3.11.0 Beta ready for testing!

Posted by:

14 Jun 2017

We’re happy to announce that CFEngine 3.11.0 Beta (non-LTS) is now ready. Thanks to everyone for all of the contributions! Please test extensively and submit bug reports.

3.11.x introduces some new features and deprecates some underutilized functionality.

Please note that 3.11.0 will be a non-LTS release, which means that it will be maintained only for 6 months from the release date and not supported for CFEngine Enterprise customers (but Enterprise packages will be available). Looking at the CFEngine release schedule, we can see:

  • 3.7 LTS is maintained (and supported for Enterprise customers) until July 17th 2018
  • 3.10 LTS is maintained (and supported for Enterprise customers) until December 27th 2019
  • 3.11 non-LTS will be maintained for 6 months after the release of 3.11.0.

The guest_environments promise type has been removed and the associated libvirt dependency has been dropped. Support for postgres in database type promises has been removed and the associated agent dependency has also been removed.

Additionally please note that upgrades are unsupported for the BETA release.

The new with attribute allows the use of function calls on a promiser (CFE-1092). This feature can help simplify policy by removing the need for intermediary variables.

bundle agent main
{
  vars:
      "todo" slist => { "a 1", "b 2", "c 3" };

      # Here, `with` is the canonified version of $(todo), letting us avoid an
      # intermediate canonification array.
      "$(with)" string => "$(todo)", with => canonify($(todo));

      "complex" data => '
{
  "x": 200,
  "y": [ 1, 2, null, true, false ]
}
';

  reports:
      "For iterable '$(todo)' we created variable '$(with)' and its value is '$(todo)'"
        with => canonify($(todo));

      "We can print a data container compactly without creating a temporary variable: $(with)"
        with => format("%S", complex);

      "We can print a data container fully without creating a temporary variable: $(with)"
        with => storejson(complex);
}

R: For iterable 'a 1' we created variable 'a_1' and its value is 'a 1'
R: For iterable 'b 2' we created variable 'b_2' and its value is 'b 2'
R: For iterable 'c 3' we created variable 'c_3' and its value is 'c 3'
R: We can print a data container compactly without creating a temporary variable: {"x":200,"y":[1,2,null,true,false]}
R: We can print a data container fully without creating a temporary variable: {
  "x": 200,
  "y": [

System discovery now leverages /etc/os-release and populates sys.os_release with the parsed data. Amazon Linux and CoreOS are now automatically detected during system discovery. When running on Amazon Linux, the AmazonLinux class will be defined and sys.flavour will be set to AmazonLinux. When running on CoreOS, the coreos class is defined and sys.flavor is set to coreos_VERSION, where VERSION is derived from /etc/os-release, for example coreos_1185.3.0 (ENT-3046, CFE-1881).

The new functions sysctlvalue() and data_sysctlvalues() for extracting data from /proc/sys are available on Linux systems (CFE-2513).

The new readenvfile() function parses environment files (KEY = VALUE, or KEY = "VALUE"). The readdata() function can now parse ENV files, and now detects files ending in .yml as YAML and files ending in .env as ENV (CFE-1881).

cf-agent gained the --show-evaluated-vars and --show-evaluated-classes options, which work similarly to cf-promises --show-vars and cf-promises --show-classes. The difference is that the output is displayed at the end of the agent run and thus has access to classes and variables that were defined during full policy evaluation, instead of only those available after system discovery and pre-evaluation. Additionally, the cf-promises --show-vars and --show-classes options can now take an optional regular expression used to filter the output.

A new tool cf-net has been added. It is a CLI tool targeted at testing and debugging the network protocol (CFE-2493).

In the MPF the default update policy has been made more resilient against partial or corrupt updates. You can now enable additional verification on files transferred during policy updates by defining the cfengine_internal_verify_update_transfers class. Additionally if there is a problem transferring any policy file the cf_promises_validated marker is cleared in order to ensure a full update scan on the next agent execution (CFE-2587).

The self upgrade policy has been re-factored into a standalone policy entry (standalone_self_upgrade.cf). Agents run this standalone policy as a sub agent. On systemd managed hosts the run is executed via systemd-run in order to allow for the package upgrade to not be terminated early when the service unit shuts down (ENT-3155).

The files_single_copy agent control can now be specified via augments (CFE-2458).

The bundlesequence for the main policy (promises.cf) can now be augmented by defining the variable def.control_common_bundlesequence_end.

The apt_get package_module now works with both python 2 and 3 (CFE-2445) and is now version aware. For apt-get versions prior to 1.1, --force-yes is used; in versions 1.1 and later it is replaced by --allow-downgrades, --allow-remove-essential, and --allow-change-held-packages (CFE-2360). Additionally, a bug preventing package updates when multiple sources are available has been fixed (CFE-2605).

Fix apt_get package_module incorrectly using interactive mode when a configuration file is created before a package is installed, by always using the --force-confold and --force-confdef options.

Fix bug which prevented updates from being picked up if there was more than one source listed in the apt upgrade output, without a comma in between (CFE-2605).
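The version-dependent option selection described above, sketched as an added example (this is not the apt_get module's own code). The function names, the assumed format of the `apt-get --version` line, the `-y` flag and passing the dpkg options through `-o Dpkg::Options::=` are assumptions of this sketch.

```python
import re

# Assumed shape of the first line of `apt-get --version`,
# e.g. "apt 1.2.20 (amd64)" or "apt 1.0.9.8.4 for amd64 compiled on ...".
_VERSION_RE = re.compile(r"^apt\s+(\d+(?:\.\d+)*)")


def parse_apt_version(first_line):
    """Return the leading numeric version as a tuple of ints, e.g. (1, 2, 20)."""
    match = _VERSION_RE.match(first_line.strip())
    if not match:
        raise ValueError("unrecognised apt-get version line: %r" % first_line)
    return tuple(int(part) for part in match.group(1).split("."))


def override_flags(version):
    """Pick the override flags for this apt-get version."""
    # Compare integer tuples: as plain strings, "1.10" would sort before "1.2"
    # and a 1.10 host would wrongly get the pre-1.1 flag.
    if version < (1, 1):
        return ["--force-yes"]
    # The three flags named in the release note. --force-yes was a blanket
    # override; this narrower set leaves out --allow-unauthenticated.
    return [
        "--allow-downgrades",
        "--allow-remove-essential",
        "--allow-change-held-packages",
    ]


def conffile_flags():
    """Keep an existing config file, else take the default, so dpkg never prompts."""
    return [
        "-o", "Dpkg::Options::=--force-confold",
        "-o", "Dpkg::Options::=--force-confdef",
    ]


def build_install_command(version_line, package):
    """Assemble a non-interactive install command (illustrative layout)."""
    version = parse_apt_version(version_line)
    return (["apt-get", "-y"] + override_flags(version)
            + conffile_flags() + ["install", package])


if __name__ == "__main__":
    # Constructed sample version lines, not captured from real hosts.
    for line in ("apt 1.0.9.8.4 for amd64", "apt 1.2.20 (amd64)", "apt 1.10"):
        print(line, "->", " ".join(build_install_command(line, "curl")))
```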

oslevel inventory has been added for AIX hosts (ENT-3117) and package_module based package inventory is disabled on old distributions with unsupported python versions (e.g. redhat_4) (CFE-2602).

A new class, client_initated_reporting_enable (CFE-2623), was introduced along with the new variables def.mpf_access_rules_collect_calls_admit_ips (CFE-2624) and def.control_hub_exclude_hosts, which controls the networks for which the hub should not initiate report collection (CFE-2622). Together these make it easier to enable and configure client initiated reporting in CFEngine Enterprise without modifying policy.

New variables def.default_data_select_host_monitoring_include and def.default_data_select_policy_hub_monitoring_include (CFE-2505) were introduced to make it easier to specify which measurements taken by cf-monitord should be collected for central reporting.

The default_repository can now be configured by defining the variable def.control_agent_default_repository when the mpf_control_agent_default_repository class is defined.

The new variable def.max_client_history_size was introduced to allow controlling the amount of client side reports waiting to be collected into the CFEngine Enterprise hub that are allowed to build up before being purged. Additionally previous_state and untracked_reports are now included in the purge when def.max_client_history_size threshold is reached (ENT-3161).

Promises with handles matching the regular expression noreport_.* are no longer collected for central reporting in CFEngine Enterprise by default (ENT-3061).

The prunetree agent bundle has been added to the standard library (CFE-2608) complementing the existing prunedir bundle.

The ability to select an INI region containing meta characters has been fixed (CFE-2519). For example this fixes the ability to manage hidden smb shares like [hidden$]. select_region INI_section has also been fixed so that the end of a file is sufficient to match the end of the section (CFE-2519).

A new shortcut for templates was added (CFE-2582).

The behavior of the set_config_values() and set_line_based() edit_line bundles has changed. Now, when inserting a configuration option with an empty value, a trailing space is no longer inserted (CFE-2466).

systemd services are now only “re-started” if the service is already running (CFE-2541). If the service is NOT running, it will simply be started.

The paths bundle in the standard library now uses the path to POSIX compliant tools by default. The behavior can be disabled by defining the class disable_mpf_stdlib_use_posix_utils (CFE-2616).

Directories for ubuntu_16 and centos_7 are now automatically created on Enterprise hubs (ENT-3136).

The default files for which detailed change monitoring is tracked are now only monitored if the files actually exist (ENT-3040).

cf-serverd now listens on both IPv4 and IPv6 interfaces by default (CFE-528).

A new package_module for zypper was introduced (CFE-2533).

In addition to the improvements in core, CFEngine Enterprise has seen the addition of a global search box allowing hosts to be easily located by hostname or IP address (ENT-3059).

Host info pages now include a button to copy the URL for a direct link to the currently viewed host (ENT-3096), and hostnames shown in the host tree summary reports now link to the host specific info page (ENT-3094). The Changes report now defaults to today's changes instead of changes from the last 7 days (ENT-2840).

Exporting of CSV reports and access to reports shared with users having multiple roles have been fixed (ENT-3099). The query API has been optimized (ENT-2829) and the sorting of columns from an exported inventory report is now retained (ENT-614).

A new binary tarball package was introduced making it easier to test and use cfengine on platforms without traditional native package managers.

Mission Portal’s application logs have been relocated from /var/cfengine/httpd/htdocs/application/logs to /var/cfengine/httpd/logs/application (ENT-2758).

The following dependencies have been upgraded:

  • Update redis from 3.2.6 to 3.2.8
  • Update git from 2.10.2 to 2.13.0
  • Update autoconf from 2.60 to 2.69
  • Update postgresql for hub from 9.6.1 to 9.6.2
  • Update curl from 7.50.3 to 7.53.1
  • Update libiconv from 1.14 to 1.15
  • Update pcre from 8.39 to 8.40
  • Upgrade to LMDB 0.9.19
  • Update postgresql from 9.0.22 to 9.0.23
  • Update libcurl to 7.54.0
  • Update php from 5.6.29 to 5.6.30
  • Update lcov from 1.10 to 1.13
Nick Anderson