Hey Everyone,
Today we released Chef Infra Client 17.3. This release is by far our largest "minor" release ever and it includes even more new functionality than we shipped in 17.0. Be sure to check out everything that's new, and let us know what you think on Community Slack.
What's New in 17.3
Compliance Phase Improvements
Chef InSpec 4.38
We've updated Chef InSpec from 4.37.23 to 4.38.3:
New Features
- Added a new mongodb_conf resource.
Bug Fixes
- Changed the Windows local pipe server connection to retry once on EPIPE.
- Exceptions are now handled correctly in the oracledb_session resource.
- Fixed the mysql_session resource to raise an exception if there is an error in a connection or query.
- Fixed the postgres_session resource to raise an exception if there is an error in a connection or query.
Run Lists with Policyfiles
You can now optionally execute Chef Infra Client with a specified run list on nodes that are managed with Policyfiles. This differs from the traditional Policyfile workflow by allowing you to run any cookbook/recipe combination that exists within the Policyfile lock.
Safety With Flexibility
Run lists with Policyfiles give you the safety of locked sets of cookbook dependencies while also giving you the flexibility to change run lists or run different run lists on nodes for ad hoc Chef Infra Client converges. Without Policyfiles, manually specifying or overriding a run list determines an entirely new set of dependencies. When using run lists with Policyfiles, Chef Infra Client executes within the predefined set of cookbook dependencies in your Policyfile lock. This allows you to change or override run lists without introducing new, and potentially untested, cookbook dependencies.
To execute a run list defined on a node in Chef Infra Server instead of the run list defined directly in a Policyfile, set the Chef Config policy_persist_run_list to true. An override run list that is specified on the command line with Policyfiles will execute without any additional configuration.
How This Differs From Named Run Lists
Policyfiles with run lists offer additional flexibility over named run lists and are better suited for ad hoc Chef Infra Client execution or programmatically changing run lists during bootstrap. Named run lists within Policyfiles need to be defined when the Policyfile is created, requiring you to predefine each potential run list you may want to run at a future date. Run lists with Policyfiles allow you to run any run list for cookbooks included in the Policyfile lock. Override run lists with Policyfiles offer ad hoc flexibility, as the override run list is not saved to the node on Chef Infra Server, unlike named run lists, which permanently update the node.
Examples
Override Run List
chef-client -o my_cookbook::some_recipe
Set Permanent Run List via CLI
chef-client -r my_cookbook::some_recipe
or
chef-client -j my_run_list_and_attribute_data.json
Configuring Chef Infra Client to Use Run Lists
chef_client_config 'Configure Infra Client' do
  policy_persist_run_list true
end
New Resources
habitat_package
Use the habitat_package to install or remove Chef Habitat packages from Habitat Builder. See the habitat_package Resource documentation for additional details and example usage.
habitat_sup
Use the habitat_sup resource to run a Chef Habitat supervisor for one or more Chef Habitat services. The resource is commonly used in conjunction with the habitat_service resource, which will manage the services loaded and started within the supervisor. See the habitat_sup Resource documentation for additional details and example usage.
habitat_config
Use the habitat_config resource to apply a configuration to a Chef Habitat service. See the habitat_config Resource documentation for additional details and example usage.
habitat_install
Use the habitat_install resource to install Chef Habitat. See the habitat_install Resource documentation for additional details and example usage.
habitat_service
Use the habitat_service resource to manage Chef Habitat services. This requires that core/hab-sup be running as a service. See the habitat_sup resource documentation for more information. See the habitat_service Resource documentation for additional details and example usage.
habitat_user_toml
Use the habitat_user_toml resource to template a user.toml for Chef Habitat services. Configurations set in the user.toml override the default.toml for a given package, which makes it an alternative to applying service group level configuration. See the habitat_user_toml Resource documentation for additional details and example usage.
windows_defender
Use the windows_defender resource to enable, configure, or disable the Microsoft Windows Defender service. See the windows_defender Resource documentation for additional details and example usage.
windows_defender_exclusion
Use the windows_defender_exclusion resource to exclude paths, processes, or file types from Windows Defender realtime protection scanning. See the windows_defender_exclusion Resource documentation for additional details and example usage.
windows_update_settings
Use the windows_update_settings resource to manage the various Windows Update patching options. See the windows_update_settings Resource documentation for additional details and example usage.
Updated Resources
powershell_package
Updated the powershell_package resource to allow passing an array of install options via the options property. Thanks for reporting this issue @kimbernator
windows_printer
Updated the windows_printer resource to better load the current state of the printer and to allow controlling the creation of the printer port. The resource now includes a create_port property that allows skipping the creation of the printer port and a port_name property that allows specifying the name of the port to use. With these new properties, users can create advanced printer ports using the windows_printer_port resource and then attach a new printer to those ports using the windows_printer resource.
windows_printer_port '10.4.64.39' do
  port_name 'My awesome printer port'
  snmp_enabled true
  port_protocol 2
end
windows_printer 'HP LaserJet 5th Floor' do
  driver_name 'HP LaserJet 4100 Series PCL6'
  port_name 'My awesome printer port'
  ipv4_address '10.4.64.38'
  create_port false
end
chef_client_config
Updated the chef_client_config resource to properly format the client.rb config when the user sets the ohai_optional_plugins or ohai_disabled_plugins properties. Thanks for reporting this issue @caneylan. The resource can now also set the new policy_persist_run_list configuration in the client.rb file by setting the policy_persist_run_list property to true.
Chef Language Improvements
We've added several new helpers to the Chef Infra Language to make writing out various data formats easier. These helpers allow you to convert data from Ruby Hashes or Chef Infra attributes into YAML, JSON, or TOML formatted data. A great use case for these helpers is writing system or application configuration files to disk without having to template out data formats using a template resource.
Given this Ruby hash:
example_hash = {
  "golf": "hotel",
  "kilo": %w{lima mike},
  "india": {
    "juliett": "blue",
  },
  "alpha": {
    "charlie": true,
    "bravo": 10,
  },
  "echo": "foxtrot",
}
Output the data in JSON format:
render_json(example_hash)
{
  "golf": "hotel",
  "kilo": [
    "lima",
    "mike"
  ],
  "india": {
    "juliett": "blue"
  },
  "alpha": {
    "charlie": true,
    "bravo": 10
  },
  "echo": "foxtrot"
}
Output the data in TOML format:
render_toml(example_hash)
echo = "foxtrot"
golf = "hotel"
kilo = ["lima", "mike"]
[alpha]
bravo = 10
charlie = true
[india]
juliett = "blue"
Output the data in YAML format:
render_yaml(example_hash)
---
golf: hotel
kilo:
- lima
- mike
india:
  juliett: blue
alpha:
  charlie: true
  bravo: 10
echo: foxtrot
Using this helper with the file resource:
file '/etc/some_app/config.yml' do
  content render_yaml(example_hash)
  mode '0640'
end
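The reason these helpers beat hand-written templates is not only convenience: a serializer quotes and escapes values, whereas a template interpolates them verbatim. The following stand-alone example (added here, not code from Chef or from this post) uses Ruby's stdlib JSON and YAML serializers as stand-ins for render_json and render_yaml, round-trips the post's example hash, and then contrasts a naive "key: value" template with real serialization when a value happens to contain a newline. The stdlib stand-ins and the sample data are assumptions; Chef's actual helper implementation is not reproduced.

```ruby
require 'json'
require 'yaml'

# Constructed sample data mirroring the post's example hash, with string keys
# so the parsed result compares cleanly against the input.
EXAMPLE_HASH = {
  'golf'  => 'hotel',
  'kilo'  => %w{lima mike},
  'india' => { 'juliett' => 'blue' },
  'alpha' => { 'charlie' => true, 'bravo' => 10 },
  'echo'  => 'foxtrot',
}.freeze

# Stand-ins for render_json / render_yaml (assumed, built on the stdlib).
def render_json_stdlib(data)
  JSON.pretty_generate(data)
end

def render_yaml_stdlib(data)
  YAML.dump(data)
end

# The approach the helpers replace: interpolating scalar values straight into
# a YAML body with no quoting or escaping. Flat hashes only.
def naive_yaml_template(data)
  data.map { |k, v| "#{k}: #{v}" }.join("\n") + "\n"
end

# Parse rendered text back so structures, not strings, are compared.
def round_trip_json(text)
  JSON.parse(text)
end

def round_trip_yaml(text)
  YAML.safe_load(text)
end

# A constructed config where one value contains a newline followed by
# "key: value" text. A naive template turns that into an extra top-level key;
# a serializer keeps it inside the original value.
UNTRUSTED_CONFIG = {
  'user'     => 'svc',
  'password' => "hunter2\nadmin: true",
}.freeze

def naive_render_adds_key?
  round_trip_yaml(naive_yaml_template(UNTRUSTED_CONFIG)).key?('admin')
end

def serialized_render_adds_key?
  round_trip_yaml(render_yaml_stdlib(UNTRUSTED_CONFIG)).key?('admin')
end

if $PROGRAM_NAME == __FILE__
  puts render_json_stdlib(EXAMPLE_HASH)
  puts render_yaml_stdlib(EXAMPLE_HASH)
  puts "naive template gained an 'admin' key: #{naive_render_adds_key?}"
  puts "serializer gained an 'admin' key:     #{serialized_render_adds_key?}"
end
```

The takeaway for configuration files: when any part of the data originates outside the cookbook (node attributes, data bags, secrets), serialize it with the helper rather than concatenating it into a template, so a value can never change the document's structure.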
Experimental Secrets Management
With Chef Infra Client 17.3, we're introducing experimental secrets management integration with a new secrets helper in the Infra Language. This helper has a pluggable model for fetching secrets from multiple secrets management systems. In this release of Chef Infra Client we support AWS Secrets Manager and Azure Key Vault, with additional secrets managers coming in future releases. This new functionality should be considered a beta and not necessarily ready for production usage. We'd love to get feedback on how this works for you and additional features you'd like, or need, in order to utilize secrets from secret managers within your cookbooks. E-mail us at secrets_management_beta@progress.com.
Authentication
The secrets helper uses cloud instance authentication to access secrets in both Azure Key Vault and AWS Secrets Manager. This avoids the need to pass authentication in the helper and allows you to control access to secrets using existing cloud vendor access control models. When using AWS Secrets Manager, this is IAM roles applied to instances. In Azure this is Managed Identities applied to the VMs.
Fetching Secrets
The secrets helper accepts the secret name, the secrets service, an optional secret version, and connection options for the secrets service.
Fetching an AWS Secrets Manager secret
secret(name: 'test1', service: :aws_secrets_manager, config: { region: 'us-west-2' })
Fetching an Azure Key Vault secret
secret(name: 'test1', service: :azure_key_vault, config: { vault: 'vault1' })
Fetching a specific version of an Azure Key Vault secret
secret(name: 'test1', version: 'v1', service: :azure_key_vault, config: { vault: 'vault1' })
Using in Cookbooks
The secrets helper returns a text string, so it can be used anywhere in Chef Infra where you might hard code a value or access a value from a data bag.
Writing a Secret To a File
file '/home/ubuntu/aws-secret' do
  content secret(name: 'test1', service: :aws_secrets_manager)
end
Passing a Secret to a Template
template '/etc/my_fancy_service/my_fancy_service.conf' do
  source 'config.erb'
  variables(
    db_token: secret(name: 'db_token', service: :aws_secrets_manager)
  )
end
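To make the "pluggable model" concrete, here is an added, stand-alone mock of the helper's call shape (name:, service:, version:, config:) with an in-memory backend per service. It is not Chef's secrets helper and does not talk to AWS or Azure; the registry, the error classes, the fake store, the assumed AWSCURRENT version label for AWS, and the "latest version when none is given" rule for Azure are all assumptions made for illustration. What it shows is how a single entry point dispatches on the service symbol, how an optional version is resolved, and that callers get a plain String back.

```ruby
# Mock of the secrets helper's pluggable lookup model (added example; not Chef code).
class SecretNotFound < StandardError; end
class UnknownSecretsService < StandardError; end

# Constructed in-memory store: service -> secret name -> version label -> value.
# Version labels are listed oldest to newest.
FAKE_BACKENDS = {
  aws_secrets_manager: {
    'db_token' => { 'AWSCURRENT' => 's3cr3t-token' },
  },
  azure_key_vault: {
    'test1' => { 'v1' => 'old-value', 'v2' => 'current-value' },
  },
}.freeze

# Registry keyed by the :service symbol; adding a backend is one registration,
# not a change to the helper.
FETCHERS = {}

def register_secrets_service(service, &fetcher)
  FETCHERS[service] = fetcher
end

# Same keyword interface as the post's secret(...) calls. Returns a String.
def secret(name:, service:, version: nil, config: {})
  fetcher = FETCHERS[service] or raise UnknownSecretsService, service.to_s
  value = fetcher.call(name, version, config)
  raise SecretNotFound, "#{service}/#{name}" if value.nil?
  value.to_s
end

register_secrets_service(:aws_secrets_manager) do |name, version, config|
  # A real client would use config[:region] to pick the endpoint; the mock
  # only validates the key is present.
  _region = config.fetch(:region, 'us-west-2')  # assumed default region
  versions = FAKE_BACKENDS[:aws_secrets_manager][name]
  next nil if versions.nil?
  versions[version || 'AWSCURRENT']
end

register_secrets_service(:azure_key_vault) do |name, version, config|
  config.fetch(:vault) { raise ArgumentError, 'azure_key_vault needs config: { vault: ... }' }
  versions = FAKE_BACKENDS[:azure_key_vault][name]
  next nil if versions.nil?
  version ? versions[version] : versions.values.last
end

if $PROGRAM_NAME == __FILE__
  puts secret(name: 'test1', service: :azure_key_vault, config: { vault: 'vault1' })
  puts secret(name: 'test1', version: 'v1', service: :azure_key_vault, config: { vault: 'vault1' })
  puts secret(name: 'db_token', service: :aws_secrets_manager, config: { region: 'us-west-2' })
end
```

Because the helper hands back an ordinary String, the value can end up in resource diffs and converge logs like any other content; on file and template resources that write a secret, set sensitive true so Chef Infra Client suppresses the diff in its output.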
System Detection Improvements
virtuozzo Support
The virtuozzo platform is now detected as a member of the RHEL platform family. Thanks for this addition @robertmasztalerz!
Linux Livepatch Detection
A new Ohai optional plugin :Livepatch has been added to detect Linux kernel Livepatch modules that have been loaded on a system. This plugin can be enabled on systems using the ohai_optional_plugins property in the chef_client_config resource. Thanks for this new plugin @liu-song-6!
Package Improvements
M1 macOS Monterey Packages
Chef Infra Client packages are now produced for Apple's macOS Monterey preview release. Packages for Intel-based Macs will ship at a later date.
Solaris 11.3 EOL / Solaris 11.4 Packages
Oracle Solaris 11.3 became end-of-life (EOL) in January 2021. Chef Infra Client packages are no longer produced for Solaris 11.3 and new Solaris 11.4 packages are available in their place.
FIPS on PPC RHEL
Failures initializing Chef Infra Client on FIPS enabled PowerPC RHEL systems have been resolved.
RPM Package Digests
The file digest in Chef Infra RPM packages has been updated from MD5 to SHA256 to prevent failures installing on some FIPS-enabled systems.
Security
Ruby 3.0.2
Ruby has been updated to 3.0.2 to resolve a large number of bugs as well as the following CVEs:
Addressable
We've updated the addressable gem from 2.7 to 2.8 to resolve CVE-2021-32740.
Get the Build
As always, you can download binaries directly from downloads.chef.io or by using the mixlib-install command-line utility:
$ mixlib-install download chef -v 17.3.48
Alternatively, you can install Chef Infra Client using one of the following command options:
# In Shell
$ curl https://omnitruck.chef.io/install.sh | sudo bash -s -- -P chef -v 17.3.48
# In Windows Powershell
. { iwr -useb https://omnitruck.chef.io/install.ps1 } | iex; install -project chef -version 17.3.48
If you want to give this version a spin in Test Kitchen, create or add the following to your kitchen.yml file:
provisioner:
  product_name: chef
  product_version: 17.3.48
Enjoy,
Tim