The benefits of automation with CFEngine – Speed, Security, Stability and Scalability


Who likes to deal with a slow-moving system? CFEngine takes great pride in developing and making available the industry’s fastest and leanest automation solution.


A CFEngine agent running on the client executes in less than one second, and it does so independently of other hosts in the CFEngine deployment. Being the only fully autonomous solution in the industry, it can operate and be fully functional without the need to always be connected to a central master. CFEngine is akin to a Formula One leader for the automation industry.

At one bank that was using a traditional push-based automation solution, it took 5-6 hours to update packages across several thousand servers. The performance impact on their system during deployment to the desktops was so severe, they had to wait for nights or weekends to make changes. With CFEngine you can update 100,000 hosts within just a few minutes.

When CFEngine 2 was introduced 10 years ago, the default run-interval of its agents was 30 minutes. In today’s fast-changing world this is no longer fast enough, and the new default run-interval has been shortened to 5 minutes. Since CFEngine runs so fast and barely impacts available resources (memory and CPU) during each execution, one can even run the agent every minute. Most solutions in the industry today are either push-based, where changes are invoked by humans, or operate with run-intervals of 30 minutes or more.

A practical use of this speed would be around patching systems. Let’s say a new security vulnerability has been exposed and IT operations needs to patch 20,000 servers. With CFEngine, the change or patch can be applied almost instantaneously across all 20,000 servers. This is because of the autonomous nature of the agents running on each individual server as well as the speed at which they execute CFEngine policy.

If you want a self-healing system that is continuously in compliance, speed is important as it allows you to check your system more frequently. Fast execution ensures that you don’t have agent processes occupying your process table for long, and in turn using up costly resources (such as CPU or Memory).


Proof-points of Speed:

  • The leanest and fastest solution in the industry
  • Fully functional even without central connectivity (ideal for IOT)
  • Any number of hosts can be updated simultaneously
  • Default run-interval is 5 minutes, configurable to 1 minute
  • Low execution time means low resource (CPU, memory) impact
  • Frequent run-intervals mean a more compliant system
  • Small footprint compiled with few dependencies leads to higher performance when it comes to client changes


Security is a core pillar of CFEngine. The technology has been designed and built from the ground up with security in mind, and this is reflected in the architecture, how the components communicate, and the quality of code. CFEngine’s default is “deny all”.


CFEngine is written in C and is very lightweight. It has been tested and hardened for many years in numerous small and large-scale production environments. Any third party libraries included in the code have been carefully reviewed from a security perspective. CFEngine normally only includes libraries that are mature and well-tested. In general, since it is a goal to keep CFEngine lean, new libraries are seldom added to the code.

All communication between the hub and clients can be encrypted, leveraging TLS. CFEngine uses its own protocol to communicate. CFEngine only requires one port to be open (5308, and this is configurable). Most permissions, whether they relate to file copying or bootstrapping of new agents, must be explicitly allowed in the system configuration files. It is impossible to push any commands or instructions to CFEngine locally without going through a pre-defined and trackable change process. Not only does this prevent potentially unrecoverable conditions resulting from accidental typos, but it also adds a layer of security to all your intended changes.

The bootstrapping of new agents to the hub uses a simple key exchange algorithm (like SSH key authentication). There is no need for external certificate servers with CFEngine.
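As an added illustration (not taken from this page or from the CFEngine project’s own policy files), the following cf-serverd policy fragment shows what the explicit-allow model described above looks like: nothing is served unless an access promise grants it. The network ranges and paths are constructed placeholders, and the attribute and variable names are as I understand the CFEngine 3 server control body, so verify them against the reference for your version.

```cfengine
# Added example of a cf-serverd access policy (constructed, not from the page).
# Nothing is reachable unless it is listed here: the default is deny-all.
body server control
{
  port                => "5308";              # the single port the page mentions; configurable
  allowconnects       => { "10.20.0.0/16" };  # constructed management subnet may connect at all
  allowallconnects    => { "10.20.0.0/16" };  # hosts allowed several simultaneous connections
  trustkeysfrom       => { "10.20.1.0/24" };  # new keys are only accepted from the bootstrap subnet
  allowlegacyconnects => {};                  # refuse the pre-TLS classic protocol entirely
  maxconnections      => "200";
}

bundle server access_rules
{
  access:
    # Policy files may be read only by hosts in the management subnet.
    "/var/cfengine/masterfiles"
      handle    => "access_grant_masterfiles",
      admit_ips => { "10.20.0.0/16" },
      comment   => "Policy distribution: explicit allow, everything else denied";

    # A per-host data directory, granted by the connecting host's key rather
    # than by address, so a host can never fetch another host's data.
    "/var/cfengine/host_data/$(connection.key)"
      handle     => "access_grant_host_data",
      admit_keys => { "$(connection.key)" },
      comment    => "Each host may fetch only its own directory";
}
```

Because there is no catch-all grant, a request for any path outside these two promises is refused and logged by cf-serverd, which is the behaviour to look for when auditing a hub’s exposure.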

CFEngine holds a very strong security track record according to NIST, and has maintained that record over the last 20 years.

Another testimonial to the security is our customer base. Verticals such as finance, government and other heavily regulated industries all tend to favor CFEngine because of its security track record.

If you are looking for an automation solution with a strong security track-record, a solution which is built and designed with security in mind, CFEngine is probably the best tool of choice.


Proof-points of Security:

  • Lightweight code (written in C)
  • Few third-party libraries
  • Only mature and well-tested libraries used
  • Only one port (5308) needs to be open for CFEngine to work
  • Encrypted Communication over TLS
  • Only automation tool that comes with natively built-in file integrity monitoring
  • Increased resiliency and security against client compromise, as there is no way to push commands or instructions to local hosts
  • Simple, but very secure and reliable trust between hosts and hub
  • Used in large-scale top-secret production environments
  • Very strong track-record for 20 years!
  • 0 security incidents reported since CFEngine 3 inception in 2009


CFEngine has been automating mission-critical production environments for more than 2 decades – when compared to other automation solutions, CFEngine has been deployed for much longer and is a very hardened solution.


CFEngine powers automation at one of the largest financial institutions in the US, and has done so for many years.

The lightweight nature of CFEngine and the care exercised in selecting and implementing third-party libraries have contributed to a lean, predictable and stable product. Regardless of the version (CFEngine 2 or 3), stability has been a cornerstone of the product. Even today there are countless installations of either version that form the backbone of IT automation for mission-critical production environments. The light footprint also means that there is no negative performance impact on the infrastructure, nor on the applications running atop it.

In case of a user error (for example a typo in written policy), or deployment of new policy code that contains errors, CFEngine detects the errors during validation and avoids deploying the policy. If such a policy nevertheless reaches the local host, CFEngine still detects the syntax error and falls back to running a fail-safe policy instead of executing the wrongly deployed one.

CFEngine is built on Promise Theory. It regards each directive (or promise as it is called) as an autonomous unit. By decoupling the software this way, and ensuring autonomous execution, systems automated using CFEngine become less vulnerable to a catastrophic and domino-effect failure. In short, a single error does not cripple the system and CFEngine can intelligently work around issues – as well as rectify them where possible.

The robustness of CFEngine – from design & architecture to code implementation – has resulted in a very stable product that users and customers quickly entrust their production workloads and infrastructure with. In turn this trust yields confidence in the software, allows IT to make more frequent changes in a stable fashion, and thus lets the business remain competitive.


Proof-points of Stability:

  • Years of automating mission-critical and large-scale (thousands of servers) IT-infrastructure in production environments
  • Automating one of the world’s largest banks’ IT-infrastructure
  • Self-monitoring to ensure CFEngine itself is available and performant
  • Automatic failover policy to avoid negative effects of erroneous policy deployments
  • Designed from the ground up (promise-level) to be autonomous and anti-fragile


CFEngine grows with your infrastructure – its architecture allows easy scaling. CFEngine has been running 200,000 servers, across 12 different datacenters at one of the world’s largest IT operations.


The architecture of CFEngine is a star network and consists of hosts and hubs. Hosts are the end points where policy instructions are executed. A hub serves as a policy distribution point and data collector for the hosts. One hub can typically serve 5,000 hosts that check in at a 5-minute interval.

CFEngine is fully decentralized. All logic and decision making occurs on the hosts. Agents run locally and will check for and pull down policy updates from regional or global policy distribution points (hubs). After download, the agents evaluate the policy locally to decide which part of the policy to apply, given their current state.

One advantage of a fully decentralized architecture is that you don’t need a complex setup for the hubs. Other solutions typically need load balancers and (at large scale) front-end and back-end servers to assist with host calculations, whereas CFEngine simply requires the hubs to serve policy and collect actual-state data from the hosts; no calculation is needed on the hub. Assuming a medium-specification hub, with agents running both on the hub and on the nodes at a 5-minute interval, one hub can serve 5,000 nodes. A more powerful server with better IOPS performance can serve several thousand more hosts.

Scaling out policy distribution hubs is easy with CFEngine. All that is needed is to add another server horizontally and add its IP address to the pool of allowed hubs an agent can connect to. CFEngine agents can use built-in functionality to ensure even load distribution across the hubs; we call this software-based load balancing. Scaling the hubs horizontally is cheap and easy, because the cost of scaling is not only the cost of a server but also the cost of a more complex setup, and with complexity comes fragility and increased management cost.

Another big advantage of the lean architecture of CFEngine is resiliency. If you have two hubs, and one goes down, CFEngine agents will automatically connect to the second hub. You can add as many hubs as you like to the list of allowed hubs for the agent to trust.
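The hub pool, load spreading and failover described in the last two paragraphs, as an added example that is not part of the original page or of the CFEngine project’s own update policy. The hub addresses are constructed placeholders; the small `recurse` and `if_repaired` bodies stand in for the standard-library ones so the file is self-contained, and the `shuffle` seeding and list-splicing syntax are as I recall them from the CFEngine 3 reference, so check them against your version.

```cfengine
# Added example (constructed, not from the page): an agent pulling policy from a
# pool of hubs with per-host load spreading and automatic failover.
body common control
{
  bundlesequence => { "update_policy" };
}

# Minimal stand-ins for the standard-library bodies so this file runs alone.
body depth_search recurse(d)  { depth => "$(d)"; }
body classes if_repaired(x)   { promise_repaired => { "$(x)" }; }

bundle agent update_policy
{
  vars:
    # Constructed placeholder hub addresses; every entry is a trusted policy source.
    "hubs" slist => { "10.20.1.10", "10.20.1.11", "10.20.1.12" };

    # Seeding the shuffle with the host's own name gives each host a stable but
    # different preferred hub, so load spreads evenly across the pool, while the
    # rest of the list remains available as failover targets.
    "ordered_hubs" slist => shuffle(hubs, "$(sys.fqhost)");

  files:
    "/var/cfengine/inputs/."
      handle       => "update_policy_pull",
      copy_from    => pull_from_hub_pool("/var/cfengine/masterfiles"),
      depth_search => recurse("inf"),
      classes      => if_repaired("policy_changed");

  reports:
    policy_changed::
      "Policy updated; hub preference order for this host: $(ordered_hubs)";
}

body copy_from pull_from_hub_pool(path)
{
  source           => "$(path)";
  servers          => { @(update_policy.ordered_hubs) }; # tried in order: failover if one is down
  compare          => "digest";   # copy only files whose checksum differs
  purge            => "true";     # drop files the hub no longer serves
  trustkey         => "false";    # refuse unknown hub keys; keys were exchanged at bootstrap
  protocol_version => "latest";   # TLS protocol only
  copy_backup      => "false";
}
```

Adding a hub is then a one-line change to the `hubs` list, and a hub outage is absorbed without any operator action because each agent walks its own ordering until a copy succeeds.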

CFEngine consists of several purpose-built processes with distinct responsibilities. A failure in one of the processes will not take down the whole system. CFEngine is designed to work autonomously with as few dependencies as possible.


Proof-points of Scalability:

  • Been running 200,000 servers, across 12 different datacenters at 5 minute interval (at one of the world’s largest IT operations)
  • Horizontal scaling of policy distribution hubs
  • 5,000 hosts per management server at 5 minute run intervals
  • 100% decentralized architecture
  • Software based resiliency (hub failovers)
  • Software based load balancing (agent connects to hubs evenly)
  • Written in C and compiled natively for each platform
  • Scales without the need for reverse proxies or load balancers
  • No certificate management and minimal dependencies
  • Several processes with distinct responsibilities; a failure in one will not affect the operation of the others


Try CFEngine Enterprise today – free for up to 25 hosts