The following items are new for Chef Infra Client 12.8 and/or are changes from previous versions. The short version:
- **Support for OpenSSL validation of FIPS** Chef Infra Client can be
configured to allow OpenSSL to enforce FIPS-validated security
during a chef-client run.
- **Support for multiple configuration files** Chef Infra Client supports
reading multiple configuration files by putting them inside a `.d`
configuration directory.
- **New launchd resource** Use the **launchd** resource to manage
system-wide services (daemons) and per-user services (agents) on the
macOS platform.
- **chef-zero support for Chef Infra Server API endpoints** chef-zero now
supports using all Chef server API version 12 endpoints, with the
exception of `/universe`.
- **Updated support for OpenSSL** OpenSSL is updated to version 1.0.1.
- **Ohai auto-detects hosts for Azure instances** Ohai will
auto-detect hosts for instances that are hosted by Microsoft Azure.
- **gem attribute added to metadata.rb** Specify a gem dependency to
be installed via the **chef_gem** resource after all cookbooks are
synchronized, but before any other cookbook loading is done.
## FIPS Mode
Federal Information Processing Standards (FIPS) is a United States
government computer security standard that specifies security
requirements for cryptography. The current version of the standard is
FIPS 140-2. Chef Infra Client can be configured to allow OpenSSL to enforce
FIPS-validated security during a chef-client run. This will disable
cryptography that is explicitly disallowed in FIPS-validated software,
including certain ciphers and hashing algorithms. Any attempt to use any
disallowed cryptography will cause Chef Infra Client to throw an exception
during a chef-client run.
Note
Chef uses MD5 hashes to uniquely identify files that are stored on the
Chef server. MD5 is used only to generate a unique hash identifier and
is not used for any cryptographic purpose.
Notes about FIPS:
- May be enabled for nodes running on Microsoft Windows and Enterprise
Linux platforms
- Should only be enabled for environments that require FIPS 140-2
compliance
- May not be enabled for any version of Chef Infra Client earlier than 12.8
### Enable FIPS Mode
Allowing OpenSSL to enforce FIPS-validated security may be enabled by
using any of the following ways:
- Set the `fips` configuration setting to `true` in the client.rb or
knife.rb files
- Set the `--fips` command-line option when running any knife command
or Chef Infra Client executable
- Set the `--fips` command-line option when bootstrapping a node using
the `knife bootstrap` command
### Command Option
The following command-line option may be used to with a knife or
chef-client executable command:
`--[no-]fips`
: Allows OpenSSL to enforce FIPS-validated security during Chef Infra Client
run.
**Bootstrap a node using FIPS**
```bash
knife bootstrap 192.0.2.0 -P vanilla -x root -r 'recipe[apt],recipe[xfs],recipe[vim]' --fips
```
which shows something similar to:
```none
OpenSSL FIPS 140 mode enabled
...
192.0.2.0 Chef Infra Client finished, 12/12 resources updated in 78.942455583 seconds
```
### Configuration Setting
The following configuration setting may be set in the knife.rb,
client.rb, or config.rb files:
`fips`
: Allows OpenSSL to enforce FIPS-validated security during Chef Infra Client
run. Set to `true` to enable FIPS-validated security.
## .d Directories
Chef Infra Client supports reading multiple configuration files by putting
them inside a `.d` configuration directory. For example:
`/etc/chef/client.d`. All files that end in `.rb` in the `.d` directory
are loaded; other non-`.rb` files are ignored.
`.d` directories may exist in any location where the `client.rb`,
`config.rb`, or `solo.rb` files are present, such as:
- `/etc/chef/client.d`
- `/etc/chef/config.d`
- `~/chef/solo.d`
(There is no support for a `knife.d` directory; use `config.d` instead.)
For example, when using knife, the following configuration files would
be loaded:
- `~/.chef/config.rb`
- `~/.chef/config.d/company_settings.rb`
- `~/.chef/config.d/ec2_configuration.rb`
- `~/.chef/config.d/old_settings.rb.bak`
The `old_settings.rb.bak` file is ignored because it's not a
configuration file. The `config.rb`, `company_settings.rb`, and
`ec2_configuration` files are merged together as if they are a single
configuration file.
Note
If multiple configuration files exists in a `.d` directory, ensure that
the same setting has the same value in all files.
## launchd
Use the **launchd** resource to manage system-wide services (daemons)
and per-user services (agents) on the macOS platform.
### Syntax
A **launchd** resource manages system-wide services (daemons) and
per-user services (agents) on the macOS platform:
```ruby
launchd 'call.mom.weekly' do
program '/Library/scripts/call_mom.sh'
start_calendar_interval 'Weekday' => 7, 'Hourly' => 10
time_out 300
end
```
The full syntax for all of the properties that are available to the
**launchd** resource is:
```ruby
launchd 'name' do
abandon_process_group true, false
backup Integer, false
cookbook String
debug true, false
disabled true, false
enable_globbing true, false
enable_transactions true, false
environment_variables Hash
exit_timeout Integer
group String, Integer
hard_resource_limits Hash
hash Hash
ignore_failure true, false
inetd_compatibility Hash
init_groups true, false
keep_alive true, false
label String
launch_only_once true, false
limit_load_from_hosts Array
limit_load_to_hosts Array
limit_load_to_session_type String
low_priority_io true, false
mach_services Hash
mode Integer, String
nice Integer
notifies # see description
on_demand true, false
owner Integer, String
path String
process_type String
program String
program_arguments Array
provider Chef::Provider::Launchd
queue_directories Array
retries Integer
retry_delay Integer
root_directory String
run_at_load true, false
sockets Hash
soft_resource_limits Array
standard_error_path String
standard_in_path String
standard_out_path String
start_calendar_interval Hash
start_interval Integer
start_on_mount true, false
subscribes # see description
throttle_interval Integer
time_out Integer
type String
umask Integer
username String
wait_for_debugger true, false
watch_paths Array
working_directory String
action Symbol # defaults to :create if not specified
end
```
where
- `launchd` is the resource
- `name` is the name of the resource block
- `action` identifies the steps Chef Infra Client will take to bring the
node into the desired state
- `abandon_process_group`, `backup`, `cookbook`, `debug`, `disabled`,
`enable_globbing`, `enable_transactions`, `environment_variables`,
`exit_timeout`, `group`, `hard_resource_limits`, `hash`,
`inetd_compatibility`, `init_groups`, `keep_alive`, `label`,
`launch_only_once`, `limit_load_from_hosts`, `limit_load_to_hosts`,
`limit_load_to_session_type`, `low_priority_io`, `mach_services`,
`mode`, `nice`, `on_demand`, `owner`, `path`, `process_type`,
`program`, `program_arguments`, `queue_directories`, `retries`,
`retry_delay`, `root_directory`, `run_at_load`, `sockets`,
`soft_resource_limits`, `standard_error_path`, `standard_in_path`,
`standard_out_path`, `start_calendar_interval`, `start_interval`,
`start_on_mount`, `throttle_interval`, `time_out`, `type`, `umask`,
`username`, `wait_for_debugger`, `watch_paths`, and
`working_directory` are properties of this resource, with the Ruby
type shown. See "Properties" section below for more information
about all of the properties that may be used with this resource.
### Actions
The launchd resource has the following actions:
`:create`
: Default. Create a launchd property list.
`:create_if_missing`
: Create a launchd property list, if it does not already exist.
`:delete`
: Delete a launchd property list. This will unload a daemon or agent,
if loaded.
`:disable`
: Disable a launchd property list.
`:enable`
: Create a launchd property list, and then ensure that it is enabled.
If a launchd property list already exists, but does not match,
updates the property list to match, and then restarts the daemon or
agent.
`:restart`
: Restart a launchd managed daemon or agent.
`:nothing`
: This resource block does not act unless notified by another resource
to take action. Once notified, this resource block either runs
immediately or is queued up to run at the end of the Chef Infra Client
run.
### Properties
This resource has the following properties:
`backup`
: **Ruby Type:** Integer, false
The number of backups to be kept in `/var/chef/backup`. Set to
`false` to prevent backups from being kept.
`cookbook`
: **Ruby Type:** String
The name of the cookbook in which the source files are located.
`group`
: **Ruby Type:** String, Integer
When launchd is run as the root user, the group to run the job as.
If the `username` property is specified and this property is not,
this value is set to the default group for the user.
`hash`
: **Ruby Type:** Hash
A Hash of key value pairs used to create the launchd property list.
`ignore_failure`
: **Ruby Type:** true, false | **Default Value:** `false`
Continue running a recipe if a resource fails for any reason.
`label`
: **Ruby Type:** String
The unique identifier for the job.
`mode`
: **Ruby Type:** Integer, String
A quoted 3-5 character string that defines the octal mode. For
example: `'755'`, `'0755'`, or `00755`. If `mode` is not specified
and if the directory already exists, the existing mode on the
directory is used. If `mode` is not specified, the directory does
not exist, and the `:create` action is specified, Chef Infra Client
assumes a mask value of `'0777'`, and then applies the umask for the
system on which the directory is to be created to the `mask` value.
For example, if the umask on a system is `'022'`, Chef Infra Client uses
the default value of `'0755'`.
The behavior is different depending on the platform.
UNIX- and Linux-based systems: A quoted 3-5 character string that
defines the octal mode that is passed to chmod. For example:
`'755'`, `'0755'`, or `00755`. If the value is specified as a quoted
string, it works exactly as if the `chmod` command was passed. If
the value is specified as an integer, prepend a zero (`0`) to the
value to ensure that it is interpreted as an octal number. For
example, to assign read, write, and execute rights for all users,
use `'0777'` or `'777'`; for the same rights, plus the sticky bit,
use `01777` or `'1777'`.
Microsoft Windows: A quoted 3-5 character string that defines the
octal mode that is translated into rights for Microsoft Windows
security. For example: `'755'`, `'0755'`, or `00755`. Values up to
`'0777'` are allowed (no sticky bits) and mean the same in Microsoft
Windows as they do in UNIX, where `4` equals `GENERIC_READ`, `2`
equals `GENERIC_WRITE`, and `1` equals `GENERIC_EXECUTE`. This
property cannot be used to set `:full_control`. This property has no
effect if not specified, but when it and `rights` are both
specified, the effects are cumulative.
`notifies`
: **Ruby Type:** Symbol, 'Chef::Resource\[String\]'
A resource may notify another resource to take action when its state
changes. Specify a `'resource[name]'`, the `:action` that resource
should take, and then the `:timer` for that action. A resource may
notify more than one resource; use a `notifies` statement for each
resource to be notified.
A timer specifies the point during the Chef Infra Client run at which a
notification is run. The following timers are available:
`:before`
: Specifies that the action on a notified resource should be run
before processing the resource block in which the notification
is located.
`:delayed`
: Default. Specifies that a notification should be queued up, and
then executed at the end of the Chef Infra Client run.
`:immediate`, `:immediately`
: Specifies that a notification should be run immediately, per
resource notified.
The syntax for `notifies` is:
```ruby
notifies :action, 'resource[name]', :timer
```
`owner`
: **Ruby Type:** Integer, String
A string or ID that identifies the group owner by user name,
including fully qualified user names such as `domain\user` or
`user@domain`. If this value is not specified, existing owners
remain unchanged and new owner assignments use the current user
(when necessary).
`path`
: **Ruby Type:** String
The path to the directory. Using a fully qualified path is
recommended, but is not always required. Default value: the `name`
of the resource block. See "Syntax" section above for more
information.
`retries`
: **Ruby Type:** Integer | **Default Value:** `0`
The number of attempts to catch exceptions and retry the resource.
`retry_delay`
: **Ruby Type:** Integer | **Default Value:** `2`
The retry delay (in seconds).
`session_type`
: **Ruby Type:** String
The type of launchd plist to be created. Possible values: `system`
(default) or `user`.
`source`
: **Ruby Type:** String
The path to the launchd property list.
`subscribes`
: **Ruby Type:** Symbol, 'Chef::Resource\[String\]'
A resource may listen to another resource, and then take action if
the state of the resource being listened to changes. Specify a
`'resource[name]'`, the `:action` to be taken, and then the `:timer`
for that action.
Note that `subscribes` does not apply the specified action to the
resource that it listens to - for example:
```ruby
file '/etc/nginx/ssl/example.crt' do
mode '0600'
owner 'root'
end
service 'nginx' do
subscribes :reload, 'file[/etc/nginx/ssl/example.crt]', :immediately
end
```
In this case the `subscribes` property reloads the `nginx` service
whenever its certificate file, located under
`/etc/nginx/ssl/example.crt`, is updated. `subscribes` does not make
any changes to the certificate file itself, it merely listens for a
change to the file, and executes the `:reload` action for its
resource (in this example `nginx`) when a change is detected.
A timer specifies the point during the Chef Infra Client run at which a
notification is run. The following timers are available:
`:before`
: Specifies that the action on a notified resource should be run
before processing the resource block in which the notification
is located.
`:delayed`
: Default. Specifies that a notification should be queued up, and
then executed at the end of the Chef Infra Client run.
`:immediate`, `:immediately`
: Specifies that a notification should be run immediately, per
resource notified.
The syntax for `subscribes` is:
```ruby
subscribes :action, 'resource[name]', :timer
```
`supports`
: **Ruby Type:** Array
An array of options for supported mount features. Default value:
`{ :remount => false }`.
`type`
: **Ruby Type:** String
The type of resource. Possible values: `daemon` (default), `agent`.
The following resource properties may be used to define keys in the XML
property list for a daemon or agent. Please refer to the Apple man page
documentation for launchd for more information about these keys:
`abandon_process_group`
: **Ruby Type:** true, false
If a job dies, all remaining processes with the same process ID may
be kept running. Set to `true` to kill all remaining processes.
`debug`
: **Ruby Type:** true, false
Sets the log mask to `LOG_DEBUG` for this job.
`disabled`
: **Ruby Type:** true, false | **Default Value:** `false`
Hints to `launchctl` to not submit this job to launchd.
`enable_globbing`
: **Ruby Type:** true, false
Update program arguments before invocation.
`enable_transactions`
: **Ruby Type:** true, false
Track in-progress transactions; if none, then send the `SIGKILL`
signal.
`environment_variables`
: **Ruby Type:** Hash
Additional environment variables to set before running a job.
`exit_timeout`
: **Ruby Type:** Integer | **Default Value:** `20`
The amount of time (in seconds) launchd waits before sending a
`SIGKILL` signal.
`hard_resource_limits`
: **Ruby Type:** Hash
A Hash of resource limits to be imposed on a job.
`inetd_compatibility`
: **Ruby Type:** Hash
Specifies if a daemon expects to be run as if it were launched from
`inetd`. Set to `wait => true` to pass standard input, output, and
error file descriptors. Set to `wait => false` to call the `accept`
system call on behalf of the job, and then pass standard input,
output, and error file descriptors.
`init_groups`
: **Ruby Type:** true, false
Specify if `initgroups` is called before running a job. Default
value: `true` (starting with macOS 10.5).
`keep_alive`
: **Ruby Type:** true, false, Hash | **Default Value:** `false`
Keep a job running continuously (`true`) or allow demand and
conditions on the node to determine if the job keeps running
(`false`).
Hash type was added in Chef client 12.14.
`launch_only_once`
: **Ruby Type:** true, false
Specify if a job can be run only one time. Set this value to `true`
if a job cannot be restarted without a full machine reboot.
`limit_load_from_hosts`
: **Ruby Type:** Array
An array of hosts to which this configuration file does not apply,
i.e. "apply this configuration file to all hosts not specified in
this array".
`limit_load_to_hosts`
: **Ruby Type:** Array
An array of hosts to which this configuration file applies.
`limit_load_to_session_type`
: **Ruby Type:** String
The session type to which this configuration file applies.
`low_priority_io`
: **Ruby Type:** true, false
Specify if the kernel on the node should consider this daemon to be
low priority during file system I/O.
`mach_services`
: **Ruby Type:** Hash
Specify services to be registered with the bootstrap subsystem.
`nice`
: **Ruby Type:** Integer
The program scheduling priority value in the range `-20` to `20`.
`on_demand`
: **Ruby Type:** true, false
Keep a job alive. Only applies to macOS version 10.4 (and earlier);
use `keep_alive` instead for newer versions.
`process_type`
: **Ruby Type:** String
The intended purpose of the job: `Adaptive`, `Background`,
`Interactive`, or `Standard`.
`program`
: **Ruby Type:** String
The first argument of `execvp`, typically the file name associated
with the file to be executed. This value must be specified if
`program_arguments` is not specified, and vice-versa.
`program_arguments`
: **Ruby Type:** Array
The second argument of `execvp`. If `program` is not specified, this
property must be specified and will be handled as if it were the
first argument.
`queue_directories`
: **Ruby Type:** Array
An array of non-empty directories which, if any are modified, will
cause a job to be started.
`root_directory`
: **Ruby Type:** String
`chroot` to this directory, and then run the job.
`run_at_load`
: **Ruby Type:** true, false | **Default Value:** `false`
Launch a job once (at the time it is loaded).
`sockets`
: **Ruby Type:** Hash
A Hash of on-demand sockets that notify launchd when a job should be
run.
`soft_resource_limits`
: **Ruby Type:** Array
A Hash of resource limits to be imposed on a job.
`standard_error_path`
: **Ruby Type:** String
The file to which standard error (`stderr`) is sent.
`standard_in_path`
: **Ruby Type:** String
The file to which standard input (`stdin`) is sent.
`standard_out_path`
: **Ruby Type:** String
The file to which standard output (`stdout`) is sent.
`start_calendar_interval`
: **Ruby Type:** Hash
A Hash (similar to `crontab`) that defines the calendar frequency at
which a job is started. For example:
`{ Minute => "0", Hour => "20", Day => "*", Weekday => "1-5", Month => "*" }`
will run a job at 8:00 PM every day, Monday through Friday, every
month of the year.
`start_interval`
: **Ruby Type:** Integer
The frequency (in seconds) at which a job is started.
`start_on_mount`
: **Ruby Type:** true, false
Start a job every time a file system is mounted.
`throttle_interval`
: **Ruby Type:** Integer | **Default Value:** `10`
The frequency (in seconds) at which jobs are allowed to spawn.
`time_out`
: **Ruby Type:** Integer
The amount of time (in seconds) a job may be idle before it times
out. If no value is specified, the default timeout value for launchd
will be used.
`umask`
: **Ruby Type:** Integer
A decimal value to pass to `umask` before running a job.
`username`
: **Ruby Type:** String
When launchd is run as the root user, the user to run the job as.
`wait_for_debugger`
: **Ruby Type:** true, false
Specify if launchd has a job wait for a debugger to attach before
executing code.
`watch_paths`
: **Ruby Type:** Array
An array of paths which, if any are modified, will cause a job to be
started.
`working_directory`
: **Ruby Type:** String
`chdir` to this directory, and then run the job.
### Examples
**Create a Launch Daemon from a cookbook file**
```ruby
launchd 'com.chef.every15' do
source 'com.chef.every15.plist'
end
```
**Create a Launch Daemon using keys**
```ruby
launchd 'call.mom.weekly' do
program '/Library/scripts/call_mom.sh'
start_calendar_interval 'Weekday' => 7, 'Hourly' => 10
time_out 300
end
```
**Remove a Launch Daemon**
```ruby
launchd 'com.chef.every15' do
action :delete
end
```
## gem, metadata.rb
Specifies a gem dependency for installation into Chef Infra Client through
bundler. The gem installation occurs after all cookbooks are
synchronized but before loading any other cookbooks. Use this attribute
one time for each gem dependency. For example:
```ruby
gem "poise"
gem "chef-sugar"
```