...
- SIMP subsystems rely on environmental conventions that cannot be assumed to be present outside of SIMP.
- They are opt-in, so Forge users can use SIMP modules within non-SIMP infrastructures.
- A full SIMP ecosystem's Hiera will enable each subsystem by default in simp_def.yaml
- IMPORTANT: These subsystems only manage SIMP-related resources and integrations for the module.
- Each module may naturally have its own way of configuring PKI, tcpwrappers, etc. That belongs within the conventional module structure.
- Examples: enabling SSL or TCP wrappers in a config file, setting SELinux contexts (QUESTION: are the contexts we use SIMP-specific? ANSWER: No).
Standard Class Parameters in init.pp
Each module will have the following class parameters in init.pp (when applicable):
- client_nets
- Array of Strings/String = subnets to permit, generally in CIDR notation. This may be required by the module regardless of whether any SIMP subsystems are used.
- simp_firewall
- true = includes simp-iptables and sets up rules to permit the application
- false = Firewall settings for the application are not managed; use a profile to make your own arrangements
- simp_logging
- true = includes simp-rsyslog and configures rsyslog hooks into the application's log files (and/or sets things up to be logged appropriately through the SIMP default LOCAL6). (QUESTION: what will this do? ANSWER: Configure RSyslog, for now.)
- NOTE: in the future this may expand to logging providers beyond rsyslog, thus requiring the Stroolean
- false = doesn't set up logging via SIMP
- simp_auditd
- true =
- simp_selinux
- true = includes simp-selinux (which effectively manages the SELinux enforcement and mode) and manages SIMP-specific SELinux configurations (QUESTION: like what? ANSWER: Not a lot, honestly, besides the fact that we actually configure SELinux as a core part of the system and you need our facts to make it work.)
- NOTE: Most, if not all, module-specific SELinux configurations are handled as attributes of native Puppet resources and will not be influenced by this parameter.
- SELinux boolean flipping should probably be done here, especially if it relies on the SIMP environment (NOTE: this is pretty vague. NOTE: We have a couple of facts that we added to help detect the SELinux state on your system.)
- false = does not ensure that SELinux is enabled via simp-selinux; make your own arrangements elsewhere.
- NOTE: It may seem counterintuitive, but setting this parameter to false DOES NOT disable SELinux!
- To disable SELinux (within a SIMP ecosystem), include simp-selinux (with $simp_selinux = true) and ensure that the top-scope Hiera or ENC variable $::selinux::enable is set to false.
- simp_pki
- true / or 'simp' = includes simp-pki and uses pki::copy to distribute PKI certificates to the correct locations
- false = PKI certificates are not distributed by SIMP; make your own arrangements to get them in place
- simp_tcpwrappers
- true = includes simp-tcpwrappers and uses tcpwrappers::allow to permit the application to the subnets in $::client_nets
- false = TCP wrappers (/etc/hosts.*) entries for the application are not managed; use a profile to make your own arrangements.
Each of these parameters must adhere to the following:
- The parameter must be disabled (false) by default.
- The parameter must honor Booleans and Strings, where the Boolean true and the String 'simp' amount to the same action. Welcome to the Trevorian type "Stroolean."
- A String value such as 'simp' will translate into the filename in the subsystem path simp/<subsystem>/simp.pp. This is intended to permit backwards compatibility between SIMP versions if they require mutually exclusive logic (i.e., 'simp', 'simp4', 'simp4_2', 'simp5', etc.).
- QUESTION: what is the benefit of these files over the ::params pattern?
  ANSWER:
  - it allows n parallel configuration tracks to coexist without conflicting
  - it separates SIMP-specific settings from the rest of the module.
- The parameter must allow for an ENC, Hiera, or a straight parameter, since we want maximum module uptake where possible.
This will look something like the following:
  $simp_firewall = defined('$::simp_firewall') ? { true => $::simp_firewall, default => hiera('simp_firewall', true) }
Translation:
  $parameter = { <if set> => <use global/ENC variable>, <otherwise> => <use what's in Hiera or default to true> }
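The following is an added illustration, not code from the SIMP project, of how the parameter list above and the Stroolean and defined->hiera->default rules fit together in one module. The module name `mymodule`, its class names, the config file path and the port are made up; `flatten` comes from puppetlabs-stdlib, `tcpwrappers::allow` is assumed to accept a `pattern` parameter, and `iptables::add_tcp_stateful_listen` is an assumed define name in simp-iptables. The defaults of the subsystem parameters are false, as the rules require; a SIMP ecosystem would turn them on through Hiera.

```puppet
# manifests/init.pp of the hypothetical module "mymodule" (added example, not SIMP code)
class mymodule (
  # Required by the application itself, independent of any SIMP subsystem
  $client_nets      = defined('$::client_nets')      ? { true => $::client_nets,      default => hiera('client_nets', ['127.0.0.1/32']) },
  # Strooleans: false (default) = unmanaged, true or 'simp' = SIMP defaults,
  # any other String = a variant manifest under simp/<subsystem>/<string>.pp
  $simp_tcpwrappers = defined('$::simp_tcpwrappers') ? { true => $::simp_tcpwrappers, default => hiera('simp_tcpwrappers', false) },
  $simp_firewall    = defined('$::simp_firewall')    ? { true => $::simp_firewall,    default => hiera('simp_firewall', false) },
  $port             = 8080,
) {
  # Accept a single CIDR String as well as an Array of them (flatten is from stdlib)
  $_client_nets = flatten([$client_nets])

  # Normalise each Stroolean to either false or the variant name (true -> 'simp')
  $_tcpwrappers_variant = $simp_tcpwrappers ? { true => 'simp', default => $simp_tcpwrappers }
  $_firewall_variant    = $simp_firewall    ? { true => 'simp', default => $simp_firewall }

  # Conventional (non-SIMP) module resources stay in the normal module structure
  file { '/etc/mymodule.conf':
    ensure  => file,
    content => "listen_port = ${port}\n",
  }

  # Only the SIMP-specific integration lives under mymodule::simp::*;
  # the variant name selects simp/<subsystem>/<variant>.pp
  if $_tcpwrappers_variant {
    class { "mymodule::simp::tcpwrappers::${_tcpwrappers_variant}":
      client_nets => $_client_nets,
    }
  }
  if $_firewall_variant {
    class { "mymodule::simp::firewall::${_firewall_variant}":
      client_nets => $_client_nets,
      port        => $port,
    }
  }
}

# manifests/simp/tcpwrappers/simp.pp - selected by true or 'simp'
class mymodule::simp::tcpwrappers::simp ($client_nets) {
  include '::tcpwrappers'                  # simp-tcpwrappers
  tcpwrappers::allow { 'mymodule':         # 'pattern' parameter is an assumption
    pattern => $client_nets,
  }
}

# manifests/simp/firewall/simp.pp - selected by true or 'simp'
class mymodule::simp::firewall::simp ($client_nets, $port) {
  include '::iptables'                     # simp-iptables
  iptables::add_tcp_stateful_listen { "allow_mymodule_${port}":  # assumed define name
    client_nets => $client_nets,
    dports      => $port,
  }
}
```

A Forge user outside SIMP gets only the config file; setting `simp_tcpwrappers: true` or `simp_tcpwrappers: 'simp'` in Hiera (or as a top-scope ENC variable) pulls in the SIMP integration, and a later `'simp5'` variant would be a sibling manifest rather than a change to init.pp.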
- QUESTION: Should we make this defined->hiera->default logic a function in simplib?
  ANSWER: Yeah, probably. How about simp_def('variable','default')?
- QUESTION: Why not just lookup()?
  ANSWER: lookup() was introduced in Puppet 4. The core SIMP modules will need to support Puppet 3.x for some time (at least another major version, probably longer).
Advanced Module Structure
...