Habitat-managed Chef with Policyfiles: Learn how to leverage the power of Habitat, chef-client and Policyfiles to produce an immutable application containing all of your chef cookbooks that can be locally tested and provides a consistent and guaranteed picture of desired configuration state across all target environments.

1. Habitat Managed
Chef
Jon Cowie, Principal Customer Architect @ Chef

2. Habitat managed Chef is a new method of building, delivering, and running
Chef cookbooks on your infrastructure.
It uses Habitat to package and deliver your Chef cookbooks, chef-client,
attributes, and run-list together, as one atomic package.
Habitat Managed Chef

3. Some quick use-cases

4. ● Simple cookbooks remediate audit and security issues
● Great for automating server correctness across your
estate, even on ephemeral servers
● Regular Chef, nothing special required
Harden servers using Chef

5. ● Replaces workflows such as the Berkshelf way, role
cookbooks, or environment cookbook pattern with a
simpler, more reliable cookbook development pattern
● Provides a simple way to move cookbooks and chef-
client versions together in lockstep
● Still uses familiar Chef development tools
Improve Cookbook development workflow

6. ● Remove the need for a Chef Server
● Eliminate complex cookbook deployment and
versioning practices
● Great for increasing infrastructure agility or preparing
for application modernization efforts
Simplify Chef

7. ● Modernize applications instead of rewriting them, use
existing, Chef code to help bridge the gap
● Incrementally move services to Habitat, preparing the
way to use Docker, Kubernetes, Mesos, or other
runtime formats
● Great for increasing application reliability and lift-and-
shift plays
Modernize your applications

8. How it all works

9. Use your existing Chef cookbooks
for your infrastructure.
Write a Habitat Plan and a Policyfile
Use a Habitat Plan and a policyfile
to create an artifact that contains
all of your cookbook code, chef-
client version of your choice,
attribute overrides, and run-list.
Use Habitat Studio to test your
Plan, and build and iterate quickly.

10. Write a Habitat Plan and a Policyfile
Plan.sh
pkg_name=hardening
pkg_origin=jonlives
pkg_version="0.1.0"
pkg_scaffolding="core/scaffolding-chef"
scaffold_policy_name="hardening"
pkg_svc_user=("root")

11. Write a Habitat Plan and a Policyfile
hardening.rb
name 'hardening'
default_source :chef_repo, '../'
default['auth'] = { 'is_active_directory' => true }
...
cookbook 'line'
cookbook 'os-hardening'
...
run_list [
'hardening::default', 'mycompany-standards::default', 'mycompany-production::default'
]

12. Use Habitat Builder or the On-Prem Habitat
Builder Depot to automate your cookbook
builds and have complete control over your
chef-client version that ships to your
infrastructure, and vendored cookbooks.
Build your Cookbooks
Rest easy knowing that by bundling the
chef-client with your vendored cookbooks,
you're eliminating entire classes of runtime
errors.
Get automatic rebuilds when a new version
of chef-client or any other runtime
dependencies is available.

13. Build your Cookbooks

14. I love it when a plan.sh
comes together.

15. origin-package-1.2.3-20180808182731-x86_64-linux.hart

16. Now you have a .hart file that contains:
● Your desired chef-client version
● All of your vendored cookbooks
● A policyfile, containing your run-list and attribute
overrides
Build your Cookbooks

17. Install the Habitat Supervisor through your
provisioning tool. Use the Habitat Supervisor
to install the cookbook + chef-client Habitat
package.
Deploy your Cookbooks
Define an update strategy to automatically
update your server's cookbook + chef-client
Habitat package by subscribing to Builder
channels.

18. Deploy your Cookbooks
terraform.tf
provisioner "remote-exec" {
inline = [
"sudo groupadd hab",
"sudo adduser hab -g hab",
"chmod +x /tmp/install_hab.sh",
"sudo /tmp/install_hab.sh",
"sudo mv /home/${var.aws_ami_user}/hab-sup.service /etc/systemd/system/hab-
sup.service",
"sudo systemctl daemon-reload",
"sudo systemctl start hab-sup",
"sudo systemctl enable hab-sup",
"sleep 15",
"sudo hab svc load ${var.habitat_origin}/chef-hardening --group ${var.group} --channel
${var.release_channel} --strategy ${var.update_strategy}",
]
}

19. Deploy your Cookbooks

20. The Habitat Supervisor executes the chef-
client in solo mode. No Chef Server is
required, because all of the cookbooks
already are on your server.
Run your Cookbooks
Use traditional Chef .erb templates, or you
can move configuration templates to
Habitat, to take advantage of information in
the gossip ring.
Your Chef Solo run can still report into Chef
Automate using a data collector token to log
runs.

21. Run your Cookbooks
● Chef-client runs in Chef Solo mode, providing isolation and server stability
● Report handlers still function through a data collector token, which still
allows you to collect Ohai and Node Run data.
● Cookbooks are vendored into the Habitat package and delivered with the
chef-client as one, atomic package, ensuring you'll always have the right
versions.
● Removes the need to resolve and download cookbooks at runtime,
reducing chef run times and eliminating run time depsolver issues.

22. Automatically update chef-client through
Habitat Builder - allowing you to continually
keep your infrastructure up to date.
Manage Chef
See exactly which cookbook versions you
are running in each environment. Have
complete dependency and transitive
dependency control and visibility.
Maintain working cookbook versions paired
with working chef-client versions - so you'll
never get in a bad state again for any server.

23. "It is tempting, if the only tool you have is a hammer,
to treat everything as if it were a nail"
-- Abraham Maslow, law of the instrument
Simplify Chef

24. What is modern Chef, without restrictions?
● Configuration Management
● Service Discovery
● Provisioning
● Scheduling
● Clustering
● Dependency verification
● Secrets Management
Simplify Chef

25. Habitat-managed Chef gives Chef a clear responsibility.
● Configuration Management
● Service Discovery Habitat
● Provisioning Your provisioning tool (ie: Terraform)
● Scheduling Your scheduling tool (ie: Kubernetes, Nomad)
● Clustering Habitat
● Dependency verification Habitat
● Secrets Management Encryption at rest service (ie: Vault)
Simplify Chef

26. What problems does maintaining a Chef Server give us?
● Taking outages for long periods of fleet-wide infrastructure upgrades
● Backups for a Chef Server, including planning for HA or DR scenarios
● Complicated, runtime attribute precedence override problems
● Out-of-sync cookbooks and versioning issues
● Depsolver performance at runtime and network failures
● Run-list management
● Managing data bags, roles, and other mutable run-time json blob storage
● Difficult cookbook code + chef-client version upgrade scenarios
Simplify Chef

27. Habitat-managed Chef uses Chef Solo mode, and eliminates the need for a
Chef Server. Seriously, you don't need one.
Simplify Chef

28. If you're not prepared to switch to Habitat-managed Chef today, you can use
some of these techniques to make your Chef runs more robust by treating
your Chef Server as stateless.
Simplify Chef

29. Remove references to any Chef Server data accesses in your cookbooks:
● Attribute overrides - Replace with policyfile.rb attribute overrides
● Data bags / encrypted data bags / Chef Vault - Replace with Hashicorp
Vault for encrypted data at rest, or policyfile.rb for non-encrypted data
● Chef Search / node state orchestration techniques - replace with
Habitat templates and gossip ring data
● External scripts that manipulate run lists - replace with a proper
provisioning toolset
Simplify Chef

30. ● In our experience, the most complex and error-prone cookbooks attempt
to deploy and orchestrate applications. There is a better way.
● A Habitat plan allows you to package your application and all of its runtime
dependencies together.
● Habitat-managed Chef gives us a bridge to modernize legacy applications.
We can continue running applications using Chef, and then modernize
parts of those applications by creating a Habitat plan. In effect, we can
imbue legacy applications with more agility quickly, without throwing away
years of work or rewriting the application.
Modernize your applications

31. More Information
● Website: https://www.Habitat.sh/
● Docs: https://www.Habitat.sh/docs/overview/
● Blog: https://www.Habitat.sh/blog/
● Slack: http://slack.Habitat.sh/
● Github: https://github.com/Habitat-sh/
● Architecture diagrams: https://www.Habitat.sh/docs/diagrams/

32. Habitat Managed
InSpec

33. Verify servers using InSpec
● Run server verification locally with InSpec
● InSpec doesn't need Chef or other tools; it runs entirely
independently
● Great for clean room environment server and
deployment verification

34. Thank You