cloud-mu 3.1.5 → 3.3.2

data/bin/mu-node-manage

@@ -29,9 +29,9 @@ Usage:
   opt :all, "Operate on all nodes/deploys. Use with caution.", :require => false, :default => false, :type => :boolean
   opt :platform, "Operate exclusively on one nodes of a particular operating system. Can be used in conjunction with -a or -d. Valid platforms: linux, windows", :require => false, :type => :string
   opt :environment, "Operate exclusively on one nodes with a particular environment (e.g. dev, prod). Can be used in conjunction with -a or -d.", :require => false, :type => :string
-  opt :override_chef_runlist, "An alternate runlist to pass to Chef, in chefrun mode.", :require => false, :type => :string
+  opt :override_chef_runlist, "An alternate runlist to pass to Chef, in groomeronly mode.", :require => false, :type => :string
   opt :xecute, "Run a shell command on matching nodes. Overrides --mode and suppresses some informational output in favor of scriptability.", :require => false, :type => :string
-  opt :mode, "Action to perform on matching nodes. Valid actions: groom, chefrun, awsmeta, vaults, certs, chefupgrade", :require => false, :default => "chefrun", :type => :string
+  opt :mode, "Action to perform on matching nodes. Valid actions: groom, groomeronly, awsmeta, vaults, certs, chefupgrade", :require => false, :default => "groomeronly", :type => :string
   opt :verbose, "Show output from Chef runs, etc", :require => false, :default => false, :type => :boolean
   opt :winrm, "Force WinRM connection. Disable SSH fallback", :require => false, :default => false, :type => :boolean
   opt :info, "List a particular node attribute", :require => false, :default => 'nodename', :type => :string
@@ -39,8 +39,10 @@ end
 
 MU.setLogging(MU::Logger::LOUD) if $opts[:verbose]
 
-if !["groom", "chefrun", "vaults", "userdata", "awsmeta", "certs", "chefupgrade"].include?($opts[:mode])
-  Optimist::die(:mode, "--mode must be one of: groom, chefrun, awsmeta, vaults, certs, chefupgrade")
+$opts[:mode] = "groomeronly" if $opts[:mode] == "chefrun"
+
+if !["groom", "groomeronly", "vaults", "userdata", "awsmeta", "certs", "chefupgrade"].include?($opts[:mode])
+  Optimist::die(:mode, "--mode must be one of: groom, groomeronly, awsmeta, vaults, certs, chefupgrade")
 end
 if $opts[:platform] and !["linux", "windows"].include?($opts[:platform])
   Optimist::die(:platform, "--platform must be one of: linux, windows")
@@ -176,7 +178,7 @@ end
 exit 1 if !ok
 
 
-def reGroom(deploys = MU::MommaCat.listDeploys, nodes = [], vaults_only: false)
+def reGroom(deploys = MU::MommaCat.listDeploys, nodes = [], vaults_only: false, groomeronly: false)
   badnodes = []
   count = 0
   deploys.each { |muid|
@@ -196,6 +198,8 @@ def reGroom(deploys = MU::MommaCat.listDeploys, nodes = [], vaults_only: false)
                 server.config["vault_access"].each { |v|
                   MU::Groomer::Chef.grantSecretAccess(mu_name, v['vault'], v['item'])
                 }
+              elsif groomeronly
+                server.groomer.run
               else
                 mommacat.groomNode(server.cloud_id, nodeclass, type, mu_name: mu_name)
               end
@@ -227,7 +231,7 @@ def reGroom(deploys = MU::MommaCat.listDeploys, nodes = [], vaults_only: false)
   end
 end
 
-def runCommand(deploys = MU::MommaCat.listDeploys, nodes = [], cmd = nil, print_output: $opts[:verbose], noop: false, chefrun: false, chef_runlist: nil)
+def runCommand(deploys = MU::MommaCat.listDeploys, nodes = [], cmd = nil, print_output: $opts[:verbose], noop: false)
   badnodes = []
   count = 0
   deploys.each { |muid|
@@ -247,12 +251,6 @@ def runCommand(deploys = MU::MommaCat.listDeploys, nodes = [], cmd = nil, print_
             next
           end
 
-          # Generate the command if attemting a chef run
-          if chefrun
-            cmd = serverobj.windows? ? "powershell -Command chef-client" : "chef-client || sudo chef-client"
-            cmd += " -o '#{chef_runlist}'" if chef_runlist
-          end
-
           MU.log "Running '#{cmd}' on #{nodename} (##{count})" if !print_output
 
           # Set Variables to catch the output and exit code of the execution
@@ -363,7 +361,7 @@ def runCommand(deploys = MU::MommaCat.listDeploys, nodes = [], cmd = nil, print_
   }
 
   if badnodes.size > 0
-    cmd = "Chef" if $opts[:mode] == "chefrun"
+    cmd = "Chef" if $opts[:mode] == "groomeronly"
     if !print_output
       MU.log "Not all `#{cmd}` runs exited cleanly", MU::WARN, details: badnodes
     else
@@ -687,12 +685,13 @@ elsif $opts[:mode] == "vaults"
   reGroom(do_deploys, do_nodes, vaults_only: true)
 elsif $opts[:mode] == "chefupgrade"
   chefUpgrade(do_deploys, do_nodes)
-elsif $opts[:mode] == "chefrun"
+elsif $opts[:mode] == "groomeronly"
   print_output = $opts[:verbose] || do_nodes.size == 1
   if $opts[:override_chef_runlist]
-    runCommand(do_deploys, do_nodes, chef_runlist: $opts[:override_chef_runlist], chefrun: true, print_output: print_output)
+#    runCommand(do_deploys, do_nodes, chef_runlist: $opts[:override_chef_runlist], groomeronly: true, print_output: print_output)
   else
-    runCommand(do_deploys, do_nodes, chefrun: true, print_output: print_output)
+#    runCommand(do_deploys, do_nodes, groomeronly: true, print_output: print_output)
+    reGroom(do_deploys, do_nodes, groomeronly: true)
   end
 elsif $opts[:mode] == "userdata" or $opts[:mode] == "awsmeta"
 # Need Google equiv and to select nodes correctly based on what cloud they're in

data/bin/mu-run-tests

@@ -34,6 +34,7 @@ Usage:
 #{$0} [-m <#>] [-f] [-v] [specific test BoK to run [...]]
   EOS
   opt :max_threads, "Environment to set on creation.", :require => false, :default => 3, :type => :integer
+  opt :max_retries, "Number of times to retry failed tests in --dryrun mode.", :require => false, :default => 2, :type => :integer
   opt :full, "Actually run deploys, instead of --dryrun", :require => false, :default => false
   opt :verbose, "Show more information while running", :require => false, :default => false
 end
@@ -42,7 +43,7 @@ only = ARGV
 
 files = Dir.glob("*.yaml", base: dir)
 files.concat(Dir.glob("*.yml", base: dir))
-baseclouds = MU::Cloud.supportedClouds.reject { |c| c == "CloudFormation" }
+baseclouds = MU::Cloud.availableClouds.reject { |c| c == "CloudFormation" }
 
 commands = {}
 failures = []
@@ -56,20 +57,33 @@ end
 
 files.each { |f|
   clouds = baseclouds.dup
+  groomer_match = true
   File.open(dir+"/"+f).readlines.each { |l|
     l.chomp!
-    next if !l.match(/^\s*#\s*clouds: (.*)/)
-    clouds = []
-    cloudstr = Regexp.last_match[1]
-    cloudstr.split(/\s*,\s*/).each { |c|
-      baseclouds.each { |cloud|
-        if cloud.match(/^#{Regexp.quote(c)}$/i)
-          clouds << cloud
+    if l.match(/^\s*#\s*clouds: (.*)/)
+      clouds = []
+      cloudstr = Regexp.last_match[1]
+      cloudstr.split(/\s*,\s*/).each { |c|
+        baseclouds.each { |cloud|
+          if cloud.match(/^#{Regexp.quote(c)}$/i)
+            clouds << cloud
+          end
+        }
+      }
+    elsif l.match(/^\s*#\s*groomers: (.*)/)
+      groomerstr = Regexp.last_match[1]
+      groomerstr.split(/\s*,\s*/).each { |g|
+        if !MU::Groomer.availableGroomers.include?(g)
+          MU.log "#{f} requires groomer #{g}, which is not available. This test will be skipped.", MU::NOTICE
+          groomer_match = false
         end
       }
-    }
-    break
+    end
   }
+  if !groomer_match
+    next
+  end
+
   clouds.each { |cloud|
     cmd = "mu-deploy #{f} --cloud #{cloud} #{$opts[:full] ? "" : "--dryrun"}"
     commands[cmd] = {
@@ -108,8 +122,19 @@ def execCommand(cmd, results_stash)
   }
 
   ok = true
-  output = %x{#{cmd} 2>&1}
-  ok = false if $?.exitstatus != 0
+  retries = 0
+  begin
+    output = %x{#{cmd} 2>&1}
+    if $?.exitstatus != 0
+      ok = false
+      retries += 1
+      if $opts[:verbose] and !$opts[:full] and retries <= $opts[:max_retries]
+        puts "#{cmd} RETRY #{retries.to_s}".light_red
+      end
+    else
+      ok = true
+    end
+  end while !ok and !$opts[:full] and retries <= $opts[:max_retries]
 
   results_stash["output"] += output
 

data/cloud-mu.gemspec

@@ -17,8 +17,8 @@ end
 
 Gem::Specification.new do |s|
   s.name        = 'cloud-mu'
-  s.version     = '3.1.5'
-  s.date        = '2020-03-03'
+  s.version     = '3.3.2'
+  s.date        = '2020-10-04'
   s.require_paths = ['modules']
   s.required_ruby_version = '>= 2.4'
   s.summary     = "The eGTLabs Mu toolkit for unified cloud deployments"
@@ -57,7 +57,7 @@ EOF
   s.add_runtime_dependency 'rack', "~> 2.0"
   s.add_runtime_dependency 'ruby-graphviz', "~> 1.2"
   s.add_runtime_dependency 'rubocop', '~> 0.58'
-  s.add_runtime_dependency 'rubyzip', "~> 2.0"
+  s.add_runtime_dependency 'rubyzip', "~> 2.3"
   s.add_runtime_dependency 'simple-password-gen', "~> 0.1"
   s.add_runtime_dependency 'slack-notifier', "~> 2.3"
   s.add_runtime_dependency 'solve', '~> 4.0'

data/cookbooks/mu-activedirectory/resources/domain.rb

@@ -19,7 +19,7 @@ attribute :domain_admin_password, :kind_of => String, :required => true
 attribute :restore_mode_password, :kind_of => String, :required => true
 attribute :site_name, :kind_of => String, :default => node['ad']['site_name'], :required => false
 attribute :computer_name, :kind_of => String, :default => node['ad']['computer_name']
-attribute :ntds_static_port, :kind_of => Fixnum, :default => node['ad']['ntds_static_port']
-attribute :ntfrs_static_port, :kind_of => Fixnum, :default => node['ad']['ntfrs_static_port']
-attribute :dfsr_static_port, :kind_of => Fixnum, :default => node['ad']['dfsr_static_port']
-attribute :netlogon_static_port, :kind_of => Fixnum, :default => node['ad']['netlogon_static_port']
+attribute :ntds_static_port, :kind_of => Integer, :default => node['ad']['ntds_static_port']
+attribute :ntfrs_static_port, :kind_of => Integer, :default => node['ad']['ntfrs_static_port']
+attribute :dfsr_static_port, :kind_of => Integer, :default => node['ad']['dfsr_static_port']
+attribute :netlogon_static_port, :kind_of => Integer, :default => node['ad']['netlogon_static_port']

data/cookbooks/mu-activedirectory/resources/domain_controller.rb

@@ -19,7 +19,7 @@ attribute :domain_admin_password, :kind_of => String, :required => true
 attribute :restore_mode_password, :kind_of => String, :required => true
 attribute :site_name, :kind_of => String, :default => node['ad']['site_name'], :required => false
 attribute :computer_name, :kind_of => String, :default => node['ad']['computer_name']
-attribute :ntds_static_port, :kind_of => Fixnum, :default => node['ad']['ntds_static_port']
-attribute :ntfrs_static_port, :kind_of => Fixnum, :default => node['ad']['ntfrs_static_port']
-attribute :dfsr_static_port, :kind_of => Fixnum, :default => node['ad']['dfsr_static_port']
-attribute :netlogon_static_port, :kind_of => Fixnum, :default => node['ad']['netlogon_static_port']
+attribute :ntds_static_port, :kind_of => Integer, :default => node['ad']['ntds_static_port']
+attribute :ntfrs_static_port, :kind_of => Integer, :default => node['ad']['ntfrs_static_port']
+attribute :dfsr_static_port, :kind_of => Integer, :default => node['ad']['dfsr_static_port']
+attribute :netlogon_static_port, :kind_of => Integer, :default => node['ad']['netlogon_static_port']

data/cookbooks/mu-tools/libraries/helper.rb

@@ -236,7 +236,7 @@ module Mutools
       response = nil
       begin
         secret = get_deploy_secret
-        if secret.nil?
+        if secret.nil? or secret.empty?
           raise "Failed to fetch deploy secret, and I can't communicate with Momma Cat without it"
         end
 

data/cookbooks/mu-tools/recipes/apply_security.rb

@@ -252,21 +252,21 @@ if !node['application_attributes']['skip_recipes'].include?('apply_security')
       #		end
       # 6.3 Configure PAM
       # 6.3.2 Set Password Creation Requirement Parameters Using pam_cracklib
-      template "/etc/pam.d/password-auth-local" do
-        source "etc_pamd_password-auth.erb"
-        mode 0644
-      end
-      link "/etc/pam.d/password-auth" do
-        to "/etc/pam.d/password-auth-local"
-      end
+#      template "/etc/pam.d/password-auth-local" do
+#        source "etc_pamd_password-auth.erb"
+#        mode 0644
+#      end
+#      link "/etc/pam.d/password-auth" do
+#        to "/etc/pam.d/password-auth-local"
+#      end
       #6.3.3 Set Lockout for Failed Password Attempts
-      template "/etc/pam.d/system-auth-local" do
-        source "etc_pamd_system-auth.erb"
-        mode 0644
-      end
-      link "/etc/pam.d/system-auth" do
-        to "/etc/pam.d/system-auth-local"
-      end
+#      template "/etc/pam.d/system-auth-local" do
+#        source "etc_pamd_system-auth.erb"
+#        mode 0644
+#      end
+#      link "/etc/pam.d/system-auth" do
+#        to "/etc/pam.d/system-auth-local"
+#      end
   
       #SV-50303r1_rule/SV-50304r1_rule
       execute "chown root:root /etc/shadow"

data/cookbooks/mu-tools/recipes/aws_api.rb

@@ -21,3 +21,12 @@ chef_gem "aws-sdk-core" do
   version "2.11.24"
   action :install
 end
+
+if platform_family?("rhel") or platform_family?("amazon")
+  if node['platform_version'].to_i == 6
+    package "python34-pip"
+    execute "/usr/bin/pip3 install awscli" do
+      not_if "test -x /usr/bin/aws"
+    end
+  end
+end

data/cookbooks/mu-tools/recipes/eks.rb

@@ -160,8 +160,8 @@ Environment='KUBELET_EXTRA_ARGS=$KUBELET_EXTRA_ARGS'
 
   opento.uniq.each { |src|
     [:tcp, :udp, :icmp].each { |proto|
-      execute "iptables -I INPUT -p #{proto} -s #{src}" do
-        not_if "iptables -L -n | tr -s ' ' | grep -- '#{proto} -- #{src.sub(/\/32$/, "")}' > /dev/null"
+      execute "iptables -w 30 -I INPUT -p #{proto} -s #{src}" do
+        not_if "iptables -w 30 -L -n | tr -s ' ' | grep -- '#{proto} -- #{src.sub(/\/32$/, "")}' > /dev/null"
       end
     }
   }

data/cookbooks/mu-tools/recipes/windows-client.rb

@@ -26,20 +26,22 @@ if !node['application_attributes']['skip_recipes'].include?('windows-client')
 
       sshd_password = windows_vault[node['windows_sshd_password_field']]
 
+      admin_user = node['windows_admin_username'] || "Administrator"
+
       windows_version = node['platform_version'].to_i
       
       public_keys = Array.new
 
-      if windows_version == 10
+      if windows_version >= 10
         Chef::Log.info "version #{windows_version}, using openssh"
 
         include_recipe 'chocolatey'
 
         openssh_path = 'C:\Program Files\OpenSSH-Win64'
 
-        ssh_program_data = "#{ENV['ProgramData']}/ssh"
+        ssh_program_data = "#{ENV['ProgramData']}\\ssh"
 
-        ssh_dir = "C:/Users/Administrator/.ssh"
+        ssh_dir = "C:/Users/#{admin_user}/.ssh"
 
         authorized_keys = "#{ssh_dir}/authorized_keys"
 
@@ -86,7 +88,8 @@ if !node['application_attributes']['skip_recipes'].include?('windows-client')
           path ssh_program_data
           owner sshd_user
           rights :full_control, sshd_user
-          rights :full_control, 'Administrator'
+          rights :full_control, admin_user
+          notifies :run, 'ruby[find files to change ownership of]', :immediately
           notifies :run, 'powershell_script[Generate Host Key]', :immediately
         end
 
@@ -97,22 +100,22 @@ if !node['application_attributes']['skip_recipes'].include?('windows-client')
           notifies :create, "template[#{ssh_program_data}/sshd_config]", :immediately
         end
 
-        template "#{ssh_program_data}/sshd_config" do
+        directory "set file ownership" do
           action :nothing
+          path ssh_program_data
           owner sshd_user
-          source "sshd_config.erb"
           mode '0600'
-          cookbook "mu-tools"
-          notifies :run, 'ruby[find files to change ownership of]', :immediately
+          rights :full_control, sshd_user
+          deny_rights :full_control, admin_user
         end
 
-        directory "set file ownership" do
+        template "#{ssh_program_data}/sshd_config" do
           action :nothing
-          path ssh_program_data
           owner sshd_user
+          source "sshd_config.erb"
           mode '0600'
-          rights :full_control, sshd_user
-          deny_rights :full_control, 'Administrator'
+          cookbook "mu-tools"
+          notifies :run, 'ruby[find files to change ownership of]', :immediately
         end
 
         windows_service 'sshd' do
@@ -120,26 +123,26 @@ if !node['application_attributes']['skip_recipes'].include?('windows-client')
         end
 
         group 'sshusers' do
-          members [sshd_user, 'Administrator']
+          members [sshd_user, admin_user]
         end
 
         ruby 'find files to change ownership of' do
           action :nothing
           code <<-EOH
-            files = Dir.entries ssh_program_data
+            files = Dir.entries '#{ssh_program_data}'
             puts files
           EOH
         end
 
-        log 'files in ssh' do
-          message files.join
-          level :info
-        end
-
+#        log 'files in ssh' do
+#          message files.join
+#          level :info
+#        end
+#
         files.each do |file|
           file "#{ssh_program_data}#{file}" do
             owner sshd_user
-            deny_rights :full_control, 'Administrator'
+            deny_rights :full_control, admin_user
           end
         end
 
@@ -150,7 +153,7 @@ if !node['application_attributes']['skip_recipes'].include?('windows-client')
         end
 
         file authorized_keys do
-          owner 'Administrator'
+          owner admin_user
           content public_key
         end
 
@@ -323,7 +326,7 @@ if !node['application_attributes']['skip_recipes'].include?('windows-client')
 #            sensitive true
 #          end
 #        end
-#      end
+
     end
 
     else

data/extras/clean-stock-amis

@@ -18,37 +18,43 @@ require 'json'
 require File.realpath(File.expand_path(File.dirname(__FILE__)+"/../bin/mu-load-config.rb"))
 require 'mu'
 
-credentials = if ARGV[0] and !ARGV[0].empty?
-  ARGV[0]
-else
-  nil
+$opts = Optimist::options do
+  banner <<-EOS
+#{$0} [-c credentials] [-i imagename]
+  EOS
+  opt :credentials, "Use these AWS credentials from mu.yaml instead of the default set", :required => false, :type => :string
+  opt :image, "Purge a specific image, instead of just scrubing old ones", :required => false, :type => :string
 end
 
 filters = [
   {
     name: "owner-id",
-    values: [MU::Cloud::AWS.credToAcct(credentials)]
+    values: [MU::Cloud::AWS.credToAcct($opts[:credentials])]
   }
 ]
 
 
 MU::Cloud::AWS.listRegions.each { | r|
-  images = MU::Cloud::AWS.ec2(region: r, credentials: credentials).describe_images(
+  images = MU::Cloud::AWS.ec2(region: r, credentials: $opts[:credentials]).describe_images(
     filters: filters + [{ "name" => "state", "values" => ["available"]}]
   ).images
   images.each { |ami|
-		if (DateTime.now.to_time - DateTime.parse(ami.creation_date).to_time) > 15552000 and ami.name.match(/^MU-(PROD|DEV)/)
-			snaps = []
-			ami.block_device_mappings.each { |dev|
-				if !dev.ebs.nil?
-					snaps << dev.ebs.snapshot_id
-				end
-			}
-			MU.log "Deregistering #{ami.name} (#{ami.creation_date})", MU::WARN, details: snaps
-			MU::Cloud::AWS.ec2(region: r, credentials: credentials).deregister_image(image_id: ami.image_id)
- 		  snaps.each { |snap_id|
-			  MU::Cloud::AWS.ec2(region: r, credentials: credentials).delete_snapshot(snapshot_id: snap_id)
-			}
-		end
+    if ($opts[:image] and ami.name == $opts[:image]) or 
+       ((DateTime.now.to_time - DateTime.parse(ami.creation_date).to_time) > 15552000 and ami.name.match(/^MU-(PROD|DEV)/))
+      snaps = []
+      ami.block_device_mappings.each { |dev|
+        if !dev.ebs.nil?
+          snaps << dev.ebs.snapshot_id
+        end
+      }
+      MU.log "Deregistering #{ami.name}, #{r} (#{ami.creation_date})", MU::WARN, details: snaps
+      begin
+        MU::Cloud::AWS.ec2(region: r, credentials: $opts[:credentials]).deregister_image(image_id: ami.image_id)
+      rescue Aws::EC2::Errors::InvalidAMIIDUnavailable
+      end
+        snaps.each { |snap_id|
+          MU::Cloud::AWS.ec2(region: r, credentials: $opts[:credentials]).delete_snapshot(snapshot_id: snap_id)
+        }
+    end
   }
 }