From systemd 243 release note[1]:
This release enables unprivileged programs (i.e. requiring neither
setuid nor file capabilities) to send ICMP Echo (i.e. ping) requests
by turning on the "net.ipv4.ping_group_range" sysctl of the Linux
kernel for the whole UNIX group range, i.e. all processes.
So this wrapper is not needed any more.
See also [2] and [3].
This patch also removes:
- apparmor profiles in NixOS for ping itself and the wrapped one
- other references for the wrapped ping
[1]: 8e2d9d40b3/NEWS (L6457-L6464)
[2]: https://github.com/systemd/systemd/pull/13141
[3]: https://fedoraproject.org/wiki/Changes/EnableSysctlPingGroupRange
3.7 KiB
Activation script
The activation script is a bash script called to activate the new
configuration which resides in a NixOS system in $out/activate
. Since its
contents depend on your system configuration, the contents may differ.
This chapter explains how the script works in general and some common NixOS
snippets. Please be aware that the script is executed on every boot and system
switch, so tasks that can be performed in other places should be performed
there (for example letting a directory of a service be created by systemd using
mechanisms like StateDirectory
, CacheDirectory
, ... or if that's not
possible using preStart
of the service).
Activation scripts are defined as snippets using . They can either be a simple multiline string or an attribute set that can depend on other snippets. The builder for the activation script will take these dependencies into account and order the snippets accordingly. As a simple example:
system.activationScripts.my-activation-script = {
deps = [ "etc" ];
# supportsDryActivation = true;
text = ''
echo "Hallo i bims"
'';
};
This example creates an activation script snippet that is run after the etc
snippet. The special variable supportsDryActivation
can be set so the snippet
is also run when nixos-rebuild dry-activate
is run. To differentiate between
real and dry activation, the $NIXOS_ACTION
environment variable can be
read which is set to dry-activate
when a dry activation is done.
An activation script can write to special files instructing
switch-to-configuration
to restart/reload units. The script will take these
requests into account and will incorporate the unit configuration as described
above. This means that the activation script will "fake" a modified unit file
and switch-to-configuration
will act accordingly. By doing so, configuration
like systemd.services.<name>.restartIfChanged is
respected. Since the activation script is run after services are already
stopped, systemd.services.<name>.stopIfChanged
cannot be taken into account anymore and the unit is always restarted instead
of being stopped and started afterwards.
The files that can be written to are /run/nixos/activation-restart-list
and
/run/nixos/activation-reload-list
with their respective counterparts for
dry activation being /run/nixos/dry-activation-restart-list
and
/run/nixos/dry-activation-reload-list
. Those files can contain
newline-separated lists of unit names where duplicates are being ignored. These
files are not create automatically and activation scripts must take the
possibility into account that they have to create them first.
NixOS snippets
There are some snippets NixOS enables by default because disabling them would most likely break your system. This section lists a few of them and what they do:
binsh
creates/bin/sh
which points to the runtime shelletc
sets up the contents of/etc
, this includes systemd units and excludes/etc/passwd
,/etc/group
, and/etc/shadow
(which are managed by theusers
snippet)hostname
sets the system's hostname in the kernel (not in/etc
)modprobe
sets the path to themodprobe
binary for module auto-loadingnix
prepares the nix store and adds a default initial channelspecialfs
is responsible for mounting filesystems like/proc
andsys
users
creates and removes users and groups by managing/etc/passwd
,/etc/group
and/etc/shadow
. This also creates home directoriesusrbinenv
creates/usr/bin/env
var
creates some directories in/var
that are not service-specificwrappers
creates setuid wrappers likesudo