Merge branch 'master' into 11-stable

Conflicts:
	CHANGELOG.md
	CONTRIBUTIONS.md
	RELEASE_NOTES.md
	chef.gemspec
	lib/chef/version.rb
	spec/unit/application/client_spec.rb

1 files changed, 84 insertions, 197 deletions

diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md
index a3d675c48c..d05d98eedd 100644
--- a/RELEASE_NOTES.md
+++ b/RELEASE_NOTES.md
@@ -1,232 +1,119 @@
-<!---
-This file is reset every time a new release is done. The contents of this file are for the currently unreleased version.
+# Chef Client Release Notes 11.14.0:
 
-Example Note:
+### CHEF-5223 OS X Service provider regression.
 
-## Example Heading
-Details about the thing that changed that needs to get included in the Release Notes in markdown.
--->
-# Chef Client Release Notes 11.12.0:
-
-#### `knife ssl check` and `knife ssl fetch` Commands
-
-As part of our process to transition to verifying SSL certificates by
-default, we've added knife commands to help you test (and fix, if
-needed) your SSL configuration.
-
-`knife ssl check` makes an SSL connection to your Chef server or any
-other HTTPS server and tells you if the server presents a valid
-certificate. If the certificate is not valid, knife will give further
-information about the cause and some instructions on how to remedy the
-issue. For example, if your Chef server uses an untrusted self-signed
-certificate:
-
-```
-ERROR: The SSL certificate of chefserver.test could not be
-verified
-Certificate issuer data:
-/C=US/ST=WA/L=Seattle/O=YouCorp/OU=Operations/CN=chefserver.test/emailAddress=you@example.com
+This commit: https://github.com/opscode/chef/commit/024b1e3e4de523d3c1ebbb42883a2bef3f9f415c
+introduced a requirement that a service have a plist file for any
+action, but a service that is being created will not have a plist file
+yet. Chef now only requires that a service have a plist for the enable
+and disable actions.
 
-Configuration Info:
+### Signal Regression Fix
 
-OpenSSL Configuration:
-* Version: OpenSSL 1.0.1e 11 Feb 2013
-* Certificate file: /usr/local/etc/openssl/cert.pem
-* Certificate directory: /usr/local/etc/openssl/certs
-Chef SSL Configuration:
-* ssl_ca_path: nil
-* ssl_ca_file: nil
-* trusted_certs_dir: "/Users/ddeleo/.chef/trusted_certs"
+CHEF-1761 introduced a regression for signal handling when not in daemon mode
+(see CHEF-5172). Chef will now, once again, exit immediately on SIGTERM if it
+is not in daemon mode, otherwise it will complete it's current run before
+existing.
 
-TO FIX THIS ERROR:
+### Ubuntu 13.10+ uses Upstart service provider.
 
-If the server you are connecting to uses a self-signed certificate, you
-must
-configure chef to trust that server's certificate.
+The "compatibility interface" for /etc/init.d/ is no longer used at least as of
+13.10 (per the Ubuntu wiki page). The default service provider in Chef for Ubuntu
+is C:\:\P::S::Debian, which uses /etc/init.d/service_name with the start, stop,
+etc commands to manage the script. If you are able to use the init provider just
+fine, you will need to manually override the provider back to Debian.
 
-By default, the certificate is stored in the following location on the
-host
-where your chef-server runs:
 
-  /var/opt/chef-server/nginx/ca/SERVER_HOSTNAME.crt
+### New knife command: knife serve
+You can now run a persistent chef-zero against your local repository:
 
-Copy that file to you trusted_certs_dir (currently: /home/user/.chef/trusted_certs)
-using SSH/SCP or some other secure method, then re-run this command to confirm
-that the server's certificate is now trusted.
+```
+knife serve
 ```
 
-`knife ssl fetch` allows you to automatically fetch a server's
-certificates to your trusted certs directory. This provides an easy way
-to configure chef to trust your self-signed certificates. Note that
-knife cannot verify that the certificates haven't been tampered with, so
-you should verify their content after downloading.
-
-
-#### Unsecure SSL Verification Mode Now Triggers a Warning
-
-When `ssl_verify_mode` is set to `:verify_none`, Chef will print a
-warning. Use `knife ssl check` to test SSL connectivity and then add
-`ssl_verify_mode :verify_peer` to your configuration file to fix the
-warning. Though `:verify_none` is currently the default, this will be
-changed in a future release, so users are encouraged to be proactive in
-testing and updating their SSL configuration.
-
-#### Chef Solo Missing Dependency Warning ([CHEF-4367](https://tickets.opscode.com/browse/CHEF-4367))
-
-Chef 11.0 introduced ordered evaluation of non-recipe files in
-cookbooks, based on the dependencies specified in your cookbooks'
-metadata. This was a huge improvement on the previous behavior for all
-chef users, but it also introduced a problem for chef-solo users:
-because of the way chef-solo works, it was possible to use
-`include_recipe` to load a recipe from a cookbook without specifying the
-dependency in the metadata. This would load the recipe without having
-evaluated the associated attributes, libraries, LWRPs, etc. in that
-recipe's cookbook, and the recipe would fail to load with errors that
-did not suggest the actual cause of the failure.
-
-We've added a check to `include_recipe` so that attempting to include a
-recipe which is not a dependency of any cookbook specified in the run
-list will now log a warning with a message describing the problem and
-solution. In the future, this warning will become an error.
-
-#### Windows MSI Package Provider
+knife serve takes --chef-zero-host=HOST, --chef-zero-port=PORT and --chef-repo-path=PATH variables. By default, it will do exactly the same thing as the local mode argument to knife and chef-client (-z), locating your chef-repo-path automatically and binding to port 8900.  It will print the URL it is bound to so that you can add it to your knife.rb files.
 
-The first windows package provider has been added to core Chef. It supports Windows Installer (MSI) files only,
-and maintains idempotency by using the ProductCode from inside the MSI to determine if the products installation state.
+### --run-lock-timeout for chef-client and chef-solo
+You can now add a timeout for the maximum time a client run waits on another client run to finish.
+The default is to wait indefinitely.
+Setting the run lock timeout to 0 causes the second client run to exit immediately.
 
+This can be configured in your config file:
 ```
-package "install 7zip" do
-  action :install
-  source 'c:\downloads\7zip.msi'
-end
+run_lock_timeout SECONDS
 ```
 
-You can continue to use the windows_package LWRP from the windows cookbook alongside this provider.
-
-#### reboot_pending?  
-
-We have added a ```reboot_pending?``` method to the recipe DSL. This method returns true or false if the operating system
-has a rebooting pending due to updates and a reboot being necessary to complete the installation. It does not report if a reboot has been requested, e.g. if someone has scheduled a restart using shutdown. It currently supports Windows and Ubuntu Linux.
-
+Or via the command line:
 ```
-Chef::Log.warn "There is a pending reboot, which will affect this Chef run" if reboot_pending?
-
-execute "Install Application" do
-  command 'C:\application\setup.exe'
-  not_if { reboot_pending? }
-end
+chef-client --run-lock-timeout SECONDS
 ```
 
-#### FileEdit
-
-Chef::Util::FileEdit has been refactored into a Chef::Util::Editor class. The existing class continues to manage the files being edited while the new class handles the actual modification of the data.
-Along with this refactor, #insert_line_if_no_match can now manipulate a file multiple times. FileEdit also now has a #file_edited? method that can be used to tell if changes were made to the file on disk.
-
-#### DeepMerge sub-hash precedence bugfix ([CHEF-4918](https://tickets.opscode.com/browse/CHEF-4918))
-
-We discovered a bug where Chef incorrectly merged override attribute sub-hashes that were at least three levels deep as normal attributes.
-This has been corrected, and is not expected to cause any behavior change
-If you're an advanced user of attribute precedence, you may find some attributes were saved to your node object that you hadn't expected.
-
-#### Cron Resource
-
-The weekday attribute now accepts the weekday as a symbol, e.g. :monday or :thursday.
-There is a new attribute named ```time``` that takes special cron time values as a symbol, such as :reboot or :monthly.
-
-#### `guard_interpreter` attribute
-
-All Chef resources now support the `guard_interpreter` attribute, which
-enables you to use a Chef `script` such as `bash`, `powershell_script`,
-`perl`, etc., to evaluate the string command passed to a
-guard (i.e. `not_if` or `only_if` attribute). This addresses the related ticket
-[CHEF-4553](https://tickets.opscode.com/browse/CHEF-4453) which is concerned
-with the usability of the `powershell_script` resource, but also benefits
-users of resources like `python`, `bash`, etc:
-
-    # See CHEF-4553 -- let powershell_script execute the guard
-    powershell_script 'make_logshare' do
-      guard_interpreter :powershell_script
-      code 'new-smbshare logshare $env:systemdrive\\logs'
-      not_if 'get-smbshare logshare'
-    end
+### New knife command: knife node environment set
+You can now easily set the environment for an existing node without editing the node object:
 
-#### `convert_boolean_return` attribute for `powershell_script`
-
-When set to `true`, the `convert_boolean_return` attribute will allow any script executed by
-`powershell_script` that exits with a PowerShell boolean data type to convert
-PowerShell boolean `$true` to exit status 0 and `$false` to exit status 1.
-
-The new attribute defaults to `false` except when the `powershell_script` resource is executing script passed to a guard attribute
-via the `guard_interpreter` attribute in which case it is `true` by default.
-
-#### knife bootstrap log_level
-
-Running ```knife bootstrap -V -V``` will run the initial chef-client with a log level of debug.
-
-#### knife cookbook test
-
-Knife cookbook test now respects [chefignore files](http://docs.opscode.com/essentials_repository.html#chefignore-files), allowing you to exclude unrelated ruby code such as unit tests.
-
-#### Miscellaneous
-
-* The subversion resource will now mask plaintext passwords in error output.
-* The debian pkg provider now supports epochs in the version string.
-* When a cookbook upload is missing multiple dependencies, all of them are now listed.
-* knife node run_list add now supports a --before option.
-
-#### OHAI 7
-
-After spending 3 months in the RC stage, OHAI 7 is now included in Chef Client 11.10.0. Note that Chef Client 10.32.0 still includes OHAI 6.
-
-For more information about the changes in OHAI 7 please see our previous blog post [here](http://www.getchef.com/blog/2014/01/20/ohai-7-0-release-candidate/).
-
-# Chef Client Breaking Changes:
-
-#### OpenSuse and Suse Differentiation
-
-The Ohai version currently included in Chef reports both SUSE and OpenSUSE platforms as "suse" and the way to differentiate between these two platforms has been to use the version numbers. But since SUSE version numbers have caught up with OpenSUSE, it's not possible to differentiate between these platforms anymore.
-
-This issue is being resolved in Ohai 7 that is included in the current release of Chef Client by reporting these two platforms separately. This resolves the overall problem however it's a breaking change in the sense that OpenSUSE platforms will be reported as "opensuse" as the platform.
-
-Normally Chef would require a major version bump for this change but since the original scenario is currently broken we've decided to include this change without a major version bump in Chef.
+```
+knife node environment set NODE ENVIRONMENT
+```
+### New configurable knife bootstrap options for chef-full template
+You can now modify the chef-full template with the following options in `knife bootstrap`:
 
-If you need to differentiate between OpenSUSE and SUSE in your cookbooks, please make sure the differentiation logic is updated to use the new :platform attribute values rather than the :platform_version in your cookbooks before upgrading to this version.
+* `--bootstrap-install-sh URL` fetches and executes an installation bash script from the provided URL.
+* `--bootstrap-wget-options OPTIONS` and `--bootstrap-curl-options OPTIONS` allow arbitrary options to be added to wget and curl.
+* `--bootstrap-install-command COMMAND` can be used to execute a custom chef-client installation command sequence. Take note that this cannot be used in conjunction with the above options.
 
-#### CHEF-5223 OS X Service provider regression.
+### Parallelize cookbook synchronization
 
-This commit: https://github.com/opscode/chef/commit/024b1e3e4de523d3c1ebbb42883a2bef3f9f415c
-introduced a requirement that a service have a plist file for any
-action, but a service that is being created will not have a plist file
-yet. Chef now only requires that a service have a plist for the enable
-and disable actions.
+You can now synchronize your cookbooks faster by parallelizing the process. You can specify the number of helper threads in your config file with `cookbook_sync_threads NUM_THREADS`. The default is 10. Increasing `NUM_THREADS` can result in gateway errors from the chef server (namely 503 and 504). If you are experiencing these often, consider decreasing `NUM_THREADS` to fewer than default.
 
-#### Signal Regression Fix
+### New chef config options: Whitelisting for the attributes saved by the node
 
-CHEF-1761 introduced a regression for signal handling when not in daemon mode
-(see CHEF-5172). Chef will now, once again, exit immediately on SIGTERM if it
-is not in daemon mode, otherwise it will complete it's current run before
-existing.
+You can now whitelist attributes that will be saved by the node by providing a hash with the keys you want to include. Whitelist filters are described for each attribute level: `automatic_attribute_whitelist`, `default_attribute_whitelist`, `normal_attribute_whitelist`, and `override_attribute_whitelist`.
 
-#### Disabling plugins with Ohai 7
+If your automatic attribute data looks like
+````
+{
+  "filesystem" => {
+    "/dev/disk0s2" => {
+      "size" => "10mb"
+    },
+    "map - autohome" => {
+      "size" => "10mb"
+    }
+  },
+  "network" => {
+    "interfaces" => {
+      "eth0" => {...},
+      "eth1" => {...},
+    }
+  }
+}
+````
+and your config file looks like
+````
+automatic_attribute_whitelist = ["network/interfaces/eth0"]
+````
+then the entire `filesystem` and `eth1` subtrees will not be saved by the node. To save the `/dev/disk0s2` subtree, you must write `automatic_attribute_whitelist = [ ["filesystem", "/dev/disk0s2"] ]`.
 
-Ohai 7 is backwards compatible with Ohai 6 plugins. However the code to disable plugins have changed slightly.
+If your config file looks like `automatic_attribute_whitelist = []`, then none of your automatic attribute data will be saved by the node.
 
-Previously the code to disable plugins:
+The default behavior is for the node to save all the attribute data. This can be ensured by setting your whitelist filter to `nil`.
 
-```
-Ohai::Config[:disabled_plugins] = ["passwd","dmi"]
-```
+We recommend only using `automatic_attribute_whitelist` to reduce the size of the system data being stored for nodes, and discourage the use of the other attribute whitelists except by advanced users.
 
-should change to
+### Set proxy environment variables if present in your config file.
 
-```
-Ohai::Config[:disabled_plugins] = [:Passwd,:Dmi]
+If `:http_proxy`, `:https_proxy`, `:ftp_proxy`, or `:no_proxy` is found in your config file, we will configure your environment variables according to the variable form and configuration info given. If your config file looks like
 
-```
+````
+http_proxy "http://proxy.example.org:8080"
+http_proxy_user "myself"
+http_proxy_pass "Password1"
+````
 
-if you want to disable custom Ohai 6 plugins in addition to Ohai 7 plugins you can do:
+then Chef will set `ENV['http_proxy'] = "http://myself:Password1@proxy.example.org:8080"`
 
-```
-Ohai::Config[:disabled_plugins] = [:Passwd,:Dmi,"my_plugin"]
+### -E is not respected by knife ssh [search]
+knife now includes a warning in the -E/--environment option that this setting is ignored by knife searches.
 
-```
+### New configurable option :yum-lock-timeout
+You can now set the timeout for receiving the yum lock in `config.rb` by adding `yum-lock-timeout SECONDS` (default is 30 seconds).