Upstream changed the default bundled load balancer starting in RKE2 v1.36. This adapts the auto
deploy test accordingly.
From the RKE2 release notes:
Because ingress-nginx was retired upstream as of March 2026, Traefik is now the default for new
clusters starting in v1.36 (existing clusters will keep their current ingress upon upgrade to avoid
breakage). This transition brings the following structural changes:
- Airgapped Environments: The rke2-images-core tarball now contains Traefik images instead of
ingress-nginx. The standalone rke2-images-traefik tarball has been removed. Users who must continue
using ingress-nginx will now need to manually provide the rke2-images-ingress-nginx tarball.
- Future Removal: The ingress-nginx chart will not receive any additional updates and will be
completely removed in v1.37 for community users.
- Prime Customers: Please refer to the official product documentation for specific Prime
considerations.
After a2e55e31d6, `boot.zfs.forceImportRoot` defaults to false.
This leads to the ZFS installer tests failing as they have different
hostids in install and boot and the filesystem doesn't get exported
properly.
This change sets the hostid, so that an import without --force works.
The check phase for the config file has to replace any instances of
user and group with the current ones, since logrotate checks whether
they actually exist. However, the create/createolddir substitution
expressions didn't take all different parameter formats into
account. Mainly, if the mode was specified, but not user and group,
the result would be something like
    create 0644nixbld nixbld
since it relies on matching a space at the end of the mode
specification.
To fix this, always append a space before the substituted user and
group.
Also, simplify the formatting by using extended regex and check for
word boundaries after create/createolddir to exclude any incorrect or
unsupported suffixes.
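The failure mode and the fix described in the commit message above, as an added Python illustration (not the sed expressions from the commit). The directive shapes handled, the `NAIVE` pattern constructed to reproduce the `0644nixbld` symptom, the treatment of a bare `create`, and the function names are all assumptions made for this example.

```python
import re

# Constructed "before": the user/group is glued onto whatever precedes it, so
# the output is only well-formed when the mode happens to be followed by a space.
NAIVE = re.compile(r"^([ \t]*create(?:olddir)?[ \t]+[0-7]* ?).*$", re.MULTILINE)

# "After": the word boundary rejects suffixes such as "created"; mode and
# owner/group are each optional, and the separating space is always emitted.
FIXED = re.compile(
    r"^([ \t]*(?:create|createolddir)\b)"  # directive name
    r"(?:[ \t]+([0-7]{3,4}))?"             # optional octal mode
    r"(?:[ \t]+\S+[ \t]+\S+)?"             # optional owner and group
    r"[ \t]*$",
    re.MULTILINE,
)


def rewrite_naive(config: str, user: str, group: str) -> str:
    return NAIVE.sub(lambda m: f"{m.group(1)}{user} {group}", config)


def rewrite_fixed(config: str, user: str, group: str) -> str:
    def repl(m: re.Match) -> str:
        mode = f" {m.group(2)}" if m.group(2) else ""
        # Assumption: a bare "create" also receives the current user and group.
        return f"{m.group(1)}{mode} {user} {group}"

    return FIXED.sub(repl, config)


# Constructed sample covering the parameter formats named above.
SAMPLE = """\
/var/log/demo.log {
    create 0644
    createolddir 0755 root adm
}
/var/log/other.log {
    create www-data www-data
}
"""

if __name__ == "__main__":
    print(rewrite_naive(SAMPLE, "nixbld", "nixbld"))
    print(rewrite_fixed(SAMPLE, "nixbld", "nixbld"))
```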
Fixes odd bullet points and bare URLs that are prohibited by most
Markdown linters and specs.
Signed-off-by: NotAShelf <raf@notashelf.dev>
Change-Id: Iae14dce3d158ac11c59d9117694ccde46a6a6964
After d95261b435, the following flake.nix fails:
```nix
{
  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
  outputs = { nixpkgs, ... }: {
    nixosConfigurations.demo = nixpkgs.lib.nixosSystem {
      system = "x86_64-linux";
      modules = [
        ({ lib, ... }: {
          boot.loader.grub.enable = false;
          fileSystems."/" = { device = "none"; fsType = "tmpfs"; };
          nixpkgs.config.packageOverrides =
            lib.mkIf false (_: { });
        })
      ];
    };
  };
}
```
This is the error:
```
$ nix build /tmp/tmp.vWEVitTgK9/#nixosConfigurations.demo.config.system.build.toplevel
evaluation warning: system.stateVersion is not set, defaulting to 26.05. Read why this matters on https://nixos.org/manual/nixos/stable/options.html#opt-system.stateVersion.
error:
… while calling the 'derivationStrict' builtin
at <nix/derivation-internal.nix>:37:12:
36|
37| strict = derivationStrict drvAttrs;
| ^
38|
… while evaluating derivation 'nixos-system-nixos-26.05.20260409.4c1018d'
whose name attribute is located at /nix/store/anvdcc2arw7kqrvwnidvhw6ypkkvws68-source/pkgs/stdenv/generic/make-derivation.nix:541:11
… while evaluating attribute 'buildCommand' of derivation 'nixos-system-nixos-26.05.20260409.4c1018d'
at /nix/store/anvdcc2arw7kqrvwnidvhw6ypkkvws68-source/nixos/modules/system/activation/top-level.nix:64:7:
63| passAsFile = [ "extraDependencies" ];
64| buildCommand = systemBuilder;
| ^
65|
… while evaluating the option `environment.etc.dbus-1.source':
… while evaluating the default value of option `pythonTestDriverPackage`
… while evaluating the module argument `hostPkgs' in "/nix/store/anvdcc2arw7kqrvwnidvhw6ypkkvws68-source/nixos/lib/testing/driver.nix":
… noting that argument `hostPkgs` is not externally provided, so querying `_module.args` instead, requiring `config`
… while evaluating the option `hostPkgs':
(stack trace truncated; use '--show-trace' to show the full, detailed trace)
error: The option `hostPkgs' was accessed but has no value defined. Try setting the option.
```
Setting a `defaultText` fixes the issue.
I've also added a regression test under `nixos/tests/nixos-test-driver/` and
fixed a typo in the option description ("implemetnation").
Locally this just prefixes activation commands with `run0 --`, so the
user's normal polkit agent (graphical or pkttyagent) handles auth.
For --target-host, run0 would need a controlling terminal, which we
deliberately do not allocate over SSH. Instead the equivalent
`systemd-run --uid=0 --pipe --wait ...` form is used. Without
--ask-elevate-password this relies on a polkit rule on the target
granting the deploying user `org.freedesktop.systemd1.manage-units`.
With --ask-elevate-password the command is wrapped in
polkit-stdin-agent, which registers a per-process polkit agent for the
child and answers the PAM conversation from stdin.
A transient unit does not inherit the SSH login environment. On NixOS
the unit's PATH is just the systemd store path, so neither `env` nor
`nix-env` would be found inside it. Elevator.wrap_remote() therefore
now takes the env mapping and the command, and returns the full remote
argv: sudo keeps the existing `/bin/sh -c 'exec /usr/bin/env -i ...'`
wrapper inside itself, while run0 puts the shell wrapper *around*
systemd-run and forwards the resolved values into the unit via
--setenv. The Arg/Args/EnvValue/PRESERVE_ENV types and the env-shell
helper move from process.py into elevate.py to avoid a circular import,
and callers are updated to import them from there.
polkit-stdin-agent is resolved on the machine doing the elevation
rather than baked in as a host-arch store path, which would be wrong
for --no-reexec, cross-arch deploys (re-exec hits ENOEXEC and falls
back), --rollback/--store-path, and Darwin deployers. Locally that is
PATH. Remotely, Elevator.for_target_config() binds the elevator to the
toplevel just placed on the target, and a small /bin/sh picker tries
<toplevel>/sw/bin/polkit-stdin-agent (target-arch, in the copied
closure) then PATH, exiting with an actionable error pointing at
system.tools.nixos-rebuild.enableRun0Elevation when neither resolves.
That option (added here) puts the agent in environment.systemPackages
and asserts security.polkit.enable.
A nixos-rebuild-target-host subtest exercises the full remote run0
path (polkit-stdin-agent + systemd-run + activation) end-to-end.
Drop the now-unused stdenv argument from package.nix while here.
Closes #507054.
TL;DR add `assert` to correct location for type-narrowing
typeshed recently updated their definition of `select` in bcb6399e15.
The result is that the members of the lists passed to `select` now
require an upper bound of `FileDescriptorLike`.
The `self.shell` variable is typed as `socket | None`, but previously
passed checking against typeshed due to the missing upper-bound.
Despite the source code including a type-narrowing `assert`, `ty` does
not make use of it within the inner function that `select` is used in,
meaning `self.shell` wasn't narrowed at the appropriate place.
Now that typeshed has added this upper-bound, type-checking starts to fail, as evidenced in
https://github.com/NixOS/nixpkgs/pull/523288#issuecomment-4529738483.
So the correct fix is just to add the `assert` into the inner function.
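The narrowing pattern described in the commit message above, as an added example that is not the test driver's own code. The `Machine` class, the `shell_readable` method and `demo` are hypothetical names; only the `socket | None` attribute, the inner function and the use of `select` come from the message.

```python
from __future__ import annotations

import select
import socket


class Machine:
    """Constructed stand-in for an object holding an optional shell socket."""

    def __init__(self) -> None:
        self.shell: socket.socket | None = None

    def shell_readable(self, timeout: float) -> bool:
        # Narrows self.shell for this scope only; per the message above, the
        # checker does not apply it inside the nested function.
        assert self.shell is not None

        def poll() -> bool:
            # Repeating the assert where select() is called narrows
            # `socket | None` to `socket`, satisfying the FileDescriptorLike
            # bound at the call site.
            assert self.shell is not None
            readable, _, _ = select.select([self.shell], [], [], timeout)
            return bool(readable)

        return poll()


def demo() -> tuple[bool, bool, bool]:
    """Return (readable when idle, readable after data, unset shell rejected)."""
    ours, peer = socket.socketpair()
    try:
        machine = Machine()
        machine.shell = ours
        idle = machine.shell_readable(0.05)
        peer.sendall(b"x")
        ready = machine.shell_readable(0.05)
    finally:
        ours.close()
        peer.close()
    try:
        Machine().shell_readable(0.0)
        rejected = False
    except AssertionError:
        rejected = True
    return idle, ready, rejected


if __name__ == "__main__":
    print(demo())
```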