CFEngine 3.23 released - Anniversary

December 6, 2023

Today, we are pleased to announce the release of CFEngine 3.23.0! This is a non-LTS (non-supported) release, where we introduce new features for users to test and give feedback on, allowing us to polish before the next LTS. (CFEngine 3.24 LTS is scheduled to release summer 2024).

The codename for this release is anniversary, as this year is CFEngine’s 30th anniversary. CFEngine was initially released in 1993, and to mark this special occasion we’ve created a limited edition anniversary coin:

Photograph of the CFEngine 30 year anniversary coin.

What’s new

Include / exclude hosts by hostname, IP address, subnet, MAC address

Within Mission Portal’s inventory reports you can easily control what pieces of information to show (which columns), as well as which hosts (rows) to filter out. In the previous releases, we’ve made several improvements to the UI for inventory reports, making them more intuitive to use and edit, as well as giving you more flexibility with the dynamic rules. For 3.23 we are continuing to improve the inventory reports and their host filters, by adding more ways to specify lists of hosts to include and exclude.

Host include / exclude dialog showing lists of hosts can be included and excluded based on hostname, IP, MAC address and CFEngine ID

By specifying lists of hosts by their IP, MAC, or hostname, they will stay in the list, even if their ID changes (for example after reinstalling CFEngine on a host, rotating a host’s key, or replacing one host with another). When combining rules with lists of hosts to include and exclude, exclusion will always take precedence, so the hosts you put into the exclusion list will never show up in the results.

Groups in Mission Portal

The groups functionality introduced in 3.22 also benefits from the host filter updates mentioned above. You now have a lot of flexibility when deciding what hosts should be in a group (editing its filter):

Screenshot from Mission Portal which shows an example group called Critical systems, with a combination of rules and hosts included / excluded.

In the example above, we’ve included all RHEL 7, 8, and 9 hosts with a regular expression, as well as included 1 specific host by IP address and all hosts in a subnet. We’ve also excluded one specific host which we didn’t want in the group (by its IP address).

Groups can now be static (such as lists of CFEngine IDs and MAC addresses), or much more dynamic (conditions based on reported inventory data). Or a mix of these, or something in between (IP addresses usually are quite static, but can also be changed around).

We will continue to improve and polish the groups and filter functionality before it lands in the next LTS release, CFEngine 3.24, scheduled for summer 2024.

Policy language function: version_compare()

In CFEngine policy language, we have many convenience functions and macros to make the policy behave differently for various versions of CFEngine. However, these always compare the CFEngine version number, and cannot be used to customize the behavior based on another version number (such as the version of an installed package). The new version_compare() function makes it easier to work with version numbers in general:

bundle agent __main__
      string => "1.2.3";
    "That's newer!"
      if => version_compare("$(version)", ">", "1.0.0");


As always, you can see a full list of changes and improvements in our changelogs:

Please note that the Enterprise changelogs contain only changes specific to enterprise. To get a full overview of all changes in a version, read all 3 changelogs.

Dependency updates

Compared to version 3.22, these dependencies have been updated:

CFEngine version 3.22.0 3.23.0
Apache 2.4.57 2.4.58
Git 2.41.0 2.42.1
libcurl 8.1.2 8.4.0
libxml2 2.11.4 2.11.5
LMDB 0.9.30 0.9.31
OpenSSL 3.1.1 3.1.4
PHP 8.2.7 8.2.12
PostgreSQL 15.3 15.5
zlib 1.2.13 1.3

Thank you to all the developers and maintainers of Open Source Software which make CFEngine possible!


CFEngine Enterprise is free for up to 25 hosts, click here to go to the download pages with new packages. If you are using cf-remote, you have to specify this release explicitly:

cf-remote --version 3.23.0 download

(cf-remote defaults to the latest LTS release, which is currently 3.21.3).


We encourage all of our users to get involved in the community and contribute. Feel free to use one of the following avenues: