We’re 60 episodes in, and today we’re getting back to one of the most fundamental tasks in systems management, package management.
In this episode we look at three new dnf-related improvements for managing packages on Enterprise Linux (Red Hat, Rocky Linux, AlmaLinux). We walk through the new dnf and dnf_group package modules, and the appstreams custom promise type.
Why new package modules?
The existing yum package module works, but it shells out to run commands. The new dnf module takes a different approach: it uses the dnf and rpm Python libraries directly. This matters for security, reliability, and performance on modern Enterprise Linux where dnf has replaced yum as the native package manager.
Three notable dnf-related improvements making it easier to manage packages on modern Enterprise Linux based systems (Red Hat, Rocky Linux, AlmaLinux, etc.) have been merged recently.
dnf package module - Manage packages using dnf
dnf_group package module - Manage package groups using dnf
appstreams promise type - Manage application stream modules and profiles
dnf package module
The new dnf package module, unlike the existing yum module, does not perform any shell operations; instead, it leverages only the dnf and rpm Python libraries for querying and modifying the system.
CFEngine 3.24.4+, 3.27.1+, and 3.28.0+ include a change to how findfiles() handles trailing slashes on directory paths. This change restores trailing slashes to directory results, but with improved consistency compared to earlier versions. The new behavior ensures that directory paths always include a trailing slash, making them reliably distinguishable from file paths regardless of the glob pattern used.
The behavior changes
CFEngine 3.23.0 and earlier: Pattern-dependent behavior
The presence of a trailing slash in the returned paths depended on whether the glob pattern itself included a trailing slash. If you use findfiles("/path/*/") (with trailing slash in pattern), the results include trailing slashes. If you use findfiles("/path/*") (without trailing slash in pattern), the results do not include trailing slashes.
(This blog post was updated February 10th, 2026)
We are writing to inform you of multiple recently discovered security issues in the CFEngine policy and Mission Portal. These issues have been fixed in the recently released 3.27.0, 3.24.3 and 3.21.8 versions. Prior versions (3.24.2, 3.21.7, and below) are affected. We have no indications of these issues being exploited or known outside of the company and the security researchers that reported them.
We here at CFEngine have seen the collaboration possibilities with Ansible for a long time. See our many Ansible-related blog posts, including an earlier one where I discussed our promise-type-ansible module, which enables you to run Ansible playbooks from CFEngine policy.
You might ask why you would want to do such a thing?
We came up with one possible answer: what happens if you block ssh access to a host? Now you can certainly set up ansible-pull, but that requires configuring credentials and access to a repository.
When you first told me that this change was coming I was astonished because I know that normal order, the normal ordering is very intentional like a lot of thought went into it right and it’s not configurable, again on purpose, right!?
In this episode, Nick is joined by long-time CFEngine user and trainer, Aleksey Tsalolikhin. It was a conversation with Aleksey at a LISA conference in 2010 that set Nick on his CFEngine journey, asking, “What do you want from your configuration management tooling?”. Nick knew immediately that the tool he was using, while great, didn’t fit the characteristics he was looking for.
We recently introduced a new policy function classfilterdata(), which will be available in the next LTS release of CFEngine, version 3.27. If you can’t wait for the release, feel free to grab the latest master non-LTS from our nightly packages.
In this blog post, we’ll illustrate how the classfilterdata() policy function works. However, if you want a more real-world example, you should check out The agent is in - Episode 51 - Data-Driven Configuration with classfilterdata() by Jay Goldberg from Two Sigma.
Note: this blog post was updated January 29th, 2026
Here comes a profoundly belated blog post on a behavior change. Better late than never.
Due to various bugs with the glob engine on Windows, we decided to rewrite it in CFEngine 3.24.0. Not only does the new glob engine resolve these bugs on Windows, but it also adds support for brace expansion on all platforms. E.g.
findfiles.cf

    bundle agent main
    {
      vars:
        "matches" slist => findfiles("C:/{foo,bar}.txt");
      reports:
        "$(matches)";
    }

command

    & 'C:\Program Files\Cfengine\bin\cf-agent.exe' -Kf C:\findfiles.cf

output

    R: C:\bar.txt
    R: C:\foo.txt

Users may experience issues due to the fact that the new glob engine outputs the matched paths with the system separator (i.e., $(const.dirsep)). E.g., given the following policy, you can see how the output with the matched files changed from having forward slashes in CFEngine 3.21 to having backslashes in CFEngine 3.24 on Windows.
The MPF or Masterfiles Policy Framework is intended to provide a stable base policy for installations and upgrades, and is used by both CFEngine Enterprise and CFEngine community.
When you create a new cfbs project with cfbs init, one of the questions is related to the MPF:
    Do you wish to build on top of the default policy set, masterfiles? (Recommended) [YES/y/no/n]:
    Added module: masterfiles
    The default commit message is 'Added module 'masterfiles'' - edit it? [yes/y/NO/n]
    Committing using git:
    [main f84d0d4] Added module 'masterfiles'
     1 file changed, 16 insertions(+), 1 deletion(-)

Of particular interest to policy writers is the lib sub-directory:
Ever tried to wrangle a fleet of servers with just a text file? Nick shows how CFEngine can take advantage of genders for classification.
In this episode, Nick dives into the configuration file, /etc/genders. Originally developed by Lawrence Livermore National Laboratory and currently maintained by the Chaos development team, genders is often seen in use in High-Performance Computing (HPC) environments. Nick presents two practical examples demonstrating policy implementations, using genders for inventory reporting and grouping hosts.