4.2. Initial SIMP Server Configuration
4.2.1. Using the SIMP Utility
In these instructions we will be using the
commands of the SIMP Utility,
simp. The SIMP Utility provides a CLI
intended to make the system initial configuration straightforward and
For a list of the commands
simp provides, type
simp help. Type
simp help <Command> for more information on a specific command.
4.2.2. Configuring the SIMP Server
Correct time across all systems is important to the proper functioning of SIMP and Puppet in general.
If a user has trouble connecting to the Puppet server and errors regarding certificate validation appear, check the Puppet server and client times to ensure they are synchronized.
Keep in mind as the installation process begins that Puppet does not work well with capital letters in host names. Therefore, they should not be used.
For the remainder of the document, we will assume that you use the ISO
installation method and that you are logging in using a
simp local user.
Use the appropriate user for your environment if you installed via an alternate
Log on as
su - to gain root access.
simp config and configure the system as prompted.
- simp config will prompt you for system settings and then apply them as appropriate for bootstrapping the system.
- When applicable, simp config will present you with a recommendation for each setting (variable). To keep a recommended value, press Enter. Otherwise, enter your desired value.
- simp config generates a log file in /root/.simp containing details of the configuration selected and actions taken.
- For more details about the installation variables set by simp config and the corresponding actions, see Advanced Configuration.
- For a list of additional options, type simp help config.
- simp config --dry-run will run through all of the simp config prompts without applying any changes to the system. This is the option to run to become familiar with the variables set by simp config or generate a configuration file to be used as a template for subsequent
- simp config -a <Config File> will load a previously generated configuration (aka the ‘answers’ file) in lieu of prompting for settings, and then apply the settings. This is the option to run for systems that will be rebuilt often. Please note, however, if you edit the answers file, only configuration settings for which you would be prompted by simp config can be modified in that file. Any changes made to settings that simp config automatically determines will be ignored.
simp config has been run, three SIMP configuration files will be generated:
- /root/.simp/simp_conf.yaml: File containing all your simp config settings; can include additional settings related to ones you entered and other settings required for SIMP.
- /etc/puppetlabs/code/environments/simp/data/simp_config_settings.yaml: File containing global Hiera data relevant to SIMP clients and the SIMP server.
- /etc/puppetlabs/code/environments/simp/data/hosts/<server_fqdn>.yaml: SIMP server host specific Hiera configuration.
- simp bootstrap generates a log file in /root/.simp containing details of the bootstrap operation.
- For a list of options simp bootstrap provides, type simp help bootstrap.
If your SIMP server is a virtual machine in a cloud, the default timeout for the puppet server to start, 5 minutes, may be too short. You will want to extend this time by using the -w option. For example, to extend that timeout to 10 minutes:
simp bootstrap -w 10
If progress bars of each puppet run are of equal length and the bootstrap finishes quickly, a problem has occurred. This is most likely due to an error in SIMP configuration. Refer to the previous step and make sure that all configuration options are correct.
If this happens, you can debug by either looking at the log files or by running
puppet agent -t --masterport=8150.
reboot to reboot and apply the necessary kernel configuration items.
4.2.3. Optional: Extract the full OS Package Set
The SIMP ISO attempts to contain everything that you need to run a base system. However, if you did not install via ISO, or you require additional stock packages, you can use the following procedure to extract the vendor ISOs.
Log on as
su - to gain root access.
Run puppet for the first time.
puppet agent -t
Copy the appropriate vendor OS ISO(s) to the server and unpack using the unpack_dvd utility. This creates a new tree under /var/www/yum/<OperatingSystem> suitable for serving to clients.
Update your system using yum. The updates applied will depend on what ISO you initially used.
yum clean all; yum makecache
4.2.4. Advanced Configuration
The goal of
simp config is to allow the user to quickly configure the
SIMP server with minimal user input/operations. To that end
sets installation variables based on information gathered from the user,
existing system settings, and SIMP security requirements. It then
applies the smallest subset of these system settings that is required to
bootstrap the system with Puppet. Both the installation variables and
their application via
simp config are described in subsections that
4.2.4.1. Installation Variables
This section describes the installation variables set by
Although the table that follows lists all possible installation variables,
the user will not be prompted for all of them, nor will all of them
appear in the configuration files generated by
simp config. Some
of these variables will be automatically set based on other installation
variables, system settings, or SIMP security requirements. Others will
be omitted because either they are unnecessary for a particular site
configuration, or their defaults are appropriate. Also, please note
that variables beginning with ‘cli::’ are only used internally by
simp config, itself. The ‘cli::’ variables are written to
simp_conf.yaml, but not persisted to any Puppet hiera data files.
- Not all the settings listed below can be preset in a configuration file input to simp config, via either -a <Config File> or -A <Config File>. Only settings for which you would be prompted, if you ran simp config interactively, can be preset. All other settings will be automatically determined by simp config, disregarding your input.
- simp config behaves differently (asks different questions, automatically determines different settings) depending on the SIMP installation type. This is because it can safely assume certain server setup has been done, only if SIMP has been installed from the SIMP-provided ISO. For example, consider a simp local user. When SIMP is installed from ISO, simp config can safely assume that this user is the backup user installed by the ISO to prevent server lockout. As such, ssh privileges for the simp user should be allowed. For non-ISO installs, however, it would not be prudent for simp config to grant just any
- simp config detects that SIMP has been installed from a SIMP-provided ISO by the presence of
|cli::is_ldap_server||Whether the SIMP server will also be the LDAP server.|
|cli::network::dhcp||Whether to use DHCP for the network; dhcp to enable DHCP, static otherwise|
|cli::network::hostname||FQDN of server|
|cli::network::interface||Network interface to use|
|cli::network::ipaddress||IP address of server|
|cli::network::netmask||Netmask of the system|
|cli::network::set_up_nic||Whether to set up the network interface; true or false|
|cli::set_grub_password||Whether to set a GRUB password on the server; true or false|
|cli::set_production_to_simp||Whether to set default Puppet environment to ‘simp’; true or false|
|cli::simp::scenario||SIMP scenario; simp = full SIMP system, simp_lite = SIMP system with some security features disabled for clients, poss = SIMP system with all security features disabled for clients.|
|cli::use_internet_simp_yum_repos||Whether to configure SIMP nodes to use internet SIMP and SIMP dependency YUM repositories.|
|grub::password||GRUB password hash|
|puppetdb::master::config::puppetdb_port||Port used by the puppet database|
|puppetdb::master::config::puppetdb_server||DNS name or IP of puppet database server|
|simp_openldap::server::conf::rootpw||LDAP Root password hash|
|simp_options::dns::search||Search domain for DNS|
|simp_options::dns::servers||List of DNS servers for the managed hosts|
|simp_options::fips||Enable FIPS-140-2 compliance; true or false; value automatically set to detected system FIPS status|
|simp_options::ldap||Whether to use LDAP; true or false|
|simp_options::ldap::base_dn||LDAP Server Base Distinguished Name|
|simp_options::ldap::bind_dn||LDAP Bind Distinguished Name|
|simp_options::ldap::bind_hash||LDAP Bind password hash|
|simp_options::ldap::bind_pw||LDAP Bind password|
|simp_options::ldap::master||LDAP master URI|
|simp_options::ldap::sync_dn||LDAP Sync Distinguished Name|
|simp_options::ldap::sync_hash||LDAP Sync password hash|
|simp_options::ldap::sync_pw||LDAP Sync password|
|simp_options::ldap::uri||List of LDAP server URIs|
|simp_options::puppet::ca||FQDN of Puppet Certificate Authority (CA)|
|simp_options::puppet::ca_port||Port Puppet CA will listen on|
|simp_options::puppet::server||FQDN of the puppet server|
|simp_options::sssd||Whether to use SSSD|
|simp_options::syslog::failover_log_servers||IP addresses of failover log servers|
|simp_options::syslog::log_servers||IP addresses of primary log servers|
|simp_options::trusted_nets||Subnet used for clients managed by the puppet server|
|simp::runlevel||Default system run level; 1-5|
|simp::server::allow_simp_user||Whether to allow local ‘simp’ user su and ssh privileges.|
|simp::yum::repo::local_os_updates::enable_repo||Whether to enable the SIMP-managed, OS Update YUM repository that the SIMP ISO installs on the SIMP server.|
|simp::yum::repo::local_os_updates::servers||YUM server(s) for SIMP-managed, OS Update packages|
|simp::yum::repo::local_simp::enable_repo||Whether to enable the SIMP-managed, SIMP and SIMP dependency YUM repository that the SIMP ISO installs on the SIMP server.|
|simp::yum::repo::local_simp::servers||YUM server(s) for SIMP-managed, SIMP and SIMP dependency packages|
|sssd::domains||List of SSSD domains|
|svckill::mode||Strategy svckill should use when it encounters undeclared services; enforcing = shutdown and disable all services not listed in your manifests or the exclusion file; warning = only report what undeclared services should be shut down and disabled, without actually making the changes to the system|
|useradd::securetty||A list of TTYs for which the root user can login|
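
An added example, not part of the SIMP documentation or tooling: before reusing an answers file such as /root/.simp/simp_conf.yaml with simp config -a, the function below reports entries that the table above describes as reducing enforcement or as holding a password rather than a hash. It assumes the file contains flat key: value lines; the review_answers name and the sample file are constructed for this illustration.

```shell
#!/usr/bin/env bash
# Added example, not SIMP code. Assumes the answers file holds flat
# "key: value" lines; review_answers and the sample file are constructed here.

# Print one finding per line; return 1 if anything was flagged.
review_answers() {
  awk -v sq="'" '
    /^[ \t]*$/ || /^[ \t]*[#-]/ { next }   # blank lines, comments, list items
    {
      pos = index($0, ": ")                # keys contain "::", so split on ": "
      if (pos == 0) next
      key = substr($0, 1, pos - 1)
      val = substr($0, pos + 2)
      gsub(/^[ \t]+/, "", key)
      gsub("^[ \t\"" sq "]+|[ \t\"" sq "]+$", "", val)   # trim and unquote

      if (key == "cli::simp::scenario" && val != "simp")
        msg = "security features disabled for clients"
      else if (key == "svckill::mode" && val != "enforcing")
        msg = "undeclared services are reported, not stopped"
      else if (key == "cli::set_grub_password" && val == "false")
        msg = "no GRUB password will be set"
      else if (key ~ /::(bind|sync)_pw$/ && val != "")
        msg = "cleartext password stored in this file"
      else next
      # Never echo the password itself into terminal scrollback or logs.
      printf "%s=%s: %s\n", key, (key ~ /_pw$/ ? "<redacted>" : val), msg
      n++
    }
    END { exit (n > 0) }
  ' "$1"
}

# Constructed sample answers file (values are illustrative only).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
---
cli::network::hostname: puppet.example.test
cli::set_grub_password: true
cli::simp::scenario: simp_lite
simp_options::ldap::bind_hash: "{SSHA}constructed-placeholder"
simp_options::ldap::bind_pw: "constructed-placeholder"
svckill::mode: warning
EOF

review_answers "$sample" || echo "Review the findings above before simp config -a"
```

A non-zero return lets the function gate a rebuild script; a file flagged for a cleartext password should stay readable by root only and out of shared templates.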
4.2.4.2. simp config Actions
In addition to creating the three YAML configuration files,
performs a limited set of actions in order to prepare the system for
bootstrapping. Although the table that follows lists all possible
simp config actions, not all of these actions will apply for all site
|Certificates||If no certificates for the host are found in
|Digest Algorithm for FIPS||When the system is in FIPS mode,
|GRUB||When the user selects to set the GRUB password
When the SIMP server is also an LDAP server,
When the SIMP server is installed from ISO, the install
creates a local simp user that the SIMP server configures
to have both su and ssh privileges. (This user is provided
to prevent server lockout, as, per security policy, SIMP by
default disables logins via ssh for all users, including
‘root’.) So, when SIMP is not installed from ISO,
|SIMP Hiera & Site Manifest||