wpa_supplicant fails to start if the wireless interfaces aren't ready yet,
so we need to add a system ordering directive here to start wpa_supplicant
after the interfaces are ready. Note that Requires= is not enough since
it does not imply ordering.
This GID was used to exempt users from Grsecurity's
`/proc` restrictions; we now prefer to rely on
`security.hideProcessInformation`, which uses the `proc` group
for this purpose. That leaves no use for the grsecurity GID.
More generally, having only a single GID to, presumably, serve as the
default for all of grsecurity's GID based exemption/resriction schemes
would be problematic in any event, so if we decide to enable those
grsecurity features in the future, more specific GIDs should be added.
The new module is specifically adapted to the NixOS Grsecurity/PaX
kernel. The module declares the required kernel configurations and
so *should* be somewhat compatible with custom Grsecurity kernels.
The module exposes only a limited number of options, minimising the need
for user intervention beyond enabling the module. For experts,
Grsecurity/PaX behavior may be configured via `boot.kernelParams` and
`boot.kernel.sysctl`.
The module assumes the user knows what she's doing (esp. if she decides
to modify configuration values not directly exposed by the module).
Administration of Grsecurity's role based access control system is yet
to be implemented.
We need to use wrapped modprobe, so that it finds the right
modules. Docker needs modprobe to load overlay kernel module
for example.
This fixes an an error starting docker if the booted system's kernel
version is different from the /run/current-system profile's one.
The update-resolve-conf script from the update-resolv-conf
package is very useful and should work in most of the common
cases, so this adds an option to enable it. The option is
disabled by default for backwards compatibility.
So far the module only allowed for the ccid driver, but there are a lot
of other PCSC driver modules out there, so let's add an option called
"plugins", which boils down to a store path that links together all the
paths specified.
We don't need to create stuff in /var/lib/pcsc anymore, because we
patched pcsclite to allow setting PCSCLITE_HP_DROPDIR.
Another new option is readerConfig, which is especially useful for
non-USB readers that aren't autodetected.
The systemd service now is no longer Type=forking, because we're now
passing the -f (foreground) option to pcscd.
Tested against a YubiKey 4, SCR335 and a REINER SCT USB reader.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @wkennington
This was originally removed in d4d0e449d7.
The intent was not to maintain hydra expression at two places.
Nowadays we have enough devs to maintain this despite copy/pasta.
This should encourage more people to use Hydra, which is a really
great piece of software together with Nix.
Tested a deploy using https://github.com/peti/hydra-tutorial
Since systemd version 230, it is required to have a machine-id file
prior to the startup of the container. If the file is empty, a transient
machine ID is generated by systemd-nspawn.
See systemd/systemd#3014 for more details on the matter.
This unbreaks all of the containers-* NixOS tests.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @edolstra
Closes: #15808
The primary motivation here is to get rid of builderDefs, but now the
resulting font directory is also linked into /run/current-system/sw,
which fixes#15194.
The existence of $root/var/lib/private/host-notify as a socket
prevented a bind mount:
container foo[8083]: Failed to create mount point /var/lib/containers/foo/var/lib/private/host-notify: No such device or address
This allows setting options for the same LUKS device in different
modules. For example, the auto-generated hardware-configuration.nix
can contain
boot.initrd.luks.devices.crypted.device = "/dev/disk/...";
while configuration.nix can add
boot.initrd.luks.devices.crypted.allowDiscards = true;
Also updated the examples/docs to use /disk/disk/by-uuid instead of
/dev/sda, since we shouldn't promote the use of the latter.
... rather than ~/.xsession-errors. It might make sense to make this
the default, in order to eliminate ad hoc, uncentralised, poorly
discoverable log files.
This ensures that "journalctl -u display-manager" does what you would
expect in 2016. However, the main reason is to ensure that our VM
tests show the output of the X server.
A slight problem is that with KDE user switching, messages from the
various X servers end up in the same place. However, that's an
improvement over the previous situation, where the second X server
would overwrite the /var/log/X.0.log of the first. (This was caused by
the fact that we were passing a hard-coded value for -logfile.)
For now, leave the old implementation under `man-old` attribute.
Small warning: I had a leftover ~/.nix-profile/man from an old package,
which caused man-db's man prefer it and ignore ~/.nix-profile/share/man.
The PATH->MANPATH code just selects the first match for each PATH item.
The motivation is using sudo in chroot nix builds, a somewhat
special edge case I have and pulling system path into chroot
yields to some very nasty bug like
https://github.com/NixOS/nixpkgs/issues/15581
Previously:
$ cat /var/setuid-wrappers/sudo.real
/nix/store/3sm04dzh0994r86xqxy52jjc0lqnkn65-system-path/bin/sudo
After the change:
$ cat /var/setuid-wrappers/sudo.real
/nix/store/4g9sxbzy8maxf1v217ikp69c0c3q12as-sudo-1.8.15/bin/sudo
This reverts commit c25907d072.
I think this commit broke the NixOS service for NetworkManager. At least
with this, and the two previous reverts, everything is back to normal.
(With multiple-outputs split, it would have reduced the closure size by
3 MiB.)
This reverts commit 7ac1ef05fa.
One of a few reverts needed to unbreak networkmanager NixOS service
since the multiple-output split (to save 3 MiB of closure size).
This reverts commit 2875293615.
One of a few reverts needed to unbreak networkmanager NixOS service
since the multiple-output split (to save 3 MiB of closure size).
Move Subsonic state directory from `/var/subsonic` to
`/var/lib/subsonic`, since the general convention is for each
application to put its state directory there.
Also, automatically set the home directory of the `subsonic` user to the
value of `config.services.subsonic.home`, rather than setting it to a
value hardcoded in the module. This keeps the home directory of the
`subsonic` user and the state directory for the Subsonic application in
sync.
leveraging users.users.<user>.createHome instead of a preStart script.
preStart script is still required to ensure proper creation of logging
directory.
This properly implements revert in
0729f60697.
We used to have which='type -P' alias, but really it's best to just
rely on which package, only 88K in size.
cc @edolstra
The chroot caps restriction disallows chroot'ed processes from running
any command that requires `CAP_SYS_ADMIN`, breaking `nixos-rebuild`. See
e.g., https://github.com/NixOS/nixpkgs/issues/15293
This significantly weakens chroot protections, but to break
nixos-rebuild out of the box is too severe.
The list of public proxies is updated now and again and it's probably a
good idea to always work from the most recent list, rather than the one
that is shipped with the release. This can be crucial in case of
resolvers that are revealed to have gone rogue or otherwise have been
compromised.
Unfortunately, pkill doesn't distinguish between kernel and user space
processes, so we need to make sure we don't accidentally kill kernel
threads.
Normally, a kernel thread ignores all signals, but there are a few that
do. A quick grep on the kernel source tree (as of kernel 4.6.0) shows
the following source files which use allow_signal():
drivers/isdn/mISDN/l1oip_core.c
drivers/md/md.c
drivers/misc/mic/cosm/cosm_scif_server.c
drivers/misc/mic/cosm_client/cosm_scif_client.c
drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
drivers/staging/rtl8188eu/core/rtw_cmd.c
drivers/staging/rtl8712/rtl8712_cmd.c
drivers/target/iscsi/iscsi_target.c
drivers/target/iscsi/iscsi_target_login.c
drivers/target/iscsi/iscsi_target_nego.c
drivers/usb/atm/usbatm.c
drivers/usb/gadget/function/f_mass_storage.c
fs/jffs2/background.c
fs/lockd/clntlock.c
fs/lockd/svc.c
fs/nfs/nfs4state.c
fs/nfsd/nfssvc.c
While not all of these are necessarily kthreads and some functionality
may still be unimpeded, it's still quite harmful and can cause
unexpected side-effects, especially because some of these kthreads are
storage-related (which we obviously don't want to kill during bootup).
During discussion at #15226, @dezgeg suggested the following
implementation:
for pid in $(pgrep -v -f '@'); do
if [ "$(cat /proc/$pid/cmdline)" != "" ]; then
kill -9 "$pid"
fi
done
This has a few downsides:
* User space processes which use an empty string in their command line
won't be killed.
* It results in errors during bootup because some shell-related
processes are already terminated (maybe it's pgrep itself, haven't
checked).
* The @ is searched within the full command line, not just at the
beginning of the string. Of course, we already had this until now, so
it's not a problem of his implementation.
I posted an alternative implementation which doesn't suffer from the
first point, but even that one wasn't sufficient:
for pid in $(pgrep -v -f '^@'); do
readlink "/proc/$pid/exe" &> /dev/null || continue
echo "$pid"
done | xargs kill -9
This one spawns a subshell, which would be included in the processes to
kill and actually kills itself during the process.
So what we have now is even checking whether the shell process itself is
in the list to kill and avoids killing it just to be sure.
Also, we don't spawn a subshell anymore and use /proc/$pid/exe to
distinguish between user space and kernel processes like in the comments
of the following StackOverflow answer:
http://stackoverflow.com/a/12231039
We don't need to take care of terminating processes, because what we
actually want IS to terminate the processes.
The only point where this (and any previous) approach falls short if we
have processes that act like fork bombs, because they might spawn
additional processes between the pgrep and the killing. We can only
address this with process/control groups and this still won't save us
because the root user can escape from that as well.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Fixes: #15226
Instead of using this option, please modify the dovecot package by means of an
override. For example:
nixpkgs.config.packageOverrides = super: {
dovecot = super.dovecot.override { withPgSQL = true; };
};
Closes https://github.com/NixOS/nixpkgs/issues/14097.
* Perform HTTP HEAD request instead of full GET (lighter weight)
* Don't log output of curl to the journal (it's noise/debug)
* Use explicit http:// URL scheme
* Reduce poll interval from 10s to 2s (respond to state changes
quicker). Probably not relevant on boot (lots of services compete for
the CPU), but online service restarts/reloads should be quicker.
* Pass --fail to curl (should be more robust against false positives)
* Use 4 space indent for shell code.
The current postStart code holds Jenkins off the "started" state until
Jenkins becomes idle. But it should be enough to wait until Jenkins
start handling HTTP requests to consider it "started".
More reasons why the current approach is bad and we should remove it,
from @coreyoconnor in
https://github.com/NixOS/nixpkgs/issues/14991#issuecomment-216572571:
1. Repeatedly curling for a specific human-readable string to
determine "Active" is fragile. For instance, what happens when jenkins
is localized?
2. The time jenkins takes to initializes is variable. This (at least
used to) depend on the number of jobs and any plugin upgrades requested.
3. Jenkins can be requested to restart from the UI. Which will not
affect the status of the service. This means that the service being
"active" does not imply jenkins is initialized. Downstream services
cannot assume jenkins is initialized if the service is active. Might
as well accept that and remove the initialized test from service
startup.
Fixes#14991.
