Release Announcement for Chef Automate 0.6.6
We are delighted to announce release 0.6.6 of Chef Automate. The release is available for download from https://downloads.chef.io/automate.
New Feature: Chef Automate Backup & Restore
Chef Automate now provides a full suite of tools for creating, managing and restoring backup archives and Elasticsearch snapshots. This new feature also supports Amazon Web Services (AWS) S3. Please read the documentation for more information and the full list of commands.
New Feature: SSH-based Runners
In addition to dispatching jobs to build nodes, workflow now supports dispatching jobs to runners. Think of runners as build nodes v2. They can run all the jobs associated with workflow phases, and bring a lot of new features to the table.
Runners feature the following improvements:
- Runners can be managed via the workflow GUI
- The runner job queue can be viewed via the workflow GUI
- Users may cancel running jobs assigned to runners via the GUI
- Runners use SSH as the transport rather than Push Jobs, so no Push Jobs agent is required
Runners can be used side-by-side with build nodes connected to the same Chef Automate server. The choice of which job dispatch system to use, build nodes or runners, is configured per-project. For more information, please see the runner documentation.
PLEASE NOTE: This version shipped a bug with the install-runner command. The runner incorrectly assumed that it should be configured to use a chef_server_proxy in all cases. We’ve fixed this bug in Chef Automate 0.6.7. If you run into this bug, please upgrade to 0.6.7 or later.
New Feature: Backend Data Store Authentication
Please note that if you access Elasticsearch directly or use the provided Kibana UI, an authenticated Chef Automate session is now required. The Chef Automate Elasticsearch endpoint and the Kibana UI now use the same authentication mechanisms as the rest of Chef Automate to ensure your data is safe. More details about the new authentication mechanism and how it’s configured can be found in the documentation.
Feature Improvements: Visibility
- Tokenless Visibility Data Collection: Chef client automatically sends Visibility data to Automate with no extra configuration; instead of a token, Chef will authenticate using Chef client’s key pair. To start using the feature, you need to have Chef client version 12.16.42 or higher and Chef server version 12.11.0. The token and data collector service will need to be configured; see the chef_server.rb documentation.
- Chef Automate welcome message box: Upon login, if Chef Automate has not yet been configured to send data to visibility, a welcome message box will appear asking if users need help. Users can close the welcome message box and navigate back to it through the drop-down menu on the right side navigation.
- Delete nodes from visibility: New automate-ctl commands for deleting nodes from visibility
Feature Improvements: Compliance
Chef Automate now allows you to store and retrieve compliance profiles. This lets you use it as a storage backend with the audit cookbook. Because visibility already displays your nodes’ compliance status, this further tightens the integration of compliance, powered by InSpec, into Chef Automate.
To download profiles and report InSpec scans in Chef Automate you require the audit cookbook at version v2.2.0 or newer. For its configuration, take a look at this guide.
Compliance can use a token-based authentication system, or Chef server-based clients can authenticate against the server. The token and compliance service will need to be configured in Chef server; for details, see the chef_server.rb documentation.
- The command line interface for the Chef Automate server has been renamed from delivery-ctl to automate-ctl. All subcommands remain the same. The change is backward compatible, so delivery-ctl commands will still function.
- New gather logs command via automate-ctl
- Chef Automate now allows you to reset the password of a user via the server’s command line interface
- Addressed http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5461
- Addressed https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8080
- Addressed https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7458
- Addressed https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4450
- Bumped OpenSSL from 1.0.1 to 1.0.2
- Updated ssh settings to improve security
- SAML integration is now compatible with SAML IdPs that require md:Organization fields
- Removed unauthenticated access to the postgres database and protected the Erlang cookie to prevent local users from accessing the database via the Erlang remote shell
- The runner utilization graph on the welcome page now correctly displays runner status
- Several references to ‘Delivery’ in the GUI have been changed to ‘Chef Automate’, including the title of Slack messages created for workflow project events
We encourage you to upgrade often. As always, we welcome your feedback and invite you to contact us directly or participate in our feedback forum. Thanks for using Chef Automate and, for US-based folks, have a happy Thanksgiving.