4.7.1. Classification and Data

Node Classification in SIMP

From the Puppet, Inc. website:

Hiera is a key/value lookup tool for configuration data, built to set node-specific data without repeating yourself.

SIMP uses Hiera to make configuration of the overall system easier for end users by providing a simple, centralized method for setting class parameters through automatic parameter lookup.

It is highly recommended that you read the Hiera Documentation prior to jumping into using a SIMP system.

Hiera in SIMP

SIMP users are expected to make extensive use of Hiera to set parameters, particularly those that are deep within the code.

The default Hiera hierarchy used by SIMP is defined at the environment level in the Hiera configuration file and looks like the following:

version: 5
defaults:
  datadir: data
  data_hash: yaml_data

hierarchy:
  - name: Per-node data
    paths:
      - "hosts/%{trusted.certname}.yaml"
      - "hosts/%{facts.fqdn}.yaml"
      - "hosts/%{facts.hostname}.yaml"

  - name: Per-domain data
    paths:
      - "domains/%{facts.domain}.yaml"

  - name: Per-OS data
    paths:
      - "%{facts.os.family}.yaml"
      - "%{facts.os.name}/%{facts.os.release.full}.yaml"
      - "%{facts.os.name}/%{facts.os.release.major}.yaml"
      - "%{facts.os.name}.yaml"

  - name: Per-hostgroup data - See site.pp for more information
    paths:
      - "hostgroups/%{hostgroup}.yaml"

  - name: General data
    paths:
      - "default.yaml"
      - "common.yaml"

  - name: SIMP specific data - Please do not modify
    paths:
      - "simp_config_settings.yaml"
      - "scenarios/%{simp_scenario}.yaml"


This may not be accurate for your version of SIMP; check the hiera.yaml in your own environment before relying on it.

The rest of this document will use this hierarchy as a reference.

Assigning Classes to Nodes

Assigning classes to nodes can be done in a few ways in SIMP. First, there is a lookup function in /etc/puppetlabs/code/environments/simp/manifests/site.pp that looks for an array called classes in your hierarchy. It also looks for an array called class_exclusions, which can be used to remove classes from the classes array. The classes that are included are the result of $classes - $class_exclusions. If classes need to be added to all nodes, a classes array can be added to default.yaml in your Hiera data, like this:

classes:
  - 'site::example_class'

A similar array can be created in any other layer of the hierarchy; the lookup function noted above merges the arrays from every matching layer using the 'unique' merge strategy, so a class listed in any layer is included once, unless it also appears in class_exclusions.
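The following is an added example of how the two arrays combine across layers; it is not data shipped with SIMP, and the class names site::monitoring_agent and site::web_server, the host web01.example.com, and the file contents are assumptions made for this illustration. The first document is data/default.yaml (read for every node), the second is the per-node file data/hosts/web01.example.com.yaml, matched through trusted.certname in the hierarchy shown above.

```yaml
# data/default.yaml -- "General data" layer, applies to every node
# (constructed example; the class names are placeholders)
---
classes:
  - 'site::example_class'
  - 'site::monitoring_agent'

# data/hosts/web01.example.com.yaml -- "Per-node data" layer for one host
# (constructed example; only this host gets these entries)
---
classes:
  - 'site::web_server'
class_exclusions:
  # This host must not run the agent that default.yaml assigns to everyone.
  - 'site::monitoring_agent'
```

With the 'unique' merge, the classes array for web01.example.com becomes site::example_class, site::monitoring_agent, site::web_server; subtracting class_exclusions leaves site::example_class and site::web_server. Because the subtraction happens after the merge, an exclusion removes a class regardless of which layer added it, so placing class_exclusions in a low layer such as default.yaml cannot be undone by listing the class again in a higher layer. To see what a given node will actually get, run the lookup from the Puppet server with the same merge strategy, for example puppet lookup classes --merge unique --node web01.example.com --environment simp --explain, which also prints which data files contributed each entry.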

The SIMP profile module also includes other classes needed for a secure baseline, which are discussed below in the SIMP scenarios section.

Assigning Defined Types to Nodes

Defined types are not subject to Hiera's automatic parameter lookup, so a defined type cannot receive its parameters from Hiera the way a class does. To include a defined type on a node, one could use create_resources, but this is messy and discouraged. Instead, create your own profile, or add a class to the SIMP site module such as /etc/puppetlabs/code/environments/simp/modules/site/manifests/my_site.pp; the class takes the values it needs as class parameters (which Hiera can set) and declares the defined type itself.
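As an added example (not code from SIMP or the SIMP site module), here is a wrapper class of the kind described above, together with the defined type it declares. The defined type site::sudo_rule, its parameters, the Hiera key site::my_site::sudo_rules, and the sample data in the comment are all assumptions made for this example. The class parameter is filled by automatic parameter lookup, so the data can sit in any layer of the hierarchy; the class itself is then added to the node's classes array.

```puppet
# Added example; not shipped with SIMP or the SIMP site module.
#
# Hiera data that drives the class (assumed key and values, shown as a
# comment; it would live in e.g. data/hosts/<certname>.yaml):
#
#   site::my_site::sudo_rules:
#     'deploy_restart_httpd':
#       user: 'deploy'
#       command: '/bin/systemctl restart httpd'
#       nopasswd: true
#
# File: modules/site/manifests/sudo_rule.pp  (assumed defined type)
# Writes one sudoers fragment per resource. Defined types get no
# automatic parameter lookup, so every value must be passed explicitly.
# Note: sudo ignores fragment names containing '.' or ending in '~',
# so keep resource titles to letters, digits and underscores.
define site::sudo_rule (
  String  $user,
  String  $command,
  Boolean $nopasswd = false,
) {
  $_nopasswd = $nopasswd ? { true => 'NOPASSWD: ', default => '' }

  file { "/etc/sudoers.d/${name}":
    ensure       => file,
    owner        => 'root',
    group        => 'root',
    mode         => '0440',
    content      => "${user} ALL=(root) ${_nopasswd}${command}\n",
    # Refuse to install a fragment visudo cannot parse; a broken file in
    # /etc/sudoers.d can lock everyone out of sudo.
    validate_cmd => '/usr/sbin/visudo -cf %',
  }
}

# File: modules/site/manifests/my_site.pp
# The class parameter is populated by Hiera (key site::my_site::sudo_rules);
# the class turns each hash entry into a site::sudo_rule resource.
# Add 'site::my_site' to the node's 'classes' array to apply it.
class site::my_site (
  # resource title => parameters for site::sudo_rule
  Hash[String, Hash] $sudo_rules = {},
) {
  $sudo_rules.each |String $title, Hash $params| {
    site::sudo_rule { $title:
      * => $params,
    }
  }
}
```

Keeping the wrapper in the site module rather than calling create_resources from site.pp means the resource parameters are typed and validated at compile time, and puppet lookup site::my_site::sudo_rules --node <certname> --environment simp shows exactly what a node will receive.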


You can find a working example of this in the Configure PXE Boot section of the documentation.

SIMP Scenarios

SIMP scenarios are groups of classes, settings, and simp_options that ensure the system is compliant and secure.

There are currently four SIMP scenarios:
  • simp
  • simp_lite
  • poss
  • remote_access

The simp scenario includes all security features enabled by default, including iptables and svckill. This scenario is what stock SIMP used to look like in previous releases.

The simp_lite scenario offers many security features, with a few explicitly turned off. This scenario was designed to make it easier to implement SIMP in an existing environment, because it might not be trivial to flip SELinux to Enforcing on all nodes.

The poss scenario is the bare-bones option. It only includes the pupmod class, to configure the Puppet agent on clients. All of the simp_options default to false, so SIMP will make very few changes to clients through Puppet when this scenario is used.

The remote_access scenario includes the SSH module and the authentication stack, namely PAM and nsswitch. This scenario is useful for those who want to retain remote access to their machine while leaving virtually everything else untouched.

These scenarios are defined in the pupmod-simp-simp module. For more details refer to this module.


The SIMP server (the Puppet master) is exempt from most of these settings and uses most features of the simp scenario by default. The SIMP server should only run services related to Puppet and systems management, and all SIMP modules work with all security features enabled. See the puppet.your.domain.yaml file in the data/hosts directory for details.

SIMP File Structure

The default puppet environment in SIMP, located at /etc/puppetlabs/code/environments/simp, contains almost all necessary files for a Puppet infrastructure. It will look like this on a fresh SIMP system:

├── environment.conf
├── data/
├── manifests/
└── modules/
  • environment.conf - Sets the environment to include the second SIMP modulepath.
  • manifests/ - Contains site.pp and all other node manifests.
  • data/ - Default location of the YAML files used by Hiera, which contain your node data.
  • modules/ - Default install location of Puppet modules. Each module RPM copies files here during installation from /usr/share/simp/modules.

Second Modulepath

SIMP uses a second modulepath so that deployment tools like r10k do not overwrite keydist and some krb5 files. The path is /var/simp/environments/simp/site_files/; the client certificates (keydist) are stored there.

Hiera

Hiera 5 has three configuration layers: global, environment, and module. To take advantage of the environment data layer, SIMP configures Hiera at the environment level. The global configuration file still exists, but its hierarchy is empty on a fresh system.

/etc/puppetlabs/code/environments/<environment name>/hiera.yaml - Hiera’s config file, used to control hiera data lookups.

The hiera data directory layout created in a fresh system is:

├── default.yaml
├── hostgroups/
├── hosts/
├── scenarios/
└── simp_config_settings.yaml
  • data/simp_config_settings.yaml - Contains the variables needed to configure SIMP. Added by simp config.

  • data/scenarios/ - Directory containing SIMP Scenarios, set in manifests/site.pp.

  • data/hosts/ - By populating this directory with host name files, you can assign parameters to specific hosts. Hiera looks for the name in the following formats:

    * %{trusted.certname}.yaml
    * %{facts.fqdn}.yaml
    * %{facts.hostname}.yaml
  • data/hostgroups/ - The hostgroup of a node can be computed in site.pp. Nodes assigned to hostgroup $hostgroup will read Hiera from a file named <hostgroup>.yaml in this directory.

  • data/default.yaml - Settings that should be applied to all systems in the environment.
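The hostgroup entry in the hierarchy ("hostgroups/%{hostgroup}.yaml") interpolates a top-scope Puppet variable, so $hostgroup has to be assigned in site.pp before any class is included for the node. The following is an added example of such an assignment; it is not SIMP's shipped site.pp, and the naming convention (web01.example.com is a web server, db03.example.com a database server) is an assumption made for this illustration.

```puppet
# Added example for site.pp (not SIMP's shipped site.pp): derive $hostgroup
# from the client's trusted certname so that Hiera reads
# data/hostgroups/<hostgroup>.yaml for the node.
#
# Assumed naming convention for this example:
#   web01.example.com -> hostgroup 'webservers'
#   db03.example.com  -> hostgroup 'dbservers'
#   anything else     -> hostgroup 'default'
#
# $trusted['certname'] comes from the client certificate signed by the
# Puppet CA, whereas $facts['hostname'] is reported by the client itself.
# Keying on the certname means a client cannot move itself into another
# hostgroup's data just by changing its hostname.
$hostgroup = $trusted['certname'] ? {
  /^web\d+\./ => 'webservers',
  /^db\d+\./  => 'dbservers',
  default     => 'default',
}

# Must stay above the class-inclusion logic in site.pp: once a class is
# included, lookups for that node are already using the hierarchy, and a
# later assignment would not be seen by "hostgroups/%{hostgroup}.yaml".
```

With this in place, data/hostgroups/webservers.yaml is consulted for web01.example.com between the per-OS layer and default.yaml, so it can add to the classes array or set parameters for just that group of hosts.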

It is recommended not to change or update the scenarios files or simp_config_settings.yaml. These files are the last in the hierarchy, so any of their settings can be overridden in the other Hiera files.

The default hierarchy defined in the Hiera configuration file, hiera.yaml, contains other files/directories that can be added to the environment’s data directory. An example of the file is shown in Hiera in SIMP