Release 2024_031 (2024-11-11)

Impact

24.05

• NFS clients will be rebooted to activate the new configuration. This happens as a side effect of a kernel update. In the future changes to NFS client settings will cause explicit reboot requests.

• Activate DDoS SSH rules in fail2ban for non-production machines

• Machines will schedule a maintenance reboot to activate the new kernel.

NixOS 24.05 platform

• Make NFS clients more resilient against missing servers during bootstrap, upgrades, and reboot scenarios. (PL-133062)

• Activate DDoS SSH rules in fail2ban for non-production machines. (PL-132477) This may have impact if you have multiple unauthenticated SSH connections in a short time. We will roll out this change to production VMs too if no problems occur.

• Explain how to use the the new release metadata URLs in DevHosts. (FC-41601)

• varnish: Fix syntax error handling during hot reloads. We silently did not fail on errors which masked issues until the next reboot causing varnish to then fail e.g. during scheduled maintenance. We now fail more visibly but keep running the old config, still. (FC-41403)

• Pull upstream NixOS changes, security fixes and package updates:

  • chromium: 129.0.6668.100 -> 130.0.6723.69 (CVE-2024-10229, CVE-2024-10230, CVE-2024-10231)

  • discourse: 3.2.5 -> 3.3.2

  • docker: 27.3.0 -> 27.3.1

  • element-web: 1.11.81 -> 1.11.82

  • firefox: 131.0.3 -> 132.0

  • github-runner: 2.319.1 -> 2.320.0

  • gitlab: 17.2.8 -> 17.3.6

  • grafana: 10.4.10 -> 10.4.11

  • linux: 5.15.164 -> 5.15.169

  • nss_latest: 3.105 -> 3.106

  • unifi8: 8.4.62 -> 8.5.6

• Production channel URL for this release: https://hydra.flyingcircus.io/build/1168991/download/1/nixexprs.tar.xz

NixOS 21.05 platform

Note

This is an internal release not available to customer VMs. As this release powers the Flyingcircus Infrastructure, changes resulting in customer-facing behaviour are included here nonetheless.

• Implement automatic (offline) migration of VM disks between different pools (SSD <-> HDD). (PL-131857)

• Switch our central DNS recursive resolvers to prefer the default Quad9 servers to alleviate reliability issues. We used to prefer the Quad9 servers with improved geolocation capabilities, but experienced subtle DNS issues while using them and were advised by Quad9 to switch to the default servers. (PL-133125)

• Improve central DNS recursive resolver debugging capabilities. (PL-133125)

Detailed Changes

• NixOS 24.05: platform code, nixpkgs/upstream changes

• NixOS 21.05 (internal): platform code,