bin/mu-configure in cloud-mu-3.4.0 vs bin/mu-configure in cloud-mu-3.5.0

- old
+ new

@@ -18,18 +18,41 @@ require 'socket' require 'open-uri' require 'colorize' require 'timeout' require 'etc' -require 'aws-sdk-core' require 'json' require 'pp' require 'readline' require 'fileutils' require 'erb' require 'tmpdir' +AMROOT = Process.uid == 0 +HOMEDIR = Etc.getpwuid(Process.uid).dir +CLEAN_ENV={ + "PATH" => "/usr/local/sbin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin:/usr/local/ruby-current/bin", + "HOME" => HOMEDIR +} +CLEAN_ENV_STR = CLEAN_ENV.keys.map { |k| + k+"=\""+CLEAN_ENV[k]+"\"" +}.join(" ") +CHEF_CLIENT="/opt/chef/bin/chef-client" +CHEF_CTL="/opt/opscode/bin/chef-server-ctl" +GIT_PATTERN = /(((git|ssh|http(s)?)|(git@[\w\.]+))(:(\/\/)?))?([\w\.@\:\/\-~]+)(\.git)?(\/)?/ + + +#def _x(cmd) +# puts "#{CLEAN_ENV} #{cmd}".bold +# %x{#{CLEAN_ENV} #{cmd}} +#end + +def _system(cmd) + puts cmd.bold + system(CLEAN_ENV, cmd) +end + $IN_GEM = false gemwhich = %x{gem which mu 2>&1}.chomp gemwhich = nil if $?.exitstatus != 0 mypath = File.realpath(File.expand_path(File.dirname(__FILE__))) if !mypath.match(/^\/opt\/mu/) 
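Review bot: `_system` does not give the child a clean environment: `system(CLEAN_ENV, cmd)` merges the two keys into the inherited environment, so everything else in the caller's `ENV` still reaches the command, whereas the `env -i PATH=... HOME=...` invocation this helper replaces in the hunk at @@ -1472 started from nothing. If a clean environment is the intent, `system(CLEAN_ENV, cmd, unsetenv_others: true)` is the one-line way to get it. The helper also passes a single string, so every call still goes through the shell and callers interpolating config-derived values remain responsible for quoting; a short comment on the helper stating both facts, e.g. `# Overlays CLEAN_ENV on the inherited environment and runs cmd via the shell; quote interpolated values`, would spare the next reader a wrong assumption.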
@@ -44,10 +67,40 @@ end } end end +if !$NOOP + $IN_AWS = false + begin + Timeout.timeout(2) do + instance_id = URI.open("http://169.254.169.254/latest/meta-data/instance-id").read + $IN_AWS = true if !instance_id.nil? and instance_id.size > 0 + end + rescue OpenURI::HTTPError, Timeout::Error, SocketError, Errno::ENETUNREACH + end + $IN_GOOGLE = false + begin + Timeout.timeout(2) do + instance_id = URI.open( + "http://metadata.google.internal/computeMetadata/v1/instance/name", + "Metadata-Flavor" => "Google" + ).read + $IN_GOOGLE = true if !instance_id.nil? and instance_id.size > 0 + end + rescue OpenURI::HTTPError, Timeout::Error, SocketError, Errno::ENETUNREACH + end + $IN_AZURE = false + begin + Timeout.timeout(2) do + instance = URI.open("http://169.254.169.254/metadata/instance/compute?api-version=2017-08-01","Metadata"=>"true").read + $IN_AZURE = true if !instance.nil? and instance.size > 0 + end + rescue OpenURI::HTTPError, Timeout::Error, SocketError, Errno::ENETUNREACH, Errno::EHOSTUNREACH + end +end + $possible_addresses = [] $impossible_addresses = ['127.0.0.1', 'localhost'] begin sys_name = Socket.gethostname official, aliases = Socket.gethostbyname(sys_name) 
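Review bot: The three metadata probes rescue different error sets, so a host whose link-local route answers with host-unreachable or connection-refused aborts the script instead of leaving the flag false: the AWS and Google blocks lack `Errno::EHOSTUNREACH` (the Azure block has it) and none of them rescue `Errno::ECONNREFUSED`. One shared list, `rescue OpenURI::HTTPError, Timeout::Error, SocketError, Errno::ENETUNREACH, Errno::EHOSTUNREACH, Errno::ECONNREFUSED`, in all three blocks makes detection fail closed rather than crash. The AWS probe is a plain IMDSv1 GET; on an instance where IMDSv2 is required it receives a 401, which this rescue swallows, so `$IN_AWS` silently stays false and the AWS-specific setup later in the file is skipped — a comment next to the probe naming that failure mode would make it recognizable when someone hits it.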
@@ -60,23 +113,41 @@ end Socket.getifaddrs.each { |iface| if iface.addr and iface.addr.ipv4? $possible_addresses << iface.addr.ip_address begin - addrinfo = Socket.gethostbyaddr(iface.addr.ip_address) + addrinfo = Socket.gethostbyaddr(iface.addr.ip_address.split(/\./).map { |o| o.to_i }.pack("CCCC")) $possible_addresses << addrinfo.first if !addrinfo.first.nil? rescue SocketError # usually no name to look up; that's ok end end } + +if $IN_AWS + ["local-ipv4", "public-ipv4"].each { |addr| + ip = URI.open("http://169.254.169.254/latest/meta-data/#{addr}").read.chomp + $possible_addresses.unshift(ip) if ip and ip =~ /^\d+\.\d+\.\d+\.\d+/ + } +elsif $IN_GOOGLE + ["ip", "access-configs/0/external-ip"].each { |addr| + ip = URI.open( + "http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/#{addr}", + "Metadata-Flavor" => "Google" + ).read.chomp + $possible_addresses.unshift(ip) if ip and ip =~ /^\d+\.\d+\.\d+\.\d+/ + } +elsif $IN_AZURE + ["privateIpAddress", "publicIpAddress"].each { |addr| + ip = URI.open("http://169.254.169.254/metadata/instance/network/interface/0/ipv4/ipAddress/0/#{addr}?api-version=2017-08-01&format=text","Metadata"=>"true").read + $possible_addresses.unshift(ip) if ip and ip =~ /^\d+\.\d+\.\d+\.\d+/ + } +end + $possible_addresses.uniq! $possible_addresses.reject! { |i| i.match(/^(0\.0\.0\.0$|169\.254\.|127\.0\.)/)} -GIT_PATTERN = /(((git|ssh|http(s)?)|(git@[\w\.]+))(:(\/\/)?))?([\w\.@\:\/\-~]+)(\.git)?(\/)?/ - - # Top-level keys in $MU_CFG for which we'll provide interactive, menu-driven # configuration. $CONFIGURABLES = { "public_address" => { "title" => "Public Address", @@ -402,12 +473,10 @@ end } end if !$NOOP - AMROOT = Process.uid == 0 - HOMEDIR = Etc.getpwuid(Process.uid).dir $opts = Optimist::options do banner <<-EOS EOS required = [] 
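Review bot: The new `$IN_AWS`/`$IN_GOOGLE`/`$IN_AZURE` address lookups in this hunk call `URI.open` with no timeout and no rescue, unlike the probes that set those flags, so an instance without a public address turns the 404 from `public-ipv4` (or `access-configs/0/external-ip`) into an uncaught `OpenURI::HTTPError` and `mu-configure` aborts before the menu appears. Guarding each read the way the detection code does, `begin ... rescue OpenURI::HTTPError, Timeout::Error, SocketError; next; end`, keeps a missing public IP from being fatal. The acceptance regex `/^\d+\.\d+\.\d+\.\d+/` is a prefix match on the first line only; `\A\d+\.\d+\.\d+\.\d+\z` would reject a multi-line or trailing-garbage body instead of unshifting it into `$possible_addresses`.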
@@ -474,70 +543,69 @@ puts "Specify --public-address and --mu-admin-email on new non-interactive configs" exit 1 end end - $IN_AWS = false - begin - Timeout.timeout(2) do - instance_id = open("http://169.254.169.254/latest/meta-data/instance-id").read - $IN_AWS = true if !instance_id.nil? and instance_id.size > 0 + + if AMROOT and !$IN_GEM + Dir.chdir("/") + if $IN_AWS + _system("#{MU_BASE}/lib/bin/mu-aws-setup --optdisk") + elsif $IN_GOOGLE + _system("#{MU_BASE}/lib/bin/mu-gcp-setup --optdisk") + elsif $IN_AZURE + _system("#{MU_BASE}/lib/bin/mu-azure-setup --optdisk") end - rescue OpenURI::HTTPError, Timeout::Error, SocketError, Errno::ENETUNREACH + exit 1 if $?.exitstatus != 0 end - $IN_GOOGLE = false - begin - Timeout.timeout(2) do - instance_id = open( - "http://metadata.google.internal/computeMetadata/v1/instance/name", - "Metadata-Flavor" => "Google" - ).read - $IN_GOOGLE = true if !instance_id.nil? and instance_id.size > 0 - end - rescue OpenURI::HTTPError, Timeout::Error, SocketError, Errno::ENETUNREACH - end - $IN_AZURE = false - begin - Timeout.timeout(2) do - instance = open("http://169.254.169.254/metadata/instance/compute?api-version=2017-08-01","Metadata"=>"true").read - $IN_AZURE = true if !instance.nil? 
and instance.size > 0 - end - rescue OpenURI::HTTPError, Timeout::Error, SocketError, Errno::ENETUNREACH, Errno::EHOSTUNREACH - end + _system("cd #{MU_BASE}/lib/modules && umask 0022 && /usr/local/ruby-current/bin/bundle install") + _system("cd #{MU_BASE}/lib/modules && umask 0022 && /opt/chef/embedded/bin/bundle install") KNIFE_TEMPLATE = "log_level :info - log_location STDOUT - node_name '<%= chefuser %>' - client_key '<%= MU_BASE %>/var/users/<%= user %>/<%= chefuser %>.user.key' - validation_client_name 'mu-validator' - validation_key '<%= MU_BASE %>/var/orgs/<%= user %>/<%= chefuser %>.org.key' - chef_server_url 'https://<%= MU.mu_public_addr %>:7443/organizations/<%= chefuser %>' - chef_server_root 'https://<%= MU.mu_public_addr %>:7443/organizations/<%= chefuser %>' - syntax_check_cache_path '<%= HOMEDIR %>/.chef/syntax_check_cache' - cookbook_path [ '<%= HOMEDIR %>/.chef/cookbooks', '<%= HOMEDIR %>/.chef/site_cookbooks' ] - <% if $MU_CFG.has_key?('ssl') and $MU_CFG['ssl'].has_key?('chain') %> - ssl_ca_path '<%= File.dirname($MU_CFG['ssl']['chain']) %>' - ssl_ca_file '<%= File.basename($MU_CFG['ssl']['chain']) %>' - <% end %> - knife[:vault_mode] = 'client' - knife[:vault_admins] = ['<%= chefuser %>']" +log_location STDOUT +node_name '<%= chefuser %>' +client_key '<%= MU_BASE %>/var/users/<%= user %>/<%= chefuser %>.user.key' +validation_client_name 'mu-validator' +validation_key '<%= MU_BASE %>/var/orgs/<%= user %>/<%= chefuser %>.org.key' +chef_server_url 'https://<%= MU.mu_public_addr %>:7443/organizations/<%= chefuser %>' +chef_server_root 'https://<%= MU.mu_public_addr %>:7443/organizations/<%= chefuser %>' +syntax_check_cache_path '<%= HOMEDIR %>/.chef/syntax_check_cache' +cookbook_path [ '<%= HOMEDIR %>/.chef/cookbooks', '<%= HOMEDIR %>/.chef/site_cookbooks' ] +<% if $MU_CFG.has_key?('ssl') and $MU_CFG['ssl'].has_key?('chain') %> +ssl_ca_path '<%= File.dirname($MU_CFG['ssl']['chain']) %>' +ssl_ca_file '<%= File.basename($MU_CFG['ssl']['chain']) %>' 
+<% end %> +knife[:vault_mode] = 'client' +knife[:vault_admins] = ['<%= chefuser %>']" CLIENT_TEMPLATE = "chef_server_url 'https://<%= MU.mu_public_addr %>:7443/organizations/<%= user %>' - validation_client_name 'mu-validator' - log_location STDOUT - node_name 'MU-MASTER' - verify_api_cert false - ssl_verify_mode :verify_none - " +validation_client_name 'mu-validator' +log_location STDOUT +node_name 'MU-MASTER' +chef_license 'accept' +verify_api_cert false +ssl_verify_mode :verify_none +" +#chef_server_url "https://127.0.0.1:7443/organizations/mu" +#validation_client_name "mu-validator" +#chef_license "accept" +#log_location STDOUT +#node_name "MU-MASTER" +#verify_api_cert false +#ssl_verify_mode :verify_none +#trusted_certs_dir "/etc/chef/trusted_certs" +#file_cache_path "/var/chef/cache" +#file_backup_path "/var/chef/backup" + PIVOTAL_TEMPLATE = "node_name 'pivotal' - chef_server_url 'https://<%= MU.mu_public_addr %>:7443' - chef_server_root 'https://<%= MU.mu_public_addr %>:7443' - no_proxy '<%= MU.mu_public_addr %>' - client_key '/etc/opscode/pivotal.pem' - ssl_verify_mode :verify_none - " +chef_server_url 'https://<%= MU.mu_public_addr %>:7443' +chef_server_root 'https://<%= MU.mu_public_addr %>:7443' +no_proxy '<%= MU.mu_public_addr %>' +client_key '/etc/opscode/pivotal.pem' +ssl_verify_mode :verify_none +" $CHANGES = [] $MENU_MAP = {} @@ -610,11 +678,11 @@ if response == "y" or response == "Y" Dir.mkdir("#{HOMEDIR}/.ssh", 0700) if !Dir.exist?("#{HOMEDIR}/.ssh") keynamestr = repo.gsub(/[^a-z0-9\-]/i, "-") + Process.pid.to_s keypath = "#{HOMEDIR}/.ssh/#{keynamestr}" puts "Paste a complete SSH private key for #{ssh_user.bold}@#{ssh_host.bold} below, then ^D" - system("cat > #{keypath}") + _system("cat > #{keypath}") File.chmod(0600, keypath) puts "Key saved to "+keypath.bold deletekey = true else return false 
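Review bot: The `exit 1 if $?.exitstatus != 0` after the `--optdisk` branch checks whichever child process ran last, which on a host that is in none of the three clouds is stale because no branch ran, so the exit decision there hinges on an unrelated earlier command. Testing the helper's return value inside each arm, `exit 1 unless _system("#{MU_BASE}/lib/bin/mu-aws-setup --optdisk")`, ties the check to the command it is meant to guard. The block of `#chef_server_url ...` lines added after `CLIENT_TEMPLATE` is commented-out configuration that duplicates the template above it and should be removed or given a one-line reason for being kept.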
@@ -722,11 +790,11 @@ ips = [] if $IN_AWS ["public-ipv4", "local-ipv4"].each { |addr| begin Timeout.timeout(2) do - ip = open("http://169.254.169.254/latest/meta-data/#{addr}").read + ip = URI.open("http://169.254.169.254/latest/meta-data/#{addr}").read ips << ip if !ip.nil? and ip.size > 0 end rescue OpenURI::HTTPError, Timeout::Error, SocketError # these are ok to ignore end @@ -734,13 +802,13 @@ elsif $IN_GOOGLE base_url = "http://metadata.google.internal/computeMetadata/v1" begin Timeout.timeout(2) do # TODO iterate across multiple interfaces/access-configs - ip = open("#{base_url}/instance/network-interfaces/0/ip", "Metadata-Flavor" => "Google").read + ip = URI.open("#{base_url}/instance/network-interfaces/0/ip", "Metadata-Flavor" => "Google").read ips << ip if !ip.nil? and ip.size > 0 - ip = open("#{base_url}/instance/network-interfaces/0/access-configs/0/external-ip", "Metadata-Flavor" => "Google").read + ip = URI.open("#{base_url}/instance/network-interfaces/0/access-configs/0/external-ip", "Metadata-Flavor" => "Google").read ips << ip if !ip.nil? and ip.size > 0 end rescue OpenURI::HTTPError, Timeout::Error, SocketError => e # This is fairly normal, just handle it gracefully end 
@@ -751,14 +819,14 @@ $CONFIGURABLES["public_address"]["default"] = $possible_addresses.first $CONFIGURABLES["hostname"]["default"] = Socket.gethostname $CONFIGURABLES["banner"]["default"] = "Mu Master at #{$CONFIGURABLES["public_address"]["default"]}" if $IN_AWS # XXX move this crap to a callback hook for puttering around in the AWS submenu - aws = JSON.parse(open("http://169.254.169.254/latest/dynamic/instance-identity/document").read) + aws = JSON.parse(URI.open("http://169.254.169.254/latest/dynamic/instance-identity/document").read) iam = nil begin - iam = open("http://169.254.169.254/latest/meta-data/iam/security-credentials").read + iam = URI.open("http://169.254.169.254/latest/meta-data/iam/security-credentials").read rescue OpenURI::HTTPError, SocketError end # $CONFIGURABLES["aws"]["subtree"]["account_number"]["default"] = aws["accountId"] $CONFIGURABLES["aws"]["subtree"]["region"]["default"] = aws["region"] if iam and iam.size > 0 @@ -912,11 +980,11 @@ if data.has_key?("subtree") puts "" if data["named_subentries"] if data['subtree']['#entries'] data['subtree']['#entries'].each_pair { |nameentry, subdata| - next if nameentry.match(/^#/) + next if nameentry.nil? or nameentry.match(/^#/) puts " "+subdata["#menu"].bold+". "+nameentry.green.on_black } end else data["subtree"].each_pair { |subkey, subdata| 
@@ -1216,17 +1284,17 @@ if AMROOT and !$IN_GEM cur_chef_version = `/bin/rpm -q chef`.sub(/^chef-(\d+\.\d+\.\d+-\d+)\..*/, '\1').chomp pref_chef_version = File.read("#{MU_BASE}/var/mu-chef-client-version").chomp if (cur_chef_version != pref_chef_version and cur_chef_version.sub(/\-\d+$/, "") != pref_chef_version) or cur_chef_version.match(/is not installed/) puts "Updating MU-MASTER's Chef Client to '#{pref_chef_version}' from '#{cur_chef_version}'" - chef_installer = open("https://omnitruck.chef.io/install.sh").read + chef_installer = URI.open("https://omnitruck.chef.io/install.sh").read File.open("#{HOMEDIR}/chef-install.sh", File::CREAT|File::TRUNC|File::RDWR, 0644){ |f| f.puts chef_installer } - system("/bin/rm -rf /opt/chef ; sh #{HOMEDIR}/chef-install.sh -v #{pref_chef_version}"); + _system("/bin/rm -rf /opt/chef ; sh #{HOMEDIR}/chef-install.sh -v #{pref_chef_version}"); # This will go fix gems, permissions, etc - system("/opt/chef/bin/chef-apply #{MU_BASE}/lib/cookbooks/mu-master/recipes/init.rb"); + _system("/opt/chef/bin/chef-apply #{MU_BASE}/lib/cookbooks/mu-master/recipes/init.rb"); end end if $INITIALIZE if AMROOT and !$IN_GEM @@ -1245,16 +1313,21 @@ $MU_CFG = $MU_CFG.merge(setConfigTree) require File.realpath(File.expand_path(File.dirname(__FILE__)+"/mu-load-config.rb")) end begin require 'mu' + rescue LoadError, Gem::MissingSpecError + _system("cd #{MU_BASE}/lib/modules && umask 0022 && /usr/local/ruby-current/bin/bundle install") + require 'bundler' + pwd = Dir.pwd + Dir.chdir(MU_BASE+"/lib/modules") + Bundler.setup + require 'mu' + Dir.chdir(pwd) rescue MU::MuError => e puts "Correct the above error before proceeding. To retry, run:\n\n#{$0.bold} #{ARGV.join(" ").bold}" exit 1 - rescue LoadError - system("cd #{MU_BASE}/lib/modules && umask 0022 && /usr/local/ruby-current/bin/bundle install") - require 'mu' end if $IN_GEM if $INITIALIZE $MU_CFG = MU.detectCloudProviders 
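Review bot: In the new `rescue LoadError, Gem::MissingSpecError` clause a failure from `Bundler.setup` or the second `require 'mu'` propagates straight out of the `begin` block — an exception raised inside a rescue clause is not handed to the sibling `rescue MU::MuError` — and it also skips `Dir.chdir(pwd)`, leaving the process in `#{MU_BASE}/lib/modules`. The block form restores the directory on every path: `Dir.chdir(MU_BASE + "/lib/modules") { Bundler.setup; require 'mu' }`; if the retry should still produce the friendly `MuError` message, wrap it in its own `begin`/`rescue`. In the preceding hunk at @@ -1216 the installer fetched from omnitruck is written to `HOMEDIR` and executed as root with no integrity check beyond the TLS connection; a comment recording that trust decision would help whoever later adds verification.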
@@ -1266,92 +1339,106 @@ MU::MommaCat.restart exit end if AMROOT and ($INITIALIZE or $CHANGES.include?("hostname")) - system("/bin/hostname #{$MU_CFG['hostname']}") + _system("/bin/hostname #{$MU_CFG['hostname']}") end + def updateChefRbs + user = AMROOT ? "mu" : Etc.getpwuid(Process.uid).name + chefuser = user.gsub(/\./, "") + templates = { HOMEDIR+"/.chef/knife.rb" => KNIFE_TEMPLATE } + Dir.mkdir(HOMEDIR+"/.chef") if !Dir.exist?(HOMEDIR+"/.chef") + if AMROOT + templates["/etc/chef/client.rb"] = CLIENT_TEMPLATE + templates["/etc/opscode/pivotal.rb"] = PIVOTAL_TEMPLATE + end + templates.each_pair { |file, template| + erb = ERB.new(template) + processed = erb.result(binding) + tmpfile = file+".tmp."+Process.pid.to_s + File.open(tmpfile, File::CREAT|File::TRUNC|File::RDWR, 0644){ |f| + f.puts processed + } + if !File.size?(file) or File.read(tmpfile) != File.read(file) + File.rename(tmpfile, file) + MU.log "Updated #{file}", MU::NOTICE + $CHANGES << "chefcerts" + else + File.unlink(tmpfile) + end + } + end + + # Do some more basic-but-Chef-dependent configuration *before* we meddle with # the Chef Server configuration, which depends on some of this (SSL certs and # local firewall ports). 
if AMROOT and ($INITIALIZE or $CHANGES.include?("chefartifacts")) MU.log "Purging and re-uploading all Chef artifacts", MU::NOTICE %x{/sbin/service iptables stop} if $INITIALIZE + if File.exists?("#{CHEF_CTL}") + _system("#{CHEF_CTL} start") + end output = %x{MU_INSTALLDIR=#{MU_BASE} MU_LIBDIR=#{MU_BASE}/lib MU_DATADIR=#{MU_BASE}/var #{MU_BASE}/lib/bin/mu-upload-chef-artifacts} if $?.exitstatus != 0 puts output MU.log "mu-upload-chef-artifacts failed, can't proceed", MU::ERR %x{/sbin/service iptables start} if !$INITIALIZE exit 1 end %x{/sbin/service iptables start} if !$INITIALIZE end + Dir.chdir(Dir.home) + if $INITIALIZE and AMROOT MU.log "Force open key firewall holes", MU::NOTICE - system("chef-client -o 'recipe[mu-master::firewall-holes]'") + _system("#{CHEF_CLIENT} -o 'recipe[mu-master::firewall-holes]'") end if AMROOT MU.log "Checking internal SSL signing authority and certificates", MU::NOTICE - if !system("chef-client -o 'recipe[mu-master::ssl-certs]'") and $INITIALIZE + if !_system("#{CHEF_CLIENT} -o 'recipe[mu-master::ssl-certs]'") and $INITIALIZE MU.log "Got bad exit code trying to run recipe[mu-master::ssl-certs]', aborting", MU::ERR exit 1 end - end - - def updateChefRbs - user = AMROOT ? "mu" : Etc.getpwuid(Process.uid).name - chefuser = user.gsub(/\./, "") - templates = { HOMEDIR+"/.chef/knife.rb" => KNIFE_TEMPLATE } - Dir.mkdir(HOMEDIR+"/.chef") if !Dir.exist?(HOMEDIR+"/.chef") - if AMROOT - templates["/etc/chef/client.rb"] = CLIENT_TEMPLATE - templates["/etc/opscode/pivotal.rb"] = PIVOTAL_TEMPLATE + if !File.size?("#{$MU_CFG['datadir']}/ssl/mommacat.crt") + MU.log "I just ran recipe[mu-master::ssl-certs]', but #{$MU_CFG['datadir']}/ssl/mommacat.crt} is still missing. 
Bailing.", MU::ERR + exit 1 end - templates.each_pair { |file, template| - erb = ERB.new(template) - processed = erb.result(binding) - tmpfile = file+".tmp."+Process.pid.to_s - File.open(tmpfile, File::CREAT|File::TRUNC|File::RDWR, 0644){ |f| - f.puts processed - } - if !File.size?(file) or File.read(tmpfile) != File.read(file) - File.rename(tmpfile, file) - MU.log "Updated #{file}", MU::NOTICE - $CHANGES << "chefcerts" - else - File.unlink(tmpfile) - end - } end if AMROOT + updateChefRbs if !$INITIALIZE erb = ERB.new(File.read("#{MU_BASE}/lib/cookbooks/mu-master/templates/default/chef-server.rb.erb")) updated_server_cfg = erb.result(binding) cfgpath = "/etc/opscode/chef-server.rb" tmpfile = "/etc/opscode/chef-server.rb.#{Process.pid}" File.open(tmpfile, File::CREAT|File::TRUNC|File::RDWR, 0644){ |f| f.puts updated_server_cfg } - if !File.size?(cfgpath) or File.read(tmpfile) != File.read(cfgpath) + if $INITIALIZE or !File.size?(cfgpath) or File.read(tmpfile) != File.read(cfgpath) File.rename(tmpfile, cfgpath) # Opscode can't seem to get things right with their postgres socket Dir.mkdir("/var/run/postgresql", 0755) if !Dir.exist?("/var/run/postgresql") if File.exist?("/tmp/.s.PGSQL.5432") and !File.exist?("/var/run/postgresql/.s.PGSQL.5432") File.symlink("/tmp/.s.PGSQL.5432", "/var/run/postgresql/.s.PGSQL.5432") elsif !File.exist?("/tmp/.s.PGSQL.5432") and File.exist?("/var/run/postgresql/.s.PGSQL.5432") File.symlink("/var/run/postgresql/.s.PGSQL.5432", "/tmp/.s.PGSQL.5432") end - MU.log "Chef Server config was modified, reconfiguring...", MU::NOTICE + MU.log "Chef Server config was modified, reconfiguring...", MU::NOTICE, details: updated_server_cfg # XXX Some undocumented port Chef needs only on startup is being blocked by # iptables. Something rabbitmq-related. Dopey workaround. 
%x{/sbin/service iptables stop} - system("/opt/opscode/bin/chef-server-ctl reconfigure") - system("/opt/opscode/bin/chef-server-ctl restart") + _system("#{CHEF_CTL} stop") + MU.retrier(wait: 10, max: 6, loop_if: Proc.new { $?.exitstatus != 0 }, loop_msg: "Trying to get chef-server-ctl reconfigure to work") { + _system("#{CHEF_CTL} reconfigure") + } + _system("#{CHEF_CTL} start") %x{/sbin/service iptables start} if !$INITIALIZE updateChefRbs $CHANGES << "chefcerts" else File.unlink(tmpfile) @@ -1359,25 +1446,25 @@ end else updateChefRbs end - if $IN_AWS and AMROOT - system("#{MU_BASE}/lib/bin/mu-aws-setup --dns --sg --logs --ephemeral") + if $IN_AWS and AMROOT# and $IN_GEM + _system("#{MU_BASE}/lib/bin/mu-aws-setup --dns --sg --logs --ephemeral") # XXX --ip? Do we really care? end if $IN_GOOGLE and AMROOT - system("#{MU_BASE}/lib/bin/mu-gcp-setup --sg --logs") + _system("#{MU_BASE}/lib/bin/mu-gcp-setup --sg --logs") end if $IN_AZURE and AMROOT - system("#{MU_BASE}/lib/bin/mu-azure-setup --sg") + _system("#{MU_BASE}/lib/bin/mu-azure-setup --sg") end if $INITIALIZE or $CHANGES.include?("chefcerts") - system("rm -f #{HOMEDIR}/.chef/trusted_certs/* ; knife ssl fetch -c #{HOMEDIR}/.chef/knife.rb") + _system("rm -f #{HOMEDIR}/.chef/trusted_certs/* ; knife ssl fetch -c #{HOMEDIR}/.chef/knife.rb") if AMROOT - system("rm -f /etc/chef/trusted_certs/* ; knife ssl fetch -c /etc/chef/client.rb") + _system("rm -f /etc/chef/trusted_certs/* ; knife ssl fetch -c /etc/chef/client.rb") end end # knife ssl fetch isn't bright enough to nab our intermediate certs, which # ironically becomes a problem when we use one from the real world. Jam it 
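Review bot: `File.exists?` in the new `if File.exists?("#{CHEF_CTL}")` guard is the deprecated alias (removed in Ruby 3.2) while the same hunk uses `File.exist?`/`Dir.exist?` elsewhere; `if File.exist?(CHEF_CTL)` is the consistent form, and the identical guard recurs in the hunk at @@ -1398. The new error message has a stray brace, `#{$MU_CFG['datadir']}/ssl/mommacat.crt}`, which prints a literal `}` after the path. The added `details: updated_server_cfg` on the reconfigure log writes the full rendered chef-server.rb into the log at NOTICE level; if that template carries any credentials (the template is not visible here) they land in the log, so logging the path or a diff is the safer choice. The `loop_if: Proc.new { $?.exitstatus != 0 }` retry condition depends on `$?` from the block's `_system` call being visible where `MU.retrier` evaluates the proc, which holds only if block and check run on the same thread.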
@@ -1398,22 +1485,30 @@ shortname = Regexp.last_match(1) repodir = MU.dataDir + "/" + shortname if !Dir.exist?(repodir) MU.log "Cloning #{repo} into #{repodir}", MU::NOTICE Dir.chdir(MU.dataDir) - system("/usr/bin/git clone #{repo}") + _system("/usr/bin/git clone #{repo}") $CHANGES << "chefartifacts" end } end if !AMROOT exit end begin + if File.exists?("#{CHEF_CTL}") + _system("#{CHEF_CTL} start") + end MU::Groomer::Chef.getSecret(vault: "secrets", item: "consul") + rescue OpenSSL::SSL::SSLError => e + if !$INITIALIZE + raise e + end + MU.log "Got SSL error connecting to Chef for vault secrets, this is normal during initial install", MU::NOTICE, details: e.message rescue MU::Groomer::MuNoSuchSecret data = { "private_key" => File.read("#{MU_BASE}/var/ssl/consul.key"), "certificate" => File.read("#{MU_BASE}/var/ssl/consul.crt"), "ca_certificate" => File.read("#{MU_BASE}/var/ssl/Mu_CA.pem") @@ -1425,27 +1520,27 @@ permissions: "name:MU-MASTER" ) end if $INITIALIZE or $CHANGES.include?("vault") MU.log "Setting up Hashicorp Vault", MU::NOTICE - system("chef-client -o 'recipe[mu-master::vault]'") + _system("#{CHEF_CLIENT} -o 'recipe[mu-master::vault]'") end + set389DSCreds if $MU_CFG['ldap']['type'] == "389 Directory Services" begin MU::Master::LDAP.listUsers rescue Exception => e # XXX lazy exception handling is lazy $CHANGES << "389ds" end if $INITIALIZE or $CHANGES.include?("389ds") File.unlink("/root/389ds.tmp/389-directory-setup.inf") if File.exist?("/root/389ds.tmp/389-directory-setup.inf") MU.log "Configuring 389 Directory Services", MU::NOTICE - set389DSCreds - system("chef-client -o 'recipe[mu-master::389ds]'") + _system("#{CHEF_CLIENT} -o 'recipe[mu-master::389ds]'") exit 1 if $? != 0 MU::Master::LDAP.initLocalLDAP - system("chef-client -o 'recipe[mu-master::sssd]'") + _system("#{CHEF_CLIENT} -o 'recipe[mu-master::sssd]'") exit 1 if $? != 0 end end # Figure out if our run list is dumb 
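Review bot: During `$INITIALIZE` the new `rescue OpenSSL::SSL::SSLError` clause logs and falls through, so on an SSL failure the `rescue MU::Groomer::MuNoSuchSecret` branch that seeds the `consul` vault item never runs and the secret is left uncreated for that run; if a later step relies on it, a comment saying where it gets created instead, or a retry once the certificates settle, is needed. Inside the clause the idiomatic re-raise is a bare `raise` rather than `raise e`. In the second hunk at @@ -1425, `set389DSCreds` now runs before and regardless of the `$MU_CFG['ldap']['type']` check, where it previously ran only in the 389DS branch; if it touches 389DS-specific state that is a behaviour change worth a sentence in the commit message.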
@@ -1472,16 +1567,16 @@ if $INITIALIZE MU::Config.emitSchemaAsRuby MU.log "Generating YARD documentation in /var/www/html/docs (see http://#{$MU_CFG['public_address']}/docs/frames.html)" File.umask(0022) - system("cd #{MU.myRoot} && umask 0022 && env -i PATH=#{ENV['PATH']} HOME=#{HOMEDIR} /usr/local/ruby-current/bin/yard doc modules -m markdown -o /var/www/html/docs && chcon -R -h -t httpd_sys_script_exec_t /var/www/html/") + _system("cd #{MU.myRoot} && umask 0022 && /usr/local/ruby-current/bin/yard doc modules -m markdown -o /var/www/html/docs && chcon -R -h -t httpd_sys_script_exec_t /var/www/html/") end MU.log "Running chef-client on MU-MASTER", MU::NOTICE - system("chef-client -o '#{run_list.join(",")}'") + _system("#{CHEF_CLIENT} -o '#{run_list.join(",")}'") if !File.exist?("#{MU_BASE}/var/users/mu/email") or !File.exist?("#{MU_BASE}/var/users/mu/realname") MU.log "Finalizing the 'mu' Chef/LDAP account", MU::NOTICE MU.setLogging(MU::Logger::SILENT) @@ -1505,14 +1600,14 @@ permissions: "name:MU-MASTER" ) end MU.log "Regenerating documentation in /var/www/html/docs" - %x{#{MU_BASE}/lib/bin/mu-gen-docs} + %x{#{CLEAN_ENV_STR} #{MU_BASE}/lib/bin/mu-gen-docs} if $INITIALIZE MU.log "Setting initial password for admin user 'mu', for logging into Nagios and other built-in services.", MU::NOTICE - puts %x{#{MU_BASE}/lib/bin/mu-user-manage -g mu -n "#{$MU_CFG['mu_admin_name']}"} + puts %x{#{CLEAN_ENV_STR} #{MU_BASE}/lib/bin/mu-user-manage -g mu -n "#{$MU_CFG['mu_admin_name']}"} MU.log "If Scratchpad web interface is not accessible, try the following:", MU::NOTICE puts "#{MU_BASE}/lib/bin/mu-user-manage -g --no-scratchpad mu".bold end if !ENV['PATH'].match(/(^|:)#{Regexp.quote(MU_BASE)}\/bin(:|$)/)
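Review bot: `CLEAN_ENV_STR` places `HOMEDIR` on the `%x{}` command line inside double quotes, so a home directory containing `"`, `$` or a backtick is re-parsed by the shell, and the same applies to `$MU_CFG['mu_admin_name']` in the `mu-user-manage` invocation, which is config-supplied text; `Shellwords.escape` (stdlib) covers both. The string prefix is avoidable altogether: `Open3.capture2(CLEAN_ENV, "#{MU_BASE}/lib/bin/mu-gen-docs")` passes the environment as a hash with no shell quoting, mirroring what `_system` already does for `system`. As with `_system`, this overlays rather than replaces the environment, unlike the `env -i` form the first hunk at @@ -1472 removed.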