Automate 2 version 20190410001346 Released!

We are delighted to announce the availability of version 20190410001346 of Chef Automate 2.

Upgrade Impact

We’re preparing the way for two great new features in Chef Automate—deep filtering in Compliance reporting and IAM v2 Beta. We’re making changes to the format for compliance results, which means that we’re migrating your compliance results to the new format.
For most users, this migration will happen quickly and in the background. However, if your system has tens of gigabytes of compliance results for the current day, the migration may take hours.

Migration Process

We’ll migrate your current day’s compliance data first, and then migrate your earlier compliance data.

We’re making some systems unresponsive during the current day data migration, in order to protect your data’s integrity. Once the migration for the current day’s data finishes, these systems will operate normally. You’ll be able to use all of Chef Automate while we migrate your earlier compliance data.

During the current day’s data migration:

  • Compliance APIs and UI (Compliance page, Scan Jobs, Asset Store) will not be responsive
  • Scan jobs and incoming scan reports (from audit cookbook or inspec exec) will not be processed

We’re promoting this release to Automate’s “current” channel—which means this upgrade goes live—at 00:01am UTC (5:01 PM PDT).
For customers who have automatic upgrades enabled, this should reduce the amount of time needed for the data migration, because you should have very little data in the current day’s results.
We recommend that customers without auto-upgrades configured run their manual upgrades upgrade at 00:01 UTC, or shortly thereafter, in order to minimize their downtime.

Upgrading manually

If your Chef Automate installation isn’t configured for auto-upgrades, you will need to upgrade manually.
We recommend that you run your manual upgrade at 00:01 UTC or shortly after to minimize downtime.

During the current day’s data migration:

  • Compliance APIs and UI (Compliance page, Scan Jobs, Asset Store) will not be responsive
  • Scan jobs and incoming scan reports (from audit cookbook or inspec exec) will not be processed

Your chef-client runs will be unaffected by the data migration and you will have access to the Event Feed, Client Runs and Settings UI.

The length of time that your system is impacted by the data migration is determined solely by the amount of data in the current date and the throughput allocated (CPU, IO, etc.) to your environment. Additionally, you may see a performance impact while older data is migrated to the new format, depending on your hardware profile and the resources assigned to the various Automate services.

We recommend taking the following steps to ensure a painless experience:

  1. Ensure that your system has an appropriate amount of heap memory assigned to Elasticsearch: https://automate.chef.io/docs/configuration/#setting-elasticsearch-heap
  2. Schedule the upgrade as close to 00:01 UTC as possible to reduce the amount of data in the current day.
  3. Test the upgrade in a non-production environment prior to upgrading if you have more than a few GBs of data. Monitor your resource consumption to ensure you have enough throughput and, if necessary, allocate more resources to minimize the impact to your system.
  4. Disable other resource intensive processes (such as backups, re-indexing, etc.) during the upgrade, or schedule them run at different time before or after the upgrade
  5. If you have problems with this upgrade, contact support for help: https://www.chef.io/support/get-started/

New Features

  • Zoom and Enhance: New Detail View for Node Manager is now available. Navigating to a node manager's detail view will display its status and a list of the nodes that belong to that node manager.

Improvements

  • Easier to ID: Client run exports now include an IP address column.
  • R-E-S-P-E-C-T: Compliance suggestions now show results that match with your selected filter.
  • Make it Better, Do it Faster: We changed the controls in the CIS Windows Server 2012R2 V2.2.1 compliance profiles to be faster and have less load on domain controller instances.

Bug Fixes

  • Once, Mice, Three Times an Exterminator: Fixed a number of controls in the CIS CentOS 7 v2.2.0 compliance profile:
    • Controls that check home directories now correctly exclude system accounts
    • Controls are now correctly marked as passed when previously marked as skipped in 6.2.10 and 6.2.13
    • Control in 6.2.10 now accounts for symlinks and directories starting with a . character
  • On Time: The compliance profiles for CIS Windows 2012, 2012R2, and 2016 should now expect a value in seconds for user lockout duration rather than minutes.

How to Upgrade

By default Chef Automate 2 will automatically upgrade to this new version. If you have disabled automatic upgrades you can manually initiate an upgrade by running:

chef-automate upgrade run

As always, we welcome your feedback and invite you to contact us directly or share your feedback online. Thanks for using Chef Automate 2!