initial commit (confidential information removed)

77747ccb · Jörg Sachse · 77747ccb · 77747ccb · 77747ccb · 77747ccb
Commit 77747ccb authored 4 years ago by Jörg Sachse
--- a/.gitattributes
+++ b/.gitattributes
+# CRLF vs. LF:
+* text=auto
+# make 'git diff' use ansible-vault for vault files, so you can see decrypted
+# content if you have the password
+*.vault diff=ansible-vault merge=binary
--- a/.githooks/pre-commit
+++ b/.githooks/pre-commit
+#!/usr/bin/env bash
+#
+# An example hook script to verify what is about to be committed.
+# Called by "git commit" with no arguments.  The hook should
+# exit with non-zero status after issuing an appropriate message if
+# it wants to stop the commit.
+#
+# To enable this hook, rename this file to "pre-commit".
+if git rev-parse --verify HEAD >/dev/null 2>&1
+then
+	against=HEAD
+else
+	# Initial commit: diff against an empty tree object
+	against=$(git hash-object -t tree /dev/null)
+fi
+# If you want to allow non-ASCII filenames set this variable to true.
+allownonascii=$(git config --bool hooks.allownonascii)
+# Redirect output to stderr.
+exec 1>&2
+# Cross platform projects tend to avoid non-ASCII filenames; prevent
+# them from being added to the repository. We exploit the fact that the
+# printable range starts at the space character and ends with tilde.
+if [ "$allownonascii" != "true" ] &&
+	# Note that the use of brackets around a tr range is ok here, (it's
+	# even required, for portability to Solaris 10's /usr/bin/tr), since
+	# the square bracket bytes happen to fall in the designated range.
+	test $(git diff --cached --name-only --diff-filter=A -z $against |
+	  LC_ALL=C tr -d '[ -~]\0' | wc -c) != 0
+then
+	cat <<\EOF
+Error: Attempt to add a non-ASCII file name.
+This can cause problems if you want to work with people on other platforms.
+To be portable it is advisable to rename the file.
+If you know what you are doing you can disable this check using:
+  git config hooks.allownonascii true
+EOF
+	exit 1
+fi
+# If there are whitespace errors, print the offending file names and fail.
+# exec git diff-index --check --cached $against --
+################################################################################
+## Everything below this is customized, everything above is from the example. ##
+################################################################################
+### PREPARE
+# Expand aliases and make alias command work in the bash script.
+shopt -s expand_aliases
+REPOPATH="$(git rev-parse --show-toplevel)"
+GREP_CMD='grep -Rn --color'
+GREP_EXCLUDES="--exclude-dir=\.git --exclude-dir=\.githooks --exclude=*\.example"
+### YAMLLINT stage
+STAGED_FILES=$(git diff --cached --name-only --diff-filter=ACM)
+YAML_FILES=$(git diff --cached --name-only --diff-filter=ACM | grep ".yml$")
+if [[ ${YAML_FILES} != "" ]]; then
+	for file in ${YAML_FILES}; do
+		yamllint "${file}"
+		if [[ ${?} -ne 0 ]]; then
+			exit 1
+		fi
+	done
+fi && echo "SUCCESS: Yamllint stage."
+### VAULT detection stage
+VAULT_FILES=$(git diff --cached --name-only --diff-filter=ACM | grep ".vault$")
+if [[ ${VAULT_FILES} != "" ]]; then
+	echo "ERROR: Vaultfiles found:"
+	for file in ${VAULT_FILES}; do
+		echo "- ${file}"
+	done
+	exit 1
+fi
+# https://docs.ansible.com/ansible/latest/user_guide/vault.html#vault-format
+if [[ ${STAGED_FILES} != "" ]]; then
+	for file in ${STAGED_FILES}; do
+		grep -e "\$ANSIBLE_VAULT;[[:digit:]]\.[[:digit:]];AES256" "${file}"
+		[[ ${?} -eq 0 ]] && echo "ERROR: Ansible-Vault in String found in file '${file}'." && exit 1
+	done
+fi
+echo "SUCCESS: Vault detection stage."
+### URL detection stage
+${GREP_CMD} ${GREP_EXCLUDES} -e "http[s]*.*git.*SLUB" -e "http[s]*.*git.*slub" -e "git@" "${REPOPATH}"
+if [[ ${?} -eq 0 ]]; then
+	echo "ERROR: found internal URLs."
+	exit 1;
+fi
+echo "SUCCESS: URL detection stage."
+### IP address detection stage
+# This is pretty basic regex matching, but it's a start.
+IP_REGEX='[^a-zA-ZäöÜÄÖÜß/\\\-][0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}'
+${GREP_CMD} ${GREP_EXCLUDES} -e "${IP_REGEX}" "${REPOPATH}" | grep -v "127.0.0"
+if [[ ${?} -eq 0 ]]; then
+	echo "ERROR: found IP address."
+	exit 1;
+fi
+echo "SUCCESS: IP address detection stage."
+### SSH-Key detection stage
+${GREP_CMD} ${GREP_EXCLUDES} -e "ssh-[dr]sa " "${REPOPATH}"
+if [[ ${?} -eq 0 ]]; then
+	echo "ERROR: found SSH key."
+	exit 1;
+fi
+echo "SUCCESS: SSH Key detection stage."
+### DONE
+# Return explicit 0.
+exit 0;
--- a/.gitignore
+++ b/.gitignore
+# Compiled source #
+###################
+*.bin
+*.com
+*.class
+*.dll
+*.exe
+*.o
+*.so
+*.pyc
+__pycache__
+# Packages #
+############
+# it's better to unpack these files and commit the raw source
+# git has its own built in compression methods
+*.7z
+*.dmg
+*.gz
+*.iso
+*.jar
+*.rar
+*.tar
+*.zip
+*.tar.gz
+*.tgz
+# Logs and databases #
+######################
+*.log
+*.sql
+*.sqlite
+# OS generated files #
+######################
+.DS_Store
+.DS_Store?
+._*
+.Spotlight-V100
+.Trashes
+ehthumbs.db
+Thumbs.db
+# Linux packages #
+##################
+*.deb
+*.rpm
+# Ansible specific files #
+##########################
+*.retry
+*.vault
+# Vim #
+#######
+# swap
+[._]*.s[a-v][a-z]
+[._]*.sw[a-p]
+[._]s[a-v][a-z]
+[._]sw[a-p]
+ # session
+Session.vim
+# temporary
+.netrwhist
+# auto-generated tag files
+tags
+# Vagrant #
+###########
+.vagrant/
+*.box
+# Temporary/Build/Backup #
+##########################
+backups/
+build/
+# CONFIDENTIAL #
+################
+ssh_host_*
--- a/.yamllint
+++ b/.yamllint
+---
+# Based on ansible-lint config
+extends: default
+rules:
+  braces:
+    max-spaces-inside: 1
+    level: error
+  brackets:
+    max-spaces-inside: 1
+    level: error
+  colons:
+    max-spaces-after: -1
+    level: error
+  commas:
+    max-spaces-after: -1
+    level: error
+  comments: disable
+  comments-indentation: disable
+  document-start: disable
+  empty-lines:
+    max: 3
+    level: error
+  hyphens:
+    level: error
+  indentation: disable
+  key-duplicates: enable
+  line-length: disable
+  new-line-at-end-of-file: disable
+  new-lines:
+    type: unix
+  trailing-spaces: disable
+  truthy: disable
--- a/README.md
+++ b/README.md
+# Ansible-Role "ansible_lza_install_common"
+## Description
+This role provides all necessary post-install tasks to setup a basic multi-purpose Debian VM.
+## Prerequisites
+To use this role, the following software must be installed on your workstation:
+* ansible
+To deploy this role to a managed host, the following software must be installed on the target:
+* Python3
+* SSHd
+It is recommended to use Debian VMs as deployed by SLUB's UDA tool with this role. Otherwise you will not have access to the software packages that are located in SLUB's private Debian package repository.
+## Quick Start
+```
+	ansible-playbook site.yml [-i <INVENTORY_FILE>] [--limit <HOSTNAME>] [-u <USERNAME>] [-b]
+```
+## General Ansible usage
+Most options already have sensible defaults in `ansible.cfg`. However, you can override these defaults using CLI options/flags if you want to.
+To simply run the playbook, just call the `site.yml` playbook like this:
+```
+	ansible-playbook site.yml -u <username>
+```
+If you want to limit the execution to a subset of all hosts that are listed in the inventory, use the `-l` or `--limit` option like this:
+```
+	ansible-playbook site.yml -l <hostna*>
+	ansible-playbook site.yml -l <hostname>
+	ansible-playbook site.yml -l <hostname1>:<hostname2>:...
+	ansible-playbook site.yml -l <inventory_group>
+	ansible-playbook site.yml --limit=<hostna*>
+```
+If you do not have Vault password files in the directory above the role direcory, you have to give the Vault password before execution:
+```
+	ansible-playbook site.yml --ask-vault-pass
+```
+You can use your own inventory file by adding the `-i` or `--inventory=INVENTORY` option:
+```
+	ansible-playbook site.yml -i inventory.yml
+	ansible-playbook site.yml --inventory=inventory.yml
+```
+Tasks in this role have been tagged to enable users to only run subsets of tasks. This can be leveraged to decrease run times or run only certain tasks after small changes.
+To list all available tags, use:
+```
+	ansible-playbook site.yml --list-tags
+```
+You can then run only certain tagged tasks by using the `--tags` option:
+```
+	ansible-playbook site.yml -t tag1,tag2,...,tagN
+	ansible-playbook site.yml --tags=tag1,tag2,...,tagN
+```
+For more help with ansible-playbook, use the `--help` flag.
+## Testing the role
+Tests have been implemented using the Molecule framework. The details on using the test suite are described below `molecule/`.
+## Variables
+Many variables have been "hidden" in encrypted Ansible Vaults. For security reasons, these Vaults are maintained in a separate private internal repository of SLUB's Git. However, in order to better understand the data within the vaults, you can find `\*.vault.example` files below the `vars/` directory.
+If you work outside of SLUBArchive and have no access to the vault repository, make sure to put the necessary vaults in the expected paths at `../ansible_vaults/<ROLENAME>/`.
+## git configuration
+Just run the `setup_gitconfig.sh` script that comes with the repo to correctly setup all necessary local Git configurations.
+## Author Information
+If you have any comments or find bugs, please contact langzeitarchiv@slub-dresden.de or issue a pull request.
--- a/ansible.cfg
+++ b/ansible.cfg
+[defaults]
+# If set, configures the path to the Vault password file as an alternative to
+# specifying --vault-password-file on the command line.
+vault_identity_list = ../lza_install_common.pass, ../slub_osquery.pass
+# Path to default inventory file
+# Administrators can override this by using the "-i <inventoryfile>" CLI
+# argument.
+inventory           = ../ansible_vaults/inventory.yml
+# Remote user name
+# We DELIBERATELY set this to an non-existent non-root username to make sure
+# the role can only be run if an Administrator knows the correct remote_user
+# name and passes it as a CLI argument.
+remote_user         = non-root-user
+# By default, ansible will use the 'linear' strategy but you may want to try
+# another one
+strategy            = free
+# Don't like cows?  that's unfortunate.
+# Set to 1 if you don't want cowsay support or export ANSIBLE_NOCOWS=1
+nocows = 1
+# Custom role path that guarantees roles are always found, no matter where a
+# user checks them out.
+roles_path = ../:~/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles
+[inventory]
+# Ignore these extensions when parsing a directory as inventory source.
+ignore_extensions = .pyc, .pyo, .swp, .bak, ~, .rpm, .md, .txt, ~, .orig, .ini, .cfg, .retry
+[ssh_connection]
+# Enabling pipelining reduces the number of SSH operations required to
+# execute a module on the remote server. This can result in a significant
+# performance improvement when enabled, however when using "sudo:" you must
+# first disable 'requiretty' in /etc/sudoers
+# By default, this option is disabled to preserve compatibility with
+# sudoers configurations that have requiretty (the default on many distros).
+pipelining = True
--- a/defaults/main.yml
+++ b/defaults/main.yml
+---
+exim4_sendonly_fqdn: '{{ ansible_fqdn }}'
+exim4_sendonly_enable_tls: true
+exim4_sendonly_smarthost: ''
+exim4_sendonly_username: ''
+exim4_sendonly_password: ''
+exim_name: "{{ 'exim4' if ansible_distribution == 'Debian' else 'exim' }}"
--- a/files/README.txt
+++ b/files/README.txt
+This directory contains files, script files and directories for use with the copy/script resource.
\ No newline at end of file
--- a/files/etc/check_mk/mrpe.cfg
+++ b/files/etc/check_mk/mrpe.cfg
+Is%20a%20system/service%20restart%20needed? (interval=3600) /usr/lib/check_mk_agent/nrpe/check_needrestart.sh
--- a/files/etc/cron-apt/action.d/3-download
+++ b/files/etc/cron-apt/action.d/3-download
+autoclean -y
+dist-upgrade -y -o APT::Get::Show-Upgraded=true
+autoremove -y
--- a/files/etc/htoprc
+++ b/files/etc/htoprc
+# Beware! This file is rewritten by htop when settings are changed in the interface.
+# The parser is also very primitive, and not human-friendly.
+fields=0 3 2 48 17 18 38 39 40 2 46 47 111 49 1
+sort_key=46
+sort_direction=-1
+hide_threads=0
+hide_kernel_threads=1
+hide_userland_threads=0
+shadow_other_users=0
+show_thread_names=0
+show_program_path=1
+highlight_base_name=1
+highlight_megabytes=1
+highlight_threads=1
+tree_view=0
+header_margin=1
+detailed_cpu_time=1
+cpu_count_from_zero=0
+update_process_names=0
+account_guest_in_cpu_meter=0
+color_scheme=6
+delay=15
+left_meters=AllCPUs Memory Swap
+left_meter_modes=1 2 1
+right_meters=Tasks LoadAverage Uptime
+right_meter_modes=2 2 2
--- a/files/etc/logrotate.conf
+++ b/files/etc/logrotate.conf
+# see "man logrotate" for details
+# rotate log files weekly
+weekly
+# keep 13 weeks (so 1/4 of a year) worth of backlogs
+rotate 13
+# create new (empty) log files after rotating old ones
+create
+# uncomment this if you want your log files compressed
+compress
+# packages drop log rotation information into this directory
+include /etc/logrotate.d
+# system-specific logs may be configured here
--- a/files/etc/logrotate.d/wtmp
+++ b/files/etc/logrotate.d/wtmp
+# no packages own wtmp and btmp -- we'll rotate them here
+/var/log/wtmp {
+  monthly
+  create 0664 root utmp
+  minsize 1M
+  rotate 1
+}
+/var/log/btmp {
+  missingok
+  monthly
+  create 0600 root utmp
+  rotate 1
+}
--- a/files/etc/motd
+++ b/files/etc/motd
+============================================ WARNING! =============================================
+Login to this system is only allowed by authorized personnel. Any unauthorized access and use of 
+this system is unlawful and will be subject to civil and criminal penalties. The use of this system
+can be logged or monitored without further notice. Resulting logs can be used as evidence in court.
+============================================ WARNING! =============================================
--- a/files/etc/ntp.conf
+++ b/files/etc/ntp.conf
+# For more information about this file, see the man pages
+# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).
+driftfile /var/lib/ntp/drift
+# Permit time synchronization with our time source, but do not
+# permit the source to query or modify the service on this system.
+#restrict default nomodify notrap nopeer noquery
+# By default, exchange time with everybody, but don't allow configuration.
+restrict -4 default kod notrap nomodify nopeer noquery
+restrict -6 default kod notrap nomodify nopeer noquery
+statistics loopstats peerstats clockstats
+filegen loopstats file loopstats type day enable
+filegen peerstats file peerstats type day enable
+filegen clockstats file clockstats type day enable
+# You do need to talk to an NTP server or two (or three).
+# Eigene NTP Server verwenden
+# Standard: #server ntp.your-provider.example
+#server ptbtime1.ptb.de
+server time1.slub-dresden.de
+server time2.slub-dresden.de
+server time3.slub-dresden.de
+server time4.slub-dresden.de
+# Use public servers from the pool.ntp.org project.
+# Please consider joining the pool (http://www.pool.ntp.org/join.html).
+#server 0.rhel.pool.ntp.org iburst
+#server 1.rhel.pool.ntp.org iburst
+#server 2.rhel.pool.ntp.org iburst
+#server 3.rhel.pool.ntp.org iburst
+# Permit all access over the loopback interface.  This could
+# be tightened as well, but to do so would effect some of
+# the administrative functions.
+restrict 127.0.0.1 
+restrict ::1
+# Hosts on local network are less restricted.
+#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
+#broadcast 192.168.1.255 autokey	# broadcast server
+#broadcastclient			# broadcast client
+#broadcast 224.0.1.1 autokey		# multicast server
+#multicastclient 224.0.1.1		# multicast client
+#manycastserver 239.255.254.254		# manycast server
+#manycastclient 239.255.254.254 autokey # manycast client
+# Enable public key cryptography.
+#crypto
+includefile /etc/ntp/crypto/pw
+# Key file containing the keys and key identifiers used when operating
+# with symmetric key cryptography. 
+keys /etc/ntp/keys
+# Specify the key identifiers which are trusted.
+#trustedkey 4 8 42
+# Specify the key identifier to use with the ntpdc utility.
+#requestkey 8
+# Specify the key identifier to use with the ntpq utility.
+#controlkey 8
+# Enable writing of statistics records.
+#statistics clockstats cryptostats loopstats peerstats
+# Disable the monitoring facility to prevent amplification attacks using ntpdc
+# monlist command when default restrict does not include the noquery flag. See
+# CVE-2013-5211 for more details.
+# Note: Monitoring will not be disabled with the limited restriction flag.
+disable monitor
--- a/files/etc/profile.d/ssh-loginscreen.sh
+++ b/files/etc/profile.d/ssh-loginscreen.sh
+#!/usr/bin/env bash
+COWSAY="$(command -v cowsay)"
+PATH="${PATH}:/usr/sbin/"; export PATH
+figlet SLUBarchiv
+# figlet SLUBarchiv | lolcat
+# colored/formatted strings are not properly supported by cowsay, which in turn is not maintained any longer (as of 2019-05-31)
+#HOST="\e[1m$( cat /etc/hostname )\e[0m.slub-dresden.de"
+HOST="${HOSTNAME}.$( dnsdomainname )"
+IP="$( 
+	ip -4 -brief addr show | \
+	grep -v 'UNKNOWN' | \
+	while read -r line; do
+#		printf " %.0s" {1..21};
+		echo "$( printf " %.0s" {1..21} )${line}";
+	done
+)"
+#RELEASE="$( uname -o ) $( cat /etc/debian_version )"
+RELEASE="$( lsb_release -s -d )"
+VERSION="$( uname -rvm )"
+UPTIME="$( uptime )"
+PROCESSES="$( ps ax | wc -l | tr -d ' ' )"
+SSH_FINGERPRINT="$( ssh-keyscan "${HOSTNAME}" 2> /dev/null | ssh-keygen -E sha256 -lf - | grep '(RSA)' )"
+WEATHER="$( curl -s --max-time 2 "http://rss.accuweather.com/rss/liveweather_rss.asp?metric=1&locCode=EUR|DE|DE01069|DRESDEN|" | sed -n '/Currently:/ s/.*: \(.*\): \([0-9]*\)\([CF]\).*/\2°\3, \1/p' )"
+SUBAPP_VERSION="(not installed)"
+if [[ $( command -v dpkg ) ]]; then
+	if dpkg -l | grep -q 'submissionapplication4rosetta'; then
+		SUBAPP_VERSION="$( dpkg --status submissionapplication4rosetta | grep '^Version:' | cut -d ' ' -f 2 )"
+	fi
+fi
+# alternative weather service that provides much nicer icons. However, these icons are not shown nicely in PuTTY
+# WEATHER="$( curl -s --max-time 2 "http://de.wttr.in/Dresden?format=4 )"
+(echo -e "\
+Hostname:            ${HOST}
+Netzwerk:            Interface        Status         Adresse\n${IP}
+OS-Name/-Release:    ${RELEASE}
+OS-Version:          ${VERSION}
+Uptime / CPU-Load:  ${UPTIME}
+Running Processes:   ${PROCESSES}
+SSH-Fingerprint:     ${SSH_FINGERPRINT}
+Wetter:              ${WEATHER}
+SubApp-Version:      ${SUBAPP_VERSION}
+- Use 'tmux a'         to attach to last tmux session.
+- Press 'Strg+B' and 'd' to leave (detatch from) any tmux session. The session will continue to run in the background.
+- Consult http://tmuxcheatsheet.com for a quick start with tmux.\
+") | ${COWSAY} -T U  -W100 -f www -n
+echo ""
--- a/files/etc/skel/.bash_aliases
+++ b/files/etc/skel/.bash_aliases
+alias grep='grep --color=auto'    # coloured grep
+alias fgrep='fgrep --color=auto'  # coloured fgrep
+alias egrep='egrep --color=auto'  # coloured egrep
+alias diff='diff --color=auto'    # coloured diff
+alias ipb='ip --color --brief'    # coloured ip command (brief)
+alias ip='ip --color'             # coloured ip command
+alias ..='cd ..'
+alias ...='cd ../../'
+alias c='clear'
+alias la='ls --color -ahl'        # long-list all files
+alias ll='ls --color -A'          # short list all files (except . & ..)
+alias l='ls --color -CF'          # short list files in columns, classify
+alias mc='mc -x'                  # Midnight Commander with tmux mouse support
+alias mload='nload -u M'          # nload with default units in MByte
+# alias please='sudo'             # by special request by Andreas :-)
+alias please='sudo $(fc -ln -1)'  # https://twitter.com/zzaaho/status/1160825118597292032
+alias nfsmounts='mount | sort | column -t -s" " | grep nfs'    # pretty print all nfs mounts
--- a/files/usr/lib/check_mk_agent/nrpe/check_needrestart.sh
+++ b/files/usr/lib/check_mk_agent/nrpe/check_needrestart.sh
+#!/usr/bin/env bash
+# Checks the status of all running processes to find outdated
+# binaries/libraries that need to be restarted in order to run the latest
+# version.
+# copy plugin to the "/usr/lib/check_mk_agent/plugin" directory
+# test it via: check_mk_agent | grep -v grep | grep -A 3 "<<<local>>>"
+# REQUIREMENTS:
+# - Debian-System
+# - needrestart
+scriptname=$( basename "${0}" ".sh" )
+LOCKFILE="/var/lock/${scriptname}.lock"
+STATUS="3"
+ITEMNAME="needrestart"
+PERF_VALUES="-"
+# IMPORTANT: Set lock using "flock", NOT "touch"!!! It's atomic and doesn't have to be cleared after the script ran.
+if [[ -e "/usr/sbin/needrestart" ]]; then
+	# based on https://itrig.de/index.php?/archives/2356-checkrestart-vs.-needrestart-alte-Prozesse-nach-Paketupdates-erkennen.html
+	flock "${LOCKFILE}" /usr/sbin/needrestart -k -l -p -q
+else
+	echo "${STATUS} ${ITEMNAME} ${PERF_VALUES} Could not get status, maybe needrestart isn't installed."
+fi
+# Code checked by shellcheck (https://github.com/koalaman/shellcheck) on 2020-12-02
--- a/files/usr/local/bin/hot-add-cpu.sh
+++ b/files/usr/local/bin/hot-add-cpu.sh
+#!/bin/bash
+set -e
+# https://askubuntu.com/questions/764620/how-do-you-hotplug-enable-new-cpu-and-ram-in-a-virtual-machine
+# Bring hot-added CPUs online
+for CPU_DIR in /sys/devices/system/cpu/cpu[0-9]*; do
+    CPU=${CPU_DIR##*/}
+    echo "Found cpu: '${CPU_DIR}' ..."
+    CPU_STATE_FILE="${CPU_DIR}/online"
+    if [ -f "${CPU_STATE_FILE}" ]; then
+        if grep -qx 1 "${CPU_STATE_FILE}"; then
+            echo -e "\t${CPU} already online"
+        else
+            echo -e "\t${CPU} is new cpu, onlining cpu ..."
+            # This is where the magic happens:
+            echo 1 > "${CPU_STATE_FILE}"
+        fi
+    else
+        echo -e "\t${CPU} already configured prior to hot-add"
+    fi
+done
--- a/files/usr/local/bin/hot-add-ram.sh
+++ b/files/usr/local/bin/hot-add-ram.sh
+#!/bin/bash
+set -e
+# https://askubuntu.com/questions/764620/how-do-you-hotplug-enable-new-cpu-and-ram-in-a-virtual-machine
+# https://kb.vmware.com/s/article/1012764
+# Bring all new Memory online
+for RAM_FILE in $( find /sys/devices/system/memory/ -type f -name "state" | sort -d ); do
+    RAM="$( echo "${RAM_FILE}" | cut -d '/' -f6 )"
+    echo -n "Found RAM module '${RAM}', "
+    if grep --quiet "offline" "${RAM_FILE}"; then
+        echo "bringing it online."
+        echo "online" > "${RAM_FILE}"
+    else
+        echo "and it's already online."
+    fi
+done