Fixes #24045: Add initial release notes for 8.1 #795
Merged: amousset merged 6 commits into Normation:master from amousset:arch_24045/add_initial_release_notes_for_8_1 on Apr 2, 2024
Commits (author: amousset):
a543b97 Fixes #24045: Add initial release notes for 8.1
ebb69f0 fixup! Fixes #24045: Add initial release notes for 8.1
5744e38 fixup! fixup! Fixes #24045: Add initial release notes for 8.1
4affbe3 fixup! fixup! fixup! Fixes #24045: Add initial release notes for 8.1
84d1804 fixup! fixup! fixup! fixup! Fixes #24045: Add initial release notes f…
111eb7a fixup! fixup! fixup! fixup! fixup! Fixes #24045: Add initial release …
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,6 +1,193 @@ | ||
|
||
= Rudder 8.1 release notes | ||
|
||
We're thrilled to announce the availability of Rudder 8.1. | ||
The 8.X versions are mainly dedicated to developing the compliance | ||
axis, and the first results are now available! | ||
|
||
== Compliance | ||
|
||
=== 📊 Rudder score | ||
|
||
The major addition to the 8.1 release is the Rudder score concept. | ||
Rudder has always had a focus on compliance and strives to provide | ||
excellent visibility to its users on the state of their infrastructure, | ||
thanks to various compliance views, and other dedicated views like available | ||
upgrades or known vulnerabilities. | ||
|
||
We're going a step further with the scores, which provide a synthetic overview | ||
of a node status. Various components are aggregated to provide a global score for the node, | ||
reflecting how in line it is with the security and configuration policies on a 360° horizon. | ||
This allows spotting at a glance the systems with the most associated risk and target | ||
remediation more efficiently. | ||
|
||
The scores have been added in node details, where the score | ||
is detailed with its sub-scores. | ||
Scores are also visible in the node list for overview, sorting, etc. | ||
|
||
image::images/score.png[] | ||
image::images/score2.png[] | ||
|
||
=== Compliance view for groups | ||
|
||
The policy compliance view that already existed for nodes, rules and directives has | ||
also been added in the group pages. | ||
You can now explore the detailed compliance at the group level: | ||
|
||
image::images/group.png[] | ||
|
||
We added two visualization modes: | ||
|
||
* Global compliance will show the compliance of all rules that apply directives to a node within this group. | ||
* Targeted compliance will show only the compliance of rules that explicitly include this group in their target. | ||
|
||
image::images/targeted.png[] | ||
|
||
== 📗 Policies | ||
|
||
=== Policy mode override by method | ||
|
||
The technique editor and YAML policies now allow overriding the policy | ||
mode at the block or method level. | ||
The policy mode is usually set at the node, directive or global level, | ||
and configures whether the policy should be audited or enforced. | ||
This new feature is different in the way it is designed to operate inside the technique | ||
itself. | ||
It allows two things, lifting a long-time constraint of techniques: | ||
|
||
* overriding a policy part to enforce, to make an action necessary for an audit but not modifying the system, for example, running an audit script, creating a temporary file required for audit. | ||
* overriding a policy part to audit, to make the checks necessary in enforce mode without modifying the system, for example, checking for the presence of a user or package. | ||
|
||
image::images/override.png[] | ||
|
||
[source, yaml] | ||
---- | ||
items: | ||
- name: "Check chrony package" | ||
condition: "debian" | ||
method: package_present | ||
params: | ||
name: "chrony" | ||
# either "enforce", "audit" or "none" (default) | ||
policy_mode_override: "audit" | ||
---- | ||
|
||
=== Select parameters in the technique editor's techniques | ||
|
||
Technique parameters can now be restricted to a limited set of values. | ||
This is available both in the technique editor and in YAML techniques, and | ||
allows creating more robust interfaces, and prevents users of the technique | ||
from entering invalid values. | ||
|
||
There are two fields, one for the value actually used in the directive technique, | ||
and one to display in the directive form. | ||
|
||
image::images/select1.png[] | ||
|
||
[source, yaml] | ||
---- | ||
params: | ||
- name: ntp_server | ||
constraints: | ||
select: | ||
- value: "192.123.23.21" | ||
# If omitted, uses "value" as name | ||
name: "DC1" | ||
- value: "192.123.22.21" | ||
name: "DC2" | ||
---- | ||
|
||
In the directive form: | ||
|
||
image::images/select2.png[] | ||
|
||
== Identity and Access Management | ||
|
||
=== Multi-tenant server | ||
|
||
We are introducing a major new concept in Rudder ACLs, representing | ||
different teams working on the same Rudder server but | ||
operating different sets of nodes, called tenants. | ||
|
||
A Rudder server can be used by different tenants, which are | ||
defined as a set of users and a set of node groups. | ||
These users will only be able to read information about the nodes part of their tenant. | ||
A dedicated interface is also part of the feature, allowinf to manage the tenants of the server. | ||
Allowing |
||
|
||
NOTE: It is for now limited to read-only users. | ||
|
||
image::images/tenant.png[] | ||
|
||
=== OIDC-based user provisioning | ||
|
||
You can now provision your Rudder users on the fly directly from | ||
an OpenID Connect server. | ||
This allows managing them dynamically, and integrating smoothly | ||
in a user provisioning process. | ||
|
||
=== 👥 Extended user information | ||
|
||
In addition to the login and roles, it is now possible to store | ||
other information about the users: | ||
|
||
image::images/user.png[] | ||
|
||
We also now store all session history for users in the database, | ||
and the last login date is available in the user | ||
management page. | ||
|
||
== 🛠️ Under the hood | ||
|
||
=== New rudder package command | ||
|
||
The plugin manager has been rewritten, and its command-line interface is now simpler | ||
and more user-friendly. | ||
All commands taking plugin names now accept multiple values. | ||
|
||
The new interface is not compatible with the earlier one, and the arguments and options | ||
were reworked. For most used commands, the changes are: | ||
|
||
* `rudder package install-file <file>` -> `rudder package install <file>` | ||
* `rudder package plugin enable/disable <plugin>` -> `rudder package enable/disable <plugin>` | ||
* `rudder package check-connection` -> `rudder package update --check` | ||
|
||
You can still use the previous implementation with `RUDDER_PKG_COMPAT=1 rudder package ...`, but it will | ||
be removed in an upcoming release. | ||
|
||
image::images/package.png[] | ||
|
||
=== 🔒 CSP headers | ||
|
||
To continue to strengthen the security of Rudder, we are introducing new | ||
`Content-Security-Policy` HTTP headers for Rudder's interface, | ||
achieving https://csp.withgoogle.com/docs/strict-csp.html[strict CSP], | ||
by leveraging the latest features of the browsers (CSP level 3 and `strict-dynamic`), | ||
for modern XSS protection. | ||
This is for now restricted to the _Health check_ page and will be extended in upcoming versions. | ||
|
||
=== Python dependency for Linux agents | ||
|
||
We added the system Python package as a dependency for our agent, | ||
as it was already required for package management features, and jinja2 templating. | ||
|
||
=== ZIO JSON | ||
|
||
In the internals of the Web application, as part of our migration | ||
to the ZIO framework, we've rewritten a lot of our JSON/YAML serializers and deserializers using ZIO JSON. | ||
|
||
=== Refactoring of our Rust projects | ||
|
||
We now have a common cargo workspace for all our projects, enabling | ||
more consistent dependency management. We also have a common library for | ||
Rudder CLIs written in Rust, providing a consistent terminal UI/UX. | ||
|
||
=== SASS preprocessor & Bootstrap 5 | ||
|
||
We upgraded our main CSS library, https://getbootstrap.com/[Bootstrap], to its latest major version. | ||
This required important refactoring that also leads to the introduction of a CSS compilation | ||
using SASS preprocessor. | ||
|
||
// === CycloneDX SBOM | ||
|
||
== 💾 Installing, upgrading and testing | ||
|
||
* Install docs for https://docs.rudder.io/reference/8.1/installation/server/debian.html[Debian/Ubuntu], | ||
|
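Review bot: In the "Multi-tenant server" section, the line "NOTE: It is for now limited to read-only users." does not say what "It" refers to, so a reader cannot tell whether the restriction to a tenant's nodes also holds for users with write roles; state the subject explicitly (the tenant feature as a whole, or only the management interface). The same paragraph has the typo "allowinf" (should be "allowing"), and "the nodes part of their tenant" reads better as "the nodes that are part of their tenant". In the select-parameter YAML example, the values "192.123.23.21" and "192.123.22.21" are publicly routable addresses; addresses from a documentation range such as 192.0.2.0/24 (RFC 5737) are a safer choice for published examples. In "New rudder package command", the renames are given only "For most used commands", so a pointer to the full command reference would help anyone whose scripts call the old interface before the `RUDDER_PKG_COMPAT=1` fallback is removed.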
Users or api tokens