NS 7.9 release notes (#536)

* NS 7.9 release notes
* Add reference to accounts section
* index: move cockpit apps under the new section
* Improve SSH chapter

administrator-manual/en/base_system2.rst

@@ -98,19 +98,27 @@ The :index:`storage` section configures and monitors disks.
 The administrator can mount new local or remote disks, manage RAID arrays and LVM volumes.
 
 
+.. index: SFTP
+
 .. _ssh-section:
 
 SSH
 ---
 
-The :index:`SSH` page displays the number of current SSH connections. From this
-section the administrator can change the OpenSSH listening port, disable root
-login and password authentication.
+The :menuselection:`System > SSH` page displays the number of current SSH connections. From this
+section the administrator can change the OpenSSH listening port and disable weak ciphers, root
+login, and password authentication.
+
+By default, SSH and SFTP access is granted to the following groups of administrators:
+
+* ``root``
+* ``wheel``
+
+When an account provider is configured, the access is granted to ``domain admins``, too.
+See :ref:`admin-account-section` for details.
 
-By default, SSH access is limited to ``root`` user and all users inside the designated
-administrative group (``Domain Admins``).
-It is possible to selectively grant SSH and :index:`SFTP` access to some groups,
-while administrators are always granted access to SSH and SFTP.
+It is possible to grant access to normal users and groups with the
+:guilabel:`Allow SSH/SFTP access` selector.
 
 The administrator can harden SSH by restricting the usage of weak ciphers, algorythms and macs.
 After enabling the :guilabel:`Disable weak ciphers` option, the host key will change and clients
@@ -122,13 +130,21 @@ may not be able to connect to the server.
 
     For |product| up to version 7.7:
 
-    SSH and SFTP permissions are available once the :guilabel:`System > Settings >
-    Shell policy > Override the shell of users` has been enabled.
-    If :guilabel:`Override the shell of users` is disabled, only users with :guilabel:`Shell`
+    The :guilabel:`Allow SSH/SFTP access` selector is available once the :guilabel:`Override the shell of users`
+    option has been enabled in :menuselection:`System > Settings > Shell policy`.
+    If that option is disabled, only users the with :guilabel:`Shell`
     option can access the Server Manager, and delegation is not required any more.
 
     See :ref:`relnotes-ns78` for more information.
 
+Access of the ``wheel`` group can be revoked with the following commands: ::
+
+    config setprop sshd AllowLocalGroups ''
+    signal-event nethserver-openssh-save
+
+The ``AllowLocalGroups`` property accepts a comma separated list of ``/etc/groups`` names and can be
+adjusted according to the actual needs (e.g. ``wheel,srvadmins``).
+
 .. _settings-section:
 
 Settings

administrator-manual/en/index.rst

@@ -69,16 +69,19 @@ Administrator Manual
    :maxdepth: 1
    :caption: Applications - New Server Manager
 
+   backup
    web_server
+   web_proxy
    firewall
    mail
    shared_folder
+   blacklist
+   sandbox
 
 .. toctree::
    :maxdepth: 1
    :caption: Modules
 
-   backup
    disaster_recovery
    backup_customization
    backup_legacy
@@ -90,7 +93,6 @@ Administrator Manual
    ups
    report
    fax_server
-   web_proxy
    content_filter
    suricata
    proxy_pass
@@ -113,8 +115,6 @@ Administrator Manual
    fail2ban
    rspamd
    antivirus
-   blacklist
-   sandbox
 
 .. toctree::
    :hidden:

administrator-manual/en/nscom_releases.rst

@@ -8,6 +8,13 @@ See also the `ISO releases`_ on Developer's manual.
 
 .. _ISO releases: http://docs.nethserver.org/projects/nethserver-devel/en/v7/development_process.html#iso-releases-section
 
+7.9.2009
+--------
+
+* 2020-11-26 `final <rel79_>`_
+
+.. _rel79: https://github.com/NethServer/dev/milestone/27?closed=1
+
 7.8.2003
 --------
 

administrator-manual/en/release_notes.rst

@@ -8,9 +8,9 @@ Release notes |version|
 
 .. only:: nscom
 
-    - ISO release 7.8.2003 "final" replaces any previous ISO 7.7.1908
+    - ISO release 7.9.2009 "final" replaces any previous ISO
 
-    - This release is based on `CentOS 7 (2003) <https://wiki.centos.org/Manuals/ReleaseNotes/CentOS7>`_
+    - This release is based on `CentOS 7 (2009) <https://wiki.centos.org/Manuals/ReleaseNotes/CentOS7>`_
 
     - CentOS 7 will receive security updates until 2024-06-30
 
@@ -24,12 +24,75 @@ Release notes |version|
 
 .. only:: nsent
 
-    - ISO release 7.8.2003 "final" replaces any previous ISO 7.7.1908
+    - ISO release 7.9.2009 "final" replaces any previous ISO
 
-    - This release is based on `CentOS 7 (1908) <https://wiki.centos.org/Manuals/ReleaseNotes/CentOS7>`_
+    - This release is based on `CentOS 7 (2009) <https://wiki.centos.org/Manuals/ReleaseNotes/CentOS7>`_
 
     - CentOS 7 will receive security updates until 2024-06-30
 
+Major changes on 2020-11-26
+---------------------------
+
+* ISO release 7.9.2009 "final" replaces any previous ISO 7.8.2003
+
+* The old Server Manager (namely Nethgui) is not available by default on new installations.
+  To configure the system access the new Server Manager on port ``9090``.
+
+  Old Server Manager can be still installed from :guilabel:`Software Center`.
+
+* CGP (Collectd Graph Panel), EveBox, Rspamd UI, Lightsquid and Ntopng are still available on HTTPS port 980,
+  even if the old Server Manager has not been installed.
+
+* On new installations, users belonging to the ``wheel`` group are now granted SSH and SFTP access.
+  Note that users created by the Anaconda ISO installer can be members of ``wheel``. See :ref:`ssh-section` for details.
+
+* On new installations, SSH weak ciphers are now disabled by default. To enable weak ciphers uncheck the :guilabel:`Disable weak ciphers`
+  option inside the :menuselection:`System -> SSH` page.
+
+* Default TLS policy is ``2020-05-10``. TLS 1.1, TLS 1.0, SSL v3, and SSL v2 are disabled. See :ref:`tlspolicy-section` for details.
+
+* New installations of Nextcloud honor the StartTLS setting of the Active Directory accounts provider.
+  As old installations ignore that setting and always send clear-text passwords, it is recommended
+  to upgrade them to the new behavior. Make sure the remote AD accounts provider
+  supports StartTLS, then run the following commands ::
+
+      config setprop nextcloud HonorAdStartTls enabled
+      signal-event nethserver-sssd-save
+
+  Finally check that the :guilabel:`StartTLS` option is enabled in
+  :guilabel:`System > Users & Groups > [Account provider] > Edit provider`.
+  See also :ref:`dedicated-service-account`.
+
+* To prevent errors during Nextcloud upgrades, the ``mail`` and ``theming`` have been disabled.
+  After each upgrade, both applications should be manually updated and re-enabled by accessing
+  Nextcloud administration interface.
+
+* Netdata is now installed by default to serve charts for the Server Manager.
+  Some plugins have been disabled to reduce resource usage.
+  To enable those plugins see `netdata configuration <https://docs.nethserver.org/projects/nethserver-devel/en/latest/nethserver-netdata.html>`_ .
+
+* After ``nethserver-ndpi`` installation a reboot is needed if the running kernel version 
+  is less than ``3.10.0-1160.6.1.el7``.
+
+* Mattermost DB was upgraded to PostgreSQL 12. The PostgreSQL 9.4 instance is stopped and disabled
+  automatically by the nethserver-mattermost upgrade procedure if no other service requires it.
+
+  1. Ensure the old service is stopped and disabled: ::
+
+      systemctl status rh-postgresql94-postgresql
+
+  2. PostgreSQL 9.4 can be uninstalled with the following command: ::
+
+      yum remove nethserver-postgresql94
+
+* DAHDI tools and kernel module are no longer installed by default as part of ``nethserver-freepbx`` package.
+  If the system needs DAHDI software for special telephony related hardware, install it from :guilabel:`Software Center`
+  by selecting the ``DAHDI drivers and tools`` module.
+
+  On updated machines where DAHDI is not required, these packages can be removed with the following command: ::
+
+      yum remove dahdi-tools-libs dahdi-linux kmod-dahdi-linux dahdi-firmware
+
 .. _relnotes-ns78:
 
 Major changes on 2020-05-05

administrator-manual/en/statistics.rst

@@ -3,11 +3,7 @@ Statistics (collectd)
 =====================
 
 :index:`Collectd` is a daemon which collects system performance :index:`statistics` periodically and stores them in RRD files.
-Statistics will be displayed inside a web interface called
-
-* Collectd Graph Panel (CGP), package *nethserver-cgp*
-
-The web interface can be accessed from the :guilabel:`Graphs`.
+Statistics will be displayed inside a web interface called Collectd Graph Panel (CGP).
 
 After installation, the system will gather following statistics:
 
@@ -24,6 +20,11 @@ After installation, the system will gather following statistics:
 
 For each check, the web interface will display a graph containing last collected value and also minimum, maximum and average values.
 
+CGP is accessible on a random URL generated on first install, something like ``https://myserver.nethserver.org:980/02bf3f8364beea0d5f23044bf14d31d93f63e98d``.
+The URL is available from the Server Manager inside the :guilabel:`Applications` page. Click the :guilabel:`Open` button
+of :guilabel:`Collectd Charts` application.
+
+From the old Server Manager, the web interface can be accessed using the :guilabel:`Graphs` section.
 
 Network latency
 ===============
@@ -38,3 +39,5 @@ Example: ::
  config setprop collectd PingHosts www.google.com,www.nethserver.org
  signal-event nethserver-collectd-update
 
+.. _cgp_restict_access-section:
+

administrator-manual/en/suricata.rst

@@ -255,7 +255,6 @@ EveBox
 
 It can be accessed from the Server Manager under the :guilabel:`Applications` page.
 
-
 .. [#]
    Categories documentation source:
    `proofpoint <https://www.proofpoint.com>`_ - `ETPro Category Descriptions <http://tools.emergingthreats.net/docs/ETPro%20Rule%20Categories.pdf>`_