CFEngine 2020 Retrospective

December 16, 2020

2020 is nearly over, and we’d like to take a couple of minutes to reflect on our year as well as provide a sneak peek into what you can expect from us in 2021. Although it has been a year full of distractions, the CFEngine team has continued to make significant strides when it comes to product improvements and new features that help our users.

Build powerful compliance reports based on important inventory data

Compliance reports are high level reports, allowing you to see how compliant your infrastructure is. Checks are run against reporting data from all of your hosts, or a filtered subset, to find how many of them meet a certain compliance requirement. They are easy to build and use, entirely from the UI, with no programming needed, but flexible and powerful, allowing you to use package version information, custom inventory from your policy or even SQL queries if you need it. Compliance reports are not limited to a one regulation or framework, like CIS or HIPAA, but allow you to build your own checklists, based on your organizations requirements and compliance goals. See Compliance Reports in this video:

A beta version was introduced in CFEngine 3.16, and we keep working on it to make it production ready for CFEngine 3.18 LTS. We encourage everyone to try it out, using nightly packages, and send us feedback/suggestions via the public issue tracker, or the customer support portal.

Ansible and CFEngine white paper

In September, the team posted a white paper, discussing how Ansible and CFEngine can solve problems together. Read the full report:

Preview of the first page of the white paper fading into the background.

Extend CFEngine policy language and manage new resources

Custom promise types allow you to extend CFEngine policy language, and manage more complex resources, software or services with ease. Details of what files to edit, commands to run, etc. can be abstracted away in a promise module, and the policy file can focus on the high level business logic. It’s now possible to implement promise types to manage git repos, AWS instances, kubernetes pods, docker containers, software firewalls, etc. Previously, you would have to know C, edit the CFEngine source code, compile and deploy new binaries to do this. Now you can add new promise types as modules, written in any programming language, for example Python. Custom promises are easy to use, and once added, the syntax is the same as built in promises:

promise agent git
{
  path => "/var/cfengine/modules/promises/git.py";
  interpreter => "/usr/bin/python3";
}

bundle agent __main__
{
  git:
    "/opt/cfengine/masterfiles"
      repository => "https://github.com/cfengine/masterfiles";
}

If you are interested in contributing new promise types to CFEngine, by writing your own modules, take a look at our latest blog post.

Refresh reporting data with the click of a button

You can now get fresh reporting data from a host, by clicking the refresh button in its host info page:

This is very useful if you are debugging issues with a given host, or want to see how it’s affected by a change you just made.

Simulate changes made by CFEngine

Understanding what CFEngine is doing is crucial, especially for complex environments and larger policy sets. It can be a challenge to know exactly what changes will be made after a policy change, upgrade or on a brand new machine. The new --simulate modes address this, expanding existing dry-run functionality to simulate file changes and show you manifests or diffs once done. You can run a new policy set, or new CFEngine binary, and see exactly what the difference will be:

$ /var/cfengine/bin/cf-agent -KI test.cf --simulate=diff
 warning: All changes in files will be made in the '/var/cfengine/state/29830.changes' chroot
    info: Updated content of '/tmp/hello-world' with content 'Hello, world!
'
    info: files promise '/tmp/hello-world' repaired
    info: Showing diff for changed files (in the changes chroot)
===========================================================================
--- original /tmp/hello-world
+++ changed  /tmp/hello-world
@@ -1 +1 @@
-Some data
+Hello, world!

Distribute secrets with end-to-end file encryption

We also added a new binary, cf-secret which allows you to encrypt secrets for specific hosts. See it in action:

cf-secret makes it easier to distribute things like API tokens and encryption keys between hosts, using end-to-end encryption. While originally released in CFEngine 3.16.0, we decided to include the binary in version 3.15.3 as well, to give it to our LTS-users sooner.

Contributions and statistics

Looking at our issue tracker, we find that across CFEngine Community and Enterprise, there were 208 bugs fixed and 294 tasks done. That gives us a total of 502 tickets, 122 of which relate to the open source project and are publicly accessible. Across our 5 Open Source repos there were 25 unique contributors, here are their commit counts:

libntech core masterfiles buildscripts documentation Committer
8 7 63 4 Aleksei Shpakovskii
1 Aleksey Tsalolikhin
1 Alexis Mousset
3 Bas van der Vlies
1 Chris Rorvick
6 42 17 4 12 Craig Comstock
1 1 David Lee
1 dependabot
1 6 14 9 Ihor Aleksandrychiev
1 Jon Henrik Bjørnstad
3 9 2 Karl Hole Totland
1 Klaus Kämpf
1 Kristian Amlie
1 Lars Erik Wik
4 5 7 Lluis Campos
4 Mike Weilgart
32 57 1 44 Nick Anderson
3 odidev
48 274 9 7 21 Ole Herman Schumacher Elgesem
1 1 Ole Petter
1 Oliver Kett
1 Patrick Steinhardt
2 Ted Zlatanov
1 troymuller
10 211 11 22 4 Vratislav Podzimek

We’d like to thank all our contributors, including those not listed, who contributed through other channels, like the issue tracker, IRC, or mailing list. (Commit stats generated on 2020-12-16, using command: git shortlog --summary --since 2020-01-01 --no-merges).

Next year

As we wrap up 2020, the team is excited for what we have in store for 2021. We won’t spoil everything now, but there will be some big announcements in the first half of 2021. Here are few things you can look forward to:

  • Innovative promise types to manage modern resources or services
  • More power within the Mission Portal Web UI to perform actions and make changes to your infrastructure
  • Better integrations with cloud providers and other devops software you might already be using
  • New ways to contribute to CFEngine and communicate with other CFEngine users
  • CFEngine 3.18 LTS - all the features of 3.16 and 3.17 in a Long Term Supported release

We’d like to say thank you to all the dedicated CFEngine users out there. Your continued feedback & enthusiasm keeps us motivated and focused on making meaningful improvements for CFEngine. We wish you all a healthy & prosperous rest of the year and we’ll see you in 2021!