CFEngine 3.15 LTS released

19 Dec 2019

Today marks a new milestone for CFEngine, with the release of the new CFEngine 3.15.0 LTS. This is the newest Long Term Supported CFEngine series, introducing a lot of great stuff.

The biggest new feature in CFEngine 3.15 is Federated Reporting, which we will cover later in this blog post, but there are many other new improvements as well.

If you are interested in learning more, scheduling training, or hearing about pricing options, feel free to reach out to us!

Last week, we launched the last release of the CFEngine 3.10 LTS series, and support for 3.10 is coming to an end at the end of this year. CFEngine 3.12 LTS is still under standard support for another 18 months, and CFEngine 3.15 will receive standard support for the next 3 years. This is all described in the CFEngine release schedule.

We are always looking for new contributions to CFEngine! Are you unsure how to get started? Please check out our contributing guide in addition to the following suggestions.

New in CFEngine Core

We have made a lot of improvements to CFEngine Core. Some of these are brand new to CFEngine 3.15, while some we were also able to backport to the 3.12 series. You can read all the details in our changelogs.

Platform Support

In CFEngine 3.15 we have made a few changes to the supported platforms, based on customer conversations and surveys, and as previously announced.

For the Enterprise Hub, we have dropped support for:

  • Ubuntu 14.04
  • Debian 7

For the agent, we have dropped standard support for the following platforms (contact us for extended support):

  • CentOS/RHEL 5
  • Debian 7

CFEngine 3.15 LTS adds agent support for CentOS/RHEL 8, and also provides a new file system image for use in container environments.

In our documentation, you can see the full list of supported platforms. If you have any questions or would like extended support for additional platforms, please let us know!

Improved database stability

We have focused a lot on the stability of the LMDB databases used by CFEngine on the hosts lately. If these end up in a confused state, it can cause problems for the CFEngine Agent. We have made several changes to improve the overall stability and prevent this from happening.

Also, in CFEngine we now have a tool called cf-check that is used to check and manage LMDB database consistency. This tool has received significant improvements and is also available for direct utilization when needed. CFEngine will itself use this to automatically mitigate issues where the LMDB data is not in a consistent state.

New features in Enterprise

Many of the new features we have worked on will greatly benefit the reporting capabilities, Mission Portal and other aspects of the Enterprise version of CFEngine.

Federated Reporting

Federated reporting is a major new feature in CFEngine. It was introduced in the CFEngine 3.14 release earlier this year, and we have received a lot of really good feedback since then. Thank you to all who provided feedback and opinions.

Federated Reporting is a fairly simple addition to our already flexible reporting scheme. Currently, we support up to 5000 reporting hosts per CFEngine Hub. This enables a single pane of glass for all your reporting, across sites, security zones, datacenters, or however you wish to set up your infrastructure. It simplifies creating and sharing reports on the entire infrastructure you have running, for compliance monitoring or whatever other needs your organization has.

Using the new Hub Management app in Mission Portal, you can control the settings of the Federated Reporting feature.

The new host info page has a lot more in-depth information immediately available.

File Integrity Monitoring

In CFEngine 3.15 we have significantly improved the File Integrity Monitoring (FIM) capabilities. We have added a range of new features in Mission Portal, as well as on the back-end.

There is now a file changed alert condition, and you can trigger events in Mission Portal based on this. There is also a widget in Mission Portal you can use to track changes, and in reports you can see all the file diffs directly in Mission Portal.

Improved Query Builder

In Mission Portal, we have a UI-based query builder that enables anyone to build their own SQL queries against all the data in CFEngine without actually writing complex SQL themselves. This has now been significantly improved. The UI experience has gotten a touch-up and feels more intuitive and straightforward to use.

The query builder now also has the opportunity to add custom schemas to your queries, not just the data that comes out of the box with Mission Portal. In addition to that, we have now improved the flexibility of the available Join types.

Our goal is to make your data more accessible and understandable so you can make the right choices for your infrastructure.

Query Builder in action. Now with more flexible ways to construct your SQL queries.

Improved Role-Based Access Control (RBAC) features in Mission Portal

We have now improved the RBAC capabilities in Mission Portal. This makes it simpler for admins to make sure that all Mission Portal users have the correct access rights, and simpler to create new roles.

We have added a powerful UI in Mission Portal to enable the admin role in Mission Portal to assign access to features to roles and groups as they want to.

An admin can also easily create new roles. In association with this, we have now also optimized the default RBAC settings of new roles to be more conservative.

Previously, RBAC settings limited even admins' ability to delete hosts that had never reported. This issue has now been fixed.

Policy Analyzer

In CFEngine 3.13 we introduced the Policy Analyzer for the first time. This is now finally released in a Long Term Supported release. This is a very helpful feature that makes the work of policy writers simpler and more fun. The Policy Analyzer provides a UI to see the status of a policy run, and directly correlate the actual policy and the outcome on the host. Easily filter on policy outcome, dig into each policy file, and understand the outcome of the policy.

The new Policy Analyzer provides in-depth details about your policy and its status.

Improved Host Info page

Several very valuable improvements have been made to the Host Info page, making all the information about any host in your infrastructure immediately available in one place.

We have added a long list of new data to the Host Info page that was previously available but much harder to find. This includes:

  • Average agent execution interval
  • Average agent execution time for each policy entry
  • First report collection time
  • Host bootstrapped time
  • Last agent execution time
  • Inventory attributes and corresponding values
  • All defined classes
  • All defined variables

This improved Host Info page has been requested by several customers, and we hope this can significantly improve your workflow with Mission Portal.

Report on Promises NOT KEPT

In CFEngine, a promise can have three outcomes: KEPT, REPAIRED or NOT KEPT.

  • KEPT means that everything was as it should be.
  • REPAIRED means that something was not as it should be, but CFEngine fixed it.
  • NOT KEPT covers the issues that CFEngine, for whatever reason, was not able to repair.

For every policy run, we update the information about the outcome of all promises that are executed. In some cases though, we have seen that infrequently-run promises that are NOT KEPT are easy to lose track of. We have therefore added a new widget to Mission Portal that keeps track of all promises that were NOT KEPT and have not subsequently been KEPT or REPAIRED.

Faster Reporting after bootstrapping

The reporting toolchain of CFEngine is very efficient – but it is not optimized to be immediate – because CFEngine is optimized for managing large scale infrastructure, not small-scale demo environments. However, in 3.15 we have now made several improvements to make sure that bootstrapped hosts show up in Mission Portal and report almost immediately. This improves the workflow of bootstrapping new hosts, as you will more quickly be able to verify they are all there, and reporting as they should be.

High Availability

CFEngine supports a High Availability (HA) setup, where multiple Hubs are available to ensure no disruption to service, even if one of the hubs should go down for whatever reason.

This is not supported in the 3.15.0 release of CFEngine. We have upgraded to PostgreSQL 12, to get the benefit of many improvements. The drawback is that there is currently no support for PostgreSQL 12 in a part of the setup we use for HA. We will support HA from 3.15.1, so please wait for that release if you depend on an HA setup.

Miscellaneous

We have fixed a myriad of large and small issues, made improvements and added small features. Some examples include:

  • Improved all password fields to not show characters unless you ask for it
  • Fixed an issue where certain IPv6 addresses showed as IPv4
  • Improved discovery of license information. cf-hub --show-license will now show you the up-to-date license information on your CFEngine Hub. You can use this to see the license utilization of each Hub in your infrastructure.

Updated dependencies

As always, CFEngine bundles all dependencies in our product, so there is no need to worry about meeting these, or managing them yourself. We have updated some dependencies since CFEngine 3.14, and here is a list of the new requirements.

Dependency     Old version    New version
LMDB           0.9.23         0.9.24
openSSL        1.1.1b         1.1.1d
openLDAP       2.4.47         2.4.48
libcurl        7.64.1         7.67.0
libcurl-hub    7.64.1         7.67.0
apache         2.4.39         2.4.41
postgresql     10.7           12.1
php            7.3.5          7.4.0
git            2.21.0         2.24.0

For a full list of dependencies, you can see the changelogs in our documentation.

Feedback

We would love to hear what you think about this release, and what features you are looking forward to the most.

What more do you want? We are still collecting data on what our customers and users are most interested in, and would greatly appreciate more feedback on this short survey!

Nils Christian Roscher-Nielsen