Merge branch 'staging'

It's only half-rebuilt on Hydra, but it brings a security fix.
Vladimír Čunát 2018-06-03 13:52:13 +02:00
commit 448d7d648d
No known key found for this signature in database
GPG Key ID: E747DF1F9575A3AA
19 changed files with 151 additions and 31 deletions


@ -788,6 +788,7 @@
./virtualisation/lxd.nix
./virtualisation/amazon-options.nix
./virtualisation/hyperv-guest.nix
./virtualisation/kvmgt.nix
./virtualisation/openvswitch.nix
./virtualisation/parallels-guest.nix
./virtualisation/qemu-guest-agent.nix


@ -0,0 +1,64 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.virtualisation.kvmgt;
kernelPackages = config.boot.kernelPackages;
vgpuOptions = {
uuid = mkOption {
type = types.string;
description = "UUID of VGPU device. You can generate one with <package>libossp_uuid</package>.";
};
};
in {
options = {
virtualisation.kvmgt = {
enable = mkEnableOption ''
KVMGT (iGVT-g) VGPU support. Allows Qemu/KVM guests to share host's Intel integrated graphics card.
Currently only one graphical device can be shared
'';
# multi GPU support is under the question
device = mkOption {
type = types.string;
default = "0000:00:02.0";
description = "PCI ID of graphics card. You can figure it with <command>ls /sys/class/mdev_bus</command>.";
};
vgpus = mkOption {
default = {};
type = with types; attrsOf (submodule [ { options = vgpuOptions; } ]);
description = ''
Virtual GPUs to be used in Qemu. You can find devices via <command>ls /sys/bus/pci/devices/*/mdev_supported_types</command>
and find info about device via <command>cat /sys/bus/pci/devices/*/mdev_supported_types/i915-GVTg_V5_4/description</command>
'';
example = {
"i915-GVTg_V5_8" = {
uuid = "a297db4a-f4c2-11e6-90f6-d3b88d6c9525";
};
};
};
};
};
config = mkIf cfg.enable {
assertions = singleton {
assertion = versionAtLeast kernelPackages.kernel.version "4.16";
message = "KVMGT is not properly supported for kernels older than 4.16";
};
boot.kernelParams = [ "i915.enable_gvt=1" ];
systemd.services = mapAttrs' (name: value:
nameValuePair "kvmgt-${name}" {
description = "KVMGT VGPU ${name}";
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStart = "${pkgs.runtimeShell} -c 'echo ${value.uuid} > /sys/bus/pci/devices/${cfg.device}/mdev_supported_types/${name}/create'";
ExecStop = "${pkgs.runtimeShell} -c 'echo 1 > /sys/bus/pci/devices/${cfg.device}/${value.uuid}/remove'";
};
wantedBy = [ "multi-user.target" ];
}
) cfg.vgpus;
};
meta.maintainers = with maintainers; [ gnidorah ];
}
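Review bot: The `uuid` and `device` option values are spliced unquoted into the `sh -c` command strings of ExecStart and ExecStop near the end of the section, and both options are typed as the unchecked (and deprecated) `types.string`, so a value containing whitespace or a shell metacharacter changes the command the root-run unit executes; the values come from the host configuration, so this is a robustness gap rather than a privilege boundary, but a malformed UUID or PCI address fails at unit runtime instead of at evaluation. Constraining the types catches both: `type = types.strMatching "[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}";` for `uuid` and `type = types.strMatching "[0-9a-fA-F]{4}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}\\.[0-9a-fA-F]";` for `device` (the example at `uuid = "a297db4a-..."` and the default `0000:00:02.0` both satisfy these). Where a pattern is not wanted, `types.str` should at least replace `types.string`. The assertion message checks only the kernel version; since the `DRM_I915_GVT_KVMGT` option this module relies on is enabled in the kernel config elsewhere in this merge and a custom kernel may omit it, mentioning that prerequisite in the option description would save users a silent failure.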


@ -1,7 +1,7 @@
{ stdenv, fetchurl, pkgconfig, intltool, glib, libxml2, gtk3, gtkvnc, gmp
, libgcrypt, gnupg, cyrus_sasl, shared-mime-info, libvirt, yajl, xen
, gsettings-desktop-schemas, makeWrapper, libvirt-glib, libcap_ng, numactl
, libapparmor
, libapparmor, gst_all_1
, spiceSupport ? true
, spice-gtk ? null, spice-protocol ? null, libcap ? null, gdbm ? null
}:
@ -30,11 +30,14 @@ stdenv.mkDerivation rec {
xen
] ++ optionals spiceSupport [
spice-gtk spice-protocol libcap gdbm
gst_all_1.gst-plugins-base gst_all_1.gst-plugins-good
];
postInstall = ''
for f in "$out"/bin/*; do
wrapProgram "$f" --prefix XDG_DATA_DIRS : "$GSETTINGS_SCHEMAS_PATH"
wrapProgram "$f" \
--prefix XDG_DATA_DIRS : "$GSETTINGS_SCHEMAS_PATH" \
--prefix GST_PLUGIN_SYSTEM_PATH_1_0 : "$GST_PLUGIN_SYSTEM_PATH_1_0"
done
'';
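Review bot: The new `--prefix GST_PLUGIN_SYSTEM_PATH_1_0` line in postInstall is applied to every binary unconditionally, while the gst plugins that populate that variable are only added to buildInputs under `spiceSupport`; with `spiceSupport = false` the variable is presumably empty at wrap time and the wrapper would export an empty prefix. Guarding the line with the same flag keeps the two conditions in step, e.g. `${optionalString spiceSupport "--prefix GST_PLUGIN_SYSTEM_PATH_1_0 : \"$GST_PLUGIN_SYSTEM_PATH_1_0\""}` in place of the added line, assuming `optionalString` is in scope the way `optionals` already is. The `stdenv.mkDerivation` block this belongs to starts and ends outside the hunk.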


@ -10,14 +10,14 @@
assert glSupport -> libGL != null;
let
version = "1.15.10";
version = "1.15.12";
inherit (stdenv.lib) optional optionals;
in stdenv.mkDerivation rec {
name = "cairo-${version}";
src = fetchurl {
url = "http://cairographics.org/${if stdenv.lib.mod (builtins.fromJSON (stdenv.lib.versions.minor version)) 2 == 0 then "releases" else "snapshots"}/${name}.tar.xz";
sha256 = "14l3jll98pjdlpm8f972v0spzcsf6y5nz85y2k8iybyg6ihj5jk2";
sha256 = "1jcl0mnqq6j2xip8p506g2cj54sfycm339rrd3p4g2jljhdhh8vn";
};
outputs = [ "out" "dev" "devdoc" ];


@ -5,7 +5,7 @@ with lib;
assert elem precision [ "single" "double" "long-double" "quad-precision" ];
let
version = "3.3.7";
version = "3.3.8";
withDoc = stdenv.cc.isGNU;
in
@ -14,7 +14,7 @@ stdenv.mkDerivation rec {
src = fetchurl {
url = "ftp://ftp.fftw.org/pub/fftw/fftw-${version}.tar.gz";
sha256 = "0wsms8narnbhfsa8chdflv2j9hzspvflblnqdn7hw8x5xdzrnq1v";
sha256 = "00z3k8fq561wq2khssqg0kallk0504dzlx989x3vvicjdqpjc4v1";
};
outputs = [ "out" "dev" "man" ]


@ -1,14 +1,15 @@
{ stdenv, fetchurl, fetchpatch, glib, meson, ninja, pkgconfig, gettext
, gobjectIntrospection, dbus
, fixDarwinDylibNames
, gobjectIntrospection, dbus, fixDarwinDylibNames, gnome3
}:
stdenv.mkDerivation rec {
name = "json-glib-${minVer}.2";
minVer = "1.4";
let
pname = "json-glib";
version = "1.4.2";
in stdenv.mkDerivation rec {
name = "${pname}-${version}";
src = fetchurl {
url = "mirror://gnome/sources/json-glib/${minVer}/${name}.tar.xz";
url = "mirror://gnome/sources/${pname}/${stdenv.lib.versions.majorMinor version}/${name}.tar.xz";
sha256 = "2d7709a44749c7318599a6829322e081915bdc73f5be5045882ed120bb686dc8";
};
@ -28,9 +29,15 @@ stdenv.mkDerivation rec {
doCheck = true;
passthru = {
updateScript = gnome3.updateScript {
packageName = pname;
};
};
meta = with stdenv.lib; {
homepage = http://live.gnome.org/JsonGlib;
description = "A library providing (de)serialization support for the JavaScript Object Notation (JSON) format";
homepage = https://wiki.gnome.org/Projects/JsonGlib;
license = licenses.lgpl2;
maintainers = with maintainers; [ lethalman ];
platforms = with platforms; unix;


@ -49,6 +49,11 @@ stdenv.mkDerivation rec {
"--enable-pax_emutramp"
];
preCheck = ''
# The tests use -O0 which is not compatible with -D_FORTIFY_SOURCE.
NIX_HARDENING_ENABLE=''${NIX_HARDENING_ENABLE/fortify/}
'';
inherit doCheck;
dontStrip = hostPlatform != buildPlatform; # Don't run the native `strip' when cross-compiling.
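Review bot: The `NIX_HARDENING_ENABLE` rewrite in the new preCheck is never undone, so the reduced flag set stays in the build environment for every phase after checkPhase (install and fixup), not only for the tests the comment describes. That is presumably harmless here because nothing is expected to be compiled after the tests, but the comment should say so, e.g. `# ... Only the test binaries are affected; nothing is compiled after checkPhase.`, or the original value can be saved in preCheck and restored in a `postCheck` so the scope matches the comment. The derivation this sits in starts and ends outside the hunk.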


@ -3,13 +3,13 @@
stdenv.mkDerivation rec {
name = "p11-kit-${version}";
version = "0.23.10";
version = "0.23.12";
src = fetchFromGitHub {
owner = "p11-glue";
repo = "p11-kit";
rev = version;
sha256 = "0n0wqv028flzvnxllqv8i6x9nv705csl7ddzi0fzvppc9fp2yinp";
sha256 = "0pb3qlddzbw7dglwnrl7fs9g71vhqk7qzxnb1i4nw633qgy21ga1";
};
outputs = [ "out" "dev"];
@ -31,6 +31,7 @@ stdenv.mkDerivation rec {
installFlags = [ "exampledir=\${out}/etc/pkcs11" ];
doInstallCheck = false; # probably a bug in this derivation
enableParallelBuilding = true;
meta = with stdenv.lib; {
homepage = https://p11-glue.freedesktop.org/;


@ -2,7 +2,7 @@
, openssl, libpulseaudio, pixman, gobjectIntrospection, libjpeg_turbo, zlib
, cyrus_sasl, python2Packages, autoreconfHook, usbredir, libsoup
, withPolkit ? true, polkit, acl, usbutils
, vala, gtk3, epoxy, libdrm }:
, vala, gtk3, epoxy, libdrm, gst_all_1, phodav }:
# If this package is built with polkit support (withPolkit=true),
# usb redirection reqires spice-client-glib-usb-acl-helper to run setuid root.
@ -46,8 +46,8 @@ in stdenv.mkDerivation rec {
'';
buildInputs = [
spice-protocol celt_0_5_1 openssl libpulseaudio pixman
libjpeg_turbo zlib cyrus_sasl python pygtk usbredir gtk3 epoxy libdrm
spice-protocol celt_0_5_1 openssl libpulseaudio gst_all_1.gst-plugins-base pixman
libjpeg_turbo zlib cyrus_sasl python pygtk usbredir gtk3 epoxy libdrm phodav
] ++ optionals withPolkit [ polkit acl usbutils ] ;
nativeBuildInputs = [ pkgconfig gettext libsoup autoreconfHook vala gobjectIntrospection ];


@ -66,6 +66,11 @@ stdenv.mkDerivation rec {
echo ""
'';
postInstall = ''
# Do not contaminate dependent libtool-based projects with sqlite dependencies.
sed -i $out/lib/libsqlite3.la -e "s/dependency_libs=.*/dependency_libs='''/"
'';
meta = {
description = "A self-contained, serverless, zero-configuration, transactional SQL database engine";
downloadPage = http://sqlite.org/download.html;
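Review bot: The `'''` at the end of the new sed expression is the Nix indented-string escape for `''`, i.e. the shell sees `dependency_libs=''` (an empty single-quoted value), but at a glance it reads as a stray quote; a comment on the line above, `# ''' is the indented-string escape for '' (empty value)`, would spare the next reader a trip to the manual. Quoting the path, `sed -i "$out/lib/libsqlite3.la" ...`, would also match the usual style even though store paths contain no spaces. The derivation continues outside the hunk.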


@ -1,4 +1,4 @@
{ stdenv, fetchurl, boost, sqlite, zlib }:
{ stdenv, fetchurl, boost, sqlite }:
stdenv.mkDerivation rec {
name = "vsqlite-${version}";
@ -9,7 +9,7 @@ stdenv.mkDerivation rec {
sha256 = "17fkj0d2jh0xkjpcayhs1xvbnh1d69f026i7vs1zqnbiwbkpz237";
};
buildInputs = [ boost sqlite zlib ];
buildInputs = [ boost sqlite ];
prePatch = stdenv.lib.optionalString stdenv.isDarwin ''
substituteInPlace Makefile.in \


@ -2,11 +2,13 @@
# We need the same Python as is used to build libxml2Python
stdenv.mkDerivation rec {
name = "itstool-2.0.4";
# 2.0.3+ breaks the build of gnome3.gnome-desktop
# https://github.com/itstool/itstool/issues/17
name = "itstool-2.0.2";
src = fetchurl {
url = "http://files.itstool.org/itstool/${name}.tar.bz2";
sha256 = "0q7b4qrc758zfx3adsgvz0r93swdbxjr42w37rahngm33nshihlp";
sha256 = "bf909fb59b11a646681a8534d5700fec99be83bb2c57badf8c1844512227033a";
};
buildInputs = [ python2 libxml2Python ];


@ -1,14 +1,14 @@
{ stdenv, hostPlatform, fetchurl, m4, perl, help2man }:
stdenv.mkDerivation rec {
name = "bison-3.0.4";
name = "bison-3.0.5";
src = fetchurl {
url = "mirror://gnu/bison/${name}.tar.gz";
sha256 = "b67fd2daae7a64b5ba862c66c07c1addb9e6b1b05c5f2049392cfd8a2172952e";
sha256 = "0rnml9spd6p0i5qy9g4r82drwdr09r1z9cf4p89agbrkxqmrsffd";
};
patches = stdenv.lib.optional hostPlatform.isDarwin stdenv.secure-format-patch;
patches = []; # remove on another rebuild
nativeBuildInputs = [ m4 perl ] ++ stdenv.lib.optional stdenv.isSunOS help2man;
propagatedBuildInputs = [ m4 ];


@ -33,14 +33,14 @@ let
in
stdenv.mkDerivation rec {
name = "busybox-1.28.3";
name = "busybox-1.28.4";
# Note to whoever is updating busybox: please verify that:
# nix-build pkgs/stdenv/linux/make-bootstrap-tools.nix -A test
# still builds after the update.
src = fetchurl {
url = "http://busybox.net/downloads/${name}.tar.bz2";
sha256 = "0via6faqj9xcyi8r39r4n0wxlk8r2292yk0slzwrdri37w1j43dd";
sha256 = "0smfn8hlds6nx8war62kyaykg3n7mxbjjfcpsgz84znwk4v4mhg3";
};
hardeningDisable = [ "format" ] ++ lib.optionals enableStatic [ "fortify" ];


@ -214,6 +214,11 @@ with stdenv.lib;
${optionalString (versionOlder version "4.3") ''
DRM_I915_KMS y
''}
# iGVT-g support
${optionalString (versionAtLeast version "4.16") ''
DRM_I915_GVT y
DRM_I915_GVT_KVMGT m
''}
# Allow specifying custom EDID on the kernel command line
DRM_LOAD_EDID_FIRMWARE y
VGA_SWITCHEROO y # Hybrid graphics support


@ -2,12 +2,12 @@
stdenv.mkDerivation rec {
name = "procps-${version}";
version = "3.3.14";
version = "3.3.15";
# The project's releases are on SF, but git repo on gitlab.
src = fetchurl {
url = "mirror://sourceforge/procps-ng/procps-ng-${version}.tar.xz";
sha256 = "0v3j6rkzzscqds37i105cxx3q4dk04rsgpqfd5p7hzcvk59h5njy";
sha256 = "0r84kwa5fl0sjdashcn4vh7hgfm7ahdcysig3mcjvpmkzi7p9g8h";
};
buildInputs = [ ncurses ];


@ -1,11 +1,11 @@
{ fetchurl, stdenv, perl, makeWrapper, procps }:
stdenv.mkDerivation rec {
name = "parallel-20180422";
name = "parallel-20180522";
src = fetchurl {
url = "mirror://gnu/parallel/${name}.tar.bz2";
sha256 = "0xsfpbxwgd4197gra981iv0nmjfk58c0d88dxx6dh6yrqz523klx";
sha256 = "1khcz9pm7rjnq4gw8pn30k1d40x337a204dxj4y4qijpx8m7w0gb";
};
nativeBuildInputs = [ makeWrapper perl ];


@ -0,0 +1,25 @@
{ stdenv, fetchurl
, intltool, pkgconfig, glib, libsoup }:
let
version = "2.2";
in stdenv.mkDerivation rec {
name = "phodav-${version}";
src = fetchurl {
url = "http://ftp.gnome.org/pub/GNOME/sources/phodav/${version}/${name}.tar.xz";
sha256 = "1hap0lncbcmivnflh0fbx7y58ry78p9wgj7z03r64ic0kvf0a0q8";
};
buildInputs = [ intltool glib libsoup ];
nativeBuildInputs = [ pkgconfig ];
meta = with stdenv.lib; {
description = "WebDav server implementation and library using libsoup";
homepage = https://wiki.gnome.org/phodav;
license = licenses.lgpl21;
maintainers = with maintainers; [ gnidorah ];
platforms = platforms.linux;
};
}
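Review bot: `intltool` is a build-time tool like `pkgconfig`, yet only `pkgconfig` is listed in `nativeBuildInputs` while `intltool` sits in `buildInputs` two lines below `src`; `nativeBuildInputs = [ intltool pkgconfig ];` with `buildInputs = [ glib libsoup ];` keeps the build/host split correct for cross builds. The tarball is fetched from a hard-coded `http://ftp.gnome.org/pub/GNOME/sources/...` URL, whereas json-glib in this same merge uses the `mirror://gnome/sources/...` scheme; `url = "mirror://gnome/sources/phodav/${version}/${name}.tar.xz";` is the established form and gains mirror fallback, with the fixed-output `sha256` guaranteeing integrity either way. The `description` string spells the protocol `WebDav`; `WebDAV` is the usual capitalisation.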


@ -4400,6 +4400,8 @@ with pkgs;
philter = callPackage ../tools/networking/philter { };
phodav = callPackage ../tools/networking/phodav { };
pinentry = callPackage ../tools/security/pinentry {
libcap = if stdenv.isDarwin then null else libcap;
};