Chef Infra Client 16.15.22 Released!

We are delighted to announce the availability of version 16.15.22 of Chef Infra Client.

Bug Fixes

  • Removed ERROR logs when retrying failed communication with the Chef Infra Server.
  • Several Ruby failures on Windows have been resolved.
  • The cookbook_name variable is now available in templates as expected.
  • YAML recipes can now end in .yaml and .yml.
  • The data collector for sending data to Chef Automate now respects attribute allowlist and denylist configurations.
  • Resolved an edge condition in the deprecations system that could cause failures when running Chef Infra Client.
  • Chef Vault has been updated to allow storing key data.

Chef InSpec 4.41.20

Chef InSpec has been updated from 4.38.9 to 4.41.20 with the following improvements:

  • New Open Policy Agent resources opa_cli and opa_api.
  • New mongodb_session resource.
  • The mssql_session resource now allows named connections by no longer forcing a port.
  • The PostgreSQL resources (postgres_session, postgres_conf, postgres_hba_conf, and postgres_ident_conf) now work with Windows.
  • Fixed a bug where the year in an expiration date was misinterpreted in waiver files.
  • Added support for Alibaba Cloud Linux 3 to the Chef InSpec service resource.
  • Replaced the WMI command-line (WMIC) utility in the Chef InSpec security_identifier resource with Common Information Model (CIM) cmdlets as the WMIC utility will be deprecated soon.
  • Fixed range-based filtering in filter tables.
  • Fixed an issue in the Chef InSpec apache_conf resource when the ServerRoot is not specified in the Apache configuration file.
  • Fixed an error in the Chef InSpec postgres_session resource where the resource was unable to connect to a database.
  • Fixed an error in the Chef InSpec apache_conf resource where it would overwrite any Apache configurations from the main Apache configuration file with configurations from any included configuration files.
  • Fixed an error where the Chef InSpec security_policy resource returned a comma-separated string of local groups (rather than SIDs) instead of an array.
  • Updated the Git fetcher to handle profiles with a default Git branch that is not master.

Resource Updates


We improved the archive_file resource by upgrading the libarchive library it uses, which includes the following improvements:

  • Support for PWB and v7 binary CPIO formats.
  • Support for the deflate algorithm in symbolic link decompression with zip files.
  • Various bug fixes when working with CAB, ZIP, 7zip, and RAR files.


Updated the chef_client_config resource to properly format the client.rb config when the user sets the ohai_optional_plugins or ohai_disabled_plugins properties. Thanks for reporting this issue @caneylan.


The homebrew_cask resource now supports Homebrew Casks with '-' or '@' in their name. Thanks for this fix @byplayer! The resource also now passes the homebrew_path when creating or deleting taps. This change prevents failures when running Homebrew in a non-standard location or on an M1 system. Thanks for this fix @mattlqx!


The mount resource no longer strips trailing / values when the mount point is just /. Thanks for this fix @jiokmiso!


Updated the powershell_package resource to allow passing an array of install options via the options property. Thanks for reporting this issue @kimbernator.


The rhsm_subscription resource now flushes all DNF or YUM caches after adding a new subscription so that subsequent package installs can use packages from the subscription. Thanks for fixing this @jasonwbarnett!


The systemd_unit resource now generates valid unit files when passing a hash of data. Thanks for reporting this issue @gregkare.


The ulimit resource now supports setting sensitive true to prevent logging ulimit data as it is written to disk.


The windows_security_policy resource has been refactored to improve reliability and now supports setting AuditPolicyChange and LockoutDuration.


The windows_uac resource now sets the proper registry key value when using the consent_behavior_users property. Thanks for reporting this @ahembree!


The windows_user_privilege resource no longer fails with an error stating that the privilege property needs to be set, even if it is set.


OpenSSL 1.0.2za

OpenSSL has been updated from 1.0.2y to 1.0.2za on non-macOS systems to resolve CVE-2021-3712.

OpenSSL 1.1.1l

OpenSSL has been updated from 1.1.1k to 1.1.1l on macOS systems to resolve the following CVEs:

libarchive 3.5.2

Updated the libarchive library that powers the archive_file resource from 3.5.1 to 3.5.2 to resolve security vulnerabilities in libarchive's handling of symbolic links.
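
To confirm that a node actually picked up the OpenSSL updates listed above, the following added example (not part of the original release notes or Chef's code) classifies an `openssl version` line against the two minimums named here. The sample lines are constructed, and versions outside the 1.0.2 and 1.1.1 branches are reported as unknown.

```ruby
# Added example: compare an `openssl version` line with the minimum patch
# level this release ships for each branch (values taken from the notes above).
# Pre-3.0 OpenSSL versions are MAJOR.MINOR.FIX plus patch letters that run
# a..z and then continue as za, zb, ...
MIN_FIXED = {
  [1, 0, 2] => "za", # non-macOS builds
  [1, 1, 1] => "l",  # macOS builds
}.freeze

VERSION_RE = /\bOpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)/

# Returns [[major, minor, fix], letters] or nil when the line is not OpenSSL.
def parse_openssl_version(line)
  m = VERSION_RE.match(line)
  return nil unless m
  [[m[1].to_i, m[2].to_i, m[3].to_i], m[4]]
end

# Returns :ok, :outdated, or :unknown (unparseable line or uncovered branch).
def openssl_status(line)
  branch, letters = parse_openssl_version(line)
  minimum = MIN_FIXED[branch]
  return :unknown if minimum.nil?
  # Plain string comparison orders the suffix correctly:
  # "" < "y" < "z" < "za", because the sequence only ever extends past "z".
  (letters <=> minimum) >= 0 ? :ok : :outdated
end

# Constructed sample lines (real output also carries a build date).
SAMPLE_LINES = [
  "OpenSSL 1.0.2y",
  "OpenSSL 1.0.2za-fips",
  "OpenSSL 1.1.1k",
  "OpenSSL 1.1.1l",
  "LibreSSL 2.8.3",
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_LINES.each { |l| puts format("%-22s %s", l, openssl_status(l)) }
end
```

On a package-based install the line to feed in would typically come from the client's embedded OpenSSL binary rather than the system one; the exact path depends on the platform and is not given in these notes.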

Package Improvements

Intel macOS Monterey Packages

We now produce Chef Infra Client packages for Apple's macOS Monterey preview release on Intel architecture in addition to M1 architecture.


Policyfile Compatibility Mode

The Chef Infra Server 11 era Policyfile Compatibility Mode is now deprecated. Users should upgrade to a newer release of Chef Infra Server 12+ that supports Policyfiles natively. With Chef Infra Server upgraded, you can remove policy_document_native_api from the client.rb config file or set it to true.

Attribute Whitelists

We deprecated the attribute whitelist feature in favor of attribute allowlists. Users will need to update whitelist configurations in their client.rb configuration file to be allowlist configurations.
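
As an added example (not part of the original release notes or Chef's code), the following script finds deprecated whitelist settings in the text of a client.rb file and proposes the allowlist form. The replacement key names are the allowed_*_attributes settings from Chef Infra Client's configuration, which these notes do not list, and the sample config is constructed.

```ruby
# Added example: flag deprecated attribute whitelist settings in client.rb
# text and propose the allowlist spelling for each one.
RENAMES = {
  "automatic_attribute_whitelist" => "allowed_automatic_attributes",
  "default_attribute_whitelist"   => "allowed_default_attributes",
  "normal_attribute_whitelist"    => "allowed_normal_attributes",
  "override_attribute_whitelist"  => "allowed_override_attributes",
}.freeze
KEY_RE = /\b(#{Regexp.union(RENAMES.keys).source})\b/

Finding = Struct.new(:line_no, :old_key, :new_key, :rewritten)

# Returns one Finding per active (non-comment) line that uses a deprecated key.
def scan_client_rb(text)
  findings = []
  text.each_line.with_index(1) do |line, line_no|
    next if line.lstrip.start_with?("#") # whole-line comments are not settings
    match = KEY_RE.match(line)
    next unless match
    old_key = match[1]
    new_key = RENAMES.fetch(old_key)
    findings << Finding.new(line_no, old_key, new_key,
                            line.chomp.sub(old_key, new_key))
  end
  findings
end

# Constructed sample config; the server URL and attribute paths are made up.
SAMPLE_CLIENT_RB = <<~CONF
  chef_server_url "https://chef.example.invalid/organizations/demo"
  # automatic_attribute_whitelist ["fqdn"]   (disabled, must be ignored)
  automatic_attribute_whitelist ["fqdn", "network/interfaces"]
  normal_attribute_whitelist %w(tags)
  allowed_default_attributes ["app/version"]
CONF

if __FILE__ == $PROGRAM_NAME
  scan_client_rb(SAMPLE_CLIENT_RB).each do |f|
    puts "line #{f.line_no}: #{f.old_key} -> #{f.new_key}"
    puts "  suggested: #{f.rewritten}"
  end
end
```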

Get the Build

As always, you can download binaries directly from or by using the mixlib-install command-line utility:

$ mixlib-install download chef -v 16.15.22

Alternatively, you can install Chef Infra Client using one of the following command options:

# In Shell
$ curl | sudo bash -s -- -P chef -v 16.15.22
# In Windows PowerShell
. { iwr -useb } | iex; install -project chef -version 16.15.22

If you want to give this version a spin in Test Kitchen, create or add the following to your file:

  product_name: chef
  product_version: 16.15.22