Release 2025_030 (2025-08-25)

Impact

25.05

• Machines will reboot to activate the updated kernel.

NixOS 25.05 platform

• Added a patch to libmodsecurity to fix a problem that caused nginx installations with modsecurity to segfault on reloads (PL-133894)

• Switch Ceph monitor connection config to IP addresses. (PL-133752)

  After a refactoring of our Ceph client library bindings, switching from C-based bindings to CLI calls we are now more prone to any DNS issues causing problems when instrumenting live migrations. We now connect to mons directly using their IP addresses which takes DNS out of the loop as a potential failure point.

• Kubernetes events are now shipped to both our custom monitoring platform as well as RG-specific loki instances to be used in grafana dashboards etc. (PL-133636)

• nginx: re-enable proxy buffering, but only in memory. (FC-47149)

• Pull upstream NixOS changes, security fixes, and package updates:

  • apacheHttpd: 2.4.62 -> 2.4.65

  • chromedriver: 139.0.7258.66 -> 139.0.7258.127

  • chromium: 139.0.7258.66 -> 139.0.7258.127

  • element-web: 1.11.108 -> 1.11.109

  • gitaly: 18.2.1 -> 18.2.2

  • gitlab: 18.2.1 -> 18.2.2

  • gitlab-container-registry: 4.25.0 -> 4.26.0

  • gitlab-ee: 18.2.1 -> 18.2.2

  • gitlab-pages: 18.2.1 -> 18.2.2

  • gitlab-workhorse: 18.2.1 -> 18.2.2

  • imagemagick: 7.1.1-47 -> 7.1.2-0

  • linuxKernelStable: 6.12.41 -> 6.12.42

  • linuxKernelVerify: 6.12.41 -> 6.12.42

  • matrix-synapse: 1.135.0 -> 1.136.0

  • nginxMainline: 1.27.5 -> 1.29.1

  • postgresql: 17.5 -> 17.6

  • postgresql_13: 13.21 -> 13.22

  • postgresql_14: 14.18 -> 14.19

  • postgresql_15: 15.13 -> 15.14

  • postgresql_16: 16.9 -> 16.10

  • postgresql_17: 17.5 -> 17.6

  • tomcat10: 10.1.43 -> 10.1.44

  • tomcat9: 9.0.107 -> 9.0.108

  • varnish: 7.7.1 -> 7.7.2

Detailed Changes

• NixOS 25.05: platform code, nixpkgs/upstream changes, metadata, channel url