Analysis of SIMP 6.4.0 modules that use simplib::passgen()

Description

This article provides a survey of SIMP 6.4.0 modules, documenting which classes can (and cannot) be configured to avoid using the simplib::passgen() internally.

If you:

  1. Use SIMP 6.4 (and probably earlier versions of SIMP 6), and

  2. Want to prevent SIMP modules from internally executing the function simplib::passgen()

This document will help you determine:

  1. If it is possible, given the modules/conditions at your site

  2. What class parameters/hiera data to define

  3. What conditions to avoid

In SIMP 5.0-6.4, it is necessary to avoid the use of simplib::passgen() in order to use control repositories to (safely):

  • Manage multiple Puppet environments

  • Scale a SIMP + Puppet environment across multiple Puppet masters

The only function that writes to the SIMP Writable directory used by SIMP modules internally is simplib::passgen().

See: SE02: Using hiera-eyaml in the control repo to replace Writeable environment data.

Modules that cannot be configured to avoid simplib::passgen() under some conditions in SIMP 6.4.0

Each entry below lists the SIMP module, the conditions under which simplib::passgen() is unavoidable, and a link to the code that calls it:

dhcp

Either:

  • Parameter dhcp::is_server is true, or

  • dhcp::dhcpd is classified

https://github.com/simp/pupmod-simp-dhcp/blob/6.1.1/manifests/dhcpd.pp#L74

simp_apache

Parameter simp_apache::web_root is true

https://github.com/simp/pupmod-simp-simp_apache/blob/6.2.0/manifests/init.pp#L140

simp_gitlab

When the gitlab package is first installed

  • Note: In SIMP 6.4.0, this use of simplib::passgen is not often problematic: under normal conditions, it is only useful when the gitlab RPM is first installed.

https://github.com/simp/pupmod-simp-simp_gitlab/blob/0.4.0/manifests/init.pp#L180

tftpboot

When $::tftpboot::rsync_enabled is true

https://github.com/simp/pupmod-simp-tftpboot/blob/6.2.2/manifests/config.pp

named

Unavoidable, once named is classified


Modules that can be configured to avoid simplib::passgen() in SIMP 6.4.0

Each entry below lists the SIMP module and the configuration needed to avoid simplib::passgen():

simp_pki_service

  • Within Hash parameter simp_pki_service::ds_config, define the key 'admin_password'

  • Within Hash parameter simp_pki_service::cas, define the key 'simp-pki-root'

Note: Both Hash parameters require many other key/value pairs.

See: https://github.com/simp/pupmod-simp-simp_pki_service/blob/0.2.0/manifests/init.pp#L30-L69

simp_snmpd

  • Within Hash parameter simp_snmpd::v3_users_hash, define the keys 'authpass' and 'privpass' for each user defined

Note: By default, the simp_snmpd::v3_users_hash is populated with the users snmp_ro and simp_rw.

See: https://github.com/simp/pupmod-simp-simp_snmpd/blob/0.1.2/data/common.yaml#L16-L22

rsync

  • When declaring the defined types rsync::push or rsync::retrieve, define the Optional[String] parameter $pass.

tpm

  • Override String parameter tpm::tboot::owner_password

  • Override String parameter tpm::pkcs11::so_pin

  • Override String parameter tpm::pkcs11::user_pin

freeradius

  • Override String parameter freeradius::config::rsync::radius_rsync_password

  • When using the defined type freeradius::v3::client, override the String parameter $secret

simp

  • Override String parameter simp::puppetdb::database_password

  • Override String parameter simp::puppetdb::read_database_password

libreswan

  • Override String parameter libreswan::nssdb_password

tpm2

  • Override String parameter tpm2::ownership::owner_auth

  • Override String parameter tpm2::ownership::lockout_auth

  • Override String parameter tpm2::ownership::endorsement_auth

krb5

  • Override String parameter krb5::kdc::config::kdb5_password
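A check for the hiera overrides listed in the tables above, as an added example (not SIMP project code): it assumes the hiera data has already been loaded into a Python dict, uses the parameter names from this page, treats the nested shape of simp_snmpd::v3_users_hash (user name mapped to its attributes) as an assumption, and does not cover the defined-type parameters ($pass for rsync, $secret for freeradius::v3::client), which are set where the defined type is declared rather than in hiera.

```python
# Plain class parameters from the table above; the first namespace part is the module.
REQUIRED_KEYS = [
    "tpm::tboot::owner_password", "tpm::pkcs11::so_pin", "tpm::pkcs11::user_pin",
    "freeradius::config::rsync::radius_rsync_password",
    "simp::puppetdb::database_password", "simp::puppetdb::read_database_password",
    "libreswan::nssdb_password", "krb5::kdc::config::kdb5_password",
    "tpm2::ownership::owner_auth", "tpm2::ownership::lockout_auth",
    "tpm2::ownership::endorsement_auth",
]
# Hash parameters that need particular sub-keys present.
REQUIRED_HASH_KEYS = {"simp_pki_service::ds_config": ["admin_password"],
                      "simp_pki_service::cas": ["simp-pki-root"]}
# User hash in which every user entry needs these sub-keys (nesting is assumed).
USERS_KEY, USER_SUBKEYS = "simp_snmpd::v3_users_hash", ["authpass", "privpass"]

def _is_set(value):  # absent, None or empty-string values count as not overridden
    return value is not None and value != ""

def find_missing(hiera, modules):
    """Return sorted names of overrides still missing for the classified modules."""
    module = lambda key: key.split("::")[0]
    missing = [k for k in REQUIRED_KEYS
               if module(k) in modules and not _is_set(hiera.get(k))]
    for key, subkeys in REQUIRED_HASH_KEYS.items():
        if module(key) not in modules:
            continue
        value = hiera.get(key)
        if not isinstance(value, dict):
            missing.append(key)
        else:
            missing += [f"{key}[{s}]" for s in subkeys if not _is_set(value.get(s))]
    if module(USERS_KEY) in modules:
        users = hiera.get(USERS_KEY)
        if not isinstance(users, dict):
            missing.append(USERS_KEY)  # module defaults apply, and they carry no passwords
        else:
            for user, attrs in users.items():
                missing += [f"{USERS_KEY}[{user}][{s}]" for s in USER_SUBKEYS
                            if not _is_set((attrs or {}).get(s))]
    return sorted(missing)

# Constructed sample hiera data (not from the page); ENC[...] stands for an eyaml value.
SAMPLE_HIERA = {
    "tpm2::ownership::owner_auth": "ENC[PKCS7,x]", "tpm2::ownership::lockout_auth": "ENC[PKCS7,x]",
    "simp_pki_service::ds_config": {"admin_password": "ENC[PKCS7,x]"},
    "simp_pki_service::cas": {"simp-pki-root": {}},
    "simp_snmpd::v3_users_hash": {"snmp_ro": {"authpass": "ENC[PKCS7,x]", "privpass": "ENC[PKCS7,x]"},
                                  "simp_rw": {"authpass": "ENC[PKCS7,x]"}},
}
SAMPLE_MODULES = {"tpm2", "simp_pki_service", "simp_snmpd", "krb5"}
```

Running find_missing(SAMPLE_HIERA, SAMPLE_MODULES) reports the endorsement_auth, simp_rw privpass and kdb5_password overrides as still missing; each of those is a point where the corresponding class would fall back to simplib::passgen().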