Newer Older
1 2
.. _changelog:

3 4 5

6 7
This project adheres to `Semantic Versioning <>`__
and `human-readable changelog <>`__.

9 10 11 12 13 14
This file contains only general overview of the changes in the DebOps project.
The detailed changelog can be seen using :command:`git log` command.

You can read information about required changes between releases in the
:ref:`upgrade_notes` documentation.

15 16 17 18

`debops master`_ - unreleased

19 20
.. _debops master:

21 22 23 24 25 26 27 28 29

- New DebOps roles:

  - :ref:`debops.docker_registry` role provides support for Docker Registry.
    The role can be used as standalone or as a backend for the GitLab Container
    Registry service, with :ref:`debops.gitlab` role.

30 31 32 33 34
  - :ref:`debops.ldap` role sets up the system-wide LDAP configuration on
    a host, and is used as the API to the LDAP directory by other Ansible
    roles, playbooks, and users via Ansible inventory. The role is included in
    the ``common.yml`` playbook, but is disabled by default.

35 36 37
  - :ref:`debops.nslcd` role can be used to configure LDAP lookups for NSS and
    PAM services on a Linux host.

38 39 40 41
  - :ref:`debops.pam_access` role manages PAM access control files located in
    the :file:`/etc/security/` directory. The role is designed to allow other
    Ansible roles to easily manage their own PAM access rules.

42 43
  - :ref:`debops.yadm` role installs the `Yet Another Dotfiles Manager`__
    script and ensures that additional shells are available. It can also mirror
    dotfiles locally. The role is included in the common playbook.
45 46 47

    .. __:

48 49 50 51
  - :ref:`debops.system_users` role replaces the ``debops.bootstrap`` role and
    is used to manage the local system administrator accounts. It is included
    in the :file:`common.yml` playbook as well as the bootstrap playbooks.

52 53 54 55 56 57
- [debops.nginx] The role will automatically generate configuration which
  redirects short hostnames or subdomains to their FQDN equivalents. This
  allows HTTP clients to reach websites by specifying their short names via DNS
  suffixes from :file:`/etc/resolv.conf` file, or using ``*.local`` domain
  names managed by Avahi/mDNS to redirect HTTP clients to the correct FQDNs.

58 59 60 61
- [debops.resources] Some lists can now configure ACL entries on the destination
  files or directories using the ``item.acl`` parameter. Take a look to
  :ref:`resources__ref_acl` section to have the list of compatibles variables.

62 63 64 65 66
- [debops.lxc] Users can now disable default route advertisement in the
  ``lxc-net`` DHCP service. This is useful in cases where LXC containers have
  multiple network interfaces and the default route should go through
  a different gateway than the LXC host.

67 68 69 70 71 72
- [debops.lxc] The :command:`lxc-new-unprivileged` script will add missing
  network interface stanzas in the container's :file:`/etc/network/interfaces`
  file, by default with DHCP configuration. This will happen only on the
  initialization of the new container, when a given LXC container has multiple
  network interfaces defined in its configuration file.

73 74 75 76 77 78 79 80 81 82 83 84 85
- [debops.ansible_plugins] A new ``ldap_attrs`` Ansible module has been added
  to the role. It's a replacement for the ``ldap_attr`` core Ansible module,
  that's more in line with the ``ldap_entry`` module. Used by the
  :ref:`debops.slapd` and :ref:`debops.ldap` roles to manage the LDAP directory

- The DebOps project has been registered `in the IANA Private Enterprise
  Numbers`__ registry, with PEN number ``53622``. The project documentation
  contains :ref:`an OID registry <debops_oid_registry>` to track custom LDAP
  schemas, among other things.

  .. __:

86 87 88 89 90
- A new ``bootstrap-ldap.yml`` Ansible playbook can be used to bootstrap
  Debian/Ubuntu hosts with LDAP support enabled by default. The playbook will
  configure only the services required for secure LDAP access (PKI, SSH,
  PAM/NSS), the rest should be configured using the common playbook.

91 92 93 94 95 96 97 98 99 100 101 102 103 104
- [debops.apt][debops.unattended_upgrades] Systems with the End of Life Debian
  releases (``wheezy``) installed will be configured to use the Debian Archive
  repository as the main APT sources instead of the normal Debian repository
  mirrors. These releases have been moved out of the main repositories and are
  not fully available through normal means. The periodic updates of the APT
  archive repositories on these systems will be disabled since the EOL releases
  no longer receive updates.

  The Debian LTS release (``jessie``) APT repository sources will use only the
  main and security repositories, without updates or backports. See the
  `information about the Debian LTS support`__ for more details.

  .. __:

105 106 107 108 109
- [debops.resources] New :ref:`resources__ref_commands` variables can be used
  to define simple shell commands or scripts that will be executed at the end
  of the :ref:`debops.resources` role. Useful to start new services, but it
  shouldn't be used as a replacement for a fully-fledged Ansible roles.

110 111 112 113
- [debops.sudo] The role is now integrated with the :ref:`debops.ldap` Ansible
  role and can configure the :command:`sudo` service to read ``sudoers``
  configuration from the LDAP directory.

114 115 116 117
- [debops.users] The role can now configure UNIX accounts with access
  restricted to SFTP operations (SFTPonly) with the new ``item.chroot``
  parameter. This is a replacement for the ``debops.sftpusers`` role.

118 119 120

121 122
- Updates of upstream application versions:

  - [debops.gitlab] The role will install GitLab 11.10 on supported platforms
124 125
    (Debian Buster, Ubuntu Bionic), existing installations will be upgraded.

126 127 128 129
  - [debops.phpipam] The relevant inventory variables have been renamed, check
    the :ref:`upgrade_notes` for details. The role now uses the upstream
    phpIPAM repository and it installs version 1.3.2.

130 131 132 133 134 135 136 137 138 139
  - [debops.php] Because of the PHP 7.0 release status changed to `End of life`__
    at the beginning of 2019, Ondřej Surý APT repository with PHP 7.2 packages
    will be enabled by default on Debian Jessie and Stretch as well as Ubuntu
    Trusty and Xenial. Existing :ref:`debops.php` installations shouldn't be
    affected, but the role will not try to upgrade the PHP version either.
    Users should consider upgrading the packages manually or reinstalling
    services from scratch with the newer version used by default.

    .. __:

140 141 142
  - [debops.rstudio_server] The supported version has been updated to
    v1.2.1335. The role no longer installs ``libssl1.0.0`` from Debian Jessie
    on Debian Stretch, since the current version of the RStudio Server works in
143 144
    the default Stretch environment. The downloaded ``.deb`` package will be
    verified using the RStudio Inc. GPG signing key before installation.

146 147 148
- [debops.lxc] The :command:`lxc-prepare-ssh` script will read the public SSH
  keys from specific files (``root`` key file, and the ``$SUDO_USER`` key file)
  and will not accept any custom files to read from, to avoid possible security
149 150
  issues. Each public SSH key listed in the key files is validated before being
  added to the container's ``root`` account.

152 153 154 155 156 157
  The :command:`lxc-new-unprivileged` script will similarly not accept any
  custom files as initial LXC container configuration to fix any potential
  security holes when used via :command:`sudo`. The default LXC configuration
  file used by the script can be configured in :file:`/etc/lxc/lxc.conf`
  configuration file.

158 159 160 161 162
- [debops.gitlab] The GitLab playbook will import the
  :ref:`debops.docker_registry` playbook to ensure that configuration related
  to Docker Registry defined in the GitLab service is properly applied during

163 164 165
- [debops.php] The PHP version detection has been redesigned to use the
  :command:`apt-cache madison` command to find the available versions. The role
  will now check the current version of the ``php`` APT package to select the
166 167 168
  available stable PHP version. This unfortunately breaks support for the
  ``php5`` packages, but the ``php5.6`` packages from Ondřej Surý APT
  repository work fine.

170 171 172 173
- [debops.mariadb_server] The MariaDB user ``root`` is no longer dropped. This
  user is used for database maintenance and authenticates using the
  ``unix_auth`` plugin. However, DebOps still maintains and sets a password for
  the ``root`` UNIX account, stored in the :file:`/root/.my.cnf` config file.

175 176 177 178
- The :ref:`debops.cron` role will be applied much earlier in the
  ``common.yml`` playbook because the :ref:`debops.pki` role depends on
  presence of the :command:`cron` daemon on the host.

179 180 181 182
- [debops.netbase] The role will be disabled by default in Docker containers.
  In this environment, the :file:`/etc/hosts` file is managed by Docker and
  cannot be modified from inside of the container.

183 184 185 186 187 188 189
- [debops.owncloud] The role will not perform any tasks related to
  :command:`occ` command if the automatic setup is disabled in the
  :envvar:`owncloud__autosetup` variable. In this mode, the :command:`occ`
  tasks cannot be performed by the role because the ownCloud/Nextcloud
  installation is not finished. The users are expected to perform necessary
  tasks themselves if they decide to opt-out from the automatic configuration.

190 191 192 193 194 195 196 197 198 199
- [debops.slapd] The role has been redesigned from the ground up, with support
  for N-Way Multi-Master replication, custom LDAP schemas, Password Policy and
  other functionality. The role uses custom ``ldap_attrs`` Ansible module
  included in the :ref:`debops.ansible_plugins` role for OpenLDAP management.

  The OpenLDAP configuration will definitely break on existing installations.
  It's best to set up a new OpenLDAP server (or replicated cluster) and import
  the LDAP directory to it afterwards. See :ref:`role documentation
  <debops.slapd>` for more details.

200 201 202 203 204 205 206
- [debops.nullmailer][debops.postfix] The :file:`/etc/mailname` configuration
  file will contain the DNS domain of a host instead of the FQDN address. This
  will result in the mail senders that don't specify the domain part to have
  the DNS domain, instad of the full host address, added by the Mail Transport
  Agent. This configuration should work better in clustered environments, where
  there is a central mail hub/MX that receives the mail and redirects it.

207 208 209 210 211 212 213
- [debops.root_account] If the :ref:`debops.ldap` Ansible role has been applied
  on a host, the :ref:`debops.root_account` role will use the UID/GID ranges
  defined by it, which include UIDs/GIDs used in the LDAP directory, to define
  subUID/subGID range of the ``root`` account. This allows usage of the LDAP
  directory as a source of UNIX accounts and groups in unprivileged containers.
  Existing systems will not be changed.

214 215 216 217 218 219 220 221
- [debops.system_groups] If the LDAP support is enabled on a host via the
  :ref:`debops.ldap` role, the UNIX system groups created by the
  :ref:`debops.system_groups` role by default will use a ``_`` prefix to make
  them separate from any LDAP-based groups of the same name. Existing
  installations should be unaffected, as long as the updated
  :ref:`debops.system_groups` role was applied before the :ref:`debops.ldap`

222 223 224 225 226 227 228 229 230 231 232 233
- [debops.sshd] The access control based on UNIX groups defined in the
  :file:`/etc/ssh/sshd_config` file has been removed. Instead, the OpenSSH
  server uses the PAM access control configuration, managed by the
  :ref:`debops.pam_access` Ansible role, to control access by
  users/groups/origins. OpenSSH service uses its own access control file,
  separate from the global :file:`/etc/security/access.conf` file.

- [debops.sshd] The role will enable client address resolving using DNS by
  setting the ``UseDNS yes`` option in OpenSSH server configuration. This
  parameter is disabled by default in Debian and upstream, however it is
  required for the domain-based access control rules to work as expected.

234 235 236 237
- [debops.sshd] When the LDAP support is configured on a host by the
  :ref:`debops.ldap` role, the :ref:`debops.sshd` role will use the resulting
  infrastructure to connect to the LDAP directory and create the ``sshd`` LDAP
  account object for each host, used for lookups of the SSH keys in the
238 239 240
  directory. The SSH host public keys will be automatically added or updated in
  the LDAP device object to allow for centralized generation of the
  ``~/.ssh/known_hosts`` files based on the data stored in LDAP.
241 242 243 244 245 246

  The role will no longer create a separate ``sshd-lookup`` UNIX account to
  perform LDAP lookups; the existing ``sshd`` UNIX account will be used
  instead. The :command:`ldapsearch` command used for lookups will default to
  LDAP over TLS connections instead of LDAPS.

247 248 249 250 251 252
- [deops.unattended_upgrades] The packages from the ``stable-updates`` APT
  repository section will be automatically upgraded by default, the same as the
  packages from Debian Security repository. This should cover important
  non-security related upgrades, such as timezone changes, antivirus database
  changes, and similar.

253 254 255 256 257 258 259 260 261
- [debops.php] The role will install the :command:`composer` command from the
  upstream GitHub repository on older OS releases, including Debian Stretch
  (current Stable release). This is due to incompatibility of the ``composer``
  APT package included in Debian Stretch and PHP 7.3.

  The custom ``composer`` command installation tasks have been removed from the
  :ref:`debops.roundcube` and :ref:`debops.librenms` roles, since
  :ref:`debops.php` will take care of the installation.

262 263 264 265 266 267 268
- [debops.users][debops.root_account] Management of the ``root`` dotfiles has
  been removed from the :ref:`debops.users` role and is now done in the
  :ref:`debops.root_account` role, using the :command:`yadm` script. Users
  might need to clean out the existing dotfiles if they were managed as
  symlinks, otherwise :command:`yadm` script will not be able to correctly
  deploy the new dotfiles.

269 270 271 272 273 274
  The management of the user dotfiles in the :ref:`debops.users` role has been
  redesigned and now uses the :command:`yadm` script to perform the actual
  deployment. See :ref:`debops.yadm` for details about installing the script
  and creating local dotfile mirrors. The :ref:`users__ref_accounts` variable
  documentation contains examples of new dotfile definitions.

275 276 277 278 279
- [debops.users] The role now uses the ``libuser`` library via the Ansible
  ``group`` and ``user`` modules to manage local groups and accounts. This
  should avoid issues with groups and accounts created in the LDAP user/group

280 281 282 283 284 285 286
  The ``libuser`` library by default creates home directories with ``0700``
  permissions, which is probably too restrictive. Because of that, the role
  will automatically change the home directory permissions to ``0751`` (defined
  in the :envvar:`users__default_home_mode` variable). This also affects
  existing UNIX accounts managed by the role; the mode can be overriden using
  the ``item.home_mode`` parameter.

287 288 289 290 291
- [debops.users] The ``users__*_resources`` variables have been reimplemented
  as the ``item.resources`` parameter of the ``users__*_accounts`` variables.
  This removes the unnecessary split between user account definitions and
  definitions of their files/directories.

292 293 294

295 296 297 298 299
- [debops.auth] The :file:`/etc/ldap/ldap.conf` file configuration,
  :command:`nslcd` service configuration and related variables have been
  removed from the :ref:`debops.auth` role. This functionality is now available
  in the :ref:`debops.ldap` and :ref:`debops.nslcd` roles, which manage the
  client-side LDAP support.

301 302 303 304 305
- [debops.rstudio_server] The role will no longer install the historical
  ``libssl1.0.0`` APT package on Debian Stretch to support older RStudio Server
  releases. You should remove it on the existing installations after RStudio
  Server is upgraded to the newest release.

306 307 308 309
- The ``debops.sftpusers`` Ansible role has been removed. Its functionality is
  now implemented by the :ref:`debops.users` role, custom bind mounts can be
  defined using the :ref:`debops.mount` role.

310 311 312 313
- The ``debops.bootstrap`` Ansible role has been removed. Its replacement is
  the :ref:`debops.system_users` which is used to manage system administrator
  accounts, via the ``common.yml`` playbook and the bootstrap playbooks.

314 315 316 317 318 319 320 321

- [debops.redis_server] Use the :file:`redis.conf` file to lookup passwords via
  the :command:`redis-password` script. This file has the ``redis-auth`` UNIX
  group and any accounts in this group should now be able to look up the Redis
  passwords correctly.

322 323 324 325 326 327
- [debops.slapd] The role will check if the X.509 certificate and the private
  key used for TLS communication were correctly configured in the OpenLDAP
  server. This fixes an issue where configuration of the private key and
  certificate was not performed at all, without any actual changes in the
  service, with subsequent task exiting with an error due to misconfiguration.

328 329 330
- [debops.lvm] Make sure a file system is created by default when the ``mount``
  parameter is defined in the :envvar:`lvm__logical_volumes`.

331 332 333 334
- [debops.lvm] Stop and disable ``lvm2-lvmetad.socket`` systemd unit when
  disabling :envvar:`lvm__global_use_lvmetad` to avoid warning message when
  invoking LVM commands.

335 336 337 338 339 340 341 342 343

- [debops.php] Ondřej Surý `created new APT signing keys`__ for his Debian APT
  repository with PHP packages, due to security concerns. The :ref:`debops.php`
  role will remove the old APT GPG key and add the new one automatically.

  .. __:

344 345 346 347 348

`debops v0.8.1`_ - 2019-02-02

.. _debops v0.8.1:

350 351 352

353 354 355 356 357 358
- New DebOps roles:

  - :ref:`debops.redis_server` and :ref:`debops.redis_sentinel` roles, that
    replace the existing ``debops.redis`` Ansible role. The new roles support
    multiple Redis and Sentinel instances on a single host.

359 360 361
  - :ref:`debops.freeradius`, an Ansible role that can be used to manage
    FreeRADIUS service, used in network management.

362 363 364
  - :ref:`debops.dhcp_probe`, can be used to install and configure
    :command:`dhcp_probe` service, which passively detects rogue DHCP servers.

365 366 367 368 369
  - :ref:`debops.mount`, the role allows configuration of :file:`/etc/fstab`
    entries for local devices, bind mounts and can be used to create or modify
    directories, to permit access to resources by different applications. The
    role is included by default in the ``common.yml`` playbook.

370 371 372 373
- [debops.users] The role can now configure ACL entries of the user home
  directories using the ``item.home_acl`` parameter. This can be used for more
  elaborate access restrictions.

374 375 376 377 378
- [debops.root_account] The role will reserve a set of UID/GID ranges for
  subordinate UIDs/GIDs owned by the ``root`` account (they are not reserved by
  default). This can be used to create unprivileged LXC containers owned by
  ``root``. See the release notes for potential issues on existing systems.

379 380 381 382
- [debops.root_account] You can now configure the state and contents of the
  :file:`/root/.ssh/authorized_keys` file using the :ref:`debops.root_account`
  role, with support for global, per inventory group and per host SSH keys.

383 384 385 386 387
- DebOps roles are now tagged with ``skip::<role_name>`` Ansible tags. You can
  use these tags to skip roles without any side-effects; for example
  "<role_name>/env" sub-roles will still run so that roles that depend on them
  will work as expected.

388 389 390 391 392 393
- [debops.ifupdown] The role will now generate configuration for the
  :ref:`debops.sysctl` role and use it in the playbook as a dependency, to
  configure kernel parameters related to packet forwarding on managed network
  interfaces. This functionality replaces centralized configuration of packet
  forwarding on all network interfaces done by the :ref:`debops.ferm` role.

- [debops.lxc] New :command:`lxc-hwaddr-static` script can be used to easily
395 396 397 398 399
  generate random but predictable MAC addresses for LXC containers.

  The script can be run manually or executed as a "pre-start" LXC hook to
  configure static MAC addresses automatically - this usage is enabled by
  default via common LXC container configuration.

401 402 403 404 405 406 407
- The ` <>`__
  Ansible connection plugin is now included by default in DebOps. This
  connection plugin can be used to manage remote LXC containers with Ansible
  via SSH and the :command:`lxc-attach` command. This requires connection to
  the LXC host and the LXC container via the ``root`` account directly, which
  is supported by the DebOps playbooks and roles.

408 409 410 411 412
- [debops.lxc] The role can now manage LXC containers, again. This time the
  functionality is implemented using the ``lxc_container`` Ansible module
  instead of a series of shell tasks. By default unprivileged LXC containers
  will be created, but users can change all parameters supported by the module.

413 414 415 416 417
- [debops.lxc] The role will now configure a ``lxcbr0`` bridge with internal
  DNS/DHCP server for LXC containers, using the ``lxc-net`` service. With this
  change, use of the :ref:`debops.ifupdown` role to prepare a default bridge
  for LXC containers is not required anymore.

418 419 420 421 422 423 424
- [debops.netbase] When a large number of hosts is defined for the
  :file:`/etc/hosts` database, the role will switch to generating the file
  using the ``template`` Ansible module instead of managing individual lines
  using the ``lineinfile`` module, to make the operation faster. As a result,
  custom modifications done by other tools in the host database will not be

425 426 427 428
- [debops.netbase] The role can now configure the hostname in the
  :file:`/etc/hostname` file, as well as the local domain configuration in
  :file:`/etc/hosts` database.

429 430 431 432 433
- Ansible roles included in DebOps are now checked using `ansible-lint`__ tool.
  All existing issues found by the script have been fixed.

  .. __:

434 435 436 437 438 439
- The hosts managed by the DebOps Vagrant environment will now use Avahi to
  detect multiple cluster nodes and generate host records in the
  :file:`/etc/hosts` database on these nodes. This allows usage of real DNS
  FQDNs and hostnames in the test environment without reliance on an external
  DHCP/DNS services.

440 441 442
- [debops.php] The role will install the ``composer`` APT package on Debian
  Stretch, Ubuntu Xenial and their respective newer OS releases.

443 444 445 446 447 448
- You can use the :command:`make versions` command in the root of the DebOps
  monorepo to check currently "pinned" and upstream versions of third-party
  software installed and managed by DebOps, usually via :command:`git`
  repositories. This requires the :command:`uscan` command from the Debian
  ``devscripts`` APT package to be present.

449 450 451 452 453 454 455

- The :ref:`debops.root_account` role will be executed earlier in the
  ``common.yml`` Ansible playbook to ensure that the ``root`` UID/GID ranges
  are reserved without issues on the initial host configuration.

456 457 458 459
- [debops.lxc] The role will configure the default subUIDs and subGIDs for
  unprivileged LXC containers based on the configured subordinate UID/GID
  ranges for the ``root`` account.

460 461 462 463 464
- [debops.gitlab] The role will now install GitLab 10.8 by default, on Debian
  Stretch and Ubuntu Xenial. The 11.x release now requires Ruby 2.4+, therefore
  it will only be installed on newer OS releases (Debian Buster, Ubuntu

465 466 467 468 469 470 471 472 473
- [debops.gitlab] The role has been updated to use Ansible local facts managed
  by the :ref:`debops.redis_server` Ansible role. Redis Server support has been
  removed from the GitLab playbook and needs to be explicitly enabled in the
  inventory for GitLab to be installed correctly. This will allow to select
  between local Server or Sentinel instance, to support clustered environments.

  Check the :ref:`upgrade_notes` for issues with upgrading Redis Server support
  on existing GitLab hosts.

474 475 476
- [debops.owncloud] The role will now use Ansible facts managed by the
  :ref:`debops.redis_server` role to configure Redis support.

477 478 479 480 481 482
- [debops.lxc] The :command:`lxc-prepare-ssh` script will now install SSH
  public keys from the user account that is running the script via
  :command:`sudo` instead of the system's ``root`` account, which is usually
  what you want to do if other people manage their own LXC containers on
  a host.

483 484 485 486
- Various filter and lookup Ansible plugins have been migrated from the
  playbook directory to the :ref:`debops.ansible_plugins` role. This role can
  be used as hard dependency in other Ansible roles that rely on these plugins.

487 488
- [debops.grub] The GRUB configuration has been redesigned, role now uses
  merged variables to make configuration via Ansible inventory or dependent
489 490 491
  role variables easier. The GRUB configuration is now stored in the
  :file:`/etc/default/grub.d/` directory to allow for easier integration with
  other software. See the :ref:`debops.grub` documentation for more details.

493 494 495 496 497 498
- [debops.grub] The user password storage path in :file:`secret/` directory has
  been changed to use the ``inventory_hostname`` variable instead of the
  ``ansible_fqdn`` variable. This change will force regeneration of password
  hashes in existing installations, but shouldn't affect host access (passwords
  stay the same).

499 500 501 502 503 504 505 506 507 508 509
- [debops.docker] If the Docker host uses a local nameserver, for example
  :command:`dnsmasq` or :command:`unbound`, Docker containers might have
  misconfigured DNS nameserver in :file:`/etc/resolv.conf` pointing to
  ````. In these cases, the :ref:`debops.docker` role will configure
  Docker to use the upstream nameservers from the host, managed by the
  ``resolvconf`` APT package.

  If no upstream nameservers are available, the role will not configure any
  nameserver and search parameters, which will tell Docker to use the Google

Maciej Delmanowski's avatar
Maciej Delmanowski committed
510 511 512 513
- The test suite will now check POSIX shell scripts along with Bash scripts for
  any issues via the :command:`shellcheck` linter. Outstanding issues found in
  existing scripts have been fixed.

514 515 516 517
- [debops.librenms] The default dashboard in LibreNMS is changed from the
  :file:`pages/front/default.php` to :file:`pages/front/tiles.php` which allows
  for better customization.

Maciej Delmanowski's avatar
Maciej Delmanowski committed
518 519 520 521 522
- The order of the roles in the common playbook has been changed; the
  :ref:`debops.users` role will be applied before the :ref:`debops.resources`
  role to allow for resources owned by UNIX accounts/groups other than

523 524 525
- [debops.gunicorn] The role depends on :ref:`debops.python` now to install the
  required packages. Please update your custom playbooks accordingly.

526 527 528 529 530 531
- [debops.lxc] The LXC configuration managed by the role will use the
  :command:`systemd` ``lxc@.service`` instances to manage the containers
  instead of using the :command:`lxc-*` commands directly. This allows the
  containers to be shut down properly without hitting a timeout and forced
  killing of container processes.

532 533 534 535
- [debops.ipxe] The role will no longer install non-free firmware by default.
  This is done to solve the connectivity issues with ````

536 537 538 539 540 541 542 543 544
- The hostname and domain configuration during bootstrapping is now done by the
  :ref:`debops.netbase` Ansible role. The default for this role is to remove
  the ```` host entry from the :file:`/etc/hosts` file to ensure that
  domain resolution relies on DNS.

  If you are using local domain configured in :file:`/etc/hosts` file, you
  should define the :envvar:`netbase__domain` variable in the Ansible inventory
  with your desired domain.

545 546 547 548
- [debops.netbase] The role is redesigned to use list variables instead of YAML
  dictionaries for the :file:`/etc/hosts` database. This allows for adding the
  host IPv4 and/or IPv6 addresses defined by Ansible facts when the custom
  local domain is enabled. See :ref:`netbase__ref_hosts` for details.
549 550
  The role has also been included in the ``common.yml`` playbook to ensure that
  the host database is up to date as soon as possible.

552 553
- [debops.resources] Changed behaviour of used groups for templating. Now all
  groups the host is in, will be used to search for template files.
554 555
  Read the documentation about :ref:`resources__ref_templates` for more details
  on templating with `debops`.

- [debops.dnsmasq] The role has been redesigned from the ground up with new
558 559 560 561
  configuration pipeline, support for multiple subdomains and better default
  configuration. See the :ref:`debops.dnsmasq` role documentation as well as
  the :ref:`upgrade_notes` for more details.

562 563 564 565
- [debops.owncloud] Drop support for Nextcloud 12.0 which is EOF. Add support
  for Nextcloud 14.0 and 15.0 and make Nextcloud 14.0 the default Nextcloud

566 567 568 569 570
- The ``debops`` Python package has dropped the hard dependency on Ansible.
  This allows DebOps to be installed in a separate environment than Ansible,
  allowing for example to mix Homebrew Ansible with DebOps from PyPI on macOS.
  The installation instructions have also been updated to reflect the change.

571 572 573 574
- The :command:`debops-init` script will now generate new Ansible inventory
  files using the hostname as well as a host FQDN to better promote the use of
  DNS records in Ansible inventory.

575 576 577 578 579 580

- [debops.kmod] The role should now work correctly in Ansible ``--check`` mode
  before the Ansible local fact script is installed.

581 582 583 584
- [debops.sysctl] The role should correctly handle nested lists in role
  dependent variables, which are now flattened before being passed to the
  configuration filter.

585 586 587 588
- [debops.grub] The role should now correctly revert custom patch to allow user
  authentication in :file:`/etc/grub.d/10_linux` script, when the user list is

589 590 591 592 593 594 595 596 597 598 599 600

- The old ``debops.redis`` Ansible role has been removed. It has been replaced
  by the :ref:`debops.redis_server` and :ref:`debops.redis_sentinel` Ansible
  roles. The new roles use their own Ansible inventory groups, therefore they
  will need to be explicitly enabled to affect existing hosts.

  You can use the :ref:`debops.debops_legacy` Ansible role to clean up old
  configuration files, directories and diversions of ``debops.redis`` role from
  remote hosts.

601 602 603 604
- The ``ldap_entry`` and ``ldap_attr`` Ansible modules have been removed. They
  are now included in Ansible core, there's no need to keep a separate copy in
  the playbook.

605 606 607 608
- Support for :command:`dhcp_probe` has been removed from the
  :ref:`debops.dhcpd` Ansible role. It's now available as a separate
  :ref:`debops.dhcp_probe` role.

609 610 611 612 613 614 615 616 617
- [debops.ferm] Automated configuration of packet forwarding with ``FORWARD``
  chain rules and :command:`sysctl` configuration has been removed from the
  role. Per-interface packet forwarding is now configurable using the
  :ref:`debops.ifupdown` role, and you can still use the :ref:`debops.ferm` and
  :ref:`debops.sysctl` roles to design custom forwarding configuration.

  Support for this mechanism has also been removed from related roles like
  :ref:`debops.libvirtd` and :ref:`debops.lxc`.

618 619 620 621
- The ``ansible_local.root.flags`` and ``ansible_local.root.uuid`` local facts
  have been removed. They are replaced by ``ansible_local.tags`` and
  ``ansible_local.uuid`` local facts, respectively.

- The hostname and domain configuration has been removed from the
  ``debops.bootstrap`` role. This functionality is now handled by the
624 625 626 627
  :ref:`debops.netbase` role, which has been included in the bootstrap
  playbook. The relevant inventory variables have been renamed, check the
  :ref:`upgrade_notes` for details.

- The ``resources__group_name`` variable has been removed in favor of using
  all the groups the current hosts is in. This change has been reflected in the
  updated variable ``resources__group_templates``.

632 633 634 635 636

`debops v0.8.0`_ - 2018-08-06

.. _debops v0.8.0:

638 639 640 641 642

- New DebOps roles:

643 644 645
  - :ref:`debops.netbase`: manage local host and network database in
    :file:`/etc/hosts` and :file:`/etc/networks` files.

  - :ref:`debops.sudo`: install and manage :command:`sudo` configuration on
647 648
    a host. The role is included in the ``common.yml`` playbook.

  - :ref:`debops.system_groups`: configure UNIX system groups used on DebOps
    hosts. The role is included in the ``common.yml`` playbook.

652 653 654 655 656
  - :ref:`debops.debops_legacy`: clean up legacy files, directories, APT
    packages or :command:`dpkg-divert` diversions created by DebOps but no
    longer used. This role needs to be executed manually, it's not included in
    the main playbook.

  - :ref:`debops.python`: manage Python environment, with support for multiple
658 659
    Python versions used at the same time. The role is included in the
    ``common.yml`` playbook.

661 662 663
  - Icinga 2 support has been implemented with :ref:`debops.icinga`,
    :ref:`debops.icinga_db` and :ref:`debops.icinga_web` Ansible roles.

664 665 666 667 668
- [debops.users] Selected UNIX accounts can now be configured to linger when
  not logged in via the ``item.linger`` parameter. This allows these accounts
  to maintain long-running services when not logged in via their own private
  :command:`systemd` instances.

669 670 671 672
- [debops.sudo] You can now manage configuration files located in the
  :file:`/etc/sudoers.d/` directory using :ref:`sudo__*_sudoers <sudo__ref_sudoers>`
  inventory variables, with multiple level of conditional options.

673 674 675 676 677
- [debops.ntp] The OpenNTPD service will now properly integrate the
  :command:`ifupdown` hook script with :command:`systemd`. During boot, NTP
  daemon will be started once network interfaces are configured and will not
  restart multiple times on each network interface change.

678 679 680 681
- [debops.resources] The role can now generate custom files using templates,
  based on a directory structure. See :ref:`resources__ref_templates` for more

682 683 684 685 686
- [debops.nginx] A ``default`` set of SSL ciphers can be specified using the
  :envvar:`nginx_default_ssl_ciphers` variable. This disables the
  ``ssl_ciphers`` option in the :command:`nginx` configuration and forces the
  server to use the defaults provided by the OS.

687 688 689 690 691
- [debops.dhparam] The role will set up a :command:`systemd` timer to
  regenerate Diffie-Hellman parameters periodically if it's available. The
  timer will use random delay time, up to 12h, to help with mass DHparam
  generation in multiple LXC containers/VMs.

692 693 694 695 696 697
- The DebOps installation now depends on the `dnspython`__ Python library. This
  allows usage of the ``dig`` Ansible lookup plugin in DebOps roles to gather
  data via DNS SRV records.

  .. __:

698 699 700 701 702 703 704 705
- The DebOps installation now depends on the `future`__ Python library which
  provides compatibility between Python 2.7 and Python 3.x environments. It is
  currently used in the custom Ansible filter plugin provided by DebOps, but
  its use will be extended to other scripts in the future to make the code more

  .. __:

706 707 708 709 710 711 712

- The :command:`editor` alternative symlink configuration has been moved from
  the ``debops.console`` role to the :ref:`debops.apt_install` role which also
  installs :command:`vim` by default.

713 714 715 716 717 718
- The configuration of automatic removal of APT packages installed via
  ``Recommends:`` or ``Suggests:`` dependencies has been moved from the
  :ref:`debops.apt` role to the :ref:`debops.apt_mark` role which more closely
  reflects its intended purpose. Variable names and their default values
  changed; see the :ref:`upgrade_notes` for more details.

719 720 721 722 723
- [debops.owncloud] Support Nextcloud 13 and partially ownCloud 10. Nextcloud
  11 and ownCloud 9.1 are EOL, you should update. The role can help you with
  the update to ensure that everything works smoothly with the new versions.
  Currently, the role can not do the update for you.

724 725 726 727
- [debops.sshd] The role will now check the :ref:`debops.system_groups` Ansible
  local facts to define what UNIX groups are allowed to connect to the host via
  the SSH service.

- [debops.nodejs] The NPM version installed by the role from GitHub is changed
729 730 731
  from ``v5.4.2`` to ``latest`` which seems to be an equivalent of a stable

- Some of the existing DebOps Policies and Guidelines have been reorganized and
733 734
  the concept of DebOps Enhancement Proposals (DEPs) is introduced, inspired by
  the `Python Enhancement Proposals`__.
735 736 737

.. __:

738 739 740 741 742
- [debops.ifupdown] The :ref:`debops.kmod` role is added as a dependency. The
  :ref:`debops.ifupdown` role will generate :command:`modprobe` configuration
  based on the type of configured network interfaces (bridges, VLANs, bonding)
  and the kernel modules will be automatically loaded if missing.

743 744 745 746 747 748 749 750 751 752
- [debops.nodejs] Recent versions of NPM `require NodeJS 6.0.0+`__ and don't
  work with other releases. Because of that the newest NPM release is not
  installable on hosts that use NodeJS packages from older OS releases.

  .. __:

  The 'debops.nodejs' role will install NPM v5.10.0 version in this case to
  allow NPM to work correctly - on Debian Jessie, Stretch and Ubuntu Xenial.
  Otherwise, a NPM from the ``latest`` branch will be installed, as before.

753 754 755 756 757 758 759
- [debops.nodejs] Instead of NodeJS 6.x release, the role will now install
  NodeJS 8.x release upstream APT packages by default. This is due to the
  NodeJS 6.x release `switching to a Maintenance LTS mode`__. NodeJS 8.x will
  be supported as a LTS release until April 2019.

  .. __:

- [debops.nodejs] The role will install upstream NodeSource APT packages by
761 762 763 764 765 766 767 768 769 770
  default. This is due to `no security support in Debian Stable`__, therefore
  an upstream packages should be considered more secure. The upstream NodeJS
  packages include a compatible NPM release, therefore it won't be separately
  installed from GitHub.

  .. __:

  The existing installations shouldn't be affected, since the role will select
  OS/upstream package versions based on existing Ansible local facts.

771 772 773 774 775
- [debops.gitlab] Redesign the GitLab version management to read the versions
  of various components from the GitLab repository files instead of managing
  them manually in a YAML dictionary. The new :envvar:`gitlab__release`
  variable is used to specify desired GitLab version to install/manage.

776 777 778 779
- [debops.gitlab] The :command:`gitaly` service will be installed using the
  ``git`` UNIX account instead of ``root``. Existing installations might
  require additional manual cleanup; see the :ref:`upgrade_notes` for details.

780 781
- [debops.gitlab] The role now supports installation of GitLab 10.7.

782 783 784 785 786 787
- [debops.gitlab] The usage of :envvar:`gitlab__fqdn` variable is revamped
  a bit - it's now used as the main variable that defines the GitLab
  installation FQDN. You might need to update the Ansible inventory if you
  changed the value of the ``gitlab_domain`` variable used previously for this

788 789 790 791 792 793 794 795 796
- [debops.lxc] Redesign system-wide LXC configuration to use list of YAML
  dictionaries merged together instead of custom Jinja templates.

- [debops.lxc] Add :command:`lxc-prepare-ssh` script on the LXC hosts that can
  be used to install OpenSSH and add the user's SSH authorized keys inside of
  the LXC containers. This is a new way to prepare the LXC containers for
  Ansible/DebOps management that doesn't require custom LXC template scripts
  and can be used with different LXC container types.

797 798 799 800 801
- [debops.core] The role will add any new administrator accounts to the list of
  existing admin accounts instead of replacing them in the Ansible local fact
  script. This should allow for multiple administrators to easily coexist and
  run the DebOps playbooks/roles from their own accounts without issues.

802 803 804 805 806
- [debops.mariadb_server] [debops.mariadb] The MariaDB/MySQL server and client
  will now use the ``utf8mb4`` encoding by default instead of the ``utf8``
  which is an internal MySQL character encoding. This might impact existing
  databases, see the :ref:`upgrade_notes` for details.

807 808 809 810 811 812
- [debops.unattended_upgrades] On hosts without a domain set, the role enabled
  all upgrades, not just security updates. This will not happen anymore, the
  security updates are enabled everywhere by default, you need to enable all
  upgrades specifically via the :envvar:`unattended_upgrades__release`

813 814 815
- The :command:`debops` script can now parse multiple playbook names specified
  in any order instead of just looking at the first argument passed to it.

816 817 818 819 820 821

- [debops.apt_install], [debops.auth]: don't install the ``sudo`` package by
  default, this is now done via a separate :ref:`debops.sudo` role to easily
  support switching to the ``sudo-ldap`` APT package.

823 824 825
- [debops.console] Remove support for copying custom files from the role. This
  functionality is covered better by the :ref:`debops.resources` role.

826 827 828 829
- [debops.console] Remove support for managing entries in the
  :file:`/etc/hosts` database. This is now covered by the :ref:`debops.netbase`
  Ansible role.

830 831 832 833
- [debops.auth] Remove configuration of UNIX system groups and accounts in the
  ``admins`` UNIX group. This is now done by the :ref:`debops.system_groups`
  Ansible role.

- [debops.bootstrap] The :command:`sudo` configuration has been removed from
  the ``debops.bootstrap`` role. The ``bootstrap.yml`` playbook now includes
836 837
  the :ref:`debops.sudo` role which configures :command:`sudo` service.

838 839 840 841
- [debops.bootstrap] The UNIX system group management has been removed from the
  role, the ``bootstrap.yml`` playbook now uses the :ref:`debops.system_groups`
  role to create the UNIX groups used by DebOps during bootstrapping.

842 843 844 845
- [debops.bootstrap] Remove management of Python packages from the role. The
  ``bootstrap.yml`` playbook uses the :ref:`debops.python` role to configure
  Python support on the host.

846 847 848 849 850 851
- [debops.lxc] Remove support for direct LXC container management from the
  role. This functionality is better suited for other tools like
  :command:`lxc-*` set of commands, or the Ansible ``lxc_container`` module
  which should be used in custom playbooks. The 'debops.lxc' role focus should
  be configuration of LXC support on a host.

852 853 854 855
- [debops.lxc] Remove custom LXC template support. The LXC containers can be
  created by the normal templates provided by the ``lxc`` package, and then
  configured using DebOps roles as usual.

856 857 858 859 860 861
- [debops.postgresql_server] The tasks that modified the default ``template1``
  database and its schema have been removed to make the PostgreSQL installation
  more compatible with applications packaged in Debian that rely on the
  PostgreSQL service. See the relevant commit for more details. Existing
  installations shouldn't be affected.

862 863 864 865 866 867 868 869 870 871

`debops v0.7.2`_ - 2018-03-28

.. _debops v0.7.2:


- Add missing ``python-ldap`` dependency as an APT package in the Dockerfile.
872 873 874 875 876 877

`debops v0.7.1`_ - 2018-03-28

.. _debops v0.7.1:

879 880 881 882 883

- New DebOps roles:

  - :ref:`debops.ansible`: install Ansible on a Debian/Ubuntu host using
Robin Schneider's avatar
Robin Schneider committed
    Ansible. The :ref:`debops.debops` role now uses the new role to install
    Ansible instead of doing it directly.

888 889 890 891
  - :ref:`debops.apt_mark`: set install state of APT packages (manual/auto) or
    specify that particular packages should be held in their current state.
    The role is included in the ``common.yml`` playbook.

892 893 894
  - :ref:`debops.kmod`: manage kernel module configuration and module loading
    at boot time. This role replaces the ``debops-contrib.kernel_module`` role.

  - The ``debops-contrib.etckeeper`` role has been integrated into DebOps as
896 897
    :ref:`debops.etckeeper`. The new role is included in the ``common.yml``

899 900 901 902
- [debops.ifupdown] The role has new tasks that manage custom hooks in other
  services. First hook is :ref:`ifupdown__ref_custom_hooks_filter_dhcp_options`
  which can be used to selectively apply DHCP options per network interface.

903 904 905 906 907 908 909

- [debops.lxc] The role will now generate the ``lxc-debops`` LXC template
  script from different templates, based on an OS release. This change should
  help fix the issues with LXC container creation on Debian Stretch.

910 911 912 913 914 915
- The test suite used on Travis-CI now checks the syntax of the YAML files, as
  well as Python and shell scripts included in the repository. The syntax is
  checked using the :command:`yamllint`, :command:`pycodestyle` and
  :command:`shellcheck` scripts, respectively. Tests can also be invoked
  separately via the :command:`make` command.

916 917 918
- [debops.etherpad] The role can now autodetect and use a PostgreSQL database
  as a backend database for Etherpad.

919 920 921 922 923 924 925
- [debops.pki] The X.509 certificate included in the default ``domain`` PKI
  realm will now have a SubjectAltName wildcard entry for the host's FQDN. This
  should allow for easy usage of services related to a particular host in the
  cluster over encrypted connections, for example host monitoring, service
  discovery, etc. which can be now published in the DNS zone at
  ``*`` resource records.

926 927 928 929 930
- [debops.pki] The role now supports Let's Encrypt ACMEv2 API via the
  `acme-tiny`__ Python script. The existing PKI realms will need to be
  re-created or updated for the new API to work, new PKI realms should work out
  of the box. Check the :ref:`upgrade_notes` for more details.

931 932 933 934 935
- [debops.proc_hidepid], [debops.lxc] The roles now use a static GID ``70`` for
  the ``procadmins`` group to synchronize the access permissions on a host and
  inside the LXC containers. You will need to remount the filesystems, restart
  services and LXC containers that rely on this functionality.

936 937 938 939 940 941
- [debops.sysctl] The configuration of the kernel parameters has been
  redesigned, instead of being based on YAML dictionaries, is now based on YAML
  lists of dictionaries and can be easily changed via Ansible inventory. You
  will need to update your inventory for the new changes to take effect, refer
  to the :ref:`role documentation <sysctl__ref_parameters>` for details.

942 943 944 945
- [debops.ferm] The role should now correctly detect what Internet Protocols
  are available on a host (IPv4, IPv6) and configure firewall only for the
  protocols that are present.

946 947
.. __:

948 949 950 951 952 953 954

- The :command:`debops` command will now generate the :file:`ansible.cfg`
  configuration file with correct path to the Ansible roles provided with the
  DebOps Python package.

955 956 957 958 959 960 961
- [debops.nginx] Fix a long standing bug in the role with Ansible failing
  during welcome page template generation with Jinja2 >= 2.9.4. It was related
  to `non-backwards compatible change in Jinja`__ that modified how variables
  are processed in a loop.

.. __:

962 963 964 965 966 967

- The ``debops-contrib.kernel_module`` Ansible role has been removed; it was
  replaced by the new :ref:`debops.kmod` Ansible role.

968 969 970 971 972 973 974
- [debops.ferm] The ``ferm-forward`` hook script in the
  :file:`/etc/network/if-pre-up.d/` directory has been removed (existing
  instances will be cleaned up). Recent changes in the :ref:`debops.ferm` role
  broke idempotency with the :ref:`debops.ifupdown` role, and it was determined
  that the functionality provided by the hook is no longer needed, recent OS
  releases should deal with it adequately.

975 976 977 978 979

`debops v0.7.0`_ - 2018-02-11

.. _debops v0.7.0:

981 982 983 984 985 986

- New Ansible roles have been imported from the ``debops-contrib``
  organization: ``apparmor``, ``bitcoind``, ``btrfs``, ``dropbear_initramfs``,
  ``etckeeper``, ``firejail``, ``foodsoft``, ``fuse``, ``homeassistant``,
987 988 989 990
  ``kernel_module``, ``kodi``, ``neurodebian``, ``snapshot_snapper``, ``tor``,
  ``volkszaehler``, ``x2go_server``. They are not yet included in the main
  playbook and still need to be renamed to fit with the rest of the
  ``debops.*`` roles.

992 993
- New DebOps roles:

994 995
  - :ref:`debops.sysfs`: configuration of the Linux kernel attributes through
    the :file:`/sys` filesystem. The role is not enabled by default.

  - :ref:`debops.locales`: configure localization and internationalization on
998 999
    a given host or set of hosts.

1000 1001 1002
  - :ref:`debops.machine`: manage the :file:`/etc/machine-info` file,
    the :file:`/etc/issue` file and a dynamic MOTD.

1003 1004
  - :ref:`debops.proc_hidepid`: configure the ``/proc`` ``hidepid=`` options.

1005 1006
  - :ref:`debops.roundcube`: manage RoundCube Webmail application

1007 1008
  - :ref:`debops.prosody`: configure an xmpp server on a given host

1009 1010
  - :ref:`debops.sysnews`: manage System News bulletin for UNIX accounts

1011 1012 1013
- You can now :ref:`use Vagrant <quick_start__vagrant>` to create an Ansible
  Controller based on Debian Stretch and use it to manage itself or other hosts
  over the network.

- You can now build an Ansible Controller with DebOps support as a Docker
1016 1017
  container. :ref:`Official Docker image <quick_start__docker>` is also
  available, automatically rebuilt on every commit.

1019 1020 1021
- You can now install DebOps on `Arch Linux <>`__
  using an included ``PKGBUILD`` file.

1022 1023 1024 1025 1026 1027
- Add new playbook, ``agent.yml``. This playbook is executed at the end of the
  main playbook, and contains applications or services which act as "agents" of
  other services. They may contact their parent applications to report about
  the state of the host they are executed on, therefore the agents are
  installed and configured at the end of the main playbook.

1028 1029 1030
- [debops.libvirtd] The role can now detect if nested KVM is enabled in
  a particular virtual machine and install KVM support.

1031 1032 1033 1034
  [debops.nodejs] The :ref:`debops.nodejs` role can now install `Yarn
  <>`_ package manager using its upstream APT repository
  (not enabled by default).

1035 1036 1037 1038
- DebOps roles and playbooks can now be tested using local or remote
  `GitLab CI <>`_ instance, with Vagrant, KVM and LXC
  technologies and some custom scripts.

1039 1040 1041 1042 1043
- DebOps roles and playbooks will be included in the Python packages released
  on PyPI. This will allow for easier installation of DebOps via :command:`pip`
  (no need to download the roles and playbooks separately) as well as simple
  stable releases. The DebOps monorepo can still be installed separately.

1044 1045 1046 1047 1048 1049 1050

- [debops-tools] The :command:`debops-update` script will now install or
  update the DebOps monorepo instead of separate ``debops-playbooks`` and
  DebOps roles git repositories. Existing installations shouldn't be affected.

1051 1052 1053 1054 1055 1056 1057 1058
- [debops-tools] The :command:`debops` script will now include the DebOps
  monorepo roles and playbooks in the generated :file:`ansible.cfg`
  configuration. The monorepo roles and playbooks are preferred over the old
  ``debops-playbooks`` ones.

  The script is backwards compatible and should work correctly with or without
  the ``debops-playbooks`` repository and roles installed.

1059 1060 1061
- The project repository is tested using :command:`pycodestyle` for compliance
  with Python's `PEP8 Style Guide <>`_.

1062 1063 1064 1065
- [debops.nodejs] The ``npm`` package has been removed from Debian Stable.
  The role will now install NPM using the GitHub source, unless upstream NodeJS is
  enabled, which includes its own NPM version.

1066 1067 1068 1069 1070
- [debops.gunicorn] Update the role to work correctly on Debian Stretch and
  newer releases. The support for multiple :command:`gunicorn` instances using
  custom Debian scripts has been removed in Debian Stretch, therefore the role
  replaces it with its own setup based on :command:`systemd` instances.

1071 1072 1073 1074
- [debops.gitlab_runner] The GitLab Runner playbook is moved to the
  ``agent.yml`` playbook; it will be executed at the end of the main playbook
  and should that way include correct information about installed services.

1075 1076 1077
- Improved Python 3 support in the DebOps scripts and throughout the
  playbooks/roles. DebOps should now be compatible with both Python versions.

1078 1079 1080 1081 1082 1083

- [DebOps playbooks] Remove the :file:`` Ansible filter plugin, it is
  now included in the Ansible core distribution.

1084 1085 1086 1087 1088
- [debops.console] Remove the ``locales`` configuration from the
  'debops.console' role, this functionality has been moved to the new
  'debops.locales' role. You will need to update the Ansible inventory
  variables to reflect the changes.

1089 1090 1091 1092 1093
- [debops.console] Remove management of the :file:`/etc/issue` and
  :file:`/etc/motd` files from the ``debops.console`` role. That functionality
  is now available in the :ref:`debops.machine` role. You will need to update
  the Ansible inventory variables to reflect the changes.

1094 1095 1096 1097
- [debops.console] Management of the ``/proc`` ``hidepid=`` option has been
  moved to a new role, :ref:`debops.proc_hidepid`. You will need to update the
  Ansible inventory variables to reflect the changes.

1098 1099 1100 1101 1102
- [debops.console] Management of the System News using the ``sysnews`` Debian
  package has been removed from the role; it's now available as a separate
  :ref:`debops.sysnews` Ansible role. You will need to update the Ansible
  inventory variables related to System News due to this changes.

1103 1104 1105 1106 1107 1108 1109 1110 1111 1112 1113

debops v0.6.0 - 2017-10-21


- Various repositories that comprise the DebOps project have been merged into
  a single monorepo which will be used as the main development repository.
  Check the :command:`git` log for information about older releases of DebOps
  roles and/or playbooks.