cloud-mu 3.2.0 → 3.5.0

data/cookbooks/mu-tools/libraries/monkey.rb

@@ -19,7 +19,7 @@ class Chef
           end
 
           begin
-            shell_out_with_timeout!(cmd, env: nil)
+            shell_out(cmd, env: nil)
           rescue StandardError => e
             if cmd.match(/--no-rdoc|--no-ri/)
               cmd.gsub!(/--no-rdoc --no-ri/, "--no-document")

data/cookbooks/mu-tools/recipes/apply_security.rb

@@ -23,13 +23,37 @@ if !node['application_attributes']['skip_recipes'].include?('apply_security')
       include_recipe "mu-tools::aws_api"
       include_recipe "mu-tools::google_api"
   
+      if node['platform_version'].to_i < 6
+        package "policycoreutils"
+      elsif node['platform_version'].to_i < 8
+        package "policycoreutils-python"
+      else
+        package "xfsprogs"
+        package "xfsprogs-devel"
+        package "policycoreutils-python-utils"
+      end
   
-      %w{ policycoreutils-python authconfig ntp aide }.each do |pkg|
+      %w{ authconfig aide }.each do |pkg|
         package "apply_security package #{pkg}" do
           package_name pkg
         end
       end
 
+      if node['platform_version'].to_i < 8
+        package "ntp"
+        bash "NTP" do
+          user "root"
+          code <<-EOH
+    				chkconfig ntpd on
+  	  			ntpdate pool.ntp.org
+  		  		service ntpd start
+          EOH
+        end
+      else
+        package "chrony"
+        service "chronyd"
+      end
+
       execute "enable manual auditd restarts" do
         command "sed -i s/RefuseManualStop=yes/#RefuseManualStop=yes/ /usr/lib/systemd/system/auditd.service ; pkill auditd"
         ignore_failure true
@@ -60,14 +84,6 @@ if !node['application_attributes']['skip_recipes'].include?('apply_security')
         content "set -r autologout 15\n"
       end
   
-      bash "NTP" do
-        user "root"
-        code <<-EOH
-  				chkconfig ntpd on
-  				ntpdate pool.ntp.org
-  				service ntpd start
-        EOH
-      end
   
       #File integrity checking. Default configuration
       bash "AIDE" do
@@ -329,6 +345,12 @@ if !node['application_attributes']['skip_recipes'].include?('apply_security')
         end
       }
 
+      mu_tools_disk "swap" do
+        device node['application_attributes']['swap']['mount_device']
+        size node['application_attributes']['swap']['volume_size_gb']
+        swap true
+      end
+
       mu_tools_disk "/home" do
         device node['application_attributes']['home']['mount_device']
         size node['application_attributes']['home']['volume_size_gb']

data/cookbooks/mu-tools/recipes/aws_api.rb

@@ -16,9 +16,9 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-chef_gem "aws-sdk-core" do
+chef_gem "aws-sdk" do
   compile_time true
-  version "2.11.24"
+  version "3.0.1"
   action :install
 end
 
@@ -30,3 +30,9 @@ if platform_family?("rhel") or platform_family?("amazon")
     end
   end
 end
+
+if node['platform_version'].to_i > 6
+  package "nvme-cli" do
+    ignore_failure true
+  end
+end

data/cookbooks/mu-tools/recipes/base_repositories.rb

@@ -21,7 +21,7 @@ if !node['application_attributes']['skip_recipes'].include?('base_repositories')
   case node['platform_family']
     when "rhel", "redhat", "amazon" # ~FC024
       # Workaround for EOL CentOS 5 repos
-      if node['platform'] != "amazon" and node['platform_version'].to_i == 5
+      if node['platform'] != "amazon" and node['platform_version'].to_i <= 6
         cookbook_file "/etc/yum.repos.d/CentOS-Base.repo" do
           source "CentOS-Base.repo"
         end

data/cookbooks/mu-tools/recipes/gcloud.rb

@@ -28,7 +28,7 @@ if platform_family?("rhel") or platform_family?("amazon")
     end
     package "google-cloud-sdk"
   elsif node['platform_version'].to_i == 6
-    version = "267.0.0"
+    version = "317.0.0"
     remote_file "#{Chef::Config[:file_cache_path]}/gcloud-cli.sh" do
       source "https://sdk.cloud.google.com"
       action :nothing
@@ -42,14 +42,7 @@ if platform_family?("rhel") or platform_family?("amazon")
       code <<-EOH
         rm -rf /opt/google-cloud-sdk/
         tar -xzf #{Chef::Config[:file_cache_path]}/gcloud-cli.tar.gz
-        if [ -f /opt/rh/python27/root/usr/bin/python ];then
-          if [ ! -f /etc/ld.so.conf.d/python27.conf ];then
-            echo "/opt/rh/python27/root/usr/lib64" > /etc/ld.so.conf.d/python27.conf
-            echo "/opt/rh/python27/root/usr/lib" >> /etc/ld.so.conf.d/python27.conf
-            /sbin/ldconfig
-          fi
-        fi
-        CLOUDSDK_PYTHON="`/bin/rpm -ql muthon python27-python | grep '/bin/python$'`" ./google-cloud-sdk/install.sh -q
+        CLOUDSDK_PYTHON="`/bin/rpm -ql muthon | grep '/bin/python3$'`" ./google-cloud-sdk/install.sh -q
       EOH
       notifies :create, "remote_file[#{Chef::Config[:file_cache_path]}/gcloud-cli.sh]", :before
       notifies :create, "remote_file[#{Chef::Config[:file_cache_path]}/gcloud-cli.tar.gz]", :before

data/cookbooks/mu-tools/recipes/google_api.rb

@@ -23,3 +23,10 @@
 		only_if { !get_google_metadata("instance/name").nil? }
   end
 }
+
+
+if node['platform_version'].to_i > 6
+  package "nvme-cli" do
+    ignore_failure true
+  end
+end

data/cookbooks/mu-tools/recipes/rsyslog.rb

@@ -33,7 +33,14 @@ if !node['application_attributes']['skip_recipes'].include?('rsyslog')
     if platform_family?("rhel") or platform_family?("amazon")
       $rsyslog_ssl_ca_path = "/etc/pki/Mu_CA.pem"
       if !platform?("amazon")
-        package node['platform_version'].to_i < 6 ? "policycoreutils" : "policycoreutils-python"
+        semanage_pkg = if node['platform_version'].to_i < 6
+          "policycoreutils"
+        elsif node['platform_version'].to_i < 8
+          "policycoreutils-python"
+        else
+          "policycoreutils-python-utils"
+        end
+        package semanage_pkg
         execute "allow rsyslog to meddle with port 10514" do
           command "/usr/sbin/semanage port -a -t syslogd_port_t -p tcp 10514"
           not_if "/usr/sbin/semanage port -l | grep '^syslog.*10514'"

data/cookbooks/mu-tools/resources/disk.rb

@@ -4,86 +4,157 @@ property :device, String, required: true
 property :delete_on_termination, :kind_of => [TrueClass, FalseClass], default: true
 property :preserve_data, :kind_of => [TrueClass, FalseClass], :required => false, :default => false
 property :reboot_after_create, :kind_of => [TrueClass, FalseClass], :required => false, :default => false
+property :swap, :kind_of => [TrueClass, FalseClass], :required => false, :default => false
 property :size, Integer, default: 8
 
 actions :create # ~FC092
 default_action :create
 
 action :create do
-  device = new_resource.device
+  devicepath = new_resource.device
   path = new_resource.mountpoint
-  devicename = device
+  devicename = devicepath.dup
 
   if set_gcp_cfg_params
     devicename= devicename.gsub(/.*?\//, "")
-    device = "/dev/disk/by-id/google-"+devicename
+    devicepath = "/dev/disk/by-id/google-"+devicename
   end
 
-  mu_tools_mommacat_request "create #{path}" do
+  mu_tools_mommacat_request "create #{devicepath} for #{path}" do
     request "add_volume"
     passparams(
       :dev => devicename,
       :size => new_resource.size,
       :delete_on_termination => new_resource.delete_on_termination
     )
-    not_if { ::File.exist?(device) }
+    not_if { ::File.exist?(real_devicepath(devicepath)) }
   end
 
   reboot "Rebooting after adding #{path}" do
     action :nothing
   end
 
-  backupname = path.gsub(/[^a-z0-9]/i, "_")
-  directory "/mnt#{backupname}" do
-    action :nothing
+  fstype = if new_resource.swap
+    "swap"
+  else
+    node['platform_version'].to_i == 6 ? "ext4" : "xfs"
   end
-  mount "/mnt#{backupname}" do
-    device device
-    options "nodev"
-    action :nothing
-    notifies :create, "directory[/mnt#{backupname}]", :before
+  path = "swap" if new_resource.swap
+
+  mkfs_cmd = case fstype
+  when "xfs"
+    "mkfs.xfs -i size=512"
+  when "ext4"
+    "mkfs.ext4 -F"
+  when "swap"
+    "mkswap"
   end
-  execute "back up #{backupname}" do
-    # also expunge files so we don't eat up a bunch of disk space quietly
-    # underneath our new mount
-    command "( cd #{path} && tar -cpf - . | su -c 'cd /mnt#{backupname}/ && tar -xpf -' ) && find #{path}/ -type f -exec rm -f {} \\;"
-    only_if { ::Dir.exist?(path) and ::Dir.exist?("/mnt#{backupname}") }
-    action :nothing
+
+  have_fs_cmd = case fstype
+  when "xfs"
+    "xfs_admin -l"
+  when "ext4"
+    "tune2fs -l"
+  when "swap"
+    "blkid"
   end
 
-  mkfs_cmd = node['platform_version'].to_i == 6 ? "mkfs.ext4 -F #{device}" : "mkfs.xfs -i size=512 #{device}"
-  guard_cmd = node['platform_version'].to_i == 6 ? "tune2fs -l #{device} > /dev/null" : "xfs_admin -l #{device} > /dev/null"
+  ruby_block "format #{path} by its real device name" do
+    block do
+      guard_cmd = have_fs_cmd+" "+real_devicepath(devicepath)+" 2>&1 > /dev/null"
+      format_cmd = mkfs_cmd+" "+real_devicepath(devicepath)
+
+      shell_out(guard_cmd)
+      if $?.exitstatus != 0
+        puts "\n"+format_cmd
+        shell_out(format_cmd)
+      end
+    end
+    not_if "grep ' #{path} ' /etc/mtab"
+  end
+
+
+  ruby_block "mount #{path} by its real device name" do # ~FC014
+    block do
+
+      def sort_fstab(a, b)
+        a_dev, a_path, a_fs, a_opts, a_dump, a_fsck = a.chomp.split(/[\t\s]+/)
+        b_dev, b_path, b_fs, b_opts, b_dump, b_fsck = b.chomp.split(/[\t\s]+/)
+        if a =~ /^\s*[#\n]/ or b =~ /^\s*[#\n]/ or !a_path or !b_path
+          0
+        elsif a_path =~ /^#{Regexp.quote(b_path)}\//
+          1
+        elsif b_path =~ /^#{Regexp.quote(a_path)}\//
+          -1
+        else
+          0
+        end
+      end
 
-  execute mkfs_cmd do
-    if new_resource.preserve_data
-      notifies :mount, "mount[/mnt#{backupname}]", :immediately
-      notifies :run, "execute[back up #{backupname}]", :immediately
-      notifies :unmount, "mount[/mnt#{backupname}]", :immediately
+      dev_pattern = Regexp.quote(real_devicepath(devicepath))
+      uuid_line = uuid_line(devicepath)
+      uuid_line = nil if uuid_line.empty?
+      if uuid_line
+        dev_pattern = "("+dev_pattern+"|"+Regexp.quote(uuid_line)+")"
+      end
+
+      have_mtab = false
+      ::File.read("/etc/mtab").each_line { |l|
+        if l =~ /^#{dev_pattern}\s+#{path}\s+#{fstype}\s+/
+          have_mtab = true
+          break
+        end
+      }
+
+      if !have_mtab and new_resource.preserve_data and path != "swap"
+        backupname = path.gsub(/[^a-z0-9]/i, "_")
+        puts "\nPreserving data from #{path}"
+        shell_out(%Q{mkdir -p /mnt#{backupname}})
+        shell_out(%Q{mount #{real_devicepath(devicepath)} /mnt#{backupname}})
+        shell_out(%Q{( cd #{path} && tar -cpf - . | su -c 'cd /mnt#{backupname}/ && tar -xpf -' ) && find #{path}/ -type f -exec rm -f {} \\;})
+        shell_out(%Q{umount /mnt#{backupname}})
+      end
+
+
+      have_fstab = false
+      fstab_lines = []
+      ::File.read("/etc/fstab").each_line { |l|
+        fstab_lines << l.chomp
+        if l =~ /^#{dev_pattern}\s+#{path}\s+#{fstype}\s+/
+          have_fstab = true
+          break
+        end
+      }
+
+      if !have_fstab
+        fstabline = "#{uuid_line ? uuid_line : real_devicepath(devicepath)} #{path} #{fstype} #{new_resource.swap ? "defaults" : "nodev" } 0 #{new_resource.swap ? "0" : "2"}"
+        fstab_lines << fstabline
+        puts "\nAppending to /etc/fstab: #{fstabline}"
+        ::File.open("/etc/fstab", "w") { |f|
+          fstab_lines.sort { |a, b| sort_fstab(a,b) }.uniq.each { |l|
+            f.puts l
+          }
+        }
+      end
+
+      if !new_resource.reboot_after_create and !new_resource.swap
+        shell_out(%Q{mkdir -p #{path}})
+        shell_out(%Q{/bin/mount -a})
+        shell_out(%Q{/sbin/restorecon -R #{path}})
+      end
     end
+    not_if "grep ' #{path} ' /etc/mtab && grep ' #{path} ' /etc/fstab"
     if new_resource.reboot_after_create
       notifies :request_reboot, "reboot[Rebooting after adding #{path}]", :delayed
     end
-    not_if guard_cmd
   end
 
-  if !new_resource.reboot_after_create
-    directory "Ensure existence of #{path} for #{device}" do
-      recursive true
-      path path
-    end
-
+  if new_resource.swap
+    execute "/sbin/swapon -a"
+  elsif !new_resource.reboot_after_create
     execute "/sbin/restorecon -R #{path}" do
       only_if { ::File.exist?("/sbin/restorecon") }
-      action :nothing
     end
-
-    mount path do
-      device device
-      options "nodev"
-      action [:mount, :enable]
-      notifies :run, "execute[/sbin/restorecon -R #{path}]", :immediately
-    end
-
   end
 
 

data/cookbooks/mu-tools/resources/mommacat_request.rb

@@ -6,6 +6,5 @@ actions :run # ~FC092
 default_action :run
 
 action :run do
-  params = Base64.urlsafe_encode64(JSON.generate(new_resource.passparams))
-  mommacat_request(new_resource.request, params)
+  mommacat_request(new_resource.request, new_resource.passparams)
 end

data/cookbooks/mu-tools/templates/centos-8/sshd_config.erb

@@ -0,0 +1,215 @@
+#       $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $
+
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/local/bin:/usr/bin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options override the
+# default value.
+
+# If you want to change the port on a SELinux system, you have to tell
+# SELinux about this change.
+# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
+#
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+# The default requires explicit activation of protocol 1
+#Protocol 2
+
+# HostKey for protocol version 1
+#HostKey /etc/ssh/ssh_host_key
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Lifetime and size of ephemeral version 1 server key
+#KeyRegenerationInterval 1h
+#ServerKeyBits 1024
+
+# Logging
+# obsoletes QuietMode and FascistLogging
+#SyslogFacility AUTH
+SyslogFacility AUTHPRIV
+LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+#PermitRootLogin yes
+#StrictModes yes
+MaxAuthTries 4
+#MaxSessions 10
+
+#RSAAuthentication yes
+#PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile .ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#RhostsRSAAuthentication no
+# similar for protocol version 2
+HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# RhostsRSAAuthentication and HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+#PasswordAuthentication yes
+PermitEmptyPasswords no
+<% begin
+	if node['application_attributes']['sshd_allow_password_auth'] %>
+PasswordAuthentication yes
+<%
+  else %>
+    PasswordAuthentication no
+<%  end
+rescue NoMethodError %>
+PasswordAuthentication no
+<% end %>
+
+
+# Change to no to disable s/key passwords
+#ChallengeResponseAuthentication yes
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+#KerberosUseKuserok yes
+
+# GSSAPI options
+#GSSAPIAuthentication no
+GSSAPIAuthentication yes
+GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+#GSSAPIEnablek5users no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
+# problems.
+UsePAM yes
+
+# Accept locale-related environment variables
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+AcceptEnv XMODIFIERS
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding no
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+#PrintMotd yes
+#PrintLastLog yes
+#TCPKeepAlive yes
+#UseLogin no
+UsePrivilegeSeparation sandbox          # Default for new installations.
+#PermitUserEnvironment no
+#Compression delayed
+ClientAliveInterval 300
+ClientAliveCountMax 0
+#ShowPatchLevel no
+#UseDNS yes
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+Banner /etc/issue.net
+
+# override default of no subsystems
+Subsystem sftp  /usr/libexec/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#       X11Forwarding no
+#       AllowTcpForwarding no
+#       PermitTTY no
+#       ForceCommand cvs server
+PermitRootLogin without-password
+UseDNS no
+
+Ciphers aes128-ctr,aes192-ctr,aes256-ctr
+
+# If we've set AllowGroups, use that instead of restricting to centos
+<%
+begin
+	if !node['application_attributes']['sshd_allow_groups'].empty? %>
+AllowGroups <%= node['application_attributes']['sshd_allow_groups'] %> root
+<%
+	else
+	%>
+AllowUsers centos root
+<%
+	end
+rescue NoMethodError %>
+AllowUsers centos root
+<%
+end
+%>
+
+# Support SVN-only servers, while we're at it
+<%
+begin
+	if node['application_attributes']['svn_only_group'] %>
+Match Group <%= node['application_attributes']['svn_only_group'] %>
+	ForceCommand /usr/bin/svnserve -t
+<%
+	end
+rescue NoMethodError
+end
+%>
+
+# Support SFTP-only servers, while we're at it
+<%
+begin
+	if node['application_attributes']['sftp_only_group'] %>
+Match Group <%= node['application_attributes']['sftp_only_group'] %>
+	ForceCommand internal-sftp
+<%  begin
+			if node['application_attributes']['sftp_chroot'] %>
+	ChrootDirectory <%= node['application_attributes']['sftp_chroot'] %>
+<%
+			end
+		rescue NoMethodError %>
+	ChrootDirectory /home/
+<%
+		end
+	end
+rescue NoMethodError
+end
+%>