Release 2023_005 (2023-03-15)

Impact

  • [NixOS 22.11] Gitlab will restart. Most services will restart because of a core dependency change. Machines will schedule a reboot to activate the changed kernel.

NixOS 22.11 platform

This is the first production release of the 22.11 platform. The default for new production VMs is still 22.05 which will be changed in the next weeks.

We rolled out the upgrade to most of the customer staging systems on Tuesday, 2023-03-07.

Some production systems are already using 22.11, for example Gitlab instances. They will be updated with this release.

Significant breaking changes

  • nginx: now uses the nginx user to run the master process. This may cause problems when certificates are read from arbitrary directories, for example deployments. Normally, the built-in support for Letsencrypt should be used instead to avoid permission problems and make sure that certificates are rotated automatically. If using external certificates cannot be avoided, make sure that permissions allow read access for the nginx user, for example by applying setfacl -Rm u:nginx:rX to the certificate directory. It’s also possible to keep the old behavior by adding services.nginx.masterUser = "root"; as Custom NixOS-native configuration.

  • Deprecated settings logrotate.paths and logrotate.extraConfig have been removed. Please convert any uses to services.logrotate.settings instead before upgrading.

  • kibana roles have been removed. Machines that use kibana should stay on 22.05 for now and move to OpenSearch/OpenSearch Dashboards later.

  • graylog/loghost roles have been removed. Machines that use these roles should stay on 22.05. We are working on a new logging stack on 22.11+ which is planned to be based on Grafana Loki.

Other notable changes

  • PHP is now built in NTS (Non-Thread Safe) mode by default. For Apache and mod_php usage, we enable ZTS (Zend Thread Safe) mode. This has been a common practice for a long time in other distributions.

  • The postgresql15 role is now available.

  • openssh was updated to version 9.1, disabling the generation of DSA keys when using ssh-keygen -A as they are insecure. Also, SetEnv directives in ssh_config and sshd_config are now first-match-wins.

  • Python now defaults to 3.10, updated from 3.9. Python 3.11 is now stable.

  • PHP now defaults to PHP 8.1, updated from 8.0.

  • OpenSSL now defaults to OpenSSL 3, updated from 1.1.1.

  • The nodePackages package set now defaults to the LTS release in the nodejs package again, instead of being pinned to nodejs-14_x. nodejs-10_x has been removed.

  • The option services.grafana.extraOptions has been removed. For a detailed migration guide, please review the release notes of NixOS 22.11.

  • See the release notes of NixOS 22.11 for more details.

Significant package updates

  • docker-compose: 1.29 -> 2.12

  • git: 2.36 -> 2.38

  • gitlab: 15.4.6 -> 15.8.4

  • glibc: 2.34 -> 2.35

  • haproxy: 2.5 -> 2.6

  • k3s: 1.23 -> 1.25

  • keycloak: 18 -> 20

  • nix: 2.8 -> 2.11

  • openssh: 9.0 -> 9.1

  • postfix: 3.6.6 -> 3.7.3

  • powerdns: 4.6 -> 4.7

  • rabbitmq: 3.9 -> 3.10

  • roundcube: 1.5 -> 1.6

  • systemd: 250 -> 251

  • telegraf: 1.22 -> 1.24

  • varnish: 7.1 -> 7.2

  • zlib: 1.2.12 -> 1.2.13

  • zsh: 5.8 -> 5.9

Changes compared to the pre-production version of 22.11

These are the changes which will be applied to VMs already running fc-22.11-production.

  • Pull upstream NixOS changes, security fixes and package updates (#PL-131338):

    • containerd: 1.6.10 -> 1.6.18

    • curl: fix CVE-2023-23914, CVE-2023-23915, CVE-2023-23916,

    • git: 2.38.3 -> 2.38.4 (CVE-2023-22490, CVE-2023-23946)

    • grafana: 9.3.6 -> 9.4.3

    • haproxy: 2.6.6 -> 2.6.9 (CVE-2023-25725)

    • linux: 5.15.94 -> 5.15.97

    • matrix-synapse: 1.77.0 -> 1.78.0

    • nodejs-14_x: 14.21.1 -> 14.21.3 (CVE-2023-23918, CVE-2023-23920)

    • nodejs-16_x: 16.18.1 -> 16.19.1 (CVE-2023-23918, CVE-2023-23919, CVE-2023-23920)

    • nodejs-18_x: 18.12.1 -> 18.14.1 (CVE-2023-23918, CVE-2023-23919, CVE-2023-23920, CVE-2023-23936, CVE-2023-24807)

    • nodejs-19_x: 19.1.0 -> 19.6.1 (CVE-2023-23918, CVE-2023-23919, CVE-2023-23920)

    • postgresql_11: 11.18 -> 11.19

    • postgresql_12: 12.13 -> 12.14 (CVE-2022-41862)

    • postgresql_13: 13.9 -> 13.10 (CVE-2022-41862)

    • postgresql_14: 14.6 -> 14.7 (CVE-2022-41862)

    • postgresql_15: 15.1 -> 15.2 (CVE-2022-41862)

    • strace: 6.1 -> 6.2

    • strongswan: fix CVE-2023-26463

    • systemd: 251.11 -> 251.12

    • xorg.libX11: 1.8.1 -> 1.8.3

  • statshost-master: also use nginx as user, like the webgateway role does on 22.11 (#PL-131347).

  • Production channel URL for this release: https://hydra.flyingcircus.io/build/237037/download/1/nixexprs.tar.xz