SIMP 5.2.0-0
This release is known to work with:
- RHEL 7.2 x86_64
- CentOS 7.0 1511 x86_64
This update is backwards-compatible for the SIMP core functionality, but contains breaking changes in some of the optional modules.
Please read this CHANGELOG thoroughly if you are using the following components:
- NFS
- KRB5
- MCollective
- ELK
SIMP 6 is Coming
Due to Puppet 3.X going EOL in December of 2016, the SIMP stack will be releasing SIMP 6 as the next major release. Among major changes:
- SIMP 6 will use Puppet 4, which is distributed as a single RPM by the Puppet all-in-one (AIO) installer.
- Starting with 6.0.0, the SIMP numbering scheme will follow Semantic Versioning 2.0.0.
- SIMP 6.0.0 and later will support all operating systems under that numbering scheme.
Manual Changes Required for Pre-5.1.0 Upgrades
Note
This only affects you if you did not have a separate partition for /tmp!
- There were issues in the `secure_mountpoints` class that caused `/tmp` and `/var/tmp` to be mounted against the root filesystem. While the new code addresses this, it cannot determine if your system has been modified incorrectly in the past.
- To fix the issue, you need to do the following:
  - Unmount `/var/tmp` (may take multiple unmounts)
  - Unmount `/tmp` (may take multiple unmounts)
  - Remove the `'bind'` entries for `/tmp` and `/var/tmp` from `/etc/fstab`
  - Run `puppet` with the new code in place
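As an added example (not code from the SIMP project), a POSIX shell check for the state this procedure cleans up: it parses an fstab file for the bind entries named above and wraps the repeated unmount. The function names and the sample fstab are constructed for this example.

```shell
# Added example (not part of the SIMP changelog): helpers for the cleanup
# procedure above. simp_tmp_bind_entries lists fstab lines that still
# bind-mount /tmp or /var/tmp (the state the old secure_mountpoints code
# left behind); simp_unmount_all repeats umount until a path is no longer a
# mount point, since stacked binds need more than one unmount.
# Function names and the sample fstab below are constructed for this example.

# Print fstab lines whose mount point is exactly /tmp or /var/tmp and whose
# options contain bind or rbind. Returns 0 if any were found, 1 if none.
# $1: path to an fstab-format file (defaults to /etc/fstab).
simp_tmp_bind_entries() {
    awk '$0 !~ /^[ \t]*#/ && NF >= 4 &&
         ($2 == "/tmp" || $2 == "/var/tmp") &&
         $4 ~ /(^|,)r?bind(,|$)/' "${1:-/etc/fstab}" | grep .
}

# Same check, but as a count for use in scripts: 0 means the file is clean.
simp_tmp_bind_count() {
    simp_tmp_bind_entries "$1" | wc -l | tr -d ' '
}

# Unmount $1 repeatedly until it is no longer a mount point (at most $2
# attempts, default 10). Returns 1 if umount fails or the limit is reached.
simp_unmount_all() {
    path="$1"; limit="${2:-10}"; n=0
    while mountpoint -q "$path"; do
        n=$((n + 1))
        [ "$n" -le "$limit" ] || return 1
        umount "$path" || return 1
    done
    return 0
}

# Constructed sample fstab showing the bad state on a host with no /tmp
# partition: /tmp and /var/tmp bound onto the root filesystem, /var/tmp twice.
SIMP_SAMPLE_FSTAB="$(mktemp)"
cat > "$SIMP_SAMPLE_FSTAB" <<'EOF'
# /etc/fstab (constructed sample)
/dev/mapper/vg-root  /         xfs   defaults                      1 1
UUID=0000-BOOT       /boot     xfs   defaults                      1 2
/tmp                 /tmp      none  rw,nodev,noexec,nosuid,bind   0 0
/var/tmp             /var/tmp  none  rw,nodev,noexec,nosuid,bind   0 0
/var/tmp             /var/tmp  none  bind                          0 0
/dev/mapper/vg-home  /home     xfs   defaults,nodev                1 2
EOF

# Report the entries that must be removed before running puppet with the
# new code; on a clean file this prints nothing and returns 1.
simp_tmp_bind_entries "$SIMP_SAMPLE_FSTAB"
```

Run the unmount helper only after confirming the entries, since the page notes that each of `/var/tmp` and `/tmp` may need more than one unmount.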
SSSD
Warning
SSSD enforces password strength at login time! This means that, should you have old passwords that do not meet the present password policy on the host, you will not be able to authenticate with your old password!
Deprecations
- The `simp-sysctl` module will be deprecated in the `6.0.0` release of SIMP. Current users should migrate to using the `augeasproviders_sysctl` module provided with SIMP going forward.
Breaking Changes
NFS
NFS now supports full integration with Kerberos via the SIMP KRB5 module, or an external KRB5 resource of your choice.
Please take time to look at the updated NFS profile code in the simp puppet module as well as the new acceptance tests for the NFS puppet module for a full understanding of the new features.
Note
The system should not enable the KRB5 and Stunnel options simultaneously.
Warning
Bugs discovered during acceptance testing found long standing issues in the NFS module that required API breaking changes to remedy. Please carefully validate your use of the NFS module as well as your Hiera data.
KRB5
The KRB5 module has been completely rewritten to support the entire KRB5 stack, including setting up a KDC and auto-creating and distributing keytabs to all nodes that are known via keydist. Please see the krb5 module documentation and the HOWTO Enable Kerberos guide for details.
MCollective
The MCollective module has been updated from the upstream repositories and the
simp::mcollective profile has been updated, per new acceptance tests, to
ensure that MCollective works out of the box. Very little input is now required
to add MCollective to your environment. All usernames and passwords are
randomly generated and you will need to pull the usage passwords out of the
system for your users to be able to connect to ActiveMQ and send commands. The
simp mcollective acceptance test provides an excellent full stack example of
using the new module.
See `simp passgen --help` for usage information.
ELK
The Elasticsearch, Logstash, and Kibana components have been updated to support Elasticsearch and Logstash 2.3. Kibana has been replaced by Grafana for its built-in LDAP and multi-tenant support.
Please see the new Elasticsearch, Logstash, and Grafana documentation for usage information.
Significant Updates
HAVEGED Installed by Default
Particularly affecting Virtual Machines, the volume of cryptographic operations
that the SIMP system performs by default was causing system entropy to run low
on a regular basis. To fix this, we have incorporated the
HArdware Volatile Entropy Gathering and Expansion Daemon (HAVEGED). The haveged
process will use a hardware RNG if present, so hardware-generated entropy is
not put at risk. We understand that no PRNG can add true cryptographic
entropy. Please read the document linked above and see the online
discussion around the suitability of HAVEGED if you have concerns.
Note
There is also now a new global catalyst `use_haveged` which is enabled by
default on SIMP systems. If you set this to `false` in Hiera, HAVEGED will
be disabled on your system(s).
ISO Auto-Boot is Now Disabled
You must now explicitly select an entry when booting the SIMP ISO. There were too many instances of the ISO being left mounted and performing a constant re-install loop without this change.
HTTPS Kickstarts
The system now encourages the use of HTTPS kickstarts by default to ensure that any potentially sensitive data is protected in transit.
Client validation is not configured in this case since the SIMP project does not dictate how you kickstart your system.
See the Configuring the Clients section of the SIMP User Guide for instructions.
UEFI Boot
The system now supports UEFI booting from the SIMP ISO. This provides better support for newer systems as well as the foundation for Trusted Boot.
Full Disk Encryption (FDE)
SIMP now provides Full Disk Encryption capabilities directly from the ISO build and within the supplied kickstart files. Please read the documentation on this capability as found in the Disk Encryption section of the SIMP Server Installation Guide.
Warning
The default FDE setup ensures that your systems will automatically boot without intervention. For better protection, please read the documentation referenced above so that you understand the ramifications of this behavior.
Puppet 4 Support
All of our modules have been tested against Puppet 4 and should work in a Puppet 4 system. SIMP will natively ship with Puppet 4 by the end of 2016.
IPSec Support via LibreSwan
A libreswan module has been added to provide IPSec support to SIMP. We are awaiting the advent of X.509-based opportunistic IPSec to have a fully automated integrated trust system. Presently, half of the connection needs to know about the remote systems for a successful IPSec connection.
Upgrade Guidance
Detailed upgrade guidance can be found in the HOWTO Upgrade SIMP portion of the SIMP User Guide.
Warning
You must have at least 2.4GB of free RAM on your system to upgrade to this release.
Note
Upgrading from releases older than 5.0 is not supported.
Security Announcements
CVEs Addressed
- CVE-2015-7331
  - Remote Code Execution in mcollective-puppet-agent plugin
- CVE-2016-2788
  - Improper validation of fields in MCollective pings
- CVE-2016-5696
  - `net/ipv4/tcp_input.c` in the Linux kernel before 4.7 does not properly determine the rate of challenge ACK segments, which makes it easier for man-in-the-middle attackers to hijack TCP sessions via a blind in-window attack.
RPM Updates
Note
The naming convention for Puppet module packages was re-codified from `pupmod-<module_name>` to `pupmod-<author>-<module_name>`. This accounts for a large number of apparent deprecations and additions in this release's RPM Updates list.
| Package | Old Version | New Version |
|---|---|---|
| clamav | 0.99-2 | 0.99.2-1 |
| clamav-data | 0.99-2 | 0.99.2-1 |
| clamav-data-empty | 0.99-2 | 0.99.2-1 |
| clamav-devel | 0.99-2 | 0.99.2-1 |
| clamav-filesystem | 0.99-2 | 0.99.2-1 |
| clamav-lib | 0.99-2 | 0.99.2-1 |
| clamav-scanner | 0.99-2 | 0.99.2-1 |
| clamav-scanner-systemd | 0.99-2 | 0.99.2-1 |
| clamav-scanner-sysvinit | 0.99-2 | 0.99.2-1 |
| clamav-server | 0.99-2 | 0.99.2-1 |
| clamav-server-systemd | 0.99-2 | 0.99.2-1 |
| clamav-server-sysvinit | 0.99-2 | 0.99.2-1 |
| clamav-update | 0.99-2 | 0.99.2-1 |
| elasticsearch [5] | N/A | 2.3.5-1 |
| elasticsearch [noarch] | 1.3.2-1 | N/A |
| es2unix | 1.6.1-0el7 | N/A |
| etcd | 2.0.11-0.SIMP | N/A |
| grafana | N/A | 3.1.1-1470047149 |
| kibana | 3.1.0.SIMP-0 | N/A |
| libevent | N/A | 2.0.21-4 |
| libreswan | N/A | 3.15-5 |
| logstash | 1.4.2-1_2c0f5a1 | 2.3.4-1 |
| logstash-contrib | 1.4.2-1_efd53ef | N/A |
| mcollective | 2.8.4-1 | 2.8.9-1 |
| mcollective-client | 2.8.4-1 | 2.8.9-1 |
| mcollective-common | 2.8.4-1 | 2.8.9-1 |
| mcollective-puppet-agent | 1.10.0-1 | 1.11.1-1 |
| mcollective-puppet-client | 1.10.0-1 | 1.11.1-1 |
| mcollective-puppet-common | 1.10.0-1 | 1.11.1-1 |
| pupmod-acpid | 0.0.1-1 | N/A |
| pupmod-aide | 4.1.0-9 | N/A |
| pupmod-apache | 4.1.1-0 | N/A |
| pupmod-auditd | 5.0.0-4 | N/A |
| pupmod-augeasproviders | 2.1.3-0 | N/A |
| pupmod-augeasproviders_apache | 2.0.1-0 | N/A |
| pupmod-augeasproviders_base | 2.0.1-0 | N/A |
| pupmod-augeasproviders_core | 2.0.1-0 | N/A |
| pupmod-augeasproviders_grub | 2.3.1-0 | N/A |
| pupmod-augeasproviders_mounttab | 2.0.1-0 | N/A |
| pupmod-augeasproviders_nagios | 2.0.1-0 | N/A |
| pupmod-augeasproviders_pam | 2.0.1-0 | N/A |
| pupmod-augeasproviders_postgresql | 2.0.1-0 | N/A |
| pupmod-augeasproviders_puppet | 2.0.1-0 | N/A |
| pupmod-augeasproviders_shellvar | 2.0.1-0 | N/A |
| pupmod-augeasproviders_ssh | 2.5.0-0 | N/A |
| pupmod-augeasproviders_sysctl | 2.1.0-0 | N/A |
| pupmod-autofs | 4.1.1-0 | N/A |
| pupmod-bfraser-grafana | N/A | 2.5.0-2016 |
| pupmod-clamav | 4.1.0-8 | N/A |
| pupmod-dhcp | 4.1.0-5 | N/A |
| pupmod-elasticsearch-elasticsearch | N/A | 0.11.0-2016 |
| pupmod-elasticsearch-logstash | N/A | 0.6.4-2016 |
| pupmod-electrical-file_concat | N/A | 1.0.1-2016 |
| pupmod-foreman | 0.1.0-1 | N/A |
| pupmod-freeradius | 5.0.0-0 | N/A |
| pupmod-ganglia | 5.0.0-0 | N/A |
| pupmod-herculesteam-augeasproviders | N/A | 2.1.3-2016 |
| pupmod-herculesteam-augeasproviders_apache | N/A | 2.0.1-2016 |
| pupmod-herculesteam-augeasproviders_base | N/A | 2.0.1-2016 |
| pupmod-herculesteam-augeasproviders_core | N/A | 2.1.1-2016 |
| pupmod-herculesteam-augeasproviders_grub | N/A | 2.3.1-2016 |
| pupmod-herculesteam-augeasproviders_mounttab | N/A | 2.0.1-2016 |
| pupmod-herculesteam-augeasproviders_nagios | N/A | 2.0.1-2016 |
| pupmod-herculesteam-augeasproviders_pam | N/A | 2.0.3-2016 |
| pupmod-herculesteam-augeasproviders_postgresql | N/A | 2.0.3-2016 |
| pupmod-herculesteam-augeasproviders_puppet | N/A | 2.0.2-2016 |
| pupmod-herculesteam-augeasproviders_shellvar | N/A | 2.1.1-2016 |
| pupmod-herculesteam-augeasproviders_ssh | N/A | 2.5.0-2016 |
| pupmod-herculesteam-augeasproviders_sysctl | N/A | 2.1.0-2016 |
| pupmod-iptables | 4.1.0-15 | N/A |
| pupmod-libvirt | 4.1.0-17 | N/A |
| pupmod-logrotate | 4.1.0-4 | N/A |
| pupmod-mcafee | 4.1.0-2 | N/A |
| pupmod-mozilla | 4.1.0-1 | N/A |
| pupmod-named | 4.2.0-9 | N/A |
| pupmod-network | 4.1.0-6 | N/A |
| pupmod-nfs | 4.4.2-0 | N/A |
| pupmod-nscd | 5.0.1-0 | N/A |
| pupmod-ntpd | 4.1.0-10 | N/A |
| pupmod-oddjob | 1.0.0-2 | N/A |
| pupmod-onyxpoint-compliance_markup | 0.1.0-0 | N/A |
| pupmod-onyxpoint-gpasswd | 1.0.0-1 | 1.0.0-2016 |
| pupmod-openldap | 4.1.4-0 | N/A |
| pupmod-openscap | 4.2.0-3 | N/A |
| pupmod-pam | 4.2.1-0 | N/A |
| pupmod-pki | 4.2.1-0 | N/A |
| pupmod-polkit | 4.1.0-2 | N/A |
| pupmod-postfix | 4.1.0-7 | N/A |
| pupmod-pupmod | 6.0.0-24 | N/A |
| pupmod-puppetlabs-apache | 1.0.1-2 | N/A |
| pupmod-puppetlabs-inifile | 1.2.0-1 | 1.5.0-2016 |
| pupmod-puppetlabs-java | 1.2.0-0 | 1.2.0-2016 |
| pupmod-puppetlabs-java_ks | N/A | 1.4.0-2016 |
| pupmod-puppetlabs-mysql | 2.2.3-1 | 2.2.3-2016 |
| pupmod-puppetlabs-puppetdb | N/A | 5.0.0-2016 |
| pupmod-puppetlabs-puppetlabs_apache | N/A | 1.0.1-2016 |
| pupmod-puppetlabs-stdlib | N/A | 4.9.0-2016 |
| pupmod-richardc-datacat | 0.6.1-0 | 0.6.2-2016 |
| pupmod-rsync | 4.2.0-5 | N/A |
| pupmod-rsyslog | 5.1.0-0 | N/A |
| pupmod-selinux | 1.0.0-5 | N/A |
| pupmod-simp | 1.2.0-0 | N/A |
| pupmod-simp-acpid | N/A | 0.0.2-2016 |
| pupmod-simp-activemq | 3.0.0-0 | 3.0.0-2016 |
| pupmod-simp-aide | N/A | 4.1.1-2016 |
| pupmod-simp-apache | N/A | 4.1.5-2016 |
| pupmod-simp-auditd | N/A | 5.0.4-2016 |
| pupmod-simp-autofs | N/A | 4.1.2-2016 |
| pupmod-simp-clamav | N/A | 4.1.1-2016 |
| pupmod-simp-compliance_markup | N/A | 1.0.0-0 |
| pupmod-simp-dhcp | N/A | 4.1.1-2016 |
| pupmod-simp-elasticsearch | 2.0.0-3 | N/A |
| pupmod-simp-foreman | N/A | 0.2.0-2016 |
| pupmod-simp-freeradius | N/A | 5.0.2-2016 |
| pupmod-simp-ganglia | N/A | 5.0.0-2016 |
| pupmod-simp-haveged | N/A | 0.3.1-2016 |
| pupmod-simp-iptables | N/A | 4.1.4-2016 |
| pupmod-simp-jenkins | N/A | 4.1.0-2016 |
| pupmod-simp-kibana | 3.0.1-5 | N/A |
| pupmod-simp-krb5 | N/A | 5.0.6-2016 |
| pupmod-simp-libreswan | N/A | 0.1.0-2016 |
| pupmod-simp-libvirt | N/A | 4.1.1-2016 |
| pupmod-simp-logrotate | N/A | 4.1.0-2016 |
| pupmod-simp-logstash | 1.0.0-6 | N/A |
| pupmod-simp-mcafee | N/A | 4.1.1-2016 |
| pupmod-simp-mcollective | 2.3.1-0 | 2.3.2-2016 |
| pupmod-simp-mozilla | N/A | 4.1.1-2016 |
| pupmod-simp-named | N/A | 4.3.1-2016 |
| pupmod-simp-network | N/A | 4.1.1-2016 |
| pupmod-simp-nfs | N/A | 4.5.2-2016 |
| pupmod-simp-nscd | N/A | 5.0.1-2016 |
| pupmod-simp-ntpd | N/A | 4.1.0-2016 |
| pupmod-simp-oddjob | N/A | 1.0.0-2016 |
| pupmod-simp-openldap | N/A | 4.1.8-2016 |
| pupmod-simp-openscap | N/A | 4.2.1-2016 |
| pupmod-simp-pam | N/A | 4.2.5-2016 |
| pupmod-simp-pki | N/A | 4.2.3-2016 |
| pupmod-simp-polkit | N/A | 4.1.0-2016 |
| pupmod-simp-postfix | N/A | 4.1.3-2016 |
| pupmod-simp-postgresql | N/A | 4.1.0-2016 |
| pupmod-simp-pupmod | N/A | 6.0.5-2016 |
| pupmod-simp-rsync | N/A | 4.2.2-2016 |
| pupmod-simp-rsyslog | N/A | 5.1.0-2016 |
| pupmod-simp-selinux | N/A | 1.0.3-2016 |
| pupmod-simp-simp | N/A | 1.2.7-2016 |
| pupmod-simp-simp_elasticsearch | N/A | 3.0.1-2016 |
| pupmod-simp-simp_grafana | N/A | 0.1.0-2016 |
| pupmod-simp-simp_logstash | N/A | 2.0.0-2016 |
| pupmod-simp-simpcat | N/A | 5.0.1-2016 |
| pupmod-simp-simplib | N/A | 1.3.1-2016 |
| pupmod-simp-site | N/A | 2.0.1-2016 |
| pupmod-simp-snmpd | N/A | 4.1.0-2016 |
| pupmod-simp-ssh | N/A | 4.1.10-2016 |
| pupmod-simp-sssd | N/A | 4.1.3-2016 |
| pupmod-simp-stunnel | N/A | 4.2.7-2016 |
| pupmod-simp-sudo | N/A | 4.1.2-2016 |
| pupmod-simp-sudosh | N/A | 4.1.1-2016 |
| pupmod-simp-svckill | N/A | 1.1.3-2016 |
| pupmod-simp-sysctl | N/A | 4.2.0-2016 |
| pupmod-simp-tcpwrappers | N/A | 4.1.0-2016 |
| pupmod-simp-tftpboot | N/A | 4.1.2-2016 |
| pupmod-simp-tpm | N/A | 0.1.0-2016 |
| pupmod-simp-upstart | N/A | 4.1.2-2016 |
| pupmod-simp-vnc | N/A | 4.1.0-2016 |
| pupmod-simp-vsftpd | N/A | 5.0.4-2016 |
| pupmod-simp-windowmanager | N/A | 4.1.2-2016 |
| pupmod-simp-xinetd | N/A | 2.1.0-2016 |
| pupmod-simp-xwindows | N/A | 4.1.1-2016 |
| pupmod-simpcat | 5.0.0-0 | N/A |
| pupmod-simplib | 1.2.2-0 | N/A |
| pupmod-site | 2.0.0-3 | N/A |
| pupmod-snmpd | 4.1.0-5 | N/A |
| pupmod-ssh | 4.1.2-0 | N/A |
| pupmod-ssh-augeas-lenses | 4.1.2-0 | N/A |
| pupmod-sssd | 4.1.2-0 | N/A |
| pupmod-stunnel | 4.2.1-0 | N/A |
| pupmod-sudo | 4.1.0-3 | N/A |
| pupmod-sudosh | 4.1.0-4 | N/A |
| pupmod-svckill | 1.1.0-0 | N/A |
| pupmod-sysctl | 4.2.0-0 | N/A |
| pupmod-tcpwrappers | 3.0.0-3 | N/A |
| pupmod-tftpboot | 4.1.0-9 | N/A |
| pupmod-tpm | 0.0.1-10 | N/A |
| pupmod-upstart | 4.1.0-5 | N/A |
| pupmod-vnc | 4.1.0-4 | N/A |
| pupmod-vsftpd | 5.0.0-2 | N/A |
| pupmod-windowmanager | 4.1.0-3 | N/A |
| pupmod-xinetd | 2.1.0-5 | N/A |
| pupmod-xwindows | 4.1.0-4 | N/A |
| puppetlabs-java_ks | 1.4.0-0 | N/A |
| puppetlabs-postgresql | 4.1.0-1.SIMP | N/A |
| puppetlabs-puppetdb | 5.0.0-0 | N/A |
| puppetlabs-stdlib | 4.9.0-0.SIMP | N/A |
| rubygem-net-ldap | N/A | 0.6.1-2 |
| rubygem-net-ldap-doc | N/A | 0.6.1-2 |
| rubygem-simp-cli | 1.0.16-0 | 1.0.20-0 |
| rubygem-simp-cli-doc | 1.0.16-0 | 1.0.20-0 |
| simp | 5.1.0-3 | 5.2.0-0 |
| simp-bootstrap | 5.2.1-4 | 5.3.2-0 |
| simp-doc | N/A | 5.2.0-0 |
| simp-utils | 5.0.0-8 | 5.0.1-1 |
| unbound-libs | N/A | 1.4.20-26 |
RPM Deprecations
- pupmod-simp-kibana
- Replaced by pupmod-simp-simp_grafana (SIMP profile) and pupmod-bfraser-grafana (upstream component)
- pupmod-simp-elasticsearch
- Replaced by pupmod-simp-simp_elasticsearch (SIMP profile) and pupmod-elasticsearch-elasticsearch (upstream component)
- pupmod-simp-logstash
- Replaced by pupmod-simp-simp_logstash (SIMP profile) and pupmod-elasticsearch-logstash (upstream component)
Fixed Bugs
pupmod-simp-apache
- Fix `munge_httpd_networks` to work properly with Ruby >= 1.9
- Ensure that non-SIMP PKI certificates are copied recursively
- Add an explicit default deny to the `apache_limits()` function
pupmod-simp-auditd
- Fix the default audit locations for `wtmp` and `btmp` in the audit rules
- Ensure that audit file locations themselves can be dynamically audited
- Added an audit rule for `renameat` to comply with CCE-26651-0
pupmod-simp-freeradius
- Fixed scoping issues with variables
- Updated the code to work around incompatibilities with integers in class names
pupmod-simp-iptables
- Removed the custom type warning in IPTables when used with Puppet 4
- Fixed a regex rule in Ruby 1.8 (EL6) that caused some rules to be dropped silently
- Changed the default provider for iptables services to `'redhat'` because the Puppet default was not functional
pupmod-simp-named
- Created work-around for https://bugzilla.redhat.com/show_bug.cgi?id=1278082
- Added a named::install class and fixed the ordering across the board
pupmod-simp-nfs
- Several breaking changes were made
- Stunnel and KRB5 should not be used at the same time
- Removed the `create_home_dirs` cron job and migrated it to the pupmod-simp-simp module
pupmod-simp-openldap
- Fixed certificate location references in the `pam_ldap` configuration file
- Removed the dependency on the `ruby-ldap` package
- Ensure that `Exec[bootstrap_ldap]` is idempotent
- Ensure that TLS support can be toggled in the `openldap::client` class
pupmod-simp-pki
- Removed the custom type warning in `simp::pki` when used with Puppet 4
- Fixed permissions flapping in `pki_cert_sync`
pupmod-simp-pupmod
- Ensure that the `use_iptables` global catalyst is honored
- Limited the Java heap size used by the Puppetserver to not exceed 12G of RAM due to a bug in Trapperkeeper. This will be lifted once we move to Puppet 4.
pupmod-simp-rsync
- Changed the default provider for iptables services to `'redhat'` because the Puppet default was not functional
- Ensure that the `client_nets` global catalyst is properly honored
pupmod-simp-simp
- Set `svckill` to ignore `quotaon` and `messagebus` by default
pupmod-simp-simpcat
- Ensure that the client `vardir` is used instead of the server variable
pupmod-simp-simplib
- Remove the custom type warnings from `ftpusers`, `reboot_notify`, and `script_umask`
- Fixed an `nsswitch` edge case that conflicted with `sssd`
- Added the `gdm_version` fact from the `xwindows` module
- Ensure that `tmpwatch` is installed on EL6 systems
pupmod-simp-sssd
- Ensure that the LDAP default certificates are set if using TLS and LDAP
pupmod-simp-stunnel
- Ensure that all global catalysts are disabled when appropriate
- The chroot'd PKI certificates were not ordered correctly against the `pki` module when in use
pupmod-simp-svckill
- Remove the custom type warnings from the custom type
- `svckill::ignore` should not include `svckill` by default
pupmod-simp-upstart
- Ensure that the `job.erb` file kept all hash keys ordered
simp-cli
- Ensure that `simp passgen` can use the correct path by default
- Fixed several issues in the `simp` command with command line parsing
New Features
pupmod-bfraser-grafana
- Initial import of the Grafana module into the SIMP ecosystem
pupmod-elasticsearch-elasticsearch
- Updated to the 0.11.0 version of the upstream module
pupmod-elasticsearch-logstash
- Updated to the 0.6.4 version of the upstream module
pupmod-puppetlabs-inifile
- Updated to the 1.5.0 upstream module
pupmod-richardc-datacat
- Update to version 0.6.2
pupmod-simp-simp_elasticsearch
- First release of the rewritten SIMP Elasticsearch component profile (to be used in conjunction with the pupmod-elasticsearch-elasticsearch module)
pupmod-simp-simp_grafana
- Initial release of the SIMP Grafana component profile (to be used in conjunction with the pupmod-bfraser-grafana module)
pupmod-simp-haveged
- First release of the SIMP HAVEGED module (which is a fork of the moding/haveged module)
pupmod-simp-krb5
- Full module update
- Supports auto-creation of KRB5 keytabs for all systems
- Added a native type `krb5kdc_auto_keytabs` to autogenerate keytabs from the SIMP resident PKI certificates
pupmod-simp-simp_logstash
- First release of the rewritten SIMP Logstash component profile (to be used in conjunction with the pupmod-elasticsearch-logstash module).
pupmod-simp-mcollective
- Our fork of the upstream MCollective module was updated to version 2.3.2
pupmod-simp-named
- Users can modify the chroot path in named-chroot.service
- Added a `named::install` class and fixed the ordering across the board
pupmod-simp-nfs
- Incorporated KRB5 support (optional)
- Fixed numerous logic errors and typos during acceptance testing
pupmod-simp-pam
- Added support for pam_tty_audit
pupmod-simp-selinux
- Ensure that `policycoreutils-python` is installed by default
pupmod-simp-simp
- Ensure that `SSLVerifyClient` can be controlled in `ks.conf`
- Use HTTPS YUM repos by default
- Added the `create_home_dirs` script that used to be in the `nfs` module
pupmod-simp-ssh
- Added haveged for entropy generation
- Ensure that `semanage` is used to handle non-standard ports
- Added an `openssh_version` fact
- Modified kex algorithm:
  - No longer set kex prior to openssh v 5.7
  - Curve25519 kex only set in openssh v 6.5+
pupmod-simp-windowmanager
- Ensure that the login banner works in EL7
- Add the ability to remove the login button in Gnome 3
pupmod-simp-xwindows
- Remove the `gdm_version` fact (to be placed in `simplib`)
simp-bootstrap
- Documented the `hostgroup` Hiera usage in the `hieradata/` directory
- Recommendation for SHA512 password hashes to be generated for `local` users
- Added a `site_files/` directory in the `simp` environment that will be used for all generated files and is intended to be excluded from management by r10k or Code Manager. This may need to be moved again in SIMP 6.
simp-cli
- Removed the deprecated `simp check` command
simp-core
- Incorporated the ELG stack in the list of included modules
- Added `haveged` to the stack for persistent entropy
- Enable HTTPS kickstarts by default
- Fall back to unvalidated YUM HTTPS connections by default so that new systems do not have to be bootstrapped with a trusted CA certificate. Our packages are signed, so this should not be an issue.
simp-doc
- Full restructure of the documentation to be less confusing and more concise for new users.
DVD
- Disable ISO auto-boot
- Support UEFI Booting
- Ensure that FIPS can be disabled at initial build
- Provide an option for FDE directly from the ISO
Known Bugs
- If you are running libvirtd, when `svckill` runs it will always attempt to kill dnsmasq unless you are deliberately trying to run the dnsmasq service. This does not actually kill the service but is, instead, an error of the startup script and causes no damage to your system.