<section xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xmlns:xi="http://www.w3.org/2001/XInclude"
         version="5.0"
         xml:id="sec-release-20.03">
  <title>Release 20.03 (“Markhor”, 2020.03/??)</title>

  <section xmlns="http://docbook.org/ns/docbook"
           xmlns:xlink="http://www.w3.org/1999/xlink"
           xmlns:xi="http://www.w3.org/2001/XInclude"
           version="5.0"
           xml:id="sec-release-20.03-highlights">
    <title>Highlights</title>

    <para>
      In addition to numerous new and upgraded packages, this release has the
      following highlights:
    </para>

    <itemizedlist>
      <listitem>
        <para>
          Support is planned until the end of October 2020, handing over to 20.09.
        </para>
      </listitem>
      <listitem>
        <para>
          The PostgreSQL NixOS service now defaults to v11.
        </para>
      </listitem>
      <listitem>
        <para>
          The graphical installer image now starts the graphical session automatically.
          Previously you were greeted by a tty and asked to enter <command>systemctl start display-manager</command>.
          It is now possible to prevent the display-manager from running by selecting the <literal>Disable display-manager</literal>
          quirk in the boot menu.
        </para>
      </listitem>
      <listitem>
        <para>
          By default, zfs pools will now be trimmed on a weekly basis.
          Trimming is only done on supported devices (i.e. NVMe or SSDs)
          and should improve the throughput and lifetime of these devices.
          It is controlled by the <varname>services.zfs.trim.enable</varname> option.
          The zfs scrub service (<varname>services.zfs.autoScrub.enable</varname>)
          and the zfs autosnapshot service (<varname>services.zfs.autoSnapshot.enable</varname>)
          are now only enabled if zfs is set in <varname>config.boot.initrd.supportedFilesystems</varname> or
          <varname>config.boot.supportedFilesystems</varname>. These lists automatically contain
          zfs as soon as any zfs mountpoint is configured in <varname>fileSystems</varname>.
        </para>
      </listitem>
      <listitem>
        <para>
          <command>nixos-option</command> has been rewritten in C++, speeding it up, improving correctness,
          and adding an <option>--all</option> option which prints all options and their values.
        </para>
      </listitem>
      <listitem>
        <para>
          The <option>services.xserver.desktopManager.default</option> and <option>services.xserver.windowManager.default</option> options were replaced by a single <xref linkend="opt-services.xserver.displayManager.defaultSession"/> option to improve support for upstream session files. If you used something like:
<programlisting>
services.xserver.desktopManager.default = "xfce";
services.xserver.windowManager.default = "icewm";
</programlisting>
          you should change it to:
<programlisting>
services.xserver.displayManager.defaultSession = "xfce+icewm";
</programlisting>
        </para>
      </listitem>
    </itemizedlist>
  </section>

  <section xmlns="http://docbook.org/ns/docbook"
           xmlns:xlink="http://www.w3.org/1999/xlink"
           xmlns:xi="http://www.w3.org/2001/XInclude"
           version="5.0"
           xml:id="sec-release-20.03-new-services">
    <title>New Services</title>

    <para>
      The following new services were added since the last release:
    </para>

    <itemizedlist>
      <listitem>
        <para>
          The kubernetes kube-proxy now supports a new hostname configuration option,
          <literal>services.kubernetes.proxy.hostname</literal>, which must be
          set if the node's hostname should differ from the default.
        </para>
      </listitem>
      <listitem>
        <para>
          UPower's configuration is now managed by NixOS and can be customized
          via <option>services.upower</option>.
        </para>
      </listitem>
    </itemizedlist>

  </section>

  <section xmlns="http://docbook.org/ns/docbook"
           xmlns:xlink="http://www.w3.org/1999/xlink"
           xmlns:xi="http://www.w3.org/2001/XInclude"
           version="5.0"
           xml:id="sec-release-20.03-incompatibilities">
    <title>Backward Incompatibilities</title>

    <para>
      When upgrading from a previous release, please be aware of the following
      incompatible changes:
    </para>

    <itemizedlist>
      <listitem>
        <para>
          GnuPG is now built without support for a graphical passphrase entry
          by default. Please enable the <literal>gpg-agent</literal> user service
          via the NixOS option <literal>programs.gnupg.agent.enable</literal>.
          Note that upstream recommends using <literal>gpg-agent</literal> and
          will spawn a <literal>gpg-agent</literal> on the first invocation of
          GnuPG anyway.
        </para>
      </listitem>
      <listitem>
        <para>
          The <literal>dynamicHosts</literal> option has been removed from the
          <link linkend="opt-networking.networkmanager.enable">NetworkManager</link>
          module. Allowing (multiple) regular users to override host entries
          affecting the whole system opens up a huge attack vector, and there
          seem to be only very rare cases where this might be useful.
          Consider setting system-wide host entries using
          <link linkend="opt-networking.hosts">networking.hosts</link>, providing
          them via the DNS server in your network, or using
          <link linkend="opt-environment.etc">environment.etc</link>
          to add a file into <literal>/etc/NetworkManager/dnsmasq.d</literal>
          reconfiguring <literal>hostsdir</literal>.
        </para>
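        <para>
          The alternatives recommended above, as an added configuration example that is not part of the original release notes: static entries through <literal>networking.hosts</literal>, plus a dnsmasq <literal>hostsdir</literal> drop-in under <literal>/etc/NetworkManager/dnsmasq.d</literal> that points at a read-only store directory. The hostnames and addresses are constructed, and the example assumes NetworkManager is using its dnsmasq plugin (<literal>networking.networkmanager.dns = "dnsmasq"</literal>).
        </para>

```nix
# Added example, not from the release notes: system-wide host entries that
# replace a removed `dynamicHosts` setup. All names and addresses are
# constructed sample values.
{ config, lib, pkgs, ... }:

let
  # Hosts-format file placed in the Nix store: root-owned, immutable, and part
  # of the system closure, so no unprivileged user can alter what the whole
  # machine resolves (the problem that led to dynamicHosts being removed).
  extraHosts = pkgs.writeTextDir "staging.hosts" ''
    10.0.0.9 staging.internal.example
  '';
in
{
  # 1. Entries that every user and service should see. The attribute name is
  #    the address, the value the list of names that resolve to it.
  networking.hosts = {
    "10.0.0.5" = [ "git.internal.example" "ci.internal.example" ];
    "fd00::5"  = [ "git.internal.example" ];
  };

  # 2. Entries that only NetworkManager's local dnsmasq resolver should serve.
  #    NetworkManager reads /etc/NetworkManager/dnsmasq.d/*.conf when its
  #    dnsmasq plugin is active (assumption: dns = "dnsmasq").
  networking.networkmanager = {
    enable = true;
    dns = "dnsmasq";
  };

  # hostsdir makes dnsmasq load every hosts-format file in the directory,
  # here the store path built above.
  environment.etc."NetworkManager/dnsmasq.d/10-extra-hosts.conf".text = ''
    hostsdir=${extraHosts}
  '';
}
```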
      </listitem>
      <listitem>
        <para>
          The <literal>99-main.network</literal> file was removed. Matching all
          network interfaces caused many breakages, see
          <link xlink:href="https://github.com/NixOS/nixpkgs/pull/18962">#18962</link>
          and <link xlink:href="https://github.com/NixOS/nixpkgs/pull/71106">#71106</link>.
        </para>
        <para>
          The global <link linkend="opt-networking.useDHCP">networking.useDHCP</link>,
          <link linkend="opt-networking.defaultGateway">networking.defaultGateway</link> and
          <link linkend="opt-networking.defaultGateway6">networking.defaultGateway6</link> options
          were already unsupported when <link linkend="opt-networking.useNetworkd">networking.useNetworkd</link> is enabled;
          users are instead directed to configure the per-device
          <link linkend="opt-networking.interfaces">networking.interfaces.&lt;name&gt;.…</link> options.
        </para>
      </listitem>
      <listitem>
        <para>
          The stdenv now runs all bash with <literal>set -u</literal>, to catch the use of undefined variables.
          Previously, the stdenv itself used <literal>set -u</literal> but was careful to unset it so that other packages' code ran as before.
          Now all bash code is held to the same standard, and the rather complex stateful manipulation of the shell options can be discarded.
        </para>
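        <para>
          As an added example that is not from the release notes, here is a derivation whose build phase is written for the <literal>set -u</literal> stdenv; <literal>EXTRA_CFLAGS</literal> and <literal>enableDebug</literal> are hypothetical optional attributes a caller may or may not pass in. Note that a literal bash <literal>${VAR:-}</literal> inside a Nix indented string has to be written <literal>''${VAR:-}</literal>, otherwise Nix treats it as an interpolation.
        </para>

```nix
# Added example, not from the release notes: a build phase that tolerates
# optional, possibly unset variables under the stdenv's `set -u`.
{ stdenv }:

stdenv.mkDerivation {
  pname = "set-u-demo";
  version = "0.1";
  src = ./.;   # assumed to contain demo.c

  buildPhase = ''
    runHook preBuild

    # Under `set -u`, expanding a variable that was never set aborts the
    # build with "EXTRA_CFLAGS: unbound variable". Before 20.03 this line
    # silently expanded to nothing; now it is a hard error:
    #   gcc $EXTRA_CFLAGS -o demo demo.c

    # Give every optional variable an explicit default instead.
    cflags="''${EXTRA_CFLAGS:-}"

    # Presence tests need the same form; a bare $enableDebug would trip the
    # unbound-variable check as well.
    if [ -n "''${enableDebug:-}" ]; then
      cflags="$cflags -g -O0"
    fi

    gcc $cflags -o demo demo.c

    runHook postBuild
  '';

  installPhase = ''
    runHook preInstall
    install -Dm755 demo "$out/bin/demo"
    runHook postInstall
  '';
}
```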
      </listitem>
      <listitem>
        <para>
          The SLIM Display Manager has been removed, as it has been unmaintained since 2013.
          Consider migrating to a different display manager such as LightDM (the current default in NixOS),
          SDDM, GDM, or using the startx module, which uses Xinitrc.
        </para>
      </listitem>
      <listitem>
        <para>
          The BEAM package set has been deleted; only the different interpreters remain there.
          You should now use the build tools that come with the languages, with sandbox mode disabled.
        </para>
      </listitem>
      <listitem>
        <para>
          There is now only one Xfce package set and module. This means the attributes <literal>xfce4-14</literal>,
          <literal>xfce4-12</literal>, and <literal>xfceUnstable</literal> all now point to the latest Xfce 4.14
          packages. In future NixOS releases this will be the latest version of Xfce released at the
          time of the release's development (if viable).
        </para>
      </listitem>
      <listitem>
        <para>
          The <link linkend="opt-services.phpfpm.pools">phpfpm</link> module now sets
          <literal>PrivateTmp=true</literal> in its systemd units for better process isolation.
          If you rely on <literal>/tmp</literal> being shared with other services, explicitly override this by
          setting <literal>serviceConfig.PrivateTmp</literal> to <literal>false</literal> for each phpfpm unit.
        </para>
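        <para>
          An added example (not from the release notes) showing one pool that keeps the new <literal>PrivateTmp</literal> isolation and one that opts out; the pool names, users and settings are constructed, and the <literal>shop</literal> and <literal>legacy</literal> users are assumed to be defined elsewhere. The module sets <literal>PrivateTmp = true</literal> itself, so the override needs <literal>lib.mkForce</literal> to win over the module's definition.
        </para>

```nix
# Added example, not from the release notes: two phpfpm pools, one isolated,
# one explicitly sharing /tmp. Pool names, users and values are constructed.
{ config, lib, ... }:

{
  services.phpfpm.pools = {
    # Keeps the 20.03 default: the unit gets its own private /tmp, so a
    # compromised worker cannot read or plant files other services use.
    shop = {
      user = "shop";
      group = "shop";
      settings = {
        "listen.owner" = config.services.nginx.user;
        "pm" = "dynamic";
        "pm.max_children" = 8;
        "pm.start_servers" = 2;
        "pm.min_spare_servers" = 1;
        "pm.max_spare_servers" = 3;
      };
    };

    # Hands uploaded files to another unit through /tmp, so it has to opt
    # out of the isolation (see the override below).
    legacy = {
      user = "legacy";
      group = "legacy";
      settings = {
        "listen.owner" = config.services.nginx.user;
        "pm" = "static";
        "pm.max_children" = 2;
      };
    };
  };

  # Every pool runs as the systemd unit phpfpm-NAME. Only the one pool that
  # really needs a shared /tmp is opened up; mkForce overrides the module's
  # own PrivateTmp = true definition, which has the same priority.
  systemd.services."phpfpm-legacy".serviceConfig.PrivateTmp = lib.mkForce false;
}
```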
      </listitem>
      <listitem>
        <para>
          KDE’s old multimedia framework Phonon no longer supports Qt 4. For that reason, the Plasma desktop no longer has an <option>enableQt4Support</option> option either.
        </para>
      </listitem>
      <listitem>
        <para>
          The BeeGFS module has been removed.
        </para>
      </listitem>
      <listitem>
        <para>
          The osquery module has been removed.
        </para>
      </listitem>
      <listitem>
        <para>
          Going forward, <literal>~/bin</literal> in the user's home directory will no longer be in <literal>PATH</literal> by default.
          If you depend on this, set the option <literal>environment.homeBinInPath</literal> to <literal>true</literal>.
          This option was added in this release.
        </para>
      </listitem>
      <listitem>
        <para>
          The <literal>buildRustCrate</literal> infrastructure now produces <literal>lib</literal> outputs in addition to the <literal>out</literal> output.
          This has led to drastically reduced closure sizes for some Rust crates, since development dependencies are now in the <literal>lib</literal> output.
        </para>
      </listitem>
      <listitem>
        <para>
          Pango was upgraded to 1.44, which no longer uses freetype for font loading. This means that Type 1
          and bitmap fonts are no longer supported in applications relying on Pango for font rendering
          (notably, GTK applications). See the <link xlink:href="https://gitlab.gnome.org/GNOME/pango/issues/386">
          upstream issue</link> for more information.
        </para>
      </listitem>
      <listitem>
        <para>
          The packages <literal>openobex</literal> and <literal>obexftp</literal>
          are no longer installed when enabling Bluetooth via
          <option>hardware.bluetooth.enable</option>.
        </para>
      </listitem>
      <listitem>
        <para>
          The <literal>dump1090</literal> derivation has been changed to use FlightAware's dump1090
          as its upstream. However, this version no longer has an internal webserver. The
          assets in the <literal>share/dump1090</literal> directory of the derivation can be used
          in conjunction with an external webserver to replace this functionality.
        </para>
      </listitem>
      <listitem>
        <para>
          The fourStore and fourStoreEndpoint modules have been removed.
        </para>
      </listitem>
      <listitem>
        <para>
          Polkit no longer has the user with uid 0 (root) as an admin identity.
          We now follow the upstream default of granting admin privileges only to members of the wheel
          group; before, it was root and members of wheel.
          The positive outcome of this is that pkexec GUI popups or terminal prompts
          will no longer require the user to choose between two essentially equivalent
          choices (whether to perform the action as themselves with wheel permissions, or as the root user).
        </para>
      </listitem>
      <listitem>
        <para>
          NixOS containers no longer build the NixOS manual by default. This saves evaluation time,
          especially if there are many declarative containers defined. Note that this is already done
          when the <literal>&lt;nixos/modules/profiles/minimal.nix&gt;</literal> module is included
          in the container config.
        </para>
      </listitem>
      <listitem>
        <para>
          The <literal>kresd</literal> service deprecates the <literal>interfaces</literal> option
          in favor of the <literal>listenPlain</literal> option, which requires a full
          <link xlink:href="https://www.freedesktop.org/software/systemd/man/systemd.socket.html#ListenStream=">systemd.socket-compatible</link>
          declaration that always includes a port.
        </para>
      </listitem>
      <listitem>
        <para>
          Virtual console options have been reorganized and can be found under
          a single top-level attribute: <literal>console</literal>.
          The full set of changes is as follows:
        </para>
        <itemizedlist>
          <listitem>
            <para>
              <literal>i18n.consoleFont</literal> renamed to
              <link linkend="opt-console.font">console.font</link>
            </para>
          </listitem>
          <listitem>
            <para>
              <literal>i18n.consoleKeyMap</literal> renamed to
              <link linkend="opt-console.keyMap">console.keyMap</link>
            </para>
          </listitem>
          <listitem>
            <para>
              <literal>i18n.consoleColors</literal> renamed to
              <link linkend="opt-console.colors">console.colors</link>
            </para>
          </listitem>
          <listitem>
            <para>
              <literal>i18n.consolePackages</literal> renamed to
              <link linkend="opt-console.packages">console.packages</link>
            </para>
          </listitem>
          <listitem>
            <para>
              <literal>i18n.consoleUseXkbConfig</literal> renamed to
              <link linkend="opt-console.useXkbConfig">console.useXkbConfig</link>
            </para>
          </listitem>
          <listitem>
            <para>
              <literal>boot.earlyVconsoleSetup</literal> renamed to
              <link linkend="opt-console.earlySetup">console.earlySetup</link>
            </para>
          </listitem>
          <listitem>
            <para>
              <literal>boot.extraTTYs</literal> renamed to
              <link linkend="opt-console.extraTTYs">console.extraTTYs</link>
            </para>
          </listitem>
        </itemizedlist>
      </listitem>
      <listitem>
        <para>
          The <link linkend="opt-services.awstats.enable">awstats</link> module has been rewritten
          to serve stats via static HTML pages, updated on a timer, over <link linkend="opt-services.nginx.virtualHosts">nginx</link>,
          instead of dynamic CGI pages over <link linkend="opt-services.httpd.enable">apache</link>.
        </para>
        <para>
          Minor changes will be required to migrate existing configurations. Details of the
          required changes can be seen by looking through the <link linkend="opt-services.awstats.enable">awstats</link>
          module.
        </para>
      </listitem>
      <listitem>
        <para>
          The httpd module no longer provides options to support serving web content without defining a virtual host. As a
          result, the <link linkend="opt-services.httpd.logPerVirtualHost">services.httpd.logPerVirtualHost</link>
          option now defaults to <literal>true</literal> instead of <literal>false</literal>. Please update your
          configuration to make use of <link linkend="opt-services.httpd.virtualHosts">services.httpd.virtualHosts</link>.
        </para>
        <para>
          The <link linkend="opt-services.httpd.virtualHosts">services.httpd.virtualHosts.&lt;name&gt;</link>
          option has changed type from a list of submodules to an attribute set of submodules, better matching
          <link linkend="opt-services.nginx.virtualHosts">services.nginx.virtualHosts.&lt;name&gt;</link>.
        </para>
        <para>
          This change comes with the addition of the following options, which mimic the functionality of their <literal>nginx</literal> counterparts:
          <link linkend="opt-services.httpd.virtualHosts">services.httpd.virtualHosts.&lt;name&gt;.addSSL</link>,
          <link linkend="opt-services.httpd.virtualHosts">services.httpd.virtualHosts.&lt;name&gt;.forceSSL</link>,
          <link linkend="opt-services.httpd.virtualHosts">services.httpd.virtualHosts.&lt;name&gt;.onlySSL</link>,
          <link linkend="opt-services.httpd.virtualHosts">services.httpd.virtualHosts.&lt;name&gt;.enableACME</link>,
          <link linkend="opt-services.httpd.virtualHosts">services.httpd.virtualHosts.&lt;name&gt;.acmeRoot</link>, and
          <link linkend="opt-services.httpd.virtualHosts">services.httpd.virtualHosts.&lt;name&gt;.useACMEHost</link>.
        </para>
      </listitem>
      <listitem>
        <para>
          For NixOS configuration options, the <literal>loaOf</literal> type has
          been deprecated and will be removed in a future release. In nixpkgs,
          options of this type will be changed to <literal>attrsOf</literal>
          instead. If you were using one of these in your configuration, you will
          see a warning suggesting what changes will be required.
        </para>
        <para>
          For example, <link linkend="opt-users.users">users.users</link> is a
          <literal>loaOf</literal> option that is commonly used as follows:
<programlisting>
users.users =
  [ { name = "me";
      description = "My personal user.";
      isNormalUser = true;
    }
  ];
</programlisting>
          This should be rewritten by removing the list and using the
          value of <literal>name</literal> as the name of the attribute set:
<programlisting>
users.users.me =
  { description = "My personal user.";
    isNormalUser = true;
  };
</programlisting>
        </para>
        <para>
          For more information on this change, have a look at these links:
          <link xlink:href="https://github.com/NixOS/nixpkgs/issues/1800">issue #1800</link>,
          <link xlink:href="https://github.com/NixOS/nixpkgs/pull/63103">PR #63103</link>.
        </para>
      </listitem>
      <listitem>
        <para>
          For NixOS modules, the types <literal>types.submodule</literal> and <literal>types.submoduleWith</literal> now support
          paths as allowed values, similar to how <literal>imports</literal> supports paths.
          Because of this, if you have a module that defines an option of type
          <literal>either (submodule ...) path</literal>, it will break, since a path
          is now treated as the first type instead of the second. To fix this, change
          the type to <literal>either path (submodule ...)</literal>.
        </para>
      </listitem>
    </itemizedlist>
  </section>

  <section xmlns="http://docbook.org/ns/docbook"
           xmlns:xlink="http://www.w3.org/1999/xlink"
           xmlns:xi="http://www.w3.org/2001/XInclude"
           version="5.0"
           xml:id="sec-release-20.03-notable-changes">
    <title>Other Notable Changes</title>

    <itemizedlist>
      <listitem>
        <para>SD images are now compressed by default using <literal>bzip2</literal>.</para>
      </listitem>
      <listitem>
        <para>
          The nginx web server previously started its master process as root,
          then ran worker processes as a less privileged user.
          This was changed to start all of nginx as a less privileged user (defined by
          <literal>services.nginx.user</literal> and
          <literal>services.nginx.group</literal>). As a consequence, all files that
          are needed for nginx to run (included configuration fragments, SSL
          certificates and keys, etc.) must now be readable by this less privileged
          user/group.
        </para>
      </listitem>
      <listitem>
        <para>
          OpenSSH has been upgraded from 7.9 to 8.1, improving security and adding features
          but with potential incompatibilities. Consult the
          <link xlink:href="https://www.openssh.com/txt/release-8.1">
          release announcement</link> for more information.
        </para>
      </listitem>
      <listitem>
        <para>
          <literal>PRETTY_NAME</literal> in <literal>/etc/os-release</literal>
          now uses the short rather than the full version string.
        </para>
      </listitem>
      <listitem>
        <para>
          The ACME module has switched from simp-le to <link xlink:href="https://github.com/go-acme/lego">lego</link>,
          which allows us to support DNS-01 challenges and wildcard certificates. The following options have been added:
          <link linkend="opt-security.acme.acceptTerms">security.acme.acceptTerms</link>,
          <link linkend="opt-security.acme.certs">security.acme.certs.&lt;name&gt;.dnsProvider</link>,
          <link linkend="opt-security.acme.certs">security.acme.certs.&lt;name&gt;.credentialsFile</link>,
          <link linkend="opt-security.acme.certs">security.acme.certs.&lt;name&gt;.dnsPropagationCheck</link>.
          In addition, the option <literal>security.acme.acceptTerms</literal> and either
          <literal>security.acme.email</literal> or <literal>security.acme.certs.&lt;name&gt;.email</literal>
          must be set in order to use the ACME module.
          Certificates will be regenerated from scratch on the next renewal date. The credentials for simp-le are
          preserved, so it is possible to roll back to previous versions without breaking certificate
          generation.
        </para>
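        <para>
          An added example, not from the release notes, that ties this ACME change to the nginx change above in this list (nginx now runs entirely as <literal>services.nginx.user</literal>, so it must be able to read the certificate files): a DNS-01 wildcard certificate obtained via lego and consumed by an nginx virtual host. The domain, provider and credentials path are constructed, and the <literal>group</literal>, <literal>allowKeysForGroup</literal> and <literal>extraDomains</literal> certificate options are assumed to exist in this release's module.
        </para>

```nix
# Added example, not from the release notes: DNS-01 wildcard certificate via
# the lego-based ACME module, readable by the now fully unprivileged nginx.
# Domain, provider and paths are constructed sample values.
{ config, ... }:

{
  security.acme = {
    # Both are mandatory since the switch to lego.
    acceptTerms = true;
    email = "hostmaster@example.com";

    certs."example.com" = {
      # DNS-01 proves control of the zone through a TXT record, which is what
      # allows a wildcard name that HTTP-01 could never validate.
      # (assumption: extraDomains takes an attribute set of names)
      extraDomains = { "*.example.com" = null; };
      dnsProvider = "rfc2136";   # any DNS provider lego supports
      # Provider credentials as lego environment variables. Kept outside the
      # world-readable Nix store; the file's contents are provider specific.
      credentialsFile = "/var/lib/secrets/acme-rfc2136.env";
      # Wait until the TXT record is visible before asking the CA to validate.
      dnsPropagationCheck = true;
      # nginx no longer has a root master process to read key material, so
      # the key and chain are made readable by nginx's group
      # (assumption: group and allowKeysForGroup exist in this module).
      group = config.services.nginx.group;
      allowKeysForGroup = true;
    };
  };

  services.nginx = {
    enable = true;
    virtualHosts."www.example.com" = {
      forceSSL = true;
      # Reuse the wildcard certificate instead of requesting a separate one.
      useACMEHost = "example.com";
      root = "/var/www/www.example.com";
    };
  };
}
```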
      </listitem>
    </itemizedlist>
  </section>
</section>