From 5b0db07ee1c86376755a7e91fc4d1cfda2a7cff6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Fri, 22 Feb 2019 08:23:48 +0000 Subject: [PATCH 01/15] systemd: 239.20190219 -> 241.20190221 --- pkgs/os-specific/linux/systemd/default.nix | 59 ++++++---------------- 1 file changed, 16 insertions(+), 43 deletions(-) diff --git a/pkgs/os-specific/linux/systemd/default.nix b/pkgs/os-specific/linux/systemd/default.nix index 84890b5691638f..69910d79d65739 100644 --- a/pkgs/os-specific/linux/systemd/default.nix +++ b/pkgs/os-specific/linux/systemd/default.nix @@ -14,11 +14,8 @@ , withKexectools ? lib.any (lib.meta.platformMatch stdenv.hostPlatform) kexectools.meta.platforms, kexectools }: -let - pythonLxmlEnv = buildPackages.python3Packages.python.withPackages ( ps: with ps; [ python3Packages.lxml ]); - -in stdenv.mkDerivation rec { - version = "239.20190219"; +stdenv.mkDerivation rec { + version = "241.20190221"; name = "systemd-${version}"; # When updating, use https://github.com/systemd/systemd-stable tree, not the development one! 
@@ -27,27 +24,9 @@ in stdenv.mkDerivation rec { owner = "NixOS"; repo = "systemd"; rev = "nixos-v${version}"; - sha256 = "0aczg25ih2gfjq810x8rw6rnpr6sw1lz6z0lvlyw2qphyih68b4x"; + sha256 = "0grcf0x793k1jx4bx7p63h3f3cd8w262824mzf8iwdsy6y9wzylr"; }; - prePatch = let - # Upstream's maintenance branches are still too intrusive: - # https://github.com/systemd/systemd-stable/tree/v239-stable - patches-deb = fetchurl { - # This URL should point to a stable location that does not easily - # disappear. In the past we were using `mirror://debian` but that - # eventually causes the files to disappear. While that was a good sign - # for us to update our patch collection it does break reproducibility. - name = "systemd-debian-patches.tar.xz"; - url = http://snapshot.debian.org/archive/debian/20190301T035241Z/pool/main/s/systemd/systemd_239-12%7Ebpo9%2B1.debian.tar.xz; - sha256 = "0v9f62gyfiw5icdrdlcvjcipsqrsm49w6n8bqp9nb8s2ih6rsfhg"; - }; - # Note that we skip debian-specific patches, i.e. ./debian/patches/debian/* - in '' - tar xf ${patches-deb} - patches="$patches $(cat debian/patches/series | grep -v '^debian/' | sed 's|^|debian/patches/|')" - ''; - outputs = [ "out" "lib" "man" "dev" ]; nativeBuildInputs = @@ -56,6 +35,8 @@ in stdenv.mkDerivation rec { coreutils # meson calls date, stat etc. glibcLocales patchelf getent m4 + + (buildPackages.python3Packages.python.withPackages ( ps: with ps; [ python3Packages.lxml ])) ]; buildInputs = [ linuxHeaders libcap kmod xz pam acl 
@@ -65,13 +46,19 @@ in stdenv.mkDerivation rec { stdenv.lib.optional withLibseccomp libseccomp ++ [ libffi audit lz4 bzip2 libapparmor iptables gnu-efi - # This is actually native, but we already pull it from buildPackages - pythonLxmlEnv ] ++ stdenv.lib.optional withSelinux libselinux; #dontAddPrefix = true; mesonFlags = [ + "-Ddbuspolicydir=${placeholder "out"}/etc/dbus-1/system.d" + "-Ddbussessionservicedir=${placeholder "out"}/share/dbus-1/services" + "-Ddbussystemservicedir=${placeholder "out"}/share/dbus-1/system-services" + "-Dpamconfdir=${placeholder "out"}/etc/pam.d" + "-Drootprefix=${placeholder "out"}" + "-Drootlibdir=${placeholder "lib"}/lib" + "-Dpkgconfiglibdir=${placeholder "dev"}/lib/pkgconfig" + "-Dpkgconfigdatadir=${placeholder "dev"}/share/pkgconfig" "-Dloadkeys-path=${kbd}/bin/loadkeys" "-Dsetfont-path=${kbd}/bin/setfont" "-Dtty-gid=3" # tty in NixOS has gid 3 @@ -92,6 +79,7 @@ in stdenv.mkDerivation rec { "-Dquotacheck=false" "-Dldconfig=false" "-Dsmack=true" + "-Db_pie=true" "-Dsystem-uid-max=499" #TODO: debug why awking around in /etc/login.defs doesn't work "-Dsystem-gid-max=499" # "-Dtime-epoch=1" @@ -113,15 +101,6 @@ in stdenv.mkDerivation rec { preConfigure = '' mesonFlagsArray+=(-Dntp-servers="0.nixos.pool.ntp.org 1.nixos.pool.ntp.org 2.nixos.pool.ntp.org 3.nixos.pool.ntp.org") - mesonFlagsArray+=(-Ddbuspolicydir=$out/etc/dbus-1/system.d) - mesonFlagsArray+=(-Ddbussessionservicedir=$out/share/dbus-1/services) - mesonFlagsArray+=(-Ddbussystemservicedir=$out/share/dbus-1/system-services) - mesonFlagsArray+=(-Dpamconfdir=$out/etc/pam.d) - mesonFlagsArray+=(-Drootprefix=$out) - mesonFlagsArray+=(-Drootlibdir=$lib/lib) - mesonFlagsArray+=(-Dpkgconfiglibdir=$dev/lib/pkgconfig) - mesonFlagsArray+=(-Dpkgconfigdatadir=$dev/share/pkgconfig) - export LC_ALL="en_US.UTF-8"; # FIXME: patch this in systemd properly (and send upstream). # already fixed in f00929ad622c978f8ad83590a15a765b4beecac9: (u)mount 
@@ -139,14 +118,8 @@ in stdenv.mkDerivation rec { --replace /bin/plymouth /run/current-system/sw/bin/plymouth # To avoid dependency done - for i in tools/xml_helper.py tools/make-directive-index.py tools/make-man-index.py test/sys-script.py; do - substituteInPlace $i \ - --replace "#!/usr/bin/env python" "#!${pythonLxmlEnv}/bin/python" - done - - for i in src/basic/generate-gperfs.py src/resolve/generate-dns_type-gperf.py src/test/generate-sym-test.py ; do - substituteInPlace $i \ - --replace "#!/usr/bin/env python" "#!${buildPackages.python3Packages.python}/bin/python" + for dir in tools src/resolve test src/test; do + patchShebangs $dir done substituteInPlace src/journal/catalog.c \ From 2a0f85d882621c28b7bcfc8cbd0c9069c60bbd09 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Fri, 22 Feb 2019 09:22:51 +0000 Subject: [PATCH 02/15] nixos/os-release: add documentation url --- nixos/modules/misc/version.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/nixos/modules/misc/version.nix b/nixos/modules/misc/version.nix index c576cf4cb925eb..c9b374b6d7b1ab 100644 --- a/nixos/modules/misc/version.nix +++ b/nixos/modules/misc/version.nix @@ -95,6 +95,7 @@ in PRETTY_NAME="NixOS ${cfg.version} (${cfg.codeName})" LOGO="nix-snowflake" HOME_URL="https://nixos.org/" + DOCUMENTATION_URL="https://nixos.org/nixos/manual/index.html" SUPPORT_URL="https://nixos.org/nixos/support.html" BUG_REPORT_URL="https://github.com/NixOS/nixpkgs/issues" ''; From 8c7e588362e708ade5e782c09dbdf84d06ab4254 Mon Sep 17 00:00:00 2001 From: Andreas Rammhold Date: Mon, 6 May 2019 08:44:02 +0200 Subject: [PATCH 03/15] systemd: 241.20190221 -> 242 --- pkgs/os-specific/linux/systemd/default.nix | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/pkgs/os-specific/linux/systemd/default.nix b/pkgs/os-specific/linux/systemd/default.nix index 69910d79d65739..cc708cb4a896f8 100644 --- a/pkgs/os-specific/linux/systemd/default.nix 
+++ b/pkgs/os-specific/linux/systemd/default.nix @@ -15,7 +15,7 @@ }: stdenv.mkDerivation rec { - version = "241.20190221"; + version = "242"; name = "systemd-${version}"; # When updating, use https://github.com/systemd/systemd-stable tree, not the development one! @@ -24,7 +24,7 @@ stdenv.mkDerivation rec { owner = "NixOS"; repo = "systemd"; rev = "nixos-v${version}"; - sha256 = "0grcf0x793k1jx4bx7p63h3f3cd8w262824mzf8iwdsy6y9wzylr"; + sha256 = "0ldyhfxdy4qlgygvpc92wp0qp6p1c9y3rnm77zwbkga48x60d9i8"; }; outputs = [ "out" "lib" "man" "dev" ]; @@ -104,7 +104,7 @@ stdenv.mkDerivation rec { export LC_ALL="en_US.UTF-8"; # FIXME: patch this in systemd properly (and send upstream). # already fixed in f00929ad622c978f8ad83590a15a765b4beecac9: (u)mount - for i in src/remount-fs/remount-fs.c src/core/mount.c src/core/swap.c src/fsck/fsck.c units/emergency.service.in units/rescue.service.in src/journal/cat.c src/core/shutdown.c src/nspawn/nspawn.c src/shared/generator.c; do + for i in src/remount-fs/remount-fs.c src/core/mount.c src/core/swap.c src/fsck/fsck.c units/emergency.service.in units/rescue.service.in src/journal/cat.c src/shutdown/shutdown.c src/nspawn/nspawn.c src/shared/generator.c; do test -e $i substituteInPlace $i \ --replace /usr/bin/getent ${getent}/bin/getent \ @@ -186,7 +186,7 @@ stdenv.mkDerivation rec { # in a backwards-incompatible way. If the interface version of two # systemd builds is the same, then we can switch between them at # runtime; otherwise we can't and we need to reboot. - passthru.interfaceVersion = 2; + passthru.interfaceVersion = 3; meta = with stdenv.lib; { homepage = http://www.freedesktop.org/wiki/Software/systemd; From 1f03f6fc43a6f71b8204adf6cd02fb3685261add Mon Sep 17 00:00:00 2001 
From: Andreas Rammhold Date: Thu, 9 May 2019 14:13:26 +0200 Subject: [PATCH 04/15] nixos/udev: switch `networking.usePredicatableInterfaceNames` to a kernel param The udev rules we are shipping no longer work with systemd v242 and were remove upstream some time ago. It seems like the entire renaming is now done in C and not in the udev rules. --- .../services/hardware/80-net-setup-link.rules | 13 ------------- nixos/modules/services/hardware/udev.nix | 6 ++---- 2 files changed, 2 insertions(+), 17 deletions(-) delete mode 100644 nixos/modules/services/hardware/80-net-setup-link.rules diff --git a/nixos/modules/services/hardware/80-net-setup-link.rules b/nixos/modules/services/hardware/80-net-setup-link.rules deleted file mode 100644 index 18547f170a3f9c..00000000000000 --- a/nixos/modules/services/hardware/80-net-setup-link.rules +++ /dev/null @@ -1,13 +0,0 @@ -# Copied from systemd 203. -ACTION=="remove", GOTO="net_name_slot_end" -SUBSYSTEM!="net", GOTO="net_name_slot_end" -NAME!="", GOTO="net_name_slot_end" - -IMPORT{cmdline}="net.ifnames" -ENV{net.ifnames}=="0", GOTO="net_name_slot_end" - -NAME=="", ENV{ID_NET_NAME_ONBOARD}!="", NAME="$env{ID_NET_NAME_ONBOARD}" -NAME=="", ENV{ID_NET_NAME_SLOT}!="", NAME="$env{ID_NET_NAME_SLOT}" -NAME=="", ENV{ID_NET_NAME_PATH}!="", NAME="$env{ID_NET_NAME_PATH}" - -LABEL="net_name_slot_end" diff --git a/nixos/modules/services/hardware/udev.nix b/nixos/modules/services/hardware/udev.nix index 0266286aaacf9d..cb2f1e6621ae55 100644 --- a/nixos/modules/services/hardware/udev.nix +++ b/nixos/modules/services/hardware/udev.nix @@ -116,10 +116,6 @@ let exit 1 fi - ${optionalString config.networking.usePredictableInterfaceNames '' - cp ${./80-net-setup-link.rules} $out/80-net-setup-link.rules - ''} - # If auto-configuration is disabled, then remove # udev's 80-drivers.rules file, which contains rules for # automatically calling modprobe. 
@@ -282,6 +278,8 @@ in services.udev.path = [ pkgs.coreutils pkgs.gnused pkgs.gnugrep pkgs.utillinux udev ]; + boot.kernelParams = mkIf (!config.networking.usePredictableInterfaceNames) [ "net.ifnames=0" ]; + environment.etc = [ { source = udevRules; target = "udev/rules.d"; From 4743ad7392152d3745dee552aebe8a6b67e189a1 Mon Sep 17 00:00:00 2001 From: Andreas Rammhold Date: Fri, 10 May 2019 20:28:18 +0200 Subject: [PATCH 05/15] nixos/tests/radicale: be a bit more permissive when matching logs With the systemd update to v242 five lines are not longer sufficient to verify that the storage was verified. In order to reduce future test failures increasing it to 10 lines sounds like a sane amount. --- nixos/tests/radicale.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nixos/tests/radicale.nix b/nixos/tests/radicale.nix index bf22fc9291af8b..6079642556407e 100644 --- a/nixos/tests/radicale.nix +++ b/nixos/tests/radicale.nix @@ -85,7 +85,7 @@ in $radicale->succeed('mv /tmp/collections-new/collection-root /tmp/collections'); $radicale->succeed('${switchToConfig "radicale2_verify"} >&2'); $radicale->waitUntilFails('systemctl status radicale'); - my ($retcode, $logs) = $radicale->execute('journalctl -u radicale -n 5'); + my ($retcode, $logs) = $radicale->execute('journalctl -u radicale -n 10'); if ($retcode != 0 || index($logs, 'Verifying storage') == -1) { die "Radicale 2 didn't verify storage" } From a32cd7d84a7c832574ef0f09862e41bf84709baf Mon Sep 17 00:00:00 2001 From: Andreas Rammhold Date: Sat, 11 May 2019 00:10:08 +0200 Subject: [PATCH 06/15] nixos/networkd: use `no` instead of `none` for `DHCP=` option systemd has deprecated the use of `none` and recommends using `no` instead. --- nixos/modules/tasks/network-interfaces-systemd.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nixos/modules/tasks/network-interfaces-systemd.nix b/nixos/modules/tasks/network-interfaces-systemd.nix index 2318bdd1d58263..dd9ba9eec42652 100644 
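Review bot: The new `boot.kernelParams` line makes `networking.usePredictableInterfaceNames = false` effective only at the next boot, since `net.ifnames=0` is read from the kernel command line, whereas the deleted rule lived in the udev rules directory that `nixos-rebuild switch` replaces; anything keyed on interface names (firewall rules, `networking.interfaces`) keeps the old names until that reboot. A short comment on the line would save the next reader the trip through the deleted rules file, e.g. `# net.ifnames is read from the kernel command line, so toggling this option needs a reboot`. In practice the old rule also only renamed interfaces at device-add time, so this may not be a behavioural change beyond making the reboot requirement explicit. The enclosing config block starts and ends outside the hunk.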
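Review bot: `journalctl -u radicale -n 10` still ties the check to a fixed number of trailing lines, so the test will need re-tuning the next time the service logs a few more lines before `Verifying storage`; dropping `-n` and matching the whole unit log, `journalctl -u radicale`, removes the dependency on log volume, which on a fresh test VM is small anyway. The surrounding test script starts and ends outside the hunk.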
--- a/nixos/modules/tasks/network-interfaces-systemd.nix +++ b/nixos/modules/tasks/network-interfaces-systemd.nix @@ -12,7 +12,7 @@ let i.ipv4.addresses ++ optionals cfg.enableIPv6 i.ipv6.addresses; - dhcpStr = useDHCP: if useDHCP == true || useDHCP == null then "both" else "none"; + dhcpStr = useDHCP: if useDHCP == true || useDHCP == null then "both" else "no"; slaves = concatLists (map (bond: bond.interfaces) (attrValues cfg.bonds)) From d600da70457a8ca8d9543eb48b73e7c5eae1656f Mon Sep 17 00:00:00 2001 From: Andreas Rammhold Date: Sat, 11 May 2019 00:28:24 +0200 Subject: [PATCH 07/15] nixos/networkd: use the route section for default routes With systemd v242 using the `Gateway` attribute of the `[Network]` section will lead to "onlink" routes on all the device that are matched by the default configuration (typically all devices) causing multiple default routes (even on localhost). We can only avoid that - while keeping our default route option - when we mark the route as explicitly not on link. Only gateways that are within a subnet of one of the assigned interface addresses will be installed into the routing table. --- nixos/modules/tasks/network-interfaces-systemd.nix | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/nixos/modules/tasks/network-interfaces-systemd.nix b/nixos/modules/tasks/network-interfaces-systemd.nix index dd9ba9eec42652..b9c1387cea5ac5 100644 --- a/nixos/modules/tasks/network-interfaces-systemd.nix +++ b/nixos/modules/tasks/network-interfaces-systemd.nix @@ -59,7 +59,14 @@ in in { DHCP = override (dhcpStr cfg.useDHCP); } // optionalAttrs (gateway != [ ]) { - gateway = override gateway; + routes = override [ + { + routeConfig = { + Gateway = gateway; + GatewayOnlink = false; + }; + } + ]; } // optionalAttrs (domains != [ ]) { domains = override domains; }; From 1b7b1dbe2f88a3c8f0c5416d4e43de10977915cc Mon Sep 17 00:00:00 2001 
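Review bot: `Gateway = gateway` in the new `routeConfig` assigns the whole `gateway` list to a single route entry; the guard `gateway != [ ]` shows it is a list, and how a list value is rendered for `Gateway=` is not visible here (if it becomes repeated keys inside one `[Route]` section, networkd keeps only the last). Building one route per entry avoids depending on that: `routes = override (map (gw: { routeConfig = { Gateway = gw; GatewayOnlink = false; }; }) gateway);`. The enclosing attribute set starts and ends outside the hunk.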
From: Andreas Rammhold Date: Sat, 11 May 2019 13:48:48 +0200 Subject: [PATCH 08/15] nixos/networkd: rename GatewayOnlink to GatewayOnLink This follows upstreams renaming of the option [1]. [1] https://github.com/systemd/systemd/commit/9cb8c5593443d24c19e40bfd4fc06d672f8c554c --- nixos/doc/manual/release-notes/rl-1909.xml | 10 ++++++++++ nixos/modules/system/boot/networkd.nix | 2 +- nixos/modules/tasks/network-interfaces-systemd.nix | 2 +- 3 files changed, 12 insertions(+), 2 deletions(-) diff --git a/nixos/doc/manual/release-notes/rl-1909.xml b/nixos/doc/manual/release-notes/rl-1909.xml index 60b4a3bc17b64c..bac642fa539f6e 100644 --- a/nixos/doc/manual/release-notes/rl-1909.xml +++ b/nixos/doc/manual/release-notes/rl-1909.xml @@ -104,6 +104,16 @@ + + + The option + was renamed to + (capital L). This follows + + upstreams renaming + of the setting. + + diff --git a/nixos/modules/system/boot/networkd.nix b/nixos/modules/system/boot/networkd.nix index 63a6f7fbe09979..14a3832b0dc0b2 100644 --- a/nixos/modules/system/boot/networkd.nix +++ b/nixos/modules/system/boot/networkd.nix @@ -203,7 +203,7 @@ let checkRoute = checkUnitConfig "Route" [ (assertOnlyFields [ - "Gateway" "GatewayOnlink" "Destination" "Source" "Metric" + "Gateway" "GatewayOnLink" "Destination" "Source" "Metric" "IPv6Preference" "Scope" "PreferredSource" "Table" "Protocol" "Type" "InitialCongestionWindow" "InitialAdvertisedReceiveWindow" "QuickAck" "MTUBytes" diff --git a/nixos/modules/tasks/network-interfaces-systemd.nix b/nixos/modules/tasks/network-interfaces-systemd.nix index b9c1387cea5ac5..857aaf1e6e30c7 100644 --- a/nixos/modules/tasks/network-interfaces-systemd.nix +++ b/nixos/modules/tasks/network-interfaces-systemd.nix @@ -63,7 +63,7 @@ in { routeConfig = { Gateway = gateway; - GatewayOnlink = false; + GatewayOnLink = false; }; } ]; From bc71b6eaf6ff9451cbbaa3e62aa200845d12f4e3 Mon Sep 17 00:00:00 2001 
From: Florian Klink Date: Sat, 11 May 2019 23:33:58 +0200 Subject: [PATCH 09/15] nixosTests.containers-imperative: add tmpfiles test (cherry picked from commit 92600a90e248aa27f2aedcce4ad309f987a390df) --- nixos/tests/containers-imperative.nix | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/nixos/tests/containers-imperative.nix b/nixos/tests/containers-imperative.nix index 0c101037aa7f16..2e7e4b2f1d69ae 100644 --- a/nixos/tests/containers-imperative.nix +++ b/nixos/tests/containers-imperative.nix @@ -35,7 +35,17 @@ import ./make-test.nix ({ pkgs, ...} : { ]; }; - testScript = + testScript = let + tmpfilesContainerConfig = pkgs.writeText "container-config-tmpfiles" '' + { + systemd.tmpfiles.rules = [ "d /foo - - - - -" ]; + systemd.services.foo = { + serviceConfig.Type = "oneshot"; + script = "ls -al /foo"; + wantedBy = [ "multi-user.target" ]; + }; + } + ''; in '' # Make sure we have a NixOS tree (required by ‘nixos-container create’). $machine->succeed("PAGER=cat nix-env -qa -A nixos.hello >&2"); @@ -93,6 +103,15 @@ import ./make-test.nix ({ pkgs, ...} : { $machine->succeed("nixos-container stop $id1"); $machine->succeed("nixos-container start $id1"); + # Ensure tmpfiles are present + $machine->log("creating container tmpfiles"); + $machine->succeed("nixos-container create tmpfiles --config-file ${tmpfilesContainerConfig}"); + $machine->log("created, starting…"); + $machine->succeed("nixos-container start tmpfiles"); + $machine->log("done starting, investigating…"); + $machine->succeed("echo \$(nixos-container run tmpfiles -- systemctl is-active foo.service) | grep -q active;"); + $machine->succeed("nixos-container destroy tmpfiles"); + # Execute commands via the root shell. $machine->succeed("nixos-container run $id1 -- uname") =~ /Linux/ or die; From 024a383d64036dab02157927369ca680427aa61d Mon Sep 17 00:00:00 2001 
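Review bot: `grep -q active` in the new tmpfiles check also matches `inactive`, which is what `systemctl is-active foo.service` prints once a `Type=oneshot` unit without `RemainAfterExit` has exited, so the assertion passes whether or not the `ls -al /foo` service ever succeeded (only `failed` or `activating` would be rejected). Asserting on the effect the test is after is more direct: `$machine->succeed("nixos-container run tmpfiles -- test -d /foo");` and, to catch a failed unit, `$machine->fail("nixos-container run tmpfiles -- systemctl is-failed foo.service");`. Alternatively `grep -qx active` together with `RemainAfterExit = true` in the service would make the current check meaningful. The enclosing `testScript` string starts and ends outside the hunk.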
From: Andreas Rammhold Date: Wed, 15 May 2019 11:05:37 +0200 Subject: [PATCH 10/15] nixos/systemd: migrate systemd-timesync state when required Somewhen between systemd v239 and v242 upstream decided to no longer run a few system services with `DyanmicUser=1` but failed to provide a migration path for all the state those services left behind. For the case of systemd-timesync the state has to be moved from /var/lib/private/systemd/timesync to /var/lib/systemd/timesync if /var/lib/systemd/timesync is currently a symlink. We only do this if the stateVersion is still below 19.09 to avoid starting to have an ever growing activation script for (then) ancient systemd migrations that are no longer required. See https://github.com/systemd/systemd/issues/12131 for details about the missing migration path and related discussion. --- nixos/doc/manual/release-notes/rl-1909.xml | 16 ++++++- nixos/modules/system/boot/systemd.nix | 2 - nixos/modules/system/boot/timesyncd.nix | 9 ++++ nixos/tests/all-tests.nix | 1 + nixos/tests/systemd-timesyncd.nix | 52 ++++++++++++++++++++++ 5 files changed, 77 insertions(+), 3 deletions(-) create mode 100644 nixos/tests/systemd-timesyncd.nix diff --git a/nixos/doc/manual/release-notes/rl-1909.xml b/nixos/doc/manual/release-notes/rl-1909.xml index bac642fa539f6e..3b1a2d99794373 100644 --- a/nixos/doc/manual/release-notes/rl-1909.xml +++ b/nixos/doc/manual/release-notes/rl-1909.xml @@ -172,6 +172,20 @@ which is linked to fr-toutesvariantes.{aff,dic}. - + + + With the upgrade to systemd version 242 the systemd-timesyncd + service is no longer using DynamicUser=yes. In order for the + upgrade to work we rely on an activation script to move the state from the old + to the new directory. The older directory (prior 19.09) was + /var/lib/private/systemd/timesync. + + + As long as the system.config.stateVersion is below + 19.09 the state folder will migrated to its proper location + (/var/lib/systemd/timesync), if required. + + + 
diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix index 18ee2ef1b8f53c..8499b700d3eaf7 100644 --- a/nixos/modules/system/boot/systemd.nix +++ b/nixos/modules/system/boot/systemd.nix @@ -940,7 +940,6 @@ in # Don't bother with certain units in containers. systemd.services.systemd-remount-fs.unitConfig.ConditionVirtualization = "!container"; systemd.services.systemd-random-seed.unitConfig.ConditionVirtualization = "!container"; - }; # FIXME: Remove these eventually. @@ -949,5 +948,4 @@ in (mkRenamedOptionModule [ "boot" "systemd" "targets" ] [ "systemd" "targets" ]) (mkRenamedOptionModule [ "boot" "systemd" "services" ] [ "systemd" "services" ]) ]; - } diff --git a/nixos/modules/system/boot/timesyncd.nix b/nixos/modules/system/boot/timesyncd.nix index 8d8bfe5900a982..8282cdd6f3aadf 100644 --- a/nixos/modules/system/boot/timesyncd.nix +++ b/nixos/modules/system/boot/timesyncd.nix @@ -40,6 +40,15 @@ with lib; users.users.systemd-timesync.uid = config.ids.uids.systemd-timesync; users.groups.systemd-timesync.gid = config.ids.gids.systemd-timesync; + system.activationScripts.systemd-timesyncd-migration = mkIf (versionOlder config.system.stateVersion "19.09") '' + # workaround an issue of systemd-timesyncd not starting due to upstream systemd reverting their dynamic users changes + # - https://github.com/NixOS/nixpkgs/pull/61321#issuecomment-492423742 + # - https://github.com/systemd/systemd/issues/12131 + if [ -L /var/lib/systemd/timesync ]; then + rm /var/lib/systemd/timesync + mv /var/lib/private/systemd/timesync /var/lib/systemd/timesync + fi + ''; }; } diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index 9bce49c9e30275..ddc253adbd0b93 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix 
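Review bot: The new activation script removes `/var/lib/systemd/timesync` whenever it is a symlink, without checking that the link points at `/var/lib/private/systemd/timesync` or that that directory still exists; a link placed by an administrator, or a private directory that is already gone, means the `rm` destroys the link and the following `mv` fails with no state directory left behind. Tightening the condition keeps the script a no-op in those cases: `if [ "$(readlink /var/lib/systemd/timesync)" = /var/lib/private/systemd/timesync ] && [ -d /var/lib/private/systemd/timesync ]; then`. Whether a failed `mv` aborts the remaining activation steps depends on how the activation script runner treats errors, which is not visible here. The moved directory also keeps whatever uid it had under `DynamicUser=`; if the intent is that systemd fixes ownership when the unit starts, the comment should say so.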
@@ -237,6 +237,7 @@ in
 syncthing-relay = handleTest ./syncthing-relay.nix {};
 systemd = handleTest ./systemd.nix {};
 systemd-confinement = handleTest ./systemd-confinement.nix {};
+ systemd-timesyncd = handleTest ./systemd-timesyncd.nix {};
 pdns-recursor = handleTest ./pdns-recursor.nix {};
 taskserver = handleTest ./taskserver.nix {};
 telegraf = handleTest ./telegraf.nix {};
diff --git a/nixos/tests/systemd-timesyncd.nix b/nixos/tests/systemd-timesyncd.nix
new file mode 100644
index 00000000000000..d12b8eb2bf7eb4
--- /dev/null
+++ b/nixos/tests/systemd-timesyncd.nix
@@ -0,0 +1,52 @@ +# Regression test for systemd-timesync having moved the state directory without +# upstream providing a migration path. https://github.com/systemd/systemd/issues/12131 + +import ./make-test.nix (let + common = { lib, ... }: { + # override the `false` value from the qemu-vm base profile + services.timesyncd.enable = lib.mkForce true; + }; + mkVM = conf: { imports = [ conf common ]; }; +in { + name = "systemd-timesyncd"; + nodes = { + current = mkVM {}; + pre1909 = mkVM ({lib, ... }: with lib; { + # create the path that should be migrated by our activation script when + # upgrading to a newer nixos version + system.stateVersion = "19.03"; + system.activationScripts.simulate-old-timesync-state-dir = mkBefore '' + rm -f /var/lib/systemd/timesync + mkdir -p /var/lib/systemd /var/lib/private/systemd/timesync + ln -s /var/lib/private/systemd/timesync /var/lib/systemd/timesync + chown systemd-timesync: /var/lib/private/systemd/timesync + ''; + }); + }; + + testScript = '' + startAll; + $current->succeed('systemctl status systemd-timesyncd.service'); + # on a new install with a recent systemd there should not be any + # leftovers from the dynamic user mess + $current->succeed('test -e /var/lib/systemd/timesync'); + $current->succeed('test ! -L /var/lib/systemd/timesync'); + + # timesyncd should be running on the upgrading system since we fixed the + # file bits in the activation script + $pre1909->succeed('systemctl status systemd-timesyncd.service'); + + # the path should be gone after the migration + $pre1909->succeed('test ! -e /var/lib/private/systemd/timesync'); + + # and the new path should no longer be a symlink + $pre1909->succeed('test -e /var/lib/systemd/timesync'); + $pre1909->succeed('test ! -L /var/lib/systemd/timesync'); + + # after a restart things should still work and not fail in the activation + # scripts and cause the boot to fail.. 
+ $pre1909->shutdown; + $pre1909->start; + $pre1909->succeed('systemctl status systemd-timesyncd.service'); + ''; +}) From d436ab07182ffee2b3447df892828137fc3767e8 Mon Sep 17 00:00:00 2001 From: Franz Pletz Date: Fri, 17 May 2019 16:26:15 +0200 Subject: [PATCH 11/15] multipath-tools: 0.6.2 -> 0.8.1 --- pkgs/os-specific/linux/multipath-tools/default.nix | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/pkgs/os-specific/linux/multipath-tools/default.nix b/pkgs/os-specific/linux/multipath-tools/default.nix index 14996fd76be539..0e90a08147678d 100644 --- a/pkgs/os-specific/linux/multipath-tools/default.nix +++ b/pkgs/os-specific/linux/multipath-tools/default.nix @@ -1,16 +1,17 @@ -{ stdenv, fetchurl, lvm2, libaio, gzip, readline, systemd, liburcu }: +{ stdenv, fetchurl, pkgconfig, perl, lvm2, libaio, gzip, readline, systemd, liburcu, json_c }: stdenv.mkDerivation rec { name = "multipath-tools-${version}"; - version = "0.6.2"; + version = "0.8.1"; src = fetchurl { name = "${name}.tar.gz"; - url = "https://git.opensvc.com/?p=multipath-tools/.git;a=snapshot;h=${version};sf=tgz"; - sha256 = "159hxvbk9kh1qay9x04w0gsqzg0hkl5yghfc1wi9kv2n5pcwbkpm"; + url = "https://git.opensvc.com/gitweb.cgi?p=multipath-tools/.git;a=snapshot;h=refs/tags/${version};sf=tgz"; + sha256 = "0669zl4dpai63dl04lf8vpwnpsff6qf19fifxfc4frawnh699k95"; }; postPatch = '' + substituteInPlace libmultipath/Makefile --replace /usr/include/libdevmapper.h ${lvm2}/include/libdevmapper.h sed -i -re ' s,^( *#define +DEFAULT_MULTIPATHDIR\>).*,\1 "'"$out/lib/multipath"'", ' libmultipath/defaults.h @@ -20,8 +21,8 @@ stdenv.mkDerivation rec { Makefile.inc ''; - nativeBuildInputs = [ gzip ]; - buildInputs = [ systemd lvm2 libaio readline liburcu ]; + nativeBuildInputs = [ gzip pkgconfig perl ]; + buildInputs = [ systemd lvm2 libaio readline liburcu json_c ]; makeFlags = [ "LIB=lib" From 81f390d2e3f0b297e7b50c779b49babcd6a1fa7e Mon Sep 17 00:00:00 2001 
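Review bot: The new test checks that `/var/lib/systemd/timesync` exists and is not a symlink after migration but never checks its ownership, even though the simulated pre-19.09 state is explicitly `chown`ed to `systemd-timesync` and the migration it exercises only moves the directory; `$pre1909->succeed('test "$(stat -c %U /var/lib/systemd/timesync)" = systemd-timesync');` after the symlink assertions would pin that. The `chown` in `simulate-old-timesync-state-dir` also means the test only covers a directory already owned by the static user, whereas a directory created under `DynamicUser=` presumably carries a dynamically allocated uid — worth a comment in the fixture so nobody reads the test as proof of that case.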
From: Andreas Rammhold Date: Fri, 17 May 2019 20:00:22 +0200 Subject: [PATCH 12/15] systemd: disable building tests We are currently not running any tests but building them takes signitifcant amounts of time since they account to about 40% of all the compilation targets. --- pkgs/os-specific/linux/systemd/default.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/pkgs/os-specific/linux/systemd/default.nix b/pkgs/os-specific/linux/systemd/default.nix index cc708cb4a896f8..a94490d594bcda 100644 --- a/pkgs/os-specific/linux/systemd/default.nix +++ b/pkgs/os-specific/linux/systemd/default.nix @@ -62,7 +62,8 @@ stdenv.mkDerivation rec { "-Dloadkeys-path=${kbd}/bin/loadkeys" "-Dsetfont-path=${kbd}/bin/setfont" "-Dtty-gid=3" # tty in NixOS has gid 3 - # "-Dtests=" # TODO + # while we do not run tests we should also not build them. Removes about 600 targets + "-Dtests=false" "-Dlz4=true" "-Dhostnamed=true" "-Dnetworkd=true" From 0f93834c5e6e1e7489ab4be55c38cb1d4b9d325f Mon Sep 17 00:00:00 2001 
From: Andreas Rammhold Date: Wed, 22 May 2019 00:07:39 +0200 Subject: [PATCH 13/15] systemd: remove references to $out/lib/systemd/catalog On aarch64 we "leak" a reference to $out/lib/systemd/catalog in the lib output. The result of that is a dependency cycle between $out and $lib. Thus nix (rightfully) marks the build as failed. That reference originates from an array of strings (catalog_file_dirs) in systemd (src/src/journal/catalog.{c,h}). The only consumer (as of v242) of the symbol is the main function of journalctl. Still libsystemd.so contains the VALUE but not the symbol. Systemd seems to be properly using function & data sections together with the linker flags to garbage collect unused sections (-Wl,--gc-sections). For unknown reasons those flags do not eliminate the unused string constants, in this case on aarch64-linux. The hacky way is to just remove the reference after we finished compiling. Since it can not be used (there is no symbol to actually refer to it) there should not be any harm. It is a bit odd and I really do not like starting these kind of hacks but there doesn't seem to be a straight forward way at this point in time. The reference will be replaced by the same reference the usual nukeRefs tooling uses. The standard tooling can not / should not be uesd since it is a bit too excessive and could potentially do us some (more) harm. --- pkgs/os-specific/linux/systemd/default.nix | 26 ++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/pkgs/os-specific/linux/systemd/default.nix b/pkgs/os-specific/linux/systemd/default.nix index a94490d594bcda..8aa518ed1d01b8 100644 --- a/pkgs/os-specific/linux/systemd/default.nix +++ b/pkgs/os-specific/linux/systemd/default.nix 
@@ -9,6 +9,7 @@ , patchelf , getent , buildPackages +, perl , withSelinux ? false, libselinux , withLibseccomp ? lib.any (lib.meta.platformMatch stdenv.hostPlatform) libseccomp.meta.platforms, libseccomp , withKexectools ? lib.any (lib.meta.platformMatch stdenv.hostPlatform) kexectools.meta.platforms, kexectools @@ -35,6 +36,7 @@ stdenv.mkDerivation rec { coreutils # meson calls date, stat etc. glibcLocales patchelf getent m4 + perl # to patch the libsystemd.so and remove dependencies on aarch64 (buildPackages.python3Packages.python.withPackages ( ps: with ps; [ python3Packages.lxml ])) ]; 
@@ -181,6 +183,30 @@ stdenv.mkDerivation rec { enableParallelBuilding = true; + # On aarch64 we "leak" a reference to $out/lib/systemd/catalog in the lib + # output. The result of that is a dependency cycle between $out and $lib. + # Thus nix (rightfully) marks the build as failed. That reference originates + # from an array of strings (catalog_file_dirs) in systemd + # (src/src/journal/catalog.{c,h}). The only consumer (as of v242) of the + # symbol is the main function of journalctl. Still libsystemd.so contains + # the VALUE but not the symbol. Systemd seems to be properly using function + # & data sections together with the linker flags to garbage collect unused + # sections (-Wl,--gc-sections). For unknown reasons those flags do not + # eliminate the unused string constants, in this case on aarch64-linux. The + # hacky way is to just remove the reference after we finished compiling. + # Since it can not be used (there is no symbol to actually refer to it) there + # should not be any harm. It is a bit odd and I really do not like starting + # these kind of hacks but there doesn't seem to be a straight forward way at + # this point in time. + # The reference will be replaced by the same reference the usual nukeRefs + # tooling uses. The standard tooling can not / should not be uesd since it + # is a bit too excessive and could potentially do us some (more) harm. + postFixup = '' + nukedRef=$(echo $out | sed -e "s,$NIX_STORE/[^-]*-\(.*\),$NIX_STORE/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-\1,") + cat $lib/lib/libsystemd.so | perl -pe "s|$out/lib/systemd/catalog|$nukedRef/lib/systemd/catalog|" > $lib/lib/libsystemd.so.tmp + mv $lib/lib/libsystemd.so.tmp $(readlink -f $lib/lib/libsystemd.so) + ''; + # The interface version prevents NixOS from switching to an # incompatible systemd at runtime. (Switching across reboots is # fine, of course.) It should be increased whenever systemd changes From 9077623324d9366041bb6628be1a5cffb7bc815d Mon Sep 17 00:00:00 2001 
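Review bot: In the new `postFixup`, `$out` is interpolated unescaped into the perl pattern, so a regex metacharacter in the store path (a `+` in the package name or version, for instance) would make the substitution stop matching and leave the reference in place; `\Q…\E` makes it literal: `perl -pe "s|\Q$out/lib/systemd/catalog\E|$nukedRef/lib/systemd/catalog|"`. The substitution only keeps the ELF string table intact because `$nukedRef` has exactly the length of `$out` (the fake hash must stay 32 characters like a real store hash); that invariant is what makes the hack safe and deserves a comment next to the `sed` that builds `$nukedRef`. `cat … > …tmp` followed by `mv` also gives the library whatever mode the build umask yields instead of the original file's, which `chmod --reference=$(readlink -f $lib/lib/libsystemd.so) $lib/lib/libsystemd.so.tmp` before the `mv` would preserve. The enclosing `mkDerivation` starts and ends outside the hunk.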
From: Andreas Rammhold Date: Tue, 28 May 2019 18:33:28 +0200 Subject: [PATCH 14/15] nixos/misc: warn when someone is using the nixops autoLuks module The autoLuks module is not really compatible with the updated systemd version anymore. We started dropping NixOS specific patches that caused unwanted side effects that we had to work around otherwise. This change points users towards the relevant PR and spits out a bit of information on how to deal with the situation. --- nixos/doc/manual/release-notes/rl-1909.xml | 24 ++++++++++++ nixos/modules/misc/nixops-autoluks.nix | 44 ++++++++++++++++++++++ nixos/modules/module-list.nix | 1 + 3 files changed, 69 insertions(+) create mode 100644 nixos/modules/misc/nixops-autoluks.nix diff --git a/nixos/doc/manual/release-notes/rl-1909.xml b/nixos/doc/manual/release-notes/rl-1909.xml index 3b1a2d99794373..96c41edabd4e5f 100644 --- a/nixos/doc/manual/release-notes/rl-1909.xml +++ b/nixos/doc/manual/release-notes/rl-1909.xml @@ -114,6 +114,30 @@ of the setting. + + + As of this release the NixOps feature autoLuks is deprecated. It no longer works + with our systemd version without manual intervention. + + + Whenever the usage of the module is detected the evaluation will fail with a message + explaining why and how to deal with the situation. + + + A new knob named nixops.enableDeprecatedAutoLuks + has been introduced to disable the eval failure and to acknowledge the notice was received and read. + If you plan on using the feature please note that it might break with subsequent updates. + + + Make sure you set the _netdev option for each of the file systems referring to block + devices provided by the autoLuks module. Not doing this might render the system in a + state where it doesn't boot anymore. + + + If you are actively using the autoLuks module please let us know in + issue #62211. + + 
diff --git a/nixos/modules/misc/nixops-autoluks.nix b/nixos/modules/misc/nixops-autoluks.nix new file mode 100644 index 00000000000000..2153c6f975ad57 --- /dev/null +++ b/nixos/modules/misc/nixops-autoluks.nix @@ -0,0 +1,44 @@ +{ config, options, lib, ... }: +let + path = [ "deployment" "autoLuks" ]; + hasAutoLuksOption = lib.hasAttrByPath path options; + hasAutoLuksConfig = lib.hasAttrByPath path config && (lib.attrByPath path {} config) != {}; + + inherit (config.nixops) enableDeprecatedAutoLuks; +in { + options.nixops.enableDeprecatedAutoLuks = lib.mkEnableOption "Enable the deprecated NixOps AutoLuks module"; + + config = { + assertions = [ + { + assertion = if hasAutoLuksConfig then hasAutoLuksConfig && enableDeprecatedAutoLuks else true; + message = '' + ⚠️ !!! WARNING !!! ⚠️ + + NixOps autoLuks is deprecated. The feature was never widely used and the maintenance did outgrow the benefit. + If you still want to use the module: + a) Please raise your voice in the issue tracking usage of the module: + https://github.com/NixOS/nixpkgs/issues/62211 + b) make sure you set the `_netdev` option for each of the file + systems referring to block devices provided by the autoLuks module. + + ⚠️ If you do not set the option your system will not boot anymore! ⚠️ + + { + fileSystems."/secret" = { options = [ "_netdev" ]; }; + } + + b) set the option >nixops.enableDeprecatedAutoLuks = true< to remove this error. + + + For more details read through the following resources: + - https://github.com/NixOS/nixops/pull/1156 + - https://github.com/NixOS/nixpkgs/issues/47550 + - https://github.com/NixOS/nixpkgs/issues/62211 + - https://github.com/NixOS/nixpkgs/pull/61321 + ''; + } + ]; + }; + +} diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index bc8bcc0cd8f673..9152121d43d2c3 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix 
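Review bot: The assertion message in the new module labels two different steps `b)`: the `_netdev` instruction and `set the option >nixops.enableDeprecatedAutoLuks = true<`; the second should read `c) set the option ...`, and since this text is shown to users the angle-bracket quoting is better as backticks, matching the `_netdev` line above it. `hasAutoLuksOption` is bound but never used, and `assertion = if hasAutoLuksConfig then hasAutoLuksConfig && enableDeprecatedAutoLuks else true` reduces to `assertion = !hasAutoLuksConfig || enableDeprecatedAutoLuks;`. `mkEnableOption` already prefixes its argument with "Whether to enable", so the description renders as "Whether to enable Enable the deprecated…"; passing `"the deprecated NixOps AutoLuks module"` reads correctly.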
@@ -84,6 +84,7 @@
 ./misc/nixpkgs.nix
 ./misc/passthru.nix
 ./misc/version.nix
+ ./misc/nixops-autoluks.nix
 ./programs/adb.nix
 ./programs/atop.nix
 ./programs/autojump.nix

From 7508490770ba490ad767d230241822129da70672 Mon Sep 17 00:00:00 2001
From: Andreas Rammhold
Date: Sat, 25 May 2019 09:49:06 +0200
Subject: [PATCH 15/15] nixos/test: remove the stateVersion statement from the test-instrumentation

We set stateVersion to `mkDefault 18.03` in `nixos/modules/testing/test-instrumentation.nix` and in `modules/installer/cd-dvd/installation-cd-base.nix`. Accessing the stateVersion in the module system from within the tests results in the following error: > The unique option `system.stateVersion' is defined multiple times, in > `nixpkgs/nixos/modules/installer/cd-dvd/installation-cd-base.nix' and > `nixpkgs/nixos/modules/testing/test-instrumentation.nix'. There are other tests that use it as well. Namely the radicale test also verifies behaviour between state versions is as expected. It switches a package default value. Others switched on the state directory default. It seems like having the timesyncd switch as part of every rendered activationScript might cause this weird error. Removing this line seems like a reasonable thing to do since we actually set the default to the very same value in the module system. This line should have been no-op besides the issue that we've two statements setting it in this very specific case.
---
 nixos/modules/testing/test-instrumentation.nix | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/nixos/modules/testing/test-instrumentation.nix b/nixos/modules/testing/test-instrumentation.nix
index ed4cfa7805e2d5..1a11d9ce7c26bf 100644
--- a/nixos/modules/testing/test-instrumentation.nix
+++ b/nixos/modules/testing/test-instrumentation.nix
@@ -129,9 +129,6 @@ with import ../../lib/qemu-flags.nix { inherit pkgs; };
 users.users.root.initialHashedPassword = mkOverride 150 "";
 services.xserver.displayManager.job.logToJournal = true;
-
- # set default stateVersion to avoid warnings during eval
- system.stateVersion = mkDefault "18.03";
 };
 }
