CFEngine 3.22 released - Coordination

June 16, 2023

Today, we are pleased to announce the release of CFEngine 3.22.0! The focus of this new version has been coordination. This is a non-LTS (non-supported) release, where we introduce new features for users to test and give feedback on, allowing us to polish before the next LTS. (CFEngine 3.24 LTS is scheduled to release summer 2024).

What’s new

New host filters

The host filter from inventory reports have been upgraded. You can now add rules based on classes, such as linux, windows, redhat, ubuntu, xen, policy_server, cfengine_3_21, ipv4_172_31, etc:

Host filter selecting hosts with an OS regex for Ubuntu 18, 20 or 22, and ipv4_172_31 class as well as 2 hosts explicitly.

Below the rules, which are dynamic conditions, there are lists of hosts to include and exclude in a more static manner. The new filters allow you to view a dynamically changing list of hosts, a static selection, or a mix of both. When used together, the list of hosts to include is added in addition to the condition based rules. You can easily add some hosts to your results which were not captured by the rules.

Groups in Mission Portal

You can now create groups of your hosts in Mission Portal. They are based on the same host filter system shown above.

A group is a saved host filter with a name.

Each group has a name and a filter, and allows you to see details about the hosts in it:

Groups application showing a group of Ubuntu hosts across different versions.

With groups, you can split up your infrastructure into logically distinct groups, based on operating system, function, environment, CFEngine version, etc.

Listing of groups, with names such as All hosts, CFEngine 3.22, Ubuntu, and Production.

Personal and shared groups

2 types of groups are available: personal and shared.

Personal groups allow individual users to organize hosts on their own, without the affecting what others see or the behavior of the hosts. Shared groups are available to the entire organization, and can be used to set data for the hosts in that group, controlling what the hosts in that group are doing.

The RBAC (Role Based Access Control) system specifies who can do what with groups. By default users are able to create personal groups, but only see shared groups (not create, delete, or edit).

Group data (CMDB)

Through the Data tab of a shared group, you can assign variables and classes to the hosts, in a similar manner to Host specific data in the host’s info page:

UI for editing group data, showing the Production group with the class to enable autorun and a list of files to delete as a variable.

In case of conflicts, users should be aware of the merging behavior:

  • As before, data from the CMDB will be preferred over data from the augments file (def.json).
    • This allows you to completely overwrite the values set in this JSON file which is commonly kept together with the policy set, with data from your (per-hub) database.
  • CMDB data is merged:
    • Shared groups with data are sorted by their priority, with host specific data at the end. (Host specific data is treated as more specific and thus preferred over group data).
    • Values (strings) are overwritten, lists and data containers are extended.

We plan to expand the possibilities of the CMDB, allowing different merging behavior and enabling users to add CFEngine Build module input per group.

Adding columns in inventory reports

As shown in the release blog post for 3.21.2, there is a new UI to modify columns in an inventory report:

Modal window with options to add or remove columns of inventory attributes.

The new window allows you to easily find columns you want to add (among a large collection of inventory attributes), and also enables adding multiple columns and deleting columns at the same time.

Policy language function: isreadable()

In some situations, reading a file can be slow, especially if it’s an NFS drive over a slow network. Blindly attempting to read a large file over a slow network can cause the agent to block for an extended period of time. To try to mitigate this, we’ve added a function which allows you to try reading a file, with some timeout, and then letting you react based on the result;

bundle agent __main__
{
  vars:
    "filename"
      string => "/tmp/foo.txt";
    "timeout"
      int => "3";
  reports:
    "File '$(filename)' is readable"
      if => isreadable("$(filename)", "$(timeout)");
}

This function attempts to read 1 byte from the specified file, and times out in the specified number of seconds. Thus, if the file is not readable within x seconds you can choose to not read it and print an error message, for example.

It should be noted that this is very much a best-effort approach, there is no guarantee about that file. After having checked that the file is readable, it can still become unreadable, or very slow to read before you actually try to read the contents of the file.

Changelogs

As always, you can see a full list of changes and improvements in our changelogs:

Please note that the Enterprise changelogs contain only changes specific to enterprise. To get a full overview of all changes in a version, read all 3 changelogs.

Dependency updates

Compared to the recently released 3.21.2, these dependencies have been updated:

CFEngine version 3.21.2 3.22.0
Apache 2.4.55 2.4.57
diffutils 3.9 3.10
Git 2.40.1 2.41.0
libcurl 8.0.1 8.1.2
libexpat - 2.5.0
libxml2 2.11.2 2.11.4
OpenSSL 3.0.8 3.1.1
PHP 8.1.12 8.2.7
PostgreSQL 15.2 15.3

Thank you to all the developers and maintainers of Open Source Software which make CFEngine possible!

Downloads

CFEngine Enterprise is free for up to 25 hosts, click here to go to the download pages with new packages. If you are using cf-remote, you have to specify this release explicitly:

command
cf-remote --version 3.22.0 download

(cf-remote defaults to the latest LTS release, which is currently 3.21.2).

Contributions

We encourage all of our users to get involved in the community and contribute. Feel free to use one of the following avenues: