This fixes two bugs:
* When socket activation is detected, the service itself is added to stop-start list instead of its sockets.
* When service is marked to restart instead of stop (`StopIfChanged = no`) we don't need to restart sockets.
This ensures that most "trivial" derivations used to build NixOS
configurations no longer depend on GCC. For commands that do invoke
gcc, there is runCommandCC.
This is a standard environment that doesn't contain a C/C++
compiler. This is mostly to prevent trivial builders like runCommand
and substituteAll from pulling in gcc for simple configuration changes
on NixOS.
Using "tmpfs" as a script part for system.activationScripts is a bit
misleading since 6efcfe03ae.
We no longer solely mount tmpfs within this script, so using "specialfs"
fits more nicely in terms of naming.
Tested against the "simple" NixOS installer test.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Regression introduced by 79d4636d50.
The mentioned commit moves /run/keys from stage 2 to
boot.specialFileSystems, the latter being remounted during system
activation.
Unfortunately, the specialMount function in the activation script does
this unconditionally and thus will fail if it can't be remounted because
the mount point simply doesn't exist.
We now check the mount point for existance and only remount if it exists
but mkdir + mount it if it doesn't.
Tested against the "simple" NixOS installer test.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
When Grub is to be used with UEFI, it is not going to write to any MBR
of any disk. As such, it is safe to use multiple "nodev" device entries
when mirroring the ESP partition to multiple disks.
E.g.:
```
boot.loader.grub = {
enable = true;
version = 2;
zfsSupport = true;
efiSupport = true;
mirroredBoots = [
{ devices = [ "nodev" ]; path = "/boot1"; efiSysMountPoint = "/boot1"; }
{ devices = [ "nodev" ]; path = "/boot2"; efiSysMountPoint = "/boot2"; }
{ devices = [ "nodev" ]; path = "/boot3"; efiSysMountPoint = "/boot3"; }
];
};
boot.loader.efi.canTouchEfiVariables = true;
```
Fixes #18584
All swap device option sets "have" a label, it's just that sometimes it's
undefined. Because we set a `device` attribute when we have a label anyway it's
ok to just check device prefix.
Fixes #18891.
See #18319 for details. Starting network-online.target manually does not
work as it hangs indefinitely.
Additionally, don't treat avahi and dhcpcd special and sync their systemd units
with the respective upstream suggestion.
Systemd upstream provides targets for networking. This also includes a target network-online.target.
In this PR I remove / replace most occurrences since some of them were even wrong and could delay startup.
This partially reverts commit ab9537ca22.
From the manpage of systemd-nspawn(1):
Note that systemd-nspawn will mount file systems private to the
container to /dev, /run and similar.
Testing this in a shell turns out:
$ sudo systemd-nspawn --bind-ro=/nix/store "$(readlink "$(which ls)")" /proc
Spawning container aszlig on /home/aszlig.
Press ^] three times within 1s to kill container.
/etc/localtime does not point into /usr/share/zoneinfo/, not updating
container timezone.
1 execdomains kpageflags stat
acpi fb loadavg swaps
asound filesystems locks sys
buddyinfo fs meminfo sysrq-trigger
bus interrupts misc sysvipc
cgroups iomem modules thread-self
cmdline ioports mounts timer_list
config.gz irq mtrr timer_stats
consoles kallsyms net tty
cpuinfo kcore pagetypeinfo uptime
crypto key-users partitions version
devices keys scsi vmallocinfo
diskstats kmsg self vmstat
dma kpagecgroup slabinfo zoneinfo
driver kpagecount softirqs
Container aszlig exited successfully.
So the test on whether PID 1 exists in /proc is enough, because if we
use PID namespaces there actually _is_ a PID 1 (as shown above) and the
special file systems are already mounted. A test on the $containers
variable actually mounts them twice.
This unbreaks NixOS containers and I've tested this against the
containers-imperative NixOS test.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @rickynils, @shlevy, @edolstra
Before this commit updating /var/setuid-wrappers/ folder introduced
a small window where NixOS activation scripts could be terminated
and resulted into empty /var/setuid-wrappers/ folder.
That's very unfortunate because one might lose sudo binary.
Instead we use two atomic operations mv and ln (as described in
https://axialcorps.com/2013/07/03/atomically-replacing-files-and-directories/)
to achieve atomicity.
Since /var/setuid-wrappers is not a directory anymore, tmpfs mountpoints
were removed in installation scripts and in boot process.
Tested:
- upgrade /var/setuid-wrappers/ from folder to a symlink
- make sure /run/setuid-wrappers-dirs/ legacy symlink is really deleted
Both btrfs-progs and utillinux are ~5MB, we may discuss in future
to handle this better but I see no better way at the moment than
increaing purity in the install process.
OnCalendar entrys can be specified multiple times in a systemd timer, to
make more complex scheduling possible.
Tested by manually checking the timer generated by the following:
systemd = {
services.huhu = {
description = "meh";
wantedBy = [ "default.target" ];
serviceConfig.ExecStart = "/bin/sh -c 'printf HUHU!'";
startAt = [ "*:*:0/30" "*:0/1:15" ];
};
};
It prints HUHU to the log at seconds 0, 15 and 30 of each minute.
A new internal config option `fileSystems.<name>.early` is added to indicate
that the filesystem needs to be loaded very early (i.e. in initrd). They are
transformed to a shell script in `system.build.earlyMountScript` with calls to
an undefined `specialMount` function, which is expected to be caller-specific.
This option is used by stage-1, stage-2 and activation script to set up and
remount those filesystems. Options for them are updated according to systemd
defaults.