DebOps v1.2.0 Release Notes
Release Date: 2019-12-01
.. _debops v1.2.0: https://github.com/debops/debops/compare/v1.1.0...v1.2.0
Added
~~~~~

New DebOps roles
''''''''''''''''

- Add :ref:`debops.postldap` Ansible role to configure and enable
  :ref:`debops.postfix` to host multiple (virtual) domains, and thus provide
  email service to several domains with just one mail server. Currently the
  Virtual Mail support works only with **LDAP enabled**; MariaDB support could
  be added in the future.

- The :ref:`debops.minio` and :ref:`debops.mcli` Ansible roles can be used to
  install and configure `MinIO`__ object storage service and its corresponding
  client binary.

  .. __: https://minio.io/

- The :ref:`debops.tinyproxy` role can be used to set up a lightweight
  HTTP/HTTPS proxy for an upstream server.

- The :ref:`debops.libuser` Ansible role configures the `libuser`__ library and
  related commands. This library is used by some of the other DebOps roles to
  manage local UNIX accounts and groups on LDAP-enabled hosts.

  .. __: https://pagure.io/libuser/

General
'''''''

- Add more entries to be ignored by default by the :command:`git` command in
  the DebOps project directories:

  - :file:`debops`: ignore the DebOps monorepo cloned or symlinked into the
    project directory.

  - :file:`roles` and :file:`playbooks`: ignore roles and playbooks in
    development; production code should be put in the :file:`ansible/roles/`
    and the :file:`ansible/playbooks/` directories respectively.

- The :command:`debops-init` script now also creates the :file:`.gitattributes`
  file for use with :command:`git-crypt`. It is commented out by default.

- The :command:`debops-defaults` command will check which pagers
  (:command:`view`, :command:`less`, :command:`more`) are available and use the
  best one automatically.

- A new Ansible module, ``dpkg_divert``, can be used to divert configuration
  files out of the way to preserve them and avoid issues with package
  upgrades. The module is available in the :ref:`debops.ansible_plugins` role.
LDAP
''''

- The :file:`ldap/init-directory.yml` Ansible playbook will create the LDAP
  objects ``cn=LDAP Replicators`` and ``cn=Password Reset Agents`` to allow
  other Ansible roles to utilize them without the need for the system
  administrator to define them by hand.

- The :file:`ldap/get-uuid.yml` Ansible playbook can be used to convert LDAP
  Distinguished Names to UUIDs to look up the password files if needed.

:ref:`debops.apt_install` role
''''''''''''''''''''''''''''''

- The `open-vm-tools`__ APT package will be installed by default in VMware
  virtual machines.

  .. __: https://github.com/vmware/open-vm-tools

:ref:`debops.dnsmasq` role
''''''''''''''''''''''''''

- The role will tell the client applications to `disable DNS-over-HTTPS
  support`__ using the ``use-application-dns.net`` DNS record. This should
  allow connections to internal sites and preserve the split-DNS
  functionality.

  .. __: https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet

:ref:`debops.dokuwiki` role
'''''''''''''''''''''''''''

- The role will configure LDAP support in DokuWiki when an LDAP environment
  managed by the :ref:`debops.ldap` Ansible role is detected. Read the
  :ref:`dokuwiki__ref_ldap_support` chapter in the documentation for more
  details.

:ref:`debops.cron` role
'''''''''''''''''''''''

- The execution time of the ``hourly``, ``daily``, ``weekly`` and ``monthly``
  :command:`cron` jobs will be randomized on a per-host basis to avoid large
  job execution spikes every morning. See the role documentation for more
  details.

:ref:`debops.nullmailer` role
'''''''''''''''''''''''''''''

- When the :ref:`LDAP environment <debops.ldap>` is configured on a host, the
  :ref:`debops.nullmailer` role will create the service account in the LDAP
  directory and configure the :command:`nullmailer` service to use SASL
  authentication with its LDAP credentials to send e-mails to the relayhost.
:ref:`debops.pki` role
''''''''''''''''''''''

- Newly created PKI realms will have a new :file:`public/full.pem` file which
  contains the full X.509 certificate chain, including the Root CA
  certificate, which might be required by some applications that rely on TLS.
  Existing PKI realms will not be modified, but Ansible roles that use the PKI
  infrastructure might expect the new files to be present. It is advisable to
  :ref:`recreate the PKI realms <pki__ref_realm_renewal>` when possible, or
  create the missing files manually.

:ref:`debops.saslauthd` role
''''''''''''''''''''''''''''

- The role can now be used to authenticate users of different services against
  the LDAP directory via integration with the :ref:`debops.ldap` role and its
  framework. Multiple LDAP profiles can be used to provide different access
  control for different services.

:ref:`debops.slapd` role
''''''''''''''''''''''''

- Add support for the :ref:`eduPerson LDAP schema <slapd__ref_eduperson>` with
  an updated schema file included in the role.

- The role will configure SASL authentication in the OpenLDAP service using
  the :ref:`debops.saslauthd` Ansible role. Both humans and machines can
  authenticate to the OpenLDAP directory using their respective LDAP objects.

- The :ref:`lastbind overlay <slapd__ref_lastbind_overlay>` will be enabled by
  default. This overlay records the timestamp of the last successful bind
  operation of a given LDAP object, which can be used to, for example, check
  the date of the last successful login of a given user account.

- Add support for the :ref:`nextcloud LDAP schema <slapd__ref_nextcloud>`
  which provides attributes needed to define disk quotas for Nextcloud user
  accounts.

- The Access Control List rules can now be tested using the :man:`slapacl(8)`
  command via a generated :ref:`test suite script <slapd__ref_acl_tests>`.

- The default ACL rules have been overhauled to add support for the
  ``ou=Roles,dc=example,dc=org`` subtree and the use of ``organizationalRole``
  LDAP objects for authorization. The old set of rules is still active to
  ensure that existing environments work as expected. If you use a modified
  ACL configuration, you should include the new rules as well to ensure that
  changes in the :ref:`debops.ldap` support work correctly.

- You can now hide specific LDAP objects from unprivileged users by adding
  them to a special ``cn=Hidden Objects,ou=Groups,dc=example,dc=org`` LDAP
  group. The required ACL rule will be enabled by default; the objects used to
  control visibility will be created by the :file:`ldap/init-directory.yml`
  playbook.

- The new "SMS Gateway" LDAP role grants SMS gateways read-only access to the
  ``mobile`` attribute. This is needed for implementing 2-factor
  authentication via SMS messages.

:ref:`debops.unbound` role
''''''''''''''''''''''''''

- The role will tell the client applications to `disable DNS-over-HTTPS
  support`__ using the ``use-application-dns.net`` DNS record. This should
  allow connections to internal sites and preserve the split-DNS
  functionality.

  .. __: https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet

- The role will configure the :command:`unbound` daemon to allow non-recursive
  access to DNS queries when a host is managed by Ansible locally, on the
  assumption that it is an Ansible Controller host. This change unblocks use
  of the :command:`dig +trace` and similar commands.

Changed
~~~~~~~
Updates of upstream application versions
''''''''''''''''''''''''''''''''''''''''

- In the :ref:`debops.gitlab` role, the GitLab version has been updated to
  12.2. This is the last release that supports Ruby 2.5, which is included in
  Debian Buster.

- In the :ref:`debops.ipxe` role, the Debian Stretch and Debian Buster netboot
  installer versions have been updated to their next point releases, 9.10 and
  10.2 respectively.

- In the :ref:`debops.netbox` role, the NetBox version has been updated to
  v2.6.3.
Continuous Integration
''''''''''''''''''''''

- The :envvar:`$DEBOPS_FROM` environment variable can be used to select how
  DebOps scripts should be installed in the Vagrant environment: either
  ``devel`` (local build) or ``pypi`` (installation from the PyPI repository).
  This makes the Vagrant environment more useful on Windows hosts, where the
  :file:`/vagrant` directory is not mounted due to issues with symlinks.

- The :command:`make test` command will not run the Docker tests anymore, to
  make the default tests faster. To run the Docker tests with all other tests,
  you can use the :command:`make test docker` command.
General
'''''''

- External commands used in the DebOps scripts have been defined as constants
  to allow easier changes of the command location in various operating
  systems, for example Guix.

- The default Ansible callback plugin used by DebOps is changed to ``yaml``,
  which gives a cleaner look for various outputs and error messages. The
  callback plugin will be active by default in new DebOps project directories;
  in existing directories users can add:

  .. code-block:: ini

     [ansible defaults]
     stdout_callback = yaml

  in the :file:`.debops.cfg` configuration file.

LDAP
''''
- The :file:`ldap/init-directory.yml` playbook has been updated to use the new
  ``ou=Roles,dc=example,dc=org`` LDAP subtree, which will contain various
  ``organizationalRole`` objects. After updating the OpenLDAP Access Control
  List using the :ref:`debops.slapd` role, you can use the playbook on an
  existing installation to create the missing objects.

  The ``cn=UNIX Administrators`` and ``cn=UNIX SSH users`` LDAP objects will be
  created in the ``ou=Groups,dc=example,dc=org`` LDAP subtree. On existing
  installations, these objects need to be moved manually to the new subtree,
  otherwise the playbook will try to create them and fail due to duplicate
  UID/GID numbers, which are enforced to be unique. You can move the objects
  using an LDAP client, for example Apache Directory Studio.

  The ``ou=System Groups,dc=example,dc=org`` subtree will not be created
  anymore. On existing installations this subtree will be left intact and can
  be safely removed after migration.

- Access to the OpenLDAP service configured using the :ref:`debops.slapd` role
  now requires explicit firewall and TCP Wrappers configuration to allow
  access from trusted IP addresses and subnets. You can use the
  ``slapd__*_allow`` variables in the Ansible inventory to specify the IP
  addresses and subnets that can access the service.

  To preserve the old behaviour of granting access by default from anywhere,
  you can set the :envvar:`slapd__accept_any` variable to ``True``.
:ref:`debops.apt_preferences` role
''''''''''''''''''''''''''''''''''

- Support Debian Buster in :ref:`apt_preferences__list`.
:ref:`debops.gitlab` role
'''''''''''''''''''''''''

- The LDAP support in GitLab has been converted to use the :ref:`debops.ldap`
  infrastructure and not configure LDAP objects directly. LDAP support in
  GitLab will be enabled automatically if it's enabled on the host. Some of
  the configuration variables have been changed; see the :ref:`upgrade_notes`
  for more details.

- The default LDAP filter configured in the :envvar:`gitlab__ldap_user_filter`
  variable has been modified to limit access to the service to objects with
  specific attributes. See the :ref:`GitLab LDAP access control
  <gitlab__ref_ldap_dit_access>` documentation page for details about the
  required attributes and their values.

- The GitLab project has changed its codebase structure; because of that the
  GitLab CE :command:`git` repository has been moved to a new location,
  https://gitlab.com/gitlab-org/gitlab-foss/. The role has been updated
  accordingly. Existing installations should work fine after the new codebase
  is cloned, but if unsure, users should check the change first in a
  development environment.

  More details can be found in the GitLab blog posts `here`__ and `here`__, as
  well as on the `Frequently Asked Questions`__ page.

  .. __: https://about.gitlab.com/blog/2019/02/21/merging-ce-and-ee-codebases/
  .. __: https://about.gitlab.com/blog/2019/08/23/a-single-codebase-for-gitlab-community-and-enterprise-edition/
  .. __: https://gitlab.com/gitlab-org/gitlab/issues/13855
:ref:`debops.golang` role
'''''''''''''''''''''''''

- The role has been redesigned from the ground up, and can be used to install
  Go applications either from APT packages, build them from source, or
  download precompiled binaries from remote resources. See the role
  documentation for more details.
:ref:`debops.ldap` role
'''''''''''''''''''''''

- The role will reset the LDAP host attributes defined in the
  :envvar:`ldap__device_attributes` variable on first configuration, in case
  the host has been reinstalled and some of the values changed (for example
  different IP addresses). This should avoid leaving outdated attributes in
  the host LDAP object.
:ref:`debops.nginx` role
''''''''''''''''''''''''

- The role will create the webroot directory specified in the ``item.root``
  parameter even if the ``item.owner`` and ``item.group`` parameters are not
  defined. This might cause idempotency issues if the :ref:`debops.nginx` role
  configuration and the application role configuration try to modify the same
  directory attributes. To disable the webroot creation, you can set the
  ``item.webroot_create`` parameter to ``False``. Alternatively, you should
  specify the intended owner, group and directory mode in the :command:`nginx`
  server configuration.
:ref:`debops.nullmailer` role
'''''''''''''''''''''''''''''

- The :envvar:`nullmailer__adminaddr` list is set to empty by default, so that
  all e-mail messages sent through the :command:`nullmailer` service are no
  longer redirected to the ``root`` account. This should be done on the
  relayhost instead.
:ref:`debops.owncloud` role
'''''''''''''''''''''''''''

- Drop Nextcloud 14 support because it is EOL. You need to upgrade Nextcloud
  manually if you are running 14 or below. Add Nextcloud 16 support. New
  installations now default to Nextcloud 15.

- The LDAP support in Nextcloud has been converted to use the
  :ref:`debops.ldap` infrastructure and not configure LDAP objects directly.
  LDAP support in Nextcloud will be enabled automatically if it's enabled on
  the host. Some of the configuration variables have been changed; see the
  :ref:`upgrade_notes` for more details.

- The default LDAP filter configured in the
  :envvar:`owncloud__ldap_login_filter` variable has been modified to limit
  access to the service to objects with specific attributes. See the
  :ref:`Nextcloud LDAP access control <owncloud__ref_ldap_dit_access>`
  documentation page for details about the required attributes and their
  values.

- The default LDAP group filter configured in the
  :envvar:`owncloud__ldap_group_filter` variable has been modified to limit
  the available set of ``groupOfNames`` LDAP objects to only those that have
  the ``nextcloudEnabled`` attribute set to ``true``.

- Support for disk quotas for LDAP users has been added in the default
  configuration, based on the :ref:`nextcloud LDAP schema
  <slapd__ref_nextcloud>`. The default disk quota is set to 10 GB and can be
  changed using the ``nextcloudQuota`` LDAP attribute.
:ref:`debops.postconf` role
'''''''''''''''''''''''''''

- Support for the ``465`` TCP port for message submission over Implicit TLS is
  no longer deprecated (status changed by the :rfc:`8314` document) and will
  be enabled by default with the ``auth`` capability.

- The role will configure Postfix to check the sender address of
  authenticated mail messages and block those that don't belong to the
  authenticated user. This will be enabled with the ``auth`` and the
  ``unauth-sender`` capabilities, and requires a user database to work
  correctly.
:ref:`debops.postfix` role
''''''''''''''''''''''''''

- The default primary group of the lookup tables has been changed to
  ``postfix``, and the default mode for new lookup tables will be set to
  ``0640``. This change helps secure lookup tables that utilize remote
  databases with authentication.

- Postfix lookup tables can now use shared connection configuration defined in
  a YAML dictionary to minimize data duplication. See the
  :ref:`postfix__ref_lookup_tables` documentation for more details.
:ref:`debops.resolvconf` role
'''''''''''''''''''''''''''''

- The role will install and configure the :command:`resolvconf` APT package
  only on hosts with more than one network interface (not counting ``lo``),
  or if local DNS services are also present on the host.
:ref:`debops.slapd` role
''''''''''''''''''''''''

- Enable substring index for the ``sudoUser`` attribute from the
  :ref:`sudo LDAP schema <slapd__ref_sudo>`. Existing installations should be
  updated manually via the LDAP client, by setting the value of the
  ``sudoUser`` index to ``eq,sub``.

- Add indexes for the ``authorizedService`` and ``host`` attributes from the
  :ref:`ldapns LDAP schema <slapd__ref_ldapns>` and the ``gid`` attribute from
  the :ref:`posixGroupId LDAP schema <slapd__ref_posixgroupid>`. This should
  improve performance in UNIX environments connected to the LDAP directory.

- The number of rounds in SHA-512 password hashes has been increased from 5000
  (default) to 100001. Existing password hashes will be unaffected.

- The ``employeeNumber`` attribute in the ``ou=People,dc=example,dc=org`` LDAP
  subtree will be constrained to digits only, and the LDAP directory will
  enforce its uniqueness in the subtree. This allows the attribute to be used
  for correlation of personal LDAP objects to RDBMS-based databases.

- The ``mail`` attribute is changed from unique for objects in the
  ``ou=People,dc=example,dc=org`` LDAP subtree to globally unique, due to its
  use for authentication purposes. The attribute will be indexed by default.

- Access to the ``carLicense``, ``homePhone`` and ``homePostalAddress``
  attributes has been restricted to privileged accounts only (administrators,
  entry owner). The values cannot be seen by unprivileged and anonymous users.

- Write access to the ``ou=SUDOers,dc=example,dc=org`` LDAP subtree has been
  restricted to the members of the "UNIX Administrators" LDAP group.
:ref:`debops.sshd` role
'''''''''''''''''''''''

- The role will allow or deny access to the ``root`` account via password
  depending on the presence of the :file:`/root/.ssh/authorized_keys` file.
  See :ref:`sshd__ref_root_password` for more details. This requires the
  updated :file:`root_account.fact` script from the :ref:`debops.root_account`
  role.

- The role will use Ansible local facts to check if the OpenSSH server package
  is installed, to conditionally enable/disable its start on first install.
debops-contrib.dropbear_initramfs role
''''''''''''''''''''''''''''''''''''''

- Better default value for ``dropbear_initramfs__network_device`` by detecting
  the default network interface using Ansible facts instead of the previously
  hard-coded ``eth0``.
Removed
~~~~~~~

:ref:`debops.ansible_plugins` role
''''''''''''''''''''''''''''''''''

- The ``ldappassword`` Ansible filter plugin has been removed as it is no
  longer used in DebOps roles. The preferred method for storing passwords in
  LDAP is to pass them in plaintext (over TLS) and let the directory server
  store them in a hashed form. See also: :rfc:`3062`.

:ref:`debops.ldap` role
'''''''''''''''''''''''

- The use of the ``params`` option in the ``ldap_attrs`` and ``ldap_entry``
  Ansible modules is deprecated due to its insecure nature. As a consequence,
  the :ref:`debops.ldap` role has been updated to not use this option and the
  ``ldap__admin_auth_params`` variable has been removed.

:ref:`debops.nginx` role
''''''''''''''''''''''''

- Set ``nginx_upstream_php5_www_data`` to absent. If you are still using that
  Nginx upstream, which was enabled by default, update your Ansible role and
  switch to a supported PHP release.

Fixed
~~~~~

General
'''''''

- The "Edit on GitHub" links on the role default variable pages in the
  documentation have been fixed and now point to the correct source files on
  GitHub.

:ref:`debops.dnsmasq` role
''''''''''''''''''''''''''

- On Ubuntu hosts, the role will fix the configuration installed by the
  :command:`lxd` package to use the ``bind-dynamic`` option instead of
  ``bind-interfaces``. This allows the :command:`dnsmasq` service to start
  correctly.

:ref:`debops.ferm` role
'''''''''''''''''''''''

- The ``dmz`` firewall configuration will use the ``dport`` parameter instead
  of ``port``, otherwise filtering rules will not work as expected.

:ref:`debops.nfs_server` role
'''''''''''''''''''''''''''''

- In the :envvar:`nfs_server__firewall_ports` variable, convert the
  ``dict_keys`` view into a list due to the `change in Python 3
  implementation`__ of dictionaries.

  .. __: https://docs.ansible.com/ansible/latest/user_guide/playbooks_python_version.html#dictionary-views

:ref:`debops.nginx` role
''''''''''''''''''''''''

- Fix an issue in the :file:`php.conf.j2` server template when an
  ``item.location`` parameter is specified, overriding the default set of
  ``location`` blocks defined in the :file:`default.conf.j2` template. If the
  ``/`` location is not specified in the ``item.location`` dictionary, a
  default one will be included by the role.

:ref:`debops.postconf` role
'''''''''''''''''''''''''''

- Disable the ``smtpd_helo_restrictions`` option on the ``submission`` and
  ``smtps`` TCP ports when authentication and MX lookups are enabled. This
  should fix an issue where an SMTP client sends the host's IP address as its
  HELO/EHLO response, which might not be configurable by the user.

Security
~~~~~~~~
:ref:`debops.nginx` role
''''''''''''''''''''''''

- Mitigation for the `CVE-2019-11043`__ vulnerability has been applied in the
  :command:`nginx` ``php`` and ``php5`` configuration templates. The
  mitigation is based on the `suggested workaround`__ from the PHP Bug
  Tracker.

  .. __: https://security-tracker.debian.org/tracker/CVE-2019-11043
  .. __: https://bugs.php.net/bug.php?id=78599
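  To show what that workaround looks like in practice, here is an added
  example (not the role's own template) of the usual PHP-FPM ``location``
  block before and after the change; the PHP-FPM socket path, the PHP version
  in it and the document root are assumed placeholders.

  ```nginx
  # Added illustration, not the debops.nginx template; socket path and PHP
  # version are assumed placeholders.

  # BEFORE: the widely copied PHP-FPM location block. fastcgi_split_path_info
  # derives SCRIPT_FILENAME and PATH_INFO from the request URI alone and the
  # request is handed to PHP-FPM without checking that the script exists. When
  # the URI does not match the split regex, PATH_INFO is passed empty, which is
  # the input that triggers the PHP-FPM bug behind CVE-2019-11043.
  location ~ [^/]\.php(/|$) {
      fastcgi_split_path_info ^(.+?\.php)(/.*)$;
      include fastcgi_params;
      fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
      fastcgi_param PATH_INFO       $fastcgi_path_info;
      fastcgi_pass unix:/run/php/php7.3-fpm.sock;   # assumed socket path
  }

  # AFTER: the workaround from PHP bug #78599. try_files verifies that the
  # script named by $fastcgi_script_name exists under $document_root and
  # answers 404 otherwise, so requests that never map to a real .php file are
  # rejected by nginx before reaching PHP-FPM. try_files re-evaluates request
  # variables, so $fastcgi_path_info is copied into $path_info first and that
  # copy is what gets passed as PATH_INFO.
  location ~ [^/]\.php(/|$) {
      fastcgi_split_path_info ^(.+?\.php)(/.*)$;
      set $path_info $fastcgi_path_info;
      try_files $fastcgi_script_name =404;
      include fastcgi_params;
      fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
      fastcgi_param PATH_INFO       $path_info;
      fastcgi_pass unix:/run/php/php7.3-fpm.sock;   # assumed socket path
  }
  ```

  The hardened block is a workaround at the web-server layer; upgrading PHP-FPM
  to a fixed release is the complete remediation.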
:ref:`debops.owncloud` role
'''''''''''''''''''''''''''

- A security patch for the `CVE-2019-11043`__ vulnerability has been applied
  in the Nextcloud configuration for the :ref:`debops.nginx` role. The patch
  is based on the `fix suggested by upstream`__.

  .. __: https://security-tracker.debian.org/tracker/CVE-2019-11043
  .. __: https://nextcloud.com/blog/urgent-security-issue-in-nginx-php-fpm/