Univention Bugzilla – Bug 46120
Check UCR templates files for Debian-Stretch&Buster updates
Last modified: 2024-03-10 23:37:32 CET
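# Working notes: map every UCR-templated conffile to the Debian package that
# ships the original file, install those packages, and collect the file list
# for comparison.
# NOTE(review): the relative glob below presumably expects the UCS source tree
# root as the working directory - confirm before running.
# NOTE(review): the two `apt install -y` steps install every listed package
# without prompting. Legacy network services such as rsh-server stay in
# ./debian-owners after the filter below, so use a disposable, isolated test
# system.

# Get list of all UCS conffiles (for non-UCS packages):
sed -ne 's/^Multifile: \|^File: //p' */*/debian/*.univention-config-registry |
  grep -vF univention |
  sort -u > ./ucs-conffiles

# Find corresponding Debian package:
apt-file -F -f search ./ucs-conffiles |
  sort -k2 > ./debian-owners

# Select the right Debian package if multiple packages provide the same file.
# This prints the duplicates for manual review; the result recorded was:
uniq -f1 -D ./debian-owners
# nscd: /etc/nscd.conf
# unscd: /etc/nscd.conf
# ftpd: /etc/pam.d/ftp
# ftpd-ssl: /etc/pam.d/ftp
# inetutils-ftpd: /etc/pam.d/ftp
# courier-imap: /etc/pam.d/imap
# cyrus-imapd: /etc/pam.d/imap
# rsh-redone-server: /etc/pam.d/rlogin
# rsh-server: /etc/pam.d/rlogin
# rsh-redone-server: /etc/pam.d/rsh
# rsh-server: /etc/pam.d/rsh
# sudo: /etc/pam.d/sudo
# sudo-ldap: /etc/pam.d/sudo

# Drop the alternatives that were not chosen (and debian-edu-config):
sed -i -re '/^(unscd|courier-imap|rsh-redone-server|sudo-ldap|.*ftpd.*|debian-edu-config):/d' ./debian-owners

# Get only the package names:
cut -d: -f1 ./debian-owners | sort -u > ./debian-pkgs

# Install all of them. -r keeps xargs from running a bare `apt install -y`
# when the list is empty:
xargs -r -a ./debian-pkgs apt install -y

# Select list of UCS packages:
apt-file --substring-match -f search ./ucs-conffiles |
  cut -d: -f1 |
  grep univention |
  sort -u > ./ucs-pkgs

# These are broken and/or cannot be installed in parallel:
sed -i -re '/univention-postgresql-|univention-ldap-acl-slave|univention-samba4wins|univention-bacula|univention-mail-cyrus|univention-celery|univention-directory-listener-async|univention-docker-container-mode|univention-samba$|univention-demo-configuration/d' ./ucs-pkgs

# Now install the UCS packages (same -r guard as above):
xargs -r -a ./ucs-pkgs apt install -y

# Now get list of files:
cut -d' ' -f2 ./debian-owners | sort -u > ./conf-files

# ... (the original note elides the remaining steps here)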
Unused: base/univention-base-files/conffiles/etc/univention/templates/files/boot/boot.msg Broken @UCRWARNING@: management/univention-ldap/conffiles/var/lib/univention-ldap/ldap/DB_CONFIG Fixed: desktop/univention-mozilla-firefo (Also Bug #45863) mail/univention-spamassassin Externalized: desktop/univention-kde (Bug #46253) Removed: univention-pam/pam.d/ftp (also see Bug #38753)
See <https://git.knut.univention.de/univention/ucs/tree/phahn/4.3-0+46120ucr-templates> $ git diff --stat=$COLUMNS '@{u}..' | cat base/univention-base-files/conffiles/boot/boot.msg | 6 - base/univention-base-files/conffiles/etc/bash.bashrc | 4 +- base/univention-base-files/conffiles/etc/default/ntpdate | 19 -- base/univention-base-files/conffiles/etc/default/ssh | 13 - base/univention-base-files/conffiles/etc/init.d/networking | 32 ++- base/univention-base-files/conffiles/etc/init.d/nscd | 15 +- base/univention-base-files/conffiles/etc/init.d/rpcbind | 19 +- base/univention-base-files/conffiles/etc/issue | 54 ++--- base/univention-base-files/conffiles/etc/issue.net | 31 +-- base/univention-base-files/conffiles/etc/kernel-img.conf | 18 -- base/univention-base-files/conffiles/etc/logrotate.conf | 1 + base/univention-base-files/conffiles/etc/logrotate.d/rsyslog | 3 - base/univention-base-files/conffiles/etc/ntp.conf | 80 ++++-- base/univention-base-files/conffiles/etc/python2.6/sitecustomize.py.d/00header.py | 2 - base/univention-base-files/conffiles/etc/python2.6/sitecustomize.py.d/10apport.py | 7 - base/univention-base-files/conffiles/etc/python2.6/sitecustomize.py.d/20utf8.py | 4 - base/univention-base-files/conffiles/etc/rsyslog.conf | 47 +--- base/univention-base-files/conffiles/etc/ssh/ssh_config | 16 +- base/univention-base-files/conffiles/etc/systemd/journald.conf | 12 +- base/univention-base-files/debian/changelog | 8 +- base/univention-base-files/debian/ucslint.overrides | 3 - base/univention-base-files/debian/univention-base-files.maintscript | 16 +- base/univention-base-files/debian/univention-base-files.postinst | 17 -- base/univention-base-files/debian/univention-base-files.postrm | 1 - base/univention-base-files/debian/univention-base-files.preinst | 9 - base/univention-base-files/debian/univention-base-files.univention-config-registry | 30 --- base/univention-base-files/debian/univention-base-files.univention-config-registry-variables | 18 -- 
base/univention-bootsplash/conffiles/etc/plymouth/plymouthd.conf | 2 + base/univention-bootsplash/debian/changelog | 6 + base/univention-heimdal/conffiles/etc/init.d/heimdal-kdc | 140 ----------- base/univention-heimdal/debian/changelog | 6 + base/univention-heimdal/debian/ucslint.overrides | 2 - base/univention-heimdal/debian/univention-heimdal-kdc.maintscript | 1 + base/univention-heimdal/debian/univention-heimdal-kdc.univention-config-registry | 3 - base/univention-initrd/conffiles/etc/initramfs-tools/initramfs.conf | 29 +-- base/univention-initrd/conffiles/usr/share/initramfs-tools/init | 331 ------------------------- base/univention-initrd/debian/changelog | 7 + base/univention-initrd/debian/control | 2 - base/univention-initrd/debian/dirs | 2 - base/univention-initrd/debian/rules | 1 - base/univention-initrd/debian/ucslint.overrides | 2 - base/univention-initrd/debian/univention-initrd.maintscript | 1 + base/univention-initrd/debian/univention-initrd.ucslint | 1 - base/univention-initrd/debian/univention-initrd.univention-config-registry | 3 - base/univention-network-manager/conffiles/etc/dhcp/dhclient.conf | 28 +-- base/univention-network-manager/debian/changelog | 6 + base/univention-pam/conffiles/etc/nscd.conf | 59 +++-- base/univention-pam/conffiles/etc/pam.d/chfn | 13 +- base/univention-pam/conffiles/etc/pam.d/chsh | 17 +- base/univention-pam/conffiles/etc/pam.d/cron | 19 +- base/univention-pam/conffiles/etc/pam.d/ftp | 23 -- base/univention-pam/conffiles/etc/pam.d/login | 113 ++++++++- base/univention-pam/conffiles/etc/pam.d/other | 13 +- base/univention-pam/conffiles/etc/pam.d/passwd | 7 +- base/univention-pam/conffiles/etc/pam.d/ppp | 1 - base/univention-pam/conffiles/etc/pam.d/rlogin | 6 +- base/univention-pam/conffiles/etc/pam.d/rsh | 13 +- base/univention-pam/conffiles/etc/pam.d/sshd | 50 +++- base/univention-pam/conffiles/etc/pam.d/su | 57 ++++- base/univention-pam/conffiles/etc/pam.d/sudo | 4 +- 
base/univention-pam/conffiles/etc/security/access-ftp.conf | 19 -- base/univention-pam/conffiles/etc/security/limits.conf | 96 +++++--- base/univention-pam/conffiles/etc/security/pam_env.conf | 19 +- base/univention-pam/debian/changelog | 6 + base/univention-pam/debian/univention-pam.maintscript | 2 + base/univention-pam/debian/univention-pam.univention-config-registry | 13 - base/univention-pam/debian/univention-pam.univention-config-registry-variables | 4 +- base/univention-quota/conffiles/etc/init.d/quotarpc | 81 ------- base/univention-quota/debian/changelog | 6 + base/univention-quota/debian/dirs | 2 - base/univention-quota/debian/univention-quota.install | 1 - base/univention-quota/debian/univention-quota.maintscript | 1 + base/univention-quota/debian/univention-quota.univention-config-registry | 3 - base/univention-updater/conffiles/etc/apt/mirror.list | 22 +- base/univention-updater/debian/changelog | 6 + container/univention-docker/conffiles/etc/default/docker | 26 +- container/univention-docker/debian/changelog | 6 + desktop/univention-x-core/conffiles/etc/securetty | 35 --- desktop/univention-x-core/debian/changelog | 6 + desktop/univention-x-core/debian/univention-x-core.maintscript | 1 + desktop/univention-x-core/debian/univention-x-core.univention-config-registry | 3 - mail/univention-antivir-mail/conffiles/etc/amavis/conf.d/15-content_filter_mode | 10 +- mail/univention-antivir-mail/debian/changelog | 6 + mail/univention-fetchmail/conffiles/etc/default/fetchmail | 7 - mail/univention-fetchmail/debian/changelog | 6 + mail/univention-fetchmail/debian/univention-fetchmail-schema.dirs | 2 - mail/univention-fetchmail/debian/univention-fetchmail.dirs | 3 - mail/univention-fetchmail/debian/univention-fetchmail.maintscript | 1 + mail/univention-fetchmail/debian/univention-fetchmail.postinst | 18 -- mail/univention-fetchmail/debian/univention-fetchmail.univention-config-registry | 2 - mail/univention-mail-dovecot/conffiles/etc/init.d/dovecot | 222 
----------------- mail/univention-mail-dovecot/conffiles/etc/pam.d/dovecot | 9 +- mail/univention-mail-dovecot/conffiles/etc/{default/dovecot => systemd/system/dovecot.service.d/ucr.conf} | 9 +- mail/univention-mail-dovecot/debian/changelog | 6 + mail/univention-mail-dovecot/debian/univention-mail-dovecot.dirs | 1 - mail/univention-mail-dovecot/debian/univention-mail-dovecot.maintscript | 2 + mail/univention-mail-dovecot/debian/univention-mail-dovecot.univention-config-registry | 6 +- mail/univention-mail-postfix/conffiles/etc/init.d/postfix | 147 ------------ mail/univention-mail-postfix/conffiles/etc/pam.d/smtp | 22 +- mail/univention-mail-postfix/debian/changelog | 6 + mail/univention-mail-postfix/debian/univention-mail-postfix.maintscript | 1 + mail/univention-mail-postfix/debian/univention-mail-postfix.univention-config-registry | 4 - mail/univention-postgrey/conffiles/etc/init.d/postgrey | 184 -------------- mail/univention-postgrey/debian/changelog | 6 + mail/univention-postgrey/debian/univention-postgrey.dirs | 2 - mail/univention-postgrey/debian/univention-postgrey.maintscript | 1 + mail/univention-postgrey/debian/univention-postgrey.univention-config-registry | 3 - mail/univention-spamassassin/conffiles/etc/default/spamassassin | 7 +- mail/univention-spamassassin/debian/changelog | 6 + management/univention-ldap/conffiles/etc/init.d/slapd | 399 ++++++++++++++++++------------ management/univention-ldap/conffiles/etc/ldap/ldap.conf | 11 +- management/univention-ldap/conffiles/var/lib/univention-ldap/ldap/DB_CONFIG | 11 +- management/univention-ldap/debian/changelog | 7 +- nagios/univention-nagios/conffiles/etc/init.d/nagios | 32 +-- nagios/univention-nagios/conffiles/etc/init.d/nagios-nrpe-server | 91 ------- nagios/univention-nagios/conffiles/etc/nagios/cgi.cfg | 65 +++-- nagios/univention-nagios/conffiles/etc/nagios/nagios.cfg | 197 +++++++-------- nagios/univention-nagios/conffiles/etc/nagios/nrpe.cfg | 58 ++--- nagios/univention-nagios/debian/changelog 
| 6 + nagios/univention-nagios/debian/ucslint.overrides | 1 - nagios/univention-nagios/debian/univention-nagios-client.maintscript | 1 + nagios/univention-nagios/debian/univention-nagios-client.univention-config-registry | 3 - saml/univention-saml/conffiles/etc/default/stunnel4 | 8 + saml/univention-saml/conffiles/etc/simplesamlphp/config.php | 1548 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++----------------------------------------------------- saml/univention-saml/conffiles/etc/simplesamlphp/metadata/00_saml20-idp-hosted.php | 5 - saml/univention-saml/debian/changelog | 6 + services/univention-apache/conffiles/etc/apache2/conf-available/ucs.conf | 3 +- services/univention-apache/conffiles/etc/apache2/mods-available/proxy.conf | 41 ++-- services/univention-apache/conffiles/etc/apache2/mods-available/ssl.conf | 27 +-- services/univention-apache/conffiles/etc/apache2/ports.conf | 4 + services/univention-apache/conffiles/etc/apache2/sites-available/ssl.d/00start | 14 +- services/univention-apache/conffiles/etc/apache2/sites-available/ssl.d/99end | 2 + services/univention-apache/conffiles/etc/apache2/ucs-sites.conf.d/ucs-sites.conf | 2 +- services/univention-apache/debian/changelog | 6 + services/univention-bind/conffiles/etc/init.d/bind9 | 316 +++++++++++++----------- services/univention-bind/conffiles/etc/network/if-down.d/bind9 | 9 +- services/univention-bind/conffiles/etc/network/if-up.d/bind9 | 10 +- services/univention-bind/debian/changelog | 6 + services/univention-dansguardian/conffiles/etc/dansguardian/dansguardian.conf | 63 +++-- services/univention-dansguardian/conffiles/etc/dansguardian/dansguardianf1.conf | 28 +-- services/univention-dansguardian/conffiles/etc/dansguardian/lists/authplugins/ipgroups | 6 +- services/univention-dansguardian/conffiles/etc/dansguardian/lists/bannedextensionlist | 140 +++++++++-- services/univention-dansguardian/conffiles/etc/dansguardian/lists/bannediplist | 32 ++- 
services/univention-dansguardian/conffiles/etc/dansguardian/lists/bannedmimetypelist | 14 +- services/univention-dansguardian/conffiles/etc/dansguardian/lists/bannedphraselist | 24 +- services/univention-dansguardian/conffiles/etc/dansguardian/lists/bannedregexpheaderlist | 10 - services/univention-dansguardian/conffiles/etc/dansguardian/lists/bannedregexpurllist | 121 ++++++++-- services/univention-dansguardian/conffiles/etc/dansguardian/lists/bannedsitelist | 85 ++++++- services/univention-dansguardian/conffiles/etc/dansguardian/lists/bannedurllist | 39 ++- services/univention-dansguardian/conffiles/etc/dansguardian/lists/contentregexplist | 14 -- services/univention-dansguardian/conffiles/etc/dansguardian/lists/contentscanners/exceptionvirusextensionlist | 39 ++- services/univention-dansguardian/conffiles/etc/dansguardian/lists/contentscanners/exceptionvirusmimetypelist | 34 ++- services/univention-dansguardian/conffiles/etc/dansguardian/lists/contentscanners/exceptionvirussitelist | 9 +- services/univention-dansguardian/conffiles/etc/dansguardian/lists/contentscanners/exceptionvirusurllist | 11 +- services/univention-dansguardian/conffiles/etc/dansguardian/lists/exceptionextensionlist | 15 +- services/univention-dansguardian/conffiles/etc/dansguardian/lists/exceptionfilesitelist | 32 --- services/univention-dansguardian/conffiles/etc/dansguardian/lists/exceptionfileurllist | 28 --- services/univention-dansguardian/conffiles/etc/dansguardian/lists/exceptioniplist | 47 ++-- services/univention-dansguardian/conffiles/etc/dansguardian/lists/exceptionmimetypelist | 13 +- services/univention-dansguardian/conffiles/etc/dansguardian/lists/exceptionphraselist | 4 +- services/univention-dansguardian/conffiles/etc/dansguardian/lists/exceptionregexpurllist | 13 +- services/univention-dansguardian/conffiles/etc/dansguardian/lists/exceptionsitelist | 41 +++- services/univention-dansguardian/conffiles/etc/dansguardian/lists/exceptionurllist | 8 +- 
services/univention-dansguardian/conffiles/etc/dansguardian/lists/filtergroupslist | 20 +- services/univention-dansguardian/conffiles/etc/dansguardian/lists/greysitelist | 32 --- services/univention-dansguardian/conffiles/etc/dansguardian/lists/greyurllist | 29 --- services/univention-dansguardian/conffiles/etc/dansguardian/lists/headerregexplist | 13 - services/univention-dansguardian/conffiles/etc/dansguardian/lists/logregexpurllist | 14 -- services/univention-dansguardian/conffiles/etc/dansguardian/lists/logsitelist | 14 -- services/univention-dansguardian/conffiles/etc/dansguardian/lists/logurllist | 14 -- services/univention-dansguardian/conffiles/etc/dansguardian/lists/urlregexplist | 57 ----- services/univention-dansguardian/conffiles/etc/dansguardian/lists/weightedphraselist | 142 ++++++----- services/univention-dansguardian/debian/changelog | 15 ++ services/univention-dansguardian/debian/univention-dansguardian.maintscript | 11 + services/univention-dansguardian/debian/univention-dansguardian.univention-config-registry | 33 --- services/univention-dansguardian/debian/univention-dansguardian.univention-config-registry-variables | 2 +- services/univention-dhcp/conffiles/etc/dhcp/dhcpd.conf | 64 ++--- services/univention-dhcp/conffiles/etc/init.d/isc-dhcp-server | 2 +- services/univention-dhcp/debian/changelog | 6 + services/univention-nfs/conffiles/etc/default/nfs-common | 23 +- services/univention-nfs/conffiles/etc/default/quota | 7 +- services/univention-nfs/debian/changelog | 6 + services/univention-printserver/conffiles/etc/cups/cups-files.conf | 26 +- services/univention-printserver/conffiles/etc/cups/cups-pdf.conf | 57 ++--- services/univention-printserver/conffiles/etc/pam.d/cups | 5 - services/univention-printserver/debian/changelog | 6 + services/univention-printserver/debian/univention-printserver-pdf.dirs | 2 - services/univention-printserver/debian/univention-printserver.dirs | 6 - 
services/univention-printserver/debian/univention-printserver.maintscript | 1 + services/univention-printserver/debian/univention-printserver.univention-config-registry | 3 - services/univention-samba/conffiles/etc/logrotate.d/samba | 56 ++++- services/univention-samba/conffiles/etc/logrotate.d/univention-samba | 20 +- services/univention-samba/conffiles/etc/logrotate.d/winbind | 33 ++- services/univention-samba/conffiles/etc/pam.d/samba | 7 - services/univention-samba/debian/changelog | 7 + services/univention-samba/debian/univention-samba.maintscript | 1 + services/univention-samba/debian/univention-samba.univention-config-registry | 3 - services/univention-samba4/conffiles/etc/logrotate.d/samba | 66 ++++- services/univention-samba4/conffiles/etc/logrotate.d/winbind | 32 ++- services/univention-samba4/conffiles/etc/pam.d/samba | 4 +- services/univention-samba4/debian/changelog | 6 + services/univention-sasl/conffiles/etc/default/saslauthd | 15 +- services/univention-sasl/debian/changelog | 6 + services/univention-sasl/debian/univention-sasl.dirs | 1 - services/univention-snmp/conffiles/etc/snmp/snmp.conf.d/00-snmp.conf | 16 +- services/univention-snmp/debian/changelog | 6 + services/univention-snmp/debian/dirs | 1 - services/univention-snmpd/conffiles/etc/default/snmpd | 24 -- services/univention-snmpd/conffiles/etc/snmp/snmpd.conf.d/00-snmpd.conf | 4 +- services/univention-snmpd/debian/changelog | 6 + services/univention-snmpd/debian/dirs | 1 - services/univention-snmpd/debian/univention-snmpd.maintscript | 1 + services/univention-snmpd/debian/univention-snmpd.univention-config-registry | 5 - services/univention-snmpd/debian/univention-snmpd.univention-config-registry-variables | 8 +- virtualization/univention-virtual-machine-manager-node/conffiles/etc/default/libvirt-guests | 46 ++-- virtualization/univention-virtual-machine-manager-node/conffiles/etc/libvirt/libvirtd.conf | 3 +- 
virtualization/univention-virtual-machine-manager-node/conffiles/etc/libvirt/qemu.conf | 550 ++++++++++++++++++++++++++++++++++-------- virtualization/univention-virtual-machine-manager-node/debian/changelog | 6 + 218 files changed, 3815 insertions(+), 3998 deletions(-
Summary:
* rsyslog differs significantly
* NFSd is started by systemd and ignores all previous files
* Apache protocol -SSLv2?
* SimpleSamlPhp config.php is massively extended
* qemu.conf is massively extended
* Dovecot ulimit does not work, as it is started by systemd
* PAM misses pam_limits and uses wrong common-session[-noninteractive]
The commits mix actual changes and code cleanup, which makes it significantly harder for QA to recognize actual changes. According to the Q4 2016 state of the Code Cleanup Discussion document, the cleanup commits should be separated from commits making actual changes.
Bug #51505 logrotate [feature/ucs5] 2bae7a2df2 Bug #51505,Bug #32509 base: Update UCR template [WIP] .../conffiles/etc/bash.bashrc | 9 +- .../conffiles/etc/default/ssh | 6 - .../conffiles/etc/init.d/networking | 45 ++++--- .../conffiles/etc/init.d/nscd | 143 --------------------- .../conffiles/etc/init.d/rdate | 53 -------- .../conffiles/etc/init.d/rpcbind | 109 ---------------- base/univention-base-files/conffiles/etc/inputrc | 4 +- base/univention-base-files/conffiles/etc/issue | 27 ++-- base/univention-base-files/conffiles/etc/issue.net | 22 ++-- .../conffiles/etc/logrotate.conf | 5 + ... 26 files changed, 144 insertions(+), 436 deletions(-) Package: univention-base-files Version: 9.0.0-6A~5.0.0.202006171058 Bug #32509 grub [feature/ucs5] c9d18dc8a8 Bug #51419 grub: Update UCR template base/univention-grub/conffiles/etc/default/grub | 1 - base/univention-grub/debian/changelog | 6 ++++++ .../debian/univention-grub.univention-config-registry | 1 - Package: univention-grub Version: 13.0.0-2A~5.0.0.202006171111 Bug #45325 initramfs-tools [feature/ucs5] 8e26f5ecd5 Bug #32509 initrd: Update UCR template .../conffiles/etc/initramfs-tools/initramfs.conf | 39 +-- .../conffiles/usr/share/initramfs-tools/init | 331 --------------------- base/univention-initrd/debian/changelog | 6 + base/univention-initrd/debian/control | 4 +- base/univention-initrd/debian/ucslint.overrides | 2 - .../debian/univention-initrd.dirs | 1 - .../debian/univention-initrd.maintscript | 1 + .../debian/univention-initrd.postinst | 38 --- .../debian/univention-initrd.ucslint | 1 - .../univention-initrd.univention-config-registry | 3 - Package: univention-initrd Version: 12.0.0-2A~5.0.0.202006171109
Another Debian release where we did NOT update our UCR templates. As mentioned in comment 5 I had to touch - logrotate - initramfs-tools - grub as without those being updated UCS would not even boot anymore. None of those changes use this Bug #46120 for the ChangeLog entry. The large rest is still pending ...
The upstream changes for postgresql are:
diff --git management/univention-appcenter/conffiles/etc/postgresql/15/main/pg_hba.conf.d/10-appcenter management/univention-appcenter/conffiles/etc/postgresql/15/main/pg_hba.conf.d/10-appcenter
index 7d36cd1142c..a713823852f 100644
--- management/univention-appcenter/conffiles/etc/postgresql/15/main/pg_hba.conf.d/10-appcenter
+++ management/univention-appcenter/conffiles/etc/postgresql/15/main/pg_hba.conf.d/10-appcenter
@@ -1,6 +1,6 @@
@!@
bip = configRegistry.get('docker/daemon/default/opts/bip', '172.17.42.1/16')
-print('host all all %s md5' % bip)
+print('host all all %s scram-sha-256' % bip)
cip = configRegistry.get('appcenter/docker/compose/network', '172.16.1.1/16')
-print('host all all %s md5' % cip)
+print('host all all %s scram-sha-256' % cip)
@!@
diff --git services/univention-postgresql/conffiles/etc/postgresql/15/main/pg_hba.conf.d/99-pg_hba.conf services/univention-postgresql/conffiles/etc/postgresql/15/main/pg_hba.conf.d/99-pg_hba.conf
index daf3df93584..fbf1789d84c 100644
--- services/univention-postgresql/conffiles/etc/postgresql/15/main/pg_hba.conf.d/99-pg_hba.conf
+++ services/univention-postgresql/conffiles/etc/postgresql/15/main/pg_hba.conf.d/99-pg_hba.conf
@@ -2,14 +2,14 @@
# "local" is for Unix domain socket connections only
local all all peer
# IPv4 local connections:
-host all all 127.0.0.1/32 md5
+host all all 127.0.0.1/32 scram-sha-256
# IPv6 local connections:
-host all all ::1/128 md5
+host all all ::1/128 scram-sha-256
# Allow replication connections from localhost, by a user with the
# replication privilege.
#local replication all peer
-#host replication all 127.0.0.1/32 md5
-#host replication all ::1/128 md5
+#host replication all 127.0.0.1/32 scram-sha-256
+#host replication all ::1/128 scram-sha-256
# Start of additional configuration options defined via ucr 'postgres15/pg_hba/config/.*'
@!@
I don't think we can apply this change. Marius told: postgres documentation: > To upgrade an existing installation from md5 to scram-sha-256, after having ensured that all client libraries in use are new enough to support SCRAM, set password_encryption = 'scram-sha-256' in postgresql.conf, make all users set new passwords, and change the authentication method specifications in pg_hba.conf to scram-sha-256. scram-sha-256 was introduced with postgresql 10, so UCS 5.0. Can we be sure that the client libraries of customers are recent? I would say yes, as we only support UCS 5.0 mixed environments, not UCS 4.4. The docs also say: > To ease transition from the md5 method to the newer SCRAM method, if md5 is specified as a method in pg_hba.conf but the user's password on the server is encrypted for SCRAM (see below), then SCRAM-based authentication will automatically be chosen instead. So, we can leave it as is? New postgresql installations automatically use the new hash functions, and older ones still use continue functioning. Should we mention something in the release notes?
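Review bot: Nothing in either hunk gates the switch to `scram-sha-256` on the format of the stored passwords, so a role whose `pg_authid.rolpassword` is still an MD5 hash will fail to authenticate once these lines are active. This applies to the two `print('host all all %s scram-sha-256' % …)` lines in 10-appcenter and to the `127.0.0.1/32` and `::1/128` lines in 99-pg_hba.conf. A pre-upgrade check should list the affected roles first, for example `SELECT rolname FROM pg_authid WHERE rolpassword LIKE 'md5%';`, and the change should only be applied once that list is empty. I would also add a template comment above the `host` lines such as `# scram-sha-256 rejects roles whose stored password is still an MD5 hash`.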
* Can we be sure that the client libraries of customers are recent? I would also say yes, but I'm not sure whether we can check the client version for apps that use the PostgreSQL database.
All UCS template files have been compared to the Debian 12 equivalent and applicable upstream changes have been rebased onto our templates
# config file has been deleted in debian - etc/default/apache2 - deleted in Debian 9, deleted in UCS - etc/default/samba - does not exist in debian 7, deleted in UCS # config does not exist in debian - etc/apache2/sso-vhost.conf.d/01redirect.conf - etc/apache2/sso-vhost.conf.d/csp.conf - etc/apt/apt.conf.d/20secureapt - etc/network/interfaces - etc/mysql/mariadb.conf.d/60-ucr.cnf - etc/motd.setup - etc/modprobe.d/nfs-kernel-lockd.conf - etc/mailname - etc/logrotate.d/listener-modules - etc/logrotate.d/dovecot - etc/listfilter.secret - etc/dovecot/conf.d/95-quota-status.conf - etc/default/atftpd - etc/e2fsck.conf - etc/ldap/sasl2/slapd.conf - etc/docker/seccomp-systemd.json - etc/default/postgrey - does not exist in debian 7-12, but still being read, so keeping - etc/cups/client.conf - does not exist in debian 7-12, only as example but never copied/installed to /etc/cups - etc/apt/apt.conf.d/55user_agent - etc/apt/apt.conf.d/61invoke - etc/apt/apt.conf.d/80proxy - etc/bind/named.conf.proxy - etc/bind/named.conf.samba4 - etc/cron.d/sysvol-cleanup - etc/cron.d/sysvol-sync - etc/postfix/ldap.canonicalrecipient - etc/postfix/ldap.canonicalsender - etc/postfix/ldap.distlist - etc/postfix/ldap.external_aliases - etc/postfix/ldap.groups - etc/postfix/ldap.saslusermapping - etc/postfix/ldap.sharedfolderlocal - etc/postfix/ldap.sharedfolderlocal_aliases - etc/postfix/ldap.sharedfolderremote - etc/postfix/ldap.transport - etc/postfix/ldap.virtual - etc/postfix/ldap.virtual_mailbox - etc/postfix/ldap.virtualdomains - etc/postfix/ldap.virtualwithcanonical - etc/postfix/sasl/smtpd.conf - etc/postfix/tls_policy - etc/postfix/transport - etc/postgresql/pam_ldap.conf - can't even find it on preview/5.2.0@1406c597667950cff - etc/rsyslog.d/dovecot.conf - etc/security/access-chfn.conf - etc/security/access-chsh.conf - etc/security/access-cron.conf - etc/security/access-login.conf - etc/security/access-other.conf - etc/security/access-passwd.conf - etc/security/access-ppp.conf - 
etc/security/access-rlogin.conf - etc/security/access-rsh.conf - etc/security/access-screen.conf - etc/security/access-sshd.conf - etc/security/access-su.conf - etc/security/access-sudo.conf - etc/selinux/config - etc/security/packetfilter.d/20_docker.sh - etc/security/packetfilter.d/20_rsyslog.sh - etc/security/packetfilter.d/20squid - etc/samba/base.conf - etc/squid/allowed_ldap_groups.conf - etc/sysctl.d/local.conf - etc/systemd/system/docker.service.d/http-proxy.conf - etc/systemd/system/getty@.service.d/nottyreset.conf - etc/systemd/system/named.service.d/10-configure-backend.conf - etc/welcome.msg - var/www/robots.txt - etc/modprobe.d/vmgfx.conf : is this still necessary? - usr/share/dovecot/protocols.d/imapd.protocol - usr/share/dovecot/protocols.d/pop3d.protocol - var/lib/dovecot/sieve/default.sieve # debian refactored it ## etc/networks - had a fourth line in Debian 12 with the local-net. Added by using the primary network interface's network ## etc/simplesamlphp/config.php NOTE: due to using ucs-repos as diff upstream no data pre deb10 - deb10->12 changes: - `array()` -> `[]` - comment changes / new comments - partially (surroundings) not included in ucs - partially already applied - other - new: `'assertion.allowed_clock_skew' => 180,` - `TRUE` -> `true`, `FALSE` -> `false`, `NULL` -> `null` - `'session.cookie.secure' => false,` -> `true` (ucs uses ucr -> not applied) - new `'session.cookie.samesite' => true,` (ucs already uses it via ucr -> not applied) - changes to `'priorities' =>` (not included in ucs) - changes to `languages.{available,rtl}`. 
(ucs differed majorly -> overwritten with debian12) notes: - `'enable.saml20-idp'→ → => true,` is not commented out in deb10+12 ## etc/freeradius/3.0/sites-available/default - mostly comments and wording - newly added Autz-Type New-TLS-Connection { ok } - newly added if (EAP-Key-Name && &reply:EAP-Session-Id) { update reply { &EAP-Key-Name := &reply:EAP-Session-Id } } - radius tests pass ## etc/init.d/nagios-nrpe-server ```diff diff --git monitoring/univention-nagios/conffiles/etc/init.d/nagios-nrpe-server monitoring/univention-nagios/conffiles/etc/init.d/nagios-nrpe-server index ee7779d5dc..f69dc01bd3 100755 --- monitoring/univention-nagios/conffiles/etc/init.d/nagios-nrpe-server +++ monitoring/univention-nagios/conffiles/etc/init.d/nagios-nrpe-server @@ -46,6 +46,7 @@ if \[ "$NICENESS" \]; then NICENESS="-n $`NICENESS"; fi if [ ! -d "`$`PIDDIR" ]; then mkdir "`$`PIDDIR" chown nagios "`$PIDDIR" + \[ -x /sbin/restorecon \] && /sbin/restorecon "$PIDDIR" fi set -e 
@@ -58,10 +59,10 @@ case "$`1" in check_autostart nagios-client nagios/client/autostart fi if [ "`$INETD" = 1 \]; then - <span dir="">`exit 1`</span> + <span dir="">`exit 0`</span>` `<span dir="">`fi`</span>` `<span dir="">`log_daemon_msg "Starting $DESC" "$NAME"`</span> - <span dir="">`start_daemon -p $PIDDIR/nrpe.pid $NICENESS $DAEMON -c $CONFIG -d $DAEMON_OPTS`</span> + <span dir="">`start_daemon -p $PIDDIR/nrpe.pid $NICENESS $DAEMON -c $CONFIG -d $NRPE_OPTS`</span>` `<span dir="">`log_end_msg $?`</span>` `<span dir="">`;;`</span> stop) ``` ## etc/init.d/postfix - ucs matched debian 9, updated to debian 12 ## etc/init.d/quotarpc - ucs matches debian10, bunch of functionality has been put into a script at /usr/share/quota/quotarpc.sh ## etc/heimdal-kdc/kdc.conf - ucs config file from debian 5, completely changed in debian 7. Rebased to debian 12 ## etc/nagios/nrpe.cfg ucs uses a config from pre debian7 (deb7: `Last Modified: 11-23-2007`, ucs: `Last Modified: 02-23-2006`) - update `pid_file=` from `/var/run…` to `/run…` (deb10->12) - add `disable_syslog=0` (deb10->12) - `COMMAND DEFINITIONS`: - replace example command block after `The following examples use hardcoded…` with comments containing the ones debian has active since at least deb7 - `@QA` decide weather or not we want to keep them commented out or comment them in (like debian) - update `config file is set to '1'` (\<= deb7) - add debians examples (deb8->10) - remove ucs examples (`@QA` ?) 
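Review bot: The new `start_daemon` line passes `$NRPE_OPTS` in place of `$DAEMON_OPTS`, but neither hunk shows where `NRPE_OPTS` is assigned, so on a host whose sourced defaults still set only `DAEMON_OPTS` the operator's daemon options would presumably be dropped without any message. A compatibility line ahead of the `case`, for example `NRPE_OPTS="${NRPE_OPTS:-$DAEMON_OPTS}"`, would keep those settings across the upgrade; this needs checking against the part of the script outside the diff. In the same hunk the `INETD` = 1 branch now ends with `exit 0`, so `start` reports success although no daemon was started; a comment such as `# NRPE is served via inetd, nothing to start here` would make that intent explicit. The `case` body starts before and continues after the hunk.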
(`check_users`, `check_load`, `check_disk`, `check_procs`) - add `INCLUDE CONFIG FILE` - replace `include_dir` comment with debians (added in deb10, updated in deb12) - comment changes - add `::1` to `allowed_hosts` example (deb8->10) - add `#log_file=` (been there since at least deb7) - update `SSL CIPHER LIST` comments (deb8->10) - remove `INCLUDE CONFIG FILE`/`DIRECTORY` (deb8->10) - add `NASTY METACHARS` (deb8->10) - minor comment updates (typos, etc) - ignored upstream typos (`commmands`, etc) ## etc/rsyslog.conf ucs matches deb10 - removed `$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat` - removed UCR variable - deb removed `Some "catch-all" log files.` section - ucs has custom stuff - deb removed `mail.info`, etc ## etc/simplesamlphp/authsources.php NOTE: due to using ucs-repos as diff upstream no data pre deb10 NOTE: ucs does not match debian at all deb10->12 changes: - `array()` -> `[]` - comment changes / new comments - partially not included in ucs (-> not changed) * partially surroundings not included in ucs (-> not added) - other - a lot of things, which are not included in ucs' version, have updated values ## etc/simplesamlphp/config.php NOTE: due to using ucs-repos as diff upstream no data pre deb10 deb10->12 changes: - `array()` -> `[]` - comment changes / new comments - partially (surroundings) not included in ucs - partially already applied - other - new: `'assertion.allowed_clock_skew' => 180,` - `TRUE` -> `true`, `FALSE` -\> `false`, `NULL` -\> `null` - `'session.cookie.secure' => false,` -> `true` (ucs uses ucr -\> not applied) - new `'session.cookie.samesite' => true,` (ucs already uses it via ucr -> not applied) - changes to `'priorities' =>` (not included in ucs) - changes to `languages.{available,rtl}`. (ucs differed majorly -> overwritten with debian12) notes: - `'enable.saml20-idp'→ → => true,` is not commented out in deb10+12 ## etc/clamav/clamd.conf UCS file was from around Debian 5. Rebased to Debian 12. 
Done by merging the existing options with the default file auto-generated by Debian. This file has a lot of configurable things that might be interesting to make UCR configurable TODO: check if log is rotated by external mechanisms and switch off if necessary ## etc/clamav/freshclam.conf Similar to clamd.conf ## etc/postgresql/15/main/pg_hba.conf see [bugzilla](https://forge.univention.org/bugzilla/show_bug.cgi?id=46120#c8) ## etc/profile command substitution changed from backticks to `$()` # minor changes (comments, formatting, etc) (applied) - etc/systemd/journald.conf : ucs matches debian10 - etc/ssh/ssh_config : ucs matches debian10 - etc/apache2/mods-available/proxy.conf - etc/apache2/mods-available/ssl.conf - etc/cups/cups-pdf.conf : ucs matches debian 8 - added various comments - etc/default/dovecot : ucs matches debian 8 - removed comments - etc/default/saslauthd : ucs matches 7 - 12 removed START= - etc/default/stunnel4 : ucs matches debian 9 - 10 removed ENABLED= - etc/freeradius/3.0/mods-available/eap : ucs matches debian 9 - mostly different wording in comments - etc/freeradius/3.0/mods-available/ldap : ucs matches debian 9 - mostly different wording in comments - etc/freeradius/3.0/mods-available/mschap : ucs matches debian 9 - mostly different wording in comments - etc/freeradius/3.0/radiusd.conf : ucs matches debian 9 - mostly different wording in comments - etc/freeradius/3.0/sites-available/inner-tunnel : ucs matches debian 9 - mostly different wording in comments - etc/inputrc : ucs matches debian 7 - 3 lines of comments - etc/dovecot/conf.d/10-auth.conf - etc/dovecot/conf.d/10-logging.conf - etc/dovecot/conf.d/10-mail.conf - etc/dovecot/conf.d/10-master.conf - etc/dovecot/conf.d/10-ssl.conf - etc/dovecot/conf.d/15-lda.conf - etc/dovecot/conf.d/15-mailboxes.conf - etc/dovecot/conf.d/20-imap.conf - etc/dovecot/conf.d/20-lmtp.conf - etc/dovecot/conf.d/20-managesieve.conf - etc/dovecot/conf.d/20-pop3.conf - etc/dovecot/conf.d/90-acl.conf - etc/dovecot/conf.d/90-quota.conf - 
etc/dovecot/conf.d/90-sieve.conf : ucs matches debian 9 - all comments ^ - etc/heimdal-kdc/kadmind.acl : added the header comment - etc/dovecot/dovecot.conf : ucs matches debian 7 - removed 1 comment - etc/pam.d/cups - was new in deb - no changes since deb8 - deb 8 included `@include common-session`, ucs not - everything else is identical - etc/systemd/journald.conf : ucs matched debian10 - etc/ssh/ssh_config : ucs matched debian10 - etc/plymouth/plymouthd.conf - deb7->8 added `#ShowDelay=0` - debian changed the theme - ucs has ucr variable - etc/pam.d/sudo - deb10-12 added `session required pam_limits.so` - etc/cups/client.conf - updated comments - etc/postgresql/15/main/postgresql.conf - lots of new comments/commented out options - etc/ssh/sshd_config - ChallengeResponseAuthentication -> KbdInteractiveAuthentication in comments. The option and UCRV has already been renamed in `56147` # up to date - etc/bash.bashrc : ucs matches debian10+12 - etc/amavis/conf.d/15-content_filter_mode : no config changes since debian 7+12 - etc/apache2/ports.conf : ucs matches debian7+12 - etc/cups/cups-files.conf : ucs matches debian12 - etc/default/docker : ucs matches debian12 - etc/default/fetchmail - etc/default/heimdal-kdc - etc/default/nfs-common - etc/default/quota - etc/default/ssh - etc/dhcp/dhclient.conf : ucs matches debian 9 - etc/init.d/dovecot : ucs matches debian 8 matches debian 12 - etc/init.d/heimdal-kdc : ucs matches debian 8 matches debian 12 - etc/init.d/networking : identical with debian 12 except for something added in ucs - etc/init.d/postgrey : ucs matches debian 10 matches debian 12 - etc/initramfs-tools/initramfs.conf : ucs matches debian 12 - etc/logrotate.d/btmp : ucs matches debian 10 matches debian 12 - etc/logrotate.d/wtmp : ucs matches debian 12 matches debian 12 - etc/modules : ucs matches debian 12, ucs template was added in ucs - etc/krb5.conf : ucs matches debian10, newly added default config option `rdns=false` already configurable via UCRV - 
etc/dovecot/conf.d/auth-ldap.conf.ext : ucs matches debian 9 matches debian 12 - etc/dovecot/conf.d/auth-master.conf.ext - etc/dovecot/conf.d/auth-system.conf.ext - etc/dovecot/dovecot-ldap.conf.ext - etc/default/locale : ucs matches debian7 matches debian 12 - etc/default/keyboard : unchanged since debian 7 - etc/default/spamassassin : matches debian10, file does not exist in package anymore in debian12 but it still being read. Also still used by UCS with various UCRV, so keeping it -etc/default/nfs-kernel-server : ucs matches debian 7 matches debian 12 - etc/nslcd.conf - default generated config in Debian hasn't changed since Debian 7. UCS is heavily templated and edited in comparison to the default - etc/nsswitch.conf - etc/postgresql/15/main/pg_ident.conf - file maps system usernames to postgres usernames. File is just comments in both debian and UCS and identical - var/lib/samba/private/krb5.conf # changes, which cant be applied - etc/default/grub : due to using ucs-repos as diff upstream no data pre deb10 * deb10: `GRUB_CMDLINE_LINUX="console=tty0 console=ttyS0,115200 earlyprintk=ttyS0,115200"` * deb12: `GRUB_CMDLINE_LINUX="console=tty0 console=ttyS0,115200 earlyprintk=ttyS0,115200 consoleblank=0"` * ucs: `GRUB_CMDLINE_LINUX="@%@grub/append@%@"` - etc/logrotate.d/rsyslog - debian removed a bunch of files from being rotated in 10 -> 12, these files however still exist and are written to in UCS - etc/ldap/slapd.conf - wildly different config file format. 
UCS uses the old deprecated slapd.conf while debian, even in debian 7, already uses the "new" dynamic runtime configuration engine - etc/nscd.conf : ucs is a modified deb8 state - debian updates the values of a lot of variables, which are missing from ucs-python # ucs does not match debian at all - etc/apt/mirror.list - etc/squid/squid.conf - ucs dosnt match any of deb9,deb10,deb12 (and i cant find older records) - deb10->12 changed: lots of comments & things which are not included in the ucs config - etc/bind/named.conf - etc/dhcp/dhcpd.conf - etc/issue - etc/issue.net - etc/ldap/ldap.conf : mostly templated, debians file is mostly comments - etc/logrotate.conf : default logrotate config by debian mostly changed in ucs - etc/logrotate.d/heimdal-kdc : ucs is completely templated - etc/logrotate.d/winbind : ^ - etc/locale.gen : debian has a list of locales here, ucs only a template - etc/hostname : completely generated - etc/hosts : ^ - etc/init.d/samba : very different from upstream - maybe fix at some point but not now - etc/docker/daemon.json : UCS basically generates this file from UCRV - nothing to rebase here - etc/network/if-up.d/bind9 : deb10==deb12 - etc/apt/mirror.list - etc/squid/squid.conf - ucs dosnt match any of deb9,deb10,deb12 (and i cant find older records) - deb10->12 changed: lots of comments & things which are not included in the ucs config - etc/security/limits.conf - etc/pam.d/su : ucs does its own thing for half of the config - etc/pam.d/sshd : 100% python+ucr - half of debian7+ stuff is missing - etc/pam.d/smtp : debian uses import, ucs uses python - etc/pam.d/samba : deb10==deb12 - etc/pam.d/rsh : deb10==deb12 - etc/pam.d/rlogin : deb10==deb12 - etc/pam.d/ppp : unchanged since deb7 - etc/pam.d/passwd : unchanged since deb7 - etc/pam.d/other : deb10==deb12 - etc/pam.d/login * deb10->12 changes to `pam_motd.so` (not in ucs) - etc/pam.d/dovecot : deb uses import, ucs uses python - etc/pam.d/cron : last change in deb8 - etc/pam.d/chsh : no 
changes since deb7 - etc/pam.d/chfn : no changes since deb7 - etc/network/if-down.d/bind9 : deb10==deb12 - etc/cups/cupsd.conf : UCS has three different config files making up the cupsd.conf. Meanwhile Debian, at least since 7, only has 1 cupsd.conf. Major difference seems to be comments but can't really be applied - etc/ntp.conf - -> https://forge.univention.org/bugzilla/show_bug.cgi?id=56661 - etc/postfix/main.cf - UCS has a very custom postfix main.cf that is not comparable. Debian also doesn't have a singular postfix config file but rather a generated one from various options that can be set. However, generating comparable config files on Debian 7 and Debian 12 doesn't reveal any major differences except the addition of some options. These options are mostly either already present in our postfix config or configurable with a UCRV. - etc/postfix/master.cf - here, again, UCS has a very much modified version of master.cf. There is a chunk that closely resembles Debian's version, but that one seems to be up-to-date with debian 12 - etc/resolv.conf - completely templated in UCS - etc/samba/debian_config - etc/samba/smb.conf - etc/samba/smb.conf - all samba config is very different in UCS. However there are also no major changes between Debian 8 and 12, where new options that we are missing could have been introduced - etc/init.d/slapd - completely custom in UCS # new in debian12 - etc/security/faillock.conf (only comments)
OK: changelog entry OK: code review of current commits OK: Jenkins test results OK: no API changes detected Bug #46120: Add changelog entry Bug #46120: update univention-base-files templates Bug #46120: update univention-samba templates Bug #46120: updated univention-antivir-mail templates Bug #46120: update univention-printclient templates Bug #46120: update univention-mail-postfix templates Bug #46120: update univention-postgresql templates Bug #46120: update univention-pam templates Bug #46120: update univention-base-files templates Bug #46120: Update univention-radius templates Bug #46120: update univention-base-files inputrc template Bug #46120: update univention-heimdal templates Bug #46120: update univention-apache templates Bug #46120: update univention-mail-dovecot templates Bug #46120: Update univention-printserver templates Bug #46120: Update univention-saml templates Bug #46120: Update univention-sasl templates Bug #46120: Update univention-nagios templates Bug #46120: Update univention-mail-postfix templates Bug #46120: update univention-quota templates Bug #46120: Updating the UCR templates of univention-radius to Debian 12 Bug #46120: Updating the UCR templates of /etc/init.d/networking to Debian 12 Bug #46120: Updating the UCR templates of /etc/profile to Debian 12 Bug #46120: Updating the UCR templates of JournalD to Debian 12 Bug #46120: Updating the UCR templates of ssh and sshd to Debian 12 Bug #46120: Updating the UCR templates of univention-initrd to Debian 12 Bug #46120: Updating the UCR templates of univention-pam to Debian 12 Bug #46120: Removed module check from apache2 ssl and proxy config Bug #46120: rebase UCR templates (univention-saml)
eda463f0cac Bug #46120: rebase UCR templates (univention-saml) a056e0efb5c Bug #46120: Removed module check from apache2 ssl and proxy config adedb6bbcf7 Bug #46120: rebase UCR templates of univention-pam to Debian 12 7674bd23b7b Bug #46120: rebase UCR templates of univention-initrd to Debian 12 fe89c3f7f1b Bug #46120: rebase UCR templates of ssh and sshd to Debian 12 94f35b3ff70 Bug #46120: rebase UCR templates of JournalD to Debian 12 d1a677b073b Bug #46120: rebase UCR templates of /etc/profile to Debian 12 afc09b3fbe5 Bug #46120: rebase UCR templates of /etc/init.d/networking to Debian 12 42813ea21f5 Bug #46120: rebase UCR templates of univention-radius to Debian 12 ab6b31d1f2a Bug #46120: rebase univention-quota UCR templates 42513349f6a Bug #46120: rebase univention-mail-postfix UCR templates 251890ff1bb Bug #46120: rebase univention-nagios UCR templates d31084fec32 Bug #46120: rebase univention-sasl UCR templates c59a209e0b4 Bug #46120: rebase univention-saml UCR templates b5f2d5f9d60 Bug #46120: rebase univention-printserver UCR templates 60c074db353 Bug #46120: rebase univention-mail-dovecot UCR templates ba53f945531 Bug #46120: rebase univention-apache UCR templates 7af83e5d0fd Bug #46120: rebase univention-heimdal UCR templates ea45a437f5e Bug #46120: rebase univention-base-files inputrc UCR template 966f1bb3d51 Bug #46120: rebase univention-radius UCR templates 9650d6b6462 Bug #46120: rebase univention-base-files UCR templates 2edc4d2fccc Bug #46120: rebase univention-pam UCR templates 1badaaa5057 Bug #46120: rebase univention-postgresql UCR templates f22eda03599 Bug #46120: rebase univention-mail-postfix UCR templates e135bbc3df4 Bug #46120: rebase univention-printclient UCR templates ea396bb95a7 Bug #46120: rebase univention-antivir-mail UCR templates f4495dec63f Bug #46120: rebase univention-samba UCR templates 1af8a652f9c Bug #46120: rebase univention-base-files UCR templates 82ebd60a22f Bug #46120: Add changelog entry