Diffstat (limited to 'nixos/doc/manual/release-notes/rl-2009.xml')
-rw-r--r-- | nixos/doc/manual/release-notes/rl-2009.xml | 987 |
1 files changed, 0 insertions, 987 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2009.xml b/nixos/doc/manual/release-notes/rl-2009.xml deleted file mode 100644 index 166aec25512..00000000000 --- a/nixos/doc/manual/release-notes/rl-2009.xml +++ /dev/null 
@@ -1,987 +0,0 @@ -<section xmlns="http://docbook.org/ns/docbook" - xmlns:xlink="http://www.w3.org/1999/xlink" - xmlns:xi="http://www.w3.org/2001/XInclude" - version="5.0" - xml:id="sec-release-20.09"> - <title>Release 20.09 (“Nightingale”, 2020.09/??)</title> - - <section xmlns="http://docbook.org/ns/docbook" - xmlns:xlink="http://www.w3.org/1999/xlink" - xmlns:xi="http://www.w3.org/2001/XInclude" - version="5.0" - xml:id="sec-release-20.09-highlights"> - <title>Highlights</title> - - <para> - In addition to numerous new and upgraded packages, this release has the - following highlights: - </para> - - <itemizedlist> - <listitem> - <para> - Support is planned until the end of April 2021, handing over to 21.03. - </para> - </listitem> - <listitem> - <para>GNOME desktop environment was upgraded to 3.36, see its <link xlink:href="https://help.gnome.org/misc/release-notes/3.36/">release notes</link>.</para> - </listitem> - <listitem> - <para> - <package>maxx</package> package removed along with <varname>services.xserver.desktopManager.maxx</varname> module. - Please migrate to <package>cdesktopenv</package> and <varname>services.xserver.desktopManager.cde</varname> module. - </para> - </listitem> - <listitem> - <para> - We now distribute a GNOME ISO. - </para> - </listitem> - <listitem> - <para> - PHP now defaults to PHP 7.4, updated from 7.3. - </para> - </listitem> - <listitem> - <para> - PHP 7.2 is no longer supported due to upstream not supporting this version for the entire lifecycle of the 20.09 release. - </para> - </listitem> - <listitem> - <para> - Python 3 now defaults to Python 3.8 instead of 3.7. - </para> - </listitem> - <listitem> - <para> - Two new options, <link linkend="opt-services.openssh.authorizedKeysCommand">authorizedKeysCommand</link> - and <link linkend="opt-services.openssh.authorizedKeysCommandUser">authorizedKeysCommandUser</link>, have - been added to the <literal>openssh</literal> module. 
If you have <literal>AuthorizedKeysCommand</literal> - in your <link linkend="opt-services.openssh.extraConfig">services.openssh.extraConfig</link> you should - make use of these new options instead. - </para> - </listitem> - <listitem> - <para> - There is a new module for Podman(<varname>virtualisation.podman</varname>), a drop-in replacement for the Docker command line. - </para> - </listitem> - <listitem> - <para> - The new <varname>virtualisation.containers</varname> module manages configuration shared by the CRI-O and Podman modules. - </para> - </listitem> - <listitem> - <para> - Declarative Docker containers are renamed from <varname>docker-containers</varname> to <varname>virtualisation.oci-containers.containers</varname>. - This is to make it possible to use <literal>podman</literal> instead of <literal>docker</literal>. - </para> - </listitem> - <listitem> - <para> - MariaDB has been updated to 10.4, MariaDB Galera to 26.4. - Before you upgrade, it would be best to take a backup of your database. - For MariaDB Galera Cluster, see <link xlink:href="https://mariadb.com/kb/en/upgrading-from-mariadb-103-to-mariadb-104-with-galera-cluster/">Upgrading - from MariaDB 10.3 to MariaDB 10.4 with Galera Cluster</link> instead. - Before doing the upgrade read <link xlink:href="https://mariadb.com/kb/en/upgrading-from-mariadb-103-to-mariadb-104/#incompatible-changes-between-103-and-104">Incompatible - Changes Between 10.3 and 10.4</link>. - After the upgrade you will need to run <literal>mysql_upgrade</literal>. - MariaDB 10.4 introduces a number of changes to the authentication process, intended to make things easier and more - intuitive. See <link xlink:href="https://mariadb.com/kb/en/authentication-from-mariadb-104/">Authentication from MariaDB 10.4</link>. - unix_socket auth plugin does not use a password, and uses the connecting user's UID instead. 
When a new MariaDB data directory is initialized, two MariaDB users are - created and can be used with new unix_socket auth plugin, as well as traditional mysql_native_password plugin: root@localhost and mysql@localhost. To actually use - the traditional mysql_native_password plugin method, one must run the following: -<programlisting> -services.mysql.initialScript = pkgs.writeText "mariadb-init.sql" '' - ALTER USER root@localhost IDENTIFIED VIA mysql_native_password USING PASSWORD("verysecret"); -''; -</programlisting> - When MariaDB data directory is just upgraded (not initialized), the users are not created or modified. - </para> - </listitem> - <listitem> - <para> - MySQL server is now started with additional systemd sandbox/hardening options for better security. The PrivateTmp, ProtectHome, and ProtectSystem options - may be problematic when MySQL is attempting to read from or write to your filesystem anywhere outside of its own state directory, for example when - calling <literal>LOAD DATA INFILE or SELECT * INTO OUTFILE</literal>. In this scenario a variant of the following may be required: - - allow MySQL to read from /home and /tmp directories when using <literal>LOAD DATA INFILE</literal> -<programlisting> -systemd.services.mysql.serviceConfig.ProtectHome = lib.mkForce "read-only"; -</programlisting> - - allow MySQL to write to custom folder <literal>/var/data</literal> when using <literal>SELECT * INTO OUTFILE</literal>, assuming the mysql user has write - access to <literal>/var/data</literal> -<programlisting> -systemd.services.mysql.serviceConfig.ReadWritePaths = [ "/var/data" ]; -</programlisting> - </para> - <para> - The MySQL service no longer runs its <literal>systemd</literal> service startup script as <literal>root</literal> anymore. A dedicated non <literal>root</literal> - super user account is required for operation. 
This means users with an existing MySQL or MariaDB database server are required to run the following SQL statements - as a super admin user before upgrading: -<programlisting> -CREATE USER IF NOT EXISTS 'mysql'@'localhost' identified with unix_socket; -GRANT ALL PRIVILEGES ON *.* TO 'mysql'@'localhost' WITH GRANT OPTION; -</programlisting> - If you use MySQL instead of MariaDB please replace <literal>unix_socket</literal> with <literal>auth_socket</literal>. If you have changed the value of <xref linkend="opt-services.mysql.user"/> - from the default of <literal>mysql</literal> to a different user please change <literal>'mysql'@'localhost'</literal> to the corresponding user instead. - </para> - </listitem> - <listitem> - <para> - The new option <link linkend="opt-documentation.man.generateCaches">documentation.man.generateCaches</link> - has been added to automatically generate the <literal>man-db</literal> caches, which are needed by utilities - like <command>whatis</command> and <command>apropos</command>. The caches are generated during the build of - the NixOS configuration: since this can be expensive when a large number of packages are installed, the - feature is disabled by default. - </para> - </listitem> - <listitem> - <para> - <varname>services.postfix.sslCACert</varname> was replaced by <varname>services.postfix.tlsTrustedAuthorities</varname> which now defaults to system certificate authorities. - </para> - </listitem> - <listitem> - <para> - Subordinate GID and UID mappings are now set up automatically for all normal users. - This will make container tools like Podman work as non-root users out of the box. - </para> - </listitem> - <listitem> - <para> - The various documented workarounds to use steam have been converted to a module. <varname>programs.steam.enable</varname> enables steam, controller support and the workarounds. 
- </para> - </listitem> - <listitem> - <para> - Support for built-in LCDs in various pieces of Logitech hardware (keyboards and USB speakers). <varname>hardware.logitech.lcd.enable</varname> enables support for all hardware supported by the g15daemon project. - </para> - </listitem> - <listitem> - <para> - Zabbix now defaults to 5.0, updated from 4.4. Please carefully read through - <link xlink:href="https://www.zabbix.com/documentation/current/manual/installation/upgrade/sources">the upgrade guide</link> - and apply any changes required. Be sure to take special note of the section on - <link xlink:href="https://www.zabbix.com/documentation/current/manual/installation/upgrade_notes_500#enabling_extended_range_of_numeric_float_values">enabling extended range of numeric (float) values</link> - as you will need to apply this database migration manually. - </para> - <para> - If you are using Zabbix Server with a MySQL or MariaDB database you should note that using a character set of <literal>utf8</literal> and a collate of <literal>utf8_bin</literal> has become mandatory with - this release. See the upstream <link xlink:href="https://support.zabbix.com/browse/ZBX-17357">issue</link> for further discussion. Before upgrading you should check the character set and collation used by - your database and ensure they are correct: -<programlisting> - SELECT - default_character_set_name, - default_collation_name - FROM - information_schema.schemata - WHERE - schema_name = 'zabbix'; -</programlisting> - If these values are not correct you should take a backup of your database and convert the character set and collation as required. 
Here is an - <link xlink:href="https://www.zabbix.com/forum/zabbix-help/396573-reinstall-after-upgrade?p=396891#post396891">example</link> of how to do so, taken from - the Zabbix forums: -<programlisting> - ALTER DATABASE `zabbix` DEFAULT CHARACTER SET utf8 COLLATE utf8_bin; - - -- the following will produce a list of SQL commands you should subsequently execute - SELECT CONCAT("ALTER TABLE ", TABLE_NAME," CONVERT TO CHARACTER SET utf8 COLLATE utf8_bin;") AS ExecuteTheString - FROM information_schema.`COLUMNS` - WHERE table_schema = "zabbix" AND COLLATION_NAME = "utf8_general_ci"; -</programlisting> - </para> - </listitem> - <listitem> - <para> - The NixOS module system now supports freeform modules as a mix between <literal>types.attrsOf</literal> and <literal>types.submodule</literal>. These allow you to explicitly declare a subset of options while still permitting definitions without an associated option. See <xref linkend='sec-freeform-modules'/> for how to use them. - </para> - </listitem> - <listitem> - <para> - The GRUB module gained support for basic password protection, which - allows to restrict non-default entries in the boot menu to one or more - users. The users and passwords are defined via the option - <option>boot.loader.grub.users</option>. - Note: Password support is only avaiable in GRUB version 2. - </para> - </listitem> - </itemizedlist> - </section> - - <section xmlns="http://docbook.org/ns/docbook" - xmlns:xlink="http://www.w3.org/1999/xlink" - xmlns:xi="http://www.w3.org/2001/XInclude" - version="5.0" - xml:id="sec-release-20.09-new-services"> - <title>New Services</title> - - <para> - The following new services were added since the last release: - </para> - - <itemizedlist> - <listitem> - <para> - There is a new <xref linkend="opt-security.doas.enable"/> module that provides <command>doas</command>, a lighter alternative to <command>sudo</command> with many of the same features. 
- </para> - </listitem> - </itemizedlist> - - </section> - - <section xmlns="http://docbook.org/ns/docbook" - xmlns:xlink="http://www.w3.org/1999/xlink" - xmlns:xi="http://www.w3.org/2001/XInclude" - version="5.0" - xml:id="sec-release-20.09-incompatibilities"> - <title>Backward Incompatibilities</title> - - <para> - When upgrading from a previous release, please be aware of the following - incompatible changes: - </para> - - <itemizedlist> - <listitem> - <para> - <literal>buildGoModule</literal> now internally creates a vendor directory - in the source tree for downloaded modules instead of using go's <link - xlink:href="https://golang.org/cmd/go/#hdr-Module_proxy_protocol">module - proxy protocol</link>. This storage format is simpler and therefore less - likely to break with future versions of go. As a result - <literal>buildGoModule</literal> switched from - <literal>modSha256</literal> to the <literal>vendorSha256</literal> - attribute to pin fetched version data. - </para> - </listitem> - <listitem> - <para> - Grafana is now built without support for phantomjs by default. Phantomjs support has been - <link xlink:href="https://grafana.com/docs/grafana/latest/guides/whats-new-in-v6-4/">deprecated in Grafana</link> - and the <package>phantomjs</package> project is - <link xlink:href="https://github.com/ariya/phantomjs/issues/15344#issue-302015362">currently unmaintained</link>. - It can still be enabled by providing <literal>phantomJsSupport = true</literal> to the package instantiation: -<programlisting>{ - services.grafana.package = pkgs.grafana.overrideAttrs (oldAttrs: rec { - phantomJsSupport = false; - }); -}</programlisting> - </para> - </listitem> - <listitem> - <para> - The <link linkend="opt-services.supybot.enable">supybot</link> module now uses <literal>/var/lib/supybot</literal> - as its default <link linkend="opt-services.supybot.stateDir">stateDir</link> path if <literal>stateVersion</literal> - is 20.09 or higher. 
It also enables a number of - <link xlink:href="https://www.freedesktop.org/software/systemd/man/systemd.exec.html#Sandboxing">systemd sandboxing options</link> - which may possibly interfere with some plugins. If this is the case you can disable the options through attributes in - <option>systemd.services.supybot.serviceConfig</option>. - </para> - </listitem> - <listitem> - <para> - The <literal>security.duosec.skey</literal> option, which stored a secret in the - nix store, has been replaced by a new - <link linkend="opt-security.duosec.secretKeyFile">security.duosec.secretKeyFile</link> - option for better security. - </para> - <para> - <literal>security.duosec.ikey</literal> has been renamed to - <link linkend="opt-security.duosec.integrationKey">security.duosec.integrationKey</link>. - </para> - </listitem> - <listitem> - <para> - <literal>vmware</literal> has been removed from the <literal>services.x11.videoDrivers</literal> defaults. - For VMWare guests set <literal>virtualisation.vmware.guest.enable</literal> to <literal>true</literal> which will include the appropriate drivers. - </para> - </listitem> - <listitem> - <para> - The initrd SSH support now uses OpenSSH rather than Dropbear to - allow the use of Ed25519 keys and other OpenSSH-specific - functionality. Host keys must now be in the OpenSSH format, and at - least one pre-generated key must be specified. - </para> - <para> - If you used the <option>boot.initrd.network.ssh.host*Key</option> - options, you'll get an error explaining how to convert your host - keys and migrate to the new - <option>boot.initrd.network.ssh.hostKeys</option> option. - Otherwise, if you don't have any host keys set, you'll need to - generate some; see the <option>hostKeys</option> option - documentation for instructions. - </para> - </listitem> - <listitem> - <para> - Since this release there's an easy way to customize your PHP - install to get a much smaller base PHP with only wanted - extensions enabled. 
See the following snippet installing a - smaller PHP with the extensions <literal>imagick</literal>, - <literal>opcache</literal>, <literal>pdo</literal> and - <literal>pdo_mysql</literal> loaded: - - <programlisting> -environment.systemPackages = [ - (pkgs.php.withExtensions - ({ all, ... }: with all; [ - imagick - opcache - pdo - pdo_mysql - ]) - ) -];</programlisting> - - The default <literal>php</literal> attribute hasn't lost any - extensions. The <literal>opcache</literal> extension has been - added. - - All upstream PHP extensions are available under <package><![CDATA[php.extensions.<name?>]]></package>. - </para> - <para> - All PHP <literal>config</literal> flags have been removed for - the following reasons: - - <itemizedlist> - <listitem> - <para> - The updated <literal>php</literal> attribute is now easily - customizable to your liking by using - <literal>php.withExtensions</literal> or - <literal>php.buildEnv</literal> instead of writing config files - or changing configure flags. - </para> - </listitem> - <listitem> - <para> - The remaining configuration flags can now be set directly on - the <literal>php</literal> attribute. For example, instead of - - <programlisting> -php.override { - config.php.embed = true; - config.php.apxs2 = false; -} - </programlisting> - - you should now write - - <programlisting> -php.override { - embedSupport = true; - apxs2Support = false; -} - </programlisting> - </para> - </listitem> - </itemizedlist> - - </para> - </listitem> - <listitem> - <para> - Gollum received a major update to version 5.x and you may have to change - some links in your wiki when migrating from gollum 4.x. More information - can be found - <link xlink:href="https://github.com/gollum/gollum/wiki/5.0-release-notes#migrating-your-wiki">here</link>. - </para> - </listitem> - <listitem> - <para> - Deluge 2.x was added and is used as default for new NixOS - installations where stateVersion is >= 20.09. 
If you are upgrading from a previous - NixOS version, you can set <literal>service.deluge.package = pkgs.deluge-2_x</literal> - to upgrade to Deluge 2.x and migrate the state to the new format. - Be aware that backwards state migrations are not supported by Deluge. - </para> - </listitem> - <listitem> - <para> - Add option <literal>services.nginx.enableSandbox</literal> to starting Nginx web server with additional sandbox/hardening options. - By default, write access to <literal>services.nginx.stateDir</literal> is allowed. To allow writing to other folders, - use <literal>systemd.services.nginx.serviceConfig.ReadWritePaths</literal> - <programlisting> -systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/var/www" ]; - </programlisting> - </para> - </listitem> - <listitem> - <para> - The NixOS options <literal>nesting.clone</literal> and - <literal>nesting.children</literal> have been deleted, and - replaced with named <xref linkend="opt-specialisation"/> - configurations. - </para> - - <para> - Replace a <literal>nesting.clone</literal> entry with: - -<programlisting>{ -<link xlink:href="#opt-specialisation">specialisation.example-sub-configuration</link> = { - <link xlink:href="#opt-specialisation._name_.configuration">configuration</link> = { - ... - }; -};</programlisting> - - </para> - <para> - Replace a <literal>nesting.children</literal> entry with: - -<programlisting>{ -<link xlink:href="#opt-specialisation">specialisation.example-sub-configuration</link> = { - <link xlink:href="#opt-specialisation._name_.inheritParentConfig">inheritParentConfig</link> = false; - <link xlink:href="#opt-specialisation._name_.configuration">configuration</link> = { - ... 
- }; -};</programlisting> - </para> - - <para> - To switch to a specialised configuration at runtime you need to - run: -<programlisting> -# sudo /run/current-system/specialisation/example-sub-configuration/bin/switch-to-configuration test -</programlisting> - Before you would have used: -<programlisting> -# sudo /run/current-system/fine-tune/child-1/bin/switch-to-configuration test -</programlisting> - </para> - </listitem> - <listitem> - <para> - The Nginx log directory has been moved to <literal>/var/log/nginx</literal>, the cache directory - to <literal>/var/cache/nginx</literal>. The option <literal>services.nginx.stateDir</literal> has - been removed. - </para> - </listitem> - <listitem> - <para> - The httpd web server previously started its main process as root - privileged, then ran worker processes as a less privileged identity user. - This was changed to start all of httpd as a less privileged user (defined by - <xref linkend="opt-services.httpd.user"/> and - <xref linkend="opt-services.httpd.group"/>). As a consequence, all files that - are needed for httpd to run (included configuration fragments, SSL - certificates and keys, etc.) must now be readable by this less privileged - user/group. - </para> - <para> - The default value for <xref linkend="opt-services.httpd.mpm"/> - has been changed from <literal>prefork</literal> to <literal>event</literal>. Along with - this change the default value for - <link linkend="opt-services.httpd.virtualHosts">services.httpd.virtualHosts.<name>.http2</link> - has been set to <literal>true</literal>. - </para> - </listitem> - <listitem> - <para> - The <literal>systemd-networkd</literal> option - <literal>systemd.network.networks.<name>.dhcp.CriticalConnection</literal> - has been removed following upstream systemd's deprecation of the same. It is recommended to use - <literal>systemd.network.networks.<name>.networkConfig.KeepConfiguration</literal> instead. 
- See <citerefentry><refentrytitle>systemd.network</refentrytitle> - <manvolnum>5</manvolnum></citerefentry> for details. - </para> - </listitem> - <listitem> - <para> - The <literal>systemd-networkd</literal> option - <literal>systemd.network.networks._name_.dhcpConfig</literal> - has been renamed to - <xref linkend="opt-systemd.network.networks._name_.dhcpV4Config"/> - following upstream systemd's documentation change. - See <citerefentry><refentrytitle>systemd.network</refentrytitle> - <manvolnum>5</manvolnum></citerefentry> for details. - </para> - </listitem> - <listitem> - <para> - In the <literal>picom</literal> module, several options that accepted - floating point numbers encoded as strings (for example - <xref linkend="opt-services.picom.activeOpacity"/>) have been changed - to the (relatively) new native <literal>float</literal> type. To migrate - your configuration simply remove the quotes around the numbers. - </para> - </listitem> - <listitem> - <para> - When using <literal>buildBazelPackage</literal> from Nixpkgs, - <literal>flat</literal> hash mode is now used for dependencies - instead of <literal>recursive</literal>. This is to better allow - using hashed mirrors where needed. As a result, these hashes - will have changed. - </para> - </listitem> - <listitem> - <para> - The rkt module has been removed, it was archived by upstream. - </para> - </listitem> - <listitem> - <para> - The <link xlink:href="https://bazaar.canonical.com">Bazaar</link> VCS is - unmaintained and, as consequence of the Python 2 EOL, the packages - <literal>bazaar</literal> and <literal>bazaarTools</literal> were - removed. Breezy, the backward compatible fork of Bazaar (see the - <link xlink:href="https://www.jelmer.uk/breezy-intro.html">announcement</link>), - was packaged as <literal>breezy</literal> and can be used instead. 
- </para> - <para> - Regarding Nixpkgs, <literal>fetchbzr</literal>, - <literal>nix-prefetch-bzr</literal> and Bazaar support in Hydra will - continue to work through Breezy. - </para> - </listitem> - <listitem> - <para> - In addition to the hostname, the fully qualified domain name (FQDN), - which consists of <literal>${cfg.hostName}</literal> and - <literal>${cfg.domain}</literal> is now added to - <literal>/etc/hosts</literal>, to allow local FQDN resolution, as used by the - <literal>hostname --fqdn</literal> command and other applications that - try to determine the FQDN. These new entries take precedence over entries - from the DNS which could cause regressions in some very specific setups. - Additionally the hostname is now resolved to <literal>127.0.0.2</literal> - instead of <literal>127.0.1.1</literal> to be consistent with what - <literal>nss-myhostname</literal> (from systemd) returns. - The old behaviour can e.g. be restored by using - <literal>networking.hosts = lib.mkForce { "127.0.1.1" = [ config.networking.hostName ]; };</literal>. - </para> - </listitem> - <listitem> - <para> - The hostname (<literal>networking.hostName</literal>) must now be a valid - DNS label (see RFC 1035) and as such must not contain the domain part. - This means that the hostname must start with a letter, end with a letter - or digit, and have as interior characters only letters, digits, and - hyphen. The maximum length is 63 characters. Additionally it is - recommended to only use lower-case characters. - </para> - </listitem> - <listitem> - <para> - The GRUB specific option <option>boot.loader.grub.extraInitrd</option> - has been replaced with the generic option - <option>boot.initrd.secrets</option>. This option creates a secondary - initrd from the specified files, rather than using a manually created - initrd file. 
- - Due to an existing bug with <option>boot.loader.grub.extraInitrd</option>, - it is not possible to directly boot an older generation that used that - option. It is still possible to rollback to that generation if the required - initrd file has not been deleted. - </para> - </listitem> - <listitem> - <para> - The <link xlink:href="https://github.com/okTurtles/dnschain">DNSChain</link> - package and NixOS module have been removed from Nixpkgs as the software is - unmaintained and can't be built. For more information see issue - <link xlink:href="https://github.com/NixOS/nixpkgs/issues/89205">#89205</link>. - </para> - </listitem> - <listitem> - <para> - In the <literal>resilio</literal> module, <xref linkend="opt-services.resilio.httpListenAddr"/> has been changed to listen to <literal>[::1]</literal> instead of <literal>0.0.0.0</literal>. - </para> - </listitem> - <listitem> - <para> - Users of <link xlink:href="http://openafs.org">OpenAFS 1.6</link> must - upgrade their services to OpenAFS 1.8! In this release, the OpenAFS package - version 1.6.24 is marked broken but can be used during transition to - OpenAFS 1.8.x. Use the options - <option>services.openafsClient.packages.module</option>, - <option>services.openafsClient.packages.programs</option> and - <option>services.openafsServer.package</option> to select a different - OpenAFS package. OpenAFS 1.6 will be removed in the next release. The - package <literal>openafs</literal> and the service options will then - silently point to the OpenAFS 1.8 release. - </para> - <para> - See also the OpenAFS <link - xlink:href="http://docs.openafs.org/AdminGuide/index.html">Administrator - Guide</link> for instructions. Beware of the following when updating - servers: - <itemizedlist> - <listitem> - <para> - The storage format of the server key has changed and the key must be converted before running the new release. 
- </para> - </listitem> - <listitem> - <para> - When updating multiple database servers, turn off the database servers - from the highest IP down to the lowest with resting periods in - between. Start up in reverse order. Do not concurrently run database - servers working with different OpenAFS releases! - </para> - </listitem> - <listitem> - <para> - Update servers first, then clients. - </para> - </listitem> - </itemizedlist> - </para> - </listitem> - <listitem> - <para> - Radicale's default package has changed from 2.x to 3.x. An upgrade - checklist can be found - <link xlink:href="https://github.com/Kozea/Radicale/blob/3.0.x/NEWS.md#upgrade-checklist">here</link>. - You can use the newer version in the NixOS service by setting the - <literal>package</literal> to <literal>radicale3</literal>, which is done - automatically if <literal>stateVersion</literal> is 20.09 or higher. - </para> - </listitem> - <listitem> - <para> - <literal>udpt</literal> experienced a complete rewrite from C++ to rust. The configuration format changed from ini to toml. - The new configuration documentation can be found at - <link xlink:href="https://naim94a.github.io/udpt/config.html">the official website</link> and example - configuration is packaged in <literal>${udpt}/share/udpt/udpt.toml</literal>. - </para> - </listitem> - <listitem> - <para> - We now have a unified <xref linkend="opt-services.xserver.displayManager.autoLogin"/> option interface - to be used for every display-manager in NixOS. - </para> - </listitem> - <listitem> - <para> - The <literal>bitcoind</literal> module has changed to multi-instance, using submodules. - Therefore, it is now mandatory to name each instance. - To use this new multi-instance config with an existing bitcoind data directory and user, - you have to adjust the original config, e.g.: -<programlisting> - services.bitcoind = { - enable = true; - extraConfig = "..."; - ... 
- }; -</programlisting> - To something similar: -<programlisting> - services.bitcoind.mainnet = { - enable = true; - dataDir = "/var/lib/bitcoind"; - user = "bitcoin"; - extraConfig = "..."; - ... - }; -</programlisting> - The key settings are: - <itemizedlist> - <listitem> - <para> - <literal>dataDir</literal> - to continue using the same data directory. - </para> - </listitem> - <listitem> - <para> - <literal>user</literal> - to continue using the same user so that bitcoind maintains access to its files. - </para> - </listitem> - </itemizedlist> - </para> - </listitem> - <listitem> - <para> - Graylog introduced a change in the LDAP server certificate validation behaviour for version 3.3.3 which might break existing setups. - When updating Graylog from a version before 3.3.3 make sure to check the Graylog <link xlink:href="https://www.graylog.org/post/announcing-graylog-v3-3-3">release info</link> for information on how to avoid the issue. - </para> - </listitem> - <listitem> - <para> - The <literal>dokuwiki</literal> module has changed to multi-instance, using submodules. - Therefore, it is now mandatory to name each instance. Moreover, forcing SSL by default has been dropped, so - <literal>nginx.forceSSL</literal> and <literal>nginx.enableACME</literal> are no longer set to <literal>true</literal>. - To continue using your service with the original SSL settings, you have to adjust the original config, e.g.: -<programlisting> -services.dokuwiki = { - enable = true; - ... -}; -</programlisting> - To something similar: -<programlisting> -services.dokuwiki."mywiki" = { - enable = true; - nginx = { - forceSSL = true; - enableACME = true; - }; - ... -}; -</programlisting> - The base package has also been upgraded to the 2020-07-29 "Hogfather" release. Plugins might be incompatible or require upgrading. 
- </para> - </listitem> - <listitem> - <para> - The <xref linkend="opt-services.postgresql.dataDir"/> option is now set to <literal>"/var/lib/postgresql/${cfg.package.psqlSchema}"</literal> regardless of your - <xref linkend="opt-system.stateVersion"/>. Users with an existing postgresql install that have a <xref linkend="opt-system.stateVersion"/> of <literal>17.03</literal> or below - should double check what the value of their <xref linkend="opt-services.postgresql.dataDir"/> option is (<literal>/var/db/postgresql</literal>) and then explicitly - set this value to maintain compatibility: -<programlisting> -services.postgresql.dataDir = "/var/db/postgresql"; -</programlisting> - </para> - <para> - The postgresql module now expects there to be a database super user account called <literal>postgres</literal> regardless of your <xref linkend="opt-system.stateVersion"/>. Users - with an existing postgresql install that have a <xref linkend="opt-system.stateVersion"/> of <literal>17.03</literal> or below should run the following SQL statements as a - database super admin user before upgrading: -<programlisting> -CREATE ROLE postgres LOGIN SUPERUSER; -</programlisting> - </para> - </listitem> - <listitem> - <para> - The USBGuard module now removes options and instead hardcodes values for <literal>IPCAccessControlFiles</literal>, <literal>ruleFiles</literal>, and <literal>auditFilePath</literal>. Audit logs can be found in the journal. - </para> - </listitem> - <listitem> - <para> - The NixOS module system now evaluates option definitions more strictly, allowing it to detect a larger set of problems. - As a result, what previously evaluated may not do so anymore. - See <link xlink:href="https://github.com/NixOS/nixpkgs/pull/82743#issuecomment-674520472">the PR that changed this</link> for more info. 
- </para> - </listitem> - </itemizedlist> - </section> - - <section xmlns="http://docbook.org/ns/docbook" - xmlns:xlink="http://www.w3.org/1999/xlink" - xmlns:xi="http://www.w3.org/2001/XInclude" - version="5.0" - xml:id="sec-release-20.09-notable-changes"> - <title>Other Notable Changes</title> - - <itemizedlist> - <listitem> - <para>SD images are now compressed by default using <literal>zstd</literal>. The compression for ISO images has also been changed to <literal>zstd</literal>, but ISO images are still not compressed by default.</para> - </listitem> - <listitem> - <para> - <option>services.journald.rateLimitBurst</option> was updated from - <literal>1000</literal> to <literal>10000</literal> to follow the new - upstream systemd default. - </para> - </listitem> - <listitem> - <para> - The <package>notmuch</package> package move its emacs-related binaries and - emacs lisp files to a separate output. They're not part - of the default <literal>out</literal> output anymore - if you relied on the - <literal>notmuch-emacs-mua</literal> binary or the emacs lisp files, access them via - the <literal>notmuch.emacs</literal> output. - </para> - </listitem> - <listitem> - <para> - The default output of <literal>buildGoPackage</literal> is now <literal>$out</literal> instead of <literal>$bin</literal>. - </para> - </listitem> - <listitem> - <para> - <literal>buildGoModule</literal> <literal>doCheck</literal> now defaults to <literal>true</literal>. - </para> - </listitem> - <listitem> - <para> - Packages built using <literal>buildRustPackage</literal> now use <literal>release</literal> - mode for the <literal>checkPhase</literal> by default. - </para> - <para> - Please note that Rust packages utilizing a custom build/install procedure - (e.g. by using a <filename>Makefile</filename>) or test suites that rely on the - structure of the <filename>target/</filename> directory may break due to those assumptions. 
- For further information, please read the Rust section in the Nixpkgs manual. - </para> - </listitem> - <listitem> - <para> - The cc- and binutils-wrapper's "infix salt" and <literal>_BUILD_</literal> and <literal>_TARGET_</literal> user infixes have been replaced with with a "suffix salt" and suffixes and <literal>_FOR_BUILD</literal> and <literal>_FOR_TARGET</literal>. - This matches the autotools convention for env vars which standard for these things, making interfacing with other tools easier. - </para> - </listitem> - <listitem> - <para> - Additional Git documentation (HTML and text files) is now available via the <literal>git-doc</literal> package. - </para> - </listitem> - <listitem> - <para> - Default algorithm for ZRAM swap was changed to <literal>zstd</literal>. - </para> - </listitem> - <listitem> - <para> - The scripted networking system now uses <literal>.link</literal> files in - <literal>/etc/systemd/network</literal> to configure mac address and link MTU, - instead of the sometimes buggy <literal>network-link-*</literal> units, which - have been removed. - Bringing the interface up has been moved to the beginning of the - <literal>network-addresses-*</literal> unit. - Note this doesn't require <command>systemd-networkd</command> - it's udev that - parses <literal>.link</literal> files. - Extra care needs to be taken in the presence of <link xlink:href="https://wiki.debian.org/NetworkInterfaceNames#THE_.22PERSISTENT_NAMES.22_SCHEME">legacy udev rules</link> - to rename interfaces, as MAC Address and MTU defined in these options can only match on the original link name. - In such cases, you most likely want to create a <literal>10-*.link</literal> file through <xref linkend="opt-systemd.network.links"/> and set both name and MAC Address / MTU there. - </para> - </listitem> - <listitem> - <para> - Grafana received a major update to version 7.x. A plugin is now needed for - image rendering support, and plugins must now be signed by default. 
More - information can be found - <link xlink:href="https://grafana.com/docs/grafana/latest/installation/upgrading/#upgrading-to-v7-0">in the Grafana documentation</link>. - </para> - </listitem> - <listitem> - <para> - The <literal>hardware.u2f</literal> module, which was installing udev rules - was removed, as udev gained native support to handle FIDO security tokens. - </para> - </listitem> - <listitem> - <para> - The <literal>services.transmission</literal> module - was enhanced with the new options: - <xref linkend="opt-services.transmission.credentialsFile"/>, - <xref linkend="opt-services.transmission.openFirewall"/>, - and <xref linkend="opt-services.transmission.performanceNetParameters"/>. - </para> - <para> - <literal>transmission-daemon</literal> is now started with additional systemd sandbox/hardening options for better security. - Please <link xlink:href="https://github.com/NixOS/nixpkgs/issues">report</link> - any use case where this is not working well. - In particular, the <literal>RootDirectory</literal> option newly set - forbids uploading or downloading a torrent outside of the default directory - configured at <link linkend="opt-services.transmission.settings">settings.download-dir</link>. - If you really need Transmission to access other directories, - you must include those directories into the <literal>BindPaths</literal> of the service: -<programlisting> -systemd.services.transmission.serviceConfig.BindPaths = [ "/path/to/alternative/download-dir" ]; -</programlisting> - </para> - <para> - Also, connection to the RPC (Remote Procedure Call) of <literal>transmission-daemon</literal> - is now only available on the local network interface by default. - Use: -<programlisting> -services.transmission.settings.rpc-bind-address = "0.0.0.0"; -</programlisting> - to get the previous behavior of listening on all network interfaces. 
- </para> - </listitem> - <listitem> - <para> - With this release <literal>systemd-networkd</literal> (when enabled through <xref linkend="opt-networking.useNetworkd"/>) - has it's netlink socket created through a <literal>systemd.socket</literal> unit. This gives us control over - socket buffer sizes and other parameters. For larger setups where networkd has to create a lot of (virtual) - devices the default buffer size (currently 128MB) is not enough. - </para> - <para> - On a machine with >100 virtual interfaces (e.g., wireguard tunnels, VLANs, …), that all have to - be brought up during system startup, the receive buffer size will spike for a brief period. - Eventually some of the message will be dropped since there is not enough (permitted) buffer - space available. - </para> - <para> - By having <literal>systemd-networkd</literal> start with a netlink socket created by - <literal>systemd</literal> we can configure the <literal>ReceiveBufferSize=</literal> parameter - in the socket options (i.e. <literal>systemd.sockets.systemd-networkd.socketOptions.ReceiveBufferSize</literal>) - without recompiling <literal>systemd-networkd</literal>. - </para> - <para> - Since the actual memory requirements depend on hardware, timing, exact - configurations etc. it isn't currently possible to infer a good default - from within the NixOS module system. Administrators are advised to - monitor the logs of <literal>systemd-networkd</literal> for <literal>rtnl: kernel receive buffer - overrun</literal> spam and increase the memory limit as they see fit. - </para> - <para> - Note: Increasing the <literal>ReceiveBufferSize=</literal> doesn't allocate any memory. It just increases - the upper bound on the kernel side. The memory allocation depends on the amount of messages that are - queued on the kernel side of the netlink socket. 
- </para> - </listitem> - <listitem> - <para> - Specifying <link linkend="opt-services.dovecot2.mailboxes">mailboxes</link> in the <package>dovecot2</package> module - as a list is deprecated and will break eval in 21.03. Instead, an attribute-set should be specified where the <literal>name</literal> - should be the key of the attribute. - </para> - <para> - This means that a configuration like this -<programlisting>{ - <link linkend="opt-services.dovecot2.mailboxes">services.dovecot2.mailboxes</link> = [ - { name = "Junk"; - auto = "create"; - } - ]; -}</programlisting> - should now look like this: -<programlisting>{ - <link linkend="opt-services.dovecot2.mailboxes">services.dovecot2.mailboxes</link> = { - Junk.auto = "create"; - }; -}</programlisting> - </para> - </listitem> - <listitem> - <para> - <package>netbeans</package> was upgraded to 12.0 and now defaults to OpenJDK 11. This might cause problems if your projects depend on packages that were removed in Java 11. - </para> - </listitem> - <listitem> - <para> - <package>nextcloud</package> has been updated to <link xlink:href="https://nextcloud.com/blog/nextcloud-hub-brings-productivity-to-home-office/">v19</link>. - </para> - <para> - If you have an existing installation, please make sure that you're on - <package>nextcloud18</package> before upgrading to <package>nextcloud19</package> - since Nextcloud doesn't support upgrades across multiple major versions. - </para> - <para> - The <literal>nixos-run-vms</literal> script now deletes the - previous run machines states on test startup. You can use the - <literal>--keep-vm-state</literal> flag to match the previous - behaviour and keep the same VM state between different test runs. - </para> - </listitem> - <listitem> - <para> - The <link linkend="opt-nix.buildMachines">nix.buildMachines</link> option is now type-checked. - There are no functional changes, however this may require updating some configurations to use correct types for all attributes. 
- </para> - </listitem> - <listitem> - <para> - The <literal>fontconfig</literal> module stopped generating fontconfig 2.10.x config and cache. - Fontconfig 2.10.x was removed from Nixpkgs - it hasn't been used in any nixpkgs package anymore. - </para> - </listitem> - <listitem> - <para> - Nginx module <literal>nginxModules.fastcgi-cache-purge</literal> renamed to official name <literal>nginxModules.cache-purge</literal>. - Nginx module <literal>nginxModules.ngx_aws_auth</literal> renamed to official name <literal>nginxModules.aws-auth</literal>. - The packages <package>perl</package>, <package>rsync</package> and <package>strace</package> were removed from <option>systemPackages</option>. If you need them, install them again with <code><xref linkend="opt-environment.systemPackages"/> = with pkgs; [ perl rsync strace ];</code> in your <filename>configuration.nix</filename>. - </para> - </listitem> - <listitem> - <para> - The <literal>undervolt</literal> option no longer needs to apply its - settings every 30s. If they still become undone, open an issue and restore - the previous behaviour using <literal>undervolt.useTimer</literal>. - </para> - </listitem> - </itemizedlist> - </section> -</section> |
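Review bot: the hunk deletes the entire 20.09 release-notes section (the new side is /dev/null), but nothing in this diff shows where that content goes, so the `xml:id="sec-release-20.09-notable-changes"` anchor and the `xref`/`link linkend` targets defined here will dangle for any other document that still points at them. If the notes are being migrated to another format, the replacement should land in the same change so the security-relevant upgrade guidance carried in these lines is preserved verbatim rather than dropped: the Graylog 3.3.3 LDAP server certificate validation change, the requirement for a `postgres` superuser role before upgrading, the dokuwiki change that no longer sets `nginx.forceSSL` and `nginx.enableACME` by default, the USBGuard module hardcoding `IPCAccessControlFiles`, `ruleFiles` and `auditFilePath`, and transmission-daemon's new `RootDirectory`/`BindPaths` sandboxing with `rpc-bind-address` now limited to the local interface. Each of those is a behaviour change an upgrading administrator needs to read, and a deletion-only diff gives reviewers no way to confirm the text survives.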