The main focus for Platform 0.10 was to update of all client-side daemons to newest releases, like Soledad and OpenVPN. This introduces a compatibility change: by setting the platform version to 0.10, it also requires client 0.9.4 or later. We also switched the development branch to the 'master' branch and are creating a branch called 0.10.x to push hot-fixes during the 0.10 life-cycle.
Note: This will be the last major release of the LEAP Platform for Debian Jessie. We will continue to support 0.10 with minor releases with important security and bug fixes, but the next major release will require an upgrade to Stretch.
New Features:
- Tor single-hop onion service capability.
leap info
is now run after deploy- Timestamps are added to deployments
- Missing ssh host keys are generated on node init
- Private networking support for local Vagrant development
- Static sites get lets encrypt support
- add command
leap node disable
,leap node enable
,leap ping
Notable Changes:
- Removed haproxy because we don't support multi-node couchdb installations anymore (#8144).
- Disable nagios notification emails (#8772).
- Fix layout of apt repository (#8888)
- Limit what archive signing keys are accepted for the leap debian repository packages (#8425).
- Monitor the Webapp logs for errors (#5174).
- Moved development to the master branch.
- Rewrite leap_cli ssh code
- Debian wheezy was fully deprecated
- Restructure package archives to enable auto packaging, and CI testing
- Significant CI improvements
- Troubleshooting information added to
leap user ls
- Couchdb service is no longer required on soledad nodes (#8693)
- Tor service refactored (#8864), and v3 hidden service support added (#8879)
- Fixed unattended-upgrades (#8891)
- Alert on 409 responses for webapp
- Many other issues resolved, full list: https://0xacab.org/groups/leap/milestones/platform-010?title=Platform+0.10
Upgrading:
If you have a node with the service 'tor' defined, you will need to change it to be either 'tor-relay', or 'tor-exit'. Look in your provider directory under the nodes directory for any .json file that has a 'services' section with 'tor' defined, change that to the correct tor service you are wanting to deploy.
Make sure you have the correct version of leap_cli
workstation$ sudo gem install leap_cli --version=1.9
If you are upgrading from a version previous to 0.9, please follow those upgrade instructions before upgrading to 0.10.
Prepare your platform source by checking out the 0.10.x branch:
workstation$ cd leap_platform
workstation$ git fetch
workstation$ git checkout 0.10.x
Then, deploy:
workstation$ cd $PROVIDER_DIR
workstation$ leap deploy
workstation$ leap test
After deployment, if the leap test does not succeed, you should investigate. Please see below for some post-deployment upgrade steps that you may need to perform.
Starting with Soledad Server 0.9.0, the CouchDB database schema was changed to improve speed of the server side storage backend. If you provided email, you will need to run the migration script, otherwise it is unnecessary. Until you migrate, soledad will refuse to start.
To run the migration script, do the following (replacing $PROVIDER_DIR, $COUCHDB_NODE, $MX_NODE, and $SOLEDAD_NODE with your values):
First backup your couchdb databases, just to be safe. NOTE: This can take some time and will place several hundred megabytes of data into /var/backups/couchdb. The size and time depends on how many users there are on your system. For example, 15k users took approximately 25 minutes and 308M of space:
workstation$ leap ssh $COUCHDB_NODE
server# cd /srv/leap/couchdb/scripts
server# ./cleanup-user-dbs
server# time ./couchdb_dumpall.sh
Once that has finished, then its time to run the migration:
workstation$ cd $PROVIDER_DIR
workstation$ leap run 'systemctl leap_mx stop' $MX_NODE
workstation$ leap run --stream '/usr/share/soledad-server/migration/0.9/migrate.py --log-file /var/log/leap/soledad_migration --verbose --do-migrate' $SOLEDAD_NODE
wait for it to finish (will print DONE)
rerun if interrupted
workstation$ leap deploy
workstation$ leap test
Known Issues:
If you have been deploying from our master branch (ie: unstable code), you might end up with a broken sources line for apt. If you get the following: WARNING: The following packages cannot be authenticated!
Then you should remove the files on your nodes inside /var/lib/puppet/modules/apt/keys and deploy again. (#8862, #8876)
- When upgrading, sometimes systemd does not report the correct state of a
daemon. The daemon will be not running, but systemd thinks it is. The symptom
of this is that a deploy will succeed but
leap test
will fail. To fix, you can runsystemctl stop DAEMON
and thensystemctl start DAEMON
on the affected host (systemctl restart seems to work less reliably).
Includes:
- leap_web: 0.9.2
- nickserver: 0.10.0
- leap-mx: 0.10.1
- soledad-server: 0.10.5
Commits: https://0xacab.org/groups/leap/milestones/platform-010?title=Platform+0.10
For details on about all the changes included in this release please consult the LEAP platform 0.10 milestone.
The focus for Platform 0.9 was to clean house: we replaced the annoying system of puppet submodules, we cleaned up the directory structure, we removed many of the gem dependencies, and we fixed a lot of bugs.
New Features:
leap vm
-- Support for managing remote virtual servers (AWS only, for now)leap cert renew
-- Integration with Let's Encryptleap open monitor
-- for handy access to nagios- improved documentation -- open docs/index.html to see
Notable Changes:
- 86 bugs fixed
- Fixed security issues with VPN
- More tests
- Replaced git submodules with git subrepo
- Nearly all the leap_cli code has been moved to leap_platform.git
- Command-line leap_cli cleanup to be more logically consistent
- Better organization of the leap_platform.git directory structure
- Removed ugly dependency on Capistrano
- Enabled DANE/TLSA validation
- Anti-spam improvements
- Performance improvements for couchdb
- Change from httpredir.debian.org to deb.debian.org
- Reduce duplicated logging
Upgrading:
You will need the new version of leap_cli:
workstation$ sudo gem install leap_cli --version=1.9
Because 0.9 does not use submodules anymore, you must remove them before pulling the latest leap_platform from git:
workstation$ cd leap_platform
workstation$ for dir in $(git submodule | awk '{print $2}'); do
workstation$ git submodule deinit $dir
workstation$ done
workstation$ git pull
workstation$ git checkout 0.9.0
Alternately, just clone a fresh leap_platform:
workstation$ git clone https://leap.se/git/leap_platform
workstation$ cd leap_platform
workstation$ git checkout 0.9.0
Then, deploy:
workstation$ cd PROVIDER_DIR
workstation$ leap deploy
Known Issues:
- When upgrading, sometimes systemd does not report the correct state of a
daemon. The daemon will be not running, but systemd thinks it is. The symptom
of this is that a deploy will succeed but
leap test
will fail. To fix, you can runsystemctl stop DAEMON
and thensystemctl start DAEMON
on the affected host (systemctl restart seems to work less reliably).
Includes:
- leap_web: 0.8
- nickserver: 0.8
- couchdb: 1.6.0
- leap-mx: 0.8.1
- soledad-server: 0.8.0
Commits: https://leap.se/git/leap_platform.git/shortlog/refs/tags/0.9
Issues fixed: https://leap.se/code/versions/195
This release focuses on the email service.
Requirements:
- You must upgrade to Debian Jessie, see below for details
- You must migrate all data from BigCouch to CouchDB
- Soledad and couchdb services must be on the same node
WARNING: failure to migrate data from BigCouch to CouchDB will cause all user accounts to get destroyed. See UPGRADING below for how to safely do this.
UPGRADING: You must upgrade to Debian Jessie and migrate from BigCouch to Couchdb. It is tricky to upgrade the OS and migrate the database, so we have writen and tested a step-by-step guide that you can carefully follow in doc/upgrading/upgrade-0-8.md, or online at: https://leap.se/en/upgrade-0-8
Other new features:
-
It is possible to require invite codes for new users signing up.
-
Tapicero has been removed. Now user storage databases are created as needed by soledad, and deleted eventually when no longer needed.
-
Admins can now suspend/enable users and block/enable their ability to send and receive email.
-
Support for SPF and DKIM.
Compatibility:
- Now, soledad and couchdb must be on the same node.
- Requires Debian Jessie. Wheezy is no longer supported.
- Requires CouchDB, BigCouch is no longer supported.
- Requires leap_cli version 1.8
- Requires bitmask client version >= 0.9
- Includes:
- leap_mx 0.8
- webapp 0.8
- soledad 0.8
Commits: https://leap.se/git/leap_platform.git/shortlog/refs/tags/0.8 Issues fixed: https://leap.se/code/versions/189
Compatibility:
- Requires leap_cli version 1.7.4
- Requires bitmask client version >= 0.7
- Previous releases supported cookies when using the provider API. Now, only tokens are supported.
- Includes:
- leap_mx 0.7.0
- tapicero 0.7
- webapp 0.7
- soledad 0.7
Commits: https://leap.se/git/leap_platform.git/shortlog/refs/tags/0.7.1 Issues fixed: https://leap.se/code/versions/159
Upgrading:
gem install leap_cli --version 1.7.4
.cd leap_platform; git pull; git checkout 0.7.1
.leap deploy
leap test
to make sure everything is working