Chef Infra Client 17.3 Released!

Hey Everyone,

Today we released Chef Infra Client 17.3. This release is by far our largest "minor" release ever and it includes even more new functionality than we shipped in 17.0. Be sure to check out everything that's new, and let us know what you think on Community Slack.

What's New in 17.3

Compliance Phase Improvements

Chef InSpec 4.38

We've updated Chef InSpec from 4.37.23 to 4.38.3:

New Features
  • Added a new mongodb_conf resource.
Bug Fixes
  • Changed the Windows local pipe server connection to retry once on EPIPE.
  • Exceptions are now handled correctly in the oracledb_session resource.
  • Fixed the mysql_session resource to raise an exception if there is an error in a connection or query.
  • Fixed the postgres_session resource to raise an exception if there is an error in a connection or query.

Run Lists with Policyfiles

You can now optionally execute Chef Infra Client with a specified run list on nodes that are managed with Policyfiles. This differs from the traditional Policyfile workflow by allowing you to run any cookbook/recipe combination that exists within the Policyfile lock.

Safety With Flexibility

Run lists with Policyfiles give you the safety of locked sets of cookbook dependencies while also giving you the flexibility to change run lists or run different run lists on nodes for adhoc Chef Infra Client converges. Without Policyfiles, manually specifying or overriding a run list determines an entirely new set of dependencies. When using run lists with Policyfiles, Chef Infra Client executes within the predefined set of cookbook dependencies in your Policyfile lock. This allows you to change or override run lists without introducing new, and potentially untested, cookbook dependencies.

To execute a run list defined on a node in Chef Infra Server instead of the run list defined directly in a Policyfile, set the Chef Config policy_persist_run_list to true. An override run list that is specified on the command line with Policyfiles will execute without any additional configuration.
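
A pre-flight check for the guarantee described above, as an added example that is not Chef's own code: it confirms that every item in an override run list names a cookbook listed under cookbook_locks in a Policyfile.lock.json. The lock content, cookbook names, and helper names are constructed for illustration.

```ruby
require 'json'

# Constructed Policyfile.lock.json excerpt; names and versions are made up.
SAMPLE_LOCK = <<~JSON
  {
    "name": "web",
    "run_list": ["recipe[my_cookbook::default]"],
    "cookbook_locks": {
      "my_cookbook": { "version": "1.2.0" },
      "nginx": { "version": "11.5.3" }
    }
  }
JSON

# Extract the cookbook name from a run list item such as
# "my_cookbook::some_recipe", "recipe[nginx]" or "recipe[nginx::ssl@1.0.0]".
def cookbook_of(item)
  inner = item.strip[/\Arecipe\[(.+)\]\z/, 1] || item.strip
  inner.split('::').first.split('@').first
end

# Return the run list items whose cookbook is absent from the lock.
def unlocked_items(lock_json, run_list)
  locked = JSON.parse(lock_json).fetch('cookbook_locks').keys
  run_list.split(',').map(&:strip).reject(&:empty?)
          .reject { |item| locked.include?(cookbook_of(item)) }
end

# Hypothetical override run list, as it would be passed to chef-client -o.
override = 'my_cookbook::some_recipe,recipe[nginx::ssl],untested_cookbook::default'
missing = unlocked_items(SAMPLE_LOCK, override)
puts missing.empty? ? 'run list stays inside the lock' : "not in lock: #{missing.join(', ')}"
```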

How This Differs From Named Run Lists

Policyfiles with run lists offer additional flexibility over named run lists and are better suited for adhoc Chef Infra Client execution or programmatically changing run lists during bootstrap. Named run lists within Policyfiles need to be defined when the Policyfile is created, requiring you to predefine each potential run list you may want to run at a future date. Run lists with Policyfiles allow you to run any run list for cookbooks included in the Policyfile lock. Override run lists with Policyfiles offer adhoc flexibility because the override run list is not saved to the node on Chef Infra Server, unlike named run lists, which permanently update the node.


Override Run List
chef-client -o my_cookbook::some_recipe
Set Permanent Run List via CLI
chef-client -r my_cookbook::some_recipe


chef-client -j my_run_list_and_attribute_data.json
Configuring Chef Infra Client to Use Run Lists
chef_client_config 'Configure Infra Client' do
  policy_persist_run_list true
end

New Resources


Use the habitat_package resource to install or remove Chef Habitat packages from Habitat Builder. See the habitat_package Resource documentation for additional details and example usage.


Use the habitat_sup resource to run a Chef Habitat supervisor for one or more Chef Habitat services. The resource is commonly used in conjunction with the habitat_service resource, which will manage the services loaded and started within the supervisor. See the habitat_sup Resource documentation for additional details and example usage.


Use the habitat_config resource to apply a configuration to a Chef Habitat service. See the habitat_config Resource documentation for additional details and example usage.


Use the habitat_install resource to install Chef Habitat. See the habitat_install Resource documentation for additional details and example usage.


Use the habitat_service resource to manage Chef Habitat services. This requires that core/hab-sup be running as a service. See the habitat_sup resource documentation for more information. See the habitat_service Resource documentation for additional details and example usage.


Use the habitat_user_toml resource to template a user.toml for Chef Habitat services. Configurations set in the user.toml override the default.toml for a given package, which makes it an alternative to applying service group level configuration. See the habitat_user_toml Resource documentation for additional details and example usage.


Use the windows_defender resource to enable, configure, or disable the Microsoft Windows Defender service. See the windows_defender Resource documentation for additional details and example usage.


Use the windows_defender_exclusion resource to exclude paths, processes, or file types from Windows Defender realtime protection scanning. See the windows_defender_exclusion Resource documentation for additional details and example usage.


Use the windows_update_settings resource to manage the various Windows Update patching options. See the windows_update_settings Resource documentation for additional details and example usage.

Updated Resources


Updated the powershell_package resource to allow passing an array of install options via the options property. Thanks for reporting this issue @kimbernator.


Updated the windows_printer resource to better load the current state of the printer and to allow controlling the creation of the printer port. The resource now includes a create_port property that allows skipping the creation of the printer port and a port_name property that allows specifying the name of the port to use. With these new properties, users can create advanced printer ports using the windows_printer_port resource and then attach a new printer to those ports using the windows_printer resource.

windows_printer_port '' do
  port_name 'My awesome printer port'
  snmp_enabled true
  port_protocol 2
end

windows_printer 'HP LaserJet 5th Floor' do
  driver_name 'HP LaserJet 4100 Series PCL6'
  port_name 'My awesome printer port'
  ipv4_address ''
  create_port false
end


Updated the chef_client_config resource to properly format the client.rb config when the user sets the ohai_optional_plugins or ohai_disabled_plugins properties. Thanks for reporting this issue @caneylan. The resource can now also set the new policy_persist_run_list configuration in the client.rb file by setting the policy_persist_run_list property to true.

Chef Language Improvements

We've added several new helpers to the Chef Infra Language to make writing out various data formats easier. These helpers allow you to convert data from Ruby Hashes or Chef Infra attributes into YAML, JSON, or TOML formatted data. A great use case for these helpers is writing system or application configuration files to disk without having to template out data formats using a template resource.

Given this Ruby hash:

example_hash = {
  "golf": "hotel",
  "kilo": %w{lima mike},
  "india": {
    "juliett": "blue",
  },
  "alpha": {
    "charlie": true,
    "bravo": 10,
  },
  "echo": "foxtrot",
}

Output the data in JSON format:

{
  "golf": "hotel",
  "kilo": [
    "lima",
    "mike"
  ],
  "india": {
    "juliett": "blue"
  },
  "alpha": {
    "charlie": true,
    "bravo": 10
  },
  "echo": "foxtrot"
}

Output the data in TOML format:

echo = "foxtrot"
golf = "hotel"
kilo = ["lima", "mike"]
[alpha]
bravo = 10
charlie = true
[india]
juliett = "blue"

Output the data in YAML format:

golf: hotel
kilo:
- lima
- mike
india:
  juliett: blue
alpha:
  charlie: true
  bravo: 10
echo: foxtrot

Using this helper with the file resource:

file '/etc/some_app/config.yml' do
  content render_yaml(example_hash)
  mode '0640'
end

Experimental Secrets Management

With Chef Infra Client 17.3, we're introducing experimental secrets management integration with a new secrets helper in the Infra Language. This helper has a pluggable model for fetching secrets from multiple secrets management systems. In this release of Chef Infra Client we support AWS Secrets Manager and Azure Key Vault, with additional secrets managers coming in future releases. This new functionality should be considered a beta and not necessarily ready for production usage. We'd love to get feedback on how this works for you and additional features you'd like, or need, in order to utilize secrets from secret managers within your cookbooks. E-mail us at


The secrets helper uses cloud instance authentication to access secrets in both Azure Key Vault and AWS Secrets Manager. This avoids the need to pass authentication in the helper and allows you to control access to secrets using existing cloud vendor access control models. When using AWS Secrets Manager, this is IAM roles applied to instances. In Azure, this is Managed Identities applied to the VMs.

Fetching Secrets

The secrets helper accepts the secret name, the secrets service, an optional secret version, and connection options for the secrets service.

Fetching an AWS Secrets Manager secret
secret(name: 'test1', service: :aws_secrets_manager, config: { region: 'us-west-2' })
Fetching an Azure Key Vault secret
secret(name: 'test1', service: :azure_key_vault, config: { vault: 'vault1' })
Fetching a specific version of an Azure Key Vault secret
secret(name: 'test1', version: 'v1', service: :azure_key_vault, config: { vault: 'vault1' })

Using in Cookbooks

The secrets helper returns a text string, so it can be used anywhere in Chef Infra where you might hard code a value or access a value from a data bag.

Writing a Secret To a File
file '/home/ubuntu/aws-secret' do
  content secret(name: 'test1', service: :aws_secrets_manager)
end
Passing a Secret to a Template
template '/etc/my_fancy_service/my_fancy_service.conf' do
  source 'config.erb'
  variables(
    db_token: secret(name: 'db_token', service: :aws_secrets_manager)
  )
end
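
Because the helper hands back the secret as plain text, resources that consume it should also set Chef's common sensitive property (which keeps content and diffs out of run output) and an explicit file mode. The check below is an added example, not part of Chef or of the original announcement: it scans recipe text for resources that call secret() without either setting. The recipe text is constructed, and the parsing assumes top-level resources that open with "type 'name' do" and close with "end" at column 0.

```ruby
# Constructed recipe text: the first resource mirrors the announcement's
# example, the second adds a mode only, the third is a hardened variant.
SAMPLE_RECIPE = <<~RECIPE
  file '/home/ubuntu/aws-secret' do
    content secret(name: 'test1', service: :aws_secrets_manager)
  end

  template '/etc/my_fancy_service/my_fancy_service.conf' do
    source 'config.erb'
    variables(
      db_token: secret(name: 'db_token', service: :aws_secrets_manager)
    )
    mode '0600'
  end

  file '/etc/my_fancy_service/token' do
    content secret(name: 'test1', service: :aws_secrets_manager)
    mode '0600'
    sensitive true
  end
RECIPE

# Split recipe text into [type, name, body] triples.
def resources(recipe)
  recipe.scan(/^(\w+) '([^']+)' do\n(.*?)^end$/m)
end

# Report resources that consume secret() without `sensitive true`
# or without an explicit octal mode.
def secret_findings(recipe)
  resources(recipe).filter_map do |type, name, body|
    next unless body.match?(/\bsecret\(/)

    issues = []
    issues << 'missing sensitive true' unless body.match?(/^\s*sensitive\s+true\b/)
    issues << 'no explicit mode' unless body.match?(/^\s*mode\s+['"]0?[0-7]{3}['"]/)
    issues.empty? ? nil : "#{type}[#{name}]: #{issues.join(', ')}"
  end
end

puts secret_findings(SAMPLE_RECIPE)
```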

System Detection Improvements

virtuozzo Support

The virtuozzo platform is now detected as a member of the RHEL platform family. Thanks for this addition @robertmasztalerz!

Linux Livepatch Detection

A new Ohai optional plugin :Livepatch has been added to detect Linux kernel Livepatch modules that have been loaded on a system. This plugin can be enabled on systems using the ohai_optional_plugins property in the chef_client_config resource. Thanks for this new plugin @liu-song-6!

Package Improvements

M1 macOS Monterey Packages

Chef Infra Client packages are now produced for Apple's macOS Monterey preview release. Packages for Intel-based Macs will ship at a later date.

Solaris 11.3 EOL / Solaris 11.4 Packages

Oracle Solaris 11.3 became end-of-life (EOL) in January 2021. Chef Infra Client packages are no longer produced for Solaris 11.3 and new Solaris 11.4 packages are available in their place.


Failures initializing Chef Infra Client on FIPS enabled PowerPC RHEL systems have been resolved.

RPM Package Digests

The file digest in Chef Infra RPM packages has been updated from MD5 to SHA256 to prevent failures installing on some FIPS-enabled systems.


Ruby 3.0.2

Ruby has been updated to 3.0.2 to resolve a large number of bugs as well as the following CVEs:


We've updated the addressable gem from 2.7 to 2.8 to resolve CVE-2021-32740.

Get the Build

As always, you can download binaries directly from or by using the mixlib-install command-line utility:

$ mixlib-install download chef -v 17.3.48

Alternatively, you can install Chef Infra Client using one of the following command options:

# In Shell
$ curl | sudo bash -s -- -P chef -v 17.3.48
# In Windows PowerShell
. { iwr -useb } | iex; install -project chef -version 17.3.48

If you want to give this version a spin in Test Kitchen, create or add the following to your kitchen.yml file:

provisioner:
  product_name: chef
  product_version: 17.3.48