This option requests compatibility with older NixOS releases with
respect to stateful data, in cases where new releases have defaults
that might be incompatible with system state of existing NixOS
deployments. For instance, if we change the default version of
PostgreSQL, existing deployments will break if the new version can't
read databases created by the old version.
So for example, setting
system.stateVersion = "15.07";
requests that options like services.postgresql.package use defaults
corresponding to the 15.07 release branch. Note that
nixos-generate-config emits this option. (In the future, NixOps may
set system.stateVersion to the NixOS release in use when the machine
was created.)
See also #7939 for another motivating example.
The resulting image can be copied to a SD card with `dd` and is directly
bootable by a suitably configured U-Boot. Though depending on the board, some
extra steps are required for copying U-Boot itself to the SD card.
Inside the image is a partition table, with a FAT32 /boot and a normal
writable EXT4 rootfs. It's possible to directly reuse the SD image's
partition layout and "install" NixOS on the same SD card by replacing
the default configuration.nix and nixos-rebuild, and actually is the
preferred way to use these images. To assist in this installation
method, the boot scripts on the image automatically resize the rootfs
partition to fit the SD card on the first boot.
The SD images come in two flavors; one for the ARMv6 Raspberry Pi,
and one multiplatform image for all the boards supported by the
mainline kernel's multi_v7_defconfig config target. At the moment, these
have been tested on:
- Raspberry Pi Model B (512MB model)
- NVIDIA Jetson TK1
- Linksprite pcDuino3 Nano
To build, run:
nix-build '<nixpkgs/nixos>' -A config.system.build.sdImage \
-I nixos-config='<nixpkgs/nixos/modules/installer/cd-dvd/sd-image-armv7l-multiplatform.nix>'
When using extlinux-conf-builder in a nix build using chroots, the
following error message could be seen:
/nix/store/XXX-extlinux-conf-builder.sh: line 121: cd: /nix/var/nix/profiles: No such file or directory
To avoid this, just skip the code path parsing /nix/var/nix/profiles
when $numGenerations (passed from the command line) is 0 (which is the
only legal value of $numGenerations in a nix build context).
The rationale for disabling this is: 1) systemd timers are better; 2)
it gets rid of one usually unnecessary process, which makes containers
more light-weight.
Note that cron is still enabled if services.cron.systemCronJobs is
non-empty, so this only matters if you have no declarative cron jobs
but do have user cron jobs.
Without a menu title, U-Boot's distro scripts just autoboot the first
entry by default.
When I initially wrote this, my board wasn't apparently running stock
U-Boot but had some local hacks saved in the U-Boot's environment
which made it always display the prompt.
When calling addEntry inside a subshell, the filesCopied array would
be updated only in the subshell's environment. This would only cause an
issue if no -g flag was passed to the script, causing no kernels
to be copied.
This fixes a failing assert in systemd-timesyncd (issue #5913) as it
expects the directory /run/systemd/netif/links/ to exist, and nothing in
NixOS currently creates it.
Also we get a net reduction in our code as rules for /run/utmp and
/var/log/journal are also provided by the same upstream file.
(cherry picked from commit a278a9224a)
This shuts up this error from dbus:
May 11 13:52:16 machine dbus-daemon[259]: Unknown username "systemd-network" in message bus configuration file
May 11 13:52:16 machine dbus-daemon[259]: Unknown username "systemd-resolve" in message bus configuration file
which happens because the D-Bus config for networkd/resolved is
enabled unconditionally, and we don't have an easy way to turn it off.
(cherry picked from commit f19b58fb6a)
Enables attaching AppArmor profiles at the user/group level.
This is not intended to be used directly, but as part of a
role-based access control scheme. For now, profile attachment
is 'session optional', but should be changed to 'required' once
a more comprehensive solution is in place.
Xen required a few changes in order to be usable:
* Include xenfs module in initrd as loading it in the activation
script was failing.
* Include /etc/default/xendomains, which is needed by
xen-domains service.
* Create /var/log/xen and /var/lib/xen directories in
the xen-store service, which are needed by the xl command.
The directories could be created by any other script as long as
they are guaranteed to exist before xl is called.
* Fix a reference to /bin/ls in the xendomains script.
Currently there are no tests that depend on the JDK. Since we don't
want a release with a broken JDK, make it an explicit dependency of
the "tested" jobs.
The systemd service was ignoring ExecStart because the path to the
paster executable was not absolute. Because ExecStart was ignored, the
service would not start.
In general, you don't want a .tar.gz file to be served with
"Content-Encoding: x-gzip", because this causes browsers (like Chrome
or "curl --compressed") to decompress the file on the fly. So you end
up with a .tar rather than .tar.gz file, which is unexpected.
If people want such encodings, they should set them in their own NixOS
configuration.
Some filesystems like fat32 don't support symlinking and need to be
supported on /boot as an efi system partition. Instead of creating the symlink directly in boot, create the symlink in
a temporary directory which has to support symlinking.
It seems that with the latest update to `udisks2`, the ExecStart path
for the daemon changed from `/lib/udisks2` to `/libexec/udisks2`. This
commit reflects that change for our purposes.
Changes:
- gettext is needed to build
- Switched to using non-legacy ffmpeg.
- Removed ffmpeg stuff from include path since it causes build errors related to
a time.h header.
- Removed unneeded patch.
- Adjusted NixOS service due to the binary being renamed.
We no longer need have "SUID sandbox" enabled in the chrome://sandbox
status page and we now also check for "You are adequately sandboxed." to
be absolutely sure that we're running with proper sandboxing.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Authentication methods are tried in order, so if another NixOS module
defines a specific ident mapping like
local hydra all ident map=hydra-users
it should appear before the generic
local all all ident
It comes in handy to alter the menu label if you're not building a NixOS
installer image but for example if you want to build a live system and
still want to re-use the iso-image.nix module.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
These are just trusted-users and allowed-users in nix.conf. It's
useful to have options for them so that different modules can specify
trusted/allowed users.
This reverts commit 88f4b75a00 and fixes the
recipientDelimiter config option. Till then the camel case variant was used
while recipient_delimiter would have been right.
This is needed by most window managers. Desktop environments
usually launch dbus-launch if a session hasn't been started yet
so this shouldn't hurt. The worst it can happen is that one
dbus session will be unused in case it's started twice.
The GDM change is backported from recent gdm.
With this patch, systemd-inhibit outputs a descriptive message when
desktopManagerHandlesLidAndPower=true (the default).
Before the patch:
$ systemd-inhibit
Who: /nix/store/[...]-xsession [...] (UID 1000/cassou, PID 18561/systemd-inhibit)
What: handle-power-key:handle-lid-switch
Why: Unknown reason
Mode: block
After the patch:
$ systemd-inhibit
Who: /nix/store/[...]-xsession [...] (UID 1000/cassou, PID 18561/systemd-inhibit)
What: handle-power-key:handle-lid-switch
Why: See NixOS configuration option 'services.xserver.displayManager.desktopManagerHandlesLidAndPower' for more information.
Mode: block
This solves the problem that modprobe does not know about $MODULE_DIR
when run via sudo, and instead wrongly tries to read /lib/modules/:
$ sudo strace -efile modprobe foo |& grep modules
open("/lib/modules/3.14.37/modules.softdep", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/lib/modules/3.14.37/modules.dep.bin", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/lib/modules/3.14.37/modules.dep.bin", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/lib/modules/3.14.37/modules.alias.bin", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
Without this patch, one would have to use sudo -E (preserves environment
vars). But that option is reserved for sudo users with extra rights
(SETENV), so it's not a solution.
environment.sessionVariables are set by PAM, so they are included in the
environment used by sudo.
The socket definition is derived from upstream with the
exception that it does not depend on network.target, as
this creates a cycle between basic.target and sockets.target.
The apparmor profile has been updated to account for additional
runtime dependencies introduced by enabling systemd support.
We already have separate tests for checking whether the ISO boots
correctly, so it's not necessary to do that here. So now
tests/installer.nix just tests nixos-install, from a regular NixOS VM
that uses the host's Nix store. This makes running the tests more
convenient because we don't have to build a new ISO after every
change.
install-cd: Include nixos-artwork to fix installer tests
With the move from storing grub images in the nixpkgs repo to storing them in the nix store, we broke the installer tests as the iso does not contain the artwork needed for the grub splash. This commit fixes the inclusion of the artwork in the iso.
Should fix at least nixos.tests.installer.simple.x86_64-linux
http://hydra.nixos.org/build/23001712:
machine# error: cannot download Encode-Locale-1.03.tar.gz from any mirror
machine# builder for ‘/nix/store/y8gbx2d2fdcvvjy1z53xksfgq66ydlx0-Encode-Locale-1.03.tar.gz.drv’ failed with exit code 1
machine# cannot build derivation ‘/nix/store/y1knci7rix3asnh2b4kfv8jhl2j99xih-perl-Encode-Locale-1.03.drv’: 1 dependencies couldn't be built
machine# cannot build derivation ‘/nix/store/7xspjwh48kg16drv1jjg5cffaqbxbp8p-perl-libwww-perl-6.05.drv’: 1 dependencies couldn't be built
machine# cannot build derivation ‘/nix/store/8qsmz3bbk1jwhh50c3i9700bkmn8ns5c-nss-cacert-3.19.1.drv’: 1 dependencies couldn't be built
machine# cannot build derivation ‘/nix/store/0rgf2l3mdszs4a989ympwc9gk2k8wq6z-nixos-artwork-e71b684.drv’: 1 dependencies couldn't be built
...
This solves the problem of e.g. mutt not finding mail unless the user
sets MAIL=/var/spool/mail/$USER.
The default MAIL variable seems come from bash. Reasons for adding
symlink instead of changing MAIL default in bash:
- No need to rebuild world
- FHS recommends /var/mail over /var/spool/mail anyway[1]. Better fix
NixOS mail location than change MAIL in bash to something that doesn't
work on non-NixOS (however unlikely that users run nixpkgs bash on a
non-NixOS distro...).
[1] http://www.pathname.com/fhs/pub/fhs-2.3.html#VARMAILUSERMAILBOXFILES
Commit 159fed47bc (nixos/grub: Fix video display on efi) changed BIOS
systems to start in non-text mode as well. Enable FB_VESA to get a
framebuffer console on BIOS systems. Change FRAMEBUFFER_CONSOLE to 'y'
instead of the default 'm' to so the user doesn't need to manually load
the fbcon module anymore.
Other distros have similar defaults, at least on Arch:
CONFIG_FB_VESA=y
CONFIG_FRAMEBUFFER_CONSOLE=y
and on Ubuntu (12.04):
CONFIG_FB_VESA=m
CONFIG_FRAMEBUFFER_CONSOLE=y
Fixes#8139
Better replace the double quotes in 'echo "${commands}"' with single
quotes, to prevent the shell from doing command substitution etc. at
configuration build time.
The issue was that grub was not building the default entry which would
leave systems unbootable. This can now be safely reverted as the default
entry is being built once again.
This reverts commit fd1fb0403c.
Currently the module hardcodes the systemd service user to "marathon".
With this change one would not need to create an extra systemd config to
override the user.
So why would one need to override the Marathon user? Some apps require
root access to run. You can't run those with Marathon unless you
override the default user to root. Marathon also provides a
`--mesos_user` command line flag which allows you to run apps using
arbitrary users. You need to run the framework as root to enable this
functionality.
JVMs exit with exit code 128+signal when receiving a (terminating)
signal. This means graceful termination of a JVM will result in 143, so
add that to `SuccessExitStatus` in systemd service unit.
- Usage of docker containerizer is currently hardcoded, this PR makes it
optional. Default is to enable it if docker is enabled.
- Make IP address to listen on part of service configuration.
Serves as a regression test for #7902.
It's not yet referenced in release(-combined)?.nix because it will fail
until the issue is resolved. Tested successfully against libgcrypt with
libcap passed as null however.
As for the test itself, I'm not quite sure whether checking for the time
displayed by IceWM is a good idea, but we can still fix that if it turns
out to be a problem.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>