3.3.4. Installing SIMP Using r10k or Code Manager
r10k and Code Manager are products that automate the development and deployment of a Puppet infrastructure. SIMP supports the usage of these tools, with a little tweaking.
Read the introductory documentation for whichever of these tools you are using:
- Code Manager: https://docs.puppet.com/pe/latest/code_mgr.html
- r10k: https://github.com/puppetlabs/r10k/blob/master/README.mkd
Note
r10k will be used to reference both r10k itself and Code Manager throughout this document. If you are using Code Manager, skip to Setting Up Your Control Repo.
Important
This document will assume the SIMP server has internet access. If your system does not have internet access, you will need to adjust paths to point to your internal mirrors.
Note
This method does not modify your system’s partitioning scheme or encryption scheme to meet any regulatory policies. If you want an example of what that should look like, either see the SIMP Installation Walkthrough or check out the Kickstart files in the simp-core Git repository.
3.3.4.1. Preparing Your System
Follow the Preparing For Non-RPM Install guide.
3.3.4.2. Installation of r10k
r10k is a Ruby gem that only needs to be installed on hosts running puppetserver. This gem can be installed in one of two ways:
- Gem install into the puppetserver gem set.
  $ /opt/puppetlabs/puppet/bin/gem install r10k
- RPM package install of SIMP-provided r10k RPMs into /usr/share/simp without modifying the puppetserver gem set. These RPMs are available from the official SIMP YUM repositories and, beginning with SIMP 6.2.0, the SIMP ISO.
  $ yum install simp-vendored-r10k
r10k can be used by calling the executable:
# If installed from Puppet gem
$ /opt/puppetlabs/puppet/bin/r10k help
or
# If installed from simp-vendored-r10k
$ /usr/share/simp/bin/r10k help
3.3.4.3. Setting Up Your Control Repository
Follow the HOWTO Setup a SIMP Control Repository guide.
3.3.4.4. Minimum Classes For Classification
3.3.4.4.1. Server
3.3.4.4.1.1. Open Source
To manage the puppetserver, include the following classes:
simp
simp::server
pupmod::master
3.3.4.4.1.2. PE
In a PE environment, the SIMP Server will normally be the Master of Masters (MoM). Currently, Compile Masters (CMs) are not automatically supported out of the box, and require extra configuration to ensure they remain in sync.
simp
simp::server
3.3.4.4.2. Agents
Agents will require the simp class at a minimum. SIMP ships with ‘scenarios’, which are essentially pre-bundled groups of modules that profile nodes for various tasks. See the Classification and Data documentation for more information. Depending on the function of your production environment, and your choice of scenario, you will want to populate Hiera with required parameters. See Advanced Configuration for a list of base parameters and their description.
3.3.4.5. Running Puppet For The First Time
SIMP doesn’t configure the puppetserver to listen on the typical port and CA port, so the first time the puppet agent is run, you may have to specify the ca_port and server. An example:
$ puppet agent -t --ca_port 8141 --server puppet.your.domain
SIMP also provides a provisioning script called runpuppet. Run this script during provisioning and it will (provided autosign is configured) attempt to connect to your puppetserver as defined in simp_options and run puppet a few times to get the new system in order.
Warning
SIMP, by default, implements tcpwrappers and PAM access restrictions. The root user should always be able to log in at a console, but if there is no console, like in AWS, be sure to add a user to the PAM whitelist and give it sudo powers:

    pam::access::rule { 'ec2user':
      origins    => ['ALL'],
      permission => '+',
      users      => ['ec2user']
    }
    sudo::user_specification { 'ec2user':
      user_list => ['ec2user'],
      cmnd      => ['ALL']
    }

SIMP also moves the location of the ssh authorized_keys file to /etc/ssh/local_keys/%u, so copy it there before logging out.
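A pre-logout check for the warning above, as an added example that is not part of the SIMP documentation: it copies a user's public keys into the relocated key directory and verifies the result while the current session is still open. The function names, the 0644 file mode and the sample source path are assumptions; /etc/ssh/local_keys is the location named above.

```shell
#!/bin/sh
# Added example, not SIMP code. Assumption: key files are installed mode 0644.

# One authorized_keys entry: optional options, a key type, then base64 data.
KEY_RE='(^|[[:space:]])(ssh-(rsa|ed25519|dss)|ecdsa-sha2-[a-z0-9-]+|sk-[a-z0-9@.-]+)[[:space:]]+[A-Za-z0-9+/]+=*'

# check_local_key USER [DIR]: succeed only if DIR/USER is a usable key file.
check_local_key() {
    user=$1
    dir=${2:-/etc/ssh/local_keys}
    file=$dir/$user
    if [ ! -s "$file" ]; then
        echo "missing or empty: $file" >&2
        return 1
    fi
    # At least one non-comment line must look like a public key.
    if ! grep -v '^[[:space:]]*#' "$file" | grep -Eq "$KEY_RE"; then
        echo "no public key found in $file" >&2
        return 2
    fi
    # A key file that group or others can write to must not be trusted.
    if [ -n "$(find "$file" \( -perm -020 -o -perm -002 \))" ]; then
        echo "group/world-writable: $file" >&2
        return 3
    fi
    return 0
}

# stage_local_key USER SRC [DIR]: copy SRC to DIR/USER, then verify the copy.
stage_local_key() {
    user=$1
    src=$2
    dir=${3:-/etc/ssh/local_keys}
    # The user name becomes a file name; reject anything path-like.
    case $user in
        ''|*/*|.*) echo "refusing user name: '$user'" >&2; return 4 ;;
    esac
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 5; }
    install -m 0644 "$src" "$dir/$user" || return 6
    check_local_key "$user" "$dir"
}

# Example call, as root, before closing the session (source path assumed):
#   stage_local_key ec2user /home/ec2user/.ssh/authorized_keys
```

A non-zero return means the key is not in place yet, so keep the session open until the call succeeds.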
3.3.4.6. Notes About SIMP Infrastructure
SIMP, when installed from the ISO, moves packages into /var/www/yum and creates a yum repo on the server itself. SIMP modules, notably the simp::yum class, assume this. You will have to set simp::yum::os_update_url to a CentOS Updates URL.