pyrox.dev / nixpkgs
lol
fork atom
nixpkgs / nixos / doc / manual / release-notes / rl-1809.section.md
at 25.11-pre 15 kB view raw view rendered
1# Release 18.09 ("Jellyfish", 2018/10/05) {#sec-release-18.09} 2 3## Highlights {#sec-release-18.09-highlights} 4 5In addition to numerous new and upgraded packages, this release has the following notable updates: 6 7- End of support is planned for end of April 2019, handing over to 19.03. 8 9- Platform support: x86_64-linux and x86_64-darwin as always. Support for aarch64-linux is as with the previous releases, not equivalent to the x86-64-linux release, but with efforts to reach parity. 10 11- Nix has been updated to 2.1; see its [release notes](https://nixos.org/nix/manual/#ssec-relnotes-2.1). 12 13- Core versions: linux: 4.14 LTS (unchanged), glibc: 2.26 → 2.27, gcc: 7 (unchanged), systemd: 237 → 239. 14 15- Desktop version changes: gnome: 3.26 → 3.28, (KDE) plasma-desktop: 5.12 → 5.13. 16 17Notable changes and additions for 18.09 include: 18 19- Support for wrapping binaries using `firejail` has been added through `programs.firejail.wrappedBinaries`. 20 21 For example 22 23 ```nix 24 { 25 programs.firejail = { 26 enable = true; 27 wrappedBinaries = { 28 firefox = "${lib.getBin pkgs.firefox}/bin/firefox"; 29 mpv = "${lib.getBin pkgs.mpv}/bin/mpv"; 30 }; 31 }; 32 } 33 ``` 34 35 This will place `firefox` and `mpv` binaries in the global path wrapped by firejail. 36 37- User channels are now in the default `NIX_PATH`, allowing users to use their personal `nix-channel` defined channels in `nix-build` and `nix-shell` commands, as well as in imports like `import <mychannel>`. 38 39 For example 40 41 ```ShellSession 42 $ nix-channel --add https://nixos.org/channels/nixpkgs-unstable nixpkgsunstable 43 $ nix-channel --update 44 $ nix-build '<nixpkgsunstable>' -A gitFull 45 $ nix run -f '<nixpkgsunstable>' gitFull 46 $ nix-instantiate -E '(import <nixpkgsunstable> {}).gitFull' 47 ``` 48 49## New Services {#sec-release-18.09-new-services} 50 51A curated selection of new services that were added since the last release: 52 53- The `services.cassandra` module has been reworked and was rewritten from scratch. The service has succeeding tests for the versions 2.1, 2.2, 3.0 and 3.11 of [Apache Cassandra](https://cassandra.apache.org/). 54 55- There is a new `services.foundationdb` module for deploying [FoundationDB](https://www.foundationdb.org) clusters. 56 57- When enabled the `iproute2` will copy the files expected by ip route (e.g., `rt_tables`) in `/etc/iproute2`. This allows to write aliases for routing tables for instance. 58 59- `services.strongswan-swanctl` is a modern replacement for `services.strongswan`. You can use either one of them to setup IPsec VPNs but not both at the same time. 60 61 `services.strongswan-swanctl` uses the [swanctl](https://wiki.strongswan.org/projects/strongswan/wiki/swanctl) command which uses the modern [vici](https://github.com/strongswan/strongswan/blob/master/src/libcharon/plugins/vici/README.md) _Versatile IKE Configuration Interface_. The deprecated `ipsec` command used in `services.strongswan` is using the legacy [stroke configuration interface](https://github.com/strongswan/strongswan/blob/master/README_LEGACY.md). 62 63- The new `services.elasticsearch-curator` service periodically curates or manages, your Elasticsearch indices and snapshots. 64 65Every new services: 66 67- `./config/xdg/autostart.nix` 68 69- `./config/xdg/icons.nix` 70 71- `./config/xdg/menus.nix` 72 73- `./config/xdg/mime.nix` 74 75- `./hardware/brightnessctl.nix` 76 77- `./hardware/onlykey.nix` 78 79- `./hardware/video/uvcvideo/default.nix` 80 81- `./misc/documentation.nix` 82 83- `./programs/firejail.nix` 84 85- `./programs/iftop.nix` 86 87- `./programs/sedutil.nix` 88 89- `./programs/singularity.nix` 90 91- `./programs/xss-lock.nix` 92 93- `./programs/zsh/zsh-autosuggestions.nix` 94 95- `./services/admin/oxidized.nix` 96 97- `./services/backup/duplicati.nix` 98 99- `./services/backup/restic.nix` 100 101- `./services/backup/restic-rest-server.nix` 102 103- `./services/cluster/hadoop/default.nix` 104 105- `./services/databases/aerospike.nix` 106 107- `./services/databases/monetdb.nix` 108 109- `./services/desktops/bamf.nix` 110 111- `./services/desktops/flatpak.nix` 112 113- `./services/desktops/zeitgeist.nix` 114 115- `./services/development/bloop.nix` 116 117- `./services/development/jupyter/default.nix` 118 119- `./services/hardware/lcd.nix` 120 121- `./services/hardware/undervolt.nix` 122 123- `./services/misc/clipmenu.nix` 124 125- `./services/misc/gitweb.nix` 126 127- `./services/misc/serviio.nix` 128 129- `./services/misc/safeeyes.nix` 130 131- `./services/misc/sysprof.nix` 132 133- `./services/misc/weechat.nix` 134 135- `./services/monitoring/datadog-agent.nix` 136 137- `./services/monitoring/incron.nix` 138 139- `./services/networking/dnsdist.nix` 140 141- `./services/networking/freeradius.nix` 142 143- `./services/networking/hans.nix` 144 145- `./services/networking/morty.nix` 146 147- `./services/networking/ndppd.nix` 148 149- `./services/networking/ocserv.nix` 150 151- `./services/networking/owamp.nix` 152 153- `./services/networking/quagga.nix` 154 155- `./services/networking/shadowsocks.nix` 156 157- `./services/networking/stubby.nix` 158 159- `./services/networking/zeronet.nix` 160 161- `./services/security/certmgr.nix` 162 163- `./services/security/cfssl.nix` 164 165- `./services/security/oauth2_proxy_nginx.nix` 166 167- `./services/web-apps/virtlyst.nix` 168 169- `./services/web-apps/youtrack.nix` 170 171- `./services/web-servers/hitch/default.nix` 172 173- `./services/web-servers/hydron.nix` 174 175- `./services/web-servers/meguca.nix` 176 177- `./services/web-servers/nginx/gitweb.nix` 178 179- `./virtualisation/kvmgt.nix` 180 181- `./virtualisation/qemu-guest-agent.nix` 182 183## Backward Incompatibilities {#sec-release-18.09-incompatibilities} 184 185When upgrading from a previous release, please be aware of the following incompatible changes: 186 187- Some licenses that were incorrectly not marked as unfree now are. This is the case for: 188 189 - cc-by-nc-sa-20: Creative Commons Attribution Non Commercial Share Alike 2.0 190 191 - cc-by-nc-sa-25: Creative Commons Attribution Non Commercial Share Alike 2.5 192 193 - cc-by-nc-sa-30: Creative Commons Attribution Non Commercial Share Alike 3.0 194 195 - cc-by-nc-sa-40: Creative Commons Attribution Non Commercial Share Alike 4.0 196 197 - cc-by-nd-30: Creative Commons Attribution-No Derivative Works v3.00 198 199 - msrla: Microsoft Research License Agreement 200 201- The deprecated `services.cassandra` module has seen a complete rewrite. (See above.) 202 203- `lib.strict` is removed. Use `builtins.seq` instead. 204 205- The `clementine` package points now to the free derivation. `clementineFree` is removed now and `clementineUnfree` points to the package which is bundled with the unfree `libspotify` package. 206 207- The `netcat` package is now taken directly from OpenBSD's `libressl`, instead of relying on Debian's fork. The new version should be very close to the old version, but there are some minor differences. Importantly, flags like -b, -q, -C, and -Z are no longer accepted by the nc command. 208 209- The `services.docker-registry.extraConfig` object doesn't contain environment variables anymore. Instead it needs to provide an object structure that can be mapped onto the YAML configuration defined in [the `docker/distribution` docs](https://github.com/docker/distribution/blob/v2.6.2/docs/configuration.md). 210 211- `gnucash` has changed from version 2.4 to 3.x. If you've been using `gnucash` (version 2.4) instead of `gnucash26` (version 2.6) you must open your Gnucash data file(s) with `gnucash26` and then save them to upgrade the file format. Then you may use your data file(s) with Gnucash 3.x. See the upgrade [documentation](https://wiki.gnucash.org/wiki/FAQ#Using_Different_Versions.2C_Up_And_Downgrade). Gnucash 2.4 is still available under the attribute `gnucash24`. 212 213- `services.munge` now runs as user (and group) `munge` instead of root. Make sure the key file is accessible to the daemon. 214 215- `dockerTools.buildImage` now uses `null` as default value for `tag`, which indicates that the nix output hash will be used as tag. 216 217- The ELK stack: `elasticsearch`, `logstash` and `kibana` has been upgraded from 2.\* to 6.3.\*. The 2.\* versions have been [unsupported since last year](https://www.elastic.co/support/eol) so they have been removed. You can still use the 5.\* versions under the names `elasticsearch5`, `logstash5` and `kibana5`. 218 219 The elastic beats: `filebeat`, `heartbeat`, `metricbeat` and `packetbeat` have had the same treatment: they now target 6.3.\* as well. The 5.\* versions are available under the names: `filebeat5`, `heartbeat5`, `metricbeat5` and `packetbeat5` 220 221 The ELK-6.3 stack now comes with [X-Pack by default](https://www.elastic.co/products/x-pack/open). Since X-Pack is licensed under the [Elastic License](https://github.com/elastic/elasticsearch/blob/master/licenses/ELASTIC-LICENSE.txt) the ELK packages now have an unfree license. To use them you need to specify `allowUnfree = true;` in your nixpkgs configuration. 222 223 Fortunately there is also a free variant of the ELK stack without X-Pack. The packages are available under the names: `elasticsearch-oss`, `logstash-oss` and `kibana-oss`. 224 225- Options `boot.initrd.luks.devices.name.yubikey.ramfsMountPoint` `boot.initrd.luks.devices.name.yubikey.storage.mountPoint` were removed. `luksroot.nix` module never supported more than one YubiKey at a time anyway, hence those options never had any effect. You should be able to remove them from your config without any issues. 226 227- `stdenv.system` and `system` in nixpkgs now refer to the host platform instead of the build platform. For native builds this is not change, let alone a breaking one. For cross builds, it is a breaking change, and `stdenv.buildPlatform.system` can be used instead for the old behavior. They should be using that anyways for clarity. 228 229- Groups `kvm` and `render` are introduced now, as systemd requires them. 230 231## Other Notable Changes {#sec-release-18.09-notable-changes} 232 233- `dockerTools.pullImage` relies on image digest instead of image tag to download the image. The `sha256` of a pulled image has to be updated. 234 235- `lib.attrNamesToStr` has been deprecated. Use more specific concatenation (`lib.concat(Map)StringsSep`) instead. 236 237- `lib.addErrorContextToAttrs` has been deprecated. Use `builtins.addErrorContext` directly. 238 239- `lib.showVal` has been deprecated. Use `lib.traceSeqN` instead. 240 241- `lib.traceXMLVal` has been deprecated. Use `lib.traceValFn builtins.toXml` instead. 242 243- `lib.traceXMLValMarked` has been deprecated. Use `lib.traceValFn (x: str + builtins.toXML x)` instead. 244 245- The `pkgs` argument to NixOS modules can now be set directly using `nixpkgs.pkgs`. Previously, only the `system`, `config` and `overlays` arguments could be used to influence `pkgs`. 246 247- A NixOS system can now be constructed more easily based on a preexisting invocation of Nixpkgs. For example: 248 249 ```nix 250 { 251 inherit (pkgs.nixos { 252 boot.loader.grub.enable = false; 253 fileSystems."/".device = "/dev/xvda1"; 254 }) toplevel kernel initialRamdisk manual; 255 } 256 ``` 257 258 This benefits evaluation performance, lets you write Nixpkgs packages that depend on NixOS images and is consistent with a deployment architecture that would be centered around Nixpkgs overlays. 259 260- `lib.traceValIfNot` has been deprecated. Use `if/then/else` and `lib.traceValSeq` instead. 261 262- `lib.traceCallXml` has been deprecated. Please complain if you use the function regularly. 263 264- The attribute `lib.nixpkgsVersion` has been deprecated in favor of `lib.version`. Please refer to the discussion in [NixOS/nixpkgs\#39416](https://github.com/NixOS/nixpkgs/pull/39416#discussion_r183845745) for further reference. 265 266- `lib.recursiveUpdateUntil` was not acting according to its specification. It has been fixed to act according to the docstring, and a test has been added. 267 268- The module for `security.dhparams` has two new options now: 269 270 `security.dhparams.stateless` 271 272 : Puts the generated Diffie-Hellman parameters into the Nix store instead of managing them in a stateful manner in `/var/lib/dhparams`. 273 274 `security.dhparams.defaultBitSize` 275 276 : The default bit size to use for the generated Diffie-Hellman parameters. 277 278 ::: {.note} 279 The path to the actual generated parameter files should now be queried using `config.security.dhparams.params.name.path` because it might be either in the Nix store or in a directory configured by `security.dhparams.path`. 280 ::: 281 282 ::: {.note} 283 **For developers:** 284 285 Module implementers should not set a specific bit size in order to let users configure it by themselves if they want to have a different bit size than the default (2048). 286 287 An example usage of this would be: 288 289 ```nix 290 { config, ... }: 291 292 { 293 security.dhparams.params.myservice = {}; 294 environment.etc."myservice.conf".text = '' 295 dhparams = ${config.security.dhparams.params.myservice.path} 296 ''; 297 } 298 ``` 299 300 ::: 301 302- `networking.networkmanager.useDnsmasq` has been deprecated. Use `networking.networkmanager.dns` instead. 303 304- The Kubernetes package has been bumped to major version 1.11. Please consult the [release notes](https://github.com/kubernetes/kubernetes/blob/release-1.11/CHANGELOG-1.11.md) for details on new features and api changes. 305 306- The option `services.kubernetes.apiserver.admissionControl` was renamed to `services.kubernetes.apiserver.enableAdmissionPlugins`. 307 308- Recommended way to access the Kubernetes Dashboard is via HTTPS (TLS) Therefore; public service port for the dashboard has changed to 443 (container port 8443) and scheme to https. 309 310- The option `services.kubernetes.apiserver.address` was renamed to `services.kubernetes.apiserver.bindAddress`. Note that the default value has changed from 127.0.0.1 to 0.0.0.0. 311 312- The option `services.kubernetes.apiserver.publicAddress` was not used and thus has been removed. 313 314- The option `services.kubernetes.addons.dashboard.enableRBAC` was renamed to `services.kubernetes.addons.dashboard.rbac.enable`. 315 316- The Kubernetes Dashboard now has only minimal RBAC permissions by default. If dashboard cluster-admin rights are desired, set `services.kubernetes.addons.dashboard.rbac.clusterAdmin` to true. On existing clusters, in order for the revocation of privileges to take effect, the current ClusterRoleBinding for kubernetes-dashboard must be manually removed: `kubectl delete clusterrolebinding kubernetes-dashboard` 317 318- The `programs.screen` module provides allows to configure `/etc/screenrc`, however the module behaved fairly counterintuitive as the config exists, but the package wasn't available. Since 18.09 `pkgs.screen` will be added to `environment.systemPackages`. 319 320- The module `services.networking.hostapd` now uses WPA2 by default. 321 322- `s6Dns`, `s6Networking`, `s6LinuxUtils` and `s6PortableUtils` renamed to `s6-dns`, `s6-networking`, `s6-linux-utils` and `s6-portable-utils` respectively. 323 324- The module option `nix.useSandbox` is now defaulted to `true`. 325 326- The config activation script of `nixos-rebuild` now [reloads](https://www.freedesktop.org/software/systemd/man/systemctl.html#Manager%20Lifecycle%20Commands) all user units for each authenticated user. 327 328- The default display manager is now LightDM. To use SLiM set `services.xserver.displayManager.slim.enable` to `true`. 329 330- NixOS option descriptions are now automatically broken up into individual paragraphs if the text contains two consecutive newlines, so it's no longer necessary to use `</para><para>` to start a new paragraph. 331 332- Top-level `buildPlatform`, `hostPlatform`, and `targetPlatform` in Nixpkgs are deprecated. Please use their equivalents in `stdenv` instead: `stdenv.buildPlatform`, `stdenv.hostPlatform`, and `stdenv.targetPlatform`.