Hey folks,
I'm pleased to announce that this morning we released Chef Infra Client 17, our yearly major release of the Chef Infra Client. This new release includes a new Compliance Phase as well as a number of improvements to system detection and our built-in resources. Be sure to check it out!
What's New in 17.0
Compliance Phase
Chef Infra Client's new Compliance Phase allows users to automatically execute compliance audits and view the results in Chef Automate as part of any Chef Infra Client Run. This new phase of the Chef Infra Client run replaces the legacy audit cookbook and works using the existing audit cookbook attributes. With this new phase, you'll always have the latest compliance capabilities out of the box without the need to manage cookbook dependencies or juggle versions during Chef Infra Client updates.
The Compliance Phase also features a new compliance reporter: cli. This reporter mimics the InSpec command line output giving you a visual indication of your system's compliance status. Thanks for this new reporter @aknarts.
Existing audit cookbook users can migrate to the new Compliance Phase by removing the audit cookbook from their run_list and setting the node['audit']['compliance_phase'] attribute to true.
For more information see our on-demand webinar Configure Chef Infra & Compliance Using Built-In Functionality
Ruby 3
Chef Infra Client 17 packages now ship with embedded Ruby 3.0. This new release of Ruby improves performance and offers many new language improvements for those writing advanced custom resources. See the ruby-lang.org Ruby 3.0 Announcement for additional details on what's new and improved in Ruby 3.0.
Knife Moved to Workstation
For historical packaging reasons the Chef Infra Client packages have always shipped with the knife command for managing your Chef Infra nodes. With Chef Workstation there's no benefit to shipping knife in the Chef Infra Client package and there are several downsides. Shipping management tooling within the client is seen as a security risk by many and increases the size of the Chef Infra Client codebase by adding a large number of management dependencies. With Chef Infra Client 17 we've split knife into its own Ruby Gem, which will continue to ship in Chef Workstation, but will no longer come bundled with Chef Infra Client. We hope you'll enjoy the new faster and smaller Chef Infra Client while continuing to use knife in Chef Workstation uninterrupted.
Breaking Changes
AIX Virtualization Improvements
The Ohai :Virtualization plugin on AIX systems will now properly return the lpar_no and wpar_no values as Integers instead of Strings. This makes the data much easier to work with in cookbooks, but may be a breaking change depending on how AIX users consumed these values.
32bit RHEL/CentOS 6 Support
We will not produce Chef Infra Client 17 packages for 32bit RHEL/CentOS 6 systems. RHEL/CentOS 6 reached EOL in November 2020. We are extending support for 64-bit RHEL/CentOS 6 until Chef Infra Client 18 (April 2022) or when upstream platform or library changes prevent us from building on these systems that are at the end of their lifecycle.
Chef Client As A Service on Windows
Based on customer feedback and observations in the field we've removed the ability to run the Chef Infra Client as a service on Windows nodes. We've seen the service manager for the Chef Infra Client consume excessive memory, hang preventing runs, or prevent nodes from updating to new client releases properly. We've always seen significantly better reliability by running Chef Infra Client as a scheduled task on Windows and in July of 2006 we introduced warnings to the chef-client cookbook when running as a service. The ability to set up the client as a service was later removed from the cookbook entirely in October of 2017.
For customers currently running Chef Infra Client as a service, we advise migrating to scheduled task-based execution. This allows for complex scheduling scenarios not possible with simple services, such as skipping Chef Infra Client execution on systems running on battery power or running the Chef Infra Client immediately after a system boot to ensure configuration.
Chef Infra Client can be configured to run as a scheduled task using the chef-client cookbook or ideally using the chef_client_scheduled_task resource built into Chef Infra Client 16 or later. For users already running as a service, setting up the scheduled task and then stopping the existing service can be performed within a Chef Infra Client run to migrate systems.
Gem Resource Ruby 1.9+
The gem resource used to install Ruby Gems into the system's Ruby installation will now assume Ruby 1.9 or later. As Ruby 1.8 and below reached end of life almost 7 years ago, we believe there is little to no impact in this change.
Legacy node['filesystem2'] removed on AIX/Solaris/FreeBSD
The legacy node['filesystem2'] attributes left over from our multi-year migration of filesystem data on AIX, Solaris, and FreeBSD systems have been removed. This same data is now available at node['filesystem'].
node['filesystem'] Uses Updated Format on Windows
In Chef Infra Client 16 we introduced node['filesystem2'] on Windows to complete our migration to a unified structure for filesystem data regardless of platform. In Chef Infra Client 17 we are updating node['filesystem'] on Windows with this same unified format. Both node attributes now have the same data allowing users to more easily migrate filesystem2 to filesystem in their cookbooks. In Chef Infra Client 18, we will remove node['filesystem2'] completely finishing our multi-year migration of Ohai filesystem data format.
Removed Antergos and Pidora Detection
Ohai detection of the end-of-life Antergos and Pidora distributions has been removed. Antergos ended releases and downloads of the distribution in May 2019 and Pidora stopped receiving updates in 2014.
Infra Language Improvements
Lazy Attribute Loading
A common problem when using the "wrapper cookbook" pattern is when the wrapped cookbook declares what are called "derived attributes", which are attributes that refer to other attributes. Because of the order that attribute files are parsed in, this does not work as intended when the base attribute is changed in a wrapper cookbook. By extending the use of the lazy {} helper to the declaration of node attributes, it makes it possible for the wrapped cookbook to cleanly allow wrapper cookbooks to override base attributes as intended.
Use the lazy helper:
default['myapp']['dir'] = '/opt/myapp'
default['myapp']['bindir'] = lazy { "#{node['myapp']['dir']}/bin" }
Instead of:
default['myapp']['dir'] = '/opt/myapp'
default['myapp']['bindir'] = "#{node['myapp']['dir']}/bin"
With the lazy helper the wrapper cookbook can then override the base attribute and the derived attribute will change:
default['myapp']['dir'] = "/opt/my_better_app" # this also changes the bindir attribute correctly
The use of this helper is not limited to declarations in attribute files and can be used whenever attributes are being assigned. For a complete description of the capabilities of lazy attribute evaluation see "Add support for lazy attributes" by lamont-granquist (Pull Request #10861, chef/chef on GitHub).
Custom Resource Property Defaults
Chef Infra Client's handling of default property values in Custom Resources has been improved to avoid potential Ruby errors. These values are now duplicated internally allowing them to be modified by the user in their recipes without potentially receiving fatal frozen value modification errors.
effortless? helper
A new effortless? helper identifies if a system is running Chef Infra Client using the Effortless Pattern.
reboot_pending? Improvements
The reboot_pending? helper now works on all Debian based platforms instead of just Ubuntu.
Resource Improvements
Logging Improvements
A large number of resources have seen improvements to the logging available in the debug log level providing better information for troubleshooting Chef Infra Client execution. Thanks for this improvement @jaymzh!
apt_package
The apt_package resource now properly handles downgrading package versions. Please note that full versions must be provided in the version property and invalid version strings will now raise an error. Thanks for this improvement @jaymzh!
chef_client_launchd / macosx_service
The chef_client_launchd and macosx_service resources have been updated to use the full path to the launchctl command. This avoids failures running these resources with incorrect PATH environment variables. Thanks for this improvement @krackajak!
execute
The execute resource includes a new login property allowing you to run commands with a login shell. This helps ensure you have all potential environment variables defined in the user's shell.
hostname
The hostname resource now includes a new fqdn property to allow you to set a custom fqdn in the hostname file in addition to the system's hostname. Thanks for suggesting this improvement @evandam!
systemd_unit
The systemd_unit resource has been improved to only shell out once to determine the state of the systemd unit. This optimization should result in significant performance improvements when using large numbers of systemd_unit resources. Thanks @joshuamiller01!
windows_certificate
The windows_certificate resource has undergone a large overhaul, with improved support for importing and exporting certificate objects, the ability to create certificate objects from a URL, and a new output_path property for use with exporting.
windows_task
The windows_task resource now has a new backup property that allows you to control the number of XML backups that will be kept of your Windows Scheduled Task definition. The default for this setting is 5 and can be disabled by setting the property to false. Thanks @kimbernator!
Ohai
Podman Detection
Ohai now includes detection for hosts running the Podman containerization engine or Chef Infra Client running in containers under Podman.
For hosts the following attributes will be set:
{
  "systems": {
    "podman": "host"
  },
  "system": "podman",
  "role": "host"
}
For Chef Infra Client within containers the following attributes will be set:
{
  "systems": {
    "podman": "guest"
  },
  "system": "podman",
  "role": "guest"
}
Thanks for this addition @ramereth!
Habitat Support
Ohai includes a new :Habitat plugin that gathers information about the Habitat installation, including installed Habitat version, installed packages, and running services.
Sample Habitat attribute output:
{
  "version": "1.6.288/20210402191717",
  "packages": [
    "core/busybox-static/1.31.0/20200306011713",
    "core/bzip2/1.0.8/20200305225842",
    "core/cacerts/2020.01.01/20200306005234",
    "core/gcc-libs/9.1.0/20200305225533",
    "core/glibc/2.29/20200305172459",
    "core/hab-launcher/15358/20210402194815",
    "core/hab-sup/1.6.288/20210402194826",
    "core/libedit/3.1.20150325/20200319193649",
    "core/libsodium/1.0.18/20200319192446",
    "core/linux-headers/4.19.62/20200305172241",
    "core/ncurses/6.1/20200305230210",
    "core/nginx/1.18.0/20200506101012",
    "core/openssl-fips/2.0.16/20200306005307",
    "core/openssl/1.0.2t/20200306005450",
    "core/pcre/8.42/20200305232429",
    "core/zeromq/4.3.1/20200319192759",
    "core/zlib/1.2.11/20200305174519"
  ],
  "services": [
    {
      "identity": "core/nginx/1.18.0/20200506101012",
      "topology": "standalone",
      "state_desired": "up",
      "state_actual": "up"
    }
  ]
}
Alibaba Detection
Ohai now includes detection of nodes running on the Alibaba cloud and supports gathering Alibaba instance metadata.
Sample node['alibaba'] values:
{
  "meta_data": {
    "dns_conf_": "nameservers",
    "eipv4": "47.89.242.123",
    "hibernation_": "configured",
    "hostname": "1234",
    "image_id": "aliyun_2_1903_x64_20G_alibase_20210120.vhd",
    "instance_id": "i-12345",
    "instance_": {
      "instance_type": "ecs.t6-c2m1.large",
      "last_host_landing_time": "2021-02-07 19:10:04",
      "max_netbw_egress": 81920,
      "max_netbw_ingress": 81920,
      "virtualization_solution": "ECS Virt",
      "virtualization_solution_version": 2.0
    },
    "mac": "00:16:3e:00:d9:01",
    "network_type": "vpc",
    "network_": "interfaces/",
    "ntp_conf_": "ntp-servers",
    "owner_account_id": 1234,
    "private_ipv4": "172.25.58.242",
    "region_id": "us-west-1",
    "serial_number": "ac344378-4d5d-4b9e-851b-1234",
    "source_address": "http://us1.mirrors.cloud.aliyuncs.com",
    "sub_private_ipv4_list": "172.25.58.243",
    "vpc_cidr_block": "172.16.0.0/12",
    "vpc_id": "vpc-1234",
    "vswitch_cidr_block": "172.25.48.0/20",
    "vswitch_id": "vsw-rj9eiw6yqh6zll23h0tlt",
    "zone_id": "us-west-1b"
  },
  "user_data": null,
  "dynamic": "instance-identity",
  "global_config": null,
  "maintenance": "active-system-events"
}
Sample node['cloud'] values:
{
  "public_ipv4_addrs": [
    "47.89.242.123"
  ],
  "local_ipv4_addrs": [
    "172.25.58.242"
  ],
  "provider": "alibaba",
  "local_hostname": "123",
  "public_ipv4": "47.89.242.123",
  "local_ipv4": "172.25.58.242"
}
The Chef Infra Language now includes an alibaba? helper method to check for instances running on Alibaba as well.
Improved Linux CPU Data
Data collection in the :Cpu plugin on Linux has been greatly expanded to give enhanced information on architecture, cache, virtualization status, and overall model and configuration data. Thanks for this addition @ramereth!
Packaging Improvements
PowerPC RHEL FIPS Support
We now produce FIPS capable packages for RHEL on PowerPC.
Sample client.rb on *nix Platforms
On AIX, Solaris, macOS, and Linux platforms the Chef Infra Client packages will now create the various configuration directories under /etc/chef as well as a sample /etc/chef/client.rb file to make it easier to get started running the client.
New Deprecations
Unified Mode in Custom Resources
In Chef Infra Client 16 we introduced Unified Mode allowing you to collapse the sometimes confusing compile and converge phases into a single unified phase. Unified mode makes it easier to write and troubleshoot failures in custom resources and for Chef Infra Client 18 we plan to make this the default execution phase for custom resources. We've backported the unified mode feature to the Chef Infra Client 14 and 15 systems and for Chef Infra Client 17 we will now begin warning if resources don't explicitly set this new mode. Enabling unified mode now lets you validate that resources will continue to function as expected in Chef Infra Client 18. To enable unified mode in your resource, add unified_mode true to the file.
Get the Build
As always, you can download binaries directly from downloads.chef.io or by using the mixlib-install command-line utility:
$ mixlib-install download chef -v 17.0.242
Alternatively, you can install Chef Infra Client using one of the following command options:
# In Shell
$ curl https://omnitruck.chef.io/install.sh | sudo bash -s -- -P chef -v 17.0.242
# In Windows Powershell
. { iwr -useb https://omnitruck.chef.io/install.ps1 } | iex; install -project chef -version 17.0.242
If you want to give this version a spin in Test Kitchen, create or add the following to your kitchen.yml file:
provisioner:
  product_name: chef
  product_version: 17.0.242
Enjoy,
Tim
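
For the Compliance Phase migration described above (remove the audit cookbook from the run_list and set node['audit']['compliance_phase'] to true), a small Ruby check over exported node objects can list the nodes that have not completed both steps. This is an added example, not part of the original announcement and not Chef's own code; the node names and values are constructed, the input shape is assumed to match what knife node show NODE -l -F json prints, and the helper names are hypothetical.

```ruby
require 'json'

# Constructed node objects (made-up names and values). Assumed shape: a run_list
# plus one attribute hash per precedence level, as in `knife node show -l -F json`.
SAMPLE_NODES = JSON.parse(<<~NODES)
  [
    {"name": "web01", "run_list": ["recipe[base]", "recipe[audit::default]"],
     "default": {}, "normal": {}, "override": {}},
    {"name": "web02", "run_list": ["recipe[base]"],
     "default": {"audit": {"compliance_phase": false}}, "normal": {}, "override": {}},
    {"name": "web03", "run_list": ["role[web]", "recipe[auditd]"],
     "default": {"audit": {"compliance_phase": false}},
     "normal": {}, "override": {"audit": {"compliance_phase": true}}}
  ]
NODES

# Matches a direct run_list entry for the audit cookbook, e.g. recipe[audit],
# recipe[audit::default] or recipe[audit@1.2.3]; recipe[auditd] must not match.
# Entries pulled in through roles or cookbook dependencies are not expanded here.
AUDIT_ENTRY = /\A(?:recipe\[)?audit(?:::[\w-]+)?(?:@[\d.]+)?\]?\z/

def audit_in_run_list?(node)
  Array(node['run_list']).any? { |entry| entry.match?(AUDIT_ENTRY) }
end

# Simplified precedence (override > normal > default); role, environment and
# force_* levels are not modelled.
def compliance_phase(node)
  %w[override normal default].each do |level|
    value = node.dig(level, 'audit', 'compliance_phase')
    return value unless value.nil?
  end
  nil
end

# Returns the migration steps from the announcement that a node has not completed.
def migration_findings(node)
  findings = []
  findings << 'audit cookbook still in run_list' if audit_in_run_list?(node)
  phase = compliance_phase(node)
  findings << "node['audit']['compliance_phase'] is #{phase.inspect}, not true" unless phase == true
  findings
end

SAMPLE_NODES.each do |n|
  findings = migration_findings(n)
  puts "#{n['name']}: #{findings.empty? ? 'migrated' : findings.join('; ')}"
end
```
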