release v3.23.01

3 weeks ago · 01c896ba63
parent 11cbf63be8
commit 01c896ba63
3 changed files with 35 additions and 1 deletions
--- a/doc/CHANGELOG.md
+++ b/doc/CHANGELOG.md
@ -1,3 +1,10 @@
+## v3.23.01 - 2026/01/29
+- feat: accept ``-l`` as an additional alias to specify the username (mimicking ``ssh``'s option)
+- enh: better interaction between systemd units and /home encryption
+- fix: add ``groupGidMin`` configuration option to avoid stealing an account's GID
+- fix: missing ``-regex`` following @cdbd6c7 from #550
+- chore: deprecate the use of -f and -l in selfListIngressKeys
+
 ## v3.23.00 - 2025/12/22
 - feat: switch banner if node is sealed
 - feat: httpproxy: add support for more HTTP methods (#601)
--- a/doc/sphinx/installation/upgrading.rst
+++ b/doc/sphinx/installation/upgrading.rst
@ -27,6 +27,33 @@ See the ``--help`` for a more fine-grained upgrade path if needed.
 Version-specific upgrade instructions
 =====================================

+v3.23.01 - 2026/01/29
+*********************
+
+The ``-l`` alias to ``--user`` has been added, to mimick ``ssh``'s ``-l`` option.
+The ``selfDelIngressKey`` plugin had also this alias for its ``--id-to-delete`` option, and still does,
+but the main routine's option parsing will take precedence if you don't use ``--`` to separate options.
+For this reason, the use of the short options ``-l`` and ``-f`` have been deprecated
+in ``selfDelIngressKey`` to avoid confusion.
+
+Another change is the introduction of the ``groupGidMin`` option in :file:`/etc/bastion/bastion.conf`,
+to fix an issue that could arise if you use fixed UIDs for your accounts (using ``--uid `` in ``accountCreate``
+instead of ``--uid-auto``).
+
+This minor release mainly fixes an issue where a preexisting bastion group would have reserved a GID that you
+expected to allow to a future account.
+This is only of importance if you're using fixed UIDs to create accounts, and can't let the system pick
+the UIDs itself, for example because these UIDs are referenced in some other system of your company.
+
+This change applies a GID shifting to all the bastion groups to ensure they can never take a GID that would
+pertain to a later-to-be-created account with a fixed UID/GID.
+This shift amount is configurable in bastion.conf as ``groupGidMin`` (``500000`` by default).
+
+If you use fixed UIDs for your accounts and you want to ensure any preexisting group's GID won't get in the way,
+you may use the updated :file:`bin/admin/fix-group-gid.sh` script to shift any preexisting group GID that would be
+out of the new ``groupGidMin`` range. This is optional.
+
+
 v3.23.00 - 2025/12/22
 *********************

--- a/lib/perl/OVH/Bastion.pm
+++ b/lib/perl/OVH/Bastion.pm
@ -5,7 +5,7 @@ use common::sense;
 use Fcntl;
 use POSIX qw(strftime);

-our $VERSION = '3.23.00';
+our $VERSION = '3.23.01';

 BEGIN {
    # only used by the handler below