author: aszlig <aszlig@nix.build> 2019-03-27 21:07:07 +0100
committer: aszlig <aszlig@nix.build> 2019-03-27 21:07:07 +0100
commit: ada3239253444a6ac546f1e734988f117b3a289d
tree: 27c2993c17ee14ac939c127d575d609ff476d0cb /nixos/doc
parent: 52299bccf5a56f6af8a204a71c908c7b7623facb
nixos/release-notes: Add entry about confinement
First of all, the reason I added this to the "highlights" section is
that we want users to be aware of these options, because in the end we
really want to decrease the attack surface of NixOS services and this is
a step towards improving that situation.

The reason why I'm adding this to the changelog of the NixOS 19.03
release instead of 19.09 is that it makes backporting services that use
these options easier. Doing the backport of the confinement module after
the official release would mean that it's not part of the release
announcement and potentially could fall under the radar of most users.

These options and the whole module also do not change anything in
existing services or affect other modules, so they're purely optional.

Adding this "last minute" to the 19.03 release doesn't hurt and is
probably a good preparation for the next months where we hopefully
confine as many services as we can :-)

I also have asked @samueldr and @lheckemann whether they're okay with
the inclusion in 19.03. While so far only @samueldr has accepted the
change, we can still move the changelog entry to the NixOS 19.09 release
notes in case @lheckemann rejects it.

Signed-off-by: aszlig <aszlig@nix.build>
Diffstat (limited to 'nixos/doc')
-rw-r--r-- nixos/doc/manual/release-notes/rl-1903.xml | 11
1 files changed, 11 insertions, 0 deletions
diff --git a/nixos/doc/manual/release-notes/rl-1903.xml b/nixos/doc/manual/release-notes/rl-1903.xml
index a82724d7fb5..dddf4ed6016 100644
--- a/nixos/doc/manual/release-notes/rl-1903.xml
+++ b/nixos/doc/manual/release-notes/rl-1903.xml
@@ -64,6 +64,17 @@
        See: <xref linkend="sec-kubernetes"/> for details.
      </para>
    </listitem>
+   <listitem>
+     <para>
+       There is now a set of <option>confinement</option> options for
+       <option>systemd.services</option>, which allows to restrict services
+       into a <citerefentry>
+        <refentrytitle>chroot</refentrytitle>
+        <manvolnum>2</manvolnum>
+      </citerefentry>ed environment that only contains the store paths from
+      the runtime closure of the service.
+     </para>
+   </listitem>
   </itemizedlist>
  </section>
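Review bot: the phrase "which allows to restrict services into a chrooted environment" in the new `<para>` is ungrammatical; suggest "which allow services to be restricted to a chroot(2)ed environment" so the relative clause agrees with the plural "options" and reads naturally once the `<citerefentry>` is rendered. The indentation inside the new `<listitem>` is also inconsistent: the `<refentrytitle>`/`<manvolnum>` children and the `</citerefentry>ed environment` line sit one column shallower than the surrounding `<para>` text, so aligning them with the existing entries above keeps the XML uniform. Since the commit message stresses that these options are purely optional and do not change existing services, stating that explicitly in the entry (for example "these options are opt-in and do not affect services that do not enable them") would tell readers exactly what this release does and does not change.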