4.2. Initial SIMP Server Configuration
4.2.1. Using the SIMP Utility
In these instructions we will be using the `config` and `bootstrap` commands of the SIMP Utility, `simp`. The SIMP Utility provides a CLI intended to make the initial system configuration straightforward and repeatable.
Note
For a list of the commands `simp` provides, type `simp help`. Type `simp help <Command>` for more information on a specific command.
4.2.2. Configuring the SIMP Server
Important
Correct time across all systems is important to the proper functioning of SIMP and Puppet in general.
If a user has trouble connecting to the Puppet server and errors regarding certificate validation appear, check the Puppet server and client times to ensure they are synchronized.
Warning
Keep in mind as the installation process begins that Puppet does not work well with capital letters in host names. Therefore, they should not be used.
For the remainder of the document, we will assume that you use the ISO installation method and that you are logging in using a `simp` local user. Use the appropriate user for your environment if you installed via an alternate method.
1. Log on as `simp` and run `su -` to gain root access.
2. Type `simp config` and configure the system as prompted. `simp config` will prompt you for system settings and then apply them as appropriate for bootstrapping the system.
   - When applicable, `simp config` will present you with a recommendation for each setting (variable). To keep a recommended value, press Enter. Otherwise, enter your desired value.
   - `simp config` generates a log file in `/root/.simp` containing details of the configuration selected and actions taken.
   - For more details about the installation variables set by `simp config` and the corresponding actions, see Advanced Configuration.
   - For a list of additional options, type `simp help config`.
     - `simp config --dry-run` will run through all of the `simp config` prompts without applying any changes to the system. This is the option to run to become familiar with the variables set by `simp config` or to generate a configuration file to be used as a template for subsequent `simp config` runs.
     - `simp config -a <Config File>` will load a previously generated configuration (the 'answers' file) in lieu of prompting for settings, and then apply the settings. This is the option to run for systems that will be rebuilt often. Please note, however, that if you edit the answers file, only configuration settings for which you would be prompted by `simp config` can be modified in that file. Any changes made to settings that `simp config` automatically determines will be ignored.
Note
Once `simp config` has been run, three SIMP configuration files will be generated:
- `/root/.simp/simp_conf.yaml`: File containing all your `simp config` settings; can include additional settings related to ones you entered and other settings required for SIMP.
- `/etc/puppetlabs/code/environments/simp/data/simp_config_settings.yaml`: File containing global Hiera data relevant to SIMP clients and the SIMP server.
- `/etc/puppetlabs/code/environments/simp/data/hosts/<server_fqdn>.yaml`: SIMP server host-specific Hiera configuration.
3. Type `simp bootstrap`.
   - `simp bootstrap` generates a log file in `/root/.simp` containing details of the bootstrap operation.
   - For a list of options `simp bootstrap` provides, type `simp help bootstrap`.
Note
If your SIMP server is a virtual machine in a cloud, the default timeout for the puppet server to start, 5 minutes, may be too short. You will want to extend this time by using the `-w` option. For example, to extend that timeout to 10 minutes: `simp bootstrap -w 10`
If progress bars of each puppet run are of equal length and the bootstrap finishes quickly, a problem has occurred. This is most likely due to an error in SIMP configuration. Refer to the previous step and make sure that all configuration options are correct.
If this happens, you can debug by either looking at the log files or by running `puppet agent -t --masterport=8150`.
4. Type `reboot` to reboot and apply the necessary kernel configuration items.
4.2.3. Optional: Extract the full OS Package Set
The SIMP ISO attempts to contain everything that you need to run a base system. However, if you did not install via ISO, or you require additional stock packages, you can use the following procedure to extract the vendor ISOs.
1. Log on as `simp` and run `su -` to gain root access.
2. Run puppet for the first time. Type: `puppet agent -t`
3. Copy the appropriate vendor OS ISO(s) to the server and unpack using the `unpack_dvd` utility. This creates a new tree under `/var/www/yum/<OperatingSystem>` suitable for serving to clients. Type: `unpack_dvd CentOS-RHEL_MAJOR_VERSION-x86_64-DVD-####.iso`
4. Update your system using yum. The updates applied will depend on what ISO you initially used. Type: `yum clean all; yum makecache`
4.2.4. Advanced Configuration
The goal of `simp config` is to allow the user to quickly configure the SIMP server with minimal user input/operations. To that end, `simp config` sets installation variables based on information gathered from the user, existing system settings, and SIMP security requirements. It then applies the smallest subset of these system settings that is required to bootstrap the system with Puppet. Both the installation variables and their application via `simp config` are described in the subsections that follow.
4.2.4.1. Installation Variables
This section describes the installation variables set by `simp config`. Although the table that follows lists all possible installation variables, the user will not be prompted for all of them, nor will all of them appear in the configuration files generated by `simp config`. Some of these variables will be automatically set based on other installation variables, system settings, or SIMP security requirements. Others will be omitted because either they are unnecessary for a particular site configuration, or their defaults are appropriate. Also, please note that variables beginning with 'cli::' are only used internally by `simp config` itself. The 'cli::' variables are written to `simp_conf.yaml`, but not persisted to any Puppet hiera data files.
Important
- Not all the settings listed below can be preset in a configuration file input to `simp config`, via either `-a <Config File>` or `-A <Config File>`. Only settings for which you would be prompted, if you ran `simp config` interactively, can be preset. All other settings will be automatically determined by `simp config`, disregarding your input.
- `simp config` behaves differently (asks different questions, automatically determines different settings) depending on the SIMP installation type. This is because it can safely assume that certain server setup has been done only if SIMP has been installed from the SIMP-provided ISO. For example, consider a `simp` local user. When SIMP is installed from ISO, `simp config` can safely assume that this user is the backup user installed by the ISO to prevent server lockout. As such, `su` and `ssh` privileges for the `simp` user should be allowed. For non-ISO installs, however, it would not be prudent for `simp config` to grant just any `simp` user both `su` and `ssh` privileges. `simp config` detects that SIMP has been installed from a SIMP-provided ISO by the presence of `/etc/yum.repos.d/simp_filesystem.repo`.
Variable | Description |
---|---|
cli::is_ldap_server | Whether the SIMP server will also be the LDAP server. |
cli::network::dhcp | Whether to use DHCP for the network; dhcp to enable DHCP, static otherwise |
cli::network::gateway | Default gateway |
cli::network::hostname | FQDN of server |
cli::network::interface | Network interface to use |
cli::network::ipaddress | IP address of server |
cli::network::netmask | Netmask of the system |
cli::network::set_up_nic | Whether to set up the network interface; true or false |
cli::set_grub_password | Whether to set a GRUB password on the server; true or false |
cli::set_production_to_simp | Whether to set default Puppet environment to ‘simp’; true or false |
cli::simp::scenario | SIMP scenario; simp = full SIMP system, simp_lite = SIMP system with some security features disabled for clients, poss = SIMP system with all security features disabled for clients. |
cli::use_internet_simp_yum_repos | Whether to configure SIMP nodes to use internet SIMP and SIMP dependency YUM repositories. |
grub::password | GRUB password hash |
puppetdb::master::config::puppetdb_port | Port used by the puppet database |
puppetdb::master::config::puppetdb_server | DNS name or IP of puppet database server |
simp_openldap::server::conf::rootpw | LDAP Root password hash |
simp_options::dns::search | Search domain for DNS |
simp_options::dns::servers | List of DNS servers for the managed hosts |
simp_options::fips | Enable FIPS-140-2 compliance; true or false; value automatically set to detected system FIPS status |
simp_options::ldap | Whether to use LDAP; true or false |
simp_options::ldap::base_dn | LDAP Server Base Distinguished Name |
simp_options::ldap::bind_dn | LDAP Bind Distinguished Name |
simp_options::ldap::bind_hash | LDAP Bind password hash |
simp_options::ldap::bind_pw | LDAP Bind password |
simp_options::ldap::master | LDAP master URI |
simp_options::ldap::sync_dn | LDAP Sync Distinguished Name |
simp_options::ldap::sync_hash | LDAP Sync password hash |
simp_options::ldap::sync_pw | LDAP Sync password |
simp_options::ldap::uri | List of LDAP server URIs |
simp_options::ntpd::servers | NTP servers |
simp_options::puppet::ca | FQDN of Puppet Certificate Authority (CA) |
simp_options::puppet::ca_port | Port Puppet CA will listen on |
simp_options::puppet::server | FQDN of the puppet server |
simp_options::sssd | Whether to use SSSD |
simp_options::syslog::failover_log_servers | IP addresses of failover log servers |
simp_options::syslog::log_servers | IP addresses of primary log servers |
simp_options::trusted_nets | Subnet used for clients managed by the puppet server |
simp::runlevel | Default system run level; 1-5 |
simp::server::allow_simp_user | Whether to allow local ‘simp’ user su and ssh privileges. |
simp::yum::repo::local_os_updates::enable_repo | Whether to enable the SIMP-managed, OS Update YUM repository that the SIMP ISO installs on the SIMP server. |
simp::yum::repo::local_os_updates::servers | YUM server(s) for SIMP-managed, OS Update packages |
simp::yum::repo::local_simp::enable_repo | Whether to enable the SIMP-managed, SIMP and SIMP dependency YUM repository that the SIMP ISO installs on the SIMP server. |
simp::yum::repo::local_simp::servers | YUM server(s) for SIMP-managed, SIMP and SIMP dependency packages |
sssd::domains | List of SSSD domains |
svckill::mode | Strategy svckill should use when it encounters undeclared services: enforcing = shut down and disable all services not listed in your manifests or the exclusion file; warning = only report which undeclared services should be shut down and disabled, without actually making the changes to the system |
useradd::securetty | A list of TTYs for which the root user can login |
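Because `simp config -a <Config File>` applies an answers file without prompting, it helps to check the file before it is used. The following Python script is an added example, not part of the SIMP utility: it parses a flat `key: value` answers file (the layout is an assumption; nested YAML is not handled) and checks the values against the constraints this page states, namely the allowed values in the table above, the true/false settings, the 1-5 run level, and the warning that host names must not contain capital letters. The sample file contents are constructed for the example.

```python
import re
# Allowed values taken from the installation-variable table on this page.
ENUMS = {"cli::network::dhcp": {"dhcp", "static"},
         "cli::simp::scenario": {"simp", "simp_lite", "poss"},
         "svckill::mode": {"enforcing", "warning"}}
BOOLEANS = ("cli::is_ldap_server", "cli::network::set_up_nic", "cli::set_grub_password",
            "cli::set_production_to_simp", "cli::use_internet_simp_yum_repos",
            "simp_options::ldap", "simp_options::sssd", "simp::server::allow_simp_user")
# Puppet does not work well with capital letters in host names, so require a lowercase FQDN.
FQDN_KEYS = ("cli::network::hostname", "simp_options::puppet::ca", "simp_options::puppet::server")
FQDN_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")
# Constructed sample answers file (assumption: flat key/value layout, no nesting).
SAMPLE = """\
cli::network::hostname: Puppet.Example.Com
cli::network::dhcp: static
simp_options::dns::servers: ['10.0.0.53', '10.0.0.54']
simp::server::allow_simp_user: yes
svckill::mode: warning
"""

def parse_answers(text):
    """Parse flat `key: value` lines; a bracketed value becomes a list of strings."""
    settings = {}
    for raw in text.splitlines():
        m = re.match(r"^([\w:]+):\s*(.*)$", raw.split("#", 1)[0].rstrip())
        if not m:
            continue  # blank line, comment, or the leading '---' document marker
        key, value = m.group(1), m.group(2).strip().strip("'\"")
        if value.startswith("[") and value.endswith("]"):
            value = [v.strip().strip("'\"") for v in value[1:-1].split(",") if v.strip()]
        settings[key] = value
    return settings

def lint_answers(text):
    """Return findings as strings; an empty list means no constraint from this page is violated."""
    s, findings = parse_answers(text), []
    for key in FQDN_KEYS:
        if key in s and not (isinstance(s[key], str) and FQDN_RE.match(s[key])):
            findings.append(f"{key}: '{s[key]}' is not a lowercase FQDN")
    for key, allowed in ENUMS.items():
        if key in s and s[key] not in allowed:
            findings.append(f"{key}: '{s[key]}' is not one of {sorted(allowed)}")
    for key in BOOLEANS:
        if key in s and s[key] not in ("true", "false"):
            findings.append(f"{key}: expected true or false, got '{s[key]}'")
    if "simp::runlevel" in s and s["simp::runlevel"] not in {"1", "2", "3", "4", "5"}:
        findings.append("simp::runlevel: must be 1-5")
    if s.get("svckill::mode") == "warning":  # table: warning mode only reports, it never disables
        findings.append("svckill::mode: 'warning' only reports undeclared services, it does not stop them")
    return findings
```

Running `lint_answers(SAMPLE)` reports the mixed-case host name, the non-boolean `yes`, and the svckill mode that leaves undeclared services running.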
4.2.4.2. simp config Actions
In addition to creating the three configuration YAML files, `simp config` performs a limited set of actions in order to prepare the system for bootstrapping. Although the table that follows lists all possible `simp config` actions, not all of these actions will apply for all site configurations.
Category | Actions Performed |
---|---|
Certificates | If no certificates for the host are found in `/var/simp/environments/simp/site_files/pki_files/files/keydist`, `simp config` will use SIMP's FakeCA to generate interim host certificates. These certificates, which are independent of the certificates managed by Puppet, are required by SIMP and should be replaced by certificates from an official Certificate Authority as soon as is practical. |
Digest Algorithm for FIPS | When the system is in FIPS mode, `simp config` will set the Puppet digest algorithm to sha256 to prevent any Puppet-related actions executed by `simp config` from using MD5 checksums. Note that this is not all that must be done to enable FIPS. The complete set of actions required to support FIPS is handled by `simp bootstrap`. |
GRUB | When the user selects to set the GRUB password, `simp config` will set the password in the appropriate grub configuration file, `/etc/grub.conf` or `/etc/grub2.cfg`. |
LDAP | When the SIMP server is also an LDAP server, |
Lockout Prevention | When the SIMP server is installed from ISO, the install creates a local `simp` user that the SIMP server configures to have both su and ssh privileges. (This user is provided to prevent server lockout, as, per security policy, SIMP by default disables logins via ssh for all users, including 'root'.) So, when SIMP is not installed from ISO, |
Network | |
Puppet | |
SIMP Hiera & Site Manifest | |
YUM | |