Chef software broadens scope amid IT automation disruption

Chef seeks a new niche as IT automation shifts toward Kubernetes and cloud-native tools, but IT pros have many options, with some more appealing than Chef in high-scale scenarios.

Chef Software expanded its product line this week in a bid to stand out among a plethora of IT automation tools for DevOps and cloud-native tech.

The company introduced two new products: Chef Compliance, which automatically remediates infrastructure configurations that drift away from corporate policy, and Chef Desktop, which consolidates endpoint management via infrastructure as code. Existing products such as Chef Habitat also gained new features this week to accommodate edge computing management, and Chef InSpec will integrate with ServiceNow's Configuration Management Database to identify infrastructure not managed by Chef and add it to InSpec.

Chef Software and its configuration management competitors, once primarily the domain of bleeding-edge tech companies such as Facebook, have faced new IT automation competition over the last four years, as Kubernetes, containers and associated tools went mainstream.

As a result, Chef and rivals such as Puppet, Ansible and SaltStack have faced major business upheavals over the last two years. Puppet Labs went through multiple executive shakeups and discontinued several of its products, SaltStack overhauled its open source software development process and Chef reconfigured its open source licensing model a year ago.

"The future just in configuration management isn't strong," said Jim Mercer, an analyst at IDC. "Containers, GitOps, Kubernetes and declarative environments are all disruptive to that core business … it's not what it was a few years ago."

Configuration management software may no longer be cutting-edge, but enterprises won't complete their shift to newer IT automation approaches overnight. Chef likely has at least a decade before its historic niche is fully eclipsed by new IT automation approaches, said Charles Betz, analyst at Forrester Research.

"There's a lot of legacy [infrastructure] out there, and where there's legacy, there's money to be made," Betz said.

Chef Habitat sets sights on IT edge

Chef Habitat 1.6 addresses a growing market for centralized management of edge computing environments, which can range from remote offices to IoT devices, and often have inconsistent connections to the centralized data center. The updated version of Habitat can filter and update application analytics views to focus on disconnected environments and supports layered containers to reduce the required time and network bandwidth to support package updates on edge devices.

Chef officials said enterprise customers, such as an unnamed food service company with 4,000 café locations, will use Chef Habitat to manage edge devices remotely. But it faces at least some erosion in its user base among early adopters of edge computing at very high scale.

[Figure: Chef Habitat 1.6 includes application delivery updates for disconnected edge computing environments.]

One former heavy Chef user, NCR Corp., will move away from Chef's commercial tools as it builds edge computing systems. Instead, NCR will use new free and open source tools developed by the Chef community, such as CINC (CINC Is Not Chef).

This came about in part because of Chef's 2019 licensing changes, in which customers are now required to engage commercially with Chef if they use Chef software for commercial purposes. This new policy made the Chef Infra product potentially cost-prohibitive for NCR to deploy in tens of thousands of customer restaurant locations.

Instead, NCR has begun to use Salt, Rundeck, Terraform and Kubernetes, among others, to support IT automation for new workloads, while tools such as Chef Automate and Chef Habitat haven't strongly resonated with its internal IT teams.

"It's hard for me because I really liked Chef Automate, but it hasn't attracted engagement [from end users]," said Michael Hedgpeth, software engineering director at NCR, who last evaluated Chef Automate and Chef Habitat over a year ago before deciding to move to different tools. At that time, "Chef Automate let you look at what's going on with your [infrastructure] fleet, but people just didn't really go to that [tool] for that information."

Hedgpeth said that with the shift to new licensing last year, he believes the vendor has refocused its business on mainstream enterprises with less specialized edge computing environments than his.

"I'm not going to hate on that, coming myself from a commercial software company serving enterprises," he said. "Chef Automate, Habitat, Desktop and Compliance could solve a lot of problems for more mainstream companies, but I'm not part of that target audience anymore."

Chef Compliance automates remediation

Chef first expanded beyond configuration management in 2016 with the Chef Automate software suite, which includes Habitat application deployment automation and InSpec security automation. These tools already had compliance automation and policy-as-code features, but they will be repackaged under Chef Compliance, which combines InSpec, Automate and Habitat, along with curated compliance templates based on Center for Internet Security (CIS) benchmarks.

The new product will be available in two versions: Chef Compliance Audit, which reports on compliance policy scans; and Chef Compliance Remediation, which includes pre-built Chef cookbooks that automatically remediate configurations that don't match corporate policies. Chef shops previously had to determine their own compliance baselines and write their own Chef cookbooks from scratch for compliance remediation. Chef officials declined to disclose pricing information for any of the company's new products.

Chef Compliance continues an accessibility theme that began with Chef 16 last month, which added support for YAML scripts to invoke certain features as an alternative to Chef cookbooks written in the Ruby programming language. Similarly, the Chef Workstation product, where users develop Chef cookbooks, supports coding novices with a new Upgrade Lab feature this week that auto-detects and auto-corrects Ruby errors.

Chef isn't alone in this approach -- competitor Ansible has always supported YAML -- or in seeking to diversify through security automation. Ansible Platform includes curated content collections meant to guide SecOps and NetOps users. Puppet offers Puppet Remediate, which integrates with security vulnerability scanning tools and automatically fixes vulnerabilities. Fresh approaches to declarative IT automation that enforces security and compliance through mechanisms such as the Open Policy Agent are also gaining traction.

Chef will need to expand its compliance content well beyond CIS benchmarks to capture a wide audience, Betz said.

"It's one thing to build capabilities to detect and change configurations," he said. "It's quite different to have the capability to detect security vulnerabilities across 5,000 or 50,000 software [instances] and keep them up to date."

Chef Desktop

As Chef begins its foray into endpoint management this week, it faces entrenched incumbents and a potentially unfamiliar audience.

Chef Desktop, offered in Chef Desktop Management and Chef Desktop Compliance editions, builds on tools created by Chef customers such as Facebook to manage user workstations with data center infrastructure as code (IaC) tools. Chef Desktop doesn't completely bypass established endpoint and mobile device management (MDM) tools such as Microsoft SCCM -- rather, Chef Desktop integrates with MDM systems from Apple and Microsoft, as well as Linux MDM tools, to add compliance scans and centralized fleet management as code. Chef officials contend that Chef Desktop will fill a centralized management gap for IT departments, especially those that manage multiple endpoint operating systems.

Industry analysts are split on Chef's future in endpoint and edge management. It wasn't generally expected of Chef, Betz said, but he sees it as a strong strategy that arose organically from its customer base.

However, IDC analyst Jim Mercer expressed skepticism that infrastructure as code will find a broad audience among "meat-and-potatoes" IT pros who manage workstations and mobile devices.

"In big Chef shops, the IT groups doing desktop management mostly don't know about Chef," Mercer said. "Chef saw potential here, but it feels like they're throwing something against the wall to see what sticks."
