Add two new parameters. The first is to add a line to the krb5.conf file
indicating that we prefer TCP. The other is a parameter stating which
kerberos environment we want: prod, test, or uat.

If the system's primary IP address is in one of the two well-known Livermore
netblocks, then automatically set the Livermore-based Kerberos server as the
primary KDC.

base::kerberos::dr is now deprecated.

We know the three large IP address blocks that exist in Livermore, and we now
have an ip_in_cidr() function, so we are using that to tell if a system is in
Livermore.

This code will need updating only if the large network blocks in Livermore are
changed.

We don't have anycast DNS in Livermore, so this adds a parameter to base::dns,
a parameter that can be set via Hiera, to put Livermore's DNS server at (or
near) the top of the list.

This is important for systems using Puppet and DHCP, because DHCP renewals
rewrite resolv.conf, which then gets re-re-written by Puppet.

The ntp iptables rules date from the days when Unix Systems actually
ran ntp servers on Linux hosts.  Since the ntp service is now provided
by hardware appliances there is no need to allow inbound ntp
connections.  Remove the iptables rules allow inbound ntp connections
at Rob Riepel's suggestion.

Similarly remove restrict entries from ntp.conf that point at hosts
that are no longer ntp servers.  Be a bit more conservative and leave
the restrict to the current ntp servers.

Remove some iptables fragments that are no longer used to reduce
confusion.

VMWare does not package vmware-tools-esx-nox for EL7. They
instead recommend the use of open-vm-tools. Added a condition
and refactored the manifest appropriately.