4.5.3. General Administration
Warning
While working with the system, keep in mind that Puppet does not work well with capital letters in host names. Therefore, they should not be used.
4.5.3.1. The SIMP Environment
SIMP fully supports Puppet Environments and, by default, installs into an environment named simp. This environment is symlinked to the production environment by simp config, but that symlink will not be overwritten on update, so you may freely change or replace the symlink to meet your needs.
There are a couple of paths on the system that are environment related.
4.5.3.1.1. /var/simp
This space holds all static, non-Puppet created files. It is generally used for large binary items that will be centrally delivered via rsync and for files that are too dangerous to add to a version control system. These include things like the SIMP rsync materials and the Infrastructure keys.
This space is environment aware and you will note that there is an environments directory under /var/simp with, by default, the simp environment represented. If you add new environments, you will need to replicate the appropriate structure from the simp environment into your custom environment.
This space also holds FakeCA. See Infrastructure Certificates.
Note
For more information on the SIMP rsync structure, please see HOWTO Work with the SIMP Rsync Shares
4.5.3.1.2. /opt/puppetlabs/server/data/puppetserver/simp
This space holds all non-static, Puppet server created files. This is used by both passgen() and the krb5 Puppet module for storing dynamically generated server-side content.
Like /var/simp, this space is also environment aware, but you should never need to manually adjust anything in this directory space.
4.5.3.2. Nightly Updates
All SIMP systems are configured, by default, to do a YUM update of the entire system on a nightly basis. When the update task runs, it will pull ALL updates that the system is aware of.
Note
Refer to HOWTO Exclude YUM Repositories for additional configuration information.
SIMP chose this as the default because it is easier to manage symlinks in YUM repositories than it is to manage individual package minutia for all packages across the environment.
To use this effectively, packages that all systems will receive should be placed into the Updates repository provided with SIMP. Any packages that will only go to specific system sets should then be placed into adjunct repositories under /var/www/yum, and the user will point specific systems at those repositories using the yumrepo Puppet Type. Any common packages can be either symlinked or hard linked between repositories for efficiency.
4.5.3.2.1. Changing the Default Repositories
By default, SIMP stores YUM information in the following directories:
/var/www/yum
The base SIMP repository is in /var/www/yum/SIMP and it is highly unlikely that you would want to modify anything in this directory.
By default, access to the YUM repository is restricted to the networks contained in the simp_options::trusted_nets parameter. For this section, we will assume that this is sufficient.
4.5.3.2.2. The Operating System Repos
The default location for the Operating System (OS) repositories, on the Puppet server, is /var/www/yum/<OSTYPE>/<MAJORRELEASE>/x86_64.
An Updates repository has been configured in this space. All OS updates should be placed within this directory.
You should run the following in the Updates directory after ANY package addition or removal within that directory. The createrepo step regenerates the repodata/ metadata that clients read; the chown and chmod steps keep the tree readable by the apache group that serves it and by nobody else, so a package dropped in with a permissive umask does not become world-readable.
$ createrepo .
$ chown -R root:apache ./*
$ find . -type f -exec chmod 640 {} \;
$ find . -type d -exec chmod 750 {} \;
4.5.3.2.3. Adding a Custom Repository
For this section, we will assume that you have a repository named foo that you would like to expose to your systems. To do this, perform the following:
$ cd /var/www/yum
$ mkdir foo
$ cd foo
$ # copy all RPMs into the folder
$ createrepo .
$ chown -R root:apache ./*
$ find . -type f -exec chmod 640 {} \;
$ find . -type d -exec chmod 750 {} \;
Note
For more information on managing YUM repos, please see the Red Hat local repository Documentation.
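The procedure above, as an added example that is not SIMP's own tooling: a small script that publishes a custom repository under the SIMP YUM web root and then audits the tree, so that a mode or ownership mistake is reported instead of quietly exposing packages or breaking the apache service. /var/www/yum, root:apache, mode 640 for files and 750 for directories come from this page; the variable names, the audit logic and the createrepo_c fallback are assumptions of this example. Publishing for real has to run as root on the Puppet server.

```bash
#!/bin/bash
# Added example, not SIMP's own tooling: publish a custom repository under
# the SIMP YUM web root and verify the ownership/permission layout the page
# prescribes. /var/www/yum, root:apache, 640 and 750 come from the page;
# the variable names, the audit logic and the createrepo_c fallback are
# assumptions of this example. Publishing for real has to run as root.
set -eu

YUM_ROOT="${YUM_ROOT:-/var/www/yum}"
REPO_OWNER="${REPO_OWNER:-root}"     # assumed overridable; the page uses root
REPO_GROUP="${REPO_GROUP:-apache}"   # group httpd runs as on the SIMP server

# fix_repo_perms DIR: the page's chown/chmod sequence, applied to DIR itself
# as well as its contents so the top-level directory is not left 755.
fix_repo_perms() {
  local dir="$1"
  chown -R "$REPO_OWNER:$REPO_GROUP" "$dir"
  find "$dir" -type f -exec chmod 640 {} \;
  find "$dir" -type d -exec chmod 750 {} \;
}

# audit_repo DIR: list every file or directory whose mode or ownership
# deviates from the layout above. Returns 0 when the tree is clean, 1 when
# anything was printed. A file left 644 is readable by every local account;
# a directory left 755 lets anyone list the package set.
# (-printf with %a, %U and %G is a GNU find extension.)
audit_repo() {
  local dir="$1" findings
  findings=$(
    find "$dir" -type f ! -perm 640 -printf 'mode %a  %p\n'
    find "$dir" -type d ! -perm 750 -printf 'mode %a  %p\n'
    find "$dir" \( ! -user "$REPO_OWNER" -o ! -group "$REPO_GROUP" \) \
         -printf 'owner %U:%G  %p\n'
  )
  if [ -n "$findings" ]; then
    printf '%s\n' "$findings"
    return 1
  fi
  return 0
}

# publish_repo NAME SRC_DIR: create YUM_ROOT/NAME, copy in SRC_DIR/*.rpm,
# (re)generate repodata/, apply the layout and audit it. Fails loudly rather
# than shipping a tree without metadata.
publish_repo() {
  local name="$1" src="$2" dest cr
  dest="$YUM_ROOT/$name"
  cr=$(command -v createrepo_c || command -v createrepo) || {
    echo "publish_repo: neither createrepo_c nor createrepo is installed" >&2
    return 1
  }
  mkdir -p "$dest"
  cp -- "$src"/*.rpm "$dest"/
  "$cr" --update "$dest"      # --update reuses metadata for unchanged RPMs
  fix_repo_perms "$dest"
  audit_repo "$dest"
}
```

Typical use is publish_repo foo /root/foo-rpms, after which the yumrepo example in the next section points clients at http://your.server.fqdn/yum/foo. Running audit_repo /var/www/yum from cron is a cheap way to catch an RPM that was copied in later with the wrong umask.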
4.5.3.2.4. Configuring the Clients
Now that you have added this repository, you will want to add it to your clients.
The best way to do this is to make it part of your site profile. You can make it part of your module, but you will need to wrap it in a Defined Type so that the server parameter can be modified.
To add it to your clients, use the Puppet yumrepo Type. You can find more information in the Puppet Type Reference.
The following is a basic yumrepo example:
yumrepo { 'example':
  baseurl         => "http://your.server.fqdn/yum/foo",
  enabled         => 1,
  enablegroups    => 0,
  gpgcheck        => 0,
  keepalive       => 0,
  metadata_expire => 3600
}
Note that this example sets gpgcheck => 0, which turns off RPM signature verification for the repository: clients will install whatever the web server hands them. That is acceptable for a throwaway test repository; for anything that reaches production systems, sign the packages, publish the signing key, and set gpgcheck => 1 together with a gpgkey URL so that a package that was not signed with that key is rejected even if the repository server or the network path is compromised.
4.5.3.3. Session auditing
By default, a SIMP system uses Sudosh to enable logging of sudo sessions to Rsyslog.
To open a sudo session from a regular user to root, you should type sudo sudosh.
sudosh logs are stored in /var/log/sudosh.log. Sessions can be replayed by typing sudosh-syslog-replay.
Note
The SIMP system does not allow the root user to execute sudo by default per common configuration guidance.
Note
If you built your system from an ISO, you will probably have a local simp user that has the ability to run sudo su - root directly and bypass sudosh.
This is meant as an emergency 'break glass' user and should be removed or disabled once your environment is configured to your satisfaction.
4.5.3.4. User Accounts
The SIMP team tests both local and LDAP account access to systems. Other modes of access may function but are not tested by the SIMP test suite at this time.
We recommend that LDAP be used for adding all human users so that there is no conflict with multiple system updates and synchronization. For more information on managing LDAP users, refer to the User Management chapter.
If you need to create local system accounts, you can use the user and group Native Types.
4.5.3.5. Certificate Management
This section describes the two different types of certificates used in a SIMP system and how to manage them. For information on initial certificate setup, refer to the Apply Certificates section of Client Management.
4.5.3.5.1. Infrastructure Certificates
Server certificates are the standard PKI certificates assigned either by an official CA (preferred) or generated using the FakeCA utility offered by SIMP. Generated certificates are placed in the /etc/pki/simp directory of all managed systems. These certificates are set to expire annually. To change this, edit the following files with the number of days for the desired lifespan of the certificates:
Note
This assumes that the user has generated Certificates with the FakeCA provided by SIMP. If official certificates are being used, these settings must be changed within the official CA, not on the SIMP system.
/var/simp/environments/simp/FakeCA/CA
/var/simp/environments/simp/FakeCA/ca.cnf
/var/simp/environments/simp/FakeCA/default_altnames.cnf
/var/simp/environments/simp/FakeCA/default.cnf
/var/simp/environments/simp/FakeCA/user.cnf
In addition, any certificates that have already been created and signed will have a config file containing all of their details in /var/simp/environments/simp/FakeCA/output/conf/.
Important
Editing any entries in the above mentioned config files will not affect existing certificates. Existing certificates must be regenerated if you need to make changes.
The following is an example of how to change the expiration time from one year (the default) to five years for any newly created certificate. It edits only the five files listed above and matches 365 as a whole word, so a longer number that merely contains 365 (a serial number, for instance) is left alone; check the result with grep before generating new certificates.
cd /var/simp/environments/simp/FakeCA
for file in CA ca.cnf default_altnames.cnf default.cnf user.cnf
do
  sed -i 's/\<365\>/1825/g' "$file"
done
grep -n 1825 CA ca.cnf default_altnames.cnf default.cnf user.cnf
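A check to run after changing the lifetime, as an added example that is not part of SIMP: rather than trusting that the sed edit hit the right value, generate a certificate and measure its validity period from the certificate itself. The 1825-day figure is this page's five-year value; the function names and the assumption that the certificates to check sit as *.pem files in a single directory are mine. The same functions work on the certificates deployed to /etc/pki/simp on a client. Requires openssl and GNU date.

```bash
#!/bin/bash
# Added example, not part of SIMP: after changing the FakeCA lifetime, check
# that certificates actually come out with the intended validity period
# instead of trusting the sed edit. 1825 days is the page's five-year
# figure; the function names and the one-directory *.pem assumption are
# this example's own. Needs openssl and GNU date (-d).
set -eu

# cert_lifetime_days PEM: print the validity period (notAfter - notBefore)
# of an X.509 certificate in whole days; fail if PEM is not a certificate.
cert_lifetime_days() {
  local pem="$1" start end
  start=$(openssl x509 -in "$pem" -noout -startdate 2>/dev/null) || return 1
  end=$(openssl x509 -in "$pem" -noout -enddate 2>/dev/null) || return 1
  start=${start#*=}          # strip the "notBefore=" prefix
  end=${end#*=}              # strip the "notAfter=" prefix
  echo $(( ( $(date -u -d "$end" +%s) - $(date -u -d "$start" +%s) ) / 86400 ))
}

# check_cert_lifetime PEM EXPECTED_DAYS: return 0 when the certificate's
# lifetime equals EXPECTED_DAYS, 1 otherwise, reporting the discrepancy.
check_cert_lifetime() {
  local pem="$1" want="$2" got
  got=$(cert_lifetime_days "$pem") || {
    echo "$pem: not a readable certificate" >&2
    return 1
  }
  if [ "$got" -ne "$want" ]; then
    echo "$pem: lifetime is $got days, expected $want" >&2
    return 1
  fi
  echo "$pem: lifetime is $got days"
}

# check_certs_in_dir DIR EXPECTED_DAYS: apply the check to every *.pem in
# DIR (assumption: certificates live as *.pem files in one directory).
# Checks all of them before returning so every mismatch is reported.
check_certs_in_dir() {
  local dir="$1" want="$2" rc=0 f
  set -- "$dir"/*.pem        # positional parameters keep odd filenames intact
  for f; do
    [ -e "$f" ] || continue  # no matches: the glob stayed literal
    check_cert_lifetime "$f" "$want" || rc=1
  done
  return $rc
}
```

After regenerating a certificate with the edited FakeCA, check_cert_lifetime /path/to/new.pem 1825 confirms the change took; the same call with the old value, 365, against a certificate that predates the change shows why the Important note above says existing certificates must be regenerated.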
4.5.3.5.2. Puppet Certificates
Puppet certificates are issued and maintained strictly within Puppet. They are different from the server certificates and should be managed with the puppet cert utility. For documentation on the puppet cert tool, visit the Puppet Inc. cert manual. (On Puppet 6 and later, puppet cert has been removed and the same operations are provided by the puppetserver ca subcommands.)
You can find the location for the Puppet certificates on your system by running puppet config print ssldir.
Note
By default, Puppet certificates expire every five (5) years.
4.5.3.6. The SIMP Utility
The SIMP server provides a command line utility called simp that is an interface into SIMP-specific settings and subsystems.
You can get information on the simp utility by running simp help on your SIMP server.
4.5.3.6.1. simp passgen
Throughout the SIMP codebase, you may find references to the passgen() function. This function auto-generates passwords and stores them in
/opt/puppetlabs/server/data/puppetserver/simp/environments/<environment>/simp_autofiles/gen_passwd
on the Puppet server.
For more information, see the passgen() documentation.
4.5.3.7. GUI
SIMP was designed as a minimized system, but you may occasionally need a GUI. Refer to the Graphical Desktop Setup documentation for information on setting up GUIs for the systems.