Chef Infra Client 16.5 Released!

Hey folks,

We have a great new release for you today with new and improved resources as well as significant performance improvements.

Performance Improvements

We continue to reduce the size of the Chef Infra Client install and optimize the performance of the client. With Chef Infra Client 16.5 we've greatly reduced the startup time of the chef-client process. Startup times on macOS, Linux, and Windows hosts are now approximately 2x faster than the 16.4 release.

CLI Improvements

  • The client license acceptance logic has been improved to provide helpful error messages when an incorrect value is passed and to accept license values in any text case.
  • A new chef-client process exit code of 43 has been added to signal that an invalid configuration was specified. Thanks @NaomiReeves!
  • The knife ssh command no longer hangs when connecting to Windows nodes over SSH.
  • The knife config commands have been renamed to make them shorter and table output has been improved:
    • knife config get-profile -> knife config use
    • knife config use-profile [NAME] -> knife config use [NAME]
    • knife config list-profiles -> knife config list
    • knife config get -> knife config show

Chef InSpec 4.23.4

Chef InSpec has been updated from 4.22.1 to 4.23.4. This new release includes the following improvements:

  • A new mechanism marks inputs as sensitive: true and replaces their values with "***".
  • Use the --no-diff CLI option to suppress diff output for textual tests.
  • Control the order of controls in output, but not execution order, with the --sort_results_by=none|control|file|random CLI option.
  • Disable caching of inputs with a cache_inputs: true setting.

New Resources

chef_client_launchd

The chef_client_launchd resource allows you to configure Chef Infra Client to run as a global launchd daemon on macOS hosts. This resource mirrors the configuration of other chef_client_* resources and allows for simple out-of-the-box configuration of the daemon, while also providing advanced tunables. If you've used the chef-client cookbook in the past, you'll notice a number of improvements in the new resource including configuration update handling, splay times support, nice level support, and an out-of-the-box configuration of low IO priority execution. In order to handle restarting the Chef Infra Client launchd daemon when configuration changes occur, the resource also installs a new com.chef.restarter daemon. This daemon watches for daemon configuration changes and gracefully handles the restart to ensure the client process continues to run.

chef_client_launchd 'Setup the Chef Infra Client to run every 30 minutes' do
  interval 30
  action :enable
end

chef_client_trusted_certificate

The chef_client_trusted_certificate resource allows you to add a certificate to Chef Infra Client's trusted certificate directory. The resource handles platform-specific locations and creates the trusted certificates directory if it doesn't already exist. Once a certificate is added, it will be used by the client itself to communicate with the Chef Infra Server and by resources such as remote_file.

chef_client_trusted_certificate 'self-signed.badssl.com' do
  certificate <<~CERT
  -----BEGIN CERTIFICATE-----
  MIIDeTCCAmGgAwIBAgIJAPziuikCTox4MA0GCSqGSIb3DQEBCwUAMGIxCzAJBgNV
  BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNp
  c2NvMQ8wDQYDVQQKDAZCYWRTU0wxFTATBgNVBAMMDCouYmFkc3NsLmNvbTAeFw0x
  OTEwMDkyMzQxNTJaFw0yMTEwMDgyMzQxNTJaMGIxCzAJBgNVBAYTAlVTMRMwEQYD
  VQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMQ8wDQYDVQQK
  DAZCYWRTU0wxFTATBgNVBAMMDCouYmFkc3NsLmNvbTCCASIwDQYJKoZIhvcNAQEB
  BQADggEPADCCAQoCggEBAMIE7PiM7gTCs9hQ1XBYzJMY61yoaEmwIrX5lZ6xKyx2
  PmzAS2BMTOqytMAPgLaw+XLJhgL5XEFdEyt/ccRLvOmULlA3pmccYYz2QULFRtMW
  hyefdOsKnRFSJiFzbIRMeVXk0WvoBj1IFVKtsyjbqv9u/2CVSndrOfEk0TG23U3A
  xPxTuW1CrbV8/q71FdIzSOciccfCFHpsKOo3St/qbLVytH5aohbcabFXRNsKEqve
  ww9HdFxBIuGa+RuT5q0iBikusbpJHAwnnqP7i/dAcgCskgjZjFeEU4EFy+b+a1SY
  QCeFxxC7c3DvaRhBB0VVfPlkPz0sw6l865MaTIbRyoUCAwEAAaMyMDAwCQYDVR0T
  BAIwADAjBgNVHREEHDAaggwqLmJhZHNzbC5jb22CCmJhZHNzbC5jb20wDQYJKoZI
  hvcNAQELBQADggEBAGlwCdbPxflZfYOaukZGCaxYK6gpincX4Lla4Ui2WdeQxE95
  w7fChXvP3YkE3UYUE7mupZ0eg4ZILr/A0e7JQDsgIu/SRTUE0domCKgPZ8v99k3A
  vka4LpLK51jHJJK7EFgo3ca2nldd97GM0MU41xHFk8qaK1tWJkfrrfcGwDJ4GQPI
  iLlm6i0yHq1Qg1RypAXJy5dTlRXlCLd8ufWhhiwW0W75Va5AEnJuqpQrKwl3KQVe
  wGj67WWRgLfSr+4QG1mNvCZb2CkjZWmxkGPuoP40/y7Yu5OFqxP5tAjj4YixCYTW
  EVA0pmzIzgBg+JIe3PdRy27T0asgQW/F4TY61Yk=
  -----END CERTIFICATE-----
  CERT
end

Resource Updates

chef_client_cron

The chef_client_cron resource has been updated with a new nice property that allows you to set the nice level for the chef-client process. Nice level changes only apply to the chef-client process and not any subprocesses like ohai or system utility calls. If you need to ensure that the chef-client process does not negatively impact system performance, we highly recommend instead using the cpu_quota property in the chef_client_systemd_timer resource which applies to all child processes.

chef_client_systemd_timer

The chef_client_systemd_timer resource has been updated with a new cpu_quota property that allows you to control the systemd CPUQuota value for the chef-client process. This allows you to ensure chef-client execution doesn't adversely impact performance on your systems.

launchd

The launchd resource has been updated to better validate inputs to the nice property so we can make sure these are acceptable nice values.

mount

The mount resource on Linux has improved idempotency in some scenarios by switching to findmnt to determine the current state of the system. Thanks for reporting this issue @pollosp!

osx_profile

The osx_profile resource will now allow you to remove profiles from macOS 11 (Big Sur) systems. Due to security changes in macOS 11, it is no longer possible to locally install profiles, but this will allow you to clean up existing profiles left over after an upgrade from an earlier macOS release. The resource has been updated to resolve a regression introduced in Chef Infra Client 16.4 that caused the resource to attempt to update profiles on each converge. Thanks for reporting these issues @chilcote!

rhsm_register

The rhsm_register resource has been updated to reduce the load on the Red Hat Satellite server when checking if a system is already registered. Thanks for reporting this issue @donwlewis! A new system_name property has also been added to allow you to register a name other than the system's hostname. Thanks for this improvement @jasonwbarnett!

windows_ad_join

The windows_ad_join resource has been updated with a new reboot_delay property which allows you to control the delay time before restarting systems.

windows_firewall_profile

The windows_firewall_profile resource was updated to prevent NilClass errors from loading the firewall state.

windows_user_privilege

The windows_user_privilege resource has been updated to better validate the privilege property and to allow the users property to accept String values. Thanks for reporting this issue @jeremyciak!

Windows securable resources

All Windows securable resources now support using SID in addition to user or group name when specifying owner, group, or rights principal. These resources include the template, file, remote_file, cookbook_file, directory, and remote_directory resources. When using a SID, you may use either the standard string representation of a SID (S-R-I-S-S) or one of the SDDL string constants.

Ohai Improvements

  • Ohai now uses the same underlying code for shelling out to external commands as Chef Infra Client. This may resolve issues from determining the state on some non-English systems.
  • The Packages plugin has been updated to gather package installation information on macOS hosts.

Platform Packages

  • We are once again building Chef Infra Client packages for RHEL 7 / SLES 12 on the S390x architecture. In addition to these packages, we've also added S390x packages for RHEL 8 / SLES 15.
  • We now produce packages for Apple's upcoming macOS 11 Big Sur release.

Security

OpenSSL has been updated to 1.0.2w which includes a fix for CVE-2020-1968.

Get the Build

As always, you can download binaries directly from downloads.chef.io or by using the mixlib-install command-line utility:

$ mixlib-install download chef -v 16.5.64

Alternatively, you can install Chef Infra Client using one of the following command options:

# In Shell
$ curl https://omnitruck.chef.io/install.sh | sudo bash -s -- -P chef -v 16.5.64

# In Windows PowerShell
. { iwr -useb https://omnitruck.chef.io/install.ps1 } | iex; install -project chef -version 16.5.64

If you want to give this version a spin in Test Kitchen, create or add the following to your kitchen.yml file:

provisioner:
  product_name: chef
  product_version: 16.5.64

Enjoy,
Tim
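
For the install commands under "Get the Build" above, here is an added example (not part of the original announcement and not Chef's own tooling) that checks a downloaded package against the sha256 and version listed in Omnitruck's metadata before it is installed. It assumes the metadata is Omnitruck's tab-separated key/value text; the function names, file names and the platform values in the usage comment are illustrative.

```shell
#!/bin/sh
# Added example: verify a Chef Infra Client package before installing it.
# Assumption: the metadata file holds "key<TAB>value" lines
# (sha1, sha256, url, version), as returned by Omnitruck's metadata endpoint.

# Print the value stored for KEY in a metadata file.
# usage: metadata_field FILE KEY
metadata_field() {
  awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# Print the lowercase SHA-256 of a file (sha256sum on Linux, shasum on macOS).
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{ print tolower($1) }'
  else
    shasum -a 256 "$1" | awk '{ print tolower($1) }'
  fi
}

# Return 0 only when the package matches the metadata's sha256 AND the
# metadata describes the version that was asked for.
# Return codes: 1 = hash mismatch, 2 = metadata has no sha256, 3 = wrong version.
# usage: verify_chef_package METADATA PACKAGE VERSION
verify_chef_package() {
  vcp_expected=$(metadata_field "$1" sha256 | tr 'A-F' 'a-f')
  vcp_version=$(metadata_field "$1" version)
  if [ -z "$vcp_expected" ]; then
    echo "metadata has no sha256 entry" >&2
    return 2
  fi
  if [ "$vcp_version" != "$3" ]; then
    echo "metadata is for version '$vcp_version', wanted '$3'" >&2
    return 3
  fi
  if [ "$(file_sha256 "$2")" != "$vcp_expected" ]; then
    echo "sha256 mismatch for $2" >&2
    return 1
  fi
  return 0
}

# Typical use (platform values are samples; adjust p, pv and m for the host):
#   curl -fsSL 'https://omnitruck.chef.io/stable/chef/metadata?v=16.5.64&p=ubuntu&pv=20.04&m=x86_64' -o chef.metadata
#   curl -fsSL "$(metadata_field chef.metadata url)" -o chef.deb
#   verify_chef_package chef.metadata chef.deb 16.5.64 && sudo dpkg -i chef.deb
```

The metadata and the package are both fetched over TLS from Chef's infrastructure, so this check catches a corrupted or swapped package file and an unexpected version, and it leaves a local copy of the exact artifact that was installed.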

32-bit Arm builds (Raspberry Pi and similar) are available here: https://mattray.github.io/arm/