2.6. SIMP Community Edition (CE) 6.3.0-0¶
This release is known to work with:
CentOS 6.10 x86_64
CentOS 7.0 1804 x86_64
OEL 6.10 x86_64
OEL 7.5 x86_64
RHEL 6.10 x86_64
RHEL 7.5 x86_64
The flagship feature for SIMP 6.3.0 is full compatibility with Puppet 5 and Hiera 5.
The versions of Puppet targeted are those delivered with Puppet Enterprise 2018:
Puppet Server: 5.3.X
Puppet Agent: 5.5.X
A much wider range of versions is used for unit and acceptance testing. See
.gitlab_ci.yml file in each module to see what versions it has been tested
Puppet 4 is no longer supported as of SIMP 6.3. Users can continue with the SIMP 6.2 release and can obtain commercial support if further Puppet 4 support is required.
From this point on, all components are tested against Puppet 5 and Puppet 4 support may be removed from any module as a non-breaking change at any time.
2.6.1. 6.3.0-0 Errata¶
An upstream bug in the incron package, caused the
pupmod::master::generate_types code to spin into an infinite loop if the
incron package was updated to
0.5.12-6 as published in EPEL.
This bug affects all uses of incron, not just
pupmod::master::generate_types. We strongly advise that you remove the
0.5.12-6 package from your upstream repositories and use the following
Hiera configuration to ensure that your SIMP
6.3.0-0 installation does not
--- yum::config_options: exclude="incron"
If you previously disabled
pupmod::master::generate_types then be
advised that you will need to manually run
puppet generate types on your
environments if you upgrade the
puppetserver packages or
if you add a new environment to your system.
See the When should I run puppet generate types? for additional information.
2.6.2. Breaking Changes¶
Upgrading from Puppet 4 and earlier versions of Hiera requires some preparation. Please be sure to read Upgrading SIMP carefully.
While Hiera 5 is fully compatible with Hiera 3, there have been some configuration changes to utilize new capabilities.
/etc/puppetlabs/puppet/hiera.yamlfile, which defines the hierarchy used to search for parameter values, has been moved to the environment level to utilize the ability to have a unique
hiera.yamlconfiguration per environment.
The default data directory has been renamed from
datato match Hiera 5 conventions.
You should review the puppet documentation for upgrading to Hiera 5 to learn how to upgrade any custom modules or backends that you have created.
2.6.3. Significant Updates¶
The following items were removed as dependencies for the
simp RPM and added
as dependencies on the
simp-extras RPM since they are not used by the
default SIMP configuration:
Sudosh has been replaced by Tlog as the default for logging privileged user activities. The default command for a user to switch to privileged access is now:
sudo su - root
188.8.131.52. Package Installation Settings¶
Several of the SIMP modules have been updated to use the
simp_options::package_ensure setting as the default for package resource
ensure state. The default for
simp_options::package_ensure is installed.
This will change the default behavior of some modules that were previously
hard-coded to latest. This will not affect anything that was explicitly set.
This change makes the SIMP modules consistent and allows the administrator to set the default across the system with one variable. Also, by setting the default to installed packages will be updated only if the administrator has explicitly set the variable to latest.
This does not affect the nightly cron job that updates all packages on
the system and it is recommended that you change this to
latest and rely
on prudent repository management.
See Nightly Updates for additional information.
The following modules were updated:
184.108.40.206. Oracle Enterprise Linux¶
The testing of the modules on Oracle Enterprise Linux was expanded and automated.
2.6.4. RPM Updates¶
220.127.116.11. ELG Stack¶
The application RPMs for Elasticsearch, Logstash, and Grafana will no longer be delivered with the SIMP ISO. Updates in the same major version of Elasticsearch and Logstash have been shown to randomly corrupt data and are therefore too dangerous to potentially drop into upstream repositories by default. Users must now download their own ELG packages.
2.6.5. Removed Modules¶
There was not enough time to get the
freeradius components updated
sufficiently for Puppet 5 prior to release. This module may reappear in
future releases if there is significant demand.
2.6.7. Fixed Bugs¶
Reverted back to using the native service provider for the auditd service
Allowed users to opt-out of hooking the audit dispatchers into the SIMP rsyslog module using auditd::config::audisp::syslog::rsyslog = false or, alternatively, setting simp_options::syslog = false.
Added a write_logs option to the auditd_class and multiplex between the log_format = NOLOG setting and write_logs = false since there were breaking changes in these settings after auditd version 2.6.0.
Added support for log_format = ENHANCED for auditd version >= 2.6.0. Older versions will simply fall back to RAW.
Removed unnecessary dependencies from metadata.json. Now, when users install auditd stand-alone i.e. puppet module install, they will not have extraneous modules clutter their environment.
Allowed users to set the ‘ensure’ state of their client mount points in case they don’t want them to be mounted by default.
Updated templates to use RainerScript for rsyslogd V8 and later
Fixed the MainMsgQueueDiscardMark and MainMsgQueueWorkerThreads parameters
Updated rsyslog::rule::remote to select a more intelligent default for StreamDriverPermittedPeers when TLS is enabled. This improvement fixes the bug in which forwarding of logs to servers in different domains was not possible within one call.
Added logic to properly handle rsyslogd parameters for V8.6 and later as documented in CentOS 7.5 Release notes. These include moving -x and -w options to global.conf and issuing deprecation warning for -l and -s options.
Fixed bug in resource ordering of pki::copy and grafana::service
Used simplib::passgen() in lieu of deprecated passgen()
Workaround for upstream bug where OEL6 logstash::service_provider must be set.
Made directory where logs are gathered configurable and make rules that organize them configurable.
Updated simp_rsyslog::forward to allow configuration of the StreamDriverPermittedPeers directive in the forwarding rule actions for the remote rsyslog servers. This allows the user to set the correct StreamDriverPermittedPeers value when the default value is incorrect (e.g., when IP addresses are used in simp_rsyslog::log_servers or simp_rsyslog::failover_servers and one or more of those servers is not in the same domain as the client).
Removed redundant rules for sudosh since the puppet module will correctly take care of adding those rules.
Added support for tlog since it will be commonly replacing sudosh across the SIMP infrastructure.
Fixed bug where uid_min would throw errors under operating systems without /etc/login.defs.
Fixed bug where simplib_sysctl would throw an undefined method error on non-Linux OS’s. (both those with sysctl (MacOS X) and without (Windows))
Fixed bug with the boot_dir_uuid fact where it would throw an error if running on a system without a /boot partition (like a container).
Ensure that reboot_notify updates resources based on a modified ‘reason’
Hardened all ssh_host_* keys for security and compliance
Enabled support for Default of cmnd type in sudoers file.
Added 7.5 RHEL services to svckill::ignore_defaults list for EL7.
Updated ‘simp config’ to support environment-specific Hiera 5 configuration provided by SIMP-6.3.0.
Assumes a legacy Hiera 3 configuration, when the ‘simp’ environment only contains a ‘hieradata’ directory.
Assumes a Hiera 5 configuration configuration, when the ‘simp’ environment contains both a ‘hiera.yaml’ file and a ‘data/’
Fixed simp bootstrap errors in puppetserver 5+:
No longer overwrites web-routes.conf (fix fatal config errors)
No longer adds -XX:MaxPermSize for Java >= 8 (fix warnings)
The trusted_server_facts was removed in Puppet 5.0.0. The presence of this setting will cause each puppet run to emit the warning:
Warning: Setting trusted_server_facts is deprecated.
This patch causes simp config to quietly remove the setting if it is present and Puppet is version 5 or later.
2.6.8. New Features¶
18.104.22.168. pupmod-simp-x2go and pupmod-simp-mate¶
These modules are used to configure the x2go client and server to allow for remote access to desktops and servers. This is an alternative to VNC. An example configuration is documented in the Graphical Remote Access documentation.
This module configures Tlog for logging privileged user activities. Both sudosh and Tlog are currently available but sudosh is no longer being maintained and is expected to be deprecated in the future.
This is a technology preview and may break unexpectedly in the future
Traditionally, SIMP has used an internal “FakeCA” openssl-based CA. Over time, this has proven insufficient for our needs, particularly for capabilities in terms of Key Enrollment (SCEP and CMC), OCSP, and overall management of certificates.
Additionally, it was found that users wanted to adjust the certificate parameters for the Puppet subsystem itself outside of the defaults and/or use a “real”, and more scalable CA system for all certificate management.
The pupmod-simp-simp_pki_service module can be used to configure a Certificate Authority (CA) using the Dogtag server. This CA can be configured either for the puppet server CA, the site CA in lieu of FakeCA, or both.
See the README in the module for details on how to configure it.
The Dogtag server was chosen because it is part of the FreeIPA suite and therefore likely to have any issues fixed and be well supported.
2.6.9. Known Bugs¶
22.214.171.124. Upgrading from previous SIMP 6.X versions¶
There are known issues when upgrading from Puppet 4 to Puppet 5. Make sure you read the Upgrading SIMP before attempting an upgrade.
Tlog currently has a bug where session information may not be logged. The
immediate mitigation to this is the fact that pam_tty_audit is the primary
mode of auditing with
sudosh being in place for a better
overall tracking and behavior analysis experience.
Tlog has a second bug where the application fails if a user does not have a TTY.
This has been mitigated by the SIMP wrapper script simply bypassing
a TTY is not present.