This release is known to work with:
- RHEL 6.8 x86_64
- RHEL 7.3 x86_64
- CentOS 6.8 x86_64
- CentOS 7.0 1611 x86_64
This release of SIMP is NOT backwards compatible with previous releases. Direct updates will not work.
At this point, do not expect any of our code moving forward to work with Puppet 3.
This is the final release of SIMP 6!
If you find any issues, please file bugs!
If you are working to integrate SIMP into Puppet Enterprise, these are the modules that you need to use since they are Puppet 4 compatible.
2.1.1. Breaking Changes Since RC1¶
Unfortunately, a few items were identified which necessitated additional breaking changes prior to the final release.
These are specifically enumerated here to make sure that they are not missed.
220.127.116.11. simp::yum Refactor¶
simp::yum class was confusing and, as we attempted to install systems
yum, we found out just how bad it was.
Fundamentally, most installations of SIMP are going to have their own repos at
some unknown location that they want to use. In ISO installations, which we can
detect, there will be a local repo and we can set the parameters accordingly
All of the old parameters have been removed, and to get back to old functionality, all that has to be done is add the following classes to nodes and adjust previous hiera settings to use the new classes:
--- classes: - 'simp::yum::repo::local_os_updates' - 'simp::yum::repo::local_simp' ---
2.1.2. RPM Installation¶
If installing from RPM, you will want to take a look at the latest
documentation. The most important thing to be aware of is that there is now
simp-adapter that must be installed with, or before, the
If you are using Puppet Enterprise, you’ll want to use the
18.104.22.168. Puppet AIO Paths¶
The system has been updated to use the Puppet AIO paths. Please see the Puppet Location Reference for full details.
22.214.171.124. SIMP Installation Paths¶
simp_rpm_helper has been added to copy the
module data into place at
/etc/puppetlabs/code if configured to do so.
On the ISO, this configuration is done by default and will be set to
auto-update for all future RPM updates. If you wish to disable this behavior,
you should edit the options in
Anything that is in a Git or Subversion repository in the
environment will NOT be overwritten by
126.96.36.199. SIMP Dynamic Content Paths¶
To ensure that SIMP dynamic content (ssh keys, generated passwords) are not
mixed with Git-managed infrastructure, the SIMP dynamic content has been moved
simp_autofiles at the top level of the environment.
This will be moved down into
/var/simp/environments for consistency in the
final 6.0.0 release.
188.8.131.52. SIMP Rsync Paths¶
The SIMP Rsync subsystem now fully supports multiple environments. All
environment-relevant materials have been moved to
/var/simp/environments/simp/rsync. Please copy the contents of that
directory if you create another environment.
184.108.40.206. SIMP Partitioning Scheme¶
SIMP no longer creates a
/srv partition on EL 6 or 7.
/var has assumed
the role of
/srv. The root partition size has been increased from 4GB
2.2.1. Root Login via Console¶
Root is no longer allowed to log into clients or the SIMP server by default.
2.2.2. SIMP Scenarios and simp_config_settings.yaml¶
We have changed the way that SIMP includes classes. There is a new top-level
variable, set in
manifests/site.pp that controls the list of classes to be
included. The goal of this change is to ease users with existing infrastructures
into using full-bore SIMP.
simp_classes.yaml has been replaced by class inclusions under
simp::scenario namespace and
simp_def.yaml has been replaced by
simp_config_settings.yaml. However, modifications should not be made to
simp_config_settings.yaml. Settings from
should be changed by either running
simp config again or be overwritten in
2.2.3. API Changes¶
Quite a few modules have had changes that make them incompatible with the Legacy SIMP stack.
We’ve attempted to capture those changes here at a high level so that you know where you are going to need to focus to validate your Hiera data, ENC hooks, and parameterized class calls.
220.127.116.11. Global catalysts and simp_options¶
SIMP Global catalysts now have a consistent naming scheme and are documented in
code in the
simp_options module. In particular, we have changed not only the
value in hiera, but every module parameter that uses this value’s name from
simp_options::trusted_nets. Other changes were less
obtrusive, for example
enable_selinux and other variations are now all
simp_options::selinux. Every Catayst is strongly typed and documented
in the module.
New catalysts are as follows:
18.104.22.168. Strong Parameter Typing¶
All SIMP provided modules should now be strong typed with Puppet Data Types.
22.214.171.124. De-Verbing of Defines¶
Many of the defined types have been renamed to no longer be ‘verb-oriented’.
iptables module is probably the widest reaching change where the
standard ‘ease-of-use’ aliases have been moved under a
iptables::tcp_stateful_listen is now
add_rule defines were changed to just
auditd::add_rule was changed to just
126.96.36.199. Centralized Management of Application x509 PKI Certs¶
In the past, application specific PKI certificates were copied into the application
space. This varied per application and left certs strewn throughout the system.
Now, certificates for all SIMP-managed applications are copied from
/etc/pki/simp/x509, into a central location,
The extent to which SIMP manages PKI is governed by two new catalysts,
pki::source. Additionally, every SIMP module which uses
has been modified to use a common set of pki class parameters. A high-level
description is given below, using simp_elasticsearch as an example.
# @param pki # * If 'simp', include SIMP's pki module and use pki::copy to manage # application certs in /etc/pki/simp_apps/simp_elasticsearch/x509 # * If true, do *not* include SIMP's pki module, but still use pki::copy # to manage certs in /etc/pki/simp_apps/simp_elasticsearch/x509 # * If false, do not include SIMP's pki module and do not use pki::copy # to manage certs. You will need to appropriately assign a subset of: # * app_pki_dir # * app_pki_key # * app_pki_cert # * app_pki_ca # * app_pki_ca_dir # # @param app_pki_external_source # * If pki = 'simp' or true, this is the directory from which certs will be # copied, via pki::copy. Defaults to /etc/pki/simp/x509. # # * If pki = false, this variable has no effect.
Keydist has been relocated to a second module path to facilitate working with
r10k. The new modulepath is located at
/var/simp/environments/, and the
default location of keydist is now
188.8.131.52. Forked modules¶
Most forked modules (modules that don’t start with ‘simp’) have been updated to latest upstream.
2.2.4. Puppet AIO¶
The latest version of the Puppet AIO stack has been included, along with an updated Puppet Server and PuppetDB.
simp RPM has been split to move the lesser-used portions of the
SIMP infrastructure into a
simp-extras RPM. This RPM will grow as more of
the non-essential portions are identified and isolated.
The goal of this RPM is to keep the SIMP core version churn to a minimum while allowing the ecosystem around the SIMP core to grow and flourish as time progresses.
|Package||Old Version||New Version|
- Removed until Foreman works consistently with Puppet 4
- Not yet ported to Puppet 4
- Functionality replaced by
- Renamed to
simp_openldapto pave the way towards using a more up-to-date implementation of the core openldap component module from the community.
- Not yet ported to Puppet 4.
- Rewritten and renamed module to
- Rewritten and renamed to
- Ensure that all rules are set to
- Changed the default failure mode to
printksince several required audit rules, such as
chownwould quickly overrun the auditd buffers on common scenarios, such as updating system packages
- Fixed an issue where the audisp
execwas breaking idempotence. Also, now ensure proper restarting of auditd when audispd is updated
- Updated the managed service list
- Several minor bug fixes and package updates
- Fixed the locations for the authconfig tools and made removal of the tools completely optional
- Fixed the cron job unlock code so that it actually work as documented
- Made it more clear to the user how to disable the force-unlock
- Fixed the removal of the auto-update cron job if disabled
- To deconflict with the upstream
simpcatfunctions were renamed to be prefaced by
- A simple find and replace of
concat_buildin legacy code with
- Be sure to check for
- Be sure to check for
aclfrom the default log levels since it was causing
slapdto hang on EL7 systems
- Fixed a bug in the
ssh::server::conf::subsystemparameter where multiple word strings would be truncated to the first word only
- Updated the
UsePrivilegeSeparationoption on EL7 to be
- Changed default value of allowed remote hosts to
ALLto prevent lockouts
simp_options::trusted_netsis set, it will be used instead
- New module for controlling the
- Added native TLS support and removed the requirement for Stunnel or IPTables redirects
- Added method to open ports through hiera.
- Generic, custom content can be specified to replace templated content by
pam::access:ruleresources can be added through hiera using the
- Added explicit support for Puppet Enterprise systems
- Restrict auditing of puppet-related files to the Puppet Server
- Moved the
runpuppetcode into its own class
- Added SIMP ‘scenarios’ which are common configurations for SIMP systems
- simp -> Full SIMP, recommended
- simp_lite -> SIMP without the scary stuff
- poss -> Just connect Puppet on the client to the server
- Updated the GPG keys in the YUM repo lists
- Removed all manifests and Puppet code from this module. It now only contains functions and custom type aliases.
- List of modules that were created or forked after removing content from
- The rest of the content was added to our profile module, simp-simp
- Added a warning if possible log looping is detected
- Added method to create
user_specificationresources through hiera
- The default service killing behavior has been set to ‘warning’. However,
simp cliwill ask for the setting during config.
- Completely updated
simp passgenwas updated to support environments.
- A bug is still allowing root to log into client systems on a console even
/etc/securettyis present and empty
krb5module may have issues in some cases, validation pending
- The graphical
switch userfunctionality does not work. We are working with the vendor to discover a solution