Chef Automate Release 1.6.87


#1

We are delighted to announce release 1.6.87 of Chef Automate. The release is available for download from https://downloads.chef.io/automate.

Important Upgrade Notes

This release contains significant updates to the platform; please read these release notes carefully. Before you upgrade, please take a complete backup of your Chef Automate server.

If you are upgrading from Chef Automate 0.8.5 or earlier to this release via backup/restore (rather than upgrading in place), please see this important note. Customers who upgrade the server in place can disregard.

New Features

Elasticsearch Updates
We’ve improved Chef Automate’s data handling resulting in a 20% decrease in on-disk index size for converge and compliance data going forward. The bundled version of Elasticsearch was upgraded from version 2.3 to 5.4.1 providing many performance and resiliency benefits.

Before you install this release, please take a complete backup of your Chef Automate server. Data will be migrated to new Elasticsearch indices as part of the reconfigure after installation; the process requires no user interaction. After upgrading, note that backups made with version 1.6.87 or later cannot be restored to earlier versions of Chef Automate.

Compatibility Notes:
If you are operating an external Elasticsearch cluster with Chef Automate, it must be upgraded to a 5.x version for compatibility with this release.

Kibana Updates
Paired with the Elasticsearch upgrade, a matching Kibana version is a requirement for interoperability. The upgrade to version 5.4.1 of Kibana in this release should have no material impact to Chef Automate’s functionality. Note that we are not upgrading Logstash at this time and Chef Automate will remain on version 2.x; customers using external ELK systems should ensure they also remain on Logstash 2.x.

Kibana is no longer enabled by default as of this release of Chef Automate. Please refer to these instructions if you would like to enable Kibana after the upgrade, and for information about using custom dashboards created with earlier versions.

Notifications – Open Beta
We are delighted to invite all customers to participate in our open beta for notifications. Chef Automate now supports simple configuration of Slack or webhook notifications for Chef client run failures and critical compliance control failures.

To get started using notifications, navigate to the nodes tab in Chef Automate and type beta anywhere in the UI. The beta feature flag menu will allow you to toggle on the new notifications sub-tab in the nodes view. We’d love to get your feedback – please join us at Chef Success Slack in the #automate-notification channel or share your thoughts at https://feedback.chef.io/.

Updated Compliance Profiles
All compliance profiles have been updated to include the build number of the profile. This change was necessary to track updates to CIS profiles which received changes without the official version number increasing. For example, a number of improvements were made to tests in the RHEL profile family. Additionally, incorrectly formatted descriptions have been updated and improved.

CSV Export for Compliance Reports
In addition to the existing JSON export of compliance reports we have introduced the option to export a CSV file as well. The button in the top right corner of the compliance reporting view was updated to give the user the choice between exporting to JSON and exporting to CSV. As part of this change we also export node name information alongside node IDs.

Control Filter for Compliance
An additional filter was added to the search bar in the compliance reporting view. It allows users to search for specific controls and filter the view around these. In the past, it was only possible to search and filter the view around entire profiles, which didn’t cover cases where users asked for more fine-grained control. Please note: this mechanism will filter the list of nodes and profiles but the summary information is still calculated for the entire node and profile, not just for the control.

Node Compliance View and History
This new view allows users to inspect the current and historic state of a node’s compliance assessment. In addition to the already included trendgraph, users can now see the node state and its entire scan history via the node view of all compliance reports.

New Search Bar on Nodes View
We’ve rebuilt the search bar on the nodes view to be easier to use, and have added the ability to filter nodes by platform. The original search bar will remain available under the legacy flag for three months. Complete details on searching for nodes can be found in Chef docs. If you have trouble with the new search bar and find yourself continuing to use the legacy version, please contact us with your feedback.

Delete Node Improvements
There is now a delete-node subcommand for automate-ctl to delete a node and its corresponding history. This replaces delete-visibility-node, which would remove the node from Chef Automate views but did not delete any data. For more information, see the automate-ctl docs.

FIPS Support for Nginx
Chef Automate runs in a FIPS 140-2 compliant mode when the operating system kernel is configured similarly or when fips['enable'] = true is set in /etc/delivery/delivery.rb. When Chef Automate is configured for FIPS mode, this will also now configure Nginx to use the OpenSSL FIPS validated container.

Resolved Issues

  • Fixed an issue where automate-ctl install-runner was not prompting for a password
  • The automate-ctl cleanse command has been fixed to behave as documented
  • The Chef Automate UI no longer has issues when accessed through the IP address or anything not configured as its FQDN
  • Fixed an issue that caused automate-ctl reconfigure to hang for several minutes when Chef’s product telemetry endpoint was not reachable
  • Compliance scan results now display their latest timestamp
  • Profile updates are now available from the profiles screen whenever a new version is released
  • Fixed an issue that limited the list of compliance profiles in the report to 10
  • Small UI fixes in the compliance view around scan results filter, profile suggestions, and reports with multiple scan results

We encourage you to upgrade often. As always, we welcome your feedback and invite you to contact us directly or participate in our feedback forum. Thanks for using Chef Automate!


#3

Note that an earlier version of these release notes stated that customers using Chef Backend for high availability of Chef Server should not upgrade to this release of Chef Automate. This dependency was incorrect; customers can safely upgrade to this release. We will have a new release of Chef Backend coming soon that includes the upgrade to Elasticsearch 5.x, but this is not a requirement for compatibility with Chef Automate 1.6.x.