Hello Chefs!
Chef Infra Server 13.2.0 is out and available on the downloads site (https://downloads.chef.io/chef-server/stable/13.2.0).
General changes:
We are pleased to announce support for external PostgreSQL on Azure. Previously, we added support for SSL while connecting to PostgreSQL, and we have continued that work forward thanks largely to the efforts of zanecodes. Related documentation can be found in two parts (1) here and (2) here.
As mentioned in our 13.1.13 release announcement, we are working toward simplifying the management of Chef’s product portfolio. As a part of that effort, we are preparing to move from Solr to Elasticsearch to align with our other projects and products that leverage Elasticsearch. Chef Infra Server 13.2.0 continues to use Solr4 for search for the purposes of this release. Work has been done to merge Elasticsearch packages into the codebase, and we have merged some of the additional code to support moving from Solr to Elasticsearch in the future. Do not attempt to replace existing Solr with Elasticsearch at this time. We expect Chef Infra Server to be prepared for a cutover to Elasticsearch by mid-year (2020).
N.B. Existing external Elasticsearch implementations will not be impacted by the above.
What's New in 13.2
Improvements
- Azure support for external PostgreSQL:
  In the previous release we added support for SSL while connecting to PostgreSQL. With this release we add the ability to connect to an external PostgreSQL database in Azure.
- Update HAProxy configuration:
  We have updated the configuration for HAProxy to make it more responsive. The changes include:
  - Set the connect, client, server, and tunnel timeouts to reasonable defaults.
  - Set client-fin and server-fin to try to mitigate connection pile-ups in the case of failing frontend services.
  - Set on-marked-down shutdown-sessions to avoid stale sessions to previous leaders living longer than they need to.
- Integration testing pipeline:
  We have put a lot of effort into creating a test pipeline with the test infrastructure previously created. This runs multiple scenarios for Chef Infra Server with different configurations and topologies.
- Chef Infra Server supports Elasticsearch version 6 for external Elasticsearch:
  Chef Infra Server previously supported index creation for Elasticsearch versions 2 and 5. We now support index creation for Elasticsearch 6 as well.
- Cookstyle changes applied to the cookbooks.
- Disable actions RabbitMQ queue by default.
- Log all errors triggered due to Elasticsearch reindex.
Bug Fixes
- Fix a regression that broke FIPS 140-2 support in Chef Infra Server 13.1.13.
- Fix habitat db config for external database.
- Elasticsearch recipes should not create indexes at compile time.
Updates
- Chef Infra Client: 15.5.17 -> 15.8.23
- rack(oc-chef-pedant): 2.0.7 -> 2.0.8
- rack(oc-id): 1.6.11 -> 1.6.12
- Ruby(oc-id): 1.6.11 -> 1.6.12
- Ruby: 2.6.3 -> 2.6.5 fixes the following CVEs:
  - CVE-2019-16255: A code injection vulnerability of Shell# and Shell#test
  - CVE-2019-16254: HTTP response splitting in WEBrick (Additional fix)
  - CVE-2019-15845: A NUL injection vulnerability of File.fnmatch and File.fnmatch?
  - CVE-2019-16201: Regular Expression Denial of Service vulnerability of WEBrick's Digest access authentication
  - CVE-2012-6708
  - CVE-2015-9251
- rubyzip(oc-id): 1.2.3 -> 1.3.0 (fixes CVE-2019-16892)
- Erlang(habitat): 18 -> 20
Recordings of Chef Infra Server triage sessions can be found here. Part of keeping our issue backlog relevant is ensuring that active issues are prominently featured over inactive issues. As a part of this effort we will be more aggressively closing issues that are inactive or do not apply to supported features. If you find that an issue or PR that you are invested in has closed, please feel free to reopen it. All feature requests can be made using the Aha! Portal.