CFEngine 3.12.2 LTS Released

20 May 2019

We are happy to release the 2nd update to the CFEngine 3.12 LTS series. This update comes with many important stability and performance improvements and is thus well worth the upgrade from an older version of 3.12 LTS. CFEngine 3.12 LTS brings a lot of innovation, new features and improved performance to CFEngine, and allows you to make the most efficient use of your time. We are looking forward to your feedback on this release.

According to the CFEngine release schedule, CFEngine 3.12 LTS is maintained and supported until June, 2021.

3.12.2 LTS is a maintenance release (also known as a patch release), with the goal to increase the stability and reliability for CFEngine users and enable a safe upgrade path. As such, this release primarily includes bug fixes and low-risk changes that do not impact the compatibility between previous patch releases.

Do you want to start contributing to CFEngine, but are unsure how? Please check out our contributing guide in addition to the following suggestions.

Improvements to CFEngine Core

The core of CFEngine is open source, and we have made multiple improvements to this codebase, CFEngine Core.

Platform Support

With the 3.12.2 release, CFEngine now officially supports Ubuntu 18.10. Ubuntu continues to gain popularity and many CFEngine users rely on it daily.

CFEngine provides a wide set of supported platforms, and we are proud to keep support for older, yet widely used platforms, as well as very recent ones. This enables a diverse group of users and customers to get the most out of CFEngine across very different infrastructures.


For improved flexibility, we have added support for setting the package module interpreter, and we have made it possible to override the package module's path.

We have improved cf-key by adding the --no-truncate option. When used with --show-hosts, this option changes the formatting so that the output is printed in full, with no padding, and with fields separated by a single tab character. This makes the output more useful for parsing by other scripts and tooling. As in the recently released 3.10.6, the cf-key help now properly notes the ability to delete by key digest.
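The tab-separated output lends itself to a simple trust-store audit. The following is an added example, not code from CFEngine: it assumes the listing has five columns (direction, address, hostname, last connection, key digest) plus a header and a trailing summary line, and the sample data, key digests and function names are constructed for illustration.

```python
# Added example: audit a tab-separated "cf-key --show-hosts --no-truncate"
# listing. The five-column layout below is an assumption, and every value
# in SAMPLE is constructed.
KEY_A = "SHA=" + "a" * 64
KEY_B = "SHA=" + "b" * 64
KEY_C = "SHA=" + "c" * 64

SAMPLE = "\n".join([
    "Direction\tIP\tName\tLast connection\tKey",
    f"Incoming\t192.0.2.10\thost-a.example.com\tMon May 20 10:00:00 2019\t{KEY_A}",
    f"Outgoing\t192.0.2.1\thub.example.com\tMon May 20 10:01:00 2019\t{KEY_B}",
    f"Incoming\t192.0.2.99\t-\tMon May 20 10:02:00 2019\t{KEY_C}",
    f"Incoming\t192.0.2.11\thost-a2.example.com\tMon May 20 10:03:00 2019\t{KEY_A}",
    "Total Entries: 4",
])

FIELDS = ("direction", "address", "hostname", "last_seen", "key")


def parse_hosts(text):
    """Split each line on single tabs; skip the header and any line
    that does not have exactly the expected number of fields."""
    records = []
    for line in text.splitlines():
        cols = line.split("\t")
        if len(cols) != len(FIELDS) or cols[0] == "Direction":
            continue
        records.append(dict(zip(FIELDS, cols)))
    return records


def audit(records, approved_keys):
    """Return (unknown, shared): key digests that are not on the approved
    list, and key digests seen from more than one address."""
    addresses_by_key = {}
    for rec in records:
        addresses_by_key.setdefault(rec["key"], set()).add(rec["address"])
    unknown = sorted(k for k in addresses_by_key if k not in approved_keys)
    shared = sorted(k for k, a in addresses_by_key.items() if len(a) > 1)
    return unknown, shared


if __name__ == "__main__":
    unknown, shared = audit(parse_hosts(SAMPLE), {KEY_A, KEY_B})
    print("keys not on the approved list:", unknown)
    print("keys seen from several addresses:", shared)
```
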

CFEngine has added a new option, --skip-db-check, to the agent and execd. This option allows you to enable/disable database (LMDB) consistency checks. For now, this is disabled by default, but this will possibly change in the future.

On AIX, the sys.flavor variable has been fixed to show more accurate information. We have also fixed an issue on AIX where CFEngine was not able to correctly parse the output of 'ps' because some lines were not of the length CFEngine expected.

We have also improved the 'ps' command used internally so that it can now handle longer usernames.

Unresolved function calls in a process_select body are now skipped. Function calls which always fail, like getuid("nosuchuser"), are never resolved. Previously this would cause a programming error, since the body is expected to have a list of strings, not unresolved function calls. The function calls are silently skipped (with a verbose message), as this matches the behavior of calling the functions in a vars promise and using the result as a body parameter.

We have improved the "failsafe" policy run, by setting the policy release_id to "failsafe"/"bootstrap" when running

The CFEngine CSV parser now supports the CRLF line break inside double quotes. This was done as some policy did not run as expected while using this line break, but now it works well.

CFEngine has introduced an error when a function defining a variable still fails at the third evaluation pass.

Messages about invalid class characters from module protocol have been moved to VERBOSE to make logs less noisy. In addition, copylink_pattern now honors '/../' in copy source, and forward slashes are now allowed in module protocol commands.


Documentation of how cf-execd and cf-serverd respond to SIGHUP has been added to the respective manpages, as we know that the online documentation is not always the most convenient option.

Improved Quality

In this release we have fixed a segfault in 'cf-promises -p json-full', the parsing of YAML values starting with numbers, a memory leak in the 'filesexist()' function, and a segfault in the policy parser. This all improves the stability and quality of CFEngine.

All of this makes CFEngine easier to use, and more consistent. Documentation for the latest release of 3.12 LTS includes changelogs for Core, Enterprise, and the MPF (Masterfiles Policy Framework).

CFEngine Enterprise

For use in larger infrastructure, where you have the need for accurate inventory and reporting, CFEngine Enterprise is the preferred option. These features have received significant improvements in the 3.12.2 release.

New and improved APIs

In CFEngine 3.12.2 we have added API support for the Health Diagnostics feature, along with documentation for the new API. As a part of this, we have also expanded the capabilities of the Health Diagnostics feature, so you can dismiss warnings more easily, including through the API.

We have made the error log message for failed user authentication more specific. We have also fixed the Host API deletion status codes and added the cleanup_historical_data() function to our SQL schema.

With this release, we have also made sure that our detection of recent Windows versions is working correctly.


An issue was discovered where the generation of a report with no errors in the log would silently hang, and the report would not be generated. This has been rectified.

In the Inventory reports, we have improved the filters. This includes fixing a bug where multiple filters on the same attribute would only result in filtering on the first instance. The report now honors all filters, including several on the same attribute.

An issue with error handling in cf-hub delta queries has been fixed so that cf-hub will now attempt to do a rebase if it cannot obtain the last report timestamp. This change only affects scheduled runs, not when invoked with `--query delta` from the command line. This also means that hosts which are not present in the status table will be rebased instead of generated from a delta from 0.

We have also stopped logging a message when the check for pending alerts succeeds and finds none.

Code Quality

As part of our continuous focus on code quality, we have discovered and fixed memory leaks in both cf-hub and in the enterprise agent.

We have also discovered an issue where a few data structures were not correctly managed and slowly kept growing, but were not detected as memory leaks because they were technically not leaks. This growth caused unstable behavior on certain platforms; we have specifically seen it on AIX. This, along with actual memory leaks, has been fixed to make the memory use of CFEngine 3.12.2 LTS much better than in the previous 3.12 releases.

These fixes will improve the runtime performance and stability of CFEngine.

Mission Portal

In the Mission Portal in 3.12.2, we have added the ability to do a full export and import of settings from one instance to another. This includes dashboards, users and their access rights, scheduled reports, and much more.

We have also made sure that new widgets in CFEngine are now added to the default dashboard after a CFEngine upgrade, so they are simpler to evaluate and learn how to use.

The new Mission Portal Export/Import feature

CFEngine 3.12.2 also introduces a new out of the box widget for decommissioned hosts. Combined with the Added Hosts Widget, this gives you full insight into the number of hosts under management and a continuous view of the changes made to your system.

In Mission Portal, we have also fixed an issue where a custom categorized host list failed to show the correct host and instead only showed an error.


In CFEngine 3.12 we recently discovered a security vulnerability that qualifies as a CVE, in fact the first one since the release of CFEngine 3. This is only relevant for enterprise customers, as it relates to our reporting capabilities and Mission Portal. The vulnerability has been mitigated, all customers notified, and in this release, it is no longer a problem. More details around this will be published soon.

Dependency updates

In CFEngine 3.12.2 we have updated the following dependencies. As usual, we have updated dependencies in order to get the latest security, performance and reliability improvements.

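| Dependency | Previous version | New version |
|---|---|---|
| lcov | 1.13 | 1.14 |
| pcre | 8.42 | 8.43 |
| libyaml | 0.2.1 | 0.2.2 |
| openldap | 2.4.46 | 2.4.47 |
| libcurl | 7.62.0 | 7.64.1 |
| libcurl-hub | 7.62.0 | 7.64.1 |
| apr | 1.6.5 | 1.7.0 |
| apache | 2.4.35 | 2.4.39 |
| git | 2.19.1 | 2.21.0 |
| postgresql-hub | 10.6 | 10.7 |
| php | 7.2.12 | 7.2.18 |
| libxml2 | 2.9.8 | 2.9.9 |
| OpenSSL | 1.1.0i | 1.1.1b |
| sasl2 | 2.1.26 | 2.1.27 |
| libiconv | 1.15 | 1.16 |
| CodeIgniter | 3.1.3 | 3.1.10 |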

OpenSSL 1.1.1b provides support for TLS 1.3, a new major update to the TLS protocol family. It will be used whenever both hub and agent support it, unless explicitly disabled in the policy.


If you’re upgrading an existing CFEngine Enterprise installation, check out the upgrade documentation for 3.12 for guidelines to make the process as smooth as possible.

We are always happy to assist our customers with upgrading! You can contact sales to receive a fixed-price quote for upgrading your CFEngine infrastructure, and get more out of CFEngine!

Get it!

CFEngine Enterprise packages can be downloaded here or you can take a quick spin with the CFEngine Enterprise Vagrant environment for CFEngine 3.12.

Community Edition is released as source code packages and through Linux package repositories, to make installation as easy as possible!

We hope you enjoy the new release, and we look forward to hearing about your experience in the CFEngine Google Group!

Brush up your CFEngine knowledge!

If you would like to refresh your CFEngine knowledge or are learning it from scratch, you can attend one of our training sessions. Check the event calendar on our website, or get in touch with us to see what the best option in your area is!

There is also an updated version of the Learning CFEngine book by Diego Zamboni now available on LeanPub.


Nils Christian Roscher-Nielsen