It's time for a new DebOps release, this time with support for Debian Buster
and improved Python 3.x compatibility.
New DebOps release, v1.1.0
You can find the new version of DebOps on:
Galaxy: https://galaxy.ansible.com/debops/debops/ (but see below)
You can upgrade the Python-based installation by running the command:
pip install --upgrade debops
The support for Galaxy Collections has been improved, but there are still
issues - namely, Galaxy does not support role dependencies properly, and
because of that the 'namespace.project.role' role naming scheme cannot be used
in the playbooks yet. Installation via PyPI package or directly from GitHub
repository should be preferred this time around.
Installation instructions can be found here:
The brief Changelog can also be found on the documentation page:
The Changelog format was overhauled a bit and hopefully it will be easier to
read, with separate paragraphs for each role and a few general ones.
Complete, detailed changelog can be viewed using the 'git log' command. You can
use the 'git log --no-merges' command to skip the "boring" merge commits.
The DebOps documentation has a separate page which details important changes
from previous release in the Ansible inventory or on the remote hosts which
you might need to perform manually:
The Python packages available on PyPI, as well as the tarballs available on
GitHub are signed with my GPG key. You can get it from the OpenPGP keyserver
network using the command:
gpg --keyserver hkp://pool.sks-keyservers.net \
Since the v1.0.0 release in May 2019, there were ~477 commits in the DebOps
repository, not counting merge commits. Here's the breakdown of the committers
in the v1.1.0 release:
319 Maciej Delmanowski
59 Nicolas Quiniou-Briand
29 Robin Schneider
15 Christoph Johannes Kleine
11 Imre Jonk
7 Rainer 'rei' Schuth
6 Hartmut Goebel
5 Pedro Luis López Sánchez
3 Alin Alexandru
3 Thomas Danielsson
2 Alexander Mette
2 Stefan Hornburg (Racke)
1 Aljosha Papsch
1 André Jucovsky Bianchi
1 Bao Nguyen
1 Carl Alexander
1 Chinmay Kousik
1 Florian Baumann
1 Gaudenz Steinlin
1 Leonardo Bechea
1 Marc Kohaupt
1 Patrick Hetu
1 Reto Gantenbein
1 Sergio Aguilar
1 Stuart Mumford
Thanks to everyone involved for helping shape up this project, and see you in
Goals reached since previous release
The goals from the previous release were only partially met. I managed to
fix issues with Debian Buster after it was released and proper testing
environment was available. The AppArmor role is still not integrated with the
main playbook, hopefully this will be done in the next release cycle.
The 'debops.ipxe' role has been overhauled, but I see a potential improvement
in using the 'debian-installer-*-netboot-*' Debian packages instead of
downloading the netinst tarball directly. This would help if DebOps package
gets included in the Debian repository.
Improved support for LDAP in various applications as well as Golang redesign
didn't make it this time due to time constraints. I plan to update the
'debops.golang' role just after the release to have that done early on, so
that other roles can be updated during the release cycle.
Debian Buster has been released
The Debian 10 (Buster) has been finally released in July 2019! Congratulations
to the Debian Release Team and all of the Debian Developers and Contributors
who made this release possible.
Debian Buster is the fourth release supported by DebOps - the project was
started during Debian Wheezy (2013). Hopefully the next Debian release,
Bullseye, coming in around 2 years or so, will contain a DebOps package with
a long term support. Speaking of which...
DebOps stable releases and LTS
After creating the first stable release of DebOps I realized that scheduled
stable releases would work better than random ones. After a few tries on
different ideas for stable releases, the schedule is somwhat finalized with
four releases a year, every three months. You can view the current release
schedule in the documentation page:
The "normal" stable releases will be supported for a year, with an LTS release
just before Debian Testing is frozen for the next Debian Stable, in 2021.
Hopefully by then DebOps will be included in Debian repositories and an LTS
release targeted just before the freeze will work well with 6 years of
support during Debian Bullseye lifetime.
In 2020, the release schedule will be "reset" so that releases happen in
January, April, July and October. This schedule should ensure that the DebOps
LTS release before Debian Testing freeze happens in October (freezes are
usually in November) and there's time for the LTS release to enter Debian
Testing. This may change when the final freeze policy for Bullseye is
decided, so stay tuned.
Plans for the next release
The big change that I want to implement for the next DebOps release in
November is redesigned support for Go applications. This should open up lots
of new software in DebOps - Consul, etcd, Minio, and other popular software
written in Go. The new role will allow installation of these applications from
.deb packages if they are available, or alternatively compilation of the Go
binaries from source.
Since Ansible 2.7, roles can contain multiple 'defaults/main/*.yml' files;
this allows for much larger sets of variables without sacrificing readability.
Some of the existing DebOps roles will probaly have their defaults split into
multiple files, with the documentation reorganized around them (first one will
be the new 'debops.golang' role). This is probably also a good moment to
introduce support for OpenNebula into DebOps - I have a set of few roles for
that project written some time ago, but since the number of variables required
to configure the environment was very large, I wanted to wait for better
defaults in Ansible. It seems that the time has come. I'm not sure if I will
finish adding these roles before November, we will see.
LDAP support in various roles still has to be updated to use the new
infrastructure based on 'debops.ldap' and 'debops.slapd' roles. The Samba
support will probably be my next target, to properly integrate the 'smbk5pwd'
OpenLDAP module for synchronizing passwords between basic auth, Samba and
I would also like to implement creating a set of '.deb' packages from DebOps
source code, one with the project itself, and another with the documentation.
The packages will probably be published in an official DebOps APT repositoory,
managed by the 'debops.reprepro' role which also requires an overhaul.
Until then, have fun.
/ q p \
( >(_Y_)< )
>-' `-' `-<-.
/ _.== ,=.,- \
/, )` '( )
; `._.' `--<
: \ | )
\ ) ;_/ hjw
`._ _/_ ___.'-\\\
We previously used a dedicated Ansible controller host to manage our
infrastructure here at CipherMail. Our Ansible inventory was shared with
all members of the 'admins' group with some ACL and setgid trickery.
This worked, kinda, but did eventually cause some permission problems.
Another downside was that we couldn't easily collaborate this way, as
every change had to be made centrally on the Ansible controller.
We now run the playbooks from our workstations, storing our secrets in
Git as well. These secrets are encrypted with encfs using the
debops-padlock script. This works well on Debian 10 and Ubuntu 18.04
(thanks Hartmut!), even so that we don't use the Ansible controller anymore.
There's just one problem: the encfs paths and filenames are stored in
encrypted form in Git, which makes merge conflicts a lot harder to
solve. I've been looking for ways to disable this but can't find
anything in the encfs manual (or anywhere for that matter). So, my
question is: does anyone know how to disable this?