Today we are releasing 10.30.2 & 11.8.2 of Chef Client as well as 1.3.0 of mixlib-shellout.
Release highlights for 10.30.2 & 11.8.2:
- Omnibus packages of 10.30.2 & 11.8.2 now include Ruby version 1.9.3-p484. This Ruby version includes a fix for a published security vulnerability in Ruby. Check this for more details.
- 10.30.2 & 11.8.2 also include a security fix for CHEF-4662, reported by James Ogden. These releases make sure that the necessary permissions are applied to the temporary files created while modifying Chef objects with knife. You can check this to get more information about this issue.
Big thanks to James Ogden for reporting the security issue, and to Phil Dibowitz, our first external committer to Chef, for contributing whyrun_safe_ruby_block and for his help validating the 10.30.2 release.
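The class of problem behind CHEF-4662, shown as an added example that is not Chef's or knife's code: an edit file whose mode is left to the process umask, next to one created privately, with a check you can run against either. The helper names and the sample item are hypothetical and constructed for illustration.

```ruby
require "tmpdir"
require "json"
require "securerandom"

# Hypothetical helper names; this is not knife's implementation.

# Weak pattern: predictable name, mode left to the process umask
# (0644 with the common umask 022, so other local users can read it).
def write_edit_file_weak(dir, name, object)
  path = File.join(dir, "#{name}.js")
  File.open(path, "w") { |f| f.write(JSON.pretty_generate(object)) }
  path
end

# Hardened pattern: random name, O_EXCL so an existing file or symlink
# is never reused, and mode 0600 requested at creation time.
def write_edit_file_private(dir, name, object)
  path = File.join(dir, "#{name}-#{SecureRandom.hex(8)}.js")
  flags = File::WRONLY | File::CREAT | File::EXCL
  File.open(path, flags, 0o600) { |f| f.write(JSON.pretty_generate(object)) }
  path
end

# True when group or other have any permission bit set on the file.
def exposed_to_others?(path)
  (File.stat(path).mode & 0o077) != 0
end

# Constructed sample object standing in for a data bag item being edited.
SAMPLE_ITEM = { "id" => "db_credentials", "password" => "constructed-example" }.freeze

def demo
  Dir.mktmpdir("edit-demo") do |dir|
    old_umask = File.umask(0o022) # pin the umask so the result is reproducible
    begin
      weak = write_edit_file_weak(dir, "item", SAMPLE_ITEM)
      safe = write_edit_file_private(dir, "item", SAMPLE_ITEM)
      { weak_mode: File.stat(weak).mode & 0o777, weak_exposed: exposed_to_others?(weak),
        safe_mode: File.stat(safe).mode & 0o777, safe_exposed: exposed_to_others?(safe) }
    ensure
      File.umask(old_umask)
    end
  end
end

p demo if __FILE__ == $PROGRAM_NAME
```

The same exposed_to_others? check can be pointed at any temporary file left behind by an editing workflow to confirm that only its owner can read it.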
Chef Client 10.30.2
In addition to these, 10.30.2 also includes:
Improvements to node attribute calculation
In 10.30.2 Chef fixes the problems around using the to_hash() method on node attributes.
Before 10.30.2, Chef used to merge the values of array attributes coming from different precedence levels. In this release Chef makes sure that the values from the higher precedence levels override the values from the lower precedence levels. This is also the behavior of Chef 11.x versions.
E.g., if a node had a default value of ["foo", "bar"] and an override value of ["zoo", "bar"] for an attribute:
- Prior to Chef 10.30.2 the calculated value would be ["bar", "foo", "zoo"]
- With Chef 10.30.2 the calculated value will be ["zoo", "bar"]
NOTE: We don’t expect this to be a breaking change for you. But if this breaks your cookbooks you can set the below configuration in your client.rb to restore the old behavior:
Chef::Config[:deep_merge_array_concat] = false
New property :excluded_members on group resource
The :excluded_members property on the group resource takes an array of user accounts and makes sure that the group doesn’t contain any of the specified members after convergence. It is useful if you would like to remove certain accounts from your groups.
Note that it is only applicable while running :manage and :modify actions for a group resource and only for resources on which :append is set.
New resource: whyrun_safe_ruby_block
10.30.2 introduces a new resource called whyrun_safe_ruby_block which is similar to the ruby_block resource but also gets executed during why-run mode.
Here is a list of other issues that are fixed in 10.30.2:
- [CHEF-1260] – File Resource shouldn’t checksum large files if checksum is not needed
- [CHEF-2682] – Redirected API requests can result in confusing error messages
- [CHEF-3297] – The groupmod provider should allow you to remove individual users
- [CHEF-3582] – whyrun mode fails for user resource lock action
- [CHEF-3899] – Create reads in entire file
- [CHEF-4057] – Regression in passing headers through an HTTP direct
- [CHEF-4380] – package resource with “source” is broken on EL6 using 11.6.0rc3
- [CHEF-4435] – Chef::DataBag.save does a PUT getting a 405 from the chef server
- [CHEF-4596] – .to_hash sometimes unique-ifies internal arrays
- [CHEF-4631] – to_hash returns all precedence instead of highest precedence
- [CHEF-4662] – knife edit creates temporary files with insecure permissions
- [CHEF-4752] – Unable to bootstrap chef 10 onto ruby 1.8
- [CHEF-4807] – Upgrade Ruby to 1.9.3 patchlevel 484
- [CHEF-4110] – ruby_blocks should support why_run
- [CHEF-4616] – Chef-client Cannot Handle Bare IPv6 In chef_server_url
10.30.2 also includes mixlib-shellout version 1.3.0. This version of mixlib-shellout now cleans up the system by terminating processes that do not complete within the specified :timeout. You can read more about this change here.
Getting the releases
You can get the omnibus packages for new Chef releases using:
curl -L "https://www.opscode.com/chef/install.sh" | sudo bash -s -- -v 10.30.2
curl -L "https://www.opscode.com/chef/install.sh" | sudo bash -s -- -v 11.8.2
Let us know if you experience any issues with these releases.