Introducing AI agent: Get information about your infrastructure faster. Learn more >
<The CFEngine Blog

Show notes: The agent is in - Episode 60 - Improved package management on Enterprise Linux

Posted by Nick Anderson
April 30, 2026

We’re 60 episodes in, and today we’re getting back to one of the most fundamental tasks in systems management, package management.

In this episode we look at three new dnf-related improvements for managing packages on Enterprise Linux (Red Hat, Rocky Linux , AlmaLinux). We walk through the new dnf and dnf_group package modules, and the appstreams custom promise type.

Why new package modules?

The existing yum package module works, but it shells out to run commands. The new dnf module takes a different approach: it uses the dnf and rpm Python libraries directly. This matters for security, reliability, and performance on modern Enterprise Linux where dnf has replaced yum as the native package manager.

Both dnf and dnf_group are merged into the maintained branches (3.27.x and 3.24.x) but not yet the default for any platform, you will need to explicitly specify package_module => dnf or package_module => dnf_group. The appstreams custom promise type is available from CFEngine Build.

The dnf package module

The dnf module handles individual packages:

bundle agent dnf_examples
{
  packages:
    "vim-enhanced"
      policy => "present",
      package_module => dnf,
      version => "8.2.2637-23.el9_7.1";

    "httpd"
      policy => "present",
      version => "latest",
      package_module => dnf;

    "emacs-nox"
      policy => "present",
      package_module => dnf;
}

To integrate it before the next release, you need the dnf.mustache module and the associated body definition.

The dnf_group package module

The dnf_group package module lets you manage a curated set of packages as a single unit.

bundle agent dnf_group_example
{
  packages:
    "development"
      policy => "present",
      package_module => dnf_group,
      options => {
        "group_package_types=mandatory,default,optional",
        "install_weak_deps=false"
      },
      version => "latest";
}

The options attribute controls which package types within the group get installed (mandatory, default, optional) and whether weak dependencies are pulled in. This gives you fine-grained control over what a group actually installs on your systems.

AppStreams promise type

AppStreams help to solve the issue where you need PHP 8.3 on one set of hosts and PHP 8.1 on another, from the same OS repositories. AppStreams let multiple versions coexist and you pick which stream to enable.

The appstreams promise type is available via CFEngine Build:

cfbs add promise-type-appstreams

Or using the shorter alias:

cfbs add appstreams

Then in policy:

bundle agent appstreams_example
{
  appstreams:
    "php"
      state => "installed",
      stream => "8.3",
      profile => "minimal",
      options => {"install_weak_deps=false"};
}

This ensures PHP is installed from the 8.3 stream using the minimal profile. Unlike the package modules, the appstreams promise type is a custom module distributed through CFEngine Build, not vendored in masterfiles.

Video

The video recording is available on YouTube:

At the end of every webinar, we stop the recording for a nice and relaxed, off-the-record chat with attendees. Join the next webinar to not miss this discussion.

Try CFEngine Enterprise for free

Sign up for CFEngine Enterprise and connect up to 25 hosts for free. No credit card required. Get started in minutes.

Try enterprise for free