Upgrading Chef Infra: Why Upgrade

Welcome back to Upgrading Chef Infra! Last week we kicked things off with a brief introduction and a review of some key concepts. Today we’ll see how Chef Infra has evolved in recent years, and take a look at improvements that have been implemented throughout major releases. While we will discuss some items in detail, this will by no means be an exhaustive list of updates. The five releases of Chef Infra we’ll be covering represent 16,688 commits from Chef, our community and our customers!

(Re)Introducing Chef Infra Client 16

That said, we still have plenty to talk about. We recently announced the release of Chef Infra Client 16, and I hosted a webinar discussing some of its features and improvements. Even there, I only scratched the surface of what’s available. In addition to new capabilities like YAML Recipes and a unified execution mode for custom resources, Chef Infra 16 has a ton of additional features, including:

• Expanded ARM support
  • aarch64 builds for RHEL8, Ubuntu 20.04, and SLES16
• Reduced disk usage by up to 30% with drastically improved performance on Windows systems
• 8 new resources
  • alternatives, plist, user_ulimit, windows_security_policy, windows_user_privilege, chef_client_cron, chef_client_systemd_timer, chef_client_scheduled_task
• Improvements to 10 existing resources
  • build_essential, cron, dnf_package, git, locale, msu_package, package, service, windows_firewall_rule, windows_package
• 2 new helper functions can be used in any resource or recipe
  • sanitized_path, which
• Ohai Plugin Improvements
  • Improved Azure & Linux Network data
  • New plugins for IPC and Interrupts
  • DMI plugin support for Windows
• Custom Resource Improvements
  • Improved property require behavior
  • Resource partials for code reuse between resources
  • New after_resource state
  • Improvements and default behavior for identity and desired_state properties
• The compile_time property is now available for all resources, including custom resources
• Upgraded to Ruby 2.7

Details for each of Chef Infra 16’s additions can be found in our release notes. While you can find notes for all of our releases on that very page, we’ve provided a condensed version of the highlights added in Chef Infra Client 12 through 15 below.

Security & Support

Before we dive into release-by-release improvements, it’s worth noting a few points that will be true regardless of the version we’re running. The most immediate reason to keep clients updated is to maintain support and ensure the most up-to-date security patches.

Chef officially supports the most recent two major releases, which at present are Infra Client 15 & 16. While new feature updates will be limited to the latest release, security patches and bug fixes will be provided for both during their support lifecycle. You can always find the full list of supported versions in our documentation.

Within a particular major release, Chef further recommends always running the latest version of that release. Updates published as minor or patch releases are as a rule intended to be non-breaking, backwards compatible, and most importantly, do not require updating associated cookbooks. These releases often feature performance improvements as underlying components are upgraded, additional platform support as new operating systems become available, and perhaps most importantly, timely updates and patches in response to any nascent vulnerabilities or CVEs in any of Chef Infra’s dependencies.

While we’ll be diving into client upgrades in more detail later in the series, be sure to check out the Upgrade Chef Client Learn Chef Rally module for some hands-on upgrade guidance in the meantime.

Chef Infra Client 12

Of the releases we’ll be discussing today, Chef Infra Client 12 is unique. It was the final release before we formalized the yearly cadence of major releases, and was one of the longest running stable releases of Chef Infra. As such, a huge number of improvements were added during its lifecycle.

Release Highlights

• AIX Support Added
• Expanded Windows Support
  • New Resources: windows_service, reboot, dsc_resource, chocolatey_package, cab_package, msu_package
  • 64-bit windows binaries
  • UNC path support in remote_file resource
• Expanded macOS Support
  • New Resources: homebrew_package, osx_profile
• Other New Resources
  • bff_package, openbsd_package, paludis_package, apt_update, launchd, yum_repository, ksh, systemd_unit
• Removable Cookbook Dependencies
  • Resources provided by the yum and systemd cookbooks are now natively implemented
• Notification Timers
  • Determine when a notifies or subscribes parameter is executed.
  • Supports :delayed (default), :before, :immediately
• Security Updates
  • Client/Server connections over HTTPS by default
  • FIPS Mode added
• Custom Resources Introduced
• Policyfiles Introduced
• Chef Automate data collection Introduced

Chef Infra Client 13

With Chef Infra Client 13, we established our current yearly major release cadence. Full details can be found in the Chef Infra Release and Support Schedule. As part of this change, any planned deprecations, syntax revisions, or other breaking changes must first be implemented as a non-breaking warning that indicates removal in the next major release. Similarly, while patches, bug fixes, and CVE remediations would continue to be implemented throughout each release, changes that might impact behavior or performance, like Ruby upgrades to the next minor release, would be scheduled for the next major release of Chef Infra Client.

Release Highlights

• New Resources
  • apt_preference, windows_task, zypper_repository
• Ohai Improvements
  • Improved cloud support with expanded detection of EC2/Softlayer clouds and metadata gathering for Azure/Rackspace in Ohai
• Removable Cookbook Dependencies
  • apt
• Encrypted Data Bags use more secure aes-256-gcm encryption method by default
• Chef InSpec and Chef Vault included by default
• Upgraded to Ruby 2.4

Chef Infra Client 14

Chef Infra Client 14 saw a vast improvement in performance and reduction in install size. Additionally, we added a huge number of new resources that were previously provided by cookbooks on the Chef Supermarket. With these changes, Chef Infra practitioners not only saw the client itself become easier to manage, but could greatly reduce the number of cookbooks they needed to manage.

Release Highlights

• New Resources
  • windows_workgroup, windows_shortcut, windows_printer_port, windows_printer, windows_font, windows_feature, windows_auto_run, windows_ad_join, sysctl, swap_file, sudo, rhsm_subscription, rhsm_repo, rhsm_register, rhsm_errata_level, rhsm_errata, openssl_rsa_public_key, openssl_rsa_private_key, openssl_dhparam, ohai_hint, macos_userdefaults, hostname, homebrew_tap, homebrew_cask, dmg_package, chef_handler, ssh_known_hosts_entry, kernel_module, powershell_package_source, chocolatey_source, chocolatey_config, openssl_ec_public_key, openssl_ec_private_key, openssl_x509_crl, openssl_x509_request, openssl_x509_certificate, cron_access, cron_d, windows_workgroup, locale, timezone, windows_firewall_rule, windows_share, windows_certificate, and build_essential
• Improved Resources
  • Windows_service can now create Windows services
  • Large improvements to yum package installation
• Removable Cookbook Dependencies
  • windows, build_essential, mac_os_x, openssl, sudo, sysctl, rhsm, homebrew, windows_firewall, swap, hostname-chef, locale, timezone_iii
• Expanded Platform Support
  • MacOS 10.14 (Mojave), SLES 15, Windows 2019, Windows 10, FreeBSD 12, AIX 7.2, and RHEL 8
• Improved FIPS detection
• Install size reduced by 50% on Linux/macOS, 12% on Windows
• Upgraded to Ruby 2.5

Chef Infra Client 15

Chef Infra Client 15 is currently supported, and will remain so through April 2021. It also coincided with an update to our licensing policies, in which we made all of Chef’s software open source under an Apache2 license, and their supported distributions (binaries) subject to an enterprise license for commercial use. More detail can be found in this blog post I wrote back in February. Additionally, this release featured a significant number of new helper functions to help with cookbook creation and the first phase of expanded ARM support that continued in Chef Infra 16.

Release Highlights

• New Resources
  • snap_package, archive_file, windows_uac, windows_dfs_folder, windows_dfs_server, windows_dns_record, windows_dns_zone, chocolatey_feature, chef_sleep, notify_group
• New Helpers to simplify writing cookbooks and resources
  • Multiple platform detection helpers for cloud, virtualization, and OS version
  • include_recipe? enables conditional execution based on other recipes in use
• Removable Cookbook Dependencies
  • windows_dfs, windows_dns, libarchive
• Expanded Platform Support
  • x86_64: Ubuntu 20.04, Debian 10, macOS 10.15 (Catalina), Amazon Linux 2
  • aarch64: Ubuntu 18.04, RHEL 7, Amazon Linux 2, SLES 15
• Support for Ed25519 SSH keys
• Unified Bootstrapping of *nix/Windows
• Target Mode introduced
  • provides platform-agnostic configuration over SSH
• Upgraded to Ruby 2.6

Up Next

Now that we’ve seen an overview of some of the improvements that have been added to Chef Infra Client, we’ll need a plan to realize the value these enhancements provide. Next week we’ll dive into some practical upgrade guidance, starting with ensuring that your cookbooks are compatible with the latest Chef Infra clients. If you want a head start, the Local Development and Testing track on Learn Chef Rally will get you comfortable working with Cookstyle and Test Kitchen.

And don’t forget, if you need help getting upgrades going, we’re offering discounted professional services through June 30th for qualifying engagements. Contact us to learn more!