2.3. SIMP Community Edition (CE) 6.3.2-0
Warning
Please see the SIMP Community Edition (CE) 6.2.0-0 Changelog for general information, upgrade guidance, and compatibility notes.
This is a bug fix release in the 6.3.X series of SIMP to address the following issues:
- SIMP-5974: Ensure that the incron-spawned puppet generate types would not overwhelm the puppet server due to an upstream bug in the incron package. This involved both pinning the incron version to a version that did not have bugs as well as reducing the footprint of the monitored files in the filesystem. See When should I run puppet generate types? for additional information.

  The version of incron that shipped with SIMP 6.3.0 did not have issues, but the update in upstream EPEL did and affects all uses of incron, not just pupmod::master::generate_types. We strongly advise that you remove the 0.5.12-6 package from your upstream repositories and use the following Hiera configuration to ensure that your SIMP 6.3.0-0 installation does not upgrade.

    ---
    yum::config_options: exclude="incron"

  Warning

  If you previously disabled pupmod::master::generate_types then be advised that you will need to manually run puppet generate types on your environments if you upgrade the puppet or puppetserver packages or if you add a new environment to your system. See When should I run puppet generate types? for additional information.
- SIMP-5480: Fix a bug in the default sssd settings where the minimum allowed uid/gid is now 1 and the maximum allowed uid/gid is now 0 to align properly with the sssd functionality.
- SIMP-5932: Allow users to specify a timeout for simp bootstrap to address slow systems.
- SIMP-5975: Allow users to specify SSL settings for the puppet server.
2.3.1. Fixed Bugs
2.3.1.1. pupmod-simp-incron
- Add Incron::Mask Data Type denoting valid incron masks
- Added support for new options starting in 0.5.12
  - Automatically strip out options not supported by earlier versions for seamless backward compatibility
- Add ability to set max_open_files ulimit
- Pin incron to 0.5.10 via data in modules since 0.5.12 as currently published in EPEL can cause catastrophic system failure.
2.3.1.2. pupmod-simp-pupmod
- Fixed issues where a large number of incron watches may overload the system.
  - The module is now extensively tested against large numbers of environments but will still cause load if a large number of environments are created at once.
- Fixed a bug where some SSL settings could not be set in the puppetserver webserver components.
  - Added the following advanced usage parameters in case users need to set parameters that are not presently managed to work around future issues:
    - pupmod::master::server_webserver_options
    - pupmod::master::ca_webserver_options
2.3.1.3. pupmod-simp-simplib
- Ensure that IPA fact does not hang indefinitely.
- Added 'defined type' lookup capability, simplib::dlookup, that provides a consistent method for retrieving defined type parameters from Hiera in an opt-in manner. (Required for fixing the stunnel bug.)
- Fixed YARD documentation issues
2.3.1.4. pupmod-simp-sssd
- Set the min_id settings across the board to 1 to match the sssd defaults, since they really have nothing to do with the target system's relationship with a centralized authentication service.
  - The original setting of the min_id or max_id settings to the login.defs defaults was a bug since, per the man page, this would preclude sssd from recognizing items outside of that range at all. The local login.defs settings (system specific) and the sssd settings (global authentication source) are unrelated to one another and should not have been bound together.
- Updated the sssd::provider::ldap_access_order parameter to support the ppolicy related options that were added in sssd 1.14.0:
  - ppolicy
  - pwd_expire_policy_reject
  - pwd_expire_policy_warn
  - pwd_expire_policy_renew
- Added pwd_expire_policy_reject to the sssd::provider::ldap::ldap_access_order default. This will deny a locked account even if access is being attempted via an SSH key.
2.3.1.5. pupmod-simp-stunnel
- Add ability for users to override stunnel::connection and stunnel::instance options either globally or by specific identified instances using the new simplib::dlookup function.
- Fixed stunnel::connection and stunnel::instance bugs:
  - sni is not applicable on EL6
  - retry is only applicable when exec is specified and needed to be translated from a boolean to yes/no
  - session is only applicable on EL6
2.3.1.6. rubygem_simp_cli
- Added a simp bootstrap option to set the wait time for the puppetserver to start during the bootstrap process.
- Adjusted the help message so that it fits within an 80-character console window.
2.3.2. Known Bugs
2.3.2.1. Upgrading from previous SIMP 6.X versions
There are known issues when upgrading from Puppet 4 to Puppet 5. Make sure you read Upgrading SIMP before attempting an upgrade.
2.3.2.2. Tlog
Tlog currently has a bug where session information may not be logged. The immediate mitigation to this is the fact that pam_tty_audit is the primary mode of auditing, with tlog and/or sudosh being in place for a better overall tracking and behavior analysis experience.

Tlog has a second bug where the application fails if a user does not have a TTY. This has been mitigated by the SIMP wrapper script simply bypassing tlog if a TTY is not present.