at boot has been made reliable again (issues #101963, #23196).
    • WPA3 and Fast BSS Transition (802.11r) are now enabled by default for all networks.
    • Secrets like pre-shared keys and passwords can now be handled safely, meaning without including them in a world-readable file (wpa_supplicant.conf under /nix/store). This is achieved by storing the secrets in a secured environmentFile and referring to them though environment variables that are expanded inside the configuration.
    • With multiple interfaces declared, independent wpa_supplicant daemons are started, one for each interface (the services are named wpa_supplicant-wlan0, wpa_supplicant-wlan1, etc.).
    • The generated wpa_supplicant.conf file is now formatted for easier reading.
    • A new scanOnLowSignal option has been added to facilitate fast roaming between access points (enabled by default).
    • A new networks.<name>.authProtocols option has been added to change the authentication protocols used when connecting to a network.
  • The networking.wireless.iwd module has a new networking.wireless.iwd.settings option.

  • The services.smokeping.host option was added and defaulted to localhost. Before, smokeping listened to all interfaces by default. NixOS defaults generally aim to provide non-Internet-exposed defaults for databases and internal monitoring tools, see e.g. #100192. Further, the systemd service for smokeping got reworked defaults for increased operational stability, see PR #144127 for details.

  • The services.syncoid.enable module now properly drops ZFS permissions after usage. Before it delegated permissions to whole pools instead of datasets and didn't clean up after execution. You can manually look this up for your pools by running zfs allow your-pool-name and use zfs unallow syncoid your-pool-name to clean this up.

  • Zfs: latestCompatibleLinuxPackages is now exported on the zfs package. One can use boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages; to always track the latest compatible kernel with a given version of zfs.

  • Nginx will use the value of sslTrustedCertificate if provided for a virtual host, even if enableACME is set. This is useful for providers not using the same certificate to sign OCSP responses and server certificates.

  • lib.formats.yaml's generate will not generate JSON anymore, but instead use more of the YAML-specific syntax.

  • MariaDB was upgraded from 10.5.x to 10.6.x. Please read the upstream release notes for changes and upgrade instructions.

  • The MariaDB C client library, also known as libmysqlclient or mariadb-connector-c, was upgraded from 3.1.x to 3.2.x. While this should hopefully not have any impact, this upgrade comes with some changes to default behavior, so you might want to review the upstream release notes.

  • GNOME desktop environment now enables QGnomePlatform as the Qt platform theme, which should avoid crashes when opening file chooser dialogs in Qt apps by using XDG desktop portal. Additionally, it will make the apps fit better visually.

  • rofi has been updated from '1.6.1' to '1.7.0', one important thing is the removal of the old xresources based configuration setup. Read more in rofi's changelog.

  • ipfs now defaults to not listening on you local network. This setting was change as server providers won't accept port scanning on their private network. If you have several ipfs instances running on a network you own, feel free to change the setting ipfs.localDiscovery = true;. localDiscovery enables different instances to discover each other and share data.

  • lua and luajit interpreters have been patched to avoid looking into /usr/lib directories, thus increasing the purity of the build.

  • Three new options, xdg.mime.addedAssociations, xdg.mime.defaultApplications, and xdg.mime.removedAssociations have been added to the xdg.mime module to allow the configuration of /etc/xdg/mimeapps.list.

  • Kopia was upgraded from 0.8.x to 0.9.x. Please read the upstream release notes for changes and upgrade instructions.

  • The systemd.network module has gained support for the FooOverUDP link type.

  • The networking module has a new networking.fooOverUDP option to configure Foo-over-UDP encapsulations.

  • networking.sits now supports Foo-over-UDP encapsulation.

  • The virtualisation.libvirtd module has been refactored and updated with new options:

  • The cawbird Twitter client now uses its own API keys to count as different application than upstream builds. This is done to evade application-level rate limiting. While existing accounts continue to work, users may want to remove and re-register their account in the client to enjoy a better user experience and benefit from this change.

  • A new option services.prometheus.enableReload has been added which can be enabled to reload the prometheus service when its config file changes instead of restarting.

  • The option services.prometheus.environmentFile has been removed since it was causing issues and Prometheus now has native support for secret files, i.e. basic_auth.password_file and authorization.credentials_file.

  • Dokuwiki now supports caddy! However

    • the nginx option has been removed, in the new configuration, please use the dokuwiki.webserver = "nginx" instead.
    • The "${hostname}" option has been deprecated, please use dokuwiki.sites = [ "${hostname}" ] instead
  • The services.unifi module has been reworked, solving a number of issues. This leads to several user facing changes:

    • The services.unifi.dataDir option is removed and the data is now always located under /var/lib/unifi/data. This is done to make better use of systemd state direcotiry and thus making the service restart more reliable.
    • The unifi logs can now be found under: /var/log/unifi instead of /var/lib/unifi/logs.
    • The unifi run directory can now be found under: /run/unifi instead of /var/lib/unifi/run.
  • security.pam.services.<name>.makeHomeDir now uses umask=0077 instead of umask=0022 when creating the home directory.

  • Loki has had another release. Some default values have been changed for the configuration and some configuration options have been renamed. For more details, please check the upgrade guide.

  • julia now refers to julia-stable instead of julia-lts. In practice this means it has been upgraded from 1.0.4 to 1.5.4.

  • RetroArch has been upgraded from version 1.8.5 to 1.9.13.2. Since the previous release was quite old, if you're having issues after the upgrade, please delete your $XDG_CONFIG_HOME/retroarch/retroarch.cfg file.

  • hydrus has been upgraded from version 438 to 463. Since upgrading between releases this old is advised against, be sure to have a backup of your data before upgrading. For details, see the hydrus manual.

  • More jdk and jre versions are now exposed via java-packages.compiler.