The latest updates about everything CFEngine

Installing CFEngine Nightlies using cf-remote

Nightly packages are very useful for testing new features of CFEngine. Right now (as of August 2020), nightly packages can be used to test out these new features: Compliance Reports. Mission Portal Dark Mode. New host info page with variable pinning and copy buttons. Note that these features are in development, some parts may be unfinished or buggy. Nightly packages are not supported and should not be used in production environments.

August 28, 2020

CFEngine 3.17.0a1-termux - better Android Termux Support

As a follow up to my previous “personal policy” blog I have exciting news: An improved CFEngine is available for Termux! This provides a way to play with policy and implement policy on your non-rooted Android phone! Version 3.17.0a1-termux is an alpha release so understand it’s not heavily tested. That said, CFEngine for Termux is looking pretty awesome and useful. Highlights of features: allow self-bootstrap to loopback since Android devices often change their IP address and bootstrapping locally seems to make some sense for a developer device and ability to play around, this is just as helpful on the desktop for that matter. packages promises work with local masterfiles or with patched policy server masterfiles (pkg uses apt_get which CFE supports) since Termux supports “real” versions of commands and doesn’t rely exclusively on busybox, CFEngine considers a Termux environment as a fairly full featured linux box in terms of commands and features runs as un-privileged account, CFEngine for Termux does NOT require root files promises work inside the /data/data/com.termux/files scope, not outside (unless possibly you have a rooted device, which is completely untested) masterfiles policy framework works well, paths for common commands are modified to adjust to termux’s prefix $PREFIX being /data/data/com.termux/files/usr. Some common paths are setup for creating policy that works on Termux and other unices (etc_path, tmp_path, bin_path, var_path). Not supported (yet):

Posted by Craig Comstock
August 26, 2020

COVID-19's impact on infrastructure security

It’s no secret that COVID-19 is negatively impacting businesses of all sizes in a number of ways. Some more obvious than others. Unless you are in IT, you’re probably not thinking of how COVID-19 can affect the infrastructure security of your organization, but the truth is that as businesses make the tough decision to layoff employees in order to stay in business, basic security hygiene can easily be overlooked. Even organizations that are fortunate enough to not have to make cuts are still impacted in the form of needing access to specialized tools that allow IT & Security teams to enforce infrastructure changes remotely, efficiently, and at scale. If you’re looking to implement a configuration management tool to improve infrastructure security, such as CFEngine, it can be a little overwhelming to understand what types of questions to ask and criteria to consider. To help you brainstorm and prioritize, I’d like to cover what I believe are the top 3 most important criteria to consider during your evaluation.

Posted by Cody Valle
July 14, 2020

Personal Policy

My laptop was getting stale… I’ve been using it every work day for about 2.5 years now and so much software is installed it just boggles my mind. I really love it otherwise, open source, trying to be transparent, generally has worked amazingly! I have a Librem 15v3 from Purism. My home dir is a maze of old and new directories, odd files, tons of ~/Downloads junk. And the real kicker? I can’t build CFEngine core anymore! :( I tried to fix the situation but just couldn’t quite fix it. So the solution? Well reinstall PureOS of course and see if that helps things out.

Posted by Craig Comstock
July 6, 2020

CFEngine 3.16 released - Compliance

Today we announce the newest additions to CFEngine. CFEngine 3.16 brings several improvements, bug fixes, and new features. The theme for this release has been compliance, and it notably includes a new category of reports for proving compliance to regulation and other compliance frameworks in high level, easy to read reports. If you are interested to learn more about CFEngine, schedule training, or hear about pricing options, feel free to reach out to us!

June 25, 2020

How CFEngine stays ahead of the pack

Blazing the trail CFEngine was the first Configuration Management solution on the market, and while we have made many and significant changes and improvements to CFEngine in that time, we stay true to the principles that make it such a great product and technology. There are many things that have changed in the market, not at least the competitive situation, we believe that fundamentally many of the challenges stay the same. It then follows that good architecture should not be sacrificed for short term hype. In this short blog post, I will go over a few of the items that lead to CFEngine’s excellence, longevity in the market, and current strong position.

June 23, 2020

CFEngine in a High Performance Computing environment

CFEngine in HPC In High-Performance Computing (HPC) uptime and performance are very important. HPC is an area of computing that often focuses on research and development, supporting teams with extremely complex problems they need to solve, and heavy computation mathematical problems, such as protein folding for vaccine development. To achieve this, HPC systems rely on high performance, the equipment is expensive, and the average customer has very high demands. Any downtime, performance degradation, misconfiguration, or unexpected behavior will be a financial cost and will reduce the customers’ trust in the HPC provider. CFEngine is a configuration management tool that is created to manage such environments and truly excels at its tasks in an environment like this. The modular architecture, the small size, fast executables, self-healing properties, and autonomous execution are what make CFEngine ideal for these tasks. In this short blog post, we will look at these aspects of CFEngine, and how CFEngine users are saving money and improving the service they offer their users by leveraging CFEngine.

June 11, 2020

Getting out from under a SIGBUS BUS_ADRALN on Solaris/HP-UX

Introduction In the CFEngine Core team, we have recently been working on a fix for our WaitForCriticalSection() function. In short, the function checks a timestamp in a chunk of (lock) data stored in a local LMDB database and if the timestamp is too old, it writes a new chunk of (lock) data with the new timestamp. However, this used to be done in separate steps - read the data from the DB and close DB, check the data and potentially write the new data into the DB. So, there was a race condition because if multiple processes did the same steps at the same time, they could have read and checked the same timestamp value and then write their own data with their new timestamps one after another. On the high-level perspective that meant multiple processes could have entered the critical section at the same time.

June 8, 2020

CFEngine 3.12.5 and 3.15.2 released

Yesterday, packages for CFEngine 3.12.5 and 3.15.2 were made available. This release announcement was delayed in support of Blackout Tuesday in the United States of America. We are pleased to announce two new patch releases for CFEngine, version 3.12.5 and 3.15.2! These patch releases don’t contain major changes or new features, but rather fix important bugs reported by our community of users and customers. Some users reported issues with federated reporting, specifically related to non-reporting hosts. These issues are fixed in policy in the newest releases, upgrading to the latest version of Masterfiles Policy Framework (MPF) resolves them. A race condition during report collection was mitigated. This could in some cases cause a failed report collection, scheduling a retry (rebase), and emitting errors in syslog. The race condition only happened with long running agents, or agents running at the same time as report collection. It only caused errors in some very specific situations, so this was not caught by our tests, and most users did not experience the issue. Also, in relation to reporting, the hub can now query itself over the IPv6 loopback address, ::1, similar to 127.0.0.1.

June 3, 2020

Introducing cf-secret - Secret encryption in CFEngine

Contributor and CFEngine Champion, Jon Henrik Bjørnstad, developed a tool for encrypting files using CFEngine host keys, called cf-keycrypt. Thank you to Jon Henrik and all of our contributors for helping improve the CFEngine project. Our developer, Vratislav Podzimek, recently took some time to review the cf-keycrypt code, and made many improvements and fixes. The most notable changes were: Switched to hybrid encryption (payload is encrypted with randomly generated AES key, AES key is encrypted with RSA key). Added file format, with HTTP-like headers for metadata Files can be encrypted for multiple hosts (host keys) Name changed to cf-secret cf-secret is now merged and will be a part of the upcoming 3.16 release.

May 30, 2020