Adoptable Cookbooks List

Looking for a cookbook to adopt? You can now see a list of cookbooks available for adoption!
List of Adoptable Cookbooks

Supermarket Belongs to the Community

Supermarket belongs to the community. While Chef has the responsibility to keep it running and be stewards of its functionality, what it does and how it works is driven by the community. The chef/supermarket repository will continue to be where development of the Supermarket application takes place. Come be part of shaping the direction of Supermarket by opening issues and pull requests or by joining us on the Chef Mailing List.

Select Badges

Select Supported Platforms

Select Status

knife-bastion Knife Plugin

This plugin allows Knife to access Chef server over a secure SSH connection, without exposing Chef server port to your VPN network.

Install & Usage Instructions


Add this line to your Chef repository's Gemfile:

gem 'knife-bastion'

And then execute:

$ bundle

Or install it yourself as:

$ gem install knife-bastion


Configure your bastion server in .chef/knife.rb (at the bottom):

# ...
# your knife configurations goes here
# ...

# Bastion host SSH settings
knife[:bastion_host] = ""
knife[:bastion_user] = ENV["MYCORP_USER"] || ENV["CHEF_USER"] || ENV["USER"]

# If you have multiple networks, that require different MFA tokens, specify
# each network name here. (This configuration is referenced to clarify the
# token a user should employ.)
# knife[:bastion_network] = "mynet"

# By default, the proxy server is created on port 4443. You may configure the
# local bastion port here:
# knife[:bastion_local_port] = 4443

require "knife-bastion/activate"

Now, your workflow will look like this:

  1. Run knife bastion start - this command will establish SSH connection to bastion box for 10 minutes, and create a SOCKS proxy on port 4443, that will forward all Chef requests to Chef server via bastion box.
  2. Use Chef to do your work.
  3. At any time you can use knife bastion status - which will verify the proxy and make sure everything works as expected.
  4. After you finished, run knife bastion stop to shutdown the connection and turn off the proxy. If you forget to do this, it will die automatically after 10 minutes.

Sometimes when you work on a big change, default timeout of 10 minutes is too short.
You can increase timeout with --timeout flag:

knife bastion start --timeout 1800

Maximum timeout is 3600 (1 hour) for security reasons. You can re-establish bastion
connection by executing knife bastion start (if the connection is currently active,
it will be forcibly closed.)

Bastion troubleshooting

If something is not right, you need to ensure you have access to bastion box.
Try connecting to via SSH:


Check current bastion connection status (it will tell you if there is anything
wrong with your box):

knife bastion status