Merge remote-tracking branch 'origin/main' into HEAD

CODEOWNERS

@@ -0,0 +1 @@
+* @etsy/chef-maintainers

cookbooks/fb_apache/README.md

@@ -17,6 +17,7 @@ Attributes
 * node['fb_apache']['module_packages']
 * node['fb_apache']['enable_default_site']
 * node['fb_apache']['extra_configs']
+* node['fb_apache']['status_config']
 * node['fb_apache']['mpm']
 
 Usage
@@ -208,10 +209,13 @@ and we've pre-populated all the common modules on both distro variants.
 Finally, `node['fb_apache']['modules_directory']` is set to the proper module
 directory for your distro, but you may override it if you'd like.
 
-### Extra Configs
+### Extra Configs & Status Configs
 Everything in `node['fb_apache']['extra_configs']` will be converted from hash
 syntax to Apache Config syntax in the same 1:1 manner as the `sites` hash above
 and put into an `fb_apache.conf` config file.
 
+The same is true for for `node['fb_apache]['status_config]` which is by-default
+used to manage the `server-status` directive found in the `status.conf`file. 
+
 ### MPM
 Allows to chose mpm module used. It can be prefork, worker or event.

cookbooks/fb_apache/attributes/default.rb

@@ -75,7 +75,7 @@
 when 'debian'
   {
     'htcacheclean_run' => 'auto',
-    'htcacheclean_mode' => 'daeon',
+    'htcacheclean_mode' => 'daemon',
     'htcacheclean_size' => '300M',
     'htcacheclean_daemon_interval' => '120',
     'htcacheclean_path' => '/var/cache/apache2/mod_cache_disk',
@@ -90,6 +90,11 @@
   'manage_packages' => true,
   'enable_default_site' => true,
   'sites' => {},
+  'status_config' => {
+    'Location /server-status' => {
+      'SetHandler' => 'server-status'
+    },
+  },
   'extra_configs' => {},
   'modules' => modules,
   'modules_directory' => moddir,

cookbooks/fb_apache/libraries/default.rb

@@ -28,37 +28,55 @@ def self.indentstr(indent)
       '  ' * indent
     end
 
-    # Map a hash to a apache-style syntax
-    def self.template_hash_handler(buf, indent, kw, data)
-      if HANDLERS.keys.include?(kw)
-        self.send(HANDLERS[kw], buf, indent, kw, data)
-        return
-      end
-      buf << indentstr(indent)
-      buf << "<#{kw}>\n"
-      data.each do |key, val|
+    def self.render_apache_conf(buf, depth, config)
+      config.each do |kw, val|
+        if HANDLERS.keys.include?(kw)
+          self.send(HANDLERS[kw], buf, depth, val)
+          next
+        end
+
+        indent = indentstr(depth)
+
         case val
-        when String
-          buf << indentstr(indent + 1)
-          buf << "#{key} #{val}\n"
+        when String, Integer
+          buf << indent
+          buf << "#{kw} #{val}\n"
+
+        when Array
+          val.each do |entry|
+            buf << indent
+            buf << "#{kw} #{entry}\n"
+          end
+
         when Hash
-          template_hash_handler(buf, indent + 1, key, val)
+          buf << indent
+          buf << "<#{kw}>\n"
+
+          render_apache_conf(buf, depth + 1, val)
+
+          buf << indent
+          buf << "</#{kw.split[0]}>\n"
+
+        else
+          fail "fb_apache: bad type for value of #{kw}: #{val.class}"
         end
       end
-      buf << indentstr(indent)
-      buf << "</#{kw.split[0]}>\n"
     end
 
     # Helper for rewrite syntax
-    def self.template_rewrite_helper(buf, _indent, _key, rules)
+    def self.template_rewrite_helper(buf, depth, rules)
+      indent = indentstr(depth)
+
       rules.each do |name, ruleset|
-        buf << indentstr(1)
+        buf << indent
         buf << "# #{name}\n"
+
         ruleset['conditions']&.each do |cond|
-          buf << indentstr(1)
+          buf << indent
           buf << "RewriteCond #{cond}\n"
         end
-        buf << indentstr(1)
+
+        buf << indent
         buf << "RewriteRule #{ruleset['rule']}\n\n"
       end
     end

cookbooks/fb_apache/recipes/default.rb

@@ -72,6 +72,11 @@
     end
   end
 
+baseconfig = value_for_platform_family(
+ 'rhel' => "#{httpdir}/conf/httpd.conf",
+ 'debian' => "#{httpdir}/apache2.conf",
+)
+
 sitesdir = value_for_platform_family(
   'rhel' => confdir,
   'debian' => "#{httpdir}/sites-enabled",
@@ -147,12 +152,30 @@
   end
 end
 
+# By default the apache package installs some default config files which we're probably not interested in
+if node['platform_family'] == 'rhel'
+  %w{autoindex ssl userdir welcome}.each do |file|
+    file "#{sitesdir}/#{file}.conf" do
+      not_if { node['fb_apache']['enable_default_site'] }
+      action :delete
+    end
+  end
+end
+
 # The package comes pre-installed with module configs, but we dropp off our own
 # in fb_modules.conf. Also, we don't want non-Chef controlled module configs.
 fb_apache_cleanup_modules 'doit' do
   mod_dir moddir
 end
 
+template baseconfig do
+  owner node.root_user
+  group node.root_group
+  mode '0644'
+  notifies :verify, 'fb_apache_verify_configs[doit]', :before
+  notifies :reload, 'service[apache]'
+end
+
 template "#{moddir}/fb_modules.conf" do
   not_if { node.centos6? }
   owner node.root_user
@@ -193,7 +216,6 @@
   owner node.root_user
   group node.root_group
   mode '0644'
-  variables(:location => '/server-status')
   notifies :verify, 'fb_apache_verify_configs[doit]', :before
   notifies :restart, 'service[apache]'
 end
@@ -222,6 +244,12 @@
     only_if { node['fb_apache']['enable_default_site'] }
     to '../sites-available/000-default.conf'
   end
+
+  %w{charset localized-error-pages other-vhosts-access-log security serve-cgi-bin}.each do |file|
+    file "#{confdir}/#{file}.conf" do
+      action :delete
+    end
+  end
 end
 
 service 'apache' do

cookbooks/fb_apache/resources/verify_configs.rb

@@ -33,11 +33,37 @@
     # `/tmp/<whatever>`. This way, all the other configurations in the temp
     # folder are correctly loaded and verified.
     Chef::Log.debug("fb_apache: modify contents of '#{tdir}/conf/httpd.conf'")
-    file = Chef::Util::FileEdit.new("#{tdir}/conf/httpd.conf")
-    file.search_file_replace_line(%r{^ServerRoot "/etc/httpd"$},
-                                  "ServerRoot \"#{tdir}\"") ||
-      fail('Apache validation failed. Cannot find `ServerRoot /etc/httpd`')
-    file.write_file
+    if node.rhel_family?
+      # Generate the base apache config before doing the path substitution trickery below.
+      build_resource(:template,
+                     "#{tdir}/conf/httpd.conf") do
+        source 'httpd.conf.erb'
+        owner 'root'
+        group 'root'
+        mode '0644'
+      end.run_action(:create)
+      # This is
+      file = Chef::Util::FileEdit.new("#{tdir}/conf/httpd.conf")
+      file.search_file_replace_line(%r{^ServerRoot "/etc/httpd"$},
+                                        "ServerRoot \"#{tdir}\"") ||
+            fail('Apache validation failed. Cannot find `ServerRoot /etc/httpd`')
+          file.write_file
+    else node.debian_family?
+      # Generate the base apache config before doing the path substitution trickery below.
+      build_resource(:template,
+                     "#{tdir}/apache2.conf") do
+        source 'apache2.conf.erb'
+        owner 'root'
+        group 'root'
+        mode '0644'
+      end.run_action(:create)
+      file = Chef::Util::FileEdit.new("#{tdir}/apache2.conf")
+      file.search_file_replace_line(%r{^.?ServerRoot "/etc/apache2"$},
+                                        "ServerRoot \"#{tdir}\"") ||
+            fail('Apache validation failed. Cannot find `ServerRoot /etc/apache2`')
+          file.write_file
+    end
+
 
     # we manually build the resource so that Chef does not add these to its
     # resource collection and hence not track it for "updates".

cookbooks/fb_apache/templates/default/apache2.conf.erb

@@ -0,0 +1,3 @@
+# This file is controlled by Chef, do not edit!
+
+<% FB::Apache.render_apache_conf(_buf, 0, node['fb_apache']['httpd_config']) %>

cookbooks/fb_apache/templates/default/fb_apache.conf.erb

@@ -3,5 +3,4 @@
 <%=   render 'apache_modules.erb' %>
 
 <%  end %>
-<%= render 'apache_conf.erb',
-        :variables => {:conf => node['fb_apache']['extra_configs']} %>
+<% FB::Apache.render_apache_conf(_buf, 0, node['fb_apache']['extra_configs']) %>

cookbooks/fb_apache/templates/default/fb_sites.conf.erb

@@ -3,7 +3,7 @@
 <% realvhost = conf['_virtualhost'] || vhost %>
 <VirtualHost <%= realvhost %>>
 <%   conf.reject! { |x, y| x == '_virtualhost' } %>
-<%=  render 'apache_conf.erb', :variables => {:conf => conf} %>
+<%   FB::Apache.render_apache_conf(_buf, 1, conf) %>
 </VirtualHost>
 
 <% end %>

cookbooks/fb_apache/templates/default/httpd.conf.erb

@@ -0,0 +1,3 @@
+# This file is controlled by Chef, do not edit!
+
+<% FB::Apache.render_apache_conf(_buf, 0, node['fb_apache']['httpd_config']) %>

cookbooks/fb_apache/templates/default/status.erb

@@ -1,3 +1,3 @@
-<Location "<%= @location %>">
-    SetHandler server-status
-</Location>
+# This file is controlled by Chef, do not edit!
+
+<% FB::Apache.render_apache_conf(_buf, 0, node['fb_apache']['status_config']) %>

cookbooks/fb_apt/README.md

@@ -23,6 +23,7 @@ Attributes
 * node['fb_apt']['preserve_unknown_keyrings']
 * node['fb_apt']['allow_modified_pkg_keyrings']
 * node['fb_apt']['apt_update_log_path']
+* node['fb_apt']['apt_update_strace_path']
 
 Usage
 -----
@@ -113,3 +114,10 @@ want to use Chef to upgrade across distros, however, you can set
 Set `node['fb_apt']['apt_update_log_path']` to log stdout and stderr of the
 `apt-get update` command invoked by this cookbook. This may be useful for
 debugging purposes. The caller must handle log rotation.
+
+Similarly, set `node['fb_apt']['apt_update_strace_path']` to capture strace
+output of the `apt-get update` command invoked by this cookbook. This may be
+useful for debugging purposes. Set `node['fb_apt']['apt_update_strace_flags']`
+to override the default strace flags (`-v -f -yy -Y -ttt -T -s4096 -A`). Note
+that by default, the log is appended to on each invocation. The caller must
+handle log rotation.

cookbooks/fb_apt/attributes/default.rb

@@ -39,6 +39,8 @@
   'preserve_unknown_keyrings' => false,
   'allow_modified_pkg_keyrings' => false,
   'apt_update_log_path' => nil,
+  'apt_update_strace_path' => nil,
+  'apt_update_strace_flags' => '-v -f -yy -Y -ttt -T -s4096 -A',
 }
 # fb_apt must be defined for this to work...
 keys = FB::Apt.get_official_keyids(node).map { |id| [id, nil] }.to_h

cookbooks/fb_apt/recipes/default.rb

@@ -98,8 +98,11 @@
 execute 'apt-get update' do
   command(lazy do
     log_path = node['fb_apt']['apt_update_log_path']
-    cmd_suffix = " >>#{Shellwords.shellescape(log_path)} 2>&1" if log_path
-    "apt-get update#{cmd_suffix}"
+    strace_path = node['fb_apt']['apt_update_strace_path']
+    strace_flags = node['fb_apt']['apt_update_strace_flags']
+    cmd_suffix = " >>#{log_path.shellescape} 2>&1" if log_path
+    cmd_prefix = "strace #{strace_flags} -o #{strace_path.shellescape} " if strace_path && ::File.exist?('/usr/bin/strace')
+    "#{cmd_prefix}apt-get update#{cmd_suffix}"
   end)
   action :nothing
 end

cookbooks/fb_collectd/recipes/default.rb

@@ -18,8 +18,8 @@
 # limitations under the License.
 #
 
-unless node.centos? || node.debian? || node.ubuntu?
-  fail 'fb_collectd is only supported on CentOS, Debian or Ubuntu.'
+unless node.rhel_family? || node.debian? || node.ubuntu?
+  fail 'fb_collectd is only supported on RHEL and family, Debian, or Ubuntu.'
 end
 
 case node['platform_family']

cookbooks/fb_collectd/recipes/frontend.rb

@@ -18,8 +18,8 @@
 # limitations under the License.
 #
 
-unless node.centos? || node.debian? || node.ubuntu?
-  fail 'fb_collectd is only supported on CentOS, Debian or Ubuntu.'
+unless node.rhel_family? || node.debian? || node.ubuntu?
+  fail 'fb_collectd is only supported on RHEL and family, Debian, or Ubuntu.'
 end
 
 case node['platform_family']

cookbooks/fb_init_sample/metadata.rb

@@ -57,6 +57,8 @@
   'fb_screen',
   'fb_sdparm',
   'fb_securetty',
+  'fb_ssh',
+  'fb_sssd',
   'fb_storage',
   'fb_stunnel',
   'fb_sudo',

cookbooks/fb_init_sample/recipes/default.rb

@@ -49,7 +49,8 @@
   include_recipe 'fb_launchd'
 end
 include_recipe 'fb_nsswitch'
-# HERE: ssh
+include_recipe 'fb_ssh'
+include_recipe 'fb_sssd'
 include_recipe 'fb_less'
 if node.linux? && !node.embedded? && !node.container?
   include_recipe 'fb_ethtool'