3.6. Installing SIMP Using r10k or Code Manager

r10k and Code Manager are products that automate the development and deployment of a Puppet infrastructure. SIMP supports the usage of these tools, with a little tweaking.

Read the introduction documentation on whichever of these technologies that is being used:


r10k will be used to reference both r10k itself and Code Manager throughout this document. If you are using Code Manager, skip to Setting Up Your Control Repo


This document will assume the SIMP server has internet access. If your system does not have internet access, you will need to adjust paths to point to your internal mirrors.


This method does not modify your system’s partitioning scheme or encryption scheme to meet any regulatory policies. If you want an example of what that should look like either see the Installing SIMP from an ISO or check out the Kickstart files in the simp-core Git repository.

3.6.2. Installation of r10k

On the system intended to be the Puppet server, run the following command to install the r10k ruby gem into the vendor ruby that comes with the `puppet-agent AIO package:

$ /opt/puppetlabs/puppet/bin/gem install r10k

r10k can be used by calling the absolute path of the executable (unless added to $PATH):

$ /opt/puppetlabs/puppet/bin/r10k help

3.6.4. Minimum Classes For Classification Server Open Source

To manage the puppetserver, include the following classes:

  • simp
  • simp::server
  • pupmod::master PE

In a PE environment, The SIMP Server will normally be the Master of Masters (MoM). Currently, Compile Masters (CMs) are not automatically supported out of the box, and require extra configuration to ensure they remain in sync.

  • simp
  • simp::server Agents

Agents will require the simp class at a minimum. SIMP ships with ‘scenarios’, which are essentially pre-bundled groups of modules that profile nodes for various tasks. See the Classification and Data documentation for more information. Depending on the function of your production environment, and your choice of scenario, you will want to populate Hiera with required parameters. See Initial Configuration for a list of base parameters and their description.

3.6.5. Running Puppet For The First Time

SIMP doesn’t configure the puppetserver to listen on the typical port and CA port, so the first time the puppet agent is run, you may have to specify the ca_port and server. An example:

$ puppet agent -t --ca_port 8141 --server puppet.your.domain

SIMP also provides a provisioning script called runpuppet. Run this script during provisioning and it will (provided autosign is configured) attempt to connect to your puppetserver as defined in simp_options and run puppet a few times in order to get the new system in order.


SIMP, by default, implements tcpwrappers and PAM access restrictions. The root user should always be able to log in at a console, but if there is no console, like in AWS, be sure to add a user to the PAM whitelist and give it sudo powers:

pam::access::rule { 'ec2user':
  origins    => ['ALL'],
  permission => '+',
  users      => ['ec2user']
sudo::user_specification { 'ec2user':
  user_list => ['ec2user'],
  cmnd      => ['ALL']

SIMP also moves the location of the ssh authorized_keys file to /etc/ssh/local_keys/%u, so copy it there before logging out.

3.6.6. Notes About SIMP Infrastructure

SIMP, when installed from the ISO, moves packages into /var/www/yum and creates a yum repo in itself. SIMP modules, notably the simp::yum class, assumes this. You will have to set simp::yum::os_update_url to a CentOS Updates URL.