Chef Infra Client 15.3.14 Released!

Hey folks!

We have a great new Chef Infra Client release to announce today with updated resources, a new way to write streamlined custom resources, and updated platform support!

Custom Resource Unified Mode

Chef Infra Client 15.3 introduces an exciting new way to easily write custom resources that mix built-in Chef Infra resources with Ruby code. Previously custom resources would use Chef Infra's standard compile and converge phases, which meant that Ruby would be evaluated first and then the resources would be converged. This often results in confusing and undesirable behavior when you are trying to mix resources with Ruby logic. Many custom resource authors would attempt to get around this by forcing resources to run at compile time so that all the code in their resource would execute during the compile phase.

An example of forcing a resource to run at compile time:

resource_name 'foo' do
  action :nothing

With unified mode, you opt in to a single phase per resource where all Ruby and Chef Infra resources are executed at once. This makes it far easier to determine how your code will be evaluated and run. Additionally, you no longer need to force any resources to run at compile time, as all code is run in the compile phase. To enable this new mode just add unified_mode true to your resources like this:

property :Some_property, String

unified_mode true

action :create do
  # some code

Interval Mode Now Fails on Windows

Chef Infra Client 15.3 will now raise an error if you attempt to keep the chef-client process running long-term by enabling interval runs. Interval runs have already raised failures on non-Windows platforms and we've suggested that users move away from them on Windows for many years. The long-running chef-client process on Windows will load and reload cookbooks over each other in memory. This could produce a running state which is not a representation of the cookbook code that the authors wrote or tested, and behavior that may be wildly different depending on how long the chef-client process has been running and on the sequence that the cookbooks were uploaded.

Updated Resources


The ifconfig resource has been updated to properly support interfaces with a hyphen in their name. This is most commonly encountered with bridge interfaces that are named br-1234.


The archive_file resource now supports archives in the RAR 5.0 format as well as zip files compressed using xz, lzma, ppmd8 and bzip2 compression.


macOS 10.14 / 10.15 support

The user resource now supports the creation of users on macOS 10.14 and 10.15 systems. The updated resource now complies with macOS TCC policies by using a user with admin privileges to create and modify users. The following new properties have been added for macOS user creation:

  • admin sets a user to be an admin.

  • admin_username and admin_password define the admin user credentials required for toggling SecureToken for a user. The value of 'admin_username' must correspond to a system user that is part of the 'admin' with SecureToken enabled in order to toggle SecureToken.

  • secure_token is a boolean property that sets the desired state for SecureToken. FileVault requires a SecureToken for full disk encryption.

  • secure_token_password is the plaintext password required to enable or disable secure_token for a user. If no salt is specified we assume the 'password' property corresponds to a plaintext password and will attempt to use it in place of secure_token_password if it is not set.

Password property is now sensitive

The password property is now set to sensitive to prevent the password from being shown in debug or failure logs.

gid property can now be a string

The gid property now allows specifying the user's gid as a string. For example:

user 'tim' do
  gid '123'

Platform Support Updates

macOS 10.15 Support

Chef Infra Client is now validated against macOS 10.15 (Catalina) with packages now available at and via the Omnitruck API. Additionally, Chef Infra Client will no longer be validated against macOS 10.12.

AIX 7.2

Chef Infra Client is now validated against AIX 7.2 with packages now available at and via the Omnitruck API.

Chef InSpec 4.16

Chef InSpec has been updated from 4.10.4 to 4.16.0 with the following changes:

  • A new postfix_conf has been added for inspecting Postfix configuration files.
  • A new plugins section has been added to the InSpec configuration file which can be used to pass secrets or other configurations into Chef InSpec plugins.
  • The service resource now includes a new startname property for determining which user is starting the Windows services.
  • The groups resource now properly gathers membership information on macOS hosts.

Security Updates


Ruby has been updated from 2.6.3 to 2.6.4 in order to resolve CVE-2012-6708 and CVE-2015-9251.


openssl has been updated from 1.0.2s to 1.0.2t in order to resolve CVE-2019-1563 and CVE-2019-1547.


nokogori has been updated from 1.10.2 to 1.10.4 in order to resolve CVE-2019-5477

Get the Build

As always, you can download binaries directly from or by using the mixlib-install command line utility:

$ mixlib-install download chef -v 15.3.14

Alternatively, you can install Chef Infra Client using one of the following command options:

# In Shell
$ curl | sudo bash -s -- -P chef -v 15.3.14

# In Windows Powershell
. { iwr -useb } | iex; install -project chef -version 15.3.14

If you want to give this version a spin in Test Kitchen, create or add the following to your kitchen.yml file:

  product_name: chef
  product_version: 15.3.14


If you're interested in 32-bit builds for ARM platforms like the Raspberry Pi or BeagleBone Black I've posted builds and instructions here:

I've also updated docs for installing Debian 10 and Raspbian 10 on those platforms: