Chef Blogs

ChefDK 0.7.0 Released

Kartik Cating-Subramanian | Posted on | release | Releases

Hola Chefs!  ChefDK 0.7.0 is now out and ready for consumption at our downloads page.  We have numerous features, updates and bug fixes for all of you.  To highlight, we have:

* a new environment variable `CHEFDK_HOME` that points to cookbook and gem caches.
* the latest patched SSL CA certificate bundle.
* chef `show-policy`, a new command to describe the state of your Policyfiles on the server.
* multiple default sources in Policyfile.
* an option to `chef export` policy data into a tar-ball and `chef push-archive` them.
* Powershell wrappers to ameliorate double/triple quoting issues.
* signed ChefDK MSIs on windows for added safety.
* updated dependencies:
* `chef-12.4.1`
* `ohai-8.5.1`
* `chef-provisioning-1.3.0`
* `chef-provisioning-vagrant-0.9.0`
* `chef-provisioning-aws-1.3.1`
* `cheffish-1.3.1`
* `chefspec-4.3.0`
* `knife-windows-0.8.6`
* `winrm-transport-1.0.2`

## Delightful First-use Experience

We have made a number of updates that allow you to install ChefDK and start cheffing right away.

### `CHEFDK_HOME` environment variable

All ChefDK commands that cache cookbooks, gems and other items now look for them in this location.  By default, this is in `%LOCALAPPDATA%\chefdk` on Windows and `~/.chefdk` otherwise.  On Windows, you can also request the MSI installer to fix your environment for you by exporting a default `%HOME%` environment variable when launching commands.  Both these changes ameliorate bad side-effects from using network mounted home drives that may not always exist.

### SSL CA certificate bundle update

We now use Mozilla’s root certificates from 2015-04-22.  We manually allow one older RSA 1024 bit key for Verisign that is still being used in the trust chain for a number of websites including Amazon S3 – so you can still access those locations through various chef tools.

## Policyfile Improvements

### List Policies on a Chef Server
The `chef show-policy` command describes the state of Policyfiles on your Chef Server.  With no arguments, it shows all policies, like this:

[code light=”true”]
aar
===
* dev: 95040c1993
* production: 95040c1993
* staging: 37f9b658cd
jenkins
=======
* dev: fcb73eccac
* production: *NOT APPLIED*
* staging: *NOT APPLIED*

[/code]

You can also provide a policy name to just show that kind of policy, like `chef show-policy aar`.  Adding a policy group will show the current revision of the policy applied to that policy group – for example `chef show-policy aar production`.

### Multiple Default Sources in Policyfiles

You can now have multiple default sources in your Policyfiles, so long as none of the cookbooks in those sources conflict with each other.  This allows you to specify both supermarket and your local Chef Repo as sources, and Chef will automatically pull cookbooks from both as needed.  For example, in my demo project I have:

[code language=”ruby” light=”true”]
name “jenkins”
default_source :supermarket
default_source :chef_repo, “cookbooks”
run_list “apt”, “java”, “jenkins::master”, “recipe[policyfile_demo]”
[/code]

In this example, the `policyfile_demo` cookbook is sourced from the cookbook repo, while the `apt`, `java`, and `jenkins` cookbooks (and their dependencies) are sourced from the supermarket.

### Exporting Packaged Policies

ChefDK now makes it easier to use Policyfiles in secure environments with restricted networks by packaging an entire policy and later uploading the packaged policy to a Chef Server in the secured environment.

To create a packaged policy, simply add the `-a` flag to `chef export` – e.g., `chef export -a .`.  This will package up all the cookbooks and policy data into a tarball, which you can then move into the secured environment.  From there, you can run the new `chef push-archive` command to upload the policy to your Chef Server.

## Windows Improvements

### Powershell wrappers

There is now an optional feature in the msi that you can enable during the installation of ChefDK that deploys a Powershell module alongside the rest of your installation (usually at `C:\opscode\chefdk\modules\`). This location will also be appended to your `PSModulePath` environment variable. You may activate it by running the following from any Powershell session

[code light=”true” language=”powershell”]
Import-Module chef
[/code]

You can also add the above to your Powershell profile at `~\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1`

The module exports a number of cmdlets that have the same name as the Chef command line utilities that you already use – such as `chef-client`, `knife` and `chef-apply`. What they provide is the ability to cleanly pass quoted argument strings from your Powershell command line without the need for excessive double-quoting. See chef#3026 or chef#1687 for an examples.

Previously you would have needed

[code light=”true” language=”powershell”]
knife exec -E ‘puts ARGV’ “””&s0meth1ng”””
knife node run_list set test-node ”’role[ssssssomething]”’
[/code]

Now you only need

[code light=”true” language=”powershell”]
knife exec -E ‘puts ARGV’ ‘&s0meth1ng’
knife node run_list set test-node ‘role[ssssssomething]’
[/code]

If you wish to no longer use the wrappers, run

[code light=”true” language=”powershell”]
Remove-Module chef
[/code]

### Signed MSIs

ChefDK MSIs are now signed using a code-signing cert. This should allow for simpler and faster installation of ChefDK in a secure manner. (Note: the SmartScreen filter on Windows, and other similar filters, may still initially report a warning message about the file not being commonly downloaded – this is normal, and does not mean that the package is unsecure.  It takes time for the reputation algorithm to gain confidence in our cert).