Chef Workstation Release Notes
Chef Workstation 23.7.1042
https://packages.chef.io/release-notes/chef-workstation/23.7.1042.mdUpdated Components
Chef InSpec
Updated Chef InSpec from 5.21.29 to 5.22.3. See the Chef InSpec release notes for a full list of improvements and features.
Bug Fixes
- Updated the
chef
CLI to fix an issue where cookbook generator converge fails when run from the same parent directory as a new cookbook - Updated Berkshelf to fix an issue where invalid Cookbook dependency versions were allowed to be uploaded using
berks upload
.
Chef Workstation 23.5.1040
https://packages.chef.io/release-notes/chef-workstation/23.5.1040.mdPlatform support
- Added support for RHEL 9. (#3108)
Bug Fixes
- Fixed an issue where
chef env
would not correctly handle the-chef-license
flag. (#3097) - Updated the chef-apply gem from 0.9.4 to 0.9.6 to fix an issue loading YAML files. (#3113)
- Updated the
chef-cli
gem from 5.6.8 to 5.6.11 to address warnings that would appear whenchef shell-init
is run. (#3109)
Test-Kitchen
- Updated the kitchen-azurerm gem from 1.10.5 to 1.12 to fix an issue when running
kitchen create
after using Azure CLI to log in using the Kitchen AzureRM Driver. (#3100)
Chef Workstation 23.5.1039
https://packages.chef.io/release-notes/chef-workstation/23.5.1039.mdThis release does not have any release notes.
Chef Workstation 23.4.1032
https://packages.chef.io/release-notes/chef-workstation/23.4.1032.mdUpdated Components
Chef Infra Client
Updated Chef Infra Client from 18.0.185 to 18.2.7. See the Chef Infra Client release notes for a full list of improvements and features.
Chef InSpec
Updated Chef InSpec from 5.18.14 to 5.21.29. See the Chef InSpec release notes for a full list of improvements and features.
Bug Fixes & Updates
- Fixed errors that occur when
knife ssl fetch
orknife ssl check
is run. - Updated cookstyle to fix an issue where
cron.deny
gets flagged as false positive.
Chef Workstation 23.3.1030
https://packages.chef.io/release-notes/chef-workstation/23.3.1030.mdUpdated Components
Chef Habitat CLI
Updated the Chef Habitat CLI from 1.6.521 to 1.6.652. See the Chef Habitat release notes for a full list of improvements and features.
Chef Workstation App
We removed the experimental dashboard that allows you to manage cookbooks on Windows and macOS from the Chef Workstation App.
Bug Fixes & Updates
- Updated
chef-vault
to support theclient_key_contents
attribute. Thanks Tyrael! - Updated
kitchen-vagrant
to correctly prune older bento boxes in use. - Updated
kitchen-vagrant
to append-arm64
to the bento box name automatically when run on this architecture.
Chef Workstation 23.2.1028
https://packages.chef.io/release-notes/chef-workstation/23.2.1028.mdUpdated Components
Chef Infra Client
Updated Chef Infra Client from 17.10.0 to 18.0.185, which comes with Ruby 3.1. See the Chef Infra Client release notes for a full list of improvements and features.
Chef InSpec
Updated Chef InSpec from 4.56.20 to 5.18.14. See the Chef InSpec release notes for a full list of improvements and features.
Bug Fixes & Updates
- We fixed an error when opening the Chef Workstation App on macOS Ventura that states that “Chef Workstation App.app is damaged and can’t be opened”.
Platform Packages
- We are no longer producing Debian 9 packages as Debian 9 is now end-of-life.
Test-Kitchen
- Updated
kitchen-dokken
to support a newplatform:
attribute. Thanks nrocco! - Updated
kitchen-dokken
to fix an issue wherekitchen login
fails if Docker is absent. Thanks jmauro! - Updated
kitchen-vra
to fix issues with catalog lookup usingcatalog_name
and to deprecate the outdatedsubtenant_id
attribute.
Chef Workstation 22.12.1024
https://packages.chef.io/release-notes/chef-workstation/22.12.1024.mdNew Features
Preview Feature
- The Chef Workstation App on Windows and macOS now includes a dashboard to help manage cookbooks. You can access the dashboard from the system tray menu.
Bug Fixes & Updates
- Chef Workstation now supports Ubuntu 18, 20, and 22.
- Support for Ubuntu 16 is deprecated.
- The
chef export
command now works with Chef repositories located in deeply-nested directories on Windows.
Test-Kitchen
- Test-Kitchen is updated to fetch relevant data and run fallback/cleanup actions on test failure. Thanks brycekahle!
- Test-Kitchen is updated to support
net-scp
4.0 &net-ssh
7.0. Thanks tas50! - Updated
kitchen-dokken
plugin to supportsystemd
based containers. Thanks drehammond! - Updated
kitchen-ec2
to support MacOS M1 & M2 EC2 instances. Thanks tecracer-theinen! - Updated
kitchen-vagrant
to specify an optional provider in the configuration for use in auto-update and auto-prune commands. - Updated
kitchen-vra
to align with the use of thedomain
attribute in lieu of the oldertenant
attribute.
Chef Workstation 22.10.1013
https://packages.chef.io/release-notes/chef-workstation/22.10.1013.mdImprovements
Updated Test Kitchen to allow pattern-based platform exclusions. Thanks Annih!
Chef Habitat
Updated the Chef Habitat CLI to 1.6.521.
Bug Fixes
The chef report nodes
and chef report cookbooks
subcommands now work with a FIPS-enabled Chef Infra Server when authentication based on Public-Key Cryptography Standards (PKCS) #8 is used.
Test Kitchen
- Fixed an issue with the
kitchen-vagrant
plugin that would create an incorrectly formattedVagrantfile
. Thanks PowerKiKi! - Fixed an issue with the
kitchen-dokken
plugin so it will verify that the Dockerconfig.json
file exists before trying to parse credentials. Thanks evandam!
Chef Workstation 22.7.1006
https://packages.chef.io/release-notes/chef-workstation/22.7.1006.mdImprovements
Test Kitchen
test-kitchen
has been updated to mask the sensitive data in debug logs.- The
kitchen-dokken
plugin has been updated to read credentials fromconfig.json
when attempting to authenticate with the registry. Thanks evandam!
Bug Fixes
knife-tidy
has been updated to address an issue where the--keep-versions
flag would not account for node data. Thanks ecottom!
Backward Incompatibilities
- The reference to the default user gem path is now updated from
~/.chefdk
to~/.chef
. This is made to avoid gem loading issues in MacOS. The backward incompatibility, if any, is relevant to a prior ChefDK installation (which is EOL) and not related to Chef Workstation installation.
Chef Workstation 22.6.973
https://packages.chef.io/release-notes/chef-workstation/22.6.973.mdImprovements
- Chef Workstation now includes
knife-vrealize
. This plugin is updated to work with VMware vRealize Automation (vRA) v8.
Test Kitchen Updates
- Updated the
kitchen-ec2
plugin to include support for configuring IMDSv2. Thanks bdwyertech! - The state of readiness of a newly created Windows instance is now detected much faster by the
kitchen-ec2
plugin. Thanks jakauppila! - Added support for waivers in the
kitchen-inspec
plugin. kitchen-vcenter
plugin now lets you specify multiple network interfaces while creating a VM from a template. Earlier, only one network interface could be specified.
Bug Fixes
- Fixed an issue in Berkshelf where the
berks package
command returns incorrect file paths. Thanks inopinatus! - Fixed an issue in
cookbook-omnifetch
so that cached cookbooks can be used for ChefSpec testing. Thanks karmix! - Fixed an issue in the
kitchen-vra
plugin which restores the ability to specify vRA users that are not part of the default domain. - Fixed an issue in the
kitchen-vra
plugin which will allow non-administrator vRA users to execute kitchen tests. Thanks oshvarts!
Chef Workstation 22.5.923
https://packages.chef.io/release-notes/chef-workstation/22.5.923.mdImprovements
- Updated the
berkshelf
gem to support Ruby 3.1.
Bug Fixes
Test Kitchen Updates
- Updated the
kitchen-azurerm
plugin so that failures related to thezone
parameter no longer appear. Thanks @jasonwbarnett!
Chef Workstation 22.4.861
https://packages.chef.io/release-notes/chef-workstation/22.4.861.mdImprovements
train-winrm
added the option to allow SSL connection with certificates. In this case, the password is not required.chef env
now runs faster on all OSes, especially on Windows.knife supermarket
commands are now additionally available to execute aschef supermarket
. This is a preview feature.
Chef Infra Client 17.10.0
Updated Chef Infra Client from 17.9.52 to 17.10.0. See the Chef Infra Client release notes for a complete list of new features and updates.
Test Kitchen Updates
kitchen-vcenter
now supports adding a new network interface to the VM being cloned.kitchen-vcenter
now works on Windows platforms.kitchen-azurerm
introduces a new parameterstore_deployment_credentials_in_state
that defaults totrue
. Thanks @jasonwbarnett!
Chef InSpec 4.56.19
Updated Chef InSpec 4.52.9 to 4.56.19. See the Chef InSpec release notes for a complete list of new features and updates.
Bug Fixes
- The parameter
default_chef_server_http_client
is now set when used with CookbookOmnifetch. Thanks @karmix! kitchen-azurerm
has temporarily disabled support for specifying a VM availability zone. This allowskitchen create
to run successfully when the availability zone is not configured.
Chef Workstation 22.2.807
https://packages.chef.io/release-notes/chef-workstation/22.2.807.mdImprovements
Cookstyle 7.32
Cookstyle has been updated from 7.31.7 to 7.32.
- A new
Chef/Deprecations/FoodcriticFile
cop detects the legacy.foodcritic
configuration file used by Foodcritic - The
Chef/Deprecations/Delivery
cop has been rewritten to avoid false positives due to caching. Thanks @karmix!
Bug Fixes
- Failures running ChefSpec when using Policyfiles have been resolved
Chef Workstation 22.2.802
https://packages.chef.io/release-notes/chef-workstation/22.2.802.mdNew Features
New Generators for Compliance Phase
We introduced support for Compliance Phase in the chef generate
command. You can now create an InSpec profile
, an input
file, or a waiver
file using the chef generate profile
, chef generate input
, or chef generate waiver
commands. These files are created in the compliance
subfolder within the cookbook folder of your repo.
Kitchen.ci Drivers Documentation
Updated the documentation for test-kitchen plugins in the kitchen.ci website. Users no longer need to look up driver documentation for separate plugins in GitHub.
Improvements
Test Kitchen Updates
- kitchen-vra no longer requires the version property
- kitchen-azurerm now lets you define the zone of the VM. Thanks for this improvement @pkazi!
Chef Infra Client 17.9.52
We updated Chef Infra Client from 17.9.26 to 17.9.52. See the Chef Infra Client release notes for a complete list of new features and updates.
Cookstyle 7.31.7
We updated Cookstyle from 7.31.1 to 7.31.7. This release updates the underlying RuboCop engine used by Cookstyle to 1.25.1, fixes a number of bugs, and improves issue detection in the Chef/Modernize/CronDFileOrTemplate
cop. Thanks for these improvements @yacn!
Chef CLI Updates
- The
chef push
command now supports--profile
option
Bug Fixes
- Chef InSpec no longer fails when using VMware Transport.
- The
chef report cookbooks
command now correctly processes options such as-p
. - Resolved failures when using cookbooks defined in a Policyfile with ChefSpec.
Chef Workstation 22.1.778
https://packages.chef.io/release-notes/chef-workstation/22.1.778.mdNew Features
VMware vRealize Automation Test Kitchen Support
Chef Workstation now includes the updated kitchen-vra
plugin to support VMware’s vRealize Automation 8.0. See the Test Kitchen kitchen-vra documentation for more information on using this new plugin in vRealize Automation environments.
chef-run AIX Support
We updated the chef-run
command for ad-hoc execution of Chef Infra Client on remote systems to support running on AIX systems. chef-run can now remotely manage Linux, macOS, Windows, Solaris, and AIX systems.
Improvements
Chef Infra Client 17.9.26
We updated Chef Infra Client from 17.9.18 to 17.9.26. This update includes a fix for failures when running the homebrew_tap resource that was introduced in 17.9.18. See the Chef Infra Client release notes for a complete list of new features and updates.
Cookstyle 7.31.1
We updated Cookstyle from 7.26.1 to 7.31.1. This new release includes the latest RuboCop engine for improved cookbook issue detection and also includes several new and updated Chef Infra cops:
- The new
Chef/Security/SshPrivateKey
cop detects plain text private key content used within cookbooks that should be stored securely. - The new
Chef/Correctness/InvalidNotificationResource
cop detects incorrect syntax in resource notifications. - The new
Chef/Correctness/InvalidCookbookName
cop detects cookbook names which contain a period. - The new
Chef/Deprecations/Delivery
cop detects the use of Chef Delivery / Workflow. Chef/Deprecated/CookbookDependsOnPoise
now detects the usage of thepoise-hoist
cookbook.Chef/RedundantCode/UseCreateIfMissing
now examines thepath
property in resources to detect more problematic resources.Chef/RedundantCode/UseCreateIfMissing
now examines non-string values to detect more problematic resources.Chef/Deprecations/DeprecatedChefSpecPlatform
now detects additional legacy platform versions in ChefSpec tests.
Updated Platforms for ChefSpec Tests
We’ve updated the Fauxhai project, which provides mock platform data for use in ChefSpecs. This new release has the following platform updates:
Added support for:
- macOS
12
- Almalinux
8
- Rocky Linux
8
Deprecated support for:
- FreeBSD
11.2
- macOS
11.0
and replaced it with11
curl 7.81
We updated the version of the curl command-line tool bundled with Chef Workstation from 7.80 to 7.81. This new release includes a large number of bug fixes. See the curl 7.81 changelog for more information.
Backward Incompatibilities
Delivery CLI Removal
We removed the Delivery CLI tool from Chef Workstation as part of the December 31, 2020 end-of-life for Chef Workflow and Chef Delivery. Running this command will now show a warning and exit. We updated the chef cookbook generate
commands so they no longer generate Workflow or Delivery content. We also added a new Cookstyle cop Chef/Deprecations/Delivery
to detect cookbooks shipping with a .delivery/project.toml
config.
Packaging
Native Apple M1 Packages
We now produce macOS packages for Chef Workstation macOS for Intel and M1 (ARM) architectures. The new M1 packages eliminate the need for Apple’s Rosetta framework when using Chef Workstation. We have also seen significant performance improvements with 28% faster knife command runtime on MacBook Air systems.
Chef Workstation 22.1.745
https://packages.chef.io/release-notes/chef-workstation/22.1.745.mdPerformance
Improved Knife Performance
Improved the Knife command performance with optimizations to plugin loading. Windows users and users on non-SSD disks will see the most significant performance improvements from this update.
Updated Components
Chef Infra Client 17.9.18
Updated Chef Infra Client from 17.8.25 to 17.9.18 with improvements to YUM support in the package
resource, improved detection of VMware hypervisors, and supports for HashiCorp Vault Approle authentication in the secrets
helper. See the Chef Infra Client release notes for a complete list of new features and updates.
Chef InSpec 4.52.9
Chef InSpec has been updated from 4.50.3 to 4.52.9 with many important fixes and improvements.
New Features
- Added remote target support for Alpine Linux.
- Added a CLI option for executing profiles from private Supermarkets.
- Added the ability to specify a proxy as a parameter in the
http
resource. - Added a CLI option to set an SSH configuration file path for SSH transport.
- Added support for TLS 1.3 to the
ssl
resource.
Bug Fixes
- Fixed an edge case in the
service
resource where InSpec may falsely detect services as enabled on FreeBSD if that service is the suffix of another enabled service. - Fixed the
ibmdb2_session
resource so that it now correctly accepts queries with clauses. - Fixed the
oracledb_session
resource to properly handle nil in the query output. - Fixed the
packages
resource to list only installed packages on Alpine Linux correctly.
Cookstyle 7.26.1
Updated Cookstyle from 7.25.10 to 7.26.1. This new version includes an updated RuboCop engine with improvements for code linting. New Style/FileRead
and Style/FileWrite
cops are also enabled to simplify file read/write code in libraries and resources.
Kitchen-ec2 3.12
Updated the Test Kitchen kitchen-ec2 plugin from 3.11.1 to 3.12.0. This new release allows you to define multiple tags in the subnet_filter
configuration and ensures the system is properly terminated if there is a failure during the instance creation. Thanks for these improvements @jakauppila!
Chef Workstation 21.12.720
https://packages.chef.io/release-notes/chef-workstation/21.12.720.mdBug Fixes
- The knife boostrap command’s
--max-wait
no longer fails when connecting over WinRM
Updated Components
InSpec 4.50.3
Chef InSpec has been updated from 4.49.0 to 4.50.3 which adds Windows support to the http resource.
Chef Infra Client 17.8.25
Chef Infra Client has been updated from 17.7.29 to 17.8.25. This new release includes Compliance Phase improvements along with a large number of resource improvements and fixes. See the Chef Infra Client 17.8.25 Release Notes for complete details on what’s new in this version.
Chef Vault 4.1.5
Chef Vault has been updated to 4.1.5 to resolve issues where no results would be shown with the chef-vault` CLI.
Cookstyle 7.25.10
Cookstyle has been updated from 7.25.9 to 7.25.10. This new release updates the RuboCop engine used by Cookstyle to resolve a number of false positives and improve detection and autocorrection.
Test Kitchen
Test Kitchen has been updated from 3.1.1 to 3.2.2 and kitchen-ec2, kitchen-vagrant, kitchen-vcenter, and kitchen-dokken.
Bug Fixes
- Resolved failures using the
multiple_converge
config option when testing Windows systems. Thanks for this fix @tecracer-theinen! - Resolved failures cloning a VM without a network interface in the kitchen-vcenter driver. Thanks for this fix @tecracer-theinen!
- Resolved output formatting issues when running the
kitchen diagnose
command. - Resolved deprecation warnings in the kitchen-aws driver.
New Features
- Support for testing cookbooks that use the
compliance
directory introduced in Chef Infra Client 17.5. - Added support for private Docker registries in the kitchen-dokken driver.
- Adds the ability to set
use_cached_chef_client
in the kitchen-vagrant driver to enable caching of Chef Infra Client packages on vagrant boxes not produced by Chef. Thanks for this improvement @gaelik!
Chef CLI
The Chef CLI has seen significant performance improvements.
Packaging
macOS 10.14 Package Removal
With the release of macOS 12, our N-2 macOS release policy now includes macOS 12, 11, and 10.15. macOS 10.14 packages will no longer be produced.
Security
Ruby 3.0.3
Ruby has been updated from 3.0.2 to 3.0.3 to resolve the following CVEs:
- CVE-2021-41817
- CVE-2021-41816
- CVE-2021-41819
Chef Workstation 21.11.679
https://packages.chef.io/release-notes/chef-workstation/21.11.679.mdImprovements
Chef Infra Client 17.7.29
Chef Infra Client has been updated from 17.6.18 to 17.7.29 with improved secrets manager support for Azure Key Vault, improvements to agentless Chef Infra Client runs with Target Mode, and multiple updated resources. See the Chef Infra Client 17.7.22 Release Notes and Chef Infra Client 17.7.29 Release Notes for more details.
Chef InSpec 4.49.0
Chef InSpec has been updated from 4.46.13 to 4.49.0 with the following updates:
New Features
- Added support for testing Cassandra DB configurations and CQL commands.
- Added the CLI option
--filter-waived-controls
to increase execution speed when using waivers. - Integrated
inspec check
with Cookstyle.
Bug Fixes
- Resolved case sensitivity issue for Windows
users
andgroup
resources. - Fixed the oracledb_session resource when invoking a query using OS user and DB role.
- Additional oracledb_session resource fixes.
Test Kitchen
Test Kitchen has been updated from 3.1.0 to 3.1.1 with improved progress logging in the ssh
transport. Thanks @karmix!
Kitchen Dokken
The Test Kitchen plugin kitchen-dokken
now includes colored output in the terminal to distinguish between multiple nodes converging at the same time and also includes improved support for Docker on Windows.
Kitchen EC2
The Test Kitchen plugin kitchen-ec2
has been updated with better platform support and error handling:
- Test Kitchen no longer waits 300 seconds during
kitchen destroy
if the AWS instance was destroyed outside of Test Kitchen. - Supports using vendor images of Windows 2022
- Supports using vendor images of Debian 10 or later
knife acl
The knife acl
command now supports setting acls on cookbook_artifacts
objects on the Chef Infra Server.
Habitat 1.6.420
Habitat has been updated from 1.6.351 to 1.6.420 with many behind-the-scenes updates.
Cookstyle 7.25.9
Cookstyle has been updated from 7.25.6 to 7.25.9 with many improvements to its code linting engine.
Chef Workstation 21.10.640
https://packages.chef.io/release-notes/chef-workstation/21.10.640.mdUpdated Components
Chef Infra Client 17.6.18
Chef Infra Client has been updated from 17.4.38 to 17.6.18. This new release supports shipping InSpec profiles directly in cookbooks with a new compliance
directory in cookbooks. It also adds support to the secrets
helper for fetching secrets from HashiCorp Vault as well as Akeyless Vault. For a complete list of everything new in this release see the Chef Infra Client Release Notes.
InSpec 4.46.13
Chef InSpec has been updated from 4.41.20 to 4.46.13 with the following enhancements:
- Added
rocky
andalmalinux
Linux distributions toservice
resource. - Added the ability to handle files without headers in the
csv
resource. - Added the option to establish a connection using a UNIX socket in the
postgres_session
resource. - Fixed the –tags filter for dependent profiles.
- Fixed the –controls filter for dependent profiles.
- Fixed the
opa_cli
andopa_api
resources so they are able to verify an empty result.
Cookstyle 7.25.6
Cookstyle has been updated from 7.24.1 to 7.25.6. This new release includes an updated RuboCop engine to resolve edge cases and adds the Chef/Correctness/MetadataMissingVersion
cop to detect cookbooks that don’t have a version defined in the metadata.rb
file.
chef-vault
Chef Vault has been updated to allow uploading secrets that include a newline character (\n
).
Test Kitchen
WinRM Certificate Authentication
Test Kitchen now supports certificate authentication with the WinRM transport. New WinRM transport configuration options client_cert
and client_key
control the certificate authentication behavior. See the WinRM Transport Documentation for more information on this transport and these new configuration options. Thanks for adding this new capability @gholtiii!
Kitchen DigitalOcean
The Kitchen Digital Ocean driver now supports Debian 11 DigitalOcean droplets. Thanks for this new capability @cedricverhaeghe!
Kitchen vCenter
The Kitchen vCenter drive now supports passing guestinfo
data to the test instances. Thanks for this new capability @jasonwbarnett!
Security
OpenSSL 1.0.2zb
OpenSSL has been updated from 1.0.2za to 1.0.2zb to resolve issues with Let’s Encrypt certificates.
cacerts
The cacerts bundle has been updated to the 2021-09-30 release which removes older expired root certificates and adds the following new root certificates:
- AC RAIZ FNMT-RCM SERVIDORES SEGUROS
- GlobalSign Root R46
- GlobalSign Root E46
- GLOBALTRUST 2020
- ANF Secure Server Root CA
- Certum EC-384 CA
- Certum Trusted Root CA
Packaging
Chef Workstation packages are now produced for the following operating systems:
- Windows 11
- Windows 2022
- macOS 12
- Debian 11
- Ubuntu 16.04 (no longer EOL)
Chef Workstation 21.9.613
https://packages.chef.io/release-notes/chef-workstation/21.9.613.mdUpdated Components
Chef Infra Client 17.4
Chef Infra Client has been updated from 17.3.48 to 17.4.38. This new release includes a large number of improvements to the Infra Client Compliance Phase, simplifies fetching secrets with the secrets
helper, and improves a large number of built-in resources. For a complete list of everything new in this release, see the Chef Infra Client 17.4 Release Notes
InSpec 4.41.20
Chef InSpec has been updated from 4.38.9 to 4.41.20 with the following enhancements:
- Updated the git fetcher to handle profiles that have a default git branch that is not
master
. - Added support for Alibaba Cloud Linux 3 to the Chef InSpec service resource.
- Replaced the WMI command-line (WMIC) utility in the Chef InSpec security_identifier resource with Common Information Model (CIM) cmdlets as the WMIC utility will be deprecated soon.
- Adjusted the exit code to Normal when attempting to install a plugin that is already installed.
- Added new Open Policy Agent resources opa_cli and opa_api.
- Added new mongodb_session resource.
- The mssql_session resource now allows named connections by no longer forcing a port.
- The PostgreSQL resources (postgres_session, postgres_conf, postgres_hba_conf, and postgres_ident_conf) now work with Windows.
- Fixed a bug where the year in an expiration date was misinterpreted in waiver files.
- Fixed range-based filtering in filter tables.
- Fixed an issue in the Chef InSpec apache_conf resource when the ServerRoot is not specified in the Apache configuration file.
- Fixed an issue when testing files with
chef exec
where the--insecure
flag doesn’t bypass SSL verification when downloading profiles over HTTPS. - Fixed the
inspec --chef-license=accept
invocation to only show the license acceptance message and not show the InSpec CLI help command output. - Fixed an error in the Chef InSpec postgres_session resource where the resource could not connect to a database.
- Fixed an error in the Chef InSpec apache_conf resource where it would overwrite any Apache configurations from the main Apache configuration file with configurations from any included configuration files.
- Fixed an error where the Chef InSpec
security_policy
resource returned a comma-separated string of local groups (rather than SIDs) instead of an array. - Fixed a regression related to processing tags in certain formats using the
--tags
CLI option.
Knife
Knife has been updated to 17.4.47 to resolve an error running knife client create
. Thanks for this fix @jasonwbarnett!
chef-run
The chef-run command for ad-hoc execution of Chef Infra Client on remote systems has been updated to support running on Solaris systems. chef-run can now remotely manage Linux, macOS, Windows, and Solaris systems, with AIX support coming soon!
Cookstyle 7.24.1
Cookstyle has been updated from 7.15.4 to 7.24.1 with an updated RuboCop engine for improved performance as well as 18 new autocorrecting Chef Infra Cops:
- Chef/Correctness/MetadataMalformedDepends
- Chef/Correctness/PowershellFileExists
- Chef/Deprecations/DependsOnChefNginxCookbook
- Chef/Deprecations/DependsOnChefReportingCookbook
- Chef/Deprecations/DependsOnOmnibusUpdaterCookbook
- Chef/Deprecations/DeprecatedSudoActions
- Chef/Modernize/ClassEvalActionClass
- Chef/Modernize/DependsOnChefVaultCookbook
- Chef/Modernize/DependsOnChocolateyCookbooks
- Chef/Modernize/DependsOnKernelModuleCookbook
- Chef/Modernize/DependsOnLocaleCookbook
- Chef/Modernize/DependsOnOpensslCookbook
- Chef/Modernize/DependsOnTimezoneLwrpCookbook
- Chef/Modernize/DependsOnWindowsFirewallCookbook
- Chef/Modernize/UnnecessaryDependsChef15
- Chef/Modernize/UseChefLanguageCloudHelpers
- Chef/Modernize/UseChefLanguageEnvHelpers
- Chef/Modernize/UseChefLanguageSystemdHelper
Test Kitchen
Several Test Kitchen drivers received important updates to improve their reliability on specific hypervisors and clouds.
VMware vCenter
The Test Kitchen driver for VMware VCenter has been updated to avoid targeting ESXi systems in maintenance mode and to provide better errors when resources are not found or the client lacks permissions on the cluster. Thanks for these improvements @tecracer-theinen!
Microsoft Hyper-V
The Test Kitchen driver for Microsoft Hyper-V received updates to allow specifying remote Hyper-V hosts. See the driver documentation for more details on specifying remote hosts. Thanks for this new feature @tecracer-theinen!
HashiCorp Vagrant
The Test Kitchen driver for HashiCorp Vagrant has been updated to allow specifying existing VM disk images. Thanks for the initial pull request for this work @stissot!
Microsoft Azure
The Test Kitchen driver for Microsoft Azure has been updated to allow creating Virtual Machines with a maximum volume size of up to 2048GB. Thanks for this improvement @jasonwbarnett!
Security
OpenSSL 1.1.1l/1.0.2za
Updated OpenSSL to 1.1.1l on macOS and 1.0.2za on all other platforms to resolve the following CVEs:
libarchive 3.5.2
Updated the libarchive library that powers the archive_file resource from 3.5.1 to 3.5.2 to resolve security vulnerabilities in libarchive’s handling of symbolic links.
Improvements
The Chef Workstation CLI command chef -v
has been optimised to fetch the component version details faster across all platforms.
Chef Workstation 21.9.612
https://packages.chef.io/release-notes/chef-workstation/21.9.612.mdUpdated Components
Chef Infra Client 17.4
Chef Infra Client has been updated from 17.3.48 to 17.4.38. This new release includes a large number of improvements to the Infra Client Compliance Phase, simplifies fetching secrets with the secrets
helper, and improves a large number of built-in resources. For a complete list of everything new in this release, see the Chef Infra Client 17.4 Release Notes
InSpec 4.41.20
Chef InSpec has been updated from 4.38.9 to 4.41.20 with the following enhancements:
- Updated the git fetcher to handle profiles that have a default git branch that is not
master
. - Added support for Alibaba Cloud Linux 3 to the Chef InSpec service resource.
- Replaced the WMI command-line (WMIC) utility in the Chef InSpec security_identifier resource with Common Information Model (CIM) cmdlets as the WMIC utility will be deprecated soon.
- Adjusted the exit code to Normal when attempting to install a plugin that is already installed.
- Added new Open Policy Agent resources opa_cli and opa_api.
- Added new mongodb_session resource.
- The mssql_session resource now allows named connections by no longer forcing a port.
- The PostgreSQL resources (postgres_session, postgres_conf, postgres_hba_conf, and postgres_ident_conf) now work with Windows.
- Fixed a bug where the year in an expiration date was misinterpreted in waiver files.
- Fixed range-based filtering in filter tables.
- Fixed an issue in the Chef InSpec apache_conf resource when the ServerRoot is not specified in the Apache configuration file.
- Fixed an issue when testing files with
chef exec
where the--insecure
flag doesn’t bypass SSL verification when downloading profiles over HTTPS. - Fixed the
inspec --chef-license=accept
invocation to only show the license acceptance message and not show the InSpec CLI help command output. - Fixed an error in the Chef InSpec postgres_session resource where the resource could not connect to a database.
- Fixed an error in the Chef InSpec apache_conf resource where it would overwrite any Apache configurations from the main Apache configuration file with configurations from any included configuration files.
- Fixed an error where the Chef InSpec
security_policy
resource returned a comma-separated string of local groups (rather than SIDs) instead of an array. - Fixed a regression related to processing tags in certain formats using the
--tags
CLI option.
Knife
Knife has been updated to 17.4.47 to resolve an error running knife client create
. Thanks for this fix @jasonwbarnett!
chef-run
The chef-run command for ad-hoc execution of Chef Infra Client on remote systems has been updated to support running on Solaris systems. chef-run can now remotely manage Linux, macOS, Windows, and Solaris systems, with AIX support coming soon!
Cookstyle 7.24.1
Cookstyle has been updated from 7.15.4 to 7.24.1 with an updated RuboCop engine for improved performance as well as 18 new autocorrecting Chef Infra Cops:
- Chef/Correctness/MetadataMalformedDepends
- Chef/Correctness/PowershellFileExists
- Chef/Deprecations/DependsOnChefNginxCookbook
- Chef/Deprecations/DependsOnChefReportingCookbook
- Chef/Deprecations/DependsOnOmnibusUpdaterCookbook
- Chef/Deprecations/DeprecatedSudoActions
- Chef/Modernize/ClassEvalActionClass
- Chef/Modernize/DependsOnChefVaultCookbook
- Chef/Modernize/DependsOnChocolateyCookbooks
- Chef/Modernize/DependsOnKernelModuleCookbook
- Chef/Modernize/DependsOnLocaleCookbook
- Chef/Modernize/DependsOnOpensslCookbook
- Chef/Modernize/DependsOnTimezoneLwrpCookbook
- Chef/Modernize/DependsOnWindowsFirewallCookbook
- Chef/Modernize/UnnecessaryDependsChef15
- Chef/Modernize/UseChefLanguageCloudHelpers
- Chef/Modernize/UseChefLanguageEnvHelpers
- Chef/Modernize/UseChefLanguageSystemdHelper
Test Kitchen
Several Test Kitchen drivers received important updates to improve their reliability on specific hypervisors and clouds.
VMware vCenter
The Test Kitchen driver for VMware VCenter has been updated to avoid targeting ESXi systems in maintenance mode and to provide better errors when resources are not found or the client lacks permissions on the cluster. Thanks for these improvements @tecracer-theinen!
Microsoft Hyper-V
The Test Kitchen driver for Microsoft Hyper-V received updates to allow specifying remote Hyper-V hosts. See the driver documentation for more details on specifying remote hosts. Thanks for this new feature @tecracer-theinen!
HashiCorp Vagrant
The Test Kitchen driver for HashiCorp Vagrant has been updated to allow specifying existing VM disk images. Thanks for the initial pull request for this work @stissot!
Microsoft Azure
The Test Kitchen driver for Microsoft Azure has been updated to allow creating Virtual Machines with a maximum volume size of up to 2048GB. Thanks for this improvement @jasonwbarnett!
Security
OpenSSL 1.1.1l/1.0.2za
Updated OpenSSL to 1.1.1l on macOS and 1.0.2za on all other platforms to resolve the following CVEs:
libarchive 3.5.2
Updated the libarchive library that powers the archive_file resource from 3.5.1 to 3.5.2 to resolve security vulnerabilities in libarchive’s handling of symbolic links.
Improvements
The Chef Workstation CLI command chef -v
has been optimised to fetch the component version details faster across all platforms.
Chef Workstation 21.8.555
https://packages.chef.io/release-notes/chef-workstation/21.8.555.mdBug Fixes
- PowerShell DLLs for Chef Infra Client are now properly set up on Windows systems to prevent failures running Chef Infra Client.
knife bootstrap
now respects theconfig_log_level
config when setting upclient.rb
configuration files on new Windows nodes.knife bootstrap
with the--use-sudo-password
no longer fails with a sudo error.knife user create
now provides helpful error messages if the client can’t be written to disk.knife bootstrap
now properly supports the~/.ssh/config
settings.- Cookstyle no longer reports
Chef/Deprecations/ResourceWithoutUnifiedTrue
failures in custom resource partials. - Cookstyle no longer reports
Chef/Deprecations/ResourceWithoutUnifiedTrue
failures when a custom resource file is empty. chef generate cookbook
now generates cookbooks that require Chef Infra Client 16 or later.chef generate cookbook
now generates example content referencing Chef Infra Client 17.
Packaging
RHEL 8 Packages
We improved our RHEL 8 packages with additional RHEL 8 optimizations and EL8 in the filename.
Chef Workstation 21.7.545
https://packages.chef.io/release-notes/chef-workstation/21.7.545.mdBug Fixes
Knife
- Resolved failures running
knife ssh
on hosts that require a PTY with a new--pty
flag. - Resolved
knife bootstrap
of Windows nodes from Chef Workstation on Linux/macOS incorrectly setting the file cache config. - Resolved
knife bootstrap
of Linux nodes from Chef Workstation on macOS creating a/Users
directory.
Updated Components
InSpec 4.38.9
InSpec has been updated from 4.38.3 to 4.38.9:
New Features
- The mssql_session resource now allows named connections by no longer forcing a port.
- The PostgreSQL resources (postgres_session, postgres_conf, postgres_hba_conf, and postgres_ident_conf) now work with Windows.
Bug Fixes
- Fixed a bug where the year in an expiration date was misinterpreted in waiver files.
Chef Infra Client 17.3.48
Chef Infra Client has been updated from 17.2.29 to 17.3.48. This new release includes large improvements to Policyfiles, 9 new built-in resources, and initial support for fetching secrets from AWS Secrets Manager and Azure Key Vault. See the 17.3 release notes for more information.
Habitat 1.6.351
Habitat has been updated from 1.6.319 to 1.6.351 with updated internal libraries.
Security
Addressable
We’ve updated the addressable gem from 2.7 to 2.8 to resolve CVE-2021-32740.
Ruby
We’ve upgraded Ruby from 3.0.1 to 3.0.2. This upgrade resolves bugs and also resolves the following CVEs:
curl
We’ve updated the bundled curl CLI from 7.76 to 7.77 to resolve the following CVEs:
Chef Workstation 21.7.524
https://packages.chef.io/release-notes/chef-workstation/21.7.524.mdBug Fixes
- Resolved Ruby crashes that occurred intermittently when running
knife ssh
orknife bootstrap
.
New Features
Policyfile Improvements
Policyfile.rb metadata Helper
Policyfiles has a new metadata
helper. This helper gets a local cookbook’s name
and path
from the metadata.rb
file instead of requiring them in the Policyfile.
Existing Policyfile:
name "base" # cookbook name
run_list "base::default"
default_source :supermarket
cookbook "base", path: "." # cookbook path
Policyfile using the metadata
helper:
metadata # invokes the metadata helper
run_list "base::default"
default_source :supermarket
Defined Policy Groups in Exports
The chef export
command now includes a new --policy_group
flag that allows you to define a policy group (a set of hosts in a deployed unit) in the exported tarball.
Cookstyle 7.15.1
Cookstyle has been updated from 7.13 to 7.15.1 with additional cops and an updated RuboCop engine.
RuboCop 1.18.3
The RuboCop engine that powers Cookstyle has been updated to 1.18.3. This new release improves autocorrection and resolves a large number of detection errors.
New Cops
We added Chef InSpec-specific Cookstyle Cops to the InSpec/Deprecations
department. These cops help with the migration from InSpec attributes
to inputs
. Watch for additional deprecation and correctness cops for InSpec in the future. You can also request a new cop for Chef InSpec!
InSpec/Deprecations/AttributeDefault
The Chef/Deprecations/AttributeDefault
cop detects Chef InSpec profiles that use the deprecated pattern of passing the default
option to attribute
or input
helpers instead of passing it to the newer value
option.
Enabled by default
: True
Autocorrects
: True
InSpec/Deprecations/AttributeHelper
The Chef/Deprecations/AttributeHelper
cop detects Chef InSpec profiles that use the deprecated attribute
helper instead of the input
helper.
Enabled by default
: True
Autocorrects
: True
Chef/Deprecations/PolicyfileCommunitySource
The Chef/Deprecations/PolicyfileCommunitySource
cop detects Policyfile.rb files that set a default_source
of :community
. This source is deprecated and is an alias to the :supermarket
source, which should be used instead.
Enabled by default
: True
Autocorrects
: True
Test Kitchen Improvements
New default chef_infra Provisioner
We renamed the chef_zero
Test Kitchen provisioner to chef_infra
, making it clear that it is the preferred provisioner for testing Chef Infra cookbooks. This change is backward-compatible, so your existing kitchen.yml
configurations will still work. We also changed Test Kitchen’s default provisioned from chef_solo
to chef_infra
. Even if you leave the provisioner configuration unassigned, you will still get Chef Infra cookbook testing. To test with Chef Solo, you need to set the provisioner to chef_solo
explicitly.
Berkshelf / Policyfiles Update Automatically
We changed Test Kitchen to automatically run berks update
or chef update
before testing, so you’re always testing the latest cookbook code on your workstation. If you prefer to test an existing Policyfile.lock
without updating it, add always_update_cookbooks false
to the provisioner section of your kitchen.yml
file.
Specifying Policy Groups
We added a new policy_group
configuration that allows setting the policy group for testing a cookbook. Set this in the provisioner block or individual suites.
suites:
- name: default
policy_group: production
run_list:
- recipe[base]
Attaching Elastic Network Interfaces in AWS
We added a new elastic_network_interface_id
configuration option that allows you to specify the Elastic Network Interface ID attached to new AWS test instances.
driver:
name: ec2
elastic_network_interface_id: eni-0545666738adeed14
Ubuntu FIPS Support
Chef Workstation Ubuntu packages are now FIPS enabled for all your FedRAMP needs.
Chef Workstation 21.6.497
https://packages.chef.io/release-notes/chef-workstation/21.6.497.mdRegression Fixes
- The Chef Workstation toolbar app now properly shows the installed version of Workstation.
- Resolves failures running Berkshelf, including failures running ChefSpec in GitHub actions when cookbooks use Berkshelf for depsolving. Thanks for these fixes @ramereth!
- Resolved ChefSpec failures on Windows.
Updated Components
Knife
Knife has been updated to 17.2.38 with support for Curve25519 SSH key exchange.
Test Kitchen
Test Kitchen has been updated to 2.12.0:
Bug Fixes
- Fixes failures running the
kitchen console
command which were caused by changes in Ruby’spry
gem. Thanks for this fix @jayaddison-collabora! - Test Kitchen will now continue to run even if an SSH connection fails in
lifecycle_hooks
andskippable
is set totrue
. Thanks for this fix @tarcinil!
Slow Resource Report Support
Test Kitchen now supports Chef Infra Client 17.2’s new slow resource report for displaying the slowest resources in a Chef Infra Client run. You can enable this report by setting the slow_resource_report
configuration option in the chef-zero
provisioner:
provisioner:
name: chef_zero
# set the configuration value to true to display the 10 slowest resources
# or set it to the number of resources you'd like to display
slow_resource_report true
Kitchen Dokken
The Kitchen Dokken driver for testing Chef Infa cookbooks in Docker containers has been updated to 2.13:
Bug Fixes
- Fixes execution failures on Windows. Thanks for this fix @jakauppila!
- Fixes failures when running on Podman instead of Docker. Thanks for this fix @tomhughes!
Slow Resource Report Support
Kitchen Dokken has also been updated to support Chef Infra Client 17.2’s new slow resource report for displaying the slowest resources in a Chef Infra Client run. You can enable this report by setting the slow_resource_report
configuration option in the dokken
provisioner:
provisioner:
name: dokken
# set the configuration value to true to display the 10 slowest resources
# or set it to the number of resources you'd like to display
slow_resource_report true
Chef InSpec 4.37.30
Chef InSpec has been updated from 4.37.25 to 4.37.30 with the following bugfixes:
- Fixed the mysql_session resource to raise an exception if there is an error in a connection or query.
- Fixed the postgres_session resource to raise an exception if there is an error in a connection or query.
Chef Workstation 21.6.479
https://packages.chef.io/release-notes/chef-workstation/21.6.479.mdBug Fixes
- Resolved errors from running various knife commands.
Upgraded Components
Ruby 3.0
Ruby has been updated from 2.7.3 to 3.0.1. The Ruby 3.0 release includes improved performance and aligns Chef Workstation with the release of Ruby in Chef Infra Client 17 for maximum compatibility.
Chef Infra Client 17.2
Chef Infra Client has been updated from 17.1 to 17.2. This release includes a new --slow-report
flag for displaying the slowest resources in a client run, improved allowlist/denylist functionality with Automate reporting, and many improved resources. See the Chef Infra Client Release Notes for complete details
Chef InSpec 4.37.23
Chef InSpec has been updated from 4.37.20 to 4.37.23:
Improvements
- Updated the
inspec init plugin
command- The values of flags passed to the
inspec init plugin
command are now wrapped in double quotes instead of single quotes. - Template files are now ERB files.
- The
activator
flag replaces thehook
flag, which is now an alias.
- The values of flags passed to the
Backward Incompatibilities
- Removed support for Chef Compliance Server and Chef Automate 1 from the
inspec automate
command, as both products are EOL.
Knife Azure
The knife-azure plugin has been updated from 3.0.6 to 4.0.0. This major release removes the legacy knife azure
commands that were based on the Azure ASM API deprecated in 2018. knife azurerm
commands will continue to function as they are based on the modern Azure ARM API.
Kitchen InSpec
The kitchen-inspec
plugin has been updated to from 2.4.1 to 2.4.3, which adds a forward_agent
option for connecting to the host using SSH Agent Forwarding.
Security
Nokogiri
Nokogiri was updated to 1.11.7 to resolve CVE-2020-26247.
Chef Workstation 21.6.467
https://packages.chef.io/release-notes/chef-workstation/21.6.467.mdBug Fixes
- Failures running
knife org user add
are resolved. - Failures running
knife configure
are resolved.
Chef Workstation 21.5.462
https://packages.chef.io/release-notes/chef-workstation/21.5.462.mdUpdated Tools
Chef Infra Client 17.1
Chef Infra Client has been updated from 17.0 to 17.1. This new release includes improvements to the Chef Infra Client Compliance Phase, Unified Mode improvements, and updates to many built-in resources. See the Chef Infra Client 17.1 Release Notes for details on new functionality.
Chef InSpec 4.37.20
Chef InSpec has been updated from 4.36.4 to 4.37.20 with the following bug fixes and improvements:
Improvements
- Added support for
zfs_pool
andzfs_dataset
resources on Linux. - Improved
port
resource performance: adding more specific search while usingss
command. - A new
inspec automate
command replaces theinspec compliance
command, which is now deprecated. This command also fully validates credentials before storing them to disk.
Bug Fixes
- The
file
resourcemore_permissive_than
matcher returns nil instead of throwing an exception when the file does not exist. - The
http
resource response body is now coerced into UTF-8. - Fixed an error when using profile dependencies and require_controls.
- Fixed the windows_firewall_rule resource when it failed to validate more than one rule.
- Modified the windows_feature resource to indicate if a feature is enabled rather than just available.
inspec detect --no-color
returns color-free output
Chef Habitat 1.6.319
The Chef Habitat CLI has been updated from 1.6.288 to 1.6.319 with performance and stability improvements.
Chef CLI 5.1
The Chef CLI has been updated to 5.1. This new release includes a new --yaml
flag for the chef generate cookbook
command to generate example YAML Chef Infra cookbooks.
Knife 17.2
The Knife CLI has been updated from 17.0 to 17.2, which includes several fixes for failures running knife commands.
Cookstyle 7.13
Cookstyle has been updated from 7.10 to 7.13 with the following improvements:
- Cookstyle now targets Ruby 2.5 or later allowing Cookstyle to simplify some complex codebases to use new Ruby functionality.
- A new
Chef/Deprecations/HWRPWithoutUnifiedTrue
cop detects custom resources that do not setunified_mode true
. These resources will produce deprecation warnings in Chef Infra Client 17.0 or later as the Unified Mode will become the default in Chef Infra Client 18 (April 2022). Settingunified_mode true
in custom resources today allows you to ensure they will continue to function as expected in future Chef Infra Client releases. - Fixed false positives in the
Chef/Modernize/WindowsRegistryUAC
resource. - Improved how we exclude
vendor
andfiles
directories so that Cookstyle can run in cookbooks contained in directories namedvendor
orfiles
. - Updated the RuboCop engine used by Cookstyle to 1.15 with a significant number of detection and autocorrection improvements.
Security
TLS 1.3 Support on macOS
macOS builds of Chef Workstation now ship with OpenSSL 1.1.1, which enables TLS 1.3 communication with Chef services.
Known Issues
Chef Workstation 21.5.420 introduced a regression causing failures when running some knife commands. We are currently working towards a fix for this issue which we hope to ship in the next release of Chef Workstation. If you encounter failures running knife commands, please install Chef Workstation 21.4.365
Chef Workstation 21.5.420
https://packages.chef.io/release-notes/chef-workstation/21.5.420.mdBreaking Changes
Chef CLI
The chef shell-init
CLI command checks for the Chef Workstation PATH variable before adding it, ensuring that it appears only once in your PATH.
We removed two legacy Chef Workflow (Delivery) commands in the chef-cli (Chef Workflow reached end-of-life status in December 2020):
chef generate cookbook --workflow
now warns that the--workflow
flag is no longer supported and generates a Chef cookbook—without the Chef Workflow build-cookbook.chef generate build-cookbook
now alerts that build-cookbook generation is no longer supported and exits with an error.
Knife Changes
Renamed knife opc org commands
We’ve rewritten our knife-opc plugin and merged it into the main knife codebase. As part of this rewrite, the knife opc org
commands have been renamed to knife org
, and several of the user commands have merged into the existing knife user
commands.
Renamed Commands
- knife opc org create -> knife org create
- knife opc org delete -> knife org delete
- knife opc org edit -> knife org edit
- knife opc org list -> knife org list
- knife opc org show -> knife org show
- knife opc org user add -> knife org user add
- knife opc org user remove -> knife org user remove
User Commands Now in Knife User
- knife opc user create -> knife user create
- knife opc user delete -> knife user delete
- knife opc user edit -> knife user edit
- knife opc user list -> knife user list
- knife opc user password -> knife user password
- knife opc user show -> knife user show
Simplified knife user create syntax
The knife user create
command previously required passing the user’s display name, first name, last name, e-mail, and password in order as arguments. Only the e-mail and password values are actually required by Chef Infra Server, so we’ve simplified the syntax to allow passing just the required values. New flags have been introduced for each of the values and only the --email
and --password
flags are now required. The existing positional argument syntax will continue to work with a warning message, but will be removed in a future release.
Fauxhai updated to 9.0
The Fauxhai engine mocks Ohai data in ChefSpec tests. The 9.0 release removes all the deprecated Fauxhai definitions—the ones that warned you of their impending deprecation every time you used them this past year.
The Fauxhai community team removed platforms that:
- have reached end-of-life status and are no longer supported.
- have newer minor release versions available in Fauxhai.
The best practice for referencing platforms in ChefSpec tests is to use a platform’s major version or no version at all, which lets Fauxhai automatically pick the latest version. This practice ensures that your specs will continue to run, even as new platforms are released and older ones are removed.
To automatically migrate ChefSpec tests to use newer platforms, use the Chef/Deprecations/DeprecatedChefSpecPlatform Cookstyle cop. This cop will autocorrect many specs. Run it with:
cookstyle -a --only Chef/Deprecations/DeprecatedChefSpecPlatform
Fauxhai Platforms Removed
- AIX 6.1
- Amazon Linux 2015.03
- Amazon Linux 2015.09
- Amazon Linux 2016.03
- Amazon Linux 2016.09
- Amazon Linux 2017.03
- Amazon Linux 2017.09
- CentOS 5.11
- CentOS 6.9
- CentOS 7.5.1804
- CentOS 7.6.1810
- Debian 8.11
- Debian 9.8
- Debian 9.9
- Fedora 29
- Fedora 30
- FreeBSD 11.1
- Linux Mint 18.3
- macOS 10.13
- OpenSUSE 15.0
- OpenSUSE 15.1
- Oracle Linux 5.11
- Oracle Linux 6.9
- Red Hat Linux 5.11
- Red Hat Linux 6.9
- Red Hat Linux 7.4
- Red Hat Linux 7.5
- Red Hat Linux 7.6
- Suse Enterprise Linux 12.3
- Ubuntu 14.04
- Windows 20008 R2
Improvements
Chef Infra Client 17
Chef Workstation now includes Chef Infra Client 17 with the new Compliance Phase and many other improvements. For a complete list of what’s new, see the Chef Infra Client 17.0 Release Notes and our Chef Infra Client 17 Launch Webinar.
Chef InSpec
Chef InSpec has been updated from 4.29.3 to 4.36.4 with the following improvements and bug fixes:
New Features
- Added the SELinux resource, which includes support for modules and booleans.
- Added the pattern input option for DSL and metadata inputs.
- Added the
members_array
property for group & groups resources. - Train now reads the username and port from the
.ssh/config
file and will use these values if present. - Added the new
--reporter-include-source
CLI option, which includes the source code of the controls in the output of the CLI reporter. - Added ability to pass inputs to InSpec shell using input file and cli.
- Commands can now be set to timeout using the command resource or the
--command timeout
option in the CLI. Commands timeout by default after one hour. - Added the
--docker-url
CLI option, which can be used to specify the URI to connect to the Docker Engine. - Added support for targeting Linux and Windows containers running on Docker for Windows.
Bug Fixes
- Fix SSH Timeout PTY allocation. We fixed a bug that caused occasional failures in some command resources that use SSH transport and were mistakenly allocated a pseudoterminal (PTY) when setting a timeout. In some cases, the PTY changed how the resource was interpreted. This fix only uses PTY when explicitly requested.
- Fixed the group resource when a member does not exist.
- Hash inputs will now be loaded consistently and accessed as strings or symbols.
Test Kitchen
Digital Ocean Driver Update
The kitchen-digitalocean
driver update removes support for legacy platform values that no longer exist on Digital Ocean: CoreOS
, Ubuntu17
, CentOS6
and it adds support for RancherOS
. The Test Kitchen docs have a new Digital Ocean getting started guide.
Amazon AWS Driver Update
The Amazon AWS kitchen-ec2
driver update adds support for GP3 EBS volume types on instances and proper cleanup of EBS volumes on termination on RHEL-based platforms. Thanks for the GP3 fix @bdwyertech!
Cookstyle updated to 7.10.1
This update improves offense detection and autocorrelation in Ruby code.
Platform Support
Ubuntu 16.04 packages will no longer be produced for Chef Workstation as Ubuntu 16.04 became EOL at the end of April 2021.
Security Updates
Ruby updated to 2.7.3
This Ruby version provides a large number of bug fixes and resolves the following CVEs:
git updated to 2.31.1
This update to the embedded git client in Chef Workstation resolves CVE-2021-21300
Chef Workstation 21.4.365
https://packages.chef.io/release-notes/chef-workstation/21.4.365.mdmacOS Support in chef-run
We have updated the chef-run
command to allow resources to be executed against macOS nodes in addition to Linux and Windows nodes.
Opt-In ChefSpec Specs
The chef generate cookbook
will no longer generate ChefSpec tests by default. For many users ChefSpec tests add a minimal amount of quality assurance for their large level of complexity. We believe that users are overwhelmingly better off writing true integration tests with InSpec and Test Kitchen, as these tests are far more likely to detect real-world failure conditions. If you’d like to continue to generate sample ChefSpecs, you can run chef generate cookbook --specs MY_COOKBOOK_NAME
.
Improved Kitchen Dokken Configs
The chef generate cookbook --kitchen dokken
command will now generate a Kitchen Dokken config that runs the container in privileged mode by default. This is necessary for testing any cookbook which includes a systemd unit. Since most cookbooks tested with Kitchen Dokken manage services this will make it easier to switch to Kitchen Dokken for quick test cycles.
Autocompletion in fish Shell
We’ve updated the code snippet generated by the chef shell-init fish
command to generate proper auto-complete commands for the fish shell. If you previously added the code generated by this command to your ~/.config/fish/config.fish
config file, you’ll want to update that content with the new code. This will give you autocompletion helpers for all the chef
sub-commands.
Packaging Improvements
- Failures running Habitat on macOS systems have been resolved.
- On Linux and macOS systems symlinks are now created for
chef-zero
,mixlib-install
, andfauxhai
making Chef Workstation more functional for users that don’t want to use the Chef Workstation Ruby installation as their system-wide Ruby installation.
Chef Workstation 21.3.346
https://packages.chef.io/release-notes/chef-workstation/21.3.346.mdBug Fixes
- We resolved a failure running our embedded
curl
on macOS systems. Thanks for reporting this @kmf. - We updated the
chef-run
command to allow using symbols in resources defined on the command-line. - We resolved frozen string errors that could occur in Test Kitchen. Thanks for the help with this @tbugfinder.
- @signe fixed fetching the validation key from AWS S3 with
knife ec2
.
Improvements
kitchen-dokken
We’ve improved how the Test Kitchen dokken
driver handles Docker registries other than DockerHub. You should now be able to configure DockerHub mirrors without any requests being made to DockerHub. Thanks @jaymzh! We’ve also updated the docker-api
gem to 2.1.0. The docker-api
gem powers the dokken driver and this update adds support for running dokken against Podman.
kitchen-azurerm
The Test Kitchen azurerm
driver has been updated to use unique instance names by default to avoid conflicts. Systems will now be named tk-RANDOMVALUE
instead of just vm
. Thanks @jasonwbarnett!
Cookstyle
Cookstyle has been updated from 7.8 to 7.9. This release includes an updated RuboCop engine with improved detection and autocorrection capabilities.
Chef Infra Client
Chef Infra Client has been updated to 16.11, with minor bug fixes. See the Chef Infra Client Release Notes for more details.
Chef InSpec
Chef InSpec has been updated from 4.26.13 to 4.29.3.
New Features
- The JSON metadata pass-through configuration has been moved from the Automate reporter to the JSON Reporter
- Added the option to filter out empty profiles from reports.
- Exposed the
conf_path
,content
, andparams
properties to theauditd_conf
resource. - Added the ability to specify
--user
when connecting to docker containers.
Bug Fixes
- Fixed the
crontab
resource when passing a username to AIX. - Stopped a backtrace from occurring when using
cmp
to comparenil
with a non-existing file. - The apt resource now correctly fetches all package repositories using the
-name
flag in an environment where ZSH is the user’s default shell. - The
--controls
option ininspec exec
now correctly filters the controls by name. - Updates how InSpec profiles are created with GCP or AWS providers so they use
inputs
instead ofattributes
. inspec exec
will now fetch profiles via Git regardless of the name of the default branch.
Security
Git
The embedded git
client in Workstation has been updated to 2.30.2 to resolve CVE-2021-21300.
Chef Workstation 21.2.303
https://packages.chef.io/release-notes/chef-workstation/21.2.303.mdImproved Upgrade Behavior
Chef Workstation packages on Linux will now upgrade existing ChefDK installations. This matches the existing behavior on Windows and macOS systems.
Improved Git Client
The embedded git client in Chef Workstation has been updated to 2.30.1. This new release includes improvements to git diff
functionality as well as a large number of bug fixes.
InSpec
InSpec has been updated to 4.26.13 with two bug fixes:
- Fixed skip_control to work on deeply nested profiles.
- The ssh_config and sshd_config resources now correctly use the first value when a setting is repeated.
Test Kitchen
Several Test Kitchen plugins have been updated to improve the overall testing experience:
AzureRM
The azurerm
Test Kitchen driver has been updated to improve backwards compatibility in the public_ip_sku
configuration option with previous driver release.
InSpec
A regression in the Test Kitchen inspec
has been resolved, which would cause failures when setting custom reporters.
Dokken
The Test Kitchen dokken
driver/provisioner has been updated with a new docker_registry
configuration option for specifying a Docker Registry other than DockerHub.
Example:
driver:
docker_registry: docker.sample.com
Note: The Docker Registry must container the dokken
images for the platforms you want to test, the chef
image, as well as the centos
image that is used as part of the driver setup.
Smaller Package Size
In order to further reduce the Chef Workstation installation size, we’ve removed the yard
package from Chef Workstation. This package was never documented as being included in Chef Workstation and isn’t required for any Chef product workflows.
Chef Workstation 21.2.292
https://packages.chef.io/release-notes/chef-workstation/21.2.292.mdBug Fixes
We resolved two regressions in the 21.2.278 release of Chef Workstation:
- A failure in
mixlib-archive
when runningberks install
- Failures using the
azurerm
provider in Test Kitchen
Chef Infra Client
Chef Infra Client has been updated to 16.10.17. This release resolves two bugs:
- Fixed the
mount
resource for network mounts using the root level as the device. Thanks @ramereth! - Resolved a Compliance Phase failure with profile names using the
@
symbol.
Test Kitchen
Several Test Kitchen plugins have been updated to improve the overall Test Kitchen experience:
Improved Windows Reliability
Windows detection for Chef Infra Client installations is now more reliable.
InSpec Plugin Configuration
A new plugin_config
config option has been added to the inspec
verifier for passing configs to InSpec plugins. Thanks for this improvement @tecracer-theinen!
Example plugin config in a kitchen.yml
:
verifier:
name: inspec
plugin_config:
example_plugin_name:
example_setting: "Example value"
Azure Storage Account Types
The storage_account_type
config option in the azurerm
plugin is now honored. This allows you to set storage_account_type: Standard_LRS
to use non-SSD disks in Azure. Thanks for this fix @reasland and @Dreweasland!
Cloud-Init With OpenStack
The openstack
Test Kitchen driver now includes a new cloud_config
config option that allows you to pass config options to cloud-init
for setting up systems before Chef Infra Client runs. Thanks for this improvement @JimScadden!
An example of setting the hostname at provision time:
driver_config:
cloud_config:
hostname: my-hostname
Cookstyle
Cookstyle has been updated to provide links to our new Cookstyle cop documentation on docs.chef.io.
Security
OpenSSL has been upgraded to 1.0.2y to resolve the following CVEs:
Platform Updates
With the release of macOS 11 we will no longer produce packages for macOS 10.13 systems. See our Platform End-of-Life Policy for details on the platform lifecycle.
Chef Workstation 21.2.278
https://packages.chef.io/release-notes/chef-workstation/21.2.278.mdPerformance Improvements
We’ve improved the performance of many of the included command-line tools in Chef Workstation along with the performance of the Chef Workstation menubar application.
Test Kitchen
The Kitchen vCenter driver has been updated to prevent failures while running on Windows hosts.
The Kitchen Azure driver now includes support for setting the public IP SKU with a new public_ip_sku
driver configuration option thanks to @simonjefford! For example:
platforms:
- name: ubuntu-1804
driver:
image_urn: Canonical:UbuntuServer:18.04.4-LTS:latest
vnet_id: /subscriptions/b6e7eee9-YOUR-GUID-HERE-03ab624df016/resourceGroups/pendrica-infrastructure/providers/Microsoft.Network/virtualNetworks/pendrica-arm-vnet
subnet_id: subnet-10.1.0
public_ip: true
public_ip_sku: Standard
To learn more about this configuration option, see the Azure Public IP Documentation.
Chef-CLI
You can now rename the generator directory after generation without breaking generator usage.
Berkshelf
Several potential race conditions in Berkshelf have been resolved. This may improve the reliability of testing multiple instances in Test Kitchen when Berkshelf is used for cookbook dependency resolution.
Cookstyle
Cookstyle has been updated with the latest RuboCop engine for improved code issue detection and correction. Additionally, RuboCop’s Lint/ErbNewArguments
cop has been enabled to detect deprecated usage of the ERB class in libraries.
Chef Workstation 21.2.259
https://packages.chef.io/release-notes/chef-workstation/21.2.259.mdChef Infra Client 16.10
Chef Workstation now ships with Chef Infra Client 16.10. This new release includes expanded AWS Metadata support including IMDSv2 support, Alma Linux support, and resource updates. See the Chef Infra Client 16.10 Release Notes for more details on everything new in this release.
Policyfiles Improvements
We’ve improved how Policyfiles are handled in the chef
command. Now running chef install
when a Policyfile.lock
is not present will generate the lock file and install the cookbooks instead of producing an error. This mirrors the behavior of bundle install
and other dependency management tools. We think this will make it easier to manage Chef Infra cookbooks in CI pipelines where a lock may or may not be generated yet. Thanks for reporting this issue @coderanger!
We’ve also resolved a failure that would occur when testing cookbooks that use Policyfiles in ChefSpec. Thanks for reporting this issue @ElfoLiNk!
Knife Bootstrapping Without Sudo
The knife boostrap
command now supports elevating privileges on systems without sudo
by using the su
command instead. Use the new --su-user
and --su-password
flags to specify credentials for su
.
Alma Linux Support
Chef Infra Client and Chef Workstation now support Alma Linux, a new open-source RHEL fork produced by the CloudLinux team.
Chef Infra Client 16.10 and later now maps the alma-linux
platform
to the rhel
platform_family
value.
In Chef Workstation, we’ve also added support for testing cookbooks on Alma Linux with new Alma Linux 8 Vagrant Images for use in Test Kitchen on VirtualBox, Parallels, and VMware. You can use these images today in Test Kitchen by specifying this new box in your config as follows:
platforms:
- name: almalinux-8
Kitchen vCenter Windows Improvements
When using Test Kitchen’s vcenter
driver, you can now specify administrator_password
to set the password on a Windows test instance’s Administrator
account. Thanks for this enhancement @lomeroe!
Updated Cookstyle
Cookstyle has been updated from 7.5 to 7.7. This new release includes an updated RuboCop engine for improved detection and autocorrection. It also enables RuboCop’s Lint/DeprecatedConstants
cop to detect deprecated TRUE
, FALSE
, and NIL
constant values.
Amazon Linux 2 Packages
We now produce Chef Workstation packages for Amazon Linux 2. You can find these packages from Chef Downloads.
Security
We’ve updated the version of curl
packaged with Chef Workstation to 7.75 to resolve the following curl CVEs:
Chef Workstation 21.1.247
https://packages.chef.io/release-notes/chef-workstation/21.1.247.mdChef Infra Client
Chef Infra Client has been updated from 16.9.20 to 16.9.32.
- Resolved orphaned PowerShell processes when using Compliance Remediation content.
- Resolved failures from running
chef-client
on some Windows systems. - Compliance Phase: Improved detection of the
audit
cookbook when it is used for compliance reporting. - chef-shell: Added support for loading configs in
client.d
directories - Thanks @jaymzh!
Chef InSpec
Chef InSpec has been updated from 4.24.32 to 4.26.14.
New Features
- You can now directly refer to settings in the
nginx_conf
resource using theits
syntax. Thanks @rgeissert! - You can now specify the shell type for WinRM connections using the
--winrm-shell-type
option. Thanks @catriona1! - Plugin settings can now be set programmatically. Thanks @tecracer-theinen!
- OpenSSH Client on Windows can now be tested with the ssh_config and sshd_config resources. Thanks @rgeissert!
- The
--reporter-message-truncation
option now also truncates thecode_desc
field, preventing failures when sending large reports to Automate.
Bug Fixes
- Updated the
oracledb_session
to use more general invocation options. Thanks @pacopal! - Fixed an error with the
http
resource in Chef Infra Client by includingfaraday_middleware
in the gemspec. - Fixed an incompatibility between
parslet
andtoml
in Chef Infra Client. - Improved programmatic plugin configuration.
Test Kitchen
Test Kitchen has been updated from 2.9 to 2.10.
Uploading Files In the Provisioner
Test Kitchen now allows you to upload files from your workstation to the test node within the provisioner. The new uploads
config accepts a hash mapping local files to files on the remote test node. Thanks for this new feature @tecracer-theinen!
Uploading a config file before running Chef Infra Client
provisioner:
name: chef_zero
uploads:
"foo.cfg": "/etc/foo.cfg"
Includes/Excludes Filters in Lifecycle Hooks
You can now exclude or include platforms from running in a lifecycle hook. This is particularly useful when running commands like apt-get update
which can only be run on certain systems. Thanks for this new feature @jasonwbarnett!
Excluding apt-get update on RHEL
lifecycle:
pre_converge:
- remote: |
"apt-get update"
exclude:
- rhel-7
- rhel-8
Bug Fixes
- Resolved
uninitialized constant Kitchen::Loader::YAML::Psych
error - @dwmarshall
Kitchen Inspec Verifier
The kitchen-inspec verifier plugin has been updated from 2.2.2 to 2.3.0. This new release improves performance by setting the backend_cache
config to true
by default.
Chef CLI
The Chef CLI has been updated to allow chef generate
to properly create files in subdirectories.
Chef Workstation 21.1.233
https://packages.chef.io/release-notes/chef-workstation/21.1.233.mdThis release of Chef Workstation includes a small number of bug fixes and improvements from the previous 21.1.222 release.
Chef Infra Client
Chef Infra Client has been updated from 16.9.16 to 16.9.20, which resolves issues from installing packages on newer FreeBSD releases and resolves errors from using the audit cookbook for compliance scans.
Chef InSpec
Chef InSpec has been updated from 4.24.26 to 4.24.32, which reduces the size of some report data to avoid failures from pushing reports larger than 4MB to Chef Automate.
kitchen-google
The kitchen-google plugin has been updated to use the latest version of Google’s SDK with better support for newer services.
knife-ec2
The knife-ec2 plugin has been updated to resolve an error where an EBS volume would be created when using the ephemeral
option instead of attaching an ephemeral volume, and to resolve failures when bootstrapping Windows nodes if a password has not been provided. Thanks for reporting these issues @DoctorOgg and @jerseyfoxcom!
Chef Workstation 21.1.222
https://packages.chef.io/release-notes/chef-workstation/21.1.222.mdUpdated Components
Knife
Chef Infra Client has been updated to 16.9 with the following improvements to the knife
command:
- The
knife bootstrap
command now properly formats thetrusted_certs_dir
configuration value on Windows hosts. Thanks for this fix @axelrtgs! - The
knife bootstrap
command now only specifies the ssh option-o IdentitiesOnly=yes
if keys are present. Thanks for this fix @drbrain! - The
knife status
command with the-F json
flag no longer fails if cloud nodes have no public IP.
Chef InSpec
Chef InSpec has been updated from 4.24.8 to 4.24.26. This release includes several behind-the-scenes updates as well as a few useful resource updates:
- The
parse_config
resource now accepts[
and]
characters, which allows access to settings that contain dots. Thanks @rgeissert! (#5252) - The
mssql_session
resource expands its platform support to include macOS and Linux since thesqlcmd
utility is now available on those platforms. Thanks @kclinden! (#5366)
Upgrade Lab
The chef report
command in the Chef Upgrade Lab has been updated to work with the latest releases of Cookstyle.
Cookstyle
Cookstyle has been updated from 7.3 to 7.5. This new release updates the RuboCop engine that powers Cookstyle in order to improve detection and autocorrect of Ruby code. The new release also offers several improvements to existing Chef Infra cops:
- The
Chef/RedundantCode/UnnecessaryNameProperty
has been improved to detect additional cases where an unnecessary name property is defined in a resource. - Trailing whitespace in files is once again detected by enabling the renamed
Layout/TrailingEmptyLines
cop. Thanks for reporting this issue @mvangoor! - The
Chef/Deprecations/DeprecatedChefSpecPlatform
cop has been updated to detect newly deprecated platforms in Fauxhai when used in ChefSpec tests.
ChefSpec
Missing dependency errors running ChefSpec tests have been resolved. Thanks for the report @y0y0z!
Test Kitchen
Test Kitchen has been updated from 2.8.0 to 2.9.0. This new release improves connecting to Windows hosts over WinRM from Linux systems. Connections are now made using xfreerdp
to avoid CredSSP error messages that previously occurred. If you’re currently using the previous rdesktop
solution, you’ll need to install xfreerdp
. This solution works out of the box without configuration, making it easier to test Windows guests on Linux hosts. Thanks @ramereth!
knife-ec2
The knife-ec2 plugin for Amazon EC2 has been updated from 2.1.0 to 2.1.1 to properly report the instance name when running knife ec2 server list
. Thanks for reporting this issue @isaitgirl!
Fauxhai
Fauxhai was updated from 8.6 to 8.7. Fauxhai provides mock Ohai system configuration data for use in ChefSpec unit tests. This release marked several legacy OS datasets as deprecated. The mocked data for these platforms will be removed from Fauxhai in the April 2021 release:
- openSUSE 15.1
- Redhat 7.6
- CentOS 7.6
- Linux Mint 18.3
- All Amazon Linux 201X releases except 2018.03
To detect and update ChefSpec tests using this legacy data, run Cookstyle against your cookbooks.
Backward Incompatibilities
The Chef Push Client and knife-push plugin are no longer included in Chef Workstation. Chef Push Jobs became EOL on Dec 31, 2020.
Chef Workstation 20.12.205
https://packages.chef.io/release-notes/chef-workstation/20.12.205.mdChef Infra Client 16.8.14
Chef Infra Client has been updated to 16.8.14 with many improvements to built-in resources, as well as the following improvements to the knife
CLI:
knife bootstrap
with the--forward-agent
no longer results in an error. Thanks for fixing this @drbrain!knife bootstrap
no longer sets the SSH option-o IdentitiesOnly
when no keys are specified. Thanks for fixing this @drbrain!knife ssh
with the--no-host-key-verify
option no longer shows a deprecation warning. Thanks for reporting this issue @bipinbachhao-lilly!knife ssh
with the--ssh-password
option no longer results in an error. Thanks for reporting this issue @evandam!knife ssh
with the--sudo
flag will no longer silently fail. Thanks for fixing this @rveznaver!
Chef InSpec
Chef InSpec has been updated to 4.24.8 including the following improvements:
- An unset
HOME
environment variable will not cause execution failures - You can use wildcards in
platform-name
andrelease
in InSpec profiles. Thanks for this improvement @yarick! - The
WMI
resource now returns an array to support returning multiple WMI objects - The
package
resource on Windows properly escapes package names. Thanks for this improvement @ramereth! - The
grub_conf
resource succeeds even if without amenuentry
in the grub config - Loaded plugins won’t try to re-load themselves
Cookstyle
Cookstyle has been updated to 7.3.11, which includes an updated RuboCop, two additional Chef Infra cops, and a large number of improvements to existing cops.
See the Cookstyle 7.3.11 Release Notes for details.
Kitchen-dokken
Kitchen Dokken has been updated to 2.11.2 to resolve failures from creating containers during the Test Kitchen converge. Thanks for reporting this issue @emeshuris!
Chef Workstation App
We’ve improved the Chef Workstation menu bar app to make getting started with Chef Infra easier:
- We added links to the Chef Documentation and Learn Chef sites on the app menu bar, making it easier to find documentation for Chef products.
- Our Release Notes are on the Chef Documentation site, making them easier to find and read.
- The first time it launches, Chef Workstation creates the
.chef
directory with a samplecredential
file in your home directory (if you don’t already have them), making the set-up process one step easier.
Chef Workstation 20.12.187
https://packages.chef.io/release-notes/chef-workstation/20.12.187.mdBreaking Changes
Foodcritic Removal
Foodcritic was deprecated in September 2019 and we are removing it in this release. In its place, Chef Workstation comes with Cookstyle, which has over 200 Chef Infra-specific rules. Foodcritic commands now result in an error message directing users to Cookstyle.
See our Goodbye, Foodcritic blog post for more details.
Stove Removal
We’ve removed the Stove binary, which was included in Chef Workstation, but not added to the default path. We added Stove’s functionality of pruning files from artifacts uploaded to Supermarket (such as test files) to the knife supermarket share
command. You no longer need stove
to upload trimmed artifacts to Supermarket.
Red Hat 6 EOL
Red Hat 6 / CentOS 6 entered end-of-life on November 30th, 2020. We have removed platform support for RHEL 6 from our build matrix and will no longer publish packages. If you require Chef Workstation on a RHEL platform you’ll need to upgrade to Red Hat or CentOS 7/8.
See Red Hat’s 6.0 End of Maintenance Phase FAQ page for more information.
Windows Bootstrap Improvements
We’ve improved the knife bootstrap
experience for Windows. Windows hosts now respect the knife bootstrap
--secret
flag and sets up nodes correctly to use encrypted data bags. Thanks for reporting this issue @AMC-7! Additionally, we now force connections to use TLS 1.2 during the bootstrap procedure, which prevents failures on Windows 2012-2016. Thanks for this improvement @TimothyTitan!
Updated Components
Chef Infra Client
Chef Infra Client was updated from 16.6 to 16.7. This new release includes significant performance improvements to Windows resources as well as extensive bug fixes throughout the codebase.
Habitat
Habitat was updated from 1.6.56 to 1.6.181, which includes a large number of studio and supervisor improvements.
git
The bundled git client was updated from 2.28 to 2.29.2. See the git 2.29.0 release notes for the most significant new functionality introduced in this release.
Test Kitchen
Test Kitchen was updated from 2.7.2 to 2.8.0. This release improves how we execute commands on Windows hosts in order to avoid failures executing commands that are too long for the windows command line. Thanks for this fix @ramereth!
Kitchen Google
The Kitchen Google driver for Test Kitchen was updated from 2.0.3 to 2.1.0. This release adds a new network_ip
config for an IPv4 internal IP address to assign to the instance. The driver automatically assigns an unused internal IP to an unconfigured network_ip
. Thanks @eReGeBe for this new feature!
Fauxhai
Fauxhai was updated from 8.4 to 8.6. Fauxhai provides mock Ohai system configuration data for use in ChefSpec unit tests. This release adds AIX 7.2 and macOS 11.0 platform data and deprecated the macOS 10.13 data.
Chef Workstation 20.11.180
https://packages.chef.io/release-notes/chef-workstation/20.11.180.mdImprovements
fauxhai
The fauxhai
library is updated from 8.3.1 to 8.4.0 and includes new support for CentOS 7.8, RedHat 7.8, and openSUSE 15.2, as well as updates to existing platform data for Chef Infra Client 16.6.
Cookstyle
The Cookstyle linting tool has been updated from 6.21.1 to 7.2.1, with new cops and a new cop naming format.
New Cop Naming Format
Cookstyle now ships with the RuboCop 1.x engine. This new release of RuboCop has enabled us to improve the naming scheme for Cookstyle cops. Previously all Cookstyle cops started with Chef
and then included the description of what the department actually did such as ChefDeprecations
, which was for deprecation cops. Cop names are now three parts instead of two, so ChefDeprecations/SomeCop
becomes Chef/Deprecations/SomeCop
. Why the change? Using this format makes it much easier to enable just the Chef specific cops in Cookstyle without having to list each individual department. Now you can run cookstyle --only Chef
to see just Chef Infra related cops without the additional few hundred Ruby specific cops provided by RuboCop. Cookstyle will automatically migrate any comments to the new department names, but anything in your .rubocop.yml will need to be updated manually.
New Name Mapping
- ChefCorrectness -> Chef/Correctness
- ChefDeprecations -> Chef/Deprecations
- ChefEffortless -> Chef/Effortless
- ChefModernize -> Chef/Modernize
- RedundantCode -> Chef/RedundantCode
- ChefSharing -> Chef/Sharing
- ChefStyle -> Chef/Style
New Cops
Style/CollectionCompact
The Style/CollectionCompact
cop detects code that removes nil
values from Hashes or Arrays using a Ruby block when this can be done with the compact
method instead.
Examples:
Overly complex nil removals:
array.reject { |e| e.nil? }
array.select { |e| !e.nil? }
Simpler nil removal:
array.compact
Chef/Deprecations/FoodcriticTesting
The Chef/Deprecations/FoodcriticTesting
cop detects cookbooks with a Gemfile that requires Foodcritic or any code, such as a Rakefile/Guardfile, that requires the Foodcritic gem. Foodcritic is no longer supported and has been significantly eclipsed in functionality by Cookstyle. Any existing Rakefile or Guardfile tests for Foodcritic should be updated to use Cookstyle instead.
Enabled by default
: True
Autocorrects
: False
Chef/Deprecations/LibrarianChefSpec
The Chef/Deprecations/LibrarianChefSpec
cop detects ChefSpec tests that require the legacy chefspec/librarian
library. Librarian Chef is no longer supported and users should migrate to Berkshelf or Policyfiles.
Enabled by default
: True
Autocorrects
: True
Chef InSpec
Chef InSpec is updated from 4.23.11 to 4.23.15. A bug fix included ensuring that waiver expiration data is always populated.
chef-vault
We’ve updated the release of chef-vault
to 4.1. Chef Vault 4.1 properly handles escape strings in secrets and greatly improves performance for users with large numbers of secrets. Thanks for the performance work @Annih!
Kitchen Vagrant
The kitchen-vagrant
plugin is updated from version 1.7.1 to 1.7.2 with a bug fix to no longer stop with an error when updating a Vagrant box that has not yet been downloaded.
Kitchen vCenter
The kitchen-vcenter
plugin is updated from version 2.8.2 to 2.9.0, which includes support for Windows guest customization and improved support for nested datacenters.
Chef Workstation 20.10.168
https://packages.chef.io/release-notes/chef-workstation/20.10.168.mdSecurity Updates
Ruby has been updated to 2.7.2, which includes a fix for CVE-2020-25613.
Improvements
Install times on Windows systems are now 2.5x faster.
Chef Workstation Powershell Shortcut
We removed the administrator requirement from the PowerShell shortcut added to the Desktop on install. Users who desire this existing functionality should right-click and Run as administrator
on this shortcut.
Chef Infra Client
Chef Infra Client has been updated from 16.5.77 to 16.6.14. This release adds support for Microsoft’s pwsh
(commonly known as PowerShell Core) in addition to its previous support for PowerShell
. The powershell_script resource includes a new interpreter
property that accepts either powershell
or pwsh
, the powershell_out
and powershell_exec
custom resource helpers have been updated with a new argument that accepts either :pwsh
or :powershell
, and the powershell_exec
helper now supports the 32-bit version of Windows.
This release also improves the Target Mode feature by converting the majority of Ohai plugins to run remotely, adds a new chef_client_config resource, and fixes various bugs.
Cookstyle
Cookstyle has been updated from 6.19.5 to 6.21.1. This release includes an updated RuboCop engine, improves scan times, fixes various bugs, and adds 3 new cops:
Lint/RedundantSafeNavigation
The Lint/RedundantSafeNavigation
cop detects redundant save navigation operators in order to simplify code. For example attrs&.respond_to?(:[])
can be simplified to just attrs.respond_to?(:[])
because respond_to?
will not error even if attrs
is not defined.
ChefCorrectness/OctalModeAsString
The ChefCorrectness/OctalModeAsString
cop detects mode properties that incorrectly use a string to represent an octal value. We highly recommend using strings that contain a base 10 mode value, but even if you want to use octal values, they can’t be passed as strings.
ChefDeprecations/UseYamlDump
The ChefDeprecations/UseYamlDump
cop detects cookbooks that use the .to_yaml method. Chef Infra Client 16.5 introduced performance enhancements to Ruby library loading and due to the underlying implementation of Ruby’s .to_yaml
method, it does not automatically load the YAML library. We recommend using YAML.dump()
instead, which is functionally equivalent, and also properly loads the YAML library.
Kitchen EC2
The kitchen-ec2
gem has been updated from 3.7.2 to 3.8.0. This release allows multiple IP addresses to be specified when creating a security group and fixes a bug when creating spot instances.
Kitchen Dokken
The kitchen-dokken
gem has been updated from 2.11.0 to 2.11.1 This release improves how kitchen-dokken determines if containers are available for connections.
knife-ec2
The knife-ec2
plugin has been updated from 2.0.4 to 2.0.6. This release fixes an error that would occur when using the --server-connect-attribute private_ip_address
flag.
Chef Workstation 20.9.158
https://packages.chef.io/release-notes/chef-workstation/20.9.158.mdSecurity Updates
OpenSSL 1.0.2w
OpenSSL has been updated to 1.0.2w, which includes a fix for CVE-2020-1968.
False Positive chef.exe
Malware Detection
Recently we received reports that chef.exe
was triggering users’ anti-virus software. We confirmed that we are shipping the latest security patches that we can and are not shipping malware to users. This is a false positive and we submitted a report as such to Microsoft. They corrected their security definitions and are no longer marking chef.exe
as malware. If you get errors trying to run the chef
command in PowerShell or have issues starting the Chef Workstation shell shortcut, most likely Windows Defender already quarantined your chef.exe
executable. You can either un-quarantine that file or reinstall Chef Workstation to fix this issue.
We also submitted a false positive report to McAfee, but have yet to hear back from them.
Improvements
Chef Infra Client
Chef Infra Client has been updated from 16.4.41 to 16.5.77. This release includes two new resources, updates to 10 existing resources, and the following CLI improvements:
- The client license acceptance logic has been improved to provide helpful error messages when an incorrect value is passed and to accept license values in any text case.
- A new
chef-client
process exit code of 43 has been added to signal that an invalid configuration was specified. Thanks @NaomiReeves ! - The
knife vault
commands now output properly formatted text when using-f json
or-f yaml
formatters. - The
knife ssh
command no longer hangs when connecting to Windows nodes over SSH. - The
knife config
commands have been renamed to make them shorter and table output has been improved:knife config get-profile
->knife config use
knife config use-profile [NAME]
->knife config use [NAME]
knife config list-profiles
->knife config list
knife config get
->knife config show
Cookstyle
Cookstyle has been updated from 6.16.10 to 6.19.5. This release includes eight new Chef Infra cops and twelve new Ruby cops to help you identify deprecations and invalid code in your cookbooks. It also includes several performance and memory usage improvements to speed up Cookstyle scans.
Chef InSpec
InSpec has been updated from 4.22.22 to 4.23.11. This release includes a --no-diff
CLI option to suppress diff output for textual tests, a --sort_results_by
CLI option to sort control output, and implements a sensitive mechanism to hide sensitive output.
knife-opc
The knife-opc
plugin has been updated from 0.4.6 to 0.4.7. This release includes a new --all-info
flag for use with the knife opc user list
command. This flag provides additional details on each listed user:
antima_gupta:
display_name: Antima Gupta
email: agupta@example.com
first_name: Antima
last_name: Gupta
pivotal:
display_name: Chef Server Superuser
email: root@localhost.localdomain
first_name: Chef
last_name: Server
kitchen-azurerm
The kitchen-azurerm
plugin has been updated from 1.2.0 to 1.4.0. This release includes multiple bug fixes, as well as a new use_fqdn_hostname
config option that forces using the instance’s FQDN for all communication.
kitchen-dokken
The kitchen-dokken
plugin has been updated from 2.10.0 to 2.11.0. This release works with newer Docker API releases and resolves Ruby 2.7 compatibility warnings.
kitchen-ec2
The kitchen-ec2
plugin has been updated from 3.7.1 to 3.7.2. This release now avoids beta releases of Red Hat when searching for AMIs to converge.
kitchen-inspec
The kitchen-inspec
plugin has been updated from 2.0.0 to 2.2.1. This release includes the ability to disable input caching in InSpec, as well as a fix for using the junit
reporter under Test Kitchen.
kitchen-vcenter
The kitchen-vcenter
gem has been updated from 2.7.12 to 2.8.2. This release includes the ability to enable IP customization using DHCP, as well as minor performance improvements.
Performance Improvements
We made updates to kitchen-azurerm
and Chef Infra Client, various knife gems to autoload dependencies. This should reduce the startup time of these gems by not trying to load a gazillion files on program startup. If these performance improvements function well, we plan to continue rolling this autoloading pattern to more gems to continue performance improvements.
Bug Fixes
Chef CLI
The chef install
command will no longer fail if a Policyfile.lock.json
file exists, but no Policyfile.rb
exists.
Test Kitchen
Test Kitchen has been updated from 2.6.0 to 2.7.2. This release fixes a bug when trying to use concurrency. Some plugins did not support concurrency and would raise an exception when run concurrently. Plugins now run concurrently by default, and known non-concurrent ones are being marked as such. In this case that plugin will run serially. For example, the InSpec verifier is not concurrent. If used with the AWS driver (for example) the machines would be created in parallel but verified serially.
Chef Workstation 20.9.136
https://packages.chef.io/release-notes/chef-workstation/20.9.136.mdImprovements
FIPS support
Starting with this release, we added FIPS support for Chef Workstation. This includes support for all the Ruby-based tools, such as knife
, chef-client
, and kitchen
, but does not include support for some of our newer tools, such as the Chef Workstation App and the Upgrade Lab flow.
Chef Infra Client
Chef Infra Client has been updated from 16.4.38 to 16.4.41. This release:
- Resolves an error that would prevent ipaddress detection on Windows hosts
- Fixes failures running the knife configure command
- Refactors the
timezone
resource to properly load the existing timezone value in order to improve logging, and the data exposed to Chef Automate and handlers.
chef-run
chef-run
has been updated to add support for YAML-based recipes introduced in Chef Infra Client 16. Users can specify a YAML recipe in the same way that they would normally specify a Ruby recipe, such as chef run target chef_repo/recipes/my_recipe.yml
.
NOTE: We incorrectly said we released this feature in Chef Workstation 20.6.62, but the updated dependency was not pulled for that release. 😢
Chef Vault
Chef Vault has been updated from 4.0.6 to 4.0.11. This release raises a warning if the input of the vault admin is anything other than an array.
Cookstyle
Cookstyle has been updated from 6.15.5 to 6.16.10. This release makes Cookstyle 16% faster, while also improving detection in many existing Chef cops. The RuboCop engine that powers Cookstyle has been updated to 0.90 with improvements to greatly speed up autocorrection while consuming less memory. This release also fixes an issue where Cookstyle was not detecting invalid Ruby syntax.
Chef InSpec
Chef InSpec has been updated from 4.22.8 to 4.22.22. This release includes new windows_firewall
and windows_firewall_rule
resources, a junit2
reporter, as well as numerous bug fixes and improvements.
Kitchen AzureRM
Kitchen AzureRM has been updated from 1.0.0 to 1.2.0. This release includes:
- Support for deletion or preservation of resource group tags with a new
destroy_explicit_resource_group_tags
config that defaults totrue
- Default password generation increased to 25 characters to avoid failures on newer Windows releases
- Multiple README and documentation fixes. Thanks @jasonwbarnett!
Kitchen vCenter
Kitchen vCenter has been updated from 2.7.9 to 2.7.12. This release allows storing the images created by Test Kitchen in nested folders. Thanks @cattywampus!
Platform Packages
- We now produce macOS Big Sur (11.0) packages for Chef Workstation
Chef Workstation 20.8.125
https://packages.chef.io/release-notes/chef-workstation/20.8.125.mdImprovements
Chef Infra Client
Chef Infra Client has been updated from 16.3.45 to 16.4.38. This release resolves an issue with knife bootstrap
that prevented bootstrapping Windows nodes from a non-Windows Workstation. It also updates 8 built-in resources.
Cookstyle
Cookstyle has been updated from 6.14.7 to 6.15.5. This updates the RuboCop engine to 0.89. This new release also enabled several new Ruby cops that were helpful in writing quality cookbooks and disabled several naming and code length cops that were not helpful when writing cookbooks.
Chef InSpec
InSpec has been updated from 4.22.1 to 4.22.8. This release adds a new sensitive
parameter to MySQL and Postgres sessions that, when enabled, shows REDACTED
in the command output. Thank you @fzipi!
kitchen-vagrant
kitchen-vagrant has been updated from 1.6.1 to 1.7.0. This release adds new box_auto_update
and box_auto_prune
options to pull newer Vagrant base boxes. Thank you @Stromweld!
markdownlint
markdownlint (mdl
) has been updated from 0.9.0 to 0.10.0. This release updates Dockerfile to work with modern markdownlint, updates the minimum version of kramdown, and updates the minimum version of RuboCop to consume security fixes.
Fauxhai
Fauxhai has been updated to 8.3.1 providing updated mocked Ohai platform data for use with ChefSpec. This release adds Debian 9.12 data, updates all Ubuntu releases to the latest patch releases, and updates CentOS 8 to be the 8.2 release. This release also deprecates several of the older platform versions so you may start to see additional platform deprecation warnings when running ChefSpec. To avoid these deprecations in the future make sure to specify just the major version of the platform when writing ChefSpec. For example, use Debian “10” instead of “10.3” to always use the latest version of Debian 10 data.
Chef Vault
Chef Vault has been updated to 4.0.6 to resolve errors when running some knife vault
commands.
Security
CA Root Certificates
The included cacerts
bundle in Chef Workstation has been updated to the 7-22-2020 release. This new release removes 4 legacy root certificates and adds 4 additional root certificates.
Reduced Dependencies
We’ve audited the included dependencies that we ship with Chef Workstation to reduce the 3rd party code we ship. We’ve removed many of the embedded binaries that shipped with the package in the past, but were not directly used. We’ve also reduced the feature set built into many of the libraries that we depend on, and removed several Ruby gem dependencies that were no longer necessary. This reduces the future potential for CVEs in the product and reduces package size at the same time.
Bug Fixes
Chef Workstation App
Chef Workstation App has been updated to fix a bug where dialog boxes would incorrectly pop up when the app started before internet connectivity was available causing the update check to fail. This no longer results in a dialog box and the update check will run after internet connectivity has been restored.
Chef Workstation 20.8.111
https://packages.chef.io/release-notes/chef-workstation/20.8.111.mdImprovements
.chef Home Directory
The first time you execute the chef
command, it checks for the presence of the ~/.chef
directory. If it does not exist, chef
creates it. Some tools included in Chef Workstation raise an error if that directory does not exist, so we are attempting to add more safeguards to ensure that it does.
Habitat Version Reporting
chef -v
output has been updated to display the included Habitat version. We also updated the Chef Workstation App to include the Habitat version on the ‘About’ page.
Chef Infra Client
Chef Infra Client has been updated from 16.2.73 to 16.3.45.
We took a hard look at many of the terms we’ve historically used throughout the Chef Infra Client configuration sub-system and came to the realization that we weren’t living up to the words of our Community Code of Conduct. From the code of conduct: “Be careful in the words that you choose. Be kind to others. Practice empathy”. Terms such as blacklist and sanity don’t meet that bar so we’ve chosen to rename these configuration options:
automatic_attribute_blacklist
->blocked_automatic_attributes
default_attribute_blacklist
->blocked_default_attributes
normal_attribute_blacklist
->blocked_normal_attributes
override_attribute_blacklist
->blocked_override_attributes
automatic_attribute_whitelist
->allowed_automatic_attributes
default_attribute_whitelist
->allowed_default_attributes
normal_attribute_whitelist
->allowed_normal_attributes
override_attribute_whitelist
->allowed_override_attributes
enforce_path_sanity
->enforce_default_paths
Existing configuration options will continue to function for now, but will raise a deprecation warning and will be removed entirely from a future release of Chef Infra Client.
This release includes the new windows_firewall_profile
resource and updates eight existing resources. It also includes improvements to knife
. See the release notes for full details!
This update resolves failures from negotiating protocol versions with the Chef Infra Server. It also improves log output on Windows systems in the hostname
resource and adds support to the archive_file
resource for pzstd compressed files.
Knife Improvements
- Ctrl-C can now be used to exit knife even when being prompted for input.
knife bootstrap
will now properly error if attempting to bootstrap an AIX system using an account with an expired password.knife profile
commands will no longer error if an invalid profile was previously set.- The
-o
flag forknife cookbook upload
can now be used on Windows systems. knife ssh
now once again accepts legacy DSS host keys although we highly recommend upgrading to a more secure key algorithm if possible.- Several changes were made to knife to that may prevent intermittent failures running cookbook commands
Cookstyle
Cookstyle has been updated from 6.12.6 to 6.14.7. This release includes seven new cops, including ones to modernize resource writing and clean up macos_userdefaults
usage.
Chef InSpec
InSpec has been updated from 4.21.3 to 4.22.1. This release includes the following improvements:
- The
=
character is now allowed for command line inputs. apt-cdrom
repositories are now skipped when parsing out the list of apt repositories.- Faulty profiles are now reported instead of causing a crash.
- Errors are no longer logged to stdout with the
html2
reporter. - macOS Big Sur is now correctly identified as macOS.
knife-opc
knife-opc
has been updated from 0.4.4 to 0.4.6. This release fixes hydrate errors raised when running knife opc user edit USERNAME
.
Test Kitchen
Test Kitchen has been updated from 2.5.3 to 2.5.4. This update rolls back a change we introduced around fixing root_path
usage. We are going to take another stab at fixing this and will include that in the next version of Chef Workstation.
kitchen-vcenter
kitchen-vcenter has been updated from 2.7.0 to 2.7.8. This release adds the ability to customize the guest OS as well as supporting data centers stored in folders. It also updates the vSphere interface gem (rbvmomi
) to the latest major release.
Chef Workstation 20.7.96
https://packages.chef.io/release-notes/chef-workstation/20.7.96.mdNew Features
Improvements
Bug Fixes
Backward Incompatibilities
Chef Workstation 20.7.81
https://packages.chef.io/release-notes/chef-workstation/20.7.81.mdImprovements
Chef CLI
The Chef CLI’s chef generate cookbook
command has been updated to generate a more complete chefignore
file.
ChefSpec
ChefSpec was updated from 9.1 to 9.2 which now supports cookbooks that include Ohai plugins in the ‘ohai’ directory. It also adds support for Chef 16’s after_resource
.
Cookstyle
Cookstyle has been updated from 6.7 to 6.9 with an updated RuboCop engine and additional Chef Infra cops.
RuboCop 0.86
RuboCop has been updated to 0.86 which includes several bug fixes to prevent false positives and includes new autocorrection capabilities.
Improvements for Chef Infra Client 16.2
Chef Infra Client 16.2 contains additional changes to the way that resource names are specified in order to avoid edge cases in resource naming. When setting the name of a custom resource, provides
should now be used instead of resource_name
. When writing cookbooks that support Chef Infra Client earlier than version 16, you’ll want to use both provides
and resource_name
to support all releases.
To support these changes we’ve made several updates to existing cops. The ChefDeprecations/ResourceUsesOnlyResourceName
cop has been updated to add provides
in addition to resoure_name
instead of replacing resource_name
with provides
. This change ensures that cookbooks will continue to function on versions of Chef Infra Client prior to version 16. The ChefDeprecations/ResourceWithoutNameOrProvides
cop has also been renamed to ChefDeprecations/HWRPWithoutProvides
and improves detection of resources without provides
. Both cops now better validate the contents of existing provides
calls.
InSpec
InSpec was updated from 4.19 to 4.21. This new release includes the following improvements:
- Certain substrings within a .toml file no longer cause unexpected crashes.
- Accurate InSpec CLI input parsing for numeric values and structured data, which were previously treated as strings. Numeric values are cast to an integer or float and YAML or JSON structures are converted to a hash or an array.
- Suppress deprecation warnings on
inspec exec
with the--silence-deprecations
option.
knife bootstrap
The knife bootstrap
command has been updated with several fixes and improvements
- knife bootstrap will now warn when bootstrapping a system using a validation key. Users should instead use validatorless bootstrapping with
knife bootstrap
which generates node and client keys using the client key of the user bootstrapping the node. This method is far more secure as an organization-wide validation key does not need to be distributed or rotated. Users can switch to validatorless bootstrapping by removing anyvalidation_key
entries in their config.rb (knife.rb) file. - Resolved an error bootstrapping Linux nodes from Windows hosts
- Improved information messages during the bootstrap process
- Bootstrapping will now be done using a single SSH connection improving bootstrap times on high latency network connection.
Knife Tidy
Knife Tidy has been updated from 2.0.12 to 2.1.0 which adds support for a --keep-versions
command line flag. Specifying this keeps a minimum number of versions of each cookbook and defaults to 0
.
net-ssh
net-ssh
has been updated from 5.2.0 to 6.1.0 which includes the following updates:
- Support empty lines and comments in known_hosts.
- Add sha2-{256,512}-etm@openssh.com MAC algorithms.
- curve25519sha256 support.
Ohai
Ohai was updated from 16.1 to 16.2 which correctly identifies the new macOS Big Sur (11.0) beta as the platform mac_os_x
.
Platform Packages
- Debian 8 packages are no longer being produced as Debian 8 is now end-of-life.
- We now produce Windows 8 packages.
Backward Incompatibilities
- gerkin and cucumber-core gems no longer ship by default with Chef Workstation.
Chef Workstation 20.6.62
https://packages.chef.io/release-notes/chef-workstation/20.6.62.mdMajor Version Change
Starting with this release, Chef Workstation is switching to a date-based versioning scheme. The major number represents the year, the minor number represents the month, and the patch number represents the build number. For example, 20.6.111
would refer to the June 2020 release at build number 111.
We decided to switch to a date-based version because Chef Workstation is a collection of tools meant to be used by humans and not machines. Dates are easier to relate and reference, whereas SemVer makes it easier to convey API changes and backward-incompatible changes.
The Chef Workstation team introduced feature flags as a way of introducing new functionality or breaking changes alongside bundled tool updates. The Chef Workstation team will document feature flags in the release notes and Chef Workstation App tool.
This change gives us the ability to change human-centric tools more rapidly than strict adherence to SemVer allowed us to. We will not break major tool flows (except in the scope of a feature flag), but rather we want users to always stay up-to-date on the latest release and consume iterative updates to their tooling.
Breaking Changes
chef-sugar removal
With the introduction of chef-utils in Chef Infra Client 15, we now ship nearly 100 of the most important helpers from chef-sugar directly in Chef Infra Client. Including these helpers is the right thing to do for users and makes them easier to maintain. Now that this functionality is included, users no longer need to install the chef-sugar gem or use the chef-sugar cookbook, so we removed them from Chef Workstation.
Security Updates
OpenSSL
OpenSSL was updated from 1.0.2u to 1.0.2v with the following message:
*) Implemented coordinate blinding for the generic implementations of both binary and prime elliptic curves to avoid leaking bits of the scalar and, potentially, bug attacks. A group of security researchers and cryptographers from academia and industry, listed below, reported a successful cache timing attack in OpenSSL 1.0.2u against specific prime and binary curves whose order or field length is close to a word boundary. They also provided the fix. This attack does not fit the OpenSSL threat model and so no CVE is assigned, but a fix is implemented nonetheless. [Diego F. Aranha, Akira Takahashi, Mehdi Tibouchi, Yuval Yarom]
Rake
Rake was updated from 12.3.2 to 13.0.1 to resolve CVE-2020-8130.
Upgrade Lab
Chef Upgrade Lab is a new process guide for upgrading nodes from legacy Chef Infra Client 12 to current Chef Infra Client 16 using a powerful set of new tools.
Upgrade Lab Guide
The Upgrade Lab Guide teaches users how to leverage the new tools in Chef Workstation to upgrade their older Chef Infra installations to the latest version. Users will learn how to query their existing infrastructure to identify a single node to upgrade, capture the state of that node to a local development workstation, iterate locally on cookbook changes to support the latest version of Chef Infra Client, deploy the updated cookbook to a new Chef Infra Server instance, and finally upgrade the installed version of Chef Infra Client on the node.
The new report
command
Use the new chef report
command to analyze a Chef Infra Server and quickly get insight into which nodes and cookbooks are best suited for upgrading. The chef report nodes
command lists all nodes on the server and describes which cookbooks are used by each node. The chef report cookbooks
command lists cookbooks and the nodes that consume them, and can even analyse the cookbooks using cookstyle
to look for potential upgrade issues in the recipes!
The new capture
command
chef capture
is a powerful interactive CLI experience that analyzes a single node on the Chef Infra Server, then helps you locate the cookbooks it consumes, downloads the node data, and even creates a local Test Kitchen configuration. This enables you to start upgrading your cookbooks while running Chef Infra Client in a local virtual machine for rapid development.
VSCode Integration
As you iterate on your cookbooks, you can make your changes directly in Visual Studio Code assisted by the Chef Infra Extension. It provides code completion and integration with cookstyle, including auto-correction of recipe code issues.
Updated Components
Chef Infra Client 16
Chef Infra Client has been updated to Chef 16. This release adds tons of new features and improvements, including these highlights:
- Cookbook authors can now write simple recipes in YAML.
- New resources for setting the client to run on an interval using native system schedulers.
- New
windows_security_policy
andwindows_user_privlidge
resources. - Resource partials allow you to define reusable portions of code that can be included in multiple custom resources.
- Built-in support for Chef Vault, so no need to depend on the
chef-vault
cookbook or gem. - Improved performance on Windows systems.
See the Chef Infra Client 16 Release Notes for details on all the great new features and improvements, as well as breaking changes.
Chef executables
chef-run
and chef
have been updated to add support for YAML-based recipes introduced in Chef Infra Client 16. Users can specify a YAML recipe in the same way that they would normally specify a ruby recipe (chef run target chef_repo/recipes/my_recipe.yml
, chef install
, etc.).
chef generate cookbook
has also been updated to use the latest CentOS and Ubuntu releases in Test Kitchen and ChefSpec configuration files.
Cookstyle 6.7
Cookstyle has been updated from 6.3.4 to 6.7.3. This new release includes 8 new Chef Infra cookbook cops as well as an updated RuboCop engine, which includes a large number of autocorrection improvements and bug fixes. It also enables a ChefModernize/FoodcriticComments
, encouraging users to migrate off Foodcritic and includes improved Chef Infra Client version documentation for each cop.
Chef InSpec
Chef InSpec has been updated from 4.18.111 to 4.19.0. This new release allows you to develop your own Chef InSpec Reporter plugin and determine how Chef InSpec will report result data. Additionally, the inspec archive
command packs your profile into a tar.gz
file that includes the profile in JSON form as the inspec.json
file. Use this JSON file to programmatically examine the profile without needing to load it into Chef InSpec.
Kitchen Hyper-V
The Kitchen Hyper-V driver has updated from 0.5.3 to 0.5.4, which resolves failures from getting the default VM Switch if there were spaces in the name. Thanks @kdoores for this improvement.
Kitchen DigitalOcean
The Kitchen DigitalOcean driver has updated from 0.10.6 to 0.11.0. This release adds slugs for Ubuntu 20.04 / RHEL 8 / Fedora 31 support, and adds support for VPCs. Thanks @zmaupin, @tolland, and @gregf for these improvements.
Ruby 2.7
Chef Workstation’s Ruby installation has been updated from Ruby 2.6 to Ruby 2.7.1, which includes many features available for use in resources and libraries.
See https://medium.com/rubyinside/whats-new-in-ruby-2-7-79c98b265502 for details on many of the new features.
Windows 10
Our Windows 10 Chef Workstation packages now receive an additional layer of testing to ensure that they function as expected.
Updates to Homebrew Cask
We moved Chef Workstation out of our custom tap and into the core Homebrew casks. If you use Homebrew to keep your Chef Workstation version updated, you will need to run the following:
brew update
brew cask reinstall chef-workstation
The reinstall
command removes chef-workstation if it was installed from our custom tap (previously installed with brew cask install chef/chef/chef-workstation
), and installs it from the list of core Homebrew casks.
Chef Workstation 0.18.3
https://packages.chef.io/release-notes/chef-workstation/0.18.3.mdNew features
Kitchen OpenStack
Chef Workstation now ships with Kitchen OpenStack so you can test your Chef Infra cookbooks using instances in OpenStack clouds. See the Kitchen Openstack GitHub repo for usage information. Thanks @ramereth for all the work getting this driver ready to ship in Workstation.
Ubuntu 20.04 Packages
Chef Workstation packages are now created for Ubuntu 20.04! See the Workstation Downloads Page for a complete list of platforms we produce packages for.
Updated Components
Chef Infra Client 15.10
Chef Infra Client has been updated from 15.8 to 15.10 which includes improvements to resources, additional cookbook helpers, and critical bug fixes for bootstrapping nodes using knife bootstrap
and SSHing to nodes with ed25519
keys from Windows hosts. For a complete list of changes, see the Chef Infra Client 15.10 release notes
Cookstyle 6.3
Cookstyle has been updated from 5.22 to 6.3. This new release includes an updated RuboCop engine which includes a large number of autocorrection improvements and bug fixes, plus compatibility with Ruby 2.7. Cookstyle also ships with a large number of autocorrection improvements and 18 new Chef Infra cops. Included in the new cops are cops to get your cookbooks ready for Chef Infra Client 16.
Note: The updated RuboCop engine has renamed many of the out-of-the-box Ruby cops which may require updating cop names in your .rubocop.yml config. Additionally, this release will now fail Cookstyle runs if any of the ChefDeprecations
department cops that shipped at the time of Cookstyle 5.22 alert. Any new cops we add will be added at the warning level until Cookstyle 7.0 ships. This gives you time to update your cookbooks using the latest Cookstyle releases without immediately failing CI builds.
Fauxhai 8.1
Fauxhai has been updated from 7.6 to 8.1. Fauxhai is the engine that provides ChefSpec with mocked Ohai data, allowing you to writes ChefSpecs for multiple platforms. This release updates all of the mocked Ohai data to be generated with Chef Infra Client 16. It also updates the list of platforms that are included in the mocked data. We’ve added new platforms and removed deprecated platforms that have generated warnings for the last year. To avoid deprecation warnings in your ChefSpecs in the future, you can avoid specifying the minor versions of releases and instead let ChefSpec choose the latest platform for you. For example, instead of specifying platform: 'centos', version: '7.7.1908'
you can instead set platform: 'centos'
or platform: 'centos', version: '7'
.
New Platforms
- Ubuntu 20.04
- openSUSE 15.1
- Raspbian 10
- Fedora 31
- Redhat 7.7
- CentOS 7.7.1908
Removed Platforms
- Raspbian 8.0
- Debian 9.2 / 9.3 / 9.4 / 9.5 / 9.6
- Fedora 26/27/28
- FreeBSD 10.4
- macOS 10.11 / 10.12
- openSUSE 42.2 / 42.3
- CentOS 6.8 / 7.3.1611 / 7.4.1708
- Debian 7.11
- FreeBSD 10.4
- Oracle Linux 6.8 / 7.3 / 7.4
- Redhat 6.8 / 7.3
- SUSE 11.4 / 12.1 / 12.2
- Ubuntu 17.10
Chef InSpec 4.18.111
Chef InSpec has been updated from 4.18.100 to 4.18.108. This update includes the following fixes and improvements:
- Resolved a regression that prevented the
service
resource from working correctly on Windows. Thanks @Axuba - Implemented VMware and Hyper-V detection on Linux systems
- Implemented VMware, Hyper-V, Virtualbox, KVM and Xen detection on Windows systems
- Added helpers
virtual_system?
andphysical_system?
. Thanks @tecracer-theinen
Chef CLI
The Chef CLI has been updated from 2.0 to 2.0.10. This fixes chef update
to properly add cookbooks from include_policies
to the PolicyFile lockfile. This release also supports new Chef Infra 16 YAML recipes in the chef install
command.
Test Kitchen
Test Kitchen itself has been updated to from 2.4.0 to 2.5.0. This release includes support for Ohai plugins stored in the ohai
directory of cookbooks and also resolves failures using the PowerShell provisioner. Thanks @SAPDanJoe and @alanghartJC for these improvements.
Kitchen AzureRM
The Kitchen AzureRM driver was updated from 0.15.1 to 1.0. This release fixes several failures from running the Kitchen Azurerm driver. It also includes support for Azure Marketplace plans and Managed Service Identity (MSI). Thanks @jasonwbarnett, @zanecodes, @albertvaka, and @KSerrania for these improvements.
Kitchen Hyper-V
The Kitchen Hyper-V driver has been updated from 0.5.3 to 0.5.4 which resolves failures from getting the default VM Switch if there were spaces in the name. Thanks @kdoores for this improvement.
Kitchen DigitalOcean
The Kitchen DigitalOcean driver has been updated from 0.10.5 to 0.10.6. This release adds slugs for RHEL 8 / Fedora 31 support and updates the default instance memory size to 1GB. Thanks @zmaupin and @tolland for these improvements.
Kitchen EC2
The Kitchen EC2 driver has been updated from 3.3 to 3.5. This release lets the driver cleanly exit if the test instance was destroyed outside of the Test Kitchen run, either by automation or in the console. Test Kitchen will also now select the subnet with the most available IPs to better distribute systems across multiple Availability Zones. Thanks @bdwyertech and @kamaradclimber for these improvements.
Kitchen InSpec
The Kitchen InSpec verifier has been updated to allow setting Chef InSpec plugins for use during the verification. This new functionality can be enabled by adding load_plugins: true
to your InSpec verifier config. Thanks @tecracer-theinen for this improvement.
Kitchen vCenter
The Kitchen vCenter driver has been updated from 2.6.4 to 2.7.0 which adds the ability to define transformations for VM IPs that are used in 1:1 NAT environments. This release also includes improved fallback for DC lookups to use methods that may work with less privileged users. Thanks @tecracer-theinen and @jasonwbarnett for these improvements.
Kitchen Dokken
The Kitchen Dokken driver has been updated from 2.8.1 to 2.9.0. This release adds a new provisioning configuration, clean_dokken_sandbox
, that does not require cleaning the Chef Infra and Test Kitchen files between converges. This configuration will speed up repeatedly converging systems. This defaults to true
which maintains the existing behavior. Thanks @chrisUsick
Knife Plugins
Knife Tidy
Knife Tidy has been updated from 2.0.9 to 2.0.12 which provides compatibility with Chef Infra Client 15 and improves error handling in JSON parsing.
Knife Azure
Knife Azure was updated from 2.0.13 to 2.0.17 which resolves issues from loading plugin requirements.
Knife EC2
Knife EC2 has been updated from 1.0.32 to 1.0.36. This update resolves failures from bootstrapping nodes in classic EC2 and avoids attempting to bootstrap nodes using private DNS which may not be accessible from the node running the bootstrap command.
Security Updates
Git
Git was updated from 2.24.1 to 2.26.2 to resolves the following CVEs:
- CVE-2020-5260: Heap exposure vulnerability in the socket library
- CVE-2020-11008: Heap exposure vulnerability in the socket library
libarchive
libarchive was updated from 3.4.0 to 3.4.2 to resolve the following CVEs:
- CVE-2019-19221: archive_wstring_append_from_mbs in archive_string.c has an out-of-bounds read because of an incorrect mbrtowc or mbtowc call
- CVE-2020-9308: archive_read_support_format_rar5.c in libarchive before 3.4.2 attempts to unpack a RAR5 file with an invalid or corrupted header
Ruby
Ruby was updated from 2.6.5 to 2.6.6 to resolve the following CVEs:
- CVE-2020-16255: Unsafe Object Creation Vulnerability in JSON (Additional fix)
- CVE-2020-10933: Heap exposure vulnerability in the socket library
Chef Workstation 0.17.5
https://packages.chef.io/release-notes/chef-workstation/0.17.5.mdUpdated Components
Chef InSpec 4.18.100
Chef InSpec has been updated to 4.18.100 to fix the following bugs:
- We fixed a problem in which the sudo password would appear to be ignored even if provided.
- We resolved an issue in which profiles could not be fetched from an Automate server.
- The
release
property of theplatform
resource no longer breaks for Chef Habitat with Linux.
Test Kitchen 2.4.0
Test Kitchen has been updated to 2.4.0. This update will now pass the CHEF_LICENSE
environmental variable, if it is set, from the host workstation to any created machines. The CHEF_LICENSE
environmental variable is
used to accept the required EULA. Any environmental variables on the host machine that start with TKENV_
will also be passed to created machines with that prefix removed.
The base verifier was updated to support a downloads configuration. This configuration will download files from the created machines to the host machine after running verification. It expects a hash from locations on the created machine to locations on the host machine:
downloads:
"/tmp/kitchen/nodes": "./test/fixtures"
Chef Workstation 0.16.33
https://packages.chef.io/release-notes/chef-workstation/0.16.33.mdUpdated Components
knife-ec2
knife-ec2 has been updated to 1.0.32 to fix a regression in profile support. Using profiles with knife ec2 server create
is working correctly again.
Markdown Lint
Markdown Lint has been updated to 0.9.0. This release adds support for nested code blocks as well as block quoted list items. Thank you @jaymzh!
Reverted Components
Chef InSpec
Chef InSpec has been reverted to 4.18.51 to fix some escaped defects. We are currently working on a fix and will update to the latest version of Chef InSpec as soon as the fixes are released.
Chef Workstation 0.16.32
https://packages.chef.io/release-notes/chef-workstation/0.16.32.mdUpdated Components
knife-ec2
knife-ec2 has been updated to 1.0.32 to fix a regression in profile support. Using profiles with knife ec2 server create
is working correctly again.
Markdown Lint
Markdown Lint has been updated to 0.9.0. This release adds support for nested code blocks as well as block quoted list items. Thank you @jaymzh!
Reverted Components
Chef InSpec
Chef InSpec has been reverted to 4.18.51 to fix some escaped defects. We are currently working on a fix and will update to the latest version of Chef InSpec as soon as the fixes are released.
Chef Workstation 0.16.31
https://packages.chef.io/release-notes/chef-workstation/0.16.31.mdImproved Knife Performance
We’ve optimized knife to provide a huge performance increase. Knife commands are now more than 3x faster on Windows and more than 4.5x faster on macOS.
Chef Workstation App Improvements
The Chef Workstation App now runs at boot and launches after installing Chef Workstation. We’ve also added a new preferences dialog on macOS that allows you to set Chef Workstation preferences without using the config file.
Updated Components
Chef Infra Client 15.8.23
Chef Infra Client has been updated to 15.8.23 with updated resources, a new notify_group feature, and dozens of new helpers to make writing cookbooks easier than ever. Check the complete release notes for details on docs.chef.io
Chef InSpec 4.18.85
Chef InSpec has been updated from 4.18.51 to 4.18.85. This release includes a large number of bug fixes in addition to some great resource enhancements:
- The service resource features new support for yocto-based linux distributions. Thank you to @michaellihs for this addition!
- The package resource now includes support for FreeBSD. Thank you to @fzipi for this work!
- We standardized the platform for the etc_hosts, virtualization, ini, and xml resources.
- The oracledb_session resource works again due to a missing quote fix.
- The groups resource on macOS no longer reports duplicates anymore. command.exist? now conforms to POSIX standards. Thanks to @PiQuer!
- We changed the postfix_conf resource’s supported platform to the broader unix. Thank you to @fzipi for this fix!
Cookstyle 5.21.9
We updated Cookstyle from 5.20.0 to 5.21.9. This release adds 4 new Chef Infra cops and improves many existing cops:
ChefStyle/UnnecessaryOSCheck
The ChefStyle/UnnecessaryOSCheck
cop checks cookbooks that use node['os']
to check the operating system of a node, when they could instead use the platform_family?()
helper. All values of os
from Ohai match one-to-one with platform_family
values, except for linux
which has no single equivalent plaform_family
.
ChefModernize/SimplifyAptPpaSetup
The ChefModernize/SimplifyAptPpaSetup
cop detects apt_repository
resources that setup Ubuntu PPAs by using their full URL. For example, http://ppa.launchpad.net/webupd8team/atom/ubuntu
can be simplified to just ppa:webupd8team/atom
.
ChefRedundantCode/StringPropertyWithNilDefault
The ChefRedundantCode/StringPropertyWithNilDefault
cop detects String type resource properties that set their default value to nil
. All String type properties default to nil
, so this does not need to be set.
ChefRedundantCode/PropertySplatRegex
The ChefRedundantCode/PropertySplatRegex
cop detects String type resource properties that validate their input with a regex of /.*/
. This regex will match on any String value and is not necessary.
Other Cookstyle fixes and changes
ChefDeprecations/IncludingYumDNFCompatRecipe
will now remove any inline conditionals around theinclude_recipe
statement during autocorrection so that it does not leave behind invalid Ruby.ChefDeprecations/WindowsTaskChangeAction
will no longer fail when the action value is not a String type value.ChefSharing/InvalidLicenseString
will not autocorrectapache v2
toApache-2.0
.Layout/EndAlignment
andLayout/DefEndAlignment
now have autocorrection enabled to eliminate the need for manually fixing indentation in cookbooks.ChefStyle/UsePlatformHelpers
now detects and autocorrectsnode['platform'].eql?()
usage.Style/ModuleFunction
cop has been disabled because this caused library helpers to fail to load.- All metadata cops now properly autocorrect legacy metadata that included HEREDOCs.
- The
TargetRubyVersion
is now set to 2.3 to match the version of Ruby that shipped in Chef Infra Client 12. This config value is used to enable/disable cops and autocorrection that may break Ruby code in these older Chef Infra Client releases. If you are on a later release of Chef Infra Client, you can set this value to Ruby 2.6 to enable additional cops and autocorrection.
Fauxhai 7.6
Fauxhai has been updated to 7.6 with FreeBSD 12.1 data for use in ChefSpec. Thanks to @nhuff!
kitchen-vcenter 2.6.4
kitchen-vcenter has been updated to 2.6.2. This update fixes multiple bugs from spinning up nodes in Test Kitchen. Thanks @leotaglia and @cattywampus for these fixes.
knife-ec2 1.0.31
knife-ec2 has been updated to 1.0.31 with a fix for SSH connection failures that occurred if the instance has no public DNS name.
chef-apply 4.1.5
chef-apply has been updated to 4.1.5 to add the missing CHEFVAL001 error message.
ChefSpec 9.1
ChefSpec has been updated to 9.1 with a new matcher include_any_recipe
that allows you to write specs to ensure that cookbooks aren’t including recipes. Thanks @jasonwbarnett. This release also fixes a bug mocking out the Chef::Provider
class when a cookbook uses Poise’s resource_provider_mixin
. Thanks @Annih for this fix.
Platform Support
Chef Workstation packages are now validated on Debian 10.
Chef Workstation 0.15.18
https://packages.chef.io/release-notes/chef-workstation/0.15.18.mdBug Fixes
We fixed an issue with the macOS Catalina (10.15) notarization process. In Chef Workstation 0.15.6, users were seeing errors when trying to run
chef install
and other tools. These errors had a message similar to:terminated by signal SIGKILL (Forced quit))
. This type of error was caused byffi
attempts to load native bindings into insecure memory, which is disabled by default in MacOS Catalina. We added an entitlement to allow this loading to happen.Apple previously detailed updates to the notarization process that takes effect on February 3rd, 2020. You can read about the notarization requirements and process here.
Updated Components
- Updated
win32-service
from2.1.4
to2.1.5
. This version removes deprecation warnings about theffi
gem from being outputted on Windows. Thank you @Dreweasland for this fix!
Chef Workstation 0.15.6
https://packages.chef.io/release-notes/chef-workstation/0.15.6.mdUpdated Components
Chef Infra Client
Chef Infra Client has been updated from 15.6 to 15.7 which includes improvements to the archive_file
, cron
, cron_d
, file
, launchd
, sudo
, user
, windows_task
, and x509_certificate
resources as well as the usual collection of bug fixes and bootstrap improvements.
Berkshelf
Berkshelf has been updated from 7.0.8 to 7.0.9, which resolves errors when running berks verify
and when using the --skip-syntax-check
flag.
Cookstyle
Cookstyle has been updated from 5.19 to 5.20 with a new Chef cop ChefDeprecations/DeprecatedChefSpecPlatform to detect legacy platforms in ChefSpecs. This release also includes improvements to autocorrection and detection of deprecated content in the Chef cops.
Chef InSpec
Chef InSpec has been updated from 4.18.39 to 4.18.51 with the following improvements:
- Example groups can now use InSpec resources
- The user resource can now check the last login date on Windows
- Improved the fetchers to fail consistently
Debian Support
We now produce Chef Workstation packages for Debian 8 and 9.
macOS Binary Signing
Each binary in the macOS Chef Workstation installation is now signed to improve the integrity of the Workstation installation and improve compatibility with future macOS updates.
Chef Workstation 0.14.16
https://packages.chef.io/release-notes/chef-workstation/0.14.16.mdWorkstation App on Windows
The Chef Workstation App is now installed by default on Windows and is no longer considered experimental. If you would like to run this application at boot to ensure your system stays up to date, you can select this option during the installation.
Smaller Size
We continue to optimize the size of the Chef Workstation package with this release taking up 9% less space on disk and containing nearly 5,000 fewer files.
Updated Components
chef-vault
The chef-vault gem has been updated to 4.0.1. This release includes bug fixes from @MarkGibbons and @jeremy-clerc as well as a new way to update existing keys to sparse-mode by running knife vault update --keys_mode sparse
thanks to @jeunito.
knife-ec2
knife-ec2 has been updated to 1.0.26 with multiple bug fixes for provisioning new systems in EC2.
kitchen-ec2
kitchen-ec2 has been updated to 3.3.0. This new version improves how we search for security groups by tags, improves the logic that detects usage of the chef Test Kitchen provisioner, and improves security group and spot instance logic. Thanks @slapvanilla and @bdwyertech for these enhancements.
Cookstyle 5.19
Cookstyle has been updated from 5.16 to 5.19. This new release contains 7 new Chef Cops and a large number of detection and autocorrection improvements for existing cops:
ChefRedundantCode/GroupingMetadata
The ChefRedundantCode/GroupingMetadata
cop removes the legacy grouping
metadata from the metadata.rb file. This metadata was never consumed by any Chef Infra services and does not need to be defined.
ChefStyle/OverlyComplexSupportsDependsMetadata
The ChefStyle/OverlyComplexSupportsDependsMetadata
cop cleans up overly complex methods of declaring supports
or depends
metadata via an array. This rule will detect and correct the array or each form of declaring this metadata when there are fewer than three items.
Overly complex metadata:
%w(windows apt).each |cb|
depends cb
end
Simpler form:
depends 'apt'
depends 'windows'
ChefModernize/ResourceForcingCompileTime
The ChefModernize/ResourceForcingCompileTime cop detects hostname, build_essential, chef_gem, and ohai_hint resources that are being set to run at compile-time by forcing an action on the resource block. These resources include compile-time properties which should be set to force the resources to run at compile-time.
ChefModernize/ExecuteSysctl
The ChefModernize/ExecuteSysctl detects the usage of execute to load sysctl values. Chef Infra Client 14.0+ includes the sysctl resource which should be used to idempotently add or remove sysctl values without the need for chaining file and execute resources.
ChefModernize/DslIncludeInResource
The ChefModernize/DslIncludeInResource cop detects resources and providers that include either the Chef::DSL::Recipe or Chef::DSL::IncludeRecipe classes. Starting with Chef Infra Client 12.4+, this is done automatically for each resource and provider.
ChefRedundantCode/AptRepositoryNotifiesAptUpdate
The ChefRedundantCode/AptRepositoryNotifiesAptUpdate cop detects apt_repository resources that notify an execute resource to run apt-get update. Updating apt cache is performed automatically when the apt_repository makes any updates to the repository config and doesn’t need to be performed again afterward.
ChefRedundantCode/AptRepositoryDistributionDefault
The ChefRedundantCode/AptRepositoryDistributionDefault cop detects apt_repository resources that set the distribution property to node[’lsb’][‘codename’] which is the default and does not need to be set in cookbook code.
Security Updates
OpenSSL
OpenSSL has been updated to 1.0.2u to resolve CVE-2019-1551
Git
The embedded git client has been updated to 2.24.1 to resolve the following CVEs:
- CVE-2019-1348
- CVE-2019-1349
- CVE-2019-1350
- CVE-2019-1351
- CVE-2019-1352
- CVE-2019-1353
- CVE-2019-1354
- CVE-2019-1387
- CVE-2019-19604
Chef Workstation 0.13.35
https://packages.chef.io/release-notes/chef-workstation/0.13.35.mdPerformance Improvements
This release of Chef Workstation ships with several optimizations to our Ruby installation to improve the performance of loading the various commands bundled with Workstation. These improvements are particularly noticeable on non-SSD hosts and on Windows.
Updated Components
Chef Infra Client 15.6.10
Chef Infra Client has been updated to 15.6.10 which includes multiple resource fixes and optimizations.
Cookstyle 5.16
Cookstyle has been updated from 5.13 to 5.16 with 22 new cops, improvements to existing cops, a new TargetChefVersion config option, and expanded cop departments.
TargetChefVersion Config
Cookstyle now includes a new top-level configuration option TargetChefVersion
. This new configuration option works similarly to RuboCop’s TargetRubyVersion
config option and allows you to specify a Chef Infra version that you want to target in your Cookstyle analysis. This prevents Cookstyle from autocorrecting cookbook code in a way that would make your cookbook incompatible with your desired Chef Infra Client version. It also makes it easier to perform staged upgrades of the Chef Infra Client by allowing you to step the TargetChefVersion
one major version at a time.
Example .rubocop.yml config specifying a TargetChefVersion of 14.0:
AllCops:
TargetChefVersion: 14.0
New ChefSharing and ChefRedundantCode Departments
Cookstyle now includes two new Chef cop departments with a large number of existing cops moved into these more appropriate departments. Our goal is to have clearly defined cop departments that can be enabled or disabled to detect particular conditions in your cookbooks. Cops in the new ChefSharing department are focused around sharing cookbooks internally or on the public Supermarket. This includes things like ensuring proper license strings and complete metadata. Cops in the ChefRedundantCode category detect and correct unnecessary cookbook code. Anything detected by ChefRedundantCode cops can be removed regardless of the Chef Infra Client release you run in your infrastructure, so these are always safe to run.
With the addition of these new departments, we’ve moved many cops out of the ChefCorrectness department. Going forward only cops that detect code that may fail a Chef Infra Client run or cause it to behave incorrectly will be included in this category. We hope that ChefCorrectness along with ChefDeprecations are used in most cookbook CI pipelines.
kitchen-azurerm
kitchen-azurerm has been updated from 0.14.9 to 0.15.0 with the following improvements:
- Enable the WinRM HTTP listener by default. Thanks @sean-nixon
- Allow overriding the
subscription_id
by setting theAZURE_SUBSCRIPTION_ID
ENV variable - Add a new
nic_name
config. Thanks @libertymutual - Support for creating VM with Azure KeyVault certificate. Thanks @javgallegos
kitchen-dokken
kitchen-dokken has been updated to 2.8.1 which fixes a bug that prevented ENV vars from being passed into containers.
kitchen-google and knife-google
kitchen-google and knife-google plugins have been updated to allow the updated google-api-client SDK v0.34.
knife-ec2
knife-ec2 has been updated from 1.0.17 to 1.0.21 with the following fixes:
- Resolved a missing credential error when using aws-profile.
- Mask AWS access keys data in any error or debug logs.
- Raises an error if password length is less than 8 characters on Windows and will stop warning on passwords over 14 characters.
knife-tidy
knife-tidy has been updated from 2.0.1 to 2.0.6 to resolve issues if an org was named cookbooks
and to improve error messages.
mixlib-install
mixlib-install has been updated from 3.11.21 to 3.11.24, which properly identifies Windows 2019 hosts.
Chef Workstation 0.12.20
https://packages.chef.io/release-notes/chef-workstation/0.12.20.mdUpdated Components
Chef Infra Client
The Chef Infra Client has been updated from 15.4.45 to 15.5.16 with updated helpers, Chefignore improvements, and a new chef_sleep resource:
New Cookbook Helpers
Chef Infra Client now includes a new chef-utils
gem which ships with a large number of helpers to make writing cookbooks easier. Many of these helpers existed previously in the chef-sugar
gem. We have renamed many of the named helpers for consistency while providing backwards compatibility with existing chef-sugar
names. Existing cookbooks written with chef-sugar
should work unmodified with any of these new helpers. Expect a Cookstyle rule in the near future to help you update existing chef-sugar
code to use the newer built-in helpers.
For more information on all of the new helpers available, see the chef-utils readme
Chefignore Improvements
We’ve reworked how chefignore files are handled in knife
which has allowed us to close out a large number of long outstanding bugs. knife
will now traverse all the way up the directory structure looking for a chefignore file. This means you can place a chefignore file in each cookbook or any parent directory in your repository structure. Additionally, we have made fixes that ensure that commands like knife diff
and knife cookbook upload
always honor your chefignore files.
chef_sleep Resource
The new chef_sleep
resource can be used to sleep for a specified number of seconds during a Chef Infra Client run. This may be helpful to use with other commands that return a completed status before they are actually ready. In general, do not use this resource unless you truly need it.
Using with a Windows service that starts, but is not immediately ready:
service 'Service that is slow to start and reports as started' do
service_name 'my_database'
action :start
notifies :sleep, chef_sleep['wait for service start']
end
chef_sleep 'wait for service start' do
seconds 30
action :nothing
end
Cookstyle
The Cookstyle cookbook linter has been updated from 5.10 to 5.13 and includes 17 new Chef cops for detecting deprecated and outdated cookbook code. This release also updates the underlying RuboCop engine used by Cookstyle which includes a large number of bug fixes that better detect violations and prevent false positives. See the Cookstyle Release Notes for a complete list of changes between 5.10 and 5.13.
This new release also allows you to use cookstyle
specific comments in your cookbook code to enable or disable cops instead of the standard rubocop
comments. We think that it will be easier to understand the cops that you intend to control if you use cookstyle
comments. You can continue to use the existing rubocop
comments, if you prefer them, since both types of comments will be honored by Cookstyle.
Rubocop comment to disable a cop:
'node.normal[:foo] # rubocop: disable ChefCorrectness/Bar'
Cookstyle comment to disable a cop:
'node.normal[:foo] # cookstyle: disable ChefCorrectness/Bar'
Foodcritic
Foodcritic has been updated from 16.1.1 to 16.2.0. This release includes a fix for detecting incorrect notification actions and ships with updated Chef Infra Client Metadata. Keep in mind that Foodcritic is no longer being actively developed and users should migrate to Cookstyle instead.
Chef InSpec
Chef InSpec has been updated from 4.18.0 to 4.18.39. This release includes a large number of bug fixes to resources:
- The
service
resource now includes astartname
property for Windows and systemd services. - The
nginx
resource now includes parsing support for wildcard, dot prefix, and regex. - The
iis_app_pool
resource now handles empty app pools. - The
filesystem
resource now supports devices with very long names. - The
apt
better handles URIs and supports repos with anarch
. - The
oracledb_session
has received multiple fixes to make it work better.
knife-ec2
The knife-ec2
plugin has been updated from 1.0.16 to 1.0.17 which includes a fix for an error when launching non-T2 type instances.
Performance Improvements
This release of Chef Workstation ships with several optimizations to our Ruby installation that improve the performance of the included commands, especially on Windows systems. Expect to see more here in future releases.
Smaller Installation Size
We’ve continued to optimize Chef Workstation to reduce the install size. Chef Workstation 0.12 has ~5% fewer files than the 0.11 release. Stay tuned for further optimizations of our install footprint in the coming months.
Chef Workstation 0.11.21
https://packages.chef.io/release-notes/chef-workstation/0.11.21.mdTwo Important Regression Fixes:
- Fixes Test Kitchen, which once again works with Policyfiles on Windows.
- Fixes Chef CLI commands, so once again commands with user input such as
chef exec
or license acceptance succeed.
Notable Updates
- The Workstation menu bar application supports dark mode on macOS.
- The Workstation install size is now ~4% smaller! More improvements to come!
New Components
mdl
Chef Workstation includes the mdl command line tool for linting markdown.
Updated Components
Cookstyle
We updated Cookstyle to 5.10.13, which includes 11 new Chef cops for detecting deprecated code and refactoring some legacy Heavy Weight Resource Providers (HWRPs).
Fauxhai-ng
We updated Fauxhai-ng to 7.5.1, which fixes missing platform_family
data in the opensuse-15
data file.
Test Kitchen
We updated Test Kitchen has to 2.3.4, which includes more robust code for finding the Chef binary on Windows and also improves some logging messages.
kitchen-inspec
We updated the kitchen-inspec plugin to 1.3.1, which allows relative paths in the GIT fetcher and resolves failures when using inputs.
Security Updates
libxlst was updated from 1.1.30 to 1.1.34 to resolve these vulnerabilities:
Chef Workstation 0.10.41
https://packages.chef.io/release-notes/chef-workstation/0.10.41.mdUpdated Components
Updated Chef Command Line
This release lays the ground work for massive speed improvements to the chef command. A new native binary chef command will allow us to slowly replace code with significantly faster native code. Stay tuned for more announcements in the coming months.
Chef Infra Client
Chef Infra Client has been updated from 15.3 to 15.4 with updated resources and several significant fixes to knife bootstrap
. See the Chef Infra Client 15.4 Release Notes for a complete list of the new and improved functionality.
Chef InSpec
Chef InSpec has been updated from 4.16 to 4.18 with the following changes:
New Features
- We have released our beta Chef InSpec plug-in for HashiCorp Vault. Check it out in our inspec-vault GitHub repo and let us know what you think – or better yet, start jumping in and contributing with us on it.
- Waivers, our new beta feature, was added to Chef InSpec! Waivers allows you to better manage compliance failures. We would love to hear your feedback on this! See the InSpec Waivers documentation for more details.
Improvements
- The
interface
resource now has a name property. - Expanded
user
resource to include the passwordage, maxbadpasswords, and badpasswordattempts properties with Windows. - The
sys_info
resource now supports ip_address, fqdn, domain, and short options when giving a version of the hostname. - Sped up initial load/response time for all commands by removing pre-leading of resources on invocation of inspec.
- If an error occurs when using the
json
resource with a command source, you will now get the error message from STDERR returned in the report. - We improved the formatting of the usage help, so what you see when you type
inspec exec --help
should look better!
Cookstyle
Cookstyle has been updated from 5.6.2 to 5.9.3, which includes 13 new Chef cops, improved detection in existing cops, and improved autocorrection. See the Cookstyle 5.7, 5.8, and 5.9 release notes for additional information on the new cops.
knife-google
knife-google was updated from 3.3.7 to 4.2.0 with support for bootstrapping nodes with Chef Infra Client 15 and adding multiple local SSD interfaces to a new instance.
knife-vsphere
knife-vsphere was updated from 4.0.1 to 4.0.3, which resolves a bug in determining the state of instances.
knife-vcenter
knife-vcenter was updated from 2.0.3 to 2.0.6 to fix vm clone operations.
kitchen-digitalocean
kitchen-digital has been updated from 0.10.4 to 0.10.5 to add Debian-10 and FreeBSD-12 image aliases.
Security Updates
Ruby
Ruby has been updated from 2.6.4 to 2.6.5 in order to resolve the following CVEs:
- CVE-2019-16255: A code injection vulnerability of Shell#[] and Shell#test
- CVE-2019-16254: HTTP response splitting in WEBrick (Additional fix)
- CVE-2019-15845: A NUL injection vulnerability of File.fnmatch and File.fnmatch?
- CVE-2019-16201: Regular Expression Denial of Service vulnerability of WEBrick’s Digest access authentication
Chef Workstation 0.9.42
https://packages.chef.io/release-notes/chef-workstation/0.9.42.mdNew Software
kitchen-vcenter
We now include the kitchen-vcenter
plugin for Test Kitchen. This is the official Chef Test Kitchen plugin for the VMware REST API. This plugin gives Test Kitchen the ability to create, bootstrap, and test VMware vms.
knife-azure
We now include the knife-azure
plugin for Knife. This plugin is used to create, delete, and enumerate Microsoft Azure resources to be managed by Chef.
knife-vcenter
We now include the knife-vcenter
plugin for Knife. This is the official Chef Knife plugin for the VMware REST API. This plugin gives Knife the ability to create, bootstrap, and manage VMware vms.
Software Updates
chef
CLI
The chef -v
command has been updated to run much faster. Yay!
Chef Infra Client
Chef Infra Client has been updated from 15.2 to 15.3 with updated resources, a new way to write streamlined custom resources, and updated platform support! See the Chef Infra Client 15.3 Release Notes for a complete list of the new and improved functionality.
Chef InSpec
Chef InSpec has been updated from 4.10.4 to 4.16.0 with the following changes:
- A new
postfix_conf
has been added for inspecting Postfix configuration files. - A new
plugins
section has been added to the InSpec configuration file which can be used to pass secrets or other configurations into Chef InSpec plugins. - The
service
resource now includes a newstartname
property for determining which user is starting the Windows services. - The
groups
resource now properly gathers membership information on macOS hosts.
See the Chef InSpec 4.16.0 Release Notes for more information.
Chef Workstation App
Chef Workstation App has been updated with the following changes:
- Updated all dialog windows to match the Chef design.
- Removed the menu (file, edit, etc.) from Windows to match the style guide.
- Fixed the About Chef Workstation Page links (Package Details, License Agreement, and Release Notes).
- Fixed the update interval so it automatically notifies about new releases.
- Fixed the “Switch To Channel” button.
Cookstyle
Cookstyle has been updated from 5.1.19 to 5.6.2. This update brings the total number of Chef cops to 94 and divides the cops into four separate departments. The new departments make it easier to search for specific cops and to enable and disable groups of cops. Instead of just “Chef”, we now have the following departments:
ChefDeprecations
: Cops that detect (and in many cases correct) deprecations that will prevent cookbooks from running on modern versions of Chef Infra Client.ChefStyle
: Cops that will help you improve the format and readability of your cookbooks.ChefModernize
: Cops that will help you modernize your cookbooks by including features introduced in new releases of Chef Infra Client.ChefEffortless
: Cops that will help you migrate your cookbooks to the Effortless pattern. These are disabled by default.
You can run cookstyle with just a single department:
cookstyle --only ChefDeprecations
You can also exclude a specific department from the command line:
cookstyle --except ChefStyle
You can also disable a specific department by adding the following to your .rubocop.yml config:
ChefStyle:
Enabled: false
See the Cookstyle cops documentation for a complete list of cops included in Cookstyle 5.6.
Going forward, Cookstyle will be our sole Ruby and Chef Infra cookbook linting tool. With the release of Cookstyle 5.6, we’re officially deprecating Foodcritic and will not be shipping Foodcritic in the next major release of Chef Workstation (April 2020). See our Goodbye, Foodcritic blog post for more information on why Cookstyle is replacing Foodcritic.
kitchen-ec2
kitchen-ec2
has been updated from 3.1.0 to 3.2.0. This adds support for Windows Server 2019 and adds the ability to look up security group by subnet_filter
in addition to subnet_id
.
kitchen-inspec
kitchen-inspec
has been updated from 1.1.0 to 1.2.0. This renames the attrs
key to input_files
and attributes
key to inputs
to match InSpec 4. The old names are still supported but issue a warning.
knife-ec2
knife-ec2
has been updated from 1.0.12 to 1.0.16. This resolves the following issues:
- Fix argument error for –platform option #609 (dheerajd-msys)
- Fix for Generate temporary keypair when none is supplied #608 (kapilchouhan99)
- Color code fixes in json format output of knife ec2 server list #606 (dheerajd-msys)
- Allow instances to be provisioned with source/dest checks disabled #605 (kapilchouhan99)
Test Kitchen
Test Kitchen has been updated from 2.2.5 to 2.3.2 with the following changes:
- Add
keepalive_maxcount
setting for better control of ssh connection timeouts. - Add
lifecycle_hooks
information tokitchen diagnose
output.
knife-google
The knife-google plugin has been updated to 4.1.0 with support for bootstrapping Chef Infra Client 15 and also includes a new knife google image list command
which lists project and public images.
For example knife google image list --gce_project "chef-msys"
:
NAME PROJECT FAMILY DISK SIZE STATUS
kpl-w-image chef-msys windows 60 GB READY
centos-6-v20190916 centos-cloud centos-6 10 GB READY
centos-7-v20190916 centos-cloud centos-7 10 GB READY
coreos-alpha-2261-0-0-v20190911 coreos-cloud coreos-alpha 9 GB READY
coreos-beta-2247-2-0-v20190911 coreos-cloud coreos-beta 9 GB READY
....
....
....
Security Updates
Git
Git has been updated from 2.20.0 to 2.23.0 on Windows and from 2.14.1 to 2.23.0 on non-Windows systems. This brings the latest git workflows to our users who do not have it installed another way and fixes two CVEs:
- non-Windows systems: CVE-2017-14867
- Windows systems: CVE-2019-1211
Nokogiri
Nokogiri has been updated from 1.10.2 to 1.10.4 in order to resolve CVE-2019-5477
OpenSSL
OpenSSL has been updated from 1.0.2s to 1.0.2t in order to resolve CVE-2019-1563 and CVE-2019-1547.
Ruby
Ruby has been updated from 2.6.3 to 2.6.4 in order to resolve CVE-2012-6708 and CVE-2015-9251.
Removals
chef verify
Removed the chef verify
subcommand. This command has been deprecated with a warning for a long time and should not have been used by users. It is an internal command used to test the components included in Chef Workstation. Instead, we extracted it to scripts run by our CI system, which is where it should have been the whole time.
Platform Support Updates
macOS 10.15 Support
Chef Workstation is now validated against macOS 10.15 (Catalina). Additionally, Chef Workstation will no longer be validated against macOS 10.12.
Chef Workstation 0.8.7
https://packages.chef.io/release-notes/chef-workstation/0.8.7.mdChef Infra Client
Chef Infra Client has been updated from 15.1 to 15.2 with new and improved resources and support for RHEL 8. See the Chef Infra Client 15.2 Release Notes for a complete list of new and improved functionality.
Chef InSpec
Chef InSpec has been updated from 4.7.3 to 4.10.4 with the following changes:
- Fixed handling multiple triggers in the
windows_task
resource - Fixed exceptions when resources are used with incompatible transports
- Un-deprecated the
be_running
matcher on theservice
resource - Added
sys_info.manufacturer
andsys_info.model
resources - Added
ip6tables
resource
Cookstyle
Cookstyle has been updated from 5.0 to 5.1.19 with twenty-four new Chef specific cops to detect, and in many cases, to auto-correct errors in your cookbook code. With the release of Cookstyle 5.1, we have started the process of replacing Foodcritic with Cookstyle. Cookstyle offers a modern configuration system, auto-correction, and a faster and more reliable engine thanks to RuboCop. We will continue to port useful rules from Foodcritic to Cookstyle, as well as add rules that were not possible in the legacy Foodcritic engine. See the Cookstyle 5.1 Release Notes for a complete list of new rules.
kitchen-azurerm
kitchen-azurerm has been updated from 0.14.8 to 0.14.9, which adds a new use_ephemeral_osdisk
configuration option. See Microsoft’s Empheral OS Disk Announcement for more information on this new feature.
kitchen-ec2
kitchen-ec2 has been updated from 3.0.1 to 3.1.0 with several new features:
- Added support for SSH through Session Manager. Thanks @awiddersheim
- Adds support for searching for multiple security groups, as well as searching by group name. Thanks @bdwyertech
- Allows asking for multiple instance types and subnets for spot pricing. Thanks @vmiszczak-teads
kitchen-vagrant
kitchen-vagrant has been updated from 1.5.2. to 1.6.0. This new version properly truncates the instance name to avoid hitting the 100 character limit in Hyper-V, and also updates the hostname length limit on Windows from 12 characters to 15 characters. Thanks @Xorima and @PowerSchill.
knife-ec2
knife-ec2 has beeen updated from 1.0.8 to 1.0.12. This new version includes multiple fixes for network configuration setup, a new --cpu-credits
option for launching T2/T3 instances as unlimited, and fixes for issues with attaching emphemeral disks.
Chef Workstation 0.7.4
https://packages.chef.io/release-notes/chef-workstation/0.7.4.mdBug Fixes
- 404, in which
inspec
was failing to load due to gem conflicts.
Chef Workstation 0.6.2
https://packages.chef.io/release-notes/chef-workstation/0.6.2.mdBug Fixes
- Rubygems has been rolled back to 3.0.3 to resolve duplicate bundler gems that shipped in ChefDK 4.1.7. This resulted in warning messages when running commands as well as performance degradations.
- Fixed ‘chef install foo.lock.json’ errors when loading cookbooks from Artifactory.
Red Hat 8 Support
Chef Workstation builds are now validated for Red Hat 8. Red Hat 8 builds are now listed on downloads.chef.io and our Omnitruck API
Updated Components
knife-ec2 1.0.8
Knife-ec2 has been updated to 1.0.8. This release removes previously deprecated bootstrap command-line options that were removed from Chef Infra Client 15.
knife-vsphere 3.0.1
Knife-vsphere has been updated to 3.0.1 to resolve Ruby warnings that occured when running some commmands.
Fauxhai 7.4.0
Fauxhai has been updated to 7.4.0, which adds additional platforms for use with ChefSpec testing.
- Updated
suse
15 from 15.0 to 15.1 - Added a new
redhat
8 definition to replace the 8.0 definition, which is now deprecated - Updated all
amazon
andubuntu
releases to Chef 15.1 - Added
debian
10 and 9.9
Chef InSpec 4.7.3
Chef InSpec has been updated to 4.7.3, which adds a new ip6tables
resource and includes new aws-sdk
gems that are necessary for the Chef InSpec AWS Resource Pack.
Security Fixes
The lodash
package in the Workstation menu bar application has been updated to 4.17.14
to resolve CVE-2018-16487
Chef Workstation 0.5.1
https://packages.chef.io/release-notes/chef-workstation/0.5.1.mdUpdated Components
Chef Infra Client 15.1
Chef Infra Client has been updated to 15.1 with new and improved resources, improvements to target mode, bootstrap bug fixes, new Ohai detection on VirtualBox hosts, and more. See the Chef Infra Client 15.1 Release Notes for a complete list of new and improved functionality.
Chef InSpec 4.6.9
Chef InSpec has been updated from 4.3.2 to 4.6.9 with the following changes:
- InSpec
Attributes
have now been renamed toInputs
to avoid confusion with Chef Infra attributes. - A new InSpec plugin type of
Input
has been added for defining new input types. See the InSpec Plugins documentation for more information on writing these plugins. - InSpec no longer prints errors to the stdout when passing
--format json
. - When fetching profiles from GitHub, the URL can now include periods.
- The performance of InSpec startup has been improved.
Cookstyle 5.0.0
Cookstyle has been updated to 5.0.0 with a large number of bugfixes and major improvements that lay the groundwork for future autocorrecting of cookobook style and deprecation warnings.
The RuboCop engine that powers Cookstyle has been updated from 0.62 to 0.72, which includes several hundred bugfixes to the codebase. Due to some of these bugfixes, existing cookbooks may fail when using Cookstyle 5.0. Additionally, some cops have had their names changed and the Rubocop Performance cops have been removed. If you disabled individual cops in your .rubocop.yml file, this may require you to update your confg.
This new release also merges in code from the rubocop-chef
project, providing new alerting and autocorrecting capabilities specific to Chef Infra Cookbooks. Thank you @coderanger for your work in the rubocop-chef project and @chrishenry for helping with new cops.
Foodcritic 16.1.1
Foodcritic has been updated from 16.0.0 to 16.1.1 with new rules and support for the latest Chef:
- Updated Chef Infra Client metadata for 15.1 to include the new
chocolatey_feature
resources, as well as new properties in thelaunchd
andchocolatey_source
resources - Added new rule to detect large files shipped in a cookbook:
FC123: Content of a cookbook file is larger than 1MB
. Thanks @mattray - Allowed configuring the size of the AST cache with a new
--ast-cache-size
command line option. Thanks @Babar
ChefSpec 7.4.0
ChefSpec has been updated to 7.4 with better support stubbing commands, and a new policyfile_path
configuration option for specifying the path to the PolicyFile.
kitchen-dokken 2.7.0
kitchen-dokken has been updated to 2.7.0 with new options for controlling how containers are setup and pulled. You can now disable user namespace mode when running privileged containers with a new userns_host
config option. There is also a new option pull_chef_image
(true/false) to control force-pulling the chef image on each run to check for newer images. This option now defaults to true
so that testing on latest and current always actually mean latest and current. See the kitchen-digitalocean readme for kitchen.yml
config examples.
kitchen-digitalocean 0.10.4
kitchen-digitalocean has been updated to 0.10.4 with support for new distros and additional configuration options for instance setup. You can now control the default DigitalOcean region systems that are spun up by using a new DIGITALOCEAN_REGION
env var. You can still modify the region in the driver section of your kitchen.yml
file if you’d like, and the default region of nyc1
has not changed. This release also adds slug support for fedora-29
, fedora-30
, and ubuntu-19
. Finally, if you’d like to monitor your test instances, the new monitoring
configuration option in the kitchen.yml
driver section allows enabling DigitalOcean’s instance monitoring. See the kitchen-dokken readme for kitchen.yml
config examples.
knife-vsphere 3.0.0
knife-vsphere has been updated to 3.0. This new version adds support for specifying the bootstrap_template
when creating new VMs. This release also improves how the plugin finds VM hosts, in order to support hosts in nested directories.
knife-ec2 1.0.7
knife-ec2 has received a near-complete rewrite with this release of Chef Workstation. The new knife-ec2 release switches the underlying library used to communicate with AWS from fog-aws
to Amazon’s own aws-sdk
. The official AWS SDK has greatly improved support for the many AWS authentication methods available to users. It also has support for all of the latest AWS regions and instance types. As part of this switch to the new SDK we did have to remove the knife ec2 flavor list
command as this used hard coded values from fog-aws and not AWS API calls. The good news is, we were able to add several new commands to the plugin. This makes provisioning systems in AWS even easier.
knife ec2 vpc list
This command lists all VPCs in your environment including the ID, which you need when provisioning new systems into a specific VPC.
$ knife ec2 vpc list
ID State CIDR Block Instance Tenancy DHCP Options ID Default VPC?
vpc-b1bc8d9d available 10.0.0.0/16 default dopt-1d78412a No
vpc-daafd931 available 172.0.0.0/16 default dopt-1d78412a Yes
knife ec2 eni list
This command lists all ENIs in your environment including the ID, which you need when adding the ENI to a newly provisioned instance.
$ knife ec2 eni list
ID Status AZ Public IP Private IPs IPv6 IPs Subnet ID VPC ID
eni-0123f25ae7805b651 in-use us-west-2a 63.192.209.236 10.0.0.204 subnet-4ef3b123 vpc-b1bc8d9d
eni-2451c913 in-use us-west-2a 137.150.209.123 10.0.0.245 subnet-4ef3b123 vpc-b1bc8d9d
knife ec2 securitygroup list
This command lists all security groups in your environment including the ID, which you need when assigning a newly provisioned instance a group.
$knife ec2 securitygroup list
ID Name VPC ID
sg-12332d875a4a123d6 not-today-hackers vpc-dbbf59a2
sg-123708ab12388cac5 open-to-the-world vpc-dbbf59a2
knife ec2 subnet list
This command lists all subnets in your environment including the ID, which you need when placing a newly provisioned instance in a subnet.
$ knife ec2 subnet list
ID State CIDR Block AZ Available IPs AZ Default? Maps Public IP? VPC ID
subnet-bd2333a9 available 172.31.0.0/20 us-west-2b 4091 Yes Yes vpc-b1bc8d9d
subnet-ba1135c9 available 172.31.16.0/20 us-west-2a 4091 Yes Yes vpc-b1bc8d9d
End of Ubuntu 14.04 support
Ubuntu 14.04 entered the end-of-life phase April 30, 2019. Since this version of Ubuntu is now end-of-life, we have stopped building packages for Ubuntu 14.04. If you rely on Ubuntu 14.04 in your environment, we highly recommend upgrading your host to Ubuntu 16.04 or 18.04.
Security Updates
curl 7.65.1
- CVE-2019-5435: Integer overflows in curl_url_set
- CVE-2019-5436: tftp: use the current blksize for recvfrom()
- CVE-2018-16890: NTLM type-2 out-of-bounds buffer read
- CVE-2019-3822: NTLMv2 type-3 header stack buffer overflow
- CVE-2019-3823: SMTP end-of-response out-of-bounds read
- CVE-2019-5443: Windows OpenSSL engine code injection
cacerts 5-11-2019 release
- Our
cacert
bundle has been updated to the 5-11-2019 bundle, which adds four additional CAs.
Chef Workstation 0.4.2
https://packages.chef.io/release-notes/chef-workstation/0.4.2.mdBug Fixes
- Resolved a regression in Chef Workstation 0.4.1 where the binaries for chef-client and inspec were not available on the command line
Chef Workstation 0.4.1
https://packages.chef.io/release-notes/chef-workstation/0.4.1.mdBreaking Changes
Chef EULA
Usage of Chef Workstation 0.4, Chef Infra Client 15, and InSpec 4 requires accepting the Chef EULA. See the frequently asked questions for information about the license update and the associated business model change.
Chef Provisioning
Chef Provisioning is no longer included with Chef Workstation, and will be officially end of life on August 31, 2019. The source code of Chef Provisioning and the drivers have been moved into the chef-boneyard GitHub organization and will not be further maintained. Current users of Chef Provisioning should contact your Chef Customer Success Manager or Account Representative to review your options.
knife bootstrap
against cloud providers
knife bootstrap
was rewritten in Chef Infra Client 15.
The knife-*
cloud providers need to be updated to use this new API.
As of Chef Workstation 0.4, knife bootstrap
functionality against the cloud providers will be broken.
We will fix this ASAP in a Chef Workstation 0.5 release.
The only gem not affected is the knife-windows
gem.
It has already been re-written to leverage the new bootstrap library.
Affected gems:
knife-ec2
knife-google
knife-vsphere
If you leverage this functionality, please wait to update Chef Workstation until 0.5 is released with fixes for these gems.
Improved Chef Generate command
The chef generate
command has been updated to produce cookbooks and repositories that match Chef’s best practices.
chef generate repo
now generates a Chef repository with Policyfiles by default. You can revert to the previous roles / environment behavior with the--roles
flag.chef generate cookbook
now generates a cookbook with a Policyfile and no Berksfile by default. You can revert to the previous behavior with the--berks
flag.chef generate cookbook
now includes ChefSpecs that utilize the ChefSpec 7.3+ format. This is a much simpler syntax that requires less updating of specs as older platforms are deprecated.chef generate cookbook
no longer creates cookbook files with the unecessaryfrozen_string_literal: true
comments.chef generate cookbook
no longer generates a full Workflow (Delivery) build cookbook by default. A new--workflow
flag has been added to allow generating the build cookbook. This flag replaces the previously unused--delivery
flag.chef generate cookbook
now generates cookbooks with metadata requiring Chef 14 or later.chef generate cookbook --kitchen dokken
now generates a fully working kitchen-dokken config.chef generate cookbook
now generates Test Kitchen configs with theproduct_name
/product_version
method of specifying Chef Infra Client releases asrequire_chef_omnibus
will be removed in the next major Test Kitchen release.chef generate cookbook_file
no longer places the specified file in a “default” folder as these aren’t needed in Chef Infra Client 12 and later.chef generate repo
no longer outputs the full Chef Infra Client run information while generating the repository. Similar to thecookbook
command you can view this verbose output with the--verbose
flag.
Updated Components and Tools
Chef InSpec 4
Chef InSpec has been updated to 4.3.2 which includes the new InSpec AWS resource pack with 59 new AWS resources, multi-region support, and named credentials support. This release also includes support for auditing systems that use ed25519
SSH keys.
Chef Infra Client 15
Chef Infra Client has been updated to Chef 15 with 8 new resources, target mode prototype functionality, ed25519
SSH key support, and more. See the Chef Infra Client 15 Release Notes for more details.
Fauxhai 7.3
Fauxhai has been updated from 6.11 to 7.3. This removes all platforms that were previously marked as deprecated. So if you’ve noticed deprecation warnings during your ChefSpec tests, you will need to update those specs for the latest supported Faxhai platforms. This release also adds the following new platform releases for testing in ChefSpec:
- RHEL 6.10 and 8.0
- openSUSE 15.0
- CentOS 6.10
- Debian 9.8 / 9.9
- Oracle Linux 6.10, 7.5, and 7.6
Test Kitchen 2.2
Test Kitchen has been updated from 1.24 to 2.2.5. This update adds support for accepting the Chef Infra Client and Chef InSpec EULAs during testing, as well as support for newer ed25519
format SSH keys on guests. The newer release does remove support for the legacy Librarian depsolver and testing of Chef Infra Client 10/11 releases in some scenarios. See the Test Kitchen Release Notes for additional details on this release.
Kitchen-ec2 3.0
Kitchen-ec2 has been updated to 3.0, which uses the newer aws-sdk-v3
and includes a large number of improvements to the driver including improved hostname detection, backoff retries, additional security group configuration options, and more. See the kitchen-ec2 Changelog for additional details.
kitchen-dokken 2.6.9
Kitchen-dokken has been updated to 2.6.9 with a new config option pull_platform_image
, which allows you to disable pulling the platform Docker image on every Test Kitchen converge / test. This is particularly useful for local platform image testing.
kitchen.yml example:
driver:
name: dokken
pull_platform_image: false
Chef Workstation 0.3.2
https://packages.chef.io/release-notes/chef-workstation/0.3.2.mdSupport for managing Chef EULA required products
We have updated the included products to be able to manage remote installations of Chef EULA required products:
- Test Kitchen
chef-run
knife bootstrap
New Policy File Functionality
include_policy
now supports :remote
policy files. This new functionality allows you to include policy files over http. Remote policy files require remote cookbooks and install
will fail otherwise if the included policy file includes cookbooks with paths. Thanks @mattray!
Security Updates
Rubygems 2.7.9
Rubygems has been updated from 2.7.8 to 2.7.9 to resolves the following CVEs:
- CVE-2019-8320: Delete directory using symlink when decompressing tar
- CVE-2019-8321: Escape sequence injection vulnerability in verbose
- CVE-2019-8322: Escape sequence injection vulnerability in gem owner
- CVE-2019-8323: Escape sequence injection vulnerability in API response handling
- CVE-2019-8324: Installing a malicious gem may lead to arbitrary code execution
- CVE-2019-8325: Escape sequence injection vulnerability in errors
curl 7.65.0
- CVE-2019-5435: Integer overflows in curl_url_set
- CVE-2019-5436: tftp: use the current blksize for recvfrom()
- CVE-2018-16890: NTLM type-2 out-of-bounds buffer read
- CVE-2019-3822: NTLMv2 type-3 header stack buffer overflow
- CVE-2019-3823: SMTP end-of-response out-of-bounds read
Updated Components and Tools
Chef 14.12.3
ChefDK now ships with Chef 14.13.11. See Chef 14.14 release notes for more information on what’s new.
It also updates knife bootstrap
to support installing and managing Chef Infra Client 15 on remote nodes. See Accepting the Chef EULA general instructions for accepting the license (command line flag, environment variable or configured in ~/.chef/config.rb
).
InSpec 3.9.0
ChefDK now ships with InSpec 3.9.0. See InSpec 3.9.0 release details for more information on what’s new.
Ruby 2.5.5
Ruby has been updated from 2.5.3 to 2.5.5, which includes a large number of bug fixes.
###Test Kitchen 1.25
Test Kitchen has been updated to 1.25 with backports of many non-breaking Test Kitchen 2.0 features:
- Support for accepting the Chef 15 license in Test Kitchen runs. See Accepting the Chef License for usage details.
- A new –fail-fast command line flag for use with the concurency flag. With this flag set, Test Kitchen will immediatly fail when any converge fails instead of continuing to test additional instances.
- The policyfile_path config option now accepts relative paths.
- A new berksfile_path config option allows specifying Berkshelf files in non-standard locations.
- Retries are now honored when using SSH proxies
kitchen-hyperv
kitchen-hyperv has been updated to 0.5.3, which now automatically disables snapshots on the VMs and properly waits for the IP to be set.
kitchen-vagrant
kitchen-vagrant has been updated to 1.5.1, which adds support for using the new bento/amazonlinux-2 box when setting the platform to amazonlinux-2.
kitchen-ec2
kitchen-ec2 has been updated to 2.5.0 with support for Amazon Linux 2.0 image searching using the platform ‘amazon2’. This release also adds supports Windows Server 1709 and 1803 image searching.
kitchen-dokken
kitchen-dokken has been updated to 2.7.0:
- The Chef Docker image is now pulled by default so that locally cached latest or curent container versions will be compared to those available on DockerHub. See the readme for instructions on reverting to the previous behavior.
- User namespace mode can be disabled when running privileged containers with a new userns_host config option. See the readme for details.
- You can now disable pulling the platform Docker images for local platform image testing or air gapped testing. See the readme for details.
knife-vsphere
knife-vsphere has been updated to 2.1.3, which adds support for knife’s bootstrap_template
flag and removes the legacy distro
and template_file
flags.
chef-run
The Chef Apply gem has been updated to 0.2.13, which adds support for installing and managing Chef Infra Client 15 on remote nodes. See Accepting the Chef EULA general instructions for accepting the license (command line flag or environment variable). Additionally the license can be accepted in the ~/.chef-workstation/config.toml
by adding:
[chef]
chef_license = "accept"
Push Jobs Client
Push Jobs Client has been updated to 2.5.6, which includes significant optimizations and minor bug fixes.
Other updates
openssl
: 1.0.2r -> 1.0.2s (bugfix only release)cacerts
: 2019-01-23 -> 2019-05-15kitchen-vagrant
: 1.5.1 -> 1.5.2mixlib-install
: 3.11.12 -> 3.11.18ohai
: 14.8.11 -> 14.8.12
Chef Workstation 0.2.53
https://packages.chef.io/release-notes/chef-workstation/0.2.53.mdUpdated Components and Tools
ChefDK 3.8.14
Chef Workstation now ships with ChefDK 3.8.14. Those changes included in these release notes.
InSpec 3.6.6
Chef Workstation now ships with Inspec 3.6.6. See https://github.com/inspec/inspec/releases/tag/v3.6.6 for more information on what’s new.
Fauxhai 6.11.0
- Added Windows 2019 Server, Red Hat Linux 7.6, Debian 9.6, and CentOS 7.6.1804.
- Updated Windows7, 8.1, and 10, 2008 R2, 2012, 2012 R2, and 2016 to Chef 14.10.
- Update Oracle Linux 6.8/7.2/7.3/7.4 to Ohai 14.8 in EC2
- Updated the fetcher logic to be compatible with ChefSpec 7.3+. Thanks @oscar123mendoza
- Removed duplicate json data in gentoo 4.9.6
Other updates
kitchen-digitalocean
: 0.10.1 -> 0.10.2mixlib-install
: 3.11.5 -> 3.11.11delivery-cli
: 0.5.0 -> 0.5.2
Security Updates
OpenSSL
OpenSSL updated to 1.0.2r to resolve CVE-2019-1559
Chef Workstation 0.2.48
https://packages.chef.io/release-notes/chef-workstation/0.2.48.mdImprovements
Chef 14.10.9
Chef Workstation now ships with Chef 14.10.9. See https://docs.chef.io/release_notes.html for more information on what’s new.
InSpec 3.4.1
Chef Workstation now ships with Inspec 3.4.1. See https://github.com/inspec/inspec/releases/tag/v3.4.1 for more information on what’s new.
kitchen-inspec 1.0.1
Support bastion configuration in transport options.
kitchen-vagrant 1.4.0
This fixes audio for virtualbox users by disabling audio in virtualbox by default to prevent interrupting the host’s Bluetooth audio.
kitchen-azurerm 0.14.8
Support Azure Managed Identities and apply vm_tags to all resources in resource group.
Updated Components and Tools
bundler
: 1.16.1 -> 1.17.3chef-apply
: 0.2.4 -> 0.2.7kitchen-tidy
: 1.2.0 -> 2.0.0rubygems
: 2.7.6 -> 2.7.8
Deprecations
chef provision
- Chef Provisioning has been in maintenance mode since 2015 and due to the age of it’s dependencies it cannot be included in ChefDK 4 which is scheduled for an April release. Additional information on the future of Chef Provisioning will be announced in the coming weeks
Chef Workstation 0.2.43
https://packages.chef.io/release-notes/chef-workstation/0.2.43.mdNew Features
- New option:
chef generate cookbook --kitchen (dokken|vagrant)
Generate cookbooks with a specific kitchen configuration (defaults to vagrant).
Improvements
Chef 14.8.12
ChefDK now ships with Chef 14.8.12. See https://docs.chef.io/release_notes.html for more information on what’s new.
OpenSSL
OpenSSL updated to 1.0.2q to resolve:
- Microarchitecture timing vulnerability in ECC scalar multiplication (CVE-2018-5407)
- Timing vulnerability in DSA signature generation (CVE-2018-0734)
Updated Components and Tools
kitchen-ec2
: 3.0.6 -> 3.0.6inspec
: 3.0.52 -> 3.2.6test-kitchen
: 1.23.2 -> 1.24.0
Chef Workstation 0.2.41
https://packages.chef.io/release-notes/chef-workstation/0.2.41.mdBug Fixes
- Fixed internal CI scripts that automatically post release notes to discord
Chef Workstation 0.2.40
https://packages.chef.io/release-notes/chef-workstation/0.2.40.mdNew Features
- Updated Kitchen EC2 to add support for new
arm64
architecture
Bug Fixes
- If there was an issue trying to create the local policyfile bundle,
chef-run
would not exit appropriately. This has been fixed.
Chef Workstation 0.2.39
https://packages.chef.io/release-notes/chef-workstation/0.2.39.mdNew Features
Improvements
Bug Fixes
Backward Incompatibilities
Chef Workstation 0.2.35
https://packages.chef.io/release-notes/chef-workstation/0.2.35.mdThis release does not have any release notes.
Chef Workstation 0.2.29
https://packages.chef.io/release-notes/chef-workstation/0.2.29.mdChef 14.6.47
ChefDK now ships with Chef 14.6.47. See https://docs.chef.io/release_notes.html for more information on what’s new.
Smaller package size
ChefDK RPM and Debian packages are now compressed. Additionally many gems were updated to remove extraneous files that do not need to be included. The download size of packages has decreased accordingly (all measurements in megabytes):
- .deb: 108 -> 84 (22%)
- .rpm: 112 -> 86 (24%)
Platform Additions
macOS 10.14 (Mojave) is now fully tested and packages are available on downloads.chef.io.
Updated Tooling
Fauxhai
Fauxhai has been updated from 6.6.0 to version 6.9.1. This update brings in the latest mocked Ohai run data for use with ChefSpec. This release adds data for Linux Mint 19, macOS 10.14, Solaris 5.11 (11.4 release), and SLES 15. This release also deprecates the following platforms for removal April 2018: Linux Mint 18.2, Gentoo 4.9.6, All versions of ios_xr, All versions of omnios, All versions of nexus, macOS 10.10, and Solaris 5.10. See https://github.com/chefspec/fauxhai/tree/master/lib/fauxhai/platforms for a complete list of non-deprecated platform data for use with ChefSpec.
Foodcritic
Foodcritic has been updated from 14.1 to 14.3. This updates the metadata that ships with Foodcritic to provide the latest Chef 13.11 and 14.5 metadata, while removing metadata from older Chef releases. This update also removes the FC121 rule, which was causing confusion with community cookbook authors. This rule will be added back when Chef 13 goes EOL in April 2019.
InSpec 3
This release updates Inspec from 2.2.112 to 3.0.12. This is a major milestone and includes the plugin system, global attributes, enhanced skip messaging, and more. Please head over to https://www.inspec.io for a full rundown.
Kitchen AzureRM
The Kitchen AzureRM driver now supports the Shared Image Gallery.
Kitchen DigitalOcean
The Kitchen DigitalOcean driver now supports FreeBSD 10.4 and 11.2 in Kitchen configs.
Kitchen EC2
Kitchen EC2 has been updated to better support Windows systems. The auto-generated security group will now include support for RDP and the log directory will alway be created.
Kitchen Google
Kitchen Google now includes support for adding labels to instances with a new labels
config that accepts labels as a hash.
Knife Windows
Knife Windows has improved Windows detection support to identify Windows 2012r2, 2016, and 10. Additionally when bootstrapping nodes, there is now support for using the client.d directories.
Security Updates
Ruby has been updated to 2.5.3 to resolve the following vulnerabilities:
CVE-2018-16396
: Tainted flags are not propagated in Array#pack and String#unpack with some directivesCVE-2018-16395
: OpenSSL::X509::Name equality check does not work correctly
Chef Workstation 0.2.27
https://packages.chef.io/release-notes/chef-workstation/0.2.27.mdThis release does not have any release notes.
Chef Workstation 0.2.21
https://packages.chef.io/release-notes/chef-workstation/0.2.21.mdThis release does not have any release notes.
Chef Workstation 0.1.162
https://packages.chef.io/release-notes/chef-workstation/0.1.162.mdThis release does not have any release notes.
Chef Workstation 0.1.155
https://packages.chef.io/release-notes/chef-workstation/0.1.155.mdThis release does not have any release notes.
Chef Workstation 0.1.150
https://packages.chef.io/release-notes/chef-workstation/0.1.150.mdThis release does not have any release notes.
Chef Workstation 0.1.148
https://packages.chef.io/release-notes/chef-workstation/0.1.148.mdThis release does not have any release notes.
Chef Workstation 0.1.142
https://packages.chef.io/release-notes/chef-workstation/0.1.142.mdThis release does not have any release notes.
Chef Workstation 0.1.139
https://packages.chef.io/release-notes/chef-workstation/0.1.139.mdThis release does not have any release notes.
Chef Workstation 0.1.137
https://packages.chef.io/release-notes/chef-workstation/0.1.137.mdThis release does not have any release notes.
Chef Workstation 0.1.133
https://packages.chef.io/release-notes/chef-workstation/0.1.133.mdThis release does not have any release notes.
Chef Workstation 0.1.120
https://packages.chef.io/release-notes/chef-workstation/0.1.120.mdThis release does not have any release notes.
Chef Workstation 0.1.119
https://packages.chef.io/release-notes/chef-workstation/0.1.119.mdThis release does not have any release notes.