The Express Data Path (XDP) is a way to circumvent the traditional Linux
networking stack and instead run an eBPF program on your NIC, that makes
the decision to provide Knot with certain packets. This is way faster
and more scalable but comes at the cost of reduced introspection.
Unfortunately the `knotc conf-check` command fails hard with missing
interfaces or IP addresses configured in `xdp.listen`, so we disable it
for now, once the `xdp` config section is set. We also promote the config
check condition to a proper option, so our conditions become public
documentation, and we allow users to deal with corner cases, that we have
not thought of yet.
We follow the pre-requisites documented in the Knot 3.3 manual, and set
up the required capabilities and allow the AF_XDP address family.
But on top of that, due to our strict hardening, we found two more
requirements, that were communicated upstream while debugging this.
- There is a requirement on AF_NETLINK, likely to query for and configure
the relevant network interface
- Running eBPF programs requires access to the `bpf` syscall, which we
deny through the `~@privileged` configuration.
In summary We now conditionally loosen the hardening of the unit once we
detect that an XDP configuration is wanted. And since we cannot
introspect arbitrary files from the `settingsFiles` option, we expose XDP
support through the `enableXDP` toggle option on the module.
Murmur provides an official systemd service file in their repo,
which contains various service hardening settings:
c4b5858d14/auxiliary_files/config_files/mumble-server.service.in (L7)
The service configuration in nixpkgs does not include these hardening settings.
This commit adds the hardening settings to the murmur service in nixpkgs.
This drops the `systemd-analyze security` score of murmur.service from 9.2 (UNSAFE) to 2.1 (OK).
With DefaultDependencies enabled, systemd adds "After=basic.target" to
service units. `basic.target` has a dependency on `sockets.target`, so
the `nftables` has (amongst others) the following order constraints:
* Before=network-pre.target
* After=sockets.target
Those constraints are often unsatisfiable. For example, `systemd-networkd`
has a dependency `After=network-pre.target`. When a socket unit now uses
`BindToDevice=` on a device managed by `networkd`, a timeout occurs
because `networkd` waits for `network-pre.target`, but
`network-pre.target` depends (through nftables) on `sockets.target`, but
the device to bind the socket to is never brought up, as this would
happen through `networkd`.
This is fixed by removing the implicit dependency on `basic.target`.
Since this is supposed to be a secret, use a file path as an input
instead of making it part of the expression, which would expose it in
the nix store.
In a critical setup of bird with many BGP sessions,
you want to control the exact time when configuration
changes are applied. Therefore, an option was added,
to disable automatic reloading the systemd unit,
when configuration changes are made. The administrator
how has the ability to control how changes are applied.
The ModemManager shipped fccUnlockScripts are using either qmicli or
mbimcli, to unlock wwan modems. These needs to be available for
ModemManager if you set the fccUnlockScripts link, so instead of having
every user than needs it pull it inn in different ways, we should just
provide the tools if we think they might be needed.
https://modemmanager.org/docs/modemmanager/fcc-unlock
In the past, we emitted `unicast_peer` block even with empty unicast peers list.
This now results in:
```
Keepalived_vrrp[392762]: A unicast keyword has been specified without any unicast peers. Defaulting to multicast. This usage is deprecated - please update your configuration.
```
We do not emit it anymore to avoid this warning.
This is a followup to commit bba808dbfa ("nixos/avahi-daemon:
resolve mdns only over enabled protocols, disable ipv6 by default",
2023-10-01, PR #258424). mdns occurs twice in /etc/nsswitch.conf but
that commit changed only the first one (mdns_minimal, before resolve).
This commits ensures that both occurrences are set consistently.
This is not only consistent with upstream example[1] but it also
fixes#118628 -- a longstanding issue with CUPS and printer detection.
[1] https://github.com/avahi/nss-mdns#activation
The output is expected to be a list [ hostname, port, optional ipv6 scope ], but the
current regex only outputs [ port ], when only a port is given as address.
Noticed that issue while reviewing #275633: when declaring
`ListenAddress host` without a port, all ports declared by
`Port`/`cfg.ports` will be used with `host` according to
`sshd_config(5)`.
However, if this is done and socket activation is used, only a socket
for port 22 is created instead of a sockets for each port from
`Port`/`cfg.ports`. This patch corrects that behavior.
Also added a regression test for this case.
Changed `services.zerotierone.localConf` default value to `null` and type to `nullOr attrs` per input.
Changed `systemd` preStart script to delete
`/var/lib/zerotier-one/local.conf` when it is a symlink, and rename when it is an actual file, then only create a symlink to the nix store when `services.zerotierone.localConf` is not null.
This reverts commit 413011ddf4.
Using separate lockfile directories prevents the different kea daemons
from using the interprocess sync lockfile.
Keeping the runtime directory around might be the better approach.
I saw this trace when building my system configuration this morning:
```
lazy-options.json> trace: warning: literalExample is deprecated, use literalExpression instead, or use literalMD for a non-Nix description.
```
This warning was introduced in https://github.com/NixOS/nixpkgs/pull/237557.
The option this commit changes was introduced in https://github.com/NixOS/nixpkgs/pull/137003.
#264753 mistakenly used the dataDir option to set the -data argument.
This broke existing configurations because -data used to be set to
configDir (implicitly, using the -home option, which is equivalent to
setting -config and -data to the same value).
Fix this by introducing a new databaseDir option sets -data and defaults
to configDir. This maintains the existing behavior by default while
still allowing users to specify separate config and database
directories.
