Merge pull request #56 from ns1/release/2.5.1

Release 2.5.1
ns1 · May 22, 2020 · f1eb084 · f1eb084
2 parents 94b40b5 + 947b7b0
commit f1eb084
Show file tree

Hide file tree

Showing 14 changed files with 332 additions and 19 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,29 @@
+## 2.5.1 (May 22, 2020)
+- New Features
+  - AD DDNS: Connect remote servers, remote zones and Scope Groups to configure NS1 DHCP to send insecure- or GSS-TSIG secured DDNS updates to a Microsoft DNS server on behalf of a DHCP client
+  - IAM: Tag-based permissions allow granular access control of IPAM and DHCP resources (API only)
+- Feature Enhancements
+  - DNS: Added validation and controls to prevent requests removing required configurations of filter chains
+  - IAM: Team names now allow special characters < > and &
+  - Portal: Usernames can now be up to 64 characters in length
+  - System: Container disk space footprint reduced by as much as 33%
+- What’s fixed?
+  - Security: Recursive resolver has been patched to prevent CVE-2020-12662 and CVE-2020-12663 (NXNSAttack)
+  - API: Character validation of usernames is now working as expected
+  - API: Made response consistent with other DELETE methods for the v1/ipam/address/{id}/pool/{id} endpoint
+  - API: Fixed issue with API pagination for a domain with multiple record types where records could be truncated from the next page’s list
+  - API: Service definitions no longer require the properties field when created
+  - DHCP: Fixed an issue where lease information did not appear under scopes in the portal
+  - DHCP: Fixed an issue where DHCP options would sometimes fail to apply to leases
+  - DHCP: Fixed an issue where an extra, blank scope could be generated when adding a subnet to a scope group
+- Known issues
+  - AD DDNS: GSS-TSIG updates fails when using principal with AES256-SHA1 encryption
+  - DHCP: Updates are poorly formatted when sending to an AD DNS server where the DHCID record exists
+  - System: Enabling strict communication between containers causes inter-container connectivity to fail
+  - Portal: Creating a new Remote Connection after creating one will pre-populate the fields with the existing info.
+  - Portal: Bootstrap UI does not create DHCP service group and definition
+
+
 ## 2.5.0 (May 8, 2020)
 - New Features
   - API: Added bulk operations endpoints for IPAM and DHCP tagging at scale

diff --git a/docker-compose/control-compose.yml b/docker-compose/control-compose.yml
@@ -2,7 +2,7 @@
 version: '3.2'
 services:
   data:
-    image: ns1inc/privatedns_data:${TAG:-2.5.0}
+    image: ns1inc/privatedns_data:${TAG:-2.5.1}
     logging:
       driver: "json-file"
       options:
@@ -55,7 +55,7 @@ services:
       --server_id            ${SERVER_ID:-myserver}
       --expose_ops_metrics   true
   core:
-    image: ns1inc/privatedns_core:${TAG:-2.5.0}
+    image: ns1inc/privatedns_core:${TAG:-2.5.1}
     logging:
       driver: "json-file"
       options:
@@ -92,7 +92,7 @@ services:
       --hostmaster_email   ${HOSTMASTER_EMAIL:[email protected]}
       --enable_ops_metrics true
   xfr:
-    image: ns1inc/privatedns_xfr:${TAG:-2.5.0}
+    image: ns1inc/privatedns_xfr:${TAG:-2.5.1}
     logging:
       driver: "json-file"
       options:

diff --git a/docker-compose/docker-compose.yml b/docker-compose/docker-compose.yml
@@ -2,7 +2,7 @@
 version: '3.2'
 services:
   data:
-    image: ns1inc/privatedns_data:${TAG:-2.5.0}
+    image: ns1inc/privatedns_data:${TAG:-2.5.1}
     logging:
       driver: "json-file"
       options:
@@ -42,7 +42,7 @@ services:
       --server_id            ${SERVER_ID:-myserver}
       --expose_ops_metrics   true
   core:
-    image: ns1inc/privatedns_core:${TAG:-2.5.0}
+    image: ns1inc/privatedns_core:${TAG:-2.5.1}
     logging:
       driver: "json-file"
       options:
@@ -79,7 +79,7 @@ services:
       --hostmaster_email   ${HOSTMASTER_EMAIL:[email protected]}
       --enable_ops_metrics true
   xfr:
-    image: ns1inc/privatedns_xfr:${TAG:-2.5.0}
+    image: ns1inc/privatedns_xfr:${TAG:-2.5.1}
     logging:
       driver: "json-file"
       options:
@@ -110,7 +110,7 @@ services:
       --core_host           ${CORE_HOSTS:-core}
       --enable_ops_metrics  true
   dns:
-    image: ns1inc/privatedns_dns:${TAG:-2.5.0}
+    image: ns1inc/privatedns_dns:${TAG:-2.5.1}
     logging:
       driver: "json-file"
       options:
@@ -142,7 +142,7 @@ services:
       --operation_mode      ${OPERATION_MODE:-authoritative}
       --enable_ops_metrics  true
   dhcp:
-    image: ns1inc/privatedns_dhcp:${TAG:-2.5.0}
+    image: ns1inc/privatedns_dhcp:${TAG:-2.5.1}
     logging:
       driver: "json-file"
       options:
@@ -181,7 +181,7 @@ services:
       --dhcp_service_def_id 2
       --enable_ops_metrics  true
   dist:
-    image: ns1inc/privatedns_dist:${TAG:-2.5.0}
+    image: ns1inc/privatedns_dist:${TAG:-2.5.1}
     logging:
       driver: "json-file"
       options:
@@ -212,6 +212,38 @@ services:
       --server_id            ${SERVER_ID:-myserver}
       --core_host            ${CORE_HOSTS:-core}
       --enable_ops_metrics   true
+  monitoring_edge:
+    image: ns1inc/privatedns_monitoring_edge:${TAG:-2.5.1}
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "10m"
+        max-file: "10"
+    environment:
+      CONFIG_PORT: 3308
+      CONTAINER_NAME: ${MONITORING_EDGE_CONTAINER_NAME:-monitoring_edge}
+    restart: unless-stopped
+    ports:
+      - "3308:3300" # http configuration
+    healthcheck:
+      test: supd health --check
+      interval: 15s
+      timeout: 10s
+      retries: 3
+    volumes:
+      - type: volume
+        source: ns1monitoringedge
+        target: /ns1/data
+        volume:
+          nocopy: true
+    command: >-
+      --pop_id                 ${POP_ID:-mypop}
+      --server_id              ${SERVER_ID:-myserver}
+      --core_host              ${CORE_HOSTS:-dist}
+      --enable_ops_metrics     true
+      --digest_service_def_id  3
+      --inst_id                1
+      --use_privileged_ping    true
 networks:
   default:
     driver: bridge
@@ -226,3 +258,4 @@ volumes:
   ns1dns:
   ns1dist:
   ns1dhcp:
+  ns1monitoringedge:
diff --git a/docker-compose/edge-compose.yml b/docker-compose/edge-compose.yml
@@ -2,7 +2,7 @@
 version: '3.2'
 services:
   dns:
-    image: ns1inc/privatedns_dns:${TAG:-2.5.0}
+    image: ns1inc/privatedns_dns:${TAG:-2.5.1}
     logging:
       driver: "json-file"
       options:
@@ -34,7 +34,7 @@ services:
       --operation_mode      ${OPERATION_MODE:-authoritative}
       --enable_ops_metrics  true
   dhcp:
-    image: ns1inc/privatedns_dhcp:${TAG:-2.5.0}
+    image: ns1inc/privatedns_dhcp:${TAG:-2.5.1}
     logging:
       driver: "json-file"
       options:
@@ -73,7 +73,7 @@ services:
       --dhcp_service_def_id 2
       --enable_ops_metrics  true
   dist:
-    image: ns1inc/privatedns_dist:${TAG:-2.5.0}
+    image: ns1inc/privatedns_dist:${TAG:-2.5.1}
     logging:
       driver: "json-file"
       options:
@@ -106,6 +106,38 @@ services:
       --server_id            ${SERVER_ID:-myserver}
       --core_host            ${CORE_HOSTS}
       --enable_ops_metrics   true
+  monitoring_edge:
+    image: ns1inc/privatedns_monitoring_edge:${TAG:-2.5.1}
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "10m"
+        max-file: "10"
+    environment:
+      CONFIG_PORT: 3308
+      CONTAINER_NAME: ${MONITORING_EDGE_CONTAINER_NAME:-monitoring_edge}
+    restart: unless-stopped
+    ports:
+      - "3308:3300" # http configuration
+    healthcheck:
+      test: supd health --check
+      interval: 15s
+      timeout: 10s
+      retries: 3
+    volumes:
+      - type: volume
+        source: ns1monitoringedge
+        target: /ns1/data
+        volume:
+          nocopy: true
+    command: >-
+      --pop_id                 ${POP_ID:-mypop}
+      --server_id              ${SERVER_ID:-myserver}
+      --core_host              ${CORE_HOSTS:-dist}
+      --enable_ops_metrics     true
+      --digest_service_def_id  3
+      --inst_id                1
+      --use_privileged_ping    true
 networks:
   default:
     driver: bridge
@@ -117,3 +149,4 @@ volumes:
   ns1dns:
   ns1dist:
   ns1dhcp:
+  ns1monitoringedge:
diff --git a/terraform/examples/multi-node-cluster/main.tf b/terraform/examples/multi-node-cluster/main.tf
@@ -276,3 +276,20 @@ module "dist" {
   pop_id                   = var.edge01_pop_id
   server_id                = var.edge01_host
 }
+
+module "monitoring_edge" {
+  source                   = "../../modules/monitoring_edge"
+  docker_host              = "${var.docker_protocol}${var.edge01_host}"
+  docker_network           = docker_network.edge01.name
+  docker_image_username = var.docker_image_username
+  docker_image_repository = "${var.docker_image_repository}_monitoring_edge"
+  docker_image_tag = var.docker_image_tag
+  docker_registry_address  = var.docker_registry_address
+  docker_registry_username = var.docker_registry_username
+  docker_registry_password = var.docker_registry_password
+  docker_log_driver     = var.docker_log_driver
+  hostname    = var.monitoring_edge_hostname
+  pop_id                   = var.edge01_pop_id
+  server_id                = var.edge01_host
+  core_hosts = [element(split("@", var.control01_host), 1)]
+}
diff --git a/terraform/examples/multi-node-cluster/variables.tf b/terraform/examples/multi-node-cluster/variables.tf
@@ -11,7 +11,7 @@ variable "docker_registry_address" {
 }
 
 variable "docker_image_tag" {
-  default     = "2.5.0"
+  default     = "2.5.1"
   description = "The image tag of the Docker image. Defaults to the latest GA version number."
 }
 
@@ -149,3 +149,9 @@ variable "docker_log_driver" {
   default     = "json-file"
   description = "Docker log driver to use, see https://docs.docker.com/config/containers/logging/configure/"
 }
+
+variable "monitoring_edge_hostname" {
+  default     = "monitoring_edge"
+  description = "Hostmaster email address used in SOA records"
+}
+
diff --git a/terraform/modules/core/variables.tf b/terraform/modules/core/variables.tf
@@ -1,5 +1,5 @@
 variable "docker_image_tag" {
-  default     = "2.5.0"
+  default     = "2.5.1"
   description = "The image tag of the Docker image. Defaults to the latest GA version number."
 }
 

diff --git a/terraform/modules/data/variables.tf b/terraform/modules/data/variables.tf
@@ -1,5 +1,5 @@
 variable "docker_image_tag" {
-  default     = "2.5.0"
+  default     = "2.5.1"
   description = "The image tag of the Docker image. Defaults to the latest GA version number."
 }
 

diff --git a/terraform/modules/dhcp/variables.tf b/terraform/modules/dhcp/variables.tf
@@ -1,5 +1,5 @@
 variable "docker_image_tag" {
-  default     = "2.5.0"
+  default     = "2.5.1"
   description = "The image tag of the Docker image. Defaults to the latest GA version number."
 }
 

diff --git a/terraform/modules/dist/variables.tf b/terraform/modules/dist/variables.tf
@@ -1,5 +1,5 @@
 variable "docker_image_tag" {
-  default     = "2.5.0"
+  default     = "2.5.1"
   description = "The image tag of the Docker image. Defaults to the latest GA version number."
 }
 

diff --git a/terraform/modules/dns/variables.tf b/terraform/modules/dns/variables.tf
@@ -1,5 +1,5 @@
 variable "docker_image_tag" {
-  default     = "2.5.0"
+  default     = "2.5.1"
   description = "The image tag of the Docker image. Defaults to the latest GA version number."
 }
 

diff --git a/terraform/modules/monitoring_edge/main.tf b/terraform/modules/monitoring_edge/main.tf
@@ -0,0 +1,95 @@
+terraform {
+  required_version = ">= 0.12"
+}
+
+locals {
+  docker_image_name = "${var.docker_image_username}/${var.docker_image_repository}:${var.docker_image_tag}"
+}
+
+provider "docker" {
+  host = var.docker_host
+
+  # If registry address is provided, configure registry_auth
+  dynamic "registry_auth" {
+    for_each = var.docker_registry_address != null ? list(var.docker_registry_address) : []
+    iterator = address
+    content {
+      address  = address.value
+      username = var.docker_registry_username
+      password = var.docker_registry_password
+    }
+  }
+}
+
+data "docker_registry_image" "monitoring_edge" {
+  count = var.docker_registry_address != null ? 1 : 0
+  name  = local.docker_image_name
+}
+
+resource "docker_image" "monitoring_edge" {
+  count         = var.docker_registry_address != null ? 1 : 0
+  name          = data.docker_registry_image.monitoring_edge[count.index].name
+  pull_triggers = [data.docker_registry_image.monitoring_edge[count.index].sha256_digest]
+  keep_locally  = true
+}
+
+resource "docker_volume" "monitoring_edge" {
+  name = "ns1monitoring_edge"
+}
+
+resource "docker_container" "monitoring_edge" {
+  name = "monitoring_edge"
+  # If using registry, use sha of found image, otherwise use name that should be found on docker host
+  image = var.docker_registry_address != null ? docker_image.monitoring_edge[0].latest : local.docker_image_name
+
+  env = [
+    # "CONFIG_PORT=3305",
+    "CONTAINER_NAME=${var.container_name}",
+  ]
+
+  restart = "unless-stopped"
+
+  hostname = var.hostname
+
+  log_driver = var.docker_log_driver
+
+  healthcheck {
+    test     = ["CMD", "supd", "health"]
+    interval = "15s"
+    timeout  = "10s"
+    retries  = 3
+  }
+
+  volumes {
+    volume_name    = docker_volume.monitoring_edge.name
+    container_path = "/ns1/data"
+  }
+
+
+  command = [
+    "--pop_id",
+    var.pop_id,
+    "--server_id",
+    var.server_id,
+    "--core_host",
+    join(",", var.core_hosts),
+    "--monitoring_region",
+    var.monitoring_region,
+    "--digest_service_def_id",
+    var.digest_service_def_id,
+    "--log_level",
+    var.log_level,
+    "--metrics_addr_base",
+    var.metrics_addr_base,
+    "--inst_id",
+    var.inst_id,
+    "--use_privileged_ping",
+    var.use_privileged_ping,
+    "--jitter_seconds",
+    var.jitter_seconds,
+]
+
+  network_mode = "host"
+
+  privileged = true
+}