Chef Infra Best Practices: #5 Using Chef Infra Policyfiles

The fifth installment of the Shape-Up Your Infrastructure Webinar Series – Building Immutable Infrastructure with Policyfiles.  

What is a Chef Infra Policyfile 

A Chef Infra Policyfile is the simplest method to manage role, environment, and community cookbook data with a single document uploaded to the Chef Infra Server. The file, written in Ruby, helps you define which Chef cookbooks run on your system, run-list (which recipes will be run), along with configuration parameters required by your application. Moreover, Policyfiles resolve all the dependencies for your cookbooks during the first run. 

Policyfiles combine the very best parts of Roles, Environments, and Berkshelf into a single workflow. As such, it has quickly become the most recommended technique to handle dependencies and change management across Chef Infra managed infrastructure. 

Creating the Policyfile 

Policyfiles can be automatically generated using the chef generate command.

chef generate policyfile 

A Policyfile has three major required components:  

• Name: This specifies the name of the policy, which the client can use to identify it quickly. 
• Default Source: The location where the cookbooks are located. This could include various locations like the Chef (public or private) Supermarket, any chef repo, or even an Artifactory server. You can also use multiple sources.  
• Run list: Indicates the run-list the client will use to apply the policy to the nodes as specified.  

Installing the Policyfile 

Once you are ready to install the Policyfile, you can use the chef install command. The install command will find the required cookbooks, build a run-list, create a local cache, and generate the Policyfile.lock.json.  

The Policyfile.lock.json contains the immutable policy set described in the Policyfile. Alongside the source and version of all the cookbooks required by the Policyfile, this file also has a unique hash of the cookbook content. This hash is used to verify that the cookbooks are genuine and helps maintain the security of the system.  

The Policyfile.lock.json can then be pushed to the Chef Infra Server using the chef push command. Once uploaded to the server, Chef will apply all the policies and configurations to all the nodes.  

Advantages of using a Policyfile 

• Immutability: The Policyfile uses a cookbook publishing API that does not allow cookbook mutability. This mechanism ensures that once the Lockfile is generated, it cannot be tampered with during successive runs. This means even if a new version of the cookbook is available, the Policyfile will continue using the specified version unless specifically instructed to do otherwise.  
• Less computation: The Chef Infra Client no longer recalculates dependencies at the start of every run, making them faster and more efficient. This also means more robust and safer builds which are less prone to manual errors.  
  Safer workflows: Policyfile fosters safer workflows by publishing development versions of cookbooks to the Chef Infra Server without the risk of mutating the production versions without requiring a complicated versioning scheme to work around cookbook mutability issues. 
• Role and Environment Management: Policyfile helps to manage roles and environments efficiently. Since Policyfiles are versioned automatically, newer versions are applied to systems if and only when promoted. This takes away the hassles of having to pin cookbook versions in environments or managing roles that cannot be versioned.  

Learn More about Policyfiles 

If Policyfiles excites you and you want to deep-dive into the nitty-gritty, head over to the Chef Documentation. If you want to know the latest feature additions to Policyfiles, do register for the upcoming webinar. 

Also, if you’re looking for more ways to optimize your usage of Chef Infra, we recommend checking out the Chef Infra Best Practices Quickfire Webinar Series and downloading the Chef Infra Automation Best Practices eBook.