3.6. Installing SIMP Using r10k or Code Manager
r10k and Code Manager are products that automate the development and deployment of a Puppet infrastructure. SIMP supports the usage of these tools, with a little tweaking.
Read the introductory documentation for whichever of these tools you are using:
- Code Manager: https://docs.puppet.com/pe/latest/code_mgr.html
- r10k: https://github.com/puppetlabs/r10k/blob/master/README.mkd
Note
r10k will be used to reference both r10k itself and Code Manager throughout this document. If you are using Code Manager, skip to Setting Up Your Control Repo.
Important
This document will assume the SIMP server has internet access. If your system does not have internet access, you will need to adjust paths to point to your internal mirrors.
Note
This method does not modify your system’s partitioning scheme or encryption scheme to meet any regulatory policies. If you want an example of what that should look like, see either Installing SIMP from an ISO or the Kickstart files in the simp-core Git repository.
3.6.1. Preparing Your System
Follow the Preparing For Non-RPM Install guide.
3.6.2. Installation of r10k
On the system intended to be the Puppet server, run the following command to install the r10k ruby gem into the vendor ruby that comes with the puppet-agent AIO package:
$ /opt/puppetlabs/puppet/bin/gem install r10k
r10k can be used by calling the absolute path of the executable (unless added to $PATH):
$ /opt/puppetlabs/puppet/bin/r10k help
3.6.4. Minimum Classes For Classification
3.6.4.1. Server
3.6.4.1.1. Open Source
To manage the puppetserver, include the following classes:
simp
simp::server
pupmod::master
3.6.4.1.2. PE
In a PE environment, the SIMP server will normally be the Master of Masters (MoM). Currently, Compile Masters (CMs) are not automatically supported out of the box, and require extra configuration to ensure they remain in sync.
simp
simp::server
3.6.4.2. Agents
Agents will require the simp class at a minimum. SIMP ships with ‘scenarios’, which are essentially pre-bundled groups of modules that profile nodes for various tasks. See the Classification and Data documentation for more information. Depending on the function of your production environment, and your choice of scenario, you will want to populate Hiera with required parameters. See Initial Configuration for a list of base parameters and their description.
3.6.5. Running Puppet For The First Time
SIMP doesn’t configure the puppetserver to listen on the typical port and CA port, so the first time the puppet agent is run, you may have to specify the ca_port and server. An example:
$ puppet agent -t --ca_port 8141 --server puppet.your.domain
SIMP also provides a provisioning script called runpuppet. Run this script during provisioning and it will (provided autosign is configured) attempt to connect to your puppetserver as defined in simp_options and run puppet a few times in order to get the new system in order.
Warning
SIMP, by default, implements tcpwrappers and PAM access restrictions. The root user should always be able to log in at a console, but if there is no console, like in AWS, be sure to add a user to the PAM whitelist and give it sudo powers:
pam::access::rule { 'ec2user':
  origins    => ['ALL'],
  permission => '+',
  users      => ['ec2user']
}
sudo::user_specification { 'ec2user':
  user_list => ['ec2user'],
  cmnd      => ['ALL']
}
SIMP also moves the location of the ssh authorized_keys file to /etc/ssh/local_keys/%u, so copy it there before logging out.
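One way to do the copy described in the warning above and confirm it before logging out, as an added example that is not part of the SIMP documentation or project. The function names, the 0644 mode and the /home/ec2user path in the usage comment are assumptions; only the /etc/ssh/local_keys/%u location and the ec2user name come from the page.

```shell
#!/bin/sh
# Added example, not SIMP project code. Only the /etc/ssh/local_keys/%u location
# comes from the page; function names and the 0644 mode are assumptions.

# valid_user NAME: reject names that could escape the key directory.
valid_user() {
    case $1 in
        ''|.*|*/*) return 1 ;;
    esac
    return 0
}

# stage_local_key USER SRC [KEY_DIR]: copy SRC to KEY_DIR/USER atomically.
stage_local_key() {
    user=$1 src=$2 key_dir=${3:-/etc/ssh/local_keys}
    valid_user "$user" || { echo "bad user name: $user" >&2; return 2; }
    [ -d "$key_dir" ] || { echo "missing directory: $key_dir" >&2; return 3; }
    # Require at least one line that is neither blank nor a comment.
    grep -Eq '^[[:space:]]*[^#[:space:]]' "$src" 2>/dev/null ||
        { echo "no keys found in: $src" >&2; return 4; }
    tmp=$(mktemp "$key_dir/.stage.XXXXXX") || return 5
    # Write to a temp file in the same directory, then rename, so sshd
    # never reads a half-written key file.
    if cat "$src" > "$tmp" && chmod 0644 "$tmp" && mv -f "$tmp" "$key_dir/$user"; then
        return 0
    fi
    rm -f "$tmp"
    return 5
}

# check_local_key USER SRC [KEY_DIR]: succeed only if the staged copy matches SRC.
check_local_key() {
    user=$1 src=$2 key_dir=${3:-/etc/ssh/local_keys}
    valid_user "$user" || return 2
    [ -s "$key_dir/$user" ] && cmp -s "$src" "$key_dir/$user"
}

# Usage, as root and before closing the current session (home path assumed):
#   stage_local_key ec2user /home/ec2user/.ssh/authorized_keys &&
#   check_local_key ec2user /home/ec2user/.ssh/authorized_keys
```

Keep the existing session open and confirm a second login works with the relocated key before disconnecting.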
3.6.6. Notes About SIMP Infrastructure
SIMP, when installed from the ISO, moves packages into /var/www/yum and creates a yum repo in itself. SIMP modules, notably the simp::yum class, assume this. You will have to set simp::yum::os_update_url to a CentOS Updates URL.