- Chef Software's Desktop pattern and tools expand familiar device management systems with extensive application and configuration capabilities that are designed to scale with automation. Chef Desktop provides a cookbook with YAML settings that covers the most common (and some less common) device configuration needs.
- The Chef development kit supports Mac OS X, Red Hat Enterprise Linux, Ubuntu, and Microsoft Windows. Select a platform, and then a package. (chef-docs uses the Mac OS X setup within the documentation.) Click the download button. Follow the steps in the installer to install the Chef development kit.
Welcome back to Upgrading Chef Infra! Last week we kicked things off with a brief introduction and a review of some key concepts. Today we'll see how Chef Infra has evolved in recent years, and take a look at improvements that have been implemented throughout major releases. While we will discuss some items in detail, this will by no means be an exhaustive list of updates. The five releases of Chef Infra we'll be covering represent 16,688 commits from Chef, our community and our customers!
(Re)Introducing Chef Infra Client 16
That said, we still have plenty to talk about. We recently announced the release of Chef Infra Client 16, and I hosted a webinar discussing some of its features and improvements. Even there, I only scratched the surface of what's available. In addition to new capabilities like YAML Recipes and a unified execution mode for custom resources, Chef Infra 16 has a ton of additional features, including:
- Expanded ARM support
  - aarch64 builds for RHEL8, Ubuntu 20.04, and SLES16
- Reduced disk usage by up to 30% with drastically improved performance on Windows systems
- 8 new resources: `alternatives`, `plist`, `user_ulimit`, `windows_security_policy`, `windows_user_privilege`, `chef_client_cron`, `chef_client_systemd_timer`, `chef_client_scheduled_task`
- Improvements to 10 existing resources: `build_essential`, `cron`, `dnf_package`, `git`, `locale`, `msu_package`, `package`, `service`, `windows_firewall_rule`, `windows_package`
- 2 new helper functions can be used in any resource or recipe: `sanitized_path`, `which`
- Ohai Plugin Improvements
  - Improved Azure & Linux Network data
  - New plugins for `IPC` and `Interrupts`
  - `DMI` plugin support for Windows
- Custom Resource Improvements
  - Improved property require behavior
  - Resource partials for code reuse between resources
  - New `after_resource` state
  - Improvements and default behavior for `identity` and `desired_state` properties
  - The `compile_time` property is now available for all resources, including custom resources
- Upgraded to Ruby 2.7
Details for each of Chef Infra 16's additions can be found in our release notes. While you can find notes for all of our releases on that very page, we've provided a condensed version of the highlights added in Chef Infra Client 12 through 15 below.
Security & Support
Before we dive into release-by-release improvements, it's worth noting a few points that will be true regardless of the version we're running. The most immediate reason to keep clients updated is to maintain support and ensure the most up-to-date security patches.
Chef officially supports the most recent two major releases, which at present are Infra Client 15 & 16. While new feature updates will be limited to the latest release, security patches and bug fixes will be provided for both during their support lifecycle. You can always find the full list of supported versions in our documentation.
Within a particular major release, Chef further recommends always running the latest version of that release. Updates published as minor or patch releases are as a rule intended to be non-breaking, backwards compatible, and most importantly, do not require updating associated cookbooks. These releases often feature performance improvements as underlying components are upgraded, additional platform support as new operating systems become available, and perhaps most importantly, timely updates and patches in response to any nascent vulnerabilities or CVEs in any of Chef Infra's dependencies.
While we'll be diving into client upgrades in more detail later in the series, be sure to check out the Upgrade Chef Client Learn Chef Rally module for some hands-on upgrade guidance in the meantime.
Chef Infra Client 12
Of the releases we'll be discussing today, Chef Infra Client 12 is unique. It was the final release before we formalized the yearly cadence of major releases, and was one of the longest running stable releases of Chef Infra. As such, a huge number of improvements were added during its lifecycle.
Release Highlights
- AIX Support Added
- Expanded Windows Support
  - New Resources: `windows_service`, `reboot`, `dsc_resource`, `chocolatey_package`, `cab_package`, `msu_package`
  - 64-bit Windows binaries
  - UNC path support in `remote_file` resource
- Expanded macOS Support
  - New Resources: `homebrew_package`, `osx_profile`
- Other New Resources
  - `bff_package`, `openbsd_package`, `paludis_package`, `apt_update`, `launchd`, `yum_repository`, `ksh`, `systemd_unit`
- Removable Cookbook Dependencies
  - Resources provided by the `yum` and `systemd` cookbooks are now natively implemented
- Notification Timers
  - Determine when a `notifies` or `subscribes` parameter is executed.
  - Supports `:delayed` (default), `:before`, `:immediately`
- Security Updates
  - Client/Server connections over HTTPS by default
  - FIPS Mode added
- Custom Resources Introduced
- Policyfiles Introduced
- Chef Automate data collection Introduced
Chef Infra Client 13
With Chef Infra Client 13, we established our current yearly major release cadence. Full details can be found in the Chef Infra Release and Support Schedule. As part of this change, any planned deprecations, syntax revisions, or other breaking changes must first be implemented as a non-breaking warning that indicates removal in the next major release. Similarly, while patches, bug fixes, and CVE remediations would continue to be implemented throughout each release, changes that might impact behavior or performance, like Ruby upgrades to the next minor release, would be scheduled for the next major release of Chef Infra Client.
Release Highlights
- New Resources: `apt_preference`, `windows_task`, `zypper_repository`
- Ohai Improvements
  - Improved cloud support with expanded detection of EC2/Softlayer clouds and metadata gathering for Azure/Rackspace in Ohai
- Removable Cookbook Dependencies: `apt`
- Encrypted Data Bags use more secure aes-256-gcm encryption method by default
- Chef InSpec and Chef Vault included by default
- Upgraded to Ruby 2.4
Chef Infra Client 14
Chef Infra Client 14 saw a vast improvement in performance and reduction in install size. Additionally, we added a huge number of new resources that were previously provided by cookbooks on the Chef Supermarket. With these changes, Chef Infra practitioners not only saw the client itself become easier to manage, but could greatly reduce the number of cookbooks they needed to manage.
Release Highlights
- New Resources: `windows_workgroup`, `windows_shortcut`, `windows_printer_port`, `windows_printer`, `windows_font`, `windows_feature`, `windows_auto_run`, `windows_ad_join`, `sysctl`, `swap_file`, `sudo`, `rhsm_subscription`, `rhsm_repo`, `rhsm_register`, `rhsm_errata_level`, `rhsm_errata`, `openssl_rsa_public_key`, `openssl_rsa_private_key`, `openssl_dhparam`, `ohai_hint`, `macos_userdefaults`, `hostname`, `homebrew_tap`, `homebrew_cask`, `dmg_package`, `chef_handler`, `ssh_known_hosts_entry`, `kernel_module`, `powershell_package_source`, `chocolatey_source`, `chocolatey_config`, `openssl_ec_public_key`, `openssl_ec_private_key`, `openssl_x509_crl`, `openssl_x509_request`, `openssl_x509_certificate`, `cron_access`, `cron_d`, `windows_workgroup`, `locale`, `timezone`, `windows_firewall_rule`, `windows_share`, `windows_certificate`, and `build_essential`
- Improved Resources
  - `windows_service` can now create Windows services
  - Large improvements to yum package installation
- Removable Cookbook Dependencies: `windows`, `build_essential`, `mac_os_x`, `openssl`, `sudo`, `sysctl`, `rhsm`, `homebrew`, `windows_firewall`, `swap`, `hostname-chef`, `locale`, `timezone_iii`
- Expanded Platform Support
  - MacOS 10.14 (Mojave), SLES 15, Windows 2019, Windows 10, FreeBSD 12, AIX 7.2, and RHEL 8
- Improved FIPS detection
- Install size reduced by 50% on Linux/macOS, 12% on Windows
- Upgraded to Ruby 2.5
Chef Infra Client 15
Chef Infra Client 15 is currently supported, and will remain so through April 2021. It also coincided with an update to our licensing policies, in which we made all of Chef's software open source under an Apache2 license, and their supported distributions (binaries) subject to an enterprise license for commercial use. More detail can be found in this blog post I wrote back in February. Additionally, this release featured a significant number of new helper functions to help with cookbook creation and the first phase of expanded ARM support that continued in Chef Infra 16.
Release Highlights
- New Resources: `snap_package`, `archive_file`, `windows_uac`, `windows_dfs_folder`, `windows_dfs_server`, `windows_dns_record`, `windows_dns_zone`, `chocolatey_feature`, `chef_sleep`, `notify_group`
- New Helpers to simplify writing cookbooks and resources
  - Multiple platform detection helpers for cloud, virtualization, and OS version
  - `include_recipe?` enables conditional execution based on other recipes in use
- Removable Cookbook Dependencies: `windows_dfs`, `windows_dns`, `libarchive`
- Expanded Platform Support
  - x86_64: Ubuntu 20.04, Debian 10, macOS 10.15 (Catalina), Amazon Linux 2
  - aarch64: Ubuntu 18.04, RHEL 7, Amazon Linux 2, SLES 15
- Support for Ed25519 SSH keys
- Unified Bootstrapping of *nix/Windows
- Target Mode introduced
  - Provides platform-agnostic configuration over SSH
- Upgraded to Ruby 2.6
Up Next
Now that we've seen an overview of some of the improvements that have been added to Chef Infra Client, we'll need a plan to realize the value these enhancements provide. Next week we'll dive into some practical upgrade guidance, starting with ensuring that your cookbooks are compatible with the latest Chef Infra clients. If you want a head start, the Local Development and Testing track on Learn Chef Rally will get you comfortable working with Cookstyle and Test Kitchen.
And don't forget, if you need help getting upgrades going, we're offering discounted professional services through June 30th for qualifying engagements. Contact us to learn more!
Background
In Chef 12 the old Chef::Platform hashmap located in `lib/chef/platform/provider_mapping.rb` has been deprecated. In its place is a dynamic provider and resolver resolution mechanism which is preferred and which can be manipulated via DSL methods on the resource and provider. In Chef 11 it was common to add functionality for platforms in the Chef::Platform hashmap which looks like this:
[ruby]
class Chef
  class Platform
    class << self
      attr_writer :platforms

      # Static platform => resource => provider table (deprecated in Chef 12)
      def platforms
        @platforms ||= begin
          require 'chef/providers'
          {
            :mac_os_x => {
              :default => {
                :package => Chef::Provider::Package::Macports,
                :service => Chef::Provider::Service::Macosx,
                :user => Chef::Provider::User::Dscl,
                :group => Chef::Provider::Group::Dscl
              }
            },
            :mac_os_x_server => {
              :default => {
                :package => Chef::Provider::Package::Macports,
                :service => Chef::Provider::Service::Macosx,
                :user => Chef::Provider::User::Dscl,
                :group => Chef::Provider::Group::Dscl
              }
            },
            :freebsd => {
              :default => {
                :group => Chef::Provider::Group::Pw,
                :service => Chef::Provider::Service::Freebsd,
                :user => Chef::Provider::User::Pw,
                :cron => Chef::Provider::Cron
              }
            },
            # […etc for 400 lines…]
          }
        end
      end
      # […etc…]
    end
  end
end
[/ruby]
Examples of New Syntax
With chef-12 we are starting to wire up providers and resolvers via the `provides` method on the provider and resource classes. Some examples of this include:
Wiring up a resource on all platforms
This is the most trivial example, where all platforms get the same cookbook_file resource when the user types 'cookbook_file' in a recipe:
[ruby]
class Chef
  class Resource
    class CookbookFile < Chef::Resource::File
      provides :cookbook_file
      # […etc…]
    end
  end
end
[/ruby]
Wiring up a resource on an os
This only wires up the ips_package resource when the node['os'] attribute is 'solaris2':
[ruby]
class Chef
  class Resource
    class IpsPackage < ::Chef::Resource::Package
      provides :ips_package, os: 'solaris2'
    end
  end
end
[/ruby]
Wiring up a resource on multiple platform_families
This is a more complicated example, showing that the provides line supports node['platform_family'] and that arrays of values can be used. It wires up the yum_package resource whenever the user types 'yum_package' in a recipe, no matter which platform (so even on Solaris, if you type 'yum_package' in a recipe you'll get this kind of resource). In addition, on the redhat-like platform_families, if the user types 'package' we wire that up to resolve to the 'yum_package' resource. This is a slight change from Chef 11, where if you typed "package 'foo'" on redhat you would get a vanilla Chef::Resource::Package object which would do vanilla package validation checking, and any yum-specific options would be rejected. In Chef 12 on redhat you will get a Chef::Resource::YumPackage object which will do the correct validation for the YumPackage provider.
[ruby]
class Chef
  class Resource
    class YumPackage < Chef::Resource::Package
      provides :yum_package
      provides :package, os: 'linux', platform_family: [ 'rhel', 'fedora' ]
    end
  end
end
[/ruby]
Wiring up a Resource based on arbitrary node attributes
On Solaris2 for platform_version of <= 5.10 we need to use solaris_package while on platform_version of >= 5.11 we need to use ips_package so our provides line looks like this:
[ruby]
class Chef
  class Resource
    class SolarisPackage < Chef::Resource::Package
      provides :solaris_package
      provides :package, os: 'solaris2', platform_family: 'nexentacore'
      provides :package, os: 'solaris2', platform_family: 'solaris2' do |node|
        # on >= Solaris 11 we default to IPS packages instead
        node[:platform_version].to_f <= 5.10
      end
    end
  end
end
[/ruby]
Resource and Provider Provides Lines
For every provides line in a Resource file there should generally be a corresponding provides line in the Provider file. Resources should no longer set the provider explicitly in the constructor of the Resource. It still works to explicitly define the provider in the Resource, but this will bypass dynamic provider resolution. It also still works to not have a provides line in the provider file, in which case mangling based on the resource name will still be able to determine the provider, but this is deprecated and soon Chef will warn and then eventually fail if you don't have matching provides lines in both the Resource and Provider.
Supported Provides Syntax
The provides line has 'os', 'platform' and 'platform_family' options which match either arrays or strings. It will also take a block that the node object is passed to and which is expected to return true if the wiring should be done on the node. When multiple matchers are present, all of the conditionals must be true. Multiple provides lines can be used for multiple conditions, and the array syntax also matches any of the array components.
[ruby]
provides :cookbook_file
provides :package, os: 'windows'
provides :rpm_package, os: [ 'linux', 'aix' ]
provides :package, os: 'solaris2', platform_family: 'smartos'
provides :package, platform: 'freebsd'
provides :package, os: 'linux', platform_family: [ 'rhel', 'fedora' ]
provides :package, os: 'solaris2', platform_family: 'solaris2' do |node|
  node[:platform_version].to_f <= 5.10
end
[/ruby]
The implementation of the syntax is contained within the lib/chef/node_map.rb file. A Chef::NodeMap object is a key-value store where the values can be inserted with conditions based on the node object (and then only if the node object matches will they be retrieved).
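The matching rules above, modelled as an added example (this is not Chef's code from lib/chef/node_map.rb). MiniNodeMap, the sample node hashes and stand-in values such as :windows_package are assumptions made for illustration, and returning the first registered match is this model's choice, not something the post specifies.

```ruby
# Simplified model of the matching rules; not Chef's lib/chef/node_map.rb.
# MiniNodeMap, its methods and the sample nodes are constructed for illustration.
class MiniNodeMap
  FILTER_KEYS = %i[os platform platform_family].freeze # on_platform alias omitted

  def initialize
    @map = {}
  end

  # Register +value+ under +key+, restricted by optional filters and a block.
  def set(key, value, filters = {}, &block)
    unknown = filters.keys - FILTER_KEYS
    # A mistyped filter key must fail loudly, not silently widen the match.
    raise ArgumentError, "unknown filter: #{unknown.join(', ')}" unless unknown.empty?

    (@map[key] ||= []) << { value: value, filters: filters, block: block }
    self
  end

  # First registered value whose filters AND block all accept the node, or nil.
  def get(node, key)
    entry = @map.fetch(key, []).find { |e| matches?(node, e) }
    entry && entry[:value]
  end

  private

  def matches?(node, entry)
    filters_ok = entry[:filters].all? do |attr, wanted|
      Array(wanted).include?(node[attr]) # a string, or any element of an array
    end
    filters_ok && (entry[:block].nil? || !!entry[:block].call(node))
  end
end

# Registrations mirroring the provides lines listed above (values are stand-ins).
PACKAGE_MAP = MiniNodeMap.new
PACKAGE_MAP.set(:cookbook_file, :cookbook_file)
PACKAGE_MAP.set(:package, :windows_package, os: 'windows')
PACKAGE_MAP.set(:rpm_package, :rpm_package, os: %w[linux aix])
PACKAGE_MAP.set(:package, :yum_package, os: 'linux', platform_family: %w[rhel fedora])
PACKAGE_MAP.set(:package, :solaris_package, os: 'solaris2', platform_family: 'solaris2') do |node|
  node[:platform_version].to_f <= 5.10
end

# Constructed node data; real nodes are populated by Ohai.
CENTOS     = { os: 'linux', platform: 'centos', platform_family: 'rhel', platform_version: '7.9' }.freeze
DEBIAN     = { os: 'linux', platform: 'debian', platform_family: 'debian', platform_version: '10' }.freeze
SOLARIS_10 = { os: 'solaris2', platform: 'solaris2', platform_family: 'solaris2', platform_version: '5.10' }.freeze
SOLARIS_11 = SOLARIS_10.merge(platform_version: '5.11').freeze

puts PACKAGE_MAP.get(CENTOS, :package).inspect     # every filter matched
puts PACKAGE_MAP.get(DEBIAN, :package).inspect     # os matched, platform_family did not
puts PACKAGE_MAP.get(SOLARIS_10, :package).inspect # filters and block both accepted
puts PACKAGE_MAP.get(SOLARIS_11, :package).inspect # block rejected the node
```

In this model a node that no entry accepts resolves to nil, which is what the Debian and Solaris 11 sample nodes get for `package`.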
Dynamic Provider Resolution
Providers also do dynamic resolution. They can additionally override the Chef::Provider.provides? and Chef::Provider.supports? methods to determine whether the platform supports a given provider (e.g. 'is systemd the init system or not?') and whether the provider provides? a given resource (e.g. "is service 'foo' managed by sysv init scripts or upstart?"). This is almost entirely designed to dynamically handle the use case of Linux init script systems, and the details are out of the scope of this blog post for today. Adventuresome users can poke around the service providers.
LWRP usage
This can be used to wire up LWRPs to arbitrary names! You are no longer bound by the '[cookbook_name]_[provider_filename]' default and can even wire up your own LWRPs to the package provider if you want to (although there be dragons: consider that if we ever implement the package provider on your platform in core chef, your custom package provider will collide with the new core chef one and you may break in a minor release, since this is an API extension for us and not a breaking change for our API).
A simple example:
resources/default.rb:
[ruby]
actions :run
default_action :run
provides :foo_bar
attribute :thing, kind_of: String, name_attribute: true
[/ruby]
providers/default.rb:
[ruby]
use_inline_resources
provides :foo_bar
action :run do
  Chef::Log.warn new_resource.thing
end
[/ruby]
recipes/default.rb:
[ruby]
foo_bar 'baz'
[/ruby]
LWRP Chef-11 BackCompat
It turns out that Chef-11 supports the 'provides' syntax on resources, so this feature can be used in community cookbooks and other places where Chef-11 backcompat is still important. Chef-12 simply improved on the API which was already present for Resources. Chef-11 does not allow the 'provides' syntax on Providers, and it only takes an 'on_platform:' argument (Chef-12 also supports 'on_platform' as an alias for 'platform' for back-compat). To rename LWRPs and maintain Chef-11 backcompat, simply drop the 'provides' line from the Provider, or ideally protect it with an 'if respond_to?(:provides)' check.
Status
The dynamic Provider and Resolver features are still under development and were not completed with Chef 12. There are still entries in the Chef::Platform platform_map which need to be converted into dynamic resolution and emptied out. Eventually that hash table needs to be completely dropped. There is magic name-to-class mangling that occurs in both Resources and Providers that will be dropped. There are useful helper modules for determining the init system the host is using which need to be exposed as DSL helper methods to assist in writing cookbook code that needs to switch behavior based on the init system actually being used.
There are also currently no docs at docs.chef.io for any of these APIs (if your name is James Scott you should ping me about fixing this).