cloud-mu 3.4.0 → 3.5.0

data/cookbooks/mu-master/metadata.rb

@@ -7,7 +7,7 @@ long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
 source_url 'https://github.com/cloudamatic/mu'
 issues_url 'https://github.com/cloudamatic/mu/issues'
 chef_version '>= 12.1' if respond_to?(:chef_version)
-version '0.9.6'
+version '0.9.7'
 
 %w( centos amazon redhat ).each do |os|
 	supports os
@@ -28,4 +28,4 @@ depends 'consul-cluster', '~> 2.0.0'
 depends 'chef-sugar' # undeclared dependency of consul 2.1, which can't be upgraded without creating a conflict with consul-cluster and vault-cluster -zr2d2
 depends 'hostsfile', '~> 3.0.1'
 depends 'chef-vault', '~> 3.1.1'
-depends 'apache2', '< 6.0.0'
+depends 'apache2', '< 8.0.0'

data/cookbooks/mu-master/recipes/default.rb

@@ -217,24 +217,25 @@ if !node['update_nagios_only']
   if !$MU_CFG['public_address'].match(/^\d+\.\d+\.\d+\.\d+$/)
     svrname = $MU_CFG['public_address']
   end
-
-  # nagios keeps disabling the default vhost, so let's make another one
-  include_recipe "apache2::mod_proxy"
-  include_recipe "apache2::mod_proxy_http"
-  include_recipe "apache2::mod_rewrite"
-
-  if node['platform_family'] == "rhel" and node['platform_version'].split('.')[0].to_i == 6
-    package "httpd24-mod_ldap"
-    apache_module 'ldap' do
-      conf true
-    end
-  else
-    include_recipe "apache2::mod_authnz_ldap"
+  apache2_install "" do
+    docroot_dir "/var/www/html"
+    modules %w{status alias auth_basic authn_core authn_file authz_core authz_groupfile authz_host authz_user autoindex deflate dir env mime negotiation setenvif log_config logio unixd systemd headers proxy proxy_http rewrite ssl ldap authnz_ldap slotmem_shm}
   end
+  package "mod_ldap"
+
+  # add stock .conf files to the mix where applicable
+  apache2_mod_proxy ""
+  apache2_mod_ldap ""
+  apache2_mod_cgid ""
+  apache2_mod_ssl ""
 
-  apache_site "default" do
-    enable false
+  apache2_mod "php"
+  apache2_default_site "" do
+    action :enable
+    notifies :start, "service[apache2]", :delayed
   end
+
+  # nagios keeps disabling the default vhost, so let's make another one
   execute "Allow net connect to local for apache" do
     command "/usr/sbin/setsebool -P httpd_can_network_connect on"
     not_if "/usr/sbin/getsebool httpd_can_network_connect | grep -cim1 ^.*on$"
@@ -242,22 +243,76 @@ if !node['update_nagios_only']
     notifies :reload, "service[apache2]", :delayed
   end
 
+  aliases = [node['fqdn'], node['hostname'], node['local_hostname'], node['local_ipv4'], node['public_hostname'], node['public_ipv4']]
+  if node['ec2']
+    aliases << node['ec2']['local_ipv4']
+    aliases << node['ec2']['local_hostname']
+    aliases << node['ec2']['public_ipv4']
+    aliases << node['ec2']['public_hostname']
+  end
+  aliases.uniq!
+  aliases.reject! { |a| a.nil? or a.empty? }
+
+  service 'apache2' do
+    extend Apache2::Cookbook::Helpers
+    service_name lazy { apache_platform_service_name }
+    supports restart: true, status: true, reload: true
+    action :enable
+  end
 
-  web_app "mu_docs" do
-    server_name svrname
-    server_aliases [node['fqdn'], node['hostname'], node['local_hostname'], node['local_ipv4'], node['public_hostname'], node['public_ipv4']]
-    docroot "/var/www/html"
-    cookbook "mu-master"
+  template '/etc/httpd/sites-available/mu_docs.conf' do
+    variables(
+      server_name: svrname,
+      server_port: "80",
+      server_aliases: aliases,
+      docroot: "/var/www/html"
+    )
+    cookbook 'mu-master'
+    source 'web_app.conf.erb'
     notifies :reload, "service[apache2]", :delayed
   end
-  web_app "https_proxy" do
-    server_name svrname
-    server_port "443"
-    server_aliases [node['fqdn'], node['hostname'], node['local_hostname'], node['local_ipv4'], node['public_hostname'], node['public_ipv4']]
-    docroot "/var/www/html"
-    cookbook "mu-master"
+  apache2_site "mu_docs"
+  template '/etc/httpd/sites-available/https_proxy.conf' do
+    variables(
+      server_name: svrname,
+      server_port: "443",
+      server_aliases: aliases,
+      docroot: "/var/www/html"
+    )
+    cookbook 'mu-master'
+    source 'web_app.conf.erb'
+    notifies :reload, "service[apache2]", :delayed
+  end
+  apache2_site "https_proxy"
+
+  # configure the appropriate authentication method for the web server
+  case node['nagios']['server_auth_method']
+  when 'openid'
+    apache2_mod 'auth_openid'
+  when 'cas'
+    apache2_mod 'auth_cas'
+  end
+
+#  apache2_conf "nagios" do
+#    server_name svrname
+#    server_aliases aliases
+#    template 'nagios.conf.erb'
+#    cookbook "mu-master"
+#    notifies :reload, "service[apache2]", :delayed
+#    action :enable
+#  end
+  template '/etc/httpd/sites-available/nagios.conf' do
+    variables(
+      server_name: svrname,
+      server_port: "443",
+      server_aliases: aliases,
+      docroot: "/var/www/html"
+    )
+    cookbook 'mu-master'
+    source 'nagios.conf.erb'
     notifies :reload, "service[apache2]", :delayed
   end
+  apache2_site "nagios"
 
   link "/etc/nagios3" do
     to "/etc/nagios"

data/cookbooks/mu-master/recipes/init.rb

@@ -35,20 +35,20 @@ ENV['PATH'] = ENV['PATH']+":/bin:/opt/opscode/embedded/bin"
 
 # XXX We want to be able to override these things when invoked from chef-apply,
 # but, like, how?
-CHEF_SERVER_VERSION="12.17.15-1"
-CHEF_CLIENT_VERSION="14.13.11"
+CHEF_SERVER_VERSION="14.0.65-1"
+CHEF_CLIENT_VERSION="16.9.29"
 KNIFE_WINDOWS="1.9.0"
 MU_BASE="/opt/mu"
-MU_BRANCH="master" # GIT HOOK EDITABLE DO NOT TOUCH
-realbranch=`cd #{MU_BASE}/lib && git rev-parse --abbrev-ref HEAD` # ~FC048
 
-if ENV.key?('MU_BRANCH')
-  MU_BRANCH = ENV['MU_BRANCH']
+MU_BRANCH = if ENV.key?('MU_BRANCH')
+  ENV['MU_BRANCH']
 elsif $?.exitstatus == 0
-  MU_BRANCH=realbranch.chomp
+  realbranch=`cd #{MU_BASE}/lib && git rev-parse --abbrev-ref HEAD` # ~FC048
+  realbranch.chomp
 else
-  MU_BRANCH="master"
+  "master"
 end
+
 begin
   resources('service[sshd]')
 rescue Chef::Exceptions::ResourceNotFound
@@ -77,6 +77,12 @@ service "iptables" do
   only_if "( /bin/systemctl -l --no-pager | grep iptables.service ) || ( /sbin/chkconfig --list | grep ^iptables )"
 end
 
+service "firewalld" do
+  ignore_failure true
+  action :nothing
+  only_if "/bin/systemctl -l --no-pager | grep firewalld.service"
+end
+
 # These guys are a workaround for Opscode bugs that seems to affect some Chef
 # Server upgrades.
 directory "/var/run/postgresql" do
@@ -126,28 +132,39 @@ file "use a clean /etc/hosts during install" do
   not_if { ::Dir.exist?("#{MU_BASE}/lib/.git") }
 end
 
+execute "modprobe br_netfilter" do
+  action :nothing
+end
+
 execute "reconfigure Chef server" do
-  command "/opt/opscode/bin/chef-server-ctl reconfigure"
+  command "CHEF_LICENSE=\"accept\" /opt/opscode/bin/chef-server-ctl reconfigure"
   action :nothing
   notifies :stop, "service[iptables]", :before
+  notifies :stop, "service[firewalld]", :before
 #  notifies :create, "link[/tmp/.s.PGSQL.5432]", :before
   notifies :create, "link[/var/run/postgresql/.s.PGSQL.5432]", :before
   notifies :restart, "service[chef-server]", :immediately
   if !RUNNING_STANDALONE
     notifies :start, "service[iptables]", :immediately
+    notifies :start, "service[firewalld]", :immediately
+  else
+    notifies :run, "execute[Chef Server rabbitmq workaround]", :before
   end
   only_if { RUNNING_STANDALONE }
 end
 execute "upgrade Chef server" do
-  command "/opt/opscode/bin/chef-server-ctl upgrade"
+  command "CHEF_LICENSE=\"accept\" /opt/opscode/bin/chef-server-ctl upgrade"
   action :nothing
   timeout 1200 # this can take a while
   notifies :stop, "service[iptables]", :before
+  notifies :stop, "service[firewalld]", :before
+  notifies :run, "execute[modprobe br_netfilter]", :before
   notifies :run, "execute[Chef Server rabbitmq workaround]", :before
 #  notifies :create, "link[/tmp/.s.PGSQL.5432]", :before
   notifies :create, "link[/var/run/postgresql/.s.PGSQL.5432]", :before
   if !RUNNING_STANDALONE
     notifies :start, "service[iptables]", :immediately
+    notifies :start, "service[firewalld]", :immediately
   end
   only_if { RUNNING_STANDALONE }
 end
@@ -160,8 +177,10 @@ service "chef-server" do
 #  notifies :create, "link[/tmp/.s.PGSQL.5432]", :before
 #  notifies :create, "link[/var/run/postgresql/.s.PGSQL.5432]", :before
   notifies :stop, "service[iptables]", :before
+  notifies :stop, "service[firewalld]", :before
   if !RUNNING_STANDALONE
     notifies :start, "service[iptables]", :immediately
+    notifies :start, "service[firewalld]", :immediately
   end
   only_if { RUNNING_STANDALONE }
 end
@@ -173,7 +192,7 @@ dpkgs = {}
 
 elversion = node['platform_version'].split('.')[0]
 
-rhelbase = ["git", "curl", "diffutils", "patch", "gcc", "gcc-c++", "make", "postgresql-devel", "libyaml", "libffi-devel", "tcl", "tk"]
+rhelbase = ["git", "curl", "diffutils", "patch", "gcc", "gcc-c++", "make", "postgresql-devel", "libyaml", "libffi-devel", "tcl", "tk", "xfsprogs"]
 
 case node['platform_family']
 when 'rhel'
@@ -182,11 +201,11 @@ when 'rhel'
 
   case node['platform_version'].split('.')[0].to_i
   when 6
-    basepackages.concat(["cryptsetup-luks", "mysql-devel", "centos-release-scl"])
+    basepackages.concat(["cryptsetup-luks", "mysql-devel", "centos-release-scl", "perl-WWW-Curl"])
     removepackages = ["nagios"]
 
   when 7
-    basepackages.concat(['libX11', 'mariadb-devel', 'cryptsetup'])
+    basepackages.concat(['policycoreutils-python', 'libX11', 'mariadb-devel', 'cryptsetup', 'tcl-devel', 'gdbm-devel', 'sqlite-devel', 'tk-devel', 'perl-CGI', 'perl-DBI', 'perl-Data-Dumper', 'perl-Digest-MD5', 'perl-Git-SVN', 'perl-YAML', 'nvme-cli'])
     removepackages = ['nagios', 'firewalld']
 
   when 8
@@ -222,8 +241,18 @@ rpms = {
   "chef-server-core" => "https://packages.chef.io/files/stable/chef-server/#{CHEF_SERVER_VERSION.sub(/\-\d+$/, "")}/el/#{elversion}/chef-server-core-#{CHEF_SERVER_VERSION}.el#{elversion}.x86_64.rpm"
 }
 
-rpms["ruby25"] = "https://s3.amazonaws.com/cloudamatic/muby-2.5.3-1.el#{elversion}.x86_64.rpm"
-rpms["python27"] = "https://s3.amazonaws.com/cloudamatic/muthon-2.7.16-1.el#{elversion}.x86_64.rpm"
+rpms["ruby27"] = "https://s3.amazonaws.com/cloudamatic/muby-2.7.2-1.el#{elversion}.x86_64.rpm"
+if elversion.to_i == 6
+  rpms["openssl"] = "https://s3.amazonaws.com/cloudamatic/mussl-1.1.1h-1.el6.x86_64.rpm"
+  rpms["sqlite"] = "https://s3.amazonaws.com/cloudamatic/muqlite-3.33-1.el6.x86_64.rpm"
+end
+if elversion.to_i == 7
+  rpms["mugit"] = "https://s3.amazonaws.com/cloudamatic/mugit-2.30.0-1.el7.x86_64.rpm"
+end
+# this takes up a huge amount of space, save it until we're fully operational
+if !RUNNING_STANDALONE
+  rpms["python38"] = "https://s3.amazonaws.com/cloudamatic/muthon-3.8.3-1.el#{elversion}.x86_64.rpm"
+end
 
 package basepackages
 
@@ -298,25 +327,25 @@ rpm_package "Chef Server upgrade package" do
   only_if { RUNNING_STANDALONE }
 end
 
-# REMOVE OLD RUBYs
-execute "clean up old Ruby 2.1.6" do
-  command "rm -rf /opt/rubies/ruby-2.1.6"
-  ignore_failure true
-  only_if { ::Dir.exist?("/opt/rubies/ruby-2.1.6") }
-end
-
-execute "Kill ruby-2.3.1" do
+execute "clean up old ruby-2.3.1 package" do
   command "yum erase ruby23-2.3.1-1.el7.centos.x86_64 -y; rpm -e ruby23"
   ignore_failure true
   only_if { ::Dir.exist?("/opt/rubies/ruby-2.3.1") }
 end
-
-execute "clean up old ruby-2.3.1" do
-  command "rm -rf /opt/rubies/ruby-2.3.1"
+execute "clean up old muby-2.5.3 package" do
+  command "yum erase muby-2.5.3-1.el7.x86_64 -y"
   ignore_failure true
-  only_if { ::Dir.exist?("/opt/rubies/ruby-2.3.1") }
+  only_if "rpm -q muby-2.5.3"
 end
 
+%w{2.1.6 2.3.1 2.5.3}.each { |v|
+  execute "clean up old ruby-#{v} directory" do
+    command "rm -rf /opt/rubies/ruby-#{v}"
+    ignore_failure true
+    only_if { ::Dir.exist?("/opt/rubies/ruby-#{v}") }
+  end
+}
+
 execute "yum makecache" do
   action :nothing
 end
@@ -325,11 +354,14 @@ end
 rpms.each_pair { |pkg, src|
   rpm_package pkg do
     source src
-    if pkg == "ruby25" 
+    if pkg == "ruby27" 
       options '--prefix=/opt/rubies/'
     end
     if pkg == "epel-release" 
       notifies :run, "execute[yum makecache]", :immediately
+      if elversion.to_i == 6
+        not_if "rpm -q epel-release"
+      end
     end
     if pkg == "chef-server-core"
       notifies :stop, "service[iptables]", :before
@@ -352,6 +384,10 @@ package removepackages do
 end
 
 
+if rpms["mugit"]
+  ENV['PATH'] = "/usr/local/git-current/bin:"+ENV['PATH']
+end
+
 
 file "initial chef-server.rb" do
   path "/etc/opscode/chef-server.rb"
@@ -364,6 +400,7 @@ nginx['ssl_port'] = 7443
 nginx['ssl_ciphers'] = 'HIGH:MEDIUM:!LOW:!kEDH:!aNULL:!ADH:!eNULL:!EXP:!SSLv2:!SEED:!CAMELLIA:!PSK'
 nginx['ssl_protocols'] = 'TLSv1.2'
 bookshelf['external_url'] = 'https://127.0.0.1:7443'
+bookshelf['vip'] = server_name
 bookshelf['vip_port'] = 7443\n"
   not_if { ::File.size?("/etc/opscode/chef-server.rb") }
   notifies :run, "execute[reconfigure Chef server]", :immediately
@@ -406,13 +443,71 @@ remote_file "#{MU_BASE}/bin/mu-self-update" do
   mode 0755
 end
 
-bash "install modules for our built-in Python" do
-  code <<-EOH
-    /usr/local/python-current/bin/pip install -r #{MU_BASE}/lib/requirements.txt
-  EOH
+# Skip this during initial installs, it's space-hungry
+if !RUNNING_STANDALONE
+  bash "install modules for our built-in Python" do
+    code <<-EOH
+      /usr/local/python-current/bin/pip install -r #{MU_BASE}/lib/requirements.txt
+    EOH
+  end
+end
+
+# bundle a less heavy version of our Gemfile during initial installation, so we
+# can actually fit on normal root disks until we have enough code and
+# credentials to roll a dedicated /opt.
+TMPDIR = Dir.mktmpdir
+gemfile_dir = if RUNNING_STANDALONE and !File.readlines("/etc/mtab").grep(/\s\/opt\s/).any?
+  ruby_block "set up alternate install-time Gemfile" do # ~FC014
+    block do
+      exclude_gems = %w{aws-sdk azure_sdk google-api-client}
+
+      ["/sys/hypervisor/uuid",
+       "/sys/devices/virtual/dmi/id/product_uuid",
+       "/sys/devices/virtual/dmi/id/board_asset_tag"].each { |src|
+        if File.exists?(src)
+          uuid = File.read(src).chomp
+          if uuid and uuid =~ /^ec2/i
+            exclude_gems.delete("aws-sdk")
+          end
+          break
+        end
+      }
+      dmiout = shell_out!(%Q{PATH=/sbin:/usr/sbin:/bin:/usr/bin dmidecode})
+      if dmiout.match(/Google/)
+        exclude_gems.delete("google-api-client")
+      end
+
+      if File.exists?("/var/log/waagent.log") and File.read("/var/log/waagent.log") =~ /added Azure fabric/
+        exclude_gems.delete("azure_sdk")
+      end
+
+      f = File.open("#{TMPDIR}/cloud-mu.gemspec", "w")
+      File.read("#{MU_BASE}/lib/cloud-mu.gemspec").each_line { |l|
+        skipme = false
+        if l=~ /s\.add_runtime_dependency/
+          exclude_gems.each { |gem|
+            if l =~ /\b#{gem}\b/
+              skipme = true
+            end
+          }
+          next if skipme
+        end
+        f.puts l.chomp
+      }
+      f.close
+
+      Dir.mkdir("#{TMPDIR}/modules")
+      FileUtils.cp("#{MU_BASE}/lib/modules/Gemfile", "#{TMPDIR}/modules")
+    end
+  end
+  "#{TMPDIR}/modules"
+else
+  "#{MU_BASE}/lib/modules"
 end
 
-["/usr/local/ruby-current", "/opt/chef/embedded"].each { |rubydir|
+rubies = ["/usr/local/ruby-current", "/opt/chef/embedded"]
+
+rubies.each { |rubydir|
   gembin = rubydir+"/bin/gem"
   gemdir = Dir.glob("#{rubydir}/lib/ruby/gems/?.?.?/gems").last
   bundler_path = gembin.sub(/gem$/, "bundle")
@@ -424,19 +519,24 @@ end
     EOH
     action :nothing
   end
-  gem_package bundler_path do
+
+  gem_package "bundler for #{rubydir}" do
     gem_binary gembin
     package_name "bundler"
     if rubydir == "/usr/local/ruby-current" or File.exists?(bundler_path)
       action :upgrade
       ignore_failure true
     end
+    version "~> 2.1.4"
     notifies :run, "bash[fix #{rubydir} gem permissions]", :delayed
   end
-  execute "#{bundler_path} install" do
-    cwd "#{MU_BASE}/lib/modules"
-    umask 0022
-    not_if "#{bundler_path} check"
+  execute "#{bundler_path} install from #{gemfile_dir} for #{rubydir}" do
+    command "PATH=/usr/local/git-current/bin:/usr/local/git-current/libexec/git-core:${PATH} #{bundler_path} install"
+    cwd gemfile_dir
+    umask "0022"
+    if !RUNNING_STANDALONE
+      not_if { system("cd #{gemfile_dir} && #{bundler_path} check 2>&1"); $?.exitstatus }
+    end
     notifies :run, "bash[fix #{rubydir} gem permissions]", :delayed
     notifies :restart, "service[chef-server]", :delayed if rubydir == "/opt/opscode/embedded"
     # XXX notify mommacat if we're *not* in chef-apply... RUNNING_STANDALONE
@@ -463,7 +563,7 @@ end
 # This is mostly to make sure Berkshelf has a clean and current environment to
 # live with.
 execute "/usr/local/ruby-current/bin/bundle clean --force" do
-  cwd "#{MU_BASE}/lib/modules"
+  cwd gemfile_dir
   only_if { RUNNING_STANDALONE }
 end
 
@@ -490,29 +590,31 @@ require "simple-password-gen"
 # XXX this would make an awesome library
 execute "create mu Chef user" do
   command "/opt/opscode/bin/chef-server-ctl user-create mu Mu Master root@example.com #{Password.pronounceable} -f #{MU_BASE}/var/users/mu/mu.user.key"
-  umask 0277
+  umask "0277"
   not_if "/opt/opscode/bin/chef-server-ctl user-list | grep '^mu$'"
+  notifies :start, "service[chef-server]", :before
 end
 execute "create mu Chef org" do
   command "/opt/opscode/bin/chef-server-ctl org-create mu mu -a mu -f #{MU_BASE}/var/orgs/mu/mu.org.key"
-  umask 0277
+  umask "0277"
   not_if "/opt/opscode/bin/chef-server-ctl org-list | grep '^mu$'"
+  notifies :start, "service[chef-server]", :before
 end
 # TODO copy in ~/.chef/mu.*.key to /opt/mu/var/users/mu if the stuff already exists
 file "initial root knife.rb" do
   path "/root/.chef/knife.rb"
   content "
-  node_name 'mu'
-  client_key '#{MU_BASE}/var/users/mu/mu.user.key'
-  validation_client_name 'mu-validator'
-  validation_key '#{MU_BASE}/var/orgs/mu/mu.org.key'
-  chef_server_url 'https://127.0.0.1:7443/organizations/mu'
-  chef_server_root 'https://127.0.0.1:7443/organizations/mu'
-  syntax_check_cache_path  '/root/.chef/syntax_check_cache'
-  cookbook_path [ '/root/.chef/cookbooks', '/root/.chef/site_cookbooks' ]
-  ssl_verify_mode :verify_none
-  knife[:vault_mode] = 'client'
-  knife[:vault_admins] = ['mu']\n"
+node_name 'mu'
+client_key '#{MU_BASE}/var/users/mu/mu.user.key'
+validation_client_name 'mu-validator'
+validation_key '#{MU_BASE}/var/orgs/mu/mu.org.key'
+chef_server_url 'https://127.0.0.1:7443/organizations/mu'
+chef_server_root 'https://127.0.0.1:7443/organizations/mu'
+syntax_check_cache_path  '/root/.chef/syntax_check_cache'
+cookbook_path [ '/root/.chef/cookbooks', '/root/.chef/site_cookbooks' ]
+ssl_verify_mode :verify_none 
+knife[:vault_mode] = 'client'
+knife[:vault_admins] = ['mu']\n"
   only_if { !::File.size?("/root/.chef/knife.rb") }
   notifies :run, "execute[initial Chef artifact upload]", :immediately
 end
@@ -530,36 +632,64 @@ if SSH_DIR != ROOT_SSH_DIR
     mode 0700
   end
 end
-bash "add localhost ssh to authorized_keys and config" do
+bash "add localhost ssh to config" do
   code <<-EOH
-    cat #{ROOT_SSH_DIR}/id_rsa.pub >> #{SSH_DIR}/authorized_keys
     echo "Host localhost" >> #{ROOT_SSH_DIR}/config
     echo "  IdentityFile #{ROOT_SSH_DIR}/id_rsa" >> #{ROOT_SSH_DIR}/config
   EOH
   action :nothing
 end
 execute "ssh-keygen -N '' -f #{ROOT_SSH_DIR}/id_rsa" do
-  umask 0177
+  umask "0177"
   not_if { ::File.exist?("#{ROOT_SSH_DIR}/id_rsa") }
-  notifies :run, "bash[add localhost ssh to authorized_keys and config]", :immediately
+  notifies :run, "bash[add localhost ssh to config]", :immediately
+  notifies :run, "execute[add localhost key to authorized_keys]", :immediately
+end
+execute "add localhost key to authorized_keys" do
+  command "cat #{ROOT_SSH_DIR}/id_rsa.pub >> #{SSH_DIR}/authorized_keys"
+  only_if {
+    found = false
+    pubkey = if File.exists?("#{SSH_DIR}/authorized_keys")
+      File.read("#{ROOT_SSH_DIR}/id_rsa.pub").chomp
+    end
+    if pubkey and File.exists?("#{SSH_DIR}/authorized_keys")
+      authfile = File.read("#{ROOT_SSH_DIR}/authorized_keys")
+      authfile.each_line { |l|
+        if l =~ /#{Regexp.quote(pubkey)}/
+          found = true
+        end
+      }
+    end
+    !found
+  }
 end
-file "/etc/chef/client.pem" do
+# XXX foodcritic says this is a repeat declaration, but it's... not
+file "/etc/chef/client.pem" do # ~FC005
   action :nothing
 end
 file "/etc/chef/validation.pem" do
   action :nothing
 end
+file "/etc/chef/client.rb" do
+  action :nothing
+end
+
+knife_cfg = "-c /root/.chef/knife.rb"
 
 execute "create MU-MASTER Chef client" do
+# XXX I dislike --ssh-verify-host-key=never intensely, but the CLI-documented 'accept_new' doesn't actually work
   if SSH_USER == "root"
-    command "/opt/chef/bin/knife bootstrap -N MU-MASTER --no-node-verify-api-cert --node-ssl-verify-mode=none 127.0.0.1"
+    command "/opt/chef/bin/knife bootstrap #{knife_cfg} -N MU-MASTER --no-node-verify-api-cert --node-ssl-verify-mode=none -U #{SSH_USER} --ssh-identity-file=/root/.ssh/id_rsa --ssh-verify-host-key=never 127.0.0.1"
   else
-    command "/opt/chef/bin/knife bootstrap -N MU-MASTER --no-node-verify-api-cert --node-ssl-verify-mode=none -x #{SSH_USER} --sudo 127.0.0.1"
+    command "/opt/chef/bin/knife bootstrap #{knife_cfg} -N MU-MASTER --no-node-verify-api-cert --node-ssl-verify-mode=none -U #{SSH_USER} --ssh-identity-file=/root/.ssh/id_rsa --ssh-verify-host-key=never --sudo 127.0.0.1"
   end
-  not_if "/opt/chef/bin/knife node list | grep '^MU-MASTER$'"
-  only_if "/opt/chef/bin/knife ssl check" # make sure we don't wipe ourselves due to unrelated SSL issues
+  only_if "/opt/chef/bin/knife node #{knife_cfg} list" # don't do crazy stuff just because knife isn't working
+  not_if "/opt/chef/bin/knife node #{knife_cfg} list | grep '^MU-MASTER$'"
+  notifies :run, "execute[add localhost key to authorized_keys]", :before
+  notifies :delete, "file[/etc/chef/client.rb]", :before
   notifies :delete, "file[/etc/chef/client.pem]", :before
   notifies :delete, "file[/etc/chef/validation.pem]", :before
+  notifies :start, "service[chef-server]", :before
   only_if { RUNNING_STANDALONE }
 end
 
@@ -575,7 +705,7 @@ end
 
 # Community cookbooks keep touching gems, and none of them are smart about our
 # default umask. We have to clean up after them every time.
-["/usr/local/ruby-current", "/opt/chef/embedded"].each { |rubydir|
+rubies.each { |rubydir|
   execute "trigger permission fix in #{rubydir}" do
     command "ls /etc/motd > /dev/null"
     notifies :run, "bash[fix #{rubydir} gem permissions]", :delayed
@@ -588,3 +718,8 @@ bash "fix misc permissions" do
     chmod go+rx #{MU_BASE}/lib/bin/* #{MU_BASE}/lib/extras/*-stock-* #{MU_BASE}/lib/extras/vault_tools/*.sh
   EOH
 end
+
+directory TMPDIR do
+  action :delete
+  recursive true
+end