nixpkgs/nixos/doc/manual/development/activation-script.section.md
Lin Jian 759ec1113d
nixos/network-interfaces: stop wrapping ping with cap_net_raw
From systemd 243 release note[1]:

This release enables unprivileged programs (i.e. requiring neither
setuid nor file capabilities) to send ICMP Echo (i.e. ping) requests
by turning on the "net.ipv4.ping_group_range" sysctl of the Linux
kernel for the whole UNIX group range, i.e. all processes.

So this wrapper is not needed any more.

See also [2] and [3].

This patch also removes:
- apparmor profiles in NixOS for ping itself and the wrapped one
- other references for the wrapped ping

[1]: 8e2d9d40b3/NEWS (L6457-L6464)
[2]: https://github.com/systemd/systemd/pull/13141
[3]: https://fedoraproject.org/wiki/Changes/EnableSysctlPingGroupRange
2023-09-21 16:52:16 +08:00

3.7 KiB

Activation script

The activation script is a bash script called to activate the new configuration which resides in a NixOS system in $out/activate. Since its contents depend on your system configuration, the contents may differ. This chapter explains how the script works in general and some common NixOS snippets. Please be aware that the script is executed on every boot and system switch, so tasks that can be performed in other places should be performed there (for example letting a directory of a service be created by systemd using mechanisms like StateDirectory, CacheDirectory, ... or if that's not possible using preStart of the service).

Activation scripts are defined as snippets using . They can either be a simple multiline string or an attribute set that can depend on other snippets. The builder for the activation script will take these dependencies into account and order the snippets accordingly. As a simple example:

system.activationScripts.my-activation-script = {
  deps = [ "etc" ];
  # supportsDryActivation = true;
  text = ''
    echo "Hallo i bims"
  '';
};

This example creates an activation script snippet that is run after the etc snippet. The special variable supportsDryActivation can be set so the snippet is also run when nixos-rebuild dry-activate is run. To differentiate between real and dry activation, the $NIXOS_ACTION environment variable can be read which is set to dry-activate when a dry activation is done.

An activation script can write to special files instructing switch-to-configuration to restart/reload units. The script will take these requests into account and will incorporate the unit configuration as described above. This means that the activation script will "fake" a modified unit file and switch-to-configuration will act accordingly. By doing so, configuration like systemd.services.<name>.restartIfChanged is respected. Since the activation script is run after services are already stopped, systemd.services.<name>.stopIfChanged cannot be taken into account anymore and the unit is always restarted instead of being stopped and started afterwards.

The files that can be written to are /run/nixos/activation-restart-list and /run/nixos/activation-reload-list with their respective counterparts for dry activation being /run/nixos/dry-activation-restart-list and /run/nixos/dry-activation-reload-list. Those files can contain newline-separated lists of unit names where duplicates are being ignored. These files are not create automatically and activation scripts must take the possibility into account that they have to create them first.

NixOS snippets

There are some snippets NixOS enables by default because disabling them would most likely break your system. This section lists a few of them and what they do:

  • binsh creates /bin/sh which points to the runtime shell
  • etc sets up the contents of /etc, this includes systemd units and excludes /etc/passwd, /etc/group, and /etc/shadow (which are managed by the users snippet)
  • hostname sets the system's hostname in the kernel (not in /etc)
  • modprobe sets the path to the modprobe binary for module auto-loading
  • nix prepares the nix store and adds a default initial channel
  • specialfs is responsible for mounting filesystems like /proc and sys
  • users creates and removes users and groups by managing /etc/passwd, /etc/group and /etc/shadow. This also creates home directories
  • usrbinenv creates /usr/bin/env
  • var creates some directories in /var that are not service-specific
  • wrappers creates setuid wrappers like sudo