`DebOps v1.0.0`_ Release Notes
==============================

Release Date: 2019-05-22

.. _debops v1.0.0: https://github.com/debops/debops/compare/v0.8.1...v1.0.0

➕ Added
~~~~~~~~~~

🆕 New DebOps roles
''''''''''''''''''''

- 🐳 The :ref:`debops.docker_registry` role provides support for Docker Registry.
  The role can be used as standalone or as a backend for the GitLab Container
  Registry service, with the :ref:`debops.gitlab` role.

- 🔧 The :ref:`debops.ldap` role sets up the system-wide LDAP configuration on
  a host, and is used as the API to the LDAP directory by other Ansible roles,
  playbooks, and users via Ansible inventory. The role is included in the
  ``common.yml`` playbook, but is disabled by default.

- 🔧 The :ref:`debops.nslcd` role can be used to configure LDAP lookups for NSS
  and PAM services on a Linux host.

- The :ref:`debops.pam_access` role manages PAM access control files located in
  the :file:`/etc/security/` directory. The role is designed to allow other
  Ansible roles to easily manage their own PAM access rules.

- The :ref:`debops.yadm` role installs the `Yet Another Dotfiles Manager`__
  script and ensures that additional shells are available. It can also mirror
  dotfiles locally. The role is included in the common playbook.

  .. __: https://yadm.io/

- The :ref:`debops.system_users` role replaces the ``debops.bootstrap`` role
  and is used to manage the local system administrator accounts. It is included
  in the :file:`common.yml` playbook as well as the bootstrap playbooks.
    
General
'''''''

- The DebOps project has been registered `in the IANA Private Enterprise
  Numbers`__ registry, with PEN number ``53622``. The project documentation
  contains :ref:`an OID registry <debops_oid_registry>` to track custom LDAP
  schemas, among other things.

  .. __: https://www.iana.org/assignments/enterprise-numbers/enterprise-numbers

- 👌 Support for Ansible Collections managed by the `Mazer`__ Content Manager has
  been implemented in the repository. Ansible Collections will be usable after
  June 2019, when support for them is enabled in the Ansible Galaxy service.

  .. __: https://github.com/ansible/mazer
    
LDAP
''''

- A new :file:`bootstrap-ldap.yml` Ansible playbook can be used to bootstrap
  Debian/Ubuntu hosts with LDAP support enabled by default. The playbook will
  configure only the services required for secure LDAP access (PKI, SSH,
  PAM/NSS); the rest should be configured using the common playbook.

🔌 :ref:`debops.ansible_plugins` role
'''''''''''''''''''''''''''''''''''''''

- A new ``ldap_attrs`` Ansible module has been added to the role. It's
  a replacement for the ``ldap_attr`` core Ansible module, which is more in line
  with the ``ldap_entry`` module. It is used by the :ref:`debops.slapd` and
  :ref:`debops.ldap` roles to manage the LDAP directory contents.
    
:ref:`debops.apt` role
''''''''''''''''''''''

- 🚀 Systems with the End of Life Debian releases (``wheezy``) installed will be
  configured to use the Debian Archive repository as the main APT sources
  instead of the normal Debian repository mirrors. These releases have been
  moved out of the main repositories and are not fully available through normal
  means. The periodic updates of the APT archive repositories on these systems
  will be disabled via the :ref:`debops.unattended_upgrades` role, since the
  EOL releases no longer receive updates.

  The Debian LTS release (``jessie``) APT repository sources will use only the
  main and security repositories, without updates or backports. See the
  `information about the Debian LTS support`__ for more details.

  .. __: https://wiki.debian.org/LTS
    
:ref:`debops.lxc` role
''''''''''''''''''''''

- 0️⃣ Users can now disable default route advertisement in the ``lxc-net`` DHCP
  service. This is useful in cases where LXC containers have multiple network
  interfaces and the default route should go through a different gateway than
  the LXC host.

- The :command:`lxc-new-unprivileged` script will add missing network interface
  stanzas in the container's :file:`/etc/network/interfaces` file, by default
  with DHCP configuration. This will happen only on the initialization of the
  new container, when a given LXC container has multiple network interfaces
  defined in its configuration file.
    
:ref:`debops.nginx` role
''''''''''''''''''''''''

- 🔧 The role will automatically generate configuration which redirects short
  hostnames or subdomains to their FQDN equivalents. This allows HTTP clients
  to reach websites by specifying their short names, resolved via the DNS
  suffixes from the :file:`/etc/resolv.conf` file or via ``*.local`` domain
  names managed by Avahi/mDNS, and be redirected to the correct FQDNs.
    
:ref:`debops.resources` role
''''''''''''''''''''''''''''

- 🔧 Some lists can now configure ACL entries on the destination files or
  directories using the ``item.acl`` parameter. See the
  :ref:`resources__ref_acl` section for the list of compatible variables.

- New :ref:`resources__ref_commands` variables can be used to define simple
  shell commands or scripts that will be executed at the end of the
  :ref:`debops.resources` role. This is useful to start new services, but it
  shouldn't be used as a replacement for fully-fledged Ansible roles.
    
:ref:`debops.sudo` role
'''''''''''''''''''''''

- The role is now integrated with the :ref:`debops.ldap` Ansible role and can
  configure the :command:`sudo` service to read ``sudoers`` configuration from
  the LDAP directory.

:ref:`debops.users` role
''''''''''''''''''''''''

- 🔧 The role can now configure UNIX accounts with access restricted to SFTP
  operations (SFTPonly) with the new ``item.chroot`` parameter. This is
  a replacement for the ``debops.sftpusers`` role.
    
🔄 Changed
~~~~~~~~~~~

⚡️ Updates of upstream application versions
'''''''''''''''''''''''''''''''''''''''''''''

- 👍 The :ref:`debops.gitlab` role will install GitLab 11.10 on supported
  platforms (Debian Buster, Ubuntu Bionic), existing installations will be
  upgraded.

- In the :ref:`debops.phpipam` role, the relevant inventory variables have been
  renamed, check the :ref:`upgrade_notes` for details. The role now uses the
  upstream phpIPAM repository and it installs version 1.3.2.

- 🚀 In the :ref:`debops.php` role, because the PHP 7.0 release status changed
  to `End of life`__ at the beginning of 2019, the Ondřej Surý APT repository
  with PHP 7.2 packages will be enabled by default on Debian Jessie and Stretch
  as well as Ubuntu Trusty and Xenial. Existing :ref:`debops.php` installations
  shouldn't be affected, but the role will not try to upgrade the PHP version
  either. Users should consider upgrading the packages manually or reinstalling
  services from scratch with the newer version used by default.

  .. __: https://secure.php.net/supported-versions.php

- 👍 In the :ref:`debops.rstudio_server` role, the supported version has been
  updated to v1.2.1335. The role no longer installs ``libssl1.0.0`` from Debian
  Jessie on Debian Stretch, since the current version of the RStudio Server
  works in the default Stretch environment. The downloaded ``.deb`` package
  will be verified using the RStudio Inc. GPG signing key before installation.

- 🐳 In the :ref:`debops.docker_gen` role, the ``docker-gen`` version that this
  role installs by default has been updated to version 0.7.4. This release
  notably adds IPv6 and docker network support.

General
'''''''

- The :ref:`debops.cron` role will be applied much earlier in the
  ``common.yml`` playbook because the :ref:`debops.pki` role depends on the
  presence of the :command:`cron` daemon on the host.

- Bash scripts and ``shell``/``command`` Ansible modules now use the relative
  :command:`bash` interpreter instead of the absolute :file:`/bin/bash` path.
  This should help make the DebOps roles more portable, and prepare the project
  for the merged :file:`/bin` and :file:`/usr/bin` directories in a future
  Debian release.

Mail Transport Agents
'''''''''''''''''''''

- 🔧 The :file:`/etc/mailname` configuration file will contain the DNS domain
  of a host instead of the FQDN address. As a result, mail senders that don't
  specify the domain part will have the DNS domain, instead of the full host
  address, appended by the Mail Transport Agent. This configuration should work
  better in clustered environments, where there is a central mail hub/MX that
  receives the mail and redirects it.

:ref:`debops.gitlab` role
'''''''''''''''''''''''''

- 🐳 The GitLab playbook will import the :ref:`debops.docker_registry` playbook
  to ensure that the Docker Registry configuration defined in the GitLab
  service is properly applied during installation/management.

:ref:`debops.lxc` role
''''''''''''''''''''''

- The :command:`lxc-prepare-ssh` script will read the public SSH keys from
  specific files (the ``root`` key file, and the ``$SUDO_USER`` key file) and
  will not accept any custom files to read from, to avoid possible security
  issues. Each public SSH key listed in the key files is validated before being
  added to the container's ``root`` account.

  The :command:`lxc-new-unprivileged` script will similarly not accept any
  custom files as the initial LXC container configuration, to fix any potential
  security holes when used via :command:`sudo`. The default LXC configuration
  file used by the script can be configured in the :file:`/etc/lxc/lxc.conf`
  configuration file.
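As an added illustration of the key validation step described above (example code, not the DebOps :command:`lxc-prepare-ssh` script): a Python check that accepts a public key line only if it has the plain ``type base64 [comment]`` form, the blob decodes, and the key type embedded in the blob matches the declared one. The set of allowed key types and the rejection of option-prefixed lines are assumptions of this example.

```python
"""Validate OpenSSH public key lines before they are appended to an
authorized_keys file. Added example; not the lxc-prepare-ssh script."""
import base64
import struct

# Key types this example accepts (an assumption; adjust to local policy).
ALLOWED_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
                 "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: uint32 length + data."""
    return struct.pack(">I", len(data)) + data


def read_ssh_string(blob: bytes) -> bytes:
    """Decode the first SSH wire-format string in blob; error if truncated."""
    (length,) = struct.unpack(">I", blob[:4])  # struct.error if < 4 bytes
    if 4 + length > len(blob):
        raise ValueError("truncated string body")
    return blob[4:4 + length]


def validate_public_key(line: str):
    """Return (ok, reason). Only plain 'type base64 [comment]' lines pass; lines
    with options and blobs whose embedded type differs from the declared one fail."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        return False, "not a 'type base64 [comment]' line"
    key_type, encoded = parts[0], parts[1]
    if key_type not in ALLOWED_TYPES:
        return False, f"unsupported or option-prefixed key type {key_type!r}"
    try:
        # validate=True rejects non-base64 characters instead of skipping them.
        embedded = read_ssh_string(base64.b64decode(encoded, validate=True))
    except (ValueError, struct.error) as exc:  # binascii.Error is a ValueError
        return False, f"undecodable key blob: {exc}"
    if embedded != key_type.encode():
        return False, "declared key type does not match the key blob"
    return True, "ok"


def filter_authorized_keys(text: str) -> list:
    """Return only the key lines that pass validation; comments are dropped."""
    return [line.strip() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")
            and validate_public_key(line)[0]]


# Constructed sample key file: one well-formed ed25519 key and three lines
# that must be refused (wrong declared type, bad base64, options prefix).
ED25519_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(b"\x01" * 32)
KEY_B64 = base64.b64encode(ED25519_BLOB).decode()
GOOD_KEY = f"ssh-ed25519 {KEY_B64} root@host"
SAMPLE_KEY_FILE = "\n".join(["# constructed sample", GOOD_KEY,
                             f"ssh-rsa {KEY_B64} wrong-type",
                             "ssh-rsa not*base64 broken",
                             f"no-pty {GOOD_KEY}"])
```

Only lines returned by ``filter_authorized_keys`` would be appended to the container's ``root`` key file; the reason string from ``validate_public_key`` is what a script would log for each refused line.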

:ref:`debops.mariadb_server` role
'''''''''''''''''''''''''''''''''

- The MariaDB user ``root`` is no longer dropped. This user is used for
  database maintenance and authenticates using the ``unix_auth`` plugin.
  However, DebOps still maintains and sets a password for the ``root`` UNIX
  account, stored in the :file:`/root/.my.cnf` config file.

:ref:`debops.netbase` role
''''''''''''''''''''''''''

- 🐳 The role will be disabled by default in Docker containers. In this
  environment, the :file:`/etc/hosts` file is managed by Docker and cannot be
  modified from inside the container.

:ref:`debops.owncloud` role
'''''''''''''''''''''''''''

- The role will not perform any tasks related to the :command:`occ` command if
  the automatic setup is disabled in the :envvar:`owncloud__autosetup`
  variable. In this mode, the :command:`occ` tasks cannot be performed by the
  role because the ownCloud/Nextcloud installation is not finished. Users are
  expected to perform the necessary tasks themselves if they decide to opt out
  of the automatic configuration.

:ref:`debops.php` role
''''''''''''''''''''''

- The PHP version detection has been redesigned to use the
  :command:`apt-cache madison` command to find the available versions. The role
  will now check the current version of the ``php`` APT package to select the
  available stable PHP version. This unfortunately breaks support for the
  ``php5`` packages, but the ``php5.6`` packages from the Ondřej Surý APT
  repository work fine.

- The role will install the :command:`composer` command from the upstream
  GitHub repository on older OS releases, including Debian Stretch (the current
  Stable release). This is due to the incompatibility between the ``composer``
  APT package included in Debian Stretch and PHP 7.3.

  The custom :command:`composer` command installation tasks have been removed
  from the :ref:`debops.roundcube` and :ref:`debops.librenms` roles, since
  :ref:`debops.php` will take care of the installation.
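The madison-based detection described above, as an added Python example (not the :ref:`debops.php` role's own code): it parses constructed :command:`apt-cache madison` output and picks the ``X.Y`` to use for the ``php`` metapackage, preferring a requested version when it is offered and otherwise falling back to the highest available one. The fallback rule, the sample rows and the ``repo.example.org`` source are this example's assumptions.

```python
"""Pick the PHP X.Y to use from 'apt-cache madison' output.
Added example; not the debops.php role's own detection code."""
import re
from typing import List, Optional, Tuple

# Constructed sample of 'apt-cache madison php php-dev' output on a Debian
# Buster host with an extra PHP repository enabled (versions are made up).
SAMPLE_MADISON = """\
       php | 2:7.3+69 | http://deb.debian.org/debian buster/main amd64 Packages
       php | 2:7.4+76 | https://repo.example.org/php buster/main amd64 Packages
       php | 2:8.0+80 | https://repo.example.org/php buster/main amd64 Packages
   php-dev | 2:7.3+69 | http://deb.debian.org/debian buster/main amd64 Packages
"""

# A madison row is:  package | version | source
MADISON_ROW = re.compile(r"^\s*(\S+)\s*\|\s*(\S+)\s*\|\s*(.+?)\s*$")
# Debian version "2:7.3+69": optional epoch, then the upstream X.Y we need.
PHP_XY = re.compile(r"^(?:\d+:)?(\d+)\.(\d+)")


def parse_madison(text: str) -> List[Tuple[str, str, str]]:
    """Return (package, version, source) rows from apt-cache madison output."""
    rows = []
    for line in text.splitlines():
        match = MADISON_ROW.match(line)
        if match:
            rows.append(match.groups())
    return rows


def php_xy(version: str) -> Optional[Tuple[int, int]]:
    """Extract (major, minor) from a Debian package version, or None."""
    match = PHP_XY.match(version)
    return (int(match.group(1)), int(match.group(2))) if match else None


def select_php_version(madison_text: str, package: str = "php",
                       preferred: Optional[str] = None) -> Optional[str]:
    """Choose the X.Y offered for 'package': the preferred one when it is
    available, otherwise the highest one (this example's assumption).
    Returns None when the package is not offered at all, e.g. 'php5'."""
    available = set()
    for pkg, version, _source in parse_madison(madison_text):
        xy = php_xy(version) if pkg == package else None
        if xy:
            available.add(xy)
    if not available:
        return None
    want = php_xy(preferred) if preferred else None
    major, minor = want if want in available else max(available)
    return f"{major}.{minor}"
```

On a real host the text would come from ``subprocess.run(["apt-cache", "madison", "php"], capture_output=True, text=True).stdout``; an empty result is exactly the ``php5``-only case the note above calls unsupported.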

:ref:`debops.root_account` role
'''''''''''''''''''''''''''''''

- If the :ref:`debops.ldap` Ansible role has been applied on a host, the
  :ref:`debops.root_account` role will use the UID/GID ranges defined by it,
  which include the UIDs/GIDs used in the LDAP directory, to define the
  subUID/subGID range of the ``root`` account. This allows usage of the LDAP
  directory as a source of UNIX accounts and groups in unprivileged containers.
  Existing systems will not be changed.

- 🚚 Management of the ``root`` dotfiles has been removed from the
  :ref:`debops.users` role and is now done in the :ref:`debops.root_account`
  role, using the :command:`yadm` script. Users might need to clean out the
  existing dotfiles if they were managed as symlinks, otherwise the
  :command:`yadm` script will not be able to correctly deploy the new dotfiles.

:ref:`debops.slapd` role
''''''''''''''''''''''''

- 👍 The role has been redesigned from the ground up, with support for N-Way
  Multi-Master replication, custom LDAP schemas, Password Policy and other
  functionality. The role uses the custom ``ldap_attrs`` Ansible module
  included in the :ref:`debops.ansible_plugins` role for OpenLDAP management.

  The OpenLDAP configuration will definitely break on existing installations.
  It's best to set up a new OpenLDAP server (or replicated cluster) and import
  the LDAP directory to it afterwards. See the
  :ref:`role documentation <debops.slapd>` for more details.

:ref:`debops.sshd` role
'''''''''''''''''''''''

- The access control based on UNIX groups defined in the
  :file:`/etc/ssh/sshd_config` file has been removed. Instead, the OpenSSH
  server uses the PAM access control configuration, managed by the
  :ref:`debops.pam_access` Ansible role, to control access by
  users/groups/origins. The OpenSSH service uses its own access control file,
  separate from the global :file:`/etc/security/access.conf` file.

- The role will enable client address resolution using DNS by setting the
  ``UseDNS yes`` option in the OpenSSH server configuration. This parameter is
  disabled by default in Debian and upstream, however it is required for the
  domain-based access control rules to work as expected.

- 🔧 When LDAP support is configured on a host by the :ref:`debops.ldap` role,
  the :ref:`debops.sshd` role will use the resulting infrastructure to connect
  to the LDAP directory and create the ``sshd`` LDAP account object for each
  host, used for lookups of the SSH keys in the directory. The SSH host public
  keys will be automatically added or updated in the LDAP device object to
  allow for centralized generation of the :file:`~/.ssh/known_hosts` files
  based on the data stored in LDAP.

  The role will no longer create a separate ``sshd-lookup`` UNIX account to
  perform LDAP lookups; the existing ``sshd`` UNIX account will be used
  instead. The :command:`ldapsearch` command used for lookups will default to
  LDAP over TLS connections instead of LDAPS.

:ref:`debops.system_groups` role
''''''''''''''''''''''''''''''''

- 👍 If LDAP support is enabled on a host via the :ref:`debops.ldap` role, the
  UNIX system groups created by default by the :ref:`debops.system_groups`
  role will use a ``_`` prefix to keep them separate from any LDAP-based groups
  of the same name. Existing installations should be unaffected, as long as the
  updated :ref:`debops.system_groups` role was applied before the
  :ref:`debops.ldap` role.

⬆️ :ref:`debops.unattended_upgrades` role
''''''''''''''''''''''''''''''''''''''''''

- ⚡️ The packages from the ``stable-updates`` APT repository section will be
  automatically upgraded by default, the same as the packages from the Debian
  Security repository. This should cover important non-security related
  upgrades, such as timezone changes, antivirus database changes, and similar.

- If automatic reboots are enabled, VMs will not reboot all at the same time,
  to avoid high load on the hypervisor host. Instead they will reboot at
  a particular minute in a 15-minute time window. For each host,
  a random-but-idempotent time is chosen. For hypervisor hosts, good presets
  cannot be picked. You should ensure that hosts don't reboot at the same time
  by defining different reboot times in inventory groups.
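An added Python example of the per-host random-but-idempotent scheduling described above (not the role's own implementation): the hostname is hashed to a minute offset inside the window, and a collision report shows which hosts would still reboot at the same minute, which is the case the note above says must be resolved by hand through inventory groups. The SHA-256 hash, the ``02:00`` window start and the host names are assumptions.

```python
"""Spread VM reboots over a 15-minute window with a per-host offset that is
random-looking but idempotent. Added example; not the role's own logic."""
import hashlib
from collections import defaultdict
from typing import Dict, Iterable, List


def reboot_offset_minutes(hostname: str, window: int = 15) -> int:
    """Map a hostname to a stable minute offset in [0, window).
    SHA-256 is an assumption of this example; any stable hash would do."""
    digest = hashlib.sha256(hostname.encode("utf-8")).digest()
    return int.from_bytes(digest[:4], "big") % window


def shift_time(base: str, minutes: int) -> str:
    """Add minutes to an 'HH:MM' clock time, wrapping past midnight."""
    hours, mins = (int(part) for part in base.split(":"))
    total = (hours * 60 + mins + minutes) % (24 * 60)
    return f"{total // 60:02d}:{total % 60:02d}"


def reboot_time(hostname: str, base: str = "02:00", window: int = 15) -> str:
    """Reboot time for one host: window start plus its own offset."""
    return shift_time(base, reboot_offset_minutes(hostname, window))


def reboot_schedule(hostnames: Iterable[str], base: str = "02:00",
                    window: int = 15) -> Dict[str, str]:
    """Reboot time per host, e.g. for the group of VMs on one hypervisor."""
    return {host: reboot_time(host, base, window) for host in hostnames}


def collisions(schedule: Dict[str, str]) -> Dict[str, List[str]]:
    """Minutes at which more than one host would reboot, with the hosts.
    Non-empty output is the signal to move some hosts into an inventory
    group with a different reboot window."""
    by_minute: Dict[str, List[str]] = defaultdict(list)
    for host, when in sorted(schedule.items()):
        by_minute[when].append(host)
    return {when: hosts for when, hosts in by_minute.items() if len(hosts) > 1}


if __name__ == "__main__":
    # Constructed host names for the demonstration; 20 hosts in 15 slots
    # guarantees at least one collision.
    vms = [f"vm{n:02d}.example.org" for n in range(1, 21)]
    for host, when in sorted(reboot_schedule(vms).items()):
        print(f"{host:20s} {when}")
    print("collisions:", collisions(reboot_schedule(vms)))
```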

:ref:`debops.users` role
''''''''''''''''''''''''

- The management of the user dotfiles in the :ref:`debops.users` role has been
  redesigned and now uses the :command:`yadm` script to perform the actual
  deployment. See :ref:`debops.yadm` for details about installing the script
  and creating local dotfile mirrors. The :ref:`users__ref_accounts` variable
  documentation contains examples of the new dotfile definitions.

- The role now uses the ``libuser`` library via the Ansible ``group`` and
  ``user`` modules to manage local groups and accounts. This should avoid
  issues with groups and accounts created in the LDAP user/group ranges.

  The ``libuser`` library by default creates home directories with ``0700``
  permissions, which is probably too restrictive. Because of that, the role
  will automatically change the home directory permissions to ``0751`` (defined
  in the :envvar:`users__default_home_mode` variable). This also affects
  existing UNIX accounts managed by the role; the mode can be overridden using
  the ``item.home_mode`` parameter.

- The ``users__*_resources`` variables have been reimplemented as the
  ``item.resources`` parameter of the ``users__*_accounts`` variables. This
  removes the unnecessary split between user account definitions and the
  definitions of their files/directories.

✂ Removed
~~~~~~~~~~

🚚 Roles removed from DebOps
''''''''''''''''''''''''''''

- 🚚 The ``debops.sftpusers`` Ansible role has been removed. Its functionality is
  now implemented by the :ref:`debops.users` role; custom bind mounts can be
  defined using the :ref:`debops.mount` role.

- 🚚 The ``debops.bootstrap`` Ansible role has been removed. Its replacement is
  the :ref:`debops.system_users` role, which is used to manage system
  administrator accounts via the ``common.yml`` playbook and the bootstrap
  playbooks.

:ref:`debops.auth` role
'''''''''''''''''''''''

- 🔧 The :file:`/etc/ldap/ldap.conf` file configuration, :command:`nslcd` service
  configuration and related variables have been removed from the
  :ref:`debops.auth` role. This functionality is now available in the
  :ref:`debops.ldap` and :ref:`debops.nslcd` roles, which manage the
  client-side LDAP support.

:ref:`debops.rstudio_server` role
'''''''''''''''''''''''''''''''''

- 📦 The role will no longer install the historical ``libssl1.0.0`` APT package on
  Debian Stretch to support older RStudio Server releases. You should remove it
  on the existing installations after RStudio Server is upgraded to the newest
  release.
    
🛠 Fixed
~~~~~~~~~

:ref:`debops.authorized_keys` role
''''''''''''''''''''''''''''''''''

- Set the group for ``authorized_keys`` files to the primary group of the user
  instead of the group with the same name as the user. This is important
  because otherwise the read-only mode of the role does not work when the
  primary group of a user has a different name than the username.

:ref:`debops.lvm` role
''''''''''''''''''''''

- 0️⃣ Make sure a file system is created by default when the ``mount`` parameter is
  defined in the :envvar:`lvm__logical_volumes` variable.

- Stop and disable the ``lvm2-lvmetad.socket`` systemd unit when disabling
  :envvar:`lvm__global_use_lvmetad`, to avoid a warning message when invoking
  LVM commands.

:ref:`debops.redis_server` role
'''''''''''''''''''''''''''''''

- 👉 Use the :file:`redis.conf` file to look up passwords via the
  :command:`redis-password` script. This file has the ``redis-auth`` UNIX group
  and any accounts in this group should now be able to look up the Redis
  passwords correctly.

:ref:`debops.slapd` role
''''''''''''''''''''''''

- The role will check if the X.509 certificate and the private key used for TLS
  communication were correctly configured in the OpenLDAP server. This fixes an
  issue where the configuration of the private key and certificate was not
  performed at all, without any actual changes in the service, with the
  subsequent task exiting with an error due to misconfiguration.
    
🔒 Security
~~~~~~~~~~~~

:ref:`debops.php` role
''''''''''''''''''''''

- Ondřej Surý created `new APT signing keys`__ for his Debian APT repository
  with PHP packages, due to security concerns. The :ref:`debops.php` role will
  remove the old APT GPG key and add the new one automatically.

  .. __: https://www.patreon.com/posts/dpa-new-signing-25451165