nixpkgs/nixos/doc/manual/release-notes/rl-1609.xml


<section xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xi="http://www.w3.org/2001/XInclude"
version="5.0"
xml:id="sec-release-16.09">
<title>Release 16.09 (“Flounder”, 2016/09/30)</title>
<para>
In addition to numerous new and upgraded packages, this release has the
following highlights:
</para>
<itemizedlist>
<listitem>
<para>
Many NixOS configurations and Nix packages now use significantly less disk
space, thanks to the
<link
xlink:href="https://github.com/NixOS/nixpkgs/issues/7117">extensive
work on closure size reduction</link>. For example, the closure size of a
minimal NixOS container went down from ~424 MiB in 16.03 to ~212 MiB in
16.09, while the closure size of Firefox went from ~651 MiB to ~259 MiB.
</para>
</listitem>
<listitem>
<para>
To improve security, packages are now
<link
xlink:href="https://github.com/NixOS/nixpkgs/pull/12895">built
using various hardening features</link>. See the Nixpkgs manual for more
information.
</para>
</listitem>
<listitem>
<para>
Support for PXE netboot. See <xref
linkend="sec-booting-from-pxe" />
for documentation.
</para>
</listitem>
<listitem>
<para>
X.org server 1.18. If you use the <literal>ati_unfree</literal> driver,
1.17 is still used due to an ABI incompatibility.
</para>
</listitem>
<listitem>
<para>
This release is based on Glibc 2.24, GCC 5.4.0 and systemd 231. The default
Linux kernel remains 4.4.
</para>
</listitem>
</itemizedlist>
<para>
The following new services were added since the last release:
</para>
<itemizedlist>
<listitem>
<para>
<literal>(this will get automatically generated at release time)</literal>
</para>
</listitem>
</itemizedlist>
<para>
When upgrading from a previous release, please be aware of the following
incompatible changes:
</para>
<itemizedlist>
<listitem>
<para>
A large number of packages have been converted to use the multiple outputs
feature of Nix to greatly reduce the amount of required disk space, as
mentioned above. This may require changes to any custom packages to make
them build again; see the relevant chapter in the Nixpkgs manual for more
information. (Additional caveat to packagers: some packaging conventions
related to multiple-output packages
<link xlink:href="https://github.com/NixOS/nixpkgs/pull/14766">were
changed</link> late (August 2016) in the release cycle and differ from the
initial introduction of multiple outputs.)
</para>
</listitem>
<listitem>
<para>
Previous versions of Nixpkgs had support for all versions of the LTS
Haskell package set. That support has been dropped. The previously provided
<literal>haskell.packages.lts-x_y</literal> package sets still exist in
name to avoid breaking user code, but these package sets don't actually
contain the versions mandated by the corresponding LTS release. Instead,
our package set is loosely based on the latest available LTS release, i.e.
LTS 7.x at the time of this writing. New releases of NixOS and Nixpkgs will
drop those old names entirely.
<link
xlink:href="https://nixos.org/nix-dev/2016-June/020585.html">The
motivation for this change</link> has been discussed at length on the
<literal>nix-dev</literal> mailing list and in
<link
xlink:href="https://github.com/NixOS/nixpkgs/issues/14897">Github
issue #14897</link>. Development strategies for Haskell hackers who want to
rely on Nix and NixOS have been described in
<link
xlink:href="https://nixos.org/nix-dev/2016-June/020642.html">another
nix-dev article</link>.
</para>
</listitem>
<listitem>
<para>
Shell aliases for systemd sub-commands
<link xlink:href="https://github.com/NixOS/nixpkgs/pull/15598">were
dropped</link>: <command>start</command>, <command>stop</command>,
<command>restart</command>, <command>status</command>.
</para>
</listitem>
<listitem>
<para>
Redis now binds to 127.0.0.1 only instead of listening on all network
interfaces. This is the default behavior of Redis 3.2.
</para>
</listitem>
<listitem>
<para>
<literal>/var/empty</literal> is now immutable. The activation script runs
<command>chattr +i</command> to forbid any modifications inside the folder.
See <link xlink:href="https://github.com/NixOS/nixpkgs/pull/18365">the
pull request</link> for what bugs this caused.
</para>
</listitem>
<listitem>
<para>
Gitlab's maintenance script <command>gitlab-runner</command> was removed
and split up into the clearer <command>gitlab-run</command> and
<command>gitlab-rake</command> scripts, because
<command>gitlab-runner</command> is a component of Gitlab CI.
</para>
</listitem>
<listitem>
<para>
<literal>services.xserver.libinput.accelProfile</literal> default changed
from <literal>flat</literal> to <literal>adaptive</literal>, as per
<link xlink:href="https://wayland.freedesktop.org/libinput/doc/latest/group__config.html#gad63796972347f318b180e322e35cee79">
official documentation</link>.
</para>
</listitem>
<listitem>
<para>
<literal>fonts.fontconfig.ultimate.rendering</literal> was removed because
our presets had been obsolete for some time. New presets are hardcoded into
FreeType; you can select a preset via
<literal>fonts.fontconfig.ultimate.preset</literal>. You can customize
those presets via ordinary environment variables, using
<literal>environment.variables</literal>.
</para>
</listitem>
<listitem>
<para>
The <literal>audit</literal> service is no longer enabled by default. Use
<literal>security.audit.enable = true</literal> to explicitly enable it.
</para>
</listitem>
<listitem>
<para>
<literal>pkgs.linuxPackages.virtualbox</literal> now contains only the
kernel modules instead of the VirtualBox user space binaries. If you want
to reference the user space binaries, you have to use the new
<literal>pkgs.virtualbox</literal> instead.
</para>
</listitem>
<listitem>
<para>
<literal>goPackages</literal> was replaced with separate Go applications
in appropriate <literal>nixpkgs</literal> categories. Each Go package uses
its own dependency set. There's also a new <literal>go2nix</literal> tool
introduced to generate a Go package definition from its Go source
automatically.
</para>
</listitem>
<listitem>
<para>
<literal>services.mongodb.extraConfig</literal> configuration format was
changed to YAML.
</para>
</listitem>
<listitem>
<para>
PHP has been upgraded to 7.0.
</para>
</listitem>
</itemizedlist>
<para>
Other notable improvements:
</para>
<itemizedlist>
<listitem>
<para>
Revamped grsecurity/PaX support. There is now only a single general-purpose
distribution kernel and the configuration interface has been streamlined.
Desktop users should be able to simply set
<programlisting>security.grsecurity.enable = true</programlisting>
to get a reasonably secure system without having to sacrifice too much
functionality.
</para>
</listitem>
<listitem>
<para>
Special filesystems, like <literal>/proc</literal>, <literal>/run</literal>
and others, now have the same mount options as recommended by systemd and
are unified across different places in NixOS. Mount options are updated
during <command>nixos-rebuild switch</command> if possible. One benefit
from this is improved security — most such filesystems are now mounted
with <literal>noexec</literal>, <literal>nodev</literal> and/or
<literal>nosuid</literal> options.
</para>
</listitem>
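The mount-option hardening described above can be verified after a
<command>nixos-rebuild switch</command> by reading <filename>/proc/mounts</filename>.
The following is an added example, not code from the release notes or from
nixpkgs: it parses the <filename>/proc/mounts</filename> format (including the
kernel's octal escapes for whitespace in paths) and reports special filesystems
that lack the expected <literal>noexec</literal>, <literal>nodev</literal> or
<literal>nosuid</literal> flags. The per-mount expectations in
<literal>EXPECTED_OPTIONS</literal> are an assumption modelled on systemd's
recommended defaults; the release notes only state that most such filesystems
get these options. The sample mount table is constructed.

```python
"""Post-upgrade check for the hardened mount options (noexec, nodev, nosuid)
that NixOS 16.09 applies to special filesystems.

Added example, not part of the NixOS release notes or nixpkgs. It parses the
/proc/mounts format and reports special filesystems missing expected options.
"""
from __future__ import annotations

import re

# Options each special filesystem is expected to carry. This table is an
# assumption modelled on systemd's recommended mount options; the release
# notes only say "most" such filesystems get noexec/nodev/nosuid. /dev cannot
# be nodev (it holds device nodes) and /run is left executable here because
# some tools rely on running helpers from it.
EXPECTED_OPTIONS = {
    "/proc": {"nosuid", "nodev", "noexec"},
    "/sys": {"nosuid", "nodev", "noexec"},
    "/run": {"nosuid", "nodev"},
    "/dev": {"nosuid"},
    "/dev/shm": {"nosuid", "nodev"},
    "/dev/pts": {"nosuid", "noexec"},
}

# Constructed sample in /proc/mounts format: /dev/shm deliberately lacks the
# hardening options, and the last line carries an escaped space (\040).
SAMPLE_MOUNTS = """\
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,size=409600k,mode=755 0 0
devtmpfs /dev devtmpfs rw,nosuid,size=10240k,mode=755 0 0
tmpfs /dev/shm tmpfs rw,relatime 0 0
devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=3,mode=620 0 0
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /mnt/usb\\040stick vfat rw,nosuid,nodev,relatime 0 0
"""

_OCTAL_ESCAPE = re.compile(r"\\([0-7]{3})")


def unescape(field: str) -> str:
    """Decode the \\ooo octal escapes the kernel uses for whitespace in paths."""
    return _OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), field)


def parse_mounts(text: str) -> list[tuple[str, str, set[str]]]:
    """Return (mount point, fstype, option set) for each /proc/mounts line."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or truncated line
        _source, target, fstype, options = fields[:4]
        entries.append((unescape(target), fstype, set(options.split(","))))
    return entries


def find_weak_mounts(text: str) -> dict[str, set[str]]:
    """Map each special mount point to the hardening options it is missing."""
    missing: dict[str, set[str]] = {}
    for target, _fstype, options in parse_mounts(text):
        expected = EXPECTED_OPTIONS.get(target)
        if expected and not expected <= options:
            missing[target] = expected - options
    return missing


if __name__ == "__main__":
    # Use the live mount table when available, otherwise the constructed sample.
    try:
        with open("/proc/mounts") as f:
            mounts = f.read()
    except OSError:
        mounts = SAMPLE_MOUNTS
    for target, opts in sorted(find_weak_mounts(mounts).items()):
        print(f"{target}: missing {', '.join(sorted(opts))}")
```

On the constructed sample the only finding is <filename>/dev/shm</filename>,
which is missing <literal>nosuid</literal> and <literal>nodev</literal>; on a
real system, run it after the rebuild and treat any finding as a mount whose
options were not updated (the notes say options are updated during the switch
only "if possible", so a reboot may be needed).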
<listitem>
<para>
The reverse path filter was interfering with DHCPv4 server operation in the
past. An exception for DHCPv4 and a new option to log packets that were
dropped due to the reverse path filter were added
(<literal>networking.firewall.logReversePathDrops</literal>) for easier
debugging.
</para>
</listitem>
<listitem>
<para>
Containers configuration within
<literal>containers.&lt;name&gt;.config</literal> is
<link
xlink:href="https://github.com/NixOS/nixpkgs/pull/17365">now
properly typed and checked</link>. In particular, partial configurations
are merged correctly.
</para>
</listitem>
<listitem>
<para>
The directory containing setuid wrapper programs,
<filename>/var/setuid-wrappers</filename>,
<link
xlink:href="https://github.com/NixOS/nixpkgs/pull/18124">is now
updated atomically to prevent failures if the switch to a new configuration
is interrupted.</link>
</para>
</listitem>
<listitem>
<para>
<literal>services.xserver.startGnuPGAgent</literal> has been removed due to
the GnuPG 2.1.x bump. See
<link
xlink:href="https://github.com/NixOS/nixpkgs/commit/5391882ebd781149e213e8817fba6ac3c503740c">
how to achieve similar behavior</link>. You might need to <literal>pkill
gpg-agent</literal> after the upgrade to prevent a stale agent being in the
way.
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://github.com/NixOS/nixpkgs/commit/e561edc322d275c3687fec431935095cfc717147">
Declarative users could share the same UID due to a bug in the script
handling conflict resolution.</link>
</para>
</listitem>
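Because the UID-sharing bug affected systems that were built before the fix,
it is worth checking existing systems for accounts that still collide. The
following is an added example, not code from the release notes or from
nixpkgs: it parses passwd-format data and returns every UID used by more than
one account. The sample passwd content is constructed.

```python
"""Find UIDs shared by more than one account in passwd-format data.

Added example, not code from the NixOS release notes or nixpkgs. It checks for
the condition the fixed conflict-resolution bug could produce, on a constructed
sample or on the live /etc/passwd.
"""
from __future__ import annotations

# Constructed sample: alice and bob collide on UID 1000.
SAMPLE_PASSWD = """\
root:x:0:0:System administrator:/root:/run/current-system/sw/bin/bash
alice:x:1000:100::/home/alice:/run/current-system/sw/bin/bash
bob:x:1000:100::/home/bob:/run/current-system/sw/bin/zsh
nixbld1:x:30001:30000:Nix build user 1:/var/empty:/run/current-system/sw/bin/nologin
"""


def shared_uids(passwd_text: str) -> dict[int, list[str]]:
    """Return {uid: [account names]} for every UID used by two or more accounts."""
    names_by_uid: dict[int, list[str]] = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7 or not fields[2].isdigit():
            continue  # comment, blank or malformed line
        names_by_uid.setdefault(int(fields[2]), []).append(fields[0])
    return {uid: names for uid, names in names_by_uid.items() if len(names) > 1}


if __name__ == "__main__":
    # Use the live passwd database when readable, otherwise the constructed sample.
    try:
        with open("/etc/passwd") as f:
            passwd = f.read()
    except OSError:
        passwd = SAMPLE_PASSWD
    for uid, names in sorted(shared_uids(passwd).items()):
        print(f"UID {uid} is shared by: {', '.join(names)}")
```

Any collision reported on a real system should be resolved by assigning
explicit, distinct <literal>uid</literal> values in the declarative user
definitions and rebuilding.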
<listitem>
<para>
Gummi boot has been replaced by systemd-boot.
</para>
</listitem>
<listitem>
<para>
Hydra package and NixOS module were added for convenience.
</para>
</listitem>
</itemizedlist>
</section>