Join Cody and Nick for a Christmas Special showcasing the new Audit Log in Mission Portal for CFEngine 3.25.
Nick walked through the new Audit Log, demonstrating how actions in Mission Portal are tracked and available for review. He also took a quick look at changes to the global search and took some questions off air from a few attendees.
Video
The video recording is available on YouTube:
At the end of every webinar, we stop the recording for a nice and relaxed, off-the-record chat with attendees. Join the next webinar to not miss this discussion.
Post Show Questions
Does CFEngine keep track of when the list of software updates change?
In Mission Portal, the software updates available report shows a Discovered at timestamp.
This is the time when the set of software updates changed; you will notice that all the packages share the same time in this report.
Can I emit reports about the version a piece of software transitioned from and to?
e.g. can I emit updated Firefox from version 12 to 13.2?
Most of the information that CFEngine makes readily available has to do with current state. I can imagine ways to record histories of this locally on each client for each package but I think the value compared to the work necessary is quite low. Probably this would need a couple of separate bundles to be responsible for recording the current state early and late during the policy run and then comparing the states before emitting reports.
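bundle agent __main__
{
  reports:
    # firefox_repaired is expected to be set by the promise that updates Firefox.
    # firefox.txt holds the version recorded early in the run.
    # current_version is a placeholder for the version found late in the run.
    firefox_repaired::
      "Firefox updated $(with)"
        with => concat(
          "from '",
          readfile( "$(sys.statedir)/software-versions/firefox.txt", "inf" ),
          "' to ",
          "$(current_version)"
        );
}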
The value is in being able to point to a nice timeline: "this is when we updated application X on your hosts".
Using Mission Portal in CFEngine Enterprise is probably a better way to get this information centrally.
For example, we can use custom SQL to get the two most recent records for libsqlite3-0 on hub.example.com:
WITH SoftwareUpdates AS (
    SELECT
        sl.hostkey,
        sl.changetimestamp,
        sl.changeoperation,
        sl.softwarename,
        sl.softwareversion,
        ROW_NUMBER() OVER (PARTITION BY sl.hostkey, sl.softwarename ORDER BY sl.changetimestamp DESC) AS rn
    FROM
        softwarelog sl
)
SELECT
    h.hostname,
    su.changetimestamp,
    su.changeoperation,
    su.softwarename,
    su.softwareversion
FROM
    SoftwareUpdates su
JOIN
    hosts h ON su.hostkey = h.hostkey
WHERE
    su.rn <= 2
    AND su.softwarename = 'libsqlite3-0'
    AND h.hostname = 'hub.example.com'
ORDER BY
    su.changetimestamp DESC;
This shows us that the most recent change for package libsqlite3-0 was an upgrade from 3.40.1-2 to 3.40.1-2+deb12u1:
hostname | changetimestamp | changeoperation | softwarename | softwareversion
-----------------+------------------------+-----------------+--------------+------------------
hub.example.com | 2024-12-23 22:57:34+00 | REMOVE | libsqlite3-0 | 3.40.1-2
hub.example.com | 2024-12-23 22:57:34+00 | ADD | libsqlite3-0 | 3.40.1-2+deb12u1
(2 rows)
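The REMOVE/ADD pair above can also be folded into one row per change, which gives the "from version, to version" timeline directly. This query is an added example, not part of the original show notes. It assumes, as in the output above, that a version change is logged as a REMOVE and an ADD sharing the same hostkey, softwarename and changetimestamp; the output column names (changed_at, from_version, to_version, event) are made up for this example.

```sql
-- Added example: one row per package change, with the old and new version side by side.
-- Start from every ADD record and look for a REMOVE of a different version of the
-- same package, on the same host, logged at the same moment.
SELECT
    h.hostname,
    a.changetimestamp  AS changed_at,
    a.softwarename,
    r.softwareversion  AS from_version,   -- NULL when nothing was removed
    a.softwareversion  AS to_version,
    CASE
        WHEN r.softwareversion IS NULL THEN 'install'
        ELSE 'version change'
    END                AS event
FROM
    softwarelog a
LEFT JOIN
    softwarelog r
        ON  r.hostkey         = a.hostkey
        AND r.softwarename    = a.softwarename
        AND r.changetimestamp = a.changetimestamp
        AND r.changeoperation = 'REMOVE'
        AND r.softwareversion <> a.softwareversion
JOIN
    hosts h ON h.hostkey = a.hostkey
WHERE
    a.changeoperation = 'ADD'
    AND a.softwarename = 'libsqlite3-0'
    AND h.hostname = 'hub.example.com'
ORDER BY
    a.changetimestamp DESC;
```

Dropping the hostname filter turns this into a fleet-wide record of when each host picked up a given package version, which is useful when confirming that a fix has been rolled out everywhere.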
Does CFEngine inventory hosts that need to be restarted after a software update?
No, at least not by default; however, it would be pretty easy to write some policy for this. For example, we could check if a reboot is required by inventorying the presence of /var/run/reboot-required on Debian derivatives, or the return code and/or output from needs-restarting on Red Hat derivatives. This would be a great candidate for a module on build.cfengine.com.
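bundle agent inventory_host_needs_reboot
{
  classes:
    debian|ubuntu::
      # Debian derivatives create this file when a reboot is pending
      "host_needs_reboot"
        expression => fileexists( "/var/run/reboot-required" ),
        scope => "namespace";

    redhat|centos|rocky_linux::
      # needs-restarting only signals a pending reboot through its exit code
      # when run with -r (non-zero means a reboot is required)
      "host_needs_reboot"
        expression => not( returnzero( "needs-restarting -r", "useshell" ) ),
        scope => "namespace";

  vars:
    # Inventoried so the value appears in Mission Portal as "Needs reboot"
    "status"
      string => ifelse( "host_needs_reboot", "Yes", "No" ),
      meta => { "inventory", "attribute_name=Needs reboot" };
}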
Links
- Connect on LinkedIn w/ Cody or Nick
- All Episodes