2018-03-05 18:36:11 +00:00
<section xmlns= "http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude"
version="5.0"
xml:id="sec-release-18.09">
2018-05-02 00:57:09 +01:00
<title > Release 18.09 (“Jellyfish”, 2018/09/??)</title>
2018-03-05 18:36:11 +00:00
2018-05-02 00:57:09 +01:00
<section xmlns= "http://docbook.org/ns/docbook"
2018-03-05 18:36:11 +00:00
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude"
version="5.0"
xml:id="sec-release-18.09-highlights">
2018-05-02 00:57:09 +01:00
<title > Highlights</title>
2018-03-05 18:36:11 +00:00
2018-05-02 00:57:09 +01:00
<para >
In addition to numerous new and upgraded packages, this release has the
following highlights:
</para>
2018-03-05 18:36:11 +00:00
2018-05-02 00:57:09 +01:00
<itemizedlist >
2018-07-14 06:25:28 +01:00
<listitem >
<para >
Support for wrapping binaries using <literal > firejail</literal> has been
added through <varname > programs.firejail.wrappedBinaries</varname> .
</para>
<para >
For example
</para>
<programlisting >
programs.firejail = {
enable = true;
wrappedBinaries = {
firefox = "${lib.getBin pkgs.firefox}/bin/firefox";
mpv = "${lib.getBin pkgs.mpv}/bin/mpv";
};
};
</programlisting>
<para >
This will place <literal > firefox</literal> and <literal > mpv</literal> binaries in the global path wrapped by firejail.
</para>
</listitem>
2018-05-02 00:57:09 +01:00
<listitem >
2018-03-05 18:36:11 +00:00
<para >
2018-05-02 00:57:09 +01:00
User channels are now in the default <literal > NIX_PATH</literal> , allowing
users to use their personal <command > nix-channel</command> defined
channels in <command > nix-build</command> and <command > nix-shell</command>
commands, as well as in imports like <code > import
< mychannel> </code> .
2018-03-05 18:36:11 +00:00
</para>
<para >
2018-05-02 00:57:09 +01:00
For example
2018-03-05 18:36:11 +00:00
</para>
2018-05-02 00:57:09 +01:00
<programlisting >
2018-04-02 20:02:43 +01:00
$ nix-channel --add https://nixos.org/channels/nixpkgs-unstable nixpkgsunstable
$ nix-channel --update
$ nix-build '< nixpkgsunstable> ' -A gitFull
$ nix run -f '< nixpkgsunstable> ' gitFull
$ nix-instantiate -E '(import < nixpkgsunstable> {}).gitFull'
</programlisting>
2018-05-02 00:57:09 +01:00
</listitem>
</itemizedlist>
</section>
2018-03-05 18:36:11 +00:00
2018-05-02 00:57:09 +01:00
<section xmlns= "http://docbook.org/ns/docbook"
2018-03-05 18:36:11 +00:00
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude"
version="5.0"
xml:id="sec-release-18.09-new-services">
2018-05-02 00:57:09 +01:00
<title > New Services</title>
2018-03-05 18:36:11 +00:00
2018-05-02 00:57:09 +01:00
<para >
The following new services were added since the last release:
</para>
2018-03-05 18:36:11 +00:00
2018-05-02 00:57:09 +01:00
<itemizedlist >
2018-08-05 14:42:29 +01:00
<listitem >
<para >
There is a new <varname > services.foundationdb</varname> module for deploying
<link xlink:href= "https://www.foundationdb.org" > FoundationDB</link> clusters.
</para>
</listitem>
2018-05-02 00:57:09 +01:00
<listitem >
2018-06-01 02:03:51 +01:00
<para >
When enabled the <literal > iproute2</literal> will copy the files expected
by ip route (e.g., <filename > rt_tables</filename> ) in
<filename > /run/iproute2</filename> . This allows to write aliases for
routing tables for instance.
</para>
2018-05-02 00:57:09 +01:00
</listitem>
2018-08-03 15:06:02 +01:00
<listitem >
<para >
<varname > services.strongswan-swanctl</varname>
is a modern replacement for <varname > services.strongswan</varname> .
You can use either one of them to setup IPsec VPNs but not both at the same time.
</para>
<para >
<varname > services.strongswan-swanctl</varname> uses the
<link xlink:href= "https://wiki.strongswan.org/projects/strongswan/wiki/swanctl" > swanctl</link>
command which uses the modern
<link xlink:href= "https://github.com/strongswan/strongswan/blob/master/src/libcharon/plugins/vici/README.md" > vici</link>
<emphasis > Versatile IKE Configuration Interface</emphasis> .
The deprecated <literal > ipsec</literal> command used in <varname > services.strongswan</varname> is using the legacy
<link xlink:href= "https://github.com/strongswan/strongswan/blob/master/README_LEGACY.md" > stroke configuration interface</link> .
</para>
</listitem>
2018-05-02 00:57:09 +01:00
</itemizedlist>
</section>
2018-03-05 18:36:11 +00:00
2018-05-02 00:57:09 +01:00
<section xmlns= "http://docbook.org/ns/docbook"
2018-03-05 18:36:11 +00:00
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude"
version="5.0"
xml:id="sec-release-18.09-incompatibilities">
2018-05-02 00:57:09 +01:00
<title > Backward Incompatibilities</title>
2018-03-05 18:36:11 +00:00
2018-05-02 00:57:09 +01:00
<para >
When upgrading from a previous release, please be aware of the following
incompatible changes:
</para>
2018-03-05 18:36:11 +00:00
2018-05-02 00:57:09 +01:00
<itemizedlist >
<listitem >
2018-03-05 18:36:11 +00:00
<para >
2018-05-02 00:57:09 +01:00
<literal > lib.strict</literal> is removed. Use
<literal > builtins.seq</literal> instead.
2018-03-05 18:36:11 +00:00
</para>
2018-05-02 00:57:09 +01:00
</listitem>
<listitem >
2018-03-05 18:36:11 +00:00
<para >
2018-05-02 00:57:09 +01:00
The <literal > clementine</literal> package points now to the free
derivation. <literal > clementineFree</literal> is removed now and
<literal > clementineUnfree</literal> points to the package which is bundled
with the unfree <literal > libspotify</literal> package.
2018-03-05 18:36:11 +00:00
</para>
2018-05-02 00:57:09 +01:00
</listitem>
<listitem >
2018-04-30 00:30:42 +01:00
<para >
2018-05-02 00:57:09 +01:00
The <literal > netcat</literal> package is now taken directly from OpenBSD's
<literal > libressl</literal> , instead of relying on Debian's fork. The new
version should be very close to the old version, but there are some minor
differences. Importantly, flags like -b, -q, -C, and -Z are no longer
accepted by the nc command.
2018-04-30 00:30:42 +01:00
</para>
2018-05-02 00:57:09 +01:00
</listitem>
2018-05-02 12:12:57 +01:00
<listitem >
2018-03-26 12:54:01 +01:00
<para >
2018-06-01 02:03:51 +01:00
The <varname > services.docker-registry.extraConfig</varname> object doesn't
contain environment variables anymore. Instead it needs to provide an
object structure that can be mapped onto the YAML configuration defined in
<link xlink:href= "https://github.com/docker/distribution/blob/v2.6.2/docs/configuration.md" > the
<varname > docker/distribution</varname> docs</link> .
2018-03-26 12:54:01 +01:00
</para>
2018-05-02 12:12:57 +01:00
</listitem>
2018-05-09 18:21:38 +01:00
<listitem >
<para >
2018-06-01 02:03:51 +01:00
<literal > gnucash</literal> has changed from version 2.4 to 3.x. If you've
been using <literal > gnucash</literal> (version 2.4) instead of
<literal > gnucash26</literal> (version 2.6) you must open your Gnucash data
file(s) with <literal > gnucash26</literal> and then save them to upgrade
the file format. Then you may use your data file(s) with Gnucash 3.x. See
the upgrade
<link xlink:href= "https://wiki.gnucash.org/wiki/FAQ#Using_Different_Versions.2C_Up_And_Downgrade" > documentation</link> .
Gnucash 2.4 is still available under the attribute
<literal > gnucash24</literal> .
2018-05-09 18:21:38 +01:00
</para>
</listitem>
2018-06-08 23:50:28 +01:00
<listitem >
<para >
<varname > services.munge</varname> now runs as user (and group) <literal > munge</literal> instead of root.
Make sure the key file is accessible to the daemon.
</para>
</listitem>
2018-06-29 18:20:55 +01:00
<listitem >
<para >
<varname > dockerTools.buildImage</varname> now uses <literal > null</literal> as default value for <varname > tag</varname> ,
which indicates that the nix output hash will be used as tag.
</para>
</listitem>
2018-05-02 00:57:09 +01:00
</itemizedlist>
</section>
2018-03-05 18:36:11 +00:00
2018-05-02 00:57:09 +01:00
<section xmlns= "http://docbook.org/ns/docbook"
2018-03-05 18:36:11 +00:00
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude"
version="5.0"
xml:id="sec-release-18.09-notable-changes">
2018-05-02 00:57:09 +01:00
<title > Other Notable Changes</title>
2018-03-05 18:36:11 +00:00
2018-05-02 00:57:09 +01:00
<itemizedlist >
2018-04-09 13:52:41 +01:00
<listitem >
<para >
2018-06-01 02:03:51 +01:00
<literal > dockerTools.pullImage</literal> relies on image digest instead of
image tag to download the image. The <literal > sha256</literal> of a pulled
image has to be updated.
2018-04-09 13:52:41 +01:00
</para>
</listitem>
2018-05-02 00:57:09 +01:00
<listitem >
2018-03-05 18:36:11 +00:00
<para >
2018-05-02 00:57:09 +01:00
<literal > lib.attrNamesToStr</literal> has been deprecated. Use more
specific concatenation (<literal > lib.concat(Map)StringsSep</literal> )
instead.
2018-04-03 13:04:05 +01:00
</para>
2018-05-02 00:57:09 +01:00
</listitem>
<listitem >
2018-04-03 13:04:05 +01:00
<para >
2018-05-02 00:57:09 +01:00
<literal > lib.addErrorContextToAttrs</literal> has been deprecated. Use
<literal > builtins.addErrorContext</literal> directly.
2018-04-03 13:04:05 +01:00
</para>
2018-05-02 00:57:09 +01:00
</listitem>
<listitem >
2018-04-03 13:04:05 +01:00
<para >
2018-05-02 00:57:09 +01:00
<literal > lib.showVal</literal> has been deprecated. Use
<literal > lib.traceSeqN</literal> instead.
2018-04-03 13:04:05 +01:00
</para>
2018-05-02 00:57:09 +01:00
</listitem>
<listitem >
2018-04-03 13:04:05 +01:00
<para >
2018-05-02 00:57:09 +01:00
<literal > lib.traceXMLVal</literal> has been deprecated. Use
<literal > lib.traceValFn builtins.toXml</literal> instead.
2018-04-03 13:04:05 +01:00
</para>
2018-05-02 00:57:09 +01:00
</listitem>
<listitem >
2018-04-03 13:04:05 +01:00
<para >
2018-05-02 00:57:09 +01:00
<literal > lib.traceXMLValMarked</literal> has been deprecated. Use
<literal > lib.traceValFn (x: str + builtins.toXML x)</literal> instead.
2018-04-03 13:04:05 +01:00
</para>
2018-05-02 00:57:09 +01:00
</listitem>
<listitem >
2018-03-05 18:36:11 +00:00
<para >
2017-12-07 19:30:45 +00:00
The <literal > pkgs</literal> argument to NixOS modules can now be set directly using <literal > nixpkgs.pkgs</literal> . Previously, only the <literal > system</literal> , <literal > config</literal> and <literal > overlays</literal> arguments could be used to influence <literal > pkgs</literal> .
</para>
2018-06-10 16:10:11 +01:00
</listitem>
<listitem >
2017-12-07 19:30:45 +00:00
<para >
A NixOS system can now be constructed more easily based on a preexisting invocation of Nixpkgs. For example:
<programlisting >
inherit (pkgs.nixos {
boot.loader.grub.enable = false;
fileSystems."/".device = "/dev/xvda1";
}) toplevel kernel initialRamdisk manual;
</programlisting>
This benefits evaluation performance, lets you write Nixpkgs packages that depend on NixOS images and is consistent with a deployment architecture that would be centered around Nixpkgs overlays.
2018-03-05 18:36:11 +00:00
</para>
2018-06-10 16:10:11 +01:00
</listitem>
<listitem >
<para >
<literal > lib.traceValIfNot</literal> has been deprecated. Use
<literal > if/then/else</literal> and <literal > lib.traceValSeq</literal> instead.
2018-04-03 13:04:05 +01:00
</para>
2018-05-02 00:57:09 +01:00
</listitem>
<listitem >
2018-04-03 13:04:05 +01:00
<para >
2018-05-02 00:57:09 +01:00
<literal > lib.traceCallXml</literal> has been deprecated. Please complain
if you use the function regularly.
2018-03-05 18:36:11 +00:00
</para>
2018-04-26 09:31:05 +01:00
<para >
2018-05-02 00:57:09 +01:00
The attribute <literal > lib.nixpkgsVersion</literal> has been deprecated in
favor of <literal > lib.version</literal> . Please refer to the discussion in
<link xlink:href= "https://github.com/NixOS/nixpkgs/pull/39416#discussion_r183845745" > NixOS/nixpkgs#39416</link>
for further reference.
2018-04-26 09:31:05 +01:00
</para>
2018-05-02 00:57:09 +01:00
</listitem>
2018-05-08 01:09:46 +01:00
<listitem >
<para >
The module for <option > security.dhparams</option> has two new options now:
2018-03-05 18:36:11 +00:00
</para>
2018-05-07 04:02:41 +01:00
<variablelist >
2018-05-08 01:09:46 +01:00
<varlistentry >
2018-06-01 02:03:51 +01:00
<term >
<option > security.dhparams.stateless</option>
</term>
<listitem >
<para >
Puts the generated Diffie-Hellman parameters into the Nix store instead
of managing them in a stateful manner in
<filename class= "directory" > /var/lib/dhparams</filename> .
</para>
</listitem>
2018-05-08 01:09:46 +01:00
</varlistentry>
<varlistentry >
2018-06-01 02:03:51 +01:00
<term >
<option > security.dhparams.defaultBitSize</option>
</term>
<listitem >
<para >
The default bit size to use for the generated Diffie-Hellman
parameters.
</para>
</listitem>
2018-05-08 01:09:46 +01:00
</varlistentry>
2018-05-07 04:02:41 +01:00
</variablelist>
2018-06-01 02:03:51 +01:00
<note >
<para >
The path to the actual generated parameter files should now be queried
using
<literal > config.security.dhparams.params.<replaceable > name</replaceable> .path</literal>
because it might be either in the Nix store or in a directory configured
by <option > security.dhparams.path</option> .
</para>
</note>
2018-05-07 04:02:41 +01:00
<note >
2018-05-08 01:09:46 +01:00
<title > For developers:</title>
<para >
Module implementers should not set a specific bit size in order to let
users configure it by themselves if they want to have a different bit
size than the default (2048).
</para>
<para >
An example usage of this would be:
2018-05-07 04:02:41 +01:00
<programlisting >
{ config, ... }:
2018-03-05 18:36:11 +00:00
2018-05-07 04:02:41 +01:00
{
security.dhparams.params.myservice = {};
environment.etc."myservice.conf".text = ''
dhparams = ${config.security.dhparams.params.myservice.path}
'';
}
</programlisting>
2018-05-08 01:09:46 +01:00
</para>
2018-05-07 04:02:41 +01:00
</note>
2018-05-08 01:09:46 +01:00
</listitem>
2018-05-03 13:05:43 +01:00
<listitem >
<para >
2018-06-01 02:03:51 +01:00
<literal > networking.networkmanager.useDnsmasq</literal> has been
deprecated. Use <literal > networking.networkmanager.dns</literal> instead.
2018-05-03 13:05:43 +01:00
</para>
</listitem>
2018-05-26 10:19:12 +01:00
<listitem >
<para >
2018-06-01 02:03:51 +01:00
The option
<varname > services.kubernetes.apiserver.admissionControl</varname> was
renamed to
<varname > services.kubernetes.apiserver.enableAdmissionPlugins</varname> .
2018-05-26 10:19:12 +01:00
</para>
</listitem>
<listitem >
<para >
2018-06-08 09:16:43 +01:00
Recommended way to access the Kubernetes Dashboard is via HTTPS (TLS)
2018-06-01 02:03:51 +01:00
Therefore; public service port for the dashboard has changed to 443
(container port 8443) and scheme to https.
2018-05-26 10:19:12 +01:00
</para>
</listitem>
2018-06-08 09:16:43 +01:00
<listitem >
<para >
The option <varname > services.kubernetes.apiserver.address</varname>
was renamed to <varname > services.kubernetes.apiserver.bindAddress</varname> .
Note that the default value has changed from 127.0.0.1 to 0.0.0.0.
</para>
</listitem>
<listitem >
<para >
The option <varname > services.kubernetes.apiserver.publicAddress</varname>
was not used and thus has been removed.
</para>
</listitem>
2018-06-18 12:05:01 +01:00
<listitem >
<para >
The option <varname > services.kubernetes.addons.dashboard.enableRBAC</varname>
was renamed to <varname > services.kubernetes.addons.dashboard.rbac.enable</varname> .
</para>
</listitem>
<listitem >
<para >
The Kubernetes Dashboard now has only minimal RBAC permissions by default.
If dashboard cluster-admin rights are desired,
set <varname > services.kubernetes.addons.dashboard.rbac.clusterAdmin</varname> to true.
On existing clusters, in order for the revocation of privileges to take effect,
the current ClusterRoleBinding for kubernetes-dashboard must be manually removed:
<literal > kubectl delete clusterrolebinding kubernetes-dashboard</literal>
</para>
</listitem>
2018-06-23 02:31:54 +01:00
<listitem >
<para >
The <varname > programs.screen</varname> module provides allows to configure
<literal > /etc/screenrc</literal> , however the module behaved fairly counterintuitive as
the config exists, but the package wasn't available. Since 18.09 <literal > pkgs.screen</literal>
will be added to <literal > environment.systemPackages</literal> .
</para>
</listitem>
2018-06-28 06:35:50 +01:00
<listitem >
<para >
The module <option > services.networking.hostapd</option> now uses WPA2 by default.
</para>
</listitem>
2018-07-22 16:03:19 +01:00
<listitem >
<para >
<varname > s6Dns</varname> , <varname > s6Networking</varname> ,
<varname > s6LinuxUtils</varname> and <varname > s6PortableUtils</varname>
renamed to
<varname > s6-dns</varname> , <varname > s6-networking</varname> ,
<varname > s6-linux-utils</varname> and <varname > s6-portable-utils</varname> respectively.
</para>
2018-07-29 10:01:55 +01:00
</listitem>
<listitem >
2018-08-01 19:21:28 +01:00
<para >
The module option <option > nix.useSandbox</option> is now defaulted to <literal > true</literal> .
</para>
</listitem>
2018-05-02 00:57:09 +01:00
</itemizedlist>
</section>
2018-03-05 18:36:11 +00:00
</section>