
Get the Most From Chef: Analytics, Provisioning, and More

Earlier today, Chef Automation Engineer Galen Emery presented a webinar on how to “Get the Most From Chef” with some of our newest features.

Chef Analytics: Do you have compliance or audit requirements? Get real-time visibility into what’s happening on the Chef server.

Chef Provisioning: Spend less time on the tedious stuff. Describe, version, deploy, and manage clusters of any size and complexity with a single tool set.

Chef Delivery: Get a sneak peek of our new continuous delivery tool currently available by invitation only.

Watch the recording of the webinar to see demos and learn how to get and be successful with these features. Q&A from the live webinar is available below.

Q&A From the Live Webinar:

Q: Can analytics integrate with Slack? Or would we need to use a web hook?

A: Currently you need to use a webhook.

Q: How can I extend Chef analytics to show what cookbooks are installed on nodes?

A: A full list of the ability of rules is available here: https://docs.chef.io/analytics_rules.html#run-converge

Q: Is there an easy way to document audit rules in layman’s term?

A: Rules can be stored as JSON documents.

Q: If we pay for 150+ nodes using Chef v12, is Analytics included in this price? Or should I pay for it separately?

A: Analytics is included with any Chef package. It is not a separate item.

Q: Is Analytics a separate component to be installed on a different server apart from Chef Server? If so, how does the integration work?

A: Analytics runs on its own server in your datacenter. It doesn’t need to be as large as Chef Server, but does require fast disk for writing to the database.

Q: Does Chef Supermarket have audit rules for STIG compliance available?

A: Currently we have some of the rules for the CIS benchmarks built.

Q: If you have an existing environment without Chef Client setup, is there a method to audit the production environment for PCI?

A: By setting up your analytics rules and running audit_mode you can audit your systems for PCI compliance, regardless of whether you manage them with Chef.

Q: Are these features available on hosted chef? If not, when will they be?

A: We are looking at Q4 at the earliest for Analytics to be available on Hosted Chef.

Q: Is there a whitepaper or blog that takes you step by step installing Chef Server 12, Analytics, Provisioning, etc. to setup a local POC?

A: Not currently. We are working on building out more of this. This will most likely be built on top of the AWS Chef Server AMI as a base.

Q: Is it safe to manage PCI compliant AWS nodes with Chef Server?

A: Analytics enables us to be very confident in managing our compliant nodes with Chef. We can be confident as we make changes that we are staying compliant.

Q: Does it require any agent to be installed on the node?

A: The only agent required is the chef-client, which we use to push out node policy.

Q: Does Analytics provide any REST api to get the information?

A: Yes. Everything at Chef is built upon REST APIs.

Q: Where would I get a complete code sample for a particular case study?

A: CIS Benchmark examples can be found here: https://supermarket.chef.io/cookbooks/audit-cis

Q: Can existing RSpec/Serverspec specs be used with Analytics, or do they need to be converted?

A: If your existing Serverspec tests use the “expects” format, they can be used by audit_mode as is. If they use “should” then you’ll need to convert them.
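A small converter for the case described in that answer, added here as an example (it is not code from Chef or from the webinar): it rewrites the common Serverspec “should” forms into the “expect”/“is_expected” forms that audit_mode accepts, passing every other line through unchanged. The sample spec it runs on is constructed for the example.

```ruby
# Added example, not Chef's code: rewrite legacy Serverspec "should" assertions
# into "expect" style. Two forms are handled:
#   explicit subject:  port(22).should be_listening
#                        -> expect(port(22)).to be_listening
#                      service('sshd').should_not be_running
#                        -> expect(service('sshd')).not_to be_running
#   implicit subject:  it { should be_file }
#                        -> it { is_expected.to be_file }
# describe blocks, comments, blank lines and "end" lines are left untouched.

EXPLICIT_RE = /\A(\s*)(\S.*?)\.should(_not)?\s+(.+)\z/
IMPLICIT_RE = /(?<![\w.])should(_not)?\s+/

def convert_line(line)
  text = line.chomp
  return text if text.lstrip.start_with?('#')
  if (m = EXPLICIT_RE.match(text))
    indent, subject, negated, matcher = m.captures
    return "#{indent}expect(#{subject}).#{negated ? 'not_to' : 'to'} #{matcher}"
  end
  # Implicit-subject one-liners: "should" is not preceded by a word char or a dot.
  text.gsub(IMPLICIT_RE) { $1 ? 'is_expected.not_to ' : 'is_expected.to ' }
end

def convert_spec(source)
  source.lines.map { |l| convert_line(l) }.join("\n") + "\n"
end

# Constructed sample of a legacy Serverspec file (hypothetical content).
SAMPLE = <<~SPEC
  describe port(22) do
    it { should be_listening }
  end

  describe file('/etc/ssh/sshd_config') do
    it { should_not be_writable.by('others') }
    its(:content) { should match /PermitRootLogin no/ }
  end

  describe service('sshd') do
    it 'is running' do
      service('sshd').should be_running
    end
  end
SPEC

puts convert_spec(SAMPLE) if __FILE__ == $PROGRAM_NAME
```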

Q: Other than Splunk, do you support standard syslog? Or integration with other event correlation tools such as Sumo Logic, AlienVault, QRadar, etc.?

A: We are working next on adding PagerDuty and AWS support. Analytics events are logged on the server and can be pulled out via syslog or similar frameworks.

Q: Can provisioning manage changes to environments or is it only useful when building a new environment? For example, I need to scale from 5 to 10 app nodes.

A: Yes, provisioning can build new environments or scale up existing ones.

Q: Can I use AWS CloudFormation to provide the EC2 instances and then use Chef to set up the machine?

A: Yes, you can use CloudFormation to build systems and then use Chef to set up the machine. Or you can use Chef to do all of it.

Q: Since Chef is prescriptive, do you have any other examples of use cases for audit mode? For instance, you could have simply applied the remediate recipe from the beginning, since it is idempotent, instead of first auditing and then applying. Is the primary purpose of audit mode to be an extra layer of insurance?

A: Analytics can be used to do more than just provide insurance for Chef runs. It can be used to bring unmanaged fleets into management by determining their current state. It can also be used by Audit and Security teams to ensure that nodes meet the required policies, independent of the recipes being run on the system.

Q: When running more than one Chef Server, can Analytics be merged into one console?

A: Not at this time. We are working on consuming data from multiple chef servers.

Q: Is it possible to send alerts via text to phones?

A: Currently you’d have to tie to a webhook or SMTP > Text service.

Q: If you have a multi-tenant environment (i.e. multiple orgs), would each of those orgs require a different instance of Analytics? Has any thought been given to applying rules across multiple orgs?

A: Analytics can tie into multiple orgs on a Chef Server. We do not currently have a way to apply rules across multiple orgs, but that is on the roadmap along with a number of other replication features for Chef Server.

Q: Can Chef Provisioning support deployment to physical hosts? Your example implied VMs only.

A: Yes. While I deployed to Amazon, provisioning supports physical hosts through the Hanlon driver: https://github.com/chef/chef-provisioning-hanlon.

Q: Are there cookbooks showing examples of PCI compliance across multiple platforms?

A: Not currently. We do have a cookbook for CIS benchmarks available here: https://github.com/chef-cookbooks/audit-cis.

Q: Is it not recommended having Chef Server and Analytics all in one?

A: Analytics and Chef Server should be separate so the system recording the actions is not the system making them.

Q: When creating instances in AWS how are you controlling the host name or are you just relying upon node value from Chef for reporting?

A: The name within the machine resource is creating the name both for AWS and for the Chef Server.

Q: How can I get Delivery?

A: Delivery is currently available by invitation only. Sign up to receive updates as availability expands here: chef.io/delivery.


Jamie Bright

Former Chef employee