DebOps v0.8.0 Release Notes

Release Date: 2018-08-06

.. _debops v0.8.0: https://github.com/debops/debops/compare/v0.7.2...v0.8.0

    Added

    
    New DebOps roles
    ''''''''''''''''
    
    - The :ref:`debops.netbase` role: manage local host and network database in
      :file:`/etc/hosts` and :file:`/etc/networks` files.
    
    - The :ref:`debops.sudo` role: install and manage :command:`sudo`
      configuration on a host. The role is included in the ``common.yml``
      playbook.
    
    - The :ref:`debops.system_groups` role: configure UNIX system groups used on
      DebOps hosts. The role is included in the ``common.yml`` playbook.
    
    - The :ref:`debops.debops_legacy` role: clean up legacy files, directories,
      APT packages or :command:`dpkg-divert` diversions created by DebOps but no
      longer used. This role needs to be executed manually; it's not included in
      the main playbook.
    
    - The :ref:`debops.python` role: manage Python environment, with support for
      multiple Python versions used at the same time. The role is included in the
      ``common.yml`` playbook.
    
    - Icinga 2 support has been implemented with :ref:`debops.icinga`,
      :ref:`debops.icinga_db` and :ref:`debops.icinga_web` Ansible roles.
    
    General
    '''''''
    
    - The DebOps installation now depends on the `dnspython`__ Python library. This
      allows usage of the ``dig`` Ansible lookup plugin in DebOps roles to gather
      data via DNS SRV records.
    
      .. __: http://www.dnspython.org/
    
    - The DebOps installation now depends on the `future`__ Python library which
      provides compatibility between Python 2.7 and Python 3.x environments. It is
      currently used in the custom Ansible filter plugin provided by DebOps, but
      its use will be extended to other scripts in the future to make the code more
      readable.
    
      .. __: http://python-future.org/
    
    :ref:`debops.dhparam` role
    ''''''''''''''''''''''''''
    
    - The role will set up a :command:`systemd` timer to regenerate Diffie-Hellman
      parameters periodically if it's available. The timer will use random delay
      time, up to 12h, to help with mass DHparam generation in multiple LXC
      containers/VMs.
    
    :ref:`debops.nginx` role
    ''''''''''''''''''''''''
    
    - A ``default`` set of SSL ciphers can be specified using the
      :envvar:`nginx_default_ssl_ciphers` variable. This disables the
      ``ssl_ciphers`` option in the :command:`nginx` configuration and forces the
      server to use the defaults provided by the OS.
    
    :ref:`debops.ntp` role
    ''''''''''''''''''''''
    
    - The OpenNTPD service will now properly integrate the :command:`ifupdown` hook
      script with :command:`systemd`. During boot, the NTP daemon will be started
      once network interfaces are configured and will not restart multiple times
      on each network interface change.
    
    :ref:`debops.resources` role
    ''''''''''''''''''''''''''''
    
    - The role can now generate custom files using templates, based on a directory
      structure. See :ref:`resources__ref_templates` for more details.
    
    :ref:`debops.sudo` role
    '''''''''''''''''''''''
    
    - You can now manage configuration files located in the :file:`/etc/sudoers.d/`
      directory using :ref:`sudo__*_sudoers <sudo__ref_sudoers>` inventory
      variables, with multiple levels of conditional options.
    
    :ref:`debops.users` role
    ''''''''''''''''''''''''
    
    - Selected UNIX accounts can now be configured to linger when not logged in via
      the ``item.linger`` parameter. This allows these accounts to maintain
      long-running services when not logged in via their own private
      :command:`systemd` instances.
    
    Changed
    

    General
    '''''''

    - Some of the existing DebOps Policies and Guidelines have been reorganized
      and the concept of DebOps Enhancement Proposals (DEPs) is introduced,
      inspired by the `Python Enhancement Proposals`__.

      .. __: https://www.python.org/dev/peps/pep-0001/

    - The :command:`debops` script can now parse multiple playbook names
      specified in any order instead of just looking at the first argument
      passed to it.

    :ref:`debops.apt_install` role
    ''''''''''''''''''''''''''''''

    - The :command:`editor` alternative symlink configuration has been moved from
      the ``debops.console`` role to the :ref:`debops.apt_install` role which
      also installs :command:`vim` by default.

    :ref:`debops.apt_mark` role
    '''''''''''''''''''''''''''

    - The configuration of automatic removal of APT packages installed via
      ``Recommends:`` or ``Suggests:`` dependencies has been moved from the
      :ref:`debops.apt` role to the :ref:`debops.apt_mark` role which more
      closely reflects its intended purpose. Variable names and their default
      values changed; see the :ref:`upgrade_notes` for more details.

    :ref:`debops.core` role
    '''''''''''''''''''''''

    - The role will add any new administrator accounts to the list of existing
      admin accounts instead of replacing them in the Ansible local fact script.
      This should allow for multiple administrators to easily coexist and run the
      DebOps playbooks/roles from their own accounts without issues.

    :ref:`debops.gitlab` role
    '''''''''''''''''''''''''

    - Redesign the GitLab version management to read the versions of various
      components from the GitLab repository files instead of managing them
      manually in a YAML dictionary. The new :envvar:`gitlab__release` variable
      is used to specify the desired GitLab version to install/manage.

    - The :command:`gitaly` service will be installed using the ``git`` UNIX
      account instead of ``root``. Existing installations might require
      additional manual cleanup; see the :ref:`upgrade_notes` for details.

    - The role now supports installation of GitLab 10.7.

    - The usage of the :envvar:`gitlab__fqdn` variable is revamped a bit - it's
      now used as the main variable that defines the GitLab installation FQDN.
      You might need to update the Ansible inventory if you changed the value of
      the ``gitlab_domain`` variable used previously for this purpose.

    :ref:`debops.ifupdown` role
    '''''''''''''''''''''''''''

    - The :ref:`debops.kmod` role is added as a dependency. The
      :ref:`debops.ifupdown` role will generate :command:`modprobe` configuration
      based on the type of configured network interfaces (bridges, VLANs,
      bonding) and the kernel modules will be automatically loaded if missing.

    :ref:`debops.lxc` role
    ''''''''''''''''''''''

    - Redesign system-wide LXC configuration to use a list of YAML dictionaries
      merged together instead of custom Jinja templates.

    - Add the :command:`lxc-prepare-ssh` script on the LXC hosts that can be used
      to install OpenSSH and add the user's SSH authorized keys inside of the LXC
      containers. This is a new way to prepare the LXC containers for
      Ansible/DebOps management that doesn't require custom LXC template scripts
      and can be used with different LXC container types.

    :ref:`debops.mariadb_server` role
    '''''''''''''''''''''''''''''''''

    - The MariaDB/MySQL server and :ref:`client <debops.mariadb>` will now use the
      ``utf8mb4`` encoding by default instead of the ``utf8`` which is an
      internal MySQL character encoding. This might impact existing databases;
      see the :ref:`upgrade_notes` for details.

    :ref:`debops.nodejs` role
    '''''''''''''''''''''''''

    - The NPM version installed by the role from GitHub is changed from
      ``v5.4.2`` to ``latest`` which seems to be an equivalent of a stable
      branch.

    - Recent versions of NPM require `NodeJS 6.0.0+`__ and don't work with other
      releases. Because of that the newest NPM release is not installable on
      hosts that use NodeJS packages from older OS releases.

      .. __: https://github.com/npm/npm/issues/20425

      The :ref:`debops.nodejs` role will install NPM ``v5.10.0`` version in this
      case to allow NPM to work correctly - on Debian Jessie, Stretch and Ubuntu
      Xenial. Otherwise, NPM from the ``latest`` branch will be installed, as
      before.

    - Instead of NodeJS 6.x release, the role will now install NodeJS 8.x release
      upstream APT packages by default. This is due to the NodeJS 6.x release
      switching to a `Maintenance LTS mode`__. NodeJS 8.x will be supported as
      a LTS release until April 2019.

      .. __: https://github.com/nodejs/Release

    - The role will install upstream NodeSource APT packages by default. This is
      due to `no security support in Debian Stable`__, therefore the upstream
      packages should be considered more secure. The upstream NodeJS packages
      include a compatible NPM release, therefore it won't be separately
      installed from GitHub.

      .. __: https://www.debian.org/releases/stretch/amd64/release-notes/ch-information.en.html#libv8

      The existing installations shouldn't be affected, since the role will
      select OS/upstream package versions based on existing Ansible local facts.

    :ref:`debops.owncloud` role
    '''''''''''''''''''''''''''

    - Support Nextcloud 13 and partially ownCloud 10. Nextcloud 11 and ownCloud
      9.1 are EOL; you should update. The role can help you with the update to
      ensure that everything works smoothly with the new versions. Currently,
      the role cannot do the update for you.

    :ref:`debops.sshd` role
    '''''''''''''''''''''''

    - The role will now check the :ref:`debops.system_groups` Ansible local facts
      to define what UNIX groups are allowed to connect to the host via the SSH
      service.

    :ref:`debops.unattended_upgrades` role
    ''''''''''''''''''''''''''''''''''''''

    - On hosts without a domain set, the role enabled all upgrades, not just
      security updates. This will not happen anymore; the security updates are
      enabled everywhere by default, and you need to enable all upgrades
      specifically via the :envvar:`unattended_upgrades__release` variable.

    Removed

    
    :ref:`debops.apt_install` role
    ''''''''''''''''''''''''''''''
    
    - Don't install the ``sudo`` package by default; this is now done via
      a separate :ref:`debops.sudo` role to easily support switching to the
      ``sudo-ldap`` APT package.
    
    :ref:`debops.auth` role
    '''''''''''''''''''''''
    
    - Remove configuration of UNIX system groups and accounts in the ``admins``
      UNIX group. This is now done by the :ref:`debops.system_groups` Ansible role.
    
    ``debops.console`` role
    '''''''''''''''''''''''
    
    - Remove support for copying custom files from the role. This functionality is
      covered better by the :ref:`debops.resources` role.
    
    - Remove support for managing entries in the :file:`/etc/hosts` database. This
      is now covered by the :ref:`debops.netbase` Ansible role.
    
    ``debops.bootstrap`` role
    '''''''''''''''''''''''''
    
    - The :command:`sudo` configuration has been removed from the
      ``debops.bootstrap`` role. The ``bootstrap.yml`` playbook now includes the
      :ref:`debops.sudo` role which configures the :command:`sudo` service.
    
    - The UNIX system group management has been removed from the role, the
      ``bootstrap.yml`` playbook now uses the :ref:`debops.system_groups` role to
      create the UNIX groups used by DebOps during bootstrapping.
    
    - Remove management of Python packages from the role. The ``bootstrap.yml``
      playbook uses the :ref:`debops.python` role to configure Python support on
      the host.
    
    :ref:`debops.lxc` role
    ''''''''''''''''''''''
    
    - Remove support for direct LXC container management from the role. This
      functionality is better suited for other tools like the :command:`lxc-*`
      set of commands, or the Ansible ``lxc_container`` module which should be
      used in custom playbooks. The focus of the ``debops.lxc`` role should be
      configuration of LXC support on a host.
    
    - Remove custom LXC template support. The LXC containers can be created by the
      normal templates provided by the ``lxc`` package, and then configured using
      DebOps roles as usual.
    
    :ref:`debops.postgresql_server` role
    ''''''''''''''''''''''''''''''''''''
    
    - The tasks that modified the default ``template1`` database and its schema
      have been removed to make the PostgreSQL installation more compatible with
      applications packaged in Debian that rely on the PostgreSQL service. See the
      relevant commit for more details. Existing installations shouldn't be
      affected.