This is a heads up to anyone upgrading to CFEngine 3.24.0 or newer versions, about a small change that can be considered a breaking change.
In CFEngine versions prior to 3.24.0, the CFEngine roles inventory attribute showed up in Mission Portal with the value policy_server for the hub, and as (Not reported) for all the other hosts (clients).
The technical reason for this was that the policy_server class was tagged with inventory,attribute_name=CFEngine roles.
Now (in 3.24.0+), the CFEngine roles attribute will show the roles Client, Policy server, and Reporting hub, as shown and explained below.
Before and after
Before we get into the details, a couple of pictures should help visualize the change.
Inventory report in 3.21.5 (latest LTS before 3.24.0), before the change:
Inventory report in 3.24.0, after the change:
Rationale
The previous behavior was unexpected and not very useful for a number of reasons:
- Inventory attributes usually have a more human-readable form, so Policy server would be more expected.
- (Not reported) could either mean a client, or a hub which has not reported it yet - there is no good way to distinguish the two.
- Should policy_server imply that it’s an Enterprise reporting hub? Intuitively we know that in a Community setup, there is a policy server which is not a reporting hub.
Specifics changed
To address these issues, we have made some changes to this inventory attribute, and the underlying classes / variables it’s based on:
- The CFEngine roles inventory attribute is now based on a new string list policy variable: sys.cfengine_roles.
  - Includes Policy server, if the policy_server class is set (host bootstrapped to itself).
  - Includes Reporting hub, if the cf-hub binary exists in the expected location (CFEngine Enterprise hub package was installed).
  - Otherwise, the list has one element: Client.
- All hosts report this new variable / inventory attribute, so you can now distinguish between the different options and not reported yet.
- The policy_server class is defined as before (except for its inventory tags) - policy which uses the policy_server class still works as expected.
- In order to make decisions in policy based on the CFEngine role, two classes were added:
  - cfengine_reporting_hub is defined when Reporting hub is in sys.cfengine_roles.
  - cfengine_client is defined when Client is in sys.cfengine_roles.
Thus, if you use the CFEngine roles inventory attribute in Mission Portal (for example for filtering hosts or compliance report conditions), you will need to adjust those conditions.
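As an added example (not part of the original post or of the CFEngine policy framework), the following policy shows one way to branch on the new classes and on sys.cfengine_roles in 3.24.0+. The report texts and the class names policy_server_only and hub_not_bootstrapped are hypothetical; the last case is an assumption derived from the definitions above (cf-hub present, host not bootstrapped to itself).

```cf3
# Added example, not CFEngine's own policy. Requires CFEngine 3.24.0+.
# The class names policy_server_only / hub_not_bootstrapped and all
# report texts are hypothetical; sys.cfengine_roles, policy_server,
# cfengine_reporting_hub and cfengine_client are the names described above.
bundle agent main
{
  vars:
      # Flatten the role list into one string for reporting
      "roles_str" string => join(", ", "sys.cfengine_roles");

  classes:
      # Serves policy but has no cf-hub binary (for example a Community
      # policy server): previously indistinguishable from an Enterprise hub
      # when looking only at the policy_server class.
      "policy_server_only"
        expression => "policy_server.!cfengine_reporting_hub";

      # Assumption: hub package installed, but host not bootstrapped to
      # itself, so only the Reporting hub role is present.
      "hub_not_bootstrapped"
        expression => "cfengine_reporting_hub.!policy_server";

  reports:
      "CFEngine roles on $(sys.fqhost): $(roles_str)";

    cfengine_client::
      "Role: client (neither policy server nor reporting hub)";

    policy_server.cfengine_reporting_hub::
      "Role: policy server and reporting hub";

    policy_server_only::
      "Role: policy server without reporting hub";

    hub_not_bootstrapped::
      "Role: reporting hub package present, host not bootstrapped to itself";
}
```

Saved to a file, this can be run locally with cf-agent -KI -f ./file.cf on a hub and on a client to compare the reported roles with what Mission Portal shows.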
Detection
Running this query on the hub can help you find inventory reports which use the CFEngine roles attribute and thus might need to be updated:
sudo -u cfpostgres /var/cfengine/bin/psql cfmp -c "SELECT id, label, username FROM report WHERE advancedreportsdata::text ~* 'filters.*CFEngine roles.*columns';"
id | label | username
----+--------------+----------
22 | report title | admin
(1 row)
Similarly, to find other conditions which use the same attribute (in compliance reports or alerts), this query can be used:
sudo -u cfpostgres /var/cfengine/bin/psql cfmp -c "SELECT id, name, username FROM dashboard_rules WHERE inventoryconditions::text ~* 'filters.*CFEngine roles.*columns';"
id | name | username
----+------+----------
13 | test | admin
(1 row)
If you have questions or need help, reach out on the mailing list or GitHub discussions. If you have a support contract, feel free to open a ticket in our support system.