Commit c69f4739 authored by Adam Lewenberg's avatar Adam Lewenberg
Browse files

add path attribtues to exec resources in several places

parent e03c5185
release/005.001 (2016-12-07)
Add "path" attributes to several exec resources. This will be required
in the next version of Puppet [adamhl].
release/005.000 (2016-11-21)
This release has a number of breaking changes.
[duo] base::duo has been completely reworked into a type plus a common
class. Clients which use Duo for their own purposes should create an
instance of base::duo::config, which will create a Duo PAM config file for
[duo] base::duo has been completely reworked into a type plus a common
class. Clients which use Duo for their own purposes should create an
instance of base::duo::config, which will create a Duo PAM config file for
them to use. See README.duo for more information.
[ipmi] A complete rework of base::ipmi. The base::noipmi class no
longer exists. Instead, IPMI support should be disabled by setting
base::ipmi::ensure to "absent". IPMI kernel modules, and ipmievd, should
[ipmi] A complete rework of base::ipmi. The base::noipmi class no
longer exists. Instead, IPMI support should be disabled by setting
base::ipmi::ensure to "absent". IPMI kernel modules, and ipmievd, should
still be automatically disabled on virtual systems, even when
"ensure => present"; in those cases, the IPMI client tools will still be
"ensure => present"; in those cases, the IPMI client tools will still be
installed. Code has been updated for Debian 8 and Ubuntu 16.04.
[os/debian] All aptitude operations are now performed in a new phase,
called "aptitude". The "aptitude" phase is configured to run before
[os/debian] All aptitude operations are now performed in a new phase,
called "aptitude". The "aptitude" phase is configured to run before
"main".
Clients which rely on aptitude being up-to-date must no longer
"require => Exec['aptitude update']". The nature of Puppet phases will
"require => Exec['aptitude update']". The nature of Puppet phases will
ensure that aptitude is already updated.
Clients installing their own custom sources are advised to move all of that
into separate classes, and to put those classes into a new phase of their
Clients installing their own custom sources are advised to move all of that
into separate classes, and to put those classes into a new phase of their
own. This new phase should "require => Phase['aptitude']" and
"before => Phase['main']", to ensure proper execution sequencing.
[os/debian] Add two Hiera-configurable parameters to base::os::debian::apt:
* apt_cache_notin_tmp. If true, use a different directory to store package
* apt_cache_notin_tmp. If true, use a different directory to store package
scripts that need to be run during package install/upgrade.
* apt_cache_tmp_dir. When apt_cache_notin_tmp is true, this is the
* apt_cache_tmp_dir. When apt_cache_notin_tmp is true, this is the
directory to use for package scripts.
[postfix/sender] A new type: base::postfix::sender. This is similar to
base::postfix::recipient, except it is used to rewrite sender addresses
base::postfix::recipient, except it is used to rewrite sender addresses
instead of recipient addresses.
It is suggested that clients use base::postfix::sender to ensure that
emails sent 'from' "root@stanford.edu" or "root@hostname.stanford.edu" are
instead being sent 'from' either "noreply@stanford.edu" or
It is suggested that clients use base::postfix::sender to ensure that
emails sent 'from' "root@stanford.edu" or "root@hostname.stanford.edu" are
instead being sent 'from' either "noreply@stanford.edu" or
"shared-mailbox@stanford.edu".
[ssh] A fairly large rework of SSH code. Support has been added for
treating "alternate accounts" (.root, .admin, root., and admin.) the same
as root. Code has also been updated to account for changes to base::duo.
Support has also been added to completely disable password authentication.
Support for Ed25519 keys is also included (though disabled by default).
Finally, pam_afs is now configurable: It can be disabled on systems that do
[ssh] A fairly large rework of SSH code. Support has been added for
treating "alternate accounts" (.root, .admin, root., and admin.) the same
as root. Code has also been updated to account for changes to base::duo.
Support has also been added to completely disable password authentication.
Support for Ed25519 keys is also included (though disabled by default).
Finally, pam_afs is now configurable: It can be disabled on systems that do
not use AFS.
See README.ssh for more information on how to use the code.
[sudo] Complete rework of base::sudo, including configurable support for
Duo. Anyone in the "sudo" or "wheel" group gets sudo access. If Duo is
enabled, anyone on a specified list is able to sudo without a password, but
with a two-step run. Fail-secure is supported, as is using the GECOS field
[sudo] Complete rework of base::sudo, including configurable support for
Duo. Anyone in the "sudo" or "wheel" group gets sudo access. If Duo is
enabled, anyone on a specified list is able to sudo without a password, but
with a two-step run. Fail-secure is supported, as is using the GECOS field
to specify the username that Puppet should actually use.
See README.sudo for more information on how to use the code.
......@@ -71,20 +76,20 @@ release/005.000 (2016-11-21)
release/004.063 (2016-10-17)
[ipmi] EL package requires (like EL6, EL7 only has available OpenIPMI,
and not OpenIPMI-tools. (jlent) Fix ipmievd configuration for Ubuntu.
and not OpenIPMI-tools. (jlent) Fix ipmievd configuration for Ubuntu.
(akkornel)
[os] Update the Ubuntu-to-Debian mapping. (akkornel) Enable the
debian-stanford backports for Unbuntu distros based on Wheezy and Jessie.
[os] Update the Ubuntu-to-Debian mapping. (akkornel) Enable the
debian-stanford backports for Unbuntu distros based on Wheezy and Jessie.
(akkornel) Also add additional Ubuntu-specific backports. (akkornel)
Also remove daemontools as a default install on systemd Ubuntu. (akkornel)
[ntp] Add the SRCF time server, make sure NTP is installed, and disable
[ntp] Add the SRCF time server, make sure NTP is installed, and disable
systemd-timesyncd on RHEL 8.
[xinetd] Make sure inetd is removed before xinetd is installed. (akkornel)
[wallet] Make sure the base::wallet::client class is included when
[wallet] Make sure the base::wallet::client class is included when
required. (akkornel)
release/004.062 (2016-06-03)
......
......@@ -50,6 +50,7 @@ define base::postfix::map(
# both because a command with a creates stanza won't run even if notified
# if that file already exists.
exec { "${command} ${type}:${name} initial":
path => '/bin:/usr/sbin:/usr/bin',
command => "${command} ${type}:${name}",
creates => "${name}.db",
require => [ File[$name], File['/etc/postfix/main.cf'],
......@@ -57,6 +58,7 @@ define base::postfix::map(
}
exec { "${command} ${type}:${name}":
refreshonly => true,
path => '/bin:/usr/sbin:/usr/bin',
command => "${command} ${type}:${name}",
require => [ File['/etc/postfix/main.cf'], Package['postfix'] ],
}
......
......@@ -25,6 +25,7 @@ define base::postfix::recipient(
case $ensure {
'absent': {
exec { "rm-recipient-${name}":
path => '/bin:/usr/sbin:/usr/bin',
command => "sed -i -e '/^${name}/d' ${file}",
onlyif => "grep ${pattern} ${file}",
notify => Exec["postmap hash:${file}"]
......@@ -33,12 +34,14 @@ define base::postfix::recipient(
default: {
$line = "${name} ${ensure}"
exec { "add-recipient-${name}":
path => '/bin:/usr/sbin:/usr/bin',
command => "echo '${line}' >> ${file}",
unless => "grep ${pattern} ${file}",
require => Package['postfix'],
notify => Exec["postmap hash:${file}"],
}
exec { "fix-recipient-${name}":
path => '/bin:/usr/sbin:/usr/bin',
command => "sed -i -e 's/^${name}..*\$/${line}/' ${file}",
unless => "grep '^${line}\$' ${file}",
require => Exec["add-recipient-${name}"],
......
......@@ -19,6 +19,7 @@ define base::sysctl($ensure) {
case $ensure {
absent: {
exec { "rm-sysctl-$name":
path => '/bin:/usr/sbin:/usr/bin',
command => "sed -i -e '/^$name/d' $filename",
onlyif => "grep '^[^#]' $filename | grep ^$name"
}
......@@ -26,11 +27,13 @@ define base::sysctl($ensure) {
default: {
$line = "$name = $ensure"
exec { "add-sysctl-$name":
path => '/bin:/usr/sbin:/usr/bin',
command => "echo '$line' >> $filename",
unless => "grep '^$name' $filename",
notify => Exec["reload sysctl.conf"]
}
exec { "fix-sysctl-$name":
path => '/bin:/usr/sbin:/usr/bin',
command => "sed -i -e '/^$name/d' $filename; echo '$line' >> $filename",
unless => "grep '^$name[[:space:]]*=[[:space:]]*$ensure' $filename",
require => Exec["add-sysctl-$name"],
......@@ -63,4 +66,4 @@ class base::sysctl::tcp_keepalive {
"net.ipv4.tcp_keepalive_probes": ensure => 20;
"net.ipv4.tcp_keepalive_time": ensure => 600;
}
}
\ No newline at end of file
}
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment