diff options
Diffstat (limited to 'nixos/doc/manual/release-notes/rl-2009.xml')
-rw-r--r-- | nixos/doc/manual/release-notes/rl-2009.xml | 79 |
1 files changed, 78 insertions, 1 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2009.xml b/nixos/doc/manual/release-notes/rl-2009.xml index f2485f7395c8..900b1103f2b1 100644 --- a/nixos/doc/manual/release-notes/rl-2009.xml +++ b/nixos/doc/manual/release-notes/rl-2009.xml @@ -94,6 +94,22 @@ services.mysql.initialScript = pkgs.writeText "mariadb-init.sql" '' When MariaDB data directory is just upgraded (not initialized), the users are not created or modified. </para> </listitem> + <listitem> + <para> + MySQL server is now started with additional systemd sandbox/hardening options for better security. The PrivateTmp, ProtectHome, and ProtectSystem options + may be problematic when MySQL is attempting to read from or write to your filesystem anywhere outside of its own state directory, for example when + calling <literal>LOAD DATA INFILE or SELECT * INTO OUTFILE</literal>. In this scenario a variant of the following may be required: + - allow MySQL to read from /home and /tmp directories when using <literal>LOAD DATA INFILE</literal> +<programlisting> +systemd.services.mysql.serviceConfig.ProtectHome = lib.mkForce "read-only"; +</programlisting> + - allow MySQL to write to custom folder <literal>/var/data</literal> when using <literal>SELECT * INTO OUTFILE</literal>, assuming the mysql user has write + access to <literal>/var/data</literal> +<programlisting> +systemd.services.mysql.serviceConfig.ReadWritePaths = [ "/var/data" ]; +</programlisting> + </para> + </listitem> </itemizedlist> </section> @@ -486,7 +502,7 @@ systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/www" ]; <itemizedlist> <listitem> - <para>SD and ISO images are now compressed by default using <literal>zstd</literal>.</para> + <para>SD images are now compressed by default using <literal>zstd</literal>. The compression for ISO images has also been changed to <literal>zstd</literal>, but ISO images are still not compressed by default.</para> </listitem> <listitem> <para> @@ -560,6 +576,67 @@ systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/www" ]; <link xlink:href="https://grafana.com/docs/grafana/latest/installation/upgrading/#upgrading-to-v7-0">in the Grafana documentation</link>. </para> </listitem> + <listitem> + <para> + The <literal>hardware.u2f</literal> module, which was installing udev rules + was removed, as udev gained native support to handle FIDO security tokens. + </para> + </listitem> + <listitem> + <para> + With this release <literal>systemd-networkd</literal> (when enabled through <xref linkend="opt-networking.useNetworkd"/>) + has it's netlink socket created through a <literal>systemd.socket</literal> unit. This gives us control over + socket buffer sizes and other parameters. For larger setups where networkd has to create a lot of (virtual) + devices the default buffer size (currently 128MB) is not enough. + </para> + <para> + On a machine with >100 virtual interfaces (e.g., wireguard tunnels, VLANs, …), that all have to + be brought up during system startup, the receive buffer size will spike for a brief period. + Eventually some of the message will be dropped since there is not enough (permitted) buffer + space available. + </para> + <para> + By having <literal>systemd-networkd</literal> start with a netlink socket created by + <literal>systemd</literal> we can configure the <literal>ReceiveBufferSize=</literal> parameter + in the socket options (i.e. <literal>systemd.sockets.systemd-networkd.socketOptions.ReceiveBufferSize</literal>) + without recompiling <literal>systemd-networkd</literal>. + </para> + <para> + Since the actual memory requirements depend on hardware, timing, exact + configurations etc. it isn't currently possible to infer a good default + from within the NixOS module system. Administrators are advised to + monitor the logs of <literal>systemd-networkd</literal> for <literal>rtnl: kernel receive buffer + overrun</literal> spam and increase the memory limit as they see fit. + </para> + <para> + Note: Increasing the <literal>ReceiveBufferSize=</literal> doesn't allocate any memory. It just increases + the upper bound on the kernel side. The memory allocation depends on the amount of messages that are + queued on the kernel side of the netlink socket. + </para> + </listitem> + <listitem> + <para> + Specifying <link linkend="opt-services.dovecot2.mailboxes">mailboxes</link> in the <package>dovecot2</package> module + as a list is deprecated and will break eval in 21.03. Instead, an attribute-set should be specified where the <literal>name</literal> + should be the key of the attribute. + </para> + <para> + This means that a configuration like this +<programlisting>{ + <link linkend="opt-services.dovecot2.mailboxes">services.dovecot2.mailboxes</link> = [ + { name = "Junk"; + auto = "create"; + } + ]; +}</programlisting> + should now look like this: +<programlisting>{ + <link linkend="opt-services.dovecot2.mailboxes">services.dovecot2.mailboxes</link> = { + Junk.auto = "create"; + }; +}</programlisting> + </para> + </listitem> </itemizedlist> </section> </section> |