Show notes: The agent is in - Episode 53 - CFEngine and decomputing

Posted by Nick Anderson
September 25, 2025

In these times dominated by ever-growing amounts of technology, have you ever considered the power of less?

In this very special episode, we celebrate Craig Comstock’s 8-year anniversary with the company! Craig takes us on a journey into the concept of “decomputing” - the idea of using computer systems less and within limits.

Join us as Craig explores how CFEngine’s philosophy and design principles, such as being lightweight and having few dependencies, align with the decomputing mindset. He shares some book recommendations (The Mechanic and the Luddite, Resist AI), and examples of fun, interesting, old, and resource-constrained platforms where he exercises CFEngine regularly.

Video

The video recording is available on YouTube:

At the end of every webinar, we stop the recording for a nice and relaxed, off-the-record chat with attendees. Join the next webinar to not miss this discussion.

Post show discussion

After the show there was some brief discussion about access promise types.

How to integrate custom access promises with cfbs?

In the old days we would edit cf_serverd.cf and add new access promises next to the ones that ship in the Masterfiles Policy Framework. How should we do this with cfbs?

While there is absolutely nothing wrong with modifying the Masterfiles Policy Framework, reducing modifications to the vendored files can significantly benefit maintenance. Rather than editing an existing server bundle like mpf_default_access_rules, introduce your own server bundle.

bundle server custom_access_promises
{
  access:
      # Serve /srv/customers/ to remote agents; 0.0.0.0/0 admits any IPv4 address.
      "/srv/customers/"
        handle => "customer_files_access",
        admit => { "0.0.0.0/0" };
}

Then, to integrate this into the policy with cfbs, run cfbs add and provide the path to the policy file. Once the policy is in inputs on the host, cf-serverd should notice and reload the policy, but it may require a service restart if the data is separate from the policy, as we typically recommend.
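The bundle above with its admit list narrowed, as an added example that is not from the original post or the CFEngine project: it swaps the catch-all admit for admit_ips fed from a list of client networks. The variable name customer_file_clients and the 192.0.2.0/24 documentation range are assumptions; substitute the networks that should actually read /srv/customers/.

```cf3
# Added example, not from the original post.
bundle server custom_access_promises
{
  vars:
      # Hypothetical variable name; the subnet is a constructed placeholder
      # from the 192.0.2.0/24 documentation range.
      "customer_file_clients" slist => { "192.0.2.0/24" };

  access:
      # The post's version used: admit => { "0.0.0.0/0" };
      # which matches any IPv4 address.
      "/srv/customers/"
        handle    => "customer_files_access",
        comment   => "Serve customer files only to the listed client networks",
        admit_ips => { @(customer_file_clients) };
}
```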

How does the policy get run when not in the bundlesequence?

You might notice that server bundles aren’t listed in body common control bundlesequence. cf-serverd and cf-monitord don’t use bundlesequence. Instead they process server and monitor bundles as they are found during policy parsing.