cloud-mu 3.1.5 → 3.1.6

data/modules/mu/config/schema_helpers.rb

@@ -276,15 +276,20 @@ module MU
             schema_chunk["properties"]["creation_style"] != "existing"
           schema_chunk["properties"].each_pair { |key, subschema|
             shortclass = if conf_chunk[key]
-              shortclass, _cfg_name, _cfg_plural, _classname = MU::Cloud.getResourceNames(key)
+              shortclass, _cfg_name, _cfg_plural, _classname = MU::Cloud.getResourceNames(key, false)
               shortclass
             else
               nil
             end
 
             new_val = applySchemaDefaults(conf_chunk[key], subschema, depth+1, conf_chunk, type: shortclass).dup
-
-            conf_chunk[key] = Marshal.load(Marshal.dump(new_val)) if !new_val.nil?
+            if !new_val.nil?
+              begin
+                conf_chunk[key] = Marshal.load(Marshal.dump(new_val))
+              rescue TypeError
+                conf_chunk[key] = new_val.clone
+              end
+            end
           }
         end
       elsif schema_chunk["type"] == "array" and conf_chunk.kind_of?(Array)

data/modules/mu/config/server.rb

@@ -625,6 +625,13 @@ module MU
         server['vault_access'] << {"vault" => "splunk", "item" => "admin_user"}
         ok = false if !MU::Config::Server.checkVaultRefs(server)
 
+        server['groomer'] ||= self.defaultGroomer
+        groomclass = MU::Groomer.loadGroomer(server['groomer'])
+        if !groomclass.available?(server['platform'].match(/^win/))
+          MU.log "Groomer #{server['groomer']} for #{server['name']} is missing or has incomplete dependencies", MU::ERR
+          ok = false
+        end
+
         if server["cloud"] != "Azure"
           server['dependencies'] << configurator.adminFirewallRuleset(vpc: server['vpc'], region: server['region'], cloud: server['cloud'], credentials: server['credentials'])
         end

data/modules/mu/config/tail.rb

@@ -133,6 +133,7 @@ module MU
     # @param pseudo [<Boolean>]: This is a pseudo-parameter, automatically provided, and not available as user input.
     # @param runtimecode [<String>]: Actual code to allow the cloud layer to interpret literally in its own idiom, e.g. '"Ref" : "AWS::StackName"' for CloudFormation
     def getTail(param, value: nil, prettyname: nil, cloudtype: "String", valid_values: [], description: nil, list_of: nil, prefix: "", suffix: "", pseudo: false, runtimecode: nil)
+      param = param.gsub(/[^a-z0-9_]/i, "_")
       if value.nil?
         if @@parameters.nil? or !@@parameters.has_key?(param)
           MU.log "Parameter '#{param}' (#{param.class.name}) referenced in config but not provided (#{caller[0]})", MU::DEBUG, details: @@parameters

data/modules/mu/config/vpc.rb

@@ -493,6 +493,7 @@ module MU
           # See if we'll be able to create peering connections
           can_peer = false
           already_peered = false
+
           if MU.myCloud == vpc["cloud"] and MU.myVPCObj
             if vpc['peers']
               vpc['peers'].each { |peer|
@@ -636,7 +637,7 @@ module MU
                   MU.log "VPC peering connections to non-local accounts must specify the vpc_id of the peer.", MU::ERR
                   ok = false
                 end
-              elsif !processReference(peer['vpc'], "vpcs", "vpc '#{vpc['name']}'", configurator, dflt_region: peer["vpc"]['region'])
+              elsif !processReference(peer['vpc'], "vpcs", vpc, configurator, dflt_region: peer["vpc"]['region'])
                 ok = false
               end
             end
@@ -735,8 +736,8 @@ module MU
            vpc_block["subnet_pref"] = "all_private" if vpc_block["subnet_pref"] == "private"
         end
 
-        flags = {}
-        flags["subnet_pref"] = vpc_block["subnet_pref"] if !vpc_block["subnet_pref"].nil?
+#        flags = {}
+#        flags["subnet_pref"] = vpc_block["subnet_pref"] if !vpc_block["subnet_pref"].nil?
         hab_arg = if vpc_block['habitat']
           if vpc_block['habitat'].is_a?(MU::Config::Ref)
             [vpc_block['habitat'].id] # XXX actually, findStray it
@@ -770,9 +771,9 @@ MU.log "VPC lookup cache hit", MU::WARN, details: vpc_block
                   tag_key: tag_key,
                   tag_value: tag_value,
                   region: vpc_block["region"],
-                  flags: flags,
                   habitats: hab_arg,
-                  dummy_ok: true
+                  dummy_ok: true,
+                  subnet_pref: vpc_block["subnet_pref"]
                 )
 
                 found.first if found and found.size == 1
@@ -799,7 +800,7 @@ MU.log "VPC lookup cache hit", MU::WARN, details: vpc_block
               @@reference_cache[vpc_block] ||= ext_vpc if ok
             end
           rescue StandardError => e
-            raise MuError, e.inspect, e.backtrace
+            raise MuError, e.inspect, [caller, e.backtrace]
           ensure
             if !ext_vpc and vpc_block['cloud'] != "CloudFormation"
               MU.log "Couldn't resolve VPC reference to a unique live VPC in #{parent_type} #{parent['name']} (called by #{caller[0]})", MU::ERR, details: vpc_block
@@ -923,7 +924,14 @@ MU.log "VPC lookup cache hit", MU::WARN, details: vpc_block
             ext_vpc.subnets.each { |subnet|
               next if dflt_region and vpc_block["cloud"] == "Google" and subnet.az != dflt_region
               if subnet.private? and (vpc_block['subnet_pref'] != "all_public" and vpc_block['subnet_pref'] != "public")
-                private_subnets << { "subnet_id" => configurator.getTail("#{parent['name']} Private Subnet #{priv}", value: subnet.cloud_id, prettyname: "#{parent['name']} Private Subnet #{priv}",  cloudtype:  "AWS::EC2::Subnet::Id"), "az" => subnet.az }
+                private_subnets << {
+                  "subnet_id" => configurator.getTail(
+                    "#{parent['name']} Private Subnet #{priv}",
+                    value: subnet.cloud_id,
+                    prettyname: "#{parent['name']} Private Subnet #{priv}",
+                    cloudtype: "AWS::EC2::Subnet::Id"),
+                  "az" => subnet.az
+                }
                 private_subnets_map[subnet.cloud_id] = subnet
                 priv = priv + 1
               elsif !subnet.private? and vpc_block['subnet_pref'] != "all_private" and vpc_block['subnet_pref'] != "private"

data/modules/mu/config/vpc.yml

@@ -1,7 +1,6 @@
 <% if complexity == 'complex' %>
 name: <%= vpc_name %>
 create_nat_gateway: true
-ip_block: 10.231.0.0/16
 enable_traffic_logging: true
 region: us-east-2
 availability_zones:

data/modules/mu/defaults/AWS.yaml

@@ -73,56 +73,56 @@ ubuntu14:
   ap-southeast-1: ami-2855964b
   ap-southeast-2: ami-d19fc4b2
 win2k12r2: &1
-  us-east-1: ami-00f7cf8d57d29a8a7
-  us-east-2: ami-0c14a2a9b1d88428d
-  ca-central-1: ami-0210e4efc4186f89d
-  us-west-2: ami-036681205605cba8c
-  us-west-1: ami-072d0f2b03f351e5c
-  eu-west-1: ami-061524b3efcc026da
-  eu-west-2: ami-0a7aeb2dae7c7154b
-  eu-west-3: ami-0b16adff6701f08bb
-  eu-north-1: ami-09bd34c6465aa914b
-  sa-east-1: ami-078221cae70b179c4
-  eu-central-1: ami-047d37ec58a8469fb
-  ap-northeast-1: ami-0ce23ffef990003d2
-  ap-south-1: ami-0106284f16a19651a
-  ap-northeast-2: ami-0518e43d0367f1a6d
-  ap-southeast-1: ami-0858019a829a5169d
-  ap-southeast-2: ami-0e0d7d3acb6427f53
+  us-east-1: ami-003aea65bc2e7136a
+  us-east-2: ami-0163293e39ba504c2
+  ca-central-1: ami-055689dd92f29d2aa
+  us-west-2: ami-0ce87dda2c9244e57
+  us-west-1: ami-00d9cf64bd2fafa44
+  eu-west-1: ami-026d7427b9fadad40
+  eu-west-2: ami-036a22c0780551794
+  eu-west-3: ami-05e3d9b79bdc10861
+  eu-north-1: ami-063eb48504c7d73f1
+  sa-east-1: ami-0a8c1829a5e650bc5
+  eu-central-1: ami-0ea20cef52335b008
+  ap-northeast-1: ami-08db2dc67228dbb90
+  ap-south-1: ami-012241411db3f09c3
+  ap-northeast-2: ami-0368c224de1d20502
+  ap-southeast-1: ami-028ef74e1edc3943a
+  ap-southeast-2: ami-09e03eab1b1bc151b
 win2k16: &5
-  us-east-1: ami-090dd1749dc0be91d
-  us-east-2: ami-09c9eeb95291e63d7
-  ca-central-1: ami-0c63a53a15fca4238
-  us-west-2: ami-0b8540e9a207143eb
-  eu-west-1: ami-067b5d8d85d3c8cf8
-  us-west-1: ami-0a2dc7e2cf21ab3e9
-  eu-west-2: ami-0cece465ae4b18027
-  eu-west-3: ami-0cc5f29ed6e0e8a67
-  eu-central-1: ami-02d4da18299373531
-  sa-east-1: ami-021d5c906c1898430
-  ap-northeast-1: ami-01129c98f812a3be7
-  ap-south-1: ami-005c7910458e9541d
-  ap-northeast-2: ami-024840a881c449d78
-  ap-southeast-2: ami-070af17644a596301
-  ap-southeast-1: ami-0bc2e098a07140bc4
-  eu-north-1: ami-03dcc78d77d2ee027
+  us-east-1: ami-02801a2c8dcbfb883
+  us-east-2: ami-0ca4f779a2a58a7ea
+  ca-central-1: ami-05d3854d9d6e9bcc5
+  us-west-2: ami-091f4a88ce32d28b6
+  eu-west-1: ami-0b938c9b23ed7d18c
+  us-west-1: ami-0fd744c3fbe8260f2
+  eu-west-2: ami-071a89b959c5eda27
+  eu-west-3: ami-0b206e3dbda9ff9eb
+  eu-central-1: ami-0dd9bdad31dd0d3ce
+  sa-east-1: ami-0d69b8d6c0f9a7bae
+  ap-northeast-1: ami-02eb4a6f519bc3190
+  ap-south-1: ami-0666fd543ac8b5501
+  ap-northeast-2: ami-01277c81f9b91cf77
+  ap-southeast-2: ami-0426a246f9b0ccadd
+  ap-southeast-1: ami-07ecb0d55c2eb7247
+  eu-north-1: ami-047811530583b6d08
 win2k19:
-  us-east-1: ami-09946f18cbcdce65c
-  us-east-2: ami-02ab72768678bb7d0
-  ca-central-1: ami-0fcf1b24169d88d7f
-  us-west-2: ami-025ca67c85e4e147d
-  eu-west-2: ami-08a0e09c469e6a557
-  us-west-1: ami-05960eb854f91cbb8
-  eu-west-1: ami-0f91d02c05561cf5b
-  eu-central-1: ami-0faafc220143c941c
-  eu-west-3: ami-0d2a0b6f21c7ce4a2
-  eu-north-1: ami-0fecae116e9e331bf
-  sa-east-1: ami-050693ece618acaa5
-  ap-northeast-2: ami-0e0ebd96765911d72
-  ap-northeast-1: ami-0729606d0a4051499
-  ap-southeast-1: ami-06ba249ee50ee9669
-  ap-southeast-2: ami-03a051a6d0f2b79d5
-  ap-south-1: ami-02c287a24c5e872f6
+  us-east-1: ami-00820419bf212df7e
+  us-east-2: ami-0a7916b90aa4629d5
+  ca-central-1: ami-0d704529661e19185
+  us-west-2: ami-0ee6a198d7ac35eb1
+  eu-west-2: ami-0f6ac1634bd7add92
+  us-west-1: ami-039e3816b4cac1e27
+  eu-west-1: ami-03a771d99091199b7
+  eu-central-1: ami-03b648d5b45f51a4f
+  eu-west-3: ami-068839907c18c3a6e
+  eu-north-1: ami-0db851ee76f7deefb
+  sa-east-1: ami-0c2cc60c62159f87c
+  ap-northeast-2: ami-06bdf8ae9ae9add92
+  ap-northeast-1: ami-02306d959c7f175b9
+  ap-southeast-1: ami-0d5b4a3d73e0f471f
+  ap-southeast-2: ami-00fa88caff4f64937
+  ap-south-1: ami-0b44feae4bb9f497a
 amazon:
   us-east-1: ami-b73b63a0
   us-east-2: ami-58277d3d

data/modules/mu/deploy.rb

@@ -394,7 +394,7 @@ module MU
           Thread.handle_interrupt(MU::Cloud::MuCloudResourceNotImplemented => :never) {
             begin
               Thread.handle_interrupt(MU::Cloud::MuCloudResourceNotImplemented => :immediate) {
-                MU.log "Cost calculator not available for this stack, as it uses a resource not implemented in Mu's CloudFormation layer.", MU::WARN, verbosity: MU::Logger::NORMAL
+                MU.log "Cost calculator not available for this stack, as it uses a resource not implemented in Mu's CloudFormation layer.", MU::DEBUG, verbosity: MU::Logger::NORMAL
                 Thread.current.exit
               }
             ensure

data/modules/mu/groomer.rb

@@ -37,7 +37,7 @@ module MU
 
     # Class methods that any Groomer plugin must implement
     def self.requiredClassMethods
-      [:getSecret, :cleanup, :saveSecret, :deleteSecret]
+      [:getSecret, :cleanup, :saveSecret, :deleteSecret, :available?]
     end
 
     class Ansible;

data/modules/mu/groomers/ansible.rb

@@ -24,6 +24,10 @@ module MU
       class NoAnsibleExecError < MuError;
       end
 
+      # One or more Python dependencies missing
+      class AnsibleLibrariesError < MuError;
+      end
+
       # Location in which we'll find our Ansible executables. This only applies
       # to full-grown Mu masters; minimalist gem installs will have to make do
       # with whatever Ansible executables they can find in $PATH.
@@ -40,6 +44,10 @@ module MU
         @ansible_path = node.deploy.deploy_dir+"/ansible"
         @ansible_execs = MU::Groomer::Ansible.ansibleExecDir
 
+        if !MU::Groomer::Ansible.checkPythonDependencies(@server.windows?)
+          raise AnsibleLibrariesError, "One or more python dependencies not available"
+        end
+
         if !@ansible_execs or @ansible_execs.empty?
           raise NoAnsibleExecError, "No Ansible executables found in visible paths"
         end
@@ -54,6 +62,10 @@ module MU
         installRoles
       end
 
+      # Are Ansible executables and key libraries present and accounted for?
+      def self.available?(windows = false)
+        MU::Groomer::Ansible.checkPythonDependencies(windows)
+      end
 
       # Indicate whether our server has been bootstrapped with Ansible
       def haveBootstrapped?
@@ -245,7 +257,7 @@ module MU
           "#{@server.config['name']}.yml"
         end
 
-        cmd = %Q{cd #{@ansible_path} && echo "#{purpose}" && #{@ansible_execs}/ansible-playbook -i hosts #{playbook} --limit=#{@server.mu_name} --vault-password-file #{pwfile} --timeout=30 --vault-password-file #{@ansible_path}/.vault_pw -u #{ssh_user}}
+        cmd = %Q{cd #{@ansible_path} && echo "#{purpose}" && #{@ansible_execs}/ansible-playbook -i hosts #{playbook} --limit=#{@server.windows? ? @server.canonicalIP : @server.mu_name} --vault-password-file #{pwfile} --timeout=30 --vault-password-file #{@ansible_path}/.vault_pw -u #{ssh_user}}
 
         retries = 0
         begin
@@ -294,7 +306,7 @@ module MU
       # Bootstrap our server with Ansible- basically, just make sure this node
       # is listed in our deployment's Ansible inventory.
       def bootstrap
-        @inventory.add(@server.config['name'], @server.mu_name)
+        @inventory.add(@server.config['name'], @server.windows? ? @server.canonicalIP : @server.mu_name)
         play = {
           "hosts" => @server.config['name']
         }
@@ -387,11 +399,18 @@ module MU
         allvars['deployment']
       end
 
+      # Nuke everything associated with a deploy. Since we're just some files
+      # in the deploy directory, this doesn't have to do anything.
+      def self.cleanup(deploy_id, noop = false)
+#        deploy = MU::MommaCat.new(MU.deploy_id)
+#        inventory = Inventory.new(deploy)
+      end
+
       # Expunge Ansible resources associated with a node.
       # @param node [String]: The Mu name of the node in question.
       # @param _vaults_to_clean [Array<Hash>]: Dummy argument, part of this method's interface but not used by the Ansible layer
       # @param noop [Boolean]: Skip actual deletion, just state what we'd do
-      def self.cleanup(node, _vaults_to_clean = [], noop = false)
+      def self.purge(node, _vaults_to_clean = [], noop = false)
         deploy = MU::MommaCat.new(MU.deploy_id)
         inventory = Inventory.new(deploy)
 #        ansible_path = deploy.deploy_dir+"/ansible"
@@ -427,6 +446,50 @@ module MU
         output
       end
 
+      # Hunt down and return a path for a Python executable
+      # @return [String]
+      def self.pythonExecDir
+        path = nil
+
+        if File.exist?(BINDIR+"/python")
+          path = BINDIR
+        else
+          paths = [ansibleExecDir]
+          paths.concat(ENV['PATH'].split(/:/))
+          paths << "/usr/bin" # not always in path, esp in pared-down Docker images
+          paths.reject! { |p| p.nil? }
+          paths.uniq.each { |bindir|
+            if File.exist?(bindir+"/python")
+              path = bindir
+              break
+            end
+          }
+        end
+        path
+      end
+
+      # Make sure what's in our Python requirements.txt is reflected in the
+      # Python we're about to run for Ansible
+      def self.checkPythonDependencies(windows = false)
+        return nil if !ansibleExecDir
+
+        execline = File.readlines(ansibleExecDir+"/ansible-playbook").first.chomp.sub(/^#!/, '')
+        if !execline
+          MU.log "Unable to extract a Python executable from #{ansibleExecDir}/ansible-playbook", MU::ERR
+          return false
+        end
+
+        require 'tempfile'
+        f = Tempfile.new("pythoncheck")
+        f.puts "import ansible"
+        f.puts "import winrm" if windows
+        f.close
+
+        system(%Q{#{execline} #{f.path}})
+        f.unlink
+        $?.exitstatus == 0 ? true : false
+      end
+
       # Hunt down and return a path for Ansible executables
       # @return [String]
       def self.ansibleExecDir
@@ -434,7 +497,9 @@ module MU
         if File.exist?(BINDIR+"/ansible-playbook")
           path = BINDIR
         else
-          ENV['PATH'].split(/:/).each { |bindir|
+          paths = ENV['PATH'].split(/:/)
+          paths << "/usr/bin"
+          paths.uniq.each { |bindir|
             if File.exist?(bindir+"/ansible-playbook")
               path = bindir
               if !File.exist?(bindir+"/ansible-vault")

data/modules/mu/groomers/chef.rb

@@ -35,6 +35,12 @@ module MU
         end
       }
 
+      # Are the Chef libraries present and accounted for?
+      def self.available?(windows = false)
+        loadChefLib
+        @chefloaded
+      end
+
       @chefloaded = false
       @chefload_semaphore = Mutex.new
       # Autoload is too brain-damaged to get Chef's subclasses/submodules, so
@@ -362,7 +368,7 @@ module MU
             }
 
             if resp.exitcode == 1 and output_lines.join("\n").match(/Chef Client finished/)
-              MU.log "resp.exit code 1"
+              MU.log output_lines.last
             elsif resp.exitcode != 0
               raise MU::Cloud::BootstrapTempFail if resp.exitcode == 35 or output_lines.join("\n").match(/REBOOT_SCHEDULED| WARN: Reboot requested:|Rebooting server at a recipe's request|Chef::Exceptions::Reboot/)
               raise MU::Groomer::RunError, output_lines.slice(output_lines.length-50, output_lines.length).join("")
@@ -619,15 +625,16 @@ module MU
             kb.name_args = [@server.mu_name]
             kb.config[:manual] = true
             kb.config[:winrm_transport] = :ssl
-            kb.config[:host] = @server.mu_name
             kb.config[:winrm_port] = 5986
             kb.config[:session_timeout] = timeout
             kb.config[:operation_timeout] = timeout
             if retries % 2 == 0
+              kb.config[:host] = canonical_addr
               kb.config[:winrm_authentication_protocol] = :basic
               kb.config[:winrm_user] = @server.config['windows_admin_username']
               kb.config[:winrm_password] = @server.getWindowsAdminPassword
             else
+              kb.config[:host] = @server.mu_name
               kb.config[:winrm_authentication_protocol] = :cert
               kb.config[:winrm_client_cert] = "#{MU.mySSLDir}/#{@server.mu_name}-winrm.crt"
               kb.config[:winrm_client_key] = "#{MU.mySSLDir}/#{@server.mu_name}-winrm.key"
@@ -681,7 +688,7 @@ module MU
                 preClean(false) # it's ok for this to fail
               rescue StandardError => e
               end
-              MU::Groomer::Chef.cleanup(@server.mu_name, nodeonly: true)
+              MU::Groomer::Chef.purge(@server.mu_name, nodeonly: true)
               @config['forced_preclean'] = true
               @server.reboot if @server.windows? # *sigh*
             end
@@ -798,12 +805,49 @@ retry
         end
       end
 
+      def self.cleanup(deploy_id, noop = false)
+        return nil if deploy_id.nil? or deploy_id.empty?
+        begin
+          if File.exist?(Etc.getpwuid(Process.uid).dir+"/.chef/knife.rb")
+            ::Chef::Config.from_file(Etc.getpwuid(Process.uid).dir+"/.chef/knife.rb")
+          end
+          deadnodes = []
+          ::Chef::Config[:environment] ||= MU.environment
+          q = ::Chef::Search::Query.new
+          begin
+            q.search("node", "tags_MU-ID:#{deploy_id}").each { |item|
+              next if item.is_a?(Integer)
+              item.each { |node|
+                deadnodes << node.name
+              }
+            }
+          rescue Net::HTTPServerException
+          end
+
+          begin
+            q.search("node", "name:#{deploy_id}-*").each { |item|
+              next if item.is_a?(Integer)
+              item.each { |node|
+                deadnodes << node.name
+              }
+            }
+          rescue Net::HTTPServerException
+          end
+          MU.log "Missed some Chef resources in node cleanup, purging now", MU::NOTICE if deadnodes.size > 0
+          deadnodes.uniq.each { |node|
+            MU::Groomer::Chef.purge(node, [], noop)
+          }
+        rescue LoadError
+        end
+
+      end
+
       # Expunge Chef resources associated with a node.
       # @param node [String]: The Mu name of the node in question.
       # @param vaults_to_clean [Array<Hash>]: Some vaults to expunge
       # @param noop [Boolean]: Skip actual deletion, just state what we'd do
       # @param nodeonly [Boolean]: Just delete the node and its keys, but leave other artifacts
-      def self.cleanup(node, vaults_to_clean = [], noop = false, nodeonly: false)
+      def self.purge(node, vaults_to_clean = [], noop = false, nodeonly: false)
         loadChefLib
         MU.log "Deleting Chef resources associated with #{node}"
         if !nodeonly