Merge remote-tracking branch 'origin/release-16.09' into staging-16.09

2016-09-30 13:01:38 +02:00 · 2016-09-30 13:01:38 +02:00 · b6c9c0258b
commit b6c9c0258b
parent f32c4bfecd 51cf16f4b4
5 changed files with 147 additions and 43 deletions
--- a/nixos/doc/manual/release-notes/rl-1609.xml
+++ b/nixos/doc/manual/release-notes/rl-1609.xml
@ -4,7 +4,7 @@
         version="5.0"
         xml:id="sec-release-16.09">

-<title>Release 16.09 (“Flounder”, 2016/09/??)</title>
+<title>Release 16.09 (“Flounder”, 2016/09/30)</title>

 <para>In addition to numerous new and upgraded packages, this release
 has the following highlights: </para>
@ -12,22 +12,45 @@ has the following highlights: </para>
 <itemizedlist>

  <listitem>
-    <para>PXE "netboot" media has landed in <link xlink:href="https://github.com/NixOS/nixpkgs/pull/14740" />.
-    See <xref linkend="sec-booting-from-pxe" /> for documentation.</para>
+    <para>Many NixOS configurations and Nix packages now use
+    significantly less disk space, thanks to the <link
+    xlink:href="https://github.com/NixOS/nixpkgs/issues/7117">extensive
+    work on closure size reduction</link>. For example, the closure
+    size of a minimal NixOS container went down from ~424 MiB in 16.03
+    to ~212 MiB in 16.09, while the closure size of Firefox went from
+    ~651 MiB to ~259 MiB.</para>
  </listitem>

  <listitem>
-    <para>Xorg-server-1.18.*. If you choose <literal>"ati_unfree"</literal> driver,
-    1.17.* is still used due to ABI incompatibility.</para>
+    <para>To improve security, packages are now <link
+    xlink:href="https://github.com/NixOS/nixpkgs/pull/12895">built
+    using various hardening features</link>. See the Nixpkgs manual
+    for more information.</para>
  </listitem>
+
+  <listitem>
+    <para>Support for PXE netboot.  See <xref
+    linkend="sec-booting-from-pxe" /> for documentation.</para>
+  </listitem>
+
+  <listitem>
+    <para>X.org server 1.18. If you use the
+    <literal>ati_unfree</literal> driver, 1.17 is still used due to an
+    ABI incompatibility.</para>
+  </listitem>
+
+  <listitem>
+    <para>This release is based on Glibc 2.24, GCC 5.4.0 and systemd
+    231. The default Linux kernel remains 4.4.</para>
+  </listitem>
+
 </itemizedlist>

 <para>The following new services were added since the last release:</para>

-  <itemizedlist>
-    <listitem><para><literal>(this will get automatically generated at release time)</literal></para></listitem>
-  </itemizedlist>
-
+<itemizedlist>
+  <listitem><para><literal>(this will get automatically generated at release time)</literal></para></listitem>
+</itemizedlist>

 <para>When upgrading from a previous release, please be aware of the
 following incompatible changes:</para>
@ -36,7 +59,8 @@ following incompatible changes:</para>

  <listitem>
    <para>A large number of packages have been converted to use the multiple outputs feature
-      of Nix to greatly reduce the amount of required disk space. This may require changes
+      of Nix to greatly reduce the amount of required disk space, as
+      mentioned above. This may require changes
      to any custom packages to make them build again; see the relevant chapter in the
      Nixpkgs manual for more information. (Additional caveat to packagers: some packaging conventions
      related to multiple-output packages
@ -58,16 +82,20 @@ following incompatible changes:</para>
  </listitem>

  <listitem>
-    <para>/var/setuid-wrappers/
-      <link xlink:href="https://github.com/NixOS/nixpkgs/pull/18124">is now a symlink so
-      it can be atomically updated</link>
-      and it's not mounted as tmpfs anymore since setuid binaries are located on /run/ as tmpfs.
+    <para>
+      <literal>/var/empty</literal> is now immutable. Activation script runs <command>chattr +i</command>
+      to forbid any modifications inside the folder. See <link xlink:href="https://github.com/NixOS/nixpkgs/pull/18365">
+      the pull request</link> for what bugs this caused.
    </para>
  </listitem>

  <listitem>
-    <para>Gitlab's maintainence script gitlab-runner was removed and split up into the more clearer
-      gitlab-run and gitlab-rake scripts because gitlab-runner is a component of Gitlab CI.</para>
+    <para>Gitlab's maintainance script
+    <command>gitlab-runner</command> was removed and split up into the
+    more clearer <command>gitlab-run</command> and
+    <command>gitlab-rake</command> scripts, because
+    <command>gitlab-runner</command> is a component of Gitlab
+    CI.</para>
  </listitem>

  <listitem>
@ -80,14 +108,14 @@ following incompatible changes:</para>
  <listitem>
    <para><literal>fonts.fontconfig.ultimate.rendering</literal> was removed
    because our presets were obsolete for some time. New presets are hardcoded
-    into freetype; one selects a preset via <literal>fonts.fontconfig.ultimate.preset</literal>.
+    into FreeType; you can select a preset via <literal>fonts.fontconfig.ultimate.preset</literal>.
    You can customize those presets via ordinary environment variables, using
    <literal>environment.variables</literal>.</para>
  </listitem>

  <listitem>
    <para>The <literal>audit</literal> service is no longer enabled by default.
-    Use <literal>security.audit.enable = true;</literal> to explicitly enable it.</para>
+    Use <literal>security.audit.enable = true</literal> to explicitly enable it.</para>
  </listitem>

  <listitem>
@ -100,10 +128,11 @@ following incompatible changes:</para>
  </listitem>

  <listitem>
-    <para><literal>goPackages</literal> was replaced with separated Go applications
-    in appropriate <literal>nixpkgs</literal> categories. Each Go package uses its own
-    dependency set defined in nix. There's also a new <literal>go2nix</literal>
-    tool introduced to generate Go package definition from its Go source automatically.</para>
+    <para><literal>goPackages</literal> was replaced with separated Go
+    applications in appropriate <literal>nixpkgs</literal>
+    categories. Each Go package uses its own dependency set. There's
+    also a new <literal>go2nix</literal> tool introduced to generate a
+    Go package definition from its Go source automatically.</para>
  </listitem>

  <listitem>
@ -111,6 +140,12 @@ following incompatible changes:</para>
    was changed to YAML.</para>
  </listitem>

+  <listitem>
+    <para>
+      PHP has been upgraded to 7.0
+    </para>
+  </listitem>
+
 </itemizedlist>


@ -127,10 +162,11 @@ following incompatible changes:</para>
  </para></listitem>

  <listitem><para>Special filesystems, like <literal>/proc</literal>,
-  <literal>/run</literal> and others, now have the same mount options as
-  recommended by systemd. They are now unified across different places in NixOS.
-  Options are also updated on the system switch if possible. One benefit from
-  this is improved security -- most such filesystems are now mounted with
+  <literal>/run</literal> and others, now have the same mount options
+  as recommended by systemd and are unified across different places in
+  NixOS.  Mount options are updated during <command>nixos-rebuild
+  switch</command> if possible. One benefit from this is improved
+  security — most such filesystems are now mounted with
  <literal>noexec</literal>, <literal>nodev</literal> and/or
  <literal>nosuid</literal> options.</para></listitem>

@ -140,6 +176,45 @@ following incompatible changes:</para>
  (<literal>networking.firewall.logReversePathDrops</literal>) for easier
  debugging.</para></listitem>

+  <listitem><para>Containers configuration within
+  <literal>containers.&lt;name&gt;.config</literal> is <link
+  xlink:href="https://github.com/NixOS/nixpkgs/pull/17365">now
+  properly typed and checked</link>. In particular, partial
+  configurations are merged correctly.</para></listitem>
+
+  <listitem>
+    <para>The directory container setuid wrapper programs,
+    <filename>/var/setuid-wrappers</filename>, <link
+    xlink:href="https://github.com/NixOS/nixpkgs/pull/18124">is now
+    updated atomically to prevent failures if the switch to a new
+    configuration is interrupted.</link></para>
+  </listitem>
+
+  <listitem>
+    <para><literal>services.xserver.startGnuPGAgent</literal>
+      has been removed due to GnuPG 2.1.x bump. See <link
+        xlink:href="https://github.com/NixOS/nixpkgs/commit/5391882ebd781149e213e8817fba6ac3c503740c">
+        how to achieve similar behavior</link>. You might need to
+      <literal>pkill gpg-agent</literal> after the upgrade
+      to prevent a stale agent being in the way.
+    </para>
+  </listitem>
+
+  <listitem><para>
+    <link xlink:href="https://github.com/NixOS/nixpkgs/commit/e561edc322d275c3687fec431935095cfc717147">
+    Declarative users could share the uid due to the bug in
+    the script handling conflict resolution.
+    </link>
+  </para></listitem>
+
+  <listitem><para>
+    Gummi boot has been replaced using systemd-boot.
+  </para></listitem>
+
+  <listitem><para>
+    Hydra package and NixOS module were added for convenience.
+  </para></listitem>
+
 </itemizedlist>


--- a/nixos/modules/rename.nix
+++ b/nixos/modules/rename.nix
@ -154,7 +154,7 @@ with lib;
    (mkRemovedOptionModule [ "services" "printing" "cupsFilesConf" ] "")
    (mkRemovedOptionModule [ "services" "printing" "cupsdConf" ] "")
    (mkRemovedOptionModule [ "services" "xserver" "startGnuPGAgent" ]
-      "See the 16.03 release notes for more information.")
+      "See the 16.09 release notes for more information.")
    (mkRemovedOptionModule [ "services" "phpfpm" "phpIni" ] "")
    (mkRemovedOptionModule [ "services" "dovecot2" "package" ] "")
  ];
--- a/nixos/modules/services/system/dbus.nix
+++ b/nixos/modules/services/system/dbus.nix
@ -8,7 +8,7 @@ let

  cfg = config.services.dbus;

-  homeDir = "/var/run/dbus";
+  homeDir = "/run/dbus";

  systemExtraxml = concatStrings (flip concatMap cfg.packages (d: [
    "<servicedir>${d}/share/dbus-1/system-services</servicedir>"
@ -20,6 +20,8 @@ let
    "<includedir>${d}/etc/dbus-1/session.d</includedir>"
  ]));

+  daemonArgs = "--address=systemd: --nofork --nopidfile --systemd-activation";
+
  configDir = pkgs.stdenv.mkDerivation {
    name = "dbus-conf";

@ -29,6 +31,14 @@ let
    buildCommand = ''
      mkdir -p $out

+      cp ${pkgs.dbus.out}/share/dbus-1/{system,session}.conf $out
+
+      # avoid circular includes
+      sed -ri 's@(<include ignore_missing="yes">/etc/dbus-1/(system|session)\.conf</include>)@<!-- \1 -->@g' $out/{system,session}.conf
+
+      # include by full path
+      sed -ri "s@/etc/dbus-1/(system|session)-@$out/\1-@" $out/{system,session}.conf
+
      sed '${./dbus-system-local.conf.in}' \
        -e 's,@servicehelper@,${config.security.wrapperDir}/dbus-daemon-launch-helper,g' \
        -e 's,@extra@,${systemExtraxml},' \
@ -75,11 +85,16 @@ in
        '';
      };

+      socketActivated = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Make the user instance socket activated.
+        '';
+      };
    };
-
  };

-
  ###### implementation

  config = mkIf cfg.enable {
@ -117,13 +132,29 @@ in
      config.system.path
    ];

-    # Don't restart dbus-daemon. Bad things tend to happen if we do.
-    systemd.services.dbus.reloadIfChanged = true;
+    systemd.services.dbus = {
+      # Don't restart dbus-daemon. Bad things tend to happen if we do.
+      reloadIfChanged = true;
+      restartTriggers = [ configDir ];
+      serviceConfig.ExecStart = [
+        ""
+        "${lib.getBin pkgs.dbus}/bin/dbus-daemon --config-file=${configDir}/system.conf ${daemonArgs}"
+      ];
+    };

-    systemd.services.dbus.restartTriggers = [ configDir ];
+    systemd.user = {
+      services.dbus = {
+        # Don't restart dbus-daemon. Bad things tend to happen if we do.
+        reloadIfChanged = true;
+        restartTriggers = [ configDir ];
+        serviceConfig.ExecStart = [
+          ""
+          "${lib.getBin pkgs.dbus}/bin/dbus-daemon --config-file=${configDir}/session.conf ${daemonArgs}"
+        ];
+      };
+      sockets.dbus.wantedBy = mkIf cfg.socketActivated [ "sockets.target" ];
+    };

    environment.pathsToLink = [ "/etc/dbus-1" "/share/dbus-1" ];
-
  };
-
 }
--- a/nixos/modules/services/x11/display-managers/default.nix
+++ b/nixos/modules/services/x11/display-managers/default.nix
@ -134,13 +134,8 @@ let
        (*) echo "$0: Desktop manager '$desktopManager' not found.";;
      esac

-      # FIXME: gdbus should not be in glib.dev!
-      ${optionalString (cfg.startDbusSession && cfg.updateDbusEnvironment) ''
-        ${pkgs.glib.dev}/bin/gdbus call --session \
-          --dest org.freedesktop.DBus --object-path /org/freedesktop/DBus \
-          --method org.freedesktop.DBus.UpdateActivationEnvironment \
-          "{$(env | ${pkgs.gnused}/bin/sed "s/'/\\\\'/g; s/\([^=]*\)=\(.*\)/'\1':'\2'/" \
-                  | ${pkgs.coreutils}/bin/paste -sd,)}"
+      ${optionalString cfg.updateDbusEnvironment ''
+        ${lib.getBin pkgs.dbus}/bin/dbus-update-activation-environment --systemd --all
      ''}

      test -n "$waitPID" && wait "$waitPID"
--- a/pkgs/development/libraries/dbus/default.nix
+++ b/pkgs/development/libraries/dbus/default.nix
@ -44,7 +44,11 @@ self =  stdenv.mkDerivation {
      "--localstatedir=/var"
      "--sysconfdir=/etc"
      "--with-session-socket-dir=/tmp"
+      "--with-system-pid-file=/run/dbus/pid"
+      "--with-system-socket=/run/dbus/system_bus_socket"
      "--with-systemdsystemunitdir=$(out)/etc/systemd/system"
+      "--with-systemduserunitdir=$(out)/etc/systemd/user"
+      "--enable-user-session"
      # this package installs nothing into those dirs and they create a dependency
      "--datadir=/run/current-system/sw/share"
      "--libexecdir=$(out)/libexec" # we don't need dbus-daemon-launch-helper
@ -81,4 +85,3 @@ self =  stdenv.mkDerivation {
    };
  };
 in self
-