Chef
110 cards — 🟢 31 easy | 🟡 34 medium | 🔴 30 hard
🟢 Easy (31)
1. How do you include external recipes in a Chef Cookbook?
Use include_recipe 'other_cookbook::other_recipe' in your recipe file. Chef processes the included recipe during convergence, applying its resources and actions.
Remember: cookbook = collection of recipes, templates, files, and metadata. Think 'Ansible role' equivalent. Versioned and shareable via Chef Supermarket.
2. What is a Chef Role, and how is it different from a Cookbook?
Chef is a Ruby-based configuration management tool using a client-server model. Chef Infra Client runs on nodes, pulling cookbooks from Chef Server (or runs standalone via chef-solo/chef-zero). Configs are written as Ruby DSL recipes organized into cookbooks.
Remember: cookbook = collection of recipes, templates, files, and metadata. Think 'Ansible role' equivalent. Versioned and shareable via Chef Supermarket.
3. Explain the process of restoring Chef Server data.
Resources are the building blocks of Chef recipes. Each declares a desired state: package, file, service, template, user, etc. Resources are idempotent -- they only make changes if the current state differs from desired.
Remember: Chef's 'compile then converge' model means all resources are compiled into a resource collection first, then executed in order. This catches dependency issues early.
4. What is the purpose of the metadata.rb file in a Chef Cookbook?
Knife is Chef's CLI for interacting with Chef Server. Key commands: knife cookbook upload, knife node list, knife role show, knife search, knife ssh, knife bootstrap. Configure via .chef/knife.rb or credentials file.
Remember: cookbook = collection of recipes, templates, files, and metadata. Think 'Ansible role' equivalent. Versioned and shareable via Chef Supermarket.
5. Explain the importance of version control with Chef Cookbooks.
Ohai is Chef's system profiler that auto-detects node attributes at the start of each run: OS, network, CPU, memory, virtualization, cloud provider. Access via node['platform'], node['ipaddress']. Custom Ohai plugins extend detection.
Remember: cookbook = collection of recipes, templates, files, and metadata. Think 'Ansible role' equivalent. Versioned and shareable via Chef Supermarket.
6. What is Chef Search?
A run_list is an ordered list of recipes and roles that Chef Client executes on a node. Chef processes sequentially, compiling and converging resources. Example: recipe[base], role[webserver], recipe[monitoring].
Remember: Chef uses Ruby DSL for 'recipes' (config scripts) and 'cookbooks' (collections of recipes). Pull-based: chef-client daemon runs on each node.
Chef vs Ansible: Chef = pull-based, Ruby, agent required. Ansible = push-based, YAML, agentless. Chef has a steeper learning curve.
7. How do you version a Chef Cookbook?
chef-solo runs Chef locally without a Chef Server. Cookbooks stored on the node. Configure via solo.rb and JSON run_list. Useful for bootstrapping, testing, and small environments. chef-zero is the modern alternative (in-memory server).
Remember: cookbook = collection of recipes, templates, files, and metadata. Think 'Ansible role' equivalent. Versioned and shareable via Chef Supermarket.
8. How do you write unit tests for Chef Cookbooks using ChefSpec?
Standard cookbook layout: metadata.rb (identity), recipes/default.rb (main recipe), templates/ (ERB), files/ (static), attributes/ (defaults), resources/ (custom resources), spec/ (ChefSpec tests), test/ (Kitchen tests).
Remember: cookbook = collection of recipes, templates, files, and metadata. Think 'Ansible role' equivalent. Versioned and shareable via Chef Supermarket.
9. Explain the role of Chef Automate in reporting and analytics.
Chef resources are idempotent -- running them multiple times produces the same result. Chef checks current state before acting: installs only if absent, writes only if content differs, starts only if stopped. Repeated runs are safe.
Remember: Chef role = predefined run_list + attribute overrides. Assign role[webserver] to nodes instead of listing individual recipes.
10. What is the role of the chef-client in the Chef architecture?
File resources manage files on nodes. Types: file (inline content), cookbook_file (static from cookbook), remote_file (download URL), template (ERB-rendered). All support ownership, permissions, and create/delete actions.
Remember: Chef role = predefined run_list + attribute overrides. Assign role[webserver] to nodes instead of listing individual recipes.
11. Explain the process of managing Windows services with Chef.
Chef Supermarket (supermarket.chef.io) is the community cookbook repository. Search/download with knife or Berksfile. Quality metrics, version history, and dependencies listed. Private Supermarket available for internal cookbooks.
Remember: Chef's 'compile then converge' model means all resources are compiled into a resource collection first, then executed in order. This catches dependency issues early.
12. How does Chef support Windows environments?
Service resources manage system services. Actions: start, stop, restart, reload, enable, disable. Commonly paired with template notifications to restart on config change. Example: service 'nginx' do action [:enable, :start] end.
Remember: Chef environments pin cookbook versions per stage: production locks to 1.2.3, staging allows 1.x.x. Prevents untested cookbook versions from reaching prod.
13. How do you perform a search for nodes using the knife command?
metadata.rb defines cookbook identity: name, version, description, depends (dependencies), supports (platforms), chef_version. Required for Supermarket and Berkshelf resolution. Follows SemVer.
Remember: knife = Chef's CLI for server interaction. knife bootstrap provisions a new node. knife ssh runs commands across nodes.
14. How can you create a new Cookbook using the knife command?
Directory resource creates and manages directories. Supports owner, group, mode, recursive (create parent dirs). Actions: create, delete. Example: directory '/opt/myapp' do recursive true end.
Remember: cookbook = collection of recipes, templates, files, and metadata. Think 'Ansible role' equivalent. Versioned and shareable via Chef Supermarket.
15. How can you use Data Bags to store sensitive information?
Package resource installs system packages. Actions: install, upgrade, remove, purge. Auto-selects correct provider (apt, yum) based on platform. Shorthand: package 'nginx' (defaults to :install). Supports arrays for multiple packages.
Remember: data bags = global JSON data available to all nodes. Use encrypted data bags for secrets. Think 'Ansible group_vars' but stored on the Chef Server.
16. What are the benefits of using Policyfiles over traditional roles?
User resource manages system users. Properties: uid, home, shell, manage_home. Actions: create, remove, modify, lock, unlock. Often paired with group and directory resources.
Remember: Chef role = predefined run_list + attribute overrides. Assign role[webserver] to nodes instead of listing individual recipes.
17. How can you optimize Chef Cookbooks for performance?
Cron resource manages cron jobs. Properties: minute, hour, day, month, weekday, command, user. Actions: create, delete. Manages entries in the system crontab.
Remember: cookbook = collection of recipes, templates, files, and metadata. Think 'Ansible role' equivalent. Versioned and shareable via Chef Supermarket.
18. What is an LWRP (Lightweight Resource and Provider)?
cookbook_file deploys static files from a cookbook's files/ directory. No variable substitution -- use template for dynamic content. Supports platform-specific subdirectories.
Remember: Chef resources are the building blocks: package, service, file, template, execute, cron, user, group. Each declares a desired state and converges to it.
19. Explain the purpose of InSpec in Chef testing.
A recipe is a Ruby file in a cookbook that defines resources to configure a node. Listed in run_lists, processed in order. The default recipe runs when only the cookbook name is specified. Recipes can include other recipes.
Remember: Test Kitchen = integration testing for Chef cookbooks. Spins up VMs/containers, converges, and runs InSpec tests. Essential for CI/CD of infrastructure code.
20. How do Policyfiles differ from traditional Chef Roles?
Group resource manages system groups. Actions: create, remove, modify, manage. Use append true to add members without removing existing ones. Properties: gid, members.
Remember: Policyfiles replace roles + environments + Berkshelf with a single lock file. Think 'Gemfile.lock for Chef.' Modern best practice over traditional workflow.
21. How does Chef integrate with cloud providers such as AWS or Azure?
remote_file downloads files from URLs. Use checksum to prevent re-download if file matches. Supports HTTP, HTTPS, FTP sources. Actions: create, create_if_missing.
Remember: Chef's 'compile then converge' model means all resources are compiled into a resource collection first, then executed in order. This catches dependency issues early.
22. Explain the use of the search method in Chef Recipes.
Mount resource manages filesystem mounts. Actions: mount, umount, enable (add to fstab), disable (remove from fstab). Properties: device, fstype, options.
Remember: recipe = 'a single configuration file in Ruby DSL.' It declares resources (package, service, file) in the desired state.
23. What is the role of the Berksfile in Chef?
Link resource manages symbolic and hard links. Actions: create, delete. Default link_type is :symbolic. Properties: to (target path), link_type.
Remember: Chef role = predefined run_list + attribute overrides. Assign role[webserver] to nodes instead of listing individual recipes.
24. Explain the purpose of the use_inline_resources method in custom resources.
apt_update refreshes apt package cache. action :periodic (default frequency 86400s), action :update (immediate). Essential at start of Debian/Ubuntu recipes before package installs.
Remember: Chef's 'compile then converge' model means all resources are compiled into a resource collection first, then executed in order. This catches dependency issues early.
25. How do you create a custom LWRP in Chef?
Bash resource runs bash scripts. Use creates guard to prevent re-execution. Also: script, powershell_script, python resources. Prefer native resources (package, file) when possible.
Remember: Chef's 'compile then converge' model means all resources are compiled into a resource collection first, then executed in order. This catches dependency issues early.
26. How do you configure a Chef Node to communicate with the Chef Server?
http_request makes HTTP calls during convergence. Actions: get, post, put, patch, delete, head. Properties: url, message (body), headers. Useful for webhooks and API integrations.
Remember: Chef's 'compile then converge' model means all resources are compiled into a resource collection first, then executed in order. This catches dependency issues early.
27. How can you monitor Chef infrastructure?
Create users with home directories using manage_home true. Pair with ssh_authorized_keys cookbook for SSH access. manage_home creates/removes the home directory with the user.
Remember: Chef's 'compile then converge' model means all resources are compiled into a resource collection first, then executed in order. This catches dependency issues early.
28. Compare and contrast Chef Attributes and Data Bags.
Pass variables to templates via the variables property. Access in template as @variable_name. Node attributes also available directly in templates.
Remember: data bags = global JSON data available to all nodes. Use encrypted data bags for secrets. Think 'Ansible group_vars' but stored on the Chef Server.
29. How can you set default attributes in a Cookbook?
Git resource clones/updates repositories. action :sync updates to latest revision. :checkout only clones if missing. Supports SSH deploy keys. Properties: repository, revision.
Remember: cookbook = collection of recipes, templates, files, and metadata. Think 'Ansible role' equivalent. Versioned and shareable via Chef Supermarket.
30. What is Ohai, and what information does it collect?
systemd_unit manages systemd service files. Actions: create, enable, start, delete, disable, stop. Specify unit content as a hash with Unit, Service, Install sections.
Remember: Ohai = Chef's fact-gathering tool (like Ansible's setup module). Collects OS, network, CPU, memory info as node attributes.
31. Explain the role of front-end and back-end servers in a high-availability Chef Server.
sysctl manages kernel parameters. Applies immediately and persists in /etc/sysctl.d/. No restart required. Example: sysctl 'net.ipv4.ip_forward' do value '1' end.
Remember: Chef's 'compile then converge' model means all resources are compiled into a resource collection first, then executed in order. This catches dependency issues early.
🟡 Medium (34)
1. Explain the use of Chef with containers and container orchestration tools.
Chef integrates with containers via: Docker cookbook resources for container management, Chef Habitat for app packaging/deployment, Kubernetes resource management through Chef Infra, and InSpec for container security/compliance scanning.
Remember: Chef + containers: use the docker cookbook for container management, or chef-client in a container for testing. Modern approach: use Chef to configure the host, containers handle the app.
2. What is the role of the "compile" phase in a Chef client run?
Chef environments group nodes for lifecycle management (dev/staging/prod). Each environment can pin cookbook versions and override default attributes. Create with knife environment create or JSON files. Assign nodes via knife node environment_set.
Remember: Chef role = predefined run_list + attribute overrides. Assign role[webserver] to nodes instead of listing individual recipes.
3. How can you use notifications in Chef to trigger actions?
Attribute precedence (lowest to highest): default, force_default, normal, override, force_override, automatic (Ohai). Set in cookbooks, recipes, roles, environments. Higher precedence wins during merge. Use default for most cases; override sparingly.
Remember: Chef notifications: notifies :restart triggers a resource. subscribes watches another resource. Use :delayed (default, end of run) or :immediately for timing control.
4. How can you override attributes based on the Chef environment?
Chef uses ERB (Embedded Ruby) templates for dynamic file generation. In the resource, specify source and variables. In the template, use <%= @variable %> for interpolation. Templates support Ruby logic, loops, and conditionals.
Remember: Chef environments pin cookbook versions per stage: production locks to 1.2.3, staging allows 1.x.x. Prevents untested cookbook versions from reaching prod.
5. What are custom resources, and how can you create them in Chef?
Data bags store global JSON data on Chef Server, accessible via data_bag_item('bag', 'item'). Encrypted data bags store secrets (create with --secret-file). Chef Vault provides easier secret management with node-based access control.
Remember: Chef resources are the building blocks: package, service, file, template, execute, cron, user, group. Each declares a desired state and converges to it.
6. Explain the process of rotating secrets in Chef.
Berkshelf manages cookbook dependencies declared in a Berksfile. berks install resolves and downloads. berks upload pushes to Chef Server. Berksfile.lock pins exact versions for reproducibility.
Remember: Chef's 'compile then converge' model means all resources are compiled into a resource collection first, then executed in order. This catches dependency issues early.
7. Describe the typical workflow using Chef Automate.
Roles group related recipes and attributes for a node function (e.g., webserver). Define as Ruby DSL or JSON. Apply via run_list. Roles cannot be versioned -- prefer Policyfiles or wrapper cookbooks for version control.
Remember: Chef's 'compile then converge' model means all resources are compiled into a resource collection first, then executed in order. This catches dependency issues early.
8. How do you write compliance profiles using InSpec?
Resources can notify others to take action: notifies :restart, 'service[nginx]', :delayed. :delayed (end of run, default) or :immediately. subscribes is the reverse. Use for restart-on-config-change patterns.
Remember: InSpec = compliance-as-code testing framework. Write tests like 'describe port(80) do it { should be_listening } end.' Works with Chef, Ansible, or standalone.
9. How does Chef use the client-server architecture?
Chef search queries the server's index for nodes, roles, environments, and data bags. Used for dynamic configuration (e.g., finding all app servers for LB config). knife search from CLI, search() function in recipes.
Remember: Chef's 'compile then converge' model means all resources are compiled into a resource collection first, then executed in order. This catches dependency issues early.
10. What is the purpose of the depends keyword in a metadata.rb file?
Guards control resource execution: not_if/only_if accept shell commands (string) or Ruby blocks. Essential for idempotency with execute/script resources. Example: execute 'apt update' do not_if { File.exist?('/tmp/updated') } end.
Remember: Chef's 'compile then converge' model means all resources are compiled into a resource collection first, then executed in order. This catches dependency issues early.
11. Describe the process of bootstrapping a node in Chef.
Cookbook versions follow SemVer in metadata.rb. Pin in environments or Policyfiles. Berksfile.lock records resolved versions. Freezing (--freeze) prevents accidental overwrites on Chef Server.
Remember: Chef's 'compile then converge' model means all resources are compiled into a resource collection first, then executed in order. This catches dependency issues early.
12. Explain the purpose of the knife command in Chef.
Handlers run at the start or end of a chef-client run. Exception handlers on failure; report handlers on success/failure. Use for notifications (Slack, email), monitoring updates, external logging. Configure in client.rb or chef_handler cookbook.
Remember: knife = Chef's CLI for server interaction. knife bootstrap provisions a new node. knife ssh runs commands across nodes.
13. How do you unregister a node from the Chef Server?
The node object stores all data about a managed node: automatic attributes (Ohai), cookbook/role/environment attributes, run_list, and environment. Access in recipes with node['attribute']. Saved to Chef Server after each run.
Remember: Chef's 'compile then converge' model means all resources are compiled into a resource collection first, then executed in order. This catches dependency issues early.
14. What are Chef Attributes?
Chef supports Windows with platform-specific resources: windows_package, windows_service, windows_feature, registry_key, powershell_script, dsc_resource. Use platform?/platform_family? guards for cross-platform cookbooks.
Remember: Chef attribute precedence: default < normal < override < automatic (Ohai). Use default for most settings; override sparingly. Normal attributes persist across runs.
15. Explain the difference between Chef Server, Chef Workstation, and Chef Node.
Execute and script resources run commands. Use creates/not_if/only_if guards for idempotency. Prefer native resources (package, file) when available. script resource supports bash, powershell, python interpreters.
Remember: Chef architecture: Workstation (write cookbooks) -> Chef Server (stores cookbooks) -> Nodes (pull and apply). Three-tier model.
16. What is a Chef Resource?
Chef Vault wraps encrypted data bags with node-based access control. Items encrypted with node public keys -- only authorized nodes decrypt. Commands: knife vault create/update. In recipes: chef_vault_item('vault', 'item').
Remember: Chef resources are the building blocks: package, service, file, template, execute, cron, user, group. Each declares a desired state and converges to it.
17. Name some popular community-contributed Chef Cookbooks and their use cases.
Community cookbooks from Supermarket avoid reinventing common patterns. Add to Berksfile, configure via attributes. Evaluate quality: test coverage, maintenance, downloads. Wrapper cookbook pattern extends community cookbooks safely.
Remember: cookbook = collection of recipes, templates, files, and metadata. Think 'Ansible role' equivalent. Versioned and shareable via Chef Supermarket.
18. How can you use Policyfiles to manage Cookbook dependencies?
Chef Automate provides run history, failure analysis, and compliance dashboards. Use handlers for external systems (Slack, PagerDuty, Datadog). knife status shows recent converge times.
Remember: cookbook = collection of recipes, templates, files, and metadata. Think 'Ansible role' equivalent. Versioned and shareable via Chef Supermarket.
19. How can you secure sensitive data in Chef Cookbooks?
knife ssh executes commands across multiple nodes via SSH using Chef Server search for targeting. Example: knife ssh 'role:webserver' 'sudo chef-client'. Configure SSH user/key in knife.rb.
Remember: cookbook = collection of recipes, templates, files, and metadata. Think 'Ansible role' equivalent. Versioned and shareable via Chef Supermarket.
20. What is a Chef Cookbook?
Lazy evaluation defers attribute computation to converge time. Use lazy { } block when attributes depend on values set by earlier resources during convergence, not available at compile time.
Remember: cookbook = collection of recipes, templates, files, and metadata. Think 'Ansible role' equivalent. Versioned and shareable via Chef Supermarket.
21. What tools are commonly used on the Chef Workstation?
Providers implement resource actions for specific platforms. Chef auto-selects based on platform (apt for Ubuntu, yum for CentOS). In modern Chef (12.5+), custom resources replace the older LWRP provider pattern.
Remember: Chef's 'compile then converge' model means all resources are compiled into a resource collection first, then executed in order. This catches dependency issues early.
22. What is Chef Vault, and how is it used to manage secrets?
Test Kitchen runs integration tests against real instances. Configure in .kitchen.yml: driver (vagrant/docker), provisioner (chef_zero), verifier (inspec). Commands: kitchen create, converge, verify, destroy, test (all-in-one).
Remember: Chef uses Ruby DSL for 'recipes' (config scripts) and 'cookbooks' (collections of recipes). Pull-based: chef-client daemon runs on each node.
Chef vs Ansible: Chef = pull-based, Ruby, agent required. Ansible = push-based, YAML, agentless. Chef has a steeper learning curve.
23. How do you install Chef on a system?
Wrapper cookbooks customize community cookbooks without forking. Override attributes and include the upstream recipe. Keeps upstream upgradeable while adding customizations.
Remember: Chef's 'compile then converge' model means all resources are compiled into a resource collection first, then executed in order. This catches dependency issues early.
24. What is Chef and how does it manage infrastructure?
Log resource outputs messages during chef-client run. Levels: debug, info, warn, error, fatal. Useful for debugging convergence flow and inspecting attribute values during runs.
Remember: Chef uses Ruby DSL for 'recipes' (config scripts) and 'cookbooks' (collections of recipes). Pull-based: chef-client daemon runs on each node.
Chef vs Ansible: Chef = pull-based, Ruby, agent required. Ansible = push-based, YAML, agentless. Chef has a steeper learning curve.
25. How do you handle sensitive information like passwords in Chef?
Chef runs in two phases: compile (reads recipes, builds resource collection) and converge (executes resources). Attributes and Ruby code run at compile time; resource actions at converge time. This matters for lazy evaluation and ordering.
Remember: Chef's 'compile then converge' model means all resources are compiled into a resource collection first, then executed in order. This catches dependency issues early.
26. What is the purpose of the service resource in Chef?
Resource actions define what Chef does: :create, :install, :delete, :start, :stop, etc. Multiple actions in array run in order. action :nothing makes resource passive -- only triggered by notifications.
Remember: Chef resources are the building blocks: package, service, file, template, execute, cron, user, group. Each declares a desired state and converges to it.
27. How do you use the file resource to manage files in Chef?
Chef uses SSL for client-server communication. knife ssl check / knife ssl fetch for cert management. For self-signed certs, add to trusted_certs directory. ssl_verify_mode :verify_peer for production.
Remember: Chef's 'compile then converge' model means all resources are compiled into a resource collection first, then executed in order. This catches dependency issues early.
28. What is the role of Test Kitchen in automated testing within a CI/CD pipeline?
Bootstrap a node with knife bootstrap HOST -x USER -r 'role[base]'. SSHs in, installs Chef Client, configures server connection, runs initial converge. Supports SSH keys, sudo, and custom bootstrap templates.
Remember: Chef role = predefined run_list + attribute overrides. Assign role[webserver] to nodes instead of listing individual recipes.
29. How do you back up Chef Server data?
Chef client log levels: auto, debug, info, warn, error, fatal. Set via CLI (-l debug), client.rb, or attribute. Logs to STDOUT and /var/log/chef/client.log. debug shows resource state comparisons.
Remember: Chef's 'compile then converge' model means all resources are compiled into a resource collection first, then executed in order. This catches dependency issues early.
30. What is the significance of the chef-repo directory in Chef?
Environment cookbook pattern: lightweight cookbook per environment that pins dependencies and sets attributes. Version-controlled, testable, promotable through CI/CD. Combined with Policyfiles for robust workflow.
Remember: Chef's 'compile then converge' model means all resources are compiled into a resource collection first, then executed in order. This catches dependency issues early.
31. Explain the structure of a Chef Cookbook.
Search data bags from recipes with search(:bag_name, 'query'). Data bags indexed on Chef Server. Use for dynamic user management, service discovery, and shared configuration.
Remember: cookbook = collection of recipes, templates, files, and metadata. Think 'Ansible role' equivalent. Versioned and shareable via Chef Supermarket.
32. List and explain some common actions available for the file resource.
Modern Chef workflow: Policyfile.rb replaces roles + environments + Berksfile. chef install -> chef push staging -> chef push production. Immutable, versioned, testable deployments.
Remember: Chef's 'compile then converge' model means all resources are compiled into a resource collection first, then executed in order. This catches dependency issues early.
33. Explain the difference between immediate, delayed, and sub-resource notifications.
Unified mode (Chef 17+) eliminates compile/converge distinction -- resources run immediately when declared. Enable with unified_mode true in custom resources. Default in Chef 18+. Simplifies ordering.
Remember: Chef notifications: notifies :restart triggers a resource. subscribes watches another resource. Use :delayed (default, end of run) or :immediately for timing control.
34. Explain the use of Node Attributes in Chef.
Custom resource properties support validation: required, callbacks (custom validators), equal_to (allowed values), coerce (type transformation), default and lazy defaults.
Remember: Chef attribute precedence: default < normal < override < automatic (Ohai). Use default for most settings; override sparingly. Normal attributes persist across runs.
🔴 Hard (30)
1. Explain the integration between Chef and InSpec for compliance automation.
Debug convergence failures: run chef-client -l debug for verbose output. Check /var/log/chef/client.log. Common issues: cookbook dependency conflicts (Berksfile.lock), attribute precedence surprises, template rendering errors, resource notification chains. Use why-run mode (-W) to preview.
Remember: InSpec = compliance-as-code testing framework. Write tests like 'describe port(80) do it { should be_listening } end.' Works with Chef, Ansible, or standalone.
2. How can you integrate Chef into a CI/CD pipeline?
Custom resources define reusable abstractions. Place in cookbook's resources/ directory. Define properties (name, type, default) and actions with standard resource DSL inside. Use like built-in resources in any recipe.
Remember: Chef's 'compile then converge' model means all resources are compiled into a resource collection first, then executed in order. This catches dependency issues early.
3. How do you assign a role to a Chef Node?
Test Chef code at multiple levels: ChefSpec (unit, fast, no convergence), Test Kitchen (integration, real VMs/containers), InSpec (compliance/verification). CI pipeline: lint (Cookstyle) -> unit (ChefSpec) -> integration (Kitchen) -> compliance (InSpec).
Remember: Chef role = predefined run_list + attribute overrides. Assign role[webserver] to nodes instead of listing individual recipes.
4. What reports and analytics does Chef Automate provide?
Chef Server is the central hub storing cookbooks, roles, environments, data bags, and node objects. Components: Erchef (API, Erlang), PostgreSQL, Elasticsearch, Bookshelf (cookbook storage), Nginx frontend. HA uses Chef Backend or external PostgreSQL/Elasticsearch.
Remember: Chef's 'compile then converge' model means all resources are compiled into a resource collection first, then executed in order. This catches dependency issues early.
5. How do you set up a high-availability configuration for the Chef Server?
Policyfiles replace roles + environments + Berksfile with a single file. Pin exact cookbook versions, define run_lists, set attributes. Benefits: versioned, testable, promote-through-environments workflow. Commands: chef install, chef push. Preferred over roles.
Remember: Chef's 'compile then converge' model means all resources are compiled into a resource collection first, then executed in order. This catches dependency issues early.
6. Explain the role of the knife bootstrap command in bare-metal provisioning.
Chef compliance uses InSpec profiles for continuous auditing against CIS benchmarks, SOC2, HIPAA. Chef Automate provides compliance dashboard, scan scheduling, and remediation workflows. Profiles are reusable and shareable on Supermarket.
Remember: knife = Chef's CLI for server interaction. knife bootstrap provisions a new node. knife ssh runs commands across nodes.
7. What is Chef Habitat, and how does it fit into the Chef ecosystem?
Chef Habitat packages apps with dependencies into immutable artifacts (harts). Plans define build/runtime deps, config, and lifecycle hooks. Supervisor manages services with topology awareness. Benefits: consistent packaging across bare metal, containers, PaaS.
Remember: Chef uses Ruby DSL for 'recipes' (config scripts) and 'cookbooks' (collections of recipes). Pull-based: chef-client daemon runs on each node.
Chef vs Ansible: Chef = pull-based, Ruby, agent required. Ansible = push-based, YAML, agentless. Chef has a steeper learning curve.
8. Explain the concept of Chef Environments.
Chef Automate is the enterprise dashboard: converge history, compliance scans, InSpec reports, node visibility, workflow pipelines, and RBAC. It replaced Chef Visibility and Chef Compliance as a unified platform.
Remember: Chef environments pin cookbook versions per stage: production locks to 1.2.3, staging allows 1.x.x. Prevents untested cookbook versions from reaching prod.
9. How do you set up and configure a Chef Workstation?
Common convergence issues: resource ordering (use notifies/subscribes), attribute precedence (check node.debug_value), cookbook version conflicts (check Berksfile.lock), failed guards. Use chef-client -l debug and why-run mode to diagnose.
Remember: Chef's 'compile then converge' model means all resources are compiled into a resource collection first, then executed in order. This catches dependency issues early.
10. How can you extend Ohai to gather additional system information?
Zero-downtime deploys: rolling strategy (deploy to subset, verify, continue), LB integration (remove node, converge, re-add), versioned deploy resource with rollback, health check guards before proceeding. Coordinate with search and orchestration.
Remember: Ohai = Chef's fact-gathering tool (like Ansible's setup module). Collects OS, network, CPU, memory info as node attributes.
11. What is Test Kitchen, and how does it work with Chef?
Optimize Chef runs: minimize search calls (cache results), use lazy evaluation for expensive attributes, batch similar resources, reduce cookbook size, use Policyfiles (pre-computed dependency resolution), tune client.rb (splay, interval).
Remember: Test Kitchen = integration testing for Chef cookbooks. Spins up VMs/containers, converges, and runs InSpec tests. Essential for CI/CD of infrastructure code.
12. What is the purpose of the environment directive in a Chef Recipe?
Upgrade Chef strategy: test new version in dev, check deprecated resource syntax, update cookbooks for API changes, verify custom resources and Ohai plugins, test with Kitchen, roll out incrementally. Pin chef_version in metadata.rb.
Remember: recipe = 'a single configuration file in Ruby DSL.' It declares resources (package, service, file) in the desired state.
13. How does Chef support bare-metal provisioning?
Chef Client run phases: 1) Ohai (build node), 2) Authenticate, 3) Sync cookbooks, 4) Load libraries/attributes/recipes, 5) Compile resource collection, 6) Converge, 7) Run handlers, 8) Save node. Failures at any phase halt the run.
Remember: Chef's 'compile then converge' model means all resources are compiled into a resource collection first, then executed in order. This catches dependency issues early.
14. How can you rotate secrets in Chef Vault?
Chef Server supports multi-tenancy via organizations. Each org has isolated cookbooks, nodes, data bags, and RBAC. Users can belong to multiple orgs. Useful for MSPs, large enterprises, or dev/prod isolation.
Remember: Chef's 'compile then converge' model means all resources are compiled into a resource collection first, then executed in order. This catches dependency issues early.
15. How can you enable verbose logging for Chef client runs?
Air-gapped Chef: install Server from RPM/DEB, use internal Supermarket, pre-download dependencies with berks vendor, distribute client packages via internal repo. No internet required after initial setup.
Remember: Chef's 'compile then converge' model means all resources are compiled into a resource collection first, then executed in order. This catches dependency issues early.
16. What is Chef Automate, and how does it enhance Chef workflows?
Chef Server HA options: Chef Backend (built-in clustering with leader election), external PostgreSQL + Elasticsearch, or Chef Automate HA. Frontend servers are stateless and load-balanced. Backup with knife ec backup or pg_dump.
Remember: Chef uses Ruby DSL for 'recipes' (config scripts) and 'cookbooks' (collections of recipes). Pull-based: chef-client daemon runs on each node.
Chef vs Ansible: Chef = pull-based, Ruby, agent required. Ansible = push-based, YAML, agentless. Chef has a steeper learning curve.
17. How does Chef ensure idempotence?
Harden Chef: encrypt data bags and vault items, TLS for all server communication, RBAC for knife access, audit cookbook changes, sign cookbooks, InSpec for compliance, rotate keys/tokens regularly, isolate Chef Server network access.
Remember: Chef resources are idempotent by default — 'package nginx action :install' only installs if missing, just like Ansible's state: present.
18. What steps would you take to troubleshoot a Chef client run failure?
Non-idempotent behavior usually comes from execute/script resources without guards. Fix: add creates, not_if, or only_if. Other causes: resources that always report updated, file resources with dynamic content, notification cascades.
Remember: Chef's 'compile then converge' model means all resources are compiled into a resource collection first, then executed in order. This catches dependency issues early.
19. How can you migrate from another configuration management tool to Chef?
ChefSpec simulates convergence without real systems. Fast feedback loop. Mock Ohai data, search results, and data bags. Example: expect(chef_run).to install_package('nginx'). Run with rspec.
Remember: Chef's 'compile then converge' model means all resources are compiled into a resource collection first, then executed in order. This catches dependency issues early.
20. What is a Chef Recipe?
Chef Push Jobs sends commands to nodes without waiting for client runs. Server pushes jobs for on-demand execution. Use cases: restart services across fleet, trigger ad-hoc commands, coordinate multi-node deployments.
Remember: recipe = 'a single configuration file in Ruby DSL.' It declares resources (package, service, file) in the desired state.
21. Explain how you can use Policyfiles for versioning and managing Cookbook dependencies.
Cookbook dependency conflicts arise when cookbooks require incompatible versions. Diagnose with berks list/graph. Fix: relax version constraints (~> instead of =), update cookbooks, use Policyfiles, or create wrapper cookbooks.
Remember: cookbook = collection of recipes, templates, files, and metadata. Think 'Ansible role' equivalent. Versioned and shareable via Chef Supermarket.
22. Explain the concept of the package resource in Chef.
Chef Server API enables programmatic access. Authenticate with client key + node name. Libraries: chef-api gem (Ruby), PyChef (Python). Use for custom dashboards, inventory, CI/CD integration. knife raw for ad-hoc API calls.
Remember: Chef's 'compile then converge' model means all resources are compiled into a resource collection first, then executed in order. This catches dependency issues early.
23. How can you use the template resource in Chef to manage configuration files?
Debug attributes with node.debug_value('path','to','attr'). Precedence: default < normal < override < automatic. Within each level: attribute file < recipe < role < environment. Avoid normal (persists on server).
Remember: Chef's 'compile then converge' model means all resources are compiled into a resource collection first, then executed in order. This catches dependency issues early.
24. Explain the purpose of the /etc/chef/client.pem file on a Chef Node.
Advanced Chef search: partial search (returns only specified attributes, faster), wildcard and boolean queries, filter_result parameter. Used for dynamic config, inventory, and service discovery in recipes.
Remember: Chef's 'compile then converge' model means all resources are compiled into a resource collection first, then executed in order. This catches dependency issues early.
25. How can you use the remote_file resource in Chef?
CI pipeline for cookbooks: 1) Cookstyle lint, 2) ChefSpec unit tests, 3) Test Kitchen integration (vagrant/docker/cloud), 4) InSpec verification, 5) Upload to Chef Server. Pin Kitchen driver to avoid environment drift.
Remember: Chef's 'compile then converge' model means all resources are compiled into a resource collection first, then executed in order. This catches dependency issues early.
26. Describe the three phases of a Chef client run.
Scale Chef: splay client runs to avoid thundering herd, use Policyfiles for faster dependency resolution, multiple Chef Server orgs, push jobs or SSH for controlled rollouts, Chef Automate for centralized management.
Remember: Chef's 'compile then converge' model means all resources are compiled into a resource collection first, then executed in order. This catches dependency issues early.
27. Explain how dependencies are managed in a Chef Cookbook.
Upgrade Chef Client across fleet: test in dev, check deprecated features, update cookbooks, phased rollout (canary first), pin chef-client version via cookbook, and have rollback plan. Review release notes for breaking changes.
Remember: cookbook = collection of recipes, templates, files, and metadata. Think 'Ansible role' equivalent. Versioned and shareable via Chef Supermarket.
28. What are some best practices for writing clean and maintainable Chef code?
Resource cloning occurs when the same resource is declared multiple times with different attributes. Chef merges (last wins) and warns. Fix: consolidate declarations, use different names, or refactor into custom resources. Chef 13+ raises error.
Remember: Chef's 'compile then converge' model means all resources are compiled into a resource collection first, then executed in order. This catches dependency issues early.
29. Compare Chef with other configuration management tools such as Puppet or Ansible.
InSpec compliance-as-code: profiles encode security/regulatory requirements. Run during or after chef-client. Aggregate in Chef Automate. CIS, STIG, PCI-DSS profiles on Supermarket. Custom profiles extend standard baselines.
Remember: Chef's 'compile then converge' model means all resources are compiled into a resource collection first, then executed in order. This catches dependency issues early.
30. How can you use Environments to manage configurations in different stages (e.g., development, production)?
Target mode (Chef 17+) converges remote nodes via SSH/WinRM without installing Chef Client. Enable with --target ssh://host. Useful for network devices, locked-down servers, edge deployments. Limited to supporting resources.
Remember: Chef environments pin cookbook versions per stage: production locks to 1.2.3, staging allows 1.x.x. Prevents untested cookbook versions from reaching prod.