No more default passwords! CFEngine 3.26.0 (“admin”) forces you to create an admin user from scratch.
Cody, Craig, and Nick take a look at the latest CFEngine release, 3.26.0, the “admin” release. After showing the new setup process to create an initial privileged user and highlighting cfbs and cf-remote updates and separate release schedule the majority of the conversation centered around new functions that were introduced.
findlocalusers() Stop parsing /etc/passwd in policy, let the C do it. getbundlemetatatags() More introspection capabilities from within policy. hostswithgroup() Generate lists of hosts that are in a group from policy on the hub (Enterprise Hub only). is_type() Ensure the data you are looking at is what you expect it to be. isconnectable() Speed up policy by probing a port to see if it’s even connectable. useringroup() Stop parsing /etc/group in policy, let the C do it. The audience chimed in with some ideas for new and existing functions:
Manage your phone like a server. In this episode, Craig brings CFEngine to Android with custom package modules and creative hacks.
Cody and Herman join Craig while he shares his journey of integrating CFEngine into a Fairphone 4 running /e/OS (a privacy-focused Android fork), using Termux to enable a Unix-like environment, and extending CFEngine’s capabilities to manage and inventory Android applications.
He talks about running Termux on Android to create a CFEngine-compatible environment, a custom package module to install APKs from GitHub, enabling inventory collection and version tracking via ADB. Craig showed how the collected data is displayed in Mission Portal, offering visibility into Android environments.
The latest release of cfbs (4.4.0 released April 4th, 2025) introduces the analyze command.
Last time I used this (Show notes: The agent is in - Episode 47 - Preview of cfbs analyze) I had installed it from a git clone, now I want to go back to regular install
command pipx uninstall cfbs pipx install cfbs output uninstalled cfbs! ✨ 🌟 ✨ installed package cfbs 4.4.0, installed using Python 3.12.3 These apps are now globally available - cfbs Now, cfbs help should have our new cfbs analyze option:
Is your CFEngine policy set a Frankensteinian monster of outdated files and custom tweaks? Take a look at tooling we have in development (cfbs analyze) to help shed light on the makeup of your policy set.
In this episode the team showcases a new tool for analyzing CFEngine policy sets. Learn how to identify modifications, missing files, and stale policies from old MPF versions and hear about additional features we can look forward to when it’s fully released.
Ever tried to wrangle a fleet of servers with just a text file? Nick shows how CFEngine can take advantage of genders for classification.
In this episode, Nick dives into the configuration file, /etc/genders. Originally developed by Lawrence Livermore National Laboratory and currently maintained by the Chaos development team, genders often seen in use in High-Performance Computing (HPC) environments. Nick presents two practical examples demonstrating policy implementations, using genders for inventory reporting and grouping hosts.
Did you notice that CFEngine 3.25.0 shipped with librsync as a new dependency?
Lars joins Cody, Craig, Herman and Nick to show and tell the massive savings we can expect to see from librsync for remote file copies. Spoiler alert, Lars sees > 80% savings from a simple policy update between 3.24.0 and 3.24.1! From the audience, Jay mentioned that they saw similar rates of savings from their use of rsync with savings accumulating to over 16TB a day.
For the final post in the Feature Friday series I am here to tell you about something I use nearly hourly, ob-cfengine3 which extends Emacs Org Babel for executing CFEngine policy.
ob-cfengine3 has been around for a little over seven years now and it has saved me countless hours, seconds at a time. At it’s core it let’s you type a snippet of policy and execute it directly in your document, sort of like Jupyter.
Join Cody and Nick for a Christmas Special showcasing the new Audit Log in Mission Portal for CFEngine 3.25.
Nick walked through the new Audit Log demonstrating how actions in Mission Portal are tracked and available for review. He also took a quick look at changes to the global search and taking some questions of air from a few attendees.
Video The video recording is available on YouTube:
At the end of every webinar, we stop the recording for a nice and relaxed, off-the-record chat with attendees. Join the next webinar to not miss this discussion.
Do you enjoy escaping quotes inside strings? I sure don’t, and I really appreciate the flexibility CFEngine provides with 3 different quoting characters (", ', ` ). Let’s take a look.
This came up in the post show discussion for The agent is in, episode 39.
If you have a string that contains double quotes you might see it written with escaped quotes like this:
CFEngine works by defining a desired state for a given context and converging towards that goal. Given there is no fixed starting point and that the current context might change wildly it can be challenging to succinctly answer the question “What would CFEngine do?”.
In Feature Friday #22: Don’t fix, just warn we saw how an individual promise could be made to warn instead of trying to automatically converge towards the desired state, a granular --dry-run mode. This time, let’s take a look at the --simulate option of cf-agent.
