2.1. SIMP Community Edition (CE) 6.5.0
2.1.1. OS compatibility
This release is known to work with:
- CentOS 6.10 x86_64
- CentOS 7.0 2003 x86_64
- CentOS 8.2 2004 x86_64 — client systems only
- OEL 6.10 x86_64
- OEL 7.8 x86_64
- OEL 8.2 x86_64 — client systems only
- RHEL 6.10 x86_64
- RHEL 7.8 x86_64
- RHEL 8.2 x86_64 — client systems only
2.1.1.1. Important OS compatibility limitations
OS compatibility is subject to the following limitations:
2.1.1.1.1. EL8 support is CLIENT ONLY
This release introduces client-only EL8 support in the core Puppet modules.
- EL8 support is limited to managing EL8 Puppet agents with the core Puppet modules.
- All Puppet modules provided as core dependencies of the simp RPM support EL8.
This release does NOT support EL8 for:
- Managing an EL8 SIMP Server.
- Installing SIMP from an EL8 ISO.
- Using the unpack_dvd script on modular yum repositories found on EL8 OS ISOs.
Additional limitations with EL8:
- Not all modules provided by the simp-extras RPM have been updated for EL8.
- EL8 updates to the remaining simp-extras modules will be phased in over future SIMP releases.
- Support for managing an EL8 SIMP/Puppet server and installing from EL8 ISOs will be provided in a later SIMP release (SIMP 6.6.0).
- In SIMP 6.5.0, there are known issues with PXE kickstarting and unpacking ISOs as yum mirrors for EL8 clients. These issues particularly affect network-isolated environments.
- For details, see: Special considerations with EL8 clients.
2.1.1.1.2. Support for managing EL6 is drawing down
- EL6 maintenance support is EOL for both RHEL 6 and CentOS 6, and upstream vendor support will end on 30 November 2020.
- New Puppet modules may not support EL6.
- Some optional Puppet modules (provided by the simp-extras RPM) no longer support EL6. In particular, this affects simp/autofs, simp/nfs, and simp/simp_nfs. If you need those capabilities on EL6, use earlier versions of these modules in EL6-specific Puppet environments.
2.1.2. Breaking Changes
2.1.2.1. IPTables Rule Refinement
Important
IPTables does NOT have breaking changes out of the box.
A new parameter, iptables::precise_match, was added that performs higher-precision matching on iptables rules to detect the need to restart iptables.
It is highly recommended that you set iptables::precise_match: true in Hiera so that minor changes, such as subnet updates or single port changes, will appropriately restart iptables.
If you enable precision matching, do so with care, since you may find that iptables rule updates are propagated that you thought had previously been applied.
It is highly recommended that you migrate to firewalld if at all possible. See the relevant section below for more details.
2.1.2.2. Deprecated Puppet 3 API Functions Removed
All SIMP-provided Puppet 3 API functions (originally deprecated in SIMP 6.4.0) have now been removed in order to fully support Puppet 6. The affected functions and their replacements (when available) are listed in the sub-sections below.
2.1.2.2.1. Puppet 3 Functions Removed from simp/compliance_markup
Puppet 3 API Function | Replacement | Replacement Source |
---|---|---|
compliance_map | compliance_markup::compliance_map | simp/compliance_markup >= 3.0.0 |
2.1.2.2.2. Puppet 3 Functions Removed from simp/simp_apache
Puppet 3 API Function | Replacement | Replacement Source |
---|---|---|
apache_auth | simp_apache::auth | simp/simp_apache >= 6.0.1 |
apache_limits | simp_apache::limits | simp/simp_apache >= 6.0.1 |
munge_httpd_networks | simp_apache::munge_httpd_networks | simp/simp_apache >= 6.0.1 |
2.1.2.2.3. Puppet 3 Functions Removed from simp/simplib
Important
Most (but not all) of the Puppet 3 API functions in the table below have replacements. If any function that has been removed without a replacement is essential to you, let us know by submitting a feature request at https://simp-project.atlassian.net.
Puppet 3 API Function | Replacement | Replacement Source |
---|---|---|
array_include | Puppet language in operator or Puppet built-in functions any or all | Puppet >= 5.2.0 |
array_size | Puppet built-in function length | Puppet >= 5.5.0 |
array_union | Puppet language + (concatenation) operator, combined with Puppet built-in function unique | Puppet >= 5.0.0 |
bracketize | simplib::bracketize | simp/simplib >= 3.15.0 |
generate_reboot_msg | None | N/A |
get_ports | None | N/A |
h2n | None | N/A |
host_is_me | simplib::host_is_me | simp/simplib >= 3.15.0 |
inspect | simplib::inspect | simp/simplib >= 3.3.0 |
ipaddresses | simplib::ipaddresses | simp/simplib >= 3.5.0 |
ip_is_me | simplib::host_is_me (checks hostnames and IP addresses) | simp/simplib >= 3.15.0 |
ip_to_cron | simplib::ip_to_cron | simp/simplib >= 3.5.0 |
join_mount_opts | simplib::join_mount_opts | simp/simplib >= 3.8.0 |
localuser | None | N/A |
mapval | None | N/A |
nets2cidr | simplib::nets2cidr | simp/simplib >= 3.7.0 |
nets2ddq | simplib::nets2ddq | simp/simplib >= 3.8.0 |
parse_hosts | simplib::parse_hosts | simp/simplib >= 3.5.0 |
passgen | simplib::passgen | simp/simplib >= 3.5.0 |
rand_cron | simplib::rand_cron | simp/simplib >= 3.5.0 |
simp_version | simplib::simp_version | simp/simplib >= 3.15.0 |
simplib_deprecation | simplib::deprecation | simp/simplib >= 3.5.0 |
slice_array | Puppet built-in slice | Puppet >= 4.0.0 |
strip_ports | simplib::strip_ports | simp/simplib >= 3.5.0 |
to_integer | Puppet built-in Integer or simplib::to_integer | Integer: Puppet >= 4.0.0; simplib::to_integer: simp/simplib >= 3.5.0 |
to_string | Puppet built-in String or simplib::to_string | String: Puppet >= 4.0.0; simplib::to_string: simp/simplib >= 3.5.0 |
validate_array_member | simplib::validate_array_member | simp/simplib >= 3.8.0 |
validate_array_of_hashes | Use a custom Puppet data type such as Array[Hash] | Puppet >= 4.0.0 |
validate_between | Puppet data types Integer or Float, or simplib::validate_between | simp/simplib >= 3.8.0 |
validate_bool_simp | Use Puppet Boolean data type or simplib::validate_bool | Puppet >= 4.0.0; simp/simplib >= 3.8.0 |
validate_deep_hash | simplib::validate_deep_hash | simp/simplib >= 3.8.0 |
validate_float | Use Puppet Float data type or a check using is_float from puppetlabs/stdlib | Puppet >= 4.0.0; is_float: puppetlabs/stdlib >= 2.2.0 |
validate_macaddress | Use Simplib::Macaddress data type | simp/simplib >= 3.7.0 |
validate_net_list | Use Simplib::Netlist data type or simplib::validate_net_list | simp/simplib >= 3.5.0 |
validate_port | Use Simplib::Port data type or simplib::validate_net_list | simp/simplib >= 3.5.0 |
validate_re_array | simplib::validate_re_array | simp/simplib >= 3.7.0 |
validate_sysctl_value | simplib::validate_sysctl_value | simp/simplib >= 3.7.0 |
validate_umask | Use Simplib::Umask data type | simp/simplib >= 3.7.0 |
validate_uri_list | simplib::validate_sysctl_value | simp/simplib >= 3.7.0 |
2.1.2.2.4. Puppet 3 Functions Removed from simp/ssh
Puppet 3 API Function | Replacement | Replacement Source |
---|---|---|
ssh_autokey | ssh::autokey | simp/ssh >= 6.2.0 |
ssh_global_known_hosts | ssh::global_known_hosts | simp/ssh >= 6.2.0 |
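As an added example (not part of these release notes or of any SIMP module), the following Python script scans Puppet manifest text for call sites of the removed Puppet 3 functions listed in the four tables above and reports the replacement each table gives, so a control repository can be checked before the upgrade. The function map is transcribed from the tables; the sample manifest is constructed.

```python
# Scan Puppet manifests for SIMP Puppet 3 API functions removed in 6.5.0.
# Added example: the map below is transcribed from the release-note tables
# (None = the table lists no replacement); the sample manifest is constructed.
import re
from typing import Dict, List, Optional, Tuple

REMOVED_FUNCTIONS: Dict[str, Optional[str]] = {
    # simp/compliance_markup
    "compliance_map": "compliance_markup::compliance_map",
    # simp/simp_apache
    "apache_auth": "simp_apache::auth",
    "apache_limits": "simp_apache::limits",
    "munge_httpd_networks": "simp_apache::munge_httpd_networks",
    # simp/simplib
    "array_include": "Puppet 'in' operator, or built-in any/all",
    "array_size": "Puppet built-in length",
    "array_union": "Puppet '+' operator with built-in unique",
    "bracketize": "simplib::bracketize",
    "generate_reboot_msg": None,
    "get_ports": None,
    "h2n": None,
    "host_is_me": "simplib::host_is_me",
    "inspect": "simplib::inspect",
    "ipaddresses": "simplib::ipaddresses",
    "ip_is_me": "simplib::host_is_me",
    "ip_to_cron": "simplib::ip_to_cron",
    "join_mount_opts": "simplib::join_mount_opts",
    "localuser": None,
    "mapval": None,
    "nets2cidr": "simplib::nets2cidr",
    "nets2ddq": "simplib::nets2ddq",
    "parse_hosts": "simplib::parse_hosts",
    "passgen": "simplib::passgen",
    "rand_cron": "simplib::rand_cron",
    "simp_version": "simplib::simp_version",
    "simplib_deprecation": "simplib::deprecation",
    "slice_array": "Puppet built-in slice",
    "strip_ports": "simplib::strip_ports",
    "to_integer": "Integer data type or simplib::to_integer",
    "to_string": "String data type or simplib::to_string",
    "validate_array_member": "simplib::validate_array_member",
    "validate_array_of_hashes": "Array[Hash] data type",
    "validate_between": "Integer/Float data type or simplib::validate_between",
    "validate_bool_simp": "Boolean data type or simplib::validate_bool",
    "validate_deep_hash": "simplib::validate_deep_hash",
    "validate_float": "Float data type or stdlib is_float",
    "validate_macaddress": "Simplib::Macaddress data type",
    "validate_net_list": "Simplib::Netlist data type or simplib::validate_net_list",
    "validate_port": "Simplib::Port data type or simplib::validate_net_list",
    "validate_re_array": "simplib::validate_re_array",
    "validate_sysctl_value": "simplib::validate_sysctl_value",
    "validate_umask": "Simplib::Umask data type",
    "validate_uri_list": "simplib::validate_sysctl_value",
    # simp/ssh
    "ssh_autokey": "ssh::autokey",
    "ssh_global_known_hosts": "ssh::global_known_hosts",
}

# Parenthesised call: a bare identifier not preceded by a word character,
# '::' or '$', so namespaced replacements (simplib::passgen()) and variables
# never match.
CALL_RE = re.compile(r"(?<![\w:$])([a-z_][a-z0-9_]*)\s*\(")
# Puppet 3 statement-style call without parentheses, e.g. validate_bool_simp $x
STATEMENT_RE = re.compile(r"^\s*([a-z_][a-z0-9_]*)\s+[$'\"\[]")


def find_removed_calls(manifest: str) -> List[Tuple[int, str, Optional[str]]]:
    """Return (line_number, function, replacement) for each removed call."""
    hits: List[Tuple[int, str, Optional[str]]] = []
    for lineno, line in enumerate(manifest.splitlines(), start=1):
        code = line.split("#", 1)[0]  # drop trailing comments
        names = {m.group(1) for m in CALL_RE.finditer(code)}
        stmt = STATEMENT_RE.match(code)
        if stmt:
            names.add(stmt.group(1))
        for name in sorted(names):
            if name in REMOVED_FUNCTIONS:
                hits.append((lineno, name, REMOVED_FUNCTIONS[name]))
    return hits


# Constructed sample manifest (not from any SIMP module).
SAMPLE_MANIFEST = """\
# constructed sample manifest
class profile::legacy (
  $trusted_nets = $simp_options::trusted_nets,
) {
  $pw     = passgen('db_root')
  $nets   = nets2cidr($trusted_nets)
  $is_me  = simplib::host_is_me($facts['fqdn'])   # already migrated
  validate_net_list($nets)
  validate_bool_simp $enable
  ssh_global_known_hosts()
}
"""

if __name__ == "__main__":
    for lineno, name, replacement in find_removed_calls(SAMPLE_MANIFEST):
        print(f"line {lineno}: {name} -> {replacement or 'no replacement'}")
```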
2.1.2.3. Primary API Changed in Optional Modules
The following SIMP modules from the simp-extras RPM have had breaking API changes:
The specific changes made are described in detail in the New Features section.
2.1.2.4. EL6 Support Dropped from Some (Optional) Puppet Modules
The following optional SIMP modules have dropped support for EL6:
If you need EL6 for a client node, place it in an environment with older versions of the appropriate modules.
2.1.3. Significant Updates
2.1.3.1. EL8 SIMP Client Node Support
This release provides support for managing software on EL8 agents.
This includes all (appropriate) Puppet modules provided by the simp RPM, and a subset of the Puppet modules provided by the simp-extras RPM.
- The remaining changes required for an EL8 SIMP server and ISO will be available in the next SIMP minor release.
- EL8 updates to the remaining, optional, Puppet modules will be phased in over future SIMP releases. This includes the following SIMP modules:
2.1.3.2. Full Puppet 6 Support and Puppet 6 Default Components
All SIMP Puppet modules now work with both Puppet 5 and Puppet 6, and the SIMP 6.5.0 ISOs deliver Puppet 6 application RPMs.
2.1.3.3. firewalld Support
As of SIMP 6.5.0, firewalld support is available within SIMP and is the default for all new installations on platforms that support it.
- New simp/simp_firewalld module: SIMP now includes simp/simp_firewalld, which provides a profile class and defined type to manage the system’s firewalld with “safe” defaults and safety checks for firewalld rules.
- firewalld support in simp/iptables for backward compatibility: The simp/iptables module has preliminary support for acting as a pass-through to various firewalld capabilities using the simp/simp_firewalld module.
  - To enable ‘firewalld’ mode on supported operating systems, simply set iptables::use_firewalld to true via Hiera.
  - EL8 systems enable ‘firewalld’ mode by default.
  - Use of any of the iptables::listen::* defined types will work seamlessly in ‘firewalld’ mode, as long as IP addresses are used in their trusted_nets parameters.
  - Direct calls to iptables::rule in ‘firewalld’ mode will emit a warning notification that directs the user to convert their rules to simp_iptables::rule types.
Important
Be aware that firewalld rules do not support hostnames; IP addresses must be used. This may impact any manifests that contain iptables::listen resources, including resources from some SIMP modules. You will have to change any hostnames to IP addresses for the affected resources when using firewalld.
The table below lists the SIMP resource parameters impacted by the lack of hostname support in firewalld.
- Many of these parameters default to simp_options::trusted_nets, when it is available.
- Each network element can be specified as a network (CIDR notation), an IP address, 'ALL' or 'any'.
- ‘or’ in the table below indicates the default value that will be used if the previous value is not defined.
Parameter | Default Value |
---|---|
freeradius::v3::conf::trusted_nets | simp_options::trusted_nets or ['127.0.0.1','::1'] |
krb5::kdc::firewall::trusted_nets | |
krb5::kdc::realm::trusted_nets | |
libreswan::trusted_nets | |
nfs::client::mount::nfs_server | N/A |
nfs::server::trusted_nets | |
ntpd::trusted_nets | |
postfix::server::trusted_nets | |
pupmod::master::trusted_nets | |
rsync::server::trusted_nets | |
rsyslog::trusted_nets | |
simp::puppetdb::trusted_nets | |
simp_apache::ssl::trusted_nets | |
simp_apache::conf::allowroot | ['127.0.0.1','::1'] |
simp_nfs::home_dir_server | N/A |
simp_nfs::mount::home::nfs_server | N/A |
simp_openldap::server::conf::trusted_nets | |
ssh::server::conf::trusted_nets | ['ALL'] |
stunnel::connection::trusted_nets | |
stunnel::instance::trusted_nets | |
vsftpd::trusted_nets | |
xinetd::service::trusted_nets | |
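Added example, not part of these release notes or of any SIMP module: a Python check that walks Hiera data for the parameters in the table above and flags any network element that is not a CIDR network, an IP address, 'ALL' or 'any', since firewalld cannot express hostnames. It assumes the Hiera data has already been loaded into a flat key/value mapping (as yaml.safe_load would return) and uses constructed sample values.

```python
# Pre-migration check for SIMP 'firewalld' mode (added example).
# Hiera data is taken as the flat mapping yaml.safe_load() would return.
import ipaddress
from typing import Dict, List, Tuple

# Parameters from the table above that take a list of network elements.
# simp_options::trusted_nets is included because most of them default to it.
TRUSTED_NET_PARAMS = frozenset({
    "simp_options::trusted_nets",
    "freeradius::v3::conf::trusted_nets",
    "krb5::kdc::firewall::trusted_nets",
    "krb5::kdc::realm::trusted_nets",
    "libreswan::trusted_nets",
    "nfs::server::trusted_nets",
    "ntpd::trusted_nets",
    "postfix::server::trusted_nets",
    "pupmod::master::trusted_nets",
    "rsync::server::trusted_nets",
    "rsyslog::trusted_nets",
    "simp::puppetdb::trusted_nets",
    "simp_apache::ssl::trusted_nets",
    "simp_apache::conf::allowroot",
    "simp_openldap::server::conf::trusted_nets",
    "ssh::server::conf::trusted_nets",
    "stunnel::connection::trusted_nets",
    "stunnel::instance::trusted_nets",
    "vsftpd::trusted_nets",
    "xinetd::service::trusted_nets",
})

# Parameters from the table that name a single NFS server rather than a list;
# wildcards make no sense for these.
SINGLE_HOST_PARAMS = frozenset({
    "nfs::client::mount::nfs_server",
    "simp_nfs::home_dir_server",
    "simp_nfs::mount::home::nfs_server",
})

WILDCARDS = frozenset({"ALL", "any"})


def is_firewalld_compatible(element: str, allow_wildcard: bool = True) -> bool:
    """Return True if firewalld can express this network element."""
    if allow_wildcard and element in WILDCARDS:
        return True
    try:
        # strict=False accepts both bare addresses and CIDR networks.
        ipaddress.ip_network(element, strict=False)
        return True
    except ValueError:  # anything else (e.g. a hostname) is not expressible
        return False


def find_hostname_entries(hiera: Dict[str, object]) -> List[Tuple[str, str]]:
    """List (parameter, element) pairs that must be converted to IP form
    before setting iptables::use_firewalld to true."""
    problems: List[Tuple[str, str]] = []
    for key, value in hiera.items():
        if key in TRUSTED_NET_PARAMS:
            elements = value if isinstance(value, list) else [value]
            allow_wildcard = True
        elif key in SINGLE_HOST_PARAMS:
            elements = [value]
            allow_wildcard = False
        else:
            continue
        for element in elements:
            if not (isinstance(element, str)
                    and is_firewalld_compatible(element, allow_wildcard)):
                problems.append((key, str(element)))
    return problems


# Constructed sample Hiera data (not from the release notes).
SAMPLE_HIERA: Dict[str, object] = {
    "iptables::use_firewalld": True,
    "simp_options::trusted_nets": ["10.0.0.0/8", "192.168.1.10", "::1"],
    "ssh::server::conf::trusted_nets": ["ALL"],
    "rsyslog::trusted_nets": ["logclient.example.com", "10.0.1.0/24"],
    "nfs::client::mount::nfs_server": "nfs.example.com",
    "simp_apache::conf::allowroot": ["127.0.0.1", "::1"],
}

if __name__ == "__main__":
    for param, element in find_hostname_entries(SAMPLE_HIERA):
        print(f"{param}: '{element}' is not an IP address or CIDR network")
```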
2.1.3.4. Optional Dependency Handling
In SIMP 6.5.0, optional dependency handling has been integrated into ~20 additional SIMP Puppet modules. These modules explicitly identify optional, dependent modules, while providing safeguards to ensure the user is notified of any such missing dependencies at compilation time. This feature allows the user to minimize installation of unused modules in an environment when the user is not using SIMP to manage specific capabilities.
Key details about this feature are as follows:
- Optional module dependencies are indicated in the metadata.json file using an ‘optional_dependencies’ key within a ‘simp’ key. For example, see simp/rsyslog’s metadata.json.
- The user has complete control over installation of the optional dependency modules. These dependencies will not be installed automatically when the module using them is installed via puppet module install.
- Modules that use this feature will fail manifest compilation if the user enables the optional capabilities but the optional dependencies required to implement that capability are not installed in the environment.
2.1.3.5. Dependent Module Updates
SIMP updated as many dependent modules as possible. This included major version bumps for several of the dependent modules. These changes did not have a significant impact on the SIMP infrastructure. The dependency version bumps did, however, require some of the SIMP modules to update their respective metadata.json files. These metadata changes, in turn, required SIMP module version updates.
2.1.4. Security Announcements
SIMP 6.5.0 added mitigations for the following CVEs:
2.1.5. RPM Updates
2.1.5.1. Puppet RPMs
The following Puppet RPMs are packaged with the SIMP 6.5.0 ISOs:
Package | Version |
---|---|
puppet-agent | 6.18.0-1 |
puppet-bolt | 2.29.0-1 |
puppetdb | 6.12.0-1 |
puppetdb-termini | 6.12.0-1 |
puppetserver | 6.13.0-1 |
Warning
You do NOT need to update your version of Puppet from 5.X to use the modules supplied with this version of SIMP.
If you decide to update from 5.X, back up your server and test the upgrade carefully.
2.1.6. Removed Puppet Modules
2.1.6.1. Unused Augeasproviders Modules
The following packages for unused Augeasproviders Puppet modules and one dependency were removed from the SIMP ISOs:
- pupmod-herculesteam-augeasproviders_apache
- pupmod-herculesteam-augeasproviders_mounttab
- pupmod-herculesteam-augeasproviders_nagios
- pupmod-herculesteam-augeasproviders_pam
- pupmod-herculesteam-augeasproviders_postgresql
- pupmod-herculesteam-augeasproviders_puppet
- pupmod-herculesteam-augeasproviders_shellvar
- pupmod-puppetlabs-mount_providers
2.1.6.2. Docker Modules
The packages for the following Docker Puppet modules have been permanently removed from the SIMP ISOs, because SIMP is moving towards podman support over docker.
- pupmod-puppetlabs-docker
- pupmod-simp-simp_docker
2.1.6.3. pupmod-simp-journald
The pupmod-simp-journald package has been removed from SIMP ISOs, because the functionality the simp/journald module provided is now provided by the camptocamp/systemd module. If you used simp/journald, you will need to update your manifests to use camptocamp/systemd.
2.1.7. Fixed Bugs
- pupmod-simp-aide
- pupmod-simp-auditd
- pupmod-simp-dconf
- pupmod-simp-compliance_markup
- pupmod-simp-freeradius
- pupmod-simp-iptables
- pupmod-simp-libvirt
- pupmod-simp-logrotate
- pupmod-simp-network
- pupmod-simp-nfs
- pupmod-simp-pam
- pupmod-simp-polkit
- pupmod-simp-pupmod
- pupmod-simp-rsyslog
- pupmod-simp-selinux
- pupmod-simp-simp
- pupmod-simp-simplib
- pupmod-simp-simp_options
- pupmod-simp-simp_snmpd
- pupmod-simp-stunnel
- pupmod-simp-tftpboot
- pupmod-simp-tlog
- pupmod-simp-tpm2
- pupmod-simp-xinetd
- rubygem-simp-cli
- simp-environment-skeleton
- simp-utils
2.1.7.1. pupmod-simp-aide
- Fixed a bug in Compliance Engine data.
2.1.7.2. pupmod-simp-auditd
- Fixed a bug in which the module could not enable auditing on a system with auditing already disabled in the kernel, when replication of the audit logs to syslog was required.
- Fixed a bug in which the auditd service was managed when the kernel was not enforcing auditing.
- Fixed a bug in which the facts were not properly confined.
- Fixed a bug in which /etc/audit/audit.rules.prev caused unnecessary flapping.
- Fixed regex substitution for bad path characters.
- Added missing herculesteam/augeasproviders_grub module dependency.
2.1.7.3. pupmod-simp-dconf
- Fixed a bug in ensure = absent in dconf::settings.
2.1.7.4. pupmod-simp-compliance_markup
- Fixed merging bugs introduced in interim versions of the module.
- Fixed a regression introduced in interim versions of the module in which compliance reports were missing ‘controls’, ‘identifiers’, and ‘oval-ids’.
2.1.7.5. pupmod-simp-freeradius
- Fixed missing ‘group_filter’ option in LDAP.
2.1.7.6. pupmod-simp-iptables
- Fixed a bug in which the iptables services and rules were not managed when iptables::use_firewalld was set to true on an EL6 system.
- Fixed an ordering issue with setting xt_recent parameters that could occur on OEL7 nodes. However, there are other issues with xt_recent on OEL that may prevent this module from working on OEL in some circumstances.
- Fixed a bug in which the module did not check for firewalld availability when iptables::use_firewalld was set to true.
  - The module now ensures that systems that do not have firewalld do not attempt to configure it.
- Fixed bugs in iptables rule address normalization:
  - Ensured that all addresses are normalized when rules are processed.
  - Removed nested looped rule normalization of addresses since it is no longer required.
  - Fixed normalize_addresses() so that it simply keeps the netmask if present and appends the appropriate one if not.
- Fixed some bugs in the munge() portions of the native types.
2.1.7.7. pupmod-simp-libvirt
- Fixed issues with module data.
2.1.7.8. pupmod-simp-logrotate
- Fixed a bug in which the ‘size’ parameter in the global logrotate configuration file was specified more than once.
2.1.7.9. pupmod-simp-network
- Fixed a bug in which both the legacy network service and NetworkManager were activated in all cases.
2.1.7.10. pupmod-simp-nfs
- Fixed a bug in which IPv6 ‘::1’ network entries were not being created in /etc/exports. This could cause connections over stunnel to fail under certain conditions.
- rpc.rquotad service configuration was erroneously written to /etc/sysconfig/nfs for EL7. It is now written to the correct file, /etc/sysconfig/rpc-rquotad.
- Fixed idmapd-related bugs:
  - idmapd was erroneously only enabled when NFSv3 was allowed. idmapd is an NFSv4 service.
  - The idmapd client was not configured to use nfsidmap. An nfsidmap entry has now been added to /etc/request-key.conf.
- Fixed bugs in which bidirectional communication for NFSv3 was not properly configured:
  - NFSv3 lockd ports on the NFS client were not explicitly configured and thus not allowed through the firewall. This would have affected file locking using NLM.
  - rpcbind, statd, and lockd service names were not allowed by TCP Wrappers for the NFS client. This would have affected server-to-client NFSv3 NSM and NLM protocol messages over TCP.
- Fixed bugs in mount options:
  - Previously used the deprecated ‘nfs4’ fstype. This has been replaced with the ‘nfs’ fstype and use of the ‘nfsvers’ option to specify the version of NFS to use.
  - The mount option ‘proto’ is now set to ‘tcp’ when stunnel is enabled.
- Fixed a bug with a duplicate exec resource in nfs::client::mount when stunnel was enabled.
- Fixed erroneous server-only/client-only configuration that appeared to be able to be set independently for the NFS client and NFS server on the same node, but because of shared services, actually applied to the node as a whole.
- Removed nfs::client::firewall and nfs::server::firewall. Use nfs::firewall instead.
- Removed nfs::server::tcpwrappers. Use nfs::tcpwrappers instead.
- Removed nfs::server::nfsv3, nfs::server::lockd_arg, nfs::server::statdarg, nfs::server::statd_ha_callout, nfs::server::rpcgssdargs, and nfs::server::rpcsvcgssdargs. Use the appropriate parameters in the nfs class instead.
2.1.7.11. pupmod-simp-pam
- Fixed a bug in which a local user password could not be set.
  - Moved the ‘pam_unix.so’ check before the ‘pam_sss.so’ check in the password section of the auth files; otherwise an authentication token manipulation error is returned and local passwords cannot be changed.
2.1.7.12. pupmod-simp-polkit
- Fixed an issue with the basic_policy template that resulted in malformed rules.
2.1.7.13. pupmod-simp-pupmod
- Fixed a bug in which the module could not determine the appropriate Puppet configuration for Puppet >= 6.19.0 from the internal Puppet.settings method, because the ‘master’ section was renamed to ‘server’.
- Fixed a bug on EL6 nodes in which setting pupmod::master::generate_types to false caused the catalog compilation to fail.
- Fixed a bug in puppetserver configuration in which the ‘profiler-output-file’ parameter was incorrectly specified as ‘profiling-output-file’.
- Fixed a bug in managing group ownership of puppet.conf when using Puppet Enterprise.
  - Ensured that pupmod::pass_two does not conflict with the internal PE configuration code for group ownership of puppet.conf.
2.1.7.14. pupmod-simp-rsyslog
- Fixed the default security collection string for firewalld rules.
- Fixed a bug where the ‘IncludeConfig’ directive for /etc/rsyslog.d allowed more than just .conf files to be parsed.
2.1.7.15. pupmod-simp-selinux
- Fixed a bug in which the module would attempt to create selinux_login resources when selinux::login_resources was set but selinux was disabled. This resulted in the error message “Could not find a suitable provider for selinux_login” during catalog compilation.
2.1.7.16. pupmod-simp-simp
- Ensure that the sudoers rule for removing the Puppet SSL directory is not created when running from Bolt, since the directory target is changed at each Bolt run and would result in non-idempotency.
- Fixed a bug in which the ‘gpgkey’ and ‘baseurl’ configuration strings were required for the local YUM repositories managed by simp::yum::repo::local_os_updates and simp::yum::repo::local_simp.
  - Both are optional in the yumrepo type if they already exist on disk.
- Removed the broken tasks/ directory.
2.1.7.17. pupmod-simp-simplib
- Fixed the simplib::puppet::metadata::os_support data type to allow operatingsystemrelease to be optionally defined.
- Added Amazon Linux support.
- Fixed the use of simplib::debug::inspect when using Bolt.
- Fixed bugs in the grub_version and init_systems facts.
- Fixed the simplib__auditd fact so that it detects the state of the running auditd process.
- Fixed Simplib::Systemd::ServiceName to accept instance services.
- Fixed an issue in the simplib__sshd_config fact that would cause the daemon to start on an EL6 system that did not already have it running.
- Fixed a bug in which the simplib__firewalls fact was not properly confined and would trigger on Windows systems.
- Fixed an issue in simplib::ip::family_hash where the ‘unknown’ entries were not properly populated.
- Fixed a bug in which simplib::simp_version did not work on Windows.
- Fixed an uninitialized constant error with the reboot_notify custom type.
2.1.7.18. pupmod-simp-simp_options
- Fixed PE detection in simp_options::puppet::server_distribution.
2.1.7.19. pupmod-simp-simp_snmpd
- Fixed a bug in which the PID file option was missing from the default options for the snmpd daemon in EL6. The daemon failed to start without this option.
- Fixed a bug where the default for the client security level was incorrectly set.
  - The default access security level is now set by the new parameter simp_snmpd::defvacmlevel instead of simp_snmpd::defsecuritylevel. simp_snmpd::defsecuritylevel sets the default security level for the client.
- Added a missing dependency on simp/tcpwrappers.
2.1.7.20. pupmod-simp-stunnel
- Added the stunnel::instance_purge class to remedy the ‘floating services’ issue.
2.1.7.21. pupmod-simp-tftpboot
- Fixed a bug in which the internal rsync operation did not match the documentation.
- Fixed a manifest ordering issue.
2.1.7.22. pupmod-simp-tlog
- Fixed a bug in the tcsh template.
- Added a workaround to scripts in /etc/profile to handle a bug in tlog that would prevent logins if the system hostname could not be found.
2.1.7.23. pupmod-simp-tpm2
- Fixed a bug where the tpm2_* commands could return nothing, which would trigger an error in further logic.
2.1.7.24. pupmod-simp-xinetd
- Removed ‘TRAFFIC’ from the default log_on_success list since it may cause information leakage and is not supported by all service types.
2.1.7.25. rubygem-simp-cli
- Fixed a bug in which simp config did not allow DNS domains that did not include at least one dot character. Domains are now validated per RFC 3696.
- Fixed a bug where simp config recommended the wrong SSSD domain when the SIMP server was not the LDAP server. It recommended the ‘Local’ domain, when the appropriate SIMP-created domain with the ‘local’ (EL6) or ‘files’ (EL7) provider is named ‘LOCAL’.
- Fixed a bug in simp environment new in which the actual failure messages from a failed setfacl --restore execution were not logged.
- Fixed a bug where simp config --dry-run would prompt the user to apply actions instead of skipping them and then writing the ~/.simp/simp_conf.yaml file.
  - Users would answer ‘no’ to the unexpected apply query, and then simp config would only persist the answers to the interim answers file (~/.simp/.simp_conf.yaml).
- Fixed Puppet Enterprise support for simp config and simp bootstrap.
  - Fixed a fact-loading bug that prevented the PE fact (is_pe) from being available.
  - Hardened PE-detection logic for cases in which the is_pe fact is not yet available during simp config.
  - Added support for SIMP server template Hiera data that is PE-specific.
  - Fixed a bug in which the module paths containing PE modules were not excluded when simp config checked for modules in the ‘production’ Puppet environment. This forced the user to remove the skeleton ‘production’ environment installed by the puppet-agent RPM in order to get simp config to run on a freshly installed PE system.
2.1.7.26. simp-environment-skeleton
- When running FakeCA certificate-generation scripts in batch mode, do not request input from the user.
- Fixed a bug in which some non-script files were installed with executable permissions.
2.1.7.27. simp-utils
- Fixed minor bugs in unpack_dvd.
2.1.8. New Features
- pupmod-simp-aide
- pupmod-simp-auditd
- pupmod-simp-autofs
- pupmod-simp-clamav
- pupmod-simp-compliance_markup
- pupmod-simp-cron
- pupmod-simp-crypto_policy
- pupmod-simp-dconf
- pupmod-simp-deferred_resources
- pupmod-simp-dhcp
- pupmod-simp-fips
- pupmod-simp-freeradius
- pupmod-simp-incron
- pupmod-simp-iptables
- pupmod-simp-krb5
- pupmod-simp-libreswan
- pupmod-simp-libvirt
- pupmod-simp-logrotate
- pupmod-simp-named
- pupmod-simp-nfs
- pupmod-simp-oath
- pupmod-simp-pam
- pupmod-simp-polkit
- pupmod-simp-pupmod
- pupmod-simp-resolv
- pupmod-simp-rsyslog
- pupmod-simp-selinux
- pupmod-simp-simp
- pupmod-simp-simp_apache
- pupmod-simp-simp_banners
- pupmod-simp-simp_bolt
- pupmod-simp-simp_firewalld
- pupmod-simp-simp_gitlab
- pupmod-simp-simp_ipa
- pupmod-simp-simp_nfs
- pupmod-simp-simp_options
- pupmod-simp-simp_rsyslog
- pupmod-simp-simp_snmpd
- pupmod-simp-simpkv
- pupmod-simp-simplib
- pupmod-simp-ssh
- pupmod-simp-stunnel
- pupmod-simp-sudo
- pupmod-simp-svckill
- pupmod-simp-swap
- pupmod-simp-tcpwrappers
- pupmod-simp-tpm2
- pupmod-simp-useradd
- rubygem-simp-cli
- simp-adapter
- simp-environment-skeleton
- simp-gpgkeys
- simp-rsync-skeleton
- simp-utils
- SIMP ISO
2.1.8.1. pupmod-simp-aide
- Updated the EL8 ciphers to be safe on FIPS systems by default.
- Removed overrides for aide::aliases on EL8 since it works properly in FIPS mode.
- Automatically add ‘@@include’ lines to aide.conf. Previously, when declaring aide::rule resources, it was also necessary to add the rule name to the aide::rules array.
- Moved the default rules to data in modules.
2.1.8.2. pupmod-simp-auditd
- Allow auditd::space_left and auditd::admin_space_left to accept percentages on supported versions.
- Added ‘INCREMENTAL_ASYNC’ to the possible values for auditd::flush.
- Added a built_in audit profile to the subsystem that provides the ability to include and manage sample rulesets to be compiled into active rules.
- Ensured that kmod is audited in all STIG modes on EL7+.
- Allow users to knock out entries from arrays specified in Hiera.
- Added rules based on best practices mostly pulled from /usr/share/doc/auditd:
  - Audit 32-bit operations on 64-bit systems
  - Audit calls to the auditd CLI commands
  - Audit IPv4 and IPv6 inbound connections
  - Optionally audit IPv4 and IPv6 outbound connections
  - Audit suspicious applications
  - Audit systemd
  - Audit the auditd configuration space
  - Ignore time daemon logs (clutter)
  - Ignore ‘CRYPTO_KEY_USER’ logs (clutter)
  - Add the ability to set the ‘backlog_wait_time’
  - Set ‘loginuid_immutable’
- Set defaults for syslog parameters if the auditd version is unknown.
- Added a fact that determines the major version of auditd that is running on the system, auditd_major_version. This is used in the hiera.yaml hierarchy to add module data specific to the versions.
- Added support for auditd v3.0, which is used by RedHat 8. Most of the changes in auditd v3.0 were related to how the plugins are handled, but there are a few new parameters added to auditd.conf. They are set to their defaults according to the man page of auditd.conf.
- auditd v3.0 moved the handling of plugins into auditd from audispd. The following changes were made to accommodate that:
  - To make sure the parameters used to handle plugins were defined in one place no matter what version of auditd was used, they were moved to init.pp and referenced from there by the audisp manifest. For backwards compatibility, they remain in audisp.conf and are aliased in the Hiera module data.
  - For backwards compatibility, auditd::syslog still defaults to the value of simp_options::syslog, although the two are not really the same thing. You might want to review this setting and set auditd::syslog to a value that is appropriate for your system.
  - To enable auditd logging to syslog, set the following in Hiera:
        ---
        auditd::syslog: true
        auditd::config::audisp::syslog::enable: true
        # The drop_audit_logs is still there for backwards compatibility and
        # needs to be disabled.
        auditd::config::audisp::syslog::drop_audit_logs: false
  - To stop auditd logging to syslog, set the following in Hiera:
        ---
        auditd::syslog: true
        auditd::config::plugins::syslog::enable: false
  - Setting auditd::syslog to false will stop Puppet from managing syslog.conf; it will not disable auditd logging to syslog. Disable the syslog plugin as described above.
  - The settings for syslog.conf were updated to work for new and old versions of auditd.
  - Added installation of the audisp-syslog package when using auditd v3.
- Added rules to monitor /usr/share/selinux.
2.1.8.3. pupmod-simp-autofs
This module was extensively refactored. Please read the updated README.md to understand the current usage. Notable feature/API changes:
- Updated autofs service configuration to use /etc/autofs.conf in addition to /etc/sysconfig/autofs.
- Updated /etc/autofs.master to load content from /etc/auto.master.simp.d/ and /etc/auto.master.d/ in lieu of specifying map entries directly.
  - ‘auto.master’ entries are now written to files in /etc/auto.master.simp.d, a directory fully managed by this module. /etc/auto.master.d is left unmanaged by Puppet.
  - Auto-converts from the old maps directory to the current maps directory and emits a warning. This is to help the 90% of users who aren’t doing anything special with this module.
- Added an autofs::map defined type that allows the user to specify all the parameters for a ‘file’ map in one place. This resource will generate the appropriate resources to create both the ‘auto.master’ entry file and the map file.
- Added the autofs::masterfile defined type to replace the deprecated autofs::master::map. autofs::masterfile creates an ‘auto.master’ entry file in autofs::master_conf_dir.
  - Unlike autofs::map::master, autofs::masterfile does not have a content parameter, because a user can simply use a file resource to specify a custom ‘auto.master’ entry file.
- Added the autofs::mapfile defined type to replace the deprecated autofs::master::entry. autofs::mapfile creates a mapfile for a direct mapping or one or more indirect mappings.
  - Unlike autofs::master::entry, it does not have duplicate resource naming problems (wildcard or otherwise).
- autofs class changes
  - Added the following new autofs service configuration parameters: master_wait, mount_verbose, mount_nfs_default_protocol, force_standard_program_map_env, use_hostname_for_mounts, disable_not_found_message, sss_master_map_wait, use_mount_request_log_id, auth_conf_file, custom_autofs_conf_options.
  - Added master_conf_dir and master_include_dirs parameters to allow users to specify directories containing ‘auto.master’ entry files.
  - Added maps_dir to specify the location of SIMP-managed maps and changed the directory name from /etc/autofs to /etc/autofs.maps.simp.d for clarity.
  - Added maps to allow users to specify ‘file’ type maps in Hiera data.
    - Each map specifies the contents of an ‘auto.master’ entry file and its corresponding mapping file.
  - Renamed options to automount_options for clarity.
  - Renamed use_misc_device to automount_use_misc_device for clarity.
  - Removed autofs::master_map_name.
    - This parameter is not exposed in /etc/autofs.conf and does not look like it is intended to be changed.
  - Changed permissions of /etc/auto.master and /etc/sysconfig/autofs to match those of the delivered RPM.
- autofs::ldap_auth class changes
  - autofs::ldap_auth is now a private class to ensure the name of the configuration file created by this class matches the ‘auth_conf_file’ setting in /etc/autofs.conf.
  - Added the optional encoded_secret parameter. This parameter takes precedence when both secret and encoded_secret parameters are specified.
- autofs::map::master has been deprecated by autofs::map or autofs::masterfile. Its behavior has changed from writing a section of /etc/auto.master to writing an auto.master entry file in autofs::master_conf_dir.
- autofs::map::entry has been deprecated by autofs::map or autofs::mapfile. Its behavior has changed from writing a file in /etc/autofs to writing a file in autofs::maps_dir.
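The autofs::maps Hiera key described above lets a single hash define both the ‘auto.master’ entry file and the map file for each ‘file’ map. The following Hiera data is an added example, not taken from the SIMP release notes or from the simp/autofs module itself. It assumes the autofs::map parameter names mount_point, master_options and mappings, and the per-mapping keys key, options and location; the server name nfs.example.internal and the export paths are constructed placeholders.

```yaml
# Added example (not from the SIMP release notes or simp/autofs): two 'file'
# maps declared through autofs::maps. Parameter names mount_point,
# master_options, mappings, key, options and location are assumed; the
# server nfs.example.internal and export paths are constructed placeholders.
---
autofs::maps:
  # Indirect map: /home/<user> is mounted on demand. The '*' key matches any
  # name looked up under the mount point and '&' substitutes that name into
  # the remote location, so one entry serves every home directory.
  home:
    mount_point: /home
    master_options: '--timeout=600'
    mappings:
      - key: '*'
        options: '-fstype=nfs4,soft'
        location: 'nfs.example.internal:/exports/home/&'

  # Direct map: the autofs convention is a mount point of '/-' in the master
  # entry, with the real absolute mount point given as the mapping key.
  apps:
    mount_point: '/-'
    mappings:
      key: /mnt/apps
      options: '-fstype=nfs4,ro,soft'
      location: 'nfs.example.internal:/exports/apps'
```

With the module defaults described above, each entry produces an ‘auto.master’ entry file under /etc/auto.master.simp.d and a map file under /etc/autofs.maps.simp.d, both fully managed by Puppet, while anything an administrator drops into /etc/auto.master.d is left alone. The ‘soft’ option is used so that an unreachable server returns an error to the calling process instead of blocking it indefinitely, which is the same default the refactored nfs::client::mount adopts.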
2.1.8.4. pupmod-simp-clamav
- Updated documentation to clarify what simp_options::clamav actually does and to note that clamav was removed from SIMP’s default class list in SIMP 6.5.
- Set the default for clamav::set_schedule::enable to look up clamav::enable, so that the class will remove the ‘clamscan’ cron job if management of ClamAV is disabled.
- Disable SIMP’s rsync pulls by default.
2.1.8.5. pupmod-simp-compliance_markup
- Deep merge hash values in the Hiera backend.
- Improved confinement:
  - Added support for confinement in ‘profiles’, ‘controls’ and ‘ces’ (as well as ‘checks’).
  - Added support for arrays of potential matches in confinement blocks.
  - Added support for structured facts in confinement.
  - Updated confinement logic to ensure that all possibilities are collected.
  - Apply confinement before merging values.
- Improved performance:
  - Reduced the amount of data passed around in the Hiera backend.
  - Ensured that the Hiera backend recurses as little as possible.
  - Removed useless loops in list_puppet_params().
- Improved error handling and debugging:
  - Ignore undefined ‘ces’ when correlating checks and profiles.
  - Raise errors on malformed data.
  - Added debugging logs to enforcement logic.
- Removed all support for v1 data since it was experimental and removed in 3.0.0.
- Load data from the compliance_markup::compliance_map Hiera key after compliance profiles in modules to allow for profile tailoring via Hiera. This means that users may now override all settings from the underlying compliance maps across all modules to fit their environment specifics.
2.1.8.6. pupmod-simp-cron
- Manage cron packages by default.
2.1.8.7. pupmod-simp-crypto_policy
This is a new module to manage, and provide information about, the system-wide crypto policies.
2.1.8.8. pupmod-simp-dconf
- Allow users to set custom settings via Hiera.
2.1.8.9. pupmod-simp-deferred_resources
- Remove ‘ftp’ and ‘games’ users and groups when enforcing STIG compliance.
2.1.8.10. pupmod-simp-dhcp
- Made use of SIMP’s rsync operation optional (enabled by default for backwards compatibility).
- Added support for passing in a full dhcpd.conf entry.
- Ensured that the SELinux user and type are set for the configuration files.
- Switched to using iptables::listen::udp for firewalld compatibility.
2.1.8.11. pupmod-simp-fips
- Ensured that EL8 updates trigger updating the global system crypto policy, since some subsystems now ignore the local configuration by default.
2.1.8.12. pupmod-simp-freeradius
- Added support for overriding ‘post-auth’ in LDAP.
- Added support for overriding ‘accounting’ in LDAP.
- Added support for specifying the entire file content.
- Removed simp_options::puppet::server from the default lookup logic for freeradius::v3::modules::ldap::server. In systems that use Bolt to compile and apply manifests, that setting will not be available.
2.1.8.13. pupmod-simp-incron
- Remove pinned versions of incron, since the upstream packages have been fixed.
2.1.8.14. pupmod-simp-iptables
- Added preliminary support for acting as a pass-through to various firewalld capabilities using the simp/simp_firewalld module.
  - Using any of the iptables::listen::* defined types will work seamlessly in ‘firewalld’ mode, but direct calls to iptables::rule will fail.
  - Calls to any of the native types included in this module will result in undefined behavior and are not advised.
  - To enable ‘firewalld’ mode on supported operating systems, simply set iptables::use_firewalld to true via Hiera.
  - EL 8 systems will enable ‘firewalld’ mode by default.
- Improved the internal rule matching to handle most netmask and port updates.
- Added an exact_match Boolean to the iptables_optimize and ip6tables_optimize native types to allow for more aggressive rule matching.
  - This change requires that inbound rules match whatever is returned by iptables-save and/or ip6tables-save to prevent iptables flapping.
- Allow the ‘LOCAL-INPUT’ jump rule in the ‘FORWARD’ and ‘INPUT’ chains to occur last as a default action through the addition of an iptables::rules::base::force_local_input parameter.
- Allow users to disable adding the ‘SIMP:’ prefix to the rule comment.
- Allow users to disable comments on rules completely.
2.1.8.15. pupmod-simp-krb5
- Updated SELinux hotfix for EL8.
- Migrated SELinux hotfix to vox_selinux::module.
2.1.8.16. pupmod-simp-libreswan
- Removed unused libreswan::use_certs_parameter parameter.
- Added support for IKEv2 Mobility (RFC-4555) and mobile client connections.
- Added additional settings for DNS and Domains for Libreswan v3.23+.
2.1.8.17. pupmod-simp-libvirt
- Split out install and service into separate classes to give users more flexibility on what they manage with the module.
2.1.8.18. pupmod-simp-logrotate
- Allow all log size configuration parameters to be specified in bytes, kilobytes, megabytes, or gigabytes.
- Added ability to specify ‘maxsize’ configuration for specific logrotate rules.
2.1.8.19. pupmod-simp-named
- Allow users to force enabling/disabling of the chroot settings.
- Allow users to easily set the named_write_master_zones SELinux boolean in case they need to support dynamic DNS or zone transfers.
2.1.8.20. pupmod-simp-nfs
This module was extensively refactored. Read the updated README.md to understand the current usage. Notable feature/API changes:
- Overall changes
  - Dropped stunnel support for NFSv3. This tunneling did not work because:
    - The NFS client sends the NFS server Network Status Manager (NSM) notifications via UDP, exclusively.
    - At multi-NFS-server sites, a unique rpcbind port per server is required in order for an NFS client to be able to tunnel its server-specific RPC requests to the appropriate server.
- nfs class
  - Reworked parameters to reflect configuration of /etc/nfs.conf and, for limited EL7-only configuration, /etc/sysconfig/nfs. See the class documentation for full details.
  - Removed stunnel_systemd_deps and stunnel_tcp_nodelay parameters throughout the module.
    - These parameters were not consistently used in the manifest code (i.e., declared but not used) and were confusing.
    - The corresponding stunnel_socket_options and stunnel_wantedby parameters in classes/defines now use defaults that were intended to be set by those parameters.
  - Now masks NFS services that are not needed, so they are not unnecessarily started when nfs-server.service or nfs-client.target are restarted.
- nfs::client changes
  - Added support for pNFS: Set blkmap to true to enable the pNFS service, nfs-blkmap.service.
  - Added nfs::stunnel_socket_options and stunnel_wantedby parameters which provide the defaults for all nfs::client::mount instances.
- nfs::client::mount define changes
  - nfs_server must now be specified as an IP address. This change was necessary for firewalld.
  - In options, changed the default mount type to ‘soft’ instead of ‘hard’. Also removed the deprecated ‘intr’ option, as it has no effect.
  - Reworked the remote autodetect logic to detect a local mount based on IP address instead of simply whether the node is also configured to be an NFS server.
  - Added support for direct autofs mounts and simplified specification of indirect mounts. When autofs_indirect_map_key is not specified, a direct mount is specified by name. When autofs_indirect_map_key is specified, an indirect mount is specified with name as the mount point and autofs_indirect_map_key as the mount key.
  - Renamed autofs_map_to_user to autofs_add_key_subst to better reflect automount terminology. This parameter simply adds key substitution to the remote location, which, although it can be used for user home directories, is not restricted to that use case.
  - Renamed port to nfsd_port to be consistent with the name of that parameter throughout the entire module.
  - Renamed v4_remote_port to stunnel_nfsd_port for clarity and to be consistent with the name of that parameter throughout the entire module.
  - Exposed client stunnel configuration that was scattered throughout the module to this API. Users can now specify stunnel_socket_options and stunnel_verify for each mount. When unspecified, the defaults from the nfs class are used.
- nfs::server class changes
  - Exposed server stunnel configuration that was scattered throughout the module to this API. Users can now specify stunnel_accept_address, stunnel_nfsd_accept_port, stunnel_socket_options, stunnel_verify, and stunnel_wantedby in this class. When unspecified, the defaults for all but stunnel_accept_address and stunnel_wantedby are pulled from the nfs class.
  - Added the following parameters: nfsd_vers4, nfsd_vers4_0, nfsd_vers4_1, nfsd_vers4_2, and custom_rpcrquotad_opts.
  - Renamed nfsv3 to nfsd_vers3 to reflect its use in /etc/nfs.conf.
  - Moved nfs::rpcquotad_port to this class and renamed rpcrquotadopts to custom_rpcrquotad_opts for clarity.
  - Moved nfs::mountd_port to this class and removed rpcmountdopts. Custom configuration for that daemon should now be made via nfs::custom_nfs_conf_opts or nfs::custom_daemon_args as appropriate.
  - Removed the obsolete nfsd_module parameter.
- nfs::server::export define changes
  - Added replicas, pnfs, and security_label parameters to support additional export configuration parameters.
- nfs::idmapd class changes
  - Refactored into 3 classes to support distinct NFS server and client configuration.
  - Added no_strip and reformat_group to nfs::idmapd::config to support additional /etc/idmapd.conf configuration parameters.
2.1.8.21. pupmod-simp-oath
- Allow oath::config::user to be any string.
- Disabled the show_diff option in concat for /etc/liboath/users.oath to prevent that information from being exposed in logs.
2.1.8.22. pupmod-simp-pam
- Ensured that ‘pam_tty_audit’ is optional if auditing is not enabled on the system.
- Added the ability to specify pam::limits::rules via Hiera.
- Ignore authconfig disable on EL8. Authconfig was replaced with authselect, and authselect does not overwrite settings unless you select the --force option.
- Remove installation of pam_pkcs11 and fprintd-pam by default, since they aren’t actually required for basic functionality.
2.1.8.23. pupmod-simp-polkit
- Added the following classes: polkit::install, polkit::service, polkit::use.
- Ensured that the polkit user is managed by default and placed into the supplementary group bound to the ‘gid’ option on /proc, if one is set. This is necessary to work around issues with ‘hidepid’ > 0.
- Made the entire main class inert on unsupported OSs; logs a warning on the server that can be disabled.
2.1.8.24. pupmod-simp-pupmod
- Default pupmod::master::ssl_protocols to TLSv1.2 only.
- Use $facts['certname'], when available, in the parameters below, because $facts['fqdn'] may not be appropriate when the system does not use its primary NIC/FQDN for its Puppet certificate:
  - pupmod::certname
  - pupmod::master::ca_status_whitelist
  - pupmod::master::admin_api_whitelist
- Set the default puppetserver ciphers to a safe set.
- Added better auto-tuning support for puppetserver, based on best practices.
- Added ‘ReservedCodeCache’ puppetserver support.
- Removed incron support in favor of using systemd path units to run simp_generate_types.
  - Attempts to activate the incron code will result in a warning message.
- Added mitigation for CVE-2020-7942.
- Added optional management of the Facter configuration file.
- Removed the deprecated CA CRL pull cron job and the corresponding pupmod::ca_crl_pull_interval parameter.
- Removed deprecated auth.conf support for the legacy pki module and the corresponding parameters:
  - pupmod::master::simp_auth::legacy_cacerts_all
  - pupmod::master::simp_auth::legacy_mcollective_all
  - pupmod::master::simp_auth::legacy_pki_keytabs_from_host
- Removed the deprecated pupmod::master::simp_auth::server_distribution parameter.
2.1.8.25. pupmod-simp-resolv
- Added optional management of DNS servers via nmcli.
2.1.8.26. pupmod-simp-rsyslog
- Added support for ‘KeepAlive’ variables for ‘imtcp’ and ‘omfwd’ actions.
- Changed the local rule defined type to use the same package defaults for action queues that are in the remote rule defined type.
- Changed the remote rule defined type to use package defaults for action queues.
- Added a default rule to log packets dropped by firewalld to /var/log/firewall.log.
- Added /var/log/firewall.log to SIMP’s ‘syslog’ logrotate rule.
- Added logrotate::rule options to the rsyslog::conf::logrotate class.
- Removed the filter_ rules that were present for an old (and broken) version of the simp/simp_firewalld module.
- Removed the params pattern and migrated to data in modules.
2.1.8.27. pupmod-simp-selinux
- Allow users to include selinux::install without needing full SELinux system management. This is particularly important when the native types are to be used in different modules but you don’t want to include full management just to get the required packages.
- No longer enable or install mcstransd by default. It is a user convenience feature and not required for core functionality.
- Ensured that mcstransd is added to the GID assigned to /proc if one is assigned on the system.
2.1.8.28. pupmod-simp-simp
- sssd configuration updates
  - Configure the ‘files’ provider in lieu of the ‘local’ provider for EL7 and later.
  - Deprecated the following parameters in simp::sssd::client: autofs, ssh and sudo. The simp/sssd module configures services in sssd::services. Use that parameter to configure those entries.
  - Configure sssd for EL8, even if the ldap_domain and local_domain parameters of simp::sssd::client are set to false.
- Updated simp::mountpoints::proc to ensure polkitd can be configured to have access to /proc:
  - Assign a group and gid by default.
  - Create a group by default.
  - Discover these values from the system if possible.
- Removed the following applications from the list of base OS applications installed automatically by simp/simp:
  - man
  - man-pages
  - vim-enhanced
  - dos2unix
  - elinks
  - hunspell
  - lsof
  - mlocate
  - pax
  - pinfo
  - sos
  - star
  - symlinks
  - words
  - x86info
- Deprecated the simp::base_apps::manage_elinks_config parameter.
  - It no longer has any effect.
- simp::nsswitch updates
  - Updated the simp::nsswitch class to have sane defaults.
    - Added support for ‘mymachines’ and ‘myhostname’ by default.
    - Removed all NIS references since NIS should not be in general usage any longer and was never natively supported by SIMP.
    - Configuration files are now common across all supported OSs since nsswitch “does the right thing” when it hits a module that it does not recognize.
  - Allow nsswitch overrides.
- Added chronyd support for EL8
  - Moved ntp to the list of OS-relevant applications for EL6 and EL7.
  - Added chrony for EL8.
- Updated the client kickstart scripts/configuration
  - Updated the bootstrap_simp_client script to use chronyd if the kernel version is 4 or later.
  - Deprecated the simp::server::kickstart::runpuppet parameter and removed the old, corresponding runpuppet kickstart scripts. The simp_bootstrap_client scripts should be used instead.
- ClamAV updates:
  - Removed clamav from the list of classes included by default in the SIMP scenarios.
    - This will not remove ClamAV from systems where it is installed; Puppet will simply stop managing it.
    - To continue managing ClamAV with Puppet, add clamav to simp::classes in the appropriate Hiera file for that SIMP client.
    - See the simp/clamav module for information on configuring or removing ClamAV on a system.
  - Deprecated simp::server::clamav.
    - This parameter will be removed in a future SIMP release.
    - To manage ClamAV on the SIMP server after the parameter is removed, manually add the clamav class to the simp::classes array in the SIMP server’s Hiera file.
- simp::yum::repo* updates:
  - Added:
    - simp::yum::repo::internet_simp class:
      - Uses the SIMP yum repository package (simp-community-release) to configure yum for SIMP’s internet public repositories at simp-project.com.
      - simp-project.com is the new host for SIMP’s yum repositories.
      - packagecloud is no longer being updated.
    - simp::yum::repo::simp_release_version function: Returns the SIMP release version for use in the SIMP internet yum repositories.
    - Simp::Version data type alias for valid version strings for use in the SIMP internet repositories.
    - New parameters to simp::yum::repo::local_simp and simp::yum::repo::local_os_updates: relative_repo_path, baseurl, and gpgkey. baseurl and gpgkey allow complete yumrepo resource overrides.
  - Deprecated:
    - simp::yum::repo::internet_simp_server and simp::yum::repo::internet_simp_dependencies classes:
      - These resources are no longer useful because their API matches the OBE packagecloud SIMP repositories.
      - As a workaround, the classes have been modified to use simp::yum::repo::internet_simp to configure the correct repositories at simp-project.com.
      - You should switch to using simp::yum::repo::internet_simp directly, as these classes will be removed in a future release.
    - simp::yum::repo::sanitize_simp_release_slug function: a function only useful to the deprecated classes.
- Added the simp::puppetdb::cipher_suites parameter to manage the cipher suites supported by PuppetDB’s HTTP interface (Jetty).
  - Used to set puppetdb::cipher_suites.
  - Value set to a safe set.
- Call selinux::install prior to using native types that require the packages to be installed.
2.1.8.29. pupmod-simp-simp_apache
- Default to only TLS1.2.
2.1.8.30. pupmod-simp-simp_banners
- Removed all OS support statements from metadata.json, since this is simply a data-only module.
2.1.8.31. pupmod-simp-simp_bolt
- Added plan to install puppet-agent on target nodes.
- Configured Bolt to request a pseudo TTY for SSH sessions if specified.
- Configured new logs to be appended to the log file instead of overwriting.
2.1.8.32. pupmod-simp-simp_firewalld
This is a new SIMP module that provides a profile class and defined type to manage the system’s firewalld with “safe” defaults and safety checks for firewalld rules. It uses the puppet/firewalld module to update the system’s firewalld configuration.
2.1.8.33. pupmod-simp-simp_gitlab
Updated for the latest GitLab application (13.5.x) and puppet/gitlab (6.0.1).
Removed:
- Support for GitLab < 12.3.0.
- TLSv1.1 from the default for simp_gitlab::ssl_protocols.
Changed:
- Set the GitLab root password in a fashion that minimizes coupling of simp/simp_gitlab with the internals of puppet/gitlab.
  - Set a throw-away password during initial GitLab package installation using GitLab configuration in /etc/gitlab/gitlab.rb. Setting the password during initial install is the only way to ensure the password is not set by an external user. Otherwise, the first GitLab page that comes up is the page to reset the root password.
  - After GitLab initial configuration, set the real root password using a script that implements GitLab-provided procedures for resetting the password.
- Use chronyd instead of ntpd, as GitLab itself uses chronyd and chronyd is required for EL8.
- Use puppet/gitlab for managing packages again.
- Renamed the ‘gitlab_monitor’ key to ‘gitlab_exporter’ in the configuration hash.
  - The name change is required for GitLab >= 12.3.0.
- No longer set gitlab::external_port.
  - The custom port is already appropriately configured via gitlab::external_url.
  - ‘external_port’ is no longer a supported GitLab configuration key and causes gitlab-ctl reconfigure to fail.
- simp/simp_gitlab now fails to compile when the node is in FIPS mode, unless simp_gitlab::allow_fips (a new parameter) is set to true.
Added:
- Parameters to enable setting the GitLab root password:
  - simp_gitlab::set_gitlab_root_password
  - simp_gitlab::gitlab_root_password
  - simp_gitlab::rails_console_load_timeout
- A script to change the GitLab root password, /usr/local/sbin/change_gitlab_root_password.
- Disabling of Let’s Encrypt usage in GitLab, by default.
  - The integration of SIMP PKI management with Let’s Encrypt has not yet been done.
  - To use Let’s Encrypt, disable SIMP management of PKI by setting simp_gitlab::pki to false and then manage the certificates manually.
- A svckill::ignore rule for the GitLab service. Since the service is no longer managed by default by gitlab::service, this prevents the service from being inadvertently killed when it is unmanaged.
Important
As a side effect of the changes related to setting the GitLab root password, upon module upgrade, the GitLab root password will be automatically set to the value of simp_gitlab::gitlab_root_password, unless the (empty) marker file /etc/gitlab/.root_password_set exists or the parameter simp_gitlab::set_gitlab_root_password is set to false. If you forget to disable this automation or just want to reset the GitLab root password, simply run
    /usr/local/sbin/change_gitlab_root_password <new_password>
You do not need to know the previous password to set the new password.
2.1.8.34. pupmod-simp-simp_ipa
- Make the IPA server optional in the join task. It is perfectly valid to not specify a server when doing an IPA client install and instead rely on DNS auto discovery.
2.1.8.35. pupmod-simp-simp_nfs
- The following parameters had to be changed from hostnames or IP addresses to only IP addresses due to use of firewalld on EL8:
  - simp_nfs::home_dir_server
  - simp_nfs::mount::home::nfs_server
2.1.8.36. pupmod-simp-simp_options
- The simp_options::clamav catalyst has been deprecated.
  - As of SIMP 6.5, SIMP’s clamav class is no longer included in the class list of the SIMP scenarios. So, this catalyst is not needed to disable it.
  - To have SIMP manage ClamAV on your system, add the clamav class to your system’s class list.
  - See the simp/clamav module README.md for information on managing ClamAV.
- simp_options::puppet::server and simp_options::puppet::ca are now optional.
  - These are no longer required at all times due to support for Bolt. Code that used these parameters will correctly fail and require users to add them to their configuration.
- Updated simp_options::ldap to require the master and uri parameters if simp_options::puppet::server is not defined.
2.1.8.37. pupmod-simp-simp_rsyslog
- Added support for firewalld log message collection.
- Deep merge simp_rsyslog::log_collection.
- Removed the filter_IN_99_simp_DROP rules that were present for an old (and broken) version of the simp/simp_firewalld module.
2.1.8.38. pupmod-simp-simp_snmpd
- Changes:
  - Updated to use puppet/snmp version 5.1.2.
  - The default configuration for this module has not changed, but some settings are now placed in the snmpd.conf file instead of in a subdirectory.
  - In the previous version the user directory was automatically included. Now the user must set simp_snmpd::include_userdir to true for files in the user directory to be included. The relevant parameters are as follows:
    - simp_snmpd::include_userdir
    - simp_snmpd::user_snmpd_dir
  - The configuration parameter simp_snmpd::snmpd_conf_file has been renamed to simp_snmpd::service_config. This is the location of the snmpd.conf file.
  - The type of the simp_snmpd::services parameter has been changed from a String to an Integer.
  - The simp_snmpd::system_info parameter has been deprecated. puppet/snmp now includes these settings by default and they can’t be removed. This means that net-snmp will set them as not writable and they cannot be changed by a set call from an snmpd manager or client.
- New features:
  - Added settings to allow users to change owner/group and permissions on configuration files:
    - simp_snmpd::service_config_dir_owner
    - simp_snmpd::service_config_dir_group
    - simp_snmpd::service_config_dir_perms
    - simp_snmpd::service_config_perms
  - Added configuration of snmpd user and group IDs, as well as optional management of the user and group:
    - simp_snmpd::snmpd_uid
    - simp_snmpd::snmpd_gid
    - simp_snmpd::manage_snmpd_user
    - simp_snmpd::manage_snmpd_group
  - The SNMP trap daemon is still stopped by default. New parameters can be used to enable the daemon, set the command line options on the daemon and start it at boot. The default settings in puppet/snmp are used. Configuration files placed in a user directory can be created by the user for any additional configuration. The following settings have been added to create this behavior:
    - simp_snmpd::trap_service_ensure
    - simp_snmpd::trap_service_startatboot
    - simp_snmpd::trap_service_config
    - simp_snmpd::snmpdtrapd_options
    - simp_snmpd::user_trapd_dir
2.1.8.39. pupmod-simp-simpkv
This is a new SIMP module that provides an abstract library that allows Puppet to access one or more key/value stores.
This module provides:
- a standard Puppet language API (functions) for using key/value stores
- a configuration scheme that allows users to specify per-application use of different key/value store instances
- adapter software that loads and uses store-specific interface software provided by the simp/simpkv module itself and other modules
- a Ruby API for the store interface software that developers can implement to provide their own store interface
- a file-based store on the local filesystem and its interface software.
Future versions of this module will provide a distributed key/value store.
2.1.8.40. pupmod-simp-simplib
2.1.8.40.1. Facts Changes
Added the following facts:
Fact | Description |
---|---|
simplib__auditd | Returns a hash of auditd status. |
simplib__firewalls | Returns an array of known firewall commands that are present on the system. |
simplib__mountpoints | Returns a hash of mountpoints of particular interest to SIMP modules. |
simplib__numa | Returns a hash of NUMA values. |
simplib__efi_enabled | Returns true if the host is using EFI. |
simplib__secure_boot_enabled | Returns true if the host is using UEFI Secure Boot. |
Deprecated the following facts:
- tmp_mounts fact. Use simplib__mountpoints, instead.
2.1.8.40.2. Function Changes
Added the following functions:
Function | Description |
---|---|
simplib::debug::inspect | Enhanced version of simplib::inspect. |
simplib::debug::classtrace | Prints a trace of all catalog resources traversed to get to the current point. |
simplib::debug::stacktrace | Prints a trace of all files traversed to get to the current point. |
simplib::ip::family_hash | Takes an IP address or array of IP addresses and returns a hash with the addresses broken down by family. The returned hash also contains additional helpful metadata. |
simplib::module_metadata::os_blacklisted | Determine if the passed metadata indicates that the current OS has been blacklisted. |
simplib::module_metadata::os_supported | Determine if the passed module metadata indicates that the current OS is supported. |
simplib::module_metadata::assert | Adds an assertion based on whether the OS is supported or blacklisted. |
simplib::caller | Determines what called a function. |
simplib::passgen::gen_password_and_salt | Generates a password and salt. |
simplib::passgen::gen_salt | Generates a salt. |
simplib::passgen::get | Retrieves a generated password and any stored attributes. |
simplib::passgen::list | Retrieves the list of generated passwords with attributes and the list of sub-folders stored at a simplib::passgen folder. |
simplib::passgen::remove | Removes a generated password, history and stored attributes. |
simplib::passgen::set | Sets a generated password with attributes. |
simplib::safe_filename | Converts a string into a filename that is ‘path safe’. |
Updated the following functions:
- simplib::passgen:
  - Added ‘simpkv’ mode.
    - Runs in ‘legacy’ mode (default) or in ‘simpkv’ mode.
    - ‘simpkv’ mode is EXPERIMENTAL.
    - When in ‘simpkv’ mode, simplib::passgen uses simp/simpkv for password persistence.
    - ‘simpkv’ mode is enabled by setting simplib::passgen::simpkv to true in Hiera.
    - If you enable ‘simpkv’ mode on a system that already has passwords generated via the legacy code, currently all passwords will be regenerated.
  - Added the simpkv_options parameter to simplib::passgen for use in ‘simpkv’ mode.
  - Enhanced simplib::passgen operation when in ‘simpkv’ mode:
    - Stores the complexity and complex_only settings in the password’s simpkv metadata, so that the password can be regenerated with the same characteristics.
    - Regenerates the password if the requested ‘complexity’ or ‘complex_only’ setting differs from the setting used for the latest persisted password.
    - Stores up to the latest 10 <password,salt> pairs in the password’s simpkv metadata.
  - Added a gen_timeout_seconds password option. Previously this was hardcoded to 30 seconds.
  - Added the ability to set the user and group for legacy simplib::passgen files.
  - Changed the default permissions on legacy simplib::passgen files to the user running the catalog compile. This will allow Bolt to set permissions correctly.
- simplib::gen_random_password:
  - Intersperse special characters among the alphanumeric characters when complexity is 1 or 2 and complex_only is false. Previously, this function grouped all the alphanumeric characters together and grouped all the special characters together. This generated passwords that were not suitable for user passwords, as they would fail the cracklib/libpwquality complexity checks.
- simplib::assert_metadata:
  - Added the blacklist option. This allows functionality to deliberately fail on an OS that is listed in the module’s metadata.json, but is not necessarily supported by all parts of the given module.
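The two simplib::passgen behaviours above (interspersing special characters instead of grouping them, and regenerating a persisted password only when the requested complexity settings change, keeping the last 10 <password,salt> pairs) are easier to see in code. The following Ruby is an added example written for this page; it is not simplib’s own implementation. The character sets, the ratio of special characters, the salt format and the in-memory Hash standing in for the simpkv store are all constructed assumptions.

```ruby
require 'securerandom'

# Character classes for the example (constructed; the actual character sets
# used by simplib::gen_random_password are not shown on the page).
ALNUM   = [*'a'..'z', *'A'..'Z', *'0'..'9'].freeze
SPECIAL = '!@#$%^&*()-_=+{}[]:;,.?~'.chars.freeze
MAX_HISTORY = 10 # the page: up to the latest 10 <password,salt> pairs are kept

# Generate a password of the given length.
#   complexity 0        -> alphanumerics only
#   complexity 1 or 2   -> include special characters
#   complex_only true   -> special characters only
# With interspersed: true (the 6.5.0 behaviour) the specials are shuffled in
# among the alphanumerics; with interspersed: false (the old behaviour) all
# alphanumerics come first and all specials are grouped at the end.
def gen_random_password(length, complexity: 0, complex_only: false, interspersed: true)
  raise ArgumentError, 'length must be positive' unless length.positive?
  return Array.new(length) { ALNUM.sample(random: SecureRandom) }.join if complexity.zero?
  return Array.new(length) { SPECIAL.sample(random: SecureRandom) }.join if complex_only

  n_special = [1, length / 4].max # constructed ratio, not simplib's
  specials  = Array.new(n_special) { SPECIAL.sample(random: SecureRandom) }
  alnums    = Array.new(length - n_special) { ALNUM.sample(random: SecureRandom) }
  chars = alnums + specials
  chars = chars.shuffle(random: SecureRandom) if interspersed
  chars.join
end

# True when every special character sits in one contiguous run, i.e. the
# layout that cracklib/libpwquality tends to reject.
def specials_grouped?(password)
  idx = password.chars.each_index.select { |i| SPECIAL.include?(password[i]) }
  idx.empty? || (idx.last - idx.first + 1 == idx.size)
end

# Simpkv-style persistence, simulated with an in-memory Hash keyed by the
# password identifier. The stored metadata carries the complexity settings, so
# the password is regenerated only when different settings are requested.
def passgen(store, identifier, length: 32, complexity: 0, complex_only: false)
  entry = store[identifier]
  if entry && entry[:complexity] == complexity && entry[:complex_only] == complex_only
    return entry[:password]
  end

  password = gen_random_password(length, complexity: complexity, complex_only: complex_only)
  salt     = SecureRandom.hex(8) # constructed salt format
  history  = entry ? entry[:history] : []
  store[identifier] = {
    password: password, salt: salt,
    complexity: complexity, complex_only: complex_only,
    history: ([[password, salt]] + history).first(MAX_HISTORY)
  }
  password
end
```

Calling passgen twice with the same identifier and settings returns the same password; changing complexity or complex_only produces a new one and pushes the old <password,salt> pair down the history, which is capped at MAX_HISTORY entries.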
2.1.8.40.3. New data type aliases¶
Added Simplib::Systemd::ServiceName for valid systemd service names.
2.1.8.41. pupmod-simp-ssh¶
- Migrated to the updated version of simp/selinux that allows for isolated package installation in support of the SELinux native types.
- Allow users to use the puppet/selinux module instead of SIMP components.
2.1.8.42. pupmod-simp-stunnel¶
- Set the default for stunnel::connection::ssl_version to TLSv1.2 for EL8 compatibility.
- Set the default for stunnel::instance::ssl_version to TLSv1.2 for EL8 compatibility.
- Set the stunnel::connection::app_pki_crl parameter to undef by default due to issues with pointing the setting to an absent directory in EL8.
- Set the stunnel::instance::app_pki_crl parameter to undef by default due to issues with pointing the setting to an absent directory in EL8.
- Updated valid ssl_version entries.
2.1.8.43. pupmod-simp-sudo¶
- Added parameters for the sudo::default_entry and sudo::alias defined types.
- CVE-2019-14287 mitigation.
  - Do not allow the use of user id or group id of ‘-1’ when ‘ALL’ or ‘%ALL’ are used in the runas section of a sudo user specification and the version of sudo is earlier than 1.8.28.
- Deep merge user_specifications by default.
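The two conditions the mitigation keys on, a sudo older than 1.8.28 and a user specification whose runas list contains ‘ALL’ or ‘%ALL’, can be checked on a host before deciding whether the mitigation still matters. The Ruby below is an added example for this page, not pupmod-simp-sudo’s own code: it reads the first line of sudo -V output, compares the version against 1.8.28 and lists the exposed specifications from a constructed sudoers sample.

```ruby
require 'rubygems' # for Gem::Version

# sudo 1.8.28 fixed CVE-2019-14287; the page says earlier versions are affected.
FIXED_SUDO_VERSION = Gem::Version.new('1.8.28')

# Pull the version out of `sudo -V` output ("Sudo version 1.8.23" on line one).
def sudo_version(sudo_v_output)
  m = sudo_v_output.match(/^Sudo version (\S+)/)
  m && m[1]
end

# Compare against 1.8.28. The "pN" patch suffix is dropped before comparing
# (Gem::Version would otherwise treat it as a pre-release); that is safe here
# because the fix boundary is a plain x.y.z release.
def sudo_affected?(version)
  Gem::Version.new(version.sub(/p\d+\z/, '')) < FIXED_SUDO_VERSION
end

# Return the sudoers user-specification lines whose runas list contains
# ALL or %ALL, e.g. "root ALL=(ALL) ALL" or "%wheel ALL=(ALL:ALL) ALL".
def exposed_specs(sudoers_text)
  found = []
  sudoers_text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    m = line.match(/\A\S+\s+\S+\s*=\s*\(([^)]*)\)/)
    next unless m
    runas = m[1].split(/[:,]/).map(&:strip)
    found << line if runas.any? { |r| r == 'ALL' || r == '%ALL' }
  end
  found
end

# Combine both checks: exposure needs an affected sudo AND a runas ALL spec.
def cve_2019_14287_exposure(sudo_v_output, sudoers_text)
  version  = sudo_version(sudo_v_output)
  specs    = exposed_specs(sudoers_text)
  affected = !version.nil? && sudo_affected?(version)
  { version: version, affected_version: affected, specs: specs,
    exposed: affected && !specs.empty? }
end

# Constructed sample input (not taken from a real host).
SAMPLE_SUDO_V  = "Sudo version 1.8.23\nSudoers policy plugin version 1.8.23\n".freeze
SAMPLE_SUDOERS = <<~SUDOERS.freeze
  # constructed sample sudoers
  Defaults    requiretty
  root    ALL=(ALL)       ALL
  %wheel  ALL=(ALL:ALL)   ALL
  alice   ALL=(www-data)  /usr/bin/systemctl restart httpd
SUDOERS
```

On a real host the two inputs would come from `sudo -V` and from /etc/sudoers plus /etc/sudoers.d; an empty :specs list or a version of 1.8.28 or later both clear the finding.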
2.1.8.44. pupmod-simp-svckill¶
- Updated the svckill provider to work with different Puppet service provider implementations.
  - If after a Puppet upgrade you find that svckill is trying to kill system services that it previously ignored, you need simp/svckill version 3.6.1 or later to fix the problem.
- Updated service lists.
2.1.8.45. pupmod-simp-swap¶
- Disable dynamic_swappiness by default.
- Set the static system swappiness to 60 by default.
2.1.8.46. pupmod-simp-tcpwrappers¶
- Enhanced behavior to do nothing when TCP Wrappers is not supported by the OS.
2.1.8.47. pupmod-simp-tpm2¶
- Removed the option for managing tools, tpm2::manage_tpm2_tools. Tools can be managed or not by removing them from the package list. Note that the tools package is needed to determine the status of the TPM.
- Added support for setting tabrm_options for connecting to the simulator.
2.1.8.48. pupmod-simp-useradd¶
- Added explicit support for setting the rescue/emergency shell on systemd systems.
2.1.8.49. rubygem-simp-cli¶
- Updated the instructions provided in the local user lockout warning message in the bootstrap lock file.
  - Simplified instructions to create resources via Hiera.
  - Tell the user to check that they can ssh into the server with the new user after bootstrap but before rebooting. This step is imperative to ensure that the user can also get through Puppet-managed authentication!
- Updated SIMP internet repositories configured by simp config.
  - Now uses simp-project.com repositories via the new simp::yum::repo::internet_simp class.
  - The packagecloud repositories are no longer being updated.
- Allow users to set the ‘SIMP_ENVIRONMENT’ environment variable to change the initial environment from ‘production’ to a custom value, when running simp config or simp bootstrap.
- simp config changes
  - Ensured that simp config uses the simp::classes parameter instead of classes by default, but accepts both simp::classes and classes as valid existing configurations.
  - Removed the deprecated --non-interactive option. Use --force-defaults instead.
- Added the simp kv command family to allow users to manage and inspect entries in a simpkv key/value store.
- simp passgen changes
  - Split into sub-commands for ease of use:
    - simp passgen envs: List environments that may have simplib::passgen passwords.
    - simp passgen list: List names of simplib::passgen passwords.
    - simp passgen remove: Remove simplib::passgen passwords.
    - simp passgen set: Set simplib::passgen passwords.
    - simp passgen show: Show simplib::passgen passwords and other stored attributes.
  - Updated to work with simpkv-enabled simplib::passgen. Automatically detects whether simplib::passgen is operating in ‘legacy’ mode or ‘simpkv’ mode in the specified environment, and then executes password operations using the appropriate mechanism for that mode.
  - When setting passwords, disabled libpwquality/cracklib validation of user-entered passwords by default, because not all passwords managed by simplib::passgen are user passwords. This validation can be re-enabled with the --validate option of simp passgen set.
  - Added the following command line options when creating passwords:
    - --[no-]auto-gen: Whether to auto-generate new passwords.
    - --complexity: Password complexity to use when a password is auto-generated. Corresponds to the complexity option of simplib::passgen.
    - --[no-]complex-only: Whether to use only complex characters when a password is auto-generated. Corresponds to the complex_only option of simplib::passgen.
    - --[no-]validate: Enables validation of new passwords with libpwquality/cracklib.
    - --length: Password length to use when a password is auto-generated.
  - Added the --[no-]details option when showing password information. When enabled, all available password information is displayed, not just the current and previous password values.
- Updated HighLine from version 1.7.8 to 2.0.3.
2.1.8.50. simp-adapter¶
- Removed logic to ensure any existing, global hiera.yaml.simp file is not removed on upgrade from simp-adapter <= 0.0.6.
  - This is not an issue when upgrading from SIMP 6.4.0 to SIMP 6.5.0 (i.e., simp-adapter version 1.0.1 to version 2.0.0).
  - If for some reason you are upgrading from simp-adapter version <= 0.0.6, manually save off /etc/puppetlabs/puppet/hiera.yaml.simp prior to the upgrade, and then restore that file after the upgrade is complete.
2.1.8.51. simp-environment-skeleton¶
- Ensure that firewalld is used by default in the applicable SIMP scenarios.
- Ensured that the server Hiera defaults have simp::server in the simp::classes array. Otherwise, it will never get picked up.
- Replaced classes with simp::classes and simp::server::classes as appropriate in the example Hiera YAML files.
- FakeCA updates
  - Added the CA code directly into the project to allow the code to work on newer OS versions.
  - Allow users to specify an alternate output directory via a ‘KEYDIST’ environment variable.
  - Consolidated the certificate request and revocation code.
  - Certificate revocation now runs in linear time.
  - Changed permissions for files and directories to be world readable.
- Added a PE-suitable Puppet server YAML data template.
2.1.8.52. simp-gpgkeys¶
- Added the CentOS 8 and EPEL 8 GPG keys.
- Removed Fedora 25 and 26 GPG keys.
- Updated puppetlabs GPG key.
2.1.8.53. simp-rsync-skeleton¶
- Added mitigation for CVE-2019-6477 to the sample RedHat 7 named.conf.
- Removed rndc.key files from the sample named configuration to prevent users from accidentally using a published, sample secret key.
  - The named service will create a key if one does not exist, using the correct defaults for the system.
- Updated the README in rsync/RedHat/Global/tftpboot/linux-install.
  - It now explains which boot files for the TFTP boot server are required when tftpboot::use_os_files is set to false.
2.1.8.54. simp-utils¶
- Added sample kickstart files to /usr/share/simp/ to allow users to have access to all OS-specific versions of the kickstart files.
- Added a check to the unpack_dvd script for dangerously unspecific OS versions (e.g., ‘7’ instead of ‘7.0.2003’).
  - This is common when unpack_dvd autodetects the OS version from the ISO’s .treeinfo on some OSes (particularly CentOS).
  - It can result in clobbering of existing OS files, when the script unpacks files into a directory named for the major OS version.
  - The script will exit with an informative message and instructions for how the user can address the issue with the -v option.
- Added the (optional) --unpack-pxe [DIR] option to the unpack_dvd script.
  - Added the (optional) --environment ENV option to set the PXE rsync environment.
  - Added a new --[no-]unpack-yum option (enabled by default) to permit users to disable the RPM unpack.
  - To enable unpacking PXE tftpboot files, run with --unpack-pxe.
  - To disable unpacking RPMs/yum repos, run with --no-unpack-yum.
  - See unpack_dvd --help for details.
- Overhauled unpack_dvd --help; the output now fits on 80-character PTY consoles.
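The version check described above (refuse a major-only version read from .treeinfo, accept an explicit -v override) is shown below as an added Ruby example written for this page; it is not the unpack_dvd script’s own code. It assumes that .treeinfo is an INI-style file whose [general] section carries a version key, and the two .treeinfo fragments are constructed, not copied from real media.

```ruby
# Parse the [general] section of a .treeinfo file (assumed layout: an
# INI-style "[general]" section with "version = ..." and "family = ..." keys)
# into a Hash of key => value.
def parse_treeinfo(text)
  section = nil
  general = {}
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#', ';')
    if (m = line.match(/\A\[(.+)\]\z/))
      section = m[1]
    elsif section == 'general' && (m = line.match(/\A([^=]+?)\s*=\s*(.*)\z/))
      general[m[1]] = m[2]
    end
  end
  general
end

# A version with only a major number ('7', '8') is unspecific: unpacking into a
# directory named for it can clobber another point release already unpacked.
def unspecific_version?(version)
  !version.match?(/\A\d+\.\d+/)
end

# Decide which OS version to unpack under. An explicit override (the -v value)
# wins; otherwise the .treeinfo value is used only when it is specific enough.
# Returns a Hash describing the outcome, with a user-facing message on failure.
def check_os_version(treeinfo_text, override: nil)
  return { ok: true, version: override, source: 'override' } if override

  detected = parse_treeinfo(treeinfo_text)['version']
  if detected.nil?
    return { ok: false, version: nil, source: 'treeinfo',
             message: 'no version key found in .treeinfo; rerun with -v <version>' }
  end

  if unspecific_version?(detected)
    { ok: false, version: detected, source: 'treeinfo',
      message: "OS version '#{detected}' detected from .treeinfo is dangerously " \
               'unspecific; rerun with -v <full version> (e.g. 7.0.2003)' }
  else
    { ok: true, version: detected, source: 'treeinfo' }
  end
end

# Constructed .treeinfo fragments (not copied from real media).
CENTOS_TREEINFO = "[general]\nfamily = CentOS\nversion = 7\narch = x86_64\n".freeze
RHEL_TREEINFO   = "[general]\nfamily = Red Hat Enterprise Linux\nversion = 7.8\narch = x86_64\n".freeze
```

The CentOS-style fragment is rejected until a full version is supplied via override:, while the RHEL-style fragment with a major.minor version is accepted as detected.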
2.1.8.55. SIMP ISO¶
- Fixed a bug in the instructions about enabling encryption in non-FIPS mode in the sample client kickstart files.
  - Following the erroneous instructions prevented automatic decryption from happening at client boot, because the encrypted disk credentials were not added to the dracut configuration.
2.1.9. Known Bugs and Limitations¶
Below are bugs and limitations known to affect this release. If you discover additional problems, please submit an issue to let us know.
2.1.9.1. Special considerations with EL8 clients¶
2.1.9.1.1. Network-isolated EL8 clients require EPEL8 and EL8 Base/Updates dnf mirrors¶
Because there is no SIMP 6.5 EL8 server release, there is no accompanying EL8 ISO or package tarball that can be used to create a self-hosted dnf repository for SIMP-specific EL8 packages.
In order to provide the necessary packages to EL8 agents on a network-isolated SIMP 6.5 infrastructure, admins must ensure that dnf repo mirrors are available for:
- EL8 Base/Updates
- EPEL 8
- Puppet EL8
2.1.9.1.2. unpack_dvd does not (re-)create modular repos for EL8 dnf repos (SIMP-8614)¶
EL8 introduces modular package repositories. When unpacking an EL8 ISO to populate a yum repository, SIMP 6.5.0’s unpack_dvd script does not recognize or correctly package repository modules. Consequently, EL8 Puppet agents applying catalogs that require modular EL8 packages may encounter errors like the following:
Error: /Stage[main]/Simp_apache::Install/Package[httpd]/ensure: change from 'purged' to 'latest' failed: Could not update: Execution of '/usr/bin/dnf -d 0 -e 1 -y install httpd' returned 1: No available modular metadata for modular package 'httpd-2.4.37-21.module_el8.2.0+382+15b0afa8.x86_64', it cannot be installed on the system
Error: No available modular metadata for modular package