systemd: 252.5 -> 253

[gdamjan]

Description of changes

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 23.05 Release Notes (or backporting 22.11 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md.

[gdamjan]

still to do:

1. check if the not-applied patches are really not needed any more
2. remove them if so (if not, find a new fix)
3. make sure the libp11-kit.so.0 comment is correct
4. improve the commit message with more info

if anyone can help by commenting here, that would be nice

[flokli]

@gdamjan i initially already prepared a draft PR, check #212624

Happy to close that one in favor of yours, but you might want to source some info from there :-)

[flokli]

LGTM. We should probably still do some more testing before merging.

[flokli]

I tried switching my system to this nixpkgs commit, but aiohttp and samba failed to build.

I'm not sure if it's fixed in staging since you opened that PR or not. I just merged in staging in a local branch and will kick off another build to try again.

[gdamjan]

A live upgrade (or "switch" in nixos parlance) will need to trigger the udev rules, so lets block the merging of this PR before we investigate how Nixos does that.

One of outcomes of the daemon-reexec is the change of boot.mount (for example) to use new style per-partition diskseq symlinks:

[Mount]
What=/dev/disk/by-diskseq/1-part1
Where=/boot
Type=vfat
Options=umask=0077,noexec,nosuid,nodev,rw

this will make subsequent mounting of the boot partition (or the ESP) to fail, because only the new udevd will create those symlinks.

ps.
here's the relevant change in Archlinux
archlinux/svntogit-packages@cf15dcc

[gdamjan]

I'm guessing this is where the systemd switch happens:
nixos/modules/system/activation/switch-to-configuration.pl

[flokli]

cc @dasJ for input regarding the activation script logic.

[dasJ]

I don't really understand the issue and what needs to be done tbh

[gdamjan]

I don't really understand the issue and what needs to be done tbh

so nixos-rebuild switch will run systemctl daemon-reload and daemon-reexec. That will replace some of the .mount units to use new-style What= (the source for the mount) that uses by-diskseq paths. But if udev is not re-triggered at the same time, those paths will not be created.

Now, worst case, this can potentially make /boot (or /efi) inaccessible, so updating the boot-loader will fail.

The recommendation by systemd developers is to always do udevadm control --reload; udevadm trigger when updating systemd/udev.

[dasJ]

I'd personally go with an activation script snippet rather than touching https://switch-to-configuration.pl
The main upshot is that a lot more people actually understand the shell language (compared to Perl) and it doesn't introduce yet another oddity into a script that handles tons of edge cases.
We already have a systemd-timesyncd-migration snippet there so adding another one should be no issue. I checked and the snippets get executed before systemd is restarted. This is probably wrong. So you can just write a unit name to /run/nixos/restart-list and https://switch-to-configuration.pl will restart the unit along the other ones.

You can get the old systemd version from /run/current-system (if it exists) and the new one from $systemConfig.

[arianvp]

I think we might not have this issue given we set up explicit /etc/fstab entries foor /boot with the default hardware-configuration.nix that uses /etc/disks/by-uuid/<blah> to set up the /boot mount point instead of letting systemd synthesise the .mount file

This only affects people who remove the /boot entry from fileSystems and use the systemd-builtin boot.automount. I happen to be relying on this behaviour on my hosts but it's definitely not the default in NixOS.

However retriggering udev rules is probably still a good idea; albeit maybe not a blocker?

[arianvp]

Retriggering udev rules will need wider testing. E.g. lvm might run into weird issues that we might need to test thoroughly. Would an alternative be adding a Release note that people should do a nixes-rebuild boot instead of nixes-rebuild switch if they rely on the implicit boot.mount unit instead of /etc/fstab ?

[winterqt]

Hi! Just gonna drive by here with a quick snippet from CONTRIBUTING.md:

Package version upgrades usually allow for simpler commit messages, including attribute name, old and new version, as well as a reference to the relevant release notes/changelog. Every once in a while a package upgrade requires more extensive changes, and that subsequently warrants a more verbose message.

You've definitely nailed the second half, but if any more changes are required to this commit, could you add a link to the upstream changelog?

Thank you!

[flokli]

I'd personally prefer adding a note to the release notes, rather than the activation script.

[winterqt]

I meant the commit message (that's what the quoted section concerns), not the activation script.

[gdamjan]

I meant the commit message (that's what the quoted section concerns), not the activation script.

will do later today. I understood you the first time :D

[gdamjan]

Ok, just to make it clear. Things left to do are:

• improve the commit message with the NEWS from systemd v253
• add a note in the release notes about a preference for nixes-rebuild boot rather than nixes-rebuild switch - since in some rare cases switch might fail.

[arianvp]

Correct

[gdamjan]

ps.
we will probably get v253.1 sometime next week, so if we wanna reduce rebuilds, we might want to wait for that?

[flokli]

We don't trigger builds for staging anyways, but whenever a new staging-next cycle happens. If there's no really bad regression that 253.1 will fix I'd rather see this merged in first.

[flokli]

253.1 has been released, and we're about to start a new staging cycle. As agreed on Matrix I'll give 253.1 some testing and we'll merge this in.

[flokli]

Rolling back, at least with these cherrypicked into master, I get failures in the nixosTests.systemd-initrd-shutdown tests.

Things like

[ 0.576734] (sd-g[65]: Failed to overmount /tmp/: No such file or directory

and

machine # [ 0.646526] systemd[1]: Failed to fork off sandboxing environment for executing generators: Protr

I don't see these with 252, so this needs some further testing.

[gdamjan]

yeah, the /tmp mount point is required in the initrd cpio archive now it seems (since systemd/systemd#25723 I gather).

I've fixed hacked around the issue with this change:

diff --git a/nixos/modules/system/boot/systemd/initrd.nix b/nixos/modules/system/boot/systemd/initrd.nix
index cf76704577f..ff148266225 100644
--- a/nixos/modules/system/boot/systemd/initrd.nix
+++ b/nixos/modules/system/boot/systemd/initrd.nix
@@ -358,6 +358,7 @@ in {
       };
 
       contents = {
+        "/tmp/.dummy".text = "";
         "/init".source = "${cfg.package}/lib/systemd/systemd";
         "/etc/systemd/system".source = stage1Units;
 

… since I didn't know how to create a directory in the initrd. My VM boots now.

[flokli]

@ElvishJerricco do you have any thoughts on this?

[ElvishJerricco]

I think the /tmp/.keep fix is fine. However, this currently fails to cross compile because the new ukify python script in the output refers to the build platform's python (see: disallowedReferences in systemd/default.nix). I would prefer to keep the ukify script if we can, but I'm not sure what the cleanest way would be to have it use the host platform's python. Also, it needs the pefile python package included.

[gdamjan]

I might not have the bandwidth to fix the ukify issue soon, so I'd suggest we disable it temporary, merge this PR (if there are no other issues).

Then we can tackle the ukify issue later.

[gdamjan]

ps.
with

@@ -501,6 +501,7 @@ stdenv.mkDerivation (finalAttrs: {
     # Upstream defaulted to disable manpages since they optimize for the much
     # more frequent development builds
     "-Dman=true"
+    "-Dukify=false"
 
     "-Defi=${lib.boolToString withEfi}"
     "-Dgnu-efi=${lib.boolToString withEfi}"

nix build -f . pkgsCross.aarch64-multiplatform.systemd does compile

[ElvishJerricco]

I'd suggest we disable it temporary, merge this PR (if there are no other issues).

Then we can tackle the ukify issue later.

That sounds fine to me.

[flokli]

The eval error seems to be a timeout, because ofborg started building something.