DebOps v0.8.1 Release Notes
===========================

Release Date: 2019-02-02

.. _debops v0.8.1: https://github.com/debops/debops/compare/v0.8.0...v0.8.1

Added
~~~~~

New DebOps roles
''''''''''''''''

- The :ref:`debops.redis_server` and :ref:`debops.redis_sentinel` roles, that
  replace the existing ``debops.redis`` Ansible role. The new roles support
  multiple Redis and Sentinel instances on a single host.

- The :ref:`debops.freeradius` role can be used to manage the FreeRADIUS
  service, used in network management.

- The :ref:`debops.dhcp_probe` role can be used to install and configure the
  :command:`dhcp_probe` service, which passively detects rogue DHCP servers.

- The :ref:`debops.mount` role allows configuration of :file:`/etc/fstab`
  entries for local devices, bind mounts and can be used to create or modify
  directories, to permit access to resources by different applications. The
  role is included by default in the ``common.yml`` playbook.

Continuous Integration
''''''''''''''''''''''

- Ansible roles included in DebOps are now checked using the `ansible-lint`__
  tool. All existing issues found by the script have been fixed.

  .. __: https://docs.ansible.com/ansible-lint/

- The hosts managed by the DebOps Vagrant environment will now use Avahi to
  detect multiple cluster nodes and generate host records in the
  :file:`/etc/hosts` database on these nodes. This allows usage of real DNS
  FQDNs and hostnames in the test environment without reliance on external
  DHCP/DNS services.

General
'''''''

- DebOps roles are now tagged with ``skip::<role_name>`` Ansible tags. You can
  use these tags to skip roles without any side-effects; for example
  "<role_name>/env" sub-roles will still run so that roles that depend on them
  will work as expected.

- You can use the :command:`make versions` command in the root of the DebOps
  monorepo to check currently "pinned" and upstream versions of third-party
  software installed and managed by DebOps, usually via :command:`git`
  repositories. This requires the :command:`uscan` command from the Debian
  ``devscripts`` APT package to be present.

:ref:`debops.ifupdown` role
'''''''''''''''''''''''''''

- The role will now generate configuration for the :ref:`debops.sysctl` role
  and use it in the playbook as a dependency, to configure kernel parameters
  related to packet forwarding on managed network interfaces. This
  functionality replaces centralized configuration of packet forwarding on all
  network interfaces done by the :ref:`debops.ferm` role.

:ref:`debops.lxc` role
''''''''''''''''''''''

- New :command:`lxc-hwaddr-static` script can be used to easily generate
  random but predictable MAC addresses for LXC containers. The script can be
  run manually or executed as a "pre-start" LXC hook to configure static MAC
  addresses automatically - this usage is enabled by default via common LXC
  container configuration.

- The `lxc_ssh.py <https://github.com/andreasscherbaum/ansible-lxc-ssh>`__
  Ansible connection plugin is now included by default in DebOps. This
  connection plugin can be used to manage remote LXC containers with Ansible
  via SSH and the :command:`lxc-attach` command. This requires connection to
  the LXC host and the LXC container via the ``root`` account directly, which
  is supported by the DebOps playbooks and roles.

- The role can now manage LXC containers, again. This time the functionality
  is implemented using the ``lxc_container`` Ansible module instead of a
  series of shell tasks. By default unprivileged LXC containers will be
  created, but users can change all parameters supported by the module.

- The role will now configure a ``lxcbr0`` bridge with internal DNS/DHCP
  server for LXC containers, using the ``lxc-net`` service. With this change,
  use of the :ref:`debops.ifupdown` role to prepare a default bridge for LXC
  containers is not required anymore.

:ref:`debops.netbase` role
''''''''''''''''''''''''''

- When a large number of hosts is defined for the :file:`/etc/hosts` database,
  the role will switch to generating the file using the ``template`` Ansible
  module instead of managing individual lines using the ``lineinfile`` module,
  to make the operation faster. As a result, custom modifications done by
  other tools in the host database will not be preserved.

- The role can now configure the hostname in the :file:`/etc/hostname` file,
  as well as the local domain configuration in :file:`/etc/hosts` database.

:ref:`debops.php` role
''''''''''''''''''''''

- The role will install the ``composer`` APT package on Debian Stretch, Ubuntu
  Xenial and their respective newer OS releases.

:ref:`debops.root_account` role
'''''''''''''''''''''''''''''''

- The role will reserve a set of UID/GID ranges for subordinate UIDs/GIDs
  owned by the ``root`` account (they are not reserved by default). This can
  be used to create unprivileged LXC containers owned by ``root``. See the
  release notes for potential issues on existing systems.

- You can now configure the state and contents of the
  :file:`/root/.ssh/authorized_keys` file using the
  :ref:`debops.root_account` role, with support for global, per inventory
  group and per host SSH keys.

:ref:`debops.users` role
''''''''''''''''''''''''

- The role can now configure ACL entries of the user home directories using
  the ``item.home_acl`` parameter. This can be used for more elaborate access
  restrictions.

Changed
~~~~~~~

Continuous Integration
''''''''''''''''''''''

- The test suite will now check POSIX shell scripts along with Bash scripts
  for any issues via the :command:`shellcheck` linter. Outstanding issues
  found in existing scripts have been fixed.

General
'''''''

- The :ref:`debops.root_account` role will be executed earlier in the
  ``common.yml`` Ansible playbook to ensure that the ``root`` UID/GID ranges
  are reserved without issues on the initial host configuration.

- Various filter and lookup Ansible plugins have been migrated from the
  playbook directory to the :ref:`debops.ansible_plugins` role. This role can
  be used as a hard dependency in other Ansible roles that rely on these
  plugins.

- The order of the roles in the common playbook has been changed; the
  :ref:`debops.users` role will be applied before the :ref:`debops.resources`
  role to allow for resources owned by UNIX accounts/groups other than
  ``root``.

- The ``debops`` Python package has dropped the hard dependency on Ansible.
  This allows DebOps to be installed in a separate environment than Ansible,
  allowing for example to mix Homebrew Ansible with DebOps from PyPI on macOS.
  The installation instructions have also been updated to reflect the change.

- The :command:`debops-init` script will now generate new Ansible inventory
  files using the hostname as well as a host FQDN to better promote the use of
  DNS records in Ansible inventory.

:ref:`debops.dnsmasq` role
''''''''''''''''''''''''''

- The role has been redesigned from the ground up with new configuration
  pipeline, support for multiple subdomains and better default configuration.
  See the :ref:`debops.dnsmasq` role documentation as well as the
  :ref:`upgrade_notes` for more details.

:ref:`debops.docker_server` role
''''''''''''''''''''''''''''''''

- If the Docker host uses a local nameserver, for example :command:`dnsmasq`
  or :command:`unbound`, Docker containers might have misconfigured DNS
  nameserver in :file:`/etc/resolv.conf` pointing to ``127.0.0.1``. In these
  cases, the :ref:`debops.docker_server` role will configure Docker to use the
  upstream nameservers from the host, managed by the ``resolvconf`` APT
  package.

  If no upstream nameservers are available, the role will not configure any
  nameserver and search parameters, which will tell Docker to use the Google
  nameservers.

:ref:`debops.gitlab` role
'''''''''''''''''''''''''

- The role will now install GitLab 10.8 by default, on Debian Stretch and
  Ubuntu Xenial. The 11.x release now requires Ruby 2.4+, therefore it will
  only be installed on newer OS releases (Debian Buster, Ubuntu Bionic).

- The role has been updated to use Ansible local facts managed by the
  :ref:`debops.redis_server` Ansible role. Redis Server support has been
  removed from the GitLab playbook and needs to be explicitly enabled in the
  inventory for GitLab to be installed correctly. This allows selecting
  between a local Server or Sentinel instance, to support clustered
  environments.

  Check the :ref:`upgrade_notes` for issues with upgrading Redis Server
  support on existing GitLab hosts.

:ref:`debops.grub` role
'''''''''''''''''''''''

- The GRUB configuration has been redesigned; the role now uses merged
  variables to make configuration via Ansible inventory or dependent role
  variables easier. The GRUB configuration is now stored in the
  :file:`/etc/default/grub.d/` directory to allow for easier integration with
  other software. See the :ref:`debops.grub` documentation for more details.

- The user password storage path in :file:`secret/` directory has been changed
  to use the ``inventory_hostname`` variable instead of the ``ansible_fqdn``
  variable. This change will force regeneration of password hashes in existing
  installations, but shouldn't affect host access (passwords stay the same).

:ref:`debops.gunicorn` role
'''''''''''''''''''''''''''

- The role depends on :ref:`debops.python` now to install the required
  packages. Please update your custom playbooks accordingly.

:ref:`debops.ipxe` role
'''''''''''''''''''''''

- The role will no longer install non-free firmware by default. This is done
  to solve the connectivity issues with ``cdimage.debian.org`` host.

:ref:`debops.librenms` role
'''''''''''''''''''''''''''

- The default dashboard in LibreNMS is changed from the
  :file:`pages/front/default.php` to :file:`pages/front/tiles.php` which
  allows for better customization.

:ref:`debops.lxc` role
''''''''''''''''''''''

- The role will configure the default subUIDs and subGIDs for unprivileged LXC
  containers based on the configured subordinate UID/GID ranges for the
  ``root`` account.

- The :command:`lxc-prepare-ssh` script will now install SSH public keys from
  the user account that is running the script via :command:`sudo` instead of
  the system's ``root`` account, which is usually what you want to do if other
  people manage their own LXC containers on a host.

- The LXC configuration managed by the role will use the :command:`systemd`
  [email protected] instances to manage the containers instead of using the
  :command:`lxc-*` commands directly. This allows the containers to be shut
  down properly without hitting a timeout and forced killing of container
  processes.

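
The subordinate ID ranges reserved for ``root`` are what the role turns into default subUIDs and subGIDs for unprivileged containers. The following added example (not part of DebOps or of these release notes) parses constructed ``/etc/subuid`` and ``/etc/subgid`` content, flags ranges of other accounts that collide with the range held by ``root``, and derives the matching ``lxc.idmap`` lines; the function names and sample numbers are assumptions made for illustration.

```python
# Constructed sample contents in the /etc/subuid and /etc/subgid format
# (name:first_id:count); the numbers are illustrative, not DebOps defaults.
SUBUID = """\
alice:100000:65536
root:165536:65536
bob:200000:65536
"""
SUBGID = """\
alice:100000:65536
root:300000:65536
"""


def parse_subid(text):
    """Return (owner, first_id, count) tuples, skipping blanks and comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        owner, first, count = line.split(":")
        entries.append((owner, int(first), int(count)))
    return entries


def overlaps(entries, owner="root"):
    """List other owners' ranges that intersect any range held by `owner`."""
    mine = [(f, f + c) for o, f, c in entries if o == owner]
    clashes = []
    for o, f, c in entries:
        # Half-open intervals [first, first + count) intersect when each
        # one starts before the other ends.
        if o != owner and any(f < end and start < f + c for start, end in mine):
            clashes.append((o, f, c))
    return clashes


def lxc_idmap(subuid, subgid, owner="root"):
    """Build lxc.idmap lines (LXC 3.x key; 2.x used lxc.id_map) for `owner`."""
    lines = []
    for kind, text in (("u", subuid), ("g", subgid)):
        ranges = [(f, c) for o, f, c in parse_subid(text) if o == owner]
        if not ranges:
            raise ValueError(f"no sub{kind}id range reserved for {owner}")
        first, count = ranges[0]
        # Map container ID 0..count-1 onto the host range first..first+count-1.
        lines.append(f"lxc.idmap = {kind} 0 {first} {count}")
    return lines
```

In the constructed sample the UID range of ``bob`` starts inside the range held by ``root``, so ``overlaps(parse_subid(SUBUID))`` reports it, while the GID file is clean.
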
:ref:`debops.owncloud` role
'''''''''''''''''''''''''''

- The role will now use Ansible facts managed by the
  :ref:`debops.redis_server` role to configure Redis support.

- Drop support for Nextcloud 12.0 which is EOF. Add support for Nextcloud 14.0
  and 15.0 and make Nextcloud 14.0 the default Nextcloud version.

:ref:`debops.netbase` role
''''''''''''''''''''''''''

- The hostname and domain configuration during bootstrapping is now done by
  the :ref:`debops.netbase` Ansible role. The default for this role is to
  remove the ``127.0.1.1`` host entry from the :file:`/etc/hosts` file to
  ensure that domain resolution relies on DNS.

  If you are using local domain configured in :file:`/etc/hosts` file, you
  should define the :envvar:`netbase__domain` variable in the Ansible
  inventory with your desired domain.

- The role is redesigned to use list variables instead of YAML dictionaries
  for the :file:`/etc/hosts` database. This allows for adding the host IPv4
  and/or IPv6 addresses defined by Ansible facts when the custom local domain
  is enabled. See :ref:`netbase__ref_hosts` for details. The role has also
  been included in the ``common.yml`` playbook to ensure that the host
  database is up to date as soon as possible.

:ref:`debops.resources` role
''''''''''''''''''''''''''''

- Changed behaviour of used groups for templating. Now all groups the host is
  in, will be used to search for template files. Read the documentation about
  :ref:`resources__ref_templates` for more details on templating with
  ``debops``.

Fixed
~~~~~

:ref:`debops.grub` role
'''''''''''''''''''''''

- The role should now correctly revert custom patch to allow user
  authentication in :file:`/etc/grub.d/10_linux` script, when the user list is
  empty.

:ref:`debops.kmod` role
'''''''''''''''''''''''

- The role should now work correctly in Ansible ``--check`` mode before the
  Ansible local fact script is installed.

:ref:`debops.sysctl` role
'''''''''''''''''''''''''

- The role should correctly handle nested lists in role dependent variables,
  which are now flattened before being passed to the configuration filter.

Removed
~~~~~~~

Roles removed from DebOps
'''''''''''''''''''''''''

- The old ``debops.redis`` Ansible role has been removed. It has been replaced
  by the :ref:`debops.redis_server` and :ref:`debops.redis_sentinel` Ansible
  roles. The new roles use their own Ansible inventory groups, therefore they
  will need to be explicitly enabled to affect existing hosts.

  You can use the :ref:`debops.debops_legacy` Ansible role to clean up old
  configuration files, directories and diversions of ``debops.redis`` role
  from remote hosts.

General
'''''''

- The ``ldap_entry`` and ``ldap_attr`` Ansible modules have been removed. They
  are now included in Ansible core, there's no need to keep a separate copy in
  the playbook.

:ref:`debops.core` role
'''''''''''''''''''''''

- The ``ansible_local.root.flags`` and ``ansible_local.root.uuid`` local facts
  have been removed. They are replaced by ``ansible_local.tags`` and
  ``ansible_local.uuid`` local facts, respectively.

:ref:`debops.dhcpd` role
''''''''''''''''''''''''

- Support for :command:`dhcp_probe` has been removed from the
  :ref:`debops.dhcpd` Ansible role. It's now available as a separate
  :ref:`debops.dhcp_probe` role.

:ref:`debops.ferm` role
'''''''''''''''''''''''

- Automated configuration of packet forwarding with ``FORWARD`` chain rules
  and :command:`sysctl` configuration has been removed from the role.
  Per-interface packet forwarding is now configurable using the
  :ref:`debops.ifupdown` role, and you can still use the :ref:`debops.ferm`
  and :ref:`debops.sysctl` roles to design custom forwarding configuration.

  Support for this mechanism has also been removed from related roles like
  :ref:`debops.libvirtd` and :ref:`debops.lxc`.

:ref:`debops.netbase` role
''''''''''''''''''''''''''

- The hostname and domain configuration has been removed from the
  ``debops.bootstrap`` role. This functionality is now handled by the
  :ref:`debops.netbase` role, which has been included in the bootstrap
  playbook. The relevant inventory variables have been renamed, check the
  :ref:`upgrade_notes` for details.

:ref:`debops.resources` role
''''''''''''''''''''''''''''

- The ``resources__group_name`` variable has been removed in favor of using
  all the groups the current host is in. This change has been reflected in the
  updated variable ``resources__group_templates``.
