51e09efdfc
GitOrigin-RevId: 296793637b22bdb4d23b479879eba0a71c132a66
362 lines
16 KiB
XML
362 lines
16 KiB
XML
<section xmlns="http://docbook.org/ns/docbook"
|
|
xmlns:xlink="http://www.w3.org/1999/xlink"
|
|
xmlns:xi="http://www.w3.org/2001/XInclude"
|
|
version="5.0"
|
|
xml:id="sec-release-21.03">
|
|
<title>Release 21.03 (“Okapi”, 2021.03/??)</title>
|
|
|
|
<section xmlns="http://docbook.org/ns/docbook"
|
|
xmlns:xlink="http://www.w3.org/1999/xlink"
|
|
xmlns:xi="http://www.w3.org/2001/XInclude"
|
|
version="5.0"
|
|
xml:id="sec-release-21.03-highlights">
|
|
<title>Highlights</title>
|
|
|
|
<para>
|
|
In addition to numerous new and upgraded packages, this release has the
|
|
following highlights:
|
|
</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
Support is planned until the end of October 2021, handing over to 21.09.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>GNOME desktop environment was upgraded to 3.38, see its <link xlink:href="https://help.gnome.org/misc/release-notes/3.38/">release notes</link>.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|
|
|
|
<section xmlns="http://docbook.org/ns/docbook"
|
|
xmlns:xlink="http://www.w3.org/1999/xlink"
|
|
xmlns:xi="http://www.w3.org/2001/XInclude"
|
|
version="5.0"
|
|
xml:id="sec-release-21.03-new-services">
|
|
<title>New Services</title>
|
|
|
|
<para>
|
|
The following new services were added since the last release:
|
|
</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
<link xlink:href="https://www.keycloak.org/">Keycloak</link>,
|
|
an open source identity and access management server with
|
|
support for <link
|
|
xlink:href="https://openid.net/connect/">OpenID Connect</link>,
|
|
<link xlink:href="https://oauth.net/2/">OAUTH 2.0</link> and
|
|
<link xlink:href="https://en.wikipedia.org/wiki/SAML_2.0">SAML
|
|
2.0</link>.
|
|
</para>
|
|
<para>
|
|
See the <link linkend="module-services-keycloak">Keycloak
|
|
section of the NixOS manual</link> for more information.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<xref linkend="opt-services.samba-wsdd.enable" /> Web Services Dynamic Discovery host daemon
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
</section>
|
|
|
|
<section xmlns="http://docbook.org/ns/docbook"
|
|
xmlns:xlink="http://www.w3.org/1999/xlink"
|
|
xmlns:xi="http://www.w3.org/2001/XInclude"
|
|
version="5.0"
|
|
xml:id="sec-release-21.03-incompatibilities">
|
|
<title>Backward Incompatibilities</title>
|
|
|
|
<para>
|
|
When upgrading from a previous release, please be aware of the following
|
|
incompatible changes:
|
|
</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
<literal>systemd-journal2gelf</literal> no longer parses json and expects the receiving system to handle it. How to achieve this with Graylog is described in this <link xlink:href="https://github.com/parse-nl/SystemdJournal2Gelf/issues/10">GitHub issue</link>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
If the <varname>services.dbus</varname> module is enabled, then
|
|
the user D-Bus session is now always socket activated. The
|
|
associated options <varname>services.dbus.socketActivated</varname>
|
|
and <varname>services.xserver.startDbusSession</varname> have
|
|
therefore been removed and you will receive a warning if
|
|
they are present in your configuration. This change makes the
|
|
user D-Bus session available also for non-graphical logins.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<literal>rubyMinimal</literal> was removed due to being unused and
|
|
unusable. The default ruby interpreter includes JIT support, which makes
|
|
it reference it's compiler. Since JIT support is probably needed by some
|
|
Gems, it was decided to enable this feature with all cc references by
|
|
default, and allow to build a Ruby derivation without references to cc,
|
|
by setting <literal>jitSupport = false;</literal> in an overlay. See
|
|
<link xlink:href="https://github.com/NixOS/nixpkgs/pull/90151">#90151</link>
|
|
for more info.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Setting <option>services.openssh.authorizedKeysFiles</option> now also affects which keys <option>security.pam.enableSSHAgentAuth</option> will use.
|
|
|
|
WARNING: If you are using these options in combination do make sure that any key paths you use are present in <option>services.openssh.authorizedKeysFiles</option>!
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The option <option>fonts.enableFontDir</option> has been renamed to
|
|
<xref linkend="opt-fonts.fontDir.enable"/>. The path of font directory
|
|
has also been changed to <literal>/run/current-system/sw/share/X11/fonts</literal>,
|
|
for consistency with other X11 resources.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
A number of options have been renamed in the kicad interface. <literal>oceSupport</literal>
|
|
has been renamed to <literal>withOCE</literal>, <literal>withOCCT</literal> has been renamed
|
|
to <literal>withOCC</literal>, <literal>ngspiceSupport</literal> has been renamed to
|
|
<literal>withNgspice</literal>, and <literal>scriptingSupport</literal> has been renamed to
|
|
<literal>withScripting</literal>. Additionally, <literal>kicad/base.nix</literal> no longer
|
|
provides default argument values since these are provided by
|
|
<literal>kicad/default.nix</literal>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The socket for the <literal>pdns-recursor</literal> module was moved from <literal>/var/lib/pdns-recursor</literal>
|
|
to <literal>/run/pdns-recursor</literal> to match upstream.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Paperwork was updated to version 2. The on-disk format slightly changed,
|
|
and it is not possible to downgrade from Paperwork 2 back to Paperwork
|
|
1.3. Back your documents up before upgrading. See <link xlink:href="https://forum.openpaper.work/t/paperwork-2-0/112/5">this thread</link> for more details.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
PowerDNS has been updated from <literal>4.2.x</literal> to <literal>4.3.x</literal>. Please
|
|
be sure to review the <link xlink:href="https://doc.powerdns.com/authoritative/upgrading.html#x-to-4-3-0">Upgrade Notes</link>
|
|
provided by upstream before upgrading. Worth specifically noting is that the service now runs
|
|
entirely as a dedicated <literal>pdns</literal> user, instead of starting as <literal>root</literal>
|
|
and dropping privileges, as well as the default <literal>socket-dir</literal> location changing from
|
|
<literal>/var/lib/powerdns</literal> to <literal>/run/pdns</literal>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<package>btc1</package> has been abandoned upstream, and removed.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<package>cpp_ethereum</package> (aleth) has been abandoned upstream, and removed.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<package>riak-cs</package> package removed along with <varname>services.riak-cs</varname> module.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<package>stanchion</package> package removed along with <varname>services.stanchion</varname> module.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<package>mutt</package> has been updated to a new major version (2.x), which comes with
|
|
some backward incompatible changes that are described in the
|
|
<link xlink:href="http://www.mutt.org/relnotes/2.0/">release notes for Mutt 2.0</link>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<literal>vim</literal> switched to Python 3, dropping all Python 2 support.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<link linkend="opt-boot.zfs.forceImportAll">boot.zfs.forceImportAll</link>
|
|
previously did nothing, but has been fixed. However its default has been
|
|
changed to <literal>false</literal> to preserve the existing default
|
|
behaviour. If you have this explicitly set to <literal>true</literal>,
|
|
please note that your non-root pools will now be forcibly imported.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
<package>openafs</package> now points to <package>openafs_1_8</package>,
|
|
which is the new stable release. OpenAFS 1.6 was removed.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <literal>openldap</literal> module now has support for OLC-style
|
|
configuration, users of the <literal>configDir</literal> option may wish
|
|
to migrate. If you continue to use <literal>configDir</literal>, ensure that
|
|
<literal>olcPidFile</literal> is set to <literal>/run/slapd/slapd.pid</literal>.
|
|
</para>
|
|
<para>
|
|
As a result, <literal>extraConfig</literal> and <literal>extraDatabaseConfig</literal>
|
|
are removed. To help with migration, you can convert your <literal>slapd.conf</literal>
|
|
file to OLC configuration with the following script (find the location of this
|
|
configuration file by running <literal>systemctl status openldap</literal>, it is the
|
|
<literal>-f</literal> option.
|
|
</para>
|
|
<programlisting>
|
|
TMPDIR=$(mktemp -d)
|
|
slaptest -f /path/to/slapd.conf $TMPDIR
|
|
slapcat -F $TMPDIR -n0 -H 'ldap:///???(!(objectClass=olcSchemaConfig))'
|
|
</programlisting>
|
|
<para>
|
|
This will dump your current configuration in LDIF format, which should be
|
|
straightforward to convert into Nix settings. This does not show your schema
|
|
configuration, as this is unnecessarily verbose for users of the default schemas
|
|
and <literal>slaptest</literal> is buggy with schemas directly in the config file.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Amazon EC2 and OpenStack Compute (nova) images now re-fetch instance meta data and user data from the instance
|
|
metadata service (IMDS) on each boot. For example: stopping an EC2 instance, changing its user data, and
|
|
restarting the instance will now cause it to fetch and apply the new user data.
|
|
</para>
|
|
<warning>
|
|
<para>
|
|
Specifically, <literal>/etc/ec2-metadata</literal> is re-populated on each boot. Some NixOS scripts that read
|
|
from this directory are guarded to only run if the files they want to manipulate do not already exist, and so
|
|
will not re-apply their changes if the IMDS response changes. Examples: <literal>root</literal>'s SSH key is
|
|
only added if <literal>/root/.ssh/authorized_keys</literal> does not exist, and SSH host keys are only set from
|
|
user data if they do not exist in <literal>/etc/ssh</literal>.
|
|
</para>
|
|
</warning>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The <literal>rspamd</literal> services is now sandboxed. It is run as
|
|
a dynamic user instead of root, so secrets and other files may have to
|
|
be moved or their permissions may have to be fixed. The sockets are now
|
|
located in <literal>/run/rspamd</literal> instead of <literal>/run</literal>.
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|
|
|
|
<section xmlns="http://docbook.org/ns/docbook"
|
|
xmlns:xlink="http://www.w3.org/1999/xlink"
|
|
xmlns:xi="http://www.w3.org/2001/XInclude"
|
|
version="5.0"
|
|
xml:id="sec-release-21.03-notable-changes">
|
|
<title>Other Notable Changes</title>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
The default-version of <literal>nextcloud</literal> is <package>nextcloud20</package>.
|
|
Please note that it's <emphasis>not</emphasis> possible to upgrade <literal>nextcloud</literal>
|
|
across multiple major versions! This means that it's e.g. not possible to upgrade
|
|
from <package>nextcloud18</package> to <package>nextcloud20</package> in a single deploy.
|
|
</para>
|
|
<para>
|
|
The package can be manually upgraded by setting <xref linkend="opt-services.nextcloud.package" />
|
|
to <package>nextcloud20</package>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The setting <xref linkend="opt-services.redis.bind" /> defaults to <literal>127.0.0.1</literal> now, making Redis listen on the loopback interface only, and not all public network interfaces.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
NixOS now emits a deprecation warning if systemd's <literal>StartLimitInterval</literal> setting is used in a <literal>serviceConfig</literal> section instead of in a <literal>unitConfig</literal>; that setting is deprecated and now undocumented for the service section by systemd upstream, but still effective and somewhat buggy there, which can be confusing. See <link xlink:href="https://github.com/NixOS/nixpkgs/issues/45785">#45785</link> for details.
|
|
</para>
|
|
<para>
|
|
All services should use <xref linkend="opt-systemd.services._name_.startLimitIntervalSec" /> or <literal>StartLimitIntervalSec</literal> in <xref linkend="opt-systemd.services._name_.unitConfig" /> instead.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
The Unbound DNS resolver service (<literal>services.unbound</literal>) has been refactored to allow reloading, control sockets and to fix startup ordering issues.
|
|
</para>
|
|
|
|
<para>
|
|
It is now possible to enable a local UNIX control socket for unbound by setting the <xref linkend="opt-services.unbound.localControlSocketPath" />
|
|
option.
|
|
</para>
|
|
|
|
<para>
|
|
Previously we just applied a very minimal set of restrictions and
|
|
trusted unbound to properly drop root privs and capabilities.
|
|
</para>
|
|
|
|
<para>
|
|
As of this we are (for the most part) just using the upstream
|
|
example unit file for unbound. The main difference is that we start
|
|
unbound as <literal>unbound</literal> user with the required capabilities instead of
|
|
letting unbound do the chroot & uid/gid changes.
|
|
</para>
|
|
|
|
<para>
|
|
The upstream unit configuration this is based on is a lot stricter with
|
|
all kinds of permissions then our previous variant. It also came with
|
|
the default of having the <literal>Type</literal> set to <literal>notify</literal>, therefore we are now also
|
|
using the <literal>unbound-with-systemd</literal> package here. Unbound will start up,
|
|
read the configuration files and start listening on the configured ports
|
|
before systemd will declare the unit <literal>active (running)</literal>.
|
|
This will likely help with startup order and the occasional race condition during system
|
|
activation where the DNS service is started but not yet ready to answer
|
|
queries. Services depending on <literal>nss-lookup.target</literal> or <literal>unbound.service</literal>
|
|
are now be able to use unbound when those targets have been reached.
|
|
</para>
|
|
|
|
<para>
|
|
Aditionally to the much stricter runtime environmet the
|
|
<literal>/dev/urandom</literal> mount lines we previously had in the code (that would
|
|
randomly failed during the stop-phase) have been removed as systemd will take care of those for us.
|
|
</para>
|
|
|
|
<para>
|
|
The <literal>preStart</literal> script is now only required if we enabled the trust
|
|
anchor updates (which are still enabled by default).
|
|
</para>
|
|
|
|
<para>
|
|
Another benefit of the refactoring is that we can now issue reloads via
|
|
either <literal>pkill -HUP unbound</literal> and <literal>systemctl reload unbound</literal> to reload the
|
|
running configuration without taking the daemon offline. A prerequisite
|
|
of this was that unbound configuration is available on a well known path
|
|
on the file system. We are using the path <literal>/etc/unbound/unbound.conf</literal> as that is the
|
|
default in the CLI tooling which in turn enables us to use
|
|
<literal>unbound-control</literal> without passing a custom configuration location.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
NixOS now defaults to the unified cgroup hierarchy (cgroupsv2).
|
|
See the <link xlink:href="https://www.redhat.com/sysadmin/fedora-31-control-group-v2">Fedora Article for 31</link>
|
|
for details on why this is desirable, and how it impacts containers.
|
|
</para>
|
|
<para>
|
|
If you want to run containers with a runtime that does not yet support cgroupsv2,
|
|
you can switch back to the old behaviour by setting
|
|
<xref linkend="opt-systemd.enableUnifiedCgroupHierarchy"/> = <literal>false</literal>;
|
|
and rebooting.
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|
|
</section>
|