cloud-mu 3.1.2 → 3.2.0
- checksums.yaml +4 -4
- data/Dockerfile +15 -3
- data/ansible/roles/mu-windows/README.md +33 -0
- data/ansible/roles/mu-windows/defaults/main.yml +2 -0
- data/ansible/roles/mu-windows/files/LaunchConfig.json +9 -0
- data/ansible/roles/mu-windows/files/config.xml +76 -0
- data/ansible/roles/mu-windows/handlers/main.yml +2 -0
- data/ansible/roles/mu-windows/meta/main.yml +53 -0
- data/ansible/roles/mu-windows/tasks/main.yml +36 -0
- data/ansible/roles/mu-windows/tests/inventory +2 -0
- data/ansible/roles/mu-windows/tests/test.yml +5 -0
- data/ansible/roles/mu-windows/vars/main.yml +2 -0
- data/bin/mu-adopt +10 -13
- data/bin/mu-azure-tests +57 -0
- data/bin/mu-cleanup +2 -4
- data/bin/mu-configure +52 -0
- data/bin/mu-deploy +3 -3
- data/bin/mu-findstray-tests +25 -0
- data/bin/mu-gen-docs +2 -4
- data/bin/mu-load-config.rb +2 -3
- data/bin/mu-node-manage +15 -16
- data/bin/mu-run-tests +135 -37
- data/cloud-mu.gemspec +22 -20
- data/cookbooks/mu-activedirectory/resources/domain.rb +4 -4
- data/cookbooks/mu-activedirectory/resources/domain_controller.rb +4 -4
- data/cookbooks/mu-tools/libraries/helper.rb +3 -2
- data/cookbooks/mu-tools/libraries/monkey.rb +35 -0
- data/cookbooks/mu-tools/recipes/apply_security.rb +14 -14
- data/cookbooks/mu-tools/recipes/aws_api.rb +9 -0
- data/cookbooks/mu-tools/recipes/eks.rb +2 -2
- data/cookbooks/mu-tools/recipes/google_api.rb +2 -2
- data/cookbooks/mu-tools/recipes/selinux.rb +2 -1
- data/cookbooks/mu-tools/recipes/windows-client.rb +163 -164
- data/cookbooks/mu-tools/resources/disk.rb +1 -1
- data/cookbooks/mu-tools/resources/windows_users.rb +44 -43
- data/extras/clean-stock-amis +25 -19
- data/extras/generate-stock-images +1 -0
- data/extras/image-generators/AWS/win2k12.yaml +18 -13
- data/extras/image-generators/AWS/win2k16.yaml +18 -13
- data/extras/image-generators/AWS/win2k19.yaml +21 -0
- data/extras/image-generators/Google/centos6.yaml +1 -0
- data/extras/image-generators/Google/centos7.yaml +1 -1
- data/modules/mommacat.ru +6 -16
- data/modules/mu.rb +165 -111
- data/modules/mu/adoption.rb +401 -68
- data/modules/mu/cleanup.rb +199 -306
- data/modules/mu/cloud.rb +100 -1632
- data/modules/mu/cloud/database.rb +49 -0
- data/modules/mu/cloud/dnszone.rb +46 -0
- data/modules/mu/cloud/machine_images.rb +212 -0
- data/modules/mu/cloud/providers.rb +81 -0
- data/modules/mu/cloud/resource_base.rb +920 -0
- data/modules/mu/cloud/server.rb +40 -0
- data/modules/mu/cloud/server_pool.rb +1 -0
- data/modules/mu/cloud/ssh_sessions.rb +228 -0
- data/modules/mu/cloud/winrm_sessions.rb +237 -0
- data/modules/mu/cloud/wrappers.rb +165 -0
- data/modules/mu/config.rb +171 -1767
- data/modules/mu/config/alarm.rb +2 -6
- data/modules/mu/config/bucket.rb +4 -4
- data/modules/mu/config/cache_cluster.rb +1 -1
- data/modules/mu/config/collection.rb +4 -4
- data/modules/mu/config/container_cluster.rb +9 -4
- data/modules/mu/config/database.rb +83 -104
- data/modules/mu/config/database.yml +1 -2
- data/modules/mu/config/dnszone.rb +6 -6
- data/modules/mu/config/doc_helpers.rb +516 -0
- data/modules/mu/config/endpoint.rb +4 -4
- data/modules/mu/config/firewall_rule.rb +103 -4
- data/modules/mu/config/folder.rb +4 -4
- data/modules/mu/config/function.rb +3 -3
- data/modules/mu/config/group.rb +4 -4
- data/modules/mu/config/habitat.rb +4 -4
- data/modules/mu/config/loadbalancer.rb +60 -14
- data/modules/mu/config/log.rb +4 -4
- data/modules/mu/config/msg_queue.rb +4 -4
- data/modules/mu/config/nosqldb.rb +4 -4
- data/modules/mu/config/notifier.rb +3 -3
- data/modules/mu/config/ref.rb +365 -0
- data/modules/mu/config/role.rb +4 -4
- data/modules/mu/config/schema_helpers.rb +509 -0
- data/modules/mu/config/search_domain.rb +4 -4
- data/modules/mu/config/server.rb +97 -70
- data/modules/mu/config/server.yml +1 -0
- data/modules/mu/config/server_pool.rb +5 -9
- data/modules/mu/config/storage_pool.rb +1 -1
- data/modules/mu/config/tail.rb +200 -0
- data/modules/mu/config/user.rb +4 -4
- data/modules/mu/config/vpc.rb +70 -27
- data/modules/mu/config/vpc.yml +0 -1
- data/modules/mu/defaults/AWS.yaml +83 -60
- data/modules/mu/defaults/Azure.yaml +1 -0
- data/modules/mu/defaults/Google.yaml +3 -2
- data/modules/mu/deploy.rb +30 -26
- data/modules/mu/groomer.rb +17 -2
- data/modules/mu/groomers/ansible.rb +188 -41
- data/modules/mu/groomers/chef.rb +116 -55
- data/modules/mu/logger.rb +127 -148
- data/modules/mu/master.rb +389 -2
- data/modules/mu/master/chef.rb +3 -4
- data/modules/mu/master/ldap.rb +3 -3
- data/modules/mu/master/ssl.rb +12 -3
- data/modules/mu/mommacat.rb +217 -2612
- data/modules/mu/mommacat/daemon.rb +397 -0
- data/modules/mu/mommacat/naming.rb +473 -0
- data/modules/mu/mommacat/search.rb +495 -0
- data/modules/mu/mommacat/storage.rb +722 -0
- data/modules/mu/{clouds → providers}/README.md +1 -1
- data/modules/mu/{clouds → providers}/aws.rb +271 -112
- data/modules/mu/{clouds → providers}/aws/alarm.rb +5 -3
- data/modules/mu/{clouds → providers}/aws/bucket.rb +26 -22
- data/modules/mu/{clouds → providers}/aws/cache_cluster.rb +33 -67
- data/modules/mu/{clouds → providers}/aws/collection.rb +24 -23
- data/modules/mu/{clouds → providers}/aws/container_cluster.rb +681 -721
- data/modules/mu/providers/aws/database.rb +1744 -0
- data/modules/mu/{clouds → providers}/aws/dnszone.rb +64 -63
- data/modules/mu/{clouds → providers}/aws/endpoint.rb +22 -27
- data/modules/mu/{clouds → providers}/aws/firewall_rule.rb +214 -244
- data/modules/mu/{clouds → providers}/aws/folder.rb +7 -7
- data/modules/mu/{clouds → providers}/aws/function.rb +17 -22
- data/modules/mu/{clouds → providers}/aws/group.rb +23 -23
- data/modules/mu/{clouds → providers}/aws/habitat.rb +17 -14
- data/modules/mu/{clouds → providers}/aws/loadbalancer.rb +57 -48
- data/modules/mu/{clouds → providers}/aws/log.rb +15 -12
- data/modules/mu/{clouds → providers}/aws/msg_queue.rb +17 -16
- data/modules/mu/{clouds → providers}/aws/nosqldb.rb +18 -11
- data/modules/mu/{clouds → providers}/aws/notifier.rb +11 -6
- data/modules/mu/{clouds → providers}/aws/role.rb +112 -86
- data/modules/mu/{clouds → providers}/aws/search_domain.rb +39 -33
- data/modules/mu/{clouds → providers}/aws/server.rb +835 -1133
- data/modules/mu/{clouds → providers}/aws/server_pool.rb +56 -60
- data/modules/mu/{clouds → providers}/aws/storage_pool.rb +24 -42
- data/modules/mu/{clouds → providers}/aws/user.rb +21 -22
- data/modules/mu/{clouds → providers}/aws/userdata/README.md +0 -0
- data/modules/mu/{clouds → providers}/aws/userdata/linux.erb +0 -0
- data/modules/mu/{clouds → providers}/aws/userdata/windows.erb +2 -1
- data/modules/mu/{clouds → providers}/aws/vpc.rb +523 -929
- data/modules/mu/providers/aws/vpc_subnet.rb +286 -0
- data/modules/mu/{clouds → providers}/azure.rb +29 -9
- data/modules/mu/{clouds → providers}/azure/container_cluster.rb +3 -8
- data/modules/mu/{clouds → providers}/azure/firewall_rule.rb +18 -11
- data/modules/mu/{clouds → providers}/azure/habitat.rb +8 -6
- data/modules/mu/{clouds → providers}/azure/loadbalancer.rb +5 -5
- data/modules/mu/{clouds → providers}/azure/role.rb +8 -10
- data/modules/mu/{clouds → providers}/azure/server.rb +95 -48
- data/modules/mu/{clouds → providers}/azure/user.rb +6 -8
- data/modules/mu/{clouds → providers}/azure/userdata/README.md +0 -0
- data/modules/mu/{clouds → providers}/azure/userdata/linux.erb +0 -0
- data/modules/mu/{clouds → providers}/azure/userdata/windows.erb +0 -0
- data/modules/mu/{clouds → providers}/azure/vpc.rb +16 -21
- data/modules/mu/{clouds → providers}/cloudformation.rb +18 -7
- data/modules/mu/{clouds → providers}/cloudformation/alarm.rb +3 -3
- data/modules/mu/{clouds → providers}/cloudformation/cache_cluster.rb +3 -3
- data/modules/mu/{clouds → providers}/cloudformation/collection.rb +3 -3
- data/modules/mu/{clouds → providers}/cloudformation/database.rb +6 -17
- data/modules/mu/{clouds → providers}/cloudformation/dnszone.rb +3 -3
- data/modules/mu/{clouds → providers}/cloudformation/firewall_rule.rb +3 -3
- data/modules/mu/{clouds → providers}/cloudformation/loadbalancer.rb +3 -3
- data/modules/mu/{clouds → providers}/cloudformation/log.rb +3 -3
- data/modules/mu/{clouds → providers}/cloudformation/server.rb +7 -7
- data/modules/mu/{clouds → providers}/cloudformation/server_pool.rb +5 -5
- data/modules/mu/{clouds → providers}/cloudformation/vpc.rb +5 -7
- data/modules/mu/{clouds → providers}/docker.rb +0 -0
- data/modules/mu/{clouds → providers}/google.rb +67 -30
- data/modules/mu/{clouds → providers}/google/bucket.rb +13 -15
- data/modules/mu/{clouds → providers}/google/container_cluster.rb +84 -77
- data/modules/mu/{clouds → providers}/google/database.rb +10 -20
- data/modules/mu/{clouds → providers}/google/firewall_rule.rb +15 -14
- data/modules/mu/{clouds → providers}/google/folder.rb +20 -17
- data/modules/mu/{clouds → providers}/google/function.rb +139 -167
- data/modules/mu/{clouds → providers}/google/group.rb +29 -34
- data/modules/mu/{clouds → providers}/google/habitat.rb +21 -22
- data/modules/mu/{clouds → providers}/google/loadbalancer.rb +18 -20
- data/modules/mu/{clouds → providers}/google/role.rb +92 -58
- data/modules/mu/{clouds → providers}/google/server.rb +242 -155
- data/modules/mu/{clouds → providers}/google/server_pool.rb +25 -44
- data/modules/mu/{clouds → providers}/google/user.rb +95 -31
- data/modules/mu/{clouds → providers}/google/userdata/README.md +0 -0
- data/modules/mu/{clouds → providers}/google/userdata/linux.erb +0 -0
- data/modules/mu/{clouds → providers}/google/userdata/windows.erb +0 -0
- data/modules/mu/{clouds → providers}/google/vpc.rb +103 -79
- data/modules/tests/bucket.yml +4 -0
- data/modules/tests/centos6.yaml +11 -0
- data/modules/tests/centos7.yaml +11 -0
- data/modules/tests/centos8.yaml +12 -0
- data/modules/tests/ecs.yaml +23 -0
- data/modules/tests/includes-and-params.yaml +2 -1
- data/modules/tests/rds.yaml +108 -0
- data/modules/tests/regrooms/aws-iam.yaml +201 -0
- data/modules/tests/regrooms/bucket.yml +19 -0
- data/modules/tests/regrooms/rds.yaml +123 -0
- data/modules/tests/server-with-scrub-muisms.yaml +1 -0
- data/modules/tests/super_simple_bok.yml +1 -3
- data/modules/tests/win2k12.yaml +17 -5
- data/modules/tests/win2k16.yaml +25 -0
- data/modules/tests/win2k19.yaml +25 -0
- data/requirements.txt +1 -0
- data/spec/mu/clouds/azure_spec.rb +2 -2
- metadata +232 -154
- data/extras/image-generators/AWS/windows.yaml +0 -18
- data/modules/mu/clouds/aws/database.rb +0 -1985
@@ -19,7 +19,7 @@ attribute :domain_admin_password, :kind_of => String, :required => true
|
|
19
19
|
attribute :restore_mode_password, :kind_of => String, :required => true
|
20
20
|
attribute :site_name, :kind_of => String, :default => node['ad']['site_name'], :required => false
|
21
21
|
attribute :computer_name, :kind_of => String, :default => node['ad']['computer_name']
|
22
|
-
attribute :ntds_static_port, :kind_of =>
|
23
|
-
attribute :ntfrs_static_port, :kind_of =>
|
24
|
-
attribute :dfsr_static_port, :kind_of =>
|
25
|
-
attribute :netlogon_static_port, :kind_of =>
|
22
|
+
attribute :ntds_static_port, :kind_of => Integer, :default => node['ad']['ntds_static_port']
|
23
|
+
attribute :ntfrs_static_port, :kind_of => Integer, :default => node['ad']['ntfrs_static_port']
|
24
|
+
attribute :dfsr_static_port, :kind_of => Integer, :default => node['ad']['dfsr_static_port']
|
25
|
+
attribute :netlogon_static_port, :kind_of => Integer, :default => node['ad']['netlogon_static_port']
|
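Review bot: `:kind_of => Integer` on the four new `*_static_port` attributes admits any Integer, so a value outside the TCP port range passes resource validation and only fails later when the AD configuration consumes it, while a port arriving as a String from JSON node attributes is rejected outright. Consider a range check through the attribute DSL's `:callbacks`, e.g. `:callbacks => { "must be a TCP port (1-65535)" => lambda { |p| (1..65535).include?(p) } }` on each of the four `attribute` lines. The identical four lines are added in the hunk that follows (presumably the domain_controller resource, per the diffstat) and need the same treatment.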
@@ -19,7 +19,7 @@ attribute :domain_admin_password, :kind_of => String, :required => true
|
|
19
19
|
attribute :restore_mode_password, :kind_of => String, :required => true
|
20
20
|
attribute :site_name, :kind_of => String, :default => node['ad']['site_name'], :required => false
|
21
21
|
attribute :computer_name, :kind_of => String, :default => node['ad']['computer_name']
|
22
|
-
attribute :ntds_static_port, :kind_of =>
|
23
|
-
attribute :ntfrs_static_port, :kind_of =>
|
24
|
-
attribute :dfsr_static_port, :kind_of =>
|
25
|
-
attribute :netlogon_static_port, :kind_of =>
|
22
|
+
attribute :ntds_static_port, :kind_of => Integer, :default => node['ad']['ntds_static_port']
|
23
|
+
attribute :ntfrs_static_port, :kind_of => Integer, :default => node['ad']['ntfrs_static_port']
|
24
|
+
attribute :dfsr_static_port, :kind_of => Integer, :default => node['ad']['dfsr_static_port']
|
25
|
+
attribute :netlogon_static_port, :kind_of => Integer, :default => node['ad']['netlogon_static_port']
|
@@ -49,7 +49,6 @@ module Mutools
|
|
49
49
|
@authorizer = nil
|
50
50
|
def set_gcp_cfg_params
|
51
51
|
begin
|
52
|
-
require "google/cloud"
|
53
52
|
require "googleauth"
|
54
53
|
@project ||= get_google_metadata("project/project-id")
|
55
54
|
@authorizer ||= ::Google::Auth.get_application_default(['https://www.googleapis.com/auth/cloud-platform', 'https://www.googleapis.com/auth/compute.readonly'])
|
@@ -202,6 +201,8 @@ module Mutools
|
|
202
201
|
Chef::Log.info("Fetching deploy secret: #{gsutil} cp gs://#{bucket}/#(unknown) -")
|
203
202
|
cmd = if File.exist?("/usr/bin/python2.7")
|
204
203
|
%Q{CLOUDSDK_PYTHON=/usr/bin/python2.7 #{gsutil} cp gs://#{bucket}/#(unknown) -}
|
204
|
+
elsif File.exist?("/opt/rh/python27/root/usr/bin/python")
|
205
|
+
%Q{CLOUDSDK_PYTHON=/opt/rh/python27/root/usr/bin/python #{gsutil} cp gs://#{bucket}/#(unknown) -}
|
205
206
|
else
|
206
207
|
%Q{#{gsutil} cp gs://#{bucket}/#(unknown) -}
|
207
208
|
end
|
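Review bot: The `cmd = if ... elsif ... else` chain now repeats the same `gsutil cp gs://#{bucket}/... -` command three times, differing only in the `CLOUDSDK_PYTHON` prefix, and the next interpreter location will add a fourth copy. Choose the interpreter first, `python = ["/usr/bin/python2.7", "/opt/rh/python27/root/usr/bin/python"].find { |p| File.exist?(p) }`, then `prefix = python ? "CLOUDSDK_PYTHON=#{python} " : ""`, and build the command once as `%Q{#{prefix}#{gsutil} cp gs://#{bucket}/<same object path> -}`. How `cmd` is executed is outside this hunk; since it is assembled by interpolation it should continue to be fed only from trusted node configuration.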
@@ -235,7 +236,7 @@ module Mutools
|
|
235
236
|
response = nil
|
236
237
|
begin
|
237
238
|
secret = get_deploy_secret
|
238
|
-
if secret.nil?
|
239
|
+
if secret.nil? or secret.empty?
|
239
240
|
raise "Failed to fetch deploy secret, and I can't communicate with Momma Cat without it"
|
240
241
|
end
|
241
242
|
|
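Review bot: `if secret.nil? or secret.empty?` uses `or`, which binds more loosely than `||`; inside an `if` condition it happens to work, but `if secret.nil? || secret.empty?` is the idiomatic form and avoids the precedence trap if the expression is ever reused in an assignment. The same `and`/`or` spelling appears in the new `if platform_family?("rhel") or platform_family?("amazon")` line of the aws_api.rb hunk and in the two-line `and` / `or` condition of the selinux.rb hunk. The `begin`/`rescue` enclosing `get_deploy_secret` continues outside this hunk, so the handling of the raised error is not visible here.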
@@ -0,0 +1,35 @@
|
|
1
|
+
class Chef
|
2
|
+
class Provider
|
3
|
+
class Package
|
4
|
+
class Rubygems < Chef::Provider::Package
|
5
|
+
|
6
|
+
def install_via_gem_command(name, version)
|
7
|
+
src = []
|
8
|
+
if new_resource.source.is_a?(String) && new_resource.source =~ /\.gem$/i
|
9
|
+
name = new_resource.source
|
10
|
+
else
|
11
|
+
src << "--clear-sources" if new_resource.clear_sources
|
12
|
+
src += gem_sources.map { |s| "--source=#{s}" }
|
13
|
+
end
|
14
|
+
src_str = src.empty? ? "" : " #{src.join(" ")}"
|
15
|
+
cmd = if !version.nil? && !version.empty?
|
16
|
+
"#{gem_binary_path} install #{name} -q --no-rdoc --no-ri -v \"#{version}\"#{src_str}#{opts}"
|
17
|
+
else
|
18
|
+
"#{gem_binary_path} install \"#{name}\" -q --no-rdoc --no-ri #{src_str}#{opts}"
|
19
|
+
end
|
20
|
+
|
21
|
+
begin
|
22
|
+
shell_out_with_timeout!(cmd, env: nil)
|
23
|
+
rescue StandardError => e
|
24
|
+
if cmd.match(/--no-rdoc|--no-ri/)
|
25
|
+
cmd.gsub!(/--no-rdoc --no-ri/, "--no-document")
|
26
|
+
retry
|
27
|
+
end
|
28
|
+
raise e
|
29
|
+
end
|
30
|
+
end
|
31
|
+
|
32
|
+
end
|
33
|
+
end
|
34
|
+
end
|
35
|
+
end
|
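Review bot: In `install_via_gem_command`, `name` is interpolated unquoted in the versioned command (`install #{name} -q ...`) but quoted in the unversioned one (`install \"#{name}\" ...`), and when `new_resource.source` ends in `.gem` that `name` is a filesystem path; a path or gem name containing spaces or shell metacharacters is therefore split differently by the two branches once `shell_out_with_timeout!` hands the string to a shell. Quote it in both, `"#{gem_binary_path} install \"#{name}\" -q --no-rdoc --no-ri -v \"#{version}\"#{src_str}#{opts}"`, or assemble the argument list with `Shellwords`. The file also never says why it overrides Chef's own provider; a header such as `# Overrides Chef::Provider::Package::Rubygems#install_via_gem_command so that --no-rdoc/--no-ri are retried as --no-document on RubyGems versions that dropped those flags` would spare the next reader a diff against upstream. `raise e` inside the `rescue` can be a bare `raise`, and the retry is bounded because the second pass no longer matches `/--no-rdoc|--no-ri/`.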
@@ -252,21 +252,21 @@ if !node['application_attributes']['skip_recipes'].include?('apply_security')
|
|
252
252
|
# end
|
253
253
|
# 6.3 Configure PAM
|
254
254
|
# 6.3.2 Set Password Creation Requirement Parameters Using pam_cracklib
|
255
|
-
template "/etc/pam.d/password-auth-local" do
|
256
|
-
source "etc_pamd_password-auth.erb"
|
257
|
-
mode 0644
|
258
|
-
end
|
259
|
-
link "/etc/pam.d/password-auth" do
|
260
|
-
to "/etc/pam.d/password-auth-local"
|
261
|
-
end
|
255
|
+
# template "/etc/pam.d/password-auth-local" do
|
256
|
+
# source "etc_pamd_password-auth.erb"
|
257
|
+
# mode 0644
|
258
|
+
# end
|
259
|
+
# link "/etc/pam.d/password-auth" do
|
260
|
+
# to "/etc/pam.d/password-auth-local"
|
261
|
+
# end
|
262
262
|
#6.3.3 Set Lockout for Failed Password Attempts
|
263
|
-
template "/etc/pam.d/system-auth-local" do
|
264
|
-
source "etc_pamd_system-auth.erb"
|
265
|
-
mode 0644
|
266
|
-
end
|
267
|
-
link "/etc/pam.d/system-auth" do
|
268
|
-
to "/etc/pam.d/system-auth-local"
|
269
|
-
end
|
263
|
+
# template "/etc/pam.d/system-auth-local" do
|
264
|
+
# source "etc_pamd_system-auth.erb"
|
265
|
+
# mode 0644
|
266
|
+
# end
|
267
|
+
# link "/etc/pam.d/system-auth" do
|
268
|
+
# to "/etc/pam.d/system-auth-local"
|
269
|
+
# end
|
270
270
|
|
271
271
|
#SV-50303r1_rule/SV-50304r1_rule
|
272
272
|
execute "chown root:root /etc/shadow"
|
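Review bot: The `template`/`link` resources for `/etc/pam.d/password-auth` and `/etc/pam.d/system-auth` (the CIS 6.3.2 and 6.3.3 items) are commented out with no explanation, so the password-complexity and lockout controls this recipe advertises are silently no longer applied while the `# 6.3.2` and `#6.3.3` headings still claim they are. Either delete the dead block (version control keeps it) or gate it behind a node attribute, and in both cases leave a comment under the `# 6.3.2` heading such as `# NOTE: PAM password-auth/system-auth hardening is disabled (reason: <fill in>); CIS 6.3.2/6.3.3 are not enforced until it is restored.` The enclosing `if !node['application_attributes']['skip_recipes'].include?('apply_security')` block starts outside this hunk.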
@@ -21,3 +21,12 @@ chef_gem "aws-sdk-core" do
|
|
21
21
|
version "2.11.24"
|
22
22
|
action :install
|
23
23
|
end
|
24
|
+
|
25
|
+
if platform_family?("rhel") or platform_family?("amazon")
|
26
|
+
if node['platform_version'].to_i == 6
|
27
|
+
package "python34-pip"
|
28
|
+
execute "/usr/bin/pip3 install awscli" do
|
29
|
+
not_if "test -x /usr/bin/aws"
|
30
|
+
end
|
31
|
+
end
|
32
|
+
end
|
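Review bot: `execute "/usr/bin/pip3 install awscli"` installs whatever version PyPI serves at converge time, unpinned and unverified, while the `chef_gem "aws-sdk-core"` directly above pins `version "2.11.24"`; pin it the same way, `execute "/usr/bin/pip3 install awscli==<pinned-version>"` with the existing `not_if "test -x /usr/bin/aws"` guard, so converges are reproducible and an upstream release cannot change what lands on the node without review. Separately, the `platform_family?("amazon")` branch only runs when `node['platform_version'].to_i == 6`; if Amazon Linux reports a date-style version (for example 2018.03) as I believe Ohai does, that branch is unreachable there, so either drop the amazon check or test the version string it actually reports.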
@@ -160,8 +160,8 @@ Environment='KUBELET_EXTRA_ARGS=$KUBELET_EXTRA_ARGS'
|
|
160
160
|
|
161
161
|
opento.uniq.each { |src|
|
162
162
|
[:tcp, :udp, :icmp].each { |proto|
|
163
|
-
execute "iptables -I INPUT -p #{proto} -s #{src}" do
|
164
|
-
not_if "iptables -L -n | tr -s ' ' | grep -- '#{proto} -- #{src.sub(/\/32$/, "")}' > /dev/null"
|
163
|
+
execute "iptables -w 30 -I INPUT -p #{proto} -s #{src}" do
|
164
|
+
not_if "iptables -w 30 -L -n | tr -s ' ' | grep -- '#{proto} -- #{src.sub(/\/32$/, "")}' > /dev/null"
|
165
165
|
end
|
166
166
|
}
|
167
167
|
}
|
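Review bot: The rule on the `execute "iptables -w 30 -I INPUT -p #{proto} -s #{src}"` line has no `-j` target, so as written iptables inserts a match-only rule that counts packets from `src` but neither accepts nor drops them; if `opento` is meant to admit those sources, the command needs `-j ACCEPT`, and the `not_if` grep stays valid because `-L -n` output still shows `proto -- src`. The added `-w 30` correctly waits for the xtables lock instead of failing when another caller holds it. The `opento.uniq.each` loop starts outside this hunk, so whether a later rule supplies the target cannot be seen here.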
@@ -16,10 +16,10 @@
|
|
16
16
|
# See the License for the specific language governing permissions and
|
17
17
|
# limitations under the License.
|
18
18
|
|
19
|
-
["google-api-client", "
|
19
|
+
["google-api-client", "googleauth"].each { |gem|
|
20
20
|
chef_gem gem do
|
21
21
|
compile_time true
|
22
22
|
action :install
|
23
|
-
only_if { !get_google_metadata("name").nil? }
|
23
|
+
only_if { !get_google_metadata("instance/name").nil? }
|
24
24
|
end
|
25
25
|
}
|
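Review bot: Both `chef_gem` installs of `google-api-client` and `googleauth` are unpinned and run at `compile_time`, so every converge takes whatever the gem source currently serves, unlike the sibling aws_api.rb recipe which pins `aws-sdk-core` to a fixed version; add `version "<pinned version>"` inside the `chef_gem gem do` body so the dependency is reproducible and upgrades go through review. The block parameter `gem` also shadows `Kernel#gem`; `["google-api-client", "googleauth"].each { |gem_name|` with `chef_gem gem_name do` avoids the surprise. The switch to `get_google_metadata("instance/name")` looks consistent with the metadata server's path layout.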
@@ -4,7 +4,8 @@
|
|
4
4
|
#
|
5
5
|
# Copyright:: 2019, The Authors, All Rights Reserved.
|
6
6
|
|
7
|
-
if !node['application_attributes']['skip_recipes'].include?('selinux')
|
7
|
+
if !node['application_attributes']['skip_recipes'].include?('selinux') and
|
8
|
+
(platform_family?("rhel") or platform_family?("amazon"))
|
8
9
|
|
9
10
|
selinux_state "SELinux Enforcing" do
|
10
11
|
action :enforcing
|
@@ -26,20 +26,22 @@ if !node['application_attributes']['skip_recipes'].include?('windows-client')
|
|
26
26
|
|
27
27
|
sshd_password = windows_vault[node['windows_sshd_password_field']]
|
28
28
|
|
29
|
+
admin_user = node['windows_admin_username'] || "Administrator"
|
30
|
+
|
29
31
|
windows_version = node['platform_version'].to_i
|
30
32
|
|
31
33
|
public_keys = Array.new
|
32
34
|
|
33
|
-
if windows_version
|
35
|
+
if windows_version >= 10
|
34
36
|
Chef::Log.info "version #{windows_version}, using openssh"
|
35
37
|
|
36
38
|
include_recipe 'chocolatey'
|
37
39
|
|
38
40
|
openssh_path = 'C:\Program Files\OpenSSH-Win64'
|
39
41
|
|
40
|
-
ssh_program_data = "#{ENV['ProgramData']}
|
42
|
+
ssh_program_data = "#{ENV['ProgramData']}\\ssh"
|
41
43
|
|
42
|
-
ssh_dir = "C:/Users
|
44
|
+
ssh_dir = "C:/Users/#{admin_user}/.ssh"
|
43
45
|
|
44
46
|
authorized_keys = "#{ssh_dir}/authorized_keys"
|
45
47
|
|
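Review bot: `ssh_dir = "C:/Users/#{admin_user}/.ssh"` assumes the account's profile directory is named exactly after `admin_user` and lives under `C:/Users`, which is not true for a relocated profile or a domain account whose folder carries a domain suffix; now that `admin_user` comes from `node['windows_admin_username']`, consider resolving the profile path from the system rather than composing it, or at least note the assumption in a comment on that line. The new `if windows_version >= 10` guard fixes the always-true `if windows_version`, but the branch and whatever handles older versions continue outside this hunk. Minor style: `public_keys = Array.new` is `public_keys = []`.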
@@ -86,7 +88,8 @@ if !node['application_attributes']['skip_recipes'].include?('windows-client')
|
|
86
88
|
path ssh_program_data
|
87
89
|
owner sshd_user
|
88
90
|
rights :full_control, sshd_user
|
89
|
-
rights :full_control,
|
91
|
+
rights :full_control, admin_user
|
92
|
+
notifies :run, 'ruby[find files to change ownership of]', :immediately
|
90
93
|
notifies :run, 'powershell_script[Generate Host Key]', :immediately
|
91
94
|
end
|
92
95
|
|
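Review bot: `rights :full_control, admin_user` on the `ssh_program_data` directory grants the administrative account full control over the sshd host keys and `sshd_config`, yet the `"set file ownership"` directory resource on the same path in the next hunk does `deny_rights :full_control, admin_user`; the two resources fight over one ACL and the effective permissions depend on which converged last, which makes the intended model unreadable. Decide on one and drop the other, and add a comment on the surviving line stating why the admin must or must not be able to touch sshd's files. The `directory` resource's opening line is outside this hunk.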
@@ -97,22 +100,22 @@ if !node['application_attributes']['skip_recipes'].include?('windows-client')
|
|
97
100
|
notifies :create, "template[#{ssh_program_data}/sshd_config]", :immediately
|
98
101
|
end
|
99
102
|
|
100
|
-
|
103
|
+
directory "set file ownership" do
|
101
104
|
action :nothing
|
105
|
+
path ssh_program_data
|
102
106
|
owner sshd_user
|
103
|
-
source "sshd_config.erb"
|
104
107
|
mode '0600'
|
105
|
-
|
106
|
-
|
108
|
+
rights :full_control, sshd_user
|
109
|
+
deny_rights :full_control, admin_user
|
107
110
|
end
|
108
111
|
|
109
|
-
|
112
|
+
template "#{ssh_program_data}/sshd_config" do
|
110
113
|
action :nothing
|
111
|
-
path ssh_program_data
|
112
114
|
owner sshd_user
|
115
|
+
source "sshd_config.erb"
|
113
116
|
mode '0600'
|
114
|
-
|
115
|
-
|
117
|
+
cookbook "mu-tools"
|
118
|
+
notifies :run, 'ruby[find files to change ownership of]', :immediately
|
116
119
|
end
|
117
120
|
|
118
121
|
windows_service 'sshd' do
|
@@ -120,26 +123,26 @@ if !node['application_attributes']['skip_recipes'].include?('windows-client')
|
|
120
123
|
end
|
121
124
|
|
122
125
|
group 'sshusers' do
|
123
|
-
members [sshd_user,
|
126
|
+
members [sshd_user, admin_user]
|
124
127
|
end
|
125
128
|
|
126
129
|
ruby 'find files to change ownership of' do
|
127
130
|
action :nothing
|
128
131
|
code <<-EOH
|
129
|
-
files = Dir.entries ssh_program_data
|
132
|
+
files = Dir.entries '#{ssh_program_data}'
|
130
133
|
puts files
|
131
134
|
EOH
|
132
135
|
end
|
133
136
|
|
134
|
-
log 'files in ssh' do
|
135
|
-
message files.join
|
136
|
-
level :info
|
137
|
-
end
|
138
|
-
|
137
|
+
# log 'files in ssh' do
|
138
|
+
# message files.join
|
139
|
+
# level :info
|
140
|
+
# end
|
141
|
+
#
|
139
142
|
files.each do |file|
|
140
143
|
file "#{ssh_program_data}#{file}" do
|
141
144
|
owner sshd_user
|
142
|
-
deny_rights :full_control,
|
145
|
+
deny_rights :full_control, admin_user
|
143
146
|
end
|
144
147
|
end
|
145
148
|
|
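Review bot: `files.each do |file|` at recipe level iterates a variable that is only assigned inside the `ruby` resource's `code` heredoc, and that code runs in a separate interpreter at converge time, so unless `files` is defined earlier in the recipe outside this hunk the recipe raises `NameError` at compile. Even with a list in hand, `file "#{ssh_program_data}#{file}"` has no separator between the directory and the entry name (`...\ssh` + `sshd_config` becomes `...\sshsshd_config`), and `Dir.entries` includes `.` and `..`; use `::File.join(ssh_program_data, file)` and `Dir.children`. The per-file `deny_rights :full_control, admin_user` is the right default for sshd's private material, but the discovery loop has to run at converge time (for example inside a `ruby_block`) after the host key is generated for it to see anything.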
@@ -150,7 +153,7 @@ if !node['application_attributes']['skip_recipes'].include?('windows-client')
|
|
150
153
|
end
|
151
154
|
|
152
155
|
file authorized_keys do
|
153
|
-
owner
|
156
|
+
owner admin_user
|
154
157
|
content public_key
|
155
158
|
end
|
156
159
|
|
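Review bot: `file authorized_keys do owner admin_user ... end` writes the key to the admin's `.ssh/authorized_keys`, but Win32-OpenSSH's stock `sshd_config` ends with a `Match Group administrators` block that makes sshd read keys for administrative accounts from `%ProgramData%\ssh\administrators_authorized_keys` instead; unless the `sshd_config.erb` rendered earlier in this recipe removes that block, the key placed here is never consulted for `admin_user`. Either confirm the template drops the `Match` block and say so in a comment on this resource, or write the key to the administrators file with the restrictive ACL sshd requires for it. `content public_key` is populated outside this hunk.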
@@ -184,153 +187,149 @@ if !node['application_attributes']['skip_recipes'].include?('windows-client')
|
|
184
187
|
# end
|
185
188
|
# }
|
186
189
|
|
187
|
-
reboot "Cygwin LSA" do
|
188
|
-
action :nothing
|
189
|
-
reason "Enabling Cygwin LSA support"
|
190
|
-
end
|
191
|
-
|
192
|
-
powershell_script "Configuring Cygwin LSA support" do
|
193
|
-
code <<-EOH
|
194
|
-
Invoke-Expression '& #{cygwindir}/bin/bash.exe --login -c "echo yes | /bin/cyglsa-config"'
|
195
|
-
EOH
|
196
|
-
not_if {
|
197
|
-
lsa_found = false
|
198
|
-
if registry_key_exists?("HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa")
|
199
|
-
registry_get_values("HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa").each { |val|
|
200
|
-
if val[:name] == "Authentication Packages"
|
201
|
-
lsa_found = true if val[:data].grep(/cyglsa64\.dll/)
|
202
|
-
break
|
203
|
-
end
|
204
|
-
}
|
205
|
-
end
|
206
|
-
lsa_found
|
207
|
-
}
|
208
|
-
notifies :reboot_now, "reboot[Cygwin LSA]", :immediately
|
209
|
-
end
|
210
|
-
|
211
|
-
powershell_script "enable Cygwin sshd" do
|
212
|
-
code <<-EOH
|
213
|
-
Invoke-Expression -Debug '& #{cygwindir}/bin/bash.exe --login -c "ssh-host-config -y -c ntsec -w ''#{sshd_password}'' -u #{sshd_user}"'
|
214
|
-
Invoke-Expression -Debug '& #{cygwindir}/bin/bash.exe --login -c "sed -i.bak ''s/#.*StrictModes.*yes/StrictModes no/'' /etc/sshd_config"'
|
215
|
-
Invoke-Expression -Debug '& #{cygwindir}/bin/bash.exe --login -c "sed -i.bak ''s/#.*PasswordAuthentication.*yes/PasswordAuthentication no/'' /etc/sshd_config"'
|
216
|
-
Invoke-Expression -Debug '& #{cygwindir}/bin/bash --login -c "chown #{sshd_user} /var/empty /var/log/sshd.log /etc/ssh*; chmod 755 /var/empty"'
|
217
|
-
EOH
|
218
|
-
sensitive true
|
219
|
-
not_if %Q{Get-Service "sshd"}
|
220
|
-
end
|
221
|
-
powershell_script "set unix-style Cygwin sshd permissions" do
|
222
|
-
code <<-EOH
|
223
|
-
if((Get-WmiObject win32_computersystem).partofdomain){
|
224
|
-
Invoke-Expression -Debug '& #{cygwindir}/bin/bash --login -c "mkpasswd -d > /etc/passwd"'
|
225
|
-
Invoke-Expression -Debug '& #{cygwindir}/bin/bash --login -c "mkgroup -l -d > /etc/group"'
|
226
|
-
} else {
|
227
|
-
Invoke-Expression -Debug '& #{cygwindir}/bin/bash --login -c "mkpasswd -l > /etc/passwd"'
|
228
|
-
Invoke-Expression -Debug '& #{cygwindir}/bin/bash --login -c "mkgroup -l > /etc/group"'
|
229
|
-
}
|
230
|
-
Invoke-Expression -Debug '& #{cygwindir}/bin/bash --login -c "chown #{sshd_user} /var/empty /var/log/sshd.log /etc/ssh*; chmod 755 /var/empty"'
|
231
|
-
EOH
|
232
|
-
end
|
233
|
-
|
234
|
-
include_recipe 'mu-activedirectory'
|
235
|
-
|
236
|
-
::Chef::Recipe.send(:include, Chef::Mixin::PowershellOut)
|
237
|
-
|
238
|
-
template "c:/bin/cygwin/etc/sshd_config" do
|
239
|
-
source "sshd_config.erb"
|
240
|
-
mode 0644
|
241
|
-
cookbook "mu-tools"
|
242
|
-
ignore_failure true
|
243
|
-
end
|
244
|
-
|
245
|
-
ec2config_user= windows_vault[node['windows_ec2config_username_field']]
|
246
|
-
ec2config_password = windows_vault[node['windows_ec2config_password_field']]
|
247
|
-
login_dom = "."
|
248
|
-
|
249
|
-
if in_domain?
|
250
|
-
|
251
|
-
ad_vault = chef_vault_item(node['ad']['domain_admin_vault'], node['ad']['domain_admin_item'])
|
252
|
-
login_dom = node['ad']['netbios_name']
|
253
|
-
|
254
|
-
windows_users node['ad']['computer_name'] do
|
255
|
-
username ad_vault[node['ad']['domain_admin_username_field']]
|
256
|
-
password ad_vault[node['ad']['domain_admin_password_field']]
|
257
|
-
domain_name node['ad']['domain_name']
|
258
|
-
netbios_name node['ad']['netbios_name']
|
259
|
-
dc_ips node['ad']['dc_ips']
|
260
|
-
ssh_user sshd_user
|
261
|
-
ssh_password sshd_password
|
262
|
-
ec2config_user ec2config_user
|
263
|
-
ec2config_password ec2config_password
|
264
|
-
end
|
265
|
-
|
266
|
-
aws_windows "ec2" do
|
267
|
-
username ec2config_user
|
268
|
-
service_username "#{node['ad']['netbios_name']}\\#{ec2config_user}"
|
269
|
-
password ec2config_password
|
270
|
-
end
|
271
|
-
|
272
|
-
scheduled_tasks "tasks" do
|
273
|
-
username ad_vault[node['ad']['domain_admin_username_field']]
|
274
|
-
password ad_vault[node['ad']['domain_admin_password_field']]
|
275
|
-
end
|
276
|
-
|
277
|
-
sshd_service "sshd" do
|
278
|
-
service_username "#{node['ad']['netbios_name']}\\#{sshd_user}"
|
279
|
-
username sshd_user
|
280
|
-
password sshd_password
|
281
|
-
end
|
282
|
-
|
283
|
-
begin
|
284
|
-
resources('service[sshd]')
|
285
|
-
escue Chef::Exceptions::ResourceNotFound
|
286
|
-
service "sshd" do
|
287
|
-
action [:enable, :start]
|
288
|
-
sensitive true
|
289
|
-
end
|
290
|
-
end
|
291
|
-
else
|
292
|
-
windows_users node['hostname'] do
|
293
|
-
username node['windows_admin_username']
|
294
|
-
password windows_vault[node['windows_auth_password_field']]
|
295
|
-
ssh_user sshd_user
|
296
|
-
ssh_password sshd_password
|
297
|
-
ec2config_user ec2config_user
|
298
|
-
ec2config_password ec2config_password
|
299
|
-
end
|
300
|
-
|
301
|
-
aws_windows "ec2" do
|
302
|
-
username ec2config_user
|
303
|
-
service_username ".\\#{ec2config_user}"
|
304
|
-
password ec2config_password
|
305
|
-
end
|
306
|
-
|
307
|
-
scheduled_tasks "tasks" do
|
308
|
-
username node['windows_admin_username']
|
309
|
-
password windows_vault[node['windows_auth_password_field']]
|
310
|
-
end
|
190
|
+
# reboot "Cygwin LSA" do
|
191
|
+
# action :nothing
|
192
|
+
# reason "Enabling Cygwin LSA support"
|
193
|
+
# end
|
194
|
+
#
|
195
|
+
# powershell_script "Configuring Cygwin LSA support" do
|
196
|
+
# code <<-EOH
|
197
|
+
# Invoke-Expression '& #{cygwindir}/bin/bash.exe --login -c "echo yes | /bin/cyglsa-config"'
|
198
|
+
# EOH
|
199
|
+
# not_if {
|
200
|
+
# lsa_found = false
|
201
|
+
# if registry_key_exists?("HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa")
|
202
|
+
# registry_get_values("HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa").each { |val|
|
203
|
+
# if val[:name] == "Authentication Packages"
|
204
|
+
# lsa_found = true if val[:data].grep(/cyglsa64\.dll/)
|
205
|
+
# break
|
206
|
+
# end
|
207
|
+
# }
|
208
|
+
# end
|
209
|
+
# lsa_found
|
210
|
+
# }
|
211
|
+
# notifies :reboot_now, "reboot[Cygwin LSA]", :immediately
|
212
|
+
# end
|
213
|
+
#
|
214
|
+
# powershell_script "enable Cygwin sshd" do
|
215
|
+
# code <<-EOH
|
216
|
+
# Invoke-Expression -Debug '& #{cygwindir}/bin/bash.exe --login -c "ssh-host-config -y -c ntsec -w ''#{sshd_password}'' -u #{sshd_user}"'
|
217
|
+
# Invoke-Expression -Debug '& #{cygwindir}/bin/bash.exe --login -c "sed -i.bak ''s/#.*StrictModes.*yes/StrictModes no/'' /etc/sshd_config"'
|
218
|
+
# Invoke-Expression -Debug '& #{cygwindir}/bin/bash.exe --login -c "sed -i.bak ''s/#.*PasswordAuthentication.*yes/PasswordAuthentication no/'' /etc/sshd_config"'
|
219
|
+
# Invoke-Expression -Debug '& #{cygwindir}/bin/bash --login -c "chown #{sshd_user} /var/empty /var/log/sshd.log /etc/ssh*; chmod 755 /var/empty"'
|
220
|
+
# EOH
|
221
|
+
# sensitive true
|
222
|
+
# not_if %Q{Get-Service "sshd"}
|
223
|
+
# end
|
224
|
+
# powershell_script "set unix-style Cygwin sshd permissions" do
|
225
|
+
# code <<-EOH
|
226
|
+
# if((Get-WmiObject win32_computersystem).partofdomain){
|
227
|
+
# Invoke-Expression -Debug '& #{cygwindir}/bin/bash --login -c "mkpasswd -d > /etc/passwd"'
|
228
|
+
# Invoke-Expression -Debug '& #{cygwindir}/bin/bash --login -c "mkgroup -l -d > /etc/group"'
|
229
|
+
# } else {
|
230
|
+
# Invoke-Expression -Debug '& #{cygwindir}/bin/bash --login -c "mkpasswd -l > /etc/passwd"'
|
231
|
+
# Invoke-Expression -Debug '& #{cygwindir}/bin/bash --login -c "mkgroup -l > /etc/group"'
|
232
|
+
# }
|
233
|
+
# Invoke-Expression -Debug '& #{cygwindir}/bin/bash --login -c "chown #{sshd_user} /var/empty /var/log/sshd.log /etc/ssh*; chmod 755 /var/empty"'
|
234
|
+
# EOH
|
235
|
+
# end
|
236
|
+
#
|
237
|
+
# include_recipe 'mu-activedirectory'
|
238
|
+
#
|
239
|
+
# ::Chef::Recipe.send(:include, Chef::Mixin::PowershellOut)
|
240
|
+
#
|
241
|
+
# template "c:/bin/cygwin/etc/sshd_config" do
|
242
|
+
# source "sshd_config.erb"
|
243
|
+
# mode 0644
|
244
|
+
# cookbook "mu-tools"
|
245
|
+
# ignore_failure true
|
246
|
+
# end
|
247
|
+
#
|
248
|
+
# ec2config_user= windows_vault[node['windows_ec2config_username_field']]
|
249
|
+
# ec2config_password = windows_vault[node['windows_ec2config_password_field']]
|
250
|
+
# login_dom = "."
|
251
|
+
#
|
252
|
+
# if in_domain?
|
253
|
+
#
|
254
|
+
# ad_vault = chef_vault_item(node['ad']['domain_admin_vault'], node['ad']['domain_admin_item'])
|
255
|
+
# login_dom = node['ad']['netbios_name']
|
256
|
+
#
|
257
|
+
# windows_users node['ad']['computer_name'] do
|
258
|
+
# username ad_vault[node['ad']['domain_admin_username_field']]
|
259
|
+
# password ad_vault[node['ad']['domain_admin_password_field']]
|
260
|
+
# domain_name node['ad']['domain_name']
|
261
|
+
# netbios_name node['ad']['netbios_name']
|
262
|
+
# dc_ips node['ad']['dc_ips']
|
263
|
+
# ssh_user sshd_user
|
264
|
+
# ssh_password sshd_password
|
265
|
+
# ec2config_user ec2config_user
|
266
|
+
# ec2config_password ec2config_password
|
267
|
+
# end
|
268
|
+
#
|
269
|
+
# aws_windows "ec2" do
|
270
|
+
# username ec2config_user
|
271
|
+
# service_username "#{node['ad']['netbios_name']}\\#{ec2config_user}"
|
272
|
+
# password ec2config_password
|
273
|
+
# end
|
274
|
+
#
|
275
|
+
# scheduled_tasks "tasks" do
|
276
|
+
# username ad_vault[node['ad']['domain_admin_username_field']]
|
277
|
+
# password ad_vault[node['ad']['domain_admin_password_field']]
|
278
|
+
# end
|
279
|
+
#
|
280
|
+
# sshd_service "sshd" do
|
281
|
+
# service_username "#{node['ad']['netbios_name']}\\#{sshd_user}"
|
282
|
+
# username sshd_user
|
283
|
+
# password sshd_password
|
284
|
+
# end
|
285
|
+
#
|
286
|
+
# begin
|
287
|
+
# resources('service[sshd]')
|
288
|
+
# escue Chef::Exceptions::ResourceNotFound
|
289
|
+
# service "sshd" do
|
290
|
+
# action [:enable, :start]
|
291
|
+
# sensitive true
|
292
|
+
# end
|
293
|
+
# end
|
294
|
+
# else
|
295
|
+
# windows_users node['hostname'] do
|
296
|
+
# username node['windows_admin_username']
|
297
|
+
# password windows_vault[node['windows_auth_password_field']]
|
298
|
+
# ssh_user sshd_user
|
299
|
+
# ssh_password sshd_password
|
300
|
+
# ec2config_user ec2config_user
|
301
|
+
# ec2config_password ec2config_password
|
302
|
+
# end
|
303
|
+
#
|
304
|
+
# aws_windows "ec2" do
|
305
|
+
# username ec2config_user
|
306
|
+
# service_username ".\\#{ec2config_user}"
|
307
|
+
# password ec2config_password
|
308
|
+
# end
|
309
|
+
#
|
310
|
+
# scheduled_tasks "tasks" do
|
311
|
+
# username node['windows_admin_username']
|
312
|
+
# password windows_vault[node['windows_auth_password_field']]
|
313
|
+
# end
|
314
|
+
#
|
315
|
+
# sshd_service "sshd" do
|
316
|
+
# username sshd_user
|
317
|
+
# service_username ".\\#{sshd_user}"
|
318
|
+
# password sshd_password
|
319
|
+
# end
|
320
|
+
# begin
|
321
|
+
# resources('service[sshd]')
|
322
|
+
# rescue Chef::Exceptions::ResourceNotFound
|
323
|
+
# service "Cygwin sshd as '#{sshd_user}'" do
|
324
|
+
# service_name "sshd"
|
325
|
+
# action [:enable, :start]
|
326
|
+
# sensitive true
|
327
|
+
# end
|
328
|
+
# end
|
311
329
|
|
312
|
-
sshd_service "sshd" do
|
313
|
-
username sshd_user
|
314
|
-
service_username ".\\#{sshd_user}"
|
315
|
-
password sshd_password
|
316
|
-
end
|
317
|
-
begin
|
318
|
-
resources('service[sshd]')
|
319
|
-
rescue Chef::Exceptions::ResourceNotFound
|
320
|
-
service "Cygwin sshd as '#{sshd_user}'" do
|
321
|
-
service_name "sshd"
|
322
|
-
action [:enable, :start]
|
323
|
-
sensitive true
|
324
|
-
end
|
325
|
-
end
|
326
|
-
end
|
327
330
|
end
|
328
331
|
|
329
332
|
else
|
330
333
|
Chef::Log.info("mu-tools::windows-client: Unsupported platform #{node['platform']}")
|
331
334
|
end
|
332
335
|
end
|
333
|
-
# Copyright:: Copyright (c) 2014 eGlobalTech, Inc., all rights reserved
|
334
|
-
#
|
335
|
-
# Cookbook Name:: mu-tools
|
336
|
-
# Recipe:: windows-client
|
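Review bot: Roughly 120 lines of the Cygwin sshd path are kept as a `#`-commented block instead of being removed, including the `ssh-host-config ... -w ''#{sshd_password}''` invocation and the `escue Chef::Exceptions::ResourceNotFound` typo the old code carried; dead code of that size obscures the recipe and version control already preserves it. With the old branch's closing `end` (old line 326) also removed, it appears that Windows versions failing the `windows_version >= 10` test near the top of the recipe now fall through with no sshd setup and no log line; if Server 2012 is no longer supported, replace the comment block with a one-line `Chef::Log.warn` in that branch saying so, otherwise restore the branch. The `if`/`else` structure being edited starts outside this hunk, so this is inferred from the removed `end` rather than seen directly.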