* Fix test in writing-nixos-tests.section.md
That paren couldn't possibly have been in the right place.
(I do not have nix set up to generate `writing-nixos-tests.section.xml` or verify the test or anything, please do whatever is appropriate with this trivial change)
* doc: fix numpy example test value
Making the test test the right thing made it fail
see PR discussion
We need to make sure systemd-tmpfiles-setup.service ran before we
start systemd-binft.service. Otherwise it might fail to start
due to non-existant files
Fixes#295365
Right now the worst case chain of events for building an ISO on Hydra is
- copy everything to squashfs builder
- run squashfs builder
- download squashfs from builder
- compress squashfs
- upload squashfs to S3
- copy squashfs to ISO builder
- run ISO builder
- download ISO from builder
- compress ISO
- upload ISO to S3
This inlines the squashfs build into the ISO build, which makes it
- copy everything to ISO builder
- run ISO builder
- download ISO from builder
- compress ISO
- upload ISO to S3
Which should reduce queue runner load by $alot per ISO, which we have four of on small channels
(one release, one test per arch) and a lot more than four of on large channels (with various desktops)
This ensures a ".dtb" PE section makes it into the UKI so systemd-stub
can install the correct devicetree for use by the Linux kernel. This is
often needed on systems that boot with u-boot since the devicetree used
by u-boot is often a paired down version of what the Linux kernel needs.
On those kinds of boards, the lack of this PE section means that u-boot
will end up installing its internal devicetree into the UEFI
configuration table, which is what the Linux kernel ends up using.
While `/var/lib/lldap` isn't technically accessible by unprivileged
users thanks to `DynamicUser=true`, a user might prefer and change it to
`DynamicUser=false`.
There is currently also a PR open that intends to make `DynamicUser`
configurable via module option.
As such, `jwt_secret_file`, if bootstrapped by the service start
procedure, might be rendered world-readable due to its permissions
(`0644/-rw-r--r--`) defaulting to the service's umask (`022`) and
`/var/lib/lldap` to `0755/drwxr-xr-x` due to `StateDirectoryMode=0755`.
This would usually be fixed by using `(umask 027; openssl ...)` instead
of just `openssl ...`.
However, it was found that another file (`users.db`), this time
bootstrapped by `lldap` itself, also had insufficient permissions
(`0644/-rw-r--r--`) inherited by the global umask and would be left
world-readable as well.
Due to this, we instead change the service's to `027`.
And to lower the impact for already bootstrapped files on existing
instances like `users.db`, set `StateDirectoryMode=0750`.
ESDM 1.0.1 fixed bugs related to Linux compatibility layer with CUSE.
During these fixes, the compatibility layer was simplified behind a
target in order to start the necessary services together or none of
them (services.esdm.linuxCompatServices).
Furthermore, a small helper was added to ESDM 1.0.1 in order to deal
with resume/suspend/hibernate (FUSE needs to be unblocked).
Removed options are marked.
Signed-off-by: Markus Theil <theil.markus@gmail.com>
