Diffstat (limited to 'nixos')
-rw-r--r--nixos/doc/manual/release-notes/rl-1909.xml50
-rw-r--r--nixos/modules/misc/nixops-autoluks.nix44
-rw-r--r--nixos/modules/misc/version.nix1
-rw-r--r--nixos/modules/module-list.nix1
-rw-r--r--nixos/modules/services/hardware/80-net-setup-link.rules13
-rw-r--r--nixos/modules/services/hardware/udev.nix6
-rw-r--r--nixos/modules/system/boot/networkd.nix2
-rw-r--r--nixos/modules/system/boot/systemd.nix2
-rw-r--r--nixos/modules/system/boot/timesyncd.nix9
-rw-r--r--nixos/modules/tasks/network-interfaces-systemd.nix11
-rw-r--r--nixos/modules/testing/test-instrumentation.nix3
-rw-r--r--nixos/tests/all-tests.nix1
-rw-r--r--nixos/tests/containers-imperative.nix21
-rw-r--r--nixos/tests/radicale.nix2
-rw-r--r--nixos/tests/systemd-timesyncd.nix52
15 files changed, 190 insertions, 28 deletions
diff --git a/nixos/doc/manual/release-notes/rl-1909.xml b/nixos/doc/manual/release-notes/rl-1909.xml
index 6c958583993a..922239998ad6 100644
--- a/nixos/doc/manual/release-notes/rl-1909.xml
+++ b/nixos/doc/manual/release-notes/rl-1909.xml
@@ -131,6 +131,40 @@
       and <option>services.limesurvey.virtualHost</option> options.
     </para>
    </listitem>
+   <listitem>
+     <para>
+      The option <option>systemd.network.networks.&lt;name&gt;.routes.*.routeConfig.GatewayOnlink</option>
+      was renamed to <option>systemd.network.networks.&lt;name&gt;.routes.*.routeConfig.GatewayOnLink</option>
+      (capital <literal>L</literal>). This follows
+      <link xlink:href="https://github.com/systemd/systemd/commit/9cb8c5593443d24c19e40bfd4fc06d672f8c554c">
+        upstreams renaming
+      </link> of the setting.
+     </para>
+   </listitem>
+   <listitem>
+    <para>
+      As of this release the NixOps feature <literal>autoLuks</literal> is deprecated. It no longer works
+      with our systemd version without manual intervention.
+    </para>
+    <para>
+      Whenever the usage of the module is detected the evaluation will fail with a message
+      explaining why and how to deal with the situation.
+    </para>
+    <para>
+      A new knob named <literal>nixops.enableDeprecatedAutoLuks</literal>
+      has been introduced to disable the eval failure and to acknowledge the notice was received and read.
+      If you plan on using the feature please note that it might break with subsequent updates.
+    </para>
+    <para>
+      Make sure you set the <literal>_netdev</literal> option for each of the file systems referring to block
+      devices provided by the autoLuks module. Not doing this might render the system in a
+      state where it doesn't boot anymore.
+    </para>
+    <para>
+      If you are actively using the <literal>autoLuks</literal> module please let us know in
+      <link xlink:href="https://github.com/NixOS/nixpkgs/issues/62211">issue #62211</link>.
+    </para>
+  </listitem>
   </itemizedlist>
  </section>
 
@@ -200,6 +234,20 @@
       RuntimeDirectory and tmpfiles.
     </para>
    </listitem>
-  </itemizedlist>
+   <listitem>
+    <para>
+      With the upgrade to systemd version 242 the <literal>systemd-timesyncd</literal>
+      service is no longer using <literal>DynamicUser=yes</literal>. In order for the
+      upgrade to work we rely on an activation script to move the state from the old
+      to the new directory. The older directory (prior <literal>19.09</literal>) was
+      <literal>/var/lib/private/systemd/timesync</literal>.
+    </para>
+    <para>
+      As long as the <literal>system.config.stateVersion</literal> is below
+      <literal>19.09</literal> the state folder will migrated to its proper location
+      (<literal>/var/lib/systemd/timesync</literal>), if required.
+    </para>
+  </listitem>
+ </itemizedlist>
  </section>
 </section>
diff --git a/nixos/modules/misc/nixops-autoluks.nix b/nixos/modules/misc/nixops-autoluks.nix
new file mode 100644
index 000000000000..2153c6f975ad
--- /dev/null
+++ b/nixos/modules/misc/nixops-autoluks.nix
@@ -0,0 +1,44 @@
+{ config, options, lib, ... }:
+let
+  path = [ "deployment" "autoLuks" ];
+  hasAutoLuksOption = lib.hasAttrByPath path options;
+  hasAutoLuksConfig = lib.hasAttrByPath path config && (lib.attrByPath path {} config) != {};
+
+  inherit (config.nixops) enableDeprecatedAutoLuks;
+in {
+  options.nixops.enableDeprecatedAutoLuks = lib.mkEnableOption "Enable the deprecated NixOps AutoLuks module";
+
+  config = {
+    assertions = [
+      {
+        assertion = if hasAutoLuksConfig then hasAutoLuksConfig && enableDeprecatedAutoLuks else true;
+        message = ''
+          ⚠️  !!! WARNING !!! ⚠️
+
+            NixOps autoLuks is deprecated. The feature was never widely used and the maintenance did outgrow the benefit.
+            If you still want to use the module:
+              a) Please raise your voice in the issue tracking usage of the module:
+                 https://github.com/NixOS/nixpkgs/issues/62211
+              b) make sure you set the `_netdev` option for each of the file
+                 systems referring to block devices provided by the autoLuks module.
+
+                 ⚠️ If you do not set the option your system will not boot anymore! ⚠️
+
+                  {
+                    fileSystems."/secret" = { options = [ "_netdev" ]; };
+                  }
+
+              b) set the option >nixops.enableDeprecatedAutoLuks = true< to remove this error.
+
+
+            For more details read through the following resources:
+              - https://github.com/NixOS/nixops/pull/1156
+              - https://github.com/NixOS/nixpkgs/issues/47550
+              - https://github.com/NixOS/nixpkgs/issues/62211
+              - https://github.com/NixOS/nixpkgs/pull/61321
+        '';
+      }
+    ];
+  };
+
+}
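Review bot: The assertion message labels two different steps `b)` (the `_netdev` step and the `nixops.enableDeprecatedAutoLuks = true` step), so the last one should read `c)`; the message itself says that skipping the `_netdev` step leaves the system unbootable, so the list should be unambiguous. The assertion expression is more roundabout than needed and could be `assertion = !hasAutoLuksConfig || enableDeprecatedAutoLuks;`. `hasAutoLuksOption` is bound in the `let` but never used in this file. Because `lib.mkEnableOption` already prefixes its argument with "Whether to enable", the description would read better as `lib.mkEnableOption "the deprecated NixOps AutoLuks module"`.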
diff --git a/nixos/modules/misc/version.nix b/nixos/modules/misc/version.nix
index c576cf4cb925..c9b374b6d7b1 100644
--- a/nixos/modules/misc/version.nix
+++ b/nixos/modules/misc/version.nix
@@ -95,6 +95,7 @@ in
         PRETTY_NAME="NixOS ${cfg.version} (${cfg.codeName})"
         LOGO="nix-snowflake"
         HOME_URL="https://nixos.org/"
+        DOCUMENTATION_URL="https://nixos.org/nixos/manual/index.html"
         SUPPORT_URL="https://nixos.org/nixos/support.html"
         BUG_REPORT_URL="https://github.com/NixOS/nixpkgs/issues"
       '';
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 3eece09f1aed..1017d25bf285 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -84,6 +84,7 @@
   ./misc/nixpkgs.nix
   ./misc/passthru.nix
   ./misc/version.nix
+  ./misc/nixops-autoluks.nix
   ./programs/adb.nix
   ./programs/atop.nix
   ./programs/autojump.nix
diff --git a/nixos/modules/services/hardware/80-net-setup-link.rules b/nixos/modules/services/hardware/80-net-setup-link.rules
deleted file mode 100644
index 18547f170a3f..000000000000
--- a/nixos/modules/services/hardware/80-net-setup-link.rules
+++ /dev/null
@@ -1,13 +0,0 @@
-# Copied from systemd 203.
-ACTION=="remove", GOTO="net_name_slot_end"
-SUBSYSTEM!="net", GOTO="net_name_slot_end"
-NAME!="", GOTO="net_name_slot_end"
-
-IMPORT{cmdline}="net.ifnames"
-ENV{net.ifnames}=="0", GOTO="net_name_slot_end"
-
-NAME=="", ENV{ID_NET_NAME_ONBOARD}!="", NAME="$env{ID_NET_NAME_ONBOARD}"
-NAME=="", ENV{ID_NET_NAME_SLOT}!="", NAME="$env{ID_NET_NAME_SLOT}"
-NAME=="", ENV{ID_NET_NAME_PATH}!="", NAME="$env{ID_NET_NAME_PATH}"
-
-LABEL="net_name_slot_end"
diff --git a/nixos/modules/services/hardware/udev.nix b/nixos/modules/services/hardware/udev.nix
index 0266286aaacf..cb2f1e6621ae 100644
--- a/nixos/modules/services/hardware/udev.nix
+++ b/nixos/modules/services/hardware/udev.nix
@@ -116,10 +116,6 @@ let
         exit 1
       fi
 
-      ${optionalString config.networking.usePredictableInterfaceNames ''
-        cp ${./80-net-setup-link.rules} $out/80-net-setup-link.rules
-      ''}
-
       # If auto-configuration is disabled, then remove
       # udev's 80-drivers.rules file, which contains rules for
       # automatically calling modprobe.
@@ -282,6 +278,8 @@ in
 
     services.udev.path = [ pkgs.coreutils pkgs.gnused pkgs.gnugrep pkgs.utillinux udev ];
 
+    boot.kernelParams = mkIf (!config.networking.usePredictableInterfaceNames) [ "net.ifnames=0" ];
+
     environment.etc =
       [ { source = udevRules;
           target = "udev/rules.d";
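Review bot: The added `boot.kernelParams = mkIf (!config.networking.usePredictableInterfaceNames) [ "net.ifnames=0" ];` line has no comment explaining that it takes over from the rule file the first hunk of this file stops installing. A kernel command-line parameter is only read at boot, so flipping `networking.usePredictableInterfaceNames` presumably now needs a reboot rather than a configuration switch. Environments where this configuration does not control the kernel command line (containers, for instance) may not honour it, which should be confirmed. I would add a comment above the line such as `# Interface renaming is disabled via the kernel command line; takes effect on the next boot.` The enclosing `config` block starts and ends outside the hunk.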
diff --git a/nixos/modules/system/boot/networkd.nix b/nixos/modules/system/boot/networkd.nix
index 63a6f7fbe099..14a3832b0dc0 100644
--- a/nixos/modules/system/boot/networkd.nix
+++ b/nixos/modules/system/boot/networkd.nix
@@ -203,7 +203,7 @@ let
 
   checkRoute = checkUnitConfig "Route" [
     (assertOnlyFields [
-      "Gateway" "GatewayOnlink" "Destination" "Source" "Metric"
+      "Gateway" "GatewayOnLink" "Destination" "Source" "Metric"
       "IPv6Preference" "Scope" "PreferredSource" "Table" "Protocol" "Type"
       "InitialCongestionWindow" "InitialAdvertisedReceiveWindow" "QuickAck"
       "MTUBytes"
diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix
index 18ee2ef1b8f5..8499b700d3ea 100644
--- a/nixos/modules/system/boot/systemd.nix
+++ b/nixos/modules/system/boot/systemd.nix
@@ -940,7 +940,6 @@ in
     # Don't bother with certain units in containers.
     systemd.services.systemd-remount-fs.unitConfig.ConditionVirtualization = "!container";
     systemd.services.systemd-random-seed.unitConfig.ConditionVirtualization = "!container";
-
   };
 
   # FIXME: Remove these eventually.
@@ -949,5 +948,4 @@ in
       (mkRenamedOptionModule [ "boot" "systemd" "targets" ] [ "systemd" "targets" ])
       (mkRenamedOptionModule [ "boot" "systemd" "services" ] [ "systemd" "services" ])
     ];
-
 }
diff --git a/nixos/modules/system/boot/timesyncd.nix b/nixos/modules/system/boot/timesyncd.nix
index 8d8bfe5900a9..8282cdd6f3aa 100644
--- a/nixos/modules/system/boot/timesyncd.nix
+++ b/nixos/modules/system/boot/timesyncd.nix
@@ -40,6 +40,15 @@ with lib;
     users.users.systemd-timesync.uid = config.ids.uids.systemd-timesync;
     users.groups.systemd-timesync.gid = config.ids.gids.systemd-timesync;
 
+    system.activationScripts.systemd-timesyncd-migration = mkIf (versionOlder config.system.stateVersion "19.09") ''
+      # workaround an issue of systemd-timesyncd not starting due to upstream systemd reverting their dynamic users changes
+      #  - https://github.com/NixOS/nixpkgs/pull/61321#issuecomment-492423742
+      #  - https://github.com/systemd/systemd/issues/12131
+      if [ -L /var/lib/systemd/timesync ]; then
+        rm /var/lib/systemd/timesync
+        mv /var/lib/private/systemd/timesync /var/lib/systemd/timesync
+      fi
+    '';
   };
 
 }
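Review bot: The migration removes the `/var/lib/systemd/timesync` symlink and then runs `mv` without checking that `/var/lib/private/systemd/timesync` exists, so a dangling link makes `mv` fail inside the root-run activation script. Wrapping only the move, as in `if [ -d /var/lib/private/systemd/timesync ]; then mv /var/lib/private/systemd/timesync /var/lib/systemd/timesync; fi`, still clears the stale link but keeps activation clean. The script does no `chown`, so whether the moved directory ends up owned by the static `systemd-timesync` user is not visible here and should be confirmed. The `versionOlder config.system.stateVersion "19.09"` gate presumably also skips machines whose `stateVersion` is already `19.09` but which still carry the symlink from an earlier systemd.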
diff --git a/nixos/modules/tasks/network-interfaces-systemd.nix b/nixos/modules/tasks/network-interfaces-systemd.nix
index 2318bdd1d582..857aaf1e6e30 100644
--- a/nixos/modules/tasks/network-interfaces-systemd.nix
+++ b/nixos/modules/tasks/network-interfaces-systemd.nix
@@ -12,7 +12,7 @@ let
     i.ipv4.addresses
     ++ optionals cfg.enableIPv6 i.ipv6.addresses;
 
-  dhcpStr = useDHCP: if useDHCP == true || useDHCP == null then "both" else "none";
+  dhcpStr = useDHCP: if useDHCP == true || useDHCP == null then "both" else "no";
 
   slaves =
     concatLists (map (bond: bond.interfaces) (attrValues cfg.bonds))
@@ -59,7 +59,14 @@ in
           in {
             DHCP = override (dhcpStr cfg.useDHCP);
           } // optionalAttrs (gateway != [ ]) {
-            gateway = override gateway;
+            routes = override [
+              {
+                routeConfig = {
+                  Gateway = gateway;
+                  GatewayOnLink = false;
+                };
+              }
+            ];
           } // optionalAttrs (domains != [ ]) {
             domains = override domains;
           };
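Review bot: `Gateway = gateway;` puts the whole `gateway` value into a single route entry, and since that value is compared against `[ ]` just above, it appears to be a list. If it can hold more than one address (for example an IPv4 and an IPv6 default gateway), they would presumably all land in one `[Route]` section instead of one section each; this should be checked against how the unit generator renders list values. Emitting one route per element avoids the question: `routes = override (map (gw: { routeConfig = { Gateway = gw; GatewayOnLink = false; }; }) gateway);`. The enclosing expression starts and ends outside the hunk.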
diff --git a/nixos/modules/testing/test-instrumentation.nix b/nixos/modules/testing/test-instrumentation.nix
index ed4cfa7805e2..1a11d9ce7c26 100644
--- a/nixos/modules/testing/test-instrumentation.nix
+++ b/nixos/modules/testing/test-instrumentation.nix
@@ -129,9 +129,6 @@ with import ../../lib/qemu-flags.nix { inherit pkgs; };
     users.users.root.initialHashedPassword = mkOverride 150 "";
 
     services.xserver.displayManager.job.logToJournal = true;
-
-    # set default stateVersion to avoid warnings during eval
-    system.stateVersion = mkDefault "18.03";
   };
 
 }
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index e14b356c2ab5..2f84850f6b3e 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -239,6 +239,7 @@ in
   syncthing-relay = handleTest ./syncthing-relay.nix {};
   systemd = handleTest ./systemd.nix {};
   systemd-confinement = handleTest ./systemd-confinement.nix {};
+  systemd-timesyncd = handleTest ./systemd-timesyncd.nix {};
   pdns-recursor = handleTest ./pdns-recursor.nix {};
   taskserver = handleTest ./taskserver.nix {};
   telegraf = handleTest ./telegraf.nix {};
diff --git a/nixos/tests/containers-imperative.nix b/nixos/tests/containers-imperative.nix
index 0c101037aa7f..2e7e4b2f1d69 100644
--- a/nixos/tests/containers-imperative.nix
+++ b/nixos/tests/containers-imperative.nix
@@ -35,7 +35,17 @@ import ./make-test.nix ({ pkgs, ...} : {
       ];
     };
 
-  testScript =
+  testScript = let
+    tmpfilesContainerConfig = pkgs.writeText "container-config-tmpfiles" ''
+      {
+        systemd.tmpfiles.rules = [ "d /foo - - - - -" ];
+        systemd.services.foo = {
+          serviceConfig.Type = "oneshot";
+          script = "ls -al /foo";
+          wantedBy = [ "multi-user.target" ];
+        };
+      }
+    ''; in
     ''
       # Make sure we have a NixOS tree (required by ‘nixos-container create’).
       $machine->succeed("PAGER=cat nix-env -qa -A nixos.hello >&2");
@@ -93,6 +103,15 @@ import ./make-test.nix ({ pkgs, ...} : {
       $machine->succeed("nixos-container stop $id1");
       $machine->succeed("nixos-container start $id1");
 
+      # Ensure tmpfiles are present
+      $machine->log("creating container tmpfiles");
+      $machine->succeed("nixos-container create tmpfiles --config-file ${tmpfilesContainerConfig}");
+      $machine->log("created, starting…");
+      $machine->succeed("nixos-container start tmpfiles");
+      $machine->log("done starting, investigating…");
+      $machine->succeed("echo \$(nixos-container run tmpfiles -- systemctl is-active foo.service) | grep -q active;");
+      $machine->succeed("nixos-container destroy tmpfiles");
+
       # Execute commands via the root shell.
       $machine->succeed("nixos-container run $id1 -- uname") =~ /Linux/ or die;
 
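Review bot: The new check `echo \$(nixos-container run tmpfiles -- systemctl is-active foo.service) | grep -q active` also matches `inactive` and `activating`, so it can pass when `foo.service` never ran successfully. A `oneshot` unit without `RemainAfterExit` normally reports `inactive` once it has finished, so the substring match is probably what makes the test pass today. Adding `serviceConfig.RemainAfterExit = true;` to the container config in the first hunk of this file and matching exactly with `grep -qx active` would make the assertion mean what the comment says. The `testScript` string continues outside the hunk.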
diff --git a/nixos/tests/radicale.nix b/nixos/tests/radicale.nix
index bf22fc9291af..607964255640 100644
--- a/nixos/tests/radicale.nix
+++ b/nixos/tests/radicale.nix
@@ -85,7 +85,7 @@ in
       $radicale->succeed('mv /tmp/collections-new/collection-root /tmp/collections');
       $radicale->succeed('${switchToConfig "radicale2_verify"} >&2');
       $radicale->waitUntilFails('systemctl status radicale');
-      my ($retcode, $logs) = $radicale->execute('journalctl -u radicale -n 5');
+      my ($retcode, $logs) = $radicale->execute('journalctl -u radicale -n 10');
       if ($retcode != 0 || index($logs, 'Verifying storage') == -1) {
         die "Radicale 2 didn't verify storage"
       }
diff --git a/nixos/tests/systemd-timesyncd.nix b/nixos/tests/systemd-timesyncd.nix
new file mode 100644
index 000000000000..d12b8eb2bf7e
--- /dev/null
+++ b/nixos/tests/systemd-timesyncd.nix
@@ -0,0 +1,52 @@
+# Regression test for systemd-timesync having moved the state directory without
+# upstream providing a migration path. https://github.com/systemd/systemd/issues/12131
+
+import ./make-test.nix (let
+  common = { lib, ... }: {
+    # override the `false` value from the qemu-vm base profile
+    services.timesyncd.enable = lib.mkForce true;
+  };
+  mkVM = conf: { imports = [ conf common ]; };
+in {
+  name = "systemd-timesyncd";
+  nodes = {
+    current = mkVM {};
+    pre1909 = mkVM ({lib, ... }: with lib; {
+      # create the path that should be migrated by our activation script when
+      # upgrading to a newer nixos version
+      system.stateVersion = "19.03";
+      system.activationScripts.simulate-old-timesync-state-dir = mkBefore ''
+        rm -f /var/lib/systemd/timesync
+        mkdir -p /var/lib/systemd /var/lib/private/systemd/timesync
+        ln -s /var/lib/private/systemd/timesync /var/lib/systemd/timesync
+        chown systemd-timesync: /var/lib/private/systemd/timesync
+      '';
+    });
+  };
+
+  testScript = ''
+    startAll;
+    $current->succeed('systemctl status systemd-timesyncd.service');
+    # on a new install with a recent systemd there should not be any
+    # leftovers from the dynamic user mess
+    $current->succeed('test -e /var/lib/systemd/timesync');
+    $current->succeed('test ! -L /var/lib/systemd/timesync');
+
+    # timesyncd should be running on the upgrading system since we fixed the
+    # file bits in the activation script
+    $pre1909->succeed('systemctl status systemd-timesyncd.service');
+
+    # the path should be gone after the migration
+    $pre1909->succeed('test ! -e /var/lib/private/systemd/timesync');
+
+    # and the new path should no longer be a symlink
+    $pre1909->succeed('test -e /var/lib/systemd/timesync');
+    $pre1909->succeed('test ! -L /var/lib/systemd/timesync');
+
+    # after a restart things should still work and not fail in the activation
+    # scripts and cause the boot to fail..
+    $pre1909->shutdown;
+    $pre1909->start;
+    $pre1909->succeed('systemctl status systemd-timesyncd.service');
+  '';
+})
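Review bot: The `pre1909` assertions only check the shape of the paths (`test -e`, `test ! -L`), which would likely also hold if the migration dropped the old directory and timesyncd recreated an empty one. Placing a marker in the simulated old state, e.g. `touch /var/lib/private/systemd/timesync/marker` in `simulate-old-timesync-state-dir`, and asserting `$pre1909->succeed('test -e /var/lib/systemd/timesync/marker');` would show the state was actually moved. The path checks are also not repeated after the `shutdown`/`start` cycle, where the simulation script runs again against an already migrated directory. Only the service status is checked at that point.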