2.2. SIMP Community Edition (CE) 6.5.0
2.2.1. OS compatibility
This release is known to work with:
CentOS 6.10 x86_64 — no server ISO or release tarball
CentOS 7.0 2003 x86_64
CentOS 8.2 2004 x86_64 — client systems only
OEL 6.10 x86_64 — no server ISO or release tarball
OEL 7.8 x86_64
OEL 8.2 x86_64 — client systems only
RHEL 6.10 x86_64 — no server ISO or release tarball
RHEL 7.8 x86_64
RHEL 8.2 x86_64 — client systems only
2.2.1.1. Important OS compatibility limitations
OS compatibility is subject to the following limitations:
2.2.1.1.1. EL8 support is CLIENT ONLY
This release introduces client-only EL8 support in the core Puppet modules.
EL8 support is limited to managing EL8 Puppet agents with the core Puppet modules.
All Puppet modules provided as core dependencies of the simp RPM support EL8.
This release does NOT support EL8 for:
Managing an EL8 SIMP Server
Installing SIMP from an EL8 ISO.
Using the unpack_dvd script on modular yum repositories found on EL8 OS ISOs
Additional limitations with EL8
Not all modules provided by the simp-extras RPM have been updated for EL8.
EL8 updates to the remaining simp-extras modules will be phased in over future SIMP releases.
Support for managing an EL8 SIMP/Puppet server and installing from EL8 ISOs will be provided in a later SIMP release (SIMP 6.6.0).
In SIMP 6.5.0, there are known issues with PXE kickstarting and unpacking ISOs as yum mirrors for EL8 clients. These issues particularly affect network-isolated environments.
For details, see: Special considerations with EL8 clients.
2.2.1.1.2. EL6 support is EOL
EL6 maintenance support is EOL for both RHEL 6 and CentOS 6.
Upstream vendor support ended on 30 November 2020.
SIMP tarball and ISO releases for EL6 have been discontinued.
There will be no EL6 tarball or server ISO release for SIMP 6.5.0.
New SIMP Puppet modules may not support EL6.
EL6 has been tested with SIMP 6.5.0’s Puppet modules, the `unpack_dvd` script, and PXE kickstarts. However, no further EL6 support is planned for SIMP Puppet modules.
EL6 support may be removed completely in each module’s next release.
Some optional Puppet modules (provided by the simp-extras RPM) no longer support EL6.
In particular, this affects simp/autofs, simp/nfs, and simp/simp_nfs.
If you need these capabilities on EL6, use earlier versions of these modules in an EL6-specific Puppet environment.
2.2.2. Breaking Changes
2.2.2.1. IPTables Rule Refinement
Important
IPTables does NOT have breaking changes out of the box.
A new parameter, `iptables::precise_match`, was added that performs higher precision matching on iptables rules to detect the need to restart iptables.
It is highly recommended that you set `iptables::precise_match: true` in Hiera so that minor changes, such as subnet updates or single port changes, will appropriately restart iptables.
If you enable precision matching, do so with care, since you may find that iptables rule updates are propagated that you thought had previously been applied.
It is highly recommended that you migrate to firewalld if at all possible. See the relevant section below for more details.
2.2.2.2. Deprecated Puppet 3 API Functions Removed
All SIMP-provided Puppet 3 API functions (originally deprecated in SIMP 6.4.0) have now been removed in order to fully support Puppet 6. The affected functions and their replacements (when available) are listed in sub-sections below.
2.2.2.2.1. Puppet 3 Functions Removed from simp/compliance_markup
| Puppet 3 API Function | Replacement | Replacement Source |
|---|---|---|
| | | simp/compliance_markup >= 3.0.0 |
2.2.2.2.2. Puppet 3 Functions Removed from simp/simp_apache
| Puppet 3 API Function | Replacement | Replacement Source |
|---|---|---|
| | | simp/simp_apache >= 6.0.1 |
| | | simp/simp_apache >= 6.0.1 |
| | | simp/simp_apache >= 6.0.1 |
2.2.2.2.3. Puppet 3 Functions Removed from simp/simplib
Important
Most (but not all) of the Puppet 3 API functions in the table below have replacements. If any function that has been removed without a replacement is essential to you, let us know by submitting a feature request at https://simp-project.atlassian.net.
| Puppet 3 API Function | Replacement | Replacement Source |
|---|---|---|
| | Puppet language in operator or Puppet built-in functions | Puppet >= 5.2.0 |
| | Puppet built-in function | Puppet >= 5.5.0 |
| | Puppet language + (concatenation) operator, combined with Puppet built-in function | Puppet >= 5.0.0 |
| | | simp/simplib >= 3.15.0 |
| | None | N/A |
| | None | N/A |
| | None | N/A |
| | | simp/simplib >= 3.15.0 |
| | | simp/simplib >= 3.3.0 |
| | | simp/simplib >= 3.5.0 |
| | | simp/simplib >= 3.15.0 |
| | | simp/simplib >= 3.5.0 |
| | | simp/simplib >= 3.8.0 |
| | None | N/A |
| | None | N/A |
| | | simp/simplib >= 3.7.0 |
| | | simp/simplib >= 3.8.0 |
| | | simp/simplib >= 3.5.0 |
| | | simp/simplib >= 3.5.0 |
| | | simp/simplib >= 3.5.0 |
| | | simp/simplib >= 3.15.0 |
| | | simp/simplib >= 3.5.0 |
| | Puppet built-in | Puppet >= 4.0.0 |
| | | simp/simplib >= 3.5.0 |
| | Puppet built-in | |
| | Puppet built-in | |
| | | simp/simplib >= 3.8.0 |
| | Use a custom Puppet data type such as | Puppet >= 4.0.0 |
| | Puppet data types | simp/simplib >= 3.8.0 |
| | Use Puppet | Puppet: >= 4.0.0; simp/simplib >= 3.8.0 |
| | | simp/simplib >= 3.8.0 |
| | Use Puppet | Puppet: >= 4.0.0; |
| | Use | simp/simplib >= 3.7.0 |
| | Use | simp/simplib >= 3.5.0 |
| | Use | simp/simplib >= 3.5.0 |
| | | simp/simplib >= 3.7.0 |
| | | simp/simplib >= 3.7.0 |
| | Use | simp/simplib >= 3.7.0 |
| | | simp/simplib >= 3.7.0 |
2.2.2.2.4. Puppet 3 Functions Removed from simp/ssh
| Puppet 3 API Function | Replacement | Replacement Source |
|---|---|---|
| | | simp/ssh >= 6.2.0 |
| | | simp/ssh >= 6.2.0 |
2.2.2.3. Primary API Changed in Optional Modules
The following SIMP modules from the simp-extras RPM have had breaking API changes:
The specific changes made are described in detail in the New Features section.
2.2.2.4. EL6 Support Dropped from Some (Optional) Puppet Modules
The following optional SIMP modules have dropped support for EL6:
If you need EL6 for a client node, place it in an environment with older versions of the appropriate modules.
2.2.3. Significant Updates
2.2.3.1. EL8 SIMP Client Node Support
This release provides support for managing software on EL8 agents.
This includes all (appropriate) Puppet modules provided by the simp RPM, and a subset of the Puppet modules provided by the simp-extras RPM.
The remaining changes required for an EL8 SIMP server and ISO will be available in the next SIMP minor release.
EL8 updates to the remaining, optional, Puppet modules will be phased in over future SIMP releases. This includes the following SIMP modules:
2.2.3.2. Full Puppet 6 Support and Puppet 6 Default Components
All SIMP Puppet modules now work with both Puppet 5 and Puppet 6, and the SIMP-6.5.0 ISOs deliver Puppet 6 application RPMs.
2.2.3.3. firewalld Support
As of SIMP 6.5.0, firewalld support is available within SIMP and is the default for all new installations on platforms that support it.
New simp/simp_firewalld module: SIMP now includes simp/simp_firewalld which provides a profile class and defined type to manage the system’s firewalld with “safe” defaults and safety checks for firewalld rules.
firewalld support in simp/iptables for backward compatibility: The simp/iptables module has preliminary support for acting as a pass-through to various firewalld capabilities using the simp/simp_firewalld module.
To enable ‘firewalld’ mode on supported operating systems, simply set `iptables::use_firewalld` to `true` via Hiera. EL8 systems enable ‘firewalld’ mode by default.
Use of any of the `iptables::listen::*` defined types will work seamlessly in ‘firewalld’ mode, as long as IP addresses are used in their `trusted_nets` parameters.
Direct calls to `iptables::rule` in ‘firewalld’ mode will emit a warning notification that directs the user to convert their rules to `simp_iptables::rule` types.
Important
Be aware that firewalld rules do not support hostnames; IP addresses must be used. This may impact any manifests that contain `iptables::listen` resources, including resources from some SIMP modules. You will have to change any hostnames to IP addresses for the affected resources when using firewalld.
The table below is a list of the SIMP resource parameters impacted by the lack of hostname support in firewalld.
Many of these parameters default to `simp_options::trusted_nets`, when it is available. Each network element can be specified as a network (CIDR notation), an IP address, 'ALL' or 'any'. ‘or’ in the table below indicates the default value that will be used if the previous value is not defined.
| Parameter | Default Value |
|---|---|
| | |
| | |
| | |
| | |
| | N/A |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | N/A |
| | N/A |
| | |
| | |
| | |
| | |
| | |
| | |
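The hostname limitation above is easy to miss in a long trusted_nets list, so here is a small added check (example code written for these notes, not part of any SIMP module) that classifies each element of a trusted_nets-style list by the forms the notes accept (a CIDR network, a single IP address, 'ALL' or 'any'), normalizes addresses to network/prefix form, and reports anything else, such as a hostname, that must be converted to an address before `iptables::use_firewalld` is set to `true`. The function names and the sample list are constructed for the example.

```ruby
require 'ipaddr'

# Keyword values accepted alongside addresses (per the notes: 'ALL' or 'any').
TRUSTED_NET_KEYWORDS = %w[ALL any].freeze

# Classifies one trusted_nets element as :keyword, :cidr (has a '/'),
# :address (bare IPv4/IPv6 address) or :unsupported (a hostname or any other
# value that IPAddr cannot parse, which firewalld rules cannot express).
def classify_trusted_net(element)
  return :keyword if TRUSTED_NET_KEYWORDS.include?(element)

  IPAddr.new(element) # accepts 'a.b.c.d', 'a.b.c.d/n', 'a.b.c.d/mask' and IPv6 forms
  element.include?('/') ? :cidr : :address
rescue IPAddr::InvalidAddressError # also covers IPAddr::InvalidPrefixError
  :unsupported
end

# Returns the element in canonical 'network/prefix' form: a bare address gets a
# host prefix (/32 or /128), a dotted netmask becomes a prefix length and host
# bits are cleared. Keywords pass through unchanged; unsupported values give nil.
def normalize_trusted_net(element)
  case classify_trusted_net(element)
  when :keyword then element
  when :address, :cidr
    ip = IPAddr.new(element)
    "#{ip}/#{ip.prefix}"
  end
end

# Returns the elements of a trusted_nets list that 'firewalld' mode cannot use.
def unsupported_trusted_nets(list)
  list.select { |e| classify_trusted_net(e) == :unsupported }
end

# Constructed sample list, modelled on a simp_options::trusted_nets value.
SAMPLE_TRUSTED_NETS = [
  '10.0.2.0/24',              # CIDR network
  '192.168.1.10',             # single IPv4 address
  '172.16.0.0/255.255.0.0',   # dotted netmask, normalises to /16
  'fd00::/8',                 # IPv6 network
  'ldap.example.com',         # hostname: not usable in firewalld rules
  'ALL',
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_TRUSTED_NETS.each do |e|
    puts format('%-26s %-12s %s', e, classify_trusted_net(e), normalize_trusted_net(e).inspect)
  end
  bad = unsupported_trusted_nets(SAMPLE_TRUSTED_NETS)
  puts "Convert to IP addresses before enabling firewalld mode: #{bad.join(', ')}" unless bad.empty?
end
```

Run it against the trusted_nets values from your Hiera data and from any manifest that declares `iptables::listen::*` resources; every element reported as unsupported is one the ‘firewalld’ mode will not be able to use and needs to be replaced by an address or network.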
2.2.3.4. Optional Dependency Handling
In SIMP 6.5.0, optional dependency handling has been integrated into ~20 additional SIMP Puppet modules. These modules explicitly identify optional, dependent modules, all while providing safeguards to ensure the user is notified of any such missing dependencies at compilation time. This feature allows the user to minimize installation of unused modules in an environment, when the user is not using SIMP to manage specific capabilities.
Key details about this feature are as follows:
Optional module dependencies are indicated in the `metadata.json` file using an ‘optional_dependencies’ key within a ‘simp’ key. For example, see simp/rsyslog’s metadata.json.
The user has complete control over installation of the optional dependency modules. These dependencies will not be installed automatically when the module using them is installed via `puppet module install`.
Modules that use this feature will fail manifest compilation if the user enables the optional capabilities but the optional dependencies required to implement that capability are not installed in the environment.
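Because these dependencies are not pulled in by `puppet module install`, a practitioner will want to know before a catalog compiles whether an environment actually contains them. The following added example (not SIMP project code) reads the optional dependency list from a module's metadata.json and reports which of those modules are absent from a Puppet environment's module directories. The layout of the entries (objects with "name" and "version_requirement", mirroring Puppet's own "dependencies" array) is an assumption based on that convention rather than something quoted from the notes; the sample metadata, the module name `example-hypothetical` and the temporary module directory are constructed for the example.

```ruby
require 'json'
require 'tmpdir'
require 'fileutils'

# Constructed metadata for a hypothetical module that optionally uses
# simp/iptables and simp/rsyslog (assumed entry layout, see lead-in).
SAMPLE_METADATA = <<~JSON
  {
    "name": "example-hypothetical",
    "version": "1.0.0",
    "dependencies": [
      { "name": "simp/simplib", "version_requirement": ">= 3.15.0 < 5.0.0" }
    ],
    "simp": {
      "optional_dependencies": [
        { "name": "simp/iptables", "version_requirement": ">= 6.4.0 < 7.0.0" },
        { "name": "simp/rsyslog",  "version_requirement": ">= 7.7.0 < 8.0.0" }
      ]
    }
  }
JSON

# Module names in metadata are 'author/module' (or 'author-module'); on disk a
# module lives in a directory named after the module part only.
def module_dir_name(full_name)
  full_name.split(%r{[/-]}, 2).last
end

# Returns the optional dependency names listed under the 'simp' key, or []
# when the module declares none.
def optional_dependencies(metadata_json)
  meta = JSON.parse(metadata_json)
  meta.fetch('simp', {}).fetch('optional_dependencies', []).map { |d| d['name'] }
end

# Returns the optional dependencies that have no module directory under any of
# the given modulepath entries. Presence is judged by the existence of
# metadata.json inside the module directory.
def missing_optional_dependencies(metadata_json, modulepath)
  optional_dependencies(metadata_json).reject do |name|
    modulepath.any? { |dir| File.file?(File.join(dir, module_dir_name(name), 'metadata.json')) }
  end
end

# Builds a constructed environment containing only simplib and iptables, runs
# the check against it, and returns the list of missing optional dependencies.
def demo_missing_optional_dependencies
  Dir.mktmpdir('simp-optdeps') do |root|
    modules = File.join(root, 'modules')
    %w[simplib iptables].each do |m|
      FileUtils.mkdir_p(File.join(modules, m))
      File.write(File.join(modules, m, 'metadata.json'), '{"name":"simp-' + m + '"}')
    end
    missing_optional_dependencies(SAMPLE_METADATA, [modules])
  end
end

if __FILE__ == $PROGRAM_NAME
  missing = demo_missing_optional_dependencies
  if missing.empty?
    puts 'All optional dependencies are present'
  else
    puts "Optional dependencies not installed (compilation fails if their capabilities are enabled): #{missing.join(', ')}"
  end
end
```

Point `missing_optional_dependencies` at the real modulepath of an environment (for example its `modules` directory) to get the same report for a deployed module; a name in the result is one whose optional capability must stay disabled until the module is installed.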
2.2.3.5. Dependent Module Updates
SIMP updated as many dependent modules as possible. This included major version bumps for several of the dependent modules. These changes did not have a significant impact on the SIMP infrastructure. The dependency version bumps did, however, require some of the SIMP modules to update their respective `metadata.json` files. These metadata changes, in turn, required SIMP module version updates.
2.2.4. Security Announcements
SIMP 6.5.0 added mitigations for the following CVEs:
2.2.5. RPM Updates
2.2.5.1. Puppet RPMs
The following Puppet RPMs are packaged with the SIMP 6.5.0 ISOs:
| Package | Version |
|---|---|
| puppet-agent | 6.18.0-1 |
| puppet-bolt | 2.29.0-1 |
| puppetdb | 6.12.0-1 |
| puppetdb-termini | 6.12.0-1 |
| puppetserver | 6.13.0-1 |
Warning
You do NOT need to update your version of Puppet from 5.X to use the modules supplied with this version of SIMP.
If you decide to update from 5.X, back up your server and test the upgrade carefully.
2.2.6. Removed Puppet Modules
2.2.6.1. Unused Augeasproviders Modules
The following packages for unused Augeasproviders Puppet modules and one dependency were removed from the SIMP ISOs:
pupmod-herculesteam-augeasproviders_apache
pupmod-herculesteam-augeasproviders_mounttab
pupmod-herculesteam-augeasproviders_nagios
pupmod-herculesteam-augeasproviders_pam
pupmod-herculesteam-augeasproviders_postgresql
pupmod-herculesteam-augeasproviders_puppet
pupmod-herculesteam-augeasproviders_shellvar
pupmod-puppetlabs-mount_providers
2.2.6.2. Docker Modules
The packages for the following Docker Puppet modules have been permanently removed from the SIMP ISOs, because SIMP is moving towards podman support over docker.
pupmod-puppetlabs-docker
pupmod-simp-simp_docker
2.2.6.3. pupmod-simp-journald
The pupmod-simp-journald package has been removed from SIMP ISOs, because the functionality the simp/journald module provided is now provided by the camptocamp/systemd module. If you used simp/journald, you will need to update your manifests to use camptocamp/systemd.
2.2.7. Fixed Bugs
2.2.7.1. pupmod-simp-aide
Fixed a bug in Compliance Engine data.
2.2.7.2. pupmod-simp-auditd
Fixed a bug in which the module could not enable auditing on a system with auditing already disabled in the kernel, when replication of the audit logs to syslog was required.
Fixed a bug in which the auditd service was managed when the kernel was not enforcing auditing.
Fixed a bug in which the facts were not properly confined.
Fixed a bug in which `/etc/audit/audit.rules.prev` caused unnecessary flapping.
Fixed regex substitution for bad path characters.
Added missing herculesteam/augeasproviders_grub module dependency.
2.2.7.3. pupmod-simp-dconf
Fixed a bug in `ensure = absent` in `dconf::settings`.
2.2.7.4. pupmod-simp-compliance_markup
Fixed merging bugs introduced in interim versions of the module.
Fixed a regression introduced in interim versions of the module in which compliance reports were missing ‘controls’, ‘identifiers’, and ‘oval-ids’.
2.2.7.5. pupmod-simp-freeradius
Fixed missing ‘group_filter’ option in LDAP.
2.2.7.6. pupmod-simp-iptables
Fixed a bug in which the iptables services and rules were not managed when `iptables::use_firewalld` was set to `true` on an EL6 system.
Fixed an ordering issue with setting `xt_recent` parameters that could occur on OEL7 nodes. However, there are other issues with `xt_recent` on OEL that may prevent this module from working on OEL in some circumstances.
Fixed a bug in which the module did not check for firewalld availability when `iptables::use_firewalld` was set to `true`. The module now ensures that systems that do not have `firewalld` do not attempt to configure it.
Fixed bugs in iptables rule address normalization:
Ensured that all addresses are normalized when rules are processed.
Removed nested looped rule normalization of addresses since it is no longer required.
Fixed `normalize_addresses()` so that it simply grabs the netmask if present and slaps on the appropriate one if not.
Fixed some bugs in the `munge()` portions of the native types.
2.2.7.7. pupmod-simp-libvirt
Fixed issues with module data.
2.2.7.8. pupmod-simp-logrotate
Fixed a bug in which the ‘size’ parameter in the global logrotate configuration file was specified more than once.
2.2.7.9. pupmod-simp-network
Fixed a bug in which both the legacy network service and NetworkManager were activated in all cases.
2.2.7.10. pupmod-simp-nfs
Fixed a bug in which IPv6 ‘::1’ network entries were not being created in `/etc/exports`. This could cause connections over stunnel to fail under certain conditions.
rpc.rquotad service configuration was erroneously written to `/etc/sysconfig/nfs` for EL7. It is now written to the correct file, `/etc/sysconfig/rpc-rquotad`.
Fixed idmapd-related bugs:
idmapd was erroneously only enabled when NFSv3 was allowed. idmapd is an NFSv4 service.
The idmapd client was not configured to use nfsidmap. An nfsidmap entry has now been added to `/etc/request-key.conf`.
Fixed bugs in which bidirectional communication for NFSv3 was not properly configured.
NFSv3 lockd ports on the NFS client were not explicitly configured and thus not allowed through the firewall. This would have affected file locking using NLM.
rpcbind, statd, and lockd service names were not allowed by TCP Wrappers for the NFS client. This would have affected server to client NFSv3 NSM and NLM protocol messages over TCP.
Fixed bugs in mount options:
Previously used the deprecated ‘nfs4’ fstype. This has been replaced with the ‘nfs’ fstype and use of the ‘nfsvers’ option to specify the version of NFS to use.
The mount option ‘proto’ is now set to ‘tcp’ when `stunnel` is enabled.
Fixed a bug with a duplicate exec resource in `nfs::client::mount` when stunnel was enabled.
Fixed erroneous server-only/client-only configuration that appeared to be settable independently for the NFS client and NFS server on the same node, but because of shared services, actually applied to the node as a whole.
Removed `nfs::client::firewall` and `nfs::server::firewall`. Use `nfs::firewall` instead.
Removed `nfs::server::tcpwrappers`. Use `nfs::tcpwrappers` instead.
Removed `nfs::server::nfsv3`, `nfs::server::lockd_arg`, `nfs::server::statdarg`, `nfs::server::statd_ha_callout`, `nfs::server::rpcgssdargs`, and `nfs::server::rpcsvcgssdargs`. Use the appropriate parameters in the `nfs` class instead.
2.2.7.11. pupmod-simp-pam
Fixed a bug in which a local user password could not be set.
Moved the ‘pam_unix.so’ check before the ‘pam_sss.so’ check in the password section of the auth files; otherwise it returns an ‘authentication token manipulation’ error and local passwords cannot be changed.
2.2.7.12. pupmod-simp-polkit
Fixed an issue with the `basic_policy` template that resulted in malformed rules.
2.2.7.13. pupmod-simp-pupmod
Fixed a bug in which the module could not determine the appropriate Puppet configuration for Puppet >= 6.19.0 from the internal `Puppet.settings` method, because the ‘master’ section was renamed to ‘server’.
Fixed a bug on EL6 nodes in which setting `pupmod::master::generate_types` to `false` caused the catalog compilation to fail.
Fixed a bug in puppetserver configuration in which the ‘profiler-output-file’ parameter was incorrectly specified as ‘profiling-output-file’.
Fixed a bug in managing group ownership of `puppet.conf` when using Puppet Enterprise.
Ensured that `pupmod::pass_two` does not conflict with the internal PE configuration code for group ownership of `puppet.conf`.
2.2.7.14. pupmod-simp-rsyslog
Fixed the default security collection string for firewalld rules.
Fixed a bug where the ‘IncludeConfig’ directive for `/etc/rsyslog.d` allowed more than just `.conf` files to be parsed.
2.2.7.15. pupmod-simp-selinux
Fixed a bug in which the module would attempt to create `selinux_login` resources when `selinux::login_resources` was set but selinux was disabled. This resulted in the error message ‘Could not find a suitable provider for selinux_login’ during catalog compilation.
2.2.7.16. pupmod-simp-simp
Ensure that the sudoers rule for removing the Puppet SSL directory is not created when running from Bolt, since the directory target is changed at each Bolt run and will result in non-idempotency.
Fixed a bug in which the ‘gpgkey’ and ‘baseurl’ configuration strings were required for the local YUM repositories managed by `simp::yum::repo::local_os_updates` and `simp::yum::repo::local_simp`. Both are optional in the `yumrepo` type if they already exist on disk.
Removed the broken `tasks/` directory.
2.2.7.17. pupmod-simp-simplib
Fixed the `simplib::puppet::metadata::os_support` data type to allow `operatingsystemrelease` to be optionally defined.
Added Amazon Linux support.
Fixed the use of `simplib::debug::inspect` when using Bolt.
Fixed bugs in the `grub_version` and `init_systems` facts.
Fixed the `simplib__auditd` fact so that it detects the state of the running auditd process.
Fixed `Simplib::Systemd::ServiceName` to accept instance services.
Fixed an issue in the `simplib__sshd_config` fact that would cause the daemon to start on an EL6 system that did not already have it running.
Fixed a bug in which the `simplib__firewalls` fact was not properly confined and would trigger on Windows systems.
Fixed an issue in `simplib::ip::family_hash` where the ‘unknown’ entries were not properly populated.
Fixed a bug in which `simplib::simp_version` did not work on Windows.
Fixed an `uninitialized constant` error with the `reboot_notify` custom type.
2.2.7.18. pupmod-simp-simp_options
Fixed PE detection in `simp_options::puppet::server_distribution`.
2.2.7.19. pupmod-simp-simp_snmpd
Fixed a bug in which the PID file option was missing from the default options for the snmpd daemon in EL6. The daemon failed to start without this option.
Fixed a bug where the default for client security level was incorrectly set.
The default access security level is now set by the new parameter `simp_snmpd::defvacmlevel` instead of `simp_snmpd::defsecuritylevel`. `simp_snmpd::defsecuritylevel` sets the default security level for the client.
Added a missing dependency on simp/tcpwrappers.
2.2.7.20. pupmod-simp-stunnel
Added the `stunnel::instance_purge` class to remedy the ‘floating services’ issue.
2.2.7.21. pupmod-simp-tftpboot
Fixed a bug in which the internal rsync operation did not match the documentation.
Fixed a manifest ordering issue.
2.2.7.22. pupmod-simp-tlog
Fixed a bug in the tcsh template.
Added a workaround to scripts in `/etc/profile` to handle a bug in tlog that would prevent logins if the system hostname could not be found.
2.2.7.23. pupmod-simp-tpm2
Fixed a bug where the tpm2_* commands could return nothing which would trigger an error in further logic.
2.2.7.24. pupmod-simp-xinetd
Removed ‘TRAFFIC’ from the default `log_on_success` list since it may cause information leakage and is not supported by all service types.
2.2.7.25. rubygem-simp-cli
Fixed a bug in which simp config did not allow DNS domains that did not include at least one dot character. Domains are now validated per RFC 3696.
Fixed a bug where simp config recommended the wrong SSSD domain, when the SIMP server was not the LDAP server. It recommended the ‘Local’ domain, when the appropriate SIMP-created domain with the ‘local’ (EL6) or ‘files’ (EL7) provider is named ‘LOCAL’.
Fixed a bug in simp environment new in which the actual failure messages from a failed setfacl --restore execution were not logged.
Fixed a bug where simp config --dry-run would prompt the user to apply actions instead of skipping them and then writing the `~/.simp/simp_conf.yaml` file. Users would answer ‘no’ to the unexpected apply query, and then simp config would only persist the answers to the interim answers file (`~/.simp/.simp_conf.yaml`).
Fixed Puppet Enterprise support for simp config and simp bootstrap.
Fixed a fact-loading bug that prevented the PE fact (`is_pe`) from being available.
Hardened PE-detection logic for cases in which the `is_pe` fact is not yet available during simp config.
Added support for SIMP server template Hiera data that is PE-specific.
Fixed a bug in which the module paths containing PE modules were not excluded when simp config checked for modules in the ‘production’ Puppet environment. This forced the user to remove the skeleton ‘production’ environment installed by the puppet-agent RPM, in order to get simp config to run on a freshly installed PE system.
2.2.7.26. simp-environment-skeleton
When running FakeCA certification-generation scripts in batch mode, do not request input from the user.
Fixed a bug in which some non-script files were installed with executable permissions.
2.2.7.27. simp-utils
Fixed minor bugs in unpack_dvd.
2.2.8. New Features
2.2.8.1. pupmod-simp-aide
Updated the EL8 ciphers to be safe on FIPS systems by default.
Removed overrides for `aide::aliases` on EL8 since it works properly in FIPS mode.
Automatically add ‘@@include’ lines to `aide.conf`. Previously, when declaring `aide::rule` resources, it was also necessary to add the rule name to the `aide::rules` array.
Moved the default rules to data in modules.
2.2.8.2. pupmod-simp-auditd
Allow `auditd::space_left` and `auditd::admin_space_left` to accept percentages on supported versions.
Added ‘INCREMENTAL_ASYNC’ to the possible values for `auditd::flush`.
Added a `built_in` audit profile to the subsystem that provides the ability to include and manage sample rulesets to be compiled into active rules.
Ensured that kmod is audited in all STIG modes on EL7+.
Allow users to knockout entries from arrays specified in Hiera.
Added rules based on best practices mostly pulled from `/usr/share/doc/auditd`:
Audit 32 bit operations on 64 bit systems
Audit calls to the auditd CLI commands
Audit IPv4 and IPv6 inbound connections
Optionally audit IPv4 and IPv6 outbound connections
Audit suspicious applications
Audit systemd
Audit the auditd configuration space
Ignore time daemon logs (clutter)
Ignore ‘CRYPTO_KEY_USER’ logs (clutter)
Add ability to set the ‘backlog_wait_time’
Set ‘loginuid_immutable’
Set defaults for syslog parameters if auditd version is unknown.
Added a fact that determines the major version of auditd that is running on the system, `auditd_major_version`. This is used in the `hiera.yaml` hierarchy to add module data specific to the versions.
Added support for auditd v3.0, which is used by RedHat 8. Most of the changes in auditd v3.0 were related to how the plugins are handled, but there are a few new parameters added to `auditd.conf`. They are set to their defaults according to the man page of `auditd.conf`.
auditd v3.0 moved the handling of plugins into auditd from audispd. The following changes were made to accommodate that:
To make sure the parameters used to handle plugins were defined in one place no matter what version of auditd was used, they were moved to `init.pp` and referenced from there by the `audisp` manifest. For backwards compatibility, they remain in `audisp.conf` and are aliased in the Hiera module data.
For backwards compatibility, `auditd::syslog` still defaults to the value of `simp_options::syslog`, although the two are not really the same thing. You might want to review this setting and set `auditd::syslog` to a value that is appropriate for your system.
To enable auditd logging to syslog, set the following in Hiera:

```yaml
---
auditd::syslog: true
auditd::config::audisp::syslog::enable: true
# The drop_audit_logs is still there for backwards compatibility and
# needs to be disabled.
auditd::config::audisp::syslog::drop_audit_logs: false
```

To stop auditd logging to syslog, set the following in Hiera:

```yaml
---
auditd::syslog: true
auditd::config::plugins::syslog::enable: false
```

Setting `auditd::syslog` to `false` will stop Puppet from managing the `syslog.conf`; it will not disable auditd logging to syslog. Disable the syslog plugin as described above.
The settings for `syslog.conf` were updated to work for new and old versions of auditd.
Added installation of the audisp-syslog package when using auditd v3.
Added rules to monitor `/usr/share/selinux`.
2.2.8.3. pupmod-simp-autofs
This module was extensively refactored. Please read the updated README.md to understand the current usage. Notable feature/API changes:
Updated autofs service configuration to use `/etc/autofs.conf` in addition to `/etc/sysconfig/autofs`.
Updated `/etc/autofs.master` to load content from `/etc/auto.master.simp.d/` and `/etc/auto.master.d/` in lieu of specifying map entries directly.
‘auto.master’ entries are now written to files in `/etc/auto.master.simp.d`, a directory fully managed by this module. `/etc/auto.master.d` is left unmanaged by Puppet.
Auto-converts from the old maps directory to the current maps directory and emits a warning. This is to help the 90% of users who aren’t doing anything special with this module.
Added an `autofs::map` defined type that allows the user to specify all the parameters for a ‘file’ map in one place. This resource will generate the appropriate resources to create both the ‘auto.master’ entry file and the map file.
Added the `autofs::masterfile` defined type to replace the deprecated `autofs::master::map`. `autofs::masterfile` creates an ‘auto.master’ entry file in `autofs::master_conf_dir`.
Unlike `autofs::map::master`, `autofs::masterfile` does not have a `content` parameter, because a user can simply use a `file` resource to specify a custom ‘auto.master’ entry file.
Added the `autofs::mapfile` defined type to replace the deprecated `autofs::master::entry`. `autofs::mapfile` creates a mapfile for a direct mapping or one or more indirect mappings.
Unlike `autofs::master::entry`, it does not have duplicate resource naming problems (wildcard or otherwise).
`autofs` class changes:
Added the following new autofs service configuration parameters:
master_wait
mount_verbose
mount_nfs_default_protocol
force_standard_program_map_env
use_hostname_for_mounts
disable_not_found_message
sss_master_map_wait
use_mount_request_log_id
auth_conf_file
custom_autofs_conf_options
Added `master_conf_dir` and `master_include_dirs` parameters to allow users to specify directories containing ‘auto.master’ entry files.
Added `maps_dir` to specify the location of SIMP-managed maps and changed the directory name from `/etc/autofs` to `/etc/autofs.maps.simp.d` for clarity.
Added `maps` to allow users to specify ‘file’ type maps in Hiera data. Each map specifies the contents of an ‘auto.master’ entry file and its corresponding mapping file.
Renamed `options` to `automount_options` for clarity.
Renamed `use_misc_device` to `automount_use_misc_device` for clarity.
Removed `autofs::master_map_name`. This parameter is not exposed in `/etc/autofs.conf` and does not look like it is intended to be changed.
Changed permissions of `/etc/auto.master` and `/etc/sysconfig/autofs` to match those of the delivered RPM.
`autofs::ldap_auth` class changes:
`autofs::ldap_auth` is now a private class to ensure the name of the configuration file created by this class matches the ‘auth_conf_file’ setting in `/etc/autofs.conf`.
Added the `encoded_secret` optional parameter. This parameter takes precedence when both the `secret` and `encoded_secret` parameters are specified.
`autofs::map::master` has been deprecated by `autofs::map` or `autofs::masterfile`. Its behavior has changed from writing a section of `/etc/auto.master` to writing an auto.master entry file in `autofs::master_conf_dir`.
`autofs::map::entry` has been deprecated by `autofs::map` or `autofs::mapfile`. Its behavior has changed from writing a file in `/etc/autofs` to writing a file in `autofs::maps_dir`.
2.2.8.4. pupmod-simp-clamav
Updated documentation to clarify what `simp_options::clamav` actually does and to note that `clamav` was removed from SIMP’s default class list in SIMP 6.5.
Set the default for `clamav::set_schedule::enable` to look up `clamav::enable`, so that the class will remove the ‘clamscan’ cron job if management of ClamAV is disabled.
Disable SIMP’s rsync pulls by default.
2.2.8.5. pupmod-simp-compliance_markup
Deep merge hash values in the Hiera backend.
Improved confinement
Added support for confinement in ‘profiles’, ‘controls’ and ‘ces’ (as well as ‘checks’).
Added support for arrays of potential matches in confinement blocks.
Added support for structured facts in confinement.
Updated confinement logic to ensure that all possibilities are collected.
Apply confinement before merging values.
Improved performance:
Reduced the amount of data passed around in the Hiera backend.
Ensured that the Hiera backend recurses as little as possible.
Removed useless loops in `list_puppet_params()`.
Improved error handling and debugging:
Ignore undefined ‘ces’ when correlating checks and profiles.
Raise errors on malformed data.
Added debugging logs to enforcement logic.
Removed all support for v1 data since it was experimental and removed in 3.0.0.
Load data from the `compliance_markup::compliance_map` Hiera key after compliance profiles in modules to allow for profile tailoring via Hiera. This means that users may now override all settings from the underlying compliance maps across all modules to fit their environment specifics.
2.2.8.6. pupmod-simp-cron
Manage cron packages by default.
2.2.8.7. pupmod-simp-crypto_policy
This is a new module to manage, and provide information about, the system-wide crypto policies.
2.2.8.8. pupmod-simp-dconf
Allow users to set custom settings via Hiera.
2.2.8.9. pupmod-simp-deferred_resources
Remove ‘ftp’ and ‘games’ users and groups when enforcing STIG compliance.
2.2.8.10. pupmod-simp-dhcp
Made use of SIMP’s rsync operation optional (enabled by default for backwards compatibility).
Added support for passing in a full `dhcpd.conf` entry.
Ensured that the SELinux user and type are set for the configuration files.
Switched to using `iptables::listen::udp` for firewalld compatibility.
2.2.8.11. pupmod-simp-fips
Ensured that EL8 updates trigger updating the global system crypto policy, since some subsystems now ignore the local configuration by default.
2.2.8.12. pupmod-simp-freeradius
Added support for overriding ‘post-auth’ in LDAP.
Added support for overriding ‘accounting’ in LDAP.
Added support for specifying the entire file content.
Removed `simp_options::puppet::server` from the default lookup logic for `freeradius::v3::modules::ldap::server`. In systems that use Bolt to compile and apply manifests, that setting will not be available.
2.2.8.13. pupmod-simp-incron
Remove pinned versions of incron, since the upstream packages have been fixed.
2.2.8.14. pupmod-simp-iptables
Added preliminary support for acting as a pass-through to various firewalld capabilities using the simp/simp_firewalld module.
Using any of the iptables::listen::* defined types will work seamlessly in ‘firewalld’ mode, but direct calls to iptables::rule will fail.
Calls to any of the native types included in this module will result in undefined behavior and are not advised.
To enable ‘firewalld’ mode on supported operating systems, simply set iptables::use_firewalld to true via Hiera.
EL8 systems will enable ‘firewalld’ mode by default.
Improved the internal rule matching to handle most netmask and port updates.
Added an exact_match Boolean to the iptables_optimize and ip6tables_optimize native types to allow for more aggressive rule matching.
This change requires that inbound rules match whatever is returned by iptables-save and/or ip6tables-save to prevent iptables flapping.
Allow the ‘LOCAL-INPUT’ jump rule in the ‘FORWARD’ and ‘INPUT’ chains to occur last as a default action through the addition of an iptables::rules::base::force_local_input parameter.
Allow users to disable adding the ‘SIMP:’ prefix to the rule comment.
Allow users to disable comments on rules completely.
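The ‘firewalld’ mode described above, shown as an added Puppet example that is not taken from the simp/iptables module itself. It assumes the listen types accept trusted_nets and dports parameters, uses a resource-like class declaration in place of the Hiera key, and the network ranges are constructed:

```puppet
# Added example (not from the simp/iptables module docs). Switches the module
# into 'firewalld' mode via a resource-like class declaration; in SIMP this is
# normally done with the Hiera key iptables::use_firewalld: true (EL8 systems
# default to this mode). trusted_nets and dports are assumed parameter names.
class { 'iptables':
  use_firewalld => true,
}

# iptables::listen::* defined types are the portable API: they behave the same
# whether the module drives iptables directly or passes through to firewalld.
iptables::listen::tcp_stateful { 'allow_sshd_from_mgmt':
  trusted_nets => ['10.10.0.0/24'],   # constructed management network
  dports       => 22,
}

iptables::listen::udp { 'allow_dns_queries':
  trusted_nets => ['10.0.0.0/8'],     # constructed internal range
  dports       => 53,
}

# A raw iptables::rule is NOT portable: the release notes state that direct
# calls fail in firewalld mode, so keep declarations like this out of profiles
# that may be applied to EL8 (firewalld-by-default) nodes.
# iptables::rule { 'allow_raw_ntp':
#   content => '-A LOCAL-INPUT -p udp --dport 123 -j ACCEPT',
# }
```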
2.2.8.15. pupmod-simp-krb5
Updated SELinux hotfix for EL8.
Migrated SELinux hotfix to vox_selinux::module.
2.2.8.16. pupmod-simp-libreswan
Removed unused libreswan::use_certs_parameter parameter.
Added support for IKEv2 Mobility (RFC-4555) and mobile client connections.
Added additional settings for DNS and Domains for Libreswan v3.23+.
2.2.8.17. pupmod-simp-libvirt
Split out install and service into separate classes to give users more flexibility on what they manage with the module.
2.2.8.18. pupmod-simp-logrotate
Allow all log size configuration parameters to be specified in bytes, kilobytes, megabytes, or gigabytes.
Added ability to specify ‘maxsize’ configuration for specific logrotate rules.
2.2.8.19. pupmod-simp-named
Allow users to force enabling/disabling of the chroot settings.
Allow users to easily set the named_write_master_zones SELinux boolean in case they need to support dynamic DNS or zone transfers.
2.2.8.20. pupmod-simp-nfs
This module was extensively refactored. Read the updated README.md to understand the current usage. Notable feature/API changes:
Overall changes
Dropped stunnel support for NFSv3. This tunneling did not work because:
The NFS client sends the NFS server Network Status Manager (NSM) notifications via UDP, exclusively.
At multi-NFS-server sites, a unique rpcbind port per server is required in order for a NFS client to be able to tunnel its server-specific RPC requests to the appropriate server.
nfs class changes
Reworked parameters to reflect configuration of /etc/nfs.conf and, for limited EL7-only configuration, /etc/sysconfig/nfs. See the class documentation for full details.
Removed stunnel_systemd_deps and stunnel_tcp_nodelay parameters throughout the module.
These parameters were not consistently used in the manifest code (i.e., declared but not used) and were confusing.
The corresponding stunnel_socket_options and stunnel_wantedby parameters in classes/defines now use defaults that were intended to be set by those parameters.
Now masks NFS services that are not needed, so they are not unnecessarily started when the nfs-server.service or nfs-client.target are restarted.
nfs::client changes
Added support for pNFS: Set blkmap to true to enable the pNFS service, nfs-blkmap.service.
Added nfs::stunnel_socket_options and stunnel_wantedby parameters, which provide the defaults for all nfs::client::mount instances.
nfs::client::mount define changes
nfs_server must now be specified as an IP address. This change was necessary for firewalld.
In options, changed the default mount type to ‘soft’ instead of ‘hard’. Also removed the deprecated ‘intr’ option, as it has no effect.
Reworked the remote autodetect logic to detect a local mount based on IP address instead of simply whether the node is also configured to be an NFS server.
Added support for direct autofs mounts and simplified specification of indirect mounts. When autofs_indirect_map_key is not specified, a direct mount is specified by name. When autofs_indirect_map_key is specified, an indirect mount is specified with name as the mount point and autofs_indirect_map_key as the mount key.
Renamed autofs_map_to_user to autofs_add_key_subst to better reflect automount terminology. This parameter simply adds key substitution to the remote location, which, although it can be used for user home directories, is not restricted to that use case.
Renamed port to nfsd_port to be consistent with the name of that parameter throughout the entire module.
Renamed v4_remote_port to stunnel_nfsd_port for clarity and to be consistent with the name of that parameter throughout the entire module.
Exposed client stunnel configuration that was scattered throughout the module to this API. Users can now specify stunnel_socket_options and stunnel_verify for each mount. When unspecified, the defaults from the nfs class are used.
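The direct and indirect autofs forms, and the per-mount stunnel overrides, described in the nfs::client::mount changes above, written out as an added Puppet example that is not part of the simp/nfs module documentation. The remote_path and stunnel parameter names and the server addresses are assumptions for this example:

```puppet
# Added example (not from the simp/nfs module docs). Assumes nfs::client::mount
# accepts remote_path and a Boolean stunnel parameter; 10.0.0.5 and 10.0.0.6
# are constructed server addresses. nfs_server must be an IP, not a hostname.

# Direct autofs mount: autofs_indirect_map_key is not given, so the resource
# name '/mnt/apps' is the mount point itself.
nfs::client::mount { '/mnt/apps':
  nfs_server  => '10.0.0.5',
  remote_path => '/exports/apps',
}

# Indirect autofs mount: the resource name '/home' is the autofs mount point
# and autofs_indirect_map_key is the map key. With the wildcard key and
# autofs_add_key_subst enabled, a lookup of /home/alice resolves to
# 10.0.0.5:/exports/home/alice (the key is substituted into the remote path).
nfs::client::mount { '/home':
  nfs_server              => '10.0.0.5',
  remote_path             => '/exports/home',
  autofs_indirect_map_key => '*',
  autofs_add_key_subst    => true,
}

# Per-mount stunnel settings override the defaults inherited from the nfs
# class (nfs::stunnel_socket_options / stunnel_verify).
nfs::client::mount { '/mnt/secure':
  nfs_server             => '10.0.0.6',
  remote_path            => '/exports/secure',
  stunnel                => true,
  stunnel_verify         => 2,
  stunnel_socket_options => ['l:TCP_NODELAY=1', 'r:TCP_NODELAY=1'],
}
```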
nfs::server class changes
Exposed server stunnel configuration that was scattered throughout the module to this API. Users can now specify stunnel_accept_address, stunnel_nfsd_accept_port, stunnel_socket_options, stunnel_verify, and stunnel_wantedby in this class. When unspecified, the defaults for all but stunnel_accept_address and stunnel_wantedby are pulled from the nfs class.
Added the following parameters: nfsd_vers4, nfsd_vers4_0, nfsd_vers4_1, nfsd_vers4_2, and custom_rpcrquotad_opts.
Renamed nfsv3 to nfsd_vers3 to reflect its use in /etc/nfs.conf.
Moved nfs::rpcquotad_port to this class and renamed rpcrquotadopts to custom_rpcrquotad_opts for clarity.
Moved nfs::mountd_port to this class and removed rpcmountdopts. Custom configuration for that daemon should now be made via nfs::custom_nfs_conf_opts or nfs::custom_daemon_args as appropriate.
Removed the obsolete nfsd_module parameter.
nfs::server::export define changes
Added replicas, pnfs, and security_label parameters to support additional export configuration parameters.
nfs::idmapd class changes
Refactored into 3 classes to support distinct NFS server and client configuration.
Added no_strip and reformat_group to nfs::idmapd::config to support additional /etc/idmapd.conf configuration parameters.
2.2.8.21. pupmod-simp-oath
Allow oath::config::user to be any string.
Disabled the show_diff option in concat for /etc/liboath/users.oath to prevent that information from being exposed in logs.
2.2.8.22. pupmod-simp-pam
Ensured that ‘pam_tty_audit’ is optional if auditing is not enabled on the system.
Added the ability to specify pam::limits::rules via Hiera.
Ignore authconfig disable on EL8. Authconfig was replaced with authselect, and authselect does not overwrite settings unless you select the --force option.
Remove installation of pam_pkcs11 and fprintd-pam by default, since they aren’t actually required for basic functionality.
2.2.8.23. pupmod-simp-polkit
Added the following classes:
polkit::install
polkit::service
polkit::use
Ensured that the polkit user is managed by default and placed into the supplementary group bound to the ‘gid’ option on /proc, if one is set. This is necessary to work around issues with ‘hidepid’ > 0.
Made the entire main class inert on unsupported OSs; logs a warning on the server that can be disabled.
2.2.8.24. pupmod-simp-pupmod
Default pupmod::master::ssl_protocols to TLSv1.2 only.
Use $facts['certname'], when available, in the parameters below, because $facts['fqdn'] may not be appropriate when the system does not use its primary NIC/FQDN for its Puppet certificate.
pupmod::certname
pupmod::master::ca_status_whitelist
pupmod::master::admin_api_whitelist
Set the default puppetserver ciphers to a safe set.
Added better auto-tuning support for puppetserver, based on best practices.
Added ‘ReservedCodeCache’ puppetserver support.
Removed incron support in favor of using systemd path units to run simp_generate_types.
Attempts to activate the incron code will result in a warning message.
Added mitigation for CVE-2020-7942.
Added optional management of the Facter configuration file.
Removed the deprecated CA CRL pull cron job and the corresponding pupmod::ca_crl_pull_interval parameter.
Removed deprecated auth.conf support for the legacy pki module and the corresponding parameters:
pupmod::master::simp_auth::legacy_cacerts_all
pupmod::master::simp_auth::legacy_mcollective_all
pupmod::master::simp_auth::legacy_pki_keytabs_from_host
Removed the deprecated pupmod::master::simp_auth::server_distribution parameter.
2.2.8.25. pupmod-simp-resolv
Added optional management of DNS servers via nmcli.
2.2.8.26. pupmod-simp-rsyslog
Added support for ‘KeepAlive’ variables for ‘imtcp’ and ‘omfwd’ actions.
Changed local rule defined type to use the same package defaults for action queues that are in the remote rule defined type.
Changed remote rule defined type to use package defaults for action queues.
Added a default rule to log packets dropped by firewalld to /var/log/firewall.log.
Added /var/log/firewall.log to SIMP’s ‘syslog’ logrotate rule.
Added logrotate::rule options to the rsyslog::conf::logrotate class.
Removed the filter_ rules that were present for an old (and broken) version of the simp/simp_firewalld module.
Removed params pattern and migrated to data in modules.
2.2.8.27. pupmod-simp-selinux
Allow users to include selinux::install without needing full SELinux system management. This is particularly important when the native types are to be used in different modules but you don’t want to include full management just to get the required packages.
No longer enable or install mcstransd by default. It is a user convenience feature and not required for core functionality.
Ensured that mcstransd is added to the GID assigned to /proc, if one is assigned on the system.
2.2.8.28. pupmod-simp-simp
sssd configuration updates
Configure the ‘files’ provider in lieu of the ‘local’ provider for EL7 and later.
Deprecated the following parameters in simp::sssd::client: autofs, ssh and sudo. The simp/sssd module configures services in sssd::services. Use that parameter to configure those entries.
Configure sssd for EL8, even if the ldap_domain and local_domain parameters of simp::sssd::client are set to false.
Updated simp::mountpoints::proc to ensure polkitd can be configured to have access to /proc:
Assign a group and gid by default.
Create a group by default.
Discover these values from the system if possible.
Removed the following applications from the list of base OS applications installed automatically by simp/simp:
man
man-pages
vim-enhanced
dos2unix
elinks
hunspell
lsof
mlocate
pax
pinfo
sos
star
symlinks
words
x86info
Deprecated the simp::base_apps::manage_elinks_config parameter. It no longer has any effect.
simp::nsswitch updates
Updated the simp::nsswitch class to have sane defaults.
Added support for ‘mymachines’ and ‘myhostname’ by default.
Removed all NIS references since NIS should not be in general usage any longer and was never natively supported by SIMP.
Configuration files are now common across all supported OSs since nsswitch “does the right thing” when it hits a module that it does not recognize.
Allow nsswitch overrides.
Added chronyd support for EL8
Moved ntp to list of OS relevant applications for EL6 and EL7.
Added chrony for EL8.
Updated the client kickstart scripts/configuration
Updated the bootstrap_simp_client script to use chronyd if the kernel version is 4 or later.
Deprecated the simp::server::kickstart::runpuppet parameter and removed the old, corresponding runpuppet kickstart scripts. The simp_bootstrap_client scripts should be used instead.
ClamAV updates:
Removed clamav from the list of classes included by default in the SIMP scenarios. This will not remove ClamAV from systems where it is installed; Puppet will simply stop managing it.
To continue managing ClamAV with Puppet, add clamav to simp::classes in the appropriate Hiera file for that SIMP client. See the simp/clamav module for information on configuring or removing ClamAV on a system.
Deprecated simp::server::clamav. This parameter will be removed in a future SIMP release.
To manage ClamAV on the SIMP server after the parameter is removed, manually add the clamav class to the simp::classes array in the SIMP server’s Hiera file.
simp::yum::repo* updates:
Added:
simp::yum::repo::internet_simp class: Uses the SIMP yum repository package (simp-community-release) to configure yum for SIMP’s internet public repositories at simp-project.com.
simp-project.com is the new host for SIMP’s yum repositories.
packagecloud is no longer being updated.
simp::yum::repo::simp_release_version function: Returns the SIMP release version for use in the SIMP internet yum repositories.
Simp::Version data type alias for valid version strings for use in the SIMP internet repositories.
New parameters to simp::yum::repo::local_simp and simp::yum::repo::local_os_updates: relative_repo_path, baseurl, and gpgkey. baseurl and gpgkey allow complete yumrepo resource overrides.
Deprecated:
simp::yum::repo::internet_simp_server and simp::yum::repo::internet_simp_dependencies classes: These resources are no longer useful because their API matches the OBE packagecloud SIMP repositories.
As a workaround, the classes have been modified to use simp::yum::repo::internet_simp to configure the correct repositories at simp-project.com. You should switch to using simp::yum::repo::internet_simp directly, as these classes will be removed in a future release.
simp::yum::repo::sanitize_simp_release_slug function: a function only useful to the deprecated classes.
Added simp::puppetdb::cipher_suites parameter to manage the cipher suites supported by PuppetDB’s HTTP interface (Jetty). Used to set puppetdb::cipher_suites. Value set to a safe set.
Call selinux::install prior to using native types that require the packages to be installed.
2.2.8.29. pupmod-simp-simp_apache
Default to only TLS1.2.
2.2.8.31. pupmod-simp-simp_bolt
Added plan to install puppet-agent on target nodes.
Configured Bolt to request a pseudo TTY for SSH sessions if specified.
Configured new logs to be appended to the log file instead of overwriting.
2.2.8.32. pupmod-simp-simp_firewalld
This is a new SIMP module that provides a profile class and defined type to manage the system’s firewalld with “safe” defaults and safety checks for firewalld rules. It uses the puppet/firewalld module to update the system’s firewalld configuration.
2.2.8.33. pupmod-simp-simp_gitlab
Updated for the latest GitLab application (13.5.x) and puppet/gitlab (6.0.1).
Removed:
Support for GitLab < 12.3.0.
TLSv1.1 from the default for simp_gitlab::ssl_protocols.
Changed:
Set the GitLab root password in a fashion that minimizes coupling of simp/simp_gitlab with the internals of puppet/gitlab.
Set a throw-away password during initial GitLab package installation using GitLab configuration in /etc/gitlab/gitlab.rb. Setting the password during initial install is the only way to ensure the password is not set by an external user. Otherwise, the first GitLab page that comes up is the page to reset the root password.
After GitLab initial configuration, set the real root password using a script that implements GitLab-provided procedures for resetting the password.
Use chronyd instead of ntpd, as GitLab itself uses chronyd and chronyd is required for EL8.
Use puppet/gitlab for managing packages again.
Renamed the ‘gitlab_monitor’ key to ‘gitlab_exporter’ in the configuration hash.
The name change is required for GitLab >= 12.3.0.
No longer set gitlab::external_port. The custom port is already appropriately configured via gitlab::external_url. ‘external_port’ is no longer a supported GitLab configuration key and causes gitlab-ctl reconfigure to fail.
simp/simp_gitlab now fails to compile when the node is in FIPS mode, unless simp_gitlab::allow_fips (a new parameter) is set to true.
Added:
Parameters to enable setting the GitLab root password
simp_gitlab::set_gitlab_root_password
simp_gitlab::gitlab_root_password
simp_gitlab::rails_console_load_timeout
A script to change the GitLab root password, /usr/local/sbin/change_gitlab_root_password.
Disabling of Let’s Encrypt usage in GitLab, by default.
The integration of SIMP PKI management with Let’s Encrypt has not yet been done.
To use Let’s Encrypt, disable SIMP management of PKI by setting simp_gitlab::pki to false and then manage the certificates manually.
svckill::ignore rule for the GitLab service. Since the service is no longer managed by default by gitlab::service, this prevents the service from being inadvertently killed when it is unmanaged.
Important
As a side effect of the changes related to setting the GitLab root password, upon module upgrade, the GitLab root password will be automatically set to the value of simp_gitlab::gitlab_root_password, unless the (empty) marker file /etc/gitlab/.root_password_set exists or the parameter simp_gitlab::set_gitlab_root_password is set to false. If you forget to disable this automation or just want to reset the GitLab root password, simply run /usr/local/sbin/change_gitlab_root_password <new_password>. You do not need to know the previous password to set the new password.
2.2.8.34. pupmod-simp-simp_ipa
Make the IPA server optional in the join task. It is perfectly valid to not specify a server when doing an IPA client install and instead rely on DNS auto discovery.
2.2.8.35. pupmod-simp-simp_nfs
The following parameters had to be changed from hostnames or IP addresses to only IP addresses due to use of firewalld on EL8:
simp_nfs::home_dir_server
simp_nfs::mount::home::nfs_server
2.2.8.36. pupmod-simp-simp_options
The simp_options::clamav catalyst has been deprecated.
As of SIMP 6.5, SIMP’s clamav class is no longer included in the class list of the SIMP scenarios. So, this catalyst is not needed to disable it.
To have SIMP manage ClamAV on your system, add the clamav class to your system’s class list.
See the simp/clamav module README.md for information on managing ClamAV.
simp_options::puppet::server and simp_options::puppet::ca are now optional. These are no longer required at all times due to support for Bolt. Code that used these parameters will correctly fail and require users to add them to their configuration.
Updated simp_options::ldap to require the master and uri parameters if simp_options::puppet::server is not defined.
2.2.8.37. pupmod-simp-simp_rsyslog
Added support for firewalld log message collection.
Deep merge simp_rsyslog::log_collection.
Removed the filter_IN_99_simp_DROP rules that were present for an old (and broken) version of the simp/simp_firewalld module.
2.2.8.38. pupmod-simp-simp_snmpd
Changes:
Updated to use puppet/snmp version 5.1.2.
The default configuration for this module has not changed, but some settings are now placed in the snmpd.conf file instead of in a subdirectory.
In the previous version the user directory was automatically included. Now the user must set simp_snmpd::include_userdir to true for files in the user directory to be included. The relevant parameters are as follows:
simp_snmpd::include_userdir
simp_snmpd::user_snmpd_dir
The configuration parameter simp_snmpd::snmpd_conf_file has been renamed to simp_snmpd::service_config. This is the location of the snmpd.conf file.
The type of the simp_snmpd::services parameter has been changed from a String to an Integer.
The simp_snmpd::system_info parameter has been deprecated. puppet/snmp now includes these settings by default and they can’t be removed. This means that net-snmp will set them as not writable and they can not be changed by a set call from an snmpd manager or client.
New features:
Added settings to allow users to change owner/group and permissions on configuration files:
simp_snmpd::service_config_dir_owner
simp_snmpd::service_config_dir_group
simp_snmpd::service_config_dir_perms
simp_snmpd::service_config_perms
Added configuration of snmpd user and group IDs, as well as optional management of the user and group:
simp_snmpd::snmpd_uid
simp_snmpd::snmpd_gid
simp_snmpd::manage_snmpd_user
simp_snmpd::manage_snmpd_group
The SNMP trap daemon is still stopped by default. New parameters can be used to enable the daemon, set the command line options on the daemon, and start it at boot. The default settings in puppet/snmp are used. Configuration files placed in a user directory can be created by the user for any additional configuration. The following settings have been added to create this behavior:
simp_snmpd::trap_service_ensure
simp_snmpd::trap_service_startatboot
simp_snmpd::trap_service_config
simp_snmpd::snmpdtrapd_options
simp_snmpd::user_trapd_dir
2.2.8.39. pupmod-simp-simpkv
This is a new SIMP module that provides an abstract library that allows Puppet to access one or more key/value stores.
This module provides
a standard Puppet language API (functions) for using key/value stores
a configuration scheme that allows users to specify per-application use of different key/value store instances
adapter software that loads and uses store-specific interface software provided by the simp/simpkv module itself and other modules
a Ruby API for the store interface software that developers can implement to provide their own store interface
a file-based store on the local filesystem and its interface software.
Future versions of this module will provide a distributed key/value store.
2.2.8.40. pupmod-simp-simplib
2.2.8.40.1. Facts Changes
Added the following facts:
Fact | Description
---|---
 | Returns a hash of auditd status.
 | Return an array of known firewall commands that are present on the system.
 | Returns a hash of mountpoints of particular interest to SIMP modules.
 | Returns a hash of NUMA values.
 | Returns
 | Returns
Deprecated the following facts:
tmp_mounts fact. Use simplib__mountpoints instead.
2.2.8.40.2. Function Changes
Added the following functions:
Function | Description
---|---
 | Enhanced version of
 | Prints a trace of all catalog resources traversed to get to the current point.
 | Prints a trace of all files traversed to get to the current point.
 | Takes an IP address or array of IP addresses and returns a hash with the addresses broken down by family. The returned hash also contains additional helpful metadata.
 | Determine if the passed metadata indicates that the current OS has been blacklisted.
 | Determine if the passed module metadata indicates that the current OS is supported.
 | Adds an assertion based on whether the OS is supported or blacklisted.
 | Determines what called a function.
 | Generates a password and salt.
 | Generates a salt.
 | Retrieves a generated password and any stored attributes.
 | Retrieves the list of generated passwords with attributes and the list of sub-folders stored at a
 | Removes a generated password, history and stored attributes.
 | Sets a generated password with attributes.
 | Convert a string into a filename that is ‘path safe’.
Updated the following functions:
simplib::passgen
Added ‘simpkv’ mode.
Runs in ‘legacy’ mode (default) or in a ‘simpkv’ mode.
‘simpkv’ mode is EXPERIMENTAL.
When in ‘simpkv’ mode, simplib::passgen uses simp/simpkv for password persistence. ‘simpkv’ mode is enabled by setting simplib::passgen::simpkv to true in Hiera. If you enable ‘simpkv’ mode in a system that already has passwords generated via the legacy code, currently, all passwords will be regenerated.
Added simpkv_options parameter to simplib::passgen for use in ‘simpkv’ mode.
Enhanced simplib::passgen operation when in ‘simpkv’ mode:
Stores complexity and complex_only settings in the password’s simpkv metadata, so that the password can be regenerated with the same characteristics. Regenerates the password if the requested ‘complexity’ or ‘complex_only’ setting differs from the setting used for the latest persisted password.
Stores up to the latest 10 <password,salt> pairs in the password’s simpkv metadata.
Added a gen_timeout_seconds password option. Previously this was hardcoded to 30 seconds.
Added ability to set the user and group for legacy simplib::passgen files.
Changed the default permissions on legacy simplib::passgen files to the user running the catalog compile. This will allow Bolt to set permissions correctly.
simplib::gen_random_password: Intersperse special characters among the alphanumeric characters when complexity is 1 or 2 and complex_only is false. Previously, this function grouped all the alphanumeric characters together and grouped all special characters together. This generated passwords that were not suitable for user passwords, as they would fail the cracklib/libpwquality complexity checks.
simplib::assert_metadata: Added blacklist option. This allows functionality to deliberately fail on an OS that is listed in the module’s metadata.json but is not necessarily supported by all parts of the given module.
2.2.8.40.3. New data type aliases
Added Simplib::Systemd::ServiceName for valid systemd service names.
2.2.8.41. pupmod-simp-ssh
Migrated to the updated version of simp/selinux that allows for isolated package installation in support of the SELinux native types.
Allow users to use the puppet/selinux module instead of SIMP components.
2.2.8.42. pupmod-simp-stunnel
Set default for stunnel::connection::ssl_version to TLSv1.2 for EL8 compatibility.
Set default for stunnel::instance::ssl_version to TLSv1.2 for EL8 compatibility.
Set the stunnel::connection::app_pki_crl parameter to undef by default due to issues with pointing the setting to an absent directory in EL8.
Set the stunnel::instance::app_pki_crl parameter to undef by default due to issues with pointing the setting to an absent directory in EL8.
Updated valid ssl_version entries.
2.2.8.43. pupmod-simp-sudo
Added parameters for sudo::default_entry and sudo::alias defined types.
CVE-2019-14287 mitigation.
Do not allow the use of user id or group id of ‘-1’ when ‘ALL’ or ‘%ALL’ are used in the runas section of a sudo user specification and the version of sudo is earlier than 1.8.28.
Deep merge user_specifications by default.
2.2.8.44. pupmod-simp-svckill
Updated the svckill provider to work with different Puppet service provider implementations. If after a Puppet upgrade you find that svckill is trying to kill system services that it previously ignored, you need simp/svckill version 3.6.1 or later to fix the problem.
Updated service lists.
2.2.8.45. pupmod-simp-swap
Disable dynamic_swappiness by default.
Set the static system swappiness to 60 by default.
2.2.8.46. pupmod-simp-tcpwrappers
Enhanced behavior to do nothing when TCP Wrappers is not supported by the OS.
2.2.8.47. pupmod-simp-tpm2
Removed the option for managing tools, tpm2::manage_tpm2_tools. Tools can be managed or not by removing them from the package list. Note that the tools package is needed to determine the status of the TPM.
Added support for setting tabrm_options for connecting to the simulator.
2.2.8.48. pupmod-simp-useradd
Added explicit support for setting the rescue/emergency shell on systemd systems.
2.2.8.49. rubygem-simp-cli
Updated the instructions provided in the local user lockout warning message in the bootstrap lock file.
Simplified instructions to create resources via Hiera.
Tell the user to check that they can ssh into the server with the new user after bootstrap but before rebooting. This step is imperative to ensure that the user can also get through Puppet-managed authentication!
Updated SIMP internet repositories configured by simp config.
Now uses simp-project.com repositories via the new simp::yum::repo::internet_simp class. The packagecloud repositories are no longer being updated.
Allow users to set the ‘SIMP_ENVIRONMENT’ environment variable to change the initial environment from ‘production’ to a custom value, when running simp config or simp bootstrap.
simp config changes
Ensured that simp config uses the simp::classes parameter instead of classes by default, but accepts both simp::classes and classes as valid existing configurations.
Removed deprecated --non-interactive option. Use --force-defaults instead.
Added simpkv command family to allow users to manage and inspect entries in a simpkv key/value store.
simp passgen changes
Split into sub-commands for ease of use:
simp passgen envs: List environments that may have simplib::passgen passwords.
simp passgen list: List names of simplib::passgen passwords.
simp passgen remove: Remove simplib::passgen passwords.
simp passgen set: Set simplib::passgen passwords.
simp passgen show: Show simplib::passgen passwords and other stored attributes.
Updated to work with simpkv-enabled simplib::passgen. Automatically detects whether simplib::passgen is operating in ‘legacy’ mode or ‘simpkv’ mode in the specified environment, and then executes password operations using the appropriate mechanism for that mode.
When setting passwords, disabled libpwquality/cracklib validation of user-entered passwords by default, because not all passwords managed by simplib::passgen are user passwords. This validation can be re-enabled with the --validate option of simp passgen set.
Added the following command line options when creating passwords:
--[no-]auto-gen: Whether to auto-generate new passwords.
--complexity: Password complexity to use when a password is auto-generated. Corresponds to the complexity option of simplib::passgen.
--[no-]complex-only: Whether to use only complex characters when a password is auto-generated. Corresponds to the complex_only option of simplib::passgen.
--[no-]validate: Enables validation of new passwords with libpwquality/cracklib.
--length: Password length to use when a password is auto-generated.
Added --[no-]details option when showing password information. When enabled, all available password information is displayed, not just the current and previous password values.
Updated HighLine from version 1.7.8 to 2.0.3.
2.2.8.50. simp-adapter
Removed logic to ensure any existing, global hiera.yaml.simp file is not removed on upgrade from simp-adapter <= 0.0.6. This is not an issue when upgrading from SIMP 6.4.0 to SIMP 6.5.0 (i.e., simp-adapter version 1.0.1 to version 2.0.0).
If for some reason you are upgrading from simp-adapter version <= 0.0.6, manually save off /etc/puppetlabs/puppet/hiera.yaml.simp prior to the upgrade, and then restore that file after the upgrade is complete.
2.2.8.51. simp-environment-skeleton
Ensure that firewalld is used by default in the applicable SIMP scenarios.
Ensured that the server Hiera defaults have simp::server in the simp::classes array. Otherwise, it will never get picked up.
Replace classes with simp::classes and simp::server::classes as appropriate in example Hiera YAML files.
FakeCA updates
Added the CA code directly into the project to allow the code to work on newer OS versions.
Allow users to specify an alternate output directory via a ‘KEYDIST’ environment variable.
Consolidate the certificate request and revocation code.
Certificate revocation now runs in linear time.
Changed permissions for files and directories to be world readable.
Add a PE-suitable Puppet server YAML data template.
2.2.8.52. simp-gpgkeys
Added the CentOS 8 and EPEL 8 GPG keys.
Removed Fedora 25 and 26 GPG keys.
Updated puppetlabs GPG key.
2.2.8.53. simp-rsync-skeleton
Added mitigation for CVE-2019-6477 to the sample RedHat 7 named.conf.
Removed rndc.key files from sample named configuration to prevent users from accidentally using a published, sample secret key. The named service will create a key if one does not exist, using the correct defaults for the system.
Updated the README in rsync/RedHat/Global/tftpboot/linux-install. It now explains which boot files for the TFTP boot server are required when tftpboot::use_os_files is set to false.
2.2.8.54. simp-utils
Added sample kickstart files to /usr/share/simp/ to allow users to have access to all OS-specific versions of the kickstart files.
Added a check to the unpack_dvd script for dangerously unspecific OS versions (e.g., ‘7’ instead of ‘7.0.2003’).
This is common when unpack_dvd autodetects the OS version from the ISO’s .treeinfo on some OSes (particularly CentOS). It can result in clobbering of existing OS files when the script unpacks files into a directory named for the major OS version.
The script will exit with an informative message and instructions for how the user can address the issue with the -v option.
Added (optional) --unpack-pxe [DIR] option to the unpack_dvd script.
Added (optional) --environment ENV to set the PXE rsync environment.
Added a new --[no-]unpack-yum option (enabled by default) to permit users to disable the RPM unpack.
To enable unpacking PXE tftpboot files, run with --unpack-pxe.
To disable unpacking RPMs/yum repos, run with --no-unpack-yum.
See unpack_dvd --help for details.
Overhauled unpack_dvd --help; output now fits on 80-character PTY consoles.
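The "unspecific OS version" check described above, re-implemented as a small POSIX sh script. This is an added example, not SIMP's own unpack_dvd code; it assumes the .treeinfo layout found on EL ISOs (a [general] section with a version key, alongside a [header] section whose own version key is the file-format version) and uses constructed .treeinfo content for its demo.

```shell
#!/bin/sh
# Added example (not SIMP's own unpack_dvd code): reject a bare major OS
# version before unpacking. A version such as "7" would make an unpacker
# drop files into a directory shared by every 7.x release and clobber what
# is already there, so it is refused and the user is told to pass the full
# version (the page describes this as unpack_dvd's -v option).

# treeinfo_version FILE
# Print the "version" value from the [general] section of a .treeinfo file.
# The section is matched deliberately: productmd-style .treeinfo files also
# carry a [header] section whose "version" is the file-format version.
treeinfo_version() {
  awk -F'=' '
    /^\[/ { section = $0; next }
    section == "[general]" && $1 ~ /^[ \t]*version[ \t]*$/ {
      sub(/^[ \t]+/, "", $2); sub(/[ \t]+$/, "", $2); print $2; exit
    }' "$1"
}

# os_version_is_specific VERSION
# Succeed only for a version with at least a minor component (7.8, 7.0.2003,
# 8.2.2004). A bare major ("7", "8") is what ISO autodetection yields on some
# OSes and is exactly the case this check exists to catch.
os_version_is_specific() {
  case "$1" in
    [0-9]*.[0-9]*) return 0 ;;
    *)             return 1 ;;
  esac
}

# check_iso_version TREEINFO
# Print the usable version and succeed, or explain why unpacking must not
# proceed and fail (1: unspecific version, 2: no version found at all).
check_iso_version() {
  _ver=$(treeinfo_version "$1")
  if [ -z "$_ver" ]; then
    echo "error: no OS version found in $1" >&2
    return 2
  fi
  if os_version_is_specific "$_ver"; then
    echo "$_ver"
    return 0
  fi
  echo "error: OS version '$_ver' (from $1) is only a major version;" >&2
  echo "       rerun with '-v <full version>' (e.g. 7.0.2003) so the files" >&2
  echo "       are not unpacked over an existing release directory." >&2
  return 1
}

# Demo on constructed .treeinfo content (not copied from any real ISO).
_demo=$(mktemp)
printf '[header]\nversion = 1.2\n\n[general]\nname = CentOS-7\nversion = 7\n' > "$_demo"
check_iso_version "$_demo" || echo "rejected as expected (status $?)"
printf '[header]\nversion = 1.2\n\n[general]\nname = RHEL-7.8\nversion = 7.8\n' > "$_demo"
check_iso_version "$_demo"
rm -f "$_demo"
```

To use it on a real image, point check_iso_version at the .treeinfo of the mounted ISO (for example /mnt/cdrom/.treeinfo) before running any unpacker that derives its target directory from the version string; a non-zero exit means the version must be supplied explicitly.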
2.2.8.55. SIMP ISO
Fixed a bug in the instructions about enabling encryption in non-FIPS mode in the sample client kickstart files.
Following the erroneous instructions prevented automatic decryption from happening at client boot, because the encrypted disk credentials were not added to the dracut configuration.
2.2.9. Known Bugs and Limitations
Below are bugs and limitations known to affect this release. If you discover additional problems, please submit an issue to let us know.
2.2.9.1. Special considerations with EL8 clients
2.2.9.1.1. Network-isolated EL8 clients require EPEL8 and EL8 Base/Updates dnf mirrors
Because there is no SIMP 6.5 EL8 server release, there is no accompanying EL8 ISO or package tarball that can be used to create a self-hosted dnf repository for SIMP-specific EL8 packages.
In order to provide the necessary packages to EL8 agents on a network-isolated SIMP 6.5 infrastructure, admins must ensure that dnf repo mirrors are available for:
EPEL 8
EL8 Base/Updates
2.2.9.1.2. unpack_dvd does not (re-)create modular repos for EL8 dnf repos (SIMP-8614)
EL8 introduces modular package repositories. When unpacking an EL8 ISO to populate a yum repository, SIMP 6.5.0's unpack_dvd script does not recognize modular repositories or regenerate their modular metadata. Consequently, EL8 Puppet agents applying catalogs that require modular EL8 packages may encounter errors like the following:
Error: /Stage[main]/Simp_apache::Install/Package[httpd]/ensure: change from 'purged' to 'latest' failed: Could not update: Execution of '/usr/bin/dnf -d 0 -e 1 -y install httpd' returned 1: No available modular metadata for modular package 'httpd-2.4.37-21.module_el8.2.0+382+15b0afa8.x86_64', it cannot be installed on the system
Error: No available modular metadata for modular package
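A check for the state this limitation leaves a repository in, as an added example that is not SIMP code: it flags a dnf repository that contains EL8 modular RPMs but whose repomd.xml advertises no modular metadata, which is what produces the error above. It assumes the EL8 module stream tags in RPM release fields (".module_el8" on CentOS 8, as in the error text, and ".module+el8" on RHEL 8) and the `<data type="modules">` entry that repomd.xml carries when modules.yaml has been published; the demo directory layout is constructed and contains no real RPMs.

```shell
#!/bin/sh
# Added example (not SIMP code): detect a dnf repository that holds EL8
# modular RPMs but no modular metadata, the cause of dnf's
# "No available modular metadata for modular package" refusal.

# repo_has_modular_rpms REPO_DIR
# Succeed if any RPM under the directory carries an EL8 module stream tag in
# its release field: CentOS 8 uses ".module_el8", RHEL 8 uses ".module+el8".
repo_has_modular_rpms() {
  find "$1" -type f \( -name '*.module_el8*.rpm' -o -name '*.module+el8*.rpm' \) \
    2>/dev/null | grep -q .
}

# repo_has_modular_metadata REPO_DIR
# Succeed if repodata/repomd.xml advertises a "modules" entry, i.e. the
# modules.yaml that dnf needs to resolve module streams was published.
repo_has_modular_metadata() {
  _repomd="$1/repodata/repomd.xml"
  [ -r "$_repomd" ] && grep -q '<data type="modules">' "$_repomd"
}

# check_repo REPO_DIR
# 0: repo is usable (no modular RPMs, or modular RPMs plus modular metadata)
# 1: modular RPMs are present but the modular metadata is missing
# 2: no repomd.xml, i.e. the directory is not a finished repo at all
check_repo() {
  if [ ! -r "$1/repodata/repomd.xml" ]; then
    echo "$1: no repodata/repomd.xml" >&2
    return 2
  fi
  if repo_has_modular_rpms "$1" && ! repo_has_modular_metadata "$1"; then
    echo "$1: modular RPMs present but repomd.xml has no modules entry;" >&2
    echo "    dnf will refuse to install them until the ISO's modules.yaml" >&2
    echo "    is added to this repodata" >&2
    return 1
  fi
  echo "$1: ok"
  return 0
}

# Demo on a constructed directory layout (file names only, no real RPMs).
_base=$(mktemp -d)
mkdir -p "$_base/AppStream/repodata"
: > "$_base/AppStream/httpd-2.4.37-21.module_el8.2.0+382+15b0afa8.x86_64.rpm"
printf '<?xml version="1.0"?>\n<repomd><data type="primary"/></repomd>\n' \
  > "$_base/AppStream/repodata/repomd.xml"
check_repo "$_base/AppStream" || echo "broken as expected (status $?)"
printf '<repomd><data type="primary"/><data type="modules"></data></repomd>\n' \
  > "$_base/AppStream/repodata/repomd.xml"
check_repo "$_base/AppStream"
rm -rf "$_base"
```

Run check_repo against each repository directory an EL8 client will be pointed at (BaseOS and AppStream in particular). If it flags a repository, the module metadata shipped in the ISO's own repodata (the *-modules.yaml.gz file) has to be republished into that repository with createrepo_c's modifyrepo_c --mdtype=modules; SIMP 6.5.0's unpack_dvd does not do that for you.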