diff --git a/doc/CHANGELOG.md b/doc/CHANGELOG.md index aea6de8..a6ef088 100644 --- a/doc/CHANGELOG.md +++ b/doc/CHANGELOG.md @@ -1,3 +1,10 @@ +## v3.23.01 - 2026/01/29 +- feat: accept ``-l`` as an additional alias to specify the username (mimicking ``ssh``'s option) +- enh: better interaction between systemd units and /home encryption +- fix: add ``groupGidMin`` configuration option to avoid stealing an account's GID +- fix: missing ``-regex`` following @cdbd6c7 from #550 +- chore: deprecate the use of -f and -l in selfListIngressKeys + ## v3.23.00 - 2025/12/22 - feat: switch banner if node is sealed - feat: httpproxy: add support for more HTTP methods (#601) diff --git a/doc/sphinx/installation/upgrading.rst b/doc/sphinx/installation/upgrading.rst index 42ca23c..1f27ff1 100644 --- a/doc/sphinx/installation/upgrading.rst +++ b/doc/sphinx/installation/upgrading.rst 
@@ -27,6 +27,33 @@ See the ``--help`` for a more fine-grained upgrade path if needed. Version-specific upgrade instructions ===================================== +v3.23.01 - 2026/01/29 +********************* + +The ``-l`` alias to ``--user`` has been added, to mimick ``ssh``'s ``-l`` option. +The ``selfDelIngressKey`` plugin had also this alias for its ``--id-to-delete`` option, and still does, +but the main routine's option parsing will take precedence if you don't use ``--`` to separate options. +For this reason, the use of the short options ``-l`` and ``-f`` have been deprecated +in ``selfDelIngressKey`` to avoid confusion. + +Another change is the introduction of the ``groupGidMin`` option in :file:`/etc/bastion/bastion.conf`, +to fix an issue that could arise if you use fixed UIDs for your accounts (using ``--uid `` in ``accountCreate`` +instead of ``--uid-auto``). + +This minor release mainly fixes an issue where a preexisting bastion group would have reserved a GID that you +expected to allow to a future account. +This is only of importance if you're using fixed UIDs to create accounts, and can't let the system pick +the UIDs itself, for example because these UIDs are referenced in some other system of your company. + +This change applies a GID shifting to all the bastion groups to ensure they can never take a GID that would +pertain to a later-to-be-created account with a fixed UID/GID. +This shift amount is configurable in bastion.conf as ``groupGidMin`` (``500000`` by default). + +If you use fixed UIDs for your accounts and you want to ensure any preexisting group's GID won't get in the way, +you may use the updated :file:`bin/admin/fix-group-gid.sh` script to shift any preexisting group GID that would be +out of the new ``groupGidMin`` range. This is optional. + + v3.23.00 - 2025/12/22 ********************* diff --git a/lib/perl/OVH/Bastion.pm b/lib/perl/OVH/Bastion.pm index 549e88d..ba12740 100644 --- a/lib/perl/OVH/Bastion.pm 
+++ b/lib/perl/OVH/Bastion.pm @@ -5,7 +5,7 @@ use common::sense; use Fcntl; use POSIX qw(strftime); -our $VERSION = '3.23.00'; +our $VERSION = '3.23.01'; BEGIN { # only used by the handler below
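Review bot: In the doc/CHANGELOG.md hunk, the chore entry names selfListIngressKeys, while the upgrade notes added to doc/sphinx/installation/upgrading.rst in this same patch say the short options -l and -f are deprecated in selfDelIngressKey. One of the two plugin names is wrong, and the two files should agree so operators know which plugin's scripts to audit. The same entry also writes -f and -l bare where the other entries in the block wrap options in double backticks.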
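Review bot: In the doc/sphinx/installation/upgrading.rst hunk, the claim that shifted bastion groups "can never take a GID that would pertain to a later-to-be-created account with a fixed UID/GID" only holds if the fixed UIDs stay below groupGidMin, and the text never states that constraint. Please say it explicitly, and spell out what "out of the new groupGidMin range" means (presumably GIDs below the minimum), so operators know which groups bin/admin/fix-group-gid.sh will move and which UID range stays safe for accountCreate. Smaller points in the same hunk: the inline literal "--uid " has a trailing space before its closing backticks, which reST will not render as a literal and which looks like a dropped argument placeholder; "mimick" should be "mimic"; "the use of the short options ... have been deprecated" should be "has been"; "expected to allow to a future account" reads as if "allot" or "allocate" was meant; and the first paragraph explains the precedence conflict for -l but gives no reason for deprecating -f.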