* Fix test in writing-nixos-tests.section.md
That paren couldn't possibly have been in the right place.
(I do not have nix set up to generate `writing-nixos-tests.section.xml` or verify the test or anything, please do whatever is appropriate with this trivial change)
* doc: fix numpy example test value
Making the test test the right thing made it fail
see PR discussion
We need to make sure systemd-tmpfiles-setup.service ran before we
start systemd-binft.service. Otherwise it might fail to start
due to non-existant files
Fixes#295365
When build using 'nix build' if we hit this default we will fail to
evaluate. Most instances that this should break have been fixed so
we remove this to prevent this from happening further in the future.
Right now the worst case chain of events for building an ISO on Hydra is
- copy everything to squashfs builder
- run squashfs builder
- download squashfs from builder
- compress squashfs
- upload squashfs to S3
- copy squashfs to ISO builder
- run ISO builder
- download ISO from builder
- compress ISO
- upload ISO to S3
This inlines the squashfs build into the ISO build, which makes it
- copy everything to ISO builder
- run ISO builder
- download ISO from builder
- compress ISO
- upload ISO to S3
Which should reduce queue runner load by $alot per ISO, which we have four of on small channels
(one release, one test per arch) and a lot more than four of on large channels (with various desktops)
This ensures a ".dtb" PE section makes it into the UKI so systemd-stub
can install the correct devicetree for use by the Linux kernel. This is
often needed on systems that boot with u-boot since the devicetree used
by u-boot is often a paired down version of what the Linux kernel needs.
On those kinds of boards, the lack of this PE section means that u-boot
will end up installing its internal devicetree into the UEFI
configuration table, which is what the Linux kernel ends up using.
While `/var/lib/lldap` isn't technically accessible by unprivileged
users thanks to `DynamicUser=true`, a user might prefer and change it to
`DynamicUser=false`.
There is currently also a PR open that intends to make `DynamicUser`
configurable via module option.
As such, `jwt_secret_file`, if bootstrapped by the service start
procedure, might be rendered world-readable due to its permissions
(`0644/-rw-r--r--`) defaulting to the service's umask (`022`) and
`/var/lib/lldap` to `0755/drwxr-xr-x` due to `StateDirectoryMode=0755`.
This would usually be fixed by using `(umask 027; openssl ...)` instead
of just `openssl ...`.
However, it was found that another file (`users.db`), this time
bootstrapped by `lldap` itself, also had insufficient permissions
(`0644/-rw-r--r--`) inherited by the global umask and would be left
world-readable as well.
Due to this, we instead change the service's to `027`.
And to lower the impact for already bootstrapped files on existing
instances like `users.db`, set `StateDirectoryMode=0750`.
ESDM 1.0.1 fixed bugs related to Linux compatibility layer with CUSE.
During these fixes, the compatibility layer was simplified behind a
target in order to start the necessary services together or none of
them (services.esdm.linuxCompatServices).
Furthermore, a small helper was added to ESDM 1.0.1 in order to deal
with resume/suspend/hibernate (FUSE needs to be unblocked).
Removed options are marked.
Signed-off-by: Markus Theil <theil.markus@gmail.com>
