We are pleased to announce two new patch releases for CFEngine, version 3.18.8 and 3.21.5! These patch releases contain bug fixes and dependency updates.
Changes We’d like to highlight one specific change in behavior, which some users will want to adjust to;
Change in behavior - depth_search can now be used (but warns) with an individual file as source Users of the depth_search attribute of file promises should be aware of this change in behavior. See the blog post on the topic for more details:
You may see a new warning in the upcoming releases of 3.21.5 and 3.24.0. A new warning was introduced with a fix to the behavior of depth_search when combined with a copy_from source targeting a file:
depth_search (recursion) is promised for a base object '<filename>' that is not a directory Prior to versions 3.21.5 and 3.24.0 CFEngine would copy the file initially but would subsequently avoid updating the file providing only debug log message about the fact that the file was being skipped (because it’s not possible to descend into a file). Beginning with 3.21.5 and 3.24.0 CFEngine will copy the file and properly update the file but will also emit a warning that recursion was promised for something that was not a directory.
Did you know you can find variables by name and tag?
Like the ability to find currently defined classes (as described in Feature Friday #13: classesmatching()) that match a name or tag, you can find variables by name and tag. It’s a nifty capability. variablesmatching() returns a list of variable names that match the name and tag criteria.1 variablesmatching_as_data() returns a data container of the matching variables along with their values2.
Did you know you can find classes by name and tag?
classesmatching() dynamically sources information from the current state. For example, let’s say you have classes representing a system’s role. Furthermore, let’s say that we want a host to only have a single role class defined. Finally, if we have more than one role class defined, then we don’t want to proceed.
To achieve this without classesmatching(), we might have a policy file that looks like this (/tmp/feature-friday-13/tags-on-classes-0.cf)
Whether you are migrating from Ansible to CFEngine to gain some of the benefits of scale or autonomy or just need some functionality in an Ansible module, the ansible promise type can be a great tool to utilize.
It also provides a compelling alternative to ansible-pull and works around some of the caveats included with that strategy. CFEngine has battle-tested features needed for the pull architecture:
cf-execd handles scheduling periodic runs as ansible-pull suggests using cron cf-agent handles locking to avoid concurrent runs of the same playbooks A tiny Ansible project example Taking some first-step tips from 5 ways to harden a new system with Ansible let’s make a sample playbook project which patches Linux systems.
Are you familiar with CFEngines special variables?
Probably you are familiar with sys variables like sys.fqhost (the fully qualified host name) and sys.policy_hub (the IP address of the machine the host is bootstrapped to) but I want to highlight a few other special variables you may not be so familiar with.
sys Sys variables are derived from the system discovery done by the agent as it initializes.
sys.os_release - A data structure derived from /etc/os-release /etc/os-release, introduced by systemd provides a nice record of the current distributions release information.1 CFEngine prefers information from this file for determining system classification like the definition of the redhat and debian classes. The file can also be extended with custom keys, like I have done on my system to set NORTHERN_TECH_OWNER=Nick Anderson. Since files information is exposed as a data container in this sys variable it can be useful for influencing policy behavior, like selecting additional Augments to load.2
Curious about package management with CFEngine on Windows?
After sharing some history on Microsoft’s global advertising campaign for “Where do you want to go today?” Craig shared some of his recent experiments with several windows based package managers as well as their related challenges.
Craig discussed difficulties with the msiexec package module, such as distinguishing which packages need installation through msi while also identifying software for removal by name, a task that can be challenging. He demonstrated this using examples from winget, chocolatey, Scoop, and PowerShell’s install-module commands.
Did you know that CFEngine has namespaces? Let’s see how they can facilitate policy sharing while avoiding “duplicate definitions of bundle” errors.
Most of the Masterfiles Policy Framework (MPF) and policy examples for CFEngine use the default namespace. However, body file control allows you to specify a namespace that applies for the rest of the file or until it’s set again by another body file control.
Let’s consider a contrived example. Say we have two policy files (policy-1.cf, policy-2.cf) for different services. In each policy file, we want to have a bundle where we store settings related to that policy. Traditionally this would be handled by using some bundle naming convention, so we might have bundle agent policy_1_settings and bundle agent policy_2_settings. Using namespaces you can keep your bundle names brief and use different namespaces to avoid “duplicate definitions of bundle” errors.
Found a bug, asking for help? Use cf-support to collect info quickly.
cf-support was born from interactions supporting Enterprise customers to streamline data collection and was introduced in late 2022 with the release of 3.18.31 and 3.21.02. Furthermore, it was featured on The Agent is In3 episode 21 Troubleshooting with cf-support. It gathers various details about the system and creates an archive that you can attach to your ticket. While its inception was geared towards Enterprise customers, it’s still both useful and available for community users as well.
Editing and copying large files or large numbers of files is slow. For a configuration management tool, it is probably one of the slowest things we do, apart from waiting for other programs to finish or waiting for network communication. In this blog post, we look at how to copy files. More specifically, the most performant approaches available on modern Linux systems. We are working on implementing these techniques so CFEngine and all your policy will copy files more efficiently.
