Chef is a configuration management system written predominantly in Ruby, previously Erlang. Chef is built on the idea that configuration should be declarative and describe the desired state of the system, and that the configuration management system should converge systems to this state idempotently.


  • Nodes are hosts running the Client.
  • Environments group related Nodes.
  • Resources declare types of things which can be managed and the logic to converge the actual and desired states.
  • Recipes declare the desired state of individual Resources.
  • Actions describe a declarative state of a Recipe. Recipes will set a default.
  • Cookbooks contain sets of related Recipes for easier deployment.
  • Roles package up Cookbooks for reuse across projects and organisations.
  • Policies are expressed in Policyfiles.
  • Attributes are details about Nodes, defined by their state, CLI arguments, Roles, Environments and Policies.
  • Methods allow expressing conditionals and modelling changes to the run list.
  • Data Bags are data declarations managed with Knife which can be reused in Cookbooks.
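
The convergence idea behind Resources, as an added example in plain Ruby rather than the Chef DSL (not code from the original page or from Chef). The hypothetical ManagedFile class and demo_runs helper compare the actual and desired state of a file and change only what differs, so a rerun makes no changes and a drifted file mode is put back.

```ruby
require 'tmpdir'

# Plain-Ruby model of a resource (hypothetical class, not Chef's API):
# it holds the desired state and converges the actual state towards it.
class ManagedFile
  attr_reader :path, :content, :mode

  def initialize(path, content:, mode: 0o600)
    @path = path
    @content = content
    @mode = mode
  end

  # Load the actual state from the host; nil means the file is absent.
  def current_state
    return nil unless File.file?(path)
    { content: File.read(path), mode: File.stat(path).mode & 0o7777 }
  end

  # Change only what differs from the desired state; return what changed.
  def converge
    current = current_state
    changes = []
    if current.nil? || current[:content] != content
      # Create with the restrictive mode so new content is never world-readable.
      flags = File::WRONLY | File::CREAT | File::TRUNC
      File.open(path, flags, mode) { |f| f.write(content) }
      changes << :content
    end
    if current.nil? || current[:mode] != mode
      File.chmod(mode, path)
      changes << :mode
    end
    changes
  end
end

# Converge a constructed config file three times in a scratch directory:
# first run, unchanged rerun, and a rerun after the mode has drifted.
def demo_runs
  Dir.mktmpdir do |dir|
    file = ManagedFile.new(File.join(dir, 'app.conf'), content: "token=example\n")
    first = file.converge
    second = file.converge
    File.chmod(0o644, file.path) # simulate drift on the host
    third = file.converge
    [first, second, third, File.stat(file.path).mode & 0o7777]
  end
end
```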


  • Chef Infra Client is the agent which obtains configuration from the Server and applies it to the host.
  • Chef Infra Server is responsible for orchestration across the clients:
    • Bookshelf stores Cookbooks.
    • Message Queues (RabbitMQ) are used for search index interactions.
    • Search Index, using Solr for storage.
    • Data Store stores node data (in PostgreSQL).
  • Chef Workstation contains tools and utilities to maintain Chef assets and infrastructure:
    • chef-client executes cookbooks.
    • ohai gathers system information.
    • chef manages cookbooks.
    • knife interacts with the server to manage nodes.
    • chef-run generates temporary run lists and executes cookbooks locally.
    • Test Kitchen allows integration testing of Chef configuration.
    • InSpec adds compliance and auditing capabilities.
  • ChefDK (Chef Development Kit) is the legacy product that was replaced with Chef Workstation.
  • Chef Manage is a web UI for administration and compliance auditing.
  • Hosted Chef hosts Chef Infra Server.
  • Habitat provides automation pipelines for use in DevOps environments.
  • Automate extends Habitat with collaboration features, collecting audit results and making them visible to compliance.


With Linux systems, Chef is distributed in a number of packages:

  • chef-workstation



Recipes are declared using a Ruby DSL:

# Add an APT repository for nginx.
apt_repository 'nginx' do
  uri ''
  components ['main']
  arch 'amd64'
  key ''
  action :add
end

Recipes are executed in the order in which they're declared.



  • my-cookbook/:
    • attributes/
    • recipes/
      • default.rb
    • files/
    • templates/
    • metadata.rb

Cookbooks can be found on the Chef Supermarket.


Custom resources allow extending the Infra Client with additional functionality, reusing existing resource definitions. They're declared in the resources directory of cookbooks.

resource_name :my_resource
property :my_property, RubyType, default: 'my default'

action :do_something do
  # Chef DSL for recipes
end

action :other_thing do
  # More Chef DSL for recipes
end


  • include_recipe(name) includes recipes declared elsewhere, useful for wrapping existing
  • platform_family(like_family) can be used in conditionals.


Nodes are hosts running the Chef Infra Client. Data about them is gathered by ohai and stored in the Infra Server in a dictionary structure. You can inspect this data using Knife and Manage. There are two means of assigning roles to Nodes based on this collected data:

  • Roles allow setting the run_list.
  • Policies are a newer concept, consolidating Cookbook dependency management into the Chef Infra Server component.

From the above, Chef derives run_lists to execute. Environments allow grouping related nodes and attribute values.

Knife plugins allow communication with platforms directly, facilitating provisioning virtual machines.

  • knife node list
  • knife node show my-node
  • knife node run_list
  • knife search node 'attribute_glob:value_glob' [-a attribute_filter]


Supermarkets are repositories of available cookbooks. A public one is hosted by Chef, and the source code is available for hosting privately. Note that hosting privately requires Chef Infra Server for OAuth.

Dependency managers like Berkshelf allow locking dependencies at specific versions.

Test Kitchen

Test Kitchen provides an environment for integration testing configurations, and a framework for performing assertions. It executes tests in a hypervisor or container runtime, using pre-built images assembled with tools like Bento or Packer.

  • Drivers provide backends for controlling the compute environment.
  • Provisioners describe how the configuration of the machine will be converged with the desired state (chef_zero in this context).
  • Verifiers execute the suites against the machine, verifying it's in the expected state. Common verifiers:
    • InSpec (inspec)
    • ServerSpec (serverspec)

The structure of a test workspace is usually overlaid into the existing cookbook directory:

  • my-cookbook/
    • spec/
    • test/
      • integration/
        • default_test.rb
        • my-cookbook_test.rb
    • kitchen.yml provides the driver, provisioner and verifier details, along with a list of suites for execution.

Some common commands:

  • kitchen converge executes the provisioner.
  • kitchen login gives us SSH or WinRM access.
  • kitchen verify audits the machine state.

InSpec profiles


  • controls/
    • app.rb
    • other_app.rb
  • libraries/
    • resource.rb
  • files/
    • someconfig.yml
  • inspec.yml