Release: Chef Analytics 1.1.2

Ohai friends,

We have just released a new version (1.1.2) of Chef Analytics to our download page.

This release updates the bundled OpenSSL version inside Chef Analytics to 1.0.1m and introduces some exciting new functionality. We will talk more about the new functionality next week at ChefConf 2015.

You can download this version here:

https://downloads.chef.io/analytics/

Stay tuned for more news.

Also, the Chef Analytics team will be at ChefConf 2015. Stop by and catch us there to get any of your questions answered.

Chef Client 12.1.2 Released

Today we have pushed a small bugfix release of the Chef Client. This release includes some critical updates for some users, and includes a new version of OpenSSL.

Changelog

The Changelog is also included in the source.

OpenSSL Update

This build also includes OpenSSL 1.0.1m on Linux/BSD/OS X platforms and 1.0.0r on Windows. This upgrade is due to the OpenSSL security announcement from last week. For more information read our blog post about that announcement.

Release post-mortem

The community will be holding a post-mortem tomorrow to discuss the high number of regressions in the 12.1.0 release. More details on that meeting can be found here.

Chef Announces James Casey as New Vice President of Engineering

Casey to Lead Company’s High-Velocity Engineering Practice in Rapidly Delivering Innovation to Customers;

Analytics Expert Nicole Forsgren, Ph.D., Joins Chef to Bolster Data-Driven Continual Development Process

SEATTLE – March 23, 2015 – Chef, the leader in high-velocity IT automation, today announced James Casey has been appointed Vice President of Engineering. Casey has more than a decade of experience managing engineering and operations for CERN and is a three-year Chef veteran. Casey brings deep expertise in DevOps practices, as well as an innate understanding of the needs of Chef customers and the community. Casey will oversee the quality and cadence of product development for Chef’s engineering and operations teams, and will report to Chef CEO Barry Crist.

Chef’s engineering practice is designed to continually accelerate the delivery of innovative products to customers and itself set the bar for high velocity software development. Casey leads Chef’s development and operations teams, and joins Chef CTO Adam Jacob and Chef vice president Jez Humble in driving constant improvement of Chef’s engineering speed and quality. Casey is responsible for managing all of engineering, while Jacob focuses on product and open source strategy, and Humble drives Chef’s analytical approach to engineering process evolution and refinement.


Chef Server 12.0.6 Released

Today we’re pleased to announce that Chef Server 12.0.6 has been released. This update contains the latest OpenSSL 1.0.1m along with further bug fixes and API improvements.

OpenSSL 1.0.1m

While the Chef Server and other Chef products that ship with OpenSSL are not vulnerable to CVE-2015-0291 (see our earlier blog post by Charles Johnson), we’ve included the latest version of the 1.0.1-series in today’s release. This update to OpenSSL includes the following security fixes:

Bug Fixes

The following bugs have been fixed since Chef Server 12.0.5:

  • chef-server#119: LDAP users with special characters in their external_authentication_uid cannot log in
  • chef-server#97: org-user-add -a flag does not give billing-admin rights
  • chef-server#17: When you create a user via chef-server-ctl add-user with --filename pointed at invalid path, the user is created, but the key is not put on the filesystem
  • opscode-omnibus#648: JMX security issues

Key Rotation and Policyfiles

As with the last release, the Key Rotation and Policyfile features are still under heavy development and are being delivered incrementally. We’ll be providing more details on those features separately once certain milestones are hit, but you can follow along with the Chef Server CHANGELOG to see what’s been added since the last release.

OpenSSL Vulnerability CVE-2015-0291 and Chef

On March 19th, 2015, the OpenSSL team released a new high severity security advisory. In addition, the OpenSSL team also upgraded the severity of an already-published advisory, CVE-2015-0204, to high severity status. Simultaneous to the publication of this new high severity security advisory, the OpenSSL team also made available new versions of the OpenSSL code containing fixes for these vulnerabilities. After reviewing the vulnerabilities described in these security advisories, the team at CHEF has determined that Chef products are not at immediate risk as a result of the OpenSSL vulnerabilities disclosed today.

Recommendation to users

Because OpenSSL 1.0.2 is the only version of OpenSSL vulnerable to the exploit described in CVE-2015-0291, and Chef products do not include OpenSSL 1.0.2, Chef users do not need to take immediate action in response to this disclosure.

Further analysis

OpenSSL 1.0.2 ClientHello sigalgs DoS (CVE-2015-0291)

There are no Chef products that include OpenSSL 1.0.2. As a result, Chef products are not affected by the vulnerability disclosed in high severity bulletin CVE-2015-0291 (OpenSSL 1.0.2 ClientHello sigalgs DoS).

“Freak,” RSA silently downgrades to EXPORT_RSA Client

No Chef products are configured to support export ciphers. As a result, Chef products are not affected by the vulnerability disclosed in high severity bulletin CVE-2015-0204 (RSA silently downgrades to EXPORT_RSA[Client]).

Chef Response Plan

Though there is no immediate danger, Chef will still release new versions of several products starting today that will include updated versions of OpenSSL. Users can update to these on their own schedule, but are not required to upgrade to protect against CVE-2015-0291. Chef users do not need to take any immediate action in response to the newly published OpenSSL high severity security advisory. Chef products are not vulnerable to CVE-2015-0291, or CVE-2015-0204. Chef will include the newly-released patches to OpenSSL in future releases on the previously planned product release schedule.
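Both statements above (no OpenSSL 1.0.2, no export ciphers) can be checked on a node. The following is an added example, not Chef's own code: it triages the text printed by `openssl version` and `openssl ciphers` from a product's bundled OpenSSL binary. The function names and sample strings are constructed for illustration, and 1.0.2a as the fixed 1.0.2 release comes from the upstream advisory rather than from this page.

```ruby
# Added example, not Chef's own code. Inputs are the text printed by
# `openssl version` and `openssl ciphers <spec>` from the OpenSSL binary
# bundled with the product being checked.

# Patched letter release per branch. 1.0.1m and 1.0.0r are the versions the
# release posts on this page ship; 1.0.2a is the upstream fix for 1.0.2.
BASELINE = { '1.0.2' => 'a', '1.0.1' => 'm', '1.0.0' => 'r' }.freeze

VERSION_RE = /\AOpenSSL\s+(\d+\.\d+\.\d+)([a-z]*)/

# "OpenSSL 1.0.1m 19 Mar 2015" -> { branch: "1.0.1", patch: "m" }
def parse_openssl_version(line)
  m = VERSION_RE.match(line.to_s.strip)
  m && { branch: m[1], patch: m[2] }
end

# Letter suffixes sort as "" < "a" < ... < "z" < "za" < "zb", so compare
# by length first and then alphabetically.
def older_patch?(have, want)
  ([have.length, have] <=> [want.length, want]) < 0
end

def triage(version_line)
  v = parse_openssl_version(version_line)
  return { status: :unparsed } unless v
  baseline = BASELINE[v[:branch]]
  return v.merge(status: :unknown_branch) unless baseline
  {
    branch: v[:branch],
    patch: v[:patch],
    # Only the 1.0.2 base release is affected by the ClientHello sigalgs DoS.
    cve_2015_0291: v[:branch] == '1.0.2' && older_patch?(v[:patch], 'a'),
    status: older_patch?(v[:patch], baseline) ? :below_baseline : :at_or_above_baseline
  }
end

# Export-grade suites carry an EXP prefix in OpenSSL's naming (EXP-RC4-MD5).
# An empty result means no export-grade suite is enabled by that spec.
def export_suites(cipher_list)
  cipher_list.to_s.strip.split(':').select { |name| name.start_with?('EXP') }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs.
  ['OpenSSL 1.0.1m 19 Mar 2015', 'OpenSSL 1.0.2 22 Jan 2015',
   'OpenSSL 1.0.0q 15 Jan 2015'].each { |line| puts "#{line} => #{triage(line)}" }
  puts export_suites('AES256-SHA:EXP-RC4-MD5:DES-CBC3-SHA:EXP-DES-CBC-SHA').inspect
end
```

A branch that is not in the table (for example 0.9.8) is reported as `:unknown_branch` rather than guessed at.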

This Week in Webinars

If you’re looking to level up your Chef skills, you have plenty of opportunities this week. Along with some of our partners, we’ll be presenting webinars on automating at scale, DevSecOps and automating on Azure with Chef. See full details on each webinar after the jump.

Using Chef Supermarket: A Guided Tour

Supermarket is the Chef community’s central clearing house for sharing cookbooks, tools, and plugins. It is a place for Chef community members to download community cookbooks, collaborate on cookbooks, and upload cookbooks to be used by other community members. It is also the place to share information about tools that improve Chef’s ecosystem. The Supermarket makes it easier to start participating in Chef’s open source projects by allowing individuals and corporations to sign and manage their Contributor License Agreements (CLA’s). Check out the Supermarket Announcement Blog Post for more information.

There are two versions of Supermarket available today.

Public Supermarket

This is available at the Chef Supermarket site. This is an open source project; you can find and contribute to the repo on GitHub.

Private Supermarket

There is also a version of Supermarket that can be run privately in your own infrastructure. This guide will not cover the private version of Supermarket, but many of the same principles will apply. Stay tuned for a Private Supermarket guide!

Getting Started with Supermarket

There are a few things you will need to work with Supermarket.

Knife

You will need Knife to interact with the Supermarket.

The easiest way to get Knife (along with many other tools needed to use both Supermarket and Chef) is through the Chef Development Kit.

Make sure you have a knife.rb config file set up.

This guide will take you through the basics of using Knife and Supermarket. For more information on the various commands and options, please see the full Knife cookbook site documentation.

Browsing the Supermarket

You can now take several actions to browse the community cookbooks available on the Supermarket site.

List

To see a list of all community cookbooks available from Supermarket, run the following:
 $ knife cookbook site list
This will return lots of output similar to:
  1password                            minecraft
  301                                  mineos
  7-zip                                minidlna
  AWS_see_spots_run                    minitest
  AmazonEC2Tag                         minitest-handler
  Appfirst-Cookbook                    mirage
  CVE-2014-3566-poodle                 mlocate
  CVE-2015-0235                        mod_security
  Obfsproxy                            mod_security2
  R                                    modcloth-hubot
  Rstats                               modcloth-nad
  SysinternalsBginfo                   modman
  VRTSralus                            modules
  abiquo                               mogilefs
  acadock                              mongodb
  accel-ppp                            mongodb-10gen
  accounts                             mongodb-agents
  accumulator                          monit
  [etc]

Search

Looking for a particular cookbook? The most downloaded cookbook as of February 2015 is the mysql cookbook. If I wanted to search for this cookbook I would use a command similar to this:
 $ knife cookbook site search mysql
Which will return output similar to this:
  mysql:
    cookbook:             http://cookbooks.opscode.com/api/v1/cookbooks/mysql
    cookbook_description: Provides mysql_service, mysql_config, and mysql_client resources
    cookbook_maintainer:  chef
    cookbook_name:        mysql
  mysql-apt-config:
    cookbook:             http://cookbooks.opscode.com/api/v1/cookbooks/mysql-apt-config
    cookbook_description: Installs/Configures mysql-apt-config
    cookbook_maintainer:  tata
    cookbook_name:        mysql-apt-config
  mysql-multi:
    cookbook:             http://cookbooks.opscode.com/api/v1/cookbooks/mysql-multi
    cookbook_description: MySQL replication wrapper cookbook
    cookbook_maintainer:  rackops
    cookbook_name:        mysql-multi
Let’s take a closer look at that first mysql cookbook.

Show

To view more information about a particular cookbook, run the following:
 $ knife cookbook site show mysql
Which will return output similar to this:
  average_rating:
  category:           Other
  created_at:         2009-10-28T19:16:54.000Z
  deprecated:         false
  description:        Provides mysql_service, mysql_config, and mysql_client resources
  external_url:       http://github.com/opscode-cookbooks/mysql
  foodcritic_failure: true
  issues_url:
  latest_version:     http://cookbooks.opscode.com/api/v1/cookbooks/mysql/versions/6.0.15
  maintainer:         chef
  metrics:
    downloads:
      total:    79275449
    versions:
      0.10.0: 927561
      0.15.0: 927536
      0.20.0: 927321
      0.21.0: 927298
      0.21.1: 927311
      0.21.2: 927424
      0.21.3: 927441
      0.21.5: 927326
      0.22.0: 927297
      0.23.0: 927353
      0.23.1: 927862
      0.24.0: 927316
If you want to take a look at a specific version of a cookbook, include it in the command like this:
 $ knife cookbook site show mysql 0.10.0
Which will return output similar to:
  average_rating:
  cookbook:          http://cookbooks.opscode.com/api/v1/cookbooks/mysql
  file:              http://cookbooks.opscode.com/api/v1/cookbooks/mysql/versions/0.10.0/download
  license:           Apache 2.0
  tarball_file_size: 7010
  version:           0.10.0

Downloading and Installing from the Supermarket

Ready to download and install a cookbook from the community site?

Download

To download a cookbook as a tar.gz archive and place it in the current working directory, use the download command.
$ knife cookbook site download mysql

Install

Installing a cookbook is similar to downloading it, but rather than saving the cookbook as a tar.gz, it extracts the cookbook and sets up a git branch so you can keep it up to date with the original cookbook. See this Stack Overflow for an excellent explanation.

It also resolves dependencies and creates a new branch for each of the dependent cookbooks.

$ knife cookbook site install mysql
NOTE: If you receive the error “ERROR: IOError: Cannot open or read /Users/nshamrell/chef-repo/cookbooks/mysql/metadata.rb”, check which version of knife you are using with:
$ knife -v
If it is lower than Chef: 12.0.2, you will need to update your version of Knife. However, if you are using Chef DK and rvm, try running this command:
$ rvm use system
Then retry
$ knife cookbook site install mysql

Uploading to the Supermarket

Now let’s upload a cookbook to the Supermarket. If you have a cookbook of your own you would like to use, please do! If you’d like some guidance in creating a very basic cookbook of your own to practice uploading to the Supermarket, see the “Create Cookbook” section of the Supermarket Docs.

Share

There are a few things you’ll need in place before you can upload your cookbook to the Supermarket. First, take a look at your knife.rb configuration file. Mine lives at .chef/knife.rb.

You will need to have lines similar to this in the config file. If you don’t already have them, please add them in.

  node_name "nellshamrell" # Replace with the login name you use to log in to the Supermarket.
  client_key "#{ENV['HOME']}/.chef/client.pem" # Define the path to wherever your client.pem file lives.  This is the key you generated when you signed up for a Chef account.
  cookbook_path [ '/Users/nshamrell/Projects/my_chef_repo/cookbooks' ] # Directory where the cookbook you're uploading resides.
We also recommend that you add both a ‘source_url’ and ‘issues_url’ in your cookbooks’ metadata. Then, when your cookbook appears on Supermarket, it will also display a link to your cookbook’s source (e.g. a GitHub repo) and issues (e.g. GitHub issues for your repo).

Then use this command to upload the cookbook to the Supermarket!

$ knife cookbook site share "my_apache2_cookbook" "Web Servers"
Notice that I defined the Supermarket category my cookbook should be in – in this case, “Web Servers”. Other categories you can use are “Databases”, “Process Management”, “Monitoring & Trending”, “Programming Languages”, “Package Management”, “Applications”, “Networking”, “Operating Systems & Virtualization”, “Utilities”, or “Other”.

Stove

Stove is an alternate tool for sharing cookbooks. For more information, please see the project GitHub page.

Unshare

Should you ever need to unshare a cookbook from the Supermarket, you can use the “unshare” command to do so.
$ knife cookbook site unshare my_apache2_cookbook
This will remove your cookbook from the Supermarket site.

If you receive an error which looks like this:

ERROR: Invalid Redirect: DELETE request was redirected from https://supermarket.getchef.com/api/v1/cookbooks/my_apache2_cookbook to https://supermarket.chef.io/api/v1/cookbooks/my_apache2_cookbook. Only GET and HEAD support redirects.
Change your server location in knife.rb to the server's FQDN to avoid unwanted redirections.

You need to upgrade your Chef version to 12.1.1 or higher. Visit the Chef Client Download Site to download and install it for your operating system.

For more information, check out the Supermarket docs.

And there you have it, the basics of using Chef Supermarket! Happy cooking!

Standard Bank: Our DevOps Journey (Part 5)

This is the fifth entry in our ongoing, bi-weekly series examining our customer Standard Bank’s DevOps journey. You can read the first entry here, the second entry here, the third entry here, and the fourth entry here. Continue below for part five.

In this blog post, we talk to several members of the Chop Chop team. Derek Chung is the iteration manager and manages the deliverables. Mark Figueira works in Quality Assurance. Marcus Talken is the technical lead. Their discussion revolves around change—changes in process, changes in approaches to testing, changes in tools and changes in culture.

To set the stage, Mark described the waterfall approach that Standard Bank has traditionally used to develop applications.

“Business had its requirements. Those got handed to a business analyst who drafted an FSS (functional system specifications). The FSS went to the technical teams. Depending on the organization, one team would deliver the infrastructure and the other would deliver the application. In parallel, someone would write the test cases based on the requirements within the functional spec.”

“It would get to a point where development would complete some form of unit testing. Then, the application would be handed off to another organization for component integration testing. When that phase was complete, another organization performed system integration testing.”

“There were three testing cycles and we were always picking up bugs, throwing the application back over the fence to development or, if there were other requirements, back to the business analyst who would then confirm the requirements with business, update the functional spec, and update the test cases. You could be working on a project for five months and still hit a bug that delayed the whole process.”


Single chef-client run with multiple reboots on Windows

This post originally appeared on Chef engineer Alex Vinyar’s blog.

To teach is to learn…

…or something along these lines. “How do I manage reboots with chef-client on Windows” is a question I hear every so often.

So, this time around, I decided to buckle down and write down as many ways as I could remember to reboot a server and continue a chef-client run. No mucking around with the runlist, or messing around with multiple runlists, definitely no manual steps, and most definitely no knife exec.

Here is my brainchild – input and feedback are most welcome!

https://github.com/vinyar/chefwinreboots

In my experience I found a couple of common situations where Windows needs to be defibrillated:
  • something has been installed and reboot is needed
  • a bunch of somethings have been installed and reboot is needed
  • something needs to be installed and a reboot is pending
  • a series of somethings needs to be installed and they have various reboot state requirements
  • a week has passed since a reboot has been performed
  • server joined a domain
With Chef managing your infrastructure there is a new reboot scenario:
  • reboot immediately without aborting a chef-client run
The patterns in the GitHub repo allow users to manage reboots at the resource level, or as a wrapper cookbook pattern.

A real example can be seen in pattern two – which was really the genesis for this repo from way back when - https://github.com/vinyar/chefwinreboots/blob/master/reboot_demo/recipes/pattern2.rb

Chef Community Triage and Where You Can Help!

Our Triage Process

The Community Engineering team, along with others in Chef engineering, has been working to triage issues that come in on our open source projects.

Part of that process includes identifying and categorizing issues and assigning them to milestones. Those milestones are general targets and do not, repeat, do not mean that they’ll be addressed for any particular release. What the milestones do is provide a backlog to work from for those release points. At this time, we’ve got three main milestones (the names of which are subject to change). They are “Accepted Major”, “Accepted Minor”, and “Help Wanted”.

The “Accepted Major” milestone is intended for features with breaking changes or with a very large scope.

“Accepted Minor” covers work that we, as Chef Engineering, want to implement or resolve – though PRs from the community for features or bugs with this milestone are welcome and encouraged!

The final milestone is “Help Wanted” which covers bugs or feature requests that we’d like to have implemented in Chef, but fall below the priority level for features or bugs in the previous two milestones.

Features or bugs can move between milestones (especially as feedback is added to existing issues or there are multiple reports or requests for a particular bug or feature).

The “Help Wanted” milestone is where we really want your help. If you have bugs or features you’d like to see that are in this milestone, we are counting on the community to help us deliver these. You can find all the “Help Wanted” milestone issues for the Chef project with a simple search.