cloud-mu 3.2.0 → 3.5.0
- checksums.yaml +4 -4
- data/Dockerfile +1 -1
- data/ansible/roles/mu-nat/tasks/main.yml +3 -0
- data/bin/mu-adopt +12 -1
- data/bin/mu-aws-setup +41 -7
- data/bin/mu-azure-setup +34 -0
- data/bin/mu-configure +214 -119
- data/bin/mu-gcp-setup +37 -2
- data/bin/mu-load-config.rb +2 -1
- data/bin/mu-node-manage +3 -0
- data/bin/mu-refresh-ssl +67 -0
- data/bin/mu-run-tests +28 -6
- data/bin/mu-self-update +30 -10
- data/bin/mu-upload-chef-artifacts +30 -26
- data/cloud-mu.gemspec +10 -8
- data/cookbooks/mu-master/attributes/default.rb +5 -1
- data/cookbooks/mu-master/metadata.rb +2 -2
- data/cookbooks/mu-master/recipes/default.rb +81 -26
- data/cookbooks/mu-master/recipes/init.rb +197 -62
- data/cookbooks/mu-master/recipes/update_nagios_only.rb +1 -1
- data/cookbooks/mu-master/recipes/vault.rb +78 -77
- data/cookbooks/mu-master/templates/default/mods/rewrite.conf.erb +1 -0
- data/cookbooks/mu-master/templates/default/nagios.conf.erb +103 -0
- data/cookbooks/mu-master/templates/default/web_app.conf.erb +14 -30
- data/cookbooks/mu-tools/attributes/default.rb +12 -0
- data/cookbooks/mu-tools/files/centos-6/CentOS-Base.repo +47 -0
- data/cookbooks/mu-tools/libraries/helper.rb +98 -4
- data/cookbooks/mu-tools/libraries/monkey.rb +1 -1
- data/cookbooks/mu-tools/recipes/apply_security.rb +31 -9
- data/cookbooks/mu-tools/recipes/aws_api.rb +8 -2
- data/cookbooks/mu-tools/recipes/base_repositories.rb +1 -1
- data/cookbooks/mu-tools/recipes/gcloud.rb +2 -9
- data/cookbooks/mu-tools/recipes/google_api.rb +7 -0
- data/cookbooks/mu-tools/recipes/rsyslog.rb +8 -1
- data/cookbooks/mu-tools/resources/disk.rb +113 -42
- data/cookbooks/mu-tools/resources/mommacat_request.rb +1 -2
- data/cookbooks/mu-tools/templates/centos-8/sshd_config.erb +215 -0
- data/extras/Gemfile.lock.bootstrap +394 -0
- data/extras/bucketstubs/error.html +0 -0
- data/extras/bucketstubs/index.html +0 -0
- data/extras/clean-stock-amis +11 -3
- data/extras/generate-stock-images +6 -3
- data/extras/git_rpm/build.sh +20 -0
- data/extras/git_rpm/mugit.spec +53 -0
- data/extras/image-generators/AWS/centos7.yaml +19 -16
- data/extras/image-generators/AWS/{rhel7.yaml → rhel71.yaml} +0 -0
- data/extras/image-generators/AWS/{win2k12.yaml → win2k12r2.yaml} +0 -0
- data/extras/image-generators/VMWare/centos8.yaml +15 -0
- data/extras/openssl_rpm/build.sh +19 -0
- data/extras/openssl_rpm/mussl.spec +46 -0
- data/extras/python_rpm/muthon.spec +14 -4
- data/extras/ruby_rpm/muby.spec +9 -5
- data/extras/sqlite_rpm/build.sh +19 -0
- data/extras/sqlite_rpm/muqlite.spec +47 -0
- data/install/installer +7 -5
- data/modules/mommacat.ru +2 -2
- data/modules/mu.rb +14 -7
- data/modules/mu/adoption.rb +5 -5
- data/modules/mu/cleanup.rb +47 -25
- data/modules/mu/cloud.rb +29 -1
- data/modules/mu/cloud/dnszone.rb +0 -2
- data/modules/mu/cloud/machine_images.rb +1 -1
- data/modules/mu/cloud/providers.rb +6 -1
- data/modules/mu/cloud/resource_base.rb +16 -7
- data/modules/mu/cloud/ssh_sessions.rb +5 -1
- data/modules/mu/cloud/wrappers.rb +20 -7
- data/modules/mu/config.rb +28 -12
- data/modules/mu/config/bucket.rb +31 -2
- data/modules/mu/config/cache_cluster.rb +1 -1
- data/modules/mu/config/cdn.rb +100 -0
- data/modules/mu/config/container_cluster.rb +1 -1
- data/modules/mu/config/database.rb +3 -3
- data/modules/mu/config/dnszone.rb +4 -3
- data/modules/mu/config/endpoint.rb +1 -0
- data/modules/mu/config/firewall_rule.rb +1 -1
- data/modules/mu/config/function.rb +16 -7
- data/modules/mu/config/job.rb +89 -0
- data/modules/mu/config/notifier.rb +7 -18
- data/modules/mu/config/ref.rb +55 -9
- data/modules/mu/config/schema_helpers.rb +12 -3
- data/modules/mu/config/server.rb +11 -5
- data/modules/mu/config/server_pool.rb +2 -2
- data/modules/mu/config/vpc.rb +11 -10
- data/modules/mu/defaults/AWS.yaml +106 -106
- data/modules/mu/deploy.rb +40 -14
- data/modules/mu/groomers/chef.rb +2 -2
- data/modules/mu/master.rb +70 -3
- data/modules/mu/mommacat.rb +28 -9
- data/modules/mu/mommacat/daemon.rb +13 -7
- data/modules/mu/mommacat/naming.rb +2 -2
- data/modules/mu/mommacat/search.rb +16 -5
- data/modules/mu/mommacat/storage.rb +67 -32
- data/modules/mu/providers/aws.rb +298 -85
- data/modules/mu/providers/aws/alarm.rb +5 -5
- data/modules/mu/providers/aws/bucket.rb +284 -50
- data/modules/mu/providers/aws/cache_cluster.rb +26 -26
- data/modules/mu/providers/aws/cdn.rb +782 -0
- data/modules/mu/providers/aws/collection.rb +16 -16
- data/modules/mu/providers/aws/container_cluster.rb +84 -64
- data/modules/mu/providers/aws/database.rb +59 -55
- data/modules/mu/providers/aws/dnszone.rb +29 -12
- data/modules/mu/providers/aws/endpoint.rb +535 -50
- data/modules/mu/providers/aws/firewall_rule.rb +32 -26
- data/modules/mu/providers/aws/folder.rb +1 -1
- data/modules/mu/providers/aws/function.rb +300 -134
- data/modules/mu/providers/aws/group.rb +16 -14
- data/modules/mu/providers/aws/habitat.rb +4 -4
- data/modules/mu/providers/aws/job.rb +469 -0
- data/modules/mu/providers/aws/loadbalancer.rb +67 -45
- data/modules/mu/providers/aws/log.rb +17 -17
- data/modules/mu/providers/aws/msg_queue.rb +22 -13
- data/modules/mu/providers/aws/nosqldb.rb +99 -8
- data/modules/mu/providers/aws/notifier.rb +137 -65
- data/modules/mu/providers/aws/role.rb +119 -83
- data/modules/mu/providers/aws/search_domain.rb +166 -30
- data/modules/mu/providers/aws/server.rb +209 -118
- data/modules/mu/providers/aws/server_pool.rb +95 -130
- data/modules/mu/providers/aws/storage_pool.rb +19 -11
- data/modules/mu/providers/aws/user.rb +5 -5
- data/modules/mu/providers/aws/userdata/linux.erb +5 -4
- data/modules/mu/providers/aws/vpc.rb +109 -54
- data/modules/mu/providers/aws/vpc_subnet.rb +43 -39
- data/modules/mu/providers/azure.rb +78 -12
- data/modules/mu/providers/azure/server.rb +20 -4
- data/modules/mu/providers/cloudformation/server.rb +1 -1
- data/modules/mu/providers/google.rb +21 -5
- data/modules/mu/providers/google/bucket.rb +1 -1
- data/modules/mu/providers/google/container_cluster.rb +1 -1
- data/modules/mu/providers/google/database.rb +1 -1
- data/modules/mu/providers/google/firewall_rule.rb +1 -1
- data/modules/mu/providers/google/folder.rb +7 -3
- data/modules/mu/providers/google/function.rb +66 -31
- data/modules/mu/providers/google/group.rb +1 -1
- data/modules/mu/providers/google/habitat.rb +1 -1
- data/modules/mu/providers/google/loadbalancer.rb +1 -1
- data/modules/mu/providers/google/role.rb +6 -3
- data/modules/mu/providers/google/server.rb +1 -1
- data/modules/mu/providers/google/server_pool.rb +1 -1
- data/modules/mu/providers/google/user.rb +1 -1
- data/modules/mu/providers/google/vpc.rb +28 -3
- data/modules/tests/aws-jobs-functions.yaml +46 -0
- data/modules/tests/aws-servers-with-handrolled-iam.yaml +37 -0
- data/modules/tests/centos6.yaml +4 -0
- data/modules/tests/centos7.yaml +4 -0
- data/modules/tests/ecs.yaml +2 -2
- data/modules/tests/eks.yaml +1 -1
- data/modules/tests/functions/node-function/lambda_function.js +10 -0
- data/modules/tests/functions/python-function/lambda_function.py +12 -0
- data/modules/tests/k8s.yaml +1 -1
- data/modules/tests/microservice_app.yaml +288 -0
- data/modules/tests/rds.yaml +5 -5
- data/modules/tests/regrooms/rds.yaml +5 -5
- data/modules/tests/server-with-scrub-muisms.yaml +1 -1
- data/modules/tests/super_complex_bok.yml +2 -2
- data/modules/tests/super_simple_bok.yml +2 -2
- metadata +42 -17
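--- a/data/cookbooks/mu-tools/recipes/apply_security.rb
+++ b/data/cookbooks/mu-tools/recipes/apply_security.rb
@@ -23,13 +23,37 @@ if !node['application_attributes']['skip_recipes'].include?('apply_security')
 include_recipe "mu-tools::aws_api"
 include_recipe "mu-tools::google_api"
 
+if node['platform_version'].to_i < 6
+package "policycoreutils"
+elsif node['platform_version'].to_i < 8
+package "policycoreutils-python"
+else
+package "xfsprogs"
+package "xfsprogs-devel"
+package "policycoreutils-python-utils"
+end
 
-%w{
+%w{ authconfig aide }.each do |pkg|
 package "apply_security package #{pkg}" do
 package_name pkg
 end
 end
 
+if node['platform_version'].to_i < 8
+package "ntp"
+bash "NTP" do
+user "root"
+code <<-EOH
+chkconfig ntpd on
+ntpdate pool.ntp.org
+service ntpd start
+EOH
+end
+else
+package "chrony"
+service "chronyd"
+end
+
 execute "enable manual auditd restarts" do
 command "sed -i s/RefuseManualStop=yes/#RefuseManualStop=yes/ /usr/lib/systemd/system/auditd.service ; pkill auditd"
 ignore_failure true
@@ -60,14 +84,6 @@ if !node['application_attributes']['skip_recipes'].include?('apply_security')
 content "set -r autologout 15\n"
 end
 
-bash "NTP" do
-user "root"
-code <<-EOH
-chkconfig ntpd on
-ntpdate pool.ntp.org
-service ntpd start
-EOH
-end
 
 #File integrity checking. Default configuration
 bash "AIDE" do
@@ -329,6 +345,12 @@ if !node['application_attributes']['skip_recipes'].include?('apply_security')
 end
 }
 
+mu_tools_disk "swap" do
+device node['application_attributes']['swap']['mount_device']
+size node['application_attributes']['swap']['volume_size_gb']
+swap true
+end
+
 mu_tools_disk "/home" do
 device node['application_attributes']['home']['mount_device']
 size node['application_attributes']['home']['volume_size_gb']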
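--- a/data/cookbooks/mu-tools/recipes/aws_api.rb
+++ b/data/cookbooks/mu-tools/recipes/aws_api.rb
@@ -16,9 +16,9 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-chef_gem "aws-sdk
+chef_gem "aws-sdk" do
 compile_time true
-version "
+version "3.0.1"
 action :install
 end
 
@@ -30,3 +30,9 @@ if platform_family?("rhel") or platform_family?("amazon")
 end
 end
 end
+
+if node['platform_version'].to_i > 6
+package "nvme-cli" do
+ignore_failure true
+end
+end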
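--- a/data/cookbooks/mu-tools/recipes/base_repositories.rb
+++ b/data/cookbooks/mu-tools/recipes/base_repositories.rb
@@ -21,7 +21,7 @@ if !node['application_attributes']['skip_recipes'].include?('base_repositories')
 case node['platform_family']
 when "rhel", "redhat", "amazon" # ~FC024
 # Workaround for EOL CentOS 5 repos
-if node['platform'] != "amazon" and node['platform_version'].to_i
+if node['platform'] != "amazon" and node['platform_version'].to_i <= 6
 cookbook_file "/etc/yum.repos.d/CentOS-Base.repo" do
 source "CentOS-Base.repo"
 end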
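--- a/data/cookbooks/mu-tools/recipes/gcloud.rb
+++ b/data/cookbooks/mu-tools/recipes/gcloud.rb
@@ -28,7 +28,7 @@ if platform_family?("rhel") or platform_family?("amazon")
 end
 package "google-cloud-sdk"
 elsif node['platform_version'].to_i == 6
-version = "
+version = "317.0.0"
 remote_file "#{Chef::Config[:file_cache_path]}/gcloud-cli.sh" do
 source "https://sdk.cloud.google.com"
 action :nothing
@@ -42,14 +42,7 @@ if platform_family?("rhel") or platform_family?("amazon")
 code <<-EOH
 rm -rf /opt/google-cloud-sdk/
 tar -xzf #{Chef::Config[:file_cache_path]}/gcloud-cli.tar.gz
-
-if [ ! -f /etc/ld.so.conf.d/python27.conf ];then
-echo "/opt/rh/python27/root/usr/lib64" > /etc/ld.so.conf.d/python27.conf
-echo "/opt/rh/python27/root/usr/lib" >> /etc/ld.so.conf.d/python27.conf
-/sbin/ldconfig
-fi
-fi
-CLOUDSDK_PYTHON="`/bin/rpm -ql muthon python27-python | grep '/bin/python$'`" ./google-cloud-sdk/install.sh -q
+CLOUDSDK_PYTHON="`/bin/rpm -ql muthon | grep '/bin/python3$'`" ./google-cloud-sdk/install.sh -q
 EOH
 notifies :create, "remote_file[#{Chef::Config[:file_cache_path]}/gcloud-cli.sh]", :before
 notifies :create, "remote_file[#{Chef::Config[:file_cache_path]}/gcloud-cli.tar.gz]", :before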
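--- a/data/cookbooks/mu-tools/recipes/rsyslog.rb
+++ b/data/cookbooks/mu-tools/recipes/rsyslog.rb
@@ -33,7 +33,14 @@ if !node['application_attributes']['skip_recipes'].include?('rsyslog')
 if platform_family?("rhel") or platform_family?("amazon")
 $rsyslog_ssl_ca_path = "/etc/pki/Mu_CA.pem"
 if !platform?("amazon")
-
+semanage_pkg = if node['platform_version'].to_i < 6
+"policycoreutils"
+elsif node['platform_version'].to_i < 8
+"policycoreutils-python"
+else
+"policycoreutils-python-utils"
+end
+package semanage_pkg
 execute "allow rsyslog to meddle with port 10514" do
 command "/usr/sbin/semanage port -a -t syslogd_port_t -p tcp 10514"
 not_if "/usr/sbin/semanage port -l | grep '^syslog.*10514'"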
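--- a/data/cookbooks/mu-tools/resources/disk.rb
+++ b/data/cookbooks/mu-tools/resources/disk.rb
@@ -4,86 +4,157 @@ property :device, String, required: true
 property :delete_on_termination, :kind_of => [TrueClass, FalseClass], default: true
 property :preserve_data, :kind_of => [TrueClass, FalseClass], :required => false, :default => false
 property :reboot_after_create, :kind_of => [TrueClass, FalseClass], :required => false, :default => false
+property :swap, :kind_of => [TrueClass, FalseClass], :required => false, :default => false
 property :size, Integer, default: 8
 
 actions :create # ~FC092
 default_action :create
 
 action :create do
-
+devicepath = new_resource.device
 path = new_resource.mountpoint
-devicename =
+devicename = devicepath.dup
 
 if set_gcp_cfg_params
 devicename= devicename.gsub(/.*?\//, "")
-
+devicepath = "/dev/disk/by-id/google-"+devicename
 end
 
-mu_tools_mommacat_request "create #{path}" do
+mu_tools_mommacat_request "create #{devicepath} for #{path}" do
 request "add_volume"
 passparams(
 :dev => devicename,
 :size => new_resource.size,
 :delete_on_termination => new_resource.delete_on_termination
 )
-not_if { ::File.exist?(
+not_if { ::File.exist?(real_devicepath(devicepath)) }
 end
 
 reboot "Rebooting after adding #{path}" do
 action :nothing
 end
 
-
-
-
+fstype = if new_resource.swap
+"swap"
+else
+node['platform_version'].to_i == 6 ? "ext4" : "xfs"
 end
-
-
-
-
-
+path = "swap" if new_resource.swap
+
+mkfs_cmd = case fstype
+when "xfs"
+"mkfs.xfs -i size=512"
+when "ext4"
+"mkfs.ext4 -F"
+when "swap"
+"mkswap"
 end
-
-
-
-
-
-
+
+have_fs_cmd = case fstype
+when "xfs"
+"xfs_admin -l"
+when "ext4"
+"tune2fs -l"
+when "swap"
+"blkid"
 end
 
-
-
+ruby_block "format #{path} by its real device name" do
+block do
+guard_cmd = have_fs_cmd+" "+real_devicepath(devicepath)+" 2>&1 > /dev/null"
+format_cmd = mkfs_cmd+" "+real_devicepath(devicepath)
+
+shell_out(guard_cmd)
+if $?.exitstatus != 0
+puts "\n"+format_cmd
+shell_out(format_cmd)
+end
+end
+not_if "grep ' #{path} ' /etc/mtab"
+end
+
+
+ruby_block "mount #{path} by its real device name" do # ~FC014
+block do
+
+def sort_fstab(a, b)
+a_dev, a_path, a_fs, a_opts, a_dump, a_fsck = a.chomp.split(/[\t\s]+/)
+b_dev, b_path, b_fs, b_opts, b_dump, b_fsck = b.chomp.split(/[\t\s]+/)
+if a =~ /^\s*[#\n]/ or b =~ /^\s*[#\n]/ or !a_path or !b_path
+0
+elsif a_path =~ /^#{Regexp.quote(b_path)}\//
+1
+elsif b_path =~ /^#{Regexp.quote(a_path)}\//
+-1
+else
+0
+end
+end
 
-
-
-
-
-
+dev_pattern = Regexp.quote(real_devicepath(devicepath))
+uuid_line = uuid_line(devicepath)
+uuid_line = nil if uuid_line.empty?
+if uuid_line
+dev_pattern = "("+dev_pattern+"|"+Regexp.quote(uuid_line)+")"
+end
+
+have_mtab = false
+::File.read("/etc/mtab").each_line { |l|
+if l =~ /^#{dev_pattern}\s+#{path}\s+#{fstype}\s+/
+have_mtab = true
+break
+end
+}
+
+if !have_mtab and new_resource.preserve_data and path != "swap"
+backupname = path.gsub(/[^a-z0-9]/i, "_")
+puts "\nPreserving data from #{path}"
+shell_out(%Q{mkdir -p /mnt#{backupname}})
+shell_out(%Q{mount #{real_devicepath(devicepath)} /mnt#{backupname}})
+shell_out(%Q{( cd #{path} && tar -cpf - . | su -c 'cd /mnt#{backupname}/ && tar -xpf -' ) && find #{path}/ -type f -exec rm -f {} \\;})
+shell_out(%Q{umount /mnt#{backupname}})
+end
+
+
+have_fstab = false
+fstab_lines = []
+::File.read("/etc/fstab").each_line { |l|
+fstab_lines << l.chomp
+if l =~ /^#{dev_pattern}\s+#{path}\s+#{fstype}\s+/
+have_fstab = true
+break
+end
+}
+
+if !have_fstab
+fstabline = "#{uuid_line ? uuid_line : real_devicepath(devicepath)} #{path} #{fstype} #{new_resource.swap ? "defaults" : "nodev" } 0 #{new_resource.swap ? "0" : "2"}"
+fstab_lines << fstabline
+puts "\nAppending to /etc/fstab: #{fstabline}"
+::File.open("/etc/fstab", "w") { |f|
+fstab_lines.sort { |a, b| sort_fstab(a,b) }.uniq.each { |l|
+f.puts l
+}
+}
+end
+
+if !new_resource.reboot_after_create and !new_resource.swap
+shell_out(%Q{mkdir -p #{path}})
+shell_out(%Q{/bin/mount -a})
+shell_out(%Q{/sbin/restorecon -R #{path}})
+end
 end
+not_if "grep ' #{path} ' /etc/mtab && grep ' #{path} ' /etc/fstab"
 if new_resource.reboot_after_create
 notifies :request_reboot, "reboot[Rebooting after adding #{path}]", :delayed
 end
-not_if guard_cmd
 end
 
-if
-
-
-path path
-end
-
+if new_resource.swap
+execute "/sbin/swapon -a"
+elsif !new_resource.reboot_after_create
 execute "/sbin/restorecon -R #{path}" do
 only_if { ::File.exist?("/sbin/restorecon") }
-action :nothing
 end
-
-mount path do
-device device
-options "nodev"
-action [:mount, :enable]
-notifies :run, "execute[/sbin/restorecon -R #{path}]", :immediately
-end
-
 end
 
 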
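Review bot: Both new `ruby_block`s discard command failures: the format block reads `$?.exitstatus` instead of the `Mixlib::ShellOut` object that `shell_out` returns and then calls `shell_out(format_cmd)` unchecked, so a failed `mkfs` still falls through to the fstab rewrite and `mount -a`; the preserve_data branch (new lines 109-116) likewise runs `find #{path}/ -type f -exec rm -f {} \;` after a `tar | su -c 'tar -xpf -'` pipeline whose producer-side failure is invisible to the `&&`, which can delete files that were never copied. Use `shell_out!` for the format, mount, copy and umount steps and take the guard's status from the returned object; the rewritten format block is below. Separately, `::File.open("/etc/fstab", "w")` truncates the file before the new content is written, so an interrupted run can leave an empty fstab; write to a sibling temp file and `File.rename` it into place, as in the second excerpt. The `sort_fstab` comparator returns 0 for most pairs and Ruby's sort is not stable, so existing entries may be reordered on each rewrite — probably harmless, but worth a one-line comment above the `def`. The `uuid_line = uuid_line(devicepath)` line also shadows the helper with a local of the same name; `uuid_entry = uuid_line(devicepath)` reads less like a recursion.

```ruby
ruby_block "format #{path} by its real device name" do
  block do
    guard_cmd = have_fs_cmd+" "+real_devicepath(devicepath)+" > /dev/null 2>&1"
    format_cmd = mkfs_cmd+" "+real_devicepath(devicepath)

    # shell_out returns a Mixlib::ShellOut; read the status from it rather than $?
    if shell_out(guard_cmd).exitstatus != 0
      Chef::Log.info("Formatting #{path}: #{format_cmd}")
      shell_out!(format_cmd) # fail the run rather than mount an unformatted device
    end
  end
  not_if "grep ' #{path} ' /etc/mtab"
end

# … unchanged: mount ruby_block up to the fstab rewrite …
if !have_fstab
  fstabline = "#{uuid_line ? uuid_line : real_devicepath(devicepath)} #{path} #{fstype} #{new_resource.swap ? "defaults" : "nodev" } 0 #{new_resource.swap ? "0" : "2"}"
  fstab_lines << fstabline
  Chef::Log.info("Appending to /etc/fstab: #{fstabline}")
  # write then rename so an interrupted run never leaves a truncated /etc/fstab
  tmpfstab = "/etc/fstab.mu-tools.tmp"
  ::File.open(tmpfstab, "w", 0644) { |f|
    fstab_lines.sort { |a, b| sort_fstab(a,b) }.uniq.each { |l| f.puts l }
  }
  ::File.rename(tmpfstab, "/etc/fstab")
end
```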
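--- /dev/null
+++ b/data/cookbooks/mu-tools/templates/centos-8/sshd_config.erb
@@ -0,0 +1,215 @@
+# $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $
+
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/local/bin:/usr/bin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options override the
+# default value.
+
+# If you want to change the port on a SELinux system, you have to tell
+# SELinux about this change.
+# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
+#
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+# The default requires explicit activation of protocol 1
+#Protocol 2
+
+# HostKey for protocol version 1
+#HostKey /etc/ssh/ssh_host_key
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Lifetime and size of ephemeral version 1 server key
+#KeyRegenerationInterval 1h
+#ServerKeyBits 1024
+
+# Logging
+# obsoletes QuietMode and FascistLogging
+#SyslogFacility AUTH
+SyslogFacility AUTHPRIV
+LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+#PermitRootLogin yes
+#StrictModes yes
+MaxAuthTries 4
+#MaxSessions 10
+
+#RSAAuthentication yes
+#PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile .ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#RhostsRSAAuthentication no
+# similar for protocol version 2
+HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# RhostsRSAAuthentication and HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+#PasswordAuthentication yes
+PermitEmptyPasswords no
+<% begin
+if node['application_attributes']['sshd_allow_password_auth'] %>
+PasswordAuthentication yes
+<%
+else %>
+PasswordAuthentication no
+<% end
+rescue NoMethodError %>
+PasswordAuthentication no
+<% end %>
+
+
+# Change to no to disable s/key passwords
+#ChallengeResponseAuthentication yes
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+#KerberosUseKuserok yes
+
+# GSSAPI options
+#GSSAPIAuthentication no
+GSSAPIAuthentication yes
+GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+#GSSAPIEnablek5users no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
+# problems.
+UsePAM yes
+
+# Accept locale-related environment variables
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+AcceptEnv XMODIFIERS
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding no
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+#PrintMotd yes
+#PrintLastLog yes
+#TCPKeepAlive yes
+#UseLogin no
+UsePrivilegeSeparation sandbox # Default for new installations.
+#PermitUserEnvironment no
+#Compression delayed
+ClientAliveInterval 300
+ClientAliveCountMax 0
+#ShowPatchLevel no
+#UseDNS yes
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+Banner /etc/issue.net
+
+# override default of no subsystems
+Subsystem sftp /usr/libexec/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# PermitTTY no
+# ForceCommand cvs server
+PermitRootLogin without-password
+UseDNS no
+
+Ciphers aes128-ctr,aes192-ctr,aes256-ctr
+
+# If we've set AllowGroups, use that instead of restricting to centos
+<%
+begin
+if !node['application_attributes']['sshd_allow_groups'].empty? %>
+AllowGroups <%= node['application_attributes']['sshd_allow_groups'] %> root
+<%
+else
+%>
+AllowUsers centos root
+<%
+end
+rescue NoMethodError %>
+AllowUsers centos root
+<%
+end
+%>
+
+# Support SVN-only servers, while we're at it
+<%
+begin
+if node['application_attributes']['svn_only_group'] %>
+Match Group <%= node['application_attributes']['svn_only_group'] %>
+ForceCommand /usr/bin/svnserve -t
+<%
+end
+rescue NoMethodError
+end
+%>
+
+# Support SFTP-only servers, while we're at it
+<%
+begin
+if node['application_attributes']['sftp_only_group'] %>
+Match Group <%= node['application_attributes']['sftp_only_group'] %>
+ForceCommand internal-sftp
+<% begin
+if node['application_attributes']['sftp_chroot'] %>
+ChrootDirectory <%= node['application_attributes']['sftp_chroot'] %>
+<%
+end
+rescue NoMethodError %>
+ChrootDirectory /home/
+<%
+end
+end
+rescue NoMethodError
+end
+%>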
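Review bot: The new CentOS 8 template is the 2014 OpenSSH 6.x stock file (`$OpenBSD: sshd_config,v 1.93 2014` on line 1) carried onto a release that ships OpenSSH 8.x, so several directives are stale: `UsePrivilegeSeparation sandbox` (line 137) has been deprecated since OpenSSH 7.5 and only produces a startup warning, and `PermitRootLogin without-password` (line 163) is the old spelling of `PermitRootLogin prohibit-password`. `ClientAliveCountMax 0` (line 141) changed meaning in OpenSSH 8.2, where it disables the idle disconnect entirely instead of enforcing it, so the 300-second timeout this pair is meant to provide will not survive an OpenSSH update; `ClientAliveCountMax 1` keeps the intent across versions. The explicit `Ciphers aes128-ctr,aes192-ctr,aes256-ctr` (line 166) also interacts with the RHEL 8 system-wide crypto policy, which is applied to sshd through /etc/sysconfig/sshd and can take precedence, so this line may be silently ineffective or, where it wins, drops the AEAD ciphers the policy would allow — verify the effective set with `sshd -T | grep -i ciphers` on a converged node and either remove the line or append `chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com`. Inherited comment text such as `# the setting of "PermitRootLogin without-password"` (line 112) should be updated alongside the directive it refers to.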