Release 2023_005 (2023-03-15)¶
[NixOS 22.11] Gitlab will restart. Most services will restart because of a core dependency change. Machines will schedule a reboot to activate the changed kernel.
NixOS 22.11 platform¶
This is the first production release of the 22.11 platform. The default for new production VMs is still 22.05 which will be changed in the next weeks.
We rolled out the upgrade to most of the customer staging systems on Tuesday, 2023-03-07.
Some production systems are already using 22.11, for example Gitlab instances. They will be updated with this release.
Significant breaking changes¶
nginx: now uses the nginx user to run the master process. This may cause problems when certificates are read from arbitrary directories, for example deployments. Normally, the built-in support for Letsencrypt should be used instead to avoid permission problems and make sure that certificates are rotated automatically. If using external certificates cannot be avoided, make sure that permissions allow read access for the nginx user, for example by applying
setfacl -Rm u:nginx:rXto the certificate directory. It’s also possible to keep the old behavior by adding
services.nginx.masterUser = "root";as Custom NixOS-native configuration.
logrotate.extraConfighave been removed. Please convert any uses to
services.logrotate.settingsinstead before upgrading.
kibanaroles have been removed. Machines that use kibana should stay on 22.05 for now and move to OpenSearch/OpenSearch Dashboards later.
loghostroles have been removed. Machines that use these roles should stay on 22.05. We are working on a new logging stack on 22.11+ which is planned to be based on Grafana Loki.
Other notable changes¶
PHP is now built in NTS (Non-Thread Safe) mode by default. For Apache and mod_php usage, we enable ZTS (Zend Thread Safe) mode. This has been a common practice for a long time in other distributions.
postgresql15role is now available.
openssh was updated to version 9.1, disabling the generation of DSA keys when using
ssh-keygen -Aas they are insecure. Also,
sshd_configare now first-match-wins.
Python now defaults to 3.10, updated from 3.9. Python 3.11 is now stable.
PHP now defaults to PHP 8.1, updated from 8.0.
OpenSSL now defaults to OpenSSL 3, updated from 1.1.1.
nodePackagespackage set now defaults to the LTS release in the
nodejspackage again, instead of being pinned to
nodejs-10_xhas been removed.
services.grafana.extraOptionshas been removed. For a detailed migration guide, please review the release notes of NixOS 22.11.
See the release notes of NixOS 22.11 for more details.
Significant package updates¶
docker-compose: 1.29 -> 2.12
git: 2.36 -> 2.38
gitlab: 15.4.6 -> 15.8.4
glibc: 2.34 -> 2.35
haproxy: 2.5 -> 2.6
k3s: 1.23 -> 1.25
keycloak: 18 -> 20
nix: 2.8 -> 2.11
openssh: 9.0 -> 9.1
postfix: 3.6.6 -> 3.7.3
powerdns: 4.6 -> 4.7
rabbitmq: 3.9 -> 3.10
roundcube: 1.5 -> 1.6
systemd: 250 -> 251
telegraf: 1.22 -> 1.24
varnish: 7.1 -> 7.2
zlib: 1.2.12 -> 1.2.13
zsh: 5.8 -> 5.9
Changes compared to the pre-production version of 22.11¶
These are the changes which will be applied to VMs already running fc-22.11-production.
Pull upstream NixOS changes, security fixes and package updates (#PL-131338):
containerd: 1.6.10 -> 1.6.18
curl: fix CVE-2023-23914, CVE-2023-23915, CVE-2023-23916,
git: 2.38.3 -> 2.38.4 (CVE-2023-22490, CVE-2023-23946)
grafana: 9.3.6 -> 9.4.3
haproxy: 2.6.6 -> 2.6.9 (CVE-2023-25725)
linux: 5.15.94 -> 5.15.97
matrix-synapse: 1.77.0 -> 1.78.0
nodejs-14_x: 14.21.1 -> 14.21.3 (CVE-2023-23918, CVE-2023-23920)
nodejs-16_x: 16.18.1 -> 16.19.1 (CVE-2023-23918, CVE-2023-23919, CVE-2023-23920)
nodejs-18_x: 18.12.1 -> 18.14.1 (CVE-2023-23918, CVE-2023-23919, CVE-2023-23920, CVE-2023-23936, CVE-2023-24807)
nodejs-19_x: 19.1.0 -> 19.6.1 (CVE-2023-23918, CVE-2023-23919, CVE-2023-23920)
postgresql_11: 11.18 -> 11.19
postgresql_12: 12.13 -> 12.14 (CVE-2022-41862)
postgresql_13: 13.9 -> 13.10 (CVE-2022-41862)
postgresql_14: 14.6 -> 14.7 (CVE-2022-41862)
postgresql_15: 15.1 -> 15.2 (CVE-2022-41862)
strace: 6.1 -> 6.2
strongswan: fix CVE-2023-26463
systemd: 251.11 -> 251.12
xorg.libX11: 1.8.1 -> 1.8.3
statshost-master: also use nginx as user, like the webgateway role does on 22.11 (#PL-131347).
Production channel URL for this release: https://hydra.flyingcircus.io/build/237037/download/1/nixexprs.tar.xz