#
# Author:: Adam Jacob (<adam@chef.io>)
# Author:: Christopher Brown (<cb@chef.io>)
# Author:: AJ Christensen (<aj@chef.io>)
# Author:: Mark Mzyk (<mmzyk@chef.io>)
# Author:: Kyle Goodwin (<kgoodwin@primerevenue.com>)
# Copyright:: Copyright (c) Chef Software Inc.
# License:: Apache License, Version 2.0
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
require "mixlib/config" unless defined?(Mixlib::Config)
autoload :Pathname, "pathname"
autoload :ChefUtils, "chef-utils"
require_relative "fips"
require_relative "logger"
require_relative "windows"
require_relative "path_helper"
require_relative "mixin/fuzzy_hostname_matcher"
module Mixlib
autoload :ShellOut, "mixlib/shellout"
end
autoload :URI, "uri"
module Addressable
autoload :URI, "addressable/uri"
end
autoload :OpenSSL, "openssl"
autoload :YAML, "yaml"
require "chef-utils/dist" unless defined?(ChefUtils::Dist)
module ChefConfig
class Config
# Brings in the configuration DSL used throughout this class body:
# configurable/default/config_context, writes_value, configuration, [] / []=.
extend Mixlib::Config
# Hostname-matching helpers; presumably consumed by settings declared later in
# this file (not visible in this excerpt) — verify against the full file.
extend ChefConfig::Mixin::FuzzyHostnameMatcher
# Evaluates +string+ as Ruby in the context of this config class, exactly the
# way a config file (client.rb etc.) is loaded. The caller is responsible for
# trusting the source of +string+: it runs with the full power of Ruby.
#
# @param string [String] Ruby source holding configuration statements
# @param filename [String] label shown in backtraces; need not exist on disk
# @return [Object] the value of the last expression in +string+
def self.from_string(string, filename)
  first_line = 1 # backtrace line numbers start at 1
  instance_eval(string, filename, first_line)
end
# Renders the current configuration hash, so inspecting the class shows the
# settings rather than a bare class name.
#
# @return [String]
def self.inspect
  settings = configuration
  settings.inspect
end
# Translates a *nix style config path into the equivalent path for the
# current platform.
#
# @example client.pem path on Windows
#   platform_specific_path("/etc/chef/client.pem") #=> "C:\\chef\\client.pem"
# @param path [String] the unix path to convert
# @return [String] the platform-specific path (unchanged on non-Windows)
def self.platform_specific_path(path)
  converted = PathHelper.cleanpath(path)
  return converted unless ChefUtils.windows?

  # \etc\chef\... and \var\chef\... both collapse onto <drive>/chef/...; the
  # drive is the one this file was loaded from rather than a hard-coded C:,
  # since some installations live on other drives.
  drive = windows_installation_drive
  rooted = converted[0] == "\\"
  under_chef = converted.split("\\")[2] == "chef"
  if drive && rooted && under_chef
    remainder = converted.split("\\", 3)[2]
    converted = PathHelper.join(drive, remainder)
  end
  converted
end
# The system-wide config directory: /etc/chef on *nix, C:\chef on Windows.
# Results are memoized per +windows+ flag in a class instance variable.
#
# @param windows [Boolean] force the Windows or unix-style form
# @return [String] the platform-specific path
#
def self.etc_chef_dir(windows: ChefUtils.windows?)
  memo = (@etc_chef_dir ||= {})
  memo[windows] ||= begin
    base = if windows
             c_chef_dir
           else
             PathHelper.join("/etc", ChefUtils::Dist::Infra::DIR_SUFFIX, windows: windows)
           end
    PathHelper.cleanpath(base, windows: windows)
  end
end
# The system-wide state directory: /var/chef on *nix, C:\chef on Windows.
# Unlike etc_chef_dir this is recomputed on every call.
#
# @param windows [Boolean] force the Windows or unix-style form
# @return [String] the platform-specific path
#
def self.var_chef_dir(windows: ChefUtils.windows?)
  base = if windows
           c_chef_dir
         else
           PathHelper.join("/var", ChefUtils::Dist::Infra::DIR_SUFFIX, windows: windows)
         end
  PathHelper.cleanpath(base, windows: windows)
end
# The parent of the state directory: /var on *nix, C:\ on Windows. Note that,
# unlike c_chef_dir, the Windows form does not consult windows_installation_drive.
#
# @param windows [Boolean] force the Windows or unix-style form
# @return [String] the platform-specific path
#
def self.var_root_dir(windows: ChefUtils.windows?)
  root = if windows
           "C:\\"
         else
           "/var"
         end
  PathHelper.cleanpath(root, windows: windows)
end
# On windows, <drive>/chef/ — the drive Chef was installed on, or C: when
# that cannot be determined.
#
# (should only be called in a windows-context)
#
# @param windows [Boolean] force the Windows or unix-style join
# @return [String] the platform-specific path
#
def self.c_chef_dir(windows: ChefUtils.windows?)
  drive = windows_installation_drive
  drive ||= "C:"
  PathHelper.join(drive, ChefUtils::Dist::Infra::DIR_SUFFIX, windows: windows)
end
# On windows, <drive>/opscode/chef — the legacy configuration location, on the
# drive Chef was installed on (C: when that cannot be determined).
#
# (should only be called in a windows-context)
#
# @param windows [Boolean] force the Windows or unix-style join
# @return [String] the platform-specific path
#
def self.c_opscode_dir(windows: ChefUtils.windows?)
  drive = windows_installation_drive
  drive ||= "C:"
  segments = [ChefUtils::Dist::Org::LEGACY_CONF_DIR, ChefUtils::Dist::Infra::DIR_SUFFIX]
  PathHelper.join(drive, *segments, windows: windows)
end
# The drive Chef is installed on, for a windows host: the drive component of
# this file's expanded path, falling back to the SYSTEMDRIVE environment
# variable when that component is empty.
#
# (should only be called in a windows-context)
#
# @return [String, nil] the drive letter; nil when not running on Windows
#
def self.windows_installation_drive
  return unless ChefUtils.windows?

  drive = File.expand_path(__FILE__).split("/", 2).first
  drive = ENV["SYSTEMDRIVE"] if drive.to_s.empty?
  drive
end
# Registers an output formatter as a [name, file_path] pair on the
# `formatters` setting.
#
# @param name [String]
# @param file_path [String, nil] optional output file for the formatter
# @return [Array] the updated formatters list
def self.add_formatter(name, file_path = nil)
  entry = [name, file_path]
  formatters.push(entry)
end
# Appends an event handler to `event_handlers` (a setting declared elsewhere
# in this file).
#
# @param logger [String, Object] the handler to register (annotated as String
#   upstream; nothing here constrains its type)
# @return [Array] the updated handler list
def self.add_event_logger(logger)
  event_handlers.push(logger)
end
# Parses "key=value" strings (as given on the command line via
# --config-option) and applies them to the configuration.
#
# Each value goes through YAML.safe_load, so simple scalars ("5", "true",
# "[a, b]") become the corresponding Ruby types while arbitrary object
# deserialization stays disabled; Date is the only extra class permitted.
#
# @param extra_config_options [Array<String>, nil] "key=value" entries; nil is a no-op
# @raise [UnparsableConfigOption] when an entry is empty or lacks "="
# @return [void]
def self.apply_extra_config_options(extra_config_options)
  return unless extra_config_options

  parsed = extra_config_options.each_with_object({}) do |option, acc|
    unless option.include?("=") && !option.empty?
      raise UnparsableConfigOption, "Unparsable config option #{option.inspect}"
    end

    # The separator may be padded ("foo = bar"); only the first "=" splits.
    key, raw_value = option.split(/\s*=\s*/, 2)
    # Chef::Config wants symbol keys.
    acc[key.to_sym] = YAML.safe_load(raw_value, permitted_classes: [Date])
  end
  set_extra_config_options(parsed)
end
# Writes already-parsed options into the config through :[]= so that any
# writes_value coercions registered on the settings still run.
#
# @param extra_parsed_options [Hash{Symbol, String => Object}]
# @return [Hash] the input hash (result of #each_pair)
def self.set_extra_config_options(extra_parsed_options)
  extra_parsed_options.each_pair do |key, value|
    self[key.to_sym] = value
  end
end
# Config file to load (client.rb, knife.rb, ...); the default is chosen by the
# application (knife, chef-client, ...) rather than here.
configurable(:config_file)

# Directory the config file lives in. Without a config_file this is
# <user_home>/<USER_CONF_DIR>/ (the empty last segment yields the trailing
# separator).
default(:config_dir) do
  next PathHelper.dirname(PathHelper.canonical_path(config_file, false)) if config_file

  PathHelper.join(PathHelper.cleanpath(user_home), ChefUtils::Dist::Infra::USER_CONF_DIR, "")
end

# Registered output formatters, as [name, file_path] pairs (see add_formatter)
default(:formatters, [])
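# Checks whether a value is acceptable as a Chef server URL.
#
# Only schemes Chef knows how to talk to are accepted: http://, https:// and
# chefzero:. The match is anchored at the true start of the string (\A) so a
# value carrying an embedded newline before the scheme cannot pass by
# matching at the beginning of a later line; surrounding whitespace is
# ignored to mirror the stripping done when the value is stored.
#
# @param uri [String, #to_s] the URI to validate (nil is treated as "")
#
# @return [Boolean] true when the URL starts with an accepted scheme
def self.is_valid_url?(uri)
  url = uri.to_s.strip
  url.match?(%r{\A(?:https?://|chefzero:)})
end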
# Custom write for chef_server_url: reject anything without an accepted
# scheme, and store the stripped string.
#
# @param [String] url String to be set for all of the chef-server-api URL's
#
configurable(:chef_server_url).writes_value do |uri|
  raise ConfigurationError, "#{uri} is an invalid chef_server_url. The URL must start with http://, https://, or chefzero://." unless is_valid_url?(uri)

  uri.to_s.strip
end

# ActiveSupport monkey-patches 'daemonize' into Kernel. Declaring an explicit
# (identity) writes_value gives this class a real `daemonize` method — the same
# thing method_missing would otherwise provide — so lookups dispatch here
# instead of hitting the Kernel patch.
configurable(:daemonize).writes_value { |v| v }
# Expands one path or a list of paths to absolute form (relative to the
# current working directory); nil passes through untouched.
#
# @param path [String, Array<String>, nil]
# @return [String, Array<String>, nil] same shape as the input
def self.expand_relative_paths(path)
  return if path.nil?
  return File.expand_path(path) if path.is_a?(String)

  Array(path).map { |entry| File.expand_path(entry) }
end
# Assigned cookbook_path / chef_repo_path values are made absolute on write.
configurable(:cookbook_path).writes_value { |path| expand_relative_paths(path) }
configurable(:chef_repo_path).writes_value { |path| expand_relative_paths(path) }

# The root where all local chef object data is stored. cookbooks, data bags,
# environments are all assumed to be in separate directories under this.
# chef-solo uses these directories for input data. knife commands that upload
# or download files (such as knife upload, knife role from file, etc.) work.
#
# Derived from an explicitly set cookbook_path (its parent, or the parents of
# each entry) or cookbook_artifact_path, and otherwise from cache_path.
default(:chef_repo_path) do
  cookbook_dirs = configuration[:cookbook_path]
  artifact_dir = configuration[:cookbook_artifact_path]
  if cookbook_dirs.is_a?(String)
    File.expand_path("..", cookbook_dirs)
  elsif cookbook_dirs
    cookbook_dirs.map { |dir| File.expand_path("..", dir) }
  elsif artifact_dir
    File.expand_path("..", artifact_dir)
  else
    cache_path
  end
end
# Auto-discovers the repo root for local mode by walking up from +cwd+ until
# a directory containing "cookbooks" or "cookbook_artifacts" is found. This
# allows running config-free. If the filesystem root is reached without a
# match, a warning is logged and +cwd+ itself is returned.
#
# @param cwd [String] directory to start the search from
# @return [String] the discovered repo root, or +cwd+
def self.find_chef_repo_path(cwd)
  candidate = cwd
  loop do
    has_cookbooks = File.directory?(PathHelper.join(candidate, "cookbooks"))
    has_artifacts = File.directory?(PathHelper.join(candidate, "cookbook_artifacts"))
    break if has_cookbooks || has_artifacts

    parent = File.expand_path("..", candidate)
    if parent == candidate
      ChefConfig.logger.warn("No cookbooks directory found at or above current directory. Assuming #{cwd}.")
      return cwd
    end
    candidate = parent
  end
  ChefConfig.logger.info("Auto-discovered #{ChefUtils::Dist::Infra::SHORT} repository at #{candidate}")
  candidate
end
# Joins +child_path+ onto chef_repo_path, handling both the single-String and
# the Array-of-roots forms (duplicate roots are collapsed).
#
# @param child_path [String]
# @return [String, Array<String>] same shape as chef_repo_path
def self.derive_path_from_chef_repo_path(child_path)
  roots = chef_repo_path
  return PathHelper.join(roots, child_path) if roots.is_a?(String)

  roots.uniq.map { |root| PathHelper.join(root, child_path) }
end
# Locations of the individual chef object types on disk. Each setting is a
# String or an Array of Strings, defaults to <chef_repo_path>/<subdir>, and
# (except cookbook_path, whose writer is declared earlier in this file) is
# expanded to an absolute path when assigned.
#
# cookbook_path: if chef_repo_path is not specified, this ends up at
# /var/chef/cookbooks.
[
  # setting                  repo subdirectory      expand on write?
  [:acl_path,                "acls",                true],
  [:client_path,             "clients",             true],
  [:client_key_path,         "client_keys",         true],
  [:container_path,          "containers",          true],
  [:cookbook_artifact_path,  "cookbook_artifacts",  true],
  [:cookbook_path,           "cookbooks",           false],
  [:data_bag_path,           "data_bags",           true],
  [:environment_path,        "environments",        true],
  [:group_path,              "groups",              true],
  [:node_path,               "nodes",               true],
  [:policy_path,             "policies",            true],
  [:policy_group_path,       "policy_groups",       true],
  [:role_path,               "roles",               true],
  [:user_path,               "users",               true],
].each do |setting, subdir, expand_on_write|
  setting_def = default(setting) { derive_path_from_chef_repo_path(subdir) }
  setting_def.writes_value { |path| expand_relative_paths(path) } if expand_on_write
end
# DEPRECATED
default(:enforce_path_sanity, false)
# Enforce default paths for all APIs, not just the default internal shell_out
default(:enforce_default_paths, false)
# Formatted Chef Client output is a beta feature and is off by default
default(:formatter, "null")
# How many times the client retries registering with the server
default(:client_registration_retries, 5)
# Directories searched for knife exec scripts that are not in the current directory
default(:script_path, [])
# The root of all caches (checksums, cache and backup). In local mode this
# lives under config_dir. Otherwise /var/chef is used only when it, or /var,
# exists and is readable and writable for this user (/var/chef is created
# later); failing that the cache goes under the user's home directory. In
# target mode the remote host name is appended to the chosen root.
default(:cache_path) do
  next PathHelper.join(config_dir, "local-mode-cache") if local_mode

  system_root = var_root_dir
  system_cache = var_chef_dir
  if path_accessible?(system_cache) || path_accessible?(system_root)
    target_mode? ? PathHelper.join(system_cache, target_mode.host) : system_cache
  else
    fallback = PathHelper.join(user_home, ChefUtils::Dist::Infra::USER_CONF_DIR)
    fallback = PathHelper.join(fallback, target_mode.host) if target_mode?
    ChefConfig.logger.trace("Unable to access cache at #{system_cache}. Switching cache to #{fallback}")
    fallback
  end
end
# True only when +path+ exists and is both readable and writable for the
# current user.
#
# @param path [String]
# @return [Boolean]
def self.path_accessible?(path)
  return false unless File.exist?(path)

  File.readable?(path) && File.writable?(path)
end
# Cookbook files fetched from the server are stored here, keyed by content checksum
default(:checksum_path) { PathHelper.join(cache_path, "checksums") }
# Where chef's cache files are stored
default(:file_cache_path) { PathHelper.join(cache_path, "cache") }.writes_value { |path| expand_relative_paths(path) }
# Where backups of chef-managed files go
default(:file_backup_path) { PathHelper.join(cache_path, "backup") }

# Fixed cache/backup locations used during bootstrap, per filesystem flavour:
# /var/<dist dir>/<leaf> on unix, C:/<dist dir>/<leaf> on windows.
bootstrap_dir = lambda do |root, leaf, windows|
  PathHelper.join(root, ChefUtils::Dist::Infra::DIR_SUFFIX, leaf, windows: windows)
end
default(:unix_bootstrap_file_cache_path) { bootstrap_dir.call("/var", "cache", false) }
default(:windows_bootstrap_file_cache_path) { bootstrap_dir.call("C:", "cache", true) }
default(:unix_bootstrap_file_backup_path) { bootstrap_dir.call("/var", "backup", false) }
default(:windows_bootstrap_file_backup_path) { bootstrap_dir.call("C:", "backup", true) }

# The chef-client (or solo) lockfile.
#
# If your `file_cache_path` resides on a NFS (or non-flock()-supporting fs),
# it's recommended to set this to something like '/tmp/chef-client-running.pid'
default(:lockfile) { PathHelper.join(file_cache_path, "#{ChefUtils::Dist::Infra::CLIENT}-running.pid") }
## Daemonization Settings ##

# The user and group Chef should run as (nil: leave unchanged)
default(:user, nil)
default(:group, nil)
# Process umask, in octal
default(:umask, 0022)

# Valid log_levels are:
# * :trace
# * :debug
# * :info
# * :warn
# * :fatal
# These work as you'd expect. There is also a special `:auto` setting: Chef
# picks the verbosity from context. With a tty available (usually because the
# user is running chef in a console) the level becomes :warn and the output
# formatters are the primary output; without a tty the logger is the primary
# output and the level becomes :info.
default(:log_level, :auto)
# Logging destination, either an IO stream or a string path to a log file
default(:log_location, nil)
# `force_formatter` makes chef default to formatter output when STDOUT is not a tty
default(:force_formatter, false)
# `force_logger` makes chef default to logger output when STDOUT is a tty
default(:force_logger, false)
# Always print the stacktrace, even without -l debug
default(:always_dump_stacktrace, false)
# `stream_execute_output` makes Chef always stream the output of execute resources
default(:stream_execute_output, false)
# `show_download_progress` reports the overall progress of a remote file download
default(:show_download_progress, false)
# How often the progress meter is updated, in percent
default(:download_progress_interval, 10)

# HTTP retry policy: attempts, and delay between attempts
default(:http_retry_count, 5)
default(:http_retry_delay, 5)
# Whether the Authorization header is withheld when following an HTTP
# redirect (true: it is not re-sent to the redirect target). Per the plan in
# https://github.com/chef/chef/pull/7006 this is False in Chef 14, True in
# Chef 15, and is removed entirely in Chef 16.
default(:http_disable_auth_on_redirect, true)

default(:interval, nil)
default(:once, nil)
default(:json_attribs, nil)
# Toggle the info-level log items that can produce a lot of output
default(:verbose_logging, true)
default(:node_name, nil)
# Diff reporting for file changes, and the size limits beyond which it is skipped
default(:diff_disabled, false)
default(:diff_filesize_threshold, 10000000)
default(:diff_output_threshold, 1000000)
# True for "local mode", which uses a chef-zero server listening on localhost
# one way or another. This covers both `chef-solo` (without the --legacy-mode
# flag) and `chef-client -z` ways of starting a client run.
#
default(:local_mode, false)

# Mode of operation for ChefFS, applied to the ChefFS-based knife commands and
# chef-client's local mode. (ChefFS-based knife commands include: knife delete,
# knife deps, knife diff, knife down, knife edit, knife list, knife show,
# knife upload, and knife xargs.)
#
# Valid values are:
# * "static": ChefFS only manages objects that exist in a traditional Chef
#   Repo as of Chef 11.
# * "everything": ChefFS manages all object types that existed on the OSS
#   Chef 11 server.
# * "hosted_everything": ChefFS manages all object types as of the Chef 12
#   Server, including RBAC objects and Policyfile objects (new to Chef 12).
#
# The default is "hosted_everything" in local mode (unless chef_zero is in
# osc_compat mode) or when chef_server_url points at an organization, and
# "everything" otherwise.
default(:repo_mode) do
  hosted = (local_mode && !chef_zero.osc_compat) || %r{/+organizations/.+}.match?(chef_server_url)
  hosted ? "hosted_everything" : "everything"
end

default(:pid_file, nil)

# Whether Chef Zero local mode binds to a port. Internal requests use the
# socketless code path regardless, so the socket is only needed when other
# processes will connect to the local mode server.
default(:listen, false)
config_context(:chef_zero) do
  config_strict_mode true
  # Chef Zero is on whenever local mode is
  default(:enabled) { ChefConfig::Config.local_mode }
  default(:host, "localhost")
  # Ports 8889-9999 are tried in order until one works
  default(:port, 8889.upto(9999))
  # A String here disables multitenant support, which is what serving a single
  # Chef Repo wants; `false` enables multi-tenant.
  default(:single_org, "chef")
  # true: behave like OSS Chef Server 11; false: like Chef Server 12. Chef Zero
  # can still serve policyfile objects in Chef 11 mode as long as `repo_mode`
  # is "hosted_everything". The primary differences are:
  # * Chef 11 mode doesn't support multi-tenant, so there is no distinction
  #   between global and org-specific objects (since there are no orgs).
  # * Chef 11 mode doesn't expose RBAC objects
  default(:osc_compat, false)
end
# RFCxxx Target Mode support: the value names the remote device to Chef
# against. --target is a shortcut that enables target_mode and sets the host.
configurable(:target)

config_context(:target_mode) do
  # Non-strict: train configuration keys are passed through without being
  # declared here one by one.
  config_strict_mode false
  default(:enabled, false)
  default(:protocol, "ssh")
  # typical additional keys: host, user, password
end
# Whether a run targets a remote device rather than the local host.
#
# @return [Boolean] the target_mode.enabled setting
def self.target_mode?
  mode = target_mode
  mode.enabled
end
default(:chef_server_url, "https://localhost:443")

# The server root: when chef_server_url is an organization URL
# ('some_url.../organizations/*') the trailing '/organizations/*' is removed;
# otherwise chef_server_url itself, or the built-in default when unset.
default(:chef_server_root) do
  url = configuration[:chef_server_url]
  if %r{/organizations/\S*$}.match?(url)
    url.split("/")[0..-3].join("/")
  elsif url
    url
  else
    "https://localhost:443"
  end
end

# Timeout for REST requests, in seconds
default(:rest_timeout, 300)
# This solo setting is now almost entirely useless. It is set to true if
# chef-solo was invoked that way from the command-line (i.e. from
# Application::Solo as opposed to Application::Client). The more useful
# information is contained in the :solo_legacy_mode vs the :local_mode flags,
# which will be set to true or false depending on how solo was invoked and
# actually change more of the behavior. There might be slight differences in
# the behavior of :local_mode due to the behavioral differences in
# Application::Solo vs. Application::Client and `chef-solo` vs
# `chef-client -z`, but checking this value and switching based on it is
# almost certainly doing the wrong thing and papering over bugs that should
# be fixed in one or the other class, and will be brittle and destined to
# break in the future (and not necessarily on a major version bump). Checking
# this value is also not sufficient to determine if we are not running
# against a server since this can be unset but :local_mode may be set. It
# would be accurate to check both :solo and :local_mode to determine if we're
# not running against a server, but the more semantically accurate test is
# going to be combining :solo_legacy_mode and :local_mode.
#
# TL;DR: `if Chef::Config[:solo]` is almost certainly buggy code, you should use:
# `if Chef::Config[:local_mode] || Chef::Config[:solo_legacy_mode]`
#
# @api private
default(:solo, false)

# True for old chef-solo legacy mode without any chef-zero server (chef-solo --legacy-mode)
default(:solo_legacy_mode, false)

default(:splay, nil)
default(:why_run, false)
default(:color, false)
default(:client_fork, nil)
default(:ez, false)
default(:enable_reporting, true)
default(:enable_reporting_url_fatals, false)

# Chef only needs ohai to run the hostname plugin for the most basic
# functionality; set this when the rest of the ohai plugins are not needed
# (like in most of our testing scenarios).
default(:minimal_ohai, false)

# Ohai plugins consumed from cookbook segments are placed in this directory.
# Subsequent chef client runs wipe and re-populate it to ensure cleanliness.
default(:ohai_segment_plugin_path) { PathHelper.join(config_dir, "ohai", "cookbook_plugins") }
###
# Policyfile Settings
#
# Policyfile is a feature where a node gets its run list and cookbook version
# set from a single document on the server instead of expanding the run list
# and having the server compute the cookbook version set based on
# environment constraints.
#
# Policyfiles are auto-versioned. The user groups nodes by `policy_name`,
# which generally describes a host's functional role, and `policy_group`,
# which generally groups nodes by deployment phase (a.k.a., "environment").
# The Chef Server maps a given set of `policy_name` plus `policy_group` to a
# particular revision of a policy.
default(:policy_name, nil)
default(:policy_group, nil)

# Policyfiles can have multiple run lists, via the named run list feature.
# Generally this is set by a CLI option via Chef::Application::Client, but it
# could be set in client.rb if desired.
default(:named_run_list, nil)

# Policyfiles can be used in a native mode (default) or compatibility mode.
# Native mode requires Chef Server 12.1 (it can be enabled via feature flag on
# some prior versions). In native mode, policies and associated cookbooks are
# accessed via feature-specific APIs. In compat mode, policies are stored as
# data bags and cookbooks are stored at the cookbooks/ endpoint. Compatibility
# mode can be dangerous on existing Chef Servers; it's recommended to upgrade
# your Chef Server rather than use compatibility mode. Compatibility mode
# remains available so you can use policyfiles with servers that don't yet
# support the native endpoints.
default(:policy_document_native_api, true)

# In compatibility mode, `policy_name` and `policy_group` are instead given
# through one combined setting, `deployment_group`. For example, if
# policy_name should be "webserver" and policy_group should be "staging",
# `deployment_group` should be "webserver-staging", which is the name of the
# data bag item the policy is stored as. NOTE: this setting only has an
# effect if `policy_document_native_api` is set to `false`.
default(:deployment_group, nil)

# With policyfiles you can optionally have the node.run_list read from the
# server and override the policyfile run_list or the named_run_list set in
# config. Policyfiles do no depsolving on run_list items, so every item in
# the run_list must be in the set of cookbooks pushed to the node. This
# enables flows where the node can change its run_list and have it persist,
# or bootstrapping nodes with the -j flag. If no run_list is set on the server
# node object then the configured named_run_list or the run_list out of the
# policy is used.
default(:policy_persist_run_list, false)
# Client-side SSL cert/key: set both to enable mutual authentication with the
# server.
default(:ssl_client_cert, nil)
default(:ssl_client_key, nil)

# Whether the SSL cert is verified for all HTTPS requests. :verify_peer (the
# default) validates every HTTPS request regardless of other SSL settings;
# :verify_none validates no HTTPS request at all.
default(:ssl_verify_mode, :verify_peer)

# Coerces a string value to a symbol when loading settings from the
# credentials toml files, which cannot express ruby symbols; a leading ":"
# (as in ":verify_peer") is dropped first.
configurable(:ssl_verify_mode).writes_value do |value|
  leading_colon = value.is_a?(String) && value.start_with?(":")
  (leading_colon ? value[1..] : value).to_sym
end
# Whether the SSL cert is verified for HTTPS requests to the Chef server API.
# When `true`, the server's cert is validated regardless of the
# :ssl_verify_mode setting. This is `true` when running in local-mode.
# NOTE: This is a workaround until verify_peer is enabled by default.
default(:verify_api_cert) { ChefConfig::Config.local_mode }

# Path to the default CA bundle files.
default(:ssl_ca_path, nil)
# On Windows, the cacert.pem shipped under the embedded directory is used when
# it exists; nil everywhere else. (`embedded_dir` is defined outside this
# excerpt.)
default(:ssl_ca_file) do
  bundle = File.join(embedded_dir, "ssl/certs/cacert.pem") if ChefUtils.windows? && embedded_dir
  bundle if bundle && File.exist?(bundle)
end

# A directory of additional SSL certificates to trust. Any certificates in
# this directory are added to whatever CA bundle ruby is using. Use this to
# add self-signed certs for your Chef Server or local HTTP file servers.
default(:trusted_certs_dir) { PathHelper.join(config_dir, "trusted_certs") }

# Directories of additional configuration scripts loaded for chef-client,
# for solo, and for the workstation config respectively
default(:client_d_dir) { PathHelper.join(config_dir, "client.d") }
default(:solo_d_dir) { PathHelper.join(config_dir, "solo.d") }
default(:config_d_dir) { PathHelper.join(config_dir, "config.d") }

# Where chef-solo downloads recipes from
default(:recipe_url, nil)
# Set to true if Chef is to set OpenSSL to run in FIPS mode.
#
# CHEF_FIPS is used in testing to override checking for system level
# enablement. It has three possible states:
#   nil             - no override; the system is checked
#   empty           - FIPS is NOT enabled
#   non-empty value - FIPS is enabled
default(:fips) do
  override = ENV["CHEF_FIPS"]
  case override
  when "" then false
  when nil then ChefConfig.fips?
  else true
  end
end
# Initialize openssl
def self.init_openssl
  # FIPS mode is switched on only when the `fips` setting resolved to true;
  # otherwise OpenSSL is left exactly as it was.
  enable_fips_mode if fips
end
# Sets the version of the signed header authentication protocol to use (see
# the 'mixlib-authorization' project for more detail). Currently, versions
# 1.0, 1.1, and 1.3 are available.
# 1.3 is selected automatically when FIPS mode or ssh-agent signing is in
# use; otherwise the default is 1.1 (1.0 is never chosen by default).
default :authentication_protocol_version do
if fips || ssh_agent_signing
"1.3"
else
"1.1"
end
end
# This key will be used to sign requests to the Chef server. This location
# must be writable by Chef during initial setup when generating a client
# identity on the server.
#
# The chef-server will look up the public key for the client using the
# `node_name` of the client.
#
# If chef-zero is enabled, this defaults to nil (no authentication).
#
# In target mode the key lives in a per-host subdirectory of etc_chef_dir so
# that keys for different managed hosts do not collide.
default(:client_key) do
if chef_zero.enabled
nil
elsif target_mode?
PathHelper.cleanpath("#{etc_chef_dir}/#{target_mode.host}/client.pem")
else
PathHelper.cleanpath("#{etc_chef_dir}/client.pem")
end
end
# A credentials file may contain a complete client key, rather than the path
# to one.
#
# We'll use this preferentially.
# (The key material then lives in the loaded configuration; keep the
# credentials file it comes from readable only by its owner.)
default :client_key_contents, nil
# We want to get all certificates OFF disk and into secure storage. This flag
# removes the client.pem from disk and a replacement is put into Keychain or the Certstore.
# Then the public key from the new cert is pushed to Chef Server for authentication.
default :migrate_key_to_keystore, false
# When we move certs into the certstore, we need to manage multi-user scenarios.
# This flag is used in conjunction with 'migrate_key_to_keystore'. If two users, Bob and Terri, are using
# this node, we need a means to separate the private keys of each user. Alternately, if an Admin
# configures the node and then relies on a system account to run chef afterward, we need a second
# method for that. Setting this in the client.rb file to "user" will cause chef to create
# and manage separate private keys per user. Any other value — including leaving it unset,
# the default nil — means keys are stored in the LocalMachine store.
default :auth_key_registry_type, nil
# When registering the client, should we allow the client key location to
# be a symlink? eg: /etc/chef/client.pem -> /etc/chef/prod-client.pem
# If the path of the key goes through a directory like /tmp this should
# never be set to true or its possibly an easily exploitable security hole.
# Defaults to false, so a symlink at the key path is not followed.
default :follow_client_key_symlink, false
# Enable ssh-agent signing mode. This requires {client_key} be set to a
# public key rather than the usual private key.
# (Also bumps authentication_protocol_version to 1.3; see that default.)
default :ssh_agent_signing, false
# This secret is used to decrypt encrypted data bag items.
# Resolution order: the per-target-host secret (target mode only), then the
# shared one under etc_chef_dir; nil when neither file exists. The
# File.exist? checks run when the default is computed.
default(:encrypted_data_bag_secret) do
if target_mode? && File.exist?(PathHelper.cleanpath("#{etc_chef_dir}/#{target_mode.host}/encrypted_data_bag_secret"))
PathHelper.cleanpath("#{etc_chef_dir}/#{target_mode.host}/encrypted_data_bag_secret")
elsif File.exist?(PathHelper.cleanpath("#{etc_chef_dir}/encrypted_data_bag_secret"))
PathHelper.cleanpath("#{etc_chef_dir}/encrypted_data_bag_secret")
else
nil
end
end
# As of Chef 13.0, version "3" is the default encrypted data bag item
# format.
#
default :data_bag_encrypt_version, 3
# When reading data bag items, any supported version is accepted. However,
# if all encrypted data bags have been generated with the version 2 format,
# it is recommended to disable support for earlier formats to improve
# security. For example, the version 2 format is identical to version 1
# except for the addition of an HMAC, so an attacker with MITM capability
# could downgrade an encrypted data bag to version 1 as part of an attack.
#
# The default of 0 accepts every format, including version 1 without an
# HMAC, so the downgrade described above is not prevented until this is
# raised to at least 2.
default :data_bag_decrypt_minimum_version, 0
# If there is no file in the location given by `client_key`, chef-client
# will temporarily use the "validator" identity to generate one. If the
# `client_key` is not present and the `validation_key` is also not present,
# chef-client will not be able to authenticate to the server.
#
# The `validation_key` is never used if the `client_key` exists.
#
# If chef-zero is enabled, this defaults to nil (no authentication).
default(:validation_key) { chef_zero.enabled ? nil : PathHelper.cleanpath("#{etc_chef_dir}/validation.pem") }
# Name of the validator client, derived from the org in chef_server_url
# when one is present.
default :validation_client_name do
# If the URL is set and looks like a normal Chef Server URL, extract the
# org name and use that as part of the default.
# `(.*)$` is greedy, so everything after "/organizations/" up to the end of
# the line becomes the org name ($1).
if chef_server_url.to_s =~ %r{/organizations/(.*)$}
"#{$1}-validator"
else
"#{ChefUtils::Dist::Infra::SHORT}-validator"
end
end
# Inline validation key material, used in place of the file at
# validation_key when present (same caution as client_key_contents: keep
# the file it comes from readable only by its owner).
default :validation_key_contents, nil
# When creating a new client via the validation_client account, Chef 11
# servers allow the client to generate a key pair locally and send the
# public key to the server. This is more secure and helps offload work from
# the server, enhancing scalability. If enabled and the remote server
# implements only the Chef 10 API, client registration will not work
# properly.
#
# The default value is `true`. Set to `false` to disable client-side key
# generation (server generates client keys).
default(:local_key_generation) { true }
# Zypper package provider gpg checks. Set to false to disable package
# gpg signature checking globally. This will warn you that it is a
# bad thing to do.
# Leave this at true; disabling it removes signature verification for
# every package installed through zypper.
default :zypper_check_gpg, true
# Report Handlers
default :report_handlers, []
# Event Handlers
default :event_handlers, []
# Presumably disables the built-in event loggers when true — confirm in the
# client code that reads it.
default :disable_event_loggers, false
# Exception Handlers
default :exception_handlers, []
# Start handlers
default :start_handlers, []
# Syntax Check Cache. Knife keeps track of files that is has already syntax
# checked by storing files in this directory. `syntax_check_cache_path` is
# the new (and preferred) configuration setting. If not set, knife will
# fall back to using cache_options[:path], which is deprecated but exists in
# many client configs generated by pre-Chef-11 bootstrappers.
# The writes_value hook runs expand_relative_paths on assignment, so a
# relative path given in config is expanded before it is stored.
default(:syntax_check_cache_path) { cache_options[:path] }.writes_value { |path| expand_relative_paths(path) }
# Deprecated:
# Move this to the default value of syntax_cache_path when this is removed.
# Within this file only :path is consulted, as the fallback for
# syntax_check_cache_path above.
default(:cache_options) { { path: PathHelper.join(config_dir, "syntaxcache") } }
# Whether errors should be raised for deprecation warnings. When set to
# `false` (the default setting), a warning is emitted but code using
# deprecated methods/features/etc. should work normally otherwise. When set
# to `true`, usage of deprecated methods/features will raise a
# `DeprecatedFeatureError`. This is used by Chef's tests to ensure that
# deprecated functionality is not used internally by Chef. End users
# should generally leave this at the default setting (especially in
# production), but it may be useful when testing cookbooks or other code if
# the user wishes to aggressively address deprecations.
default(:treat_deprecation_warnings_as_errors) do
# Using an environment variable allows this setting to be inherited in
# tests that spawn new processes.
# ENV.key? tests presence only: any value, even an empty string, enables it.
ENV.key?("CHEF_TREAT_DEPRECATION_WARNINGS_AS_ERRORS")
end
# Which deprecations warnings to silence. Can be set to `true` to silence
# all warnings, or an array of strings like either `"deprecation_type"` or
# `"filename.rb:lineno"`.
default :silence_deprecation_warnings, []
# Whether the resource count should be updated for log resource
# on running chef-client
default :count_log_resource_updates, false
# The selected profile when using credentials.
default :profile, nil
# Where the node's GUID is stored, under config_dir.
default :chef_guid_path do
PathHelper.join(config_dir, "#{ChefUtils::Dist::Infra::SHORT}_guid")
end
# nil until populated; presumably read from chef_guid_path — confirm in the
# caller.
default :chef_guid, nil
# knife configuration data
config_context :knife do
default :hints, {}
end
def self.set_defaults_for_windows
  # Those lists of regular expressions define what chef considers a
  # valid user and group name
  # From http://technet.microsoft.com/en-us/library/cc776019(WS.10).aspx
  #
  # A principal is one run of permitted characters, optionally preceded by a
  # DOMAIN\ prefix built from the same character class.
  name_part = '[^"\/\\\\\[\]\:;|=,+*?<>]+'
  principal_regex = /^(#{name_part}\\)?#{name_part}$/
  # NOTE(review): ^ and $ are line anchors and the class above does not
  # exclude "\n", so a name with an embedded newline still matches; switch
  # to \A/\z (and exclude control characters) if callers rely on this list
  # to reject such input.
  default :user_valid_regex, [principal_regex]
  default :group_valid_regex, [principal_regex]
  default :fatal_windows_admin_check, false
end
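def self.set_defaults_for_nix
  # Those lists of regular expressions define what chef considers a
  # valid user and group name
  #
  # user/group cannot start with '-', '+' or '~'
  # user/group cannot contain ':', ',' or non-space-whitespace or null byte
  # everything else is allowed (UTF-8, spaces, etc) and we delegate to your O/S useradd program to barf or not
  # copies: http://anonscm.debian.org/viewvc/pkg-shadow/debian/trunk/debian/patches/506_relaxed_usernames?view=markup
  #
  # Anchored with \A and \z rather than ^ and $: the line anchors match
  # around an embedded "\n", so "bob\nevil" and "bob\n" satisfied the
  # previous form even though newlines are excluded from both character
  # classes. For single-line names the two forms are equivalent.
  principal_regex = /\A[^-+~:,\t\r\n\f\0]+[^:,\t\r\n\f\0]*\z/
  default :user_valid_regex, [principal_regex]
  default :group_valid_regex, [principal_regex]
end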
# Those lists of regular expressions define what chef considers a
# valid user and group name; the platform-specific set is registered when
# this file is loaded.
ChefUtils.windows? ? set_defaults_for_windows : set_defaults_for_nix
# This provides a hook which rspec can stub so that we can avoid twiddling
# global state in tests.
def self.env
# The real process environment; specs stub this method instead of
# mutating ENV itself.
ENV
end
def self.windows_home_path
  # Kept for callers still using the old name: logs a deprecation on every
  # call, then delegates to PathHelper.home.
  deprecation_message = "Chef::Config.windows_home_path is now deprecated. Consider using Chef::Util::PathHelper.home instead."
  ChefConfig.logger.deprecation(deprecation_message)
  PathHelper.home
end
# returns a platform specific path to the user home dir if set, otherwise default to current directory.
default( :user_home ) { PathHelper.home || Dir.pwd }
# Enable file permission fixup for selinux. Fixup will be done
# only if selinux is enabled in the system.
default :enable_selinux_file_permission_fixup, true
# Use atomic updates (i.e. move operation) while updating contents
# of the files resources. When set to false copy operation is
# used to update files.
#
# NOTE: CHANGING THIS SETTING MAY CAUSE CORRUPTION, DATA LOSS AND
# INSTABILITY.
#
default :file_atomic_update, true
# There are 3 possible values for this configuration setting.
# true => file staging is done in the destination directory
# false => file staging is done via tempfiles under ENV['TMP']
# :auto => file staging will try using destination directory if possible and
# will fall back to ENV['TMP'] if destination directory is not usable.
#
# NOTE(review): staging under ENV['TMP'] places the temporary file in a
# directory that may be shared with other users; :auto keeps it in the
# destination directory whenever that is usable — confirm the handling in
# the file provider.
default :file_staging_uses_destdir, :auto
# Exit if another run is in progress and the chef-client is unable to
# get the lock before time expires. If nil, no timeout is enforced. (Exits
# immediately if 0.)
#
default :run_lock_timeout, nil
# Number of worker threads for syncing cookbooks in parallel. Increasing
# this number can result in gateway errors from the server (namely 503 and 504).
# If you are seeing this behavior while using the default setting, reducing
# the number of threads will help.
#