NEWS
release/005.001 (2016-12-11)

    Add "path" attributes to several exec resources. This will be required
    in the next version of Puppet. [adamhl]

    [puppetclient] Replace "local" variables with what is really intended:
    instance variables defined in the calling manifest (or defined as a
    Puppet fact). While not strictly necessary right now, a future
    version of Puppet will stop interpreting ERB local variables as
    instance variables so we might as well fix them now. [adamhl]

    [puppetclient] Remove some conditional code that made sense when we
    used very old versions of Puppet. [adamhl]

    [ssh, syslog, xinetd] More instance variable cleanup. [adamhl]

    [ipmi] When comparing lsbmajdistrelease to a Debian version, convert
    lsbmajdistrelease to an integer first (otherwise, get Ruby
    error). [adamhl]

    [os/debian] Add parameter to allow the option of *not* including the
    debian-stanford backports repository in the apt sources. [adamhl]

release/005.000 (2016-11-21)

    This release has a number of breaking changes.

    [duo] base::duo has been completely reworked into a type plus a common
    class.  Clients which use Duo for their own purposes should create an
    instance of base::duo::config, which will create a Duo PAM config file for
    them to use.  See README.duo for more information.

    [ipmi] A complete rework of base::ipmi.  The base::noipmi class no
    longer exists.  Instead, IPMI support should be disabled by setting
    base::ipmi::ensure to "absent".  IPMI kernel modules, and ipmievd, should
    still be automatically disabled on virtual systems, even when
    "ensure => present"; in those cases, the IPMI client tools will still be
    installed.  Code has been updated for Debian 8 and Ubuntu 16.04.

    [os/debian] All aptitude operations are now performed in a new phase,
    called "aptitude".  The "aptitude" phase is configured to run before
    "main".

    Clients which rely on aptitude being up-to-date must no longer
    "require => Exec['aptitude update']".  The nature of Puppet phases will
    ensure that aptitude is already updated.

    Clients installing their own custom sources are advised to move all of that
    into separate classes, and to put those classes into a new phase of their
    own.  This new phase should "require => Phase['aptitude']" and
    "before => Phase['main']", to ensure proper execution sequencing.

    [os/debian] Add two Hiera-configurable parameters to base::os::debian::apt:

    * apt_cache_notin_tmp.  If true, use a different directory to store package
    scripts that need to be run during package install/upgrade.

    * apt_cache_tmp_dir.  When apt_cache_notin_tmp is true, this is the
    directory to use for package scripts.

    [os/debian] Install the stanford-server package (this might trigger a
    duplicate resource error if currently installed by other classes).

    [postfix/sender] A new type: base::postfix::sender.  This is similar to
    base::postfix::recipient, except it is used to rewrite sender addresses
    instead of recipient addresses.

    It is suggested that clients use base::postfix::sender to ensure that
    emails sent 'from' "root@stanford.edu" or "root@hostname.stanford.edu" are
    instead being sent 'from' either "noreply@stanford.edu" or
    "shared-mailbox@stanford.edu".

    [ssh] A fairly large rework of SSH code.  Support has been added for
    treating "alternate accounts" (.root, .admin, root., and admin.) the same
    as root.  Code has also been updated to account for changes to base::duo.
    Support has also been added to completely disable password authentication.
    Support for Ed25519 keys is also included (though disabled by default).
    Finally, pam_afs is now configurable: It can be disabled on systems that do
    not use AFS.

    See README.ssh for more information on how to use the code.

    [sudo] Complete rework of base::sudo, including configurable support for
    Duo.  Anyone in the "sudo" or "wheel" group gets sudo access.  If Duo is
    enabled, anyone on a specified list is able to sudo without a password, but
    with a two-step run.  Fail-secure is supported, as is using the GECOS field
    to specify the username that Puppet should actually use.

    See README.sudo for more information on how to use the code.

    [syslog] Some fixes for Ubuntu.

    [os/debian] Fix the $PATH used by aptitude.

    [puppetclient] Fix a filter-syslog regex error.

release/004.063 (2016-10-17)

    [ipmi] Fix EL package requires (like EL6, EL7 only has OpenIPMI
    available, and not OpenIPMI-tools). (jlent)  Fix ipmievd configuration
    for Ubuntu. (akkornel)

    [os] Update the Ubuntu-to-Debian mapping. (akkornel)  Enable the
    debian-stanford backports for Ubuntu distros based on Wheezy and Jessie.
    (akkornel)  Also add additional Ubuntu-specific backports. (akkornel)
    Also remove daemontools as a default install on systemd Ubuntu. (akkornel)

    [ntp] Add the SRCF time server, make sure NTP is installed, and disable
    systemd-timesyncd on RHEL 8.

    [xinetd] Make sure inetd is removed before xinetd is installed. (akkornel)

    [wallet] Make sure the base::wallet::client class is included when
    required. (akkornel)

release/004.062 (2016-06-03)

    [os] Fix references applicable to Oracle Linux
    [cron] Address cron-related package not available on Oracle Linux
    [puppetclient] Address lack of versionlock on Oracle Linux (jlent)

release/004.061 (2016-04-21)

    [os] Add some parameters to the base::os::debian class to make apt use
    a directory other than /tmp for its cache.

    Reason: The apt utility when installing or uninstalling a package puts
    its temporary files, including scripts it needs to execute, in
    /tmp. If the /tmp partition is set to noexec (as recommended by
    security advisors), then one cannot run any executable out of the /tmp
    directory. The result is that the package install will not finish
    properly. The new parameters in the base::os::debian class tell apt to
    use /var/cache/apt/tmp as its temporary cache directory getting around
    the /tmp noexec problem.

    Note that the default is to continue using /tmp as apt's cache
    directory, so upgrading to this version is safe. (adamhl)

release/004.060 (2016-04-04)

    [kerberos] Add the mapping wst-web1-uat.stanford.edu -->
    WINUAT.STANFORD.EDU in /etc/krb5.conf. (adamhl)

release/004.059 (2016-03-17)

    [kerberos] Add the new non-production Windows Active Directory domain
    WINUAT.STANFORD.EDU to /etc/krb5.conf. No other change to
    /etc/krb5.conf, so this is a completely safe upgrade. (adamhl)

release/004.058 (2016-02-04)

    [dns] Remove Livermore-specific DNS (anycast works there now). (akkornel)
    [ssh] Allow multiple ports in sshd_config. (adamhl)

release/004.057 (2016-01-11)

    [puppetclient] strip special treatment for Puppet 2.X hosts (jlent)
    [pam] Stop overriding common PAM files with Debian jessie. (akkornel)
    [ssh] Misc. filter-syslog cleanups. (akkornel)

release/004.056 (2015-11-05)

    [sudo] Add an option to support sudo-with-Duo. (adamhl)
    [duo] New class to load Duo code and wallet object. (adamhl)
    [ssh] Add pam_duo option to enable Duo for ssh regular logins (adamhl)

    [puppetclient] Add an option to override the certname in the [agent]
    section.

release/004.055 (2015-10-08)

    [dns] Rewrite base::dns::cache so that it uses dnsmasq on jessie
    systems. (adamhl)

release/004.054 (2015-09-14)

    [systemd] New class to allow systemd daemon reloads. (adamhl)

    [dns] Changes Livermore detection to use the system's primary IP address,
    instead of using a manually-set parameter. (akkornel)

    [kerberos] Automatically determine if we are in Livermore; if we are, place
    the Livermore-based KDC at the top of the list. (akkornel)

    Clients who are using the base::kerberos::dr class should immediately switch
    to using base::kerberos.  base::kerberos::dr is deprecated.

    [kerberos] Add two parameters to the base::kerberos class. The first
    is used to force the kerberos client to prefer TCP over UDP. The
    second allows one to indicate which kerberos environment to use: prod,
    test, or uat. In both cases, the defaults are such that the krb5.conf
    will continue to have the same contents as before the addition of
    these parameters.

release/004.053 (2015-07-28)

    [rpm] Adding a dag-EL7.repo file so that EL7 hosts can get a
    valid repo file based on the existing logic of the manifest (jlent)

release/004.052 (2015-07-27b)

    [iptables] Add an "include base::iptables" to base::iptables::rule
    define so it will run correctly by itself. (adamhl)

release/004.051 (2015-07-27)

    [os] Small fix in base::os::debian to one of the systemd-related
    syslog-filter regexes (akkornel)

    [kerberos] Change the configuration for the WIN.SLAC.STANFORD.EDU domain,
    as per Kent Reuber (see INC000003427399) (akkornel)

    [rpm] Remove EL6 package requires of yum-plugin-downloadonly, since
    yum-3.2.29-69 includes this plugin and obsoletes the individual
    package (thus putting the puppet ensure in a loop) (jlent)

release/004.050 (2015-07-24)

    [rpm] Making available openafs-1.6.{7,8}-EL{5,6,7}.repo files
    pointing to yum.stanford.edu. Also edited rpm.pp to reflect that
    EL7 hosts should get 1.6.8 by default (jlent)

release/004.049 (2015-07-22)

    [os] Small fix to the 'ping' capability adjustment: grep -v does not
    return 0 on success, so changed "onlyif" to "unless" (adamhl)

    [os] Enable the jessie-backports Stanford debian repository sources
    file /etc/apt/sources.list.d/backports.list (now that jessie-backports
    is available) (adamhl)

release/004.048 (2015-06-24)

    [newsyslog] Change permissions of /var/log/btmp to '600' in RHEL
    systems so that sshd stops complaining. This is because RHEL builds
    of openssh are paranoid about the frequency that passwords are
    mistakenly entered as usernames. If the utmp group is compromised,
    there could be enough context to get real account credentials (jlent)

    [dns] Make dns_cache a class-level parameter, so that it can be set in
    Hiera (as base::dns::dns_cache) (akkornel)

    [dns] Add support for Livermore, via Hiera.  Set base::dns::livermore (in
    Hiera) to true, and Livermore DNS gets added to resolv.conf (akkornel)

    [dns] Add support for disabling Puppet management of resolv.conf, for
    systems using DHCP (akkornel)

    [remctl] Require remctl-server package be installed before installing
    xinetd config (akkornel)

release/004.047 (2015-06-17)

    [os] Adjust capability on 'ping' to allow non-root users to use
    this utility on Jessie systems (jlent)

release/004.046 (2015-06-12)

    [os] Start filtering systemd-related messages from syslog (akkornel)

    [rpm] re-enable the rhn plugin for bonafide RHEL hosts, since with
    the new licensing, updates will come from RHN classic (jlent)

    [syslog] Have filter-syslog ignore some systemd log messages; fix an
    @-template deprecation warning (adamhl)

release/004.045 (2015-06-02)

    [rpm] Removing the ensures that continue to push out the
    RHEL OS repositories previously hosted on yum, since we
    no longer have our RedHat licensing agreement. Any one-off
    hosts with new keys will need to point at a cloud-based
    instance anyway (jlent)

    [os/centos] Changing the group name for GID 37 back to
    rpm, as it is in RedHat proper (jlent)

release/004.044 (2015-05-21)

    [vmguest] Add a parameter to allow the non-installation of the
    tripwire client. (adamhl)

    Add some @'s to some instance variables in a couple of template
    files. (adamhl)

release/004.043 (2015-05-15)

    [dns] Remove the legacy "C" DNS servers from resolv.conf.  Networking is
    shutting down these servers on November 1, and will start notifying admins
    in May.  (akkornel)

    [os] In wheezy, when CRON logs to syslog it appears as
    "/USR/BIN/CRON[12345]". With jessie, however, this has changed and the
    syslog entry now looks like "CRON[12345]". So, we add a new rule in the
    filter-syslog debian file to capture this new format. (adamhl)
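
    The regex below is an added example of the kind of rule this entry
    describes, not the module's own filter-syslog file.  It treats a
    routine CRON "CMD" line as noise whether the tag is the wheezy
    "/USR/BIN/CRON" (or "/USR/SBIN/CRON") form or the jessie "CRON" form,
    and returns the remaining lines for review.  The three log lines are
    constructed.

```python
"""Recognise routine CRON job lines in both the wheezy and jessie syslog formats.

Added example, not the base module's filter-syslog rules; sample lines constructed.
"""
import re

# Constructed sample: a wheezy-style CRON tag, a jessie-style CRON tag, and
# an unrelated sshd line that a filter must not swallow.
SAMPLE_LOG = """\
May  1 06:25:01 host1 /USR/BIN/CRON[12345]: (root) CMD (test -x /usr/sbin/anacron || run-parts --report /etc/cron.daily)
May  1 06:25:01 host1 CRON[12346]: (root) CMD (test -x /usr/sbin/anacron || run-parts --report /etc/cron.daily)
May  1 06:25:02 host1 sshd[12347]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
"""

# Classic syslog line: timestamp, host, tag[pid]: message.
SYSLOG_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^\[: ]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# Tag as written by wheezy (upper-cased full path) or by jessie (bare "CRON").
CRON_TAG = re.compile(r"^(?:/USR/S?BIN/)?CRON$")

# Only job-start lines are routine; "(CRON) INFO ..." and "(CRON) error ..."
# deliberately fall through so they still get reported.
CRON_CMD = re.compile(r"^\((?P<user>[^)]+)\) CMD \((?P<cmd>.*)\)$")


def classify(line: str) -> str:
    """'cron' for a routine job-start line in either format, 'other' for any
    other parseable syslog line, 'unparsed' for anything else."""
    m = SYSLOG_LINE.match(line)
    if not m:
        return "unparsed"
    if CRON_TAG.match(m.group("tag")) and CRON_CMD.match(m.group("msg")):
        return "cron"
    return "other"


def unfiltered(text: str) -> list:
    """Lines that survive the filter and should be reported."""
    return [line for line in text.splitlines() if classify(line) != "cron"]


if __name__ == "__main__":
    for line in unfiltered(SAMPLE_LOG):
        print(line)
```

    Matching on the message body as well as the tag is what keeps the rule
    from hiding cron's own error and "INFO" lines, which is the usual
    mistake when a tag-only pattern is widened to cover a new format.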

    [syslog] jessie has changed how rsyslogd logs to syslog so we change
    filter-syslog a bit to handle this format change. (adamhl)

release/004.042 (2015-05-04)

    [ntp] Remove obsolete host references from ntp.conf.  Also,
    remove iptables rules allowing inbound ntp connections to
    servers. (whm)

    [iptables] Remove obsolete fragments for ldap and AFS file
    servers. (whm)

release/004.041 (2015-04-29)

    [portmap] Minor edit to insist that EL7 gets rpcbind, as does
    EL6, instead of portmap (jlent)

    [os] Edited conditional in sources.list.erb to allow Jessie hosts
    to get the expected Stanford-hosted Debian repositories (jlent)

    [vmguest] VMWare does not package vmware-tools-esx-nox for EL7. They
    instead recommend the use of open-vm-tools. Added a condition
    and refactored vmguest.pp appropriately. Also, change to
    portmap.pp. EL7, like EL6, requires rpcbind and not portmap (jlent)

release/004.040 (2015-04-21)

    Correct spelling mistake introduced in release/004.038. (whm)

release/004.039 (2015-04-21)

    Correct install of emacs on jessie systems. (whm)

release/004.038 (2015-04-20)

    Make sure that the rsyslog preferences file is installed only on
    wheezy systems.  (whm)

release/004.037 (2015-04-20)

    Remove lenny and older references from tftp_client, os::debian,
    postfix, syslog, and pam.  (whm)

release/004.036 (2015-04-14)

    [os][rpm] Support CentOS via its own class, stub an OEL
    class, small fixes to redhat.pp to be generic enough for use
    by these RHEL-ish operating systems, edits to allow EL7-
    specific repository inclusions {and exclusions} (jlent)

release/004.035 (2015-04-12)

    [ipmi] Re-enable ipmievd on jessie by setting the options
    correctly.  (whm)

release/004.034 (2015-04-08)

    [yumtools] Minor fix for RHEL5 and yum plugins. (jlent)

    [cron] Add parameter to base::cron to allow anacron package to be
    installed (helpful for Ubuntu systems with ubuntu-desktop
    package). (adamhl)

    [ipmi] Don't attempt to run ipmievd on jessie.  It doesn't appear
    to be available.  (whm)

release/004.033 (2015-03-13)

    Modify the base::ssh::config::sshd define to allow the
    specification of content or source.  This is required to support
    hosts with special ssh requirements like systems that use duo. (whm)

    Fix a missed hyphen in reference to class fragment-template in
    defense.pp. (adamhl)

    [dns] Refactor dns into several files and a fix a small
    typo. (adamhl)

release/004.032 (2015-03-06)

    Fix a few more deprecation warnings concerning instance variables
    (i.e., add '@'s in ERB files) (adamhl)

release/004.031 (2015-03-02)

    Beginning of work to support RHEL-ish operating systems
    such as CentOS and Oracle Linux. The most common change
    involves converting 'operatingsystem' variable/fact usage
    to 'osfamily'. These changes were made safely so as not to
    potentially affect any existing hosts. There may be some
    additional refinements when CentOS and Oracle hosts come
    online; for now, we're assuming they act identically to RHEL.

    Additionally modified puppetclient.pp to support version
    locking of puppet and facter versions on RHEL systems.
    Added one additional manifest to facilitate this.
    (jlent)

release/004.030 (2015-02-25)

    Removed references to darrenp1 and rra in a filter-syslog file
    (adamhl)

release/004.029 (2015-02-24d)

    [rpm][yumtools] - slight reorganization involving which
    manifest actually installs the yum versionlock package (jlent)

release/004.028 (2015-02-24c)

    [puppetclient] Undo the basemodulepath configuration directive
    setting from release/004.027. The default basemodulepath is fine.
    (adamhl)

release/004.027 (2015-02-24b)

    [puppetclient] Set up basemodulepath configuration directive for
    puppetservice1-dev (adamhl)

release/004.026 (2015-02-24a)

    [yumtools] added new group of yum-related
    commands that can be used to manage package
    pins, groups, yum plugins and gpg keys
    (jlent)

release/004.025 (2015-02-23)

    [rpm] regression of the ensure of the
    versionlock.list file. A blank version of this
    file is already installed with yum-*-versionlock,
    and since a single file is used for all current
    and future pinnings, one-off manual pins may
    get overwritten via delivery of a flat file (jlent)

release/004.024 (2015-02-20)

    [rpm] slight fix to release 023 in the rpm repo
    template file name (jlent)

release/004.023 (2015-02-20)

    [rpm] Added ensures to pull in the Stanford PuppetLabs
    repo on all RHEL-ish hosts. Also ensure that packages
    yum-utils and yum-plugin-versionlock are installed to
    assist in yum configurations such as package locking.
    'versionlock' file is just stubbed for now, and will
    be expanded in the future (jlent)

release/004.022 (2015-02-17)

    [syslog] Correct template names for the impstats fragments that
    support debugging rsyslog problems.  Update the documentation in
    the base::syslog::fragment to make debugging a bit easier.

release/004.021 (2015-02-17)

    [puppetclient] Filter out "Retrieving pluginfacts" puppet-agent
    messages using filter-syslog. (adamhl)

release/004.020 (2015-02-10)

    Update references in motd and newsyslog to follow puppet3
    requirements.  (whm)

release/004.019 (2015-02-05)

    Remove obsolete iptables fragment files. (whm)

release/004.018 (2015-02-03)

    Change syslog tls support to follow host base naming conventions
    for wallet objects.  (whm)

release/004.017 (2015-01-30)

    [dns] More instance variable @ fixes for resolv.conf.erb. (adamhl)

release/004.016 (2015-01-23)

    Another fix for lsb package names on RHEL. (darrenp1)

release/004.015 (2015-01-16)

    Fix comments and class names to use underscore, not hyphens. (darrenp1)

release/004.014 (2015-01-16)

    [dns] Instance variable @ fixes for resolv.conf.erb. (adamhl)

release/004.013 (2015-01-08b)

    [postfix] Fix master.cf config file for CentOS; break class out of
    postfix.pp into postfix/server.pp. (adamhl)

release/004.012 (2015-01-08)

    Add 4 new rsyslog formats to the templates available:
    FromHostFileFormat, FromHostForwardFormat, FromIPFileFormat, and
    FromHostFileFormat.  (whm)

release/004.011 (2015-01-02)

    [iptables] Fix @'s in iptables template file rule.erb. (adamhl)

release/004.010 (2014-12-22)

    Fix @ in an iptables template file. (adamhl)

release/004.009 (2014-12-17)

    Fix for $::fqdn_lc across module. (darrenp1)

release/004.008 (2014-12-11)

    [os] Fix for RHEL lsb package names for different releases. (darrenp1)

release/004.007 (2014-12-05)

    Several changes to support CentOS. (adamhl)

    Fix another @ in a template file. (adamhl)

release/004.006 (2014-12-05)

    [puppetclient] Install ruby-json on wheezy systems (recently patched
    wheezy systems with Puppet 2.x require ruby-json to avoid
    annoying error messages). (adamhl)

release/004.005 (2014-11-21)

    [dns] Change the order of the nameservers and move the anycast
    servers to the top of the list.  (whm)

    [ssh] Allow the PermitRootLogin to be set to "yes" (defaults to usual
    setting of "without-password").

    [os] replace some variables in template files with their "@" versions.
    (adamhl)

release/004.004 (2014-11-07)

    [syslog::tls] Restructure code to support Puppet 3's scoping
    rules.  The change required means that existing manifests that use
    the base::syslog::tls resource will need to add the
    base::syslog::tls_ca_cert resource.

    [cron] replace "operatingsystem" with "@operatingsystem" in
    crontab.erb. (adamhl)

release/004.003 (2014-11-06)

    [puppetclient] Only put the database account credentials in
    /etc/puppet/puppet.conf for the (old) Puppet 2.x servers. (adamhl)

    [puppetclient] Update the check-puppet hourly cron job for
    Puppet 3. (adamhl)

    [puppetclient] Have filter-syslog ignore a new innocuous message from
    puppet-agent. (adamhl)

    [wallet] Change file permissions to 4-digit string, refactor, and fix
    puppet-lint warnings for base::wallet.

    [os] Update sources files to support jessie. (whm)

release/004.002 (2014-10-20)

    [puppetclient] Break out some classes into their own files; redefine
    puppetclass::dev to point to the Puppet 3 development
    servers. (adamhl)

release/004.001 (2014-10-14)

    The Great Hyphen Hunt. Change hyphens in class names to underscores.
    (adamhl)

release/003.037 (unreleased)

    Switch os curl package to include packages::curl to avoid duplicate
    definition.  (darrenp1)

    [puppetclient] Add puppetservice* servers to list of servers that can
    download Puppet DB credentials. Add a new ACL to auth.conf that was
    introduced in Puppet 3. (adamhl)

    [puppetclient] Add new class base::puppetclient::puppetlabs_repo that
    makes the Puppet Labs Debian repository available. (adamhl)

    [apt_key] Move apt_key from a local module into base. (adamhl)

release/003.036 (2014-09-10)

    Use jimhenson1 for the Puppetmaster in /etc/puppet/puppet.conf for the
    new Puppet servers puppetservice*. (adamhl)

release/003.035 (2014-09-10)

    Filter out some innocuous rsyslog messages from the syslog. (adamhl)

release/003.034 (2014-09-05)

    Use jimhenson1 for the Puppetmaster in /etc/puppet/puppet.conf for the
    new Puppet servers puppetdb* and puppetrepo*. (adamhl)

release/003.033 (2014-08-31)

    Add base::noipmi.  This allows "odd" machines to suppress loading ipmi
    support and running the exec that disables cipher zero.  (whm)

release/003.032 (2014-08-27)

    Remove yuelu from filter syslog exceptions.  (whm)

610
611
release/003.032 (2014-08-22)

    Update the backports preferences file to pull the perl remctl
    support from backports.  The newer module is required by the
    latest stanford-server package.  (whm)

release/003.031 (2014-07-04)

    Change the work directory used by rsyslog for disk queues to match
    the package default.  (whm)

    Change the queue.MaxFileSize to 100m to override the default of 1m
    in the default and ldap rsyslog fragments.  This will prevent the
    creation of many small files when the syslog server is
    unreachable.  (whm)

    Create /etc/facter/facts.d in puppetclient.  This is the default
    /etc directory for external facts on both Debian and RHEL.
    (jonrober)

release/003.030 (2014-07-07)

    Fix for IPMI on kernels >= 3.13.  (darrenp1)

    On each Puppet run on a system that enables IPMI, check if cipher
    zero is enabled and disable it if so.  (rra)
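
    An added example of the check behind such an exec, not the module's
    code: it parses the "Cipher Suite Priv Max" line printed by
    "ipmitool lan print <channel>", where each character is the maximum
    privilege granted to the cipher suite with that ID (position 0 is
    cipher suite 0; "X" means the suite is unused), and builds the
    "ipmitool lan set <channel> cipher_privs" command that turns suite 0
    off while leaving the other suites exactly as they are.  The ipmitool
    output is constructed.

```python
"""Detect whether IPMI cipher suite 0 (no authentication) is enabled on a BMC.

Added example, not the base module's exec.  Sample ipmitool output constructed.
"""
import re
from typing import List, Optional

# Constructed "ipmitool lan print 1" output: cipher suite 0 is still enabled
# (first character is "a", i.e. usable at ADMIN privilege).
SAMPLE_OPEN = """\
Set in Progress         : Set Complete
Auth Type Support       : MD5
IP Address Source       : Static Address
IP Address              : 10.0.0.20
Cipher Suite Priv Max   : aaaaXXaaaXXaaXX
"""

# Same BMC after remediation: position 0 is "X".
SAMPLE_CLOSED = "Cipher Suite Priv Max   : XaaaXXaaaXXaaXX\n"

# One character per cipher suite ID, in ipmitool's privilege codes
# (X unused, c callback, u user, o operator, a admin, O OEM).
PRIV_LINE = re.compile(r"^Cipher Suite Priv Max\s*:\s*([XcuoaO]+)\s*$", re.MULTILINE)


def cipher_privs(lan_print_output: str) -> str:
    """Extract the positional privilege string; fail loudly if it is absent."""
    m = PRIV_LINE.search(lan_print_output)
    if not m:
        raise ValueError("no 'Cipher Suite Priv Max' line: not a LAN channel?")
    return m.group(1)


def cipher_zero_enabled(lan_print_output: str) -> bool:
    """True when cipher suite 0 (no authentication, no integrity) is usable."""
    return cipher_privs(lan_print_output)[0] != "X"


def remediation(lan_print_output: str, channel: int = 1) -> Optional[List[str]]:
    """Command that disables suite 0 only, or None if nothing needs doing."""
    privs = cipher_privs(lan_print_output)
    if privs[0] == "X":
        return None
    return ["ipmitool", "lan", "set", str(channel), "cipher_privs", "X" + privs[1:]]


if __name__ == "__main__":
    print("cipher 0 enabled:", cipher_zero_enabled(SAMPLE_OPEN))
    print("fix:", " ".join(remediation(SAMPLE_OPEN)))
```

    In a Puppet exec this is the "onlyif" test; re-read "lan print" after
    the set, because some BMCs accept the command without applying it, and
    the check is per LAN channel, so hosts with more than one channel need
    it run for each.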

    Update ssh filter-syslog rules for current staff members.  (rra)

    Set the queue.TimeoutEnqueue parameter to zero for LDAP, TLS, and
    default rsyslog fragments.  Reformat the fragments for
    readability.  (whm)

release/003.029 (2014-06-17)

    Correct the new path for the RELP module fragment in
    base::syslog::tls_support. (whm)

release/003.028 (2014-06-17)

    Fix filter-syslog rules for rsyslog to ignore restart messages. (rra)

    Update ssh filter-syslog rules for current staff members and add
    another failed login pattern.  (rra)

    Add the squeeze-lts distribution to sources.list for squeeze systems.
    This is the long-term support archive, which provides extended
    security support.  (rra)

    Adjust highWater marking settings for remote rsyslog queues based
    on suggestions from rsyslog start messages. (whm)

    Add base::syslog::tls to support TLS/RELP connections between
    an rsyslog client and an rsyslog server. (whm)

release/003.027 (2014-05-23)

    Update the v5 rsyslog default to remove deprecation warnings on
    v7 systems.  (whm)

release/003.026 (2014-05-19)

    Change the default rsyslog configuration to assume v7 syntax.
    (whm)

    Update comments in remctl and ssh modules.  (rra)

release/003.025 (2014-05-12)

    Change the default transport for rsyslog v5 remote syslog message
    delivery to UDP.  This will result in message loss when the remote
    syslog server is unavailable, but it avoids the complexities of
    the v5 queue configuration.  (whm)

release/003.024 (2014-05-08)

    Backout one of the boolean changes because the original test
    never was for a boolean.  (whm)

release/003.023 (2014-05-07)

    Change handling of use_ parameters in rsyslog.pp to handle the
    cases where booleans must be tested as strings.  (whm from Darren)

release/003.022 (2014-05-05)

    Removed smtp-bypass iptables fragments. Moved them to the
    s_emailrouter class. (sfeng)

    Change the handling of the use_syslog_conf variable in the
    rsyslog.conf.erb template to allow the variable to be either a
    string or a boolean.  This works around a problem with puppet's
    handling of booleans in some situations.  (whm)

    Clean up puppet client ERB file to better handle servers like
    frankoz2-new. (adamhl)

    Ignore another new variation on ssh logs from wheezy.  (rra)

    Add dependencies in base::postfix::recipient on the postfix package so
    that the required directory structure will exist.  (rra)

    Remove base::kerberos filter-syslog rules.  These only had rules for
    ksu, which we no longer use, so they're now pointless.  (rra)

    Coding style cleanup for base::syslog::fragment, using the newer
    method for handling defines that should take both source and content.
    (rra)

    Added web-aws rule to block non-root users from accessing the
    metadata URL. (sfeng)
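
    As an added example, not the module's web-aws fragment (whose exact
    rule is not shown here), the audit below reads iptables-save output
    and reports whether locally generated traffic to 169.254.169.254 is
    rejected for everyone except uid 0.  The owner match only works in the
    OUTPUT chain, which is why that is the chain inspected.  The
    iptables-save text is constructed.

```python
"""Audit iptables-save output for a non-root block on the EC2 metadata address.

Added example, not the base module's iptables fragment; rule sets constructed.
"""
import shlex
from typing import Iterator, List, Optional, Tuple

METADATA_IP = "169.254.169.254"
ROOT = {"0", "root"}

# Constructed iptables-save output for a host with the guard in place:
# root is allowed through first, then everyone else is rejected.
GUARDED = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -d 169.254.169.254/32 -m owner --uid-owner 0 -j ACCEPT
-A OUTPUT -d 169.254.169.254/32 -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""

# Constructed output for a host where any local uid can read instance credentials.
UNGUARDED = """\
*filter
:OUTPUT ACCEPT [0:0]
-A OUTPUT -o lo -j ACCEPT
COMMIT
"""


def output_rules(save_text: str) -> Iterator[List[str]]:
    """Yield filter-table OUTPUT rules, tokenized, in evaluation order."""
    table = None
    for line in save_text.splitlines():
        if line.startswith("*"):
            table = line[1:].strip()
        elif table == "filter" and line.startswith("-A OUTPUT "):
            yield shlex.split(line)


def destination(tokens: List[str]) -> Optional[str]:
    """Destination address of a rule, without the prefix length."""
    for i, tok in enumerate(tokens[:-1]):
        if tok in ("-d", "--destination"):
            return tokens[i + 1].split("/")[0]
    return None


def owner_match(tokens: List[str]) -> Optional[Tuple[bool, str]]:
    """(negated, uid) for an `-m owner [!] --uid-owner UID` match, else None."""
    for i, tok in enumerate(tokens[:-1]):
        if tok == "--uid-owner":
            return (i > 0 and tokens[i - 1] == "!"), tokens[i + 1]
    return None


def target(tokens: List[str]) -> Optional[str]:
    return tokens[tokens.index("-j") + 1] if "-j" in tokens else None


def metadata_guarded(save_text: str) -> bool:
    """True if non-root traffic to the metadata address hits REJECT/DROP
    before any rule that would ACCEPT it."""
    for tokens in output_rules(save_text):
        if destination(tokens) != METADATA_IP:
            continue
        owner, tgt = owner_match(tokens), target(tokens)
        if tgt == "ACCEPT":
            if owner is not None and not owner[0] and owner[1] in ROOT:
                continue      # root-only accept: fine, keep looking for the block
            return False      # accepts someone other than root
        if tgt in ("REJECT", "DROP"):
            if owner is None or (owner[0] and owner[1] in ROOT):
                return True   # blocks everyone, or everyone but root
    return False              # fell through to the chain policy


if __name__ == "__main__":
    print("guarded:", metadata_guarded(GUARDED), metadata_guarded(UNGUARDED))
```

    IMDSv2 with a hop limit of 1 is the service-side complement to this
    rule on current instances, but it does not replace it for processes on
    the host itself: any local uid can still request a token, so the
    uid-based filter is what keeps instance credentials away from the web
    server or application account.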

    Default to the backports version of facter on wheezy systems to pick
    up the fix for detecting Xen VMs.  (rra)

    Modify the default rsyslog configuration for V7 servers.  The new
    configuration creates separate queues for writing to the local
    disk and sending to the remote syslog server.  This prevents
    messages from being lost when the central server is down and
    allows writing to local disk to continue.  (whm)

release/003.021 (2014-03-11)

    Fix cron issues on RHEL. (darrenp1)

release/003.020 (2014-03-05)

    Remove class that used lsdb-dev for dev Puppet CA (should have been
    removed a long time ago).  (adamhl)

release/003.019 (2014-02-27)

    Fix typo in resolv.conf.erb.  This change only affects some
    DNS servers.  (myl)

release/003.018 (2014-02-24)

    Set the default behavior for rsyslog to forward /etc/messages to
    the central syslog service, i.e. logsink.stanford.edu.  (whm)

release/003.017 (2014-02-24)

    Correct the rsyslog v7 template.  The template fix removes an
    extra space that was causing problems for filter-syslog parsing.
    This change also reverts the default behavior of forwarding
    syslog to the logsink servers.  (whm)

release/003.016 (2014-02-19)

    Added a new xinetd configuration file: stunnel. (adamhl)

release/003.015 (2014-02-17)

    Change the default rsyslog configuration to forward syslog
    messages to the central syslog server in addition to writing
    them locally.  Change the date format for syslog to RFC 3339
    format.
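
    An added example (not the base module's own fragment or template)
    that puts this entry and the release/003.022 queue change together:
    one rsyslog v7 fragment with RFC 3339 timestamps, a local-disk action
    on its own queue, and a disk-assisted forwarding queue that spools
    while logsink.stanford.edu is unreachable.  It uses a plain file
    resource rather than base::syslog::fragment, whose parameters are not
    spelled out here; the fragment name, the /var/spool/rsyslog work
    directory, port 514 and TCP transport are assumptions.

```puppet
# Added example, not the base module's own code.  rsyslog v7 RainerScript
# with two independent queues: local writes never block on the forwarder,
# and forwarded messages survive an outage of the central server.
#
# Assumptions: rsyslog 7 (from backports), fragments read from
# /etc/rsyslog.d, /var/spool/rsyslog writable by rsyslog, logsink on 514/tcp.
service { 'rsyslog':
  ensure => running,
}

file { '/etc/rsyslog.d/50-forward.conf':
  ensure  => file,
  owner   => 'root',
  group   => 'root',
  mode    => '0644',
  notify  => Service['rsyslog'],
  content => '# Disk-assisted queues need a writable work directory.
global(workDirectory="/var/spool/rsyslog")

# High-precision RFC 3339 timestamps for local files.
module(load="builtin:omfile" template="RSYSLOG_FileFormat")

# Queue 1: local disk.  Its own in-memory queue, so a stalled forwarder
# never blocks local writes.
*.* action(type="omfile" file="/var/log/messages"
           queue.type="LinkedList" queue.size="10000")

# Queue 2: central syslog server.  queue.filename turns the LinkedList
# queue into a disk-assisted one: messages spool to disk while the server
# is down, survive a restart, and drain when the connection comes back.
# RSYSLOG_ForwardFormat carries RFC 3339 timestamps on the wire.
*.* action(type="omfwd" target="logsink.stanford.edu" port="514"
           protocol="tcp" template="RSYSLOG_ForwardFormat"
           queue.type="LinkedList"
           queue.filename="fwd_logsink"
           queue.maxDiskSpace="1g"
           queue.saveOnShutdown="on"
           action.resumeRetryCount="-1"
           action.resumeInterval="30")
',
}
```

    Validate the result with rsyslogd -N1 before restarting.  To confirm
    the queues are really independent, block 514/tcp to the log server and
    keep logging: /var/log/messages continues to grow, spool files named
    fwd_logsink.* appear under /var/spool/rsyslog, and they drain once the
    block is removed.  action.resumeRetryCount="-1" matters: the default
    gives up after a few retries and discards the queued messages.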

release/003.014 (2014-02-12)

    Correct double variable reference in base::dns::dr-cache.  (whm)

release/003.013 (2014-02-12)

    Fix cut-and-paste error in defining base::dns::dr-cache.  (whm)

release/003.012 (2014-02-12)

    Fix doubly defined class and add missing in the dns support
    used by Livermore servers.  (whm)

release/003.011 (2014-02-12)

    Fix syntax error in the specification of the preferences file for
    rsyslog.  (whm)

release/003.010 (2014-02-11)

    Add an apt preferences file to use the rsyslog version from
    backports.  Remove preferences installation from the syslog
    module.  (whm)

release/003.009 (2014-02-10)

    Add code to generate a different resolv.conf for DNS servers.  (meeilee)

release/003.008 (2014-02-05)

    Update comment documentation in base::pam::workgroup.  Remove
    unused parameter and variables.  (whm)

    Correct the variable used to identify the syslog server to send
    output to in base::syslog::fragment.  (whm)

    Re-enable usage of DNS server at Livermore.  (whm)

release/003.007 (2014-02-04)

    Disable usage of DNS server at Livermore until the server is
    rebuilt.  (whm)

release/003.006 (2014-01-21)

    Correct template for rsyslog forwarding using v7 syntax.  (whm)

release/003.005 (2014-01-20)

    Lowercase the hostname when forming a Kerberos principal in the
    out-of-date cron job.  Some Networking systems use .Stanford.EDU in
    the official hostname.  (rra)

    Ignore more buggy power limit notifications from new Dell hardware.
    Several cases were missed in the previous change.  (rra)

    Fix for Ubuntu portmap / rpcbind service name.  (darrenp1)

    Update ntp.conf with IPv6 options.  (darrenp1)

    Update syslog support to allow transition to new configuration policy
    of putting all templates and output specifications in the rsyslog.d
    fragments directory.  (whm)

    Globally disable monlist in all the ntp.conf variations to protect
    against use of monlist to launch UDP-based DoS attacks.  This was
    probably already prevented by firewall rules, but may as well make
    sure.  (rra)
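
    An added example, not the base module's ntp.conf template, showing
    the permissive restrict line beside the hardened one that this entry
    and the IPv6 entry above amount to.  The upstream server line is a
    placeholder and the drift file path is an assumption.

```puppet
# Added example, not code from the base module.  ntp.conf with the weak
# setting left in as a comment beside the hardened one.
file { '/etc/ntp.conf':
  ensure  => file,
  owner   => 'root',
  group   => 'root',
  mode    => '0644',
  content => '# Placeholder upstream; replace with the site time servers.
server 0.pool.ntp.org iburst
driftfile /var/lib/ntp/ntp.drift

# WEAK (left commented out): without noquery, ntpd answers mode 7
# control requests such as monlist, which returns up to 600 recent client
# addresses for a single small request: a UDP amplifier for DoS attacks.
#restrict default kod nomodify notrap

# HARDENED: refuse control queries and peering from anywhere, on both
# address families, and switch the monitor list off altogether so there
# is nothing to hand out even if a restrict line is loosened later.
disable monitor
restrict -4 default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
',
}
```

    After a restart, ntpdc -n -c monlist <host> from another machine should
    return no entries or time out, while ntpq -p on the host itself still
    works because loopback is left unrestricted.  Keep the firewall rule
    too: disable monitor is the belt, the filter is the braces.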

release/003.004 (2013-12-03)

    Recognize Amazon EC2 instances as virtual for the purposes of not
    installing the IPMI kernel module.  (sfeng)

release/003.003 (2013-12-02)

    Remove the temp work file in the dell-warranty-facts cron job.
    (mgoll)

    Ignore buggy CPU core power limit notifications from new Dell
    hardware in default Debian filter-syslog rules.  (rra)

release/003.002 (2013-11-24)

    Make it simpler to override the default rsyslog behaviour.  Change
    the name of the default rsyslog fragment.  Add a default fragment for
    remote logging.  Correct path references to common syslog fragment
    templates.  (whm)

release/003.001 (2013-11-20)

    Correct syntax error in rsyslog.pp.  (whm)

release/003.000 (2013-11-19)

    Updates to base::syslog. Retire /etc/syslog.conf.  Modify
    /etc/rsyslog.conf so that it contains no input/output specifications.
    Create a fragments define to manage files in /etc/rsyslog.d.  Define
    one default fragment that replicates current behavior if no additional
    fragments are added.  (whm)

release/002.003 (2013-11-19)

    Fixes for Ubuntu: precise/raring vmguest open-vm-dkms, and os::ubuntu
    doesn't ensure logrotate cron removed (that is done in newsyslog).

    Just disable logrotate for all hosts including base::newsyslog instead
    of trying to remove it on Debian, Ubuntu, and Red Hat 4.  We keep
    running into other packages that depend on it, which makes removing it
    unnecessarily complex.  This means the base::logrotate::disabled class
    is now obsolete and has been removed.  Users of that class can just
    remove the include of that class.

    Map Ubuntu raring to wheezy instead of squeeze for the Stanford-local
    Debian repositories.

    In postfix-policyd, disable WHITELISTING for zimbra so ratelimit can
    be applied to zimbra servers.  This is required after we enforce
    ratelimit for smtp servers.

    Install a separate newsyslog configuration file for btmp so that its
    permissions can be set to 0660 while setting wtmp's to 0664.

    Remove obsolete blacklist-acct-accounts iptables template.

    Add validation check in newsyslog config.

release/002.002 (2013-09-10)

    Add support for a listen_addresses parameter to ssh::config::sshd that
    restricts sshd to listen to particular hosts.

    Add fix for Ubuntu (and others) in base::vmguest to install the right
    open-vm-tools package.

release/002.001 (2013-08-08)

    Add additional ignore patterns for failed ssh logins from IT Services
    staff, and ignore new ssh failure patterns seen in Debian wheezy.

    Use OpenAFS 1.6.5 in RHEL5 and RHEL6 yum repository configuration.

release/002.000 (2013-07-15)

    The deprecated classes base::newsyslog::messages::sa and
    base::newsyslog::messages::sa::override have been deleted.  Global
    overrides for the default base::newsyslog behavior should be put into
    the local defaults module instead.

    base::cron::filter-user-noise has been deleted.  This was specific to
    Research Computing systems and should be handled in that local
    repository.

    base::ssh::rc has been deleted.  This isn't part of any base::ssh
    inheritance tree and can live only in the Research Computing Puppet
    Git repository.

    The acceptable runtime for tmpreaper (used by base::tmpclean on Debian
    and Ubuntu) has been extended to 20 minutes globally, and the
    base::tmpclean::longer class, which existed only to do that, has been
    removed as unnecessary.  The longer runtime limit should not pose a
    problem on any system.

    The static crontab files installed by base::cron have been replaced
    with a template to handle differences between Red Hat and Debian.  The
    periodic cron jobs no longer even attempt to use anacron, avoiding any
    problems with unpredictable cron run times if anacron is installed on
    the system.

    Move campus anycast DNS servers to the bottom of the DNS server list
    for now.  These are not yet considered production DNS servers.

    Remove Kerberos filter-syslog rules for eklogind and kshd.

    base::daemontools::supervise now uses current coding standards and no
    longer special-cases various default options to some of its
    parameters.

    base::remctl no longer installs remctl-client.  This is going to be
    handled by the stanford-server-packages metapackage, and is
    independent of what's set up by this module.

release/001.002 (2013-07-10)

    newsyslog::config now supports a new analyze_logs parameter, which
    specifies the list of logs to run through the analyze action (when
    different than the list in logs).  analyze_logs defaults to logs if
    not given.

    Restructure the newsyslog::config template so that both the template
    and its output is somewhat more readable.

    newsyslog no longer sets up a weekly command to tar up
    /root/.history-save and removes /etc/newsyslog.weekly/audit if it
    exists.  We're no longer using per-user history files and we're
    letting bash handle managing the length of the history file.

    newsyslog now creates btmp and wtmp writable by group utmp, matching
    the operating system defaults.

    newsyslog no longer attempts to clean up sysklogd cron jobs or remove
    the old /etc/newsyslog.daily/syslog file installed by ancient versions
    of stanford-server.

    Append to the temporary file used for Dell warranty facts instead of
    deleting it and recreating it (which defeats some of the point of
    using mktemp).

    The default out-of-date cron job always uses the host/* principal of
    the local host for authentication instead of the first principal in
    /etc/krb5.keytab, which may be for some other principal or a host/*
    principal for an old hostname.

    Remove out-of-date::server.  This is only used on a single host, so
    all of the files and Puppet manifest have been moved to the Puppet
    model for that server.

    Change Puppet master server for frankoz servers to jimhenson1 since
    jimhenson4 is down with hardware trouble.

    Change the base::dns* classes to use a template to generate the
    resolv.conf file for a system and add the DNS anycast servers into
    the configuration.

release/001.001 (2013-06-25)

    Drop installation of stanford-klogin from base::os::debian.  We've
    switched completely to Kerberized ssh and no longer install Kerberos
    rlogin or rsh, so no need for the clients.

release/001.000 (2013-06-22)

    Enable the security and updates repositories for wheezy now that
    wheezy has been released.

    For Red Hat systems, switch to using the VMware tools packages and
    install the necessary yum configuration.

    Add filter-syslog rules for new remctl error messages and another sshd
    error message from terminated network connections.

    Add base::portmap.