CFEngine Build System version 3

Posted by Lars Erik Wik
November 15, 2022

Our beloved cfbs CLI tool for working with CFEngine Build is rapidly evolving. At the time of writing, we are currently at version 3.2.1. Thus I would like to take this opportunity to talk a bit about the latest and greatest features; including support for users to manipulate input parameters in modules, as well as a couple of new build steps.

If you haven’t yet got a hold of the latest version of cfbs, you can update it with pip using the following command:

$ pip3 install --upgrade cfbs
Collecting cfbs
  Using cached cfbs-3.2.1-py3-none-any.whl (46 kB)
Installing collected packages: cfbs
Successfully installed cfbs-3.2.1

We’ll start off with a simple CFEngine Build project containing only the default master policy files. Note that I have disabled git, in order to make the examples a bit less noisy.

$ cfbs status
Name:        My awesome CFEngine Build project
Description: A project to demo new features in cfbs 3
File:        cfbs.json

001 masterfiles @ a87b7fea6f7a88808b327730a4ba784a3dc664eb (Not downloaded)

New build steps

Build steps are usually added by module developers or advanced cfbs users in order to manipulate temporary files while building the policy set. An overview of all available build steps - and what they do - can be found in the cfbs repository here.

The build steps policy_files, bundles and input were added in cfbs version 3. The two former provide a more powerful way in which module developers can choose which policy files and bundles shall be evaluated by the agent during an agent run. This is in contrast to the autorun functionality that was previously used. While the latter build step is used to generate and merge augments from user input.

Adding local policy files

The main motivation for adding the policy_files and bundles build steps, was to improve the ease of use when it comes to adding local policy files for new CFEngine users. Previously bundles in local policy files had to be tagged with "autorun" using the meta promise type in order for the bundle to be evaluated. See example below:


bundle agent my_bundle {
        slist => { "autorun" };

      "Hello from $(this.bundle)";
$ cfbs add 
Added module: autorun (Dependency of ./
Added module: ./

Adding a local policy file should be a primitive operation that can be used as a beginner example for new CFEngine users. Thus having to explain the autorun feature is undesirable. With the powers of our new build steps, cfbs version 3 is now able to ask you which bundle to run instead of users having to implicitly state this into their bundles.


bundle agent my_bundle {
      "Hello from $(this.bundle)";
$ cfbs add 
Which bundle should be evaluated (added to bundle sequence)?
 1. ./ (default)
 2. (None)
 [1/2]: 1
Added module: ./

Let’s see what this looks like if we have multiple bundles spread over multiple policy files. Given the two policy files below, we can add bogus/ as a local module directory. The CLI will browse the module directory looking for candidate bundles for you to choose from. I’ll choose the foobar bundle.

# bogus/

bundle agent foo {
      "Hello from $(this.bundle)";

bundle agent bar {
      "Hello from $(this.bundle)";

bundle agent baz {
      "Hello from $(this.bundle)";
# bogus/doofus/

bundle agent foobar {
      "Hello from $(this.bundle)";

bundle agent foobaz {
      "Hello from $(this.bundle)";
$ cfbs add bogus/
Which bundle should be evaluated (added to bundle sequence)?
 1. ./bogus/ (default)
 2. ./bogus/
 3. ./bogus/
 4. ./bogus/doofus/
 5. ./bogus/doofus/
 6. (None)
 [1/2/3/4/5/6]: 4
Added module: ./bogus/

If we build the project we can see the build steps in action:

$ cfbs build

001 masterfiles @ a87b7fea6f7a88808b327730a4ba784a3dc664eb (Downloaded)
002 ./ @ local                                    (Copied)
003 ./bogus/    @ local                                    (Copied)

001 masterfiles : run './ -y'
001 masterfiles : copy './' 'masterfiles/'
002 ./ : copy './' 'masterfiles/services/cfbs/'
002 ./ : policy_files 'services/cfbs/'
002 ./ : bundles 'my_bundle'
003 ./bogus/    : directory './' 'masterfiles/services/cfbs/bogus/'
003 ./bogus/    : policy_files 'services/cfbs/bogus/' 'services/cfbs/bogus/doofus/'
003 ./bogus/    : bundles 'foobar'

Generating tarball...

Build complete, ready to deploy 🐿
 -> Directory: out/masterfiles
 -> Tarball:   out/masterfiles.tgz

To install on this machine: sudo cfbs install
To deploy on remote hub(s): cf-remote deploy

By installing the policy set, followed by running the agent, we can see that the correct bundles are in fact run.

$ sudo cfbs install 
Installed to /var/cfengine/masterfiles
$ sudo cf-agent --no-lock --file
$ sudo cf-agent --no-lock
R: Hello from my_bundle
R: Hello from foobar

Pretty neat, right?

Adding user input

The greatest new feature by far is nothing less than the added support for user input in modules. This new feature allows for module developers to specify prompts that allow users to customize module parameters. User inputs can be added using the cfbs input command, or during cfbs add. Input is stored as JSON in the project repository, and can be converted into augments and merged into the policy framework using the input build step.

An example of a module that currently uses this feature, is the delete-files promise module, written by none other than the notorious CFEngine ninja Nick Anderson. Let’s check it out!

$ cfbs add delete-files
Added module: delete-files
The added module 'delete-files' accepts user input. Do you want to add it now? [yes/y/NO/n] yes
Collecting input for module 'delete-files'
Path to file: /tmp/virus
Why should this file be deleted? [Unknown] We don't want it to do malicious stuff on our host.
Specify another file you want deleted on your hosts? [yes/y/NO/n] no

We build and install using cfbs, followed by running the agent with the policy, just like we did in the previous example. Then we create a “good” file and a “bad” one in the /tmp/ directory. Running the agent now makes sure the bad file is deleted.

$ echo "Malicious code" > /tmp/virus
$ echo "Important stuff" > /tmp/important
$ sudo /var/cfengine/bin/cf-agent --no-lock --inform
    info: Deleted file '/tmp/virus'

A sneak peek

We are currently working hard on integrating the new input feature into the CFEngine Enterprise Web UI, Mission Portal. Without revealing too much of what is coming next, here is a little sneak peek on what we can expect.

CFEngine Build sneak peek

Share your thoughts

If you have any ideas of new features or tips on how we can improve CFEngine Build? Please share your thoughts over at GitHub Discussions, we are eager to hear your feedback.