
Chef 0.8.14 Release

It’s Chef release time again! This time, we’re skipping 0.8.12 and heading right to 0.8.14 due to a hiccup in our publishing process. Chef 0.8.14 has a huge amount of bug fixes and improvements, thanks to the tireless work of our awesome community. Most importantly, Chef 0.8.14 provides a fix for a privilege escalation vulnerability discovered and fixed by our community security guru, Tollef Fog Heen. The problem was that valid, non-administrator clients were able to edit their administrative status and become administrators. Users of previous versions should upgrade as soon as possible. In addition to this fix, the validation client created when you first install Chef server now only has enough privileges to register new nodes—it can no longer create admin clients. Knife’s configuration command has been updated to make this distinction much clearer.
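The following is an added illustration, not Chef server code and not part of the original post, of the class of bug described above and of the two restrictions this release introduces. The `Client` record, the handler names and the field-copy mechanism are hypothetical; the post does not show the actual defect.

```ruby
# Hypothetical model for illustration; this is not Chef server code.
Client = Struct.new(:name, :admin, :validator, keyword_init: true)

class Forbidden < StandardError; end

# Vulnerable pattern: every submitted field is copied onto the record, so a
# client that is allowed to update itself can also set its own "admin" flag.
def update_client_unsafe(requester, target, params)
  raise Forbidden, "not your record" unless requester.admin || requester.name == target.name
  params.each { |key, value| target[key] = value }
  target
end

# Hardened pattern: privilege-bearing fields may only be changed by an admin.
PRIVILEGED_FIELDS = %i[admin validator].freeze

def update_client(requester, target, params)
  raise Forbidden, "not your record" unless requester.admin || requester.name == target.name
  # Only fields whose value actually differs count as a change.
  changed = params.select { |key, value| target[key] != value }
  escalation = changed.keys & PRIVILEGED_FIELDS
  unless escalation.empty? || requester.admin
    raise Forbidden, "only admins may change #{escalation.join(', ')}"
  end
  changed.each { |key, value| target[key] = value }
  target
end

# Registration: the validator may create clients, but never privileged ones.
def create_client(requester, params)
  raise Forbidden, "may not register clients" unless requester.admin || requester.validator
  if !requester.admin && PRIVILEGED_FIELDS.any? { |field| params[field] }
    raise Forbidden, "validator may only register non-admin clients"
  end
  Client.new(name: params.fetch(:name), admin: !!params[:admin], validator: !!params[:validator])
end
```

A regression test for this kind of fix should assert both directions: the self-update that sets `admin` is rejected, and an ordinary self-update that leaves `admin` unchanged still succeeds.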

Now, on to the fun stuff: two features we’re super proud of in this release are preliminary support for both the Windows platform and Ruby 1.9. Support for both Windows and Ruby 1.9 is limited to Chef client and Chef solo for now—Ruby 1.9 will be supported on Chef server when we upgrade to Merb 1.1.0.

On Windows, you are now able to use the file, directory, remote_file, remote_directory, template, and execute providers. We have also added a Windows service provider that allows you to stop, start and restart Windows services.

Our community was amazing as always during this release cycle. Your MVP for this release is Renaud Chaput. Renaud has been working with the FreeBSD Ruby team to get Chef running smoothly on FreeBSD, tackling a nasty bug where MRI’s threading implementation would cause Ruby to hang after forking a subprocess on FreeBSD. We are always excited about expanding platform support, so we are also tremendously excited about Renaud’s work to package Chef on FreeBSD.

Olivier Raginel added to our ever-expanding platform support with a patch that enables Chef to run correctly on Scientific Linux.

In addition to the security fixes I’ve already mentioned, Tollef Fog Heen contributed a ton of bug fixes and improvements, including the ability to purge remote directories of untracked files, improvements to our spec suite and more.

Matthew Kent fixed some particularly annoying bugs with Chef repo, and made sure Chef does everything in the right order when starting up as root and dropping privileges.

Farzad Farid fixed rake roles in Chef repo.

Bruce Krysiak fixed our user and group providers on Mac OS X 10.5.

Tim Harper contributed a patch to our revision deploy provider, allowing it to recover if its history cache was deleted. Thanks again, Tim.

Ben Standefer contributed a handy usability fix so Chef will reveal the culprit when a malformed metadata file is loaded.

Pierre Baillet added a text output format for knife for easier integration with shell scripts.

I’d also like to give a shout out to Kurt Yoder for catching a tricky bug right before release. We’d introduced a bug where knife would change its working directory to root, so commands like cookbook uploading would fail when given a relative path. This release is much better thanks to your testing, Kurt.

Also in this release, we’ve added some new knife commands to interact with cookbooks.opscode.com. `knife cookbook site download` downloads cookbooks (surprise!) and `knife cookbook site vendor` downloads a cookbook, then does some source control magic to stick that cookbook in a vendor branch. From there, you can tweak the cookbook for your environment, keep your changes in source control, and apply your patches to newer versions of the upstream cookbook when it is released. I’d like to thank everyone who contributed to the lively mailing list discussion that inspired this feature. We feel that sharing cookbooks is a big deal, and we’re happy you guys took the time to offer your thoughts and make sure we keep streamlining and improving this process.

Release Notes – Chef – Version 0.8.14

Bug

  • [CHEF-424] – Chef’s Tempfile leaves lot of chef-rest files in /tmp
  • [CHEF-557] – Remove rubygems from any libraries
  • [CHEF-675] – Allow for rendering file contents with a ‘content’ variable
  • [CHEF-724] – Chef should complain when it can’t find any cookbooks
  • [CHEF-751] – mixlib-authentication needs version tags
  • [CHEF-785] – svn_arguments not used when svn info is called (deploy resource)
  • [CHEF-791] – Help text for -T refers to openid
  • [CHEF-845] – Wrong number of arguments in preseed_package
  • [CHEF-1001] – gem provider specify’s the source of ‘gems.rubyforge.org’ if the source is not specified, which is a deprecated mirror…
  • [CHEF-1025] – mdadm provider is broken
  • [CHEF-1030] – Properly escape existing cron-job names
  • [CHEF-1032] – rake test no longer performs syntax check on ruby and erb files
  • [CHEF-1050] – FreeBSD: chef commands freeze during ohai calls
  • [CHEF-1060] – Deep merge json attributes passed on the command line
  • [CHEF-1087] – chef-solr truncating logs, not logging startup
  • [CHEF-1091] – chef_repo rake task fails to build metadata
  • [CHEF-1092] – chef problems with dropping privileges
  • [CHEF-1099] – chef-solr problems with dropping privileges
  • [CHEF-1107] – Revision Provider for Deployment Resource cannot recover if cache file storing deployed revisions is lost
  • [CHEF-1121] – Group/user creation / null group append fails on OSX
  • [CHEF-1126] – Deleting a role is extremely slow when using couchdb 10
  • [CHEF-1150] – "knife configure -i" uses hardcoded validation key path
  • [CHEF-1151] – Chef Solr should not run ohai in its startup sequence
  • [CHEF-1152] – Scientific Linux missing from chef/lib/platform.rb
  • [CHEF-1166] – There is no need to save the node after syncing cookbooks
  • [CHEF-1168] – RubyGems 1.3.7 will introduce an issue where Chef’s gem_package won’t be able to install arch-specific packages
  • [CHEF-1170] – File lookup problems cause specs to fail on ruby 1.9.2 when run with rake
  • [CHEF-1172] – file_spec.rb test is time zone dependent
  • [CHEF-1173] – clients can turn themselves into admins
  • [CHEF-1178] – rake role[role_name] does not work at all
  • [CHEF-1181] – knife configure needs to be updated to reflect that the validator is no longer an administrator

Improvement

  • [CHEF-489] – Ruby 1.9 Support for Chef
  • [CHEF-510] – be able to use debian/ubuntu libjs-jquery packaged library for chef-server
  • [CHEF-632] – remote_file resource should display an INFO message at start of a download
  • [CHEF-641] – Improvements to RPM packages
  • [CHEF-669] – optional rubygems?
  • [CHEF-721] – support for purging managed directories
  • [CHEF-804] – make knife ‘configure’ give an example of the server url requested
  • [CHEF-1008] – validation key should not be an admin key
  • [CHEF-1105] – bring back the ruby/template test cache
  • [CHEF-1109] – Add descriptive error message identifying the file when an invalid metadata.json is loaded from a cookbook.
  • [CHEF-1120] – Regex validation in the params validation mixin should print regex.inspect instead of regex.to_s in the error message
  • [CHEF-1155] – Allow ‘execute’ resource to accept multiple return values without error.
  • [CHEF-1157] – Make Chef-Client run on Windows with cookbooks using file, directory, remote file, remote directory, and template providers
  • [CHEF-1174] – Knife output format: Allow more simple output for single attribute

New Feature

  • [CHEF-1164] – Service Provider on Windows

Task

  • [CHEF-674] – uuidtools gem needs to be packaged for debian
  • [CHEF-1053] – Chef source code repository need a CONTRIBUTING file
  • [CHEF-1106] – remove suse copyrighted init script
  • [CHEF-1108] – attribute note for streaming_cookbook_uploader.rb from author

Dan DeLeo