Diffstat (limited to 'nixos')
-rw-r--r--nixos/doc/manual/from_md/release-notes/rl-2111.section.xml12
-rw-r--r--nixos/doc/manual/release-notes/rl-2111.section.md7
-rw-r--r--nixos/modules/virtualisation/oci-containers.nix10
3 files changed, 24 insertions, 5 deletions
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml
index a11baa91dea6..b61a0268dee2 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml
@@ -35,7 +35,17 @@
           This means, <literal>ip[6]tables</literal>,
           <literal>arptables</literal> and <literal>ebtables</literal>
           commands will actually show rules from some specific tables in
-          the <literal>nf_tables</literal> kernel subsystem.
+          the <literal>nf_tables</literal> kernel subsystem. In case
+          you’re migrating from an older release without rebooting,
+          there might be cases where you end up with iptable rules
+          configured both in the legacy <literal>iptables</literal>
+          kernel backend, as well as in the <literal>nf_tables</literal>
+          backend. This can lead to confusing firewall behaviour. An
+          <literal>iptables-save</literal> after switching will complain
+          about <quote>iptables-legacy tables present</quote>. It’s
+          probably best to reboot after the upgrade, or manually
+          removing all legacy iptables rules (via the
+          <literal>iptables-legacy</literal> package).
         </para>
       </listitem>
       <listitem>
diff --git a/nixos/doc/manual/release-notes/rl-2111.section.md b/nixos/doc/manual/release-notes/rl-2111.section.md
index f3644c32832b..310d32cfdd72 100644
--- a/nixos/doc/manual/release-notes/rl-2111.section.md
+++ b/nixos/doc/manual/release-notes/rl-2111.section.md
@@ -13,6 +13,13 @@ In addition to numerous new and upgraded packages, this release has the followin
   [Fedora](https://fedoraproject.org/wiki/Changes/iptables-nft-default).
   This means, `ip[6]tables`, `arptables` and `ebtables` commands  will actually
   show rules from some specific tables in the `nf_tables` kernel subsystem.
+  In case you're migrating from an older release without rebooting, there might
+  be cases where you end up with iptable rules configured both in the legacy
+  `iptables` kernel backend, as well as in the `nf_tables` backend.
+  This can lead to confusing firewall behaviour. An `iptables-save` after
+  switching will complain about "iptables-legacy tables present".
+  It's probably best to reboot after the upgrade, or manually removing all
+  legacy iptables rules (via the `iptables-legacy` package).
 
 - systemd got an `nftables` backend, and configures (networkd) rules in their
   own `io.systemd.*` tables. Check `nft list ruleset` to see these rules, not
diff --git a/nixos/modules/virtualisation/oci-containers.nix b/nixos/modules/virtualisation/oci-containers.nix
index 5af9baff8bc1..f40481727830 100644
--- a/nixos/modules/virtualisation/oci-containers.nix
+++ b/nixos/modules/virtualisation/oci-containers.nix
@@ -22,11 +22,13 @@ let
           type = with types; nullOr package;
           default = null;
           description = ''
-            Path to an image file to load instead of pulling from a registry.
-            If defined, do not pull from registry.
+            Path to an image file to load before running the image. This can
+            be used to bypass pulling the image from the registry.
 
-            You still need to set the <literal>image</literal> attribute, as it
-            will be used as the image name for docker to start a container.
+            The <literal>image</literal> attribute must match the name and
+            tag of the image contained in this file, as they will be used to
+            run the container with that image. If they do not match, the
+            image will be pulled from the registry as usual.
           '';
           example = literalExpression "pkgs.dockerTools.buildImage {...};";
         };
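Review bot: The new description for the image-file option states that a name/tag mismatch makes the image "be pulled from the registry as usual", but it does not say that this fallback is silent: a misspelled `image` value is not reported as an error, it quietly turns an offline, pre-loaded image into a network pull of whatever the registry serves under that name. Since the whole point of the option is to bypass the registry, that is the case a reader most needs warned about. I would add one sentence after the last added line, e.g. `Note that this fallback is not an error; double-check that <literal>image</literal> names the loaded image exactly if pulling from the registry is not intended.` The option definition this description belongs to begins before the hunk, so I cannot confirm from here whether the module itself checks the loaded image against <literal>image</literal>; if it does, the description should say so instead.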