CFEngine 3.18 LTS released - Extensibility

June 24, 2021

Today, we are pleased to announce the release of CFEngine 3.18.0! The focus of this new version has been extensibility. It also marks an important event, the beginning of the 3.18 LTS series, which will be supported for 3 years.

Several new features have been added since the release of CFEngine 3.15 LTS, in the form of non-LTS releases. In this blog post we’ll primarily focus on what is new in 3.18, but we will also highlight some things released in 3.16 and 3.17.

What’s new

A new look

We are updating the visual look and usability of many parts of Mission Portal. The new style is more clean and modern, and focused on improving ease of use and accessibility. Some changes are in 3.18.0, but we are still working on this, so expect many improvements in this area going forward.

Host Specific Data (CMDB)

You can now assign data (CFEngine variables and classes) to individual hosts from Mission Portal. This is great for setting the owner of a machine, assigning it a role, or controlling what its policy is doing. As an example, you can have policy to automatically update all packages on a machine. You might not want this enabled at all times, but temporarily enabling it for specific hosts is very useful. The new UI can be found in the host info page, and the CMDB can also be controlled using a REST API.

Trigger agent runs and report collection

The host info page in Mission Portal has new buttons for triggering agent runs and report collection for the host. Combined with CMDB, this enables a powerful workflow, allowing you to very quickly make changes and see the result. You can change a variable in CMDB, and click the “Play” button in the host info page, causing the agent on that host to fetch the latest policy, evaluate it and report back on the results.

This developer demo video shows the new agent run and report collection buttons in action:

Custom promise types

CFEngine 3.17 introduced custom promise types. Since then, we’ve fixed several bugs and added more functionality to make the feature ready for production use. Using modules, you can add new promise types to CFEngine, allowing you to manage more complex resources with ease.

As an example, a promise to keep a git repo up to date, looks like this:

bundle agent main
      repository  => "",
      version     => "master";

Going over all of the capabilities of custom promise types would make this blog post too long, but our documentation has a good introduction, links to tutorials as well as complete specification of how they work.

So far, we have 4 modules implementing new promise types:

  • git - Manage local checkouts of git repos
  • systemd - Manage systemd services
  • ansible - Run Ansible playbooks on individual hosts
  • groups - Create and manage local user groups

Later this year, we will make it easier for you to incorporate these modules with your policy and keep them up to date.

Compliance Reports

CFEngine 3.16 introduced Compliance Reports, a new way to specify compliance requirements as checks, and group them all into 1 high level report. With it came some very useful inventory conditions; regex matches, regex doesn't match, is reported and is not reported. You can create checks to ensure you are running supported operating systems, that specific packages are up to date, or anything you can imagine using CFEngine’s extensible inventory system. Since their introduction, we’ve made countless usability and quality of life improvements to Compliance Reports. If you haven’t seen compliance reports in action, take a look at this video:

OS Inventory

We’ve cleaned up the OS Inventory strings in Mission Portal. Previously, this was based on policy attempting to use many different sources, including lsb-release, if installed. The new OS string is based on 2 new policy variables; $(sys.os_name_human) and $(sys.os_version_major). This makes it a lot easier to read, and much more predictable for filtering or compliance reports.

New policy language functions

In CFEngine policy language, several functions have been added since 3.15:

Other changes

There are other big changes introduced in the past 1.5 years, but not shown here. Automatic synchronization of ActiveDirectory and Mission Portal roles, end to end encryption of secrets, simulating and visualizing changes cf-agent would make, customizing information shown on host info page, Ansible compatible hosts API, are just some of the features we’ve introduced. We encourage you to read our previous release blog posts to see more of these changes:


As always, you can see a full list of changes and improvements in our changelogs:

If you are upgrading from the 3.15 LTS series, scroll down in the changelog to find changes made in 3.17 and 3.16 to see the older changes. Please note that the Enterprise changelogs contain only changes specific to enterprise. To get a full overview of all changes in a version, read all 3 changelogs.

Dependency updates

Compared to the recently released 3.15.4, these dependencies have been updated:

CFEngine 3.15.4 3.18.0
Apache 2.4.47 2.4.48
Git 2.31.1 2.32.0
libcurl 7.75.0 7.77.0
OpenLDAP 2.4.58 2.5.5
PHP 7.4.19 8.0.7
PostgreSQL 12.7 13.3

Thank you to all the developers and maintainers of Open Source Software which make CFEngine possible!


CFEngine Enterprise is free for up to 25 hosts, click here to go to the download pages with new packages. If you are using cf-remote, it will now default to 3.18.0, since this is the latest LTS release available.


We encourage all of our users to get involved in the community and contribute. Feel free to use one of the following channels: