The use_choco_list property uses the choco list command to return Chocolatey packages instead of querying for NuGet package files. This property is false by default because querying for NuGet package files is faster than executing the choco list command.
We fixed an issue with private keys that are encrypted in the certificate store on a Windows node that is under management by two or more users or by an admin and the SYSTEM account. The private key could not be decrypted by a user other than the user that bootstrapped the node because the password is user-specific. We now use an initialization vector to encrypt the private key, which is stored in the Windows registry. This allows multiple users to decrypt a private key. (#13552)
In Chef Infra Client 16, we introduced unified mode allowing you to collapse the sometimes confusing compile and converge phases into a single unified phase. Unified mode makes it easier to write and troubleshoot failures in custom resources and this is now the default execution phase for custom resources. Set unified_mode false in a custom resource if you need to disable unified mode.
If your custom resources have specific compile/converge phase behaviors, please test them for compatibility. For more information, see the Out-of-Order Execution section of the Unified Mode documentation.
Shortly before the final GA build of Chef Infra Client 18, we discovered an issue with FIPS support for Windows. We are currently investigating the root cause and correcting the issue; however, please note that FIPS support will not be available in the initial GA version of Chef Infra Client 18.0 for all Windows versions. We have prioritized this issue and FIPS support will be released in the next minor version of Chef Infra Client (18.1). We are reviewing the release date for Chef Infra Client 18.1 with FIPS support and will announce that date on all major communication channels when it is established.
Use the selinux_module resource to create an SELinux policy module from a cookbook file or content provided as a string. See the selinux_module resource documentation for additional information.
The user resource now has expire_date and inactive properties on Linux systems. These specify the date on which a user account will be disabled and the number of days after a password expires before the account is permanently disabled.
The Secrets Management Integration helper is now a fully supported feature. The Secrets Management Integration helper allows you to fetch secrets from the following secrets management systems within your Infra recipes or resources:
Use migrate_key_to_keystore true in the Chef Infra Client config.rb to migrate certificates to the Windows certificate store on Windows nodes. This creates a PFX certificate, extracts a public key from the certificate and sends it to the Chef Infra Server, and then stores the certificate in the local certificate store.
Use the selinux_install resource to encapsulate the set of SELinux packages to install in order to manage SELinux. See the selinux_install resource documentation for additional information.
The following ways of calling yum_package with a version property were not idempotent and that has been fixed (there was previously no way to correctly use the version property of the yum_package resource and have it behave idempotently):
We strongly encourage users to always provide the full epoch, version, and release (EVR) of an RPM since omitting the epoch is ambiguous and the RPM, YUM, and DNF libraries tend to assume zero when the epoch is omitted. Omitting the release is also not a best practice, but may be required due to the convention of embedding the distribution string in the release.
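As an added illustration of the EVR advice above (example code, not Chef's yum_package implementation), this splits a version string into epoch, version and release, reports which parts were omitted, and renders the unambiguous full EVR. The assumed epoch of 0 mirrors what the RPM, YUM and DNF libraries do when it is missing.

```ruby
# Added example, not Chef's yum_package code: parse an RPM version string
# and make the epoch explicit so ambiguous strings are easy to spot.
Evr = Struct.new(:epoch, :version, :release, :omitted) do
  def to_s
    release ? "#{epoch}:#{version}-#{release}" : "#{epoch}:#{version}"
  end

  def ambiguous?
    !omitted.empty?
  end
end

def parse_evr(str)
  omitted = []
  epoch, rest = str.include?(":") ? str.split(":", 2) : [nil, str]
  if epoch.nil?
    omitted << :epoch
    epoch = "0"                      # what the RPM/YUM/DNF libraries assume
  elsif epoch !~ /\A\d+\z/
    raise ArgumentError, "epoch must be numeric in #{str.inspect}"
  end
  version, release = rest.split("-", 2)
  raise ArgumentError, "empty version in #{str.inspect}" if version.nil? || version.empty?
  if release.nil? || release.empty?
    omitted << :release
    release = nil
  end
  Evr.new(epoch, version, release, omitted)
end

# Constructed sample values as they might appear in a yum_package version property
SAMPLE_VERSIONS = ["1:2.4.6-1.el8", "2.4.6-1.el8", "2.4.6"].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_VERSIONS.each do |v|
    evr = parse_evr(v)
    flag = evr.ambiguous? ? "omitted #{evr.omitted.join(', ')}" : "full EVR"
    puts "#{v.ljust(14)} -> #{evr} (#{flag})"
  end
end
```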
You can now run the Compliance Phase at less frequent intervals than the main Chef Infra Client Infra Phase. This is helpful if compliance scans impact the system performance and are only necessary on a less frequent cadence. To enable interval runs, set the following attributes:
Chef Infra Client RPMs now depend on coreutils. This resolves an issue where Chef Infra Client may install before coreutils when used in a kickstart script, causing the installation of the chef-client symlink to fail.
The beta secrets manager helper now supports Azure Key Vault on VMs with multiple User Assigned Managed Identities. You can now specify an identity with the client_id, object_id, and mi_res_id options. The default is the system-assigned identity, which is the same as in past releases. If you omit an option, the secrets manager uses the system-assigned identity. See the Azure docs for more information.
The chocolatey_source resource now supports setting up authenticated sources. See the chocolatey_source resource documentation for more information on the new properties introduced to support user/password or certificate authentication. Thanks for this improvement @gep13!
The macos_userdefaults resource now uses native macOS API calls instead of shelling out to command line tools. This complete rewrite makes setting complex data types in the resource more reliable.
The powershell_package_source was updated to support authenticating to package sources with new user and password properties. The existing url property has also been renamed to source_location, which better describes the purpose of this property. The existing url property will continue to function for backward compatibility with any existing cookbook code.
We are once again producing packages for Ubuntu 16.04. Canonical, the maker of Ubuntu, has extended support for Ubuntu releases for a full 10 years, so the previously EOL Ubuntu 16.04 release is no longer EOL.
You can now ship Chef InSpec profiles, waivers, and inputs directly in cookbooks allowing you to combine infrastructure and compliance concerns in a single artifact. Bringing infra and compliance together ensures security is always considered when making changes to your systems and enables collaboration in DevSecOps through shared pipelines. Combining infrastructure and compliance content in cookbook artifacts also allows for the safe and controlled promotion of compliance content from development to production using Policyfiles.
InSpec content placed in these new directories will be available for execution during the Chef Infra Client Compliance Phase, similar to how recipes are shipped in cookbooks but must be executed with include_recipe. This gives you fine-grained control of when and how InSpec content runs using Chef Language helpers.
Our secrets management beta within Chef Infra Client has been updated to support HashiCorp Vault and Akeyless Vault secrets. These can be fetched using the new secrets helper using either AWS IAM authentication or token-based authentication.
The archive_file resource has a new strip_components property that allows you to strip any number of leading path elements, similar to the tar --strip-components behavior. For example, if archive archive.tar contained some/file/name, then setting strip_components 2 would extract just name. Thanks for this improvement and a large number of new tests @jasonwbarnett!
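The strip_components semantics described above, as an added example that is not the archive_file resource's own code: applied to a constructed listing of archive.tar, it drops the first N path elements, skips entries that have nothing left (as tar does), and, as a defensive check beyond the text, rejects any entry that would still escape the destination after stripping.

```ruby
# Added example, not Chef's archive_file implementation: tar-style
# --strip-components applied to a list of archive entry paths.
def strip_components(entries, count)
  entries.each_with_object({}) do |entry, kept|
    parts = entry.split("/").reject(&:empty?)
    next if parts.length <= count          # nothing left after stripping: tar skips it
    remaining = parts.drop(count)
    if remaining.include?("..")
      # defensive addition: a stripped path must stay inside the extraction directory
      raise ArgumentError, "entry #{entry.inspect} would escape the destination"
    end
    kept[entry] = remaining.join("/")
  end
end

# Constructed listing of an archive.tar like the one in the text
ARCHIVE_ENTRIES = %w[
  some/
  some/file/
  some/file/name
  some/file/other/deep.txt
  some/README
].freeze

if __FILE__ == $PROGRAM_NAME
  strip_components(ARCHIVE_ENTRIES, 2).each { |from, to| puts "#{from} -> #{to}" }
end
```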
The chef_client_scheduled_task resource now supports setting the scheduled task priority for the execution of the Chef Infra Client with a new priority property. You can also now set the scheduled task to run with the same splay value during each run using a new use_consistent_splay property. With this property set, a random splay will still be used for the node, but it will be the same splay during subsequent runs. This ensures that Chef Infra Client always runs with a consistent time between runs (i.e., always exactly 30 minutes). Thanks for these improvements @gholtiii!
The file resource and resources based on the file resource now include additional verifiers for YAML and JSON content in files. Set verify :json or verify :yaml to validate JSON and YAML content. Thanks for this addition @gogsbread!
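As an added example (not Chef's own verifier code), these checks do what verify :json and verify :yaml stand for: a file's content is parsed, and malformed content is rejected before it would replace the managed file. The YAML check uses YAML.safe_load on purpose, so verifying content cannot itself instantiate arbitrary Ruby objects from tags such as !ruby/object.

```ruby
require "json"
require "yaml"

# Added example, not the file resource's implementation: content verifiers
# that return true only when the content parses as JSON or (safe) YAML.
def valid_json?(content)
  JSON.parse(content)
  true
rescue JSON::ParserError
  false
end

# safe_load rejects unknown tags (Psych::DisallowedClass) as well as syntax
# errors, so a tagged document fails verification instead of being loaded.
def valid_yaml?(content)
  YAML.safe_load(content)
  true
rescue Psych::SyntaxError, Psych::DisallowedClass
  false
end

# Constructed sample contents a file resource might be handed
GOOD_JSON   = '{"listen": "127.0.0.1", "port": 8080}'
BAD_JSON    = '{"listen": "127.0.0.1", "port": 8080'   # missing closing brace
GOOD_YAML   = "listen: 127.0.0.1\nport: 8080\n"
BAD_YAML    = "listen: 127.0.0.1: 8080\n"              # second ':' is not allowed here
TAGGED_YAML = "--- !ruby/object:Object {}\n"          # object tag, refused by safe_load

if __FILE__ == $PROGRAM_NAME
  puts "json: good=#{valid_json?(GOOD_JSON)} bad=#{valid_json?(BAD_JSON)}"
  puts "yaml: good=#{valid_yaml?(GOOD_YAML)} bad=#{valid_yaml?(BAD_YAML)} tagged=#{valid_yaml?(TAGGED_YAML)}"
end
```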
The InSpec json-file reporter is no longer enabled by default in Compliance Phase. Outputting compliance data to file by default potentially exposed sensitive data to the filesystem, without much upside. If you rely on this file for processing by external systems you can produce it by setting the reporter attribute node['audit']['reporter'] to %w{json-file cli}.