DebOps v2.0.0 Release Notes
===========================

Release Date: 2020-01-30
.. _debops v2.0.0: https://github.com/debops/debops/compare/v1.2.0...v2.0.0

Added
~~~~~

New DebOps roles
''''''''''''''''

- The :ref:`debops.lxd` role brings support for LXD on Debian hosts by building
  the Go binaries from source, without Snap installation.

General
'''''''

- The DebOps Python package now includes the ``debops.<role>(5)`` manual pages
  for most of the DebOps roles, with details about role usage, variable
  definitions and the like. The manual pages are based on the existing role
  documentation.

- The DebOps project directories can now include the
  :file:`ansible/global-vars.yml` file, which can be used to define
  :ref:`global Ansible variables <global_vars>` that affect playbook
  initialization.

:ref:`debops.docker_registry` role
''''''''''''''''''''''''''''''''''

- The :envvar:`docker_registry__basic_auth_except_get` variable allows setting
  up a simple authentication scheme without the need to deploy the full Docker
  Registry Token Authentication.

:ref:`debops.docker_server` role
''''''''''''''''''''''''''''''''

- Add the ``docker_server__install_virtualenv`` setting to disable Python
  virtualenv installation.

:ref:`debops.gitlab_runner` role
''''''''''''''''''''''''''''''''

- The role can now use DNS SRV resource records to find the GitLab API host
  address. Additionally, the GitLab Runner token can be stored in the
  :file:`secret/` directory in a predetermined location to avoid exposing it via
  the Ansible inventory. See the role documentation for details.

:ref:`debops.icinga` role
'''''''''''''''''''''''''

- The role now configures the Icinga REST API to also listen on IPv6 addresses.
  The listen address and port can be changed through the ``icinga__api_listen``
  and ``icinga__api_port`` variables.

:ref:`debops.nslcd` role
''''''''''''''''''''''''

- The role will now use an LDAP host filter by default, to allow easy control
  over which UNIX accounts and UNIX groups are present on which hosts, using
  the ``host`` LDAP attribute.

:ref:`debops.postgresql_server` role
''''''''''''''''''''''''''''''''''''

- A given PostgreSQL server cluster can be configured to enable
  `standby replication mode`__ and receive streaming replication data from
  a master PostgreSQL server. See the role documentation for examples.

  .. __: https://www.postgresql.org/docs/current/warm-standby.html

- The :command:`autopostgresqlbackup` script can be configured to tell the
  :command:`pg_dump` command to compress the generated backup files on the fly
  instead of creating a separate ``.sql`` file and compressing it afterwards.
  This mode is currently disabled by default.

:ref:`debops.resolvconf` role
'''''''''''''''''''''''''''''

- The role can now define static DNS configuration to be merged with other DNS
  data sources in the :file:`/etc/resolv.conf` configuration file.

:ref:`debops.roundcube` role
''''''''''''''''''''''''''''

- The Roundcube installation is now more integrated with the DebOps
  environment. The role will automatically configure
  :ref:`Redis <debops.redis_server>` and :ref:`memcached <debops.memcached>`
  support if they are detected on the Roundcube host, which should improve
  application performance.

- If LDAP infrastructure is detected on the host, Roundcube will be configured
  to use the LDAP directory managed by DebOps as an address book.

- The ManageSieve Roundcube plugin will be enabled by default to allow
  configuration of Sieve filter scripts. The role will use DNS SRV resource
  records to find the Sieve service host and port to use.

- The role can now use PostgreSQL as a database backend. The database server
  can be managed with the :ref:`debops.postgresql_server` role.

:ref:`debops.slapd` role
''''''''''''''''''''''''

- The :ref:`mailservice <slapd__ref_mailservice>` LDAP schema has been added to
  the :ref:`debops.slapd` role. It provides a set of object classes and
  attributes useful for defining e-mail recipients and simple mail distribution
  lists in the LDAP directory.

Changed
~~~~~~~

General
'''''''

- Reorder the :file:`bootstrap.yml` Ansible playbook to also work for systems
  freshly installed from CD. :ref:`debops.apt` needs to be run early to
  regenerate :file:`/etc/apt/sources.list`, which might still contain a now
  non-functional CD entry.

- Most of the role dependencies have been moved either to the playbooks or to
  the role task lists using the ``import_role`` Ansible module.

- The official DebOps roles have been renamed and the ``debops.`` prefix has
  been dropped from the directory names to better support Ansible Collections.
  Custom playbooks and role dependencies which use the DebOps roles have to be
  updated to work again.

- The :file:`<role_name>/env` "sub-roles" in various DebOps roles have been
  redesigned for use via the ``import_role`` Ansible module to improve support
  for Ansible Collections. Existing Ansible playbooks that use such "sub-roles"
  will have to be updated; check the playbooks included in DebOps for the new
  usage examples.

- The ``collections:`` keyword was added in all DebOps playbooks to support
  usage with roles, modules and other plugins in an Ansible Collection. Due to
  this, Ansible 2.8+ is required to use DebOps playbooks.

- The paths to the passwords stored in the :file:`secret/` directory by various
  roles have been changed to use the ``inventory_hostname`` variable instead of
  the ``ansible_fqdn`` variable. This change will result in passwords set in
  various services being regenerated, which might have an impact on service
  availability. See :ref:`upgrade_notes` for details.

Updates of upstream application versions
''''''''''''''''''''''''''''''''''''''''

- The RoundCube version installed by the :ref:`debops.roundcube` role has been
  updated to the `1.4.1 release`__, which includes a new "Elastic" theme
  compatible with mobile devices, and other improvements.

  .. __: https://github.com/roundcube/roundcubemail/releases/tag/1.4.1

- The Nextcloud version installed by the :ref:`debops.owncloud` role is updated
  to the Nextcloud 16.0 release. The ownCloud version has been updated to 10.3.

- The Icinga Director version installed by the :ref:`debops.icinga_web` role
  has been updated to the v1.7.2 release. Notable changes in `v1.7.x`__ are new
  German and Japanese translations, side-by-side sync previews, a new
  background daemon to replace the job runner and new module dependencies.
  Other Icinga Web modules have also been updated to their latest versions.

  .. __: https://github.com/Icinga/icingaweb2-module-director/releases/tag/v1.7.0

LDAP
''''

- The ``authorizedService`` and ``host`` LDAP attribute values used for access
  control in various DebOps roles and the :file:`ldap/init-directory.yml`
  playbook have been updated and made consistent with the
  :ref:`ldap__ref_ldap_access` documentation. You need to update the LDAP
  entries that use them before applying these changes on the hosts managed by
  DebOps. See :ref:`upgrade_notes` for a detailed list of changed values.

Mail Transport Agents
'''''''''''''''''''''

- The :envvar:`nullmailer__mailname` and :envvar:`postfix__mailname` variables
  will use the host's FQDN address instead of the DNS domain as the mailname.
  The DNS domain was used previously to keep hostnames out of e-mail addresses;
  however, this is better handled by Postfix domain masquerading done on the
  mail relay host, which allows for exceptions, supports multiple DNS domains
  and does not break mail delivery in subtle ways. See the
  :ref:`debops.nullmailer` role documentation for an example configuration.

:ref:`debops.docker_server` role
''''''''''''''''''''''''''''''''

- Replace the deprecated ``docker_server__graph`` variable with the
  :envvar:`docker_server__data_root` variable.

:ref:`debops.dovecot` role
''''''''''''''''''''''''''

- The role gained support for mail accounts stored in the LDAP directory, based
  on the :ref:`DebOps LDAP infrastructure <debops.ldap>`. When the LDAP
  environment is detected on the host, LDAP support will be enabled
  automatically, and mail accounts based on POSIX accounts will be disabled.

- The default mailbox format used by Dovecot has been changed from ``mbox`` to
  Maildir; user mailboxes will be stored by default in the :file:`~/Maildir/`
  subdirectory of a given user account. On existing installations, the
  mailboxes might need to be converted and moved manually.

- Dovecot will use the host DNS domain as the default SASL realm when users do
  not specify their domain in their login username.

- The role should better integrate with the
  :ref:`DebOps PKI environment <debops.pki>` and gracefully disable TLS support
  when it has not been configured.

- The firewall configuration has been redesigned and the :ref:`debops.dovecot`
  role no longer generates the :command:`ferm` configuration files directly,
  instead using the :ref:`debops.ferm` role as a dependency.

- Add an option to enable ManageSieve by default without the need to update the
  config maps, to allow configuration of Sieve filter scripts.

- Restored :envvar:`dovecot__mail_location` to its original value of
  ``maildir:~/Maildir``. It was wrongfully changed to
  ``/var/vmail/%d/%n/mailbox`` if LDAP was enabled. See also
  :envvar:`dovecot__vmail_home`.

- If LDAP support is enabled, the role will no longer configure Postfix via the
  :ref:`debops.postfix` role to deliver local mail via the Dovecot LMTP
  service; this breaks mail delivery to local UNIX accounts (for example
  ``root``) which might not have corresponding aliases in the virtual mail
  database. Instead, the ``virtual_transport`` option will be configured to
  pass mail via LMTP to Dovecot, which will then deliver it to the virtual
  mailboxes in :file:`/var/vmail/` subdirectories.

:ref:`debops.icinga_web` role
'''''''''''''''''''''''''''''

- The ``icinga2-director-jobs.service`` systemd service has been replaced with
  ``icinga-director.service``. This service manages a new daemon that is
  required for Icinga Director v1.7.0+.

:ref:`debops.memcached` role
''''''''''''''''''''''''''''

- All variables in the role have been renamed from ``memcached_*`` to
  ``memcached__*`` to create the role namespace. You need to update the
  inventory accordingly.

:ref:`debops.nullmailer` role
'''''''''''''''''''''''''''''

- The upstream SMTP relay will be detected automatically using DNS SRV resource
  records, if they are defined.

:ref:`debops.owncloud` role
'''''''''''''''''''''''''''

- Drop Nextcloud 15 support because it is EOL. You need to upgrade Nextcloud
  manually if you are running version 15 or below. The role now defaults to
  Nextcloud 16 for new installations.

:ref:`debops.postconf` role
'''''''''''''''''''''''''''

- If both :ref:`Dovecot <debops.dovecot>` and :ref:`Cyrus <debops.saslauthd>`
  services are installed on a host, Postfix will be configured to prefer Cyrus
  for SASL authentication. This permits mail relay via the authenticated
  :ref:`nullmailer <debops.nullmailer>` Mail Transfer Agents with accounts in
  the LDAP directory. The preference can be changed using the
  :envvar:`postconf__sasl_auth_method` variable.

:ref:`debops.roundcube` role
''''''''''''''''''''''''''''

- The variable that defines the FQDN address of the RoundCube installation has
  been changed from :envvar:`roundcube__domain` to :envvar:`roundcube__fqdn`.
  The default subdomain has also been changed from ``roundcube`` to ``webmail``
  to offer a more widely used name for the application.

- The default RoundCube installation path defined in the
  :envvar:`roundcube__git_dest` variable has been changed and no longer uses
  the web application FQDN. This should make changing the web application
  address independent from the installation directory. Due to this change,
  existing installations will be re-installed in the new deployment path.
  Checking the changes in a development environment is recommended before
  deploying them in a production environment.

- The role will use DNS SRV resource records to find the IMAP and/or SMTP
  (submission) services to use in the RoundCube Webmail configuration, with
  a fallback to static subdomains. See :ref:`roundcube__ref_srv_records` for
  more details.

- RoundCube will use the user login and password credentials to authenticate to
  the SMTP (submission) service before sending e-mail messages. This allows the
  SMTP server to check the message details, block mail with a forged sender
  address, etc. The default configuration uses encrypted connections to the
  IMAP and SMTP services to ensure confidentiality and security.

- User logins that don't specify a domain will have the host domain
  automatically appended to them during authentication. This solves an issue
  where the use of logins with or without a domain for authentication would
  result in separate RoundCube profiles being created in the database.

- The Roundcube configuration has been redesigned and now uses the custom
  Ansible filter plugins to generate the :file:`config/config.inc.php`
  configuration file. The format of the configuration variables has been
  changed; you will need to update the Ansible inventory. See
  :ref:`roundcube__ref_configuration` for more details.

- Roundcube installation tasks have been cleaned up and the old method of
  keeping track of the :command:`git` checkout is replaced by new functionality
  of the ``git`` Ansible module. This requires full reinstallation of the
  Roundcube application; see :ref:`upgrade_notes` for more details.

- Support for Roundcube plugins has been redesigned and now uses custom Ansible
  filters included in DebOps to manage plugins. The role can install plugins
  from the Roundcube plugin repository and manage their configuration files.
  A :envvar:`set of default plugins <roundcube__default_plugins>` has been
  defined to make the default Roundcube installation a bit more user-friendly.

:ref:`debops.ntp` role
''''''''''''''''''''''

- Chrony will not listen on the UDP control port on loopback anymore. Unix
  sockets are a better way for ``chronyc`` to talk to ``chronyd``, where local
  access is controlled by file permissions. This is suggested in the Chrony FAQ
  "How can I make chronyd more secure?".

- Chrony: Support the :envvar:`ntp__listen` value ``*`` to make transitioning
  away from ``ntpd`` easier.

- Chrony: Reduce the default NTP servers considered as time sources from 4 pool
  addresses (from which Chrony used 4 NTP servers each → 16 in total) to just
  1 pool address → 4 NTP time sources in total.

Removed
~~~~~~~

General
'''''''

- Old ``[debops_<role_name>]`` Ansible inventory groups have been removed from
  DebOps playbooks. Users should use the ``[debops_service_<role_name>]`` group
  names instead.

Fixed
~~~~~

:ref:`debops.docker_server` role
''''''''''''''''''''''''''''''''

- Do not add empty entries from ``docker_server__listen`` to
  :file:`daemon.json`. Such entries cause the docker daemon to fail to parse
  the config and crash.

:ref:`debops.ferm` role
'''''''''''''''''''''''

- The ``dmz`` firewall configuration will no longer interpret the port as part
  of an IPv6 address. The IPv6 address is now protected by surrounding it with
  ``[]``.

:ref:`debops.gitlab_runner` role
''''''''''''''''''''''''''''''''

- Fix an issue with GitLab Runner failing test jobs due to the default
  :file:`~/.bash_logout` script wiping the terminal on logout. The role will
  skip copying the :file:`/etc/skel/` contents on new installations; the
  existing script will be removed.

:ref:`debops.nullmailer` role
'''''''''''''''''''''''''''''

- Again, redirect the e-mail messages for local recipients to the central
  ``root`` e-mail account (but local to the SMTP relay). This fixes an issue
  where e-mail messages were left in the mail queue and filled the disk space.

:ref:`debops.php` role
''''''''''''''''''''''

- Change the default list of preferred PHP versions to include PHP 7.3 as the
  preferred version. This should ensure that on hosts with the Ondřej Surý PHP
  repositories enabled, PHP 7.3 will be installed by default even though newer
  versions are available. This should solve installation issues with many PHP
  applications that don't yet have full support for the PHP 7.4+ release.
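The :ref:`debops.ferm` fix above is worth seeing concretely, because an unbracketed IPv6 address followed by ``:port`` is not merely ambiguous: the whole string is often itself a valid IPv6 literal, so the port silently disappears into the address and the resulting firewall rule targets the wrong host. The following Python is an added illustration written for these notes, not DebOps or ferm code; the function names and the sample addresses (``2001:db8::1``, ``192.0.2.10``) are constructed for the example.

```python
"""Illustrate why IPv6 endpoints in firewall rules must be bracketed.

Example code added to these release notes; not part of DebOps or ferm.
"""
import ipaddress
from typing import Tuple


def naive_endpoint(address: str, port: int) -> str:
    """The pre-fix rendering: address and port joined with a bare colon."""
    return f"{address}:{port}"


def format_endpoint(address: str, port: int) -> str:
    """The fixed rendering: IPv6 literals are wrapped in [] before the port."""
    ip = ipaddress.ip_address(address)
    if ip.version == 6:
        return f"[{ip.compressed}]:{port}"
    return f"{ip.compressed}:{port}"


def port_absorbed(address: str, port: int) -> bool:
    """True when the naive rendering parses as a single IPv6 address,
    i.e. the port has been swallowed and no port is left to match on."""
    try:
        ipaddress.IPv6Address(naive_endpoint(address, port))
        return True
    except ValueError:
        return False


def parse_endpoint(endpoint: str) -> Tuple[str, int]:
    """Split an endpoint into (address, port) without guessing.

    Bracketed IPv6 and plain IPv4 are accepted; an unbracketed IPv6 address
    with a trailing port is rejected because it cannot be split reliably.
    """
    if endpoint.startswith("["):
        host, sep, port = endpoint[1:].partition("]:")
        if not sep:
            raise ValueError(f"malformed bracketed endpoint: {endpoint!r}")
        return str(ipaddress.IPv6Address(host)), int(port)
    host, sep, port = endpoint.rpartition(":")
    if not sep:
        raise ValueError(f"no port in endpoint: {endpoint!r}")
    ip = ipaddress.ip_address(host)
    if ip.version != 4:
        raise ValueError(f"unbracketed IPv6 with port is ambiguous: {endpoint!r}")
    return str(ip), int(port)


def is_unambiguous(endpoint: str) -> bool:
    """Convenience wrapper: does parse_endpoint accept this string?"""
    try:
        parse_endpoint(endpoint)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample DMZ targets (documentation prefixes, not real hosts).
    for addr in ("192.0.2.10", "2001:db8::1"):
        print(addr, "naive:", naive_endpoint(addr, 443),
              "absorbed:", port_absorbed(addr, 443),
              "fixed:", format_endpoint(addr, 443))
```

Run it and the IPv6 line shows the problem: ``2001:db8::1:443`` is a well-formed address on its own, so a rule built from it has no port at all, whereas ``[2001:db8::1]:443`` parses back to the intended address and port.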