769 lines
30 KiB
XML
769 lines
30 KiB
XML
|
<section xmlns="http://docbook.org/ns/docbook"
|
||
|
xmlns:xlink="http://www.w3.org/1999/xlink"
|
||
|
xmlns:xi="http://www.w3.org/2001/XInclude"
|
||
|
version="5.0"
|
||
|
xml:id="sec-release-19.03">
|
||
|
<title>Release 19.03 (“Koi”, 2019/04/11)</title>
|
||
|
|
||
|
<section xmlns="http://docbook.org/ns/docbook"
|
||
|
xmlns:xlink="http://www.w3.org/1999/xlink"
|
||
|
xmlns:xi="http://www.w3.org/2001/XInclude"
|
||
|
version="5.0"
|
||
|
xml:id="sec-release-19.03-highlights">
|
||
|
<title>Highlights</title>
|
||
|
|
||
|
<para>
|
||
|
In addition to numerous new and upgraded packages, this release has the
|
||
|
following highlights:
|
||
|
</para>
|
||
|
|
||
|
<itemizedlist>
|
||
|
<listitem>
|
||
|
<para>
|
||
|
End of support is planned for end of October 2019, handing over to 19.09.
|
||
|
</para>
|
||
|
</listitem>
|
||
|
<listitem>
|
||
|
<para>
|
||
|
The default Python 3 interpreter is now CPython 3.7 instead of CPython
|
||
|
3.6.
|
||
|
</para>
|
||
|
</listitem>
|
||
|
<listitem>
|
||
|
<para>
|
||
|
Added the Pantheon desktop environment. It can be enabled through
|
||
|
<varname>services.xserver.desktopManager.pantheon.enable</varname>.
|
||
|
</para>
|
||
|
<note>
|
||
|
<para>
|
||
|
By default, <varname>services.xserver.desktopManager.pantheon</varname>
|
||
|
enables LightDM as a display manager, as pantheon's screen locking
|
||
|
implementation relies on it.
|
||
|
</para>
|
||
|
<para>
|
||
|
Because of that it is recommended to leave LightDM enabled. If you'd like
|
||
|
to disable it anyway, set
|
||
|
<option>services.xserver.displayManager.lightdm.enable</option> to
|
||
|
<literal>false</literal> and enable your preferred display manager.
|
||
|
</para>
|
||
|
</note>
|
||
|
<para>
|
||
|
Also note that Pantheon's LightDM greeter is not enabled by default,
|
||
|
because it has numerous issues in NixOS and isn't optimal for use here
|
||
|
yet.
|
||
|
</para>
|
||
|
</listitem>
|
||
|
<listitem>
|
||
|
<para>
|
||
|
A major refactoring of the Kubernetes module has been completed.
|
||
|
Refactorings primarily focus on decoupling components and enhancing
|
||
|
security. Two-way TLS and RBAC has been enabled by default for all
|
||
|
components, which slightly changes the way the module is configured. See:
|
||
|
<xref linkend="sec-kubernetes"/> for details.
|
||
|
</para>
|
||
|
</listitem>
|
||
|
<listitem>
|
||
|
<para>
|
||
|
There is now a set of <option>confinement</option> options for
|
||
|
<option>systemd.services</option>, which allows to restrict services
|
||
|
into a <citerefentry>
|
||
|
<refentrytitle>chroot</refentrytitle>
|
||
|
<manvolnum>2</manvolnum>
|
||
|
</citerefentry>ed environment that only contains the store paths from
|
||
|
the runtime closure of the service.
|
||
|
</para>
|
||
|
</listitem>
|
||
|
</itemizedlist>
|
||
|
</section>
|
||
|
|
||
|
<section xmlns="http://docbook.org/ns/docbook"
|
||
|
xmlns:xlink="http://www.w3.org/1999/xlink"
|
||
|
xmlns:xi="http://www.w3.org/2001/XInclude"
|
||
|
version="5.0"
|
||
|
xml:id="sec-release-19.03-new-services">
|
||
|
<title>New Services</title>
|
||
|
|
||
|
<para>
|
||
|
The following new services were added since the last release:
|
||
|
</para>
|
||
|
|
||
|
<itemizedlist>
|
||
|
<listitem>
|
||
|
<para>
|
||
|
<literal>./programs/nm-applet.nix</literal>
|
||
|
</para>
|
||
|
</listitem>
|
||
|
<listitem>
|
||
|
<para>
|
||
|
There is a new <varname>security.googleOsLogin</varname> module for using
|
||
|
<link xlink:href="https://cloud.google.com/compute/docs/instances/managing-instance-access">OS
|
||
|
Login</link> to manage SSH access to Google Compute Engine instances,
|
||
|
which supersedes the imperative and broken
|
||
|
<literal>google-accounts-daemon</literal> used in
|
||
|
<literal>nixos/modules/virtualisation/google-compute-config.nix</literal>.
|
||
|
</para>
|
||
|
</listitem>
|
||
|
<listitem>
|
||
|
<para>
|
||
|
<literal>./services/misc/beanstalkd.nix</literal>
|
||
|
</para>
|
||
|
</listitem>
|
||
|
<listitem>
|
||
|
<para>
|
||
|
There is a new <varname>services.cockroachdb</varname> module for running
|
||
|
CockroachDB databases. NixOS now ships with CockroachDB 2.1.x as well,
|
||
|
available on <literal>x86_64-linux</literal> and
|
||
|
<literal>aarch64-linux</literal>.
|
||
|
</para>
|
||
|
</listitem>
|
||
|
</itemizedlist>
|
||
|
|
||
|
<itemizedlist>
|
||
|
<listitem>
|
||
|
<para>
|
||
|
<literal>./security/duosec.nix</literal>
|
||
|
</para>
|
||
|
</listitem>
|
||
|
<listitem>
|
||
|
<para>
|
||
|
The <link xlink:href="https://duo.com/docs/duounix">PAM module for Duo
|
||
|
Security</link> has been enabled for use. One can configure it using the
|
||
|
<option>security.duosec</option> options along with the corresponding PAM
|
||
|
option in
|
||
|
<option>security.pam.services.<name?>.duoSecurity.enable</option>.
|
||
|
</para>
|
||
|
</listitem>
|
||
|
</itemizedlist>
|
||
|
</section>
|
||
|
|
||
|
<section xmlns="http://docbook.org/ns/docbook"
|
||
|
xmlns:xlink="http://www.w3.org/1999/xlink"
|
||
|
xmlns:xi="http://www.w3.org/2001/XInclude"
|
||
|
version="5.0"
|
||
|
xml:id="sec-release-19.03-incompatibilities">
|
||
|
<title>Backward Incompatibilities</title>
|
||
|
|
||
|
<para>
|
||
|
When upgrading from a previous release, please be aware of the following
|
||
|
incompatible changes:
|
||
|
</para>
|
||
|
|
||
|
<itemizedlist>
|
||
|
<listitem>
|
||
|
<para>
|
||
|
The minimum version of Nix required to evaluate Nixpkgs is now 2.0.
|
||
|
</para>
|
||
|
<itemizedlist>
|
||
|
<listitem>
|
||
|
<para>
|
||
|
For users of NixOS 18.03 and 19.03, NixOS defaults to Nix 2.0, but
|
||
|
supports using Nix 1.11 by setting <literal>nix.package =
|
||
|
pkgs.nix1;</literal>. If this option is set to a Nix 1.11 package, you
|
||
|
will need to either unset the option or upgrade it to Nix 2.0.
|
||
|
</para>
|
||
|
</listitem>
|
||
|
<listitem>
|
||
|
<para>
|
||
|
For users of NixOS 17.09, you will first need to upgrade Nix by setting
|
||
|
<literal>nix.package = pkgs.nixStable2;</literal> and run
|
||
|
<command>nixos-rebuild switch</command> as the <literal>root</literal>
|
||
|
user.
|
||
|
</para>
|
||
|
</listitem>
|
||
|
<listitem>
|
||
|
<para>
|
||
|
For users of a daemon-less Nix installation on Linux or macOS, you can
|
||
|
upgrade Nix by running <command>curl https://nixos.org/nix/install |
|
||
|
sh</command>, or prior to doing a channel update, running
|
||
|
<command>nix-env -iA nix</command>.
|
||
|
</para>
|
||
|
<para>
|
||
|
If you have already run a channel update and Nix is no longer able to
|
||
|
evaluate Nixpkgs, the error message printed should provide adequate
|
||
|
directions for upgrading Nix.
|
||
|
</para>
|
||
|
</listitem>
|
||
|
<listitem>
|
||
|
<para>
|
||
|
For users of the Nix daemon on macOS, you can upgrade Nix by running
|
||
|
<command>sudo -i sh -c 'nix-channel --update && nix-env -iA
|
||
|
nixpkgs.nix'; sudo launchctl stop org.nixos.nix-daemon; sudo launchctl
|
||
|
start org.nixos.nix-daemon</command>.
|
||
|
</para>
|
||
|
</listitem>
|
||
|
</itemizedlist>
|
||
|
</listitem>
|
||
|
<listitem>
|
||
|
<para>
|
||
|
The <varname>buildPythonPackage</varname> function now sets
|
||
|
<varname>strictDeps = true</varname> to help distinguish between native
|
||
|
and non-native dependencies in order to improve cross-compilation
|
||
|
compatibility. Note however that this may break user expressions.
|
||
|
</para>
|
||
|
</listitem>
|
||
|
<listitem>
|
||
|
<para>
|
||
|
The <varname>buildPythonPackage</varname> function now sets <varname>LANG
|
||
|
= C.UTF-8</varname> to enable Unicode support. The
|
||
|
<varname>glibcLocales</varname> package is no longer needed as a build
|
||
|
input.
|
||
|
</para>
|
||
|
</listitem>
|
||
|
<listitem>
|
||
|
<para>
|
||
|
The Syncthing state and configuration data has been moved from
|
||
|
<varname>services.syncthing.dataDir</varname> to the newly defined
|
||
|
<varname>services.syncthing.configDir</varname>, which default to
|
||
|
<literal>/var/lib/syncthing/.config/syncthing</literal>. This change makes
|
||
|
possible to share synced directories using ACLs without Syncthing
|
||
|
resetting the permission on every start.
|
||
|
</para>
|
||
|
</listitem>
|
||
|
<listitem>
|
||
|
<para>
|
||
|
The <literal>ntp</literal> module now has sane default restrictions. If
|
||
|
you're relying on the previous defaults, which permitted all queries and
|
||
|
commands from all firewall-permitted sources, you can set
|
||
|
<varname>services.ntp.restrictDefault</varname> and
|
||
|
<varname>services.ntp.restrictSource</varname> to <literal>[]</literal>.
|
||
|
</para>
|
||
|
</listitem>
|
||
|
<listitem>
|
||
|
<para>
|
||
|
Package <varname>rabbitmq_server</varname> is renamed to
|
||
|
<varname>rabbitmq-server</varname>.
|
||
|
</para>
|
||
|
</listitem>
|
||
|
<listitem>
|
||
|
<para>
|
||
|
The <literal>light</literal> module no longer uses setuid binaries, but
|
||
|
udev rules. As a consequence users of that module have to belong to the
|
||
|
<literal>video</literal> group in order to use the executable (i.e.
|
||
|
<literal>users.users.yourusername.extraGroups = ["video"];</literal>).
|
||
|
</para>
|
||
|
</listitem>
|
||
|
<listitem>
|
||
|
<para>
|
||
|
Buildbot now supports Python 3 and its packages have been moved to
|
||
|
<literal>pythonPackages</literal>. The options
|
||
|
<option>services.buildbot-master.package</option> and
|
||
|
<option>services.buildbot-worker.package</option> can be used to select
|
||
|
the Python 2 or 3 version of the package.
|
||
|
</para>
|
||
|
</listitem>
|
||
|
<listitem>
|
||
|
<para>
|
||
|
Options
|
||
|
<literal>services.znc.confOptions.networks.<replaceable>name</replaceable>.userName</literal>
|
||
|
and
|
||
|
<literal>services.znc.confOptions.networks.<replaceable>name</replaceable>.modulePackages</literal>
|
||
|
were removed. They were never used for anything and can therefore safely
|
||
|
be removed.
|
||
|
</para>
|
||
|
</listitem>
|
||
|
<listitem>
|
||
|
<para>
|
||
|
Package <literal>wasm</literal> has been renamed
|
||
|
<literal>proglodyte-wasm</literal>. The package <literal>wasm</literal>
|
||
|
will be pointed to <literal>ocamlPackages.wasm</literal> in 19.09, so make
|
||
|
sure to update your configuration if you want to keep
|
||
|
<literal>proglodyte-wasm</literal>
|
||
|
</para>
|
||
|
</listitem>
|
||
|
<listitem>
|
||
|
<para>
|
||
|
When the <literal>nixpkgs.pkgs</literal> option is set, NixOS will no
|
||
|
longer ignore the <literal>nixpkgs.overlays</literal> option. The old
|
||
|
behavior can be recovered by setting <literal>nixpkgs.overlays =
|
||
|
lib.mkForce [];</literal>.
|
||
|
</para>
|
||
|
</listitem>
|
||
|
<listitem>
|
||
|
<para>
|
||
|
OpenSMTPD has been upgraded to version 6.4.0p1. This release makes
|
||
|
backwards-incompatible changes to the configuration file format. See
|
||
|
<command>man smtpd.conf</command> for more information on the new file
|
||
|
format.
|
||
|
</para>
|
||
|
</listitem>
|
||
|
<listitem>
|
||
|
<para>
|
||
|
The versioned <varname>postgresql</varname> have been renamed to use
|
||
|
underscore number seperators. For example, <varname>postgresql96</varname>
|
||
|
has been renamed to <varname>postgresql_9_6</varname>.
|
||
|
</para>
|
||
|
</listitem>
|
||
|
<listitem>
|
||
|
<para>
|
||
|
Package <literal>consul-ui</literal> and passthrough
|
||
|
<literal>consul.ui</literal> have been removed. The package
|
||
|
<literal>consul</literal> now uses upstream releases that vendor the UI
|
||
|
into the binary. See
|
||
|
<link xlink:href="https://github.com/NixOS/nixpkgs/pull/48714#issuecomment-433454834">#48714</link>
|
||
|
for details.
|
||
|
</para>
|
||
|
</listitem>
|
||
|
<listitem>
|
||
|
<para>
|
||
|
Slurm introduces the new option
|
||
|
<literal>services.slurm.stateSaveLocation</literal>, which is now set to
|
||
|
<literal>/var/spool/slurm</literal> by default (instead of
|
||
|
<literal>/var/spool</literal>). Make sure to move all files to the new
|
||
|
directory or to set the option accordingly.
|
||
|
</para>
|
||
|
<para>
|
||
|
The slurmctld now runs as user <literal>slurm</literal> instead of
|
||
|
<literal>root</literal>. If you want to keep slurmctld running as
|
||
|
<literal>root</literal>, set <literal>services.slurm.user =
|
||
|
root</literal>.
|
||
|
</para>
|
||
|
<para>
|
||
|
The options <literal>services.slurm.nodeName</literal> and
|
||
|
<literal>services.slurm.partitionName</literal> are now sets of strings to
|
||
|
correctly reflect that fact that each of these options can occour more
|
||
|
than once in the configuration.
|
||
|
</para>
|
||
|
</listitem>
|
||
|
<listitem>
|
||
|
<para>
|
||
|
The <literal>solr</literal> package has been upgraded from 4.10.3 to 7.5.0
|
||
|
and has undergone some major changes. The <literal>services.solr</literal>
|
||
|
module has been updated to reflect these changes. Please review
|
||
|
http://lucene.apache.org/solr/ carefully before upgrading.
|
||
|
</para>
|
||
|
</listitem>
|
||
|
<listitem>
|
||
|
<para>
|
||
|
Package <literal>ckb</literal> is renamed to <literal>ckb-next</literal>,
|
||
|
and options <literal>hardware.ckb.*</literal> are renamed to
|
||
|
<literal>hardware.ckb-next.*</literal>.
|
||
|
</para>
|
||
|
</listitem>
|
||
|
<listitem>
|
||
|
<para>
|
||
|
The option
|
||
|
<literal>services.xserver.displayManager.job.logToFile</literal> which was
|
||
|
previously set to <literal>true</literal> when using the display managers
|
||
|
<literal>lightdm</literal>, <literal>sddm</literal> or
|
||
|
<literal>xpra</literal> has been reset to the default value
|
||
|
(<literal>false</literal>).
|
||
|
</para>
|
||
|
</listitem>
|
||
|
<listitem>
|
||
|
<para>
|
||
|
Network interface indiscriminate NixOS firewall options
|
||
|
(<literal>networking.firewall.allow*</literal>) are now preserved when
|
||
|
also setting interface specific rules such as
|
||
|
<literal>networking.firewall.interfaces.en0.allow*</literal>. These rules
|
||
|
continue to use the pseudo device "default"
|
||
|
(<literal>networking.firewall.interfaces.default.*</literal>), and
|
||
|
assigning to this pseudo device will override the
|
||
|
(<literal>networking.firewall.allow*</literal>) options.
|
||
|
</para>
|
||
|
</listitem>
|
||
|
<listitem>
|
||
|
<para>
|
||
|
The <literal>nscd</literal> service now disables all caching of
|
||
|
<literal>passwd</literal> and <literal>group</literal> databases by
|
||
|
default. This was interferring with the correct functioning of the
|
||
|
<literal>libnss_systemd.so</literal> module which is used by
|
||
|
<literal>systemd</literal> to manage uids and usernames in the presence of
|
||
|
<literal>DynamicUser=</literal> in systemd services. This was already the
|
||
|
default behaviour in presence of <literal>services.sssd.enable =
|
||
|
true</literal> because nscd caching would interfere with
|
||
|
<literal>sssd</literal> in unpredictable ways as well. Because we're using
|
||
|
nscd not for caching, but for convincing glibc to find NSS modules in the
|
||
|
nix store instead of an absolute path, we have decided to disable caching
|
||
|
globally now, as it's usually not the behaviour the user wants and can
|
||
|
lead to surprising behaviour. Furthermore, negative caching of host
|
||
|
lookups is also disabled now by default. This should fix the issue of dns
|
||
|
lookups failing in the presence of an unreliable network.
|
||
|
</para>
|
||
|
<para>
|
||
|
If the old behaviour is desired, this can be restored by setting the
|
||
|
<literal>services.nscd.config</literal> option with the desired caching
|
||
|
parameters.
|
||
|
<programlisting>
|
||
|
services.nscd.config =
|
||
|
''
|
||
|
server-user nscd
|
||
|
threads 1
|
||
|
paranoia no
|
||
|
debug-level 0
|
||
|
|
||
|
enable-cache passwd yes
|
||
|
positive-time-to-live passwd 600
|
||
|
negative-time-to-live passwd 20
|
||
|
suggested-size passwd 211
|
||
|
check-files passwd yes
|
||
|
persistent passwd no
|
||
|
shared passwd yes
|
||
|
|
||
|
enable-cache group yes
|
||
|
positive-time-to-live group 3600
|
||
|
negative-time-to-live group 60
|
||
|
suggested-size group 211
|
||
|
check-files group yes
|
||
|
persistent group no
|
||
|
shared group yes
|
||
|
|
||
|
enable-cache hosts yes
|
||
|
positive-time-to-live hosts 600
|
||
|
negative-time-to-live hosts 5
|
||
|
suggested-size hosts 211
|
||
|
check-files hosts yes
|
||
|
persistent hosts no
|
||
|
shared hosts yes
|
||
|
'';
|
||
|
</programlisting>
|
||
|
See
|
||
|
<link xlink:href="https://github.com/NixOS/nixpkgs/pull/50316">#50316</link>
|
||
|
for details.
|
||
|
</para>
|
||
|
</listitem>
|
||
|
<listitem>
|
||
|
<para>
|
||
|
GitLab Shell previously used the nix store paths for the
|
||
|
<literal>gitlab-shell</literal> command in its
|
||
|
<literal>authorized_keys</literal> file, which might stop working after
|
||
|
garbage collection. To circumvent that, we regenerated that file on each
|
||
|
startup. As <literal>gitlab-shell</literal> has now been changed to use
|
||
|
<literal>/var/run/current-system/sw/bin/gitlab-shell</literal>, this is
|
||
|
not necessary anymore, but there might be leftover lines with a nix store
|
||
|
path. Regenerate the <literal>authorized_keys</literal> file via
|
||
|
<command>sudo -u git -H gitlab-rake gitlab:shell:setup</command> in that
|
||
|
case.
|
||
|
</para>
|
||
|
</listitem>
|
||
|
<listitem>
|
||
|
<para>
|
||
|
The <literal>pam_unix</literal> account module is now loaded with its
|
||
|
control field set to <literal>required</literal> instead of
|
||
|
<literal>sufficient</literal>, so that later PAM account modules that
|
||
|
might do more extensive checks are being executed. Previously, the whole
|
||
|
account module verification was exited prematurely in case a nss module
|
||
|
provided the account name to <literal>pam_unix</literal>. The LDAP and
|
||
|
SSSD NixOS modules already add their NSS modules when enabled. In case
|
||
|
your setup breaks due to some later PAM account module previosuly
|
||
|
shadowed, or failing NSS lookups, please file a bug. You can get back the
|
||
|
old behaviour by manually setting <literal>
|
||
|
<![CDATA[security.pam.services.<name?>.text]]>
|
||
|
</literal>.
|
||
|
</para>
|
||
|
</listitem>
|
||
|
<listitem>
|
||
|
<para>
|
||
|
The <literal>pam_unix</literal> password module is now loaded with its
|
||
|
control field set to <literal>sufficient</literal> instead of
|
||
|
<literal>required</literal>, so that password managed only by later PAM
|
||
|
password modules are being executed. Previously, for example, changing an
|
||
|
LDAP account's password through PAM was not possible: the whole password
|
||
|
module verification was exited prematurely by <literal>pam_unix</literal>,
|
||
|
preventing <literal>pam_ldap</literal> to manage the password as it
|
||
|
should.
|
||
|
</para>
|
||
|
</listitem>
|
||
|
<listitem>
|
||
|
<para>
|
||
|
<literal>fish</literal> has been upgraded to 3.0. It comes with a number
|
||
|
of improvements and backwards incompatible changes. See the
|
||
|
<literal>fish</literal>
|
||
|
<link xlink:href="https://github.com/fish-shell/fish-shell/releases/tag/3.0.0">release
|
||
|
notes</link> for more information.
|
||
|
</para>
|
||
|
</listitem>
|
||
|
<listitem>
|
||
|
<para>
|
||
|
The ibus-table input method has had a change in config format, which
|
||
|
causes all previous settings to be lost. See
|
||
|
<link xlink:href="https://github.com/mike-fabian/ibus-table/commit/f9195f877c5212fef0dfa446acb328c45ba5852b">this
|
||
|
commit message</link> for details.
|
||
|
</para>
|
||
|
</listitem>
|
||
|
<listitem>
|
||
|
<para>
|
||
|
NixOS module system type <literal>types.optionSet</literal> and
|
||
|
<literal>lib.mkOption</literal> argument <literal>options</literal> are
|
||
|
deprecated. Use <literal>types.submodule</literal> instead.
|
||
|
(<link xlink:href="https://github.com/NixOS/nixpkgs/pull/54637">#54637</link>)
|
||
|
</para>
|
||
|
</listitem>
|
||
|
<listitem>
|
||
|
<para>
|
||
|
<literal>matrix-synapse</literal> has been updated to version 0.99. It
|
||
|
will <link xlink:href="https://github.com/matrix-org/synapse/pull/4509">no
|
||
|
longer generate a self-signed certificate on first launch</link> and will
|
||
|
be
|
||
|
<link xlink:href="https://matrix.org/blog/2019/02/05/synapse-0-99-0/">the
|
||
|
last version to accept self-signed certificates</link>. As such, it is now
|
||
|
recommended to use a proper certificate verified by a root CA (for example
|
||
|
Let's Encrypt). The new <link linkend="module-services-matrix">manual
|
||
|
chapter on Matrix</link> contains a working example of using nginx as a
|
||
|
reverse proxy in front of <literal>matrix-synapse</literal>, using Let's
|
||
|
Encrypt certificates.
|
||
|
</para>
|
||
|
</listitem>
|
||
|
<listitem>
|
||
|
<para>
|
||
|
<literal>mailutils</literal> now works by default when
|
||
|
<literal>sendmail</literal> is not in a setuid wrapper. As a consequence,
|
||
|
the <literal>sendmailPath</literal> argument, having lost its main use,
|
||
|
has been removed.
|
||
|
</para>
|
||
|
</listitem>
|
||
|
<listitem>
|
||
|
<para>
|
||
|
<literal>graylog</literal> has been upgraded from version 2.* to 3.*. Some
|
||
|
setups making use of extraConfig (especially those exposing Graylog via
|
||
|
reverse proxies) need to be updated as upstream removed/replaced some
|
||
|
settings. See
|
||
|
<link xlink:href="http://docs.graylog.org/en/3.0/pages/upgrade/graylog-3.0.html#simplified-http-interface-configuration">Upgrading
|
||
|
Graylog</link> for details.
|
||
|
</para>
|
||
|
</listitem>
|
||
|
<listitem>
|
||
|
<para>
|
||
|
The option <literal>users.ldap.bind.password</literal> was renamed to <literal>users.ldap.bind.passwordFile</literal>,
|
||
|
and needs to be readable by the <literal>nslcd</literal> user.
|
||
|
Same applies to the new <literal>users.ldap.daemon.rootpwmodpwFile</literal> option.
|
||
|
</para>
|
||
|
</listitem>
|
||
|
<listitem>
|
||
|
<para>
|
||
|
<literal>nodejs-6_x</literal> is end-of-life.
|
||
|
<literal>nodejs-6_x</literal>, <literal>nodejs-slim-6_x</literal> and
|
||
|
<literal>nodePackages_6_x</literal> are removed.
|
||
|
</para>
|
||
|
</listitem>
|
||
|
</itemizedlist>
|
||
|
</section>
|
||
|
|
||
|
<section xmlns="http://docbook.org/ns/docbook"
|
||
|
xmlns:xlink="http://www.w3.org/1999/xlink"
|
||
|
xmlns:xi="http://www.w3.org/2001/XInclude"
|
||
|
version="5.0"
|
||
|
xml:id="sec-release-19.03-notable-changes">
|
||
|
<title>Other Notable Changes</title>
|
||
|
|
||
|
<itemizedlist>
|
||
|
<listitem>
|
||
|
<para>
|
||
|
The <option>services.matomo</option> module gained the option
|
||
|
<option>services.matomo.package</option> which determines the used Matomo
|
||
|
version.
|
||
|
</para>
|
||
|
<para>
|
||
|
The Matomo module now also comes with the systemd service
|
||
|
<literal>matomo-archive-processing.service</literal> and a timer that
|
||
|
automatically triggers archive processing every hour. This means that you
|
||
|
can safely
|
||
|
<link xlink:href="https://matomo.org/docs/setup-auto-archiving/#disable-browser-triggers-for-matomo-archiving-and-limit-matomo-reports-to-updating-every-hour">
|
||
|
disable browser triggers for Matomo archiving </link> at
|
||
|
<literal>Administration > System > General Settings</literal>.
|
||
|
</para>
|
||
|
<para>
|
||
|
Additionally, you can enable to
|
||
|
<link xlink:href="https://matomo.org/docs/privacy/#step-2-delete-old-visitors-logs">
|
||
|
delete old visitor logs </link> at <literal>Administration > System >
|
||
|
Privacy</literal>, but make sure that you run <literal>systemctl start
|
||
|
matomo-archive-processing.service</literal> at least once without errors
|
||
|
if you have already collected data before, so that the reports get
|
||
|
archived before the source data gets deleted.
|
||
|
</para>
|
||
|
</listitem>
|
||
|
<listitem>
|
||
|
<para>
|
||
|
<literal>composableDerivation</literal> along with supporting library
|
||
|
functions has been removed.
|
||
|
</para>
|
||
|
</listitem>
|
||
|
<listitem>
|
||
|
<para>
|
||
|
The deprecated <literal>truecrypt</literal> package has been removed and
|
||
|
<literal>truecrypt</literal> attribute is now an alias for
|
||
|
<literal>veracrypt</literal>. VeraCrypt is backward-compatible with
|
||
|
TrueCrypt volumes. Note that <literal>cryptsetup</literal> also supports
|
||
|
loading TrueCrypt volumes.
|
||
|
</para>
|
||
|
</listitem>
|
||
|
<listitem>
|
||
|
<para>
|
||
|
The Kubernetes DNS addons, kube-dns, has been replaced with CoreDNS. This
|
||
|
change is made in accordance with Kubernetes making CoreDNS the official
|
||
|
default starting from
|
||
|
<link xlink:href="https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.11.md#sig-cluster-lifecycle">Kubernetes
|
||
|
v1.11</link>. Please beware that upgrading DNS-addon on existing clusters
|
||
|
might induce minor downtime while the DNS-addon terminates and
|
||
|
re-initializes. Also note that the DNS-service now runs with 2 pod
|
||
|
replicas by default. The desired number of replicas can be configured
|
||
|
using: <option>services.kubernetes.addons.dns.replicas</option>.
|
||
|
</para>
|
||
|
</listitem>
|
||
|
<listitem>
|
||
|
<para>
|
||
|
The quassel-webserver package and module was removed from nixpkgs due to
|
||
|
the lack of maintainers.
|
||
|
</para>
|
||
|
</listitem>
|
||
|
<listitem>
|
||
|
<para>
|
||
|
The manual gained a <link linkend="module-services-matrix"> new chapter on
|
||
|
self-hosting <literal>matrix-synapse</literal> and
|
||
|
<literal>riot-web</literal> </link>, the most prevalent server and client
|
||
|
implementations for the
|
||
|
<link xlink:href="https://matrix.org/">Matrix</link> federated
|
||
|
communication network.
|
||
|
</para>
|
||
|
</listitem>
|
||
|
<listitem>
|
||
|
<para>
|
||
|
The astah-community package was removed from nixpkgs due to it being
|
||
|
discontinued and the downloads not being available anymore.
|
||
|
</para>
|
||
|
</listitem>
|
||
|
<listitem>
|
||
|
<para>
|
||
|
The httpd service now saves log files with a .log file extension by
|
||
|
default for easier integration with the logrotate service.
|
||
|
</para>
|
||
|
</listitem>
|
||
|
<listitem>
|
||
|
<para>
|
||
|
The owncloud server packages and httpd subservice module were removed from
|
||
|
nixpkgs due to the lack of maintainers.
|
||
|
</para>
|
||
|
</listitem>
|
||
|
<listitem>
|
||
|
<para>
|
||
|
It is possible now to uze ZRAM devices as general purpose ephemeral block
|
||
|
devices, not only as swap. Using more than 1 device as ZRAM swap is no
|
||
|
longer recommended, but is still possible by setting
|
||
|
<literal>zramSwap.swapDevices</literal> explicitly.
|
||
|
</para>
|
||
|
<para>
|
||
|
ZRAM algorithm can be changed now.
|
||
|
</para>
|
||
|
<para>
|
||
|
Changes to ZRAM algorithm are applied during <literal>nixos-rebuild
|
||
|
switch</literal>, so make sure you have enough swap space on disk to
|
||
|
survive ZRAM device rebuild. Alternatively, use <literal>nixos-rebuild
|
||
|
boot; reboot</literal>.
|
||
|
</para>
|
||
|
</listitem>
|
||
|
<listitem>
|
||
|
<para>
|
||
|
Flat volumes are now disabled by default in
|
||
|
<literal>hardware.pulseaudio</literal>. This has been done to prevent
|
||
|
applications, which are unaware of this feature, setting their volumes to
|
||
|
100% on startup causing harm to your audio hardware and potentially your
|
||
|
ears.
|
||
|
</para>
|
||
|
<note>
|
||
|
<para>
|
||
|
With this change application specific volumes are relative to the master
|
||
|
volume which can be adjusted independently, whereas before they were
|
||
|
absolute; meaning that in effect, it scaled the device-volume with the
|
||
|
volume of the loudest application.
|
||
|
</para>
|
||
|
</note>
|
||
|
</listitem>
|
||
|
<listitem>
|
||
|
<para>
|
||
|
The
|
||
|
<link xlink:href="https://github.com/DanielAdolfsson/ndppd"><literal>ndppd</literal></link>
|
||
|
module now supports <link linkend="opt-services.ndppd.enable">all config
|
||
|
options</link> provided by the current upstream version as service
|
||
|
options. Additionally the <literal>ndppd</literal> package doesn't contain
|
||
|
the systemd unit configuration from upstream anymore, the unit is
|
||
|
completely configured by the NixOS module now.
|
||
|
</para>
|
||
|
</listitem>
|
||
|
<listitem>
|
||
|
<para>
|
||
|
New installs of NixOS will default to the Redmine 4.x series unless
|
||
|
otherwise specified in <literal>services.redmine.package</literal> while
|
||
|
existing installs of NixOS will default to the Redmine 3.x series.
|
||
|
</para>
|
||
|
</listitem>
|
||
|
<listitem>
|
||
|
<para>
|
||
|
The <link linkend="opt-services.grafana.enable">Grafana module</link> now
|
||
|
supports declarative
|
||
|
<link xlink:href="http://docs.grafana.org/administration/provisioning/">datasource
|
||
|
and dashboard</link> provisioning.
|
||
|
</para>
|
||
|
</listitem>
|
||
|
<listitem>
|
||
|
<para>
|
||
|
The use of insecure ports on kubernetes has been deprecated. Thus options:
|
||
|
<varname>services.kubernetes.apiserver.port</varname> and
|
||
|
<varname>services.kubernetes.controllerManager.port</varname> has been
|
||
|
renamed to <varname>.insecurePort</varname>, and default of both options
|
||
|
has changed to 0 (disabled).
|
||
|
</para>
|
||
|
</listitem>
|
||
|
<listitem>
|
||
|
<para>
|
||
|
Note that the default value of
|
||
|
<varname>services.kubernetes.apiserver.bindAddress</varname> has changed
|
||
|
from 127.0.0.1 to 0.0.0.0, allowing the apiserver to be accessible from
|
||
|
outside the master node itself. If the apiserver insecurePort is enabled,
|
||
|
it is strongly recommended to only bind on the loopback interface. See:
|
||
|
<varname>services.kubernetes.apiserver.insecurebindAddress</varname>.
|
||
|
</para>
|
||
|
</listitem>
|
||
|
<listitem>
|
||
|
<para>
|
||
|
The option
|
||
|
<varname>services.kubernetes.apiserver.allowPrivileged</varname> and
|
||
|
<varname>services.kubernetes.kubelet.allowPrivileged</varname> now
|
||
|
defaults to false. Disallowing privileged containers on the cluster.
|
||
|
</para>
|
||
|
</listitem>
|
||
|
<listitem>
|
||
|
<para>
|
||
|
The kubernetes module does no longer add the kubernetes package to
|
||
|
<varname>environment.systemPackages</varname> implicitly.
|
||
|
</para>
|
||
|
</listitem>
|
||
|
<listitem>
|
||
|
<para>
|
||
|
The <literal>intel</literal> driver has been removed from the default list
|
||
|
of <link linkend="opt-services.xserver.videoDrivers">X.org video
|
||
|
drivers</link>. The <literal>modesetting</literal> driver should take over
|
||
|
automatically, it is better maintained upstream and has less problems with
|
||
|
advanced X11 features. This can lead to a change in the output names used
|
||
|
by <literal>xrandr</literal>. Some performance regressions on some GPU
|
||
|
models might happen. Some OpenCL and VA-API applications might also break
|
||
|
(Beignet seems to provide OpenCL support with
|
||
|
<literal>modesetting</literal> driver, too). Kernel mode setting API does
|
||
|
not support backlight control, so <literal>xbacklight</literal> tool will
|
||
|
not work; backlight level can be controlled directly via
|
||
|
<literal>/sys/</literal> or with <literal>brightnessctl</literal>. Users
|
||
|
who need this functionality more than multi-output XRandR are advised to
|
||
|
add `intel` to `videoDrivers` and report an issue (or provide additional
|
||
|
details in an existing one)
|
||
|
</para>
|
||
|
</listitem>
|
||
|
<listitem>
|
||
|
<para>
|
||
|
Openmpi has been updated to version 4.0.0, which removes some deprecated
|
||
|
MPI-1 symbols. This may break some older applications that still rely on
|
||
|
those symbols. An upgrade guide can be found
|
||
|
<link xlink:href="https://www.open-mpi.org/faq/?category=mpi-removed">here</link>.
|
||
|
</para>
|
||
|
<para>
|
||
|
The nginx package now relies on OpenSSL 1.1 and supports TLS 1.3 by
|
||
|
default. You can set the protocols used by the nginx service using
|
||
|
<xref linkend="opt-services.nginx.sslProtocols"/>.
|
||
|
</para>
|
||
|
</listitem>
|
||
|
<listitem>
|
||
|
<para>
|
||
|
A new subcommand <command>nixos-rebuild edit</command> was added.
|
||
|
</para>
|
||
|
</listitem>
|
||
|
</itemizedlist>
|
||
|
</section>
|
||
|
</section>
|