Newer
Older
[postfix] Change the sender address for root mail from
"root@${::hostname}" to "root@${::fqdn}". This is needed by newer
versions of postfix and makes more sense anyway.
[wallet] Make wallet ketyab use the correct path for ktutil.
[duo] Change apt pin file to point to codename rather than archive
name. [adamhl]
[out_of_date] Add some parameters to the interface to make it easier
to point at different out-of-date servers. [adamhl]
[ssh] Change interface parameter. The parameter
base::ssh::extra_gssapi_only_users has been renamed to
base::ssh::extra_skip_duo_users to more accurately reflect what this
parameter does. Also, fix some whitespace messiness in
/etc/pam.d/sshd [adamhl]
[syslog] Add use_logsink_server parameter that allows servers to not
send logs to the logsink server. Once everyone is using Splunk, ELK,
etc., we will set this default to false. In the meantime, the default
is true. [adamhl]
[pam] Add "ensure" parameter to base::pam::debian to allow the
non-installation of some Kerberos-related PAM packages in the special
case of non-production Kerberos servers not synced with production
Kerberos environment. [adamhl]
release/005.010 (2017-10-02)
[kerberos] Use three rather than four "kdc" lines in
/etc/krb5.conf. [adamhl]
Starting the work to make the code Puppet 4 compatible. [adamhl]
[ssh] Add $extra_gssapi_only_users parameter listing any extra
accounts that should skip Duo (i.e., service accounts). [adamhl]
[postfix] Remove the transport lines which allowed stanford.edu mail
to route via published MX records, because that is moving entirely
off-campus Instead, just have everything go through smtp.stanford.edu
(which still has an on-campus presence). [akkornel]
release/005.009 (2017-07-07)
[ntp] Push "tinker-panic 0" to the top of the ntp.conf file to help
address the timekeeping problem with vmware. This means always reset
the clock, even if the new time is more than 1000s away from the
current system time. [ljlgeek]
[ssh] Add $max_sessions options. [adamhl]
[iptables] Ensure that port numbers are converted to strings inside
the rules erb file to avoid Ruby errors. [adamhl]
[kerberos] Allow kerberos kinit port number override for the "custom"
version of krb5.conf. Needed for the non-production kerberos
environments that don't use port 88. [adamhl]
Adam Lewenberg
committed
[kerberos] Add option to completely override /etc/krb5.conf using
the parameter 'source'. [adamhl]
[kerberos] Add a new defined resource type that makes it easier to
setup a krb5.conf file. The defined resource type is
base::kerberos::krb5_conf [adamhl]
[newsyslog] Pull out filter-syslog from newsyslog so filtersyslog can
be used separately from newsyslog. [adamhl]
[ssh] Change the method by which we specify a list of sunetids too
Adam Lewenberg
committed
filter via filter-syslog. If you install this version of base you will
need to add to hiera the list of sunetids whose authentication failure
warnings you want to continue ignoring. Otherwise, your root mail get
noisier. Because this only affects filter-syslog it has no affect on
the actual ssh service running on the server, so it is a very
low-impact change. [adamhl]
[ssh] Ignore a couple more innocuous sshd log lines. [adamhl]
[ssh] Add the parameter $pubkey to the ssh class to allow ssh key-pair
logins (this way you do not have to do class inheritance). Also add a
parameter to allow root users to login using ssh key-pairs. Both of
these parameters are set to have no effect by default. [adamhl]
[ssh] Add the parameter $ip_ranges. This is an array of iptable
addresses that are allowed to access port 22 on this server. [adamhl]
release/005.006 (2017-02-16)
[kerberos] Add support for the new kerberos environment 'qa'. [adamhl]
[kerberos] Add the option rdns_enabled so that Kerberos can be
configured not to require clients to do a reverse DNS lookup on the
hostname of a service principal. The default is set to true, so unless
specifically overridden to false Kerberos clients will behave as they
always have. [adamhl]
[kerberos] Change the master_kdc setting in krb5.conf to point to an
alias of the master (kerberos1). This will not change how the
configuration works, but makes it easier to change the ordering of the
replicas if, in the future, we need to. [adamhl]
release/005.004 (2017-01-09)
[os] Change the exec resource in the 'aptitude' staged
base::os::debian::apt class to have the name 'apt config aptitude
update' so that it will not interfere with other exec's of the same
name in the 'main' stage. [adamhl]
release/005.003 (2016-12-16)
[ssh] Add "@" to a few more variables on sshd_config.erb. [adamhl]
[ssh] Change the class "ssh::pam" to "base::ssh::pam". This should
only affect people who are setting ssh::pam variables via Hiera, or
via class parameters. Clients setting base::ssh variables in any
way are not affected. [akkornel]
[ssh] Add support for the pam_slurm module. This is for clients using
the SLURM job scheduler, and who want to prevent users from logging in
without an allocation. This is disabled by default. Also add the
pam_slurm_bypass parameter, which is a file containing a list of users
(one per line) who should not be blocked by pam_slurm. [aseishas]
[syslog] On Ubuntu, have files and directories by owned by the
"syslog" user, and the "adm" group.
[wallet] When running inside a Packer build, do not attempt to retrieve
things from wallet. [akkornel]
[os::debian] More @ symbols into ERB templates. [akkornel]
release/005.001 (2016-12-11)
Add "path" attributes to several exec resources. This will be required
in the next version of Puppet. [adamhl]
[puppetclient] Replace "local" variables in ERB templates with what is
really intended: instance variables defined in the calling manifest
(or defined as a Puppet fact). While currently not strictly necessary,
in a future version Puppet will stop interpreting ERB local variables
as instance variables, so we might as well fix them now. Furthermore,
when using "puppet apply" incorrect use of variables in templates
generates ugly red warnings, so fixing these now makes "puppet apply"
happier. [adamhl]
[puppetclient] Remove some conditional code that made sense when we
used very old versions of Puppet. [adamhl]
[ssh, syslog, xinetd] More instance variable cleanup. [adamhl]
[ipmi] When comparing lsbmajdistrelease to a Debian version, convert
lsbmajdistrelease to an integer first (otherwise, get Ruby
error). [adamhl]
[os/debian] Add parameter to allow the option of *not* including the
debian-stanford backports repository in the apt sources. [adamhl]
release/005.000 (2016-11-21)
This release has a number of breaking changes.
[duo] base::duo has been completely reworked into a type plus a common
class. Clients which use Duo for their own purposes should create an
instance of base::duo::config, which will create a Duo PAM config file for
them to use. See README.duo for more information.
[ipmi] A complete rework of base::ipmi. The base::noipmi class no
longer exists. Instead, IPMI support should be disabled by setting
base::ipmi::ensure to "absent". IPMI kernel modules, and ipmievd, should
still be automatically disabled on virtual systems, even when
"ensure => present"; in those cases, the IPMI client tools will still be
installed. Code has been updated for Debian 8 and Ubuntu 16.04.
[os/debian] All aptitude operations are now performed in a new phase,
called "aptitude". The "aptitude" phase is configured to run before
"main".
Clients which rely on aptitude being up-to-date must no longer
"require => Exec['aptitude update']". The nature of Puppet phases will
ensure that aptitude is already updated.
Clients installing their own custom sources are advised to move all of that
into separate classes, and to put those classes into a new phase of their
own. This new phase should "require => Stage['aptitude']" and
"before => Stage['main']", to ensure proper execution sequencing.
[os/debian] Add two Hiera-configurable parameters to base::os::debian::apt:
* apt_cache_notin_tmp. If true, use a different directory to store package
scripts that need to be run during package install/upgrade.
* apt_cache_tmp_dir. When apt_cache_notin_tmp is true, this is the
directory to use for package scripts.
[os/debian] Install the stanford-server package (this might trigger a
duplicate resource error if currently installed by other classes).
[postfix/sender] A new type: base::postfix::sender. This is similar to
base::postfix::recipient, except it is used to rewrite sender addresses
It is suggested that clients use base::postfix::sender to ensure that
emails sent 'from' "root@stanford.edu" or "root@hostname.stanford.edu" are
instead being sent 'from' either "noreply@stanford.edu" or
[ssh] A fairly large rework of SSH code. Support has been added for
treating "alternate accounts" (.root, .admin, root., and admin.) the same
as root. Code has also been updated to account for changes to base::duo.
Support has also been added to completely disable password authentication.
Support for Ed25519 keys is also included (though disabled by default).
Finally, pam_afs is now configurable: It can be disabled on systems that do
not use AFS.
See README.ssh for more information on how to use the code.
[sudo] Complete rework of base::sudo, including configurable support for
Duo. Anyone in the "sudo" or "wheel" group gets sudo access. If Duo is
enabled, anyone on a specified list is able to sudo without a password, but
with a two-step run. Fail-secure is supported, as is using the GECOS field
to specify the username that Puppet should actually use.
See README.sudo for more information on how to use the code.
[syslog] Some fixes for Ubuntu.
[os/debian] Fix the $PATH used by aptitude.
[puppetclient] Fix a filter-syslog regex error.
[ipmi] EL package requires (like EL6, EL7 only has available OpenIPMI,
and not OpenIPMI-tools. (jlent) Fix ipmievd configuration for Ubuntu.
[os] Update the Ubuntu-to-Debian mapping. (akkornel) Enable the
debian-stanford backports for Unbuntu distros based on Wheezy and Jessie.
(akkornel) Also add additional Ubuntu-specific backports. (akkornel)
Also remove daemontools as a default install on systemd Ubuntu. (akkornel)
[ntp] Add the SRCF time server, make sure NTP is installed, and disable
systemd-timesyncd on RHEL 8.
[xinetd] Make sure inetd is removed before xinetd is installed. (akkornel)
[wallet] Make sure the base::wallet::client class is included when
release/004.062 (2016-06-03)
[os] Fix references applicable to Oracle Linux
[cron] Address cron-related package not available on Oracle Linux
[puppetclient] Address lack of versionlock on Oracle Linux (jlent)
release/004.061 (2016-04-21)
[os] Add some parameters to the base::os::debian class to make apt use
a directory other than /tmp for its cache.
Reason: The apt utility when installing or uninstalling a package puts
its temporary files, including scripts it needs to execute, in
/tmp. If the /tmp partition is set to noexec (as recommended by
security advisors), then one cannot run any executable out of the /tmp
directory. The result is that the package install will not finish
properly. The new parameters in the base::os::debian class tell apt to
use /var/cache/apt/tmp as its temporary cache directory getting around
the /tmp noexec problem.
Note that the default is to continue using /tmp as apt's cache
directory, so upgrading to this version is safe. (adamhl)
release/004.060 (2016-04-04)
[kerberos] Add the mapping wst-web1-uat.stanford.edu -->
WINUAT.STANFORD.EDU in /etc/krb5.conf. (adamhl)
release/004.059 (2016-03-17)
[kerberos] Add the new non-production Windows Active Directory domain
WINUAT.STANFORD.EDU to /etc/krb5.conf. No other change to
/etc/krb5.conf, so this is a completely safe upgrade. (adamhl)
[dns] Remove Livermore-specific DNS (anycast works there now). (akkornel)
release/004.057 (2016-01-11)
[puppetclient] strip special treatment for Puppet 2.X hosts (jlent)
[pam] Stop overriding common PAM files with Debian jessie. (akkornel)
[ssh] Misc. filter-syslog cleanups. (akkornel)
[sudo] Add an option to support sudo-with-Duo. (adamhl)
[duo] New class to load Duo code and wallet object. (adamhl)
[ssh] Add pam_duo option to enable Duo for ssh regular logins (adamhl)
[puppetclient] Add an option to override the certname in the [agent]
section.
[dns] Rewrite base::dns::cache so that it uses dnsmasq on jessie
[systemd] New class to allow systemd daemon reloads. (adamhl)
[dns] Changes Livermore detection to use the system's primary IP address,
instead of using a manually-set parameter. (akkornel)
[kerberos] Automatically determine if we are in Livermore; if we are, place
the Livermore-based KDC at the top of the list. (akkornel)
Clients who are using the base::kerberos::dr class should immediately switch
to using base::kerberos. base::kerberos::dr is deprecated.
[kerberos] Add two parameters to the base::kerberos class. The first
is used to force the kerberos client to prefer TCP over UDP. The
second allows one to indicate which kerberos environment to use: prod,
test, or uat. In both cases, the defaults are such that the krb5.conf
will continue to have the same contents as before the addition of
these parameters.
release/004.053 (2015-07-28)
[rpm] Adding a dag-EL7.repo file so that EL7 hosts can get a
valid repo file based on the existing logic of the manifest (jlent)
release/004.052 (2015-07-27b)
[iptables] Add an "include base::iptables" to base::iptables::rule
define so it will run correctly by itself. (adamhl)
release/004.051 (2015-07-27)
[os] Small fix in base::os::debian to one of the systemd-related
syslog-filter regexes (akkornel)
[kerberos] Change the configuration for the WIN.SLAC.STANFORD.EDU domain,
as per Kent Reuber (see INC000003427399) (akkornel)
[rpm] Remove EL6 package requires of yum-plugin-downloadonly, since
yum-3.2.29-69 includes this plugin and obsoletes the individual
package (thus putting the puppet ensure in a loop) (jlent)
[rpm] Making available openafs-1.6.{7,8}-EL{5,6,7}.repo files
pointing to yum.stanford.edu. Also edited rpm.pp to reflect that
EL7 hosts should get 1.6.8 by default (jlent)
release/004.049 (2015-07-22)
[os] Small fix to the 'ping' capability adjustment: grep -v does not
return 0 on success, so changed "onlyif" to "unless" (adamhl)
[os] Enable the jessie-backports Stanford debian repository sources
file /etc/apt/sources.list.d/backports.list (now that jessie-backports
is available) (adamhl)
[newsyslog] Change permissions of /var/log/btmp to '600' in RHEL
systems so that sshd stops complaining. This is because RHEL builds
of openssh are paranoid about the frequency that passwords are
mistakenly entered as usernames. If the utmp group is compromised,
there could be enough context to get real account credentials (jlent)
[dns] Make dns_cache a class-level parameter, so that it can be set in
Hiera (as base::dns::dns_cache) (akkornel)
[dns] Add support for Livermore, via Hiera. Set base::dns::livermore (in
Hiera) to true, and Livermore DNS gets added to resolv.conf (akkornel)
[dns] Add support for disabling Puppet management of resolv.conf, for
systems using DHCP (akkornel)
[remctl] Require remctl-server package be installed before installing
xinetd config (akkornel)
[os] Adjust capability on 'ping' to allow non-root users to use
this utility on Jessie systems (jlent)
[os] Start filtering systemd-related messages from syslog (akkornel)
[rpm] re-enable the rhn plugin for bonafide RHEL hosts, since with
the new licensing, updates will come from RHN classic (jlent)
[syslog] Have filter-syslog ignore some systemd log messages; fix an
@-template deprecation warning (adamhl)
release/004.045 (2015-06-02)
[rpm] Removing the ensures that continue to push out the
RHEL OS repositories previously hosted on yum, since we no
no longer have our RedHat licensing agreement. Any one-off
hosts with new keys will need to point at a cloud-based
instance anyway (jlent)
[os/centos] Changing the group name for GID 37 back to
rpm, as it is in RedHat proper (jlent)
[vmguest] Add a parameter to allow the non-installation of the
tripwire client. (adamhl)
Add some @'s to some instance variables in a couple of template
files. (adamhl)
[dns] Remove the legacy "C" DNS servers from resolv.conf. Networking is
shutting down these servers on November 1, and will start notifying admins
in May. (akkornel)
[os] In wheezy, when CRON logs to syslog it appears as
"/USR/BIN/CRON[12345]". With jessie, however, this has changed and the
syslog entry now looks like "CRON[12345]". So, we add a new rule in the
filter-syslog debian file to capture this new format. (adamhl)
[syslog] jessie has changed how rsyslogd logs to syslog so we change
filter-syslog a bit to handle this format change. (adamhl)
release/004.042 (2015-05-04)
[ntp] Remove obsolete host references from ntp.conf. Also,
remove iptables rules allowing inbound ntp connections to
servers. (whm)
[iptables] Remove obsolete fragments for ldap and AFS file
servers. (whm)
release/004.041 (2015-04-29)
[portmap] Minor edit to insist that EL7 gets rpcbind, as does
EL6, instead of portmap (jlent)
[os] Edited conditional in sources.list.erb to allow Jessie hosts
to get the expected Stanford-hosted Debian repositories (jlent)
[vmguest] VMWare does not package vmware-tools-esx-nox for EL7. They
instead recommend the use of open-vm-tools. Added a condition
and refactored vmguest.pp appropriately. Also, change to
portmap.pp. EL7, like EL6, requires rpcbind and not portmap (jlent)
release/004.040 (2015-04-21)
Correct spelling mistake introduced in release/004.038. (whm)
release/004.039 (2015-04-21)
Correct install of emacs on jessie systems. (whm)
release/004.038 (2015-04-20)
Make sure that the rsyslog preferences file is installed only on
wheezy systems. (whm)
release/004.037 (2015-04-20)
Remove lenny and older references from tftp_client, os::debian,
postfix, syslog, and pam. (whm)
release/004.036 (2015-04-14)
[os][rpm] Support CentOS via its own class, stub an OEL
class, small fixes to redhat.pp to be generic enough for use
by these RHEL-ish operating systems, edits to allow EL7-
specific repository inclusions {and exclusions} (jlent)
[ipmi] Re-endable ipmievd on jessie by setting the options
correctly. (whm)
[yumtools] Minor fix for RHEL5 and yum plugins. (jlent)
[cron] Add parameter to base::cron to allow anacron package to be
installed (helpful for Ubuntu systems with ubuntu-desktop
package). (adamhl)
[ipmi] Don't attempt to run ipmievd on jessie. It doesn't appear
to be available. (whm)
release/004.033 (2015-03-13)
Modify the base::ssh::config::sshd define to allow the
specification of content or source. This is required to support
host with special ssh requirements like systems that use duo. (whm)
Fix a missed hyphen in reference to class fragment-template in
defense.pp. (adamhl)
[dns] Refactor dns into several files and a fix a small
typo. (adamhl)
Fix a few more deprecation warnings concering instance variables
(i.e., add '@'s in ERB files) (adamhl)
release/004.031 (2015-03-02)
Beginning of work to support RHEL-ish operating systems
such as CentOS and Oracle Linux. The most common change
involves converting 'operatingsystem' variable/fact usage
to 'osfamily'. These changes were made safely as not to
potentially affect any existing hosts. There may be some
additional refinements when CentOS and Oracle hosts come
online; for now, we're assuming they act identical to RHEL.
Additionally modified puppetclient.pp to support version
locking of puppet and facter versions on RHEL systems.
Added one additional manifest to facilitate this.
Removed references to darrenp1 and rra in a filter-syslog file
(adamhl)
release/004.029 (2015-02-24d)
[rpm][yumtools] - slight reorganization involving which
manifest actually installs the yum versionlock package (jlent)
release/004.028 (2015-02-24c)
[puppetclient] Undo the basemodulepath configuration directive
setting from release/004.027. The default basemodulepath is fine.
(adamhl)
release/004.027 (2015-02-24b)
[puppetclient] Set up basemodulepath configuration directive for
puppetservice1-dev (adamhl)
release/004.026 (2015-02-24a)
[yumtools] added new group of yum-related
commands that can be used to manage package
pins, groups, yum plugins and gpg keys
[rpm] regression of the ensure of the
versionlock.list file. A blank version of this
file is already installed with yum-*-versionlock,
and since a single file is used for all current
and future pinnings, one-off manual pins may
get overwritten via delivery of a flat file (jlent)
release/004.024 (2015-02-20)
[rpm] slight fix to release 023 in the rpm repo
template file name (jlent)
release/004.023 (2015-02-20)
[rpm] Added ensures to pull in the Stanford PuppetLabs
repo on all RHEL-ish hosts. Also ensure that packages
yum-utils and yum-plugin-versionlock are installed to
assist in yum configurations such as package locking.
'versionlock' file is just stubbed for now, and will
be expanded in the future (jlent)
[syslog] Correct template names for the impstats fragments that
support debugging rsyslog problems. Update the documentation in
the base::syslog::fragment to make debugging a bit easier.
release/004.021 (2015-02-17)
[puppetclient] Filter out "Retrieving pluginfacts" puppet-agent
messages using filter-syslog. (adamhl)
Update references in motd and newsyslog to follow puppet3
release/004.019 (2015-02-05)
Remove obsolete iptables fragment files. (whm)
release/004.018 (2015-02-03)
Change syslog tls support to follow host base naming conventions
for wallet objects. (whm)
release/004.017 (2015-01-30)
[dns] More instance variable @ fixes for resolv.conf.erb. (adamhl)
release/004.016 (2015-01-23)
Another fix for lsb package names on RHEL. (darrenp1)
release/004.015 (2015-01-16)
Fix comments and class names to use underscore, not hyphens. (darrenp1)
release/004.014 (2015-01-16)
[dns] Instance variable @ fixes for resolv.conf.erb. (adamhl)
release/004.013 (2015-01-08b)
[postfix] Fix master.cf config file for CentOS; break class out of
postfix.pp into postfix/server.pp. (adamhl)
release/004.012 (2015-01-08)
Add 4 new rsyslog formats to the templates available:
FromHostFileFormat, FromHostForwardFormat, FromIPFileFormat, and
FromHostFileFormat. (whm)
release/004.011 (2015-01-02)
[iptables] Fix @'s in iptables template file rule.erb. (adamhl)
release/004.010 (2014-12-22)
Fix @ in an iptables template file. (adamhl)
release/004.009 (2014-12-17)
Fix for $::fqdn_lc across module. (darrenp1)
release/004.008 (2014-12-11)
[os] Fix for RHEL lsb package names for different releases. (darrenp1)
release/004.007 (2014-12-05)
Several changes to support CentOS. (adamhl)
Fix another @ in a template file. (adamhl)
release/004.006 (2014-12-05)
[puppetclient] Install ruby-json on wheezy systems (recently patched
wheezy systems with Puppet 2.x require ruby-json to avoid
annoying error messages). (adamhl)
release/004.005 (2014-11-21)
[dns] Change the order of the nameservers and move the anycast
servers to the top of the list. (whm)
[ssh] Allow the PermitRootLogin to be set to "yes" (defaults to usual
setting of "without-password").
[os] replace some variables in template files with their "@" versions.
(adamhl)
release/004.004 (2014-11-07)
[syslog::tls] Restructure code to support Puppet 3's scoping
rules. The change required means that existing manifests that use
the base::syslog::tls resource will need to add the
base::syslog::tls_ca_cert resource.
[cron] replace "operatingsystem" with "@operatingsystem" in
crontab.erb. (adamhl)
release/004.003 (2014-11-06)
Adam Lewenberg
committed
[puppetclient] Only put the database account credentials in
/etc/puppet/puppet.conf for the (old) Puppet 2.x servers. (adamhl)
[puppetclient] Update the check-puppet hourly cron job for
Puppet 3. (adamhl)
[puppetclient] Have filter-syslog ignore a new innocuous message from
puppet-agent. (adamhl)
[wallet] Change file permissions to 4-digit string, refactor, and fix
puppet-lint warnings for base::wallet.
[os] Update sources files to support jessie. (whm)
[puppetclient] Break out some classes into their own files; redefine
puppetclass::dev to point to the Puppet 3 development
servers. (adamhl)
release/004.001 (2014-10-14)
The Great Hyphen Hunt. Change hyphens in class names to underscores.
(adamhl)
release/003.037 (unreleased)
Switch os curl package to include packages::curl to avoid duplicate
definition. (darrenp1)
[puppetclient] Add puppetservice* servers to list of servers that can
download Puppet DB credentials. Add a new ACL to auth.conf that was
introduced in Puppet 3. (adamhl)
[puppetclient] Add new class base::puppetclient::puppetlabs_repo that
makes the Puppet Labs Debian repository available. (adamhl)
[apt_key] Move apt_key from a local module into base. (adamhl)
release/003.036 (2014-09-10)
Use jimhenson1 for the Puppetmaster in /etc/puppet/puppet.conf for the
new Puppet servers puppetservice*. (adamhl)
release/003.035 (2014-09-10)
Filter out some innocuous rsyslog messages from the syslog. (adamhl)
release/003.034 (2014-09-05)
Use jimhenson1 for the Puppetmaster in /etc/puppet/puppet.conf for the
Add base::noipmi. This allows "odd" machines to suppress loading ipmi
support and running the exec that disables cipher zero. (whm)
release/003.032 (2014-08-27)
Remove yuelu from filter syslog exceptions. (whm)
Update the backports preferences file to pull the perl remctl
support from backports. The newer module is required by the
latest stanford-server package. (whm)
Change the work directory used by rsyslog for disk queues to match
the package default. (whm)
Change the queue.MaxFileSize to 100m to override the default of 1m
in the default and ldap rsyslog fragments. This will prevent the
creation of many small files when the syslog server is
unreachable. (whm)
Create /etc/facter/facts.d in puppetclient. This is the default
/etc directory for external facts on both Debian and RHEL.
(jonrober)
release/003.030 (2014-07-07)
Fix for IPMI on kernels >= 3.13. (darrenp1)
On each Puppet run on a system that enables Puppet, check if cipher
zero is enabled and disable it if so. (rra)
Update ssh filter-syslog rules for current staff members. (rra)
Set the queue.TimeoutEnqueue parameter to zero for LDAP, TLS, and
default rsyslog fragments. Reformat the fragments for
readability. (whm)
release/003.029 (2014-06-17)
Correct path new for RELP module fragment in
base::syslog::tls_support. (whm)
release/003.028 (2014-06-17)
Fix filter-syslog rules for rsyslog to ignore restart messages. (rra)
Update ssh filter-syslog rules for current staff members and add
another failed login pattern. (rra)
Add the squeeze-lts distribution to sources.list for squeeze systems.
This is the long-term support archive, which provides extended
security support. (rra)
Adjust highWater marking settings for remote rsyslog queues based
on suggestions from rsyslog start messages. (whm)
Add base::syslog::tls to support TLS/RELP connections between
an rsyslog client and an rsyslog server. (whm)
Update the v5 rsyslog default to remove depreciated warnings on
release/003.026 (2014-05-19)
Change the default rsyslog configuration to assume v7 syntax.
(whm)
Update comments in remctl and ssh modules. (rra)
release/003.025 (2014-05-12)
Change the default transport for rsyslog v5 remote syslog message
delivery to UDP. This will result in message loss when the remote
syslog server is unavailable, but it avoids the complexities of
the v5 queue configuration. (whm)
release/003.024 (2014-05-08)
Backout one of the boolean changes because the original test
never was for a boolean. (whm)
release/003.023 (2014-05-07)
Change handling of use_ parameters in rsyslog.pp to handle the
cases where booleans must be tested as strings. (whm from Darren)
Removed smtp-bypass iptable fragments. Move it to s_emailrouter
class. (sfeng)
Change the handling of the use_syslog_conf variable in the
rsyslog.conf.erb template to allow the variable to be either a
string or a boolean. This works around a problem with puppet's
handling of booleans in some situations. (whm)
Clean up puppet client ERB file to better handle servers like
frankoz2-new. (adamhl)
Ignore another new variation on ssh logs from wheezy. (rra)
Add dependencies in base::postfix::recipient on the postfix package so
that the required directory structure will exist. (rra)
Remove base::kerberos filter-syslog rules. These only had rules for
ksu, which we no longer use, so they're now pointless. (rra)
Coding style cleanup for base::syslog::fragment, using the newer
method for handling defines that should take both source and content.
(rra)
Added web-aws rule to block non-root user to access metadata URL.
(sfeng)
Default to the backports version of facter on wheezy systems to pick
up the fix for detecting Xen VMs. (rra)
Modify the default rsyslog configuration for V7 servers. The new
configuration creates a separate queues for writing to the local
disk and sending to the remote syslog server. This prevents
messages from being lost when the central server is down and
allows writing to local disk to continue. (whm)
release/003.021 (2014-03-11)
Fix cron issues on RHEL. (darrenp1)
Remove class that used lsdb-dev for dev Puppet CA (should have been
removed a long time ago). (adamhl)
fix typo in reolv.conf.erb. This changes only affect some
DNS servers. (myl)
release/003.018 (2014-02-24)
Set the default behavior for rsyslog to forward /etc/messages to
the central syslog service, i.e. logsink.stanford.edu. (whm)
release/003.017 (2014-02-24)
Correct rsyslog v7 template. The template fix removes an
extra space that is causing problem for filter syslog parsing.
This change also reverts the default behavior of forwarding
syslog to the logsink servers. (whm)
release/003.016 (2014-02-19)
Added a new xinetd configuration file: stunnel. (adamhl)
release/003.015 (2014-02-17)
Change the default rsyslog configuration to forward syslog
messages to the central syslog server in addition to writing
them locally. Change the date format for syslog to RFC 3399
format.
release/003.014 (2014-02-12)
Correct double variable reference in base::dns::dr-cache. (whm)
release/003.013 (2014-02-12)
Fix cut and past error in defining base::dns::dr-cache. (whm)
release/003.012 (2014-02-12)
Fix doubly defined class and add missing in the dns support
used by Livermore servers. (whm)
release/003.011 (2014-02-12)
Fix syntax error specification of preferences file for rsyslog.
(whm)
release/003.010 (2014-02-11)
Add an apt preferences file to use the rsyslog version from
backports. Remove preferences installation from the syslog
release/03.009 (2014-02-10)
add code to generate different resolv.conf for DNS servers. (meeilee)
release/003.008 (2014-02-05)
Update comment documentation in base::pam::workgroup. Remove
unused parameter and variables. (whm)
Correct variable used to identified the syslog server to send
output to in base::syslog::fragment. (whm)
Re-enable usage of DNS server at Livermore. (whm)
release/003.007 (2014-02-04)
Disable usage of DNS server at Livermore until the server is
rebuild. (whm)
release/003.006 (2014-01-21)
Correct template for rsyslog forwarding using v7 syntax. (whm)
release/003.005 (2014-01-20)
Lowercase the hostname when forming a Kerberos principal in the
out-of-date cron job. Some Networking systems use .Stanford.EDU in
the official hostname. (rra)
Ignore more buggy power limit notifications from new Dell hardware.
Several cases were missed in the previous change. (rra)
Fix for Ubuntu portmap / rpcbind service name. (darrenp1)
Update ntp.conf with IPv6 options. (darrenp1)
Update syslog support to allow transition to new configuration policy
of putting all templates and output specifications in the rsyslog.d
fragments directory. (whm)
Globally disable monlist in all the ntp.conf variations to protect
against use of monlist to launch UDP-based DoS attacks. This was
probably already prevented by firewall rules, but may as well make
sure. (rra)
Recognize Amazon EC2 instances as virtual for the purposes of not
installing the IPMI kernel module. (sfeng)
Remove the temp work file in the dell-warranty-facts cronjob.
(mgoll)
Ignore buggy CPU core power limit notifications from new Dell
hardware in default Debian filter-syslog rules. (rra)
Make it simpler to override the default rsyslog behaviour. Change
the name of the default rsyslog fragment. Add a default fragment for
remote logging. Correct path references to common syslog fragment
templates. (whm)