Release Notes: Enterprise Chef 11.1

Chef is a systems and cloud infrastructure automation framework that makes it easy to deploy servers and applications to any physical, virtual, or cloud location, no matter the size of the infrastructure. Each organization consists of one (or more) workstations, a single server, and every node that will be configured and maintained by the chef-client. Cookbooks (and recipes) are used to tell the chef-client how each node in your organization should be configured. The chef-client (which is installed on every node) does the actual configuration.

What’s New

The following items are new for Enterprise Chef 11.1 and/or are changes from previous versions:

  • Support for IPv6: Support has been added to allow the Enterprise Chef server and the chef-client to run in an IPv6 infrastructure.
  • Lua / Redis-based API routing: The routing mechanisms used by the API proxy have been reworked. This allows for more dynamic and fine-tuned control over routing upstreams and feature flags.
  • Bookshelf hostname configuration: The host for the location in which cookbooks are stored—bookshelf—is now configurable. Previous versions of Enterprise Chef directed this traffic directly to the backend host:port of the bookshelf service. Enterprise Chef defaults to the host header that is set by the incoming HTTP request. This ensures that URLs generated by the bookshelf service based on requests to the API front end will be directed back to that front end and will be correctly proxied to the back end service. This also ensures that all bookshelf traffic travels over HTTPS.

Configuration Setting for IPv6

The following setting is used to configure IPv6 for Enterprise Chef:

Setting | Description
ip_version | Use to set the IP version: ipv4 or ipv6. When configuring for IPv6 in a high availability configuration, be sure to set the netmask on the IPv6 backend_vip attribute. Default value: ipv4.

What’s Fixed

The following bugs were fixed:

  • [opscode-bookshelf] — Disable synchronous request logging to prevent failure during heavy load
  • [opscode-account] — Allow non-admin users to leave an organization
  • [opscode-account] — Don’t log password changes in plain text
  • [opscode-account] — /organizations API cannot show billing admins group
  • [opscode-account] — 500s appear when updating a user ACL
  • [enterprise-chef-cookbooks] — Banned/whitelist IP checking breaks IPv6 clients

The following security issues were fixed:

  • [openssl] CVE-2013-4353 — TLS handshake causes null pointer in OpenSSL
  • [libyaml] CVE-2013-6393 — Incorrect cast allows remote attacker to cause a denial of service