3.3. Installing SIMP From A Repository
Using the official SIMP YUM repositories is the simplest method for getting up and running with a SIMP system. If you are using a virtual infrastructure, such as AWS, Microsoft Azure, Google Cloud, or your own internal VM stack, this is the method that you will almost definitely want to use.
Note
This method does not modify your system’s partitioning scheme or encryption scheme to meet any regulatory policies. If you want an example of what that should look like, either see the SIMP Server ISO Installation Guide or check out the Kickstart files in the simp-core Git repository.
3.3.1. Enable EPEL
$ sudo yum install epel-release -y
$ sudo yum install pygpgme yum-utils
3.3.2. Install The SIMP-Project Repository
Add the following to /etc/yum.repos.d/simp-project.repo, replacing 7 with the appropriate version of EL and 5 with the appropriate version of SIMP. EL 7 with SIMP 5.X is shown below.
If you don’t know what versions map together, please see the SIMP Version Guide.
[simp-project_5_X]
name=simp-project_5_X
baseurl=https://packagecloud.io/simp-project/5_X/el/7/$basearch
gpgcheck=1
enabled=1
gpgkey=https://raw.githubusercontent.com/NationalSecurityAgency/SIMP/master/GPGKEYS/RPM-GPG-KEY-SIMP
sslverify=1
sslcacert=/etc/pki/tls/certs/ca-bundle.crt
metadata_expire=300
[simp-project_5_X-source]
name=simp-project_5_X-source
baseurl=https://packagecloud.io/simp-project/5_X/el/7/SRPMS
gpgcheck=1
enabled=0
gpgkey=https://raw.githubusercontent.com/NationalSecurityAgency/SIMP/master/GPGKEYS/RPM-GPG-KEY-SIMP
sslverify=1
sslcacert=/etc/pki/tls/certs/ca-bundle.crt
metadata_expire=300
3.3.3. Install The SIMP-project_dependencies Repository
Note
The repository may contain items from external vendors, most notably Puppet, Inc. and EPEL but may also contain non-SIMP project files that have been compiled for distribution.
Add the following to /etc/yum.repos.d/simp-project_dependencies.repo, replacing 7 with the appropriate version of EL and 5 with the appropriate version of SIMP. EL 7 with SIMP 5.X is shown below.
If you don’t know what versions map together, please see the SIMP Version Guide.
Note
The whitespace and alignment shown before the additional gpgkey values must be preserved.
[simp-project_5_X_dependencies]
name=simp-project_5_X_dependencies
baseurl=https://packagecloud.io/simp-project/5_X_Dependencies/el/7/$basearch
gpgcheck=1
enabled=1
gpgkey=https://raw.githubusercontent.com/NationalSecurityAgency/SIMP/master/GPGKEYS/RPM-GPG-KEY-SIMP
       https://yum.puppetlabs.com/RPM-GPG-KEY-puppetlabs
       https://getfedora.org/static/352C64E5.txt
sslverify=1
sslcacert=/etc/pki/tls/certs/ca-bundle.crt
metadata_expire=300
[simp-project_5_X_dependencies-source]
name=simp-project_5_X_dependencies-source
baseurl=https://packagecloud.io/simp-project/5_X_Dependencies/el/7/SRPMS
gpgcheck=1
enabled=0
gpgkey=https://raw.githubusercontent.com/NationalSecurityAgency/SIMP/master/GPGKEYS/RPM-GPG-KEY-SIMP
       https://yum.puppetlabs.com/RPM-GPG-KEY-puppetlabs
       https://getfedora.org/static/352C64E5.txt
sslverify=1
sslcacert=/etc/pki/tls/certs/ca-bundle.crt
metadata_expire=300
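As an added example (not part of the SIMP documentation or the project's code), the following Python check reads the text of a .repo file and reports gpgkey continuation lines that have lost their leading whitespace, along with stanzas where gpgcheck or sslverify is not 1 or where a baseurl or gpgkey URL is missing or not https. The names audit_repo, GOOD and BAD are hypothetical, and the sample stanzas are constructed from the one shown above.

```python
import re

SECTION = re.compile(r"^\[([^\]]+)\]\s*$")
OPTION = re.compile(r"^([A-Za-z_][\w.-]*)\s*=\s*(.*)$")
# Constructed sample: the dependencies stanza from this page, trimmed.
GOOD = """\
[simp-project_5_X_dependencies]
baseurl=https://packagecloud.io/simp-project/5_X_Dependencies/el/7/$basearch
gpgcheck=1
gpgkey=https://raw.githubusercontent.com/NationalSecurityAgency/SIMP/master/GPGKEYS/RPM-GPG-KEY-SIMP
       https://yum.puppetlabs.com/RPM-GPG-KEY-puppetlabs
       https://getfedora.org/static/352C64E5.txt
sslverify=1
"""
# Constructed sample: the same stanza after a paste dropped the leading whitespace.
BAD = GOOD.replace("\n       ", "\n")

def audit_repo(text):
    """Return (section, problem) findings for the text of a yum .repo file."""
    findings, repos, section, last_key = [], {}, None, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith(("#", ";")):
            continue
        if SECTION.match(line):
            section, last_key = SECTION.match(line).group(1), None
            repos[section] = {}
        elif section is None:
            findings.append((None, f"line {lineno}: text before any [section]"))
        elif line[0].isspace() and last_key:
            # Indented line: continues the previous option (extra gpgkey URLs).
            repos[section][last_key].append(line.strip())
        elif OPTION.match(line):
            last_key, value = OPTION.match(line).groups()
            repos[section][last_key] = [value] if value else []
        else:
            # Neither key=value nor indented: a continuation that lost its whitespace.
            findings.append((section, f"line {lineno}: not key=value or indented: {line}"))
    for name, opts in repos.items():
        for key in ("gpgcheck", "sslverify"):
            if opts.get(key) != ["1"]:
                findings.append((name, f"{key} is not set to 1"))
        for key in ("baseurl", "gpgkey"):
            if not opts.get(key):
                findings.append((name, f"{key} is missing"))
            for url in opts.get(key, []):
                if not url.startswith("https://"):
                    findings.append((name, f"{key} is not https: {url}"))
    return findings
```

Calling audit_repo(open(path).read()) on each file under /etc/yum.repos.d/ before running yum makecache gives an empty list when the stanza is intact.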
3.3.4. Rebuild The Yum Cache
$ sudo yum makecache
3.3.5. Install SIMP
$ sudo yum install -y simp
3.3.6. Modify Yum URLs
Set the following variables to repositories of your choosing in /etc/puppet/environments/production/hieradata/default.yaml:
# Full URL to a YUM repo for Operating System packages
simp::yum::os_update_url: 'http://mirror.centos.org/centos/$releasever/os/$basearch/'
# Full URL to a YUM repo for SIMP packages
simp::yum::simp_update_url: 'https://packagecloud.io/simp-project/5_X/el/7/$basearch'
3.3.7. SIMP Config
Run simp config:
$ simp config
Note
If you intend to use FIPS, set use_fips=true during simp config and follow the Enable FIPS instructions after config is complete. Otherwise, set it to false and skip Enable FIPS.
3.3.8. Enable FIPS
$ rm -rf /var/lib/puppet/ssl
$ yum-config-manager --enable base
$ yum install dracut-fips
$ dracut -f
$ reboot now
3.3.9. SIMP Bootstrap
$ simp bootstrap
3.3.10. Clients
Use the runpuppet script from the newly created SIMP server to bootstrap your clients.
Note
This would be the general technique that you would use to auto-bootstrap your clients via user-data scripts in cloud environments.
Be ready to sign your client credentials as systems check in with the server!
$ curl http://<puppet.server.fqdn>/ks/runpuppet | bash