NixOS 23.05 released, GNU/Linux distribution
NixOS is a GNU/Linux distribution that aims to improve the state of the art in system configuration management. In existing distributions, actions such as upgrades are dangerous: upgrading a package can cause other packages to break, upgrading an entire system is much less reliable than reinstalling from scratch, you can’t safely test what the results of a configuration change will be, you cannot easily undo changes to the system, and so on. NixOS has many innovative features:
- Declarative system configuration model In NixOS, the entire operating system — the kernel, applications, system packages, configuration files, and so on — is built by the Nix package manager from a description in a purely functional build language. The fact that it’s purely functional essentially means that building a new configuration cannot overwrite previous configurations. Most of the other features follow from this.You configure a NixOS system by writing a specification of the functionality that you want on your machine in /etc/nixos/configuration.nix.
-
Reliable upgrades
Another advantage of purely functional package management is that nixos-rebuild switch will always produce the same result, regardless of what packages or configuration files you already had on your system. Thus, upgrading a system is as reliable as reinstalling from scratch.
-
Atomic upgrades
NixOS has a transactional approach to configuration management: configuration changes such as upgrades are atomic. This means that if the upgrade to a new configuration is interrupted — say, the power fails half-way through — the system will still be in a consistent state: it will either boot in the old or the new configuration. In most other systems, you’ll end up in an inconsistent state, and your machine may not even boot anymore.
-
Rollbacks
Because the files of a new configuration don’t overwrite old ones, you can (atomically) roll back to a previous configuration. For instance, if after a nixos-rebuild switch you discover that you don’t like the new configuration, you can just go back: $ nixos-rebuild switch –rollback
-
Reproducible system configurations
NixOS’s declarative configuration model makes it easy to reproduce a system configuration on another machine (for instance, to test a change in a test environment before doing it on the production server). You just copy the configuration.nix file to the target NixOS machine and run nixos-rebuild switch. This will give you the same configuration (kernel, applications, system services, and so on) except for ‘mutable state’ (such as the stuff that lives in /var).
- Safe to test changes NixOS makes it safe to test potentially dangerous changes to the system because you can always roll back. (Unless you screw up the bootloader, that is…) For instance, whether the change is as simple as enabling a system service, or as large as rebuilding the entire system with a new version of Glibc, you can test it by doing: $ nixos-rebuild test
- Source-based model, with binaries. The Nix build language used by NixOS specifies how to build packages from source. This makes it easy to adapt the system — just edit any of the ‘Nix expressions’ for NixOS or Nixpkgs in/etc/nixos, and run nixos-rebuild. However, building from source is also slow. Therefore Nix automatically downloads pre-built binaries from nixos.org if they are available. This gives the flexibility of a source-based package management model with the efficiency of a binary model.
- Consistency The Nix package manager ensures that the running system is ‘consistent’ with the logical specification of the system, meaning that it will rebuild all packages that need to be rebuilt. For instance, if you change the kernel, Nix will ensure that external kernel modules such as the NVIDIA driver will be rebuilt as well — so you never run into an X server that mysteriously fails to start after a kernel security upgrade. And if you update the OpenSSL library, Nix ensures that all packages in the system use the new version, even packages that statically link against OpenSSL.
- Multi-user package management On NixOS, you do not need to be root to install the software. In addition to the system-wide ‘profile’ (set of installed packages), all users have their own profile in which they can install packages. Nix allows multiple versions of a package to coexist, so different users can have different versions of the same package installed in their respective profiles. If two users install the same version of a package, only one copy will be built or downloaded, and Nix’s security model ensures that this is secure. Users cannot install setuid binaries.
NixOS 23.05 released.
Changelog
-
- In addition to numerous new and updated packages, this release has the following highlights:
- The default Nix version was updated from 2.11 to 2.13. In particular, this includes a small language alteration in the way floats are represented in
builtins.toJSON. See the release notes for 2.13 and 2.14 for more information. - The default Linux Kernel was updated from version 5.15 to 6.1, see Kernelnewbies for what has changed. All currently shown Kernels shown on kernel.org are available.
- systemd has been updated from v252 to v253, see the release notes for more information on the changes.
- Updating with
nixos-rebuild bootand rebooting is recommended, since in some rare cases thenixos-rebuild switchinto the new generation on a live system might fail due to missing mount units.
- Updating with
- glibc has been updated from version 2.35 to 2.37, see the release notes for what was changed.
- libxcrypt, the library providing the
crypt(3)password hashing function, is now built without support for algorithms not flaggedstrong. This affects the availability of password hashing algorithms used for system login (login(1),passwd(1)), but also Apache2 Basic-Auth, Samba, OpenLDAP, Dovecot, and many other packages. - NixOS now defaults to using nsncd, a non-caching reimplementation of nscd in Rust, as its NSS lookup dispatcher. This replaces the buggy and deprecated nscd implementation provided through glibc. When you find problems, you can switch back by disabling it:
services.nscd.enableNsncd = false; - The internal option
boot.bootspec.enableis now enabled by default because RFC 0125 was merged. This means you will have a bootspec document calledboot.jsongenerated for each system and specialisation in the top-level. This is useful to enable advanced boot use cases in NixOS, such as Secure Boot. - Two changes to
nixos-rebuildare important to highlight as well.- Support for an extra
--specialisationoption was added that can be used to change specialisation forswitchandtestcommands. - The
--target-hostand--build-hostoptions no longer treat thelocalhostvalue specially – to build on resp. deploy to a local machine, omit the relevant flag.
- Support for an extra
- Python implements PEP 668, providing better feedback to users that try to run
pip installfor system-wide or user home installations. - Cinnamon has been updated to version 5.6, see the pull request for what was changed.
- GNOME has been updated to version 44, see the the release notes for details.
- KDE Plasma has been updated to version 5.27, see the release notes for what was changed.
- The default Nix version was updated from 2.11 to 2.13. In particular, this includes a small language alteration in the way floats are represented in
- In addition to numerous new and updated packages, this release has the following highlights:
- More…
Support Our Threat Intelligence
If you find our technology report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
