cloud-mu 3.5.0 → 3.6.3
- checksums.yaml +4 -4
- data/Berksfile +5 -2
- data/Berksfile.lock +135 -0
- data/ansible/roles/mu-base/README.md +33 -0
- data/ansible/roles/mu-base/defaults/main.yml +2 -0
- data/ansible/roles/mu-base/files/check_apm.cfg +1 -0
- data/ansible/roles/mu-base/files/check_apm.sh +18 -0
- data/ansible/roles/mu-base/files/check_disk.cfg +1 -0
- data/ansible/roles/mu-base/files/check_elastic_shards.cfg +1 -0
- data/ansible/roles/mu-base/files/check_elastic_shards.sh +12 -0
- data/ansible/roles/mu-base/files/check_logstash.cfg +1 -0
- data/ansible/roles/mu-base/files/check_logstash.sh +14 -0
- data/ansible/roles/mu-base/files/check_mem.cfg +1 -0
- data/ansible/roles/mu-base/files/check_updates.cfg +1 -0
- data/ansible/roles/mu-base/files/logrotate.conf +35 -0
- data/ansible/roles/mu-base/files/nrpe-apm-sudo +1 -0
- data/ansible/roles/mu-base/files/nrpe-elasticshards-sudo +2 -0
- data/ansible/roles/mu-base/handlers/main.yml +5 -0
- data/ansible/roles/mu-base/meta/main.yml +53 -0
- data/ansible/roles/mu-base/tasks/main.yml +113 -0
- data/ansible/roles/mu-base/templates/nrpe.cfg.j2 +231 -0
- data/ansible/roles/mu-base/tests/inventory +2 -0
- data/ansible/roles/mu-base/tests/test.yml +5 -0
- data/ansible/roles/mu-base/vars/main.yml +1 -0
- data/ansible/roles/mu-compliance/README.md +33 -0
- data/ansible/roles/mu-compliance/defaults/main.yml +2 -0
- data/ansible/roles/mu-compliance/files/U_MS_Windows_Server_2016_V2R1_STIG_SCAP_1-2_Benchmark.xml +15674 -0
- data/ansible/roles/mu-compliance/files/U_MS_Windows_Server_2019_V2R1_STIG_SCAP_1-2_Benchmark.xml +17553 -0
- data/ansible/roles/mu-compliance/handlers/main.yml +2 -0
- data/ansible/roles/mu-compliance/meta/main.yml +53 -0
- data/ansible/roles/mu-compliance/tasks/main.yml +45 -0
- data/ansible/roles/mu-compliance/tests/inventory +2 -0
- data/ansible/roles/mu-compliance/tests/test.yml +5 -0
- data/ansible/roles/mu-compliance/vars/main.yml +4 -0
- data/ansible/roles/mu-elastic/README.md +51 -0
- data/ansible/roles/mu-elastic/defaults/main.yml +2 -0
- data/ansible/roles/mu-elastic/files/jvm.options +93 -0
- data/ansible/roles/mu-elastic/handlers/main.yml +10 -0
- data/ansible/roles/mu-elastic/meta/main.yml +52 -0
- data/ansible/roles/mu-elastic/tasks/main.yml +186 -0
- data/ansible/roles/mu-elastic/templates/elasticsearch.yml.j2 +110 -0
- data/ansible/roles/mu-elastic/templates/kibana.yml.j2 +131 -0
- data/ansible/roles/mu-elastic/templates/password_set.expect.j2 +19 -0
- data/ansible/roles/mu-elastic/tests/inventory +2 -0
- data/ansible/roles/mu-elastic/tests/test.yml +5 -0
- data/ansible/roles/mu-elastic/vars/main.yml +2 -0
- data/ansible/roles/mu-logstash/README.md +51 -0
- data/ansible/roles/mu-logstash/defaults/main.yml +2 -0
- data/ansible/roles/mu-logstash/files/02-beats-input.conf +5 -0
- data/ansible/roles/mu-logstash/files/10-rails-filter.conf +16 -0
- data/ansible/roles/mu-logstash/files/jvm.options +84 -0
- data/ansible/roles/mu-logstash/files/logstash.yml +304 -0
- data/ansible/roles/mu-logstash/handlers/main.yml +20 -0
- data/ansible/roles/mu-logstash/meta/main.yml +52 -0
- data/ansible/roles/mu-logstash/tasks/main.yml +254 -0
- data/ansible/roles/mu-logstash/templates/20-cloudtrail.conf.j2 +28 -0
- data/ansible/roles/mu-logstash/templates/30-elasticsearch-output.conf.j2 +19 -0
- data/ansible/roles/mu-logstash/templates/apm-server.yml.j2 +33 -0
- data/ansible/roles/mu-logstash/templates/heartbeat.yml.j2 +29 -0
- data/ansible/roles/mu-logstash/templates/nginx/apm.conf.j2 +25 -0
- data/ansible/roles/mu-logstash/templates/nginx/default.conf.j2 +56 -0
- data/ansible/roles/mu-logstash/templates/nginx/elastic.conf.j2 +27 -0
- data/ansible/roles/mu-logstash/tests/inventory +2 -0
- data/ansible/roles/mu-logstash/tests/test.yml +5 -0
- data/ansible/roles/mu-logstash/vars/main.yml +2 -0
- data/ansible/roles/mu-rdp/README.md +33 -0
- data/ansible/roles/mu-rdp/meta/main.yml +53 -0
- data/ansible/roles/mu-rdp/tasks/main.yml +9 -0
- data/ansible/roles/mu-rdp/tests/inventory +2 -0
- data/ansible/roles/mu-rdp/tests/test.yml +5 -0
- data/ansible/roles/mu-windows/tasks/main.yml +3 -0
- data/bin/mu-ansible-secret +1 -1
- data/bin/mu-aws-setup +4 -3
- data/bin/mu-azure-setup +5 -5
- data/bin/mu-configure +25 -17
- data/bin/mu-firewall-allow-clients +1 -0
- data/bin/mu-gcp-setup +3 -3
- data/bin/mu-load-config.rb +1 -0
- data/bin/mu-node-manage +66 -33
- data/bin/mu-self-update +2 -2
- data/bin/mu-upload-chef-artifacts +6 -1
- data/bin/mu-user-manage +1 -1
- data/cloud-mu.gemspec +25 -23
- data/cookbooks/firewall/CHANGELOG.md +417 -224
- data/cookbooks/firewall/LICENSE +202 -0
- data/cookbooks/firewall/README.md +153 -126
- data/cookbooks/firewall/TODO.md +6 -0
- data/cookbooks/firewall/attributes/firewalld.rb +7 -0
- data/cookbooks/firewall/attributes/iptables.rb +3 -3
- data/cookbooks/firewall/chefignore +115 -0
- data/cookbooks/firewall/libraries/helpers.rb +5 -0
- data/cookbooks/firewall/libraries/helpers_firewalld.rb +1 -1
- data/cookbooks/firewall/libraries/helpers_firewalld_dbus.rb +72 -0
- data/cookbooks/firewall/libraries/helpers_iptables.rb +3 -3
- data/cookbooks/firewall/libraries/helpers_nftables.rb +170 -0
- data/cookbooks/firewall/libraries/helpers_ufw.rb +7 -0
- data/cookbooks/firewall/libraries/helpers_windows.rb +8 -9
- data/cookbooks/firewall/libraries/provider_firewall_firewalld.rb +9 -9
- data/cookbooks/firewall/libraries/provider_firewall_iptables.rb +7 -7
- data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu.rb +12 -8
- data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu1404.rb +13 -9
- data/cookbooks/firewall/libraries/provider_firewall_rule.rb +1 -1
- data/cookbooks/firewall/libraries/provider_firewall_ufw.rb +5 -5
- data/cookbooks/firewall/libraries/provider_firewall_windows.rb +4 -4
- data/cookbooks/firewall/libraries/resource_firewall_rule.rb +3 -3
- data/cookbooks/firewall/metadata.json +40 -1
- data/cookbooks/firewall/metadata.rb +15 -0
- data/cookbooks/firewall/recipes/default.rb +7 -7
- data/cookbooks/firewall/recipes/disable_firewall.rb +1 -1
- data/cookbooks/firewall/recipes/firewalld.rb +87 -0
- data/cookbooks/firewall/renovate.json +18 -0
- data/cookbooks/firewall/resources/firewalld.rb +28 -0
- data/cookbooks/firewall/resources/firewalld_config.rb +39 -0
- data/cookbooks/firewall/resources/firewalld_helpers.rb +106 -0
- data/cookbooks/firewall/resources/firewalld_icmptype.rb +88 -0
- data/cookbooks/firewall/resources/firewalld_ipset.rb +104 -0
- data/cookbooks/firewall/resources/firewalld_policy.rb +115 -0
- data/cookbooks/firewall/resources/firewalld_service.rb +98 -0
- data/cookbooks/firewall/resources/firewalld_zone.rb +118 -0
- data/cookbooks/firewall/resources/nftables.rb +71 -0
- data/cookbooks/firewall/resources/nftables_rule.rb +113 -0
- data/cookbooks/mu-activedirectory/Berksfile +1 -1
- data/cookbooks/mu-activedirectory/metadata.rb +1 -1
- data/cookbooks/mu-firewall/metadata.rb +2 -2
- data/cookbooks/mu-master/Berksfile +4 -3
- data/cookbooks/mu-master/attributes/default.rb +5 -2
- data/cookbooks/mu-master/files/default/check_elastic.sh +761 -0
- data/cookbooks/mu-master/files/default/check_kibana.rb +45 -0
- data/cookbooks/mu-master/libraries/mu.rb +24 -0
- data/cookbooks/mu-master/metadata.rb +5 -5
- data/cookbooks/mu-master/recipes/default.rb +31 -20
- data/cookbooks/mu-master/recipes/firewall-holes.rb +5 -0
- data/cookbooks/mu-master/recipes/init.rb +58 -19
- data/cookbooks/mu-master/recipes/update_nagios_only.rb +251 -178
- data/cookbooks/mu-master/templates/default/nagios.conf.erb +5 -11
- data/cookbooks/mu-master/templates/default/web_app.conf.erb +3 -0
- data/cookbooks/mu-php54/Berksfile +1 -1
- data/cookbooks/mu-php54/metadata.rb +2 -2
- data/cookbooks/mu-tools/Berksfile +2 -3
- data/cookbooks/mu-tools/attributes/default.rb +3 -4
- data/cookbooks/mu-tools/files/amazon/etc/bashrc +90 -0
- data/cookbooks/mu-tools/files/amazon/etc/login.defs +292 -0
- data/cookbooks/mu-tools/files/amazon/etc/profile +77 -0
- data/cookbooks/mu-tools/files/amazon/etc/security/limits.conf +63 -0
- data/cookbooks/mu-tools/files/amazon/etc/sysconfig/init +19 -0
- data/cookbooks/mu-tools/files/amazon/etc/sysctl.conf +82 -0
- data/cookbooks/mu-tools/files/amazon-2023/etc/login.defs +294 -0
- data/cookbooks/mu-tools/files/default/logrotate.conf +35 -0
- data/cookbooks/mu-tools/files/default/nrpe_conf_d.pp +0 -0
- data/cookbooks/mu-tools/libraries/helper.rb +21 -9
- data/cookbooks/mu-tools/metadata.rb +4 -4
- data/cookbooks/mu-tools/recipes/apply_security.rb +3 -2
- data/cookbooks/mu-tools/recipes/aws_api.rb +23 -5
- data/cookbooks/mu-tools/recipes/base_repositories.rb +4 -1
- data/cookbooks/mu-tools/recipes/gcloud.rb +56 -56
- data/cookbooks/mu-tools/recipes/nagios.rb +1 -1
- data/cookbooks/mu-tools/recipes/nrpe.rb +20 -2
- data/cookbooks/mu-tools/recipes/rsyslog.rb +12 -1
- data/cookbooks/mu-tools/recipes/set_local_fw.rb +1 -1
- data/data_bags/nagios_services/apm_backend_connect.json +5 -0
- data/data_bags/nagios_services/apm_listen.json +5 -0
- data/data_bags/nagios_services/elastic_shards.json +5 -0
- data/data_bags/nagios_services/logstash.json +5 -0
- data/data_bags/nagios_services/rhel7_updates.json +8 -0
- data/extras/image-generators/AWS/centos7.yaml +1 -0
- data/extras/image-generators/AWS/rhel7.yaml +21 -0
- data/extras/image-generators/AWS/win2k12r2.yaml +1 -0
- data/extras/image-generators/AWS/win2k16.yaml +1 -0
- data/extras/image-generators/AWS/win2k19.yaml +1 -0
- data/extras/list-stock-amis +0 -0
- data/extras/ruby_rpm/muby.spec +8 -5
- data/extras/vault_tools/export_vaults.sh +1 -1
- data/extras/vault_tools/recreate_vaults.sh +0 -0
- data/extras/vault_tools/test_vaults.sh +0 -0
- data/install/deprecated-bash-library.sh +1 -1
- data/install/installer +4 -2
- data/modules/mommacat.ru +3 -1
- data/modules/mu/adoption.rb +1 -1
- data/modules/mu/cloud/dnszone.rb +2 -2
- data/modules/mu/cloud/machine_images.rb +26 -25
- data/modules/mu/cloud/resource_base.rb +213 -182
- data/modules/mu/cloud/server_pool.rb +1 -1
- data/modules/mu/cloud/ssh_sessions.rb +7 -5
- data/modules/mu/cloud/wrappers.rb +2 -2
- data/modules/mu/cloud.rb +1 -1
- data/modules/mu/config/bucket.rb +1 -1
- data/modules/mu/config/function.rb +6 -1
- data/modules/mu/config/loadbalancer.rb +24 -2
- data/modules/mu/config/ref.rb +12 -0
- data/modules/mu/config/role.rb +1 -1
- data/modules/mu/config/schema_helpers.rb +42 -9
- data/modules/mu/config/server.rb +43 -27
- data/modules/mu/config/tail.rb +19 -10
- data/modules/mu/config.rb +6 -5
- data/modules/mu/defaults/AWS.yaml +78 -114
- data/modules/mu/deploy.rb +9 -2
- data/modules/mu/groomer.rb +12 -4
- data/modules/mu/groomers/ansible.rb +104 -20
- data/modules/mu/groomers/chef.rb +15 -6
- data/modules/mu/master.rb +9 -4
- data/modules/mu/mommacat/daemon.rb +4 -2
- data/modules/mu/mommacat/naming.rb +1 -2
- data/modules/mu/mommacat/storage.rb +7 -2
- data/modules/mu/mommacat.rb +33 -6
- data/modules/mu/providers/aws/database.rb +161 -8
- data/modules/mu/providers/aws/dnszone.rb +11 -6
- data/modules/mu/providers/aws/endpoint.rb +81 -6
- data/modules/mu/providers/aws/firewall_rule.rb +254 -172
- data/modules/mu/providers/aws/function.rb +65 -3
- data/modules/mu/providers/aws/loadbalancer.rb +39 -28
- data/modules/mu/providers/aws/log.rb +2 -1
- data/modules/mu/providers/aws/role.rb +25 -7
- data/modules/mu/providers/aws/server.rb +36 -12
- data/modules/mu/providers/aws/server_pool.rb +237 -127
- data/modules/mu/providers/aws/storage_pool.rb +7 -1
- data/modules/mu/providers/aws/user.rb +1 -1
- data/modules/mu/providers/aws/userdata/linux.erb +6 -2
- data/modules/mu/providers/aws/userdata/windows.erb +7 -5
- data/modules/mu/providers/aws/vpc.rb +49 -25
- data/modules/mu/providers/aws.rb +13 -8
- data/modules/mu/providers/azure/container_cluster.rb +1 -1
- data/modules/mu/providers/azure/loadbalancer.rb +2 -2
- data/modules/mu/providers/azure/server.rb +5 -2
- data/modules/mu/providers/azure/userdata/linux.erb +1 -1
- data/modules/mu/providers/azure.rb +11 -8
- data/modules/mu/providers/cloudformation/dnszone.rb +1 -1
- data/modules/mu/providers/google/container_cluster.rb +15 -2
- data/modules/mu/providers/google/folder.rb +2 -1
- data/modules/mu/providers/google/function.rb +130 -4
- data/modules/mu/providers/google/habitat.rb +2 -1
- data/modules/mu/providers/google/loadbalancer.rb +407 -160
- data/modules/mu/providers/google/role.rb +16 -3
- data/modules/mu/providers/google/server.rb +5 -1
- data/modules/mu/providers/google/user.rb +25 -18
- data/modules/mu/providers/google/userdata/linux.erb +1 -1
- data/modules/mu/providers/google/vpc.rb +53 -7
- data/modules/mu/providers/google.rb +39 -39
- data/modules/mu.rb +8 -8
- data/modules/tests/elk.yaml +46 -0
- data/test/mu-master-test/controls/all_in_one.rb +1 -1
- metadata +207 -112
- data/cookbooks/firewall/CONTRIBUTING.md +0 -2
- data/cookbooks/firewall/MAINTAINERS.md +0 -19
- data/cookbooks/firewall/libraries/matchers.rb +0 -30
- data/extras/image-generators/AWS/rhel71.yaml +0 -17
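--- a/data/cookbooks/mu-tools/files/amazon-2023/etc/login.defs
+++ b/data/cookbooks/mu-tools/files/amazon-2023/etc/login.defs
@@ -0,0 +1,294 @@
+# Please note that the parameters in this configuration file control the
+# tools uses the PAM mechanism, and the utilities that use PAM (such as the
+# passwd command) should therefore be configured elsewhere. Refer to
+# /etc/pam.d/system-auth for more information.
+#
+
+#
+# Delay in seconds before being allowed another attempt after a login failure
+# Note: When PAM is used, some modules may enforce a minimum delay (e.g.
+# pam_unix(8) enforces a 2s delay)
+#
+#FAIL_DELAY 3
+
+# Currently FAILLOG_ENAB is not supported
+
+#
+# Enable display of unknown usernames when login(1) failures are recorded.
+#
+#LOG_UNKFAIL_ENAB no
+
+# Currently LOG_OK_LOGINS is not supported
+
+# Currently LASTLOG_ENAB is not supported
+
+#
+# Limit the highest user ID number for which the lastlog entries should
+# be updated.
+#
+# No LASTLOG_UID_MAX means that there is no user ID limit for writing
+# lastlog entries.
+#
+#LASTLOG_UID_MAX
+
+# Currently MAIL_CHECK_ENAB is not supported
+
+# Currently OBSCURE_CHECKS_ENAB is not supported
+
+# Currently PORTTIME_CHECKS_ENAB is not supported
+
+# Currently QUOTAS_ENAB is not supported
+
+# Currently SYSLOG_SU_ENAB is not supported
+
+#
+# Enable "syslog" logging of newgrp(1) and sg(1) activity.
+#
+#SYSLOG_SG_ENAB yes
+
+# Currently CONSOLE is not supported
+
+# Currently SULOG_FILE is not supported
+
+# Currently MOTD_FILE is not supported
+
+# Currently ISSUE_FILE is not supported
+
+# Currently TTYTYPE_FILE is not supported
+
+# Currently FTMP_FILE is not supported
+
+# Currently NOLOGINS_FILE is not supported
+
+# Currently SU_NAME is not supported
+
+# *REQUIRED*
+# Directory where mailboxes reside, _or_ name of file, relative to the
+# home directory. If you _do_ define both, MAIL_DIR takes precedence.
+#
+MAIL_DIR /var/spool/mail
+#MAIL_FILE .mail
+
+#
+# If defined, file which inhibits all the usual chatter during the login
+# sequence. If a full pathname, then hushed mode will be enabled if the
+# user's name or shell are found in the file. If not a full pathname, then
+# hushed mode will be enabled if the file exists in the user's home directory.
+#
+#HUSHLOGIN_FILE .hushlogin
+#HUSHLOGIN_FILE /etc/hushlogins
+
+# Currently ENV_TZ is not supported
+
+# Currently ENV_HZ is not supported
+
+#
+# The default PATH settings, for superuser and normal users.
+#
+# (they are minimal, add the rest in the shell startup files)
+#ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin
+#ENV_PATH PATH=/bin:/usr/bin
+
+#
+# Terminal permissions
+#
+# TTYGROUP Login tty will be assigned this group ownership.
+# TTYPERM Login tty will be set to this permission.
+#
+# If you have a write(1) program which is "setgid" to a special group
+# which owns the terminals, define TTYGROUP as the number of such group
+# and TTYPERM as 0620. Otherwise leave TTYGROUP commented out and
+# set TTYPERM to either 622 or 600.
+#
+#TTYGROUP tty
+#TTYPERM 0600
+
+# Currently ERASECHAR, KILLCHAR and ULIMIT are not supported
+
+# Default initial "umask" value used by login(1) on non-PAM enabled systems.
+# Default "umask" value for pam_umask(8) on PAM enabled systems.
+# UMASK is also used by useradd(8) and newusers(8) to set the mode for new
+# home directories if HOME_MODE is not set.
+# 022 is the default value, but 027, or even 077, could be considered
+# for increased privacy. There is no One True Answer here: each sysadmin
+# must make up their mind.
+UMASK 077
+
+# HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
+# home directories.
+# If HOME_MODE is not set, the value of UMASK is used to create the mode.
+HOME_MODE 0700
+
+# Password aging controls:
+#
+# PASS_MAX_DAYS Maximum number of days a password may be used.
+# PASS_MIN_DAYS Minimum number of days allowed between password changes.
+# PASS_MIN_LEN Minimum acceptable password length.
+# PASS_WARN_AGE Number of days warning given before a password expires.
+#
+PASS_MAX_DAYS 90
+PASS_MIN_DAYS 7
+PASS_MIN_LEN 12
+PASS_WARN_AGE 14
+
+# Currently PASS_MIN_LEN is not supported
+
+# Currently SU_WHEEL_ONLY is not supported
+
+# Currently CRACKLIB_DICTPATH is not supported
+
+#
+# Min/max values for automatic uid selection in useradd(8)
+#
+UID_MIN 1000
+UID_MAX 60000
+# System accounts
+SYS_UID_MIN 201
+SYS_UID_MAX 999
+# Extra per user uids
+SUB_UID_MIN 100000
+SUB_UID_MAX 600100000
+SUB_UID_COUNT 65536
+
+#
+# Min/max values for automatic gid selection in groupadd(8)
+#
+GID_MIN 1000
+GID_MAX 60000
+# System accounts
+SYS_GID_MIN 201
+SYS_GID_MAX 999
+# Extra per user group ids
+SUB_GID_MIN 100000
+SUB_GID_MAX 600100000
+SUB_GID_COUNT 65536
+
+#
+# Max number of login(1) retries if password is bad
+#
+#LOGIN_RETRIES 3
+
+#
+# Max time in seconds for login(1)
+#
+#LOGIN_TIMEOUT 60
+
+# Currently PASS_CHANGE_TRIES is not supported
+
+# Currently PASS_ALWAYS_WARN is not supported
+
+# Currently PASS_MAX_LEN is not supported
+
+# Currently CHFN_AUTH is not supported
+
+#
+# Which fields may be changed by regular users using chfn(1) - use
+# any combination of letters "frwh" (full name, room number, work
+# phone, home phone). If not defined, no changes are allowed.
+# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
+#
+#CHFN_RESTRICT rwh
+
+# Currently LOGIN_STRING is not supported
+
+# Currently MD5_CRYPT_ENAB is not supported
+
+#
+# If set to MD5, MD5-based algorithm will be used for encrypting password
+# If set to SHA256, SHA256-based algorithm will be used for encrypting password
+# If set to SHA512, SHA512-based algorithm will be used for encrypting password
+# If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password
+# If set to YESCRYPT, YESCRYPT-based algorithm will be used for encrypting password
+# If set to DES, DES-based algorithm will be used for encrypting password (default)
+#
+ENCRYPT_METHOD YESCRYPT
+
+#
+# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
+#
+# Define the number of SHA rounds.
+# With a lot of rounds, it is more difficult to brute-force the password.
+# However, more CPU resources will be needed to authenticate users if
+# this value is increased.
+#
+# If not specified, the libc will choose the default number of rounds (5000).
+# The values must be within the 1000-999999999 range.
+#
+#SHA_CRYPT_MAX_ROUNDS 5000
+
+# Currently SHA_CRYPT_MIN_ROUNDS is not supported
+
+#
+# Only works if ENCRYPT_METHOD is set to BCRYPT.
+#
+# Define the number of BCRYPT rounds.
+# With a lot of rounds, it is more difficult to brute-force the password.
+# However, more CPU resources will be needed to authenticate users if
+# this value is increased.
+#
+# If not specified, 13 rounds will be attempted.
+# If only one of the MIN or MAX values is set, then this value will be used.
+# If MIN > MAX, the highest value will be used.
+#
+#BCRYPT_MIN_ROUNDS 13
+#BCRYPT_MAX_ROUNDS 31
+
+#
+# Only works if ENCRYPT_METHOD is set to YESCRYPT.
+#
+# Define the YESCRYPT cost factor.
+# With a higher cost factor, it is more difficult to brute-force the password.
+# However, more CPU time and more memory will be needed to authenticate users
+# if this value is increased.
+#
+# If not specified, a cost factor of 5 will be used.
+# The value must be within the 1-11 range.
+#
+#YESCRYPT_COST_FACTOR 5
+
+# Currently CONSOLE_GROUPS is not supported
+
+#
+# Should login be allowed if we can't cd to the home directory?
+# Default is yes.
+#
+#DEFAULT_HOME yes
+
+# Currently ENVIRON_FILE is not supported
+
+#
+# If defined, this command is run when removing a user.
+# It should remove any at/cron/print jobs etc. owned by
+# the user to be removed (passed as the first argument).
+#
+#USERDEL_CMD /usr/sbin/userdel_local
+
+#
+# Enables userdel(8) to remove user groups if no members exist.
+#
+USERGROUPS_ENAB yes
+
+#
+# If set to a non-zero number, the shadow utilities will make sure that
+# groups never have more than this number of users on one line.
+# This permits to support split groups (groups split into multiple lines,
+# with the same group ID, to avoid limitation of the line length in the
+# group file).
+#
+# 0 is the default value and disables this feature.
+#
+#MAX_MEMBERS_PER_GROUP 0
+
+#
+# If useradd(8) should create home directories for users by default (non
+# system users only).
+# This option is overridden with the -M or -m flags on the useradd(8)
+# command-line.
+#
+CREATE_HOME yes
+
+#
+# Force use shadow, even if shadow passwd & shadow group files are
+# missing.
+#
+#FORCE_SHADOW yes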
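Review bot: `PASS_MIN_LEN 12` (line 131 of the new file) is contradicted three lines later by the shipped comment `# Currently PASS_MIN_LEN is not supported`, and the header itself says the password tools are PAM-driven, so this file does not enforce a minimum length at all; if 12 characters is the intended policy it has to be set in pam_pwquality (the /etc/pam.d/system-auth the header points to) and the line here should say so, e.g. `# PASS_MIN_LEN is ignored by PAM-based tools; enforce length via pam_pwquality minlen`. Likewise `#FAIL_DELAY 3` and `#LOGIN_RETRIES 3` stay commented out, so throttling and lockout are again left to PAM — a one-line comment at the top naming where those controls actually live would stop a reader of this hardening file from assuming they are in effect. The remaining active settings (UMASK 077, HOME_MODE 0700, ENCRYPT_METHOD YESCRYPT, 90/7/14 aging) are consistent with each other. The diffstat lists a second, 292-line login.defs under files/amazon/etc/; presumably the same caveat applies there.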
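--- a/data/cookbooks/mu-tools/files/default/logrotate.conf
+++ b/data/cookbooks/mu-tools/files/default/logrotate.conf
@@ -0,0 +1,35 @@
+# see "man logrotate" for details
+# rotate log files weekly
+daily
+
+# keep 4 weeks worth of backlogs
+rotate 4
+
+# create new (empty) log files after rotating old ones
+create
+
+# use date as a suffix of the rotated file
+dateext
+
+# uncomment this if you want your log files compressed
+compress
+
+# RPM packages drop log rotation information into this directory
+include /etc/logrotate.d
+
+# no packages own wtmp and btmp -- we'll rotate them here
+/var/log/wtmp {
+monthly
+create 0664 root utmp
+minsize 1M
+rotate 1
+}
+
+/var/log/btmp {
+missingok
+monthly
+create 0600 root utmp
+rotate 1
+}
+
+# system-specific logs may be also be configured here.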
Binary file
|
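--- a/data/cookbooks/mu-tools/libraries/helper.rb
+++ b/data/cookbooks/mu-tools/libraries/helper.rb
@@ -16,13 +16,13 @@ module Mutools
 base_url = "http://metadata.google.internal/computeMetadata/v1"
 begin
 Timeout.timeout(2) do
-response = open(
+response = URI.open(
 "#{base_url}/#{param}",
 "Metadata-Flavor" => "Google"
 ).read
 return response
 end
-rescue Net::HTTPServerException, OpenURI::HTTPError, Timeout::Error, SocketError => e
+rescue Net::HTTPServerException, OpenURI::HTTPError, Timeout::Error, SocketError, Errno::ENOENT, OpenSSL::SSL::SSLError => e
 # This is fairly normal, just handle it gracefully
 end
 
@@ -36,11 +36,17 @@ module Mutools
 base_url = "http://169.254.169.254/latest"
 begin
 Timeout.timeout(2) do
-response = open("#{base_url}/#{param}").read
+response = URI.open("#{base_url}/#{param}").read
 return response
 end
-
+require 'aws-sdk-ec2'
+require 'aws-sdk-s3'
+rescue Net::HTTPServerException, OpenURI::HTTPError, Timeout::Error, SocketError, Errno::ENOENT => e
+puts e.inspect
 # This is fairly normal, just handle it gracefully
+if e.code == 401
+puts "*************** Got 401 Unauthorized trying to fetch #{base_url}/#{param}. This instance may be requiring IMDSv2 requests to fetch its own metadata. ***************"
+end
 end
 nil
 end
@@ -136,7 +142,7 @@ module Mutools
 @region = nil
 def set_aws_cfg_params
 begin
-require 'aws-sdk'
+require 'aws-sdk-core'
 instance_identity = get_aws_metadata("dynamic/instance-identity/document")
 return false if instance_identity.nil? # Not in AWS, most likely
 @region = JSON.parse(instance_identity)["region"]
@@ -153,7 +159,8 @@ module Mutools
 rescue OpenURI::HTTPError, Timeout::Error, SocketError, JSON::ParserError
 Chef::Log.info("This node isn't in Amazon Web Services, skipping AWS config")
 return false
-rescue LoadError
+rescue LoadError => e
+puts e.inspect
 Chef::Log.info("aws-sdk-gem hasn't been installed yet!")
 return false
 end
@@ -257,10 +264,14 @@ module Mutools
 filename = mu_get_tag_value("MU-ID")+"-secret"
 
 if cloud == "AWS"
+include_recipe "mu-tools::aws_api"
+require 'aws-sdk-s3'
 resp = nil
 begin
 Chef::Log.info("Fetch deploy secret from s3://#{bucket}/#(unknown)")
-
+set_aws_cfg_params
+@s3 ||= Aws::S3::Client.new(region: @region)
+resp = @s3.get_object(bucket: bucket, key: filename)
 rescue ::Aws::S3::Errors::PermanentRedirect => e
 tmps3 = Aws::S3::Client.new(region: "us-east-1")
 resp = tmps3.get_object(bucket: bucket, key: filename)
@@ -308,6 +319,7 @@ module Mutools
 req = Net::HTTP::Post.new(uri)
 res_type = (node['deployment'].has_key?('server_pools') and node['deployment']['server_pools'].has_key?(node['service_name'])) ? "server_pool" : "server"
 response = nil
+retries = 0
 begin
 secret = get_deploy_secret
 if secret.nil? or secret.empty?
@@ -331,7 +343,7 @@ module Mutools
 http.verify_mode = OpenSSL::SSL::VERIFY_NONE # XXX this sucks
 response = http.request(req)
 if response.code != "200"
-Chef::Log.error("Got #{response.code} back from #{uri} on #{action} => #{arg}")
+Chef::Log.error("Got #{response.code} back from #{uri} on #{action} => #{arg}: #{response.body}")
 else
 if action == "add_volume" and arg and arg.is_a?(Hash) and arg[:dev]
 seen_requested = false
@@ -350,7 +362,7 @@ module Mutools
 end while retries < 5 and !seen_requested
 end
 end
-rescue EOFError => e
+rescue EOFError, OpenSSL::SSL::SSLError => e
 # Sometimes deployment metadata is incomplete and missing a
 # server_pool entry. Try to help it out.
 # XXX find some awsmetadata way to determine that we're in an Autoscale Group before trying this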
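--- a/data/cookbooks/mu-tools/metadata.rb
+++ b/data/cookbooks/mu-tools/metadata.rb
@@ -7,14 +7,14 @@ long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
 source_url 'https://github.com/cloudamatic/mu'
 issues_url 'https://github.com/cloudamatic/mu/issues'
 chef_version '>= 14.0' if respond_to?(:chef_version)
-version '1.1.
+version '1.1.1'
 
 %w( amazon centos redhat windows ).each do |os|
 supports os
 end
 
 depends "oracle-instantclient", '~> 1.1.0'
-depends "
+depends "nagios"
 depends "database", '~> 6.1.1'
 depends "postgresql", '~> 7.1.0'
 depends "mu-utility"
@@ -22,8 +22,8 @@ depends "java", '~> 2.2.0'
 depends "windows", '~> 5.1.1'
 depends "mu-splunk"
 depends "chef-vault", '~> 3.1.1'
-depends "poise-python", '~> 1.7.0'
-depends "yum-epel", '~>
+#depends "poise-python", '~> 1.7.0'
+depends "yum-epel", '~> 5.0.8'
 depends "mu-firewall"
 depends "mu-activedirectory"
 depends "chocolatey"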
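--- a/data/cookbooks/mu-tools/recipes/apply_security.rb
+++ b/data/cookbooks/mu-tools/recipes/apply_security.rb
@@ -66,7 +66,7 @@ if !node['application_attributes']['skip_recipes'].include?('apply_security')
 notifies :run, "execute[enable manual auditd restarts]", :before
 end
 
-if node['platform_version'].to_i < 7
+if !platform_family?("amazon") and node['platform_version'].to_i < 7
 cookbook_file "/etc/audit/audit.rules" do
 source "etc/audit/stig.rules"
 notifies :restart, "service[auditd]", :delayed
@@ -124,11 +124,12 @@ if !node['application_attributes']['skip_recipes'].include?('apply_security')
 
 
 bash "Logging and Auditing" do
-code <<-EOH
 #4.1.4 Create and Set Permissions on rsyslog Log Files
 #find `awk '/^ *[^#$]/ { print $2 }' /etc/rsyslog.conf | egrep -o "/.*"` -perm /o+rwx
+code <<-EOH
 chmod og-rwx /var/log/boot.log
 EOH
+only_if { File.exist?("/var/log/boot.log") }
 end
 
 bash "Network Configuration and Firewalls" do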
@@ -16,11 +16,29 @@
|
|
16
16
|
# See the License for the specific language governing permissions and
|
17
17
|
# limitations under the License.
|
18
18
|
|
19
|
-
|
20
|
-
|
21
|
-
|
22
|
-
|
23
|
-
|
19
|
+
# well apparently these versions need to be pegged to whatever Chef is using
|
20
|
+
# internally (as of Chef 17.4.38, aws-sdk-core 3.119)
|
21
|
+
awsgems = {
|
22
|
+
# "aws-sdk-core" => "~> 3.119",
|
23
|
+
"aws-sdk-s3" => "3.205.0",
|
24
|
+
# "aws-sdk-ec2" => nil
|
25
|
+
}
|
26
|
+
|
27
|
+
awsgems.each_pair { |g, v|
|
28
|
+
# XXX chef_gem is, inexplicably, failing for these AWS SDK gems; logs indicate
|
29
|
+
# installation, but they're not actually there. Doing it with an execute seems
|
30
|
+
# to circumvent the problem. We then use chef_gem to load the stupid thing for
|
31
|
+
# the current Chef run.
|
32
|
+
execute "env -i /opt/chef/embedded/bin/gem install #{g} #{v.nil? ? "" : "--version '#{v}'"}" do
|
33
|
+
compile_time true
|
34
|
+
end
|
35
|
+
chef_gem g do
|
36
|
+
gem_binary "/opt/chef/embedded/bin/gem"
|
37
|
+
version v if !v.nil?
|
38
|
+
compile_time true
|
39
|
+
action :install
|
40
|
+
end
|
41
|
+
}
|
24
42
|
|
25
43
|
if platform_family?("rhel") or platform_family?("amazon")
|
26
44
|
if node['platform_version'].to_i == 6
|
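Review bot: The `execute "env -i /opt/chef/embedded/bin/gem install …"` resource at new line 32 has no guard, so it contacts RubyGems and reinstalls the gem at compile time on every converge, and for any entry whose value is `nil` (the shape the commented-out `"aws-sdk-ec2" => nil` line shows) the interpolation drops `--version` and installs whatever is latest at run time, which defeats the pinning the header comment says is required. Add a guard so each pinned gem is installed once: `not_if "/opt/chef/embedded/bin/gem list -i #{g} #{v.nil? ? '' : "-v '#{v}'"}"`, and consider rejecting `nil` versions rather than silently unpinning. The `# XXX chef_gem is, inexplicably, failing` comment records the workaround but not why `env -i` is used; it clears the whole environment, including any `http_proxy`/`https_proxy` the node depends on, so that deserves a sentence. The comment pegs versions to Chef's bundled `aws-sdk-core 3.119` while the hash pins `aws-sdk-s3` to `3.205.0`; confirm that pair actually resolves together rather than trusting a comment that may be stale.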
@@ -21,11 +21,14 @@ if !node['application_attributes']['skip_recipes'].include?('base_repositories')
|
|
21
21
|
case node['platform_family']
|
22
22
|
when "rhel", "redhat", "amazon" # ~FC024
|
23
23
|
# Workaround for EOL CentOS 5 repos
|
24
|
-
if node['
|
24
|
+
if node['platform_family'] != "amazon" and node['platform_version'].to_i <= 6
|
25
25
|
cookbook_file "/etc/yum.repos.d/CentOS-Base.repo" do
|
26
26
|
source "CentOS-Base.repo"
|
27
27
|
end
|
28
28
|
end
|
29
29
|
include_recipe "yum-epel"
|
30
30
|
end
|
31
|
+
if platform_family?("amazon")
|
32
|
+
package "cronie"
|
33
|
+
end
|
31
34
|
end
|
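Review bot: The new condition `if node['platform_family'] != "amazon" and node['platform_version'].to_i <= 6` tests the platform family with a string comparison while new line 31 in the same hunk uses `platform_family?("amazon")`; use one form, and `&&` rather than `and`: `if !platform_family?("amazon") && node['platform_version'].to_i <= 6`. The `# Workaround for EOL CentOS 5 repos` comment now also covers CentOS 6, which the `<= 6` condition includes, so update it to `# Workaround for EOL CentOS 5/6 repos: replace the stock repo file` so the cookbook_file's purpose matches the code. The replacement `CentOS-Base.repo` is shipped by the cookbook and not visible here; confirm it keeps `gpgcheck=1`, since this file decides where EOL hosts pull packages from.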
@@ -16,59 +16,59 @@
|
|
16
16
|
# See the License for the specific language governing permissions and
|
17
17
|
# limitations under the License.
|
18
18
|
|
19
|
-
if platform_family?("rhel") or platform_family?("amazon")
|
20
|
-
if node['platform_version'].to_i >= 7
|
21
|
-
yum_repository "google-cloud-sdk" do
|
22
|
-
description 'Google Cloud SDK'
|
23
|
-
url "https://packages.cloud.google.com/yum/repos/cloud-sdk-el#{node['platform_version'].to_i}-x86_64#{node['platform_version'].to_i == 6 ? "-unstable": ""}"
|
24
|
-
enabled true
|
25
|
-
gpgcheck true
|
26
|
-
repo_gpgcheck true
|
27
|
-
gpgkey ["https://packages.cloud.google.com/yum/doc/
|
28
|
-
end
|
29
|
-
package "google-cloud-sdk"
|
30
|
-
elsif node['platform_version'].to_i == 6
|
31
|
-
version = "317.0.0"
|
32
|
-
remote_file "#{Chef::Config[:file_cache_path]}/gcloud-cli.sh" do
|
33
|
-
source "https://sdk.cloud.google.com"
|
34
|
-
action :nothing
|
35
|
-
end
|
36
|
-
remote_file "#{Chef::Config[:file_cache_path]}/gcloud-cli.tar.gz" do
|
37
|
-
source "https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-sdk-#{version}-linux-x86_64.tar.gz"
|
38
|
-
action :nothing
|
39
|
-
end
|
40
|
-
bash "install gcloud-cli" do
|
41
|
-
cwd "/opt"
|
42
|
-
code <<-EOH
|
43
|
-
rm -rf /opt/google-cloud-sdk/
|
44
|
-
tar -xzf #{Chef::Config[:file_cache_path]}/gcloud-cli.tar.gz
|
45
|
-
CLOUDSDK_PYTHON="`/bin/rpm -ql muthon | grep '/bin/python3$'`" ./google-cloud-sdk/install.sh -q
|
46
|
-
EOH
|
47
|
-
notifies :create, "remote_file[#{Chef::Config[:file_cache_path]}/gcloud-cli.sh]", :before
|
48
|
-
notifies :create, "remote_file[#{Chef::Config[:file_cache_path]}/gcloud-cli.tar.gz]", :before
|
49
|
-
not_if "/opt/google-cloud-sdk/bin/gcloud version | grep 'Google Cloud SDK #{version}'"
|
50
|
-
end
|
51
|
-
link "/etc/bash_completion.d/gcloud" do
|
52
|
-
to "/opt/google-cloud-sdk/completion.bash.inc"
|
53
|
-
end
|
54
|
-
link "/etc/profile.d/gcloud.sh" do
|
55
|
-
to "/opt/google-cloud-sdk/path.bash.inc"
|
56
|
-
end
|
57
|
-
file "/etc/profile.d/gcloud_python.sh" do
|
58
|
-
content "export CLOUDSDK_PYTHON=\"`/bin/rpm -ql muthon | grep '/bin/python$'`\"\n"
|
59
|
-
mode 0644
|
60
|
-
end
|
61
|
-
end
|
62
|
-
elsif platform_family?("debian")
|
63
|
-
bash "add google-cloud-sdk repo" do
|
64
|
-
code <<-EOH
|
65
|
-
export CLOUD_SDK_REPO="cloud-sdk-$(lsb_release -c -s)"
|
66
|
-
echo "deb http://packages.cloud.google.com/apt $CLOUD_SDK_REPO main" | sudo tee -a /etc/apt/sources.list.d/google-cloud-sdk.list
|
67
|
-
curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key add -
|
68
|
-
sudo apt-get update
|
69
|
-
EOH
|
70
|
-
not_if { ::File.exist?("/etc/apt/sources.list.d/google-cloud-sdk.list") }
|
71
|
-
end
|
72
|
-
package "google-cloud-sdk"
|
73
|
-
else
|
74
|
-
end
|
19
|
+
#if platform_family?("rhel") or platform_family?("amazon")
|
20
|
+
# if node['platform_version'].to_i >= 7
|
21
|
+
# yum_repository "google-cloud-sdk" do
|
22
|
+
# description 'Google Cloud SDK'
|
23
|
+
# url "https://packages.cloud.google.com/yum/repos/cloud-sdk-el#{node['platform_version'].to_i}-x86_64#{node['platform_version'].to_i == 6 ? "-unstable": ""}"
|
24
|
+
# enabled true
|
25
|
+
# gpgcheck true
|
26
|
+
# repo_gpgcheck true
|
27
|
+
# gpgkey ["https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg"]
|
28
|
+
# end
|
29
|
+
# package "google-cloud-sdk"
|
30
|
+
# elsif node['platform_version'].to_i == 6
|
31
|
+
# version = "317.0.0"
|
32
|
+
# remote_file "#{Chef::Config[:file_cache_path]}/gcloud-cli.sh" do
|
33
|
+
# source "https://sdk.cloud.google.com"
|
34
|
+
# action :nothing
|
35
|
+
# end
|
36
|
+
# remote_file "#{Chef::Config[:file_cache_path]}/gcloud-cli.tar.gz" do
|
37
|
+
# source "https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-sdk-#{version}-linux-x86_64.tar.gz"
|
38
|
+
# action :nothing
|
39
|
+
# end
|
40
|
+
# bash "install gcloud-cli" do
|
41
|
+
# cwd "/opt"
|
42
|
+
# code <<-EOH
|
43
|
+
# rm -rf /opt/google-cloud-sdk/
|
44
|
+
# tar -xzf #{Chef::Config[:file_cache_path]}/gcloud-cli.tar.gz
|
45
|
+
# CLOUDSDK_PYTHON="`/bin/rpm -ql muthon | grep '/bin/python3$'`" ./google-cloud-sdk/install.sh -q
|
46
|
+
# EOH
|
47
|
+
# notifies :create, "remote_file[#{Chef::Config[:file_cache_path]}/gcloud-cli.sh]", :before
|
48
|
+
# notifies :create, "remote_file[#{Chef::Config[:file_cache_path]}/gcloud-cli.tar.gz]", :before
|
49
|
+
# not_if "/opt/google-cloud-sdk/bin/gcloud version | grep 'Google Cloud SDK #{version}'"
|
50
|
+
# end
|
51
|
+
# link "/etc/bash_completion.d/gcloud" do
|
52
|
+
# to "/opt/google-cloud-sdk/completion.bash.inc"
|
53
|
+
# end
|
54
|
+
# link "/etc/profile.d/gcloud.sh" do
|
55
|
+
# to "/opt/google-cloud-sdk/path.bash.inc"
|
56
|
+
# end
|
57
|
+
# file "/etc/profile.d/gcloud_python.sh" do
|
58
|
+
# content "export CLOUDSDK_PYTHON=\"`/bin/rpm -ql muthon | grep '/bin/python$'`\"\n"
|
59
|
+
# mode 0644
|
60
|
+
# end
|
61
|
+
# end
|
62
|
+
#elsif platform_family?("debian")
|
63
|
+
# bash "add google-cloud-sdk repo" do
|
64
|
+
# code <<-EOH
|
65
|
+
# export CLOUD_SDK_REPO="cloud-sdk-$(lsb_release -c -s)"
|
66
|
+
# echo "deb http://packages.cloud.google.com/apt $CLOUD_SDK_REPO main" | sudo tee -a /etc/apt/sources.list.d/google-cloud-sdk.list
|
67
|
+
# curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key add -
|
68
|
+
# sudo apt-get update
|
69
|
+
# EOH
|
70
|
+
# not_if { ::File.exist?("/etc/apt/sources.list.d/google-cloud-sdk.list") }
|
71
|
+
# end
|
72
|
+
# package "google-cloud-sdk"
|
73
|
+
#else
|
74
|
+
#end
|
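Review bot: The entire recipe body (new lines 19-74) is commented out rather than deleted, leaving roughly 56 lines of dead code that cookstyle will not check and that git history already preserves; delete it, or if it is meant to come back, put a `# TODO: gcloud install disabled because …; re-enable once …` at the top so the reason is recorded. If it is ever re-enabled as written, the EL6 path fetches `google-cloud-sdk-#{version}-linux-x86_64.tar.gz` via `remote_file` and runs its `install.sh` with no `checksum` attribute, the `gcloud-cli.sh` download from `https://sdk.cloud.google.com` is fetched but never used, and the Debian path adds the repo over plain `http://` and relies on the deprecated `apt-key add`. Only the yum branch verifies signatures (`gpgcheck true`, `repo_gpgcheck true`), so those caveats should travel with the code or the code should go.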