Postgres was taking a long time to shutdown. This is because we were
sending SIGINT to all processes, apparently confusing the autovacuum
launcher. Instead it should only be sent to the main process (which
takes care of shutting down the others).
The downside is that systemd will also send the final SIGKILL only to
the main process, so other processes in the cgroup may be left behind.
There should be an option for this...
libvirtd puts the full path of the emulator binary in the machine config
file. But this path can unfortunately be garbage collected while still
being used by the virtual machine. Then this happens:
Error starting domain: Cannot check QEMU binary /nix/store/z5c2xzk9x0pj6x511w0w4gy9xl5wljxy-qemu-1.5.2-x86-only/bin/qemu-kvm: No such file or directory
Fix by updating the emulator path on each service startup to something
valid (re-scan $PATH).
You can now say:
systemd.containers.foo.config =
{ services.openssh.enable = true;
services.openssh.ports = [ 2022 ];
users.extraUsers.root.openssh.authorizedKeys.keys = [ "ssh-dss ..." ];
};
which defines a NixOS instance with the given configuration running
inside a lightweight container.
You can also manage the configuration of the container independently
from the host:
systemd.containers.foo.path = "/nix/var/nix/profiles/containers/foo";
where "path" is a NixOS system profile. It can be created/updated by
doing:
$ nix-env --set -p /nix/var/nix/profiles/containers/foo \
-f '<nixos>' -A system -I nixos-config=foo.nix
The container configuration (foo.nix) should define
boot.isContainer = true;
to optimise away the building of a kernel and initrd. This is done
automatically when using the "config" route.
On the host, a lightweight container appears as the service
"container-<name>.service". The container is like a regular NixOS
(virtual) machine, except that it doesn't have its own kernel. It has
its own root file system (by default /var/lib/containers/<name>), but
shares the Nix store of the host (as a read-only bind mount). It also
has access to the network devices of the host.
Currently, if the configuration of the container changes, running
"nixos-rebuild switch" on the host will cause the container to be
rebooted. In the future we may want to send some message to the
container so that it can activate the new container configuration
without rebooting.
Containers are not perfectly isolated yet. In particular, the host's
/sys/fs/cgroup is mounted (writable!) in the guest.
The attribute ‘config.systemd.services.<service-name>.runner’
generates a script that runs the service outside of systemd. This is
useful for testing, and also allows NixOS services to be used outside
of NixOS. For instance, given a configuration file foo.nix:
{ config, pkgs, ... }:
{ services.postgresql.enable = true;
services.postgresql.package = pkgs.postgresql92;
services.postgresql.dataDir = "/tmp/postgres";
}
you can build and run PostgreSQL as follows:
$ nix-build -A config.systemd.services.postgresql.runner -I nixos-config=./foo.nix
$ ./result
This will run the service's ExecStartPre, ExecStart, ExecStartPost and
ExecStopPost commands in an appropriate environment. It doesn't work
well yet for "forking" services, since it can't track the main
process. It also doesn't work for services that assume they're always
executed by root.
Fixes this:
Nov 09 16:18:54 nixos-laptop systemd[1]: Starting Libvirt Virtual Machine Management Daemon...
Nov 09 16:18:54 nixos-laptop dnsmasq[15809]: read /etc/hosts - 2 addresses
Nov 09 16:18:54 nixos-laptop dnsmasq[15809]: failed to load names from /var/lib/libvirt/dnsmasq/default.addnhosts: Permission denied
Nov 09 16:18:54 nixos-laptop dnsmasq[15809]: cannot read /var/lib/libvirt/dnsmasq/default.hostsfile: Permission denied
Nov 09 16:18:55 nixos-laptop systemd[1]: Started Libvirt Virtual Machine Management Daemon.
I don't understand the reason for the original 700 permission bits.
Apparently read-access is needed and Ubuntu also use 755 perms.
Use "chmod" instead of "mkdir -m" to set permissions because mkdir doesn't
modify permissions on existing directories.
(systemd service descriptions that is, not service descriptions in "man
configuration.nix".)
Capitalizing each word in the description seems to be the accepted
standard.
Also shorten these descriptions:
* "Munin node, the agent process" => "Munin Node"
* "Planet Venus, an awesome ‘river of news’ feed reader" => "Planet Venus Feed Reader"
- It now uses JavaScript for configuration (only),
so I had to "convert" config for NetworkManager.
- I tested suspend/restart/(un)mount on KDE/Xfce,
Phreedom tested NetworkManager config conversion.
* Use smaller instances to generate HVM images
* Use HVM base image that has 4 ephemeral disks in device mapping
* As grub is not on the base images anymore, install it first before copying parts of its contents
Gnome doesn't work at least since I started using NixOS half a year
ago, let's not give wrong impressions to newcomers. Packaging gnome3
is still something on horizon.
A null password allows logging into local PAM services such as "login"
(agetty) and KDM. That's not actually a security problem for EC2
machines, since they do not have "local" logins; for VirtualBox
machines, if you local access, you can do anything anyway. But it's
better to be on the safe side and disable password-based logins for
root.
E.g.
The unique option `fileSystems./.device' is defined multiple times, in `/etc/nixos/configuration.nix' and `/etc/nixos/foo.nix'.
This requires passing file/value tuples to the merge functions.
They fail randomly due to a hard-coded 30-second timeout in udev
waiting for /dev/sda1 to appear:
systemd-udevd[1151]: worker [1168] /devices/pci0000:00/0000:00:04.0/host2/target2:0:0/2:0:0:0/block/sda/sda1 timeout; kill it
systemd-udevd[1151]: seq 1059 '/devices/pci0000:00/0000:00:04.0/host2/target2:0:0/2:0:0:0/block/sda/sda1' killed
Hopefully we can use virtio in the future for the EFI tests.
http://hydra.nixos.org/build/6695897
Now that overriding fileSystems in qemu-vm.nix works again, it's
important that the VM tests that add additional file systems use the
same override priority. Instead of using the same magic constant
everywhere, they can now use mkVMOverride.
http://hydra.nixos.org/build/6695561
For instance, if time.timeZone is defined multiple times, you now get
the error message:
error: user-thrown exception: The unique option `time.timeZone' is defined multiple times, in `/etc/nixos/configurations/misc/eelco/x11vnc.nix' and `/etc/nixos/configuration.nix'.
while previously you got:
error: user-thrown exception: Multiple definitions of string. Only one is allowed for this option.
and only an inspection of the stack trace gave a clue as to what
option caused the problem.
The major changes are:
* The evaluation is now driven by the declared options. In
particular, this fixes the long-standing problem with lack of
laziness of disabled option definitions. Thus, a configuration like
config = mkIf false {
environment.systemPackages = throw "bla";
};
will now evaluate without throwing an error. This also improves
performance since we're not evaluating unused option definitions.
* The implementation of properties is greatly simplified.
* There is a new type constructor "submodule" that replaces
"optionSet". Unlike "optionSet", "submodule" gets its option
declarations as an argument, making it more like "listOf" and other
type constructors. A typical use is:
foo = mkOption {
type = type.attrsOf (type.submodule (
{ config, ... }:
{ bar = mkOption { ... };
xyzzy = mkOption { ... };
}));
};
Existing uses of "optionSet" are automatically mapped to
"submodule".
* Modules are now checked for unsupported attributes: you get an error
if a module contains an attribute other than "config", "options" or
"imports".
* The new implementation is faster and uses much less memory.
Virsh/virt-manager uses ssh to connect to master, there it expects openbsd netcat(which
has support for unix sockets) to be avalible, to make a tunnel.
Close#1087.
It's already set in hardware-configuration.nix so this just confuses
people.
Also get rid of boot.initrd.kernelModules, since
hardware-configuration.nix is supposed to figure that out as well.
Commit 31203732b3 dropped the reference to
<nixos> from NIX_PATH (nixos/modules/programs/environment.nix) and thus
prevents systems that are not using channels from rebuilding.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
So, we get the old behaviour of nixos-hardware-scane if we run the
following command:
nixos-generate-config --no-filesystems --show-hardware-config
This allows to use scripts in order to fetch NixOS specific hardware
information, without the need to duplicate code elsewhere.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
The attributes swapDevices and imports add a space character after the
eqals sign, which is unnecessary. I know, I'm a pedantic douche bag but
it hurts my eyes.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This is to get back the old behavior of nixos-hardware-scan, which
didn't include fileSystems and swapDevices.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
* simplify directory layout
* clean up option descriptions
* let the user override Firebird package
* create firebird user
* clarify TODO comment
Close # 1061.
This enables to override which plugins to include with nginx by allowing to change
nginx package. I also removed webdav option in nginx nixos module, because you
can now specify this by overriding nginx package.
Those tests are flapping and redundant to some degree, as two
configurations are tested in NixOps as well. So, let's deactivate them
until the 1.0 release of nixpart, which has a more general approach for
automatically partitioning NixOS installations.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Previously changing the value of certain options in configuration.nix
would cause the manual to be regenerated, because some option defaults
depend on the configuration. This is undesirable because rebuilding
the manual is kind of slow. So now the manual reflects an empty
configuration.
The downside is that this requires another call to fixMergeModules,
which adds about 14% to evaluation time. Probably worth it.
It requires a writable /nix/store to store the build result. Also,
wait until we've reached multi-user.target before doing the build, and
do a sync at the end to ensure all data to $out is properly written.
http://hydra.nixos.org/build/6496716
Suggested by Marc Weber. Fixes#1059.
Generate /etc/nix.machines only if buildMachines is not empty. Thus,
if you want to manage /etc/nix.machines in some other way, you can set
nix.distributedBuilds to true but not set nix.buildMachines.
Note that there is a subtle difference in Nix that causes
nixos-rebuild to work and NixOps to fail:
$ nix-instantiate '<nixos>' -A config.system.nixosVersion --eval-only
"13.10pre34915.50f4822"
$ nix-instantiate '<nixos/default.nix>' -A config.system.nixosVersion --eval-only
error: opening file `/nix/var/nix/profiles/per-user/root/channels/nixos/.version': No such file or directory
FixesNixOS/nixops#145.
Sshd *must* use PAM because we depend on it for proper session
management. The original goal of this option (disabling password
logins) can also be implemented by removing pam_auth authentication
from sshd's PAM service.
That is, you can say
security.pam.services.sshd = { options... };
instead of
security.pam.services = [ { name = "sshd"; options... } ];
making it easier to override PAM settings from other modules.
Previously logging in via SLiM more than once didn't work because SLiM
doesn't clean up its PAM session properly (that is, in a child rather
than in the parent). Thus the slim process becomes part of the user
session's cgroup, among other things. This patch causes SLiM to exit
after the session has finished, after which systemd will restart
display-manager.service.
FixesNixOS/nixops#137.