2.2. SIMP Community Edition (CE) 6.4.0-0
This release is known to work with:
- CentOS 6.10 x86_64
- CentOS 7.0 1810 x86_64
- OEL 6.10 x86_64
- OEL 7.6 x86_64
- RHEL 6.10 x86_64
- RHEL 7.6 x86_64
Warning
Local modules installed in the modules directory can get deleted during upgrade. Make sure you read the upgrade instructions carefully.
2.2.1. Breaking Changes
- Puppet 4 is no longer supported.
2.2.2. Significant Updates
The most significant change with SIMP 6.4.0 is a redesign of the packaging of SIMP RPMs, in order to support management of one or more Puppet environments.
The change allows SIMP users to easily use r10K or Code Manager to maintain these environments, even when their systems are on isolated networks.
Multiple environments are key to implementing standard DevOps workflows such as DTAP (Development > Testing > Acceptance > Production).
At the root of this change are the following major features:
- Puppet modules installed via SIMP-packaged RPMs are now imported into local, SIMP-managed Git repositories at `/usr/share/simp/git/puppet_modules`, in addition to being installed in `/usr/share/simp/modules`.
- No SIMP component RPM install/upgrade/erase operation will modify an active Puppet environment or SIMP secondary environment, `/var/simp/environments/simp`.
- SIMP’s CLI provides commands that help users create and maintain one or more SIMP Omni-Environments, each of which is comprised of the following:
  - A Puppet environment in `/etc/puppetlabs/code/environments`
  - A SIMP Secondary Environment in `/var/simp/environments`
  - A SIMP Writable Environment in `/opt/puppetlabs/server/data/puppetserver/simp/environments`
- The `simp-environment-skeleton` and `simp-rsync-skeleton` packages install a SIMP Omni-Environment skeleton at `/usr/share/simp/environment-skeleton`.
- Unless a `production` SIMP Omni-Environment already exists, `simp config` will create a `production` SIMP Omni-Environment from SIMP’s skeleton and local Git repositories.
2.2.2.1. Module RPM Installation
In SIMP 6 versions <= 6.3.3, when a SIMP Puppet module RPM was installed, its contents could also be automatically copied into the `simp` Puppet environment, the standard active Puppet environment for a SIMP server. This copy was performed by the `simp_rpm_helper` script of the `simp-adapter`.
In SIMP 6.4.0, the `simp_rpm_helper`’s behavior has been redesigned as shown in the following figure:
In lieu of auto-updating `/etc/puppetlabs/code/environments/simp`, the `simp_rpm_helper` now creates and maintains local Git repositories for Puppet modules installed via SIMP-packaged RPMs. This change allows SIMP users on isolated networks to manage one or more Puppet environments easily, using r10K or Code Manager. The use of r10K/Code Manager, in turn, provides Puppet module installation that aligns with current Puppet best practices.
2.2.2.2. Other SIMP Asset RPM Installation
The packaging of key non-module SIMP assets (previously named `simp-environment` and `simp-rsync`) has been redesigned to no longer modify directories actively being used by deployed Puppet environments. This change has several benefits:
- Asset RPM installs/upgrades/erases have no unintended consequences on active Puppet environments. These operations are completely safe! Previously, RPM erase operations could remove files or rename them (add ‘.rpmsave’ suffixes), even when they were actively being used by the ‘simp’ Puppet environment.
- Sample files will always be available. Previously, for any asset file that was locally modified, changes to that file during RPM upgrade were hidden. The user had to manually extract files from the RPM to view the changes.
In addition, the naming and dependency tree of these assets have been reworked:
- The `simp-environment` package has been split into `simp-environment-skeleton` and `simp-selinux-policy` packages.
- The `simp-rsync` package has been deprecated. Its replacement is named `simp-rsync-skeleton`.
- The asset RPMs no longer require specific versions of `puppet-agent` and `puppetserver` RPMs. Users now have more flexibility in the versions of Puppet artifacts they can use in their infrastructure.
2.2.2.3. SIMP CLI Enhancements
New commands have been added to the SIMP CLI in order to support Git-based module deploy. `simp puppetfile generate` has been added to generate two different flavors of a SIMP-specific Puppetfile. `simp environment new` and `simp environment fix` have been added to help users manage the SIMP omni environment.
In addition, `simp config` has been updated to allow users to opt-out of SIMP-provided LDAP capabilities.
2.2.2.4. Puppet 3 API Function Deprecations
In preparation for full Puppet 6 support, all SIMP-provided Puppet 3 API functions are officially deprecated and will be removed in the next SIMP release. The affected functions and their replacements, as appropriate, are listed in the sub-sections below.
In addition, SIMP deprecation warnings have been enabled by default. To disable SIMP deprecation warnings, set the environment variable `SIMP_NOLOG_DEPRECATIONS=true` on the Puppet server.
2.2.2.4.1. simp-compliance_markup Deprecated Functions
Puppet 3 API Function | Replacement | Replacement Source |
---|---|---|
compliance_map | compliance_markup::compliance_map | simp-compliance_markup >= 3.0.0 |
2.2.2.4.2. simp-simp_apache Deprecated Functions
Puppet 3 API Function | Replacement | Replacement Source |
---|---|---|
apache_auth | simp_apache::auth | simp-simp_apache >= 6.0.1 |
apache_limits | simp_apache::limits | simp-simp_apache >= 6.0.1 |
munge_httpd_networks | simp_apache::munge_httpd_networks | simp-simp_apache >= 6.0.1 |
2.2.2.4.3. simp-simplib Deprecated Functions
Important
Most but not all deprecated functions in the table below have replacements. If any deprecated function without a replacement is essential to you, please enter a feature request.
Puppet 3 API Function | Replacement | Replacement Source |
---|---|---|
array_include | Puppet language in or Puppet built-in any or all | Puppet >= 5.2.0 |
array_size | Puppet built-in length | Puppet >= 5.5.0 |
array_union | Puppet language + operator combined with Puppet built-in unique | Puppet >= 5.0.0 |
bracketize | simplib::bracketize | simp-simplib >= 3.15.0 |
generate_reboot_msg | None | N/A |
get_ports | None | N/A |
h2n | None | N/A |
host_is_me | simplib::host_is_me | simp-simplib >= 3.15.0 |
inspect | simplib::inspect | simp-simplib >= 3.3.0 |
ipaddresses | simplib::ipaddresses | simp-simplib >= 3.5.0 |
ip_is_me | simplib::host_is_me (checks hostnames and IP addresses) | simp-simplib >= 3.15.0 |
ip_to_cron | simplib::ip_to_cron | simp-simplib >= 3.5.0 |
join_mount_opts | simplib::join_mount_opts | simp-simplib >= 3.8.0 |
localuser | None | N/A |
mapval | None | N/A |
nets2cidr | simplib::nets2cidr | simp-simplib >= 3.7.0 |
nets2ddq | simplib::nets2ddq | simp-simplib >= 3.8.0 |
parse_hosts | simplib::parse_hosts | simp-simplib >= 3.5.0 |
passgen | simplib::passgen | simp-simplib >= 3.5.0 |
rand_cron | simplib::rand_cron | simp-simplib >= 3.5.0 |
simp_version | simplib::simp_version | simp-simplib >= 3.15.0 |
simplib_deprecation | simplib::deprecation | simp-simplib >= 3.5.0 |
slice_array | Puppet built-in slice | Puppet >= 4.0.0 |
strip_ports | simplib::strip_ports | simp-simplib >= 3.5.0 |
to_integer | Puppet built-in Integer or simplib::to_integer | Integer: Puppet >= 4.0.0; simplib::to_integer: simp-simplib >= 3.5.0 |
to_string | Puppet built-in String or simplib::to_string | String: Puppet >= 4.0.0; simplib::to_string: simp-simplib >= 3.5.0 |
validate_array_member | simplib::validate_array_member | simp-simplib >= 3.8.0 |
validate_array_of_hashes | Use a custom Puppet data type such as Array[Hash] | Puppet >= 4.0.0 |
validate_between | simplib::validate_between | simp-simplib >= 3.8.0 |
validate_bool_simp | Use Puppet Boolean data type or simplib::validate_bool | Puppet: >= 4.0.0; simp-simplib >= 3.8.0 |
validate_deep_hash | simplib::validate_deep_hash | simp-simplib >= 3.8.0 |
validate_float | Use Puppet Float data type or a check using is_float from puppetlabs-stdlib | Puppet: >= 4.0.0; is_float: puppetlabs-stdlib >= 2.2.0 |
validate_macaddress | Use Simplib::Macaddress data type | simp-simplib >= 3.7.0 |
validate_net_list | Use Simplib::Netlist data type or simplib::validate_net_list | simp-simplib >= 3.5.0 |
validate_port | Use Simplib::Port data type or simplib::validate_net_list | simp-simplib >= 3.5.0 |
validate_re_array | simplib::validate_re_array | simp-simplib >= 3.7.0 |
validate_sysctl_value | simplib::validate_sysctl_value | simp-simplib >= 3.7.0 |
validate_umask | Use Simplib::Umask data type | simp-simplib >= 3.7.0 |
validate_uri_list | simplib::validate_sysctl_value | simp-simplib >= 3.7.0 |
2.2.2.4.4. simp-ssh Deprecated Functions
Puppet 3 API Function | Replacement | Replacement Source |
---|---|---|
ssh_autokey | ssh::autokey | simp-ssh >= 6.2.0 |
ssh_global_known_hosts | ssh::global_known_hosts | simp-ssh >= 6.2.0 |
2.2.2.5. Other important changes for SIMP 6.4.0
- Non-breaking dependent module updates. SIMP updated as many dependent modules as possible. While many of these updates were major version bumps, the actual changes did not affect much of the SIMP infrastructure. The dependency version bumps did, however, require quite a few of the SIMP modules to update their respective `metadata.json` files. These metadata changes, in turn, required SIMP module version updates.
- Non-breaking use of new `Simplib::Cron::*` types. Many modules were converted to use the new `cron` types provided by `simp-simplib`. These changes allow more flexible `cron` scheduling.
- Puppet 6 support for many of the modules.
- Added v2 `compliance_markup` data to many of the modules.
- Increase in the minimum RAM requirement for a SIMP server. It is now 3.4G. See System Requirements for more information.
2.2.3. Security Announcements
None at this time.
2.2.4. RPM Updates
2.2.4.1. rubygem-simp-cli 5.0.1
- Added `simp puppetfile generate`, `simp environment new` and `simp environment fix` commands.
- Changed the environment created by `simp config` to be `production`, not `simp` linked to `production`. The link is not appropriate for sites that use r10K or Code Manager.
- Changed `simp config` to create a new `production` SIMP omni-environment from the new environment skeletons installed in `/usr/share/simp/environment-skeleton`. This new environment includes the Puppetfiles `simp config` used to deploy the modules into the environment.
- Reworked `simp config` queries to allow users to opt-out of SIMP-provided LDAP capabilities. Since this change affects the keys in the answers file, be sure to regenerate any answers files you routinely input to `simp config`.
- Added a `--force-config` option to `simp config` to minimize unexpected modification of an active Puppet environment. This option must be used when the user runs `simp config` and the `production` environment has already been populated with modules.
- Improved some documentation, logging, and validation in `simp config` and `simp bootstrap`.
2.2.4.2. simp-adapter 1.0.1
Beginning with `simp-adapter` 1.0.0, the (optional) auto-update to the `simp` Puppet environment has been replaced with creation/maintenance of a local Git repository for each Puppet module that SIMP packages as an RPM. The `simp-adapter`’s `simp_rpm_helper` now ensures that each Puppet module is imported from its RPM installation location, `/usr/share/simp/modules/<module name>`, into a local, SIMP-managed Git repository, `/usr/share/simp/git/puppet_modules/<owner>-<module name>`. The name of the repository is the top-level `name` field from the module’s `metadata.json`.
The specific behavior of `simp_rpm_helper` during RPM operations is as follows:
- Upon module RPM install/upgrade/downgrade, the `simp_rpm_helper`:
  - Updates the master branch of the repository to be the contents of the RPM, excluding any empty directories.
  - Adds a Git tag to the repository that matches the version number in the module’s `metadata.json` file, as necessary. If the tag for the version already exists but doesn’t match the contents of the RPM, `simp_rpm_helper` will overwrite the tag with the correct content.
- Upon module RPM erase, the `simp_rpm_helper` does NOT remove the local module Git repo, but leaves it intact, in case it is still being used by r10K or Code Manager for an active Puppet environment.
In addition to the change in `simp_rpm_helper` behavior, `simp-adapter` 1.0.1 has three other significant packaging changes:
- It no longer has dependencies upon a specific version of `puppet-agent`, just a minimum version.
- It no longer has any dependency on the Puppet Enterprise or FOSS versions of `puppetserver`.
- Since it now works for both Puppet Enterprise and the FOSS editions of Puppet, `simp-adapter-pe` and `simp-adapter-foss` packages are no longer created.
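As an added example (not SIMP’s own `simp puppetfile generate` or `simp_rpm_helper` code), the following Python builds r10k-style Puppetfile entries from the layout described above: each module’s `metadata.json` supplies the repository name (`<owner>-<module name>`) and the version tag to pin against `/usr/share/simp/git/puppet_modules`. It assumes r10k’s `mod ... :git => ... :tag => ...` syntax and a constructed sample module tree; the paths themselves come from the release notes.

```python
import json
import os
import re
import tempfile

# Paths named in the release notes: RPM install location and local Git repos.
MODULES_DIR = "/usr/share/simp/modules"
GIT_ROOT = "/usr/share/simp/git/puppet_modules"

SEMVER = re.compile(r"^\d+\.\d+\.\d+$")
NAME_OK = re.compile(r"^[A-Za-z0-9_]+-[A-Za-z0-9_]+$")


def repo_name(metadata_name):
    """Local repository name, derived from the top-level "name" in metadata.json.

    Forge-style names may be written "owner/module" or "owner-module"; the
    on-disk repository is always "<owner>-<module name>".
    """
    name = str(metadata_name).strip().replace("/", "-")
    if not NAME_OK.match(name):
        raise ValueError(f"not an <owner>-<module> name: {metadata_name!r}")
    return name


def puppetfile_entry(metadata, git_root=GIT_ROOT):
    """One r10k `mod` entry, pinned to the version tag rather than a branch.

    Pinning to the tag that matches the RPM's version keeps the deploy
    reproducible; a floating branch would silently change on the next upgrade.
    (r10k syntax is an assumption of this example, not taken from the page.)
    """
    name = repo_name(metadata["name"])
    version = str(metadata.get("version", ""))
    if not SEMVER.match(version):
        raise ValueError(f"{name}: version {version!r} is not X.Y.Z")
    return (f"mod '{name}',\n"
            f"  :git => 'file://{git_root}/{name}',\n"
            f"  :tag => '{version}'")


def generate_puppetfile(modules_dir=MODULES_DIR, git_root=GIT_ROOT):
    """Scan <modules_dir>/<module>/metadata.json and build a Puppetfile.

    Returns (puppetfile_text, skipped); skipped lists directories whose
    metadata.json is missing or unusable. They are reported, never guessed.
    """
    entries, skipped = [], []
    for module in sorted(os.listdir(modules_dir)):
        path = os.path.join(modules_dir, module, "metadata.json")
        try:
            with open(path, encoding="utf-8") as fh:
                metadata = json.load(fh)
            entries.append(puppetfile_entry(metadata, git_root))
        except (OSError, ValueError, KeyError, TypeError) as exc:
            skipped.append((module, str(exc)))
    header = "# Generated from the local SIMP module Git repositories\n\n"
    return header + "\n\n".join(entries) + "\n", skipped


def build_sample_tree(root):
    """Constructed sample modules for demonstration (not real RPM contents)."""
    samples = {
        "simplib": {"name": "simp/simplib", "version": "3.15.0"},
        "ssh": {"name": "simp-ssh", "version": "6.2.0"},
        "broken": {"name": "simp-broken", "version": "latest"},  # bad version
    }
    for module, metadata in samples.items():
        os.makedirs(os.path.join(root, module), exist_ok=True)
        with open(os.path.join(root, module, "metadata.json"), "w",
                  encoding="utf-8") as fh:
            json.dump(metadata, fh)
    os.makedirs(os.path.join(root, "nometa"), exist_ok=True)  # no metadata.json


def demo():
    """Build the sample tree in a temp dir and generate its Puppetfile."""
    root = tempfile.mkdtemp(prefix="simp-modules-")
    build_sample_tree(root)
    return generate_puppetfile(root)


if __name__ == "__main__":
    text, skipped = demo()
    print(text)
    for module, reason in skipped:
        print(f"# skipped {module}: {reason}")
```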
2.2.4.3. Puppet RPMs
The following Puppet RPMs are packaged with the SIMP 6.4.0 ISOs:
Package | Version |
---|---|
puppet-agent | 5.5.14-1 |
puppet-client-tools | 1.2.6-1 |
puppetdb | 5.2.8-1 |
puppetdb-termini | 5.2.8-1 |
puppetserver | 5.3.8-1 |
2.2.5. Removed Modules
2.2.5.1. Elasticsearch-Logstash-Grafana (ELG) Modules
The following modules were removed because they are significantly out of date and, in some cases, only work with application versions that are no longer supported:
- pupmod-elastic-elasticsearch
- pupmod-elastic-logstash
- pupmod-puppet-grafana
- pupmod-simp-simp_elasticsearch
- pupmod-simp-simp_logstash
- pupmod-simp-simp_grafana
The corresponding RPM GPG keys were also removed from `simp-gpgkeys` and the SIMP ISOs:
- RPM-GPG-KEY-elasticsearch
- RPM-GPG-KEY-grafana
- RPM-GPG-KEY-grafana-legacy
2.2.5.2. pupmod-simp-dirtycow
This module only applies to an old version of CentOS/RHEL 7.
2.2.5.3. pupmod-simp-simpcat
This module is no longer necessary and uses the obsolete Puppet 3 function API. Within SIMP, all uses of this module have been replaced with uses of the `puppetlabs-concat` module.
2.2.5.4. pupmod-simp-site
This module skeleton is no longer useful. While it had been useful for some beginning users, the roles and profiles pattern is generally stable and should be used instead.
2.2.6. Fixed Bugs
2.2.6.1. pupmod-simp-auditd
- The `/etc/audit` directory is now managed in the same way as the `/etc/audit/rules.d` directory. Both will have the same permissions, ownership, and utilize purge and recurse.
- Fixed a bug in which `auditd` failed to start because the `space_left` configuration parameter was not ensured to always be larger than the `admin_space_left` configuration parameter.
- Fixed a bug in which `restorecon` was not explicitly audited in the STIG audit profile.
- Fixed a bug where trailing newlines may not be present on custom rule profiles, particularly with rules defined in an Array.
2.2.6.2. pupmod-simp-compliance_markup
- Fixed a bug in Array merging.
- Removed management of `simp::sssd::client::ldap_domain` from the mappings since use of LDAP is not guaranteed.
- Fixed a bug in the compliance report functionality that did not correctly record the percent compliant in each report summary.
- Fixed a bug in the call to `Hiera.warn` in the compliance mapper.
- Fixed a bug in compliance markup validation for Defined Types.
2.2.6.3. pupmod-simp-dconf
- Fixed an issue with duplicate resources when creating multiple `dconf::settings` resources under the same namespace.
2.2.6.4. pupmod-simp-deferred_resources
- Fixed an issue to allow users to set `absent` or `purged` when removing packages, working around a bug in the Puppet `package` provider on EL systems where `yum` is only used if you call `purged`.
2.2.6.5. pupmod-simp-gdm
- Fixed an issue where `gdm::settings` was not being applied to the system.
2.2.6.6. pupmod-simp-ima
- Fixed a bug in which the `ima_security_attr` fact was not properly confined to require the `cmdline` fact.
2.2.6.7. pupmod-simp-incron
- Fixed a bug in the `incrond_version` fact in which an error message was displayed during fact resolution on systems for which `incron` was not installed.
2.2.6.8. pupmod-simp-iptables
- Fixed a bug in which port ranges specified by `iptables::listen::tcp_stateful::dports` or `iptables::listen::udp::dports` could be erroneously split over multiple `iptables` rules.
2.2.6.9. pupmod-simp-libvirt
- Fixed a bug in which `vm_create` did not work with Puppet > 4.
2.2.6.10. pupmod-simp-network
- Fixed a bug in which `network::global` could break networking.
- Fixed a bug in which failures of `exec` operations during network-related activity were hidden.
2.2.6.11. pupmod-simp-ntpd
- Fixed minor typos in some templates.
2.2.6.12. pupmod-simp-pam
- Fixed a bug where the ending `faillock` items were not being called due to the `sufficient` lines on `pam_unix` and `pam_sssd`.
- Fixed a bug where `authsucc` was not set at the end of the `auth` section for `faillock`.
2.2.6.13. pupmod-simp-pupmod
- Added the missing `gem-path` setting to the `puppetserver.conf` template.
- Fixed ordering issues with managing the installation of Puppet Server.
- Fixed an issue preventing Puppet from running in environments other than `production`.
- Fixed a bug where the Java maximum memory size setting on the `puppetserver` command line, `-Xmx`, could be empty and prevent the process from starting. This happened when the user specified a fixed RAM size for `pupmod::master::sysconfig::java_max_memory`, instead of a percentage.
2.2.6.14. pupmod-simp-postfix
- Fixed an unrecognized escape error in `/root/.muttrc`.
2.2.6.15. pupmod-simp-rsync
- Fixed a template bug that prevented catalog compilation when `rsync::server::section::user_pass` was set.
2.2.6.16. pupmod-simp-simp
- Fixed a bug where the root password field was attempting to set an `undef` value as `Sensitive`.
- Fixed a bug in which the `simp_version` fact was broken because `puppet` did not have access to `/etc/simp` and `/etc/simp/simp/version`.
- Fixed a bug on EL6 systems in which the `puppetdb-dlo-cleanup` cron job from the `puppetdb` module could not be created.
- Excluded the `yum` class from all Windows nodes.
2.2.6.17. pupmod-simp-simp_apache
- Fixed a bug in which the `/etc/httpd/conf` and `/etc/httpd/conf.d` directories were not being correctly purged.
- Fixed a bug in which the `listen` configuration parameter could only be specified as a port. It can now be specified as either a port or a host address with port.
- Fixed an issue where the `simp_apache::munge_httpd_networks` function was modifying passed parameters.
2.2.6.18. pupmod-simp-simp_gitlab
- Fixed a bug in which both `simp_gitlab` and the `gitlab` application were attempting to manage CA certificate hash links.
2.2.6.19. pupmod-simp-simp_ipa
- Fixed a bug in which `ntp-server` was not passed into the client install.
2.2.6.20. pupmod-simp-simplib
- Fixed a bug in the signature for the `simplib::ipaddresses` function.
- Fixed a bug in `simplib::nets2ddq` where it would incorrectly try to expand an IPv6 CIDR. It now passes IPv6 addresses through untouched.
- Fixed a bug in which the `simp_version` function could cause a GLIBC error in JRuby 9K by using backticks.
2.2.6.21. pupmod-simp-ssh
- Fixed a bug in which the `sshd` ‘Subsystem’ configuration specified by `ssh::server::conf::subsystem` was erroneously stripped of whitespace.
2.2.6.22. pupmod-simp-stunnel
- Fixed a bug in which the stunnel `RNDoverwrite` configuration parameter could not be set to `no`.
2.2.6.23. pupmod-simp-swap
- Fixed a bug in which `/usr/local/sbin/dynamic_swappiness.rb` pointed to system Ruby, which may not be installed, instead of Puppet-provided Ruby, which will always be installed.
2.2.6.24. pupmod-simp-tcpwrappers
- Fixed a template bug that prevented some IPv6 addresses from being properly formatted in `/etc/hosts.allow`.
2.2.6.25. pupmod-simp-tpm2
- Fixed a bug in which the `tpm2` fact was not confined to the presence of the tools required for the fact execution.
2.2.6.26. pupmod-simp-vsftpd
- Fixed an ordering issue between the kernel module loading for `iptables` and the `vsftpd` service being started.
2.2.6.27. pupmod-simp-xinetd
- Fixed a bug in which the `xinetd::disabled` parameter would only be included in `xinetd.conf` if the `xinetd::no_access` parameter was not empty.
2.2.6.28. rubygem-simp-cli
- Fixed a bug in which `simp config` failed to find the template SIMP server host YAML file, `puppet.your.domain.yaml`, from `/usr/share/simp/environments/simp`. This bug caused subsequent `simp config` runs to fail when the SIMP server hostname had changed from the hostname used in the first `simp config` run.
- Fixed bugs in which `simp config` and `simp bootstrap` did not ensure the server had a valid FQDN.
- Fixed a bug in which `simp bootstrap` could fail unless the `puppetserver` was reloaded after the port change to 8140.
- Fixed a bug where the `web-routes.conf` file was not being overwritten with a pristine copy. This meant that multiple calls to `simp bootstrap` would fail due to leftover CA entries in the file.
- Fixed a bug in log message processing that would cause `simp bootstrap` to fail if it had already been successfully run.
- Fixed a bug in which the tftpboot images copied into the rsync space in SIMP’s secondary environment were not world readable, preventing clients from PXE booting.
- Fixed a bug in which `simp config`’s lockfile instructions on how to prevent possible root lockout from the SIMP server were incomplete.
2.2.6.29. simp-environment-skeleton
- Fixed a bug in which `simp_options::ldap` was set to `true` in the `simp` and `simp_lite` scenarios. The use of LDAP is not required, and so these values should have been `false`.
- Fixed a regression in which `simp_options::selinux` was inadvertently reinserted into `puppet.your.domain.yaml`.
2.2.6.30. simp-rsync
- Fixed a bug in which the permissions and owner on `/var/lib/clamav` were incorrect because they were incorrect on `/var/simp/environments/simp/rsync/Global/clamav`.
2.2.6.31. SIMP ISO
- Fixed a bug in which the generated disk encryption key used to encrypt the disk during a client kickstart was not being stored in the `/boot` partition. This rendered the client unusable, as the disk was effectively permanently locked with an unknown key. The source of the problem was a missing `SYSIMAGE` variable in the sample client kickstart file.
2.2.7. Module Replacements
The following modules are current and actively maintained replacements for obsolete modules or temporary SIMP versions of modules.
2.2.7.1. pupmod-camptocamp-systemd
- Replacement for the `simp-systemd` module. SIMP had temporarily published `simp-systemd` while we were waiting for important updates to `camptocamp-systemd` to be published.
2.2.7.2. pupmod-puppet-gitlab
- Replacement for the OBE `vshn-gitlab` module. The Vox Pupuli project has assumed ownership of this module.
2.2.7.3. pupmod-puppet-snmp
- Replacement for the OBE `razorsedge-snmp` module. The Vox Pupuli project has assumed ownership of this module.
2.2.7.4. pupmod-saz-timezone
- Replacement for the `simp-timezone` module. SIMP had temporarily published `simp-timezone` while we were waiting for important updates to `saz-timezone` to be published.
2.2.7.5. pupmod-simp-journald
- Replacement for the OBE `cristifalcas-journald` module.
2.2.8. New Features
2.2.8.1. pupmod-simp-auditd
- Added a `custom` audit profile that accepts either an Array of rules or a template path for ease of setting full rule sets via Hiera.
- Allow users to optimize their audit processing by only collecting on specific SELinux types.
2.2.8.2. pupmod-simp-compliance_markup
- Improved migration capabilities of the `compliance_map_migrate` utility:
  - Added ability to merge values from multiple input files.
  - Made `check_header` consistent with other v2 data.
  - Reordered output to match other v2 data.
  - Fixed controls, oval-ids, and identifiers output.
  - Normalized identifier strings.
  - Added an option to supply confinement.
  - Added capability to avoid anchors in the output.
  - Added an option to append a string to the checks key.
  - Added additional helper scripts for v1 to v2 migration.
- Made the ‘timestamp’ in the client-side report optional to prevent puppet from triggering file resource changes every time.
- Removed experimental v1 data since it is no longer used.
- Removed partial v2 data sets.
- Added v2 data for the non-SIMP `puppet-yum` module.
- Added confinement on modules and facts to SIMP Compliance Engine.
2.2.8.3. pupmod-simp-deferred_resources
- Added `deferred_resources::files`, `deferred_resources::users`, and `deferred_resources::groups`.
- Added `override_existing_attributes` capability to the `deferred_resources` native type to allow file attributes to be overridden with more useful messages than what you get with resource collectors.
- Ensure that an override attribute is defined prior to removal.
- Defined deep merge strategies for the Hash and Array class arguments.
- Switched all FIPS checks to use top level inherited checks.
2.2.8.4. pupmod-simp-freeradius
- Refactored the API for ease of use and for Puppet 5 compatibility.
- Created an `ldap` site and module to be used to integrate `freeradius` with an LDAP server.
- Added a failsafe for FIPS mode. The module now fails compilation if the server is in FIPS mode, because `freeradius` does not run when FIPS is enabled.
- Removed support for freeradius version 2 and CentOS 6.
- Removed addition of inter-tunnel and SQL sites by default.
2.2.8.5. pupmod-simp-hirs_provisioner
- New module to install the HIRS Provisioner and check in with the Attestation Certificate Authority.
2.2.8.6. pupmod-simp-iptables
- Added a rule to allow outbound communication over OUTPUT to the loopback device by default.
- Added a rule to drop 127.0.0.0/8 addresses as defined in RFC 1122, Section 3.2.1.3(g). This will exclude 127.0.0.1, as it is allowed in an earlier rule.
- Added `iptables_default_policy` for modifying the default policy of the `filter` table on either IPv4 or IPv6.
- Added `iptables::rules::default_drop` to allow users to easily toggle the default drop behavior of the default filter policies.
- Allow the `proto` key for an entry in `iptables::ports` to be an array.
2.2.8.7. pupmod-simp-issue
- Added a `source` parameter which can be used to specify a file resource to use for the banner content.
2.2.8.8. pupmod-simp-journald
- Forked from `cristifalcas-puppet-journald`.
- Refactored the API for ease of use and for Puppet 5 compatibility.
2.2.8.9. pupmod-simp-network
- Added experimental `NetworkManager` support.
2.2.8.10. pupmod-simp-ntpd
- Ensure that users can change the default `restrict` parameters.
- Allow users to add arbitrary extra content to `ntpd.conf`.
- Allow users to define the entire `ntpd.conf` content.
- Restrict `ntpd::allow::rules` to the new `Ntpd::Restrict` data type.
- Added ability for users to enable a default server capability directly from Hiera.
2.2.8.11. pupmod-simp-oath
- New module to install `oathtool`, a command line utility for generating one-time passwords, and, optionally, install and configure the `pam_oath` and `liboath` packages.
2.2.8.12. pupmod-simp-pam
- Added the `pam::access::access_file_mode` parameter to allow users to manage `access.conf` file permissions.
- Added TOTP support through `pam_oath`.
- Added an option to allow users to disable `faillock` if desired.
2.2.8.13. pupmod-simp-pki
- Updated the `pki_cert_sync` type to also generate an aggregate CA certificates file with X.509 certificate headers removed, `cacerts_no_headers.pem`. This new CA certificates file is useful for applications that cannot handle certificate headers.
- Added a new option to the `pki_cert_sync` type, `generate_pem_hash_links`, which controls whether `pki_cert_sync` should generate and maintain the PEM file hash links in the target directory. Disabling automatic PEM hash link generation is useful if an application is itself managing those links in the target directory.
2.2.8.14. pupmod-simp-pupmod
- No longer hardcode the puppet uid and puppet gid to 52.
- Added management of `ssldir` and `rundir`.
- Ensure that the puppet client environment is set to that which is provided by the server by default.
- Added a fact to list all the `jruby` jar files in the puppetserver installation directory.
- Allow the user to change the jar file used to run puppetserver via `pupmod::master::sysconfig::jruby_jar`.
- Changed the default jar file for puppetserver to `jruby-9k.jar` for the FOSS puppetserver. (It is already set to that for PE.)
- Added a `pupmod::server_distribution` function for more accurately determining the version of the puppet server installed on the target system.
- Refactored some of the underlying code to use the new function and be safer for PE installations.
- Added Certificate Authority parameters for authorization extensions and subject alternative names.
2.2.8.15. pupmod-simp-resolv
- Deprecated the ‘spoof’ option in `/etc/host.conf` since it has not done anything in recent history: https://bugzilla.redhat.com/show_bug.cgi?id=1577265
2.2.8.16. pupmod-simp-rkhunter
- New module to install and configure `rkhunter` and `unhide` for EL7 hosts.
2.2.8.17. pupmod-simp-rsync
- Added the ability to have a server support being both a SIMP rsync server and a SIMP rsync client of another server, simultaneously. This configuration is useful for a PE Compile Master <-> Master of Masters host configuration scenario.
- Added a `preserve_perms` attribute to disable preservation of server-side permissions.
2.2.8.18. pupmod-simp-rsyslog
- Changed default `rsyslog::rule::local::file_create_mode` to `0640`.
- Changed default `rsyslog::rule::local::dir_create_mode` to `0750`.
- Allow the following to be set directly via Hiera using `simplib::dlookup`:
  - `rsyslog::rule::local::file_create_mode`
  - `rsyslog::rule::local::dir_create_mode`
  - `rsyslog::rule::local::queue_max_file_size`
2.2.8.19. pupmod-simp-selinux
- Added `selinux::kernel_enforce` for toggling the enforcement of the selinux state at the kernel command line.
- Ensure that the `selinux::login_resources` Hash performs a deep merge by default.
2.2.8.20. pupmod-simp-simp
- Added SELinux login context management to `simp::admin`.
- Refactored `simp::mountpoints::tmp` to use `systemd`’s `tmp.mount` target, if the system supports `systemd`.
- Added `net.ipv6.conf.all.accept_ra` and `net__ipv4__conf__default__log_martians` to `simp::sysctl` management.
- Added exceptions to SIMP’s management of `filebucket` and `vardir` to support running puppet from Bolt.
- Switched out `chkrootkit` for `rkhunter` on EL7 instances.
- Added the, inert by default, `deferred_resources` class to all class lists, to allow users to easily use this functionality to meet specific compliance requirements.
- Deprecated `simp::puppetdb::read_database_ssl`. Instead, use `simp::puppetdb::read_database_jdbc_ssl_properties`, which maps directly to `puppetdb::server::read_database_jdbc_ssl_properties` (puppetdb version >= 7.0.0).
- Added the ability to set the root user password in `simp::root_user`.
- Added a `sysctl` value to increase the maximum number of `inotify` user watches.
- Added 2 configuration parameters to `simp::puppetdb`: `simp::puppetdb::automatic_dlo_cleanup` and `simp::puppetdb::dlo_max_age`.
- Updated the URLs to the EPEL GPG keys. The URLs have changed.
2.2.8.21. pupmod-simp-simp_apache
- Split out service management into a `simp_apache::service` class and provided users with a Hiera-driveable option to not manage the service.
2.2.8.22. pupmod-simp-simp_bolt
- New module that provides a profile that allows Puppet Bolt to operate in a SIMP environment.
2.2.8.23. pupmod-simp-simp_gitlab
- Switched from `vshn-gitlab` 1.13.3 to its replacement `puppet-gitlab` 3.0.2 and reworked the manifests, as appropriate, to work with the newer module.
- Added `manage_package` and `package_ensure` parameters to `simp_gitlab`.
2.2.8.24. pupmod-simp-simp_grub
- New module that provides a Hiera-friendly interface to GRUB configuration activities. It currently supports setting administrative GRUB passwords on both GRUB 2 and legacy GRUB systems.
2.2.8.25. pupmod-simp-simp_ipa
- Added Puppet Tasks for joining and leaving an IPA domain.
2.2.8.26. pupmod-simp-simp_pki_service
- Modified API. These are minor breaking changes for this experimental module.
2.2.8.27. pupmod-simp-simplib
- Added a simplib__sshd_config fact to check the contents of the sshd_config file.
- Added a simplib_networkmanager fact to provide useful information about the state of NetworkManager components.
- Added a simplib::in_bolt function to detect whether the current Puppet run is happening during a Bolt run.
- Added a set of Simplib::Cron::#### data types for specifying the minute, hour, month, monthday, and weekday parameters of the cron resource.
- Removed simplib’s deep_merge 3.x function, which conflicts with stdlib’s fully-equivalent deep_merge function.
- Removed simplib’s validate_integer 3.x function, which conflicts with stdlib’s fully-equivalent validate_integer function.
- Converted the following Puppet 3 functions to Puppet 4:
  - simplib::simp_version replaces the deprecated simp_version.
  - simplib::host_is_me replaces the deprecated host_is_me.
  - simplib::bracketize replaces the deprecated bracketize.
- Added a capability for simplib::bracketize to accept a string delimited by commas, spaces, and/or semicolons.
- Deprecated the remaining simplib Puppet 3.x functions and re-enabled simplib deprecation warnings by default.
- Defer to the built-in fips_enabled fact if it exists.
- Added a check for the environment variable SIMPLIB_NOLOG_DEPRECATIONS, which disables SIMP function deprecation warnings.
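The following Ruby snippet is an added illustration of the input handling described for simplib::bracketize above; it is not simplib's own code. It shows how a single delimited string (commas, spaces and/or semicolons) is split into the same entry list an Array argument would produce, and then demonstrates the bracketing itself. The bracketing behaviour is an assumption: that IPv6 addresses are wrapped in square brackets (as consumers such as rsyslog require), while IPv4 addresses, hostnames and already-bracketed entries pass through unchanged and any CIDR prefix stays outside the brackets.

```ruby
# Reference illustration of the delimited-string handling added to
# simplib::bracketize. Not simplib's implementation.
# Assumption: bracketize wraps IPv6 addresses in [] and leaves everything
# else alone, keeping a /prefix outside the brackets.
require 'ipaddr'

# Any run of whitespace, commas or semicolons separates entries.
DELIMITERS = /[\s,;]+/.freeze

# Normalise the argument to an Array of non-empty entries.
# Arrays pass through; Strings are split on DELIMITERS.
def split_entries(input)
  list = input.is_a?(Array) ? input : input.to_s.split(DELIMITERS)
  list.map(&:strip).reject(&:empty?)
end

# True only when the address part parses as an IPv6 address.
# Hostnames and garbage raise inside IPAddr and are reported as false.
def ipv6?(addr)
  IPAddr.new(addr).ipv6?
rescue IPAddr::InvalidAddressError, ArgumentError
  false
end

# Bracket one entry: "fe80::1" -> "[fe80::1]", "2001:db8::/32" -> "[2001:db8::]/32".
# Already-bracketed, IPv4 and hostname entries are returned unchanged.
def bracketize_entry(entry)
  return entry if entry.start_with?('[')
  addr, prefix = entry.split('/', 2)
  return entry unless ipv6?(addr)
  prefix ? "[#{addr}]/#{prefix}" : "[#{addr}]"
end

# Public entry point mirroring the documented signature: a String or an
# Array of Strings in, an Array of (possibly bracketed) Strings out.
def bracketize(input)
  split_entries(input).map { |e| bracketize_entry(e) }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input mixing every supported delimiter.
  p bracketize('10.0.0.1, fe80::1;2001:db8::/32 [::1] host.example.com')
  p bracketize(['::1', '192.0.2.5'])
end
```

Because the String form is split before any bracketing happens, a Hiera value such as a space-separated list of syslog servers yields exactly the same result as the equivalent Array, which is the point of the compatibility change.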
2.2.8.28. pupmod-simp-ssh
- Switched to the selinux_port type for alternate SSH ports.
- Added the ability for users to set custom sshd config entries via a Hash in Hiera.
- Made ListenAddress optional and documented the corresponding EL6 bug.
- Added OATH support.
- Added support for the following SSH server configuration parameters:
  - AllowGroups
  - AllowUsers
  - DenyGroups
  - DenyUsers
  - LoginGraceTime
  - LogLevel
  - MaxAuthTries
- Added a new class, ssh::authorized_keys, that allows users to specify public keys in Hiera.
- Added multiple port support:
  - The ssh::server::conf::port entry can now take an Array of ports.
  - selinux_port resources are created for each non-standard entry.
2.2.8.29. pupmod-simp-sssd
- Changed the sssd::provider::ldap::ldap_access_order defaults to ['ppolicy','pwd_expire_policy_renew'] to prevent accidental user lockout.
2.2.8.30. pupmod-simp-sudo
- Allow additional options to be specified by a Hash in sudo::user_specification.
2.2.8.31. pupmod-simp-xinetd
- Added a capability to purge unknown xinetd services. This capability is similar to that of svckill, but for the xinetd subsystem.
2.2.8.32. simp-environment-skeleton
- Renamed the package from simp-environment to simp-environment-skeleton to more accurately portray its purpose.
- Moved all SELinux components to a new package, simp-selinux-policy, and then added a dependency on that package.
- Changed the install location to /usr/share/simp/environments-skeleton for all files. The files are now located within a puppet or secondary sub-directory.
- Removed use of the simp_rpm_helper script during the post-install, so that the potentially active /var/simp/environments/simp directory is no longer modified during initial install or erase.
- Removed the execution of SELinux fixfiles on /var.
- Removed creation of cacertkey in /var/simp/environments/simp/FakeCA.
- Replaced the sample environment.conf file with a template, environment.conf.template.
2.2.8.33. simp-rsync
This package has been deprecated. Its final release provides a stub to ensure that any files it delivered into /var/simp/environments/simp/rsync, a potentially active secondary environment, are not erased. You can remove this package if your site is not using a simp environment.
2.2.8.34. simp-rsync-skeleton
- Replacement moving forward for the deprecated simp-rsync package.
- All files are now installed in /usr/share/simp/environments-skeleton/rsync.
2.2.8.35. simp-selinux-policy
New package containing policies originally packaged in the simp-environment package.
2.2.8.36. simp-utils
- Added the simpenv script to facilitate creation of a new SIMP omni-environment when the simp CLI cannot be used.
- Updated the updaterepo script to change permissions on the repo files as well as repodata.
- Updated the unpack_dvd script as follows:
  - Added an option to allow the user to not link the extracted files to the major version.
  - Added an option to change what group is used to own the files.
  - Ensure permissions on all directories containing RPMs for the repo are correct.
  - Only attempt to change ownership of files if run as root.
  - Put noarch RPMs under the noarch directory for the SIMP repo.
  - Allow the user to specify the version directory for the OS, because the CentOS .treeinfo file only contains the major OS version number.
  - Use Puppet Ruby instead of system Ruby.
2.2.8.37. SIMP ISO
- Appropriate GPG keys delivered with the simp-gpgkeys package are now imported into the rpm database during installation.
- The initial password validation settings now match the defaults provided by the simp-pam module.
2.2.9. Known Bugs
Nothing significant at this time.
The SIMP project in JIRA can be used to file bugs.