We are pleased to announce two new patch releases for CFEngine, versions 3.21.7 and 3.24.2! These patch releases contain bug fixes and dependency updates.
Changes
As these are patch releases for long-term supported (LTS) branches of CFEngine, there are no new major features included.
Complete changelogs
As always, you can see a full list of changes and improvements in our changelogs:
3.24.2 Changelog for CFEngine Community
3.24.2 Changelog for CFEngine Enterprise
3.24.2 Changelog for Masterfiles Policy Framework
3.21.7 Changelog for CFEngine Community
3.21.7 Changelog for CFEngine Enterprise
3.21.7 Changelog for Masterfiles Policy Framework
Please note that the Enterprise changelogs contain only changes specific to enterprise. To get a full overview of all changes in a version, read all 3 changelogs.
Disclaimer: This post focuses on Debian-based and Fedora/RHEL-based distributions and packaging.
Everybody using a GNU/Linux distribution most likely knows that packages used by the given distribution are somehow signed and such signatures are somehow verified. Usually, this knowledge comes with the first requirement to import some key when an extra package repository is being added to the system (the standard repositories of a distribution use keys that are present and trusted by default). While users don’t usually pay much attention to the key import process and the particular key used, these keys and signatures are actually parts of the critical security mechanisms in their systems.
Manage your phone like a server. In this episode, Craig brings CFEngine to Android with custom package modules and creative hacks.
Cody and Herman join Craig while he shares his journey of integrating CFEngine into a Fairphone 4 running /e/OS (a privacy-focused Android fork), using Termux to enable a Unix-like environment, and extending CFEngine’s capabilities to manage and inventory Android applications.
He talks about running Termux on Android to create a CFEngine-compatible environment, a custom package module to install APKs from GitHub, enabling inventory collection and version tracking via ADB. Craig showed how the collected data is displayed in Mission Portal, offering visibility into Android environments.
The latest release of cfbs (4.4.0 released April 4th, 2025) introduces the analyze command.
Last time I used this (Show notes: The agent is in - Episode 47 - Preview of cfbs analyze), I had installed it from a git clone; now I want to go back to a regular install.
Command:
pipx uninstall cfbs
pipx install cfbs
Output:
uninstalled cfbs! ✨ 🌟 ✨
installed package cfbs 4.4.0, installed using Python 3.12.3
These apps are now globally available
- cfbs
Now, cfbs help should have our new cfbs analyze option:
Is your CFEngine policy set a Frankensteinian monster of outdated files and custom tweaks? Take a look at tooling we have in development (cfbs analyze) to help shed light on the makeup of your policy set.
In this episode the team showcases a new tool for analyzing CFEngine policy sets. Learn how to identify modifications, missing files, and stale policies from old MPF versions and hear about additional features we can look forward to when it’s fully released.
In the latest version of the CFEngine network protocol (filestream - v4), we leveraged librsync for efficient file copying using their Streaming API.
While implementing the file streaming in CFEngine, I found that the documentation on the Streaming API was a bit unclear. Thus, I created two example programs to experiment with how it works. I thought I’d share them in this blog post as a tutorial to help other developers get up to speed faster.
The MPF or Masterfiles Policy Framework is intended to provide a stable base policy for installations and upgrades, and is used by both CFEngine Enterprise and CFEngine community.
When you create a new cfbs project with cfbs init one of the questions is related to the MPF:
Do you wish to build on top of the default policy set, masterfiles? (Recommended) [YES/y/no/n]:
Added module: masterfiles
The default commit message is 'Added module 'masterfiles'' - edit it? [yes/y/NO/n]
Committing using git:
[main f84d0d4] Added module 'masterfiles'
1 file changed, 16 insertions(+), 1 deletion(-)
Of particular interest to policy writers is the lib sub-directory:
Ever tried to wrangle a fleet of servers with just a text file? Nick shows how CFEngine can take advantage of genders for classification.
In this episode, Nick dives into the configuration file, /etc/genders. Originally developed by Lawrence Livermore National Laboratory and currently maintained by the Chaos development team, genders is often seen in use in High-Performance Computing (HPC) environments. Nick presents two practical examples demonstrating policy implementations, using genders for inventory reporting and grouping hosts.
When writing CFEngine policy we create files ending in the .cf extension but this alone won’t cause the policy to be parsed and evaluated. By default cf-agent runs ${sys.inputdir}/promises.cf.
For a non-privileged user running cf-agent this will be in their $HOME directory:
Command:
cf-promises --show-vars=sys.inputdir
Output:
Variable name          Variable value               Meta tags      Comment
default:sys.inputdir   /home/craig/.cfagent/inputs  source=agent
Usually though, CFEngine is run as a privileged user, so the more common value is:
Did you notice that CFEngine 3.25.0 shipped with librsync as a new dependency?
Lars joins Cody, Craig, Herman and Nick to show and tell the massive savings we can expect to see from librsync for remote file copies. Spoiler alert, Lars sees > 80% savings from a simple policy update between 3.24.0 and 3.24.1! From the audience, Jay mentioned that they saw similar rates of savings from their use of rsync with savings accumulating to over 16TB a day.