1
0
Fork 1
mirror of https://github.com/NixOS/nixpkgs.git synced 2024-11-27 16:11:58 +00:00
Commit graph

780 commits

Author SHA1 Message Date
Nikolay Amiantov a63ca1bf3d stage-1 module: remove check that swap device has a label
All swap device option sets "have" a label, it's just that sometimes it's
undefined. Because we set a `device` attribute when we have a label anyway it's
ok to just check device prefix.

Fixes #18891.
2016-09-24 13:06:27 +03:00
Nikolay Amiantov f42e0dc9fd Merge pull request #18691 from abbradar/keys-fs
stage-2 init: move /run/keys mount to boot.specialFileSystems
2016-09-24 13:34:28 +04:00
Domen Kožar 80437576f9 /var/empty: silently ignore errors (if on tmpfs) #18781 2016-09-21 10:29:14 +02:00
Nikolay Amiantov 00f444d0c1 initrd-ssh service: check that authorized keys are added 2016-09-20 12:16:10 +03:00
Nikolay Amiantov 79d4636d50 stage-2 init: move /run/keys mount to boot.specialFileSystems 2016-09-17 15:39:24 +03:00
obadz 93974eb98b grub: fix manual build 2016-09-16 19:12:47 +01:00
obadz eda4f5d409 grub: clarify efiInstallAsRemovable docstring 2016-09-16 18:09:50 +01:00
obadz 1c9ac8aabc grub: add boot.loader.grub.efiInstallAsRemovable
Closes #16374
2016-09-16 18:02:36 +01:00
Eelco Dolstra 32d00f50ec Merge pull request #18573 from peterhoeg/systemd_user_cfg
systemd: support setting defaults for user instances
2016-09-14 13:39:57 +02:00
Alexander Ried e90471d792 systemd-networkd.service: remove network-interfaces.target ordering 2016-09-13 11:19:23 +02:00
Alexander Ried 2d46004b74 multi-user.target should not pull network.target 2016-09-13 11:19:22 +02:00
Eric Sagnes 79f72966e6 systemd module: optionSet -> submodule 2016-09-13 12:56:36 +09:00
Eric Sagnes 78858f2f8d networkd module: optionSet -> submodule 2016-09-13 12:56:05 +09:00
Eric Sagnes 12a1de8305 etc module: optionSet -> submodule 2016-09-13 12:53:13 +09:00
Eric Sagnes 96f5788346 luksroot module: optionSet -> submodule 2016-09-13 12:53:13 +09:00
Eric Sagnes 55e437806a grub module: optionSet -> submodule 2016-09-13 12:53:12 +09:00
Franz Pletz c58654e2b7
treewide: fix fallout of ip-up deprecation
See #18319 for details. Starting network-online.target manually does not
work as it hangs indefinitely.

Additionally, don't treat avahi and dhcpcd special and sync their systemd units
with the respective upstream suggestion.
2016-09-11 08:13:04 +02:00
Alexander Ried 27bc34f1e4 treewide: deprecate ip-up.target (#18319)
Systemd upstream provides targets for networking. This also includes a target network-online.target.

In this PR I remove / replace most occurrences since some of them were even wrong and could delay startup.
2016-09-10 18:03:59 +02:00
Lengyel Balázs 127924954b Linux-kernel: Workaround for https://github.com/NixOS/nixpkgs/issues/18451
remove after upstream gets fixed
2016-09-09 11:47:48 +02:00
Peter Hoeg 23b76b23f5 support user config 2016-09-08 16:40:54 +08:00
aszlig dd98b6fb9f
nixos/stage2: Fix mounting special filesystems
This partially reverts commit ab9537ca22.

From the manpage of systemd-nspawn(1):

  Note that systemd-nspawn will mount file systems private to the
  container to /dev, /run and similar.

Testing this in a shell turns out:

$ sudo systemd-nspawn --bind-ro=/nix/store "$(readlink "$(which ls)")" /proc
Spawning container aszlig on /home/aszlig.
Press ^] three times within 1s to kill container.
/etc/localtime does not point into /usr/share/zoneinfo/, not updating
container timezone.
1          execdomains  kpageflags    stat
acpi       fb           loadavg       swaps
asound     filesystems  locks         sys
buddyinfo  fs           meminfo       sysrq-trigger
bus        interrupts   misc          sysvipc
cgroups    iomem        modules       thread-self
cmdline    ioports      mounts        timer_list
config.gz  irq          mtrr          timer_stats
consoles   kallsyms     net           tty
cpuinfo    kcore        pagetypeinfo  uptime
crypto     key-users    partitions    version
devices    keys         scsi          vmallocinfo
diskstats  kmsg         self          vmstat
dma        kpagecgroup  slabinfo      zoneinfo
driver     kpagecount   softirqs
Container aszlig exited successfully.

So the test on whether PID 1 exists in /proc is enough, because if we
use PID namespaces there actually _is_ a PID 1 (as shown above) and the
special file systems are already mounted. A test on the $containers
variable actually mounts them twice.

This unbreaks NixOS containers and I've tested this against the
containers-imperative NixOS test.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @rickynils, @shlevy, @edolstra
2016-09-07 18:10:08 +02:00
Shea Levy 03b888e205 Merge branch 'stage2-generalise-containers' of https://github.com/rickynils/nixpkgs 2016-09-07 05:39:22 -04:00
Domen Kožar 8f95e6f6aa hardcode e2fsprogs, idempotent chmod, remove care condition 2016-09-07 10:49:27 +02:00
Rickard Nilsson ab9537ca22 nixos: Generalise the container tests in stage-2 boot
This way, stage-2 behaves correctly also for libvirt-lxc containers.

Some more discussion on this:
a7a08188bf
bfe46a653b
2016-09-07 07:50:04 +00:00
Domen Kožar 3877ec5b2f Make /var/empty immutable
Fixes #14910 and #18358

Deployed to an existing server, restarted sshd and polkit to verify
they don't fail.
2016-09-06 20:13:33 +02:00
Alexander Ried 53f3c2a278 systemd: add some missing upstream units 2016-09-05 15:03:46 +02:00
Alexander Ried 2fd6b36c51 networkd.module: remove before network-online
this is already upstream default
2016-09-05 15:03:35 +02:00
Alexander Ried 992c514a20 (network,remote-fs)-pre: remove duplicate wantedBy and before
this is part of (network,remote-fs).target, repectively
2016-09-05 15:03:35 +02:00
Domen Kožar a6670c1a0b Fixes #18124: atomically replace /var/setuid-wrappers/ (#18186)
Before this commit updating /var/setuid-wrappers/ folder introduced
a small window where NixOS activation scripts could be terminated
and resulted into empty /var/setuid-wrappers/ folder.

That's very unfortunate because one might lose sudo binary.

Instead we use two atomic operations mv and ln (as described in
https://axialcorps.com/2013/07/03/atomically-replacing-files-and-directories/)
to achieve atomicity.

Since /var/setuid-wrappers is not a directory anymore, tmpfs mountpoints
were removed in installation scripts and in boot process.

Tested:

- upgrade /var/setuid-wrappers/ from folder to a symlink
- make sure /run/setuid-wrappers-dirs/ legacy symlink is really deleted
2016-09-01 20:57:51 +02:00
Domen Kožar d163882770 Merge pull request #18172 from Profpatsch/startAt-type
systemd-unit-options: startAt can be a list
2016-09-01 20:44:32 +02:00
Domen Kožar f5271680c4 Fixes #14831 by using full path for binaries used in install-grub.pl
Both btrfs-progs and utillinux are ~5MB, we may discuss in future
to handle this better but I see no better way at the moment than
increaing purity in the install process.
2016-09-01 10:36:38 +02:00
Domen Kožar 2a7293fd9d install-grub.pl: fix a double slash prefix bug 2016-09-01 10:14:44 +02:00
Domen Kožar 5e5b0d039c install-grub.pl: add comments 2016-09-01 10:14:44 +02:00
Profpatsch 488f0d9cb3 systemd-unit-options: startAt can be a list
OnCalendar entrys can be specified multiple times in a systemd timer, to
make more complex scheduling possible.

Tested by manually checking the timer generated by the following:

    systemd = {
      services.huhu = {
        description = "meh";
        wantedBy = [ "default.target" ];
        serviceConfig.ExecStart = "/bin/sh -c 'printf HUHU!'";
        startAt = [ "*:*:0/30" "*:0/1:15" ];
      };
    };

It prints HUHU to the log at seconds 0, 15 and 30 of each minute.
2016-09-01 00:39:36 +02:00
Nikolay Amiantov 509733a343 Merge pull request #17822 from abbradar/systemd-mounts
nixos filesystems: unify special filesystems handling
2016-08-30 22:42:19 +04:00
obadz c7142c1aa3 Merge branch 'master' into staging 2016-08-28 13:33:13 +01:00
Domen Kožar 4af09e0031 Merge pull request #14311 from Profpatsch/mkRemovedOptionModule-replacement
mkRemovedOptionModule: add replacement argument
2016-08-28 13:55:28 +02:00
obadz 3de6e5be50 Merge branch 'master' into staging
Conflicts:
      pkgs/applications/misc/navit/default.nix
      pkgs/applications/networking/mailreaders/alpine/default.nix
      pkgs/applications/networking/mailreaders/realpine/default.nix
      pkgs/development/compilers/ghc/head.nix
      pkgs/development/libraries/openssl/default.nix
      pkgs/games/liquidwar/default.nix
      pkgs/games/spring/springlobby.nix
      pkgs/os-specific/linux/kernel/perf.nix
      pkgs/servers/sip/freeswitch/default.nix
      pkgs/tools/archivers/cromfs/default.nix
      pkgs/tools/graphics/plotutils/default.nix
2016-08-27 23:54:54 +01:00
Nikolay Amiantov 6efcfe03ae nixos filesystems: unify early filesystems handling
A new internal config option `fileSystems.<name>.early` is added to indicate
that the filesystem needs to be loaded very early (i.e. in initrd). They are
transformed to a shell script in `system.build.earlyMountScript` with calls to
an undefined `specialMount` function, which is expected to be caller-specific.
This option is used by stage-1, stage-2 and activation script to set up and
remount those filesystems.  Options for them are updated according to systemd
defaults.
2016-08-27 13:38:20 +03:00
Jan Malakhovski b267785c43 nixos: generalize copy-paste from stage-1 and zfs to utils 2016-08-23 18:14:06 +00:00
Jan Malakhovski 8da59c406c nixos: copy resize2fs only for stage-1 fileSystems 2016-08-23 18:14:05 +00:00
Jan Malakhovski 65d26c4dc1 nixos: apply toposort to fileSystems to support bind and move mounts
And use new `config.system.build.fileSystems` property everywhere.
2016-08-23 18:14:05 +00:00
obadz 0e8d2725dc Merge branch 'master' into staging 2016-08-23 18:50:06 +01:00
Jan Malakhovski 1266852fd8 Revert a soon to be useless pice of "nixos/stage-1: add mechanism which lustrates all impurities from / (#17784)"
This reverts a pice of commit 3d16af70bf.
2016-08-23 17:48:14 +00:00
Nikolay Amiantov 1df4dd6bf5 initrd-ssh service: ensure that keys got copied into initrd
Fixes #17927.
2016-08-23 16:20:26 +03:00
obadz 24a9183f90 Merge branch 'hardened-stdenv' into staging
Closes #12895

Amazing work by @globin & @fpletz getting hardened compiler flags by
enabled default on the whole package set
2016-08-22 01:19:35 +01:00
obadz ba50fd7170 Merge branch 'master' into staging 2016-08-22 01:18:11 +01:00
obadz 3d16af70bf nixos/stage-1: add mechanism which lustrates all impurities from / (#17784)
lustrate /ˈlʌstreɪt/ verb.
  purify by expiatory sacrifice, ceremonial washing, or some other
  ritual action.

- sudo touch /etc/NIXOS_LUSTRATE
  ⇒ on next reboot, during stage 1, everything but /nix and /boot
  is moved to /old-root
- echo "etc/passwd" | sudo tee -a /etc/NIXOS_LUSTRATE
  ⇒ on next reboot, during stage 1, everything but /nix and /boot
  is moved to /old-root; except /etc/passwd is copied back.

Useful for installing NixOS in place on another distro. For instance:

$ nix-env -iE '_: with import <nixpkgs/nixos> { configuration = {}; }; with config.system.build; [ nixos-generate-config manual.manpages ]'
$ sudo mkdir /etc/nixos
$ sudo `which nixos-generate-config`

… edit the configuration files in /etc/nixos using man configuration.nix
  if needed

  maybe add: users.extraUsers.root.initialHashedPassword = "" ?

… Build the entire NixOS system and link it to the system profile:
$ nix-env -p /nix/var/nix/profiles/system -f '<nixpkgs/nixos>' -A system --set

… If you were using a single user install:
$ sudo chown -R 0.0 /nix

… NixOS is about to take over
$ sudo touch /etc/NIXOS
$ sudo touch /etc/NIXOS_LUSTRATE

… Let's keep the configuration files we just created
$ echo etc/nixos | sudo tee -a /etc/NIXOS_LUSTRATE

$ sudo mv -v /boot /boot.bak &&
  sudo /nix/var/nix/profiles/system/bin/switch-to-configuration boot
$ sudo reboot

… NixOS boots, Stage 1 moves all the old distro stuff in /old-root.
2016-08-22 01:15:13 +01:00
Nikolay Amiantov 6b41f1132c nixos treewide: don't set MODULE_DIR 2016-08-19 17:56:54 +03:00
Nikolay Amiantov 5ff6e98486 modprobe service: drop kmod wrapper 2016-08-19 17:56:49 +03:00
Shea Levy 2942895d55 Merge branch 'install-bootloader-flag' 2016-08-17 21:16:29 -04:00
Julien Langlois 552c30c155 stage-1: exclude zram devices from resumeDevices 2016-08-17 00:21:47 -07:00
Shea Levy b4954a8f38 Deprecate --install-grub in favor of --install-bootloader for nixos-rebuild.
Fixes #14293
2016-08-16 07:51:58 -04:00
Shea Levy 9adad8612b Revert "Merge branch 'modprobe-fix' of git://github.com/abbradar/nixpkgs"
Was meant to go into staging, sorry

This reverts commit 57b2d1e9b0, reversing
changes made to 760b2b9048.
2016-08-15 19:05:52 -04:00
Nikolay Amiantov 1f63958772 nixos treewide: don't set MODULE_DIR 2016-08-16 00:19:25 +03:00
Nikolay Amiantov b2ebecd9e5 modprobe service: drop kmod wrapper 2016-08-16 00:19:25 +03:00
Robin Gloster b7787d932e Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-08-12 09:46:53 +00:00
Thomas Tuegel 68922e3f74 nixos/stage-1: use readlink -e in builder
The builder has this convoluted `while` loop which just replicates
`readlink -e`. I'm sure there was a reason at one point, because the
loop has been there since time immemorial. It kept getting copied
around, I suspect because nobody bothered to understand what it actually
did.

Incidentally, this fixes #17513, but I have no idea why.
2016-08-08 09:45:45 -05:00
Thomas Tuegel ee36bb8588 nixos/stage-1: fix antiquotation 2016-08-08 09:28:17 -05:00
Wout Mertens db8401f603 Merge pull request #17100 from abbradar/resume-delay
nixos stage-1: wait for resume devices to appear
2016-08-08 11:34:38 +02:00
Nikolay Amiantov 986a40421a nixos stage-1: wait for devices during resumption attempt
Also a microimprovement -- use `test -n` instead of `test -e`
since we have already checked that the file exists.
2016-08-08 01:35:43 +03:00
Nikolay Amiantov 3ae468e835 nixos stage-1: move resumption below helper functions' definitions 2016-08-08 01:34:23 +03:00
Nikolay Amiantov 59aa3bb5c8 nixos stage-1: factor device waiting into a function 2016-08-08 01:32:18 +03:00
Tuomas Tynkkynen 2ea72fa9c8 nixos/luksroot: Reference correct output of openssl 2016-08-04 23:12:39 +03:00
Robin Gloster 63c7b4f9a7 Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-07-31 20:51:34 +00:00
Wout Mertens 3bb18c68d2 Merge pull request #17042 from rasendubi/etc
etc: remove obsolete directories
2016-07-26 09:04:10 +02:00
Alexey Shmalko fe9cabedf0
etc: remove obsolete directories
This patch adds handling of a directory becoming a symlink in
/etc. Before this patch, the directory wasn't removed and then
symlinking failed, which caused directory not being updated at all.

The idea for the patch goes to @abbradar at
https://github.com/NixOS/nixpkgs/issues/16978#issuecomment-232921903:
> A heuristic idea for this -- a function `isStatic :: Path -> Bool`:
>
> * if path `/etc/foo` is a file, return True iff it's a symlink to `/etc/static/foo`.
> * if path is a directory, return True iff for all items in it `isStatic` is True.
>
> On any conflicts, if old path is static, it's safe to replace and/or
> delete stale. Otherwise make a backup and notify the user via a
> journal entry and console output.

The only difference here -- it will not replace user configs.

This also fixes https://github.com/NixOS/nixpkgs/issues/16978.
2016-07-25 15:50:53 +03:00
Robin Gloster 1f04b4a566 Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-07-21 00:56:43 +00:00
Nikolay Amiantov 3cc54bbad9 Merge pull request #17082 from abbradar/fix-early-kbd
Use new early kbd-setting code in initrd and fix layouts from external packages
2016-07-20 23:52:45 +04:00
Robin Gloster 203846b9de Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-07-19 10:37:02 +00:00
Christian Kauhaus 3530f3f20a systemd: make ctrl-alt-del target configurable. (#16911)
We currently only allow upstream's default of "reboot.target" due to the
way the symlinks are initialized. I made this configurable similar to the
default unit.
2016-07-19 09:42:53 +02:00
Nikolay Amiantov 7bed3d0cb3 nixos stage-1: move keymap handling to kbd module 2016-07-18 23:27:45 +03:00
Nikolay Amiantov 3d69653d6b plymouth service: stop splash screen before a failure prompt 2016-07-18 13:45:37 +03:00
Nikolay Amiantov 7513a1d2f5 plymouth service: update root fs before stage 2 2016-07-18 13:45:37 +03:00
Nikolay Amiantov 9cab592abd plymouth service: style fixes 2016-07-18 13:45:37 +03:00
Nikolay Amiantov 86ad25625f nixos stage-1: add custom pre failure dialog commands 2016-07-18 13:45:37 +03:00
Nikolay Amiantov 193ab8be67 Revert "nixos stage-1: try to quit plymouth if started on failure"
This reverts commit c69c76ca7e.

This patch was messed up during a rebase -- the commit title doesn't match what
it really does at all (it is actually a broken attempt to get LUKS passphrase
prompts in Plymouth).
2016-07-17 15:03:13 +03:00
Robin Gloster 5185bc1773 Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-07-15 14:41:01 +00:00
Nikolay Amiantov 1848bfc92d Merge branch 'plymouth' into staging 2016-07-13 03:54:38 +03:00
Nikolay Amiantov c69c76ca7e nixos stage-1: try to quit plymouth if started on failure 2016-07-12 22:22:29 +03:00
Nikolay Amiantov a2d4235fe1 plymouth service: init 2016-07-12 22:22:29 +03:00
Nikolay Amiantov d3e3e643cb nixos stage-1: set extraUtils variable 2016-07-12 22:22:29 +03:00
Nikolay Amiantov 3508918da2 nixos stage-1: replace udevadm in udevRules 2016-07-12 22:22:28 +03:00
Nikolay Amiantov e02b5ace0b nixos stage-1: guard udevRules from extra references 2016-07-12 22:22:28 +03:00
Nikolay Amiantov bd0ab027c1 nixos stage-1: recursively process binaries and libraries 2016-07-12 22:22:28 +03:00
Nikolay Amiantov 90ad879753 nixos stage-1: unconditionally mount /dev/pts 2016-07-12 22:22:28 +03:00
Bjørn Forsman 2eb8aab42c nixos/systemd: disable timer units with service
A disabled systemd service with a "startAt" attribute, like this:

  systemd.services.foo-service = {
    enable = false;
    startAt = "*-*-* 05:15:00";
    ...
  };

will cause the following errors in the system journal:

  systemd[1]: foo-service.timer: Refusing to start, unit to trigger not loaded.
  systemd[1]: Failed to start foo-service.timer.

Fix it by not generating the corresponding timer unit when the service
is disabled.
2016-07-11 22:42:47 +02:00
Jookia b187c869f4 systemd-coredump: Add systemd service and fix sysctl pattern. 2016-07-10 18:07:37 +10:00
Tuomas Tynkkynen 931706cdc1 extlinux-conf-builder: Choose whether to use DTBs on per-generation basis
Previously, the value from stdenv.platform.kernelDTB was used. That
doesn't work well if both kinds (DTB and non-DTB) of generations exist
in the system profile.
2016-07-10 03:03:51 +03:00
Bjørn Forsman aeb516c741 nixos/grub: change state file device separator from ':' to ','
':' is currently used as separator in /boot/grub/state for the list of
devices GRUB should be installed to. The problem is that ':' itself may
appear in a device path:

  /dev/disk/by-id/usb-SanDisk_Cruzer_20043512300546C0B317-0:0

With such a path, NixOS will install GRUB *every* time, because it
thinks the configuration differs from the state file (due to the wrong
list split). Fix it by using ',' as separator.

For existing systems with GRUB installed on multiple devices, this
change means that GRUB will be installed one extra time.
2016-07-06 00:11:57 +02:00
Joachim Fasting 2f45a7a3f4 Merge pull request #16568 from layus/reload-logind
systemd-logind: reload when logind.conf changed
2016-07-03 13:47:28 +02:00
Guillaume Maudoux 86dfaafad2 systemd-logind: reload when logind.conf changed 2016-07-03 00:38:37 +02:00
Bjørn Forsman 9050077cff switch-to-configuration: use absolute path to systemd-escape
Fixes issue when upgrading from very old NixOS systems that don't have
systemd-escape in $PATH:

  $ sudo nixos-rebuild switch
  ...
  building the system configuration...
  updating GRUB 2 menu...
  Can't exec "systemd-escape": No such file or directory at /nix/var/nix/profiles/system/bin/switch-to-configuration line 264.
  Unable to escape /!
2016-07-01 08:35:38 +02:00
Alexander Ried a31e07fc11 modules.resolved: Enhance by upstream options (#15897) 2016-06-26 22:58:04 +02:00
Eelco Dolstra d0b2524633 Merge pull request #16021 from Baughn/systemd-linger
systemd: Set KillUserProcesses=no in logind.conf
2016-06-20 14:54:03 +02:00
Robin Gloster 8031cba2ab Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-06-10 09:27:04 +00:00
Svein Ove Aas 93c160fabc systemd: Set KillUserProcesses=no in logind.conf
Full discussion at
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=825394

NixOS is even more of a server OS than Debian, and I can think of no
reason to make users jump through this sort of hoop.
2016-06-06 11:51:51 +01:00
Shea Levy 83c2629f15 Merge pull request #15895 from cerana/stage2-sysfs
stage2: if no /proc, also mount /sys
2016-06-03 11:32:57 -04:00
Nahum Shalman 9b0a5ced13 stage2: if no /proc, also mount /sys 2016-06-01 13:26:14 +00:00
Eelco Dolstra e8ad22be12 Rename gummiboot module 2016-06-01 12:55:56 +02:00
Eelco Dolstra 9f0e137338 Rename boot.loader.gummiboot.enable -> boot.loader.systemd-boot.enable 2016-06-01 12:55:52 +02:00
Eelco Dolstra f222689aba Use systemd-boot instead of gummiboot
Gummiboot is part of systemd now so we may as well use it.
2016-05-31 17:02:47 +02:00
Robin Gloster 2d382f3d98 Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-05-30 19:39:34 +00:00
Profpatsch 16c923cef2 modules/mkRemovedOptionModule: add replacement doc
When displaying a warning about a removed Option we should always
include reasoning why it was removed and how to get the same
functionality without it.

Introduces such a description argument and patches occurences (mostly
with an empty string).

startGnuPGAgent: further notes on replacement
2016-05-29 00:42:08 +02:00
Vladimír Čunát 81039713fa Merge branch 'master' into staging
... to get the systemd update (rebuilding ~7k jobs).
2016-05-26 16:50:22 +02:00
Eelco Dolstra 845c9b50bf boot.initrd.luks.devices: Change into an attribute set
This allows setting options for the same LUKS device in different
modules. For example, the auto-generated hardware-configuration.nix
can contain

  boot.initrd.luks.devices.crypted.device = "/dev/disk/...";

while configuration.nix can add

  boot.initrd.luks.devices.crypted.allowDiscards = true;

Also updated the examples/docs to use /disk/disk/by-uuid instead of
/dev/sda, since we shouldn't promote the use of the latter.
2016-05-25 18:04:21 +02:00
Eelco Dolstra 32bed83b18 Remove boot.loader.grub.timeout and boot.loader.gummiboot.timeout
There is a generic boot.loader.timeout option.
2016-05-25 11:39:17 +02:00
Eelco Dolstra 0c5ebbd744 Merge pull request #15598 from rnhmjoj/systemd
Remove systemd shell aliases
2016-05-23 10:28:34 +02:00
Vladimír Čunát 0b192a0976 Merge branch 'master' into staging
That's to get mesa rebuild from master, as it's nontrivial.
2016-05-23 09:02:10 +02:00
rnhmjoj 1d9651e723
Remove systemd shell aliases 2016-05-21 19:25:21 +02:00
Nikolay Amiantov 53b8852498 initrd-ssh service: add assertions for host keys 2016-05-20 23:34:28 +03:00
Tuomas Tynkkynen 2a73de6e6c treewide: Make explicit that 'dev' output of openssl is used 2016-05-19 10:02:23 +02:00
Franz Pletz f8d481754c
Merge remote-tracking branch 'origin/master' into hardened-stdenv 2016-05-18 17:10:02 +02:00
Vladimír Čunát 65a9fa8cdc Merge branch 'master' into staging 2016-05-08 21:24:48 +02:00
Nikolay Amiantov 17e4803de7 initrd-ssh service: fix build 2016-05-07 15:38:46 +03:00
aszlig 67223ee205
nixos/stage-1: Don't kill kernel threads
Unfortunately, pkill doesn't distinguish between kernel and user space
processes, so we need to make sure we don't accidentally kill kernel
threads.

Normally, a kernel thread ignores all signals, but there are a few that
do. A quick grep on the kernel source tree (as of kernel 4.6.0) shows
the following source files which use allow_signal():

  drivers/isdn/mISDN/l1oip_core.c
  drivers/md/md.c
  drivers/misc/mic/cosm/cosm_scif_server.c
  drivers/misc/mic/cosm_client/cosm_scif_client.c
  drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
  drivers/staging/rtl8188eu/core/rtw_cmd.c
  drivers/staging/rtl8712/rtl8712_cmd.c
  drivers/target/iscsi/iscsi_target.c
  drivers/target/iscsi/iscsi_target_login.c
  drivers/target/iscsi/iscsi_target_nego.c
  drivers/usb/atm/usbatm.c
  drivers/usb/gadget/function/f_mass_storage.c
  fs/jffs2/background.c
  fs/lockd/clntlock.c
  fs/lockd/svc.c
  fs/nfs/nfs4state.c
  fs/nfsd/nfssvc.c

While not all of these are necessarily kthreads and some functionality
may still be unimpeded, it's still quite harmful and can cause
unexpected side-effects, especially because some of these kthreads are
storage-related (which we obviously don't want to kill during bootup).

During discussion at #15226, @dezgeg suggested the following
implementation:

for pid in $(pgrep -v -f '@'); do
    if [ "$(cat /proc/$pid/cmdline)" != "" ]; then
        kill -9 "$pid"
    fi
done

This has a few downsides:

 * User space processes which use an empty string in their command line
   won't be killed.
 * It results in errors during bootup because some shell-related
   processes are already terminated (maybe it's pgrep itself, haven't
   checked).
 * The @ is searched within the full command line, not just at the
   beginning of the string. Of course, we already had this until now, so
   it's not a problem of his implementation.

I posted an alternative implementation which doesn't suffer from the
first point, but even that one wasn't sufficient:

for pid in $(pgrep -v -f '^@'); do
    readlink "/proc/$pid/exe" &> /dev/null || continue
    echo "$pid"
done | xargs kill -9

This one spawns a subshell, which would be included in the processes to
kill and actually kills itself during the process.

So what we have now is even checking whether the shell process itself is
in the list to kill and avoids killing it just to be sure.

Also, we don't spawn a subshell anymore and use /proc/$pid/exe to
distinguish between user space and kernel processes like in the comments
of the following StackOverflow answer:

http://stackoverflow.com/a/12231039

We don't need to take care of terminating processes, because what we
actually want IS to terminate the processes.

The only point where this (and any previous) approach falls short if we
have processes that act like fork bombs, because they might spawn
additional processes between the pgrep and the killing. We can only
address this with process/control groups and this still won't save us
because the root user can escape from that as well.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Fixes: #15226
2016-05-06 16:24:42 +02:00
Robin Gloster c92bca56f8 Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-05-02 22:58:02 +00:00
William A. Kennington III 60b3484928 dbus: Fix for new 1.10 version
(cherry picked from commit 68a4a6df3971d66aa988bba680351a30fbadbed3)
2016-05-02 13:04:20 -05:00
Tuomas Tynkkynen 4ff8f377af Merge remote-tracking branch 'upstream/master' into staging 2016-04-28 00:13:53 +03:00
Graham Christensen 56f8206b85 Update etc example to not use a real config file
A user noticed the example for `hosts`, took the `mode` permissions literally, and ended up with surprising behavior on their system. Updating the documentation to not reference a real config file which might have real permissions requirements.
2016-04-27 10:27:52 -05:00
Nikolay Amiantov 5f19542581 Merge commit 'refs/pull/14694/head' of git://github.com/NixOS/nixpkgs into staging 2016-04-25 18:02:23 +03:00
Tuomas Tynkkynen 1d4b21ef42 treewide: Use correct output of config.nix.package in non-string contexts 2016-04-25 16:44:38 +02:00
Nikolay Amiantov 5ff40ddedf add get* helper functions and mass-replace manual outputs search with them 2016-04-25 13:24:39 +03:00
Nikolay Amiantov ab0a0c004e makeSearchPathOutputs: refactor to makeSearchPathOutput 2016-04-25 13:24:39 +03:00
Alexander Ried 1d6990db06 boot.loader.grub: fix variable name (#14855) 2016-04-20 22:27:34 +02:00
Robin Gloster d020caa5b2 Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-04-18 13:49:22 +00:00
Tuomas Tynkkynen ab428dce14 stage-1: Remove doublePatchelf hack
No longer needed with the new patchelf version.
2016-04-15 01:53:34 +03:00
Eelco Dolstra 840f3230a2 Restore default core limit of 0:infinity
Continuation of 79c3c16dcb. Systemd 229
sets the default RLIMIT_CORE to infinity, causing systems to be
littered with core dumps when systemd.coredump.enable is disabled.

This restores the 15.09 soft limit of 0 and hard limit of infinity.
2016-04-14 13:18:09 +02:00
Nikolay Amiantov 8b7ebaffeb replace makeSearchPath tree-wise to take care of possible multiple outputs 2016-04-13 22:09:41 +03:00
Vladimír Čunát 39ebb01d6e Merge branch 'staging', containing closure-size #7701 2016-04-13 09:25:28 +02:00
Vladimír Čunát 30f14243c3 Merge branch 'master' into closure-size
Comparison to master evaluations on Hydra:
  - 1255515 for nixos
  - 1255502 for nixpkgs
2016-04-10 11:17:52 +02:00
Moritz Ulrich e366d8294e systemd.generators: Generate folders via environment.etc. 2016-04-08 14:50:20 +02:00
Moritz Ulrich 88e2cc480f systemd.generator-packages: Option to specify packages providing generators. 2016-04-08 14:50:20 +02:00
Robin Gloster 3e68106afd Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-04-07 21:52:26 +00:00
Robin Gloster a73a28de7b fix grammar errors 2016-04-06 16:16:23 +00:00
joachifm 97c8bf61ef Merge pull request #14474 from MatrixAI/fixed-stage1
nixos/stage-1: Removed logCommands conditional for resetting the file descriptors after completion of logging
2016-04-05 22:39:14 +02:00
Roger Qiu 53e8e93939 nixos/stage-1: Removed logCommands conditional for resetting the file descriptors after completion of logging 2016-04-06 00:27:18 +10:00
Eelco Dolstra f2af8874e8 Revert "initrd: Use modprobe from busybox"
This reverts commit 45c218f893.

Busybox's modprobe causes numerous "Unknown symbol" errors in the
kernel log, even though the modules do appear to load correctly.
2016-04-01 17:39:09 +02:00
Vladimír Čunát ab15a62c68 Merge branch 'master' into closure-size
Beware that stdenv doesn't build. It seems something more will be needed
than just resolution of merge conflicts.
2016-04-01 10:06:01 +02:00
Eelco Dolstra 54ca7e9f75 Restore core dumps
Systemd 229 sets kernel.core_pattern to "|/bin/false" by default,
unless systemd-coredump is enabled. Revert back to the default of
writing "core" in the current directory.
2016-03-25 17:29:29 +01:00
kklas aac666e302 sw-raid: make mdmon start from initrd
Also add required systemd services for starting/stopping mdmon.

Closes #13447.
abbradar: fixed `mdadmShutdown` service name according to de facto conventions.
2016-03-09 21:03:49 +03:00
Vladimír Čunát 09af15654f Merge master into closure-size
The kde-5 stuff still didn't merge well.
I hand-fixed what I saw, but there may be more problems.
2016-03-08 09:58:19 +01:00
Nathan Zadoks 1904ef7f09 systemd: enable upstream systemd-binfmt.service
Since we don't restart sysinit.service in switch-to-configuration, this
additionally overrides systemd-binfmt.service to depend on
proc-sys-fs-binfmt_misc.automount, which is normally provided by
sysinit.service.
2016-03-02 21:00:47 +01:00
Eelco Dolstra f3d94cfc23 Revert "Add the tool "nixos-typecheck" that can check an option declaration to:"
This reverts commit cad8957eab. It
breaks NixOps, but more importantly, such major changes to the module
system really need to be reviewed.
2016-03-01 20:52:06 +01:00
Thomas Strobel cad8957eab Add the tool "nixos-typecheck" that can check an option declaration to:
- Enforce that an option declaration has a "defaultText" if and only if the
   type of the option derives from "package", "packageSet" or "nixpkgsConfig"
   and if a "default" attribute is defined.

 - Enforce that the value of the "example" attribute is wrapped with "literalExample"
   if the type of the option derives from "package", "packageSet" or "nixpkgsConfig".

 - Warn if a "defaultText" is defined in an option declaration if the type of
   the option does not derive from "package", "packageSet" or "nixpkgsConfig".

 - Warn if no "type" is defined in an option declaration.
2016-02-29 01:09:00 +01:00
Vladimír Čunát f8516a0717 nixos copySystemConfiguration: fix when chrooted
Fixes #7974. Also makes the description more informative.
2016-02-28 10:08:42 +01:00
Leroy Hopson 392ca77d4c nixos/activation-script: fix formatting of example 2016-02-27 22:25:40 +13:00
zimbatm b73c5ae291 Merge pull request #10546 from aszlig/nixops-issue-350
Fixes for NixOps issue #350
2016-02-26 00:33:49 +00:00
Roger Qiu 5cf823e1f4 nixos/stage-1/2: Added -r option to read so that read interprets backslashes literally, and corrected the comment about optional logging. 2016-02-24 18:54:25 +11:00
Eelco Dolstra deae4eff7b Make stage-1/2 logging unconditional, and drop log level to "debug"
Using "debug" level prevents spamming the console with messages twice
(once directly and once via kmsg).
2016-02-23 11:56:09 +01:00
Roger Qiu 474d5a7bd0 nixos/stage-2: Added boot.logCommands 2016-02-23 11:56:09 +01:00
Roger Qiu 142f65e07a nixos/stage-1: Added boot.initrd.logCommands 2016-02-23 11:56:08 +01:00
Vladimír Čunát d039c87984 Merge branch 'master' into closure-size 2016-02-14 08:33:51 +01:00
Peter Simons a1fa485378 Revert "Remove double-backslashes from grub conf file".
This reverts commit b861bf8ddf, because according to @mdorman [1] this
change rendered his NixOS systems unbootable, and we probably don't want that.

[1] b861bf8ddf (commitcomment-16058598)
2016-02-12 13:14:34 +01:00
Ben Booth b861bf8ddf Remove double-backslashes from grub conf file
The double-backspashes in the splashimage, kernel, and initrd sections serve no purpose and confuse pygrub
2016-02-11 12:05:15 -08:00
Nikolay Amiantov 5396a01b6c init-script-builder: handle containers without a kernel 2016-02-10 02:05:47 +03:00
Robin Gloster 0ee88cffca Merge pull request #10417 from puffnfresh/nixos/mmc_block
initrd: add mmc_block to default available modules
2016-02-08 23:51:46 +01:00
Aneesh Agrawal 3c5fca9618 filesystems: use list of strings for fs options
Allow usage of list of strings instead of a comma-separated string
for filesystem options. Deprecate the comma-separated string style
with a warning message; convert this to a hard error after 16.09.
15.09 was just released, so this provides a deprecation period during
the 16.03 release.

closes #10518

Signed-off-by: Robin Gloster <mail@glob.in>
2016-02-06 19:48:30 +00:00
Vladimír Čunát 54299b60c4 Merge #12779: Mass replace pkg}/bin-style strings
... to refer to correct outputs
2016-02-03 17:25:22 +01:00
Vladimír Čunát ae74c356d9 Merge recent 'staging' into closure-size
Let's get rid of those merge conflicts.
2016-02-03 16:57:19 +01:00
Eelco Dolstra 42709fb4e9 switch-to-configuration: Handle failure to read /proc/1/exe
It's not entirely clear why this happens, but sometimes /proc/1/exe
returns a bogus value, like
/ar3a3j6b9livhy5fcfv69izslhgk4gcz-systemd-217/lib/systemd/systemd. In
any case, we can just conservatively assume that we need to restart
systemd when this happens.

Fixes #10261.
2016-02-03 15:01:18 +01:00
Nikolay Amiantov 1dce7c0b82 initrd-ssh module: don't check if network is up
We already do this in initrd-network.
2016-02-03 16:37:10 +03:00
Nikolay Amiantov b4528a696a initrd-network: call postCommands only if network is up 2016-02-03 16:35:21 +03:00
aszlig 8ecd3a5e1d
nixos/stage-1: Fix references to readlink/basename
Fixes references coming from the mdadm udev rules.

This addresses #12722 (mdadm udev rules have references to /usr/bin) but
still won't fix the warning, though (if we want to fix the warnings, we
will have to patch the udev rules generater in services/hardware/udev).

For common mdraid functionality, this shouldn't fix anything, because
the wrong references seem to only apply to containers, see these
(wrapped) lines from ${mdadm}/lib/udev/rules.d/63-md-raid-arrays.rules:

  # Tell systemd to run mdmon for our container, if we need it.
  ENV{MD_LEVEL}=="raid[1-9]*",
    ENV{MD_CONTAINER}=="?*",
  PROGRAM="/usr/bin/readlink $env{MD_CONTAINER}",
    ENV{MD_MON_THIS}="%c"
    ENV{MD_MON_THIS}=="?*",
    PROGRAM="/usr/bin/basename $env{MD_MON_THIS}",
    ENV{SYSTEMD_WANTS}+="mdmon@%c.service"

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-02-03 14:19:24 +01:00
Nikolay Amiantov 1d70e2fb75 initrd modules: move passwd and nsswitch back to initrd-ssh
Partially reverts commit 901163c0c7.
This has broken remote SSH into initrd because ${cfg.shell} is not
expanded. Also, nsswitch is useless without libnss_files.so which
are installed by initrd-ssh.
2016-02-03 14:56:55 +03:00
Nikolay Amiantov 815ff00ee0 initrd-ssh module: enable only if initrd network is enabled 2016-02-03 14:55:52 +03:00
Nikolay Amiantov cc70183cee initrd-network module: initialize network before other pre-LVM commands
This is needed to ensure that network will be initialized before LUKS
passphrase is asked.
2016-02-03 14:55:42 +03:00
Eelco Dolstra cc925d0506 boot.initrd.network: Support DHCP
This allows us to use it for EC2 instances.
2016-02-02 19:59:27 +01:00
Eelco Dolstra 901163c0c7 Split the initrd sshd support into a separate module
Also, drop boot.initrd.postEarlyDeviceCommands since preLVMCommands
should work fine.
2016-02-02 19:59:27 +01:00
Tuomas Tynkkynen 13b3f3f246 treewide: Mass replace 'openssl}/bin' to refer the 'bin' output 2016-02-01 20:46:16 +02:00
Eelco Dolstra 45c218f893 initrd: Use modprobe from busybox 2016-02-01 18:19:24 +01:00
Tuomas Tynkkynen d91c7347d1 treewide: Mass replace 'openssl}/lib' to refer the 'out' output 2016-01-24 10:03:38 +02:00
Tuomas Tynkkynen a1909d7380 treewide: Mass replace 'glibc}/lib' to refer the 'out' output 2016-01-24 10:03:35 +02:00
Peter Simons 9ee5a6b858 Merge pull request #12481 from nathan7/usrbinenv-option
activation-script module: add environment.usrbinenv option
2016-01-22 11:18:37 +01:00
Robin Gloster eac8cb1ce1 Merge pull request #11896 from mayflower/upstream-networkd
networkd: add IPForward IPMasquerade options,  DHCPServer section
2016-01-20 13:06:44 +01:00
Nathan Zadoks df82096af0 activation-script module: add environment.usrbinenv option 2016-01-19 23:29:48 +01:00
Vladimír Čunát 716aac2519 Merge branch 'staging' into closure-size 2016-01-19 09:55:31 +01:00
Nikolay Amiantov 148396c022 systemd service: add *.busname upstream units 2016-01-18 19:42:25 +03:00
Robin Gloster 4a0692a5fb types: remove references to new packageSet
Reverts part of a04a7272aa

packageSet is slated to be introduced in #11866 but currently causes
evalation errors.

/cc @ts468
2016-01-17 19:49:38 +00:00
Thomas Strobel a04a7272aa Add missing 'type', 'defaultText' and 'literalExample' in module definitions
- add missing types in module definitions
- add missing 'defaultText' in module definitions
- wrap example with 'literalExample' where necessary in module definitions
2016-01-17 19:41:23 +01:00
Evgeny Egorochkin 01130e502a systemd: backslashes are no longer allowed in script names 2016-01-10 11:31:38 +02:00
Arseniy Seroka c03fe79265 Merge pull request #10996 from oxij/nixos-label
nixos: introduce system.nixosLabel support
2016-01-09 20:52:08 +03:00
Jan Malakhovski 119c8f91e7 nixos: introduce system.nixosLabel option and use it where appropriate
Setting nixosVersion to something custom is useful for meaningful GRUB
menus and /nix/store paths, but actuallly changing it rebulids the
whole system path (because of `nixos-version` script and manual
pages). Also, changing it is not a particularly good idea because you
can then be differentitated from other NixOS users by a lot of
programs that read /etc/os-release.

This patch introduces an alternative option that does all you want
from nixosVersion, but rebuilds only the very top system level and
/etc while using your label in the names of system /nix/store paths,
GRUB and other boot loaders' menus, getty greetings and so on.
2016-01-08 22:26:15 +00:00
Daniel Peebles 57cb5ab17a Merge pull request #12198 from mayflower/remove-upstart-layer
Remove upstart layer
2016-01-07 13:47:39 -05:00
Eelco Dolstra e4b4e9b986 linux: Make Unix domain sockets builtin
This hopefully fixes intermittent initrd failures where udevd cannot
create a Unix domain socket:

  machine# running udev...
  machine# error getting socket: Address family not supported by protocol
  machine# error initializing udev control socket
  machine# error getting socket: Address family not supported by protocol

The "unix" kernel module is supposed to be loaded automatically, and
clearly that works most of the time, but maybe there is a race
somewhere. In any case, no sane person would run a kernel without Unix
domain sockets, so we may as well make it builtin.

http://hydra.nixos.org/build/30001448
2016-01-07 13:20:53 +01:00
Robin Gloster 88292fdf09 jobs -> systemd.services 2016-01-07 06:39:06 +00:00
Eelco Dolstra 6d02d7e740 NixOS tests: Increase hung_task_timeout_secs
This hopefully fixes intermittent test failures like

  http://hydra.nixos.org/build/29962437

  router# [  240.128835] INFO: task mke2fs:99 blocked for more than 120 seconds.
  router# [  240.130135]       Not tainted 3.18.25 #1-NixOS
  router# [  240.131110] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.

assuming that these are caused by high load on the host.
2016-01-04 16:53:42 +01:00
Vladimír Čunát 0e1fe66aad kernel: do not load configs module (close #10912)
... because we make it built-in by default.
I can't imagine anyone who wanted to purge this module from his/her system,
so let's keep it simple, at least for now.
2016-01-04 13:59:53 +01:00
Tobias Geerinckx-Rice 82419575aa btrfsProgs -> canonical btrfs-progs 2016-01-03 20:38:44 +01:00
Vladimír Čunát f9f6f41bff Merge branch 'master' into closure-size
TODO: there was more significant refactoring of qtbase and plasma 5.5
on master, and I'm deferring pointing to correct outputs to later.
2015-12-31 09:53:02 +01:00
Eelco Dolstra e78bad5262 etc: Use a friendlier name than "etc-file" 2015-12-30 15:17:30 +01:00
Eelco Dolstra 1ba2015450 install-grub: Make more robust against GC'ed system profile entries
Previously this barfed with:

  updating GRUB 2 menu...
  fileparse(): need a valid pathname at /nix/store/zldbbngl0f8g5iv4rslygxwp0dbg1624-install-grub.pl line 391.
  warning: error(s) occured while switching to the new configuration
2015-12-30 15:07:18 +01:00
Christian Albrecht 83a64cecc9 networkd: add DHCPServer config section 2015-12-23 06:04:39 +01:00
Christian Albrecht 2307d24544 networkd: add IPForward and IPMasquerade options
to Network config section
2015-12-23 06:02:59 +01:00
Thomas Strobel d856841ba4 nixos trustedGRUB: add support for HP laptops 2015-12-22 03:12:30 +01:00
Luca Bruno 5b0352a6a4 Merge branch 'master' into closure-size 2015-12-11 18:31:00 +01:00
Nicole Angel c840974c24 grub: fix typo in variable name (trivial) 2015-12-10 19:52:08 +01:00
Gabriel Ebner f4c01fc004 systemd: enable timedated, hostnamed, localed. 2015-12-07 20:25:53 +01:00
Luca Bruno a412927924 Merge remote-tracking branch 'origin/master' into closure-size 2015-11-25 21:37:30 +01:00
Vladimír Čunát 333d69a5f0 Merge staging into closure-size
The most complex problems were from dealing with switches reverted in
the meantime (gcc5, gmp6, ncurses6).
It's likely that darwin is (still) broken nontrivially.
2015-11-20 14:32:58 +01:00