ยซ Changelog History


DebOps v2.2.0 Release Notes

Release Date: 2021-01-31 // about 3 years ago

  • .. _debops v2.2.0: https://github.com/debops/debops/compare/v2.1.0...v2.2.0

    โž• Added

    
๐Ÿ†• New DebOps roles
''''''''''''''''

- The :ref:`debops.dhcrelay` role can be used to manage the ISC DHCP Relay
  Agent, which forwards DHCP traffic between networks. This role replaces the
  dhcrelay functionality in :ref:`debops.dhcpd`.

- The :ref:`debops.global_handlers` Ansible role provides a central place to
  maintain handlers for other Ansible roles. Keeping them centralized allows
  Ansible roles to use handlers from different roles without including them
  entirely in the playbook.

- ๐Ÿ”ง The :ref:`debops.filebeat` role can be used to install and configure
  `Filebeat`__, a log shipping agent from Elastic, part of the Elastic Stack.

  .. __: https://www.elastic.co/beats/filebeat

General
'''''''

- The :file:`tools/reboot.yml` can be used to reboot DebOps hosts even if they
  are secured by the ``molly-guard`` package.

- The code in the DebOps monorepo is now checked using `GitHub Actions`__,
  which will replace Travis-CI. Thank you, Travis, for years of service. :)

  .. __: https://github.com/features/actions

LDAP
''''

- The :ref:`next available UID and GID values <ldap__ref_next_uid_gid>` can now
  be tracked using special LDAP objects in the directory. These can be used by
  the client-side account and group management applications to easily allocate
  unique UID/GID numbers for newly created accounts and groups.

  The objects will be created automatically with the next available UID/GID
  values by the :file:`ldap/init-directory.yml` playbook. In existing
  environments users might want to create them manually to ensure that the
  correct ``uidNumber`` and ``gidNumber`` values are stored instead of the
  default ones which might already be allocated.

- The ``root`` UNIX account will now have full write access to the main
  directory via the ``ldapi://`` external authentication and can create and
  modify the LDAP objects and their attributes. This is required so that the
  :ref:`debops.slapd` role can initialize the directory tree and create/remove
  the ACL test objects as needed.

:ref:`debops.apt` role
''''''''''''''''''''''

- The role facts now include the main APT architecture (``amd64``, for example)
  and a list of foreign architectures if any are enabled. The
  ``ansible_local.apt.architecture`` fact can be used in other roles that need
  that information.

:ref:`debops.apt_install` role
''''''''''''''''''''''''''''''

- ๐Ÿ“ฆ The role now installs CPU microcode packages on physical hosts by default.
  These firmware updates correct CPU behaviour and mitigate vulnerabilities like
  Spectre and Meltdown. You still need to take measures to protect your virtual
  machines; for this, take a look at the `QEMU documentation`__.

  .. __: https://www.qemu.org/docs/master/system/target-i386.html#important-cpu-features-for-intel-x86-hosts

:ref:`debops.icinga` role
'''''''''''''''''''''''''

- ๐Ÿ”ง The role can now create Icinga configuration on the Icinga "master" node via
  task delegation. This can be useful in centralized environments without
  Icinga Director support.

:ref:`debops.lvm` role
''''''''''''''''''''''

- ๐Ÿ”ง Default LVM2 configuration for Debian Stretch and Buster has been added.

:ref:`debops.owncloud` role
'''''''''''''''''''''''''''

- โฌ†๏ธ Drop Nextcloud 16, 17 and 18 support because it is EOL. You need to upgrade Nextcloud
  manually if you are running version 18 or below. The role now defaults to
  Nextcloud 19 for new installations.

:ref:`debops.postgresql` role
'''''''''''''''''''''''''''''

- ๐Ÿšš The role can now drop PostgreSQL databases and remove roles when their state
  is set to ``absent`` in the Ansible inventory.

:ref:`debops.resources` role
''''''''''''''''''''''''''''

- ๐Ÿ‘Œ Support manipulating file privileges using the Linux
  :manpage:`capabilities(7)` with the help of the Ansible capabilities
  module.

:ref:`debops.roundcube` role
''''''''''''''''''''''''''''

- 0๏ธโƒฃ The role will enable more plugins by default: ``help``, ``markasjunk``,
  ``password`` (only with LDAP).

- 0๏ธโƒฃ Roundcube will offer local spell checking support by default with ``Enchant``
  library. English language is supported by default, more languages can be
  added via Ansible inventory.

:ref:`debops.slapd` role
''''''''''''''''''''''''

- ๐Ÿ‘Œ Support for the dynamic LDAP groups maintained by the
  :ref:`slapd__ref_autogroup_overlay` has been implemented in the role. Debian
  Buster or newer is recommended for this feature to work properly.

- A set of `FreeRADIUS`__ LDAP schema has been added to the role. RADIUS
  Profiles, Clients and FreeRADIUS DHCP configuration can be stored in the LDAP
  directory managed by DebOps and used by the :ref:`debops.freeradius` Ansible
  role.

  .. __: https://freeradius.org/

- ๐Ÿ‘Œ Support for empty LDAP groups has been added via the :ref:`groupfentries
  schema <slapd__ref_groupofentries>` with a corresponding ``memberOf``
  overlay. This change changes the order of existing overlays in the LDAP
  database which means that the directory server will have to be rebuilt.

- New :ref:`orgstructure schema <slapd__ref_orgstructure_schema>` provides the
  ``organizationalStructure`` LDAP object class which is used to define the
  base directory objects, such as ``ou=People``, ``ou=Groups``, etc.

- Members of the ``cn=LDAP Administrator`` LDAP role can now manage the server
  configuration stored in the ``cn=config`` LDAP subtree.

:ref:`debops.sysctl` role
'''''''''''''''''''''''''

- The role can now be enabled or disabled conditionally via Ansible inventory.
  This might be required in certain cases, for example LXD containers or
  systems protected with AppArmor rules, which make the :file:`/proc/sys/`
  directory read-only.

๐Ÿ”„ Changed

    โšก๏ธ Updates of upstream application versions ''''''''''''''''''''''''''''''''''''''''

    • In the :ref:debops.ipxe role, the Debian Stretch and Debian Buster netboot installer versions have been updated to their next point releases, 9.13 and 10.7 respectively.

    • In the :ref:debops.roundcube role, the Roundcube version installed by default has been updated to 1.4.10.

    • In the :ref:debops.owncloud role, the Nextcloud version installed by default has been updated to v18.0.

    • 0๏ธโƒฃ In the :ref:debops.phpipam role, the phpIPAM version installed by default has been updated to v1.4.1.

    • โšก๏ธ In the :ref:debops.netbox role, the NetBox version has been updated to v2.10.3. The plugin support added in v2.8.0 can be configured from DebOps. The NetBox Request Queue Worker service is configured to support background jobs like reports to work.

    • ๐Ÿ‘ The :ref:debops.mariadb and :ref:debops.mariadb_server roles now support installation of Percona Server/Client v8.0 from upstream APT repositories.

    General '''''''

    • The debops.debops role has been renamed to the :ref:debops.controller role to allow for the debops__ variable namespace to be used for global variables. All role variables have been renamed along with the role inventory group, you will have to update your inventory.

    • ๐Ÿšš Most of the handers from different DebOps roles have been moved to the new :ref:debops.global_handlers role to allow for easier cross-role handler notification. The role has been imported in roles that rely on the handlers.

    • The debops-contrib.* roles included in the DebOps monorepo have been renamed to drop the prefix. This is enforced by the new release of the :command:ansible-lint linter. These roles are not yet cleaned up and integrated with the main playbook.

    • ๐Ÿšš The dependency on pyOpenSSL has been removed. This dependency was required in Ansible < 2.8.0 because these versions were unable to use the cryptography module, but DebOps is nowadays developed against Ansible 2.9. pyOpenSSL was used only to generate private RSA keys for the :ref:debops.opendkim role. Switching to cryptography is also a security precaution and the Python Cryptographic Authority recommends__ doing so.

    .. __: https://github.com/pyca/cryptography/blob/master/docs/faq.rst#why-use-cryptography)

    LDAP ''''

    • The :ref:LDAP-POSIX integration <ldap__ref_posix> can now be disabled using a default variable. This will disable LDAP support in the POSIX environment and specific services (user accounts, PAM, :command:sshd, :command:sudo) while leaving higher-level services unaffected.

    • ๐Ÿšš The LDAP directory structure creation has been moved from a separate :file:ansible/playbooks/ldap/init-directory.yml playbook into the :ref:debops.slapd role to allow for better ACL testing. The playbook is still used for administrator account creation.

    • The base directory objects created by the :ref:debops.slapd role (ou=People, ou=Groups, etc.) as well as other DebOps roles (:ref:debops.dokuwiki, :ref:debops.ldap, :ref:debops.postldap) changed their structural object type from organizationalUnit to organizationalStructure. Existing directories should not be affected by this change, but users might want to update them using the :ref:backup and restore procedure <slapd__ref_backup_restore> to allow for more extensive ACL rules in the future.

    :ref:debops.core role '''''''''''''''''''''''

    • The fact script will generate the list of private e-mail addresses used to send administrative mail notifications based on the list of admin accounts and the detected domain of the host; this can be overriden via the :envvar:core__admin_private_email variable. The change is done to avoid sending mail messages to 'account-only' addresses on hosts without local mail support.

    :ref:debops.dhcpd role ''''''''''''''''''''''''

    • ๐Ÿ‘ The debops.dhcpd role has been largely rewritten in order to support both IPv4 and IPv6 on the same server, and to modernize many aspects of the role.

    • ๐Ÿšš The DHCP Relay Agent functionality has been moved to :ref:debops.dhcrelay.

    ๐Ÿณ :ref:debops.docker_server role ''''''''''''''''''''''''''''''''

    • 0๏ธโƒฃ The role's virtual environment is no longer created by default when :envvar:docker_server__upstream is False. This does not impact existing virtualenvs. You can remove /usr/local/lib/docker/virtualenv yourself if you like.

    :ref:debops.etckeeper role ''''''''''''''''''''''''''''

    • 0๏ธโƒฃ The role now installs etckeeper on all hosts by default, not just on hosts that have a Python 2 environment. etckeeper is also installed from buster-backports instead of the main Debian 10 repository.

    :ref:debops.fhs role ''''''''''''''''''''''

    • 0๏ธโƒฃ The role will create the :file:/srv/www/ directory by default to allow for home directories used by web applications.

    :ref:debops.gitlab role '''''''''''''''''''''''''

    • The :command:systemd services no longer require Redis to be installed on the same host as GitLab itself.

    • ๐Ÿ‘Œ Improved support for GitLab Pages, including optional access control and fixed configuration of the :command:systemd service.

    :ref:debops.grub role '''''''''''''''''''''''

    • The role will now activate both the serial console and the (previously disabled) native platform console when grub__serial_console is True.

    :ref:debops.icinga_web role '''''''''''''''''''''''''''''

    • ๐Ÿ”ง The role now automatically configures LDAP user and group support.

    • ๐Ÿ”ง The role will install and configure the Icinga Certificate Monitoring__ module.

    .. __: https://icinga.com/docs/icinga-certificate-monitoring/latest/

    :ref:debops.lvm role ''''''''''''''''''''''

    • ๐Ÿง Linux Software RAID devices are now scanned by default.

    :ref:debops.lxd role ''''''''''''''''''''''

    • During installation, the role will enable trust for the GitHub's GPG signing key to allow for verification of the LXD source code. Check the :ref:lxd__ref_install_details for more information.

    :ref:debops.nginx role ''''''''''''''''''''''''

    • โšก๏ธ The default SSL configuration used by the role has been updated to bring it to the modern standards. By default only TLSv1.2 and TLSv1.3 protocols are enabled, along with an improved set of ciphers. The HTTP Strict Transport Security age has been increased from 6 months to 2 years. The configuration is based on the intermediate Mozilla SSL recommendations__ to support wide range of possible clients.

    .. __: https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1d&guideline=5.6

    • ๐Ÿ”ง The server can be configured to support TLSv1.3 protocol only using the :envvar:nginx_default_tls_protocols variable, which will disable the use of custom Diffie-Hellman parameters and allow the HTTPS clients to select their own preferred ciphers to use for connections. The preferred set of ciphers will also change to Mozilla modern__ variant. Keep in mind that not all clients support this configuration.

    .. __: https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=modern&openssl=1.1.1d&guideline=5.6

    :ref:debops.postfix role ''''''''''''''''''''''''''

    • ๐Ÿ”ง Postfix :file:main.cf configuration overrides are now written to the :file:master.cf configuration file using 'long form' notation supported since Postfix 3.0. This allows specifying parameter values that contain whitespace.

    • 0๏ธโƒฃ The DSN command__ is now disabled by default. DSN (:rfc:3464) gives senders control over successful and failed delivery status notifications. This allows spammers to learn about an organization's internal mail infrastructure, and gives them the ability to confirm that an address is in use. When DSN support is disabled, Postfix will still let the SMTP client know that their message has been received as part of the SMTP transaction; they just will not get successful delivery notices from your internal systems.

    .. __: http://www.postfix.org/DSN_README.html

    • 0๏ธโƒฃ The ETRN command__ is now disabled by default. ETRN, also known as Remote Message Queue Starting (:rfc:1985), was designed for sites that have intermittent Internet connectivity, but is rarely used nowadays.

    .. __: http://www.postfix.org/ETRN_README.html

    :ref:debops.resolvconf role '''''''''''''''''''''''''''''

    • ๐Ÿšš The 'domain', 'nameservers' and 'search' variables have been removed from the resolvconf Ansible local facts script. You are encouraged to use the ansible_domain, ansible_dns.nameservers and ansible_dns.search variables instead.

    :ref:debops.slapd role ''''''''''''''''''''''''

    • The role will set up an additional instance of the memberof OpenLDAP overlay to update role membership in the organizationalRole LDAP objects. This change modifies the list of overlays and will require re-initialization of the OpenLDAP directory.

    • ๐Ÿ†• New equality indexes have been added to the :command:slapd service: roleOccupant, memberOf and employeeNumber.

    • The :file:eduperson.schema LDAP schema has been extended with additional attributes not present in the official specification. The new schema will not be applied automatically on existing installations.

    • In the OpenLDAP ACL rules, authenticated object owners can now re-authenticate themselves using the userPassword attribute. This is needed for the LDAP Password Modify Extended Operation (:rfc:3062) to work correctly in Roundcube.

    • In the :file:mailservice.schema LDAP schema, the mailACLGroups attribute has been renamed to mailGroupACL since this seems to be the name used by different applications like Dovecot and Roundcube.

    This change will not be applied automatically in an existing LDAP directories

    • they will need to be rebuilt to apply new schema changes.

      • The role will install a modified :ref:OpenSSH-LPK schema <slapd__ref_openssh_lpk> instead of the version from the FusionDirectory project, to add support for storing SSH public key fingerprints in the LDAP directory. Existing installations shouldn't be affected.
      • โœ… The :command:slapacl test map with additional object RDNs has been redesigned into a list of test LDAP objects which can be created or removed by the role as needed. They will not be added to the directory by default and can be enabled via Ansible inventory.
      • ๐Ÿ‘ The support for OpenLDAP monitoring is improved. The root UNIX account as well as members of the "LDAP Administrator" and "LDAP Monitor" roles can now read the cn=Monitor information.

    โœ‚ Removed

    
:ref:`debops.ldap` role
'''''''''''''''''''''''

- Creation of various LDAP directory objects (``ou=People``, ``ou=Groups``,
  ...) has been removed from the default list of LDAP tasks performed by the
  role. These objects are now automatically created by the :ref:`debops.slapd`
  role. The :ref:`debops.ldap` role will still ensure that all LDAP objects
  needed to maintain the hosts' directory information are present.

๐Ÿ›  Fixed
~~~~~

General
'''''''

- ๐Ÿ›  Fixed an issue where the :command:`debops` scripts did not expand the
  :file:`~/` prefix of the file and directory paths in user home directories.

- ๐Ÿ›  Fixed an issue with custom lookup plugins (:file:`task_src`,
  :file:`file_src`, :file:`template_src`) which resulted in Ansible 2.10 not
  finding them correctly.

LDAP
''''

- The :file:`ldap/init-directory.yml` playbook will correctly initialize the
  LDAP directory when the local UNIX account does not have any GECOS
  information.

:ref:`debops.apt` role
''''''''''''''''''''''

- ๐Ÿ›  Fixed an issue where the role would attempt to add APT keys from a PGP
  keyserver without installing the :command:`gnupg` package first.

:ref:`debops.dokuwiki` role
'''''''''''''''''''''''''''

- ๐Ÿšš A few custom DokuWiki plugins will be removed if installed, otherwise they
  will not be installed anymore due to issues with newest DokuWiki release.
  Affected plugins: ``advrack``, ``rst``, ``gitlab``, ``ghissues``.

- ๐Ÿ”Œ Ensure that the ``authldap`` DokuWiki plugin is enabled when LDAP support is
  configured by the role.

:ref:`debops.etherpad` role
'''''''''''''''''''''''''''

- ๐Ÿ›  Fixed the installation of Etherpad with the PostgreSQL backend by removing
  unused dependent variables.

:ref:`debops.fail2ban` role
'''''''''''''''''''''''''''

- ๐Ÿ›  Fixed the configuration support on Ubuntu Focal due to bantime feature
  changes in the :command:`fail2ban` v0.11.

:ref:`debops.fcgiwrap` role
'''''''''''''''''''''''''''

- The role can now be used in check mode without throwing an AnsibleFilterError.

:ref:`debops.gitlab` role
'''''''''''''''''''''''''

- ๐Ÿ›  Fixed an issue where the ``git`` UNIX account was not added to the
  ``_sshusers`` local group when LDAP support was enabled on the host. This
  prevented the usage of GitLab via SSH.

:ref:`debops.ifupdown` role
'''''''''''''''''''''''''''

- ๐Ÿ”ง Network configuration with bonded interfaces should now be correctly applied
  by the reconfiguration script.

:ref:`debops.iscsi` role
''''''''''''''''''''''''

- Fixed uninitialized local fact ``ansible_local.iscsi.discovered_portals``.

:ref:`debops.ldap` role
'''''''''''''''''''''''

- ๐Ÿ›  Fixed multiple issues with adding and updating hosts to the LDAP directory
  when these hosts were configured for network bonding.

:ref:`debops.lvm` role
''''''''''''''''''''''

- ๐Ÿ›  Fixed an issue where the role would fail in check mode. The role tries to
  simulate creating a filesystem, but this failed when the underlying LVM volume
  did not actually exist (which is to be expected when running in check mode).

- ๐Ÿ“š Made default behaviour match the documentation: the role now automatically
  takes care of mounting a filesystem on an LVM volume if the mount point is
  specified with ``item.mount``. This previously required setting the
  ``item.fs`` parameter to ``True`` as well.

:ref:`debops.nginx` role
''''''''''''''''''''''''

- Disabled gzip compression of text/vcard MIME types. Vcards contain, by nature,
  sensitive information and should not be gzipped to prevent successful BREACH
  attacks.

:ref:`debops.netbox` role
'''''''''''''''''''''''''

- ๐Ÿ›  Fixed initial superuser account creation.

:ref:`debops.nslcd` role
''''''''''''''''''''''''

- Enabled idle_timelimit to make sure that connections to the LDAP server are
  properly closed. A disabled or too high idle_timelimit causes the LDAP server
  to time out, resulting in nslcd errors like "ldap_result() failed: Can't
  contact LDAP server".

:ref:`debops.nfs` role
''''''''''''''''''''''

- 0๏ธโƒฃ Ensure that with default mount options disabled, options specified by the
  user still are added in the configuration.

:ref:`debops.ntp` role
''''''''''''''''''''''

- Don't try to disable or stop the ``systemd-timesyncd`` service when using an
  alternative NTP service implementation and ``systemd-timesyncd`` is not
  available.

:ref:`debops.owncloud` role
''''''''''''''''''''''''''''

- ๐Ÿ›  Fixed multiple issues which caused dry runs of the :ref:`debops.owncloud` role
  to incorrectly show pending changes or fail altogether.

:ref:`debops.php` role
''''''''''''''''''''''

- Set correct APT preferences for the Backports or Sury APT repository to
  the ``libapache2-mod-php*`` APT packages to ensure that the selected
  repository is the same as the ``php*`` APT packages.

:ref:`debops.pki` role
''''''''''''''''''''''

- The :command:`acme-tiny` script will be installed from Debian/Ubuntu
  repositories on Debian Buster, Ubuntu Focal and newer OS releases. This
  solves the issue with ``acme-tiny`` script in upstream having
  ``#!/usr/bin/env python`` shebang hard-coded which makes the script unusable
  on hosts without Python 2.7 installed.

  The installation location of the script from upstream is changed from
  :file:`/usr/local/lib/pki/` to :file:`/usr/local/bin/` to leverage the
  ``$PATH`` variable so that the OS version is used without issues. The script
  is now also symlinked into place instead of copied over.

:ref:`debops.postgresql_server` role
''''''''''''''''''''''''''''''''''''

- Rename the ``wal_keep_segments`` PostgreSQL configuration option to
  ``wal_keep_size`` on PostgreSQL 13 and later to avoid issues with starting
  the database service. You might need to update the inventory configuration if
  you use this parameter.

- ๐Ÿ›  Fixed an issue with the role always reporting "changed" state due to
  ``postgresql_privs`` Ansible module not detecting changes in the ``PUBLIC``
  PostgreSQL role.

:ref:`debops.python` role
'''''''''''''''''''''''''

- ๐Ÿš€ The ``python-pip`` APT package will be installed only on older OS releases,
  since it has been removed from newer OS releases like Debian Bullseye and
  Ubuntu Focal.

:ref:`debops.rsnapshot` role
''''''''''''''''''''''''''''

- ๐Ÿ›  Fixed an issue which caused dry runs of the :ref:`debops.rsnapshot` role to
  fail.

:ref:`debops.rsyslog` role
''''''''''''''''''''''''''

- Fixed the forgotten :envvar:`rsyslog__send_permitted_peers` variable which
  defines what server is accepted by the client during TLS handshakes. The
  value will now be defined using the ``streamDriverPermittedPeers`` parameter
  in :command:`rsyslog` configuration.

:ref:`debops.saslauthd` role
''''''''''''''''''''''''''''

- ๐Ÿ›  Fixed SMTP AUTH e-mail authentication for satellite hosts. Mail messages sent
  by :command:`nullmailer` and authenticated using LDAP should now be accepted
  by the SMTP server.

:ref:`debops.slapd` role
''''''''''''''''''''''''

- Modify the :file:`mailservice.schema` LDAP schema so that various
  mail-related attributes do not use the ``mail`` attribute as SUPerior
  attribute. This fixes an issue where searching for ``mail`` attribute values
  returned entries with the values present in related attributes, for example
  ``mailForwardTo``, causing problems with account lookups.

  This change will require the rebuild of the OpenLDAP directory to be applied
  correctly. The role will not apply the changes on existing installations
  automatically due to the :file:`mailservice.schema` being loaded into the
  database.

- The :command:`slapd-snapshot` script will now correctly create database
  snapshots when the ``cn=Monitor`` database is disabled or not configured.

:ref:`debops.snmpd` role
''''''''''''''''''''''''

- Don't create or modify the home directory of the :command:`snmpd` UNIX
  account to avoid issues on Ubuntu 20.04.

:ref:`debops.system_users` role
'''''''''''''''''''''''''''''''

- ๐Ÿ›  Fixed an issue where the role execution broke if the
  :envvar:`system_users__self_name` variable was set to an UNIX account which
  does not exist on the Ansible Controller, for example ``ansible``. The role
  will now correctly create such UNIX accounts on the remote hosts with default
  GECOS and shell values.

:ref:`debops.tinc` role
'''''''''''''''''''''''

- ๐Ÿ›  Fix issue with Tinc VPN interfaces starting before the general host
  networking is set up and failing to bind to the selected bridge interface.
  The Tinc :command:`systemd` service will wait for the
  ``network-online.target`` unit to start up before activation.

- ๐Ÿ›  Fixed an issue with the role where setting :envvar:`tinc__modprobe` variable
  to ``False`` did not turn off support for loading required kernel modules.