RubyGems - cloud-mu - Versions diffs - 3.6.10 → 3.6.11 - Mend

cloud-mu 3.6.10 → 3.6.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (171) hide show

checksums.yaml +4 -4
data/Berksfile +2 -3
data/Berksfile.lock +11 -14
data/bin/mu-aws-setup +16 -4
data/bin/mu-configure +2 -1
data/cloud-mu.gemspec +2 -2
data/cookbooks/mu-firewall/Berksfile +1 -1
data/cookbooks/mu-firewall/attributes/default.rb +2 -2
data/cookbooks/mu-firewall/metadata.rb +3 -3
data/cookbooks/mu-firewall/recipes/default.rb +11 -2
data/cookbooks/mu-master/Berksfile +1 -1
data/cookbooks/mu-master/attributes/default.rb +14 -1
data/cookbooks/mu-master/files/default/389ds-perl/ASDialogs.pm +173 -0
data/cookbooks/mu-master/files/default/389ds-perl/AdminMigration.pm +569 -0
data/cookbooks/mu-master/files/default/389ds-perl/AdminServer.pm +952 -0
data/cookbooks/mu-master/files/default/389ds-perl/AdminUtil.pm +983 -0
data/cookbooks/mu-master/files/default/389ds-perl/ConfigDSDialogs.pm +449 -0
data/cookbooks/mu-master/files/default/389ds-perl/DSCreate.pm +1551 -0
data/cookbooks/mu-master/files/default/389ds-perl/DSDialogs.pm +233 -0
data/cookbooks/mu-master/files/default/389ds-perl/DSMigration.pm +1175 -0
data/cookbooks/mu-master/files/default/389ds-perl/DSUpdate.pm +534 -0
data/cookbooks/mu-master/files/default/389ds-perl/DSUpdateDialogs.pm +152 -0
data/cookbooks/mu-master/files/default/389ds-perl/DSUtil.pm +1710 -0
data/cookbooks/mu-master/files/default/389ds-perl/Dialog.pm +249 -0
data/cookbooks/mu-master/files/default/389ds-perl/DialogManager.pm +212 -0
data/cookbooks/mu-master/files/default/389ds-perl/FileConn.pm +461 -0
data/cookbooks/mu-master/files/default/389ds-perl/Inf.pm +268 -0
data/cookbooks/mu-master/files/default/389ds-perl/Migration.pm +327 -0
data/cookbooks/mu-master/files/default/389ds-perl/RegDSDialogs.pm +94 -0
data/cookbooks/mu-master/files/default/389ds-perl/Resource.pm +137 -0
data/cookbooks/mu-master/files/default/389ds-perl/Setup.pm +240 -0
data/cookbooks/mu-master/files/default/389ds-perl/SetupDialogs.pm +243 -0
data/cookbooks/mu-master/files/default/389ds-perl/SetupLog.pm +82 -0
data/cookbooks/mu-master/files/default/setCertName.ldif +4 -0
data/cookbooks/mu-master/libraries/mu.rb +2 -2
data/cookbooks/mu-master/metadata.rb +1 -1
data/cookbooks/mu-master/recipes/389ds.rb +71 -32
data/cookbooks/mu-master/recipes/basepackages.rb +5 -0
data/cookbooks/mu-master/recipes/default.rb +16 -5
data/cookbooks/mu-master/recipes/init.rb +36 -3
data/cookbooks/mu-master/recipes/ssl-certs.rb +6 -0
data/cookbooks/mu-master/recipes/sssd.rb +85 -62
data/cookbooks/mu-master/recipes/update_nagios_only.rb +7 -1
data/cookbooks/mu-master/templates/default/389-directory-setup.inf.erb +11 -26
data/cookbooks/mu-master/templates/default/sssd.conf.erb +18 -8
data/cookbooks/mu-tools/files/default/Mu_CA.pem +33 -0
data/cookbooks/mu-tools/metadata.rb +0 -1
data/cookbooks/mu-tools/recipes/set_local_fw.rb +7 -1
data/cookbooks/mu-tools/templates/amazon/sshd_config.erb +5 -1
data/cookbooks/nagios/CHANGELOG.md +679 -0
data/cookbooks/nagios/LICENSE +201 -0
data/cookbooks/nagios/README.md +340 -0
data/cookbooks/nagios/attributes/config.rb +163 -0
data/cookbooks/nagios/attributes/default.rb +204 -0
data/cookbooks/nagios/libraries/base.rb +311 -0
data/cookbooks/nagios/libraries/command.rb +68 -0
data/cookbooks/nagios/libraries/contact.rb +229 -0
data/cookbooks/nagios/libraries/contactgroup.rb +111 -0
data/cookbooks/{firewall/recipes/disable_firewall.rb → nagios/libraries/custom_option.rb} +20 -7
data/cookbooks/nagios/libraries/data_bag_helper.rb +23 -0
data/cookbooks/nagios/libraries/default.rb +90 -0
data/cookbooks/nagios/libraries/helpers.rb +229 -0
data/cookbooks/nagios/libraries/host.rb +410 -0
data/cookbooks/nagios/libraries/hostdependency.rb +178 -0
data/cookbooks/nagios/libraries/hostescalation.rb +170 -0
data/cookbooks/nagios/libraries/hostgroup.rb +117 -0
data/cookbooks/nagios/libraries/nagios.rb +277 -0
data/cookbooks/nagios/libraries/resource.rb +59 -0
data/cookbooks/nagios/libraries/service.rb +449 -0
data/cookbooks/nagios/libraries/servicedependency.rb +213 -0
data/cookbooks/nagios/libraries/serviceescalation.rb +193 -0
data/cookbooks/nagios/libraries/servicegroup.rb +142 -0
data/cookbooks/nagios/libraries/timeperiod.rb +159 -0
data/cookbooks/nagios/libraries/users_helper.rb +54 -0
data/cookbooks/nagios/metadata.json +44 -0
data/cookbooks/nagios/metadata.rb +22 -0
data/cookbooks/nagios/recipes/_load_databag_config.rb +153 -0
data/cookbooks/nagios/recipes/_load_default_config.rb +241 -0
data/cookbooks/nagios/recipes/apache.rb +114 -0
data/cookbooks/nagios/recipes/default.rb +41 -0
data/cookbooks/nagios/recipes/nginx.rb +114 -0
data/cookbooks/nagios/recipes/pagerduty.rb +95 -0
data/cookbooks/nagios/recipes/server.rb +182 -0
data/cookbooks/nagios/recipes/server_package.rb +85 -0
data/cookbooks/nagios/recipes/server_source.rb +137 -0
data/cookbooks/nagios/resources/command.rb +34 -0
data/cookbooks/nagios/resources/conf.rb +52 -0
data/cookbooks/nagios/resources/contact.rb +34 -0
data/cookbooks/nagios/resources/contactgroup.rb +35 -0
data/cookbooks/nagios/resources/host.rb +35 -0
data/cookbooks/nagios/resources/hostdependency.rb +35 -0
data/cookbooks/nagios/resources/hostescalation.rb +36 -0
data/cookbooks/nagios/resources/hostgroup.rb +35 -0
data/cookbooks/nagios/resources/resource.rb +34 -0
data/cookbooks/nagios/resources/service.rb +35 -0
data/cookbooks/nagios/resources/servicedependency.rb +35 -0
data/cookbooks/nagios/resources/serviceescalation.rb +35 -0
data/cookbooks/nagios/resources/servicegroup.rb +35 -0
data/cookbooks/nagios/resources/timeperiod.rb +35 -0
data/cookbooks/nagios/templates/apache2.conf.erb +102 -0
data/cookbooks/nagios/templates/cgi.cfg.erb +266 -0
data/cookbooks/nagios/templates/commands.cfg.erb +13 -0
data/cookbooks/nagios/templates/contacts.cfg.erb +37 -0
data/cookbooks/nagios/templates/hostgroups.cfg.erb +25 -0
data/cookbooks/nagios/templates/hosts.cfg.erb +15 -0
data/cookbooks/nagios/templates/htpasswd.users.erb +6 -0
data/cookbooks/nagios/templates/nagios.cfg.erb +22 -0
data/cookbooks/nagios/templates/nginx.conf.erb +80 -0
data/cookbooks/nagios/templates/pagerduty.cgi.erb +185 -0
data/cookbooks/nagios/templates/resource.cfg.erb +27 -0
data/cookbooks/nagios/templates/servicedependencies.cfg.erb +15 -0
data/cookbooks/nagios/templates/servicegroups.cfg.erb +14 -0
data/cookbooks/nagios/templates/services.cfg.erb +14 -0
data/cookbooks/nagios/templates/spawn-fcgi.erb +10 -0
data/cookbooks/nagios/templates/templates.cfg.erb +31 -0
data/cookbooks/nagios/templates/timeperiods.cfg.erb +13 -0
data/extras/platform_berksfile_base +3 -3
data/extras/python_rpm/build.sh +4 -4
data/extras/python_rpm/muthon.spec +2 -4
data/extras/vault_tools/export_vaults.sh +11 -1
data/install/installer +1 -1
data/modules/mu/kittens.rb +27523 -0
data/modules/mu/master/ldap.rb +48 -31
data/modules/mu/master.rb +69 -0
data/modules/mu/mu.yaml.rb +351 -0
data/modules/mu/providers/aws/firewall_rule.rb +3 -1
data/modules/mu/providers/aws.rb +11 -5
data/modules/mu.rb +5 -4
metadata +99 -48
data/cookbooks/firewall/CHANGELOG.md +0 -488
data/cookbooks/firewall/LICENSE +0 -202
data/cookbooks/firewall/README.md +0 -366
data/cookbooks/firewall/TODO.md +0 -6
data/cookbooks/firewall/attributes/default.rb +0 -5
data/cookbooks/firewall/attributes/firewalld.rb +0 -8
data/cookbooks/firewall/attributes/iptables.rb +0 -17
data/cookbooks/firewall/attributes/ufw.rb +0 -12
data/cookbooks/firewall/attributes/windows.rb +0 -8
data/cookbooks/firewall/libraries/helpers.rb +0 -105
data/cookbooks/firewall/libraries/helpers_firewalld.rb +0 -116
data/cookbooks/firewall/libraries/helpers_firewalld_dbus.rb +0 -72
data/cookbooks/firewall/libraries/helpers_iptables.rb +0 -112
data/cookbooks/firewall/libraries/helpers_nftables.rb +0 -170
data/cookbooks/firewall/libraries/helpers_ufw.rb +0 -142
data/cookbooks/firewall/libraries/helpers_windows.rb +0 -129
data/cookbooks/firewall/libraries/provider_firewall_firewalld.rb +0 -179
data/cookbooks/firewall/libraries/provider_firewall_iptables.rb +0 -171
data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu.rb +0 -200
data/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu1404.rb +0 -200
data/cookbooks/firewall/libraries/provider_firewall_rule.rb +0 -34
data/cookbooks/firewall/libraries/provider_firewall_ufw.rb +0 -138
data/cookbooks/firewall/libraries/provider_firewall_windows.rb +0 -126
data/cookbooks/firewall/libraries/resource_firewall.rb +0 -26
data/cookbooks/firewall/libraries/resource_firewall_rule.rb +0 -52
data/cookbooks/firewall/metadata.json +0 -40
data/cookbooks/firewall/metadata.rb +0 -15
data/cookbooks/firewall/recipes/default.rb +0 -76
data/cookbooks/firewall/recipes/firewalld.rb +0 -87
data/cookbooks/firewall/resources/firewalld.rb +0 -28
data/cookbooks/firewall/resources/firewalld_config.rb +0 -39
data/cookbooks/firewall/resources/firewalld_helpers.rb +0 -106
data/cookbooks/firewall/resources/firewalld_icmptype.rb +0 -88
data/cookbooks/firewall/resources/firewalld_ipset.rb +0 -104
data/cookbooks/firewall/resources/firewalld_policy.rb +0 -115
data/cookbooks/firewall/resources/firewalld_service.rb +0 -98
data/cookbooks/firewall/resources/firewalld_zone.rb +0 -118
data/cookbooks/firewall/resources/nftables.rb +0 -71
data/cookbooks/firewall/resources/nftables_rule.rb +0 -113
data/cookbooks/firewall/templates/default/ufw/default.erb +0 -13
/data/cookbooks/{firewall → nagios}/chefignore +0 -0
/data/cookbooks/{firewall → nagios}/renovate.json +0 -0

data/cookbooks/mu-master/recipes/389ds.rb CHANGED Viewed

@@ -18,7 +18,41 @@
 include_recipe 'mu-master::firewall-holes'
-package ["389-ds", "389-ds-console"]
+# We had to hand-roll 389DS packages for Amazon 2023. It was ludicrious.
+if node['platform_family'] == 'amazon' && node['platform_version'].to_i == 2023
+  base_url = "https://s3.amazonaws.com/icras-ruby/"
+  # Mozilla's ancient LDAP library. We don't actually run code out of it, but
+  # a bunch of the supporting tools for 389DS insist on linking to it.
+  pkgs = ["mozldap-6.0.7-1.amzn2023.x86_64.rpm", "mozldap-devel-6.0.7-1.amzn2023.x86_64.rpm", "mozldap-tools-6.0.7-1.amzn2023.x86_64.rpm"]
+  execute "install legacy Mozilla LDAP library" do
+    command "rpm -ivh #{pkgs.map { |p| base_url+p }.join(' ')}"
+    not_if "rpm -q mozldap mozldap-devel mozldap-tools"
+  end
+  link "/usr/local/mozldap/lib" do
+    to "/usr/local/mozldap/lib64"
+  end
+  # Prereqs for 389-admin, including miscellaneous difficult-to-source Perl modules
+  package ["cyrus-sasl-gssapi", "cyrus-sasl-md5", "nss-tools", "perl-Archive-Tar", "perl-DB_File", "perl-debugger", "perl-sigtrap", "openssl-perl", "python3-pytest", "perl-FileHandle", "perl-Log-Log4perl", "perl-LDAP"]
+  version = "3.1.1"
+  pkgs = ["389-ds-base-libs-#{version}-icrasmu.x86_64.rpm", "389-ds-base-3.1.1-icrasmu.x86_64.rpm", "python3-lib389-#{version}-icrasmu.noarch.rpm", "389-ds-base-devel-#{version}-icrasmu.x86_64.rpm"]
+  # XXX These RPMs will conflict with themselves if they try to install twice. They are very stupid.
+  execute "install 389DS packages" do
+    command "rpm -ivh #{pkgs.map { |p| base_url+p }.join(' ')}"
+    not_if "rpm -q 389-ds-base 389-ds-base-libs python3-lib389 389-ds-base-devel"
+  end
+  pkgs = ["389-adminutil-devel-1.1.23-1.amzn2023.x86_64.rpm", "389-adminutil-1.1.23-1.amzn2023.x86_64.rpm"]
+  execute "install 389DS adminutil packages" do
+    command "rpm -ivh #{pkgs.map { |p| base_url+p }.join(' ')}"
+    not_if "rpm -q 389-adminutil 389-adminutil-devel"
+  end
+else
+  package ["389-ds", "389-ds-console"]
+end
 include_recipe 'chef-vault'
@@ -34,7 +68,7 @@ $CREDS = {
     "user" => "CN=mu_join_creds,#{$MU_CFG["ldap"]['user_ou']}"
   },
   "cfg_directory_adm" => {
-    "user" => "admin"
+    "user" => "cn=Directory Manager"
   },
   "root_dn_user" => {
     "user" => "CN=root_dn_user"
@@ -73,10 +107,12 @@ end
 #  %x{/usr/sbin/setenforce 0}
 execute "initialize 389 Directory Services" do
-  command "/usr/sbin/setup-ds-admin.pl -s -f /root/389ds.tmp/389-directory-setup.inf --continue --debug #{Dir.exist?("/etc/dirsrv/slapd-#{$MU_CFG["hostname"]}") ? "--update" : ""}"
+  command "/usr/sbin/dscreate from-file /root/389ds.tmp/389-directory-setup.inf"
   action :nothing
 end
+confdir = "/etc/dirsrv/slapd-#{$MU_CFG["hostname"]}"
 template "/root/389ds.tmp/389-directory-setup.inf"do
   source "389-directory-setup.inf.erb"
   variables :hostname => $MU_CFG["hostname"],
@@ -84,7 +120,7 @@ template "/root/389ds.tmp/389-directory-setup.inf"do
             :domain => $MU_CFG["ldap"]["domain_name"],
             :domain_dn => $MU_CFG["ldap"]["domain_name"].split(/\./).map{ |x| "DC=#{x}" }.join(","),
             :creds => $CREDS
-  not_if { ::Dir.exist?("/etc/dirsrv/slapd-#{$MU_CFG["hostname"]}") }
+  not_if { ::Dir.exist?(confdir) }
   notifies :run, "execute[initialize 389 Directory Services]", :immediately
 end
@@ -115,49 +151,52 @@ file "/root/389ds.tmp/blank" do
   content ""
   action :nothing
 end
-execute "389ds cert util" do
+# This is the PIN for the certificate store, not the LDAP server's root password
+execute "ensure plainpin.txt" do
+  command "cat #{confdir}/pin.txt | cut -d: -f 2 > #{confdir}/plainpin.txt"
+  not_if { File.exist?("#{confdir}/plainpin.txt") }
+end
+# ... the LDAP server's root password is a crypt in #{confdir}/dse.ldif, the
+# line nsslapd-rootpw. You can generate a new one with the /usr/bin/pwdhash
+# utility.
+execute "389ds set Mu CA" do
   if $MU_CFG['ssl'] and $MU_CFG['ssl']['chain']
-    command "/usr/bin/certutil -d /etc/dirsrv/slapd-#{$MU_CFG["hostname"]} -A -n \"Mu Master CA\" -t CT,, -a -i #{$MU_CFG['ssl']['chain']}"
+    command "/usr/bin/certutil -d #{confdir} -A -f #{confdir}/plainpin.txt -n \"Mu Master CA\" -t CTP,C,C -a -i #{$MU_CFG['ssl']['chain']}"
   else
-    command "/usr/bin/certutil -d /etc/dirsrv/slapd-#{$MU_CFG["hostname"]} -A -n \"Mu Master CA\" -t CT,, -a -i /opt/mu/var/ssl/Mu_CA.pem"
+    command "/usr/bin/certutil -d #{confdir} -A -f #{confdir}/plainpin.txt -n \"Mu Master CA\" -t CTP,C,C -a -i /opt/mu/var/ssl/Mu_CA.pem"
   end
   action :nothing
   notifies :restart, "service[#{service_name}]", :delayed
 end
-# Why is this utility interactive-only? So much hate.
-ruby_block "import SSL certificates for 389ds" do
-  block do
-    certimportcmd = "/usr/bin/pk12util -i /opt/mu/var/ssl/ldap.p12 -d /etc/dirsrv/slapd-#{$MU_CFG["hostname"]} -w /root/389ds.tmp/blank -W \"\""
-    require 'pty'
-    require 'expect'
-    PTY.spawn(certimportcmd) { |r, w, _pid|
-      begin
-        r.expect("Enter new password:") do
-          w.puts
-        end
-        r.expect("Re-enter password:") do
-          w.puts
-        end
-      rescue Errno::EIO
-        break
-      end
-    }
-  end
-  notifies :create, "file[/root/389ds.tmp/blank]", :before
-  notifies :run, "execute[389ds cert util]", :immediately
+execute "remove existing Server-Cert" do
+  command "/usr/bin/certutil -D -d #{confdir} -f #{confdir}/plainpin.txt -n Server-Cert"
+  only_if "/usr/bin/certutil -L -d #{confdir} -f #{confdir}/plainpin.txt -n Server-Cert | grep CN=ssca.389ds.example.com" # XXX make this look for any mismatch with the correct one
 end
+# certutil is too stupid to import a key, so we have to do this little dance with pk12util instead
+execute "389ds set Mu server key" do
+  command "PW=\"`cat #{confdir}/plainpin.txt`\" /usr/bin/pk12util -d #{confdir} -i /opt/mu/var/ssl/ldap.p12 -W \"\" -K \"`cat #{confdir}/plainpin.txt`\""
+  #  not_if # XXX be a lot cooler if we guarded this
+  notifies :restart, "service[#{service_name}]", :delayed
+end
+execute "389ds set Mu server cert" do
+  command "/usr/bin/certutil -d #{confdir} -A -f #{confdir}/plainpin.txt -n ldap -t TP,, -a -i /opt/mu/var/ssl/ldap.crt"
+  notifies :run, "execute[389ds set Mu CA]", :before
+end
-{"ssl_enable.ldif" => "nsslapd-security: on", "addRSA.ldif" => "nsSSLActivation: on"}.each_pair { |ldif, guardstr|
+#{"ssl_enable.ldif" => "nsSSL3: off", "addRSA.ldif" => "nsSSLActivation: on"}.each_pair { |ldif, guardstr|
+{"setCertName.ldif" => "nsSSLPersonalitySSL: ldap"}.each_pair { |ldif, guardstr|
   cookbook_file "/root/389ds.tmp/#{ldif}" do
     source ldif
   end
-  execute "/usr/bin/ldapmodify -x -D #{$CREDS["root_dn_user"]['user']} -w #{$CREDS["root_dn_user"]['pw']} -f /root/389ds.tmp/#{ldif}" do
+  execute "/usr/bin/ldapmodify -x -D \"#{$CREDS["cfg_directory_adm"]['user']}\" -w \"#{$CREDS["cfg_directory_adm"]['pw']}\" -f /root/389ds.tmp/#{ldif}" do
     notifies :restart, "service[#{service_name}]", :delayed
-    not_if "grep '#{guardstr}' /etc/dirsrv/slapd-#{$MU_CFG['hostname']}/dse.ldif"
+    not_if "grep '#{guardstr}' #{confdir}/dse.ldif"
   end
 }

data/cookbooks/mu-master/recipes/basepackages.rb CHANGED Viewed

@@ -57,6 +57,11 @@ when 'amazon'
   when 2
     basepackages.concat(["gecode-devel", "mariadb", "qt", "qt-x11", "iptables-services"])
+  when 2023
+    basepackages.concat(["iptables-services"])
+    basepackages.delete("java-1.8.0-openjdk")
+    basepackages.delete("cryptsetup-luks")
   else
     raise "Mu does not support Amazon #{node['platform_version']}"
   end

data/cookbooks/mu-master/recipes/default.rb CHANGED Viewed

@@ -164,7 +164,7 @@ include_recipe "mu-master::update_nagios_only" if !$MU_CFG['disable_nagios']
 if !node['update_nagios_only']
   if !$MU_CFG['disable_nagios']
-    package %w(nagios-plugins-breeze nagios-plugins-by_ssh nagios-plugins-cluster nagios-plugins-dhcp nagios-plugins-dig nagios-plugins-disk nagios-plugins-disk_smb nagios-plugins-dns nagios-plugins-dummy nagios-plugins-file_age nagios-plugins-flexlm nagios-plugins-fping nagios-plugins-game nagios-plugins-hpjd nagios-plugins-http nagios-plugins-icmp nagios-plugins-ide_smart nagios-plugins-ircd nagios-plugins-ldap nagios-plugins-load nagios-plugins-log nagios-plugins-mailq nagios-plugins-mrtg nagios-plugins-mrtgtraf nagios-plugins-nagios nagios-plugins-nt nagios-plugins-ntp nagios-plugins-ntp-perl nagios-plugins-nwstat nagios-plugins-oracle nagios-plugins-overcr nagios-plugins-pgsql nagios-plugins-ping nagios-plugins-procs nagios-plugins-real nagios-plugins-rpc nagios-plugins-sensors nagios-plugins-smtp nagios-plugins-snmp nagios-plugins-ssh nagios-plugins-swap nagios-plugins-tcp nagios-plugins-time nagios-plugins-ups nagios-plugins-users nagios-plugins-wave) do
+    package %w(nagios-plugins-breeze nagios-plugins-by_ssh nagios-plugins-cluster nagios-plugins-dhcp nagios-plugins-dig nagios-plugins-disk nagios-plugins-disk_smb nagios-plugins-dns nagios-plugins-dummy nagios-plugins-file_age nagios-plugins-flexlm nagios-plugins-fping nagios-plugins-game nagios-plugins-hpjd nagios-plugins-http nagios-plugins-icmp nagios-plugins-ide_smart nagios-plugins-ircd nagios-plugins-load nagios-plugins-log nagios-plugins-mailq nagios-plugins-mrtg nagios-plugins-mrtgtraf nagios-plugins-nagios nagios-plugins-nt nagios-plugins-ntp nagios-plugins-nwstat nagios-plugins-oracle nagios-plugins-overcr nagios-plugins-pgsql nagios-plugins-ping nagios-plugins-procs nagios-plugins-real nagios-plugins-rpc nagios-plugins-sensors nagios-plugins-smtp nagios-plugins-snmp nagios-plugins-ssh nagios-plugins-swap nagios-plugins-tcp nagios-plugins-time nagios-plugins-ups nagios-plugins-users nagios-plugins-wave) do
       action :install
     end
@@ -218,6 +218,14 @@ if !node['update_nagios_only']
   if !$MU_CFG['public_address'].match(/^\d+\.\d+\.\d+\.\d+$/)
     svrname = $MU_CFG['public_address']
   end
+  directory "/etc/httpd/conf" do
+    recursive true
+    mode 0755
+  end
+  package ["php8.3", "php8.3-devel", "php8.3-cli", "php8.3-modphp", "php-pear"]
   apache2_install "" do
     docroot_dir "/var/www/html"
     modules %w{status alias auth_basic authn_core authn_file authz_core authz_groupfile authz_host authz_user autoindex deflate dir env mime negotiation setenvif log_config logio unixd systemd headers proxy proxy_http rewrite ssl ldap authnz_ldap slotmem_shm}
@@ -231,11 +239,11 @@ if !node['update_nagios_only']
   apache2_mod_cgid ""
   apache2_mod_ssl ""
-  link "/usr/lib64/httpd/modules/mod_php5.so" do
-    to "/usr/lib64/httpd/modules/libphp5.so"
-  end
+#  link "/usr/lib64/httpd/modules/mod_php5.so" do
+#    to "/usr/lib64/httpd/modules/libphp5.so"
+#  end
   apache2_mod "php"
-  apache2_module "php5"
+#  apache2_module "php5"
   apache2_module "cgi"
   apache2_default_site "" do
     action :enable
@@ -465,6 +473,9 @@ if !node['update_nagios_only']
   template "Mu Master /etc/ssh/sshd_config" do
     path "/etc/ssh/sshd_config"
+    variables(
+      :allowgroups => ["mu-users"]
+    )
     source "sshd_config.erb"
     mode 0600
     owner "root"

data/cookbooks/mu-master/recipes/init.rb CHANGED Viewed

@@ -31,7 +31,7 @@ chef_gem "cloud-mu" do
 end
 CHEF_SERVER_VERSION="14.11.31-1"
-CHEF_CLIENT_VERSION="18.5.0"
+CHEF_CLIENT_VERSION="18.7.6"
 # The versions of these must not bring in a newer version of aws-sdk-core
 # than whatever Chef prefers (aws-sdk-core 3.171.0 as of Chef 18.5.0,
@@ -262,7 +262,7 @@ when 'amazon'
     elversion = '7'
   when '2023'
-    basepackages.concat(['libX11', 'mariadb105-devel', 'cryptsetup', 'ncurses-devel', 'ncurses-compat-libs', 'iptables-services', 'libxcrypt-compat', 'ruby'])
+    basepackages.concat(['libX11', 'mariadb105-devel', 'cryptsetup', 'ncurses-devel', 'ncurses-compat-libs', 'iptables-services', 'libxcrypt-compat', 'ruby', 'nspr-devel', 'nss-devel >= 3.34', 'openldap-clients', 'openldap-devel', 'lmdb-devel', 'cyrus-sasl-devel', 'icu', 'libicu-devel', 'pcre2-devel', 'cracklib-devel', 'json-c-devel', 'libatomic', 'clang', 'compiler-rt', 'lld', 'gcc', 'gcc-c++', 'libasan', 'libtsan', 'libubsan', 'libdb-devel', 'net-snmp-devel', 'bzip2-devel', 'openssl-devel', 'pam-devel', 'systemd-units', 'systemd-devel', 'pkgconfig', 'krb5-devel', 'autoconf', 'automake', 'libtool', 'doxygen', 'libcmocka-devel', 'python3', 'python3-devel', 'python3-setuptools', 'python3-ldap', 'python3-pyasn1', 'python3-pyasn1-modules', 'python3-dateutil', 'python3-argcomplete', 'python3-policycoreutils', 'python3-libselinux', 'python3-cryptography', 'rsync', 'python3-pip'])
     basepackages.delete('curl')
     removepackages = ['nagios', 'firewalld']
     elversion = '7'
@@ -298,7 +298,7 @@ end
 # this takes up a huge amount of space, save it until we're fully operational
 if !RUNNING_STANDALONE
-  rpms["python38"] = "https://s3.amazonaws.com/cloudamatic/muthon-3.8.3-1.el#{elversion}.x86_64.rpm"
+  rpms["python38"] = "https://s3.amazonaws.com/icras-ruby/muthon-3.13.1-1.#{shorthand}#{node['platform_version'].split('.')[0]}.x86_64.rpm"
 end
 package basepackages
@@ -795,6 +795,39 @@ execute "ensure Chef indexes aren't read-only" do
   command %Q{curl -XPUT -H "Content-Type: application/json" http://127.0.0.1:9200/_all/_settings -d '{"index.blocks.read_only_allow_delete": null}'}
 end
+if node['platform_family'] == "amazon" and node['platform_version'].split('.')[0] == "2023"
+  execute "install python's argparse-manpage" do
+    command "/usr/bin/pip3 install argparse-manpage"
+    not_if { File.exist?("/usr/local/bin/argparse-manpage") }
+  end
+  execute "fetch Rust installer" do
+    command "curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs > /root/rust-install.sh && chmod 700 /root/rust-install.sh"
+    action :nothing
+  end
+  execute "install Rust for root only" do
+    command "/root/rust-install.sh -y"
+    notifies :run, "execute[fetch Rust installer]", :before
+    not_if { File.exist?("/root/.cargo/bin/rustc") }
+  end
+  execute "fetch NodeJS repo installer" do
+    command "curl -fsSL https://rpm.nodesource.com/setup_23.x -o /root/nodesource_setup.sh"
+    action :nothing
+  end
+  execute "enable NodeJS repo" do
+    command "sh /root/nodesource_setup.sh"
+    action :nothing
+  end
+  package "nodejs" do
+    notifies :run, "execute[enable NodeJS repo]", :before
+    action :install
+  end
+end
 directory TMPDIR do
   action :delete
   recursive true

data/cookbooks/mu-master/recipes/ssl-certs.rb CHANGED Viewed

@@ -80,6 +80,9 @@ end
 remote_file "#{$MU_CFG['installdir']}/lib/cookbooks/mu-tools/files/default/Mu_CA.pem" do
   source "file://#{$MU_CFG['datadir']}/ssl/Mu_CA.pem"
 end
+execute "chcon -t httpd_config_t #{$MU_CFG['datadir']}/ssl/Mu_CA.pem" do
+  not_if "ls -aZ #{$MU_CFG['datadir']}/ssl/Mu_CA.pem | grep 'object_r:httpd_config_t'"
+end
 service_certs.each { |cert|
   bash "generate service cert for #{cert}" do
@@ -102,6 +105,9 @@ service_certs.each { |cert|
     file "#{$MU_CFG['datadir']}/ssl/#{cert}.#{type}" do
       mode 0400
     end
+    execute "chcon -t httpd_config_t #{$MU_CFG['datadir']}/ssl/#{cert}.#{type}" do
+      not_if "ls -aZ #{$MU_CFG['datadir']}/ssl/#{cert}.#{type} | grep 'object_r:httpd_config_t'"
+    end
   end
   file "#{$MU_CFG['datadir']}/ssl/#{cert}.csr" do

data/cookbooks/mu-master/recipes/sssd.rb CHANGED Viewed

@@ -19,72 +19,95 @@
 include_recipe 'mu-master::firewall-holes'
 include_recipe "mu-master::389ds"
+# XXX SSSD seems to not work on Amazon 2023 at all right now. It fails silently
+# on startup over some kind of systemd/permission issue (it can't write its
+# PID file, no it's not SELinux's fault either).
+#
+# If you run it interactively (sssd -i), it can't seem to enumerate users from
+# the LDAP server, though they are definitely present.
+#
+# Working around this problem elsewhere.
 package "sssd"
-package "sssd-ldap"
+package "sssd-tools"
 package "sssd-client"
-package "nss-pam-ldapd" do
-  action :remove
-end
-package "pam_ldap" do
-  action :remove
-end
-package "dbus"
-service "messagebus" do
-  action [:enable, :start]
-end
-package "nscd"
-service "nscd" do
-  action [:disable, :stop]
-end
-package "oddjob-mkhomedir"
-execute "restorecon -r /usr/sbin"
-service "sshd" do
-  action :nothing
-end
-# SELinux Policy for oddjobd and its interaction with syslogd
-cookbook_file "syslogd_oddjobd.pp" do
-  path "#{Chef::Config[:file_cache_path]}/syslogd_oddjobd.pp"
-end
-execute "Add oddjobd and syslogd interaction to SELinux allow list" do
-  command "/usr/sbin/semodule -i syslogd_oddjobd.pp"
-  cwd Chef::Config[:file_cache_path]
-  not_if "/usr/sbin/semodule -l | grep syslogd_oddjobd"
-  notifies :restart, "service[oddjobd]", :delayed
-end
-service "oddjobd" do
-  start_command "sh -x /etc/init.d/oddjobd start" if %w{redhat centos}.include?(node['platform']) && node['platform_version'].to_i == 6  # seems to actually work
-  action [:enable, :start]
-end
-package "authconfig"
-execute "LC_ALL=C /usr/sbin/authconfig --disablenis --disablecache --disablewinbind --disablewinbindauth --enablemkhomedir --disablekrb5 --enablesssd --enablesssdauth --enablelocauthorize --disableforcelegacy --disableldap --disableldapauth --updateall" do
-  notifies :restart, "service[oddjobd]", :immediately
-  notifies :reload, "service[sshd]", :delayed
-  not_if "grep pam_sss.so /etc/pam.d/password-auth"
-end
-directory "/var/log/sssd" do
-  mode 0750
-  recursive true
-end
 service "sssd" do
   action :nothing
   notifies :restart, "service[sshd]", :immediately
 end
-template "/etc/sssd/sssd.conf" do
-  source "sssd.conf.erb"
-  mode 0600
-  owner "root"
-  group "root"
-  notifies :restart, "service[sssd]", :immediately
-  variables(
-    :base_dn => $MU_CFG['ldap']['base_dn'],
-    :user_ou => $MU_CFG['ldap']['user_ou'],
-    :dcs => $MU_CFG['ldap']['dcs']
-  )
-end
-service "sssd" do
-  action [:enable, :start]
-  notifies :restart, "service[sshd]", :immediately
+if node['platform_family'] == 'amazon' && node['platform_version'].to_i == 2023
+  package "authselect"
+  execute "authselect select minimal --force" do
+    not_if "authselect current | grep '^Profile ID: minimal$'"
+    notifies :restart, "service[sshd]", :immediately
+  end
+else
+  package "sssd-ldap"
+  package "authconfig"
+  package "nss-pam-ldapd" do
+    action :remove
+  end
+  package "pam_ldap" do
+    action :remove
+  end
+  package "dbus"
+  service "messagebus" do
+    action [:enable, :start]
+  end
+  package "nscd"
+  service "nscd" do
+    action [:disable, :stop]
+  end
+  package "oddjob-mkhomedir"
+  execute "restorecon -r /usr/sbin"
+  service "sshd" do
+    action :nothing
+  end
+  execute "LC_ALL=C /usr/sbin/authconfig --disablenis --disablecache --disablewinbind --disablewinbindauth --enablemkhomedir --disablekrb5 --enablesssd --enablesssdauth --enablelocauthorize --disableforcelegacy --disableldap --disableldapauth --updateall" do
+    notifies :restart, "service[oddjobd]", :immediately
+    notifies :reload, "service[sshd]", :delayed
+    not_if "grep pam_sss.so /etc/pam.d/password-auth"
+  end
+  # SELinux Policy for oddjobd and its interaction with syslogd
+  cookbook_file "syslogd_oddjobd.pp" do
+    path "#{Chef::Config[:file_cache_path]}/syslogd_oddjobd.pp"
+  end
+  execute "Add oddjobd and syslogd interaction to SELinux allow list" do
+    command "/usr/sbin/semodule -i syslogd_oddjobd.pp"
+    cwd Chef::Config[:file_cache_path]
+    not_if "/usr/sbin/semodule -l | grep syslogd_oddjobd"
+    notifies :restart, "service[oddjobd]", :delayed
+  end
+  service "oddjobd" do
+    start_command "sh -x /etc/init.d/oddjobd start" if %w{redhat centos}.include?(node['platform']) && node['platform_version'].to_i == 6  # seems to actually work
+    action [:enable, :start]
+  end
+  directory "/var/log/sssd" do
+    mode 0750
+    recursive true
+  end
+  service "sssd" do
+    action :nothing
+    notifies :restart, "service[sshd]", :immediately
+  end
+  template "/etc/sssd/sssd.conf" do
+    source "sssd.conf.erb"
+    mode 0600
+    owner "root"
+    group "root"
+    notifies :restart, "service[sssd]", :immediately
+    variables(
+      :base_dn => $MU_CFG['ldap']['base_dn'],
+      :user_ou => $MU_CFG['ldap']['user_ou'],
+      :dcs => $MU_CFG['ldap']['dcs']
+    )
+  end
+  service "sssd" do
+    action [:enable, :start]
+    notifies :restart, "service[sshd]", :immediately
+  end
 end

data/cookbooks/mu-master/recipes/update_nagios_only.rb CHANGED Viewed

@@ -202,6 +202,10 @@ else
       not_if "ls -aZ /usr/lib64/nagios/plugins/check_nagios | grep 'object_r:nagios_'"
     end
   end
+  execute "chcon -t nagios_etc_t /etc/nagios/nrpe.d/check_disk.cfg" do
+    not_if "ls -aZ /etc/nagios/nrpe.d/check_disk.cfg | grep 'object_r:nagios_etc_t'"
+    only_if { File.exist?("/etc/nagios/nrpe.d/check_disk.cfg") }
+  end
   # execute "chgrp apache /var/log/nagios"
   ["/etc/nagios/conf.d/", "/etc/nagios/*.cfg", "/var/run/nagios.pid"].each { |dir|
@@ -211,7 +215,9 @@ else
     end
   }
-  execute "/sbin/restorecon -R /var/log/nagios"
+  execute "/sbin/restorecon -R /var/log/nagios" do
+    only_if { ::Dir.exist?("/var/log/nagios") }
+  end
   # The Nagios cookbook currently screws up this setting, so work around it.
   execute "sed -i s/^interval_length=.*/interval_length=1/ || echo 'interval_length=1' >> /etc/nagios/nagios.cfg" do

data/cookbooks/mu-master/templates/default/389-directory-setup.inf.erb CHANGED Viewed

@@ -1,28 +1,13 @@
-[General]
-FullMachineName= <%= @address %>
-SuiteSpotUserID= nobody
-SuiteSpotGroup= nobody
-AdminDomain= <%= @domain %>
-ServerRoot = /usr/lib64/dirsrv
-StrictHostCheck = false
-ConfigDirectoryAdminID= <%= @creds["cfg_directory_adm"]["user"] %>
-ConfigDirectoryAdminPwd= <%= @creds["cfg_directory_adm"]["pw"] %>
-ConfigDirectoryLdapURL= ldap://<%= @address %>:389/o=NetscapeRoot
-[admin]
-Port= 9830
-ServerIpAddress= 0.0.0.0
-ServerAdminID= <%= @creds["cfg_directory_adm"]["user"] %>
-ServerAdminPwd= <%= @creds["cfg_directory_adm"]["pw"] %>
+[general]
+full_machine_name = <%= @address %>
+start = True
+strict_host_checking = False
 [slapd]
-AddOrgEntries = Yes
-AddSampleEntries = No
-SlapdConfigForMC= Yes
-UseExistingMC= No
-ServerPort= 389
-ServerIdentifier= <%= @hostname.gsub(/[^a-z0-9#%:@_-]/i, "_") %>
-Suffix= <%= @domain_dn %>
-naming_value= <%= @domain %>
-RootDN= <%= @creds["root_dn_user"]["user"] %>
-RootDNPwd= <%= @creds["root_dn_user"]["pw"] %>
+instance_name = <%= @hostname %>
+root_password = <%= @creds["cfg_directory_adm"]["pw"] %>
+secure_port = 636
+[backend-userroot]
+create_suffix_entry = True
+suffix = dc="platform-mu"

data/cookbooks/mu-master/templates/default/sssd.conf.erb CHANGED Viewed

@@ -1,34 +1,44 @@
 [domain/platform-mu]
-autofs_provider = ldap
+enabled = true
 cache_credentials = False
 enumerate = True
-ldap_search_base = <%= @base_dn %>
-ldap_user_search_base = <%= @base_dn %>
-ldap_group_search_base = <%= @base_dn %>
+access_provider = permit
+<% if @base_dn %>
+autofs_provider = ldap
 id_provider = ldap
 auth_provider = ldap
-access_provider = permit
 chpass_provider = ldap
 sudo_provider = ldap
+ldap_search_base = <%= @base_dn %>
+ldap_user_search_base = OU=Users,<%= @base_dn %>
+ldap_group_search_base = OU=Groups,<%= @base_dn %>
+ldap_schema = rfc2307
 ldap_uri = <%= @dcs.map { |dc| "ldaps://"+dc+"/" }.join(",") %>
 ldap_tls_reqcert = allow
 ldap_id_use_start_tls = True
-ldap_tls_cacertdir = /etc/openldap/cacerts
+ldap_tls_cacertdir = /opt/mu/var/ssl/Mu_CA.pem
 ldap_user_object_class = inetorgperson
 ldap_user_uid_number = employeeNumber
 ldap_user_gid_number = departmentNumber
 ldap_group_objectclass = posixGroup
 ldap_group_member = memberUid
 ldap_group_gid_number = gidNumber
+ldap_min_id = 10000
+<% else %>
+id_provider = files
+proxy_lib_name = files
+proxy_pam_target = sssd-shadowutils
+<% end %>
 [sssd]
 services = nss, pam
 config_file_version = 2
 domains = platform-mu
+domain_resolution_order = platform-mu,files
 [nss]
-nss_filter_groups = root
-nss_filter_users = root, apache, postfix, bin, daemon, sshd, ftp, clam, centos, mysql, clam, saslauth, dbus, nagios, rpc, nscd
+filter_groups = root
+filter_users = root, apache, postfix, bin, daemon, sshd, ftp, clam, centos, mysql, clam, saslauth, dbus, nagios, rpc, nscd
 override_homedir = /home/%u
 default_shell = /bin/bash

data/cookbooks/mu-tools/files/default/Mu_CA.pem ADDED Viewed

@@ -0,0 +1,33 @@
+-----BEGIN CERTIFICATE-----
+MIIFxDCCA6ygAwIBAgIUPoPbuBgBWIv0DrXhb862YSWbjEIwDQYJKoZIhvcNAQEN
+BQAwXTEWMBQGA1UEAwwNNTIuMjA2LjU5LjI1NTEgMB4GA1UECwwXTXUgU2VydmVy
+IDUyLjIwNi41OS4yNTUxFDASBgNVBAoMC2VHbG9iYWxUZWNoMQswCQYDVQQGEwJV
+UzAeFw0yNDEyMDkwNTA1NTZaFw0yNzA5MjkwNTA1NTZaMF0xFjAUBgNVBAMMDTUy
+LjIwNi41OS4yNTUxIDAeBgNVBAsMF011IFNlcnZlciA1Mi4yMDYuNTkuMjU1MRQw
+EgYDVQQKDAtlR2xvYmFsVGVjaDELMAkGA1UEBhMCVVMwggIiMA0GCSqGSIb3DQEB
+AQUAA4ICDwAwggIKAoICAQCbdWLUArFSAON/1Verd6RO/N05XjLBLu1CtKuUta+I
+JhFArFBjhaGX4v9lKsK0aU3aXhiTktM7ATuun+KC18/rNzDv6TXnvWEJOI44NeQT
+uQsug0arRkxRco0Z8gKFfGK26haNDFgR9AqeO8RbjmUuDRyet2lYTF+kOPMeEu+N
+t1FInzGXdDw5syfodgklAmOor+z/ImFvFMT7FmShJ9kFWL744tAGFGkH6fow0QZ7
+XBjXjNlQEz8h3+Nqym70fFX5XVidnQub4+cXqGKwLPyGrJmNzfPE/M3DO8TWxC2Q
+fe142Xt9R00RQrIWeszzl1U5Sq6WLt6w78ziWRmONxvN5ZcYMnzV/tzCuZ9WthU/
+cCinlWbWtkz6r+mKn5IFLca/AUmD3WdDeetpP30z0dD2vNaM3njuq3kE7GlgT065
+yPumE7YGQyN7i1bECQ/0XhxwSubrdm4+C4Fu7QfIRidCOxlkZFZzs9hpcTm1hxxN
+ygJsmqy3SA3NpAsR1QQMjBGCLDu/Ml6Do4f+aqsqPcHAFRtKisOWXmFKyoneaWW1
+vOt8ZQXF1aoIvTmJ6Vy1FJZa4UmD7LtTiNDBHVXh1DPHV2/gBPNaSk3xmzmjoVBN
+vn7RmgYkgH3JdmhhNAYyqixbBRPUqFNE36FEIP6EUY+GdmZTneujFDDCLJghzMrJ
+lwIDAQABo3wwejAqBgNVHREEIzAhhwQ0zjv/gglsb2NhbGhvc3SHBH8AAAGCCGlj
+cmFzLW11MB0GA1UdDgQWBBRJx2ufKhH6OQBjI8orkMrTztWWvzAfBgNVHSMEGDAW
+gBRJx2ufKhH6OQBjI8orkMrTztWWvzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEB
+DQUAA4ICAQB2/qLrUOntYza+XEx+p7xLWyZcAQvDMg+gRwwpgOx9PPL1ZYGEQ85F
+lam6m+n86TScVCvVLLX/tfolzJsrJVO2QewAA4WGLly+26N79Gc4NinXoe5zV3P+
+81xAyhZ72RNDRp57I4pmYrwp0x8iP3fF+kdNEdji3+4TQzfXcmFlbevGBAVjA+sr
+Ubjy5hTW7Zrxm9Dne+GLS5sspuYymEcE1IV13DAhCBN8SGf8F/v657tyUVsZwrgL
+1gTCVyj1FOauOOF6j/gttpQM0LwfVNMSLgO1nLJ4UKe3BFraSnJUDQk74cHAuYjT
+nLRiiv/GHwDtBnSespvZ14Zmfi7CY1MfO9XtS2jf3NTVIvMax207dbHQAxHf/D+k
+N5rKjVIHr3Ic6P8/SBBAqriY2+k/ZRHX6PgqzCow5ek4nME/jGKRvBcIzq/vcXk3
+1dFlY1il4T+ClgCiNgpG1mE50s7HiPOjDxDt4Y6tKjyeUn3KGZ+nHizryUrHHyrR
+gxXqSz72DHo1SdPDs5uUod8S3bB/L/BQOb/LYfSevAohkzWLWxKEg0teFkh8VsCk
+e9YJY8n+dbzitbpqaugQKbxIz/cmBaHz86l6GC3Dg59Di5l564j0h0wbPb/jMeIY
+a++LM5rOunhzaVmpMG4MZMcgUoSMQgzQHuNsfWGPDlOSGmzky/IpPw==
+-----END CERTIFICATE-----

data/cookbooks/mu-tools/metadata.rb CHANGED Viewed

@@ -27,5 +27,4 @@ depends "yum-epel", '~> 5.0.8'
 depends "mu-firewall"
 depends "mu-activedirectory"
 depends "chocolatey"
-depends "firewall"
 depends 'selinux', '~> 3.0.0'

data/cookbooks/mu-tools/recipes/set_local_fw.rb CHANGED Viewed

@@ -19,7 +19,13 @@
 if !node['application_attributes']['skip_recipes'].include?('set_local_fw')
   master_ips = get_mu_master_ips
   case node['platform_family']
-  when 'rhel'#, 'amazon'
+  when 'amazon'
+    if node['platform_version'].to_i == 2023
+      include_recipe 'mu-firewall'
+    end
+  when 'rhel'
     include_recipe 'mu-firewall'
     if elversion >= 7 and node['platform_family'] != "amazon" # Can use firewalld, but not if iptables is already rigged

data/cookbooks/mu-tools/templates/amazon/sshd_config.erb CHANGED Viewed

@@ -165,4 +165,8 @@ UseDNS no
 # CAP Mod, restrict ciphers
 Ciphers aes128-ctr,aes192-ctr,aes256-ctr
-AllowUsers ec2-user root
+<% if @allowgroups %>
+  AllowGroups <%= @allowgroups.join(" ") %>
+<% else %>
+  AllowUsers ec2-user root
+<% end %>