Saturday, March 12, 2016

Chef Client 12.8.1 Release [feedly]

Chef Client 12.8.1 Release
// Chef Blog


We just released Chef Client version 12.8.1 to the chef downloads site. Highlights of this release include:

Support for OpenSSL validation of FIPS

Federal Information Processing Standards (FIPS) is a United States government computer security standard that specifies security requirements for cryptography. The current version of the standard is FIPS 140-2. The chef-client can be configured to allow OpenSSL to enforce FIPS-validated security during a chef-client run. This will disable cryptography in OpenSSL that is explicitly disallowed in FIPS-validated software, including certain ciphers and hashing algorithms. Any attempt to use any disallowed cryptography will cause the chef-client to throw an exception during a chef-client run.

Note: Chef uses MD5 hashes to uniquely identify files that are stored on the Chef server. MD5 is used only to generate a unique hash identifier and is not used for any cryptographic purpose.

Notes about FIPS:

  • May only be enabled for nodes running on Microsoft Windows and Enterprise Linux platforms
  • Should only be enabled for environments that require FIPS 140-2 compliance
  • May not be enabled for any version of the chef-client earlier than 12.8

Enable FIPS Mode

Allowing OpenSSL to enforce FIPS-validated security can be enabled in any of the following ways:

  • Set the fips configuration setting to true in the client.rb or knife.rb files
  • Set the --fips command-line option when running any knife command or the chef-client executable
  • Set the --fips command-line option when bootstrapping a node using the knife bootstrap command

Command Option

The following command-line option may be used with a knife or chef-client executable command:

--[no-]fips Allows OpenSSL to enforce FIPS-validated security during the chef-client run.

Bootstrap a node using FIPS

$ knife bootstrap -P vanilla -x root -r 'recipe[apt],recipe[xfs],recipe[vim]' --fips

which shows something similar to:

OpenSSL FIPS 140 mode enabled
...
Chef Client finished, 12/12 resources updated in 78.942455583 seconds

Configuration Setting

The following configuration setting may be set in the knife.rb, client.rb, or config.rb files:

fips Allows OpenSSL to enforce FIPS-validated security during the chef-client run. Set to true to enable FIPS-validated security.
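As an added example (not code from the Chef blog post or from the chef-client codebase), the Ruby snippet below models the two behaviours described above: a digest helper that raises, as a FIPS-enforcing run does, for MD5 and any other non-approved algorithm, and a guard for the platform and version restrictions listed in the FIPS notes. The approved-digest list and the Ohai platform_family values 'windows' and 'rhel' are assumptions of this example.

```ruby
require 'openssl'

# Illustration only; not Chef's own implementation of fips mode.
class FipsViolation < StandardError; end

# Hash functions approved under FIPS 140-2 that OpenSSL exposes by these
# names (assumption: this list is the policy this example enforces; a real
# FIPS-mode OpenSSL applies its own validated algorithm set).
FIPS_APPROVED_DIGESTS = %w[SHA1 SHA224 SHA256 SHA384 SHA512].freeze

# Digest +data+ with +algorithm+, refusing anything outside the approved
# set. MD5 therefore raises here, which is why the note about Chef using
# MD5 purely as a file identifier matters when planning a FIPS rollout.
def fips_digest(algorithm, data)
  name = algorithm.to_s.upcase
  unless FIPS_APPROVED_DIGESTS.include?(name)
    raise FipsViolation, "#{name} is not FIPS 140-2 approved"
  end
  OpenSSL::Digest.new(name).hexdigest(data)
end

# The release notes limit fips to Windows and Enterprise Linux nodes running
# chef-client 12.8 or later. platform_family values follow Ohai naming
# ('windows', 'rhel'), which is an assumption of this example.
def fips_supported?(platform_family, chef_version)
  %w[windows rhel].include?(platform_family) &&
    Gem::Version.new(chef_version) >= Gem::Version.new('12.8')
end

# Report whether the linked OpenSSL is currently in FIPS mode (what the
# --fips flag and the `fips true` setting ask chef-client to turn on).
def fips_mode_active?
  OpenSSL.fips_mode ? true : false
end

if $PROGRAM_NAME == __FILE__
  puts fips_digest('sha256', 'constructed sample input')
  puts "fips mode active: #{fips_mode_active?}"
  begin
    fips_digest('md5', 'constructed sample input')
  rescue FipsViolation => e
    puts "refused: #{e.message}"
  end
end
```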

New launchd resource

Use the launchd resource to manage system-wide services (daemons) and per-user services (agents) on the Mac OS X platform.

launchd '' do
  program '/Library/scripts/'
  start_calendar_interval 'Weekday' => 7, 'Hourly' => 10
  time_out 300
end

New property for the mdadm resource

Use the mdadm_defaults property to set the default values for chunk and metadata to nil, which allows mdadm to apply its own default values.

chef-zero support for Chef Server API endpoints

chef-zero now supports using all Chef server API version 12 endpoints, with the exception of /universe.

Updated OpenSSL Version

OpenSSL is updated to version 1.0.1s.

Ohai auto-detects hosts for Azure and EC2 instances

Ohai will auto-detect hosts for instances that are hosted by Microsoft Azure or Amazon EC2.

Added gem keyword to metadata.rb per RFC-060

Support a 'gem' DSL method for cookbook metadata to create a dependency on a rubygem. The gem will be installed via chef_gem after all the cookbooks are synchronized but before any other cookbook loading is done.
