Commit Graph

2958 Commits

Author SHA1 Message Date
Rickard Nilsson
5a0c8ff040 Merge pull request #2548 from proger/sysdig-0.1.81
sysdig: update to 0.1.81
2014-05-08 10:45:18 +02:00
Austin Seipp
130cb5d005 criu: upgrade, hopefully fix Hydra build
Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-05-07 16:43:48 -05:00
Vladimir Kirillov
bf9612e797 sysdig: update to 0.1.81 2014-05-07 11:46:02 +03:00
Ricardo M. Correia
5b4006cddb paxctl: Update from 0.7 -> 0.8 2014-05-06 20:29:06 +02:00
Vladimír Čunát
1796a939d4 b43-fwcutter: update 015 -> 018 2014-05-06 18:43:01 +02:00
Eelco Dolstra
24cbe874d6 systemd-journal-flush: Require /var/log/journal rather than all filesystems
Backport: 14.04
2014-05-05 16:47:43 +02:00
Eelco Dolstra
014fe1a3c3 sysinit.target: Don't depend on systemd-tmpfiles-setup.service
systemd-tmpfiles-setup.service pulls in local-fs.target, which
interferes with NixOps' send-keys feature (since sshd.service depends
indirectly on sysinit.target). Since in NixOS we don't use
systemd-tmpfiles for creating files (that's done by activation scripts
and preStart scripts), it's not a problem to start it a bit later.

Backport: 14.04
2014-05-05 16:47:02 +02:00
Vladimír Čunát
07aaea85d4 pam: upstream patch to fix CVE-2014-2583 2014-05-03 21:30:48 +02:00
Eelco Dolstra
cb45ecad34 systemd: Look for fsck.* in the right place
Fixes #2464.
2014-05-01 14:32:58 +02:00
Austin Seipp
7faaa9e6da lockdep: 3.14 -> 3.14.2
Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-28 17:34:35 -05:00
Bjørn Forsman
6859853045 psmisc: (from upstream) Typo in fuser makes -M on all the time 2014-04-27 20:19:31 +02:00
Austin Seipp
92f7781f00 kernel/grsecurity: stable/longterm/testing updates
kernels:

  - longterm: 3.4.87  -> 3.4.88
  - longterm: 3.10.37 -> 3.10.38
  - stable:   3.13.10 -> 3.13.11
  - stable:   3.14.1  -> 3.14.2

grsecurity:

  - test: 3.0-3.14.1-201404241722 -> 3.0-3.14.2-201404270907

NOTE: technically the 3.13 stable kernel is now EOL. However, it will
become the long-term grsecurity stable kernel, and will have ongoing
support from Canonical.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-27 08:41:42 -05:00
Ricardo M. Correia
efae8ce543 grsecurity: Update all patches
stable:  3.0-3.2.57-201404182109            -> 3.0-3.2.57-201404241714
test:    3.0-3.14.1-201404201132            -> 3.0-3.14.1-201404241722
vserver: 3.0-3.2.57-vs2.3.2.16-201404182110 -> 3.0-3.2.57-vs2.3.2.16-201404241715
2014-04-25 04:41:58 +02:00
Vladimír Čunát
116d52c6df linux-3.12: bump .17 -> .18 2014-04-24 20:02:34 +02:00
Lluís Batlle i Rossell
8ef1d4ecdb Making nvidia build with linux 3.14. Patch not needed anymore. 2014-04-23 16:06:15 +02:00
Ricardo M. Correia
419a71e1e5 spl, zfs: Add git versions, based on recent commits
Upstream has not been tagging new versions for a long time, but we need
compatibility with newer kernels. The 0.6.2 versions already have a bunch of
backported compatibility patches, but 3.14 kernels need even more.

Also, the git versions have fixed a bunch of crashes and other bugs, so perhaps
we should just bite the bullet and just use recent git versions (as sometimes
upstream recommends, when people run into bugs).

This adds a new "boot.zfs.useGit" boolean option, so that a user can
easily opt into using the git versions.
2014-04-23 01:42:52 +02:00
Eelco Dolstra
fb3629df49 systemd: Re-allow Restart=yes with Type=oneshot 2014-04-22 23:53:21 +02:00
Rickard Nilsson
5db9287b7c rtkit: Update from 0.10 to 0.11 2014-04-21 23:22:10 +02:00
Ricardo M. Correia
5d5ca7b260 grsecurity: Update all patches
stable:  3.0-3.2.57-201404131252            -> 3.0-3.2.57-201404182109
test:    3.0-3.13.10-201404141717           -> 3.0-3.14.1-201404201132
vserver: 3.0-3.2.57-vs2.3.2.16-201404131253 -> 3.0-3.2.57-vs2.3.2.16-201404182110
2014-04-21 18:46:41 +02:00
Eelco Dolstra
4e8c2f0ff9 Merge branch 'systemd-update' 2014-04-20 19:31:01 +02:00
Eelco Dolstra
660d38e838 nvidia-x11: Update to 331.67 2014-04-18 21:50:00 +02:00
Eelco Dolstra
5da309fcaa linux: Enable SND_DYNAMIC_MINORS
This is necessary if you get:

  kernel: Too many HDMI devices
  kernel: Consider building the kernel with CONFIG_SND_DYNAMIC_MINORS=y
2014-04-18 21:50:00 +02:00
Eelco Dolstra
890d0cc3a5 firmware-linux-nonfree: Update to 0.41 2014-04-18 15:34:10 +02:00
Eelco Dolstra
7ea51b1c6c Enable kmod-static-nodes.service
This creates static device nodes such as /dev/fuse or
/dev/snd/seq. The kernel modules for these devices will be loaded on
demand when the device node is opened.
2014-04-17 14:35:05 +02:00
Eelco Dolstra
9594421617 kmod: Respect $MODULE_DIR in ‘kmod static-nodes’ 2014-04-17 13:52:30 +02:00
Eelco Dolstra
51a1e0a4a9 kmod: Update to 17 2014-04-17 13:46:48 +02:00
Eelco Dolstra
3f01caa89f linux: Enable transparent hugepages 2014-04-16 22:40:07 +02:00
Eelco Dolstra
2503e7e0c8 systemd: Apply patch to make container logins work again 2014-04-16 18:15:48 +02:00
Eelco Dolstra
c21ef84810 linux-pam: Update to 1.1.8 2014-04-16 16:44:05 +02:00
Eelco Dolstra
7438b95437 util-linux: Update to 2.24.1 2014-04-16 16:31:58 +02:00
Eelco Dolstra
c81565f6cf Remove hack for using upstream getty units
Also, enable the container-getty@ unit so that "machinectl login"
works.
2014-04-16 16:11:17 +02:00
Eelco Dolstra
19d4e40dfc systemd: Build on i686-linux 2014-04-16 15:25:37 +02:00
Eelco Dolstra
0ac322c7a0 systemd-nspawn: Fix starting NixOS containers 2014-04-16 11:34:34 +02:00
William A. Kennington III
171a58bcd6 cpupower: Add package to replace cpufrequtils 2014-04-16 01:09:57 +02:00
Eelco Dolstra
ee9c068b0c systemd: Update to 212
Note that systemd no longer depends on dbus, so we're rid of the
cyclic dependency problem between systemd and dbus.

This commit incorporates from wkennington's systemd branch
(203dcff45002a63f6be75c65f1017021318cc839,
1f842558a95947261ece66f707bfa24faf5a9d88).
2014-04-16 00:59:26 +02:00
Eelco Dolstra
07cb7451d9 lvm2: Update to 2.02.106 2014-04-15 18:02:07 +02:00
Eelco Dolstra
a37edbbb63 linux-headers: Add 3.14 2014-04-15 16:59:19 +02:00
Eelco Dolstra
0fc9f65ff2 linux-headers-2.6.28: Remove, no longer used 2014-04-15 16:50:29 +02:00
Peter Simons
e572b5c104 Merge pull request #2253 from jwiegley/watch
Add a recipe for installing "watch" from procps (#2227)
2014-04-15 16:12:27 +02:00
Austin Seipp
ba2f861f05 kernel: stable/longterm updates
- stable:   3.14    -> 3.14.1
- longterm: 3.10.36 -> 3.10.37
- longterm: 3.4.86  -> 3.4.86

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-14 19:46:39 -05:00
Ricardo M. Correia
1b113178ee grsecurity: Update test patch from 3.0-3.13.9-201404131254 -> 3.0-3.13.10-201404141717 2014-04-15 00:16:29 +02:00
Ricardo M. Correia
3a1c9a2945 linux: Update to 3.13.10 2014-04-15 00:16:29 +02:00
Eelco Dolstra
73b4b287bb linux: Don't use underscores in the timestamp 2014-04-14 21:06:04 +02:00
John Wiegley
7a59054dce Add a recipe for installing "watch" from procps (#2227) 2014-04-14 09:10:10 -05:00
Bjørn Forsman
1296372681 cifs-utils: update 6.2 -> 6.3
January 9, 2014: Release 6.3:
* fixes for various bugs turned up by Coverity
* clean unused cruft out of upcall binary
* add new pam_cifscreds PAM module for establishing NTLM creds on login
* https://lists.samba.org/archive/samba-technical/2014-January/097124.html
2014-04-13 22:56:21 +02:00
Bjørn Forsman
5e50b35a26 bluez5: remove unneeded libusb dependency
bluez >= 5.9 does not depend on libusb[1].

[1] http://www.bluez.org/release-of-bluez-5-9/
2014-04-13 22:46:47 +02:00
Austin Seipp
788d9a13fb grsecurity: stable/vserver/testing updates
- stable:  201404111812            -> 201404131252
- vserver: vs2.3.2.16-201404111814 -> vs2.3.2.16-201404131253
- testing: 201404111815            -> 201404131254

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-13 13:11:17 -05:00
Michael Raskin
e86e76e560 Adding sysdig system call tracer for Linux 2014-04-13 20:49:37 +04:00
Bjørn Forsman
d1f875c6af lttng project: update from 2.3.0 to 2.4.1
(And update liburcu to 0.8.4 according to release notes for lttng 2.4.x.)

In addition to new features and bug fixes, version 2.4.x is needed to build
against Linux 3.12 (our new stable kernel).
2014-04-13 10:47:16 +02:00
Austin Seipp
172dc1336f nixos: add grsecurity module (#1875)
This module implements a significant refactoring in grsecurity
configuration for NixOS, making it far more usable by default and much
easier to configure.

 - New security.grsecurity NixOS attributes.
   - All grsec kernels supported
   - Allows default 'auto' grsec configuration, or custom config
   - Supports custom kernel options through kernelExtraConfig
   - Defaults to high-security - user must choose kernel, server/desktop
     mode, and any virtualisation software. That's all.
   - kptr_restrict is fixed under grsecurity (it's unwriteable)
 - grsecurity patch creation is now significantly abstracted
   - only need revision, version, and SHA1
   - kernel version requirements are asserted for sanity
   - built kernels can have the uname specify the exact grsec version
     for development or bug reports. Off by default (requires
     `security.grsecurity.config.verboseVersion = true;`)
 - grsecurity sysctl support
   - By default, disabled.
   - For people who enable it, NixOS deploys a 'grsec-lock' systemd
     service which runs at startup. You are expected to configure sysctl
     through NixOS like you regularly would, which will occur before the
     service is started. As a result, changing sysctl settings requires
     a reboot.
 - New default group: 'grsecurity'
   - Root is a member by default
   - GRKERNSEC_PROC_GID is implicitly set to the 'grsecurity' GID,
     making it possible to easily add users to this group for /proc
     access
 - AppArmor is now automatically enabled where it wasn't before, despite
   implying features.apparmor = true

The most trivial example of enabling grsecurity in your kernel is by
specifying:

    security.grsecurity.enable          = true;
    security.grsecurity.testing         = true;      # testing 3.13 kernel
    security.grsecurity.config.system   = "desktop"; # or "server"

This specifies absolutely no virtualisation support. In general, you
probably at least want KVM host support, which is a little more work.
So:

    security.grsecurity.enable = true;
    security.grsecurity.stable = true; # enable stable 3.2 kernel
    security.grsecurity.config = {
      system   = "server";
      priority = "security";
      virtualisationConfig   = "host";
      virtualisationSoftware = "kvm";
      hardwareVirtualisation = true;
    };

This module has primarily been tested on Hetzner EX40 & VQ7 servers
using NixOps.

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2014-04-11 22:43:51 -05:00