CHANGELOG
* Wed Sep 11 2024 Steven Pritchard <[email protected]> - 4.23.0
- [puppetsync] Update module dependencies to support simp-iptables 7.x
* Tue Jul 09 2024 Mike Riddle <[email protected]> - 4.22.0
- Added ability for users to switch between '/bin/true' and '/bin/false' when disabling kernel modules via the kmod_blacklist class
* Tue Jul 02 2024 Steven Pritchard <[email protected]> - 4.21.0
- Clean up use of legacy facts to better support Puppet 8
* Thu Jan 25 2024 Steven Pritchard <[email protected]> - 4.20.0
- Switch from `trlinkin-nsswitch` to `puppet-nsswitch`
* Wed Jan 17 2024 Richard Gardner <[email protected]> - 4.19.1
- Updated hiera.yaml facts to support puppet 8
* Wed Oct 11 2023 Steven Pritchard <[email protected]> - 4.19.0
- [puppetsync] Updates for Puppet 8
- These updates may include the following:
- Update Gemfile
- Add support for Puppet 8
- Drop support for Puppet 6
- Update module dependencies
* Tue Oct 03 2023 Steven Pritchard <[email protected]> - 4.18.0
- Add AlmaLinux 8 support
- Add support for stdlib 9
- Update other Puppet module dependencies
- Add support for Puppet 8
- Drop support for Puppet 6
* Mon Jul 31 2023 Chris Tessmer <[email protected]> - 4.17.0
- Add RockyLinux 8 support
* Wed May 31 2023 Mike Riddle <[email protected]> - 4.16.8
- Fixed a bug in the authselect nsswitch logic
* Thu May 18 2023 Mike Riddle <[email protected]> - 4.16.7
- Stopped managing nsswitch when authselect is being used
* Thu Apr 20 2023 Mike Riddle <[email protected]> - 4.16.6
- Removed missing gpgkeys from the list of simp gpgkeys
* Mon Apr 17 2023 Mike Riddle <[email protected]> - 4.16.5
- Removed the epel-modular repo from the list of client repos
* Fri Jun 03 2022 Trevor Vaughan <[email protected]> - 4.16.4
- Allow `puppet/chrony` < `3.0.0`
- Allow `puppetlabs/stdlib` < `9.0.0`
* Fri May 13 2022 Trevor Vaughan <[email protected]> - 4.16.3
- Remove upstart as a dependency since it is not used on any of our supported
operating systems
* Mon Oct 18 2021 Jeanne Greulich <[email protected]> - 4.16.2
- Updated simp::yum::repo::local_os_updates to use the GPGKEYS installed by
simp-gpgkeys and the iso install into <yum directory>/SIMP/GPGKEYS.
This change was made because
EL8 distribution ISO no longer contains the GPG keys at the top level like
previous releases. SIMP will put the keys into SIMP/GPGKEYS no matter what
the release is so this was the best fix.
* Tue Sep 28 2021 Trevor Vaughan <[email protected]> - 4.16.1
- Fixed
- Updated simp::yum::repo::local_simp to adjust for the EL8 ISO build
- Updated simp::yum::repo::local_os_updates to adjust for the EL8 repo
set up. It has 2 OS repos, BaseOS and AppStream.
- When using the param 'baseurl' for EL8 it will create 2 repos by appending
AppStream and BaseOS to the url.
- The use of 'baseurl' for EL7 and earlier has not changed. It will use the
url as presented.
* Tue Aug 24 2021 Trevor Vaughan <[email protected]> - 4.16.0
- Added
- simp::puppetdb::disable_update_checking to disable default analytics in
accordance with NIST guidance
- PuppetDB now sets UseCodeCacheFlushing by default
- Changed
- Migrated from camptocamp/kmod to puppet/kmod
- Fixed
- Corrected the HeapDumpOnOutOfMemoryError setting for PuppetDB
- Ensure that nsswitch SSSD options for sudoers do not stop on files
- Do not include the auditors sudo user specification if the aliases have not
been included
- Add the following to sudoers defaults
- !visiblepw
- always_set_home
- match_group_by_gid
- always_query_group_plugin
* Tue Aug 17 2021 Jeanne Greulich <[email protected]> - 4.16.0
- Update the sssd client configuration to set the ldap_schema
for ldap providers based on the setting simp::sssd::client::ldap_server_type,
which uses "plain" for openldap servers and "389ds" for 389-DS servers.
SIMP configuration and documentation for each of those servers is:
- In openldap group members are added using the attribute
"memberUid" and the cn of the user entry as defined in the
rfc2307 schema.
* In 389-DS group members are added using the "member" attribute and dn
of the user as defined in the rfc2307bis schema.
- Add relative_gpgkey_path parameter to simp::yum::repo::simp_local
and default it to SIMP/GPGKEYS, the location that the simp-gpgkeys
rpm installs the gpgkeys.
The above fix is needed because SIMP local repos were split up to be
OS version specific but the GPGkeys are placed in one location by
simp-gpgkeys. This works
because simp::yum::repo::simp_local takes care to add only the OS
specific gpgkeys to the repo definition.
- Changed:
- sssd::client no longer creates a local provider.
- The version of pupmod-simp-sssd required by this module was updated to 7.0
because the version of sssd installed does not require a provider.
If you require a local provider use the sssd module to create one.
- NOTES FOR UPGRADE: The local domain was configured by default in earlier
versions of SIMP because sssd would not start without a domain. A "LOCAL"
entry was added to the list of sssd domains to create in hiera. You will
need to remove this domain from the list of domains in hiera unless you
are configuring a "LOCAL" domain somewhere else in your puppet code. The
hiera variable is sssd::domains. If you do not remove this domain from the
list of domains in hiera and are not configuring it yourself sssd will
fail to start because it will not find a provider for the "LOCAL" domain.
- Added warning if LOCAL domain was found in sssd::domains. Also added ability
to disable the warning.
- Added the latest GPG key for Puppet RPMs (RPM-GPG-KEY-20250406) to the list
of GPG keys for the local `simp` repo.
* Wed Jul 14 2021 Steven Pritchard <[email protected]> - 4.16.0
- Support all valid values for simp::pam_limits::max_logins::value
* Wed Jun 16 2021 Chris Tessmer <[email protected]> - 4.16.0
- Ensured support for Puppet 7 in requirements and stdlib
* Tue Jun 08 2021 Liz Nemsick <[email protected]> - 4.15.0
- Removed
- Drop support for Puppet 5
- Changed
- Use puppet/chrony in lieu of aboe/chrony, as VoxPupuli has now assumed
ownership of this module.
- Allow puppetlabs/concat < 8.0.0
- Allow saz/timezone < 7.0.0
* Wed May 12 2021 Trevor Vaughan <[email protected]> - 4.15.0
- Removed
- Drop support for EL 6 due to EOL
- Fixed
- Ensure that netconsole-service is installed on EL8+
- Added
- Add support for Puppet 7
- Added a JSON formatted profiling formatter for rspec
- Allow users to modify the defined type options in `simp::sssd::client`
* Wed Apr 28 2021 Jeanne Greulich <[email protected]> - 4.15.0
- As of SIMP 6.6 the SIMP yum repo is expected to be OS version specific, allowing the
yum server to host SIMP RPMs and their dependencies for more than one OS.
The SIMP repo will now be under /var/www/yum/SIMP/<osfamily>/<os major version>/<arch>
instead of /var/www/yum/SIMP/<arch>.
This updates the creation of the yum config files to point to the correct directories.
- Fix bootstrap_simp_client to use fully qualified path on call to
puppet.
* Mon Mar 29 2021 Michael Riddle <[email protected]> - 4.15.0
- Added additional parameters to simp::admin to allow for more fine-grained
control of global admin and auditor sudo rules
* Tue Jan 19 2021 Kendall Moore <[email protected]> - 4.15.0
- Explicitly manage IPv6 kernel tuning parameters
* Wed Jan 13 2021 Chris Tessmer <[email protected]> - 4.15.0
- Removed EL6 from supported OSes
* Thu Nov 19 2020 Trevor Vaughan <[email protected]> - 4.14.3-0
- Call `selinux::install` prior to using native types that require the packages
to be installed.
* Thu Nov 12 2020 Trevor Vaughan <[email protected]> - 4.14.2-0
- Update the required version of simp/svckill to the puppet 6 safe version.
* Wed Oct 28 2020 Trevor Vaughan <[email protected]> - 4.14.1-0
- Fixed:
- Ensure that the sudoers rule for removing the puppet ssldir is not created
when running from bolt since the directory target is changed at each bolt
run and will result in non-idempotency.
- Un-pinned the firewalld module version in .fixtures.yml because that no
longer appears to cause issues.
- Allow the local yum repos to optionally specify gpgkey or baseurl strings
since, technically, both are optional in the `yumrepo` type if they already
exist on disk.
* Thu Oct 15 2020 Chris Tessmer <[email protected]> - 4.14.0-0
- Added:
- New parameters to `simp::yum::repo::local_simp` and
`simp::yum::repo::local_os_updates`:
`relative_repo_path`, `baseurl`, and `gpgkey`
- `baseurl` and `gpgkey` allow complete yumrepo overrides
* Wed Oct 14 2020 Liz Nemsick <[email protected]> - 4.14.0-0
- Added:
- ``simp::puppetdb::cipher_suites`` parameter to manage the
cipher suites supported by PuppetDB's HTTP interface (jetty).
- Used to set ``puppetdb::cipher_suites``.
- Value set to a safe set.
* Mon Oct 05 2020 Liz Nemsick <[email protected]> - 4.13.0-0
- Added:
- ``simp::yum::repo::internet_simp`` class:
- Uses the SIMP yum repository package (simp-community-release) to
configure yum for SIMP's internet public repositories at simp-project.com.
- simp-project.com is the new host for SIMP's yum repositories.
- packagecloud is no longer being updated.
- ``simp::yum::repo::simp_release_version`` function: Returns the SIMP release
version for use in the SIMP internet yum repositories.
- ``Simp::Version`` data type alias for valid version strings for use in the
SIMP internet repositories.
- Deprecated:
- ``simp::yum::repo::internet_simp_server`` and
``simp::yum::repo::internet_simp_dependencies`` classes:
- These resources are no longer useful because their API matches the OBE
packagecloud SIMP repositories.
- As a workaround, the classes have been modified to use
``simp::yum::repo::internet_simp`` to configure the correct repositories
at simp-project.com.
- You should switch to using ``simp::yum::repo::internet_simp``, directly, as
these classes will be removed in a future release.
- ``simp::yum::repo::sanitize_simp_release_slug`` function: a function
only useful to the deprecated classes.
* Tue Sep 15 2020 Jeanne Greulich <[email protected]> - 4.12.0-0
- Updated sssd/client configuration for EL8
- Do not configure local provider for EL8
- Use the files provider for the local domain for el7 and later
- Deprecate sssd client autofs, ssh and sudo settings. The sssd
module configures services in sssd::services list. Use that
setting to configure those entries.
- Configure sssd even if local and ldap are not configured for el8.
* Wed Sep 09 2020 Trevor Vaughan <[email protected]> - 4.12.0-0
- Updated simp::mountpoints::proc
- Due to updates to polkit that require being added to the /proc gid group
- Assign a group and gid by default
- Create a group by default
- Discover these values from the system if possible
* Wed Aug 19 2020 Jeanne Greulich <[email protected]> - 4.11.1-0
- changed the ssh settings for the Windows node in the
win_client acceptance test
* Tue Aug 18 2020 Jeanne Greulich <[email protected]> - 4.11.1-0
- changed the upper bounds for dependencies for simp_apache and pupmod
- corrected version numbering for chrony
* Tue Aug 04 2020 Trevor Vaughan <[email protected]> - 4.11.1-0
- Align OpenLDAP terminology with vendor changes
* Mon Mar 30 2020 Trevor Vaughan <[email protected]> - 4.11.0-0
- The following applications have been removed from the base os applications
installed automatically by simp:
'man',
'man-pages',
'vim-enhanced',
'dos2unix',
'elinks',
'hunspell',
'lsof',
'mlocate',
'pax',
'pinfo',
'sos',
'star',
'symlinks',
'words',
'x86info'
- simp::base_apps::manage_elinks_config no longer has any effect
- Replace the use of augeasproviders-shellvar with a direct augeas resource
- Updated the simp::nsswitch class to have sane defaults
- Added support for mymachines and myhostname by default
- Removed all NIS references since NIS should not be in general usage any
longer and was never natively supported by SIMP
- Configuration files are now common across all supported OSs since nsswitch
"does the right thing" when it hits a module that it does not recognize
* Mon Dec 16 2019 Jeanne Greulich <[email protected]> - 4.11.0-0
- NTP is not used by default in EL8 so moved ntp to list of OS relevant apps
for EL6 and EL7 and added chronyd for EL8.
- Added support for EL8.
- Updated the bootstrap_simp_client to use chrony if kernel version is 4 or later.
- Removed the old runpuppet kickstart scripts. The simp_bootstrap_client scripts
should be used instead.
- Deprecated parameter simp::server::kickstart::runpuppet because the runpuppet scripts
are no longer used.
* Tue Nov 19 2019 Steven Pritchard <[email protected]> - 4.11.0-0
- Allow nsswitch overrides
* Mon Oct 28 2019 Jeanne Greulich <[email protected]> - 4.11.0-0
- Removed `clamav` from the list of classes included by default in the
SIMP scenarios.
* This will not remove ClamAV from a system it is installed on, it
will stop managing it.
* To continue managing ClamAV on a system add `clamav` to `simp::classes`
in the appropriate hiera file for that SIMP client.
* See the `simp-clamav` module for information on configuring or removing
ClamAV on a system.
- Deprecated `simp::server::clamav`.
* This parameter will be removed in a future SIMP release.
* Once removed, if you want to manage ClamAV on the SIMP server, you will
have to manually add the `clamav` class to `simp::classes` in the
SIMP server's hiera file.
* Thu Aug 15 2019 Trevor Vaughan <[email protected]> - 4.11.0-0
- Add Windows acceptance tests
* Mon Aug 12 2019 Robert Vincent <[email protected]> - 4.10.2-0
- Support puppetlabs/concat 6.x.
* Mon Aug 05 2019 Trevor Vaughan <[email protected]> - 4.10.1-0
- Remove broken tasks directory
* Thu Aug 01 2019 Robert Vincent <[email protected]> - 4.10.0-0
- Exclude the `yum` class from all Windows nodes.
* Fri Jul 05 2019 Steven Pritchard <[email protected]> - 4.10.0-0
- Add v2 compliance_markup data
* Tue Jun 25 2019 Liz Nemsick <[email protected]> - 4.9.0-0
- Updated the URLs to the EPEL GPG keys. The URLs have changed.
* Tue Jun 18 2019 Trevor Vaughan <[email protected]> - 4.9.0-0
- Add SELinux login context management to `simp::admin`
- Update the version of simp-selinux
- Update the upper bound on puppetlabs-stdlib
* Thu May 09 2019 Jeanne Greulich <[email protected]> - 4.8.1-0
- Set permission on /etc/simp and /etc/simp/simp.version to world readable.
Puppet needs to be able to read it for simp_version fact.
* Mon May 06 2019 Liz Nemsick <[email protected]> - 4.8.0-0
- Fixed a bug on el6 systems in which the 'puppetdb-dlo-cleanup' cron
job from the puppetdb module could not be created. Cron rejected this
job because the puppetdb user did not have cron access.
- Added 2 'dead letter office' cleanup configuration parameters to
`simp::puppetdb`
- simp::puppetdb::automatic_dlo_cleanup which maps directly to
puppetdb::automatic_dlo_cleanup
- simp::puppetdb::dlo_max_age which maps directly to puppetdb::dlo_max_age
* Thu Apr 18 2019 Trevor Vaughan <[email protected]> - 4.8.0-0
- Refactor the simp::mountpoints::tmp to use systemd's tmp.mount target if
the system supports systemd.
- Added net.ipv6.conf.all.accept_ra to simp::sysctl management
- Fixed a bug where the root password field was attempting to set an 'undef'
value as Sensitive.
- Bumped the supported Puppet version to include Puppet 6
- Removed Puppet 4 from the supported list
* Tue Apr 09 2019 Joseph Sharkey <[email protected]> - 4.8.0-0
- Remove Elasticsearch and Grafana GPG Keys
- Added missing simp::sysctl value simp::sysctl::net__ipv4__conf__default__log_martians
- Standardized cron datatypes to use the Simplib::Cron::### types. This
allows more flexibility in cron scheduling.
* Mon Mar 25 2019 Nick Miller <[email protected]> - 4.8.0-0
- Add exceptions to the filebucket management and the vardir/simp management
to support running from Bolt
* Thu Mar 21 2019 Liz Nemsick <[email protected]> - 4.8.0-0
- Replaced use of the simplib's Puppet 3 array_include function with
stdlib's member function
- Use simplib::host_is_me in lieu of simplib's Puppet 3 host_is_me
- Use simplib::simp_version in lieu of simplib's Puppet 3 simp_version
* Wed Mar 20 2019 Joseph Sharkey <[email protected]> - 4.8.0-0
- Switched out chkrootkit for rkhunter on el7 instances
* Mon Mar 11 2019 Liz Nemsick <[email protected]> - 4.7.0-0
- Replaced simp-timezone (temporary SIMP fork) with saz-timezone
and set the lower bound to 5.1.1 in the metadata.json
* Wed Mar 06 2019 Trevor Vaughan <[email protected]> - 4.7.0-0
- Added the, inert by default, deferred_resources class to all class lists in
case the users want to use the functionality. This is particularly relevant
to various compliance profiles.
* Mon Mar 04 2019 Liz Nemsick <[email protected]> - 4.7.0-0
- Deprecated simp::puppetdb::read_database_ssl. Use
simp::puppetdb::read_database_jdbc_ssl_properties which maps
directly to puppetdb::server::read_database_jdbc_ssl_properties
(puppetdb version >= 7.0.0).
- Updated to a minimum puppetdb module version 7.1.0 in the
metadata.json and expanded the upper bound accordingly
- Expanded the upper bound for the concat and stdlib Puppet modules
in the metadata.json
- Updated URLs in the README.md
* Mon Feb 18 2019 Trevor Vaughan <[email protected]> - 4.7.0-0
- Update the dependency list in metadata.json
- Fix the one_shot scenario tests
* Fri Feb 15 2019 Liz Nemsick <[email protected]> - 4.7.0-0
- Use simplib::join_mount_opts() in lieu of join_mount_opts(), a
deprecated simplib Puppet 3 function.
- Use simplib::nets2cidr() in lieu of nets2cidr(), a deprecated
simplib Puppet 3 function.
- Use Puppet's String() in lieu of to_string(), a deprecated simplib
Puppet 3 function.
- Use simp_apache::munge_httpd_networks() in lieu of
munge_httpd_networks(), a deprecated simp_apache Puppet 3 function.
- Use ssh::global_known_hosts() in lieu of ssh_global_known_hosts(),
a deprecated ssh Puppet 3 function.
* Wed Jan 02 2019 Adam Yohrling <[email protected]> - 4.7.0-0
- Add the ability to set the root user password in `simp::root_user`
* Tue Dec 11 2018 Jeanne Greulich <[email protected]> - 4.7.0-0
- Added sysctl value to increase max number of inotify user watches.
Default = 8192, New Value 102400 which is roughly 100M on a 64 bit system.
- If max number is reached systemctl fails with "Not enough Space on Disk"
even though there is plenty of space.
- See https://unix.stackexchange.com/questions/13751/kernel-inotify-watch-limit-reached
for some helpful information.
* Thu Oct 18 2018 Nick Miller <[email protected]> - 4.6.0-0
- Added $simp::server::yum::createrepo_ensure parameter
- Changed the package from 'latest' to 'installed'
- It will also respect `simp_options::package_ensure`
* Wed Oct 17 2018 Jeanne Greulich <[email protected]> - 4.6.0-0
- Update fixtures to use correct branch of timezone. (Same as in
the tracking file for 6.3)
* Wed Oct 10 2018 Liz Nemsick <[email protected]> - 4.6.0-0
- Remove unnecessary simp/freeradius dependency in metadata.json
* Mon Sep 10 2018 Liz Nemsick <[email protected]> - 4.6.0-0
- Update Hiera 4 to Hiera 5
* Thu Aug 30 2018 Liz Nemsick <[email protected]> - 4.6.0-0
- Fix a usability bug in which simp::server::kickstart did not allow
the bootstrap scripts provided by simp::server::kickstart::runpuppet
and simp::server::kickstart::simp_client_bootstrap to be configured
via hieradata, when those classes were managed by simp::server::kickstart.
* Mon Aug 27 2018 Trevor Vaughan <[email protected]> - 4.6.0-0
- Switch from using 'sudosh' as the default logging shell to using 'tlog'
- Add a 'simp::admin::default_admin_sudo_cmnds' option to allow users to easily
change the default sudo-accessible commands from Hiera.
- Ensure that the global filebucket setting occurs prior to class inclusion to
match the new Puppet 5 method of setting resource defaults.
* Tue Jul 17 2018 Nick Miller <[email protected]> - 4.6.0-0
- Added tests and support for OEL and Puppet 5
- Setting the default filebucket in a module no longer works, so
``simp::enable_filebucketing`` will do nothing in puppet version >= 5
- Fixed some linting issues
* Wed Jun 20 2018 Trevor Vaughan <[email protected]> - 4.5.0-0
- Use the sudo::user_specification default host list which is correct for
almost all cases
- Update version range of auditd dependency in metadata.json
* Fri Jun 08 2018 Dylan Cochran <[email protected]> - 4.5.0-0
- Add Windows support
- Change /root perms to RPM default of 0550
- Change /etc/rc.d/rc.local perms to RPM default of 0755
* Thu May 03 2018 Liz Nemsick <[email protected]> - 4.5.0-0
- Created standalone SIMP client bootstrap script, bootstrap_simp_client.
- Created simp::server::kickstart::runpuppet replacement,
simp::server::kickstart::simp_client_bootstrap, that manages service
files for kickstarting a SIMP client, using bootstrap_simp_client
and either a sysv (simp_client_bootstrap) or a systemd
(simp_client_bootstrap.service) service script. This replacement
provides the following improvements:
- Exponential backoff of requests to the Puppet server, to minimize
Puppet server overload.
- Configurable bootstrap timeout.
- An option to force a client reboot on client bootstrap failure.
- More effective puppet agent processing. The bootstrapping
takes fewer puppet agent runs.
- Finer grained control of the bootstrap algorithm.
- Error handling
- Bootstrap operation errors are now detected and logged.
- Failed puppet agent runs are now retried, instead of blindly
continuing on.
- Timestamped log messages in the bootstrap log file. This includes
messages from bootstrap_simp_client, puppet agent, and fixfiles.
service start
- simp::server::kickstart::runpuppet is deprecated and will be removed
in a future release
* Fri Apr 27 2018 Nick Miller <[email protected]> - 4.5.0-0
- Add simp::netconsole class to manage the netconsole kernel feature
- Fix a few puppet-lint warnings
* Fri Apr 27 2018 Liz Nemsick <[email protected]> - 4.5.0-0
- Set permissions of /etc/rc.d/rc.local to 0750, instead of 0770,
* Mon Apr 23 2018 Jeanne Greulich <[email protected]> - 4.5.0-0
- simp_options::selinux was supposed to determine if the selinux module was
included. However, this value was getting overridden by the class lists
which independently included the selinux module. This change removes the
unused simp_options::selinux setting to eliminate the confusion. See the
scenario maps in the data section to see what scenarios include the selinux
module. See the selinux module to see how to use puppet to enable/disable
selinux. This may change the defaults for selinux in the `simp_lite`
scenario.
* Tue Apr 17 2018 Trevor Vaughan <[email protected]> - 4.5.0-0
- Narrow the focus of the internal hieradata to ensure correct runs on
unsupported OSs
- Update unsupported OS tests
- Add a test to ensure that an error is thrown if an invalid scenario is
specified
* Mon Apr 16 2018 Liz Nemsick <[email protected]> - 4.5.0-0
- In the runpuppet init script used to bootstrap kickstarted clients,
for EL7, persist the hostname retrieved by DHCP as a static hostname.
This prevents problems that can arise on EL7 when the DHCP lease
expires in the middle of the client bootstrap puppet runs.
* Mon Apr 02 2018 Jeanne Greulich <[email protected]> - 4.5.0-0
- changed permission on ctrl-alt-del-capture.service to prevent "no effect"
errors in system logs.
* Thu Mar 29 2018 Trevor Vaughan <[email protected]> - 4.4.1-0
- Ensure that a file exists on EL 6 if portreserve is enabled so that the
portreserve service does not flap
* Tue Mar 27 2018 Liz Nemsick <[email protected]> - 4.4.0-0
- In simp::prelink, ensure prelinking is disabled when the server is
in FIPS mode, as FIPS is incompatible with prelinking.
* Fri Mar 16 2018 Jeanne Greulich <[email protected]> - 4.4.0-0
- Updated metadata.json to include trlinkin/nsswitch
* Wed Mar 14 2018 Nick Miller <[email protected]> - 4.4.0-0
- Fixed a bug where if the `puppet_settings` fact did not exist, users in the
`%administrators` group could `rm -rf` any path
- The value in the hash was also corrected to
`$facts['puppet_settings']['main']['ssldir']`
* Fri Mar 09 2018 Liz Nemsick <[email protected]> - 4.4.0-0
- Set the ownership and permissions of puppet/puppetdb.conf in
simp::puppetdb, instead of allowing them to be set to those of
the process running puppet, if the file needs to be created.
This is part of the fix to the failure of SIMP to bootstrap on a
system on which root's umask has already been restricted to 077.
* Mon Feb 26 2018 Trevor Vaughan <[email protected]> - 4.4.0-0
- Remove management of the 'root' user's groups in the User resource
- Works around https://tickets.puppetlabs.com/browse/PUP-8470
* Mon Feb 12 2018 Liz Nemsick <[email protected]> - 4.4.0-0
- Remove non-working mcollective remnants
- Remove unnecessary dependency on puppetlabs/inifile.
* Mon Jan 22 2018 Nick Miller <[email protected]> - 4.4.0-0
- When the host is a member of an IPA domain, do not include the
`simp_openldap::client` class.
- Update upper bound for concat dependency
* Tue Jan 16 2018 Liz Nemsick <[email protected]> - 4.4.0-0
- Add simp::prelink to the class lists for both the SIMP server and
SIMP clients. By default, simp::prelink ensures any prelinking has
been removed and that the prelink package is not installed. This
satisfies the SCAP Security Guide's OVAL check
xccdf_org.ssgproject.content_rule_disable_prelink.
* Mon Nov 18 2017 Liz Nemsick <[email protected]> - 4.3.0-0
- In simp::sysctl, add parameters for net.ipv6.conf.all.accept_source_route
and net.ipv6.conf.default.accept_source_route and set them to 0 by
default. This satisfies STIG CCI-0000366.
- Small test fixes to allow acceptance tests to run on servers in FIPS mode
* Thu Oct 19 2017 Chris Tessmer <[email protected]> - 4.2.2-0
- Lowered default value of parameter simp::sssd::client::min_id to 500
* Fri Oct 06 2017 Trevor Vaughan <[email protected]> - 4.2.1-0
- Added simp/timezone to the module dependency list
* Wed Oct 04 2017 Chris Tessmer <[email protected]> - 4.2.0-0
- Fail compilation for a subset of SIMP capabilities, if they are
used on unsupported operating systems.
* Wed Oct 04 2017 Trevor Vaughan <[email protected]> - 4.2.0-0
- Add an acceptance test for the 'poss' scenario using Oracle EL6
* Wed Aug 23 2017 Dylan Cochran <[email protected]> - 4.1.1-0
- change simp::server::classes's lookup_options to be 'unique'
* Fri Aug 18 2017 Liz Nemsick <[email protected]> - 4.1.1-0
- Update concat version in metadata.json
- Add concat dependency to build/rpm_metadata/requires
* Thu Aug 17 2017 Liz Nemsick <[email protected]> - 4.1.1-0
- Add camptocamp/kmod to list of dependencies
* Mon Jul 31 2017 Jeanne Greulich <[email protected]> - 4.1.1-0
- call simp::nsswitch in simp and simp-lite scenario instead of just nsswitch
to set nsswitch according to simp_options instead of just the nsswitch defaults.
* Thu Jul 20 2017 Dylan Cochran <[email protected]> - 4.1.1-0
- Refactor classification lists to be RedHat specific to support other target
platforms
* Thu Jun 15 2017 Nick Miller <[email protected]> - 4.1.0-0
- simp::yum::internet_simp* repos now use facts in Yum repo baseurls in place
of yum macros, whose output is not reliable.
* Fri Jun 09 2017 Nick Markowski <[email protected]> - 4.1.0-0
- Due to lack of support for knockout_prefix for arrays in older versions
of Puppet, simp::knockout functionality has been moved to
simplib::knockout because multiple modules are using the function.
- A wrapper has been put around simp::knockout for backwards-compatibility
in our code.
- Update puppet requirement in metadata.json
* Tue May 30 2017 Trevor Vaughan <[email protected]> - 4.1.0-0
- Updated the simp::kmod_blacklist class to also fully disable the module
loading
- Provide the ability to override the disabled modules locally on the system by
default but also allow for enforcement
- Provide the ability to lock module loading if the underlying OS has the
capability
* Wed May 10 2017 Nick Markowski <[email protected]> - 4.1.0-0
- Added a 'remote_access' scenario
* Mon May 09 2017 Dylan Cochran <[email protected]> - 4.1.0-0
- Use the correct simp_options global catalyst for base_apps::ensure
* Mon Apr 17 2017 Nick Miller <[email protected]> - 4.1.0-0
- Set the polkit administrator group
- Merged base_services into base_apps, leaving a shim in base_services
* Thu Apr 06 2017 Nick Markowski <[email protected]> - 4.0.0-0
- Updated apache rsync hosts_allow to $trusted_nets. The previous value
of 127.0.0.1 would not allow apache to rsync if stunnel was disabled.
* Mon Apr 03 2017 Trevor Vaughan <[email protected]> - 4.0.0-0
- Updated the YUM configuration so that no repos are set up by default and it
is simple to connect to the public repos for SIMP.
- Yum repos are now individual profiles that can be included a la carte
* Wed Mar 29 2017 Dylan Cochran <[email protected]> - 4.0.0-0
- Fixed the confusion with the 'classes' global Array
- Added support for a 'simp::classes' Array with a knockout prefix of '--'
- Moved scenarios into data in modules
* Thu Mar 23 2017 Jeanne Greulich <[email protected]> - 3.1.0-0
- move fips from base scenario to simp scenario
- made the inclusion of fips module not depend on simp_options::fips setting
- it is included because it used to turn fips on and off.
* Wed Mar 01 2017 Trevor Vaughan <[email protected]> - 3.1.0-0
- Added the new Grafana GPG key to the list and retained the old one until they
re-sign their old packages.
- Add the basic SIMP scenarios to the module
  - simp -> full SIMP profile
  - simp_lite -> SIMP with the more aggressive parts removed
  - poss -> only connect to the puppet server
* Fri Feb 24 2017 Nick Miller <[email protected]> - 3.0.1-0
- Moved runpuppet template to its own class so the runpuppet script
can be managed independently from the simp::server::kickstart class
* Fri Feb 17 2017 Nick Miller <[email protected]> - 3.0.0-0
- Refine list of GPG keys used by simp::yum::server
* Tue Feb 14 2017 Trevor Vaughan <[email protected]> - 3.0.0-0
- Ensure that the filebucket is appropriately set for both local and remote use
* Mon Feb 06 2017 Nick Markowski <[email protected]> - 3.0.0-0
- Modified rsync stunnel logic to add a connection to the rsync server
only if the machine is *not* the rsync server.
* Wed Jan 18 2017 Nick Miller <[email protected]> - 3.0.0-0
- Removing including of simp::server::* classes from the simp::server
class in favor of including them in the class list in hiera.
- Removed any dangling references or dependencies on ganglia or snmpd
- Rearranged logic in sysctl and removed the ipv6 catalyst. ipv6 will now be
unmanaged by default.
- Beefed up simp::server class to include more default classes
- Made $rsync_stunnel enabled by default
* Thu Jan 05 2017 Trevor Vaughan <[email protected]> - 3.0.0-0
- Added a 'simp::ctrl_alt_del' class for managing the behavior of giving a
system the three finger death punch
* Mon Dec 05 2016 Nick Miller <[email protected]> - 2.0.1-0
- Added simp::kmod_blacklist profile to manage the kernel blacklist using puppet-kmod
- config migrated from simplib
* Thu Dec 02 2016 Nick Markowski <[email protected]> - 2.0.1-0
- Removed pupmod-simp-sysctl in favor of augeas-sysctl
* Thu Nov 29 2016 Nicholas Hughes, Nick Markowski <[email protected]> - 2.0.0-0
- Introduced rsyslog rule orders so messages hit 'stop' rules before they
reach 'catch-alls'. By doing so, log duplication is prevented.
- Modified the spooler log local rule to ensure both uucp and news
facilities are logged in spooler.log.
* Wed Nov 23 2016 Jeanne Greulich <[email protected]> - 2.0.0-0
- update requirement versions
* Mon Nov 21 2016 Chris Tessmer <[email protected]> - 2.0.0-0
- Remove compliance map and General housekeeping
* Wed Nov 16 2016 Liz Nemsick <[email protected]> - 2.0.0-0
- Updated iptables dependency version
- Updated openldap dependency version
* Tue Oct 25 2016 Nick Markowski <[email protected]> - 2.0.0-0
- Added logic to ensure simp::puppetdb manages the puppetserver service via
pupmod::master::base, NOT puppetdb::master::config.
- Included the puppetdb::master::config class.
- Updated spec.
* Wed Oct 12 2016 Trevor Vaughan <[email protected]> - 2.0.0-0
- Updated to support Puppet 4 with the latest Puppet Server and PuppetDB
- Foundation for SIMP 6
- Will *not* work with any Puppet < 4
* Mon Oct 10 2016 Nick Markowski <[email protected]> - 1.2.10-0
- Ensured netlabel_tools is installed.
* Mon Oct 3 2016 Ralph Wright <[email protected]> - 1.2.9-0
- Added Elasticsearch and Grafana Keys to yum config
* Thu Sep 29 2016 Chris Tessmer <[email protected]> - 1.2.8-0
- Fixed beaker reference in Gemfile.
* Tue Aug 09 2016 Nick Markowski <[email protected]> - 1.2.7-0
- Fixed an invalid data type in simp::nfs::export_home.
* Tue Aug 02 2016 Trevor Vaughan <[email protected]> - 1.2.6-0
- Update to the new naming convention
* Wed Jul 20 2016 Nick Markowski <[email protected]> - 1.2.5-0
- Migrated create_home_dirs from nfs.
- Modified create_home_dirs to use ruby-net-ldap.
* Wed Jul 13 2016 Nick Miller <[email protected]> - 1.2.4-0
- Yum repos now default to https with sslverify=false
* Mon Jul 11 2016 Trevor Vaughan <[email protected]> - 1.2.3-0
- Migration to semantic versioning and fix of the build system
* Sat May 14 2016 Trevor Vaughan <[email protected]> - 1.2.2-0
- Spec test fixes
* Wed May 11 2016 Nick Markowski <[email protected]> - 1.2.2-0
- Added a hook to control SSLVerifyClient in ks.conf. Defaults
to 'optional'.
* Wed Apr 13 2016 Kendall Moore <[email protected]> - 1.2.1-0
- Svckill now ignores quotaon and messagebus in RHEL/CentOS 7
* Mon Mar 14 2016 Trevor Vaughan <[email protected]> - 1.2.0-0
- Moved to Semantic Versioning 2.0
- Ensure that SSSD is used for systems EL6.7+
- Removed RPM dependency on simp-bootstrap as it is not technically required.
- Test against Puppet 4.3.2
* Tue Mar 08 2016 Nick Markowski <[email protected]> - 1.1.0-9
- Updated a bad default for nfs_server in the home_client class, which
otherwise had the potential to render a nil server value, and
break automounting.
* Wed Feb 24 2016 Nick Markowski <[email protected]> - 1.1.0-8
- Updated the mcollective stock class and added appropriate spec and unit
testing for full functionality test coverage.
* Fri Feb 19 2016 Ralph Wright <[email protected]> - 1.1.0-8
- Added compliance function support
* Mon Dec 28 2015 Trevor Vaughan <[email protected]> - 1.1.0-7
- Updated minor logic in simp::yum for flexibility.
* Thu Dec 24 2015 Trevor Vaughan <[email protected]> - 1.1.0-6
- Add management for the paths that the simp helper commands expect. This is
particularly relevant when not installing via RPM
* Thu Nov 12 2015 Trevor Vaughan <[email protected]> - 1.1.0-5
- Now use the 'operatingsystem*' facts instead of the 'lsb*' facts
- Updated to require 'simplib' and 'simpcat' instead of 'common', 'functions', and 'concat'
- Ensure that sssd is used by EL >= 7 due to fatal bugs in nscd and nslcd on these platforms.
* Fri Oct 16 2015 Nick Markowski <[email protected]> - 1.1.0-4
- Modified stock puppetdb class defaults to conform with upgraded
puppetdb module.
* Fri Sep 18 2015 Kendall Moore <[email protected]> - 1.1.0-3
- Set the keylength to 2048 in puppet.conf during the execution of runpuppet
if FIPS is enabled.
* Thu Sep 10 2015 Nick Markowski <[email protected]> - 1.1.0-2
- In runpuppet, run fixfiles before the final passes if selinux is enabled.
- Selbool use_nfs_home_dirs set to 1 if remote nfs server used for
home directories.
* Fri Jul 31 2015 Kendall Moore <[email protected]> - 1.1.0-1
- Added support for the updated rsyslog module.
* Thu Apr 02 2015 Trevor Vaughan <[email protected]> - 1.1.0-0
- Added PuppetDB support
* Thu Apr 02 2015 Nick Markowski <[email protected]> - 1.0.0-7
- Modified runpuppet script to ensure the puppetserver service is running
before puppet runs.
* Thu Feb 19 2015 Trevor Vaughan <[email protected]> - 1.0.0-6
- Migrated to the new 'simp' environment.
* Wed Jan 14 2015 Nick Markowski <[email protected]> - 1.0.0-6
- Re-created the MCollective stock class, now with SSL fully enabled.
* Tue Nov 25 2014 Trevor Vaughan <[email protected]> - 1.0.0-5
- Updated the default GPG key list.
- Updated the rsyslog stock classes to remove stunnel support and,
instead, take advantage of the native TLS support in rsyslog.
- NOTE: This requires changing the global 'log_server' variable in
Hiera to a 'log_servers' Array which is done in the %post section of
this RPM.
* Thu Nov 06 2014 Chris Tessmer <[email protected]> - 1.0.0-5
- Removed sssd::conf as it is no longer needed and causes duplicate
concat_fragment error
* Fri Oct 31 2014 Trevor Vaughan <[email protected]> - 1.0.0-4
- Moved the mcollective IPTables and package material into the main
SIMP module.
- Update to account for the stunnel module updates in 4.2.0-0
* Fri Sep 19 2014 Trevor Vaughan <[email protected]> - 1.0.0-3
- Updated the nfs::home_client class to properly account for the port
setting in the mounts.
* Tue Aug 19 2014 Nick Markowski <[email protected]> - 1.0.0-2
- Differentiated the rsync module paths between 4.X and 5.X distributions.
4.X should not include the distribution and release in the path.
* Mon Aug 18 2014 Kendall Moore <[email protected]> - 1.0.0-2
- Updated the digest_algorithm in the runpuppet script to be SHA-256.
* Fri Aug 08 2014 Trevor Vaughan <[email protected]> - 1.0.0-1
- Ensure that runpuppet returns '1' when queried for status so that
svckill doesn't continually attempt to disable it.
* Fri Jul 25 2014 Nick Markowski <[email protected]> - 1.0.0-0
- Ensured /srv/www/yum/SIMP is created if SIMP version < 5.
* Mon Jul 21 2014 Trevor Vaughan <[email protected]> - 1.0.0-0
- /var/nfs is used for NFS in SIMP>=5 and /srv/nfs otherwise
- Updated yum and kickstart to use /var/www if SIMP>=5 and /srv/www
otherwise
* Mon Jul 21 2014 Trevor Vaughan <[email protected]> - 0.0.1-4
- Updated to use the new rsync path.
* Tue Jul 15 2014 Trevor Vaughan <[email protected]> - 0.0.1-4
- Updated to support the RHEL7 repo GPG keys.
* Tue Jul 15 2014 Kendall Moore <[email protected]> - 0.0.1-4
- Added CentOS as a supported OS as a part of CentOS 7 upgrade.
* Thu Jun 19 2014 Trevor Vaughan <[email protected]> - 0.0.1-3
- Separated out the RHEL6/7 package requirements appropriately.
* Thu Jun 12 2014 Nick Markowski <[email protected]> - 0.0.1-2
- Ntp servers can be passed to kickstart as an array of server names
or a hash of server => 'option' pairs.
* Fri May 16 2014 Kendall Moore <[email protected]> - 0.0.1-1
- Added stock classes for FreeRADIUS
- Added stock classes for Ganglia
- Added stock classes for RSyslog
- Added stock classes for krb5
- Added stock classes for MRepo
- Added stock classes for SNMP
* Tue May 13 2014 Trevor Vaughan <[email protected]> - 0.0.1-1
- Added a quiet_puppet variable to runpuppet for the cert download
segment.
* Mon May 05 2014 Kendall Moore <[email protected]> - 0.0.1-0
- Added stock classes for NFS home directories.
* Fri Mar 21 2014 Trevor Vaughan <[email protected]> - 0.0.1-0
- Initial Release
- Ported all materials from the old default_classes directory.
- Incorporated several parts of sec and common as appropriate to the
separation of duties.