chef · RoyShravani · Aug 6, 2025 · Aug 6, 2025
@@ -47,6 +47,6 @@ jobs:
 
     # Upload the SARIF file generated in the previous step
     - name: Upload SARIF
-      uses: github/codeql-action/upload-sarif@v1
+      uses: github/codeql-action/upload-sarif@v2
       with:
         sarif_file: output.sarif.json
@@ -15,7 +15,7 @@ jobs:
     - uses: ruby/setup-ruby@v1
       with:
         working-directory: omnibus/files/server-ctl-cookbooks/infra-server/
-        ruby-version: 2.6
+        ruby-version: 3.1.7
         bundler-cache: true
     - uses: r7kamura/rubocop-problem-matchers-action@v1 # this shows the failures in the PR
     - name: run cookstyle
@@ -28,7 +28,7 @@ jobs:
     - uses: ruby/setup-ruby@v1
       with:
         working-directory: omnibus/files/server-ctl-cookbooks/infra-server/
-        ruby-version: 2.6
+        ruby-version: 3.1.7
         bundler-cache: true
     - uses: r7kamura/rubocop-problem-matchers-action@v1 # this shows the failures in the PR
     - name: run chefspec

@@ -25,16 +25,14 @@
 
 # TODO: we don't seem to reference removed_services anywhere.
 default['private_chef']['removed_services'] = %w(
-opscode-webui
-opscode-solr
-couchdb
-opscode-account
-opscode-org-creator
-opscode-certificate
-opscode-chef-mover
-)
-
-###
+  opscode-webui
+  opscode-solr
+  couchdb
+  opscode-account
+  opscode-org-creator
+  opscode-certificate
+  opscode-chef-mover
+)###
 # High level options
 ###
 default['private_chef']['api_version'] = '12.0.0'
@@ -894,7 +892,7 @@
 # Select whether data_collector affects overall status in _status endpoint
 default['private_chef']['data_collector']['health_check'] = true
 
-default['private_chef']['ctl_command'] = "#{ChefUtils::Dist::Server::SERVER_CTL}"
+default['private_chef']['ctl_command'] = ChefUtils::Dist::Server::SERVER_CTL.to_s
 default['private_chef']['running_filepath'] = "/etc/#{ChefUtils::Dist::Org::LEGACY_CONF_DIR}/#{ChefUtils::Dist::Server::SERVER}-running.json"
 ##
 # Compliance Profiles

@@ -19,12 +19,12 @@ def self.with_connection(node, database = 'template1', opts = {})
     end
     max_retries = retries
     begin
-      connection = PG::Connection.open('user' =>     postgres['db_connection_superuser'] || postgres['db_superuser'],
-                                       'host' =>     postgres['vip'],
+      connection = PG::Connection.open('user'     => postgres['db_connection_superuser'] || postgres['db_superuser'],
+                                       'host'     => postgres['vip'],
                                        'password' => postgres['db_superuser_password'],
-                                       'port' =>     postgres['port'],
-                                       'sslmode' =>  postgres['sslmode'],
-                                       'dbname' =>   database)
+                                       'port'     => postgres['port'],
+                                       'sslmode'  => postgres['sslmode'],
+                                       'dbname'   => database)
     rescue => e
       if retries > 0
         sleep_time = 2**((max_retries - retries))

@@ -35,7 +35,7 @@ def parse_stats_table(table)
 
   def transform_header(line)
     columns = line.split(',').map(&:strip)
-    columns[0] = columns[0].gsub('# ', '')
+    columns.first = columns.first.gsub('# ', '')
     columns
   end
 

@@ -1,4 +1,4 @@
-require_relative './warnings'
+require_relative 'warnings'
 
 class NginxErb
   attr_reader :node
@@ -59,7 +59,7 @@ def ipv6?
 
   def local_ip_addresses
     ret = []
-    node['network']['interfaces'].each do |_name, iface|
+    node['network']['interfaces'].each_value do |iface|
       next unless iface['addresses'].respond_to?(:each)
 
       iface['addresses'].each do |addr, addr_info|
@@ -77,7 +77,7 @@ def listen_port(proto, options = {})
     listen_opts = ''
     listen_port = case proto
                   when 'http'
-                    node['private_chef']['nginx']['non_ssl_port'].to_s || '80'
+                    node['private_chef']['nginx']['non_ssl_port'].to_s
                   when 'https'
                     listen_opts << ' ssl'
                     node['private_chef']['nginx']['ssl_port'].to_s

@@ -45,8 +45,8 @@ def major
     @major ||=
       begin
         segments = self.segments
-        if segments[0].to_i >= 10
-          self.class.new segments[0].to_s
+        if segments.first.to_i >= 10
+          self.class.new segments.first.to_s
         else
           self.class.new segments[0..1].join('.')
         end
@@ -71,14 +71,14 @@ def self.new(input)
   # is at or greater than 8.2, otherwise, zero.
   def to_i
     segments = self.segments
-    if segments[0].to_i >= 10
+    if segments.first.to_i >= 10
       format('%<major>d%<minor>04d',
-             major: segments[0].to_i,
+             major: segments.first.to_i,
              minor: segments[1].to_i
             ).to_i
-    elsif segments[0].to_i == 9 || (segments[0].to_i == 8 && segments[1].to_i >= 2)
+    elsif segments.first.to_i == 9 || (segments.first.to_i == 8 && segments[1].to_i >= 2)
       format('%<major1>d%<major2>02d%<minor>02d',
-             major1: segments[0].to_i,
+             major1: segments.first.to_i,
              major2: segments[1].to_i,
              minor: segments[2].to_i
             ).to_i

@@ -13,8 +13,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require_relative './preflight_checks'
-require_relative './elasticsearch'
+require_relative 'preflight_checks'
+require_relative 'elasticsearch'
 
 class IndexingPreflightValidator < PreflightValidator
   # The cs_*attr variables hold the user-defined configuration

@@ -13,8 +13,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require_relative './preflight_checks'
-require_relative './opensearch'
+require_relative 'preflight_checks'
+require_relative 'opensearch'
 
 class OpensearchPreflightValidator < PreflightValidator
   # This check used to verify that the external PG version matches the version
@@ -171,7 +171,7 @@ def opensearch_enabled?
 
   def verify_external_url
     if cfg_opensearch_attr['external'] && !cfg_opensearch_attr['external_url']
-      fail_with err_OPENSEARCH007_bad_external_config()
+      fail_with err_OPENSEARCH007_bad_external_config
     end
   end
 

@@ -13,8 +13,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require_relative './warnings'
-require_relative './pgversion'
+require_relative 'warnings'
+require_relative 'pgversion'
 
 class PostgresqlPreflightValidator < PreflightValidator
   # This check used to verify that the external PG version matches the version
@@ -187,7 +187,7 @@ def backend_verify_database_access(connection)
   def backend_verify_postgres_version(connection)
     # Make sure the server is a supported version.
     r = connection.exec('SHOW server_version;')
-    v = PgVersion.new /^([0-9\.]+)/.match(r[0]['server_version'])[0]
+    v = PgVersion.new /^([0-9\.]+)/.match(r.first['server_version']).first
 
     # Note that we're looking for the same major, and using our minor as the minimum version
     # This provides compatibility with external databases that use < 13 before we make use

@@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require_relative './preflight_checks'
+require_relative 'preflight_checks'
 
 class RequiredRecipePreflightValidator < PreflightValidator
   def initialize(node)

@@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-require_relative './preflight_checks'
+require_relative 'preflight_checks'
 
 class SslPreflightValidator < PreflightValidator
   def initialize(node)

@@ -21,7 +21,7 @@
 require 'chef/json_compat'
 require 'chef/mixin/deep_merge'
 require 'veil'
-require_relative './warnings'
+require_relative 'warnings'
 
 module PrivateChef
   extend(Mixlib::Config)
@@ -132,7 +132,7 @@ def from_file(filename)
 
       instance_eval(IO.read(filename), filename, 1)
     rescue
-      raise "Error loading file: #{$ERROR_INFO.backtrace[0]}: #{$ERROR_INFO.message}"
+      raise "Error loading file: #{$ERROR_INFO.backtrace.first}: #{$ERROR_INFO.message}"
     end
 
     def import_legacy_service_config(old_service_key, new_service_key, keys)
@@ -525,7 +525,7 @@ def gen_ldap
         end
       end
       if ldap_encryption
-        Chef::Log.warn("Please note that the ldap 'encryption' setting is deprecated as of #{ChefUtils::Dist::Server::PRODUCT} 12.0. Use either "\
+        Chef::Log.warn("Please note that the ldap 'encryption' setting is deprecated as of #{ChefUtils::Dist::Server::PRODUCT} 12.0. Use either " \
                        "ldap['ssl_enabled'] = true or ldap['tls_enabled'] = true.")
         case ldap_encryption.to_s
         when 'simple_tls'
@@ -535,7 +535,7 @@ def gen_ldap
         when 'none'
           Chef::Log.info('Configuring ldap without encryption.')
         else
-          raise "Invalid ldap configuration: unknown value #{ldap_encryption} for deprecated ldap['encryption'] option. "\
+          raise "Invalid ldap configuration: unknown value #{ldap_encryption} for deprecated ldap['encryption'] option. " \
                 "Please set ldap['ssl_enabled'] = true or ldap['tls_enabled'] = true instead"
         end
       elsif ssl_enabled && tls_enabled

@@ -21,18 +21,18 @@ class Statfs
   # See http://man7.org/linux/man-pages/man2/statvfs.2.html
   class Statvfs < FFI::Struct
     spec = [
-            :f_bsize,   :ulong,      # Filesystem block size
-            :f_frsize,  :ulong,      # Fragement size
-            :f_blocks,  FSBLKCNT_T,  # Size of fs in f_frsize units
-            :f_bfree,   FSBLKCNT_T,  # Number of free blocks
-            :f_bavail,  FSBLKCNT_T,  # Number of free blocks for unpriviledged users
-            :f_files,   FSBLKCNT_T,  # Number of inodes
-            :f_ffree,   FSBLKCNT_T,  # Number of free inodes
-            :f_favail,  FSBLKCNT_T,  # Number of free inodes for unprivilged users
-            :f_fsid,    :ulong,      # Filesystem ID
-            :f_flag,    :ulong,      # Mount Flags
-            :f_namemax, :ulong       # Max filename length
-           ]
+      :f_bsize,   :ulong,      # Filesystem block size
+      :f_frsize,  :ulong,      # Fragement size
+      :f_blocks,  FSBLKCNT_T,  # Size of fs in f_frsize units
+      :f_bfree,   FSBLKCNT_T,  # Number of free blocks
+      :f_bavail,  FSBLKCNT_T,  # Number of free blocks for unpriviledged users
+      :f_files,   FSBLKCNT_T,  # Number of inodes
+      :f_ffree,   FSBLKCNT_T,  # Number of free inodes
+      :f_favail,  FSBLKCNT_T,  # Number of free inodes for unprivilged users
+      :f_fsid,    :ulong,      # Filesystem ID
+      :f_flag,    :ulong,      # Mount Flags
+      :f_namemax, :ulong       # Max filename length
+    ]
 
     # Linux has this at the end of the struct and if we don't include
     # it we end up getting a memory corruption error when th object

@@ -1,5 +1,11 @@
 # Copyright:: Chef Software, Inc.
-# License:: Apache License, Version 2.0
+# Licenseprivate_chef_path = "/etc/#{ChefUtils::Dist::Org::LEGACY_CONF_DIR}/private-chef.rb"
+
+if File.exist?(chef_server_json_path) &&
+   !(File.exist?(private_chef_path) || File.exist?(chef_server_path))
+  Chef::Log.fatal("Configuration via #{chef_server_json_path} is not supported. Please use #{chef_server_path}")
+  exit!(1)
+elsehe License, Version 2.0
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -44,7 +50,7 @@
 private_chef_path = "/etc/#{ChefUtils::Dist::Org::LEGACY_CONF_DIR}/private-chef.rb"
 
 if File.exist?(chef_server_json_path) &&
-   !(File.exist?(private_chef_path) || File.exist?())
+   !(File.exist?(private_chef_path) || File.exist?)
   Chef::Log.fatal("Configuration via #{chef_server_json_path} is not supported. Please use #{chef_server_path}")
   exit!(1)
 else
@@ -54,7 +60,7 @@
   chef_server_rb_exists = File.exist?(chef_server_path)
 
   if chef_server_rb_exists
-    chef_server_rb_not_empty = !File.zero?(chef_server_path)
+    chef_server_rb_not_empty = !File.empty?(chef_server_path)
   end
 
   # Things are a bit tricky here, because there are multiple scenarios.  But the

@@ -138,8 +138,8 @@ def get_chef_backend_cluster_members
 
         # We expect the status checks to fail on all but 1 backend
         # (the current leader) thus we wait for that to be the case.
-        if active_servers['chef_backend_elasticsearch'].count == 1 &&
-           active_servers['chef_backend_postgresql'].count == 1
+        if active_servers['chef_backend_elasticsearch'].one? &&
+           active_servers['chef_backend_postgresql'].one?
           stable = true
           break
         else

@@ -267,8 +267,8 @@
 # Fix permissions for nginx directories, if required, based on nginx_no_root flag
 [
   "/opt/#{ChefUtils::Dist::Org::LEGACY_CONF_DIR}/embedded/nginx",
-  "#{node['private_chef']['nginx']['dir']}",
-  "#{node['private_chef']['nginx']['log_directory']}",
+  node['private_chef']['nginx']['dir'].to_s,
+  node['private_chef']['nginx']['log_directory'].to_s,
 ].each do |nginx_no_root_perms_fix_path|
   execute "find #{nginx_no_root_perms_fix_path} -user 'root' -exec chown #{node['private_chef']['user']['username']} {} \\;" do
     user 'root'

@@ -72,8 +72,8 @@
     ssl_version: ssl_version,
     reindex_endpoint: reindex_endpoint,
     required_recipe_enabled: node['private_chef']['required_recipe']['enable'],
-    chef_pgsql_collector: (node['private_chef']['postgresql']['enable'] &&
-                               !node['private_chef']['postgresql']['external']),
+    chef_pgsql_collector: node['private_chef']['postgresql']['enable'] &&
+                               !node['private_chef']['postgresql']['external'],
     topology: node['private_chef']['topology'],
     role: node['private_chef']['role'],
   }.merge(node['private_chef']['oc-chef-pedant'].to_hash))

@@ -37,6 +37,6 @@
     echo 'net.ipv6.bindv6only = 0' >> /etc/sysctl.conf
   EOF
   notifies :run, 'execute[sysctl-reload]', :immediately
-  not_if "egrep '^net\.ipv6\.bindv6only = 0' /etc/sysctl.conf"
+  not_if "egrep '^net.ipv6.bindv6only = 0' /etc/sysctl.conf"
   only_if { PrivateChef['use_ipv6'] == true }
 end
@@ -20,11 +20,11 @@
 describe IndexingPreflightValidator do
   let(:indexing_preflight) do
     s = IndexingPreflightValidator.new('private_chef' => {
-      'opscode-erchef' => {
-        'reindex_sleep_min_ms' => 500,
-        'reindex_sleep_max_ms' => 2000,
-      },
-      'postgresql' => {} })
+                                         'opscode-erchef' => {
+                                           'reindex_sleep_min_ms' => 500,
+                                           'reindex_sleep_max_ms' => 2000,
+                                         },
+                                         'postgresql' => {} })
     allow(s).to receive(:fail_with).and_return(:i_failed)
     s
   end