cloud-mu 3.4.0 → 3.5.0

data/cookbooks/mu-master/recipes/update_nagios_only.rb

@@ -139,7 +139,7 @@ Dir.glob("/usr/lib/cgi-bin/*.cgi").each { |script|
 
 ["/usr/lib/cgi-bin"].each { |cgidir|
   if Dir.exist?(cgidir)
-    execute "chcon -R -h system_u:object_r:httpd_sys_script_exec_t #{cgidir}" do
+    execute "chcon -R -t httpd_sys_script_exec_t #{cgidir}" do
       not_if "ls -aZ #{cgidir} | grep ':httpd_sys_script_exec_t:'"
       notifies :reload, "service[apache2]", :delayed
     end

data/cookbooks/mu-master/recipes/vault.rb

@@ -25,87 +25,88 @@
 include_recipe 'mu-master::firewall-holes'
 
 # Mangle a bunch of values used by the Consul and Vault community cookbooks
-node.normal['consul']['config']['bootstrap_expect'] = 1 # XXX we only want this on our first run, maybe figure out how to toss it later
-node.normal['consul']['config']['start_join'] = ["127.0.0.1"]
-node.normal['consul']['config']['ca_file'] = "#{$MU_CFG['datadir']}/ssl/Mu_CA.pem"
-node.normal['consul']['config']['key_file'] = "#{$MU_CFG['datadir']}/ssl/consul.key"
-node.normal['consul']['config']['cert_file'] = "#{$MU_CFG['datadir']}/ssl/consul.crt"
-consul_public = $MU_CFG['public_address']
-if !consul_public.match(/^\d+\.\d+\.\d+\.\d+$/)
-  resolver = Resolv::DNS.new
-  begin
-    consul_public = resolver.getaddress(consul_public).to_s
-  end
-end
-# strictly speaking we could split internal vs. external IPs here, but atm
-# we're treating everything not local to this machine as public anyway
-node.normal['consul']['config']['advertise_addr'] = consul_public
-node.normal['consul']['config']['advertise_addr_wan'] = consul_public
-node.normal['consul']['config']['bind_addr'] = "0.0.0.0"
-node.normal['hashicorp-vault']['config']['tls_key_file'] = "#{$MU_CFG['datadir']}/ssl/vault.key"
-node.normal['hashicorp-vault']['config']['tls_cert_file'] = "#{$MU_CFG['datadir']}/ssl/vault.crt"
-node.normal['hashicorp-vault']['config']['address'] = '0.0.0.0:8200'
-node.save
+#node.normal['consul']['config']['bootstrap_expect'] = 1 # XXX we only want this on our first run, maybe figure out how to toss it later
+#node.normal['consul']['config']['start_join'] = ["127.0.0.1"]
+#node.normal['consul']['config']['ca_file'] = "#{$MU_CFG['datadir']}/ssl/Mu_CA.pem"
+#node.normal['consul']['config']['key_file'] = "#{$MU_CFG['datadir']}/ssl/consul.key"
+#node.normal['consul']['config']['cert_file'] = "#{$MU_CFG['datadir']}/ssl/consul.crt"
+#consul_public = $MU_CFG['public_address']
+#if !consul_public.match(/^\d+\.\d+\.\d+\.\d+$/)
+#  resolver = Resolv::DNS.new
+#  begin
+#    consul_public = resolver.getaddress(consul_public).to_s
+#  end
+#end
+## strictly speaking we could split internal vs. external IPs here, but atm
+## we're treating everything not local to this machine as public anyway
+#node.normal['consul']['config']['advertise_addr'] = consul_public
+#node.normal['consul']['config']['advertise_addr_wan'] = consul_public
+#node.normal['consul']['config']['bind_addr'] = "0.0.0.0"
+#node.normal['consul-cluster']['tls']
+#node.normal['hashicorp-vault']['config']['tls_key_file'] = "#{$MU_CFG['datadir']}/ssl/vault.key"
+#node.normal['hashicorp-vault']['config']['tls_cert_file'] = "#{$MU_CFG['datadir']}/ssl/vault.crt"
+#node.normal['hashicorp-vault']['config']['address'] = '0.0.0.0:8200'
+#node.save
 
-["consul", "vault"].each { |cert|
-  # These community cookbooks aren't bright enough to deal with a stringent
-  # umask, and create these unreadable by the application if we don't do it for
-  # them.
-  directory "fix /opt/#{cert} permissions" do
-    path "/opt/#{cert}"
-    mode 0755
-    notifies :restart, "service[#{cert}]", :delayed
-  end
-}
+#["consul", "vault"].each { |cert|
+#  # These community cookbooks aren't bright enough to deal with a stringent
+#  # umask, and create these unreadable by the application if we don't do it for
+#  # them.
+#  directory "fix /opt/#{cert} permissions" do
+#    path "/opt/#{cert}"
+#    mode 0755
+#    notifies :restart, "service[#{cert}]", :delayed
+#  end
+#}
 
-include_recipe "consul-cluster"
-include_recipe "vault-cluster"
+#include_recipe "consul-cluster"
+#include_recipe "vault-cluster"
 
-["consul", "vault"].each { |cert|
-  file "fix #{cert} cert permissions" do
-    path "#{$MU_CFG['datadir']}/ssl/#{cert}.crt"
-    owner cert
-    notifies :restart, "service[#{cert}]", :delayed
-  end
-  file "fix #{cert} key permissions" do
-    path "#{$MU_CFG['datadir']}/ssl/#{cert}.key"
-    notifies :restart, "service[#{cert}]", :delayed
-    owner cert
-  end
-  }
+#["consul", "vault"].each { |cert|
+#  file "fix #{cert} cert permissions" do
+#    path "#{$MU_CFG['datadir']}/ssl/#{cert}.crt"
+#    owner cert
+#    notifies :restart, "service[#{cert}]", :delayed
+#  end
+#  file "fix #{cert} key permissions" do
+#    path "#{$MU_CFG['datadir']}/ssl/#{cert}.key"
+#    notifies :restart, "service[#{cert}]", :delayed
+#    owner cert
+#  end
+#  }
 
-directory "/opt/vault/#{node['hashicorp-vault']['version']}" do
-  mode 0755
-  notifies :restart, "service[vault]", :delayed
-end
+#directory "/opt/vault/#{node['hashicorp-vault']['version']}" do
+#  mode 0755
+#  notifies :restart, "service[vault]", :delayed
+#end
 
-directory "/etc/consul/ssl" do
-  owner "consul"
-  group "consul"
-  mode 0755
-end
-directory "/etc/vault" do
-  owner "root"
-  mode 0755
-end
-directory "/etc/vault/ssl" do
-  owner "root"
-  mode 0755
-end
-directory "/etc/consul/ssl/CA" do
-  owner "root"
-  mode 0755
-end
-include_recipe 'chef-vault'
+#directory "/etc/consul/ssl" do
+#  owner "consul"
+#  group "consul"
+#  mode 0755
+#end
+#directory "/etc/vault" do
+#  owner "root"
+#  mode 0755
+#end
+#directory "/etc/vault/ssl" do
+#  owner "root"
+#  mode 0755
+#end
+#directory "/etc/consul/ssl/CA" do
+#  owner "root"
+#  mode 0755
+#end
+#include_recipe 'chef-vault'
 
-file "/etc/consul/ssl/CA/ca.crt" do
-  mode 0644
-  content chef_vault_item("secrets", "consul")["ca_certificate"]
-end
+#file "/etc/consul/ssl/CA/ca.crt" do
+#  mode 0644
+#  content chef_vault_item("secrets", "consul")["ca_certificate"]
+#end
 
-service "consul" do
-  action [:enable, :start]
-end
-service "vault" do
-  action [:enable, :start]
-end
+#service "consul" do
+#  action [:enable, :start]
+#end
+#service "vault" do
+#  action [:enable, :start]
+#end

data/cookbooks/mu-master/templates/default/mods/rewrite.conf.erb

@@ -0,0 +1 @@
+LoadModule rewrite_module /usr/lib64/httpd/modules/mod_rewrite.so

data/cookbooks/mu-master/templates/default/nagios.conf.erb

@@ -0,0 +1,103 @@
+# Autogenerated by Chef.
+
+<% unless node['nagios']['ldap_verify_cert'].nil? %>LDAPVerifyServerCert <%= node['nagios']['ldap_verify_cert'] %><% end %>
+<% unless node['nagios']['ldap_trusted_mode'].nil? -%>LDAPTrustedMode <%= node['nagios']['ldap_trusted_mode'] %> <% end -%>
+<% unless node['nagios']['ldap_trusted_global_cert'].nil? -%>LDAPTrustedGlobalCert <%= node['nagios']['ldap_trusted_global_cert'] %> <% end -%>
+
+<VirtualHost *:<%= node['nagios']['http_port'] %>>
+  ServerAdmin     <%= node['nagios']['sysadmin_email'] %>
+<% if @nagios_url %>
+  ServerName <%= @nagios_url %>
+<% else %>
+  ServerName <%= @server_name %>
+<% end %>
+  ServerAlias <% @server_aliases.each do |a| %><%= a %> <% end %>
+  DocumentRoot    <%= node['nagios']['docroot'] %>
+#  CustomLog       <%= node['apache']['log_dir'] %>/nagios_access.log combined
+#  ErrorLog        <%= node['apache']['log_dir'] %>/nagios_error.log
+
+<% if node['platform_family'] == 'debian' && node['nagios']['server']['install_method'] == 'package'-%>
+  Alias /stylesheets /etc/<%= node['nagios']['server']['vname'] %>/stylesheets
+  Alias /nagios3/stylesheets /etc/<%= node['nagios']['server']['vname'] %>/stylesheets
+<% end -%>
+  ScriptAlias <%= node['nagios']['cgi-path'] %> <%= node['nagios']['cgi-bin'] %>
+  ScriptAlias /cgi-bin/statusjson.cgi <%= node['nagios']['cgi-bin'] %>/statusjson.cgi
+  Alias /<%= node['nagios']['server']['vname'] %> <%= node['nagios']['docroot'] %>
+
+  <Directory "<%= node['nagios']['cgi-bin'] %>">
+     Options ExecCGI
+     <% if node['nagios']['default_user_name'] -%>
+     require all granted
+     <% end -%>
+  </Directory>
+
+  <FilesMatch ".+\.ph(p[345]?|t|tml)$">
+     SetHandler application/x-httpd-php
+  </FilesMatch>
+
+<% if @https -%>
+  SSLEngine On
+  SSLProtocol <%= node['nagios']['ssl_protocols'] %>
+<% if node['nagios']['ssl_ciphers'] != nil -%>
+  SSLCipherSuite <%= node['nagios']['ssl_ciphers'] %>
+<% end -%>
+  SSLCertificateFile <%= @ssl_cert_file %>
+<% if node['nagios']['ssl_cert_chain_file'] %>
+  SSLCertificateChainFile <%= node['nagios']['ssl_cert_chain_file'] %>
+<% end -%>
+  SSLCertificateKeyFile <%= @ssl_cert_key %>
+
+<% end -%>
+<% case node['nagios']['server_auth_method'] -%>
+<% when "openid" -%>
+  <Location />
+    AuthName "Nagios Server"
+    AuthType OpenID
+    require user <%= node['apache']['allowed_openids'].join(' ') %>
+    AuthOpenIDDBLocation <%= node['apache']['mod_auth_openid']['dblocation'] %>
+  </Location>
+<% when "cas" -%>
+  CASLoginURL <%= node['nagios']['cas_login_url'] %>
+  CASValidateURL <%= node['nagios']['cas_validate_url'] %>
+  CASValidateServer <%= node['nagios']['cas_validate_server'] %>
+  <% if node['nagios']['cas_root_proxy_url'] -%>
+  CASRootProxiedAs <%= node['nagios']['cas_root_proxy_url'] %>
+  <% end -%>
+
+  <Location />
+    AuthType CAS
+    require <%= node['nagios']['server_auth_require'] %>
+  </Location>
+<% when "ldap" -%>
+  <Location />
+    AuthName "Nagios Server"
+    AuthType Basic
+    AuthBasicProvider ldap
+    <% unless node['nagios']['ldap_group_attribute_is_dn'].nil? %>AuthLDAPGroupAttributeIsDN <%= node['nagios']['ldap_group_attribute_is_dn'] %><% end %>
+    <% unless node['nagios']['ldap_group_attribute'].nil? -%>AuthLDAPGroupAttribute "<%= node['nagios']['ldap_group_attribute'] %>" <% end -%>
+    <% unless node['nagios']['ldap_bind_dn'].nil? -%>AuthLDAPBindDN "<%= node['nagios']['ldap_bind_dn'] %>" <% end -%>
+    <% unless node['nagios']['ldap_bind_password'].nil? -%>AuthLDAPBindPassword "<%= node['nagios']['ldap_bind_password'] %>"<% end -%>
+    AuthLDAPURL "<%= node['nagios']['ldap_url'] %>"
+    <% if !node['apache']['version'].nil? and node['apache']['version'] < "2.4" %>
+      <% unless node['nagios']['ldap_authoritative'].nil? %>AuthzLDAPAuthoritative <%= node['nagios']['ldap_authoritative'] %><% end %>
+    <% end %>
+    require <%= node['nagios']['server_auth_require'] %>
+  </Location>
+<% else -%>
+  <Location />
+    AuthName "Nagios Server"
+    AuthType Basic
+    AuthUserFile "<%= node['nagios']['conf_dir'] %>/htpasswd.users"
+    require <%= node['nagios']['server_auth_require'] %>
+    <% unless node['nagios']['allowed_ips'].empty? -%>
+    Order Deny,Allow
+    Deny from All
+    Allow from <%=node['nagios']['allowed_ips'].join(' ') %>
+    Satisfy Any
+    <% end -%>
+  </Location>
+<% end -%>
+
+  SetEnv TZ "<%= node['nagios']['conf']['use_timezone'] %>"
+
+</VirtualHost>

data/cookbooks/mu-master/templates/default/web_app.conf.erb

@@ -1,12 +1,12 @@
-<VirtualHost *:<%= @params[:server_port] || node['apache']['listen'].first %>>
-  ServerName <%= @params[:server_name] %>
-  ServerAlias <% @params[:server_aliases].each do |a| %><%= a %> <% end %>
+<VirtualHost *:<%= @server_port || (node['apache'] and node['apache']['listen'].first) %>>
+  ServerName <%= @server_name %>
+  ServerAlias <% @server_aliases.each do |a| %><%= a %> <% end %>
+  DocumentRoot <%= @docroot %>
   FileETag -INode
-  DocumentRoot <%= @params[:docroot] %>
   RewriteEngine On
   RewriteRule ^/(nagios|jenkins|scratchpad)$ https://%{HTTP_HOST}/$1/ [R=301,NC,L]
 
-<% if @params[:server_port].to_s.match(/443$/) %>
+<% if @server_port.to_s.match(/443$/) %>
   SSLEngine On
   SSLCertificateFile <%= $MU_CFG['ssl']['cert'] %>
   SSLCertificateKeyFile <%= $MU_CFG['ssl']['key'] %>
@@ -15,12 +15,7 @@
 <% end %>
   SSLProxyEngine on
   <Proxy *>
-<% if node['apache']['version'] == "2.2" %>
-    Order allow,deny
-    Allow from all
-<% elsif node['apache']['version'] == "2.4" %>
     Require all granted
-<% end %>
   </Proxy>
 
   ProxyPreserveHost on
@@ -48,19 +43,14 @@
   RewriteRule ^/(nagios|jenkins|scratchpad)/(.*) https://%{HTTP_HOST}/$1/$2 [R=301,NC,L]
 <% end %>
 
-	RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
-	RewriteRule .* - [F]
+  RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
+  RewriteRule .* - [F]
 
-  <Directory <%= @params[:docroot] %>>
-    Options <%= [@params[:directory_options] || "FollowSymLinks" ].flatten.join " " %>
-    AllowOverride <%= [@params[:allow_override] || "None" ].flatten.join " " %>
-<% if node['apache']['version'] == "2.2" %>
-    Order allow,deny
-    Allow from all
-<% elsif node['apache']['version'] == "2.4" %>
-	Require all granted
-<% end %>
-  </Directory>
+  <DirectoryMatch "<%= @docroot %>\/.*">
+    Options <%= [@directory_options || "FollowSymLinks" ].flatten.join " " %>
+    AllowOverride <%= [@allow_override || "None" ].flatten.join " " %>
+    Require all granted
+  </DirectoryMatch>
 
   <Directory />
     Options FollowSymLinks
@@ -69,18 +59,12 @@
 
   <Location /server-status>
     SetHandler server-status
-<% if node['apache']['version'] == "2.2" %>
-    Order Deny,Allow
-    Deny from all
-    Allow from 127.0.0.1
-<% elsif node['apache']['version'] == "2.4" %>
     Require host 127.0.0.1
-<% end %>
   </Location>
 
 
-  <% if @params[:directory_index] -%>
-  DirectoryIndex <%= [@params[:directory_index]].flatten.join " " %>
+  <% if @directory_index -%>
+  DirectoryIndex <%= [@directory_index].flatten.join " " %>
   <% end -%>
 
 </VirtualHost>

data/cookbooks/mu-tools/attributes/default.rb

@@ -114,6 +114,11 @@ default['sec']['pwd'] = {
   end
 }
 
+default['application_attributes']['swap']["volume_size_gb"] = 4
+default['application_attributes']['swap']['mount_device'] = "/dev/xvdm"
+default['application_attributes']['swap']['label'] = "#{disk_name_str} swap"
+default['application_attributes']['swap']['mount_directory'] = "swap"
+
 default['application_attributes']['home']["volume_size_gb"] = 2
 default['application_attributes']['home']['mount_device'] = "/dev/xvdn"
 default['application_attributes']['home']['label'] = "#{disk_name_str} /home"

data/cookbooks/mu-tools/files/centos-6/CentOS-Base.repo

@@ -0,0 +1,47 @@
+# CentOS-Base.repo
+#
+# The mirror system uses the connecting IP address of the client and the
+# update status of each mirror to pick mirrors that are updated to and
+# geographically close to the client.  You should use this for CentOS updates
+# unless you are manually picking other mirrors.
+#
+# If the mirrorlist= does not work for you, as a fall back you can try the
+# remarked out baseurl= line instead.
+#
+#
+
+[base]
+name=CentOS-$releasever - Base
+baseurl=http://vault.centos.org/6.10/os/$basearch/
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
+
+#released updates
+[updates]
+name=CentOS-$releasever - Updates
+baseurl=http://vault.centos.org/6.10/updates/$basearch/
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
+
+#additional packages that may be useful
+[extras]
+name=CentOS-$releasever - Extras
+baseurl=http://vault.centos.org/6.10/extras/$basearch/
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
+
+#additional packages that extend functionality of existing packages
+[centosplus]
+name=CentOS-$releasever - Plus
+baseurl=http://vault.centos.org/6.10/centosplus/$basearch/
+gpgcheck=1
+enabled=0
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
+
+#contrib - packages by Centos Users
+[contrib]
+name=CentOS-$releasever - Contrib
+baseurl=http://vault.centos.org/6.10/contrib/$basearch/
+gpgcheck=1
+enabled=0
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6

data/cookbooks/mu-tools/libraries/helper.rb

@@ -93,11 +93,18 @@ module Mutools
       map = attached_nvme_disks
       if map[dev]
         map[dev]
+      elsif map[dev.gsub(/.*?\//, '')]
+        map[dev.gsub(/.*?\//, '')]
       else
         dev # be nice to actually handle this too
       end
     end
 
+    def uuid_line(dev)
+      realdev = real_devicepath(dev)
+      shell_out(%Q{/sbin/blkid #{realdev} -o export | grep ^UUID=}).stdout.chomp
+    end
+
     def nvme?
       if File.executable?("/bin/lsblk")
         shell_out(%Q{/bin/lsblk -i -p -r -n}).stdout.each_line { |l|
@@ -129,7 +136,7 @@ module Mutools
     @region = nil
     def set_aws_cfg_params
       begin
-        require 'aws-sdk-core'
+        require 'aws-sdk'
         instance_identity = get_aws_metadata("dynamic/instance-identity/document")
         return false if instance_identity.nil? # Not in AWS, most likely
         @region = JSON.parse(instance_identity)["region"]
@@ -154,6 +161,7 @@ module Mutools
 
     @ec2 = nil
     def ec2
+      require 'aws-sdk-ec2'
       if set_aws_cfg_params
         @ec2 ||= Aws::EC2::Client.new(region: @region)
       end
@@ -161,6 +169,7 @@ module Mutools
     end
     @s3 = nil
     def s3
+      require 'aws-sdk-s3'
       if set_aws_cfg_params
         @s3 ||= Aws::S3::Client.new(region: @region)
       end
@@ -297,7 +306,7 @@ module Mutools
       params = Base64.urlsafe_encode64(JSON.generate(arg)) if arg
       uri = URI("https://#{get_mu_master_ips.first}:2260/")
       req = Net::HTTP::Post.new(uri)
-      res_type = (node['deployment'].has_key?(:server_pools) and node['deployment']['server_pools'].has_key?(node['service_name'])) ? "server_pool" : "server"
+      res_type = (node['deployment'].has_key?('server_pools') and node['deployment']['server_pools'].has_key?(node['service_name'])) ? "server_pool" : "server"
       response = nil
       begin
         secret = get_deploy_secret
@@ -344,6 +353,7 @@ module Mutools
       rescue EOFError => e
         # Sometimes deployment metadata is incomplete and missing a
         # server_pool entry. Try to help it out.
+        # XXX find some awsmetadata way to determine that we're in an Autoscale Group before trying this
         if res_type == "server"
           res_type = "server_pool"
           retry