We just released Chef Client version 12.8.1 to the chef downloads site. Highlights of this release include:
Support for OpenSSL validation of FIPS
Federal Information Processing Standards (FIPS) is a United States government computer security standard that specifies security requirements for cryptography. The current version of the standard is FIPS 140-2. The chef-client can be configured to allow OpenSSL to enforce FIPS-validated security during a chef-client run. This will disable cryptography in OpenSSL that is explicitly disallowed in FIPS-validated software, including certain ciphers and hashing algorithms. Any attempt to use any disallowed cryptography will cause the chef-client to throw an exception during a chef-client run.
Note:
Chef uses MD5 hashes to uniquely identify files that are stored on the Chef server. MD5 is used only to generate a unique hash identifier and is not used for any cryptographic purpose.
Notes about FIPS:
- May only be enabled for nodes running on Microsoft Windows and Enterprise Linux platforms
- Should only be enabled for environments that require FIPS 140-2 compliance
- May not be enabled for any version of the chef-client earlier than 12.8
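Two checks a practitioner wants before flipping the setting on a node, written here as an added Ruby example (this is not chef-client code and does not use Chef's own internals): first, a probe that asks the OpenSSL this Ruby links against whether it can actually run in FIPS mode, because a host without a FIPS-capable OpenSSL fails at exactly this step; second, a small checksum routine that models the enforcement behaviour described above, refusing a disallowed digest such as MD5 while FIPS is on and computing an approved one such as SHA-256. The digest list and the function names are this example's own assumptions.

```ruby
require "openssl"

# Digests that FIPS 140-2 does not approve. MD5 is the one that matters for
# chef-client, which otherwise uses it for file checksums (see the note above).
# Assumed list for this example, not a list taken from Chef or OpenSSL.
FIPS_DISALLOWED_DIGESTS = %w[MD4 MD5].freeze

# Probe whether the OpenSSL this Ruby links against can really run in FIPS
# mode: switch it on, compute one approved digest, switch it back off. On a
# build without FIPS support either step raises, which is what a chef-client
# run with `fips true` would hit on such a host. Always restores the old state.
def runtime_fips_capable?
  OpenSSL.fips_mode = true
  OpenSSL::Digest.new("SHA256").digest("probe")
  true
rescue OpenSSL::OpenSSLError, NotImplementedError
  false
ensure
  begin
    OpenSSL.fips_mode = false
  rescue OpenSSL::OpenSSLError
    nil
  end
end

# Models the enforcement behaviour: with FIPS on, a request for a disallowed
# digest is refused up front rather than computed. Hypothetical helper.
def checksum_for(data, algorithm: "SHA256", fips: false)
  if fips && FIPS_DISALLOWED_DIGESTS.include?(algorithm.upcase)
    raise ArgumentError, "#{algorithm} is not permitted while FIPS mode is enabled"
  end
  OpenSSL::Digest.new(algorithm).hexdigest(data)
end

if $PROGRAM_NAME == __FILE__
  puts "OpenSSL library:      #{OpenSSL::OPENSSL_LIBRARY_VERSION}"
  puts "FIPS-capable runtime: #{runtime_fips_capable?}"
  puts "SHA256 (FIPS on):     #{checksum_for('abc', fips: true)}"
  begin
    checksum_for("abc", algorithm: "MD5", fips: true)
  rescue ArgumentError => e
    puts "MD5 (FIPS on):        refused: #{e.message}"
  end
end
```

Run the probe on a candidate node before setting fips in client.rb; a false result means the node's OpenSSL build will make the chef-client run fail as soon as FIPS enforcement is requested, which is cheaper to learn from the probe than from a failed converge.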
Enable FIPS Mode
Allowing OpenSSL to enforce FIPS-validated security may be enabled in any of the following ways:
- Set the fips configuration setting to true in the client.rb or knife.rb files
- Set the --fips command-line option when running any knife command or the chef-client executable
- Set the --fips command-line option when bootstrapping a node using the knife bootstrap command
Command Option
The following command-line option may be used with a knife or chef-client executable command:
--[no-]fips
Allows OpenSSL to enforce FIPS-validated security during the chef-client run.
Bootstrap a node using FIPS
$ knife bootstrap 12.34.56.789 -P vanilla -x root -r 'recipe[apt],recipe[xfs],recipe[vim]' --fips
which shows something similar to:
OpenSSL FIPS 140 mode enabled ... 12.34.56.789 Chef Client finished, 12/12 resources updated in 78.942455583 seconds
Configuration Setting
The following configuration setting may be set in the knife.rb, client.rb, or config.rb files:
fips
Allows OpenSSL to enforce FIPS-validated security during the chef-client run. Set to true to enable FIPS-validated security.
New launchd resource
Use the launchd resource to manage system-wide services (daemons) and per-user services (agents) on the Mac OS X platform.
launchd 'call.mom.weekly' do
  program '/Library/scripts/call_mom.sh'
  start_calendar_interval 'Weekday' => 7, 'Hourly' => 10
  time_out 300
end
New property for the mdadm resource
Note: This was not included in the release as previously stated.
Use the mdadm_defaults property to set the default values for chunk and metadata to nil, which allows mdadm to apply its own default values.
chef-zero support for Chef Server API endpoints
chef-zero now supports using all Chef server API version 12 endpoints, with the exception of /universe.
Updated OpenSSL Version
OpenSSL is updated to version 1.0.1s.
Ohai auto-detects hosts for Azure and EC2 instances
Ohai will auto-detect hosts for instances that are hosted on Microsoft Azure or Amazon EC2.
Added gem keyword to metadata.rb per RFC-060
Supports a ‘gem’ DSL method for cookbook metadata to create a dependency on a rubygem. The gem will be installed via chef_gem after all the cookbooks are synchronized but before any other cookbook loading is done.