| Commit message (Collapse) | Author | Age |
This partially reverts commit ab9537ca22ce3fd4efc1795c58105504022d0c48.

From the manpage of systemd-nspawn(1):

    Note that systemd-nspawn will mount file systems private to the
    container to /dev, /run and similar.

Testing this in a shell turns out:

    $ sudo systemd-nspawn --bind-ro=/nix/store "$(readlink "$(which ls)")" /proc
    Spawning container aszlig on /home/aszlig.
    Press ^] three times within 1s to kill container.
    /etc/localtime does not point into /usr/share/zoneinfo/, not updating
    container timezone.
    1 execdomains kpageflags stat
    acpi fb loadavg swaps
    asound filesystems locks sys
    buddyinfo fs meminfo sysrq-trigger
    bus interrupts misc sysvipc
    cgroups iomem modules thread-self
    cmdline ioports mounts timer_list
    config.gz irq mtrr timer_stats
    consoles kallsyms net tty
    cpuinfo kcore pagetypeinfo uptime
    crypto key-users partitions version
    devices keys scsi vmallocinfo
    diskstats kmsg self vmstat
    dma kpagecgroup slabinfo zoneinfo
    driver kpagecount softirqs
    Container aszlig exited successfully.

So the test on whether PID 1 exists in /proc is enough, because if we
use PID namespaces there actually _is_ a PID 1 (as shown above) and the
special file systems are already mounted. A test on the $containers
variable actually mounts them twice.

This unbreaks NixOS containers and I've tested this against the
containers-imperative NixOS test.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @rickynils, @shlevy, @edolstra
|
Follow-up to the following commits:

    abdc5961c3cdf9f5893ea1e91ba08ff5089f53a4: Fix starting the firewall
    e090701e2d09aec3e8866ab9a8e53c37973ffeb4: Order before sysinit

Solely use sysinit.target here instead of multi-user.target because we
want to make sure that the iptables rules are applied *before* any
socket units are started.

The reason I've dropped the wantedBy on multi-user.target is that
sysinit.target is already a part of the dependency chain of
multi-user.target.

To make sure that this holds true, I've added a small test case to
ensure that during switch of the configuration the firewall.service is
considered as well.

Tested using the firewall NixOS test.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @edolstra
|
Suggested by @aszlig.
|
Probably as a result of 992c514a20cf2da897db68169d7dcab721e8c7b7, it
was not being started anymore.
My understanding of systemd.special(7) (section "Special passive
system units") is that the firewall should want network-pre.target,
rather than the other way around (not very intuitive...). This in
itself does not cause the firewall to be wanted, which is why the
wanted-by relationship with multi-user.target is necessary.
http://hydra.nixos.org/build/39965589
|
http://hydra.nixos.org/build/40038016
|
These domains are not actually default but examples. See
https://github.com/lathiat/avahi/blob/master/avahi-daemon/avahi-daemon.conf#L24
for default config.
|
https://github.com/rickynils/nixpkgs
|
This way, stage-2 behaves correctly also for libvirt-lxc containers.
Some more discussion on this:
https://github.com/NixOS/nixpkgs/commit/a7a08188bf650ababa36300a9a6f34169e2a73bf
https://github.com/NixOS/nixpkgs/commit/bfe46a653ba2f8ff9902128f485cbd87c49cbca7
|
Make /var/empty immutable (with chattr +i)
|
Fixes #14910 and #18358
Deployed to an existing server, restarted sshd and polkit to verify
they don't fail.
|
fixes #17702.
|
Closes #18377.
|
security.acme: require networking for client, remove loop without fallbackHost
|
Actually this can be improved since the client only needs network
connectivity if it needs to renew the certificate.
|
input-methods modules: fix engine description
|
Fixes #14701.
|
explicit path in nixos-install""
This partially reverts commit 0aa75206705afc71b991cceeede644c87088d583.
Fine for rsync to be in system path but we still need the explicit path
in nixos-install in case it is invoked from non-NixOS systems and also
to fix OVA test failure
See also https://github.com/NixOS/nixpkgs/commit/0aa75206705afc71b991cceeede644c87088d583
cc @edolstra
|
various: minor cleanup
|
Added in systemd/systemd@68ac53e
|
this is already upstream default
|
this is part of (network,remote-fs).target, respectively
|
We were pulling in 44 MiB of fonts in the default configuration, which
is a bit excessive for headless configurations like EC2
instances. Note that dejavu_minimal ensures that remote X11-forwarded
applications still have a basic font regardless.
|
It appears that packageOverrides no longer overrides aliases, so
aliases like
dbus_tools = self.dbus.out;
dbus_daemon = self.dbus.daemon;
now use the old, non-overridden version of dbus. That seems like a
pretty serious regression in general, but for this particular problem,
I've fixed it by replacing dbus_daemon by dbus.daemon and dbus_tools
by dbus.
|
nixos-install"
This reverts commit 582313bafef4c81cb6df2dcf2ece4757eb5c8082.
Removing rsync is actually pointless because nixos-install depends on
it. So if it's part of the system closure, we may as well provide it
to users.
Probably with the next Nix release we can drop the use of rsync and
use "nix copy" instead.
|
Update etcd, improve nixos module, fix nixos tests
|
fixes #13224
|
The new setuid-wrappers in /run cannot be executed by users due to:
1) the temporary directory does not allow access
2) the /run is mounted nosuid
|
Got lost in a6670c1a0b8cda8235296900cff950f39f60cf4f
|
quagga service: init
|
This one was already merged into release-16.09, so let's not have the
stable branch be ahead of master and confuse things. In addition to
that, currently we have an odd situation that master has less things
actually finished building than in staging.
Conflicts:
pkgs/data/documentation/man-pages/default.nix
|
It's "developer documentation", not "documentation developer" after
all.
|