The new version of Chef Automate comes with many new features

Robot Admin

Applications to the Fore

When you consider the architectural changes already described, especially the switch to REST APIs, you might wonder about the reasons behind them. Chef gives a clear answer: Whereas Chef Automate was previously a tool for managing large server farms, version 2.0 focuses on the application.

With open, clearly defined APIs, Chef Automate connects far more easily with external services such as Jenkins or GitHub. For example, if you push code to GitHub, you can configure Chef Automate 2.0 to build new container images automatically and, if required, roll them out automatically as well. Life cycle management thus extends well beyond the operating system, which in previous versions of Automate was the logical limit of Chef's responsibility. One consequence worth noting: A push-triggered build puts the Git repository, its webhook, and everyone with write access to it inside the deployment's trust boundary, so branch protection and review gates deserve the same attention as the pipeline configuration itself.

Meanwhile, the developers have also made Chef Automate fit for cloud environments, especially the big three: Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP).

Chef Workstation

A product named Chef Workstation joins Chef Automate 2.0 for the first time. Until now, anyone who wanted to use Chef Automate usually started by setting up a Chef server: a separate system whose only task was to be the master instance for the many clients in the setup. Moreover, it was necessary to roll out the Chef client on the target systems, because Chef is based on the server-agent model. The whole hullabaloo required a good deal of planning and took quite a while.

Chef Workstation puts an end to this: It bundles all the required tools into a package that is installed on the local admin system. Up to now, Chef relied on the Chef client described previously running on the target systems; with Workstation, the ad-hoc chef-run command can push resources and recipes to them instead. As long as you can talk to the target systems directly (e.g., via SSH), you can run Chef code on them without a server in between. A whiff of Ansible is discernible at this point, which might confuse some die-hard Chef admins. Note that this shifts the privileged path onto the admin workstation: The SSH keys and credentials chef-run uses are now what an attacker would need in order to reconfigure every target, so they deserve the same protection as the Chef server's keys did before.

In the end, the effort pays off: If you want to try out Chef or need a quick way to roll out Chef in a small setup, Workstation gets you there quickly. What's more, systems that have been set up with Chef Workstation can later be taken under the wing of Chef Automate. The tool is primarily aimed at DevOps teams who want to stand up an environment and later put it into regular operation.

A View to Compliance

For some time now, Chef has focused increasingly on compliance, which matters particularly in large companies: Admins there often face a rigid set of rules, based partly on public standards and partly on in-house regulations.

However, automation offers a very good springboard not only for verifying compliance retrospectively, but for making it an integral part of the entire deployment scenario, whether for maintaining physical machines or rolling out applications as containers. This is probably why Chef acquired InSpec, a tool originally built by VulcanoSec [2] to check compliance standards automatically.

Earlier versions of InSpec, discussed in ADMIN [3], proved to be extremely powerful. In a dedicated syntax (a Ruby DSL), you define the criteria a system must fulfill as controls, and you assign each control an impact value that expresses how serious a deviation from the standard is. InSpec then checks automatically whether each condition is met, reports the failing controls together with their impact, and returns a non-zero exit code, which a pipeline can treat as the alarm (Figure 2).

Figure 2: InSpec in Automate 2.0 helps admins and developers check compliance.

Chef incorporated InSpec because it is an excellent addition to a complete automation solution like Chef Automate. The goal is clear: Compliance violations and security issues need to be caught at the automation level before they reach production systems. If an admin checks configuration or code that violates the applicable compliance rules into the Git repository, Chef Automate refuses point blank to start the rollout.
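As an added illustration of the control syntax, the impact mechanism and the rollout gate described above (example code written for this edit, not code from the article or from Chef): the block defines two controls in the real InSpec DSL and evaluates them against a constructed sshd_config. Because InSpec itself is not assumed to be installed, the control, impact, title, describe, its, should and eq keywords and the sshd_config resource are re-implemented as minimal Ruby shims; the sample configuration, the control IDs, and the compliance_report gate with its impact threshold are all assumptions made for the example.

```ruby
# Added example, not from the article or from Chef: a minimal stand-in for the
# InSpec control DSL so that InSpec-style controls run as plain Ruby against a
# constructed sshd_config. Real InSpec provides control/impact/title/describe/
# its/should/eq and the sshd_config resource; the shims here do just enough.

# Constructed sample sshd_config with two deviations: root login is still
# allowed, and X11Forwarding is only commented out rather than set to "no".
SAMPLE_SSHD_CONFIG = <<~CONF
  Protocol 2
  PermitRootLogin yes
  # X11Forwarding yes
CONF

# Minimal sshd_config resource: directive lookup by name, comments ignored.
class SshdConfig
  def initialize(text)
    lines = text.each_line.map(&:strip).reject { |l| l.empty? || l.start_with?('#') }
    @params = lines.to_h { |l| k, v = l.split(/\s+/, 2); [k, v] }
  end
  def [](key); @params[key]; end
end

# Self for `{ should <matcher> }`; a matcher is a [description, predicate] pair.
class Expectation
  attr_reader :failures
  def initialize(attr, actual); @attr, @actual, @failures = attr, actual, []; end
  def eq(expected); ["eq #{expected.inspect}", ->(v) { v == expected }]; end
  def should(matcher)
    desc, pred = matcher
    @failures << "#{@attr} should #{desc}, got #{@actual.inspect}" unless pred.call(@actual)
  end
end

# Self for `describe <resource> do ... end`.
class DescribeBlock
  attr_reader :failures
  def initialize(subject); @subject, @failures = subject, []; end
  def its(attr, &blk)
    e = Expectation.new(attr, @subject[attr])
    e.instance_eval(&blk)
    @failures.concat(e.failures)
  end
end

Control = Struct.new(:id, :impact, :title, :failures) do
  def passed?; failures.empty?; end
end

# Self for a `control` body; impact defaults to 0.5, as in InSpec.
class ControlBuilder
  attr_reader :control
  def initialize(id); @control = Control.new(id, 0.5, nil, []); end
  def impact(value); @control.impact = value; end
  def title(text); @control.title = text; end
  def sshd_config; SshdConfig.new(SAMPLE_SSHD_CONFIG); end
  def describe(subject, &blk)
    d = DescribeBlock.new(subject)
    d.instance_eval(&blk)
    @control.failures.concat(d.failures)
  end
end

CONTROLS = []
def control(id, &blk)
  builder = ControlBuilder.new(id)
  builder.instance_eval(&blk)
  CONTROLS << builder.control
  builder.control
end

# The two controls below are written in the real InSpec syntax.
control 'ssh-01' do
  impact 1.0
  title 'Root login over SSH must be disabled'
  describe sshd_config do
    its('PermitRootLogin') { should eq 'no' }
  end
end

control 'ssh-02' do
  impact 0.3
  title 'Protocol 2 only and X11 forwarding explicitly disabled'
  describe sshd_config do
    its('Protocol') { should eq '2' }
    its('X11Forwarding') { should eq 'no' }
  end
end

# Local gate over the results. InSpec itself exits non-zero on any failed
# control; `threshold` is an assumed site policy that blocks a rollout only
# when a failed control's impact is at least that high.
def compliance_report(controls, threshold)
  failed = controls.reject(&:passed?)
  worst = failed.map(&:impact).max || 0.0
  { failed: failed.map(&:id), worst_impact: worst, blocked: worst >= threshold }
end
```

Under InSpec proper only the two control blocks would go into a profile; everything else exists so the example runs stand-alone. With the sample configuration, ssh-01 fails at impact 1.0 and ssh-02 fails only on the missing X11Forwarding directive at impact 0.3, so a gate at threshold 0.7 blocks the rollout because of ssh-01 alone. The threshold is a local policy choice: InSpec treats any failed control as a failed run.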

InSpec also monitors running systems. For example, if a newcomer to administration makes a manual change to a server's configuration that exposes the system to a security risk, the red light lights up on the Chef Automate dashboard at the next scan (Figure 3).

Figure 3: If you have built up a treasure trove of InSpec tests, you can monitor systems comprehensively for compliance.
