Guest blog post: Don't use your distro's package manager

I have stopped using my Linux distro’s package manager, and you should, too. Maybe I should clarify that. I don’t install software with my distro’s package manager any more. I still upgrade my system. I became influenced by a few different factors. Top among these is something required in certain industries called a change advisory board or committee. This requirement says that changes to production computers have to be reviewed and approved by all stakeholders in that computer’s operations.

Posted by Jeff Carlson
January 23, 2023

Guest blog post: Quick-start guide to using Emacs for CFEngine

This guide is designed for the novice user of CFEngine who wishes to explore the power of Emacs while developing CFEngine policy files – and will introduce the use of some Emacs features and plugins along the way. There are two types of editors available in the Unix and Linux world: line and visual. Examples of line editors are ed and sed. These allow you to edit a file one line at a time.

Posted by Jeff Carlson
August 26, 2022

Upgrading from CFEngine 2 to 3: running the 2 agents side by side with 3

CFEngine 2 network communication is insecure by today’s standards.

CFEngine 2: CVE-2016-6329: CFEngine 2 uses Blowfish cipher (1993), which today is considered weak, deprecated, and subject to key recovery attack. No security fixes since 2008. Protocol communications not encrypted; only data transfer (which facilitates attack). Encryption is off by default.

CFEngine 3: All communication is encrypted. Uses TLS 1.3 (current state of the art). Up to date, maintained, secure from the software vendor. Full Enterprise support, with SLA.

January 28, 2020

Context-specific Security Settings

CFEngine is very simple to set up and use, especially if all of the clients and the hub are going to be using the same promises. But what if there are certain things you want to enforce on a hub and not a client? What if there are certain things you want to enforce on a client but not on a hub? For example, if you are using the Git Setup, you want the hub to pull from the Git repository, but you don’t want the clients to do this.

Posted by Eli Taft
February 12, 2019

Extending the CFEngine Policy Update Procedure

Introduction: The policy update procedure in the masterfiles policy framework is fairly straightforward: copy all files matching $(update_def.input_name_patterns) from the hub’s $(sys.masterdir) directory to the clients’ $(sys.inputdir) directory. Copying everything everywhere and then using some selection (or “classes”) to determine what to do is fine at the beginning. My first solution to manage computers in some computer system or landscape was to use “IPv4_*” (or hostname) classes, which pretty soon became hard to maintain and very hard to change.

Posted by Jurica Borozan
October 28, 2016

Dynamic bundlesequence with autorun, meta tags and hard classes

Thanks to Nick Anderson and Aleksey Tsalolikhin for feedback and valuable insight. Purpose: In this document I will show you how autorun and meta tags will simplify your daily work with CFEngine. There will be no more hard coding of bundles in bundlesequence and you may still run bundles in order by name. Prerequisite: This document assumes that you have installed a binary package from CFEngine’s official site. The code in this document is tested with CFEngine community version 3.

Posted by Bernt Jernberg
June 11, 2015