diff --git a/NEWS b/NEWS index b59f96060484be7979964df4140df3a17c1ca0f6..776d81ec9d7678cfb946c1906dc984fd7b5f2a79 100644 --- a/NEWS +++ b/NEWS 
@@ -1,63 +1,68 @@ +release/005.001 (2016-12-07) + + Add "path" attributes to several exec resources. This will be required + in the next version of Puppet [adamhl]. + release/005.000 (2016-11-21) This release has a number of breaking changes. - [duo] base::duo has been completely reworked into a type plus a common - class. Clients which use Duo for their own purposes should create an - instance of base::duo::config, which will create a Duo PAM config file for + [duo] base::duo has been completely reworked into a type plus a common + class. Clients which use Duo for their own purposes should create an + instance of base::duo::config, which will create a Duo PAM config file for them to use. See README.duo for more information. - [ipmi] A complete rework of base::ipmi. The base::noipmi class no - longer exists. Instead, IPMI support should be disabled by setting - base::ipmi::ensure to "absent". IPMI kernel modules, and ipmievd, should + [ipmi] A complete rework of base::ipmi. The base::noipmi class no + longer exists. Instead, IPMI support should be disabled by setting + base::ipmi::ensure to "absent". IPMI kernel modules, and ipmievd, should still be automatically disabled on virtual systems, even when - "ensure => present"; in those cases, the IPMI client tools will still be + "ensure => present"; in those cases, the IPMI client tools will still be installed. Code has been updated for Debian 8 and Ubuntu 16.04. - [os/debian] All aptitude operations are now performed in a new phase, - called "aptitude". The "aptitude" phase is configured to run before + [os/debian] All aptitude operations are now performed in a new phase, + called "aptitude". The "aptitude" phase is configured to run before "main". Clients which rely on aptitude being up-to-date must no longer - "require => Exec['aptitude update']". The nature of Puppet phases will + "require => Exec['aptitude update']". The nature of Puppet phases will ensure that aptitude is already updated. 
- Clients installing their own custom sources are advised to move all of that - into separate classes, and to put those classes into a new phase of their + Clients installing their own custom sources are advised to move all of that + into separate classes, and to put those classes into a new phase of their own. This new phase should "require => Phase['aptitude']" and "before => Phase['main']", to ensure proper execution sequencing. [os/debian] Add two Hiera-configurable parameters to base::os::debian::apt: - * apt_cache_notin_tmp. If true, use a different directory to store package + * apt_cache_notin_tmp. If true, use a different directory to store package scripts that need to be run during package install/upgrade. - * apt_cache_tmp_dir. When apt_cache_notin_tmp is true, this is the + * apt_cache_tmp_dir. When apt_cache_notin_tmp is true, this is the directory to use for package scripts. [postfix/sender] A new type: base::postfix::sender. This is similar to - base::postfix::recipient, except it is used to rewrite sender addresses + base::postfix::recipient, except it is used to rewrite sender addresses instead of recipient addresses. - It is suggested that clients use base::postfix::sender to ensure that - emails sent 'from' "root@stanford.edu" or "root@hostname.stanford.edu" are - instead being sent 'from' either "noreply@stanford.edu" or + It is suggested that clients use base::postfix::sender to ensure that + emails sent 'from' "root@stanford.edu" or "root@hostname.stanford.edu" are + instead being sent 'from' either "noreply@stanford.edu" or "shared-mailbox@stanford.edu". - [ssh] A fairly large rework of SSH code. Support has been added for - treating "alternate accounts" (.root, .admin, root., and admin.) the same - as root. Code has also been updated to account for changes to base::duo. - Support has also been added to completely disable password authentication. - Support for Ed25519 keys is also included (though disabled by default). 
- Finally, pam_afs is now configurable: It can be disabled on systems that do + [ssh] A fairly large rework of SSH code. Support has been added for + treating "alternate accounts" (.root, .admin, root., and admin.) the same + as root. Code has also been updated to account for changes to base::duo. + Support has also been added to completely disable password authentication. + Support for Ed25519 keys is also included (though disabled by default). + Finally, pam_afs is now configurable: It can be disabled on systems that do not use AFS. See README.ssh for more information on how to use the code. - [sudo] Complete rework of base::sudo, including configurable support for - Duo. Anyone in the "sudo" or "wheel" group gets sudo access. If Duo is - enabled, anyone on a specified list is able to sudo without a password, but - with a two-step run. Fail-secure is supported, as is using the GECOS field + [sudo] Complete rework of base::sudo, including configurable support for + Duo. Anyone in the "sudo" or "wheel" group gets sudo access. If Duo is + enabled, anyone on a specified list is able to sudo without a password, but + with a two-step run. Fail-secure is supported, as is using the GECOS field to specify the username that Puppet should actually use. See README.sudo for more information on how to use the code. 
@@ -71,20 +76,20 @@ release/005.000 (2016-11-21) release/004.063 (2016-10-17) [ipmi] EL package requires (like EL6, EL7 only has available OpenIPMI, - and not OpenIPMI-tools. (jlent) Fix ipmievd configuration for Ubuntu. + and not OpenIPMI-tools. (jlent) Fix ipmievd configuration for Ubuntu. (akkornel) - [os] Update the Ubuntu-to-Debian mapping. (akkornel) Enable the - debian-stanford backports for Unbuntu distros based on Wheezy and Jessie. + [os] Update the Ubuntu-to-Debian mapping. (akkornel) Enable the + debian-stanford backports for Unbuntu distros based on Wheezy and Jessie. (akkornel) Also add additional Ubuntu-specific backports. (akkornel) Also remove daemontools as a default install on systemd Ubuntu. (akkornel) - [ntp] Add the SRCF time server, make sure NTP is installed, and disable + [ntp] Add the SRCF time server, make sure NTP is installed, and disable systemd-timesyncd on RHEL 8. [xinetd] Make sure inetd is removed before xinetd is installed. (akkornel) - [wallet] Make sure the base::wallet::client class is included when + [wallet] Make sure the base::wallet::client class is included when required. (akkornel) release/004.062 (2016-06-03) diff --git a/manifests/postfix/map.pp b/manifests/postfix/map.pp index 77cf40a37b574aecddaeeb03c62d415bd9b4af48..a67d850465fdbc3b5e999662976b64a73635d4c0 100644 --- a/manifests/postfix/map.pp +++ b/manifests/postfix/map.pp @@ -50,6 +50,7 @@ define base::postfix::map( # both because a command with a creates stanza won't run even if notified # if that file already exists. exec { "${command} ${type}:${name} initial": + path => '/bin:/usr/sbin:/usr/bin', command => "${command} ${type}:${name}", creates => "${name}.db", require => [ File[$name], File['/etc/postfix/main.cf'], @@ -57,6 +58,7 @@ define base::postfix::map( } exec { "${command} ${type}:${name}": refreshonly => true, + path => '/bin:/usr/sbin:/usr/bin', command => "${command} ${type}:${name}", require => [ File['/etc/postfix/main.cf'], Package['postfix'] ], } 
diff --git a/manifests/postfix/recipient.pp b/manifests/postfix/recipient.pp index 4d1ef798d55764346c6ff5302c2b05647fda9564..eac2bcd38786ac9e8f1a841ab4169ed8094d9f29 100644 --- a/manifests/postfix/recipient.pp +++ b/manifests/postfix/recipient.pp @@ -25,6 +25,7 @@ define base::postfix::recipient( case $ensure { 'absent': { exec { "rm-recipient-${name}": + path => '/bin:/usr/sbin:/usr/bin', command => "sed -i -e '/^${name}/d' ${file}", onlyif => "grep ${pattern} ${file}", notify => Exec["postmap hash:${file}"] @@ -33,12 +34,14 @@ define base::postfix::recipient( default: { $line = "${name} ${ensure}" exec { "add-recipient-${name}": + path => '/bin:/usr/sbin:/usr/bin', command => "echo '${line}' >> ${file}", unless => "grep ${pattern} ${file}", require => Package['postfix'], notify => Exec["postmap hash:${file}"], } exec { "fix-recipient-${name}": + path => '/bin:/usr/sbin:/usr/bin', command => "sed -i -e 's/^${name}..*\$/${line}/' ${file}", unless => "grep '^${line}\$' ${file}", require => Exec["add-recipient-${name}"], diff --git a/manifests/sysctl.pp b/manifests/sysctl.pp index fe9b40197599a41892f6bf966af04b6bd0c09ff3..fe3ba39a964ba8f2cf6bf2c15c5609a208f5de60 100644 --- a/manifests/sysctl.pp +++ b/manifests/sysctl.pp @@ -19,6 +19,7 @@ define base::sysctl($ensure) { case $ensure { absent: { exec { "rm-sysctl-$name": + path => '/bin:/usr/sbin:/usr/bin', command => "sed -i -e '/^$name/d' $filename", onlyif => "grep '^[^#]' $filename | grep ^$name" } @@ -26,11 +27,13 @@ define base::sysctl($ensure) { default: { $line = "$name = $ensure" exec { "add-sysctl-$name": + path => '/bin:/usr/sbin:/usr/bin', command => "echo '$line' >> $filename", unless => "grep '^$name' $filename", notify => Exec["reload sysctl.conf"] } exec { "fix-sysctl-$name": + path => '/bin:/usr/sbin:/usr/bin', command => "sed -i -e '/^$name/d' $filename; echo '$line' >> $filename", unless => "grep '^$name[[:space:]]*=[[:space:]]*$ensure' $filename", require => Exec["add-sysctl-$name"], 
@@ -63,4 +66,4 @@ class base::sysctl::tcp_keepalive { "net.ipv4.tcp_keepalive_probes": ensure => 20; "net.ipv4.tcp_keepalive_time": ensure => 600; } -} \ No newline at end of file +}
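Review bot: In the NEWS hunk, nearly every removed line is re-added with text that reads identically, so most of the hunk is whitespace-only churn that hides the one real addition (the release/005.001 entry); split the whitespace cleanup into its own commit. The new entry also lacks the bracketed component tag the other entries carry ([duo], [ipmi], ...) and does not say which resources changed. Naming base::postfix::map, base::postfix::recipient and base::sysctl would let clients see what is affected. The author is credited as "[adamhl]" while the older entries use parentheses, e.g. "(akkornel)".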
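Review bot: In manifests/postfix/map.pp the literal path => '/bin:/usr/sbin:/usr/bin' is pasted into both exec resources, and the same string is repeated in six more execs in recipient.pp and sysctl.pp. Define it once (a variable in the define, or a resource default such as Exec { path => '/bin:/usr/sbin:/usr/bin' } at the top of each define) so a later change to the search path cannot leave one exec behind. Since $command is a parameter of the define, a short comment stating that it is now resolved against this fixed path, and that callers may still pass an absolute path, would document the behaviour.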
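Review bot: In manifests/postfix/recipient.pp, the execs that receive the new path interpolate ${name} straight into a sed regular expression ("sed -i -e '/^${name}/d' ${file}"), which is a prefix match with unescaped metacharacters: removing one recipient also deletes any other entry that starts with the same string, and the dots in an address match any character. Anchor the expression on the field boundary (for example '/^${name}[[:space:]]/d') and validate $name against an allowed character set before it reaches the command, since a quote or slash in it would break out of the sed expression. The onlyif "grep ${pattern} ${file}" also passes $pattern unquoted; quote it so the pattern is delivered to grep as a single argument.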
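Review bot: In manifests/sysctl.pp, the guards on the execs that gain a path are not anchored, so they can report the wrong state: add-sysctl's unless => "grep '^$name' $filename" is satisfied by any longer key sharing the prefix, and fix-sysctl's unless pattern ends at $ensure with no end-of-line anchor, so an existing value of 200 satisfies the check for ensure => 20 (the value used for net.ipv4.tcp_keepalive_probes below). Match the full key and value, e.g. '^$name[[:space:]]*=[[:space:]]*$ensure[[:space:]]*\$', and use '^$name[[:space:]]*=' in the add and rm checks. These commands also depend on shell features (the pipe in the rm-sysctl onlyif, and ';' and '>>' in fix-sysctl), so stating provider => shell alongside the new path would make that dependency explicit rather than implied.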