Chef Server 12.0.7 Released

Hello Chefs,

I’m pleased to announce that Chef Server 12.0.7 is now available. Aside from some behind-the-scenes build improvements, it has two major updates over the previous release:

  • The minimum set of Policyfile endpoints necessary to upload a policy and run Chef Client is now implemented (though see the caveats below).
  • You can enable strict RBAC checking of search results.

Read more ›

Chef Client 12.2.0 Released

Ohai Chefs,

Update Sat Mar 28 00:28:04 UTC 2015Chef 12.2.0 has a regression that will prevent you from running chef-client in situations where the HOME environment variable is unset. This will likely break anybody running chef-client as a service. We are currently working on getting a release out. For now, if you are running chef-client as a service, it’s probably best to wait for 12.2.1 before upgrading.

The issue is tracked on GitHub at https://github.com/chef/chef/issues/3153

 

We’ve just released Chef Client 12.2.0. This release includes bug fixes as well couple of new goodies… we hope you enjoy them. You can check out the CHANGELOG for a full set of the changes.

What’s New

Policyfile Chef Server 12.0.7 Compatibility

Chef Server 12.0.7 will contain the minimum necessary functioning implementation of Policyfiles to converge a node. Policyfile “native mode” is updated to work with the APIs in Chef Server 12.0.7. Note that Chef Server 12.0.7 will likely not ship with the necessary code to upgrade existing organizations, so you will need to set some special configuration to opt-in to enabling the Policyfile APIs in Chef Server. That process will be described in the release notes for Chef Server.

Desired State Configuration (DSC) Resource

If you are using Windows Management Framework(WMF) 5, you can now take advantage of the new dsc_resource. This new functionality takes advantage of WMF 5′s Invoke-DscResource cmdlet to directly invoke resources.

Prerequisites

To use this new resource, you must have the February preview of WMF 5. This can be installed using the Powershell cookbook. It is also required that the Local Configuration Manager(LCM) be configured with a RefreshMode of Disabled. Doing this will preclude you from using dsc_script. Below we provide an example DSC configuration:

</p>

<h1>create a configuration command to generate a meta.mof to set</h1>

<h1>Local Configuration Manager settings</h1>

<p>Configuration LCMSettings {
  Node localhost {
    LocalConfigurationManager {
      RefreshMode = 'Disabled'
   }
  }
}</p>

<h1>Run the configuration command and generate the meta.mof to configure</h1>

<h1>a local configuration manager</h1>

<p>LCMSettings</p>

<h1>Apply the local configuration manager settings found in the LCMSettings</h1>

<h1>folder (by default configurations are generated to a folder in the current</h1>

<h1>working directory named for the configuration command name</h1>

<p>Set-DscLocalConfigurationManager -path ./LCMSettings</p>

<p>

Running this script tells the LCM not to do document management, allowing Chef to take over that role. While you may be able to switch this to other values mid-run, you should not be doing this to run both dsc_script and dsc_resource resources.

Usage

Once the LCM is correctly configured, you can begin using dsc_resource in your recipes. You can get a list of available by running the Get-DscResource command. You will be able to use any resource that does not have an ImplementedAs property with value Composite.

As an example, let’s consider the User dsc resource. Start by taking a look at what a DSC User resource would look like

</p>

<p>&gt; Get-DscResource User</p>

<p>ImplementedAs Name Module Properties</p>

<hr />

<p>PowerShell User PSDesiredStateConfiguration {UserName, DependsOn, Descr...</p>

<p>

We see here that is ImplementedAs is not equal to Composite, so it is a resource that can be used with dsc_resource. We can what properties are accpeted by the User resource by running

&gt; Get-DscResource User -Syntax</p>

<p>User [string] #ResourceName
{
  UserName = [string]
  [ DependsOn = [string[]] ]
  [ Description = [string] ]
  [ Disabled = [bool] ]
  [ Ensure = [string] { Absent | Present } ]
  [ FullName = [string] ]
  [ Password = [PSCredential] ]
  [ PasswordChangeNotAllowed = [bool] ]
  [ PasswordChangeRequired = [bool] ]
  [ PasswordNeverExpires = [bool] ]
}

From above, the User resource has a require property UserName, however we’re probably also going to want to prover at the very least a Password. From above, we can see the UserName property must be of type string, and Password needs to be of type PSCredential. Since there is no native Ruby type that maps to a Powershell PSCredential, a dsl method ps_credential is provided that makes creating this simple. ps_credential can be called as ps_credential(password) or ps_credential(username, password). Under the hood, this creates a Chef::Util::Powershell::PSCredential which gets serialized into a Powershell PSCredential.

The following type translations are supported:

Ruby Type Powershell Type
Fixnum Integer
Float Doule
FalseClass $false
TrueClass $true
Chef::Util::Powershell:PSCredential PSCredential
Hash Hashtable
Array Object[]
With this information in hand, we can now construct a Chef dsc_resource resource that creates a user.

</p>

<p>dsc<em>resource 'create foo user' do
  resource :User
  property :UserName, 'FooUser'
  property :Password, ps</em>credential(&quot;P@ssword!&quot;)
  property :Ensure, 'Present'
end</p>

<p>

Third Party Resources

dsc_resource also supports the use of 3rd party DSC resources, for example the DSC Resource Kit. These resources can be used just like you would use any PSDesiredStateConfiguration resource like User. Since the implementation of dsc_resource knows how to talk to DSC resources that are visible through the Get-DscResource cmdlet, it should just work. For example, if we wanted to use xSmbShare, we could construct the powershell resource as

</p>

<p>dsc_resource 'create smb share' do
  resource :xSmbShare
  property :Name, 'Foo'
  property :Path, 'C:\Foo'
end</p>

<p>

This would execute

&gt; Get-DscResource xSmbShare</p>

<p>ImplementedAs Name Module Properties</p>

<hr />

<p>PowerShell xSmbShare xSmbShare {Name, Path, ChangeAccess, ...</p>

<p>

to look up the module name, and in this case use xSmbShare. However, this lookup process can slow down the process. It is also possible that there are multiple DSC resources with that name. To address these cases, dsc_resource provides an aditional attribute module_name. You can pass the name of the module that the resource comes from, and dsc_resource will make sure that it uses that module. This will short-circuit any logic to lookup the module name, shortening the time it takes to execute the resource.

Notes

  • The implementation of dsc_resource is base on the experimental Invoke-DscResource cmdlet

How do I get it?

You can visit our download page.

Additionally you can use this command to download the latest version of the Chef Client on platforms other than windows:

curl -L https://www.chef.io/chef/install.sh | sudo bash -s -- -v 12.2.0

For Windows, you can download this version using this link: Chef Client 12.2.0

Get Help

If you run into any issues with this release, please file an issue on Github or drop an email on our chef and chef-dev mailing lists.

Release: Chef Analytics 1.1.2

Ohai friends,

We have just released a new version (1.1.2) of Chef Analytics to our download page.

This release updates the bundled OpenSSL version inside Chef Analytics to 1.0.1.m and introduces some exciting new functionality. We will talk more about the new functionality next week in ChefConf 2015.

You can download this version here:

https://downloads.chef.io/analytics/

Stay tuned for more news.

Also Chef Analytics team will be in ChefConf 2015. Stop by and catch us there to get any of your questions answered.

Chef Client 12.1.2 Released

Today we have pushed a small bugfix release of the Chef Client. This release includes some critical updates for some users, and includes a new version of OpenSSL.

Changelog

The Changelog is also included in the source.

OpenSSL Update

This build also includes OpenSSL 1.0.1m on Linux/BSD/OS X platforms and 1.0.0r on Windows. This upgrade is due to the OpenSSL security announcement from last week. For more information read our blog post about that announcement.

Release post-mortem

The community will be holding a post-mortem tomorrow to discuss the high number of regressions in the 12.1.0 release. More details on that meeting can be found here.

Chef Announces James Casey as New Vice President of Engineering

Casey to Lead Company’s High-Velocity Engineering Practice in Rapidly Delivering Innovation to Customers;

Analytics Expert Nicole Forsgren, Ph.D., Joins Chef to Bolster Data-Driven Continual Development Process

SEATTLE – March 23, 2015 –Chef, the leader in high-velocity IT automation, today announced James Casey has been appointed Vice President of Engineering. Casey has more than a decade of experience managing engineering and operations for CERN and is a three-year Chef veteran. Casey brings deep expertise in DevOps practices, as well as an innate understanding of the needs of Chef customers and the community. Casey will oversee the quality and cadence of product development for Chef’s engineering and operations teams, and will report to Chef CEO Barry Crist.

Chef’s engineering practice is designed to continually accelerate the delivery of innovative products to customers and itself set the bar for high velocity software development. Casey leads Chef’s development and operations teams, and joins Chef CTO Adam Jacob and Chef vice president Jez Humble in driving constant improvement of Chef’s engineering speed and quality. Casey is responsible for managing all of engineering, while Jacob focuses on product and open source strategy, and Humble drives Chef’s analytical approach to engineering process evolution and refinement.

Read more ›

Chef Server 12.0.6 Released

Today we’re pleased to announce that Chef Server 12.0.6 has been released. This update contains the latest OpenSSL 1.0.1m along with further bug fixes and API improvements.

OpenSSL 1.0.1m

While the Chef Server and other Chef products that ship with OpenSSL are not vulnerable to CVE-2015-0291 (see our earlier blog post by Charles Johnson), we’ve included the latest version of the 1.0.1-series in today’s release. This update to OpenSSL includes the following security fixes:

Bug Fixes

The following bugs have been fixed since Chef Server 12.0.5:

  • chef-server#119: LDAP users with special characters in their external_authentication_uid cannot log in
  • chef-server#97: org-user-add -a flag does not give billing-admin rights
  • chef-server#17: When you create a user via chef-server-ctl add-user with –filename pointed at invalid path, the user is created, but the key is not put on the filesystem
  • opscode-omnibus#648: JMX security issues

Key Rotation and Policyfiles

As with the last release, the Key Rotation and Policyfile features are still under heavy development and are being delivered incrementally. We’ll be providing more details on those features separately once certain milestones are hit, but you can follow along with the Chef Server CHANGELOG to see what’s been added since the last release.

OpenSSL Vulnerability CVE-2015-0291 and Chef

On March 19th, 2015, the OpenSSL team released a new high severity security advisory. In addition, the OpenSSL team also upgraded the severity of an already-published advisory, CVE-2015-0204, to high severity status. Simultaneous to the publication of this new high severity security advisory, the OpenSSL team also made available new versions of the OpenSSL code containing fixes for these vulnerabilities. After reviewing the vulnerabilities described in these security advisories, the team at CHEF has determined that Chef products are not at immediate risk as a result of the OpenSSL vulnerabilities disclosed today.

Recommendation to users

Because OpenSSL 1.0.2. is the only version of OpenSSL vulnerable to the exploit described in CVE-2015-0291, Chef users do not need to take immediate action in response to this discolsure, because Chef products do not include OpenSSL 1.0.2.

Further analysis

OpenSSL 1.0.2 ClientHello sigalgs DoS (CVE-2015-0291)

There are no Chef products that include OpenSSL 1.0.2. As a result, Chef products are not affected by the vulnerability disclosed in high severity bulletin CVE-2015-0291 (OpenSSL 1.0.2 ClientHello sigalgs DoS (CVE-2015-0291).

“Freak,” RSA silently downgrades to EXPORT_RSA Client

No Chef products are configured to support export ciphers. As a result, Chef products are not affected by the vulnerability disclosed in high severity bulletin CVE-2015-0204 (RSA silently downgrades to EXPORT_RSA[Client]).

Chef Response Plan

Though there is no immediate danger, Chef will still release new versions of several products starting today that will include updated versions of OpenSSL. Users can update to these on their own schedule, but are not required to upgrade to protect against CVE-2015-0291. Chef users do not need to take any immediate action in response to the newly published OpenSSL high severity security advisory. Chef products are not vulnerable to CVE-2015-0291, or CVE-2015-0204. Chef will include the newly-released patches to OpenSSL in future releases on the previously planned product release schedule.

This Week in Webinars

If you’re looking to level up your Chef skills, you have plenty of opportunities this week. Along with some of our partners, we’ll be presenting webinars on automating at scale, DevSecOps and automating on Azure with Chef. See full details on each webinar after the jump. Read more ›

Using Chef Supermarket: A Guided Tour

Supermarket is the Chef community’s central clearing house for sharing cookbooks, tools, and plugins. It is a place for Chef community members to download community cookbooks, collaborate on cookbooks, and upload cookbooks to be used by other community members. It is also the place to share information about tools that improve Chef’s ecosystem. The Supermarket makes it easier to start participating in Chef’s open source projects by allowing individuals and corporations to sign and manage their Contributor License Agreements (CLA’s). Check out the Supermarket Announcement Blog Post for more information.

There are two versions of Supermarket available today.

Public Supermarket

This is available at the Chef Supermarket site. This is an open source project, you can find and contribute to the repo on GitHub.

Private Supermarket

There is also a version of Supermarket that can be run privately in your own infrastructure. This guide will not cover the private version of Supermarket, but many of the same principles will apply. Stay tuned for an Private Supermarket guide!

Getting Started with Supermarket

There are a few things you will need to work with Supermarket.

Knife

You will need Knife to interact with the Supermarket.

The easiest way to get Knife (along with many other tools needed to use both Supermarket and Chef) is through the Chef Development Kit.

Make sure you have a knife.rb config file setup.

This guide will take you through the basics of using Knife and Supermarket. For more information on the various commands and options, please see the full Knife cookbook site documentation.

Browsing the Supermarket

You can now take several actions to browse the community cookbooks available on the Supermarket site.

List

To see a list of all community cookbooks available from Supermarket, run the following:
 $ knife cookbook site list
This will return lots of output similar to:
  1password                            minecraft
  301                                  mineos
  7-zip                                minidlna
  AWS_see_spots_run                    minitest
  AmazonEC2Tag                         minitest-handler
  Appfirst-Cookbook                    mirage
  CVE-2014-3566-poodle                 mlocate
  CVE-2015-0235                        mod_security
  Obfsproxy                            mod_security2
  R                                    modcloth-hubot
  Rstats                               modcloth-nad
  SysinternalsBginfo                   modman
  VRTSralus                            modules
  abiquo                               mogilefs
  acadock                              mongodb
  accel-ppp                            mongodb-10gen
  accounts                             mongodb-agents
  accumulator                          monit
  [etc]

Search

Looking for a particular cookbook? The most downloaded cookbook as of February 2015 is the mysql cookbook. If I wanted to search for this cookbook I would use a command similar to this:
 $ knife cookbook site search mysql
Which will return output similar to this:
  mysql:
    cookbook:             http://cookbooks.opscode.com/api/v1/cookbooks/mysql
    cookbook_description: Provides mysql_service, mysql_config, and mysql_client resources
    cookbook_maintainer:  chef
    cookbook_name:        mysql
  mysql-apt-config:
    cookbook:             http://cookbooks.opscode.com/api/v1/cookbooks/mysql-apt-config
    cookbook_description: Installs/Configures mysql-apt-config
    cookbook_maintainer:  tata
    cookbook_name:        mysql-apt-config
  mysql-multi:
    cookbook:             http://cookbooks.opscode.com/api/v1/cookbooks/mysql-multi
    cookbook_description: MySQL replication wrapper cookbook
    cookbook_maintainer:  rackops
    cookbook_name:        mysql-multi
Let’s take a closer look at that first mysql cookbook.

Show

To view more information about a particular cookbook, run the following:
 $ knife cookbook site show mysql
Which will return input similar to this:
 average_rating:
  category:           Other
  created_at:         2009-10-28T19:16:54.000Z
  deprecated:         false
  description:        Provides mysql_service, mysql_config, and mysql_client resources
  external_url:       http://github.com/opscode-cookbooks/mysql
  foodcritic_failure: true
  issues_url:
  latest_version:     http://cookbooks.opscode.com/api/v1/cookbooks/mysql/versions/6.0.15
  maintainer:         chef
  metrics:
    downloads:
      total:    79275449
    versions:
      0.10.0: 927561
      0.15.0: 927536
      0.20.0: 927321
      0.21.0: 927298
      0.21.1: 927311
      0.21.2: 927424
      0.21.3: 927441
      0.21.5: 927326
      0.22.0: 927297
      0.23.0: 927353
      0.23.1: 927862
      0.24.0: 927316
If you want to take a look at a specific version of a cookbook, include it in the command like this:
 $ knife cookbook site show mysql 0.10.0
Which will return output similar to:
  average_rating:
  cookbook:          http://cookbooks.opscode.com/api/v1/cookbooks/mysql
  file:              http://cookbooks.opscode.com/api/v1/cookbooks/mysql/versions/0.10.0/download
  license:           Apache 2.0
  tarball_file_size: 7010
  version:           0.10.0

Downloading and Installing from the Supermarket

Ready to downlad and install a cookbook from the community site?

Download

To download a cookbook as a tar.gz archive and place it in the current working directory, use the download command.
$ knife cookbook site download mysql

Install

Installing a cookbook is similar to downloading it, but rather than saving the cookbook as a tar.gz, it extracts the cookbook and sets up a git branch so you can keep it up to date with the original cookbook. See this Stack Overflow for an excellent explanation.

It also resolves dependencies and creates a new branch for each of the dependent cookbooks.

$ knife cookbook site install mysql
NOTE: If you receive the error “ERROR: IOError: Cannot open or read /Users/nshamrell/chef-repo/cookbooks/mysql/metadata.rb”, check which version of knife you are using with:
$ knife -v
If it is lower than Chef: 12.0.2, you will need to update your version of Knife. However, if you are using Chef DK and rvm, try running this command:
$ rvm use system
Then retry
$ knife cookbook site install mysql

Uploading to the Supermarket

Now let’s upload a cookbook to the Supermarket. If you have a cookbook of your own you would like to use, please do! If you’d like some guidance in creating a very basic cookbook of you own to practice uploading to the Supermarket, see the “Create Cookbook” section of this section of the Supermarket Docs.

Share

There are a few things you’ll need in place before you can upload your cookbook to the Supermarket. First, take a look at your knife.rb configuration file. Mine lives at .chef/knife.rb.

You will need to have lines similar to this in the config file. If you don’t already have them, please add them in.

  node_name "nellshamrell" # Replace with the login name you use to login to the Supermarket.
  client_key "#{ENV['HOME']}/.chef/client.pem" # Define the path to wherever your client.pem file lives.  This is the key you generated when you signed up for a Chef account.
  cookbook_path [ '/Users/nshamrell/Projects/my_chef_repo/cookbooks' ] # Directory where the cookbook you're uploading resides.
We also recommend that you add both a ‘source_url’ and ‘issues_url’ in your cookbooks’ metadata. Then, when your cookbook appears on Supermarket, it will also display a link to your cookbook’s source (i.e. a GitHub repo) and issues (i.e. GitHub issues for your repo).

Then use this command to upload the cookbook to the Supermarket!

$ knife cookbook site share "my_apache2_cookbook" "Web Servers"
Notice that I defined the Supermarket category my cookbook should be in – in this case, “Web Servers”. Other categories you can use are “Databases”, “Process Management”, “Monitoring & Trending”, “Programming Languages”, “Package Management”, “Applications”, “Networking”, “Operating Systems & Virtualization”, “Utilities”, or “Other”.

Stove

Stove is an alternate tool for sharing cookbooks. For more information, please see the project GitHub page.

Unshare

Should you ever need to unshare a cookbook from the Supermarket, you can use the “unshare” command to do so.
$ knife cookbook site unshare my_apache2_cookbook
This will remove your cookbook from the Supermarket site.

If you receive an error which looks like this:

ERROR: Invalid Redirect: DELETE request was redirected from https://supermarket.getchef.com/api/v1/cookbooks/my_apache2_cookbook to https://supermarket.chef.io/api/v1/cookbooks/my_apache2_cookbook. Only GET and HEAD support redirects.
Change your server location in knife.rb to the server's FQDN to avoid unwanted redirections.
You need to upgrade your Chef version to 12.1.1 or higher. Visit the Chef Client Download Site to download and install it for your operating system.

For more information, check out the Supermarket docs.

And there you have it, the basics of using Chef Supermarket! Happy cooking!

Standard Bank: Our DevOps Journey (Part 5)

This is the fifth entry in our ongoing, bi-weekly series examining our customer Standard Bank’s DevOps journey. You can read the first entry here, the second entry here, the third entry here, and the fourth entry here. Continue below for part five.

In this blog post, we talk to several members of the Chop Chop team. Derek Chung is the iteration manager and manages the deliverables. Mark Figueira works in Quality Assurance. Marcus Talken is the technical lead. Their discussion revolves around change—changes in process, changes in approaches to testing, changes in tools and changes in culture.

To set the stage, Mark described the waterfall approach that Standard Bank has traditionally used to develop applications.

“Business had its requirements. Those got handed to a business analyst who drafted an FSS (functional system specifications). The FSS went to the technical teams. Depending on the organization, one team would deliver the infrastructure and the other would deliver the application. In parallel, someone would write the test cases based on the requirements within the functional spec.”

“It would get to a point where development would complete some form of unit testing. Then, the application would be handed off to another organization for component integration testing. When that phase was complete, another organization performed system integration testing.”

“There were three testing cycles and we were always picking up bugs, throwing the application back over the fence to development or, if there were other requirements, back to the business analyst who would then confirm the requirements with business, update the functional spec, and update the test cases. You could be working on a project for five months and still hit a bug that delayed the whole process.”

Read more ›