Upgrading from CFEngine 2 to 3: running the 2 agents side by side with 3

January 28, 2020

CFEngine 2 network communication is insecure by today’s standards.

CFEngine 2

  • CVE-2016-6329: CFEngine 2 uses Blowfish cipher (1993) which today is considered:
  • No security fixes since 2008.
  • Protocol communications not encrypted; only data transfer (which facilitates attack).
  • Encryption is off by default.

CFEngine 3

  • All communication is encrypted
  • Uses TLS 1.3 (current state of the art)
  • Up to date, maintained, secure from the software vendor
  • Full Enterprise support, with SLA.

Solution

CFEngine 3 was intentionally designed so that you can install it side by side with 2, so you have time to migrate your policies from 2 to 3.

If you are running a large CFEngine 2 installation, you can increase the security of your site by installing CFEngine 3 side by side with CFEngine 2 and using CFEngine 3 for network transport.

The following demonstration of running 2 and 3 side by side was done in the CFEngine Vagrant sandbox environment, which provides two CentOS 6.5 VMs, called “hub” and “host001”, to represent a CFEngine policy distribution server and a managed host.

The rest of this write-up documents my steps for building and installing CFEngine 2 and configuring CFEngine 3 to run the version 2 agent alongside the version 3 agent.

The idea being, once you’ve got 3 running side by side with 2, you can take your time to transition your CFEngine policy code base from 2 to 3.

Procedure

Get the latest CFEngine 2 source code (2008).

Install build tool prerequisites:

yum install -y byacc flex

Install library prerequisites:

yum install -y db4-devel openssl-devel

Build and install CFE2:

./configure --prefix=/opt/cfengine-2.2.9
make install

Create a stub CFEngine 2 file, /var/cfengine/masterfiles/cfagent.conf on the Hub.

control:

  actionsequence = ( shellcommands )

shellcommands:

  any::

   '/bin/echo $(version) agent says "Hello world"'

Make sure it works:

[root@hub ~]# /opt/cfengine-2.2.9/sbin/cfagent
cfengine:hub:/bin/echo 2.2.9: 2.2.9 agent says Hello world
[root@hub ~]#

Add a comparable promise to the CFE3 code base, /var/cfengine/masterfiles/services/main.cf:

###############################################################################
#
# bundle agent main
#  - User/Site policy entry
#
###############################################################################

bundle agent main
# User Defined Service Catalogue
{
  commands:
    any::
      "/bin/echo $(sys.cf_version) agent says 'Hello world'";

}

Update CFE3 controls to run CFE2 agent after CFE3 agent:

[root@hub masterfiles]# git diff --color=never controls/cf_execd.cf
diff --git a/controls/cf_execd.cf b/controls/cf_execd.cf
index 74e5c4b..6d46080 100644
--- a/controls/cf_execd.cf
+++ b/controls/cf_execd.cf
@@ -51,6 +51,6 @@ body executor control
       exec_command => "$(sys.cf_agent) -Dfrom_cfexecd,cf_execd_initiated -f \"$(sys.update_policy_path)\" & $(sys.cf_agent) -Dfrom_cfexecd,cf_execd_initiated";

     !windows::
-      exec_command => "$(sys.cf_agent) -Dfrom_cfexecd,cf_execd_initiated -f \"$(sys.update_policy_path)\" ; $(sys.cf_agent) -Dfrom_cfexecd,cf_execd_initiated";
+      exec_command => "$(sys.cf_agent) -Dfrom_cfexecd,cf_execd_initiated -f \"$(sys.update_policy_path)\" ; $(sys.cf_agent) -Dfrom_cfexecd,cf_execd_initiated ; /opt/cfengine-2.2.9/sbin/cfagent";

 }
[root@hub masterfiles]#

Allow some time for the host to pick up the changes from the hub (it should happen within 5-10 minutes).

Observe the host (host001) is now running CFEngine 3 and 2 agents:

/var/cfengine/outputs/previous:

[root@host001 outputs]# cat previous
  notice: Q: ".../bin/echo 3.15.": 3.15.0 agent says Hello world
cfengine:host001:/bin/echo 2.2.9: 2.2.9 agent says Hello world
[root@host001 outputs]#

The first line of output is from CFEngine 3, and the second from CFEngine 2.

Credits

I want to acknowledge the team at Nortern.tech, especially Nils Christian Flinder Roscher-Nielsen and Nick Anderson, who helped with this research and reviewed this article.

Get in touch with us
to discuss how we can help!
Contact us
Sign up for
our newsletter
By signing up, you agree to your email address being stored and used to receive newsletters about CFEngine. We use tracking in our newsletter emails to improve our marketing content.