Releases: alan-turing-institute/data-safe-haven
v5.2.0
Release Highlights
- More logs collected in the log analytics workspace
  - Storage
    - Ingress and egress stores
    - Desired state files
    - Users' home directories
    - Container configuration and persistent state
  - Container services
  - Firewall
  - Storage
- Better CLI feedback and error messages
- Documentation improvements
Known issues
Backup is not functional. Following the notice in the documentation will not enable backup.
⚠️ Update may require manual intervention ⚠️
SRE name changes
The method of sanitising SRE names when creating remote configuration files changed in v5.1.0.
Previously, hyphens or underscores in the SRE name were removed from the name used for the remote configuration file.
If you have an SRE with a hyphen or underscore, you should download the configuration file before upgrading to v>=5.1.0.
Upload the configuration again once you have upgraded to v>=5.1.0.
Entra groups and applications
If you are upgrading from v5.0.0 you will need to delete the Microsoft Entra groups and applications previously created by dsh.
These are now managed by Pulumi, which will not be able to run correctly if resources with identical names already exist.
You will also need to rerun the dsh shm deploy command, as some resources have been added to the SHM.
What's Changed
- Cleaner exit when user credentials are incorrect by @craddm in #2296
- Print SRE FQDN when deployment finishes by @craddm in #2297
- Add logging for container instances by @JimMadge in #2295
- Merge latest (v5.1.0) into develop by @craddm in #2304
- Bump the production-dependencies group with 8 updates by @dependabot in #2306
- Add firewall logs by @JimMadge in #2308
- Update release checklist by @JimMadge in #2305
- Add workspace log docs by @craddm in #2312
- Ingest logs for blob containers by @JimMadge in #2310
- Add logging for file shares by @JimMadge in #2319
- Bump karancode/yamllint-github-action from 2.1.1 to 3.0.0 by @dependabot in #2324
- Bump the production-dependencies group with 9 updates by @dependabot in #2323
- Correct T2/3 PyPI/CRAN proxy information by @JimMadge in #2317
- Check that a user belongs to the correct SHM domain when registering with an SRE by @craddm in #2292
- [WIP] Add downloadable template security checklist by @craddm in #2328
- Release v5.2.0 by @JimMadge in #2326
Full Changelog: v5.1.0...v5.2.0
v5.1.0
Release Highlights
- Logs from workspaces are now collected in a centralised log analytics workspace
- Research user IP address fields in the SRE configuration can now be set to Internet, rather than a specific IP address
- Bug fixes and documentation improvements
⚠️ Update may require manual intervention ⚠️
The method of sanitising SRE names when creating remote configuration files has changed.
Previously, hyphens or underscores in the SRE name were removed from the name used for the remote configuration file.
If you have an SRE with a hyphen or underscore, you should download the configuration file before upgrading to v5.1.0.
Upload the configuration again once you have upgraded to v5.1.0.
What's Changed
- Bump the production-dependencies group with 13 updates by @dependabot in #2244
- Update all contributors by @JimMadge in #2257
- Merge release v5.0.1 into develop by @JimMadge in #2258
- Bump the production-dependencies group with 5 updates by @dependabot in #2259
- Update contributors names by @jemrobinson in #2260
- Bump ruff from 0.7.0 to 0.7.1 in the production-dependencies group by @dependabot in #2264
- Use Pulumi to create Entra applications by @jemrobinson in #2248
- Add confirmation checks and check for deployed SREs before teardown operations by @craddm in #2266
- Add additional documentation about the configuration of copy and paste by @craddm in #2265
- Enable monitoring agent to transmit to log analytics workspace by @craddm in #2279
- Bump lycheeverse/lychee-action from 2.0.2 to 2.1.0 by @dependabot in #2286
- Bump the production-dependencies group across 1 directory with 9 updates by @dependabot in #2287
- Allow 'Internet' for data providers IP by @JimMadge in #2247
- Change method of sanitising SRE names by @craddm in #2284
- [Documentation] Changing suggested SKU to Standard_D8s_v5 by @cptanalatriste in #2290
- docs: update @cptanalatriste as a contributor by @JimMadge in #2293
- Add documentation on updating SRE configurations by @craddm in #2291
- Bump the production-dependencies group with 8 updates by @dependabot in #2298
New Contributors
- @cptanalatriste made their first contribution in #2290
Full Changelog: v5.0.1...v5.1.0
v5.0.1
Release Highlights
- Bug fixes
- Support for deployment of SREs to different subscriptions from their SHM
- Enhanced user experience and documentation
⚠️ Update Requires Manual Intervention ⚠️
If you are upgrading from v5.0.0 you will need to delete the Microsoft Entra groups and applications previously created by dsh.
These are now managed by Pulumi, which will not be able to run correctly if resources with identical names already exist.
You will also need to rerun the dsh shm deploy command, as some resources have been added to the SHM.
What's Changed
- ⬆️ Update Python dependencies by @github-actions in #2118
- ⬆️ Update Python dependencies by @github-actions in #2139
- Merge v5.0.0 release back into develop by @jemrobinson in #2151
- Pin pyproject dependencies by @jemrobinson in #2154
- ⬆️ Bump typer from 0.12.4 to 0.12.5 by @dependabot in #2161
- ⬆️ Bump types-requests from 2.32.0.20240622 to 2.32.0.20240712 by @dependabot in #2162
- ⬆️ Bump black from 24.4.2 to 24.8.0 by @dependabot in #2163
- ⬆️ Bump ansible-dev-tools from 24.7.2 to 24.8.0 by @dependabot in #2165
- Add project metadata to pyproject.toml by @jemrobinson in #2166
- ⬆️ Bump ruff from 0.5.0 to 0.6.2 by @dependabot in #2164
- ⬆️ Bump coverage from 7.5.4 to 7.6.1 by @dependabot in #2168
- ⬆️ Bump mypy from 1.10.1 to 1.11.2 by @dependabot in #2169
- ⬆️ Bump rich from 13.7.1 to 13.8.0 by @dependabot in #2167
- ⬆️ Bump types-pyyaml from 6.0.12.20240311 to 6.0.12.20240808 by @dependabot in #2170
- ⬆️ Bump ansible from 10.2.0 to 10.3.0 by @dependabot in #2172
- Group dependabot updates into a smaller number of PRs by @jemrobinson in #2171
- ⬆️ Bump the production-dependencies group with 4 updates by @dependabot in #2177
- Update installation instructions by @jemrobinson in #2155
- Replace emoji codes with characters in README by @JimMadge in #2178
- ⬆️ Bump ruff from 0.6.2 to 0.6.3 in the production-dependencies group by @dependabot in #2179
- ⬆️ Bump peter-evans/create-pull-request from 6.1.0 to 7.0.1 by @dependabot in #2182
- ⬆️ Bump cryptography from 43.0.0 to 43.0.1 in /.hatch by @dependabot in #2180
- ⬆️ Bump cryptography from 43.0.0 to 43.0.1 by @dependabot in #2181
- ⬆️ Bump the production-dependencies group across 1 directory with 7 updates by @dependabot in #2186
- ⬆️ Bump the production-dependencies group with 7 updates by @dependabot in #2183
- ⬆️ Bump peter-evans/create-pull-request from 7.0.1 to 7.0.2 by @dependabot in #2190
- ⬆️ Bump the production-dependencies group with 13 updates by @dependabot in #2191
- Update mount points by @JimMadge in #2092
- Add ansible vars file by @JimMadge in #2115
- ⬆️ Bump peter-evans/create-pull-request from 7.0.2 to 7.0.5 by @dependabot in #2193
- ⬆️ Bump the production-dependencies group with 11 updates by @dependabot in #2194
- Show invalid config by @JimMadge in #2189
- docs: add @mattwestby as a contributor by @JimMadge in #2198
- Tidy ansible by @JimMadge in #2192
- Replace install deb script with Ansible tasks by @JimMadge in #2205
- Add log messages for SRE deployment by @JimMadge in #2204
- Update devcontainer by @craddm in #2206
- Raise exception when admin group name is not found by @craddm in #2196
- Bump the production-dependencies group with 7 updates by @dependabot in #2208
- Update to v0.6.0 of guacamole-user-sync by @jemrobinson in #2214
- Add notes on workspace VM sizes by @JimMadge in #2213
- Only print user tables for deployed SREs by @craddm in #2216
- Switch to psycopg[binary] by @jemrobinson in #2217
- Replace DBeaver with Beekeeper Studio by @JimMadge in #2218
- Use appropriate provider for SHM DNS record by @JimMadge in #2202
- Bump the production-dependencies group with 6 updates by @dependabot in #2224
- Update smoke tests for new mount locations by @JimMadge in #2219
- Modify workspace VM cloud-init to facilitate disk mounting and LDAP login by @craddm in #2223
- Move security group creation to Pulumi by @jemrobinson in #2160
- Use correct paths to shared, input, and output drives on desktop by @craddm in #2227
- Catch config upload validation errors by @craddm in #2211
- Add list of supported regions by @JimMadge in #2230
- Remove desktop files for gitea/hedgedoc by @JimMadge in #2226
- Remove ANSI escape sequences from logfile by @JimMadge in #2231
- Bump lycheeverse/lychee-action from 1.10.0 to 2.0.1 by @dependabot in #2236
- Bump the production-dependencies group with 10 updates by @dependabot in #2235
- Simplify code for checking config availability and SRE deployment status by @craddm in #2234
- Add internet by @JimMadge in #2233
- Fix Pulumi/dsh Python mismatch by @jemrobinson in #2240
- Bump lycheeverse/lychee-action from 2.0.1 to 2.0.2 by @dependabot in #2245
- Use SHM name instead of description for Entra app by @craddm in #2243
- Merge develop changes in 5.0.1rc1 by @JimMadge in #2246
- Unchangable Pulumi workspace configuration by @JimMadge in #2237
- Improve DNS delegation feedback by @JimMadge in #2253
- Standardise subscription logging by @jemrobinson in #2255
- Management documentation updates by @craddm in #2254
- Release 5.0.1 by @jemrobinson in #2251
Full Changelog: v5.0.0...v5.0.1
v5.0.0
Release v5.0.0
Upgrading
This is a major release and it is not compatible with any previous versions.
To use this version you must start a new TRE deployment.
Changes
- Complete rewrite of code in Python using IAC and configuration management tools Pulumi and Ansible
What's Changed
- Release v4.0.1 candidate by @jemrobinson in #1324
- Proof-of-concept migration to Pulumi for deployment by @jemrobinson in #1316
- Release v4.0.2 candidate by @jemrobinson in #1353
- Release v4.0.3 candidate by @jemrobinson in #1365
- Add instructions for installing documentation build dependencies by @JimMadge in #1370
- Update docs with how to resize VMs by @edwardchalstrey1 in #1367
- Update Badges by @JimMadge in #1371
- Update Powershell module requirements by @craddm in #1368
- Allow -UseDeviceAuthentication switch in Deploy_SHM.ps1 by @craddm in #1378
- Prevent removal of backup data during dry run by @JimMadge in #1383
- Pulumi: Fix user list retrieval by @craddm in #1386
- Policy for software package requests by @jemrobinson in #1387
- Add firewall to Pulumi by @jemrobinson in #1375
- Add arrow CRAN package to Tier 3 allowlist by @craddm in #1391
- ⬆️ Update caching in allowlists workflow by @jemrobinson in #1395
- Update user management guide to explain adding users to security group and changing a phone number by @edwardchalstrey1 in #1389
- Add Python type-hinting throughout Pulumi codebase by @jemrobinson in #1390
- Add instructions for GPU VM resizing by @edwardchalstrey1 in #1399
- Simplify Pulumi secret handling by @jemrobinson in #1400
- Add separate docs section GPU VMs and specify NVIDIA required by @edwardchalstrey1 in #1406
- Add Linux update server proxy by @jemrobinson in #1404
- Remove reference to unused System Administrators Security Group by @edwardchalstrey1 in #1407
- Add automated updates to Pulumi by @jemrobinson in #1412
- Refactor SRD creation by @jemrobinson in #1416
- Add SHM bastion by @jemrobinson in #1417
- Fix allowlist generation by @jemrobinson in #1422
- Update SRD image by @jemrobinson in #1421
- Fix incorrect logic around automated PR creation by @jemrobinson in #1426
- Update PyPI and CRAN allow lists by @github-actions in #1425
- Add new servicebus endpoints for self-service password reset by @edwardchalstrey1 in #1423
- Update PyPI and CRAN allow lists by @github-actions in #1428
- Update PyPI and CRAN allow lists by @github-actions in #1429
- Remove egress steps not carried out by System Manager by @edwardchalstrey1 in #1434
- Update SRE user troubleshooting by @edwardchalstrey1 in #1435
- Update SRD package versions by @github-actions in #1433
- Update PyPI and CRAN allow lists by @github-actions in #1437
- Update SRD package versions by @github-actions in #1440
- Add RPostgreSQL to t3 extra cran allowlist by @edwardchalstrey1 in #1441
- Revert "Add RPostgreSQL to t3 extra cran allowlist" by @JimMadge in #1442
- Better package name matching for Nexus by @craddm in #1447
- Update PyPI and CRAN allow lists by @github-actions in #1454
- Update PyPI and CRAN allow lists by @github-actions in #1456
- Update SRD package versions by @github-actions in #1460
- Update VM resizing note to suggest stopping the VM before increasing the quota by @edwardchalstrey1 in #1408
- Add data preparation guidance (including data integrity) by @JimMadge in #1459
- Migrate docs to readthedocs.io by @JimMadge in #1453
- Create users with no password expiry on AD by @craddm in #1461
- Modify location of requirements.txt in Dockerfile by @craddm in #1464
- Merge documentation changes into release branch by @JimMadge in #1468
- cherrypick devcontainer fix to release branch by @JimMadge in #1469
- Update servicebus endpoints used for self-service password reset by @jemrobinson in #1466
- Correct path to Scriberia cartoon in README.md by @JimMadge in #1475
- Replace deprecated Set-AzDiagnosticSetting by @jemrobinson in #1470
- Update PyPI and CRAN allow lists by @github-actions in #1477
- Correct link on citation badge by @JimMadge in #1474
- Add CODEOWNERS for docs by @jemrobinson in #1478
- Update documentation dependencies by @JimMadge in #1476
- Enable pdf and html downloads on readthedocs by @JimMadge in #1462
- Update SRD package versions by @github-actions in #1482
- Updating SSL certificate doc + gitignore change + undo duplication of docs building by @edwardchalstrey1 in #1432
- Mount data and user directories in SRD by @jemrobinson in #1480
- Change servicebus firewall rule by @craddm in #1485
- Folder typo for SHM deployment by @edwardchalstrey1 in #1488
- Update SRD package versions by @github-actions in #1489
- Force az login before reading Pulumi encryption key by @jemrobinson in #1490
- Clarify PR template by @jemrobinson in #1491
- Offline linkcheck by @JimMadge in #1486
- Pulumi: Add Git and Markdown servers by @jemrobinson in #1492
- Fixing the build warnings for documentation by @craddm in #1483
- Add Nexus repositories by @jemrobinson in #1499
- Pin container images by @JimMadge in #1501
- Automate user synchronisation by @jemrobinson in #1500
- Switch CLI interface to Typer by @jemrobinson in #1502
- Refactor config files by @jemrobinson in #1510
- Add portal.azure.com to lychee ignore list by @JimMadge in #1520
- Bump certifi from 2023.5.7 to 2023.7.22 in /docs by @dependabot in https://git...
Release v5.0.0rc2
This release is not ready for production usage.
Known Issues
- ClamAV not configured
- Unstable container service IP addresses
- Lacking Nvidia utils
What's Changed
- Use pip-compile for package resolution by @jemrobinson in #1514
- Add pip-tools to NON_IMPORTABLE_PACKAGES by @edwardchalstrey1 in #1537
- Add May 2023 DSG to versioning by @jemrobinson in #1545
- Release v4.1.0 cloud init changes by @edwardchalstrey1 in #1548
- Update SRD package versions by @github-actions in #1578
- Update PyPI and CRAN allow lists by @github-actions in #1579
- Fix deployment issues with MSSQL and PyPi mirrors by @craddm in #1582
- Update PyPI and CRAN allow lists by @github-actions in #1588
- Update SRD package versions by @github-actions in #1587
- Updates for Release v4.1.0 by @craddm in #1590
- Release v4.1.0 by @craddm in #1586
- Remove CoCalc by @craddm in #1554
- Merge 'latest' into 'develop' by @craddm in #1593
- Add script to automate account deletion by @edwardchalstrey1 in #1508
- Add @craddm to CODEOWNERS by @jemrobinson in #1594
- Update PyPI and CRAN allow lists by @github-actions in #1595
- Remove pulumi testing files from develop branch by @craddm in #1597
- Update PyPI and CRAN allow lists by @github-actions in #1601
- Update SRD package versions by @github-actions in #1616
- Update SRD package versions by @github-actions in #1622
- Bump urllib3 from 2.0.2 to 2.0.6 in /docs by @dependabot in #1625
- Improve Pulumi error messages by @craddm in #1624
- Update PyPI and CRAN allow lists by @github-actions in #1627
- Update PyPI and CRAN allow lists by @github-actions in #1631
- Update SRD package versions by @github-actions in #1630
- Improve Python documentation by @jemrobinson in #1635
- Use Pulumi random provider by @jemrobinson in #1629
- Pulumi: Fix selectors not updating by @JimMadge in #1621
- Bump urllib3 from 2.0.6 to 2.0.7 in /docs by @dependabot in #1647
- Remove hyphens from SHM and SRE names by @craddm in #1650
- Update PyPI and CRAN allow lists by @github-actions in #1646
- Update SRD package versions by @github-actions in #1652
- Pulumi: Improve login flow by @JimMadge in #1617
- Update PyPI and CRAN allow lists by @github-actions in #1654
- Add all contributors table and instructions for how to update by @edwardchalstrey1 in #1649
- Update PyPI and CRAN allow lists by @github-actions in #1656
- Update PyPI and CRAN allow lists by @github-actions in #1668
- Update SRD package versions by @github-actions in #1669
- Update devcontainer configuration by @craddm in #1662
- Update outdated parameters that cause breaking change warnings by @craddm in #1663
- Change default lun from lun1 to lun0 by @craddm in #1667
- Add context command by @JimMadge in #1655
- Pulumi: Update dependencies, enable pinning by @JimMadge in #1660
- Remove unneeded opening bracket in SRE network configuration script by @craddm in #1670
- Update PyPI and CRAN allow lists by @github-actions in #1671
- Use memory for the /tmp directory by @craddm in #1672
- Factor out storage creation from SHM scripts by @craddm in #1673
- Add missing import for logging module by @JimMadge in #1681
- Update PyPI and CRAN allow lists by @github-actions in #1682
- Update help text for Powershell command shmId and sreId arguments by @craddm in #1683
- Update contributors by @JimMadge in #1684
- Document removal of persistent SRE storage accounts by @craddm in #1685
- docs: update @helendduncan as a contributor by @JimMadge in #1686
- Update PyPI and CRAN allow lists by @github-actions in #1688
- Update SRD package versions by @github-actions in #1692
- Update PyPI and CRAN allow lists by @github-actions in #1693
- Update PyPI and CRAN allow lists by @github-actions in #1694
- Update DBeaver drivers using Github workflow by @craddm in #1696
- Update SRD package versions by @github-actions in #1698
- Bump jinja2 from 3.1.2 to 3.1.3 in /docs by @dependabot in #1700
- Update SRD package versions by @github-actions in #1701
- Update PyPI and CRAN allow lists by @github-actions in #1702
- Update PyPI and CRAN allow lists by @github-actions in #1703
- Handle no selected context by @JimMadge in #1691
- Add basic config commands by @JimMadge in #1674
- Fixing DBeaver driver issues on T2+ SREs by @craddm in #1704
- Use Pydantic for validation and serialisation by @JimMadge in #1661
- Improve handling of spaces in file paths by @craddm in #1705
- Update PyPI and CRAN allow lists by @github-actions in #1706
- Create pulumi container by @jemrobinson in #1711
- Fix private link scope by @jemrobinson in #1713
- Improve handling of SRE names by @JimMadge in #1699
- Apply changes from updated black version by @jemrobinson in #1718
- Bump black version by @JimMadge in #1719
- Fix some issues with context handling at deployment time by @jemrobinson in #1716
- Update SRD package versions by @github-actions in #1723
- Correct file path for clamonacc service by @craddm in #1725
- Add additional multiple data provider guidance to docs by @craddm in #1707
- Update SRD package versions by @github-actions in #1727
- Fix Pos...
Release 4.2.2 (2024-07-15)
⚠️ Update Requires Manual Intervention ⚠️
If you are using a 4.2.x SHM and want to upgrade to 4.2.2, please follow the steps below:
For the SHM:
- Add a docker section to your SHM config with a username and personal access token (following the SHM deployment instructions)
- Re-run Setup_SHM_Networking.ps1 -shmId {shm} from deployment/safe_haven_management/setup
For any SRE that you deployed using an earlier 4.2.x version:
- Delete the GUACAMOLE-SRE-{sreId} VM and associated resources from the RG_SHM_{shmId}_SRE_{sreId}_REMOTE_DESKTOP resource group
- Re-run the deployment script Deploy_SRE.ps1 -shmId {shm} -sreId {sre} -VmSizes {as before} from deployment/secure_research_environment/setup
Known issues
- As for 4.2.0, 4.2.1
Bug Fixes
- Workaround for an issue where Let's Encrypt refused to provide certificates for uppercase FQDNs #1938
- Fix for change in Azure supported public IP address SKU for VPNs, which prevented deployment of the virtual network gateway for accessing domain controllers #1947
- Require supply of Docker Hub credentials to work round change in Docker download rate limits #1994
- Update approved IP address list for Ubuntu apt repositories
- Update to backup policy rules for Blob storage #1988
Full Changelog: v4.2.1...v4.2.2
Release v4.2.1 (2024-05-31)
⚠️ Update Requires Manual Intervention ⚠️
If you are using a 4.2.0 SHM and want to upgrade to 4.2.1, please follow the steps below:
- Delete the GUACAMOLE-SRE-{sreId} VM and associated resources from the RG_SHM_{shmId}_SRE_{sreId}_REMOTE_DESKTOP resource group
- Re-run the deployment script Deploy_SRE.ps1 -shmId {shm} -sreId {sre} -VmSizes {as before} from deployment/secure_research_environment/setup
Known issues
- As for 4.2.0
Bug Fixes
- Update Guacamole to 1.5.5 to avoid this known bug
Full Changelog: v4.2.0...v4.2.1
Release 4.2.0 (2024-03-28)
⚠️ Update Requires Manual Intervention ⚠️
If you are using a 4.1.0 SHM and want to upgrade to 4.2.0, please follow the steps below:
- Run Setup_SHM_Firewall.ps1 -shmId {shmid}
- Run Setup_SHM_Networking.ps1 -shmId {shmid}
- Delete LINUX-UPDATES-SHM-{shmid} VM and associated resources from the RG_SHM_{shmid}_MONITORING resource group
- Delete RG_SHM_{shmid}_PACKAGE_REPOSITORIES resource group and all resources
- Run Setup_SHM_Update_Servers.ps1 -shmId {shmid} (Note that this needs to happen before any further resources are deployed, since any further Linux resources will need access to the Linux update proxy).
- Run Setup_SHM_Package_Repositories -shmId {shmid}
- Run Setup_SHM_Monitoring.ps1 -shmId {shmid}
Known issues
- Jupyter notebook launched from GUI menu could not launch Python kernel, so it has been removed from the menu 0657647
New Features
- Remove Microsoft Remote Desktop support: #1535
- Remove CoCalc: #1554
- Install dev dependencies in container: #1747
- Add script to renew NFS share Stored Access Policies: #1739
- Add script to automate account deletion: #1508
- Factored out storage creation from SHM scripts #1673
- SRD image updated, with latest Python versions available f3e890a
Bug Fixes
- Update DBeaver drivers using Github workflow: #1696
- Fixing DBeaver driver issues on T2+ SREs: #1704
- Improve handling of spaces in file paths: #1705
- Correct file path for Clam OnAccess scanning service: #1725
- Fix PostgreSQL permissions and data schema, and relevant docs: #1708
- Update outdated parameters that cause breaking change warnings: #1663
- Change default lun from lun1 to lun0: #1667
- Increase apt proxy server disk to 64 Gb: #1726
- Remove omsagent from VM build image: #1732
- Remove hyphens from SHM and SRE names in #1650
- Update devcontainer configuration in #1662
- Use memory for the /tmp directory in #1672
- Remove unneeded opening bracket in SRE network configuration script #1670
- Add missing import for logging module #1681
- Fix cloud-init log parser using old name for event 58a85bc
- Detect and remove omsagent installed on SRD image before generalization e168b05
Security Fixes
- Update software on Guacamole and Nginx to latest versions: #1741
- Update Nexus proxy server for T2/T3 package access: in #1744
- Update CodiMD server version: #1743
- Improve hardcoded domains and IP addresses: #1745
- Prevent Nginx version information from appearing in http headers
Documentation updates
- Add guidance on resizing NFS shares: #1749
- Update documents to reflect change to Microsoft Entra ID: #1665
- Update deprecation warning for MS RDS: #1542
- Add explanation of how to change allowed inbound IP addresses: #1484
- Add all contributors table and instructions for how to update: #1649
- Update contributors: #1684
- Document removal of persistent SRE storage accounts: #1685
- docs: update contributors: #1686
- Add additional multiple data provider guidance to docs: #1707
- Add links to guides for terminal, Xfce, and Guacamole: #1737
- Update help text for Powershell command shmId and sreId arguments #1683
Full Changelog: v4.1.0...v4.2.0
Release v5.0.0-rc.1 (2023-09-27)
First version of migration to Python using Pulumi. Penetration tested in September 2023.
Known Issues
This release is not ready for production usage.
Release 4.1.0 (2023-09-06)
⚠️ Update Requires Manual Intervention ⚠️
If you are using a 4.X.Y SHM and want to upgrade to 4.1.0, please follow the steps below:
- Run ./deployment/safe_haven_management/setup/Setup_SHM_Networking.ps1 -shmId <your SHM ID>
- Restart the virtual machine at RG_SHM_<SHM name>_MONITORING/LINUX-UPDATES-SHM-<SHM name> in the Azure portal
Known Issues
Only phone call authentication works for MS RDS. This provides no on-screen MFA Prompt.
New Features
- Allow device authentication in SHM deployment #1378
- Add arrow CRAN package to Tier 3 core list #1391
- Update Python in SRD images #1421
Bug Fixes
- Update Powershell module requirements: #1368
- Update supported Powershell version to 7.3.6
- Prevent removal of backup data during dry run: #1383
- Better package name matching for Nexus: #1447
- Update SRD image: #1421
- Add new servicebus endpoints for self-service password reset: #1423 and #1466
- Modify location of requirements.txt in Dockerfile: #1469
- Fixes of the SRD build related to python packages: #1514 and #1537
- Fix allowlist generation: #1422
- Update badges: #1371
- Update caching in allowlists workflow: #1395
- Fix incorrect logic around automated PR creation: #1426
- Update Ubuntu apt server addresses #1548
- Add docker.io to allowed-FQDNs #1548
- Change cloud-init files to automatically select appropriate disk partition #1548
- Fix MS-SQL database deployment #1580
- Fix PyPi Tier 3 mirror failures #1581
Security Fixes
- Fix non-allowed CRAN packages beginning with allowed name being installable: #1447
- Update to firewall rules: #1519
Documentation Updates
- Add instructions for installing documentation build dependencies: #1370
- Add instructions to resize VMs: #1367
- Update user management guide to explain adding users to security group and changing a phone number: #1389
- Add instructions for GPU VM resizing: #1399
- Add note on NVIDIA GPU support: #1406
- Remove reference to unused System Administrators Security Group: #1407
- Remove egress steps not carried out by System Manager: #1434
- Update SRE user troubleshooting: #1435
- Move from GitHub pages to ReadTheDocs #1468
- Add Policy for software package requests: #1387
- Add deprecation warning for MSRDS #1542
- Add warning that MSRDS does not work with the Microsoft Authentication app. #1589
- Add step for adding SSL certificate in step-by-step instructions for Guacamole #1590
Full Changelog: v4.0.3...release-v4.1.0