Blog-L_News_2_1283x494

Chef Client 12.8.1 Release

client-release-wide

We just released Chef Client version 12.8.1 to the chef downloads site. Highlights of this release include:

Support for OpenSSL validation of FIPS

Federal Information Processing Standards (FIPS) is a United States government computer security standard that specifies security requirements for cryptography. The current version of the standard is FIPS 140-2. The chef-client can be configured to allow OpenSSL to enforce FIPS-validated security during a chef-client run. This will disable cryptography in OpenSSL that is explicitly disallowed in FIPS-validated software, including certain ciphers and hashing algorithms. Any attempt to use any disallowed cryptography will cause the chef-client to throw an exception during a chef-client run.

Note:
Chef uses MD5 hashes to uniquely identify files that are stored on the Chef server. MD5 is used only to generate a unique hash identifier and is not used for any cryptographic purpose.

Notes about FIPS:

  • May only be enabled for nodes running on Microsoft Windows and Enterprise Linux platforms
  • Should should only be enabled for environments that require FIPS 140-2 compliance
  • May not be enabled for any version of the chef-client earlier than 12.8

Enable FIPS Mode

Allowing OpenSSL to enforce FIPS-validated security may be enabled by using any of the following ways:

  • Set the fips configuration setting to true in the client.rb or knife.rb files
  • Set the --fips command-line option when running any knife command or the chef-client executable
  • Set the --fips command-line option when bootstrapping a node using the knife bootstrap command

Command Option

The following command-line option may be used to with a knife or chef-client executable command:

--[no-]fips
Allows OpenSSL to enforce FIPS-validated security during the chef-client run.

Bootstrap a node using FIPS

$ knife bootstrap 12.34.56.789 -P vanilla -x root -r 'recipe[apt],recipe[xfs],recipe[vim]' --fips

which shows something similar to:

OpenSSL FIPS 140 mode enabled
...
12.34.56.789 Chef Client finished, 12/12 resources updated in 78.942455583 seconds

Configuration Setting

The following configuration setting may be set in the knife.rb, client.rb, or config.rb files:

fips
Allows OpenSSL to enforce FIPS-validated security during the chef-client run. Set to true to enable FIPS-validated security.

New launchd resource

Use the launchd resource to manage system-wide services (daemons) and per-user services (agents) on the Mac OS X platform.

launchd 'call.mom.weekly' do
program '/Library/scripts/call_mom.sh'
start_calendar_interval 'Weekday' => 7, 'Hourly' => 10
time_out 300
end

New property for the mdadm resource

Use the mdadm_defaults property to set the default values for chunk and metadata to nil, which allows mdadm to apply its own default values. This was not included in the release as previously stated.

chef-zero support for Chef Server API endpoints

chef-zero now supports using all Chef server API version 12 endpoints, with the exception of /universe.

Updated OpenSSL Version

OpenSSL is updated to version 1.0.1s.

Ohai auto-detects hosts for Azure and EC-2 instances

Ohai will auto-detect hosts for instances that are hosted by Microsoft Azure or Amazon EC-2.

Added gem keyword to metadata.rb per RFC-060

Support a ‘gem’ DSL method for cookbook metadata to create a dependency on a rubygem. The gem will be installed via chef_gem after all the cookbooks are synchronized but before any other cookbook loading is done.

Matt Wrock

I am a software developer for Chef and much of my focus has been making Chef better on Windows. When not developing Chef code, I'm usually contributing to other projects in the Chef ecosystem. I regularly contribute to the WinRM gem and Vagrant, I am a member of the core Chocolatey team, author of Boxstarter and was an early contributor to Pester creating its Powershell Mocking functionality. I am a former Microsoft engineer and write regularly on Windows automation topics at hurryupandwait.io