65eb3a590d
Also add support for wrapping binaries with firejail.
367 lines
13 KiB
XML
367 lines
13 KiB
XML
<section xmlns="http://docbook.org/ns/docbook"
|
|
xmlns:xlink="http://www.w3.org/1999/xlink"
|
|
xmlns:xi="http://www.w3.org/2001/XInclude"
|
|
version="5.0"
|
|
xml:id="sec-release-18.09">
|
|
<title>Release 18.09 (“Jellyfish”, 2018/09/??)</title>
|
|
|
|
<section xmlns="http://docbook.org/ns/docbook"
|
|
xmlns:xlink="http://www.w3.org/1999/xlink"
|
|
xmlns:xi="http://www.w3.org/2001/XInclude"
|
|
version="5.0"
|
|
xml:id="sec-release-18.09-highlights">
|
|
<title>Highlights</title>
|
|
|
|
<para>
|
|
In addition to numerous new and upgraded packages, this release has the
|
|
following highlights:
|
|
</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
Support for wrapping binaries using <literal>firejail</literal> has been
|
|
added through <varname>programs.firejail.wrappedBinaries</varname>.
|
|
</para>
|
|
<para>
|
|
For example
|
|
</para>
|
|
<programlisting>
|
|
programs.firejail = {
|
|
enable = true;
|
|
wrappedBinaries = {
|
|
firefox = "${lib.getBin pkgs.firefox}/bin/firefox";
|
|
mpv = "${lib.getBin pkgs.mpv}/bin/mpv";
|
|
};
|
|
};
|
|
</programlisting>
|
|
<para>
|
|
This will place <literal>firefox</literal> and <literal>mpv</literal> binaries in the global path wrapped by firejail.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
User channels are now in the default <literal>NIX_PATH</literal>, allowing
|
|
users to use their personal <command>nix-channel</command> defined
|
|
channels in <command>nix-build</command> and <command>nix-shell</command>
|
|
commands, as well as in imports like <code>import
|
|
<mychannel></code>.
|
|
</para>
|
|
<para>
|
|
For example
|
|
</para>
|
|
<programlisting>
|
|
$ nix-channel --add https://nixos.org/channels/nixpkgs-unstable nixpkgsunstable
|
|
$ nix-channel --update
|
|
$ nix-build '<nixpkgsunstable>' -A gitFull
|
|
$ nix run -f '<nixpkgsunstable>' gitFull
|
|
$ nix-instantiate -E '(import <nixpkgsunstable> {}).gitFull'
|
|
</programlisting>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|
|
|
|
<section xmlns="http://docbook.org/ns/docbook"
|
|
xmlns:xlink="http://www.w3.org/1999/xlink"
|
|
xmlns:xi="http://www.w3.org/2001/XInclude"
|
|
version="5.0"
|
|
xml:id="sec-release-18.09-new-services">
|
|
<title>New Services</title>
|
|
|
|
<para>
|
|
The following new services were added since the last release:
|
|
</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
When enabled the <literal>iproute2</literal> will copy the files expected
|
|
by ip route (e.g., <filename>rt_tables</filename>) in
|
|
<filename>/run/iproute2</filename>. This allows to write aliases for
|
|
routing tables for instance.
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|
|
|
|
<section xmlns="http://docbook.org/ns/docbook"
|
|
xmlns:xlink="http://www.w3.org/1999/xlink"
|
|
xmlns:xi="http://www.w3.org/2001/XInclude"
|
|
version="5.0"
|
|
xml:id="sec-release-18.09-incompatibilities">
|
|
<title>Backward Incompatibilities</title>
|
|
|
|
<para>
|
|
When upgrading from a previous release, please be aware of the following
|
|
incompatible changes:
|
|
</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
<literal>lib.strict</literal> is removed. Use
|
|
<literal>builtins.seq</literal> instead.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <literal>clementine</literal> package points now to the free
|
|
derivation. <literal>clementineFree</literal> is removed now and
|
|
<literal>clementineUnfree</literal> points to the package which is bundled
|
|
with the unfree <literal>libspotify</literal> package.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <literal>netcat</literal> package is now taken directly from OpenBSD's
|
|
<literal>libressl</literal>, instead of relying on Debian's fork. The new
|
|
version should be very close to the old version, but there are some minor
|
|
differences. Importantly, flags like -b, -q, -C, and -Z are no longer
|
|
accepted by the nc command.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <varname>services.docker-registry.extraConfig</varname> object doesn't
|
|
contain environment variables anymore. Instead it needs to provide an
|
|
object structure that can be mapped onto the YAML configuration defined in
|
|
<link xlink:href="https://github.com/docker/distribution/blob/v2.6.2/docs/configuration.md">the
|
|
<varname>docker/distribution</varname> docs</link>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<literal>gnucash</literal> has changed from version 2.4 to 3.x. If you've
|
|
been using <literal>gnucash</literal> (version 2.4) instead of
|
|
<literal>gnucash26</literal> (version 2.6) you must open your Gnucash data
|
|
file(s) with <literal>gnucash26</literal> and then save them to upgrade
|
|
the file format. Then you may use your data file(s) with Gnucash 3.x. See
|
|
the upgrade
|
|
<link xlink:href="https://wiki.gnucash.org/wiki/FAQ#Using_Different_Versions.2C_Up_And_Downgrade">documentation</link>.
|
|
Gnucash 2.4 is still available under the attribute
|
|
<literal>gnucash24</literal>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<varname>services.munge</varname> now runs as user (and group) <literal>munge</literal> instead of root.
|
|
Make sure the key file is accessible to the daemon.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<varname>dockerTools.buildImage</varname> now uses <literal>null</literal> as default value for <varname>tag</varname>,
|
|
which indicates that the nix output hash will be used as tag.
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|
|
|
|
<section xmlns="http://docbook.org/ns/docbook"
|
|
xmlns:xlink="http://www.w3.org/1999/xlink"
|
|
xmlns:xi="http://www.w3.org/2001/XInclude"
|
|
version="5.0"
|
|
xml:id="sec-release-18.09-notable-changes">
|
|
<title>Other Notable Changes</title>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
<literal>dockerTools.pullImage</literal> relies on image digest instead of
|
|
image tag to download the image. The <literal>sha256</literal> of a pulled
|
|
image has to be updated.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<literal>lib.attrNamesToStr</literal> has been deprecated. Use more
|
|
specific concatenation (<literal>lib.concat(Map)StringsSep</literal>)
|
|
instead.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<literal>lib.addErrorContextToAttrs</literal> has been deprecated. Use
|
|
<literal>builtins.addErrorContext</literal> directly.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<literal>lib.showVal</literal> has been deprecated. Use
|
|
<literal>lib.traceSeqN</literal> instead.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<literal>lib.traceXMLVal</literal> has been deprecated. Use
|
|
<literal>lib.traceValFn builtins.toXml</literal> instead.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<literal>lib.traceXMLValMarked</literal> has been deprecated. Use
|
|
<literal>lib.traceValFn (x: str + builtins.toXML x)</literal> instead.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <literal>pkgs</literal> argument to NixOS modules can now be set directly using <literal>nixpkgs.pkgs</literal>. Previously, only the <literal>system</literal>, <literal>config</literal> and <literal>overlays</literal> arguments could be used to influence <literal>pkgs</literal>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
A NixOS system can now be constructed more easily based on a preexisting invocation of Nixpkgs. For example:
|
|
<programlisting>
|
|
inherit (pkgs.nixos {
|
|
boot.loader.grub.enable = false;
|
|
fileSystems."/".device = "/dev/xvda1";
|
|
}) toplevel kernel initialRamdisk manual;
|
|
</programlisting>
|
|
|
|
This benefits evaluation performance, lets you write Nixpkgs packages that depend on NixOS images and is consistent with a deployment architecture that would be centered around Nixpkgs overlays.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<literal>lib.traceValIfNot</literal> has been deprecated. Use
|
|
<literal>if/then/else</literal> and <literal>lib.traceValSeq</literal> instead.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<literal>lib.traceCallXml</literal> has been deprecated. Please complain
|
|
if you use the function regularly.
|
|
</para>
|
|
<para>
|
|
The attribute <literal>lib.nixpkgsVersion</literal> has been deprecated in
|
|
favor of <literal>lib.version</literal>. Please refer to the discussion in
|
|
<link xlink:href="https://github.com/NixOS/nixpkgs/pull/39416#discussion_r183845745">NixOS/nixpkgs#39416</link>
|
|
for further reference.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The module for <option>security.dhparams</option> has two new options now:
|
|
</para>
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>
|
|
<option>security.dhparams.stateless</option>
|
|
</term>
|
|
<listitem>
|
|
<para>
|
|
Puts the generated Diffie-Hellman parameters into the Nix store instead
|
|
of managing them in a stateful manner in
|
|
<filename class="directory">/var/lib/dhparams</filename>.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>
|
|
<option>security.dhparams.defaultBitSize</option>
|
|
</term>
|
|
<listitem>
|
|
<para>
|
|
The default bit size to use for the generated Diffie-Hellman
|
|
parameters.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
<note>
|
|
<para>
|
|
The path to the actual generated parameter files should now be queried
|
|
using
|
|
<literal>config.security.dhparams.params.<replaceable>name</replaceable>.path</literal>
|
|
because it might be either in the Nix store or in a directory configured
|
|
by <option>security.dhparams.path</option>.
|
|
</para>
|
|
</note>
|
|
<note>
|
|
<title>For developers:</title>
|
|
<para>
|
|
Module implementers should not set a specific bit size in order to let
|
|
users configure it by themselves if they want to have a different bit
|
|
size than the default (2048).
|
|
</para>
|
|
<para>
|
|
An example usage of this would be:
|
|
<programlisting>
|
|
{ config, ... }:
|
|
|
|
{
|
|
security.dhparams.params.myservice = {};
|
|
environment.etc."myservice.conf".text = ''
|
|
dhparams = ${config.security.dhparams.params.myservice.path}
|
|
'';
|
|
}
|
|
</programlisting>
|
|
</para>
|
|
</note>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<literal>networking.networkmanager.useDnsmasq</literal> has been
|
|
deprecated. Use <literal>networking.networkmanager.dns</literal> instead.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The option
|
|
<varname>services.kubernetes.apiserver.admissionControl</varname> was
|
|
renamed to
|
|
<varname>services.kubernetes.apiserver.enableAdmissionPlugins</varname>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Recommended way to access the Kubernetes Dashboard is via HTTPS (TLS)
|
|
Therefore; public service port for the dashboard has changed to 443
|
|
(container port 8443) and scheme to https.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The option <varname>services.kubernetes.apiserver.address</varname>
|
|
was renamed to <varname>services.kubernetes.apiserver.bindAddress</varname>.
|
|
Note that the default value has changed from 127.0.0.1 to 0.0.0.0.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The option <varname>services.kubernetes.apiserver.publicAddress</varname>
|
|
was not used and thus has been removed.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The option <varname>services.kubernetes.addons.dashboard.enableRBAC</varname>
|
|
was renamed to <varname>services.kubernetes.addons.dashboard.rbac.enable</varname>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The Kubernetes Dashboard now has only minimal RBAC permissions by default.
|
|
If dashboard cluster-admin rights are desired,
|
|
set <varname>services.kubernetes.addons.dashboard.rbac.clusterAdmin</varname> to true.
|
|
On existing clusters, in order for the revocation of privileges to take effect,
|
|
the current ClusterRoleBinding for kubernetes-dashboard must be manually removed:
|
|
<literal>kubectl delete clusterrolebinding kubernetes-dashboard</literal>
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <varname>programs.screen</varname> module provides allows to configure
|
|
<literal>/etc/screenrc</literal>, however the module behaved fairly counterintuitive as
|
|
the config exists, but the package wasn't available. Since 18.09 <literal>pkgs.screen</literal>
|
|
will be added to <literal>environment.systemPackages</literal>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The module <option>services.networking.hostapd</option> now uses WPA2 by default.
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|
|
</section>
|