CFEngine 3.13.0 released

Posted by:

23 Nov 2018

Today we are very happy to announce the release of CFEngine 3.13.0. This is a non-LTS release, introducing new features and functionality.
There is a lot happening with CFEngine these days! This release is closely following last weeks release of CFEngine 3.10.5 LTS, and soon we will also release the next patch version of our 3.12 LTS series. So keep following our updates!


Contribute to CFEngine

Did you know that CFEngine is a dual license open source project? And not only that, we are encouraging community contributions, and are always looking for ways to improve and grow our ecosystem. We encourage you to contribute and participate in the fun development of CFEngine!
Do you want to start contributing but are unsure how?


New Features

CFEngine 3.13.0 has received all of the bug fixes and improvements that have been applied to CFEngine since 3.12.0 was released, and is as such a great release, with a lot of improvements. In addition, there are some new features we are very excited about.


Policy Analyzer

Perhaps the most prominent feature we have introduced in CFEngine Enterprise 3.13 is the new Policy Analyzer. This allows you to visually inspect your policy, and understand what parts of it is kept, not kept or repaired – and at what hosts this is happening, directly from the Mission Portal.

This new feature enables you to drill down into policy and see inline in the code viewer embedded in Mission Portal how the policy works on each host and what the outcome is. You can filter on promises status, specific hosts or classes to get insight into all policy evaluation there.

The resulting promise outcomes can be sorted by promise outcome, promise type, hostname or other properties. It will also tell you if the version of policy executing on the host is up to date with the latest version from the host.

In order to enable the Policy Analyzer, you will need to consent to the copying of Masterfiles to a location readable by Mission Portal. Out of the box, Mission Portal does not have this ability and we have decided not to change the default behavior. For this reason, the Policy Analyzer tool is not enabled by default, so please go ahead and enable it – go to Mission Portal, and to the Policy Analyzer tab, and follow the instructions. But don’t worry, you are just one click away!

A new visual Policy Language inspection tool for use in Mission Portal
CFEngine Policy Analyzer

We are very interested in more feedback on this new feature and hope that many people would like to use it. We have a long list of features and value we will add to this tool in the next few versions of CFEngine, but are excited to hear more about what you want to use it for and what can make it better for you.

Here is a small screencast of how the Policy Analyser can show you the policy that does not work as expected. The correct package name on Ubuntu should not be httpd but apache2.

Changes in CFEngine Core

In 3.13.0 we have introduced a number of interesting new features and fixes to CFEngine Core. All of the bug fixes and improvements that have been fixed for 3.10.5 LTS is also included in 3.13.

In August, OpenSSL released version 1.1.1 and we have upgraded to this in 3.13. This brings the new TLS 1.3 that provides significant security and performance benefits. It will be used by default whenever both hub and agent are running 3.13.

We have introduced a new inventory policy that will gather metadata from Amazon EC2 instances, improving the user experience and functionality in that cloud environment. This is a part of our ongoing push to improve the CFEngine cloud experience.

We have introduced a new class for forcing the policy to be requested from the network. Running update policy with mpf_skip_local_copy_optimization results in policy update connecting to cf-serverd instead of using a local copy. This can be valuable in both testing and real-life examples.

Also worth mentioning is that we have added support for Ubuntu 18.04 to CFEngine 3.13.0. It is nice to see old and new software working together as when we are using Ubuntu 18 with Windows server 2008, and the support for more than decades-old infrastructure is one of the benefits of such a wide platform support as what CFEngine provides. You can see all the supported platforms for 3.13 here.


New in CFEngine Enterprise

In CFEngine Enterprise, we have done a lot of work!

A lot of it is internal, such as improving our multi-threaded code for performance and stability.

As mentioned above, we have the new Policy Analyzer. We have also implemented a new way to get your own documentation displayed in Mission Portal so that you can document e.g. your own policy, and make that documentation available in a simple and RBAC-protected way to the users of your system. This has also been backported to 3.10.5 and the upcoming version of 3.12.

In Mission Portal, we have made several improvements. We have resolved an issue that prevented some users from exporting reports as CSV, we have fixed a bug that caused some custom notification scripts not to fire, fixed a bug that caused alerts not to show up in the Mission Portal Events Log on some platforms, and made it possible for multiple users to create independent reports with the same name, something that was causing issues previously.

In 3.13 we have changed the old Design Center API for version control, into a new VCS API (Version Control System) that makes it easier and more intuitive to maintain your policy in a Git repository, and check it out for use in CFEngine. You can read more about this API in our documentation here.

You can see a list of the issues fixed in our public Jira for 3.13.0 here. And for more details, please see the relevant ChangeLog entries:



CFEngine is an enterprise product, and we have always been proud of our code quality, both with regards to the languages and patterns we use, the development team, and the end product we provide for our customers at the end of a development cycle. We have a lot of tests covering the CFEngine source code, and we think the time has come to share some of the results that we see, that make us confident in the quality of CFEngine.

We are using both Jenkins and Travis to run automated tests on all of our builds, to ensure that the quality is always high. And as we are adding new features or improving existing code, we are always adding new test cases to make sure we keep a close eye on the performance of our product.

For 3.13 we are running a base set of more than 2 000 tests on each build, resulting in 23 000 tests across all the platform combinations we support. At the time of releasing 3.13, all the tests we run are passing, giving us a good indication of our quality. We are fully aware that automated tests are not the only way to ensure quality, so we also spend a lot of time using our own software, both on a day to day basis, as well as executing a rigorous manual testing scheme before the release of each version of CFEngine.

We will continue to improve our test coverage and code quality and keep the community up to date with the quality metrics we are introducing.

For 3.13 we have also enabled a tool called LGTM to track several quality metrics of our source code. We have spent quite a bit of time resolving all the issues reported and have significantly improved with this tool. For now, we have only subjected CFEngine Core to this tool, but we are looking for ways to add other parts of CFEngine as well.

One view of how LGTM is scoring the quality of CFEngine Core. Note that the large project to the right is the Linux kernel.



CFEngine is not depending on many external libraries, but we do depend on a few. With 3.13 we have updated some dependencies from what we used in 3.12 in order to get the latest security, performance and reliability improvements.

3.12.0 3.13.0
libacl 2.2.52 2.2.53
libattr 2.4.47 2.4.48
libcurl 7.59.0 7.61.0
php 7.2.6 7.2.11
postgresql 10.4 11.0
git 2.17.0 2.19.1
apache 2.4.33 2.4.35
apr 1.6.3 1.6.5
libyaml 0.1.7 0.2.1
openssl 1.0.0h 1.1.1



If you are upgrading an existing CFEngine Enterprise installation, you can check out the upgrade documentation for 3.13 for guidelines to make the process as smooth as possible.
We are of course always happy to assist customers with upgrading! If you are a community user, you can contact sales to receive a fixed-price quote for upgrading your CFEngine infrastructure to the Enterprise version of CFEngine. We are here to help you get more out of CFEngine!


Get CFEngine 3.13 now!

CFEngine Enterprise packages can be downloaded here or you can take a quick spin with the CFEngine Enterprise Vagrant environment for 3.13.
Community Edition is released as source codepackages, and Linux package repositories — to make installation as easy as possible!

We hope you enjoy this new release, and we are looking forward to hearing about your experience in the CFEngine Google Group!

Nils Christian Roscher-Nielsen