
Releases: tumblr/collins

2.2.0

11 Oct 15:57

This version of Collins includes an important security patch, as well as several new features and bug fixes.

The security patch adds CSRF protection to the forms of the Collins web UI. Without it, an attacker who can guess (or brute-force) the asset tags of nodes could create assets, decommission assets, put assets into maintenance, and so on, simply by getting a logged-in user to visit a crafted web page: the browser attaches the victim's session cookie to the forged form submission, and nothing tied the request to a page Collins itself served. More information can be found in the pull request (#560).
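The failure mode above, and the synchronizer-token check that closes it, as an added example. This is not Collins' code: the handler names, the session and request models, the form field `csrfToken` and the asset tag `asset-0001` are all assumptions constructed for illustration. The pre-fix handler accepts any POST that carries a valid session cookie; the fixed handler additionally requires a per-session token that only a page served by the application itself can embed, which a cross-site attacker page cannot read.

```python
"""Synchronizer-token CSRF check (illustrative, not Collins' implementation)."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    """Server-side session; the token is generated once per login."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Minimal POST model (constructed). The browser attaches the session
    cookie automatically, which is exactly what CSRF abuses."""
    session: Session
    form: dict


class AssetStore:
    """Constructed in-memory stand-in for the asset database."""
    def __init__(self, tags):
        self.status = {tag: "Allocated" for tag in tags}


def decommission_unprotected(store, req):
    """Pre-fix style handler: only the session cookie is checked, so a
    form auto-submitted from any other origin succeeds."""
    tag = req.form["tag"]
    if tag not in store.status:
        return 404, "unknown asset"
    store.status[tag] = "Decommissioned"
    return 200, "ok"


def decommission_protected(store, req):
    """Fixed handler: the submitted token must match the session's token.
    A constant-time compare avoids leaking the token byte by byte."""
    submitted = req.form.get("csrfToken", "")
    expected = req.session.csrf_token
    if not hmac.compare_digest(submitted.encode(), expected.encode()):
        return 403, "CSRF token missing or invalid"
    return decommission_unprotected(store, req)


def render_form(session, tag):
    """What the application's own page embeds: a hidden field carrying
    the per-session token alongside the asset tag."""
    return {"tag": tag, "csrfToken": session.csrf_token}


def attacker_form(tag):
    """What an attacker's page auto-submits: a guessed asset tag and no
    token, because the same-origin policy hides the token from it."""
    return {"tag": tag}


def simulate():
    """Run both handlers against a forged and a legitimate request."""
    victim = Session(user="ops")
    results = {}

    store = AssetStore(["asset-0001"])
    forged = Request(session=victim, form=attacker_form("asset-0001"))
    results["unprotected_forged"] = decommission_unprotected(store, forged)[0]

    store = AssetStore(["asset-0001"])
    results["protected_forged"] = decommission_protected(store, forged)[0]
    results["protected_forged_status"] = store.status["asset-0001"]

    legit = Request(session=victim, form=render_form(victim, "asset-0001"))
    results["protected_legit"] = decommission_protected(store, legit)[0]
    results["protected_legit_status"] = store.status["asset-0001"]
    return results


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

Binding the token to the session (rather than a fixed site-wide secret) is what matters: the attacker can guess asset tags, but cannot guess a 256-bit random value that is only ever written into pages the victim's browser fetched from the application's own origin.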

Here is the full list of merged pull requests since the last release. Many thanks to everyone who contributed!

2.1.0

28 Nov 18:14

Collins 2.1.0 has a very important security patch.

Collins has a feature that allows you to encrypt certain attributes on every asset. It also had a permission that restricted which users could read those encrypted tags. It did NOT have a permission that restricted which users could modify encrypted tags.

It is strongly recommended that you upgrade to collins 2.1.0 if you are using the encrypted tags feature, as well as rotate any values stored in encrypted tags.

The severity of this vulnerability depends heavily upon how you use collins in your infrastructure. If you do not use the encrypted tags feature, you are not vulnerable to this problem. If you do use the encrypted tags feature, you will need to explore your automation and consider how vulnerable you are.

If, for example, your infrastructure has automation that regularly sets the root password on servers to match a value that is in collins, an attacker without the ability to read the current password could set it to a value that they know, wait for the automation to change the password, and then gain root on a server.

This change is backwards compatible with collins v2.0.0, but once you upgrade, writes to encrypted tags by users that have not been granted the feature.canWriteEncryptedTags permission will be rejected. We have also renamed feature.canSeePasswords to feature.canSeeEncryptedTags; collins will continue to respect the value of feature.canSeePasswords if feature.canSeeEncryptedTags is not set. Once feature.canSeeEncryptedTags is set, collins ignores the value of feature.canSeePasswords.

  • Ensure that we build only with java 1.7 #473 @Primer42
  • Write encrypted tags permission #486 @Primer42
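The read/write asymmetry described above, the root-password scenario, and the config fallback rule, as an added example. This is not Collins' code: it assumes, for illustration only, that each of the three settings holds a list of group names that are granted the permission, and the user, group, asset tag and attribute names are constructed. The `pre_2_1_0` flag reproduces the old behaviour (no write restriction at all) beside the fixed one.

```python
"""Encrypted-tag authorization with the canSeePasswords fallback
(illustrative, not Collins' implementation)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset


def _groups(config, key):
    """Return the granted group set for a key, or None if the key is unset."""
    value = config.get(key)
    return frozenset(value) if value is not None else None


def effective_permissions(config):
    """Resolve permissions as the release notes describe.

    feature.canSeeEncryptedTags wins when it is set; otherwise the legacy
    feature.canSeePasswords is honoured. Writes come only from
    feature.canWriteEncryptedTags, which has no fallback: an upgraded
    install with no such entry grants writes to nobody.
    """
    read = _groups(config, "feature.canSeeEncryptedTags")
    if read is None:
        read = _groups(config, "feature.canSeePasswords") or frozenset()
    write = _groups(config, "feature.canWriteEncryptedTags") or frozenset()
    return {"read": read, "write": write}


def can_read_encrypted(user, config):
    return bool(user.groups & effective_permissions(config)["read"])


def can_write_encrypted(user, config, *, pre_2_1_0=False):
    """Before 2.1.0 any user could set an encrypted tag; from 2.1.0 the
    caller must belong to a canWriteEncryptedTags group."""
    if pre_2_1_0:
        return True
    return bool(user.groups & effective_permissions(config)["write"])


class Asset:
    """Constructed asset: a tag, its attributes, and which ones are encrypted."""
    def __init__(self, tag, encrypted_tags=()):
        self.tag = tag
        self.encrypted = set(encrypted_tags)
        self.attrs = {}


def set_attribute(asset, user, name, value, config, *, pre_2_1_0=False):
    """Write path: encrypted attributes require the write permission."""
    if name in asset.encrypted and not can_write_encrypted(
        user, config, pre_2_1_0=pre_2_1_0
    ):
        raise PermissionError(f"{user.name} may not modify encrypted tag {name}")
    asset.attrs[name] = value


def demo():
    """Play out the scenario from the release notes and the config fallback."""
    results = {}
    # Constructed config as an upgraded install might look before anyone has
    # added a canWriteEncryptedTags entry: ops can read, nobody can write.
    config = {"feature.canSeePasswords": ["ops"]}
    mallory = User("mallory", frozenset({"helpdesk"}))  # cannot read the tag
    asset = Asset("asset-0001", encrypted_tags={"ROOT_PASSWORD"})
    asset.attrs["ROOT_PASSWORD"] = "unknown-to-mallory"

    results["mallory_can_read"] = can_read_encrypted(mallory, config)

    # Pre-2.1.0: the write succeeds, so automation that syncs the root
    # password from this tag would later install a value mallory chose.
    set_attribute(asset, mallory, "ROOT_PASSWORD", "mallory-knows-this",
                  config, pre_2_1_0=True)
    results["old_value_after_attack"] = asset.attrs["ROOT_PASSWORD"]

    # 2.1.0: the same write is rejected.
    try:
        set_attribute(asset, mallory, "ROOT_PASSWORD", "again", config)
        results["new_write_rejected"] = False
    except PermissionError:
        results["new_write_rejected"] = True

    # Fallback rule: once canSeeEncryptedTags is set, canSeePasswords is ignored,
    # so a group listed only under the legacy key silently loses read access.
    alice = User("alice", frozenset({"ops"}))
    results["alice_reads_legacy"] = can_read_encrypted(alice, config)
    migrated = dict(config, **{"feature.canSeeEncryptedTags": ["security"]})
    results["alice_reads_migrated"] = can_read_encrypted(alice, migrated)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two practical checks fall out of this: after upgrading, grep your config for feature.canWriteEncryptedTags and add the groups that legitimately set encrypted values, and if you adopt feature.canSeeEncryptedTags, copy every group from feature.canSeePasswords across at the same time, because the old key stops being consulted the moment the new one exists.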

2.0.0

19 Sep 18:29

Collins 2.0.0 is finally released! As of this release, we will start following semantic versioning (http://semver.org/). There have been some backwards-incompatible changes to collins' functionality and configuration settings, but nothing that should make upgrading too difficult.

Here are some highlights of what has changed since the last release:

  • Dropping support for java 1.6
  • Event firehose
  • Refactor of collins' caching logic, to safely support HA
  • Improved LDAP authentication configuration
  • Python collins client
  • Consolr gem, for executing IPMI commands on collins assets
  • Upgraded to play 2.3.9

Thanks to @maximedevalland, @Primer42, @andrewjkerr, @baloo, @byxorna, @davidblum, @defect, @funzoneq, @gtorre, @maddalab, @schallert, @sushruta and @unclejack for their contributions!

And here are all the pull requests included in this release, in no particular order

v1.3.0

10 Sep 20:21

  • Moved to Play 2.0.8
  • Tumblr supported Docker image
  • Reworked and greatly improved init script
  • Monitoring plugin
  • Open sourced collins-auth ruby gem
  • Unit test improvements
  • Customizable intake page fields
  • Provisioning profile contact and contact_notes fields, and ability to set or remove arbitrary attributes based on provisioning profile
  • IP allocation improvements
  • Removed IP allocation caching layer
  • Mixed authentication modes
  • Added new API for asset type
  • Improved solr integration for external solr instances
  • Restrict provisioning based on hardware configuration

Special thanks to @discordianfish, @matthiasr, @dallasmarlow, @rednuopxivrec, @skottler and @asheepapart for their contributions!

And here are all the pull requests in this release, in no particular order

v1.2.4

10 Mar 13:47

This release consists of minor bug fixes, and whatever pull requests were accepted since v1.2.3.

  • Various documentation/labeling fixes (#95, #94, #99, #103, #104)
  • vlan names can be optional (Chris Burroughs #93)
  • squeryl session cleanup and updated deployment automation (Dallas Marlow #109)
  • Upgraded to play 2.0.4, to handle a UTF8 issue (Dallas Marlow #108)
  • Upgraded bonecp (Dallas Marlow #110)
  • Added Metrics support (Chris Burroughs #86)
  • Added dockerfiles, so users can build and run Collins with Docker, if they choose to (Johannes 'fish' Ziemke #111)
  • Minor script fixes (Will Richard and Brent Langston #97 and #113)
  • Trim whitespace from strings before sending them to solr, to get more accurate results (Will Richard #115)
  • Update Bootstrap link in docs footer (Chris Rebert #119)
  • Don't parse config yml files if plugins are disabled (Gabe Conradi #122)
  • Allow LSHW and LLDP updates in more states (Gabe Conradi #123)
  • Accept collins asset state when doing a state update or state delete (Dallas Marlow #124)
  • Created a 'contrib' directory for helpful script for running and maintaining collins (Will Richard & Gabe Conradi #126)
  • Ensured that variables provided when using the text/x-shellscript API endpoint are valid POSIX (Will Richard & Gabe Conradi #129)

v1.2.3

30 Dec 22:49

This officially tags the 1.2.3 release. The commit message notes that this is the correct commit, and the release was already announced on the google group and on http://tumblr.github.io/collins/, so this tag is just bookkeeping.

Here are the release notes.

  • Graph: Ganglia GraphView support (Chris Burroughs #76)
  • LSHW: Include server description, vendor, etc during intake (Chris Burroughs #77)
  • LSHW: Allow a default speed to be specified via defaultNicCapacity (Benjamin VanEvery #91)
  • Bug: Evolution 11 autoinc should work with MySQL and H2 (Benjamin VanEvery #90)
  • Bug: Exact match search when dropdown used in UI (Chris Burroughs #88)
  • UI: Bookmarkable tabs and working logs refresh button in asset view (Chris Burroughs #87)
  • Docs: Document ganglia graphing config (Chris Burroughs #84 and #85)
  • UI: Display dimension of attribute in asset view (Chris Burroughs, Blake Matheny #83 and #79)
  • Logging: Better LDAP failure messages (Chris Burroughs #79)
  • Shell: Support for size and threads parameter for batch operations (Blake Matheny #72)
  • LSHW: Handle ghost CPUs in LSHW output (Chris Burroughs #70)

One notable thing about this release is that it is the first one with more contributions from non-Tumblr people than from Tumblr people. Love seeing that.