Change in behavior: CFEngine roles inventory attribute

July 23, 2024

This is a heads-up for anyone upgrading to CFEngine 3.24.0 or newer about a small change that can be considered a breaking change.

In CFEngine versions prior to 3.24.0, the CFEngine roles inventory attribute showed up in Mission Portal with the value policy_server for the hub, and as (Not reported) for all the other hosts (clients). The technical reason for this was that the policy_server class was tagged with inventory,attribute_name=CFEngine roles. Now (in 3.24.0+), the CFEngine roles attribute shows the roles Client, Policy server, and Reporting hub, as shown and explained below.

Before and after

Before we get into the details, a couple of pictures should help visualize the change.

Inventory report in 3.21.5 (latest LTS before 3.24.0), before the change:

Inventory report showing two hosts with roles: Not reported, and policy_server

Inventory report in 3.24.0, after the change:

Inventory report showing two hosts with roles: Client, and Reporting hub, Policy Server

Rationale

The previous behavior was unexpected and not very useful for a number of reasons:

  • Inventory attributes usually have a more human readable form, so Policy server would be more expected.
  • (Not reported) could either mean a client, or a hub which has not reported it yet - there is no good way to distinguish the two.
  • Should policy_server imply that it’s an Enterprise reporting hub? Intuitively we know that in a Community setup, there is a policy server which is not a reporting hub.

Specifics changed

To address these issues, we have made some changes to this inventory attribute, and the underlying classes / variables it’s based on:

  • The CFEngine roles inventory attribute is now based on a new string list policy variable: sys.cfengine_roles.
    • Includes Policy server, if the policy_server class is set (host bootstrapped to itself).
    • Includes Reporting hub, if the cf-hub binary exists in the expected location (CFEngine Enterprise hub package was installed).
    • Otherwise, the list has one element: Client.
  • All hosts report this new variable / inventory attribute, so you can now distinguish between the different roles and hosts that have not reported yet.
  • The policy_server class is defined as before (except for its inventory tags) - policy which uses the policy_server class still works as expected.
  • In order to make decisions in policy based on the CFEngine role, two classes were added:
    • cfengine_reporting_hub is defined when Reporting hub is in sys.cfengine_roles.
    • cfengine_client is defined when Client is in sys.cfengine_roles.

Thus, if you use the CFEngine roles inventory attribute in Mission Portal (for example for filtering hosts or compliance report conditions), you will need to adjust those conditions.
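
As an added illustration (not code from the original post or from CFEngine's own policy), the bundle below combines the policy_server class with the two new classes to tell apart the three cases listed under Rationale. The bundle name, the enterprise_hub and community_policy_server class names, and the report texts are assumptions made for this example.

```cf3
# Added example: the bundle name, the derived class names and the report
# texts are hypothetical; policy_server, cfengine_reporting_hub,
# cfengine_client and sys.cfengine_roles are the names described above.
bundle agent cfengine_roles_example
{
  classes:
      # Host bootstrapped to itself with the Enterprise hub package installed.
      "enterprise_hub"
        expression => "policy_server.cfengine_reporting_hub";

      # Policy server without the hub package (for example a Community setup).
      "community_policy_server"
        expression => "policy_server.!cfengine_reporting_hub";

  reports:
      # sys.cfengine_roles is a list, so this report is emitted once per role.
      "$(sys.fqhost) has CFEngine role: $(sys.cfengine_roles)";

    enterprise_hub::
      "$(sys.fqhost): policy server and reporting hub";

    community_policy_server::
      "$(sys.fqhost): policy server only, not a reporting hub";

    cfengine_client::
      "$(sys.fqhost): client";
}
```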

Detection

Running this query on the hub can help you find inventory reports which use the CFEngine roles attribute and thus might need to be updated:

command
sudo -u cfpostgres /var/cfengine/bin/psql cfmp -c "SELECT id, label, username FROM report WHERE advancedreportsdata::text ~* 'filters.*CFEngine roles.*columns';"
output
 id |    label     | username
----+--------------+----------
 22 | report title | admin
(1 row)

Similarly, to find other conditions which use the same attribute (in compliance reports or alerts), this query can be used:

command
sudo -u cfpostgres /var/cfengine/bin/psql cfmp -c "SELECT id, name, username FROM dashboard_rules WHERE inventoryconditions::text ~* 'filters.*CFEngine roles.*columns';"
output
 id | name | username
----+------+----------
 13 | test | admin
(1 row)

If you have questions or need help, reach out on the mailing list or GitHub discussions. If you have a support contract, feel free to open a ticket in our support system.