From black box magic to automation transparency

Posted by Thomas Ryd
January 17, 2019

The CFEngine policy analyzer is an awesome new service introduced in CFEngine 3.13. The policy analyzer allows you to quickly debug policies and inspect what is going on under the hood of CFEngine. A known challenge with CFEngine, and most DSL-based automation tools, relates to understanding what is actually going on during live operations. Many users view it as “black-box magic”. Unfortunately, the amount of magic and the size of the black box increase with the level of automation. This is undesirable. Enter the policy analyzer.

The Policy Analyzer

The policy analyzer allows you to easily debug out-of-compliance settings (promise not-kept) and quickly navigate to the relevant places in your CFEngine policies so you can fix them. If you want to understand why there are thousands of “promises repaired” states, where CFEngine continuously fixes out-of-compliance events, you can use the policy analyzer to inspect the relevant policies and get a better understanding of what is really going on. The CFEngine policy analyzer comes in the form of a file browser that allows you to easily browse and filter all of your CFEngine policies. You can now, with a few clicks, get to the exact line in a policy that is causing an out-of-compliance event. Thanks to the filtering capabilities, it is extremely intuitive to use.

Apply the broken windows theory

An inherent beauty of automation is watching machines do a massive amount of work. CFEngine is often used at large scale. Teams running highly automated IT infrastructures enjoy seeing tens and hundreds of thousands of rules being automatically enforced and, if needed, fixed by CFEngine. However, if the number of out-of-compliance incidents grows too big, fatigue enters the scene. At this stage one typically starts to prioritize and accept a certain level of out-of-compliance states. This is of course highly undesirable. The best-of-the-best IT operations apply the broken windows theory and do not accept any degradation. With the policy analyzer we hope that many more CFEngine users can apply the same principle and end up with an IT infrastructure where the part under CFEngine management stays at 100% compliance. This is absolutely feasible, and we are confident that the policy analyzer will help you greatly on this journey. The carrot waiting for you will be a life of proactive and creative work, as opposed to reactive and boring.

Check out the demo

We have made an introductory video to the policy analyzer below. Please check it out. Remember, the first 25 hosts are always free with CFEngine! Try it out now.