cloud-mu 3.5.0 → 3.6.3
- checksums.yaml +4 -4
- data/Berksfile +5 -2
- data/Berksfile.lock +135 -0
- data/ansible/roles/mu-base/README.md +33 -0
- data/ansible/roles/mu-base/defaults/main.yml +2 -0
- data/ansible/roles/mu-base/files/check_apm.cfg +1 -0
- data/ansible/roles/mu-base/files/check_apm.sh +18 -0
- data/ansible/roles/mu-base/files/check_disk.cfg +1 -0
- data/ansible/roles/mu-base/files/check_elastic_shards.cfg +1 -0
- data/ansible/roles/mu-base/files/check_elastic_shards.sh +12 -0
- data/ansible/roles/mu-base/files/check_logstash.cfg +1 -0
- data/ansible/roles/mu-base/files/check_logstash.sh +14 -0
- data/ansible/roles/mu-base/files/check_mem.cfg +1 -0
- data/ansible/roles/mu-base/files/check_updates.cfg +1 -0
- data/ansible/roles/mu-base/files/logrotate.conf +35 -0
- data/ansible/roles/mu-base/files/nrpe-apm-sudo +1 -0
- data/ansible/roles/mu-base/files/nrpe-elasticshards-sudo +2 -0
- data/ansible/roles/mu-base/handlers/main.yml +5 -0
- data/ansible/roles/mu-base/meta/main.yml +53 -0
- data/ansible/roles/mu-base/tasks/main.yml +113 -0
- data/ansible/roles/mu-base/templates/nrpe.cfg.j2 +231 -0
- data/ansible/roles/mu-base/tests/inventory +2 -0
- data/ansible/roles/mu-base/tests/test.yml +5 -0
- data/ansible/roles/mu-base/vars/main.yml +1 -0
- data/ansible/roles/mu-compliance/README.md +33 -0
- data/ansible/roles/mu-compliance/defaults/main.yml +2 -0
- data/ansible/roles/mu-compliance/files/U_MS_Windows_Server_2016_V2R1_STIG_SCAP_1-2_Benchmark.xml +15674 -0
- data/ansible/roles/mu-compliance/files/U_MS_Windows_Server_2019_V2R1_STIG_SCAP_1-2_Benchmark.xml +17553 -0
- data/ansible/roles/mu-compliance/handlers/main.yml +2 -0
- data/ansible/roles/mu-compliance/meta/main.yml +53 -0
- data/ansible/roles/mu-compliance/tasks/main.yml +45 -0
- data/ansible/roles/mu-compliance/tests/inventory +2 -0
- data/ansible/roles/mu-compliance/tests/test.yml +5 -0
- data/ansible/roles/mu-compliance/vars/main.yml +4 -0
- data/ansible/roles/mu-elastic/README.md +51 -0
- data/ansible/roles/mu-elastic/defaults/main.yml +2 -0
- data/ansible/roles/mu-elastic/files/jvm.options +93 -0
- data/ansible/roles/mu-elastic/handlers/main.yml +10 -0
- data/ansible/roles/mu-elastic/meta/main.yml +52 -0
- data/ansible/roles/mu-elastic/tasks/main.yml +186 -0
- data/ansible/roles/mu-elastic/templates/elasticsearch.yml.j2 +110 -0
- data/ansible/roles/mu-elastic/templates/kibana.yml.j2 +131 -0
- data/ansible/roles/mu-elastic/templates/password_set.expect.j2 +19 -0
- data/ansible/roles/mu-elastic/tests/inventory +2 -0
- data/ansible/roles/mu-elastic/tests/test.yml +5 -0
- data/ansible/roles/mu-elastic/vars/main.yml +2 -0
- data/ansible/roles/mu-logstash/README.md +51 -0
- data/ansible/roles/mu-logstash/defaults/main.yml +2 -0
- data/ansible/roles/mu-logstash/files/02-beats-input.conf +5 -0
- data/ansible/roles/mu-logstash/files/10-rails-filter.conf +16 -0
- data/ansible/roles/mu-logstash/files/jvm.options +84 -0
- data/ansible/roles/mu-logstash/files/logstash.yml +304 -0
- data/ansible/roles/mu-logstash/handlers/main.yml +20 -0
- data/ansible/roles/mu-logstash/meta/main.yml +52 -0
- data/ansible/roles/mu-logstash/tasks/main.yml +254 -0
- data/ansible/roles/mu-logstash/templates/20-cloudtrail.conf.j2 +28 -0
- data/ansible/roles/mu-logstash/templates/30-elasticsearch-output.conf.j2 +19 -0
- data/ansible/roles/mu-logstash/templates/apm-server.yml.j2 +33 -0
- data/ansible/roles/mu-logstash/templates/heartbeat.yml.j2 +29 -0
- data/ansible/roles/mu-logstash/templates/nginx/apm.conf.j2 +25 -0
- data/ansible/roles/mu-logstash/templates/nginx/default.conf.j2 +56 -0
- data/ansible/roles/mu-logstash/templates/nginx/elastic.conf.j2 +27 -0
- data/ansible/roles/mu-logstash/tests/inventory +2 -0
- data/ansible/roles/mu-logstash/tests/test.yml +5 -0
- data/ansible/roles/mu-logstash/vars/main.yml +2 -0
- data/ansible/roles/mu-rdp/README.md +33 -0
- data/ansible/roles/mu-rdp/meta/main.yml +53 -0
- data/ansible/roles/mu-rdp/tasks/main.yml +9 -0
- data/ansible/roles/mu-rdp/tests/inventory +2 -0
- data/ansible/roles/mu-rdp/tests/test.yml +5 -0
- data/ansible/roles/mu-windows/tasks/main.yml +3 -0
- data/bin/mu-ansible-secret +1 -1
- data/bin/mu-aws-setup +4 -3
- data/bin/mu-azure-setup +5 -5
- data/bin/mu-configure +25 -17
- data/bin/mu-firewall-allow-clients +1 -0
- data/bin/mu-gcp-setup +3 -3
- data/bin/mu-load-config.rb +1 -0
- data/bin/mu-node-manage +66 -33
- data/bin/mu-self-update +2 -2
- data/bin/mu-upload-chef-artifacts +6 -1
- data/bin/mu-user-manage +1 -1
- data/cloud-mu.gemspec +25 -23
- data/cookbooks/firewall/CHANGELOG.md +417 -224
- data/cookbooks/firewall/LICENSE +202 -0
- data/cookbooks/firewall/README.md +153 -126
- data/cookbooks/firewall/TODO.md +6 -0
- data/cookbooks/firewall/attributes/firewalld.rb +7 -0
- data/cookbooks/firewall/attributes/iptables.rb +3 -3
- data/cookbooks/firewall/chefignore +115 -0
- data/cookbooks/firewall/libraries/helpers.rb +5 -0
- data/cookbooks/firewall/libraries/helpers_firewalld.rb +1 -1
- data/cookbooks/firewall/libraries/helpers_firewalld_dbus.rb +72 -0
- data/cookbooks/firewall/libraries/helpers_iptables.rb +3 -3
- data/cookbooks/firewall/libraries/helpers_nftables.rb +170 -0
- data/cookbooks/firewall/libraries/helpers_ufw.rb +7 -0
- data/cookbooks/firewall/libraries/helpers_windows.rb +8 -9
- data/cookbooks/firewall/libraries/provider_firewall_firewalld.rb +9 -9
- data/cookbooks/firewall/libraries/provider_firewall_iptables.rb +7 -7
- data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu.rb +12 -8
- data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu1404.rb +13 -9
- data/cookbooks/firewall/libraries/provider_firewall_rule.rb +1 -1
- data/cookbooks/firewall/libraries/provider_firewall_ufw.rb +5 -5
- data/cookbooks/firewall/libraries/provider_firewall_windows.rb +4 -4
- data/cookbooks/firewall/libraries/resource_firewall_rule.rb +3 -3
- data/cookbooks/firewall/metadata.json +40 -1
- data/cookbooks/firewall/metadata.rb +15 -0
- data/cookbooks/firewall/recipes/default.rb +7 -7
- data/cookbooks/firewall/recipes/disable_firewall.rb +1 -1
- data/cookbooks/firewall/recipes/firewalld.rb +87 -0
- data/cookbooks/firewall/renovate.json +18 -0
- data/cookbooks/firewall/resources/firewalld.rb +28 -0
- data/cookbooks/firewall/resources/firewalld_config.rb +39 -0
- data/cookbooks/firewall/resources/firewalld_helpers.rb +106 -0
- data/cookbooks/firewall/resources/firewalld_icmptype.rb +88 -0
- data/cookbooks/firewall/resources/firewalld_ipset.rb +104 -0
- data/cookbooks/firewall/resources/firewalld_policy.rb +115 -0
- data/cookbooks/firewall/resources/firewalld_service.rb +98 -0
- data/cookbooks/firewall/resources/firewalld_zone.rb +118 -0
- data/cookbooks/firewall/resources/nftables.rb +71 -0
- data/cookbooks/firewall/resources/nftables_rule.rb +113 -0
- data/cookbooks/mu-activedirectory/Berksfile +1 -1
- data/cookbooks/mu-activedirectory/metadata.rb +1 -1
- data/cookbooks/mu-firewall/metadata.rb +2 -2
- data/cookbooks/mu-master/Berksfile +4 -3
- data/cookbooks/mu-master/attributes/default.rb +5 -2
- data/cookbooks/mu-master/files/default/check_elastic.sh +761 -0
- data/cookbooks/mu-master/files/default/check_kibana.rb +45 -0
- data/cookbooks/mu-master/libraries/mu.rb +24 -0
- data/cookbooks/mu-master/metadata.rb +5 -5
- data/cookbooks/mu-master/recipes/default.rb +31 -20
- data/cookbooks/mu-master/recipes/firewall-holes.rb +5 -0
- data/cookbooks/mu-master/recipes/init.rb +58 -19
- data/cookbooks/mu-master/recipes/update_nagios_only.rb +251 -178
- data/cookbooks/mu-master/templates/default/nagios.conf.erb +5 -11
- data/cookbooks/mu-master/templates/default/web_app.conf.erb +3 -0
- data/cookbooks/mu-php54/Berksfile +1 -1
- data/cookbooks/mu-php54/metadata.rb +2 -2
- data/cookbooks/mu-tools/Berksfile +2 -3
- data/cookbooks/mu-tools/attributes/default.rb +3 -4
- data/cookbooks/mu-tools/files/amazon/etc/bashrc +90 -0
- data/cookbooks/mu-tools/files/amazon/etc/login.defs +292 -0
- data/cookbooks/mu-tools/files/amazon/etc/profile +77 -0
- data/cookbooks/mu-tools/files/amazon/etc/security/limits.conf +63 -0
- data/cookbooks/mu-tools/files/amazon/etc/sysconfig/init +19 -0
- data/cookbooks/mu-tools/files/amazon/etc/sysctl.conf +82 -0
- data/cookbooks/mu-tools/files/amazon-2023/etc/login.defs +294 -0
- data/cookbooks/mu-tools/files/default/logrotate.conf +35 -0
- data/cookbooks/mu-tools/files/default/nrpe_conf_d.pp +0 -0
- data/cookbooks/mu-tools/libraries/helper.rb +21 -9
- data/cookbooks/mu-tools/metadata.rb +4 -4
- data/cookbooks/mu-tools/recipes/apply_security.rb +3 -2
- data/cookbooks/mu-tools/recipes/aws_api.rb +23 -5
- data/cookbooks/mu-tools/recipes/base_repositories.rb +4 -1
- data/cookbooks/mu-tools/recipes/gcloud.rb +56 -56
- data/cookbooks/mu-tools/recipes/nagios.rb +1 -1
- data/cookbooks/mu-tools/recipes/nrpe.rb +20 -2
- data/cookbooks/mu-tools/recipes/rsyslog.rb +12 -1
- data/cookbooks/mu-tools/recipes/set_local_fw.rb +1 -1
- data/data_bags/nagios_services/apm_backend_connect.json +5 -0
- data/data_bags/nagios_services/apm_listen.json +5 -0
- data/data_bags/nagios_services/elastic_shards.json +5 -0
- data/data_bags/nagios_services/logstash.json +5 -0
- data/data_bags/nagios_services/rhel7_updates.json +8 -0
- data/extras/image-generators/AWS/centos7.yaml +1 -0
- data/extras/image-generators/AWS/rhel7.yaml +21 -0
- data/extras/image-generators/AWS/win2k12r2.yaml +1 -0
- data/extras/image-generators/AWS/win2k16.yaml +1 -0
- data/extras/image-generators/AWS/win2k19.yaml +1 -0
- data/extras/list-stock-amis +0 -0
- data/extras/ruby_rpm/muby.spec +8 -5
- data/extras/vault_tools/export_vaults.sh +1 -1
- data/extras/vault_tools/recreate_vaults.sh +0 -0
- data/extras/vault_tools/test_vaults.sh +0 -0
- data/install/deprecated-bash-library.sh +1 -1
- data/install/installer +4 -2
- data/modules/mommacat.ru +3 -1
- data/modules/mu/adoption.rb +1 -1
- data/modules/mu/cloud/dnszone.rb +2 -2
- data/modules/mu/cloud/machine_images.rb +26 -25
- data/modules/mu/cloud/resource_base.rb +213 -182
- data/modules/mu/cloud/server_pool.rb +1 -1
- data/modules/mu/cloud/ssh_sessions.rb +7 -5
- data/modules/mu/cloud/wrappers.rb +2 -2
- data/modules/mu/cloud.rb +1 -1
- data/modules/mu/config/bucket.rb +1 -1
- data/modules/mu/config/function.rb +6 -1
- data/modules/mu/config/loadbalancer.rb +24 -2
- data/modules/mu/config/ref.rb +12 -0
- data/modules/mu/config/role.rb +1 -1
- data/modules/mu/config/schema_helpers.rb +42 -9
- data/modules/mu/config/server.rb +43 -27
- data/modules/mu/config/tail.rb +19 -10
- data/modules/mu/config.rb +6 -5
- data/modules/mu/defaults/AWS.yaml +78 -114
- data/modules/mu/deploy.rb +9 -2
- data/modules/mu/groomer.rb +12 -4
- data/modules/mu/groomers/ansible.rb +104 -20
- data/modules/mu/groomers/chef.rb +15 -6
- data/modules/mu/master.rb +9 -4
- data/modules/mu/mommacat/daemon.rb +4 -2
- data/modules/mu/mommacat/naming.rb +1 -2
- data/modules/mu/mommacat/storage.rb +7 -2
- data/modules/mu/mommacat.rb +33 -6
- data/modules/mu/providers/aws/database.rb +161 -8
- data/modules/mu/providers/aws/dnszone.rb +11 -6
- data/modules/mu/providers/aws/endpoint.rb +81 -6
- data/modules/mu/providers/aws/firewall_rule.rb +254 -172
- data/modules/mu/providers/aws/function.rb +65 -3
- data/modules/mu/providers/aws/loadbalancer.rb +39 -28
- data/modules/mu/providers/aws/log.rb +2 -1
- data/modules/mu/providers/aws/role.rb +25 -7
- data/modules/mu/providers/aws/server.rb +36 -12
- data/modules/mu/providers/aws/server_pool.rb +237 -127
- data/modules/mu/providers/aws/storage_pool.rb +7 -1
- data/modules/mu/providers/aws/user.rb +1 -1
- data/modules/mu/providers/aws/userdata/linux.erb +6 -2
- data/modules/mu/providers/aws/userdata/windows.erb +7 -5
- data/modules/mu/providers/aws/vpc.rb +49 -25
- data/modules/mu/providers/aws.rb +13 -8
- data/modules/mu/providers/azure/container_cluster.rb +1 -1
- data/modules/mu/providers/azure/loadbalancer.rb +2 -2
- data/modules/mu/providers/azure/server.rb +5 -2
- data/modules/mu/providers/azure/userdata/linux.erb +1 -1
- data/modules/mu/providers/azure.rb +11 -8
- data/modules/mu/providers/cloudformation/dnszone.rb +1 -1
- data/modules/mu/providers/google/container_cluster.rb +15 -2
- data/modules/mu/providers/google/folder.rb +2 -1
- data/modules/mu/providers/google/function.rb +130 -4
- data/modules/mu/providers/google/habitat.rb +2 -1
- data/modules/mu/providers/google/loadbalancer.rb +407 -160
- data/modules/mu/providers/google/role.rb +16 -3
- data/modules/mu/providers/google/server.rb +5 -1
- data/modules/mu/providers/google/user.rb +25 -18
- data/modules/mu/providers/google/userdata/linux.erb +1 -1
- data/modules/mu/providers/google/vpc.rb +53 -7
- data/modules/mu/providers/google.rb +39 -39
- data/modules/mu.rb +8 -8
- data/modules/tests/elk.yaml +46 -0
- data/test/mu-master-test/controls/all_in_one.rb +1 -1
- metadata +207 -112
- data/cookbooks/firewall/CONTRIBUTING.md +0 -2
- data/cookbooks/firewall/MAINTAINERS.md +0 -19
- data/cookbooks/firewall/libraries/matchers.rb +0 -30
- data/extras/image-generators/AWS/rhel71.yaml +0 -17
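--- /dev/null
+++ b/data/cookbooks/mu-master/files/default/check_kibana.rb
@@ -0,0 +1,45 @@
+#!/usr/local/ruby-current/bin/ruby
+
+require 'optimist'
+require 'json'
+require 'net/http'
+
+OPTS = Optimist::options do
+opt :host, "Kibana host to check", :required => true, :type => :string
+opt :username, "Kibana username", :required => false, :type => :string
+opt :password, "Kibana password", :required => false, :type => :string
+opt :port, "Port to check for Kibana", :required => false, :default => 5601, :type => :integer
+opt :basepath, "Path prefix for API requests", :required => false, :default => "", :type => :string
+end
+
+uri = "https://"+OPTS[:host]+":"+OPTS[:port].to_s+OPTS[:basepath]+"/api/status"
+req = Net::HTTP::Get.new(uri)
+if OPTS[:username] and OPTS[:password]
+req.basic_auth OPTS[:username], OPTS[:password]
+end
+begin
+Net::HTTP.start(OPTS[:host], OPTS[:port], :use_ssl => true) do |http|
+resp = JSON.parse(http.request(req).body)
+status = resp["status"]["overall"]
+output = status["nickname"]+" since "+status["since"]
+if resp["metrics"] and resp["metrics"] and resp["metrics"]["requests"]
+output += "\n"+resp["metrics"]["requests"]["total"].to_s+" requests since "+resp["metrics"]["last_updated"]
+end
+
+puts output
+if status["state"] == "green"
+exit 0
+elsif status["state"] == "yellow"
+exit 1
+else
+exit 2
+end
+end
+rescue Net::HTTPServerException, SocketError, Errno::EHOSTUNREACH, Errno::ENETUNREACH, Errno::ECONNREFUSED => e
+puts e.inspect
+exit 2
+rescue StandardError => e
+puts e.inspect
+exit 3
+end
+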
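Review bot: The HTTP status is never checked before `JSON.parse(http.request(req).body)`, and `Net::HTTPServerException` is only raised by `Net::HTTPResponse#value`, never by `http.request`, so a 401 or 503 from Kibana surfaces as a NoMethodError on `resp["status"]` and exits 3 (UNKNOWN) instead of 2 (CRITICAL); test `res.is_a?(Net::HTTPSuccess)` before parsing. The `resp["metrics"] and resp["metrics"]` test repeats itself, and `and` should be `&&` in these boolean expressions. Separately, `--password` puts the Kibana credential on the command line where every local user can read it from the process list; an NRPE plugin is safer reading it from a root-only file.
```ruby
Net::HTTP.start(OPTS[:host], OPTS[:port], :use_ssl => true) do |http|
  res = http.request(req)
  unless res.is_a?(Net::HTTPSuccess)
    puts "HTTP #{res.code} #{res.message} from #{uri}"
    exit 2
  end
  resp = JSON.parse(res.body)
  status = resp["status"]["overall"]
  # … unchanged: output assembly and exit-code selection …
```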
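--- a/data/cookbooks/mu-master/libraries/mu.rb
+++ b/data/cookbooks/mu-master/libraries/mu.rb
@@ -26,4 +26,28 @@ elsif File.readable?("/opt/mu/lib/modules/mu-load-config.rb")
 require "/opt/mu/lib/modules/mu-load-config.rb"
 end
 
+# for some reason aaws-sigv4 isn't getting picked up by Mu's requires
+require "aws-sigv4"
 require "mu"
+
+def baskets
+baskets = {}
+if Dir.exists?("/opt/mu/var/deployments")
+Dir.glob("/opt/mu/var/deployments/*/basket_of_kittens.json").each { |basket_json|
+basket_json =~ /^\/opt\/mu\/var\/deployments\/([^\/]+)\/basket_of_kittens.json$/
+baskets[Regexp.last_match[1]] = JSON.parse(File.read(basket_json))
+}
+end
+baskets
+end
+
+def deployments
+deploys = {}
+if Dir.exists?("/opt/mu/var/deployments")
+Dir.glob("/opt/mu/var/deployments/*/deployment.json").each { |dep_json|
+dep_json =~ /^\/opt\/mu\/var\/deployments\/([^\/]+)\/deployment.json$/
+deploys[Regexp.last_match[1]] = JSON.parse(File.read(dep_json))
+}
+end
+deploys
+end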
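Review bot: `Dir.exists?` in both `baskets` and `deployments` was removed in Ruby 3.2, so these helpers raise NoMethodError as soon as the library is loaded by a 3.2+ interpreter (this same release adds a ruby 3.3.5 rpm to the master); `Dir.exist?` is the drop-in replacement in both places. The regex exists only to pull the deployment id out of the glob path, and `baskets[File.basename(File.dirname(basket_json))] = JSON.parse(File.read(basket_json))` says that directly without `^`/`$` line anchors or an unchecked `Regexp.last_match`. The local `baskets` shadows the method of the same name, which reads oddly; `result` or `found` would be clearer. A one-line comment such as `# keyed by deployment id (the directory name under /opt/mu/var/deployments); a corrupt JSON file raises and fails the converge` would document the contract both helpers share.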
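--- a/data/cookbooks/mu-master/metadata.rb
+++ b/data/cookbooks/mu-master/metadata.rb
@@ -7,13 +7,13 @@ long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
 source_url 'https://github.com/cloudamatic/mu'
 issues_url 'https://github.com/cloudamatic/mu/issues'
 chef_version '>= 12.1' if respond_to?(:chef_version)
-version '0.9.
+version '0.9.9'
 
 %w( centos amazon redhat ).each do |os|
 supports os
 end
 
-depends '
+depends 'nagios'
 depends 'nrpe', '~> 2.0.3'
 depends 'mu-utility'
 depends 'mu-tools'
@@ -23,9 +23,9 @@ depends 'postfix', '~> 5.3.1'
 depends 'bind', '~> 2.2.0'
 depends 'bind9-ng', '~> 0.1.0'
 depends 'mu-firewall'
-depends 'vault-cluster', '~> 2.1.0'
-depends 'consul-cluster', '~> 2.0.0'
+#depends 'vault-cluster', '~> 2.1.0'
+#depends 'consul-cluster', '~> 2.0.0'
 depends 'chef-sugar' # undeclared dependency of consul 2.1, which can't be upgraded without creating a conflict with consul-cluster and vault-cluster -zr2d2
 depends 'hostsfile', '~> 3.0.1'
 depends 'chef-vault', '~> 3.1.1'
-depends 'apache2', '
+depends 'apache2', '~> 9.0.3'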
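--- a/data/cookbooks/mu-master/recipes/default.rb
+++ b/data/cookbooks/mu-master/recipes/default.rb
@@ -160,32 +160,33 @@ if !node['update_nagios_only']
 end
 end
 
-include_recipe "mu-master::update_nagios_only"
+include_recipe "mu-master::update_nagios_only" if !$MU_CFG['disable_nagios']
 
 if !node['update_nagios_only']
-
-
-action :install
-end
-
-package %w(nagios-plugins-mysql) do
+if !$MU_CFG['disable_nagios']
+package %w(nagios-plugins-breeze nagios-plugins-by_ssh nagios-plugins-cluster nagios-plugins-dhcp nagios-plugins-dig nagios-plugins-disk nagios-plugins-disk_smb nagios-plugins-dns nagios-plugins-dummy nagios-plugins-file_age nagios-plugins-flexlm nagios-plugins-fping nagios-plugins-game nagios-plugins-hpjd nagios-plugins-http nagios-plugins-icmp nagios-plugins-ide_smart nagios-plugins-ircd nagios-plugins-ldap nagios-plugins-load nagios-plugins-log nagios-plugins-mailq nagios-plugins-mrtg nagios-plugins-mrtgtraf nagios-plugins-nagios nagios-plugins-nt nagios-plugins-ntp nagios-plugins-ntp-perl nagios-plugins-nwstat nagios-plugins-oracle nagios-plugins-overcr nagios-plugins-pgsql nagios-plugins-ping nagios-plugins-procs nagios-plugins-real nagios-plugins-rpc nagios-plugins-sensors nagios-plugins-smtp nagios-plugins-snmp nagios-plugins-ssh nagios-plugins-swap nagios-plugins-tcp nagios-plugins-time nagios-plugins-ups nagios-plugins-users nagios-plugins-wave) do
 action :install
-
-end
+end
 
-
-
-
-
+package %w(nagios-plugins-mysql) do
+action :install
+not_if { node['platform'] == 'amazon' }
+end
 
-
-
-
-
+directory "/home/nagios" do
+owner "nagios"
+mode 0711
+end
 
-
-
-
+directory "/home/nagios/.ssh" do
+owner "nagios"
+mode 0711
+end
+
+file "/home/nagios/.ssh/config" do
+owner "nagios"
+mode 0600
+end
 end
 
 execute "dhclient-script" do
@@ -220,6 +221,7 @@ if !node['update_nagios_only']
 apache2_install "" do
 docroot_dir "/var/www/html"
 modules %w{status alias auth_basic authn_core authn_file authz_core authz_groupfile authz_host authz_user autoindex deflate dir env mime negotiation setenvif log_config logio unixd systemd headers proxy proxy_http rewrite ssl ldap authnz_ldap slotmem_shm}
+listen [80, 443, 8443]
 end
 package "mod_ldap"
 
@@ -229,7 +231,12 @@ if !node['update_nagios_only']
 apache2_mod_cgid ""
 apache2_mod_ssl ""
 
+link "/usr/lib64/httpd/modules/mod_php5.so" do
+to "/usr/lib64/httpd/modules/libphp5.so"
+end
 apache2_mod "php"
+apache2_module "php5"
+apache2_module "cgi"
 apache2_default_site "" do
 action :enable
 notifies :start, "service[apache2]", :delayed
@@ -414,6 +421,10 @@ if !node['update_nagios_only']
 "
 end
 
+execute "chcon -R -h -t var_log_t /Mu_Logs" do
+not_if "ls -aZ /Mu_Logs | grep ':var_log_t'"
+end
+
 # XXX this will catch the occasional 4am groom. Need a way to graceful-restart momma.
 file "/etc/logrotate.d/Mu_momma_cat" do
 content "/var/log/mu-momma-cat.log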
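Review bot: In hunk `@@ -414,6 +421,10 @@`, `chcon` only rewrites the label on the inodes it touches, so the next `restorecon` or filesystem relabel returns /Mu_Logs to its policy default, and the `not_if` is satisfied as soon as any single entry in `ls -aZ /Mu_Logs` carries `var_log_t` (the directory itself, once labelled), so a tree that is only partly labelled is never revisited. The persistent form records the context in policy and then applies it: `execute "semanage fcontext -a -t var_log_t '/Mu_Logs(/.*)?'"` guarded by `not_if "semanage fcontext -l | grep -q '^/Mu_Logs'"`, followed by an unguarded `execute "restorecon -R /Mu_Logs"`, which is idempotent. On a host with SELinux disabled the listing shows no contexts, the guard fails open and `chcon` is likely to error out and abort the converge, so an `only_if "selinuxenabled"` on the resource is worth adding. The enclosing `if !node['update_nagios_only']` block starts and ends outside the hunk.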
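--- a/data/cookbooks/mu-master/recipes/firewall-holes.rb
+++ b/data/cookbooks/mu-master/recipes/firewall-holes.rb
@@ -23,6 +23,11 @@ firewall_rule "MU Master default ports" do
 port [MU.mommaCatPort, 7443, 8443, 9443, 10514, 443, 80, 25]
 end
 
+firewall_rule "Logstash port" do
+port [5044]
+source "10.0.0.0/8"
+end
+
 local_chef_ports = [4321, 9463, 9583, 16379, 8983, 8000, 9680, 9683, 9090, 5432]
 firewall_rule "Chef Server ports on 127.0.0.1" do
 port local_chef_ports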
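Review bot: `source "10.0.0.0/8"` on the Logstash rule hard-codes a single RFC 1918 block, so Beats shippers in a 172.16/12 or 192.168/16 VPC are silently refused while every 10/8 address, including anything reachable over peering, is admitted; the deployment's own VPC CIDR is the value this should be derived from, the way the neighbouring rules derive `MU.mommaCatPort`. The rule also relies on the firewall cookbook's default protocol, so an explicit `protocol :tcp` would make the intent visible. Since the "MU Master default ports" rule above has no `source` at all, a one-line comment stating why 5044 alone is source-restricted would save the next reader from guessing.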
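--- a/data/cookbooks/mu-master/recipes/init.rb
+++ b/data/cookbooks/mu-master/recipes/init.rb
@@ -22,6 +22,8 @@
 # references to other cookbooks, no include_recipes, no cookbook_files, no
 # templates.
 
+chef_gem "aws-sigv4"
+
 require 'etc'
 require 'open-uri'
 require 'socket'
@@ -35,8 +37,8 @@ ENV['PATH'] = ENV['PATH']+":/bin:/opt/opscode/embedded/bin"
 
 # XXX We want to be able to override these things when invoked from chef-apply,
 # but, like, how?
-CHEF_SERVER_VERSION="14.
-CHEF_CLIENT_VERSION="
+CHEF_SERVER_VERSION="14.11.31-1"
+CHEF_CLIENT_VERSION="18.5.0"
 KNIFE_WINDOWS="1.9.0"
 MU_BASE="/opt/mu"
 
@@ -227,7 +229,13 @@ when 'amazon'
 when '2'
 basepackages.concat(['libX11', 'mariadb-devel', 'cryptsetup', 'ncurses-devel', 'ncurses-compat-libs', 'iptables-services'])
 removepackages = ['nagios', 'firewalld']
-elversion = '7'
+elversion = '7'
+
+when '2023'
+basepackages.concat(['libX11', 'mariadb105-devel', 'cryptsetup', 'ncurses-devel', 'ncurses-compat-libs', 'iptables-services', 'libxcrypt-compat', 'ruby'])
+basepackages.delete('curl')
+removepackages = ['nagios', 'firewalld']
+elversion = '7'
 
 else
 raise "Mu Masters on Amazon-family hosts must be equivalent to Amazon Linux 1 or 2 (got #{node['platform_version'].split('.')[0]})"
@@ -237,18 +245,27 @@ else
 end
 
 rpms = {
-"epel-release" => "http://dl.fedoraproject.org/pub/epel/epel-release-latest-#{elversion}.noarch.rpm",
 "chef-server-core" => "https://packages.chef.io/files/stable/chef-server/#{CHEF_SERVER_VERSION.sub(/\-\d+$/, "")}/el/#{elversion}/chef-server-core-#{CHEF_SERVER_VERSION}.el#{elversion}.x86_64.rpm"
 }
 
-
-
-rpms["openssl"] = "https://s3.amazonaws.com/cloudamatic/mussl-1.1.1h-1.el6.x86_64.rpm"
-rpms["sqlite"] = "https://s3.amazonaws.com/cloudamatic/muqlite-3.33-1.el6.x86_64.rpm"
+unless node['platform_family'] == "amazon"
+rpms["epel-release"] = "http://dl.fedoraproject.org/pub/epel/epel-release-latest-#{elversion}.noarch.rpm"
 end
-
-
+
+shorthand = "el"
+shorthand = "amzn" if node['platform_family'] == "amazon"
+
+rpms["ruby33"] = "https://s3.amazonaws.com/icras-ruby/muby-3.3.5-1.#{shorthand}#{node['platform_version'].split('.')[0]}.x86_64.rpm"
+unless node['platform_family'] == "amazon"
+if elversion.to_i == 6
+rpms["openssl"] = "https://s3.amazonaws.com/cloudamatic/mussl-1.1.1h-1.el6.x86_64.rpm"
+rpms["sqlite"] = "https://s3.amazonaws.com/cloudamatic/muqlite-3.33-1.el6.x86_64.rpm"
+end
+if elversion.to_i == 7
+rpms["mugit"] = "https://s3.amazonaws.com/cloudamatic/mugit-2.30.0-1.el7.x86_64.rpm"
+end
 end
+
 # this takes up a huge amount of space, save it until we're fully operational
 if !RUNNING_STANDALONE
 rpms["python38"] = "https://s3.amazonaws.com/cloudamatic/muthon-3.8.3-1.el#{elversion}.x86_64.rpm"
@@ -354,7 +371,7 @@ end
 rpms.each_pair { |pkg, src|
 rpm_package pkg do
 source src
-if pkg == "
+if pkg == "ruby33"
 options '--prefix=/opt/rubies/'
 end
 if pkg == "epel-release"
@@ -376,6 +393,21 @@ rpms.each_pair { |pkg, src|
 end
 }
 
+execute "/sbin/ldconfig" do
+action :nothing
+end
+
+["/opt/rubies/ruby-3.3.5/lib/pkgconfig/ruby-3.3.pc", "/opt/rubies/ruby-3.3.5/lib/ruby/3.3.0/x86_64-linux/rbconfig.rb"].each { |f|
+execute "scrub rpmbuild cruft from #{f}" do
+command "sed -i 's/-Wl,-dT,\\/root\\/rpmbuild\\/BUILD\\/.package_note-muby-3.3.5-1.amzn2023.x86_64.ld//' #{f}"
+end
+}
+
+file "/etc/ld.so.conf.d/muby.conf" do
+content "/usr/local/ruby-current/lib\n"
+notifies :run, "execute[/sbin/ldconfig]", :immediately
+end
+
 package ["jq"] do
 ignore_failure true # sometimes we can't see EPEL immediately
 end
@@ -473,7 +505,7 @@ gemfile_dir = if RUNNING_STANDALONE and !File.readlines("/etc/mtab").grep(/\s\/o
 end
 }
 dmiout = shell_out!(%Q{PATH=/sbin:/usr/sbin:/bin:/usr/bin dmidecode})
-if dmiout.match(/Google/)
+if dmiout.stdout.match(/Google/)
 exclude_gems.delete("google-api-client")
 end
 
@@ -569,14 +601,14 @@ end
 
 # Get a 'mu' Chef org in place and populate it with artifacts
 directory "/root/.chef"
-execute "knife ssl fetch" do
+execute "env -i HOME=/root:PATH=/opt/chef/embedded/bin:/bin:/usr/bin /opt/chef/embedded/bin/knife ssl fetch" do
 action :nothing
 end
 execute "initial Chef artifact upload" do
 command "MU_INSTALLDIR=#{MU_BASE} MU_LIBDIR=#{MU_BASE}/lib MU_DATADIR=#{MU_BASE}/var #{MU_BASE}/lib/bin/mu-upload-chef-artifacts"
 action :nothing
 notifies :stop, "service[iptables]", :before
-notifies :run, "execute[knife ssl fetch]", :before
+notifies :run, "execute[env -i knife ssl fetch]", :before
 if !RUNNING_STANDALONE
 notifies :start, "service[iptables]", :immediately
 end
@@ -587,11 +619,13 @@ chef_gem "simple-password-gen" do
 end
 require "simple-password-gen"
 
-# XXX this would make an awesome library
 execute "create mu Chef user" do
 command "/opt/opscode/bin/chef-server-ctl user-create mu Mu Master root@example.com #{Password.pronounceable} -f #{MU_BASE}/var/users/mu/mu.user.key"
 umask "0277"
 not_if "/opt/opscode/bin/chef-server-ctl user-list | grep '^mu$'"
+if !File.exist?("/etc/opscode/pivotal.rb")
+notifies :run, "execute[reconfigure Chef server]", :immediately
+end
 notifies :start, "service[chef-server]", :before
 end
 execute "create mu Chef org" do
@@ -679,12 +713,12 @@ knife_cfg = "-c /root/.chef/knife.rb"
 execute "create MU-MASTER Chef client" do
 # XXX I dislike --ssh-verify-host-key=never intensely, but the CLI-documented 'accept_new' doesn't actually work
 if SSH_USER == "root"
-command "/opt/chef/bin/knife bootstrap #{knife_cfg} -N MU-MASTER --no-node-verify-api-cert --node-ssl-verify-mode=none -U #{SSH_USER} --ssh-identity-file=/root/.ssh/id_rsa --ssh-verify-host-key=never 127.0.0.1"
+command "PATH='/opt/chef/bin:/opt/chef/embedded/bin' knife bootstrap #{knife_cfg} -N MU-MASTER --no-node-verify-api-cert --node-ssl-verify-mode=none -U #{SSH_USER} --ssh-identity-file=/root/.ssh/id_rsa --ssh-verify-host-key=never 127.0.0.1"
 else
-command "/opt/chef/bin/knife bootstrap #{knife_cfg} -N MU-MASTER --no-node-verify-api-cert --node-ssl-verify-mode=none -U #{SSH_USER} --ssh-identity-file=/root/.ssh/id_rsa --ssh-verify-host-key=never --sudo 127.0.0.1"
+command "PATH='/opt/chef/bin:/opt/chef/embedded/bin' knife bootstrap #{knife_cfg} -N MU-MASTER --no-node-verify-api-cert --node-ssl-verify-mode=none -U #{SSH_USER} --ssh-identity-file=/root/.ssh/id_rsa --ssh-verify-host-key=never --sudo 127.0.0.1"
 end
-only_if "/opt/chef/bin/knife node #{knife_cfg} list" # don't do crazy stuff just because knife isn't working
-not_if "/opt/chef/bin/knife node #{knife_cfg} list | grep '^MU-MASTER$'"
+only_if "PATH='/opt/chef/bin:/opt/chef/embedded/bin' knife node #{knife_cfg} list" # don't do crazy stuff just because knife isn't working
+not_if "PATH='/opt/chef/bin:/opt/chef/embedded/bin' knife node #{knife_cfg} list | grep '^MU-MASTER$'"
 notifies :run, "execute[add localhost key to authorized_keys]", :before
 notifies :delete, "file[/etc/chef/client.rb]", :before
 notifies :delete, "file[/etc/chef/client.pem]", :before
@@ -719,6 +753,11 @@ bash "fix misc permissions" do
 EOH
 end
 
+# https://github.com/chef/chef-server/issues/3109#issuecomment-1022084825
+execute "ensure Chef indexes aren't read-only" do
+command %Q{curl -XPUT -H "Content-Type: application/json" http://127.0.0.1:9200/_all/_settings -d '{"index.blocks.read_only_allow_delete": null}'}
+end
+
 directory TMPDIR do
 action :delete
 recursive true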
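Review bot: In hunk `@@ -569,14 +601,14 @@`, the renamed resource is `execute "env -i HOME=/root:PATH=/opt/chef/embedded/bin:/bin:/usr/bin /opt/chef/embedded/bin/knife ssl fetch"` but the upload resource notifies `execute[env -i knife ssl fetch]`, a name no resource declares, so Chef should refuse the run with a resource-not-found error when it resolves notifications. The command itself separates its assignments with `:` where `env` expects a space, so HOME becomes `/root:PATH=/opt/chef/embedded/bin:/bin:/usr/bin` and PATH is left unset, which sends knife looking for `~/.chef` under a directory that does not exist. Keep the short resource name and move the command into the body: `execute "knife ssl fetch" do` / `command "env -i HOME=/root PATH=/opt/chef/embedded/bin:/bin:/usr/bin /opt/chef/embedded/bin/knife ssl fetch"` / `action :nothing`, and restore the original `notifies :run, "execute[knife ssl fetch]", :before`. A one-line comment explaining why the environment is scrubbed for this one knife call would also help, since the bootstrap commands later in the file only override PATH.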