cloud-mu 2.1.0beta → 3.0.0beta

data/cookbooks/mu-master/recipes/init.rb

@@ -36,7 +36,7 @@ ENV['PATH'] = ENV['PATH']+":/bin:/opt/opscode/embedded/bin"
 # XXX We want to be able to override these things when invoked from chef-apply,
 # but, like, how?
 CHEF_SERVER_VERSION="12.17.15-1"
-CHEF_CLIENT_VERSION="14.11.21"
+CHEF_CLIENT_VERSION="14.13.11"
 KNIFE_WINDOWS="1.9.0"
 MU_BASE="/opt/mu"
 MU_BRANCH="master" # GIT HOOK EDITABLE DO NOT TOUCH
@@ -171,45 +171,60 @@ removepackages = []
 rpms = {}
 dpkgs = {}
 
-elversion = node['platform_version'].to_i > 2000 ? 6 : node['platform_version'].to_i
-if platform_family?("rhel")
-  basepackages = ["git", "curl", "diffutils", "patch", "gcc", "gcc-c++", "make", "postgresql-devel", "libyaml", "libffi-devel", "tcl", "tk"]
-#        package epel-release-6-8.9.amzn1.noarch (which is newer than epel-release-6-8.noarch) is already installed
+elversion = node['platform_version'].split('.')[0]
 
-  rpms = {
-    "epel-release" => "http://dl.fedoraproject.org/pub/epel/epel-release-latest-#{elversion}.noarch.rpm",
-    "chef-server-core" => "https://packages.chef.io/files/stable/chef-server/#{CHEF_SERVER_VERSION.sub(/\-\d+$/, "")}/el/#{elversion}/chef-server-core-#{CHEF_SERVER_VERSION}.el#{elversion}.x86_64.rpm"
-  }
+rhelbase = ["git", "curl", "diffutils", "patch", "gcc", "gcc-c++", "make", "postgresql-devel", "libyaml", "libffi-devel", "tcl", "tk"]
 
+case node['platform_family']
+when 'rhel'
 
-  if elversion < 6 or elversion >= 8
-    raise "Mu Masters on RHEL-family hosts must be equivalent to RHEL6 or RHEL7 (got #{elversion})"
+  basepackages = rhelbase
 
-  # RHEL6, CentOS6, Amazon Linux
-  elsif elversion < 7
-    basepackages.concat(["mysql-devel"])
-    rpms["ruby25"] = "https://s3.amazonaws.com/cloudamatic/muby-2.5.3-1.el6.x86_64.rpm"
-    rpms["python27"] = "https://s3.amazonaws.com/cloudamatic/muthon-2.7.16-1.el6.x86_64.rpm"
-    
+  case node['platform_version'].split('.')[0].to_i
+  when 6
+    basepackages.concat(["cryptsetup-luks", "mysql-devel", "centos-release-scl"])
     removepackages = ["nagios"]
 
-  # RHEL7, CentOS7
-  elsif elversion < 8
-    basepackages.concat(["libX11", "mariadb-devel", "cryptsetup"])
-    rpms["ruby25"] = "https://s3.amazonaws.com/cloudamatic/muby-2.5.3-1.el7.x86_64.rpm"
-    rpms["python27"] = "https://s3.amazonaws.com/cloudamatic/muthon-2.7.16-1.el7.x86_64.rpm"
-    removepackages = ["nagios", "firewalld"]
-  end
-  # Amazon Linux
-  if node['platform_version'].to_i > 2000
-    basepackages.concat(["compat-libffi5"])
-    rpms.delete("epel-release")
+  when 7
+    basepackages.concat(['libX11', 'mariadb-devel', 'cryptsetup'])
+    removepackages = ['nagios', 'firewalld']
+
+  when 8
+    raise "Mu currently does not support RHEL 8... but I assume it will in the future... But I am Bill and I am hopeful about the future."
+  else
+    raise "Mu does not support RHEL #{node['platform_version']} (matched on #{node['platform_version'].split('.')[0]})"
   end
 
+when 'amazon'
+  basepackages = rhelbase
+  rpms.delete('epel-release')
+  
+  case node['platform_version'].split('.')[0]
+  when '1', '6' #REALLY THIS IS AMAZON LINUX 1, BUT IT IS BASED OFF OF RHEL 6
+    basepackages.concat(['mysql-devel', 'libffi-devel'])
+    basepackages.delete('tk')
+    removepackages = ["nagios"]
+
+  when '2'
+    basepackages.concat(['libX11', 'mariadb-devel', 'cryptsetup', 'ncurses-devel', 'ncurses-compat-libs', 'iptables-services'])
+    removepackages = ['nagios', 'firewalld']
+    elversion = '7' #HACK TO FORCE AMAZON LINUX 2 TO BE TREATED LIKE RHEL 7
+
+  else
+    raise "Mu Masters on Amazon-family hosts must be equivalent to Amazon Linux 1 or 2 (got #{node['platform_version'].split('.')[0]})"
+  end
 else
-  raise "Mu Masters are currently only supported on RHEL-family hosts."
+  raise "Mu Masters are currently only supported on RHEL and Amazon family hosts (got #{node['platform_family']})."
 end
 
+rpms = {
+  "epel-release" => "http://dl.fedoraproject.org/pub/epel/epel-release-latest-#{elversion}.noarch.rpm",
+  "chef-server-core" => "https://packages.chef.io/files/stable/chef-server/#{CHEF_SERVER_VERSION.sub(/\-\d+$/, "")}/el/#{elversion}/chef-server-core-#{CHEF_SERVER_VERSION}.el#{elversion}.x86_64.rpm"
+}
+
+rpms["ruby25"] = "https://s3.amazonaws.com/cloudamatic/muby-2.5.3-1.el#{elversion}.x86_64.rpm"
+rpms["python27"] = "https://s3.amazonaws.com/cloudamatic/muthon-2.7.16-1.el#{elversion}.x86_64.rpm"
+
 package basepackages
 
 directory MU_BASE do
@@ -302,6 +317,10 @@ execute "clean up old ruby-2.3.1" do
   only_if { ::Dir.exist?("/opt/rubies/ruby-2.3.1") }
 end
 
+execute "yum makecache" do
+  action :nothing
+end
+
 # Regular old rpm-based installs
 rpms.each_pair { |pkg, src|
   rpm_package pkg do
@@ -309,6 +328,9 @@ rpms.each_pair { |pkg, src|
     if pkg == "ruby25" 
       options '--prefix=/opt/rubies/'
     end
+    if pkg == "epel-release" 
+      notifies :run, "execute[yum makecache]", :immediately
+    end
     if pkg == "chef-server-core"
       notifies :stop, "service[iptables]", :before
       if File.size?("/etc/opscode/chef-server.rb")
@@ -371,7 +393,7 @@ file "#{MU_BASE}/var/users/mu/realname" do
   end
 end
 
-["mu-aws-setup", "mu-cleanup", "mu-configure", "mu-deploy", "mu-firewall-allow-clients", "mu-gen-docs", "mu-load-config.rb", "mu-node-manage", "mu-tunnel-nagios", "mu-upload-chef-artifacts", "mu-user-manage", "mu-ssh"].each { |exe|
+["mu-cleanup", "mu-configure", "mu-deploy", "mu-firewall-allow-clients", "mu-gen-docs", "mu-load-config.rb", "mu-node-manage", "mu-tunnel-nagios", "mu-upload-chef-artifacts", "mu-user-manage", "mu-ssh", "mu-adopt", "mu-azure-setup", "mu-gcp-setup", "mu-aws-setup"].each { |exe|
   link "#{MU_BASE}/bin/#{exe}" do
     to "#{MU_BASE}/lib/bin/#{exe}"
   end
@@ -432,26 +454,15 @@ end
       execute "rm -rf #{gemdir}/knife-windows-#{Regexp.last_match[1]}"
     }
 
-# XXX rely on bundler to get this right for us
-#    gem_package "#{rubydir} knife-windows #{KNIFE_WINDOWS} #{gembin}" do
-#      gem_binary gembin
-#      package_name "knife-windows"
-#      version KNIFE_WINDOWS
-#      notifies :restart, "service[chef-server]", :delayed if rubydir == "/opt/opscode/embedded"
-#      # XXX notify mommacat if we're *not* in chef-apply... RUNNING_STANDALONE
-#    end
-
-#    execute "Patch #{rubydir}'s knife-windows for Cygwin SSH bootstraps" do
-#      cwd "#{gemdir}/knife-windows-#{KNIFE_WINDOWS}"
-#      command "patch -p1 < #{MU_BASE}/lib/install/knife-windows-cygwin-#{KNIFE_WINDOWS}.patch"
-#      not_if "grep -i 'locate_config_value(:cygwin)' #{gemdir}/knife-windows-#{KNIFE_WINDOWS}/lib/chef/knife/bootstrap_windows_base.rb"
-#      notifies :restart, "service[chef-server]", :delayed if rubydir == "/opt/opscode/embedded"
-#      only_if { ::Dir.exist?(gemdir) }
-      # XXX notify mommacat if we're *not* in chef-apply... RUNNING_STANDALONE
-#    end
   end
 }
 
+# This is mostly to make sure Berkshelf has a clean and current environment to
+# live with.
+execute "/usr/local/ruby-current/bin/bundle clean --force" do
+  cwd "#{MU_BASE}/lib/modules"
+  only_if { RUNNING_STANDALONE }
+end
 
 # Get a 'mu' Chef org in place and populate it with artifacts
 directory "/root/.chef"
@@ -567,3 +578,10 @@ end
     notifies :run, "bash[fix #{rubydir} gem permissions]", :delayed
   end
 }
+bash "fix misc permissions" do
+  code <<-EOH
+    find #{MU_BASE}/lib -not -path "#{MU_BASE}/.git" -type d -exec chmod go+r {} \\;
+    find #{MU_BASE}/lib -not -path "#{MU_BASE}/.git/*" -type f -exec chmod go+r {} \\;
+    chmod go+rx #{MU_BASE}/lib/bin/* #{MU_BASE}/lib/extras/*-stock-* #{MU_BASE}/lib/extras/vault_tools/*.sh
+  EOH
+end

data/cookbooks/mu-master/recipes/{eks-kubectl.rb → kubectl.rb}

@@ -1,5 +1,5 @@
 # Cookbook Name:: mu-master
-# Recipe:: eks-kubectl
+# Recipe:: kubectl
 #
 # Copyright:: Copyright (c) 2018 eGlobalTech, Inc., all rights reserved
 #
@@ -23,19 +23,13 @@
 # templates.
 #
 remote_file "/opt/mu/bin/kubectl" do
-  source "https://amazon-eks.s3-us-west-2.amazonaws.com/1.10.3/2018-07-26/bin/linux/amd64/kubectl"
+  source "https://amazon-eks.s3-us-west-2.amazonaws.com/1.14.6/2019-08-22/bin/linux/amd64/kubectl"
   mode 0755
-  not_if "test -f /opt/mu/bin/kubectl"
+  not_if "test -f /opt/mu/bin/kubectl && kubectl version --short | grep 1.14.6"
 end
 
 remote_file "/opt/mu/bin/aws-iam-authenticator" do
-  source "https://amazon-eks.s3-us-west-2.amazonaws.com/1.10.3/2018-07-26/bin/linux/amd64/aws-iam-authenticator"
+  source "https://amazon-eks.s3-us-west-2.amazonaws.com/1.14.6/2019-08-22/bin/linux/amd64/aws-iam-authenticator"
   mode 0755
   not_if "test -f /opt/mu/bin/aws-iam-authenticator"
 end
-
-# in brand new accounts where no load balancer has been created, something
-# has to do this before EKS has to, because by default it can't
-execute "aws iam create-service-linked-role --aws-service-name 'elasticloadbalancing.amazonaws.com'" do
-  not_if "aws iam list-roles | grep /aws-service-role/elasticloadbalancing.amazonaws.com/"
-end

data/cookbooks/mu-master/recipes/sssd.rb

@@ -58,7 +58,8 @@ service "oddjobd" do
   start_command "sh -x /etc/init.d/oddjobd start" if %w{redhat centos}.include?(node['platform']) && node['platform_version'].to_i == 6  # seems to actually work
   action [:enable, :start]
 end
-execute "/usr/sbin/authconfig --disablenis --disablecache --disablewinbind --disablewinbindauth --enablemkhomedir --disablekrb5 --enablesssd --enablesssdauth --enablelocauthorize --disableforcelegacy --disableldap --disableldapauth --updateall" do
+package "authconfig"
+execute "LC_ALL=C /usr/sbin/authconfig --disablenis --disablecache --disablewinbind --disablewinbindauth --enablemkhomedir --disablekrb5 --enablesssd --enablesssdauth --enablelocauthorize --disableforcelegacy --disableldap --disableldapauth --updateall" do
   notifies :restart, "service[oddjobd]", :immediately
   notifies :reload, "service[sshd]", :delayed
   not_if "grep pam_sss.so /etc/pam.d/password-auth"

data/cookbooks/mu-master/recipes/update_nagios_only.rb

@@ -16,8 +16,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-include_recipe "nagios::server_source"
-include_recipe "nagios"
+include_recipe "mu-nagios::server_source"
+include_recipe "mu-nagios"
 include_recipe 'mu-master::firewall-holes'
 
 if $MU_CFG.has_key?('ldap')
@@ -49,7 +49,7 @@ file "/etc/sysconfig/nagios" do
   content "checkconfig=\"false\"\n"
   mode 0600
 end
-include_recipe "nagios"
+include_recipe "mu-nagios"
 
 # scrub our old stuff if it's around
 ["nagios_fifo", "nagios_more_selinux"].each { |policy|
@@ -139,15 +139,15 @@ Dir.glob("/usr/lib/cgi-bin/*.cgi").each { |script|
 
 ["/usr/lib/cgi-bin"].each { |cgidir|
   if Dir.exist?(cgidir)
-    execute "chcon -R -h -t httpd_sys_script_exec_t #{cgidir}" do
+    execute "chcon -R -h system_u:object_r:httpd_sys_script_exec_t #{cgidir}" do
       not_if "ls -aZ #{cgidir} | grep ':httpd_sys_script_exec_t:'"
       notifies :reload, "service[apache2]", :delayed
     end
   end
 }
 if File.exist?("/usr/lib64/nagios/plugins/check_nagios")
-  execute "chcon -R -h -t nagios_unconfined_plugin_exec_t /usr/lib64/nagios/plugins/check_nagios" do
-    not_if "ls -aZ /usr/lib64/nagios/plugins/check_nagios | grep ':nagios_unconfined_plugin_exec_t:'"
+  execute "chcon -R -h system_u:object_r:nagios_unconfined_plugin_exec_t /usr/lib64/nagios/plugins/check_nagios" do
+    not_if "ls -aZ /usr/lib64/nagios/plugins/check_nagios | grep 'object_r:nagios_'"
   end
 end
 

data/cookbooks/mu-master/templates/default/web_app.conf.erb

@@ -27,8 +27,8 @@
   AllowEncodedSlashes off
   
   # Scratchpad, the Mu secret-sharer
-  ProxyPass /scratchpad https://localhost:2260/scratchpad
-  ProxyPassReverse /scratchpad https://localhost:2260/scratchpad
+  ProxyPass /scratchpad https://localhost:<%= MU.mommaCatPort.to_s %>/scratchpad
+  ProxyPassReverse /scratchpad https://localhost:<%= MU.mommaCatPort.to_s %>/scratchpad
 
   # Nagios web UI
   ProxyPass /nagios/ https://localhost:8443/nagios/

data/cookbooks/mu-master/templates/mods/ldap.conf.erb

@@ -0,0 +1,4 @@
+<Location /ldap-status>
+   SetHandler ldap-status
+   Require local
+</Location>

data/cookbooks/mu-php54/Berksfile

@@ -8,6 +8,5 @@ cookbook 'mu-utility'
 
 # Supermarket Cookbooks
 cookbook 'simple_iptables', '~> 0.8.0'
-cookbook 'apache2', '< 4.0'
 cookbook 'mysql', '~> 8.5.1'
-cookbook 'yum-epel', '~> 3.2.0'
+cookbook 'yum-epel', '~> 3.2.0'

data/cookbooks/mu-php54/metadata.rb

@@ -4,11 +4,10 @@ maintainer_email 'mu-developers@googlegroups.com'
 license 'BSD-3-Clause'
 
 description 'Installs/Configures php'
-long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
 source_url 'https://github.com/cloudamatic/mu'
 issues_url 'https://github.com/cloudamatic/mu/issues'
-chef_version '>= 14.0' if respond_to?(:chef_version)
-version '0.3.0'
+chef_version '>= 14.0'
+version '0.3.1'
 
 %w( centos ubuntu ).each do |os|
 	supports os
@@ -16,6 +15,6 @@ end
 
 depends 'mu-utility'
 depends 'simple_iptables', '~> 0.8.0'
-depends 'apache2', '< 4.0'
 depends 'mysql', '~> 8.5.1'
-depends 'yum-epel', '~> 3.2.0'
+depends 'yum-epel', '~> 3.2.0'
+depends 'apache2', '< 6.0.0'

data/cookbooks/mu-php54/recipes/default.rb

@@ -24,7 +24,7 @@ end
 
 case node['platform']
 
-  when "centos"
+  when "centos", "amazon"
     include_recipe "yum-epel"
     include_recipe "mu-utility::remi"
 

data/cookbooks/mu-tools/Berksfile

@@ -4,7 +4,7 @@ source chef_repo: ".."
 metadata
 
 # Mu Cookbooks
-cookbook "nagios"
+cookbook 'mu-nagios' , '~> 8.2.0', git: "https://github.com/cloudamatic/mu-nagios.git"
 cookbook "mu-utility"
 cookbook "mu-splunk"
 cookbook "mu-firewall"
@@ -18,4 +18,5 @@ cookbook "java", '~> 2.2.0'
 cookbook "windows", '~> 5.1.1'
 cookbook "chef-vault", '~> 3.1.1'
 cookbook "poise-python", '~> 1.7.0'
-cookbook "yum-epel", '~> 3.2.0'
+cookbook "yum-epel", '~> 3.2.0'
+cookbook 'selinux', '~> 3.0.0'

data/cookbooks/mu-tools/files/default/Mu_CA.pem

@@ -0,0 +1,33 @@
+-----BEGIN CERTIFICATE-----
+MIIFvzCCA6egAwIBAgIJANg7fTwivzSDMA0GCSqGSIb3DQEBDQUAMF0xFjAUBgNV
+BAMMDTU0LjE3NS44Ni4xOTQxIDAeBgNVBAsMF011IFNlcnZlciA1NC4xNzUuODYu
+MTk0MRQwEgYDVQQKDAtlR2xvYmFsVGVjaDELMAkGA1UEBhMCVVMwHhcNMTkwODEx
+MjExMzMwWhcNMjIwNTMxMjExMzMwWjBdMRYwFAYDVQQDDA01NC4xNzUuODYuMTk0
+MSAwHgYDVQQLDBdNdSBTZXJ2ZXIgNTQuMTc1Ljg2LjE5NDEUMBIGA1UECgwLZUds
+b2JhbFRlY2gxCzAJBgNVBAYTAlVTMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC
+CgKCAgEAo7rntOFj/WPNvh00SN55aJBusppsY9arq7QF5gt/9+cBPsjcXn7jJMu0
+vD9RFqkR8fpkvs01MiTToKHDli30FYSO+pybW/3R8VMby3jU7Df+i20tnB8gZqkc
+XQGU4c8cGwdu1J/DpRoX5oCOlO2by+2+5nebJd7ABpzl9eE2/1HBJVaHROCVzmbu
+UCXVIlKAOccgwzPj+r4EHwH4Nyv8cSnh67Fg8jehW21ZltZNXek7upc9421MQLka
+9TtbBod7DWVQNfc8hAxATlupOnKsKa1n8vZD9bj9xvK2wz1E6lVYbkuxzpOzqBqy
+PO/6Svt8zTH3pEJMbxwtiwJ8cCLiqSoxj8hOKvvsSmvboN9DwN73JQjOY/pXHaU1
+/w9syNORnwEKMzs5Eu14dAV1+w7Nk8xff4LHjIYoTWD+zuK6ETVnX8j7f1zwebok
+HLF0qlnfZhU4uiE8+wU1h6oeGZG9fLV63wlGdUXA+HermzovuJ0d2ocy0O93QQDt
+Y92dr6UcPfAmzFyX3Rj9FFMYb2/n1G8l5pEd/Qkx3sH04aoxEmyQU0zugo3zQsL9
+KNyIbp2BTlSh2R/4hWJpWiXFliRvotiJu1s2wdNQ1D3SZgxDbfxf/3j04xgdi5eW
+e4Q3VnxhRfmkS1NqEzIvPabVLg9qvN419cubpE6HAtBJw/f3ocUCAwEAAaOBgTB/
+MC8GA1UdEQQoMCaHBDavVsKCCWxvY2FsaG9zdIcEfwAAAYINc3RhbmdlLW11LWRl
+djAdBgNVHQ4EFgQUr8Sa0Z5sLB3lCkzzL/cQp1g1VtwwHwYDVR0jBBgwFoAUr8Sa
+0Z5sLB3lCkzzL/cQp1g1VtwwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOC
+AgEAISgwMuoA0es7f8a8aZHuxeUP/160yyMzzoSolKW+JXHDvJjRi/uM5IICkspR
+19ucWB5NJjp6oLaRTA+Recfpk8rc14GICcjhj/455xlhbg/Dnpwi4S58XEeFnoMY
+9o/z9xWHafM579oZPrUzT2un/1xZuYaOshXa3hZQa5R/aK24P4rW/oCCmifBm8ij
+Mdx24gbI2/1aijWXkUrSMpQ1GVTBKs1ArUokrNWHrXeWInGPp3pEj+9C4t6fnzGu
+QA8zL61yt2ZL5bAedYolWklIkZpbo/5U33tdQP8Jm/HUnbrMLucW1Ar2WV556+1S
+2D3DyJ6gkJ17wR/6XwwQAwZvvNtBIKtWvjS+pCgKzlb2l+jyFeUDaFdCKoxCsYvw
+8UMjBNcWYzA6jqmseR+iCxTiGz/kXScOZ9RiFAARGP8yaLNjNZQDPv2Mdm6w7BGB
+E2K/gxNjq5v6aq2YH8uWkN+/A19UzKwr0GItXWFZHFMUQId5gQre57hvYYlcKbbk
+wBQoEmE5IfyLizIOHVUZ8HwTLRXi3eZjuGcDM4cviGdCsCfPJSLrLwQXcKKdmXB7
+6PbucNbPWgHH7V3ny/yi1OeKn2EPM8izxuOZmE6ck4akf+HuAY/NJI2D7dYhZs2P
+GbrvG4NaRQwTbrrykAcKvFfRb+Wle4YNCf11akm5bHLxAwQ=
+-----END CERTIFICATE-----

data/cookbooks/mu-tools/libraries/helper.rb

@@ -168,7 +168,14 @@ module Mutools
     end
 
     def get_deploy_secret
-      uri = URI("https://#{get_mu_master_ips.first}:2260/rest/bucketname")
+      cloud = if !get_aws_metadata("meta-data/instance-id").nil?
+        "AWS"
+      elsif !get_google_metadata("instance/name").nil?
+        "Google"
+#      elsif <some condition here>
+#        "Azure"
+      end
+      uri = URI("https://#{get_mu_master_ips.first}:2260/rest/bucketname/#{cloud}/#{node['credentials']}")
       http = Net::HTTP.new(uri.hostname, uri.port)
       http.use_ssl = true
       http.verify_mode = ::OpenSSL::SSL::VERIFY_NONE # XXX this sucks
@@ -177,7 +184,7 @@ module Mutools
       secret = nil
       filename = mu_get_tag_value("MU-ID")+"-secret"
 
-      if !get_aws_metadata("meta-data/instance-id").nil?
+      if cloud == "AWS"
         resp = nil
         begin
           resp = s3.get_object(bucket: bucket, key: filename)
@@ -187,18 +194,23 @@ module Mutools
         end
         Chef::Log.info("Fetch deploy secret from s3://#{bucket}/#{filename}")
         secret = resp.body.read
-      elsif !get_google_metadata("instance/name").nil?
+      elsif cloud == "Google"
         include_recipe "mu-tools::gcloud"
+        resp = nil
         ["/opt/google-cloud-sdk/bin/gsutil", "/bin/gsutil"].each { |gsutil|
           next if !File.exist?(gsutil)
           Chef::Log.info("Fetching deploy secret: #{gsutil} cp gs://#{bucket}/#{filename} -")
-          if File.exist?("/usr/bin/python2.7")
-            # secret = %x{CLOUDSDK_PYTHON=/usr/bin/python2.7 #{gsutil} cp gs://#{bucket}/#{filename} -}
-            secret = shell_out("CLOUDSDK_PYTHON=/usr/bin/python2.7 #{gsutil} cp gs://#{bucket}/#{filename} -").stdout.str
+          cmd = if File.exist?("/usr/bin/python2.7")
+            %Q{CLOUDSDK_PYTHON=/usr/bin/python2.7 #{gsutil} cp gs://#{bucket}/#{filename} -}
           else
-            # secret = %x{#{gsutil} cp gs://#{bucket}/#{filename} -}
-            secret = shell_out("#{gsutil} cp gs://#{bucket}/#{filename} -").stdout.str
+            %Q{#{gsutil} cp gs://#{bucket}/#{filename} -}
+          end
+          Chef::Log.info(cmd)
+          resp = shell_out(cmd)
+          if resp.status.exitstatus != 0
+            raise "\nDeploy secret fetch failed with exit code #{resp.status.exitstatus.to_s}: #{resp.stderr}. Command was:\n#{cmd}"
           end
+          secret = resp.stdout
           break if !secret.nil? and !secret.empty?
         }
         if secret.nil? or secret.empty?

data/cookbooks/mu-tools/metadata.rb

@@ -7,14 +7,14 @@ long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
 source_url 'https://github.com/cloudamatic/mu'
 issues_url 'https://github.com/cloudamatic/mu/issues'
 chef_version '>= 14.0' if respond_to?(:chef_version)
-version '1.0.4'
+version '1.1.0'
 
 %w( amazon centos redhat windows ).each do |os|
 	supports os
 end
 
 depends "oracle-instantclient", '~> 1.1.0'
-depends "nagios"
+depends "mu-nagios"
 depends "database", '~> 6.1.1'
 depends "postgresql", '~> 7.1.0'
 depends "mu-utility"
@@ -26,3 +26,6 @@ depends "poise-python", '~> 1.7.0'
 depends "yum-epel", '~> 3.2.0'
 depends "mu-firewall"
 depends "mu-activedirectory"
+depends "chocolatey"
+depends "firewall"
+depends 'selinux', '~> 3.0.0'

data/cookbooks/mu-tools/recipes/apply_security.rb

@@ -145,7 +145,7 @@ if !node['application_attributes']['skip_recipes'].include?('apply_security')
       end
   
   
-      if node.normal.root_login_disabled
+      if node['root_login_disabled']
         #some code
       end
   
@@ -333,10 +333,9 @@ if !node['application_attributes']['skip_recipes'].include?('apply_security')
         device node['application_attributes']['home']['mount_device']
         size node['application_attributes']['home']['volume_size_gb']
         preserve_data true
-        not_if "awk '{print $2}' < /etc/mtab | grep '^/home$'"
       end
 
-      Chef::Log.info("Value of login_disabled is #{node.normal.root_login_disabled}")
+      Chef::Log.info("Value of login_disabled is #{node['root_login_disabled']}")
   
       ruby_block "do a bunch of weird stuff" do # ~FC014
         block do