Commit graph

603 commits

Author SHA1 Message Date
Parnell Springmeyer
12a23b3d91 boot: create setcap-wrappers dir as a tmpfs 2016-09-01 19:15:56 -05:00
Domen Kožar
a6670c1a0b Fixes #18124: atomically replace /var/setuid-wrappers/ (#18186)
Before this commit updating /var/setuid-wrappers/ folder introduced
a small window where NixOS activation scripts could be terminated
and resulted into empty /var/setuid-wrappers/ folder.

That's very unfortunate because one might lose sudo binary.

Instead we use two atomic operations mv and ln (as described in
https://axialcorps.com/2013/07/03/atomically-replacing-files-and-directories/)
to achieve atomicity.

Since /var/setuid-wrappers is not a directory anymore, tmpfs mountpoints
were removed in installation scripts and in boot process.

Tested:

- upgrade /var/setuid-wrappers/ from folder to a symlink
- make sure /run/setuid-wrappers-dirs/ legacy symlink is really deleted
2016-09-01 20:57:51 +02:00
Domen Kožar
d163882770 Merge pull request #18172 from Profpatsch/startAt-type
systemd-unit-options: startAt can be a list
2016-09-01 20:44:32 +02:00
Domen Kožar
f5271680c4 Fixes #14831 by using full path for binaries used in install-grub.pl
Both btrfs-progs and utillinux are ~5MB, we may discuss in future
to handle this better but I see no better way at the moment than
increaing purity in the install process.
2016-09-01 10:36:38 +02:00
Domen Kožar
2a7293fd9d install-grub.pl: fix a double slash prefix bug 2016-09-01 10:14:44 +02:00
Domen Kožar
5e5b0d039c install-grub.pl: add comments 2016-09-01 10:14:44 +02:00
Profpatsch
488f0d9cb3 systemd-unit-options: startAt can be a list
OnCalendar entrys can be specified multiple times in a systemd timer, to
make more complex scheduling possible.

Tested by manually checking the timer generated by the following:

    systemd = {
      services.huhu = {
        description = "meh";
        wantedBy = [ "default.target" ];
        serviceConfig.ExecStart = "/bin/sh -c 'printf HUHU!'";
        startAt = [ "*:*:0/30" "*:0/1:15" ];
      };
    };

It prints HUHU to the log at seconds 0, 15 and 30 of each minute.
2016-09-01 00:39:36 +02:00
Nikolay Amiantov
509733a343 Merge pull request #17822 from abbradar/systemd-mounts
nixos filesystems: unify special filesystems handling
2016-08-30 22:42:19 +04:00
obadz
c7142c1aa3 Merge branch 'master' into staging 2016-08-28 13:33:13 +01:00
Domen Kožar
4af09e0031 Merge pull request #14311 from Profpatsch/mkRemovedOptionModule-replacement
mkRemovedOptionModule: add replacement argument
2016-08-28 13:55:28 +02:00
obadz
3de6e5be50 Merge branch 'master' into staging
Conflicts:
      pkgs/applications/misc/navit/default.nix
      pkgs/applications/networking/mailreaders/alpine/default.nix
      pkgs/applications/networking/mailreaders/realpine/default.nix
      pkgs/development/compilers/ghc/head.nix
      pkgs/development/libraries/openssl/default.nix
      pkgs/games/liquidwar/default.nix
      pkgs/games/spring/springlobby.nix
      pkgs/os-specific/linux/kernel/perf.nix
      pkgs/servers/sip/freeswitch/default.nix
      pkgs/tools/archivers/cromfs/default.nix
      pkgs/tools/graphics/plotutils/default.nix
2016-08-27 23:54:54 +01:00
Nikolay Amiantov
6efcfe03ae nixos filesystems: unify early filesystems handling
A new internal config option `fileSystems.<name>.early` is added to indicate
that the filesystem needs to be loaded very early (i.e. in initrd). They are
transformed to a shell script in `system.build.earlyMountScript` with calls to
an undefined `specialMount` function, which is expected to be caller-specific.
This option is used by stage-1, stage-2 and activation script to set up and
remount those filesystems.  Options for them are updated according to systemd
defaults.
2016-08-27 13:38:20 +03:00
Jan Malakhovski
b267785c43 nixos: generalize copy-paste from stage-1 and zfs to utils 2016-08-23 18:14:06 +00:00
Jan Malakhovski
8da59c406c nixos: copy resize2fs only for stage-1 fileSystems 2016-08-23 18:14:05 +00:00
Jan Malakhovski
65d26c4dc1 nixos: apply toposort to fileSystems to support bind and move mounts
And use new `config.system.build.fileSystems` property everywhere.
2016-08-23 18:14:05 +00:00
obadz
0e8d2725dc Merge branch 'master' into staging 2016-08-23 18:50:06 +01:00
Jan Malakhovski
1266852fd8 Revert a soon to be useless pice of "nixos/stage-1: add mechanism which lustrates all impurities from / (#17784)"
This reverts a pice of commit 3d16af70bf.
2016-08-23 17:48:14 +00:00
Nikolay Amiantov
1df4dd6bf5 initrd-ssh service: ensure that keys got copied into initrd
Fixes #17927.
2016-08-23 16:20:26 +03:00
obadz
24a9183f90 Merge branch 'hardened-stdenv' into staging
Closes #12895

Amazing work by @globin & @fpletz getting hardened compiler flags by
enabled default on the whole package set
2016-08-22 01:19:35 +01:00
obadz
ba50fd7170 Merge branch 'master' into staging 2016-08-22 01:18:11 +01:00
obadz
3d16af70bf nixos/stage-1: add mechanism which lustrates all impurities from / (#17784)
lustrate /ˈlʌstreɪt/ verb.
  purify by expiatory sacrifice, ceremonial washing, or some other
  ritual action.

- sudo touch /etc/NIXOS_LUSTRATE
  ⇒ on next reboot, during stage 1, everything but /nix and /boot
  is moved to /old-root
- echo "etc/passwd" | sudo tee -a /etc/NIXOS_LUSTRATE
  ⇒ on next reboot, during stage 1, everything but /nix and /boot
  is moved to /old-root; except /etc/passwd is copied back.

Useful for installing NixOS in place on another distro. For instance:

$ nix-env -iE '_: with import <nixpkgs/nixos> { configuration = {}; }; with config.system.build; [ nixos-generate-config manual.manpages ]'
$ sudo mkdir /etc/nixos
$ sudo `which nixos-generate-config`

… edit the configuration files in /etc/nixos using man configuration.nix
  if needed

  maybe add: users.extraUsers.root.initialHashedPassword = "" ?

… Build the entire NixOS system and link it to the system profile:
$ nix-env -p /nix/var/nix/profiles/system -f '<nixpkgs/nixos>' -A system --set

… If you were using a single user install:
$ sudo chown -R 0.0 /nix

… NixOS is about to take over
$ sudo touch /etc/NIXOS
$ sudo touch /etc/NIXOS_LUSTRATE

… Let's keep the configuration files we just created
$ echo etc/nixos | sudo tee -a /etc/NIXOS_LUSTRATE

$ sudo mv -v /boot /boot.bak &&
  sudo /nix/var/nix/profiles/system/bin/switch-to-configuration boot
$ sudo reboot

… NixOS boots, Stage 1 moves all the old distro stuff in /old-root.
2016-08-22 01:15:13 +01:00
Nikolay Amiantov
6b41f1132c nixos treewide: don't set MODULE_DIR 2016-08-19 17:56:54 +03:00
Nikolay Amiantov
5ff6e98486 modprobe service: drop kmod wrapper 2016-08-19 17:56:49 +03:00
Shea Levy
2942895d55 Merge branch 'install-bootloader-flag' 2016-08-17 21:16:29 -04:00
Julien Langlois
552c30c155 stage-1: exclude zram devices from resumeDevices 2016-08-17 00:21:47 -07:00
Shea Levy
b4954a8f38 Deprecate --install-grub in favor of --install-bootloader for nixos-rebuild.
Fixes #14293
2016-08-16 07:51:58 -04:00
Shea Levy
9adad8612b Revert "Merge branch 'modprobe-fix' of git://github.com/abbradar/nixpkgs"
Was meant to go into staging, sorry

This reverts commit 57b2d1e9b0, reversing
changes made to 760b2b9048.
2016-08-15 19:05:52 -04:00
Nikolay Amiantov
1f63958772 nixos treewide: don't set MODULE_DIR 2016-08-16 00:19:25 +03:00
Nikolay Amiantov
b2ebecd9e5 modprobe service: drop kmod wrapper 2016-08-16 00:19:25 +03:00
Robin Gloster
b7787d932e Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-08-12 09:46:53 +00:00
Thomas Tuegel
68922e3f74 nixos/stage-1: use readlink -e in builder
The builder has this convoluted `while` loop which just replicates
`readlink -e`. I'm sure there was a reason at one point, because the
loop has been there since time immemorial. It kept getting copied
around, I suspect because nobody bothered to understand what it actually
did.

Incidentally, this fixes #17513, but I have no idea why.
2016-08-08 09:45:45 -05:00
Thomas Tuegel
ee36bb8588 nixos/stage-1: fix antiquotation 2016-08-08 09:28:17 -05:00
Wout Mertens
db8401f603 Merge pull request #17100 from abbradar/resume-delay
nixos stage-1: wait for resume devices to appear
2016-08-08 11:34:38 +02:00
Nikolay Amiantov
986a40421a nixos stage-1: wait for devices during resumption attempt
Also a microimprovement -- use `test -n` instead of `test -e`
since we have already checked that the file exists.
2016-08-08 01:35:43 +03:00
Nikolay Amiantov
3ae468e835 nixos stage-1: move resumption below helper functions' definitions 2016-08-08 01:34:23 +03:00
Nikolay Amiantov
59aa3bb5c8 nixos stage-1: factor device waiting into a function 2016-08-08 01:32:18 +03:00
Tuomas Tynkkynen
2ea72fa9c8 nixos/luksroot: Reference correct output of openssl 2016-08-04 23:12:39 +03:00
Robin Gloster
63c7b4f9a7 Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-07-31 20:51:34 +00:00
Wout Mertens
3bb18c68d2 Merge pull request #17042 from rasendubi/etc
etc: remove obsolete directories
2016-07-26 09:04:10 +02:00
Alexey Shmalko
fe9cabedf0
etc: remove obsolete directories
This patch adds handling of a directory becoming a symlink in
/etc. Before this patch, the directory wasn't removed and then
symlinking failed, which caused directory not being updated at all.

The idea for the patch goes to @abbradar at
https://github.com/NixOS/nixpkgs/issues/16978#issuecomment-232921903:
> A heuristic idea for this -- a function `isStatic :: Path -> Bool`:
>
> * if path `/etc/foo` is a file, return True iff it's a symlink to `/etc/static/foo`.
> * if path is a directory, return True iff for all items in it `isStatic` is True.
>
> On any conflicts, if old path is static, it's safe to replace and/or
> delete stale. Otherwise make a backup and notify the user via a
> journal entry and console output.

The only difference here -- it will not replace user configs.

This also fixes https://github.com/NixOS/nixpkgs/issues/16978.
2016-07-25 15:50:53 +03:00
Robin Gloster
1f04b4a566 Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-07-21 00:56:43 +00:00
Nikolay Amiantov
3cc54bbad9 Merge pull request #17082 from abbradar/fix-early-kbd
Use new early kbd-setting code in initrd and fix layouts from external packages
2016-07-20 23:52:45 +04:00
Robin Gloster
203846b9de Merge remote-tracking branch 'upstream/master' into hardened-stdenv 2016-07-19 10:37:02 +00:00
Christian Kauhaus
3530f3f20a systemd: make ctrl-alt-del target configurable. (#16911)
We currently only allow upstream's default of "reboot.target" due to the
way the symlinks are initialized. I made this configurable similar to the
default unit.
2016-07-19 09:42:53 +02:00
Nikolay Amiantov
7bed3d0cb3 nixos stage-1: move keymap handling to kbd module 2016-07-18 23:27:45 +03:00
Nikolay Amiantov
3d69653d6b plymouth service: stop splash screen before a failure prompt 2016-07-18 13:45:37 +03:00
Nikolay Amiantov
7513a1d2f5 plymouth service: update root fs before stage 2 2016-07-18 13:45:37 +03:00
Nikolay Amiantov
9cab592abd plymouth service: style fixes 2016-07-18 13:45:37 +03:00
Nikolay Amiantov
86ad25625f nixos stage-1: add custom pre failure dialog commands 2016-07-18 13:45:37 +03:00
Nikolay Amiantov
193ab8be67 Revert "nixos stage-1: try to quit plymouth if started on failure"
This reverts commit c69c76ca7e.

This patch was messed up during a rebase -- the commit title doesn't match what
it really does at all (it is actually a broken attempt to get LUKS passphrase
prompts in Plymouth).
2016-07-17 15:03:13 +03:00