cloud-mu 3.1.5 → 3.1.6
- checksums.yaml +4 -4
- data/Dockerfile +5 -1
- data/ansible/roles/mu-windows/files/LaunchConfig.json +9 -0
- data/ansible/roles/mu-windows/files/config.xml +76 -0
- data/ansible/roles/mu-windows/tasks/main.yml +16 -0
- data/bin/mu-adopt +2 -1
- data/bin/mu-configure +16 -0
- data/bin/mu-node-manage +15 -16
- data/cloud-mu.gemspec +2 -2
- data/cookbooks/mu-activedirectory/resources/domain.rb +4 -4
- data/cookbooks/mu-activedirectory/resources/domain_controller.rb +4 -4
- data/cookbooks/mu-tools/recipes/eks.rb +2 -2
- data/cookbooks/mu-tools/recipes/windows-client.rb +25 -22
- data/extras/clean-stock-amis +25 -19
- data/extras/image-generators/AWS/win2k12.yaml +2 -0
- data/extras/image-generators/AWS/win2k16.yaml +2 -0
- data/extras/image-generators/AWS/win2k19.yaml +2 -0
- data/modules/mommacat.ru +1 -1
- data/modules/mu.rb +6 -5
- data/modules/mu/adoption.rb +19 -4
- data/modules/mu/cleanup.rb +181 -293
- data/modules/mu/cloud.rb +58 -17
- data/modules/mu/clouds/aws.rb +36 -1
- data/modules/mu/clouds/aws/container_cluster.rb +30 -21
- data/modules/mu/clouds/aws/role.rb +1 -1
- data/modules/mu/clouds/aws/vpc.rb +5 -1
- data/modules/mu/clouds/azure.rb +10 -0
- data/modules/mu/clouds/cloudformation.rb +10 -0
- data/modules/mu/clouds/google.rb +18 -4
- data/modules/mu/clouds/google/bucket.rb +2 -2
- data/modules/mu/clouds/google/container_cluster.rb +10 -7
- data/modules/mu/clouds/google/database.rb +3 -3
- data/modules/mu/clouds/google/firewall_rule.rb +3 -3
- data/modules/mu/clouds/google/function.rb +3 -3
- data/modules/mu/clouds/google/loadbalancer.rb +4 -4
- data/modules/mu/clouds/google/role.rb +18 -9
- data/modules/mu/clouds/google/server.rb +16 -14
- data/modules/mu/clouds/google/server_pool.rb +4 -4
- data/modules/mu/clouds/google/user.rb +2 -2
- data/modules/mu/clouds/google/vpc.rb +9 -13
- data/modules/mu/config.rb +1 -1
- data/modules/mu/config/container_cluster.rb +5 -0
- data/modules/mu/config/doc_helpers.rb +1 -1
- data/modules/mu/config/ref.rb +12 -6
- data/modules/mu/config/schema_helpers.rb +8 -3
- data/modules/mu/config/server.rb +7 -0
- data/modules/mu/config/tail.rb +1 -0
- data/modules/mu/config/vpc.rb +15 -7
- data/modules/mu/config/vpc.yml +0 -1
- data/modules/mu/defaults/AWS.yaml +48 -48
- data/modules/mu/deploy.rb +1 -1
- data/modules/mu/groomer.rb +1 -1
- data/modules/mu/groomers/ansible.rb +69 -4
- data/modules/mu/groomers/chef.rb +48 -4
- data/modules/mu/master.rb +75 -3
- data/modules/mu/mommacat.rb +104 -855
- data/modules/mu/mommacat/naming.rb +28 -0
- data/modules/mu/mommacat/search.rb +463 -0
- data/modules/mu/mommacat/storage.rb +185 -183
- data/modules/tests/super_simple_bok.yml +1 -3
- metadata +8 -5
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 447346eba4a1cd7ee0df18c2c85aea32d1a45af0f4d22474fc902007d1f30a2c
|
4
|
+
data.tar.gz: 8f44c2cf180c0748c712b9c244d0c21335147c6a3c9f6a1472772546e13a9b85
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 8008e86471d5596337e3b642f5740a2bfe3b178646dd36a37f23dcfb8e0eacfcfbab4bac148ec5855f74f803543fd333480636249ec938387523e6f0c1fddde8
|
7
|
+
data.tar.gz: '08466a848ca7b54fc6460e240f472cc812e93730650545f240a92ea67bde875b96a5d8398b770182355721c6628887665f938dcb7a3103209f7e170cffa246b9'
|
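--- a/data/Dockerfile
+++ b/data/Dockerfile
@@ -8,7 +8,7 @@ RUN df -h
 
 RUN apt-get update
 
-RUN apt-get install -y ruby2.5-dev dnsutils ansible build-essential
+RUN apt-get install -y ruby2.5-dev dnsutils ansible build-essential python-pip curl
 
 RUN apt-get upgrade -y
 
@@ -24,10 +24,14 @@ RUN ls -la
 
 #RUN rm --verbose -f cloud-mu-*.gem
 
+RUN pip install pywinrm
+
 RUN apt-get remove -y build-essential ruby2.5-dev
 
 RUN apt-get autoremove -y
 
+RUN curl -LO https://storage.googleapis.com/kubernetes-release/release/v1.17.4/bin/linux/amd64/kubectl && mv kubectl /usr/bin && chmod +x /usr/bin/kubectl
+
 EXPOSE 2260
 
 CMD /usr/sbin/init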
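Review bot: The kubectl download in the last added `RUN` line is installed without any integrity check and without `-f`, so a tampered object or an HTTP error body from the bucket would land in /usr/bin/kubectl with the execute bit set. The Kubernetes release bucket publishes a `kubectl.sha256` beside each binary, so the layer can verify the hash before installing, and `-fsSL` makes curl fail the build on a non-2xx response. `pip install pywinrm` on the line above is likewise unpinned; pin a version so the image is reproducible. Rewritten download step:
```dockerfile
RUN curl -fsSLO https://storage.googleapis.com/kubernetes-release/release/v1.17.4/bin/linux/amd64/kubectl \
 && curl -fsSLO https://storage.googleapis.com/kubernetes-release/release/v1.17.4/bin/linux/amd64/kubectl.sha256 \
 && echo "$(cat kubectl.sha256)  kubectl" | sha256sum --check \
 && install -m 0755 kubectl /usr/bin/kubectl \
 && rm -f kubectl kubectl.sha256
```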
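--- a/data/ansible/roles/mu-windows/files/config.xml
+++ b/data/ansible/roles/mu-windows/files/config.xml
@@ -0,0 +1,76 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Ec2ConfigurationSettings>
+<Plugins>
+<Plugin>
+<Name>Ec2SetPassword</Name>
+<State>Enabled</State>
+</Plugin>
+<Plugin>
+<Name>Ec2SetComputerName</Name>
+<State>Disabled</State>
+</Plugin>
+<Plugin>
+<Name>Ec2InitializeDrives</Name>
+<State>Enabled</State>
+</Plugin>
+<Plugin>
+<Name>Ec2EventLog</Name>
+<State>Disabled</State>
+</Plugin>
+<Plugin>
+<Name>Ec2ConfigureRDP</Name>
+<State>Disabled</State>
+</Plugin>
+<Plugin>
+<Name>Ec2OutputRDPCert</Name>
+<State>Enabled</State>
+</Plugin>
+<Plugin>
+<Name>Ec2SetDriveLetter</Name>
+<State>Enabled</State>
+</Plugin>
+<Plugin>
+<Name>Ec2WindowsActivate</Name>
+<State>Enabled</State>
+</Plugin>
+<Plugin>
+<Name>Ec2DynamicBootVolumeSize</Name>
+<State>Disabled</State>
+</Plugin>
+<Plugin>
+<Name>Ec2SetHibernation</Name>
+<State>Enabled</State>
+</Plugin>
+<Plugin>
+<Name>Ec2SetMonitorAlwaysOn</Name>
+<State>Disabled</State>
+</Plugin>
+<Plugin>
+<Name>Ec2ElasticGpuSetup</Name>
+<State>Enabled</State>
+</Plugin>
+<Plugin>
+<Name>Ec2FeatureLogging</Name>
+<State>Enabled</State>
+</Plugin>
+<Plugin>
+<Name>Ec2SetENAConfig</Name>
+<State>Enabled</State>
+</Plugin>
+<Plugin>
+<Name>Ec2HandleUserData</Name>
+<State>Enabled</State>
+</Plugin>
+<Plugin>
+<Name>AWS.EC2.Windows.CloudWatch.PlugIn</Name>
+<State>Disabled</State>
+</Plugin>
+</Plugins>
+<GlobalSettings>
+<ManageShutdown>true</ManageShutdown>
+<SetDnsSuffixList>true</SetDnsSuffixList>
+<WaitForMetaDataAvailable>true</WaitForMetaDataAvailable>
+<ShouldAddRoutes>true</ShouldAddRoutes>
+<RemoveCredentialsfromSysprepOnStartup>true</RemoveCredentialsfromSysprepOnStartup>
+</GlobalSettings>
+</Ec2ConfigurationSettings>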
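Review bot: The file has no comment saying why these plugin states were chosen, and several of them are security-relevant: `Ec2SetPassword` Enabled forces a new random Administrator password on the next boot (the intent, per the task that installs it), `Ec2HandleUserData` Enabled means any user data attached to an instance launched from the resulting image is executed by the EC2Config service, and `Ec2EventLog` plus the CloudWatch plugin Disabled reduce what is forwarded off the host for later investigation. Since this replaces the vendor's config.xml wholesale, a header comment would stop the next person from reusing it on a non-image-build host, e.g. `<!-- Installed by the mu-windows role only when mu_build_image is set; forces a fresh Administrator password on first boot of the AMI. Plugin states are deliberate: review before reusing on a running server. -->`. I am inferring the EC2Config plugin semantics from their names; the installing task lives in tasks/main.yml, outside this file.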
@@ -18,3 +18,19 @@
|
|
18
18
|
win_chocolatey:
|
19
19
|
name: openssh
|
20
20
|
state: present
|
21
|
+
|
22
|
+
- name: "Tell EC2Config to set a random password on next boot (Windows 2012)"
|
23
|
+
when: ((ansible_facts['distribution_major_version'] | int) < 10 and mu_build_image is defined and mu_build_image == True)
|
24
|
+
win_copy:
|
25
|
+
src: config.xml
|
26
|
+
dest: "c:/Program Files/Amazon/EC2ConfigService/Settings/config.xml"
|
27
|
+
|
28
|
+
- name: "Tell EC2Launch to set a random password (Windows 2016+)"
|
29
|
+
when: ((ansible_facts['distribution_major_version'] | int) >= 10 and mu_build_image is defined and mu_build_image == True)
|
30
|
+
win_copy:
|
31
|
+
src: LaunchConfig.json
|
32
|
+
dest: "c:/ProgramData/Amazon/EC2-Windows/Launch/Config/LaunchConfig.json"
|
33
|
+
|
34
|
+
- name: "Tell EC2Launch to run on next boot (Windows 2016+)"
|
35
|
+
when: ((ansible_facts['distribution_major_version'] | int) >= 10 and mu_build_image is defined and mu_build_image == True)
|
36
|
+
win_shell: C:\ProgramData\Amazon\EC2-Windows\Launch\Scripts\InitializeInstance.ps1 -Schedule
|
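Review bot: All three new `when:` clauses test `mu_build_image == True`, which only holds when the variable is a real boolean; a value supplied as an extra-var on the command line or quoted in a vars file arrives as the string `"True"` and silently skips the tasks, so the AMI keeps the build instance's Administrator password. Coerce it instead, e.g. `when: (ansible_facts['distribution_major_version'] | int) < 10 and (mu_build_image | default(false) | bool)` and the equivalent `>= 10` form in the two EC2Launch tasks. I cannot see from this file how the groomer passes the variable, so it may already be a boolean; the coercion is harmless either way. The `win_shell` line invokes InitializeInstance.ps1 by absolute path, which is fine, but `-Schedule` re-registers the scheduled task on every run, so the task is not idempotent and will report changed each time.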
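--- a/data/bin/mu-adopt
+++ b/data/bin/mu-adopt
@@ -48,6 +48,7 @@ $opt = Optimist::options do
 opt :diff, "List the differences between what we find and an existing, saved deploy from a previous run, if one exists.", :required => false, :type => :boolean
 opt :grouping, "Methods for grouping found resources into separate Baskets.\n\n"+MU::Adoption::GROUPMODES.keys.map { |g| "* "+g.to_s+": "+MU::Adoption::GROUPMODES[g] }.join("\n")+"\n\n", :required => false, :type => :string, :default => "logical"
 opt :habitats, "Limit scope of searches to the named accounts/projects/subscriptions, instead of search all habitats visible to our credentials.", :required => false, :type => :strings
+opt :scrub, "Whether to set scrub_mu_isms in the BoKs we generate", :default => $MU_CFG.has_key?('adopt_scrub_mu_isms') ? $MU_CFG['adopt_scrub_mu_isms'] : false
 end
 
 ok = true
@@ -102,7 +103,7 @@ if !ok
 end
 
 
-adoption = MU::Adoption.new(clouds: clouds, types: types, parent: $opt[:parent], billing: $opt[:billing], sources: $opt[:sources], credentials: $opt[:credentials], group_by: $opt[:grouping].to_sym, savedeploys: $opt[:savedeploys], diff: $opt[:diff], habitats: $opt[:habitats])
+adoption = MU::Adoption.new(clouds: clouds, types: types, parent: $opt[:parent], billing: $opt[:billing], sources: $opt[:sources], credentials: $opt[:credentials], group_by: $opt[:grouping].to_sym, savedeploys: $opt[:savedeploys], diff: $opt[:diff], habitats: $opt[:habitats], scrub_mu_isms: $opt[:scrub])
 found = adoption.scrapeClouds
 if found.nil? or found.empty?
 MU.log "No resources found to adopt", MU::WARN, details: {"clouds" => clouds, "types" => types }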
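Review bot: The new `opt :scrub` has no `:type`, so Optimist infers it from the default, which is whatever `$MU_CFG['adopt_scrub_mu_isms']` happens to contain; if that value is ever stored as a string or nil the option silently changes shape. Declare it as a boolean and use `fetch` for the lookup: `opt :scrub, "Whether to set scrub_mu_isms in the BoKs we generate", :required => false, :type => :boolean, :default => $MU_CFG.fetch('adopt_scrub_mu_isms', false)`. The `Optimist::options` block starts before the first hunk.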
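--- a/data/bin/mu-configure
+++ b/data/bin/mu-configure
@@ -113,6 +113,12 @@ $CONFIGURABLES = {
 "desc" => "Disable the Momma Cat grooming daemon. Nodes which require asynchronous Ansible/Chef bootstraps will not function. This option is only honored in gem-based installations.",
 "boolean" => true
 },
+"adopt_scrub_mu_isms" => {
+"title" => "Disable Momma Cat",
+"default" => false,
+"desc" => "Ordinarily, Mu will automatically name, tag and generate auxiliary resources in a standard Mu-ish fashion that allows for deployment of multiple clones of a given stack. Toggling this flag will change the default behavior of mu-adopt, when it creates stack descriptors from found resources, to enable or disable this behavior (see also mu-adopt's --scrub option).",
+"boolean" => true
+},
 "mommacat_port" => {
 "title" => "Momma Cat Listen Port",
 "pattern" => /^[0-9]+$/i,
@@ -246,6 +252,16 @@ $CONFIGURABLES = {
 "required" => false,
 "desc" => "For Google Cloud projects which are attached to a GSuite domain. Some API calls (groups, users, etc) require this identifier. From admin.google.com, choose Security, the Single Sign On, and look for the Entity ID field. The value after idpid= in the URL there should be the customer ID."
 },
+"ignore_habitats" => {
+"title" => "Ignore These Projects",
+"desc" => "Optional list of projects to ignore, for credentials which have visibility into multiple projects",
+"array" => true
+},
+"restrict_to_habitats" => {
+"title" => "Operate On Only These Projects",
+"desc" => "Optional list of projects to which we'll restrict all of our activities.",
+"array" => true
+},
 "default" => {
 "title" => "Is Default Account",
 "default" => false,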
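Review bot: The `"title"` of the new `adopt_scrub_mu_isms` entry is `"Disable Momma Cat"`, copied from the entry just above it, so the configurator will show two options with the same title and the misleading one attached to this flag. Give it a title that matches its `desc`, e.g. `"title" => "Scrub Mu-isms From Adopted Stacks",`. In the second hunk, `ignore_habitats` and `restrict_to_habitats` are both optional arrays with no statement of how they interact when a project appears in both; one sentence in each `desc` saying which list wins would keep an operator from unintentionally widening cleanup or deploy scope. The `$CONFIGURABLES` hash begins before and ends after both hunks.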
data/bin/mu-node-manage
CHANGED
@@ -29,9 +29,9 @@ Usage:
|
|
29
29
|
opt :all, "Operate on all nodes/deploys. Use with caution.", :require => false, :default => false, :type => :boolean
|
30
30
|
opt :platform, "Operate exclusively on one nodes of a particular operating system. Can be used in conjunction with -a or -d. Valid platforms: linux, windows", :require => false, :type => :string
|
31
31
|
opt :environment, "Operate exclusively on one nodes with a particular environment (e.g. dev, prod). Can be used in conjunction with -a or -d.", :require => false, :type => :string
|
32
|
-
opt :override_chef_runlist, "An alternate runlist to pass to Chef, in
|
32
|
+
opt :override_chef_runlist, "An alternate runlist to pass to Chef, in groomeronly mode.", :require => false, :type => :string
|
33
33
|
opt :xecute, "Run a shell command on matching nodes. Overrides --mode and suppresses some informational output in favor of scriptability.", :require => false, :type => :string
|
34
|
-
opt :mode, "Action to perform on matching nodes. Valid actions: groom,
|
34
|
+
opt :mode, "Action to perform on matching nodes. Valid actions: groom, groomeronly, awsmeta, vaults, certs, chefupgrade", :require => false, :default => "groomeronly", :type => :string
|
35
35
|
opt :verbose, "Show output from Chef runs, etc", :require => false, :default => false, :type => :boolean
|
36
36
|
opt :winrm, "Force WinRM connection. Disable SSH fallback", :require => false, :default => false, :type => :boolean
|
37
37
|
opt :info, "List a particular node attribute", :require => false, :default => 'nodename', :type => :string
|
@@ -39,8 +39,10 @@ end
|
|
39
39
|
|
40
40
|
MU.setLogging(MU::Logger::LOUD) if $opts[:verbose]
|
41
41
|
|
42
|
-
|
43
|
-
|
42
|
+
$opts[:mode] = "groomeronly" if $opts[:mode] == "chefrun"
|
43
|
+
|
44
|
+
if !["groom", "groomeronly", "vaults", "userdata", "awsmeta", "certs", "chefupgrade"].include?($opts[:mode])
|
45
|
+
Optimist::die(:mode, "--mode must be one of: groom, groomeronly, awsmeta, vaults, certs, chefupgrade")
|
44
46
|
end
|
45
47
|
if $opts[:platform] and !["linux", "windows"].include?($opts[:platform])
|
46
48
|
Optimist::die(:platform, "--platform must be one of: linux, windows")
|
@@ -176,7 +178,7 @@ end
|
|
176
178
|
exit 1 if !ok
|
177
179
|
|
178
180
|
|
179
|
-
def reGroom(deploys = MU::MommaCat.listDeploys, nodes = [], vaults_only: false)
|
181
|
+
def reGroom(deploys = MU::MommaCat.listDeploys, nodes = [], vaults_only: false, groomeronly: false)
|
180
182
|
badnodes = []
|
181
183
|
count = 0
|
182
184
|
deploys.each { |muid|
|
@@ -196,6 +198,8 @@ def reGroom(deploys = MU::MommaCat.listDeploys, nodes = [], vaults_only: false)
|
|
196
198
|
server.config["vault_access"].each { |v|
|
197
199
|
MU::Groomer::Chef.grantSecretAccess(mu_name, v['vault'], v['item'])
|
198
200
|
}
|
201
|
+
elsif groomeronly
|
202
|
+
server.groomer.run
|
199
203
|
else
|
200
204
|
mommacat.groomNode(server.cloud_id, nodeclass, type, mu_name: mu_name)
|
201
205
|
end
|
@@ -227,7 +231,7 @@ def reGroom(deploys = MU::MommaCat.listDeploys, nodes = [], vaults_only: false)
|
|
227
231
|
end
|
228
232
|
end
|
229
233
|
|
230
|
-
def runCommand(deploys = MU::MommaCat.listDeploys, nodes = [], cmd = nil, print_output: $opts[:verbose], noop: false
|
234
|
+
def runCommand(deploys = MU::MommaCat.listDeploys, nodes = [], cmd = nil, print_output: $opts[:verbose], noop: false)
|
231
235
|
badnodes = []
|
232
236
|
count = 0
|
233
237
|
deploys.each { |muid|
|
@@ -247,12 +251,6 @@ def runCommand(deploys = MU::MommaCat.listDeploys, nodes = [], cmd = nil, print_
|
|
247
251
|
next
|
248
252
|
end
|
249
253
|
|
250
|
-
# Generate the command if attemting a chef run
|
251
|
-
if chefrun
|
252
|
-
cmd = serverobj.windows? ? "powershell -Command chef-client" : "chef-client || sudo chef-client"
|
253
|
-
cmd += " -o '#{chef_runlist}'" if chef_runlist
|
254
|
-
end
|
255
|
-
|
256
254
|
MU.log "Running '#{cmd}' on #{nodename} (##{count})" if !print_output
|
257
255
|
|
258
256
|
# Set Variables to catch the output and exit code of the execution
|
@@ -363,7 +361,7 @@ def runCommand(deploys = MU::MommaCat.listDeploys, nodes = [], cmd = nil, print_
|
|
363
361
|
}
|
364
362
|
|
365
363
|
if badnodes.size > 0
|
366
|
-
cmd = "Chef" if $opts[:mode] == "
|
364
|
+
cmd = "Chef" if $opts[:mode] == "groomeronly"
|
367
365
|
if !print_output
|
368
366
|
MU.log "Not all `#{cmd}` runs exited cleanly", MU::WARN, details: badnodes
|
369
367
|
else
|
@@ -687,12 +685,13 @@ elsif $opts[:mode] == "vaults"
|
|
687
685
|
reGroom(do_deploys, do_nodes, vaults_only: true)
|
688
686
|
elsif $opts[:mode] == "chefupgrade"
|
689
687
|
chefUpgrade(do_deploys, do_nodes)
|
690
|
-
elsif $opts[:mode] == "
|
688
|
+
elsif $opts[:mode] == "groomeronly"
|
691
689
|
print_output = $opts[:verbose] || do_nodes.size == 1
|
692
690
|
if $opts[:override_chef_runlist]
|
693
|
-
runCommand(do_deploys, do_nodes, chef_runlist: $opts[:override_chef_runlist],
|
691
|
+
# runCommand(do_deploys, do_nodes, chef_runlist: $opts[:override_chef_runlist], groomeronly: true, print_output: print_output)
|
694
692
|
else
|
695
|
-
runCommand(do_deploys, do_nodes,
|
693
|
+
# runCommand(do_deploys, do_nodes, groomeronly: true, print_output: print_output)
|
694
|
+
reGroom(do_deploys, do_nodes, groomeronly: true)
|
696
695
|
end
|
697
696
|
elsif $opts[:mode] == "userdata" or $opts[:mode] == "awsmeta"
|
698
697
|
# Need Google equiv and to select nodes correctly based on what cloud they're in
|
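Review bot: `--override_chef_runlist` has become a silent no-op: in the `groomeronly` branch at the end of the last hunk, the `if $opts[:override_chef_runlist]` arm now contains only a commented-out `runCommand` call, so when a runlist is supplied nothing is executed and the script exits as if it had succeeded, while only the `else` arm runs `reGroom`. Until `reGroom`'s `server.groomer.run` call can carry the override through, reject the combination up front rather than ignoring it, and also drop `userdata` from the `include?` list or add it to the `--mode` help text and the `Optimist::die` message, which currently disagree with it. `reGroom` and the mode dispatch both continue outside the hunks.
```ruby
elsif $opts[:mode] == "groomeronly"
  if $opts[:override_chef_runlist]
    Optimist::die(:override_chef_runlist, "not honored in groomeronly mode; use --mode groom or --xecute to run an alternate runlist")
  end
  reGroom(do_deploys, do_nodes, groomeronly: true)
```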
data/cloud-mu.gemspec
CHANGED
@@ -17,8 +17,8 @@ end
|
|
17
17
|
|
18
18
|
Gem::Specification.new do |s|
|
19
19
|
s.name = 'cloud-mu'
|
20
|
-
s.version = '3.1.
|
21
|
-
s.date = '2020-03-
|
20
|
+
s.version = '3.1.6'
|
21
|
+
s.date = '2020-03-20'
|
22
22
|
s.require_paths = ['modules']
|
23
23
|
s.required_ruby_version = '>= 2.4'
|
24
24
|
s.summary = "The eGTLabs Mu toolkit for unified cloud deployments"
|
@@ -19,7 +19,7 @@ attribute :domain_admin_password, :kind_of => String, :required => true
|
|
19
19
|
attribute :restore_mode_password, :kind_of => String, :required => true
|
20
20
|
attribute :site_name, :kind_of => String, :default => node['ad']['site_name'], :required => false
|
21
21
|
attribute :computer_name, :kind_of => String, :default => node['ad']['computer_name']
|
22
|
-
attribute :ntds_static_port, :kind_of =>
|
23
|
-
attribute :ntfrs_static_port, :kind_of =>
|
24
|
-
attribute :dfsr_static_port, :kind_of =>
|
25
|
-
attribute :netlogon_static_port, :kind_of =>
|
22
|
+
attribute :ntds_static_port, :kind_of => Integer, :default => node['ad']['ntds_static_port']
|
23
|
+
attribute :ntfrs_static_port, :kind_of => Integer, :default => node['ad']['ntfrs_static_port']
|
24
|
+
attribute :dfsr_static_port, :kind_of => Integer, :default => node['ad']['dfsr_static_port']
|
25
|
+
attribute :netlogon_static_port, :kind_of => Integer, :default => node['ad']['netlogon_static_port']
|
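Review bot: `:kind_of => Integer` on the four static-port attributes makes Chef raise a validation error whenever the value arrives as a string, which is how a port written in a BoK or node JSON typically shows up, and nothing bounds the value to a usable port. Accept both and validate the range, e.g. `attribute :ntds_static_port, :kind_of => [Integer, String], :default => node['ad']['ntds_static_port'], :callbacks => { "must be a port between 1024 and 65535" => lambda { |p| (1024..65535).cover?(p.to_i) } }`, for each of the four. The defaults come from `node['ad'][...]`, whose attributes file is not in this diff, so I am assuming they are defined there. The same four lines appear verbatim in domain_controller.rb's section below; the same applies there.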
@@ -19,7 +19,7 @@ attribute :domain_admin_password, :kind_of => String, :required => true
|
|
19
19
|
attribute :restore_mode_password, :kind_of => String, :required => true
|
20
20
|
attribute :site_name, :kind_of => String, :default => node['ad']['site_name'], :required => false
|
21
21
|
attribute :computer_name, :kind_of => String, :default => node['ad']['computer_name']
|
22
|
-
attribute :ntds_static_port, :kind_of =>
|
23
|
-
attribute :ntfrs_static_port, :kind_of =>
|
24
|
-
attribute :dfsr_static_port, :kind_of =>
|
25
|
-
attribute :netlogon_static_port, :kind_of =>
|
22
|
+
attribute :ntds_static_port, :kind_of => Integer, :default => node['ad']['ntds_static_port']
|
23
|
+
attribute :ntfrs_static_port, :kind_of => Integer, :default => node['ad']['ntfrs_static_port']
|
24
|
+
attribute :dfsr_static_port, :kind_of => Integer, :default => node['ad']['dfsr_static_port']
|
25
|
+
attribute :netlogon_static_port, :kind_of => Integer, :default => node['ad']['netlogon_static_port']
|
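--- a/data/cookbooks/mu-tools/recipes/eks.rb
+++ b/data/cookbooks/mu-tools/recipes/eks.rb
@@ -160,8 +160,8 @@ Environment='KUBELET_EXTRA_ARGS=$KUBELET_EXTRA_ARGS'
 
 opento.uniq.each { |src|
 [:tcp, :udp, :icmp].each { |proto|
-execute "iptables -I INPUT -p #{proto} -s #{src}" do
-not_if "iptables -L -n | tr -s ' ' | grep -- '#{proto} -- #{src.sub(/\/32$/, "")}' > /dev/null"
+execute "iptables -w 30 -I INPUT -p #{proto} -s #{src}" do
+not_if "iptables -w 30 -L -n | tr -s ' ' | grep -- '#{proto} -- #{src.sub(/\/32$/, "")}' > /dev/null"
 end
 }
 }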
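Review bot: The rebuilt `execute "iptables -w 30 -I INPUT -p #{proto} -s #{src}"` rule still has no `-j` target, so it only increments counters and does not accept anything: the sources in `opento` are reachable only if INPUT's default policy is already ACCEPT, in which case the rule is dead weight, and otherwise they stay blocked. Add the target: `execute "iptables -w 30 -I INPUT -p #{proto} -s #{src} -j ACCEPT" do`; the existing `not_if` pattern matches with or without the target column, so it needs no change. `-p icmp` with no `--icmp-type` admits all ICMP from those sources, which may be intended for cluster nodes but deserves a comment. `opento` is built before this hunk.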
@@ -26,20 +26,22 @@ if !node['application_attributes']['skip_recipes'].include?('windows-client')
|
|
26
26
|
|
27
27
|
sshd_password = windows_vault[node['windows_sshd_password_field']]
|
28
28
|
|
29
|
+
admin_user = node['windows_admin_username'] || "Administrator"
|
30
|
+
|
29
31
|
windows_version = node['platform_version'].to_i
|
30
32
|
|
31
33
|
public_keys = Array.new
|
32
34
|
|
33
|
-
if windows_version
|
35
|
+
if windows_version >= 10
|
34
36
|
Chef::Log.info "version #{windows_version}, using openssh"
|
35
37
|
|
36
38
|
include_recipe 'chocolatey'
|
37
39
|
|
38
40
|
openssh_path = 'C:\Program Files\OpenSSH-Win64'
|
39
41
|
|
40
|
-
ssh_program_data = "#{ENV['ProgramData']}
|
42
|
+
ssh_program_data = "#{ENV['ProgramData']}\\ssh"
|
41
43
|
|
42
|
-
ssh_dir = "C:/Users
|
44
|
+
ssh_dir = "C:/Users/#{admin_user}/.ssh"
|
43
45
|
|
44
46
|
authorized_keys = "#{ssh_dir}/authorized_keys"
|
45
47
|
|
@@ -86,7 +88,8 @@ if !node['application_attributes']['skip_recipes'].include?('windows-client')
|
|
86
88
|
path ssh_program_data
|
87
89
|
owner sshd_user
|
88
90
|
rights :full_control, sshd_user
|
89
|
-
rights :full_control,
|
91
|
+
rights :full_control, admin_user
|
92
|
+
notifies :run, 'ruby[find files to change ownership of]', :immediately
|
90
93
|
notifies :run, 'powershell_script[Generate Host Key]', :immediately
|
91
94
|
end
|
92
95
|
|
@@ -97,22 +100,22 @@ if !node['application_attributes']['skip_recipes'].include?('windows-client')
|
|
97
100
|
notifies :create, "template[#{ssh_program_data}/sshd_config]", :immediately
|
98
101
|
end
|
99
102
|
|
100
|
-
|
103
|
+
directory "set file ownership" do
|
101
104
|
action :nothing
|
105
|
+
path ssh_program_data
|
102
106
|
owner sshd_user
|
103
|
-
source "sshd_config.erb"
|
104
107
|
mode '0600'
|
105
|
-
|
106
|
-
|
108
|
+
rights :full_control, sshd_user
|
109
|
+
deny_rights :full_control, admin_user
|
107
110
|
end
|
108
111
|
|
109
|
-
|
112
|
+
template "#{ssh_program_data}/sshd_config" do
|
110
113
|
action :nothing
|
111
|
-
path ssh_program_data
|
112
114
|
owner sshd_user
|
115
|
+
source "sshd_config.erb"
|
113
116
|
mode '0600'
|
114
|
-
|
115
|
-
|
117
|
+
cookbook "mu-tools"
|
118
|
+
notifies :run, 'ruby[find files to change ownership of]', :immediately
|
116
119
|
end
|
117
120
|
|
118
121
|
windows_service 'sshd' do
|
@@ -120,26 +123,26 @@ if !node['application_attributes']['skip_recipes'].include?('windows-client')
|
|
120
123
|
end
|
121
124
|
|
122
125
|
group 'sshusers' do
|
123
|
-
members [sshd_user,
|
126
|
+
members [sshd_user, admin_user]
|
124
127
|
end
|
125
128
|
|
126
129
|
ruby 'find files to change ownership of' do
|
127
130
|
action :nothing
|
128
131
|
code <<-EOH
|
129
|
-
files = Dir.entries ssh_program_data
|
132
|
+
files = Dir.entries '#{ssh_program_data}'
|
130
133
|
puts files
|
131
134
|
EOH
|
132
135
|
end
|
133
136
|
|
134
|
-
log 'files in ssh' do
|
135
|
-
message files.join
|
136
|
-
level :info
|
137
|
-
end
|
138
|
-
|
137
|
+
# log 'files in ssh' do
|
138
|
+
# message files.join
|
139
|
+
# level :info
|
140
|
+
# end
|
141
|
+
#
|
139
142
|
files.each do |file|
|
140
143
|
file "#{ssh_program_data}#{file}" do
|
141
144
|
owner sshd_user
|
142
|
-
deny_rights :full_control,
|
145
|
+
deny_rights :full_control, admin_user
|
143
146
|
end
|
144
147
|
end
|
145
148
|
|
@@ -150,7 +153,7 @@ if !node['application_attributes']['skip_recipes'].include?('windows-client')
|
|
150
153
|
end
|
151
154
|
|
152
155
|
file authorized_keys do
|
153
|
-
owner
|
156
|
+
owner admin_user
|
154
157
|
content public_key
|
155
158
|
end
|
156
159
|
|
@@ -323,7 +326,7 @@ if !node['application_attributes']['skip_recipes'].include?('windows-client')
|
|
323
326
|
# sensitive true
|
324
327
|
# end
|
325
328
|
# end
|
326
|
-
|
329
|
+
|
327
330
|
end
|
328
331
|
|
329
332
|
else
|
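Review bot: The new `files = Dir.entries '#{ssh_program_data}'` in the `ruby 'find files to change ownership of'` resource cannot feed the `files.each do |file|` loop a few lines below it: `ruby` is Chef's script resource, whose `code` runs in a separate interpreter process at converge time, whereas the loop runs at recipe compile time, so `files` is undefined there (the `log 'files in ssh'` block that also read it was commented out in this hunk, which looks like the symptom) unless it is assigned earlier outside the hunk. Move the ACL work into a `ruby_block` that does the `Dir.children` listing and declares the `file` resources itself, or compute the list at compile time; either way `"#{ssh_program_data}#{file}"` needs a separator, e.g. `file File.join(ssh_program_data, file) do`, since `ssh_program_data` ends in `\ssh`. Separately, `directory "set file ownership"` is `action :nothing` and nothing visible notifies it, so its `deny_rights :full_control, admin_user` on the sshd directory never applies while the earlier `directory` resource grants `admin_user` full control; please confirm which ACL is intended. The surrounding `if windows_version >= 10` block starts in the first hunk and ends after the last.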
data/extras/clean-stock-amis
CHANGED
@@ -18,37 +18,43 @@ require 'json'
|
|
18
18
|
require File.realpath(File.expand_path(File.dirname(__FILE__)+"/../bin/mu-load-config.rb"))
|
19
19
|
require 'mu'
|
20
20
|
|
21
|
-
|
22
|
-
|
23
|
-
|
24
|
-
|
21
|
+
$opts = Optimist::options do
|
22
|
+
banner <<-EOS
|
23
|
+
#{$0} [-c credentials] [-i imagename]
|
24
|
+
EOS
|
25
|
+
opt :credentials, "Use these AWS credentials from mu.yaml instead of the default set", :required => false, :type => :string
|
26
|
+
opt :image, "Purge a specific image, instead of just scrubing old ones", :required => false, :type => :string
|
25
27
|
end
|
26
28
|
|
27
29
|
filters = [
|
28
30
|
{
|
29
31
|
name: "owner-id",
|
30
|
-
values: [MU::Cloud::AWS.credToAcct(credentials)]
|
32
|
+
values: [MU::Cloud::AWS.credToAcct($opts[:credentials])]
|
31
33
|
}
|
32
34
|
]
|
33
35
|
|
34
36
|
|
35
37
|
MU::Cloud::AWS.listRegions.each { | r|
|
36
|
-
images = MU::Cloud::AWS.ec2(region: r, credentials: credentials).describe_images(
|
38
|
+
images = MU::Cloud::AWS.ec2(region: r, credentials: $opts[:credentials]).describe_images(
|
37
39
|
filters: filters + [{ "name" => "state", "values" => ["available"]}]
|
38
40
|
).images
|
39
41
|
images.each { |ami|
|
40
|
-
|
41
|
-
|
42
|
-
|
43
|
-
|
44
|
-
|
45
|
-
|
46
|
-
|
47
|
-
|
48
|
-
|
49
|
-
|
50
|
-
|
51
|
-
|
52
|
-
|
42
|
+
if ($opts[:image] and ami.name == $opts[:image]) or
|
43
|
+
((DateTime.now.to_time - DateTime.parse(ami.creation_date).to_time) > 15552000 and ami.name.match(/^MU-(PROD|DEV)/))
|
44
|
+
snaps = []
|
45
|
+
ami.block_device_mappings.each { |dev|
|
46
|
+
if !dev.ebs.nil?
|
47
|
+
snaps << dev.ebs.snapshot_id
|
48
|
+
end
|
49
|
+
}
|
50
|
+
MU.log "Deregistering #{ami.name}, #{r} (#{ami.creation_date})", MU::WARN, details: snaps
|
51
|
+
begin
|
52
|
+
MU::Cloud::AWS.ec2(region: r, credentials: $opts[:credentials]).deregister_image(image_id: ami.image_id)
|
53
|
+
rescue Aws::EC2::Errors::InvalidAMIIDUnavailable
|
54
|
+
end
|
55
|
+
snaps.each { |snap_id|
|
56
|
+
MU::Cloud::AWS.ec2(region: r, credentials: $opts[:credentials]).delete_snapshot(snapshot_id: snap_id)
|
57
|
+
}
|
58
|
+
end
|
53
59
|
}
|
54
60
|
}
|
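Review bot: The new deregister/delete loop is destructive across every region with no dry-run or confirmation, and only `InvalidAMIIDUnavailable` is rescued: a `delete_snapshot` that fails because the snapshot still backs another image (`Aws::EC2::Errors::InvalidSnapshotInUse`) aborts the whole script mid-loop, leaving earlier AMIs deregistered with their snapshots orphaned and later regions untouched. Add a `--noop` flag that only logs what would go, and rescue per snapshot so one failure does not stop the sweep. `ami.name` can be nil for unnamed images, which makes `ami.name.match` raise; `ami.name.to_s` avoids it. The `15552000` threshold (180 days) should be a named constant, and `DateTime` is legacy; `Time.now - Time.parse(ami.creation_date)` does the same with `require 'time'`.
```ruby
MAX_AGE_SECONDS = 180 * 24 * 60 * 60 # was the bare literal 15552000
opt :noop, "Only report which images and snapshots would be removed", :required => false, :type => :boolean, :default => false
# … unchanged: end of option block, filters, region loop …
if ($opts[:image] and ami.name.to_s == $opts[:image]) or
   ((Time.now - Time.parse(ami.creation_date)) > MAX_AGE_SECONDS and ami.name.to_s.match(/^MU-(PROD|DEV)/))
  snaps = ami.block_device_mappings.map { |dev| dev.ebs&.snapshot_id }.compact
  MU.log "#{$opts[:noop] ? "Would deregister" : "Deregistering"} #{ami.name}, #{r} (#{ami.creation_date})", MU::WARN, details: snaps
  next if $opts[:noop]
  begin
    MU::Cloud::AWS.ec2(region: r, credentials: $opts[:credentials]).deregister_image(image_id: ami.image_id)
  rescue Aws::EC2::Errors::InvalidAMIIDUnavailable
  end
  snaps.each { |snap_id|
    begin
      MU::Cloud::AWS.ec2(region: r, credentials: $opts[:credentials]).delete_snapshot(snapshot_id: snap_id)
    rescue Aws::EC2::Errors::InvalidSnapshotInUse => e
      MU.log "Leaving snapshot #{snap_id} in place (#{e.message})", MU::WARN
    end
  }
end
```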