Hey folks!
We have a great new Chef Infra Client release to announce today with updated resources, a new way to write streamlined custom resources, and updated platform support!
Custom Resource Unified Mode
Chef Infra Client 15.3 introduces an exciting new way to easily write custom resources that mix built-in Chef Infra resources with Ruby code. Previously custom resources would use Chef Infra's standard compile and converge phases, which meant that Ruby would be evaluated first and then the resources would be converged. This often results in confusing and undesirable behavior when you are trying to mix resources with Ruby logic. Many custom resource authors would attempt to get around this by forcing resources to run at compile time so that all the code in their resource would execute during the compile phase.
An example of forcing a resource to run at compile time:
resource_name 'foo' do
  action :nothing
end.run_action(:some_action)
With unified mode, you opt in to a single phase per resource where all Ruby and Chef Infra resources are executed at once. This makes it far easier to determine how your code will be evaluated and run. Additionally, you no longer need to force any resources to run at compile time, as all code is run in the compile phase. To enable this new mode just add unified_mode true to your resources like this:
property :Some_property, String
unified_mode true
action :create do
  # some code
end
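A simplified model of the ordering difference described above, as an added example in plain Ruby (not Chef Infra's own code; ToyRun, run_action_body and the file path are hypothetical). It shows why Ruby that reads back what a resource wrote sees nothing under the two-phase model and sees the value under unified mode:

```ruby
# Toy model of resource execution order; not Chef's real classes.
class ToyRun
  attr_reader :log

  def initialize(unified_mode:)
    @unified_mode = unified_mode
    @collection = []   # resources queued for the converge phase
    @log = []          # order in which things actually happened
  end

  # Declare a resource. Two-phase mode only queues it; unified mode runs it now.
  def resource(name, &action)
    if @unified_mode
      execute(name, action)
    else
      @collection << [name, action]
    end
  end

  # Plain Ruby in a resource body runs as soon as it is evaluated.
  def ruby(label)
    @log << "ruby: #{label}"
    yield if block_given?
  end

  # Converge phase: run whatever was queued during compile.
  def converge
    @collection.each { |name, action| execute(name, action) }
    @collection.clear
    self
  end

  private

  def execute(name, action)
    @log << "resource: #{name}"
    action&.call
  end
end

# Constructed action body: a resource writes a config file, then Ruby reads it.
def run_action_body(unified_mode:)
  files = {}
  seen = nil
  run = ToyRun.new(unified_mode: unified_mode)
  run.resource('file[/etc/app.conf]') { files['/etc/app.conf'] = 'port=8443' }
  run.ruby('read config') { seen = files['/etc/app.conf'] }
  run.converge
  { order: run.log, ruby_saw: seen }
end
```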
Interval Mode Now Fails on Windows
Chef Infra Client 15.3 will now raise an error if you attempt to keep the chef-client process running long-term by enabling interval runs. Interval runs have already raised failures on non-Windows platforms and we've suggested that users move away from them on Windows for many years. The long-running chef-client process on Windows will load and reload cookbooks over each other in memory. This could produce a running state which is not a representation of the cookbook code that the authors wrote or tested, and behavior that may be wildly different depending on how long the chef-client process has been running and on the sequence that the cookbooks were uploaded.
Updated Resources
ifconfig
The ifconfig resource has been updated to properly support interfaces with a hyphen in their name. This is most commonly encountered with bridge interfaces that are named br-1234.
archive_file
The archive_file resource now supports archives in the RAR 5.0 format as well as zip files compressed using xz, lzma, ppmd8 and bzip2 compression.
user
macOS 10.14 / 10.15 support
The user resource now supports the creation of users on macOS 10.14 and 10.15 systems. The updated resource now complies with macOS TCC policies by using a user with admin privileges to create and modify users. The following new properties have been added for macOS user creation:
- admin sets a user to be an admin.
- admin_username and admin_password define the admin user credentials required for toggling SecureToken for a user. The value of 'admin_username' must correspond to a system user that is part of the 'admin' group with SecureToken enabled in order to toggle SecureToken.
- secure_token is a boolean property that sets the desired state for SecureToken. FileVault requires a SecureToken for full disk encryption.
- secure_token_password is the plaintext password required to enable or disable secure_token for a user. If no salt is specified we assume the 'password' property corresponds to a plaintext password and will attempt to use it in place of secure_token_password if it is not set.
Password property is now sensitive
The password property is now set to sensitive to prevent the password from being shown in debug or failure logs.
gid property can now be a string
The gid property now allows specifying the user's gid as a string. For example:
user 'tim' do
  gid '123'
end
Platform Support Updates
macOS 10.15 Support
Chef Infra Client is now validated against macOS 10.15 (Catalina) with packages now available at downloads.chef.io and via the Omnitruck API. Additionally, Chef Infra Client will no longer be validated against macOS 10.12.
AIX 7.2
Chef Infra Client is now validated against AIX 7.2 with packages now available at downloads.chef.io and via the Omnitruck API.
Chef InSpec 4.16
Chef InSpec has been updated from 4.10.4 to 4.16.0 with the following changes:
- A new postfix_conf resource has been added for inspecting Postfix configuration files.
- A new plugins section has been added to the InSpec configuration file which can be used to pass secrets or other configurations into Chef InSpec plugins.
- The service resource now includes a new startname property for determining which user is starting the Windows services.
- The groups resource now properly gathers membership information on macOS hosts.
Security Updates
Ruby
Ruby has been updated from 2.6.3 to 2.6.4 in order to resolve CVE-2012-6708 and CVE-2015-9251.
openssl
openssl has been updated from 1.0.2s to 1.0.2t in order to resolve CVE-2019-1563 and CVE-2019-1547.
nokogiri
nokogiri has been updated from 1.10.2 to 1.10.4 in order to resolve CVE-2019-5477.
Get the Build
As always, you can download binaries directly from downloads.chef.io or by using the mixlib-install command line utility:
$ mixlib-install download chef -v 15.3.14
Alternatively, you can install Chef Infra Client using one of the following command options:
# In Shell
$ curl https://omnitruck.chef.io/install.sh | sudo bash -s -- -P chef -v 15.3.14
# In Windows Powershell
. { iwr -useb https://omnitruck.chef.io/install.ps1 } | iex; install -project chef -version 15.3.14
If you want to give this version a spin in Test Kitchen, create or add the following to your kitchen.yml file:
provisioner:
  product_name: chef
  product_version: 15.3.14
Enjoy,
Tim