Moving the service before multi-user.target (so the `hardened` test
continue to work the way it did before) can result in locking the kernel
too early. It's better to lock it a bit later and changing the test to
wait specifically for the disable-kernel-module-loading.service.
The current name is misleading: it doesn't contain cli arguments,
but several constants and utility functions related to qemu.
This commit also removes the use of `with import ...` for clarity.
Previously the influxdb exporter test was flaky as even after the
service has started there is still a race before the service is actually
listening and accepting connection on port 9122.
With this commit the test will wait for the port to be open before
proceeding.
Hydra accepts timeouts as value of seconds after which the test is
terminated / considered failed. Using the value 30 here has the effect
that the test was terminate after 30 seconds. That time might be
sufficient for the test execution itself but it has another downside:
Jobs on hydra inherit the timeout of their parent. In this case all the
builds that are a dependency of the herbstluftwm test *must* finish
(each) within 30s. And since not all of the dependencies are cached in
the binary cache this could lead to an issue with pacakges that take
longer than 30s to build at the time when the herbstluftwm test is built
by hydra.
It is best to not set the timeout here and let hydra deal with it. Our
default timeout for builds is two hours which is more than sufficient
for most builds and tests. If the test fails we will spent ~2h doing
something or nothing at worst but at least we wont kill the build just
because a dependency wasn't fullfilled already.
This updates systemd to version v249.4 from version v247.6.
Besides the many new features that can be found in the upstream
repository they also introduced a bunch of cleanup which ended up
requiring a few more patches on our side.
a) 0022-core-Handle-lookup-paths-being-symlinks.patch:
The way symlinked units were handled was changed in such that the last
name of a unit file within one of the unit directories
(/run/systemd/system, /etc/systemd/system, ...) is used as the name
for the unit. Unfortunately that code didn't take into account that
the unit directories themselves could already be symlinks and thus
caused all our units to be recognized slightly different.
There is an upstream PR for this new patch:
https://github.com/systemd/systemd/pull/20479
b) The way the APIVFS is setup has been changed in such a way that we
now always have /run. This required a few changes to the
confinement tests which did assert that they didn't exist. Instead of
adding another patch we can just adopt the upstream behavior. An
empty /run doesn't seem harmful.
As part of this work I refactored the confinement test just a little
bit to allow better debugging of test failures. Previously it would
just fail at some point and it wasn't obvious which of the many
commands failed or what the unexpected string was. This should now be
more obvious.
c) Again related to the confinement tests the way a file was tested for
being accessible was optimized. Previously systemd would in some
situations open a file twice during that check. This was reduced to
one operation but required the procfs to be mounted in a units
namespace.
An upstream bug was filed and fixed. We are now carrying the
essential patch to fix that issue until it is backported to a new
release (likely only version 250). The good part about this story is
that upstream systemd now has a test case that looks very similar to
one of our confinement tests. Hopefully that will lead to less
friction in the long run.
https://github.com/systemd/systemd/issues/20514https://github.com/systemd/systemd/pull/20515
d) Previously we could grep for dlopen( somewhat reliably but now
upstream started using a wrapper around dlopen that is most of the
time used with linebreaks. This makes using grep not ergonomic
anymore.
With this bump we are grepping for anything that looks like a
dynamic library name (in contrast to a dlopen(3) call) and replace
those instead. That seems more robust. Time will tell if this holds.
I tried using coccinelle to patch all those call sites using its
tooling but unfornately it does stumble upon the _cleanup_
annotations that are very common in the systemd code.
e) We now have some machinery for libbpf support in our systemd build.
That being said it doesn't actually work as generating some skeletons
doesn't work just yet. It fails with the below error message and is
disabled by default (in both minimal and the regular build).
> FAILED: src/core/bpf/socket_bind/socket-bind.skel.h
> /build/source/tools/build-bpf-skel.py --clang_exec /nix/store/x1bi2mkapk1m0zq2g02nr018qyjkdn7a-clang-wrapper-12.0.1/bin/clang --llvm_strip_exec /nix/store/zm0kqan9qc77x219yihmmisi9g3sg8ns-llvm-12.0.1/bin/llvm-strip --bpftool_exec /nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool --arch x86_64 ../src/core/bpf/socket_bind/socket-bind.bpf.c src/core/bpf/socket_bind/socket-bind.skel.h
> libbpf: elf: socket_bind_bpf is not a valid eBPF object file
> Error: failed to open BPF object file: BPF object format invalid
> Traceback (most recent call last):
> File "/build/source/tools/build-bpf-skel.py", line 128, in <module>
> bpf_build(args)
> File "/build/source/tools/build-bpf-skel.py", line 92, in bpf_build
> gen_bpf_skeleton(bpftool_exec=args.bpftool_exec,
> File "/build/source/tools/build-bpf-skel.py", line 63, in gen_bpf_skeleton
> skel = subprocess.check_output(bpftool_args, universal_newlines=True)
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 424, in check_output
> return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
> File "/nix/store/81lwy2hfqj4c1943b1x8a0qsivjhdhw9-python3-3.9.6/lib/python3.9/subprocess.py", line 528, in run
> raise CalledProcessError(retcode, process.args,
> subprocess.CalledProcessError: Command '['/nix/store/l6dg8jlbh8qnqa58mshh3d8r6999dk0p-bpftools-5.13.11/bin/bpftool', 'g', 's', '../src/core/bpf/socket_bind/socket-bind.bpf.o']' returned non-zero exit status 255.
> [102/1457] Compiling C object src/journal/libjournal-core.a.p/journald-server.c.oapture output)put)ut)
> ninja: build stopped: subcommand failed.
f) We do now have support for TPM2 based disk encryption in our
systemd build. The actual bits and pieces to make use of that are
missing but there are various ongoing efforts in that direction.
There is also the story about systemd in our initrd to enable this
being used for root volumes. None of this will yet work out of the
box but we can start improving on that front.
g) FIDO2 support was added systemd and consequently we can now use
that. Just with TPM2 there hasn't been any integration work with
NixOS and instead this just adds that capability to work on that.
Co-Authored-By: Jörg Thalheim <joerg@thalheim.io>
I currently do not have much time to work on nixpkgs. Remove
myself as a maintainer from a bunch of packages to avoid that
people are waiting on me for a review.
The primary use case is tools like sops-nix and agenix to restart units
when secrets change. There's probably other reasons to restart units as
well and a nice thing to have in general.
These are all packages that I stopped using and hence just create noise
in my inbox for each change affecting them and let's face it, while I
still enjoy contributing to nixpkgs, it doesn't really make sense to be
listed there if I can't do much anyways.
Each of these packages can be taken over by someone or removed if
people think that's reasonable.
Of course, if other maintainers face issues, I can answer some questions
if needed & possible.
This doesn't work anymore and thus breaks the installation leaving a
broken `/var/lib/nextcloud`.
It isn't a big deal since we set this value in the override config
before, so the correct table-prefix is still used. In order to confirm
that, I decided to add a custom prefix to the basic test.
twisted is used in matrix-synapse for smtp handling.
Mostly this is used for password resets, but also notifications
are delivered that way.
older versions of twisted require the e-mail server to
have TLS1.0 enabled.
Obviously, quite a lot of servers have this disabled which means
synapse won't be able to deliver mails using such servers.
matrix-synapse issue:
https://github.com/matrix-org/synapse/issues/6211
Deluge 1.x requires Python 2 which upstream has end-of-lifed. Deluge depends
on pythonPackages.twisted, Python 2 support for which upstream has
nowdropped. If pythonPackages.twisted is upgraded then Deluge 1.x breaks.
So, remove it instead of leaving it broken.
Deluge 2.x (deluge-2_x) is available and continues to work.
Perform the tests on the package that the `tests` attribute is a child
of, i.e. if `discourseAllPlugins.tests` is built, the tests will run
with the `discourseAllPlugins` package, not the `discourse` package as
previously.
The problem behind this is that the hardened patchset[1]. Quite recently
this led to a weird problem when Linux 5.12 was dropped (and thus had to
be removed from `nixpkgs`), there were no patches for 5.13, so
`linuxPackages_hardened_latest` had to be downgraded to 5.10 as base[2]
which may be rather unintuitive and unexpected.
To avoid these kind of "silent downgrades" in the future, it makes sense
to drop the attribute entirely. If somebody wants to use a hardened
kernel, it's better to explicitly pin it using the newly introduced
versioned attributes, e.g. `linuxPackages_4_14_hardened`.
[1] https://github.com/anthraxx/linux-hardened/
[2] https://github.com/NixOS/nixpkgs/pull/133587
The paperless project has moved on to paperless-ng and the original
paperless package in Nixpkgs has stopped working recently (due to
version incompatibility with the providede Django package).
Instead of investing more time into the old module we should migrate all
users to the new module instead.
Previously, for processes launched by doas the unwrapped doas binary preceded the
setuid-wrapped doas binary in PATH.
This caused error `doas: not installed setuid` when running doas from
processes launched by doas.
doas seems to short-circuit the PATH lookup when called like
`doas -u myuser doas -u myuser ...` so the error doesn't appear in this case.
I expect it suffices that the channel only blocks on one firefox ESR
test - the one for the default ESR. I didn't want to have the
information about the default in two places, so either of the tests will
be evaluated twice (but to the same *.drv I hope).
Analogous to 6325d15e90.
The test certificate expiration date was set to the default 30 days.
This certificate is generated through its own derivation. As with
every derivation, it gets cached by cache.nixos.org once we build it.
In practice, we rebuild this derivation only if one of its input
changes. The only inputs here being openssl and stdenv.
While it's not an issue on the unstable branches, it can be
problematic on a stable release: the test will fail after 30 days.
Extending the certificate lifespan from 1 month to 100 years to prevent
it from getting expired while being cached.
There is no generic services.kea.enable option. Instead kea consists of
four daemons (dhcp4, dhcp6, ddns, ctrlagent) that can be enabled
individually. In this test we're just looking at dhcp6.
The test certificate expiration date was set to the default 30 days.
This certificate is generated through its own derivation. As with
every derivation, it gets cached by cache.nixos.org once we build it.
In practice, we rebuild this derivation only if one of its input
changes. The only inputs here being openssl and stdenv.
While it's not an issue on the unstable branches, it can be
problematic on a stable release: the test will fail after 30 days.
Extending the certificate lifespan from 1 month to 100 years to prevent
it from getting expired while being cached.
See
https://github.com/NixOS/nixpkgs/pull/132898#issuecomment-894495057
for more context.
This option allows basic configuration of the compression technique
used in the backup script. Specifically it adds `none` and `zstd` as
new alternatives, keeping `gzip` as the default.
* tuxguitar: Ensure that tuxguitar is launched with java 8 comtabilbe jre and libraries as greate java version is not supported
* tuxguitar: Added test to verify application starts without problems
* tuxguitar: 1.5.2 -> 1.5.4
This should catch regressions like #131074 in the future. In that case a
glibc update caused a regression that caused most of the text to become
invisible (just not the "Web Store" we've already been checking for).
https://chromereleases.googleblog.com/2021/07/stable-channel-update-for-desktop_20.html
This update includes 35 security fixes.
CVEs:
CVE-2021-30565 CVE-2021-30566 CVE-2021-30567 CVE-2021-30568
CVE-2021-30569 CVE-2021-30571 CVE-2021-30572 CVE-2021-30573
CVE-2021-30574 CVE-2021-30575 CVE-2021-30576 CVE-2021-30577
CVE-2021-30578 CVE-2021-30579 CVE-2021-30580 CVE-2021-30581
CVE-2021-30582 CVE-2021-30583 CVE-2021-30584 CVE-2021-30585
CVE-2021-30586 CVE-2021-30587 CVE-2021-30588 CVE-2021-30589
Note: This won't be the smoothest update. Chromium seems to be fine but
requires gtk3 in $LD_LIBRARY_PATH to find libgtk-3.so.0 (otherwise it
crashes during startup) but Google Chrome fails to initialize
("GPU process exited unexpectedly: exit_code=132") and requires
"--use-gl=angle --use-angle=swiftshader" for hardware(?) acceleration
(which seems to work work fine and performant but SwiftShader should
actually use the CPU instead of the GPU).
The one-line test is hard to fix in a readable manner
and doesn't really add value above the hello-world test.
So rather simplify to reduce maintenance.
This can be very useful when running the test headless or e.g. when
looking at Hydra logs. Especially the chrome://gpu content contains a
lot of interesting information.
I also decided to refactor the test_new_win() function to avoid
duplicate code and rely less on xdo.
Unfortunately there are some regressions in the GPU code that cause
Chromium and Google Chrome to crash, e.g.:
machine # [0709/084047.890436:ERROR:process_memory_range.cc(75)] read out of range[ 30.153484] show_signal: 20 callbacks suppressed
machine # [ 30.153490] traps: chrome[1036] trap invalid opcode ip:55af03357b29 sp:7ffeaa69ad10 error:0 in chrome[55aefe7a4000+81ec000]
machine #
machine # [0709/084047.955039:ERROR:file_io_posix.cc(144)] open /sys/devices/system/cpu/cpu0/cpufreq/scaling_cur_freq: No such file or directory (2)
machine # [0709/084047.955078:ERROR:file_io_posix.cc(144)] open /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq: No such file or directory (2)
machine # [ 30.126905] systemd[1]: Created slice system-systemd\x2dcoredump.slice.
machine # [ 30.137012] systemd[1]: Started Process Core Dump (PID 1038/UID 0).
machine # [ 30.571987] systemd-coredump[1039]: Process 1036 (chrome) of user 1000 dumped core.
machine # [992:1021:0709/084048.501937:ERROR:gpu_process_host.cc(995)] GPU process exited unexpectedly: exit_code=132
machine # [ 30.594747] systemd[1]: systemd-coredump@0-1038-0.service: Succeeded.
Hopefully this'll be fixed upstream before the final release (there are
bug reports for it) but for the meantime we have to launch the beta and
dev versions with "--use-gl=angle --use-angle=swiftshader".
In commit fbbaa4d40f, the Zsh default
prompt has changed from "walters" to "suse". So instead of:
root@default>
... we now have:
root@default:~/ >
However, in the NixOS VM test, we are matching "root@default>", which
doesn't include the current working directory and thus eventually leads
to a test failure after timing out.
To fix this, I changed the regex to include a newline at the beginning
and made sure that the hostname ends with a word boundary. This way it
doesn't matter whether the prompt is "walters" or "suse", because after
all the test is not about the prompt but about whether the history
mechanism works (or not).
Signed-off-by: aszlig <aszlig@nix.build>
I tried to make this as non-breaking as possible, but it will still
break things slightly for people expecting certain file names in the
packages themselves.
The modules overrides extraComponents which leads to a costly rebuild of
the home-assistant package with all tests. Make it less costly by not
running the tests, as does the default for the package option. The
package's tests are already run by ofborg on every pull request as well
as by Hydra when building home-assistant.
- remove check for `connected .JID: focus@auth.server` because
- log format was changed in c1945ea6cb
- connection.getUser() in jicofo also appears to be broken, returning null instead of username
- testing for this log line shouldn't be necessary, as we also test for "Authenticated as focus@auth.server"
- remove check for `External component successfully authenticated` because
- [JVB no longer uses component](https://community.jitsi.org/t/jvb-not-connecting/91157/2)
- increase VM memory
This reverts the test to be similar to its original Perl version, where
the test steps were performed as individual commands instead of what we
have now, where commands are sent to the machine as one giant string.
While this change doesn't seem like it would make a big difference, it
makes a huge difference if the test fails because you then get an error
about which command has failed exactly instead of just knowing that
"something in there" has failed.
I also switched 2 spaces indentation, because it is more in line with
Nix coding conventions.
Signed-off-by: aszlig <aszlig@nix.build>
Since commit b7749c7671, commands run as
part of VM tests are exiting immediately if an error happens.
When converting the overlayfs test to Python in commit
5ae92144ba, the individual test commands
were crammed into one big string instead of using a series of test
commands like done in the Perl version.
Additionally, the backslash-escaped dollar signs were necessary in
Perl's double-quoted strings to avoid variable interpolation, for Python
however, this results in an actual backslash being inserted into the
command.
While this obviously results in an exit code of 1 (without an error
message, since it's using bash's expression evaluation command), the
test didn't fail because putting all these commands in one string will
result in only the last error code being relevant.
With the change to "set -e" for commands sent to test machines, this has
changed and with the exit code of all commands now relevant, the test
now fails because the errors from individual command substitutions that
were prevented by escaping the dollar sign are now actually visible.
This in turn also means that until now, we wouldn't have noticed if the
overlayfs test would have failed for real.
Signed-off-by: aszlig <aszlig@nix.build>
The attributes got renamed in PR #126440 and in some places this caused
evaluation errors, e.g. the tarball job was saying (locally)
> attribute 'alsaUtils' missing, at /build/source/nixos/modules/services/audio/alsa.nix:6:4
and I suspect that trunk-combined jobset's failure to evaluate was also caused.
It failed since pipefail (b7749c7, PR #125683), due to `systemctl status`
not exiting with code=0 for inactive units (apparently).
That command is meant for humans anyway.
The test doesn't evaluate since #125469 because Linux 5.11 got removed
as it's EOL.
As this fixes the evaluation of the test and it only removes a
declaration that was apparently forgotten, I figured that a push to
unbreak the test is fine.
Firefox has been decoupled from the system certificate store since the
nss p11-kit integration in combination with our cacert package does not
expose CKA_NSS_MOZILLA_CA_POLICY, which among other things is required
for addon updates.