_This file holds "in progress" release notes for the current release under development and is intended for consumption by the Chef Documentation team. Please see for the official Chef release notes._ # Chef Client Release Notes 13.12 ## Smaller Package and Install Size We trimmed unnecessary installation files, greatly reducing the sizes of both Chef packages and on disk installations. MacOS/Linux/FreeBSD packages are ~50% smaller and Windows are ~12% smaller. Chef 13 is now smaller than a legacy Chef 10 package. ## macOS Mojave (10.14) Chef is now tested against macOS Mojave and packages are now available at downloads.chef.io. ## SUSE Linux Enterprise Server 15 - Ohai now properly detects SLES 15 - The Chef package will no longer remove symlinks to chef-client and ohai when upgrading on SLES 15 ## Updated Chef-Vault Updating chef-vault to 3.4.2 resolved multiple bugs. ## Faster Windows Installations Improved Windows installation speed by skipping unnecessary steps when Windows Installer 5.0 or later is available. ## Ohai Release Notes 13.12 ### macOS Improvements - sysctl commands have been modified to gather only the bare minimum required data, which prevents sysctl hanging in some scenarios - Extra data has been removed from the system_profile plugin, reducing the amount of data stored on the chef-server for each node ## New Deprecations ### system_profile Ohai plugin removal The system_profile plugin will be removed from Chef/Ohai 15 in April, 2019. This plugin incorrectly returns data on modern Mac systems. Further, the hardware plugin returns the same data in a more readily consumable format. Removing this plugin reduces the speed of the Ohai return by ~3 seconds and also greatly reduces the node object size on the Chef server ### ohai_name property in ohai resource The ``ohai`` resource's unused ``ohai_name`` property has been deprecated. This will be removed in Chef 15.0. ## Security Updates ### Ruby 2.4.5 Ruby has been updated to from 2.4.4 to 2.4.5 to resolve multiple CVEs as well as bugs: - [CVE-2018-16396](https://www.ruby-lang.org/en/news/2018/10/17/not-propagated-taint-flag-in-some-formats-of-pack-cve-2018-16396/) - [CVE-2018-16395](https://www.ruby-lang.org/en/news/2018/10/17/openssl-x509-name-equality-check-does-not-work-correctly-cve-2018-16395/) # Chef Client Release Notes 13.11 ### Sensitive Properties on Windows - `windows_service` no longer logs potentially sensitive information when a service is setup - `windows_package` now respects the `sensitive` property to avoid logging sensitive data in the event of a package installation failure ### Other Fixes - `remote_directory` now properly loads files in the root of a cookbook's `files` directory - `osx_profile` now uses the full path the profiles CLI tool to avoid running other binaries of the same name in a users path - `package` resources that don't support the `allow_downgrade` property will no longer fail - `knife bootstrap windows` error messages have been improved ## Security Updates ### OpenSSL - OpenSSL has been updated to 1.0.2p to resolve [CVE-2018-0732](https://nvd.nist.gov/vuln/detail/CVE-2018-0732) and [CVE-2018-0737](https://nvd.nist.gov/vuln/detail/CVE-2018-0737) ### Rubyzip - Updated Rubyzip to 1.2.2 to resolve [CVE-2018-1000544](https://nvd.nist.gov/vuln/detail/CVE-2018-1000544) # Chef Client Release Notes 13.10 ## Bugfixes - Resolves a duplicate logging getting created when redirecting stdout - Using --recipe-url with a local file on Windows no longer fails - Service resource no longer throws Ruby deprecation warnings on Windows ## Ohai 13.10 Improvements - Correctly identify the platform_version on the final release of Amazon Linux 2.0 - Detect nodes with the DMI data of "OpenStack Compute" as being OpenStack nodes ## Security Updates ### ffi Gem - CVE-2018-1000201: DLL loading issue which can be hijacked on Windows OS # Chef Client Release Notes 13.9.X: ## Security Updates Ruby has been updated to 2.4.4 - CVE-2017-17742: HTTP response splitting in WEBrick - CVE-2018-6914: Unintentional file and directory creation with directory traversal in tempfile and tmpdir - CVE-2018-8777: DoS by large request in WEBrick - CVE-2018-8778: Buffer under-read in String#unpack - CVE-2018-8779: Unintentional socket creation by poisoned NUL byte in UNIXServer and UNIXSocket - CVE-2018-8780: Unintentional directory traversal by poisoned NUL byte in Dir - Multiple vulnerabilities in RubyGems Nokogiri has been updated to 1.8.2 - [MRI] Behavior in libxml2 has been reverted which caused CVE-2018-8048 (loofah gem), CVE-2018-3740 (sanitize gem), and CVE-2018-3741 (rails-html-sanitizer gem). OpenSSL has been updated to 1.0.2o - CVE-2018-0739: Constructed ASN.1 types with a recursive definition could exceed the stack. ## Platform Updates As Debian 7 is now end of life we will no longer produce Debian 7 chef-client packages. ## Ifconfig on Ubuntu 18.04 Incompatibilities with Ubuntu 18.04 in the ifconfig resource have been resolved. ## Ohai Updated to 13.9.2 ### Virtualization detection on AWS Ohai now detects the virtualization hypervisor `amazonec2` when running on Amazon's new C5/M5 instances. ### Configurable DMI Whitelist The whitelist of DMI IDs is now user configurable using the `additional_dmi_ids` configuration setting, which takes an Array. ### Filesystem2 on BSD The Filesystem2 functionality has been backported to BSD systems to provide a consistent filesystem format. # Chef Client Release Notes 13.9.1: ## Platform Additions Enable Ubuntu-18.04 and Debian-9 tested chef-client packages. # Chef Client Release Notes 13.9: - On Windows, the installer now correctly re-extracts files during repair mode - The mount resource will now not create duplicate entries when the device type differs - Ensure we don't request every remote file when running with lazy loading enabled - Don't crash when getting the access rights for Windows system accounts ## Custom Resource Improvements We've expanded the DSL for custom resources with new functionality to better document your resources and help users with errors and upgrades. Many resources in Chef itself are now using this new functionality, and you'll see more updated to take advantage of this it in the future. ### Deprecations in Cookbook Resources Chef 13 provides new primitives that allow you to deprecate resources or properties with the same functionality used for deprecations in Chef Client resources. This allows you make breaking changes to enterprise or community cookbooks with friendly notifications to downstream cookbook consumers directly in the Chef run. Deprecate the foo_bar resource in a cookbook: ```ruby deprecated "The foo_bar resource has been deprecated and will be removed in the next major release of this cookbook scheduled for 12/25/2018!" property :thing, String, name_property: true action :create do # you'd probably have some actual chef code here end ``` Deprecate the thing2 property in a resource ```ruby property :thing2, String, deprecated: 'The thing2 property has been deprecated and will be removed in the next major release of this cookbook scheduled for 12/25/2018!' ``` Rename a property with a deprecation warning for users of the old property name ```ruby deprecated_property_alias 'thing2', 'the_second_thing', 'The thing2 property was renamed the_second_thing in the 2.0 release of this cookbook. Please update your cookbooks to use the new property name.' ``` ### validation_message Validation messages allow you give the user a friendly error message when any validation on a property fails. Provide a friendly message when a regex fails: ```ruby property :repo_name, String, regex: [/^[^\/]+$/], validation_message: "The repo_name property cannot contain a forward slash '/'", ``` ### Resource Documentation You can now include documentation that describes how a resource is to be used. Expect this data to be consumed by Chef and other tooling in future releases. A resource which includes description and introduced values in the resource, actions, and properties: ```ruby description 'The apparmor_policy resource is used to add or remove policy files from a cookbook file' introduced '14.1' property :source_cookbook, String, description: 'The cookbook to source the policy file from' property :source_filename, String, description: 'The name of the source file if it differs from the apparmor.d file being created' action :add do description 'Adds an apparmor policy' # you'd probably have some actual chef code here end ``` # Ohai Release Notes 13.9: - Fix uptime parsing on AIX - Fix Softlayer cloud detection - Use the current Azure metadata endpoint - Correctly detect macOS guests on VMware and VirtualBox # Chef Client Release Notes 13.8: ## Revert attributes changes from 13.7 Per , there was a regression in how arrays and hashes were handled in 13.7\. In 13.8, we've reverted to the same code as 13.6. ## Continuing work on `windows_task` 13.8 has better validation for the `idle_time` property, when using the `on_idle` frequency. ## Security Updates - Updated libxml2 to 2.9.7; fixes: CVE-2017-15412 # Chef Client Release Notes 13.7: ## The `windows_task` Resource should be better behaved We've spent a considerable amount of time testing and fixing the `windows_task` resource to ensure that it is properly idempotent and correct in more situations. ## Credentials handling Previously, chef on the workstation used `knife.rb` or `config.rb` to handle credentials. This didn't do a great job when interacting with multiple Chef servers, leading to the need for tools like `knife_block`. We've added support for a credentials file that can contain configuration for many Chef servers (or organizations), and we've made it easy to indicate which account you mean to use. ## New deprecations ### `erl_call` Resource We introduced `erl_call` to help us to manage CouchDB servers back in the olden times of Chef. Since then, we've noticed that no-one uses it, and so `erl_call` will be removed in Chef 14\. Foodcritic rule FC105 has been introduced to detect usage of erl_call. ### epic_fail The original name for the ignore_failure property in resources was epic_fail. Our documentation hasn't referred to epic_fail for years and out of the 3500 cookbooks on the Supermarket only one uses epic_fail. In Chef 14 we will remove the epic_fail property entirely. Foodcritic rule FC107 has been introduced to detect usage of epic_fail. ### Legacy Mixins In Chef 14 several legacy legacy mixins will be removed. Usage of these mixins has resulted in deprecation warnings for several years. They were traditionally used in some HWRPs, but are rarely found in code available on the Supermarket. Foodcritic rules FC097, FC098, FC099, FC100, and FC102 have been introduced to detect these mixins. - Chef::Mixin::LanguageIncludeAttribute - Chef::Mixin::RecipeDefinitionDSLCore - Chef::Mixin::LanguageIncludeRecipe - Chef::Mixin::Language - Chef::DSL::Recipe::FullDSL ### :uninstall action in chocolatey_package The chocolatey cookbook's chocolatey_package resource originally contained an :uninstall action. When chocolatey_package was moved into core Chef we made :uninstall an alias for :remove. In Chef 14 :uninstall will no longer be a valid action. Foodcritic rule FC103 has been introduced to detect the usage of the :uninstall action. ## Bugfixes - Resolved a bug where knife commands that prompted on Windows would never display the prompt - Fixed hiding of sensitive resources when converge_if_changed was used - Fixed scenarios where services would fail to start on Solaris ## Security Updates - OpenSSL has been upgraded to 1.0.2n to resolve CVE-2017-3738, CVE-2017-3737, CVE-2017-3736, and CVE-2017-3735. - Ruby has been upgraded to 2.4.3 to resolve CVE-2017-17405 ## Ohai 13.7 Release Notes: ### Network Tunnel Information The Network plugin on Linux hosts now gathers additional information on tunnels ### LsPci Plugin The new LsPci plugin provides a `node[:pci]` hash with information about the PCI bus based on `lspci`. Only runs on Linux. ### EC2 C5 Detection The EC2 plugin has been updated to properly detect the new AWS hypervisor used in the C5 instance types ### mdadm The mdadm plugin has been updated to properly handle arrays with more than 10 disks and to properly handle journal and spare drives in the disk counts # Chef Client Release Notes 13.6.4: ## Bugfixes - Resolved a regression in 13.6.0 that prevented upgrading packages on Debian/Ubuntu when the package name contained a tilde. ## Security Updates - OpenSSL has been upgraded to 1.0.2m to resolve CVE-2017-3735 and CVE-2017-3736 - RubyGems has been upgraded to 2.6.14 to resolve CVE-2017-0903 # Chef Client Release Notes 13.6: ## `deploy` Resource Is Deprecated The `deploy` resource (and its alter ego `deploy_revision`) have been deprecated, to be removed in Chef 14\. This is being done because this resource is considered overcomplicated and error-prone in the modern Chef ecosystem. A compatibility cookbook will be available to help users migrate during the Chef 14 release cycle. See [the deprecation documentation](https://docs.chef.io/deprecations_deploy_resource.html) for more information. ## zypper_package supports package downgrades `zypper_package` now supports downgrading installed packages with the `allow_downgrade` property. ## InSpec updated to 1.42.3 ## Reserve certain Data Bag names It's no longer possible to create data bags named `node`, `role`, `client`, or `environment`. Existing data bags will continue to work as before. ## Properly use yum on RHEL 7 If both dnf and yum were installed, in some circumstances the yum provider might choose to run dnf, which is not what we intended it to do. It now properly runs yum, all the time. ## Ohai 13.6 Release Notes: ### Critical Plugins Users can now specify a list of plugins which are `critical`. Critical plugins will cause Ohai to fail if they do not run successfully (and thus cause a Chef run using Ohai to fail). The syntax for this is: ``` ohai.critical_plugins << :Filesystem ``` ### Filesystem now has a `allow_partial_data` configuration option The Filesystem plugin now has a `allow_partial_data` configuration option. If set, the filesystem will return whatever data it can even if some commands it ran failed. ### Rackspace detection on Windows Windows nodes running on Rackspace will now properly detect themselves as running on Rackspace without a hint file. ### Package data on Amazon Linux The Packages plugin now supports gathering packages data on Amazon Linux ### Deprecation updates In Ohai 13 we replaced the filesystem and cloud plugins with the filesystem2 and cloud_v2 plugins. To maintain compatibility with users of the previous V2 plugins we write data to both locations. We had originally planned to continue writing data to both locations until Chef 15\. Instead due to the large amount of duplicate node data this introduces we are updating OHAI-11 and OHAI-12 deprecations to remove node['cloud_v2'] and node['filesystem2'] with the release of Chef 14 in April 2018. # Chef Client Release Notes 13.5: ## Mount's password property is now marked as sensitive This means that passwords passed to mount won't show up in logs. ## The `windows_task` resource now correctly handles `start_day` Previously, the resource would accept any date that was formatted correctly in the local locale, unlike the Windows cookbook and Windows itself. We now only support the `MM/DD/YYYY` format, in common with the Windows cookbook. ## InSpec updated to 1.39.1 ## Ohai 13.5 Release Notes: ### Correctly detect IPv6 routes ending in :: Previously we would ignore routes that ended `::`, and now we properly detect them. ### Plugin run time is now measured Debug logs will show the length of time each plugin takes to run, making debugging of long ohai runs easier. # Chef Client Release Notes 13.4: ## Security release of Ruby Chef Client 13.4 includes Ruby 2.4.2 to fix the following CVEs: - CVE-2017-0898 - CVE-2017-10784 - CVE-2017-14033 - CVE-2017-14064 ## Security release of RubyGems Chef Client 13.4 includes RubyGems 2.6.13 to fix the following CVEs: - CVE-2017-0899 - CVE-2017-0900 - CVE-2017-0901 - CVE-2017-0902 ## Ifconfig provider on Red Hat now supports additional properties It is now possible to set `ETHTOOL_OPTS`, `BONDING_OPTS`, `MASTER` and `SLAVE` properties on interfaces on Red Hat compatible systems. See for further information ### Properties - `ethtool\_opts`
**Ruby types:** String
**Platforms:** Fedora, RHEL, Amazon Linux A string containing arguments to ethtool. The string will be wrapped in double quotes, so ensure that any needed quotes in the property are surrounded by single quotes - `bonding\_opts`
**Ruby types:** String
**Platforms:** Fedora, RHEL, Amazon Linux A string containing configuration parameters for the bonding device. - `master`
**Ruby types:** String
**Platforms:** Fedora, RHEL, Amazon Linux The channel bonding interface that this interface is linked to. - `slave`
**Ruby types:** String
**Platforms:** Fedora, RHEL, Amazon Linux Whether the interface is controlled by the channel bonding interface defined by `master`, above. ## Chef Vault is now included Chef Client 13.4 now includes the `chef-vault` gem, making it easier for users of chef-vault to use their encrypted items. ## Windows `remote_file` resource with alternate credentials The `remote_file` resource now supports the use of credentials on Windows when accessing a remote UNC path on Windows such as `\\myserver\myshare\mydirectory\myfile.txt`. This allows access to the file at that path location even if the Chef client process identity does not have permission to access the file. The new properties `remote_user`, `remote_domain`, and `remote_password` may be used to specify credentials with access to the remote file so that it may be read. **Note**: This feature is mainly used for accessing files between two nodes in different domains and having different user accounts. In case the two nodes are in same domain, `remote_file` resource does not need `remote_user` and `remote_password` specified because the user has the same access on both systems through the domain. ### Properties The following properties are new for the `remote_file` resource: - `remote_user`
**Ruby types:** String
_Windows only:_ The user name of a user with access to the remote file specified by the `source` property. Default value: `nil`. The user name may optionally be specifed with a domain, i.e. `domain\user` or `user@my.dns.domain.com` via Universal Principal Name (UPN) format. It can also be specified without a domain simply as `user` if the domain is instead specified using the `remote_domain` attribute. Note that this property is ignored if `source` is not a UNC path. If this property is specified, the `remote_password` property **must** be specified. - `remote_password`
**Ruby types** String
_Windows only:_ The password of the user specified by the `remote_user` property. Default value: `nil`. This property is mandatory if `remote_user` is specified and may only be specified if `remote_user` is specified. The `sensitive` property for this resource will automatically be set to `true` if `remote_password` is specified. - `remote_domain`
**Ruby types** String
_Windows only:_ The domain of the user user specified by the `remote_user` property. Default value: `nil`. If not specified, the user and password properties specified by the `remote_user` and `remote_password` properties will be used to authenticate that user against the domain in which the system hosting the UNC path specified via `source` is joined, or if that system is not joined to a domain it will authenticate the user as a local account on that system. An alternative way to specify the domain is to leave this property unspecified and specify the domain as part of the `remote_user` property. ### Examples Accessing file from a (different) domain account ```ruby remote_file "E://domain_test.txt" do source "\\\\myserver\\myshare\\mydirectory\\myfile.txt" remote_domain "domain" remote_user "username" remote_password "password" end ``` OR ```ruby remote_file "E://domain_test.txt" do source "\\\\myserver\\myshare\\mydirectory\\myfile.txt" remote_user "domain\\username" remote_password "password" end ``` Accessing file using a local account on the remote machine ```ruby remote_file "E://domain_test.txt" do source "\\\\myserver\\myshare\\mydirectory\\myfile.txt" remote_domain "." remote_user "username" remote_password "password" end ``` OR ```ruby remote_file "E://domain_test.txt" do source "\\\\myserver\\myshare\\mydirectory\\myfile.txt" remote_user ".\\username" remote_password "password" end ``` ## windows_path resource `windows_path` resource has been moved to core chef from windows cookbook. Use the `windows_path` resource to manage the path environment variable on Microsoft Windows. ### Actions - `:add` - Add an item to the system path - `:remove` - Remove an item from the system path ### Properties - `path` - Name attribute. The name of the value to add to the system path ### Examples Add Sysinternals to the system path ```ruby windows_path 'C:\Sysinternals' do action :add end ``` Remove 7-Zip from the system path ```ruby windows_path 'C:\7-Zip' do action :remove end ``` ## Ohai Release Notes 13.4 ### Windows EC2 Detection Detection of nodes running in EC2 has been greatly improved and should now detect nodes 100% of the time including nodes that have been migrated to EC2 or were built with custom AMIs. ### Azure Metadata Endpoint Detection Ohai now polls the new Azure metadata endpoint, giving us additional configuration details on nodes running in Azure Sample data now available under azure: ```javascript { "metadata": { "compute": { "location": "westus", "name": "timtest", "offer": "UbuntuServer", "osType": "Linux", "platformFaultDomain": "0", "platformUpdateDomain": "0", "publisher": "Canonical", "sku": "17.04", "version": "17.04.201706191", "vmId": "8d523242-71cf-4dff-94c3-1bf660878743", "vmSize": "Standard_DS1_v2" }, "network": { "interfaces": { "000D3A33AF03": { "mac": "000D3A33AF03", "public_ipv6": [ ], "public_ipv4": [ "52.160.95.99", "23.99.10.211" ], "local_ipv6": [ ], "local_ipv4": [ "10.0.1.5", "10.0.1.4", "10.0.1.7" ] } }, "public_ipv4": [ "52.160.95.99", "23.99.10.211" ], "local_ipv4": [ "10.0.1.5", "10.0.1.4", "10.0.1.7" ], "public_ipv6": [ ], "local_ipv6": [ ] } } } ``` ### Package Plugin Supports Arch Linux The Package plugin has been updated to include package information on Arch Linux systems. # Chef Client Release Notes 13.3: ## Unprivileged Symlink Creation on Windows Chef can now create symlinks without privilege escalation, which allows for the creation of symlinks on Windows 10 Creator Update. ## nokogiri Gem The nokogiri gem is once again bundled with the omnibus install of Chef ## zypper_package Options It is now possible to pass additional options to the zypper in the zypper_package resource. This can be used to pass any zypper CLI option ### Example: ```ruby zypper_package 'foo' do options '--user-provided' end ``` ## windows_task Improvements The `windows_task` resource now properly allows updating the configuration of a scheduled task when using the `:create` action. Additionally the previous `:change` action from the windows cookbook has been aliased to `:create` to provide backwards compatibility. ## apt_preference Resource The apt_preference resource has been ported from the apt cookbook. This resource allows for the creation of APT preference files controlling which packages take priority during installation. Further information regarding apt-pinning is available via and ### Actions - `:add`: creates a preferences file under /etc/apt/preferences.d - `:remove`: Removes the file, therefore unpin the package ### Properties - `package_name`: name attribute. The name of the package - `glob`: Pin by glob() expression or regexp surrounded by /. - `pin`: The package version/repository to pin - `pin_priority`: The pinning priority aka "the highest package version wins" ### Examples Pin libmysqlclient16 to version 5.1.49-3: ```ruby apt_preference 'libmysqlclient16' do pin 'version 5.1.49-3' pin_priority '700' end ``` Unpin libmysqlclient16: ```ruby apt_preference 'libmysqlclient16' do action :remove end ``` Pin all packages from dotdeb.org: ```ruby apt_preference 'dotdeb' do glob '*' pin 'origin packages.dotdeb.org' pin_priority '700' end ``` ## zypper_repository Resource The zypper_repository resource allows for the creation of Zypper package repositories on SUSE Enterprise Linux and openSUSE systems. This resource maintains full compatibility with the resource in the existing [zypper](https://supermarket.chef.io/cookbooks/zypper) cookbooks ### Actions - `:add` - adds a repo - `:delete` - removes a repo ### Properties - `repo_name` - repository name if different from the resource name (name property) - `type` - the repository type. default: 'NONE' - `description` - the description of the repo that will be shown in `zypper repos` - `baseurl` - the base url of the repo - `path` - the relative path from the `baseurl` - `mirrorlist` - the url to the mirrorlist to use - `gpgcheck` - should we gpg check the repo (true/false). default: true - `gpgkey` - location of repo key to import - `priority` - priority of the repo. default: 99 - `autorefresh` - should the repository be automatically refreshed (true/false). default: true - `keeppackages` - should packages be saved (true/false). default: false - `refresh_cache` - should package cache be refreshed (true/false). default: true - `enabled` - should this repository be enabled (true/false). default: true - `mode` - the file mode of the repository file. default: "0644" ### Examples Add the Apache repository for openSUSE Leap 42.2 ```ruby zypper_repository 'apache' do baseurl 'http://download.opensuse.org/repositories/Apache' path '/openSUSE_Leap_42.2' type 'rpm-md' priority '100' end ``` ## Ohai Release Notes 13.3: ### Additional Platform Support Ohai now properly detects the [F5 Big-IP](https://www.f5.com/) platform and platform_version. - platform: bigip - platform_family: rhel # Chef Client Release Notes 13.2: ## Properly send policyfile data When sending events back to the Chef Server, we now correctly expand the run_list for nodes that use Policyfiles. This allows Automate to correctly report the node. ## Reconfigure between runs when daemonized When Chef performs a reconfigure, it re-reads the configuration files. It also re-opens its log files, which facilitates log file rotation. Chef normally will reconfigure when sent a HUP signal. As of this release if you send a HUP signal while it is converging, the reconfigure happens at the end of the run. This is avoids potential Ruby issues when the configuration file contains additional Ruby code that is executed. While the daemon is sleeping between runs, sending a SIGHUP will still cause an immediate reconfigure. Additionally, Chef now always performs a reconfigure after every run when daemonized. ## New Deprecations ### Explicit property methods In Chef 14, custom resources will no longer assume property methods are being called on `new_resource`, and instead require the resource author to be explicit. # Ohai Release Notes 13.2: Ohai 13.2 has been a fantastic release in terms of community involvement with new plugins, platform support, and critical bug fixes coming from community members. A huge thank you to msgarbossa, albertomurillo, jaymzh, and davide125 for their work. ## New Features ### Systemd Paths Plugin A new plugin has been added to expose system and user paths from systemd-path (see for details). ### Linux Network, Filesystem, and Mdadm Plugin Resilience The Network, Filesystem, and Mdadm plugins have been improved to greatly reduce failures to collect data. The Network plugin now better finds the binaries it requires for shelling out, filesystem plugin utilizes data from multiple sources, and mdadm handles arrays in bad states. ### Zpool Plugin Platform Expansion The Zpool plugin has been updated to support BSD and Linux in addition to Solaris. ### RPM version parsing on AIX The packages plugin now correctly parses RPM package name / version information on AIX systems. ### Additional Platform Support Ohai now properly detects the [Clear](https://clearlinux.org/) and [ClearOS](https://www.clearos.com/) Linux distributions. #### Clear Linux - platform: clearlinux - platform_family: clearlinux #### ClearOS - platform: clearos - platform_family: rhel ## New Deprecations ### Removal of IpScopes plugin. (OHAI-13) In Chef/Ohai 14 (April 2018) we will remove the IpScopes plugin. The data returned by this plugin is nearly identical to information already returned by individual network plugins and this plugin required the installation of an additional gem into the Chef installation. We believe that few users were installing the gem and users would be better served by the data returned from the network plugins. # 13.1 ## Socketless local mode by default For security reasons we are switching Local Mode to use socketless connections by default. This prevents potential attacks where an unprivileged user or process connects to the internal Zero server for the converge and changes data. If you use Chef Provisioning with Local Mode, you may need to pass `--listen` to `chef-client`. ## New Deprecations ### Removal of support for Ohai version 6 plugins (OHAI-10) In Chef/Ohai 14 (April 2018) we will remove support for loading Ohai v6 plugins, which we deprecated in Ohai 7/Chef 11.12. # 13.0 ## Rubygems provider sources behavior changed. The behavior of `gem_package` and `chef_gem` is now to always apply the `Chef::Config[:rubygems_url]` sources, which may be a String uri or an Array of Strings. If additional sources are put on the resource with the `source` property those are added to the configured `:rubygems_url` sources. This should enable easier setup of rubygems mirrors particularly in "airgapped" environments through the use of the global config variable. It also means that an admin may force all rubygems.org traffic to an internal mirror, while still being able to consume external cookbooks which have resources which add other mirrors unchanged (in a non-airgapped environment). In the case where a resource must force the use of only the specified source(s), then the `include_default_source` property has been added -- setting it to false will remove the `Chef::Config[:rubygems_url]` setting from the list of sources for that resource. The behavior of the `clear_sources` property is now to only add `--clear-sources` and has no magic side effects on the source options. ## Ruby version upgraded to 2.4.1 We've upgraded to the latest stable release of the Ruby programming language. See the Ruby [2.4.0 Release Notes](https://www.ruby-lang.org/en/news/2016/12/25/ruby-2-4-0-released/) for an overview of what's new in the language. ## Resource can now declare a default name The core `apt_update` resource can now be declared without any name argument, no need for `apt_update "this string doesn't matter but why do i have to type it?"`. This can be used by any other resource by just overriding the name property and supplying a default: ```ruby property :name, String, default: "" ``` Notifications to resources with empty strings as their name is also supported via either the bare resource name (`apt_update` -- matches what the user types in the DSL) or with empty brackets (`apt_update[]` -- matches the resource notification pattern). ## The knife ssh command applies the same fuzzifier as knife search node A bare name to knife search node will search for the name in `tags`, `roles`, `fqdn`, `addresses`, `policy_name` or `policy_group` fields and will match when given partial strings (available since Chef 11). The `knife ssh` search term has been similarly extended so that the search API matches in both cases. The node search fuzzifier has also been extracted out to a `fuzz` option to Chef::Search::Query for re-use elsewhere. ## Cookbook root aliases Rather than `attributes/default.rb`, cookbooks can now use `attributes.rb` in the root of the cookbook. Similarly for a single default recipe, cookbooks can use `recipe.rb` in the root of the cookbook. ## knife ssh can now connect to gateways with ssh key authentication The new `gateway_identity_file` option allows the operator to specify the key to access ssh gateways with. ## Windows Task resource added The `windows_task` resource has been ported from the windows cookbook, and many bugs have been fixed. ## Solaris SMF services can now been started recursively It is now possible to load Solaris services recursively, by ensuring the new `options` property of the `service` resource contains `-r`. ## It's now possible to blacklist node attributes This is the inverse of the pre-existing whitelisting functionality. ## The guard interpreter for `powershell_script` is Powershell, again When writing `not_if` or `only_if` statements, by default we now run those statements using powershell, rather than forcing the user to set `guard_interpreter` each time. ## Zypper GPG checks by default Zypper now defaults to performing gpg checks of packages. ## The InSpec gem is now shipped by default The `inspec` and `train` gems are shipped by default in the chef omnibus package, making it easier for users in airgapped environments to use InSpec. ## Properly support managing Sys-V services on Debian systemd hosts Chef now properly supports managing sys-v services on hosts running systemd. Previously Chef would incorrectly attempt to fallback to Upstart even if upstart was not installed. ## Backwards Compatibility Breaks ### Resource Cloning has been removed When Chef compiles resources, it will no longer attempt to merge the properties of previously compiled resources with the same name and type in to the new resource. See [the deprecation page](https://docs.chef.io/deprecations_resource_cloning.html) for further information. ### It is an error to specify both `default` and `name_property` on a property Chef 12 made this work by picking the first option it found, but it was always an error and has now been disallowed. ### The path property of the execute resource has been removed It was never implemented in the provider, so it was always a no-op to use it, the remediation is to simply delete it. ### Using the command property on any script resource (including bash, etc) is now a hard error This was always a usage mistake. The command property was used internally by the script resource and was not intended to be exposed to users. Users should use the code property instead (or use the command property on an execute resource to execute a single command). ### Omitting the code property on any script resource (including bash, etc) is now a hard error It is possible that this was being used as a no-op resource, but the log resource is a better choice for that until we get a null resource added. Omitting the code property or mixing up the code property with the command property are also common usage mistakes that we need to catch and error on. ### The chef_gem resource defaults to not run at compile time The `compile_time true` flag may still be used to force compile time. ### The Chef::Config[:chef_gem_compile_time] config option has been removed In order to for community cookbooks to behave consistently across all users this optional flag has been removed. ### The `supports[:manage_home]` and `supports[:non_unique]` API has been removed from all user providers The remediation is to set the manage_home and non_unique properties directly. ### Using relative paths in the `creates` property of an execute resource with specifying a `cwd` is now a hard error Without a declared cwd the relative path was (most likely?) relative to wherever chef-client happened to be invoked which is not deterministic or easy to intuit behavior. ### Chef::PolicyBuilder::ExpandNodeObject#load_node has been removed This change is most likely to only affect internals of tooling like chefspec if it affects anything at all. ### PolicyFile failback to create non-policyfile nodes on Chef Server < 12.3 has been removed PolicyFile users on Chef-13 should be using Chef Server 12.3 or higher. ### Cookbooks with self dependencies are no longer allowed The remediation is removing the self-dependency `depends` line in the metadata. ### Removed `supports` API from Chef::Resource Retained only for the service resource (where it makes some sense) and for the mount resource. ### Removed retrying of non-StandardError exceptions for Chef::Resource Exceptions not decending from StandardError (e.g. LoadError, SecurityError, SystemExit) will no longer trigger a retry if they are raised during the executiong of a resources with a non-zero retries setting. ### Removed deprecated `method_missing` access from the Chef::Node object Previously, the syntax `node.foo.bar` could be used to mean `node["foo"]["bar"]`, but this API had sharp edges where methods collided with the core ruby Object class (e.g. `node.class`) and where it collided with our own ability to extend the `Chef::Node` API. This method access has been deprecated for some time, and has been removed in Chef-13. ### Changed `declare_resource` API Dropped the `create_if_missing` parameter that was immediately supplanted by the `edit_resource` API (most likely nobody ever used this) and converted the `created_at` parameter from an optional positional parameter to a named parameter. These changes are unlikely to affect any cookbook code. ### Node deep-duping fixes The `node.to_hash`/`node.to_h` and `node.dup` APIs have been fixed so that they correctly deep-dup the node data structure including every string value. This results in a mutable copy of the immutable merged node structure. This is correct behavior, but is now more expensive and may break some poor code (which would have been buggy and difficult to follow code with odd side effects before). For example: ``` node.default["foo"] = "fizz" n = node.to_hash # or node.dup n["foo"] << "buzz" ``` before this would have mutated the original string in-place so that `node["foo"]` and `node.default["foo"]` would have changed to "fizzbuzz" while now they remain "fizz" and only the mutable `n["foo"]` copy is changed to "fizzbuzz". ### Freezing immutable merged attributes Since Chef 11 merged node attributes have been intended to be immutable but the merged strings have not been frozen. In Chef 13, in the process of merging the node attributes strings and other simple objects are dup'd and frozen. In order to get a mutable copy, you can now correctly use the `node.dup` or `node.to_hash` methods, or you should mutate the object correctly through its precedence level like `node.default["some_string"] << "appending_this"`. ### The Chef::REST API has been removed It has been fully replaced with `Chef::ServerAPI` in chef-client code. ### Properties overriding methods now raise an error Defining a property that overrides methods defined on the base ruby `Object` or on `Chef::Resource` itself can cause large amounts of confusion. A simple example is `property :hash` which overrides the Object#hash method which will confuse ruby when the Custom Resource is placed into the Chef::ResourceCollection which uses a Hash internally which expects to call Object#hash to get a unique id for the object. Attempting to create `property :action` would also override the Chef::Resource#action method which is unlikely to end well for the user. Overriding inherited properties is still supported. ### `chef-shell` now supports solo and legacy solo modes Running `chef-shell -s` or `chef-shell --solo` will give you an experience consistent with `chef-solo`. `chef-shell --solo-legacy-mode` will give you an experience consistent with `chef-solo --legacy-mode`. ### Chef::Platform.set and related methods have been removed The deprecated code has been removed. All providers and resources should now be using Chef >= 12.0 `provides` syntax. ### Remove `sort` option for the Search API This option has been unimplemented on the server side for years, so any use of it has been pointless. ### Remove Chef::ShellOut This was deprecated and replaced a long time ago with mixlib-shellout and the shell_out mixin. ### Remove `method_missing` from the Recipe DSL The core of chef hasn't used this to implement the Recipe DSL since 12.5.1 and its unlikely that any external code depended upon it. ### Simplify Recipe DSL wiring Support for actions with spaces and hyphens in the action name has been dropped. Resources and property names with spaces and hyphens most likely never worked in Chef-12\. UTF-8 characters have always been supported and still are. ### `easy_install` resource has been removed The Python `easy_install` package installer has been deprecated for many years, so we have removed support for it. No specific replacement for `pip` is being included with Chef at this time, but a `pip`-based `python_package` resource is available in the [`poise-python`](https://github.com/poise/poise-python) cookbooks. ### Removal of run_command and popen4 APIs All the APIs in chef/mixlib/command have been removed. They were deprecated by mixlib-shellout and the shell_out mixin API. ### Iconv has been removed from the ruby libraries and chef omnibus build The ruby Iconv library was replaced by the Encoding library in ruby 1.9.x and since the deprecation of ruby 1.8.7 there has been no need for the Iconv library but we have carried it forwards as a dependency since removing it might break some chef code out there which used this library. It has now been removed from the ruby build. This also removes LGPLv3 code from the omnibus build and reduces build headaches from porting iconv to every platform we ship chef-client on. This will also affect nokogiri, but that gem natively supports UTF-8, UTF-16LE/BE, ISO-8851-1(Latin-1), ASCII and "HTML" encodings. Users who really need to write something like Shift-JIS inside of XML will need to either maintain their own nokogiri installs or will need to convert to using UTF-8. ### Deprecated cookbook metadata has been removed The `recommends`, `suggests`, `conflicts`, `replaces` and `grouping` metadata fields are no longer supported, and have been removed, since they were never used. Chef will ignore them in existing `metadata.rb` files, but we recommend that you remove them. This was proposed in RFC 85. ### All unignored cookbook files will now be uploaded. We now treat every file under a cookbook directory as belonging to a cookbook, unless that file is ignored with a `chefignore` file. This is a change from the previous behaviour where only files in certain directories, such as `recipes` or `templates`, were treated as special. This change allows chef to support new classes of files, such as Ohai plugins or Inspec tests, without having to make changes to the cookbook format to support them. ### DSL-based custom resources and providers no longer get module constants Up until now, creating a `mycook/resources/thing.rb` would create a `Chef::Resources::MycookThing` name to access the resource class object. This const is no longer created for resources and providers. You can access resource classes through the resolver API like: ```ruby Chef::Resource.resource_for_node(:mycook_thing, node) ``` Accessing a provider class is a bit more complex, as you need a resource against which to run a resolution like so: ```ruby Chef::ProviderResolver.new(node, find_resource!("mycook_thing[name]"), :nothing).resolve ``` ### Default values for resource properties are frozen A resource declaring something like: ```ruby property :x, default: {} ``` will now see the default value set to be immutable. This prevents cases of modifying the default in one resource affecting others. If you want a per-resource mutable default value, define it inside a `lazy{}` helper like: ```ruby property :x, default: lazy { {} } ``` ### Resources which later modify their name during creation will have their name changed on the ResourceCollection and notifications ```ruby some_resource "name_one" do name "name_two" end ``` The fix for sending notifications to multipackage resources involved changing the API which inserts resources into the resource collection slightly so that it no longer directly takes the string which is typed into the DSL but reads the (possibly coerced) name off of the resource after it is built. The end result is that the above resource will be named `some_resource[name_two]` instead of `some_resource[name_one]`. Note that setting the name (_not_ the `name_property`, but actually renaming the resource) is very uncommon. The fix is to simply name the resource correctly in the first place (`some_resource "name_two" do ...`) ### `use_inline_resources` is always enabled The `use_inline_resources` provider mode is always enabled when using the `action :name do ... end` syntax. You can remove the `use_inline_resources` line. ### `knife cookbook site vendor` has been removed Please use `knife cookbook site install` instead. ### `knife cookbook create` has been removed Please use `chef generate cookbook` from the ChefDK instead. ### Verify commands no longer support "%{file}" Chef has always recommended `%{path}`, and `%{file}` has now been removed. ### The `partial_search` recipe method has been removed The `partial_search` method has been fully replaced by the `filter_result` argument to `search`, and has now been removed. ### The logger and formatter settings are more predictable The default now is the formatter. There is no more automatic switching to the logger when logging or when output is sent to a pipe. The logger needs to be specifically requested with `--force-logger` or it will not show up. The `--force-formatter` option does still exist, although it will probably be deprecated in the future. If your logfiles switch to the formatter, you need to include `--force-logger` for your daemonized runs. Redirecting output to a file with `chef-client > /tmp/chef.out` now captures the same output as invoking it directly on the command line with no redirection. ### Path Sanity disabled by default and modified The chef client itself no long modifies its `ENV['PATH']` variable directly. When using the `shell_out` API now, in addition to setting up LANG/LANGUAGE/LC_ALL variables that API will also inject certain system paths and the ruby bindir and gemdirs into the PATH (or Path on Windows). The `shell_out_with_systems_locale` API still does not mangle any environment variables. During the Chef-13 lifecycle changes will be made to prep Chef-14 to switch so that `shell_out` by default behaves like `shell_out_with_systems_locale`. A new flag will get introduced to call `shell_out(..., internal: [true|false])` to either get the forced locale and path settings ("internal") or not. When that is introduced in Chef 13.x the default will be `true` (backwards-compat with 13.0) and that default will change in 14.0 to 'false'. The PATH changes have also been tweaked so that the ruby bindir and gemdir PATHS are prepended instead of appended to the PATH. Some system directories are still appended. Some examples of changes: - `which ruby` in 12.x will return any system ruby and fall back to the embedded ruby if using omnibus - `which ruby` in 13.x will return any system ruby and will not find the embedded ruby if using omnibus - `shell_out_with_systems_locale("which ruby")` behaves the same as `which ruby` above - `shell_out("which ruby")` in 12.x will return any system ruby and fall back to the embedded ruby if using omnibus - `shell_out("which ruby")` in 13.x will always return the omnibus ruby first (but will find the system ruby if not using omnibus) The PATH in `shell_out` can also be overridden: - `shell_out("which ruby", env: { "PATH" => nil })` - behaves like shell_out_with_systems_locale() - `shell_out("which ruby", env: { "PATH" => [...include PATH string here...] })` - set it arbitrarily however you need Since most providers which launch custom user commands use `shell_out_with_systems_locale` (service, execute, script, etc) the behavior will be that those commands that used to be having embedded omnibus paths injected into them no longer will. Generally this will fix more problems than it solves, but may causes issues for some use cases. ### Default guard clauses (`not_if`/`only_if`) do not change the PATH or other env vars The implementation switched to `shell_out_with_systems_locale` to match `execute` resource, etc. ### Chef Client will now exit using the RFC062 defined exit codes Chef Client will only exit with exit codes defined in RFC 062\. This allows other tooling to respond to how a Chef run completes. Attempting to exit Chef Client with an unsupported exit code (either via `Chef::Application.fatal!` or `Chef::Application.exit!`) will result in an exit code of 1 (GENERIC_FAILURE) and a warning in the event log. When Chef Client is running as a forked process on unix systems, the standardized exit codes are used by the child process. To actually have Chef Client return the standard exit code, `client_fork false` will need to be set in Chef Client's configuration file.