cloud-mu 3.5.0 → 3.6.3

Sign up to get free protection for your applications and to get access to all the features.
Files changed (245) hide show
  1. checksums.yaml +4 -4
  2. data/Berksfile +5 -2
  3. data/Berksfile.lock +135 -0
  4. data/ansible/roles/mu-base/README.md +33 -0
  5. data/ansible/roles/mu-base/defaults/main.yml +2 -0
  6. data/ansible/roles/mu-base/files/check_apm.cfg +1 -0
  7. data/ansible/roles/mu-base/files/check_apm.sh +18 -0
  8. data/ansible/roles/mu-base/files/check_disk.cfg +1 -0
  9. data/ansible/roles/mu-base/files/check_elastic_shards.cfg +1 -0
  10. data/ansible/roles/mu-base/files/check_elastic_shards.sh +12 -0
  11. data/ansible/roles/mu-base/files/check_logstash.cfg +1 -0
  12. data/ansible/roles/mu-base/files/check_logstash.sh +14 -0
  13. data/ansible/roles/mu-base/files/check_mem.cfg +1 -0
  14. data/ansible/roles/mu-base/files/check_updates.cfg +1 -0
  15. data/ansible/roles/mu-base/files/logrotate.conf +35 -0
  16. data/ansible/roles/mu-base/files/nrpe-apm-sudo +1 -0
  17. data/ansible/roles/mu-base/files/nrpe-elasticshards-sudo +2 -0
  18. data/ansible/roles/mu-base/handlers/main.yml +5 -0
  19. data/ansible/roles/mu-base/meta/main.yml +53 -0
  20. data/ansible/roles/mu-base/tasks/main.yml +113 -0
  21. data/ansible/roles/mu-base/templates/nrpe.cfg.j2 +231 -0
  22. data/ansible/roles/mu-base/tests/inventory +2 -0
  23. data/ansible/roles/mu-base/tests/test.yml +5 -0
  24. data/ansible/roles/mu-base/vars/main.yml +1 -0
  25. data/ansible/roles/mu-compliance/README.md +33 -0
  26. data/ansible/roles/mu-compliance/defaults/main.yml +2 -0
  27. data/ansible/roles/mu-compliance/files/U_MS_Windows_Server_2016_V2R1_STIG_SCAP_1-2_Benchmark.xml +15674 -0
  28. data/ansible/roles/mu-compliance/files/U_MS_Windows_Server_2019_V2R1_STIG_SCAP_1-2_Benchmark.xml +17553 -0
  29. data/ansible/roles/mu-compliance/handlers/main.yml +2 -0
  30. data/ansible/roles/mu-compliance/meta/main.yml +53 -0
  31. data/ansible/roles/mu-compliance/tasks/main.yml +45 -0
  32. data/ansible/roles/mu-compliance/tests/inventory +2 -0
  33. data/ansible/roles/mu-compliance/tests/test.yml +5 -0
  34. data/ansible/roles/mu-compliance/vars/main.yml +4 -0
  35. data/ansible/roles/mu-elastic/README.md +51 -0
  36. data/ansible/roles/mu-elastic/defaults/main.yml +2 -0
  37. data/ansible/roles/mu-elastic/files/jvm.options +93 -0
  38. data/ansible/roles/mu-elastic/handlers/main.yml +10 -0
  39. data/ansible/roles/mu-elastic/meta/main.yml +52 -0
  40. data/ansible/roles/mu-elastic/tasks/main.yml +186 -0
  41. data/ansible/roles/mu-elastic/templates/elasticsearch.yml.j2 +110 -0
  42. data/ansible/roles/mu-elastic/templates/kibana.yml.j2 +131 -0
  43. data/ansible/roles/mu-elastic/templates/password_set.expect.j2 +19 -0
  44. data/ansible/roles/mu-elastic/tests/inventory +2 -0
  45. data/ansible/roles/mu-elastic/tests/test.yml +5 -0
  46. data/ansible/roles/mu-elastic/vars/main.yml +2 -0
  47. data/ansible/roles/mu-logstash/README.md +51 -0
  48. data/ansible/roles/mu-logstash/defaults/main.yml +2 -0
  49. data/ansible/roles/mu-logstash/files/02-beats-input.conf +5 -0
  50. data/ansible/roles/mu-logstash/files/10-rails-filter.conf +16 -0
  51. data/ansible/roles/mu-logstash/files/jvm.options +84 -0
  52. data/ansible/roles/mu-logstash/files/logstash.yml +304 -0
  53. data/ansible/roles/mu-logstash/handlers/main.yml +20 -0
  54. data/ansible/roles/mu-logstash/meta/main.yml +52 -0
  55. data/ansible/roles/mu-logstash/tasks/main.yml +254 -0
  56. data/ansible/roles/mu-logstash/templates/20-cloudtrail.conf.j2 +28 -0
  57. data/ansible/roles/mu-logstash/templates/30-elasticsearch-output.conf.j2 +19 -0
  58. data/ansible/roles/mu-logstash/templates/apm-server.yml.j2 +33 -0
  59. data/ansible/roles/mu-logstash/templates/heartbeat.yml.j2 +29 -0
  60. data/ansible/roles/mu-logstash/templates/nginx/apm.conf.j2 +25 -0
  61. data/ansible/roles/mu-logstash/templates/nginx/default.conf.j2 +56 -0
  62. data/ansible/roles/mu-logstash/templates/nginx/elastic.conf.j2 +27 -0
  63. data/ansible/roles/mu-logstash/tests/inventory +2 -0
  64. data/ansible/roles/mu-logstash/tests/test.yml +5 -0
  65. data/ansible/roles/mu-logstash/vars/main.yml +2 -0
  66. data/ansible/roles/mu-rdp/README.md +33 -0
  67. data/ansible/roles/mu-rdp/meta/main.yml +53 -0
  68. data/ansible/roles/mu-rdp/tasks/main.yml +9 -0
  69. data/ansible/roles/mu-rdp/tests/inventory +2 -0
  70. data/ansible/roles/mu-rdp/tests/test.yml +5 -0
  71. data/ansible/roles/mu-windows/tasks/main.yml +3 -0
  72. data/bin/mu-ansible-secret +1 -1
  73. data/bin/mu-aws-setup +4 -3
  74. data/bin/mu-azure-setup +5 -5
  75. data/bin/mu-configure +25 -17
  76. data/bin/mu-firewall-allow-clients +1 -0
  77. data/bin/mu-gcp-setup +3 -3
  78. data/bin/mu-load-config.rb +1 -0
  79. data/bin/mu-node-manage +66 -33
  80. data/bin/mu-self-update +2 -2
  81. data/bin/mu-upload-chef-artifacts +6 -1
  82. data/bin/mu-user-manage +1 -1
  83. data/cloud-mu.gemspec +25 -23
  84. data/cookbooks/firewall/CHANGELOG.md +417 -224
  85. data/cookbooks/firewall/LICENSE +202 -0
  86. data/cookbooks/firewall/README.md +153 -126
  87. data/cookbooks/firewall/TODO.md +6 -0
  88. data/cookbooks/firewall/attributes/firewalld.rb +7 -0
  89. data/cookbooks/firewall/attributes/iptables.rb +3 -3
  90. data/cookbooks/firewall/chefignore +115 -0
  91. data/cookbooks/firewall/libraries/helpers.rb +5 -0
  92. data/cookbooks/firewall/libraries/helpers_firewalld.rb +1 -1
  93. data/cookbooks/firewall/libraries/helpers_firewalld_dbus.rb +72 -0
  94. data/cookbooks/firewall/libraries/helpers_iptables.rb +3 -3
  95. data/cookbooks/firewall/libraries/helpers_nftables.rb +170 -0
  96. data/cookbooks/firewall/libraries/helpers_ufw.rb +7 -0
  97. data/cookbooks/firewall/libraries/helpers_windows.rb +8 -9
  98. data/cookbooks/firewall/libraries/provider_firewall_firewalld.rb +9 -9
  99. data/cookbooks/firewall/libraries/provider_firewall_iptables.rb +7 -7
  100. data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu.rb +12 -8
  101. data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu1404.rb +13 -9
  102. data/cookbooks/firewall/libraries/provider_firewall_rule.rb +1 -1
  103. data/cookbooks/firewall/libraries/provider_firewall_ufw.rb +5 -5
  104. data/cookbooks/firewall/libraries/provider_firewall_windows.rb +4 -4
  105. data/cookbooks/firewall/libraries/resource_firewall_rule.rb +3 -3
  106. data/cookbooks/firewall/metadata.json +40 -1
  107. data/cookbooks/firewall/metadata.rb +15 -0
  108. data/cookbooks/firewall/recipes/default.rb +7 -7
  109. data/cookbooks/firewall/recipes/disable_firewall.rb +1 -1
  110. data/cookbooks/firewall/recipes/firewalld.rb +87 -0
  111. data/cookbooks/firewall/renovate.json +18 -0
  112. data/cookbooks/firewall/resources/firewalld.rb +28 -0
  113. data/cookbooks/firewall/resources/firewalld_config.rb +39 -0
  114. data/cookbooks/firewall/resources/firewalld_helpers.rb +106 -0
  115. data/cookbooks/firewall/resources/firewalld_icmptype.rb +88 -0
  116. data/cookbooks/firewall/resources/firewalld_ipset.rb +104 -0
  117. data/cookbooks/firewall/resources/firewalld_policy.rb +115 -0
  118. data/cookbooks/firewall/resources/firewalld_service.rb +98 -0
  119. data/cookbooks/firewall/resources/firewalld_zone.rb +118 -0
  120. data/cookbooks/firewall/resources/nftables.rb +71 -0
  121. data/cookbooks/firewall/resources/nftables_rule.rb +113 -0
  122. data/cookbooks/mu-activedirectory/Berksfile +1 -1
  123. data/cookbooks/mu-activedirectory/metadata.rb +1 -1
  124. data/cookbooks/mu-firewall/metadata.rb +2 -2
  125. data/cookbooks/mu-master/Berksfile +4 -3
  126. data/cookbooks/mu-master/attributes/default.rb +5 -2
  127. data/cookbooks/mu-master/files/default/check_elastic.sh +761 -0
  128. data/cookbooks/mu-master/files/default/check_kibana.rb +45 -0
  129. data/cookbooks/mu-master/libraries/mu.rb +24 -0
  130. data/cookbooks/mu-master/metadata.rb +5 -5
  131. data/cookbooks/mu-master/recipes/default.rb +31 -20
  132. data/cookbooks/mu-master/recipes/firewall-holes.rb +5 -0
  133. data/cookbooks/mu-master/recipes/init.rb +58 -19
  134. data/cookbooks/mu-master/recipes/update_nagios_only.rb +251 -178
  135. data/cookbooks/mu-master/templates/default/nagios.conf.erb +5 -11
  136. data/cookbooks/mu-master/templates/default/web_app.conf.erb +3 -0
  137. data/cookbooks/mu-php54/Berksfile +1 -1
  138. data/cookbooks/mu-php54/metadata.rb +2 -2
  139. data/cookbooks/mu-tools/Berksfile +2 -3
  140. data/cookbooks/mu-tools/attributes/default.rb +3 -4
  141. data/cookbooks/mu-tools/files/amazon/etc/bashrc +90 -0
  142. data/cookbooks/mu-tools/files/amazon/etc/login.defs +292 -0
  143. data/cookbooks/mu-tools/files/amazon/etc/profile +77 -0
  144. data/cookbooks/mu-tools/files/amazon/etc/security/limits.conf +63 -0
  145. data/cookbooks/mu-tools/files/amazon/etc/sysconfig/init +19 -0
  146. data/cookbooks/mu-tools/files/amazon/etc/sysctl.conf +82 -0
  147. data/cookbooks/mu-tools/files/amazon-2023/etc/login.defs +294 -0
  148. data/cookbooks/mu-tools/files/default/logrotate.conf +35 -0
  149. data/cookbooks/mu-tools/files/default/nrpe_conf_d.pp +0 -0
  150. data/cookbooks/mu-tools/libraries/helper.rb +21 -9
  151. data/cookbooks/mu-tools/metadata.rb +4 -4
  152. data/cookbooks/mu-tools/recipes/apply_security.rb +3 -2
  153. data/cookbooks/mu-tools/recipes/aws_api.rb +23 -5
  154. data/cookbooks/mu-tools/recipes/base_repositories.rb +4 -1
  155. data/cookbooks/mu-tools/recipes/gcloud.rb +56 -56
  156. data/cookbooks/mu-tools/recipes/nagios.rb +1 -1
  157. data/cookbooks/mu-tools/recipes/nrpe.rb +20 -2
  158. data/cookbooks/mu-tools/recipes/rsyslog.rb +12 -1
  159. data/cookbooks/mu-tools/recipes/set_local_fw.rb +1 -1
  160. data/data_bags/nagios_services/apm_backend_connect.json +5 -0
  161. data/data_bags/nagios_services/apm_listen.json +5 -0
  162. data/data_bags/nagios_services/elastic_shards.json +5 -0
  163. data/data_bags/nagios_services/logstash.json +5 -0
  164. data/data_bags/nagios_services/rhel7_updates.json +8 -0
  165. data/extras/image-generators/AWS/centos7.yaml +1 -0
  166. data/extras/image-generators/AWS/rhel7.yaml +21 -0
  167. data/extras/image-generators/AWS/win2k12r2.yaml +1 -0
  168. data/extras/image-generators/AWS/win2k16.yaml +1 -0
  169. data/extras/image-generators/AWS/win2k19.yaml +1 -0
  170. data/extras/list-stock-amis +0 -0
  171. data/extras/ruby_rpm/muby.spec +8 -5
  172. data/extras/vault_tools/export_vaults.sh +1 -1
  173. data/extras/vault_tools/recreate_vaults.sh +0 -0
  174. data/extras/vault_tools/test_vaults.sh +0 -0
  175. data/install/deprecated-bash-library.sh +1 -1
  176. data/install/installer +4 -2
  177. data/modules/mommacat.ru +3 -1
  178. data/modules/mu/adoption.rb +1 -1
  179. data/modules/mu/cloud/dnszone.rb +2 -2
  180. data/modules/mu/cloud/machine_images.rb +26 -25
  181. data/modules/mu/cloud/resource_base.rb +213 -182
  182. data/modules/mu/cloud/server_pool.rb +1 -1
  183. data/modules/mu/cloud/ssh_sessions.rb +7 -5
  184. data/modules/mu/cloud/wrappers.rb +2 -2
  185. data/modules/mu/cloud.rb +1 -1
  186. data/modules/mu/config/bucket.rb +1 -1
  187. data/modules/mu/config/function.rb +6 -1
  188. data/modules/mu/config/loadbalancer.rb +24 -2
  189. data/modules/mu/config/ref.rb +12 -0
  190. data/modules/mu/config/role.rb +1 -1
  191. data/modules/mu/config/schema_helpers.rb +42 -9
  192. data/modules/mu/config/server.rb +43 -27
  193. data/modules/mu/config/tail.rb +19 -10
  194. data/modules/mu/config.rb +6 -5
  195. data/modules/mu/defaults/AWS.yaml +78 -114
  196. data/modules/mu/deploy.rb +9 -2
  197. data/modules/mu/groomer.rb +12 -4
  198. data/modules/mu/groomers/ansible.rb +104 -20
  199. data/modules/mu/groomers/chef.rb +15 -6
  200. data/modules/mu/master.rb +9 -4
  201. data/modules/mu/mommacat/daemon.rb +4 -2
  202. data/modules/mu/mommacat/naming.rb +1 -2
  203. data/modules/mu/mommacat/storage.rb +7 -2
  204. data/modules/mu/mommacat.rb +33 -6
  205. data/modules/mu/providers/aws/database.rb +161 -8
  206. data/modules/mu/providers/aws/dnszone.rb +11 -6
  207. data/modules/mu/providers/aws/endpoint.rb +81 -6
  208. data/modules/mu/providers/aws/firewall_rule.rb +254 -172
  209. data/modules/mu/providers/aws/function.rb +65 -3
  210. data/modules/mu/providers/aws/loadbalancer.rb +39 -28
  211. data/modules/mu/providers/aws/log.rb +2 -1
  212. data/modules/mu/providers/aws/role.rb +25 -7
  213. data/modules/mu/providers/aws/server.rb +36 -12
  214. data/modules/mu/providers/aws/server_pool.rb +237 -127
  215. data/modules/mu/providers/aws/storage_pool.rb +7 -1
  216. data/modules/mu/providers/aws/user.rb +1 -1
  217. data/modules/mu/providers/aws/userdata/linux.erb +6 -2
  218. data/modules/mu/providers/aws/userdata/windows.erb +7 -5
  219. data/modules/mu/providers/aws/vpc.rb +49 -25
  220. data/modules/mu/providers/aws.rb +13 -8
  221. data/modules/mu/providers/azure/container_cluster.rb +1 -1
  222. data/modules/mu/providers/azure/loadbalancer.rb +2 -2
  223. data/modules/mu/providers/azure/server.rb +5 -2
  224. data/modules/mu/providers/azure/userdata/linux.erb +1 -1
  225. data/modules/mu/providers/azure.rb +11 -8
  226. data/modules/mu/providers/cloudformation/dnszone.rb +1 -1
  227. data/modules/mu/providers/google/container_cluster.rb +15 -2
  228. data/modules/mu/providers/google/folder.rb +2 -1
  229. data/modules/mu/providers/google/function.rb +130 -4
  230. data/modules/mu/providers/google/habitat.rb +2 -1
  231. data/modules/mu/providers/google/loadbalancer.rb +407 -160
  232. data/modules/mu/providers/google/role.rb +16 -3
  233. data/modules/mu/providers/google/server.rb +5 -1
  234. data/modules/mu/providers/google/user.rb +25 -18
  235. data/modules/mu/providers/google/userdata/linux.erb +1 -1
  236. data/modules/mu/providers/google/vpc.rb +53 -7
  237. data/modules/mu/providers/google.rb +39 -39
  238. data/modules/mu.rb +8 -8
  239. data/modules/tests/elk.yaml +46 -0
  240. data/test/mu-master-test/controls/all_in_one.rb +1 -1
  241. metadata +207 -112
  242. data/cookbooks/firewall/CONTRIBUTING.md +0 -2
  243. data/cookbooks/firewall/MAINTAINERS.md +0 -19
  244. data/cookbooks/firewall/libraries/matchers.rb +0 -30
  245. data/extras/image-generators/AWS/rhel71.yaml +0 -17
@@ -0,0 +1,45 @@
1
+ #!/usr/local/ruby-current/bin/ruby
2
+
3
+ require 'optimist'
4
+ require 'json'
5
+ require 'net/http'
6
+
7
+ OPTS = Optimist::options do
8
+ opt :host, "Kibana host to check", :required => true, :type => :string
9
+ opt :username, "Kibana username", :required => false, :type => :string
10
+ opt :password, "Kibana password", :required => false, :type => :string
11
+ opt :port, "Port to check for Kibana", :required => false, :default => 5601, :type => :integer
12
+ opt :basepath, "Path prefix for API requests", :required => false, :default => "", :type => :string
13
+ end
14
+
15
+ uri = "https://"+OPTS[:host]+":"+OPTS[:port].to_s+OPTS[:basepath]+"/api/status"
16
+ req = Net::HTTP::Get.new(uri)
17
+ if OPTS[:username] and OPTS[:password]
18
+ req.basic_auth OPTS[:username], OPTS[:password]
19
+ end
20
+ begin
21
+ Net::HTTP.start(OPTS[:host], OPTS[:port], :use_ssl => true) do |http|
22
+ resp = JSON.parse(http.request(req).body)
23
+ status = resp["status"]["overall"]
24
+ output = status["nickname"]+" since "+status["since"]
25
+ if resp["metrics"] and resp["metrics"] and resp["metrics"]["requests"]
26
+ output += "\n"+resp["metrics"]["requests"]["total"].to_s+" requests since "+resp["metrics"]["last_updated"]
27
+ end
28
+
29
+ puts output
30
+ if status["state"] == "green"
31
+ exit 0
32
+ elsif status["state"] == "yellow"
33
+ exit 1
34
+ else
35
+ exit 2
36
+ end
37
+ end
38
+ rescue Net::HTTPServerException, SocketError, Errno::EHOSTUNREACH, Errno::ENETUNREACH, Errno::ECONNREFUSED => e
39
+ puts e.inspect
40
+ exit 2
41
+ rescue StandardError => e
42
+ puts e.inspect
43
+ exit 3
44
+ end
45
+
@@ -26,4 +26,28 @@ elsif File.readable?("/opt/mu/lib/modules/mu-load-config.rb")
26
26
  require "/opt/mu/lib/modules/mu-load-config.rb"
27
27
  end
28
28
 
29
+ # for some reason aaws-sigv4 isn't getting picked up by Mu's requires
30
+ require "aws-sigv4"
29
31
  require "mu"
32
+
33
+ def baskets
34
+ baskets = {}
35
+ if Dir.exists?("/opt/mu/var/deployments")
36
+ Dir.glob("/opt/mu/var/deployments/*/basket_of_kittens.json").each { |basket_json|
37
+ basket_json =~ /^\/opt\/mu\/var\/deployments\/([^\/]+)\/basket_of_kittens.json$/
38
+ baskets[Regexp.last_match[1]] = JSON.parse(File.read(basket_json))
39
+ }
40
+ end
41
+ baskets
42
+ end
43
+
44
+ def deployments
45
+ deploys = {}
46
+ if Dir.exists?("/opt/mu/var/deployments")
47
+ Dir.glob("/opt/mu/var/deployments/*/deployment.json").each { |dep_json|
48
+ dep_json =~ /^\/opt\/mu\/var\/deployments\/([^\/]+)\/deployment.json$/
49
+ deploys[Regexp.last_match[1]] = JSON.parse(File.read(dep_json))
50
+ }
51
+ end
52
+ deploys
53
+ end
@@ -7,13 +7,13 @@ long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
7
7
  source_url 'https://github.com/cloudamatic/mu'
8
8
  issues_url 'https://github.com/cloudamatic/mu/issues'
9
9
  chef_version '>= 12.1' if respond_to?(:chef_version)
10
- version '0.9.7'
10
+ version '0.9.9'
11
11
 
12
12
  %w( centos amazon redhat ).each do |os|
13
13
  supports os
14
14
  end
15
15
 
16
- depends 'mu-nagios'
16
+ depends 'nagios'
17
17
  depends 'nrpe', '~> 2.0.3'
18
18
  depends 'mu-utility'
19
19
  depends 'mu-tools'
@@ -23,9 +23,9 @@ depends 'postfix', '~> 5.3.1'
23
23
  depends 'bind', '~> 2.2.0'
24
24
  depends 'bind9-ng', '~> 0.1.0'
25
25
  depends 'mu-firewall'
26
- depends 'vault-cluster', '~> 2.1.0'
27
- depends 'consul-cluster', '~> 2.0.0'
26
+ #depends 'vault-cluster', '~> 2.1.0'
27
+ #depends 'consul-cluster', '~> 2.0.0'
28
28
  depends 'chef-sugar' # undeclared dependency of consul 2.1, which can't be upgraded without creating a conflict with consul-cluster and vault-cluster -zr2d2
29
29
  depends 'hostsfile', '~> 3.0.1'
30
30
  depends 'chef-vault', '~> 3.1.1'
31
- depends 'apache2', '< 8.0.0'
31
+ depends 'apache2', '~> 9.0.3'
@@ -160,32 +160,33 @@ if !node['update_nagios_only']
160
160
  end
161
161
  end
162
162
 
163
- include_recipe "mu-master::update_nagios_only"
163
+ include_recipe "mu-master::update_nagios_only" if !$MU_CFG['disable_nagios']
164
164
 
165
165
  if !node['update_nagios_only']
166
-
167
- package %w(nagios-plugins-breeze nagios-plugins-by_ssh nagios-plugins-cluster nagios-plugins-dhcp nagios-plugins-dig nagios-plugins-disk nagios-plugins-disk_smb nagios-plugins-dns nagios-plugins-dummy nagios-plugins-file_age nagios-plugins-flexlm nagios-plugins-fping nagios-plugins-game nagios-plugins-hpjd nagios-plugins-http nagios-plugins-icmp nagios-plugins-ide_smart nagios-plugins-ircd nagios-plugins-ldap nagios-plugins-load nagios-plugins-log nagios-plugins-mailq nagios-plugins-mrtg nagios-plugins-mrtgtraf nagios-plugins-nagios nagios-plugins-nt nagios-plugins-ntp nagios-plugins-ntp-perl nagios-plugins-nwstat nagios-plugins-oracle nagios-plugins-overcr nagios-plugins-pgsql nagios-plugins-ping nagios-plugins-procs nagios-plugins-real nagios-plugins-rpc nagios-plugins-sensors nagios-plugins-smtp nagios-plugins-snmp nagios-plugins-ssh nagios-plugins-swap nagios-plugins-tcp nagios-plugins-time nagios-plugins-ups nagios-plugins-users nagios-plugins-wave) do
168
- action :install
169
- end
170
-
171
- package %w(nagios-plugins-mysql) do
166
+ if !$MU_CFG['disable_nagios']
167
+ package %w(nagios-plugins-breeze nagios-plugins-by_ssh nagios-plugins-cluster nagios-plugins-dhcp nagios-plugins-dig nagios-plugins-disk nagios-plugins-disk_smb nagios-plugins-dns nagios-plugins-dummy nagios-plugins-file_age nagios-plugins-flexlm nagios-plugins-fping nagios-plugins-game nagios-plugins-hpjd nagios-plugins-http nagios-plugins-icmp nagios-plugins-ide_smart nagios-plugins-ircd nagios-plugins-ldap nagios-plugins-load nagios-plugins-log nagios-plugins-mailq nagios-plugins-mrtg nagios-plugins-mrtgtraf nagios-plugins-nagios nagios-plugins-nt nagios-plugins-ntp nagios-plugins-ntp-perl nagios-plugins-nwstat nagios-plugins-oracle nagios-plugins-overcr nagios-plugins-pgsql nagios-plugins-ping nagios-plugins-procs nagios-plugins-real nagios-plugins-rpc nagios-plugins-sensors nagios-plugins-smtp nagios-plugins-snmp nagios-plugins-ssh nagios-plugins-swap nagios-plugins-tcp nagios-plugins-time nagios-plugins-ups nagios-plugins-users nagios-plugins-wave) do
172
168
  action :install
173
- not_if { node['platform'] == 'amazon' }
174
- end
169
+ end
175
170
 
176
- directory "/home/nagios" do
177
- owner "nagios"
178
- mode 0711
179
- end
171
+ package %w(nagios-plugins-mysql) do
172
+ action :install
173
+ not_if { node['platform'] == 'amazon' }
174
+ end
180
175
 
181
- directory "/home/nagios/.ssh" do
182
- owner "nagios"
183
- mode 0711
184
- end
176
+ directory "/home/nagios" do
177
+ owner "nagios"
178
+ mode 0711
179
+ end
185
180
 
186
- file "/home/nagios/.ssh/config" do
187
- owner "nagios"
188
- mode 0600
181
+ directory "/home/nagios/.ssh" do
182
+ owner "nagios"
183
+ mode 0711
184
+ end
185
+
186
+ file "/home/nagios/.ssh/config" do
187
+ owner "nagios"
188
+ mode 0600
189
+ end
189
190
  end
190
191
 
191
192
  execute "dhclient-script" do
@@ -220,6 +221,7 @@ if !node['update_nagios_only']
220
221
  apache2_install "" do
221
222
  docroot_dir "/var/www/html"
222
223
  modules %w{status alias auth_basic authn_core authn_file authz_core authz_groupfile authz_host authz_user autoindex deflate dir env mime negotiation setenvif log_config logio unixd systemd headers proxy proxy_http rewrite ssl ldap authnz_ldap slotmem_shm}
224
+ listen [80, 443, 8443]
223
225
  end
224
226
  package "mod_ldap"
225
227
 
@@ -229,7 +231,12 @@ if !node['update_nagios_only']
229
231
  apache2_mod_cgid ""
230
232
  apache2_mod_ssl ""
231
233
 
234
+ link "/usr/lib64/httpd/modules/mod_php5.so" do
235
+ to "/usr/lib64/httpd/modules/libphp5.so"
236
+ end
232
237
  apache2_mod "php"
238
+ apache2_module "php5"
239
+ apache2_module "cgi"
233
240
  apache2_default_site "" do
234
241
  action :enable
235
242
  notifies :start, "service[apache2]", :delayed
@@ -414,6 +421,10 @@ if !node['update_nagios_only']
414
421
  "
415
422
  end
416
423
 
424
+ execute "chcon -R -h -t var_log_t /Mu_Logs" do
425
+ not_if "ls -aZ /Mu_Logs | grep ':var_log_t'"
426
+ end
427
+
417
428
  # XXX this will catch the occasional 4am groom. Need a way to graceful-restart momma.
418
429
  file "/etc/logrotate.d/Mu_momma_cat" do
419
430
  content "/var/log/mu-momma-cat.log
@@ -23,6 +23,11 @@ firewall_rule "MU Master default ports" do
23
23
  port [MU.mommaCatPort, 7443, 8443, 9443, 10514, 443, 80, 25]
24
24
  end
25
25
 
26
+ firewall_rule "Logstash port" do
27
+ port [5044]
28
+ source "10.0.0.0/8"
29
+ end
30
+
26
31
  local_chef_ports = [4321, 9463, 9583, 16379, 8983, 8000, 9680, 9683, 9090, 5432]
27
32
  firewall_rule "Chef Server ports on 127.0.0.1" do
28
33
  port local_chef_ports
@@ -22,6 +22,8 @@
22
22
  # references to other cookbooks, no include_recipes, no cookbook_files, no
23
23
  # templates.
24
24
 
25
+ chef_gem "aws-sigv4"
26
+
25
27
  require 'etc'
26
28
  require 'open-uri'
27
29
  require 'socket'
@@ -35,8 +37,8 @@ ENV['PATH'] = ENV['PATH']+":/bin:/opt/opscode/embedded/bin"
35
37
 
36
38
  # XXX We want to be able to override these things when invoked from chef-apply,
37
39
  # but, like, how?
38
- CHEF_SERVER_VERSION="14.0.65-1"
39
- CHEF_CLIENT_VERSION="16.9.29"
40
+ CHEF_SERVER_VERSION="14.11.31-1"
41
+ CHEF_CLIENT_VERSION="18.5.0"
40
42
  KNIFE_WINDOWS="1.9.0"
41
43
  MU_BASE="/opt/mu"
42
44
 
@@ -227,7 +229,13 @@ when 'amazon'
227
229
  when '2'
228
230
  basepackages.concat(['libX11', 'mariadb-devel', 'cryptsetup', 'ncurses-devel', 'ncurses-compat-libs', 'iptables-services'])
229
231
  removepackages = ['nagios', 'firewalld']
230
- elversion = '7' #HACK TO FORCE AMAZON LINUX 2 TO BE TREATED LIKE RHEL 7
232
+ elversion = '7'
233
+
234
+ when '2023'
235
+ basepackages.concat(['libX11', 'mariadb105-devel', 'cryptsetup', 'ncurses-devel', 'ncurses-compat-libs', 'iptables-services', 'libxcrypt-compat', 'ruby'])
236
+ basepackages.delete('curl')
237
+ removepackages = ['nagios', 'firewalld']
238
+ elversion = '7'
231
239
 
232
240
  else
233
241
  raise "Mu Masters on Amazon-family hosts must be equivalent to Amazon Linux 1 or 2 (got #{node['platform_version'].split('.')[0]})"
@@ -237,18 +245,27 @@ else
237
245
  end
238
246
 
239
247
  rpms = {
240
- "epel-release" => "http://dl.fedoraproject.org/pub/epel/epel-release-latest-#{elversion}.noarch.rpm",
241
248
  "chef-server-core" => "https://packages.chef.io/files/stable/chef-server/#{CHEF_SERVER_VERSION.sub(/\-\d+$/, "")}/el/#{elversion}/chef-server-core-#{CHEF_SERVER_VERSION}.el#{elversion}.x86_64.rpm"
242
249
  }
243
250
 
244
- rpms["ruby27"] = "https://s3.amazonaws.com/cloudamatic/muby-2.7.2-1.el#{elversion}.x86_64.rpm"
245
- if elversion.to_i == 6
246
- rpms["openssl"] = "https://s3.amazonaws.com/cloudamatic/mussl-1.1.1h-1.el6.x86_64.rpm"
247
- rpms["sqlite"] = "https://s3.amazonaws.com/cloudamatic/muqlite-3.33-1.el6.x86_64.rpm"
251
+ unless node['platform_family'] == "amazon"
252
+ rpms["epel-release"] = "http://dl.fedoraproject.org/pub/epel/epel-release-latest-#{elversion}.noarch.rpm"
248
253
  end
249
- if elversion.to_i == 7
250
- rpms["mugit"] = "https://s3.amazonaws.com/cloudamatic/mugit-2.30.0-1.el7.x86_64.rpm"
254
+
255
+ shorthand = "el"
256
+ shorthand = "amzn" if node['platform_family'] == "amazon"
257
+
258
+ rpms["ruby33"] = "https://s3.amazonaws.com/icras-ruby/muby-3.3.5-1.#{shorthand}#{node['platform_version'].split('.')[0]}.x86_64.rpm"
259
+ unless node['platform_family'] == "amazon"
260
+ if elversion.to_i == 6
261
+ rpms["openssl"] = "https://s3.amazonaws.com/cloudamatic/mussl-1.1.1h-1.el6.x86_64.rpm"
262
+ rpms["sqlite"] = "https://s3.amazonaws.com/cloudamatic/muqlite-3.33-1.el6.x86_64.rpm"
263
+ end
264
+ if elversion.to_i == 7
265
+ rpms["mugit"] = "https://s3.amazonaws.com/cloudamatic/mugit-2.30.0-1.el7.x86_64.rpm"
266
+ end
251
267
  end
268
+
252
269
  # this takes up a huge amount of space, save it until we're fully operational
253
270
  if !RUNNING_STANDALONE
254
271
  rpms["python38"] = "https://s3.amazonaws.com/cloudamatic/muthon-3.8.3-1.el#{elversion}.x86_64.rpm"
@@ -354,7 +371,7 @@ end
354
371
  rpms.each_pair { |pkg, src|
355
372
  rpm_package pkg do
356
373
  source src
357
- if pkg == "ruby27"
374
+ if pkg == "ruby33"
358
375
  options '--prefix=/opt/rubies/'
359
376
  end
360
377
  if pkg == "epel-release"
@@ -376,6 +393,21 @@ rpms.each_pair { |pkg, src|
376
393
  end
377
394
  }
378
395
 
396
+ execute "/sbin/ldconfig" do
397
+ action :nothing
398
+ end
399
+
400
+ ["/opt/rubies/ruby-3.3.5/lib/pkgconfig/ruby-3.3.pc", "/opt/rubies/ruby-3.3.5/lib/ruby/3.3.0/x86_64-linux/rbconfig.rb"].each { |f|
401
+ execute "scrub rpmbuild cruft from #{f}" do
402
+ command "sed -i 's/-Wl,-dT,\\/root\\/rpmbuild\\/BUILD\\/.package_note-muby-3.3.5-1.amzn2023.x86_64.ld//' #{f}"
403
+ end
404
+ }
405
+
406
+ file "/etc/ld.so.conf.d/muby.conf" do
407
+ content "/usr/local/ruby-current/lib\n"
408
+ notifies :run, "execute[/sbin/ldconfig]", :immediately
409
+ end
410
+
379
411
  package ["jq"] do
380
412
  ignore_failure true # sometimes we can't see EPEL immediately
381
413
  end
@@ -473,7 +505,7 @@ gemfile_dir = if RUNNING_STANDALONE and !File.readlines("/etc/mtab").grep(/\s\/o
473
505
  end
474
506
  }
475
507
  dmiout = shell_out!(%Q{PATH=/sbin:/usr/sbin:/bin:/usr/bin dmidecode})
476
- if dmiout.match(/Google/)
508
+ if dmiout.stdout.match(/Google/)
477
509
  exclude_gems.delete("google-api-client")
478
510
  end
479
511
 
@@ -569,14 +601,14 @@ end
569
601
 
570
602
  # Get a 'mu' Chef org in place and populate it with artifacts
571
603
  directory "/root/.chef"
572
- execute "knife ssl fetch" do
604
+ execute "env -i HOME=/root:PATH=/opt/chef/embedded/bin:/bin:/usr/bin /opt/chef/embedded/bin/knife ssl fetch" do
573
605
  action :nothing
574
606
  end
575
607
  execute "initial Chef artifact upload" do
576
608
  command "MU_INSTALLDIR=#{MU_BASE} MU_LIBDIR=#{MU_BASE}/lib MU_DATADIR=#{MU_BASE}/var #{MU_BASE}/lib/bin/mu-upload-chef-artifacts"
577
609
  action :nothing
578
610
  notifies :stop, "service[iptables]", :before
579
- notifies :run, "execute[knife ssl fetch]", :before
611
+ notifies :run, "execute[env -i knife ssl fetch]", :before
580
612
  if !RUNNING_STANDALONE
581
613
  notifies :start, "service[iptables]", :immediately
582
614
  end
@@ -587,11 +619,13 @@ chef_gem "simple-password-gen" do
587
619
  end
588
620
  require "simple-password-gen"
589
621
 
590
- # XXX this would make an awesome library
591
622
  execute "create mu Chef user" do
592
623
  command "/opt/opscode/bin/chef-server-ctl user-create mu Mu Master root@example.com #{Password.pronounceable} -f #{MU_BASE}/var/users/mu/mu.user.key"
593
624
  umask "0277"
594
625
  not_if "/opt/opscode/bin/chef-server-ctl user-list | grep '^mu$'"
626
+ if !File.exist?("/etc/opscode/pivotal.rb")
627
+ notifies :run, "execute[reconfigure Chef server]", :immediately
628
+ end
595
629
  notifies :start, "service[chef-server]", :before
596
630
  end
597
631
  execute "create mu Chef org" do
@@ -679,12 +713,12 @@ knife_cfg = "-c /root/.chef/knife.rb"
679
713
  execute "create MU-MASTER Chef client" do
680
714
  # XXX I dislike --ssh-verify-host-key=never intensely, but the CLI-documented 'accept_new' doesn't actually work
681
715
  if SSH_USER == "root"
682
- command "/opt/chef/bin/knife bootstrap #{knife_cfg} -N MU-MASTER --no-node-verify-api-cert --node-ssl-verify-mode=none -U #{SSH_USER} --ssh-identity-file=/root/.ssh/id_rsa --ssh-verify-host-key=never 127.0.0.1"
716
+ command "PATH='/opt/chef/bin:/opt/chef/embedded/bin' knife bootstrap #{knife_cfg} -N MU-MASTER --no-node-verify-api-cert --node-ssl-verify-mode=none -U #{SSH_USER} --ssh-identity-file=/root/.ssh/id_rsa --ssh-verify-host-key=never 127.0.0.1"
683
717
  else
684
- command "/opt/chef/bin/knife bootstrap #{knife_cfg} -N MU-MASTER --no-node-verify-api-cert --node-ssl-verify-mode=none -U #{SSH_USER} --ssh-identity-file=/root/.ssh/id_rsa --ssh-verify-host-key=never --sudo 127.0.0.1"
718
+ command "PATH='/opt/chef/bin:/opt/chef/embedded/bin' knife bootstrap #{knife_cfg} -N MU-MASTER --no-node-verify-api-cert --node-ssl-verify-mode=none -U #{SSH_USER} --ssh-identity-file=/root/.ssh/id_rsa --ssh-verify-host-key=never --sudo 127.0.0.1"
685
719
  end
686
- only_if "/opt/chef/bin/knife node #{knife_cfg} list" # don't do crazy stuff just because knife isn't working
687
- not_if "/opt/chef/bin/knife node #{knife_cfg} list | grep '^MU-MASTER$'"
720
+ only_if "PATH='/opt/chef/bin:/opt/chef/embedded/bin' knife node #{knife_cfg} list" # don't do crazy stuff just because knife isn't working
721
+ not_if "PATH='/opt/chef/bin:/opt/chef/embedded/bin' knife node #{knife_cfg} list | grep '^MU-MASTER$'"
688
722
  notifies :run, "execute[add localhost key to authorized_keys]", :before
689
723
  notifies :delete, "file[/etc/chef/client.rb]", :before
690
724
  notifies :delete, "file[/etc/chef/client.pem]", :before
@@ -719,6 +753,11 @@ bash "fix misc permissions" do
719
753
  EOH
720
754
  end
721
755
 
756
+ # https://github.com/chef/chef-server/issues/3109#issuecomment-1022084825
757
+ execute "ensure Chef indexes aren't read-only" do
758
+ command %Q{curl -XPUT -H "Content-Type: application/json" http://127.0.0.1:9200/_all/_settings -d '{"index.blocks.read_only_allow_delete": null}'}
759
+ end
760
+
722
761
  directory TMPDIR do
723
762
  action :delete
724
763
  recursive true