Release 4.2.0 (2024-03-28)

⚠️ Update Requires Manual Intervention ⚠️

If you are using a 4.1.0 SHM and want to upgrade to 4.2.0, please follow the steps below:

1. Run Setup_SHM_Firewall.ps1 -shmId {shmid}
2. Run Setup_SHM_Networking.ps1 -shmId {shmid}
3. Delete LINUX-UPDATES-SHM-{shmid} VM and associated resources from the RG_SHM_{shmid}_MONITORING resource group
4. Delete RG_SHM_{shmid}_PACKAGE_REPOSITORIES resource group and all resources
5. Run Setup_SHM_Update_Servers.ps1 -shmId {shmid} (Note that this needs to happen before any further resources are deployed, since any further Linux resources will need access to the Linux update proxy).
6. Run Setup_SHM_Package_Repositories -shmId {shmid}
7. Run Setup_SHM_Monitoring.ps1 -shmId {shmid}

Known issues

• Jupyter notebook launched from GUI menu could not launch Python kernel, so it has been removed from the menu 0657647

New Features

• Remove Microsoft Remote Desktop support: #1535
• Remove CoCalc: #1554
• Install dev dependencies in container: #1747
• Add script to renew NFS share Stored Access Policies: #1739
• Add script to automate account deletion: #1508
• Factored out storage creation from SHM scripts #1673
• SRD image updated, with latest Python versions available f3e890a

Bug Fixes

• Update DBeaver drivers using Github workflow: #1696
• Fixing DBeaver driver issues on T2+ SREs: #1704
• Improve handling of spaces in file paths: #1705
• Correct file path for Clam OnAccess scanning service: #1725
• Fix PostgreSQL permissions and data schema, and relevant docs: #1708
• Update outdated parameters that cause breaking change warnings: #1663
• Change default lun from lun1 to lun0: #1667
• Increase apt proxy server disk to 64 Gb: #1726
• Remove omsagent from VM build image: #1732
• Remove hyphens from SHM and SRE names in #1650
• Update devcontainer configuration in #1662
• Use memory for the /tmp directory in #1672
• Remove unneeded opening bracket in SRE network configuration script #1670
• Add missing import for logging module #1681
• Fix cloud-init log parser using old name for event 58a85bc
• Detect and remove omsagent installed on SRD image before generalization e168b05

Security Fixes

• Update software on Guacamole and Nginx to latest versions: #1741
• Update Nexus proxy server for T2/T3 package access: in #1744
• Update CodiMD server version: #1743
• Improve hardcoded domains and IP addresses: #1745
• Prevent Nginx version information from appearing in http headers

Documentation updates

• Add guidance on resizing NFS shares: #1749
• Update documents to reflect change to Microsoft Entra ID: #1665
• Update deprecation warning for MS RDS: #1542
• Add explanation of how to change allowed inbound IP addresses: #1484
• Add all contributors table and instructions for how to update: #1649
• Update contributors: #1684
• Document removal of persistent SRE storage accounts: #1685
• docs: update contributors: #1686
• Add additional multiple data provider guidance to docs: #1707
• Add links to guides for terminal, Xfce, and Guacamole: #1737
• Update help text for Powershell command shmId andsreId arguments #1683

Full Changelog: v4.1.0...v4.2.0

Release 5.0.0-rc.1 (2023-09-27)

First version of migration to Python using Pulumi. Penetration tested in September 2023.

Known Issues

⚠️ This release is not ready for production usage. ⚠️

Release 4.1.0 (2023-09-06)

⚠️ Update Requires Manual Intervention ⚠️

If you are using a 4.X.Y SHM and want to upgrade to 4.1.0, please follow the steps below:

• Run ./deployment/safe_haven_management/setup/Setup_SHM_Networking.ps1 -shmId <your SHM ID>
• Restart the virtual machine at RG_SHM_<SHM name>_MONITORING/LINUX-UPDATES-SHM-<SHM name> in the Azure portal

Known Issues

Only phone call authentication works for MS RDS. This provides no on-screen MFA Prompt.

New Features

• Allow device authentication in SHM deployment #1378
• Add arrow CRAN package to Tier 3 core list #1391
• Update Python in SRD images #1421

Bug Fixes

• Update Powershell module requirements: #1368
• Update supported Powershell version to 7.3.6
• Prevent removal of backup data during dry run: #1383
• Better package name matching for Nexus: #1447
• Update SRD image: #1421
• Add new servicebus endpoints for self-service password reset: #1423 and #1466
• Modify location of requirements.txt in Dockerfile: #1469
• Fixes of the SRD build related to python packages: #1514 and #1537
• Fix allowlist generation: #1422
• Update badges: #1371
• Update caching in allowlists workflow: #1395
• Fix incorrect logic around automated PR creation: #1426
• Update Ubuntu apt server addresses #1548
• Add docker.io to allowed-FQDNs #1548
• Change cloud-init files to automatically select appropriate disk partition #1548
• Fix MS-SQL database deployment #1580
• Fix PyPi Tier 3 mirror failures #1581

Security Fixes

• Fix non-allowed CRAN packages beginning with allowed name being installable: #1447
• Update to firewall rules: #1519

Documentation Updates

• Add instructions for installing documentation build dependencies: #1370
• Add instructions to resize VMs: #1367
• Update user management guide to explain adding users to security group and changing a phone number: #1389
• Add instructions for GPU VM resizing: #1399
• Add note on NVIDIA GPU support: #1406
• Remove reference to unused System Administrators Security Group: #1407
• Remove egress steps not carried out by System Manager: #1434
• Update SRE user troubleshooting: #1435
• Move from GitHub pages to ReadTheDocs #1468
• Add Policy for software package requests: #1387
• Add deprecation warning for MSRDS #1542
• Add warning that MSRDS does not work with the Microsoft Authentication app. #1589
• Add step for adding SSL certificate in step-by-step instructions for Guacamole #1590

Full Changelog: v4.0.3...release-v4.1.0

Release 4.0.3 (2023-01-27)

Bug fixes

• Update maximum allowed Powershell version
• Fix disk mounting issue when upgrading SRDs

Documentation updates

• Minor fixes

Release 4.0.2 (2023-01-05)

Bug fixes

• Add missing Powershell module imports
• Fix -Upgrade option when adding new SRD
• Fix tensorflow installation in SRD base image
• Register Microsoft.DataProtection on subscriptions that an SRE will be deployed into
• Support cross-subscription role assignments for backup
• Switch to correct subscription before deploying update automation
• Update Powershell version requirements to avoid upstream bug
• Update SRD package versions
• Use process-scope when retrieving Graph authorization tokens with Connect-MgGraph

Security fixes

• Remove unnecessary information from deployment logging

Documentation updates

• Add link to teardown docs to deployment page
• Add a VSCode .devcontainer for use in deployment
• Clarify that IP addresses are required in SRE config file
• Consolidate MFA setup description
• Update documentation build triggers to also run on latest

Release 4.0.1 (2022-10-24)

Bug fixes

• Add additional modules to requirements checker
• Add check for non-existing AzureAD security group
• Switch CI tests from Travis to GitHub Actions

Documentation updates

• Updated issue templates
• Fix documentation building

Release 4.0.0 (2022-10-06)

New features

• Add apt update server
• Add backup for blob storage
• Add backup for VM disks
• Add DNS server capabilities to DC2
• Enable automated VM updates
• Relicence to BSD 3-Clause
• Simplify deployment configuration
• Simplify NPS setup
• Simplify Powershell modules
• Switch to using DSC when configuring domain controllers
• Unify deployment of repository mirrors/proxies

Bug fixes

• Fix AAD domain verification
• Fix database logic so that either 0,1 or 2 databases can be deployed in an SRE
• Fix DNS recursion on domain controllers
• Fix htmlproofer issues by version pinning
• Fix network/firewall rules that were stopping the installation of gitlab-ce
• Fix NSG rules that were blocking LDAP connections from webapps
• Fix SHM teardown failure
• Fix Tier-3 allowlist scripts
• Fix updating of Guacamole dashboard when reading users from LDAP
• Improve tear down scripts
• Make RDS cipher suite setting more robust
• Make template deployments more robust
• Modify SHM requirements script to optionally install missing modules
• Restrict repository updates to this SRE
• Set Az.Storage minimum version
• Update NVIDIA repository key
• Update QGIS repository key
• Update SRD package versions
• Update to SSIS 16.0 in lockdown script

Security fixes

• Add ClamAV to all Linux VMs
• Drop support for Atom text editor
• Drop support for sbt
• Switch storage to GRS

Documentation updates

• Add administrator documentation for backups
• Add backup test to security checklist
• Add citation file
• Add disclaimer text to main repository README
• Add instructions to remove Conditional Access policies when reusing an AzureAD
• Add user backup instructions
• Fix various typographical errors in the documentation
• Make deployment instructions more visible
• Make documentation less prescriptive
• Update GitHub issue templates
• Update password writeback instructions
• Update SHM deployment instructions
• Update user guide

Release 3.4.0 (2022-02-26)

New features

• Whitelisted SSL Labs for analysing remote desktop entrypage.
• Updated SRD image with new packages and increased automation.
• Re-organised and standardised NSG rules
• Added tier 3 support for Nexus repositories

Bug fixes

• Fixed CoCalc NSG rules.
• Updated PyPI and CRAN allow lists.
• Switched to Mustache for all templating.
• Ensured that allow list generation does not time out.
• Replaced SHM networking ARM template.
• Switched from AzureAD.Standard preview to mainline version.
• Switched from AzureAD.Standard to Microsoft.Graph.
• Deprecated use of Write-Host.
• Ensured that pyenv virtual environment work correctly.
• Standarised NSG rule naming.
• Fixed overlapping IP ranges in example configs.
• Tidied up cloud-init files, moving scripts into dedicated files where appropriate.
• Switched Guacamole Docker deployment to use a non-root user.
• Simplified domain joining logic.
• Fixed check for tensorflow so that it is only applied if on the required package list.
• Fixed check for CoCalc deployment termination
• Set correct Graph permissions for changing user passwords

Documentation updates

• Fixed broken data classification flowchart.
• Added HTML checker to CI.
• Renamed DSVM to SRD throughout.
• Updated GitHub issue templates.
• Switched to GitHub discussions where relevant.
• Fixed GitHub Actions PR generation.
• Warned against using special characters in usernames.
• Added a Jupyter notebook for interactive testing, together with updates to the documentation.
• Fixed GitHub Actions cron jobs.

Release 3.3.1 (2021-12-10)

Bug fixes

• Allow Tier 0/1 SREs to access the internet as expected
• Correct NSG rule to allow connection to webapps from dashboard
• Ensure that CoCalc VM can connect to the package repositories

Documentation

• Fixed a broken link in the code of conduct

View and clone the repository at this version

Release 3.3.0 (2021-06-16)

New features

• Added support for Guacamole remote desktop
• Added single-script SRE deployment (for Guacamole only)
• Added CoCalc webapp
• Added support for more Mustache features when expanding templates
• Added syslog collection for Linux hosts
• Added instructions for migrating users from one SHM to another

Bug fixes

• Allow VMs that were stopped due to lack of credit to be restarted
• Ensure that parameters are passed to remote scripts in a consistent way
• Work-around when using "allow" in the AzurePlatformDNS NSG rule
• Better method of identifying resource groups when tearing down SHM/SRE

Documentation

• Improved style and clarity of deployment documentation
• Improved documentation around image building
• First draft of DSPT documentation
• Better documentation for ingress/egress
• Changed some names to be more inclusive
• Updated security checklist
• Switched to GitFlow and added some explanatory text
• Added automated documentation building

View and clone the repository at this version