WinRM? More like "rm windows" #74

Merged
merged 68 commits into from
Dec 8, 2017
Commits
68 commits
1f1fe00
some workarounds for Cygwin ssh difficulties
Aug 29, 2017
8cc3a5d
backport the_goog's abstraction of deploy secret handling to cloud st…
Aug 29, 2017
ae3e15c
add SAN to our internally-signed node certs; bump to v3; add a -winrm…
Aug 29, 2017
47b179e
mu-node-manage -m certs to fill in missing certs (but especially winrm)
Aug 30, 2017
c615c94
new Windows metadata, which in theory enables WinRM certificate auth
Aug 31, 2017
2f802fd
shrink Windows userdata script a smidge
Aug 31, 2017
7f7086c
mu-node-manage: don't touch unrelated autoscale groups when manipulat…
Aug 31, 2017
dcad9e6
better debugging logging around WinRM bits
Aug 31, 2017
a13f9aa
scrub extraneous logic from Windows userdata; fix some edge cases and…
Sep 11, 2017
ce28980
WinRM: workaround for hostname resolution (/etc/hosts, ew); cert auth…
Sep 18, 2017
fa59c11
Merge branch 'master' into winrm_more_like_rm_windows
Sep 19, 2017
5d13fe0
suspect mu-tools windows_users resource has been meddling with sshd d…
Sep 25, 2017
2c1a5d6
Merge branch 'master' into winrm_more_like_rm_windows
Sep 25, 2017
762ff6a
Merge branch 'master' into winrm_more_like_rm_windows
Sep 25, 2017
f84bf91
now do it right, chowderhead
Sep 25, 2017
1408326
WinRM breakthrough: successfully getting a shell with certificate auth
Oct 3, 2017
85ebeea
knife bootstrap working over winrm; Chef runs invoke correctly (but c…
Oct 5, 2017
848a9ae
bump Chef version; start on a non-cygwin opensshd for Windows
Oct 6, 2017
d9c3e39
pull knife-windows from our fork until the Chef people take my pull r…
Oct 10, 2017
6875467
Cygwin install back in play, but not in the critical path (much)
Oct 10, 2017
f75e0a6
Chef Server has *problems*
Oct 11, 2017
dd6135c
split list of localhost firewall holes for Chef server
Oct 11, 2017
626b25a
shuffle windows userdata a bit
Oct 11, 2017
90565df
weird workarounds for bundling a gem from git
Oct 11, 2017
88f62d3
mu-node-manage: gracefully try WinRM to do things, then fail to ssh i…
Oct 12, 2017
23896c4
mu-master cookbook fixlets
Oct 17, 2017
7a20f5a
further Windows bootstrap hokey-pokey
Oct 18, 2017
c533710
comment extraneous install of knife-windows gem
Oct 19, 2017
ee35a64
we're going to try *not* bundling our gems into /opt/opscode and see …
Oct 19, 2017
f1012b9
minor YARD doc updates
Oct 19, 2017
3e56e28
Merge branch 'master' into winrm_more_like_rm_windows
Oct 19, 2017
2b280f4
remove accidental hardcoded mommacat IP from userdata; tweaks to Wind…
jstange Oct 19, 2017
1aa26cb
Merge branch 'winrm_more_like_rm_windows' of github.com:/cloudamatic/…
jstange Oct 19, 2017
83b0b29
more reboot assistance for stuck windows nodes
jstange Oct 19, 2017
4d01bb6
handle windows' stuff sshd service differently if not in a domain
jstange Oct 19, 2017
b453299
catch some aggravating errors
jstange Oct 19, 2017
2b39c11
don't accept dumb values like 'localhost' for public_addr
jstange Oct 19, 2017
97371c2
signing a CSR: scene missing?
jstange Oct 19, 2017
f8f0d8d
parens around args to MU.log so it doesn't think spaces mean more args
jstange Oct 19, 2017
8a38ebb
new win2k12 stock AMIs; cleaner script for old base images
jstange Oct 24, 2017
74051b5
mu-tools windows_users resource: name the temporary password setter r…
Oct 24, 2017
db05d6b
don't log passwords to plain text in windows userdata, fool
Oct 25, 2017
cd03e8b
installer: take a branch argument
Oct 26, 2017
22d8de8
mu-configure: drop out quicker if LDAP setup fails
Oct 26, 2017
61c7306
389ds setup script bug workaround
Oct 26, 2017
9017f27
more workarounds for new bugs in SSSD and 389DS vendor packages (than…
Oct 26, 2017
ea0d5d6
auto-regenerate expired node SSL certs
Oct 27, 2017
4a22367
windows: existing nodes can try ssh if winrm grooms fail; installer: …
Oct 30, 2017
a544bf2
tighter retry logic for windows in Chef groomer's run method
Oct 30, 2017
5e7230c
init.rb: put the right branch name in this testing branch, eh wot
Oct 31, 2017
28f6bb8
make manual VPC peering connection acceptance a warning so it jumps o…
Nov 1, 2017
e7da04e
we don't need these old knife-windows diffs anymore
Nov 1, 2017
b9a4c72
mu-configure: don't keel over if the user enters a wrong (stub) menu …
Nov 3, 2017
9db9307
VPC manual peering warning: clarify that setting is per-account
jstange Nov 3, 2017
4b837e4
deploy nits for non-root users
jstange Nov 6, 2017
8b02939
better check for bogus menu options in mu-configure
Nov 7, 2017
cab9c1c
don't blow up when an ungroomed node calls to momma
Nov 8, 2017
6153d20
AWS: always try to rig up ephemeral volumes, if the AMI didn't presen…
jstange Nov 15, 2017
d577f48
see if we can avoid the Chef git resource leaving us on the 'deploy' …
Nov 24, 2017
0b96f4f
testing pre-commit hook to auto-set branch name in installer
Nov 24, 2017
aa42907
be better at paths in pre-commit hook
Nov 24, 2017
7d016f1
cleaner display of branch heads-up in installer stub
Nov 24, 2017
3eb9592
work around dumb Chef git resource checkout behavior
Nov 24, 2017
c10b839
custom DNS records for ALBs don't alias correctly; work around with C…
Nov 28, 2017
96c2054
more aggressive validation of bad inputs in mu-configure
Nov 28, 2017
d13277c
polish for new mu-configure validation behavior
Nov 28, 2017
6d69477
a little more tweaking for mu-configure's new validation pickiness
Nov 30, 2017
7f39312
mu-configure: don't just run as soon as we see a valid config
Dec 1, 2017
2 changes: 2 additions & 0 deletions Berksfile
@@ -42,3 +42,5 @@ cookbook 'runit', '~> 1.7'
cookbook 's3fs', path: "#{cookbookPath}/s3fs"
cookbook 'zipfile', '~> 0.1.0'
#cookbook 'hashicorp-vault', '~> 2.5.0', git: "https://github.com/johnbellone/vault-cookbook"
cookbook 'demo', path: "#{siteCookbookPath}/demo"
cookbook 'windows', '= 3.2.0'
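Review bot: `cookbook 'windows', '= 3.2.0'` is an exact pin while every neighbouring entry uses a pessimistic (`~>`) constraint; add a short comment on why 3.2.0 specifically (the lock shows `perl` only needs `windows (>= 3.0)`), since an exact pin silently blocks later patch releases of the cookbook this PR adds.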
78 changes: 62 additions & 16 deletions Berksfile.lock
@@ -4,7 +4,10 @@ DEPENDENCIES
awscli
path: cookbooks/awscli
build-essential (~> 8.0)
chef-vault (< 3.0.0)
chef_nginx (~> 6.1.1)
demo
path: site_cookbooks/demo
freebsd (~> 0.1.9)
gunicorn (~> 1.1.2)
logrotate (~> 1.9.2)
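Review bot: `chef-vault (< 3.0.0)` appears as a new DEPENDENCIES entry in the lock, yet the Berksfile diff above records only two additions (`demo` and `windows`); either the chef-vault constraint already lived in Berksfile and the lock was stale, or the Berksfile hunk carrying that change is missing from this PR. Worth confirming which, so Berksfile and Berksfile.lock don't drift.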
@@ -42,11 +45,29 @@ DEPENDENCIES
runit (~> 1.7)
s3fs
path: cookbooks/s3fs
windows (= 3.2.0)
zipfile (~> 0.1.0)

GRAPH
apache2 (3.3.1)
apt (6.1.3)
application (5.2.0)
poise (~> 2.4)
poise-service (~> 1.0)
application_python (4.0.0)
application (~> 5.0)
poise (~> 2.0)
poise-python (~> 1.0)
poise-service (~> 1.0)
application_ruby (4.1.0)
application (~> 5.0)
poise (~> 2.0)
poise-ruby (~> 2.1)
poise-service (~> 1.0)
apt (6.1.4)
ark (3.1.0)
build-essential (>= 0.0.0)
seven_zip (>= 0.0.0)
windows (>= 0.0.0)
aws (2.9.3)
ohai (>= 2.1.0)
awscli (0.2.1)
@@ -56,8 +77,7 @@ GRAPH
mingw (>= 1.1)
seven_zip (>= 0.0.0)
chef-sugar (3.4.0)
chef-vault (3.0.0)
compat_resource (>= 12.16.3)
chef-vault (2.1.1)
chef_nginx (6.1.1)
build-essential (>= 0.0.0)
compat_resource (>= 12.16.3)
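Review bot: the graph moves chef-vault from 3.0.0 down to 2.1.1 (and drops its `compat_resource` dependency); a downgrade of the cookbook that manages encrypted data bags deserves a line in the commit or PR text explaining the `< 3.0.0` bound, and any site cookbook using chef-vault 3.x resource names should be checked for breakage.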
@@ -79,15 +99,24 @@ GRAPH
cpan (0.0.37)
database (6.1.1)
postgresql (>= 1.0.0)
dmg (4.0.0)
demo (0.3.0)
application (>= 0.0.0)
application_python (>= 0.0.0)
application_ruby (>= 0.0.0)
chef-vault (>= 0.0.0)
chef_nginx (>= 0.0.0)
git (>= 0.0.0)
mysql (>= 0.0.0)
nodejs (>= 0.0.0)
php (>= 0.0.0)
ruby_build (>= 0.0.0)
dpkg_autostart (0.2.0)
firewall (2.6.2)
chef-sugar (>= 0.0.0)
freebsd (0.1.10)
git (6.1.0)
git (8.0.0)
build-essential (>= 0.0.0)
dmg (>= 0.0.0)
yum-epel (>= 0.0.0)
homebrew (>= 0.0.0)
golang (1.7.0)
gunicorn (1.1.6)
python (>= 0.0.0)
@@ -98,12 +127,12 @@ GRAPH
poise-service (~> 1.1)
rubyzip (~> 1.0)
homebrew (4.2.0)
hostsfile (2.4.5)
hostsfile (3.0.1)
java (1.50.0)
apt (>= 0.0.0)
homebrew (>= 0.0.0)
windows (>= 0.0.0)
jenkins (5.0.3)
jenkins (5.0.4)
compat_resource (>= 12.16.3)
dpkg_autostart (>= 0.0.0)
runit (>= 1.7)
@@ -174,6 +203,7 @@ GRAPH
chef-vault (>= 0.0.0)
database (>= 0.0.0)
java (>= 0.0.0)
mu-activedirectory (>= 0.0.0)
mu-firewall (>= 0.0.0)
mu-splunk (>= 0.0.0)
mu-utility (>= 0.0.0)
@@ -185,7 +215,7 @@ GRAPH
yum-epel (>= 0.0.0)
mu-utility (0.6.0)
windows (>= 0.0.0)
mysql (8.4.0)
mysql (8.5.1)
mysql-chef_gem (0.0.5)
build-essential (>= 0.0.0)
mysql (>= 0.0.0)
@@ -203,19 +233,23 @@ GRAPH
perl (>= 0.0.0)
runit (>= 0.0.0)
yum-epel (>= 0.0.0)
nodejs (4.0.0)
ark (>= 2.0.2)
build-essential (>= 0.0.0)
compat_resource (>= 12.16)
nrpe (2.0.2)
build-essential (>= 0.0.0)
yum-epel (>= 0.0.0)
nssm (3.0.2)
nssm (4.0.0)
windows (>= 0.0.0)
ohai (5.1.0)
ohai (5.2.0)
openssl (7.1.0)
oracle-instantclient (1.1.0)
build-essential (>= 0.0.0)
cpan (>= 0.0.0)
php (>= 0.0.0)
packagecloud (0.3.0)
perl (5.2.0)
perl (5.2.1)
windows (>= 3.0)
php (4.5.0)
build-essential (>= 0.0.0)
@@ -224,16 +258,28 @@ GRAPH
poise (2.8.1)
poise-archive (1.5.0)
poise (~> 2.6)
poise-languages (2.1.1)
poise (~> 2.5)
poise-archive (~> 1.0)
poise-python (1.6.0)
poise (~> 2.7)
poise-languages (~> 2.0)
poise-ruby (2.3.0)
poise (~> 2.0)
poise-languages (~> 2.0)
poise-service (1.5.2)
poise (~> 2.0)
postfix (5.0.3)
postfix (5.1.1)
postgresql (6.1.1)
build-essential (>= 2.0.0)
compat_resource (>= 12.16.3)
openssl (>= 4.0)
python (1.4.7)
build-essential (>= 0.0.0)
yum-epel (>= 0.0.0)
ruby_build (1.1.0)
git (>= 0.0.0)
yum-epel (>= 0.0.0)
rubyzip (1.3.1)
poise (~> 2.2)
runit (1.8.0)
@@ -252,11 +298,11 @@ GRAPH
consul-cluster (~> 2.0)
hashicorp-vault (~> 2.1)
ssl_certificate (~> 1.11)
windows (3.1.1)
windows (3.2.0)
ohai (>= 4.0.0)
yum (3.13.0)
yum-epel (2.1.2)
compat_resource (>= 12.16.3)
zap (0.15.1)
zap (1.1.0)
zipfile (0.1.0)
zypper (0.4.0)
30 changes: 27 additions & 3 deletions bin/mu-aws-setup
@@ -40,9 +40,10 @@ Usage:
EOS
opt :ip, "Attempt to configure the IP requested in the CHEF_PUBLIC_IP environment variable, or if none is set, to associate an arbitrary Elastic IP.", :require => false, :default => false, :type => :boolean
opt :sg, "Attempt to configure a Security Group with appropriate permissions.", :require => false, :default => false, :type => :boolean
opt :logs, "Ensure the presence of an S3 bucket prefixed with 'Mu_Logs' for use with CloudTrails, syslog, etc.", :require => false, :default => false, :type => :boolean
opt :logs, "Ensure the presence of a cloud storage bucket for use with CloudTrails, syslog, deploy secrets, node SSL certificates, etc.", :require => false, :default => false, :type => :boolean
opt :dns, "Ensure the presence of a private DNS Zone called for internal amongst Mu resources.", :require => false, :default => false, :type => :boolean
opt :uploadlogs, "Push today's log files to the S3 bucket created by the -l option.", :require => false, :default => false, :type => :boolean
opt :ephemeral, "Make sure all of our instance store (ephemeral) block devices are mapped and available.", :require => false, :default => false, :type => :boolean
end

my_instance_id = MU::Cloud::AWS.getAWSMetaData("instance-id")
@@ -52,6 +53,20 @@ instance = resp.reservations.first.instances.first

preferred_ip = MU.mu_public_ip

if $opts[:ephemeral]
if instance.instance_type.match(/^(t2|m4)\./)
MU.log "t2 and m4 instance types do not have ephemeral volumes, skipping setup", MU::WARN
else
# instance.block_device_mappings.each { |dev|
# next if dev.ebs
# }
MU::Cloud::AWS.ec2.modify_instance_attribute(
instance_id: instance.instance_id,
block_device_mappings: MU::Cloud::AWS::Server.ephemeral_mappings
)
end
end

# Create a security group, or manipulate an existing one, so that we have all
# of the appropriate network holes.
if $opts[:sg]
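Review bot: the guard `if instance.instance_type.match(/^(t2|m4)\./)` is a deny-list that will go stale: other EBS-only families (c4 and r4 at the time of this change, and any newer type) fall through to `modify_instance_attribute` with `MU::Cloud::AWS::Server.ephemeral_mappings`, which is exactly the case the WARN branch was meant to avoid. Deriving the device list from what the instance type actually offers, or rescuing the EC2 error and logging it at WARN, would be more robust than maintaining the regex. The commented-out `instance.block_device_mappings.each` loop should also be deleted before merge, since it documents nothing.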
@@ -186,6 +201,15 @@ if $opts[:logs]
body: "#{key}"
)
end
if File.exists?("#{MU.mySSLDir}/Mu_CA.pem")
MU.log "Putting the Mu Master's public SSL certificate into #{$bucketname}/Mu_CA.pem"
MU::Cloud::AWS.s3.put_object(
bucket: $bucketname,
key: "Mu_CA.pem",
body: File.read("#{MU.mySSLDir}/Mu_CA.pem"),
acl: "public-read",
)
end

# MU.log "Uploading Mu_CA.pem to #{$bucketname}"
# MU::Cloud::AWS.s3.put_object(
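Review bot: `acl: "public-read"` on the Mu_CA.pem upload puts a public object ACL in `$bucketname`, the same bucket the updated `-l` help text says now holds deploy secrets and node SSL certificates. The CA certificate itself is not secret, but a bucket that has to accept public object ACLs cannot be locked down with a blanket public-access block, which removes a safety net for every other key in it; a separate bucket for the public cert, or handing it to nodes through an authenticated path, keeps the secrets bucket fully private. Two smaller points: `File.exists?` is deprecated in favour of `File.exist?`, and the commented-out "Uploading Mu_CA.pem" block that follows is superseded by this code and should go.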
@@ -196,8 +220,8 @@ if $opts[:logs]
# )

resp = MU::Cloud::AWS.s3.list_objects(
bucket: $bucketname,
prefix: "log_vol_ebs_key"
bucket: $bucketname,
prefix: "log_vol_ebs_key"
)
owner = MU.structToHash(resp.contents.first.owner)
