Skip to content
release/005.000 (2016-11-21)

    This release has a number of breaking changes.

    [duo] base::duo has been completely reworked into a type plus a common
    class.  Clients which use Duo for their own purposes should create an
    instance of base::duo::config, which will create a Duo PAM config file for
    them to use.  See README.duo for more information.

    [ipmi] A complete rework of base::ipmi.      The base::noipmi class no
    longer exists.  Instead, IPMI support should be disabled by setting
    base::ipmi::ensure to "absent".  IPMI kernel modules, and ipmievd, should
    still be automatically disabled on virtual systems, even when
    "ensure => present"; in those cases, the IPMI client tools will still be
    installed.  Code has been updated for Debian 8 and Ubuntu 16.04.

    [os/debian] All aptitude operations are now performed in a new phase,
    called "aptitude".  The "aptitude" phase is configured to run before
    "main".

    Clients which rely on aptitude being up-to-date must no longer
    "require => Exec['aptitude update']".  The nature of Puppet phases will
    ensure that aptitude is already updated.

    Clients installing their own custom sources are advised to move all of that
    into separate classes, and to put those classes into a new phase of their
    own.  This new phase should "require => Phase['aptitude']" and
    "before => Phase['main']", to ensure proper execution sequencing.

    [os/debian] Add two Hiera-configurable parameters to base::os::debian::apt:

    * apt_cache_notin_tmp.  If true, use a different directory to store package
    scripts that need to be run during package install/upgrade.

    * apt_cache_tmp_dir.  When apt_cache_notin_tmp is true, this is the
    directory to use for package scripts.

    [postfix/sender] A new type: base::postfix::sender.  This is similar to
    base::postfix::recipient, except it is used to rewrite sender addresses
    instead of recipient addresses.

    It is suggested that clients use base::postfix::sender to ensure that
    emails sent 'from' "root@stanford.edu" or "root@hostname.stanford.edu" are
    instead being sent 'from' either "noreply@stanford.edu" or
    "shared-mailbox@stanford.edu".

    [ssh] A fairly large rework of SSH code.  Support has been added for
    treating "alternate accounts" (.root, .admin, root., and admin.) the same
    as root.  Code has also been updated to account for changes to base::duo.
    Support has also been added to completely disable password authentication.
    Support for Ed25519 keys is also included (though disabled by default).
    Finally, pam_afs is now configurable: It can be disabled on systems that do
    not use AFS.

    See README.ssh for more information on how to use the code.

    [sudo] Complete rework of base::sudo, including configurable support for
    Duo.  Anyone in the "sudo" or "wheel" group gets sudo access.  If Duo is
    enabled, anyone on a specified list is able to sudo without a password, but
    with a two-step run.  Fail-secure is supported, as is using the GECOS field
    to specify the username that Puppet should actually use.

    See README.sudo for more information on how to use the code.

    [syslog] Some fixes for Ubuntu.

    [os/debian] Fix the $PATH used by aptitude.

    [puppetclient] Fix a filter-syslog regex error.