3
0
Fork 0
forked from mirrors/nixpkgs
nixpkgs/nixos/doc/manual/release-notes/rl-1609.xml
Domen Kožar a6670c1a0b Fixes #18124: atomically replace /var/setuid-wrappers/ (#18186)
Before this commit updating /var/setuid-wrappers/ folder introduced
a small window where NixOS activation scripts could be terminated
and resulted into empty /var/setuid-wrappers/ folder.

That's very unfortunate because one might lose sudo binary.

Instead we use two atomic operations mv and ln (as described in
https://axialcorps.com/2013/07/03/atomically-replacing-files-and-directories/)
to achieve atomicity.

Since /var/setuid-wrappers is not a directory anymore, tmpfs mountpoints
were removed in installation scripts and in boot process.

Tested:

- upgrade /var/setuid-wrappers/ from folder to a symlink
- make sure /run/setuid-wrappers-dirs/ legacy symlink is really deleted
2016-09-01 20:57:51 +02:00

112 lines
4.2 KiB
XML

<section xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude"
version="5.0"
xml:id="sec-release-16.09">
<title>Release 16.09 (“Flounder”, 2016/09/??)</title>
<para>In addition to numerous new and upgraded packages, this release
has the following highlights: </para>
<itemizedlist>
<listitem>
<para>PXE "netboot" media has landed in <link xlink:href="https://github.com/NixOS/nixpkgs/pull/14740" />.
See <xref linkend="sec-booting-from-pxe" /> for documentation.</para>
</listitem>
<listitem>
<para>Xorg-server-1.18.*. If you choose <literal>"ati_unfree"</literal> driver,
1.17.* is still used due to ABI incompatibility.</para>
</listitem>
</itemizedlist>
<para>The following new services were added since the last release:</para>
<itemizedlist>
<listitem><para><literal>(this will get automatically generated at release time)</literal></para></listitem>
</itemizedlist>
<para>When upgrading from a previous release, please be aware of the
following incompatible changes:</para>
<itemizedlist>
<listitem>
<para>A large number of packages have been converted to use the multiple outputs feature
of Nix to greatly reduce the amount of required disk space. This may require changes
to any custom packages to make them build again; see the relevant chapter in the
Nixpkgs manual for more information. (Additional caveat to packagers: some packaging conventions
related to multiple-output packages
<link xlink:href="https://github.com/NixOS/nixpkgs/pull/14766">were changed</link>
late (August 2016) in the release cycle and differ from the initial introduction of multiple outputs.)
</para>
</listitem>
<listitem>
<para>Shell aliases for systemd sub-commands
<link xlink:href="https://github.com/NixOS/nixpkgs/pull/15598">were dropped</link>:
<command>start</command>, <command>stop</command>,
<command>restart</command>, <command>status</command>.</para>
</listitem>
<listitem>
<para>Redis now binds to 127.0.0.1 only instead of listening to all network interfaces. This is the default
behavior of Redis 3.2</para>
</listitem>
<listitem>
<para>/var/setuid-wrappers/
<link xlink:href="https://github.com/NixOS/nixpkgs/pull/18124">is now a symlink so
it can be atomically updated</link>
and it's not mounted as tmpfs anymore since setuid binaries are located on /run/ as tmpfs.
</para>
</listitem>
<listitem>
<para>Gitlab's maintainence script gitlab-runner was removed and split up into the more clearer
gitlab-run and gitlab-rake scripts because gitlab-runner is a component of Gitlab CI.</para>
</listitem>
<listitem>
<para><literal>services.xserver.libinput.accelProfile</literal> default
changed from <literal>flat</literal> to <literal>adaptive</literal>,
as per <link xlink:href="https://wayland.freedesktop.org/libinput/doc/latest/group__config.html#gad63796972347f318b180e322e35cee79">
official documentation</link>.</para>
</listitem>
<listitem>
<para><literal>fonts.fontconfig.ultimate.rendering</literal> was removed
because our presets were obsolete for some time. New presets are hardcoded
into freetype; one selects a preset via <literal>fonts.fontconfig.ultimate.preset</literal>.
You can customize those presets via ordinary environment variables, using
<literal>environment.variables</literal>.</para>
</listitem>
<listitem>
<para>The <literal>audit</literal> service is no longer enabled by default.
Use <literal>security.audit.enable = true;</literal> to explicitly enable it.</para>
</listitem>
</itemizedlist>
<para>Other notable improvements:</para>
<itemizedlist>
<listitem><para>Revamped grsecurity/PaX support. There is now only a single
general-purpose distribution kernel and the configuration interface has been
streamlined. Desktop users should be able to simply set
<programlisting>security.grsecurity.enable = true</programlisting> to get
a reasonably secure system without having to sacrifice too much
functionality. See <xref linkend="sec-grsecurity" /> for documentation
</para></listitem>
</itemizedlist>
</section>