Version information
This version is compatible with:
- Puppet Enterprise 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x
- Puppet >= 6.22.1 < 8.0.0
Start using this module
Add this module to your Puppetfile:
mod 'simp-pupmod', '8.2.0'
Learn more about managing modules with a Puppetfile
Documentation
Overview
This is a SIMP module
This module is a component of the System Integrity Management Platform, a compliance-management framework built on Puppet.
If you find any issues, they can be submitted to our JIRA.
Please read our Contribution Guide.
Module Description
See REFERENCE.md for more details.
Upgrade Considerations
Upgrading From 7.3.0 Or Earlier
Legacy auth.conf, /etc/puppetlabs/puppet/auth.conf, has been deprecated. pupmod-simp-pupmod will back up legacy puppet auth.conf after upgrade.
The puppetserver's auth.conf is now managed by Puppet. You will need to reproduce any custom work done to legacy auth.conf in the new auth.conf, via the puppet_authorization::rule define. The stock rules are managed in pupmod::master::simp_auth.
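One way to carry a custom legacy rule forward with the puppet_authorization::rule define, as an added example that is not part of the module's own documentation. The site::puppetserver_auth class, the site_files module paths and the rule names are hypothetical; the auth.conf path is the default of pupmod::master::simp_auth::auth_conf_path.

```puppet
# Added example: names under site:: and site_files are hypothetical and are
# not part of pupmod.
#
# Legacy rule being migrated (constructed sample from the old
# /etc/puppetlabs/puppet/auth.conf):
#
#   path ~ ^/puppet/v3/file_(metadata|content)/modules/site_files/per_host/([^/]+)
#   auth yes
#   allow $2
#
class site::puppetserver_auth (
  # Same default as pupmod::master::simp_auth::auth_conf_path
  Stdlib::AbsolutePath $auth_conf_path = '/etc/puppetlabs/puppetserver/conf.d/auth.conf',
) {
  # Per-host files: the second capture group is the directory name, and only
  # the certificate whose name equals that directory may fetch from it.
  puppet_authorization::rule { 'site_files_per_host':
    match_request_path => '^/puppet/v3/file_(metadata|content)/modules/site_files/per_host/([^/]+)',
    match_request_type => 'regex',
    allow              => '$2',
    # Lower sort_order values are evaluated first; keep this ahead of any
    # broader file-serving rule so the first match is the restrictive one.
    sort_order         => 300,
    path               => $auth_conf_path,
  }

  # Shared, non-secret files: readable by any authenticated node, but never
  # by unauthenticated clients (allow_unauthenticated is left at its default).
  puppet_authorization::rule { 'site_files_shared':
    match_request_path => '/puppet/v3/file_content/modules/site_files/shared',
    match_request_type => 'path',
    allow              => '*',
    sort_order         => 310,
    path               => $auth_conf_path,
  }
}
```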
Reference
Table of Contents
Classes
- pupmod: A class for managing Puppet configurations. This is mainly a stub class for hooking other classes along the way with a small bit of logic to
- pupmod::agent::cron: This class configures the scheduled run settings for a non-daemonized puppet client Note: The parameters are present for backwards compatibi
- pupmod::facter::conf: A class to manage Facter configuration
- pupmod::master: Provides configuration for a puppet master.
- pupmod::master::base: A break out of the mostly static files used by the Puppet master.
- pupmod::master::generate_types: Use systemd to run puppet generate types when the necessary files have been changed
- pupmod::master::install: Install the puppetserver
- pupmod::master::reports: This class simply controls settings around client reports on the system. Most importantly, it allows for purging the reports.
- pupmod::master::service: Split out the 'service' for cleaner dependency ordering
- pupmod::master::simp_auth: Add SIMP-specific entries to PuppetServer's auth.conf For documentation about _allow and _deny, see the puppetserver docs
- pupmod::master::sysconfig: This class provides the sysconfig settings for the puppetserver daemon. to use. To use the default enter 'default'. (Does not affect PE.
Defined types
- pupmod::conf: This is a simple define to call the Puppet INIFile class for the passed parameters on the puppet.conf file. The main purpose is to easily al
- pupmod::master::autosign: Add an autosign entry to the puppet autosign file. Ideally, autosign will not be used in your environment. However, should you happen to nee
- pupmod::master::fileserver_entry: Manage entries in the /etc/puppet/fileserver.conf file.
- pupmod::pass_two: A helper defined type for adding processing to fix some issues with
Functions
- pupmod::java_max_memory: Provides a reasonable calculation for the reserved code cache value for JRuby for a system
- pupmod::max_active_instances: Provides a reasonable calculation for the maximum number of active instances for a system Parameters are not to be used but are present as a
- pupmod::reserved_code_cache: Provides a reasonable calculation for the reserved code cache value for JRuby for a system
- pupmod::server_distribution: Figure out if we're running PC1 or PE puppet
- pupmod::server_version: Authoritatively determine the puppet server version and return 0.0.0 if one could not be determined.
Data types
- Pupmod::CaTTL: Matches valid Puppet CA TTL configuration
- Pupmod::LogLevel: puppetserver log levels
- Pupmod::Master::SSLCiphersuites: Valid SSL Cipher Suites for the Puppet Master Webserver
- Pupmod::Master::SSLProtocols: Valid SSL Protocols for the Puppet Master Webserver
- Pupmod::Memory: Matches valid puppetserver JAVA memory parameters
- Pupmod::ProfilingMode: puppetserver profiling modes
Classes
pupmod
A class for managing Puppet configurations.
This is mainly a stub class for hooking other classes along the way with a small bit of logic to flex the system toward being a Puppet master or client. It manages Puppet and Facter configurations.
All Puppet configuration parameters are, by default, written to the [main] config block of the Puppet configuration file. Selective options may be written to their respective components as necessary for deconfliction.
Parameters
The following parameters are available in the pupmod class:
ca_port
ca_server
puppet_server
server_distribution
certname
classfile
confdir
daemonize
digest_algorithm
enable_puppet_master
environmentpath
listen
logdir
purge_logs
purge_logs_duration
purge_log_dirs
masterport
report
rundir
runinterval
splay
splaylimit
srv_domain
ssldir
syslogfacility
use_srv_records
haveged
fips
vardir
manage_facter_conf
facter_conf_dir
facter_options
mock
firewall
pe_classlist
package_ensure
set_environment
ca_port
Data type: Simplib::Port
The port where the remote CA should be contacted.
Default value: simplib::lookup('simp_options::puppet::ca_port', { 'default_value' => 8141 })
ca_server
Data type: Variant[Simplib::Host,Enum['$server']]
The puppet CA from which to obtain your system certificates.
Default value: simplib::lookup('simp_options::puppet::ca', { 'default_value' => '$server' })
puppet_server
Data type: Variant[Simplib::Host, Array[Simplib::Host]]
One or more puppet servers from which to retrieve your configuration.
Default value: simplib::lookup('simp_options::puppet::server', { 'default_value' => "puppet.${facts['domain']}" })
server_distribution
Data type: Simplib::ServerDistribution
The server distribution used. This changes the configuration based on whether we are using PC1 or PE
Default value: pupmod::server_distribution(false)
certname
Data type: Simplib::Host
The puppet certificate CN name of the system.
- For authenticated remote requests, this defaults to $trusted['certname']
- For all other requests (e.g., bolt), the default is $facts['clientcert']
For additional details, see:
- http://docs.puppetlabs.com/references/latest/configuration.html
- https://puppet.com/docs/puppet/latest/lang_facts_builtin_variables.html
Default value: (
classfile
Data type: String[0]
The path to the puppet class file.
See http://docs.puppetlabs.com/references/latest/configuration.html for additional details.
Default value: '$vardir/classes.txt'
confdir
Data type: Stdlib::AbsolutePath
The path to the puppet configuration directory.
See http://docs.puppetlabs.com/references/latest/configuration.html for additional details.
daemonize
Data type: Boolean
Whether or not to daemonize the Puppet agent.
SIMP systems do not, by default, daemonize their agents so that the consumed resources can be freed for other uses and so that the cron job can maintain a safe system state over time.
Default value: false
digest_algorithm
Data type: Enum['md5','sha256']
The hash digest to use for file operations on the system.
Default value: 'sha256'
enable_puppet_master
Data type: Boolean
Whether or not to make the system a puppetmaster.
Default value: false
environmentpath
Data type: Stdlib::AbsolutePath
The path to the directory holding the puppet environments.
listen
Data type: Boolean
Whether or not to listen for incoming connections to the puppet agent.
Given the ability to run puppet remotely via SSH, MCollective, or many other means, we will not open this by default. If you decide to enable it, don't forget to add an associated IPTables rule.
Default value: false
logdir
Data type: Stdlib::AbsolutePath
The path to the puppet log directory.
See http://docs.puppetlabs.com/references/latest/configuration.html for additional details.
purge_logs
Data type: Boolean
Purge old logs from the system.
Default value: true
purge_logs_duration
Data type: Pattern['\d+(h|m|w)']
The timeframe after which logs will be purged.
- Uses systemd tmpfiles age notation
Default value: '4w'
purge_log_dirs
Data type: Array[Stdlib::AbsolutePath]
The directories under $logdir to be purged.
Default value: ['/puppet*']
masterport
Data type: Simplib::Port
The port where the Puppet Master should be contacted.
Default value: 8140
report
Data type: Boolean
Whether or not to send reports to the report server. This is disabled by default to allow users to reduce network load unless reports are required.
Default value: false
rundir
Data type: Stdlib::AbsolutePath
The path to the puppet run status directory.
See http://docs.puppetlabs.com/references/latest/configuration.html for additional details.
runinterval
Data type: Integer[0]
The number of seconds between puppet runs. Has no effect on the client cron job.
Default value: 1800
splay
Data type: Boolean
Whether or not to splay the puppet runs.
This is done by default to add some randomization to client system runs on large systems.
Default value: false
splaylimit
Data type: Optional[Integer[1]]
Default value: undef
srv_domain
Data type: Simplib::Host
The domain to search when using SRV records.
Default value: $facts['domain']
ssldir
Data type: Stdlib::AbsolutePath
The path to the puppet ssl directory.
See http://docs.puppetlabs.com/references/latest/configuration.html for additional details.
syslogfacility
Data type: Simplib::Syslog::Facility
The Syslog facility to use when outputting messages from puppet.
Default value: 'local6'
use_srv_records
Data type: Boolean
Whether the server will search for SRV records in DNS for the current domain.
Default value: false
haveged
Data type: Boolean
If true, include haveged to assist with entropy generation.
Default value: simplib::lookup('simp_options::haveged', { 'default_value' => false })
fips
Data type: Boolean
If true, enable fips mode
Default value: simplib::lookup('simp_options::fips', { 'default_value' => false })
vardir
Data type: Stdlib::AbsolutePath
The directory where puppet will store all of its 'variable' data.
manage_facter_conf
Data type: Boolean
Whether to manage the Facter configuration file.
Default value: false
facter_conf_dir
Data type: Stdlib::Absolutepath
Directory containing the Facter configuration file.
Default value: '/etc/puppetlabs/facter'
facter_options
Data type: Hash
Hash of Facter configuration options.
- Only applies when manage_facter_conf is true.
- Each primary key is a section in the Facter configuration file (e.g., 'facts', 'global', 'cli')
- When the configuration for a section is empty, that section will be removed entirely from the Facter configuration file.
- See https://puppet.com/docs/facter/latest/configuring_facter.html for details on how to configure Facter.
mock
Data type: Boolean
If true, disable all code.
Default value: false
firewall
Data type: Boolean
Whether or not firewall rules should be created
Default value: simplib::lookup('simp_options::firewall', { 'default_value' => false })
pe_classlist
Data type: Hash
Hash of pe classes and assorted metadata.
Default value: {}
package_ensure
Data type: String[1]
String used to specify 'latest', 'installed', or a specific version of the puppet-agent package
Default value: simplib::lookup('simp_options::package_ensure' , { 'default_value' => 'installed'})
set_environment
Data type: Variant[Boolean, Enum['no_clean']]
Set the environment on the system to the currently running environment
- This will automatically purge the environment setting from the main section of the configuration to prevent issues from arising when running various puppet tools. To prevent this from happening, you may set this to no_clean and the entry will be preserved if present.
Default value: false
pupmod::agent::cron
This class configures the scheduled run settings for a non-daemonized puppet client
Note: The parameters are present for backwards compatibility. At some point, this class will be renamed to reflect that it is now a systemd timer.
Examples
Configure puppet agent cron to run every 20 minutes
  class { 'pupmod::agent::cron':
    interval => 20,
    minute   => 'nil',
  }
Configure puppet agent cron to run once an hour using the default minute randomization algorithm
  class { 'pupmod::agent::cron':
    runs_per_timeframe => 1,
  }
Configure cron to run once per day at a particular time
  class { 'pupmod::agent::cron':
    minute => '23',
    hour   => '4',
  }
Parameters
The following parameters are available in the pupmod::agent::cron class:
enable
interval
minute_base
run_timeframe
runs_per_timeframe
systemd_calendar
minute
hour
monthday
month
weekday
maxruntime
break_puppet_lock
max_disable_time
enable
Data type: Boolean
Enable, or disable, the scheduled agent run
Default value: true
interval
Data type: Integer[0]
The cron iteration time (in minutes) for running puppet
- When $minute is set to 'nil', this applies the standard */$interval style syntax from cron for the minute field. See crontab(5) for additional details.
- Otherwise, this value is ignored.
Default value: 30
minute_base
Data type: String
The default artifact to use to auto-generate a cron interval
- The default of $::ipaddress is used to provide a reasonable guess at spreading the puppet runs across all of your systems. However, you can set this to anything that you like.
- Use $::ipaddress_eth0 to generate the entry from the eth0 IP Address
- Use $::uniqueid to generate the entry from the system UUID
- WARNING: If this is the same resolved value on all of your systems then your systems will have the same run interval.
- Not used if using $interval
Default value: $facts['ipaddress']
run_timeframe
Data type: Integer[0]
The time frame within which you wish to run the puppet agent
- This directly translates to the minute field of the cron job so this should probably be left at 60
- Not used if using $interval
Default value: 60
runs_per_timeframe
Data type: Integer[0]
The number of times, per $timeframe, that you want to run the Puppet Agent.
- Not used if using $interval
Default value: 2
systemd_calendar
Data type: Optional[String[1]]
The exact systemd calendar string to add to the timer
- This is not checked for correctness
Default value: undef
minute
Data type: Variant[Simplib::Cron::Minute,Enum['nil','ip_mod','rand','sha256']]
The minute value for the crontab entry
Set to nil if you want to only use $interval.
Set to one of the randomization algorithms if you want the minute to be auto-generated from $minute_base:
- ip_mod or its backward-compatible alias rand uses an IP-modulus-based transformation of the numeric IP representation of $minute_base, when $minute_base is an IP address. Otherwise, it uses a crc32-based transformation of $minute_base. This algorithm works well when the number of hosts managed by a Puppet master exceeds 60 and the hosts have linearly-assigned IP addresses.
- sha256 uses a SHA256-based transformation of $minute_base. This algorithm provides general randomization for cases in which ip_mod yields undesirable clustering.
Default value: 'ip_mod'
hour
Data type: Simplib::Cron::Hour
The hour value for the crontab entry
- Not used if using $interval
Default value: '*'
monthday
Data type: Simplib::Cron::MonthDay
The monthday value for the crontab entry
- Not used if using $interval
Default value: '*'
month
Data type: Simplib::Cron::Month
The month value for the crontab entry
- Not used if using $interval
Default value: '*'
weekday
Data type: Simplib::Cron::Weekday
The weekday value for the crontab entry
- Not used if using $interval
Default value: '*'
maxruntime
Data type: Integer[1]
How long (in minutes) a puppet agent will be allowed to run before being forcibly stopped
Default value: 240
break_puppet_lock
Data type: Boolean
Forcibly enable the puppet agent if it has been disabled for $max_disable_time
- This is enabled by default so that the system can remain in a self-healing state
Default value: true
max_disable_time
Data type: Optional[Integer[1]]
How long (in minutes) a puppet agent will be allowed to remain disabled before being forcibly enabled
- This only takes effect if $break_puppet_lock is true
- When not set, an appropriate value is computed based on cron frequency and $maxruntime.
Default value: undef
pupmod::facter::conf
A class to manage Facter configuration
Parameters
The following parameters are available in the pupmod::facter::conf class:
facter_conf_dir
Data type: Stdlib::Absolutepath
Facter configuration directory
Default value: $::pupmod::facter_conf_dir
facter_options
Data type: Hash
Facter configuration Hash
Default value: $::pupmod::facter_options
pupmod::master
Provides configuration for a puppet master.
Parameters
The following parameters are available in the pupmod::master class:
bind_address
ca_allow_auth_extensions
ca_allow_alt_names
ca_bind_address
auditd
ca_port
trusted_nets
server_distribution
server_type
ca_ttl
daemonize
enable_ca
enable_master
environmentpath
freeze_main
masterport
puppet_confdir
confdir
codedir
vardir
rundir
logdir
ssldir
use_legacy_auth_conf
max_queued_requests
max_retry_delay
firewall
ca_status_whitelist
ruby_load_path
max_active_instances
max_requests_per_instance
borrow_timeout
environment_class_cache_enabled
compat_version
compile_mode
ssl_protocols
ssl_cipher_suites
enable_profiler
profiling_mode
profiler_output_file
admin_api_whitelist
admin_api_mountpoint
log_to_file
strict_hostname_checking
cve_2020_7942_warning
syslog
syslog_facility
syslog_message_format
log_level
autosign_hosts
package_ensure
enable_analytics
server_webserver_options
ca_webserver_options
extra_webserver_sections
mock
bind_address
Data type: Simplib::IP
The IP address to which the Puppet Master process should bind
Default value: '0.0.0.0'
ca_allow_auth_extensions
Data type: Boolean
If true, allows the CA to sign certificates with authorization extensions.
Default value: false
ca_allow_alt_names
Data type: Boolean
If true, allows the CA to sign certificates with subject alternative names.
Default value: false
ca_bind_address
Data type: Simplib::IP
The IP address to which the Puppet CA process should bind
Default value: '0.0.0.0'
auditd
Data type: Boolean
If true, adds an audit record to watch sensitive Puppet directories for changes by any user that is not the puppet user.
Default value: simplib::lookup('simp_options::auditd', { 'default_value' => false })
ca_port
Data type: Simplib::Port
The port upon which the CA should listen. This has been modified from the default setting of 8140 so that it does not interfere with the certificate verification of various clients.
Default value: simplib::lookup('simp_options::puppet::ca_port', { 'default_value' => 8141 })
trusted_nets
Data type: Simplib::NetList
An array of networks from which to allow access to the master.
Default value: simplib::lookup('simp_options::trusted_nets', { 'default_value' => ['127.0.0.1','::1'] })
server_distribution
Data type: String
Deprecated: The version of the server that is being managed.
- PC1 covers everything after Puppet 3
Default value: pupmod::server_distribution()
server_type
Data type: Enum['monolithic', 'primary', 'compile']
The type of Puppet server this is. Can be 'monolithic', 'primary', or 'compile' as defined in https://puppet.com/docs/puppetserver/latest/scaling_puppet_server.html
Default value: 'monolithic'
ca_ttl
Data type: Pupmod::CaTTL
This is the length after which the CA certificate will no longer be valid.
Default value: '10y'
daemonize
Data type: Boolean
Whether or not to run the server as a daemon.
Default value: true
enable_ca
Data type: Boolean
Whether or not the system should act as a CA.
Default value: true
enable_master
Data type: Boolean
Whether or not the system should act as a Puppet Master
Default value: true
environmentpath
Data type: Stdlib::AbsolutePath
The location of all directory environments.
Default value: $pupmod::environmentpath
freeze_main
Data type: Boolean
Whether or not code is allowed outside of site.pp or a module.
Default value: false
masterport
Data type: Simplib::Port
The port upon which the Puppet master process will listen.
Default value: 8140
puppet_confdir
Data type: Stdlib::AbsolutePath
The Puppet server configuration directory.
Default value: $pupmod::confdir
confdir
Data type: Stdlib::AbsolutePath
The Puppet client configuration directory.
codedir
Data type: Stdlib::AbsolutePath
The directory holding the Puppet configuration codebase.
vardir
Data type: Stdlib::AbsolutePath
The Puppet server 'var' directory
rundir
Data type: Stdlib::AbsolutePath
The Puppet server runtime directory
logdir
Data type: Stdlib::AbsolutePath
The log directory for the Puppet server
ssldir
Data type: Stdlib::AbsolutePath
The SSL configuration directory for the Puppet server
use_legacy_auth_conf
Data type: Boolean
Enable processing of the legacy Puppetserver auth.conf.
- This is NOT recommended and may cause a SIMP installation to malfunction.
Default value: false
max_queued_requests
Data type: Integer[0]
The number of requests that may be queued against the server prior to being rejected.
- Only functional on puppetserver >= 5.4.1
Default value: 10
max_retry_delay
Data type: Integer[1]
The maximum time that a client will wait prior to giving up on the server response.
- Only functional on puppetserver >= 5.4.1
Default value: 1800
firewall
Data type: Boolean
If enabled, will use the SIMP iptables classes to manipulate IPTables.
Default value: simplib::lookup('simp_options::firewall', { 'default_value' => false })
ca_status_whitelist
Data type: Array[Simplib::Host]
An array of certificate short names which will be allowed to query the CA end point of the Puppet Server
Default value: [pick($facts['certname'], $facts['fqdn'])]
ruby_load_path
Data type: Optional[Stdlib::AbsolutePath]
The path to the system Ruby installation to use for the Puppet Server
Default value: undef
max_active_instances
Data type: Integer[1]
The maximum number of active JRuby instances to be run by the Puppet Server
Default value: pupmod::max_active_instances($server_type)
max_requests_per_instance
Data type: Integer
The number of requests a given JRuby instance will process prior to being stopped.
Default value: 100000
borrow_timeout
Data type: Integer[1000]
The timeout, in milliseconds, when attempting to borrow an instance from the JRuby pool.
Default value: 1200000
environment_class_cache_enabled
Data type: Boolean
Maintain a cache in conjunction with the use of the environment_classes API.
Default value: true
compat_version
Data type: Optional[Pattern['^\d+\.\d+$']]
Set the JRuby compat version
- Has no effect on puppetserver >= 5.0
Default value: undef
compile_mode
Data type: Enum['off', 'jit', 'force']
Set the JRuby CompileMode.
Default value: 'off'
ssl_protocols
Data type: Array[Pupmod::Master::SSLProtocols]
The protocols that are allowed for communication with the Puppet Server. See the ssl-protocols documentation for the Puppet Server for additional details.
Default value: ['TLSv1.2']
ssl_cipher_suites
Data type: Optional[Array[Pupmod::Master::SSLCipherSuites]]
The allowed SSL Cipher Suites to be used by the Puppet Server. The allowed list is Java version dependent and you will need to check the system Java documentation for details.
- The default is in the module data
Default value: undef
enable_profiler
Data type: Boolean
Whether or not to enable the Puppet Server profiler to allow for code metrics gathering.
Default value: false
profiling_mode
Data type: Pupmod::ProfilingMode
The JRuby profiling mode to use when profiling the server.
- Only functional on puppetserver >= 5.4.1
Default value: 'off'
profiler_output_file
Data type: Stdlib::AbsolutePath
The file to use when outputting server profiling information
- Only functional on puppetserver >= 5.4.1
Default value: "${vardir}/server_jruby_profiling"
admin_api_whitelist
Data type: Array[Simplib::Hostname]
A list of X.509 certificate names that should be allowed to access the Puppet Server's administrative API.
Default value: [pick($facts['certname'], $facts['fqdn'])]
admin_api_mountpoint
Data type: String
The endpoint for the Puppet Server's administrative API. Changing this may break external utilities.
Default value: '/puppet-admin-api'
log_to_file
Data type: Boolean
If true, log to system log files at /var/log/puppetserver.
Default value: false
strict_hostname_checking
Data type: Boolean
Whether to only search for the complete hostname as it is in the certificate when searching for node information in the catalogs or to match dot delimited segments of the cert's certname and the hostname, fqdn, and/or domain facts.
- Do NOT set to false unless you have read the details of CVE-2020-7942
Default value: true
cve_2020_7942_warning
Data type: Boolean
Whether to warn about CVE-2020-7942 when the issue is detected.
Default value: true
syslog
Data type: Boolean
If true, log to the local system logger over UDP port 514.
Default value: simplib::lookup('simp_options::syslog', { 'default_value' => false })
syslog_facility
Data type: String
The syslog facility to which to report if using syslog.
Default value: 'LOCAL6'
syslog_message_format
Data type: String
The Logback compatible syslog message format. For more information, see the Logback documentation for 'SuffixPattern'.
Default value: '%logger[%thread]: %msg'
log_level
Data type: Pupmod::LogLevel
Type: One of ['TRACE','DEBUG','INFO','WARN','ERROR','OFF'] A syslog severity string limiting the messages reported. Be aware that anything above 'WARN' will provide a massive amount of logs at each puppet run.
Default value: 'WARN'
autosign_hosts
Data type: Optional[Array[String[1]]]
An array of hosts or host globs to add to the master's autosign.conf file
- WARNING: If set, will be authoritative and overwrite the entire file!
Default value: undef
package_ensure
Data type: String
String used to specify either 'latest', 'installed', or a specific version of the puppetserver package
Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })
enable_analytics
Data type: Boolean
Enable the built-in analytics, and upgrade check, on the puppetserver
Default value: false
server_webserver_options
Data type: Optional[Hash[String[1],String[1]]]
A Hash of String,String pairs that will be added as HOCON formatted options to the base section of the server's webserver.conf configuration.
This is completely unvalidated and is present to allow setting many of the more esoteric options that can be found in the webserver configuration documentation at https://github.com/puppetlabs/trapperkeeper-webserver-jetty9/blob/master/doc/jetty-config.md
The results will be printed in the order that they are defined as key: value with no additional formatting so take care to ensure that your values are in proper HOCON format per https://github.com/lightbend/config/blob/master/HOCON.md
Default value: undef
ca_webserver_options
Data type: Optional[Hash[String[1],String[1]]]
A Hash of String,String pairs that will be added as HOCON formatted options to the ca section of the server's webserver.conf configuration.
This is completely unvalidated and is present to allow setting many of the more esoteric options that can be found in the webserver configuration documentation at https://github.com/puppetlabs/trapperkeeper-webserver-jetty9/blob/master/doc/jetty-config.md
The results will be printed in the order that they are defined as key: value with no additional formatting so take care to ensure that your values are in proper HOCON format per https://github.com/lightbend/config/blob/master/HOCON.md
Default value: undef
extra_webserver_sections
Data type: Optional[Hash[String[1],Hash[String[1],String[1]]]]
A Hash using the following format to express the full contents of a webserver configuration section with options as defined in https://github.com/puppetlabs/trapperkeeper-webserver-jetty9/blob/master/doc/jetty-config.md
Section Hash Example:
  {
    # Values are quoted because the declared data type requires Strings
    'section1_name' => {
      'ssl-port' => '1234'
    },
    'section2_name' => {
      'ssl-port' => '2345'
    }
  }
Result Example:
  webserver: {
    ...pre-existing material...
    section1_name: {
      ssl-port: 1234
    }
    section2_name: {
      ssl-port: 2345
    }
  }
This is completely unvalidated and is present to allow setting many of the more esoteric options that can be found in the webserver configuration documentation at https://github.com/puppetlabs/trapperkeeper-webserver-jetty9/blob/master/doc/jetty-config.md
The results will be printed in the order that they are defined as key: value with no additional formatting so take care to ensure that your values are in proper HOCON format per https://github.com/lightbend/config/blob/master/HOCON.md
Default value: undef
mock
Data type: Boolean
DO NOT USE. needed for rspec testing
Default value: false
pupmod::master::base
A break out of the mostly static files used by the Puppet master.
pupmod::master::generate_types
NOTE: incron support has been removed due to continuing issues with incrond.
If you are using a system that does not support systemd, you will need to run simp_generate_types using an alternate method (such as an r10k post script).
Parameters
The following parameters are available in the pupmod::master::generate_types class:
enable
trigger_on_puppetserver_update
puppetserver_exe
trigger_on_puppet_update
puppet_exe
trigger_on_new_environment
trigger_on_type_change
timeout
stability_timeout
run_dir
enable
Data type: Boolean
Enable or disable automatic generation of types using puppet generate types
Default value: true
trigger_on_puppetserver_update
Data type: Boolean
Run puppet generate types on all environments if the puppetserver application is updated
Default value: true
puppetserver_exe
Data type: Stdlib::AbsolutePath
Fully qualified path to the puppetserver executable
Default value: '/opt/puppetlabs/server/apps/puppetserver/bin/puppetserver'
trigger_on_puppet_update
Data type: Boolean
Run puppet generate types on all environments if the puppet application is updated
Default value: true
puppet_exe
Data type: Stdlib::AbsolutePath
Fully qualified path to the puppet executable
Default value: '/opt/puppetlabs/puppet/bin/puppet'
trigger_on_new_environment
Data type: Boolean
Run puppet generate types on new environments as soon as they are created
Default value: true
trigger_on_type_change
Data type: Boolean
Watch all type files for changes and generate types when types are updated
Default value: true
timeout
Data type: Integer[0]
Seconds before the simp_generate_types script will kill any other simp_generate_types processes and continue
Default value: 300
stability_timeout
Data type: Integer[0]
Seconds before the simp_generate_types script will exit, without processing, due to environments continuing to be created in the environment path while the simp_generate_types script is attempting to execute
- This comes into play when deploying large numbers of environments and generally should not need to be changed otherwise. If you see an error message relating to environments not reaching stability, then you will need to increase this number.
Default value: 500
run_dir
Data type: Stdlib::AbsolutePath
The directory to use for saving state and metadata for the simp_generate_types process
Default value: '/var/run/simp_generate_types'
pupmod::master::install
Install the puppetserver
Parameters
The following parameters are available in the pupmod::master::install class:
package_name
Data type: String[1]
Default value: pupmod::server_distribution()
package_ensure
Data type: String[1]
Default value: pick(getvar('pupmod::master::package_ensure'), 'installed')
pupmod::master::reports
This class simply controls settings around client reports on the system.
Most importantly, it allows for purging the reports.
Parameters
The following parameters are available in the pupmod::master::reports class:
vardir
Data type: Stdlib::AbsolutePath
The directory where reports should be stored.
Default value: $pupmod::master::vardir
purge
Data type: Boolean
Whether or not to purge old reports from the system.
Default value: true
purge_keep_days
Data type: Integer
The number of days of reports to keep around on the system.
Default value: 7
purge_verbose
Data type: Optional[Boolean]
DEPRECATED
- See the systemd tmpfiles logs for details
Default value: undef
port
Data type: Optional[Simplib::Port]
DEPRECATED
Default value: undef
pupmod::master::service
Split out the 'service' for cleaner dependency ordering
Parameters
The following parameters are available in the pupmod::master::service class:
service_name
Data type: String[1]
Name of the puppetserver service
Default value: pupmod::server_distribution()
pupmod::master::simp_auth
Add SIMP-specific entries to PuppetServer's auth.conf
For documentation about _allow and _deny, see the puppetserver docs
Parameters
The following parameters are available in the pupmod::master::simp_auth class:
auth_conf_path
pki_cacerts_all
pki_mcollective_all
pki_cacerts_all
pki_cacerts_all_rule
pki_cacerts_all_allow
pki_cacerts_all_deny
keydist_from_host
keydist_from_host_rule
keydist_from_host_allow
keydist_from_host_deny
krb5_keytabs_from_host
krb5_keytabs_from_host_rule
krb5_keytabs_from_host_allow
krb5_keytabs_from_host_deny
auth_conf_path
Data type: Stdlib::AbsolutePath
The location to the puppet master's auth.conf
Default value: '/etc/puppetlabs/puppetserver/conf.d/auth.conf'
pki_cacerts_all
Data type: Boolean
Allow access to the cacerts from the pki_files module from all hosts
Default value: true
pki_mcollective_all
Data type: Boolean
Allow access to the mcollective PKI from the pki_files module from all hosts
Default value: true
pki_cacerts_all
If enabled, allow access to the cacerts from the pki_files module from all hosts
Default value: true
pki_cacerts_all_rule
Data type: NotUndef
The regex rule to match requests against. The provided rule matches requests coming from the files/keydist/cacerts directory from the pki_files module
Default value: '^/puppet/v3/file_(metadata|content)/modules/pki_files/keydist/cacerts'
pki_cacerts_all_allow
Data type: NotUndef
Default value: '*'
pki_cacerts_all_deny
Data type: Any
Default value: undef
keydist_from_host
Data type: Boolean
If enabled, allow access to each host's own certs from the pki_files module
Default value: true
keydist_from_host_rule
Data type: NotUndef
The regex rule to match requests against. The provided rule matches requests coming from the files/keydist directory from the pki_files module
Default value: '^/puppet/v3/file_(metadata|content)/modules/pki_files/keydist/([^/]+)'
keydist_from_host_allow
Data type: NotUndef
Rules that the puppetserver should allow @see https://puppet.com/docs/puppetserver/2.7/config_file_auth.html#rules
Default value: '$2'
keydist_from_host_deny
Data type: Any
Rules that the puppetserver should deny @see https://puppet.com/docs/puppetserver/2.7/config_file_auth.html#rules
Default value: undef
krb5_keytabs_from_host
Data type: Boolean
If enabled, allow access to each host's own kerberos keytabs from the pki_files module
Default value: true
krb5_keytabs_from_host_rule
Data type: NotUndef
The regex rule to match requests against. The provided rule matches requests coming from the files/keytabs directory from the krb5_files module
Default value: '^/puppet/v3/file_(metadata|content)/modules/krb5_files/keytabs/([^/]+)'
krb5_keytabs_from_host_allow
Data type: NotUndef
Rules that the puppetserver should allow @see https://puppet.com/docs/puppetserver/2.7/config_file_auth.html#rules
Default value: '$2'
krb5_keytabs_from_host_deny
Data type: Any
Rules that the puppetserver should deny @see https://puppet.com/docs/puppetserver/2.7/config_file_auth.html#rules
Default value: undef
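The default rules above pair a regex with an allow value, and '$2' refers to the second capture group, which is the per-host directory name. The Ruby sketch below is an added example, not code from this module or from puppetserver: it models rule evaluation in a simplified way (first matching rule decides, deny beats allow, unmatched or unauthenticated requests are denied) and runs the defaults against constructed request paths and certnames. The rule order shown is an assumption.

```ruby
# Simplified model of regex-type auth rules with allow/deny lists.
# Assumptions: rule order, request paths and certnames are constructed.

Rule = Struct.new(:name, :regex, :allow, :deny)

# Regex and allow defaults copied from the pupmod::master::simp_auth parameters.
RULES = [
  Rule.new('pki_cacerts_all',
           '^/puppet/v3/file_(metadata|content)/modules/pki_files/keydist/cacerts',
           '*', nil),
  Rule.new('keydist_from_host',
           '^/puppet/v3/file_(metadata|content)/modules/pki_files/keydist/([^/]+)',
           '$2', nil),
  Rule.new('krb5_keytabs_from_host',
           '^/puppet/v3/file_(metadata|content)/modules/krb5_files/keytabs/([^/]+)',
           '$2', nil)
].freeze

# Replace $1, $2, ... in an allow/deny entry with the regex capture groups.
def expand(entry, match)
  entry.gsub(/\$(\d+)/) { |ref| match[ref[1..-1].to_i].to_s }
end

# Does one allow/deny entry cover this certname?
def entry_matches?(entry, match, certname)
  # Test the wildcard on the configured entry, never on the expanded value,
  # so a path segment of '*' cannot turn '$2' into "allow everyone".
  return true if entry == '*'

  expand(entry, match) == certname
end

# Returns :no_match, :allow or :deny for a single rule.
def evaluate(rule, path, certname)
  match = Regexp.new(rule.regex).match(path)
  return :no_match unless match
  return :deny if certname.nil? # no client certificate: not an authenticated request

  denied  = Array(rule.deny).any?  { |e| entry_matches?(e, match, certname) }
  allowed = Array(rule.allow).any? { |e| entry_matches?(e, match, certname) }
  !denied && allowed ? :allow : :deny
end

# First rule whose regex matches the path decides; otherwise deny.
def decide(rules, path, certname)
  rules.each do |rule|
    verdict = evaluate(rule, path, certname)
    return [rule.name, verdict] unless verdict == :no_match
  end
  [nil, :deny]
end

KEYDIST = '/puppet/v3/file_content/modules/pki_files/keydist'
KEYTABS = '/puppet/v3/file_content/modules/krb5_files/keytabs'

# Constructed requests: [path, certname presented by the client].
SAMPLE_REQUESTS = [
  ["#{KEYDIST}/web01.example.com/web01.example.com.pem", 'web01.example.com'],
  ["#{KEYDIST}/web01.example.com/web01.example.com.pem", 'db01.example.com'],
  ["#{KEYDIST}/cacerts/cacerts.pem",                     'db01.example.com'],
  ["#{KEYTABS}/db01.example.com/krb5.keytab",            'db01.example.com'],
  ["#{KEYTABS}/db01.example.com/krb5.keytab",            'web01.example.com'],
  ["#{KEYDIST}/web01.example.com/web01.example.com.pem", nil]
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_REQUESTS.each do |path, certname|
    rule, verdict = decide(RULES, path, certname)
    puts format('%-6s %-24s %-20s %s', verdict, rule || '(no rule)',
                certname || '(unauthenticated)', path)
  end
end
```

Setting keydist_from_host_allow or krb5_keytabs_from_host_allow to '*' in this model lets every authenticated host read every other host's private key or keytab directory, which is why the per-host defaults are '$2'.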
pupmod::master::sysconfig
This class provides the sysconfig settings for the puppetserver daemon.
to use. To use the default enter 'default'. (Does not affect PE.)
Parameters
The following parameters are available in the pupmod::master::sysconfig
class:
install_dir
config
bootstrap_config
java_bin
java_start_memory
java_max_memory
jruby_jar
java_temp_dir
extra_java_args
use_code_cache_flushing
reserved_code_cache
service_stop_retries
start_timeout
server_distribution
user
group
mock
install_dir
Data type: Stdlib::AbsolutePath
The installation directory for the puppetserver.
config
Data type: Stdlib::AbsolutePath
The configuration directory for the puppetserver.
bootstrap_config
Data type: Array[Stdlib::AbsolutePath]
The bootstrap configuration directory for the puppetserver.
java_bin
Data type: Stdlib::AbsolutePath
The path to the java executable that the Puppet server should use on the system.
Default value: '/usr/bin/java'
java_start_memory
Data type: Optional[Pupmod::Memory]
The amount of memory to allocate on service startup.
Default value: undef
java_max_memory
Data type: Optional[Pupmod::Memory]
The maximum amount of memory to allocate within the system.
Default value: undef
jruby_jar
Data type: String
The name of the jar file located in /opt/puppetlabs/apps/puppetserver
Default value: 'jruby-9k.jar'
java_temp_dir
Data type: Optional[Stdlib::AbsolutePath]
The temporary directory to be used for periodic executables.
- This should not be /tmp, /var/tmp, or /dev/shm on SIMP systems due to the default disabling of exec on those spaces.
- Preceding directories will not be created.
Default value: undef
extra_java_args
Data type: Optional[Array[String]]
An Array that will be joined and appended to the Java argument list.
- The sanity and syntax of this list will not be checked.
Default value: undef
use_code_cache_flushing
Data type: Boolean
Enable code cache flushing to alleviate memory strain on the server
Default value: true
reserved_code_cache
Data type: Integer[0]
An Integer of the MB to be used for JRuby options of ReservedCodeCache
- By default, this will auto-populate based on function
Default value: pupmod::reserved_code_cache()
service_stop_retries
Data type: Integer
The number of times to attempt to stop the puppetserver process before failing.
Default value: 60
start_timeout
Data type: Integer
The number of seconds after which the service will be determined to have failed to start.
Default value: 120
server_distribution
Data type: Simplib::ServerDistribution
The Puppet distribution that is being managed.
Default value: pupmod::server_distribution()
user
Data type: String
The user that the puppetserver service will run as.
Default value: pick($facts.dig('puppet_settings','server','user'),$facts.dig('puppet_settings','master','user'))
group
Data type: String
The group that the puppetserver service will run as.
Default value: pick($facts.dig('puppet_settings','server','group'),$facts.dig('puppet_settings','master','group'))
mock
Data type: Boolean
Do not apply this class, only mock it up
Default value: false
Defined types
pupmod::conf
This is a simple define to call the Puppet INIFile class for the passed parameters on the puppet.conf file.
The main purpose is to easily allow for a service trigger.
Parameters
The following parameters are available in the pupmod::conf defined type:
name
A globally unique name for this resource. Will be prefixed with $modname
setting
Data type: String
The setting in the section to set
value
Data type: Scalar
The value of the setting to be set.
confdir
Data type: String
The configuration directory holding the 'puppet.conf' file.
section
Data type: String
The Section of the puppet.conf to set.
- If $setting is trying to be set to environment, then this will be forced to agent to work around various puppet command bugs.
@see https://simp-project.atlassian.net/browse/SIMP-6820
Default value: $setting
ensure
Data type: Enum['present', 'absent']
Determines whether the specified setting should exist.
Default value: 'present'
pupmod::master::autosign
Add an autosign entry to the puppet autosign file.
Ideally, autosign will not be used in your environment. However, should you happen to need it
Parameters
The following parameters are available in the pupmod::master::autosign defined type:
name
A useful comment for the entry being signed
entry
Data type: Optional[Pattern['^(\*\.)?\S+$']]
The autosign entry to add to the file if $name is used as a unique comment
Default value: undef
pupmod::master::fileserver_entry
Manage entries in the /etc/puppet/fileserver.conf file.
Parameters
The following parameters are available in the pupmod::master::fileserver_entry defined type:
name
The name of the [] segment.
allow
Data type: Variant[Array[Simplib::Host],Simplib::Host]
An array of entries to add to the allow statement.
path
Data type: Stdlib::AbsolutePath
The filesystem path to which this segment should point.
pupmod::pass_two
Puppet 4+ installations.
- See also
- comment
- at manifests/init.pp:244
- comment
Parameters
The following parameters are available in the pupmod::pass_two defined type:
namevar
server_distribution
confdir
firewall
pe_classlist
pupmod_server
pupmod_ca_server
pupmod_ca_port
pupmod_report
pupmod_masterport
namevar
Data type: String
Default value: $name
server_distribution
Data type: Simplib::ServerDistribution
Default value: pupmod::server_distribution()
confdir
Data type: Stdlib::AbsolutePath
Default value: '/etc/puppetlabs/puppet'
firewall
Data type: Optional[Boolean]
Default value: undef
pe_classlist
Data type: Hash
Default value: lookup('pupmod::pe_classlist')
pupmod_server
Data type: Variant[Simplib::Host, Array[Simplib::Host]]
Default value: '1.2.3.4'
pupmod_ca_server
Data type: Variant[Simplib::Host,Enum['$server']]
Default value: '$server'
pupmod_ca_port
Data type: Simplib::Port
Default value: 8141
pupmod_report
Data type: Boolean
Default value: false
pupmod_masterport
Data type: Simplib::Port
Default value: 8140
Functions
pupmod::java_max_memory
Type: Puppet Language
Provides a reasonable calculation for the reserved code cache value for JRuby for a system
pupmod::java_max_memory(Integer[1] $max_active_instances = 1)
Provides a reasonable calculation for the reserved code cache value for JRuby for a system
Returns: Pupmod::Memory
The maximum number of JRuby instances that should be active on the puppetserver
max_active_instances
Data type: Integer[1]
pupmod::max_active_instances
Type: Puppet Language
Provides a reasonable calculation for the maximum number of active instances for a system
Parameters are not to be used but are present as an assist to testing
pupmod::max_active_instances(Enum['monolithic', 'primary', 'compile'] $server_type = 'monolithic')
Provides a reasonable calculation for the maximum number of active instances for a system
Parameters are not to be used but are present as an assist to testing
Returns: Integer
The maximum number of JRuby instances that should be active on the puppetserver
server_type
Data type: Enum['monolithic', 'primary', 'compile']
pupmod::reserved_code_cache
Type: Puppet Language
Provides a reasonable calculation for the reserved code cache value for JRuby for a system
pupmod::reserved_code_cache()
Provides a reasonable calculation for the reserved code cache value for JRuby for a system
Returns: Integer
The maximum number of JRuby instances that should be active on the puppetserver
pupmod::server_distribution
Type: Puppet Language
Figure out if we're running PC1 or PE puppet
pupmod::server_distribution(Boolean $lookup_from_pupmod = true)
Figure out if we're running PC1 or PE puppet
Returns: String
'PE' or 'PC1' as applicable
lookup_from_pupmod
Data type: Boolean
Attempt to look up the value from $pupmod::server_distribution
pupmod::server_version
Type: Puppet Language
Authoritatively determine the puppet server version and return 0.0.0 if one could not be determined.
pupmod::server_version()
Authoritatively determine the puppet server version and return 0.0.0 if one could not be determined.
Returns: String
The puppet server version
Data types
Pupmod::CaTTL
Matches valid Puppet CA TTL configuration
Alias of
Variant[Integer, Pattern[/^\d+[smhdy]$/]]
Pupmod::LogLevel
puppetserver log levels
Alias of
Enum['TRACE', 'DEBUG', 'INFO', 'WARN', 'ERROR', 'OFF']
Pupmod::Master::SSLCiphersuites
Valid SSL Cipher Suites for the Puppet Master Webserver
Alias of
Enum['TLS_RSA_WITH_AES_256_GCM_SHA384', 'TLS_RSA_WITH_AES_256_CBC_SHA256', 'TLS_RSA_WITH_AES_256_CBC_SHA', 'TLS_RSA_WITH_AES_128_GCM_SHA256', 'TLS_RSA_WITH_AES_128_CBC_SHA256', 'TLS_RSA_WITH_AES_128_CBC_SHA', 'TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384', 'TLS_ECDH_RSA_WITH_AES_256_CBC_SHA', 'TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256', 'TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256', 'TLS_ECDH_RSA_WITH_AES_128_CBC_SHA', 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384', 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA', 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256', 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256', 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA', 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA', 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256', 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256', 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA', 'TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384', 'TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA', 'TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256', 'TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256', 'TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA', 'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_DHE_RSA_WITH_AES_256_CBC_SHA256', 'TLS_DHE_RSA_WITH_AES_256_CBC_SHA', 'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256', 'TLS_DHE_RSA_WITH_AES_128_CBC_SHA256', 'TLS_DHE_RSA_WITH_AES_128_CBC_SHA', 'TLS_DHE_DSS_WITH_AES_256_GCM_SHA384', 'TLS_DHE_DSS_WITH_AES_256_CBC_SHA256', 'TLS_DHE_DSS_WITH_AES_256_CBC_SHA', 'TLS_DHE_DSS_WITH_AES_128_GCM_SHA256', 'TLS_DHE_DSS_WITH_AES_128_CBC_SHA256', 'TLS_DHE_DSS_WITH_AES_128_CBC_SHA', 'TLS_EMPTY_RENEGOTIATION_INFO_SCSV']
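The enum above accepts every suite the type considers valid, including CBC suites whose name ends in a bare _SHA (HMAC-SHA1) and static RSA or ECDH key exchange. The Ruby helper below is an added example, not part of this module: it parses suite names of the form used in the enum and reports which entries of a configured list use a SHA-1 MAC, lack forward secrecy, or combine an AEAD mode with ephemeral key exchange. The candidate list and the function names are constructed for illustration.

```ruby
# Parse cipher suite names of the form accepted by
# Pupmod::Master::SSLCiphersuites and report their security properties.

SuiteInfo = Struct.new(:name, :key_exchange, :forward_secrecy, :mode, :mac)

SUITE_RE = /\ATLS_(?<kx>[A-Z_]+)_WITH_AES_(?<bits>128|256)_(?<mode>GCM|CBC)_(?<hash>SHA(?:256|384)?)\z/

SCSV = 'TLS_EMPTY_RENEGOTIATION_INFO_SCSV'

def classify(name)
  # The SCSV entry is a renegotiation signalling value, not an encryption suite.
  return SuiteInfo.new(name, nil, nil, :signalling, nil) if name == SCSV

  m = SUITE_RE.match(name)
  raise ArgumentError, "not a suite name from the enum: #{name}" unless m

  mac = if m[:mode] == 'GCM'
          :aead       # GCM authenticates itself; the SHA suffix names the PRF hash
        elsif m[:hash] == 'SHA'
          :hmac_sha1  # a bare _SHA suffix means HMAC-SHA1
        else
          :hmac_sha2
        end

  # Only ephemeral (EC)DHE key exchange gives forward secrecy; TLS_RSA_* and
  # TLS_ECDH_* suites use static keys.
  forward_secrecy = m[:kx].start_with?('ECDHE_', 'DHE_')
  SuiteInfo.new(name, m[:kx], forward_secrecy, m[:mode].downcase.to_sym, mac)
end

# Group a configured suite list by the properties a reviewer cares about.
def review(suites)
  infos = suites.map { |s| classify(s) }.reject { |i| i.mode == :signalling }
  {
    sha1_mac: infos.select { |i| i.mac == :hmac_sha1 }.map(&:name),
    no_forward_secrecy: infos.reject(&:forward_secrecy).map(&:name),
    aead_with_forward_secrecy:
      infos.select { |i| i.forward_secrecy && i.mac == :aead }.map(&:name)
  }
end

# Constructed candidate list; every value is taken from the enum above.
CANDIDATE = %w[
  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  TLS_RSA_WITH_AES_256_GCM_SHA384
  TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  TLS_EMPTY_RENEGOTIATION_INFO_SCSV
].freeze

if __FILE__ == $PROGRAM_NAME
  review(CANDIDATE).each do |finding, names|
    puts "#{finding}:"
    names.each { |n| puts "  #{n}" }
  end
end
```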
Pupmod::Master::SSLProtocols
Valid SSL Protocols for the Puppet Master Webserver
Alias of
Enum['TLSv1', 'TLSv1.1', 'TLSv1.2']
Pupmod::Memory
Matches valid puppetserver JAVA memory parameters
Alias of
Pattern['^\d+(g|k|m|%)$']
Pupmod::ProfilingMode
puppetserver profiling modes
Alias of
Enum['off', 'api', 'flat', 'graph', 'html', 'json', 'service']
- Tue Aug 17 2021 Trevor Vaughan tvaughan@onyxpoint.com - 8.2.0
- Change all instances of pupmod::master adding items to the master section to use server instead
- Update pupmod::conf to automatically switch master to server
- Automatically remove items from the puppet config in the master section that are set in the server section
section - Added pupmod::master::sysconfig::use_code_cache_flushing to reduce excessive memory usage
- Removed SHA1 ciphers from the server cipher list
- Disable the internal Red Hat FIPS option in the puppet server
- Wed Jul 28 2021 Andy Adrian andy.adrian@onyxpoint.com - 8.2.0
- Updated pupmod::puppet_server to accept Array as well as single hosts
- Updated pupmod::pass_two to configure server_list when multiple puppet_server are specified
- Updated pupmod::server_distribution to check server_list for puppet_user
- Wed Jun 16 2021 Chris Tessmer chris.tessmer@onyxpoint.com - 8.2.0
- Removed support for Puppet 5
- Ensured support for Puppet 7 in requirements and stdlib
- Tue Jun 15 2021 Trevor Vaughan tvaughan@onyxpoint.com - 8.2.0
- Changed
- Converted all cron items to systemd timers
- Converted the cleanup jobs to tmpfiles jobs
- Converted from the 'params' pattern to module data
- Added
- Purge puppet logs > 30 days by default
- Disable puppetserver analytics by default
- Wed May 26 2021 Trevor Vaughan tvaughan@onyxpoint.com - 8.1.3
- Fixed
- Fixed a bug where the pupmod::master::sysconfig class was not getting applied
- Changed
- Default pupmod::set_environment to false so that users don't accidentally end up with systems in the wrong environment
- Tue Jan 12 2021 Chris Tessmer chris.tessmer@onyxpoint.com - 8.1.3
- Removed EL6 support
- Get certname from trusted facts ONLY for authenticated remote requests
- Thu Nov 05 2020 Trevor Vaughan tvaughan@onyxpoint.com - 8.1.2-0
- Default to TLS1.2 only
- Use certname by default and fall back to fqdn for bolt, etc.
- Fri Oct 23 2020 Jeanne Greulich jeanne.greulich@onyxpoint.com - 8.1.1-0
- Puppet 6.19 has changed the "master" section to "server" in Puppet.settings. This fix updates the modules to check puppet_settings[:server] first then puppet_settings[:master].
- Tue Sep 22 2020 Trevor Vaughan tvaughan@onyxpoint.com - 8.1.0-0
- Set the default puppetserver ciphers to a safe set
- Fri Sep 11 2020 Adam Yohrling adam.yohrling@onyxpoint.com - 8.1.0-0
- Added better auto-tuning support for puppetserver, based on best practices
- Added ReservedCodeCache puppetserver support
- Wed Jul 29 2020 Jeanne Greulich jeanne.greulich@onyxpoint.com - 8.0.1-0
- Updated upper bound of inifile.
- Tue Jun 23 2020 Adam Yohrling adam.yohrling@onyxpoint.com - 8.0.0-0
- Resolved bug with systemd when simp_generate_types disabled
- Tue May 26 2020 Trevor Vaughan tvaughan@onyxpoint.com - 8.0.0-0
- Add EL8 Support
- Removed incron support in favor of using systemd path units to run simp_generate_types
- Attempts to activate the incron code will result in a warning message
- Add mitigation for https://puppet.com/security/cve/CVE-2020-7942/
- Wed Jan 08 2020 Liz Nemsick lnemsick.simp@gmail.com - 8.0.0-0
- Added optional management of the Facter configuration file.
- Mon Jan 06 2020 Michael Morrone michael.morrone@onyxpoint.com - 8.0.0-0
- Removed the deprecated CA CRL pull cron job and the corresponding pupmod::ca_crl_pull_interval parameter
- Removed deprecated auth.conf support for the legacy pki module and the corresponding parameters:
- pupmod::master::simp_auth::legacy_cacerts_all
- pupmod::master::simp_auth::legacy_mcollective_all
- pupmod::master::simp_auth::legacy_pki_keytabs_from_host
- Removed the deprecated pupmod::master::simp_auth::server_distribution parameter
- Tue Nov 19 2019 Luke Stigdon git@lukestigdon.com - 7.11.1-0
- Correct pupmod::master::profiler_output_file option name
- Mon Sep 02 2019 Trevor Vaughan tvaughan@onyxpoint.com - 7.11.1-0
- Ensure that pupmod::pass_two does not conflict with the internal PE configuration code for group ownership of puppet.conf
- Support simp-simplib < 5
- Fri Aug 02 2019 Robert Vincent pillarsdotnet@gmail.com - 7.11.1-0
- Support puppetlabs/concat 6.x and puppetlabs/inifile 3.x.
- Thu Jul 04 2019 Trevor Vaughan tvaughan@onyxpoint.com - 7.11.0-0
- Add a pupmod::server_distribution function for more accurately determining the version of the puppet server installed on the target system.
- Refactor some of the underlying code to use the new function and be safer for PE installations.
- Wed Jul 03 2019 Bob Vincent pillarsdotnet@gmail.com - 7.11.0-0
- Ensure that the 'environment' setting in puppet.conf is forced into the 'agent' section.
- Ensure that the 'environment' setting in puppet.conf does not exist in the 'main' section.
- Fri Jun 28 2019 Steven Pritchard steven.pritchard@onypoint.com - 7.11.0-0
- Add v2 compliance_markup data
- Fri Jun 28 2019 Bob Vincent pillarsdotnet@gmail.com - 7.10.2-0
- Add ca params for auth-extensions and subject-alt-names.
- Tue May 28 2019 Liz Nemsick lnemsick.simp@gmail.com - 7.10.1-0
- No longer hardcode the puppet uid and puppet gid to 52.
- Fri May 17 2019 Robert Vincent robert.vincent@conning.com - 7.10.1-0
- Add missing gem-path setting to puppetserver.conf template.
- Mon Mar 25 2019 Joseph Sharkey shark.bruhaha@gmail.com - 7.10.0-0
- Standardized cron datatypes to use the Simplib::Cron::### types. This allows more flexibility in cron scheduling.
- Fri Mar 08 2019 Nick Miller nick.miller@onyxpoint.com - 7.9.0-0
- Added Puppet 6 support
- Add management of $ssldir and $rundir
- Ensure that the puppet client environment is set to that which is provided by the server by default.
- Thu Mar 07 2019 Jeanne Greulich jeanne.greulich@onyxpoint.com - 7.9.0-0
- Add fact to list all the jruby jar files in the puppetserver installation directory.
- Allow user to change the jar file used to run puppetserver via pupmod::master::sysconfig::jruby_jar.
- Change the default jar file for puppetserver to jruby-9k.jar for the FOSS puppetserver. (It is already set to that for PE.)
- Wed Mar 06 2019 Liz Nemsick lnemsick.simp@gmail.com - 7.9.0-0
- Update minimum version of inifile Puppet module to 2.5.0
- Fix dependency cycle in a full SIMP system that was introduced by the new autorequire of the parent directory of an INI file in the ini_setting type
- Expanded the upper limit of the concat and stdlib Puppet module versions
- Updated a URL in the README.md
- Fri Jan 25 2019 Trevor Vaughan tvaughan@onyxpoint.com - 7.8.0-0
- Fixed issues with incron rules and the simp_generate_types calls.
- This was mostly due to bugs in the newer version of incrond. However, this module is now extensively tested for safety but will only trigger type generation on environment creation or updates to the puppet binaries.
- Fix bug where some SSL settings could not be set for the puppet server webserver components.
- Added the following advanced usage parameters in case users need to set parameters that are not presently managed to work around future issues:
- pupmod::master::server_webserver_options
- pupmod::master::ca_webserver_options
- Tue Jan 22 2019 Brandon Riden brandon.riden@onyxpoint.com - 7.7.1-0
- Set pupmod::master::generate_types: enable => false by default to fix bug causing puppet servers to crash.
- pupmod::master::extra_webserver_sections
- Thu Nov 15 2018 Trevor Vaughan tvaughan@onyxpoint.com - 7.7.0-0
- Fix warning about automatic data type munging in the puppet server sysconfig template
- Add workaround for Puppet 5 background exec issue to the generate_types exec
- Mon Oct 29 2018 Chris Tessmer chris.tessmer@onyxpoint.com - 7.7.0-0
- Remove deprecated [master] ca setting when ca = true in Puppet 5.5.6+
- Remove [master] ca setting in Puppet 6+
- Update badges and contribution guide URL in README.md
- Mon Oct 15 2018 Chris Tessmer chris.tessmer@onyxpoint.com - 7.7.0-0
- Add ensure parameter to pupmod::conf
- Ensure that trusted_server_facts is removed for Puppet 5.+ (PUP-6112)
- Tue Sep 11 2018 Steven Pritchard steven.pritchard@onyxpoint.com - 7.7.0-0
- Unconditionally manages the puppet service
- Remove the (apparently) broken status logic on the puppet service
- Mon Sep 10 2018 Liz Nemsick lnemsick.simp@gmail.com - 7.7.0-0
- Update Hiera 4 to Hiera 5
- Thu Jul 19 2018 Liz Nemsick lnemsick.simp@gmail.com - 7.6.1-0
- Fixed bug in which the JAVA tmpdir path for the puppetserver was incorrectly set. This could cause puppetserver RPM upgrades to fail.
- Thu Jul 12 2018 Trevor Vaughan tvaughan@onyxpoint.com - 7.6.1-0
- Fixed the new simp_generate_types script to ensure that the permissions on the created directory are correctly set.
- Thu Jun 14 2018 Nick Miller nick.miller@onyxpoint.com - 7.6.1-0
- Cleanup unneeded fixtures and update CI assets
- Remove unused simp/tcpwrappers and simp/logrotate dependencies
- Fri May 04 2018 Trevor Vaughan tvaughan@onyxpoint.com - 7.6.0-0
- Changed some 'validate_re' statements to 'assert_type' to remove deprecation warnings
- Added 'pupmod::master::generate_types' (enabled by default) which:
- Adds a script, /usr/local/sbin/simp_generate_types that will run 'puppet generate types' either on all environments (when first distributed by Puppet) or per environment
- Adds incron hooks to run 'simp_generate_types' when Ruby files in any puppet type have been updated
- Adds incron hooks to run 'simp_generate_types' on any new environment
- Adds incron hooks to run 'simp_generate_types' on all environments if the puppetserver binary is updated
- All errors are logged to syslog
- Tue Apr 17 2018 Jeanne Greulich jeanne.greulich@onyxpoint.com - 7.6.0-0
- Added line in puppet cron to shutdown/disable puppet client service.
- Added check in agent/cron manifest to disable and stop puppet client service so it would not run multiple times on newly kickstarted systems.
- Mon Mar 19 2018 Lucas Yamanishi lucas.yamanishi@onyxpoint.com - 7.5.0-0
- Fix service name and related resources on Puppet Enterprise (PE)
- Fix $tmpdir setting on PE
- Fix Puppetserver service management on PE
- Tue Mar 06 2018 Nick Miller nick.miller@onyxpoint.com - 7.5.0-0
- pupmod::master::simp_auth
- Allow tweaking allow and deny rules for supported keydist auth rules
- Removed Mcollective auth rules
- Deprecated $legacy_cacerts_all and $legacy_pki_keytabs_from_host
- Fri Mar 02 2018 Trevor Vaughan tvaughan@onyxpoint.com - 7.5.0-0
- Updated to support Puppet 5
- Fixed issues with the puppetserver configuration that could have broken Puppet 5 system configurations
- Updated to support new server options
- Fixed issues with autosign and fileserver.conf defined types generating incorrect files
- Updated all puppet strings documentation
- Converted all templates to EPP
- Added process limits on the number of JRuby instances started designed to not overload the server in terms of either processor power or memory capabilities
- Added OracleLinux support
- Fri Feb 09 2018 Liz Nemsick lnemsick.simp@gmail.com - 7.5.0-0
- Add the missing puppetlabs/inifile dependency to the metadata.json
- Fixed puppet-lint problem
- Mon Oct 02 2017 Chris Tessmer chris.tessmer@onyxpoint.com - 7.4.1-0
- Fixed bug where :selinux_config_mode is tested even when :selinux is false.
- Mon Sep 11 2017 Liz Nemsick lnemsick.simp@gmail.com - 7.4.0-0
- Add SHA256-based option to generate the minute parameter for a client's puppet agent cron from its IP address. This option is intended to mitigate the undesirable clustering of client puppet agent runs, when the number of IPs to be transformed is less than the minute range over which the randomization is requested (60) and/or the client IPs are not linearly assigned.
- Tue Aug 01 2017 Liz Nemsick lnemsick.simp@gmail.com - 7.4.0-0
- Ensure OBE 'puppet_crl_pull' cron job from pupmod versions prior to 7.3.1 is removed.
- Thu Jul 27 2017 Nick Markowski nmarkowski@keywcorp.com - 7.4.0-0
- README updates:
- Informed users of legacy auth.conf deprecation
- Provided instructions to reproduce custom auth.conf entries in puppet
- Thu Jun 22 2017 Jeanne Greulich jeanne.greulich@onyxpoint.com - 7.3.1-0
- fixed the path to the pki_files and krb_files in the auth.conf so remote systems could download files.
- Update puppet requirement in metadata.json
- Wed Jun 14 2017 Nick Miller nick.miller@onyxpoint.com - 7.3.1-0
- Removed Puppet CRL download, the puppet agent now checks for the expiration of the cert automatically
- Mon Jun 05 2017 Nick Markowski nmarkowski@keywcorp.com - 7.3.1-0
- Ensure legacy auth.conf is backed up before removing it. This is a follow up to SIMP-3049 based on feedback to SIMP-3196.
- Mon May 22 2017 Kendall Moore kendall.moore@onyxpoint.com 7.3.1-0
- Added manifest to manage simp-specific puppet master auth requirements
- Disabled puppetserver setting to enable legacy auth.conf by default
- Remove legacy auth.conf placed by the puppet-agent package
- Fri May 19 2017 Nick Miller nick.miller@onyxpoint.com - 7.3.1-0
- Removed deprecated audit metaparameter
- Fri Apr 28 2017 Dylan Cochran dylan.cochran@onyxpoint.com - 7.3.1-0
- Use global catalyst to configure package_ensure.
- Add 'puppet_enterprise::profile::database' class definition to the pe_classlist and move the postgresql components under that class.
- Add 'puppet_enterprise::profile::primary_master_replica' class definition to the class list to work around an issue in production
- Tue Apr 04 2017 Dylan Cochran dylan.cochran@onyxpoint.com - 7.3.0-0
- Add 'package_ensure' to allow users to specify that they want to use 'latest' or 'installed'
- Wed Mar 08 2017 Nick Markowski nmarkowski@keywcorp.com - 7.2.0-0
- Updated puppetagent_cron:
- Added break_puppet_lock param so users can clearly specify when they wish to forcibly enable the puppet agent.
- Added max_disable_time param. Updated logic to determine when to forcibly enable a puppet agent, and moved logic into cron.pp for user-friendliness.
- Set maxruntime default of 4 hours
- Wed Mar 01 2017 Nick Miller nick.miller@onyxpoint.com - 7.1.1-0
- The previous audit rules relied on the puppet user existing, but in newer versions of puppet, the puppet user only exists on the puppetserver. This commit only puts auditing on the puppetserver.
- Mon Feb 20 2017 Jeanne Greulich jeanne.greulich@onyxpoint.com - 7.1.0-0
- Fix typos in the puppetagent cron script
- Mon Dec 10 2016 Nick Miller nick.miller@onyxpoint.com - 7.1.0-0
- Updated assets and versions
- Converted to puppet-strings
- Switched to the new catalyst pattern with simplib::lookup
- Strong typed module
- Set trusted_server_facts to true by default
- Wed Nov 23 2016 Jeanne Greulich jgreulich.simp@onyxpoint.com - 7.0.0-0
- update requirement versions
- Mon Nov 21 2016 Chris Tessmer chris.tessmer@onyxpoint.com - 7.0.0-0
- Updated to compliance_markup version 2
- Tue Nov 15 2016 Liz Nemsick lnemsick.simp@gmail.com - 7.0.0-0
- Updated iptables dependency version
- Thu Nov 10 2016 Nick Miller nick.miller@onyxpoint.com - 7.0.0-0
- Removed puppetlast_support puppet_auth resource, it is unneeded
- Fri Sep 30 2016 Trevor Vaughan tvaughan@onyxpoint.com, Chris Tessmer chris.tessmer@onyxpoint.com - 7.0.0-0
- Update to work with the latest Puppet 4 and Puppet Server
- Fixed a lot of tests and minor logic problems
- Wed Sep 28 2016 Chris Tessmer chris.tessmer@onyxpoint.com - 6.0.7-0
- Fix Forge haveged dependency name
- Tue Sep 20 2016 Bryan Howard, Liz Nemsick lnemsick.simp@gmail.com - 6.0.6-0
- Fixed bash redirection error in puppetagent_cron.erb
- Thu Jun 30 2016 Nick Markowski nmarkowski@keywcorp.com - 6.0.5-0
- Use_haveged is now a global catalyst.
- Tue Jun 28 2016 Nick Miller nick.miller@onyxpoint.com - 6.0.4-0
- Added logic to make sure java_max_memory never exceeded 12G
- Mon Jun 27 2016 Nick Markowski nmarkowski@keywcorp.com - 6.0.3-0
- Pupmod-haveged included by default to assist with entropy generation.
- Tue Jun 21 2016 Trevor Vaughan tvaughan@onyxpoint.com - 6.0.2-0
- Updated the calls to use_iptables to be able to be disabled globally.
- Thu May 19 2016 Trevor Vaughan tvaughan@onyxpoint.com - 6.0.1-0
- Made master::reports a private class
- Thu Feb 25 2016 Ralph Wright ralph.wright@onyxpoint.com - 6.0.0-24
- Added compliance function support
- Wed Feb 24 2016 Trevor Vaughan tvaughan@onyxpoint.com - 6.0.0-24
- Fix the subscribe on the Service['puppet'] resource to not be a hard coded path.
- Thu Dec 24 2015 Trevor Vaughan tvaughahn@onyxpoint.com - 6.0.0-23
- Fixed minor logic errors
- Now have configuration changes notify Service['puppetserver'] instead of the more efficient Exec. This gets around a race condition when the service is restarted and the exec fires before the service has fully restarted.
- Fixed issues with the puppetserver_* helper scripts that surfaced due to changes in the HTTP responses from the Puppet Server.
- Fri Dec 04 2015 Chris Tessmer chris.tessmer@onyxpoint.com - 6.0.0-22
- Replaced all 'lsb' facts with their (package-independent) 'operatingsystem' counterparts.
- Moved parameter validations to the top of each class.
- Mon Nov 09 2015 Chris Tessmer chris.tessmer@onyxpoint.com - 6.0.0-21
- migration to simplib and simpcat (lib/ only)
- Wed Nov 04 2015 Chris Tessmer chris.tessmer@onyxpoint.com - 6.0.0-20
- Improved logic for defaults
- Thu Sep 17 2015 Kendall Moore kmoore@keywcorp.com - 6.0.0-19
- Ensure keylength is set to 2048 in puppet.conf if FIPS mode is enabled.
- Wed Jun 17 2015 Trevor Vaughan tvaughan@onyxpoint.com - 6.0.0-18
- Remove the legacy code that restarted httpd when the Puppet CRL was downloaded.
- Tue May 05 2015 Jacob Gingrich jacob.gingrich@onyxpoint.com - 6.0.0-17
- Enabled the puppetserver service
- Fri Mar 20 2015 Kendall Moore kmoore@keywcorp.com - 6.0.0-16
- Added a puppet_ruby_dir fact to return the location of the runtime ruby directory for Puppet on the client.
- Wed Feb 18 2015 Trevor Vaughan tvaughan@onyxpoint.com - 6.0.0-16
- Updated to use the refactored Augeasproviders
- Fri Jan 16 2015 Trevor Vaughan tvaughan@onyxpoint.com - 6.0.0-15
- Changed puppet-server requirement to puppet
- Added full support for the new Clojure-based Puppet Server
- Removed all support for the Passenger Puppet Master
- Wed Dec 03 2014 Trevor Vaughan tvaughan@onyxpoint.com - 6.0.0-14
- Changed 'splay' to false
- Properly handles true/false values in the puppet conf settings.
- Added support for $runinterval, $splaylimit, and $configtimeout
- Added full class validation
- Multiple fixes to the cron script:
- No longer uses values from the Puppet master to make decisions.
- Properly differentiates between the run lock file and the manual disabling of the system.
- Tue Nov 25 2014 Trevor Vaughan tvaughan@onyxpoint.com - 6.0.0-13
- Updated the agent cron job to be able to use alternate run intervals as well as support an alternate base for run randomization. This means that you can use something other than IP address to randomize your nodes. Any string will work.
- Fri Oct 17 2014 Trevor Vaughan tvaughan@onyxpoint.com - 6.0.0-12
- CVE-2014-3566: Updated protocols to mitigate POODLE.
- Mon Sep 08 2014 Trevor Vaughan tvaughan@onyxpoint.com - 6.0.0-11
- Add appropriate confines to the passenger* facts and no longer hard code paths.
- Ensure that the puppetmaster init does not fire off alongside httpd.
- Made the change for puppet_manage_all_files conditional on the RHEL/CentOS version since this needs to work on both 6 and 7.
- Wed Aug 27 2014 Trevor Vaughan tvaughan@onyxpoint.com - 6.0.0-10
- Changed the $passenger_temp_dir selinux type from tmp_t to httpd_var_run_t since it is now in /var/run/passenger by default.
- Tue Aug 26 2014 Kendall Moore kmoore@keywcorp.com - 6.0.0-9
- Updated the passenger_version fact to return "unknown" when Passenger is not installed.
- Mon Aug 25 2014 Kendall Moore kmoore@keywcorp.com - 6.0.0-9
- SELinux boolean puppet_manage_all_files was changed to puppetagent_manage_all_files.
- Mon Jul 14 2014 Trevor Vaughan tvaughan@onyxpoint.com - 6.0.0-8
- Updated the code to only enable the puppetmaster init script if passenger is not enabled and the init system includes systemd.
- Added a setting to set 'stringify_facts' to 'false' in the [main] section of puppet.conf. This was not made a variable since complex facts in other parts of the system will fail without it.
- Tue Jul 01 2014 Adam Yohrling adam.yohrling@onyxpoint.com - 6.0.0-7
- Added puppet_auth type to make sure puppet master is able to access node REST endpoint for puppetlast script to work
- Added pupmod RPM requirement of pupmod-augeasproviders
- Mon Jun 23 2014 Trevor Vaughan tvaughan@onyxpoint.com - 6.0.0-6
- Added a segment for using a passenger service stub to ensure that the passenger service can properly run.
- Fixed a bug in the passenger template for apache where the output configuration would be incorrect should you have both the master and CA ports identically set.
- Fixed SELinux check for when selinux_current_mode is not found.
- Sun Jun 22 2014 Kendall Moore kmoore@keywcorp.com - 6.0.0-6
- Removed MD5 file checksums for FIPS compliance.
- Updated puppet conf to set the digest algorithm to SHA-256 by default.
- Fri Jun 13 2014 Trevor Vaughan tvaughan@onyxpoint.com - 6.0.0-5
- Updated the code to use environment directories instead of the 'manifest' option since it is deprecated in Puppet 3.6.
- Fri May 16 2014 Kendall Moore kmoore@keywcorp.com - 6.0.0-4
- Updated the passenger manifest to convert the SSL cipher suite to an array and updated the passenger template to correspond to this change.
- Sun Apr 20 2014 Trevor Vaughan tvaughan@onyxpoint.com - 6.0.0-3
- master::freeze_main is now set to true by default.
- Changed back to /bin/logger since that is correct for RHEL/CentOS 6
- Wed Apr 16 2014 Nick Markowski nmarkowski@keywcorp.com - 6.0.0-2
- Selinux booleans now set if mode != disabled
- Fixed some minor errors in rspec tests, and updated them for the Selinux change.
- Updated facter value calls to new standard
- Fri Apr 04 2014 Nick Markowski nmarkowski@keywcorp.com - 6.0.0-2
- Selinux booleans now set if mode != disabled
- Fixed some minor errors in rspec tests, and updated them for the Selinux change.
- Fri Mar 28 2014 Kendall Moore kmoore@keywcorp.com - 6.0.0-1
- Updated puppetagent_cron script to ignore output when stopping the puppet service.
- Wed Feb 12 2014 Trevor Vaughan tvaughan@onyxpoint.com - 6.0.0-0
- Converted all string booleans to booleans.
- Refactored the entire module to use puppetlabs-inifile for puppet.conf management.
- Parameterized as many variables as reasonable in the classes to allow for flexibility.
- Added a CRL downloading cron job to update the Puppet CRLs on all hosts on a regular basis.
- Updated the puppetmaster init script to ignore mongrel settings and reload apache properly on update.
- Added a requirement on puppetlabs-inifile to manage only specific entries in puppet.conf.
- This should not break any existing installations but will not trap, nor manage, by default all of the values that were previously specified.
- A new define pupmod::conf has been added to provide for the manipulation of configuration file entries.
- Added basic puppet-rspec tests.
- Set SSLVerifyClient to optional for CA
- Mon Oct 07 2013 Kendall Moore kmoore@keywcorp.com - 5.0.0-2
- Updated all erb templates to properly scope variables.
- Tue Oct 01 2013 Trevor Vaughan tvaughan@onyxpoint.com - 5.0.0-1
- Fixed change to pupmod::passenger::add_site which changed the name of the site and, therefore, the name of the file in /etc/httpd/conf.d. This caused a conflict on upgrade.
- Tue Sep 24 2013 Kendall Moore kmoore@keywcorp.com - 5.0.0-0
- Require puppet 3.X and puppet-server 3.X because of an upgrade to use hiera instead of extdata.
- Updated the config.ru and apache_passenger templates as well as the passenger::add_site manifest to support new passenger options in Puppet 3.1.
- Updated puppetagent_cron template by changing lockfile variable according to Puppet 3.
- Tue Sep 24 2013 Trevor Vaughan tvaughan@onyxpoint.com - 4.2.0-5
- Moved the passenger temp directory from /tmp to /var/run/passenger. The permissions on the socket files were simply too permissive to have hanging about in /tmp. Puppetmaster_switch and the init script were updated to accommodate the change.
- Thu Aug 15 2013 Trevor Vaughan tvaughan@onyxpoint.com - 4.2.0-4
- Re-introduced the passenger_root fact but made it more intelligent.
- Set the passenger_root variable to $::passenger_root by default.
- Thu Jun 13 2013 Trevor Vaughan tvaughan@onyxpoint.com - 4.2.0-3
- Added audit rules that will watch the /etc/puppet directory tree for writes or attribute changes not performed by the puppet user.
- Tue Feb 05 2013 Kendall Moore kmoore@keywcorp.com - 4.2.0-2
- Created Cucumber tests to check basic puppet server and client features
- Tue Jan 29 2013 Trevor Vaughan tvaughan@onyxpoint.com - 4.2.0-1
- Added +ExportCertData to SSLOptions.
- Mon Dec 10 2012 Trevor Vaughan tvaughan@onyxpoint.com - 4.2.0-0
- Updated the apache_passenger template to support most of the passenger options.
- Attempt to keep half as many puppetmaster instances running as are specified or calculated at all times. This should make response time better overall.
- Removed the passenger_root fact since the EPEL version of passenger doesn't supply the utils.
- This is another mid-level jump due to the fact that EPEL split out the native Passenger libraries! These are included in the associated patch set but there's no good way to tie them together explicitly so be careful!
- Wed Nov 28 2012 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-0
- Critical update to fix an issue where unowned files at the root level were getting recursively chowned to puppet.puppet.
- Moved all of the singleton defines to classes which will cause some files in simp-bootstrap to be reconfigured.
- Thu Jul 05 2012 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-5
- Fixed a typo where we had 'dbpasword' instead of 'dbpassword' for the server configuration.
- Updated the server and client configuration files with the options for the latest version.
- Thu Jun 07 2012 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-4
- Ensure that Arrays in templates are flattened.
- Call facts as instance variables.
- Optimized the find command for 'gem_permissions'.
- Moved mit-tests to /usr/share/simp...
- Updated pp files to better meet Puppet's recommended style guide.
- Fri Mar 02 2012 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-3
- Removed puppetd cron job from running systems since it conflicted with the new puppetagent cron job.
- Improved test stubs.
- Tue Jan 31 2012 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-2
- Remove newserver.erb, this fact is no longer required.
- Mon Dec 26 2011 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-1
- Updated the spec file to not require a separate file list.
- Scoped all of the top level variables.
- Mon Nov 14 2011 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-0
- Updated to ensure that the puppet cron uses /usr/bin/logger instead of /bin/logger.
- Mon Oct 10 2011 Trevor Vaughan tvaughan@onyxpoint.com - 2.0.0-3
- Updated to put quotes around everything that needs it in a comparison statement so that puppet > 2.5 doesn't explode with an undef error.
- Tue Aug 09 2011 Trevor Vaughan tvaughan@onyxpoint.com - 2.0.0-2
- Ensure that autosign.conf is 644.
- Mon Apr 18 2011 Trevor Vaughan tvaughan@onyxpoint.com - 2.0.0-1
- Update the puppet cron job to properly unlock. This was broken in previous releases. This feature is important in the case that puppet dies unexpectedly and leaves a lock file behind. The default is set to 4 times the croninterval and will not exceed 4 hours.
- Ensure that Passenger and Mongrel configuration files are not in the Apache space if attempting to run under a Mongrel server. Users should now have the ability to seamlessly switch between all three types of servers.
- Updated puppetmaster_switch exec to properly require files and only run if it has changed.
- Ensure that mongrel and passenger can switch between each other effectively.
- Changed all instances of defined(Class['foo']) to defined('foo') per the directions from the Puppet mailing list.
- Updated to use concat_build and concat_fragment types.
- Mon Apr 18 2011 Morgan Haskel morgan.haskel@onyxpoint.com - 2.0.0-1
- Changed puppet://$puppet_server/ to puppet:///
- Added two stock classes, cluster_client and cluster_master, for enabling NFS to help cluster puppet servers.
- Tue Jan 11 2011 Trevor Vaughan tvaughan@onyxpoint.com - 2.0.0-0
- Refactored for SIMP-2.0.0-alpha release
- Puppet.conf updated to deal with puppet deprecations
- svckill.rb added to puppet.conf postrun_command
- 'puppet' uid/gid changed to 52
- Tue Oct 26 2010 Maintenance - 1-5
- Converting all spec files to check for directories prior to copy.
- Tue Aug 03 2010 Trevor Vaughan tvaughan@onyxpoint.com - 1.0-4
- Updated puppetmaster init script to work with passenger.
- Thu Jul 22 2010 Trevor Vaughan tvaughan@onyxpoint.com - 1.0-3
- Removed all instances of 'daemonize' from templates as this caused horrible problems with activerecord.
- Thu Jul 01 2010 Trevor Vaughan tvaughan@onyxpoint.com - 1.0-2
- Updated puppetmaster_switch to work with external CA.
- Updated the configuration for Passenger to properly utilize CRLs.
- Added the ability for Passenger to listen on both 8140 and 8141 by default for legacy purposes.
- Thu Jul 01 2010 Morgan Haskel morgan.haskel@onyxpoint.com - 1.0-2
- Added templates needed for clustered puppetmasters.
- Wed Jun 16 2010 Trevor Vaughan tvaughan@onyxpoint.com - 1.0-1
- Added a fact that determines the passenger root directory if passenger is installed.
- Thu Jun 03 2010 Trevor Vaughan tvaughan@onyxpoint.com - 1.0-0
- Made server permissions changes less aggressive.
- Tue May 25 2010 Trevor Vaughan tvaughan@onyxpoint.com - 0.1-40
- Updated Passenger.
- Mon May 03 2010 Trevor Vaughan tvaughan@onyxpoint.com - 0.1-39
- Modified gem package names for Mongrel.
- Tue Apr 27 2010 Trevor Vaughan tvaughan@onyxpoint.com - 0.1-38
- Added the ability to set the 'certname' option in pupmod::client::main_conf
- Wed Mar 17 2010 Trevor Vaughan tvaughan@onyxpoint.com - 0.1-37
- Added the --no-splay option to the puppet runs in puppetmaster_switch.sh. This massively speeds things up if you have to re-run it later for some reason.
- Tue Feb 23 2010 Trevor Vaughan tvaughan@onyxpoint.com - 0.1-36
- Removed the 'nice' ability added in 0.1-33 as it propagates the nice value to all spawned services.
- Wed Feb 17 2010 Trevor Vaughan tvaughan@onyxpoint.com - 0.1-35
- Refactored the code to be more maintainable.
- Added the variables: $cronminute $cronhour $cronmonthday $cronmonth $cronweekday to pupmod::client::client_conf to allow users to set their own complete cron schedule for puppet runs. $croninterval still works but will be overridden if you set $cronminute to anything other than 'nil'.
- Thu Jan 28 2010 Trevor Vaughan tvaughan@onyxpoint.com - 0.1-33
- Added the ability to 'nice' the puppet cron job. The default 'nice' value is now '1'.
- Thu Jan 14 2010 Trevor Vaughan tvaughan@onyxpoint.com - 0.1-32
- Fixed typo in puppetd.cron in if comparison. Ignoring the override will now function properly.
- Thu Dec 31 2009 Trevor Vaughan tvaughan@onyxpoint.com - 0.1-31
- Fixed puppetmaster_switch.sh. All instances of --no-show-diff have been changed to --no-show_diff.
- Thu Nov 05 2009 Trevor Vaughan tvaughan@onyxpoint.com - 0.1-30
- Prevent the puppetmaster_switch.sh script from printing diff information to the logs.
Dependencies
- camptocamp/systemd (>= 2.7.0 < 3.0.0)
- simp/haveged (>= 0.4.5 < 1.0.0)
- puppetlabs/stdlib (>= 6.6.0 < 8.0.0)
- puppetlabs/inifile (>= 2.5.0 < 5.0.0)
- puppetlabs/puppet_authorization (>= 0.2.0 < 1.0.0)
- puppetlabs/hocon (>= 0.9.3 < 2.0.0)
- puppetlabs/concat (>= 6.4.0 < 8.0.0)
- simp/iptables (>= 6.1.2 < 7.0.0)
- simp/simplib (>= 4.9.0 < 5.0.0)
- simp/pki (>= 6.0.0 < 7.0.0)
pupmod-simp-pupmod - A Puppet Module for managing Puppet

--

Per Section 105 of the Copyright Act of 1976, these works are not entitled to domestic copyright protection under US Federal law.

The US Government retains the right to pursue copyright protections outside of the United States.

The United States Government has unlimited rights in this software and all derivatives thereof, pursuant to the contracts under which it was developed and the License under which it falls.

---

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.