From fddb8bf8530631a1e8bfb3ea021d13eabad588e0 Mon Sep 17 00:00:00 2001 From: Wade Simmons Date: Mon, 6 May 2024 10:30:47 -0400 Subject: [PATCH 1/5] prepare CHANGELOG for v1.9.0 WIP - https://github.com/slackhq/nebula/pulls?q=is%3Apr+milestone%3Av1.9.0+is%3Aclosed+-label%3Adependencies --- CHANGELOG.md | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 71c3ed47b..82dfbb946 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,22 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +## [1.9.0] - 2024-05-07 + +### Added + +- Nebula now has an official Docker image `nebulaoss/nebula` that is + distroless and contains just the `nebula` and `nebula-cert` binaries. You + can find it here: https://hub.docker.com/r/nebulaoss/nebula (#1037) + +### Changed + +- We are now building with go1.22, which means that for Windows you need at + least Windows 10 or Windows Server 2016. This is because support for earlier + versions was removed in Go 1.21. See https://go.dev/doc/go1.21#windows (#981) + +### Fixed + ## [1.8.2] - 2024-01-08 ### Fixed @@ -558,7 +574,8 @@ created.) - Initial public release. -[Unreleased]: https://github.com/slackhq/nebula/compare/v1.8.2...HEAD +[Unreleased]: https://github.com/slackhq/nebula/compare/v1.9.0...HEAD +[1.9.0]: https://github.com/slackhq/nebula/releases/tag/v1.9.0 [1.8.2]: https://github.com/slackhq/nebula/releases/tag/v1.8.2 [1.8.1]: https://github.com/slackhq/nebula/releases/tag/v1.8.1 [1.8.0]: https://github.com/slackhq/nebula/releases/tag/v1.8.0 From 2e37a624c87fc2bb9c64f8e8fd6ee3d521c204f3 Mon Sep 17 00:00:00 2001 From: Wade Simmons Date: Tue, 7 May 2024 11:28:28 -0400 Subject: [PATCH 2/5] lots of CHANGELOG --- CHANGELOG.md | 52 +++++++++++++++++++++++++++++++++++++++++++++ README.md | 5 +++++ examples/config.yml | 4 ++-- 3 files changed, 59 insertions(+), 2 deletions(-) 
diff --git a/CHANGELOG.md b/CHANGELOG.md index 82dfbb946..7608ff98e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -9,20 +9,72 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [1.9.0] - 2024-05-07 +### Deprecated + +- This release adds a new setting `default_local_cidr_any` that defaults to + true to match previous behavior, but will default to false in a future + release. When set to false, `local_cidr` is matched correctly for firewall + rules on hosts acting as unsafe routers, and should be set for any firewall + rules you want to allow unsafe route hosts to access. See the issue and + example config for more details. (#1071, #1099) + ### Added - Nebula now has an official Docker image `nebulaoss/nebula` that is distroless and contains just the `nebula` and `nebula-cert` binaries. You can find it here: https://hub.docker.com/r/nebulaoss/nebula (#1037) +- Experimental binaries for `loong64` are now provided. (#1003) + +- Added example service script for OpenRC. (#711) + +- The SSH daemon now supports inlined host keys. (#1054) + +- The SSH daemon now supports certificates with `sshd.trusted_cas`. (#1098) + ### Changed +- Config setting `tun.unsafe_routes` is now reloadable. (#1083) + +- Allow `::` in `lighthouse.dns.host`. (#1115) + +- Small documentation and internal improvements. (#1065, #1067, #1069, #1108, + #1109, #1111, #1135) + +- Various dependency updates. (#1139, #1138, #1134, #1133, #1126, #1123, #1110, + #1094, #1092, #1087, #1086, #1085, #1072, #1063, #1059, #1055, #1053, #1047, + #1046, #1034, #1022) + +### Removed + +- Support for the deprecated `local_range` option has been removed. Please + change to `preferred_ranges` (which is also now reloadable). (#1043) + - We are now building with go1.22, which means that for Windows you need at least Windows 10 or Windows Server 2016. This is because support for earlier versions was removed in Go 1.21. See https://go.dev/doc/go1.21#windows (#981) +- Removed vagrant example, as it was unmaintained. 
(#1129) + +- Removed Fedora and Arch nebula.service files, as they are maintained in the + upstream repos. (#1128, #1132) + +- Remove the TCP round trip tracking metrics, as they never had correct data + and were an experiment to begin with. (#1114) + ### Fixed +- Fixed a potential deadlock introduced in 1.8.1. (#1112) + +- Fixed support for Linux when IPv6 has been disabled at the OS level. (#787) + +- DNS will return NXDOMAIN now when there are no results. (#845) + +- Capitalization of `NotAfter` fixed in DNS TXT response. (#1127) + +- Don't log invalid certificates. It is untrusted data and can cause a large + volume of logs. (#1116) + ## [1.8.2] - 2024-01-08 ### Fixed diff --git a/README.md b/README.md index 51e913d5d..0d1ce10b4 100644 --- a/README.md +++ b/README.md @@ -52,6 +52,11 @@ Check the [releases](https://github.com/slackhq/nebula/releases/latest) page for $ brew install nebula ``` +- [Docker](https://hub.docker.com/r/nebulaoss/nebula) + ``` + $ docker run nebulaoss/nebula + ``` + #### Mobile - [iOS](https://apps.apple.com/us/app/mobile-nebula/id1509587936?itsct=apps_box&itscg=30200) diff --git a/examples/config.yml b/examples/config.yml index 7886f0e71..c74ffc68f 100644 --- a/examples/config.yml +++ b/examples/config.yml @@ -167,8 +167,7 @@ punchy: # Preferred ranges is used to define a hint about the local network ranges, which speeds up discovering the fastest # path to a network adjacent nebula node. -# NOTE: the previous option "local_range" only allowed definition of a single range -# and has been deprecated for "preferred_ranges" +# This setting is reloadable. #preferred_ranges: ["172.16.0.0/24"] # sshd can expose informational and administrative functions via ssh. This can expose informational and administrative 
@@ -233,6 +232,7 @@ tun: # `mtu`: will default to tun mtu if this option is not specified # `metric`: will default to 0 if this option is not specified # `install`: will default to true, controls whether this route is installed in the systems routing table. + # This setting is reloadable. unsafe_routes: #- route: 172.16.1.0/24 # via: 192.168.100.99 From 247a9ab50b3679db44e528d38098d338e40963c8 Mon Sep 17 00:00:00 2001 From: Wade Simmons Date: Tue, 7 May 2024 12:31:44 -0400 Subject: [PATCH 3/5] Update README.md Co-authored-by: John Maguire --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 0d1ce10b4..65ea91f51 100644 --- a/README.md +++ b/README.md @@ -54,7 +54,7 @@ Check the [releases](https://github.com/slackhq/nebula/releases/latest) page for - [Docker](https://hub.docker.com/r/nebulaoss/nebula) ``` - $ docker run nebulaoss/nebula + $ docker pull nebulaoss/nebula ``` #### Mobile From 288c26128c2eb7216d07dc296bd45f228b1daa86 Mon Sep 17 00:00:00 2001 From: Wade Simmons Date: Tue, 7 May 2024 13:09:06 -0400 Subject: [PATCH 4/5] move to Fixed --- CHANGELOG.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7608ff98e..907d23e0d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -36,8 +36,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Config setting `tun.unsafe_routes` is now reloadable. (#1083) -- Allow `::` in `lighthouse.dns.host`. (#1115) - - Small documentation and internal improvements. (#1065, #1067, #1069, #1108, #1109, #1111, #1135) @@ -70,6 +68,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - DNS will return NXDOMAIN now when there are no results. (#845) +- Allow `::` in `lighthouse.dns.host`. (#1115) + - Capitalization of `NotAfter` fixed in DNS TXT response. (#1127) - Don't log invalid certificates. It is untrusted data and can cause a large 
From 49a35a9daeb01538be0b96a35f42a5defa7a3cb3 Mon Sep 17 00:00:00 2001 From: Wade Simmons Date: Tue, 7 May 2024 13:15:35 -0400 Subject: [PATCH 5/5] note the next release --- CHANGELOG.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 907d23e0d..b7b3e01fb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,11 +12,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Deprecated - This release adds a new setting `default_local_cidr_any` that defaults to - true to match previous behavior, but will default to false in a future - release. When set to false, `local_cidr` is matched correctly for firewall - rules on hosts acting as unsafe routers, and should be set for any firewall - rules you want to allow unsafe route hosts to access. See the issue and - example config for more details. (#1071, #1099) + true to match previous behavior, but will default to false in the next + release (1.10). When set to false, `local_cidr` is matched correctly for + firewall rules on hosts acting as unsafe routers, and should be set for any + firewall rules you want to allow unsafe route hosts to access. See the issue + and example config for more details. (#1071, #1099) ### Added
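Review bot: In PATCH 2/5, CHANGELOG.md hunk `@@ -9,20 +9,72 @@`, the new `### Removed` heading and the `local_range` entry are inserted above the existing go1.22 entry, so "We are now building with go1.22 ..." now sits under Removed instead of Changed. If that is intended, reword the entry to lead with what was removed (support for Windows versions older than Windows 10 or Windows Server 2016); otherwise move the `### Removed` block below it. Separately, the "Don't log invalid certificates" entry could say whether the failure is still visible anywhere (a lower log level, a counter), since anyone alerting on those log lines loses that signal after upgrading.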
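Review bot: In PATCH 2/5, examples/config.yml hunk `@@ -167,8 +167,7 @@`, the two removed NOTE lines were the only mention of `local_range` in the example config, and they are dropped in the same release that removes support for the option. Consider keeping a one-line pointer next to `preferred_ranges` saying that `local_range` was removed in 1.9.0 and that `preferred_ranges` replaces it, so someone upgrading an old config finds the replacement here and not only in the CHANGELOG.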
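Review bot: In PATCH 2/5, examples/config.yml hunk `@@ -233,6 +232,7 @@`, the added `# This setting is reloadable.` comment follows the description of the `install` sub-option, so it reads as if only `install` is reloadable. Name the setting in the comment, for example "`unsafe_routes` is reloadable.", which also matches the CHANGELOG entry for `tun.unsafe_routes`.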
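Review bot: In PATCH 3/5, README.md, `$ docker pull nebulaoss/nebula` has no tag, so it fetches whatever the default tag points to at pull time. For an install instruction, consider showing a pinned release tag or an image digest so that what gets deployed is reproducible and reviewable. The README also now shows how to fetch the image but no longer how to start it, since the `docker run nebulaoss/nebula` line from PATCH 2/5 is replaced; a short pointer to run instructions would close that gap.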
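Review bot: In PATCH 5/5, the rewritten Deprecated entry still leaves "and should be set for any firewall rules you want to allow unsafe route hosts to access" without a clear subject; it can be read as "`default_local_cidr_any` should be set", while the sentence appears to mean `local_cidr`. Since the default becomes false in 1.10 and changes how firewall rules match on hosts acting as unsafe routers, state the upgrade action explicitly (which rules need `local_cidr` added before the default changes), and replace "See the issue" with a link to the issue. Also confirm that examples/config.yml already documents `default_local_cidr_any`, because no hunk in this series adds it there.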