Chef Infra Client 16.3 released!

Hey folks,

Happy Monday! We have a nice release of Chef Infra Client for July packed full of resource improvements, code cleanups, and optimizations.

Renamed Client Configuration Options

We took a hard look at many of the terms we've historically used throughout the Chef Infra Client configuration sub-system and came to the realization that we weren't living up to the words of our Community Code of Conduct. From the code of conduct: "Be careful in the words that you choose. Be kind to others. Practice empathy". Terms such as blacklist and sanity don't meet that bar so we've chosen to rename these configuration options:

  • automatic_attribute_blacklist -> blocked_automatic_attributes
  • default_attribute_blacklist -> blocked_default_attributes
  • normal_attribute_blacklist -> blocked_normal_attributes
  • override_attribute_blacklist -> blocked_override_attributes
  • automatic_attribute_whitelist -> allowed_automatic_attributes
  • default_attribute_whitelist -> allowed_default_attributes
  • normal_attribute_whitelist -> allowed_normal_attributes
  • override_attribute_whitelist -> allowed_override_attributes
  • enforce_path_sanity -> enforce_default_paths

Existing configuration options will continue to function for now, but will raise a deprecation warning and will be removed entirely from a future release of Chef Infra Client.

Chef InSpec 4.22.1

Chef InSpec has been updated from 4.21.1 to 4.22.1. This new release includes the following improvements:

  • The = character is now allowed for command line inputs
  • apt-cdrom repositories are now skipped when parsing out the list of apt repositories
  • Faulty profiles are now reported instead of causing a crash
  • Errors are no longer logged to stdout with the html2 reporter
  • macOS Big Sur is now correctly identified as macOS

New Resources


The windows_firewall_profile allows you to enable, disable, or configure Windows Firewall profiles. For example, you can now set up default actions and configure rules for the Public profile using this single resource instead of managing your own PowerShell code in a powershell_script resource:

windows_firewall_profile 'Public' do
  default_inbound_action 'Block'
  default_outbound_action 'Allow'
  allow_inbound_rules false
  display_notification false
  action :enable

For a complete guide to all properties and additional examples, see the windows_firewall_profile documentation.

Resource Updates


Log output has been improved in the build_essential resource when running on macOS systems.


The chef_client_scheduled_task resource no longer sets up the scheduled task with invalid double quoting around the specified command. Thanks for reporting this issue @tiobagio.


The user property in the execute resource can now accept user IDs as Integers.


The git resource will no longer fail if syncing a branch that already exists locally. Thanks for fixing this @lotooo.


The macos_user_defaults has received a ground-up refactoring with new actions, additional properties, and better overall reliability:

  • Improved idempotency by properly loading the current state of domains.
  • Improved how we set dict and array type data.
  • Improved logging to show the existing key/value pair that is changed, and improved the property state data that the resource sends to handlers and/or Chef Automate.
  • Fixed a failure when setting keys or values that included a space.
  • Replaced the existing non-functional global property with a new default for the domain property. To set a key/value pair on the NSGlobalDomain domain, you can either set that value explicitly or just skip the domain property entirely and Chef Infra Client will default to NSGlobalDomain. The existing property has been marked as deprecated and we will ship a Cookstyle rule to detect cookbooks using this property in the future.
  • Fixed the type property to only accept valid inputs. Previously typos or otherwise incorrect values would just be ignored resulting in unexpected behavior. This may cause failures in your codebase if you previously used incorrect values. We will be shipping a Cookstyle rule to detect and correct these values in the future.
  • Added a new delete action to allow users to remove a key from a domain.
  • Added a new host property that lets you set per-host values. If you set this to :current it sets the -currentHost flag.


The windows_dns_record resource includes a new optional property, dns_server, allowing you to make changes against remote servers. Thanks for this addition @jeremyciak.


A Chef Infra Client 16 regression within windows_package that prevented specifying path in the remote_file_attributes property has been resolved. Thanks for reporting this issue @asvinours.


The windows_security_policy resource has been refactored to improve idempotency and improve log output when changes are made. You'll now see more complete change information in logs and any handler consuming this data will also receive more detailed change information.

Knife Improvements

  • Ctrl-C can now be used to exit knife even when being prompted for input.
  • knife bootstrap will now properly error if attempting to bootstrap an AIX system using an account with an expired password.
  • knife profile commands will no longer error if an invalid profile was previously set.
  • The -o flag for knife cookbook upload can now be used on Windows systems.
  • knife ssh now once again accepts legacy DSS host keys although we highly recommend upgrading to a more secure key algorithm if possible.
  • Several changes were made to knife to that may prevent intermittent failures running cookbook commands

Habitat Package Improvements

Habitat packages for Windows, Linux and Linux2 are now built and tested against each pull request to Chef Infra Client. Additionally we've improved how these packages are built to reduce the size of the package, which reduces network utilization when using the Effortless deployment pattern.

Get the Build

As always, you can download binaries directly from or by using the mixlib-install command-line utility:

$ mixlib-install download chef -v 16.3.38

Alternatively, you can install Chef Infra Client using one of the following command options:

# In Shell
$ curl | sudo bash -s -- -P chef -v 16.3.38

# In Windows Powershell
. { iwr -useb } | iex; install -project chef -version 16.3.38

If you want to give this version a spin in Test Kitchen, create or add the following to your kitchen.yml file:

  product_name: chef
  product_version: 16.3.38