cloud-mu 3.2.0 → 3.5.0
- checksums.yaml +4 -4
- data/Dockerfile +1 -1
- data/ansible/roles/mu-nat/tasks/main.yml +3 -0
- data/bin/mu-adopt +12 -1
- data/bin/mu-aws-setup +41 -7
- data/bin/mu-azure-setup +34 -0
- data/bin/mu-configure +214 -119
- data/bin/mu-gcp-setup +37 -2
- data/bin/mu-load-config.rb +2 -1
- data/bin/mu-node-manage +3 -0
- data/bin/mu-refresh-ssl +67 -0
- data/bin/mu-run-tests +28 -6
- data/bin/mu-self-update +30 -10
- data/bin/mu-upload-chef-artifacts +30 -26
- data/cloud-mu.gemspec +10 -8
- data/cookbooks/mu-master/attributes/default.rb +5 -1
- data/cookbooks/mu-master/metadata.rb +2 -2
- data/cookbooks/mu-master/recipes/default.rb +81 -26
- data/cookbooks/mu-master/recipes/init.rb +197 -62
- data/cookbooks/mu-master/recipes/update_nagios_only.rb +1 -1
- data/cookbooks/mu-master/recipes/vault.rb +78 -77
- data/cookbooks/mu-master/templates/default/mods/rewrite.conf.erb +1 -0
- data/cookbooks/mu-master/templates/default/nagios.conf.erb +103 -0
- data/cookbooks/mu-master/templates/default/web_app.conf.erb +14 -30
- data/cookbooks/mu-tools/attributes/default.rb +12 -0
- data/cookbooks/mu-tools/files/centos-6/CentOS-Base.repo +47 -0
- data/cookbooks/mu-tools/libraries/helper.rb +98 -4
- data/cookbooks/mu-tools/libraries/monkey.rb +1 -1
- data/cookbooks/mu-tools/recipes/apply_security.rb +31 -9
- data/cookbooks/mu-tools/recipes/aws_api.rb +8 -2
- data/cookbooks/mu-tools/recipes/base_repositories.rb +1 -1
- data/cookbooks/mu-tools/recipes/gcloud.rb +2 -9
- data/cookbooks/mu-tools/recipes/google_api.rb +7 -0
- data/cookbooks/mu-tools/recipes/rsyslog.rb +8 -1
- data/cookbooks/mu-tools/resources/disk.rb +113 -42
- data/cookbooks/mu-tools/resources/mommacat_request.rb +1 -2
- data/cookbooks/mu-tools/templates/centos-8/sshd_config.erb +215 -0
- data/extras/Gemfile.lock.bootstrap +394 -0
- data/extras/bucketstubs/error.html +0 -0
- data/extras/bucketstubs/index.html +0 -0
- data/extras/clean-stock-amis +11 -3
- data/extras/generate-stock-images +6 -3
- data/extras/git_rpm/build.sh +20 -0
- data/extras/git_rpm/mugit.spec +53 -0
- data/extras/image-generators/AWS/centos7.yaml +19 -16
- data/extras/image-generators/AWS/{rhel7.yaml → rhel71.yaml} +0 -0
- data/extras/image-generators/AWS/{win2k12.yaml → win2k12r2.yaml} +0 -0
- data/extras/image-generators/VMWare/centos8.yaml +15 -0
- data/extras/openssl_rpm/build.sh +19 -0
- data/extras/openssl_rpm/mussl.spec +46 -0
- data/extras/python_rpm/muthon.spec +14 -4
- data/extras/ruby_rpm/muby.spec +9 -5
- data/extras/sqlite_rpm/build.sh +19 -0
- data/extras/sqlite_rpm/muqlite.spec +47 -0
- data/install/installer +7 -5
- data/modules/mommacat.ru +2 -2
- data/modules/mu.rb +14 -7
- data/modules/mu/adoption.rb +5 -5
- data/modules/mu/cleanup.rb +47 -25
- data/modules/mu/cloud.rb +29 -1
- data/modules/mu/cloud/dnszone.rb +0 -2
- data/modules/mu/cloud/machine_images.rb +1 -1
- data/modules/mu/cloud/providers.rb +6 -1
- data/modules/mu/cloud/resource_base.rb +16 -7
- data/modules/mu/cloud/ssh_sessions.rb +5 -1
- data/modules/mu/cloud/wrappers.rb +20 -7
- data/modules/mu/config.rb +28 -12
- data/modules/mu/config/bucket.rb +31 -2
- data/modules/mu/config/cache_cluster.rb +1 -1
- data/modules/mu/config/cdn.rb +100 -0
- data/modules/mu/config/container_cluster.rb +1 -1
- data/modules/mu/config/database.rb +3 -3
- data/modules/mu/config/dnszone.rb +4 -3
- data/modules/mu/config/endpoint.rb +1 -0
- data/modules/mu/config/firewall_rule.rb +1 -1
- data/modules/mu/config/function.rb +16 -7
- data/modules/mu/config/job.rb +89 -0
- data/modules/mu/config/notifier.rb +7 -18
- data/modules/mu/config/ref.rb +55 -9
- data/modules/mu/config/schema_helpers.rb +12 -3
- data/modules/mu/config/server.rb +11 -5
- data/modules/mu/config/server_pool.rb +2 -2
- data/modules/mu/config/vpc.rb +11 -10
- data/modules/mu/defaults/AWS.yaml +106 -106
- data/modules/mu/deploy.rb +40 -14
- data/modules/mu/groomers/chef.rb +2 -2
- data/modules/mu/master.rb +70 -3
- data/modules/mu/mommacat.rb +28 -9
- data/modules/mu/mommacat/daemon.rb +13 -7
- data/modules/mu/mommacat/naming.rb +2 -2
- data/modules/mu/mommacat/search.rb +16 -5
- data/modules/mu/mommacat/storage.rb +67 -32
- data/modules/mu/providers/aws.rb +298 -85
- data/modules/mu/providers/aws/alarm.rb +5 -5
- data/modules/mu/providers/aws/bucket.rb +284 -50
- data/modules/mu/providers/aws/cache_cluster.rb +26 -26
- data/modules/mu/providers/aws/cdn.rb +782 -0
- data/modules/mu/providers/aws/collection.rb +16 -16
- data/modules/mu/providers/aws/container_cluster.rb +84 -64
- data/modules/mu/providers/aws/database.rb +59 -55
- data/modules/mu/providers/aws/dnszone.rb +29 -12
- data/modules/mu/providers/aws/endpoint.rb +535 -50
- data/modules/mu/providers/aws/firewall_rule.rb +32 -26
- data/modules/mu/providers/aws/folder.rb +1 -1
- data/modules/mu/providers/aws/function.rb +300 -134
- data/modules/mu/providers/aws/group.rb +16 -14
- data/modules/mu/providers/aws/habitat.rb +4 -4
- data/modules/mu/providers/aws/job.rb +469 -0
- data/modules/mu/providers/aws/loadbalancer.rb +67 -45
- data/modules/mu/providers/aws/log.rb +17 -17
- data/modules/mu/providers/aws/msg_queue.rb +22 -13
- data/modules/mu/providers/aws/nosqldb.rb +99 -8
- data/modules/mu/providers/aws/notifier.rb +137 -65
- data/modules/mu/providers/aws/role.rb +119 -83
- data/modules/mu/providers/aws/search_domain.rb +166 -30
- data/modules/mu/providers/aws/server.rb +209 -118
- data/modules/mu/providers/aws/server_pool.rb +95 -130
- data/modules/mu/providers/aws/storage_pool.rb +19 -11
- data/modules/mu/providers/aws/user.rb +5 -5
- data/modules/mu/providers/aws/userdata/linux.erb +5 -4
- data/modules/mu/providers/aws/vpc.rb +109 -54
- data/modules/mu/providers/aws/vpc_subnet.rb +43 -39
- data/modules/mu/providers/azure.rb +78 -12
- data/modules/mu/providers/azure/server.rb +20 -4
- data/modules/mu/providers/cloudformation/server.rb +1 -1
- data/modules/mu/providers/google.rb +21 -5
- data/modules/mu/providers/google/bucket.rb +1 -1
- data/modules/mu/providers/google/container_cluster.rb +1 -1
- data/modules/mu/providers/google/database.rb +1 -1
- data/modules/mu/providers/google/firewall_rule.rb +1 -1
- data/modules/mu/providers/google/folder.rb +7 -3
- data/modules/mu/providers/google/function.rb +66 -31
- data/modules/mu/providers/google/group.rb +1 -1
- data/modules/mu/providers/google/habitat.rb +1 -1
- data/modules/mu/providers/google/loadbalancer.rb +1 -1
- data/modules/mu/providers/google/role.rb +6 -3
- data/modules/mu/providers/google/server.rb +1 -1
- data/modules/mu/providers/google/server_pool.rb +1 -1
- data/modules/mu/providers/google/user.rb +1 -1
- data/modules/mu/providers/google/vpc.rb +28 -3
- data/modules/tests/aws-jobs-functions.yaml +46 -0
- data/modules/tests/aws-servers-with-handrolled-iam.yaml +37 -0
- data/modules/tests/centos6.yaml +4 -0
- data/modules/tests/centos7.yaml +4 -0
- data/modules/tests/ecs.yaml +2 -2
- data/modules/tests/eks.yaml +1 -1
- data/modules/tests/functions/node-function/lambda_function.js +10 -0
- data/modules/tests/functions/python-function/lambda_function.py +12 -0
- data/modules/tests/k8s.yaml +1 -1
- data/modules/tests/microservice_app.yaml +288 -0
- data/modules/tests/rds.yaml +5 -5
- data/modules/tests/regrooms/rds.yaml +5 -5
- data/modules/tests/server-with-scrub-muisms.yaml +1 -1
- data/modules/tests/super_complex_bok.yml +2 -2
- data/modules/tests/super_simple_bok.yml +2 -2
- metadata +42 -17
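--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 210514240124518b016fcafc33868f4efcbd890764614b535a3460fd7736961e
+data.tar.gz: 22982dbf157d8c94ecb38c9ca7ee9209dcdef516158ecd1835461da255b7a3df
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 412580d1d702cf61dcd3671bee157b787c0a4ffd79b2c57d845b29bb93cf71da092910209b1ba0a7ff7f98d5a37b21f0b542a99cc31e479b8d4a45b1fa778622
+data.tar.gz: 55fe915449c29467c2731736b357c35a5aef4af243b1c57e06a986273e27eed1726769ce0982d0e6202888161df0664fd10b8179697b13b73c90b3e02f4bcf45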
data/Dockerfile
CHANGED
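--- a/data/bin/mu-adopt
+++ b/data/bin/mu-adopt
@@ -45,6 +45,7 @@ $opt = Optimist::options do
 opt :habitats, "Limit scope of searches to the named accounts/projects/subscriptions, instead of search all habitats visible to our credentials.", :required => false, :type => :strings
 opt :regions, "Restrict to operating on a subset of available regions, instead of all that we know about.", :require => false, :type => :strings
 opt :scrub, "Whether to set scrub_mu_isms in the BoKs we generate", :default => $MU_CFG.has_key?('adopt_scrub_mu_isms') ? $MU_CFG['adopt_scrub_mu_isms'] : false
+opt :pattern, "Only adopt resources whose resource name would match this pattern. Must be a valid regular expression. Alphabetical characters will be treated case-insensitively.", :required => false, :type => :string
 end
 
 ok = true
@@ -60,6 +61,16 @@ if $opt[:diff]
 $opt[:savedeploys] = false
 end
 
+pattern = nil
+if $opt[:pattern]
+begin
+pattern = Regexp.new($opt[:pattern], true)
+rescue RegexpError => e
+MU.log "Invalid --pattern option: #{e.message}", MU::ERR
+exit 1
+end
+end
+
 types = []
 $opt[:types].each { |t|
 t_name = t.gsub(/-/, "_")
@@ -98,7 +109,7 @@ if !ok
 exit 1
 end
 
-adoption = MU::Adoption.new(clouds: clouds, types: types, parent: $opt[:parent], billing: $opt[:billing], sources: $opt[:sources], credentials: $opt[:credentials], group_by: $opt[:grouping].to_sym, savedeploys: $opt[:savedeploys], diff: $opt[:diff], habitats: $opt[:habitats], scrub_mu_isms: $opt[:scrub], regions: $opt[:regions], merge: $opt[:merge_changes])
+adoption = MU::Adoption.new(clouds: clouds, types: types, parent: $opt[:parent], billing: $opt[:billing], sources: $opt[:sources], credentials: $opt[:credentials], group_by: $opt[:grouping].to_sym, savedeploys: $opt[:savedeploys], diff: $opt[:diff], habitats: $opt[:habitats], scrub_mu_isms: $opt[:scrub], regions: $opt[:regions], merge: $opt[:merge_changes], pattern: pattern)
 found = adoption.scrapeClouds
 if found.nil? or found.empty?
 MU.log "No resources found to adopt", MU::WARN, details: {"clouds" => clouds, "types" => types }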
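--- a/data/bin/mu-aws-setup
+++ b/data/bin/mu-aws-setup
@@ -44,6 +44,7 @@ Usage:
 opt :dns, "Ensure the presence of a private DNS Zone called for internal amongst Mu resources.", :require => false, :default => false, :type => :boolean
 opt :uploadlogs, "Push today's log files to the S3 bucket created by the -l option.", :require => false, :default => false, :type => :boolean
 opt :ephemeral, "Make sure all of our instance store (ephemeral) block devices are mapped and available.", :require => false, :default => false, :type => :boolean
+opt :optdisk, "Create an EBS volume for /opt and slide our installation onto it", :require => false, :default => false, :type => :boolean
 end
 
 if MU::Cloud::AWS.hosted? and !$MU_CFG['aws']
@@ -70,7 +71,9 @@ preferred_ip = MU.mu_public_ip
 
 if $opts[:ephemeral] and !MU::Cloud::AWS.isGovCloud?
 instancetypes = MU::Cloud::AWS.listInstanceTypes
-if instancetypes[MU.myRegion][instance.instance_type]
+if !instancetypes or !instancetypes[MU::Cloud::AWS.myRegion] or !instancetypes[MU::Cloud::AWS.myRegion][instance.instance_type]
+MU.log "Failed to load instance type mappings from Pricing API for #{instance.instance_type} in #{MU::Cloud::AWS.myRegion}", MU::ERR
+elsif instancetypes[MU::Cloud::AWS.myRegion][instance.instance_type]["storage"] == "EBS only"
 MU.log "#{instance.instance_type} instance types do not have ephemeral volumes, skipping ephemeral device setup", MU::NOTICE
 else
 # instance.block_device_mappings.each { |dev|
@@ -101,7 +104,7 @@ if $opts[:sg]
 admin_sg = nil
 if instance.security_groups.size > 0
 instance.security_groups.each { |sg|
-found = MU::MommaCat.findStray("AWS", "firewall_rule", region: MU.myRegion, dummy_ok: true, cloud_id: sg.group_id)
+found = MU::MommaCat.findStray("AWS", "firewall_rule", region: MU::Cloud::AWS.myRegion, dummy_ok: true, cloud_id: sg.group_id)
 if found.size > 0 and
 !found.first.cloud_desc.group_name.match(/^Mu Client Rules for /)
 admin_sg = found.first
@@ -118,7 +121,7 @@ if $opts[:sg]
 !ranges.include?(range.cidr_ip) and rule.to_port != 80 and
 !(rule.to_port == 22 and range.cidr_ip == "#{preferred_ip}/32")
 MU.log "Revoking old Mu Master service access rule for #{range.cidr_ip} port #{rule.to_port.to_s}", MU::NOTICE
-MU::Cloud::AWS.ec2(region: MU.myRegion, credentials: admin_sg.credentials).revoke_security_group_ingress(
+MU::Cloud::AWS.ec2(region: MU::Cloud::AWS.myRegion, credentials: admin_sg.credentials).revoke_security_group_ingress(
 group_id: admin_sg.cloud_desc.group_id,
 ip_permissions: [
 {
@@ -173,7 +176,7 @@ if $opts[:sg]
 cfg = {
 "name" => "Mu Master",
 "cloud" => "AWS",
-"region" => MU.myRegion,
+"region" => MU::Cloud::AWS.myRegion,
 "rules" => rules
 }
 
@@ -233,7 +236,36 @@ elsif $opts[:ip]
 MU.log "Currently assigned IP address is #{instance.public_ip_address}"
 end
 
-$
+if $opts[:optdisk] and !File.open("/etc/mtab").read.match(/ \/opt[\s\/]/)
+wd = Dir.getwd
+Dir.chdir("/")
+if File.exists?("/opt/opscode/bin/chef-server-ctl")
+system("/opt/opscode/bin/chef-server-ctl stop")
+end
+if !File.exists?("/sbin/mkfs.xfs")
+system("/usr/bin/yum -y install xfsprogs")
+end
+MU::Master.disk("/dev/xvdj", "/opt_tmp", 30)
+uuid = MU::Master.diskUUID("/dev/xvdj")
+if !uuid or uuid.empty?
+MU.log "Failed to retrieve UUID of block device xvdj", MU::ERR, details: MU::Cloud::AWS.realDevicePath("/dev/xvdj")
+exit 1
+end
+MU.log "Moving contents of /opt to /opt_tmp", MU::NOTICE
+system("/bin/mv /opt/* /opt_tmp/")
+exit 1 if $?.exitstatus != 0
+MU.log "Remounting /opt_tmp /opt", MU::NOTICE
+system("/bin/umount /opt_tmp")
+exit 1 if $?.exitstatus != 0
+system("echo '#{uuid} /opt xfs defaults 0 0' >> /etc/fstab")
+system("/bin/mount -a")
+exit 1 if $?.exitstatus != 0
+if File.exists?("/opt/opscode/bin/chef-server-ctl")
+system("/opt/opscode/bin/chef-server-ctl start")
+end
+Dir.chdir(wd)
+end
+
 
 if $opts[:logs]
 MU::Cloud::AWS.listCredentials.each { |credset|
@@ -385,6 +417,7 @@ if $opts[:logs]
 end
 
 if $opts[:dns] and !MU::Cloud::AWS.isGovCloud?
+$bucketname ||= MU.adminBucketName
 if instance.vpc_id.nil? or instance.vpc_id.empty?
 MU.log "This Mu master appears to be in EC2 Classic. Route53 private DNS zones are not supported. Falling back to old /etc/hosts chicanery.", MU::ERR
 else
@@ -394,7 +427,7 @@ if $opts[:dns] and !MU::Cloud::AWS.isGovCloud?
 params = {
 :name => "platform-mu",
 :vpc => {
-:vpc_region => MU.myRegion,
+:vpc_region => MU::Cloud::AWS.myRegion,
 :vpc_id => instance.vpc_id
 },
 :hosted_zone_config => {
@@ -417,7 +450,7 @@ if $opts[:dns] and !MU::Cloud::AWS.isGovCloud?
 MU::Cloud::AWS.route53.associate_vpc_with_hosted_zone(
 hosted_zone_id: ext_zone.id,
 vpc: {
-vpc_region: MU.myRegion,
+vpc_region: MU::Cloud::AWS.myRegion,
 vpc_id: instance.vpc_id
 }
 )
@@ -436,6 +469,7 @@ if $opts[:dns] and !MU::Cloud::AWS.isGovCloud?
 end
 
 if $opts[:uploadlogs]
+$bucketname ||= MU.adminBucketName
 today = Time.new.strftime("%Y%m%d").to_s
 ["master.log", "nodes.log"].each { |log|
 if File.exist?("/Mu_Logs/#{log}-#{today}")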
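--- a/data/bin/mu-azure-setup
+++ b/data/bin/mu-azure-setup
@@ -44,6 +44,7 @@ Usage:
 opt :logs, "Ensure the presence of an Cloud Storage bucket prefixed with 'Mu_Logs' for use with CloudTrails, syslog, etc.", :require => false, :default => false, :type => :boolean
 # opt :dns, "Ensure the presence of a private DNS Zone called for internal amongst Mu resources.", :require => false, :default => false, :type => :boolean
 opt :uploadlogs, "Push today's log files to the Cloud Storage bucket created by the -l option.", :require => false, :default => false, :type => :boolean
+opt :optdisk, "Create a block volume for /opt and slide our installation onto it", :require => false, :default => false, :type => :boolean
 end
 
 if MU::Cloud::Azure.hosted? and !$MU_CFG['google']
@@ -245,6 +246,39 @@ if $opts[:logs]
 
 end
 
+if $opts[:optdisk] and !File.open("/etc/mtab").read.match(/ \/opt[\s\/]/)
+puts "PLACEHOLDER"
+# myname = MU::Cloud::Google.getGoogleMetaData("instance/name")
+# wd = Dir.getwd
+# Dir.chdir("/")
+# if File.exists?("/opt/opscode/bin/chef-server-ctl")
+# system("/opt/opscode/bin/chef-server-ctl stop")
+# end
+# if !File.exists?("/sbin/mkfs.xfs")
+# system("/usr/bin/yum -y install xfsprogs")
+# end
+# MU::Master.disk(myname+"-mu-opt", "/opt_tmp", 30)
+# uuid = MU::Master.diskUUID(myname+"-mu-opt")
+# if !uuid or uuid.empty?
+# MU.log "Failed to retrieve UUID of block device #{myname}-mu-opt", MU::ERR, details: MU::Cloud::AWS.realDevicePath(myname+"-mu-opt")
+# exit 1
+# end
+# MU.log "Moving contents of /opt to /opt_tmp", MU::NOTICE
+# system("/bin/mv /opt/* /opt_tmp/")
+# exit 1 if $?.exitstatus != 0
+# MU.log "Remounting /opt_tmp /opt", MU::NOTICE
+# system("/bin/umount /opt_tmp")
+# exit 1 if $?.exitstatus != 0
+# system("echo '#{uuid} /opt xfs defaults 0 0' >> /etc/fstab")
+# system("/bin/mount -a")
+# exit 1 if $?.exitstatus != 0
+# if File.exists?("/opt/opscode/bin/chef-server-ctl")
+# system("/opt/opscode/bin/chef-server-ctl start")
+# end
+# Dir.chdir(wd)
+end
+
+
 if $opts[:dns]
 end
 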
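Review bot: The new --optdisk branch only prints `PLACEHOLDER` and exits successfully, yet the usage banner advertises it as creating a block volume for /opt, and the mu-configure change in this same diff invokes `mu-azure-setup --optdisk` and relies solely on the exit status, so an Azure master silently skips the /opt relocation that AWS masters get. It should at least say so at a level operators will see, e.g. `MU.log "--optdisk is not yet implemented on Azure; leaving /opt in place", MU::WARN`, and the option's help text should carry the same caveat until the code lands. The commented-out body is a copy of the GCP variant — it calls MU::Cloud::Google.getGoogleMetaData and MU::Cloud::AWS.realDevicePath — which will mislead whoever picks this up; a single `# TODO: port the AWS /opt migration to Azure managed disks` is clearer than thirty dead lines that reference the wrong providers. The guard `File.open("/etc/mtab").read` also leaks the descriptor; `File.read("/etc/mtab")` is the idiom.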
data/bin/mu-configure
CHANGED
@@ -20,7 +20,6 @@ require 'open-uri'
|
|
20
20
|
require 'colorize'
|
21
21
|
require 'timeout'
|
22
22
|
require 'etc'
|
23
|
-
require 'aws-sdk-core'
|
24
23
|
require 'json'
|
25
24
|
require 'pp'
|
26
25
|
require 'readline'
|
@@ -28,6 +27,30 @@ require 'fileutils'
|
|
28
27
|
require 'erb'
|
29
28
|
require 'tmpdir'
|
30
29
|
|
30
|
+
AMROOT = Process.uid == 0
|
31
|
+
HOMEDIR = Etc.getpwuid(Process.uid).dir
|
32
|
+
CLEAN_ENV={
|
33
|
+
"PATH" => "/usr/local/sbin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin:/usr/local/ruby-current/bin",
|
34
|
+
"HOME" => HOMEDIR
|
35
|
+
}
|
36
|
+
CLEAN_ENV_STR = CLEAN_ENV.keys.map { |k|
|
37
|
+
k+"=\""+CLEAN_ENV[k]+"\""
|
38
|
+
}.join(" ")
|
39
|
+
CHEF_CLIENT="/opt/chef/bin/chef-client"
|
40
|
+
CHEF_CTL="/opt/opscode/bin/chef-server-ctl"
|
41
|
+
GIT_PATTERN = /(((git|ssh|http(s)?)|(git@[\w\.]+))(:(\/\/)?))?([\w\.@\:\/\-~]+)(\.git)?(\/)?/
|
42
|
+
|
43
|
+
|
44
|
+
#def _x(cmd)
|
45
|
+
# puts "#{CLEAN_ENV} #{cmd}".bold
|
46
|
+
# %x{#{CLEAN_ENV} #{cmd}}
|
47
|
+
#end
|
48
|
+
|
49
|
+
def _system(cmd)
|
50
|
+
puts cmd.bold
|
51
|
+
system(CLEAN_ENV, cmd)
|
52
|
+
end
|
53
|
+
|
31
54
|
$IN_GEM = false
|
32
55
|
gemwhich = %x{gem which mu 2>&1}.chomp
|
33
56
|
gemwhich = nil if $?.exitstatus != 0
|
@@ -46,6 +69,36 @@ if !mypath.match(/^\/opt\/mu/)
|
|
46
69
|
end
|
47
70
|
end
|
48
71
|
|
72
|
+
if !$NOOP
|
73
|
+
$IN_AWS = false
|
74
|
+
begin
|
75
|
+
Timeout.timeout(2) do
|
76
|
+
instance_id = URI.open("http://169.254.169.254/latest/meta-data/instance-id").read
|
77
|
+
$IN_AWS = true if !instance_id.nil? and instance_id.size > 0
|
78
|
+
end
|
79
|
+
rescue OpenURI::HTTPError, Timeout::Error, SocketError, Errno::ENETUNREACH
|
80
|
+
end
|
81
|
+
$IN_GOOGLE = false
|
82
|
+
begin
|
83
|
+
Timeout.timeout(2) do
|
84
|
+
instance_id = URI.open(
|
85
|
+
"http://metadata.google.internal/computeMetadata/v1/instance/name",
|
86
|
+
"Metadata-Flavor" => "Google"
|
87
|
+
).read
|
88
|
+
$IN_GOOGLE = true if !instance_id.nil? and instance_id.size > 0
|
89
|
+
end
|
90
|
+
rescue OpenURI::HTTPError, Timeout::Error, SocketError, Errno::ENETUNREACH
|
91
|
+
end
|
92
|
+
$IN_AZURE = false
|
93
|
+
begin
|
94
|
+
Timeout.timeout(2) do
|
95
|
+
instance = URI.open("http://169.254.169.254/metadata/instance/compute?api-version=2017-08-01","Metadata"=>"true").read
|
96
|
+
$IN_AZURE = true if !instance.nil? and instance.size > 0
|
97
|
+
end
|
98
|
+
rescue OpenURI::HTTPError, Timeout::Error, SocketError, Errno::ENETUNREACH, Errno::EHOSTUNREACH
|
99
|
+
end
|
100
|
+
end
|
101
|
+
|
49
102
|
$possible_addresses = []
|
50
103
|
$impossible_addresses = ['127.0.0.1', 'localhost']
|
51
104
|
begin
|
@@ -62,18 +115,36 @@ Socket.getifaddrs.each { |iface|
|
|
62
115
|
if iface.addr and iface.addr.ipv4?
|
63
116
|
$possible_addresses << iface.addr.ip_address
|
64
117
|
begin
|
65
|
-
addrinfo = Socket.gethostbyaddr(iface.addr.ip_address)
|
118
|
+
addrinfo = Socket.gethostbyaddr(iface.addr.ip_address.split(/\./).map { |o| o.to_i }.pack("CCCC"))
|
66
119
|
$possible_addresses << addrinfo.first if !addrinfo.first.nil?
|
67
120
|
rescue SocketError
|
68
121
|
# usually no name to look up; that's ok
|
69
122
|
end
|
70
123
|
end
|
71
124
|
}
|
72
|
-
$possible_addresses.uniq!
|
73
|
-
$possible_addresses.reject! { |i| i.match(/^(0\.0\.0\.0$|169\.254\.|127\.0\.)/)}
|
74
125
|
|
75
|
-
|
126
|
+
if $IN_AWS
|
127
|
+
["local-ipv4", "public-ipv4"].each { |addr|
|
128
|
+
ip = URI.open("http://169.254.169.254/latest/meta-data/#{addr}").read.chomp
|
129
|
+
$possible_addresses.unshift(ip) if ip and ip =~ /^\d+\.\d+\.\d+\.\d+/
|
130
|
+
}
|
131
|
+
elsif $IN_GOOGLE
|
132
|
+
["ip", "access-configs/0/external-ip"].each { |addr|
|
133
|
+
ip = URI.open(
|
134
|
+
"http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/#{addr}",
|
135
|
+
"Metadata-Flavor" => "Google"
|
136
|
+
).read.chomp
|
137
|
+
$possible_addresses.unshift(ip) if ip and ip =~ /^\d+\.\d+\.\d+\.\d+/
|
138
|
+
}
|
139
|
+
elsif $IN_AZURE
|
140
|
+
["privateIpAddress", "publicIpAddress"].each { |addr|
|
141
|
+
ip = URI.open("http://169.254.169.254/metadata/instance/network/interface/0/ipv4/ipAddress/0/#{addr}?api-version=2017-08-01&format=text","Metadata"=>"true").read
|
142
|
+
$possible_addresses.unshift(ip) if ip and ip =~ /^\d+\.\d+\.\d+\.\d+/
|
143
|
+
}
|
144
|
+
end
|
76
145
|
|
146
|
+
$possible_addresses.uniq!
|
147
|
+
$possible_addresses.reject! { |i| i.match(/^(0\.0\.0\.0$|169\.254\.|127\.0\.)/)}
|
77
148
|
|
78
149
|
# Top-level keys in $MU_CFG for which we'll provide interactive, menu-driven
|
79
150
|
# configuration.
|
@@ -404,8 +475,6 @@ def importCurrentValues
|
|
404
475
|
end
|
405
476
|
|
406
477
|
if !$NOOP
|
407
|
-
AMROOT = Process.uid == 0
|
408
|
-
HOMEDIR = Etc.getpwuid(Process.uid).dir
|
409
478
|
|
410
479
|
$opts = Optimist::options do
|
411
480
|
banner <<-EOS
|
@@ -476,66 +545,65 @@ if !$NOOP
|
|
476
545
|
end
|
477
546
|
end
|
478
547
|
|
479
|
-
|
480
|
-
|
481
|
-
|
482
|
-
|
483
|
-
|
484
|
-
|
485
|
-
|
486
|
-
|
487
|
-
|
488
|
-
begin
|
489
|
-
Timeout.timeout(2) do
|
490
|
-
instance_id = open(
|
491
|
-
"http://metadata.google.internal/computeMetadata/v1/instance/name",
|
492
|
-
"Metadata-Flavor" => "Google"
|
493
|
-
).read
|
494
|
-
$IN_GOOGLE = true if !instance_id.nil? and instance_id.size > 0
|
495
|
-
end
|
496
|
-
rescue OpenURI::HTTPError, Timeout::Error, SocketError, Errno::ENETUNREACH
|
497
|
-
end
|
498
|
-
$IN_AZURE = false
|
499
|
-
begin
|
500
|
-
Timeout.timeout(2) do
|
501
|
-
instance = open("http://169.254.169.254/metadata/instance/compute?api-version=2017-08-01","Metadata"=>"true").read
|
502
|
-
$IN_AZURE = true if !instance.nil? and instance.size > 0
|
548
|
+
|
549
|
+
if AMROOT and !$IN_GEM
|
550
|
+
Dir.chdir("/")
|
551
|
+
if $IN_AWS
|
552
|
+
_system("#{MU_BASE}/lib/bin/mu-aws-setup --optdisk")
|
553
|
+
elsif $IN_GOOGLE
|
554
|
+
_system("#{MU_BASE}/lib/bin/mu-gcp-setup --optdisk")
|
555
|
+
elsif $IN_AZURE
|
556
|
+
_system("#{MU_BASE}/lib/bin/mu-azure-setup --optdisk")
|
503
557
|
end
|
504
|
-
|
558
|
+
exit 1 if $?.exitstatus != 0
|
505
559
|
end
|
560
|
+
_system("cd #{MU_BASE}/lib/modules && umask 0022 && /usr/local/ruby-current/bin/bundle install")
|
561
|
+
_system("cd #{MU_BASE}/lib/modules && umask 0022 && /opt/chef/embedded/bin/bundle install")
|
506
562
|
|
507
563
|
KNIFE_TEMPLATE = "log_level :info
|
508
|
-
|
509
|
-
|
510
|
-
|
511
|
-
|
512
|
-
|
513
|
-
|
514
|
-
|
515
|
-
|
516
|
-
|
517
|
-
|
518
|
-
|
519
|
-
|
520
|
-
|
521
|
-
|
522
|
-
|
564
|
+
log_location STDOUT
|
565
|
+
node_name '<%= chefuser %>'
|
566
|
+
client_key '<%= MU_BASE %>/var/users/<%= user %>/<%= chefuser %>.user.key'
|
567
|
+
validation_client_name 'mu-validator'
|
568
|
+
validation_key '<%= MU_BASE %>/var/orgs/<%= user %>/<%= chefuser %>.org.key'
|
569
|
+
chef_server_url 'https://<%= MU.mu_public_addr %>:7443/organizations/<%= chefuser %>'
|
570
|
+
chef_server_root 'https://<%= MU.mu_public_addr %>:7443/organizations/<%= chefuser %>'
|
571
|
+
syntax_check_cache_path '<%= HOMEDIR %>/.chef/syntax_check_cache'
|
572
|
+
cookbook_path [ '<%= HOMEDIR %>/.chef/cookbooks', '<%= HOMEDIR %>/.chef/site_cookbooks' ]
|
573
|
+
<% if $MU_CFG.has_key?('ssl') and $MU_CFG['ssl'].has_key?('chain') %>
|
574
|
+
ssl_ca_path '<%= File.dirname($MU_CFG['ssl']['chain']) %>'
|
575
|
+
ssl_ca_file '<%= File.basename($MU_CFG['ssl']['chain']) %>'
|
576
|
+
<% end %>
|
577
|
+
knife[:vault_mode] = 'client'
|
578
|
+
knife[:vault_admins] = ['<%= chefuser %>']"
|
523
579
|
|
524
580
|
CLIENT_TEMPLATE = "chef_server_url 'https://<%= MU.mu_public_addr %>:7443/organizations/<%= user %>'
|
525
|
-
|
526
|
-
|
527
|
-
|
528
|
-
|
529
|
-
|
530
|
-
|
581
|
+
validation_client_name 'mu-validator'
|
582
|
+
log_location STDOUT
|
583
|
+
node_name 'MU-MASTER'
|
584
|
+
chef_license 'accept'
|
585
|
+
verify_api_cert false
|
586
|
+
ssl_verify_mode :verify_none
|
587
|
+
"
|
588
|
+
|
589
|
+
#chef_server_url "https://127.0.0.1:7443/organizations/mu"
|
590
|
+
#validation_client_name "mu-validator"
|
591
|
+
#chef_license "accept"
|
592
|
+
#log_location STDOUT
|
593
|
+
#node_name "MU-MASTER"
|
594
|
+
#verify_api_cert false
|
595
|
+
#ssl_verify_mode :verify_none
|
596
|
+
#trusted_certs_dir "/etc/chef/trusted_certs"
|
597
|
+
#file_cache_path "/var/chef/cache"
|
598
|
+
#file_backup_path "/var/chef/backup"
|
531
599
|
|
532
600
|
PIVOTAL_TEMPLATE = "node_name 'pivotal'
|
533
|
-
|
534
|
-
|
535
|
-
|
536
|
-
|
537
|
-
|
538
|
-
|
601
|
+
chef_server_url 'https://<%= MU.mu_public_addr %>:7443'
|
602
|
+
chef_server_root 'https://<%= MU.mu_public_addr %>:7443'
|
603
|
+
no_proxy '<%= MU.mu_public_addr %>'
|
604
|
+
client_key '/etc/opscode/pivotal.pem'
|
605
|
+
ssl_verify_mode :verify_none
|
606
|
+
"
|
539
607
|
|
540
608
|
$CHANGES = []
|
541
609
|
|
@@ -612,7 +680,7 @@ if !$NOOP
|
|
612
680
|
keynamestr = repo.gsub(/[^a-z0-9\-]/i, "-") + Process.pid.to_s
|
613
681
|
keypath = "#{HOMEDIR}/.ssh/#{keynamestr}"
|
614
682
|
puts "Paste a complete SSH private key for #{ssh_user.bold}@#{ssh_host.bold} below, then ^D"
|
615
|
-
|
683
|
+
_system("cat > #{keypath}")
|
616
684
|
File.chmod(0600, keypath)
|
617
685
|
puts "Key saved to "+keypath.bold
|
618
686
|
deletekey = true
|
@@ -724,7 +792,7 @@ if !$NOOP
|
|
724
792
|
["public-ipv4", "local-ipv4"].each { |addr|
|
725
793
|
begin
|
726
794
|
Timeout.timeout(2) do
|
727
|
-
ip = open("http://169.254.169.254/latest/meta-data/#{addr}").read
|
795
|
+
ip = URI.open("http://169.254.169.254/latest/meta-data/#{addr}").read
|
728
796
|
ips << ip if !ip.nil? and ip.size > 0
|
729
797
|
end
|
730
798
|
rescue OpenURI::HTTPError, Timeout::Error, SocketError
|
@@ -736,9 +804,9 @@ if !$NOOP
|
|
736
804
|
begin
|
737
805
|
Timeout.timeout(2) do
|
738
806
|
# TODO iterate across multiple interfaces/access-configs
|
739
|
-
ip = open("#{base_url}/instance/network-interfaces/0/ip", "Metadata-Flavor" => "Google").read
|
807
|
+
ip = URI.open("#{base_url}/instance/network-interfaces/0/ip", "Metadata-Flavor" => "Google").read
|
740
808
|
ips << ip if !ip.nil? and ip.size > 0
|
741
|
-
ip = open("#{base_url}/instance/network-interfaces/0/access-configs/0/external-ip", "Metadata-Flavor" => "Google").read
|
809
|
+
ip = URI.open("#{base_url}/instance/network-interfaces/0/access-configs/0/external-ip", "Metadata-Flavor" => "Google").read
|
742
810
|
ips << ip if !ip.nil? and ip.size > 0
|
743
811
|
end
|
744
812
|
rescue OpenURI::HTTPError, Timeout::Error, SocketError => e
|
@@ -753,10 +821,10 @@ if !$NOOP
|
|
753
821
|
$CONFIGURABLES["banner"]["default"] = "Mu Master at #{$CONFIGURABLES["public_address"]["default"]}"
|
754
822
|
if $IN_AWS
|
755
823
|
# XXX move this crap to a callback hook for puttering around in the AWS submenu
|
756
|
-
aws = JSON.parse(open("http://169.254.169.254/latest/dynamic/instance-identity/document").read)
|
824
|
+
aws = JSON.parse(URI.open("http://169.254.169.254/latest/dynamic/instance-identity/document").read)
|
757
825
|
iam = nil
|
758
826
|
begin
|
759
|
-
iam = open("http://169.254.169.254/latest/meta-data/iam/security-credentials").read
|
827
|
+
iam = URI.open("http://169.254.169.254/latest/meta-data/iam/security-credentials").read
|
760
828
|
rescue OpenURI::HTTPError, SocketError
|
761
829
|
end
|
762
830
|
# $CONFIGURABLES["aws"]["subtree"]["account_number"]["default"] = aws["accountId"]
|
@@ -914,7 +982,7 @@ if !$NOOP
|
|
914
982
|
if data["named_subentries"]
|
915
983
|
if data['subtree']['#entries']
|
916
984
|
data['subtree']['#entries'].each_pair { |nameentry, subdata|
|
917
|
-
next if nameentry.match(/^#/)
|
985
|
+
next if nameentry.nil? or nameentry.match(/^#/)
|
918
986
|
puts " "+subdata["#menu"].bold+". "+nameentry.green.on_black
|
919
987
|
}
|
920
988
|
end
|
@@ -1218,13 +1286,13 @@ if !$NOOP
|
|
1218
1286
|
pref_chef_version = File.read("#{MU_BASE}/var/mu-chef-client-version").chomp
|
1219
1287
|
if (cur_chef_version != pref_chef_version and cur_chef_version.sub(/\-\d+$/, "") != pref_chef_version) or cur_chef_version.match(/is not installed/)
|
1220
1288
|
puts "Updating MU-MASTER's Chef Client to '#{pref_chef_version}' from '#{cur_chef_version}'"
|
1221
|
-
chef_installer = open("https://omnitruck.chef.io/install.sh").read
|
1289
|
+
chef_installer = URI.open("https://omnitruck.chef.io/install.sh").read
|
1222
1290
|
File.open("#{HOMEDIR}/chef-install.sh", File::CREAT|File::TRUNC|File::RDWR, 0644){ |f|
|
1223
1291
|
f.puts chef_installer
|
1224
1292
|
}
|
1225
|
-
|
1293
|
+
_system("/bin/rm -rf /opt/chef ; sh #{HOMEDIR}/chef-install.sh -v #{pref_chef_version}");
|
1226
1294
|
# This will go fix gems, permissions, etc
|
1227
|
-
|
1295
|
+
_system("/opt/chef/bin/chef-apply #{MU_BASE}/lib/cookbooks/mu-master/recipes/init.rb");
|
1228
1296
|
end
|
1229
1297
|
end
|
1230
1298
|
|
@@ -1247,12 +1315,17 @@ if !$NOOP
|
|
1247
1315
|
end
|
1248
1316
|
begin
|
1249
1317
|
require 'mu'
|
1318
|
+
rescue LoadError, Gem::MissingSpecError
|
1319
|
+
_system("cd #{MU_BASE}/lib/modules && umask 0022 && /usr/local/ruby-current/bin/bundle install")
|
1320
|
+
require 'bundler'
|
1321
|
+
pwd = Dir.pwd
|
1322
|
+
Dir.chdir(MU_BASE+"/lib/modules")
|
1323
|
+
Bundler.setup
|
1324
|
+
require 'mu'
|
1325
|
+
Dir.chdir(pwd)
|
1250
1326
|
rescue MU::MuError => e
|
1251
1327
|
puts "Correct the above error before proceeding. To retry, run:\n\n#{$0.bold} #{ARGV.join(" ").bold}"
|
1252
1328
|
exit 1
|
1253
|
-
rescue LoadError
|
1254
|
-
system("cd #{MU_BASE}/lib/modules && umask 0022 && /usr/local/ruby-current/bin/bundle install")
|
1255
|
-
require 'mu'
|
1256
1329
|
end
|
1257
1330
|
|
1258
1331
|
if $IN_GEM
|
@@ -1268,15 +1341,45 @@ if !$NOOP
|
|
1268
1341
|
end
|
1269
1342
|
|
1270
1343
|
if AMROOT and ($INITIALIZE or $CHANGES.include?("hostname"))
|
1271
|
-
|
1344
|
+
_system("/bin/hostname #{$MU_CFG['hostname']}")
|
1345
|
+
end
|
1346
|
+
|
1347
|
+
def updateChefRbs
|
1348
|
+
user = AMROOT ? "mu" : Etc.getpwuid(Process.uid).name
|
1349
|
+
chefuser = user.gsub(/\./, "")
|
1350
|
+
templates = { HOMEDIR+"/.chef/knife.rb" => KNIFE_TEMPLATE }
|
1351
|
+
Dir.mkdir(HOMEDIR+"/.chef") if !Dir.exist?(HOMEDIR+"/.chef")
|
1352
|
+
if AMROOT
|
1353
|
+
templates["/etc/chef/client.rb"] = CLIENT_TEMPLATE
|
1354
|
+
templates["/etc/opscode/pivotal.rb"] = PIVOTAL_TEMPLATE
|
1355
|
+
end
|
1356
|
+
templates.each_pair { |file, template|
|
1357
|
+
erb = ERB.new(template)
|
1358
|
+
processed = erb.result(binding)
|
1359
|
+
tmpfile = file+".tmp."+Process.pid.to_s
|
1360
|
+
File.open(tmpfile, File::CREAT|File::TRUNC|File::RDWR, 0644){ |f|
|
1361
|
+
f.puts processed
|
1362
|
+
}
|
1363
|
+
if !File.size?(file) or File.read(tmpfile) != File.read(file)
|
1364
|
+
File.rename(tmpfile, file)
|
1365
|
+
MU.log "Updated #{file}", MU::NOTICE
|
1366
|
+
$CHANGES << "chefcerts"
|
1367
|
+
else
|
1368
|
+
File.unlink(tmpfile)
|
1369
|
+
end
|
1370
|
+
}
|
1272
1371
|
end
|
1273
1372
|
|
1373
|
+
|
1274
1374
|
# Do some more basic-but-Chef-dependent configuration *before* we meddle with
|
1275
1375
|
# the Chef Server configuration, which depends on some of this (SSL certs and
|
1276
1376
|
# local firewall ports).
|
1277
1377
|
if AMROOT and ($INITIALIZE or $CHANGES.include?("chefartifacts"))
|
1278
1378
|
MU.log "Purging and re-uploading all Chef artifacts", MU::NOTICE
|
1279
1379
|
%x{/sbin/service iptables stop} if $INITIALIZE
|
1380
|
+
if File.exists?("#{CHEF_CTL}")
|
1381
|
+
_system("#{CHEF_CTL} start")
|
1382
|
+
end
|
1280
1383
|
output = %x{MU_INSTALLDIR=#{MU_BASE} MU_LIBDIR=#{MU_BASE}/lib MU_DATADIR=#{MU_BASE}/var #{MU_BASE}/lib/bin/mu-upload-chef-artifacts}
|
1281
1384
|
if $?.exitstatus != 0
|
1282
1385
|
puts output
|
@@ -1287,47 +1390,28 @@ if !$NOOP
|
|
1287
1390
|
%x{/sbin/service iptables start} if !$INITIALIZE
|
1288
1391
|
end
|
1289
1392
|
|
1393
|
+
Dir.chdir(Dir.home)
|
1394
|
+
|
1290
1395
|
if $INITIALIZE and AMROOT
|
1291
1396
|
MU.log "Force open key firewall holes", MU::NOTICE
|
1292
|
-
|
1397
|
+
_system("#{CHEF_CLIENT} -o 'recipe[mu-master::firewall-holes]'")
|
1293
1398
|
end
|
1294
1399
|
|
1295
1400
|
if AMROOT
|
1296
1401
|
MU.log "Checking internal SSL signing authority and certificates", MU::NOTICE
|
1297
|
-
if !
|
1402
|
+
if !_system("#{CHEF_CLIENT} -o 'recipe[mu-master::ssl-certs]'") and $INITIALIZE
|
1298
1403
|
MU.log "Got bad exit code trying to run recipe[mu-master::ssl-certs]', aborting", MU::ERR
|
1299
1404
|
exit 1
|
1300
1405
|
end
|
1301
|
-
|
1302
|
-
|
1303
|
-
|
1304
|
-
user = AMROOT ? "mu" : Etc.getpwuid(Process.uid).name
|
1305
|
-
chefuser = user.gsub(/\./, "")
|
1306
|
-
templates = { HOMEDIR+"/.chef/knife.rb" => KNIFE_TEMPLATE }
|
1307
|
-
Dir.mkdir(HOMEDIR+"/.chef") if !Dir.exist?(HOMEDIR+"/.chef")
|
1308
|
-
if AMROOT
|
1309
|
-
templates["/etc/chef/client.rb"] = CLIENT_TEMPLATE
|
1310
|
-
templates["/etc/opscode/pivotal.rb"] = PIVOTAL_TEMPLATE
|
1406
|
+
if !File.size?("#{$MU_CFG['datadir']}/ssl/mommacat.crt")
|
1407
|
+
MU.log "I just ran recipe[mu-master::ssl-certs]', but #{$MU_CFG['datadir']}/ssl/mommacat.crt} is still missing. Bailing.", MU::ERR
|
1408
|
+
exit 1
|
1311
1409
|
end
|
1312
|
-
templates.each_pair { |file, template|
|
1313
|
-
erb = ERB.new(template)
|
1314
|
-
processed = erb.result(binding)
|
1315
|
-
tmpfile = file+".tmp."+Process.pid.to_s
|
1316
|
-
File.open(tmpfile, File::CREAT|File::TRUNC|File::RDWR, 0644){ |f|
|
1317
|
-
f.puts processed
|
1318
|
-
}
|
1319
|
-
if !File.size?(file) or File.read(tmpfile) != File.read(file)
|
1320
|
-
File.rename(tmpfile, file)
|
1321
|
-
MU.log "Updated #{file}", MU::NOTICE
|
1322
|
-
$CHANGES << "chefcerts"
|
1323
|
-
else
|
1324
|
-
File.unlink(tmpfile)
|
1325
|
-
end
|
1326
|
-
}
|
1327
1410
|
end
|
1328
1411
|
|
1329
1412
|
|
1330
1413
|
if AMROOT
|
1414
|
+
updateChefRbs if !$INITIALIZE
|
1331
1415
|
erb = ERB.new(File.read("#{MU_BASE}/lib/cookbooks/mu-master/templates/default/chef-server.rb.erb"))
|
1332
1416
|
updated_server_cfg = erb.result(binding)
|
1333
1417
|
cfgpath = "/etc/opscode/chef-server.rb"
|
@@ -1335,7 +1419,7 @@ if !$NOOP
|
|
1335
1419
|
File.open(tmpfile, File::CREAT|File::TRUNC|File::RDWR, 0644){ |f|
|
1336
1420
|
f.puts updated_server_cfg
|
1337
1421
|
}
|
1338
|
-
if !File.size?(cfgpath) or File.read(tmpfile) != File.read(cfgpath)
|
1422
|
+
if $INITIALIZE or !File.size?(cfgpath) or File.read(tmpfile) != File.read(cfgpath)
|
1339
1423
|
File.rename(tmpfile, cfgpath)
|
1340
1424
|
# Opscode can't seem to get things right with their postgres socket
|
1341
1425
|
Dir.mkdir("/var/run/postgresql", 0755) if !Dir.exist?("/var/run/postgresql")
|
@@ -1344,12 +1428,15 @@ if !$NOOP
|
|
1344
1428
|
elsif !File.exist?("/tmp/.s.PGSQL.5432") and File.exist?("/var/run/postgresql/.s.PGSQL.5432")
|
1345
1429
|
File.symlink("/var/run/postgresql/.s.PGSQL.5432", "/tmp/.s.PGSQL.5432")
|
1346
1430
|
end
|
1347
|
-
MU.log "Chef Server config was modified, reconfiguring...", MU::NOTICE
|
1431
|
+
MU.log "Chef Server config was modified, reconfiguring...", MU::NOTICE, details: updated_server_cfg
|
1348
1432
|
# XXX Some undocumented port Chef needs only on startup is being blocked by
|
1349
1433
|
# iptables. Something rabbitmq-related. Dopey workaround.
|
1350
1434
|
%x{/sbin/service iptables stop}
|
1351
|
-
|
1352
|
-
|
1435
|
+
_system("#{CHEF_CTL} stop")
|
1436
|
+
MU.retrier(wait: 10, max: 6, loop_if: Proc.new { $?.exitstatus != 0 }, loop_msg: "Trying to get chef-server-ctl reconfigure to work") {
|
1437
|
+
_system("#{CHEF_CTL} reconfigure")
|
1438
|
+
}
|
1439
|
+
_system("#{CHEF_CTL} start")
|
1353
1440
|
%x{/sbin/service iptables start} if !$INITIALIZE
|
1354
1441
|
updateChefRbs
|
1355
1442
|
$CHANGES << "chefcerts"
|
@@ -1361,21 +1448,21 @@ if !$NOOP
|
|
1361
1448
|
updateChefRbs
|
1362
1449
|
end
|
1363
1450
|
|
1364
|
-
if $IN_AWS and AMROOT
|
1365
|
-
|
1451
|
+
if $IN_AWS and AMROOT# and $IN_GEM
|
1452
|
+
_system("#{MU_BASE}/lib/bin/mu-aws-setup --dns --sg --logs --ephemeral")
|
1366
1453
|
# XXX --ip? Do we really care?
|
1367
1454
|
end
|
1368
1455
|
if $IN_GOOGLE and AMROOT
|
1369
|
-
|
1456
|
+
_system("#{MU_BASE}/lib/bin/mu-gcp-setup --sg --logs")
|
1370
1457
|
end
|
1371
1458
|
if $IN_AZURE and AMROOT
|
1372
|
-
|
1459
|
+
_system("#{MU_BASE}/lib/bin/mu-azure-setup --sg")
|
1373
1460
|
end
|
1374
1461
|
|
1375
1462
|
if $INITIALIZE or $CHANGES.include?("chefcerts")
|
1376
|
-
|
1463
|
+
_system("rm -f #{HOMEDIR}/.chef/trusted_certs/* ; knife ssl fetch -c #{HOMEDIR}/.chef/knife.rb")
|
1377
1464
|
if AMROOT
|
1378
|
-
|
1465
|
+
_system("rm -f /etc/chef/trusted_certs/* ; knife ssl fetch -c /etc/chef/client.rb")
|
1379
1466
|
end
|
1380
1467
|
end
|
1381
1468
|
|
@@ -1400,7 +1487,7 @@ if !$NOOP
|
|
1400
1487
|
if !Dir.exist?(repodir)
|
1401
1488
|
MU.log "Cloning #{repo} into #{repodir}", MU::NOTICE
|
1402
1489
|
Dir.chdir(MU.dataDir)
|
1403
|
-
|
1490
|
+
_system("/usr/bin/git clone #{repo}")
|
1404
1491
|
$CHANGES << "chefartifacts"
|
1405
1492
|
end
|
1406
1493
|
}
|
@@ -1411,7 +1498,15 @@ if !$NOOP
|
|
1411
1498
|
end
|
1412
1499
|
|
1413
1500
|
begin
|
1501
|
+
if File.exists?("#{CHEF_CTL}")
|
1502
|
+
_system("#{CHEF_CTL} start")
|
1503
|
+
end
|
1414
1504
|
MU::Groomer::Chef.getSecret(vault: "secrets", item: "consul")
|
1505
|
+
rescue OpenSSL::SSL::SSLError => e
|
1506
|
+
if !$INITIALIZE
|
1507
|
+
raise e
|
1508
|
+
end
|
1509
|
+
MU.log "Got SSL error connecting to Chef for vault secrets, this is normal during initial install", MU::NOTICE, details: e.message
|
1415
1510
|
rescue MU::Groomer::MuNoSuchSecret
|
1416
1511
|
data = {
|
1417
1512
|
"private_key" => File.read("#{MU_BASE}/var/ssl/consul.key"),
|
@@ -1427,9 +1522,10 @@ if !$NOOP
|
|
1427
1522
|
end
|
1428
1523
|
if $INITIALIZE or $CHANGES.include?("vault")
|
1429
1524
|
MU.log "Setting up Hashicorp Vault", MU::NOTICE
|
1430
|
-
|
1525
|
+
_system("#{CHEF_CLIENT} -o 'recipe[mu-master::vault]'")
|
1431
1526
|
end
|
1432
1527
|
|
1528
|
+
set389DSCreds
|
1433
1529
|
if $MU_CFG['ldap']['type'] == "389 Directory Services"
|
1434
1530
|
begin
|
1435
1531
|
MU::Master::LDAP.listUsers
|
@@ -1439,11 +1535,10 @@ if !$NOOP
|
|
1439
1535
|
if $INITIALIZE or $CHANGES.include?("389ds")
|
1440
1536
|
File.unlink("/root/389ds.tmp/389-directory-setup.inf") if File.exist?("/root/389ds.tmp/389-directory-setup.inf")
|
1441
1537
|
MU.log "Configuring 389 Directory Services", MU::NOTICE
|
1442
|
-
|
1443
|
-
system("chef-client -o 'recipe[mu-master::389ds]'")
|
1538
|
+
_system("#{CHEF_CLIENT} -o 'recipe[mu-master::389ds]'")
|
1444
1539
|
exit 1 if $? != 0
|
1445
1540
|
MU::Master::LDAP.initLocalLDAP
|
1446
|
-
|
1541
|
+
_system("#{CHEF_CLIENT} -o 'recipe[mu-master::sssd]'")
|
1447
1542
|
exit 1 if $? != 0
|
1448
1543
|
end
|
1449
1544
|
end
|
@@ -1474,12 +1569,12 @@ if !$NOOP
|
|
1474
1569
|
MU::Config.emitSchemaAsRuby
|
1475
1570
|
MU.log "Generating YARD documentation in /var/www/html/docs (see http://#{$MU_CFG['public_address']}/docs/frames.html)"
|
1476
1571
|
File.umask(0022)
|
1477
|
-
|
1572
|
+
_system("cd #{MU.myRoot} && umask 0022 && /usr/local/ruby-current/bin/yard doc modules -m markdown -o /var/www/html/docs && chcon -R -h -t httpd_sys_script_exec_t /var/www/html/")
|
1478
1573
|
end
|
1479
1574
|
|
1480
1575
|
|
1481
1576
|
MU.log "Running chef-client on MU-MASTER", MU::NOTICE
|
1482
|
-
|
1577
|
+
_system("#{CHEF_CLIENT} -o '#{run_list.join(",")}'")
|
1483
1578
|
|
1484
1579
|
|
1485
1580
|
if !File.exist?("#{MU_BASE}/var/users/mu/email") or !File.exist?("#{MU_BASE}/var/users/mu/realname")
|
@@ -1507,11 +1602,11 @@ if !$NOOP
|
|
1507
1602
|
end
|
1508
1603
|
|
1509
1604
|
MU.log "Regenerating documentation in /var/www/html/docs"
|
1510
|
-
%x{#{MU_BASE}/lib/bin/mu-gen-docs}
|
1605
|
+
%x{#{CLEAN_ENV_STR} #{MU_BASE}/lib/bin/mu-gen-docs}
|
1511
1606
|
|
1512
1607
|
if $INITIALIZE
|
1513
1608
|
MU.log "Setting initial password for admin user 'mu', for logging into Nagios and other built-in services.", MU::NOTICE
|
1514
|
-
puts %x{#{MU_BASE}/lib/bin/mu-user-manage -g mu -n "#{$MU_CFG['mu_admin_name']}"}
|
1609
|
+
puts %x{#{CLEAN_ENV_STR} #{MU_BASE}/lib/bin/mu-user-manage -g mu -n "#{$MU_CFG['mu_admin_name']}"}
|
1515
1610
|
MU.log "If Scratchpad web interface is not accessible, try the following:", MU::NOTICE
|
1516
1611
|
puts "#{MU_BASE}/lib/bin/mu-user-manage -g --no-scratchpad mu".bold
|
1517
1612
|
end
|