diff --git a/nixos/doc/manual/release-notes/rl-1909.xml b/nixos/doc/manual/release-notes/rl-1909.xml
index b780cba357e..ef23099f4f3 100644
--- a/nixos/doc/manual/release-notes/rl-1909.xml
+++ b/nixos/doc/manual/release-notes/rl-1909.xml
@@ -435,6 +435,48 @@
idiom or extract that anonymous mapping function to a named one. Both can still be used
but lib.forEach is preferred over lib.flip map.
+
+ The /etc/sysctl.d/nixos.conf file containing all the options set via
+ boot.kernel.sysctl was moved to
+ /etc/sysctl.d/60-nixos.conf, as
+ sysctl.d5
+ recommends prefixing all filenames in /etc/sysctl.d with a
+ two-digit number and a dash to simplify the ordering of the files.
+
+
+
+
+ We now install the sysctl snippets shipped with systemd.
+
+ This enables:
+
+ Loose reverse path filtering
+
+
+ Source route filtering
+
+
+
+ fq_codel as a packet scheduler (this helps to fight bufferbloat)
+
+
+
+
+ This also configures the kernel to pass coredumps to systemd-coredump.
+ These sysctl snippets can be found in /etc/sysctl.d/50-*.conf,
+ and overridden via boot.kernel.sysctl
+ (which will place the parameters in /etc/sysctl.d/60-nixos.conf).
+
+
+
+
+ Coredumps are now acquired by systemd-coredump by default.
+ systemd-coredump behaviour can still be modified via
+ .
+ To stick to the old behaviour (having the kernel dump to a file called core
+ in the working directory), without piping it through systemd-coredump, set
+ to "core".
+
diff --git a/nixos/modules/config/sysctl.nix b/nixos/modules/config/sysctl.nix
index 0c6a7e2431a..fb2b58eed72 100644
--- a/nixos/modules/config/sysctl.nix
+++ b/nixos/modules/config/sysctl.nix
@@ -42,22 +42,16 @@ in
config = {
- environment.etc."sysctl.d/nixos.conf".text =
+ environment.etc."sysctl.d/60-nixos.conf".text =
concatStrings (mapAttrsToList (n: v:
optionalString (v != null) "${n}=${if v == false then "0" else toString v}\n"
) config.boot.kernel.sysctl);
systemd.services.systemd-sysctl =
{ wantedBy = [ "multi-user.target" ];
- restartTriggers = [ config.environment.etc."sysctl.d/nixos.conf".source ];
+ restartTriggers = [ config.environment.etc."sysctl.d/60-nixos.conf".source ];
};
- # Enable hardlink and symlink restrictions. See
- # https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=800179c9b8a1e796e441674776d11cd4c05d61d7
- # for details.
- boot.kernel.sysctl."fs.protected_hardlinks" = true;
- boot.kernel.sysctl."fs.protected_symlinks" = true;
-
# Hide kernel pointers (e.g. in /proc/modules) for unprivileged
# users as these make it easier to exploit kernel vulnerabilities.
boot.kernel.sysctl."kernel.kptr_restrict" = 1;
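Review bot: The new restartTriggers line still watches only `sysctl.d/60-nixos.conf`, while this commit also installs systemd's `50-coredump.conf` and `50-default.conf` snippets straight from the systemd store path; if a systemd upgrade changes those snippets (50-coredump.conf presumably embeds the path of the new systemd-coredump binary), systemd-sysctl is not restarted and the running kernel keeps the old core_pattern until reboot. Extend the list: `restartTriggers = [ config.environment.etc."sysctl.d/60-nixos.conf".source config.environment.etc."sysctl.d/50-coredump.conf".source config.environment.etc."sysctl.d/50-default.conf".source ];`. The fs.protected_hardlinks and fs.protected_symlinks settings dropped here are not mentioned in the release notes either, so a comment such as `# fs.protected_{hard,sym}links are now expected from systemd's 50-default.conf snippet` would record where that hardening is supposed to come from. The config attrset continues past the end of the hunk.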
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index e5f29a4eb58..bcf1f38ac8d 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -863,7 +863,6 @@
./system/activation/activation-script.nix
./system/activation/top-level.nix
./system/boot/binfmt.nix
- ./system/boot/coredump.nix
./system/boot/emergency-mode.nix
./system/boot/grow-partition.nix
./system/boot/initrd-network.nix
diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix
index 3ff9a2b4fde..46417579352 100644
--- a/nixos/modules/profiles/hardened.nix
+++ b/nixos/modules/profiles/hardened.nix
@@ -95,23 +95,17 @@ with lib;
# Disable ftrace debugging
boot.kernel.sysctl."kernel.ftrace_enabled" = mkDefault false;
- # Enable reverse path filtering (that is, do not attempt to route packets
- # that "obviously" do not belong to the iface's network; dropped packets are
- # logged as martians).
+ # Enable strict reverse path filtering (that is, do not attempt to route
+ # packets that "obviously" do not belong to the iface's network; dropped
+ # packets are logged as martians).
boot.kernel.sysctl."net.ipv4.conf.all.log_martians" = mkDefault true;
- boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = mkDefault true;
+ boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = mkDefault "1";
boot.kernel.sysctl."net.ipv4.conf.default.log_martians" = mkDefault true;
- boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = mkDefault true;
+ boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = mkDefault "1";
# Ignore broadcast ICMP (mitigate SMURF)
boot.kernel.sysctl."net.ipv4.icmp_echo_ignore_broadcasts" = mkDefault true;
- # Ignore route information from sender
- boot.kernel.sysctl."net.ipv4.conf.all.accept_source_route" = mkDefault false;
- boot.kernel.sysctl."net.ipv4.conf.default.accept_source_route" = mkDefault false;
- boot.kernel.sysctl."net.ipv6.conf.all.accept_source_route" = mkDefault false;
- boot.kernel.sysctl."net.ipv6.conf.default.accept_source_route" = mkDefault false;
-
# Ignore incoming ICMP redirects (note: default is needed to ensure that the
# setting is applied to interfaces added after the sysctls are set)
boot.kernel.sysctl."net.ipv4.conf.all.accept_redirects" = mkDefault false;
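Review bot: The removed accept_source_route lines include the two net.ipv6 entries, but the systemd 50-default.conf snippet this commit relies on is only referenced by path elsewhere in the diff, so nothing on the page shows that it covers IPv6 as well as IPv4; if it only sets the net.ipv4 keys, the hardened profile silently loses its IPv6 source-route setting. Either keep the two ipv6 lines or record the dependency with a comment, e.g. `# IPv4 accept_source_route is disabled by systemd's 50-default.conf snippet (sysctl.d sorts it before 60-nixos.conf)`. The accept_source_route removal in google-compute-config.nix has the same unrecorded reliance on that snippet. The enclosing attrset continues outside the hunk.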
diff --git a/nixos/modules/rename.nix b/nixos/modules/rename.nix
index 3ea139fc5ce..e32fa6fded4 100644
--- a/nixos/modules/rename.nix
+++ b/nixos/modules/rename.nix
@@ -226,6 +226,7 @@ with lib;
(mkRemovedOptionModule [ "services" "mysql" "rootPassword" ] "Use socket authentication or set the password outside of the nix store.")
(mkRemovedOptionModule [ "services" "zabbixServer" "dbPassword" ] "Use services.zabbixServer.database.passwordFile instead.")
(mkRemovedOptionModule [ "systemd" "generator-packages" ] "Use systemd.packages instead.")
+ (mkRemovedOptionModule [ "systemd" "coredump" "enable" ] "Enabled by default. Set boot.kernel.sysctl.\"kernel.core_pattern\" = \"core\"; to disable.")
# ZSH
(mkRenamedOptionModule [ "programs" "zsh" "enableSyntaxHighlighting" ] [ "programs" "zsh" "syntaxHighlighting" "enable" ])
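Review bot: The removal message tells users to set kernel.core_pattern to "core" to disable systemd-coredump, but that alone does not restore the old disabled state: the deleted coredump.nix also set `DefaultLimitCORE=0:infinity` in that case, whereas systemd.nix now emits `DefaultLimitCORE=infinity` unconditionally, so with only the suggested override every system service may write an unbounded core file into its working directory. Suggest extending the message: `"Enabled by default. Set boot.kernel.sysctl.\"kernel.core_pattern\" = \"core\"; and systemd.extraConfig = \"DefaultLimitCORE=0:infinity\"; to restore the old behaviour."`. The same caveat applies to the corresponding release-notes paragraph and to the DefaultLimitCORE hunk in systemd.nix.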
diff --git a/nixos/modules/system/boot/coredump.nix b/nixos/modules/system/boot/coredump.nix
deleted file mode 100644
index 30f367da766..00000000000
--- a/nixos/modules/system/boot/coredump.nix
+++ /dev/null
@@ -1,66 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-{
-
- options = {
-
- systemd.coredump = {
-
- enable = mkOption {
- default = false;
- type = types.bool;
- description = ''
- Enables storing core dumps in systemd.
- Note that this alone is not enough to enable core dumps. The maximum
- file size for core dumps must be specified in limits.conf as well. See
- and the limits.conf(5)
- man page (these specify the core dump limits for user login sessions)
- and (where e.g.
- DefaultLimitCORE=1000000 can be specified to set
- the core dump limit for systemd system-level services).
- '';
- };
-
- extraConfig = mkOption {
- default = "";
- type = types.lines;
- example = "Storage=journal";
- description = ''
- Extra config options for systemd-coredump. See coredump.conf(5) man page
- for available options.
- '';
- };
- };
-
- };
-
- config = mkMerge [
- (mkIf config.systemd.coredump.enable {
-
- systemd.additionalUpstreamSystemUnits = [ "systemd-coredump.socket" "systemd-coredump@.service" ];
-
- environment.etc."systemd/coredump.conf".text =
- ''
- [Coredump]
- ${config.systemd.coredump.extraConfig}
- '';
-
- # Have the kernel pass core dumps to systemd's coredump helper binary.
- # From systemd's 50-coredump.conf file. See:
- #
- boot.kernel.sysctl."kernel.core_pattern" = "|${pkgs.systemd}/lib/systemd/systemd-coredump %P %u %g %s %t %c %e";
- })
-
- (mkIf (!config.systemd.coredump.enable) {
- boot.kernel.sysctl."kernel.core_pattern" = mkDefault "core";
-
- systemd.extraConfig =
- ''
- DefaultLimitCORE=0:infinity
- '';
- })
- ];
-
-}
diff --git a/nixos/modules/system/boot/systemd.nix b/nixos/modules/system/boot/systemd.nix
index 1914827d0e5..23a2dd45d49 100644
--- a/nixos/modules/system/boot/systemd.nix
+++ b/nixos/modules/system/boot/systemd.nix
@@ -76,6 +76,10 @@ let
"systemd-journald-dev-log.socket"
"syslog.socket"
+ # Coredumps.
+ "systemd-coredump.socket"
+ "systemd-coredump@.service"
+
# SysV init compatibility.
"systemd-initctl.socket"
"systemd-initctl.service"
@@ -540,6 +544,16 @@ in
'';
};
+ systemd.coredump.extraConfig = mkOption {
+ default = "";
+ type = types.lines;
+ example = "Storage=journal";
+ description = ''
+ Extra config options for systemd-coredump. See coredump.conf(5) man page
+ for available options.
+ '';
+ };
+
systemd.extraConfig = mkOption {
default = "";
type = types.lines;
@@ -795,6 +809,7 @@ in
DefaultMemoryAccounting=yes
DefaultTasksAccounting=yes
''}
+ DefaultLimitCORE=infinity
${config.systemd.extraConfig}
'';
@@ -818,6 +833,12 @@ in
${config.services.journald.extraConfig}
'';
+ "systemd/coredump.conf".text =
+ ''
+ [Coredump]
+ ${config.systemd.coredump.extraConfig}
+ '';
+
"systemd/logind.conf".text = ''
[Login]
KillUserProcesses=${if config.services.logind.killUserProcesses then "yes" else "no"}
@@ -831,6 +852,10 @@ in
[Sleep]
'';
+ # install provided sysctl snippets
+ "sysctl.d/50-coredump.conf".source = "${systemd}/example/sysctl.d/50-coredump.conf";
+ "sysctl.d/50-default.conf".source = "${systemd}/example/sysctl.d/50-default.conf";
+
"tmpfiles.d/systemd.conf".source = "${systemd}/example/tmpfiles.d/systemd.conf";
"tmpfiles.d/x11.conf".source = "${systemd}/example/tmpfiles.d/x11.conf";
diff --git a/nixos/modules/virtualisation/google-compute-config.nix b/nixos/modules/virtualisation/google-compute-config.nix
index 5c59188b68b..79766970c75 100644
--- a/nixos/modules/virtualisation/google-compute-config.nix
+++ b/nixos/modules/virtualisation/google-compute-config.nix
@@ -159,12 +159,6 @@ in
# functionality/features (e.g. TCP Window scaling).
"net.ipv4.tcp_syncookies" = mkDefault "1";
- # ignores source-routed packets
- "net.ipv4.conf.all.accept_source_route" = mkDefault "0";
-
- # ignores source-routed packets
- "net.ipv4.conf.default.accept_source_route" = mkDefault "0";
-
# ignores ICMP redirects
"net.ipv4.conf.all.accept_redirects" = mkDefault "0";
@@ -186,10 +180,10 @@ in
# don't allow traffic between networks or act as a router
"net.ipv4.conf.default.send_redirects" = mkDefault "0";
- # reverse path filtering - IP spoofing protection
+ # strict reverse path filtering - IP spoofing protection
"net.ipv4.conf.all.rp_filter" = mkDefault "1";
- # reverse path filtering - IP spoofing protection
+ # strict path filtering - IP spoofing protection
"net.ipv4.conf.default.rp_filter" = mkDefault "1";
# ignores ICMP broadcasts to avoid participating in Smurf attacks
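Review bot: The rewritten comment above net.ipv4.conf.default.rp_filter reads `# strict path filtering - IP spoofing protection` and has lost the word "reverse"; make it match the conf.all line: `# strict reverse path filtering - IP spoofing protection`. The enclosing sysctl attrset continues outside the hunk.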
diff --git a/nixos/tests/systemd.nix b/nixos/tests/systemd.nix
index 344d675c5fe..3168c026d51 100644
--- a/nixos/tests/systemd.nix
+++ b/nixos/tests/systemd.nix
@@ -83,5 +83,11 @@ import ./make-test.nix ({ pkgs, ... }: {
$machine->waitForUnit('multi-user.target');
$machine->succeed('test -e /tmp/shared/shutdown-test');
};
+
+ # Test settings from /etc/sysctl.d/50-default.conf are applied
+ subtest "systemd sysctl settings are applied", sub {
+ $machine->waitForUnit('multi-user.target');
+ $machine->succeed('sysctl net.core.default_qdisc | grep -q "fq_codel"');
+ };
'';
})