Today we announce the newest additions to CFEngine. CFEngine 3.16 brings several improvements, bug fixes, and new features. The theme for this release has been compliance, and it notably includes a new category of reports for proving compliance with regulations and other compliance frameworks in high-level, easy-to-read reports. If you are interested in learning more about CFEngine, scheduling training, or hearing about pricing options, feel free to reach out to us!
Blazing the trail CFEngine was the first Configuration Management solution on the market, and while we have made many significant changes and improvements to CFEngine since then, we stay true to the principles that make it such a great product and technology. Many things have changed in the market, not least the competitive situation, but we believe that fundamentally many of the challenges stay the same. It follows that good architecture should not be sacrificed for short-term hype. In this short blog post, I will go over a few of the items that have led to CFEngine’s excellence, longevity in the market, and current strong position.
CFEngine in HPC In High-Performance Computing (HPC), uptime and performance are very important. HPC is an area of computing that often focuses on research and development, supporting teams with extremely complex, computationally heavy mathematical problems they need to solve, such as protein folding for vaccine development. HPC systems rely on high-performance equipment that is expensive, and the average customer has very high demands. Any downtime, performance degradation, misconfiguration, or unexpected behavior carries a financial cost and reduces the customers’ trust in the HPC provider. CFEngine is a configuration management tool created to manage such environments, and it truly excels at its tasks in an environment like this. Its modular architecture, small size, fast executables, self-healing properties, and autonomous execution are what make CFEngine ideal for these tasks. In this short blog post, we will look at these aspects of CFEngine, and at how CFEngine users are saving money and improving the service they offer their users by leveraging CFEngine.
Introduction In the CFEngine Core team, we have recently been working on a fix for our WaitForCriticalSection() function. In short, the function checks a timestamp in a chunk of (lock) data stored in a local LMDB database and, if the timestamp is too old, writes a new chunk of (lock) data with a new timestamp. However, this used to be done in separate steps: read the data from the DB and close the DB, check the data, and potentially write the new data into the DB. That is a race condition (a time-of-check to time-of-use window): if multiple processes performed the same steps at the same time, they could all read and check the same stale timestamp and then write their own data with their new timestamps one after another. At a high level, that meant multiple processes could enter the critical section at the same time.
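To make the window concrete, here is an added toy model in Go. It is not CFEngine's code, and the fixed variant shows one way to close the window (holding a single write transaction across read, check and write), which may differ from the change actually made in CFEngine. Two simulated processes step through the sequence in lock step. In the racy variant the database is closed between the read and the check, so both processes see the stale timestamp and both enter. In the fixed variant a process begins a write transaction before reading and keeps it open until its new record is committed, so the second process has to wait and then sees the fresh timestamp. The 60-second threshold, the timestamps and the process ids are constructed values.

```go
package main

import "fmt"

// Added example, not CFEngine code: a toy model of the lock record that
// WaitForCriticalSection() keeps in LMDB. Names and values are assumptions.

const maxAge int64 = 60 // assumed: a lock older than this is considered stale

type lockDB struct {
	lastTS int64 // timestamp stored in the lock record
	writer int   // id of the process holding the write transaction, 0 = none
}

type stage int

const (
	stRead  stage = iota // about to read the record
	stCheck              // has read, about to check and possibly write
	stDone
)

type proc struct {
	id      int
	now     int64 // this process's clock reading
	seenTS  int64 // the timestamp it read from the record
	stage   stage
	entered bool // whether it entered the critical section
}

type stepFn func(db *lockDB, p *proc)

// racyStep is the old behaviour: the DB is closed after the read, so the
// check runs on a possibly stale value and any number of processes can write.
func racyStep(db *lockDB, p *proc) {
	switch p.stage {
	case stRead:
		p.seenTS = db.lastTS // read record, close DB
		p.stage = stCheck
	case stCheck: // decision taken on data that may already be outdated
		if p.now-p.seenTS > maxAge {
			db.lastTS = p.now // write new record
			p.entered = true
		}
		p.stage = stDone
	}
}

// fixedStep begins a write transaction before the read and commits only after
// the write, so a competing process cannot read until the new record is visible.
func fixedStep(db *lockDB, p *proc) {
	switch p.stage {
	case stRead:
		if db.writer != 0 { // another writer is active: retry on the next step
			return
		}
		db.writer = p.id // begin write txn
		p.seenTS = db.lastTS
		p.stage = stCheck
	case stCheck:
		if p.now-p.seenTS > maxAge {
			db.lastTS = p.now
			p.entered = true
		}
		db.writer = 0 // commit, releasing the txn
		p.stage = stDone
	}
}

// countEntered runs two processes round-robin, one step each, until both are
// done, and returns how many of them entered the critical section.
func countEntered(step stepFn) int {
	db := &lockDB{lastTS: 0} // the stored record is long stale
	procs := []*proc{{id: 1, now: 1000}, {id: 2, now: 1000}}
	for {
		allDone := true
		for _, p := range procs {
			step(db, p)
			if p.stage != stDone {
				allDone = false
			}
		}
		if allDone {
			break
		}
	}
	n := 0
	for _, p := range procs {
		if p.entered {
			n++
		}
	}
	return n
}

func main() {
	fmt.Println("racy:  processes that entered =", countEntered(racyStep))
	fmt.Println("fixed: processes that entered =", countEntered(fixedStep))
}
```

The scheduler is deterministic on purpose: the interleaving read A, read B, write A, write B is exactly the one that lets two agents through in the racy version, and the same interleaving yields one entrant in the fixed version because B's read is refused until A commits. In LMDB there is only ever one write transaction open at a time, which is what makes holding the transaction across all three steps an effective serialization point.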
Yesterday, packages for CFEngine 3.12.5 and 3.15.2 were made available. This release announcement was delayed in support of Blackout Tuesday in the United States of America. We are pleased to announce two new patch releases for CFEngine, versions 3.12.5 and 3.15.2! These patch releases don’t contain major changes or new features, but rather fix important bugs reported by our community of users and customers. Some users reported issues with federated reporting, specifically related to non-reporting hosts. These issues are fixed in policy in the newest releases; upgrading to the latest version of the Masterfiles Policy Framework (MPF) resolves them. A race condition during report collection was mitigated. It could in some cases cause a failed report collection, scheduling a retry (rebase) and emitting errors in syslog. The race condition only happened with long-running agents, or agents running at the same time as report collection. It only caused errors in some very specific situations, so it was not caught by our tests, and most users did not experience the issue. Also, in relation to reporting, the hub can now query itself over the IPv6 loopback address, ::1, as it already could over 127.0.0.1.
Contributor and CFEngine Champion Jon Henrik Bjørnstad developed a tool for encrypting files using CFEngine host keys, called cf-keycrypt. Thank you to Jon Henrik and all of our contributors for helping improve the CFEngine project. Our developer, Vratislav Podzimek, recently took some time to review the cf-keycrypt code and made many improvements and fixes. The most notable changes were:
- Switched to hybrid encryption (the payload is encrypted with a randomly generated AES key, and the AES key is encrypted with the recipient's RSA host key).
- Added a file format with HTTP-like headers for metadata.
- Files can be encrypted for multiple hosts (host keys).
- Name changed to cf-secret.

cf-secret is now merged and will be a part of the upcoming 3.16 release.
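As an added illustration of the scheme these points describe, the Go program below is not cf-secret's own code and does not reproduce its real file format. It shows the shape of the design: one random AES-256-GCM key encrypts the payload, that key is wrapped separately with each recipient host's RSA public key (RSA-OAEP), and HTTP-like headers carry the metadata. The header names (Version, Nonce, Recipient), the use of the host name as the OAEP label, the hosts web1.example and web2.example, and the freshly generated RSA keys standing in for CFEngine host keys are all assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// Assumed layout (not cf-secret's real format): HTTP-like headers, a blank line,
// then AES-256-GCM ciphertext. Each "Recipient: <host> <b64>" line holds the AES
// key wrapped with that host's RSA key (OAEP, host name as label). The header
// block is fed to GCM as associated data, so it is authenticated, not encrypted.

// Encrypt seals payload for every host in recipients under one random AES key.
func Encrypt(payload []byte, recipients map[string]*rsa.PublicKey) ([]byte, error) {
	key, nonce := make([]byte, 32), make([]byte, 12)
	for _, b := range [][]byte{key, nonce} {
		if _, err := rand.Read(b); err != nil {
			return nil, err
		}
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	var out bytes.Buffer
	fmt.Fprintf(&out, "Version: 1\nNonce: %s\n", base64.StdEncoding.EncodeToString(nonce))
	for host, pub := range recipients {
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, []byte(host))
		if err != nil {
			return nil, err
		}
		fmt.Fprintf(&out, "Recipient: %s %s\n", host, base64.StdEncoding.EncodeToString(wrapped))
	}
	out.WriteString("\n")
	out.Write(gcm.Seal(nil, nonce, payload, out.Bytes())) // headers bound as associated data
	return out.Bytes(), nil
}

// Decrypt recovers the payload on host with that host's private key.
func Decrypt(file []byte, host string, priv *rsa.PrivateKey) ([]byte, error) {
	sep := bytes.Index(file, []byte("\n\n"))
	if sep < 0 {
		return nil, fmt.Errorf("malformed file: no header terminator")
	}
	headers, body := file[:sep+2], file[sep+2:]
	var nonce, wrapped []byte
	for _, line := range strings.Split(string(file[:sep]), "\n") {
		kv := strings.SplitN(line, ": ", 2)
		if len(kv) != 2 {
			return nil, fmt.Errorf("malformed header %q", line)
		}
		var err error
		switch kv[0] {
		case "Nonce":
			nonce, err = base64.StdEncoding.DecodeString(kv[1])
		case "Recipient": // only the line naming this host is usable here
			if strings.HasPrefix(kv[1], host+" ") {
				wrapped, err = base64.StdEncoding.DecodeString(kv[1][len(host)+1:])
			}
		}
		if err != nil {
			return nil, err
		}
	}
	if wrapped == nil {
		return nil, fmt.Errorf("file is not encrypted for host %q", host)
	}
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, []byte(host))
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap key for %q: %v", host, err)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(nonce) != gcm.NonceSize() { // Open panics on a wrong nonce size; reject it first
		return nil, fmt.Errorf("bad nonce length %d", len(nonce))
	}
	return gcm.Open(nil, nonce, body, headers) // fails if body or headers were altered
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	k, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for a host's key pair (errors ignored in this demo only)
	file, _ := Encrypt([]byte("constructed secret\n"), map[string]*rsa.PublicKey{"web1.example": &k.PublicKey})
	got, err := Decrypt(file, "web1.example", k)
	fmt.Printf("%s--- decrypted %q (err=%v)\n", file[:bytes.Index(file, []byte("\n\n"))+2], got, err)
}
```

Two design choices are worth noting for anyone building a format like this. Feeding the header block to GCM as associated data means a recipient line cannot be added, removed or altered without the decryption failing, and using the host name as the OAEP label ties each wrapped key to the host it was meant for. The explicit nonce length check matters because Go's GCM implementation panics, rather than returning an error, when handed a nonce of the wrong size, so a malformed file must be rejected before reaching Open.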
A vulnerability was recently discovered in CFEngine Mission Portal and has now been fixed. Under certain circumstances, it was possible to inject JavaScript code into data presented in Mission Portal, which would then run in the user’s browser. This security issue was fixed in CFEngine 3.10.7, 3.12.3, and 3.15.0, and is mitigated by upgrading your hub to one of these versions (or later). No action other than upgrading the hub is required. This issue is present in CFEngine Enterprise 3.7 versions, 3.10.0 through 3.10.6, as well as 3.12.0, 3.12.1, and 3.12.2. All customers were notified prior to this announcement and had time to address the issue. Any community users who use CFEngine Enterprise Free 25 should upgrade immediately. Open source versions of CFEngine (CFEngine Community) are not affected, as they do not include the Mission Portal Web UI. The security of the CFEngine product and our users is something we take very seriously, and we will continue to look for, fix and responsibly disclose serious weaknesses in our product(s). This issue has been registered as CVE-2019-19394 in the official public CVE registry. If you have any questions or concerns, please contact CFEngine support if you have a support contract, or email security@cfengine.com
Today we released 3.12.4-2. Shortly after releasing 3.12.4-1, we identified a permissions problem that prevents 3.12.4-1 from contributing data to a 3.15 hub setup for federated reporting; this release fixes that permission issue. As always, you can find Enterprise packages on our Enterprise downloads page and Community packages can be found in our public repositories and on our Community downloads page. Additionally, please note, cf-remote can be used to install our released Enterprise or Community packages.
Announcing CF4! (or is it CF-FORTH?!) I imagine you didn’t expect such a big release so soon after our most recent release of 3.12.4 and 3.15.1 on March 26, but here it is: our alpha-release. Thus the reason for the .-4 in the version number. Of course choosing -4 has something to do with the fun of spelling FORTH without the ‘U’. Also, it’s nearly a palindrome and I imagine we’ll have a few alphas/betas before the final release is finished. (a good palindrome: a man a plan a canal panama)
Today we are very excited to bring you new updates to CFEngine. This is a set of patch releases for the CFEngine 3.12 LTS and 3.15 LTS series. We usually release new patch releases every 6 months, but we want to bring new features and all improvements and bug fixes to our users as soon as possible; hence these early releases. In CFEngine 3.15 LTS we introduced Federated Reporting, our single-pane-of-glass reporting architecture. This great new feature allows you to set up a dedicated Hub that collects all reporting data from your entire infrastructure, providing a single pane of glass into all your operations. In this patch release, we have included several performance improvements and bug fixes. There are no new features or larger changes in these patch releases. We focus on stability, improving performance and fixing bugs, and we actively listen to open source users and customers alike when planning what to fix. We hope you enjoy the faster release this time and benefit from some of the improvements we have made.