2.6. SIMP 6.1.0-0¶
This release is known to work with:
- RHEL 6.9 x86_64
- RHEL 7.4 x86_64
- CentOS 6.9 x86_64
- CentOS 7.0 1708 x86_64
2.6.1. Breaking Changes¶
Warning
This release of SIMP is NOT backwards compatible with the 4.X and 5.X releases. Direct upgrades will not work!
At this point, do not expect any of our code moving forward to work with Puppet 3.
If you find any issues, please file bugs!
2.6.1.1. Breaking Changes Since 6.0.0-0¶
2.6.1.1.1. Upgrade Issues¶
- You MUST read the Upgrading from SIMP-6.0.0 to SIMP-6.1.0 section of the
  documentation for this upgrade. There were several RPM issues that require
  manual intervention for a clean upgrade.
- The docs can be found at Read The Docs on the internet or under
  `/usr/share/doc` when the `simp-doc.noarch` RPM is installed.
2.6.2. Significant Updates¶
2.6.2.1. Puppetserver Log Issues¶
You may have noticed that you were not getting puppetserver logs recorded,
either on the file system or via rsyslog. We fixed the issue as identified
in SIMP-4049 but we cannot safely upgrade existing systems to fix the issue.
To enable log collection via rsyslog (the default), you will need to add
the following to your puppet server's hieradata:

```yaml
rsyslog::udp_server: true
rsyslog::udp_listen_address: '127.0.0.1'
```

By default, this file will be located at
`/etc/puppetlabs/code/environments/simp/hieradata/hosts/puppet.<your.domain>.yaml`
2.6.2.2. Puppetserver auth.conf¶
If you are upgrading from SIMP-6.0.0-0 to a later version:
- The legacy `auth.conf` (`/etc/puppetlabs/puppet/auth.conf`) has been deprecated. `pupmod-simp-pupmod` will back up the legacy puppet `auth.conf` after upgrade.
- The puppetserver's `auth.conf` is now managed by Puppet.
- You will need to re-produce any custom work done to the legacy `auth.conf` in the new `auth.conf`, via the `puppet_authorization::rule` defined type.
- The stock rules are managed in `pupmod::master::simp_auth`.
2.6.2.3. No Longer Delivering ClamAV DAT Files¶
Given the wide spacing of SIMP releases, the team determined that it was
ineffective for us to maintain the `simp-rsync-clamav` RPM with upstream
ClamAV DAT file updates.
From this point forward, SIMP will not ship with updated ClamAV DAT files and we highly recommend updating your DAT files from the authoritative upstream sources.
2.6.2.4. SNMP Support Added¶
We have re-added SNMP support after a thorough re-assessment and update of
our legacy `snmp` module. We now build upon a community module and wrap the
SIMP-specific components on top of it.
2.6.2.5. Preparing for Puppet 5¶
We are in the process of updating all of our modules to include tests for Puppet 5 and, so far, things have gone quite well. Our expectation is that the update to Puppet 5 will be seamless for existing SIMP 6 installations.
2.6.2.6. Non-Breaking Version Updates¶
Many modules had dependencies that were updated in a manner that was breaking
for the downstream module, but which did not affect the SIMP infrastructure.
This caused quite a few of the SIMP modules to have version updates with no
changes other than an update to the `metadata.json` file.
In general, this was due to dropping support for Puppet 3.
2.6.2.7. Long Puppet Compiles with AIDE Database Initialization¶
In order to expose `aide` database configuration errors during a Puppet
compilation, the database initialization is no longer handled as a background
process.
When the AIDE database must be initialized, this can extend the time for a
Puppet compilation by several minutes. At the console the Puppet
compilation will appear to pause at `/Stage[main]/Aide/Exec[update_aide_db]`.
2.6.3. Security Announcements¶
- CVE-2017-2299
  - Versions of the puppetlabs-apache module prior to 1.11.1 and 2.1.0 make it very easy to accidentally misconfigure TLS trust.
  - SIMP brings in puppetlabs-apache version 2.1.0 to mitigate this issue.
2.6.4. RPM Updates¶
| Package | Old Version | New Version |
|---|---|---|
| puppet-agent | 1.8.3-1 | 1.10.6-1 |
| puppet-client-tools | 1.1.0-0 | 1.2.1-1 |
| puppetdb | 4.3.0-1 | 4.4.0-1 |
| puppetdb-termini | 4.3.0-1 | 4.4.0-1 |
| puppetserver | 2.7.2-1 | 2.8.0-1 |
2.6.5. Removed Modules¶
2.6.5.1. pupmod-herculesteam-augeasproviders¶
- This was a meta-module that simply required all other `augeasproviders_*` modules; it was not in use by the SIMP framework and was causing user confusion.
2.6.5.2. pupmod-herculesteam-augeasproviders_base¶
- Has internal bugs and was not in use by any SIMP components
2.6.6. Security Updates¶
2.6.6.1. pupmod-puppetlabs-apache¶
- Updated to 2.1.0 to fix CVE-2017-2299
2.6.7. Fixed Bugs¶
2.6.7.1. pupmod-simp-aide¶
- Fixed a bug where `aide` reports and errors were not being sent to syslog
- Now use FIPS-appropriate hash algorithms when the system is in FIPS mode
- No longer hide AIDE initialization failures during Puppet runs
- Ensure that `aide` now properly retains the output database in accordance with the STIG checks
2.6.7.2. pupmod-simp-auditd¶
- Fixed a typo in the `faillock` audit rule so that it watches the correct path
2.6.7.3. pupmod-simp-compliance_markup¶
- Fixed an issue where a crash would occur when `null` values were in the compliance markup data
2.6.7.4. pupmod-simp-libreswan¶
- Fixed issues when running `libreswan` on a FIPS-enabled system
2.6.7.5. pupmod-simp-logrotate¶
- Ensure that `nodateext` is set if the `dateext` parameter is set to `false`
2.6.7.6. pupmod-simp-simp_openldap¶
- Fixed an issue where `pki::copy` was not correctly hooked into the server service logic. This caused the OpenLDAP server to fail to restart if a new host certificate was placed on the system.
- Fixed an idempotency issue due to an `selinux` context not being set
2.6.7.8. pupmod-simp-pam¶
- Enable `pam_tty_audit` for `sudo` commands
2.6.7.9. pupmod-simp-simp¶
- Changed the `simp::sssd::client::min_id` parameter to `500` from `1000`
  - Having `min_id` at `1000` was causing intermittent retrieval errors for the `administrators` group (and potentially other supplementary groups) that users may be assigned to. This led to the potential of users below `1000` being left unable to log into their system and was reproduced using the stock `administrators` group.
  - The wording of the `sssd.conf` man page for `min_id` leads us to believe that the behavior of non-primary groups may not be well defined.
2.6.7.10. pupmod-simp-simp_rsyslog¶
- Ensure that `aide` and `snmp` logs are forwarded to remote syslog servers as part of the security relevant logs
- Persist `aide` logs on the remote syslog server in their own directory since the logs can get quite large
2.6.7.11. pupmod-simp-sssd¶
- Updated the `Sssd::DebugLevel` Data Type to handle all variants specified in the `sssd.conf` man page
- No longer add `try_inotify` by default since the auto-detection should suffice
- Ensure that an empty `sssd::domains` Array cannot be passed and set the maximum length to `255` characters
2.6.7.12. pupmod-simp-stunnel¶
- Improved the SysV init scripts to be safer when killing `stunnel` services
- The `stunnel` PKI certificates are owned by the correct UID
- Fixed the init scripts for starting `stunnel` when SELinux was disabled
- Added a `systemd` unit for EL7+ systems
- Updated the `systemd` unit files to run stunnel in the foreground
2.6.7.13. pupmod-simp-svckill¶
- Fixed a bug in which `svckill` could fail on servers for which there are no aliased `systemd` services
2.6.7.14. simp-core¶
- Fixed several issues with the ISO build task: `rake beaker:suites[rpm_docker]`
2.6.7.15. simp-environment¶
- Fixed a bug where a relabel of the filesystem would incorrectly change
  all SELinux contexts on any environment files in `/var/simp/environments`
  with the exception of the default `simp` environment.
- Added the following items to the default puppet server hieradata file at
  `/etc/puppetlabs/code/environments/simp/hieradata/hosts/puppet.your.domain.yaml`
  to enable the UDP log server on `127.0.0.1` so that the `puppetserver`
  logs can be processed via `rsyslog` by default:

```yaml
rsyslog::udp_server: true
rsyslog::udp_listen_address: '127.0.0.1'
```
2.6.7.16. simp-rsync¶
- Fixed a bug where a relabel of the filesystem would incorrectly change
  all SELinux contexts on any environment files in `/var/simp/environments`
  with the exception of the default `simp` environment.
2.6.8. New Features¶
2.6.8.1. pupmod-camptocamp-systemd¶
- Added as a SIMP core module
2.6.8.2. pupmod-vshn-gitlab¶
- Added as a SIMP extra
2.6.8.3. pupmod-simp-autofs¶
- Allow pinning of the `samba` and `autofs` packages to work around bugs in `autofs` that do not allow proper functionality when working with `stunnel`
2.6.8.4. pupmod-simp-clamav¶
- Added the option to not manage ClamAV data at all
2.6.8.5. pupmod-simp-compliance_markup¶
- Converted all of the module data to JSON for efficiency
2.6.8.6. pupmod-simp-krb5¶
- Allow users to modify the owner, group, and mode of various global kerberos-related files
2.6.8.7. pupmod-simp-logrotate¶
- Made the logrotate target directory configurable
2.6.8.8. pupmod-simp-pam¶
- Changed `pam_cracklib.so` to `pam_pwquality.so` in EL7 systems
2.6.8.9. pupmod-simp-pupmod¶
- Added a SHA256-based option to generate the minute parameter for a client's `puppet agent` cron entry based on its IP address
  - This option is intended to mitigate the undesirable clustering of client `puppet agent` runs when the number of IPs to be transformed is less than the minute range over which the randomization is requested (60) and/or the client IPs are not linearly assigned
2.6.8.10. pupmod-simp-simp_gitlab¶
- Added as a SIMP extra
2.6.8.11. pupmod-simp-selinux¶
- Added a reboot notification on appropriate SELinux state changes
- Ensure that a `/.autorelabel` file is created on appropriate SELinux state changes
  - This capability is disabled by default due to issues discovered with the autorelabel process in the operating system
2.6.8.12. pupmod-simp-simp_snmpd¶
- Added SNMP support back into SIMP!
2.6.8.13. pupmod-simp-simplib¶
- Updated `rand_cron` to allow the use of a SHA256-based algorithm specifically to improve randomization in systems that have non-linear IP address schemes
- Added a `simplib::assert_metadata_os` function that will read the `operatingsystem_support` field of a module's `metadata.json` and fail if the target OS is not in the supported list
  - This can be globally disabled by setting the variable `simplib::assert_metadata::options` to `{ 'enable' => false }`
- Began deprecation of legacy Puppet 3 functions in favor of their Puppet 4 counterparts. At this time, no deprecation warnings will be generated but this will change in a later release of SIMP 6.
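The clustering problem that the SHA256 option in `pupmod-simp-pupmod` and the `rand_cron` update above address is easy to see with a few addresses in hand. The following Python script is an added illustration of the two approaches, not simplib's `rand_cron` code: `minute_by_ip_mod` reduces the integer form of an IPv4 address modulo the minute range, and `minute_by_sha256` hashes the address string first. The sample addresses are constructed; the exact reduction simplib performs is assumed, not taken from the page.

```python
import hashlib
import ipaddress
from collections import Counter

MINUTE_RANGE = 60  # the minute range the randomization is requested over


def minute_by_ip_mod(ip: str, max_value: int = MINUTE_RANGE) -> int:
    """Modulo-style scheduling (assumed shape of the legacy algorithm):
    the IPv4 address as an integer, reduced modulo the minute range.
    Addresses handed out in steps that share a factor with 60, or that are
    otherwise not linearly assigned, collapse onto a handful of minutes."""
    return int(ipaddress.ip_address(ip)) % max_value


def minute_by_sha256(ip: str, max_value: int = MINUTE_RANGE) -> int:
    """SHA256-based scheduling: hash the address string and reduce the digest
    modulo the minute range, so neighbouring addresses get unrelated minutes."""
    digest = hashlib.sha256(ip.encode("ascii")).digest()
    return int.from_bytes(digest, "big") % max_value


def minutes_used(ips, chooser, max_value: int = MINUTE_RANGE) -> Counter:
    """Count how many clients land on each minute under the given chooser."""
    return Counter(chooser(ip, max_value) for ip in ips)


def worst_cluster(ips, chooser, max_value: int = MINUTE_RANGE) -> int:
    """Largest number of clients sharing one minute (1 is ideal)."""
    return max(minutes_used(ips, chooser, max_value).values())


# Constructed sample: 12 clients whose addresses were handed out in steps of
# 20, i.e. fewer clients than minutes and not linearly assigned.
SAMPLE_IPS = [f"10.0.0.{host}" for host in range(20, 241, 20)]

if __name__ == "__main__":
    for name, chooser in (("ip_mod", minute_by_ip_mod),
                          ("sha256", minute_by_sha256)):
        used = minutes_used(SAMPLE_IPS, chooser)
        print(f"{name:7s} distinct minutes={len(used):2d} "
              f"worst cluster={max(used.values())}")
```

With the step-of-20 sample, the modulo approach puts all 12 clients on just three minutes (four per minute) because 10.0.0.0 as an integer is congruent to 40 modulo 60 and every offset is a multiple of 20; the hashed approach spreads the same clients across many more minutes while staying deterministic per address, which is what a cron entry needs.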
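To show what the `simplib::assert_metadata_os` check described above has to do, here is an added Python model of it (not simplib's implementation, which is a Puppet function). It parses a constructed `metadata.json` fragment, builds the supported-OS map from `operatingsystem_support`, and raises when the target OS or release is not listed. The `options` argument mirrors the page's `{ 'enable' => false }` switch; the treatment of modules with no `operatingsystem_support` field and of entries without `operatingsystemrelease` is an assumption of this example.

```python
import json
from typing import Optional

# Constructed sample of the fields the check reads from a module's
# metadata.json (not the metadata of any real SIMP module).
SAMPLE_METADATA_JSON = """
{
  "name": "example-module",
  "operatingsystem_support": [
    {"operatingsystem": "RedHat", "operatingsystemrelease": ["6", "7"]},
    {"operatingsystem": "CentOS", "operatingsystemrelease": ["6", "7"]}
  ]
}
"""


class UnsupportedOSError(Exception):
    """Raised when the target OS is not in the module's supported list."""


def supported_os(metadata_json: str) -> dict:
    """Map operatingsystem -> set of supported releases.
    Assumption: an entry without operatingsystemrelease means any release."""
    metadata = json.loads(metadata_json)
    support = {}
    for entry in metadata.get("operatingsystem_support", []):
        releases = entry.get("operatingsystemrelease")
        support[entry["operatingsystem"]] = set(releases) if releases else None
    return support


def assert_metadata_os(metadata_json: str, os_name: str, os_release: str,
                       options: Optional[dict] = None) -> bool:
    """Return True if (os_name, os_release) is supported, raise otherwise.
    options models simplib::assert_metadata::options: {'enable': False}
    disables the check globally (assumed semantics)."""
    options = options or {}
    if options.get("enable", True) is False:
        return True
    support = supported_os(metadata_json)
    if not support:
        # Assumption for this example: no operatingsystem_support field
        # means the module does not constrain the target OS.
        return True
    if os_name not in support:
        raise UnsupportedOSError(f"{os_name} is not in {sorted(support)}")
    releases = support[os_name]
    if releases is not None and os_release not in releases:
        raise UnsupportedOSError(
            f"{os_name} {os_release} is not in {sorted(releases)}")
    return True


if __name__ == "__main__":
    # Major release only, matching the "6"/"7" entries in the sample.
    print(assert_metadata_os(SAMPLE_METADATA_JSON, "RedHat", "7"))
    try:
        assert_metadata_os(SAMPLE_METADATA_JSON, "Debian", "9")
    except UnsupportedOSError as err:
        print(f"rejected: {err}")
```

Pass the OS name and major release the way the target's facts report them; the failure message names the supported list so a compile that stops here tells you exactly which `metadata.json` entry would need to change.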
2.6.8.14. pupmod-simp-timezone¶
- Forked `saz/timezone` since our Puppet 4 PR was not reviewed and no other Puppet 4 support seemed forthcoming
2.6.8.15. pupmod-simp-tpm¶
- Refactoring and updates to make using the TPM module easier and safer
- Addition of an `instances` feature to the TPM provider so that `puppet resource tpm_ownership` works as expected
- Changed the `owner_pass` to `well-known` by default in `tpm_ownership`
- Removed `ensure` in favor of `owned` in `tpm_ownership`
2.6.8.16. pupmod-simp-vsftpd¶
- Changed `vsftpd` to use TLS 1.2 instead of TLS 1.0 by default
2.6.8.17. pupmod-voxpupuli-yum¶
- Added as a SIMP core module
2.6.8.18. simp-doc¶
- A large number of documentation changes and updates have been made
- It is HIGHLY RECOMMENDED that you review the new documentation
2.6.8.19. simp-rsync¶
- Removed the `simp-rsync-clamav` sub-package
  - SIMP will no longer ship with updated ClamAV DAT files
2.6.8.20. simp-utils¶
- Moved the default LDIF example files out of the `simp-doc` RPM and into `simp-utils` for wider accessibility
2.6.9. Known Bugs¶
- There is a bug in Facter 3 that causes it to segfault when printing large unsigned integers (FACT-1732)
  - This may cause your run to crash if you run `puppet agent -t --debug`
- The `krb5` module may have issues in some cases, validation pending
- The graphical `switch user` functionality does not work. We are working with the vendor to discover a solution
- The upgrade of the `simp-gpgkeys-3.0.1-0.noarch` RPM on a SIMP server fails to set up the keys in `/var/www/yum/SIMP/GPGKEYS`. This problem can be worked around by either uninstalling `simp-gpgkeys-3.0.1-0.noarch` prior to the SIMP 6.1.0 upgrade, or reinstalling the newer `simp-gpgkeys` RPM after the upgrade.
- An upgrade of the `pupmod-saz-timezone-3.3.0-2016.1.noarch` RPM to the `pupmod-simp-timezone-4.0.0-0.noarch` RPM fails to copy the installed files into `/etc/puppetlabs/code/environments/simp/modules` when the `simp-adapter` is configured to execute the copy. This problem can be worked around by either uninstalling `pupmod-saz-timezone-3.3.0-2016.1.noarch` prior to the SIMP 6.1.0 upgrade, or reinstalling the `pupmod-simp-timezone-4.0.0-0.noarch` RPM after the upgrade.
- Setting SELinux to disabled can cause the `stunnel` daemon to fail. Using the permissive mode of SELinux does not cause these issues.