The following items are new for Chef server 12:
- **Upgrades from Open Source Chef and Enterprise Chef servers to Chef
12 server** Upgrades to Chef server 12 are supported from Enterprise
Chef 11 high availability and standalone configurations and Open
Source Chef 11 standalone configurations. View the topic [Upgrade to
Chef Server 12](/upgrade_server/) for more information about
these processes.
- **chef-server.rb configuration file is created by default** Previous
versions of the Chef server did not create the chef-server.rb file
and users had to create the file first, before updates to tuneable
settings could be made.
- **Pluggable high availability architecture** Support for high
availability now provides alternatives to DRBD, including using
Amazon Web Services (AWS).
- **High availability using Amazon Web Services** Amazon Web Services
(AWS) is a supported high availability configuration option for the
Chef server. Backend data is stored on an Amazon Elastic Block Store
(EBS) volume. A passive node monitors the availability of the active
node and takes over if required.
- **Chef server replication** Chef replication provides a way to
asynchronously distribute cookbook, environment, role, and data bag
data from a single, primary Chef server to one (or more) replicas of
that Chef server.
- **New chef-server-ctl command line tool** The chef-server-ctl
command line tool is an update of the private-chef-ctl command line
tool. All of the previous functionality remains, with some new
commands added that are specific to Chef server version 12.
- **New command for installing features of the Chef server** The
`install` subcommand may be used to install Chef management console,
Chef Push Jobs, Chef replication, and Reporting.
- **New commands for managing organizations** New subcommands for the
chef-server-ctl command line tool: `org-user-add`, `org-create`,
`org-delete`, `org-user-remove`, `org-list`, and `org-show`.
- **New commands for managing users** New subcommands for the
chef-server-ctl command line tool: `user-create`, `user-delete`,
`user-edit`, `user-list`, and `user-show`.
- **New command for log files** Use the `gather-logs` command to
create a tarball of important log files and system information.
- **Solr has been upgraded to Solr 4** The search capabilities of the
Chef server now use Apache Solr 4. The config item for Apache Solr 4
has changed names from opscode-solr to opscode-solr4. Change
`/etc/opscode/chef-server.rb` accordingly.
- **CouchDB removed** CouchDB is no longer a component of the Chef
server. All data is migrated to PostgreSQL.
- **Services removed** The following services have been removed from
the Chef server: `opscode-account`, `opscode-certificate`,
`oc_authz_migrator`, `opscode-org-creator`, `orgmapper`, and
`opscode-webui`. `opscode-webui` is replaced by the Chef management
console.
- **private-chef.rb is now called chef-server.rb** The name of the
configuration file used by the Chef server has been changed. A
symlink from private-chef.rb to chef-server.rb is created during
upgrades from older versions of the Chef server.
- **New setting for the default organization name** Use the
`default_orgname` setting to ensure compatibility with Open Source
Chef version 11.
- **New settings for oc_chef_authz** The **opscode-authz** service
handles authorization requests to the Chef server.
- **Organization policy changes** Users must be removed from the
`admins` security group before they can be removed from an
organization. The chef-client is not granted **Create**, **Delete**,
or **Update** permissions to data bags when organizations are
created.
- **Administrators cannot be removed from organizations** The Chef
server requires that a member of an organization's `admins` group
cannot be removed from the organization without first being removed
from the `admins` group.
- **New settings for managing LDAP encryption** New settings that
manage LDAP encryption have been added, existing settings have been
deprecated.
- **New commands for managing keys** The following commands are new:
`add-client-key`, `add-user-key`, `delete-client-key`,
`delete-user-key`, `list-client-keys`, and `list-user-keys`. (These
are preview commands, new as-of the Chef server 12.0.3 release.)
## Upgrade to Chef server 12!
Upgrades to Chef server 12 are supported for both Enterprise Chef and
Open Source Chef users. See /server/upgrade_server.html for more
information about upgrades. If you are upgrading from Open Source Chef,
please see /server/upgrade_server_open_source_notes.html as well.
## HA using AWS
Amazon Web Services (AWS) is a supported high availability configuration
option for the Chef server.
Backend servers make use of a single Amazon Elastic Block Store (EBS)
volume.
For more information about Amazon Elastic Block Store (EBS), see
.
View the topic [High Availability: Backend
Cluster](/server/install_server_ha/) for more information about how to set
up the Chef server for high availability in Amazon Web Services (AWS).
## Chef Replication
Chef replication provides a way to asynchronously distribute cookbook,
environment, role, and data bag data from a single, primary Chef server
to one (or more) replicas of that Chef server.
**Scenarios**
Replication is configured on a per-organization and also a per-replica
basis. Each organization must be configured to synchronize with each
replica instance. Each organization may be configured to synchronize
with all, some, or none of the available replica instances.
For example, a single primary Chef server and a single replica:
![image](/images/chef_server_replication.png)
and for example, a single primary Chef server and multiple replicas:
![image](/images/chef_server_replication_many.png)
Chef replication should not be used for:
- Disaster recovery or backup/restore processes. The replication
process is read-only and cannot be changed to read-write
- Synchronizing a replica instance with another replica instance
- Node re-registration. A node may be associated only with a single
Chef server
**How Replication Works**
A daemon named **ec-syncd** runs on each of the replica instances of the
Chef server and periodically polls the primary Chef server via the
`updated_since` endpoint in the Chef server API. The **ec-syncd** daemon
requests a list of objects that have been updated since the last
successful synchronization time. If there are updates, the **ec-syncd**
daemon then pulls down the updated data from the primary Chef server to
the replica.
![image](/images/chef_server_replication_sequence.png)
View the topic Chef Replication for more
information about how to set up the Chef server for replication.
## chef-server-ctl
The command line tool for the Chef server has been renamed from
private-chef-ctl to chef-server-ctl. The same set of subcommands
available for private-chef-ctl are also available for chef-server-ctl,
but with an updated syntax:
```bash
chef-server-ctl command
```
In addition, the `install` subcommand is added, plus two new subcommand
groupings---`org-*` and `user-*`---have been added for managing
organizations and users. See below for more information about these new
subcommands.
## install Command
The `install` subcommand is used to install premium features of the Chef
server: Chef management console and chef-client run reporting, high
availability configurations, Chef Push Jobs, and Chef server
replication.
**Syntax**
This subcommand has the following syntax:
```bash
chef-server-ctl install name_of_addon (options)
```
where `name_of_addon` represents the command line value associated with
the add-on or premium feature.
**Options**
This subcommand has the following options:
`--path PATH`
: Use to specify the location of a package. This option is not
required when packages are downloaded from
.
**Use Downloads**
The `install` subcommand downloads packages from
by default. For systems that are not behind
a firewall (and have connectivity to ), these
packages can be installed as described below.
**Chef Manage**

Use Chef management console to manage data bags, attributes, run-lists,
roles, environments, and cookbooks from a web user interface.

On the Chef server, run:

```bash
sudo chef-server-ctl install chef-manage
```

then:

```bash
sudo chef-server-ctl reconfigure
```

and then:

```bash
sudo chef-manage-ctl reconfigure
```

**Note:**
Starting with Chef management console 2.3.0, the Chef MLSA must be
accepted when reconfiguring the product. If the Chef MLSA has not
already been accepted, the reconfigure process will prompt for a `yes`
to accept it. Or run `chef-manage-ctl reconfigure --accept-license` to
automatically accept the license.
**Use Local Packages**
The `install` subcommand downloads packages from
by default. For systems that are behind a
firewall (and may not have connectivity to packages.chef.io), these
packages can be downloaded from
Chef Downloads, and then installed manually.
First download the package that is appropriate for the platform, save it
to a local path, and then run the `install` command using the `--path`
option to specify the directory in which the package is located:
```bash
sudo chef-server-ctl install PACKAGE_NAME --path /path/to/package/directory
```
For example:
```bash
sudo chef-server-ctl install chef-manage --path /root/packages
```
The `chef-server-ctl` command will install the first `chef-manage`
package found in the `/root/packages` directory.
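Because `install --path` takes the first matching package it finds, a practitioner will want to control what is in that directory and verify the package before handing it over. The following shell functions are an added example and are not part of the Chef docs or of the `chef-server-ctl` tool: they check the package's SHA-256 against a digest the operator obtained from the download page (an assumed input), copy only that one file into a fresh staging directory, and then run the `install` and `reconfigure` steps. The `CTL` variable and the package file name in the usage note are assumptions of the example; `CTL` can be pointed at a stub to rehearse the sequence.

```shell
#!/bin/sh
# Added example (not from the Chef docs): verify and stage an add-on
# package before "chef-server-ctl install --path". CTL can be pointed at
# a stub to rehearse the sequence without touching a real server.
CTL="${CTL:-chef-server-ctl}"

# Print the hex SHA-256 digest of a file, using whichever tool the host has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_package FILE EXPECTED_SHA256
# Succeeds only when FILE exists and its digest equals EXPECTED_SHA256
# (the digest the operator took from Chef Downloads; assumed input).
verify_package() {
    pkg=$1 expected=$2
    [ -f "$pkg" ] || { echo "no such package: $pkg" >&2; return 1; }
    actual=$(sha256_of "$pkg")
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $pkg: expected $expected, got $actual" >&2
        return 1
    fi
}

# stage_package FILE EXPECTED_SHA256
# Copies a verified package into a fresh, otherwise empty directory and
# prints that directory, so "install --path" cannot pick up a stray
# package that happens to match the add-on name.
stage_package() {
    verify_package "$1" "$2" || return 1
    stage=$(mktemp -d) || return 1
    cp "$1" "$stage/" || return 1
    printf '%s\n' "$stage"
}

# install_addon ADDON FILE EXPECTED_SHA256
# Stages the package, installs the add-on from it, then reconfigures.
install_addon() {
    addon=$1
    stage=$(stage_package "$2" "$3") || return 1
    "$CTL" install "$addon" --path "$stage" || return 1
    "$CTL" reconfigure
}

# Usage (run as root on the Chef server; file name and digest are assumed):
#   install_addon chef-manage /root/packages/chef-manage.rpm <sha256 from Chef Downloads>
```

The staging directory is created with `mktemp -d` on every run, so the directory handed to `--path` never contains anything except the file whose digest was just checked.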
## gather-logs Command
The `gather-logs` subcommand is used to gather the Chef server log files
into a tarball that contains all of the important log files and system
information.
This subcommand has the following syntax:
```bash
chef-server-ctl gather-logs
```
## user-\* Commands
The following subcommands can be used to manage users:
### user-create
The `user-create` subcommand is used to create a user. The new user's
private key (USER.pem) is printed to `STDOUT` unless the `-f` option is
used to write it to a file. Because the password is passed as a command
line argument, it is visible in shell history and in process listings
while the command runs.
**Syntax**
This subcommand has the following syntax:
```bash
chef-server-ctl user-create USER_NAME FIRST_NAME [MIDDLE_NAME] LAST_NAME EMAIL 'PASSWORD' (options)
```
**Options**
This subcommand has the following options:
`-f FILE_NAME`, `--filename FILE_NAME`
: Write the USER.pem to a file instead of `STDOUT`.
**Examples**
```bash
chef-server-ctl user-create john_smith John Smith john_smith@example.com p@s5w0rD!
```
```bash
chef-server-ctl user-create jane_doe Jane Doe jane_doe@example.com p@s5w0rD! -f /tmp/jane_doe.key
```
```bash
chef-server-ctl user-create waldendude Henry David Thoreau waldendude@example.com excursions
```
### user-delete
The `user-delete` subcommand is used to delete a user.
**Syntax**
This subcommand has the following syntax:
```bash
chef-server-ctl user-delete USER_NAME
```
**Examples**
```bash
chef-server-ctl user-delete john_smith
```
```bash
chef-server-ctl user-delete jane_doe
```
### user-edit
The `user-edit` subcommand is used to edit the details for a user. The
data will be made available in `$EDITOR` for editing.
**Syntax**
This subcommand has the following syntax:
```bash
chef-server-ctl user-edit USER_NAME
```
**Examples**
```bash
chef-server-ctl user-edit john_smith
```
```bash
chef-server-ctl user-edit jane_doe
```
### user-list
The `user-list` subcommand is used to view a list of users.
**Syntax**
This subcommand has the following syntax:
```bash
chef-server-ctl user-list (options)
```
**Options**
This subcommand has the following options:
`-w`, `--with-uri`
: Show the corresponding URIs.
### user-show
The `user-show` subcommand is used to show the details for a user.
**Syntax**
This subcommand has the following syntax:
```bash
chef-server-ctl user-show USER_NAME (options)
```
**Options**
This subcommand has the following options:
`-l`, `--with-orgs`
: Show all organizations.
## org-\* Commands
The following subcommands can be used to manage organizations:
### org-create
The `org-create` subcommand is used to create an organization. (The
validation key for the organization is returned to `STDOUT` when
creating an organization with this command.)
**Syntax**
This subcommand has the following syntax:
```bash
chef-server-ctl org-create ORG_NAME "ORG_FULL_NAME" (options)
```
where:
- The name must begin with a lower-case letter or digit, may only
contain lower-case letters, digits, hyphens, and underscores, and
must be between 1 and 255 characters. For example: `chef`.
- The full name must begin with a non-white space character and must
be between 1 and 1023 characters. For example:
`"Chef Software, Inc."`.
**Options**
This subcommand has the following options:
`-a USER_NAME`, `--association_user USER_NAME`
: Associate a user with an organization and add them to the `admins`
and `billing_admins` security groups.
`-f FILE_NAME`, `--filename FILE_NAME`
: Write the ORGANIZATION-validator.pem to `FILE_NAME` instead of
printing it to `STDOUT`.
**Examples**
```bash
chef-server-ctl org-create prod Production
```
```bash
chef-server-ctl org-create staging Staging -a chef-admin
```
```bash
chef-server-ctl org-create dev Development -f /tmp/id-dev.key
```
### org-delete
The `org-delete` subcommand is used to delete an organization.
**Syntax**
This subcommand has the following syntax:
```bash
chef-server-ctl org-delete ORG_NAME
```
**Examples**
```bash
chef-server-ctl org-delete infra-testing-20140909
```
```bash
chef-server-ctl org-delete pedant-testing-org
```
### org-list
The `org-list` subcommand is used to list all of the organizations
currently present on the Chef server.
**Syntax**
This subcommand has the following syntax:
```bash
chef-server-ctl org-list (options)
```
**Options**
This subcommand has the following options:
`-a`, `--all-orgs`
: Show all organizations.
`-w`, `--with-uri`
: Show the corresponding URIs.
### org-show
The `org-show` subcommand is used to show the details for an
organization.
**Syntax**
This subcommand has the following syntax:
```bash
chef-server-ctl org-show ORG_NAME
```
### org-user-add
**Warning:**
Early RC candidates for the Chef server 12 release named this command
`org-associate`. This is the same command, with the exception of the
`--admin` flag, which is added to the command (along with the rename)
for the upcoming final release of Chef server 12.
The `org-user-add` subcommand is used to add a user to an organization.
**Syntax**
This subcommand has the following syntax:
```bash
chef-server-ctl org-user-add ORG_NAME USER_NAME (options)
```
**Options**
This subcommand has the following options:
`--admin`
: Add the user to the `admins` group.
**Examples**
```bash
chef-server-ctl org-user-add prod john_smith
```
```bash
chef-server-ctl org-user-add preprod testmaster
```
```bash
chef-server-ctl org-user-add dev grantmc --admin
```
### org-user-remove
**Warning:**
Early RC candidates for the Chef server 12 release named this command
`org-disociate`. This is the same command, but renamed for the upcoming
final release of Chef server 12.
The `org-user-remove` subcommand is used to remove a user from an
organization.
**Syntax**
This subcommand has the following syntax:
```bash
chef-server-ctl org-user-remove ORG_NAME USER_NAME (options)
```
**Examples**
```bash
chef-server-ctl org-user-remove prod john_smith
```
```bash
chef-server-ctl org-user-remove prod testmaster
```
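The `user-*` and `org-*` subcommands above are usually run together when onboarding a team. The following shell functions are an added example and are not part of the Chef docs or of `chef-server-ctl`: they create a user and an organization, write the generated private keys to mode 0600 files under an assumed key directory instead of letting them scroll past on `STDOUT`, take the user's password from an environment variable rather than the function's argument list, check organization names against the `org-create` rules stated above, and add users to an organization with or without `--admin`. `CTL`, `KEY_DIR` and `CHEF_USER_PASSWORD` are the example's own assumptions; `CTL` can be pointed at a stub to rehearse the sequence.

```shell
#!/bin/sh
# Added example (not from the Chef docs): onboard a user and an org with
# chef-server-ctl while keeping private keys off STDOUT and readable only
# by the invoking account. CTL, KEY_DIR and CHEF_USER_PASSWORD are
# assumptions of this example.
CTL="${CTL:-chef-server-ctl}"
KEY_DIR="${KEY_DIR:-/etc/opscode/keys}"
export LC_ALL=C   # keep the [a-z0-9] ranges below strictly ASCII

# valid_org_name NAME: the org-create naming rules, applied as a check.
valid_org_name() {
    name=$1
    [ ${#name} -ge 1 ] && [ ${#name} -le 255 ] || return 1
    case $name in
        [a-z0-9]*) ;;                 # must start with a lower-case letter or digit
        *) return 1 ;;
    esac
    case $name in
        *[!a-z0-9_-]*) return 1 ;;    # only lower-case, digits, hyphen, underscore
    esac
}

# Create KEY_DIR with owner-only access so the .pem files written into it
# are never world-readable, even briefly.
prepare_key_dir() {
    mkdir -p "$KEY_DIR" && chmod 700 "$KEY_DIR"
}

# create_user USER FIRST LAST EMAIL
# Writes USER.pem to KEY_DIR with -f instead of printing it. The password
# comes from CHEF_USER_PASSWORD so it is not in the caller's argument
# list; chef-server-ctl itself still receives it as an argument.
create_user() {
    user=$1 first=$2 last=$3 email=$4
    keyfile="$KEY_DIR/$user.pem"
    [ -n "$CHEF_USER_PASSWORD" ] || { echo "CHEF_USER_PASSWORD is not set" >&2; return 1; }
    prepare_key_dir || return 1
    (umask 077 && "$CTL" user-create "$user" "$first" "$last" "$email" "$CHEF_USER_PASSWORD" -f "$keyfile") || return 1
    [ ! -f "$keyfile" ] || chmod 600 "$keyfile"
}

# create_org ORG "FULL NAME" ADMIN_USER
# Writes ORG-validator.pem to KEY_DIR and, via -a, makes ADMIN_USER a
# member of the org's admins and billing_admins groups.
create_org() {
    org=$1 full=$2 admin=$3
    keyfile="$KEY_DIR/$org-validator.pem"
    valid_org_name "$org" || { echo "invalid organization name: $org" >&2; return 1; }
    prepare_key_dir || return 1
    (umask 077 && "$CTL" org-create "$org" "$full" -a "$admin" -f "$keyfile") || return 1
    [ ! -f "$keyfile" ] || chmod 600 "$keyfile"
}

# add_org_user ORG USER [admin]
# Adds an existing user to an org; "admin" also places them in admins.
add_org_user() {
    if [ "${3:-}" = admin ]; then
        "$CTL" org-user-add "$1" "$2" --admin
    else
        "$CTL" org-user-add "$1" "$2"
    fi
}

# Usage (as root on the Chef server; names are assumed):
#   export CHEF_USER_PASSWORD='...'
#   create_user jane_doe Jane Doe jane_doe@example.com
#   create_org prod "Production" jane_doe
#   add_org_user prod john_smith
```

The `umask 077` subshell and the trailing `chmod 600` cover both the moment the key file is created and the case where the tool creates it with broader permissions; the validator key in particular grants the ability to register new nodes and should be handled like any other credential.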
## Configuration Settings
The name of the Chef server configuration file is now chef-server.rb.
The following configuration settings are new for Chef server version 12:
`default_orgname`
: The Chef server API used by the Open Source Chef server does not have
an `/organizations/ORG_NAME` endpoint. Use this setting so that clients
migrated from Open Source Chef can continue to reach the Chef server
API. Set it to the name of the organization that was created during the
upgrade from Open Source Chef 11 to Chef server 12, which is the
`ORG_NAME` part of the `/organizations/ORG_NAME` endpoint in Chef
server 12. Default value: the name of the organization specified during
the upgrade process from Open Source Chef 11 to Chef server 12.

`postgresql['log_min_duration_statement']`
: When to log a slow PostgreSQL query statement. Possible values: `-1`
(disabled, do not log any statements), `0` (log every statement), or an
integer greater than zero, in which case the value is the time (in
milliseconds) that a statement must run before it is logged. Default
value: `-1`.
The following configuration settings have updated default values
starting with Chef server version 12:
`api_version`
: The version of the Chef server. Default value: `"12.0.0"`.
The following configuration settings are new in Chef server version
12.0.5:
`opscode_erchef['nginx_bookshelf_caching']`
: Whether Nginx is used to cache cookbooks. When `:on`, Nginx serves the
cached content instead of forwarding the request. Default value: `:off`.

`opscode_erchef['s3_url_expiry_window_size']`
: The frequency at which unique URLs are generated. This value may be a
specific amount of time, for example `15m` (fifteen minutes), or a
percentage of the value of `s3_url_ttl`, for example `10%`. Default
value: `:off`.
### oc_chef_authz
The **opscode-authz** service is used to handle authorization requests
to the Chef server.
This configuration file has the following settings for `oc_chef_authz`:
`oc_chef_authz['http_cull_interval']`
: Default value: `'{1, min}'`.
`oc_chef_authz['http_init_count']`
: Default value: `25`.
`oc_chef_authz['http_max_age']`
: Default value: `'{70, sec}'`.
`oc_chef_authz['http_max_connection_duration']`
: Default value: `'{70, sec}'`.
`oc_chef_authz['http_max_count']`
: Default value: `100`.
`oc_chef_authz['ibrowse_options']`
: The amount of time (in milliseconds) to wait for a connection to be
established. Default value: `'[{connect_timeout, 5000}]'`.
## Data Bag Policy Changes
In previous versions of the Chef server, the default permissions allowed
data bags to be updated by the chef-client during a chef-client run.
Starting with Chef server version 12, the chef-client is not granted
**Create**, **Delete**, or **Update** permissions to data bags when
organizations are created. Use the Chef management console or the
`knife-acl` plugin () to manage
permissions to data bags as required. For example:
```bash
knife acl add containers data update group clients
```
For cookbooks that create or delete data bags:
```bash
knife acl add containers data create group clients
knife acl add containers data delete group clients
```
For existing organizations that want to remove the **Create**,
**Delete**, or **Update** permissions from existing nodes:
```bash
knife acl remove containers data update group clients
knife acl remove containers data delete group clients
knife acl remove containers data create group clients
```
See this blog post for more information about the `knife-acl` plugin:
## New Settings for LDAP
The following settings are new:
`ldap['ssl_enabled']`
: Use to enable SSL. Default value: `false`. Must be `false` when
`ldap['tls_enabled']` is `true`.

`ldap['tls_enabled']`
: Use to enable TLS. When enabled, communication with the LDAP server is
done via a secure SSL connection on a dedicated port. When `true`,
`ldap['port']` is also set to `636`. Default value: `false`. Must be
`false` when `ldap['ssl_enabled']` is `true`.
**Note:**
Previous versions of the Chef server used the `ldap['ssl_enabled']`
setting to first enable SSL, and then the `ldap['encryption']` setting
to specify the encryption type. These settings are deprecated.
## Key Rotation
Use the following commands to manage public and private key rotation for
users and clients.
### add-client-key
Use the `add-client-key` subcommand to add a client key.
**Syntax**
This subcommand has the following syntax:
```bash
chef-server-ctl add-client-key ORG_NAME CLIENT_NAME [--public-key-path PATH] [--expiration-date DATE] [--key-name NAME]
```
**Warning:**
All options for this subcommand must follow all arguments.
**Options**
This subcommand has the following options:
`CLIENT_NAME`
: The name of the client that you wish to add a key for.
`-e DATE` `--expiration-date DATE`
: An ISO 8601 formatted string: `YYYY-MM-DDTHH:MM:SSZ`. For example:
`2013-12-24T21:00:00Z`. If not passed, expiration will default to
infinity.
`-k NAME` `--key-name NAME`
: String defining the name of your new key for this client. If not
passed, it will default to the fingerprint of the public key.
`ORG_NAME`
: The short name for the organization to which the client belongs.
`-p PATH` `--public-key-path PATH`
: The path to a file containing a valid PKCS#1 public key to be added.
If not passed, the server generates a new key pair and prints the
private key to STDOUT.
### add-user-key
Use the `add-user-key` subcommand to add a user key.
**Syntax**
This subcommand has the following syntax:
```bash
chef-server-ctl add-user-key USER_NAME [--public-key-path PATH] [--expiration-date DATE] [--key-name NAME]
```
**Warning:**
All options for this subcommand must follow all arguments.
**Options**
This subcommand has the following options:
`-e DATE` `--expiration-date DATE`
: An ISO 8601 formatted string: `YYYY-MM-DDTHH:MM:SSZ`. For example:
`2013-12-24T21:00:00Z`. If not passed, expiration will default to
infinity.
`-k NAME` `--key-name NAME`
: String defining the name of your new key for this user. If not
passed, it will default to the fingerprint of the public key.
`-p PATH` `--public-key-path PATH`
: The path to a file containing a valid PKCS#1 public key to be added.
If not passed, the server generates a new key pair and prints the
private key to STDOUT.
`USER_NAME`
: The user name for the user for which a key is added.
### delete-client-key
Use the `delete-client-key` subcommand to delete a client key.
**Syntax**
This subcommand has the following syntax:
```bash
chef-server-ctl delete-client-key ORG_NAME CLIENT_NAME KEY_NAME
```
**Options**
This subcommand has the following arguments:
`ORG_NAME`
: The short name for the organization to which the client belongs.
`CLIENT_NAME`
: The name of the client.
`KEY_NAME`
: The name of the key to delete.
### delete-user-key
Use the `delete-user-key` subcommand to delete a user key.
**Syntax**
This subcommand has the following syntax:
```bash
chef-server-ctl delete-user-key USER_NAME KEY_NAME
```
**Warning:**
The parameters for this subcommand must be in the order specified above.
**Options**
This subcommand has the following arguments:
`USER_NAME`
: The user name.
`KEY_NAME`
: The name of the key to delete.
### list-client-keys
Use the `list-client-keys` subcommand to list the keys for a client.
**Syntax**
This subcommand has the following syntax:
```bash
chef-server-ctl list-client-keys ORG_NAME CLIENT_NAME [--verbose]
```
**Warning:**
All options for this subcommand must follow all arguments.
**Options**
This subcommand has the following options:
`CLIENT_NAME`
: The name of the client.
`ORG_NAME`
: The short name for the organization to which the client belongs.
`--verbose`
: Use to show the full public key strings in command output.
### list-user-keys
Use the `list-user-keys` subcommand to list the keys for a user.
**Syntax**
This subcommand has the following syntax:
```bash
chef-server-ctl list-user-keys USER_NAME [--verbose]
```
**Warning:**
All options for this subcommand must follow all arguments.
**Options**
This subcommand has the following options:
`USER_NAME`
: The user name you wish to list keys for.
`--verbose`
: Use to show the full public key strings in command output.
**Example**
```bash
chef-server-ctl list-user-keys applejack
```
Returns:
```bash
2 total key(s) found for user applejack
key_name: test-key
expires_at: Infinity
public_key:
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4q9Dh+bwJSjhU/VI4Y8s
9WsbIPfpmBpoZoZVPL7V6JDfIaPUkdcSdZpynhRLhQwv9ScTFh65JwxC7wNhVspB
4bKZeW6vugNGwCyBIemMfxMlpKZQDOc5dnBiRMMOgXSIimeiFtL+NmMXnGBBHDaE
b+XXI8oCZRx5MTnzEs90mkaCRSIUlWxOUFzZvnv4jBrhWsd/yBM/h7YmVfmwVAjL
VST0QG4MnbCjNtbzToMj55NAGwSdKHCzvvpWYkd62ZOquY9f2UZKxYCX0bFPNVQM
EvBQGdNG39XYSEeF4LneYQKPHEZDdqe7TZdVE8ooU/syxlZgADtvkqEoc4zp1Im3
2wIDAQAB
-----END PUBLIC KEY-----
key_name: default
expires_at: Infinity
public_key:
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4q9Dh+bwJSjhU/VI4Y8s
9WsbIPfpmBpoZoZVPL7V6JDfIaPUkdcSdZpynhRLhQwv9ScTFh65JwxC7wNhVspB
4bKZeW6vugNGwCyBIemMfxMlpKZQDOc5dnBiRMMOgXSIimeiFtL+NmMXnGBBHDaE
b+XXI8oCZRx5MTnzEs90mkaCRSIUlWxOUFzZvnv4jBrhWsd/yBM/h7YmVfmwVAjL
VST0QG4MnbCjNtbzToMj55NAGwSdKHCzvvpWYkd62ZOquY9f2UZKxYCX0bFPNVQM
EvBQGdNG39XYSEeF4LneYQKPHEZDdqe7TZdVE8ooU/syxlZgADtvkqEoc4zp1Im3
2wIDAQAB
-----END PUBLIC KEY-----
```
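Rotating a client's key with the `add-client-key`, `delete-client-key` and `list-client-keys` subcommands above works best when the new key pair is generated where the client's configuration will be updated, so that only the public half is sent with `--public-key-path` and the server never has to return a private key on `STDOUT`. The following shell functions are an added example and are not part of the Chef docs or of `chef-server-ctl`: they generate a 2048-bit RSA pair with OpenSSL, check the expiry date against the ISO 8601 form the commands expect, add the new key under a name of the operator's choosing with the options placed after all arguments as required, and delete the old key only as a separate step, once the client's own `client.pem` has been replaced. `CTL`, the key names, and the org and client in the usage note are assumptions of the example; `CTL` can be pointed at a stub to rehearse the sequence.

```shell
#!/bin/sh
# Added example (not from the Chef docs): rotate a client's key with the
# add-client-key / delete-client-key subcommands. The key pair is created
# locally so the private key never transits the server or STDOUT. CTL may
# be pointed at a stub to rehearse the sequence.
CTL="${CTL:-chef-server-ctl}"

# valid_expiry DATE: accept only YYYY-MM-DDTHH:MM:SSZ, the form the
# --expiration-date option documents.
valid_expiry() {
    case $1 in
        [0-9][0-9][0-9][0-9]-[0-1][0-9]-[0-3][0-9]T[0-2][0-9]:[0-5][0-9]:[0-5][0-9]Z) return 0 ;;
        *) return 1 ;;
    esac
}

# generate_keypair PRIVATE_PEM PUBLIC_PEM
# 2048-bit RSA; the private key is written with mode 0600 and is the file
# that becomes the client's client.pem. The public half is all the
# server needs.
generate_keypair() {
    (umask 077 && openssl genrsa -out "$1" 2048 >/dev/null 2>&1) || return 1
    openssl rsa -in "$1" -pubout -out "$2" >/dev/null 2>&1
}

# add_client_key ORG CLIENT KEY_NAME PUBLIC_PEM EXPIRES
# Options must follow all positional arguments for this subcommand.
add_client_key() {
    org=$1 client=$2 name=$3 pub=$4 expires=$5
    valid_expiry "$expires" || { echo "bad expiration date: $expires" >&2; return 1; }
    [ -s "$pub" ] || { echo "missing public key: $pub" >&2; return 1; }
    "$CTL" add-client-key "$org" "$client" --public-key-path "$pub" \
        --expiration-date "$expires" --key-name "$name"
}

# retire_client_key ORG CLIENT KEY_NAME
# Run only after the client has been switched to the new private key;
# until then both keys are valid and the old one is the fallback.
retire_client_key() {
    "$CTL" delete-client-key "$1" "$2" "$3"
}

# list_client_keys ORG CLIENT: confirm what the server now holds.
list_client_keys() {
    "$CTL" list-client-keys "$1" "$2"
}

# Usage, step by step (assumed org "prod", client "web01"):
#   generate_keypair web01-2016.pem web01-2016.pub
#   add_client_key prod web01 web01-2016 web01-2016.pub 2016-12-31T00:00:00Z
#   ... copy web01-2016.pem to the node as client.pem and run chef-client ...
#   retire_client_key prod web01 default
#   list_client_keys prod web01
```

Splitting the add and delete steps is deliberate: a node that is still using the old key keeps working until the operator has confirmed a run with the new one, and an explicit expiry on the new key bounds how long it is valid if the rotation is never completed.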
## Changelog
For the list of issues that were addressed for this release, please see
the changelog on GitHub: