Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/doc/manual/configuration.xml | 9 | ||||
-rw-r--r-- | nixos/modules/config/users-groups.nix | 2 | ||||
-rw-r--r-- | nixos/modules/installer/tools/nixos-install.sh | 2 | ||||
-rw-r--r-- | nixos/modules/installer/tools/nixos-rebuild.sh | 5 | ||||
-rw-r--r-- | nixos/modules/module-list.nix | 1 | ||||
-rw-r--r-- | nixos/modules/programs/nano.nix | 35 | ||||
-rw-r--r-- | nixos/modules/security/setuid-wrappers.nix | 3 | ||||
-rw-r--r-- | nixos/modules/services/x11/desktop-managers/gnome3.nix | 25 | ||||
-rw-r--r-- | nixos/modules/system/activation/activation-script.nix | 5 | ||||
-rw-r--r-- | nixos/modules/system/boot/stage-2-init.sh | 4 | ||||
-rw-r--r-- | nixos/modules/system/boot/systemd.nix | 2 | ||||
-rw-r--r-- | nixos/modules/virtualisation/container-config.nix | 2 | ||||
-rw-r--r-- | nixos/modules/virtualisation/containers.nix | 92 | ||||
-rw-r--r-- | nixos/modules/virtualisation/nixos-container.pl | 54 | ||||
-rw-r--r-- | nixos/release.nix | 52 |
15 files changed, 245 insertions, 48 deletions
diff --git a/nixos/doc/manual/configuration.xml b/nixos/doc/manual/configuration.xml index 051f0fb8c1e0..d35a5fff4aa4 100644 --- a/nixos/doc/manual/configuration.xml +++ b/nixos/doc/manual/configuration.xml @@ -1499,10 +1499,11 @@ are specific to the kernel version, such as the NVIDIA video drivers. This ensures that driver packages are consistent with the kernel.</para> -<para>The default Linux kernel configuration should be fine for most -users. You can see the configuration of your current kernel in -<filename>/run/booted-system/kernel-modules/config</filename>. If you -want to change the kernel configuration, you can use the +<para>The default Linux kernel configuration should be fine for most users. You can see the configuration of your current kernel with the following command: +<programlisting> +cat /proc/config.gz | gunzip +</programlisting> +If you want to change the kernel configuration, you can use the <option>packageOverrides</option> feature (see <xref linkend="sec-customising-packages" />). For instance, to enable support for the kernel debugger KGDB: diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix index 5de81a773424..7783f13b14b1 100644 --- a/nixos/modules/config/users-groups.nix +++ b/nixos/modules/config/users-groups.nix @@ -404,7 +404,7 @@ in { uid = ids.uids.root; description = "System administrator"; home = "/root"; - shell = cfg.defaultUserShell; + shell = mkDefault cfg.defaultUserShell; group = "root"; extraGroups = [ "grsecurity" ]; hashedPassword = mkDefault config.security.initialRootPassword; diff --git a/nixos/modules/installer/tools/nixos-install.sh b/nixos/modules/installer/tools/nixos-install.sh index 9d62ba131dc7..a55eda1cb8fd 100644 --- a/nixos/modules/installer/tools/nixos-install.sh +++ b/nixos/modules/installer/tools/nixos-install.sh 
@@ -81,7 +81,7 @@ mount -t tmpfs -o "mode=0755" none $mountPoint/var/setuid-wrappers
 rm -rf $mountPoint/var/run
 ln -s /run $mountPoint/var/run
 rm -f $mountPoint/etc/{resolv.conf,hosts}
-cp -f /etc/resolv.conf /etc/hosts $mountPoint/etc/
+cp -Lf /etc/resolv.conf /etc/hosts $mountPoint/etc/
 
 
 if [ -n "$runChroot" ]; then
diff --git a/nixos/modules/installer/tools/nixos-rebuild.sh b/nixos/modules/installer/tools/nixos-rebuild.sh
index be37e61151aa..52b64c37578e 100644
--- a/nixos/modules/installer/tools/nixos-rebuild.sh
+++ b/nixos/modules/installer/tools/nixos-rebuild.sh
@@ -225,7 +225,10 @@ fi
 # If we're not just building, then make the new configuration the boot
 # default and/or activate it now.
 if [ "$action" = switch -o "$action" = boot -o "$action" = test ]; then
- $pathToConfig/bin/switch-to-configuration "$action"
+ if ! $pathToConfig/bin/switch-to-configuration "$action"; then
+ echo "warning: there were error switching to the new configuration" >&2
+ exit 1
+ fi
 fi
 
 
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index d90c56f2412a..453899175e01 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -53,6 +53,7 @@
 ./programs/dconf.nix
 ./programs/environment.nix
 ./programs/info.nix
+ ./programs/nano.nix
 ./programs/screen.nix
 ./programs/shadow.nix
 ./programs/shell.nix
diff --git a/nixos/modules/programs/nano.nix b/nixos/modules/programs/nano.nix
new file mode 100644
index 000000000000..b8803eec7be1
--- /dev/null
+++ b/nixos/modules/programs/nano.nix
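Review bot: The message printed when switch-to-configuration fails in the nixos-rebuild.sh hunk is ungrammatical and mislabelled: "there were error" should be "there were errors", and the line is prefixed `warning:` although the script then does `exit 1`, so it is reported as a failure. Suggested line: `echo "error: there were errors switching to the new configuration" >&2`. The enclosing if-block is fully inside the hunk.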
@@ -0,0 +1,35 @@
+{ config, lib, ... }:
+
+let
+ cfg = config.programs.nano;
+in
+
+{
+ ###### interface
+
+ options = {
+ programs.nano = {
+
+ nanorc = lib.mkOption {
+ type = lib.types.lines;
+ default = "";
+ description = ''
+ The system-wide nano configuration.
+ See <citerefentry><refentrytitle>nanorc</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
+ '';
+ example = ''
+ set nowrap
+ set tabstospaces
+ set tabsize 4
+ '';
+ };
+ };
+ };
+
+ ###### implementation
+
+ config = lib.mkIf (cfg.nanorc != "") {
+ environment.etc."nanorc".text = cfg.nanorc;
+ };
+
+}
diff --git a/nixos/modules/security/setuid-wrappers.nix b/nixos/modules/security/setuid-wrappers.nix
index 4cdc1023baab..373afffd3fb5 100644
--- a/nixos/modules/security/setuid-wrappers.nix
+++ b/nixos/modules/security/setuid-wrappers.nix
@@ -97,8 +97,7 @@ in
 
 }:
 ''
- source=${if source != "" then source else "$(PATH=$SETUID_PATH type -tP ${program})"}
- if test -z "$source"; then
+ if ! source=${if source != "" then source else "$(PATH=$SETUID_PATH type -tP ${program})"}; then
 # If we can't find the program, fall back to the
 # system profile.
 source=/nix/var/nix/profiles/default/bin/${program}
diff --git a/nixos/modules/services/x11/desktop-managers/gnome3.nix b/nixos/modules/services/x11/desktop-managers/gnome3.nix
index df50ca8c905c..06bcb6dbb8be 100644
--- a/nixos/modules/services/x11/desktop-managers/gnome3.nix
+++ b/nixos/modules/services/x11/desktop-managers/gnome3.nix
@@ -35,6 +35,14 @@ in {
 description = "Enable Gnome 3 desktop manager.";
 };
 
+ services.xserver.desktopManager.gnome3.sessionPath = mkOption {
+ default = [];
+ example = "[ pkgs.gnome3.gpaste ]";
+ description = "Additional list of packages to be added to the session search path.
+ Useful for gnome shell extensions or gsettings-conditionated autostart.";
+ apply = list: list ++ [ gnome3.gnome_shell ];
+ };
+
 environment.gnome3.packageSet = mkOption {
 default = pkgs.gnome3;
 example = literalExample "pkgs.gnome3_12";
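Review bot: In the gnome3.nix hunk the new `sessionPath` option gives its example as a plain string, `example = "[ pkgs.gnome3.gpaste ]";`, while the neighbouring `packageSet` option uses `literalExample "pkgs.gnome3_12"`, so the manual will render one as a quoted string and the other as Nix code; `example = literalExample "[ pkgs.gnome3.gpaste ]";` keeps the two consistent. The `description` also carries a raw line break and indentation inside a double-quoted string, which presumably ends up verbatim in the generated docs; joining it onto one line or using a `''` string avoids that. The enclosing `options` set starts before and ends after the hunk.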
@@ -86,10 +94,19 @@ in { export XDG_MENU_PREFIX=gnome - # Don't let epiphany depend upon gnome-shell - # Don't let gnome-session depend upon vino (for .desktop autostart condition) + ${concatMapStrings (p: '' + if [ -d "${p}/share/gsettings-schemas/${p.name}" ]; then + export XDG_DATA_DIRS=$XDG_DATA_DIRS''${XDG_DATA_DIRS:+:}${p}/share/gsettings-schemas/${p.name} + fi + + if [ -d "${p}/lib/girepository-1.0" ]; then + export GI_TYPELIB_PATH=$GI_TYPELIB_PATH''${GI_TYPELIB_PATH:+:}${p}/lib/girepository-1.0 + export LD_LIBRARY_PATH=$LD_LIBRARY_PATH''${LD_LIBRARY_PATH:+:}${p}/lib + fi + '') cfg.sessionPath} + # Override default mimeapps - export XDG_DATA_DIRS=$XDG_DATA_DIRS''${XDG_DATA_DIRS:+:}${gnome3.gnome_shell}/share/gsettings-schemas/${gnome3.gnome_shell.name}:${gnome3.vino}/share/gsettings-schemas/${gnome3.vino.name}:${mimeAppsList}/share + export XDG_DATA_DIRS=$XDG_DATA_DIRS''${XDG_DATA_DIRS:+:}${mimeAppsList}/share # Let gnome-control-center find gnome-shell search providers export GNOME_SEARCH_PROVIDERS_DIR=${config.system.path}/share/gnome-shell/search-providers/ @@ -123,7 +140,7 @@ in { gnome3.gnome_settings_daemon gnome3.gnome_shell gnome3.gnome_themes_standard - ] ++ (removePackagesByName [ + ] ++ cfg.sessionPath ++ (removePackagesByName [ gnome3.baobab gnome3.empathy gnome3.eog diff --git a/nixos/modules/system/activation/activation-script.nix b/nixos/modules/system/activation/activation-script.nix index b1bad956b4bb..2e5a70b3aa54 100644 --- a/nixos/modules/system/activation/activation-script.nix +++ b/nixos/modules/system/activation/activation-script.nix @@ -66,6 +66,9 @@ in PATH=$PATH:$i/bin:$i/sbin done + _status=0 + trap "_status=1" ERR + # Ensure a consistent umask. umask 0022 @@ -84,6 +87,8 @@ in # Prevent the current configuration from being garbage-collected. ln -sfn /run/current-system /nix/var/nix/gcroots/current-system + + exit $_status ''; }; 
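Review bot: In the activation-script.nix hunks, `trap "_status=1" ERR` only observes failures in the top-level script: an ERR trap is not inherited by shell functions or command substitutions unless `set -o errtrace` (`set -E`) is in effect, so an activation snippet that does its work inside a function can fail without `_status` being set and `exit $_status` would still report success. If the script runs under bash (the interpreter line is outside the hunk), adding `set -E` next to the trap closes that gap; a comment such as `# Record failures but keep going; the exit status reflects them at the end.` would also explain why `set -e` is not used here. The script text continues beyond both hunks.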
diff --git a/nixos/modules/system/boot/stage-2-init.sh b/nixos/modules/system/boot/stage-2-init.sh
index fcefdfa88a36..6fff776f8581 100644
--- a/nixos/modules/system/boot/stage-2-init.sh
+++ b/nixos/modules/system/boot/stage-2-init.sh
@@ -29,7 +29,9 @@ setPath "@path@"
 # Normally, stage 1 mounts the root filesystem read/writable.
 # However, in some environments, stage 2 is executed directly, and the
 # root is read-only. So make it writable here.
-mount -n -o remount,rw none /
+if [ "$container" != systemd-nspawn ]; then
+ mount -n -o remount,rw none /
+fi
 
 
 # Likewise, stage 1 mounts /proc, /dev and /sys, so if we don't have a
diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix
index 455c40693b00..e353e9246b0e 100644
--- a/nixos/modules/system/boot/systemd.nix
+++ b/nixos/modules/system/boot/systemd.nix
@@ -744,7 +744,7 @@ in
 # Make all journals readable to users in the wheel and adm
 # groups, in addition to those in the systemd-journal group.
 # Users can always read their own journals.
- ${pkgs.acl}/bin/setfacl -nm g:wheel:rx,d:g:wheel:rx,g:adm:rx,d:g:adm:rx /var/log/journal
+ ${pkgs.acl}/bin/setfacl -nm g:wheel:rx,d:g:wheel:rx,g:adm:rx,d:g:adm:rx /var/log/journal || true
 '';
 
 # Target for ‘charon send-keys’ to hook into.
diff --git a/nixos/modules/virtualisation/container-config.nix b/nixos/modules/virtualisation/container-config.nix
index b81f97f2b4ec..84e3aa283520 100644
--- a/nixos/modules/virtualisation/container-config.nix
+++ b/nixos/modules/virtualisation/container-config.nix
@@ -89,6 +89,8 @@ with lib;
 
 restartIfChanged = false;
 };
 
+ systemd.services.systemd-remount-fs.enable = false;
+
 };
 }
diff --git a/nixos/modules/virtualisation/containers.nix b/nixos/modules/virtualisation/containers.nix
index d0d04d9a1e5d..292b96e6eb24 100644
--- a/nixos/modules/virtualisation/containers.nix
+++ b/nixos/modules/virtualisation/containers.nix
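Review bot: Appending `|| true` to the setfacl call in the systemd.nix hunk hides every failure, including a /var/log/journal that does not support ACLs, so wheel and adm users silently lose the journal access the comment above promises and nothing records why. Reporting the failure while still not aborting activation keeps the intent and leaves a trace: `${pkgs.acl}/bin/setfacl -nm g:wheel:rx,d:g:wheel:rx,g:adm:rx,d:g:adm:rx /var/log/journal || echo "warning: could not set ACLs on /var/log/journal" >&2`. The activation snippet containing this line starts outside the hunk.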
@@ -32,7 +32,10 @@ let
 fi
 fi
 
- exec "$1"
+ # Start the regular stage 1 script, passing the bind-mounted
+ # notification socket from the host to allow the container
+ # systemd to signal readiness to the host systemd.
+ NOTIFY_SOCKET=/var/lib/private/host-notify exec "$1"
 '';
 
 system = config.nixpkgs.system;
@@ -168,17 +171,18 @@ in
 
 preStart =
 ''
- mkdir -p -m 0755 $root/var/lib
+ # Clean up existing machined registration and interfaces.
+ machinectl terminate "$INSTANCE" 2> /dev/null || true
 
- # Create a named pipe to get a signal when the container
- # has finished booting.
- rm -f $root/var/lib/startup-done
- mkfifo -m 0600 $root/var/lib/startup-done
+ if [ "$PRIVATE_NETWORK" = 1 ]; then
+ ip link del dev "ve-$INSTANCE" 2> /dev/null || true
+ fi
 '';
 
 script =
 ''
 mkdir -p -m 0755 "$root/etc" "$root/var/lib"
+ mkdir -p -m 0700 "$root/var/lib/private"
 if ! [ -e "$root/etc/os-release" ]; then
 touch "$root/etc/os-release"
 fi
@@ -187,6 +191,8 @@ in
 "/nix/var/nix/profiles/per-container/$INSTANCE" \
 "/nix/var/nix/gcroots/per-container/$INSTANCE"
 
+ cp -f /etc/resolv.conf "$root/etc/resolv.conf"
+
 if [ "$PRIVATE_NETWORK" = 1 ]; then
 extraFlags+=" --network-veth"
 fi
@@ -203,12 +209,16 @@ in
 fi
 ''}
 
+ # Run systemd-nspawn without startup notification (we'll
+ # wait for the container systemd to signal readiness).
+ EXIT_ON_REBOOT=1 NOTIFY_SOCKET= \
 exec ${config.systemd.package}/bin/systemd-nspawn \
 --keep-unit \
 -M "$INSTANCE" -D "$root" $extraFlags \
 --bind-ro=/nix/store \
 --bind-ro=/nix/var/nix/db \
 --bind-ro=/nix/var/nix/daemon-socket \
+ --bind=/run/systemd/notify:/var/lib/private/host-notify \
 --bind="/nix/var/nix/profiles/per-container/$INSTANCE:/nix/var/nix/profiles" \
 --bind="/nix/var/nix/gcroots/per-container/$INSTANCE:/nix/var/nix/gcroots" \
 --setenv PRIVATE_NETWORK="$PRIVATE_NETWORK" \
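Review bot: The new `--bind=/run/systemd/notify:/var/lib/private/host-notify` line hands the host's sd_notify socket to the container, and together with `NotifyAccess = "all"` (set in the serviceConfig change later in this file) the host systemd will accept readiness, status and main-PID updates for this unit from any process in the container's cgroup; the `mkdir -p -m 0700 "$root/var/lib/private"` line in the script is what narrows that to container root, so the two lines depend on each other without saying so. A comment next to the bind would make the boundary explicit: `# Host notify socket; /var/lib/private is 0700 so only container root reaches it, and the host systemd trusts whatever it sends for this unit.` If that directory mode is ever relaxed, NotifyAccess should be tightened at the same time. The service definition starts before and ends after these hunks.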
@@ -220,12 +230,6 @@ in postStart = '' - # This blocks until the container-startup-done service - # writes something to this pipe. FIXME: it also hangs - # until the start timeout expires if systemd-nspawn exits. - read x < $root/var/lib/startup-done - rm -f $root/var/lib/startup-done - if [ "$PRIVATE_NETWORK" = 1 ]; then ifaceHost=ve-$INSTANCE ip link set dev $ifaceHost up @@ -240,23 +244,42 @@ in preStop = '' - machinectl poweroff "$INSTANCE" + machinectl poweroff "$INSTANCE" || true ''; restartIfChanged = false; #reloadIfChanged = true; # FIXME - serviceConfig.ExecReload = pkgs.writeScript "reload-container" - '' - #! ${pkgs.stdenv.shell} -e - SYSTEM_PATH=/nix/var/nix/profiles/system - echo $SYSTEM_PATH/bin/switch-to-configuration test | \ - ${pkgs.socat}/bin/socat unix:$root/var/lib/run-command.socket - - ''; + serviceConfig = { + ExecReload = pkgs.writeScript "reload-container" + '' + #! ${pkgs.stdenv.shell} -e + SYSTEM_PATH=/nix/var/nix/profiles/system + echo $SYSTEM_PATH/bin/switch-to-configuration test | \ + ${pkgs.socat}/bin/socat unix:$root/var/lib/run-command.socket - + ''; + + SyslogIdentifier = "container %i"; + + EnvironmentFile = "-/etc/containers/%i.conf"; + + Type = "notify"; + + NotifyAccess = "all"; - serviceConfig.SyslogIdentifier = "container %i"; + # Note that on reboot, systemd-nspawn returns 10, so this + # unit will be restarted. On poweroff, it returns 0, so the + # unit won't be restarted. + Restart = "on-failure"; - serviceConfig.EnvironmentFile = "-/etc/containers/%i.conf"; + # Hack: we don't want to kill systemd-nspawn, since we call + # "machinectl poweroff" in preStop to shut down the + # container cleanly. But systemd requires sending a signal + # (at least if we want remaining processes to be killed + # after the timeout). So send an ignored signal. + KillMode = "mixed"; + KillSignal = "WINCH"; + }; }; # Generate a configuration file in /etc/containers for each 
@@ -290,5 +313,30 @@ in environment.systemPackages = [ nixos-container ]; + # Start containers at boot time. + systemd.services.all-containers = + { description = "All Containers"; + + wantedBy = [ "multi-user.target" ]; + + unitConfig.ConditionDirectoryNotEmpty = "/etc/containers"; + + serviceConfig.Type = "oneshot"; + + script = + '' + res=0 + shopt -s nullglob + for i in /etc/containers/*.conf; do + AUTO_START= + source "$i" + if [ "$AUTO_START" = 1 ]; then + systemctl start "container@$(basename "$i" .conf).service" || res=1 + fi + done + exit $res + ''; # */ + }; + }; } diff --git a/nixos/modules/virtualisation/nixos-container.pl b/nixos/modules/virtualisation/nixos-container.pl index 5083abd84489..bf6f16fc6c77 100644 --- a/nixos/modules/virtualisation/nixos-container.pl +++ b/nixos/modules/virtualisation/nixos-container.pl @@ -17,25 +17,31 @@ umask 0022; sub showHelp { print <<EOF; Usage: nixos-container list - nixos-container create <container-name> [--config <string>] [--ensure-unique-name] + nixos-container create <container-name> [--system-path <path>] [--config <string>] [--ensure-unique-name] [--auto-start] nixos-container destroy <container-name> nixos-container start <container-name> nixos-container stop <container-name> + nixos-container status <container-name> nixos-container login <container-name> nixos-container root-login <container-name> nixos-container run <container-name> -- args... nixos-container set-root-password <container-name> <password> nixos-container show-ip <container-name> + nixos-container show-host-key <container-name> EOF exit 0; } +my $systemPath; my $ensureUniqueName = 0; +my $autoStart = 0; my $extraConfig; GetOptions( "help" => sub { showHelp() }, "ensure-unique-name" => \$ensureUniqueName, + "auto-start" => \$autoStart, + "system-path=s" => \$systemPath, "config=s" => \$extraConfig ) or exit 1; 
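Review bot: The all-containers script runs `source "$i"` on every file matching /etc/containers/*.conf, which executes the file's contents as root on the host; that is acceptable only because these files are written by nixos-container (the `write_file($confFile, \@conf)` call in the nixos-container.pl hunk that follows) and /etc/containers is presumably writable by root alone, which the code nowhere states. A comment at the loop would record the assumption: `# *.conf files are generated by nixos-container and sourced as shell; /etc/containers must stay root-only.` Only `AUTO_START` is reset before each `source`, so any other variable set by one file carries into the next iteration, harmless while nothing else is read here. The enclosing config block starts before the hunk.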
@@ -122,17 +128,13 @@ if ($action eq "create") {
 push @conf, "PRIVATE_NETWORK=1\n";
 push @conf, "HOST_ADDRESS=$hostAddress\n";
 push @conf, "LOCAL_ADDRESS=$localAddress\n";
+ push @conf, "AUTO_START=$autoStart\n";
 write_file($confFile, \@conf);
 
 close($lock);
 
 print STDERR "host IP is $hostAddress, container IP is $localAddress\n";
 
-mkpath("$root/etc/nixos", 0, 0755);
-
- my $nixosConfigFile = "$root/etc/nixos/configuration.nix";
- writeNixOSConfig $nixosConfigFile;
-
 # The per-container directory is restricted to prevent users on
 # the host from messing with guest users who happen to have the
 # same uid.
@@ -141,10 +143,21 @@ if ($action eq "create") {
 $profileDir = "$profileDir/$containerName";
 mkpath($profileDir, 0, 0755);
 
- system("nix-env", "-p", "$profileDir/system",
- "-I", "nixos-config=$nixosConfigFile", "-f", "<nixpkgs/nixos>",
- "--set", "-A", "system") == 0
- or die "$0: failed to build initial container configuration\n";
+ # Build/set the initial configuration.
+ if (defined $systemPath) {
+ system("nix-env", "-p", "$profileDir/system", "--set", $systemPath) == 0
+ or die "$0: failed to set initial container configuration\n";
+ } else {
+ mkpath("$root/etc/nixos", 0, 0755);
+
+ my $nixosConfigFile = "$root/etc/nixos/configuration.nix";
+ writeNixOSConfig $nixosConfigFile;
+
+ system("nix-env", "-p", "$profileDir/system",
+ "-I", "nixos-config=$nixosConfigFile", "-f", "<nixpkgs/nixos>",
+ "--set", "-A", "system") == 0
+ or die "$0: failed to build initial container configuration\n";
+ }
 
 print "$containerName\n" if $ensureUniqueName;
 exit 0;
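Review bot: When `--system-path` is given the new else branch is skipped, so `$root/etc/nixos/configuration.nix` is never written, yet the `update` action (whose hunk follows, with `my $nixosConfigFile = "$root/etc/nixos/configuration.nix";`) appears to rebuild from exactly that file; a container created this way would presumably fail on `nixos-container update` with no hint why. Either write a minimal configuration.nix in both branches or record the limitation where the option is handled, e.g. `# NOTE: with --system-path no configuration.nix is written, so "update" cannot rebuild this container.` The `create` action's block starts before the hunk.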
@@ -152,8 +165,16 @@ if ($action eq "create") {
 my $root = "/var/lib/containers/$containerName";
 my $profileDir = "/nix/var/nix/profiles/per-container/$containerName";
+my $gcRootsDir = "/nix/var/nix/gcroots/per-container/$containerName";
 my $confFile = "/etc/containers/$containerName.conf";
 
-die "$0: container ‘$containerName’ does not exist\n" if !-e $confFile;
+if (!-e $confFile) {
+ if ($action eq "destroy") {
+ exit 0;
+ } elsif ($action eq "status") {
+ print "gone\n";
+ }
+ die "$0: container ‘$containerName’ does not exist\n" ;
+}
 
 sub isContainerRunning {
 my $status = `systemctl show 'container\@$containerName'`;
@@ -172,6 +193,7 @@ if ($action eq "destroy") {
 stopContainer if isContainerRunning;
 
 rmtree($profileDir) if -e $profileDir;
+ rmtree($gcRootsDir) if -e $gcRootsDir;
 rmtree($root) if -e $root;
 unlink($confFile) or die;
 }
@@ -185,6 +207,10 @@ elsif ($action eq "stop") {
 stopContainer;
 }
 
+elsif ($action eq "status") {
+ print isContainerRunning() ? "up" : "down", "\n";
+}
+
 elsif ($action eq "update") {
 my $nixosConfigFile = "$root/etc/nixos/configuration.nix";
 
@@ -239,6 +265,12 @@ elsif ($action eq "show-ip") {
 print "$1\n";
 }
 
+elsif ($action eq "show-host-key") {
+ my $fn = "$root/etc/ssh/ssh_host_ecdsa_key.pub";
+ exit 1 if ! -f $fn;
+ print read_file($fn);
+}
+
 else {
 die "$0: unknown action ‘$action’\n";
 }
diff --git a/nixos/release.nix b/nixos/release.nix
index ed413d3e928f..0620b46d46ad 100644
--- a/nixos/release.nix
+++ b/nixos/release.nix
@@ -78,6 +78,16 @@ let
 };
 
 
+ makeClosure = module: forAllSystems (system: (import ./lib/eval-config.nix {
+ inherit system;
+ modules = [ module ] ++ lib.singleton
+ ({ config, lib, ... }:
+ { fileSystems."/".device = lib.mkDefault "/dev/sda1";
+ boot.loader.grub.device = lib.mkDefault "/dev/sda";
+ });
+ }).config.system.build.toplevel);
+
+
 in rec {
 
 channel =
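Review bot: In the first hunk, `status` on a container with no conf file prints `gone` to stdout and then falls through to `die`, so a caller receives both the status word and the "does not exist" error with a non-zero exit; if `gone` is meant as a valid answer alongside the `up`/`down` branch added later, it should be followed by `exit 0;`, otherwise the print should go. The same `die` line also has a stray space before its semicolon, `does not exist\n" ;`. The `show-host-key` branch in the last hunk exits 1 silently when the key file is absent; a `warn "$0: no host key at $fn\n";` before the exit would make scripted use easier to debug.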
@@ -242,4 +252,46 @@ in rec { tests.udisks2 = callTest tests/udisks2.nix {}; tests.xfce = callTest tests/xfce.nix {}; + + /* Build a bunch of typical closures so that Hydra can keep track of + the evolution of closure sizes. */ + + closures = { + + smallContainer = makeClosure ({ pkgs, ... }: + { boot.isContainer = true; + services.openssh.enable = true; + }); + + tinyContainer = makeClosure ({ pkgs, ... }: + { boot.isContainer = true; + imports = [ modules/profiles/minimal.nix ]; + }); + + ec2 = makeClosure ({ pkgs, ... }: + { imports = [ modules/virtualisation/amazon-image.nix ]; + }); + + kde = makeClosure ({ pkgs, ... }: + { services.xserver.enable = true; + services.xserver.displayManager.kdm.enable = true; + services.xserver.desktopManager.kde4.enable = true; + }); + + xfce = makeClosure ({ pkgs, ... }: + { services.xserver.enable = true; + services.xserver.desktopManager.xfce.enable = true; + }); + + # Linux/Apache/PostgreSQL/PHP stack. + lapp = makeClosure ({ pkgs, ... }: + { services.httpd.enable = true; + services.httpd.adminAddr = "foo@example.org"; + services.postgresql.enable = true; + services.postgresql.package = pkgs.postgresql93; + environment.systemPackages = [ pkgs.php ]; + }); + + }; + } |