RubyGems - cloud-mu - Versions diffs - 2.1.0beta → 3.0.0beta - Mend

cloud-mu 2.1.0beta → 3.0.0beta

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (291) hide show

checksums.yaml +5 -5
data/Berksfile +4 -5
data/Berksfile.lock +179 -0
data/README.md +1 -6
data/ansible/roles/geerlingguy.firewall/templates/firewall.bash.j2 +0 -0
data/ansible/roles/mu-installer/README.md +33 -0
data/ansible/roles/mu-installer/defaults/main.yml +2 -0
data/ansible/roles/mu-installer/handlers/main.yml +2 -0
data/ansible/roles/mu-installer/meta/main.yml +60 -0
data/ansible/roles/mu-installer/tasks/main.yml +13 -0
data/ansible/roles/mu-installer/tests/inventory +2 -0
data/ansible/roles/mu-installer/tests/test.yml +5 -0
data/ansible/roles/mu-installer/vars/main.yml +2 -0
data/bin/mu-adopt +125 -0
data/bin/mu-aws-setup +4 -4
data/bin/mu-azure-setup +265 -0
data/bin/mu-azure-tests +43 -0
data/bin/mu-cleanup +20 -8
data/bin/mu-configure +224 -98
data/bin/mu-deploy +8 -3
data/bin/mu-gcp-setup +16 -8
data/bin/mu-gen-docs +92 -8
data/bin/mu-load-config.rb +52 -12
data/bin/mu-momma-cat +36 -0
data/bin/mu-node-manage +34 -27
data/bin/mu-self-update +2 -2
data/bin/mu-ssh +12 -8
data/bin/mu-upload-chef-artifacts +11 -4
data/bin/mu-user-manage +3 -0
data/cloud-mu.gemspec +8 -11
data/cookbooks/firewall/libraries/helpers_iptables.rb +2 -2
data/cookbooks/firewall/metadata.json +1 -1
data/cookbooks/firewall/recipes/default.rb +5 -9
data/cookbooks/mu-firewall/attributes/default.rb +2 -0
data/cookbooks/mu-firewall/metadata.rb +1 -1
data/cookbooks/mu-glusterfs/templates/default/mu-gluster-client.erb +0 -0
data/cookbooks/mu-master/Berksfile +2 -2
data/cookbooks/mu-master/files/default/check_mem.pl +0 -0
data/cookbooks/mu-master/files/default/cloudamatic.png +0 -0
data/cookbooks/mu-master/metadata.rb +5 -4
data/cookbooks/mu-master/recipes/389ds.rb +1 -1
data/cookbooks/mu-master/recipes/basepackages.rb +30 -10
data/cookbooks/mu-master/recipes/default.rb +59 -7
data/cookbooks/mu-master/recipes/firewall-holes.rb +1 -1
data/cookbooks/mu-master/recipes/init.rb +65 -47
data/cookbooks/mu-master/recipes/{eks-kubectl.rb → kubectl.rb} +4 -10
data/cookbooks/mu-master/recipes/sssd.rb +2 -1
data/cookbooks/mu-master/recipes/update_nagios_only.rb +6 -6
data/cookbooks/mu-master/templates/default/web_app.conf.erb +2 -2
data/cookbooks/mu-master/templates/mods/ldap.conf.erb +4 -0
data/cookbooks/mu-php54/Berksfile +1 -2
data/cookbooks/mu-php54/metadata.rb +4 -5
data/cookbooks/mu-php54/recipes/default.rb +1 -1
data/cookbooks/mu-splunk/templates/default/splunk-init.erb +0 -0
data/cookbooks/mu-tools/Berksfile +3 -2
data/cookbooks/mu-tools/files/default/Mu_CA.pem +33 -0
data/cookbooks/mu-tools/libraries/helper.rb +20 -8
data/cookbooks/mu-tools/metadata.rb +5 -2
data/cookbooks/mu-tools/recipes/apply_security.rb +2 -3
data/cookbooks/mu-tools/recipes/eks.rb +1 -1
data/cookbooks/mu-tools/recipes/gcloud.rb +5 -30
data/cookbooks/mu-tools/recipes/nagios.rb +1 -1
data/cookbooks/mu-tools/recipes/rsyslog.rb +1 -0
data/cookbooks/mu-tools/recipes/selinux.rb +19 -0
data/cookbooks/mu-tools/recipes/split_var_partitions.rb +0 -1
data/cookbooks/mu-tools/recipes/windows-client.rb +256 -122
data/cookbooks/mu-tools/resources/disk.rb +3 -1
data/cookbooks/mu-tools/templates/amazon/sshd_config.erb +1 -1
data/cookbooks/mu-tools/templates/default/etc_hosts.erb +1 -1
data/cookbooks/mu-tools/templates/default/{kubeconfig.erb → kubeconfig-eks.erb} +0 -0
data/cookbooks/mu-tools/templates/default/kubeconfig-gke.erb +27 -0
data/cookbooks/mu-tools/templates/windows-10/sshd_config.erb +137 -0
data/cookbooks/mu-utility/recipes/nat.rb +4 -0
data/extras/alpha.png +0 -0
data/extras/beta.png +0 -0
data/extras/clean-stock-amis +2 -2
data/extras/generate-stock-images +131 -0
data/extras/git-fix-permissions-hook +0 -0
data/extras/image-generators/AWS/centos6.yaml +17 -0
data/extras/image-generators/{aws → AWS}/centos7-govcloud.yaml +0 -0
data/extras/image-generators/{aws → AWS}/centos7.yaml +0 -0
data/extras/image-generators/{aws → AWS}/rhel7.yaml +0 -0
data/extras/image-generators/{aws → AWS}/win2k12.yaml +0 -0
data/extras/image-generators/{aws → AWS}/win2k16.yaml +0 -0
data/extras/image-generators/{aws → AWS}/windows.yaml +0 -0
data/extras/image-generators/{gcp → Google}/centos6.yaml +1 -0
data/extras/image-generators/Google/centos7.yaml +18 -0
data/extras/python_rpm/build.sh +0 -0
data/extras/release.png +0 -0
data/extras/ruby_rpm/build.sh +0 -0
data/extras/ruby_rpm/muby.spec +1 -1
data/install/README.md +43 -5
data/install/deprecated-bash-library.sh +0 -0
data/install/installer +1 -1
data/install/jenkinskeys.rb +0 -0
data/install/mu-master.yaml +55 -0
data/modules/mommacat.ru +41 -7
data/modules/mu.rb +444 -149
data/modules/mu/adoption.rb +500 -0
data/modules/mu/cleanup.rb +235 -158
data/modules/mu/cloud.rb +675 -138
data/modules/mu/clouds/aws.rb +156 -24
data/modules/mu/clouds/aws/alarm.rb +4 -14
data/modules/mu/clouds/aws/bucket.rb +60 -18
data/modules/mu/clouds/aws/cache_cluster.rb +8 -20
data/modules/mu/clouds/aws/collection.rb +12 -22
data/modules/mu/clouds/aws/container_cluster.rb +209 -118
data/modules/mu/clouds/aws/database.rb +120 -45
data/modules/mu/clouds/aws/dnszone.rb +7 -18
data/modules/mu/clouds/aws/endpoint.rb +5 -15
data/modules/mu/clouds/aws/firewall_rule.rb +144 -72
data/modules/mu/clouds/aws/folder.rb +4 -11
data/modules/mu/clouds/aws/function.rb +6 -16
data/modules/mu/clouds/aws/group.rb +4 -12
data/modules/mu/clouds/aws/habitat.rb +11 -13
data/modules/mu/clouds/aws/loadbalancer.rb +40 -28
data/modules/mu/clouds/aws/log.rb +5 -13
data/modules/mu/clouds/aws/msg_queue.rb +9 -24
data/modules/mu/clouds/aws/nosqldb.rb +4 -12
data/modules/mu/clouds/aws/notifier.rb +6 -13
data/modules/mu/clouds/aws/role.rb +69 -40
data/modules/mu/clouds/aws/search_domain.rb +17 -20
data/modules/mu/clouds/aws/server.rb +184 -94
data/modules/mu/clouds/aws/server_pool.rb +33 -38
data/modules/mu/clouds/aws/storage_pool.rb +5 -12
data/modules/mu/clouds/aws/user.rb +59 -33
data/modules/mu/clouds/aws/userdata/linux.erb +18 -30
data/modules/mu/clouds/aws/userdata/windows.erb +9 -9
data/modules/mu/clouds/aws/vpc.rb +214 -145
data/modules/mu/clouds/azure.rb +978 -44
data/modules/mu/clouds/azure/container_cluster.rb +413 -0
data/modules/mu/clouds/azure/firewall_rule.rb +500 -0
data/modules/mu/clouds/azure/habitat.rb +167 -0
data/modules/mu/clouds/azure/loadbalancer.rb +205 -0
data/modules/mu/clouds/azure/role.rb +211 -0
data/modules/mu/clouds/azure/server.rb +810 -0
data/modules/mu/clouds/azure/user.rb +257 -0
data/modules/mu/clouds/azure/userdata/README.md +4 -0
data/modules/mu/clouds/azure/userdata/linux.erb +137 -0
data/modules/mu/clouds/azure/userdata/windows.erb +275 -0
data/modules/mu/clouds/azure/vpc.rb +782 -0
data/modules/mu/clouds/cloudformation.rb +12 -9
data/modules/mu/clouds/cloudformation/firewall_rule.rb +5 -13
data/modules/mu/clouds/cloudformation/server.rb +10 -1
data/modules/mu/clouds/cloudformation/server_pool.rb +1 -0
data/modules/mu/clouds/cloudformation/vpc.rb +0 -2
data/modules/mu/clouds/google.rb +554 -117
data/modules/mu/clouds/google/bucket.rb +173 -32
data/modules/mu/clouds/google/container_cluster.rb +1112 -157
data/modules/mu/clouds/google/database.rb +24 -47
data/modules/mu/clouds/google/firewall_rule.rb +344 -89
data/modules/mu/clouds/google/folder.rb +156 -79
data/modules/mu/clouds/google/group.rb +272 -82
data/modules/mu/clouds/google/habitat.rb +177 -52
data/modules/mu/clouds/google/loadbalancer.rb +9 -34
data/modules/mu/clouds/google/role.rb +1211 -0
data/modules/mu/clouds/google/server.rb +491 -227
data/modules/mu/clouds/google/server_pool.rb +233 -48
data/modules/mu/clouds/google/user.rb +479 -125
data/modules/mu/clouds/google/userdata/linux.erb +3 -3
data/modules/mu/clouds/google/userdata/windows.erb +9 -9
data/modules/mu/clouds/google/vpc.rb +381 -223
data/modules/mu/config.rb +689 -214
data/modules/mu/config/bucket.rb +1 -1
data/modules/mu/config/cache_cluster.rb +1 -1
data/modules/mu/config/cache_cluster.yml +0 -4
data/modules/mu/config/container_cluster.rb +18 -9
data/modules/mu/config/database.rb +6 -23
data/modules/mu/config/firewall_rule.rb +9 -15
data/modules/mu/config/folder.rb +22 -21
data/modules/mu/config/habitat.rb +22 -21
data/modules/mu/config/loadbalancer.rb +2 -2
data/modules/mu/config/role.rb +9 -40
data/modules/mu/config/server.rb +26 -5
data/modules/mu/config/server_pool.rb +1 -1
data/modules/mu/config/storage_pool.rb +2 -2
data/modules/mu/config/user.rb +4 -0
data/modules/mu/config/vpc.rb +350 -110
data/modules/mu/defaults/{amazon_images.yaml → AWS.yaml} +37 -39
data/modules/mu/defaults/Azure.yaml +17 -0
data/modules/mu/defaults/Google.yaml +24 -0
data/modules/mu/defaults/README.md +1 -1
data/modules/mu/deploy.rb +168 -125
data/modules/mu/groomer.rb +2 -1
data/modules/mu/groomers/ansible.rb +104 -32
data/modules/mu/groomers/chef.rb +96 -44
data/modules/mu/kittens.rb +20602 -0
data/modules/mu/logger.rb +38 -11
data/modules/mu/master.rb +90 -8
data/modules/mu/master/chef.rb +2 -3
data/modules/mu/master/ldap.rb +0 -1
data/modules/mu/master/ssl.rb +250 -0
data/modules/mu/mommacat.rb +917 -513
data/modules/scratchpad.erb +1 -1
data/modules/tests/super_complex_bok.yml +0 -0
data/modules/tests/super_simple_bok.yml +0 -0
data/roles/mu-master.json +2 -1
data/spec/azure_creds +5 -0
data/spec/mu.yaml +56 -0
data/spec/mu/clouds/azure_spec.rb +164 -27
data/spec/spec_helper.rb +5 -0
data/test/clean_up.py +0 -0
data/test/exec_inspec.py +0 -0
data/test/exec_mu_install.py +0 -0
data/test/exec_retry.py +0 -0
data/test/smoke_test.rb +0 -0
metadata +90 -118
data/cookbooks/mu-jenkins/Berksfile +0 -14
data/cookbooks/mu-jenkins/CHANGELOG.md +0 -13
data/cookbooks/mu-jenkins/LICENSE +0 -37
data/cookbooks/mu-jenkins/README.md +0 -105
data/cookbooks/mu-jenkins/attributes/default.rb +0 -42
data/cookbooks/mu-jenkins/files/default/cleanup_deploy_config.xml +0 -73
data/cookbooks/mu-jenkins/files/default/deploy_config.xml +0 -44
data/cookbooks/mu-jenkins/metadata.rb +0 -21
data/cookbooks/mu-jenkins/recipes/default.rb +0 -195
data/cookbooks/mu-jenkins/recipes/node-ssh-config.rb +0 -54
data/cookbooks/mu-jenkins/recipes/public_key.rb +0 -24
data/cookbooks/mu-jenkins/templates/default/example_job.config.xml.erb +0 -24
data/cookbooks/mu-jenkins/templates/default/org.jvnet.hudson.plugins.SSHBuildWrapper.xml.erb +0 -14
data/cookbooks/mu-jenkins/templates/default/ssh_config.erb +0 -6
data/cookbooks/nagios/Berksfile +0 -11
data/cookbooks/nagios/CHANGELOG.md +0 -589
data/cookbooks/nagios/CONTRIBUTING.md +0 -11
data/cookbooks/nagios/LICENSE +0 -37
data/cookbooks/nagios/README.md +0 -328
data/cookbooks/nagios/TESTING.md +0 -2
data/cookbooks/nagios/attributes/config.rb +0 -171
data/cookbooks/nagios/attributes/default.rb +0 -228
data/cookbooks/nagios/chefignore +0 -102
data/cookbooks/nagios/definitions/command.rb +0 -33
data/cookbooks/nagios/definitions/contact.rb +0 -33
data/cookbooks/nagios/definitions/contactgroup.rb +0 -33
data/cookbooks/nagios/definitions/host.rb +0 -33
data/cookbooks/nagios/definitions/hostdependency.rb +0 -33
data/cookbooks/nagios/definitions/hostescalation.rb +0 -34
data/cookbooks/nagios/definitions/hostgroup.rb +0 -33
data/cookbooks/nagios/definitions/nagios_conf.rb +0 -38
data/cookbooks/nagios/definitions/resource.rb +0 -33
data/cookbooks/nagios/definitions/service.rb +0 -33
data/cookbooks/nagios/definitions/servicedependency.rb +0 -33
data/cookbooks/nagios/definitions/serviceescalation.rb +0 -34
data/cookbooks/nagios/definitions/servicegroup.rb +0 -33
data/cookbooks/nagios/definitions/timeperiod.rb +0 -33
data/cookbooks/nagios/libraries/base.rb +0 -314
data/cookbooks/nagios/libraries/command.rb +0 -91
data/cookbooks/nagios/libraries/contact.rb +0 -230
data/cookbooks/nagios/libraries/contactgroup.rb +0 -112
data/cookbooks/nagios/libraries/custom_option.rb +0 -36
data/cookbooks/nagios/libraries/data_bag_helper.rb +0 -23
data/cookbooks/nagios/libraries/default.rb +0 -90
data/cookbooks/nagios/libraries/host.rb +0 -412
data/cookbooks/nagios/libraries/hostdependency.rb +0 -181
data/cookbooks/nagios/libraries/hostescalation.rb +0 -173
data/cookbooks/nagios/libraries/hostgroup.rb +0 -119
data/cookbooks/nagios/libraries/nagios.rb +0 -282
data/cookbooks/nagios/libraries/resource.rb +0 -59
data/cookbooks/nagios/libraries/service.rb +0 -455
data/cookbooks/nagios/libraries/servicedependency.rb +0 -215
data/cookbooks/nagios/libraries/serviceescalation.rb +0 -195
data/cookbooks/nagios/libraries/servicegroup.rb +0 -144
data/cookbooks/nagios/libraries/timeperiod.rb +0 -160
data/cookbooks/nagios/libraries/users_helper.rb +0 -54
data/cookbooks/nagios/metadata.rb +0 -25
data/cookbooks/nagios/recipes/_load_databag_config.rb +0 -153
data/cookbooks/nagios/recipes/_load_default_config.rb +0 -241
data/cookbooks/nagios/recipes/apache.rb +0 -48
data/cookbooks/nagios/recipes/default.rb +0 -204
data/cookbooks/nagios/recipes/nginx.rb +0 -82
data/cookbooks/nagios/recipes/pagerduty.rb +0 -143
data/cookbooks/nagios/recipes/server_package.rb +0 -40
data/cookbooks/nagios/recipes/server_source.rb +0 -164
data/cookbooks/nagios/templates/default/apache2.conf.erb +0 -96
data/cookbooks/nagios/templates/default/cgi.cfg.erb +0 -266
data/cookbooks/nagios/templates/default/commands.cfg.erb +0 -13
data/cookbooks/nagios/templates/default/contacts.cfg.erb +0 -37
data/cookbooks/nagios/templates/default/hostgroups.cfg.erb +0 -25
data/cookbooks/nagios/templates/default/hosts.cfg.erb +0 -15
data/cookbooks/nagios/templates/default/htpasswd.users.erb +0 -6
data/cookbooks/nagios/templates/default/nagios.cfg.erb +0 -22
data/cookbooks/nagios/templates/default/nginx.conf.erb +0 -62
data/cookbooks/nagios/templates/default/pagerduty.cgi.erb +0 -185
data/cookbooks/nagios/templates/default/resource.cfg.erb +0 -27
data/cookbooks/nagios/templates/default/servicedependencies.cfg.erb +0 -15
data/cookbooks/nagios/templates/default/servicegroups.cfg.erb +0 -14
data/cookbooks/nagios/templates/default/services.cfg.erb +0 -14
data/cookbooks/nagios/templates/default/templates.cfg.erb +0 -31
data/cookbooks/nagios/templates/default/timeperiods.cfg.erb +0 -13
data/extras/image-generators/aws/centos6.yaml +0 -18
data/modules/mu/defaults/google_images.yaml +0 -16
data/roles/mu-master-jenkins.json +0 -24

data/modules/mu/groomer.rb CHANGED

@@ -18,7 +18,7 @@ module MU
   class Groomer
     # An exception denoting a Groomer run that has failed
-    class RunError < MuError
+    class RunError < StandardError
     end
     # An exception denoting nonexistent secret
@@ -49,6 +49,7 @@ module MU
     # @param groomer [String]: The grooming agent to load.
     # @return [Class]: The class object implementing this groomer agent
     def self.loadGroomer(groomer)
+      return nil if !groomer
       if !File.size?(MU.myRoot+"/modules/mu/groomers/#{groomer.downcase}.rb")
         raise MuError, "Requested to use unsupported grooming agent #{groomer}"
       end

data/modules/mu/groomers/ansible.rb CHANGED

@@ -20,11 +20,17 @@ module MU
     # Support for Ansible as a host configuration management layer.
     class Ansible
+      # Failure to load or create a deploy
+      class NoAnsibleExecError < MuError;
+      end
-      # Location in which we'll find our Ansible executables
+      # Location in which we'll find our Ansible executables. This only applies
+      # to full-grown Mu masters; minimalist gem installs will have to make do
+      # with whatever Ansible executables they can find in $PATH.
       BINDIR = "/usr/local/python-current/bin"
       @@pwfile_semaphore = Mutex.new
       # @param node [MU::Cloud::Server]: The server object on which we'll be operating
       def initialize(node)
         @config = node.config
@@ -32,9 +38,14 @@ module MU
         @inventory = Inventory.new(node.deploy)
         @mu_user = node.deploy.mu_user
         @ansible_path = node.deploy.deploy_dir+"/ansible"
+        @ansible_execs = MU::Groomer::Ansible.ansibleExecDir
+        if !@ansible_execs or @ansible_execs.empty?
+          raise NoAnsibleExecError, "No Ansible executables found in visible paths"
+        end
         [@ansible_path, @ansible_path+"/roles", @ansible_path+"/vars", @ansible_path+"/group_vars", @ansible_path+"/vaults"].each { |dir|
-          if !Dir.exists?(dir)
+          if !Dir.exist?(dir)
             MU.log "Creating #{dir}", MU::DEBUG
             Dir.mkdir(dir, 0755)
           end
@@ -77,19 +88,20 @@ module MU
         end
         path = dir+"/"+item
-        if !Dir.exists?(dir)
+        if !Dir.exist?(dir)
           FileUtils.mkdir_p(dir, mode: 0700)
         end
-        if File.exists?(path)
+        if File.exist?(path)
           MU.log "Overwriting existing vault #{vault} item #{item}"
         end
         File.open(path, File::CREAT|File::RDWR|File::TRUNC, 0600) { |f|
           f.write data
         }
-        cmd = %Q{#{BINDIR}/ansible-vault encrypt #{path} --vault-id #{pwfile}}
+        cmd = %Q{#{ansibleExecDir}/ansible-vault encrypt #{path} --vault-password-file #{pwfile}}
         MU.log cmd
-        system(cmd)
+        raise MuError, "Failed Ansible command: #{cmd}" if !system(cmd)
       end
       # see {MU::Groomer::Ansible.saveSecret}
@@ -110,17 +122,17 @@ module MU
         pwfile = vaultPasswordFile
         dir = secret_dir+"/"+vault
-        if !Dir.exists?(dir)
+        if !Dir.exist?(dir)
           raise MuNoSuchSecret, "No such vault #{vault}"
         end
         data = nil
         if item
           itempath = dir+"/"+item
-          if !File.exists?(itempath)
+          if !File.exist?(itempath)
             raise MuNoSuchSecret, "No such item #{item} in vault #{vault}"
           end
-          cmd = %Q{#{BINDIR}/ansible-vault view #{itempath} --vault-id #{pwfile}}
+          cmd = %Q{#{ansibleExecDir}/ansible-vault view #{itempath} --vault-password-file #{pwfile}}
           MU.log cmd
           a = `#{cmd}`
           # If we happen to have stored recognizeable JSON, return it as parsed,
@@ -158,14 +170,14 @@ module MU
           raise MuError, "Must call deleteSecret with at least a vault name"
         end
         dir = secret_dir+"/"+vault
-        if !Dir.exists?(dir)
+        if !Dir.exist?(dir)
           raise MuNoSuchSecret, "No such vault #{vault}"
         end
         data = nil
         if item
           itempath = dir+"/"+item
-          if !File.exists?(itempath)
+          if !File.exist?(itempath)
             raise MuNoSuchSecret, "No such item #{item} in vault #{vault}"
           end
           MU.log "Deleting Ansible vault #{vault} item #{item}", MU::NOTICE
@@ -189,13 +201,28 @@ module MU
       # @param output [Boolean]: Display Ansible's regular (non-error) output to the console
       # @param override_runlist [String]: Use the specified run list instead of the node's configured list
       def run(purpose: "Ansible run", update_runlist: true, max_retries: 5, output: true, override_runlist: nil, reboot_first_fail: false, timeout: 1800)
+        bootstrap
         pwfile = MU::Groomer::Ansible.vaultPasswordFile
         stashHostSSLCertSecret
-        cmd = %Q{cd #{@ansible_path} && #{BINDIR}/ansible-playbook -i hosts #{@server.config['name']}.yml --limit=#{@server.mu_name} --vault-id #{pwfile} --vault-id #{@ansible_path}/.vault_pw}
+        ssh_user = @server.config['ssh_user'] || "root"
-        MU.log cmd
-        system(cmd)
+        cmd = %Q{cd #{@ansible_path} && #{@ansible_execs}/ansible-playbook -i hosts #{@server.config['name']}.yml --limit=#{@server.mu_name} --vault-password-file #{pwfile} --vault-password-file #{@ansible_path}/.vault_pw -u #{ssh_user}}
+        retries = 0
+        begin
+          MU.log cmd
+          raise MU::Groomer::RunError, "Failed Ansible command: #{cmd}" if !system(cmd)
+        rescue MU::Groomer::RunError => e
+          if retries < max_retries
+            sleep 30
+            retries += 1
+            MU.log "Failed Ansible run, will retry (#{retries.to_s}/#{max_retries.to_s})", MU::NOTICE, details: cmd
+            retry
+          else
+            raise MuError, "Failed Ansible command: #{cmd}"
+          end
+        end
       end
       # This is a stub; since Ansible is effectively agentless, this operation
@@ -224,6 +251,10 @@ module MU
           play["roles"] = @server.config['run_list']
         end
+        if @server.config['ansible_vars']
+          play["vars"] = @server.config['ansible_vars']
+        end
         File.open(@ansible_path+"/"+@server.config['name']+".yml", File::CREAT|File::RDWR|File::TRUNC, 0600) { |f|
           f.flock(File::LOCK_EX)
           f.puts [play].to_yaml
@@ -237,12 +268,13 @@ module MU
         @server.describe(update_cache: true) # Make sure we're fresh
         allvars = {
-          "deployment" => @server.deploy.deployment,
-          "service_name" => @config["name"],
-          "windows_admin_username" => @config['windows_admin_username'],
-          "mu_environment" => MU.environment.downcase,
+          "mu_deployment" => MU.structToHash(@server.deploy.deployment),
+          "mu_service_name" => @config["name"],
+          "mu_canonical_ip" => @server.canonicalIP,
+          "mu_admin_email" => $MU_CFG['mu_admin_email'],
+          "mu_environment" => MU.environment.downcase
         }
-        allvars['deployment']['ssh_public_key'] = @server.deploy.ssh_public_key
+        allvars['mu_deployment']['ssh_public_key'] = @server.deploy.ssh_public_key
         if @server.config['cloud'] == "AWS"
           allvars["ec2"] = MU.structToHash(@server.cloud_desc, stringify_keys: true)
@@ -262,7 +294,7 @@ module MU
           f.flock(File::LOCK_UN)
         }
-        groupvars = {}
+        groupvars = allvars.dup
         if @server.deploy.original_config.has_key?('parameters')
           groupvars["mu_parameters"] = @server.deploy.original_config['parameters']
         end
@@ -312,18 +344,41 @@ module MU
       # @param for_user [String]: Encrypt using the Vault password of the specified Mu user
       def self.encryptString(name, string, for_user = nil)
         pwfile = vaultPasswordFile
-        cmd = %Q{#{BINDIR}/ansible-vault}
-        system(cmd, "encrypt_string", string, "--name", name, "--vault-id", pwfile)
+        cmd = %Q{#{ansibleExecDir}/ansible-vault}
+        if !system(cmd, "encrypt_string", string, "--name", name, "--vault-password-file", pwfile)
+          raise MuError, "Failed Ansible command: #{cmd} encrypt_string <redacted> --name #{name} --vault-password-file"
+        end
       end
       private
+      def self.ansibleExecDir
+        path = nil
+        if File.exist?(BINDIR+"/ansible-playbook")
+          path = BINDIR
+        else
+          ENV['PATH'].split(/:/).each { |bindir|
+            if File.exist?(bindir+"/ansible-playbook")
+              path = bindir
+              if !File.exist?(bindir+"/ansible-vault")
+                MU.log "Found ansible-playbook executable in #{bindir}, but no ansible-vault. Vault functionality will not work!", MU::WARN
+              end
+              if !File.exist?(bindir+"/ansible-galaxy")
+                MU.log "Found ansible-playbook executable in #{bindir}, but no ansible-galaxy. Automatic community role fetch will not work!", MU::WARN
+              end
+              break
+            end
+          }
+        end
+        path
+      end
       # Get the +.vault_pw+ file for the appropriate user. If it doesn't exist,
       # generate one.
       def self.vaultPasswordFile(for_user = nil, pwfile: nil)
         pwfile ||= secret_dir(for_user)+"/.vault_pw"
         @@pwfile_semaphore.synchronize {
-          if !File.exists?(pwfile)
+          if !File.exist?(pwfile)
             MU.log "Generating Ansible vault password file at #{pwfile}", MU::DEBUG
             File.open(pwfile, File::CREAT|File::RDWR|File::TRUNC, 0400) { |f|
               f.write Password.random(12..14)
@@ -341,7 +396,7 @@ module MU
       # Figure out where our main stash of secrets is, and make sure it exists
       def self.secret_dir(user = MU.mu_user)
         path = MU.dataDir(user) + "/ansible-secrets"
-        Dir.mkdir(path, 0755) if !Dir.exists?(path)
+        Dir.mkdir(path, 0755) if !Dir.exist?(path)
         path
       end
@@ -350,6 +405,7 @@ module MU
       # artifacts, since 'roles' is an awfully generic name for a directory.
       # Short of a full, slow syntax check, this is the best we're liable to do.
       def isAnsibleRole?(path)
+        begin
         Dir.foreach(path) { |entry|
           if File.directory?(path+"/"+entry) and
              ["tasks", "vars"].include?(entry)
@@ -358,6 +414,8 @@ module MU
             return false
           end
         }
+        rescue Errno::ENOTDIR
+        end
         false
       end
@@ -368,20 +426,34 @@ module MU
         canon_links = {}
+        repodirs = []
+        # Make sure we search the global ansible_dir, if any is set
+        if $MU_CFG and $MU_CFG['ansible_dir'] and !$MU_CFG['ansible_dir'].empty?
+          if !Dir.exist?($MU_CFG['ansible_dir'])
+            MU.log "Config lists an Ansible directory at #{$MU_CFG['ansible_dir']}, but I see no such directory", MU::WARN
+          else
+            repodirs << $MU_CFG['ansible_dir']
+          end
+        end
         # Hook up any Ansible roles listed in our platform repos
         $MU_CFG['repos'].each { |repo|
           repo.match(/\/([^\/]+?)(\.git)?$/)
           shortname = Regexp.last_match(1)
-          repodir = MU.dataDir + "/" + shortname
+          repodirs << MU.dataDir + "/" + shortname
+        }
+        repodirs.each { |repodir|
           ["roles", "ansible/roles"].each { |subdir|
-            next if !Dir.exists?(repodir+"/"+subdir)
+            next if !Dir.exist?(repodir+"/"+subdir)
             Dir.foreach(repodir+"/"+subdir) { |role|
               next if [".", ".."].include?(role)
               realpath = repodir+"/"+subdir+"/"+role
               link = roledir+"/"+role
               if isAnsibleRole?(realpath)
-                if !File.exists?(link)
+                if !File.exist?(link)
                   File.symlink(realpath, link)
                   canon_links[role] = realpath
                 elsif File.symlink?(link)
@@ -402,16 +474,16 @@ module MU
         # Now layer on everything bundled in the main Mu repo
         Dir.foreach(MU.myRoot+"/ansible/roles") { |role|
           next if [".", ".."].include?(role)
-          next if File.exists?(roledir+"/"+role)
+          next if File.exist?(roledir+"/"+role)
           File.symlink(MU.myRoot+"/ansible/roles/"+role, roledir+"/"+role)
         }
         if @server.config['run_list']
           @server.config['run_list'].each { |role|
             found = false
-            if !File.exists?(roledir+"/"+role)
+            if !File.exist?(roledir+"/"+role)
               if role.match(/[^\.]\.[^\.]/) and @server.config['groomer_autofetch']
-                system(%Q{#{BINDIR}/ansible-galaxy}, "--roles-path", roledir, "install", role)
+                system(%Q{#{@ansible_execs}/ansible-galaxy}, "--roles-path", roledir, "install", role)
                 found = true
 # XXX check return value
               else
@@ -455,7 +527,7 @@ module MU
         def initialize(deploy)
           @deploy = deploy
           @ansible_path = @deploy.deploy_dir+"/ansible"
-          if !Dir.exists?(@ansible_path)
+          if !Dir.exist?(@ansible_path)
             Dir.mkdir(@ansible_path, 0755)
           end
@@ -528,7 +600,7 @@ module MU
         def read
           @inv = {}
-          if File.exists?(@ansible_path+"/hosts")
+          if File.exist?(@ansible_path+"/hosts")
             section = nil
             File.readlines(@ansible_path+"/hosts").each { |l|
               l.chomp!

data/modules/mu/groomers/chef.rb CHANGED

@@ -71,7 +71,7 @@ module MU
             require 'chef/knife/bootstrap_windows_winrm'
             require 'chef/knife/bootstrap_windows_ssh'
             ::Chef::Config[:chef_server_url] = "https://#{MU.mu_public_addr}:7443/organizations/#{user}"
-            if File.exists?("#{Etc.getpwnam(mu_user).dir}/.chef/knife.rb")
+            if File.exist?("#{Etc.getpwnam(mu_user).dir}/.chef/knife.rb")
               MU.log "Loading Chef configuration from #{Etc.getpwnam(mu_user).dir}/.chef/knife.rb", MU::DEBUG
               ::Chef::Config.from_file("#{Etc.getpwnam(mu_user).dir}/.chef/knife.rb")
             end
@@ -218,7 +218,7 @@ module MU
         loadChefLib
         raise MuError, "No vault specified, nothing to delete" if vault.nil?
         MU.log "Deleting #{vault}:#{item} from vaults"
-        knife_db = nil
         knife_cmds = []
         if item.nil?
           knife_cmds << ::Chef::Knife::DataBagDelete.new(['data', 'bag', 'delete', vault])
@@ -270,7 +270,7 @@ module MU
         retries = 0
         try_upgrade = false
-        output = []
+        output_lines = []
         error_signal = "CHEF EXITED BADLY: "+(0...25).map { ('a'..'z').to_a[rand(26)] }.join
         runstart = nil
         cmd = nil
@@ -294,9 +294,26 @@ module MU
             Timeout::timeout(timeout) {
               retval = ssh.exec!(cmd) { |ch, stream, data|
                 puts data
-                output << data
-                raise MU::Cloud::BootstrapTempFail if data.match(/REBOOT_SCHEDULED| WARN: Reboot requested:/)
-                raise MU::Groomer::RunError, output.grep(/ ERROR: /).last if data.match(/#{error_signal}/)
+                output_lines << data
+                raise MU::Cloud::BootstrapTempFail if data.match(/REBOOT_SCHEDULED| WARN: Reboot requested:|Rebooting server at a recipe's request|Chef::Exceptions::Reboot/)
+                if data.match(/#{error_signal}/)
+                  error_msg = ""
+                  clip = false
+                  output_lines.each { |chunk|
+                    chunk.split(/\n/).each { |line|
+                      if !clip and line.match(/^========+/)
+                        clip = true
+                      elsif clip and line.match(/^Running handlers:/)
+                        break
+                      end
+                      if clip and line.match(/[a-z0-9]/)
+                        error_msg += line.gsub(/\e\[(\d+)m/, '')+"\n"
+                      end
+                    }
+                  }
+                  raise MU::Groomer::RunError, error_msg
+                end
               }
             }
           else
@@ -314,7 +331,7 @@ module MU
             if try_upgrade
               pp winrm.run("Invoke-WebRequest -useb https://omnitruck.chef.io/install.ps1 | Invoke-Expression; Install-Project -version:#{MU.chefVersion} -download_directory:$HOME")
             end
-            output = []
+            output_lines = []
             cmd = "c:/opscode/chef/bin/chef-client.bat --color"
             if override_runlist
               cmd = cmd + " -o '#{override_runlist}'"
@@ -324,20 +341,20 @@ module MU
               resp = winrm.run(cmd) do |stdout, stderr|
                 if stdout
                   print stdout if output
-                  output << stdout
+                  output_lines << stdout
                 end
                 if stderr
                   MU.log stderr, MU::ERR
-                  output << stderr
+                  output_lines << stderr
                 end
               end
             }
-            if resp.exitcode == 1 and output.join("\n").match(/Chef Client finished/)
+            if resp.exitcode == 1 and output_lines.join("\n").match(/Chef Client finished/)
               MU.log "resp.exit code 1"
             elsif resp.exitcode != 0
-              raise MU::Cloud::BootstrapTempFail if resp.exitcode == 35 or output.join("\n").match(/REBOOT_SCHEDULED| WARN: Reboot requested:/)
-              raise MU::Groomer::RunError, output.slice(output.length-50, output.length).join("")
+              raise MU::Cloud::BootstrapTempFail if resp.exitcode == 35 or output_lines.join("\n").match(/REBOOT_SCHEDULED| WARN: Reboot requested:|Rebooting server at a recipe's request|Chef::Exceptions::Reboot/)
+              raise MU::Groomer::RunError, output_lines.slice(output_lines.length-50, output_lines.length).join("")
             end
           end
         rescue MU::Cloud::BootstrapTempFail
@@ -397,10 +414,12 @@ module MU
             sleep 30
             retry
           else
+            @server.deploy.sendAdminSlack("Chef run '#{purpose}' failed on `#{@server.mu_name}` :crying_cat_face:", msg: e.message)
             raise MU::Groomer::RunError, "#{@server.mu_name}: Chef run '#{purpose}' failed #{max_retries} times, last error was: #{e.message}"
           end
         rescue Exception => e
-          raise MU::Groomer::RunError, "Caught unexpected #{e.inspect} on #{@server.mu_name} in @groomer.run"
+          @server.deploy.sendAdminSlack("Chef run '#{purpose}' failed on `#{@server.mu_name}` :crying_cat_face:", msg: e.inspect)
+          raise MU::Groomer::RunError, "Caught unexpected #{e.inspect} on #{@server.mu_name} in @groomer.run at #{e.backtrace[0]}"
         end
@@ -440,20 +459,33 @@ module MU
           end
           guardfile = "/opt/mu_installed_chef"
-          ssh = @server.getSSHSession(15)
-          if leave_ours
-            MU.log "Expunging pre-existing Chef install on #{@server.mu_name}, if we didn't create it", MU::NOTICE
-            begin
-              ssh.exec!(%Q{test -f #{guardfile} || (#{remove_cmd}) ; touch #{guardfile}})
-            rescue IOError => e
-              # TO DO - retry this in a cleaner way
-              MU.log "Got #{e.inspect} while trying to clean up chef, retrying", MU::NOTICE, details: %Q{test -f #{guardfile} || (#{remove_cmd}) ; touch #{guardfile}}
-              ssh = @server.getSSHSession(15)
-              ssh.exec!(%Q{test -f #{guardfile} || (#{remove_cmd}) ; touch #{guardfile}})
+          retries = 0
+          begin
+            ssh = @server.getSSHSession(15)
+            Timeout::timeout(60) {
+              if leave_ours
+                MU.log "Expunging pre-existing Chef install on #{@server.mu_name}, if we didn't create it", MU::NOTICE
+                begin
+                  ssh.exec!(%Q{test -f #{guardfile} || (#{remove_cmd}) ; touch #{guardfile}})
+                rescue IOError => e
+                  # TO DO - retry this in a cleaner way
+                  MU.log "Got #{e.inspect} while trying to clean up chef, retrying", MU::NOTICE, details: %Q{test -f #{guardfile} || (#{remove_cmd}) ; touch #{guardfile}}
+                  ssh = @server.getSSHSession(15)
+                  ssh.exec!(%Q{test -f #{guardfile} || (#{remove_cmd}) ; touch #{guardfile}})
+                end
+              else
+                MU.log "Expunging pre-existing Chef install on #{@server.mu_name}", MU::NOTICE
+                ssh.exec!(remove_cmd)
+              end
+            }
+          rescue Timeout::Error
+            if retries < 5
+              retries += 1
+              sleep 5
+              retry
+            else
+              raise MuError, "Failed to preClean #{@server.mu_name} after repeated timeouts"
             end
-          else
-            MU.log "Expunging pre-existing Chef install on #{@server.mu_name}", MU::NOTICE
-            ssh.exec!(remove_cmd)
           end
           ssh.close
@@ -523,6 +555,7 @@ module MU
       def bootstrap
         self.class.loadChefLib
         stashHostSSLCertSecret
+        splunkVaultInit
         if !@config['cleaned_chef']
           begin
             leave_ours = @config['scrub_groomer'] ? false : true
@@ -654,8 +687,8 @@ retry
           end
         }
         knifeAddToRunList("role[mu-node]")
+        knifeAddToRunList("mu-tools::selinux")
-        splunkVaultInit
         grantSecretAccess(@server.mu_name, "windows_credentials") if @server.windows?
         grantSecretAccess(@server.mu_name, "ssl_cert")
@@ -669,6 +702,7 @@ retry
           run(purpose: "Base configuration", update_runlist: false, max_retries: 20)
         end
         ::Chef::Knife.run(['node', 'run_list', 'remove', @server.mu_name, "recipe[mu-tools::updates]"], {}) if !@config['skipinitialupdates']
+        ::Chef::Knife.run(['node', 'run_list', 'remove', @server.mu_name, "recipe[mu-tools::selinux]"], {})
         # This will deal with Active Directory integration.
         if !@config['active_directory'].nil?
@@ -696,6 +730,11 @@ retry
       # @return [Hash]: The data synchronized.
       def saveDeployData
         self.class.loadChefLib
+        if !haveBootstrapped?
+          MU.log "saveDeployData invoked on #{@server.to_s} before Chef has been bootstrapped!", MU::WARN, details: caller
+          return
+        end
         @server.describe(update_cache: true) # Make sure we're fresh
         saveChefMetadata
         begin
@@ -724,10 +763,12 @@ retry
             }
           end
-          if chef_node.normal['deployment'] != @server.deploy.deployment
+          if !@server.deploy.deployment.nil? and
+             (chef_node.normal['deployment'].nil? or
+               (chef_node.normal['deployment'].to_h <=> @server.deploy.deployment) != 0
+             )
             MU.log "Updating node: #{@server.mu_name} deployment attributes", details: @server.deploy.deployment
             chef_node.normal['deployment'].merge!(@server.deploy.deployment)
-            chef_node.normal['deployment']['ssh_public_key'] = @server.deploy.ssh_public_key
             chef_node.save
           end
           return chef_node['deployment']
@@ -770,6 +811,15 @@ retry
           rescue Net::HTTPServerException
           end
         end
+        MU.log "knife data bag delete #{node}"
+        if !noop
+          knife_cd = ::Chef::Knife::ClientDelete.new(['data', 'bag', 'delete', node])
+          knife_cd.config[:yes] = true
+          begin
+            knife_cd.run
+          rescue Net::HTTPServerException
+          end
+        end
         return if nodeonly
@@ -778,7 +828,7 @@ retry
         rescue MuNoSuchSecret
         end
         ["crt", "key", "csr"].each { |ext|
-          if File.exists?("#{MU.mySSLDir}/#{node}.#{ext}")
+          if File.exist?("#{MU.mySSLDir}/#{node}.#{ext}")
             MU.log "Removing #{MU.mySSLDir}/#{node}.#{ext}"
             File.unlink("#{MU.mySSLDir}/#{node}.#{ext}") if !noop
           end
@@ -812,6 +862,7 @@ retry
         begin
           chef_node = ::Chef::Node.load(@server.mu_name)
         rescue Net::HTTPServerException
+          @server.deploy.sendAdminSlack("Couldn't load Chef metadata on `#{@server.mu_name}` :crying_cat_face:")
           raise MU::Groomer::RunError, "Couldn't load Chef node #{@server.mu_name}"
         end
@@ -821,6 +872,7 @@ retry
         chef_node.normal.app = @config['application_cookbook'] if !@config['application_cookbook'].nil?
         chef_node.normal["service_name"] = @config["name"]
+        chef_node.normal["credentials"] = @config["credentials"]
         chef_node.normal["windows_admin_username"] = @config['windows_admin_username']
         chef_node.chef_environment = MU.environment.downcase
         if @server.config['cloud'] == "AWS"
@@ -965,9 +1017,9 @@ retry
         if multiple.size == 0
           multiple = [rl_entry]
         end
-        multiple.each { |rl_entry|
-          if !rl_entry.match(/^role|recipe\[/)
-            rl_entry = "#{type}[#{rl_entry}]"
+        multiple.each { |entry|
+          if !entry.match(/^role|recipe\[/)
+            entry = "#{type}[#{entry}]"
           end
         }
@@ -975,27 +1027,27 @@ retry
           role_list = nil
           recipe_list = nil
           missing = false
-          multiple.each { |rl_entry|
-            # Rather than argue about whether to expect a bare rl_entry name or
-            # require rl_entry[rolename], let's just accomodate.
-            if rl_entry.match(/^role\[(.+?)\]/)
-              rl_entry_name = Regexp.last_match(1)
+          multiple.each { |entry|
+            # Rather than argue about whether to expect a bare entry name or
+            # require entry[rolename], let's just accomodate.
+            if entry.match(/^role\[(.+?)\]/)
+              entry_name = Regexp.last_match(1)
               if role_list.nil?
                 query=%Q{#{MU::Groomer::Chef.knife} role list};
                 role_list = %x{#{query}}
               end
-              if !role_list.match(/(^|\n)#{rl_entry_name}($|\n)/)
-                MU.log "Attempting to add non-existent #{rl_entry} to #{@server.mu_name}", MU::WARN
+              if !role_list.match(/(^|\n)#{entry_name}($|\n)/)
+                MU.log "Attempting to add non-existent #{entry} to #{@server.mu_name}", MU::WARN
                 missing = true
               end
-            elsif rl_entry.match(/^recipe\[(.+?)\]/)
-              rl_entry_name = Regexp.last_match(1)
+            elsif entry.match(/^recipe\[(.+?)\]/)
+              entry_name = Regexp.last_match(1)
               if recipe_list.nil?
                 query=%Q{#{MU::Groomer::Chef.knife} recipe list};
                 recipe_list = %x{#{query}}
               end
-              if !recipe_list.match(/(^|\n)#{rl_entry_name}($|\n)/)
-                MU.log "Attempting to add non-existent #{rl_entry} to #{@server.mu_name}", MU::WARN
+              if !recipe_list.match(/(^|\n)#{entry_name}($|\n)/)
+                MU.log "Attempting to add non-existent #{entry} to #{@server.mu_name}", MU::WARN
                 missing = true
               end
             end