NEWS
unreleased (207x-xx-xx)

    [postfix] Change the sender address for root mail from
    "root@${::hostname}" to "root@${::fqdn}". This is needed by newer
    versions of postfix and makes more sense anyway.

    [wallet] Make wallet keytab use the correct path for ktutil.

    [duo] Change apt pin file to point to codename rather than archive
    name. [adamhl]

    [out_of_date] Add some parameters to the interface to make it easier
    to point at different out-of-date servers. [adamhl]

    [ssh] Change interface parameter. The parameter
    base::ssh::extra_gssapi_only_users has been renamed to
    base::ssh::extra_skip_duo_users to more accurately reflect what this
    parameter does. Also, fix some whitespace messiness in
    /etc/pam.d/sshd [adamhl]

    [syslog] Add use_logsink_server parameter that allows servers to not
    send logs to the logsink server. Once everyone is using Splunk, ELK,
    etc., we will set this default to false. In the meantime, the default
    is true. [adamhl]

    [pam] Add "ensure" parameter to base::pam::debian to allow the
    non-installation of some Kerberos-related PAM packages in the special
    case of non-production Kerberos servers not synced with production
    Kerberos environment. [adamhl]

release/005.010 (2017-10-02)

    [kerberos] Use three rather than four "kdc" lines in
    /etc/krb5.conf. [adamhl]

    Starting the work to make the code Puppet 4 compatible. [adamhl]

    [ssh] Add $extra_gssapi_only_users parameter listing any extra
    accounts that should skip Duo (i.e., service accounts). [adamhl]

    [postfix] Remove the transport lines which allowed stanford.edu mail
    to route via published MX records, because that is moving entirely
    off-campus. Instead, just have everything go through smtp.stanford.edu
    (which still has an on-campus presence). [akkornel]

release/005.009 (2017-07-07)

    [ntp] Push "tinker-panic 0" to the top of the ntp.conf file to help
    address the timekeeping problem with vmware. This means always reset
    the clock, even if the new time is more than 1000s away from the

release/005.008 (2017-06-25)

    [ssh] Add the $max_sessions option. [adamhl]

    [iptables] Ensure that port numbers are converted to strings inside
    the rules erb file to avoid Ruby errors. [adamhl]

    [kerberos] Allow kerberos kinit port number override for the "custom"
    version of krb5.conf. Needed for the non-production kerberos
    environments that don't use port 88. [adamhl]

release/005.007 (2017-06-22)

    [kerberos] Add option to completely override /etc/krb5.conf using
    the parameter 'source'. [adamhl]

    [kerberos] Add a new defined resource type that makes it easier to
    set up a krb5.conf file. The defined resource type is
    base::kerberos::krb5_conf. [adamhl]

    [newsyslog] Pull out filter-syslog from newsyslog so filter-syslog can
    be used separately from newsyslog. [adamhl]

    [ssh] Change the method by which we specify a list of sunetids to
    filter via filter-syslog. If you install this version of base you will
    need to add to hiera the list of sunetids whose authentication failure
    warnings you want to continue ignoring. Otherwise, your root mail gets
    noisier. Because this only affects filter-syslog it has no effect on
    the actual ssh service running on the server, so it is a very
    low-impact change. [adamhl]

    [ssh] Ignore a couple more innocuous sshd log lines. [adamhl]

    [ssh] Add the parameter $pubkey to the ssh class to allow ssh key-pair
    logins (this way you do not have to do class inheritance). Also add a
    parameter to allow root users to login using ssh key-pairs. Both of
    these parameters are set to have no effect by default. [adamhl]

    [ssh] Add the parameter $ip_ranges. This is an array of IP addresses
    or ranges, used in the iptables rules, that are allowed to access
    port 22 on this server. [adamhl]

release/005.006 (2017-02-16)

    [kerberos] Add support for the new kerberos environment 'qa'. [adamhl]

release/005.005 (2017-02-02)

    [kerberos] Add the option rdns_enabled so that Kerberos can be
    configured not to require clients to do a reverse DNS lookup on the
    hostname of a service principal. The default is set to true, so unless
    specifically overridden to false Kerberos clients will behave as they
    always have. [adamhl]

    [kerberos] Change the master_kdc setting in krb5.conf to point to an
    alias of the master (kerberos1). This will not change how the
    configuration works, but makes it easier to change the ordering of the
    replicas if, in the future, we need to. [adamhl]

release/005.004 (2017-01-09)

    [os] Change the exec resource in the 'aptitude' staged
    base::os::debian::apt class to have the name 'apt config aptitude
    update' so that it will not interfere with other exec's of the same
    name in the 'main' stage. [adamhl]

release/005.003 (2016-12-16)

    [ssh] Add "@" to a few more variables on sshd_config.erb. [adamhl]

release/005.002 (2016-12-13)

    [ssh] Change the class "ssh::pam" to "base::ssh::pam".  This should
    only affect people who are setting ssh::pam variables via Hiera, or
    via class parameters.  Clients setting base::ssh variables in any
    way are not affected. [akkornel]

    [ssh] Add support for the pam_slurm module.  This is for clients using
    the SLURM job scheduler, and who want to prevent users from logging in
    without an allocation.  This is disabled by default.  Also add the
    pam_slurm_bypass parameter, which is a file containing a list of users
    (one per line) who should not be blocked by pam_slurm. [aseishas]

    [syslog] On Ubuntu, have files and directories be owned by the
    "syslog" user, and the "adm" group.

    [wallet] When running inside a Packer build, do not attempt to retrieve
    things from wallet. [akkornel]

    [os::debian] More @ symbols into ERB templates. [akkornel]

    Add "path" attributes to several exec resources. This will be required
    in the next version of Puppet. [adamhl]

    [puppetclient] Replace "local" variables in ERB templates with what is
    really intended: instance variables defined in the calling manifest
    (or defined as a Puppet fact). While currently not strictly necessary,
    in a future version Puppet will stop interpreting ERB local variables
    as instance variables, so we might as well fix them now. Furthermore,
    when using "puppet apply" incorrect use of variables in templates
    generates ugly red warnings, so fixing these now makes "puppet apply"
    happier. [adamhl]

    [puppetclient] Remove some conditional code that made sense when we
    used very old versions of Puppet. [adamhl]

    [ssh, syslog, xinetd] More instance variable cleanup. [adamhl]

    [ipmi] When comparing lsbmajdistrelease to a Debian version, convert
    lsbmajdistrelease to an integer first (otherwise Ruby raises a
    comparison error). [adamhl]

    [os/debian] Add parameter to allow the option of *not* including the
    debian-stanford backports repository in the apt sources. [adamhl]

release/005.000 (2016-11-21)

    This release has a number of breaking changes.

    [duo] base::duo has been completely reworked into a type plus a common
    class.  Clients which use Duo for their own purposes should create an
    instance of base::duo::config, which will create a Duo PAM config file for
    them to use.  See README.duo for more information.

    [ipmi] A complete rework of base::ipmi.  The base::noipmi class no
    longer exists.  Instead, IPMI support should be disabled by setting
    base::ipmi::ensure to "absent".  IPMI kernel modules, and ipmievd, should
    still be automatically disabled on virtual systems, even when
    "ensure => present"; in those cases, the IPMI client tools will still be
    installed.  Code has been updated for Debian 8 and Ubuntu 16.04.

    [os/debian] All aptitude operations are now performed in a new phase,
    called "aptitude".  The "aptitude" phase is configured to run before
    "main".

    Clients which rely on aptitude being up-to-date must no longer
    "require => Exec['aptitude update']".  The nature of Puppet phases will
    ensure that aptitude is already updated.

    Clients installing their own custom sources are advised to move all of that
    into separate classes, and to put those classes into a new phase of their
    own.  This new phase should "require => Stage['aptitude']" and
    "before => Stage['main']", to ensure proper execution sequencing.
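As an added illustration of the staging advice above (example code, not part of the base module or this NEWS file): a site-specific class that installs one extra apt source and is placed in its own stage, sequenced after base's "aptitude" stage and before "main". The stage name "site_apt_sources", the class name "site::apt_sources", the repository URL and the file name are all assumptions; the only thing taken from the page is that base declares Stage['aptitude'].

```puppet
# Added example, not the base module's own code. Assumes the base module
# has already declared Stage['aptitude'] (see the release note above).
# "site_apt_sources", "site::apt_sources" and the repository URL are
# placeholders chosen for this example.

class site::apt_sources {
  # Put the extra source in sources.list.d rather than editing
  # sources.list, so base's own apt configuration is left untouched.
  file { '/etc/apt/sources.list.d/site-extra.list':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => "deb https://apt.example.invalid/debian stable main\n",
    notify  => Exec['site apt update'],
  }

  # Refresh the package index only when the source file changes.
  # 'path' is set explicitly, as the notes above say newer Puppet
  # versions require for exec resources.
  exec { 'site apt update':
    command     => 'apt-get update',
    path        => ['/usr/bin', '/bin'],
    refreshonly => true,
  }
}

# The stage itself: runs after base's "aptitude" stage and before "main".
# Classes in "main" no longer need "require => Exec['aptitude update']";
# stage ordering already guarantees the index was refreshed.
stage { 'site_apt_sources':
  require => Stage['aptitude'],
  before  => Stage['main'],
}

# A class is assigned to a stage with the 'stage' metaparameter, which
# needs the resource-like declaration form rather than 'include'.
class { 'site::apt_sources':
  stage => 'site_apt_sources',
}
```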

    [os/debian] Add two Hiera-configurable parameters to base::os::debian::apt:

    * apt_cache_notin_tmp.  If true, use a different directory to store package