2.7. SIMP Community Edition (CE) 6.2.0-0
This release is known to work with:
RHEL 6.9 x86_64
RHEL 7.4 x86_64
CentOS 6.9 x86_64
CentOS 7.0 1708 x86_64
SIMP CE is expected to migrate to Puppet 5 on, or before, October 30 2018. We have not noticed any issues with the latest versions of Puppet 5, but it is taking time to update all of our tests to work with Puppet 5 for full coverage.
At that point, all vendor support for Puppet 4 will be discontinued, as will SIMP CE support for Puppet versions prior to 4.10.4.
SIMP CE will no longer provide any support for Puppet 4 after June 30 2019.
2.7.1. Breaking Changes
This release of SIMP CE is NOT backwards compatible with the 4.X and 5.X releases. Direct upgrades will not work!
At this point, do not expect any of our code moving forward to work with Puppet 3.
If you find any issues, please file bugs!
2.7.2. Significant Updates
Due to various issues with earlier releases of Puppet, SIMP CE will now ship with, and support, Puppet 4.10.4+.
It is strongly recommended that users upgrade their systems as soon as they are able.
SIMP will begin supporting Hiera v5 out of the box as of SIMP 6.3. This is mainly to facilitate compliance enforcement in the infrastructure, since various versions of Puppet 4 do not work properly with Hiera v3 and enforcement.
No changes will be made to existing configurations, but compliance enforcement from the compliance_markup module will not work until an upgrade to Hiera v5 is complete.
UEFI systems should now be fully supported. Please note that you may need to adjust your tftpboot settings to handle your specific UEFI system, since they are not as universal as the legacy BIOS entries.
Many module updates simply added support for Puppet 5 and Oracle Enterprise Linux. These changes will not be listed individually below.
Likewise, many modules were updated simply to improve tests. These improvements will also not be noted below.
The simp_gitlab module no longer supports EL6. This is due to integration issues with GitLab that cannot be readily fixed by the module maintenance team alone. The EL community has shown no interest in fixing minor issues with EL6 in the GitLab platform.
2.7.4. RPM Updates
toml rubygem as an RPM for use with the
Updated to the latest 5.X release of Elasticsearch and Logstash
Updated the ClamAV packages to 0.100.0-2
Removed clamav-data-empty, which is no longer used
2.7.5. Removed Modules
2.7.5.1. pupmod-simp-mcollective and pupmod-simp-activemq
Puppetlabs no longer supports MCollective, so SIMP has removed the pupmod-simp-mcollective and pupmod-simp-activemq modules that support MCollective.
The jenkins module has not been updated in quite some time, and it is unknown if it works with current versions of Jenkins since the team has moved to GitLab CI.
This module has not been updated and probably does not work with the latest McAfee products, so it has been removed from the distribution.
This RPM has been removed, as it is no longer a dependency of any SIMP modules.
2.7.6. Security Updates
The PKI certificates in /etc/pki/simp_apps are now purged by default so that unmanaged certificates are not available if the system is repurposed.
2.7.7. Fixed Bugs
Added /etc/logrotate.simp.d to default rules.
Ensure that the package install comes before dependent
cron command to be customized.
Fixed several incorrectly typed parameters
Consolidated several duplicate entries
IPT: message start to
Synchronized CentOS and RHEL STIG settings
Fixed the permissions on the systemd to remove logged errors.
Matched RPM permissions based on STIG requirements.
Updated to match the
ignore parameter on input and output interfaces
scanblock rule ordering to properly ban all hosts that are blocked by the rules.
Fixed some issues in the chain retention and optimization code that would cause iptables to fail to reload in some cases.
Fixed compilation failures if proto was specified in the defaults section of the options Hash.
Fixed an issue where a jump target went to an empty ruleset and the chain was dropped.
Retained all native IPTables jump points by default.
Added a deep rule comparison on rulesets that are identical based on simple checks.
Remediated potential memory leaks.
Fixed ordering issues when used with
Matched RPM permissions based on STIG requirements.
Ensure idempotency by working around the fact that modprobe changes '-' to '_'.
Properly override the systemd service file for named-chroot instead of modifying the vendor-provided service file.
Fixed a bug where ntpd::ntpd_options was not applied to
Change the minimum allowed UID to the one defined in /etc/login.defs by default, or 1000 if nothing else is defined.
Replace the removal of authconfig-tui with the use of an authconfig no-op script, so that tools using authconfig do not break.
Added changes to support the settings required by the STIGs.
Match the RPM-supplied file permissions, as required by the STIG.
Allow modification of the deny rules for supported
$pki_cacerts_all's auth rule from
Modified the default max_active_instances configuration to be safer by default.
Make the Puppet Server service name dynamic to work properly with both PE and FOSS Puppet.
Properly disable the puppet service if running in cron mode. This was not disabled before and could contribute to a "thundering herd" issue.
Fixed the Java tmpdir path for the puppetserver, which allows runs on systems that have been pre-hardened.
concat ordering to be numeric due to a bug in puppetlabs-concat that reverses the order from the native type provided by the same module.
Use double quotes to allow evaluation of line returns in strings.
systemd service override that fixes an ordering problem with older versions of
Fixed a bug that did not allow a TLS-encrypted server to be configured to forward to a follow-on unencrypted rsyslog server.
Fixed a bug where removing rsyslog::rule statements from the catalog would not cause the rsyslog service to restart.
Clarified documentation around adding files to
$selinux::ensure now defaults to enforcing and is used across the board instead of $simp_options::selinux, which never behaved as designed.
Fixed a bug where if the puppet_settings fact did not exist, users in the
rm -rf any path.
Fixed the certificate cleaning sudo rule to point to
prelink is fully disabled when the system is in FIPS mode, since the two are incompatible.
portreserve service so that there would no longer be any service restart flapping.
Fixed the permissions on the ctrl-alt-del-capture service file so that warnings would no longer be logged.
Replace the deprecated runpuppet script with client Puppet bootstrap scripts, which will not be inappropriately killed by systemd when executed in highly loaded environments. These scripts allow the systemd timeout to be specified and provide better error handling and logging.
On systems with systemd, set the host name in the client Puppet bootstrap scripts to prevent issues that can arise when a dhcp lease expires. Not setting the hostname could cause the generated Puppet configuration for the client to use localhost as the client's hostname.
Ensure that running on unsupported operating systems is completely safe.
No longer deviate from vendor RPM default permissions, per the STIG.
Changed the permissions of
Removed the explicit setting of the sudo::user_specification resources to let the updated module defaults handle setting
Fix the ownership of the configuration files to use the owner variable instead of the group variable for user ownership.
Add a missing
Fixed the git
Dropped all support for CentOS 6 due to issues that kept cropping up during integration and the overall lack of support from EL upstream to fix minor bugs.
Automatically opt out of the GitLab data collection service in accordance with NIST 800-53r4 AC-20(1) and SC-38.
Ensure that users can fully disable autofs if they choose to.
puppet_settings fact so that the different sections are appropriately filled out. If not updated, this has been shown to cause the puppetserver process to be unable to restart on package update.
runlevel enforcement so that it activates properly when called. Previously, no action would be taken on the running system.
Added logic to prevent respawn of systemctl isolate if already in progress.
Added a configurable timeout for changing runlevels based on issues discovered in the field with systemctl.
Fixed bugs in the EL6 runlevel persistence where, in some cases, the runlevel line might not be added to /etc/inittab.
stunnel startup scripts to ensure that they will always execute.
Only display errors when errors occur during startup.
Ensure that the stunnel service name is set correctly in all instances, so that
Add the simp_client_bootstrap service to the ignore list; otherwise, svckill will kill the bootstrap process of SIMP clients.
Fixed issues with the
IPv4 needed to be set as a flag and the banner needed to be eliminated from the connection.
Move to the updated OS facts for less fragility.
Update several messages to be clearer to the user.
Fix setting GRUB passwords on EL6.
Fix ownership and permission issues on created files.
Validate all Puppet code present prior to bootstrapping.
Fixed various logging issues.
Improved validation and error handling.
simp passgen processing of all password files and improved password generation.
Properly detect Puppet Enterprise on a system and avoid conflicting operations.
Fixed some tests that were not safe to run on real operating systems.
Enabled GPG checking for the ISO-configured local filesystem repository by default
Fixed errors in the
Improved detection of SSD devices using the
simp-big-disk-crypt kickstart options in EL7
No longer install prelink at kickstart time
Fixed EFI support on the ISO releases
Removed EL7 references to function keys, which are no longer honored
Fixed the boot directory when fips is enabled on the ISO
Remove OBE MCollective references
Fixed issues in the sample
Fixed several broken links
Made the installation guide more user friendly by rearranging the content
dist macro to the package name
/var/simp/environments/simp/site_files/pki_files and set the permissions appropriately. This fixes the failure of simp bootstrap on systems where the umask has already been set to
FakeCA config files were marked as such in the RPM so that they will not be overwritten on RPM upgrade.
Fixed a bug where the cacertkey file was not being generated in the correct location at install time.
simp_options::selinux from the scenario hieradata.
Force a run of
Fully support UEFI booting.
2.7.8. New Features
More closely aligned with the latest SSG STIG content.
Added a module for managing
Allow users to define entries for incron system tables from Hiera.
Added a native type incron_system_table to allow for client-side path glob expansion.
kmod::load instead of a Ruby script to load the kernel module
libvirt_br_netfilter_loaded fact to determine if the br_netfilter kernel module is loaded
Moved SIMP-specific logrotate rules to a SIMP-managed configuration directory, /etc/logrotate.simp.d, and ensured logrotate processes that directory first. This ensures that SIMP rules take priority when duplicate rules are specified (e.g., OS and SIMP rules for
stunnel connections to use stunnel::instance so that they are not interrupted due to issues with the global
Added the ability to tweak stunnel parameters for all NFS connections.
Ensure that all stunnel services used with NFS are now dependencies of the remote filesystem servers actually being active.
Added the ability to set nfs::client::mount::autodetect_remote to override all autodetection of whether or not the remote system is the local NFS server.
nfs::client::mount::stunnel to allow users to dictate the stunnel state for individual connections.
Added optional management of the
$package_ensure parameter to control the
Added management of
concat resource ordering is set in
oscap fact to collect the following: OpenSCAP Version; OpenSCAP Supported Specifications; OpenSCAP Profiles from
Added the ability to set
Set the default
Allow users to change the password hashing algorithm.
Allow users to toggle password enforcement for the
/etc/pki/simp_apps by default to clean up old certificates and allow users to move this directory target.
Added a new $pki::certname parameter that controls the name of the certificates in keydist that will be copied to the client. This is, by default, set to $trusted['certname'] but can be changed so that users can pull other certificates by default.
Changed the CA certificate source to be a
https endpoints can be specified.
incron hooks that will automatically run puppet generate types on your server when environments or native types are updated in any environment.
resolv.conf files from being written.
prelink if it is not enabled.
Added support for connecting to
simp::mcollective class due to global deprecation.
Removed group management for the root user based on feedback.
Set the ownership and permissions of /etc/puppet/puppetdb.conf so that systems that already have the
simp::netconsole class to allow users to configure the netconsole kernel parameter for boot time logging.
Split out the runpuppet logic into a bootstrap_simp_client script to be separate from the startup scripts and work around issues with
Added an exponential backoff to the bootstrap_simp_client script to handle cases where a lot of servers are being built at the same time.
Added Microsoft Windows support to the module that changes where the simp.version file is placed on that platform.
Multiple minor updates, mostly surrounding the updates to simp/iptables, to make it work better with
Added support for the new GitLab 10+ LDAP options, specifically for TLS.
Added documentation regarding
rubygem-puppetserver-toml for use with the
Initial release of a module for managing
Does not currently manage
Added the ability to force mounts to point to a remote host.
Allow users to set the GID values in the
Use concat numeric ordering to allow placement of new modifications in a predictable and reliable order.
simp_options::gid since several modules required a consistent parameter set for enforcing these items globally.
$simp_options::selinux since it never worked as designed and was not required by more than one module. This is not considered a breaking change since it effectively never had any effect on the system anyway.
Simplib::Domain data type that validates DNS domains against the TLD restrictions from RFC 3968, Section 2.
login_defs custom fact that returns a structured fact for the entire contents of
ipa fact that returns information about connectivity to an
prelink fact to determine whether or not prelink is installed on the system.
simplib::ldap::domain_to_dn function to allow users to decide whether or not they want to upcase the returned LDAP attribute strings.
simplib::reboot_notify class to allow users to easily toggle global
Allow users to set the log level on
init_ulimit to allow it to work properly with puppet generate types.
simplib::hash_to_opts function which turns a
String that mirrors a usual shell command.
simplib::install defined type that allows package management based on a supplied
simplib::module_exist function to detect the existence of a module.
systemctl is never spawned more than once when attempting to change the system
Fixed an issue in EL6 runlevel persistence where the line may not be written to
GSSAPIAuthentication is disabled if the host is on an
Moved all management of the /etc/ssh/ssh_config file to use the ssh_config augeas provider. Management of all SSH configuration files is now done consistently.
Removed the no longer required
Added parameter management to the sshd_config to align with the STIG requirements.
Default to not configuring RhostsRSAAuthentication in sshd_config for versions of OpenSSH that no longer allow that option.
Updated to use the login_defs fact to determine the default
Added a defined type for connecting to an
Added tests for connecting to Active Directory and updated the configuration settings appropriately.
sssd permissions with the RPM defaults.
instance logic away from the global
Added a native type that cleans up all instances that may have been abandoned by
Added parameters to allow controlling
Added both the short
fqdn to the user access control by default.
Update the user_specification define to not accept an empty hostlist.
Added support for UEFI PXE boot
tftpboot root directory from
/var/lib/tftpboot to match the expectations of SELinux and the STIG.
tftpboot::tftpboot_root_dir parameter to allow users to override the root directory location.
Moved the policy
systemd unit files to
Ensure that the IMA service only starts on reboot instead of during a Puppet run.
IMA checks by default to make the impact lighter on a standard system.
Set the min and max GID based on what is in login.defs, and default to something sensible for the platform.
Added logic to auto.cfg to use OS-specific GPG keys in simp_filesystem.repo.
Client kickstart files were updated to use the latest simp::server::kickstart API and to provide support for UEFI PXE boot
EL6 kickstart files were updated to more closely match the EL7 kickstart files
Added a SIMP 6.1.0 to 6.2.0 upgrade guide
Added SIMP on AWS documentation
Added a HOWTO for IPA client enrollment
Added a HOWTO for customizing settings for SSH
Added documentation on how to disconnect from
Updated the documentation for UEFI PXE booting.
Clarified certificate management
Restructured pages for better navigation
Updated the contributors guide to describe the development workflow in more detail
Added a SIMP-vendored version of r10k that lives at /usr/share/simp/bin/r10k to ensure that a known version of r10k is present on the system at all times. User PATH environment variables are not updated, so that command must be called directly.
2.7.9. Known Bugs
There is a bug in Facter 3 that causes it to segfault when printing large unsigned integers - FACT-1732
This may cause your run to crash if you run puppet agent -t --debug
krb5 module may have issues in some cases; validation pending
switch user functionality appears to work randomly. We are working with the vendor to discover a solution.