Commit graph

4849 commits

Author SHA1 Message Date
Franz Pletz
431a98b12b nixos/nat: Allow nat without an externalInterface 2016-05-12 01:52:13 +02:00
Nikolay Amiantov
700e2952be Merge pull request #15012 from abbradar/unixodbc
UnixODBC updates
2016-05-11 17:42:33 +03:00
Joachim Fasting
a0e8d542c7 Merge pull request #15377 from womfoo/sniproxy
sniproxy: init at 0.4.0 with dependency udns: init at 0.4
2016-05-11 15:14:33 +02:00
Shea Levy
67d430096f Add kerberos mappings for MIT exchange server 2016-05-11 09:09:24 -04:00
Domen Kožar
ccbcf1b6c2 nixos: require pkgs.which
This properly implements revert in
0729f60697.

We used to have which='type -P' alias, but really it's best to just
rely on which package, only 88K in size.

cc @edolstra
2016-05-11 10:37:46 +01:00
Kranium Gikos Mendoza
356f1bdac8 sniproxy service: init 2016-05-11 13:27:28 +08:00
Joachim Fasting
d4d7bfe07b
grsecurity: add option to disable chroot caps restriction
The chroot caps restriction disallows chroot'ed processes from running
any command that requires `CAP_SYS_ADMIN`, breaking `nixos-rebuild`. See
e.g., https://github.com/NixOS/nixpkgs/issues/15293

This significantly weakens chroot protections, but to break
nixos-rebuild out of the box is too severe.
2016-05-10 16:17:08 +02:00
Joachim Fasting
e38e3dcdb6
dnscrypt-proxy service: allow user to specify their own resolver list 2016-05-10 07:08:37 +02:00
Joachim Fasting
bd448b7139
dnscrypt-proxy service: use up-to-date dnscrypt-resolvers list
The list of public proxies is updated now and again and it's probably a
good idea to always work from the most recent list, rather than the one
that is shipped with the release.  This can be crucial in case of
resolvers that are revealed to have gone rogue or otherwise have been
compromised.
2016-05-10 07:07:58 +02:00
rnhmjoj
e8fff51947
unclutter: prevent service restarting too soon 2016-05-09 23:28:30 +02:00
Joachim Fasting
87a28c9385
transmission service: fix libcap lib output reference
After 7382afac40
2016-05-07 21:48:54 +02:00
Joachim Fasting
c5d1bff2b6
apparmor-suid module: fix libcap lib output reference
After 7382afac40
2016-05-07 21:48:29 +02:00
obadz
364a4373cf ec2/create-amis.sh: specify the approriate size on snapshots
Should help with #15148
2016-05-07 19:44:39 +01:00
Joachim Fasting
1d2fcde841
dnscrypt-proxy service: fix libcap output reference
After 7382afac40 shared objects are in
`libcap.lib`
2016-05-07 20:18:27 +02:00
Joachim Fasting
5b90702cd6 Merge pull request #15243 from sindikat/patch-1
update docs for services.dictd.* config options
2016-05-07 16:44:41 +02:00
Nikolay Amiantov
17e4803de7 initrd-ssh service: fix build 2016-05-07 15:38:46 +03:00
Nikolay Amiantov
f7c02f8670 ejabberd service: add image thumbnailing support 2016-05-07 14:31:16 +03:00
aszlig
64ca91cac9
nixos/tests/boot-stage1: Add myself to maintainers
As @edolstra pointed out that the kernel module might be painful to
maintain. I strongly disagree because it's only a small module and it's
good to have such a canary in the tests no matter how the bootup process
looks like, so I'm going the masochistic route and try to maintain it.

If it *really* becomes too much maintenance burden, we can still drop or
disable kcanary.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-05-06 21:32:21 +02:00
aszlig
eb6e366446
nixos/release-combined: Add boot-stage1 test
We don't want to push out a channel update whenever this test fails,
because that might have unexpected and confused side effects and it
*really* means that stage 1 of our boot up is broken.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-05-06 16:56:54 +02:00
aszlig
4f796c28d5
nixos/tests: Add a test for boot stage 1
We already have a small regression test for #15226 within the swraid
installer test. Unfortunately, we only check there whether the md
kthread got signalled but not whether other rampaging processes are
still alive that *should* have been killed.

So in order to do this we provide multiple canary processes which are
checked after the system has booted up:

 * canary1: It's a simple forking daemon which just sleeps until it's
            going to be killed. Of course we expect this process to not
            be alive anymore after boot up.
 * canary2: Similar to canary1, but tries to mimick a kthread to make
            sure that it's going to be properly killed at the end of
            stage 1.
 * canary3: Like canary2, but this time using a @ in front of its
            command name to actually prevent it from being killed.
 * kcanary: This one is a real kthread and it runs until killed, which
            shouldn't be the case.

Tested with and without 67223ee and everything works as expected, at
least on my machine.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-05-06 16:56:43 +02:00
aszlig
dc6d003011
nixos/tests/installer/swraid: Check for safemode
This is a regression test for #15226, so that the test will fail once we
accidentally kill one or more of the md kthreads (aka: if safe mode is
enabled).

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-05-06 16:51:38 +02:00
aszlig
67223ee205
nixos/stage-1: Don't kill kernel threads
Unfortunately, pkill doesn't distinguish between kernel and user space
processes, so we need to make sure we don't accidentally kill kernel
threads.

Normally, a kernel thread ignores all signals, but there are a few that
do. A quick grep on the kernel source tree (as of kernel 4.6.0) shows
the following source files which use allow_signal():

  drivers/isdn/mISDN/l1oip_core.c
  drivers/md/md.c
  drivers/misc/mic/cosm/cosm_scif_server.c
  drivers/misc/mic/cosm_client/cosm_scif_client.c
  drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
  drivers/staging/rtl8188eu/core/rtw_cmd.c
  drivers/staging/rtl8712/rtl8712_cmd.c
  drivers/target/iscsi/iscsi_target.c
  drivers/target/iscsi/iscsi_target_login.c
  drivers/target/iscsi/iscsi_target_nego.c
  drivers/usb/atm/usbatm.c
  drivers/usb/gadget/function/f_mass_storage.c
  fs/jffs2/background.c
  fs/lockd/clntlock.c
  fs/lockd/svc.c
  fs/nfs/nfs4state.c
  fs/nfsd/nfssvc.c

While not all of these are necessarily kthreads and some functionality
may still be unimpeded, it's still quite harmful and can cause
unexpected side-effects, especially because some of these kthreads are
storage-related (which we obviously don't want to kill during bootup).

During discussion at #15226, @dezgeg suggested the following
implementation:

for pid in $(pgrep -v -f '@'); do
    if [ "$(cat /proc/$pid/cmdline)" != "" ]; then
        kill -9 "$pid"
    fi
done

This has a few downsides:

 * User space processes which use an empty string in their command line
   won't be killed.
 * It results in errors during bootup because some shell-related
   processes are already terminated (maybe it's pgrep itself, haven't
   checked).
 * The @ is searched within the full command line, not just at the
   beginning of the string. Of course, we already had this until now, so
   it's not a problem of his implementation.

I posted an alternative implementation which doesn't suffer from the
first point, but even that one wasn't sufficient:

for pid in $(pgrep -v -f '^@'); do
    readlink "/proc/$pid/exe" &> /dev/null || continue
    echo "$pid"
done | xargs kill -9

This one spawns a subshell, which would be included in the processes to
kill and actually kills itself during the process.

So what we have now is even checking whether the shell process itself is
in the list to kill and avoids killing it just to be sure.

Also, we don't spawn a subshell anymore and use /proc/$pid/exe to
distinguish between user space and kernel processes like in the comments
of the following StackOverflow answer:

http://stackoverflow.com/a/12231039

We don't need to take care of terminating processes, because what we
actually want IS to terminate the processes.

The only point where this (and any previous) approach falls short if we
have processes that act like fork bombs, because they might spawn
additional processes between the pgrep and the killing. We can only
address this with process/control groups and this still won't save us
because the root user can escape from that as well.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Fixes: #15226
2016-05-06 16:24:42 +02:00
Lluís Batlle i Rossell
9f6afb7d78 Fixing nfsd service, wait on local-fs.
Otherwise, mountd was started exporting directories before local-fs was ready,
and it failed to start nfsd on missing fs.
2016-05-06 15:03:30 +02:00
Vladimír Čunát
25960a52c3 tested job: fix evaluation of chromium tests
It's a bit inconsistent now, but I want mainly unblock the channel.
/cc maintainer @aszlig.
2016-05-06 10:56:17 +02:00
Peter Simons
d270604117 nixos: remove redundant services.dovecot2.package option
Instead of using this option, please modify the dovecot package by means of an
override. For example:

  nixpkgs.config.packageOverrides = super: {
    dovecot = super.dovecot.override { withPgSQL = true; };
  };

Closes https://github.com/NixOS/nixpkgs/issues/14097.
2016-05-06 10:10:06 +02:00
zimbatm
3ade1e7d3e Merge branch 'pr/14911' 2016-05-05 21:28:27 +01:00
Joaquim Pedro França Simão
133dc10e5a open-vm-tools: fixes host VMware errors 2016-05-05 21:27:54 +01:00
zimbatm
f076f36f8f Merge pull request #14957 from dezgeg/gummiboot-test
NixOS installer tests: Add a test using Gummiboot
2016-05-05 21:14:30 +01:00
Mirzhan Irkegulov
0d28a8a501 update docs for services.dictd.* config options
added types for both options and an example for services.dictd.DBs
2016-05-05 20:11:16 +01:00
Eric Litak
3531c42e5d
factorio: module fixes 2016-05-05 20:11:52 +02:00
Joachim Fasting
23fd70b719 Merge pull request #15018 from ericsagnes/pkg-fix/php
php: add default php.ini
2016-05-05 19:16:04 +02:00
Joachim Fasting
5f09248ae8 Merge pull request #15228 from rnhmjoj/master
unclutter: switch to user service and add options
2016-05-05 18:37:27 +02:00
Tuomas Tynkkynen
df310048e5 release-combined.nix: More Chromium test evaluation fixes
Follow-up to f35e9386bd.
2016-05-05 06:23:12 +03:00
rnhmjoj
e34814e317
unclutter: switch to user service and add options 2016-05-04 21:15:49 +02:00
aszlig
acf7bc898a
nixos/tests/containers: Remove unused module arg
Just removing the system argument because it doesn't exist (it's
actually config.nixpkgs.system, which we're already using). We won't get
an error anyway if we're not actually using it, so this is just an
aesthetics fix.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-05-04 20:51:01 +02:00
aszlig
9fa30d3bad
nixos/tests/containers-imperative: Fix test
Make sure that we always have everything available within the store of
the VM, so let's evaluate/build the test container fully on the host
system and propagate all dependencies to the VM.

This way, even if there are additional default dependencies that come
with containers in the future we should be on the safe side as these
dependencies should now be included for the test as well.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @kampfschlaefer, @edolstra
2016-05-04 20:18:27 +02:00
aszlig
f35e9386bd
nixos/tests/chromium: Re-add map for all channels
This partially reverts f2d24b9840.

Instead of disabling the channels via removing the channel mapping from
the tests themselves, let's just explicitly reference the stable test in
release.nix. That way it's still possible to run the beta and dev tests
via something like "nix-build nixos/tests/chromium.nix -A beta" and
achieve the same effect of not building beta and dev versions on Hydra.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-05-04 18:45:44 +02:00
Eelco Dolstra
f2d24b9840 chromium: Disable Hydra builds of -dev and -beta
It's not the job of Nixpkgs to distribute beta versions of upstream
packages. More importantly, building these delays channel updates by
several hours, which is bad for our security fix turnaround time.
2016-05-04 18:16:27 +02:00
Joachim Fasting
0a61ab5845 Merge pull request #15200 from Pleune/fix/bspwm-java-noreparenting
bspwm: add _JAVA_AWT_WM_NONREPARENTING=1
2016-05-04 06:18:38 +02:00
Joachim Fasting
da767356f2
grsecurity: support disabling TCP simultaneous connect
Defaults to OFF because disabling TCP simultaneous connect breaks some
legitimate use cases, notably WebRTC [1], but it's nice to provide the
option for deployments where those features are unneeded anyway.

This is an alternative to https://github.com/NixOS/nixpkgs/pull/4937

[1]: http://article.gmane.org/gmane.linux.documentation/9425
2016-05-04 03:53:24 +02:00
Mitchell Pleune
571e9b5f1f bspwm: add _JAVA_AWT_WM_NONREPARENTING=1
bspwm is not in java's internal list of non-reparrenting
window managers. See https://awesomewm.org/wiki/Problems_with_Java
2016-05-03 17:46:48 -04:00
Bjørn Forsman
78b6e8c319 jenkins service: improve curl call in postStart
* Perform HTTP HEAD request instead of full GET (lighter weight)
* Don't log output of curl to the journal (it's noise/debug)
* Use explicit http:// URL scheme
* Reduce poll interval from 10s to 2s (respond to state changes
  quicker). Probably not relevant on boot (lots of services compete for
  the CPU), but online service restarts/reloads should be quicker.
* Pass --fail to curl (should be more robust against false positives)
* Use 4 space indent for shell code.
2016-05-03 23:12:45 +02:00
Bjørn Forsman
51e5beca42 jenkins service: remove unneeded (and brittle) part of postStart
The current postStart code holds Jenkins off the "started" state until
Jenkins becomes idle. But it should be enough to wait until Jenkins
start handling HTTP requests to consider it "started".

More reasons why the current approach is bad and we should remove it,
from @coreyoconnor in
https://github.com/NixOS/nixpkgs/issues/14991#issuecomment-216572571:

  1. Repeatedly curling for a specific human-readable string to
  determine "Active" is fragile. For instance, what happens when jenkins
  is localized?

  2. The time jenkins takes to initializes is variable. This (at least
  used to) depend on the number of jobs and any plugin upgrades requested.

  3. Jenkins can be requested to restart from the UI. Which will not
  affect the status of the service. This means that the service being
  "active" does not imply jenkins is initialized. Downstream services
  cannot assume jenkins is initialized if the service is active. Might
  as well accept that and remove the initialized test from service
  startup.

Fixes #14991.
2016-05-03 22:24:13 +02:00
aszlig
e7d3166656
nixos/tests/netboot: Fix evaluation error
Regression introduced by dfe608c8a2.

The commit turns the two arguments into one attrset argument so we need
to adapt that to use the new calling convention.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2016-05-03 22:05:11 +02:00
Vladimír Čunát
1b1e587aaf Merge #15105: nixos manual: rephrase indented strings 2016-05-02 11:58:45 +02:00
Joachim Fasting
60a27781d6
grsecurity module: fix grsec-lock unit ordering
Requirement without ordering implies parallel execution; it is crucial
that sysctl tunables are finalized before the lock is engaged, however.
2016-05-02 11:28:24 +02:00
aszlig
d2c64031a0
Merge pull request #14700: olinks for NixOS manual
This allows to use <olink> tags inside NixOS options to reference
sections from the manual. I've originally introduced it in #14476 to
reference the Taskserver specific documentation from the options
reference but as suggested by @nbp, this was done as a separate pull
request to ensure greater visibility rather than being "hidden" in the
Taskserver branch.

The build time for the manual is around 30s on my machine without this
change and 34s with this change, so it shouldn't have a very big impact
on the build time of the manual.

Olinks between the options reference and the manual now will look like
this:

"More instructions about NixOS in conjuction with Taskserver can be
found in the NixOS manual at Chapter 15, Taskserver."

More documentation about olinks can be found here:

http://www.sagehill.net/docbookxsl/Olinking.html

Acked-by: Eelco Dolstra <eelco.dolstra@logicblox.com>
2016-05-02 11:01:13 +02:00
Arseniy Seroka
48b739cc25 Merge pull request #15094 from jraygauthier/jrg/brscan4_init_rebased
brscan4: init at 0.4.3-3
2016-05-01 21:48:30 +03:00
Raymond Gauthier
758e8bd1a1 brscan4: init at 0.4.3-3
A sane backend for recent brother scanners.

Depends on the presence of etc files generated by the
nixos module of the same name.

Supports network scanner specification through the
nixos module.
2016-05-01 14:42:25 -04:00
Tobias Geerinckx-Rice
5508687ec2
Remove now useless proprietary Copy.com client and service
<https://techlib.barracuda.com/Copy/FAQ>

SaaS.
2016-05-01 14:38:08 +02:00