452 lines
20 KiB
XML
452 lines
20 KiB
XML
<section xmlns="http://docbook.org/ns/docbook"
|
|
xmlns:xlink="http://www.w3.org/1999/xlink"
|
|
xmlns:xi="http://www.w3.org/2001/XInclude"
|
|
version="5.0"
|
|
xml:id="sec-release-21.03">
|
|
<title>Release 21.03 (“Okapi”, 2021.03/??)</title>
|
|
|
|
<section xmlns="http://docbook.org/ns/docbook"
|
|
xmlns:xlink="http://www.w3.org/1999/xlink"
|
|
xmlns:xi="http://www.w3.org/2001/XInclude"
|
|
version="5.0"
|
|
xml:id="sec-release-21.03-highlights">
|
|
<title>Highlights</title>
|
|
|
|
<para>
|
|
In addition to numerous new and upgraded packages, this release has the
|
|
following highlights:
|
|
</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
Support is planned until the end of October 2021, handing over to 21.09.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>GNOME desktop environment was upgraded to 3.38, see its <link xlink:href="https://help.gnome.org/misc/release-notes/3.38/">release notes</link>.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<link xlink:href="https://www.gnuradio.org/">GNURadio</link> 3.8 was
|
|
<link xlink:href="https://github.com/NixOS/nixpkgs/issues/82263">finnally</link>
|
|
packaged, along with a rewrite to the Nix expressions, allowing users to
|
|
override the features upstream supports selecting to compile or not to.
|
|
Additionally, the attribute <code>gnuradio</code> and <code>gnuradio3_7</code>
|
|
now point to an externally wrapped by default derivations, that allow you to
|
|
also add `extraPythonPackages` to the Python interpreter used by GNURadio.
|
|
Missing environmental variables needed for operational GUI were also added
|
|
(<link xlink:href="https://github.com/NixOS/nixpkgs/issues/75478">#7547</link>).
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|
|
|
|
<section xmlns="http://docbook.org/ns/docbook"
|
|
xmlns:xlink="http://www.w3.org/1999/xlink"
|
|
xmlns:xi="http://www.w3.org/2001/XInclude"
|
|
version="5.0"
|
|
xml:id="sec-release-21.03-new-services">
|
|
<title>New Services</title>
|
|
|
|
<para>
|
|
The following new services were added since the last release:
|
|
</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
<link xlink:href="https://www.keycloak.org/">Keycloak</link>,
|
|
an open source identity and access management server with
|
|
support for <link
|
|
xlink:href="https://openid.net/connect/">OpenID Connect</link>,
|
|
<link xlink:href="https://oauth.net/2/">OAUTH 2.0</link> and
|
|
<link xlink:href="https://en.wikipedia.org/wiki/SAML_2.0">SAML
|
|
2.0</link>.
|
|
</para>
|
|
<para>
|
|
See the <link linkend="module-services-keycloak">Keycloak
|
|
section of the NixOS manual</link> for more information.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<xref linkend="opt-services.samba-wsdd.enable" /> Web Services Dynamic Discovery host daemon
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
</section>
|
|
|
|
<section xmlns="http://docbook.org/ns/docbook"
|
|
xmlns:xlink="http://www.w3.org/1999/xlink"
|
|
xmlns:xi="http://www.w3.org/2001/XInclude"
|
|
version="5.0"
|
|
xml:id="sec-release-21.03-incompatibilities">
|
|
<title>Backward Incompatibilities</title>
|
|
|
|
<para>
|
|
When upgrading from a previous release, please be aware of the following
|
|
incompatible changes:
|
|
</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
<literal>systemd-journal2gelf</literal> no longer parses json and expects the receiving system to handle it. How to achieve this with Graylog is described in this <link xlink:href="https://github.com/parse-nl/SystemdJournal2Gelf/issues/10">GitHub issue</link>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
If the <varname>services.dbus</varname> module is enabled, then
|
|
the user D-Bus session is now always socket activated. The
|
|
associated options <varname>services.dbus.socketActivated</varname>
|
|
and <varname>services.xserver.startDbusSession</varname> have
|
|
therefore been removed and you will receive a warning if
|
|
they are present in your configuration. This change makes the
|
|
user D-Bus session available also for non-graphical logins.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<literal>rubyMinimal</literal> was removed due to being unused and
|
|
unusable. The default ruby interpreter includes JIT support, which makes
|
|
it reference it's compiler. Since JIT support is probably needed by some
|
|
Gems, it was decided to enable this feature with all cc references by
|
|
default, and allow to build a Ruby derivation without references to cc,
|
|
by setting <literal>jitSupport = false;</literal> in an overlay. See
|
|
<link xlink:href="https://github.com/NixOS/nixpkgs/pull/90151">#90151</link>
|
|
for more info.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Setting <option>services.openssh.authorizedKeysFiles</option> now also affects which keys <option>security.pam.enableSSHAgentAuth</option> will use.
|
|
|
|
WARNING: If you are using these options in combination do make sure that any key paths you use are present in <option>services.openssh.authorizedKeysFiles</option>!
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The option <option>fonts.enableFontDir</option> has been renamed to
|
|
<xref linkend="opt-fonts.fontDir.enable"/>. The path of font directory
|
|
has also been changed to <literal>/run/current-system/sw/share/X11/fonts</literal>,
|
|
for consistency with other X11 resources.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
A number of options have been renamed in the kicad interface. <literal>oceSupport</literal>
|
|
has been renamed to <literal>withOCE</literal>, <literal>withOCCT</literal> has been renamed
|
|
to <literal>withOCC</literal>, <literal>ngspiceSupport</literal> has been renamed to
|
|
<literal>withNgspice</literal>, and <literal>scriptingSupport</literal> has been renamed to
|
|
<literal>withScripting</literal>. Additionally, <literal>kicad/base.nix</literal> no longer
|
|
provides default argument values since these are provided by
|
|
<literal>kicad/default.nix</literal>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The socket for the <literal>pdns-recursor</literal> module was moved from <literal>/var/lib/pdns-recursor</literal>
|
|
to <literal>/run/pdns-recursor</literal> to match upstream.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Paperwork was updated to version 2. The on-disk format slightly changed,
|
|
and it is not possible to downgrade from Paperwork 2 back to Paperwork
|
|
1.3. Back your documents up before upgrading. See <link xlink:href="https://forum.openpaper.work/t/paperwork-2-0/112/5">this thread</link> for more details.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
PowerDNS has been updated from <literal>4.2.x</literal> to <literal>4.3.x</literal>. Please
|
|
be sure to review the <link xlink:href="https://doc.powerdns.com/authoritative/upgrading.html#x-to-4-3-0">Upgrade Notes</link>
|
|
provided by upstream before upgrading. Worth specifically noting is that the service now runs
|
|
entirely as a dedicated <literal>pdns</literal> user, instead of starting as <literal>root</literal>
|
|
and dropping privileges, as well as the default <literal>socket-dir</literal> location changing from
|
|
<literal>/var/lib/powerdns</literal> to <literal>/run/pdns</literal>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<package>btc1</package> has been abandoned upstream, and removed.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<package>cpp_ethereum</package> (aleth) has been abandoned upstream, and removed.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<package>riak-cs</package> package removed along with <varname>services.riak-cs</varname> module.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<package>stanchion</package> package removed along with <varname>services.stanchion</varname> module.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<package>mutt</package> has been updated to a new major version (2.x), which comes with
|
|
some backward incompatible changes that are described in the
|
|
<link xlink:href="http://www.mutt.org/relnotes/2.0/">release notes for Mutt 2.0</link>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<literal>vim</literal> switched to Python 3, dropping all Python 2 support.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<link linkend="opt-boot.zfs.forceImportAll">boot.zfs.forceImportAll</link>
|
|
previously did nothing, but has been fixed. However its default has been
|
|
changed to <literal>false</literal> to preserve the existing default
|
|
behaviour. If you have this explicitly set to <literal>true</literal>,
|
|
please note that your non-root pools will now be forcibly imported.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<package>openafs</package> now points to <package>openafs_1_8</package>,
|
|
which is the new stable release. OpenAFS 1.6 was removed.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <literal>openldap</literal> module now has support for OLC-style
|
|
configuration, users of the <literal>configDir</literal> option may wish
|
|
to migrate. If you continue to use <literal>configDir</literal>, ensure that
|
|
<literal>olcPidFile</literal> is set to <literal>/run/slapd/slapd.pid</literal>.
|
|
</para>
|
|
<para>
|
|
As a result, <literal>extraConfig</literal> and <literal>extraDatabaseConfig</literal>
|
|
are removed. To help with migration, you can convert your <literal>slapd.conf</literal>
|
|
file to OLC configuration with the following script (find the location of this
|
|
configuration file by running <literal>systemctl status openldap</literal>, it is the
|
|
<literal>-f</literal> option.
|
|
</para>
|
|
<programlisting>
|
|
TMPDIR=$(mktemp -d)
|
|
slaptest -f /path/to/slapd.conf $TMPDIR
|
|
slapcat -F $TMPDIR -n0 -H 'ldap:///???(!(objectClass=olcSchemaConfig))'
|
|
</programlisting>
|
|
<para>
|
|
This will dump your current configuration in LDIF format, which should be
|
|
straightforward to convert into Nix settings. This does not show your schema
|
|
configuration, as this is unnecessarily verbose for users of the default schemas
|
|
and <literal>slaptest</literal> is buggy with schemas directly in the config file.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Amazon EC2 and OpenStack Compute (nova) images now re-fetch instance meta data and user data from the instance
|
|
metadata service (IMDS) on each boot. For example: stopping an EC2 instance, changing its user data, and
|
|
restarting the instance will now cause it to fetch and apply the new user data.
|
|
</para>
|
|
<warning>
|
|
<para>
|
|
Specifically, <literal>/etc/ec2-metadata</literal> is re-populated on each boot. Some NixOS scripts that read
|
|
from this directory are guarded to only run if the files they want to manipulate do not already exist, and so
|
|
will not re-apply their changes if the IMDS response changes. Examples: <literal>root</literal>'s SSH key is
|
|
only added if <literal>/root/.ssh/authorized_keys</literal> does not exist, and SSH host keys are only set from
|
|
user data if they do not exist in <literal>/etc/ssh</literal>.
|
|
</para>
|
|
</warning>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <literal>rspamd</literal> services is now sandboxed. It is run as
|
|
a dynamic user instead of root, so secrets and other files may have to
|
|
be moved or their permissions may have to be fixed. The sockets are now
|
|
located in <literal>/run/rspamd</literal> instead of <literal>/run</literal>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Enabling the Tor client no longer silently also enables and
|
|
configures Privoxy, and the
|
|
<varname>services.tor.client.privoxy.enable</varname> option has
|
|
been removed. To enable Privoxy, and to configure it to use
|
|
Tor's faster port, use the following configuration:
|
|
</para>
|
|
<programlisting>
|
|
<xref linkend="opt-services.privoxy.enable" /> = true;
|
|
<xref linkend="opt-services.privoxy.enableTor" /> = true;
|
|
</programlisting>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The options <literal>services.slurm.dbdserver.storagePass</literal>
|
|
and <literal>services.slurm.dbdserver.configFile</literal> have been removed.
|
|
Use <literal>services.slurm.dbdserver.storagePassFile</literal> instead to provide the database password.
|
|
Extra config options can be given via the option <literal>services.slurm.dbdserver.extraConfig</literal>. The actual configuration file is created on the fly on startup of the service.
|
|
This avoids that the password gets exposed in the nix store.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Starting with version 1.7.0, the project formerly named <literal>CodiMD</literal>
|
|
is now named <literal>HedgeDoc</literal>.
|
|
New installations will no longer use the old name for users, state directories and such, this needs to be considered when moving state to a more recent NixOS installation.
|
|
Based on <xref linkend="opt-system.stateVersion" />, existing installations will continue to work.
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|
|
|
|
<section xmlns="http://docbook.org/ns/docbook"
|
|
xmlns:xlink="http://www.w3.org/1999/xlink"
|
|
xmlns:xi="http://www.w3.org/2001/XInclude"
|
|
version="5.0"
|
|
xml:id="sec-release-21.03-notable-changes">
|
|
<title>Other Notable Changes</title>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
The Mailman NixOS module (<literal>services.mailman</literal>) has a new
|
|
option <xref linkend="opt-services.mailman.enablePostfix" />, defaulting
|
|
to true, that controls integration with Postfix.
|
|
</para>
|
|
<para>
|
|
If this option is disabled, default MTA config becomes not set and you
|
|
should set the options in <literal>services.mailman.settings.mta</literal>
|
|
according to the desired configuration as described in
|
|
<link xlink:href="https://mailman.readthedocs.io/en/latest/src/mailman/docs/mta.html">Mailman documentation</link>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The default-version of <literal>nextcloud</literal> is <package>nextcloud20</package>.
|
|
Please note that it's <emphasis>not</emphasis> possible to upgrade <literal>nextcloud</literal>
|
|
across multiple major versions! This means that it's e.g. not possible to upgrade
|
|
from <package>nextcloud18</package> to <package>nextcloud20</package> in a single deploy.
|
|
</para>
|
|
<para>
|
|
The package can be manually upgraded by setting <xref linkend="opt-services.nextcloud.package" />
|
|
to <package>nextcloud20</package>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The setting <xref linkend="opt-services.redis.bind" /> defaults to <literal>127.0.0.1</literal> now, making Redis listen on the loopback interface only, and not all public network interfaces.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
NixOS now emits a deprecation warning if systemd's <literal>StartLimitInterval</literal> setting is used in a <literal>serviceConfig</literal> section instead of in a <literal>unitConfig</literal>; that setting is deprecated and now undocumented for the service section by systemd upstream, but still effective and somewhat buggy there, which can be confusing. See <link xlink:href="https://github.com/NixOS/nixpkgs/issues/45785">#45785</link> for details.
|
|
</para>
|
|
<para>
|
|
All services should use <xref linkend="opt-systemd.services._name_.startLimitIntervalSec" /> or <literal>StartLimitIntervalSec</literal> in <xref linkend="opt-systemd.services._name_.unitConfig" /> instead.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The Unbound DNS resolver service (<literal>services.unbound</literal>) has been refactored to allow reloading, control sockets and to fix startup ordering issues.
|
|
</para>
|
|
|
|
<para>
|
|
It is now possible to enable a local UNIX control socket for unbound by setting the <xref linkend="opt-services.unbound.localControlSocketPath" />
|
|
option.
|
|
</para>
|
|
|
|
<para>
|
|
Previously we just applied a very minimal set of restrictions and
|
|
trusted unbound to properly drop root privs and capabilities.
|
|
</para>
|
|
|
|
<para>
|
|
As of this we are (for the most part) just using the upstream
|
|
example unit file for unbound. The main difference is that we start
|
|
unbound as <literal>unbound</literal> user with the required capabilities instead of
|
|
letting unbound do the chroot & uid/gid changes.
|
|
</para>
|
|
|
|
<para>
|
|
The upstream unit configuration this is based on is a lot stricter with
|
|
all kinds of permissions then our previous variant. It also came with
|
|
the default of having the <literal>Type</literal> set to <literal>notify</literal>, therefore we are now also
|
|
using the <literal>unbound-with-systemd</literal> package here. Unbound will start up,
|
|
read the configuration files and start listening on the configured ports
|
|
before systemd will declare the unit <literal>active (running)</literal>.
|
|
This will likely help with startup order and the occasional race condition during system
|
|
activation where the DNS service is started but not yet ready to answer
|
|
queries. Services depending on <literal>nss-lookup.target</literal> or <literal>unbound.service</literal>
|
|
are now be able to use unbound when those targets have been reached.
|
|
</para>
|
|
|
|
<para>
|
|
Aditionally to the much stricter runtime environmet the
|
|
<literal>/dev/urandom</literal> mount lines we previously had in the code (that would
|
|
randomly failed during the stop-phase) have been removed as systemd will take care of those for us.
|
|
</para>
|
|
|
|
<para>
|
|
The <literal>preStart</literal> script is now only required if we enabled the trust
|
|
anchor updates (which are still enabled by default).
|
|
</para>
|
|
|
|
<para>
|
|
Another benefit of the refactoring is that we can now issue reloads via
|
|
either <literal>pkill -HUP unbound</literal> and <literal>systemctl reload unbound</literal> to reload the
|
|
running configuration without taking the daemon offline. A prerequisite
|
|
of this was that unbound configuration is available on a well known path
|
|
on the file system. We are using the path <literal>/etc/unbound/unbound.conf</literal> as that is the
|
|
default in the CLI tooling which in turn enables us to use
|
|
<literal>unbound-control</literal> without passing a custom configuration location.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <literal>services.dnscrypt-proxy2</literal> module now takes the upstream's example configuration and updates it with the user's settings.
|
|
|
|
An option has been added to restore the old behaviour if you prefer to declare the configuration from scratch.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
NixOS now defaults to the unified cgroup hierarchy (cgroupsv2).
|
|
See the <link xlink:href="https://www.redhat.com/sysadmin/fedora-31-control-group-v2">Fedora Article for 31</link>
|
|
for details on why this is desirable, and how it impacts containers.
|
|
</para>
|
|
<para>
|
|
If you want to run containers with a runtime that does not yet support cgroupsv2,
|
|
you can switch back to the old behaviour by setting
|
|
<xref linkend="opt-systemd.enableUnifiedCgroupHierarchy"/> = <literal>false</literal>;
|
|
and rebooting.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
PulseAudio was upgraded to 14.0, with changes to the handling of default sinks.
|
|
See its <link xlink:href="https://www.freedesktop.org/wiki/Software/PulseAudio/Notes/14.0/">release notes</link>.
|
|
</para>
|
|
|
|
<para>
|
|
GNOME users may wish to delete their <literal>~/.config/pulse</literal> due to the changes to stream routing
|
|
logic. See <link xlink:href="https://gitlab.freedesktop.org/pulseaudio/pulseaudio/-/issues/832">PulseAudio bug 832</link>
|
|
for more information.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <package>zookeeper</package> package does not provide
|
|
<literal>zooInspector.sh</literal> anymore, as that "contrib" has
|
|
been dropped from upstream releases.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<xref linkend="opt-users.users._name_.createHome" /> now always ensures home directory permissions to be <literal>0700</literal>.
|
|
Permissions had previously been ignored for already existing home directories, possibly leaving them readable by others.
|
|
The option's description was incorrect regarding ownership management and has been simplified greatly.
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|
|
</section>
|