If your custom resources have specific compile/converge phase behaviors, please test them for compatibility. For more information, see the Out-of-Order Execution section of the Unified Mode documentation.
The Secrets Management Integration helper is now a fully supported feature. The Secrets Management Integration helper allows you to fetch secrets from the following secrets management systems within your Infra recipes or resources:
You can now ship Chef InSpec profiles, waivers, and inputs directly in cookbooks allowing you to combine infrastructure and compliance concerns in a single artifact. Bringing infra and compliance together ensures security is always considered when making changes to your systems and enables collaboration in DevSecOps through shared pipelines. Combining infrastructure and compliance content in cookbook artifacts also allows for the safe and controlled promotion of compliance content from development to production using Policyfiles.
InSpec content placed in these new directories will be available for execution during the Chef Infra Client Compliance Phase, similar to how recipes are shipped in cookbooks but must be executed with include_recipe. This gives you fine-grained control of when and how InSpec content runs using Chef Language helpers.
Run lists with Policyfiles give you the safety of locked sets of cookbook dependencies while also giving you the flexibility to change run lists or run different run lists on nodes for ad hoc Chef Infra Client converges. Without Policyfiles, manually specifying or overriding a run list determines an entirely new set of dependencies. When using run lists with Policyfiles, Chef Infra Client executes within the predefined set of cookbook dependencies in your Policyfile lock. This allows you to change or override run lists without introducing new, and potentially untested, cookbook dependencies.
Chef Infra Client now supports both .yaml and .yml file extensions for recipes. If both a .yml and a .yaml recipe of the same name are present, Chef Infra Client will now fail, as there is no way to determine which recipe should be loaded in this case.
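A pre-flight check for the collision described above, as an added example that is not part of the original release notes or of Chef's own code. It assumes the standard layout where each cookbook keeps its recipes in a recipes/ directory; the function names and the sample tree are constructed for illustration.

```ruby
require "tmpdir"
require "fileutils"

# Return { cookbook_name => [recipe names present as BOTH .yml and .yaml] }
# for every cookbook directory directly under cookbooks_root.
def yaml_recipe_collisions(cookbooks_root)
  result = {}
  Dir.children(cookbooks_root).sort.each do |cookbook|
    recipes_dir = File.join(cookbooks_root, cookbook, "recipes")
    next unless File.directory?(recipes_dir)

    # Group YAML recipes by name without extension, keep names seen with
    # more than one distinct extension.
    by_name = Dir.glob(File.join(recipes_dir, "*.{yml,yaml}"))
                 .group_by { |path| File.basename(path, ".*") }
    clashing = by_name.select do |_name, paths|
      paths.map { |p| File.extname(p) }.uniq.size > 1
    end
    result[cookbook] = clashing.keys.sort unless clashing.empty?
  end
  result
end

# Constructed sample tree: "web" has a clash on "default", "db" has none.
def demo_collisions
  Dir.mktmpdir do |root|
    layout = {
      "web" => %w[default.yml default.yaml vhost.yaml helper.rb],
      "db"  => %w[default.yml backup.yaml],
    }
    layout.each do |cookbook, files|
      dir = File.join(root, cookbook, "recipes")
      FileUtils.mkdir_p(dir)
      files.each { |name| FileUtils.touch(File.join(dir, name)) }
    end
    yaml_recipe_collisions(root)
  end
end

puts demo_collisions.inspect if $PROGRAM_NAME == __FILE__
```

Running a check like this in CI catches the duplicate before the client fails on a node.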
The windows_task resource now has a new backup property that allows you to control the number of XML backups that will be kept of your Windows Scheduled Task definition. The default for this setting is 5 and can be disabled by setting the property to false. Thanks @kimbernator!
We now include a centos_stream_platform helper to determine if your CentOS release is a standard CentOS release or a CentOS Stream release. This helper can be used in attributes files, recipes, and custom resources. Thanks for this new helper @ramereth!
With the inclusion of the chef_client_config resource in Chef Infra Client 16.6, it is now possible to fully manage the Chef Infra Client without the need for the chef-client cookbook. We highly recommend using the chef_client_config, chef_client_trusted_certificate, and chef_client_* service resources to manage your clients instead of the chef-client cookbook. In the future we will mark that cookbook as deprecated, at which time it will no longer receive updates.
The windows_firewall_profile allows you to enable, disable, or configure Windows Firewall profiles. For example, you can now set up default actions and configure rules for the Public profile using this single resource instead of managing your own PowerShell code in a powershell_script resource:
If you have a repository that contains a site-cookbooks directory, we highly recommend using Policyfiles or Berkshelf to properly resolve these external cookbook dependencies without the need to copy them locally. Alternatively, you can move the contents of this folder into your main cookbook directory and they will continue to be seen by knife commands.
We added support for writing recipes in YAML to provide a low-code syntax for simple use cases. To write recipes in YAML, Chef resources and any user-defined parameters can be added as elements in a resources hash, such as the example below:
This implementation is restrictive and does not support arbitrary Ruby code, helper functions, or attributes. However, if the need for additional customization arises, YAML recipes can be automatically converted into the DSL via the knife yaml convert command.
The example above shows a resource partial that contains properties for use in multiple resources. You can also use resource partials to define helper methods that you want to use in your actions instead of defining the same helper methods in each action_class.
A new always_dump_stacktrace client.rb configuration option and command line option allows you to have any Ruby stacktraces from Chef Infra Client logged directly to the log file. This may help troubleshooting when used in conjunction with centralized logging systems such as Splunk. To enable this new option, run chef-client --always-dump-stacktrace or add the following to your client.rb:
Chef Infra Client now includes a new notify_group feature that can be used to extract multiple common notifies out of individual resources to reduce duplicate code in your cookbooks and custom resources. Previously cookbook authors would often use a log resource to achieve a similar outcome, but using the log resource results in unnecessary Chef Infra Client log output. The notify_group method produces no additional logging, but fires all defined notifications when the :run action is set.
With unified mode, you opt in to a single phase per resource where all Ruby and Chef Infra resources are executed at once. This makes it far easier to determine how your code will be evaluated and run. Additionally, you no longer need to force any resources to run at compile time, as all code is run in the compile phase. To enable this new mode just add unified_mode true to your resources like this:
As of this release, only the execute resource and guards are supported, but modifying existing resources or writing new resources to support Target Mode is relatively easy. Using Target Mode is as easy as running chef-client --target hostname. The authentication credentials should be stored in your local ~/.chef/credentials file with the hostname of the target node as the profile name. Each key/value pair is passed to Train for authentication.
The legacy require_recipe method in recipes has been removed. This method was replaced with include_recipe in Chef Infra Client 10, and a FoodCritic rule has been warning to update cookbooks for multiple years.
We removed the Ohai::Util::Win32::GroupHelper helper class from Ohai. This class was intended for use internally in several Windows plugins, but it was never marked private in the codebase. If any of your Ohai plugins rely on this helper class, you will need to update your plugins for Ohai 15.
The refresh_plugins method in the Ohai::System class has been removed as it has been unused for multiple major Ohai releases. If you are programmatically using Ohai in your own Ruby application, you will need to update your code to use the load_plugins method instead.
Knife now fails with a descriptive error message when attempting to bootstrap nodes with Chef Infra Client 15. You will need to bootstrap these nodes using Knife from Chef Infra Client 15.x. We recommend performing this bootstrap from Chef Workstation, which includes the Knife CLI in addition to other useful tools for managing your infrastructure with Chef Infra.
The CHEF-25 deprecation for resource collisions between cookbooks and resources in Chef Infra Client has been removed. Instead you will see a log warning that a collision has occurred, which advises you to update your run_list or cookbooks.
AIX and Solaris now ship with a filesystem2 plugin that updates the filesystem data to match that of Linux, macOS, and BSD hosts. This new data structure makes accessing filesystem data in recipes easier and especially improves the layout and depth of data on ZFS filesystems. In Chef Infra Client 15 (April 2019) we will begin writing this same format of data to the existing node['filesystem'] namespace. In Chef Infra Client 16 (April 2020) we will remove the node['filesystem2'] namespace, completing the transition to the new format. Thank you @jaymzh for continuing the updates to our filesystem plugins with this change.
The silence_deprecation_warnings configuration value can be set in your client.rb or solo.rb config file, either to true to silence all deprecation warnings or to an array of deprecations to silence. You can specify which to silence either by the deprecation key name (e.g. "internal_api"), the numeric deprecation ID (e.g. 25 or "CHEF-25"), or by specifying the filename and line number where the deprecation is being raised from (e.g. "default.rb:67").
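To audit what a given silence_deprecation_warnings value would hide, the matching rules above can be modelled as follows. This is an added example, not Chef's source code: the Deprecation struct, the function names and the sample records are constructed for illustration.

```ruby
# Hypothetical record for one raised deprecation (constructed for this example).
Deprecation = Struct.new(:key, :id, :location)

# "default.rb:67" must match ".../recipes/default.rb:67:in ..." but not
# "mydefault.rb:67" or "default.rb:670".
def location_match?(location, spec)
  location.match?(%r{(\A|/)#{Regexp.escape(spec)}(?!\d)})
end

# Apply the rules from the text: true silences everything; otherwise each
# array entry is a key name, a numeric ID (25, "25", "CHEF-25") or file:line.
def silenced?(setting, dep)
  return true if setting == true

  Array(setting).any? do |spec|
    next spec == dep.id if spec.is_a?(Integer)

    case spec.to_s
    when /\A\d+\z/         then dep.id == spec.to_i
    when /\Achef-(\d+)\z/i then dep.id == Regexp.last_match(1).to_i
    when /:\d+\z/          then location_match?(dep.location, spec.to_s)
    else                        dep.key == spec.to_s
    end
  end
end

# Keys of the deprecations a setting would suppress, for review.
def suppressed_keys(setting, deps)
  deps.select { |d| silenced?(setting, d) }.map(&:key)
end

# Constructed sample records; keys, IDs and paths are illustrative only.
SAMPLE = [
  Deprecation.new("internal_api", 0, "/cookbooks/base/libraries/util.rb:12:in `x'"),
  Deprecation.new("sample_collision", 25, "/cookbooks/base/recipes/web.rb:3:in `y'"),
  Deprecation.new("sample_other", 7, "/cookbooks/base/recipes/default.rb:67:in `z'"),
  Deprecation.new("sample_near_miss", 8, "/cookbooks/base/recipes/default.rb:670:in `z'"),
].freeze

if $PROGRAM_NAME == __FILE__
  puts suppressed_keys(["internal_api", "CHEF-25", "default.rb:67"], SAMPLE).inspect
end
```

Reviewing the output of suppressed_keys against the entries in client.rb shows whether a silencing rule is broader than intended.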
You can now use ssh-agent to hold your user key when using knife. This allows storing your user key in an encrypted form as well as using ssh -A agent forwarding for running knife commands from remote devices.
Use the rhsm_errata resource to install packages associated with a given Red Hat Subscription Manager Errata ID. This is helpful if packages to mitigate a single vulnerability must be installed on your hosts. This resource was ported from the redhat_subscription_manager community cookbook.
node.set and node.set_unless were deprecated in Chef Infra Client 12 and have been removed in Chef Infra Client 14. To replicate this same functionality users should use node.normal and node.normal_unless, although we highly recommend reading our attribute documentation to make sure normal is in fact your desired attribute level.