RubyGems - cloud-mu - Versions diffs - 3.5.0 → 3.6.3 - Mend

cloud-mu 3.5.0 → 3.6.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (245) hide show

checksums.yaml +4 -4
data/Berksfile +5 -2
data/Berksfile.lock +135 -0
data/ansible/roles/mu-base/README.md +33 -0
data/ansible/roles/mu-base/defaults/main.yml +2 -0
data/ansible/roles/mu-base/files/check_apm.cfg +1 -0
data/ansible/roles/mu-base/files/check_apm.sh +18 -0
data/ansible/roles/mu-base/files/check_disk.cfg +1 -0
data/ansible/roles/mu-base/files/check_elastic_shards.cfg +1 -0
data/ansible/roles/mu-base/files/check_elastic_shards.sh +12 -0
data/ansible/roles/mu-base/files/check_logstash.cfg +1 -0
data/ansible/roles/mu-base/files/check_logstash.sh +14 -0
data/ansible/roles/mu-base/files/check_mem.cfg +1 -0
data/ansible/roles/mu-base/files/check_updates.cfg +1 -0
data/ansible/roles/mu-base/files/logrotate.conf +35 -0
data/ansible/roles/mu-base/files/nrpe-apm-sudo +1 -0
data/ansible/roles/mu-base/files/nrpe-elasticshards-sudo +2 -0
data/ansible/roles/mu-base/handlers/main.yml +5 -0
data/ansible/roles/mu-base/meta/main.yml +53 -0
data/ansible/roles/mu-base/tasks/main.yml +113 -0
data/ansible/roles/mu-base/templates/nrpe.cfg.j2 +231 -0
data/ansible/roles/mu-base/tests/inventory +2 -0
data/ansible/roles/mu-base/tests/test.yml +5 -0
data/ansible/roles/mu-base/vars/main.yml +1 -0
data/ansible/roles/mu-compliance/README.md +33 -0
data/ansible/roles/mu-compliance/defaults/main.yml +2 -0
data/ansible/roles/mu-compliance/files/U_MS_Windows_Server_2016_V2R1_STIG_SCAP_1-2_Benchmark.xml +15674 -0
data/ansible/roles/mu-compliance/files/U_MS_Windows_Server_2019_V2R1_STIG_SCAP_1-2_Benchmark.xml +17553 -0
data/ansible/roles/mu-compliance/handlers/main.yml +2 -0
data/ansible/roles/mu-compliance/meta/main.yml +53 -0
data/ansible/roles/mu-compliance/tasks/main.yml +45 -0
data/ansible/roles/mu-compliance/tests/inventory +2 -0
data/ansible/roles/mu-compliance/tests/test.yml +5 -0
data/ansible/roles/mu-compliance/vars/main.yml +4 -0
data/ansible/roles/mu-elastic/README.md +51 -0
data/ansible/roles/mu-elastic/defaults/main.yml +2 -0
data/ansible/roles/mu-elastic/files/jvm.options +93 -0
data/ansible/roles/mu-elastic/handlers/main.yml +10 -0
data/ansible/roles/mu-elastic/meta/main.yml +52 -0
data/ansible/roles/mu-elastic/tasks/main.yml +186 -0
data/ansible/roles/mu-elastic/templates/elasticsearch.yml.j2 +110 -0
data/ansible/roles/mu-elastic/templates/kibana.yml.j2 +131 -0
data/ansible/roles/mu-elastic/templates/password_set.expect.j2 +19 -0
data/ansible/roles/mu-elastic/tests/inventory +2 -0
data/ansible/roles/mu-elastic/tests/test.yml +5 -0
data/ansible/roles/mu-elastic/vars/main.yml +2 -0
data/ansible/roles/mu-logstash/README.md +51 -0
data/ansible/roles/mu-logstash/defaults/main.yml +2 -0
data/ansible/roles/mu-logstash/files/02-beats-input.conf +5 -0
data/ansible/roles/mu-logstash/files/10-rails-filter.conf +16 -0
data/ansible/roles/mu-logstash/files/jvm.options +84 -0
data/ansible/roles/mu-logstash/files/logstash.yml +304 -0
data/ansible/roles/mu-logstash/handlers/main.yml +20 -0
data/ansible/roles/mu-logstash/meta/main.yml +52 -0
data/ansible/roles/mu-logstash/tasks/main.yml +254 -0
data/ansible/roles/mu-logstash/templates/20-cloudtrail.conf.j2 +28 -0
data/ansible/roles/mu-logstash/templates/30-elasticsearch-output.conf.j2 +19 -0
data/ansible/roles/mu-logstash/templates/apm-server.yml.j2 +33 -0
data/ansible/roles/mu-logstash/templates/heartbeat.yml.j2 +29 -0
data/ansible/roles/mu-logstash/templates/nginx/apm.conf.j2 +25 -0
data/ansible/roles/mu-logstash/templates/nginx/default.conf.j2 +56 -0
data/ansible/roles/mu-logstash/templates/nginx/elastic.conf.j2 +27 -0
data/ansible/roles/mu-logstash/tests/inventory +2 -0
data/ansible/roles/mu-logstash/tests/test.yml +5 -0
data/ansible/roles/mu-logstash/vars/main.yml +2 -0
data/ansible/roles/mu-rdp/README.md +33 -0
data/ansible/roles/mu-rdp/meta/main.yml +53 -0
data/ansible/roles/mu-rdp/tasks/main.yml +9 -0
data/ansible/roles/mu-rdp/tests/inventory +2 -0
data/ansible/roles/mu-rdp/tests/test.yml +5 -0
data/ansible/roles/mu-windows/tasks/main.yml +3 -0
data/bin/mu-ansible-secret +1 -1
data/bin/mu-aws-setup +4 -3
data/bin/mu-azure-setup +5 -5
data/bin/mu-configure +25 -17
data/bin/mu-firewall-allow-clients +1 -0
data/bin/mu-gcp-setup +3 -3
data/bin/mu-load-config.rb +1 -0
data/bin/mu-node-manage +66 -33
data/bin/mu-self-update +2 -2
data/bin/mu-upload-chef-artifacts +6 -1
data/bin/mu-user-manage +1 -1
data/cloud-mu.gemspec +25 -23
data/cookbooks/firewall/CHANGELOG.md +417 -224
data/cookbooks/firewall/LICENSE +202 -0
data/cookbooks/firewall/README.md +153 -126
data/cookbooks/firewall/TODO.md +6 -0
data/cookbooks/firewall/attributes/firewalld.rb +7 -0
data/cookbooks/firewall/attributes/iptables.rb +3 -3
data/cookbooks/firewall/chefignore +115 -0
data/cookbooks/firewall/libraries/helpers.rb +5 -0
data/cookbooks/firewall/libraries/helpers_firewalld.rb +1 -1
data/cookbooks/firewall/libraries/helpers_firewalld_dbus.rb +72 -0
data/cookbooks/firewall/libraries/helpers_iptables.rb +3 -3
data/cookbooks/firewall/libraries/helpers_nftables.rb +170 -0
data/cookbooks/firewall/libraries/helpers_ufw.rb +7 -0
data/cookbooks/firewall/libraries/helpers_windows.rb +8 -9
data/cookbooks/firewall/libraries/provider_firewall_firewalld.rb +9 -9
data/cookbooks/firewall/libraries/provider_firewall_iptables.rb +7 -7
data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu.rb +12 -8
data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu1404.rb +13 -9
data/cookbooks/firewall/libraries/provider_firewall_rule.rb +1 -1
data/cookbooks/firewall/libraries/provider_firewall_ufw.rb +5 -5
data/cookbooks/firewall/libraries/provider_firewall_windows.rb +4 -4
data/cookbooks/firewall/libraries/resource_firewall_rule.rb +3 -3
data/cookbooks/firewall/metadata.json +40 -1
data/cookbooks/firewall/metadata.rb +15 -0
data/cookbooks/firewall/recipes/default.rb +7 -7
data/cookbooks/firewall/recipes/disable_firewall.rb +1 -1
data/cookbooks/firewall/recipes/firewalld.rb +87 -0
data/cookbooks/firewall/renovate.json +18 -0
data/cookbooks/firewall/resources/firewalld.rb +28 -0
data/cookbooks/firewall/resources/firewalld_config.rb +39 -0
data/cookbooks/firewall/resources/firewalld_helpers.rb +106 -0
data/cookbooks/firewall/resources/firewalld_icmptype.rb +88 -0
data/cookbooks/firewall/resources/firewalld_ipset.rb +104 -0
data/cookbooks/firewall/resources/firewalld_policy.rb +115 -0
data/cookbooks/firewall/resources/firewalld_service.rb +98 -0
data/cookbooks/firewall/resources/firewalld_zone.rb +118 -0
data/cookbooks/firewall/resources/nftables.rb +71 -0
data/cookbooks/firewall/resources/nftables_rule.rb +113 -0
data/cookbooks/mu-activedirectory/Berksfile +1 -1
data/cookbooks/mu-activedirectory/metadata.rb +1 -1
data/cookbooks/mu-firewall/metadata.rb +2 -2
data/cookbooks/mu-master/Berksfile +4 -3
data/cookbooks/mu-master/attributes/default.rb +5 -2
data/cookbooks/mu-master/files/default/check_elastic.sh +761 -0
data/cookbooks/mu-master/files/default/check_kibana.rb +45 -0
data/cookbooks/mu-master/libraries/mu.rb +24 -0
data/cookbooks/mu-master/metadata.rb +5 -5
data/cookbooks/mu-master/recipes/default.rb +31 -20
data/cookbooks/mu-master/recipes/firewall-holes.rb +5 -0
data/cookbooks/mu-master/recipes/init.rb +58 -19
data/cookbooks/mu-master/recipes/update_nagios_only.rb +251 -178
data/cookbooks/mu-master/templates/default/nagios.conf.erb +5 -11
data/cookbooks/mu-master/templates/default/web_app.conf.erb +3 -0
data/cookbooks/mu-php54/Berksfile +1 -1
data/cookbooks/mu-php54/metadata.rb +2 -2
data/cookbooks/mu-tools/Berksfile +2 -3
data/cookbooks/mu-tools/attributes/default.rb +3 -4
data/cookbooks/mu-tools/files/amazon/etc/bashrc +90 -0
data/cookbooks/mu-tools/files/amazon/etc/login.defs +292 -0
data/cookbooks/mu-tools/files/amazon/etc/profile +77 -0
data/cookbooks/mu-tools/files/amazon/etc/security/limits.conf +63 -0
data/cookbooks/mu-tools/files/amazon/etc/sysconfig/init +19 -0
data/cookbooks/mu-tools/files/amazon/etc/sysctl.conf +82 -0
data/cookbooks/mu-tools/files/amazon-2023/etc/login.defs +294 -0
data/cookbooks/mu-tools/files/default/logrotate.conf +35 -0
data/cookbooks/mu-tools/files/default/nrpe_conf_d.pp +0 -0
data/cookbooks/mu-tools/libraries/helper.rb +21 -9
data/cookbooks/mu-tools/metadata.rb +4 -4
data/cookbooks/mu-tools/recipes/apply_security.rb +3 -2
data/cookbooks/mu-tools/recipes/aws_api.rb +23 -5
data/cookbooks/mu-tools/recipes/base_repositories.rb +4 -1
data/cookbooks/mu-tools/recipes/gcloud.rb +56 -56
data/cookbooks/mu-tools/recipes/nagios.rb +1 -1
data/cookbooks/mu-tools/recipes/nrpe.rb +20 -2
data/cookbooks/mu-tools/recipes/rsyslog.rb +12 -1
data/cookbooks/mu-tools/recipes/set_local_fw.rb +1 -1
data/data_bags/nagios_services/apm_backend_connect.json +5 -0
data/data_bags/nagios_services/apm_listen.json +5 -0
data/data_bags/nagios_services/elastic_shards.json +5 -0
data/data_bags/nagios_services/logstash.json +5 -0
data/data_bags/nagios_services/rhel7_updates.json +8 -0
data/extras/image-generators/AWS/centos7.yaml +1 -0
data/extras/image-generators/AWS/rhel7.yaml +21 -0
data/extras/image-generators/AWS/win2k12r2.yaml +1 -0
data/extras/image-generators/AWS/win2k16.yaml +1 -0
data/extras/image-generators/AWS/win2k19.yaml +1 -0
data/extras/list-stock-amis +0 -0
data/extras/ruby_rpm/muby.spec +8 -5
data/extras/vault_tools/export_vaults.sh +1 -1
data/extras/vault_tools/recreate_vaults.sh +0 -0
data/extras/vault_tools/test_vaults.sh +0 -0
data/install/deprecated-bash-library.sh +1 -1
data/install/installer +4 -2
data/modules/mommacat.ru +3 -1
data/modules/mu/adoption.rb +1 -1
data/modules/mu/cloud/dnszone.rb +2 -2
data/modules/mu/cloud/machine_images.rb +26 -25
data/modules/mu/cloud/resource_base.rb +213 -182
data/modules/mu/cloud/server_pool.rb +1 -1
data/modules/mu/cloud/ssh_sessions.rb +7 -5
data/modules/mu/cloud/wrappers.rb +2 -2
data/modules/mu/cloud.rb +1 -1
data/modules/mu/config/bucket.rb +1 -1
data/modules/mu/config/function.rb +6 -1
data/modules/mu/config/loadbalancer.rb +24 -2
data/modules/mu/config/ref.rb +12 -0
data/modules/mu/config/role.rb +1 -1
data/modules/mu/config/schema_helpers.rb +42 -9
data/modules/mu/config/server.rb +43 -27
data/modules/mu/config/tail.rb +19 -10
data/modules/mu/config.rb +6 -5
data/modules/mu/defaults/AWS.yaml +78 -114
data/modules/mu/deploy.rb +9 -2
data/modules/mu/groomer.rb +12 -4
data/modules/mu/groomers/ansible.rb +104 -20
data/modules/mu/groomers/chef.rb +15 -6
data/modules/mu/master.rb +9 -4
data/modules/mu/mommacat/daemon.rb +4 -2
data/modules/mu/mommacat/naming.rb +1 -2
data/modules/mu/mommacat/storage.rb +7 -2
data/modules/mu/mommacat.rb +33 -6
data/modules/mu/providers/aws/database.rb +161 -8
data/modules/mu/providers/aws/dnszone.rb +11 -6
data/modules/mu/providers/aws/endpoint.rb +81 -6
data/modules/mu/providers/aws/firewall_rule.rb +254 -172
data/modules/mu/providers/aws/function.rb +65 -3
data/modules/mu/providers/aws/loadbalancer.rb +39 -28
data/modules/mu/providers/aws/log.rb +2 -1
data/modules/mu/providers/aws/role.rb +25 -7
data/modules/mu/providers/aws/server.rb +36 -12
data/modules/mu/providers/aws/server_pool.rb +237 -127
data/modules/mu/providers/aws/storage_pool.rb +7 -1
data/modules/mu/providers/aws/user.rb +1 -1
data/modules/mu/providers/aws/userdata/linux.erb +6 -2
data/modules/mu/providers/aws/userdata/windows.erb +7 -5
data/modules/mu/providers/aws/vpc.rb +49 -25
data/modules/mu/providers/aws.rb +13 -8
data/modules/mu/providers/azure/container_cluster.rb +1 -1
data/modules/mu/providers/azure/loadbalancer.rb +2 -2
data/modules/mu/providers/azure/server.rb +5 -2
data/modules/mu/providers/azure/userdata/linux.erb +1 -1
data/modules/mu/providers/azure.rb +11 -8
data/modules/mu/providers/cloudformation/dnszone.rb +1 -1
data/modules/mu/providers/google/container_cluster.rb +15 -2
data/modules/mu/providers/google/folder.rb +2 -1
data/modules/mu/providers/google/function.rb +130 -4
data/modules/mu/providers/google/habitat.rb +2 -1
data/modules/mu/providers/google/loadbalancer.rb +407 -160
data/modules/mu/providers/google/role.rb +16 -3
data/modules/mu/providers/google/server.rb +5 -1
data/modules/mu/providers/google/user.rb +25 -18
data/modules/mu/providers/google/userdata/linux.erb +1 -1
data/modules/mu/providers/google/vpc.rb +53 -7
data/modules/mu/providers/google.rb +39 -39
data/modules/mu.rb +8 -8
data/modules/tests/elk.yaml +46 -0
data/test/mu-master-test/controls/all_in_one.rb +1 -1
metadata +207 -112
data/cookbooks/firewall/CONTRIBUTING.md +0 -2
data/cookbooks/firewall/MAINTAINERS.md +0 -19
data/cookbooks/firewall/libraries/matchers.rb +0 -30
data/extras/image-generators/AWS/rhel71.yaml +0 -17

data/modules/mu/groomers/ansible.rb CHANGED Viewed

@@ -19,6 +19,7 @@ module MU
   class Groomer
     # Support for Ansible as a host configuration management layer.
     class Ansible
+      require 'open3'
       # Failure to load or create a deploy
       class NoAnsibleExecError < MuError;
@@ -77,7 +78,7 @@ module MU
       # @param data [Hash]: Data to save
       # @param permissions [Boolean]: If true, save the secret under the current active deploy (if any), rather than in the global location for this user
       # @param deploy_dir [String]: If permissions is +true+, save the secret here
-      def self.saveSecret(vault: nil, item: nil, data: nil, permissions: false, deploy_dir: nil)
+      def self.saveSecret(vault: nil, item: nil, data: nil, permissions: false, deploy_dir: nil, quiet: false)
         if vault.nil? or vault.empty? or item.nil? or item.empty?
           raise MuError, "Must call saveSecret with vault and item names"
@@ -86,6 +87,7 @@ module MU
           raise MuError, "Ansible vault/item names cannot include forward slashes"
         end
         pwfile = vaultPasswordFile
+        vault_cmd = %Q{#{ansibleExecDir}/ansible-vault}
         dir = if permissions
           if deploy_dir
@@ -104,7 +106,7 @@ module MU
           FileUtils.mkdir_p(dir, mode: 0700)
         end
-        if File.exist?(path)
+        if File.exist?(path) and !quiet
           MU.log "Overwriting existing vault #{vault} item #{item}"
         end
@@ -112,14 +114,36 @@ module MU
           f.write data.to_yaml
         }
-        cmd = %Q{#{ansibleExecDir}/ansible-vault encrypt #{path} --vault-password-file #{pwfile}}
-        MU.log cmd
+        cmd = %Q{#{vault_cmd} encrypt #{path} --vault-password-file #{pwfile}}
+        MU.log cmd if !quiet
         raise MuError, "Failed Ansible command: #{cmd}" if !system(cmd)
+        # If we're stashing things under a deploy, go ahead and munge them into
+        # variables that actual Ansible tasks can get at
+        if permissions
+          encrypted_string = File.read(path).chomp
+          dir = (deploy_dir ? deploy_dir : MU.mommacat.deploy_dir)+"/ansible"
+          FileUtils.mkdir_p(dir, mode: 0700) if !Dir.exist?(dir)
+          FileUtils.mkdir_p(dir+"/vars", mode: 0700) if !Dir.exist?(dir+"/vars")
+          vars_file = "#{dir}/vars/#{vault}.yml"
+          vars = if File.exist?(vars_file)
+            YAML.load(File.read(vars_file))
+          else
+            {}
+          end
+          vars[item] = encrypted_string
+          File.open(vars_file, File::CREAT|File::RDWR|File::TRUNC, 0600) { |f|
+            f.flock(File::LOCK_EX)
+            f.puts vars.to_yaml
+            f.flock(File::LOCK_UN)
+          }
+        end
       end
       # see {MU::Groomer::Ansible.saveSecret}
-      def saveSecret(vault: @server.mu_name, item: nil, data: nil, permissions: true)
-        self.class.saveSecret(vault: vault, item: item, data: data, permissions: permissions, deploy_dir: @server.deploy.deploy_dir)
+      def saveSecret(vault: @server.mu_name, item: nil, data: nil, permissions: true, quiet: false)
+        self.class.saveSecret(vault: vault, item: item, data: data, permissions: permissions, deploy_dir: @server.deploy.deploy_dir, quiet: quiet)
       end
       # Retrieve sensitive data, which hopefully we're storing and retrieving
@@ -128,7 +152,7 @@ module MU
       # @param item [String]: The item within the repository to retrieve
       # @param field [String]: OPTIONAL - A specific field within the item to return.
       # @return [Hash]
-      def self.getSecret(vault: nil, item: nil, field: nil, deploy_dir: nil)
+      def self.getSecret(vault: nil, item: nil, field: nil, deploy_dir: nil, quiet: false, cmd_only: false)
         if vault.nil? or vault.empty?
           raise MuError, "Must call getSecret with at least a vault name"
         end
@@ -137,7 +161,7 @@ module MU
         dir = nil
         try = [secret_dir+"/"+vault]
         try << deploy_dir+"/ansible/vaults/"+vault if deploy_dir
-        try << MU.mommacat.deploy_dir+"/ansible/vaults/"+vault if MU.mommacat.deploy_dir
+        try << MU.mommacat.deploy_dir+"/ansible/vaults/"+vault if MU.mommacat and MU.mommacat.deploy_dir
         try.each { |maybe_dir|
           if Dir.exist?(maybe_dir) and (item.nil? or File.exist?(maybe_dir+"/"+item))
             dir = maybe_dir
@@ -155,7 +179,8 @@ module MU
             raise MuNoSuchSecret, "No such item #{item} in vault #{vault}"
           end
           cmd = %Q{#{ansibleExecDir}/ansible-vault view #{itempath} --vault-password-file #{pwfile}}
-          MU.log cmd
+          return cmd if cmd_only
+          MU.log cmd if !quiet
           a = `#{cmd}`
           # If we happen to have stored recognizeable JSON or YAML, return it
           # as parsed, which is a behavior we're used to from Chef vault.
@@ -187,8 +212,8 @@ module MU
       end
       # see {MU::Groomer::Ansible.getSecret}
-      def getSecret(vault: nil, item: nil, field: nil)
-        self.class.getSecret(vault: vault, item: item, field: field, deploy_dir: @server.deploy.deploy_dir)
+      def getSecret(vault: @server.mu_name, item: nil, field: nil, quiet: false, cmd_only: false)
+        self.class.getSecret(vault: vault, item: item, field: field, deploy_dir: @server.deploy.deploy_dir, quiet: quiet, cmd_only: cmd_only)
       end
       # Delete a Ansible data bag / Vault
@@ -259,6 +284,16 @@ module MU
         cmd = %Q{cd #{@ansible_path} && echo "#{purpose}" && #{@ansible_execs}/ansible-playbook -i hosts #{playbook} --limit=#{@server.windows? ? @server.canonicalIP : @server.mu_name} --vault-password-file #{pwfile} --timeout=30 --vault-password-file #{@ansible_path}/.vault_pw -u #{ssh_user}}
+        if @server.config['vault_access']
+          @server.config['vault_access'].each { |entry|
+            vault = entry['vault'] || @server.deploy.deploy_id
+            begin
+              MU.log "To retrieve secret #{vault}:#{entry['item']} - "+getSecret(vault: vault, item: entry['item'], cmd_only: true), MU::SUMMARY
+            rescue MuNoSuchSecret
+            end
+          }
+        end
         retries = 0
         begin
           MU.log cmd
@@ -315,8 +350,13 @@ module MU
           play["become"] = "yes"
         end
-        if @server.config['run_list'] and !@server.config['run_list'].empty?
-          play["roles"] = @server.config['run_list']
+        if @server.windows?
+          play["roles"] = ["mu-windows"]
+        else
+          play["roles"] = ["mu-base"]
+        end
+        if @server.config['run_list']
+          play["roles"].concat(@server.config['run_list'])
         end
         if @server.config['ansible_vars']
@@ -326,6 +366,7 @@ module MU
         if @server.windows?
           play["vars"] ||= {}
           play["vars"]["ansible_connection"] = "winrm"
+          play["vars"]['ansible_python_interpreter'] = "c:/bin/python/python310/python.exe"
           play["vars"]["ansible_winrm_scheme"] = "https"
           play["vars"]["ansible_winrm_transport"] = "ntlm"
           play["vars"]["ansible_winrm_server_cert_validation"] = "ignore" # XXX this sucks; use Mu_CA.pem if we can get it to work
@@ -355,18 +396,43 @@ module MU
         allvars = {
           "mu_deployment" => MU::Config.stripConfig(@server.deploy.deployment),
           "mu_service_name" => @config["name"],
+          "mu_name" => @server.mu_name,
+          "mu_deploy_id" => @server.deploy.deploy_id,
           "mu_canonical_ip" => @server.canonicalIP,
           "mu_admin_email" => $MU_CFG['mu_admin_email'],
-          "mu_environment" => MU.environment.downcase
+          "mu_environment" => MU.environment.downcase,
+          "mu_vaults" => {}
         }
         allvars['mu_deployment']['ssh_public_key'] = @server.deploy.ssh_public_key
+        vaultdir = @ansible_path+"/vaults"
+        if Dir.exist?(vaultdir)
+          Dir.entries(vaultdir).each { |v|
+            next if !File.directory?(vaultdir+"/"+v)
+            next if [".", ".."].include?(v)
+            Dir.entries(vaultdir+"/"+v).each { |i|
+              next if File.directory?(vaultdir+"/"+v+"/"+i)
+              value = getSecret(vault: v, item: i, quiet: true)
+              next if !value # ignore corrupted data
+              # Ansible struggles to actually use this. The only thing that
+              # seems to work is writing it (decrypted) to a tmp file on the
+              # target host then reading that back, which is both ugly and
+              # insecure. None of these workarounds seem to do the thing:
+              # https://github.com/ansible/ansible/issues/24425
+              allvars["mu_vaults"][v] ||= {}
+              allvars["mu_vaults"][v].merge!(YAML.load(self.class.encryptString(value.to_yaml, i)))
+            }
+          }
+        end
         if @server.config['cloud'] == "AWS"
           allvars["ec2"] = MU.structToHash(@server.cloud_desc, stringify_keys: true)
         end
         if @server.windows?
           allvars['windows_admin_username'] = @config['windows_admin_username']
+          allvars['ansible_python_interpreter'] = "c:/bin/python/python310/python.exe"
         end
         if !@server.cloud.nil?
@@ -380,6 +446,9 @@ module MU
         }
         groupvars = allvars.dup
+        if @server.windows? and @server.mu_windows_name
+          groupvars['mu_windows_name'] = @server.mu_windows_name
+        end
         if @server.deploy.original_config.has_key?('parameters')
           groupvars["mu_parameters"] = @server.deploy.original_config['parameters']
         end
@@ -433,17 +502,23 @@ module MU
         found
       end
-      # Encrypt a string using +ansible-vault encrypt_string+ and print the
-      # the results to +STDOUT+.
-      # @param name [String]: The variable name to use for the string's YAML key
+      # Encrypt a string using +ansible-vault encrypt_string+ and return +STDOUT+
       # @param string [String]: The string to encrypt
-      def self.encryptString(name, string)
+      # @param name [String]: A name to use for the string's YAML key
+      def self.encryptString(string, name = nil)
         pwfile = vaultPasswordFile
         cmd = %Q{#{ansibleExecDir}/ansible-vault}
-        if !system(cmd, "encrypt_string", string, "--name", name, "--vault-password-file", pwfile)
+        stdout, status = if name
+           Open3.capture2(cmd, "encrypt_string", string, "--name", name, "--vault-password-file", pwfile)
+        else
+          Open3.capture2(cmd, "encrypt_string", string, "--vault-password-file", pwfile)
+        end
+        if !status.success?
           raise MuError, "Failed Ansible command: #{cmd} encrypt_string <redacted> --name #{name} --vault-password-file"
         end
-        output
+        stdout.strip
       end
       # Hunt down and return a path for a Python executable
@@ -630,6 +705,14 @@ module MU
           File.symlink(MU.myRoot+"/ansible/roles/"+role, roledir+"/"+role)
         }
+        coldir = "#{Etc.getpwuid(Process.uid).dir}/.ansible/collections/ansible_collections"
+        ["ansible.windows", "community.general.gem"].each { |coll|
+          %x{#{@ansible_execs}/ansible-galaxy collection list -p "#{coldir}"}
+          if $? != 0
+            system(%Q{#{@ansible_execs}/ansible-galaxy}, "collection", "install", coll, "-p", coldir)
+          end
+        }
         if @server.config['run_list']
           @server.config['run_list'].each { |role|
             found = false
@@ -655,6 +738,7 @@ module MU
             end
           }
         end
       end
       # Upload the certificate to a Chef Vault for this node

data/modules/mu/groomers/chef.rb CHANGED Viewed

@@ -58,6 +58,9 @@ module MU
             require 'chef/knife/ssh'
             require 'mu/monkey_patches/chef_knife_ssh'
             require 'chef/knife/bootstrap'
+            require 'chef/knife/bootstrap/train_connector'
+            require 'chef/knife/bootstrap/chef_vault_handler'
+            require 'chef/knife/bootstrap/client_builder'
             require 'chef/knife/node_delete'
             require 'chef/knife/client_delete'
             require 'chef/knife/data_bag_delete'
@@ -96,11 +99,11 @@ module MU
         }
       end
-      @knife = "cd #{MU.myRoot} && env -i HOME=#{Etc.getpwnam(MU.mu_user).dir} PATH=/opt/chef/embedded/bin:/usr/bin:/usr/sbin knife"
+      @@knife = "cd #{MU.myRoot} && env -i HOME=#{Etc.getpwnam(MU.mu_user).dir} PATH=/usr/local/ruby-current/bin:/opt/chef/embedded/bin:/usr/bin:/usr/sbin knife"
       # The canonical path to invoke Chef's *knife* utility with a clean environment.
       # @return [String]
-      def self.knife;
-        @knife;
+      def self.knife
+        @@knife
       end
       attr_reader :knife
@@ -218,7 +221,7 @@ module MU
       end
       # see {MU::Groomer::Chef.getSecret}
-      def getSecret(vault: nil, item: nil, field: nil)
+      def getSecret(vault: @server.mu_name, item: nil, field: nil)
         self.class.getSecret(vault: vault, item: item, field: field)
       end
@@ -618,8 +621,10 @@ module MU
             kb.name_args = "#{canonical_addr}"
             kb.config[:distro] = 'chef-full'
             kb.config[:ssh_user] = ssh_user
+            kb.config[:ssh_verify_host_key] = :accept_new
             kb.config[:forward_agent] = ssh_user
             kb.config[:identity_file] = "#{Etc.getpwuid(Process.uid).dir}/.ssh/#{ssh_key_name}"
+            kb.config[:ssh_identity_file] = "#{Etc.getpwuid(Process.uid).dir}/.ssh/#{ssh_key_name}"
           else
             kb = ::Chef::Knife::BootstrapWindowsWinrm.new([@server.mu_name])
             kb.name_args = [@server.mu_name]
@@ -628,6 +633,7 @@ module MU
             kb.config[:winrm_port] = 5986
             kb.config[:session_timeout] = timeout
             kb.config[:operation_timeout] = timeout
+#            kb.config[:bootstrap_curl_options] = ""
             if retries % 2 == 0
               kb.config[:host] = canonical_addr
               kb.config[:winrm_authentication_protocol] = :basic
@@ -658,7 +664,9 @@ module MU
           kb.config[:json_attribs] = JSON.generate(json_attribs) if json_attribs.size > 1
           kb.config[:run_list] = run_list
           kb.config[:chef_node_name] = @server.mu_name
+          kb.config[:bootstrap_product] = "chef"
           kb.config[:bootstrap_version] = MU.chefVersion
+          kb.config[:channel] = "stable"
           # XXX key off of MU verbosity level
           kb.config[:log_level] = :debug
           # kb.config[:ssh_gateway] = "#{nat_ssh_user}@#{nat_ssh_host}" if !nat_ssh_host.nil? # Breaking bootsrap
@@ -898,7 +906,7 @@ retry
         vaults_to_clean.each { |vault|
           MU::MommaCat.lock("vault-#{vault['vault']}", false, true)
           MU.log "Purging unknown clients from #{vault['vault']} #{vault['item']}", MU::DEBUG
-          output = %x{#{@knife} data bag show "#{vault['vault']}" "#{vault['item']}_keys" --format json}
+          output = %x{#{knife} data bag show "#{vault['vault']}" "#{vault['item']}_keys" --format json}
           # This is an ugly workaround for --clean-unknown-clients, which in
           # fact cleans known clients.
           if output
@@ -941,7 +949,7 @@ retry
         MU::MommaCat.lock("vault-#{vault}", false, true)
         MU.log "Granting #{host} access to #{vault} #{item}"
         begin
-          ::Chef::Knife.run(['vault', 'update', vault, item, "--search", "name:#{host}"])
+          ::Chef::Knife.run(['vault', 'update', vault, item, "--clients", "#{host}"])
         rescue StandardError => e
           MU.log e.inspect, MU::ERR, details: caller
         end
@@ -1087,6 +1095,7 @@ retry
       def grantSecretAccess(vault, item)
         return if @secrets_granted["#{vault}:#{item}"] == item
         self.class.grantSecretAccess(@server.mu_name, vault, item)
+        MU.log %Q{To retrieve secret #{vault}:#{item} - #{self.class.knife} vault show "#{vault}" "#{item}"}, MU::SUMMARY
         @secrets_granted["#{vault}:#{item}"] = item
       end

data/modules/mu/master.rb CHANGED Viewed

@@ -202,6 +202,7 @@ module MU
         else
           device.dup
         end
         alias_device = cryptfile ? "/dev/mapper/"+path.gsub(/[^0-9a-z_\-]/i, "_") : realdevice
         if !File.exist?(realdevice)
@@ -212,7 +213,7 @@ module MU
               cloud_id: MU.myInstanceId,
               kitten_cfg: {}
             )
-            dummy_svr.addVolume(device, size)
+            dummy_svr.addVolume(dev: device, size: size)
             MU::Cloud::AWS::Server.tagVolumes(
               MU.myInstanceId,
               device: device,
@@ -228,7 +229,7 @@ module MU
               cloud_id: MU.myInstanceId,
               kitten_cfg: { 'project' => MU::Cloud::Google.myProject, 'availability_zone' => MU.myAZ }
             )
-            dummy_svr.addVolume(device, size) # This will tag itself sensibly
+            dummy_svr.addVolume(dev: device, size: size) # This will tag itself sensibly
           else
             raise MuError, "Not in a familiar cloud, so I don't know how to create volumes for myself"
           end
@@ -271,14 +272,16 @@ module MU
         end
         %x{/usr/sbin/xfs_admin -l "#{alias_device}" > /dev/null 2>&1}
         if $?.exitstatus != 0
           MU.log "Formatting #{alias_device}", MU::NOTICE
           %x{/sbin/mkfs.xfs "#{alias_device}"}
           %x{/usr/sbin/xfs_admin -L "#{path.gsub(/[^0-9a-z_\-]/i, "_")}" "#{alias_device}"}
         end
         Dir.mkdir(path, 0700) if !Dir.exist?(path) # XXX recursive
         %x{/usr/sbin/xfs_info "#{alias_device}" > /dev/null 2>&1}
-        if $?.exitstatus != 0
+        if $?.exitstatus == 0 and !File.open("/etc/mtab").read.match(/ #{path} /)
           MU.log "Mounting #{alias_device} to #{path}"
           %x{/bin/mount "#{alias_device}" "#{path}"}
         end
@@ -797,6 +800,7 @@ module MU
       nagios_threads = []
       nagios_threads << Thread.new {
         MU.dupGlobals(parent_thread_id)
+        Thread.current.thread_variable_set("syncMonitoringConfig", "<main>")
         realhome = Etc.getpwnam("nagios").dir
         [NAGIOS_HOME, "#{NAGIOS_HOME}/.ssh"].each { |dir|
           Dir.mkdir(dir, 0711) if !Dir.exist?(dir)
@@ -839,6 +843,7 @@ module MU
                     MU.dupGlobals(parent_thread_id)
                     threads << Thread.new {
                       MU::MommaCat.setThreadContext(deploy)
+                      Thread.current.thread_variable_set("syncMonitoringConfig",server.mu_name)
                       MU.log "Adding #{server.mu_name} to #{NAGIOS_HOME}/.ssh/config", MU::DEBUG
                       MU::Master.addHostToSSHConfig(
                           server,
@@ -941,7 +946,7 @@ module MU
           return true if l =~ /^\/dev\/nvme\d/
         }
       else
-        return true if File.exists?("/dev/nvme0n1")
+        return true if File.exist?("/dev/nvme0n1")
       end
       false
     end

data/modules/mu/mommacat/daemon.rb CHANGED Viewed

@@ -213,6 +213,7 @@ module MU
         need_reload = false
         @cleanup_threads << Thread.new {
           MU.dupGlobals(parent_thread_id)
+          Thread.current.thread_variable_set("cleanTerminatedInstances", deploy_id)
           deploy = MU::MommaCat.getLitter(deploy_id, set_context_to_me: true)
           purged_this_deploy = 0
             MU.log "#{deploy_id} has some kittens in it", loglevel, details: deploy.kittens.keys
@@ -225,7 +226,8 @@ module MU
                 servers.each_pair { |mu_name, server|
                   server.describe
                   if !server.cloud_id
-                    MU.log "Checking for presence of #{mu_name}, but unable to fetch its cloud_id", MU::WARN, details: server
+                    MU.log "Checking for presence of instance '#{mu_name}', but unable to fetch its cloud_id", MU::WARN, server.class.name
+                    pp servers.keys
                   elsif !server.active?
                     next if File.exist?(deploy_dir(deploy_id)+"/.cleanup-"+server.cloud_id)
                     deletia << mu_name
@@ -313,7 +315,7 @@ module MU
         return 0
       end
-      File.unlink(daemonPidFile) if File.exists?(daemonPidFile)
+      File.unlink(daemonPidFile) if File.exist?(daemonPidFile)
       MU.log "Starting Momma Cat on port #{MU.mommaCatPort}, logging to #{daemonLogFile}, PID file #{daemonPidFile}"
       origdir = Dir.getwd
       Dir.chdir(MU.myRoot+"/modules")

data/modules/mu/mommacat/naming.rb CHANGED Viewed

@@ -305,9 +305,8 @@ module MU
         zones = MU::Cloud::DNSZone.find(cloud_id: "platform-mu")
         mu_zone = zones.values.first if !zones.nil?
       end
       if !mu_zone.nil?
-        MU::Cloud::DNSZone.genericMuDNSEntry(name: node.gsub(/[^a-z0-9!"\#$%&'\(\)\*\+,\-\/:;<=>\?@\[\]\^_`{\|}~\.]/, '-').gsub(/--|^-/, ''), target: server.canonicalIP, cloudclass: MU::Cloud::Server, sync_wait: sync_wait)
+        MU::Cloud::DNSZone.genericMuDNSEntry(name: node.gsub(/[^a-z0-9!"\#$%&'\(\)\*\+,\-\/:;<=>\?@\[\]\^_`{\|}~\.]/i, '-').gsub(/--|^-/, ''), target: server.canonicalIP, cloudclass: MU::Cloud::Server, sync_wait: sync_wait)
       else
         MU::Master.addInstanceToEtcHosts(server.canonicalIP, node)
       end

data/modules/mu/mommacat/storage.rb CHANGED Viewed

@@ -179,6 +179,7 @@ module MU
     # return [false, nil]
     def self.lock(id, nonblock = false, global = false, retries: 0, deploy_id: MU.deploy_id)
       raise MuError, "Can't pass a nil id to MU::MommaCat.lock" if id.nil?
+      called_by = caller[0]
       if !global
         lockdir = "#{deploy_dir(deploy_id)}/locks"
@@ -200,6 +201,10 @@ module MU
         @locks[Thread.current.object_id][id] = File.open("#{lockdir}/#{id}.lock", File::CREAT|File::RDWR, 0600)
       }
+      thr_to_s = Proc.new { |t|
+        "#{t.object_id} (#{t.thread_variables.map { |v| "#{v.to_s}: #{t.thread_variable_get(v).to_s}" }.join(", ")})"
+      }
       MU.log "Getting a lock on #{lockdir}/#{id}.lock (thread #{Thread.current.object_id})...", MU::DEBUG, details: caller
       show_relevant = Proc.new {
         @lock_semaphore.synchronize {
@@ -208,7 +213,7 @@ module MU
               if lockid == id
                 thread = Thread.list.select { |t| t.object_id == thread_id }.first
                 if thread.object_id != Thread.current.object_id
-                  MU.log "#{thread_id} sitting on #{id} (#{thread.thread_variables.map { |v| "#{v.to_s}: #{thread.thread_variable_get(v).to_s}" }.join(", ")})", MU::WARN, thread.backtrace
+                  MU.log "Thread #{thr_to_s.call(thread)} sitting on #{id}, which is needed by #{thr_to_s.call(Thread.current)} at #{called_by}", MU::WARN, thread.backtrace
                 end
               end
             }
@@ -585,7 +590,7 @@ module MU
           orig_cfg = findResourceConfig(type, res_name)
           if orig_cfg.nil?
-            MU.log "Failed to locate original config for #{attrs[:cfg_name]} #{res_name} in #{@deploy_id}", MU::WARN if !["firewall_rules", "databases", "storage_pools", "cache_clusters", "alarms"].include?(type) # XXX shaddap
+            MU.log "Failed to locate original config for #{attrs[:cfg_name]} #{res_name}, seen in cached deployment.json for #{@deploy_id}", MU::DEBUG
             next
           end

data/modules/mu/mommacat.rb CHANGED Viewed

@@ -150,6 +150,7 @@ module MU
       @deploy_id = deploy_id
       @mu_user = mu_user.dup
       @no_artifacts = no_artifacts
+      @ssh_key_generated = false
       # Make sure mu_user and chef_user are sane.
       if @mu_user == "root"
@@ -167,7 +168,6 @@ module MU
       @need_deploy_flush = false
       @node_cert_semaphore = Mutex.new
       @deployment = deployment_data
       @deployment['mu_public_ip'] = MU.mu_public_ip
       @private_key = nil
       @public_key = nil
@@ -175,6 +175,7 @@ module MU
       @secrets['instance_secret'] = Hash.new
       @secrets['windows_admin_password'] = Hash.new
       @ssh_key_name = ssh_key_name
+      @ssh_key_name ||= "deploy-#{@deploy_id}"
       @ssh_private_key = ssh_private_key
       @ssh_public_key = ssh_public_key
       @clouds = {}
@@ -195,6 +196,7 @@ module MU
         setDeploySecret
         MU::MommaCat.setThreadContext(self) if set_context_to_me
         save!
+        generatePasswords
       end
       @appname ||= MU.appname
@@ -202,6 +204,7 @@ module MU
       @environment ||= MU.environment
       loadDeploy(set_context_to_me: set_context_to_me)
+      @deployment['mu_all_ips'] ||= [MU.mu_public_ip, MU.my_private_ip].uniq
       if !deploy_secret.nil? and !authKey(deploy_secret)
         raise DeployInitializeError, "Client request did not include a valid deploy authorization secret. Verify that userdata runs correctly?"
       end
@@ -224,6 +227,29 @@ module MU
 #     if !@@litter_semaphore.owned?
     end # end of initialize()
+    def generatePasswords
+      return if !@original_config['generate_passwords']
+      @original_config['generate_passwords'].each { |pw|
+        password = MU.generatePassword(safe_pattern: pw['safe_chars'], length: pw['minlength'])
+        MU.supportedGroomers.each { |g|
+          groomclass = MU.loadGroomer(g)
+          begin
+            groomclass.getSecret(vault: @deploy_id,
+                                        item: pw['itemname'],
+                                        field: 'password')
+          rescue MU::Groomer::MuNoSuchSecret
+            pwdata = { "password" => password }
+            pwdata["username"] = pw["username"] if pw["username"]
+            groomclass.saveSecret(vault: @deploy_id,
+                                  item: pw['itemname'],
+                                  data: pwdata,
+                                  permissions: (g == "Ansible"))
+          end
+        }
+      }
+    end
     # List all the cloud providers declared by resources in our deploy.
     def cloudsUsed
       seen = []
@@ -490,7 +516,7 @@ module MU
     # Return the parts and pieces of this deploy's node ssh key set. Generate
     # or load if that hasn't been done already.
     def SSHKey
-      return [@ssh_key_name, @ssh_private_key, @ssh_public_key] if !@ssh_key_name.nil?
+      return [@ssh_key_name, @ssh_private_key, @ssh_public_key] if @ssh_key_generated
       if numKittens(types: ["Server", "ServerPool", "ContainerCluster"]) == 0
         return []
       end
@@ -535,6 +561,7 @@ module MU
         }
       end
+      @ssh_key_generated = true
       return [@ssh_key_name, @ssh_private_key, @ssh_public_key]
     end
@@ -549,8 +576,8 @@ module MU
     # @param triggering_node [MU::Cloud]: A cloud object calling this notify, usually on behalf of itself
     # @param remove [Boolean]: Remove this resource from the deploy structure, instead of adding it.
     # @return [void]
-    def notify(type, key, data, mu_name: nil, remove: false, triggering_node: nil, delayed_save: false)
-      no_write = (@no_artifacts or !caller.grep(/\/mommacat\.rb:\d+:in `notify'/).empty?)
+    def notify(type, key, data, mu_name: nil, remove: false, triggering_node: nil, delayed_save: false, no_write: nil)
+      no_write ||= (@no_artifacts or !caller.grep(/\/mommacat\.rb:\d+:in `notify'/).empty?)
       begin
         if !no_write
@@ -831,7 +858,7 @@ MAIL_HEAD_END
         next if sibling.config.has_key?("groom") and !sibling.config["groom"]
         threads << Thread.new {
           Thread.abort_on_exception = true
-          Thread.current.thread_variable_set("name", "sync-"+sibling.mu_name.downcase)
+          Thread.current.thread_variable_set("syncLitterThread", sibling.mu_name)
           MU.setVar("syncLitterThread", true)
           begin
             sibling.groomer.saveDeployData
@@ -874,7 +901,7 @@ MAIL_HEAD_END
         sans << resource.mu_name.downcase if resource.mu_name and resource.mu_name != cert_cn
         # XXX were there other names we wanted to include?
         key = MU::Master::SSL.getKey(cert_cn, keysize: keysize)
-        cert, pfx_cert = MU::Master::SSL.getCert(cert_cn, "/CN=#{cert_cn}/O=Mu/C=US", sans: sans, pfx: is_windows)
+        cert, pfx_cert = MU::Master::SSL.getCert(cert_cn, "/CN=#{cert_cn}/O=Mu/C=US", sans: sans, pfx: true)
         results[cert_cn] = [key, cert]
         winrm_cert = nil