cloud-mu 3.3.0 → 3.5.1
- checksums.yaml +4 -4
- data/ansible/roles/mu-nat/tasks/main.yml +3 -0
- data/bin/mu-aws-setup +41 -7
- data/bin/mu-azure-setup +36 -2
- data/bin/mu-configure +214 -119
- data/bin/mu-gcp-setup +37 -2
- data/bin/mu-node-manage +3 -0
- data/bin/mu-refresh-ssl +67 -0
- data/bin/mu-run-tests +14 -4
- data/bin/mu-self-update +30 -10
- data/bin/mu-upload-chef-artifacts +30 -26
- data/cloud-mu.gemspec +9 -7
- data/cookbooks/mu-master/attributes/default.rb +5 -1
- data/cookbooks/mu-master/metadata.rb +2 -2
- data/cookbooks/mu-master/recipes/default.rb +81 -26
- data/cookbooks/mu-master/recipes/init.rb +197 -62
- data/cookbooks/mu-master/recipes/update_nagios_only.rb +1 -1
- data/cookbooks/mu-master/recipes/vault.rb +78 -77
- data/cookbooks/mu-master/templates/default/mods/rewrite.conf.erb +1 -0
- data/cookbooks/mu-master/templates/default/nagios.conf.erb +103 -0
- data/cookbooks/mu-master/templates/default/web_app.conf.erb +14 -30
- data/cookbooks/mu-tools/attributes/default.rb +12 -0
- data/cookbooks/mu-tools/files/centos-6/CentOS-Base.repo +47 -0
- data/cookbooks/mu-tools/libraries/helper.rb +98 -4
- data/cookbooks/mu-tools/libraries/monkey.rb +1 -1
- data/cookbooks/mu-tools/recipes/apply_security.rb +31 -9
- data/cookbooks/mu-tools/recipes/aws_api.rb +8 -2
- data/cookbooks/mu-tools/recipes/base_repositories.rb +1 -1
- data/cookbooks/mu-tools/recipes/gcloud.rb +2 -9
- data/cookbooks/mu-tools/recipes/google_api.rb +7 -0
- data/cookbooks/mu-tools/recipes/rsyslog.rb +8 -1
- data/cookbooks/mu-tools/resources/disk.rb +113 -42
- data/cookbooks/mu-tools/resources/mommacat_request.rb +1 -2
- data/cookbooks/mu-tools/templates/centos-8/sshd_config.erb +215 -0
- data/extras/Gemfile.lock.bootstrap +394 -0
- data/extras/bucketstubs/error.html +0 -0
- data/extras/bucketstubs/index.html +0 -0
- data/extras/clean-stock-amis +11 -3
- data/extras/generate-stock-images +6 -3
- data/extras/git_rpm/build.sh +20 -0
- data/extras/git_rpm/mugit.spec +53 -0
- data/extras/image-generators/AWS/centos7.yaml +19 -16
- data/extras/image-generators/AWS/{rhel7.yaml → rhel71.yaml} +0 -0
- data/extras/image-generators/AWS/{win2k12.yaml → win2k12r2.yaml} +0 -0
- data/extras/image-generators/VMWare/centos8.yaml +15 -0
- data/extras/openssl_rpm/build.sh +19 -0
- data/extras/openssl_rpm/mussl.spec +46 -0
- data/extras/python_rpm/muthon.spec +14 -4
- data/extras/ruby_rpm/muby.spec +9 -5
- data/extras/sqlite_rpm/build.sh +19 -0
- data/extras/sqlite_rpm/muqlite.spec +47 -0
- data/install/installer +7 -5
- data/modules/mommacat.ru +2 -2
- data/modules/mu.rb +12 -5
- data/modules/mu/cloud/machine_images.rb +1 -1
- data/modules/mu/cloud/providers.rb +6 -1
- data/modules/mu/cloud/resource_base.rb +7 -4
- data/modules/mu/cloud/ssh_sessions.rb +5 -1
- data/modules/mu/cloud/wrappers.rb +16 -7
- data/modules/mu/config.rb +28 -12
- data/modules/mu/config/database.rb +2 -2
- data/modules/mu/config/firewall_rule.rb +1 -1
- data/modules/mu/config/ref.rb +3 -3
- data/modules/mu/config/schema_helpers.rb +12 -3
- data/modules/mu/config/server.rb +10 -4
- data/modules/mu/config/server_pool.rb +2 -2
- data/modules/mu/config/vpc.rb +10 -10
- data/modules/mu/defaults/AWS.yaml +96 -96
- data/modules/mu/deploy.rb +27 -14
- data/modules/mu/groomers/chef.rb +2 -2
- data/modules/mu/master.rb +49 -3
- data/modules/mu/mommacat.rb +27 -9
- data/modules/mu/mommacat/naming.rb +2 -2
- data/modules/mu/mommacat/search.rb +16 -5
- data/modules/mu/mommacat/storage.rb +67 -32
- data/modules/mu/providers/aws.rb +185 -71
- data/modules/mu/providers/aws/alarm.rb +3 -3
- data/modules/mu/providers/aws/bucket.rb +19 -19
- data/modules/mu/providers/aws/cache_cluster.rb +22 -22
- data/modules/mu/providers/aws/cdn.rb +2 -2
- data/modules/mu/providers/aws/collection.rb +14 -14
- data/modules/mu/providers/aws/container_cluster.rb +27 -27
- data/modules/mu/providers/aws/database.rb +49 -45
- data/modules/mu/providers/aws/dnszone.rb +5 -5
- data/modules/mu/providers/aws/endpoint.rb +35 -35
- data/modules/mu/providers/aws/firewall_rule.rb +26 -23
- data/modules/mu/providers/aws/function.rb +35 -32
- data/modules/mu/providers/aws/group.rb +7 -7
- data/modules/mu/providers/aws/habitat.rb +2 -2
- data/modules/mu/providers/aws/job.rb +35 -32
- data/modules/mu/providers/aws/loadbalancer.rb +58 -37
- data/modules/mu/providers/aws/log.rb +14 -14
- data/modules/mu/providers/aws/msg_queue.rb +10 -10
- data/modules/mu/providers/aws/nosqldb.rb +8 -8
- data/modules/mu/providers/aws/notifier.rb +7 -7
- data/modules/mu/providers/aws/role.rb +69 -47
- data/modules/mu/providers/aws/search_domain.rb +10 -10
- data/modules/mu/providers/aws/server.rb +198 -110
- data/modules/mu/providers/aws/server_pool.rb +71 -119
- data/modules/mu/providers/aws/storage_pool.rb +17 -9
- data/modules/mu/providers/aws/user.rb +1 -1
- data/modules/mu/providers/aws/vpc.rb +106 -51
- data/modules/mu/providers/aws/vpc_subnet.rb +43 -39
- data/modules/mu/providers/azure.rb +82 -16
- data/modules/mu/providers/azure/server.rb +18 -3
- data/modules/mu/providers/cloudformation/server.rb +1 -1
- data/modules/mu/providers/google.rb +20 -5
- data/modules/mu/providers/google/folder.rb +6 -2
- data/modules/mu/providers/google/function.rb +65 -30
- data/modules/mu/providers/google/role.rb +2 -1
- data/modules/mu/providers/google/vpc.rb +27 -2
- data/modules/tests/aws-servers-with-handrolled-iam.yaml +37 -0
- data/modules/tests/k8s.yaml +1 -1
- metadata +32 -15
@@ -139,7 +139,7 @@ Dir.glob("/usr/lib/cgi-bin/*.cgi").each { |script|
|
|
139
139
|
|
140
140
|
["/usr/lib/cgi-bin"].each { |cgidir|
|
141
141
|
if Dir.exist?(cgidir)
|
142
|
-
execute "chcon -R -
|
142
|
+
execute "chcon -R -t httpd_sys_script_exec_t #{cgidir}" do
|
143
143
|
not_if "ls -aZ #{cgidir} | grep ':httpd_sys_script_exec_t:'"
|
144
144
|
notifies :reload, "service[apache2]", :delayed
|
145
145
|
end
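Review bot: The `not_if` guard on the relabel is weaker than the action it guards: `ls -aZ #{cgidir}` lists only the top level and `grep` succeeds as soon as a single entry carries `httpd_sys_script_exec_t`, so once one script is labeled, scripts added to `cgidir` later are never picked up by `chcon -R`. A guard that asks the opposite question covers that: `only_if "find #{cgidir} ! -context '*:httpd_sys_script_exec_t:*' | grep -q ."`. Also worth a comment on the resource: `chcon` labels are lost on the next `restorecon`/relabel, whereas `semanage fcontext -a -t httpd_sys_script_exec_t "#{cgidir}(/.*)?"` followed by `restorecon -R #{cgidir}` makes the label durable. The `Dir.glob` block that encloses this `each` starts and ends outside the hunk.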
|
@@ -25,87 +25,88 @@
|
|
25
25
|
include_recipe 'mu-master::firewall-holes'
|
26
26
|
|
27
27
|
# Mangle a bunch of values used by the Consul and Vault community cookbooks
|
28
|
-
node.normal['consul']['config']['bootstrap_expect'] = 1 # XXX we only want this on our first run, maybe figure out how to toss it later
|
29
|
-
node.normal['consul']['config']['start_join'] = ["127.0.0.1"]
|
30
|
-
node.normal['consul']['config']['ca_file'] = "#{$MU_CFG['datadir']}/ssl/Mu_CA.pem"
|
31
|
-
node.normal['consul']['config']['key_file'] = "#{$MU_CFG['datadir']}/ssl/consul.key"
|
32
|
-
node.normal['consul']['config']['cert_file'] = "#{$MU_CFG['datadir']}/ssl/consul.crt"
|
33
|
-
consul_public = $MU_CFG['public_address']
|
34
|
-
if !consul_public.match(/^\d+\.\d+\.\d+\.\d+$/)
|
35
|
-
resolver = Resolv::DNS.new
|
36
|
-
begin
|
37
|
-
consul_public = resolver.getaddress(consul_public).to_s
|
38
|
-
end
|
39
|
-
end
|
40
|
-
|
41
|
-
|
42
|
-
node.normal['consul']['config']['advertise_addr'] = consul_public
|
43
|
-
node.normal['consul']['config']['advertise_addr_wan'] = consul_public
|
44
|
-
node.normal['consul']['config']['bind_addr'] = "0.0.0.0"
|
45
|
-
node.normal['
|
46
|
-
node.normal['hashicorp-vault']['config']['
|
47
|
-
node.normal['hashicorp-vault']['config']['
|
48
|
-
node.
|
28
|
+
#node.normal['consul']['config']['bootstrap_expect'] = 1 # XXX we only want this on our first run, maybe figure out how to toss it later
|
29
|
+
#node.normal['consul']['config']['start_join'] = ["127.0.0.1"]
|
30
|
+
#node.normal['consul']['config']['ca_file'] = "#{$MU_CFG['datadir']}/ssl/Mu_CA.pem"
|
31
|
+
#node.normal['consul']['config']['key_file'] = "#{$MU_CFG['datadir']}/ssl/consul.key"
|
32
|
+
#node.normal['consul']['config']['cert_file'] = "#{$MU_CFG['datadir']}/ssl/consul.crt"
|
33
|
+
#consul_public = $MU_CFG['public_address']
|
34
|
+
#if !consul_public.match(/^\d+\.\d+\.\d+\.\d+$/)
|
35
|
+
# resolver = Resolv::DNS.new
|
36
|
+
# begin
|
37
|
+
# consul_public = resolver.getaddress(consul_public).to_s
|
38
|
+
# end
|
39
|
+
#end
|
40
|
+
## strictly speaking we could split internal vs. external IPs here, but atm
|
41
|
+
## we're treating everything not local to this machine as public anyway
|
42
|
+
#node.normal['consul']['config']['advertise_addr'] = consul_public
|
43
|
+
#node.normal['consul']['config']['advertise_addr_wan'] = consul_public
|
44
|
+
#node.normal['consul']['config']['bind_addr'] = "0.0.0.0"
|
45
|
+
#node.normal['consul-cluster']['tls']
|
46
|
+
#node.normal['hashicorp-vault']['config']['tls_key_file'] = "#{$MU_CFG['datadir']}/ssl/vault.key"
|
47
|
+
#node.normal['hashicorp-vault']['config']['tls_cert_file'] = "#{$MU_CFG['datadir']}/ssl/vault.crt"
|
48
|
+
#node.normal['hashicorp-vault']['config']['address'] = '0.0.0.0:8200'
|
49
|
+
#node.save
|
49
50
|
|
50
|
-
["consul", "vault"].each { |cert|
|
51
|
-
# These community cookbooks aren't bright enough to deal with a stringent
|
52
|
-
# umask, and create these unreadable by the application if we don't do it for
|
53
|
-
# them.
|
54
|
-
directory "fix /opt/#{cert} permissions" do
|
55
|
-
path "/opt/#{cert}"
|
56
|
-
mode 0755
|
57
|
-
notifies :restart, "service[#{cert}]", :delayed
|
58
|
-
end
|
59
|
-
}
|
51
|
+
#["consul", "vault"].each { |cert|
|
52
|
+
# # These community cookbooks aren't bright enough to deal with a stringent
|
53
|
+
# # umask, and create these unreadable by the application if we don't do it for
|
54
|
+
# # them.
|
55
|
+
# directory "fix /opt/#{cert} permissions" do
|
56
|
+
# path "/opt/#{cert}"
|
57
|
+
# mode 0755
|
58
|
+
# notifies :restart, "service[#{cert}]", :delayed
|
59
|
+
# end
|
60
|
+
#}
|
60
61
|
|
61
|
-
include_recipe "consul-cluster"
|
62
|
-
include_recipe "vault-cluster"
|
62
|
+
#include_recipe "consul-cluster"
|
63
|
+
#include_recipe "vault-cluster"
|
63
64
|
|
64
|
-
["consul", "vault"].each { |cert|
|
65
|
-
file "fix #{cert} cert permissions" do
|
66
|
-
path "#{$MU_CFG['datadir']}/ssl/#{cert}.crt"
|
67
|
-
owner cert
|
68
|
-
notifies :restart, "service[#{cert}]", :delayed
|
69
|
-
end
|
70
|
-
file "fix #{cert} key permissions" do
|
71
|
-
path "#{$MU_CFG['datadir']}/ssl/#{cert}.key"
|
72
|
-
notifies :restart, "service[#{cert}]", :delayed
|
73
|
-
owner cert
|
74
|
-
end
|
75
|
-
}
|
65
|
+
#["consul", "vault"].each { |cert|
|
66
|
+
# file "fix #{cert} cert permissions" do
|
67
|
+
# path "#{$MU_CFG['datadir']}/ssl/#{cert}.crt"
|
68
|
+
# owner cert
|
69
|
+
# notifies :restart, "service[#{cert}]", :delayed
|
70
|
+
# end
|
71
|
+
# file "fix #{cert} key permissions" do
|
72
|
+
# path "#{$MU_CFG['datadir']}/ssl/#{cert}.key"
|
73
|
+
# notifies :restart, "service[#{cert}]", :delayed
|
74
|
+
# owner cert
|
75
|
+
# end
|
76
|
+
# }
|
76
77
|
|
77
|
-
directory "/opt/vault/#{node['hashicorp-vault']['version']}" do
|
78
|
-
mode 0755
|
79
|
-
notifies :restart, "service[vault]", :delayed
|
80
|
-
end
|
78
|
+
#directory "/opt/vault/#{node['hashicorp-vault']['version']}" do
|
79
|
+
# mode 0755
|
80
|
+
# notifies :restart, "service[vault]", :delayed
|
81
|
+
#end
|
81
82
|
|
82
|
-
directory "/etc/consul/ssl" do
|
83
|
-
owner "consul"
|
84
|
-
group "consul"
|
85
|
-
mode 0755
|
86
|
-
end
|
87
|
-
directory "/etc/vault" do
|
88
|
-
owner "root"
|
89
|
-
mode 0755
|
90
|
-
end
|
91
|
-
directory "/etc/vault/ssl" do
|
92
|
-
owner "root"
|
93
|
-
mode 0755
|
94
|
-
end
|
95
|
-
directory "/etc/consul/ssl/CA" do
|
96
|
-
owner "root"
|
97
|
-
mode 0755
|
98
|
-
end
|
99
|
-
include_recipe 'chef-vault'
|
83
|
+
#directory "/etc/consul/ssl" do
|
84
|
+
# owner "consul"
|
85
|
+
# group "consul"
|
86
|
+
# mode 0755
|
87
|
+
#end
|
88
|
+
#directory "/etc/vault" do
|
89
|
+
# owner "root"
|
90
|
+
# mode 0755
|
91
|
+
#end
|
92
|
+
#directory "/etc/vault/ssl" do
|
93
|
+
# owner "root"
|
94
|
+
# mode 0755
|
95
|
+
#end
|
96
|
+
#directory "/etc/consul/ssl/CA" do
|
97
|
+
# owner "root"
|
98
|
+
# mode 0755
|
99
|
+
#end
|
100
|
+
#include_recipe 'chef-vault'
|
100
101
|
|
101
|
-
file "/etc/consul/ssl/CA/ca.crt" do
|
102
|
-
mode 0644
|
103
|
-
content chef_vault_item("secrets", "consul")["ca_certificate"]
|
104
|
-
end
|
102
|
+
#file "/etc/consul/ssl/CA/ca.crt" do
|
103
|
+
# mode 0644
|
104
|
+
# content chef_vault_item("secrets", "consul")["ca_certificate"]
|
105
|
+
#end
|
105
106
|
|
106
|
-
service "consul" do
|
107
|
-
action [:enable, :start]
|
108
|
-
end
|
109
|
-
service "vault" do
|
110
|
-
action [:enable, :start]
|
111
|
-
end
|
107
|
+
#service "consul" do
|
108
|
+
# action [:enable, :start]
|
109
|
+
#end
|
110
|
+
#service "vault" do
|
111
|
+
# action [:enable, :start]
|
112
|
+
#end
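Review bot: Commenting out the `service "consul"` / `service "vault"` resources (new lines 107–112) stops Chef from managing those daemons but does not stop them: a master that was converged with the previous version keeps consul and vault enabled and running, bound to `0.0.0.0` per the old attributes, with their keys under `#{$MU_CFG['datadir']}/ssl/`, now unmanaged and no longer restarted when that material is rotated. If the intent is to retire the stack, say so in the recipe, e.g. `%w[consul vault].each { |svc| service(svc) { action [:stop, :disable] } }`, and revisit whatever `mu-master::firewall-holes` (outside this hunk) opens for ports 8200/8300–8302/8500. Dead code of this size is better deleted than commented out — git keeps the history, and a reader cannot tell whether this is a pending re-enable or a removal; a one-line comment stating which would help either way.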
|
@@ -0,0 +1 @@
|
|
1
|
+
LoadModule rewrite_module /usr/lib64/httpd/modules/mod_rewrite.so
|
@@ -0,0 +1,103 @@
|
|
1
|
+
# Autogenerated by Chef.
|
2
|
+
|
3
|
+
<% unless node['nagios']['ldap_verify_cert'].nil? %>LDAPVerifyServerCert <%= node['nagios']['ldap_verify_cert'] %><% end %>
|
4
|
+
<% unless node['nagios']['ldap_trusted_mode'].nil? -%>LDAPTrustedMode <%= node['nagios']['ldap_trusted_mode'] %> <% end -%>
|
5
|
+
<% unless node['nagios']['ldap_trusted_global_cert'].nil? -%>LDAPTrustedGlobalCert <%= node['nagios']['ldap_trusted_global_cert'] %> <% end -%>
|
6
|
+
|
7
|
+
<VirtualHost *:<%= node['nagios']['http_port'] %>>
|
8
|
+
ServerAdmin <%= node['nagios']['sysadmin_email'] %>
|
9
|
+
<% if @nagios_url %>
|
10
|
+
ServerName <%= @nagios_url %>
|
11
|
+
<% else %>
|
12
|
+
ServerName <%= @server_name %>
|
13
|
+
<% end %>
|
14
|
+
ServerAlias <% @server_aliases.each do |a| %><%= a %> <% end %>
|
15
|
+
DocumentRoot <%= node['nagios']['docroot'] %>
|
16
|
+
# CustomLog <%= node['apache']['log_dir'] %>/nagios_access.log combined
|
17
|
+
# ErrorLog <%= node['apache']['log_dir'] %>/nagios_error.log
|
18
|
+
|
19
|
+
<% if node['platform_family'] == 'debian' && node['nagios']['server']['install_method'] == 'package'-%>
|
20
|
+
Alias /stylesheets /etc/<%= node['nagios']['server']['vname'] %>/stylesheets
|
21
|
+
Alias /nagios3/stylesheets /etc/<%= node['nagios']['server']['vname'] %>/stylesheets
|
22
|
+
<% end -%>
|
23
|
+
ScriptAlias <%= node['nagios']['cgi-path'] %> <%= node['nagios']['cgi-bin'] %>
|
24
|
+
ScriptAlias /cgi-bin/statusjson.cgi <%= node['nagios']['cgi-bin'] %>/statusjson.cgi
|
25
|
+
Alias /<%= node['nagios']['server']['vname'] %> <%= node['nagios']['docroot'] %>
|
26
|
+
|
27
|
+
<Directory "<%= node['nagios']['cgi-bin'] %>">
|
28
|
+
Options ExecCGI
|
29
|
+
<% if node['nagios']['default_user_name'] -%>
|
30
|
+
require all granted
|
31
|
+
<% end -%>
|
32
|
+
</Directory>
|
33
|
+
|
34
|
+
<FilesMatch ".+\.ph(p[345]?|t|tml)$">
|
35
|
+
SetHandler application/x-httpd-php
|
36
|
+
</FilesMatch>
|
37
|
+
|
38
|
+
<% if @https -%>
|
39
|
+
SSLEngine On
|
40
|
+
SSLProtocol <%= node['nagios']['ssl_protocols'] %>
|
41
|
+
<% if node['nagios']['ssl_ciphers'] != nil -%>
|
42
|
+
SSLCipherSuite <%= node['nagios']['ssl_ciphers'] %>
|
43
|
+
<% end -%>
|
44
|
+
SSLCertificateFile <%= @ssl_cert_file %>
|
45
|
+
<% if node['nagios']['ssl_cert_chain_file'] %>
|
46
|
+
SSLCertificateChainFile <%= node['nagios']['ssl_cert_chain_file'] %>
|
47
|
+
<% end -%>
|
48
|
+
SSLCertificateKeyFile <%= @ssl_cert_key %>
|
49
|
+
|
50
|
+
<% end -%>
|
51
|
+
<% case node['nagios']['server_auth_method'] -%>
|
52
|
+
<% when "openid" -%>
|
53
|
+
<Location />
|
54
|
+
AuthName "Nagios Server"
|
55
|
+
AuthType OpenID
|
56
|
+
require user <%= node['apache']['allowed_openids'].join(' ') %>
|
57
|
+
AuthOpenIDDBLocation <%= node['apache']['mod_auth_openid']['dblocation'] %>
|
58
|
+
</Location>
|
59
|
+
<% when "cas" -%>
|
60
|
+
CASLoginURL <%= node['nagios']['cas_login_url'] %>
|
61
|
+
CASValidateURL <%= node['nagios']['cas_validate_url'] %>
|
62
|
+
CASValidateServer <%= node['nagios']['cas_validate_server'] %>
|
63
|
+
<% if node['nagios']['cas_root_proxy_url'] -%>
|
64
|
+
CASRootProxiedAs <%= node['nagios']['cas_root_proxy_url'] %>
|
65
|
+
<% end -%>
|
66
|
+
|
67
|
+
<Location />
|
68
|
+
AuthType CAS
|
69
|
+
require <%= node['nagios']['server_auth_require'] %>
|
70
|
+
</Location>
|
71
|
+
<% when "ldap" -%>
|
72
|
+
<Location />
|
73
|
+
AuthName "Nagios Server"
|
74
|
+
AuthType Basic
|
75
|
+
AuthBasicProvider ldap
|
76
|
+
<% unless node['nagios']['ldap_group_attribute_is_dn'].nil? %>AuthLDAPGroupAttributeIsDN <%= node['nagios']['ldap_group_attribute_is_dn'] %><% end %>
|
77
|
+
<% unless node['nagios']['ldap_group_attribute'].nil? -%>AuthLDAPGroupAttribute "<%= node['nagios']['ldap_group_attribute'] %>" <% end -%>
|
78
|
+
<% unless node['nagios']['ldap_bind_dn'].nil? -%>AuthLDAPBindDN "<%= node['nagios']['ldap_bind_dn'] %>" <% end -%>
|
79
|
+
<% unless node['nagios']['ldap_bind_password'].nil? -%>AuthLDAPBindPassword "<%= node['nagios']['ldap_bind_password'] %>"<% end -%>
|
80
|
+
AuthLDAPURL "<%= node['nagios']['ldap_url'] %>"
|
81
|
+
<% if !node['apache']['version'].nil? and node['apache']['version'] < "2.4" %>
|
82
|
+
<% unless node['nagios']['ldap_authoritative'].nil? %>AuthzLDAPAuthoritative <%= node['nagios']['ldap_authoritative'] %><% end %>
|
83
|
+
<% end %>
|
84
|
+
require <%= node['nagios']['server_auth_require'] %>
|
85
|
+
</Location>
|
86
|
+
<% else -%>
|
87
|
+
<Location />
|
88
|
+
AuthName "Nagios Server"
|
89
|
+
AuthType Basic
|
90
|
+
AuthUserFile "<%= node['nagios']['conf_dir'] %>/htpasswd.users"
|
91
|
+
require <%= node['nagios']['server_auth_require'] %>
|
92
|
+
<% unless node['nagios']['allowed_ips'].empty? -%>
|
93
|
+
Order Deny,Allow
|
94
|
+
Deny from All
|
95
|
+
Allow from <%=node['nagios']['allowed_ips'].join(' ') %>
|
96
|
+
Satisfy Any
|
97
|
+
<% end -%>
|
98
|
+
</Location>
|
99
|
+
<% end -%>
|
100
|
+
|
101
|
+
SetEnv TZ "<%= node['nagios']['conf']['use_timezone'] %>"
|
102
|
+
|
103
|
+
</VirtualHost>
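Review bot: The LDAP branch writes the bind credential in clear text into the vhost file — `AuthLDAPBindPassword "<%= node['nagios']['ldap_bind_password'] %>"` on new line 79 — so the `template` resource that renders this file (outside the hunk) must restrict it to root and the httpd user (e.g. `mode '0640'`), and the value itself should come from a vault or encrypted data bag rather than a plain node attribute, which is otherwise persisted in the node object. Separately, the default-auth branch (lines 92–97) still emits 2.2-style `Order Deny,Allow` / `Deny from All` / `Allow from …` / `Satisfy Any`, which on Apache 2.4 only works with mod_access_compat loaded, while `web_app.conf.erb` in this same release drops its 2.2 branches and standardizes on `Require`; it also exempts every address in `allowed_ips` from Basic auth, which deserves an explicit comment so the list is not widened casually. The 2.4 form with the same "allow-listed IP or valid login" semantics is below.
```erb
    <% if node['nagios']['allowed_ips'].empty? -%>
    require <%= node['nagios']['server_auth_require'] %>
    <% else -%>
    # Clients from allowed_ips skip Basic auth entirely (2.4 form of Satisfy Any)
    <RequireAny>
      Require ip <%= node['nagios']['allowed_ips'].join(' ') %>
      require <%= node['nagios']['server_auth_require'] %>
    </RequireAny>
    <% end -%>
```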
|
@@ -1,12 +1,12 @@
|
|
1
|
-
<VirtualHost *:<%= @
|
2
|
-
ServerName <%= @
|
3
|
-
ServerAlias <% @
|
1
|
+
<VirtualHost *:<%= @server_port || (node['apache'] and node['apache']['listen'].first) %>>
|
2
|
+
ServerName <%= @server_name %>
|
3
|
+
ServerAlias <% @server_aliases.each do |a| %><%= a %> <% end %>
|
4
|
+
DocumentRoot <%= @docroot %>
|
4
5
|
FileETag -INode
|
5
|
-
DocumentRoot <%= @params[:docroot] %>
|
6
6
|
RewriteEngine On
|
7
7
|
RewriteRule ^/(nagios|jenkins|scratchpad)$ https://%{HTTP_HOST}/$1/ [R=301,NC,L]
|
8
8
|
|
9
|
-
<% if @
|
9
|
+
<% if @server_port.to_s.match(/443$/) %>
|
10
10
|
SSLEngine On
|
11
11
|
SSLCertificateFile <%= $MU_CFG['ssl']['cert'] %>
|
12
12
|
SSLCertificateKeyFile <%= $MU_CFG['ssl']['key'] %>
|
@@ -15,12 +15,7 @@
|
|
15
15
|
<% end %>
|
16
16
|
SSLProxyEngine on
|
17
17
|
<Proxy *>
|
18
|
-
<% if node['apache']['version'] == "2.2" %>
|
19
|
-
Order allow,deny
|
20
|
-
Allow from all
|
21
|
-
<% elsif node['apache']['version'] == "2.4" %>
|
22
18
|
Require all granted
|
23
|
-
<% end %>
|
24
19
|
</Proxy>
|
25
20
|
|
26
21
|
ProxyPreserveHost on
|
@@ -48,19 +43,14 @@
|
|
48
43
|
RewriteRule ^/(nagios|jenkins|scratchpad)/(.*) https://%{HTTP_HOST}/$1/$2 [R=301,NC,L]
|
49
44
|
<% end %>
|
50
45
|
|
51
|
-
|
52
|
-
|
46
|
+
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
|
47
|
+
RewriteRule .* - [F]
|
53
48
|
|
54
|
-
<
|
55
|
-
Options <%= [@
|
56
|
-
AllowOverride <%= [@
|
57
|
-
|
58
|
-
|
59
|
-
Allow from all
|
60
|
-
<% elsif node['apache']['version'] == "2.4" %>
|
61
|
-
Require all granted
|
62
|
-
<% end %>
|
63
|
-
</Directory>
|
49
|
+
<DirectoryMatch "<%= @docroot %>\/.*">
|
50
|
+
Options <%= [@directory_options || "FollowSymLinks" ].flatten.join " " %>
|
51
|
+
AllowOverride <%= [@allow_override || "None" ].flatten.join " " %>
|
52
|
+
Require all granted
|
53
|
+
</DirectoryMatch>
|
64
54
|
|
65
55
|
<Directory />
|
66
56
|
Options FollowSymLinks
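Review bot: `<DirectoryMatch "<%= @docroot %>\/.*">` (new line 49) drops `@docroot` into a regular expression unescaped and unanchored: a docroot containing `.` or `+` matches more than intended, and with no leading `^` any filesystem path that merely contains the docroot string as a substring also receives `Require all granted` and the `AllowOverride` setting. Anchor and escape it: `<DirectoryMatch "^<%= Regexp.escape(@docroot) %>/">`. On the new TRACE/TRACK block (lines 46–47): it only takes effect while `RewriteEngine On` holds for this vhost, whereas `TraceEnable off` at server scope disables TRACE independently of mod_rewrite and is the form most hardening checklists look for. The `<Directory />` block that begins on the last line continues outside the hunk.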
|
@@ -69,18 +59,12 @@
|
|
69
59
|
|
70
60
|
<Location /server-status>
|
71
61
|
SetHandler server-status
|
72
|
-
<% if node['apache']['version'] == "2.2" %>
|
73
|
-
Order Deny,Allow
|
74
|
-
Deny from all
|
75
|
-
Allow from 127.0.0.1
|
76
|
-
<% elsif node['apache']['version'] == "2.4" %>
|
77
62
|
Require host 127.0.0.1
|
78
|
-
<% end %>
|
79
63
|
</Location>
|
80
64
|
|
81
65
|
|
82
|
-
<% if @
|
83
|
-
DirectoryIndex <%= [@
|
66
|
+
<% if @directory_index -%>
|
67
|
+
DirectoryIndex <%= [@directory_index].flatten.join " " %>
|
84
68
|
<% end -%>
|
85
69
|
|
86
70
|
</VirtualHost>
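Review bot: `Require host 127.0.0.1` (new line 62) is the hostname provider — it compares the client's double-reverse-resolved name against the argument — so with an IP literal it does not do what the removed 2.2 `Allow from 127.0.0.1` did, and depending on `HostnameLookups` and resolver results may deny loopback or, worse, not be the check you think it is. Now that the template is 2.4-only, use the address provider: `Require ip 127.0.0.1 ::1`. `/server-status` exposes in-flight request URIs and client addresses, so it is worth keeping this restriction tight, and including `::1` covers the case where the listener is also bound on IPv6 loopback.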
|
@@ -21,6 +21,13 @@ if disk_name_str == "CAP-MASTER" or disk_name_str == "MU-MASTER" and !node['host
|
|
21
21
|
disk_name_str = node['hostname']
|
22
22
|
end rescue NoMethodError
|
23
23
|
|
24
|
+
diskdevs = :xvd
|
25
|
+
if !platform_family?("windows")
|
26
|
+
if default['kernel']['modules'].keys.include?("nvme")
|
27
|
+
diskdevs = :nvme
|
28
|
+
end
|
29
|
+
end
|
30
|
+
|
24
31
|
default['os_updates_using_chef'] = false
|
25
32
|
|
26
33
|
default['application_attributes']['application_volume']['mount_directory'] = '/apps'
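Review bot: `default['kernel']['modules'].keys.include?("nvme")` (new line 26) reads the *default* attribute level, but the loaded-module list is Ohai data that lives at the automatic level; in an attributes file `default['kernel']['modules']` auto-vivifies to an empty mash, so unless something else sets it at the default level `.keys` is `[]` and `diskdevs` can never become `:nvme`. Read it through the merged node instead: `if node['kernel'] && node['kernel']['modules'] && node['kernel']['modules'].key?("nvme")`. Note also that `diskdevs` is a plain local, not an attribute, and nothing visible in this hunk consumes it — if the later `mount_device` defaults in this file (still `/dev/xvdm`, `/dev/xvdn`) were meant to key off it, they do not yet.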
|
@@ -107,6 +114,11 @@ default['sec']['pwd'] = {
|
|
107
114
|
end
|
108
115
|
}
|
109
116
|
|
117
|
+
default['application_attributes']['swap']["volume_size_gb"] = 4
|
118
|
+
default['application_attributes']['swap']['mount_device'] = "/dev/xvdm"
|
119
|
+
default['application_attributes']['swap']['label'] = "#{disk_name_str} swap"
|
120
|
+
default['application_attributes']['swap']['mount_directory'] = "swap"
|
121
|
+
|
110
122
|
default['application_attributes']['home']["volume_size_gb"] = 2
|
111
123
|
default['application_attributes']['home']['mount_device'] = "/dev/xvdn"
|
112
124
|
default['application_attributes']['home']['label'] = "#{disk_name_str} /home"
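Review bot: The new swap volume (`mount_device "/dev/xvdm"`, new line 118) is a place where process memory — including whatever secrets chef-client, vault or the applications hold — gets paged to disk, so it should be backed by an encrypted volume (EBS encryption, or dm-crypt with a random key before `mkswap`); the `mu-tools::disk` resource that acts on these attributes is outside this hunk, so I cannot tell whether it already does. A comment on the attribute is worth adding either way: `# NOTE: swap pages can contain secrets — back this device with an encrypted volume`. The hard-coded `/dev/xvdm` also predates the NVMe handling added elsewhere in this release; on Nitro instances the kernel exposes the volume as `/dev/nvme*`, and whether that is reconciled depends on callers routing the name through the new `real_devicepath` helper.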
|
@@ -0,0 +1,47 @@
|
|
1
|
+
# CentOS-Base.repo
|
2
|
+
#
|
3
|
+
# The mirror system uses the connecting IP address of the client and the
|
4
|
+
# update status of each mirror to pick mirrors that are updated to and
|
5
|
+
# geographically close to the client. You should use this for CentOS updates
|
6
|
+
# unless you are manually picking other mirrors.
|
7
|
+
#
|
8
|
+
# If the mirrorlist= does not work for you, as a fall back you can try the
|
9
|
+
# remarked out baseurl= line instead.
|
10
|
+
#
|
11
|
+
#
|
12
|
+
|
13
|
+
[base]
|
14
|
+
name=CentOS-$releasever - Base
|
15
|
+
baseurl=http://vault.centos.org/6.10/os/$basearch/
|
16
|
+
gpgcheck=1
|
17
|
+
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
|
18
|
+
|
19
|
+
#released updates
|
20
|
+
[updates]
|
21
|
+
name=CentOS-$releasever - Updates
|
22
|
+
baseurl=http://vault.centos.org/6.10/updates/$basearch/
|
23
|
+
gpgcheck=1
|
24
|
+
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
|
25
|
+
|
26
|
+
#additional packages that may be useful
|
27
|
+
[extras]
|
28
|
+
name=CentOS-$releasever - Extras
|
29
|
+
baseurl=http://vault.centos.org/6.10/extras/$basearch/
|
30
|
+
gpgcheck=1
|
31
|
+
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
|
32
|
+
|
33
|
+
#additional packages that extend functionality of existing packages
|
34
|
+
[centosplus]
|
35
|
+
name=CentOS-$releasever - Plus
|
36
|
+
baseurl=http://vault.centos.org/6.10/centosplus/$basearch/
|
37
|
+
gpgcheck=1
|
38
|
+
enabled=0
|
39
|
+
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
|
40
|
+
|
41
|
+
#contrib - packages by Centos Users
|
42
|
+
[contrib]
|
43
|
+
name=CentOS-$releasever - Contrib
|
44
|
+
baseurl=http://vault.centos.org/6.10/contrib/$basearch/
|
45
|
+
gpgcheck=1
|
46
|
+
enabled=0
|
47
|
+
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
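Review bot: Every `baseurl` points at `http://vault.centos.org/6.10/…` in the clear. `gpgcheck=1` authenticates the packages, but repository metadata is fetched unsigned over plain HTTP, so an on-path attacker can pin clients to stale metadata (a freeze/downgrade attack) even though they cannot forge packages; vault.centos.org serves HTTPS, so each line should read `baseurl=https://vault.centos.org/6.10/…`. A header comment is also warranted: CentOS 6 reached end of life in November 2020 and the vault is a frozen archive, so any image built from this file receives no further security fixes and the `mu-tools::base_repositories` consumer should treat it as legacy-only.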
|
@@ -45,6 +45,77 @@ module Mutools
|
|
45
45
|
nil
|
46
46
|
end
|
47
47
|
|
48
|
+
# Just list our block devices
|
49
|
+
# @return [Array<String>]
|
50
|
+
def list_disk_devices
|
51
|
+
if File.executable?("/bin/lsblk")
|
52
|
+
shell_out(%Q{/bin/lsblk -i -p -r -n | egrep ' disk( |$)'}).stdout.each_line.map { |l|
|
53
|
+
l.chomp.sub(/ .*/, '')
|
54
|
+
}
|
55
|
+
else
|
56
|
+
# XXX something dumber
|
57
|
+
nil
|
58
|
+
end
|
59
|
+
end
|
60
|
+
|
61
|
+
# If we're in AWS and NVME-aware, return a mapping of AWS-side device names
|
62
|
+
# to actual NVME devices.
|
63
|
+
# @return [Hash]
|
64
|
+
def attached_nvme_disks
|
65
|
+
if get_aws_metadata("meta-data/instance-id").nil? or
|
66
|
+
!File.executable?("/bin/lsblk") or !File.executable?("/sbin/nvme")
|
67
|
+
return {}
|
68
|
+
end
|
69
|
+
map = {}
|
70
|
+
devices = list_disk_devices
|
71
|
+
return {} if !devices
|
72
|
+
devices.each { |d|
|
73
|
+
if d =~ /^\/dev\/nvme/
|
74
|
+
shell_out(%Q{/sbin/nvme id-ctrl -v #{d}}).stdout.each_line { |desc|
|
75
|
+
if desc.match(/^0000: (?:[0-9a-f]{2} ){16}"(.+?)\./)
|
76
|
+
virt_dev = Regexp.last_match[1]
|
77
|
+
map[virt_dev] = d
|
78
|
+
if !File.exists?(virt_dev)
|
79
|
+
begin
|
80
|
+
File.symlink(d, virt_dev)
|
81
|
+
rescue Errno::EEXIST # XXX whyyyyy is this needed
|
82
|
+
end
|
83
|
+
end
|
84
|
+
break
|
85
|
+
end
|
86
|
+
}
|
87
|
+
end
|
88
|
+
}
|
89
|
+
map
|
90
|
+
end
|
91
|
+
|
92
|
+
def real_devicepath(dev)
|
93
|
+
map = attached_nvme_disks
|
94
|
+
if map[dev]
|
95
|
+
map[dev]
|
96
|
+
elsif map[dev.gsub(/.*?\//, '')]
|
97
|
+
map[dev.gsub(/.*?\//, '')]
|
98
|
+
else
|
99
|
+
dev # be nice to actually handle this too
|
100
|
+
end
|
101
|
+
end
|
102
|
+
|
103
|
+
def uuid_line(dev)
|
104
|
+
realdev = real_devicepath(dev)
|
105
|
+
shell_out(%Q{/sbin/blkid #{realdev} -o export | grep ^UUID=}).stdout.chomp
|
106
|
+
end
|
107
|
+
|
108
|
+
def nvme?
|
109
|
+
if File.executable?("/bin/lsblk")
|
110
|
+
shell_out(%Q{/bin/lsblk -i -p -r -n}).stdout.each_line { |l|
|
111
|
+
return true if l =~ /^\/dev\/nvme\d/
|
112
|
+
}
|
113
|
+
else
|
114
|
+
return true if File.exists?("/dev/nvme0n1")
|
115
|
+
end
|
116
|
+
false
|
117
|
+
end
|
118
|
+
|
48
119
|
@project = nil
|
49
120
|
@authorizer = nil
|
50
121
|
def set_gcp_cfg_params
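Review bot: `uuid_line` (new line 105) interpolates the device name into a shell string, `/sbin/blkid #{realdev} -o export | grep ^UUID=`; `dev` originates in node attributes (`mount_device`) and this library runs as root, so a crafted attribute value becomes a root command — pass arguments instead and filter in Ruby: `shell_out("/sbin/blkid", realdev, "-o", "export").stdout.lines.grep(/^UUID=/).first.to_s.chomp`. In `attached_nvme_disks`, `virt_dev` is taken verbatim from the controller's vendor field (line 75) and handed to `File.symlink`; AWS reports that name both as `/dev/sdf` and bare `sdf`, and in the bare form the link is created relative to the current working directory rather than under `/dev`, so normalize it (`virt_dev = "/dev/#{virt_dev}" unless virt_dev.start_with?("/dev/")`) and reject anything not matching `/\A\/dev\/[a-z0-9]+\z/` before linking. `File.exists?` (lines 78 and 114) is deprecated and removed in Ruby 3.2; use `File.exist?`.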
|
@@ -65,7 +136,7 @@ module Mutools
|
|
65
136
|
@region = nil
|
66
137
|
def set_aws_cfg_params
|
67
138
|
begin
|
68
|
-
require 'aws-sdk
|
139
|
+
require 'aws-sdk'
|
69
140
|
instance_identity = get_aws_metadata("dynamic/instance-identity/document")
|
70
141
|
return false if instance_identity.nil? # Not in AWS, most likely
|
71
142
|
@region = JSON.parse(instance_identity)["region"]
|
@@ -90,6 +161,7 @@ module Mutools
|
|
90
161
|
|
91
162
|
@ec2 = nil
|
92
163
|
def ec2
|
164
|
+
require 'aws-sdk-ec2'
|
93
165
|
if set_aws_cfg_params
|
94
166
|
@ec2 ||= Aws::EC2::Client.new(region: @region)
|
95
167
|
end
|
@@ -97,6 +169,7 @@ module Mutools
|
|
97
169
|
end
|
98
170
|
@s3 = nil
|
99
171
|
def s3
|
172
|
+
require 'aws-sdk-s3'
|
100
173
|
if set_aws_cfg_params
|
101
174
|
@s3 ||= Aws::S3::Client.new(region: @region)
|
102
175
|
end
|
@@ -186,12 +259,12 @@ module Mutools
|
|
186
259
|
if cloud == "AWS"
|
187
260
|
resp = nil
|
188
261
|
begin
|
262
|
+
Chef::Log.info("Fetch deploy secret from s3://#{bucket}/#(unknown)")
|
189
263
|
resp = s3.get_object(bucket: bucket, key: filename)
|
190
264
|
rescue ::Aws::S3::Errors::PermanentRedirect => e
|
191
265
|
tmps3 = Aws::S3::Client.new(region: "us-east-1")
|
192
266
|
resp = tmps3.get_object(bucket: bucket, key: filename)
|
193
267
|
end
|
194
|
-
Chef::Log.info("Fetch deploy secret from s3://#{bucket}/#(unknown)")
|
195
268
|
secret = resp.body.read
|
196
269
|
elsif cloud == "Google"
|
197
270
|
include_recipe "mu-tools::gcloud"
|
@@ -230,9 +303,10 @@ module Mutools
|
|
230
303
|
end
|
231
304
|
|
232
305
|
def mommacat_request(action, arg)
|
306
|
+
params = Base64.urlsafe_encode64(JSON.generate(arg)) if arg
|
233
307
|
uri = URI("https://#{get_mu_master_ips.first}:2260/")
|
234
308
|
req = Net::HTTP::Post.new(uri)
|
235
|
-
res_type = (node['deployment'].has_key?(
|
309
|
+
res_type = (node['deployment'].has_key?('server_pools') and node['deployment']['server_pools'].has_key?(node['service_name'])) ? "server_pool" : "server"
|
236
310
|
response = nil
|
237
311
|
begin
|
238
312
|
secret = get_deploy_secret
|
@@ -241,6 +315,8 @@ module Mutools
|
|
241
315
|
end
|
242
316
|
|
243
317
|
Chef::Log.info("Sending Momma Cat #{action} request to #{uri} from #{get_aws_metadata("meta-data/instance-id")}")
|
318
|
+
disks_before = list_disk_devices if action == "add_volume"
|
319
|
+
|
244
320
|
req.set_form_data(
|
245
321
|
"mu_id" => mu_get_tag_value("MU-ID"),
|
246
322
|
"mu_resource_name" => node['service_name'],
|
@@ -248,7 +324,7 @@ module Mutools
|
|
248
324
|
"mu_resource_type" => res_type,
|
249
325
|
"mu_user" => node['deployment']['mu_user'] || node['deployment']['chef_user'],
|
250
326
|
"mu_deploy_secret" => secret,
|
251
|
-
action =>
|
327
|
+
action => params
|
252
328
|
)
|
253
329
|
http = Net::HTTP.new(uri.hostname, uri.port)
|
254
330
|
http.use_ssl = true
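Review bot: This form post carries `mu_deploy_secret` to `https://#{get_mu_master_ips.first}:2260/`, and the hunk ends at `http.use_ssl = true` — the line that decides whether the peer certificate is actually checked is new line 331, outside the hunk. If it sets `verify_mode = OpenSSL::SSL::VERIFY_NONE` (common when the target is a bare IP absent from the certificate's SANs), any host that can answer on that address — ARP/route spoofing inside the VPC, or a reused IP after the master is replaced — receives the deploy secret. The safe shape is `http.verify_mode = OpenSSL::SSL::VERIFY_PEER` plus `http.ca_file` pointed at the Mu CA and a master certificate that carries an IP SAN; whichever is in place, a comment on line 331 stating the decision and its trade-off would help the next reader.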
|
@@ -256,10 +332,28 @@ module Mutools
|
|
256
332
|
response = http.request(req)
|
257
333
|
if response.code != "200"
|
258
334
|
Chef::Log.error("Got #{response.code} back from #{uri} on #{action} => #{arg}")
|
335
|
+
else
|
336
|
+
if action == "add_volume" and arg and arg.is_a?(Hash) and arg[:dev]
|
337
|
+
seen_requested = false
|
338
|
+
retries = 0
|
339
|
+
begin
|
340
|
+
list_disk_devices.each { |d|
|
341
|
+
if d == arg[:dev] or
|
342
|
+
(nvme? and d == attached_nvme_disks[arg[:dev]])
|
343
|
+
seen_requested = true
|
344
|
+
end
|
345
|
+
}
|
346
|
+
if !seen_requested
|
347
|
+
sleep 6
|
348
|
+
retries += 1
|
349
|
+
end
|
350
|
+
end while retries < 5 and !seen_requested
|
351
|
+
end
|
259
352
|
end
|
260
353
|
rescue EOFError => e
|
261
354
|
# Sometimes deployment metadata is incomplete and missing a
|
262
355
|
# server_pool entry. Try to help it out.
|
356
|
+
# XXX find some awsmetadata way to determine that we're in an Autoscale Group before trying this
|
263
357
|
if res_type == "server"
|
264
358
|
res_type = "server_pool"
|
265
359
|
retry
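Review bot: The poll (new lines 336–350) compares `d == attached_nvme_disks[arg[:dev]]`, but that map is keyed by whatever string the NVMe controller reports, which AWS emits as either `/dev/sdf` or bare `sdf`; `real_devicepath` already tries both spellings and returns `dev` unchanged when there is no mapping, so `if d == real_devicepath(arg[:dev])` covers the NVMe and non-NVMe cases in one comparison and avoids calling `attached_nvme_disks` — which re-runs `nvme id-ctrl` on every disk and creates symlinks as a side effect — once per device per iteration. When the loop gives up after 5 × 6 s nothing is logged and the method returns as if the volume were attached, leaving the caller to fail later on a missing device; add `Chef::Log.warn("#{arg[:dev]} not visible after #{retries} checks")` on the `!seen_requested` exit. `begin … end while` is the do-while form RuboCop flags (Lint/Loop); `loop do … break if … end` reads more clearly. The `rescue EOFError` handler continues past the end of the hunk.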
|