DebOps v0.8.1 Release Notes

Release Date: 2019-02-02

.. _debops v0.8.1: https://github.com/debops/debops/compare/v0.8.0...v0.8.1

    Added

    New DebOps roles
    ''''''''''''''''
    
    - The :ref:`debops.redis_server` and :ref:`debops.redis_sentinel` roles, which
      replace the existing ``debops.redis`` Ansible role. The new roles support
      multiple Redis and Sentinel instances on a single host.
    
    - The :ref:`debops.freeradius` role can be used to manage the FreeRADIUS
      service, used in network management.
    
    - The :ref:`debops.dhcp_probe` role can be used to install and configure the
      :command:`dhcp_probe` service, which passively detects rogue DHCP servers.
    
    - The :ref:`debops.mount` role allows configuration of :file:`/etc/fstab`
      entries for local devices, bind mounts and can be used to create or modify
      directories, to permit access to resources by different applications. The
      role is included by default in the ``common.yml`` playbook.
    
    Continuous Integration
    ''''''''''''''''''''''
    
    - Ansible roles included in DebOps are now checked using the `ansible-lint`__
      tool. All existing issues found by the script have been fixed.
    
      .. __: https://docs.ansible.com/ansible-lint/
    
    - The hosts managed by the DebOps Vagrant environment will now use Avahi to
      detect multiple cluster nodes and generate host records in the
      :file:`/etc/hosts` database on these nodes. This allows usage of real DNS
      FQDNs and hostnames in the test environment without reliance on external
      DHCP/DNS services.
    
    General
    '''''''
    
    - DebOps roles are now tagged with ``skip::<role_name>`` Ansible tags. You can
      use these tags to skip roles without any side-effects; for example
      "<role_name>/env" sub-roles will still run so that roles that depend on them
      will work as expected.
    
    - You can use the :command:`make versions` command in the root of the DebOps
      monorepo to check currently "pinned" and upstream versions of third-party
      software installed and managed by DebOps, usually via :command:`git`
      repositories. This requires the :command:`uscan` command from the Debian
      ``devscripts`` APT package to be present.
    
    :ref:`debops.ifupdown` role
    '''''''''''''''''''''''''''
    
    - The role will now generate configuration for the :ref:`debops.sysctl` role
      and use it in the playbook as a dependency, to configure kernel parameters
      related to packet forwarding on managed network interfaces. This
      functionality replaces centralized configuration of packet forwarding on all
      network interfaces done by the :ref:`debops.ferm` role.
    
    :ref:`debops.lxc` role
    ''''''''''''''''''''''
    
    - New :command:`lxc-hwaddr-static` script can be used to easily generate random
      but predictable MAC addresses for LXC containers.
    
      The script can be run manually or executed as a "pre-start" LXC hook to
      configure static MAC addresses automatically - this usage is enabled by
      default via common LXC container configuration.
    
    - The `lxc_ssh.py <https://github.com/andreasscherbaum/ansible-lxc-ssh>`__
      Ansible connection plugin is now included by default in DebOps. This
      connection plugin can be used to manage remote LXC containers with Ansible
      via SSH and the :command:`lxc-attach` command. This requires connection to
      the LXC host and the LXC container via the ``root`` account directly, which
      is supported by the DebOps playbooks and roles.
    
    - The role can now manage LXC containers, again. This time the functionality is
      implemented using the ``lxc_container`` Ansible module instead of a series of
      shell tasks. By default unprivileged LXC containers will be created, but
      users can change all parameters supported by the module.
    
    - The role will now configure a ``lxcbr0`` bridge with internal DNS/DHCP server
      for LXC containers, using the ``lxc-net`` service. With this change, use of
      the :ref:`debops.ifupdown` role to prepare a default bridge for LXC
      containers is not required anymore.
    
    :ref:`debops.netbase` role
    ''''''''''''''''''''''''''
    
    - When a large number of hosts is defined for the :file:`/etc/hosts` database,
      the role will switch to generating the file using the ``template`` Ansible
      module instead of managing individual lines using the ``lineinfile`` module,
      to make the operation faster. As a result, custom modifications done by other
      tools in the host database will not be preserved.
    
    - The role can now configure the hostname in the :file:`/etc/hostname` file, as
      well as the local domain configuration in :file:`/etc/hosts` database.
    
    :ref:`debops.php` role
    ''''''''''''''''''''''
    
    - The role will install the ``composer`` APT package on Debian Stretch, Ubuntu
      Xenial and their respective newer OS releases.
    
    :ref:`debops.root_account` role
    '''''''''''''''''''''''''''''''
    
    - The role will reserve a set of UID/GID ranges for subordinate UIDs/GIDs owned
      by the ``root`` account (they are not reserved by default). This can be used
      to create unprivileged LXC containers owned by ``root``. See the release
      notes for potential issues on existing systems.
    
    - You can now configure the state and contents of the
      :file:`/root/.ssh/authorized_keys` file using the :ref:`debops.root_account`
      role, with support for global, per inventory group and per host SSH keys.
    
    :ref:`debops.users` role
    ''''''''''''''''''''''''
    
    - The role can now configure ACL entries of the user home directories using the
      ``item.home_acl`` parameter. This can be used for more elaborate access
      restrictions.
    
    Changed
    

    Continuous Integration
    ''''''''''''''''''''''

    - The test suite will now check POSIX shell scripts along with Bash scripts
      for any issues via the :command:`shellcheck` linter. Outstanding issues
      found in existing scripts have been fixed.

    General
    '''''''

    - The :ref:`debops.root_account` role will be executed earlier in the
      ``common.yml`` Ansible playbook to ensure that the ``root`` UID/GID ranges
      are reserved without issues on the initial host configuration.

    - Various filter and lookup Ansible plugins have been migrated from the
      playbook directory to the :ref:`debops.ansible_plugins` role. This role can
      be used as a hard dependency in other Ansible roles that rely on these
      plugins.

    - The order of the roles in the common playbook has been changed; the
      :ref:`debops.users` role will be applied before the
      :ref:`debops.resources` role to allow for resources owned by UNIX
      accounts/groups other than ``root``.

    - The ``debops`` Python package has dropped the hard dependency on Ansible.
      This allows DebOps to be installed in a separate environment from Ansible,
      which makes it possible, for example, to mix Homebrew Ansible with DebOps
      from PyPI on macOS. The installation instructions have also been updated
      to reflect the change.

    - The :command:`debops-init` script will now generate new Ansible inventory
      files using the hostname as well as a host FQDN to better promote the use
      of DNS records in Ansible inventory.

    :ref:`debops.dnsmasq` role
    ''''''''''''''''''''''''''

    - The role has been redesigned from the ground up with a new configuration
      pipeline, support for multiple subdomains and better default
      configuration. See the :ref:`debops.dnsmasq` role documentation as well as
      the :ref:`upgrade_notes` for more details.

    :ref:`debops.docker_server` role
    ''''''''''''''''''''''''''''''''

    - If the Docker host uses a local nameserver, for example :command:`dnsmasq`
      or :command:`unbound`, Docker containers might have a misconfigured DNS
      nameserver in :file:`/etc/resolv.conf` pointing to ``127.0.0.1``. In these
      cases, the :ref:`debops.docker_server` role will configure Docker to use
      the upstream nameservers from the host, managed by the ``resolvconf`` APT
      package.

      If no upstream nameservers are available, the role will not configure any
      nameserver and search parameters, which will tell Docker to use the Google
      nameservers.

    :ref:`debops.gitlab` role
    '''''''''''''''''''''''''

    - The role will now install GitLab 10.8 by default, on Debian Stretch and
      Ubuntu Xenial. The 11.x release now requires Ruby 2.4+, therefore it will
      only be installed on newer OS releases (Debian Buster, Ubuntu Bionic).

    - The role has been updated to use Ansible local facts managed by the
      :ref:`debops.redis_server` Ansible role. Redis Server support has been
      removed from the GitLab playbook and needs to be explicitly enabled in the
      inventory for GitLab to be installed correctly. This allows selecting
      between a local Server or Sentinel instance, to support clustered
      environments.

      Check the :ref:`upgrade_notes` for issues with upgrading Redis Server
      support on existing GitLab hosts.

    :ref:`debops.grub` role
    '''''''''''''''''''''''

    - The GRUB configuration has been redesigned; the role now uses merged
      variables to make configuration via Ansible inventory or dependent role
      variables easier. The GRUB configuration is now stored in the
      :file:`/etc/default/grub.d/` directory to allow for easier integration
      with other software. See the :ref:`debops.grub` documentation for more
      details.

    - The user password storage path in the :file:`secret/` directory has been
      changed to use the ``inventory_hostname`` variable instead of the
      ``ansible_fqdn`` variable. This change will force regeneration of password
      hashes in existing installations, but shouldn't affect host access
      (passwords stay the same).

    :ref:`debops.gunicorn` role
    '''''''''''''''''''''''''''

    - The role depends on :ref:`debops.python` now to install the required
      packages. Please update your custom playbooks accordingly.

    :ref:`debops.ipxe` role
    '''''''''''''''''''''''

    - The role will no longer install non-free firmware by default. This is done
      to solve the connectivity issues with the ``cdimage.debian.org`` host.

    :ref:`debops.librenms` role
    '''''''''''''''''''''''''''

    - The default dashboard in LibreNMS is changed from the
      :file:`pages/front/default.php` to :file:`pages/front/tiles.php` which
      allows for better customization.

    :ref:`debops.lxc` role
    ''''''''''''''''''''''

    - The role will configure the default subUIDs and subGIDs for unprivileged
      LXC containers based on the configured subordinate UID/GID ranges for the
      ``root`` account.

    - The :command:`lxc-prepare-ssh` script will now install SSH public keys
      from the user account that is running the script via :command:`sudo`
      instead of the system's ``root`` account, which is usually what you want
      to do if other people manage their own LXC containers on a host.

    - The LXC configuration managed by the role will use the :command:`systemd`
      ``lxc@.service`` instances to manage the containers instead of using the
      :command:`lxc-*` commands directly. This allows the containers to be shut
      down properly without hitting a timeout and forced killing of container
      processes.

    :ref:`debops.owncloud` role
    '''''''''''''''''''''''''''

    - The role will now use Ansible facts managed by the
      :ref:`debops.redis_server` role to configure Redis support.

    - Drop support for Nextcloud 12.0 which is EOL. Add support for Nextcloud
      14.0 and 15.0 and make Nextcloud 14.0 the default Nextcloud version.

    :ref:`debops.netbase` role
    ''''''''''''''''''''''''''

    - The hostname and domain configuration during bootstrapping is now done by
      the :ref:`debops.netbase` Ansible role. The default for this role is to
      remove the ``127.0.1.1`` host entry from the :file:`/etc/hosts` file to
      ensure that domain resolution relies on DNS.

      If you are using a local domain configured in the :file:`/etc/hosts` file,
      you should define the :envvar:`netbase__domain` variable in the Ansible
      inventory with your desired domain.

    - The role is redesigned to use list variables instead of YAML dictionaries
      for the :file:`/etc/hosts` database. This allows for adding the host IPv4
      and/or IPv6 addresses defined by Ansible facts when the custom local
      domain is enabled. See :ref:`netbase__ref_hosts` for details. The role has
      also been included in the ``common.yml`` playbook to ensure that the host
      database is up to date as soon as possible.

    :ref:`debops.resources` role
    ''''''''''''''''''''''''''''

    - The behaviour of the groups used for templating has changed. Now all
      groups the host is in will be used to search for template files. Read the
      documentation about :ref:`resources__ref_templates` for more details on
      templating with DebOps.

    Fixed

    
    :ref:`debops.grub` role
    '''''''''''''''''''''''
    
    - The role should now correctly revert the custom patch that allows user
      authentication in the :file:`/etc/grub.d/10_linux` script, when the user
      list is empty.
    
    :ref:`debops.kmod` role
    '''''''''''''''''''''''
    
    - The role should now work correctly in Ansible ``--check`` mode before the
      Ansible local fact script is installed.
    
    :ref:`debops.sysctl` role
    '''''''''''''''''''''''''
    
    - The role should correctly handle nested lists in role dependent variables,
      which are now flattened before being passed to the configuration filter.
    
    Removed
    

    Roles removed from DebOps
    '''''''''''''''''''''''''

    - The old ``debops.redis`` Ansible role has been removed. It has been
      replaced by the :ref:`debops.redis_server` and
      :ref:`debops.redis_sentinel` Ansible roles. The new roles use their own
      Ansible inventory groups, therefore they will need to be explicitly
      enabled to affect existing hosts.

      You can use the :ref:`debops.debops_legacy` Ansible role to clean up old
      configuration files, directories and diversions of the ``debops.redis``
      role from remote hosts.

    General
    '''''''

    - The ``ldap_entry`` and ``ldap_attr`` Ansible modules have been removed.
      They are now included in Ansible core, there's no need to keep a separate
      copy in the playbook.

    :ref:`debops.core` role
    '''''''''''''''''''''''

    - The ``ansible_local.root.flags`` and ``ansible_local.root.uuid`` local
      facts have been removed. They are replaced by ``ansible_local.tags`` and
      ``ansible_local.uuid`` local facts, respectively.

    :ref:`debops.dhcpd` role
    ''''''''''''''''''''''''

    - Support for :command:`dhcp_probe` has been removed from the
      :ref:`debops.dhcpd` Ansible role. It's now available as a separate
      :ref:`debops.dhcp_probe` role.

    :ref:`debops.ferm` role
    '''''''''''''''''''''''

    - Automated configuration of packet forwarding with ``FORWARD`` chain rules
      and :command:`sysctl` configuration has been removed from the role.
      Per-interface packet forwarding is now configurable using the
      :ref:`debops.ifupdown` role, and you can still use the :ref:`debops.ferm`
      and :ref:`debops.sysctl` roles to design custom forwarding configuration.

      Support for this mechanism has also been removed from related roles like
      :ref:`debops.libvirtd` and :ref:`debops.lxc`.

    :ref:`debops.netbase` role
    ''''''''''''''''''''''''''

    - The hostname and domain configuration has been removed from the
      ``debops.bootstrap`` role. This functionality is now handled by the
      :ref:`debops.netbase` role, which has been included in the bootstrap
      playbook. The relevant inventory variables have been renamed, check the
      :ref:`upgrade_notes` for details.

    :ref:`debops.resources` role
    ''''''''''''''''''''''''''''

    - The ``resources__group_name`` variable has been removed in favor of using
      all the groups the current host is in. This change has been reflected in
      the updated variable ``resources__group_templates``.