NEWS

release/005.002 (2016-12-13)

    [ssh] Change the class "ssh::pam" to "base::ssh::pam".  This should
    only affect people who are setting ssh::pam variables via Hiera, or
    via class parameters.  Clients setting base::ssh variables in any
    way are not affected. [akkornel]

    [ssh] Add support for the pam_slurm module.  This is for clients using
    the SLURM job scheduler, and who want to prevent users from logging in
    without an allocation.  This is disabled by default.  Also add the
    pam_slurm_bypass parameter, which is a file containing a list of users
    (one per line) who should not be blocked by pam_slurm. [aseishas]

    [syslog] On Ubuntu, have files and directories be owned by the
    "syslog" user and the "adm" group.

    [wallet] When running inside a Packer build, do not attempt to retrieve
    things from wallet. [akkornel]

    [os::debian] More @ symbols into ERB templates. [akkornel]

release/005.001 (2016-12-11)

    Add "path" attributes to several exec resources. This will be required
    in the next version of Puppet. [adamhl]

    [puppetclient] Replace "local" variables in ERB templates with what is
    really intended: instance variables defined in the calling manifest
    (or defined as a Puppet fact). While currently not strictly necessary,
    in a future version Puppet will stop interpreting ERB local variables
    as instance variables, so we might as well fix them now. Furthermore,
    when using "puppet apply" incorrect use of variables in templates
    generates ugly red warnings, so fixing these now makes "puppet apply"
    happier. [adamhl]

    [puppetclient] Remove some conditional code that made sense when we
    used very old versions of Puppet. [adamhl]

    [ssh, syslog, xinetd] More instance variable cleanup. [adamhl]

    [ipmi] When comparing lsbmajdistrelease to a Debian version, convert
    lsbmajdistrelease to an integer first (otherwise, Ruby raises an
    error). [adamhl]

    [os/debian] Add parameter to allow the option of *not* including the
    debian-stanford backports repository in the apt sources. [adamhl]

release/005.000 (2016-11-21)

    This release has a number of breaking changes.

    [duo] base::duo has been completely reworked into a type plus a common
    class.  Clients which use Duo for their own purposes should create an
    instance of base::duo::config, which will create a Duo PAM config file for
    them to use.  See README.duo for more information.

    [ipmi] A complete rework of base::ipmi.  The base::noipmi class no
    longer exists.  Instead, IPMI support should be disabled by setting
    base::ipmi::ensure to "absent".  IPMI kernel modules, and ipmievd, should
    still be automatically disabled on virtual systems, even when
    "ensure => present"; in those cases, the IPMI client tools will still be
    installed.  Code has been updated for Debian 8 and Ubuntu 16.04.

    [os/debian] All aptitude operations are now performed in a new phase,
    called "aptitude".  The "aptitude" phase is configured to run before
    "main".

    Clients which rely on aptitude being up-to-date must no longer
    "require => Exec['aptitude update']".  The nature of Puppet phases will
    ensure that aptitude is already updated.

    Clients installing their own custom sources are advised to move all of that
    into separate classes, and to put those classes into a new phase of their
    own.  This new phase should "require => Phase['aptitude']" and
    "before => Phase['main']", to ensure proper execution sequencing.

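    The phase ordering described in the entry above, as an added Puppet
    example (not code from the base module).  It assumes Phase['aptitude']
    and Phase['main'] are the resources the entry names, that a site can
    declare a phase of its own with the same resource type, and that
    site::extra_sources is a hypothetical client class; the repository URL
    is a placeholder.

```puppet
# Added example; not code from the base module.

# Old pattern, no longer valid after release/005.000: depending directly
# on the module's aptitude exec.
#
#   package { 'site-tool':
#     ensure  => installed,
#     require => Exec['aptitude update'],   # drop this line
#   }
#
# The "aptitude" phase now runs before "main", so a package declared in the
# default (main) phase already sees an updated cache without the require:
package { 'site-tool':
  ensure => installed,
}

# Custom apt sources go into a phase of their own, ordered after the
# module's aptitude phase and before main.  'site_sources' is a
# constructed name; the resource type is assumed to match Phase[...] above.
phase { 'site_sources':
  require => Phase['aptitude'],
  before  => Phase['main'],
}

# Hypothetical client class that installs one extra apt source.  Attach it
# to Phase['site_sources'] with whatever mechanism the module's phase
# implementation provides; that mechanism is not described in these notes.
class site::extra_sources {
  file { '/etc/apt/sources.list.d/site.list':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    # placeholder repository; use the site's real signed source here
    content => "deb https://apt.example.org/debian jessie main\n",
  }
}
```

    The point of the split is that the source file lands before the
    aptitude phase refreshes the cache and the package resource in main
    runs, so no resource in main needs an explicit edge to the update exec.
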
    [os/debian] Add two Hiera-configurable parameters to base::os::debian::apt:

    * apt_cache_notin_tmp.  If true, use a different directory to store package
    scripts that need to be run during package install/upgrade.

    * apt_cache_tmp_dir.  When apt_cache_notin_tmp is true, this is the
    directory to use for package scripts.

    [os/debian] Install the stanford-server package (this might trigger a
    duplicate resource error if currently installed by other classes).

    [postfix/sender] A new type: base::postfix::sender.  This is similar to
    base::postfix::recipient, except it is used to rewrite sender addresses
    instead of recipient addresses.

    It is suggested that clients use base::postfix::sender to ensure that
    emails sent 'from' "root@stanford.edu" or "root@hostname.stanford.edu" are
    instead being sent 'from' either "noreply@stanford.edu" or
    "shared-mailbox@stanford.edu".

    [ssh] A fairly large rework of SSH code.  Support has been added for
    treating "alternate accounts" (.root, .admin, root., and admin.) the same
    as root.  Code has also been updated to account for changes to base::duo.
    Support has also been added to completely disable password authentication.
    Support for Ed25519 keys is also included (though disabled by default).
    Finally, pam_afs is now configurable: It can be disabled on systems that do
    not use AFS.

    See README.ssh for more information on how to use the code.

    [sudo] Complete rework of base::sudo, including configurable support for
    Duo.  Anyone in the "sudo" or "wheel" group gets sudo access.  If Duo is
    enabled, anyone on a specified list is able to sudo without a password, but
    with a two-step run.  Fail-secure is supported, as is using the GECOS field
    to specify the username that Puppet should actually use.

    See README.sudo for more information on how to use the code.

    [syslog] Some fixes for Ubuntu.

    [os/debian] Fix the $PATH used by aptitude.

    [puppetclient] Fix a filter-syslog regex error.

release/004.063 (2016-10-17)

    [ipmi] Update EL package requires: like EL6, EL7 only has OpenIPMI
    available, and not OpenIPMI-tools. (jlent)  Fix ipmievd configuration
    for Ubuntu. (akkornel)

    [os] Update the Ubuntu-to-Debian mapping. (akkornel)  Enable the
    debian-stanford backports for Ubuntu distros based on Wheezy and Jessie.
    (akkornel)  Also add additional Ubuntu-specific backports. (akkornel)
    Also remove daemontools as a default install on systemd Ubuntu. (akkornel)

    [ntp] Add the SRCF time server, make sure NTP is installed, and disable
    systemd-timesyncd on RHEL 8.

    [xinetd] Make sure inetd is removed before xinetd is installed. (akkornel)

    [wallet] Make sure the base::wallet::client class is included when
    required. (akkornel)

release/004.062 (2016-06-03)

    [os] Fix references applicable to Oracle Linux
    [cron] Address cron-related package not available on Oracle Linux
    [puppetclient] Address lack of versionlock on Oracle Linux (jlent)

release/004.061 (2016-04-21)

    [os] Add some parameters to the base::os::debian class to make apt use
    a directory other than /tmp for its cache.

    Reason: The apt utility when installing or uninstalling a package puts
    its temporary files, including scripts it needs to execute, in
    /tmp. If the /tmp partition is set to noexec (as recommended by
    security advisors), then one cannot run any executable out of the /tmp
    directory. The result is that the package install will not finish
    properly. The new parameters in the base::os::debian class tell apt to
    use /var/cache/apt/tmp as its temporary cache directory getting around
    the /tmp noexec problem.

    Note that the default is to continue using /tmp as apt's cache
    directory, so upgrading to this version is safe. (adamhl)
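    The weak and corrected settings from this entry and from the
    release/005.000 apt parameters, as an added Puppet example (not code
    from the base module).  The class name base::os::debian::apt and the
    parameters apt_cache_notin_tmp and apt_cache_tmp_dir are the ones these
    notes name; the mount resource is standard Puppet and the device
    is a placeholder for whatever backs /tmp on the host.

```puppet
# Added example; not code from the base module.

# A /tmp mounted noexec is the hardening that breaks apt's default
# behaviour of unpacking and executing package scripts out of /tmp.
mount { '/tmp':
  ensure  => mounted,
  device  => 'tmpfs',          # placeholder; match the host's fstab
  fstype  => 'tmpfs',
  options => 'defaults,nodev,nosuid,noexec',
}

# Weak combination: noexec /tmp with apt left at its default cache
# location.  Any package whose install scripts run from /tmp fails to
# configure, and the run ends with a half-installed package.
#
#   class { 'base::os::debian::apt':
#     apt_cache_notin_tmp => false,   # the module default
#   }

# Corrected: move apt's temporary directory off /tmp so the noexec mount
# can stay.  /var/cache/apt/tmp is the directory the 004.061 entry names.
class { 'base::os::debian::apt':
  apt_cache_notin_tmp => true,
  apt_cache_tmp_dir   => '/var/cache/apt/tmp',
}
```

    The two resources are independent in Puppet's graph, so the order in
    which they converge does not matter; what matters is that both are
    present on every host where /tmp carries noexec.
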

release/004.060 (2016-04-04)

    [kerberos] Add the mapping wst-web1-uat.stanford.edu -->
    WINUAT.STANFORD.EDU in /etc/krb5.conf. (adamhl)

release/004.059 (2016-03-17)

    [kerberos] Add the new non-production Windows Active Directory domain
    WINUAT.STANFORD.EDU to /etc/krb5.conf. No other change to
    /etc/krb5.conf, so this is a completely safe upgrade. (adamhl)

release/004.058 (2016-02-04)

    [dns] Remove Livermore-specific DNS (anycast works there now). (akkornel)
    [ssh] Allow multiple ports in sshd_config. (adamhl)

release/004.057 (2016-01-11)

    [puppetclient] strip special treatment for Puppet 2.X hosts (jlent)
    [pam] Stop overriding common PAM files with Debian jessie. (akkornel)
    [ssh] Misc. filter-syslog cleanups. (akkornel)

release/004.056 (2015-11-05)

    [sudo] Add an option to support sudo-with-Duo. (adamhl)
    [duo] New class to load Duo code and wallet object. (adamhl)
    [ssh] Add pam_duo option to enable Duo for ssh regular logins (adamhl)

    [puppetclient] Add an option to override the certname in the [agent]
    section.

release/004.055 (2015-10-08)

    [dns] Rewrite base::dns::cache so that it uses dnsmasq on jessie
    systems. (adamhl)

release/004.054 (2015-09-14)

    [systemd] New class to allow systemd daemon reloads. (adamhl)

    [dns] Changes Livermore detection to use the system's primary IP address,
    instead of using a manually-set parameter. (akkornel)

    [kerberos] Automatically determine if we are in Livermore; if we are, place
    the Livermore-based KDC at the top of the list. (akkornel)

    Clients who are using the base::kerberos::dr class should immediately switch
    to using base::kerberos.  base::kerberos::dr is deprecated.

    [kerberos] Add two parameters to the base::kerberos class. The first
    is used to force the kerberos client to prefer TCP over UDP. The
    second allows one to indicate which kerberos environment to use: prod,
    test, or uat. In both cases, the defaults are such that the krb5.conf
    will continue to have the same contents as before the addition of
    these parameters.

release/004.053 (2015-07-28)

    [rpm] Adding a dag-EL7.repo file so that EL7 hosts can get a
    valid repo file based on the existing logic of the manifest (jlent)

release/004.052 (2015-07-27b)

    [iptables] Add an "include base::iptables" to base::iptables::rule
    define so it will run correctly by itself. (adamhl)

release/004.051 (2015-07-27)

    [os] Small fix in base::os::debian to one of the systemd-related
    syslog-filter regexes (akkornel)

    [kerberos] Change the configuration for the WIN.SLAC.STANFORD.EDU domain,
    as per Kent Reuber (see INC000003427399) (akkornel)

    [rpm] Remove EL6 package requires of yum-plugin-downloadonly, since
    yum-3.2.29-69 includes this plugin and obsoletes the individual
    package (thus putting the puppet ensure in a loop) (jlent)

release/004.050 (2015-07-24)

    [rpm] Making available openafs-1.6.{7,8}-EL{5,6,7}.repo files
    pointing to yum.stanford.edu. Also edited rpm.pp to reflect that
    EL7 hosts should get 1.6.8 by default (jlent)

release/004.049 (2015-07-22)

    [os] Small fix to the 'ping' capability adjustment: grep -v does not
    return 0 on success, so changed "onlyif" to "unless" (adamhl)

    [os] Enable the jessie-backports Stanford debian repository sources
    file /etc/apt/sources.list.d/backports.list (now that jessie-backports
    is available) (adamhl)

release/004.048 (2015-06-24)

    [newsyslog] Change permissions of /var/log/btmp to '600' in RHEL
    systems so that sshd stops complaining. This is because RHEL builds
    of openssh are paranoid about the frequency that passwords are
    mistakenly entered as usernames. If the utmp group is compromised,
    there could be enough context to get real account credentials (jlent)

    [dns] Make dns_cache a class-level parameter, so that it can be set in
    Hiera (as base::dns::dns_cache) (akkornel)

    [dns] Add support for Livermore, via Hiera.  Set base::dns::livermore (in
    Hiera) to true, and Livermore DNS gets added to resolv.conf (akkornel)

    [dns] Add support for disabling Puppet management of resolv.conf, for
    systems using DHCP (akkornel)

    [remctl] Require remctl-server package be installed before installing
    xinetd config (akkornel)

release/004.047 (2015-06-17)

    [os] Adjust capability on 'ping' to allow non-root users to use
    this utility on Jessie systems (jlent)

release/004.046 (2015-06-12)

    [os] Start filtering systemd-related messages from syslog (akkornel)

    [rpm] re-enable the rhn plugin for bonafide RHEL hosts, since with
    the new licensing, updates will come from RHN classic (jlent)

    [syslog] Have filter-syslog ignore some systemd log messages; fix an
    @-template deprecation warning (adamhl)

release/004.045 (2015-06-02)

    [rpm] Removing the ensures that continue to push out the
    RHEL OS repositories previously hosted on yum, since we
    no longer have our RedHat licensing agreement. Any one-off
    hosts with new keys will need to point at a cloud-based
    instance anyway (jlent)

    [os/centos] Changing the group name for GID 37 back to
    rpm, as it is in RedHat proper (jlent)

release/004.044 (2015-05-21)

    [vmguest] Add a parameter to allow the non-installation of the
    tripwire client. (adamhl)

    Add some @'s to some instance variables in a couple of template
    files. (adamhl)

release/004.043 (2015-05-15)

    [dns] Remove the legacy "C" DNS servers from resolv.conf.  Networking is
    shutting down these servers on November 1, and will start notifying admins
    in May.  (akkornel)

    [os] In wheezy, when CRON logs to syslog it appears as
    "/USR/BIN/CRON[12345]". With jessie, however, this has changed and the
    syslog entry now looks like "CRON[12345]". So, we add a new rule in the
    filter-syslog debian file to capture this new format. (adamhl)

    [syslog] jessie has changed how rsyslogd logs to syslog so we change
    filter-syslog a bit to handle this format change. (adamhl)

release/004.042 (2015-05-04)

    [ntp] Remove obsolete host references from ntp.conf.  Also,
    remove iptables rules allowing inbound ntp connections to
    servers. (whm)

    [iptables] Remove obsolete fragments for ldap and AFS file
    servers. (whm)

release/004.041 (2015-04-29)

    [portmap] Minor edit to insist that EL7 gets rpcbind, as does
    EL6, instead of portmap (jlent)

    [os] Edited conditional in sources.list.erb to allow Jessie hosts
    to get the expected Stanford-hosted Debian repositories (jlent)

    [vmguest] VMWare does not package vmware-tools-esx-nox for EL7. They
    instead recommend the use of open-vm-tools. Added a condition
    and refactored vmguest.pp appropriately. Also, change to
    portmap.pp. EL7, like EL6, requires rpcbind and not portmap (jlent)

release/004.040 (2015-04-21)

    Correct spelling mistake introduced in release/004.038. (whm)

release/004.039 (2015-04-21)

    Correct install of emacs on jessie systems. (whm)

release/004.038 (2015-04-20)

    Make sure that the rsyslog preferences file is installed only on
    wheezy systems.  (whm)

release/004.037 (2015-04-20)

    Remove lenny and older references from tftp_client, os::debian,
    postfix, syslog, and pam.  (whm)

release/004.036 (2015-04-14)

    [os][rpm] Support CentOS via its own class, stub an OEL
    class, small fixes to redhat.pp to be generic enough for use
    by these RHEL-ish operating systems, edits to allow EL7-
    specific repository inclusions {and exclusions} (jlent)

release/004.035 (2015-04-12)

    [ipmi] Re-enable ipmievd on jessie by setting the options
    correctly.  (whm)

release/004.034 (2015-04-08)

    [yumtools] Minor fix for RHEL5 and yum plugins. (jlent)

    [cron] Add parameter to base::cron to allow anacron package to be
    installed (helpful for Ubuntu systems with ubuntu-desktop
    package). (adamhl)

    [ipmi] Don't attempt to run ipmievd on jessie.  It doesn't appear
    to be available.  (whm)

release/004.033 (2015-03-13)

    Modify the base::ssh::config::sshd define to allow the
    specification of content or source.  This is required to support
    hosts with special ssh requirements like systems that use duo. (whm)

    Fix a missed hyphen in reference to class fragment-template in
    defense.pp. (adamhl)

    [dns] Refactor dns into several files and fix a small
    typo. (adamhl)

release/004.032 (2015-03-06)

    Fix a few more deprecation warnings concerning instance variables
    (i.e., add '@'s in ERB files) (adamhl)

release/004.031 (2015-03-02)

    Beginning of work to support RHEL-ish operating systems
    such as CentOS and Oracle Linux. The most common change
    involves converting 'operatingsystem' variable/fact usage
    to 'osfamily'. These changes were made safely so as not to
    potentially affect any existing hosts. There may be some
    additional refinements when CentOS and Oracle hosts come
    online; for now, we're assuming they act identically to RHEL.

    Additionally modified puppetclient.pp to support version
    locking of puppet and facter versions on RHEL systems.
    Added one additional manifest to facilitate this.
    (jlent)

release/004.030 (2015-02-25)

    Removed references to darrenp1 and rra in a filter-syslog file
    (adamhl)

release/004.029 (2015-02-24d)

    [rpm][yumtools] - slight reorganization involving which
    manifest actually installs the yum versionlock package (jlent)

release/004.028 (2015-02-24c)

    [puppetclient] Undo the basemodulepath configuration directive
    setting from release/004.027. The default basemodulepath is fine.
    (adamhl)

release/004.027 (2015-02-24b)

    [puppetclient] Set up basemodulepath configuration directive for
    puppetservice1-dev (adamhl)

release/004.026 (2015-02-24a)

    [yumtools] added new group of yum-related
    commands that can be used to manage package
    pins, groups, yum plugins and gpg keys
    (jlent)

release/004.025 (2015-02-23)
    [rpm] regression of the ensure of the
    versionlock.list file. A blank version of this
    file is already installed with yum-*-versionlock,
    and since a single file is used for all current
    and future pinnings, one-off manual pins may
    get overwritten via delivery of a flat file (jlent)

release/004.024 (2015-02-20)

    [rpm] slight fix to release 023 in the rpm repo
    template file name (jlent)

release/004.023 (2015-02-20)

    [rpm] Added ensures to pull in the Stanford PuppetLabs
    repo on all RHEL-ish hosts. Also ensure that packages
    yum-utils and yum-plugin-versionlock are installed to
    assist in yum configurations such as package locking.
    'versionlock' file is just stubbed for now, and will
    be expanded in the future (jlent)

release/004.022 (2015-02-17)

    [syslog] Correct template names for the impstats fragments that
    support debugging rsyslog problems.  Update the documentation in
    the base::syslog::fragment to make debugging a bit easier.

release/004.021 (2015-02-17)

    [puppetclient] Filter out "Retrieving pluginfacts" puppet-agent
    messages using filter-syslog. (adamhl)

release/004.020 (2015-02-10)

    Update references in motd and newsyslog to follow puppet3
    requirements.  (whm)

release/004.019 (2015-02-05)

    Remove obsolete iptables fragment files. (whm)

release/004.018 (2015-02-03)

    Change syslog tls support to follow host base naming conventions
    for wallet objects.  (whm)

release/004.017 (2015-01-30)

    [dns] More instance variable @ fixes for resolv.conf.erb. (adamhl)

release/004.016 (2015-01-23)

    Another fix for lsb package names on RHEL. (darrenp1)

release/004.015 (2015-01-16)

    Fix comments and class names to use underscore, not hyphens. (darrenp1)

release/004.014 (2015-01-16)

    [dns] Instance variable @ fixes for resolv.conf.erb. (adamhl)

release/004.013 (2015-01-08b)

    [postfix] Fix master.cf config file for CentOS; break class out of
    postfix.pp into postfix/server.pp. (adamhl)

release/004.012 (2015-01-08)

    Add 4 new rsyslog formats to the templates available:
    FromHostFileFormat, FromHostForwardFormat, FromIPFileFormat, and
    FromHostFileFormat.  (whm)

release/004.011 (2015-01-02)

    [iptables] Fix @'s in iptables template file rule.erb. (adamhl)

release/004.010 (2014-12-22)

    Fix @ in an iptables template file. (adamhl)

release/004.009 (2014-12-17)

    Fix for $::fqdn_lc across module. (darrenp1)

release/004.008 (2014-12-11)

    [os] Fix for RHEL lsb package names for different releases. (darrenp1)

release/004.007 (2014-12-05)

    Several changes to support CentOS. (adamhl)

    Fix another @ in a template file. (adamhl)

release/004.006 (2014-12-05)

    [puppetclient] Install ruby-json on wheezy systems (recently patched
    wheezy systems with Puppet 2.x require ruby-json to avoid
    annoying error messages). (adamhl)

release/004.005 (2014-11-21)

    [dns] Change the order of the nameservers and move the anycast
    servers to the top of the list.  (whm)

    [ssh] Allow the PermitRootLogin to be set to "yes" (defaults to usual
    setting of "without-password").

    [os] replace some variables in template files with their "@" versions.
    (adamhl)

release/004.004 (2014-11-07)

    [syslog::tls] Restructure code to support Puppet 3's scoping
    rules.  The change required means that existing manifests that use
    the base::syslog::tls resource will need to add the
    base::syslog::tls_ca_cert resource.

    [cron] replace "operatingsystem" with "@operatingsystem" in
    crontab.erb. (adamhl)

release/004.003 (2014-11-06)

    [puppetclient] Only put the database account credentials in
    /etc/puppet/puppet.conf for the (old) Puppet 2.x servers. (adamhl)

    [puppetclient] Update the check-puppet hourly cron job for
    Puppet 3. (adamhl)

    [puppetclient] Have filter-syslog ignore a new innocuous message from
    puppet-agent. (adamhl)

    [wallet] Change file permissions to 4-digit string, refactor, and fix
    puppet-lint warnings for base::wallet.

    [os] Update sources files to support jessie. (whm)

release/004.002 (2014-10-20)

    [puppetclient] Break out some classes into their own files; redefine
    puppetclass::dev to point to the Puppet 3 development
    servers. (adamhl)

release/004.001 (2014-10-14)

    The Great Hyphen Hunt. Change hyphens in class names to underscores.
    (adamhl)

release/003.037 (unreleased)

    Switch os curl package to include packages::curl to avoid duplicate
    definition.  (darrenp1)

    [puppetclient] Add puppetservice* servers to list of servers that can
    download Puppet DB credentials. Add a new ACL to auth.conf that was
    introduced in Puppet 3. (adamhl)

    [puppetclient] Add new class base::puppetclient::puppetlabs_repo that
    makes the Puppet Labs Debian repository available. (adamhl)

    [apt_key] Move apt_key from a local module into base. (adamhl)

release/003.036 (2014-09-10)

    Use jimhenson1 for the Puppetmaster in /etc/puppet/puppet.conf for the
    new Puppet servers puppetservice*. (adamhl)

release/003.035 (2014-09-10)

    Filter out some innocuous rsyslog messages from the syslog. (adamhl)

release/003.034 (2014-09-05)

    Use jimhenson1 for the Puppetmaster in /etc/puppet/puppet.conf for the
    new Puppet servers puppetdb* and puppetrepo*. (adamhl)

release/003.033 (2014-08-31)

    Add base::noipmi.  This allows "odd" machines to suppress loading ipmi
    support and running the exec that disables cipher zero.  (whm)

release/003.032 (2014-08-27)

    Remove yuelu from filter syslog exceptions.  (whm)

release/003.032 (2014-08-22)

    Update the backports preferences file to pull the perl remctl
    support from backports.  The newer module is required by the
    latest stanford-server package.  (whm)

release/003.031 (2014-07-04)

    Change the work directory used by rsyslog for disk queues to match
    the package default.  (whm)

    Change the queue.MaxFileSize to 100m to override the default of 1m
    in the default and ldap rsyslog fragments.  This will prevent the
    creation of many small files when the syslog server is
    unreachable.  (whm)

    Create /etc/facter/facts.d in puppetclient.  This is the default
    /etc directory for external facts on both Debian and RHEL.
    (jonrober)

release/003.030 (2014-07-07)

    Fix for IPMI on kernels >= 3.13.  (darrenp1)

    On each Puppet run on a system that enables Puppet, check if cipher
    zero is enabled and disable it if so.  (rra)

    Update ssh filter-syslog rules for current staff members.  (rra)

    Set the queue.TimeoutEnqueue parameter to zero for LDAP, TLS, and
    default rsyslog fragments.  Reformat the fragments for
    readability.  (whm)

release/003.029 (2014-06-17)

    Correct path new for RELP module fragment in
    base::syslog::tls_support. (whm)

release/003.028 (2014-06-17)

    Fix filter-syslog rules for rsyslog to ignore restart messages. (rra)

    Update ssh filter-syslog rules for current staff members and add
    another failed login pattern.  (rra)

    Add the squeeze-lts distribution to sources.list for squeeze systems.
    This is the long-term support archive, which provides extended
    security support.  (rra)

    Adjust highWater marking settings for remote rsyslog queues based
    on suggestions from rsyslog start messages. (whm)

    Add base::syslog::tls to support TLS/RELP connections between
    an rsyslog client and an rsyslog server. (whm)

release/003.027 (2014-05-23)

    Update the v5 rsyslog default to remove deprecation warnings on
    v7 systems.  (whm)

release/003.026 (2014-05-19)

    Change the default rsyslog configuration to assume v7 syntax.
    (whm)

    Update comments in remctl and ssh modules.  (rra)

release/003.025 (2014-05-12)

    Change the default transport for rsyslog v5 remote syslog message
    delivery to UDP.  This will result in message loss when the remote
    syslog server is unavailable, but it avoids the complexities of
    the v5 queue configuration.  (whm)

release/003.024 (2014-05-08)

    Back out one of the boolean changes because the original test
    never was for a boolean.  (whm)

release/003.023 (2014-05-07)

    Change handling of use_ parameters in rsyslog.pp to handle the
    cases where booleans must be tested as strings.  (whm from Darren)

release/003.022 (2014-05-05)

    Removed smtp-bypass iptable fragments. Move it to s_emailrouter
    class. (sfeng)

    Change the handling of the use_syslog_conf variable in the
    rsyslog.conf.erb template to allow the variable to be either a
    string or a boolean.  This works around a problem with puppet's
    handling of booleans in some situations.  (whm)

    Clean up puppet client ERB file to better handle servers like
    frankoz2-new. (adamhl)

    Ignore another new variation on ssh logs from wheezy.  (rra)

    Add dependencies in base::postfix::recipient on the postfix package so
    that the required directory structure will exist.  (rra)

    Remove base::kerberos filter-syslog rules.  These only had rules for
    ksu, which we no longer use, so they're now pointless.  (rra)

    Coding style cleanup for base::syslog::fragment, using the newer
    method for handling defines that should take both source and content.
    (rra)

    Add a web-aws iptables rule that blocks non-root users from reaching
    the AWS instance metadata URL.  (sfeng)
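
    For illustration, an iptables-save style fragment in the spirit of that
    rule (an added example, not the module's web-aws template).  It assumes
    the AWS instance metadata address 169.254.169.254, which the entry does
    not name, and that root is the only account that legitimately needs the
    metadata service (facts, cloud-init, provisioning).

```conf
# Added example in iptables-save syntax; not the module's web-aws fragment.
# 169.254.169.254 is the AWS instance metadata address (assumed here, the
# entry does not name it).  The owner match only exists in the OUTPUT and
# POSTROUTING chains, which is why this is an egress rule.
*filter
# root (provisioning, facts, cloud-init) may still talk to the metadata
# service; uid 0 is root.
-A OUTPUT -d 169.254.169.254/32 -m owner --uid-owner 0 -j ACCEPT
# Everyone else, including the web application's service account, gets an
# immediate refusal rather than a hang.  This closes the path by which an
# SSRF or file-fetch bug in the web tier would read the instance role
# credentials from http://169.254.169.254/latest/meta-data/iam/...
-A OUTPUT -d 169.254.169.254/32 -j REJECT --reject-with icmp-admin-prohibited
COMMIT
```

    Check it with "iptables -S OUTPUT", then, as an unprivileged user, run
    "curl -s -m 2 http://169.254.169.254/latest/meta-data/": it should fail
    immediately, while the same command as root still returns the listing.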

    Default to the backports version of facter on wheezy systems to pick
    up the fix for detecting Xen VMs.  (rra)

    Modify the default rsyslog configuration for v7 servers.  The new
    configuration creates separate queues for writing to the local
    disk and for sending to the remote syslog server.  This prevents
    messages from being lost when the central server is down and
    allows writing to local disk to continue.  (whm)
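
    The following rsyslog.d fragment is an added example of that layout and
    of the TLS/RELP forwarding that base::syslog::tls (noted in the entries
    above) provides; it is not the module's own template.  It assumes
    rsyslog 7.5 or later with omrelp built against a TLS-capable librelp, a
    work directory of /var/spool/rsyslog set in rsyslog.conf, and a RELP
    listener on logsink.stanford.edu; the port and certificate paths are
    placeholders.

```conf
# /etc/rsyslog.d/50-logsink.conf  (added example; not the module's template)
# Assumes rsyslog >= 7.5, omrelp with TLS support, and
#   global(workDirectory="/var/spool/rsyslog")   (or $WorkDirectory)
# already set in rsyslog.conf.

module(load="omrelp")

# Local copy.  This action runs off the main queue; writing a local file
# never blocks for long, so it needs no queue of its own.
*.* action(type="omfile" file="/var/log/messages")

# Remote copy over RELP with TLS, with its own disk-assisted queue.
# Messages sit in memory up to queue.size; above queue.highwatermark the
# queue spills to disk under the work directory (files fwd_logsink.*) and
# stops spilling once it drains below queue.lowwatermark.  Keep the
# high-water mark below queue.size, otherwise rsyslog complains at startup.
# While logsink.stanford.edu is unreachable only this queue grows (bounded
# by queue.maxdiskspace); the omfile action above keeps writing, and
# resumeRetryCount="-1" retries forever instead of discarding.
# Port and certificate paths are placeholders.
*.* action(type="omrelp"
           target="logsink.stanford.edu"
           port="2514"
           tls="on"
           tls.cacert="/etc/rsyslog.d/tls/ca.pem"
           tls.mycert="/etc/rsyslog.d/tls/client-cert.pem"
           tls.myprivkey="/etc/rsyslog.d/tls/client-key.pem"
           tls.authmode="name"
           tls.permittedpeer=["logsink.stanford.edu"]
           queue.type="LinkedList"
           queue.filename="fwd_logsink"
           queue.size="10000"
           queue.highwatermark="8000"
           queue.lowwatermark="2000"
           queue.maxdiskspace="1g"
           queue.saveonshutdown="on"
           action.resumeRetryCount="-1")
```

    Validate with "rsyslogd -N1" before restarting.  To see the separation
    in action, stop the listener on the central server and watch
    /var/spool/rsyslog fill with fwd_logsink.* files while /var/log/messages
    keeps growing.  The v5 entries further down (release/003.025) switched
    remote delivery to UDP to avoid exactly this queue configuration, at the
    cost of losing messages while the server is down; the v7 syntax makes
    the queue cheap enough to keep.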

release/003.021 (2014-03-11)

    Fix cron issues on RHEL. (darrenp1)

release/003.020 (2014-03-05)

    Remove class that used lsdb-dev for dev Puppet CA (should have been
    removed a long time ago). (adamhl)

release/003.019 (2014-02-27)

    Fix a typo in resolv.conf.erb.  This change only affects some
    DNS servers.  (myl)

release/003.018 (2014-02-24)

    Set the default behavior for rsyslog to forward /etc/messages to
    the central syslog service, i.e. logsink.stanford.edu.  (whm)

release/003.017 (2014-02-24)

    Correct the rsyslog v7 template.  The template fix removes an
    extra space that was causing problems for filter-syslog parsing.
    This change also reverts the default behavior of forwarding
    syslog to the logsink servers.  (whm)

release/003.016 (2014-02-19)

    Added a new xinetd configuration file: stunnel. (adamhl)

release/003.015 (2014-02-17)

    Change the default rsyslog configuration to forward syslog
    messages to the central syslog server in addition to writing
    them locally.  Change the date format for syslog to RFC 3339
    format.

release/003.014 (2014-02-12)

    Correct double variable reference in base::dns::dr-cache.  (whm)

release/003.013 (2014-02-12)

    Fix cut-and-paste error in defining base::dns::dr-cache.  (whm)

release/003.012 (2014-02-12)

    Fix doubly defined class and add missing in the dns support
    used by Livermore servers.  (whm)

release/003.011 (2014-02-12)

    Fix a syntax error in the specification of the apt preferences file
    for rsyslog.  (whm)

release/003.010 (2014-02-11)

    Add an apt preferences file to use the rsyslog version from
    backports.  Remove preferences installation from the syslog
    module.  (whm)

release/003.009 (2014-02-10)

    Add code to generate a different resolv.conf for DNS servers.  (meeilee)

release/003.008 (2014-02-05)

    Update comment documentation in base::pam::workgroup.  Remove
    unused parameter and variables.  (whm)

    Correct the variable used to identify the syslog server to send
    output to in base::syslog::fragment.  (whm)

    Re-enable usage of DNS server at Livermore. (whm)

release/003.007 (2014-02-04)

    Disable usage of the DNS server at Livermore until the server is
    rebuilt.  (whm)

release/003.006 (2014-01-21)

    Correct template for rsyslog forwarding using v7 syntax.  (whm)

release/003.005 (2014-01-20)

    Lowercase the hostname when forming a Kerberos principal in the
    out-of-date cron job.  Some Networking systems use .Stanford.EDU in
    the official hostname.  (rra)

    Ignore more buggy power limit notifications from new Dell hardware.
    Several cases were missed in the previous change.  (rra)

    Fix for Ubuntu portmap / rpcbind service name.  (darrenp1)

    Update ntp.conf with IPv6 options.  (darrenp1)

    Update syslog support to allow transition to new configuration policy
    of putting all templates and output specifications in the rsyslog.d
    fragments directory.  (whm)

    Globally disable monlist in all the ntp.conf variations to protect
    against use of monlist to launch UDP-based DoS attacks.  This was
    probably already prevented by firewall rules, but may as well make
    sure.  (rra)
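
    For illustration, the ntp.conf directives involved, the loose form beside
    the hardened one (an added example, not one of the module's ntp.conf
    templates; it assumes a stock ntpd 4.2.x).

```conf
# ntp.conf fragment: added example, not the module's template.

# Loose: a default restrict line without "noquery" still answers mode-7
# control requests, monlist among them, from any source.  A spoofed request
# of a couple of hundred bytes draws a reply of several kilobytes (up to 600
# recent peers) aimed at the spoofed victim address, which is the
# amplification the entry above guards against.
#restrict default kod nomodify notrap nopeer

# Hardened: turn the monitor subsystem off so monlist has nothing to return
# even to hosts that are allowed to query, and refuse mode-6/7 queries from
# everyone but localhost.  Time service (mode 3/4) is unaffected.
disable monitor
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
```

    After a restart, "ntpdc -n -c monlist <host>" from another machine should
    time out rather than list peers; "ntpq -p" on the host itself still works
    because localhost keeps query access.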

release/003.004 (2013-12-03)

    Recognize Amazon EC2 instances as virtual for the purposes of not
    installing the IPMI kernel module.  (sfeng)

release/003.003 (2013-12-02)

    Remove the temp work file in the dell-warranty-facts cronjob.
    (mgoll)

    Ignore buggy CPU core power limit notifications from new Dell
    hardware in default Debian filter-syslog rules.  (rra)

release/003.002 (2013-11-24)

    Make it simpler to override the default rsyslog behaviour.  Change
    the name of the default rsyslog fragment.  Add a default fragment for
    remote logging.  Correct path references to common syslog fragment
    templates.  (whm)

release/003.001 (2013-11-20)

    Correct syntax error in rsyslog.pp.  (whm)

release/003.000 (2013-11-19)

    Updates to base::syslog. Retire /etc/syslog.conf.  Modify
    /etc/rsyslog.conf so that it contains no input/output specifications.
    Create a fragments define to manage files in /etc/rsyslog.d.  Define
    one default fragment that replicates current behavior if no additional
    fragments are added.  (whm)

release/002.003 (2013-11-19)

    Fixes for Ubuntu: precise/raring vmguest open-vm-dkms, and os::ubuntu
    doesn't ensure logrotate cron removed (that is done in newsyslog).

    Just disable logrotate for all hosts including base::newsyslog instead
    of trying to remove it on Debian, Ubuntu, and Red Hat 4.  We keep
    running into other packages that depend on it, which makes removing it
    unnecessarily complex.  This means the base::logrotate::disabled class
    is now obsolete and has been removed.  Users of that class can just
    remove the include of that class.

    Map Ubuntu raring to wheezy instead of squeeze for the Stanford-local
    Debian repositories.

    In postfix-policyd, disable WHITELISTING for zimbra so ratelimit can
    be applied to zimbra servers.  This is required after we enforce
    ratelimit for smtp servers.

    Install a separate newsyslog configuration file for btmp so that its
    permissions can be set to 0660 while setting wtmp's to 0664.

    Remove obsolete blacklist-acct-accounts iptables template.

    Add validation check in newsyslog config.

release/002.002 (2013-09-10)

    Add support for a listen_addresses parameter to ssh::config::sshd that
    restricts sshd to listen to particular hosts.

    Add fix for Ubuntu (and others) in base::vmguest to install the right
    open-vm-tools package.

release/002.001 (2013-08-08)

    Add additional ignore patterns for failed ssh logins from IT Services
    staff, and ignore new ssh failure patterns seen in Debian wheezy.

    Use OpenAFS 1.6.5 in RHEL5 and RHEL6 yum repository configuration.

release/002.000 (2013-07-15)

    The deprecated classes base::newsyslog::messages::sa and
    base::newsyslog::messages::sa::override have been deleted.  Global
    overrides for the default base::newsyslog behavior should be put into
    the local defaults module instead.

    base::cron::filter-user-noise has been deleted.  This was specific to
    Research Computing systems and should be handled in that local
    repository.

    base::ssh::rc has been deleted.  This isn't part of any base::ssh
    inheritance tree and can live only in the Research Computing Puppet
    Git repository.

    The acceptable runtime for tmpreaper (used by base::tmpclean on Debian
    and Ubuntu) has been extended to 20 minutes globally, and the
    base::tmpclean::longer class, which existed only to do that, has been
    removed as unnecessary.  The longer runtime limit should not pose a
    problem on any system.

    The static crontab files installed by base::cron have been replaced
    with a template to handle differences between Red Hat and Debian.  The
    periodic cron jobs no longer even attempt to use anacron, avoiding any
    problems with unpredictable cron run times if anacron is installed on
    the system.

    Move campus anycast DNS servers to the bottom of the DNS server list
    for now.  These are not yet considered production DNS servers.

    Remove Kerberos filter-syslog rules for eklogind and kshd.

    base::daemontools::supervise now uses current coding standards and no
    longer special-cases various default options to some of its
    parameters.

    base::remctl no longer installs remctl-client.  This is going to be
    handled by the stanford-server-packages metapackage, and is
    independent of what's set up by this module.

release/001.002 (2013-07-10)

    newsyslog::config now supports a new analyze_logs parameter, which
    specifies the list of logs to run through the analyze action (when
    different than the list in logs).  analyze_logs defaults to logs if
    not given.

    Restructure the newsyslog::config template so that both the template
    and its output are somewhat more readable.

    newsyslog no longer sets up a weekly command to tar up
    /root/.history-save and removes /etc/newsyslog.weekly/audit if it
    exists.  We're no longer using per-user history files and we're
    letting bash handle managing the length of the history file.

    newsyslog now creates btmp and wtmp writable by group utmp, matching
    the operating system defaults.

    newsyslog no longer attempts to clean up sysklogd cron jobs or remove
    the old /etc/newsyslog.daily/syslog file installed by ancient versions
    of stanford-server.

    Append to the temporary file used for Dell warranty facts instead of
    deleting it and recreating it (which defeats some of the point of
    using mktemp).

    The default out-of-date cron job always uses the host/* principal of
    the local host for authentication instead of the first principal in
    /etc/krb5.keytab, which may be for some other principal or a host/*
    principal for an old hostname.

    Remove out-of-date::server.  This is only used on a single host, so
    all of the files and Puppet manifest have been moved to the Puppet
    model for that server.

    Change Puppet master server for frankoz servers to jimhenson1 since
    jimhenson4 is down with hardware trouble.

    Change the base::dns* classes to use a template to generate the
    resolv.conf file for a system and add the DNS anycast servers into
    the configuration.

release/001.001 (2013-06-25)

    Drop installation of stanford-klogin from base::os::debian.  We've
    switched completely to Kerberized ssh and no longer install Kerberos
    rlogin or rsh, so no need for the clients.

release/001.000 (2013-06-22)

    Enable the security and updates repositories for wheezy now that
    wheezy has been released.

    For Red Hat systems, switch to using the VMware tools packages and
    install the necessary yum configuration.

    Add filter-syslog rules for new remctl error messages and another sshd
    error message from terminated network connections.

    Add base::portmap.