Monday, August 17, 2015

ChefDK 0.7.0 Released

Hola Chefs!  ChefDK 0.7.0 is now out and ready for consumption at our downloads page.  We have numerous features, updates and bug fixes for all of you.  To highlight, we have:

  • a new environment variable CHEFDK_HOME that points to cookbook and gem caches.
  • the latest patched SSL CA certificate bundle.
  • chef show-policy, a new command to describe the state of your Policyfiles on the server.
  • multiple default sources in Policyfile.
  • an option to chef export policy data into a tar-ball and chef push-archive them.
  • PowerShell wrappers to ameliorate double/triple quoting issues.
  • signed ChefDK MSIs on Windows for added safety.
  • updated dependencies:
      • chef-12.4.1
      • ohai-8.5.1
      • chef-provisioning-1.3.0
      • chef-provisioning-vagrant-0.9.0
      • chef-provisioning-aws-1.3.1
      • cheffish-1.3.1
      • chefspec-4.3.0
      • knife-windows-0.8.6
      • winrm-transport-1.0.2

Delightful First-use Experience

We have made a number of updates that allow you to install ChefDK and start cheffing right away.

CHEFDK_HOME environment variable

All ChefDK commands that cache cookbooks, gems and other items now look for them in this location.  By default, this is in %LOCALAPPDATA%\chefdk on Windows and ~/.chefdk otherwise.  On Windows, you can also request the MSI installer to fix your environment for you by exporting a default %HOME% environment variable when launching commands.  Both these changes ameliorate bad side-effects from using network mounted home drives that may not always exist.

SSL CA certificate bundle update

We now use Mozilla's root certificates from 2015-04-22.  We manually allow one older RSA 1024 bit key for Verisign that is still being used in the trust chain for a number of websites including Amazon S3 – so you can still access those locations through various chef tools.

Policyfile Improvements

List Policies on a Chef Server

The chef show-policy command describes the state of Policyfiles on your Chef Server.  With no arguments, it shows all policies, like this:

aar
===

* dev: 95040c1993
* production: 95040c1993
* staging: 37f9b658cd

jenkins
=======

* dev: fcb73eccac
* production: *NOT APPLIED*
* staging: *NOT APPLIED*

You can also provide a policy name to just show that kind of policy, like chef show-policy aar.  Adding a policy group will show the current revision of the policy applied to that policy group – for example chef show-policy aar production.

Multiple Default Sources in Policyfiles

You can now have multiple default sources in your Policyfiles, so long as none of the cookbooks in those sources conflict with each other.  This allows you to specify both supermarket and your local Chef Repo as sources, and Chef will automatically pull cookbooks from both as needed.  For example, in my demo project I have:

name "jenkins"
default_source :supermarket
default_source :chef_repo, "cookbooks"
run_list "apt", "java", "jenkins::master", "recipe[policyfile_demo]"

In this example, the policyfile_demo cookbook is sourced from the cookbook repo, while the apt, java, and jenkins cookbooks (and their dependencies) are sourced from the supermarket.

Exporting Packaged Policies

ChefDK now makes it easier to use Policyfiles in secure environments with restricted networks by packaging an entire policy and later uploading the packaged policy to a Chef Server in the secured environment.

To create a packaged policy, simply add the -a flag to chef export – e.g., chef export -a ..  This will package up all the cookbooks and policy data into a tarball, which you can then move into the secured environment.  From there, you can run the new chef push-archive command to upload the policy to your Chef Server.

Windows Improvements

PowerShell wrappers

There is now an optional feature in the MSI that you can enable during the installation of ChefDK that deploys a PowerShell module alongside the rest of your installation (usually at C:\opscode\chefdk\modules\). This location will also be appended to your PSModulePath environment variable. You may activate it by running the following from any PowerShell session:

Import-Module chef  

You can also add the above to your PowerShell profile at ~\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1.

The module exports a number of cmdlets that have the same name as the Chef command line utilities that you already use – such as chef-client, knife and chef-apply. What they provide is the ability to cleanly pass quoted argument strings from your PowerShell command line without the need for excessive double-quoting. See chef#3026 or chef#1687 for examples.

Previously you would have needed

knife exec -E 'puts ARGV' """&s0meth1ng"""
knife node run_list set test-node '''role[ssssssomething]'''

Now you only need

knife exec -E 'puts ARGV' '&s0meth1ng'
knife node run_list set test-node 'role[ssssssomething]'

If you wish to no longer use the wrappers, run

Remove-Module chef  

Signed MSIs

ChefDK MSIs are now signed using a code-signing cert. This should allow for simpler and faster installation of ChefDK in a secure manner. (Note: the SmartScreen filter on Windows, and other similar filters, may still initially report a warning message about the file not being commonly downloaded – this is normal, and does not mean that the package is insecure.  It takes time for the reputation algorithm to gain confidence in our cert).
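
Because SmartScreen reputation says nothing about who signed the file, it helps to check the Authenticode signature yourself before installing. The following is an added example, not part of the original announcement or of ChefDK itself; the function name, the MSI file name and the pinned thumbprint are placeholders you would replace with values obtained out of band.

```powershell
# Added example: verify an MSI's Authenticode signature before installing it.
function Test-InstallerSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Thumbprint of the signer certificate you expect (placeholder in the call below).
        [Parameter(Mandatory)] [string] $ExpectedThumbprint
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "Installer not found: $Path"
    }

    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # Anything other than Valid (NotSigned, HashMismatch, NotTrusted, ...) is a failure.
    if ($sig.Status -ne [System.Management.Automation.SignatureStatus]::Valid) {
        Write-Warning "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
        return $false
    }

    # A valid signature only proves *someone* trusted signed it; pin the signer too.
    $actual   = $sig.SignerCertificate.Thumbprint
    $expected = ($ExpectedThumbprint -replace '\s', '').ToUpperInvariant()
    if ($actual -ne $expected) {
        Write-Warning "Unexpected signer: $($sig.SignerCertificate.Subject) [$actual]"
        return $false
    }

    # Without a timestamp countersignature the signature stops validating
    # once the signing certificate expires.
    if ($null -eq $sig.TimeStamperCertificate) {
        Write-Warning 'Signature carries no timestamp countersignature.'
    }
    return $true
}

$msi    = '.\chefdk-installer.msi'       # hypothetical file name
$pinned = '<SIGNER-CERT-THUMBPRINT>'     # placeholder, not a real value

if (Test-InstallerSignature -Path $msi -ExpectedThumbprint $pinned) {
    Start-Process msiexec.exe -ArgumentList '/i', "`"$msi`"" -Wait
} else {
    Write-Error "Refusing to install $msi"
}
```

A pinned thumbprint changes whenever the publisher renews its code-signing certificate, so update the pin from a trusted source when that happens.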