SIMP 5.2.0-0¶
This release is known to work with:
- RHEL 7.2 x86_64
- CentOS 7.0 1511 x86_64
This update is backwards-compatible for the SIMP core functionality, but contains breaking changes in some of the optional modules.
Please read this CHANGELOG thoroughly if you are using the following components:
- NFS
- KRB5
- MCollective
- ELK
SIMP 6 is Coming¶
Due to Puppet 3.X going EOL in December of 2016, the SIMP stack will be releasing SIMP 6 as the next major release. Among major changes:
- SIMP 6 will use Puppet 4, which is distributed as a single RPM by the Puppet all-in-one (AIO) installer.
- Starting with 6.0.0, the SIMP numbering scheme will follow Semantic Versioning 2.0.0.
- SIMP 6.0.0 and later will support all operating systems under that numbering scheme henceforth.
Manual Changes Required for Pre-5.1.0 Upgrades¶
Note
This only affects you if you did not have a separate partition for `/tmp`!
- There were issues in the `secure_mountpoints` class that caused `/tmp` and `/var/tmp` to be mounted against the root filesystem. While the new code addresses this, it cannot determine if your system has been modified incorrectly in the past.
- To fix the issue, you need to do the following:
  - Unmount `/var/tmp` (may take multiple unmounts)
  - Unmount `/tmp` (may take multiple unmounts)
  - Remove the `'bind'` entries for `/tmp` and `/var/tmp` from `/etc/fstab`
  - Run `puppet` with the new code in place
  - Unmount
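The manual steps above, as an added helper script written for this page (it is not part of the SIMP release, the `secure_mountpoints` class, or any SIMP module). It lists the `bind` entries for `/tmp` and `/var/tmp` that have to go from `/etc/fstab`, and unmounts a path repeatedly until it is no longer a mount point, which is why the steps say "may take multiple unmounts". The script names and the `report`/`unmount` arguments are assumptions; the fstab file and mount commands are the standard ones on EL7.

```shell
#!/bin/sh
# Added example, not from the SIMP release notes or the secure_mountpoints class.
# Helps with the pre-5.1.0 /tmp bind-mount cleanup: find the offending fstab
# entries and unmount stacked bind mounts fully.

# Print each fstab line that bind-mounts /tmp or /var/tmp.
# $1 = path to the fstab file (defaults to /etc/fstab, overridable for testing)
find_tmp_bind_entries() {
    fstab="${1:-/etc/fstab}"
    # fstab fields: device mountpoint fstype options dump pass.
    # Skip comments and blank lines; match "bind" or "rbind" anywhere in the options.
    awk '$0 !~ /^[[:space:]]*(#|$)/ && ($2 == "/tmp" || $2 == "/var/tmp") && $4 ~ /(^|,)r?bind(,|$)/' "$fstab"
}

# Unmount a mount point until nothing is mounted there any more. Stacked bind
# mounts need one umount per layer, hence the loop. Requires root.
# $1 = mount point, $2 = maximum attempts (defaults to 10)
unmount_fully() {
    target="$1"; max="${2:-10}"; n=0
    while mountpoint -q "$target"; do
        n=$((n + 1))
        [ "$n" -le "$max" ] || { echo "giving up on $target after $max unmounts" >&2; return 1; }
        umount "$target" || return 1
    done
    return 0
}

# Usage (assumed file name): sh fix_tmp_mounts.sh report   -> list offending fstab entries
#                            sh fix_tmp_mounts.sh unmount  -> unmount /var/tmp, then /tmp
case "${1:-}" in
    report)  find_tmp_bind_entries ;;
    unmount) unmount_fully /var/tmp && unmount_fully /tmp ;;
esac
```

Run `report` first and remove the printed lines from `/etc/fstab` before running `unmount`; otherwise the next boot (or the old Puppet code) simply re-creates the bind mounts. After `unmount` succeeds, run `puppet` with the new code in place as the steps above say.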
SSSD¶
Warning
SSSD enforces password strength at login time! This means that, should you have old passwords that do not meet the present password policy on the host, you will not be able to authenticate with your old password!
Deprecations¶
- The `simp-sysctl` module will be deprecated in the `6.0.0` release of SIMP. Current users should migrate to using the `augeasproviders_sysctl` module provided with SIMP going forward.
Breaking Changes¶
NFS¶
NFS now supports full integration with Kerberos via the SIMP KRB5 module, or an external KRB5 resource of your choice.
Please take time to look at the updated NFS profile code in the simp puppet module as well as the new acceptance tests for the NFS puppet module for a full understanding of the new features.
Note
The system should not enable the KRB5 and Stunnel options simultaneously
Warning
Bugs discovered during acceptance testing found long standing issues in the NFS module that required API breaking changes to remedy. Please carefully validate your use of the NFS module as well as your Hiera data.
KRB5¶
The KRB5 module has been completely rewritten to support the entire KRB5 stack, including setting up a KDC and auto-creating and distributing keytabs to all nodes that are known via keydist. Please see the krb5 module documentation and the HOWTO Enable Kerberos HOWTO for details.
MCollective¶
The MCollective module has been updated from the upstream repositories and the `simp::mcollective` profile has been updated, per new acceptance tests, to ensure that MCollective works out of the box. Very little input is now required to add MCollective to your environment. All usernames and passwords are randomly generated and you will need to pull the usage passwords out of the system for your users to be able to connect to ActiveMQ and send commands. The simp mcollective acceptance test provides an excellent full stack example of using the new module.
See `simp passgen --help` for usage information.
ELK¶
The Elasticsearch, Logstash, and Kibana components have been updated to support Elasticsearch and Logstash 2.3. Kibana has been replaced by Grafana for inbuilt LDAP and multi-tenant support.
Please see the new Elasticsearch, Logstash, and Grafana documentation for usage information.
Significant Updates¶
HAVEGED Installed by Default¶
Particularly affecting Virtual Machines, the volume of cryptographic operations that the SIMP system performs by default was causing system entropy to run low on a regular basis. To fix this, we have incorporated the HArdware Volatile Entropy Gathering and Expansion Daemon. The haveged process will use a hardware RNG if one is present, so hardware-generated entropy is not put at risk. We understand that any PRNG system will not affect true cryptographic entropy. Please read the document linked above and see the online discussion around the suitability of HAVEGED if you have concerns.
Note
There is also now a new global catalyst `use_haveged` which is enabled by default on SIMP systems. If you set this to `false` in Hiera, HAVEGED will be disabled on your system(s).
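Whether you keep `use_haveged` enabled or turn it off, the thing worth checking on a VM is the kernel entropy pool itself. The script below is an added example written for this page, not code from the SIMP haveged module or the release; the 1000-bit watermark is an assumed, illustrative threshold, and `/proc/sys/kernel/random/entropy_avail` and `systemctl is-active haveged` are the standard kernel and EL7 systemd interfaces.

```shell
#!/bin/sh
# Added example, not from the SIMP release notes or pupmod-simp-haveged.
# Report whether the kernel entropy pool is starved and whether haveged is running.

ENTROPY_AVAIL_FILE="${ENTROPY_AVAIL_FILE:-/proc/sys/kernel/random/entropy_avail}"
# Assumed watermark: below this many bits, blocking readers of /dev/random
# (and the crypto the release notes describe) will stall on a busy VM.
LOW_WATERMARK="${LOW_WATERMARK:-1000}"

# Print the available entropy in bits, digits only.
# $1 = file to read (defaults to the procfs entry; overridable for testing)
read_entropy_avail() {
    tr -dc '0-9' < "${1:-$ENTROPY_AVAIL_FILE}"
}

# Return 0 when the pool is at or above the watermark, 1 when it is low.
# $1 = file to read, $2 = watermark override
entropy_ok() {
    avail=$(read_entropy_avail "${1:-$ENTROPY_AVAIL_FILE}")
    [ -n "$avail" ] && [ "$avail" -ge "${2:-$LOW_WATERMARK}" ]
}

# Human-readable report: pool level plus haveged service state (systemd hosts only).
report_entropy() {
    file="${1:-$ENTROPY_AVAIL_FILE}"
    if entropy_ok "$file"; then state=ok; else state=LOW; fi
    echo "entropy_avail=$(read_entropy_avail "$file") ($state, watermark $LOW_WATERMARK)"
    if command -v systemctl >/dev/null 2>&1; then
        if systemctl is-active haveged >/dev/null 2>&1; then
            echo "haveged: active"
        else
            echo "haveged: not active"
        fi
    fi
}

# Usage (assumed file name): sh entropy_check.sh report
if [ "${1:-}" = "report" ]; then
    report_entropy
fi
```

A pool that sits near zero while haveged is active points at something else consuming entropy faster than it can be replenished; a pool that is low with haveged inactive on a host where `use_haveged` is still `true` means the catalyst is not being applied and the Puppet run should be inspected.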
ISO Auto-Boot is Now Disabled¶
You must now explicitly select an entry when booting the SIMP ISO. There were too many instances of the ISO being left mounted and performing a constant re-install loop without this change.
HTTPS Kickstarts¶
The system now encourages the use of HTTPS kickstarts by default to ensure that any potentially sensitive data is protected in transit.
Client validation is not configured in this case since the SIMP project does not dictate how you kickstart your system.
See the Configuring the Clients section of the SIMP User Guide for instructions.
UEFI Boot¶
The system now supports UEFI booting from the SIMP ISO. This provides better support for newer systems as well as the foundation for Trusted Boot.
Full Disk Encryption (FDE)¶
SIMP now provides Full Disk Encryption capabilities directly from the ISO build and within the supplied kickstart files. Please read the documentation on this capability as found in the Disk Encryption section of the SIMP Server Installation Guide.
Warning
The default FDE setup ensures that your systems will automatically boot without intervention. For better protection, please read the documentation referenced above so that you understand the ramifications of this behavior.
Puppet 4 Support¶
All of our modules have been tested against Puppet 4 and should work in a Puppet 4 system. SIMP will natively ship with Puppet 4 by the end of 2016.
IPSec Support via LibreSwan¶
A libreswan module has been added to provide IPSec support to SIMP. We are awaiting the advent of X.509-based opportunistic IPSec to have a fully automated integrated trust system. Presently, half of the connection needs to know about the remote systems for a successful IPSec connection.
Upgrade Guidance¶
Detailed upgrade guidance can be found in the HOWTO Upgrade SIMP portion of the SIMP User Guide.
Warning
You must have at least 2.4GB of free RAM on your system to upgrade to this release.
Note
Upgrading from releases older than 5.0 is not supported.
Security Announcements¶
CVEs Addressed¶
- CVE-2015-7331
  - Remote Code Execution in mcollective-puppet-agent plugin
- CVE-2016-2788
  - Improper validation of fields in MCollective pings
- CVE-2016-5696
  - `net/ipv4/tcp_input.c` in the Linux kernel before 4.7 does not properly determine the rate of challenge ACK segments, which makes it easier for man-in-the-middle attackers to hijack TCP sessions via a blind in-window attack.
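For CVE-2016-5696, the check a defender wants on an EL7 host is whether the interim sysctl hardening is in place until the patched kernel is installed. The script below is an added example written for this page, not code from the SIMP release or any of its modules. `net.ipv4.tcp_challenge_ack_limit` is the real kernel sysctl the CVE text refers to; the 1,000,000 threshold and the 2147483647 setting are assumptions based on the vendor guidance circulated at the time, and you should follow your own vendor's advisory.

```shell
#!/bin/sh
# Added example, not from the SIMP release notes. Checks the challenge-ACK
# rate limit that CVE-2016-5696 concerns and prints the interim sysctl setting.

CHALLENGE_ACK_FILE="${CHALLENGE_ACK_FILE:-/proc/sys/net/ipv4/tcp_challenge_ack_limit}"
# Unpatched kernels defaulted the limit to 100/s, which is what makes the side
# channel measurable. Assumed threshold for "effectively unlimited":
SAFE_LIMIT=1000000
# Assumed interim value (INT_MAX), as recommended in vendor guidance at the time.
INTERIM_VALUE=2147483647

# Print the current limit, digits only.
# $1 = file to read (defaults to the procfs entry; overridable for testing)
current_challenge_ack_limit() {
    tr -dc '0-9' < "${1:-$CHALLENGE_ACK_FILE}"
}

# Return 0 if the limit is at or above SAFE_LIMIT, 1 if it is still the low
# default, 2 if the sysctl is not present on this kernel (nothing to check).
challenge_ack_limit_hardened() {
    file="${1:-$CHALLENGE_ACK_FILE}"
    [ -e "$file" ] || { echo "sysctl not present; verify the kernel fix instead" >&2; return 2; }
    val=$(current_challenge_ack_limit "$file")
    [ -n "$val" ] && [ "$val" -ge "$SAFE_LIMIT" ]
}

# The line to drop into a file under /etc/sysctl.d/ (or to manage with the
# augeasproviders_sysctl module mentioned under Deprecations).
interim_sysctl_line() {
    echo "net.ipv4.tcp_challenge_ack_limit = $INTERIM_VALUE"
}

# Usage (assumed file name): sh challenge_ack_check.sh
if [ "${1:-}" = "check" ]; then
    if challenge_ack_limit_hardened; then
        echo "challenge ACK limit hardened ($(current_challenge_ack_limit))"
    else
        echo "challenge ACK limit low; interim setting: $(interim_sysctl_line)"
    fi
fi
```

This only tells you about the interim mitigation, not about patch state: EL7 vendors backported the upstream fix to 3.10-series kernels, so a host can be fully fixed while still reporting the old default here. Treat the sysctl as a stop-gap and the kernel update as the actual remediation.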
RPM Updates¶
Note
The naming convention for Puppet module packages was re-codified from pupmod-<module_name> to pupmod-<author>-<module_name>. This accounts for a large number of apparent deprecations and additions in this release’s RPM Updates list.
Package | Old Version | New Version |
---|---|---|
clamav | 0.99-2 | 0.99.2-1 |
clamav-data | 0.99-2 | 0.99.2-1 |
clamav-data-empty | 0.99-2 | 0.99.2-1 |
clamav-devel | 0.99-2 | 0.99.2-1 |
clamav-filesystem | 0.99-2 | 0.99.2-1 |
clamav-lib | 0.99-2 | 0.99.2-1 |
clamav-scanner | 0.99-2 | 0.99.2-1 |
clamav-scanner-systemd | 0.99-2 | 0.99.2-1 |
clamav-scanner-sysvinit | 0.99-2 | 0.99.2-1 |
clamav-server | 0.99-2 | 0.99.2-1 |
clamav-server-systemd | 0.99-2 | 0.99.2-1 |
clamav-server-sysvinit | 0.99-2 | 0.99.2-1 |
clamav-update | 0.99-2 | 0.99.2-1 |
elasticsearch [5] | N/A | 2.3.5-1 |
elasticsearch [noarch] | 1.3.2-1 | N/A |
es2unix | 1.6.1-0el7 | N/A |
etcd | 2.0.11-0.SIMP | N/A |
grafana | N/A | 3.1.1-1470047149 |
kibana | 3.1.0.SIMP-0 | N/A |
libevent | N/A | 2.0.21-4 |
libreswan | N/A | 3.15-5 |
logstash | 1.4.2-1_2c0f5a1 | 2.3.4-1 |
logstash-contrib | 1.4.2-1_efd53ef | N/A |
mcollective | 2.8.4-1 | 2.8.9-1 |
mcollective-client | 2.8.4-1 | 2.8.9-1 |
mcollective-common | 2.8.4-1 | 2.8.9-1 |
mcollective-puppet-agent | 1.10.0-1 | 1.11.1-1 |
mcollective-puppet-client | 1.10.0-1 | 1.11.1-1 |
mcollective-puppet-common | 1.10.0-1 | 1.11.1-1 |
pupmod-acpid | 0.0.1-1 | N/A |
pupmod-aide | 4.1.0-9 | N/A |
pupmod-apache | 4.1.1-0 | N/A |
pupmod-auditd | 5.0.0-4 | N/A |
pupmod-augeasproviders | 2.1.3-0 | N/A |
pupmod-augeasproviders_apache | 2.0.1-0 | N/A |
pupmod-augeasproviders_base | 2.0.1-0 | N/A |
pupmod-augeasproviders_core | 2.0.1-0 | N/A |
pupmod-augeasproviders_grub | 2.3.1-0 | N/A |
pupmod-augeasproviders_mounttab | 2.0.1-0 | N/A |
pupmod-augeasproviders_nagios | 2.0.1-0 | N/A |
pupmod-augeasproviders_pam | 2.0.1-0 | N/A |
pupmod-augeasproviders_postgresql | 2.0.1-0 | N/A |
pupmod-augeasproviders_puppet | 2.0.1-0 | N/A |
pupmod-augeasproviders_shellvar | 2.0.1-0 | N/A |
pupmod-augeasproviders_ssh | 2.5.0-0 | N/A |
pupmod-augeasproviders_sysctl | 2.1.0-0 | N/A |
pupmod-autofs | 4.1.1-0 | N/A |
pupmod-bfraser-grafana | N/A | 2.5.0-2016 |
pupmod-clamav | 4.1.0-8 | N/A |
pupmod-dhcp | 4.1.0-5 | N/A |
pupmod-elasticsearch-elasticsearch | N/A | 0.11.0-2016 |
pupmod-elasticsearch-logstash | N/A | 0.6.4-2016 |
pupmod-electrical-file_concat | N/A | 1.0.1-2016 |
pupmod-foreman | 0.1.0-1 | N/A |
pupmod-freeradius | 5.0.0-0 | N/A |
pupmod-ganglia | 5.0.0-0 | N/A |
pupmod-herculesteam-augeasproviders | N/A | 2.1.3-2016 |
pupmod-herculesteam-augeasproviders_apache | N/A | 2.0.1-2016 |
pupmod-herculesteam-augeasproviders_base | N/A | 2.0.1-2016 |
pupmod-herculesteam-augeasproviders_core | N/A | 2.1.1-2016 |
pupmod-herculesteam-augeasproviders_grub | N/A | 2.3.1-2016 |
pupmod-herculesteam-augeasproviders_mounttab | N/A | 2.0.1-2016 |
pupmod-herculesteam-augeasproviders_nagios | N/A | 2.0.1-2016 |
pupmod-herculesteam-augeasproviders_pam | N/A | 2.0.3-2016 |
pupmod-herculesteam-augeasproviders_postgresql | N/A | 2.0.3-2016 |
pupmod-herculesteam-augeasproviders_puppet | N/A | 2.0.2-2016 |
pupmod-herculesteam-augeasproviders_shellvar | N/A | 2.1.1-2016 |
pupmod-herculesteam-augeasproviders_ssh | N/A | 2.5.0-2016 |
pupmod-herculesteam-augeasproviders_sysctl | N/A | 2.1.0-2016 |
pupmod-iptables | 4.1.0-15 | N/A |
pupmod-libvirt | 4.1.0-17 | N/A |
pupmod-logrotate | 4.1.0-4 | N/A |
pupmod-mcafee | 4.1.0-2 | N/A |
pupmod-mozilla | 4.1.0-1 | N/A |
pupmod-named | 4.2.0-9 | N/A |
pupmod-network | 4.1.0-6 | N/A |
pupmod-nfs | 4.4.2-0 | N/A |
pupmod-nscd | 5.0.1-0 | N/A |
pupmod-ntpd | 4.1.0-10 | N/A |
pupmod-oddjob | 1.0.0-2 | N/A |
pupmod-onyxpoint-compliance_markup | 0.1.0-0 | N/A |
pupmod-onyxpoint-gpasswd | 1.0.0-1 | 1.0.0-2016 |
pupmod-openldap | 4.1.4-0 | N/A |
pupmod-openscap | 4.2.0-3 | N/A |
pupmod-pam | 4.2.1-0 | N/A |
pupmod-pki | 4.2.1-0 | N/A |
pupmod-polkit | 4.1.0-2 | N/A |
pupmod-postfix | 4.1.0-7 | N/A |
pupmod-pupmod | 6.0.0-24 | N/A |
pupmod-puppetlabs-apache | 1.0.1-2 | N/A |
pupmod-puppetlabs-inifile | 1.2.0-1 | 1.5.0-2016 |
pupmod-puppetlabs-java | 1.2.0-0 | 1.2.0-2016 |
pupmod-puppetlabs-java_ks | N/A | 1.4.0-2016 |
pupmod-puppetlabs-mysql | 2.2.3-1 | 2.2.3-2016 |
pupmod-puppetlabs-puppetdb | N/A | 5.0.0-2016 |
pupmod-puppetlabs-puppetlabs_apache | N/A | 1.0.1-2016 |
pupmod-puppetlabs-stdlib | N/A | 4.9.0-2016 |
pupmod-richardc-datacat | 0.6.1-0 | 0.6.2-2016 |
pupmod-rsync | 4.2.0-5 | N/A |
pupmod-rsyslog | 5.1.0-0 | N/A |
pupmod-selinux | 1.0.0-5 | N/A |
pupmod-simp | 1.2.0-0 | N/A |
pupmod-simp-acpid | N/A | 0.0.2-2016 |
pupmod-simp-activemq | 3.0.0-0 | 3.0.0-2016 |
pupmod-simp-aide | N/A | 4.1.1-2016 |
pupmod-simp-apache | N/A | 4.1.5-2016 |
pupmod-simp-auditd | N/A | 5.0.4-2016 |
pupmod-simp-autofs | N/A | 4.1.2-2016 |
pupmod-simp-clamav | N/A | 4.1.1-2016 |
pupmod-simp-compliance_markup | N/A | 1.0.0-0 |
pupmod-simp-dhcp | N/A | 4.1.1-2016 |
pupmod-simp-elasticsearch | 2.0.0-3 | N/A |
pupmod-simp-foreman | N/A | 0.2.0-2016 |
pupmod-simp-freeradius | N/A | 5.0.2-2016 |
pupmod-simp-ganglia | N/A | 5.0.0-2016 |
pupmod-simp-haveged | N/A | 0.3.1-2016 |
pupmod-simp-iptables | N/A | 4.1.4-2016 |
pupmod-simp-jenkins | N/A | 4.1.0-2016 |
pupmod-simp-kibana | 3.0.1-5 | N/A |
pupmod-simp-krb5 | N/A | 5.0.6-2016 |
pupmod-simp-libreswan | N/A | 0.1.0-2016 |
pupmod-simp-libvirt | N/A | 4.1.1-2016 |
pupmod-simp-logrotate | N/A | 4.1.0-2016 |
pupmod-simp-logstash | 1.0.0-6 | N/A |
pupmod-simp-mcafee | N/A | 4.1.1-2016 |
pupmod-simp-mcollective | 2.3.1-0 | 2.3.2-2016 |
pupmod-simp-mozilla | N/A | 4.1.1-2016 |
pupmod-simp-named | N/A | 4.3.1-2016 |
pupmod-simp-network | N/A | 4.1.1-2016 |
pupmod-simp-nfs | N/A | 4.5.2-2016 |
pupmod-simp-nscd | N/A | 5.0.1-2016 |
pupmod-simp-ntpd | N/A | 4.1.0-2016 |
pupmod-simp-oddjob | N/A | 1.0.0-2016 |
pupmod-simp-openldap | N/A | 4.1.8-2016 |
pupmod-simp-openscap | N/A | 4.2.1-2016 |
pupmod-simp-pam | N/A | 4.2.5-2016 |
pupmod-simp-pki | N/A | 4.2.3-2016 |
pupmod-simp-polkit | N/A | 4.1.0-2016 |
pupmod-simp-postfix | N/A | 4.1.3-2016 |
pupmod-simp-postgresql | N/A | 4.1.0-2016 |
pupmod-simp-pupmod | N/A | 6.0.5-2016 |
pupmod-simp-rsync | N/A | 4.2.2-2016 |
pupmod-simp-rsyslog | N/A | 5.1.0-2016 |
pupmod-simp-selinux | N/A | 1.0.3-2016 |
pupmod-simp-simp | N/A | 1.2.7-2016 |
pupmod-simp-simp_elasticsearch | N/A | 3.0.1-2016 |
pupmod-simp-simp_grafana | N/A | 0.1.0-2016 |
pupmod-simp-simp_logstash | N/A | 2.0.0-2016 |
pupmod-simp-simpcat | N/A | 5.0.1-2016 |
pupmod-simp-simplib | N/A | 1.3.1-2016 |
pupmod-simp-site | N/A | 2.0.1-2016 |
pupmod-simp-snmpd | N/A | 4.1.0-2016 |
pupmod-simp-ssh | N/A | 4.1.10-2016 |
pupmod-simp-sssd | N/A | 4.1.3-2016 |
pupmod-simp-stunnel | N/A | 4.2.7-2016 |
pupmod-simp-sudo | N/A | 4.1.2-2016 |
pupmod-simp-sudosh | N/A | 4.1.1-2016 |
pupmod-simp-svckill | N/A | 1.1.3-2016 |
pupmod-simp-sysctl | N/A | 4.2.0-2016 |
pupmod-simp-tcpwrappers | N/A | 4.1.0-2016 |
pupmod-simp-tftpboot | N/A | 4.1.2-2016 |
pupmod-simp-tpm | N/A | 0.1.0-2016 |
pupmod-simp-upstart | N/A | 4.1.2-2016 |
pupmod-simp-vnc | N/A | 4.1.0-2016 |
pupmod-simp-vsftpd | N/A | 5.0.4-2016 |
pupmod-simp-windowmanager | N/A | 4.1.2-2016 |
pupmod-simp-xinetd | N/A | 2.1.0-2016 |
pupmod-simp-xwindows | N/A | 4.1.1-2016 |
pupmod-simpcat | 5.0.0-0 | N/A |
pupmod-simplib | 1.2.2-0 | N/A |
pupmod-site | 2.0.0-3 | N/A |
pupmod-snmpd | 4.1.0-5 | N/A |
pupmod-ssh | 4.1.2-0 | N/A |
pupmod-ssh-augeas-lenses | 4.1.2-0 | N/A |
pupmod-sssd | 4.1.2-0 | N/A |
pupmod-stunnel | 4.2.1-0 | N/A |
pupmod-sudo | 4.1.0-3 | N/A |
pupmod-sudosh | 4.1.0-4 | N/A |
pupmod-svckill | 1.1.0-0 | N/A |
pupmod-sysctl | 4.2.0-0 | N/A |
pupmod-tcpwrappers | 3.0.0-3 | N/A |
pupmod-tftpboot | 4.1.0-9 | N/A |
pupmod-tpm | 0.0.1-10 | N/A |
pupmod-upstart | 4.1.0-5 | N/A |
pupmod-vnc | 4.1.0-4 | N/A |
pupmod-vsftpd | 5.0.0-2 | N/A |
pupmod-windowmanager | 4.1.0-3 | N/A |
pupmod-xinetd | 2.1.0-5 | N/A |
pupmod-xwindows | 4.1.0-4 | N/A |
puppetlabs-java_ks | 1.4.0-0 | N/A |
puppetlabs-postgresql | 4.1.0-1.SIMP | N/A |
puppetlabs-puppetdb | 5.0.0-0 | N/A |
puppetlabs-stdlib | 4.9.0-0.SIMP | N/A |
rubygem-net-ldap | N/A | 0.6.1-2 |
rubygem-net-ldap-doc | N/A | 0.6.1-2 |
rubygem-simp-cli | 1.0.16-0 | 1.0.20-0 |
rubygem-simp-cli-doc | 1.0.16-0 | 1.0.20-0 |
simp | 5.1.0-3 | 5.2.0-0 |
simp-bootstrap | 5.2.1-4 | 5.3.2-0 |
simp-doc | N/A | 5.2.0-0 |
simp-utils | 5.0.0-8 | 5.0.1-1 |
unbound-libs | N/A | 1.4.20-26 |
RPM Deprecations¶
- pupmod-simp-kibana
- Replaced by pupmod-simp-simp_grafana (SIMP profile) and pupmod-bfraser-grafana (upstream component)
- pupmod-simp-elasticsearch
- Replaced by pupmod-simp-simp_elasticsearch (SIMP profile) and pupmod-elasticsearch-elasticsearch (upstream component)
- pupmod-simp-logstash
- Replaced by pupmod-simp-simp_logstash (SIMP profile) and pupmod-elasticsearch-logstash (upstream component)
Fixed Bugs¶
pupmod-simp-apache¶
- Fix `munge_httpd_networks` to work properly with Ruby >= 1.9
- Ensure that non-SIMP PKI certificates are copied recursively
- Add an explicit default deny to the `apache_limits()` function
pupmod-simp-auditd¶
- Fix the default audit locations for `wtmp` and `btmp` in the audit rules
- Ensure that audit file locations themselves can be dynamically audited
- Added an audit rule for `renameat` to comply with CCE-26651-0
pupmod-simp-freeradius¶
- Fixed scoping issues with variables
- Updated the code to work around incompatibilities with integers in class names
pupmod-simp-iptables¶
- Removed the custom type warning in IPTables when used with Puppet 4
- Fixed a regex rule in Ruby 1.8 (EL6) that caused some rules to be dropped silently
- Changed the default provider for iptables services to `'redhat'` because the Puppet default was not functional
pupmod-simp-named¶
- Created work-around for https://bugzilla.redhat.com/show_bug.cgi?id=1278082
- Added a named::install class and fixed the ordering across the board
pupmod-simp-nfs¶
- Several breaking changes were made
- Stunnel and KRB5 should not be used at the same time
- Removed the `create_home_dirs` cron job and migrated it to the pupmod-simp-simp module
pupmod-simp-openldap¶
- Fixed certificate location references in the `pam_ldap` configuration file
- Removed the dependency on the `ruby-ldap` package
- Ensure that `Exec[bootstrap_ldap]` is idempotent
- Ensure that TLS support can be toggled in the `openldap::client` class
pupmod-simp-pki¶
- Removed the custom type warning in `simp::pki` when used with Puppet 4
- Fixed permissions flapping in `pki_cert_sync`
pupmod-simp-pupmod¶
- Ensure that the `use_iptables` global catalyst is honored
- Limited the Java heap size used by the Puppetserver to not exceed 12G of RAM due to a bug in Trapperkeeper. This will be lifted once we move to Puppet 4.
pupmod-simp-rsync¶
- Changed the default provider for iptables services to ‘redhat’ because the Puppet default was not functional
- Ensure that the `client_nets` global catalyst is properly honored
pupmod-simp-simp¶
- Set `svckill` to ignore `quotaon` and `messagebus` by default
pupmod-simp-simpcat¶
- Ensure that the client `vardir` is used instead of the server variable
pupmod-simp-simplib¶
- Remove the custom type warnings from `ftpusers`, `reboot_notify`, and `script_umask`
- Fixed an `nsswitch` edge case that conflicted with `sssd`
- Added the `gdm_version` fact from the `xwindows` module
- Ensure that `tmpwatch` is installed on EL6 systems
pupmod-simp-sssd¶
- Ensure that the LDAP default certificates are set if using TLS and LDAP
pupmod-simp-stunnel¶
- Ensure that all global catalysts are disabled when appropriate
- The chroot'd PKI certificates were not ordered correctly against the `pki` module when in use
pupmod-simp-svckill¶
- Remove the custom type warnings from the custom type
- `svckill::ignore` should not include `svckill` by default
pupmod-simp-upstart¶
- Ensure that the `job.erb` file kept all hash keys ordered
simp-cli¶
- Ensure that `simp passgen` can use the correct path by default
- Fixed several issues in the `simp` command with command line parsing
New Features¶
pupmod-bfraser-grafana¶
- Initial import of the Grafana module into the SIMP ecosystem
pupmod-elasticsearch-elasticsearch¶
- Updated to the 0.11.0 version of the upstream module
pupmod-elasticsearch-logstash¶
- Updated to the 0.6.4 version of the upstream module
pupmod-puppetlabs-inifile¶
- Updated to the 1.5.0 upstream module
pupmod-richardc-datacat¶
- Update to version 0.6.2
pupmod-simp-simp_elasticsearch¶
- First release of the rewritten SIMP Elasticsearch component profile (to be used in conjunction with the pupmod-elasticsearch-elasticsearch module)
pupmod-simp-simp_grafana¶
- Initial release of the SIMP Grafana component profile (to be used in conjunction with the pupmod-bfraser-grafana module)
pupmod-simp-haveged¶
- First release of the SIMP HAVEGED module (which is a fork of the moding/haveged module)
pupmod-simp-krb5¶
- Full module update
- Supports auto-creation of KRB5 keytabs for all systems
- Added a native type `krb5kdc_auto_keytabs` to autogenerate keytabs from the SIMP resident PKI certificates
pupmod-simp-simp_logstash¶
- First release of the rewritten SIMP Logstash component profile (to be used in conjunction with the pupmod-elasticsearch-logstash module).
pupmod-simp-mcollective¶
- Our fork of the upstream MCollective module was updated to version 2.3.2
pupmod-simp-named¶
- Users can modify the chroot path in named-chroot.service
- Added a `named::install` class and fixed the ordering across the board
pupmod-simp-nfs¶
- Incorporated KRB5 support (optional)
- Fixed numerous logic errors and typos during acceptance testing
pupmod-simp-pam¶
- Added support for pam_tty_audit
pupmod-simp-selinux¶
- Ensure that `policycoreutils-python` is installed by default
pupmod-simp-simp¶
- Ensure that `SSLVerifyClient` can be controlled in `ks.conf`
- Use HTTPS YUM repos by default
- Added the `create_home_dirs` script that used to be in the `nfs` module
pupmod-simp-ssh¶
- Added haveged for entropy generation
- Ensure that `semanage` is used to handle non-standard ports
- Added an `openssh_version` fact
- Modified kex algorithm:
  - No longer set kex prior to openssh v 5.7
  - Curve25519 kex only set in openssh v 6.5+
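The two version gates above exist because `KexAlgorithms` only became an sshd option in OpenSSH 5.7 and `curve25519-sha256@libssh.org` only arrived in 6.5; setting either on an older daemon makes sshd refuse its config. The script below is an added example written for this page, not code from pupmod-simp-ssh: it shows the version comparison the `openssh_version` fact enables and which gate a given version falls under. The algorithm lists are illustrative assumptions, not the module's actual settings.

```shell
#!/bin/sh
# Added example, not from pupmod-simp-ssh. Reproduces the release note's version
# gate for KexAlgorithms; the algorithm lists are illustrative assumptions.

# Return 0 if dotted version $1 >= $2, comparing up to three numeric components.
# A portable-release suffix such as "p1" (as in 6.6.1p1) is stripped first.
version_ge() {
    a=$(printf '%s' "$1" | sed 's/p[0-9]*$//')
    b=$(printf '%s' "$2" | sed 's/p[0-9]*$//')
    oldIFS=$IFS; IFS=.
    set -- $a; a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
    set -- $b; b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
    IFS=$oldIFS
    [ "$a1" -ne "$b1" ] && { [ "$a1" -gt "$b1" ]; return; }
    [ "$a2" -ne "$b2" ] && { [ "$a2" -gt "$b2" ]; return; }
    [ "$a3" -ge "$b3" ]
}

# Print the sshd_config line for a given OpenSSH version, or return 1 (printing
# nothing) when the daemon is too old to understand KexAlgorithms at all.
# $1 = OpenSSH version string, e.g. "5.3", "6.4", "6.6.1p1", "7.4p1"
kex_algorithms_for() {
    v="$1"
    if ! version_ge "$v" 5.7; then
        return 1   # < 5.7: option unsupported, do not set it
    elif version_ge "$v" 6.5; then
        echo "KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256"
    else
        echo "KexAlgorithms diffie-hellman-group-exchange-sha256"   # 5.7 .. 6.4: no curve25519 yet
    fi
}

# Version of the locally installed OpenSSH, parsed from "ssh -V" (which writes to stderr).
local_openssh_version() {
    ssh -V 2>&1 | sed 's/^OpenSSH_\([0-9.]*p*[0-9]*\).*/\1/'
}

# Usage (assumed file name): sh kex_gate.sh local
if [ "${1:-}" = "local" ]; then
    kex_algorithms_for "$(local_openssh_version)" || echo "OpenSSH too old for KexAlgorithms"
fi
```

On EL6 (OpenSSH 5.3) the function returns 1 and prints nothing, which is exactly the "no longer set kex prior to 5.7" behaviour; on EL7 (OpenSSH 6.6.1 and later) it takes the curve25519 branch.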
pupmod-simp-windowmanager¶
- Ensure that the login banner works in EL7
- Add the ability to remove the login button in Gnome 3
pupmod-simp-xwindows¶
- Remove the `gdm_version` fact (to be placed in `simplib`)
simp-bootstrap¶
- Documented the `hostgroup` Hiera usage in the `hieradata/` directory
- Recommendation for SHA512 password hashes to be generated for `localusers`
- Added a `site_files/` directory in the `simp` environment that will be used for all generated files and is intended to be excluded from management by r10k or Code Manager. This may need to be moved again in SIMP 6.
simp-cli¶
- Removed the deprecated `simp check` command
simp-core¶
- Incorporated the ELG stack in the list of included modules
- Added `haveged` to the stack for persistent entropy
- Enable HTTPS kickstarts by default
- Fall back to unvalidated YUM HTTPS connections by default so that new systems do not have to be bootstrapped with a trusted CA certificate. Our packages are signed, so this should not be an issue.
simp-doc¶
- Full restructure of the documentation to be less confusing and more concise for new users.
DVD¶
- Disable ISO auto-boot
- Support UEFI Booting
- Ensure that FIPS can be disabled at initial build
- Provide an option for FDE directly from the ISO
Known Bugs¶
- If you are running libvirtd, when `svckill` runs it will always attempt to kill dnsmasq unless you are deliberately trying to run the dnsmasq service. This does not actually kill the service but is, instead, an error of the startup script and causes no damage to your system.