2.3. SIMP Community Edition (CE) 6.3.2-0

Warning

Please see the SIMP Community Edition (CE) 6.2.0-0 Changelog for general information, upgrade guidance, and compatibility notes.

This is a bug fix release in the 6.3.X series of SIMP to address the following issues:

  • SIMP-5974: Ensure that the incron spawned puppet generate types would not overwhelm the puppet server due to an upstream bug in the incron package. This involved both pinning the incron version to a version that did not have bugs as well as reducing the footprint of the monitored files in the filesystem. See When Should I Run puppet generate types? for additional information.

    • The version of incron that shipped with SIMP 6.3.0 did not have issues, but the update in upstream EPEL did and affects all uses of incron, not just pupmod::master::generate_types. We strongly advise that you remove the 0.5.12-6 package from your upstream repositories and use the following Hiera configuration to ensure that your SIMP 6.3.0-0 installation does not upgrade.

      ---
      yum::config_options:
        exclude="incron"
      

      Warning

      If you previously disabled pupmod::master::generate_types then be advised that you will need to manually run puppet generate types on your environments if you upgrade the puppet or puppetserver packages or if you add a new environment to your system.

      See the When Should I Run puppet generate types? for additional information.

  • SIMP-5480: Fix a bug in the default sssd settings where the minimum allowed uid/gid is now 1 and the maximum allowed uid/gid is now 0 to align properly with the sssd functionality.
  • SIMP-5932: Allow users to specify a timeout for simp bootstrap to address slow systems.
  • SIMP-5975: Allow users to specify SSL settings for the puppet server.

2.3.1. Fixed Bugs

2.3.1.1. pupmod-simp-incron

  • Add Incron::Mask Data Type denoting valid incron masks
  • Added support for new options starting in 0.5.12
    • Automatically strip out options not supported by earlier versions for seamless backward compatibility
  • Add ability to set max_open_files ulimit
  • Pin incron to 0.5.10 via data in modules since 0.5.12 as currently published in EPEL can cause catastrophic system failure.

2.3.1.2. pupmod-simp-pupmod

  • Fixed issues where a large number of incron watches may overload the system.
    • The module is now extensively tested against large numbers of environments but will still cause load if a large number of environments are created at once.
  • Fixed a bug where some SSL settings could not be set in the puppetserver webserver components.
  • Added the following advanced usage parameters in case users need to set parameters that are not presently managed to work around future issues:
    • pupmod::master::server_webserver_options
    • pupmod::master::ca_webserver_options

2.3.1.3. pupmod-simp-simplib

  • Ensure that IPA fact does not hang indefinitely.
  • Added ‘defined type’ lookup capability, simplib::dlookup that provides a consistent method for rerieving defined type parameters from Hiera in an opt-in manner. (Required for fixing the stunnel bug).
  • Fixed YARD documentation issues

2.3.1.4. pupmod-simp-sssd

  • Set the min_id settings across the board to 1 to match the sssd defaults, since they really have nothing to do with the target system’s relationship with a centralized authentication service.
  • The original setting of the min_id or max_id settings to the login.defs defaults was a bug since, per the man page, this would preclude sssd from recognizing items outside of that range at all. The relevance of the local login.defs settings (system specific) and the sssd settings (global authentication source) are completely irrelevant to one another and should not have been bound together.
  • Updated the sssd::provider::ldap_access_order parameter to support the ppolicy related options that were added in sssd 1.14.0.
    • ppolicy
    • pwd_expire_policy_reject
    • pwd_expire_policy_warn
    • pwd_expire_policy_renew
  • Added pwd_expire_policy_reject to the sssd::provider::ldap::ldap_access_order default. This will deny a locked account even it access is being attempted via a SSH key.

2.3.1.5. pupmod-simp-stunnel

  • Add ability for users to override stunnel::connection and stunnel::instance options either globally or by specific indentified instances using the new simplib::dlookup function.
  • Fixed stunnel::connection and stunnel::instance bugs:
    • sni is not applicable on EL6
    • retry is ony applicable when exec is specified and needed to be translated from a booolean to yes/no
    • session is only applicable on EL6

2.3.1.6. rubygem_simp_cli

  • Added a simp bootstrap option to set the wait time for the puppetserver to start during the bootstrap process.
  • Adjusted the help message so that it fits within a 80-character console window.

2.3.2. Known Bugs

2.3.2.1. Upgrading from previous SIMP 6.X versions

There are known issues when upgrading from Puppet 4 to Puppet 5. Make sure you read the Upgrading SIMP before attempting an upgrade.

2.3.2.2. Tlog

Tlog currently has a bug where session information may not be logged. The immediate mitigation to this is the fact that pam_tty_audit is the primary mode of auditing with tlog and/or sudosh being in place for a better overall tracking and behavior analysis experience.

Tlog has a second bug where the application fails if a user does not have a TTY. This has been mitigated by the SIMP wrapper script simply bypassing tlog if a TTY is not present.