Chef is a configuration management system written predominantly in Ruby, previously Erlang. Chef is built on the idea that configuration should be declarative and describe the desired state of the system, and that the configuration management system should converge systems to this state idempotently.
- Nodes are hosts running the Client.
- Environments group related Nodes.
- Resources declare types of things which can be managed and the logic to converge the actual and desired states.
- Recipes declare the desired state of individual Resources.
- Actions describe a declarative state of a Recipe; Recipes set a default.
- Cookbooks contain sets of related Recipes for easier deployment.
- Roles package up Cookbooks for reuse across projects and organisations.
- Policies are expressed in
- Attributes are details about Nodes, defined by their state, CLI arguments, Roles, Environments and Policies.
- Methods allow expressing conditionals and modelling changes to the run list.
- Data Bags are data declarations managed with Knife which can be reused in Cookbooks.
- Chef Infra Client is the agent which obtains configuration from the Server and applies it to the host.
- Chef Infra Server is responsible for orchestration across the clients:
  - Bookshelf stores Cookbooks.
  - Message Queues (RabbitMQ) are used for search index interactions.
  - Search Index, using Solr for storage.
  - Data Store stores node data (in PostgreSQL).
- Chef Workstation contains tools and utilities to maintain Chef assets and infrastructure:
  - `ohai` gathers system information.
  - `knife` interacts with the server to manage nodes.
  - `chef-run` generates temporary run lists and executes cookbooks locally.
- Test Kitchen allows integration testing of Chef configuration.
- InSpec adds compliance and auditing capabilities.
- ChefDK (Chef Development Kit) is the legacy product that was replaced with Chef Workstation.
- Chef Manage is a web UI for administration and compliance auditing.
- Hosted Chef hosts Chef Infra Server.
- Habitat provides automation pipelines for use in DevOps environments.
- Automate extends Habitat with collaboration features, collecting audit results and making them visible to compliance.
With Linux systems, Chef is distributed in a number of packages:
Recipes are declared using a Ruby DSL:

```ruby
# Add the upstream nginx apt repository, pinned to one architecture and
# verified against the vendor's signing key.
apt_repository 'nginx' do
  uri 'http://nginx.org/packages/ubuntu'
  components ['main']
  arch 'amd64'
  key 'https://nginx.org/keys/nginx_signing.key'
  action :add
end
```
Recipes are executed in the order in which they're declared.
Cookbooks can be found on the Chef Supermarket.
Custom resources allow extending the Infra Client with additional functionality, reusing existing resource definitions. They're declared in the `resources` directory of cookbooks.

```ruby
resource_name :my_resource

# RubyType stands for the property's Ruby class (String, Integer, ...).
property :my_property, RubyType, default: 'my default'

action :do_something do
  # Chef DSL for recipes
end

action :other_thing do
  # More Chef DSL for recipes
end
```
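To show what "converge idempotently" means for a resource like the one above, here is an added plain-Ruby model (not Chef's own code) of the load-current-value / converge-if-changed cycle. The managed "system" is a constructed Hash standing in for host state, so it runs without Chef installed.

```ruby
# Added example: a plain-Ruby model of how a custom resource converges.
# The "system" is a Hash standing in for real host state (constructed).
class FileResource
  attr_reader :path, :changes

  # Desired state is declared when the resource is written; nothing happens yet.
  def initialize(path, mode:, owner: 'root')
    @path = path
    @desired = { mode: mode, owner: owner }
    @changes = []                      # what each converge actually changed
  end

  # load_current_value: read actual state; an absent file has no properties.
  def load_current_value(system)
    system.fetch(@path, {})
  end

  # Like converge_if_changed: compare actual with desired property by property
  # and only write the drifted ones. Returns true when work was done.
  def run_action(system, action = :create)
    case action
    when :create
      drift = @desired.reject { |k, v| load_current_value(system)[k] == v }
      return false if drift.empty?     # already converged, so a no-op
      system[@path] = load_current_value(system).merge(drift)
      @changes << drift
      true
    when :delete
      return false unless system.key?(@path)
      system.delete(@path)
      @changes << :deleted
      true
    else
      raise ArgumentError, "unsupported action #{action.inspect}"
    end
  end
end

# Converge the same declaration twice over constructed host state: the second
# run must report no work, and repairing drift touches only the drifted property.
def demo_convergence
  host = { '/etc/ssh/sshd_config' => { mode: '0644', owner: 'root' } }
  res = FileResource.new('/etc/ssh/sshd_config', mode: '0600')
  first = res.run_action(host)
  second = res.run_action(host)
  { first: first, second: second, changes: res.changes, state: host['/etc/ssh/sshd_config'] }
end
```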
`include_recipe(name)` includes recipes declared elsewhere, useful for wrapping existing
`platform_family(like_family)` can be used in conditionals.
Nodes are hosts running the Chef Infra Client. Data about them is gathered by `ohai` and stored in the Infra Server in a dictionary structure. You can inspect this data using Knife and Manage. There are two means of assigning roles to Nodes based on this collected data:
- Roles allow setting the
- Policies are a newer concept, consolidating Cookbook dependency management into the Chef Infra Server component.
From the above, Chef derives `run_lists` to execute. Environments allow grouping related nodes and attribute values.
Knife plugins allow communication with platforms directly, facilitating provisioning virtual machines.
```shell
knife node list                                  # list the nodes registered with the server
knife node show my-node                          # show a node's attributes and run list
knife node run_list                              # manage a node's run list
knife search node 'attribute_glob:value_glob' [-a attribute_filter]   # query nodes by ohai/attribute data
```
Supermarkets are repositories of available cookbooks. A public one is hosted by Chef, and the source code is available for hosting privately. Note that hosting privately requires Chef Infra Server for OAuth.
Dependency managers like Berkshelf allow locking dependencies at specific versions.
Test Kitchen provides an environment for integration testing configurations, and a framework for performing assertions. It executes tests in a hypervisor or container runtime, using pre-built images assembled with tools like Bento or Packer.
- Drivers provide backends for controlling the compute environment.
- Provisioners describe how the configuration of the machine will be converged with the desired state (`chef_zero` in this context).
- Verifiers execute the suites against the machine, verifying it's in the expected state. Common verifiers:
  - InSpec
  - ServerSpec
The structure of a test workspace is usually overlaid into the existing cookbook directory:
`kitchen.yml` provides the driver, provisioner and verifier details, along with a list of suites for execution.
Some common commands:
- `kitchen converge` executes the provisioner.
- `kitchen login` gives us SSH or WinRM access.
- `kitchen verify` audits the machine state.
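As an added example (not from Test Kitchen or any real cookbook), the following constructed `kitchen.yml` has the driver, `chef_zero` provisioner, `inspec` verifier and suites described above, and the Ruby around it derives the suite-by-platform instance matrix Test Kitchen would build and lints the file for the pieces a converge needs. The cookbook name `nginx_repo` and the platform list are assumptions.

```ruby
require 'yaml'

# Constructed kitchen.yml (not from any real cookbook) in the shape the
# notes describe: driver, chef_zero provisioner, inspec verifier,
# platforms and suites.
KITCHEN_YML = <<~YAML
  driver:
    name: vagrant
  provisioner:
    name: chef_zero
  verifier:
    name: inspec
  platforms:
    - name: ubuntu-20.04
    - name: centos-8
  suites:
    - name: default
      run_list: ['recipe[nginx_repo::default]']
      verifier:
        inspec_tests: ['test/integration/default']
    - name: hardened
      run_list: ['recipe[nginx_repo::default]', 'recipe[nginx_repo::harden]']
      excludes: ['centos-8']   # a suite may opt out of platforms
YAML

def load_kitchen(yaml_text)
  YAML.safe_load(yaml_text)
end

# Instance names follow Test Kitchen's "<suite>-<platform>" convention
# (underscores to dashes, dots dropped), honouring each suite's excludes.
def kitchen_instances(config)
  config['suites'].flat_map do |suite|
    excluded = suite.fetch('excludes', [])
    config['platforms'].map { |p| p['name'] }
          .reject { |name| excluded.include?(name) }
          .map { |name| "#{suite['name']}-#{name}".tr('_', '-').delete('.') }
  end
end

# Lint: every suite needs a run_list, and the provisioner/verifier pair
# must be the chef_zero/inspec one the notes describe. Empty means OK.
def check_kitchen(config)
  problems = []
  problems << 'provisioner must be chef_zero' unless config.dig('provisioner', 'name') == 'chef_zero'
  problems << 'verifier must be inspec' unless config.dig('verifier', 'name') == 'inspec'
  config['suites'].each do |s|
    problems << "suite #{s['name']} has an empty run_list" if s.fetch('run_list', []).empty?
  end
  problems
end
```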