CFEngine 3.10.7 LTS and 3.12.3 LTS released

December 6, 2019

We are now happy to release two new LTS versions of CFEngine, 3.10.7 LTS, and 3.12.3 LTS.

CFEngine 3.10.7 - end of life

This will be the last release of the CFEngine 3.10 LTS series. Standard Support of CFEngine 3.10 LTS ends end of this year. If you would like extended support, please contact us. From the CFEngine release schedule, we see that CFEngine 3.10 LTS is maintained and supported until December 28th, 2019. That is the end of this year, so you should start planning on upgrading to CFEngine 3.12 LTS, or the soon to be released CFEngine 3.15.0 LTS that is scheduled to be released in the next few weeks. 3.10.7 LTS is the last maintenance release (patch release) of the CFEngine 3.10 LTS series. The goal of this release is to make sure that the stability and reliability for CFEngine users that cannot immediately upgrade to 3.12, and enable a safe upgrade path. As such, this release includes bug fixes and low-risk changes that do not impact the compatibility between previous patch releases.

CFEngine 3.12.3 LTS

This update comes with many important stability and performance improvements and is thus well worth the upgrade from an older version of 3.12 LTS. CFEngine 3.12 LTS brings a lot of innovation, new features and improved performance to CFEngine, and allows you to make the most efficient use of your time. We are looking forward to your feedback on this release. From the CFEngine release schedule, we can see that CFEngine 3.12 LTS is maintained and supported until June 2021 The goal of 3.12.3 LTS is to increase the stability and reliability of CFEngine for users and enable a safe upgrade path. As such, this release primarily includes bug fixes and low-risk changes that do not impact the compatibility with earlier patch releases. Do you want to start contributing to CFEngine, but are unsure how? Please check out our contributing guide in addition to the following suggestions.

Improvements to CFEngine 3.10.7

In 3.10.7 we have made a series of small improvements. This will be the last update to the 3.10 LTS series, so if you depend on further improvements, please consider upgrading.

Core

We have fixed a bug in ps parsing on OpenBSD / NetBSD causing bootstrap to fail. A crash that was caused by Zero-bytes in class guards is no longer causing crashes. Fixed promise results when using process_stop in processes type promises. The package modules now hit the network when the package cache is first initialized. The @ character is now allowed in the key of classic arrays defined by the module protocol. Added derived-from-file tag on hard classes based on the content of /etc/redhat-release.

Enterprise

Version specific distro classes are now collected by default in Enterprise (ENT-4752) We have set create permissions for cf-monitord files in state directory to 0600. This now matches the permissions enforced by policy. The affected files are:

  • state/cf_incoming.*
  • state/cf_outgoing.*
  • state/cf_users
  • state/env_data

Key rotation now waits for PostgreSQL to be available when starting or restarting the service.

Masterfiles

We have added the ability to avoid limiting robot agents, added and transitioned to using themaster_software_updates shortcut, added continual checking for policy_server state and added documentation on how to enable systemd unit management and disable agents on all hosts Also, a new package_module for snap packages has been added. We have made a change to always set files_single_copy from augments if it is available, and fixed cleanup of future timestamps from the status table. There are also many other fixes and improvements. You can see the full changelogs for Core, Masterfiles, and Enterprise here.

Changes in CFEngine 3.12.3

There are many improvements to CFEngine 3.12 in addition to the fixes made for 3.10. In addition to that, there are many other fixes details below. You can also see the documentation for the latest release of 3.12 LTS that includes changelogs for Core, Enterprise, and the MPF (Masterfiles Policy Framework).

Platform Support

We have implemented a change in how we build CFEngine packages from 3.12.3. We now build on all the platforms we support, as opposed to a single older platform. This means that there are now more packages to download, and while all the packages should work on the platform they are built on and newer, we now only test packages on the platform they are intended to work on. To clarify this new policy as much as possible. While we officially support these platforms (and more):

  • RHEL/CentOS 5,6,7
  • Debian 7,8,9
  • Ubuntu 14,16,18

To support these platforms we used to build only on:

  • RHEL/CentOS 4 and 6
  • Debian 4 and 7

Now we’re building on:

  • RHEL/CentOS 5, 6, 7
  • Debian 7, 8, 9
  • Ubuntu 14, 16, 18

Containers

We have also improved the support for running CFEngine in a containerized environment. While we have for a long time supported running CFEngine in a CoreOS environment, we now provide a much better way of doing this. We have simplified the packaging and management of CFEngine for container hosts by packaging CFEngine as a file system image, you can easily install, and uninstall to upgrade. You can download that image from our downloads page.

Core

Abortclasses cause the agent to terminate when a matching class is defined. However, in the past it was terminating too fast, not saving the last recorded values properly. Agent runs that hit abortclasses now record the results. We have add a newline to API error responses, and changed response codes in the User API from 204 No Content to 202 Accepted in case of update or delete requests. In this version of CFEngine, with the help of community member Joseph Holsten, we have added a snapcraft package module. Thank you very much for your contribution!

Enterprise

To make managing the utilization of licenses a bit easier, the Hub now properly logs an error if license counts are exceeded. Several issues around this have been fixed and improved. We have made many improvements to the reporting capabilities. We have fixed a SQL schema error during the upgrade, improved logging of reporting patch failures, and turned on verbose logging to see more in-depth information when patch failure errors show up.

Improved database consistency

We have done a lot of work in CFEngine 3.12.3 to make LMDB behave better. We have added several capabilities that make it more self-healing. Corrupt databases will now automatically be backed up, deleted, and if the backup contains usable information, CFEngine will copy that back, to ensure that as much information is kept as possible. We have also changed some time dependant values that caused some databases to change state a lot, to no longer trigger a change. All in all, these changes will make CFEngine 3.13.3 more stable. We have also improved the tool,cf-check that does these operations. This tool has gotten a number of improvements in this version of CFEngine.

  • directories can now be controlled from ENV vars
  • Added the --no-fork to diagnose command
  • Added the -M manpage option and other common options
  • Thedump command now dumps DB contents to JSON5, and print structs as JSON objects
  • The help command can now take a topic as an argument
  • --dump option was added to the backup command
  • The repair command now preserves readable data in corrupted LMDB files
  • Errors are now printed when there are no DB files in the state directory

Mission Portal

In Mission Portal, we have added a lot of new features in 3.12.3. In the Host Info page, we have added a lot more information out-of-the-box. You can now find all the details about the host in question in one place, such as the average agent execution interval, the average agent execution time for each policy entry, first report collection time, host bootstrapped time, last agent execution time, and inventory attributes and values on the Host page.

New improved Host Info page.

Here, you can also see a list of all the classes and variables that are defined on this host. You can also directly access measurements taken by CFEngine, such as CPU load or memory usage. We have also made the list of Inventory attributes scrollable, so you don’t need to scroll the whole page to find a given value. Admin users of Mission Portal are now allowed to delete hosts that have no classes currently reported. This fixes an issue that made non-reporting hosts difficult to manage. We have also fixed several issues around Scheduled Reports, among others an issue where scheduled reports were not saved properly. In order to search for specific package versions, we have added an exact match option to the Software Update Alert type. We have also added a number of new ways to customize Mission Portal. You can now add a company logo, and customize the text on the login page, as well as customize the color scheme of Mission Portal. We have made changes to how the widgets on the Mission Portal Dashboard display information. That they are now quite a bit faster than they used to be. We have added a 10 minutes threshold to “Agent not run recently” health diagnostics category to avoid showing false-positive warnings in case of manual cf-agent execution. We have also fixed another issue with the health diagnostics, where the “Hosts never collected from” was erroneously empty. The Host count widget has been renamed to Newly bootstrapped hosts

Dependency updates - 3.10.7

In CFEngine 3.10.7 we have updated the following dependencies. As usual, we have updated dependencies in order to get the latest security, performance and reliability improvements.

LMDB 0.9.23 0.9.24
openSSL 1.0.2r 1.0.2t
sasl2 2.1.26 2.1.27
libiconv 1.15 1.16
libxml2 2.9.8 2.9.10
openLDAP 2.4.47 2.4.48
libcurl 7.64.1 7.66.0
libcurl-hub 7.64.1 7.66.0
apache 2.4.39 2.4.41
postgresql-hub 9.6.12 9.6.15

Dependency updates - 3.12.3

In CFEngine 3.12.3 we have updated the following dependencies. As usual, we have updated dependencies in order to get the latest security, performance and reliability improvements.

LMDB 0.9.23 0.9.24
openSSL 1.1.1b 1.1.1d
sasl2 2.1.26 2.1.27
libiconv 1.15 1.16
libxml2 2.9.9 2.9.10
openLDAP 2.4.47 2.4.48
libcurl 7.64.1 7.67.0
libcurl-hub 7.64.1 7.67.0
apache 2.4.39 2.4.41
postgresql 10.7 10.11
php 7.2.18 7.2.24
git 2.21.0 2.24.0

Upgrading? If you’re upgrading an existing CFEngine Enterprise installation, check out the upgrade documentation for 3.12 for guidelines to make the process as smooth as possible. We are always happy to assist our customers with upgrading! You can contact sales to receive a fixed-price quote for upgrading your CFEngine infrastructure, and get more out of CFEngine!

Get it!

CFEngine Enterprise packages can be downloaded here or you can take a quick spin with the CFEngine Enterprise Vagrant environment for CFEngine 3.12. Community Edition is released as source code, packages, and Linux package repositories - to make installation as easy as possible! We hope you enjoy the new release, and we look forward to hearing about your experience in the CFEngine Google Group!

Brush up your CFEngine knowledge!

If you would like to refresh your CFEngine knowledge or are learning it from scratch, you can attend one of our training sessions. Check the event calendar on our website, or get in touch with us to see what the best option in your area is! There is also an updated version of the Learning CFEngine book by Diego Zamboni now available on LeanPub.