CFEngine 3.10.6 LTS Released

10 May 2019

We are now happy to release the 6th update to the CFEngine 3.10 LTS series. This update comes with many important stability and performance improvements and is thus well worth the upgrade from an older version of 3.10 LTS.

Looking at the CFEngine release schedule, we can see that CFEngine 3.10 LTS is maintained and supported until December 27th, 2019. That is the end of this year, so you should start planning on upgrading to CFEngine 3.12 LTS, or the upcoming 3.15.0 LTS that is scheduled to be released around the same time as 3.10 reaches its end of life.

3.10.6 LTS is a maintenance release (also known as a patch release), with the goal to increase the stability and reliability for CFEngine users and enable a safe upgrade path. As such, this release primarily includes bug fixes and low-risk changes that do not impact the compatibility between previous patch releases.

Do you want to start contributing to CFEngine, but are unsure how? Here are some nifty tricks.

Improvements to CFEngine Core

The core of CFEngine is Open Source, and in this release we have made multiple improvements to CFEngine Core and the open source parts of CFEngine.


We have made several improvements to the usability of CFEngine in this release. For example, we have changed the cf-key help so that the output indicates the ability to delete by key digest.

On AIX, we have fixed the sys.flavor variable to show more correct information. We have also fixed an issue on AIX where CFEngine was not able to correctly parse the output of `ps` because some lines were not of the length CFEngine expected.

When it comes to `ps`, we have also improved it so that the `ps` command used internally can now handle longer usernames.

We have improved the “failsafe” policy run by setting the policy release_id to “failsafe”/“bootstrap” when running

The CFEngine CSV parser now supports the CRLF line break inside double quotes. This was done as some policy did not run as expected while using this line break, but now it works well.

CFEngine now reports an error when a function defining a variable still fails at the third evaluation pass.

Fixed log message about setting collect_window. Messages about invalid class characters from module protocol have been moved to VERBOSE to make logs less noisy, and copylink_pattern now honors ‘/../’ in copy source.

Forward slashes are now allowed in module protocol commands.


Documentation of how cf-execd and cf-serverd respond to SIGHUP has been added to the respective manpages, as we know that the online documentation is not always the most convenient option.

Improved Quality

In this release we have fixed a segfault in `cf-promises -p json-full`, fixed the parsing of YAML values starting with numbers, fixed a memory leak in the `filesexist()` function, and fixed a segfault in the policy parser. This all improves the stability and quality of CFEngine.

All of this makes CFEngine easier to use, and more consistent. Documentation for the latest release of 3.10 LTS includes changelogs for Core, Enterprise, and the MPF (Masterfiles Policy Framework).

CFEngine Enterprise

For use in larger infrastructure, where you have the need for accurate inventory and reporting, CFEngine Enterprise is the preferred option. These features have also received significant improvements in this release.

New and improved APIs

We have made the error log message for failed user authentication more specific.
We have also fixed the Host API deletion status codes and added the cleanup_historical_data() function to the SQL schema.

With this release, we have also made sure that our detection of recent Windows versions is working correctly, including versions of Windows beyond those that are officially supported by this version of CFEngine.


An issue was discovered, where the generation of a report with no errors in the log would silently hang, and not be generated. This has been rectified.

An issue with error handling in cf-hub delta queries has been fixed so that cf-hub will now attempt a rebase if it cannot obtain the last report timestamp. This change only affects scheduled runs, not when invoked with `--query delta` from the command line. This also means that hosts which are not present in the status table will be rebased instead of generated from a delta from 0.

We have now also stopped logging it when we successfully find no pending alerts, to make that log a bit cleaner. 

Code Quality

As part of our continuous focus on code quality, we have discovered and fixed memory leaks in both cf-hub and in the enterprise agent. These fixes will improve the runtime performance and stability of CFEngine. 

Mission Portal

There are several improvements to the CFEngine Mission Portal frontend.
We have improved the readability of reporting information on the “host info” page, as well as renamed `IP Naming` to `Report Collection` to make it more clear what data we are actually referring to.

We have also fixed an error that caused wrong license expiration information to be shown in Mission Portal.


In CFEngine 3.10 we recently discovered a security vulnerability that qualifies as a CVE. It is, in fact, the first one since the release of CFEngine 3.
This is only relevant for the enterprise customers, as it relates to our reporting capabilities and Mission Portal. The vulnerability has been mitigated, all customers notified, and in this release, it is no longer a problem. More details around this will be published soon.

Dependency updates

In CFEngine 3.10.6 we have updated the following dependencies. As usual, we have updated dependencies in order to get the latest security, performance and reliability improvements.

lcov: 1.13 → 1.14
lmdb: 0.9.22 → 0.9.23
pcre: 8.42 → 8.43
libyaml: 0.2.1 → 0.2.2
openldap: 2.4.46 → 2.4.47
libcurl: 7.61.1 → 7.64.1
libcurl-hub: 7.61.1 → 7.64.1
apr: 1.6.5 → 1.7.0
apache: 2.4.35 → 2.4.39
git: 2.13.6 → 2.13.7
postgresql-hub: 9.6.10 → 9.6.12
php: 5.6.38 → 5.6.40
redis: 3.2.12 → 3.2.13
OpenSSL: 1.0.2p → 1.0.2r


If you’re upgrading an existing CFEngine Enterprise installation, check out the upgrade documentation for 3.10 for guidelines to make the process as smooth as possible.

We are always happy to assist our customers with upgrading! You can contact sales to receive a fixed-price quote for upgrading your CFEngine infrastructure, and get more out of CFEngine!

Get it now!

CFEngine Enterprise packages can be downloaded here or you can take a quick spin with the CFEngine Enterprise Vagrant environment for CFEngine 3.10.

Community Edition is released as source code packages, and Linux package repositories — to make installation as easy as possible!

We hope you enjoy the new release, and we look forward to hearing about your experience in the CFEngine Google Group!

Brush up your CFEngine knowledge!

If you would like to refresh your CFEngine knowledge or are learning it from scratch, you can attend one of our training sessions. Check the event calendar on our website, or get in touch with us to see what the best option in your area is!

There is also an updated version of the Learning CFEngine book by Diego Zamboni now available on LeanPub.

Nils Christian Roscher-Nielsen