The following items are new for Chef Infra Client 12.8 and/or are changes from previous versions. The short version: - **Support for OpenSSL validation of FIPS** Chef Infra Client can be configured to allow OpenSSL to enforce FIPS-validated security during a chef-client run. - **Support for multiple configuration files** Chef Infra Client supports reading multiple configuration files by putting them inside a `.d` configuration directory. - **New launchd resource** Use the **launchd** resource to manage system-wide services (daemons) and per-user services (agents) on the macOS platform. - **chef-zero support for Chef Infra Server API endpoints** chef-zero now supports using all Chef server API version 12 endpoints, with the exception of `/universe`. - **Updated support for OpenSSL** OpenSSL is updated to version 1.0.1. - **Ohai auto-detects hosts for Azure instances** Ohai will auto-detect hosts for instances that are hosted by Microsoft Azure. - **gem attribute added to metadata.rb** Specify a gem dependency to be installed via the **chef_gem** resource after all cookbooks are synchronized, but before any other cookbook loading is done. ## FIPS Mode Federal Information Processing Standards (FIPS) is a United States government computer security standard that specifies security requirements for cryptography. The current version of the standard is FIPS 140-2. Chef Infra Client can be configured to allow OpenSSL to enforce FIPS-validated security during a chef-client run. This will disable cryptography that is explicitly disallowed in FIPS-validated software, including certain ciphers and hashing algorithms. Any attempt to use any disallowed cryptography will cause Chef Infra Client to throw an exception during a chef-client run.

Note

Chef uses MD5 hashes to uniquely identify files that are stored on the Chef server. MD5 is used only to generate a unique hash identifier and is not used for any cryptographic purpose.
Notes about FIPS: - May be enabled for nodes running on Microsoft Windows and Enterprise Linux platforms - Should only be enabled for environments that require FIPS 140-2 compliance - May not be enabled for any version of Chef Infra Client earlier than 12.8 ### Enable FIPS Mode Allowing OpenSSL to enforce FIPS-validated security may be enabled by using any of the following ways: - Set the `fips` configuration setting to `true` in the client.rb or knife.rb files - Set the `--fips` command-line option when running any knife command or Chef Infra Client executable - Set the `--fips` command-line option when bootstrapping a node using the `knife bootstrap` command ### Command Option The following command-line option may be used to with a knife or chef-client executable command: `--[no-]fips` : Allows OpenSSL to enforce FIPS-validated security during Chef Infra Client run. **Bootstrap a node using FIPS** ```bash knife bootstrap 192.0.2.0 -P vanilla -x root -r 'recipe[apt],recipe[xfs],recipe[vim]' --fips ``` which shows something similar to: ```none OpenSSL FIPS 140 mode enabled ... 192.0.2.0 Chef Infra Client finished, 12/12 resources updated in 78.942455583 seconds ``` ### Configuration Setting The following configuration setting may be set in the knife.rb, client.rb, or config.rb files: `fips` : Allows OpenSSL to enforce FIPS-validated security during Chef Infra Client run. Set to `true` to enable FIPS-validated security. ## .d Directories Chef Infra Client supports reading multiple configuration files by putting them inside a `.d` configuration directory. For example: `/etc/chef/client.d`. All files that end in `.rb` in the `.d` directory are loaded; other non-`.rb` files are ignored. `.d` directories may exist in any location where the `client.rb`, `config.rb`, or `solo.rb` files are present, such as: - `/etc/chef/client.d` - `/etc/chef/config.d` - `~/chef/solo.d` (There is no support for a `knife.d` directory; use `config.d` instead.) For example, when using knife, the following configuration files would be loaded: - `~/.chef/config.rb` - `~/.chef/config.d/company_settings.rb` - `~/.chef/config.d/ec2_configuration.rb` - `~/.chef/config.d/old_settings.rb.bak` The `old_settings.rb.bak` file is ignored because it's not a configuration file. The `config.rb`, `company_settings.rb`, and `ec2_configuration` files are merged together as if they are a single configuration file.

Note

If multiple configuration files exists in a `.d` directory, ensure that the same setting has the same value in all files.
## launchd Use the **launchd** resource to manage system-wide services (daemons) and per-user services (agents) on the macOS platform. ### Syntax A **launchd** resource manages system-wide services (daemons) and per-user services (agents) on the macOS platform: ```ruby launchd 'call.mom.weekly' do program '/Library/scripts/call_mom.sh' start_calendar_interval 'Weekday' => 7, 'Hourly' => 10 time_out 300 end ``` The full syntax for all of the properties that are available to the **launchd** resource is: ```ruby launchd 'name' do abandon_process_group true, false backup Integer, false cookbook String debug true, false disabled true, false enable_globbing true, false enable_transactions true, false environment_variables Hash exit_timeout Integer group String, Integer hard_resource_limits Hash hash Hash ignore_failure true, false inetd_compatibility Hash init_groups true, false keep_alive true, false label String launch_only_once true, false limit_load_from_hosts Array limit_load_to_hosts Array limit_load_to_session_type String low_priority_io true, false mach_services Hash mode Integer, String nice Integer notifies # see description on_demand true, false owner Integer, String path String process_type String program String program_arguments Array provider Chef::Provider::Launchd queue_directories Array retries Integer retry_delay Integer root_directory String run_at_load true, false sockets Hash soft_resource_limits Array standard_error_path String standard_in_path String standard_out_path String start_calendar_interval Hash start_interval Integer start_on_mount true, false subscribes # see description throttle_interval Integer time_out Integer type String umask Integer username String wait_for_debugger true, false watch_paths Array working_directory String action Symbol # defaults to :create if not specified end ``` where - `launchd` is the resource - `name` is the name of the resource block - `action` identifies the steps Chef Infra Client will take to bring the node into the desired state - `abandon_process_group`, `backup`, `cookbook`, `debug`, `disabled`, `enable_globbing`, `enable_transactions`, `environment_variables`, `exit_timeout`, `group`, `hard_resource_limits`, `hash`, `inetd_compatibility`, `init_groups`, `keep_alive`, `label`, `launch_only_once`, `limit_load_from_hosts`, `limit_load_to_hosts`, `limit_load_to_session_type`, `low_priority_io`, `mach_services`, `mode`, `nice`, `on_demand`, `owner`, `path`, `process_type`, `program`, `program_arguments`, `queue_directories`, `retries`, `retry_delay`, `root_directory`, `run_at_load`, `sockets`, `soft_resource_limits`, `standard_error_path`, `standard_in_path`, `standard_out_path`, `start_calendar_interval`, `start_interval`, `start_on_mount`, `throttle_interval`, `time_out`, `type`, `umask`, `username`, `wait_for_debugger`, `watch_paths`, and `working_directory` are properties of this resource, with the Ruby type shown. See "Properties" section below for more information about all of the properties that may be used with this resource. ### Actions The launchd resource has the following actions: `:create` : Default. Create a launchd property list. `:create_if_missing` : Create a launchd property list, if it does not already exist. `:delete` : Delete a launchd property list. This will unload a daemon or agent, if loaded. `:disable` : Disable a launchd property list. `:enable` : Create a launchd property list, and then ensure that it is enabled. If a launchd property list already exists, but does not match, updates the property list to match, and then restarts the daemon or agent. `:restart` : Restart a launchd managed daemon or agent. `:nothing` : This resource block does not act unless notified by another resource to take action. Once notified, this resource block either runs immediately or is queued up to run at the end of the Chef Infra Client run. ### Properties This resource has the following properties: `backup` : **Ruby Type:** Integer, false The number of backups to be kept in `/var/chef/backup`. Set to `false` to prevent backups from being kept. `cookbook` : **Ruby Type:** String The name of the cookbook in which the source files are located. `group` : **Ruby Type:** String, Integer When launchd is run as the root user, the group to run the job as. If the `username` property is specified and this property is not, this value is set to the default group for the user. `hash` : **Ruby Type:** Hash A Hash of key value pairs used to create the launchd property list. `ignore_failure` : **Ruby Type:** true, false | **Default Value:** `false` Continue running a recipe if a resource fails for any reason. `label` : **Ruby Type:** String The unique identifier for the job. `mode` : **Ruby Type:** Integer, String A quoted 3-5 character string that defines the octal mode. For example: `'755'`, `'0755'`, or `00755`. If `mode` is not specified and if the directory already exists, the existing mode on the directory is used. If `mode` is not specified, the directory does not exist, and the `:create` action is specified, Chef Infra Client assumes a mask value of `'0777'`, and then applies the umask for the system on which the directory is to be created to the `mask` value. For example, if the umask on a system is `'022'`, Chef Infra Client uses the default value of `'0755'`. The behavior is different depending on the platform. UNIX- and Linux-based systems: A quoted 3-5 character string that defines the octal mode that is passed to chmod. For example: `'755'`, `'0755'`, or `00755`. If the value is specified as a quoted string, it works exactly as if the `chmod` command was passed. If the value is specified as an integer, prepend a zero (`0`) to the value to ensure that it is interpreted as an octal number. For example, to assign read, write, and execute rights for all users, use `'0777'` or `'777'`; for the same rights, plus the sticky bit, use `01777` or `'1777'`. Microsoft Windows: A quoted 3-5 character string that defines the octal mode that is translated into rights for Microsoft Windows security. For example: `'755'`, `'0755'`, or `00755`. Values up to `'0777'` are allowed (no sticky bits) and mean the same in Microsoft Windows as they do in UNIX, where `4` equals `GENERIC_READ`, `2` equals `GENERIC_WRITE`, and `1` equals `GENERIC_EXECUTE`. This property cannot be used to set `:full_control`. This property has no effect if not specified, but when it and `rights` are both specified, the effects are cumulative. `notifies` : **Ruby Type:** Symbol, 'Chef::Resource\[String\]' A resource may notify another resource to take action when its state changes. Specify a `'resource[name]'`, the `:action` that resource should take, and then the `:timer` for that action. A resource may notify more than one resource; use a `notifies` statement for each resource to be notified. A timer specifies the point during the Chef Infra Client run at which a notification is run. The following timers are available: `:before` : Specifies that the action on a notified resource should be run before processing the resource block in which the notification is located. `:delayed` : Default. Specifies that a notification should be queued up, and then executed at the end of the Chef Infra Client run. `:immediate`, `:immediately` : Specifies that a notification should be run immediately, per resource notified. The syntax for `notifies` is: ```ruby notifies :action, 'resource[name]', :timer ``` `owner` : **Ruby Type:** Integer, String A string or ID that identifies the group owner by user name, including fully qualified user names such as `domain\user` or `user@domain`. If this value is not specified, existing owners remain unchanged and new owner assignments use the current user (when necessary). `path` : **Ruby Type:** String The path to the directory. Using a fully qualified path is recommended, but is not always required. Default value: the `name` of the resource block. See "Syntax" section above for more information. `retries` : **Ruby Type:** Integer | **Default Value:** `0` The number of attempts to catch exceptions and retry the resource. `retry_delay` : **Ruby Type:** Integer | **Default Value:** `2` The retry delay (in seconds). `session_type` : **Ruby Type:** String The type of launchd plist to be created. Possible values: `system` (default) or `user`. `source` : **Ruby Type:** String The path to the launchd property list. `subscribes` : **Ruby Type:** Symbol, 'Chef::Resource\[String\]' A resource may listen to another resource, and then take action if the state of the resource being listened to changes. Specify a `'resource[name]'`, the `:action` to be taken, and then the `:timer` for that action. Note that `subscribes` does not apply the specified action to the resource that it listens to - for example: ```ruby file '/etc/nginx/ssl/example.crt' do mode '0600' owner 'root' end service 'nginx' do subscribes :reload, 'file[/etc/nginx/ssl/example.crt]', :immediately end ``` In this case the `subscribes` property reloads the `nginx` service whenever its certificate file, located under `/etc/nginx/ssl/example.crt`, is updated. `subscribes` does not make any changes to the certificate file itself, it merely listens for a change to the file, and executes the `:reload` action for its resource (in this example `nginx`) when a change is detected. A timer specifies the point during the Chef Infra Client run at which a notification is run. The following timers are available: `:before` : Specifies that the action on a notified resource should be run before processing the resource block in which the notification is located. `:delayed` : Default. Specifies that a notification should be queued up, and then executed at the end of the Chef Infra Client run. `:immediate`, `:immediately` : Specifies that a notification should be run immediately, per resource notified. The syntax for `subscribes` is: ```ruby subscribes :action, 'resource[name]', :timer ``` `supports` : **Ruby Type:** Array An array of options for supported mount features. Default value: `{ :remount => false }`. `type` : **Ruby Type:** String The type of resource. Possible values: `daemon` (default), `agent`. The following resource properties may be used to define keys in the XML property list for a daemon or agent. Please refer to the Apple man page documentation for launchd for more information about these keys: `abandon_process_group` : **Ruby Type:** true, false If a job dies, all remaining processes with the same process ID may be kept running. Set to `true` to kill all remaining processes. `debug` : **Ruby Type:** true, false Sets the log mask to `LOG_DEBUG` for this job. `disabled` : **Ruby Type:** true, false | **Default Value:** `false` Hints to `launchctl` to not submit this job to launchd. `enable_globbing` : **Ruby Type:** true, false Update program arguments before invocation. `enable_transactions` : **Ruby Type:** true, false Track in-progress transactions; if none, then send the `SIGKILL` signal. `environment_variables` : **Ruby Type:** Hash Additional environment variables to set before running a job. `exit_timeout` : **Ruby Type:** Integer | **Default Value:** `20` The amount of time (in seconds) launchd waits before sending a `SIGKILL` signal. `hard_resource_limits` : **Ruby Type:** Hash A Hash of resource limits to be imposed on a job. `inetd_compatibility` : **Ruby Type:** Hash Specifies if a daemon expects to be run as if it were launched from `inetd`. Set to `wait => true` to pass standard input, output, and error file descriptors. Set to `wait => false` to call the `accept` system call on behalf of the job, and then pass standard input, output, and error file descriptors. `init_groups` : **Ruby Type:** true, false Specify if `initgroups` is called before running a job. Default value: `true` (starting with macOS 10.5). `keep_alive` : **Ruby Type:** true, false, Hash | **Default Value:** `false` Keep a job running continuously (`true`) or allow demand and conditions on the node to determine if the job keeps running (`false`). Hash type was added in Chef client 12.14. `launch_only_once` : **Ruby Type:** true, false Specify if a job can be run only one time. Set this value to `true` if a job cannot be restarted without a full machine reboot. `limit_load_from_hosts` : **Ruby Type:** Array An array of hosts to which this configuration file does not apply, i.e. "apply this configuration file to all hosts not specified in this array". `limit_load_to_hosts` : **Ruby Type:** Array An array of hosts to which this configuration file applies. `limit_load_to_session_type` : **Ruby Type:** String The session type to which this configuration file applies. `low_priority_io` : **Ruby Type:** true, false Specify if the kernel on the node should consider this daemon to be low priority during file system I/O. `mach_services` : **Ruby Type:** Hash Specify services to be registered with the bootstrap subsystem. `nice` : **Ruby Type:** Integer The program scheduling priority value in the range `-20` to `20`. `on_demand` : **Ruby Type:** true, false Keep a job alive. Only applies to macOS version 10.4 (and earlier); use `keep_alive` instead for newer versions. `process_type` : **Ruby Type:** String The intended purpose of the job: `Adaptive`, `Background`, `Interactive`, or `Standard`. `program` : **Ruby Type:** String The first argument of `execvp`, typically the file name associated with the file to be executed. This value must be specified if `program_arguments` is not specified, and vice-versa. `program_arguments` : **Ruby Type:** Array The second argument of `execvp`. If `program` is not specified, this property must be specified and will be handled as if it were the first argument. `queue_directories` : **Ruby Type:** Array An array of non-empty directories which, if any are modified, will cause a job to be started. `root_directory` : **Ruby Type:** String `chroot` to this directory, and then run the job. `run_at_load` : **Ruby Type:** true, false | **Default Value:** `false` Launch a job once (at the time it is loaded). `sockets` : **Ruby Type:** Hash A Hash of on-demand sockets that notify launchd when a job should be run. `soft_resource_limits` : **Ruby Type:** Array A Hash of resource limits to be imposed on a job. `standard_error_path` : **Ruby Type:** String The file to which standard error (`stderr`) is sent. `standard_in_path` : **Ruby Type:** String The file to which standard input (`stdin`) is sent. `standard_out_path` : **Ruby Type:** String The file to which standard output (`stdout`) is sent. `start_calendar_interval` : **Ruby Type:** Hash A Hash (similar to `crontab`) that defines the calendar frequency at which a job is started. For example: `{ Minute => "0", Hour => "20", Day => "*", Weekday => "1-5", Month => "*" }` will run a job at 8:00 PM every day, Monday through Friday, every month of the year. `start_interval` : **Ruby Type:** Integer The frequency (in seconds) at which a job is started. `start_on_mount` : **Ruby Type:** true, false Start a job every time a file system is mounted. `throttle_interval` : **Ruby Type:** Integer | **Default Value:** `10` The frequency (in seconds) at which jobs are allowed to spawn. `time_out` : **Ruby Type:** Integer The amount of time (in seconds) a job may be idle before it times out. If no value is specified, the default timeout value for launchd will be used. `umask` : **Ruby Type:** Integer A decimal value to pass to `umask` before running a job. `username` : **Ruby Type:** String When launchd is run as the root user, the user to run the job as. `wait_for_debugger` : **Ruby Type:** true, false Specify if launchd has a job wait for a debugger to attach before executing code. `watch_paths` : **Ruby Type:** Array An array of paths which, if any are modified, will cause a job to be started. `working_directory` : **Ruby Type:** String `chdir` to this directory, and then run the job. ### Examples **Create a Launch Daemon from a cookbook file** ```ruby launchd 'com.chef.every15' do source 'com.chef.every15.plist' end ``` **Create a Launch Daemon using keys** ```ruby launchd 'call.mom.weekly' do program '/Library/scripts/call_mom.sh' start_calendar_interval 'Weekday' => 7, 'Hourly' => 10 time_out 300 end ``` **Remove a Launch Daemon** ```ruby launchd 'com.chef.every15' do action :delete end ``` ## gem, metadata.rb Specifies a gem dependency for installation into Chef Infra Client through bundler. The gem installation occurs after all cookbooks are synchronized but before loading any other cookbooks. Use this attribute one time for each gem dependency. For example: ```ruby gem "poise" gem "chef-sugar" ```