Merge branch 'develop'

.gitignore

@@ -2,3 +2,4 @@ hosts
 *.retry
 credentials.yml
 docker-cred.yml
+security-cred.yml

micado-master.yml

@@ -30,7 +30,8 @@
         alertmanager: prom/alertmanager:v0.12.0
         cadvisor: google/cadvisor:v0.28.3
         consul: consul:1.0.0
-        dashboard: micado/dashboard:0.1.0
+        credential_manager: micado/credential-manager:0.2.0
+        dashboard: micado/dashboard:0.2.1
         dockervisualizer: micado/dockerviz:min-refresh
         grafana: grafana/grafana:5.1.0
         node_exporter: prom/node-exporter:v0.15.2
@@ -39,9 +40,11 @@
         prometheus: prom/prometheus:v2.1.0
         redis: redis:4.0
         toscasubmitter: micado/toscasubmitter:0.1.1
+        zorp: micado/zorpgpl:6.0.11
     - docker_package: docker-ce=17.09.1~ce-0~ubuntu
     - github_versions:
-        policykeeper: master
-        toscasubmitter: master
+        policykeeper: v0.5.0
+        toscasubmitter: v0.6.0
     - grafana_admin_pwd: secret
-    - micado_master_name: micado-master
+    - master_hostname: micado-master
+    - worker_hostname: micado-worker

roles/micado-master/files/grafana/grafana.ini

@@ -0,0 +1,6 @@
+[server]
+domain = localhost
+root_url = https://%(domain)s/grafana/
+
+[auth.anonymous]
+enabled = true

roles/micado-master/files/grafana/provisioning-datasources-prometheus.yaml

@@ -7,7 +7,7 @@ datasources:
   # <string, required> access mode. proxy or direct (Server or Browser in the UI). Required
   access: proxy
   # <string> url
-  url: "http://prometheus:9090"
+  url: "http://prometheus:9090/prometheus"
   # <bool> enable/disable basic auth
   basicAuth: false
   # <bool> allow users to edit datasources from the UI.

roles/micado-master/files/iptables/ip6tables.service

@@ -0,0 +1,11 @@
+[Unit]
+Description=Restore iptables firewall rules
+Before=network-pre.target
+
+[Service]
+Type=oneshot
+ExecStart=/sbin/ip6tables-restore -n /etc/ip6tables.conf
+
+[Install]
+WantedBy=multi-user.target
+

roles/micado-master/files/iptables/iptables.service

@@ -0,0 +1,11 @@
+[Unit]
+Description=Restore iptables firewall rules
+Before=network-pre.target
+
+[Service]
+Type=oneshot
+ExecStart=/sbin/iptables-restore -n /etc/iptables.conf
+
+[Install]
+WantedBy=multi-user.target
+

roles/micado-master/files/micado/micado.service

@@ -0,0 +1,18 @@
+[Unit]
+Description=MiCADO
+After=docker.service
+Requires=docker.service
+
+[Service]
+User=root
+Type=simple
+ExecStart=/usr/local/bin/docker-compose -f /var/lib/micado/docker-compose.yml up
+StandardOutput=syslog
+StandardError=syslog
+
+ExecStop=/usr/local/bin/docker-compose -f /var/lib/micado/docker-compose.yml stop
+TimeoutStartSec=60min
+
+[Install]
+WantedBy=multi-user.target
+

roles/micado-master/files/misc/micadoctl

@@ -0,0 +1,148 @@
+#!/usr/bin/env python3
+
+import click
+import requests
+from terminaltables import AsciiTable
+import re
+import subprocess
+
+
+def call_api_endpoint(cmd, method='get', data=None):
+    r = session.request(method, API.format(cmd), data=data)
+    try:
+        r_body = r.json()
+    except ValueError:
+        r_body = dict()
+    return r.ok, r_body
+
+
+@click.group()
+def cli():
+    """mictl is used to manage MiCADO configuration"""
+    pass
+
+
+@cli.group()
+@click.option('--api', default='http://localhost:5001/v1.1/', help='Base URL for credman API')
+def users(api):
+    """Manage users"""
+    global API
+    API = api+'{}'
+    global session
+    session = requests.Session()
+
+@users.command('list')
+def user_list():
+    """List users"""
+    ok, result = call_api_endpoint('listusers')
+    if ok:
+        data = [['Username', 'E-mail', 'Role', 'Locked']]
+        data.extend([(entry.get('username', ''),
+                     entry.get('email', '-'),
+                     entry.get('role', '-'),
+                     entry.get('locked', 'unlocked'))
+                     for entry in result
+                     ])
+        table = AsciiTable(data)
+        click.echo(table.table)
+    else:
+        click.echo(result.get('user message', 'Failed'))
+
+
+@users.command('add', short_help='Add a new user')
+@click.argument('user')
+@click.argument('password', default='')
+@click.option('--email', default=None, help='E-mail address of the user')
+def user_add(user, password, email):
+    """
+    Add a new user.
+
+    If a password is not provided one will be generated.
+    """
+    payload = {'username': user, 'email': email}
+    if password:
+        payload['password'] = password
+    ok, result = call_api_endpoint('adduser', 'post', payload)
+    if ok:
+        if not password:
+            password = re.match('Password is auto-generated. Its value is: (\S+)$',
+                                result.get('developer message', '')
+                                ).group(1)
+        click.echo("Success!\nNew password: '{}'".format(password))
+    else:
+        click.echo(result.get('user message', 'Failed'))
+
+
+@users.command('chrole')
+@click.argument('user')
+@click.argument('role', type=click.Choice(['user', 'admin']))
+def user_chrole(user, role):
+    """Change users's role"""
+    payload = {'username': user, 'newrole': role}
+    ok, result = call_api_endpoint('changerole', 'put', payload)
+    if ok:
+        click.echo("Success!")
+    else:
+        click.echo(result.get('user message', 'Failed'))
+
+
+@users.command('resetpwd')
+@click.argument('user')
+def user_resetpwd(user):
+    """Reset user's password"""
+    payload = {'username': user}
+    ok, result = call_api_endpoint('resetpwd', 'put', payload)
+    if ok:
+        password = result.get('new password', '')
+        click.echo("Success!\nNew password: '{}'".format(password))
+        click.echo(result)
+    else:
+        click.echo(result.get('user message', 'Failed'))
+
+
+@users.command('del')
+@click.argument('user')
+def user_del(user):
+    """Delete a user"""
+    payload = {'username': user}
+    ok, result = call_api_endpoint('deleteuser', 'put', payload)
+    if ok:
+        click.echo("Success!")
+    else:
+        click.echo(result.get('user message', 'Failed'))
+
+@cli.group()
+def service():
+    """Manage MiCADO services"""
+    pass
+
+def _handle_service(command):
+    try:
+        subprocess.check_call("systemctl %s micado" % command, shell=True)
+    except subprocess.CalledProcessError as e:
+        print("Failed to %s MiCADO services; error='%s'" % (command, e))
+        exit(e.returncode)
+
+@service.command('start')
+def service_start():
+    """Start MiCADO services"""
+    _handle_service("start")
+
+@service.command('stop')
+def service_start():
+    """Stop MiCADO services"""
+    _handle_service("stop")
+
+@service.command('restart')
+def service_start():
+    """Restart MiCADO services"""
+    _handle_service("restart")
+
+@service.command('status')
+def service_status():
+    """Query the status of MiCADO services"""
+    _handle_service("status")
+
+
+if __name__ == '__main__':
+    cli()

roles/micado-master/files/misc/wait-updates.sh

@@ -1,5 +1,6 @@
 #!/bin/bash
 
 while [[ `ps aufx | grep -v "grep" | grep "apt.systemd.daily" | wc -l` -gt 0 ]]; do
+	echo "The unattended-upgrades are running..."
 	sleep 1
 done