YunoHost 3.3 testing / Call for feedback

en

#1

Hello everyone !

We just released a new testing version for YunoHost and would be happy to receive feedback before releasing it as a stable version :yum:

This release includes various highlights :sparkles: such as:

  • the rework on the app install page, which makes it more beautiful and includes important info about the level/state of the app (c.f. screenshot)
  • the root password shall now be synced with the admin password. In addition, and in order to improve security, passwords constrains have been increased to require passwords to not be too common and at least 8 characters (advices are also displayed to encourage users to use various kind of characters).
  • the Metronome configuration has been updated! Some features which were previously disabled should now be working.
  • a few important bugs were fixed (namely dyndns update sometimes not updating properly, or a bug with php apps uninstalls breaking php-fpm)
  • many improvements on translations!

Thanks to all the (numerous!) contributors (ljf, irinia11y, Maniack, e-lie, tbille, xaloc33, Bram, flashemade, Maranda, Josue, frju365, Aleks, randomstuff, jershon, Genma, tituspijean, Quent-in, MyNameIsTroll, ButterflyOfFire, Jibec, silkevicious, Krzysztof Dmowski, tYYGH, goofy-mdn)! :heart:

Detailed changelog

:rainbow: Highlights

:hammer_and_wrench: Misc fixes / improvements

  • [enh] Add OCSP Stapling to nginx configuration if using Lets Encrypt (YunoHost#533)
  • [enh] Add CAA record in recommended DNS conf (YunoHost#528)
  • [enh] Improve cookie security (SSOwat#103)
  • [enh] Redirect after logout if r URI argument exists (SSOwat#109)
  • [helpers] Add ynh_delete_file_checksum (YunoHost#524)
  • [helpers] When using ynh_setup_source, silent unecessary messages (YunoHost#545)
  • [helpers] Use more blocks for dd in ynh_string_random (YunoHost#569)
  • [fix] Potential key error when retrieving install_time (YunoHost#551)
  • [fix] Remove unappropriate ‘whoami’ ldap warning (moulinette#173)
  • [fix] Allow - in user last names (YunoHost#565)
  • [fix] Fix possible HTTP2 issue with curl (YunoHost#547)
  • [fix] Fix BASE/URI in ldap conf (YunoHost#554)
  • [fix] Use random serial number for CA (prevent browser from complaining about some selfsigned certs) (YunoHost#557)
  • [enh] Pass Host header to YunoHost API (YunoHost#560)
  • [enh] Sort backup list according to their date (YunoHost#562)
  • [fix] Improve UX when admin tries to allocate reserved email alias (YunoHost#553)
  • [fix] Misc fixes / improvements in SSOwat (SSOwat#91, SSOwat#92)

How to participate to the beta-testing :construction_worker_woman: :construction_worker_man:

:warning: Do not do this on a critical server !

In the command line, you can launch this command to switch to testing :

curl https://install.yunohost.org/switchToTesting | bash

(if you are familiar with bash scripting, you might want to read what this does before blindly running the command)

After this command, you should see that you are running YunoHost 3.3.0.

What to test ? :space_invader: :telescope:

Here are a few specific items for which tests and feedback would be quite important ! If you tweaked nginx or metronome’s conf manually, make sure to update / regen the conf with yunohost service regen-conf nginx --force and yunohost service regen-conf metronome --force.

  • Check that the last migration (0006?) ran successfully during the upgrade;
  • Check out the new app installation page in the webadmin and report anything that shocks you or that you find is not clear;
  • Try to change a user password from the SSOwat interface (try to put a dummy password) and check that what happens make sense to you;
  • Try to navigate to apps from the SSO, especially apps that require authentication and are installed on a different domain than the main domain
  • If you are familiar with XMPP, try to see with a compliance tester if your XMPP setup got improved compared to the previous Yunohost versions

  • Check that HTTPS is still working properly with a Lets Encrypt certificate (bonus point if you find a way to validate that OCSP stapling is active ;P)

#2

Thanks for the work. Here is a quick feedback

yunohost service regen-conf

output of yunohost service regen-conf

root@yunohost:~# yunohost service regen-conf

Success! The configuration has been updated for service 'dnsmasq'
dnsmasq: 
  applied: 
    /etc/resolv.dnsmasq.conf: 
      status: updated
  pending: 
root@yunohost:~# 
root@yunohost:~# yunohost service regen-conf
Success! The configuration has been updated for service 'dnsmasq'
dnsmasq: 
  applied: 
    /etc/resolv.dnsmasq.conf: 
      status: updated
  pending: 
root@yunohost:~# 
  • Check that the last migration (0006?) ran successfully during the upgrade;

:+1:

  • Check out the new app installation page in the webadmin and report anything that shocks you or that you find is not clear;

First impression of the new panel:

  • Too many apps showned by default, it was like an “overflow” of information (and no category)
  • All apps sare howned so it made me feel that all can be installed and that they will work. The distinction between official and community is not really obvious IMO.
  • button “Only validated apps” does nothing (should list only officials apps?)
  • Try to change a user password from the SSOwat interface (try to put a dummy password) and check that what happens make sense to you;
  • changed the password twice and it worked each time.
  • Try to navigate to apps from the SSO, especially apps that require authentication and are installed on a different domain than the main domain
  • Apps on the different domain does not work anymore. The SSO login screen is displayed (freashrss, kanborad, agendac, roundcube, transmission)

main domain : a
different domain: b

  • If you are familiar with XMPP, try to see with a compliance tester if your XMPP setup got improved compared to the previous Yunohost versions

  • Check that HTTPS is still working properly with a Lets Encrypt certificate (bonus point if you find a way to validate that OCSP stapling is active ;P)

Did not tried this


#3

Bonsoir @Aleks ,

J’ai fait une sauvegarde et passĂ© la commande pour passer en testing.
Tout s’est bien passĂ©.
J’ai, comme indiquĂ©, exĂ©cutĂ© la migration 6 via l’interface web du panel.
Cette migration a eu pour consĂ©quence de changer mon mot de passe root par le mot de passe admin de l’interface web.
J’ai donc pu me reconnecter en SSH avec l’utilisateur root et du coup avec le mot de passe admin - maintenant commun au panel web.
J’ai pu me connecter Ă©galement Ă  mon NextCloud et tout y Ă©tait bien lĂ .

Bravo la Team Dev’ YunoHost :slight_smile:

ppr


#4

Hello,

I do not think this is a good idea. Or it should be optionnal. Admin and root have not the same rights on the server. I prefer having too different passwords.


#5

Do they ? If you are root, then you have all rights, and in particular you can su admin. And admin can sudo su without password so you are basically root. My understanding is that the only reasons behind the existence of the root user are :

  • Yunohost had to have some sort of root-like user in the LDAP ;
  • (more like a small, nice-to-have side effect) admin is a different name than root so you escape 90% of automatic bruteforce attacks on root

So having different passwords is just unecessary complexity in that case, and it opens a security hole if people forget to change an old / default root password somehow.

But if you really want to have different password, you can still define the admin password, then change the root password with passwd. Just be aware that if you change the admin password again, you need to re-set the root password.


#6

I did not know admin ssh connection was possible and you could sudo su without password. I don’t use this. I usually install a Debian classical machine with root and user which I use for distant connection.

On a classical Debian installation, distant root access is disabled.
You make admin the default account access on all YunoHost installations and it is not so original. Perhaps there less brute forc attacks on admin than on root, but they exist. As ftp, mail
 accounts. But that’s no the point, I ignored this behaviour (sudo su without password) and use my own custom account to connect to the server.

root password is set during Debian installation so it should not be " old ". :slight_smile:

Thanks for the answer, I understand better this change.


#7

I wish it could be that simple :wink: But one use case is to use pre-installed image, and some people run the postinstall directly from the web browser and might end up never connecting through SSH 
 So in that case, they might end up with an old/default password - so it shall be changed one way or another :confused:


#8

When running testing version, is there a way to switch back to stable ? Or to migrate from testing to the next stable when available?

( I did not break my Yunohost with this version :sweat_smile: :no_mouth:)


#9

You should edit /etc/apt/sources.list.d/yunohost.list (not 100% sure about the path) and remove 'testing'. (I’ll write a script that does this automatically at some point 
)

This way, once that more up-to-date stable packages will be available, they’ll replace your current testing packages (when doing apt update && apt dist-upgrade)


#10

Hello,

Everything seems ok after upgrading to YNH 3.3 on my raspberry 2B, great work :tada:

I have just something to say about changing user passwords :

  • From SSOwat interface : works well and error message is clear when password is too weak :+1:

  • From admin panel : putting a weak password causes an internal error. A look into the traceback can put us on the way but it’s really not explicit.
    In this case, having password inputs and advices about password strength text in red after submitting a weak password seem clearer to me


#11

I followed your instructions and upgraded smoothly to stable 3.3.1 :tada:

Apps on an an other domain run again :cowboy_hat_face:

root@yunohost:~# sudo apt-get update && sudo apt-get dist-upgrade
RĂ©ception de:1 http://debian.mirrors.ovh.net/debian stretch-updates InRelease [91,0 kB]
Ign:2 http://debian.mirrors.ovh.net/debian stretch InRelease                                   
RĂ©ception de:3 http://debian.mirrors.ovh.net/debian stretch Release [118 kB]                                              
RĂ©ception de:4 http://security.debian.org stretch/updates InRelease [94,3 kB]                                             
RĂ©ception de:5 http://forge.yunohost.org/debian stretch InRelease [18,2 kB]                                               
RĂ©ception de:7 http://security.debian.org stretch/updates/main Sources [185 kB]         
RĂ©ception de:8 http://security.debian.org stretch/updates/main amd64 Packages [460 kB]
RĂ©ception de:9 http://security.debian.org stretch/updates/main Translation-en [200 kB]
RĂ©ception de:10 http://forge.yunohost.org/debian stretch/stable amd64 Packages [4 305 B]
1 171 ko réceptionnés en 2s (400 ko/s)
Lecture des listes de paquets... Fait
Lecture des listes de paquets... Fait
Construction de l'arbre des dépendances       
Lecture des informations d'Ă©tat... Fait
Calcul de la mise Ă  jour... Fait
Les paquets suivants seront mis Ă  jour :
  ssowat yunohost yunohost-admin
3 mis à jour, 0 nouvellement installés, 0 à enlever et 0 non mis à jour.
Il est nécessaire de prendre 9 639 ko dans les archives.
AprÚs cette opération, 8 192 o d'espace disque supplémentaires seront utilisés.
Souhaitez-vous continuer ? [O/n] 
RĂ©ception de:1 http://forge.yunohost.org/debian stretch/stable amd64 ssowat all 3.3.1 [405 kB]
RĂ©ception de:2 http://forge.yunohost.org/debian stretch/stable amd64 yunohost all 3.3.1 [665 kB]
RĂ©ception de:3 http://forge.yunohost.org/debian stretch/stable amd64 yunohost-admin all 3.3.1 [8 569 kB]
9 639 ko réceptionnés en 1s (6 422 ko/s)    
(Lecture de la base de données... 61304 fichiers et répertoires déjà installés.)
Préparation du dépaquetage de .../archives/ssowat_3.3.1_all.deb ...
DĂ©paquetage de ssowat (3.3.1) sur (3.3.0) ...
Préparation du dépaquetage de .../yunohost_3.3.1_all.deb ...
DĂ©paquetage de yunohost (3.3.1) sur (3.3.0) ...
Préparation du dépaquetage de .../yunohost-admin_3.3.1_all.deb ...
DĂ©paquetage de yunohost-admin (3.3.1) sur (3.3.0) ...
Paramétrage de ssowat (3.3.1) ...
Traitement des actions différées (« triggers ») pour systemd (232-25+deb9u6) ...
Paramétrage de yunohost (3.3.1) ...
Regenerating configuration, this might take a while...
Success! The configuration has been updated for service 'ssl'
Success! The configuration has been updated for service 'dnsmasq'
Launching migrations..
Warning: No migrations to run
Restarting YunoHost firewall...
Paramétrage de yunohost-admin (3.3.1) ...

#12

How can we override this default behavior ?
Our CI will fail on every app with a password, and we need to override that behavior for all dev instances.


#13

Yes, you can run the following commands and it should disable every password strength check

$ yunohost settings set security.password.admin.strength -v -1
$ yunohost settings set security.password.user.strength -v -1