Due to recent changes (likely a sqlite3 update) the sqlite3 meta-command
did suddenly succeed while sqlite3 is still unable to read the still
encrypted database. It just prints the following output and doesn't
seem to try to open/read the DB (which would fail):
```
main: /home/alice/.config/Signal/sql/db.sqlite r/w
```
We can simply fix this "regression" by instructing sqlite3 to list the tables
in the database (which fails because it cannot read the encrypted DB):
```
machine: must fail: su - alice -c 'sqlite3 ~/.config/Signal/sql/db.sqlite .tables'
machine # [ 47.036720] su[1178]: Successful su for alice by root
machine # [ 47.041049] su[1178]: pam_unix(su:session): session opened for user alice(uid=1000) by (uid=0)
machine # Error: file is not a database
machine # [ 47.116070] su[1178]: pam_unix(su:session): session closed for user alice
(finished: must fail: su - alice -c 'sqlite3 ~/.config/Signal/sql/db.sqlite .tables', in 0.12 seconds)
```
Fix#181463.
Within a dual VM test-setup a strange behaviour was observed.
The two VMs are connected via one vde_switch instance
(instancevirtualisation.vlans = [ 1 ]; IMO a bad attribute name for
switch instances, has nothing to do with VLANs in sense of 802.1Q).
A ping on the base interface (eth1) works, but not on VLAN
subinterfaces (vlan1@eth1). A tcpdump of eth1 includes the ARP requests
tagged with the subinterfaces VLAN ID, but responses seems not to pass
the vde_switch. This works fine if performed on the base interface.
Putting the vde_switch in hub mode results in flooding
traffic to all vde_switch ports. This results in a expected behaviour
and a ping on a VLAN subinterface works as expected.
Signed-off-by: Philippe Schaaf <philippe.schaaf@secunet.com>
airsonic_is_up should return a bool, but machine.succeed returns a
string causing testScriptWithTypes to fail. This is fixed by executing
the cmd with machine.execute and checking the status code.
We want Openldap clients to load /etc/ldap.conf at runtime, not
${pkgs.openldap}/etc/ldap.conf which is always a sample config.
Pass sysconfdir=/etc at compile time, so that /etc/krb5.conf is embedded
in the library as the path of its config file.
Pass sysconfdir=${out}/etc at install time, so that the sample configs
and schema files are correctly included in the build output.
This hack works because the Makefiles are not smart enough to notice
that the sysconfdir variable has changed across invocations -- because
nobody ever writes their Makefiles to be that smart. :-)
Fixes#181937.
Setting `cgroup-driver=systemd` was originally necessary to match with
docker, else the kubelet would not start (#111835)
However, since then, docker support has been dropped from k3s (#177790).
As such, this option is much less necessary.
More importantly, it now seems to be actively causing issues. Due to an
upstream k3s bug, it's resulting in the kubelet and containerd having
different cgroup drivers, which seems to result in some difficult to
debug failure modes.
See
https://github.com/NixOS/nixpkgs/issues/181790#issuecomment-1188840862
for a description of this problem.
Removing this flag entirely seems reasonable to me, and it results in
k3s working again on my machine.
The group configuration parameter allow to share access to yggdrasil
control socket with the users in the system. In the version we propose,
it is null by default so that only root can access the control socket,
but let user create their own group if they need.
Remove User= durective in systemd unit. Should a user with the specified
name already exist in the system, it would be used silently instead of a
dynamic user which could be a security concern.
Since version 0.4 Yggdrasil works again using systemd's DynamicUser option.
This patch reenables it to improve security.
We tested this with both persistent and non-persistent keys. Everything
seems to work fine.