Today we released 3.12.4-2. Shortly after releasing 3.12.4-1, we identified a permissions problem that prevents 3.12.4-1 from contributing data to a 3.15 hub setup for federated reporting; this release fixes that permission issue. As always, you can find Enterprise packages on our Enterprise downloads page and Community packages can be found in our public repositories and on our Community downloads page. Additionally, please note, cf-remote can be used to install our released Enterprise or Community packages.
As we enter 2020 and reflect on the various contributions the project has received we want to take a moment to recognize one of the more prolific contributors as a CFEngine Champion.
It’s my honor to announce and welcome Dimitrios Apostolou as the latest CFEngine Champion. At the time of this writing, he is the fourth most prolific committer in cfengine/core with 1101 commits.
2584 Mikhail Gusarov 2045 Mark Burgess 1430 Sigurd Teigen 1101 Dimitrios Apostolou 825 Kristian Amlie Notably, as an employee of CFEngine AS and Northern.tech AS Dimitrios was responsible for introducing Protocol 2 (TLS), greatly improving the performance of cf-serverd, and refactoring the policy evaluation to improve the speed of iteration over large and complex lists and data structures. As a community member, Dimitrios worked in his spare time to open source cf-monitord bringing the ability to write custom measurement promises to the Community edition. Thank you, Jimis. You have significantly enhanced the CFEngine community through your individual efforts. Know someone that has significantly enhanced CFEngine through their contributions to the project itself or via their engagement with the community? Nominate them!
We recently released new builds for our Enterprise and Community packages. This release fixes an issue causing Enterprise Hub packages to fail upgrade in some cases. As part of this release, we also made changes to package names to ensure consistent naming that also includes the target platform in the filename.
As always, you can find Enterprise packages on our Enterprise downloads page and Community packages can be found in our public repositories and on our Community downloads page.
Recently I wanted to start measuring the length of time it took for PostgreSQL to acquire a lock so that I could keep an eye on how it changes over time.
My PostgreSQL logs contain entries like the following that record the amount of time in ms it took to acquire a lock.
2019-06-11 18:49:39 GMT LOG: process 10427 acquired AccessShareLock on relation 17949 of database 16384 after 1118.396 ms at character 269 Measurement promises store and track values. Values can be sampled from either a pipe (command output) or a file as defined by the promises stream_type. Values are stored according to the promises history_type. When a measured value is not expected to change frequently a history_type of scalar or static will result in the measurement being sampled less frequently and the single value with compressed statistics will be stored. A history_type of log results in the measured value being logged as an infinite time-series in $(sys.statedir)/<PromiseHandle>_measure.log. A history_type of weekly results in the storing of a two-dimensional time average over a weekly period. Measurements with history_type of weekly are automatically graphed in Mission Portal if they are collected.
On [2019-07-29 Mon] we released new builds of our Enterprise Hub packages for 3.12.2 and 3.14.0. This release addresses CVE-2019-10164.
PostgreSQL versions 10.x before 10.9 and versions 11.x before 11.4 are vulnerable to a stack-based buffer overflow. Any authenticated user can overflow a stack-based buffer by changing the user’s own password to a purpose-crafted value. This often suffices to execute arbitrary code as the PostgreSQL operating system account.
CFEngine Enterprise LTS versions 3.12.0, 3.12.1, 3.12.2-1, 3.12.2-2, and non-LTS version 3.14.0 vendor PostgreSQL versions affected by this vulnerability. In the default configuration as access to root or cfpostgres local users must be achieved first.
This post has been re-published with permission.
CFEngine provides the services promise type to manage the state of a given service. services type promises are an abstraction of agent bundles, they can be used to declare the desired state for a collection of things identified by a name. Most commonly services type promises are used to manage standard operating system services though they can be used for abstracting other logical states. By default, bundle agent standard_services is used for the service_method in promises that specify no specific service_method.
This was originally published here, it has been re-published with permission.
How can I execute a command that uses command substitution in CFEngine?
On the console I might execute something like this:
Listing 1: Example command substitution
touch /tmp/file-$(date --iso-8601) ls /tmp/file-* /tmp/file-2019-03-08 I recommend not executing commands using substitution. Instead, prepare all that you need up front. Get the result of the data command and put it into a CFEngine variable, then use the CFEngine variable directly.
This post was syndicated with permission from the original source.
CFEngine 3.12.0 introduced the augments key to the Augments file format. If you are not already familiar with Augments, check it out. It’s a very easy way to define classes and variables very early during agent execution, before policy.
The new augments key allows you to merge additional data in the augments format on top of the base augments. I However, there is, I think, still a simple way to accomplish this. This can provide a flexible way of providing different data to different sets of machines.
This post was syndicated with permission from the original source.
How do you deal with config files that need different settings based on various services that are running on a host and cooperate with other teams? It’s a common question, and it came up on in #cfengine on libera.chat recently.
The issue is that team A might be working on package A, which requires some environment variables set. But team B might be working on a totally different thing – and want to achieve the same thing. I hoped to give them a bit of ’library’ code to take care of it, rather than have them touch a centralized environment-setting policy file.
We’re happy to announce that CFEngine 3.7.6 is released! With 3.7 being a stable LTS branch, 3.7.6 brings bug fixes and stability enhancements to the CFEngine customers and community. Looking at the CFEngine release schedule, we can see:
3.7 LTS is maintained (and supported for enterprise customers) until July 17th 2018. 3.10 LTS is maintained (and supported for enterprise customers) until December 27th 2019. If you are planning to contribute feature to the next feature release (thank you!), please note that we wold need the pull requests ready for merging by the end of September for incorporation into 3.12. If you are planning to contribute fixes to 3.10 or 3.7 LTS please note that we would need the pull requests ready for merging by the end of September for incorporation into 3.7.7 and 3.10.3. RPM packages now respect the chkconfig specified state when stopping a service. Now if the cfengine3 service is off for runlevel 2 the CFEngine services are stopped when you switch to runlevel 2. cf-monitord now correctly detects the usernames for processes on AIX. Classification when running under the Xen Hypervisor was also fixed. Masterfiles got fixes to the apt_get package module so that it works correctly when more than one source repository contains the package. Masterfiles also saw the addition of oslevel (on AIX), mailx (on Linux, Darwin, OpenBSD, NetBSD, and FreeBSD) to the paths bundle. The prunetree bundle was added to the standard library making it easier to recursively delete files and directories up to a specified depth older than a specified number of days. Enterprise gets bug fixes related to exporting reports and sharing host categorization views and reports. Additionally when hostnames are displayed in reports they now link to the individual host info page and usernames are now allowed to contain dots (.). Masterfiles now ensures the postrgres log file is rotated. The verbosity of some maintenance policy was increased and the policy to clear a build up of unreported data now includes previous_state and untracked reports. Some Enterprise dependencies were updated:
