release/03.009 (2014-02-10)

    Add code to generate different resolv.conf for DNS servers.  (meeilee)

release/003.008 (2014-02-05)

    Update comment documentation in base::pam::workgroup.  Remove
    unused parameter and variables.  (whm)

    Correct variable used to identify the syslog server to send
    output to in base::syslog::fragment.  (whm)

    Re-enable usage of DNS server at Livermore. (whm)

release/003.007 (2014-02-04)

    Disable usage of DNS server at Livermore until the server is
    rebuilt.  (whm)

release/003.006 (2014-01-21)

    Correct template for rsyslog forwarding using v7 syntax.  (whm)

release/003.005 (2014-01-20)

    Lowercase the hostname when forming a Kerberos principal in the
    out-of-date cron job.  Some Networking systems use .Stanford.EDU in
    the official hostname.  (rra)

    Ignore more buggy power limit notifications from new Dell hardware.
    Several cases were missed in the previous change.  (rra)

    Fix for Ubuntu portmap / rpcbind service name.  (darrenp1)

    Update ntp.conf with IPv6 options.  (darrenp1)

    Update syslog support to allow transition to new configuration policy
    of putting all templates and output specifications in the rsyslog.d
    fragments directory.  (whm)

    Globally disable monlist in all the ntp.conf variations to protect
    against use of monlist to launch UDP-based DoS attacks.  This was
    probably already prevented by firewall rules, but may as well make
    sure.  (rra)

release/003.004 (2013-12-03)

    Recognize Amazon EC2 instances as virtual for the purposes of not
    installing the IPMI kernel module.  (sfeng)

release/003.003 (2013-12-02)

    Remove the temp work file in the dell-warranty-facts cronjob.
    (mgoll)

    Ignore buggy CPU core power limit notifications from new Dell
    hardware in default Debian filter-syslog rules.  (rra)

release/003.002 (2013-11-24)

    Make it simpler to override the default rsyslog behaviour.  Change
    the name of the default rsyslog fragment.  Add a default fragment for
    remote logging.  Correct path references to common syslog fragment
    templates.  (whm)

release/003.001 (2013-11-20)

    Correct syntax error in rsyslog.pp.  (whm)

release/003.000 (2013-11-19)

    Updates to base::syslog. Retire /etc/syslog.conf.  Modify
    /etc/rsyslog.conf so that it contains no input/output specifications.
    Create a fragments define to manage files in /etc/rsyslog.d.  Define
    one default fragment that replicates current behavior if no additional
    fragments are added.  (whm)

release/002.003 (2013-11-19)

    Fixes for Ubuntu: precise/raring vmguest open-vm-dkms, and os::ubuntu
    doesn't ensure logrotate cron removed (that is done in newsyslog).

    Just disable logrotate for all hosts including base::newsyslog instead
    of trying to remove it on Debian, Ubuntu, and Red Hat 4.  We keep
    running into other packages that depend on it, which makes removing it
    unnecessarily complex.  This means the base::logrotate::disabled class
    is now obsolete and has been removed.  Users of that class can just
    remove the include of that class.

    Map Ubuntu raring to wheezy instead of squeeze for the Stanford-local
    Debian repositories.

    In postfix-policyd, disable WHITELISTING for zimbra so ratelimit can
    be applied to zimbra servers.  This is required after we enforce
    ratelimit for smtp servers.

    Install a separate newsyslog configuration file for btmp so that its
    permissions can be set to 0660 while setting wtmp's to 0664.

    Remove obsolete blacklist-acct-accounts iptables template.

    Add validation check in newsyslog config.

release/002.002 (2013-09-10)

    Add support for a listen_addresses parameter to ssh::config::sshd that
    restricts sshd to listen to particular hosts.

    Add fix for Ubuntu (and others) in base::vmguest to install the right
    open-vm-tools package.

release/002.001 (2013-08-08)

    Add additional ignore patterns for failed ssh logins from IT Services
    staff, and ignore new ssh failure patterns seen in Debian wheezy.

    Use OpenAFS 1.6.5 in RHEL5 and RHEL6 yum repository configuration.

release/002.000 (2013-07-15)

    The deprecated classes base::newsyslog::messages::sa and
    base::newsyslog::messages::sa::override have been deleted.  Global
    overrides for the default base::newsyslog behavior should be put into
    the local defaults module instead.

    base::cron::filter-user-noise has been deleted.  This was specific to
    Research Computing systems and should be handled in that local
    repository.

    base::ssh::rc has been deleted.  This isn't part of any base::ssh
    inheritance tree and can live only in the Research Computing Puppet
    Git repository.

    The acceptable runtime for tmpreaper (used by base::tmpclean on Debian
    and Ubuntu) has been extended to 20 minutes globally, and the
    base::tmpclean::longer class, which existed only to do that, has been
    removed as unnecessary.  The longer runtime limit should not pose a
    problem on any system.

    The static crontab files installed by base::cron have been replaced
    with a template to handle differences between Red Hat and Debian.  The
    periodic cron jobs no longer even attempt to use anacron, avoiding any
    problems with unpredictable cron run times if anacron is installed on
    the system.

    Move campus anycast DNS servers to the bottom of the DNS server list
    for now.  These are not yet considered production DNS servers.

    Remove Kerberos filter-syslog rules for eklogind and kshd.

    base::daemontools::supervise now uses current coding standards and no
    longer special-cases various default options to some of its
    parameters.

    base::remctl no longer installs remctl-client.  This is going to be
    handled by the stanford-server-packages metapackage, and is
    independent of what's set up by this module.

release/001.002 (2013-07-10)

    newsyslog::config now supports a new analyze_logs parameter, which
    specifies the list of logs to run through the analyze action (when
    different than the list in logs).  analyze_logs defaults to logs if
    not given.

    Restructure the newsyslog::config template so that both the template
    and its output are somewhat more readable.

    newsyslog no longer sets up a weekly command to tar up
    /root/.history-save and removes /etc/newsyslog.weekly/audit if it
    exists.  We're no longer using per-user history files and we're
    letting bash handle managing the length of the history file.

    newsyslog now creates btmp and wtmp writable by group utmp, matching
    the operating system defaults.

    newsyslog no longer attempts to clean up sysklogd cron jobs or remove
    the old /etc/newsyslog.daily/syslog file installed by ancient versions
    of stanford-server.

    Append to the temporary file used for Dell warranty facts instead of
    deleting it and recreating it (which defeats some of the point of
    using mktemp).

    The default out-of-date cron job always uses the host/* principal of
    the local host for authentication instead of the first principal in
    /etc/krb5.keytab, which may be for some other principal or a host/*
    principal for an old hostname.

    Remove out-of-date::server.  This is only used on a single host, so
    all of the files and Puppet manifest have been moved to the Puppet
    model for that server.

    Change Puppet master server for frankoz servers to jimhenson1 since
    jimhenson4 is down with hardware trouble.

    Change the base::dns* classes to use a template to generate the
    resolv.conf file for a system and add the DNS anycast servers into
    the configuration.

release/001.001 (2013-06-25)

    Drop installation of stanford-klogin from base::os::debian.  We've
    switched completely to Kerberized ssh and no longer install Kerberos
    rlogin or rsh, so no need for the clients.

release/001.000 (2013-06-22)

    Enable the security and updates repositories for wheezy now that
    wheezy has been released.

    For Red Hat systems, switch to using the VMware tools packages and
    install the necessary yum configuration.

    Add filter-syslog rules for new remctl error messages and another sshd
    error message from terminated network connections.

    Add base::portmap.