Diffstat (limited to 'nixos/doc/manual/release-notes/rl-2009.xml')
-rw-r--r-- | nixos/doc/manual/release-notes/rl-2009.xml | 180 |
1 files changed, 173 insertions, 7 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2009.xml b/nixos/doc/manual/release-notes/rl-2009.xml index e03a5f5ce5c..7a06c06fed1 100644 --- a/nixos/doc/manual/release-notes/rl-2009.xml +++ b/nixos/doc/manual/release-notes/rl-2009.xml @@ -44,6 +44,11 @@ </listitem> <listitem> <para> + PHP 7.2 is no longer supported due to upstream not supporting this version for the entire lifecycle of the 20.09 release. + </para> + </listitem> + <listitem> + <para> Python 3 now defaults to Python 3.8 instead of 3.7. </para> </listitem> @@ -109,6 +114,17 @@ systemd.services.mysql.serviceConfig.ProtectHome = lib.mkForce "read-only"; systemd.services.mysql.serviceConfig.ReadWritePaths = [ "/var/data" ]; </programlisting> </para> + <para> + The MySQL service no longer runs its <literal>systemd</literal> service startup script as <literal>root</literal> anymore. A dedicated non <literal>root</literal> + super user account is required for operation. This means users with an existing MySQL or MariaDB database server are required to run the following SQL statements + as a super admin user before upgrading: +<programlisting> +CREATE USER IF NOT EXISTS 'mysql'@'localhost' identified with unix_socket; +GRANT ALL PRIVILEGES ON *.* TO 'mysql'@'localhost' WITH GRANT OPTION; +</programlisting> + If you use MySQL instead of MariaDB please replace <literal>unix_socket</literal> with <literal>auth_socket</literal>. If you have changed the value of <xref linkend="opt-services.mysql.user"/> + from the default of <literal>mysql</literal> to a different user please change <literal>'mysql'@'localhost'</literal> to the corresponding user instead. + </para> </listitem> <listitem> <para> 
@@ -135,6 +151,11 @@ systemd.services.mysql.serviceConfig.ReadWritePaths = [ "/var/data" ]; The various documented workarounds to use steam have been converted to a module. <varname>programs.steam.enable</varname> enables steam, controller support and the workarounds. </para> </listitem> + <listitem> + <para> + Support for built-in LCDs in various pieces of Logitech hardware (keyboards and USB speakers). <varname>hardware.logitech.lcd.enable</varname> enables support for all hardware supported by the g15daemon project. + </para> + </listitem> </itemizedlist> </section> 
@@ -518,6 +539,46 @@ systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/www" ]; <listitem> <para> In the <literal>resilio</literal> module, <xref linkend="opt-services.resilio.httpListenAddr"/> has been changed to listen to <literal>[::1]</literal> instead of <literal>0.0.0.0</literal>. + </para> + </listitem> + <listitem> + <para> + Users of <link xlink:href="http://openafs.org">OpenAFS 1.6</link> must + upgrade their services to OpenAFS 1.8! In this release, the OpenAFS package + version 1.6.24 is marked broken but can be used during transition to + OpenAFS 1.8.x. Use the options + <option>services.openafsClient.packages.module</option>, + <option>services.openafsClient.packages.programs</option> and + <option>services.openafsServer.package</option> to select a different + OpenAFS package. OpenAFS 1.6 will be removed in the next release. The + package <literal>openafs</literal> and the service options will then + silently point to the OpenAFS 1.8 release. + </para> + <para> + See also the OpenAFS <link + xlink:href="http://docs.openafs.org/AdminGuide/index.html">Administrator + Guide</link> for instructions. Beware of the following when updating + servers: + <itemizedlist> + <listitem> + <para> + The storage format of the server key has changed and the key must be converted before running the new release. + </para> + </listitem> + <listitem> + <para> + When updating multiple database servers, turn off the database servers + from the highest IP down to the lowest with resting periods in + between. Start up in reverse order. Do not concurrently run database + servers working with different OpenAFS releases! + </para> + </listitem> + <listitem> + <para> + Update servers first, then clients. + </para> + </listitem> + </itemizedlist> </para> </listitem> <listitem> 
@@ -544,27 +605,90 @@ systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/www" ]; to be used for every display-manager in NixOS. </para> </listitem> - <listitem> + <listitem> <para> The <literal>bitcoind</literal> module has changed to multi-instance, using submodules. - Therefore, it is now mandatory to name each instance, e.g.: + Therefore, it is now mandatory to name each instance. + To use this new multi-instance config with an existing bitcoind data directory and user, + you have to adjust the original config, e.g.: +<programlisting> + services.bitcoind = { + enable = true; + extraConfig = "..."; + ... + }; +</programlisting> + To something similar: +<programlisting> + services.bitcoind.mainnet = { + enable = true; + dataDir = "/var/lib/bitcoind"; + user = "bitcoin"; + extraConfig = "..."; + ... + }; +</programlisting> + The key settings are: + <itemizedlist> + <listitem> + <para> + <literal>dataDir</literal> - to continue using the same data directory. + </para> + </listitem> + <listitem> + <para> + <literal>user</literal> - to continue using the same user so that bitcoind maintains access to its files. + </para> + </listitem> + </itemizedlist> + </para> + </listitem> + <listitem> + <para> + Graylog introduced a change in the LDAP server certificate validation behaviour for version 3.3.3 which might break existing setups. + When updating Graylog from a version before 3.3.3 make sure to check the Graylog <link xlink:href="https://www.graylog.org/post/announcing-graylog-v3-3-3">release info</link> for information on how to avoid the issue. + </para> + </listitem> + <listitem> + <para> + The <literal>dokuwiki</literal> module has changed to multi-instance, using submodules. + Therefore, it is now mandatory to name each instance. Moreover, forcing SSL by default has been dropped, so + <literal>nginx.forceSSL</literal> and <literal>nginx.enableACME</literal> are no longer set to <literal>true</literal>. 
+ To continue using your service with the original SSL settings, you have to adjust the original config, e.g.: <programlisting> -services.bitcoind = { +services.dokuwiki = { enable = true; + ... }; </programlisting> - requires a name now: + To something similar: <programlisting> -services.bitcoind."example-mainnet" = { +services.dokuwiki."mywiki" = { enable = true; + nginx = { + forceSSL = true; + enableACME = true; + }; + ... }; </programlisting> + The base package has also been upgraded to the 2020-07-29 "Hogfather" release. Plugins might be incompatible or require upgrading. </para> </listitem> <listitem> <para> - Graylog introduced a change in the LDAP server certificate validation behaviour for version 3.3.3 which might break existing setups. - When updating Graylog from a version before 3.3.3 make sure to check the Graylog <link xlink:href="https://www.graylog.org/post/announcing-graylog-v3-3-3">release info</link> for information on how to avoid the issue. + The <xref linkend="opt-services.postgresql.dataDir"/> option is now set to <literal>"/var/lib/postgresql/${cfg.package.psqlSchema}"</literal> regardless of your + <xref linkend="opt-system.stateVersion"/>. Users with an existing postgresql install that have a <xref linkend="opt-system.stateVersion"/> of <literal>17.09</literal> or below + should double check what the value of their <xref linkend="opt-services.postgresql.dataDir"/> option is (<literal>/var/db/postgresql</literal>) and then explicitly + set this value to maintain compatibility: +<programlisting> +services.postgresql.dataDir = "/var/db/postgresql"; +</programlisting> + </para> + </listitem> + <listitem> + <para> + The USBGuard module now removes options and instead hardcodes values for <literal>IPCAccessControlFiles</literal>, <literal>ruleFiles</literal>, and <literal>auditFilePath</literal>. Audit logs can be found in the journal. </para> </listitem> </itemizedlist> 
@@ -604,6 +728,11 @@ services.bitcoind."example-mainnet" = { </listitem> <listitem> <para> + <literal>buildGoModule</literal> <literal>doCheck</literal> now defaults to <literal>true</literal>. + </para> + </listitem> + <listitem> + <para> Packages built using <literal>buildRustPackage</literal> now use <literal>release</literal> mode for the <literal>checkPhase</literal> by default. </para> 
@@ -661,6 +790,37 @@ services.bitcoind."example-mainnet" = { </listitem> <listitem> <para> + The <literal>services.transmission</literal> module + was enhanced with the new options: + <xref linkend="opt-services.transmission.credentialsFile"/>, + <xref linkend="opt-services.transmission.openFirewall"/>, + and <xref linkend="opt-services.transmission.performanceNetParameters"/>. + </para> + <para> + <literal>transmission-daemon</literal> is now started with additional systemd sandbox/hardening options for better security. + Please <link xlink:href="https://github.com/NixOS/nixpkgs/issues">report</link> + any use case where this is not working well. + In particular, the <literal>RootDirectory</literal> option newly set + forbids uploading or downloading a torrent outside of the default directory + configured at <link linkend="opt-services.transmission.settings">settings.download-dir</link>. + If you really need Transmission to access other directories, + you must include those directories into the <literal>BindPaths</literal> of the service: +<programlisting> +systemd.services.transmission.serviceConfig.BindPaths = [ "/path/to/alternative/download-dir" ]; +</programlisting> + </para> + <para> + Also, connection to the RPC (Remote Procedure Call) of <literal>transmission-daemon</literal> + is now only available on the local network interface by default. + Use: +<programlisting> +services.transmission.settings.rpc-bind-address = "0.0.0.0"; +</programlisting> + to get the previous behavior of listening on all network interfaces. + </para> + </listitem> + <listitem> + <para> With this release <literal>systemd-networkd</literal> (when enabled through <xref linkend="opt-networking.useNetworkd"/>) has it's netlink socket created through a <literal>systemd.socket</literal> unit. This gives us control over socket buffer sizes and other parameters. For larger setups where networkd has to create a lot of (virtual) 
@@ -741,6 +901,12 @@ services.bitcoind."example-mainnet" = { There are no functional changes, however this may require updating some configurations to use correct types for all attributes. </para> </listitem> + <listitem> + <para> + The <literal>fontconfig</literal> module stopped generating fontconfig 2.10.x config and cache. + Fontconfig 2.10.x was removed from Nixpkgs - it hasn't been used in any nixpkgs package anymore. + </para> + </listitem> </itemizedlist> </section> </section> |
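Review bot: In the MySQL paragraph of the hunk at @@ -109,6 +114,17 @@, the text never says that 'mysql'@'localhost' authenticates through the socket plugin (unix_socket / auth_socket) rather than a password, so a reader cannot tell that GRANT ALL PRIVILEGES ON *.* ... WITH GRANT OPTION gives full database administration to anything running as that operating-system user. Suggest one sentence stating this, and that a changed services.mysql.user receives the same privileges. On wording, "no longer runs ... anymore" doubles the negative and "non root super user account" is hard to parse; "no longer runs its startup script as root" and "a dedicated non-root account with full privileges" would read better.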
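Review bot: In the OpenAFS item of the hunk at @@ -518,6 +539,46 @@, the bullet "The storage format of the server key has changed and the key must be converted before running the new release" names a mandatory step on key material without saying how to perform it or where in the Administrator Guide it is described. Suggest linking the specific section or naming the procedure. The same item says 1.6.24 "is marked broken but can be used during transition" without saying what a user has to set to build a package marked broken, and both links use http://, where an https:// URL would be preferable if the sites serve it.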
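Review bot: In the dokuwiki item of the hunk at @@ -544,27 +605,90 @@, the loss of forced SSL is mentioned mid-paragraph after the multi-instance change ("Moreover, forcing SSL by default has been dropped"), so an upgrader who only renames the instance ends up with nginx.forceSSL and nginx.enableACME unset without having been clearly warned. Suggest giving this its own paragraph that states the consequence before the example. In the USBGuard item of the same hunk, "removes options and instead hardcodes values" does not give the hardcoded values for IPCAccessControlFiles, ruleFiles and auditFilePath, so anyone who had set them cannot tell from the note where their rules are now expected to be.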
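Review bot: In the transmission item of the hunk at @@ -661,6 +790,37 @@, "only available on the local network interface" is ambiguous between the loopback interface and the LAN-facing one; state the actual default value of rpc-bind-address instead. The example that restores the old behaviour, rpc-bind-address = "0.0.0.0", exposes the RPC on every interface, so the paragraph should point to the credentialsFile option introduced in the same item and suggest binding to a specific address where that is sufficient. The "report" link also goes to the generic issue list rather than to a tracking issue for the sandboxing change.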