Here comes a profoundly belated blog post on a behavior change. Better late than never.
Due to various bugs with the glob engine on Windows, we decided to rewrite it in CFEngine 3.24.0. Not only does the new glob engine resolve these bugs on Windows, but it also adds support for brace expansion on all platforms. E.g.
findfiles.cf bundle agent main { vars: "matches" slist => findfiles("C:/{foo,bar}.txt"); reports: "$(matches)"; } command & 'C:\Program Files\Cfengine\bin\cf-agent.exe' -Kf C:\findfiles.cf output R: C:\bar.txt R: C:\foo.txt The introduction of brace expansions will probably not break your policy unless you have files with brackets in their names. But what may break your policy is the fact that the new glob engine outputs the matched paths with the system separator (i.e., $(const.dirsep)). E.g., given the following policy, you can see how the output with the matched files changed from having forward slashes in CFEngine 3.21 to having backslashes in CFEngine 3.24 on Windows.
No more default passwords! CFEngine 3.26.0 (“admin”) forces you to create an admin user from scratch.
Cody, Craig, and Nick take a look at the latest CFEngine release, 3.26.0, the “admin” release. After showing the new setup process to create an initial privileged user and highlighting cfbs and cf-remote updates and separate release schedule the majority of the conversation centered around new functions that were introduced.
findlocalusers() Stop parsing /etc/passwd in policy, let the C do it. getbundlemetatatags() More introspection capabilities from within policy. hostswithgroup() Generate lists of hosts that are in a group from policy on the hub (Enterprise Hub only). is_type() Ensure the data you are looking at is what you expect it to be. isconnectable() Speed up policy by probing a port to see if it’s even connectable. useringroup() Stop parsing /etc/group in policy, let the C do it. The audience chimed in with some ideas for new and existing functions:
Today, we are pleased to announce the release of CFEngine 3.26.0! Being a non-LTS (not supported) release, this release allows users to test the new functionality we’ve been working on before it arrives in an LTS release later this year. The codename for this release is a bit different, as it is named after a new feature introduced, and what it eliminates - the default admin user.
What’s new In recent releases, we’ve made important security improvements like stricter password policies, 2FA support, audit logs, and more. We’re continuing down this track of improving the overall account and login security of CFEngine Enterprise by eliminating the default admin user and introducing a much more secure first time setup feature to create your own user with administrative rights.
We are pleased to announce two new patch releases for CFEngine, version 3.21.7 and 3.24.2! These patch releases contain bug fixes and dependency updates.
Changes As these are patch releases for long term supported (LTS) branches of CFEngine, there are no new major features included.
Complete changelogs As always, you can see a full list of changes and improvements in our changelogs:
3.24.2 Changelog for CFEngine Community 3.24.2 Changelog for CFEngine Enterprise 3.24.2 Changelog for Masterfiles Policy Framework 3.21.7 Changelog for CFEngine Community 3.21.7 Changelog for CFEngine Enterprise 3.21.7 Changelog for Masterfiles Policy Framework Please note that the Enterprise changelogs contain only changes specific to enterprise. To get a full overview of all changes in a version, read all 3 changelogs.
Disclaimer: This post focuses on Debian-based and Fedora/RHEL-based distributions and packaging.
Everybody using a GNU/Linux distribution most likely knows that packages used by the given distribution are somehow signed and such signatures are somehow verified. Usually, this knowledge comes with the first requirement to import some key when an extra package repository is being added to the system (the standard repositories of a distribution use keys that are present and trusted by default). While users don’t usually pay much attention to the key import process and the particular key used, these keys and signatures are actually parts of the critical security mechanisms in their systems.
Manage your phone like a server. In this episode, Craig brings CFEngine to Android with custom package modules and creative hacks.
Cody and Herman join Craig while he shares his journey of integrating CFEngine into a Fairphone 4 running /e/OS (a privacy-focused Android fork), using Termux to enable a Unix-like environment, and extending CFEngine’s capabilities to manage and inventory Android applications.
He talks about running Termux on Android to create a CFEngine-compatible environment, a custom package module to install APKs from GitHub, enabling inventory collection and version tracking via ADB. Craig showed how the collected data is displayed in Mission Portal, offering visibility into Android environments.
The latest release of cfbs (4.4.0 released April 4th, 2025) introduces the analyze command.
Last time I used this (Show notes: The agent is in - Episode 47 - Preview of cfbs analyze) I had installed it from a git clone, now I want to go back to regular install
command pipx uninstall cfbs pipx install cfbs output uninstalled cfbs! ✨ 🌟 ✨ installed package cfbs 4.4.0, installed using Python 3.12.3 These apps are now globally available - cfbs Now, cfbs help should have our new cfbs analyze option:
Is your CFEngine policy set a Frankensteinian monster of outdated files and custom tweaks? Take a look at tooling we have in development (cfbs analyze) to help shed light on the makeup of your policy set.
In this episode the team showcases a new tool for analyzing CFEngine policy sets. Learn how to identify modifications, missing files, and stale policies from old MPF versions and hear about additional features we can look forward to when it’s fully released.
In the latest version of the CFEngine network protocol (filestream - v4), we leveraged librsync for efficient file copying using their Streaming API.
While implementing the file streaming in CFEngine, I found that the documentation on the Streaming API was a bit unclear. Thus, I created two example programs to experiment with how it works. I thought I’d share them in this blog post as a tutorial to help other developers get up to speed faster.
The MPF or Masterfiles Policy Framework is intended to provide a stable base policy for installations and upgrades, and is used by both CFEngine Enterprise and CFEngine community.
When you create a new cfbs project with cfbs init one of the questions is related to the MPF:
Do you wish to build on top of the default policy set, masterfiles? (Recommended) [YES/y/no/n]: Added module: masterfiles The default commit message is 'Added module 'masterfiles'' - edit it? [yes/y/NO/n] Committing using git: [main f84d0d4] Added module 'masterfiles' 1 file changed, 16 insertions(+), 1 deletion(-) Of particular interest to policy writers is the lib sub-directory:
