RubyGems - cloud-mu - Versions diffs - 1.9.0.pre.beta - Mend

cloud-mu 1.9.0.pre.beta

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (618) hide show

checksums.yaml +7 -0
data/Berksfile +56 -0
data/Berksfile.lock +250 -0
data/Jenkinsfile +184 -0
data/LICENSE.md +37 -0
data/README.md +26 -0
data/bin/mu-aws-setup +376 -0
data/bin/mu-cleanup +68 -0
data/bin/mu-configure +1133 -0
data/bin/mu-deploy +166 -0
data/bin/mu-firewall-allow-clients +30 -0
data/bin/mu-gcp-setup +200 -0
data/bin/mu-gen-docs +34 -0
data/bin/mu-gen-env +42 -0
data/bin/mu-load-config.rb +158 -0
data/bin/mu-node-manage +683 -0
data/bin/mu-self-update +228 -0
data/bin/mu-ssh +23 -0
data/bin/mu-tunnel-nagios +144 -0
data/bin/mu-upload-chef-artifacts +757 -0
data/bin/mu-user-manage +275 -0
data/cookbooks/awscli/LICENSE +37 -0
data/cookbooks/awscli/README.md +58 -0
data/cookbooks/awscli/attributes/default.rb +1 -0
data/cookbooks/awscli/libraries/instance_metadata.rb +21 -0
data/cookbooks/awscli/metadata.rb +20 -0
data/cookbooks/awscli/recipes/default.rb +56 -0
data/cookbooks/awscli/templates/default/config.erb +18 -0
data/cookbooks/mu-activedirectory/CHANGELOG.md +13 -0
data/cookbooks/mu-activedirectory/LICENSE +37 -0
data/cookbooks/mu-activedirectory/README.md +6 -0
data/cookbooks/mu-activedirectory/attributes/default.rb +98 -0
data/cookbooks/mu-activedirectory/files/default/password-auth +32 -0
data/cookbooks/mu-activedirectory/files/default/sshd_pol.pp +0 -0
data/cookbooks/mu-activedirectory/files/default/sshd_pol.te +32 -0
data/cookbooks/mu-activedirectory/files/default/syslogd_oddjobd.pp +0 -0
data/cookbooks/mu-activedirectory/files/default/syslogd_oddjobd.te +10 -0
data/cookbooks/mu-activedirectory/files/default/system-auth +34 -0
data/cookbooks/mu-activedirectory/files/default/winbindpol.pp +0 -0
data/cookbooks/mu-activedirectory/files/default/winbindpol.te +37 -0
data/cookbooks/mu-activedirectory/libraries/config.rb +106 -0
data/cookbooks/mu-activedirectory/libraries/helper.rb +86 -0
data/cookbooks/mu-activedirectory/metadata.rb +17 -0
data/cookbooks/mu-activedirectory/providers/domain.rb +152 -0
data/cookbooks/mu-activedirectory/providers/domain_controller.rb +89 -0
data/cookbooks/mu-activedirectory/providers/domain_node.rb +275 -0
data/cookbooks/mu-activedirectory/recipes/default.rb +8 -0
data/cookbooks/mu-activedirectory/recipes/domain-controller.rb +44 -0
data/cookbooks/mu-activedirectory/recipes/domain-node.rb +50 -0
data/cookbooks/mu-activedirectory/recipes/domain.rb +43 -0
data/cookbooks/mu-activedirectory/recipes/sssd.rb +185 -0
data/cookbooks/mu-activedirectory/resources/domain.rb +25 -0
data/cookbooks/mu-activedirectory/resources/domain_controller.rb +25 -0
data/cookbooks/mu-activedirectory/resources/domain_node.rb +20 -0
data/cookbooks/mu-activedirectory/templates/default/dhclient-eth0.conf.erb +4 -0
data/cookbooks/mu-activedirectory/templates/default/interface +0 -0
data/cookbooks/mu-activedirectory/templates/default/krb5.conf.erb +23 -0
data/cookbooks/mu-activedirectory/templates/default/ntp.conf.erb +56 -0
data/cookbooks/mu-activedirectory/templates/default/smb.conf.erb +33 -0
data/cookbooks/mu-activedirectory/templates/default/sssd.conf.erb +60 -0
data/cookbooks/mu-activedirectory/templates/windows/Backup.xml.erb +20 -0
data/cookbooks/mu-activedirectory/templates/windows/bkupInfo.xml.erb +1 -0
data/cookbooks/mu-activedirectory/templates/windows/gpreprt.xml.erb +198 -0
data/cookbooks/mu-activedirectory/templates/windows/gptmpl.inf.erb +12 -0
data/cookbooks/mu-activedirectory/templates/windows/manifest.xml.erb +1 -0
data/cookbooks/mu-firewall/CHANGELOG.md +11 -0
data/cookbooks/mu-firewall/LICENSE +37 -0
data/cookbooks/mu-firewall/README.md +5 -0
data/cookbooks/mu-firewall/attributes/default.rb +3 -0
data/cookbooks/mu-firewall/metadata.rb +16 -0
data/cookbooks/mu-firewall/recipes/default.rb +10 -0
data/cookbooks/mu-glusterfs/CHANGELOG.md +13 -0
data/cookbooks/mu-glusterfs/LICENSE +37 -0
data/cookbooks/mu-glusterfs/README.md +5 -0
data/cookbooks/mu-glusterfs/attributes/default.rb +34 -0
data/cookbooks/mu-glusterfs/metadata.rb +17 -0
data/cookbooks/mu-glusterfs/recipes/client.rb +62 -0
data/cookbooks/mu-glusterfs/recipes/default.rb +16 -0
data/cookbooks/mu-glusterfs/recipes/samba.rb +57 -0
data/cookbooks/mu-glusterfs/recipes/server.rb +200 -0
data/cookbooks/mu-glusterfs/templates/default/mu-gluster-client.erb +71 -0
data/cookbooks/mu-glusterfs/templates/default/smb.conf.erb +14 -0
data/cookbooks/mu-jenkins/CHANGELOG.md +13 -0
data/cookbooks/mu-jenkins/LICENSE +37 -0
data/cookbooks/mu-jenkins/README.md +105 -0
data/cookbooks/mu-jenkins/attributes/default.rb +42 -0
data/cookbooks/mu-jenkins/files/default/cleanup_deploy_config.xml +73 -0
data/cookbooks/mu-jenkins/files/default/deploy_config.xml +44 -0
data/cookbooks/mu-jenkins/metadata.rb +21 -0
data/cookbooks/mu-jenkins/recipes/default.rb +195 -0
data/cookbooks/mu-jenkins/recipes/node-ssh-config.rb +54 -0
data/cookbooks/mu-jenkins/recipes/public_key.rb +24 -0
data/cookbooks/mu-jenkins/templates/default/example_job.config.xml.erb +24 -0
data/cookbooks/mu-jenkins/templates/default/org.jvnet.hudson.plugins.SSHBuildWrapper.xml.erb +14 -0
data/cookbooks/mu-jenkins/templates/default/ssh_config.erb +6 -0
data/cookbooks/mu-master/CHANGELOG.md +13 -0
data/cookbooks/mu-master/LICENSE +37 -0
data/cookbooks/mu-master/README.md +6 -0
data/cookbooks/mu-master/attributes/default.rb +95 -0
data/cookbooks/mu-master/files/default/0-mu-log-server.conf +19 -0
data/cookbooks/mu-master/files/default/addRSA.ldif +8 -0
data/cookbooks/mu-master/files/default/check_mem.pl +197 -0
data/cookbooks/mu-master/files/default/cloudamatic.png +0 -0
data/cookbooks/mu-master/files/default/dirsrv_admin.pp +0 -0
data/cookbooks/mu-master/files/default/dirsrv_admin.te +13 -0
data/cookbooks/mu-master/files/default/nagios_selinux.pp +0 -0
data/cookbooks/mu-master/files/default/nagios_selinux.te +51 -0
data/cookbooks/mu-master/files/default/nagios_selinux_7.pp +0 -0
data/cookbooks/mu-master/files/default/nagios_selinux_7.te +17 -0
data/cookbooks/mu-master/files/default/pam_sshd +18 -0
data/cookbooks/mu-master/files/default/ssl_enable.ldif +18 -0
data/cookbooks/mu-master/files/default/syslogd_oddjobd.pp +0 -0
data/cookbooks/mu-master/files/default/syslogd_oddjobd.te +10 -0
data/cookbooks/mu-master/files/default/vimrc +19 -0
data/cookbooks/mu-master/libraries/mu.rb +29 -0
data/cookbooks/mu-master/metadata.rb +30 -0
data/cookbooks/mu-master/providers/user.rb +41 -0
data/cookbooks/mu-master/recipes/389ds.rb +164 -0
data/cookbooks/mu-master/recipes/basepackages.rb +58 -0
data/cookbooks/mu-master/recipes/caching_nameserver.rb +37 -0
data/cookbooks/mu-master/recipes/default.rb +451 -0
data/cookbooks/mu-master/recipes/eks-kubectl.rb +41 -0
data/cookbooks/mu-master/recipes/firewall-holes.rb +70 -0
data/cookbooks/mu-master/recipes/init.rb +542 -0
data/cookbooks/mu-master/recipes/ssl-certs.rb +109 -0
data/cookbooks/mu-master/recipes/sssd.rb +89 -0
data/cookbooks/mu-master/recipes/update_nagios_only.rb +242 -0
data/cookbooks/mu-master/recipes/vault.rb +111 -0
data/cookbooks/mu-master/resources/user.rb +19 -0
data/cookbooks/mu-master/templates/default/389-directory-setup.inf.erb +28 -0
data/cookbooks/mu-master/templates/default/chef-server.rb.erb +18 -0
data/cookbooks/mu-master/templates/default/dhclient-eth0.conf.erb +9 -0
data/cookbooks/mu-master/templates/default/mu-momma-cat.erb +149 -0
data/cookbooks/mu-master/templates/default/mu.rc.erb +9 -0
data/cookbooks/mu-master/templates/default/openssl.cnf.erb +354 -0
data/cookbooks/mu-master/templates/default/sssd.conf.erb +44 -0
data/cookbooks/mu-master/templates/default/web_app.conf.erb +90 -0
data/cookbooks/mu-mongo/CHANGELOG.md +13 -0
data/cookbooks/mu-mongo/LICENSE +37 -0
data/cookbooks/mu-mongo/README.md +5 -0
data/cookbooks/mu-mongo/attributes/default.rb +22 -0
data/cookbooks/mu-mongo/files/default/keyfile +16 -0
data/cookbooks/mu-mongo/files/default/remove_nodes.js +5 -0
data/cookbooks/mu-mongo/metadata.rb +17 -0
data/cookbooks/mu-mongo/recipes/default.rb +149 -0
data/cookbooks/mu-mongo/recipes/yum-update-rule.rb +18 -0
data/cookbooks/mu-mongo/templates/default/mongo_create_openfema_db.js.erb +2 -0
data/cookbooks/mu-mongo/templates/default/mongo_init.js.erb +1 -0
data/cookbooks/mu-mongo/templates/default/mongo_logrotate.erb +14 -0
data/cookbooks/mu-mongo/templates/default/mongo_replset_addnodes.js.erb +6 -0
data/cookbooks/mu-mongo/templates/default/replset_init.js.erb +2 -0
data/cookbooks/mu-openvpn/CHANGELOG.md +13 -0
data/cookbooks/mu-openvpn/LICENSE +37 -0
data/cookbooks/mu-openvpn/README.md +6 -0
data/cookbooks/mu-openvpn/attributes/default.rb +119 -0
data/cookbooks/mu-openvpn/metadata.rb +18 -0
data/cookbooks/mu-openvpn/recipes/default.rb +108 -0
data/cookbooks/mu-openvpn/templates/default/users.json.erb +42 -0
data/cookbooks/mu-php54/CHANGELOG.md +12 -0
data/cookbooks/mu-php54/LICENSE +37 -0
data/cookbooks/mu-php54/README.md +0 -0
data/cookbooks/mu-php54/files/centos/php.ini +1802 -0
data/cookbooks/mu-php54/files/ubuntu/php.ini +1870 -0
data/cookbooks/mu-php54/metadata.rb +21 -0
data/cookbooks/mu-php54/recipes/default.rb +97 -0
data/cookbooks/mu-splunk/CHANGELOG.md +37 -0
data/cookbooks/mu-splunk/LICENSE +37 -0
data/cookbooks/mu-splunk/README.md +451 -0
data/cookbooks/mu-splunk/attributes/default.rb +95 -0
data/cookbooks/mu-splunk/attributes/upgrade.rb +49 -0
data/cookbooks/mu-splunk/definitions/splunk_installer.rb +103 -0
data/cookbooks/mu-splunk/files/default/splunk-nocheck +10 -0
data/cookbooks/mu-splunk/libraries/helpers.rb +72 -0
data/cookbooks/mu-splunk/libraries/splunk_app_provider.rb +156 -0
data/cookbooks/mu-splunk/libraries/splunk_app_resource.rb +43 -0
data/cookbooks/mu-splunk/metadata.json +30 -0
data/cookbooks/mu-splunk/metadata.rb +17 -0
data/cookbooks/mu-splunk/recipes/client.rb +143 -0
data/cookbooks/mu-splunk/recipes/default.rb +31 -0
data/cookbooks/mu-splunk/recipes/disabled.rb +41 -0
data/cookbooks/mu-splunk/recipes/install_forwarder.rb +23 -0
data/cookbooks/mu-splunk/recipes/install_server.rb +23 -0
data/cookbooks/mu-splunk/recipes/server.rb +53 -0
data/cookbooks/mu-splunk/recipes/service.rb +95 -0
data/cookbooks/mu-splunk/recipes/setup_auth.rb +49 -0
data/cookbooks/mu-splunk/recipes/setup_ssl.rb +63 -0
data/cookbooks/mu-splunk/recipes/upgrade.rb +94 -0
data/cookbooks/mu-splunk/recipes/user.rb +34 -0
data/cookbooks/mu-splunk/templates/default/base_logs_unix_inputs.conf.erb +26 -0
data/cookbooks/mu-splunk/templates/default/inputs.conf.erb +13 -0
data/cookbooks/mu-splunk/templates/default/outputs.conf.erb +9 -0
data/cookbooks/mu-splunk/templates/default/splunk-init.erb +74 -0
data/cookbooks/mu-splunk/templates/default/system-web.conf.erb +7 -0
data/cookbooks/mu-tools/CHANGELOG.md +12 -0
data/cookbooks/mu-tools/LICENSE +37 -0
data/cookbooks/mu-tools/README.md +188 -0
data/cookbooks/mu-tools/attributes/default.rb +142 -0
data/cookbooks/mu-tools/attributes/ebs_rolling_snapshots.rb +3 -0
data/cookbooks/mu-tools/files/amazon/etc/freshclam.conf +235 -0
data/cookbooks/mu-tools/files/centos/CentOS-Base.repo +52 -0
data/cookbooks/mu-tools/files/centos/etc/bashrc +93 -0
data/cookbooks/mu-tools/files/centos/etc/freshclam.conf +235 -0
data/cookbooks/mu-tools/files/centos/etc/login.defs +72 -0
data/cookbooks/mu-tools/files/centos/etc/profile +77 -0
data/cookbooks/mu-tools/files/centos/etc/security/limits.conf +57 -0
data/cookbooks/mu-tools/files/centos/etc/sysconfig/init +19 -0
data/cookbooks/mu-tools/files/centos/etc/sysctl.conf +82 -0
data/cookbooks/mu-tools/files/centos-6/README_MU +0 -0
data/cookbooks/mu-tools/files/centos-6/etc/audit/stig.rules +173 -0
data/cookbooks/mu-tools/files/centos-6/etc/bashrc +90 -0
data/cookbooks/mu-tools/files/centos-6/etc/login.defs +70 -0
data/cookbooks/mu-tools/files/centos-6/etc/pam.d/su +12 -0
data/cookbooks/mu-tools/files/centos-6/etc/profile +83 -0
data/cookbooks/mu-tools/files/centos-6/etc/securetty +12 -0
data/cookbooks/mu-tools/files/centos-6/etc/sysconfig/init +30 -0
data/cookbooks/mu-tools/files/centos-6/etc/sysctl.conf +40 -0
data/cookbooks/mu-tools/files/default/Mu_CA.pem +34 -0
data/cookbooks/mu-tools/files/default/PSWindowsUpdate.zip +0 -0
data/cookbooks/mu-tools/files/default/ebs_snapshots.py +123 -0
data/cookbooks/mu-tools/files/default/etc/BANNER +0 -0
data/cookbooks/mu-tools/files/default/etc/BANNER-FEDERAL +19 -0
data/cookbooks/mu-tools/files/default/gpo_no_uac.zip +0 -0
data/cookbooks/mu-tools/files/default/mypol.pp +0 -0
data/cookbooks/mu-tools/files/default/mypol.te +37 -0
data/cookbooks/mu-tools/files/default/nrpe_c7.pp +0 -0
data/cookbooks/mu-tools/files/default/nrpe_c7.te +31 -0
data/cookbooks/mu-tools/files/default/nrpe_check_disk.pp +0 -0
data/cookbooks/mu-tools/files/default/nrpe_check_disk.te +11 -0
data/cookbooks/mu-tools/files/default/nrpe_disk.pp +0 -0
data/cookbooks/mu-tools/files/default/nrpe_disk.te +10 -0
data/cookbooks/mu-tools/files/default/nrpe_file.pp +0 -0
data/cookbooks/mu-tools/files/default/nrpe_file.te +31 -0
data/cookbooks/mu-tools/files/default/ntrights +0 -0
data/cookbooks/mu-tools/files/default/serverclass.conf +18 -0
data/cookbooks/mu-tools/files/default/splunk-apps/base_logs_unix/local/app.conf +1 -0
data/cookbooks/mu-tools/files/default/splunk-apps/base_logs_unix/local/inputs.conf +13 -0
data/cookbooks/mu-tools/files/default/splunk-apps/base_logs_windows/local/app.conf +1 -0
data/cookbooks/mu-tools/files/default/splunk-apps/base_logs_windows/local/inputs.conf +8 -0
data/cookbooks/mu-tools/files/default/sshd_pol.pp +0 -0
data/cookbooks/mu-tools/files/default/sshd_pol.te +32 -0
data/cookbooks/mu-tools/files/redhat/etc/bashrc +93 -0
data/cookbooks/mu-tools/files/redhat/etc/freshclam.conf +235 -0
data/cookbooks/mu-tools/files/redhat/etc/login.defs +72 -0
data/cookbooks/mu-tools/files/redhat/etc/profile +77 -0
data/cookbooks/mu-tools/files/redhat/etc/security/limits.conf +57 -0
data/cookbooks/mu-tools/files/redhat/etc/sysconfig/init +19 -0
data/cookbooks/mu-tools/files/redhat/etc/sysctl.conf +82 -0
data/cookbooks/mu-tools/files/redhat-6/README_MU +0 -0
data/cookbooks/mu-tools/files/redhat-6/etc/audit/stig.rules +173 -0
data/cookbooks/mu-tools/files/redhat-6/etc/bashrc +90 -0
data/cookbooks/mu-tools/files/redhat-6/etc/login.defs +70 -0
data/cookbooks/mu-tools/files/redhat-6/etc/pam.d/su +12 -0
data/cookbooks/mu-tools/files/redhat-6/etc/profile +83 -0
data/cookbooks/mu-tools/files/redhat-6/etc/securetty +12 -0
data/cookbooks/mu-tools/files/redhat-6/etc/sysconfig/init +30 -0
data/cookbooks/mu-tools/files/redhat-6/etc/sysctl.conf +40 -0
data/cookbooks/mu-tools/files/redhat-7.1/etc/freshclam.conf +235 -0
data/cookbooks/mu-tools/files/ubuntu-12.04/etc/bash.bashrc +64 -0
data/cookbooks/mu-tools/files/ubuntu-12.04/etc/common-session +30 -0
data/cookbooks/mu-tools/files/ubuntu-12.04/etc/login.defs +338 -0
data/cookbooks/mu-tools/files/ubuntu-12.04/etc/profile +30 -0
data/cookbooks/mu-tools/files/ubuntu-12.04/etc/security/limits.conf +56 -0
data/cookbooks/mu-tools/files/ubuntu-12.04/etc/sysctl.conf +60 -0
data/cookbooks/mu-tools/libraries/helper.rb +292 -0
data/cookbooks/mu-tools/metadata.rb +28 -0
data/cookbooks/mu-tools/recipes/add_admin_ssh_keys.rb +35 -0
data/cookbooks/mu-tools/recipes/apply_security.rb +440 -0
data/cookbooks/mu-tools/recipes/aws_api.rb +23 -0
data/cookbooks/mu-tools/recipes/base_repositories.rb +31 -0
data/cookbooks/mu-tools/recipes/cisbenchmark.rb +59 -0
data/cookbooks/mu-tools/recipes/clamav.rb +53 -0
data/cookbooks/mu-tools/recipes/cloudinit.rb +58 -0
data/cookbooks/mu-tools/recipes/configure_oracle_tools.rb +81 -0
data/cookbooks/mu-tools/recipes/disable-requiretty.rb +22 -0
data/cookbooks/mu-tools/recipes/ebs_rolling_snapshots.rb +75 -0
data/cookbooks/mu-tools/recipes/efs.rb +70 -0
data/cookbooks/mu-tools/recipes/eks.rb +160 -0
data/cookbooks/mu-tools/recipes/gcloud.rb +98 -0
data/cookbooks/mu-tools/recipes/google_api.rb +25 -0
data/cookbooks/mu-tools/recipes/maldet.rb +67 -0
data/cookbooks/mu-tools/recipes/nagios.rb +19 -0
data/cookbooks/mu-tools/recipes/newclient.rb +23 -0
data/cookbooks/mu-tools/recipes/nrpe.rb +115 -0
data/cookbooks/mu-tools/recipes/python_pip.rb +35 -0
data/cookbooks/mu-tools/recipes/retrieve_application.rb +51 -0
data/cookbooks/mu-tools/recipes/rsyslog.rb +65 -0
data/cookbooks/mu-tools/recipes/set_local_fw.rb +57 -0
data/cookbooks/mu-tools/recipes/set_mu_hostname.rb +81 -0
data/cookbooks/mu-tools/recipes/split_var_partitions.rb +86 -0
data/cookbooks/mu-tools/recipes/splunk-client.rb +69 -0
data/cookbooks/mu-tools/recipes/splunk-server.rb +104 -0
data/cookbooks/mu-tools/recipes/store_inspec_attr.rb +8 -0
data/cookbooks/mu-tools/recipes/updates.rb +96 -0
data/cookbooks/mu-tools/recipes/windows-client.rb +202 -0
data/cookbooks/mu-tools/resources/aws_windows.rb +33 -0
data/cookbooks/mu-tools/resources/disk.rb +88 -0
data/cookbooks/mu-tools/resources/mommacat_request.rb +11 -0
data/cookbooks/mu-tools/resources/scheduled_tasks.rb +29 -0
data/cookbooks/mu-tools/resources/sshd_service.rb +45 -0
data/cookbooks/mu-tools/resources/windows_users.rb +242 -0
data/cookbooks/mu-tools/templates/amazon/sshd_config.erb +168 -0
data/cookbooks/mu-tools/templates/centos-6/sshd_config.erb +212 -0
data/cookbooks/mu-tools/templates/centos-7/sshd_config.erb +215 -0
data/cookbooks/mu-tools/templates/default/0-mu-log-client.conf.erb +13 -0
data/cookbooks/mu-tools/templates/default/conf.maldet.erb +137 -0
data/cookbooks/mu-tools/templates/default/etc_hosts.erb +30 -0
data/cookbooks/mu-tools/templates/default/etc_pamd_password-auth.erb +14 -0
data/cookbooks/mu-tools/templates/default/etc_pamd_system-auth.erb +14 -0
data/cookbooks/mu-tools/templates/default/etc_sysconfig_network.erb +12 -0
data/cookbooks/mu-tools/templates/default/kubeconfig.erb +29 -0
data/cookbooks/mu-tools/templates/default/kubelet.service.erb +35 -0
data/cookbooks/mu-tools/templates/default/maldet_scanall.sh.erb +15 -0
data/cookbooks/mu-tools/templates/default/nrpe.cfg.erb +233 -0
data/cookbooks/mu-tools/templates/redhat-6/sshd_config.erb +213 -0
data/cookbooks/mu-tools/templates/redhat-7/sshd_config.erb +215 -0
data/cookbooks/mu-tools/templates/ubuntu-12.04/sshd_config.erb +146 -0
data/cookbooks/mu-tools/templates/ubuntu-14.04/sshd_config.erb +145 -0
data/cookbooks/mu-tools/templates/windows/Backup.xml.erb +20 -0
data/cookbooks/mu-tools/templates/windows/bkupInfo.xml.erb +1 -0
data/cookbooks/mu-tools/templates/windows/gpreprt.xml.erb +214 -0
data/cookbooks/mu-tools/templates/windows/gptmpl.inf.erb +12 -0
data/cookbooks/mu-tools/templates/windows/manifest.xml.erb +1 -0
data/cookbooks/mu-tools/templates/windows/set_ad_dns_scheduled_task.ps1.erb +6 -0
data/cookbooks/mu-tools/templates/windows/sshd_config.erb +136 -0
data/cookbooks/mu-utility/CHANGELOG.md +12 -0
data/cookbooks/mu-utility/LICENSE +37 -0
data/cookbooks/mu-utility/README.md +6 -0
data/cookbooks/mu-utility/attributes/default.rb +1 -0
data/cookbooks/mu-utility/libraries/matchers.rb +21 -0
data/cookbooks/mu-utility/metadata.rb +16 -0
data/cookbooks/mu-utility/recipes/apt.rb +23 -0
data/cookbooks/mu-utility/recipes/cleanup_image_helper.rb +118 -0
data/cookbooks/mu-utility/recipes/iptables.rb +26 -0
data/cookbooks/mu-utility/recipes/luks.rb +18 -0
data/cookbooks/mu-utility/recipes/nat.rb +104 -0
data/cookbooks/mu-utility/recipes/php.rb +33 -0
data/cookbooks/mu-utility/recipes/rdp_gateway.rb +83 -0
data/cookbooks/mu-utility/recipes/remi.rb +44 -0
data/cookbooks/mu-utility/recipes/vim.rb +26 -0
data/cookbooks/mu-utility/recipes/windows_basics.rb +37 -0
data/cookbooks/mu-utility/recipes/zip.rb +26 -0
data/cookbooks/mu-utility/templates/default/BundleConfig.xml.erb +34 -0
data/cookbooks/mu-utility/templates/default/config.xml.erb +60 -0
data/cookbooks/nagios/Berksfile +8 -0
data/cookbooks/nagios/CHANGELOG.md +589 -0
data/cookbooks/nagios/CONTRIBUTING.md +11 -0
data/cookbooks/nagios/LICENSE +37 -0
data/cookbooks/nagios/README.md +328 -0
data/cookbooks/nagios/TESTING.md +2 -0
data/cookbooks/nagios/attributes/config.rb +171 -0
data/cookbooks/nagios/attributes/default.rb +228 -0
data/cookbooks/nagios/chefignore +102 -0
data/cookbooks/nagios/definitions/command.rb +33 -0
data/cookbooks/nagios/definitions/contact.rb +33 -0
data/cookbooks/nagios/definitions/contactgroup.rb +33 -0
data/cookbooks/nagios/definitions/host.rb +33 -0
data/cookbooks/nagios/definitions/hostdependency.rb +33 -0
data/cookbooks/nagios/definitions/hostescalation.rb +34 -0
data/cookbooks/nagios/definitions/hostgroup.rb +33 -0
data/cookbooks/nagios/definitions/nagios_conf.rb +38 -0
data/cookbooks/nagios/definitions/resource.rb +33 -0
data/cookbooks/nagios/definitions/service.rb +33 -0
data/cookbooks/nagios/definitions/servicedependency.rb +33 -0
data/cookbooks/nagios/definitions/serviceescalation.rb +34 -0
data/cookbooks/nagios/definitions/servicegroup.rb +33 -0
data/cookbooks/nagios/definitions/timeperiod.rb +33 -0
data/cookbooks/nagios/libraries/base.rb +314 -0
data/cookbooks/nagios/libraries/command.rb +91 -0
data/cookbooks/nagios/libraries/contact.rb +230 -0
data/cookbooks/nagios/libraries/contactgroup.rb +112 -0
data/cookbooks/nagios/libraries/custom_option.rb +36 -0
data/cookbooks/nagios/libraries/data_bag_helper.rb +23 -0
data/cookbooks/nagios/libraries/default.rb +90 -0
data/cookbooks/nagios/libraries/host.rb +412 -0
data/cookbooks/nagios/libraries/hostdependency.rb +181 -0
data/cookbooks/nagios/libraries/hostescalation.rb +173 -0
data/cookbooks/nagios/libraries/hostgroup.rb +119 -0
data/cookbooks/nagios/libraries/nagios.rb +282 -0
data/cookbooks/nagios/libraries/resource.rb +59 -0
data/cookbooks/nagios/libraries/service.rb +455 -0
data/cookbooks/nagios/libraries/servicedependency.rb +215 -0
data/cookbooks/nagios/libraries/serviceescalation.rb +195 -0
data/cookbooks/nagios/libraries/servicegroup.rb +144 -0
data/cookbooks/nagios/libraries/timeperiod.rb +160 -0
data/cookbooks/nagios/libraries/users_helper.rb +54 -0
data/cookbooks/nagios/metadata.rb +25 -0
data/cookbooks/nagios/recipes/_load_databag_config.rb +153 -0
data/cookbooks/nagios/recipes/_load_default_config.rb +241 -0
data/cookbooks/nagios/recipes/apache.rb +48 -0
data/cookbooks/nagios/recipes/default.rb +204 -0
data/cookbooks/nagios/recipes/nginx.rb +82 -0
data/cookbooks/nagios/recipes/pagerduty.rb +143 -0
data/cookbooks/nagios/recipes/server_package.rb +40 -0
data/cookbooks/nagios/recipes/server_source.rb +164 -0
data/cookbooks/nagios/templates/default/apache2.conf.erb +96 -0
data/cookbooks/nagios/templates/default/cgi.cfg.erb +266 -0
data/cookbooks/nagios/templates/default/commands.cfg.erb +13 -0
data/cookbooks/nagios/templates/default/contacts.cfg.erb +37 -0
data/cookbooks/nagios/templates/default/hostgroups.cfg.erb +25 -0
data/cookbooks/nagios/templates/default/hosts.cfg.erb +15 -0
data/cookbooks/nagios/templates/default/htpasswd.users.erb +6 -0
data/cookbooks/nagios/templates/default/nagios.cfg.erb +22 -0
data/cookbooks/nagios/templates/default/nginx.conf.erb +62 -0
data/cookbooks/nagios/templates/default/pagerduty.cgi.erb +185 -0
data/cookbooks/nagios/templates/default/resource.cfg.erb +27 -0
data/cookbooks/nagios/templates/default/servicedependencies.cfg.erb +15 -0
data/cookbooks/nagios/templates/default/servicegroups.cfg.erb +14 -0
data/cookbooks/nagios/templates/default/services.cfg.erb +14 -0
data/cookbooks/nagios/templates/default/templates.cfg.erb +31 -0
data/cookbooks/nagios/templates/default/timeperiods.cfg.erb +13 -0
data/cookbooks/s3fs/CHANGELOG.md +13 -0
data/cookbooks/s3fs/LICENSE +37 -0
data/cookbooks/s3fs/README.md +6 -0
data/cookbooks/s3fs/attributes/default.rb +15 -0
data/cookbooks/s3fs/files/default/fuse-2.9.3.zip +0 -0
data/cookbooks/s3fs/metadata.rb +16 -0
data/cookbooks/s3fs/recipes/default.rb +91 -0
data/data_bags/demo/app.json +7 -0
data/data_bags/nagios_services/chef.json +6 -0
data/data_bags/nagios_services/linux_diskspace.json +5 -0
data/data_bags/nagios_services/momma_cat.json +6 -0
data/data_bags/nagios_services/mu-master-memory.json +5 -0
data/data_bags/nagios_services/nagios_ui.json +6 -0
data/data_bags/nagios_services/node_ssh.json +6 -0
data/data_bags/nagios_services/ssh.json +6 -0
data/demo/lambda_test.yaml +29 -0
data/environments/DEV.json +8 -0
data/environments/PROD.json +8 -0
data/environments/dev.json +8 -0
data/environments/development.json +8 -0
data/environments/prod.json +8 -0
data/extras/README.md +1 -0
data/extras/admin-role-binding.yaml +16 -0
data/extras/admin-user.yaml +6 -0
data/extras/aws-auth-cm.yaml.erb +12 -0
data/extras/clean-stock-amis +48 -0
data/extras/git-fix-permissions-hook +12 -0
data/extras/gitlab-eks-helper.sh.erb +20 -0
data/extras/image-generators/README.md +2 -0
data/extras/image-generators/aws/centos6.yaml +18 -0
data/extras/image-generators/aws/centos7-govcloud.yaml +24 -0
data/extras/image-generators/aws/centos7.yaml +17 -0
data/extras/image-generators/aws/rhel7.yaml +17 -0
data/extras/image-generators/aws/win2k12.yaml +16 -0
data/extras/image-generators/aws/win2k16.yaml +16 -0
data/extras/image-generators/aws/windows.yaml +18 -0
data/extras/image-generators/gcp/centos6.yaml +17 -0
data/extras/lambda_waf_domain_blacklist.py +103 -0
data/extras/platform_berksfile_base +50 -0
data/extras/ruby_rpm/build.sh +17 -0
data/extras/ruby_rpm/muby.spec +44 -0
data/extras/vault_tools/README.md +6 -0
data/extras/vault_tools/export_vaults.sh +3 -0
data/extras/vault_tools/recreate_vaults.sh +5 -0
data/extras/vault_tools/test_vaults.sh +5 -0
data/install/README.md +8 -0
data/install/cfn_create_mu_master.json +1034 -0
data/install/chef-server.rb.erb +19 -0
data/install/deprecated-bash-library.sh +1891 -0
data/install/images/Usage.png +0 -0
data/install/installer +71 -0
data/install/jenkinskeys.rb +8 -0
data/install/user-dot-murc.erb +14 -0
data/modules/html.erb +19 -0
data/modules/mommacat.ru +426 -0
data/modules/mu/cleanup.rb +339 -0
data/modules/mu/cloud.rb +1446 -0
data/modules/mu/clouds/README.md +201 -0
data/modules/mu/clouds/aws/alarm.rb +319 -0
data/modules/mu/clouds/aws/cache_cluster.rb +1010 -0
data/modules/mu/clouds/aws/collection.rb +373 -0
data/modules/mu/clouds/aws/container_cluster.rb +667 -0
data/modules/mu/clouds/aws/database.rb +1836 -0
data/modules/mu/clouds/aws/dnszone.rb +911 -0
data/modules/mu/clouds/aws/firewall_rule.rb +641 -0
data/modules/mu/clouds/aws/folder.rb +92 -0
data/modules/mu/clouds/aws/function.rb +349 -0
data/modules/mu/clouds/aws/group.rb +251 -0
data/modules/mu/clouds/aws/loadbalancer.rb +888 -0
data/modules/mu/clouds/aws/log.rb +363 -0
data/modules/mu/clouds/aws/msg_queue.rb +480 -0
data/modules/mu/clouds/aws/notification.rb +139 -0
data/modules/mu/clouds/aws/role.rb +656 -0
data/modules/mu/clouds/aws/search_domain.rb +646 -0
data/modules/mu/clouds/aws/server.rb +2294 -0
data/modules/mu/clouds/aws/server_pool.rb +1388 -0
data/modules/mu/clouds/aws/storage_pool.rb +495 -0
data/modules/mu/clouds/aws/user.rb +382 -0
data/modules/mu/clouds/aws/userdata/README.md +4 -0
data/modules/mu/clouds/aws/userdata/linux.erb +179 -0
data/modules/mu/clouds/aws/userdata/windows.erb +278 -0
data/modules/mu/clouds/aws/vpc.rb +1943 -0
data/modules/mu/clouds/aws.rb +1009 -0
data/modules/mu/clouds/cloudformation/alarm.rb +146 -0
data/modules/mu/clouds/cloudformation/cache_cluster.rb +167 -0
data/modules/mu/clouds/cloudformation/collection.rb +117 -0
data/modules/mu/clouds/cloudformation/database.rb +278 -0
data/modules/mu/clouds/cloudformation/dnszone.rb +274 -0
data/modules/mu/clouds/cloudformation/firewall_rule.rb +308 -0
data/modules/mu/clouds/cloudformation/loadbalancer.rb +193 -0
data/modules/mu/clouds/cloudformation/log.rb +170 -0
data/modules/mu/clouds/cloudformation/server.rb +370 -0
data/modules/mu/clouds/cloudformation/server_pool.rb +279 -0
data/modules/mu/clouds/cloudformation/vpc.rb +322 -0
data/modules/mu/clouds/cloudformation.rb +733 -0
data/modules/mu/clouds/docker.rb +30 -0
data/modules/mu/clouds/google/container_cluster.rb +290 -0
data/modules/mu/clouds/google/database.rb +152 -0
data/modules/mu/clouds/google/firewall_rule.rb +267 -0
data/modules/mu/clouds/google/group.rb +164 -0
data/modules/mu/clouds/google/loadbalancer.rb +479 -0
data/modules/mu/clouds/google/server.rb +1510 -0
data/modules/mu/clouds/google/server_pool.rb +274 -0
data/modules/mu/clouds/google/user.rb +266 -0
data/modules/mu/clouds/google/userdata/README.md +4 -0
data/modules/mu/clouds/google/userdata/linux.erb +137 -0
data/modules/mu/clouds/google/userdata/windows.erb +275 -0
data/modules/mu/clouds/google/vpc.rb +890 -0
data/modules/mu/clouds/google.rb +811 -0
data/modules/mu/config/README.md +11 -0
data/modules/mu/config/alarm.rb +271 -0
data/modules/mu/config/cache_cluster.rb +172 -0
data/modules/mu/config/collection.rb +87 -0
data/modules/mu/config/container_cluster.rb +103 -0
data/modules/mu/config/container_cluster.yml +36 -0
data/modules/mu/config/database.rb +458 -0
data/modules/mu/config/database.yml +26 -0
data/modules/mu/config/dnszone.rb +327 -0
data/modules/mu/config/firewall_rule.rb +118 -0
data/modules/mu/config/folder.rb +70 -0
data/modules/mu/config/function.rb +140 -0
data/modules/mu/config/group.rb +64 -0
data/modules/mu/config/loadbalancer.rb +482 -0
data/modules/mu/config/log.rb +47 -0
data/modules/mu/config/log.yml +6 -0
data/modules/mu/config/msg_queue.rb +47 -0
data/modules/mu/config/msg_queue.yml +9 -0
data/modules/mu/config/notification.rb +44 -0
data/modules/mu/config/project.rb +71 -0
data/modules/mu/config/role.rb +102 -0
data/modules/mu/config/search_domain.rb +61 -0
data/modules/mu/config/search_domain.yml +25 -0
data/modules/mu/config/server.rb +587 -0
data/modules/mu/config/server.yml +8 -0
data/modules/mu/config/server_pool.rb +216 -0
data/modules/mu/config/server_pool.yml +71 -0
data/modules/mu/config/storage_pool.rb +145 -0
data/modules/mu/config/user.rb +78 -0
data/modules/mu/config/vpc.rb +743 -0
data/modules/mu/config/vpc.yml +6 -0
data/modules/mu/config.rb +2000 -0
data/modules/mu/defaults/README.md +2 -0
data/modules/mu/defaults/amazon_images.yaml +121 -0
data/modules/mu/defaults/google_images.yaml +16 -0
data/modules/mu/deploy.rb +686 -0
data/modules/mu/groomer.rb +123 -0
data/modules/mu/groomers/README.md +58 -0
data/modules/mu/groomers/chef.rb +1024 -0
data/modules/mu/kittens.rb +11319 -0
data/modules/mu/logger.rb +208 -0
data/modules/mu/master/README.md +27 -0
data/modules/mu/master/chef.rb +471 -0
data/modules/mu/master/ldap.rb +1005 -0
data/modules/mu/master.rb +415 -0
data/modules/mu/mommacat.rb +2703 -0
data/modules/mu-load-config.rb +1 -0
data/modules/mu.rb +724 -0
data/modules/scratchpad.erb +1 -0
data/modules/tests/super_complex_bok.yml +41 -0
data/modules/tests/super_simple_bok.yml +40 -0
data/mu.gemspec +62 -0
data/roles/demo-dbservice-configure.json +19 -0
data/roles/demo-portal-configure.json +19 -0
data/roles/mu-master-jenkins.json +24 -0
data/roles/mu-master-nagios-only.json +13 -0
data/roles/mu-master.json +12 -0
data/roles/mu-node.json +19 -0
data/roles/mu-splunk-server.json +13 -0
data/roles/mu-splunk.json +13 -0
data/test/clean_up.py +25 -0
data/test/demo-test-profile/README.md +3 -0
data/test/demo-test-profile/controls/flask.rb +84 -0
data/test/demo-test-profile/inspec.lock +7 -0
data/test/demo-test-profile/inspec.yml +11 -0
data/test/etco-test-profile/README.md +3 -0
data/test/etco-test-profile/controls/all-in-one.rb +182 -0
data/test/etco-test-profile/inspec.lock +7 -0
data/test/etco-test-profile/inspec.yml +11 -0
data/test/exec_inspec.py +246 -0
data/test/exec_mu_install.py +241 -0
data/test/exec_retry.py +44 -0
data/test/mu-master-test/README.md +3 -0
data/test/mu-master-test/controls/all_in_one.rb +557 -0
data/test/mu-master-test/inspec.lock +3 -0
data/test/mu-master-test/inspec.yml +11 -0
data/test/mu-tools-test/README.md +3 -0
data/test/mu-tools-test/controls/base.rb +265 -0
data/test/mu-tools-test/inspec.lock +3 -0
data/test/mu-tools-test/inspec.yml +8 -0
data/test/simple-server-php-test/README.md +3 -0
data/test/simple-server-php-test/controls/apachephp.rb +25 -0
data/test/simple-server-php-test/controls/example.rb +19 -0
data/test/simple-server-php-test/inspec.lock +7 -0
data/test/simple-server-php-test/inspec.yml +12 -0
data/test/simple-server-rails-test/README.md +3 -0
data/test/simple-server-rails-test/controls/rails.rb +188 -0
data/test/simple-server-rails-test/inspec.lock +7 -0
data/test/simple-server-rails-test/inspec.yml +11 -0
data/test/simple-windows-test/README.md +3 -0
data/test/simple-windows-test/controls/windows.rb +20 -0
data/test/simple-windows-test/inspec.lock +7 -0
data/test/simple-windows-test/inspec.yml +11 -0
data/test/smoke_test.rb +75 -0
data/test/wordpress-test/README.md +3 -0
data/test/wordpress-test/controls/wordpress.rb +97 -0
data/test/wordpress-test/inspec.lock +7 -0
data/test/wordpress-test/inspec.yml +11 -0
metadata +979 -0

data/modules/mu/groomers/chef.rb ADDED Viewed

@@ -0,0 +1,1024 @@
+# Copyright:: Copyright (c) 2014 eGlobalTech, Inc., all rights reserved
+#
+# Licensed under the BSD-3 license (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License in the root of the project or at
+#
+#    http://egt-labs.com/mu/LICENSE.html
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+module MU
+  # Plugins under this namespace serve as interfaces to host configuration
+  # management tools, like Chef or Puppet.
+  class Groomer
+    # Support for Chef as a host configuration management layer.
+    class Chef
+      # Wrapper class for temporary Exceptions. Gives our internals something
+      # to inherit that will log a notice message appropriately before
+      # bubbling up.
+      class MuNoSuchSecret < StandardError;end
+      Object.class_eval {
+        def self.const_missing(symbol)
+          if symbol.to_sym == :Chef or symbol.to_sym == :ChefVault
+            MU::Groomer::Chef.loadChefLib
+            return Object.const_get(symbol)
+          end
+        end
+        def const_missing(symbol)
+          if symbol.to_sym == :Chef or symbol.to_sym == :ChefVault
+            MU::Groomer::Chef.loadChefLib(@server.deploy.chef_user, @server.deploy.environment, @server.deploy.mu_user)
+            return Object.const_get(symbol)
+          end
+        end
+      }
+      @chefloaded = false
+      @chefload_semaphore = Mutex.new
+      # Autoload is too brain-damaged to get Chef's subclasses/submodules, so
+      # implement our own lazy loading.
+      def self.loadChefLib(user = MU.chef_user, env = "dev", mu_user = MU.mu_user)
+        @chefload_semaphore.synchronize {
+          if !@chefloaded
+            MU.log "Loading Chef libraries as user #{user}...", MU::DEBUG
+            start = Time.now
+            # need to find which classes are actually needed instead of loading chef
+            require 'chef'
+            require 'chef/api_client_v1'
+            require 'chef/knife'
+            require 'chef/knife/ssh'
+            require 'chef/knife/bootstrap'
+            require 'chef/knife/node_delete'
+            require 'chef/knife/client_delete'
+            require 'chef/knife/data_bag_delete'
+            require 'chef/knife/vault_delete'
+            require 'chef/scan_access_control'
+            require 'chef/file_access_control/unix'
+            require 'chef-vault'
+            require 'chef-vault/item'
+            # XXX kludge to get at knife-windows when it's installed from
+            # a git repo and bundler sticks it somewhere in a corner
+            $LOAD_PATH.each { |path|
+              if path.match(/\/gems\/aws\-sdk\-core\-\d+\.\d+\.\d+\/lib$/)
+                addpath = path.sub(/\/gems\/aws\-sdk\-core\-\d+\.\d+\.\d+\/lib$/, "")+"/bundler/gems"
+                Dir.glob(addpath+"/knife-windows-*").each { |version|
+                  $LOAD_PATH << version+"/lib"
+                }
+              end
+            }
+            require 'chef/knife/bootstrap_windows_winrm'
+            require 'chef/knife/bootstrap_windows_ssh'
+            ::Chef::Config[:chef_server_url] = "https://#{MU.mu_public_addr}:7443/organizations/#{user}"
+            if File.exists?("#{Etc.getpwnam(mu_user).dir}/.chef/knife.rb")
+              MU.log "Loading Chef configuration from #{Etc.getpwnam(mu_user).dir}/.chef/knife.rb", MU::DEBUG
+              ::Chef::Config.from_file("#{Etc.getpwnam(mu_user).dir}/.chef/knife.rb")
+            end
+            ::Chef::Config[:environment] = env
+            ::Chef::Config[:yes] = true
+            if mu_user != "root"
+              ::Chef::Config.trusted_certs_dir = "#{Etc.getpwnam(mu_user).dir}/.chef/trusted_certs"
+            end
+            @chefloaded = true
+            MU.log "Chef libraries loaded (took #{(Time.now-start).to_s} seconds)", MU::DEBUG
+          end
+        }
+      end
+      @knife = "cd #{MU.myRoot} && env -i HOME=#{Etc.getpwnam(MU.mu_user).dir} PATH=/opt/chef/embedded/bin:/usr/bin:/usr/sbin knife"
+      # The canonical path to invoke Chef's *knife* utility with a clean environment.
+      # @return [String]
+      def self.knife;
+        @knife;
+      end
+      attr_reader :knife
+      @vault_opts = "--mode client -u #{MU.chef_user} -F json"
+      # The canonical set of arguments for most `knife vault` commands
+      # @return [String]
+      def self.vault_opts;
+        @vault_opts;
+      end
+      attr_reader :vault_opts
+      @chefclient = "env -i HOME=#{Etc.getpwuid(Process.uid).dir} PATH=/opt/chef/embedded/bin:/usr/bin:/usr/sbin chef-client"
+      # The canonical path to invoke Chef's *chef-client* utility with a clean environment.
+      # @return [String]
+      def self.chefclient;
+        @chefclient;
+      end
+      attr_reader :chefclient
+      # @param node [MU::Cloud::Server]: The server object on which we'll be operating
+      def initialize(node)
+        @config = node.config
+        @server = node
+        if node.mu_name.nil? or node.mu_name.empty?
+          raise MuError, "Cannot groom a server that doesn't tell me its mu_name"
+        end
+        @secrets_semaphore = Mutex.new
+        @secrets_granted = {}
+      end
+      # Indicate whether our server has been bootstrapped with Chef
+      def haveBootstrapped?
+        self.class.loadChefLib
+        MU.log "Chef config", MU::DEBUG, details: ::Chef::Config.inspect
+        nodelist = ::Chef::Node.list()
+        nodelist.has_key?(@server.mu_name)
+      end
+      # @param vault [String]: A repository of secrets to create/save into.
+      # @param item [String]: The item within the repository to create/save.
+      # @param data [Hash]: Data to save
+      # @param permissions [String]: An implementation-specific string describing what node or nodes should have access to this secret.
+      def self.saveSecret(vault: @server.mu_name, item: nil, data: nil, permissions: nil)
+        loadChefLib
+        if item.nil? or !item.is_a?(String)
+          raise MuError, "item argument to saveSecret must be a String"
+        end
+        if data.nil? or !data.is_a?(Hash)
+          raise MuError, "data argument to saveSecret must be a Hash"
+        end
+        cmd = "update"
+        begin
+          MU.log "Checking for existence of #{vault} #{item}", MU::DEBUG, details: caller
+          ::ChefVault::Item.load(vault, item)
+        rescue ::ChefVault::Exceptions::KeysNotFound
+          cmd = "create"
+        end
+        if permissions
+          MU.log "knife vault #{cmd} #{vault} #{item} --search #{permissions}"
+          ::Chef::Knife.run(['vault', cmd, vault, item, JSON.generate(data).gsub(/'/, '\\1'), '--search', permissions])
+        else
+          MU.log "knife vault #{cmd} #{vault} #{item}"
+          ::Chef::Knife.run(['vault', cmd, vault, item, JSON.generate(data).gsub(/'/, '\\1')])
+        end
+      end
+      # see {MU::Groomer::Chef.saveSecret}
+      def saveSecret(vault: @server.mu_name, item: nil, data: nil, permissions: "name:#{@server.mu_name}")
+        self.class.saveSecret(vault: vault, item: item, data: data, permissions: permissions)
+      end
+      # Retrieve sensitive data, which hopefully we're storing and retrieving
+      # in a secure fashion.
+      # @param vault [String]: A repository of secrets to search
+      # @param item [String]: The item within the repository to retrieve
+      # @param field [String]: OPTIONAL - A specific field within the item to return.
+      # @return [Hash]
+      def self.getSecret(vault: nil, item: nil, field: nil)
+        loadChefLib
+        loaded = nil
+        if !item.nil?
+          begin
+            loaded = ::ChefVault::Item.load(vault, item)
+          rescue ::ChefVault::Exceptions::KeysNotFound => e
+            raise MuNoSuchSecret, "Can't load the Chef Vault #{vault}:#{item}. Does it exist? Chef user: #{MU.chef_user}"
+          end
+        else
+          # If we didn't ask for a particular item, list what we have.
+          begin
+            loaded = ::Chef::DataBag.load(vault).keys.select { |k, v| !k.match(/_keys$/) }
+          rescue Net::HTTPServerException
+            raise MuNoSuchSecret, "Failed to retrieve Vault #{vault}"
+          end
+        end
+        if loaded.nil?
+          raise MuNoSuchSecret, "Failed to retrieve Vault #{vault}:#{item}"
+        end
+        if !field.nil?
+          if loaded.has_key?(field)
+            return loaded[field]
+          else
+            raise MuNoSuchSecret, "No such field in Vault #{vault}:#{item}"
+          end
+        else
+          return loaded
+        end
+      end
+      # see {MU::Groomer::Chef.getSecret}
+      def getSecret(vault: nil, item: nil, field: nil)
+        self.class.getSecret(vault: vault, item: item, field: field)
+      end
+      # Delete a Chef data bag / Vault
+      # @param vault [String]: A repository of secrets to delete
+      def self.deleteSecret(vault: nil, item: nil)
+        loadChefLib
+        raise MuError, "No vault specified, nothing to delete" if vault.nil?
+        MU.log "Deleting #{vault}:#{item} from vaults"
+        knife_db = nil
+        knife_cmds = []
+        if item.nil?
+          knife_cmds << ::Chef::Knife::DataBagDelete.new(['data', 'bag', 'delete', vault])
+        else
+          knife_cmds << ::Chef::Knife::DataBagDelete.new(['data', 'bag', 'delete', vault, item])
+          knife_cmds << ::Chef::Knife::DataBagDelete.new(['data', 'bag', 'delete', vault, item+"_keys"])
+        end
+        begin
+          knife_cmds.each { |knife_db|
+            knife_db.config[:yes] = true
+            knife_db.run
+          }
+        rescue Net::HTTPServerException => e
+          # We don't want to raise an error here. As an example we might be cleaning up a dead node in a server pool and this will then fail for no god reasons.
+          MU.log "Tried to delete vault #{vault} but got #{e.inspect}, giving up", MU::ERR
+        end
+      end
+      # see {MU::Groomer::Chef.deleteSecret}
+      def deleteSecret(vault: nil)
+        self.class.deleteSecret(vault: vault)
+      end
+      # Invoke the Chef client on the node at the other end of a provided SSH
+      # session.
+      # @param purpose [String]: A string describing the purpose of this client run.
+      # @param max_retries [Integer]: The maximum number of attempts at a successful run to make before giving up.
+      # @param output [Boolean]: Display Chef's regular (non-error) output to the console
+      # @param override_runlist [String]: Use the specified run list instead of the node's configured list
+      def run(purpose: "Chef run", update_runlist: true, max_retries: 5, output: true, override_runlist: nil, reboot_first_fail: false)
+        self.class.loadChefLib
+        if update_runlist and !@config['run_list'].nil?
+          knifeAddToRunList(multiple: @config['run_list'])
+        end
+        timeout = @server.windows? ? 1800 : 600
+        pending_reboot_count = 0
+        chef_node = ::Chef::Node.load(@server.mu_name)
+        if !@config['application_attributes'].nil?
+          MU.log "Setting node:#{@server.mu_name} application_attributes", MU::DEBUG, details: @config['application_attributes']
+          chef_node.normal.application_attributes = @config['application_attributes']
+          chef_node.save
+        end
+        if @server.deploy.original_config.has_key?('parameters')
+          MU.log "Setting node:#{@server.mu_name} parameters", MU::DEBUG, details: @server.deploy.original_config['parameters']
+          chef_node.normal['mu_parameters'] = @server.deploy.original_config['parameters']
+          chef_node.save
+        end
+        saveDeployData
+        retries = 0
+        try_upgrade = false
+        output = []
+        error_signal = "CHEF EXITED BADLY: "+(0...25).map { ('a'..'z').to_a[rand(26)] }.join
+        runstart = nil
+        cmd = nil
+        ssh = nil
+        winrm = nil
+        windows_try_ssh = false
+        begin
+          runstart = Time.new
+          if !@server.windows? or windows_try_ssh
+            MU.log "Invoking Chef over ssh on #{@server.mu_name}: #{purpose}"
+            ssh = @server.getSSHSession(@server.windows? ? 1 : max_retries)
+            if @server.windows?
+              cmd = "chef-client.bat --color || echo #{error_signal}"
+            elsif !@config["ssh_user"].nil? and !@config["ssh_user"].empty? and @config["ssh_user"] != "root"
+              upgrade_cmd = try_upgrade ? "sudo curl -L https://chef.io/chef/install.sh | sudo version=#{MU.chefVersion} sh &&" : ""
+              cmd = "#{upgrade_cmd} sudo chef-client --color || echo #{error_signal}"
+            else
+              upgrade_cmd = try_upgrade ? "curl -L https://chef.io/chef/install.sh | version=#{MU.chefVersion} sh &&" : ""
+              cmd = "#{upgrade_cmd} chef-client --color || echo #{error_signal}"
+            end
+            Timeout::timeout(timeout) {
+              retval = ssh.exec!(cmd) { |ch, stream, data|
+                puts data
+                output << data
+                raise MU::Cloud::BootstrapTempFail if data.match(/REBOOT_SCHEDULED| WARN: Reboot requested:/)
+                raise MU::Groomer::RunError, output.grep(/ ERROR: /).last if data.match(/#{error_signal}/)
+              }
+            }
+          else
+            MU.log "Invoking Chef over WinRM on #{@server.mu_name}: #{purpose}"
+            winrm = @server.getWinRMSession(haveBootstrapped? ? 1 : max_retries)
+            if @server.windows? and @server.windowsRebootPending?(winrm)
+              # Windows frequently gets stuck here
+              if retries > 5
+                @server.reboot(true)
+              elsif retries > 3
+                @server.reboot
+              end
+              raise MU::Groomer::RunError, "#{@server.mu_name} has a pending reboot"
+            end
+            if try_upgrade
+              pp winrm.run("Invoke-WebRequest -useb https://omnitruck.chef.io/install.ps1 | Invoke-Expression; Install-Project -version:#{MU.chefVersion} -download_directory:$HOME")
+            end
+            output = []
+            cmd = "c:/opscode/chef/bin/chef-client.bat --color"
+            if override_runlist
+              cmd = cmd + " -o '#{override_runlist}'"
+            end
+            resp = nil
+            Timeout::timeout(timeout) {
+              resp = winrm.run(cmd) do |stdout, stderr|
+                if stdout
+                  print stdout if output
+                  output << stdout
+                end
+                if stderr
+                  MU.log stderr, MU::ERR
+                  output << stderr
+                end
+              end
+            }
+            if resp.exitcode != 0
+              raise MU::Cloud::BootstrapTempFail if resp.exitcode == 35 or output.join("\n").match(/REBOOT_SCHEDULED| WARN: Reboot requested:/)
+              raise MU::Groomer::RunError, output.slice(output.length-50, output.length).join("")
+            end
+          end
+        rescue MU::Cloud::BootstrapTempFail
+          MU.log "#{@server.mu_name} rebooting from Chef, waiting then resuming", MU::NOTICE
+          sleep 30
+          # weird failures seem common in govcloud
+          if MU::Cloud::AWS.isGovCloud?(@config['region'])
+            @server.reboot(true)
+            sleep 30
+          end
+          retry
+        rescue RuntimeError, SystemCallError, Timeout::Error, SocketError, Errno::ECONNRESET, IOError, Net::SSH::Exception, MU::Groomer::RunError, WinRM::WinRMError, MU::MuError => e
+          begin
+            ssh.close if !ssh.nil?
+          rescue Net::SSH::Exception, IOError => e
+            if @server.windows?
+              MU.log "Windows has probably closed the ssh session before we could. Waiting before trying again", MU::DEBUG
+            else
+              MU.log "ssh session to #{@server.mu_name} was closed unexpectedly, waiting before trying again", MU::NOTICE
+            end
+            sleep 10
+          end
+          if e.instance_of?(MU::Groomer::RunError) and retries == 0 and max_retries > 1 and purpose != "Base Windows configuration"
+            MU.log "Got a run error, will attempt to install/update Chef Client on next attempt", MU::NOTICE
+            try_upgrade = true
+          else
+            try_upgrade = false
+          end
+          if e.is_a?(MU::Groomer::RunError)
+            if reboot_first_fail
+              try_upgrade = true
+              begin
+                preClean(true) # drop any Chef install that's not ours
+                @server.reboot # try gently rebooting the thing
+              rescue Exception => e # it's ok to fail here (and to ignore failure)
+                MU.log "preclean err #{e.inspect}", MU::ERR
+              end
+              reboot_first_fail = false
+            end
+          end
+          if retries < max_retries
+            retries += 1
+            MU.log "#{@server.mu_name}: Chef run '#{purpose}' failed after #{Time.new - runstart} seconds, retrying (#{retries}/#{max_retries})", MU::WARN, details: e.message.dup
+            if purpose != "Base Windows configuration"
+              windows_try_ssh = !windows_try_ssh
+            end
+            if e.is_a?(WinRM::WinRMError)
+              if @server.windows? and retries >= 3 and retries % 3 == 0
+                # Mix in a hard reboot if WinRM isn't answering
+                @server.reboot(true)
+              end
+            end
+            sleep 30
+            retry
+          else
+            raise MU::Groomer::RunError, "#{@server.mu_name}: Chef run '#{purpose}' failed #{max_retries} times, last error was: #{e.message}"
+          end
+        rescue Exception => e
+          raise MU::Groomer::RunError, "Caught unexpected #{e.inspect} on #{@server.mu_name} in @groomer.run"
+        end
+        saveDeployData
+      end
+      # Make sure we've got a Splunk admin vault for any mu-splunk-servers to
+      # use, and set it up if we don't.
+      def splunkVaultInit
+        self.class.loadChefLib
+        begin
+          loaded = ::ChefVault::Item.load("splunk", "admin_user")
+        rescue ::ChefVault::Exceptions::KeysNotFound => e
+          pw = Password.pronounceable(12..14)
+          creds = {
+            "username" => "admin",
+            "password" => pw,
+            "auth" => "admin:#{pw}"
+          }
+          saveSecret(
+            vault: "splunk",
+            item: "admin_user",
+            data: creds,
+            permissions: "role:mu-splunk-server"
+          )
+        end
+      end
+      # Expunge
+      def preClean(leave_ours = false)
+        remove_cmd = nil
+        if !@server.windows?
+          if @server.config['ssh_user'] == "root"
+            remove_cmd = "rm -rf /var/chef/ /etc/chef /opt/chef/ /usr/bin/chef-* ; yum -y erase chef ; rpm -e chef; apt-get -y remove chef ; touch /opt/mu_installed_chef"
+          else
+            remove_cmd = "sudo yum -y erase chef ; sudo rpm -e erase chef ; sudo rm -rf /var/chef/ /etc/chef /opt/chef/ /usr/bin/chef-* ; sudo apt-get -y remove chef ; sudo touch /opt/mu_installed_chef"
+          end
+          guardfile = "/opt/mu_installed_chef"
+          ssh = @server.getSSHSession(15)
+          if leave_ours
+            MU.log "Expunging pre-existing Chef install on #{@server.mu_name}, if we didn't create it", MU::NOTICE
+            begin
+              ssh.exec!(%Q{test -f #{guardfile} || (#{remove_cmd}) ; touch #{guardfile}})
+            rescue IOError => e
+              # TO DO - retry this in a cleaner way
+              MU.log "Got #{e.inspect} while trying to clean up chef, retrying", MU::NOTICE, details: %Q{test -f #{guardfile} || (#{remove_cmd}) ; touch #{guardfile}}
+              ssh = @server.getSSHSession(15)
+              ssh.exec!(%Q{test -f #{guardfile} || (#{remove_cmd}) ; touch #{guardfile}})
+            end
+          else
+            MU.log "Expunging pre-existing Chef install on #{@server.mu_name}", MU::NOTICE
+            ssh.exec!(remove_cmd)
+          end
+          ssh.close
+        else
+          remove_cmd = %Q{
+            $uninstall_string = (Get-ItemProperty HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* | Where-Object {$_.DisplayName -like "chef client*"}).UninstallString
+            if($uninstall_string){
+              $uninstall_string = ($uninstall_string -Replace "msiexec.exe","" -Replace "/I","" -Replace "/X","").Trim()
+              $($uninstall_string -Replace '[\\s\\t]+', ' ').Split() | ForEach {
+                start-process "msiexec.exe" -arg "/X $_ /qn" -Wait
+              }
+            }
+            Remove-Item c:/chef/ -Force -Recurse -ErrorAction Continue
+            Remove-Item c:/opscode/ -Force -Recurse -ErrorAction Continue
+            Remove-Item C:/Users/ADMINI~1/AppData/Local/Temp/bootstrap*.bat -Force -Recurse -ErrorAction Continue
+            Remove-Item C:/Users/ADMINI~1/AppData/Local/Temp/chef-* -Force -Recurse -ErrorAction Continue
+          }
+          shell = @server.getWinRMSession(15)
+          removechef = true
+          if leave_ours
+            resp = shell.run("Test-Path c:/mu_installed_chef")
+            if resp.stdout.chomp == "True"
+              MU.log "Found existing Chef installation created by Mu, leaving it alone"
+              removechef = false
+            end
+          end
+#          remove_cmd = %Q{$my_chef = (Get-ItemProperty $location | Where-Object {$_.DisplayName -like "chef client*"}).DisplayName
+          if removechef
+            MU.log "Expunging pre-existing Chef install on #{@server.mu_name}", MU::NOTICE, details: remove_cmd
+#            pp shell.run(remove_cmd)
+          end
+        end
+      end
+      # Forcibly (re)install Chef. Useful for upgrading or overwriting a
+      # broken existing install.
+      def reinstall
+        try_winrm = false
+        if !@server.windows?
+          cmd = %Q{curl -LO https://omnitruck.chef.io/install.sh && sudo bash ./install.sh -v #{MU.chefVersion} && rm install.sh}
+        else
+          try_winrm = true
+          cmd = %Q{Invoke-WebRequest -useb https://omnitruck.chef.io/install.ps1 | Invoke-Expression; Install-Project -version:#{MU.chefVersion} -download_directory:$HOME}
+        end
+        if try_winrm
+          begin
+            MU.log "Attempting Chef upgrade via WinRM on #{@server.mu_name}", MU::NOTICE, details: cmd
+            winrm = @server.getWinRMSession(1, 30, winrm_retries: 2)
+            pp winrm.run(cmd)
+            return
+          rescue Net::SSH::Disconnect, SystemCallError, Timeout::Error, Errno::ECONNRESET, Errno::EHOSTUNREACH, Net::SSH::Proxy::ConnectError, SocketError, Net::SSH::Disconnect, Net::SSH::AuthenticationFailed, IOError, Net::HTTPServerException, SystemExit, Errno::ECONNREFUSED, Errno::EPIPE, WinRM::WinRMError, HTTPClient::ConnectTimeoutError, RuntimeError, MU::Cloud::BootstrapTempFail, MU::MuError => e
+            MU.log "WinRM failure attempting Chef upgrade on #{@server.mu_name}, will fall back to ssh", MU::WARN
+            cmd = %Q{powershell.exe -inputformat none -noprofile "#{cmd}"}
+          end
+        end
+        MU.log "Attempting Chef upgrade via ssh on #{@server.mu_name}", MU::NOTICE, details: cmd
+        ssh = @server.getSSHSession(1)
+        retval = ssh.exec!(cmd) { |ch, stream, data|
+          puts data
+        }
+      end
+      # Bootstrap our server with Chef
+      def bootstrap
+        self.class.loadChefLib
+        stashHostSSLCertSecret
+        if !@config['cleaned_chef']
+          begin
+            leave_ours = @config['scrub_groomer'] ? false : true
+            preClean(leave_ours)
+          rescue RuntimeError => e
+            MU.log e.inspect, MU::ERR
+            sleep 10
+            retry
+          end
+          @config['cleaned_chef'] = true
+        end
+        nat_ssh_key, nat_ssh_user, nat_ssh_host, canonical_addr, ssh_user, ssh_key_name = @server.getSSHConfig
+        MU.log "Bootstrapping #{@server.mu_name} (#{canonical_addr}) with knife"
+        run_list = ["recipe[mu-tools::newclient]"]
+        run_list << "mu-tools::gcloud" if @server.cloud == "Google" or @server.config['cloud'] == "Google"
+        json_attribs = {}
+        if !@config['application_attributes'].nil?
+          json_attribs['application_attributes'] = @config['application_attributes']
+          json_attribs['skipinitialupdates'] = @config['skipinitialupdates']
+        end
+        if !@config['vault_access'].nil?
+          vault_access = @config['vault_access']
+        else
+          vault_access = []
+        end
+        @server.windows? ? max_retries = 25 : max_retries = 10
+        @server.windows? ? timeout = 1800 : timeout = 300
+        retries = 0
+        begin
+          if !@server.windows?
+            kb = ::Chef::Knife::Bootstrap.new([canonical_addr])
+            kb.config[:use_sudo] = true
+            kb.name_args = "#{canonical_addr}"
+            kb.config[:distro] = 'chef-full'
+            kb.config[:ssh_user] = ssh_user
+            kb.config[:forward_agent] = ssh_user
+            kb.config[:identity_file] = "#{Etc.getpwuid(Process.uid).dir}/.ssh/#{ssh_key_name}"
+          else
+            kb = ::Chef::Knife::BootstrapWindowsWinrm.new([@server.mu_name])
+            kb.name_args = [@server.mu_name]
+            kb.config[:manual] = true
+            kb.config[:winrm_transport] = :ssl
+            kb.config[:host] = @server.mu_name
+            kb.config[:winrm_port] = 5986
+            kb.config[:session_timeout] = timeout
+            kb.config[:operation_timeout] = timeout
+            kb.config[:winrm_authentication_protocol] = :cert
+            kb.config[:winrm_client_cert] = "#{MU.mySSLDir}/#{@server.mu_name}-winrm.crt"
+            kb.config[:winrm_client_key] = "#{MU.mySSLDir}/#{@server.mu_name}-winrm.key"
+#          kb.config[:ca_trust_file] = "#{MU.mySSLDir}/Mu_CA.pem"
+            # XXX ca_trust_file doesn't work for some reason, so we have to set the below for now
+            kb.config[:winrm_ssl_verify_mode] = :verify_none
+            kb.config[:msi_url] = "https://www.chef.io/chef/download?p=windows&pv=2012&m=x86_64&v=#{MU.chefVersion}"
+          end
+          # XXX this seems to break Knife Bootstrap
+          #      if vault_access.size > 0
+          #        v = {}
+          #        vault_access.each { |vault|
+          #          v[vault['vault']] = [] if v[vault['vault']].nil?
+          #          v[vault['vault']] << vault['item']
+          #        }
+          #        kb.config[:bootstrap_vault_json] = JSON.generate(v)
+          #      end
+          kb.config[:json_attribs] = JSON.generate(json_attribs) if json_attribs.size > 1
+          kb.config[:run_list] = run_list
+          kb.config[:chef_node_name] = @server.mu_name
+          kb.config[:bootstrap_version] = MU.chefVersion
+          # XXX key off of MU verbosity level
+          kb.config[:log_level] = :debug
+          # kb.config[:ssh_gateway] = "#{nat_ssh_user}@#{nat_ssh_host}" if !nat_ssh_host.nil? # Breaking bootsrap
+          MU.log "Knife Bootstrap settings for #{@server.mu_name} (#{canonical_addr}), timeout set to #{timeout.to_s}", MU::NOTICE, details: kb.config
+          if @server.windows? and @server.windowsRebootPending?
+            raise MU::Cloud::BootstrapTempFail, "#{@server.mu_name} has a pending reboot"
+          end
+          Timeout::timeout(timeout) {
+            require 'chef'
+            MU::Cloud.handleNetSSHExceptions
+            kb.run
+          }
+          # throws Net::HTTPServerException if we haven't really bootstrapped
+          ::Chef::Node.load(@server.mu_name)
+        rescue Net::SSH::Disconnect, SystemCallError, Timeout::Error, Errno::ECONNRESET, Errno::EHOSTUNREACH, Net::SSH::Proxy::ConnectError, SocketError, Net::SSH::Disconnect, Net::SSH::AuthenticationFailed, IOError, Net::HTTPServerException, SystemExit, Errno::ECONNREFUSED, Errno::EPIPE, WinRM::WinRMError, HTTPClient::ConnectTimeoutError, RuntimeError, MU::Cloud::BootstrapTempFail => e
+          if retries < max_retries
+            retries += 1
+            # Bad Chef installs are possible culprits of bootstrap failures, so
+            # try scrubbing them when that happens.
+            # On Windows, even a fresh install comes up screwy disturbingly
+            # often, so we let it start over from scratch if needed. Except for
+            # the first attempt, which usually fails due to WinRM funk.
+            if !e.is_a?(MU::Cloud::BootstrapTempFail) and
+               !(e.is_a?(WinRM::WinRMError) and @config['forced_preclean']) and
+               !@config['forced_preclean']
+              begin
+                preClean(false) # it's ok for this to fail
+              rescue Exception => e
+              end
+              MU::Groomer::Chef.cleanup(@server.mu_name, nodeonly: true)
+              @config['forced_preclean'] = true
+              @server.reboot if @server.windows? # *sigh*
+            end
+            MU.log "#{@server.mu_name}: Knife Bootstrap failed #{e.inspect}, retrying in #{(10*retries).to_s}s (#{retries} of #{max_retries})", MU::WARN, details: e.backtrace
+            sleep 10*retries
+            retry
+          else
+            raise MuError, "#{@server.mu_name}: Knife Bootstrap failed too many times with #{e.inspect}"
+          end
+        rescue Exception => e
+MU.log e.inspect, MU::ERR, details: e.backtrace
+sleep 10*retries
+retry
+        end
+        # Now that we're done, remove one-shot bootstrap recipes from the
+        # node's final run list
+        ["mu-tools::newclient"].each { |recipe|
+          begin
+            ::Chef::Knife.run(['node', 'run_list', 'remove', @server.mu_name, "recipe[#{recipe}]"], {})
+          rescue SystemExit => e
+            MU.log "#{@server.mu_name}: Run list removal of recipe[#{recipe}] failed with #{e.inspect}", MU::WARN
+          end
+        }
+        knifeAddToRunList("role[mu-node]")
+        splunkVaultInit
+        grantSecretAccess(@server.mu_name, "windows_credentials") if @server.windows?
+        grantSecretAccess(@server.mu_name, "ssl_cert")
+        saveChefMetadata
+        knifeAddToRunList("recipe[mu-tools::updates]") if !@config['skipinitialupdates']
+        # Making sure all Windows nodes get the mu-tools::windows-client recipe
+        if @server.windows?
+          knifeAddToRunList("recipe[mu-tools::windows-client]")
+          run(purpose: "Base Windows configuration", update_runlist: false, max_retries: 20)
+        elsif !@config['skipinitialupdates']
+          run(purpose: "Base configuration", update_runlist: false, max_retries: 20)
+        end
+        ::Chef::Knife.run(['node', 'run_list', 'remove', @server.mu_name, "recipe[mu-tools::updates]"], {}) if !@config['skipinitialupdates']
+        # This will deal with Active Directory integration.
+        if !@config['active_directory'].nil?
+          if @config['active_directory']['domain_operation'] == "join"
+            knifeAddToRunList("recipe[mu-activedirectory::domain-node]")
+            run(purpose: "Join Active Directory", update_runlist: false, max_retries: max_retries)
+          elsif @config['active_directory']['domain_operation'] == "create"
+            knifeAddToRunList("recipe[mu-activedirectory::domain]")
+            run(purpose: "Create Active Directory Domain", update_runlist: false, max_retries: 15)
+          elsif @config['active_directory']['domain_operation'] == "add_controller"
+            knifeAddToRunList("recipe[mu-activedirectory::domain-controller]")
+            run(purpose: "Add Domain Controller to Active Directory", update_runlist: false, max_retries: 15)
+          end
+        end
+        if !@config['run_list'].nil?
+          knifeAddToRunList(multiple: @config['run_list'])
+        end
+        saveDeployData
+      end
+      # Synchronize the deployment structure managed by {MU::MommaCat} to Chef,
+      # so that nodes can access this metadata.
+      # @return [Hash]: The data synchronized.
+      def saveDeployData
+        self.class.loadChefLib
+        @server.describe(update_cache: true) # Make sure we're fresh
+        saveChefMetadata
+        begin
+          chef_node = ::Chef::Node.load(@server.mu_name)
+          # Our deploydata gets corrupted often with server pools, in this case the the deploy data structure of some nodes is corrupt the hashes can become too nested and also invalid.
+          # When we try to merge this invalid structure with our chef node structure we get a 'stack level too deep' error.
+          # The choice here is to either fail more gracefully or try to clean up our deployment data. This is an attempt to implement the second option
+          nodes_to_delete = []
+          node_class = nil
+          if @server.deploy.deployment.has_key?('servers')
+            @server.deploy.deployment['servers'].each_pair { |nodeclass, server_struct|
+              node_class = nodeclass
+              server_struct.each_pair { |name, server|
+                if server.is_a?(Hash) && !server.has_key?('nodename')
+                  MU.log "#{name} deploy data is corrupt, trying to delete section before merging deployment metadata", MU::ERR, details: server
+                  nodes_to_delete << name
+                end
+              }
+            }
+          end
+          if !nodes_to_delete.empty?
+            nodes_to_delete.each { |name|
+              @server.deploy.deployment['servers'][node_class].delete(name)
+            }
+          end
+          if chef_node.normal['deployment'] != @server.deploy.deployment
+            MU.log "Updating node: #{@server.mu_name} deployment attributes", details: @server.deploy.deployment
+            chef_node.normal['deployment'].merge!(@server.deploy.deployment)
+            chef_node.normal['deployment']['ssh_public_key'] = @server.deploy.ssh_public_key
+            chef_node.save
+          end
+          return chef_node['deployment']
+        rescue Net::HTTPServerException => e
+          MU.log "Attempted to save deployment to Chef node #{@server.mu_name} before it was bootstrapped.", MU::DEBUG
+        end
+      end
+      # Expunge Chef resources associated with a node.
+      # @param node [String]: The Mu name of the node in question.
+      # @param vaults_to_clean [Array<Hash>]: Some vaults to expunge
+      # @param noop [Boolean]: Skip actual deletion, just state what we'd do
+      # @param nodeonly [Boolean]: Just delete the node and its keys, but leave other artifacts
+      def self.cleanup(node, vaults_to_clean = [], noop = false, nodeonly: false)
+        loadChefLib
+        MU.log "Deleting Chef resources associated with #{node}"
+        if !nodeonly
+          vaults_to_clean.each { |vault|
+            MU::MommaCat.lock("vault-#{vault['vault']}", false, true)
+            MU.log "knife vault remove #{vault['vault']} #{vault['item']} --search name:#{node}", MU::NOTICE
+            ::Chef::Knife.run(['vault', 'remove', vault['vault'], vault['item'], "--search", "name:#{node}"]) if !noop
+            MU::MommaCat.unlock("vault-#{vault['vault']}")
+          }
+        end
+        MU.log "knife node delete #{node}"
+        if !noop
+          knife_nd = ::Chef::Knife::NodeDelete.new(['node', 'delete', node])
+          knife_nd.config[:yes] = true
+          begin
+            knife_nd.run
+          rescue Net::HTTPServerException
+          end
+        end
+        MU.log "knife client delete #{node}"
+        if !noop
+          knife_cd = ::Chef::Knife::ClientDelete.new(['client', 'delete', node])
+          knife_cd.config[:yes] = true
+          begin
+            knife_cd.run
+          rescue Net::HTTPServerException
+          end
+        end
+        return if nodeonly
+        begin
+          deleteSecret(vault: node) if !noop
+        rescue MuNoSuchSecret
+        end
+        ["crt", "key", "csr"].each { |ext|
+          if File.exists?("#{MU.mySSLDir}/#{node}.#{ext}")
+            MU.log "Removing #{MU.mySSLDir}/#{node}.#{ext}"
+            File.unlink("#{MU.mySSLDir}/#{node}.#{ext}") if !noop
+          end
+        }
+      end
+      # Allow a node access to a vault.
+      # @param host [String]:
+      # @param vault [String]:
+      # @param item [String]:
+      def self.grantSecretAccess(host, vault, item)
+        loadChefLib
+        MU::MommaCat.lock("vault-#{vault}", false, true)
+        MU.log "Granting #{host} access to #{vault} #{item}"
+        begin
+          ::Chef::Knife.run(['vault', 'update', vault, item, "--search", "name:#{host}"])
+        rescue Exception => e
+          MU.log e.inspect, MU::ERR, details: caller
+        end
+        MU::MommaCat.unlock("vault-#{vault}", true)
+      end
+      private
+      # Save common Mu attributes to this node's Chef node structure.
+      def saveChefMetadata
+        self.class.loadChefLib
+        nat_ssh_key, nat_ssh_user, nat_ssh_host, canonical_addr, ssh_user, ssh_key_name = @server.getSSHConfig
+        MU.log "Saving #{@server.mu_name} Chef artifacts"
+        begin
+          chef_node = ::Chef::Node.load(@server.mu_name)
+        rescue Net::HTTPServerException
+          raise MU::Groomer::RunError, "Couldn't load Chef node #{@server.mu_name}"
+        end
+        # Figure out what this node thinks its name is
+        system_name = chef_node['fqdn'] if !chef_node['fqdn'].nil?
+        MU.log "#{@server.mu_name} local name is #{system_name}", MU::DEBUG
+        chef_node.normal.app = @config['application_cookbook'] if !@config['application_cookbook'].nil?
+        chef_node.normal["service_name"] = @config["name"]
+        chef_node.normal["windows_admin_username"] = @config['windows_admin_username']
+        chef_node.chef_environment = MU.environment.downcase
+        if @server.config['cloud'] == "AWS"
+          chef_node.normal["ec2"] = MU.structToHash(@server.cloud_desc)
+        end
+        if @server.windows?
+          chef_node.normal['windows_admin_username'] = @config['windows_admin_username']
+          chef_node.normal['windows_auth_vault'] = @server.mu_name
+          chef_node.normal['windows_auth_item'] = "windows_credentials"
+          chef_node.normal['windows_auth_password_field'] = "password"
+          chef_node.normal['windows_auth_username_field'] = "username"
+          chef_node.normal['windows_ec2config_password_field'] = "ec2config_password"
+          chef_node.normal['windows_ec2config_username_field'] = "ec2config_username"
+          chef_node.normal['windows_sshd_password_field'] = "sshd_password"
+          chef_node.normal['windows_sshd_username_field'] = "sshd_username"
+        end
+        # If AD integration has been requested for this node, give Chef what it'll need.
+        if !@config['active_directory'].nil?
+          chef_node.normal['ad']['computer_name'] = @server.mu_windows_name
+          chef_node.normal['ad']['node_class'] = @config['name']
+          chef_node.normal['ad']['domain_name'] = @config['active_directory']['domain_name']
+          chef_node.normal['ad']['node_type'] = @config['active_directory']['node_type']
+          chef_node.normal['ad']['domain_operation'] = @config['active_directory']['domain_operation']
+          chef_node.normal['ad']['domain_controller_hostname'] = @config['active_directory']['domain_controller_hostname'] if @config['active_directory'].has_key?('domain_controller_hostname')
+          chef_node.normal['ad']['netbios_name'] = @config['active_directory']['short_domain_name']
+          chef_node.normal['ad']['computer_ou'] = @config['active_directory']['computer_ou'] if @config['active_directory'].has_key?('computer_ou')
+          chef_node.normal['ad']['domain_sid'] = @config['active_directory']['domain_sid'] if @config['active_directory'].has_key?('domain_sid')
+          chef_node.normal['ad']['dcs'] = @config['active_directory']['domain_controllers']
+          chef_node.normal['ad']['domain_join_vault'] = @config['active_directory']['domain_join_vault']['vault']
+          chef_node.normal['ad']['domain_join_item'] = @config['active_directory']['domain_join_vault']['item']
+          chef_node.normal['ad']['domain_join_username_field'] = @config['active_directory']['domain_join_vault']['username_field']
+          chef_node.normal['ad']['domain_join_password_field'] = @config['active_directory']['domain_join_vault']['password_field']
+          chef_node.normal['ad']['domain_admin_vault'] = @config['active_directory']['domain_admin_vault']['vault']
+          chef_node.normal['ad']['domain_admin_item'] = @config['active_directory']['domain_admin_vault']['item']
+          chef_node.normal['ad']['domain_admin_username_field'] = @config['active_directory']['domain_admin_vault']['username_field']
+          chef_node.normal['ad']['domain_admin_password_field'] = @config['active_directory']['domain_admin_vault']['password_field']
+        end
+        # Amazon-isms, possibly irrelevant
+        awscli_region_widget = {
+            "compile_time" => true,
+            "config_profiles" => {
+                "default" => {
+                    "options" => {
+                        "region" => @config['region']
+                    }
+                }
+            }
+        }
+        chef_node.normal['awscli'] = awscli_region_widget
+        if !@server.cloud.nil?
+          chef_node.normal['cloudprovider'] = @server.cloud
+          # XXX In AWS this is an OpenStruct-ish thing, but it may not be in
+          # others.
+          chef_node.normal[@server.cloud.to_sym] = MU.structToHash(@server.cloud_desc)
+        end
+        tags = MU::MommaCat.listStandardTags
+        tags.merge!(MU::MommaCat.listOptionalTags) if @config['optional_tags']
+        if !@config['tags'].nil?
+          @config['tags'].each { |tag|
+            tags[tag['key']] = tag['value']
+          }
+        end
+        chef_node.normal['tags'] = tags
+        chef_node.save
+        # If we have a database make sure we grant access to that vault.
+        # In some cases the cached getLitter response will not have all the resources in the deploy, so lets not use the cache.
+        if @config.has_key?('dependencies')
+          deploy = MU::MommaCat.getLitter(MU.deploy_id, use_cache: false)
+          @config['dependencies'].each{ |dep|
+            if dep['type'] == "database" && deploy.deployment.has_key?("databases") && deploy.deployment["databases"].has_key?(dep['name'])
+                deploy.deployment["databases"][dep['name']].each { |name, database|
+                grantSecretAccess(database['vault_name'], database['vault_item']) if database.has_key?("vault_name") && database.has_key?("vault_item")
+              }
+            end
+          }
+        end
+        # Finally, grant us access to some pre-existing Vaults.
+        if !@config['vault_access'].nil?
+          @config['vault_access'].each { |vault|
+            grantSecretAccess(vault['vault'], vault['item'])
+          }
+        end
+      end
+      def grantSecretAccess(vault, item)
+        return if @secrets_granted["#{vault}:#{item}"] == item
+        self.class.grantSecretAccess(@server.mu_name, vault, item)
+        @secrets_granted["#{vault}:#{item}"] = item
+      end
+      def self.knifeCmd(cmd, showoutput = false)
+        MU.log "knife #{cmd}", MU::NOTICE if showoutput
+        output = `#{MU::Groomer::Chef.knife} #{cmd}`
+        exitstatus = $?.exitstatus
+        if showoutput
+          puts output
+          puts "Exit status: #{exitstatus}"
+        end
+        return [exitstatus, output]
+      end
+      def knifeCmd(cmd, showoutput = false)
+        self.class.knifeCmd(cmd, showoutput)
+      end
+      # Upload the certificate to a Chef Vault for this node
+      def stashHostSSLCertSecret
+        cert, key = @server.deploy.nodeSSLCerts(@server)
+        certdata = {
+          "data" => {
+            "node.crt" => cert.to_pem.chomp!.gsub(/\n/, "\\n"),
+            "node.key" => key.to_pem.chomp!.gsub(/\n/, "\\n")
+          }
+        }
+        saveSecret(item: "ssl_cert", data: certdata, permissions: nil)
+        saveSecret(item: "secrets", data: @config['secrets'], permissions: nil) if !@config['secrets'].nil?
+        certdata
+      end
+      # Add a role or recipe to a node. Optionally, throw a fit if it doesn't
+      # exist.
+      # @param rl_entry [String]: The run-list entry to add.
+      # @param type [String]: One of *role* or *recipe*.
+      # @param ignore_missing [Boolean]: If set to true, will merely warn about missing recipes/roles instead of throwing an exception.
+      # @param multiple [Array<String>]: Add more than one run_list entry. Overrides rl_entry.
+      # @return [void]
+      def knifeAddToRunList(rl_entry = nil, type="role", ignore_missing: false, multiple: [])
+        self.class.loadChefLib
+        return if rl_entry.nil? and multiple.size == 0
+        if multiple.size == 0
+          multiple = [rl_entry]
+        end
+        multiple.each { |rl_entry|
+          if !rl_entry.match(/^role|recipe\[/)
+            rl_entry = "#{type}[#{rl_entry}]"
+          end
+        }
+        if !ignore_missing
+          role_list = nil
+          recipe_list = nil
+          missing = false
+          multiple.each { |rl_entry|
+            # Rather than argue about whether to expect a bare rl_entry name or
+            # require rl_entry[rolename], let's just accomodate.
+            if rl_entry.match(/^role\[(.+?)\]/)
+              rl_entry_name = Regexp.last_match(1)
+              if role_list.nil?
+                query=%Q{#{MU::Groomer::Chef.knife} role list};
+                role_list = %x{#{query}}
+              end
+              if !role_list.match(/(^|\n)#{rl_entry_name}($|\n)/)
+                MU.log "Attempting to add non-existent #{rl_entry} to #{@server.mu_name}", MU::WARN
+                missing = true
+              end
+            elsif rl_entry.match(/^recipe\[(.+?)\]/)
+              rl_entry_name = Regexp.last_match(1)
+              if recipe_list.nil?
+                query=%Q{#{MU::Groomer::Chef.knife} recipe list};
+                recipe_list = %x{#{query}}
+              end
+              if !recipe_list.match(/(^|\n)#{rl_entry_name}($|\n)/)
+                MU.log "Attempting to add non-existent #{rl_entry} to #{@server.mu_name}", MU::WARN
+                missing = true
+              end
+            end
+            if missing and !ignore_missing
+              raise MuError, "Can't continue with missing roles/recipes for #{@server.mu_name}"
+            end
+          }
+        end
+        rl_string = multiple.join(",")
+        begin
+          query=%Q{#{MU::Groomer::Chef.knife} node run_list add #{@server.mu_name} "#{rl_string}"};
+          MU.log("Adding #{rl_string} to Chef run_list of #{@server.mu_name}")
+          MU.log("Running #{query}", MU::DEBUG)
+          output=%x{#{query}}
+            # XXX rescue Exception is bad style
+        rescue Exception => e
+          raise MuError, "FAIL: #{MU::Groomer::Chef.knife} node run_list add #{@server.mu_name} \"#{rl_string}\": #{e.message} (output was #{output})"
+        end
+      end
+    end # class Chef
+  end # class Groomer
+end # Module Mu