DebOps v2.2.0 Release Notes
Release Date: 2021-01-31
.. _debops v2.2.0: https://github.com/debops/debops/compare/v2.1.0...v2.2.0
Added
~~~~~

New DebOps roles
''''''''''''''''

- The :ref:`debops.dhcrelay` role can be used to manage the ISC DHCP Relay
  Agent, which forwards DHCP traffic between networks. This role replaces the
  dhcrelay functionality in :ref:`debops.dhcpd`.

- The :ref:`debops.global_handlers` Ansible role provides a central place to
  maintain handlers for other Ansible roles. Keeping them centralized allows
  Ansible roles to use handlers from different roles without including them
  entirely in the playbook.

- The :ref:`debops.filebeat` role can be used to install and configure
  `Filebeat`__, a log shipping agent from Elastic, part of the Elastic Stack.

  .. __: https://www.elastic.co/beats/filebeat

General
'''''''

- The :file:`tools/reboot.yml` playbook can be used to reboot DebOps hosts even
  if they are secured by the ``molly-guard`` package.

- The code in the DebOps monorepo is now checked using `GitHub Actions`__,
  which will replace Travis-CI. Thank you, Travis, for years of service. :)

  .. __: https://github.com/features/actions

LDAP
''''

- The :ref:`next available UID and GID values <ldap__ref_next_uid_gid>` can now
  be tracked using special LDAP objects in the directory. These can be used by
  the client-side account and group management applications to easily allocate
  unique UID/GID numbers for newly created accounts and groups. The objects
  will be created automatically with the next available UID/GID values by the
  :file:`ldap/init-directory.yml` playbook. In existing environments users
  might want to create them manually to ensure that the correct ``uidNumber``
  and ``gidNumber`` values are stored instead of the default ones, which might
  already be allocated.

- The ``root`` UNIX account will now have full write access to the main
  directory via the ``ldapi://`` external authentication and can create and
  modify the LDAP objects and their attributes. This is required so that the
  :ref:`debops.slapd` role can initialize the directory tree and create/remove
  the ACL test objects as needed.
:ref:`debops.apt` role
''''''''''''''''''''''

- The role facts now include the main APT architecture (``amd64``, for
  example) and a list of foreign architectures, if any are enabled. The
  ``ansible_local.apt.architecture`` fact can be used in other roles that need
  that information.

:ref:`debops.apt_install` role
''''''''''''''''''''''''''''''

- The role now installs CPU microcode packages on physical hosts by default.
  These firmware updates correct CPU behaviour and mitigate vulnerabilities
  like Spectre and Meltdown. You still need to take measures to protect your
  virtual machines; for this, take a look at the `QEMU documentation`__.

  .. __: https://www.qemu.org/docs/master/system/target-i386.html#important-cpu-features-for-intel-x86-hosts

:ref:`debops.icinga` role
'''''''''''''''''''''''''

- The role can now create Icinga configuration on the Icinga "master" node via
  task delegation. This can be useful in centralized environments without
  Icinga Director support.

:ref:`debops.lvm` role
''''''''''''''''''''''

- Default LVM2 configuration for Debian Stretch and Buster has been added.

:ref:`debops.owncloud` role
'''''''''''''''''''''''''''

- Dropped Nextcloud 16, 17 and 18 support because these versions are EOL. You
  need to upgrade Nextcloud manually if you are running version 18 or below.
  The role now defaults to Nextcloud 19 for new installations.

:ref:`debops.postgresql` role
'''''''''''''''''''''''''''''

- The role can now drop PostgreSQL databases and remove roles when their state
  is set to ``absent`` in the Ansible inventory.

:ref:`debops.resources` role
''''''''''''''''''''''''''''

- Support for manipulating file privileges using Linux
  :manpage:`capabilities(7)` has been added, with the help of the Ansible
  capabilities module.

:ref:`debops.roundcube` role
''''''''''''''''''''''''''''

- The role will enable more plugins by default: ``help``, ``markasjunk``,
  ``password`` (only with LDAP).
- Roundcube will offer local spell checking support by default using the
  ``Enchant`` library. The English language is supported by default; more
  languages can be added via the Ansible inventory.

:ref:`debops.slapd` role
''''''''''''''''''''''''

- Support for the dynamic LDAP groups maintained by the
  :ref:`slapd__ref_autogroup_overlay` has been implemented in the role. Debian
  Buster or newer is recommended for this feature to work properly.

- A set of `FreeRADIUS`__ LDAP schemas has been added to the role. RADIUS
  Profiles, Clients and FreeRADIUS DHCP configuration can be stored in the LDAP
  directory managed by DebOps and used by the :ref:`debops.freeradius` Ansible
  role.

  .. __: https://freeradius.org/

- Support for empty LDAP groups has been added via the
  :ref:`groupOfEntries schema <slapd__ref_groupofentries>` with a corresponding
  ``memberOf`` overlay. This change alters the order of the existing overlays
  in the LDAP database, which means that the directory server will have to be
  rebuilt.

- The new :ref:`orgstructure schema <slapd__ref_orgstructure_schema>` provides
  the ``organizationalStructure`` LDAP object class, which is used to define
  the base directory objects, such as ``ou=People``, ``ou=Groups``, etc.

- Members of the ``cn=LDAP Administrator`` LDAP role can now manage the server
  configuration stored in the ``cn=config`` LDAP subtree.

:ref:`debops.sysctl` role
'''''''''''''''''''''''''

- The role can now be enabled or disabled conditionally via the Ansible
  inventory. This might be required in certain cases, for example in LXD
  containers or on systems protected with AppArmor rules, which make the
  :file:`/proc/sys/` directory read-only.

Changed
~~~~~~~
Updates of upstream application versions
''''''''''''''''''''''''''''''''''''''''

- In the :ref:`debops.ipxe` role, the Debian Stretch and Debian Buster netboot
  installer versions have been updated to their next point releases, 9.13 and
  10.7 respectively.

- In the :ref:`debops.roundcube` role, the Roundcube version installed by
  default has been updated to 1.4.10.

- In the :ref:`debops.owncloud` role, the Nextcloud version installed by
  default has been updated to v18.0.

- In the :ref:`debops.phpipam` role, the phpIPAM version installed by default
  has been updated to v1.4.1.

- In the :ref:`debops.netbox` role, the NetBox version has been updated to
  v2.10.3. The plugin support added in v2.8.0 can be configured from DebOps.
  The NetBox Request Queue Worker service is configured so that background
  jobs like reports work.

- The :ref:`debops.mariadb` and :ref:`debops.mariadb_server` roles now support
  installation of Percona Server/Client v8.0 from upstream APT repositories.
General
'''''''

- The ``debops.debops`` role has been renamed to the :ref:`debops.controller`
  role to allow for the ``debops__`` variable namespace to be used for global
  variables. All role variables have been renamed along with the role
  inventory group; you will have to update your inventory.

- Most of the handlers from different DebOps roles have been moved to the new
  :ref:`debops.global_handlers` role to allow for easier cross-role handler
  notification. The role has been imported in roles that rely on the handlers.

- The ``debops-contrib.*`` roles included in the DebOps monorepo have been
  renamed to drop the prefix. This is enforced by the new release of the
  :command:`ansible-lint` linter. These roles are not yet cleaned up and
  integrated with the main playbook.

- The dependency on ``pyOpenSSL`` has been removed. This dependency was
  required in Ansible < 2.8.0 because these versions were unable to use the
  ``cryptography`` module, but DebOps is nowadays developed against Ansible
  2.9. pyOpenSSL was used only to generate private RSA keys for the
  :ref:`debops.opendkim` role. Switching to ``cryptography`` is also a security
  precaution and the Python Cryptographic Authority `recommends`__ doing so.

  .. __: https://github.com/pyca/cryptography/blob/master/docs/faq.rst#why-use-cryptography)
LDAP
''''

- The :ref:`LDAP-POSIX integration <ldap__ref_posix>` can now be disabled
  using a default variable. This will disable LDAP support in the POSIX
  environment and in specific services (user accounts, PAM, :command:`sshd`,
  :command:`sudo`) while leaving higher-level services unaffected.

- The LDAP directory structure creation has been moved from a separate
  :file:`ansible/playbooks/ldap/init-directory.yml` playbook into the
  :ref:`debops.slapd` role to allow for better ACL testing. The playbook is
  still used for administrator account creation.

- The base directory objects created by the :ref:`debops.slapd` role
  (``ou=People``, ``ou=Groups``, etc.) as well as by other DebOps roles
  (:ref:`debops.dokuwiki`, :ref:`debops.ldap`, :ref:`debops.postldap`) changed
  their structural object type from ``organizationalUnit`` to
  ``organizationalStructure``. Existing directories should not be affected by
  this change, but users might want to update them using the
  :ref:`backup and restore procedure <slapd__ref_backup_restore>` to allow for
  more extensive ACL rules in the future.
:ref:`debops.core` role
'''''''''''''''''''''''

- The fact script will generate the list of private e-mail addresses used to
  send administrative mail notifications based on the list of admin accounts
  and the detected domain of the host; this can be overridden via the
  :envvar:`core__admin_private_email` variable. The change is done to avoid
  sending mail messages to 'account-only' addresses on hosts without local
  mail support.
:ref:`debops.dhcpd` role
''''''''''''''''''''''''

- The ``debops.dhcpd`` role has been largely rewritten in order to support both
  IPv4 and IPv6 on the same server, and to modernize many aspects of the role.

- The DHCP Relay Agent functionality has been moved to :ref:`debops.dhcrelay`.
:ref:`debops.docker_server` role
''''''''''''''''''''''''''''''''

- The role's virtual environment is no longer created by default when
  :envvar:`docker_server__upstream` is ``False``. This does not impact existing
  virtualenvs. You can remove :file:`/usr/local/lib/docker/virtualenv` yourself
  if you like.
:ref:`debops.etckeeper` role
''''''''''''''''''''''''''''

- The role now installs etckeeper on all hosts by default, not just on hosts
  that have a Python 2 environment. etckeeper is also installed from
  buster-backports instead of the main Debian 10 repository.
:ref:`debops.fhs` role
''''''''''''''''''''''

- The role will create the :file:`/srv/www/` directory by default to allow for
  home directories used by web applications.
:ref:`debops.gitlab` role
'''''''''''''''''''''''''

- The :command:`systemd` services no longer require Redis to be installed on
  the same host as GitLab itself.

- Improved support for GitLab Pages, including optional access control and
  fixed configuration of the :command:`systemd` service.
:ref:`debops.grub` role
'''''''''''''''''''''''

- The role will now activate both the serial console and the (previously
  disabled) native platform console when :envvar:`grub__serial_console` is
  ``True``.
:ref:`debops.icinga_web` role
'''''''''''''''''''''''''''''

- The role now automatically configures LDAP user and group support.

- The role will install and configure the `Icinga Certificate Monitoring`__
  module.

  .. __: https://icinga.com/docs/icinga-certificate-monitoring/latest/
:ref:`debops.lvm` role
''''''''''''''''''''''

- Linux Software RAID devices are now scanned by default.
:ref:`debops.lxd` role
''''''''''''''''''''''

- During installation, the role will enable trust for GitHub's GPG signing key
  to allow for verification of the LXD source code. Check the
  :ref:`lxd__ref_install_details` for more information.
:ref:`debops.nginx` role
''''''''''''''''''''''''

- The default SSL configuration used by the role has been updated to bring it
  to modern standards. By default only the TLSv1.2 and TLSv1.3 protocols are
  enabled, along with an improved set of ciphers. The HTTP Strict Transport
  Security age has been increased from 6 months to 2 years. The configuration
  is based on the `intermediate Mozilla SSL recommendations`__ to support
  a wide range of possible clients.

- The server can be configured to support the TLSv1.3 protocol only using the
  :envvar:`nginx_default_tls_protocols` variable, which will disable the use of
  custom Diffie-Hellman parameters and allow the HTTPS clients to select their
  own preferred ciphers to use for connections. The preferred set of ciphers
  will also change to the `Mozilla modern`__ variant. Keep in mind that not all
  clients support this configuration.
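As an added example, not part of the role or of these release notes, a small Python check that audits an nginx ``server`` block against the settings described above: only TLSv1.2/TLSv1.3 enabled, an HSTS age of at least two years, and no custom Diffie-Hellman parameters once TLSv1.3 is the only protocol. The server blocks and the dhparam path are constructed for the example.

```python
"""Audit nginx TLS directives against the policy described in the notes:
only TLSv1.2/TLSv1.3, HSTS max-age of at least two years, and no ssl_dhparam
once the server is TLSv1.3-only (TLSv1.3 negotiates its own key-exchange
groups, so custom DH parameters are never used)."""
import re
from typing import Dict, List

# Two years in seconds, the HSTS age the role now uses; 6 months is 15768000.
HSTS_MIN_AGE = 63072000
ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}

# Constructed server blocks, not the role's templates: the old defaults,
# the updated defaults, and the TLSv1.3-only variant.
OLD_CONFIG = """
server {
    listen 443 ssl http2;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_dhparam /etc/ssl/dhparam.pem;
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
}
"""

NEW_CONFIG = """
server {
    listen 443 ssl http2;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_dhparam /etc/ssl/dhparam.pem;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
}
"""

TLS13_ONLY_CONFIG = """
server {
    listen 443 ssl http2;
    ssl_protocols TLSv1.3;
    ssl_dhparam /etc/ssl/dhparam.pem;
    add_header Strict-Transport-Security "max-age=63072000";
}
"""


def parse_tls_settings(config: str) -> Dict[str, object]:
    """Pull the TLS-relevant directives out of an nginx server block."""
    protocols = re.search(r"^\s*ssl_protocols\s+([^;]+);", config, re.M)
    dhparam = re.search(r"^\s*ssl_dhparam\s+[^;]+;", config, re.M)
    hsts = re.search(r'Strict-Transport-Security\s+"?max-age=(\d+)', config)
    return {
        "protocols": set(protocols.group(1).split()) if protocols else set(),
        "dhparam": dhparam is not None,
        "hsts_max_age": int(hsts.group(1)) if hsts else 0,
    }


def audit_tls(config: str) -> List[str]:
    """Return findings for one server block; an empty list means it matches."""
    s = parse_tls_settings(config)
    findings: List[str] = []
    if not s["protocols"]:
        findings.append("ssl_protocols missing: nginx built-in default applies")
    legacy = s["protocols"] - ALLOWED_PROTOCOLS
    if legacy:
        findings.append("legacy protocols enabled: " + ", ".join(sorted(legacy)))
    if s["hsts_max_age"] < HSTS_MIN_AGE:
        findings.append(f"HSTS max-age {s['hsts_max_age']} below {HSTS_MIN_AGE}")
    # With TLSv1.3 only there is no DHE handshake that reads ssl_dhparam.
    if s["protocols"] == {"TLSv1.3"} and s["dhparam"]:
        findings.append("ssl_dhparam is unused with TLSv1.3 only; drop it")
    return findings


if __name__ == "__main__":
    for name, cfg in (("old", OLD_CONFIG), ("new", NEW_CONFIG),
                      ("tls13", TLS13_ONLY_CONFIG)):
        print(name, audit_tls(cfg) or "OK")
```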
:ref:`debops.postfix` role
''''''''''''''''''''''''''

- Postfix :file:`main.cf` configuration overrides are now written to the
  :file:`master.cf` configuration file using the 'long form' notation
  supported since Postfix 3.0. This allows specifying parameter values that
  contain whitespace.

- The `DSN command`__ is now disabled by default. DSN (:rfc:`3464`) gives
  senders control over successful and failed delivery status notifications.
  This allows spammers to learn about an organization's internal mail
  infrastructure, and gives them the ability to confirm that an address is in
  use. When DSN support is disabled, Postfix will still let the SMTP client
  know that their message has been received as part of the SMTP transaction;
  they just will not get successful delivery notices from your internal
  systems.

  .. __: http://www.postfix.org/DSN_README.html

- The `ETRN command`__ is now disabled by default. ETRN, also known as Remote
  Message Queue Starting (:rfc:`1985`), was designed for sites that have
  intermittent Internet connectivity, but is rarely used nowadays.

  .. __: http://www.postfix.org/ETRN_README.html
:ref:`debops.resolvconf` role
'''''''''''''''''''''''''''''

- The 'domain', 'nameservers' and 'search' variables have been removed from
  the resolvconf Ansible local facts script. You are encouraged to use the
  ``ansible_domain``, ``ansible_dns.nameservers`` and ``ansible_dns.search``
  variables instead.
:ref:`debops.slapd` role
''''''''''''''''''''''''

- The role will set up an additional instance of the ``memberof`` OpenLDAP
  overlay to update role membership in the ``organizationalRole`` LDAP
  objects. This change modifies the list of overlays and will require
  re-initialization of the OpenLDAP directory.

- New equality indexes have been added to the :command:`slapd` service:
  ``roleOccupant``, ``memberOf`` and ``employeeNumber``.

- The :file:`eduperson.schema` LDAP schema has been extended with additional
  attributes not present in the official specification. The new schema will
  not be applied automatically on existing installations.

- In the OpenLDAP ACL rules, authenticated object owners can now
  re-authenticate themselves using the ``userPassword`` attribute. This is
  needed for the LDAP Password Modify Extended Operation (:rfc:`3062`) to work
  correctly in Roundcube.

- In the :file:`mailservice.schema` LDAP schema, the ``mailACLGroups``
  attribute has been renamed to ``mailGroupACL``, since this seems to be the
  name used by different applications like Dovecot and Roundcube. This change
  will not be applied automatically in existing LDAP directories; they will
  need to be rebuilt to apply the new schema changes.

- The role will install a modified
  :ref:`OpenSSH-LPK schema <slapd__ref_openssh_lpk>` instead of the version
  from the FusionDirectory project, to add support for storing SSH public key
  fingerprints in the LDAP directory. Existing installations shouldn't be
  affected.

- The :command:`slapacl` test map with additional object RDNs has been
  redesigned into a list of test LDAP objects which can be created or removed
  by the role as needed. They will not be added to the directory by default
  and can be enabled via the Ansible inventory.

- The support for OpenLDAP monitoring is improved. The ``root`` UNIX account
  as well as members of the "LDAP Administrator" and "LDAP Monitor" roles can
  now read the ``cn=Monitor`` information.
Removed
~~~~~~~

:ref:`debops.ldap` role
'''''''''''''''''''''''

- Creation of various LDAP directory objects (``ou=People``, ``ou=Groups``,
  ...) has been removed from the default list of LDAP tasks performed by the
  role. These objects are now automatically created by the :ref:`debops.slapd`
  role. The :ref:`debops.ldap` role will still ensure that all LDAP objects
  needed to maintain the hosts' directory information are present.

Fixed
~~~~~

General
'''''''

- Fixed an issue where the :command:`debops` scripts did not expand the
  :file:`~/` prefix of the file and directory paths in user home directories.

- Fixed an issue with custom lookup plugins (:file:`task_src`,
  :file:`file_src`, :file:`template_src`) which resulted in Ansible 2.10 not
  finding them correctly.

LDAP
''''

- The :file:`ldap/init-directory.yml` playbook will correctly initialize the
  LDAP directory when the local UNIX account does not have any GECOS
  information.

:ref:`debops.apt` role
''''''''''''''''''''''

- Fixed an issue where the role would attempt to add APT keys from a PGP
  keyserver without installing the :command:`gnupg` package first.

:ref:`debops.dokuwiki` role
'''''''''''''''''''''''''''

- A few custom DokuWiki plugins will be removed if installed, and will not be
  installed anymore, due to issues with the newest DokuWiki release. Affected
  plugins: ``advrack``, ``rst``, ``gitlab``, ``ghissues``.

- Ensure that the ``authldap`` DokuWiki plugin is enabled when LDAP support is
  configured by the role.

:ref:`debops.etherpad` role
'''''''''''''''''''''''''''

- Fixed the installation of Etherpad with the PostgreSQL backend by removing
  unused dependent variables.

:ref:`debops.fail2ban` role
'''''''''''''''''''''''''''

- Fixed the configuration support on Ubuntu Focal, broken due to bantime
  feature changes in :command:`fail2ban` v0.11.

:ref:`debops.fcgiwrap` role
'''''''''''''''''''''''''''

- The role can now be used in check mode without throwing an
  AnsibleFilterError.
:ref:`debops.gitlab` role
'''''''''''''''''''''''''

- Fixed an issue where the ``git`` UNIX account was not added to the
  ``_sshusers`` local group when LDAP support was enabled on the host. This
  prevented the usage of GitLab via SSH.

:ref:`debops.ifupdown` role
'''''''''''''''''''''''''''

- Network configuration with bonded interfaces should now be correctly applied
  by the reconfiguration script.

:ref:`debops.iscsi` role
''''''''''''''''''''''''

- Fixed the uninitialized local fact ``ansible_local.iscsi.discovered_portals``.

:ref:`debops.ldap` role
'''''''''''''''''''''''

- Fixed multiple issues with adding and updating hosts in the LDAP directory
  when these hosts were configured for network bonding.

:ref:`debops.lvm` role
''''''''''''''''''''''

- Fixed an issue where the role would fail in check mode. The role tries to
  simulate creating a filesystem, but this failed when the underlying LVM
  volume did not actually exist (which is to be expected when running in check
  mode).

- Made the default behaviour match the documentation: the role now
  automatically takes care of mounting a filesystem on an LVM volume if the
  mount point is specified with ``item.mount``. This previously required
  setting the ``item.fs`` parameter to ``True`` as well.

:ref:`debops.nginx` role
''''''''''''''''''''''''

- Disabled gzip compression of ``text/vcard`` MIME types. vCards contain, by
  nature, sensitive information and should not be gzipped, to prevent
  successful BREACH attacks.

:ref:`debops.netbox` role
'''''''''''''''''''''''''

- Fixed initial superuser account creation.

:ref:`debops.nslcd` role
''''''''''''''''''''''''

- Enabled ``idle_timelimit`` to make sure that connections to the LDAP server
  are properly closed. A disabled or too high ``idle_timelimit`` causes the
  LDAP server to time out, resulting in nslcd errors like "ldap_result()
  failed: Can't contact LDAP server".
:ref:`debops.nfs` role
''''''''''''''''''''''

- Ensure that, with default mount options disabled, options specified by the
  user are still added to the configuration.

:ref:`debops.ntp` role
''''''''''''''''''''''

- Don't try to disable or stop the ``systemd-timesyncd`` service when using an
  alternative NTP service implementation and ``systemd-timesyncd`` is not
  available.

:ref:`debops.owncloud` role
'''''''''''''''''''''''''''

- Fixed multiple issues which caused dry runs of the :ref:`debops.owncloud`
  role to incorrectly show pending changes or fail altogether.

:ref:`debops.php` role
''''''''''''''''''''''

- Set correct APT preferences for the Backports or Sury APT repository for the
  ``libapache2-mod-php*`` APT packages, to ensure that the selected repository
  is the same as for the ``php*`` APT packages.

:ref:`debops.pki` role
''''''''''''''''''''''

- The :command:`acme-tiny` script will be installed from Debian/Ubuntu
  repositories on Debian Buster, Ubuntu Focal and newer OS releases. This
  solves the issue with the upstream ``acme-tiny`` script having the
  ``#!/usr/bin/env python`` shebang hard-coded, which makes the script
  unusable on hosts without Python 2.7 installed. The installation location of
  the script from upstream is changed from :file:`/usr/local/lib/pki/` to
  :file:`/usr/local/bin/` to leverage the ``$PATH`` variable, so that the OS
  version is used without issues. The script is now also symlinked into place
  instead of copied over.

:ref:`debops.postgresql_server` role
''''''''''''''''''''''''''''''''''''

- Renamed the ``wal_keep_segments`` PostgreSQL configuration option to
  ``wal_keep_size`` on PostgreSQL 13 and later to avoid issues with starting
  the database service. You might need to update the inventory configuration
  if you use this parameter.

- Fixed an issue with the role always reporting "changed" state due to the
  ``postgresql_privs`` Ansible module not detecting changes in the ``PUBLIC``
  PostgreSQL role.
:ref:`debops.python` role
'''''''''''''''''''''''''

- The ``python-pip`` APT package will be installed only on older OS releases,
  since it has been removed from newer OS releases like Debian Bullseye and
  Ubuntu Focal.

:ref:`debops.rsnapshot` role
''''''''''''''''''''''''''''

- Fixed an issue which caused dry runs of the :ref:`debops.rsnapshot` role to
  fail.

:ref:`debops.rsyslog` role
''''''''''''''''''''''''''

- Fixed the forgotten :envvar:`rsyslog__send_permitted_peers` variable, which
  defines what server is accepted by the client during TLS handshakes. The
  value will now be defined using the ``streamDriverPermittedPeers`` parameter
  in the :command:`rsyslog` configuration.

:ref:`debops.saslauthd` role
''''''''''''''''''''''''''''

- Fixed SMTP AUTH e-mail authentication for satellite hosts. Mail messages
  sent by :command:`nullmailer` and authenticated using LDAP should now be
  accepted by the SMTP server.

:ref:`debops.slapd` role
''''''''''''''''''''''''

- Modified the :file:`mailservice.schema` LDAP schema so that various
  mail-related attributes do not use the ``mail`` attribute as their SUPerior
  attribute. This fixes an issue where searching for ``mail`` attribute values
  returned entries with the values present in related attributes, for example
  ``mailForwardTo``, causing problems with account lookups. This change will
  require a rebuild of the OpenLDAP directory to be applied correctly. The
  role will not apply the changes on existing installations automatically due
  to the :file:`mailservice.schema` being already loaded into the database.

- The :command:`slapd-snapshot` script will now correctly create database
  snapshots when the ``cn=Monitor`` database is disabled or not configured.

:ref:`debops.snmpd` role
''''''''''''''''''''''''

- Don't create or modify the home directory of the :command:`snmpd` UNIX
  account to avoid issues on Ubuntu 20.04.
:ref:`debops.system_users` role
'''''''''''''''''''''''''''''''

- Fixed an issue where the role execution broke if the
  :envvar:`system_users__self_name` variable was set to a UNIX account which
  does not exist on the Ansible Controller, for example ``ansible``. The role
  will now correctly create such UNIX accounts on the remote hosts with
  default GECOS and shell values.

:ref:`debops.tinc` role
'''''''''''''''''''''''

- Fixed an issue with Tinc VPN interfaces starting before the general host
  networking is set up and failing to bind to the selected bridge interface.
  The Tinc :command:`systemd` service will wait for the ``network-online.target``
  unit to start up before activation.

- Fixed an issue with the role where setting the :envvar:`tinc__modprobe`
  variable to ``False`` did not turn off support for loading the required
  kernel modules.