As we’ve hinted at before, 2021 will be a big year for CFEngine. In the summer, we will release CFEngine 3.18 LTS. This is the first LTS release with Compliance Reports, Custom Promise types, and all of the other improvements we’ve made over the past year.
Collaboration In addition to implementing valuable functionality for our users, we are focusing on better ways of interacting with them, and more opportunities for contribution, collaboration and sharing. The beginning of this was the introduction of GitHub Discussions - a platform where users can ask questions, submit ideas, or show off their CFEngine-related creations. One month later, in March, we launched our new website. The new website should make it easier for users to find what they’re looking for, and also has some sections with great content, such as videos, case studies, and white papers. Now, we are excited to share our plans for the rest of the year.
If you are debugging issues with a host, it is quite common to want to make changes to CFEngine policy, and speed up the process of fetching, evaluating and reporting for that host. You can do this by running cf-runagent and cf-hub from the command line, now we’ve brought this functionality into Mission Portal:
You can see the feature in action, here:
Generally speaking, CFEngine and Ansible can be used to solve the same problems, but their approaches are different. In this blog post I’d like to discuss the different approaches, their consequences, some advantages of each tool, and even using them together.
CFEngines autonomous agents CFEngine works by installing and running an agent on every host of your infrastructure. It is distributed, each CFEngine agent will evaluate its policy periodically and independently. They rely on a centralized hub for refreshing policy and reporting. Updating the policy, enforcing it, and reporting on the results are decoupled - each of these 3 steps can happen with different configurations / schedules.
cf-remote is a tool for downloading and installing/deploying CFEngine. It automates a lot of the things you have to do before CFEngine is actually installed on your infrastructure, such as provisioning cloud instances, downloading CFEngine installers, copying them to remote hosts and installing / bootstrapping. To make it as easy as possible to get started with cf-remote and CFEngine, it is now available on pypi.
Getting started Installing cf-remote is as easy as:
We are excited to announce that CFEngine is now using GitHub Discussions. GitHub Discussions is a feature of GitHub repos, and similar to Q&A platforms like Stack Overflow, and other online forums. After testing it out for a few weeks we are pleased with how it works and want to encourage all our users to try it. We hope this fuels more discussion and sharing among CFEngine users - it is easy to discover on GitHub, many of you already have GitHub users, the UI is nice, and so the barrier to entry should be very low.
2020 is nearly over, and we’d like to take a couple of minutes to reflect on our year as well as provide a sneak peek into what you can expect from us in 2021. Although it has been a year full of distractions, the CFEngine team has continued to make significant strides when it comes to product improvements and new features that help our users.
Build powerful compliance reports based on important inventory data Compliance reports are high level reports, allowing you to see how compliant your infrastructure is. Checks are run against reporting data from all of your hosts, or a filtered subset, to find how many of them meet a certain compliance requirement. They are easy to build and use, entirely from the UI, with no programming needed, but flexible and powerful, allowing you to use package version information, custom inventory from your policy or even SQL queries if you need it. Compliance reports are not limited to a one regulation or framework, like CIS or HIPAA, but allow you to build your own checklists, based on your organizations requirements and compliance goals. See Compliance Reports in this video:
This tutorial focuses on how to write a promise module, implementing a new CFEngine promise type. It assumes you already know how to install promise modules and use custom promise types, as shown in the previous blog post.
Why Python? Promise modules can be written in any programming language, but there are some advantages of using python:
Readable and beginner friendly language / syntax Popular and familiar to a lot of people, also used in some CFEngine package modules Big standard library, allowing you to reuse data structures, parsers, etc. without reinventing the wheel or adding dependencies Official CFEngine promise module library Most of the code needed is already done (protocol, parsing, etc.) You can focus on only the business logic, what is unique to your new promise type With that said, there are some reasons why you might not always want to use python:
In CFEngine 3.17, custom promise types were introduced. This allows you to extend policy language, managing resources which don’t have built in promise types. The implementation of custom promise types is open source, and available in both CFEngine Enterprise and CFEngine Community. To implement a new custom promise type, you need a promise module. (The promise type is what you use in policy language (the concept), while the module is the underlying implementation - can be a python script, compiled executable or similar).
We are pleased to announce the release of CFEngine 3.17.0, with the theme Flexibility! This is a non-LTS release and allows the CFEngine community to test the features which will be in CFEngine 3.18.0 LTS (Summer 2021).
What’s new? A new look - Mission Portal Dark Mode Mission portal now gives you the option of switching to an alternate color theme, dark mode:
Trigger report collection from Host Info Page You no longer have to wait for the next reporting interval, or use the command line to get updated reports. Click the button on the host info page to trigger a report collection:
We are pleased to announce two new patch releases for CFEngine, version 3.12.6 and 3.15.3! These releases mainly contain bug fixes and dependency updates, but in 3.15.3 there are also some new enhancements in Mission Portal. The new cf-secret binary is also included in 3.15.3 packages.
New in Mission Portal 3.15.3 Synchronizing roles between Mission Portal and Active Directory When using LDAP for authentication, Mission Portal can now automatically grant roles based on the tags received from your LDAP server (for example Active Directory). This means that new users can start using Mission Portal immediately, without having to wait for an administrator to grant the appropriate roles manually. Enable this in Mission Portal Authentication Settings:
