CFEngine 3.15 LTS released
Posted by: Nils Christian Roscher-Nielsen
Today marks a new milestone for CFEngine, with the release of the new CFEngine 3.15.0 LTS. This is the newest Long Term Supported CFEngine series, introducing a lot of great stuff.
The biggest new feature in CFEngine 3.15 is Federated Reporting, which we will cover later in this blog post, but there are many other new improvements as well.
If you are interested to learn more, schedule training, or hear about pricing options, feel free to reach out to us!
Last week, we launched the last release of the CFEngine 3.10 LTS series, and support for 3.10 is coming to an end at the end of this year. CFEngine 3.12 LTS is still under standard support for another 18 months, and CFEngine 3.15 will receive standard support for the next 3 years. This is all described in the CFEngine release schedule.
We are always looking for new contributions to CFEngine! Are you unsure how to get started? Please check out our contributing guide in addition to the following suggestions.
- Send documentation updates as pull requests to cfengine/documentation.
- Search for issues labeled easy or help_wanted that are OPEN or TODO that are good candidates for new contributors to cfengine/core or cfengine/masterfiles.
- Fix issues pointed out by code analysis: https://lgtm.com/projects/g/cfengine/core/alerts/ (We recently added some custom rules, so there are many alerts to fix)
New in CFEngine Core
We have made a lot of improvements to CFEngine Core. Some of these are brand new to CFEngine 3.15, while some we were also able to backport to the 3.12 series. You can read all the details in our changelogs:
In CFEngine 3.15 we have made a few changes to the supported platforms, based on customer conversations, surveys, and as we have earlier announced.
For the Enterprise Hub, we have dropped support for
- Ubuntu 14.04
- Debian 7
- CentOS/RHEL 5
- Debian 7
CFEngine 3.15 LTS adds agent support for CentOS/RHEL 8, and also provides a new file system image for use in container environments.
In our documentation, you can see the full list of supported platforms. If you have any questions or would like extended support for additional platforms, please let us know!
Improved database stability
We have focused a lot on the stability of the LMDB databases used by CFEngine on the hosts lately. If these end up in a confused state, it can cause problems for the CFEngine Agent. We have made several changes to improve the overall stability to avoid this from happening.
Also, in CFEngine we now have a tool called
cf-check that is used to check and manage LMDB database consistency. This tool has received significant improvements and is also available for direct utilization when needed. CFEngine will itself use this to automatically mitigate issues where the LMDB data is not in a consistent state.
New features in Enterprise
Many of the new features we have worked on will greatly benefit the reporting capabilities, Mission Portal and other aspects of the Enterprise version of CFEngine.
Federated reporting is a major new feature in CFEngine. It was introduced in the CFEngine 3.14 release earlier this year, and we have received a lot of really good feedback since then. Thank you to all who provided feedback and opinions.
Federated Reporting is a fairly simple addition to our already flexible reporting scheme. Currently, we support up to 5000 reporting hosts per CFEngine Hub. This enables a single pane of glass for all your reporting, across sites, security zones, datacenters, or however you wish to set up your infrastructure. It simplifies creating and sharing reports on the entire infrastructure you have running, for compliance monitoring or whatever other needs your organization has.
The new host info page has a lot more in-depth information immediately available.
File Integrity Monitoring
In CFEngine 3.15 we have significantly improved the File Integrity Monitoring (FIM) capabilities. We have added a range of new features in Mission Portal, as well as on the back-end.
There is now a file changed alert condition, and you can trigger events in Mission Portal based on this. There is also a widget in Mission Portal you can use to track changes and In reports, you can see all the file diffs directly in Mission Portal.
Improved Query Builder
In Mission Portal, we have a UI based query builder, to enable anyone to build their own SQL queries to all the data in CFEngine without actually writing complex SQL themselves. This has now been significantly improved. The UI experience has gotten a touch-up and feels more intuitive and straight forward to use.
The query builder now also has the opportunity to add custom schemas to your queries, not just the data that comes out of the box with Mission Portal. In addition to that, we have now improved the flexibility of the available Join types.
Our goal is to make your data more accessible and understandable so you can make the right choices for your infrastructure.
Improved Role-Based Access Control (RBAC) features in Mission Portal
We have now improved the RBAC control potential in Mission Portal. This makes it simpler for Admins to make sure that all the Mission Portal users have the correct access rights, and to make it simpler to create new Roles.
We have added a powerful UI in Mission Portal to enable the admin role in Mission Portal to assign access to features to roles and groups as they want to.
An admin can also easily create new roles. In association with this, we have now also optimized the default RBAC settings of new roles to be more conservative.
Previously, RBAC settings were limiting even the Admins’ possibility to delete hosts that had never reported. This issue has now been fixed.
In CFEngine 3.13 we introduced the Policy Analyzer for the first time. This is now finally released in a Long Term Supported release. This is a very helpful feature that makes the work of policy writers simpler and more fun. The Policy Analyzer provides a UI to see the status of a policy run, and directly correlate the actual policy and the outcome on the host. Easily filter on policy outcome, dig into each policy file, and understand the outcome of the policy.
Improved Host Info page
Several very valuable improvements have been made to the Host Info page, making all the information about any host in your infrastructure immediately available in one place.
We have added a long list of new data to the Host Info page, that was previously available but much harder to find. This includes.
- Average agent execution interval
- Average agent execution time for each policy entry,
- First report collection time,
- Host bootstrapped time
- Last agent execution time
- Inventory attributes and corresponding values
- All defined classes
- All defined variables
This improved Host Info page has been requested by several customers, and we hope this can significantly improve your workflow with Mission Portal.
Report on Promises NOT KEPT
In CFEngine, a promise can have thee outcomes, KEPT, REPAIRED or NOT KEPT.
KEPT means that everything was as it should be.
REPAIRED means that something was not as it should be, but CFEngine fixed it, while
NOT KEPT are the issues that CFEngine for whatever reason was not able to repair.
For every policy run, we update the information about the outcome of all promises that are executed. In some cases though, we have seen that infrequently-run promises that are NOT KEPT are easy to lose track of. We have therefore added a new widget to Mission Portal that keeps track of all promises that were NOT KEPT and have not subsequently been KEPT or REPAIRED.
Faster Reporting after bootstrapping
The reporting toolchain of CFEngine is very efficient – but it is not optimized to be immediate – because CFEngine is optimized for managing large scale infrastructure, not small-scale demo environments. However, in 3.15 we have now made several improvements to make sure that bootstrapped hosts show up in Mission Portal and report almost immediately. This improves the workflow of bootstrapping new hosts, as you will more quickly be able to verify they are all there, and reporting as they should be.
CFEngine supports a High Availability (HA) setup, where multiple Hubs are available to ensure no disruption to service, even if one of the hubs should go down for whatever reason.
This is not supported in the 3.15.0 release of CFEngine. We have upgraded to PostgreSQL 12, to get the benefit of many improvements. The drawback is that there is currently no support for PostgreSQL 12 in a part of the setup we use for HA. We will support HA from 3.15.1, so please wait for that release if you depend on an HA setup.
We have fixed a myriad of large and small issues, made improvements and added small features. Some examples include
- Improved all password fields to not show characters unless you ask for it
- Fixed an issue where certain IPv6 addresses showed as IPv4
- Improved discovery of license information.
cf-hub --show-licensewill now show you the up to date license information on your CFEngine Hub. You can use this to see how the license utilization of each Hub in your infrastructure is.
As always, CFEngine bundles all dependencies in our product, so there is no need to worry about meeting these, or managing them yourself. We have updated some dependencies since CFEngine 3.14, and here is a list of the new requirements.
For a full list of dependencies, you can see the changelogs in our documentation.
We would love to hear what you think about this release, and what features you are looking forward to the most.
What more do you want? We are still collecting data on what our customers and users are most interested in, and would greatly appreciate more feedback on this short survey!