
Chef Infra Client

Chef Infra Client is an agent that runs locally on every node that’s under management by Chef Infra Server. Chef Infra Client transforms your infrastructure into code by automatically configuring systems to match your desired state.

When Chef Infra Client runs, it performs all the steps required to bring a node into the expected state, including:

  • Registering and authenticating the node with Chef Infra Server
  • Synchronizing cookbooks from Chef Infra Server to the node
  • Compiling the resource collection by loading each of the required cookbooks, including recipes, attributes, and all other dependencies
  • Taking the appropriate and required actions to configure the node based on recipes and attributes
  • Reporting summary information on the run to Chef Automate

Chef Infra Client components

Chef Infra Client works with key components to manage your infrastructure:

Compliance Phase

The Compliance Phase is an integrated security and compliance feature that runs Chef InSpec profiles automatically as part of every Chef Infra Client run. This phase allows you to continuously audit your infrastructure for compliance with security policies and regulatory requirements without managing separate tools or processes.

For detailed information, see About the Compliance Phase.

Node

A node represents any system that Chef Infra Client manages - whether it’s a virtual machine, container instance, or physical server. Every node runs Chef Infra Client and maintains its configuration state according to the policies you define.

Cookbooks and recipes

Cookbooks contain the instructions (recipes) that tell Chef Infra Client how to configure your systems. Recipes use resources to describe the desired state of system components like packages, files, and services.

Run list

The run list defines which cookbooks and recipes Chef Infra Client should execute on a node and in what order. You can customize run lists for different node types or environments.

Ohai

Ohai is a system profiling tool that collects detailed information about your nodes, including hardware details, network configuration, and operating system data. Chef Infra Client uses this information to make intelligent configuration decisions.

Agentless

Agentless allows you to execute Infra Client runs on a target node over SSH without having Chef Infra Client installed on the node.

For more details and setup instructions, see the Agentless documentation.

How Chef Infra Client works

Chef Infra Client operates on a pull-based model where nodes periodically contact Chef Infra Server to retrieve their configuration policies. This approach ensures that your infrastructure remains in the desired state even if individual nodes experience temporary disconnections or issues.

Common use cases

You can use Chef Infra Client to automate infrastructure management tasks:

  • Server provisioning: Automatically configure new servers with required software and settings
  • Application deployment: Deploy and configure applications across different environments
  • Security compliance: Enforce security policies and compliance requirements
  • Configuration drift prevention: Continuously check and correct configuration changes
  • Environment management: Maintain consistent configurations across development, staging, and production environments

The Chef Infra Client run

A Chef Infra Client run describes the steps Chef Infra Client takes to configure a node when you run the chef-client command. The following diagram shows the various stages that occur during a Chef Infra Client run.

Flowchart diagram illustrating the sequential stages of a Chef Infra Client run, starting with getting configuration data and ending with waiting for the next run, with arrows connecting each step in a vertical flow.

During every Chef Infra Client run, the following happens:

  1. Get configuration data

    Chef Infra Client gets process configuration data from the client.rb file on the node and then gets node configuration data from Ohai. The node name is an important piece of configuration data. Chef Infra Client gets the node name from the node_name attribute in the client.rb file or from Ohai. If Ohai provides the node name, it’s typically the FQDN for the node, which is always unique within an organization.

  2. Authenticate to Chef Infra Server

    Chef Infra Client authenticates to Chef Infra Server using an RSA private key and the Chef Infra Server API. Authentication with Infra Server requires the node name. If this is the first Chef Infra Client run for a node, the chef-validator generates an RSA private key.

  3. Get and rebuild the node object

    Chef Infra Client pulls down the node object from Chef Infra Server and then rebuilds it. A node object contains the system attributes discovered by Ohai, the attributes set in Policyfiles or Cookbooks, and the run-list of cookbooks. The first time Chef Infra Client runs on a node, it creates a node object from the default run-list. A node that hasn’t yet had a Chef Infra Client run won’t have a node object or a Chef Infra Server entry for a node object. On any subsequent Chef Infra Client runs, the rebuilt node object also contains the run-list from the previous Chef Infra Client run.

  4. Expand the run-list

    Chef Infra Client expands the run-list from the rebuilt node object and compiles a complete list of recipes in the exact order that they will be applied to the node.

  5. Synchronize cookbooks

    Chef Infra Client requests all the cookbook files (including recipes, templates, resources, providers, attributes, and libraries) that it needs for every action identified in the run-list from Chef Infra Server. Chef Infra Server responds to Chef Infra Client with the complete list of files. Chef Infra Client compares the list of files to the files that already exist on the node from previous runs and then downloads a copy of every new or modified file from Chef Infra Server.

  6. Reset node attributes

    All attributes in the rebuilt node object are reset. All attributes from attribute files, Policyfiles, and Ohai are loaded. Attributes that are defined in attribute files are first loaded according to cookbook order. For each cookbook, attributes in the default.rb file are loaded first, and then additional attribute files (if present) are loaded in lexical sort order. If attribute files are found within any cookbooks that are listed as dependencies in the metadata.rb file, these are loaded as well. All attributes in the rebuilt node object are updated with the attribute data according to attribute precedence. When all the attributes are updated, the rebuilt node object is complete.

  7. Compile the resource collection

    Chef Infra Client identifies each resource in the node object and builds the resource collection. Libraries are loaded first to ensure that all language extensions and Ruby classes are available to all resources. Next, attributes are loaded, followed by custom resources. Finally, all recipes are loaded in the order specified by the expanded run-list. This is the compile phase.

  8. Converge the node

    Chef Infra Client configures the system based on the information that has been collected. Each resource is executed in the order identified by the run-list and then by the order in which each resource is listed in each recipe. Each resource defines an action to run, which configures a specific part of the system. This process, called convergence, is also called the execution phase.

  9. Update the node object and process exception and report handlers

    When all the actions identified by resources in the resource collection have been completed and Chef Infra Client finishes successfully, Chef Infra Client updates the node object on Chef Infra Server with the node object built during the Chef Infra Client run. Chef Infra Client will pull down this node object during the next Chef Infra Client run. This makes the node object (and the data in the node object) available for search.

    Chef Infra Client always checks the resource collection for the presence of exception and report handlers. If any are present, each one is processed appropriately.

  10. Get and run Chef InSpec Compliance Profiles

    After the Chef Infra Client run finishes, Chef Infra Client begins the Compliance Phase, which is a Chef InSpec run within Chef Infra Client. Chef InSpec retrieves tests from either a legacy audit cookbook or a current InSpec profile.

  11. Send or save Compliance Report

    When all the InSpec tests finish running, Chef InSpec checks the reporting handlers defined in the legacy audit cookbook or in a current InSpec profile and processes them appropriately.

  12. Stop and wait for the next run

    When everything is configured and the Chef Infra Client run is complete, Chef Infra Client stops and waits until the next time it’s asked to run.
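
The load order described in steps 6 and 7, modelled as an added Ruby example (not code from Chef or from this page). The cookbook names, file names and hash layout are constructed sample data, and files within the libraries and resources segments are kept in the order listed, which is an assumption.

```ruby
# Added illustration of the load order in steps 6 and 7; not Chef's own code.
# Cookbook names, file names and the hash layout are constructed sample data.

# Step 6: within one cookbook, default.rb loads first, then the remaining
# attribute files in lexical sort order.
def attribute_order(files)
  default, others = files.partition { |f| f == "default.rb" }
  default + others.sort
end

# Step 7: libraries, then attributes, then custom resources, then recipes
# in expanded run-list order. Returns "cookbook/segment/file" paths.
def compile_order(cookbooks, run_list)
  order = []
  # Walk one segment across every cookbook, in cookbook order.
  segment = lambda do |name|
    cookbooks.each do |cb|
      files = cb.fetch(name, [])
      files = attribute_order(files) if name == :attributes
      files.each { |f| order << "#{cb[:name]}/#{name}/#{f}" }
    end
  end
  %i[libraries attributes resources].each { |name| segment.call(name) }
  # A run-list item without "::" refers to the cookbook's default recipe.
  run_list.each do |item|
    cookbook, recipe = item.split("::", 2)
    order << "#{cookbook}/recipes/#{recipe || 'default'}.rb"
  end
  order
end

# Constructed sample: two cookbooks in cookbook order and an expanded run-list.
SAMPLE_COOKBOOKS = [
  { name: "base", libraries: ["helpers.rb"],
    attributes: ["tuning.rb", "default.rb", "accounts.rb"] },
  { name: "web", attributes: ["default.rb"], resources: ["vhost.rb"],
    libraries: ["tls.rb"] }
].freeze
SAMPLE_RUN_LIST = ["base", "web::server"].freeze

puts compile_order(SAMPLE_COOKBOOKS, SAMPLE_RUN_LIST)
```

Every library file from every synchronized cookbook is loaded before any attribute file or recipe, so reviewing a cookbook means reviewing its libraries as well as its recipes.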
