delivery.rb Settings
Danger
This documentation applies to a deprecated product. Chef Automate includes newer out-of-the-box compliance profiles, an improved compliance scanner with total cloud scanning functionality, better visualizations, role-based access control and many other features. Chef Automate is included as part of the Workflow license agreement and is available via subscription.
The delivery.rb
file, located at /etc/delivery/delivery.rb
, contains
all of the non-default configuration settings used by the Chef Automate.
(The default settings are built-in to the Chef Automate configuration
and should only be added to the delivery.rb
file to apply non-default
values.) These configuration settings are processed when the
delivery-server-ctl reconfigure
command is run, such as immediately
after setting up Chef Automate or after making a change to the
underlying configuration settings after the server has been deployed.
The delivery.rb
file is a Ruby file, which means that conditional
statements can be used in the configuration file.
Recommended Settings
The following settings are typically added to the server configuration file, including:
- Logging directories
- Maximum file sizes at which log rotation occurs
- The number of log files to keep
These values have the same default across all Chef Automate services,
but individual services can have their values overwritten. Add the
service-specific values to the delivery.rb
file. The list of services
delivery starts which include logging can be determined by looking in
the node['delivery']['log_directory']
directory.
<service_name>['log_directory']
The directory in which log data is stored. The default value is the recommended value. Default value:
/var/log/delivery/<service_name>
.<service_name>['log_rotation']['file_maxbytes']
The log rotation policy for this service. Log files are rotated when they exceed
file_maxbytes
. The maximum number of log files in the rotation is defined bynum_to_keep
. Default value:100 * 1024 * 1024
(100MB).<service_name>['log_rotation']['num_to_keep']
The log rotation policy for this service. Log files are rotated when they exceed
file_maxbytes
. The maximum number of log files in the rotation is defined bynum_to_keep
. Default value:10
.
SSL Protocols
The following settings are often modified from the default as part of the tuning effort for the nginx service and to configure the Chef Automate server to use SSL certificates:
delivery['ssl_certificates']
A hash of SSL certificate files to use for FQDNs. Uses
remote_file
to download the key and certificate specified to the standard location of/var/opt/delivery/nginx/ca
and replaces the contents of any file found there using the namedelivery.example.com.crt
ordelivery.example.com.key
. If the content in the new custom certificate and key files and the original files match, these files are not reconfigured. To use a pre-generated SSL certificate for the main FQDN (delivery_fqdn
), follow this example:delivery['ssl_certificates'] = { 'delivery.example.com' => { 'key' => 'file:///etc/ssl_certificates/delivery.example.com.key', 'crt' => 'file:///etc/ssl_certificates/delivery.example.com.crt' } }
nginx['ssl_ciphers']
The list of supported cipher suites that are used to establish a secure connection. To favor AES256 with ECDHE forward security, drop the
RC4-SHA:RC4-MD5:RC4:RSA
prefix. See this link for more information. Default value:"RC4-SHA:RC4-MD5:RC4:RSA:HIGH:MEDIUM:!LOW:!kEDH:!aNULL:!ADH:!eNULL:!EXP:!SSLv2:!SEED:!CAMELLIA:!PSK"
nginx['ssl_protocols']
The SSL protocol versions that are enabled. For the highest possible security, disable SSL 3.0 and allow only TLS:
nginx['ssl_protocols'] = 'TLSv1 TLSv1.1 TLSv1.2'
Default value: Default value:
"SSLv3 TLSv1"
.
Note
nginx['ssl_ciphers']
and
nginx['ssl_protocols']
settings.For example, after copying the SSL certificate files to the Chef
Automate server, update the delivery['ssl_certificates']
hash settings
to specify the paths to those files, and then (optionally) update the
nginx['ssl_ciphers']
and nginx['ssl_protocols']
settings to reflect
the desired level of hardness for the Chef Automate server:
delivery['ssl_certificates'] = {
'delivery.example.com' => {
'key' => 'file:///etc/ssl_certificates/delivery.example.com.key',
'crt' => 'file:///etc/ssl_certificates/delivery.example.com.crt'
}
}
nginx['ssl_ciphers'] = "HIGH:MEDIUM:!LOW:!kEDH:!aNULL:!ADH:!eNULL:!EXP:!SSLv2:!SEED:!CAMELLIA:!PSK"
nginx['ssl_protocols'] = "TLSv1 TLSv1.1 TLSv1.2"
Proxy Settings
If you wish to operate your Chef Automate server from behind a proxy, you may specify you proxy host name and configuration using these options.
delivery['proxy']['host']
The hostname to your proxy server such as
foo.bar.com
or192.0.2.00
.delivery['proxy']['port']
The port to connect on. This will be used for all connections (http and https).
delivery['proxy']['user']
Optional authentication user name when contacting the proxy server.
delivery['proxy']['password']
Optional authentication password when contacting the proxy server.
delivery['proxy']['no_proxy']
A list of hostnames that are blacklisted from using the proxy. Chef Automate will attempt to connect directly to these hosts. By default, this is set to
["localhost", "127.0.0.1"]
.
Optional Settings
Additional settings are available for performance tuning of the Chef Automate server.
Note
When changes are made to the delivery.rb
file the Chef Automate server
must be reconfigured by running the following command:
delivery-server-ctl reconfigure
Note
delivery.rb
file. Many of these optional settings should not be
added without first consulting with Chef support.