3.9. Initial Configuration
The goal of `simp config` is to allow the user to quickly configure the SIMP server with minimal user input/operations. To that end, `simp config` sets installation variables based on information gathered from the user, existing system settings, and SIMP security requirements. It then applies the smallest subset of these system settings that is required to bootstrap the system with Puppet. Both the installation variables and their application via `simp config` are described in the subsections that follow.
3.9.1. Installation Variables
This section describes the installation variables set by `simp config`. Although the table that follows lists all possible installation variables, the user will not be prompted for all of them, nor will all of them appear in the configuration files generated by `simp config`. Some of these variables will be automatically set based on other installation variables, system settings, or SIMP security requirements. Others will be omitted because either they are unnecessary for a particular site configuration or their defaults are appropriate. Also, please note that variables beginning with `cli::` are only used internally by `simp config` itself. The `cli::` variables are written to `simp_conf.yaml`, but not persisted to any Puppet hieradata files.
Important

- Not all the settings listed below can be preset in a configuration file input to `simp config`, via either `-a <Config File>` or `-A <Config File>`. Only settings for which you would be prompted, if you ran `simp config` interactively, can be preset. All other settings will be automatically determined by `simp config`, disregarding your input.
- `simp config` behaves differently (asks different questions, automatically determines different settings) depending on the SIMP installation type. This is because it can safely assume certain server setup has been done only if SIMP has been installed from the SIMP-provided ISO. For example, consider a `simp` local user. When SIMP is installed from ISO, `simp config` can safely assume that this user is the backup user installed by the ISO to prevent server lockout. As such, `su` and `ssh` privileges for the `simp` user should be allowed. For non-ISO installs, however, it would not be prudent for `simp config` to grant just any `simp` user both `su` and `ssh` privileges. `simp config` detects that SIMP has been installed from a SIMP-provided ISO by the presence of `/etc/yum.repos.d/simp_filesystem.repo`.
Variable | Description |
---|---|
cli::is_ldap_server | Whether the SIMP server will also be the LDAP server. |
cli::network::dhcp | Whether to use DHCP for the network; dhcp to enable DHCP, static otherwise |
cli::network::gateway | Default gateway |
cli::network::hostname | FQDN of server |
cli::network::interface | Network interface to use |
cli::network::ipaddress | IP address of server |
cli::network::netmask | Netmask of the system |
cli::network::set_up_nic | Whether to set up the network interface; true or false |
cli::set_grub_password | Whether to set a GRUB password on the server; true or false |
cli::set_production_to_simp | Whether to set default Puppet environment to ‘simp’; true or false |
cli::simp::scenario | SIMP scenario; simp = full SIMP system, simp_lite = SIMP system with some security features disabled for clients, poss = SIMP system with all security features disabled for clients. |
cli::use_internet_simp_yum_repos | Whether to configure SIMP nodes to use internet SIMP and SIMP dependency YUM repositories. |
grub::password | GRUB password hash |
puppetdb::master::config::puppetdb_port | Port used by the puppet database |
puppetdb::master::config::puppetdb_server | DNS name or IP of puppet database server |
simp_openldap::server::conf::rootpw | LDAP Root password hash |
simp_options::dns::search | Search domain for DNS |
simp_options::dns::servers | List of DNS servers for the managed hosts |
simp_options::fips | Enable FIPS-140-2 compliance; true or false; value automatically set to detected system FIPS status |
simp_options::ldap | Whether to use LDAP; true or false |
simp_options::ldap::base_dn | LDAP Server Base Distinguished Name |
simp_options::ldap::bind_dn | LDAP Bind Distinguished Name |
simp_options::ldap::bind_hash | LDAP Bind password hash |
simp_options::ldap::bind_pw | LDAP Bind password |
simp_options::ldap::master | LDAP master URI |
simp_options::ldap::sync_dn | LDAP Sync Distinguished Name |
simp_options::ldap::sync_hash | LDAP Sync password hash |
simp_options::ldap::sync_pw | LDAP Sync password |
simp_options::ldap::uri | List of LDAP server URIs |
simp_options::ntpd::servers | NTP servers |
simp_options::puppet::ca | FQDN of Puppet Certificate Authority (CA) |
simp_options::puppet::ca_port | Port Puppet CA will listen on |
simp_options::puppet::server | FQDN of the puppet server |
simp_options::sssd | Whether to use SSSD |
simp_options::syslog::failover_log_servers | IP addresses of failover log servers |
simp_options::syslog::log_servers | IP addresses of primary log servers |
simp_options::trusted_nets | Subnet used for clients managed by the puppet server |
simp::runlevel | Default system run level; 1-5 |
simp::server::allow_simp_user | Whether to allow local ‘simp’ user su and ssh privileges. |
simp::yum::repo::local_os_updates::enable_repo | Whether to enable the SIMP-managed, OS Update YUM repository that the SIMP ISO installs on the SIMP server. |
simp::yum::repo::local_os_updates::servers | YUM server(s) for SIMP-managed, OS Update packages |
simp::yum::repo::local_simp::enable_repo | Whether to enable the SIMP-managed, SIMP and SIMP dependency YUM repository that the SIMP ISO installs on the SIMP server. |
simp::yum::repo::local_simp::servers | YUM server(s) for SIMP-managed, SIMP and SIMP dependency packages |
sssd::domains | List of SSSD domains |
svckill::mode | Strategy svckill should use when it encounters undeclared services; enforcing = shut down and disable all services not listed in your manifests or the exclusion file; warning = only report which undeclared services should be shut down and disabled, without actually making the changes to the system |
useradd::securetty | A list of TTYs for which the root user can login |
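To make the constraints in the table and the note above concrete, here is an added example script (not SIMP's own code) that checks a `simp_conf.yaml` against them: boolean and enumerated values, `simp_options::fips` agreeing with the system's detected FIPS status, `simp::server::allow_simp_user` only on an ISO install, the LDAP hash fields not holding the plaintext password, and the `cli::` settings being kept out of the hieradata-bound key set. It assumes the flat `key: value` YAML layout of `simp_conf.yaml` (a minimal parser is included so it runs without PyYAML; use `yaml.safe_load` in practice), and the `system_fips` and `iso_install` arguments stand in for what `simp config` detects itself (the kernel's FIPS status and the presence of `/etc/yum.repos.d/simp_filesystem.repo`). The sample file is constructed; run against a FIPS-enabled, non-ISO host it yields three findings.

```python
"""Sanity checks for a simp_conf.yaml, whether written by `simp config` or
preset for it with -a/-A. Added example, not part of SIMP: the rules come from
the variable table; system facts (FIPS status, ISO marker) are parameters."""
import re

BOOLEAN_KEYS = {
    "cli::is_ldap_server", "cli::network::set_up_nic", "cli::set_grub_password",
    "cli::set_production_to_simp", "cli::use_internet_simp_yum_repos",
    "simp_options::fips", "simp_options::ldap", "simp_options::sssd",
    "simp::server::allow_simp_user", "simp::yum::repo::local_simp::enable_repo",
    "simp::yum::repo::local_os_updates::enable_repo",
}
ENUM_KEYS = {
    "cli::network::dhcp": {"dhcp", "static"},
    "cli::simp::scenario": {"simp", "simp_lite", "poss"},
    "svckill::mode": {"enforcing", "warning"},
}
# (hash field, plaintext field): the hash field must never carry the plaintext
HASH_PAIRS = [
    ("simp_options::ldap::bind_hash", "simp_options::ldap::bind_pw"),
    ("simp_options::ldap::sync_hash", "simp_options::ldap::sync_pw"),
]


def _scalar(raw):
    value = raw.strip().strip("'\"")
    return value == "true" if value in ("true", "false") else value


def load_simp_conf(text):
    """Minimal parser for the flat form simp_conf.yaml uses (`key: value`, or
    `key:` followed by `- item` lines). Use yaml.safe_load() on a real system;
    this only keeps the example dependency-free."""
    conf, current_list = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or stripped == "---":
            continue
        if stripped.startswith("- ") and current_list is not None:
            conf[current_list].append(_scalar(stripped[2:]))
            continue
        m = re.match(r"^(\S+?):(?:\s+(.*))?$", stripped)
        if not m:
            raise ValueError("unparsed line: %r" % line)
        key, value = m.group(1), m.group(2)
        if value is None:  # a block list follows
            conf[key], current_list = [], key
        else:
            conf[key], current_list = _scalar(value), None
    return conf


def hieradata_keys(conf):
    """Keys that end up in Puppet hieradata: everything except the cli::
    settings, which simp config keeps to itself."""
    return sorted(k for k in conf if not k.startswith("cli::"))


def check_simp_conf(conf, system_fips, iso_install):
    """Return a list of findings; an empty list means nothing to flag."""
    findings = []
    for key in sorted(BOOLEAN_KEYS & set(conf)):
        if not isinstance(conf[key], bool):
            findings.append("%s: expected true or false, got %r" % (key, conf[key]))
    for key, allowed in ENUM_KEYS.items():
        if key in conf and conf[key] not in allowed:
            findings.append("%s: %r is not one of %s" % (key, conf[key], sorted(allowed)))
    if "simp::runlevel" in conf and str(conf["simp::runlevel"]) not in {"1", "2", "3", "4", "5"}:
        findings.append("simp::runlevel: %r is not in 1-5" % conf["simp::runlevel"])
    # simp config sets this from the detected status; a preset value is disregarded
    if "simp_options::fips" in conf and conf["simp_options::fips"] != system_fips:
        findings.append("simp_options::fips: %r disagrees with detected system status %r"
                        % (conf["simp_options::fips"], system_fips))
    # su and ssh for a local 'simp' user are only safe when the ISO created that user
    if conf.get("simp::server::allow_simp_user") is True and not iso_install:
        findings.append("simp::server::allow_simp_user is true on a non-ISO install")
    for hash_key, plain_key in HASH_PAIRS:
        if hash_key in conf and conf[hash_key] == conf.get(plain_key):
            findings.append("%s holds the plaintext password, not a hash" % hash_key)
    if conf.get("cli::set_grub_password") is True and not conf.get("grub::password"):
        findings.append("cli::set_grub_password is true but grub::password is empty")
    return findings


# Constructed sample; the bind_hash line deliberately repeats the plaintext.
SAMPLE_CONF = """---
cli::is_ldap_server: true
cli::network::dhcp: static
cli::network::hostname: puppet.example.com
cli::network::ipaddress: 10.0.0.5
cli::simp::scenario: simp
cli::set_grub_password: true
grub::password: 'grub.pbkdf2.sha512.10000.PLACEHOLDER'
simp_options::dns::servers:
  - 10.0.0.2
simp_options::fips: false
simp_options::ldap::bind_pw: 'changeme'
simp_options::ldap::bind_hash: 'changeme'
simp::runlevel: 3
simp::server::allow_simp_user: true
svckill::mode: enforcing
"""

if __name__ == "__main__":
    # Evaluate the sample as if the host were in FIPS mode and not ISO-installed.
    for finding in check_simp_conf(load_simp_conf(SAMPLE_CONF), True, False):
        print(finding)
```

On a live server, `system_fips` would come from `/proc/sys/crypto/fips_enabled` and `iso_install` from `os.path.exists("/etc/yum.repos.d/simp_filesystem.repo")`; the checks themselves are pure so they can be run against a preset file before `simp config` is invoked.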
3.9.2. simp config Actions
In addition to creating the three configuration YAML files, `simp config` performs a limited set of actions in order to prepare the system for bootstrapping. Although the table that follows lists all possible `simp config` actions, not all of these actions will apply to every site configuration.
Category | Actions Performed |
---|---|
Certificates | If no certificates for the host are found in `/var/simp/environments/simp/site_files/pki_files/files/keydist`, `simp config` will use SIMP’s FakeCA to generate interim host certificates. These certificates, which are independent of the certificates managed by Puppet, are required by SIMP and should be replaced by certificates from an official Certificate Authority as soon as is practical. |
Digest Algorithm for FIPS | When the system is in FIPS mode, `simp config` will set the Puppet digest algorithm to `sha256` to prevent any Puppet-related actions executed by `simp config` from using MD5 checksums. Note that this is not all that must be done to enable FIPS. The complete set of actions required to support FIPS is handled by `simp bootstrap`. |
GRUB | When the user selects to set the GRUB password, `simp config` will set the password in the appropriate GRUB configuration file, `/etc/grub.conf` or `/etc/grub2.cfg`. |
LDAP | When the SIMP server is also an LDAP server, |
Lockout Prevention | When the SIMP server is installed from ISO, the install creates a local `simp` user that the SIMP server configures to have both `su` and `ssh` privileges. (This user is provided to prevent server lockout, as, per security policy, SIMP by default disables logins via `ssh` for all users, including ‘root’.) So, when SIMP is not installed from ISO, |
Network | |
Puppet | |
SIMP Hiera & Site Manifest | |
YUM | |
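An added example, not SIMP's own code, that verifies the first three actions in the table after `simp config` has run: Puppet's `digest_algorithm` is `sha256` whenever FIPS is on, interim host certificates exist under the keydist path, and the GRUB configuration carries a password directive. It assumes the kernel's `/proc/sys/crypto/fips_enabled` flag, that FakeCA leaves `<fqdn>/<fqdn>.pem` and `<fqdn>/<fqdn>.pub` under keydist (an assumed layout), and the GRUB directive forms `password_pbkdf2` (GRUB 2) and `password --md5` / `password --encrypted` (legacy GRUB). The puppet.conf and GRUB fragments are constructed so the checks can be exercised offline; the `scan_keydist` and `system_fips_enabled` wrappers read the live system.

```python
"""Post-run checks for the simp config actions listed above. Added example,
not SIMP's own code; text and file listings are passed in so the checks run
offline, with thin wrappers that read the live system."""
import os
import re

KEYDIST = "/var/simp/environments/simp/site_files/pki_files/files/keydist"


def system_fips_enabled():
    """FIPS status as the kernel reports it (missing file = not enabled)."""
    try:
        with open("/proc/sys/crypto/fips_enabled") as fh:
            return fh.read().strip() == "1"
    except OSError:
        return False


def configured_digest_algorithm(puppet_conf_text):
    """digest_algorithm from puppet.conf text, or None when the key is absent."""
    for line in puppet_conf_text.splitlines():
        m = re.match(r"\s*digest_algorithm\s*=\s*(\S+)", line)
        if m:
            return m.group(1).lower()
    return None


def check_digest_for_fips(fips_enabled, digest_algorithm):
    """Table rule: in FIPS mode simp config sets sha256 so no Puppet action
    uses MD5. Returns a finding string, or None when the state is consistent."""
    if fips_enabled and digest_algorithm != "sha256":
        return "FIPS is enabled but Puppet digest_algorithm is %s; expected sha256" % (
            digest_algorithm or "unset")
    return None


def interim_cert_files(fqdn):
    """Files assumed to exist for a host once FakeCA has run (assumed layout:
    <fqdn>/<fqdn>.pem private key and <fqdn>/<fqdn>.pub certificate)."""
    return {os.path.join(fqdn, fqdn + ".pem"), os.path.join(fqdn, fqdn + ".pub")}


def missing_host_certs(present_paths, fqdn):
    """Given the paths present under keydist (relative to it), return the
    expected host files that are absent; an empty list means the host already
    has certificates and simp config would not invoke FakeCA."""
    return sorted(interim_cert_files(fqdn) - set(present_paths))


def scan_keydist(fqdn, keydist=KEYDIST):
    """Live wrapper: walk keydist and report the missing host cert files."""
    present = set()
    for root, _dirs, files in os.walk(keydist):
        for name in files:
            present.add(os.path.relpath(os.path.join(root, name), keydist))
    return missing_host_certs(present, fqdn)


def grub_password_set(grub_cfg_text):
    """True when the GRUB config carries a password directive: password_pbkdf2
    (GRUB 2, /etc/grub2.cfg) or `password --md5` / `password --encrypted`
    (legacy GRUB, /etc/grub.conf)."""
    pattern = r"^\s*(password_pbkdf2\b|password\s+--(md5|encrypted)\b)"
    return re.search(pattern, grub_cfg_text, re.MULTILINE) is not None


# Constructed samples: a puppet.conf still on md5 and a GRUB 2 config with a
# placeholder PBKDF2 hash.
SAMPLE_PUPPET_CONF = """[main]
server = puppet.example.com
digest_algorithm = md5
"""
SAMPLE_GRUB2_CFG = """set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.PLACEHOLDER
"""

if __name__ == "__main__":
    # Evaluate the constructed samples as if the host were in FIPS mode.
    print(check_digest_for_fips(True, configured_digest_algorithm(SAMPLE_PUPPET_CONF)))
    print(missing_host_certs(["cacerts/cacerts.pem"], "puppet.example.com"))
    print(grub_password_set(SAMPLE_GRUB2_CFG))
```

On a real server, feed `check_digest_for_fips` the result of `system_fips_enabled()` and the contents of Puppet's `puppet.conf`, and call `scan_keydist(fqdn)` with the server's FQDN; a non-empty list from `scan_keydist` after `simp config` means the interim certificates the table describes were not produced.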