cloud-mu 2.1.0beta → 3.0.0beta

data/modules/mu/mommacat.rb

@@ -53,21 +53,34 @@ module MU
       if deploy_id.nil? or deploy_id.empty?
         raise MuError, "Cannot fetch a deployment without a deploy_id"
       end
+
 # XXX this caching may be harmful, causing stale resource objects to stick
 # around. Have we fixed this? Sort of. Bad entries seem to have no kittens,
 # so force a reload if we see that. That's probably not the root problem.
-      @@litter_semaphore.synchronize {
-
-        if !use_cache or !@@litters.has_key?(deploy_id) or @@litters[deploy_id].kittens.nil? or @@litters[deploy_id].kittens.size == 0
-          @@litters[deploy_id] = MU::MommaCat.new(deploy_id, set_context_to_me: set_context_to_me)
-        elsif set_context_to_me
-          MU::MommaCat.setThreadContext(@@litters[deploy_id])
-        end
-        return @@litters[deploy_id]
-      }
+      littercache = nil
+      begin
+        @@litter_semaphore.synchronize {
+          littercache = @@litters.dup
+        }
+      rescue ThreadError => e
+        # already locked by a parent caller and this is a read op, so this is ok
+        raise e if !e.message.match(/recursive locking/)
+        littercache = @@litters.dup
+      end
+      if !use_cache or littercache[deploy_id].nil?
+        newlitter = MU::MommaCat.new(deploy_id, set_context_to_me: set_context_to_me)
+        # This, we have to synchronize, as it's a write
+        @@litter_semaphore.synchronize {
+          @@litters[deploy_id] ||= newlitter
+        }
+      elsif set_context_to_me
+        MU::MommaCat.setThreadContext(@@litters[deploy_id])
+      end
+      return @@litters[deploy_id]
 #     MU::MommaCat.new(deploy_id, set_context_to_me: set_context_to_me)
     end
 
+    attr_reader :initializing
     attr_reader :public_key
     attr_reader :deploy_secret
     attr_reader :deployment
@@ -155,16 +168,20 @@ module MU
                    ssh_private_key: nil,
                    ssh_public_key: nil,
                    nocleanup: false,
+                   appname: nil,
+                   timestamp: nil,
                    set_context_to_me: true,
                    skip_resource_objects: false,
                    no_artifacts: false,
                    deployment_data: {},
+                   delay_descriptor_load: false,
                    mu_user: Etc.getpwuid(Process.uid).name
     )
       if deploy_id.nil? or deploy_id.empty?
         raise DeployInitializeError, "MommaCat objects must specify a deploy_id"
       end
       set_context_to_me = true if create
+      @initializing = true
 
       @deploy_id = deploy_id
       @mu_user = mu_user.dup
@@ -179,10 +196,11 @@ module MU
       end
       @kitten_semaphore = Mutex.new
       @kittens = {}
-      @original_config = config
+      @original_config = MU::Config.manxify(config)
       @nocleanup = nocleanup
       @secret_semaphore = Mutex.new
       @notify_semaphore = Mutex.new
+      @need_deploy_flush = false
       @node_cert_semaphore = Mutex.new
       @deployment = deployment_data
       @deployment['mu_public_ip'] = MU.mu_public_ip
@@ -190,16 +208,21 @@ module MU
       @public_key = nil
       @secrets = Hash.new
       @secrets['instance_secret'] = Hash.new
-      @environment = environment
       @ssh_key_name = ssh_key_name
       @ssh_private_key = ssh_private_key
       @ssh_public_key = ssh_public_key
       @clouds = {}
       @seed = MU.seed # pass this in
       @handle = MU.handle # pass this in
+      @appname = appname
+      @appname ||= @original_config['name'] if @original_config
+      @timestamp = timestamp
+      @environment = environment
+
       if set_context_to_me
         MU::MommaCat.setThreadContext(self)
       end
+
       if create and !@no_artifacts
         if !Dir.exist?(MU.dataDir+"/deployments")
           MU.log "Creating #{MU.dataDir}/deployments", MU::DEBUG
@@ -214,23 +237,27 @@ module MU
           raise DeployInitializeError, "New MommaCat repository requires config hash"
         end
         credsets = {}
-        @appname = @original_config['name']
-        MU::Cloud.resource_types.each { |cloudclass, data|
+
+        MU::Cloud.resource_types.values { |data|
           if !@original_config[data[:cfg_plural]].nil? and @original_config[data[:cfg_plural]].size > 0
             @original_config[data[:cfg_plural]].each { |resource|
+
               credsets[resource['cloud']] ||= []
               credsets[resource['cloud']] << resource['credentials']
               @clouds[resource['cloud']] = 0 if !@clouds.has_key?(resource['cloud'])
               @clouds[resource['cloud']] = @clouds[resource['cloud']] + 1
+
             }
           end
         }
+
         @ssh_key_name, @ssh_private_key, @ssh_public_key = self.SSHKey
         if !File.exist?(deploy_dir+"/private_key")
           @private_key, @public_key = createDeployKey
         end
         MU.log "Creating deploy secret for #{MU.deploy_id}"
         @deploy_secret = Password.random(256)
+
         if !@original_config['scrub_mu_isms']
           credsets.each_pair { |cloud, creds|
             creds.uniq!
@@ -243,9 +270,14 @@ module MU
         if set_context_to_me
           MU::MommaCat.setThreadContext(self)
         end
+
         save!
+
       end
 
+      @appname ||= MU.appname
+      @timestamp ||= MU.timestamp
+      @environment ||= MU.environment
 
       loadDeploy(set_context_to_me: set_context_to_me)
       if !deploy_secret.nil?
@@ -255,13 +287,19 @@ module MU
       end
 
 
+      @@litter_semaphore.synchronize {
+        @@litters[@deploy_id] ||= self
+      }
+
       # Initialize a MU::Cloud object for each resource belonging to this
       # deploy, IF it already exists, which is to say if we're loading an
       # existing deploy instead of creating a new one.
       if !create and @deployment and @original_config and !skip_resource_objects
+
         MU::Cloud.resource_types.each_pair { |res_type, attrs|
           type = attrs[:cfg_plural]
           if @deployment.has_key?(type)
+
             @deployment[type].each_pair { |res_name, data|
               orig_cfg = nil
               if @original_config.has_key?(type)
@@ -284,16 +322,23 @@ module MU
                   end
                 }
               end
+
               if orig_cfg.nil?
                 MU.log "Failed to locate original config for #{attrs[:cfg_name]} #{res_name} in #{@deploy_id}", MU::WARN if !["firewall_rules", "databases", "storage_pools", "cache_clusters", "alarms"].include?(type) # XXX shaddap
                 next
               end
+
+              if orig_cfg['vpc']
+                ref = MU::Config::Ref.get(orig_cfg['vpc'])
+                orig_cfg['vpc']['id'] = ref if ref.kitten
+              end
+
               begin
                 # Load up MU::Cloud objects for all our kittens in this deploy
                 orig_cfg['environment'] = @environment # not always set in old deploys
                 if attrs[:has_multiples]
-                  data.each_pair { |mu_name, actual_data|
-                    attrs[:interface].new(mommacat: self, kitten_cfg: orig_cfg, mu_name: mu_name)
+                  data.keys.each { |mu_name|
+                    attrs[:interface].new(mommacat: self, kitten_cfg: orig_cfg, mu_name: mu_name, delay_descriptor_load: delay_descriptor_load)
                   }
                 else
                   # XXX hack for old deployments, this can go away some day
@@ -315,19 +360,99 @@ module MU
                   attrs[:interface].new(mommacat: self, kitten_cfg: orig_cfg, mu_name: data['mu_name'], cloud_id: data['cloud_id'])
                 end
               rescue Exception => e
-                MU.log "Failed to load an existing resource of type '#{type}' in #{@deploy_id}: #{e.inspect}", MU::WARN, details: e.backtrace
+                if e.class != MU::Cloud::MuCloudResourceNotImplemented
+                  MU.log "Failed to load an existing resource of type '#{type}' in #{@deploy_id}: #{e.inspect}", MU::WARN, details: e.backtrace
+                end
               end
             }
+
           end
         }
       end
 
+      @initializing = false
+
 # XXX this .owned? method may get changed by the Ruby maintainers
 #     if !@@litter_semaphore.owned?
-#       @@litter_semaphore.synchronize {
-#         @@litters[@deploy_id] = self
-#       }
-#     end
+    end # end of initialize()
+
+    # List all the cloud providers declared by resources in our deploy.
+    def cloudsUsed
+      seen = []
+      seen << @original_config['cloud'] if @original_config['cloud']
+      MU::Cloud.resource_types.values.each { |attrs|
+        type = attrs[:cfg_plural]
+        if @original_config.has_key?(type)
+          @original_config[type].each { |resource|
+            seen << resource['cloud'] if resource['cloud']
+          }
+        end
+      }
+      seen.uniq
+    end
+
+    # Assay this deployment for a list of credentials (from mu.yaml) which are
+    # used. Our Cleanup module can leverage this to skip unnecessary checks.
+    # @return [Array<String>]
+    def credsUsed
+      return [] if !@original_config
+      seen = []
+#      clouds = []
+      seen << @original_config['credentials'] if @original_config['credentials']
+#      defaultcloud = @original_config['cloud']
+      MU::Cloud.resource_types.values.each { |attrs|
+        type = attrs[:cfg_plural]
+        if @original_config.has_key?(type)
+          @original_config[type].each { |resource|
+            if resource['credentials']
+              seen << resource['credentials']
+            else
+              cloudclass = if @original_config['cloud']
+                Object.const_get("MU").const_get("Cloud").const_get(@original_config['cloud'])
+              else
+                Object.const_get("MU").const_get("Cloud").const_get(MU::Config.defaultCloud)
+              end
+              seen << cloudclass.credConfig(name_only: true)
+            end
+          }
+        end
+      }
+# XXX insert default for each cloud provider if not explicitly seen
+      seen.uniq
+    end
+
+    # List the regions used by each resource in our deploy. This will just be
+    # a flat list of strings with no regard to which region belongs with what
+    # cloud provider- things mostly use this as a lookup table so they can
+    # safely skip unnecessary regions when creating/cleaning deploy artifacts.
+    # @return [Array<String>]
+    def regionsUsed
+      return [] if !@original_config
+      regions = []
+      regions << @original_config['region'] if @original_config['region']
+      MU::Cloud.resource_types.each_pair { |res_type, attrs|
+        type = attrs[:cfg_plural]
+        if @original_config.has_key?(type)
+          @original_config[type].each { |resource|
+            if resource['cloud']
+              cloudclass = Object.const_get("MU").const_get("Cloud").const_get(resource['cloud'])
+              resclass = Object.const_get("MU").const_get("Cloud").const_get(resource['cloud']).const_get(res_type.to_s)
+              if resclass.isGlobal?
+                regions.concat(cloudclass.listRegions)
+                next
+              elsif !resource['region']
+                regions << cloudclass.myRegion
+              end
+            end
+            if resource['region']
+              regions << resource['region'] if resource['region']
+            else
+            end
+          }
+        end
+      }
+
+      regions.uniq
     end
 
     # Tell us the number of first-class resources we've configured, optionally
@@ -341,13 +466,13 @@ module MU
       return 0 if @original_config.nil?
       if !types.nil? and types.size > 0
         types.each { |type|
-          shortclass, cfg_name, cfg_plural, classname = MU::Cloud.getResourceNames(type)
+          cfg_plural = MU::Cloud.getResourceNames(type)[2]
           realtypes << cfg_plural
         }
       end
 
       count = 0
-      MU::Cloud.resource_types.each { |cloudclass, data|
+      MU::Cloud.resource_types.values.each { |data|
         next if @original_config[data[:cfg_plural]].nil?
         next if realtypes.size > 0 and (!negate and !realtypes.include?(data[:cfg_plural]))
         @original_config[data[:cfg_plural]].each { |resource|
@@ -365,13 +490,13 @@ module MU
         raise MuError, "Nil arguments to removeKitten are not allowed"
       end
       @kitten_semaphore.synchronize {
-        MU::Cloud.resource_types.each_pair { |name, attrs|
+        MU::Cloud.resource_types.values.each { |attrs|
           type = attrs[:cfg_plural]
           next if !@kittens.has_key?(type)
           tmplitter = @kittens[type].values.dup
           tmplitter.each { |nodeclass, data|
             if data.is_a?(Hash)
-              data.each_pair { |mu_name, obj|
+              data.keys.each { |mu_name|
                 if data == object
                   @kittens[type][nodeclass].delete(mu_name)
                   return
@@ -421,17 +546,19 @@ module MU
       if !type or !name or !object or !object.mu_name
         raise MuError, "Nil arguments to addKitten are not allowed (got type: #{type}, name: #{name}, and '#{object}' to add)"
       end
-      shortclass, cfg_name, cfg_plural, classname, attrs = MU::Cloud.getResourceNames(type)
-      type = cfg_plural
+
+      _shortclass, _cfg_name, type, _classname, attrs = MU::Cloud.getResourceNames(type)
       has_multiples = attrs[:has_multiples]
+      object.intoDeploy(self)
 
       @kitten_semaphore.synchronize {
         @kittens[type] ||= {}
+        @kittens[type][object.habitat] ||= {}
         if has_multiples
-          @kittens[type][name] ||= {}
-          @kittens[type][name][object.mu_name] = object
+          @kittens[type][object.habitat][name] ||= {}
+          @kittens[type][object.habitat][name][object.mu_name] = object
         else
-          @kittens[type][name] = object
+          @kittens[type][object.habitat][name] = object
         end
       }
     end
@@ -458,7 +585,7 @@ module MU
           return false
         end
       rescue OpenSSL::PKey::RSAError => e
-        MU.log e.inspect, MU::ERR
+        MU.log "Error decrypting provided ciphertext using private key from #{deploy_dir}/private_key: #{e.message}", MU::ERR, details: ciphertext
         return false
       end
     end
@@ -506,7 +633,7 @@ module MU
         raise MuError, "Got no argument to MU::MommaCat.getResourceName"
       end
       if @appname.nil? or @environment.nil? or @timestamp.nil? or @seed.nil?
-        MU.log "Missing global deploy variables in thread #{Thread.current.object_id}, using bare name '#{name}' (appname: #{@appname}, environment: #{@environment}, timestamp: #{@timestamp}, seed: #{@seed}", MU::WARN, details: caller
+        MU.log "getResourceName: Missing global deploy variables in thread #{Thread.current.object_id}, using bare name '#{name}' (appname: #{@appname}, environment: #{@environment}, timestamp: #{@timestamp}, seed: #{@seed}, deploy_id: #{@deploy_id}", MU::WARN, details: caller
         return name
       end
       need_unique_string = false if scrub_mu_isms
@@ -597,7 +724,7 @@ module MU
     def saveNodeSecret(instance_id, raw_secret, type)
       return if @no_artifacts
       if instance_id.nil? or instance_id.empty? or raw_secret.nil? or raw_secret.empty? or type.nil? or type.empty?
-        raise SecretError, "saveNodeSecret requires instance_id, raw_secret, and type args"
+        raise SecretError, "saveNodeSecret requires instance_id (#{instance_id}), raw_secret (#{raw_secret}), and type (#{type}) args"
       end
       MU::MommaCat.lock("deployment-notification")
       loadDeploy(true) # make sure we're not trampling deployment data
@@ -746,14 +873,14 @@ module MU
         kitten.groom
       rescue Exception => e
         MU::MommaCat.unlockAll
-        if e.class.name != "MU::Cloud::AWS::Server::BootstrapTempFail" and !File.exists?(deploy_dir+"/.cleanup."+cloud_id) and !File.exists?(deploy_dir+"/.cleanup")
+        if e.class.name != "MU::Cloud::AWS::Server::BootstrapTempFail" and !File.exist?(deploy_dir+"/.cleanup."+cloud_id) and !File.exist?(deploy_dir+"/.cleanup")
           MU.log "Grooming FAILED for #{kitten.mu_name} (#{e.inspect})", MU::ERR, details: e.backtrace
-#         sendAdminMail("Grooming FAILED for #{kitten.mu_name} on #{MU.appname} \"#{MU.handle}\" (#{MU.deploy_id})",
-#           msg: e.inspect,
-#           kitten: kitten,
-#           data: e.backtrace,
-#           debug: true
-#         )
+          sendAdminSlack("Grooming FAILED for `#{kitten.mu_name}` with `#{e.message}` :crying_cat_face:", msg: e.backtrace.join("\n"))
+         sendAdminMail("Grooming FAILED for #{kitten.mu_name} on #{MU.appname} \"#{MU.handle}\" (#{MU.deploy_id})",
+           msg: e.inspect,
+           data: e.backtrace,
+           debug: true
+         )
           raise e if reraise_fail
         else
           MU.log "Grooming of #{kitten.mu_name} interrupted by cleanup or planned reboot"
@@ -761,7 +888,7 @@ module MU
         return
       end
 
-      if !@deployment['servers'].nil?
+      if !@deployment['servers'].nil? and !sync_wait
         syncLitter(@deployment["servers"].keys, triggering_node: kitten)
       end
       MU::MommaCat.unlock(cloud_id+"-mommagroom")
@@ -770,12 +897,12 @@ module MU
       end
       MU::MommaCat.getLitter(MU.deploy_id, use_cache: false)
       MU::MommaCat.syncMonitoringConfig(false)
-      MU::MommaCat.createStandardTags(cloud_id, region: kitten.config["region"])
       MU.log "Grooming complete for '#{name}' mu_name on \"#{MU.handle}\" (#{MU.deploy_id})"
-      FileUtils.touch("/opt/mu/var/deployments/#{MU.deploy_id}/#{name}_done.txt")
+      FileUtils.touch(MU.dataDir+"/deployments/#{MU.deploy_id}/#{name}_done.txt")
       MU::MommaCat.unlockAll
       if first_groom
-        sendAdminMail("Grooming complete for '#{name}' (#{mu_name}) on deploy \"#{MU.handle}\" (#{MU.deploy_id})", kitten: kitten)
+        sendAdminSlack("Grooming complete for #{mu_name} :heart_eyes_cat:")
+        sendAdminMail("Grooming complete for '#{name}' (#{mu_name}) on deploy \"#{MU.handle}\" (#{MU.deploy_id})")
       end
       return
     end
@@ -797,7 +924,7 @@ module MU
           ssh_dir.chown(Etc.getpwnam(@mu_user).uid, Etc.getpwnam(@mu_user).gid)
         end
       end
-      if !File.exists?("#{ssh_dir}/#{@ssh_key_name}")
+      if !File.exist?("#{ssh_dir}/#{@ssh_key_name}")
         MU.log "Generating SSH key #{@ssh_key_name}"
         %x{/usr/bin/ssh-keygen -N "" -f #{ssh_dir}/#{@ssh_key_name}}
       end
@@ -811,6 +938,7 @@ module MU
         ["servers", "server_pools", "container_clusters"].each { |type|
           next if @original_config[type].nil?
           @original_config[type].each { |descriptor|
+            next if descriptor['cloud'] != "AWS"
             if descriptor['credentials']
               creds_used << descriptor['credentials']
             else
@@ -836,10 +964,9 @@ module MU
         # in lock() or unlock(). We can't just wrap our iterator block in a
         # semaphore here, because we're calling another method that uses the
         # same semaphore.
-        lock_copy = nil
         @lock_semaphore.synchronize {
           delete_list = []
-          @locks[Thread.current.object_id].each_pair { |id, fh|
+          @locks[Thread.current.object_id].keys.each { |id|
             MU.log "Releasing lock on #{deploy_dir(MU.deploy_id)}/locks/#{id}.lock (thread #{Thread.current.object_id})", MU::DEBUG
             begin
               @locks[Thread.current.object_id][id].flock(File::LOCK_UN)
@@ -895,7 +1022,7 @@ module MU
         else
           @locks[Thread.current.object_id][id].flock(File::LOCK_EX)
         end
-      rescue IOError => e
+      rescue IOError
         raise MU::BootstrapTempFail, "Interrupted waiting for lock on thread #{Thread.current.object_id}, probably just a node rebooting as part of a synchronous install"
       end
       MU.log "Lock on #{lockdir}/#{id}.lock on thread #{Thread.current.object_id} acquired", MU::DEBUG
@@ -940,11 +1067,11 @@ module MU
       path = File.expand_path(MU.dataDir+"/deployments")
       if Dir.exist?(path+"/"+deploy_id)
         unlockAll
-        MU.log "Purging #{path}/#{deploy_id}" if File.exists?(path+"/"+deploy_id+"/deployment.json")
+        MU.log "Purging #{path}/#{deploy_id}" if File.exist?(path+"/"+deploy_id+"/deployment.json")
 
         FileUtils.rm_rf(path+"/"+deploy_id, :secure => true)
       end
-      if File.exists?(path+"/unique_ids")
+      if File.exist?(path+"/unique_ids")
         File.open(path+"/unique_ids", File::CREAT|File::RDWR, 0600) { |f|
           newlines = []
           f.flock(File::LOCK_EX)
@@ -973,10 +1100,9 @@ module MU
       MU::MommaCat.lock("clean-terminated-instances", false, true)
       MU.log "Checking for harvested instances in need of cleanup", MU::DEBUG
       parent_thread_id = Thread.current.object_id
-      cleanup_threads = []
       purged = 0
       MU::MommaCat.listDeploys.each { |deploy_id|
-        next if File.exists?(deploy_dir(deploy_id)+"/.cleanup")
+        next if File.exist?(deploy_dir(deploy_id)+"/.cleanup")
         MU.log "Checking for dead wood in #{deploy_id}", MU::DEBUG
         @cleanup_threads << Thread.new {
           MU.dupGlobals(parent_thread_id)
@@ -984,32 +1110,35 @@ module MU
           deploy = MU::MommaCat.getLitter(deploy_id, set_context_to_me: true, use_cache: false)
           purged_this_deploy = 0
           if deploy.kittens.has_key?("servers")
-            deploy.kittens["servers"].each_pair { |nodeclass, servers|
-              deletia = []
-              servers.each_pair { |mu_name, server|
-                server.describe
-                if !server.cloud_id
-                  MU.log "Checking for deletion of #{mu_name}, but unable to fetch its cloud_id", MU::WARN, details: server
-                elsif !server.active?
-                  next if File.exists?(deploy_dir(deploy_id)+"/.cleanup-"+server.cloud_id)
-                  deletia << mu_name
-                  MU.log "Deleting #{server} (#{nodeclass}), formerly #{server.cloud_id}", MU::NOTICE
-                  begin
-                    server.destroy
-                    deploy.sendAdminMail("Retired terminated node #{mu_name}", kitten: server)
-                  rescue Exception => e
-                    MU.log "Saw #{e.message} while retiring #{mu_name}", MU::ERR, details: e.backtrace
-                    next
+            deploy.kittens["servers"].values.each { |nodeclasses|
+              nodeclasses.each_pair { |nodeclass, servers|
+                deletia = []
+                servers.each_pair { |mu_name, server|
+                  server.describe
+                  if !server.cloud_id
+                    MU.log "Checking for presence of #{mu_name}, but unable to fetch its cloud_id", MU::WARN, details: server
+                  elsif !server.active?
+                    next if File.exist?(deploy_dir(deploy_id)+"/.cleanup-"+server.cloud_id)
+                    deletia << mu_name
+                    MU.log "Cleaning up metadata for #{server} (#{nodeclass}), formerly #{server.cloud_id}, which appears to have been terminated", MU::NOTICE
+                    begin
+                      server.destroy
+                      deploy.sendAdminMail("Retired metadata for terminated node #{mu_name}")
+                      deploy.sendAdminSlack("Retired metadata for terminated node `#{mu_name}`")
+                    rescue Exception => e
+                      MU.log "Saw #{e.message} while retiring #{mu_name}", MU::ERR, details: e.backtrace
+                      next
+                    end
+                    MU.log "Cleanup of metadata for #{server} (#{nodeclass}), formerly #{server.cloud_id} complete", MU::NOTICE
+                    purged = purged + 1
+                    purged_this_deploy = purged_this_deploy + 1
                   end
-                  MU.log "Deletion of #{server} (#{nodeclass}), formerly #{server.cloud_id} complete", MU::NOTICE
-                  purged = purged + 1
-                  purged_this_deploy = purged_this_deploy + 1
+                }
+                if purged_this_deploy > 0
+                  # XXX some kind of filter (obey sync_siblings on nodes' configs)
+                  deploy.syncLitter(servers.keys)
                 end
               }
-              if purged_this_deploy > 0
-                # XXX some kind of filter (obey sync_siblings on nodes' configs)
-                deploy.syncLitter(servers.keys)
-              end
             }
           end
           MU.purgeGlobals
@@ -1029,6 +1158,7 @@ module MU
       MU::MommaCat.unlock("clean-terminated-instances", true)
     end
 
+    @@dummy_cache = {}
 
     # Locate a resource that's either a member of another deployment, or of no
     # deployment at all, and return a {MU::Cloud} object for it.
@@ -1045,7 +1175,8 @@ module MU
     # @param dummy_ok [Boolean]: Permit return of a faked {MU::Cloud} object if we don't have enough information to identify a real live one.
     # @param flags [Hash]: Other cloud or resource type specific options to pass to that resource's find() method
     # @return [Array<MU::Cloud>]
-    def self.findStray(cloud,
+    def self.findStray(
+        cloud,
         type,
         deploy_id: nil,
         name: nil,
@@ -1058,18 +1189,31 @@ module MU
         allow_multi: false,
         calling_deploy: MU.mommacat,
         flags: {},
+        habitats: [],
         dummy_ok: false,
         debug: false
-    )
+    ) 
+      start = Time.now
+      callstr = "findStray(cloud: #{cloud}, type: #{type}, deploy_id: #{deploy_id}, calling_deploy: #{calling_deploy.deploy_id if !calling_deploy.nil?}, name: #{name}, cloud_id: #{cloud_id}, tag_key: #{tag_key}, tag_value: #{tag_value}, credentials: #{credentials}, habitats: #{habitats ? habitats.to_s : "[]"}, dummy_ok: #{dummy_ok.to_s}, flags: #{flags.to_s}) from #{caller[0]}"
+      callstack = caller.dup
+
       return nil if cloud == "CloudFormation" and !cloud_id.nil?
+      shortclass, _cfg_name, cfg_plural, classname, _attrs = MU::Cloud.getResourceNames(type)
+      if !MU::Cloud.supportedClouds.include?(cloud) or shortclass.nil?
+        MU.log "findStray was called with bogus cloud argument '#{cloud}'", MU::WARN, details: callstr
+        return nil
+      end
+
       begin
+        # TODO this is dumb as hell, clean this up.. and while we're at it
+        # .dup everything so we don't mangle referenced values from the caller
         deploy_id = deploy_id.to_s if deploy_id.class.to_s == "MU::Config::Tail"
         name = name.to_s if name.class.to_s == "MU::Config::Tail"
         cloud_id = cloud_id.to_s if !cloud_id.nil?
         mu_name = mu_name.to_s if mu_name.class.to_s == "MU::Config::Tail"
         tag_key = tag_key.to_s if tag_key.class.to_s == "MU::Config::Tail"
         tag_value = tag_value.to_s if tag_value.class.to_s == "MU::Config::Tail"
-        shortclass, cfg_name, cfg_plural, classname, attrs = MU::Cloud.getResourceNames(type)
+        type = cfg_plural
         resourceclass = MU::Cloud.loadCloudType(cloud, shortclass)
         cloudclass = Object.const_get("MU").const_get("Cloud").const_get(cloud)
 
@@ -1097,11 +1241,11 @@ module MU
         end
         loglevel = debug ? MU::NOTICE : MU::DEBUG
 
-        MU.log "findStray(cloud: #{cloud}, type: #{type}, deploy_id: #{deploy_id}, calling_deploy: #{calling_deploy.deploy_id if !calling_deploy.nil?}, name: #{name}, cloud_id: #{cloud_id}, tag_key: #{tag_key}, tag_value: #{tag_value}, credentials: #{credentials})", loglevel, details: flags
+        MU.log callstr, loglevel, details: caller
 
         # See if the thing we're looking for is a member of the deploy that's
         # asking after it.
-        if !deploy_id.nil? and !calling_deploy.nil? and flags.empty? and
+        if !deploy_id.nil? and !calling_deploy.nil? and
             calling_deploy.deploy_id == deploy_id and (!name.nil? or !mu_name.nil?)
           handle = calling_deploy.findLitterMate(type: type, name: name, mu_name: mu_name, cloud_id: cloud_id, credentials: credentials)
           return [handle] if !handle.nil?
@@ -1109,23 +1253,61 @@ module MU
 
         kittens = {}
         # Search our other deploys for matching resources
-        if (deploy_id or name or mu_name or cloud_id)# and flags.empty?
+        if (deploy_id or name or mu_name or cloud_id)
+          MU.log "findStray: searching my deployments (#{cfg_plural}, name: #{name}, deploy_id: #{deploy_id}, mu_name: #{mu_name}) - #{sprintf("%.2fs", (Time.now-start))}", loglevel
+
+          # Check our in-memory cache of live deploys before resorting to
+          # metadata
+          littercache = nil
+          # Sometimes we're called inside a locked thread, sometimes not. Deal
+          # with locking gracefully.
+          begin
+            @@litter_semaphore.synchronize {
+              littercache = @@litters.dup
+            }
+          rescue ThreadError => e
+            raise e if !e.message.match(/recursive locking/)
+            littercache = @@litters.dup
+          end
+
+          littercache.each_pair { |cur_deploy, momma|
+            next if deploy_id and deploy_id != cur_deploy
+            
+            straykitten = momma.findLitterMate(type: type, cloud_id: cloud_id, name: name, mu_name: mu_name, credentials: credentials, created_only: true)
+            if straykitten
+              MU.log "Found matching kitten #{straykitten.mu_name} in-memory - #{sprintf("%.2fs", (Time.now-start))}", loglevel
+              # Peace out if we found the exact resource we want
+              if cloud_id and straykitten.cloud_id.to_s == cloud_id.to_s
+                return [straykitten]
+              elsif mu_name and straykitten.mu_name == mu_name
+                return [straykitten]
+              else
+                kittens[straykitten.cloud_id] ||= straykitten
+              end
+            end
+          }
+
           mu_descs = MU::MommaCat.getResourceMetadata(cfg_plural, name: name, deploy_id: deploy_id, mu_name: mu_name)
+          MU.log "findStray: #{mu_descs.size.to_s} deploys had matches - #{sprintf("%.2fs", (Time.now-start))}", loglevel
 
-          mu_descs.each_pair { |deploy_id, matches|
-            MU.log "findStray: #{deploy_id} had #{matches.size.to_s} initial matches", loglevel
+          mu_descs.each_pair { |cur_deploy_id, matches|
+            MU.log "findStray: #{cur_deploy_id} had #{matches.size.to_s} initial matches - #{sprintf("%.2fs", (Time.now-start))}", loglevel
             next if matches.nil? or matches.size == 0
-            momma = MU::MommaCat.getLitter(deploy_id)
-            straykitten = nil
 
+            momma = MU::MommaCat.getLitter(cur_deploy_id)
+
+            straykitten = nil
 
             # If we found exactly one match in this deploy, use its metadata to
             # guess at resource names we weren't told.
-            if matches.size == 1 and name.nil? and mu_name.nil?
+            if matches.size > 1 and cloud_id
+              MU.log "findStray: attempting to narrow down multiple matches with cloud_id #{cloud_id} - #{sprintf("%.2fs", (Time.now-start))}", loglevel
+              straykitten = momma.findLitterMate(type: type, cloud_id: cloud_id, credentials: credentials, created_only: true)
+            elsif matches.size == 1 and name.nil? and mu_name.nil?
               if cloud_id.nil?
                 straykitten = momma.findLitterMate(type: type, name: matches.first["name"], cloud_id: matches.first["cloud_id"], credentials: credentials)
               else
-                MU.log "findStray: attempting to narrow down with cloud_id #{cloud_id}", loglevel
+                MU.log "findStray: fetching single match with cloud_id #{cloud_id} - #{sprintf("%.2fs", (Time.now-start))}", loglevel
                 straykitten = momma.findLitterMate(type: type, name: matches.first["name"], cloud_id: cloud_id, credentials: credentials)
               end
 #            elsif !flags.nil? and !flags.empty? # XXX eh, maybe later
@@ -1146,16 +1328,17 @@ module MU
             end
 
             next if straykitten.nil?
+            straykitten.intoDeploy(momma)
 
             if straykitten.cloud_id.nil?
               MU.log "findStray: kitten #{straykitten.mu_name} came back with nil cloud_id", MU::WARN
               next
             end
 
-            kittens[straykitten.cloud_id] = straykitten
+            kittens[straykitten.cloud_id] ||= straykitten
 
             # Peace out if we found the exact resource we want
-            if cloud_id and straykitten.cloud_id == cloud_id
+            if cloud_id and straykitten.cloud_id.to_s == cloud_id.to_s
               return [straykitten]
             # ...or if we've validated our one possible match
             elsif !cloud_id and mu_descs.size == 1 and matches.size == 1
@@ -1186,87 +1369,208 @@ module MU
         found_the_thing = false
         credlist.each { |creds|
           break if found_the_thing
-          if cloud_id or (tag_key and tag_value) or !flags.empty?
-            regions = []
-            begin
-              if region
-                regions << region
-              else
-                regions = cloudclass.listRegions(credentials: creds)
-              end
+          if cloud_id or (tag_key and tag_value) or !flags.empty? or allow_multi
+
+            regions = begin
+              region ? [region] : cloudclass.listRegions(credentials: creds)
             rescue NoMethodError # Not all cloud providers have regions
-              regions = [""]
+              [nil]
             end
 
-            if cloud == "Google" and ["vpcs", "firewall_rules"].include?(cfg_plural)
+            # ..not all resource types care about regions either
+            if resourceclass.isGlobal?
               regions = [nil]
             end
 
-            cloud_descs = {}
-            regions.each { |r|
-              cloud_descs[r] = resourceclass.find(cloud_id: cloud_id, region: r, tag_key: tag_key, tag_value: tag_value, flags: flags, credentials: creds)
-              # Stop if you found the thing
-              if cloud_id and cloud_descs[r] and !cloud_descs[r].empty?
-                found_the_thing = true
-                break
+            # Decide what habitats (accounts/projects/subscriptions) we'll
+            # search, if applicable for this resource type.
+            habitats ||= []
+            begin
+              if flags["project"] # backwards-compat
+                habitats << flags["project"]
               end
-            }
-            regions.each { |r|
-              next if cloud_descs[r].nil?
-              cloud_descs[r].each_pair { |kitten_cloud_id, descriptor|
-                # We already have a MU::Cloud object for this guy, use it
-                if kittens.has_key?(kitten_cloud_id)
-                  matches << kittens[kitten_cloud_id]
-                elsif kittens.size == 0
-                  if !dummy_ok
-                    next
+              if habitats.empty?
+                if resourceclass.canLiveIn.include?(nil)
+                  habitats << nil
+                end
+                if resourceclass.canLiveIn.include?(:Habitat)
+                  habitats.concat(cloudclass.listProjects(creds))
+                end
+              end
+            rescue NoMethodError # we only expect this to work on Google atm
+            end
+
+            if habitats.empty?
+              habitats << nil
+            end
+            habitats.uniq!
+
+            habitat_threads = []
+            desc_semaphore = Mutex.new
+
+            cloud_descs = {}
+            habitats.each { |hab|
+              begin
+                habitat_threads.each { |t| t.join(0.1) }
+                habitat_threads.reject! { |t| t.nil? or !t.status }
+                sleep 1 if habitat_threads.size > 5
+              end while habitat_threads.size > 5
+              habitat_threads << Thread.new(hab) { |p|
+                MU.log "findStray: Searching #{p} (#{habitat_threads.size.to_s} habitat threads running) - #{sprintf("%.2fs", (Time.now-start))}", loglevel
+                cloud_descs[p] = {}
+                region_threads = []
+                regions.each { |reg| region_threads << Thread.new(reg) { |r|
+                  MU.log "findStray: Searching #{r} in #{p} (#{region_threads.size.to_s} region threads running) - #{sprintf("%.2fs", (Time.now-start))}", loglevel
+                  MU.log "findStray: calling #{classname}.find(cloud_id: #{cloud_id}, region: #{r}, tag_key: #{tag_key}, tag_value: #{tag_value}, flags: #{flags}, credentials: #{creds}, project: #{p}) - #{sprintf("%.2fs", (Time.now-start))}", loglevel
+begin
+                  found = resourceclass.find(cloud_id: cloud_id, region: r, tag_key: tag_key, tag_value: tag_value, flags: flags, credentials: creds, habitat: p)
+                  MU.log "findStray: #{found ? found.size.to_s : "nil"} results - #{sprintf("%.2fs", (Time.now-start))}", loglevel
+rescue Exception => e
+MU.log "#{e.class.name} THREW A FIND EXCEPTION "+e.message, MU::WARN, details: caller
+pp e.backtrace
+MU.log "#{callstr}", MU::WARN, details: callstack
+exit
+end
+                  if found
+                    desc_semaphore.synchronize {
+                      cloud_descs[p][r] = found
+                    }
+                  end
+                  # Stop if you found the thing by a specific cloud_id
+                  if cloud_id and found and !found.empty?
+                    found_the_thing = true
+                    Thread.exit
+                  end
+                } }
+                begin
+                  region_threads.each { |t| t.join(0.1) }
+                  region_threads.reject! { |t| t.nil? or !t.status }
+                  if region_threads.size > 0
+                    MU.log "#{region_threads.size.to_s} regions still running in #{p}", loglevel
+                    sleep 3
                   end
-                  # If we don't have a MU::Cloud object, manufacture a dummy one.
-                  # Give it a fake name if we have to and have decided that's ok.
-                  if (name.nil? or name.empty?)
+                end while region_threads.size > 0
+              }
+            }
+            begin
+              habitat_threads.each { |t| t.join(0.1) }
+              habitat_threads.reject! { |t| t.nil? or !t.status }
+              if habitat_threads.size > 0
+                MU.log "#{habitat_threads.size.to_s} habitats still running", loglevel
+                sleep 3
+              end
+            end while habitat_threads.size > 0
+
+            habitat_threads = []
+            habitats.each { |hab| habitat_threads << Thread.new(hab) { |p|
+              region_threads = []
+              regions.each { |reg| region_threads << Thread.new(reg) { |r|
+                next if cloud_descs[p][r].nil?
+                cloud_descs[p][r].each_pair { |kitten_cloud_id, descriptor|
+
+                  # We already have a MU::Cloud object for this guy, use it
+                  if kittens.has_key?(kitten_cloud_id)
+                    desc_semaphore.synchronize {
+                      matches << kittens[kitten_cloud_id]
+                    }
+                  elsif kittens.size == 0
                     if !dummy_ok
-                      MU.log "Found cloud provider data for #{cloud} #{type} #{kitten_cloud_id}, but without a name I can't manufacture a proper #{type} object to return", loglevel, details: caller
                       next
-                    else
-                      if !mu_name.nil?
-                        name = mu_name
-                      elsif !tag_value.nil?
-                        name = tag_value
+                    end
+
+                    # If we don't have a MU::Cloud object, manufacture a dummy
+                    # one.  Give it a fake name if we have to and have decided
+                    # that's ok. Wild inferences from the cloud descriptor are
+                    # ok to try here.
+                    use_name = if (name.nil? or name.empty?)
+                      if !dummy_ok
+                        nil
+                      elsif !mu_name.nil?
+                        mu_name
                       else
-                        name = kitten_cloud_id
+                        try = nil
+                        [:display_name, :name, (resourceclass.cfg_name+"_name").to_sym].each { |field|
+                          if descriptor.respond_to?(field) and descriptor.send(field).is_a?(String)
+                            try = descriptor.send(field)
+                            break
+                          end
+
+                        }
+                        try ||= if !tag_value.nil?
+                            tag_value
+                          else
+                            kitten_cloud_id
+                          end
+                        try
                       end
+                    else
+                      name
                     end
-                  end
-                  cfg = {
-                    "name" => name,
-                    "cloud" => cloud,
-                    "region" => r,
-                    "credentials" => creds
-                  }
-                  # If we can at least find the config from the deploy this will
-                  # belong with, use that, even if it's an ungroomed resource.
-                  if !calling_deploy.nil? and
-                     !calling_deploy.original_config.nil? and
-                     !calling_deploy.original_config[type+"s"].nil?
-                    calling_deploy.original_config[type+"s"].each { |s|
-                      if s["name"] == name
-                        cfg = s.dup
-                        break
-                      end
+                    if use_name.nil?
+                      MU.log "Found cloud provider data for #{cloud} #{type} #{kitten_cloud_id}, but without a name I can't manufacture a proper #{type} object to return - #{sprintf("%.2fs", (Time.now-start))}", loglevel, details: caller
+                      next
+                    end
+                    cfg = {
+                      "name" => use_name,
+                      "cloud" => cloud,
+                      "credentials" => creds
                     }
+                    if !r.nil? and !resourceclass.isGlobal?
+                     cfg["region"] = r
+                    end
 
-                    matches << resourceclass.new(mommacat: calling_deploy, kitten_cfg: cfg, cloud_id: kitten_cloud_id)
-                  else
-                    matches << resourceclass.new(mu_name: name, kitten_cfg: cfg, cloud_id: kitten_cloud_id.to_s)
+                    if !p.nil? and resourceclass.canLiveIn.include?(:Habitat)
+                      cfg["project"] = p
+                    end
+                    # If we can at least find the config from the deploy this will
+                    # belong with, use that, even if it's an ungroomed resource.
+                    if !calling_deploy.nil? and
+                       !calling_deploy.original_config.nil? and
+                       !calling_deploy.original_config[type+"s"].nil?
+                      calling_deploy.original_config[type+"s"].each { |s|
+                        if s["name"] == use_name
+                          cfg = s.dup
+                          break
+                        end
+                      }
+
+                      newkitten = resourceclass.new(mommacat: calling_deploy, kitten_cfg: cfg, cloud_id: kitten_cloud_id)
+                      desc_semaphore.synchronize {
+                        matches << newkitten
+                      }
+                    else
+                      if !@@dummy_cache[cfg_plural] or !@@dummy_cache[cfg_plural][cfg.to_s]
+                        MU.log "findStray: Generating dummy '#{resourceclass.to_s}' cloudobj with name: #{use_name}, cloud_id: #{kitten_cloud_id.to_s} - #{sprintf("%.2fs", (Time.now-start))}", loglevel, details: cfg
+                        resourceclass.new(mu_name: use_name, kitten_cfg: cfg, cloud_id: kitten_cloud_id.to_s, from_cloud_desc: descriptor)
+                        desc_semaphore.synchronize {
+                          @@dummy_cache[cfg_plural] ||= {}
+                          @@dummy_cache[cfg_plural][cfg.to_s] = resourceclass.new(mu_name: use_name, kitten_cfg: cfg, cloud_id: kitten_cloud_id.to_s, from_cloud_desc: descriptor)
+                          MU.log "findStray: Finished generating dummy '#{resourceclass.to_s}' cloudobj - #{sprintf("%.2fs", (Time.now-start))}", loglevel
+                        }
+                      end
+                      desc_semaphore.synchronize {
+                        matches << @@dummy_cache[cfg_plural][cfg.to_s]
+                      }
+                    end
                   end
-                end
+                }
+              } }
+              MU.log "findStray: tying up #{region_threads.size.to_s} region threads - #{sprintf("%.2fs", (Time.now-start))}", loglevel
+              region_threads.each { |t|
+                t.join
               }
+            } }
+            MU.log "findStray: tying up #{habitat_threads.size.to_s} habitat threads - #{sprintf("%.2fs", (Time.now-start))}", loglevel
+            habitat_threads.each { |t|
+              t.join
             }
           end
         }
       rescue Exception => e
         MU.log e.inspect, MU::ERR, details: e.backtrace
       end
+      MU.log "findStray: returning #{matches.size.to_s} matches - #{sprintf("%.2fs", (Time.now-start))}", loglevel
+
       matches
     end
 
@@ -1278,19 +1582,47 @@ module MU
     # @param created_only [Boolean]: Only return the littermate if its cloud_id method returns a value
     # @param return_all [Boolean]: Return a Hash of matching objects indexed by their mu_name, instead of a single match. Only valid for resource types where has_multiples is true.
     # @return [MU::Cloud]
-    def findLitterMate(type: nil, name: nil, mu_name: nil, cloud_id: nil, created_only: false, return_all: false, credentials: nil)
+    def findLitterMate(type: nil, name: nil, mu_name: nil, cloud_id: nil, created_only: false, return_all: false, credentials: nil, habitat: nil, debug: false, indent: "")
       shortclass, cfg_name, cfg_plural, classname, attrs = MU::Cloud.getResourceNames(type)
       type = cfg_plural
       has_multiples = attrs[:has_multiples]
 
+      loglevel = debug ? MU::NOTICE : MU::DEBUG
+
+      argstring = [:type, :name, :mu_name, :cloud_id, :created_only, :credentials, :habitat, :has_multiples].reject { |a|
+        binding.local_variable_get(a).nil?
+      }.map { |v|
+        v.to_s+": "+binding.local_variable_get(v).to_s
+      }.join(", ")
+
+      # Fun times: if we specified a habitat, which we may also have done by
+      # its shorthand sibling name, let's... call ourselves first to make sure
+      # we're fishing for the right thing.
+      if habitat
+        MU.log indent+"findLitterMate(#{argstring}): Attempting to resolve habitat name #{habitat}", loglevel
+        realhabitat = findLitterMate(type: "habitat", name: habitat, debug: debug, credentials: credentials, indent: indent+"  ")
+        if realhabitat and realhabitat.mu_name
+          MU.log indent+"findLitterMate: Resolved habitat name #{habitat} to #{realhabitat.mu_name}", loglevel, details: [realhabitat.mu_name, realhabitat.cloud_id, realhabitat.config.keys]
+          habitat = realhabitat.cloud_id
+        elsif debug
+          MU.log indent+"findLitterMate(#{argstring}): Failed to resolve habitat name #{habitat}", MU::WARN
+        end
+      end
+
+
       @kitten_semaphore.synchronize {
         if !@kittens.has_key?(type)
+          if debug
+            MU.log indent+"NO SUCH KEY #{type} findLitterMate(#{argstring})", MU::WARN, details: @kittens.keys
+          end
           return nil
         end
-        MU.log "findLitterMate(type: #{type}, name: #{name}, mu_name: #{mu_name}, cloud_id: #{cloud_id}, created_only: #{created_only}, credentials: #{credentials}). has_multiples is #{attrs[:has_multiples].to_s}. Caller: #{caller[2]}", MU::DEBUG, details: @kittens.keys.map { |k| k.to_s+": "+@kittens[k].keys.join(", ") }
+        MU.log indent+"START findLitterMate(#{argstring}), caller: #{caller[2]}", loglevel, details: @kittens[type].keys.map { |hab| hab.to_s+": "+@kittens[type][hab].keys.join(", ") }
         matches = []
 
-        @kittens[type].each { |sib_class, data|
+        @kittens[type].each { |habitat_group, sib_classes|
+          next if habitat and habitat_group != habitat
+          sib_classes.each_pair { |sib_class, data|
           virtual_name = nil
 
           if !has_multiples and data and !data.is_a?(Hash) and data.config and data.config.is_a?(Hash) and data.config['virtual_name'] and name == data.config['virtual_name']
@@ -1301,14 +1633,13 @@ module MU
           if has_multiples
             if !name.nil?
               if return_all
+                MU.log indent+"MULTI-MATCH RETURN_ALL findLitterMate(#{argstring})", loglevel, details: data.keys
                 return data.dup
               end
               if data.size == 1 and (cloud_id.nil? or data.values.first.cloud_id == cloud_id)
-                obj = data.values.first
-                return obj
+                return data.values.first
               elsif mu_name.nil? and cloud_id.nil?
-                obj = data.values.first
-                MU.log "#{@deploy_id}: Found multiple matches in findLitterMate based on #{type}: #{name}, and not enough info to narrow down further. Returning an arbitrary result. Caller: #{caller[2]}", MU::WARN, details: data.keys
+                MU.log indent+"#{@deploy_id}: Found multiple matches in findLitterMate based on #{type}: #{name}, and not enough info to narrow down further. Returning an arbitrary result. Caller: #{caller[2]}", MU::WARN, details: data.keys
                 return data.values.first
               end
             end
@@ -1318,20 +1649,35 @@ module MU
                   (!credentials.nil? and credentials == obj.credentials)
                 if !created_only or !obj.cloud_id.nil?
                   if return_all
+                    MU.log indent+"MULTI-MATCH RETURN_ALL findLitterMate(#{argstring})", loglevel, details: data.keys
                     return data.dup
                   else
+                    MU.log indent+"MULTI-MATCH findLitterMate(#{argstring})", loglevel, details: data.keys
                     return obj
                   end
                 end
               end
             }
           else
-            if (name.nil? or sib_class == name or virtual_name == name) and
-                (cloud_id.nil? or cloud_id == data.cloud_id) and
-                (credentials.nil? or data.credentials.nil? or credentials == data.credentials)
-              matches << data if !created_only or !data.cloud_id.nil?
+
+            MU.log indent+"CHECKING AGAINST findLitterMate #{habitat_group}/#{type}/#{sib_class} data.cloud_id: #{data.cloud_id}, data.credentials: #{data.credentials}, sib_class: #{sib_class}, virtual_name: #{virtual_name}", loglevel, details: argstring
+
+            data_cloud_id = data.cloud_id.nil? ? nil : data.cloud_id.to_s
+
+            MU.log indent+"(name.nil? or sib_class == name or virtual_name == name)", loglevel, details: (name.nil? or sib_class == name or virtual_name == name).to_s
+            MU.log indent+"(cloud_id.nil? or cloud_id[#{cloud_id.class.name}:#{cloud_id.to_s}] == data_cloud_id[#{data_cloud_id.class.name}:#{data_cloud_id}])", loglevel, details: (cloud_id.nil? or cloud_id == data_cloud_id).to_s
+            MU.log indent+"(credentials.nil? or data.credentials.nil? or credentials[#{credentials.class.name}:#{credentials}] == data.credentials[#{data.credentials.class.name}:#{data.credentials}])", loglevel, details: (credentials.nil? or data.credentials.nil? or credentials == data.credentials).to_s
+
+            if (name.nil? or sib_class == name.to_s or virtual_name == name.to_s) and
+                (cloud_id.nil? or cloud_id.to_s == data_cloud_id) and
+                (credentials.nil? or data.credentials.nil? or credentials.to_s == data.credentials.to_s)
+              if !created_only or !data_cloud_id.nil?
+                MU.log indent+"SINGLE MATCH findLitterMate(#{argstring})", loglevel, details: [data.mu_name, data_cloud_id, data.config.keys]
+                matches << data
+              end
             end
           end
+          }
         }
 
         return matches.first if matches.size == 1
@@ -1340,6 +1686,7 @@ module MU
         end
       }
 
+      MU.log indent+"NO MATCH findLitterMate(#{argstring})", loglevel
 
       return nil
     end
@@ -1354,11 +1701,20 @@ module MU
     def notify(type, key, data, mu_name: nil, remove: false, triggering_node: nil, delayed_save: false)
       return if @no_artifacts
       MU::MommaCat.lock("deployment-notification")
-      loadDeploy(true) # make sure we're saving the latest and greatest
-      have_deploy = true
-      shortclass, cfg_name, cfg_plural, classname, attrs = MU::Cloud.getResourceNames(type)
-      type = cfg_plural
-      has_multiples = attrs[:has_multiples]
+
+      if !@need_deploy_flush or @deployment.nil? or @deployment.empty?
+        loadDeploy(true) # make sure we're saving the latest and greatest
+      end
+
+      _shortclass, _cfg_name, cfg_plural, _classname, attrs = MU::Cloud.getResourceNames(type)
+      has_multiples = false
+
+      # it's not always the case that we're logging data for a legal resource
+      # type, though that's what we're usually for
+      if cfg_plural
+        type = cfg_plural
+        has_multiples = attrs[:has_multiples]
+      end
 
       if mu_name.nil?
         if !data.nil? and !data["mu_name"].nil?
@@ -1373,15 +1729,21 @@ module MU
         end
       end
 
+      @need_deploy_flush = true
+
       if !remove
         if data.nil?
           MU.log "MU::MommaCat.notify called to modify deployment struct, but no data provided", MU::WARN
           MU::MommaCat.unlock("deployment-notification")
           return
         end
-        @deployment[type] = {} if @deployment[type].nil?
+        @notify_semaphore.synchronize {
+          @deployment[type] ||= {}
+        }
         if has_multiples
-          @deployment[type][key] = {} if @deployment[type][key].nil?
+          @notify_semaphore.synchronize {
+            @deployment[type][key] ||= {}
+          }
           # fix has_multiples classes that weren't tiered correctly
           if @deployment[type][key].is_a?(Hash) and @deployment[type][key].has_key?("mu_name")
             olddata = @deployment[type][key].dup
@@ -1409,23 +1771,26 @@ module MU
         end
 
         if have_deploy
-          if has_multiples
-            MU.log "Removing @deployment[#{type}][#{key}][#{mu_name}]", MU::DEBUG, details: @deployment[type][key][mu_name]
-            @deployment[type][key].delete(mu_name)
-            if @deployment[type][key].size == 0
+          @notify_semaphore.synchronize {
+            if has_multiples
+              MU.log "Removing @deployment[#{type}][#{key}][#{mu_name}]", MU::DEBUG, details: @deployment[type][key][mu_name]
+              @deployment[type][key].delete(mu_name)
+              if @deployment[type][key].size == 0
+                @deployment[type].delete(key)
+              end
+            else
+              MU.log "Removing @deployment[#{type}][#{key}]", MU::DEBUG, details: @deployment[type][key]
               @deployment[type].delete(key)
             end
-          else
-            MU.log "Removing @deployment[#{type}][#{key}]", MU::DEBUG, details: @deployment[type][key]
-            @deployment[type].delete(key)
-          end
-          if @deployment[type].size == 0
-            @deployment.delete(type)
-          end
+            if @deployment[type].size == 0
+              @deployment.delete(type)
+            end
+          }
         end
         save! if !delayed_save
 
       end
+
       MU::MommaCat.unlock("deployment-notification")
     end
 
@@ -1475,51 +1840,27 @@ module MU
       end
     end
 
-    # XXX this belongs in MU::Cloud::AWS
-    # Tag a resource with all of our standard identifying tags.
-    #
-    # @param resource [String]: The cloud provider identifier of the resource to tag
-    # @param region [String]: The cloud provider region
-    # @return [void]
-    def self.createStandardTags(resource = nil, region: MU.curRegion, credentials: nil)
-      tags = []
-      listStandardTags.each_pair { |name, value|
-        if !value.nil?
-          tags << {key: name, value: value}
-        end
-      }
-      if MU::Cloud::CloudFormation.emitCloudFormation
-        return tags
-      end
-
-      attempts = 0
-      begin
-        MU::Cloud::AWS.ec2(region: region, credentials: credentials).create_tags(
-          resources: [resource],
-          tags: tags
-        )
-      rescue Aws::EC2::Errors::ServiceError => e
-        MU.log "Got #{e.inspect} tagging #{resource} in #{region}, will retry", MU::WARN, details: caller.concat(tags) if attempts > 1
-        if attempts < 5
-          attempts = attempts + 1
-          sleep 15
-          retry
-        else
-          raise e
-        end
-      end
-      MU.log "Created standard tags for resource #{resource}", MU::DEBUG, details: caller
-    end
-
     # List the name/value pairs for our mandatory standard set of resource tags, which
     # should be applied to all taggable cloud provider resources.
     # @return [Hash<String,String>]
     def self.listStandardTags
-      return {
-          "MU-ID" => MU.deploy_id,
-          "MU-APP" => MU.appname,
-          "MU-ENV" => MU.environment,
-          "MU-MASTER-IP" => MU.mu_public_ip
+      return {} if !MU.deploy_id
+      {
+        "MU-ID" => MU.deploy_id,
+        "MU-APP" => MU.appname,
+        "MU-ENV" => MU.environment,
+        "MU-MASTER-IP" => MU.mu_public_ip
+      }
+    end
+    # List the name/value pairs for our mandatory standard set of resource tags
+    # for this deploy.
+    # @return [Hash<String,String>]
+    def listStandardTags
+      {
+        "MU-ID" => @deploy_id,
+        "MU-APP" => @appname,
+        "MU-ENV" => @environment,
+        "MU-MASTER-IP" => MU.mu_public_ip
       }
     end
 
@@ -1541,7 +1882,7 @@ module MU
       sshdir = "#{@myhome}/.ssh"
       sshconf = "#{sshdir}/config"
 
-      if File.exists?(sshconf) and File.open(sshconf).read.match(/ #{node} /)
+      if File.exist?(sshconf) and File.open(sshconf).read.match(/ #{node} /)
         MU.log "Expunging old #{node} entry from #{sshconf}", MU::DEBUG
         if !@noop
           File.open(sshconf, File::CREAT|File::RDWR, 0600) { |f|
@@ -1572,8 +1913,7 @@ module MU
     # @param server [MU::Cloud::Server]: The {MU::Cloud::Server} we'll be setting up.
     # @param sync_wait [Boolean]: Whether to wait for DNS to fully synchronize before returning.
     def self.nameKitten(server, sync_wait: false)
-      node, config, deploydata = server.describe
-      nat_ssh_key, nat_ssh_user, nat_ssh_host, canonical_addr, ssh_user, ssh_key_name = server.getSSHConfig
+      node, config, _deploydata = server.describe
 
       mu_zone = nil
       # XXX GCP!
@@ -1659,9 +1999,10 @@ module MU
         MU.log "Called addHostToSSHConfig without a MU::Cloud::Server object", MU::ERR, details: caller
         return nil
       end
-      begin
-        nat_ssh_key, nat_ssh_user, nat_ssh_host, canonical_ip, ssh_user, ssh_key_name = server.getSSHConfig
-      rescue MU::MuError => e
+
+      _nat_ssh_key, nat_ssh_user, nat_ssh_host, canonical_ip, ssh_user, ssh_key_name = begin
+        server.getSSHConfig
+      rescue MU::MuError
         return
       end
 
@@ -1680,7 +2021,7 @@ module MU
 
       @ssh_semaphore.synchronize {
 
-        if File.exists?(ssh_conf)
+        if File.exist?(ssh_conf)
           File.readlines(ssh_conf).each { |line|
             if line.match(/^Host #{server.mu_name} /)
               MU.log("Attempt to add duplicate #{ssh_conf} entry for #{server.mu_name}", MU::WARN)
@@ -1753,7 +2094,6 @@ module MU
     # @param system_name [String]: The node's local system name
     # @return [void]
     def self.addInstanceToEtcHosts(public_ip, chef_name = nil, system_name = nil)
-      return if !["mu", "root"].include?(MU.mu_user)
 
       # XXX cover ipv6 case
       if public_ip.nil? or !public_ip.match(/^\d+\.\d+\.\d+\.\d+$/) or (chef_name.nil? and system_name.nil?)
@@ -1762,6 +2102,19 @@ module MU
       if chef_name == "localhost" or system_name == "localhost"
         raise MuError, "Can't set localhost as a name in addInstanceToEtcHosts"
       end
+
+      if !["mu", "root"].include?(MU.mu_user)
+        response = nil
+        begin
+          response = open("https://127.0.0.1:#{MU.mommaCatPort.to_s}/rest/hosts_add/#{chef_name}/#{public_ip}").read
+        rescue Errno::ECONNRESET, Errno::ECONNREFUSED
+        end
+        if response != "ok"
+          MU.log "Error adding #{public_ip} to /etc/hosts via MommaCat request", MU::ERR
+        end
+        return
+      end
+
       File.readlines("/etc/hosts").each { |line|
         if line.match(/^#{public_ip} /) or (chef_name != nil and line.match(/ #{chef_name}(\s|$)/)) or (system_name != nil and line.match(/ #{system_name}(\s|$)/))
           MU.log "Ignoring attempt to add duplicate /etc/hosts entry: #{public_ip} #{chef_name} #{system_name}", MU::DEBUG
@@ -1776,13 +2129,32 @@ module MU
       MU.log("Added to /etc/hosts: #{public_ip} #{chef_name} #{system_name}")
     end
 
-    # Send a notification to a deployment's administrators.
+
+    # Send a Slack notification to a deployment's administrators.
+    # @param subject [String]: The subject line of the message.
+    # @param msg [String]: The message body.
+    # @return [void]
+    def sendAdminSlack(subject, msg: "")
+      if $MU_CFG['slack'] and $MU_CFG['slack']['webhook'] and
+         (!$MU_CFG['slack']['skip_environments'] or !$MU_CFG['slack']['skip_environments'].any?{ |s| s.casecmp(MU.environment)==0 })
+        require 'slack-notifier'
+        slack =  Slack::Notifier.new $MU_CFG['slack']['webhook']
+
+        if msg and !msg.empty?
+          slack.ping "#{MU.appname} \*\"#{MU.handle}\"\* (`#{MU.deploy_id}`) - #{subject}:\n\n```#{msg}\n```", channel: $MU_CFG['slack']['channel']
+        else
+          slack.ping "#{MU.appname} \*\"#{MU.handle}\"\* (`#{MU.deploy_id}`) - #{subject}", channel: $MU_CFG['slack']['channel']
+        end
+      end
+    end
+
+    # Send an email notification to a deployment's administrators.
     # @param subject [String]: The subject line of the message.
     # @param msg [String]: The message body.
     # @param data [Array]: Supplemental data to add to the message body.
     # @param debug [Boolean]: If set, will include the full deployment structure and original {MU::Config}-parsed configuration.
     # @return [void]
-    def sendAdminMail(subject, msg: msg = "", kitten: nil, data: nil, debug: debug = false)
+    def sendAdminMail(subject, msg: "", kitten: nil, data: nil, debug: false)
       require 'net/smtp'
       if @deployment.nil?
         MU.log "Can't send admin mail without a loaded deployment", MU::ERR
@@ -1890,11 +2262,11 @@ MESSAGE_END
         MU.dupGlobals(parent_thread_id)
         realhome = Etc.getpwnam("nagios").dir
         [@nagios_home, "#{@nagios_home}/.ssh"].each { |dir|
-          Dir.mkdir(dir, 0711) if !Dir.exists?(dir)
+          Dir.mkdir(dir, 0711) if !Dir.exist?(dir)
           File.chown(Etc.getpwnam("nagios").uid, Etc.getpwnam("nagios").gid, dir)
         }
-        if realhome != @nagios_home and Dir.exists?(realhome) and !File.symlink?("#{realhome}/.ssh")
-          File.rename("#{realhome}/.ssh", "#{realhome}/.ssh.#{$$}") if Dir.exists?("#{realhome}/.ssh")
+        if realhome != @nagios_home and Dir.exist?(realhome) and !File.symlink?("#{realhome}/.ssh")
+          File.rename("#{realhome}/.ssh", "#{realhome}/.ssh.#{$$}") if Dir.exist?("#{realhome}/.ssh")
           File.symlink("#{@nagios_home}/.ssh", Etc.getpwnam("nagios").dir+"/.ssh")
         end
         MU.log "Updating #{@nagios_home}/.ssh/config..."
@@ -1910,12 +2282,6 @@ MESSAGE_END
         FileUtils.cp("#{@myhome}/.ssh/id_rsa", "#{@nagios_home}/.ssh/id_rsa")
         File.chown(Etc.getpwnam("nagios").uid, Etc.getpwnam("nagios").gid, "#{@nagios_home}/.ssh/id_rsa")
         threads = []
-        if !MU::Cloud::AWS.isGovCloud?
-          mu_zone = MU::Cloud::DNSZone.find(cloud_id: "platform-mu").values.first
-        end
-# XXX what if we're in GCP?
-# XXX need a MU::Cloud::DNSZone.lookup for bulk lookups
-# XXX also grab things like mu_windows_name out of deploy data if we can
 
         parent_thread_id = Thread.current.object_id
         MU::MommaCat.listDeploys.sort.each { |deploy_id|
@@ -1929,19 +2295,21 @@ MESSAGE_END
             FileUtils.cp("#{@myhome}/.ssh/#{deploy.ssh_key_name}", "#{@nagios_home}/.ssh/#{deploy.ssh_key_name}")
             File.chown(Etc.getpwnam("nagios").uid, Etc.getpwnam("nagios").gid, "#{@nagios_home}/.ssh/#{deploy.ssh_key_name}")
             if deploy.kittens.has_key?("servers")
-              deploy.kittens["servers"].each_pair { |nodeclass, nodes|
-                nodes.each_pair { |mu_name, server|
-                  MU.dupGlobals(parent_thread_id)
-                  threads << Thread.new {
-                    MU::MommaCat.setThreadContext(deploy)
-                    MU.log "Adding #{server.mu_name} to #{@nagios_home}/.ssh/config", MU::DEBUG
-                    MU::MommaCat.addHostToSSHConfig(
-                        server,
-                        ssh_dir: "#{@nagios_home}/.ssh",
-                        ssh_conf: "#{@nagios_home}/.ssh/config.tmp",
-                        ssh_owner: "nagios"
-                    )
-                    MU.purgeGlobals
+              deploy.kittens["servers"].values.each { |nodeclasses|
+                nodeclasses.values.each { |nodes|
+                  nodes.values.each { |server|
+                    MU.dupGlobals(parent_thread_id)
+                    threads << Thread.new {
+                      MU::MommaCat.setThreadContext(deploy)
+                      MU.log "Adding #{server.mu_name} to #{@nagios_home}/.ssh/config", MU::DEBUG
+                      MU::MommaCat.addHostToSSHConfig(
+                          server,
+                          ssh_dir: "#{@nagios_home}/.ssh",
+                          ssh_conf: "#{@nagios_home}/.ssh/config.tmp",
+                          ssh_owner: "nagios"
+                      )
+                      MU.purgeGlobals
+                    }
                   }
                 }
               }
@@ -1983,10 +2351,10 @@ MESSAGE_END
     # Return a list of all currently active deploy identifiers.
     # @return [Array<String>]
     def self.listDeploys
-      return [] if !Dir.exists?("#{MU.dataDir}/deployments")
+      return [] if !Dir.exist?("#{MU.dataDir}/deployments")
       deploys = []
       Dir.entries("#{MU.dataDir}/deployments").reverse_each { |muid|
-        next if !Dir.exists?("#{MU.dataDir}/deployments/#{muid}") or muid == "." or muid == ".."
+        next if !Dir.exist?("#{MU.dataDir}/deployments/#{muid}") or muid == "." or muid == ".."
         deploys << muid
       }
       return deploys
@@ -1999,7 +2367,7 @@ MESSAGE_END
       nodes = Hash.new
       MU::MommaCat.deploy_struct_semaphore.synchronize {
         MU::MommaCat.listDeploys.each { |deploy|
-          if !Dir.exists?(MU::MommaCat.deploy_dir(deploy)) or
+          if !Dir.exist?(MU::MommaCat.deploy_dir(deploy)) or
               !File.size?("#{MU::MommaCat.deploy_dir(deploy)}/deployment.json")
             MU.log "Didn't see deployment metadata for '#{deploy}'", MU::WARN
             next
@@ -2018,7 +2386,7 @@ MESSAGE_END
               }
             end
           rescue JSON::ParserError => e
-            MU.log "JSON parse failed on #{MU::MommaCat.deploy_dir(deploy)}/deployment.json", MU::ERR
+            MU.log "JSON parse failed on #{MU::MommaCat.deploy_dir(deploy)}/deployment.json", MU::ERR, details: e.message
           end
           data.flock(File::LOCK_UN)
           data.close
@@ -2084,82 +2452,25 @@ MESSAGE_END
     end
 
     # Given a Certificate Signing Request, sign it with our internal CA and
-    # writers the resulting signed certificate. Only works on local files.
+    # write the resulting signed certificate. Only works on local files.
     # @param csr_path [String]: The CSR to sign, as a file.
     def signSSLCert(csr_path, sans = [])
-      # XXX more sanity here, this feels unsafe
-      certdir = File.dirname(csr_path)
-      certname = File.basename(csr_path, ".csr")
-      if File.exists?("#{certdir}/#{certname}.crt")
-        MU.log "Not re-signing SSL certificate request #{csr_path}, #{certdir}/#{certname}.crt already exists", MU::WARN
-        return
-      end
-      MU.log "Signing SSL certificate request #{csr_path} with #{MU.mySSLDir}/Mu_CA.pem"
-
-      begin
-        csr = OpenSSL::X509::Request.new File.read csr_path
-      rescue Exception => e
-        MU.log e.message, MU::ERR, details: File.read(csr_path)
-        raise e
-      end
-      key = OpenSSL::PKey::RSA.new File.read "#{certdir}/#{certname}.key"
-
-      # Load up the Mu Certificate Authority
-      cakey = OpenSSL::PKey::RSA.new File.read "#{MU.mySSLDir}/Mu_CA.key"
-      cacert = OpenSSL::X509::Certificate.new File.read "#{MU.mySSLDir}/Mu_CA.pem"
-      cur_serial = 0
-      File.open("#{MU.mySSLDir}/serial", File::CREAT|File::RDWR, 0600) { |f|
-        f.flock(File::LOCK_EX)
-        cur_serial = f.read.chomp!.to_i
-        cur_serial = cur_serial + 1
-        f.rewind
-        f.truncate(0)
-        f.puts cur_serial
-        f.flush
-        f.flock(File::LOCK_UN)
-      }
-
-      # Create a certificate from our CSR, signed by the Mu CA
-      cert = OpenSSL::X509::Certificate.new
-      cert.serial = cur_serial
-      cert.version = 3
-      cert.not_before = Time.now
-      cert.not_after = Time.now + 180000000
-      cert.subject = csr.subject
-      cert.public_key = csr.public_key
-      cert.issuer = cacert.subject
-      if !sans.nil? and sans.size > 0
-        MU.log "Incorporting Subject Alternative Names: #{sans.join(",")}"
-        ef = OpenSSL::X509::ExtensionFactory.new
-        ef.issuer_certificate = cacert
-#v3_req_client 
-        ef.subject_certificate = cert
-        ef.subject_request = csr
-        cert.add_extension(ef.create_extension("keyUsage","nonRepudiation,digitalSignature,keyEncipherment", false))
-        cert.add_extension(ef.create_extension("subjectAltName",sans.join(","),false))
-# XXX only do this if we see the otherName thinger in the san list
-        cert.add_extension(ef.create_extension("extendedKeyUsage","clientAuth,serverAuth,codeSigning,emailProtection",false))
-      end
-      cert.sign cakey, OpenSSL::Digest::SHA256.new
-
-      open("#{certdir}/#{certname}.crt", 'w', 0644) { |io|
-        io.write cert.to_pem
-      }
-      if MU.mu_user != "mu"
-        owner_uid = Etc.getpwnam(MU.mu_user).uid
-        File.chown(owner_uid, nil, "#{certdir}/#{certname}.crt")
-      end
-
+      MU::Master::SSL.sign(csr_path, sans, for_user: MU.mu_user)
     end
 
     # Make sure deployment data is synchronized to/from each node in the
     # currently-loaded deployment.
-    def syncLitter(nodeclasses = [], triggering_node: nil, save_all_only: false)
-# XXX take some config logic to decide what nodeclasses to hit
-# XXX don't run on triggering node, duh
+    def syncLitter(nodeclasses = [], triggering_node: nil, save_only: false)
+# XXX take some config logic to decide what nodeclasses to hit? like, make
+# inferences from dependencies or something?
+
       return if MU.syncLitterThread
-      return if !Dir.exists?(deploy_dir)
+      return if !Dir.exist?(deploy_dir)
       svrs = MU::Cloud.resource_types[:Server][:cfg_plural] # legibility shorthand
+      if !triggering_node.nil? and nodeclasses.size > 0
+        nodeclasses.reject! { |n| n == triggering_node.to_s }
+        return if nodeclasses.size == 0
+      end
 
       @kitten_semaphore.synchronize {
         if @kittens.nil? or
@@ -2168,14 +2479,22 @@ MESSAGE_END
           return
         end
 
-        MU.log "Updating these siblings in #{@deploy_id}: #{nodeclasses.join(', ')}", MU::DEBUG, details: @kittens[svrs].map { |nodeclass, instance| instance.keys }
+
+        MU.log "Updating these node classes in #{@deploy_id}", MU::DEBUG, details: nodeclasses
       }
 
       update_servers = []
       if nodeclasses.nil? or nodeclasses.size == 0
         litter = findLitterMate(type: "server", return_all: true)
+        return if litter.nil?
         litter.each_pair { |mu_name, node|
-          next if !triggering_node.nil? and mu_name == triggering_node.mu_name
+          if !triggering_node.nil? and (
+               (triggering_node.is_a?(MU::Cloud::Server) and mu_name == triggering_node.mu_name) or
+               (triggering_node.is_a?(String) and mu_name == triggering_node)
+             )
+            next
+          end
+
           if !node.groomer.nil?
             update_servers << node
           end
@@ -2187,10 +2506,16 @@ MESSAGE_END
           litter.merge!(mates) if mates
         }
         litter.each_pair { |mu_name, node|
-          next if !triggering_node.nil? and mu_name == triggering_node.mu_name
+          if !triggering_node.nil? and (
+               (triggering_node.is_a?(MU::Cloud::Server) and mu_name == triggering_node.mu_name) or
+               (triggering_node.is_a?(String) and mu_name == triggering_node)
+             )
+            next
+          end
+
           if !node.deploydata or !node.deploydata.keys.include?('nodename')
             details = node.deploydata ? node.deploydata.keys : nil
-            MU.log "#{mu_name} deploy data is missing (possibly retired), not syncing it", MU::WARN, details: details
+            MU.log "#{mu_name} deploy data is missing (possibly retired or mid-bootstrap), so not syncing it", MU::WARN, details: details
           else
             update_servers << node
           end
@@ -2198,6 +2523,8 @@ MESSAGE_END
       end
       return if update_servers.size == 0
 
+      MU.log "Updating these nodes in #{@deploy_id}", MU::DEBUG, details: update_servers.map { |n| n.mu_name }
+
       update_servers.each { |node|
         # Not clear where this pollution comes from, but let's stick a temp
         # fix in here.
@@ -2210,7 +2537,7 @@ MESSAGE_END
       }
 
       # Merge everyone's deploydata together
-      if !save_all_only
+      if !save_only
         skip = []
         update_servers.each { |node|
           if node.mu_name.nil? or node.deploydata.nil? or node.config.nil?
@@ -2239,7 +2566,7 @@ MESSAGE_END
           begin
             if sibling.config['groom'].nil? or sibling.config['groom']
               sibling.groomer.saveDeployData
-              sibling.groomer.run(purpose: "Synchronizing sibling kittens") if !save_all_only
+              sibling.groomer.run(purpose: "Synchronizing sibling kittens") if !save_only
             end
           rescue MU::Groomer::RunError => e
             MU.log "Sync of #{sibling.mu_name} failed: #{e.inspect}", MU::WARN
@@ -2263,125 +2590,45 @@ MESSAGE_END
     # @param poolname [Boolean]: If true, generate certificates for the base name of the server pool of which this node is a member, rather than for the individual node
     # @param keysize [Integer]: The size of the private key to use when generating this certificate
     def nodeSSLCerts(resource, poolname = false, keysize = 4096)
-      nat_ssh_key, nat_ssh_user, nat_ssh_host, canonical_ip, ssh_user, ssh_key_name = resource.getSSHConfig if resource.respond_to?(:getSSHConfig)
+      _nat_ssh_key, _nat_ssh_user, _nat_ssh_host, canonical_ip, _ssh_user, _ssh_key_name = resource.getSSHConfig if resource.respond_to?(:getSSHConfig)
 
       deploy_id = resource.deploy_id || @deploy_id || resource.deploy.deploy_id
 
       cert_cn = poolname ? deploy_id + "-" + resource.config['name'].upcase : resource.mu_name
 
-      certs = {}
       results = {}
 
-      @node_cert_semaphore.synchronize {
-        if File.exists?("#{MU.mySSLDir}/#{cert_cn}.crt") and
-           File.exists?("#{MU.mySSLDir}/#{cert_cn}.key")
-          ext_cert = OpenSSL::X509::Certificate.new(File.read("#{MU.mySSLDir}/#{cert_cn}.crt"))
-          if ext_cert.not_after < Time.now
-            MU.log "Node certificate for #{cert_cn} is expired, regenerating", MU::WARN
-            ["crt", "key", "csr"].each { |suffix|
-              if File.exists?("#{MU.mySSLDir}/#{cert_cn}.#{suffix}")
-                File.unlink("#{MU.mySSLDir}/#{cert_cn}.#{suffix}")
-              end
-            }
-          else
-            results[cert_cn] = [
-              OpenSSL::X509::Certificate.new(File.read("#{MU.mySSLDir}/#{cert_cn}.crt")),
-              OpenSSL::PKey::RSA.new(File.read("#{MU.mySSLDir}/#{cert_cn}.key"))
-            ]
-          end
-        end
+      is_windows = (resource.respond_to?(:windows?) and resource.windows?)
 
-        if results.size == 0
-          certs[cert_cn] = {
-#            "sans" => ["IP:#{canonical_ip}"],
-            "cn" => cert_cn
-          }
-          if canonical_ip
-            certs[cert_cn]["sans"] = ["IP:#{canonical_ip}"]
+      @node_cert_semaphore.synchronize {
+        MU::Master::SSL.bootstrap
+        sans = []
+        sans << canonical_ip if canonical_ip
+        # XXX were there other names we wanted to include?
+        key = MU::Master::SSL.getKey(cert_cn, keysize: keysize)
+        cert, pfx_cert = MU::Master::SSL.getCert(cert_cn, "/CN=#{cert_cn}/O=Mu/C=US", sans: sans, pfx: is_windows)
+        results[cert_cn] = [key, cert]
+
+        winrm_cert = nil
+        if is_windows
+          winrm_key = MU::Master::SSL.getKey(cert_cn+"-winrm", keysize: keysize)
+          winrm_cert = MU::Master::SSL.getCert(cert_cn+"-winrm", "/CN=#{resource.config['windows_admin_username']}/O=Mu/C=US", sans: ["otherName:1.3.6.1.4.1.311.20.2.3;UTF8:#{resource.config['windows_admin_username']}@localhost"], pfx: true)[0]
+          results[cert_cn+"-winrm"] = [winrm_key, winrm_cert]
+        end
+
+        if resource and resource.config and resource.config['cloud']
+          cloudclass = Object.const_get("MU").const_get("Cloud").const_get(resource.config['cloud'])
+
+          cloudclass.writeDeploySecret(@deploy_id, cert.to_pem, cert_cn+".crt", credentials: resource.config['credentials'])
+          cloudclass.writeDeploySecret(@deploy_id, key.to_pem, cert_cn+".key", credentials: resource.config['credentials'])
+          if pfx_cert
+            cloudclass.writeDeploySecret(@deploy_id, pfx_cert.to_der, cert_cn+".pfx", credentials: resource.config['credentials'])
           end
-        end
-
-        if [MU::Cloud::Server, MU::Cloud::AWS::Server, MU::Cloud::Google::Server].include?(resource.class) and resource.windows?
-          if File.exists?("#{MU.mySSLDir}/#{cert_cn}-winrm.crt") and
-             File.exists?("#{MU.mySSLDir}/#{cert_cn}-winrm.key")
-            results[cert_cn+"-winrm"] = [File.read("#{MU.mySSLDir}/#{cert_cn}-winrm.crt"), File.read("#{MU.mySSLDir}/#{cert_cn}-winrm.key")]
-          else
-            certs[cert_cn+"-winrm"] = {
-              "sans" => ["otherName:1.3.6.1.4.1.311.20.2.3;UTF8:#{resource.config['windows_admin_username']}@localhost"],
-              "cn" => resource.config['windows_admin_username']
-            }
+          if winrm_cert
+            cloudclass.writeDeploySecret(@deploy_id, winrm_cert.to_pem, cert_cn+"-winrm.crt", credentials: resource.config['credentials'])
           end
         end
 
-        certs.each { |certname, data|
-          MU.log "Generating SSL certificate #{certname} for #{resource} with key size #{keysize.to_s}"
-
-          # Create and save a key
-          key = OpenSSL::PKey::RSA.new keysize
-          if !Dir.exist?(MU.mySSLDir)
-            Dir.mkdir(MU.mySSLDir, 0700)
-          end
-
-          open("#{MU.mySSLDir}/#{certname}.key", 'w', 0600) { |io|
-            io.write key.to_pem
-          }
-          # Create a certificate request for this node
-          csr = OpenSSL::X509::Request.new
-          csr.version = 3
-          csr.subject = OpenSSL::X509::Name.parse "/CN=#{data['cn']}/O=Mu/C=US"
-          csr.public_key = key.public_key
-          csr.sign key, OpenSSL::Digest::SHA256.new
-          open("#{MU.mySSLDir}/#{certname}.csr", 'w', 0644) { |io|
-            io.write csr.to_pem
-          }
-          if MU.chef_user == "mu"
-            signSSLCert("#{MU.mySSLDir}/#{certname}.csr", data['sans'])
-          else
-            deploykey = OpenSSL::PKey::RSA.new(public_key)
-            deploysecret = Base64.urlsafe_encode64(deploykey.public_encrypt(deploy_secret))
-# XXX things that aren't servers
-            res_type = "server"
-            res_type = "server_pool" if !resource.config['basis'].nil?
-            uri = URI("https://#{MU.mu_public_addr}:2260/")
-            req = Net::HTTP::Post.new(uri)
-            req.set_form_data(
-              "mu_id" => MU.deploy_id,
-              "mu_resource_name" => resource.config['name'],
-              "mu_resource_type" => res_type,
-              "mu_ssl_sign" => "#{MU.mySSLDir}/#{certname}.csr",
-              "mu_ssl_sans" => data["sans"].join(","),
-              "mu_user" => MU.mu_user,
-              "mu_deploy_secret" => deploysecret
-            )
-            http = Net::HTTP.new(uri.hostname, uri.port)
-            http.ca_file = "/etc/pki/Mu_CA.pem" # XXX why no worky?
-            http.use_ssl = true
-            http.verify_mode = OpenSSL::SSL::VERIFY_NONE # XXX this sucks
-            response = http.request(req)
-            MU.log "Got error back on signing request for #{MU.mySSLDir}/#{certname}.csr", MU::ERR if response.code != "200"
-          end
-
-          pfx = nil
-          cert = OpenSSL::X509::Certificate.new File.read "#{MU.mySSLDir}/#{certname}.crt"
-          if [MU::Cloud::Server, MU::Cloud::AWS::Server, MU::Cloud::Google::Server].include?(resource.class) and resource.windows?
-            cacert = OpenSSL::X509::Certificate.new File.read "#{MU.mySSLDir}/Mu_CA.pem"
-            pfx = OpenSSL::PKCS12.create(nil, nil, key, cert, [cacert], nil, nil, nil, nil)
-            open("#{MU.mySSLDir}/#{certname}.pfx", 'w', 0644) { |io|
-              io.write pfx.to_der
-            }
-          end
-
-          results[certname] = [cert, key]
-
-          if resource.config['cloud'] == "AWS"
-            MU::Cloud::AWS.writeDeploySecret(@deploy_id, cert.to_pem, certname+".crt")
-            MU::Cloud::AWS.writeDeploySecret(@deploy_id, key.to_pem, certname+".key")
-            if pfx
-              MU::Cloud::AWS.writeDeploySecret(@deploy_id, pfx.to_der, certname+".pfx")
-            end
-# XXX add google logic, or better yet abstract this method
-          end
-        }
       }
 
       results[cert_cn]
@@ -2392,80 +2639,129 @@ MESSAGE_END
       MU::MommaCat.deploy_dir(@deploy_id)
     end
 
-    private
+    # Path to the log file used by the Momma Cat daemon
+    # @return [String]
+    def self.daemonLogFile
+      base = (Process.uid == 0 and !MU.localOnly) ? "/var" : MU.dataDir
+      "#{base}/log/mu-momma-cat.log"
+    end
 
-    # Check to see whether a given resource name is unique across all
-    # deployments on this Mu server. We only enforce this for certain classes
-    # of names. If the name in question is available, add it to our cache of
-    # said names.  See #{MU::MommaCat.getResourceName}
-    # @param name [String]: The name to attempt to allocate.
-    # @return [Boolean]: True if allocation was successful.
-    def allocateUniqueResourceName(name)
-      raise MuError, "Cannot call allocateUniqueResourceName without an active deployment" if @deploy_id.nil?
-      path = File.expand_path(MU.dataDir+"/deployments")
-      File.open(path+"/unique_ids", File::CREAT|File::RDWR, 0600) { |f|
-        existing = []
-        f.flock(File::LOCK_EX)
-        f.readlines.each { |line|
-          existing << line.chomp
-        }
-        begin
-          existing.each { |used|
-            if used.match(/^#{name}:/)
-              if !used.match(/^#{name}:#{@deploy_id}$/)
-                MU.log "#{name} is already reserved by another resource on this Mu server.", MU::WARN, details: caller
-                return false
-              else
-                return true
-              end
-            end
-          }
-          f.puts name+":"+@deploy_id
-          return true
-        ensure
-          f.flock(File::LOCK_UN)
-        end
-      }
+    # Path to the PID file used by the Momma Cat daemon
+    # @return [String]
+    def self.daemonPidFile
+      base = (Process.uid == 0 and !MU.localOnly) ? "/var" : MU.dataDir
+      "#{base}/run/mommacat.pid"
     end
 
-    ###########################################################################
-    ###########################################################################
-    def self.deploy_dir(deploy_id)
-      raise MuError, "deploy_dir must get a deploy_id if called as class method (from #{caller[0]}; #{caller[1]})" if deploy_id.nil?
-# XXX this will blow up if someone sticks MU in /
-      path = File.expand_path(MU.dataDir+"/deployments")
-      if !Dir.exist?(path)
-        MU.log "Creating #{path}", MU::DEBUG
-        Dir.mkdir(path, 0700)
+		# Start the Momma Cat daemon and return the exit status of the command used
+    # @return [Integer]
+    def self.start
+      base = (Process.uid == 0 and !MU.localOnly) ? "/var" : MU.dataDir
+      [base, "#{base}/log", "#{base}/run"].each { |dir|
+       if !Dir.exist?(dir)
+          MU.log "Creating #{dir}"
+          Dir.mkdir(dir)
+        end
+      }
+      return 0 if status
+    
+      MU.log "Starting Momma Cat on port #{MU.mommaCatPort}, logging to #{daemonLogFile}, PID file #{daemonPidFile}"
+      origdir = Dir.getwd
+      Dir.chdir(MU.myRoot+"/modules")
+
+      # XXX what's the safest way to find the 'bundle' executable in both gem and non-gem installs?
+      cmd = %Q{bundle exec thin --threaded --daemonize --port #{MU.mommaCatPort} --pid #{daemonPidFile} --log #{daemonLogFile} --ssl --ssl-key-file #{MU.mySSLDir}/mommacat.key --ssl-cert-file #{MU.mySSLDir}/mommacat.pem --ssl-disable-verify --tag mu-momma-cat -R mommacat.ru start}
+      MU.log cmd, MU::NOTICE
+      output = %x{#{cmd}}
+      Dir.chdir(origdir)
+
+      retries = 0
+      begin
+        sleep 1
+        retries += 1
+        if retries >= 10
+          MU.log "MommaCat failed to start (command was #{cmd})", MU::WARN, details: output
+          pp caller
+          return $?.exitstatus
+        end
+      end while !status
+    
+      if $?.exitstatus != 0
+        exit 1
       end
-      path = path+"/"+deploy_id
-      return path
+
+      return $?.exitstatus
     end
 
-    def self.deploy_exists?(deploy_id)
-      if deploy_id.nil? or deploy_id.empty?
-        MU.log "Got nil deploy_id in MU::MommaCat.deploy_exists?", MU::WARN
-        return
+    # Return true if the Momma Cat daemon appears to be running
+    # @return [Boolean]
+    def self.status
+      if File.exist?(daemonPidFile)
+        pid = File.read(daemonPidFile).chomp.to_i
+        begin
+          Process.getpgid(pid)
+          MU.log "Momma Cat running with pid #{pid.to_s}"
+          return true
+        rescue Errno::ESRCH
+        end
       end
-      path = File.expand_path(MU.dataDir+"/deployments")
-      if !Dir.exists?(path)
-        Dir.mkdir(path, 0700)
+      MU.log "Momma Cat daemon not running", MU::NOTICE, details: daemonPidFile
+      false
+    end
+    
+		# Stop the Momma Cat daemon, if it's running
+    def self.stop
+      if File.exist?(daemonPidFile)
+        pid = File.read(daemonPidFile).chomp.to_i
+        MU.log "Stopping Momma Cat with pid #{pid.to_s}"
+        Process.kill("INT", pid)
+        killed = false
+        begin
+          Process.getpgid(pid)
+          sleep 1
+        rescue Errno::ESRCH
+          killed = true
+        end while killed
+        MU.log "Momma Cat with pid #{pid.to_s} stopped", MU::DEBUG, details: daemonPidFile
+    
+        begin
+          File.unlink(daemonPidFile)
+        rescue Errno::ENOENT
+        end
       end
-      deploy_path = File.expand_path(path+"/"+deploy_id)
-      return Dir.exist?(deploy_path)
     end
 
+		# (Re)start the Momma Cat daemon and return the exit status of the start command
+    # @return [Integer]
+    def self.restart
+      stop
+      start
+    end
 
-    def createDeployKey
-      key = OpenSSL::PKey::RSA.generate(4096)
-      MU.log "Generated deploy key for #{MU.deploy_id}", MU::DEBUG, details: key.public_key.export
-      return [key.export, key.public_key.export]
+    # Locate and return the deploy, if any, which matches the provided origin
+    # description
+    # @param origin [Hash]
+    def self.findMatchingDeploy(origin)
+      MU::MommaCat.listDeploys.each { |deploy_id|
+        o_path = deploy_dir(deploy_id)+"/origin.json"
+        next if !File.exist?(o_path)
+        this_origin = JSON.parse(File.read(o_path))
+        if origin == this_origin
+          MU.log "Deploy #{deploy_id} matches origin hash, loading", details: origin
+          return MU::MommaCat.new(deploy_id)
+        end
+      }
+      nil
     end
 
     # Synchronize all in-memory information related to this to deployment to
     # disk.
-    def save!(triggering_node = nil)
-      return if @no_artifacts
+    # @param triggering_node [MU::Cloud::Server]: If we're being triggered by the addition/removal/update of a node, this allows us to notify any sibling or dependent nodes of changes
+    # @param force [Boolean]: Save even if +no_artifacts+ is set
+    # @param origin [Hash]: Optional blob of data indicating how this deploy was created
+    def save!(triggering_node = nil, force: false, origin: nil)
+
+      return if @no_artifacts and !force
       MU::MommaCat.deploy_struct_semaphore.synchronize {
         MU.log "Saving deployment #{MU.deploy_id}", MU::DEBUG
 
@@ -2474,6 +2770,12 @@ MESSAGE_END
           Dir.mkdir(deploy_dir, 0700)
         end
 
+        if !origin.nil?
+          o_file = File.new("#{deploy_dir}/origin.json", File::CREAT|File::TRUNC|File::RDWR, 0600)
+          o_file.puts JSON.pretty_generate(origin)
+          o_file.close
+        end
+
         if !@private_key.nil?
           privkey = File.new("#{deploy_dir}/private_key", File::CREAT|File::TRUNC|File::RDWR, 0600)
           privkey.puts @private_key
@@ -2489,6 +2791,11 @@ MESSAGE_END
         if !@deployment.nil? and @deployment.size > 0
           @deployment['handle'] = MU.handle if @deployment['handle'].nil? and !MU.handle.nil?
           @deployment['public_key'] = @public_key
+          @deployment['timestamp'] ||= @timestamp
+          @deployment['seed'] ||= @seed
+          @deployment['appname'] ||= @appname
+          @deployment['handle'] ||= @handle
+          @deployment['ssh_public_key'] ||= @ssh_public_key if @ssh_public_key
           begin
             # XXX doing this to trigger JSON errors before stomping the stored
             # file...
@@ -2498,15 +2805,20 @@ MESSAGE_END
             deploy.flock(File::LOCK_EX)
             deploy.puts JSON.pretty_generate(@deployment, max_nesting: false)
           rescue JSON::NestingError => e
-            raise MuError, e.inspect+"\n\n"+@deployment.to_s
+            MU.log e.inspect, MU::ERR, details: @deployment
+            raise MuError, "Got #{e.message} trying to save deployment"
+          rescue Encoding::UndefinedConversionError => e
+            MU.log e.inspect, MU::ERR, details: @deployment
+            raise MuError, "Got #{e.message} at #{e.error_char.dump} (#{e.source_encoding_name} => #{e.destination_encoding_name}) trying to save deployment"
           end
           deploy.flock(File::LOCK_UN)
           deploy.close
+          @need_deploy_flush = false
         end
 
         if !@original_config.nil? and @original_config.is_a?(Hash)
           config = File.new("#{deploy_dir}/basket_of_kittens.json", File::CREAT|File::TRUNC|File::RDWR, 0600)
-          config.puts JSON.pretty_generate(@original_config)
+          config.puts JSON.pretty_generate(MU::Config.manxify(@original_config))
           config.close
         end
 
@@ -2541,10 +2853,10 @@ MESSAGE_END
             MU.log "Creating #{secretdir}", MU::DEBUG
             Dir.mkdir(secretdir, 0700)
           end
-          @secrets.each_pair { |type, server|
-            server.each_pair { |server, secret|
+          @secrets.each_pair { |type, servers|
+            servers.each_pair { |server, svr_secret|
               key = File.new("#{secretdir}/#{type}.#{server}", File::CREAT|File::TRUNC|File::RDWR, 0600)
-              key.puts secret
+              key.puts svr_secret
               key.close
             }
           }
@@ -2552,7 +2864,7 @@ MESSAGE_END
       }
 
       # Update groomer copies of this metadata
-      syncLitter(@deployment['servers'].keys, save_all_only: true) if @deployment.has_key?("servers")
+      syncLitter(@deployment['servers'].keys, triggering_node: triggering_node, save_only: true) if @deployment.has_key?("servers")
     end
 
     # Find one or more resources by their Mu resource name, and return
@@ -2562,21 +2874,112 @@ MESSAGE_END
     # @param type [String]: The type of resource, e.g. "vpc" or "server."
     # @param name [String]: The Mu resource class, typically the name field of a Basket of Kittens resource declaration.
     # @param mu_name [String]: The fully-expanded Mu resource name, e.g. MGMT-PROD-2015040115-FR-ADMGMT2
+
+    private
+
+    # Check to see whether a given resource name is unique across all
+    # deployments on this Mu server. We only enforce this for certain classes
+    # of names. If the name in question is available, add it to our cache of
+    # said names.  See #{MU::MommaCat.getResourceName}
+    # @param name [String]: The name to attempt to allocate.
+    # @return [Boolean]: True if allocation was successful.
+    def allocateUniqueResourceName(name)
+      raise MuError, "Cannot call allocateUniqueResourceName without an active deployment" if @deploy_id.nil?
+      path = File.expand_path(MU.dataDir+"/deployments")
+      File.open(path+"/unique_ids", File::CREAT|File::RDWR, 0600) { |f|
+        existing = []
+        f.flock(File::LOCK_EX)
+        f.readlines.each { |line|
+          existing << line.chomp
+        }
+        begin
+          existing.each { |used|
+            if used.match(/^#{name}:/)
+              if !used.match(/^#{name}:#{@deploy_id}$/)
+                MU.log "#{name} is already reserved by another resource on this Mu server.", MU::WARN, details: caller
+                return false
+              else
+                return true
+              end
+            end
+          }
+          f.puts name+":"+@deploy_id
+          return true
+        ensure
+          f.flock(File::LOCK_UN)
+        end
+      }
+    end
+
+    ###########################################################################
+    ###########################################################################
+    def self.deploy_dir(deploy_id)
+      raise MuError, "deploy_dir must get a deploy_id if called as class method (from #{caller[0]}; #{caller[1]})" if deploy_id.nil?
+# XXX this will blow up if someone sticks MU in /
+      path = File.expand_path(MU.dataDir+"/deployments")
+      if !Dir.exist?(path)
+        MU.log "Creating #{path}", MU::DEBUG
+        Dir.mkdir(path, 0700)
+      end
+      path = path+"/"+deploy_id
+      return path
+    end
+
+    def self.deploy_exists?(deploy_id)
+      if deploy_id.nil? or deploy_id.empty?
+        MU.log "Got nil deploy_id in MU::MommaCat.deploy_exists?", MU::WARN
+        return
+      end
+      path = File.expand_path(MU.dataDir+"/deployments")
+      if !Dir.exist?(path)
+        Dir.mkdir(path, 0700)
+      end
+      deploy_path = File.expand_path(path+"/"+deploy_id)
+      return Dir.exist?(deploy_path)
+    end
+
+
+    def createDeployKey
+      key = OpenSSL::PKey::RSA.generate(4096)
+      MU.log "Generated deploy key for #{MU.deploy_id}", MU::DEBUG, details: key.public_key.export
+      return [key.export, key.public_key.export]
+    end
+
     # @param deploy_id [String]: The deployment to search. Will search all deployments if not specified.
     # @return [Hash,Array<Hash>]
     def self.getResourceMetadata(type, name: nil, deploy_id: nil, use_cache: true, mu_name: nil)
       if type.nil?
         raise MuError, "Can't call getResourceMetadata without a type argument"
       end
-      shortclass, cfg_name, cfg_plural, classname = MU::Cloud.getResourceNames(type)
-      type = cfg_plural
+      _shortclass, _cfg_name, type, _classname = MU::Cloud.getResourceNames(type)
+
+      # first, check our in-memory deploys, which may or may not have been
+      # written to disk yet.
+      littercache = nil
+      begin
+        @@litter_semaphore.synchronize {
+          littercache = @@litters.dup
+        }
+      rescue ThreadError => e
+        # already locked by a parent caller and this is a read op, so this is ok
+        raise e if !e.message.match(/recursive locking/)
+        littercache = @@litters.dup
+      end
+      littercache.each_pair { |deploy, momma|
+        @@deploy_struct_semaphore.synchronize {
+          @deploy_cache[deploy] = {
+            "mtime" => Time.now,
+            "data" => momma.deployment
+          }
+        }
+      }
 
       deploy_root = File.expand_path(MU.dataDir+"/deployments")
       MU::MommaCat.deploy_struct_semaphore.synchronize {
-        if Dir.exists?(deploy_root)
+        if Dir.exist?(deploy_root)
           Dir.entries(deploy_root).each { |deploy|
             this_deploy_dir = deploy_root+"/"+deploy
-            next if deploy == "." or deploy == ".." or !Dir.exists?(this_deploy_dir)
+            next if deploy == "." or deploy == ".." or !Dir.exist?(this_deploy_dir)
             next if deploy_id and deploy_id != deploy
 
             if !File.size?(this_deploy_dir+"/deployment.json")
@@ -2605,7 +3008,7 @@ MESSAGE_END
               # Populate some generable entries that should be in the deploy
               # data. Also, bounce out if we realize we've found exactly what
               # we needed already.
-              MU::Cloud.resource_types.each_pair { |res_type, attrs|
+              MU::Cloud.resource_types.values.each { |attrs|
 
                 next if @deploy_cache[deploy]['data'][attrs[:cfg_plural]].nil?
                 if !attrs[:has_multiples]
@@ -2650,10 +3053,10 @@ MESSAGE_END
           next if !@deploy_cache[deploy]['data'].has_key?(type)
           if !name.nil?
             next if @deploy_cache[deploy]['data'][type][name].nil?
-            matches[deploy] = [] if !matches.has_key?(deploy)
+            matches[deploy] ||= []
             matches[deploy] << @deploy_cache[deploy]['data'][type][name].dup
           else
-            matches[deploy] = [] if !matches.has_key?(deploy)
+            matches[deploy] ||= []
             matches[deploy].concat(@deploy_cache[deploy]['data'][type].values)
           end
         }
@@ -2663,7 +3066,7 @@ MESSAGE_END
             !@deploy_cache[deploy_id]['data'][type].nil?
           if !name.nil?
             if !@deploy_cache[deploy_id]['data'][type][name].nil?
-              matches[deploy_id] = [] if !matches.has_key?(deploy_id)
+              matches[deploy_id] ||= []
               matches[deploy_id] << @deploy_cache[deploy_id]['data'][type][name].dup
             else
               return matches # nothing, actually
@@ -2694,13 +3097,14 @@ MESSAGE_END
           begin
             @deployment = JSON.parse(File.read("#{deploy_dir}/deployment.json"))
           rescue JSON::ParserError => e
-            MU.log "JSON parse failed on #{deploy_dir}/deployment.json", MU::ERR
+            MU.log "JSON parse failed on #{deploy_dir}/deployment.json", MU::ERR, details: e.message
           end
 
           deploy.flock(File::LOCK_UN)
           deploy.close
           if set_context_to_me
             ["appname", "environment", "timestamp", "seed", "handle"].each { |var|
+              @deployment[var] ||= instance_variable_get("@#{var}".to_sym)
               if @deployment[var]
                 if var != "handle"
                   MU.setVar(var, @deployment[var].upcase)
@@ -2727,7 +3131,7 @@ MESSAGE_END
           begin
             @original_config = JSON.parse(File.read("#{deploy_dir}/basket_of_kittens.json"))
           rescue JSON::ParserError => e
-            MU.log "JSON parse failed on #{deploy_dir}/basket_of_kittens.json", MU::ERR
+            MU.log "JSON parse failed on #{deploy_dir}/basket_of_kittens.json", MU::ERR, details: e.message
           end
         end
         if File.exist?(deploy_dir+"/ssh_key_name")
@@ -2748,7 +3152,7 @@ MESSAGE_END
         if Dir.exist?("#{deploy_dir}/secrets")
           @secrets.each_key { |type|
             Dir.glob("#{deploy_dir}/secrets/#{type}.*") { |filename|
-              base, server = File.basename(filename).split(/\./)
+              server = File.basename(filename).split(/\./)[1]
 
               @secrets[type][server] = File.read(filename).chomp!
             }
@@ -2757,9 +3161,10 @@ MESSAGE_END
       }
     end
 
-    @catadjs = %w{fuzzy ginger lilac chocolate xanthic wiggly itty}
-    @catnouns = %w{bastet biscuits bobcat catnip cheetah chonk dot felix jaguar kitty leopard lion lynx maru mittens moggy neko nip ocelot panther patches paws phoebe purr queen roar saber sekhmet skogkatt socks sphinx spot tail tiger tom whiskers wildcat yowl floof beans ailurophile dander dewclaw grimalkin kibble quick tuft misty simba mew quat eek ziggy}
-    @catmixed = %w{abyssinian angora bengal birman bobtail bombay burmese calico chartreux cheshire cornish-rex curl devon egyptian-mau feline furever fumbs havana himilayan japanese-bobtail javanese khao-manee maine-coon manx marmalade mau munchkin norwegian pallas persian peterbald polydactyl ragdoll russian-blue savannah scottish-fold serengeti shorthair siamese siberian singapura snowshoe stray tabby tonkinese tortoiseshell turkish-van tuxedo uncia caterwaul lilac-point chocolate-point mackerel maltese knead whitenose vorpal}
+    # 2019-06-03 adding things from https://aiweirdness.com/post/185339301987/once-again-a-neural-net-tries-to-name-cats
+    @catadjs = %w{fuzzy ginger lilac chocolate xanthic wiggly itty chonky norty slonky floofy}
+    @catnouns = %w{bastet biscuits bobcat catnip cheetah chonk dot felix hamb jaguar kitty leopard lion lynx maru mittens moggy neko nip ocelot panther patches paws phoebe purr queen roar saber sekhmet skogkatt socks sphinx spot tail tiger tom whiskers wildcat yowl floof beans ailurophile dander dewclaw grimalkin kibble quick tuft misty simba slonk mew quat eek ziggy whiskeridoo cromch monch screm}
+    @catmixed = %w{abyssinian angora bengal birman bobtail bombay burmese calico chartreux cheshire cornish-rex curl devon egyptian-mau feline furever fumbs havana himilayan japanese-bobtail javanese khao-manee maine-coon manx marmalade mau munchkin norwegian pallas persian peterbald polydactyl ragdoll russian-blue savannah scottish-fold serengeti shorthair siamese siberian singapura snowshoe stray tabby tonkinese tortoiseshell turkish-van tuxedo uncia caterwaul lilac-point chocolate-point mackerel maltese knead whitenose vorpal chewie-bean chicken-whiskey fish-especially thelonious-monsieur tom-glitter serendipitous-kill sparky-buttons}
     @catwords = @catadjs + @catnouns + @catmixed
 
     @jaegeradjs = %w{azure fearless lucky olive vivid electric grey yarely violet ivory jade cinnamon crimson tacit umber mammoth ultra iron zodiac}
@@ -2771,4 +3176,3 @@ MESSAGE_END
 
   end #class
 end #module
-