[arvados] updated: 2.6.0-311-gaad254eb8

git repository hosting git at public.arvados.org
Fri Jun 23 18:17:08 UTC 2023


Summary of changes:
 doc/admin/upgrading.html.textile.liquid | 20 ++++++++++++++------
 lib/config/config.default.yml           | 18 ++++++++++++++++--
 2 files changed, 30 insertions(+), 8 deletions(-)

       via  aad254eb85755d41927fe1809cb52c65bb8aac20 (commit)
       via  4b7705bc768f79b7c7900361dc61ce210096af3d (commit)
      from  9b4f22418bc26d57e4b9d4a0ba9ef3c4e34a2e51 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.


commit aad254eb85755d41927fe1809cb52c65bb8aac20
Author: Brett Smith <brett.smith at curii.com>
Date:   Fri Jun 23 14:14:38 2023 -0400

    20663: Expand the default SyncIgnoredGroups
    
    We discussed at standup that we prioritize the security of the default
    configuration over backwards compatibility. This new default does that.
    
    The list of groups is primarily informed by:
    <https://wiki.debian.org/SystemGroups#Other_System_Groups>
    <https://docs.fedoraproject.org/en-US/packaging-guidelines/UsersAndGroups/#_list_of_statically_allocated_uidgid_and_corresponding_package>
    
    Arvados-DCO-1.1-Signed-off-by: Brett Smith <brett.smith at curii.com>

diff --git a/doc/admin/upgrading.html.textile.liquid b/doc/admin/upgrading.html.textile.liquid
index c7db8c6b9..1e0e9a833 100644
--- a/doc/admin/upgrading.html.textile.liquid
+++ b/doc/admin/upgrading.html.textile.liquid
@@ -38,6 +38,12 @@ h3. Multi-node installer's domain name configuration changes
 The @domain_name@ variable at @terraform/vpc/terraform.tfvars@ and @DOMAIN@ variable at @local.params@ changed their meaning. In previous versions they were used in combination with @cluster_name@ and @CLUSTER@ to build the cluster's domain name (e.g.: @cluster_name at .@domain_name@). To allow the use of any arbitrary cluster domain, now we don't enforce using the cluster prefix as part of the domain, so @domain_name@ and @DOMAIN@ need to hold the entire domain for the given cluster.
 For example, if @cluster_name@ is set to @"xarv1"@ and @domain_name@ was previously set to @"example.com"@, it should now be set to @"xarv1.example.com"@ to keep using the same cluster domain.
 
+h3. arvados-login-sync configuration changes, including ignored groups
+
+In the @Users@ section of your cluster configuration, there are now several options to control what system resources are or are not managed by @arvados-login-sync at . These options all have names that begin with @Sync at .
+
+The defaults for all of these options match the previous behavior of @arvados-login-sync@ _except_ for @SyncIgnoredGroups at . This list names groups that @arvados-login-sync@ will never modify by adding or removing members. As a security precaution, the default list names security-sensitive system groups on Debian- and Red Hat-based distributions. If you are using Arvados to manage system group membership on shell nodes, especially @sudo@ or @wheel@, you may want to provide your own list. Set @SyncIgnoredGroups: []@ to restore the original behavior of ignoring no groups.
+
 h3. UseAWSS3v2Driver option removed
 
 The old "v1" S3 driver for keepstore has been removed. The new "v2" implementation, which has been the default since Arvados 2.5.0, is always used. The @Volumes.*.DriverParameters.UseAWSS3v2Driver@ configuration key is no longer recognized. If your config file uses it, remove it to avoid warning messages at startup.
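Review bot: the third added paragraph ("you may want to provide your own list") should say whether an admin-supplied `SyncIgnoredGroups` replaces or extends the default; an operator who only needs arvados-login-sync to manage `sudo` could otherwise write `SyncIgnoredGroups: [sudo]` expecting the rest of the built-in list to stay protected, when the intent appears to be that the operator copies the full default from `lib/config/config.default.yml` and removes only the groups they mean to manage. Suggest stating that explicitly and naming the file where the default list lives, so readers of the upgrade notes can audit the groups without reading source.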
diff --git a/lib/config/config.default.yml b/lib/config/config.default.yml
index 6ae98157b..49d62e298 100644
--- a/lib/config/config.default.yml
+++ b/lib/config/config.default.yml
@@ -437,8 +437,22 @@ Clusters:
       # never modify these groups. If user login permissions list any groups
       # in SyncIgnoredGroups, they will be ignored. If a user's Unix account
       # belongs to any of these groups, arvados-login-sync will not remove
-      # the account from that group.
-      SyncIgnoredGroups: []
+      # the account from that group. The default is a set of particularly
+      # security-sensitive groups across Debian- and Red Hat-based
+      # distributions.
+      SyncIgnoredGroups:
+        - adm
+        - disk
+        - kmem
+        - mem
+        - root
+        - shadow
+        - staff
+        - sudo
+        - sys
+        - utempter
+        - utmp
+        - wheel
 
     AuditLogs:
       # Time to keep audit logs, in seconds. (An audit log is a row added
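Review bot: the list is matched by group name only, so the protection is only as good as the names in use on each shell node; consider adding groups that are commonly root-equivalent on hosts that run containers or VMs but are absent here, such as `docker` (membership grants access to the daemon's root-privileged socket), `lxd` and `libvirt`, and extending the comment to tell operators to check a custom list against `getent group` on every shell node. A one-line pointer to the Debian and Fedora pages cited in the commit message would also let future maintainers see why each of `adm` through `wheel` is present.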

commit 4b7705bc768f79b7c7900361dc61ce210096af3d
Author: Brett Smith <brett.smith at curii.com>
Date:   Fri Jun 23 14:01:21 2023 -0400

    20663: Merge 2.6.3 upgrading notes
    
    Arvados-DCO-1.1-Signed-off-by: Brett Smith <brett.smith at curii.com>

diff --git a/doc/admin/upgrading.html.textile.liquid b/doc/admin/upgrading.html.textile.liquid
index 2afffb9a4..c7db8c6b9 100644
--- a/doc/admin/upgrading.html.textile.liquid
+++ b/doc/admin/upgrading.html.textile.liquid
@@ -29,15 +29,21 @@ TODO: extract this information based on git commit messages and generate changel
 </notextile>
 
 
-h2(#main). development main (as of 2023-05-11)
+h2(#main). development main (as of 2023-06-23)
 
-"previous: Upgrading to 2.6.2":#v2_6_2
+"previous: Upgrading to 2.6.3":#v2_6_3
 
 h3. Multi-node installer's domain name configuration changes
 
 The @domain_name@ variable at @terraform/vpc/terraform.tfvars@ and @DOMAIN@ variable at @local.params@ changed their meaning. In previous versions they were used in combination with @cluster_name@ and @CLUSTER@ to build the cluster's domain name (e.g.: @cluster_name at .@domain_name@). To allow the use of any arbitrary cluster domain, now we don't enforce using the cluster prefix as part of the domain, so @domain_name@ and @DOMAIN@ need to hold the entire domain for the given cluster.
 For example, if @cluster_name@ is set to @"xarv1"@ and @domain_name@ was previously set to @"example.com"@, it should now be set to @"xarv1.example.com"@ to keep using the same cluster domain.
 
+h3. UseAWSS3v2Driver option removed
+
+The old "v1" S3 driver for keepstore has been removed. The new "v2" implementation, which has been the default since Arvados 2.5.0, is always used. The @Volumes.*.DriverParameters.UseAWSS3v2Driver@ configuration key is no longer recognized. If your config file uses it, remove it to avoid warning messages at startup.
+
+h2(#v2_6_3). v2.6.3 (2023-06-06)
+
 h3. Python SDK automatically retries failed requests much more
 
 The Python SDK has always provided functionality to retry API requests that fail due to temporary problems like network failures, by passing @num_retries=N@ to a request's @execute()@ method. In this release, API client constructor functions like @arvados.api@ also accept a @num_retries@ argument. This value is stored on the client object and used as a floor for all API requests made with this client. This allows developers to set their preferred retry strategy once, without having to pass it to each @execute()@ call.
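Review bot: the new `h2(#v2_6_3). v2.6.3 (2023-06-06)` header is missing the `"previous: Upgrading to 2.6.2":#v2_6_2` link that every other release section carries (compare the `h2(#v2_6_2)` block below, which is followed by `"previous: Upgrading to 2.6.1":#v2_6_1`); without it the back-navigation chain from main stops at 2.6.3. Add that line directly after the new h2, matching the existing convention.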
@@ -51,10 +57,6 @@ arv_client = arvados.api('v1', num_retries=0, ...)
 
 The first time the Python SDK fetches an Arvados API discovery document, it will ensure that @googleapiclient.http@ logs are handled so you have a way to know about early problems that are being retried. If you prefer to handle these logs your own way, just ensure that the @googleapiclient.http@ logger (or a parent logger) has a handler installed before you call any Arvados API client constructor.
 
-h3. UseAWSS3v2Driver option removed
-
-The old "v1" S3 driver for keepstore has been removed. The new "v2" implementation, which has been the default since Arvados 2.5.0, is always used. The @Volumes.*.DriverParameters.UseAWSS3v2Driver@ configuration key is no longer recognized. If your config file uses it, remove it to avoid warning messages at startup.
-
 h2(#v2_6_2). v2.6.2 (2023-05-22)
 
 "previous: Upgrading to 2.6.1":#v2_6_1

-----------------------------------------------------------------------


hooks/post-receive
-- 