Merge staging-next into staging

NixOS · Feb 21, 2021 · 047da25 · 047da25
2 parents 1277332 + dc31fd0
commit 047da25
Show file tree

Hide file tree

Showing 32 changed files with 342 additions and 63 deletions.
diff --git a/nixos/doc/manual/configuration/networking.xml b/nixos/doc/manual/configuration/networking.xml
@@ -15,5 +15,6 @@
  <xi:include href="firewall.xml" />
  <xi:include href="wireless.xml" />
  <xi:include href="ad-hoc-network-config.xml" />
+ <xi:include href="renaming-interfaces.xml" />
 <!-- TODO: OpenVPN, NAT -->
 </chapter>
diff --git a/nixos/doc/manual/configuration/renaming-interfaces.xml b/nixos/doc/manual/configuration/renaming-interfaces.xml
@@ -0,0 +1,67 @@
+<section xmlns="http://docbook.org/ns/docbook"
+         xmlns:xlink="http://www.w3.org/1999/xlink"
+         xmlns:xi="http://www.w3.org/2001/XInclude"
+         version="5.0"
+         xml:id="sec-rename-ifs">
+ <title>Renaming network interfaces</title>
+
+ <para>
+  NixOS uses the udev
+  <link xlink:href="https://systemd.io/PREDICTABLE_INTERFACE_NAMES/">predictable naming scheme</link>
+  to assign names to network interfaces. This means that by default
+  cards are not given the traditional names like
+  <literal>eth0</literal> or <literal>eth1</literal>, whose order can
+  change unpredictably across reboots. Instead, relying on physical
+  locations and firmware information, the scheme produces names like
+  <literal>ens1</literal>, <literal>enp2s0</literal>, etc.
+ </para>
+
+ <para>
+  These names are predictable but less memorable and not necessarily
+  stable: for example installing new hardware or changing firmware
+  settings can result in a
+  <link xlink:href="https://github.com/systemd/systemd/issues/3715#issue-165347602">name change</link>.
+  If this is undesirable, for example if you have a single ethernet
+  card, you can revert to the traditional scheme by setting
+  <xref linkend="opt-networking.usePredictableInterfaceNames"/> to
+  <literal>false</literal>.
+ </para>
+
+ <section xml:id="sec-custom-ifnames">
+  <title>Assigning custom names</title>
+  <para>
+   In case there are multiple interfaces of the same type, it’s better to
+   assign custom names based on the device hardware address. For
+   example, we assign the name <literal>wan</literal> to the interface
+   with MAC address <literal>52:54:00:12:01:01</literal> using a
+   netword link unit:
+  </para>
+  <programlisting>
+ <link linkend="opt-systemd.network.links">systemd.network.links."10-wan"</link> = {
+   matchConfig.MACAddress = "52:54:00:12:01:01";
+   linkConfig.Name = "wan";
+ };
+  </programlisting>
+  <para>
+   Note that links are directly read by udev, <emphasis>not networkd</emphasis>,
+   and will work even if networkd is disabled.
+  </para>
+  <para>
+   Alternatively, we can use a plain old udev rule:
+  </para>
+  <programlisting>
+ <link linkend="opt-services.udev.initrdRules">services.udev.initrdRules</link> = ''
+  SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", \
+  ATTR{address}=="52:54:00:12:01:01", KERNEL=="eth*", NAME="wan"
+ '';
+  </programlisting>
+
+  <warning><para>
+   The rule must be installed in the initrd using
+   <literal>services.udev.initrdRules</literal>, not the usual
+   <literal>services.udev.extraRules</literal> option. This is to avoid race
+   conditions with other programs controlling the interface.
+  </para></warning>
+ </section>
+
+</section>
diff --git a/nixos/doc/manual/release-notes/rl-2105.xml b/nixos/doc/manual/release-notes/rl-2105.xml
@@ -91,6 +91,16 @@
   </para>
 
   <itemizedlist>
+   <listitem>
+    <para>
+     If you are using <option>services.udev.extraRules</option> to assign
+     custom names to network interfaces, this may stop working due to a change
+     in the initialisation of dhcpcd and systemd networkd. To avoid this, either
+     move them to <option>services.udev.initrdRules</option> or see the new
+     <link linkend="sec-custom-ifnames">Assigning custom names</link> section
+     of the NixOS manual for an example using networkd links.
+    </para>
+   </listitem>
     <listitem>
       <para>
         The <literal>systemConfig</literal> kernel parameter is no longer added to boot loader entries. It has been unused since September 2010, but if do have a system generation from that era, you will now be unable to boot into them.

diff --git a/nixos/modules/services/hardware/udev.nix b/nixos/modules/services/hardware/udev.nix
@@ -202,12 +202,26 @@ in
         '';
       };
 
-      extraRules = mkOption {
+      initrdRules = mkOption {
         default = "";
         example = ''
           SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:1D:60:B9:6D:4F", KERNEL=="eth*", NAME="my_fast_network_card"
         '';
         type = types.lines;
+        description = ''
+          <command>udev</command> rules to include in the initrd
+          <emphasis>only</emphasis>. They'll be written into file
+          <filename>99-local.rules</filename>. Thus they are read and applied
+          after the essential initrd rules.
+        '';
+      };
+
+      extraRules = mkOption {
+        default = "";
+        example = ''
+          ENV{ID_VENDOR_ID}=="046d", ENV{ID_MODEL_ID}=="0825", ENV{PULSE_IGNORE}="1"
+        '';
+        type = types.lines;
         description = ''
           Additional <command>udev</command> rules. They'll be written
           into file <filename>99-local.rules</filename>. Thus they are
@@ -284,6 +298,13 @@ in
 
     boot.kernelParams = mkIf (!config.networking.usePredictableInterfaceNames) [ "net.ifnames=0" ];
 
+    boot.initrd.extraUdevRulesCommands = optionalString (cfg.initrdRules != "")
+      ''
+        cat <<'EOF' > $out/99-local.rules
+        ${cfg.initrdRules}
+        EOF
+      '';
+
     environment.etc =
       {
         "udev/rules.d".source = udevRules;

diff --git a/nixos/modules/services/networking/dhcpcd.nix b/nixos/modules/services/networking/dhcpcd.nix
@@ -191,9 +191,8 @@ in
       { description = "DHCP Client";
 
         wantedBy = [ "multi-user.target" ] ++ optional (!hasDefaultGatewaySet) "network-online.target";
-        wants = [ "network.target" "systemd-udev-settle.service" ];
+        wants = [ "network.target" ];
         before = [ "network-online.target" ];
-        after = [ "systemd-udev-settle.service" ];
 
         restartTriggers = [ exitHook ];
 

diff --git a/nixos/modules/system/boot/networkd.nix b/nixos/modules/system/boot/networkd.nix
@@ -1553,9 +1553,6 @@ in
         wantedBy = [ "multi-user.target" ];
         aliases = [ "dbus-org.freedesktop.network1.service" ];
         restartTriggers = map (x: x.source) (attrValues unitFiles);
-        # prevent race condition with interface renaming (#39069)
-        requires = [ "systemd-udev-settle.service" ];
-        after = [ "systemd-udev-settle.service" ];
       };
 
       systemd.services.systemd-networkd-wait-online = {

diff --git a/nixos/modules/system/boot/stage-1.nix b/nixos/modules/system/boot/stage-1.nix
@@ -205,13 +205,22 @@ let
     ''; # */
 
 
+  # Networkd link files are used early by udev to set up interfaces early.
+  # This must be done in stage 1 to avoid race conditions between udev and
+  # network daemons.
   linkUnits = pkgs.runCommand "link-units" {
       allowedReferences = [ extraUtils ];
       preferLocalBuild = true;
-    } ''
+    } (''
       mkdir -p $out
       cp -v ${udev}/lib/systemd/network/*.link $out/
-    '';
+      '' + (
+      let
+        links = filterAttrs (n: v: hasSuffix ".link" n) config.systemd.network.units;
+        files = mapAttrsToList (n: v: "${v.unit}/${n}") links;
+      in
+        concatMapStringsSep "\n" (file: "cp -v ${file} $out/") files
+      ));
 
   udevRules = pkgs.runCommand "udev-rules" {
       allowedReferences = [ extraUtils ];

diff --git a/nixos/modules/virtualisation/fetch-instance-ssh-keys.bash b/nixos/modules/virtualisation/fetch-instance-ssh-keys.bash
@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+WGET() {
+    wget --retry-connrefused -t 15 --waitretry=10 --header='Metadata-Flavor: Google' "$@"
+}
+
+# When dealing with cryptographic keys, we want to keep things private.
+umask 077
+mkdir -p /root/.ssh
+
+echo "Fetching authorized keys..."
+WGET -O /tmp/auth_keys http://metadata.google.internal/computeMetadata/v1/instance/attributes/sshKeys
+
+# Read keys one by one, split in case Google decided
+# to append metadata (it does sometimes) and add to
+# authorized_keys if not already present.
+touch /root/.ssh/authorized_keys
+while IFS='' read -r line || [[ -n "$line" ]]; do
+    keyLine=$(echo -n "$line" | cut -d ':' -f2)
+    IFS=' ' read -r -a array <<<"$keyLine"
+    if [[ ${#array[@]} -ge 3 ]]; then
+        echo "${array[@]:0:3}" >>/tmp/new_keys
+        echo "Added ${array[*]:2} to authorized_keys"
+    fi
+done </tmp/auth_keys
+mv /tmp/new_keys /root/.ssh/authorized_keys
+chmod 600 /root/.ssh/authorized_keys
+
+echo "Fetching host keys..."
+WGET -O /tmp/ssh_host_ed25519_key http://metadata.google.internal/computeMetadata/v1/instance/attributes/ssh_host_ed25519_key
+WGET -O /tmp/ssh_host_ed25519_key.pub http://metadata.google.internal/computeMetadata/v1/instance/attributes/ssh_host_ed25519_key_pub
+mv -f /tmp/ssh_host_ed25519_key* /etc/ssh/
+chmod 600 /etc/ssh/ssh_host_ed25519_key
+chmod 644 /etc/ssh/ssh_host_ed25519_key.pub
diff --git a/nixos/modules/virtualisation/google-compute-config.nix b/nixos/modules/virtualisation/google-compute-config.nix
@@ -69,6 +69,31 @@ in
   # GC has 1460 MTU
   networking.interfaces.eth0.mtu = 1460;
 
+  # Used by NixOps
+  systemd.services.fetch-instance-ssh-keys = {
+    description = "Fetch host keys and authorized_keys for root user";
+
+    wantedBy = [ "sshd.service" ];
+    before = [ "sshd.service" ];
+    after = [ "network-online.target" ];
+    wants = [ "network-online.target" ];
+    path = [ pkgs.wget ];
+
+    serviceConfig = {
+      Type = "oneshot";
+      ExecStart = pkgs.runCommand "fetch-instance-ssh-keys" { } ''
+        cp ${./fetch-instance-ssh-keys.bash} $out
+        chmod +x $out
+        ${pkgs.shfmt}/bin/shfmt -i 4 -d $out
+        ${pkgs.shellcheck}/bin/shellcheck $out
+        patchShebangs $out
+      '';
+      PrivateTmp = true;
+      StandardError = "journal+console";
+      StandardOutput = "journal+console";
+    };
+  };
+
   systemd.services.google-instance-setup = {
     description = "Google Compute Engine Instance Setup";
     after = [ "network-online.target" "network.target" "rsyslog.service" ];

diff --git a/nixos/tests/networking.nix b/nixos/tests/networking.nix
@@ -35,7 +35,7 @@ let
         extraConfig = flip concatMapStrings vlanIfs (n: ''
           subnet 192.168.${toString n}.0 netmask 255.255.255.0 {
             option routers 192.168.${toString n}.1;
-            range 192.168.${toString n}.2 192.168.${toString n}.254;
+            range 192.168.${toString n}.3 192.168.${toString n}.254;
           }
         '')
         ;
@@ -672,6 +672,30 @@ let
             ), "The IPv6 routing table has not been properly cleaned:\n{}".format(ipv6Residue)
       '';
     };
+    rename = {
+      name = "RenameInterface";
+      machine = { pkgs, ... }: {
+        virtualisation.vlans = [ 1 ];
+        networking = {
+          useNetworkd = networkd;
+          useDHCP = false;
+        };
+      } //
+      (if networkd
+       then { systemd.network.links."10-custom_name" = {
+                matchConfig.MACAddress = "52:54:00:12:01:01";
+                linkConfig.Name = "custom_name";
+              };
+            }
+       else { services.udev.initrdRules = ''
+               SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="52:54:00:12:01:01", KERNEL=="eth*", NAME="custom_name"
+              '';
+            });
+      testScript = ''
+        machine.succeed("udevadm settle")
+        print(machine.succeed("ip link show dev custom_name"))
+      '';
+    };
     # even with disabled networkd, systemd.network.links should work
     # (as it's handled by udev, not networkd)
     link = {

diff --git a/pkgs/applications/editors/spacevim/default.nix b/pkgs/applications/editors/spacevim/default.nix
@@ -1,5 +1,5 @@
 { ripgrep, git, fzf, makeWrapper, vim_configurable, vimPlugins, fetchFromGitHub
-, lib, stdenv, formats, spacevim_config ? import ./init.nix }:
+, lib, stdenv, formats, runCommand, spacevim_config ? import ./init.nix }:
 
 let
   format = formats.toml {};
@@ -10,28 +10,37 @@ let
     # ~/.cache/vimfiles/repos
     vimrcConfig.packages.myVimPackage = with vimPlugins; { start = [ ]; };
   };
-  spacevimdir = format.generate "init.toml" spacevim_config;
+  spacevimdir = runCommand "SpaceVim.d" { } ''
+    mkdir -p $out
+    cp ${format.generate "init.toml" spacevim_config} $out/init.toml
+  '';
 in stdenv.mkDerivation rec {
   pname = "spacevim";
-  version = "1.5.0";
+  version = "1.6.0";
   src = fetchFromGitHub {
     owner = "SpaceVim";
     repo = "SpaceVim";
     rev = "v${version}";
-    sha256 = "1xw4l262x7wzs1m65bddwqf3qx4254ykddsw3c3p844pb3mzqhh7";
+    sha256 = "sha256-QQdtjEdbuzmf0Rw+u2ZltLihnJt8LqkfTrLDWLAnCLE=";
   };
 
   nativeBuildInputs = [ makeWrapper vim-customized];
   buildInputs = [ vim-customized ];
 
   buildPhase = ''
+    runHook preBuild
     # generate the helptags
     vim -u NONE -c "helptags $(pwd)/doc" -c q
+    runHook postBuild
   '';
 
-  patches = [ ./helptags.patch ];
+  patches = [
+    # Don't generate helptags at runtime into read-only $SPACEVIMDIR
+    ./helptags.patch
+  ];
 
   installPhase = ''
+    runHook preInstall
     mkdir -p $out/bin
 
     cp -r $(pwd) $out/SpaceVim
@@ -40,6 +49,7 @@ in stdenv.mkDerivation rec {
     makeWrapper "${vim-customized}/bin/vim" "$out/bin/spacevim" \
         --add-flags "-u $out/SpaceVim/vimrc" --set SPACEVIMDIR "${spacevimdir}/" \
         --prefix PATH : ${lib.makeBinPath [ fzf git ripgrep]}
+    runHook postInstall
   '';
 
   meta = with lib; {

diff --git a/pkgs/applications/editors/spacevim/helptags.patch b/pkgs/applications/editors/spacevim/helptags.patch
@@ -2,7 +2,7 @@ diff --git a/autoload/SpaceVim.vim b/autoload/SpaceVim.vim
 index 16688680..fcafd6f7 100644
 --- a/autoload/SpaceVim.vim
 +++ b/autoload/SpaceVim.vim
-@@ -1255,13 +1255,6 @@ function! SpaceVim#end() abort
+@@ -1355,13 +1355,6 @@ function! SpaceVim#end() abort
      let &helplang = 'jp'
    endif
    ""

diff --git a/pkgs/applications/misc/hugo/default.nix b/pkgs/applications/misc/hugo/default.nix
@@ -2,16 +2,16 @@
 
 buildGoModule rec {
   pname = "hugo";
-  version = "0.80.0";
+  version = "0.81.0";
 
   src = fetchFromGitHub {
     owner = "gohugoio";
     repo = pname;
     rev = "v${version}";
-    sha256 = "0xs9y5lj0mya6ag625x8j91mn9l9r13gxaqxyvl1fl40y2yjz1zm";
+    sha256 = "sha256-9YroUxcLixu+MNL37JByCulCHv0WxWGwqBQ/+FGtZLw=";
   };
 
-  vendorSha256 = "172mcs8p43bsdkd2hxg9qn6018fh8f36kxx0vgnq5q6fqsb6s1f6";
+  vendorSha256 = "sha256-5gQyoLirXajkzxKxzcuPnjECL2mJPiHS65lYkyIpKs8=";
 
   doCheck = false;
 

diff --git a/pkgs/applications/networking/ipfs/default.nix b/pkgs/applications/networking/ipfs/default.nix
@@ -2,13 +2,13 @@
 
 buildGoModule rec {
   pname = "ipfs";
-  version = "0.7.0";
+  version = "0.8.0";
   rev = "v${version}";
 
   # go-ipfs makes changes to it's source tarball that don't match the git source.
   src = fetchurl {
     url = "https://github.com/ipfs/go-ipfs/releases/download/${rev}/go-ipfs-source.tar.gz";
-    sha256 = "1fkzwm4qxxpmbjammk6s5qcyjxivfa0ydqz4mpz1w756c4jq0jf3";
+    sha256 = "sha256-uK3+Ekr5AM6mmGmjFSj1Rotm5pbH657BYUlP9B39WEw=";
   };
 
   # tarball contains multiple files/directories