Skip to content

Releases: alan-turing-institute/data-safe-haven

v5.2.0

05 Dec 14:04
v5.2.0
3dfa5ce
Compare
Choose a tag to compare

Release Highlights

  • More logs collected in the log analytics workspace
    • Storage
      • Ingress and egress stores
      • Desired state files
      • Users' home directories
      • Container configuration and persistent state
    • Container services
    • Firewall
  • Better CLI feedback and error messages
  • Documentation improvements

Known issues

Backup is not functional. Following the notice in the documentation will not enable backup.

⚠️ Update may require manual intervention ⚠️

SRE name changes

The method of sanitising SRE names when creating remote configuration files changed in v5.1.0.
Previously, hyphens or underscores in the SRE name were removed from the name used for the remote configuration file.

If you have an SRE with a hyphen or underscore, you should download the configuration file before upgrading to v>=5.1.0.
Upload the configuration again once you have upgraded to v>=5.1.0.

Entra groups and applications

If you are upgrading from v5.0.0 you will need to delete the Microsoft Entra groups and applications previously created by dsh.
These are now managed by Pulumi, which will not be able to run correctly if resources with identical names already exist

You will also need to rerun the dsh shm deploy command, as some resources have been added to the SHM.

What's Changed

Full Changelog: v5.1.0...v5.2.0

v5.1.0

21 Nov 15:17
72711c5
Compare
Choose a tag to compare

Release Highlights

  • Logs from workspaces are now collected in a centralised log analytics workspace
  • Research user IP address fields in the SRE configuration can now be set to Internet, rather than a specific IP address
  • Bug fixes and documentation improvements

⚠️ Update may require manual intervention ⚠️

The method of sanitising SRE names when creating remote configuration files has changed.
Previously, hyphens or underscores in the SRE name were removed from the name used for the remote configuration file.
If you have an SRE with a hyphen or underscore, you should download the configuration file before upgrading to v5.1.0.
Upload the configuration again once you have upgraded to v5.1.0.

What's Changed

New Contributors

Full Changelog: v5.0.1...v5.1.0

v5.0.1

24 Oct 12:30
v5.0.1
2e915ef
Compare
Choose a tag to compare

Release Highlights

  • Bug fixes
  • Support for deployment of SREs to different subscriptions from their SHM
  • Enhanced user experience and documentation

⚠️ Update Requires Manual Intervention ⚠️

If you are upgrading from v5.0.0 you will need to delete the Microsoft Entra groups and applications previously created by dsh.
These are now managed by Pulumi, which will not be able to run correctly if resources with identical names already exist

You will also need to rerun the dsh shm deploy command, as some resources have been added to the SHM.

What's Changed

Full Changelog: v5.0.0...v5.0.1

v5.0.0

20 Aug 15:20
v5.0.0
3003ca4
Compare
Choose a tag to compare

Release v5.0.0

Upgrading

This is a major release and it not compatible with any previous versions.
To use this version you must start a new TRE deployment.

Changes

  • Complete rewrite of code in Python using IAC and configuration management tools Pulumi and Ansible

What's Changed

Read more

Release v5.0.0rc2

26 Jul 13:54
v5.0.0-rc2
996f54f
Compare
Choose a tag to compare
Release v5.0.0rc2 Pre-release
Pre-release

Release v5.0.0rc2

This release is not ready for production usage.

Known Issues

  • ClamAV not configured
  • Unstable container service IP addresses
  • Lacking Nvidia utils

What's Changed

  • Use pip-compile for package resolution by @jemrobinson in #1514
  • Add pip-tools to NON_IMPORTABLE_PACKAGES by @edwardchalstrey1 in #1537
  • Add May 2023 DSG to versioning by @jemrobinson in #1545
  • Release v4.1.0 cloud init changes by @edwardchalstrey1 in #1548
  • Update SRD package versions by @github-actions in #1578
  • Update PyPI and CRAN allow lists by @github-actions in #1579
  • Fix deployment issues with MSSQL and PyPi mirrors by @craddm in #1582
  • Update PyPI and CRAN allow lists by @github-actions in #1588
  • Update SRD package versions by @github-actions in #1587
  • Updates for Release v4.1.0 by @craddm in #1590
  • Release v4.1.0 by @craddm in #1586
  • Remove CoCalc by @craddm in #1554
  • Merge 'latest' into 'develop' by @craddm in #1593
  • Add script to automate account deletion by @edwardchalstrey1 in #1508
  • Add @craddm to CODEOWNERS by @jemrobinson in #1594
  • Update PyPI and CRAN allow lists by @github-actions in #1595
  • Remove pulumi testing files from develop branch by @craddm in #1597
  • Update PyPI and CRAN allow lists by @github-actions in #1601
  • Update SRD package versions by @github-actions in #1616
  • Update SRD package versions by @github-actions in #1622
  • Bump urllib3 from 2.0.2 to 2.0.6 in /docs by @dependabot in #1625
  • Improve Pulumi error messages by @craddm in #1624
  • Update PyPI and CRAN allow lists by @github-actions in #1627
  • Update PyPI and CRAN allow lists by @github-actions in #1631
  • Update SRD package versions by @github-actions in #1630
  • Improve Python documentation by @jemrobinson in #1635
  • Use Pulumi random provider by @jemrobinson in #1629
  • Pulumi: Fix selectors not updating by @JimMadge in #1621
  • Bump urllib3 from 2.0.6 to 2.0.7 in /docs by @dependabot in #1647
  • Remove hyphens from SHM and SRE names by @craddm in #1650
  • Update PyPI and CRAN allow lists by @github-actions in #1646
  • Update SRD package versions by @github-actions in #1652
  • Pulumi: Improve login flow by @JimMadge in #1617
  • Update PyPI and CRAN allow lists by @github-actions in #1654
  • Add all contributors table and instructions for how to update by @edwardchalstrey1 in #1649
  • Update PyPI and CRAN allow lists by @github-actions in #1656
  • Update PyPI and CRAN allow lists by @github-actions in #1668
  • Update SRD package versions by @github-actions in #1669
  • Update devcontainer configuration by @craddm in #1662
  • Update outdated parameters that cause breaking change warnings by @craddm in #1663
  • Change default lun from lun1 to lun0 by @craddm in #1667
  • Add context command by @JimMadge in #1655
  • Pulumi: Update dependencies, enable pinning by @JimMadge in #1660
  • Remove unneeded opening bracket in SRE network configuration script by @craddm in #1670
  • Update PyPI and CRAN allow lists by @github-actions in #1671
  • Use memory for the /tmp directory by @craddm in #1672
  • Factor out storage creation from SHM scripts by @craddm in #1673
  • Add missing import for logging module by @JimMadge in #1681
  • Update PyPI and CRAN allow lists by @github-actions in #1682
  • Update help text for Powershell command shmId andsreId arguments by @craddm in #1683
  • Update contributors by @JimMadge in #1684
  • Document removal of persistent SRE storage accounts by @craddm in #1685
  • docs: update @helendduncan as a contributor by @JimMadge in #1686
  • Update PyPI and CRAN allow lists by @github-actions in #1688
  • Update SRD package versions by @github-actions in #1692
  • Update PyPI and CRAN allow lists by @github-actions in #1693
  • Update PyPI and CRAN allow lists by @github-actions in #1694
  • Update DBeaver drivers using Github workflow by @craddm in #1696
  • Update SRD package versions by @github-actions in #1698
  • Bump jinja2 from 3.1.2 to 3.1.3 in /docs by @dependabot in #1700
  • Update SRD package versions by @github-actions in #1701
  • Update PyPI and CRAN allow lists by @github-actions in #1702
  • Update PyPI and CRAN allow lists by @github-actions in #1703
  • Handle no selected context by @JimMadge in #1691
  • Add basic config commands by @JimMadge in #1674
  • Fixing DBeaver driver issues on T2+ SREs by @craddm in #1704
  • Use Pydantic for validation and serialisation by @JimMadge in #1661
  • Improve handling of spaces in file paths by @craddm in #1705
  • Update PyPI and CRAN allow lists by @github-actions in #1706
  • Create pulumi container by @jemrobinson in #1711
  • Fix private link scope by @jemrobinson in #1713
  • Improve handling of SRE names by @JimMadge in #1699
  • Apply changes from updated black version by @jemrobinson in #1718
  • Bump black version by @JimMadge in #1719
  • Fix some issues with context handling at deployment time by @jemrobinson in #1716
  • Update SRD package versions by @github-actions in #1723
  • Correct file path for clamonacc service by @craddm in #1725
  • Add additional multiple data provider guidance to docs by @craddm in #1707
  • Update SRD package versions by @github-actions in #1727
  • Fix Pos...
Read more

Release 4.2.2 (2024-07-15)

15 Jul 14:53
008d346
Compare
Choose a tag to compare

⚠️ Update Requires Manual Intervention ⚠️

If you are using a 4.2.x SHM and want to upgrade to 4.2.2, please follow the steps below:

For the SHM:

  1. Add a docker section to your SHM config with a username and personal access token (following the SHM deployment instructions)
  2. Re-run Setup_SHM_Networking.ps1 -shmId {shm} from deployment/safe_haven_management/setup

For any SRE that you deployed using an earlier 4.2.x version:

  1. Delete the GUACAMOLE-SRE-{sreId} VM and associated resources from the
    RG_SHM_{shmId}_SRE_{sreId}_REMOTE_DESKTOP resource group
  2. Re-run the deployment script Deploy_SRE.ps1 -shmId {shm} -sreId {sre} -VmSizes {as before} from deployment/secure_research_environment/setup

Known issues

  • As for 4.2.0, 4.2.1

Bug Fixes

  • Workaround for an issue where Let's Encrypt refused to provide certificates for uppercase FQDNs #1938
  • Fix for change in Azure supported public IP address SKU for VPNs, which prevented deployment of the virtual network gateway for accessing domain controllers #1947
  • Require supply of Docker Hub credentials to work round change in Docker download rate limits #1994
  • Update approved IP address list for Ubuntu apt repositories
  • Update to backup policy rules for Blob storage #1988

Full Changelog: v4.2.1...v4.2.2

Release v4.2.1 (2024-05-31)

31 May 14:42
bee9fc4
Compare
Choose a tag to compare

⚠️ Update Requires Manual Intervention ⚠️

If you are using a 4.2.0 SHM and want to upgrade to 4.2.1, please follow the steps below:

  1. Delete the GUACAMOLE-SRE-{sreId} VM and associated resources from the RG_SHM_{shmId}_SRE_{sreId}_REMOTE_DESKTOP resource group
  2. Re-run the deployment script Deploy_SRE.ps1 -shmId {shm} -sreId {sre} -VmSizes {as before} from deployment/secure_research_environment/setup

Known issues

  • As for 4.2.0

Bug Fixes

Full Changelog: v4.2.0...v4.2.1

Release 4.2.0 (2024-03-28)

28 Mar 14:26
v4.2.0
9f6fe58
Compare
Choose a tag to compare

⚠️ Update Requires Manual Intervention ⚠️

If you are using a 4.1.0 SHM and want to upgrade to 4.2.0, please follow the steps below:

  1. Run Setup_SHM_Firewall.ps1 -shmId {shmid}
  2. Run Setup_SHM_Networking.ps1 -shmId {shmid}
  3. Delete LINUX-UPDATES-SHM-{shmid} VM and associated resources from the RG_SHM_{shmid}_MONITORING resource group
  4. Delete RG_SHM_{shmid}_PACKAGE_REPOSITORIES resource group and all resources
  5. Run Setup_SHM_Update_Servers.ps1 -shmId {shmid} (Note that this needs to happen before any further resources are deployed, since any further Linux resources will need access to the Linux update proxy).
  6. Run Setup_SHM_Package_Repositories -shmId {shmid}
  7. Run Setup_SHM_Monitoring.ps1 -shmId {shmid}

Known issues

  • Jupyter notebook launched from GUI menu could not launch Python kernel, so it has been removed from the menu 0657647

New Features

  • Remove Microsoft Remote Desktop support: #1535
  • Remove CoCalc: #1554
  • Install dev dependencies in container: #1747
  • Add script to renew NFS share Stored Access Policies: #1739
  • Add script to automate account deletion: #1508
  • Factored out storage creation from SHM scripts #1673
  • SRD image updated, with latest Python versions available f3e890a

Bug Fixes

  • Update DBeaver drivers using Github workflow: #1696
  • Fixing DBeaver driver issues on T2+ SREs: #1704
  • Improve handling of spaces in file paths: #1705
  • Correct file path for Clam OnAccess scanning service: #1725
  • Fix PostgreSQL permissions and data schema, and relevant docs: #1708
  • Update outdated parameters that cause breaking change warnings: #1663
  • Change default lun from lun1 to lun0: #1667
  • Increase apt proxy server disk to 64 Gb: #1726
  • Remove omsagent from VM build image: #1732
  • Remove hyphens from SHM and SRE names in #1650
  • Update devcontainer configuration in #1662
  • Use memory for the /tmp directory in #1672
  • Remove unneeded opening bracket in SRE network configuration script #1670
  • Add missing import for logging module #1681
  • Fix cloud-init log parser using old name for event 58a85bc
  • Detect and remove omsagent installed on SRD image before generalization e168b05

Security Fixes

  • Update software on Guacamole and Nginx to latest versions: #1741
  • Update Nexus proxy server for T2/T3 package access: in #1744
  • Update CodiMD server version: #1743
  • Improve hardcoded domains and IP addresses: #1745
  • Prevent Nginx version information from appearing in http headers

Documentation updates

  • Add guidance on resizing NFS shares: #1749
  • Update documents to reflect change to Microsoft Entra ID: #1665
  • Update deprecation warning for MS RDS: #1542
  • Add explanation of how to change allowed inbound IP addresses: #1484
  • Add all contributors table and instructions for how to update: #1649
  • Update contributors: #1684
  • Document removal of persistent SRE storage accounts: #1685
  • docs: update contributors: #1686
  • Add additional multiple data provider guidance to docs: #1707
  • Add links to guides for terminal, Xfce, and Guacamole: #1737
  • Update help text for Powershell command shmId andsreId arguments #1683

Full Changelog: v4.1.0...v4.2.0

Release v5.0.0-rc.1 (2023-09-27)

02 Oct 14:59
afb29b4
Compare
Choose a tag to compare
Pre-release

First version of migration to Python using Pulumi. Penetration tested in September 2023.

Known Issues

This release is not ready for production usage.

Release 4.1.0 (2023-09-06)

06 Sep 10:12
v4.1.0
e9f4a1a
Compare
Choose a tag to compare

⚠️ Update Requires Manual Intervention ⚠️

If you are using a 4.X.Y SHM and want to upgrade to 4.1.0, please follow the steps below:

  • Run ./deployment/safe_haven_management/setup/Setup_SHM_Networking.ps1 -shmId <your SHM ID>
  • Restart the virtual machine at RG_SHM_<SHM name>_MONITORING/LINUX-UPDATES-SHM-<SHM name> in the Azure portal

Known Issues

Only phone call authentication works for MS RDS. This provides no on-screen MFA Prompt.

New Features

  • Allow device authentication in SHM deployment #1378
  • Add arrow CRAN package to Tier 3 core list #1391
  • Update Python in SRD images #1421

Bug Fixes

  • Update Powershell module requirements: #1368
  • Update supported Powershell version to 7.3.6
  • Prevent removal of backup data during dry run: #1383
  • Better package name matching for Nexus: #1447
  • Update SRD image: #1421
  • Add new servicebus endpoints for self-service password reset: #1423 and #1466
  • Modify location of requirements.txt in Dockerfile: #1469
  • Fixes of the SRD build related to python packages: #1514 and #1537
  • Fix allowlist generation: #1422
  • Update badges: #1371
  • Update caching in allowlists workflow: #1395
  • Fix incorrect logic around automated PR creation: #1426
  • Update Ubuntu apt server addresses #1548
  • Add docker.io to allowed-FQDNs #1548
  • Change cloud-init files to automatically select appropriate disk partition #1548
  • Fix MS-SQL database deployment #1580
  • Fix PyPi Tier 3 mirror failures #1581

Security Fixes

  • Fix non-allowed CRAN packages beginning with allowed name being installable: #1447
  • Update to firewall rules: #1519

Documentation Updates

  • Add instructions for installing documentation build dependencies: #1370
  • Add instructions to resize VMs: #1367
  • Update user management guide to explain adding users to security group and changing a phone number: #1389
  • Add instructions for GPU VM resizing: #1399
  • Add note on NVIDIA GPU support: #1406
  • Remove reference to unused System Administrators Security Group: #1407
  • Remove egress steps not carried out by System Manager: #1434
  • Update SRE user troubleshooting: #1435
  • Move from GitHub pages to ReadTheDocs #1468
  • Add Policy for software package requests: #1387
  • Add deprecation warning for MSRDS #1542
  • Add warning that MSRDS does not work with the Microsoft Authentication app. #1589
  • Add step for adding SSL certificate in step-by-step instructions for Guacamole #1590

Full Changelog: v4.0.3...release-v4.1.0