3.4. Installing SIMP From A Repository
Using the official SIMP YUM repositories is the simplest method for getting up and running with SIMP on an existing infrastructure. If you are using a virtual infrastructure, such as AWS, Microsoft Azure, Google Cloud, or your own internal VM stack, this is the method that you will want to use.
Note
This method does not modify your system’s partitioning scheme or encryption scheme to meet any regulatory policies. For an example of what that should look like, either see Installing SIMP from an ISO or check out the Kickstart files in the simp-core Git repository.
3.4.1. Enable EPEL
Note
RHEL systems will need to enable the EPEL Repositories manually.
$ sudo yum install epel-release -y
$ sudo yum install pygpgme yum-utils
3.4.2. Install The SIMP-Project Repositories
Add the following to /etc/yum.repos.d/simp-project.repo, replacing 6 with the appropriate version of SIMP. If the repo file does not exist, create it. The repo file contents for SIMP 6.X are shown below.
If you don’t know which versions map together, please see the SIMP Version Guide.
Important
RHEL users should replace $releasever below with the actual release version. This would be 7 for RHEL 7 and 6 for RHEL 6.
Note
The ‘dependencies’ repository may contain items from external vendors, most notably Puppet, Inc. and EPEL but may also contain non-SIMP project files that have been compiled for distribution.
Warning
The whitespace and alignment shown before the additional gpgkey values must be preserved.
[simp-project_6_X]
name=simp-project_6_X
baseurl=https://packagecloud.io/simp-project/6_X/el/$releasever/$basearch
gpgcheck=1
enabled=1
gpgkey=https://raw.githubusercontent.com/NationalSecurityAgency/SIMP/master/GPGKEYS/RPM-GPG-KEY-SIMP
sslverify=1
sslcacert=/etc/pki/tls/certs/ca-bundle.crt
metadata_expire=300
[simp-project_6_X_dependencies]
name=simp-project_6_X_dependencies
baseurl=https://packagecloud.io/simp-project/6_X_Dependencies/el/$releasever/$basearch
gpgcheck=1
enabled=1
gpgkey=https://raw.githubusercontent.com/NationalSecurityAgency/SIMP/master/GPGKEYS/RPM-GPG-KEY-SIMP
       https://yum.puppetlabs.com/RPM-GPG-KEY-puppetlabs
       https://yum.puppetlabs.com/RPM-GPG-KEY-puppet
       https://apt.postgresql.org/pub/repos/yum/RPM-GPG-KEY-PGDG-96
       https://artifacts.elastic.co/GPG-KEY-elasticsearch
       https://grafanarel.s3.amazonaws.com/RPM-GPG-KEY-grafana
       https://getfedora.org/static/352C64E5.txt
sslverify=1
sslcacert=/etc/pki/tls/certs/ca-bundle.crt
metadata_expire=300
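The repo file above depends on gpgcheck, sslverify, HTTPS URLs and indented gpgkey continuation lines; a continuation line that loses its leading whitespace is no longer part of the gpgkey value. The following check is an added example, not part of SIMP or this guide; the function names and the repo.example.test sample are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: audit a yum .repo file for the settings used on this page.
# Prints one finding per line; returns non-zero if there are any findings.
audit_repo_file() {
    awk '
    function report(msg) { print sect ": " msg; bad++ }
    function check_key(url) {
        keys++
        if (url !~ /^(https|file):\/\//) report("gpgkey is not https or file: " url)
    }
    function finish() {
        if (sect == "") return
        if (opt["gpgcheck"] != "1")  report("gpgcheck is not 1")
        if (opt["sslverify"] != "1") report("sslverify is not 1")
        if (opt["baseurl"] !~ /^https:\/\//) report("baseurl is not https")
        if (keys == 0) report("no gpgkey configured")
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    /^\[.*\]/ { finish(); sect = $0; split("", opt); keys = 0; last = ""; next }
    /^[ \t]/ {               # indented line: continues the previous option
        if (last == "gpgkey") check_key($1)
        next
    }
    /^[a-z]+:\/\// {         # URL in column 0: the continuation indent was lost
        report("unindented continuation line: " $0); last = ""; next
    }
    {
        eq = index($0, "=")
        if (eq == 0) { report("unparseable line: " $0); next }
        last = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        gsub(/[ \t]/, "", last); gsub(/[ \t]/, "", val)
        opt[last] = val
        if (last == "gpgkey" && val != "") check_key(val)
    }
    END { finish(); exit (bad > 0) }
    ' "$1"
}

# Constructed sample (not a real repository): the second key lost its indent.
write_sample_repo() {
    printf '%s\n' '[example_repo]' 'baseurl=https://repo.example.test/el/7/x86_64' \
        'gpgcheck=1' 'gpgkey=https://repo.example.test/KEY-A' \
        'https://repo.example.test/KEY-B' 'sslverify=1' > "$1"
}

sample=$(mktemp)
write_sample_repo "$sample"
audit_repo_file "$sample" || echo "fix the findings above before running yum makecache"
rm -f "$sample"
```

To check the file created in this section, call audit_repo_file /etc/yum.repos.d/simp-project.repo.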
3.4.3. Rebuild The Yum Cache
$ sudo yum makecache
3.4.4. Install the SIMP Server
- Select the simp-adapter package appropriate for the version of Puppet you will be using
  - simp-adapter-foss: Version appropriate for FOSS Puppet
  - simp-adapter-pe: Version appropriate for Puppet Enterprise
- Install the simp-adapter package
$ sudo yum install -y simp-adapter-foss
- Install the remaining SIMP packages
$ sudo yum install -y simp
Note
The simp RPM installs the SIMP core Puppet modules. Breaking changes in these modules trigger a breaking change update in SIMP itself.
There are a large number of additional ‘extra’ modules that may be individually installed. Search for pupmod via yum to discover what is available.
If you wish to install all of the extra modules, you can simply run sudo yum install -y simp-extras
3.4.5. Configure and Bootstrap the SIMP Server
- su to root
- Type simp config and configure the system as prompted.
  - simp config will prompt you for system settings and then apply the smallest settings subset that is required to bootstrap the system.
  - When applicable, simp config will present you with a recommendation for each setting. To keep a recommended value, press Enter. Otherwise, enter your desired value.
  - simp config generates a log file containing details of the configuration selected and actions taken.
  - For more details about the installation variables set by simp config and the corresponding actions, see Initial Configuration.
  - For a list of additional options, type simp help config.
    - simp config --dry-run will run through all of the simp config prompts without applying any changes to the system. This is the option to run to become familiar with the variables set by simp config or generate a configuration file to be used as a template for subsequent simp config runs.
    - simp config -a <Config File> will load a previously generated configuration in lieu of prompting for settings, and then apply the settings. This is the option to run for systems that will be rebuilt often.
Note
Once simp config has been run, three SIMP configuration files will be generated:
- /root/.simp/simp_conf.yaml: File containing all your simp config settings; can include additional settings related to ones you entered and other settings required for SIMP.
- /etc/puppetlabs/code/environments/simp/hieradata/simp_config_settings.yaml: File containing global hieradata relevant to SIMP clients and the SIMP server.
- /etc/puppetlabs/code/environments/simp/hieradata/hosts/<host>.yaml: SIMP server host YAML file.
- Type simp bootstrap
Note
If progress bars are of equal length and the bootstrap finishes quickly, a problem has occurred. This is most likely due to an error in SIMP configuration. Refer to the previous step and make sure that all configuration options are correct.
- Reboot your system
$ reboot
3.4.6. Bootstrap SIMP Clients
Use the runpuppet script from the newly created SIMP server to bootstrap your clients. That script can be acquired in one of two ways:
- Use a SIMP server as a kickstart server; see Client Management for details on how to take advantage of SIMP to make this easier.
- If another server is to be used as a kickstart server, you can still use our distributed and tested provisioning script, runpuppet. Add the simp::server::kickstart::runpuppet class to your kickstart server node to use runpuppet. The file can be placed in an existing web server by setting the location parameter. Here’s an example that could be placed in a kickstarting profile class:
class { 'simp::server::kickstart::runpuppet':
  location => '/var/www/web/server/path/runpuppet'
}
Note
This would be the general technique that you would use to auto-bootstrap your clients via user-data scripts in cloud environments.
You should take care to ensure that your environment is protected prior to running the runpuppet script across the Internet. You may want to package it as a signed RPM specific to your environment and deploy it independently.
Be ready to sign your client credentials as systems check in with the server!
Run the script on a client. This example assumes the first option from above:
# Remove the ``--insecure`` option if your system has a certificate signed
# by a well-known CA.
$ curl --insecure https://<puppet.server.fqdn>/ks/runpuppet | bash
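Where the client will reach the server across an untrusted network, the script can be saved to disk and verified before it is executed instead of being piped straight into bash. This is an added example, not part of SIMP or this guide; the function names, /root/simp-ca.pem (the CA that signed the web server certificate) and the pinned SHA-256 are assumptions, both obtained from the SIMP server over a trusted channel.

```shell
#!/usr/bin/env bash
# Added example: fetch runpuppet to disk, verify it, and only then run it.
# The CA file and expected hash are assumptions supplied by the operator.

# Return 0 only if FILE hashes to EXPECTED (hex SHA-256, case-insensitive).
verify_sha256() {
    file=$1; expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -s "$file" ] || { echo "empty or missing: $file" >&2; return 1; }
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ] || { echo "hash mismatch for $file" >&2; return 1; }
}

# Download URL to OUT over HTTPS only, validating the server against CA_FILE,
# then check the pinned hash. A failed or partial download returns non-zero.
fetch_verified() {
    url=$1; ca_file=$2; pinned=$3; out=$4
    curl --fail --silent --show-error --proto '=https' --cacert "$ca_file" \
         --output "$out" "$url" || return 1
    verify_sha256 "$out" "$pinned"
}

# Usage (values in angle brackets are placeholders for the operator):
#   fetch_verified "https://<puppet.server.fqdn>/ks/runpuppet" \
#       /root/simp-ca.pem "<sha256 from the server>" /root/runpuppet \
#     && bash /root/runpuppet

# Constructed demo: a copy modified after the hash was recorded is rejected.
tmp=$(mktemp)
printf 'echo bootstrap\n' > "$tmp"
good=$(sha256sum "$tmp" | cut -d' ' -f1)
printf 'echo tampered\n' >> "$tmp"
verify_sha256 "$tmp" "$good" || echo "refusing to run $tmp"
rm -f "$tmp"
```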