We just released Chef Client version 12.8.1 to the chef downloads site. Highlights of this release include:
Federal Information Processing Standards (FIPS) is a United States government computer security standard that specifies security requirements for cryptography. The current version of the standard is FIPS 140-2. The chef-client can be configured to allow OpenSSL to enforce FIPS-validated security during a chef-client run. This will disable cryptography in OpenSSL that is explicitly disallowed in FIPS-validated software, including certain ciphers and hashing algorithms. Any attempt to use any disallowed cryptography will cause the chef-client to throw an exception during a chef-client run.
Note:
Chef uses MD5 hashes to uniquely identify files that are stored on the Chef server. MD5 is used only to generate a unique hash identifier and is not used for any cryptographic purpose.
Notes about FIPS:
Allowing OpenSSL to enforce FIPS-validated security may be enabled by using any of the following ways:
fips
configuration setting to true
in the client.rb or knife.rb files--fips
command-line option when running any knife command or the chef-client executable--fips
command-line option when bootstrapping a node using the knife bootstrap commandThe following command-line option may be used to with a knife or chef-client executable command:
--[no-]fips
Allows OpenSSL to enforce FIPS-validated security during the chef-client run.
$ knife bootstrap 12.34.56.789 -P vanilla -x root -r 'recipe[apt],recipe[xfs],recipe[vim]' --fips
which shows something similar to:
OpenSSL FIPS 140 mode enabled ... 12.34.56.789 Chef Client finished, 12/12 resources updated in 78.942455583 seconds
The following configuration setting may be set in the knife.rb, client.rb, or config.rb files:
fips
Allows OpenSSL to enforce FIPS-validated security during the chef-client run. Set to true
to enable FIPS-validated security.
Use the launchd resource to manage system-wide services (daemons) and per-user services (agents) on the Mac OS X platform.
launchd 'call.mom.weekly' do program '/Library/scripts/call_mom.sh' start_calendar_interval 'Weekday' => 7, 'Hourly' => 10 time_out 300 end
Use the This was not included in the release as previously stated.mdadm_defaults
property to set the default values for chunk and metadata to nil
, which allows mdadm to apply its own default values.
chef-zero now supports using all Chef server API version 12 endpoints, with the exception of /universe.
OpenSSL is updated to version 1.0.1s.
Ohai will auto-detect hosts for instances that are hosted by Microsoft Azure or Amazon EC-2.
Support a ‘gem’ DSL method for cookbook metadata to create a dependency on a rubygem. The gem will be installed via chef_gem after all the cookbooks are synchronized but before any other cookbook loading is done.