NEWS

release/004.059 (2016-03-17)

    [kerberos] Add the new non-production Windows Active Directory domain
    WINUAT.STANFORD.EDU to /etc/krb5.conf. No other change to
    /etc/krb5.conf, so this is a completely safe upgrade. (adamhl)

release/004.058 (2016-02-04)

    [dns] Remove Livermore-specific DNS (anycast works there now). (akkornel)

    [ssh] Allow multiple ports in sshd_config. (adamhl)

release/004.057 (2016-01-11)

    [puppetclient] Strip special treatment for Puppet 2.X hosts. (jlent)

    [pam] Stop overriding common PAM files with Debian jessie. (akkornel)

    [ssh] Misc. filter-syslog cleanups. (akkornel)

release/004.056 (2015-11-05)

    [sudo] Add an option to support sudo-with-Duo. (adamhl)

    [duo] New class to load Duo code and wallet object. (adamhl)

    [ssh] Add pam_duo option to enable Duo for ssh regular logins. (adamhl)

    [puppetclient] Add an option to override the certname in the [agent]
    section.

release/004.055 (2015-10-08)

    [dns] Rewrite base::dns::cache so that it uses dnsmasq on jessie
    systems. (adamhl)

release/004.054 (2015-09-14)

    [systemd] New class to allow systemd daemon reloads. (adamhl)

    [dns] Change Livermore detection to use the system's primary IP address
    instead of a manually-set parameter. (akkornel)

    [kerberos] Automatically determine if we are in Livermore; if we are, place
    the Livermore-based KDC at the top of the list. (akkornel)

    Clients who are using the base::kerberos::dr class should immediately switch
    to using base::kerberos.  base::kerberos::dr is deprecated.

    [kerberos] Add two parameters to the base::kerberos class. The first
    is used to force the kerberos client to prefer TCP over UDP. The
    second allows one to indicate which kerberos environment to use: prod,
    test, or uat. In both cases, the defaults are such that the krb5.conf
    will continue to have the same contents as before the addition of
    these parameters.

release/004.053 (2015-07-28)

    [rpm] Add a dag-EL7.repo file so that EL7 hosts can get a
    valid repo file based on the existing logic of the manifest. (jlent)

release/004.052 (2015-07-27b)

    [iptables] Add an "include base::iptables" to the base::iptables::rule
    define so it will run correctly by itself. (adamhl)

release/004.051 (2015-07-27)

    [os] Small fix in base::os::debian to one of the systemd-related
    syslog-filter regexes. (akkornel)

    [kerberos] Change the configuration for the WIN.SLAC.STANFORD.EDU domain,
    as per Kent Reuber (see INC000003427399). (akkornel)

    [rpm] Remove EL6 package requires of yum-plugin-downloadonly, since
    yum-3.2.29-69 includes this plugin and obsoletes the individual
    package (thus putting the puppet ensure in a loop). (jlent)

release/004.050 (2015-07-24)

    [rpm] Make available openafs-1.6.{7,8}-EL{5,6,7}.repo files
    pointing to yum.stanford.edu. Also edit rpm.pp to reflect that
    EL7 hosts should get 1.6.8 by default. (jlent)

release/004.049 (2015-07-22)

    [os] Small fix to the 'ping' capability adjustment: grep -v does not
    return 0 on success, so change "onlyif" to "unless". (adamhl)

    [os] Enable the jessie-backports Stanford debian repository sources
    file /etc/apt/sources.list.d/backports.list (now that jessie-backports
    is available). (adamhl)

release/004.048 (2015-06-24)

    [newsyslog] Change permissions of /var/log/btmp to '600' on RHEL
    systems so that sshd stops complaining. This is because RHEL builds
    of openssh are paranoid about the frequency with which passwords are
    mistakenly entered as usernames. If the utmp group is compromised,
    there could be enough context to get real account credentials. (jlent)

    [dns] Make dns_cache a class-level parameter, so that it can be set in
    Hiera (as base::dns::dns_cache). (akkornel)

    [dns] Add support for Livermore, via Hiera.  Set base::dns::livermore (in
    Hiera) to true, and Livermore DNS gets added to resolv.conf. (akkornel)

    [dns] Add support for disabling Puppet management of resolv.conf, for
    systems using DHCP. (akkornel)

    [remctl] Require the remctl-server package to be installed before installing
    the xinetd config. (akkornel)

release/004.047 (2015-06-17)

    [os] Adjust the capability on 'ping' to allow non-root users to use
    this utility on Jessie systems. (jlent)

release/004.046 (2015-06-12)

    [os] Start filtering systemd-related messages from syslog. (akkornel)

    [rpm] Re-enable the rhn plugin for bona fide RHEL hosts, since with
    the new licensing, updates will come from RHN classic. (jlent)

    [syslog] Have filter-syslog ignore some systemd log messages; fix an
    @-template deprecation warning. (adamhl)

release/004.045 (2015-06-02)

    [rpm] Remove the ensures that continue to push out the
    RHEL OS repositories previously hosted on yum, since we
    no longer have our RedHat licensing agreement. Any one-off
    hosts with new keys will need to point at a cloud-based
    instance anyway. (jlent)

    [os/centos] Change the group name for GID 37 back to
    rpm, as it is in RedHat proper. (jlent)

release/004.044 (2015-05-21)

    [vmguest] Add a parameter to allow the non-installation of the
    tripwire client. (adamhl)

    Add some @'s to some instance variables in a couple of template
    files. (adamhl)

release/004.043 (2015-05-15)

    [dns] Remove the legacy "C" DNS servers from resolv.conf.  Networking is
    shutting down these servers on November 1, and will start notifying admins
    in May.  (akkornel)

    [os] In wheezy, when CRON logs to syslog it appears as
    "/USR/BIN/CRON[12345]". With jessie, however, this has changed and the
    syslog entry now looks like "CRON[12345]". So, we add a new rule in the
    filter-syslog debian file to capture this new format. (adamhl)

    [syslog] jessie has changed how rsyslogd logs to syslog so we change
    filter-syslog a bit to handle this format change. (adamhl)

release/004.042 (2015-05-04)

    [ntp] Remove obsolete host references from ntp.conf.  Also,
    remove iptables rules allowing inbound ntp connections to
    servers. (whm)

    [iptables] Remove obsolete fragments for ldap and AFS file
    servers. (whm)

release/004.041 (2015-04-29)

    [portmap] Minor edit to insist that EL7 gets rpcbind, as does
    EL6, instead of portmap. (jlent)

    [os] Edit the conditional in sources.list.erb to allow Jessie hosts
    to get the expected Stanford-hosted Debian repositories. (jlent)

    [vmguest] VMware does not package vmware-tools-esx-nox for EL7. They
    instead recommend the use of open-vm-tools. Add a condition
    and refactor vmguest.pp appropriately. Also, change
    portmap.pp: EL7, like EL6, requires rpcbind and not portmap. (jlent)

release/004.040 (2015-04-21)

    Correct spelling mistake introduced in release/004.038. (whm)

release/004.039 (2015-04-21)

    Correct install of emacs on jessie systems. (whm)

release/004.038 (2015-04-20)

    Make sure that the rsyslog preferences file is installed only on
    wheezy systems.  (whm)

release/004.037 (2015-04-20)

    Remove lenny and older references from tftp_client, os::debian,
    postfix, syslog, and pam.  (whm)

release/004.036 (2015-04-14)

    [os][rpm] Support CentOS via its own class, stub an OEL
    class, small fixes to redhat.pp to be generic enough for use
    by these RHEL-ish operating systems, edits to allow EL7-specific
    repository inclusions (and exclusions). (jlent)

release/004.035 (2015-04-12)

    [ipmi] Re-enable ipmievd on jessie by setting the options
    correctly.  (whm)

release/004.034 (2015-04-08)

    [yumtools] Minor fix for RHEL5 and yum plugins. (jlent)

    [cron] Add parameter to base::cron to allow the anacron package to be
    installed (helpful for Ubuntu systems with the ubuntu-desktop
    package). (adamhl)

    [ipmi] Don't attempt to run ipmievd on jessie.  It doesn't appear
    to be available.  (whm)

release/004.033 (2015-03-13)

    Modify the base::ssh::config::sshd define to allow the
    specification of content or source.  This is required to support
    hosts with special ssh requirements, like systems that use Duo. (whm)

    Fix a missed hyphen in the reference to class fragment-template in
    defense.pp. (adamhl)

    [dns] Refactor dns into several files and fix a small
    typo. (adamhl)

release/004.032 (2015-03-06)

    Fix a few more deprecation warnings concerning instance variables
    (i.e., add '@'s in ERB files). (adamhl)

release/004.031 (2015-03-02)

    Beginning of work to support RHEL-ish operating systems
    such as CentOS and Oracle Linux. The most common change
    involves converting 'operatingsystem' variable/fact usage
    to 'osfamily'. These changes were made safely so as not to
    affect any existing hosts. There may be some
    additional refinements when CentOS and Oracle hosts come
    online; for now, we're assuming they act identically to RHEL.

    Additionally modified puppetclient.pp to support version
    locking of puppet and facter versions on RHEL systems.
    Added one additional manifest to facilitate this.
    (jlent)

release/004.030 (2015-02-25)

    Removed references to darrenp1 and rra in a filter-syslog file.
    (adamhl)

release/004.029 (2015-02-24d)

    [rpm][yumtools] Slight reorganization involving which
    manifest actually installs the yum versionlock package. (jlent)

release/004.028 (2015-02-24c)

    [puppetclient] Undo the basemodulepath configuration directive
    setting from release/004.027. The default basemodulepath is fine.
    (adamhl)

release/004.027 (2015-02-24b)

    [puppetclient] Set up basemodulepath configuration directive for
    puppetservice1-dev. (adamhl)

release/004.026 (2015-02-24a)

    [yumtools] Add a new group of yum-related
    commands that can be used to manage package
    pins, groups, yum plugins and gpg keys.
    (jlent)

release/004.025 (2015-02-23)

    [rpm] Regression of the ensure of the
    versionlock.list file. A blank version of this
    file is already installed with yum-*-versionlock,
    and since a single file is used for all current
    and future pinnings, one-off manual pins may
    get overwritten via delivery of a flat file. (jlent)

release/004.024 (2015-02-20)

    [rpm] Slight fix to release 023 in the rpm repo
    template file name. (jlent)

release/004.023 (2015-02-20)

    [rpm] Add ensures to pull in the Stanford PuppetLabs
    repo on all RHEL-ish hosts. Also ensure that packages
    yum-utils and yum-plugin-versionlock are installed to
    assist in yum configurations such as package locking.
    The 'versionlock' file is just stubbed for now, and will
    be expanded in the future. (jlent)

release/004.022 (2015-02-17)

    [syslog] Correct template names for the impstats fragments that
    support debugging rsyslog problems.  Update the documentation in
    base::syslog::fragment to make debugging a bit easier.

release/004.021 (2015-02-17)

    [puppetclient] Filter out "Retrieving pluginfacts" puppet-agent
    messages using filter-syslog. (adamhl)

release/004.020 (2015-02-10)

    Update references in motd and newsyslog to follow puppet3
    requirements.  (whm)

release/004.019 (2015-02-05)

    Remove obsolete iptables fragment files. (whm)

release/004.018 (2015-02-03)

    Change syslog tls support to follow host base naming conventions
    for wallet objects.  (whm)

release/004.017 (2015-01-30)

    [dns] More instance variable @ fixes for resolv.conf.erb. (adamhl)

release/004.016 (2015-01-23)

    Another fix for lsb package names on RHEL. (darrenp1)

release/004.015 (2015-01-16)

    Fix comments and class names to use underscores, not hyphens. (darrenp1)

release/004.014 (2015-01-16)

    [dns] Instance variable @ fixes for resolv.conf.erb. (adamhl)

release/004.013 (2015-01-08b)

    [postfix] Fix master.cf config file for CentOS; break class out of
    postfix.pp into postfix/server.pp. (adamhl)

release/004.012 (2015-01-08)

    Add 4 new rsyslog formats to the templates available:
    FromHostFileFormat, FromHostForwardFormat, FromIPFileFormat, and
    FromHostFileFormat.  (whm)

release/004.011 (2015-01-02)

    [iptables] Fix @'s in iptables template file rule.erb. (adamhl)

release/004.010 (2014-12-22)

    Fix @ in an iptables template file. (adamhl)

release/004.009 (2014-12-17)

    Fix for $::fqdn_lc across module. (darrenp1)

release/004.008 (2014-12-11)

    [os] Fix for RHEL lsb package names for different releases. (darrenp1)

release/004.007 (2014-12-05)

    Several changes to support CentOS. (adamhl)

    Fix another @ in a template file. (adamhl)

release/004.006 (2014-12-05)

    [puppetclient] Install ruby-json on wheezy systems (recently patched
    wheezy systems with Puppet 2.x require ruby-json to avoid
    annoying error messages). (adamhl)

release/004.005 (2014-11-21)

    [dns] Change the order of the nameservers and move the anycast
    servers to the top of the list.  (whm)

    [ssh] Allow PermitRootLogin to be set to "yes" (defaults to the usual
    setting of "without-password").

    [os] Replace some variables in template files with their "@" versions.
    (adamhl)

release/004.004 (2014-11-07)

    [syslog::tls] Restructure code to support Puppet 3's scoping
    rules.  The change required means that existing manifests that use
    the base::syslog::tls resource will need to add the
    base::syslog::tls_ca_cert resource.

    [cron] Replace "operatingsystem" with "@operatingsystem" in
    crontab.erb. (adamhl)

release/004.003 (2014-11-06)

    [puppetclient] Only put the database account credentials in
    /etc/puppet/puppet.conf for the (old) Puppet 2.x servers. (adamhl)

    [puppetclient] Update the check-puppet hourly cron job for
    Puppet 3. (adamhl)

    [puppetclient] Have filter-syslog ignore a new innocuous message from
    puppet-agent. (adamhl)

    [wallet] Change file permissions to a 4-digit string, refactor, and fix
    puppet-lint warnings for base::wallet.

    [os] Update sources files to support jessie. (whm)

release/004.002 (2014-10-20)

    [puppetclient] Break out some classes into their own files; redefine
    puppetclass::dev to point to the Puppet 3 development
    servers. (adamhl)

release/004.001 (2014-10-14)

    The Great Hyphen Hunt. Change hyphens in class names to underscores.
    (adamhl)

release/003.037 (unreleased)

    Switch os curl package to include packages::curl to avoid duplicate
    definition.  (darrenp1)

    [puppetclient] Add puppetservice* servers to the list of servers that can
    download Puppet DB credentials. Add a new ACL to auth.conf that was
    introduced in Puppet 3. (adamhl)

    [puppetclient] Add new class base::puppetclient::puppetlabs_repo that
    makes the Puppet Labs Debian repository available. (adamhl)

    [apt_key] Move apt_key from a local module into base. (adamhl)

release/003.036 (2014-09-10)

    Use jimhenson1 for the Puppetmaster in /etc/puppet/puppet.conf for the
    new Puppet servers puppetservice*. (adamhl)

release/003.035 (2014-09-10)

    Filter out some innocuous rsyslog messages from the syslog. (adamhl)

release/003.034 (2014-09-05)

    Use jimhenson1 for the Puppetmaster in /etc/puppet/puppet.conf for the
    new Puppet servers puppetdb* and puppetrepo*. (adamhl)

release/003.033 (2014-08-31)

    Add base::noipmi.  This allows "odd" machines to suppress loading ipmi
    support and running the exec that disables cipher zero.  (whm)

release/003.032 (2014-08-27)

    Remove yuelu from filter syslog exceptions.  (whm)

release/003.032 (2014-08-22)

    Update the backports preferences file to pull the perl remctl
    support from backports.  The newer module is required by the
    latest stanford-server package.  (whm)

release/003.031 (2014-07-04)

    Change the work directory used by rsyslog for disk queues to match
    the package default.  (whm)

    Change the queue.MaxFileSize to 100m to override the default of 1m
    in the default and ldap rsyslog fragments.  This will prevent the
    creation of many small files when the syslog server is
    unreachable.  (whm)

    Create /etc/facter/facts.d in puppetclient.  This is the default
    /etc directory for external facts on both Debian and RHEL.
    (jonrober)

release/003.030 (2014-07-07)

    Fix for IPMI on kernels >= 3.13.  (darrenp1)

    On each Puppet run on a system that enables Puppet, check if cipher
    zero is enabled and disable it if so.  (rra)

    Update ssh filter-syslog rules for current staff members.  (rra)

    Set the queue.TimeoutEnqueue parameter to zero for LDAP, TLS, and
    default rsyslog fragments.  Reformat the fragments for
    readability.  (whm)

release/003.029 (2014-06-17)

    Correct the path for the new RELP module fragment in
    base::syslog::tls_support. (whm)

release/003.028 (2014-06-17)

    Fix filter-syslog rules for rsyslog to ignore restart messages. (rra)

    Update ssh filter-syslog rules for current staff members and add
    another failed login pattern.  (rra)

    Add the squeeze-lts distribution to sources.list for squeeze systems.
    This is the long-term support archive, which provides extended
    security support.  (rra)

    Adjust highWater marking settings for remote rsyslog queues based
    on suggestions from rsyslog start messages. (whm)

    Add base::syslog::tls to support TLS/RELP connections between
    an rsyslog client and an rsyslog server. (whm)

release/003.027 (2014-05-23)

    Update the v5 rsyslog default to remove deprecation warnings on
    v7 systems.  (whm)

release/003.026 (2014-05-19)

    Change the default rsyslog configuration to assume v7 syntax.
    (whm)

    Update comments in remctl and ssh modules.  (rra)

release/003.025 (2014-05-12)

    Change the default transport for rsyslog v5 remote syslog message
    delivery to UDP.  This will result in message loss when the remote
    syslog server is unavailable, but it avoids the complexities of
    the v5 queue configuration.  (whm)

release/003.024 (2014-05-08)

    Back out one of the boolean changes because the original test
    never was for a boolean.  (whm)

release/003.023 (2014-05-07)

    Change handling of use_ parameters in rsyslog.pp to handle the
    cases where booleans must be tested as strings.  (whm from Darren)

release/003.022 (2014-05-05)

    Removed smtp-bypass iptables fragments. Move them to the s_emailrouter
    class. (sfeng)

    Change the handling of the use_syslog_conf variable in the
    rsyslog.conf.erb template to allow the variable to be either a
    string or a boolean.  This works around a problem with puppet's
    handling of booleans in some situations.  (whm)

    Clean up puppet client ERB file to better handle servers like
    frankoz2-new. (adamhl)

    Ignore another new variation on ssh logs from wheezy.  (rra)

    Add dependencies in base::postfix::recipient on the postfix package so
    that the required directory structure will exist.  (rra)

    Remove base::kerberos filter-syslog rules.  These only had rules for
    ksu, which we no longer use, so they're now pointless.  (rra)

    Coding style cleanup for base::syslog::fragment, using the newer
    method for handling defines that should take both source and content.
    (rra)

    Add web-aws rule to block non-root users from accessing the metadata URL.
    (sfeng)

    Default to the backports version of facter on wheezy systems to pick
    up the fix for detecting Xen VMs.  (rra)

    Modify the default rsyslog configuration for V7 servers.  The new
    configuration creates separate queues for writing to the local
    disk and sending to the remote syslog server.  This prevents
    messages from being lost when the central server is down and
    allows writing to local disk to continue.  (whm)

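The separate-queue layout this entry describes, combined with the queue.MaxFileSize and queue.TimeoutEnqueue settings from releases 003.031 and 003.030 above, as an added rsyslog v7 fragment that is not one of the base module's own rsyslog.d templates. The queue file name, size and watermark values are assumptions; logsink.stanford.edu is the central service named in release/003.018.

```conf
# Added example of an rsyslog v7 (RainerScript) fragment; not a fragment
# shipped by the base module. Assumes rsyslog 7.x and the package-default
# work directory for disk-assisted queue files.
$WorkDirectory /var/spool/rsyslog

# Local file output keeps rsyslog's default direct queue: it runs in the
# main queue worker and never waits on the network.
*.* action(type="omfile" file="/var/log/messages")

# Forwarding gets its own disk-assisted queue. When the central server is
# down this queue fills and spills to disk instead of stalling the main
# queue (and the local write above). Names and sizes are assumed values.
*.* action(type="omfwd" target="logsink.stanford.edu" port="514" protocol="tcp"
           queue.type="LinkedList"
           queue.filename="fwd_logsink"
           queue.size="10000"
           queue.highwatermark="8000"
           queue.lowwatermark="2000"
           queue.maxfilesize="100m"
           queue.maxdiskspace="1g"
           queue.saveonshutdown="on"
           queue.timeoutenqueue="0"
           action.resumeRetryCount="-1")

# queue.maxfilesize="100m" overrides the 1m default so an outage produces a
# few large spool files rather than many small ones (release/003.031).
# queue.timeoutenqueue="0" makes a full queue discard new messages at once
# instead of blocking the submitter for the default 2000 ms (release/003.030):
# local logging never stalls, at the cost of loss during a very long outage.
# action.resumeRetryCount="-1" retries the connection indefinitely.
```

Check the result with `rsyslogd -N1` before restarting the daemon; a typo in a parameter name is reported there rather than silently ignored at runtime.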
release/003.021 (2014-03-11)

    Fix cron issues on RHEL. (darrenp1)

release/003.020 (2014-03-05)

    Remove class that used lsdb-dev for dev Puppet CA (should have been
    removed a long time ago). (adamhl)

release/003.019 (2014-02-27)

    Fix typo in resolv.conf.erb. This change only affects some
    DNS servers. (myl)

release/003.018 (2014-02-24)

    Set the default behavior for rsyslog to forward /etc/messages to
    the central syslog service, i.e. logsink.stanford.edu.  (whm)

release/003.017 (2014-02-24)

    Correct rsyslog v7 template.  The template fix removes an
    extra space that was causing problems for filter-syslog parsing.
    This change also reverts the default behavior of forwarding
    syslog to the logsink servers. (whm)

release/003.016 (2014-02-19)

    Add a new xinetd configuration file: stunnel. (adamhl)

release/003.015 (2014-02-17)

    Change the default rsyslog configuration to forward syslog
    messages to the central syslog server in addition to writing
    them locally.  Change the date format for syslog to RFC 3399
    format.

release/003.014 (2014-02-12)

    Correct double variable reference in base::dns::dr-cache.  (whm)

release/003.013 (2014-02-12)

    Fix cut and paste error in defining base::dns::dr-cache.  (whm)

release/003.012 (2014-02-12)

    Fix doubly defined class and add missing in the dns support
    used by Livermore servers.  (whm)

release/003.011 (2014-02-12)

    Fix syntax error in specification of preferences file for rsyslog.
    (whm)

release/003.010 (2014-02-11)

    Add an apt preferences file to use the rsyslog version from
    backports.  Remove preferences installation from the syslog
    module.  (whm)

release/003.009 (2014-02-10)

    Add code to generate a different resolv.conf for DNS servers. (meeilee)

release/003.008 (2014-02-05)

    Update comment documentation in base::pam::workgroup.  Remove
    unused parameter and variables.  (whm)

    Correct variable used to identify the syslog server to send
    output to in base::syslog::fragment.  (whm)

    Re-enable usage of DNS server at Livermore. (whm)

release/003.007 (2014-02-04)

    Disable usage of DNS server at Livermore until the server is
    rebuilt.  (whm)

release/003.006 (2014-01-21)

    Correct template for rsyslog forwarding using v7 syntax.  (whm)

release/003.005 (2014-01-20)

    Lowercase the hostname when forming a Kerberos principal in the
    out-of-date cron job.  Some Networking systems use .Stanford.EDU in
    the official hostname.  (rra)

    Ignore more buggy power limit notifications from new Dell hardware.
    Several cases were missed in the previous change.  (rra)

    Fix for Ubuntu portmap / rpcbind service name.  (darrenp1)

    Update ntp.conf with IPv6 options.  (darrenp1)

    Update syslog support to allow transition to new configuration policy
    of putting all templates and output specifications in the rsyslog.d
    fragments directory.  (whm)

    Globally disable monlist in all the ntp.conf variations to protect
    against use of monlist to launch UDP-based DoS attacks.  This was
    probably already prevented by firewall rules, but may as well make
    sure.  (rra)

release/003.004 (2013-12-03)

    Recognize Amazon EC2 instances as virtual for the purposes of not
    installing the IPMI kernel module.  (sfeng)

release/003.003 (2013-12-02)

    Remove the temp work file in the dell-warranty-facts cronjob.
    (mgoll)

    Ignore buggy CPU core power limit notifications from new Dell
    hardware in default Debian filter-syslog rules.  (rra)

release/003.002 (2013-11-24)

    Make it simpler to override the default rsyslog behaviour.  Change
    the name of the default rsyslog fragment.  Add a default fragment for
    remote logging.  Correct path references to common syslog fragment
    templates.  (whm)

release/003.001 (2013-11-20)

    Correct syntax error in rsyslog.pp.  (whm)

release/003.000 (2013-11-19)

    Updates to base::syslog. Retire /etc/syslog.conf.  Modify
    /etc/rsyslog.conf so that it contains no input/output specifications.
    Create a fragments define to manage files in /etc/rsyslog.d.  Define
    one default fragment that replicates current behavior if no additional
    fragments are added.  (whm)

release/002.003 (2013-11-19)
727

728
729
    Fixes for Ubuntu: precise/raring vmguest open-vm-dkms, and os::ubuntu
    doesn't ensure logrotate cron removed (that is done in newsyslog).
Darren Patterson's avatar
Darren Patterson committed
730

731
732
733
734
735
736
    Just disable logrotate for all hosts including base::newsyslog instead
    of trying to remove it on Debian, Ubuntu, and Red Hat 4.  We keep
    running into other packages that depend on it, which makes removing it
    unnecessarily complex.  This means the base::logrotate::disabled class
    is now obsolete and has been removed.  Users of that class can just
    remove the include of that class.
737
738
739
740

    Map Ubuntu raring to wheezy instead of squeeze for the Stanford-local
    Debian repositories.

741
742
743
744
    In postfix-policyd, disable WHITELISTING for zimbra so ratelimit can
    be applied to zimbra servers.  This is required after we enforce
    ratelimit for smtp servers.

Russ Allbery's avatar
Russ Allbery committed
745
746
747
    Install a separate newsyslog configuration file for btmp so that its
    permissions can be set to 0660 while setting wtmp's to 0664.

748
749
    Remove obsolete blacklist-acct-accounts iptables template.

750
751
    Add validation check in newsyslog config.

Victor Chavez's avatar
Victor Chavez committed
752
release/002.002 (2013-09-10)
753
754
755
756

    Add support for a listen_addresses parameter to ssh::config::sshd that
    restricts sshd to listen to particular hosts.

Victor Chavez's avatar
Victor Chavez committed
757
758
759
    Add fix for Ubuntu (and others) in base::vmguest to install the right
    open-vm-tools package.

760
release/002.001 (2013-08-08)
761
762

    Add additional ignore patterns for failed ssh logins from IT Services
    staff, and ignore new ssh failure patterns seen in Debian wheezy.

    Use OpenAFS 1.6.5 in RHEL5 and RHEL6 yum repository configuration.

release/002.000 (2013-07-15)

    The deprecated classes base::newsyslog::messages::sa and
    base::newsyslog::messages::sa::override have been deleted.  Global
    overrides for the default base::newsyslog behavior should be put into
    the local defaults module instead.

    base::cron::filter-user-noise has been deleted.  This was specific to
    Research Computing systems and should be handled in that local
    repository.

    base::ssh::rc has been deleted.  This isn't part of any base::ssh
    inheritance tree and can live only in the Research Computing Puppet
    Git repository.

    The acceptable runtime for tmpreaper (used by base::tmpclean on Debian
    and Ubuntu) has been extended to 20 minutes globally, and the
    base::tmpclean::longer class, which existed only to do that, has been
    removed as unnecessary.  The longer runtime limit should not pose a
    problem on any system.

    The static crontab files installed by base::cron have been replaced
    with a template to handle differences between Red Hat and Debian.  The
    periodic cron jobs no longer even attempt to use anacron, avoiding any
    problems with unpredictable cron run times if anacron is installed on
    the system.

    Move campus anycast DNS servers to the bottom of the DNS server list
    for now.  These are not yet considered production DNS servers.

    Remove Kerberos filter-syslog rules for eklogind and kshd.

    base::daemontools::supervise now uses current coding standards and no
    longer special-cases various default options to some of its
    parameters.

    base::remctl no longer installs remctl-client.  This is going to be
    handled by the stanford-server-packages metapackage, and is
    independent of what's set up by this module.

release/001.002 (2013-07-10)

    newsyslog::config now supports a new analyze_logs parameter, which
    specifies the list of logs to run through the analyze action (when
    different than the list in logs).  analyze_logs defaults to logs if
    not given.

    Restructure the newsyslog::config template so that both the template
    and its output are somewhat more readable.

    newsyslog no longer sets up a weekly command to tar up
    /root/.history-save and removes /etc/newsyslog.weekly/audit if it
    exists.  We're no longer using per-user history files and we're
    letting bash handle managing the length of the history file.

    newsyslog now creates btmp and wtmp writable by group utmp, matching
    the operating system defaults.

    newsyslog no longer attempts to clean up sysklogd cron jobs or remove
    the old /etc/newsyslog.daily/syslog file installed by ancient versions
    of stanford-server.

    Append to the temporary file used for Dell warranty facts instead of
    deleting it and recreating it (which defeats some of the point of
    using mktemp).

    The default out-of-date cron job always uses the host/* principal of
    the local host for authentication instead of the first principal in
    /etc/krb5.keytab, which may be for some other principal or a host/*
    principal for an old hostname.

    Remove out-of-date::server.  This is only used on a single host, so
    all of the files and Puppet manifest have been moved to the Puppet
    model for that server.

    Change Puppet master server for frankoz servers to jimhenson1 since
    jimhenson4 is down with hardware trouble.

    Change the base::dns* classes to use a template to generate the
    resolv.conf file for a system and add the DNS anycast servers into
    the configuration.

release/001.001 (2013-06-25)

    Drop installation of stanford-klogin from base::os::debian.  We've
    switched completely to Kerberized ssh and no longer install Kerberos
    rlogin or rsh, so no need for the clients.

release/001.000 (2013-06-22)

    Enable the security and updates repositories for wheezy now that
    wheezy has been released.

    For Red Hat systems, switch to using the VMware tools packages and
    install the necessary yum configuration.

    Add filter-syslog rules for new remctl error messages and another sshd
    error message from terminated network connections.

    Add base::portmap.