How CFEngine stays ahead of the pack

June 23, 2020

Blazing the trail

CFEngine was the first Configuration Management solution on the market, and while we have made many significant changes and improvements to CFEngine in that time, we stay true to the principles that make it such a great product and technology. Many things have changed in the market, not least the competitive situation, but we believe that fundamentally many of the challenges stay the same. It then follows that good architecture should not be sacrificed for short-term hype. In this short blog post, I will go over a few of the items that lead to CFEngine’s excellence, longevity in the market, and current strong position.

What is a promise?

Let’s start with the basics of what makes CFEngine tick! CFEngine provides a declarative policy language that focuses on the outcomes you want to achieve, not the instructions or steps needed to get there. While some other automation solutions only provide a set of instructions or workflows, CFEngine does not take this approach. Why not? Because a sequence of instructions will only lead to the correct outcome if we truly know where we are starting from. We cannot plan for the specific error state or misconfiguration we want to mitigate, so a declarative approach is the most stable approach to large scale automation.
Over time, any given state can occur that we never planned for. In order to consistently achieve a desired state or outcome, a promise is what you need. When using CFEngine you will find yourself writing policy that only promises something about the outcome, not focusing on the process. This makes the architecture of CFEngine highly effective, provides great cross-platform support and makes it very effective at achieving the desired state. The agent will then act on the promise, sometimes taking different paths but always leading to a predictable outcome. We call this convergence.
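The difference between a fixed sequence of steps and a promise about the outcome can be shown in a few lines. The following is an added illustration in Python, not CFEngine policy and not code from the CFEngine project; the setting, file name and function names are constructed for the example.

```python
import os
import stat
import tempfile

KEY, VALUE, MODE = "PermitRootLogin", "no", 0o600  # constructed sample promise

def read_lines(path):
    try:
        with open(path) as fh:
            return fh.read().splitlines()
    except FileNotFoundError:
        return None

def run_script(path):
    """Imperative steps that assume a fresh host: append the setting, set the mode."""
    with open(path, "a") as fh:
        fh.write(f"{KEY} {VALUE}\n")
    os.chmod(path, MODE)

def keep_promise(path):
    """Inspect the current state and repair only what differs from the outcome.
    Returns the repairs made; an empty list means the promise was already kept."""
    repairs, wanted = [], f"{KEY} {VALUE}"
    current = read_lines(path)
    lines = current or []
    if [l for l in lines if l.split()[:1] == [KEY]] != [wanted]:
        lines = [l for l in lines if l.split()[:1] != [KEY]] + [wanted]
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, MODE)
        with os.fdopen(fd, "w") as fh:
            fh.write("\n".join(lines) + "\n")
        repairs.append("created file" if current is None else "corrected setting")
    if stat.S_IMODE(os.stat(path).st_mode) != MODE:
        os.chmod(path, MODE)
        repairs.append("corrected mode")
    return repairs

def settings_after(action, start, runs=2):
    """Apply `action` `runs` times to a file starting as `start` (None = missing)
    and return the resulting KEY lines."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sshd_config")
        if start is not None:
            with open(path, "w") as fh:
                fh.write(start)
            os.chmod(path, 0o644)
        for _ in range(runs):
            action(path)
        return [l for l in read_lines(path) if l.startswith(KEY)]

# Constructed starting states: missing file, wrong value, already correct.
STARTS = [None, "PermitRootLogin yes\nPort 22\n", "Port 22\nPermitRootLogin no\n"]

if __name__ == "__main__":
    for start in STARTS:
        print(repr(start), settings_after(run_script, start), settings_after(keep_promise, start))
```

From every starting state the promise ends with exactly one correct setting, while the script leaves the conflicting value in place and adds a duplicate on each run.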

Promise theory

When we use the word “promise” in CFEngine, it comes from Promise Theory, an area of research pioneered by Mark Burgess, the original creator of CFEngine. Maybe you have never heard of Promise Theory, maybe you are a big fan. Either way, using CFEngine is unrelated to Promise Theory today. So what does Promise Theory mean for CFEngine? In short, it means that CFEngine is underpinned by a rigorous scientific framework, and we know that the promises you implement using our Policy language will be kept and will behave in a certain way. There are many great resources available on Promise Theory. Learning Promise Theory, or even knowing what it is, is not a requirement or advantage when using CFEngine, but it could be interesting to have a look at for those of you who are curious.

Best practices

Having the promise as our base “unit” enables us to help you solve some of the hardest problems you have. Here we present some best practices and ways of thinking to get the most out of your infrastructure, and of CFEngine.

Infrastructure as code

Infrastructure as code has long been a goal for many organizations. It should not be a pipe dream; indeed, it is exactly what you can easily achieve with CFEngine. Any change to your infrastructure can easily be made by modifying your CFEngine Policy, or better yet the data that your Policy leverages. Do you want to switch a machine over from Testing to Prod? You can change one variable, and CFEngine will take care of the rest. Do you need to upgrade a software version, a database type or any default settings across 50 or 50 000 machines? It is equally simple using CFEngine. The more you can rely on code to drive your infrastructure, the better. And CFEngine makes that simple.

Source data externally

To simplify things further, build a Policy for your framework and use external data sources for your quickly changing variables. One key to success with CFEngine is to work in a dual mindset. Let Policy define your architecture, and source all the variables from external data files like an MDR or CMDB system. In this way, anyone with the appropriate access rights can easily modify, for example, an application version across the entire infrastructure without modifying the underlying Policy. A great example of this way of working is our LinkedIn Success Story, which you can read more about in this whitepaper.

Ad-hoc changes

Making quick fixes and fast ad-hoc changes is not the design pattern of CFEngine. While we do not recommend doing this, we provide simple ways to make sure you can put out a fire before making the needed changes that can avoid such fires in the first place. With the powerful Mission Portal UI, you can find issues and drill down to any host in your infrastructure. The best solution if something is not correctly configured or implemented is usually to fix the policy so that the problem never repeats, either on that one server or anywhere else. Before you have an opportunity to do that, CFEngine makes it simple to integrate with Ansible or other tools that focus on small scale infrastructure and ad-hoc, manual processes for firefighting. You should always use the tool that is best suited for the task.

Scale effortlessly

CFEngine is the best choice you can make, not only for large scale infrastructure but also for complex and hard to manage systems. CFEngine thrives with complexity, many operating systems, complicated timescales, and many users with different needs. The main idea behind CFEngine is to make the infrastructure work for you, not the other way around. Define policy once, and you are good to go. No need to babysit or watch over your configuration like a hawk.

Best in class reporting

CFEngine Enterprise comes with the best and most effortless large-scale reporting capabilities in the market. Set up custom reports, email them automatically to management, get in-depth compliance data, and much more through the simple to use Mission Portal UI. Each host in your infrastructure will gather a lot of information; some of it is configured out of the box, but the options are limitless. The architecture is highly optimized, so it consumes a minimal amount of capacity on your nodes. The cost of having to run an agent that requires several hundred MB of memory vs an agent that requires less than 10MB of memory quickly adds up. This is then all propagated to a reporting hub, where it’s available for analysis. Unlike many others, we make all the data immediately available, and you can query our database for anything you want.


In short, we believe that CFEngine is the best tool available for a range of automation, configuration, security, and report collection tasks. CFEngine was the first successful tool in configuration management and has been blazing the trail of this field ever since. You should always choose the best tool for the job you need to get done. You should choose CFEngine!