DebOps v1.2.0 Release Notes

Release Date: 2019-12-01

.. _debops v1.2.0: https://github.com/debops/debops/compare/v1.1.0...v1.2.0

    Added
    ~~~~~

    New DebOps roles
    ''''''''''''''''
    
    - Add the :ref:`debops.postldap` Ansible role to configure and enable
      :ref:`debops.postfix` to host multiple (virtual) domains, and thus provide
      email service to several domains with just one mail server.
      Currently the Virtual Mail support works only with **LDAP enabled**;
      in the future MariaDB could be enabled.
    
    - The :ref:`debops.minio` and :ref:`debops.mcli` Ansible roles can be used to
      install and configure `MinIO`__ object storage service and its corresponding
      client binary.
    
      .. __: https://minio.io/
    
    - The :ref:`debops.tinyproxy` role can be used to set up a lightweight
      HTTP/HTTPS proxy for an upstream server.
    
    - The :ref:`debops.libuser` Ansible role configures the `libuser`__ library and
      related commands. This library is used by some of the other DebOps roles to
      manage local UNIX accounts and groups on LDAP-enabled hosts.
    
      .. __: https://pagure.io/libuser/
    
    General
    '''''''
    
    - Add more entries to be ignored by default by the :command:`git` command in
      the DebOps project directories:
    
      - :file:`debops`: ignore DebOps monorepo cloned or symlinked into the project
        directory.
    
      - :file:`roles` and :file:`playbooks`: ignore roles and playbooks in
        development; production code should be put in the :file:`ansible/roles/`
        and the :file:`ansible/playbooks/` directories respectively.
    
    - The :command:`debops-init` script now also creates the .gitattributes file
      for use with :command:`git-crypt`. It is commented out by default.
    
    - The :command:`debops-defaults` command will check what pagers
      (:command:`view`, :command:`less`, :command:`more`) are available and use the
      best one automatically.
    
    - A new Ansible module, ``dpkg_divert``, can be used to divert the
      configuration files out of the way to preserve them and avoid issues with
      package upgrades. The module is available in the
      :ref:`debops.ansible_plugins` role.
    
    LDAP
    ''''
    
    - The :file:`ldap/init-directory.yml` Ansible playbook will create the LDAP
      objects ``cn=LDAP Replicators`` and ``cn=Password Reset Agents`` to allow
      other Ansible roles to utilize them without the need for the system
      administrator to define them by hand.
    
    - The :file:`ldap/get-uuid.yml` Ansible playbook can be used to convert LDAP
      Distinguished Names to UUIDs to look up the password files if needed.
    
    :ref:`debops.apt_install` role
    ''''''''''''''''''''''''''''''
    
    - The `open-vm-tools`__ APT package will be installed by default in VMware
      virtual machines.
    
      .. __: https://github.com/vmware/open-vm-tools
    
    :ref:`debops.dnsmasq` role
    ''''''''''''''''''''''''''
    
    - The role will tell the client applications to `disable DNS-over-HTTPS
      support`__ using the ``use-application-dns.net`` DNS record. This should
      allow connections to internal sites and preserve the split-DNS functionality.
    
      .. __: https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet
    
    :ref:`debops.dokuwiki` role
    '''''''''''''''''''''''''''
    
    - The role will configure LDAP support in DokuWiki when an LDAP environment
      managed by the :ref:`debops.ldap` Ansible role is detected. Read the
      :ref:`dokuwiki__ref_ldap_support` chapter in the documentation for more
      details.
    
    :ref:`debops.cron` role
    '''''''''''''''''''''''
    
    - The execution time of the ``hourly``, ``daily``, ``weekly`` and ``monthly``
      :command:`cron` jobs will be randomized on a per-host basis to avoid large
      job execution spikes every morning. See the role documentation for more
      details.
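      To illustrate the idea, the following added example (not code from the
      debops.cron role; how the role seeds its randomization is not described
      here) derives a fixed, host-specific minute and hour for a daily job from a
      checksum of the hostname, so each host keeps the same schedule across runs
      while different hosts spread out over the window. The 00:00-05:59 window,
      the ``:minute``/``:hour`` salt strings and the hostnames are constructed
      assumptions:

```shell
#!/bin/sh
# Added example, not DebOps code: derive a stable per-host start time for a
# periodic job from the hostname, so hosts spread their "daily" runs over a
# window instead of all firing at the same minute.

# Map an arbitrary string to a deterministic integer in [0, modulus).
# cksum is POSIX; the string itself is the seed, so the result is stable
# across runs but differs between hosts. (Assumption: a hostname-derived hash
# is an acceptable seed for this purpose.)
stable_index() {
    seed="$1"
    modulus="$2"
    crc=$(printf '%s' "$seed" | cksum | cut -d' ' -f1)
    echo $((crc % modulus))
}

# Emit a crontab line for a daily job: minute and hour are chosen per host,
# using different salt strings so that minute and hour are not correlated.
# The 6-hour window (00:00-05:59) is a constructed choice for the example.
daily_cron_line() {
    host="$1"
    command="$2"
    minute=$(stable_index "${host}:minute" 60)
    hour=$(stable_index "${host}:hour" 6)
    printf '%d %d * * * root %s\n' "$minute" "$hour" "$command"
}

# Demo on a few constructed hostnames: each host gets its own stable slot.
for h in web01.example.org web02.example.org db01.example.org; do
    daily_cron_line "$h" "/usr/sbin/logrotate /etc/logrotate.conf"
done
```

      Because the seed is the hostname and not a random number drawn at run time,
      re-running the generator (or re-applying the configuration) never moves a
      host's job, which keeps the schedule idempotent while still avoiding the
      fleet-wide spike.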
    
    :ref:`debops.nullmailer` role
    '''''''''''''''''''''''''''''
    
    - When the :ref:`LDAP environment <debops.ldap>` is configured on a host, the
      :ref:`debops.nullmailer` role will create the service account in the LDAP
      directory and configure the :command:`nullmailer` service to use SASL
      authentication with its LDAP credentials to send e-mails to the relayhost.
    
    :ref:`debops.pki` role
    ''''''''''''''''''''''
    
    - Newly created PKI realms will have a new :file:`public/full.pem` file which
      contains the full X.509 certificate chain, including the Root CA certificate,
      which might be required by some applications that rely on TLS.
    
      Existing PKI realms will not be modified, but Ansible roles that use the PKI
      infrastructure might expect the new files to be present. It is advisable to
      :ref:`recreate the PKI realms <pki__ref_realm_renewal>` when possible, or
      create the missing files manually.
    
    :ref:`debops.saslauthd` role
    ''''''''''''''''''''''''''''
    
    - The role can now be used to authenticate users of different services against
      the LDAP directory via integration with the :ref:`debops.ldap` role and its
      framework. Multiple LDAP profiles can be used to provide different access
      control for different services.
    
    :ref:`debops.slapd` role
    ''''''''''''''''''''''''
    
    - Add support for :ref:`eduPerson LDAP schema <slapd__ref_eduperson>` with
      updated schema file included in the role.
    
    - The role will configure SASL authentication in the OpenLDAP service using the
      :ref:`debops.saslauthd` Ansible role. Both humans and machines can
      authenticate to the OpenLDAP directory using their respective LDAP objects.
    
    - The :ref:`lastbind overlay <slapd__ref_lastbind_overlay>` will be enabled by
      default. This overlay records the timestamp of the last successful bind
      operation of a given LDAP object, which can be used to, for example, check
      the date of the last successful login of a given user account.
    
    - Add support for :ref:`nextcloud LDAP schema <slapd__ref_nextcloud>` which
      provides attributes needed to define disk quotas for Nextcloud user accounts.
    
    - The Access Control List rules can now be tested using the :man:`slapacl(8)`
      command via a generated :ref:`test suite script <slapd__ref_acl_tests>`.
    
    - The default ACL rules have been overhauled to add support for the
      ``ou=Roles,dc=example,dc=org`` subtree and use of the ``organizationalRole``
      LDAP objects for authorization. The old set of rules is still active to
      ensure that the existing environments work as expected.
    
      If you use a modified ACL configuration, you should include the new rules as
      well to ensure that changes in the :ref:`debops.ldap` support are working
      correctly.
    
    - You can now hide specific LDAP objects from unprivileged users by adding them
      to a special ``cn=Hidden Objects,ou=Groups,dc=example,dc=org`` LDAP group.
      The required ACL rule will be enabled by default; the objects used to control
      visibility will be created by the :file:`ldap/init-directory.yml` playbook.
    
    - New "SMS Gateway" LDAP role grants read-only access to the ``mobile``
      attribute by SMS gateways. This is needed for implementing 2-factor
      authentication via SMS messages.
    
    :ref:`debops.unbound` role
    ''''''''''''''''''''''''''
    
    - The role will tell the client applications to `disable DNS-over-HTTPS
      support`__ using the ``use-application-dns.net`` DNS record. This should
      allow connections to internal sites and preserve the split-DNS functionality.
    
      .. __: https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet
    
    - The role will configure the :command:`unbound` daemon to allow non-recursive
      access to DNS queries when a host is managed by Ansible locally, on the
      assumption that it is an Ansible Controller host. This change unblocks use of
      the :command:`dig +trace` and similar commands.

    Changed
    ~~~~~~~

    Updates of upstream application versions
    ''''''''''''''''''''''''''''''''''''''''

    - In the :ref:`debops.gitlab` role, the GitLab version has been updated to
      12.2. This is the last release that supports Ruby 2.5, which is included in
      Debian Buster.

    - In the :ref:`debops.ipxe` role, the Debian Stretch and Debian Buster netboot
      installer versions have been updated to their next point releases, 9.10 and
      10.2 respectively.

    - In the :ref:`debops.netbox` role, the NetBox version has been updated to
      v2.6.3.

    Continuous Integration
    ''''''''''''''''''''''

    - The ``$DEBOPS_FROM`` environment variable can be used to select how DebOps
      scripts should be installed in the Vagrant environment: either ``devel``
      (local build) or ``pypi`` (installation from the PyPI repository). This makes
      the Vagrant environment more useful on Windows hosts, where the
      :file:`/vagrant` directory is not mounted due to issues with symlinks.

    - The :command:`make test` command will not run the Docker tests anymore, to
      make the default tests faster. To run the Docker tests with all other tests,
      you can use the :command:`make test docker` command.

    General
    '''''''

    - External commands used in the DebOps scripts have been defined as constants
      to allow easier changes of the command location in various operating
      systems, for example Guix.

    - The default Ansible callback plugin used by DebOps is changed to ``yaml``,
      which gives a cleaner look for various outputs and error messages. The
      callback plugin will be active by default in new DebOps project directories;
      in existing directories users can add:

      .. code-block:: ini

         [ansible defaults]
         stdout_callback = yaml

      in the :file:`.debops.cfg` configuration file.

    LDAP
    ''''

    - The :file:`ldap/init-directory.yml` playbook has been updated to use the new
      ``ou=Roles,dc=example,dc=org`` LDAP subtree, which will contain various
      ``organizationalRole`` objects. After updating the OpenLDAP Access Control
      List using the :ref:`debops.slapd` role, you can use the playbook on an
      existing installation to create the missing objects.

      The ``cn=UNIX Administrators`` and ``cn=UNIX SSH users`` LDAP objects will be
      created in the ``ou=Groups,dc=example,dc=org`` LDAP subtree. On existing
      installations, these objects need to be moved manually to the new subtree,
      otherwise the playbook will try to create them and fail due to duplicate
      UID/GID numbers, which are enforced to be unique. You can move the objects
      using an LDAP client, for example Apache Directory Studio.

      The ``ou=System Groups,dc=example,dc=org`` subtree will not be created
      anymore. On existing installations this subtree will be left intact and can
      be safely removed after migration.

    - Access to the OpenLDAP service configured using the :ref:`debops.slapd` role
      now requires explicit firewall and TCP Wrappers configuration to allow access
      from trusted IP addresses and subnets. You can use the ``slapd__*_allow``
      variables in the Ansible inventory to specify the IP addresses and subnets
      that can access the service.

      To preserve the old behaviour of granting access by default from anywhere,
      you can set the :envvar:`slapd__accept_any` variable to ``True``.

    :ref:`debops.apt_preferences` role
    ''''''''''''''''''''''''''''''''''

    - Support Debian Buster in :ref:`apt_preferences__list`.

    :ref:`debops.gitlab` role
    '''''''''''''''''''''''''

    - The LDAP support in GitLab has been converted to use the :ref:`debops.ldap`
      infrastructure and not configure LDAP objects directly. LDAP support in
      GitLab will be enabled automatically if it's enabled on the host. Some of the
      configuration variables have been changed; see the :ref:`upgrade_notes` for
      more details.

    - The default LDAP filter configured in the :envvar:`gitlab__ldap_user_filter`
      variable has been modified to limit access to the service to objects with
      specific attributes. See the :ref:`GitLab LDAP access control
      <gitlab__ref_ldap_dit_access>` documentation page for details about the
      required attributes and their values.

    - The GitLab project has changed its codebase structure; because of that, the
      GitLab CE :command:`git` repository has been moved to a new location,
      https://gitlab.com/gitlab-org/gitlab-foss/. The role has been updated
      accordingly. Existing installations should work fine after the new codebase
      is cloned, but if unsure, users should check the change first in
      a development environment.

      More details can be found in GitLab blog posts `here`__ and `here`__, as well
      as the `Frequently Asked Questions`__ page.

      .. __: https://about.gitlab.com/blog/2019/02/21/merging-ce-and-ee-codebases/
      .. __: https://about.gitlab.com/blog/2019/08/23/a-single-codebase-for-gitlab-community-and-enterprise-edition/
      .. __: https://gitlab.com/gitlab-org/gitlab/issues/13855

    :ref:`debops.golang` role
    '''''''''''''''''''''''''

    - The role has been redesigned from the ground up, and can be used to install
      Go applications either from APT packages, build them from source, or
      download precompiled binaries from remote resources. See the role
      documentation for more details.

    :ref:`debops.ldap` role
    '''''''''''''''''''''''

    - The role will reset the LDAP host attributes defined in the
      :envvar:`ldap__device_attributes` variable on first configuration, in case
      the host has been reinstalled and some of their values changed (for example
      different IP addresses). This should avoid leaving outdated attributes in
      the host LDAP object.

    :ref:`debops.nginx` role
    ''''''''''''''''''''''''

    - The role will create the webroot directory specified in the ``item.root``
      parameter even if the ``item.owner`` and ``item.group`` parameters are not
      defined. This might have idempotency issues if the :ref:`debops.nginx` role
      configuration and the application role configuration try to modify the same
      directory attributes. To disable the webroot creation, you can set the
      ``item.webroot_create`` parameter to ``False``. Alternatively, you should
      specify the intended owner, group and directory mode in the :command:`nginx`
      server configuration.

    :ref:`debops.nullmailer` role
    '''''''''''''''''''''''''''''

    - The :envvar:`nullmailer__adminaddr` list is set to empty by default, to not
      redirect all e-mail messages sent through the :command:`nullmailer` service
      to the ``root`` account. This should be done on the relayhost instead.

    :ref:`debops.owncloud` role
    '''''''''''''''''''''''''''

    - Drop Nextcloud 14 support because it is EOL. You need to upgrade Nextcloud
      manually if you are running 14 or below. Add Nextcloud 16 support. Now
      default to Nextcloud 15 for new installations.

    - The LDAP support in Nextcloud has been converted to use the
      :ref:`debops.ldap` infrastructure and not configure LDAP objects directly.
      LDAP support in Nextcloud will be enabled automatically if it's enabled on
      the host. Some of the configuration variables have been changed; see the
      :ref:`upgrade_notes` for more details.

    - The default LDAP filter configured in the
      :envvar:`owncloud__ldap_login_filter` variable has been modified to limit
      access to the service to objects with specific attributes. See the
      :ref:`Nextcloud LDAP access control <owncloud__ref_ldap_dit_access>`
      documentation page for details about the required attributes and their
      values.

    - The default LDAP group filter configured in the
      :envvar:`owncloud__ldap_group_filter` variable has been modified to limit
      the available set of ``groupOfNames`` LDAP objects to only those that have
      the ``nextcloudEnabled`` attribute set to ``true``.

    - Support for disk quotas for LDAP users has been added in the default
      configuration, based on the :ref:`nextcloud LDAP schema
      <slapd__ref_nextcloud>`. The default disk quota is set to 10 GB and can be
      changed using the ``nextcloudQuota`` LDAP attribute.

    :ref:`debops.postconf` role
    '''''''''''''''''''''''''''

    - Support for the 465 TCP port for message submission over Implicit TLS is no
      longer deprecated (status changed by the :rfc:`8314` document) and will be
      enabled by default with the ``auth`` capability.

    - The role will configure Postfix to check the sender address of
      authenticated mail messages and block those that don't belong to the
      authenticated user. This will be enabled with the ``auth`` and the
      ``unauth-sender`` capabilities, and requires a user database to work
      correctly.

    :ref:`debops.postfix` role
    ''''''''''''''''''''''''''

    - The default primary group of the lookup tables has been changed to
      ``postfix``, and the default mode for new lookup tables will be set to
      ``0640``. This change helps secure lookup tables that utilize remote
      databases with authentication.

    - Postfix lookup tables can now use shared connection configuration defined in
      a YAML dictionary to minimize data duplication. See the
      :ref:`postfix__ref_lookup_tables` documentation for more details.

    :ref:`debops.resolvconf` role
    '''''''''''''''''''''''''''''

    - The role will install and configure the :command:`resolvconf` APT package
      only on hosts with more than one network interface (not counting ``lo``), or
      if local DNS services are also present on the host.

    :ref:`debops.slapd` role
    ''''''''''''''''''''''''

    - Enable substring index for the ``sudoUser`` attribute from the :ref:`sudo
      LDAP schema <slapd__ref_sudo>`. Existing installations should be updated
      manually via the LDAP client, by setting the value of the ``sudoUser`` index
      to ``eq,sub``.

    - Add indexes for the ``authorizedService`` and ``host`` attributes from the
      :ref:`ldapns LDAP schema <slapd__ref_ldapns>` and the ``gid`` attribute from
      the :ref:`posixGroupId LDAP schema <slapd__ref_posixgroupid>`. This should
      improve performance in UNIX environments connected to the LDAP directory.

    - The number of rounds in SHA-512 password hashes has been increased from 5000
      (default) to 100001. Existing password hashes will be unaffected.

    - The ``employeeNumber`` attribute in the ``ou=People,dc=example,dc=org`` LDAP
      subtree will be constrained to digits only, and the LDAP directory will
      enforce its uniqueness in the subtree. This allows the attribute to be used
      for correlation of personal LDAP objects to RDBMS-based databases.

    - The ``mail`` attribute is changed from unique for objects in the
      ``ou=People,dc=example,dc=org`` LDAP subtree to globally unique, due to its
      use for authentication purposes. The attribute will be indexed by default.

    - Access to the ``carLicense``, ``homePhone`` and ``homePostalAddress``
      attributes has been restricted to privileged accounts only (administrators,
      entry owner). The values cannot be seen by unprivileged and anonymous users.

    - Write access to the ``ou=SUDOers,dc=example,dc=org`` LDAP subtree has been
      restricted to the members of the "UNIX Administrators" LDAP group.

    :ref:`debops.sshd` role
    '''''''''''''''''''''''

    - The role will allow or deny access to the ``root`` account via password
      depending on the presence of the :file:`/root/.ssh/authorized_keys` file.
      See :ref:`sshd__ref_root_password` for more details. This requires the
      updated :file:`root_account.fact` script from the :ref:`debops.root_account`
      role.

    - The role will use Ansible local facts to check if the OpenSSH server package
      is installed, to conditionally enable/disable its start on first install.
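      The following added shell example (not the debops.sshd role's own code)
      shows one way to derive the ``PermitRootLogin`` value from the
      ``authorized_keys`` file and write it to an OpenSSH drop-in directory. It
      assumes that "present" means the file holds at least one non-comment line,
      that key-based root login should then replace password login
      (``prohibit-password``), and that password login stays allowed only until
      keys are deployed; the drop-in file name and the sample key are
      constructed:

```shell
#!/bin/sh
# Added example, not code from the debops.sshd role: decide the PermitRootLogin
# value from the presence of an authorized_keys file for root, and write it to
# an sshd_config drop-in. Assumption (labelled): "present" means the file
# contains at least one non-comment, non-blank line; key-based login then
# replaces password login for root.

# Print the PermitRootLogin value to use for the given authorized_keys path.
root_login_policy() {
    keys_file="$1"
    # -s: file exists and is non-empty; grep -v: at least one real key line
    if [ -s "$keys_file" ] && grep -qvE '^[[:space:]]*(#|$)' "$keys_file"; then
        echo "prohibit-password"   # keys exist: passwords for root are refused
    else
        echo "yes"                 # no keys yet: allow password so the host can be bootstrapped
    fi
}

# Write the decision into a drop-in directory (sshd_config.d is read by
# OpenSSH >= 8.2 through an Include directive; older releases need that
# directive added by hand). The file name is a constructed choice.
write_root_login_dropin() {
    keys_file="$1"
    dropin_dir="$2"
    mkdir -p "$dropin_dir"
    printf 'PermitRootLogin %s\n' "$(root_login_policy "$keys_file")" \
        > "$dropin_dir/10-root-login.conf"
    cat "$dropin_dir/10-root-login.conf"
}

# Demo on constructed files in a temporary directory: empty file, comment-only
# file and a file with one (fake, constructed) key.
tmp=$(mktemp -d)
: > "$tmp/empty_keys"
printf '# comment only\n\n' > "$tmp/comment_keys"
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyForDemoOnly0000000 admin@example.org\n' \
    > "$tmp/real_keys"
for f in empty_keys comment_keys real_keys; do
    printf '%s: PermitRootLogin %s\n' "$f" "$(root_login_policy "$tmp/$f")"
done
write_root_login_dropin "$tmp/real_keys" "$tmp/sshd_config.d"
rm -r "$tmp"
```

      Treating a comment-only or empty file the same as a missing one matters for
      the failure mode this logic exists to avoid: a host whose
      ``authorized_keys`` was created but never populated must not end up with
      both password and key login for root disabled.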

    debops-contrib.dropbear_initramfs role
    ''''''''''''''''''''''''''''''''''''''

    - Better default value for ``dropbear_initramfs__network_device`` by detecting
      the default network interface using Ansible facts instead of the previously
      hard-coded ``eth0``.

    Removed
    ~~~~~~~

    :ref:`debops.ansible_plugins` role
    ''''''''''''''''''''''''''''''''''
    
    - The ``ldappassword`` Ansible filter plugin has been removed as it is no
      longer used in DebOps roles. The preferred method for storing passwords in
      LDAP is to pass them in plaintext (over TLS) and let the directory server
      store them in a hashed form. See also: :rfc:`3062`.
    
    :ref:`debops.ldap` role
    '''''''''''''''''''''''
    
    - The use of the ``params`` option in the ``ldap_attrs`` and ``ldap_entry``
      Ansible modules is deprecated due to their insecure nature. As a consequence,
      the :ref:`debops.ldap` role has been updated to not use this option and the
      ``ldap__admin_auth_params`` variable has been removed.
    
    :ref:`debops.nginx` role
    ''''''''''''''''''''''''
    
    - Set ``nginx_upstream_php5_www_data`` to absent. If you are still using that
      Nginx upstream, which was enabled by default, then update your Ansible role
      and switch to a supported PHP release.

    Fixed
    ~~~~~
    
    General
    '''''''
    
    - The "Edit on GitHub" links on the role default variable pages in the
      documentation have been fixed and now point to the correct source files on
      GitHub.
    
    :ref:`debops.dnsmasq` role
    ''''''''''''''''''''''''''
    
    - On Ubuntu hosts, the role will fix the configuration installed by the
      :command:`lxd` package to use ``bind-dynamic`` option instead of
      ``bind-interfaces``. This allows the :command:`dnsmasq` service to start
      correctly.
    
    :ref:`debops.ferm` role
    '''''''''''''''''''''''
    
    - The ``dmz`` firewall configuration will use the ``dport`` parameter instead
      of ``port``, otherwise filtering rules will not work as expected.
    
    :ref:`debops.nfs_server` role
    '''''''''''''''''''''''''''''
    
    - In the :envvar:`nfs_server__firewall_ports` variable, convert the
      ``dict_keys`` view into a list due to `change in Python 3 implementation`__
      of dictionaries.
    
      .. __: https://docs.ansible.com/ansible/latest/user_guide/playbooks_python_version.html#dictionary-views
    
    :ref:`debops.nginx` role
    ''''''''''''''''''''''''
    
    - Fix an issue in the :file:`php.conf.j2` server template when an
      ``item.location`` parameter is specified, overriding the default set of
      ``location`` blocks defined in the :file:`default.conf.j` template. If the
      ``/`` location is not specified in the ``item.location`` dictionary,
      a default one will be included by the role.
    
    :ref:`debops.postconf` role
    '''''''''''''''''''''''''''
    
    - Disable the ``smtpd_helo_restrictions`` option on the ``submission`` and
      ``smtps`` TCP ports when the authentication and MX lookups are enabled. This
      should fix an issue where an SMTP client sends the host's IP address as its
      HELO/EHLO response, which might not be configurable by the user.

    Security
    ~~~~~~~~

    :ref:`debops.nginx` role
    ''''''''''''''''''''''''

    - Mitigation for the `CVE-2019-11043`__ vulnerability has been applied in the
      :command:`nginx` ``php`` and ``php5`` configuration templates. The mitigation
      is based on the suggested `workaround`__ from the PHP Bug Tracker.

      .. __: https://security-tracker.debian.org/tracker/CVE-2019-11043
      .. __: https://bugs.php.net/bug.php?id=78599

    :ref:`debops.owncloud` role
    '''''''''''''''''''''''''''

    - Security patch for the `CVE-2019-11043`__ vulnerability has been applied in
      the Nextcloud configuration for the :ref:`debops.nginx` role. The patch is
      based on the fix suggested by `upstream`__.

      .. __: https://security-tracker.debian.org/tracker/CVE-2019-11043
      .. __: https://nextcloud.com/blog/urgent-security-issue-in-nginx-php-fpm/