4.2. Initial SIMP Server Configuration
4.2.1. Using the SIMP Utility
In these instructions, we will be using the config and bootstrap subcommands of the simp command. The simp command provides a CLI intended to make the initial configuration of the SIMP server straightforward and repeatable.
Note
For a list of the commands simp provides, type simp help. Type simp <Command> --help for more information on a specific command.
4.2.2. Configuring the SIMP Server
Important
Correct time synchronization across all systems is critical to the proper functioning of SIMP (and Puppet in general).
Tip
If a Puppet agent receives errors regarding certificate validation while connecting to the Puppet server, compare the time on the server and agent to make sure they are synchronized.
Warning
Puppet has problems when hostnames contain capital letters (SERVER-1809) — do not use them!
Note
This section assumes that:
- You started by Installing SIMP from an ISO
- You have logged in using the simp local user account (created by the ISO installation)
Use the appropriate user for your environment if you installed via an alternate method.
1. Log on as simp and run su - to gain root access.
2. Run simp config and configure the system as prompted.
   simp config will prompt you for system settings and then apply them as appropriate for bootstrapping the system. When applicable, simp config will present you with a recommendation for each setting.
   - Press Enter to keep a recommended value.
   - Otherwise, enter your desired value.
   simp config generates a log file under /root/.simp/ with details of the configurations selected and actions taken.
   Note
   For details about simp config’s installation variables and actions, see Advanced Configuration.
   Tip
   There are two simp config options that are particularly useful:
   - --dry-run will run through all of the prompts without applying any changes to the system. This is useful to:
     - become familiar with the variables set by simp config without applying them
     - generate a configuration file to use as a template for subsequent simp config runs
   - -a <Config File> will load and apply a previously-generated configuration (aka the ‘answers’ file) in lieu of prompting for settings.
     - This is useful to run on systems that will be rebuilt often.
     - Please note, however: if you edit the answers file, only configuration settings for which you would be prompted by simp config can be modified in that file; any changes made to settings that simp config automatically determines will be ignored.
   Note
   For a list of additional options, type simp config --help.
3. When the questionnaire is finished and you are prompted with Ready to apply?, enter yes to continue. This will apply changes to the system, which may take some time.
   Note
   After simp config is applied, three SIMP configuration files will have been generated:
   - /root/.simp/simp_conf.yaml: File containing all your simp config settings; can include additional settings related to ones you entered and other settings required for SIMP.
   - /etc/puppetlabs/code/environments/production/data/simp_config_settings.yaml: File containing global Hiera data relevant to SIMP clients and the SIMP server.
   - /etc/puppetlabs/code/environments/production/data/hosts/<server_fqdn>.yaml: The SIMP server’s host-specific Hiera configuration.
4. Run simp bootstrap.
   simp bootstrap uses several targeted Puppet runs to configure the rest of the system.
   - It generates a detailed log file under /root/.simp/.
   Note
   For a list of additional options, type simp bootstrap --help.
   Note
   If your SIMP server is a virtual machine in a cloud, the default timeout for the Puppet server to start (5 minutes) may be too short. You will want to extend this time by using the -w option. For example, to extend that timeout to 10 minutes:
   simp bootstrap -w 10
   Note
   If the bootstrap finishes quickly and the progress bars of each Puppet run are of equal length, it is very likely that a problem has occurred due to an error in SIMP configuration. Refer to the previous step and make sure that all configuration options are correct.
   If this happens, you can debug by either looking at the log files or by running puppet agent -t --masterport=8150.
5. Run reboot to restart your system and apply the necessary kernel configuration items.
4.2.3. Optional: Extract the full OS RPM Package Set
The SIMP ISO only provides enough RPM packages to run a basic system. If you did not install via ISO, or you require additional stock packages, you can extract additional packages from vendor ISOs using the following procedure:
1. Log on as simp and run su - to gain root access.
2. Run puppet agent -t to ensure system consistency.
3. Copy the appropriate vendor OS ISO(s) to the server and unpack using the unpack_dvd utility. This will create a new directory tree under /var/www/yum/<OperatingSystem> suitable for serving to clients. Run:
   unpack_dvd CentOS-RHEL_MAJOR_VERSION-x86_64-DVD-####.iso
4. Ensure that subsequent yum operations are aware of the new RPM packages by refreshing the system’s yum cache. Run:
   yum clean all; yum makecache
4.2.4. Advanced Configuration
The goal of simp config is to allow the user to quickly configure the SIMP server with minimal user input/operations. To that end, simp config sets installation variables based on information gathered from the user, existing system settings, and SIMP security requirements. It then applies the smallest subset of these system settings that is required to bootstrap the system with Puppet. Both the installation variables and their application via simp config are described in the subsections that follow.
4.2.4.1. Installation Variables
This section describes the installation variables set by simp config. Although the table that follows lists all possible installation variables, the user will not be prompted for all of them, nor will all of them appear in the configuration files generated by simp config. Some of these variables will be automatically set based on other installation variables, system settings, or SIMP security requirements. Others will be omitted because either they are unnecessary for a particular site configuration, or their defaults are appropriate. Also, please note that variables beginning with ‘cli::’ are only used internally by simp config itself. The ‘cli::’ variables are written to simp_conf.yaml, but not persisted to any Puppet hiera data files.
Important
- Not all the settings listed below can be preset in a configuration file input to simp config, via either -a <Config File> or -A <Config File>. Some settings for which you would not be prompted if you ran simp config interactively are automatically determined by simp config.
- Passwords for which only hashed values are stored in the YAML output of simp config must be input as hashed values in an input configuration file.
simp config behaves differently (asks different questions, automatically determines different settings) depending on the SIMP installation type. This is because it can safely assume that certain server setup has been done only if SIMP has been installed from the SIMP-provided ISO. For example, consider a simp local user. When SIMP is installed from ISO, simp config can safely assume that this user is the backup user installed by the ISO to prevent server lockout. As such, su and ssh privileges for the simp user should be allowed. For non-ISO installs, however, it would not be prudent for simp config to grant just any simp user both su and ssh privileges. simp config detects that SIMP has been installed from a SIMP-provided ISO by the presence of /etc/yum.repos.d/simp_filesystem.repo.
Tip
If you want to understand what variables apply to your setup, run simp config --dry-run and examine the generated simp_conf.yaml file. That file will contain both the settings and their documentation.
Variable | Description |
---|---|
cli::is_simp_ldap_server | Whether the SIMP server will also be a SIMP-provided LDAP server |
cli::network::dhcp | Whether to use DHCP for the network; dhcp to enable DHCP, static otherwise |
cli::network::gateway | Default gateway |
cli::network::hostname | FQDN of server |
cli::network::interface | Network interface to use |
cli::network::ipaddress | IP address of server |
cli::network::netmask | Netmask of the system |
cli::network::set_up_nic | Whether to set up the network interface; true or false |
cli::set_grub_password | Whether to set a GRUB password on the server; true or false |
cli::simp::scenario | SIMP scenario; simp = full SIMP system, simp_lite = SIMP system with some security features disabled for clients, poss = SIMP system with all security features disabled for clients |
cli::use_internet_simp_yum_repos | Whether to configure SIMP nodes to use internet SIMP and SIMP dependency YUM repositories |
grub::password | GRUB password hash |
puppetdb::master::config::puppetdb_port | Port used by the puppet database |
puppetdb::master::config::puppetdb_server | DNS name or IP of puppet database server |
simp_openldap::server::conf::rootpw | LDAP Root password hash |
simp_options::dns::search | Search domain for DNS |
simp_options::dns::servers | List of DNS servers for the managed hosts |
simp_options::fips | Enable FIPS-140-2 compliance; true or false; value automatically set to detected system FIPS status |
simp_options::ldap | Whether to use LDAP; true or false |
simp_options::ldap::base_dn | LDAP Server Base Distinguished Name |
simp_options::ldap::bind_dn | LDAP Bind Distinguished Name |
simp_options::ldap::bind_hash | LDAP Bind password hash |
simp_options::ldap::bind_pw | LDAP Bind password |
simp_options::ldap::master | LDAP master URI |
simp_options::ldap::sync_dn | LDAP Sync Distinguished Name |
simp_options::ldap::sync_hash | LDAP Sync password hash |
simp_options::ldap::sync_pw | LDAP Sync password |
simp_options::ldap::uri | List of LDAP server URIs |
simp_options::ntpd::servers | NTP servers |
simp_options::puppet::ca | FQDN of Puppet Certificate Authority (CA) |
simp_options::puppet::ca_port | Port Puppet CA will listen on |
simp_options::puppet::server | FQDN of the puppet server |
simp_options::sssd | Whether to use SSSD |
simp_options::syslog::failover_log_servers | IP addresses of failover log servers |
simp_options::syslog::log_servers | IP addresses of primary log servers |
simp_options::trusted_nets | Subnet used for clients managed by the puppet server |
simp::runlevel | Default system run level; 1-5 |
simp::server::allow_simp_user | Whether to allow local ‘simp’ user su and ssh privileges |
simp::yum::repo::local_os_updates::enable_repo | Whether to enable the SIMP-managed, OS Update YUM repository that the SIMP ISO installs on the SIMP server |
simp::yum::repo::local_os_updates::servers | YUM server(s) for SIMP-managed, OS Update packages |
simp::yum::repo::local_simp::enable_repo | Whether to enable the SIMP-managed, SIMP and SIMP dependency YUM repository that the SIMP ISO installs on the SIMP server. |
simp::yum::repo::local_simp::servers | YUM server(s) for SIMP-managed, SIMP and SIMP dependency packages |
sssd::domains | List of SSSD domains |
svckill::mode | Strategy svckill should use when it encounters undeclared services; enforcing = shut down and disable all services not listed in your manifests or the exclusion file; warning = only report what undeclared services should be shut down and disabled, without actually making the changes to the system |
useradd::securetty | A list of TTYs for which the root user can login |
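The answers-file constraints stated in the Tip on the -a option and in the Important note above (only prompted settings may be edited, hashed passwords must stay hashed) are easy to get wrong by hand. As an added example that is not part of the SIMP project, the following checker lints a hand-edited answers file against the table: lowercase hostnames (per the Warning above), the enumerated values, true/false settings, and hash-only password settings. The recognised hash prefixes and the flat key: value file layout are assumptions, and the sample file is constructed.

```python
import re

# Allowed values for the enumerated settings in the installation-variables table.
ENUMS = {
    "cli::network::dhcp": {"dhcp", "static"},
    "cli::simp::scenario": {"simp", "simp_lite", "poss"},
    "svckill::mode": {"enforcing", "warning"},
    "simp::runlevel": {"1", "2", "3", "4", "5"},
}
BOOL_KEYS = {  # settings the table describes as true/false
    "cli::is_simp_ldap_server", "cli::network::set_up_nic", "cli::set_grub_password",
    "cli::use_internet_simp_yum_repos", "simp_options::fips", "simp_options::ldap",
    "simp_options::sssd", "simp::server::allow_simp_user",
    "simp::yum::repo::local_os_updates::enable_repo", "simp::yum::repo::local_simp::enable_repo"}
# Settings the table describes as password hashes; the text says an answers file must
# carry these hashed. Assumed prefixes: GRUB2 PBKDF2, OpenLDAP {SSHA}, crypt(3) $1$/$5$/$6$.
HASHED_KEYS = {"grub::password", "simp_openldap::server::conf::rootpw",
               "simp_options::ldap::bind_hash", "simp_options::ldap::sync_hash"}
HASH_RE = re.compile(r"^(grub\.pbkdf2\.sha512\.|\{SSHA\}|\$[156]\$)")

def parse_answers(text):
    """Parse flat 'key: value' lines (assumed layout); blank and '#' lines are skipped."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(": ")  # '::' in keys has no space after it
        if sep and not key.startswith("#"):
            settings[key] = value.strip().strip("'\"")
    return settings

def lint_answers(text):
    """Return one message per setting that simp config would reject or misapply."""
    problems = []
    for key, value in parse_answers(text).items():
        if key == "cli::network::hostname" and value != value.lower():
            problems.append(f"{key}: Puppet has problems with capital letters in hostnames")
        elif key in ENUMS and value not in ENUMS[key]:
            problems.append(f"{key}: {value!r} is not one of {sorted(ENUMS[key])}")
        elif key in BOOL_KEYS and value not in ("true", "false"):
            problems.append(f"{key}: expected true or false, got {value!r}")
        elif key in HASHED_KEYS and not HASH_RE.match(value):
            problems.append(f"{key}: must be a password hash, not plaintext")
    return problems

# Constructed answers file with three deliberate mistakes: capitalised hostname,
# 'yes' instead of true, and a plaintext LDAP root password.
SAMPLE = """\
cli::network::hostname: Puppet.Example.SIMP
cli::set_grub_password: yes
simp_openldap::server::conf::rootpw: 'plaintext-password'
svckill::mode: enforcing
simp::runlevel: 3
"""
```

Run lint_answers on the file before passing it to simp config -a; an empty list means every checked setting is in the form the table expects.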
4.2.4.2. simp config Actions
In addition to creating the three configuration YAML files, simp config performs a limited set of actions in order to prepare the system for bootstrapping. Although the table that follows lists all possible simp config actions, not all of these actions will apply for all site configurations.
Category | Actions Performed |
---|---|
Certificates | If no certificates for the host are found in /var/simp/environments/production/site_files/pki_files/files/keydist, simp config will use SIMP’s FakeCA to generate interim host certificates. These certificates, which are independent of the certificates managed by Puppet, are required by SIMP and should be replaced by certificates from an official Certificate Authority as soon as is practical. |
GRUB | When the user selects to set the GRUB password, simp config will set the password in the appropriate grub configuration file, /etc/grub.conf or /etc/grub2.cfg. After initial configuration, the GRUB password can be managed with the simp-simp_grub module. See Managing GRUB Users for more information. |
LDAP | When the SIMP server is also a SIMP-provided LDAP server, |
Lockout Prevention | When the SIMP server is installed from ISO, the install creates a local simp user that the SIMP server configures to have both su and ssh privileges. (This user is provided to prevent server lockout, as, per security policy, SIMP by default disables logins via ssh for all users, including ‘root’.) So, when SIMP is not installed from ISO, |
Network | |
Puppet | |
SIMP Hiera & Site Manifest | |
YUM | |