cloud-mu 2.0.1 → 2.0.2
- checksums.yaml +4 -4
- data/Berksfile +2 -1
- data/bin/mu-upload-chef-artifacts +3 -0
- data/cloud-mu.gemspec +2 -2
- data/cookbooks/firewall/CHANGELOG.md +295 -0
- data/cookbooks/firewall/CONTRIBUTING.md +2 -0
- data/cookbooks/firewall/MAINTAINERS.md +19 -0
- data/cookbooks/firewall/README.md +339 -0
- data/cookbooks/firewall/attributes/default.rb +5 -0
- data/cookbooks/firewall/attributes/firewalld.rb +1 -0
- data/cookbooks/firewall/attributes/iptables.rb +17 -0
- data/cookbooks/firewall/attributes/ufw.rb +12 -0
- data/cookbooks/firewall/attributes/windows.rb +8 -0
- data/cookbooks/firewall/libraries/helpers.rb +100 -0
- data/cookbooks/firewall/libraries/helpers_firewalld.rb +116 -0
- data/cookbooks/firewall/libraries/helpers_iptables.rb +112 -0
- data/cookbooks/firewall/libraries/helpers_ufw.rb +135 -0
- data/cookbooks/firewall/libraries/helpers_windows.rb +130 -0
- data/cookbooks/firewall/libraries/matchers.rb +30 -0
- data/cookbooks/firewall/libraries/provider_firewall_firewalld.rb +179 -0
- data/cookbooks/firewall/libraries/provider_firewall_iptables.rb +171 -0
- data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu.rb +196 -0
- data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu1404.rb +196 -0
- data/cookbooks/firewall/libraries/provider_firewall_rule.rb +34 -0
- data/cookbooks/firewall/libraries/provider_firewall_ufw.rb +138 -0
- data/cookbooks/firewall/libraries/provider_firewall_windows.rb +126 -0
- data/cookbooks/firewall/libraries/resource_firewall.rb +26 -0
- data/cookbooks/firewall/libraries/resource_firewall_rule.rb +52 -0
- data/cookbooks/firewall/metadata.json +1 -0
- data/cookbooks/firewall/recipes/default.rb +80 -0
- data/cookbooks/firewall/recipes/disable_firewall.rb +23 -0
- data/cookbooks/firewall/templates/default/ufw/default.erb +13 -0
- data/cookbooks/mu-firewall/metadata.rb +1 -1
- data/cookbooks/mu-master/recipes/default.rb +3 -1
- data/cookbooks/mu-master/recipes/init.rb +3 -1
- data/cookbooks/mu-master/templates/default/mu.rc.erb +3 -0
- data/cookbooks/mu-tools/recipes/apply_security.rb +2 -2
- data/cookbooks/mu-tools/recipes/aws_api.rb +1 -1
- data/cookbooks/mu-tools/recipes/base_repositories.rb +1 -1
- data/cookbooks/mu-tools/recipes/clamav.rb +1 -1
- data/cookbooks/mu-tools/recipes/cloudinit.rb +1 -1
- data/cookbooks/mu-tools/recipes/disable-requiretty.rb +2 -2
- data/cookbooks/mu-tools/recipes/eks.rb +1 -1
- data/cookbooks/mu-tools/recipes/gcloud.rb +1 -1
- data/cookbooks/mu-tools/recipes/nrpe.rb +1 -1
- data/cookbooks/mu-tools/recipes/rsyslog.rb +2 -2
- data/cookbooks/mu-tools/recipes/set_local_fw.rb +37 -28
- data/environments/dev.json +1 -1
- data/environments/prod.json +1 -1
- data/modules/mu/cleanup.rb +4 -0
- data/modules/mu/clouds/aws/container_cluster.rb +3 -0
- data/modules/mu/clouds/aws/role.rb +14 -2
- data/modules/mu/clouds/aws/userdata/linux.erb +2 -3
- data/modules/mu/clouds/aws.rb +30 -14
- data/modules/mu.rb +4 -0
- metadata +30 -2
@@ -18,7 +18,7 @@
|
|
18
18
|
|
19
19
|
if !node['application_attributes']['skip_recipes'].include?('rsyslog')
|
20
20
|
case node['platform_family']
|
21
|
-
when "rhel", "debian"
|
21
|
+
when "rhel", "debian", "amazon"
|
22
22
|
package "rsyslog"
|
23
23
|
package "rsyslog-gnutls"
|
24
24
|
execute "chcon -R -h -t var_log_t /Mu_Logs" do
|
@@ -29,7 +29,7 @@ if !node['application_attributes']['skip_recipes'].include?('rsyslog')
|
|
29
29
|
action [:enable, :start]
|
30
30
|
notifies :run, "execute[chcon -R -h -t var_log_t /Mu_Logs]", :immediately
|
31
31
|
end
|
32
|
-
if platform_family?("rhel")
|
32
|
+
if platform_family?("rhel") or platform_family?("amazon")
|
33
33
|
$rsyslog_ssl_ca_path = "/etc/pki/Mu_CA.pem"
|
34
34
|
if !platform?("amazon")
|
35
35
|
package node['platform_version'].to_i < 6 ? "policycoreutils" : "policycoreutils-python"
|
@@ -16,42 +16,51 @@
|
|
16
16
|
# See the License for the specific language governing permissions and
|
17
17
|
# limitations under the License.
|
18
18
|
|
19
|
+
if !node['application_attributes']['skip_recipes'].include?('set_local_fw')
|
20
|
+
master_ips = get_mu_master_ips
|
21
|
+
case node['platform_family']
|
22
|
+
when 'rhel', 'amazon'
|
23
|
+
include_recipe 'mu-firewall'
|
19
24
|
|
20
|
-
|
21
|
-
|
22
|
-
|
23
|
-
|
24
|
-
|
25
|
-
|
26
|
-
|
27
|
-
|
25
|
+
if elversion >= 7 and node['platform_family'] != "amazon" # Can use firewalld, but not if iptables is already rigged
|
26
|
+
package "firewall-config" do
|
27
|
+
not_if "/bin/systemctl list-units | grep iptables.service"
|
28
|
+
end
|
29
|
+
execute "restart FirewallD" do # ...but only if iptables isn't live
|
30
|
+
command "/bin/firewall-cmd --reload"
|
31
|
+
action :nothing
|
32
|
+
not_if "/bin/systemctl list-units | grep iptables.service"
|
33
|
+
only_if { ::File.exist?("/bin/firewall-cmd") }
|
34
|
+
end
|
28
35
|
end
|
29
|
-
|
30
|
-
|
31
|
-
|
32
|
-
|
33
|
-
|
36
|
+
|
37
|
+
if elversion <= 6
|
38
|
+
firewall_rule "Allow loopback in" do
|
39
|
+
raw "-A INPUT -i lo -j ACCEPT"
|
40
|
+
end
|
41
|
+
|
42
|
+
firewall_rule "Allow loopback out" do
|
43
|
+
raw "-A OUTPUT -o lo -j ACCEPT"
|
44
|
+
end
|
34
45
|
end
|
35
|
-
end
|
36
46
|
|
37
|
-
|
38
|
-
|
39
|
-
raw "-A INPUT -i lo -j ACCEPT"
|
47
|
+
firewall_rule "Allow eth0 out" do
|
48
|
+
raw "-A OUTPUT -o eth0 -j ACCEPT"
|
40
49
|
end
|
41
50
|
|
42
|
-
firewall_rule "Allow
|
43
|
-
raw "-A
|
51
|
+
firewall_rule "Allow established connections" do
|
52
|
+
raw "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
|
44
53
|
end
|
45
|
-
end
|
46
54
|
|
47
|
-
|
55
|
+
opento = master_ips.map { |x| "#{x}/32"}
|
48
56
|
|
49
|
-
|
50
|
-
|
51
|
-
|
52
|
-
|
53
|
-
|
54
|
-
|
57
|
+
opento.uniq.each { |src|
|
58
|
+
[:tcp, :udp, :icmp].each { |proto|
|
59
|
+
firewall_rule "allow all #{src} #{proto} traffic" do
|
60
|
+
source src
|
61
|
+
protocol proto
|
62
|
+
end
|
63
|
+
}
|
55
64
|
}
|
56
|
-
|
65
|
+
end
|
57
66
|
end
|
data/environments/dev.json
CHANGED
data/environments/prod.json
CHANGED
data/modules/mu/cleanup.rb
CHANGED
@@ -157,6 +157,10 @@ module MU
|
|
157
157
|
rescue MU::MuError, NoMethodError => e
|
158
158
|
MU.log e.message, MU::WARN
|
159
159
|
next
|
160
|
+
rescue ::Aws::EC2::Errors::AuthFailure => e
|
161
|
+
# AWS has been having transient auth problems with ap-east-1 lately
|
162
|
+
MU.log e.message+" in "+r, MU::ERR
|
163
|
+
next
|
160
164
|
end
|
161
165
|
|
162
166
|
if @mommacat.nil? or @mommacat.numKittens(types: [t]) > 0
|
@@ -586,6 +586,9 @@ module MU
|
|
586
586
|
"sgs" => ["container_cluster#{cluster['name']}"],
|
587
587
|
"port_range" => "1-65535"
|
588
588
|
]
|
589
|
+
worker_pool["application_attributes"] ||= {}
|
590
|
+
worker_pool["application_attributes"]["skip_recipes"] ||= []
|
591
|
+
worker_pool["application_attributes"]["skip_recipes"] << "set_local_fw"
|
589
592
|
end
|
590
593
|
if cluster["vpc"]
|
591
594
|
worker_pool["vpc"] = cluster["vpc"].dup
|
@@ -37,6 +37,10 @@ module MU
|
|
37
37
|
def create
|
38
38
|
if @config['iam_policies']
|
39
39
|
@config['iam_policies'].each { |policy|
|
40
|
+
policy.values.each { |p|
|
41
|
+
p["Version"] ||= "2012-10-17"
|
42
|
+
}
|
43
|
+
|
40
44
|
policy_name = @mu_name+"-"+policy.keys.first.upcase
|
41
45
|
MU.log "Creating IAM policy #{policy_name}"
|
42
46
|
resp = MU::Cloud::AWS.iam(credentials: @config['credentials']).create_policy(
|
@@ -111,6 +115,9 @@ module MU
|
|
111
115
|
|
112
116
|
if @config['iam_policies']
|
113
117
|
@config['iam_policies'].each { |policy|
|
118
|
+
policy.values.each { |p|
|
119
|
+
p["Version"] ||= "2012-10-17"
|
120
|
+
}
|
114
121
|
policy_name = @mu_name+"-"+policy.keys.first.upcase
|
115
122
|
|
116
123
|
arn = "arn:"+(MU::Cloud::AWS.isGovCloud? ? "aws-us-gov" : "aws")+":iam::"+MU::Cloud::AWS.credToAcct(@config['credentials'])+":policy/#{@deploy.deploy_id}/#{policy_name}"
|
@@ -207,6 +214,7 @@ module MU
|
|
207
214
|
if !policy.match(/^#{@deploy.deploy_id}/)
|
208
215
|
policy = @mu_name+"-"+policy.upcase
|
209
216
|
end
|
217
|
+
|
210
218
|
my_policies = cloud_desc["policies"]
|
211
219
|
my_policies.each { |p|
|
212
220
|
if p.policy_name == policy
|
@@ -224,15 +232,19 @@ module MU
|
|
224
232
|
type: target["type"]
|
225
233
|
)
|
226
234
|
sibling.cloudobj.arn
|
227
|
-
|
235
|
+
elsif target.is_a?(Hash)
|
228
236
|
target['identifier']
|
237
|
+
else
|
238
|
+
target
|
229
239
|
end
|
230
|
-
|
240
|
+
|
241
|
+
if targetstr and !s["Resource"].include?(targetstr)
|
231
242
|
s["Resource"] << targetstr
|
232
243
|
need_update = true
|
233
244
|
end
|
234
245
|
}
|
235
246
|
}
|
247
|
+
|
236
248
|
if need_update
|
237
249
|
MU.log "Updating IAM policy #{policy} to grant permissions on #{targets.to_s}", details: doc
|
238
250
|
update_policy(p.arn, doc)
|
@@ -66,7 +66,7 @@ if ping -c 5 8.8.8.8 > /dev/null; then
|
|
66
66
|
version=6
|
67
67
|
fi
|
68
68
|
fi
|
69
|
-
if [ $version
|
69
|
+
if [ "$version" == "7" ];then
|
70
70
|
userdata_dir="/var/lib/cloud/instances/$instance_id"
|
71
71
|
else
|
72
72
|
userdata_dir="/var/lib/cloud/instance"
|
@@ -79,7 +79,7 @@ if ping -c 5 8.8.8.8 > /dev/null; then
|
|
79
79
|
|
80
80
|
sed -i 's/^Defaults.*requiretty$/Defaults !requiretty/' /etc/sudoers
|
81
81
|
|
82
|
-
if [ $version == 7 ];then
|
82
|
+
if [ "$version" == "7" ];then
|
83
83
|
chmod 755 /etc/rc.d/rc.local
|
84
84
|
systemctl reset-failed sshd.service
|
85
85
|
fi
|
@@ -161,7 +161,6 @@ if [ "$need_reboot" == "1" ];then
|
|
161
161
|
shutdown -r now "Applying new kernel"
|
162
162
|
fi
|
163
163
|
<% end %>
|
164
|
-
fi
|
165
164
|
|
166
165
|
if [ "$AWSCLI" != "" ];then
|
167
166
|
$AWSCLI --region="$region" s3 cp s3://<%= MU.adminBucketName %>/<%= $mu.muID %>-secret .
|
data/modules/mu/clouds/aws.rb
CHANGED
@@ -142,6 +142,13 @@ module MU
|
|
142
142
|
[:arn]
|
143
143
|
end
|
144
144
|
|
145
|
+
# Given an AWS region, check the API to make sure it's a valid one
|
146
|
+
# @param r [String]
|
147
|
+
# @return [String]
|
148
|
+
def self.validate_region(r)
|
149
|
+
MU::Cloud::AWS.ec2(region: r).describe_availability_zones.availability_zones.first.region_name
|
150
|
+
end
|
151
|
+
|
145
152
|
# If we've configured AWS as a provider, or are simply hosted in AWS,
|
146
153
|
# decide what our default region is.
|
147
154
|
def self.myRegion
|
@@ -151,12 +158,6 @@ module MU
|
|
151
158
|
return nil
|
152
159
|
end
|
153
160
|
|
154
|
-
# Given an AWS region, check the API to make sure it's a valid one
|
155
|
-
# @param r [String]
|
156
|
-
# @return [String]
|
157
|
-
def self.validate_region(r)
|
158
|
-
MU::Cloud::AWS.ec2(region: r).describe_availability_zones.availability_zones.first.region_name
|
159
|
-
end
|
160
161
|
|
161
162
|
if $MU_CFG and $MU_CFG['aws']
|
162
163
|
$MU_CFG['aws'].each_pair { |credset, cfg|
|
@@ -537,6 +538,7 @@ module MU
|
|
537
538
|
end
|
538
539
|
|
539
540
|
@@regions = {}
|
541
|
+
@@regions_semaphore = Mutex.new
|
540
542
|
# List the Amazon Web Services region names available to this account. The
|
541
543
|
# region that is local to this Mu server will be listed first.
|
542
544
|
# @param us_only [Boolean]: Restrict results to United States only
|
@@ -547,13 +549,20 @@ module MU
|
|
547
549
|
return [] if credConfig.nil?
|
548
550
|
result = MU::Cloud::AWS.ec2(region: myRegion, credentials: credentials).describe_regions.regions
|
549
551
|
regions = []
|
550
|
-
|
551
|
-
|
552
|
-
|
553
|
-
|
552
|
+
@@regions_semaphore.synchronize {
|
553
|
+
begin
|
554
|
+
result.each { |r|
|
555
|
+
@@regions[r.region_name] = Proc.new {
|
556
|
+
listAZs(region: r.region_name, credentials: credentials)
|
557
|
+
}
|
558
|
+
}
|
559
|
+
rescue ::Aws::EC2::Errors::AuthFailure => e
|
560
|
+
MU.log "Region #{r.region_name} throws #{e.message}, ignoring it", MU::ERR
|
561
|
+
end
|
554
562
|
}
|
555
563
|
end
|
556
564
|
|
565
|
+
|
557
566
|
regions = if us_only
|
558
567
|
@@regions.keys.delete_if { |r| !r.match(/^us\-/) }.uniq
|
559
568
|
else
|
@@ -589,10 +598,17 @@ module MU
|
|
589
598
|
if !MU::Cloud::CloudFormation.emitCloudFormation
|
590
599
|
MU::Cloud::AWS.listRegions.each { |region|
|
591
600
|
MU.log "Replicating #{keyname} to EC2 in #{region}", MU::DEBUG, details: @ssh_public_key
|
592
|
-
|
593
|
-
|
594
|
-
|
595
|
-
|
601
|
+
begin
|
602
|
+
MU::Cloud::AWS.ec2(region: region, credentials: credentials).import_key_pair(
|
603
|
+
key_name: keyname,
|
604
|
+
public_key_material: public_key
|
605
|
+
)
|
606
|
+
rescue ::Aws::EC2::Errors::AuthFailure => e
|
607
|
+
@@regions_semaphore.synchronize {
|
608
|
+
@@regions.delete(region)
|
609
|
+
}
|
610
|
+
MU.log "#{region} threw #{e.message}, skipping", MU::ERR
|
611
|
+
end
|
596
612
|
}
|
597
613
|
end
|
598
614
|
end
|
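--- a/data/modules/mu.rb
+++ b/data/modules/mu.rb
@@ -80,6 +80,10 @@ module MU
 @@myRoot
 end
 
+# Front our global $MU_CFG hash with a read-only copy
+def self.muCfg
+Marshal.load(Marshal.dump($MU_CFG)).freeze
+end
 
 # The main (root) Mu user's data directory.
 @@mainDataDir = File.expand_path(@@myRoot+"/../var")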
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: cloud-mu
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 2.0.
|
4
|
+
version: 2.0.2
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- John Stange
|
@@ -12,7 +12,7 @@ authors:
|
|
12
12
|
autorequire:
|
13
13
|
bindir: bin
|
14
14
|
cert_chain: []
|
15
|
-
date: 2019-
|
15
|
+
date: 2019-05-06 00:00:00.000000000 Z
|
16
16
|
dependencies:
|
17
17
|
- !ruby/object:Gem::Dependency
|
18
18
|
name: erubis
|
@@ -399,6 +399,34 @@ files:
|
|
399
399
|
- cookbooks/awscli/metadata.rb
|
400
400
|
- cookbooks/awscli/recipes/default.rb
|
401
401
|
- cookbooks/awscli/templates/default/config.erb
|
402
|
+
- cookbooks/firewall/CHANGELOG.md
|
403
|
+
- cookbooks/firewall/CONTRIBUTING.md
|
404
|
+
- cookbooks/firewall/MAINTAINERS.md
|
405
|
+
- cookbooks/firewall/README.md
|
406
|
+
- cookbooks/firewall/attributes/default.rb
|
407
|
+
- cookbooks/firewall/attributes/firewalld.rb
|
408
|
+
- cookbooks/firewall/attributes/iptables.rb
|
409
|
+
- cookbooks/firewall/attributes/ufw.rb
|
410
|
+
- cookbooks/firewall/attributes/windows.rb
|
411
|
+
- cookbooks/firewall/libraries/helpers.rb
|
412
|
+
- cookbooks/firewall/libraries/helpers_firewalld.rb
|
413
|
+
- cookbooks/firewall/libraries/helpers_iptables.rb
|
414
|
+
- cookbooks/firewall/libraries/helpers_ufw.rb
|
415
|
+
- cookbooks/firewall/libraries/helpers_windows.rb
|
416
|
+
- cookbooks/firewall/libraries/matchers.rb
|
417
|
+
- cookbooks/firewall/libraries/provider_firewall_firewalld.rb
|
418
|
+
- cookbooks/firewall/libraries/provider_firewall_iptables.rb
|
419
|
+
- cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu.rb
|
420
|
+
- cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu1404.rb
|
421
|
+
- cookbooks/firewall/libraries/provider_firewall_rule.rb
|
422
|
+
- cookbooks/firewall/libraries/provider_firewall_ufw.rb
|
423
|
+
- cookbooks/firewall/libraries/provider_firewall_windows.rb
|
424
|
+
- cookbooks/firewall/libraries/resource_firewall.rb
|
425
|
+
- cookbooks/firewall/libraries/resource_firewall_rule.rb
|
426
|
+
- cookbooks/firewall/metadata.json
|
427
|
+
- cookbooks/firewall/recipes/default.rb
|
428
|
+
- cookbooks/firewall/recipes/disable_firewall.rb
|
429
|
+
- cookbooks/firewall/templates/default/ufw/default.erb
|
402
430
|
- cookbooks/mu-activedirectory/Berksfile
|
403
431
|
- cookbooks/mu-activedirectory/CHANGELOG.md
|
404
432
|
- cookbooks/mu-activedirectory/LICENSE
|