path: root/nixos/doc/manual/release-notes/rl-1609.xml
blob: 4a2343edc970268a8a6899b093a6b3875e98ebe8
<section xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xmlns:xi="http://www.w3.org/2001/XInclude"
         version="5.0"
         xml:id="sec-release-16.09">
 <title>Release 16.09 (“Flounder”, 2016/09/30)</title>

 <para>
  In addition to numerous new and upgraded packages, this release has the
  following highlights:
 </para>

 <itemizedlist>
  <listitem>
   <para>
    Many NixOS configurations and Nix packages now use significantly less disk
    space, thanks to the
    <link
    xlink:href="https://github.com/NixOS/nixpkgs/issues/7117">extensive
    work on closure size reduction</link>. For example, the closure size of a
    minimal NixOS container went down from ~424 MiB in 16.03 to ~212 MiB in
    16.09, while the closure size of Firefox went from ~651 MiB to ~259 MiB.
   </para>
  </listitem>
  <listitem>
   <para>
    To improve security, packages are now
    <link
    xlink:href="https://github.com/NixOS/nixpkgs/pull/12895">built
    using various hardening features</link>. See the Nixpkgs manual for more
    information.
   </para>
  </listitem>
  <listitem>
   <para>
    Support for PXE netboot. See <xref
    linkend="sec-booting-from-pxe" />
    for documentation.
   </para>
  </listitem>
  <listitem>
   <para>
    X.org server 1.18. If you use the <literal>ati_unfree</literal> driver,
    1.17 is still used due to an ABI incompatibility.
   </para>
  </listitem>
  <listitem>
   <para>
    This release is based on Glibc 2.24, GCC 5.4.0 and systemd 231. The default
    Linux kernel remains 4.4.
   </para>
  </listitem>
 </itemizedlist>

 <para>
  The following new services were added since the last release:
 </para>

 <itemizedlist>
  <listitem>
   <para>
    <literal>(this will get automatically generated at release time)</literal>
   </para>
  </listitem>
 </itemizedlist>

 <para>
  When upgrading from a previous release, please be aware of the following
  incompatible changes:
 </para>

 <itemizedlist>
  <listitem>
   <para>
    A large number of packages have been converted to use the multiple outputs
    feature of Nix to greatly reduce the amount of required disk space, as
    mentioned above. This may require changes to any custom packages to make
    them build again; see the relevant chapter in the Nixpkgs manual for more
    information. (Additional caveat to packagers: some packaging conventions
    related to multiple-output packages
    <link xlink:href="https://github.com/NixOS/nixpkgs/pull/14766">were
    changed</link> late (August 2016) in the release cycle and differ from the
    initial introduction of multiple outputs.)
   </para>
  </listitem>
  <listitem>
   <para>
    Previous versions of Nixpkgs had support for all versions of the LTS
    Haskell package set. That support has been dropped. The previously provided
    <literal>haskell.packages.lts-x_y</literal> package sets still exist in
    name to avoid breaking user code, but these package sets don't actually
    contain the versions mandated by the corresponding LTS release. Instead,
    our package set is loosely based on the latest available LTS release, i.e.
    LTS 7.x at the time of this writing. New releases of NixOS and Nixpkgs will
    drop those old names entirely.
    <link
    xlink:href="https://nixos.org/nix-dev/2016-June/020585.html">The
    motivation for this change</link> has been discussed at length on the
    <literal>nix-dev</literal> mailing list and in
    <link
    xlink:href="https://github.com/NixOS/nixpkgs/issues/14897">Github
    issue #14897</link>. Development strategies for Haskell hackers who want to
    rely on Nix and NixOS have been described in
    <link
    xlink:href="https://nixos.org/nix-dev/2016-June/020642.html">another
    nix-dev article</link>.
   </para>
  </listitem>
  <listitem>
   <para>
    Shell aliases for systemd sub-commands
    <link xlink:href="https://github.com/NixOS/nixpkgs/pull/15598">were
    dropped</link>: <command>start</command>, <command>stop</command>,
    <command>restart</command>, <command>status</command>.
   </para>
  </listitem>
  <listitem>
   <para>
    Redis now binds to 127.0.0.1 only instead of listening on all network
    interfaces. This is the default behavior of Redis 3.2.
   </para>
  </listitem>
  <listitem>
   <para>
    <literal>/var/empty</literal> is now immutable. The activation script runs
    <command>chattr +i</command> to forbid any modifications inside the folder.
    See <link xlink:href="https://github.com/NixOS/nixpkgs/pull/18365">the
    pull request</link> for the bugs this caused.
   </para>
  </listitem>
  <listitem>
   <para>
    Gitlab's maintenance script <command>gitlab-runner</command> was removed
    and split up into the clearer <command>gitlab-run</command> and
    <command>gitlab-rake</command> scripts, because
    <command>gitlab-runner</command> is a component of Gitlab CI.
   </para>
  </listitem>
  <listitem>
   <para>
    <literal>services.xserver.libinput.accelProfile</literal> default changed
    from <literal>flat</literal> to <literal>adaptive</literal>, as per
    <link xlink:href="https://wayland.freedesktop.org/libinput/doc/latest/group__config.html#gad63796972347f318b180e322e35cee79">
    official documentation</link>.
   </para>
  </listitem>
  <listitem>
   <para>
    <literal>fonts.fontconfig.ultimate.rendering</literal> was removed because
    our presets were obsolete for some time. New presets are hardcoded into
    FreeType; you can select a preset via
    <literal>fonts.fontconfig.ultimate.preset</literal>. You can customize
    those presets via ordinary environment variables, using
    <literal>environment.variables</literal>.
   </para>
  </listitem>
  <listitem>
   <para>
    The <literal>audit</literal> service is no longer enabled by default. Use
    <literal>security.audit.enable = true</literal> to explicitly enable it.
   </para>
  </listitem>
  <listitem>
   <para>
    <literal>pkgs.linuxPackages.virtualbox</literal> now contains only the
    kernel modules instead of the VirtualBox user space binaries. If you want
    to reference the user space binaries, you have to use the new
    <literal>pkgs.virtualbox</literal> instead.
   </para>
  </listitem>
  <listitem>
   <para>
    <literal>goPackages</literal> was replaced with separated Go applications
    in appropriate <literal>nixpkgs</literal> categories. Each Go package uses
    its own dependency set. There's also a new <literal>go2nix</literal> tool
    introduced to generate a Go package definition from its Go source
    automatically.
   </para>
  </listitem>
  <listitem>
   <para>
    <literal>services.mongodb.extraConfig</literal> configuration format was
    changed to YAML.
   </para>
  </listitem>
  <listitem>
   <para>
    PHP has been upgraded to 7.0.
   </para>
  </listitem>
 </itemizedlist>

 <para>
  Other notable improvements:
 </para>

 <itemizedlist>
  <listitem>
   <para>
    Revamped grsecurity/PaX support. There is now only a single general-purpose
    distribution kernel and the configuration interface has been streamlined.
    Desktop users should be able to simply set
<programlisting>security.grsecurity.enable = true</programlisting>
    to get a reasonably secure system without having to sacrifice too much
    functionality.
   </para>
  </listitem>
  <listitem>
   <para>
    Special filesystems, like <literal>/proc</literal>, <literal>/run</literal>
    and others, now have the same mount options as recommended by systemd and
    are unified across different places in NixOS. Mount options are updated
    during <command>nixos-rebuild switch</command> if possible. One benefit
    from this is improved security: most such filesystems are now mounted
    with <literal>noexec</literal>, <literal>nodev</literal> and/or
    <literal>nosuid</literal> options.
   </para>
  </listitem>
  <listitem>
   <para>
    The reverse path filter was interfering with DHCPv4 server operation in the
    past. An exception for DHCPv4 and a new option to log packets that were
    dropped due to the reverse path filter was added
    (<literal>networking.firewall.logReversePathDrops</literal>) for easier
    debugging.
   </para>
  </listitem>
  <listitem>
   <para>
    Containers configuration within
    <literal>containers.&lt;name&gt;.config</literal> is
    <link
  xlink:href="https://github.com/NixOS/nixpkgs/pull/17365">now
    properly typed and checked</link>. In particular, partial configurations
    are merged correctly.
   </para>
  </listitem>
  <listitem>
   <para>
    The directory containing setuid wrapper programs,
    <filename>/var/setuid-wrappers</filename>,
    <link
    xlink:href="https://github.com/NixOS/nixpkgs/pull/18124">is now
    updated atomically to prevent failures if the switch to a new configuration
    is interrupted.</link>
   </para>
  </listitem>
  <listitem>
   <para>
    <literal>services.xserver.startGnuPGAgent</literal> has been removed due to
    the GnuPG 2.1.x bump. See
    <link
        xlink:href="https://github.com/NixOS/nixpkgs/commit/5391882ebd781149e213e8817fba6ac3c503740c">
    how to achieve similar behavior</link>. You might need to <literal>pkill
    gpg-agent</literal> after the upgrade to prevent a stale agent being in the
    way.
   </para>
  </listitem>
  <listitem>
   <para>
    <link xlink:href="https://github.com/NixOS/nixpkgs/commit/e561edc322d275c3687fec431935095cfc717147">
    Declarative users could share a UID due to a bug in the script handling
    conflict resolution.</link>
   </para>
  </listitem>
  <listitem>
   <para>
    Gummiboot has been replaced by systemd-boot.
   </para>
  </listitem>
  <listitem>
   <para>
    Hydra package and NixOS module were added for convenience.
   </para>
  </listitem>
 </itemizedlist>
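 <para>
  The special-filesystem hardening listed above can be checked on a running
  system. The following POSIX shell function is an added example, not part of
  these release notes or of NixOS itself: it reads the options of one mount
  point from <filename>/proc/self/mounts</filename> (or from text passed as its
  third argument, so the constructed sample runs offline) and reports which of
  the expected <literal>nosuid</literal>, <literal>nodev</literal> and
  <literal>noexec</literal> flags are missing.
 </para>

```shell
# Constructed sample in /proc/self/mounts format (not taken from a real host).
SAMPLE_MOUNTS='proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,size=1638400k,mode=755 0 0
devtmpfs /dev devtmpfs rw,nosuid,size=10240k,mode=755 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
/dev/sda1 / ext4 rw,relatime 0 0'

# check_mount_opts MOUNTPOINT "opt1 opt2 ..." [MOUNTS_TEXT]
# Prints the options missing from MOUNTPOINT. Returns 0 when every expected
# option is present, 1 when some are missing, 2 when the path is not mounted.
# MOUNTS_TEXT defaults to the live /proc/self/mounts of the current host.
check_mount_opts() {
  mp=$1
  want=$2
  text=${3:-"$(cat /proc/self/mounts)"}
  # Exact match on the mount-point field; the last entry wins, which is the
  # one visible to processes when a path has been mounted over.
  line=$(printf '%s\n' "$text" | awk -v mp="$mp" '$2 == mp { l = $0 } END { print l }')
  [ -n "$line" ] || { echo "$mp: not mounted"; return 2; }
  opts=$(printf '%s\n' "$line" | awk '{ print $4 }')
  missing=""
  for o in $want; do
    # Surround with commas so "nodev" does not match inside another option.
    case ",$opts," in
      *",$o,"*) ;;
      *) missing="$missing $o" ;;
    esac
  done
  if [ -n "$missing" ]; then
    echo "$mp: missing${missing}"
    return 1
  fi
  echo "$mp: ok ($opts)"
  return 0
}

# Audit the sample against the options the release notes mention.
check_mount_opts /proc "nosuid nodev noexec" "$SAMPLE_MOUNTS"
check_mount_opts /run  "nosuid nodev"        "$SAMPLE_MOUNTS"
check_mount_opts /dev  "nosuid nodev noexec" "$SAMPLE_MOUNTS"
```

Omit the third argument to audit the live host instead of the sample.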
</section>