Hi Everyone,
We have a new release of Chef Infra Client out today packed full of improvements for configuring the Chef Infra Client, utilizing the latest and greatest PowerShell releases, and remotely executing Chef Infra Client. Be sure to check it out!
pwsh Support
We've updated multiple parts of the Chef Infra Client to fully support Microsoft's pwsh (commonly known as PowerShell Core) in addition to our previous support for PowerShell.
powershell_script resource
The powershell_script resource includes a new interpreter property that accepts either powershell or pwsh.
powershell_script 'check version table' do
code '$PSVersionTable'
interpreter 'pwsh'
end
powershell_out / powershell_exec helpers
The powershell_out and powershell_exec helpers for use in custom resources have been updated to support pwsh with a new argument that accepts either :pwsh or :powershell.
powershell_exec('$PSVersionTable', :pwsh)
Enhanced 32-bit Windows Support
The powershell_exec helper now supports the 32-bit version of Windows. This ensures many of the newer PowerShell based resources in Chef Infra Client will function as expected on 32-bit systems.
New Resources
chef_client_config
The chef_client_config resource allows you to manage Chef Infra Client's client.rb file without the need for the chef-client cookbook.
Example
chef_client_config 'Create client.rb' do
chef_server_url 'https://chef.example.dmz'
end
chef-client Cookbook Future
With the inclusion of the chef_client_config resource in Chef Infra Client 16.6, it is now possible to fully manage the Chef Infra Client without the need for the chef-client cookbook. We highly recommend using the chef_client_config, chef_client_trusted_certicate, and chef_client_* service resources to manage your clients instead of the chef-client cookbook. In the future we will mark that cookbook as deprecated, at which time it will no longer receive updates.
Here's a sample of fully managing Linux hosts with the built-in resources:
chef_client_config 'Create client.rb' do
chef_server_url 'https://chef.example.dmz'
end
chef_client_trusted_certificate "chef.example.dmz" do
certificate <<~CERT
-----BEGIN CERTIFICATE-----
MIIDeTCCAmGgAwIBAgIJAPziuikCTox4MA0GCSqGSIb3DQEBCwUAMGIxCzAJBgNV
BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNp
c2NvMQ8wDQYDVQQKDAZCYWRTU0wxFTATBgNVBAMMDCouYmFkc3NsLmNvbTAeFw0x
OTEwMDkyMzQxNTJaFw0yMTEwMDgyMzQxNTJaMGIxCzAJBgNVBAYTAlVTMRMwEQYD
VQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMQ8wDQYDVQQK
DAZCYWRTU0wxFTATBgNVBAMMDCouYmFkc3NsLmNvbTCCASIwDQYJKoZIhvcNAQEB
BQADggEPADCCAQoCggEBAMIE7PiM7gTCs9hQ1XBYzJMY61yoaEmwIrX5lZ6xKyx2
PmzAS2BMTOqytMAPgLaw+XLJhgL5XEFdEyt/ccRLvOmULlA3pmccYYz2QULFRtMW
hyefdOsKnRFSJiFzbIRMeVXk0WvoBj1IFVKtsyjbqv9u/2CVSndrOfEk0TG23U3A
xPxTuW1CrbV8/q71FdIzSOciccfCFHpsKOo3St/qbLVytH5aohbcabFXRNsKEqve
ww9HdFxBIuGa+RuT5q0iBikusbpJHAwnnqP7i/dAcgCskgjZjFeEU4EFy+b+a1SY
QCeFxxC7c3DvaRhBB0VVfPlkPz0sw6l865MaTIbRyoUCAwEAAaMyMDAwCQYDVR0T
BAIwADAjBgNVHREEHDAaggwqLmJhZHNzbC5jb22CCmJhZHNzbC5jb20wDQYJKoZI
hvcNAQELBQADggEBAGlwCdbPxflZfYOaukZGCaxYK6gpincX4Lla4Ui2WdeQxE95
w7fChXvP3YkE3UYUE7mupZ0eg4ZILr/A0e7JQDsgIu/SRTUE0domCKgPZ8v99k3A
vka4LpLK51jHJJK7EFgo3ca2nldd97GM0MU41xHFk8qaK1tWJkfrrfcGwDJ4GQPI
iLlm6i0yHq1Qg1RypAXJy5dTlRXlCLd8ufWhhiwW0W75Va5AEnJuqpQrKwl3KQVe
wGj67WWRgLfSr+4QG1mNvCZb2CkjZWmxkGPuoP40/y7Yu5OFqxP5tAjj4YixCYTW
EVA0pmzIzgBg+JIe3PdRy27T0asgQW/F4TY61Yk=
-----END CERTIFICATE-----
CERT
end
chef_client_systemd_timer "Run chef-client as a systemd timer" do
interval "1hr"
cpu_quota 50
end
Target Mode Improvements
Chef Infra Client 16 introduced an experimental Target Mode feature for executing resources remotely against hosts that do not have a Chef Infra Client or even Ruby installed. For Chef Infra Client 16.6 we've improved this functionality by converting the majority of the Ohai plugins to run remotely. This means when using Target Mode you'll have the majority of Ohai data as if the Chef Infra Client was installed on the node. Keep in mind this data collection can be time consuming over high latency network connections, and cloud plugins which fetch metadata cannot currently be run remotely. Ohai also now includes a --target option for remote data gathering, which accepts a Train URI: ohai --target ssh://foobar.example.org/. We still consider Target Mode to be an experimental feature, and we'd love your feedback on what works and what doesn't in your environment.
Updated Resources
ifconfig
The ifconfig resource has been updated to no longer add empty blank lines to the configuration files. Thanks for this improvement @jmherbst!
windows_audit_policy
The windows_audit_policy resource has been updated to fix a bug on failure-only auditing.
Ohai Improvements
Passwd Plugin For Windows
The optional Ohai Passwd plugin now supports Windows hosts in addition to Unix-like systems. To collect user/group data on Windows hosts you can use the ohai_optional_plugins property in the new chef_client_config resource to enable this plugin.
chef_client_config 'Create client.rb' do
chef_server_url 'https://chef.example.dmz'
ohai_optional_plugins [:Passwd]
end
Thanks for adding Windows support to this plugin @jaymzh!
Improved Azure Detection
The Azure plugin has been improved to better detect Windows hosts running on Azure. The plugin will now look for DHCP with the domain of reddog.microsoft.com. Thanks for this improvement @jasonwbarnett!
EC2 IAM Role Data
Ohai now collects IAM Role data on EC2 hosts including the role name and info. To address potential security concerns the data we collect is sanitized to ensure we don't report security credentials to the Chef Infra Server. Thanks for this improvement @kcbraunschweig!
Security
Ruby has been updated to 2.7.2, which includes a fix for CVE-2020-25613.
Get the Build
As always, you can download binaries directly from downloads.chef.io or by using the mixlib-install command-line utility:
$ mixlib-install download chef -v 16.6.14
Alternatively, you can install Chef Infra Client using one of the following command options:
# In Shell
$ curl https://omnitruck.chef.io/install.sh | sudo bash -s -- -P chef -v 16.6.14
# In Windows Powershell
. { iwr -useb https://omnitruck.chef.io/install.ps1 } | iex; install -project chef -version 16.6.14
If you want to give this version a spin in Test Kitchen, create or add the following to your kitchen.yml file:
provisioner:
product_name: chef
product_version: 16.6.14
Enjoy,
Tim