The substr solution assumed a newline to be present.
The new solution will not remove the newline if it goes missing in the future.
Apparently this is idiomatic perl.
Thanks pennae for the suggestion!
According to https://grafana.com/docs/agent/latest/upgrade-guide/#v0240,
this has been deprecated/moved to -server.http.address and
-server.grpc.address (accepting ip and port) config options in v0.24.0,
and already listens on localhost and not port 80 by default.
According to https://github.com/grafana/agent/pull/1540, -prometheus.*
flages were deprecated in 0.19.0 in favor of the -metrics.*
counterparts. Same applies to `loki` being renamed to `logs`.
I'm not sure if the config file format is still supported (it could be),
but we shouldn't use deprecated configs.
Run the device tree overlays through the preprocessor before compiling it, as
is done in the kernel. This helps make overlays easier to understand, and
improves compatibility with those found in the wild.
I found the correct command line by running the kernel build with V=1, and then
removing all the arguments related to dependency tracking.
Since dtc 1.4.7 (released in 2018), there has been a much nicer syntax for
device tree overlays. This commit converts the dtsText example to use this
syntax.
Qt4 is on it's way out, according to
https://github.com/NixOS/nixpkgs/pull/174634
Barco's ClickShare driver/client requires Qt4;
an update isn't in sight anywhere.
To prepare for the removal of Qt4,
the commit at hand removes the
ClickShare package and its NixOS module.
The release notes are appended with a hint about the
removal and some alternatives that might help users
that are still in need of the driver/client functionality.
The preStart script for the IPFS service will print parts of the configuration
to stdout (and therefore, the journal) when applying profiles on startup. This
may lead to unwanted disclosure of private information, such as remote pinning
service API keys. Fix by sending stdout to /dev/null.
Make secret replacement more robust and futureproof:
- Allow any attribute in `services.parsedmarc.settings` to be a
secret if set to `{ _secret = "/path/to/secret"; }`.
- Hash secret file paths before using them as a placeholders in the
config file to minimize the risk of conflicting file paths being
replaced instead.
Make secret replacement more robust and futureproof:
- Allow any attribute in `services.geoipupdate.settings` to be a
secret if set to `{ _secret = "/path/to/secret"; }`.
- Hash the license key path before using it as a placeholder in the
config file to minimize the risk of conflicting file paths being
replaced instead.
Commit 8109d8a set the `StateDirectory=` option of the systemd service
configuration to the value of `cfg.workDir` which is wrong, according
to dasJ [1]. This commit resolves this issue by stripping the
`/var/lib/` prefix from `cfg.workDir`.
[1] https://github.com/NixOS/nixpkgs/pull/172824#issuecomment-1130350412
On one of the two machines I have running openldap, openldap failed to start due to a "timeout". Increasing the allowed startup delay didn't help.
I noticed the following in logs:
```
openldap.service: Got notification message from PID 5224, but reception only permitted for main PID 5223
```
It turns out that on this machine at least, openldap apparently sends the notification from a non-main process, which means that we need this NotifyAccess setting for systemd to record that it successfully started. Without it, after 30 seconds systemd kills the process because it didn't receive the sd_notify call.
Somehow the other machine I have on nixos running ldap works fine even without this, but I could not figure out what changes the behavior.
Given that AFAIU NotifyAccess still restricts to "from the cgroup of the service", I think this change should be safe.
A simpler implementation of 7d8b303e3f
that uses an assertion instead of a derivation.
`pathHasContext` seems a bit better than `hasPrefix storeDir` because it
avoids a string comparison, and catches nonsense like
`"foo${pkgs.hello}bar"`.
Apparently since systemd v250 a `ListenStream` in an override file won't
override the unit, but will be appended to a list of socket addresses.
The socket unit fails if two or more addresses have the same port,
probably because two systemd processes try to listen to it at once.
The solution is to add an empty `ListenStream=` to reset all previous
definitions.
Fix#175478.
`nixos/modules/installer/kexec/kexec-boot.nix` doesn't contain any
custom NixOS config, other than importing `netboot-minimal.nix` (which
imports `netboot-base.nix`, which imports `netboot.nix`.
`netboot.nix` really is just describing a self-contained system config,
running entirely off kernel and initrd, so we might as well move the
kexec script generation there as well.
`netboot.nix` already contains some `system.build` attributes.
Provide a `system.build.kexecTree` attribute (and `kexecScript` for
composability).
It is already installed by xdg.icons.enable.
Let’s also enable that option explicitly to prevent users from accidentally
disabling it since GNOME will be severely broken without it.
It is already installed by xdg.mime.enable.
Let’s also enable that option explicitly to prevent users from accidentally
disabling it since GNOME will be severely broken without it.
Previously, `makeInitrd` added the whole closure of the squashfs
derivation to initrd.
This closure contains the squashfs.img and some store paths which are
still referenced by the compressed squashfs.img.
These extra store paths are unused in stage 1.
With `makeInitrdNG` only the squashfs.img is added to the initrd.
(`makeInitrdNG` only resolves shared library references instead of the
whole closure).
This shrinks the netboot ramdisk by ~6% for a minimal system and
significantly decreases the size of the uncompressed root filesystem
in stage 1.
An empty LD_LIBRARY_PATH may confuse some applications into appending
:, creating an empty segment that insecurely refers to the current
directory, not the absence of directories.
Signed-off-by: Anders Kaseorg <andersk@mit.edu>
The backupPrepareCommand and backupCleanupCommand options offer a way to
run a script to prepare for backup and then cleanup it once finish.
Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
Allow providing the repository as a file, useful when we don't want it
being stored in the Git repository as plain text.
Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
Previously, all configuration and state data was accessible to all
users on the system running jellyfin. This included user passwords in
the Jellyfin database, as well as credentials for LDAP if configured.
The exact set of accessible data depends on system configuration.
Thanks to Sofie Finnes Øvrelid for reporting this issue.
Fixes: CVE-2022-32198
Co-Authored-By: Martin Weinelt <hexa@darmstadt.ccc.de>
Handling of the string length condition in should_update
was broken, as evident with the log message
> leaving systemd-boot 246 in place (250.4 is not newer)
Discussion with @mweinelt came to the conclusion
that Python's "<" operator already does what we need,
so the should_update function can be dropped.
Fixes a30de3b849
Raw logs are stored in a versioned binary format and must be update with
atopconvert(1) upon atop version updates.
Failure to do so results in atop.service startup failure as I found out
the hard way after the "atop: 2.6.0 -> 2.7.1"[0] bump:
```
May 31 01:49:25 <hostname> sh[2269709]: existing file /var/log/atop/atop_20220531 has incompatible header
May 31 01:49:25 <hostname> sh[2269709]: (created by version 2.6 - current version 2.7)
May 31 01:49:25 <hostname> systemd[1]: atop.service: Main process exited, code=exited, status=7/NOTRUNNING
```
Convert logs in `ExecStartPre` and replace them iff updated.
This is to avoid changing original modification times upon every service
start and thus work against atop's log rotation (see existing
`ExecStartPre`).
0: https://github.com/NixOS/nixpkgs/pull/175180#issuecomment-1141546487
systemd-247 provides a mechanism called LoadCredential for secrets and
it is better than environment file. See the section of Environment=
in the manual of systemd.exec for more information.
Some options in config.yaml need values to be strings, which currently
can be used with environmentFile but not loadCredential. But it's
possible to use loadCredential for those options, e.g. we can
substitute their values in ExecStart, but not in ExecStartPre due to
[1].
[1]: https://github.com/systemd/systemd/issues/19604
Prior to this patch:
$ nix-instantiate --eval -E '
> with import ./. {
> localSystem.config = "aarch64-unknown-linux-musl";
> };
> (nixos {}).config.nixpkgs.localSystem.config
> '
"aarch64-unknown-linux-gnu"
Because only the system triple was being passed through, the Musl part
of the system specification was lost. This patch fixes various
occurrences of NixOS evaluation when a Nixpkgs evaluation is already
available, to pass through the full elaborated system attribute set,
to avoid this loss of precision.
Since, 4ddc78818e systemd-boot-builder
is broken in two ways:
* if no systemd-boot is currently installed *and* the NIXOS_INSTALL_BOOTLOADER
env variable is not set, it will try to run "bootctl update", which will fail
* if the currently installed systemd-boot version is newer than the version
we're about to install, it will also try to run "bootctl update", which will fail
This patch changes the behaviour,
* for the first case to still fail, but not even bother to try running
"bootctl update" and instead erroring out with an exception
* for the second case to leave the newer version in place, restoring
the pre - 4ddc78818e behaviour
To do the proper version check a new "should_update" helper function was introduced,
mimicing the compare_product C function from bootctl. If the following systemd
issue gets resolved, we would have a nice way to get rid of this function:
> https://github.com/systemd/systemd/issues/23450
This change allows to again switch to a different NixOS configuration which contains
an older systemd-boot.
Co-authored-by: Martin Weinelt <mweinelt@users.noreply.github.com>
- initialSystem was keeping track of the evaluating system
- it had been used by `nesting.children`
- since, 20.09, `nesting.children` has been replaced with named
specializations
It appears that this option was left over and not cleand up properly.
`extra-utils` composes the set of programs and libraries needed by
1. copying over all programs
2. copying over all libraries any program directly links against
3. set the runtime path for every program to the library directory
It seems that this approach misses the case where a library itself links
against another library. That is to say, `extra-utils` assumes that
either only progams link against libraries or that every library linked
to by a library is already linked to by a program.
`mount.zfs` linking against `libcrypto`, in turn linking against `libdl`
shows how the current approach falls short:
```
$ objdump -p $(which mount.zfs) | grep NEEDED | grep -e libdl -e libcrypto
NEEDED libcrypto.so.1.1
$ ldd (which mount.zfs) | grep libdl
libdl.so.2 => /nix/store/ybkkrhdwdj227kr20vk8qnzqnmj7a06x-glibc-2.34-115/lib/libdl.so.2 (0x00007f9967a9a000
```
Using `mount.zfs` directly in stage 1 init still works since
`LD_LIBRARY_PATH` overrides this (as intended).
util-linux's `mount` however executes `mount.zfs` with LD_LIBRARY_PATH
removed from its environment as can be seen with strace(1) in an
interactive stage 1 init shell (`boot.shell_on_fail` kernel parameter):
```
# env -i LD_LIBRARY_PATH=$LD_LIBRARY_PATH $(which strace) -ff -e trace=/exec -v -qqq $(which mount) /mnt-root
execve("/nix/store/3gqbb3swgiy749fxd5a4k6kirkr2jr9n-extra-utils/bin/mount", ["/nix/store/3gqbb3swgiy749fxd5a4k"..., "/mnt-root"], ["LD_LIBRARY_PATH=/nix/store/3gqbb"...]) = 0
[pid 1026] execve("/sbin/mount.zfs", ["/sbin/mount.zfs", "<redacted>", "/mnt-root", "-o", "rw,zfsutil"], []) = 0
/sbin/mount.zfs: error while loading shared libraries: libdl.so.2: cannot open shared object file: No such file or directory
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=1026, si_uid=0, si_status=127, si_utime=0, si_stime=0} ---
```
env(1) is used for clarity (hence subshells for absoloute paths).
While `mount` uses the right library path, `mount.zfs` is stripped of
it, so ld.so(8) fails resolve `libdl` (as required by `libcrypto`).
To fix this and not rely on `LD_LIBRARY_PATH` to be set, fix the library
path inside libraries as well.
This finally mounts all ZFS filesystems using `zfsutil` with correct and
intended mount options.
At least pkgs/os-specific/linux/util-linux/default.nix uses
```
"--enable-fs-paths-default=/run/wrappers/bin:/run/current-system/sw/bin:/sbin"
```
which does not cover stage 1 init's PATH as all executables are put
under /bin/.
Fix util-linux's `mount` usage by symlinking /sbin to it.
Consider ZFS filesystems meant to be mounted with zfs.mount(8), e.g.
```
config.fileSystems."/media".options = [ "zfsutil" ];
config.fileSystems."/nix".options = [ "zfsutil" ];
```
`zfsutil` uses dataset properties as mount options such that zfsprops(7)
do not have to be duplicated in fstab(5) entries or manual mount(8)
invocations.
Given the example configuation above, /media is correctly mounted with
`setuid=off` translated into `nosuid`:
```
$ zfs get -Ho value setuid /media
off
$ findmnt -t zfs -no options /media
rw,nosuid,nodev,noexec,noatime,xattr,posixacl
```
/nix however was mounted with default mount(8) options:
```
$ zfs get -Ho value setuid /nix
off
$ findmnt -t zfs -no options /nix
rw,relatime,xattr,noacl
```
This holds true for all other ZFS properties/mount options, including
`exec/[no]exec`, `devices/[no]dev`, `atime/[no]atime`, etc.
/nix is mounted using BusyBox's `mount` during stage 1 init while /media
is mounted later using proper systemd and/or util-linux's `mount`.
Tracing stage 1 init showed that BusyBox never tried to execute
mount.zfs(8) as intended by `zfsutil`.
Replacing it with util-linux's `mount` and adding the mount helper
showed attempts to execute mount.zfs(8).
Ensure ZFS filesystems are mounted with correct options iff `zfsutil` is
used.
Very confusingly, the `isPowerPC` predicate in
`lib/systems/inspect.nix` does *not* match `powerpc64le`!
This is because `isPowerPC` is defined as
isPowerPC = { cpu = cpuTypes.powerpc; };
Where `cpuTypes.powerpc` is:
{ bits = 32; significantByte = bigEndian; family = "power"; };
This means that the `isPowerPC` predicate actually only matches the
subset of machines marketed under this name which happen to be 32-bit
and running in big-endian mode which is equivalent to:
with stdenv.hostPlatform; isPower && isBigEndian && is32bit
This seems like a sharp edge that people could easily cut themselves
on. In fact, that has already happened: in
`linux/kernel/common-config.nix` there is a test which will always
fail:
(stdenv.hostPlatform.isPowerPC && stdenv.hostPlatform.is64bit)
A more subtle case of the strict isPowerPC being used instead of the
moreg general isPower accidentally are the GHC expressions:
Update pkgs/development/compilers/ghc/8.10.7.nix
Update pkgs/development/compilers/ghc/8.8.4.nix
Update pkgs/development/compilers/ghc/9.2.2.nix
Update pkgs/development/compilers/ghc/9.0.2.nix
Update pkgs/development/compilers/ghc/head.nix
Since the remaining legitimate use sites of isPowerPC are so few, remove
the isPowerPC predicate completely. The alternative expression above is
noted in the release notes as an alternative.
Co-authored-by: sternenseemann <sternenseemann@systemli.org>
* origin/staging-next: (62 commits)
Re-Revert "lua: fix on darwin by using makeBinaryWrapper (#172749)"
openldap: fix cross-compilation
makeBinaryWrapper: fix codesign on aarch64-darwin
python3Packages.ldap: fix linking with openldap 2.5+
Revert "lua: fix on darwin by using makeBinaryWrapper (#172749)"
wine: enable parallel build again
pkgsi686Linux.gdb: fix formatting for 32-bit systems
gtk4: Fix incorrect merge
nixos/openldap: use upstream unit defaults
openldap: update maintainers
openldap: 2.4.58 -> 2.6.2
Revert "Add mingwW64-llvm cross-system."
lua: fix on darwin by using makeBinaryWrapper (#172749)
python310Packages.python-mimeparse: execute tests
pandas: fix darwin build
gtk3: 3.24.33 -> 3.24.33-2022-03-11
gtk4: patch fixing g-c-c crashes
e2fsprogs: patch for CVE-2022-1304
firefox-unwrapped: fix cross compilation
rustc: expose correct llvmPackages for cross compile
...
