diff options
Diffstat (limited to 'nixpkgs/nixos/doc/manual')
3 files changed, 171 insertions, 5 deletions
diff --git a/nixpkgs/nixos/doc/manual/administration/boot-problems.xml b/nixpkgs/nixos/doc/manual/administration/boot-problems.xml index 5fa0b29e6d62..badc374ebcfd 100644 --- a/nixpkgs/nixos/doc/manual/administration/boot-problems.xml +++ b/nixpkgs/nixos/doc/manual/administration/boot-problems.xml @@ -19,9 +19,9 @@ </term> <listitem> <para> - Start a root shell if something goes wrong in stage 1 of the boot process - (the initial ramdisk). This is disabled by default because there is no - authentication for the root shell. + Allows the user to start a root shell if something goes wrong in stage 1 + of the boot process (the initial ramdisk). This is disabled by default + because there is no authentication for the root shell. </para> </listitem> </varlistentry> @@ -51,6 +51,22 @@ </varlistentry> <varlistentry> <term> + <literal>boot.debug1mounts</literal> + </term> + <listitem> + <para> + Like <literal>boot.debug1</literal> or + <literal>boot.debug1devices</literal>, but runs stage1 until all + filesystems that are mounted during initrd are mounted (see + <option><link linkend="opt-fileSystems._name__.neededForBoot">neededForBoot</link></option> + ). As a motivating example, this could be useful if you've forgotten to set + <option><link linkend="opt-fileSystems._name__.neededForBoot">neededForBoot</link></option> + on a file system. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> <literal>boot.trace</literal> </term> <listitem> @@ -91,6 +107,15 @@ </para> <para> + Notice that for <literal>boot.shell_on_fail</literal>, + <literal>boot.debug1</literal>, <literal>boot.debug1devices</literal>, and + <literal>boot.debug1mounts</literal>, if you did <emphasis>not</emphasis> + select "start the new shell as pid 1", and you <literal>exit</literal> from + the new shell, boot will proceed normally from the point where it failed, as + if you'd chosen "ignore the error and continue". + </para> + + <para> If no login prompts or X11 login screens appear (e.g. due to hanging dependencies), you can press Alt+ArrowUp. If you’re lucky, this will start rescue mode (described above). (Also note that since most units have a diff --git a/nixpkgs/nixos/doc/manual/installation/installing-from-other-distro.xml b/nixpkgs/nixos/doc/manual/installation/installing-from-other-distro.xml index 8ed45899fd7f..45d68f8787f1 100644 --- a/nixpkgs/nixos/doc/manual/installation/installing-from-other-distro.xml +++ b/nixpkgs/nixos/doc/manual/installation/installing-from-other-distro.xml @@ -89,7 +89,7 @@ nixpkgs https://nixos.org/channels/nixpkgs-unstable</screen> NixOS partition. They are installed by default on NixOS, but you don't have NixOS yet.. </para> -<screen><prompt>$ </prompt>nix-env -iE "_: with import <nixpkgs/nixos> { configuration = {}; }; with config.system.build; [ nixos-generate-config nixos-install nixos-enter manual.manpages ]"</screen> +<screen><prompt>$ </prompt>nix-env -f '<nixpkgs/nixos>' --arg configuration {} -iA config.system.build.{nixos-generate-config,nixos-install,nixos-enter,manual.manpages}</screen> </listitem> <listitem> <note> diff --git a/nixpkgs/nixos/doc/manual/release-notes/rl-2009.xml b/nixpkgs/nixos/doc/manual/release-notes/rl-2009.xml index e17e8ac24d13..9bbbecc05692 100644 --- a/nixpkgs/nixos/doc/manual/release-notes/rl-2009.xml +++ b/nixpkgs/nixos/doc/manual/release-notes/rl-2009.xml @@ -44,6 +44,11 @@ </listitem> <listitem> <para> + Python 3 now defaults to Python 3.8 instead of 3.7. + </para> + </listitem> + <listitem> + <para> Two new options, <link linkend="opt-services.openssh.authorizedKeysCommand">authorizedKeysCommand</link> and <link linkend="opt-services.openssh.authorizedKeysCommandUser">authorizedKeysCommandUser</link>, have been added to the <literal>openssh</literal> module. If you have <literal>AuthorizedKeysCommand</literal> @@ -89,6 +94,22 @@ services.mysql.initialScript = pkgs.writeText "mariadb-init.sql" '' When MariaDB data directory is just upgraded (not initialized), the users are not created or modified. </para> </listitem> + <listitem> + <para> + MySQL server is now started with additional systemd sandbox/hardening options for better security. The PrivateTmp, ProtectHome, and ProtectSystem options + may be problematic when MySQL is attempting to read from or write to your filesystem anywhere outside of its own state directory, for example when + calling <literal>LOAD DATA INFILE or SELECT * INTO OUTFILE</literal>. In this scenario a variant of the following may be required: + - allow MySQL to read from /home and /tmp directories when using <literal>LOAD DATA INFILE</literal> +<programlisting> +systemd.services.mysql.serviceConfig.ProtectHome = lib.mkForce "read-only"; +</programlisting> + - allow MySQL to write to custom folder <literal>/var/data</literal> when using <literal>SELECT * INTO OUTFILE</literal>, assuming the mysql user has write + access to <literal>/var/data</literal> +<programlisting> +systemd.services.mysql.serviceConfig.ReadWritePaths = [ "/var/data" ]; +</programlisting> + </para> + </listitem> </itemizedlist> </section> @@ -178,6 +199,12 @@ services.mysql.initialScript = pkgs.writeText "mariadb-init.sql" '' </listitem> <listitem> <para> + <literal>vmware</literal> has been removed from the <literal>services.x11.videoDrivers</literal> defaults. + For VMWare guests set <literal>virtualisation.vmware.guest.enable</literal> to <literal>true</literal> which will include the appropriate drivers. + </para> + </listitem> + <listitem> + <para> The initrd SSH support now uses OpenSSH rather than Dropbear to allow the use of Ed25519 keys and other OpenSSH-specific functionality. Host keys must now be in the OpenSSH format, and at @@ -441,6 +468,28 @@ systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/www" ]; recommended to only use lower-case characters. </para> </listitem> + <listitem> + <para> + The GRUB specific option <option>boot.loader.grub.extraInitrd</option> + has been replaced with the generic option + <option>boot.initrd.secrets</option>. This option creates a secondary + initrd from the specified files, rather than using a manually created + initrd file. + + Due to an existing bug with <option>boot.loader.grub.extraInitrd</option>, + it is not possible to directly boot an older generation that used that + option. It is still possible to rollback to that generation if the required + initrd file has not been deleted. + </para> + </listitem> + <listitem> + <para> + The <link xlink:href="https://github.com/okTurtles/dnschain">DNSChain</link> + package and NixOS module have been removed from Nixpkgs as the software is + unmaintained and can't be built. For more information see issue + <link xlink:href="https://github.com/NixOS/nixpkgs/issues/89205">#89205</link>. + </para> + </listitem> </itemizedlist> </section> @@ -453,6 +502,9 @@ systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/www" ]; <itemizedlist> <listitem> + <para>SD images are now compressed by default using <literal>zstd</literal>. The compression for ISO images has also been changed to <literal>zstd</literal>, but ISO images are still not compressed by default.</para> + </listitem> + <listitem> <para> <option>services.journald.rateLimitBurst</option> was updated from <literal>1000</literal> to <literal>10000</literal> to follow the new @@ -469,8 +521,31 @@ systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/www" ]; </para> </listitem> <listitem> + <para> + The default output of <literal>buildGoPackage</literal> is now <literal>$out</literal> instead of <literal>$bin</literal>. + </para> + </listitem> + <listitem> + <para> + Packages built using <literal>buildRustPackage</literal> now use <literal>release</literal> + mode for the <literal>checkPhase</literal> by default. + </para> + <para> + Please note that Rust packages utilizing a custom build/install procedure + (e.g. by using a <filename>Makefile</filename>) or test suites that rely on the + structure of the <filename>target/</filename> directory may break due to those assumptions. + For further information, please read the Rust section in the Nixpkgs manual. + </para> + </listitem> + <listitem> + <para> + The cc- and binutils-wrapper's "infix salt" and <literal>_BUILD_</literal> and <literal>_TARGET_</literal> user infixes have been replaced with with a "suffix salt" and suffixes and <literal>_FOR_BUILD</literal> and <literal>_FOR_TARGET</literal>. + This matches the autotools convention for env vars which standard for these things, making interfacing with other tools easier. + </para> + </listitem> + <listitem> <para> - The default output of <literal>buildGoPackage</literal> is now <literal>$out</literal> instead of <literal>$bin</literal>. + Additional Git documentation (HTML and text files) is now available via the <literal>git-doc</literal> package. </para> </listitem> <listitem> @@ -501,6 +576,72 @@ systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/www" ]; <link xlink:href="https://grafana.com/docs/grafana/latest/installation/upgrading/#upgrading-to-v7-0">in the Grafana documentation</link>. </para> </listitem> + <listitem> + <para> + The <literal>hardware.u2f</literal> module, which was installing udev rules + was removed, as udev gained native support to handle FIDO security tokens. + </para> + </listitem> + <listitem> + <para> + With this release <literal>systemd-networkd</literal> (when enabled through <xref linkend="opt-networking.useNetworkd"/>) + has it's netlink socket created through a <literal>systemd.socket</literal> unit. This gives us control over + socket buffer sizes and other parameters. For larger setups where networkd has to create a lot of (virtual) + devices the default buffer size (currently 128MB) is not enough. + </para> + <para> + On a machine with >100 virtual interfaces (e.g., wireguard tunnels, VLANs, …), that all have to + be brought up during system startup, the receive buffer size will spike for a brief period. + Eventually some of the message will be dropped since there is not enough (permitted) buffer + space available. + </para> + <para> + By having <literal>systemd-networkd</literal> start with a netlink socket created by + <literal>systemd</literal> we can configure the <literal>ReceiveBufferSize=</literal> parameter + in the socket options (i.e. <literal>systemd.sockets.systemd-networkd.socketOptions.ReceiveBufferSize</literal>) + without recompiling <literal>systemd-networkd</literal>. + </para> + <para> + Since the actual memory requirements depend on hardware, timing, exact + configurations etc. it isn't currently possible to infer a good default + from within the NixOS module system. Administrators are advised to + monitor the logs of <literal>systemd-networkd</literal> for <literal>rtnl: kernel receive buffer + overrun</literal> spam and increase the memory limit as they see fit. + </para> + <para> + Note: Increasing the <literal>ReceiveBufferSize=</literal> doesn't allocate any memory. It just increases + the upper bound on the kernel side. The memory allocation depends on the amount of messages that are + queued on the kernel side of the netlink socket. + </para> + </listitem> + <listitem> + <para> + Specifying <link linkend="opt-services.dovecot2.mailboxes">mailboxes</link> in the <package>dovecot2</package> module + as a list is deprecated and will break eval in 21.03. Instead, an attribute-set should be specified where the <literal>name</literal> + should be the key of the attribute. + </para> + <para> + This means that a configuration like this +<programlisting>{ + <link linkend="opt-services.dovecot2.mailboxes">services.dovecot2.mailboxes</link> = [ + { name = "Junk"; + auto = "create"; + } + ]; +}</programlisting> + should now look like this: +<programlisting>{ + <link linkend="opt-services.dovecot2.mailboxes">services.dovecot2.mailboxes</link> = { + Junk.auto = "create"; + }; +}</programlisting> + </para> + </listitem> + <listitem> + <para> + <package>netbeans</package> was upgraded to 12.0 and now defaults to OpenJDK 11. This might cause problems if your projects depend on packages that were removed in Java 11. + </para> + </listitem> </itemizedlist> </section> </section> |