/usr/lib/ruby/vendor_ruby/chef-config/config.rb is in ruby-chef-config 12.14.60-3ubuntu1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
#
# Author:: Adam Jacob (<adam@chef.io>)
# Author:: Christopher Brown (<cb@chef.io>)
# Author:: AJ Christensen (<aj@chef.io>)
# Author:: Mark Mzyk (<mmzyk@chef.io>)
# Author:: Kyle Goodwin (<kgoodwin@primerevenue.com>)
# Copyright:: Copyright 2008-2016, Chef Software Inc.
# License:: Apache License, Version 2.0
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
require "mixlib/config"
require "pathname"
require "chef-config/fips"
require "chef-config/logger"
require "chef-config/windows"
require "chef-config/path_helper"
require "chef-config/mixin/fuzzy_hostname_matcher"
require "mixlib/shellout"
require "uri"
require "addressable/uri"
require "openssl"
module ChefConfig
class Config
# Mixlib::Config provides the `default`, `configurable`, `config_context`
# and `configuration` DSL used throughout this class.
extend Mixlib::Config
# Fuzzy hostname matching helpers, made available as class methods here.
extend ChefConfig::Mixin::FuzzyHostnameMatcher
# Evaluates the given string as config.
#
# The string is executed as Ruby with this class as the receiver
# (`instance_eval`), so it has the same power as any other Ruby code loaded
# into the process; it is meant for configuration from sources the operator
# already trusts.
#
# +string+   is the Ruby source to evaluate.
# +filename+ is used for context in stacktraces, but doesn't need to be the
#            name of an actual file. Line numbering starts at 1.
def self.from_string(string, filename)
  first_line = 1
  instance_eval(string, filename, first_line)
end
# Renders the configuration hash exactly as Mixlib::Config's `configuration`
# returns it. Every configured value is included, so the output can contain
# credential material (for example anything set under `knife[:secret]`) and
# should not be written to logs casually.
def self.inspect
  current = configuration
  current.inspect
end
# Normalises +path+ for the current platform.
#
# The path is first cleaned via PathHelper.cleanpath. On Windows, a
# backslash-rooted path whose second component is "chef" (e.g.
# \etc\chef\client.rb or \var\chef\client.rb) is re-rooted under
# %SYSTEMDRIVE%, giving C:/chef/client.rb. Any other path, and every path
# on non-Windows platforms, is returned as cleaned.
def self.platform_specific_path(path)
  cleaned = PathHelper.cleanpath(path)
  return cleaned unless ChefConfig.windows?

  system_drive = env["SYSTEMDRIVE"]
  # "\etc\chef\client.rb".split('\\') => ["", "etc", "chef", "client.rb"]
  second_component = cleaned.split('\\')[2]
  if system_drive && cleaned[0] == '\\' && second_component == "chef"
    # Drop the leading "\etc" / "\var" and join the rest onto the drive.
    remainder = cleaned.split('\\', 3)[2]
    cleaned = PathHelper.join(system_drive, remainder)
  end
  cleaned
end
# Registers an output formatter by appending a [name, file_path] pair to
# the `formatters` config list.
#
# +name+      identifies the formatter.
# +file_path+ is an optional output destination; nil when none is given.
def self.add_formatter(name, file_path = nil)
  entry = [name, file_path]
  formatters.push(entry)
end
# Registers +logger+ by appending it to the `event_handlers` config list.
def self.add_event_logger(logger)
  event_handlers.push(logger)
end
# Config file to load (client.rb, knife.rb, etc. defaults set differently in knife, chef-client, etc.)
configurable(:config_file)
# Directory the config lives in: the canonical parent directory of
# config_file when one is set, otherwise <user_home>/.chef/ (the empty
# final join component keeps the trailing separator).
default(:config_dir) do
if config_file
PathHelper.dirname(PathHelper.canonical_path(config_file, false))
else
PathHelper.join(user_home, ".chef", "")
end
end
# [name, file_path] pairs registered via add_formatter above.
default :formatters, []
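# Accepts only URLs chef-client knows how to talk to: http://, https:// or
# the chefzero: scheme used by local mode.
#
# The check is anchored to the very start of the stripped string
# (`start_with?`) rather than to the start of a line, which is what the
# earlier `^` regex anchors matched: a value consisting of a junk line, a
# newline and then a real URL no longer passes. Surrounding whitespace is
# ignored, matching the strip applied when chef_server_url is stored.
#
# +uri+ may be any object; it is converted with to_s (nil => "" => false).
# Returns true or false.
def self.is_valid_url?(uri)
  url = uri.to_s.strip
  url.start_with?("http://", "https://", "chefzero:")
end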
# Override the config dispatch to set the value of multiple server options simultaneously
#
# === Parameters
# url<String>:: String to be set for all of the chef-server-api URL's
#
# The writer rejects anything is_valid_url? does not accept (http://,
# https:// or chefzero:) with a ConfigurationError, and stores the value
# as a whitespace-stripped String.
configurable(:chef_server_url).writes_value do |uri|
unless is_valid_url? uri
raise ConfigurationError, "#{uri} is an invalid chef_server_url."
end
uri.to_s.strip
end
# When you are using ActiveSupport, they monkey-patch 'daemonize' into Kernel.
# So while this is basically identical to what method_missing would do, we pull
# it up here and get a real method written so that things get dispatched
# properly.
# The writer is an identity function: the value is stored unchanged.
configurable(:daemonize).writes_value { |v| v }
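# The root where all local chef object data is stored. cookbooks, data bags,
# environments are all assumed to be in separate directories under this.
# chef-solo uses these directories for input data. knife commands
# that upload or download files (such as knife upload, knife role from file,
# etc.) work.
#
# Resolution order: the parent of an explicitly configured cookbook_path,
# else the parent of an explicitly configured cookbook_artifact_path, else
# cache_path. The raw `configuration` hash is consulted rather than the
# accessors, presumably so that the computed defaults (which are themselves
# derived from chef_repo_path, see derive_path_from_chef_repo_path) are not
# resolved recursively.
#
# Both settings are documented as "String or array of strings". An array
# cookbook_artifact_path was previously passed straight to File.expand_path,
# which raises TypeError; both are now handled the same way.
default :chef_repo_path do
  # Parent directory of a single path, or of each path in an array.
  parent_of = lambda do |path_or_paths|
    if path_or_paths.kind_of?(String)
      File.expand_path("..", path_or_paths)
    else
      path_or_paths.map { |path| File.expand_path("..", path) }
    end
  end

  if self.configuration[:cookbook_path]
    parent_of.call(self.configuration[:cookbook_path])
  elsif self.configuration[:cookbook_artifact_path]
    parent_of.call(self.configuration[:cookbook_artifact_path])
  else
    cache_path
  end
end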
# In local mode, we auto-discover the repo root by walking up from +cwd+
# until a directory containing "cookbooks" or "cookbook_artifacts" is found.
# This allows us to run config-free.
#
# Returns the discovered directory, or +cwd+ itself (after logging a
# warning) when the filesystem root is reached without finding one.
def self.find_chef_repo_path(cwd)
  candidate = cwd
  loop do
    break if File.directory?(PathHelper.join(candidate, "cookbooks")) ||
             File.directory?(PathHelper.join(candidate, "cookbook_artifacts"))

    parent = File.expand_path("..", candidate)
    # expand_path("..") of the root is the root again: nothing left to try.
    if parent == candidate
      ChefConfig.logger.warn("No cookbooks directory found at or above current directory. Assuming #{cwd}.")
      return cwd
    end
    candidate = parent
  end
  ChefConfig.logger.info("Auto-discovered chef repository at #{candidate}")
  candidate
end
# Joins +child_path+ onto chef_repo_path.
#
# When chef_repo_path is a single String the result is a String; when it is
# an array, one joined path is returned per distinct entry (duplicate roots
# are dropped first).
def self.derive_path_from_chef_repo_path(child_path)
  roots = chef_repo_path
  return PathHelper.join(roots, child_path) if roots.kind_of?(String)

  roots.uniq.map { |root| PathHelper.join(root, child_path) }
end
# Each of the *_path settings below is derived from chef_repo_path via
# derive_path_from_chef_repo_path, so its shape (String or Array) follows
# the shape of chef_repo_path.
#
# Location of acls on disk. String or array of strings.
# Defaults to <chef_repo_path>/acls.
default(:acl_path) { derive_path_from_chef_repo_path("acls") }
# Location of clients on disk. String or array of strings.
# Defaults to <chef_repo_path>/clients.
default(:client_path) { derive_path_from_chef_repo_path("clients") }
# Location of client keys on disk. String or array of strings.
# Defaults to <chef_repo_path>/client_keys.
default(:client_key_path) { derive_path_from_chef_repo_path("client_keys") }
# Location of containers on disk. String or array of strings.
# Defaults to <chef_repo_path>/containers.
default(:container_path) { derive_path_from_chef_repo_path("containers") }
# Location of cookbook_artifacts on disk. String or array of strings.
# Defaults to <chef_repo_path>/cookbook_artifacts.
default(:cookbook_artifact_path) { derive_path_from_chef_repo_path("cookbook_artifacts") }
# Location of cookbooks on disk. String or array of strings.
# Defaults to <chef_repo_path>/cookbooks. If chef_repo_path
# is not specified, this is set to [/var/chef/cookbooks, /var/chef/site-cookbooks]).
#
# Only an explicitly configured chef_repo_path (raw `configuration` hash)
# restricts this to cookbooks/; otherwise cookbooks/ and site-cookbooks/
# are both searched, as a single flattened Array.
default(:cookbook_path) do
if self.configuration[:chef_repo_path]
derive_path_from_chef_repo_path("cookbooks")
else
Array(derive_path_from_chef_repo_path("cookbooks")).flatten +
Array(derive_path_from_chef_repo_path("site-cookbooks")).flatten
end
end
# Location of data bags on disk. String or array of strings.
# Defaults to <chef_repo_path>/data_bags.
default(:data_bag_path) { derive_path_from_chef_repo_path("data_bags") }
# Location of environments on disk. String or array of strings.
# Defaults to <chef_repo_path>/environments.
default(:environment_path) { derive_path_from_chef_repo_path("environments") }
# Location of groups on disk. String or array of strings.
# Defaults to <chef_repo_path>/groups.
default(:group_path) { derive_path_from_chef_repo_path("groups") }
# Location of nodes on disk. String or array of strings.
# Defaults to <chef_repo_path>/nodes.
default(:node_path) { derive_path_from_chef_repo_path("nodes") }
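# Location of policies on disk. String or array of strings.
# Defaults to <chef_repo_path>/policies.
# (Declared once; an earlier revision of this file registered the same
# default a second time after user_path.)
default(:policy_path) { derive_path_from_chef_repo_path("policies") }
# Location of policy_groups on disk. String or array of strings.
# Defaults to <chef_repo_path>/policy_groups.
default(:policy_group_path) { derive_path_from_chef_repo_path("policy_groups") }
# Location of roles on disk. String or array of strings.
# Defaults to <chef_repo_path>/roles.
default(:role_path) { derive_path_from_chef_repo_path("roles") }
# Location of users on disk. String or array of strings.
# Defaults to <chef_repo_path>/users.
default(:user_path) { derive_path_from_chef_repo_path("users") }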
# Turn on "path sanity" by default. See also: http://wiki.opscode.com/display/chef/User+Environment+PATH+Sanity
default :enforce_path_sanity, true
# Formatted Chef Client output is a beta feature, disabled by default:
# ("null" names the formatter; add others with add_formatter above.)
default :formatter, "null"
# The number of times the client should retry when registering with the server
default :client_registration_retries, 5
# An array of paths to search for knife exec scripts if they aren't in the current directory
default :script_path, []
# The root of all caches (checksums, cache and backup). If local mode is on,
# this is under the user's home directory.
#
# Outside local mode the choice is /var/chef, then /var, then <user_home>/.chef,
# decided by path_accessible? (exists, readable and writable for the *current*
# user). NOTE(review): because the test depends on who is running, a root run
# and an unprivileged run on the same machine can resolve different cache
# roots.
default(:cache_path) do
if local_mode
PathHelper.join(config_dir, "local-mode-cache")
else
primary_cache_root = platform_specific_path("/var")
primary_cache_path = platform_specific_path("/var/chef")
# Use /var/chef as the cache path only if that folder exists and we can read and write
# into it, or /var exists and we can read and write into it (we'll create /var/chef later).
# Otherwise, we'll create .chef under the user's home directory and use that as
# the cache path.
unless path_accessible?(primary_cache_path) || path_accessible?(primary_cache_root)
secondary_cache_path = PathHelper.join(user_home, ".chef")
ChefConfig.logger.info("Unable to access cache at #{primary_cache_path}. Switching cache to #{secondary_cache_path}")
secondary_cache_path
else
primary_cache_path
end
end
end
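# Returns true only if the path exists and is readable and writeable for the user.
#
# Uses File.exist? (File.exists? is deprecated and removed in newer Rubies),
# matching the spelling already used elsewhere in this file. This is a
# point-in-time check: permissions can change between the test and the
# later use of the path, so callers still need to handle I/O errors.
#
# +path+ is a filesystem path (String). Returns true or false.
def self.path_accessible?(path)
  File.exist?(path) && File.readable?(path) && File.writable?(path)
end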
# Where cookbook files are stored on the server (by content checksum)
# (<cache_path>/checksums)
default(:checksum_path) { PathHelper.join(cache_path, "checksums") }
# Where chef's cache files should be stored (<cache_path>/cache)
default(:file_cache_path) { PathHelper.join(cache_path, "cache") }
# Where backups of chef-managed files should go (<cache_path>/backup)
default(:file_backup_path) { PathHelper.join(cache_path, "backup") }
# The chef-client (or solo) lockfile.
#
# If your `file_cache_path` resides on a NFS (or non-flock()-supporting
# fs), it's recommended to set this to something like
# '/tmp/chef-client-running.pid'
# Defaults to <file_cache_path>/chef-client-running.pid.
default(:lockfile) { PathHelper.join(file_cache_path, "chef-client-running.pid") }
## Daemonization Settings ##
# What user should Chef run as?
# user/group nil means no privilege change is requested by config.
default :user, nil
default :group, nil
# umask applied to files Chef creates; 0022 is octal (group/other not writable).
default :umask, 0022
# Valid log_levels are:
# * :debug
# * :info
# * :warn
# * :fatal
# These work as you'd expect. There is also a special `:auto` setting.
# When set to :auto, Chef will auto adjust the log verbosity based on
# context. When a tty is available (usually because the user is running chef
# in a console), the log level is set to :warn, and output formatters are
# used as the primary mode of output. When a tty is not available, the
# logger is the primary mode of output, and the log level is set to :info
default :log_level, :auto
# Logging location as either an IO stream or string representing log file path
default :log_location, STDOUT
# Using `force_formatter` causes chef to default to formatter output when STDOUT is not a tty
default :force_formatter, false
# Using `force_logger` causes chef to default to logger output when STDOUT is a tty
default :force_logger, false
# Using 'stream_execute_output' will have Chef always stream the execute output
default :stream_execute_output, false
# Using `show_download_progress` will display the overall progress
# of a remote file download
default :show_download_progress, false
# How often to update the progress meter, in percent
default :download_progress_interval, 10
# HTTP retry policy: number of attempts and delay between them (seconds).
default :http_retry_count, 5
default :http_retry_delay, 5
# Run scheduling: interval between runs and the run-once flag; nil means
# not configured here.
default :interval, nil
default :once, nil
# Path to a JSON attributes file, if any.
default :json_attribs, nil
# toggle info level log items that can create a lot of output
default :verbose_logging, true
# Identity of this node on the server; nil until configured or derived.
default :node_name, nil
# Diff output controls: disable entirely, or cap by file size / output size (bytes).
default :diff_disabled, false
default :diff_filesize_threshold, 10000000
default :diff_output_threshold, 1000000
# Local mode (chef-zero) is off unless explicitly enabled.
default :local_mode, false
# Configures the mode of operation for ChefFS, which is applied to the
# ChefFS-based knife commands and chef-client's local mode. (ChefFS-based
# knife commands include: knife delete, knife deps, knife diff, knife down,
# knife edit, knife list, knife show, knife upload, and knife xargs.)
#
# Valid values are:
# * "static": ChefFS only manages objects that exist in a traditional Chef
# Repo as of Chef 11.
# * "everything": ChefFS manages all object types that existed on the OSS
# Chef 11 server.
# * "hosted_everything": ChefFS manages all object types as of the Chef 12
# Server, including RBAC objects and Policyfile objects (new to Chef 12).
#
# "hosted_everything" is chosen for local mode without osc_compat, or when
# chef_server_url contains an /organizations/<name> path; otherwise
# "everything". "static" is never selected by default.
default :repo_mode do
if local_mode && !chef_zero.osc_compat
"hosted_everything"
elsif chef_server_url =~ /\/+organizations\/.+/
"hosted_everything"
else
"everything"
end
end
# Daemon pid file path; nil means none is written by config.
default :pid_file, nil
# Whether Chef Zero local mode should bind to a port. All internal requests
# will go through the socketless code path regardless, so the socket is
# only needed if other processes will connect to the local mode server.
#
# For compatibility this is set to true but it will be changed to false in
# the future.
# (See chef_zero.host / chef_zero.port below for where it binds.)
default :listen, true
config_context :chef_zero do
# Strict mode: only the keys declared here may be set under chef_zero.
config_strict_mode true
# Enabled whenever local_mode is on.
default(:enabled) { ChefConfig::Config.local_mode }
# Bind address used when `listen` is true. Kept on the loopback interface so
# the unauthenticated local-mode server is only reachable from this host.
default :host, "localhost"
default :port, 8889.upto(9999) # Will try ports from 8889-9999 until one works
# When set to a String, Chef Zero disables multitenant support. This is
# what you want when using Chef Zero to serve a single Chef Repo. Setting
# this to `false` enables multi-tenant.
default :single_org, "chef"
# Whether Chef Zero should operate in a mode analogous to OSS Chef Server
# 11 (true) or Chef Server 12 (false). Chef Zero can still serve
# policyfile objects in Chef 11 mode, as long as `repo_mode` is set to
# "hosted_everything". The primary differences are:
# * Chef 11 mode doesn't support multi-tennant, so there is no
# distinction between global and org-specific objects (since there are
# no orgs).
# * Chef 11 mode doesn't expose RBAC objects
default :osc_compat, false
end
# Default server URL; explicit values pass through the validating writer above.
default :chef_server_url, "https://localhost:443"
# The server root: chef_server_url with any trailing /organizations/<org>
# removed (split on "/" and drop the last two components).
# NOTE(review): the `$` anchor matches at a line end, not only at the end
# of the string; only the explicitly configured value is examined.
default(:chef_server_root) do
# if the chef_server_url is a path to an organization, aka
# 'some_url.../organizations/*' then remove the '/organization/*' by default
if self.configuration[:chef_server_url] =~ /\/organizations\/\S*$/
self.configuration[:chef_server_url].split("/")[0..-3].join("/")
elsif self.configuration[:chef_server_url] # default to whatever chef_server_url is
self.configuration[:chef_server_url]
else
"https://localhost:443"
end
end
# Timeouts, in seconds: REST requests, yum operations, and waiting for the yum lock.
default :rest_timeout, 300
default :yum_timeout, 900
default :yum_lock_timeout, 30
# chef-solo mode off by default.
default :solo, false
# Are we running in old Chef Solo legacy mode?
default :solo_legacy_mode, false
# Random delay added to interval runs; nil means none.
default :splay, nil
# Why-run (dry run) off by default.
default :why_run, false
# Colour output off by default.
default :color, false
# Fork a child process for the run.
default :client_fork, true
default :ez, false
# Reporting to the server on by default; URL failures are non-fatal unless
# enable_reporting_url_fatals is set.
default :enable_reporting, true
default :enable_reporting_url_fatals, false
# Possible values for :audit_mode
# :enabled, :disabled, :audit_only,
#
# TODO: 11 Dec 2014: Currently audit-mode is an experimental feature
# and is disabled by default. When users choose to enable audit-mode,
# a warning is issued in application/client#reconfigure.
# This can be removed when audit-mode is enabled by default.
default :audit_mode, :disabled
# Chef only needs ohai to run the hostname plugin for the most basic
# functionality. If the rest of the ohai plugins are not needed (like in
# most of our testing scenarios)
default :minimal_ohai, false
###
# Policyfile Settings
#
# Policyfile is a feature where a node gets its run list and cookbook
# version set from a single document on the server instead of expanding the
# run list and having the server compute the cookbook version set based on
# environment constraints.
#
# Policyfiles are auto-versioned. The user groups nodes by `policy_name`,
# which generally describes a hosts's functional role, and `policy_group`,
# which generally groups nodes by deployment phase (a.k.a., "environment").
# The Chef Server maps a given set of `policy_name` plus `policy_group` to
# a particular revision of a policy.
#
# Both default to nil: no policy is selected unless configured.
default :policy_name, nil
default :policy_group, nil
# Policyfiles can have multiple run lists, via the named run list feature.
# Generally this will be set by a CLI option via Chef::Application::Client,
# but it could be set in client.rb if desired.
default :named_run_list, nil
# During initial development, users were required to set `use_policyfile true`
# in `client.rb` to opt-in to policyfile use. Chef Client now examines
# configuration, node json, and the stored node to determine if policyfile
# usage is desired. This flag is still honored if set, but is unnecessary.
default :use_policyfile, false
# Policyfiles can be used in a native mode (default) or compatibility mode.
# Native mode requires Chef Server 12.1 (it can be enabled via feature flag
# on some prior versions). In native mode, policies and associated
# cookbooks are accessed via feature-specific APIs. In compat mode,
# policies are stored as data bags and cookbooks are stored at the
# cookbooks/ endpoint. Compatibility mode can be dangerous on existing Chef
# Servers; it's recommended to upgrade your Chef Server rather than use
# compatibility mode. Compatibility mode remains available so you can use
# policyfiles with servers that don't yet support the native endpoints.
default :policy_document_native_api, true
# When policyfiles are used in compatibility mode, `policy_name` and
# `policy_group` are instead specified using a combined configuration
# setting, `deployment_group`. For example, if policy_name should be
# "webserver" and policy_group should be "staging", then `deployment_group`
# should be set to "webserver-staging", which is the name of the data bag
# item that the policy will be stored as. NOTE: this setting only has an
# effect if `policy_document_native_api` is set to `false`.
default :deployment_group, nil
# Set these to enable SSL authentication / mutual-authentication
# with the server
# Client side SSL cert/key for mutual auth
# (paths; nil disables client certificate authentication)
default :ssl_client_cert, nil
default :ssl_client_key, nil
# Whether or not to verify the SSL cert for all HTTPS requests. When set to
# :verify_peer (default), all HTTPS requests will be validated regardless of other
# SSL verification settings. When set to :verify_none no HTTPS requests will
# be validated.
default :ssl_verify_mode, :verify_peer
# Whether or not to verify the SSL cert for HTTPS requests to the Chef
# server API. If set to `true`, the server's cert will be validated
# regardless of the :ssl_verify_mode setting. This is set to `true` when
# running in local-mode.
# NOTE: This is a workaround until verify_peer is enabled by default.
default(:verify_api_cert) { ChefConfig::Config.local_mode }
# Path to the default CA bundle files.
default :ssl_ca_path, nil
# CA bundle file: only set by default on Windows, when embedded_dir (defined
# elsewhere in this class) points at an install that ships
# ssl/certs/cacert.pem; nil everywhere else.
default(:ssl_ca_file) do
if ChefConfig.windows? && embedded_dir
cacert_path = File.join(embedded_dir, "ssl/certs/cacert.pem")
cacert_path if File.exist?(cacert_path)
else
nil
end
end
# A directory that contains additional SSL certificates to trust. Any
# certificates in this directory will be added to whatever CA bundle ruby
# is using. Use this to add self-signed certs for your Chef Server or local
# HTTP file servers.
# (Anything placed here is trusted, so the directory should be writable
# only by the account that owns the config.)
default(:trusted_certs_dir) { PathHelper.join(config_dir, "trusted_certs") }
# A directory that contains additional configuration scripts to load for chef-client
default(:client_d_dir) { PathHelper.join(config_dir, "client.d") }
# A directory that contains additional configuration scripts to load for solo
default(:solo_d_dir) { PathHelper.join(config_dir, "solo.d") }
# A directory that contains additional configuration scripts to load for
# the workstation config
default(:config_d_dir) { PathHelper.join(config_dir, "config.d") }
# Where should chef-solo download recipes from?
default :recipe_url, nil
# Set to true if Chef is to set OpenSSL to run in FIPS mode
#
# Truth table: CHEF_FIPS="" => false; CHEF_FIPS set to anything else =>
# true; CHEF_FIPS unset => ChefConfig.fips? (system-level check).
default(:fips) do
# CHEF_FIPS is used in testing to override checking for system level
# enablement. There are 3 possible values that this variable may have:
# nil - no override and the system will be checked
# empty - FIPS is NOT enabled
# a non empty value - FIPS is enabled
if ENV["CHEF_FIPS"] == ""
false
else
!ENV["CHEF_FIPS"].nil? || ChefConfig.fips?
end
end
# Initialize openssl: switches OpenSSL into FIPS mode (via enable_fips_mode)
# when the `fips` setting resolves to true; otherwise does nothing.
def self.init_openssl
  return unless fips

  enable_fips_mode
end
# Sets the version of the signed header authentication protocol to use (see
# the 'mixlib-authorization' project for more detail). Currently, versions
# 1.0, 1.1, and 1.3 are available.
#
# Under FIPS mode 1.3 is selected; otherwise 1.1.
default :authentication_protocol_version do
if fips
"1.3"
else
"1.1"
end
end
# This key will be used to sign requests to the Chef server. This location
# must be writable by Chef during initial setup when generating a client
# identity on the server.
#
# The chef-server will look up the public key for the client using the
# `node_name` of the client.
#
# If chef-zero is enabled, this defaults to nil (no authentication).
# Otherwise /etc/chef/client.pem, run through platform_specific_path.
default(:client_key) { chef_zero.enabled ? nil : platform_specific_path("/etc/chef/client.pem") }
# When registering the client, should we allow the client key location to
# be a symlink? eg: /etc/chef/client.pem -> /etc/chef/prod-client.pem
# If the path of the key goes through a directory like /tmp this should
# never be set to true or its possibly an easily exploitable security hole.
default :follow_client_key_symlink, false
# This secret is used to decrypt encrypted data bag items.
# Defaults to /etc/chef/encrypted_data_bag_secret (platform-adjusted) when
# that file exists, otherwise nil.
default(:encrypted_data_bag_secret) do
if File.exist?(platform_specific_path("/etc/chef/encrypted_data_bag_secret"))
platform_specific_path("/etc/chef/encrypted_data_bag_secret")
else
nil
end
end
# As of Chef 11.0, version "1" is the default encrypted data bag item
# format. Version "2" is available which adds encrypt-then-mac protection.
# To maintain compatibility, versions other than 1 must be opt-in.
#
# Set this to `2` if you have chef-client 11.6.0+ in your infrastructure.
# Set this to `3` if you have chef-client 11.?.0+, ruby 2 and OpenSSL >= 1.0.1 in your infrastructure. (TODO)
default :data_bag_encrypt_version, 1
# When reading data bag items, any supported version is accepted. However,
# if all encrypted data bags have been generated with the version 2 format,
# it is recommended to disable support for earlier formats to improve
# security. For example, the version 2 format is identical to version 1
# except for the addition of an HMAC, so an attacker with MITM capability
# could downgrade an encrypted data bag to version 1 as part of an attack.
# The default of 0 accepts every format; raise it once all items are
# re-encrypted at the higher version.
default :data_bag_decrypt_minimum_version, 0
# If there is no file in the location given by `client_key`, chef-client
# will temporarily use the "validator" identity to generate one. If the
# `client_key` is not present and the `validation_key` is also not present,
# chef-client will not be able to authenticate to the server.
#
# The `validation_key` is never used if the `client_key` exists.
#
# If chef-zero is enabled, this defaults to nil (no authentication).
# Otherwise /etc/chef/validation.pem, run through platform_specific_path.
default(:validation_key) { chef_zero.enabled ? nil : platform_specific_path("/etc/chef/validation.pem") }
# Name of the validator client the validation_key belongs to.
default :validation_client_name, "chef-validator"
# When creating a new client via the validation_client account, Chef 11
# servers allow the client to generate a key pair locally and send the
# public key to the server. This is more secure and helps offload work from
# the server, enhancing scalability. If enabled and the remote server
# implements only the Chef 10 API, client registration will not work
# properly.
#
# The default value is `true`. Set to `false` to disable client-side key
# generation (server generates client keys).
default(:local_key_generation) { true }
# Zypper package provider gpg checks. Set to true to enable package
# gpg signature checking. This will be default in the
# future. Setting to false disables the warnings.
# Leaving this set to nil or false is a security hazard!
default :zypper_check_gpg, nil
# Report Handlers
default :report_handlers, []
# Event Handlers (add_event_logger above appends to this list)
default :event_handlers, []
default :disable_event_loggers, false
# Exception Handlers
default :exception_handlers, []
# Start handlers
default :start_handlers, []
# Syntax Check Cache. Knife keeps track of files that is has already syntax
# checked by storing files in this directory. `syntax_check_cache_path` is
# the new (and preferred) configuration setting. If not set, knife will
# fall back to using cache_options[:path], which is deprecated but exists in
# many client configs generated by pre-Chef-11 bootstrappers.
default(:syntax_check_cache_path) { cache_options[:path] }
# Deprecated:
# Move this to the default value of syntax_cache_path when this is removed.
# (Default: { :path => <config_dir>/syntaxcache })
default(:cache_options) { { :path => PathHelper.join(config_dir, "syntaxcache") } }
# Whether errors should be raised for deprecation warnings. When set to
# `false` (the default setting), a warning is emitted but code using
# deprecated methods/features/etc. should work normally otherwise. When set
# to `true`, usage of deprecated methods/features will raise a
# `DeprecatedFeatureError`. This is used by Chef's tests to ensure that
# deprecated functionality is not used internally by Chef. End users
# should generally leave this at the default setting (especially in
# production), but it may be useful when testing cookbooks or other code if
# the user wishes to aggressively address deprecations.
#
# Only the presence of the variable matters, not its value.
default(:treat_deprecation_warnings_as_errors) do
# Using an environment variable allows this setting to be inherited in
# tests that spawn new processes.
ENV.key?("CHEF_TREAT_DEPRECATION_WARNINGS_AS_ERRORS")
end
# knife configuration data
config_context :knife do
# XXX: none of these default values are applied to knife (and would create a backcompat
# break in knife if this bug was fixed since many of the defaults below are wrong). this appears
# to be the start of an attempt to be able to use config_strict_mode true? if so, this approach
# is fraught with peril because this namespace is used by every knife plugin in the wild and
# we would need to validate every cli option in every knife attribute out there and list them all here.
#
# based on the way that people may define `knife[:foobar] = "something"` for the knife-foobar
# gem plugin i'm pretty certain we can never turn on anything like config_string_mode since
# any config value may be a typo or it may be in some gem in some knife plugin we don't know about.
#
# we do still need to maintain at least one of these so that the knife config hash gets
# created.
#
# this whole situation is deeply unsatisfying.
#
# Note that `secret`, `secret_file` and `identity_file` name credential
# material, and Config.inspect (above) prints every configured value.
default :ssh_port, nil
default :ssh_user, nil
default :ssh_attribute, nil
default :ssh_gateway, nil
default :bootstrap_version, nil
default :bootstrap_proxy, nil
default :bootstrap_template, nil
default :secret, nil
default :secret_file, nil
default :identity_file, nil
default :host_key_verify, nil
default :forward_agent, nil
default :sort_status_reverse, nil
default :hints, {}
end
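# Registers the Windows flavour of the user/group name validators.
#
# Those lists of regular expressions define what chef considers a
# valid user and group name
# From http://technet.microsoft.com/en-us/library/cc776019(WS.10).aspx
#
# The patterns are anchored with \A and \z so the whole value must match;
# the earlier ^/$ anchors match at line boundaries, which let a name with
# an embedded newline pass validation on its first line alone.
def self.set_defaults_for_windows
  # One principal name: any run of characters other than the ones Windows
  # forbids (quotes, slashes, brackets, colon, semicolon, |, =, comma, +,
  # *, ?, <, >).
  principal_valid_regex_part = '[^"\/\\\\\[\]\:;|=,+*?<>]+'
  # Optional DOMAIN\ prefix followed by the principal name.
  default :user_valid_regex, [ /\A(#{principal_valid_regex_part}\\)?#{principal_valid_regex_part}\z/ ]
  default :group_valid_regex, [ /\A(#{principal_valid_regex_part}\\)?#{principal_valid_regex_part}\z/ ]
  # When false, failing the Windows admin check is a warning rather than fatal.
  default :fatal_windows_admin_check, false
end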
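# Registers the Unix flavour of the user/group name validators.
#
# Those lists of regular expressions define what chef considers a
# valid user and group name
#
# user/group cannot start with '-', '+' or '~'
# user/group cannot contain ':', ',' or non-space-whitespace or null byte
# everything else is allowed (UTF-8, spaces, etc) and we delegate to your O/S useradd program to barf or not
# copies: http://anonscm.debian.org/viewvc/pkg-shadow/debian/trunk/debian/patches/506_relaxed_usernames?view=markup
#
# The patterns are anchored with \A and \z so the whole value must match;
# the earlier ^/$ anchors match at line boundaries, which let a name with
# an embedded newline pass validation on its first line alone.
def self.set_defaults_for_nix
  default :user_valid_regex, [ /\A[^-+~:,\t\r\n\f\0]+[^:,\t\r\n\f\0]*\z/ ]
  default :group_valid_regex, [ /\A[^-+~:,\t\r\n\f\0]+[^:,\t\r\n\f\0]*\z/ ]
end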
# Those lists of regular expressions define what chef considers a
# valid user and group name
# Runs at class-load time: which validator set is installed is fixed by the
# platform the process is running on.
if ChefConfig.windows?
set_defaults_for_windows
else
set_defaults_for_nix
end
# This provides a hook which rspec can stub so that we can avoid twiddling
# global state in tests. platform_specific_path reads SYSTEMDRIVE through
# this hook rather than touching ENV directly.
#
# Returns the process environment (the ENV object itself, not a copy).
def self.env
  ::ENV
end
# Deprecated alias for PathHelper.home; logs a deprecation every time it is
# called and then delegates.
#
# @return the value of PathHelper.home
def self.windows_home_path
  message = "Chef::Config.windows_home_path is now deprecated. Consider using Chef::Util::PathHelper.home instead."
  ChefConfig.logger.deprecation(message)
  PathHelper.home
end
# Platform-specific path to the user's home directory; falls back to the
# current working directory when no home can be determined.
default(:user_home) { PathHelper.home || Dir.pwd }

# Fix up file permissions for SELinux after writing a file. Only takes
# effect when SELinux is enabled on the system.
default :enable_selinux_file_permission_fixup, true

# Update the contents of file resources atomically (write elsewhere, then
# move into place). When false, a copy operation is used instead.
#
# NOTE: CHANGING THIS SETTING MAY CAUSE CORRUPTION, DATA LOSS AND
# INSTABILITY.
default :file_atomic_update, true

# Where the staging file for an atomic update lives:
#   true  => in the destination directory
#   false => as a tempfile under ENV['TMP']
#   :auto => the destination directory when usable, ENV['TMP'] otherwise
default :file_staging_uses_destdir, :auto

# Seconds to wait for the run lock when another run is in progress before
# exiting. nil enforces no timeout; 0 exits immediately.
default :run_lock_timeout, nil

# Worker threads used to sync cookbooks in parallel. Raising this can
# provoke gateway errors (503 and 504) from the server; if that happens
# with the default, reduce the number.
default :cookbook_sync_threads, 10

# The cookbook manifests downloaded at the start of a run carry URLs for
# every file in every relevant cookbook. Recipes, resources, providers,
# libraries, etc. are always synchronized immediately. The "files" and
# "templates" directories have two modes: fetched up front with everything
# else (no_lazy_load == true), or fetched lazily when a cookbook_file or
# template resource that needs them is converged (no_lazy_load == false).
#
# Lazy loading avoids syncing files a given client never uses, which can
# help with large files checked into cookbooks that only some clients need.
# Better answers to that problem are to isolate large files in their own
# cookbooks that only appear in the relevant run lists, or to serve them
# via remote_file from a proper backing store such as S3.
#
# Lazy loading also confuses users who find their cache only partly
# synchronized, and -- more importantly -- the time-sensitive manifest URLs
# can expire during a long run before the resource that needs the file is
# converged, producing hard-to-diagnose 403 errors on template and
# cookbook_file resources.
default :no_lazy_load, true

# Default for the chef_gem compile_time attribute. nil behaves like true
# but warns on every chef_gem use, prompting the user to be explicit. true
# keeps the backcompat behavior with a single nag that cookbooks may break
# in the future. false is the recommended setting and will become the
# default.
default :chef_gem_compile_time, nil

# Whitelists of node attributes sent over the wire when node data is saved,
# one per precedence level. nil (the default) collects everything; [] sends
# nothing for that level.
%i[automatic default normal override].each do |precedence|
  default :"#{precedence}_attribute_whitelist", nil
end

# Pull down every rubygems version list the first time a gem_package or
# chef_gem install happens and cache it. Memory-expensive and unbounded,
# but it saves network round trips.
default :rubygems_cache_enabled, false
config_context(:windows_service) do
  # Seconds the Windows service waits for a chef-client run to finish
  # before treating it as hung (2 hours).
  default(:watchdog_timeout, 2 * 60 * 60)
end
# Empty, non-strict config_context for chefdk. It lets a config.rb contain
# lines such as `chefdk.generator_cookbook "/path/to/cookbook"` without
# knife or ohai complaining; ChefDK itself declares the options it accepts
# and may enable strict mode, which then only applies to `chef` commands.
config_context(:chefdk) {}
# Data Collector reporting: where run data is sent, which token accompanies
# it, and in which Chef modes the collector is active.
config_context(:data_collector) do
  # Full URL of the endpoint that receives run data, e.g.
  # http://my-data-collector.mycompany.com/ingest. nil disables the
  # collector entirely.
  default(:server_url, nil)

  # Optional pre-shared token sent as the x-data-collector-token HTTP
  # header so the receiver can decide whether to trust the poster of the
  # run data. It is a credential: keep the config file it lives in
  # appropriately protected. Ex: some-uuid-here
  default(:token, nil)

  # Chef mode(s) in which the collector may run: :solo (covers both Solo
  # Legacy Mode and Client Local Mode), :client, or :both.
  default(:mode, :both)

  # Normally a failure to deliver the "starting a run" message just
  # disables the collector for that run. In highly-regulated environments
  # it can be preferable that an unreported run does not happen at all;
  # setting this to true raises before any converge activity starts.
  default(:raise_on_failure, false)

  # User-supplied organization string included in Solo-mode payloads, so
  # Solo nodes can be grouped under a faux organization without being
  # attached to a real Chef Server.
  default(:organization, nil)
end
# Proxy settings: a host (optionally scheme://host:port) plus optional
# credentials for each of http, https and ftp, and the no_proxy exclusion
# list. Declared in this order so the resulting config keys match the
# historical layout.
%w[http https ftp].each do |scheme|
  configurable(:"#{scheme}_proxy")
  configurable(:"#{scheme}_proxy_user")
  configurable(:"#{scheme}_proxy_pass")
end
configurable(:no_proxy)
# Export the configured proxies to the corresponding environment variables.
# Call this after the config file has been parsed and loaded; a scheme is
# only exported when its *_proxy value is set.
#
# TODO add some post-file-parsing logic that automatically calls this so
# users don't have to
#
# @return [void]
def self.export_proxies
  {
    "http" => [http_proxy, http_proxy_user, http_proxy_pass],
    "https" => [https_proxy, https_proxy_user, https_proxy_pass],
    "ftp" => [ftp_proxy, ftp_proxy_user, ftp_proxy_pass],
  }.each do |scheme, (host, user, pass)|
    export_proxy(scheme, host, user, pass) if host
  end
  export_no_proxy(no_proxy) if no_proxy
end
# Character classes handed to Addressable when encoding proxy credentials.
# See https://www.ietf.org/rfc/rfc3986.txt section 3.2.1.
character_classes = Addressable::URI::CharacterClasses
# The user part of userinfo may not contain ':' -- it separates the user
# from the password.
USER = character_classes::UNRESERVED + character_classes::SUB_DELIMS
# The password part may contain any valid USERINFO character, ':' included.
PASSWORD = USER + "\\:"
# Builds a proxy URI and exports it to the lowercase and uppercase
# "<scheme>_proxy" environment variables. Resulting forms look like:
#   http://username:password@hostname:port
#   https://username@hostname:port
#   ftp://hostname:port
#
# @param scheme [String] "http", "https" or "ftp"
# @param path [String] hostname:port, or a full scheme://hostname:port
# @param user [String, nil] proxy username; ignored when nil or empty
# @param pass [String, nil] proxy password; only used together with a user
# @return [void]
#
# Environment variables that are already set are left untouched.
# NOTE: credentials exported here live in the process environment, so every
# child process Chef spawns inherits them and anything that dumps ENV for
# diagnostics will include the password.
# @api private
def self.export_proxy(scheme, path, user, pass)
  proxy_url = path.include?("://") ? path : "#{scheme}://#{path}"
  uri = Addressable::URI.encode(proxy_url, Addressable::URI)
  if user && !user.empty?
    credentials = Addressable::URI.encode_component(user, USER)
    credentials << ":#{Addressable::URI.encode_component(pass, PASSWORD)}" if pass
    uri.userinfo = credentials
  end
  exported = uri.to_s
  variable = "#{scheme}_proxy"
  [variable.downcase, variable.upcase].each do |key|
    ENV[key] ||= exported
  end
end
# Export the no_proxy exclusion list to both no_proxy and NO_PROXY, without
# overriding either variable if it is already set.
#
# @param value [String] comma-separated host list
# @return [void]
# @api private
def self.export_no_proxy(value)
  %w[no_proxy NO_PROXY].each do |key|
    ENV[key] ||= value
  end
end
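# Given a scheme, host, and port, return the proxy URI to use for that
# destination based on the environment, or nil when no proxy is configured
# or the host is excluded by no_proxy.
#
# @param scheme [String] the destination's scheme ("http", "https", ...);
#   it selects which "<scheme>_proxy" variable is read. Only the lowercase
#   name is consulted here (export_proxy sets both spellings).
# @param host [String] destination hostname, matched against ENV["no_proxy"]
# @param port unused; kept so existing callers keep working
# @return [URI::Generic, nil]
# @raise [URI::InvalidURIError] when the proxy value does not parse
def self.proxy_uri(scheme, host, port)
  proxy_env_var = ENV["#{scheme}_proxy"].to_s.strip
  # A bare "host:port" value has no scheme, so borrow the destination's
  # scheme before parsing. The check is anchored with \A rather than ^ so it
  # looks at the start of the whole value, not at the start of any line.
  proxy = unless proxy_env_var.empty?
            if proxy_env_var =~ %r{\A.*://}
              URI.parse(proxy_env_var)
            else
              URI.parse("#{scheme}://#{proxy_env_var}")
            end
          end
  return nil if fuzzy_hostname_match_any?(host, ENV["no_proxy"])
  proxy
end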
# Pick an English UTF-8 locale for Chef to run under.
#
# Chef needs an English-language UTF-8 locale to function properly. We run
# 'locale -a' and walk a preference list: 'C.UTF-8' first (present on
# Ubuntu even without an English locale, absent on Mac, Solaris, AIX, ...),
# then the common English UTF-8 spellings, then any en_ZZ UTF-8 locale, and
# finally 'C'. The fallback is pick-your-poison: a non-US UTF-8 locale
# breaks providers that parse command output (e.g. 'svn info' in Japanese),
# while 'C' blows up on UTF-8 characters; the warning we emit plus ruby's
# Encoding exception make the latter the more diagnosable failure.
#
# Without a usable 'locale -a' we answer 'en_US.UTF-8', the most commonly
# available English UTF-8 locale; all modern POSIXen should have the command.
#
# @return [String] locale name
def self.guess_internal_locale
  # https://github.com/opscode/chef/issues/2181
  # The output of `locale -a` may contain bytes that are invalid in the
  # default encoding (CentOS 6 with ENV['LANG'] = "en_US.UTF-8" is one
  # example); #split then raises ArgumentError and we land in the rescue.
  shell = Mixlib::ShellOut.new("locale -a").run_command
  shell.error!
  available = shell.stdout.split

  return "C.UTF-8" if available.include?("C.UTF-8")
  return "en_US.UTF-8" if available.include?("en_US.UTF-8") || available.include?("en_US.utf8")
  return "en.UTF-8" if available.include?("en.UTF-8")

  # Accept en_ZZ.UTF-8, en_ZZ.utf-8, en_ZZ.UTF8 or en_ZZ.utf8.
  english_utf8 = available.find { |name| name =~ /^en_.*UTF-?8$/i }
  if english_utf8
    # Normalize the suffix to the canonical en_ZZ.UTF-8 spelling.
    english_utf8.gsub(/UTF-?8$/i, "UTF-8")
  else
    ChefConfig.logger.warn "Please install an English UTF-8 locale for Chef to use, falling back to C locale and disabling UTF-8 support."
    "C"
  end
rescue
  # No `locale` binary, a non-zero exit, or undecodable output all end up
  # here; assume the most common English UTF-8 locale is installed.
  if ChefConfig.windows?
    ChefConfig.logger.debug "Defaulting to locale en_US.UTF-8 on Windows, until it matters that we do something else."
  else
    ChefConfig.logger.debug "No usable locale -a command found, assuming you have en_US.UTF-8 installed."
  end
  "en_US.UTF-8"
end
# Locale Chef runs under, computed once at load time (see guess_internal_locale).
default(:internal_locale, guess_internal_locale)

# Force UTF-8 as the ruby encoding, for when we start in the 'C' locale or
# some other odd one (e.g. Japanese Windows encodings). Without this, knife
# upload fails as soon as a cookbook README.md contains UTF-8 characters
# that the surrounding encoding cannot represent. The Chef ecosystem is
# UTF-8 by default; anyone who needs to upload Shift_JIS or ISO-8859-1
# files must mark *those* files with magic encoding comments so ruby
# identifies them correctly. Changing this default breaks community
# cookbooks and is very highly discouraged.
default(:ruby_encoding, Encoding::UTF_8)

# Base URL of the rubygems service. Keep it https so gem metadata and
# downloads are not fetched over plaintext.
default(:rubygems_url, "https://rubygems.org")
# Locate the omnibus "embedded" directory, which holds all the software
# packaged with the installer, by walking up from this file. Used to find
# the cacert.pem file on Windows.
#
# @return [String, nil] path of the nearest ancestor named "embedded", or
#   nil when this file does not live under an omnibus install
def self.embedded_dir
  install_root = Pathname.new(_this_file).enum_for(:ascend).find do |dir|
    dir.basename.to_s == "embedded"
  end
  install_root ? install_root.to_s : nil
end
# Absolute path of this file in the current install.
#
# @return [String]
def self._this_file
  File.expand_path(__FILE__, Dir.pwd)
end
# Turn on FIPS mode in OpenSSL and patch the digest constants so Chef runs
# do not crash afterwards.
#
# Digest::SHA1 is pointed at OpenSSL's implementation, and
# OpenSSL::Digest::MD5 at ruby's own Digest::MD5. NOTE(review): that second
# swap presumably exists because OpenSSL refuses MD5 in FIPS mode; it means
# MD5 stays callable through an implementation outside the FIPS boundary,
# so code relying on FIPS to block MD5 should not assume it is gone --
# confirm against the callers.
#
# @raise [OpenSSL::OpenSSLError] if OpenSSL cannot enter FIPS mode
# @return [void]
# @api private
def self.enable_fips_mode
  OpenSSL.fips_mode = true
  require "digest"
  require "digest/sha1"
  require "digest/md5"
  replacements = [
    [Digest, "SHA1", OpenSSL::Digest::SHA1],
    [OpenSSL::Digest, "MD5", Digest::MD5],
  ]
  replacements.each do |namespace, name, implementation|
    # Drop the existing constant first so the reassignment does not spam
    # "already initialized constant" warnings into the log.
    namespace.send(:remove_const, name) if namespace.const_defined?(name)
    namespace.const_set(name, implementation)
  end
  ChefConfig.logger.debug "FIPS mode is enabled."
end
end
end