Masterfiles ChangeLog

Table of Contents

See Also: Core Changelog, Enterprise Changelog

# Changelog
Notable changes to the framework should be documented here

    - Added .ps1 to list of file patterns considered during policy update
      (CFE-3425, ENT-4094)
    - Added apk package module support for alpinelinux (CFE-3451)
    - Added default cf_version_release of 1 when sys var missing (ENT-6219)
    - Added missing packages modules scripts in makefile (ENT-6814)
    - Added standalone self upgrade capability for Windows agents
      (ENT-6219, ENT-6823, ENT-4094)
    - Added verbose logfile for msiexec package module file installs
      (ENT-6220, ENT-6824)
    - Adjust modules/packages/ for lack of msiexec packages module
    - Disabled TLSv1 by default for Mission Portal's web server (ENT-6783)
    - Fixed ability to define users authorized for using cf-runagent on policy servers
    - Fixed alpine apk packages module to parse names properly (CFE-3585)
    - Fixed docs describing xdev behavior in depth_search bodies (CFE-3541)
    - Fixed loading of platform specific inventory on AIX (CFE-3614)
    - Suppressed output from watchdog on AIX to prevent the mail spool from filling up
    - Use VBScript to enumerate installed packages on Windows (ENT-4669)
    - service status on FreeBSD now uses onestatus (CFE-3515)

    - Added inventory for Timezone and GMT Offset (ENT-6161)
    - Added inventory for policy servers (ENT-6212)
    - Aligned systemd services behavior for service_policy => "enable|enabled|disable|disabled"
    - Changed group for state dir files promise to match defaults per OS (CFE-3362)
    - Replaced @ignore with useful doc strings (CFE-3378)
    - Stopped disabling disabled systemd unit each run when disabled state requested
    - Stopped trying to edit fields in manage_variable_values_ini (CFE-3372)
    - Fixed converge edit_line bundle not deleting lines containing marker (CFE-3482)
    - Added bundle edit_line converge_prepend with same behavior as bundle edit_line converge,
      but inserting at start of content. (CFE-3483)

    - Admitted ::1 as a query source on Enterprise hubs (ENT-5531)
    - Changed m_inventory dumping behavior to exclude when values are null
    - Fixed typo preventing recommendation bundles from running (CFE-3305)
    - Made python symlink fall back to platform-python (CFE-3291)
    - Modified cftransport cleanup to avoid errors (ENT-5555)
    - Release number was added to MPF tarballs (ENT-5429)
    - Stopped continual repair of ha_enabled semaphore (ENT-4715)
    - The zypper module is now fully compatible with Python 3 (CFE-3364)

    - Added 'data' shortcut to cf-serverd, defaults to sys.workdir/data
    - Added inventory of NFS servers in use (from /proc/mounts, on linux)
    - Added paths support for opensuse (CFE-3283)
    - Added zypper as default package manager for opensuse (CFE-3284)
    - Corrected application/logs path to outside of docroot (ENT-5255)
    - Enabled SUSE 12 for self upgrade (ENT-5152)
    - Fixed Python 3 incompatibility in yum package module
    - Improved resliliance of cron watchdog for linux (CFE-3258)
    - Modified federated reporting's to catch errors in psql run (ENT-5040)
    - Move 'selinux_enabled' class to config bundle and namespace scope it
    - Prevented inventory of unresolved variables for diskfree and loadavg
    - Setup our own symlink for Python interpreter and use it
      (ENT-4668, ENT-4682)
    - Standard services now considers systemd services in ActiveState=activating active
    - Fixed selection of standard_services when used explicitly from non-default namespace (ENT-5406)

    - Extended watchdog for AIX (ENT-4995)
    - Added AIX support to body perms system_owned (ENT-4773)
    - Added ability to avoid limiting robot agents (CFE-3161)
    - Added and transitioned to using master_software_updates shortcut
    - Added continual checking for policy_server state (CFE-3073)
    - Added documentation how to enable systemd unit management and disable
      agents on all hosts (CFE-3416)
    - Added package_module for snap (CFE-2811)
    - Added scripts and templates for Federated Reporting (ENT-4473)
    - Added support for 'awk' filters in the FR dump-import process (ENT-4839)
    - Added support for configuring abortclasses and abortbundleclasses via
      augments (ENT-4823)
    - Added support for filtering in both dump and import phases of the FR
      ETL process (ENT-4839)
    - Added support for ordering FR awk and sed scripts (ENT-4839)
    - Added support for setting periodic package inventory refresh interval
      via augments (CFE-2771)
    - Always set files_single_copy from augments if available (CFE-3064)
    - Changed FR policy to honor target_state properly (ENT-4874)
    - Copy .awk and .sed files from masterfiles to inputs (ENT-4839)
    - Do not run DB maintenance tasks on a passive HA hub (ENT-4706)
    - Fixed agent disabling on systemd systems (CFE-2429, CFE-3416)
    - Fixed cleanup of future timestamps from status table (ENT-4331,
    - Fixed pkgsrc in case where multiple Prefix paths are returned for
      pkg_install (CFE-3153)
    - Fixed pkgsrc module on Solaris/NetBSD (CFE-3151)
    - Fixed re-spawning of cf-execd or cf-monitord after remediating
      duplicate concurrent processes (CFE-3150)
    - Fixed state ownership on aix (ENT-4773)
    - Fixed synchronization of important configuration files from active to
      passive hub (ENT-4944)
    - Fixed the CFEngine 3.7.x class guard in
    - Made keys of all types from feeder hubs trusted on a superhub
    - Set default access promises for directories to only share if directory
      exists (CFE-3060)
    - Speeded-up FR import process by merging INSERT INTO statements
    - Suppressed stderr output from lldpctl when using path defined by
      def.lldpctl_json (CFE-3109)
    - added SQL to update feeder update timestamp during import (ENT-4776)
    - added ssh_home_t type to cftransport .ssh dir (ENT-4906)
    - fix use of _stdlib_path_exists_ in FR transport_user policy
      bundle (ENT-4906)
    - lib/ Add usermod path for redhat systems
    - modules/packages/ Moved zypper package module errors to the
      cf-agent output (CFE-3154)
    - partitioned __inventory table for federated reporting (ENT-4842)
    - psql_wrapper needed full path to psql binary (ENT-4912)
    - yum package_module gets updates available from online repos if local
      cache fails (CFE-3094)

    - Fixed isvariable() syntax error in (CFE-2953)
    - Fixed maintenance policy for promise log cleanup to respect history_length_days (ENT-4588)
    - Added setfacl to paths
    - Added path support for timedatectl and journalctl (CFE-3013)
    - Added trailing slash to access promises expecting directories (CFE-3024)
    - Conditioned use of curl for ec2 metadata cache on curl binary being executable (CFE-3049)
    - Instrumented cf-hub pull schedule for augments (ENT-4269)
    - Stopped suppressing repair outcome for starting cf-monitord or cf-execd (CFE-2964)
    - Enforced restrictive permissions on hub install log (ENT-4506)
    - Ensured that asynchronous query API semaphores are writable (ENT-4551)
    - Fixed standalone_self_upgrade not triggering because of stale data (ENT-4317)
    - Improved efficiency and error handling of user specified policy update bundle
    - Improved performance of enterprise license utilization logging
    - Added version logging for Enterprise agent outside of state (ENT-4352)
    - Added package_module for managing windows packages using msiexec (ENT-3719)
    - Prevented inventorying un-expanded free memory from cf-monitord
    - Prevented mon.value_mem_total from being inventoried if not defined (ENT-4522)
    - Prevented performance overhead on hubs that don't enable license utilization logging (ENT-4333)
    - Added purging of future status records (ENT-4362)
    - Reduced cost of knowing when setopt is available in yum (CFE-2993)
    - Added restart of runalerts if modified (ENT-4273)
    - Separated kill signals from restart class to avoid warning (CFE-2974)
    - Separated termination and observation promises for cf-monitord (CFE-2963)
    - Set default value for purge_scheduled_reports_older_than_days (ENT-4404)
    - Changed internal class name to describes daemon state instead of desired action
    - Changed internal class names to be more descriptive when identifying concurrent daemons
    - Implemented augments support for collect_window in body server control (ENT-4283)
    - Added guard for vars promises in cfe_internal_enterprise_mission_portal_apache
      Constrain vars promises in cfe_internal_enterprise_mission_portal_apache
      to policy_server.enterprise_edition::, otherwise "cf-promises --show-vars"
      includes a dump of the entire datastate from the "data" variable in
      cfe_internal_enterprise_mission_portal_apache (line over 100K long).
    - Stopped defining redhat_pure on Fedora hosts (CFE-3022)

    - Add 'system-uuid' to default dmidecode inventory (CFE-2925)
    - Add inventory of AWS EC2 linux instances (CFE-2924)
    - Add ubuntu 18 to package map for self upgrade (ENT-4118)
    - Allow dmidefs inventory to be overridden via augments (CFE-2927)
    - Also list  packages updates for hold packages: (CFE-2855)
    - Analyze yum return code before parsing its output (CFE-2868)
    - Fixed an issue when Promise to edit file that does not exist caused
      "promise not kept" condition (ENT-3965)
    - Avoid trying to read /proc/meminfo when it doesn't exist (CFE-2922)
    - Avoid use of $(version) for package_version in legacy implementation
    - Cleanup old report data relative to the most recent changetimestamp
    - Configure agent_expireafter from augments (ENT-4308)
    - Consider sles when considering suse (CFE-2897)
    - Fixed an issue when standalone self upgrade policy did not create
      desired-cfengine-package-version.json file (ENT-3937)
    - Cron based watchdog for cf-execd on AIX (ENT-3963)
    - Detect systemd service enablement for non native services (CFE-2932)
    - Document how def.acl is used and how to configure it (CFE-2861)
    - Fix name of tunable to control max client side report history
    - Fix package_latest detecting larger version in some cases (CFE-1743)
    - Fix standalone self upgrade when path contains spaces (ENT-4117)
    - Fix unattended self upgrade on AIX (ENT-3972)
    - Inventory Memory on HPUX (ENT-4188)
    - Inventory Physical Memory MB when dmidecode is found (CFE-2896)
    - Inventory memory on Windows (ENT-4187)
    - Make recommendations about postgresql.conf (ENT-3958)
    - Only consider files that exist for rotation (ENT-3946)
    - Prevent noise when a service that should be disabled is missing.
    - Prevent standalone self upgrade from triggering un-necessarily
    - Remove un-necessary agent run during self upgrade (ENT-4116)
    - Specify scope => "namespace" when using persistent classes (CFE-2860)
    - Store timestamp for packages managed by zypper module (CFE-2875)
    - Store timestamp of packages in cache db with zypper
    - Sync cf-runalerts override unit template with package (ENT-3923)
    - Updated yum package module to take arbitrary options (ENT-4177)
    - Use default for package arch on aix (ENT-3963)
    - Use rpmvercmp for version comparison on AIX (ENT-3963)
    - Users allowed to request execution via cf-runagent can be configured
          via augments (ENT-4054)
    - apt_get package module includes held packages when listing updates

    - Avoid executing self upgrade policy unnecessarily (ENT-3592)
    - Add amazon_linux class to yum package module
    - Introduce ability to set policy update bundle via augments (CFE-2687)
    - Localize delete tidy in ha update policy (ENT-3659)
    - Improve context notifying user of missing policy update bundle
    - Configure ignore_missing_inputs and ignore_missing_bundles via augments
    - Change class identifying runagent initiated executions from cfruncommand to cf_runagent_initated
    - Support enablerepo and disablerepo options in yum package_module
    - Fix cf-runagent during 3.7.x -> 3.10.x migration
      (CFE-2776, CFE-2781, CFE-2782)
    - Makes it possible to tune policy master_location via augments in update policy
    - Fix inventory for total memory on AIX (CFE-2797)
    - Do not manage redis since it's no longer used (ENT-2797)
    - Server control maxconnections can be configured via augments
    - Allow configuration of allowlegacyconnects from augments (ENT-3375)
    - Fix ability for zypper package_module to downgrade packages
    - Splaytime in body executor control can now be configured via augments
    - Add maintenance policy to refresh events table on enterprise hubs
    - Add apache config for new LDAP API (ENT-3265)
    - bundlesequence can be configured via augments (CFE-2521)
    - Update policy inputs can be extended via augments (CFE-2702)
    - Add oracle linux support to standalone self upgrade
    - Add bundle to track component variables to restart when necessary
    - Retention of files found in log directories can now be configured via augments
    - Allow multiple sections in insert_ini_section (CFE-2721)
    - Add lines_present edit_lines bundle
    - Schedule in body executor control can now be configured via augments
    - Include scheduled report assets in self maintenance (ENT-3558)
    - Remove unused body action aggregator and body file_select folder
    - Remove unused body process_count check_process
    - Prevent yum from locking in package_methods when possible
    - Render variables tagged for inventory from agent host_info_report
    - Make apt_get package module work with repositories containing spaces in the label
    - Allow hubs to collect from themselves over loopback (ENT-3329)
    - Log file max size and rotation limits can now be configured via augments
    - Change: Do not silence Enterprise hub maintenance
    - Ensure HA standby hubs have am_policy_hub state marker (ENT-3328)
    - Add support for 32bit rpms in standalone self upgrade (ENT-3377)
    - Add enterprise maintenance bundles to host info report (ENT-3537)
    - Removed unnecessary promises for OOTB package inventory
    - Add external watchdog support for stuck cf-execd (ENT-3251)
    - Be less noisy when a promised service is not found (CFE-2690)
    - Ignore empty options in apt_get module (CFE-2685)
    - Add postgres.log to enterprise log file rotation (ENT-3191)
    - Removed unnecessary support for including 3.6 controls
    - Fix systemctl path detection
    - Policy Release Id is now inventoried by default (CFE-2097)
    - Fix to frequent logging of enterprise license utilization (ENT-3390)
    - Maintain access to exported CSV reports in older versions (ENT-3572)
    - cf-execd service override template now only kills cf-execd on stop
    - Fix self upgrade for hosts older than 3.7.4 (ENT-3368)
    - Avoid self upgrade from triggering during bootstrap (ENT-3394)
    - Add json templates for rendering serial and multiline data (CFE-2713)
    - Removed unused libraries and controls
    - Fixed an error in the file_make_mustache_*, incorrect variable name used
    - Fix augments control state paths to work on windows (ENT-3839)
    - Remove templates for deprecated components (ENT-3781)
    - Replace unicode smartquotes with apostrophe (ENT-3823)
    - Configure Enterprise hub pull collection schedule via augments

    - Rename enable_client_initiated_reporting to client_initiated_reporting_enabled
    - Directories for ubuntu 16 and centos 7 should exist in master_software_updates
    - Fix: Automatic client upgrades for deb hosts
    - Add AIX OOTB oslevel inventory (ENT-3117)
    - Disable package inventory via modules on redhat like systems with unsupported python versions
    - Make stock policy update more resiliant (CFE-2587)
    - Configure networks allowed to initiate report collection (client initiated reporting) via augments (#910)
    - apt_get package module: Fix bug which prevented updates
      from being picked up if there was more than one source listed in the
      'apt upgrade' output, without a comma in between (CFE-2605)
    - Enable specification of monitoring_include via augments (CFE-2505)
    - Configure call_collect_interval from augments (enable_client_initiated_reporting) (#905)
    - Add templates shortcut (CFE-2582)
    - Behaviour change: when used with CFEngine 3.10.0 or greater,
      bundles set_config_values() and set_line_based() are appending a
      trailing space when inserting a configuration option with empty value
    - Add default report collection exclusion based on promise handle
    - Fix ability to select INI region with metachars (CFE-2519)
    - Change: Verify transfered files during policy update
    - Change select_region INI_section to match end of section or end of file
    - Add class to enable post transfer verrification during policy updates
    - Add: prunetree bundle to stdlib
      The prunetree bundle allws you to delete files and directories up to a
      sepcified depth older than a specified number of days
    - Do not symlink agents to /usr/local/bin on coreos (ENT-3047)
    - Add: Ability to set default_repository via augments
    - Enable settig def.max_client_history_size via augments (CFE-2560)
    - Change self upgrade now uses standalone policy (ENT-3155)
    - Fix apt_get package module incorrectly using interactive mode
    - Add ability to append to bundlesequnece with def.json (CFE-2460)
    - Enable paths to POSIX tools by default instead of native tools
    - Remove bundle agent cfe_internal_bins (CFE-2636)
    - Include previous_state and untracked reports when client clear a buildup of unreported data
    - Fix command to restart apache on config change (ENT-3134)
    - cf-serverd listens on ipv4 and ipv6 by default (CFE-528)
    - FixesMake apt_get module compatible with Ubuntu 16.04 (CFE-2445)
    - Fix rare bug that would sometimes prevent redis-server from launching
    - Add oslevel to well known paths (ENT-3121)
    - Add policy to track CFEngine Enterprise license utilization
    - Ensure MP SSL Cert is readable (ENT-3050)

    - Add: Classes body tailored for use with diff
    - Change: Session Cookies use HTTPOnly and secure attribtues (ENT-2781)
    - Change: Verify transfered files during policy update
    - Add: Inventory for system product name (model) (ENT-2780)
    - Add: Ensure appropriate permissions for SSL files (ENT-760)
    - Fix rare bug that would sometimes prevent redis-server from launching.
    - Change: Enable strict transport security
    - Add: Definition of from_cfexecd for cf-execd initiated runs
    - Add testing jUnit and TAP bundles and include them in
    - Change: Rename duplicate bodies in (ENT-2753)
    - Change: Disable RC4 Cipher for ssl in Mission Portal
    - Pass package promise options to underlying apt-get call (#802)
    - Change: Enable agent component management policy on systemd hosts
    - Add: Enterprise appliaction log dir to rotation
    - Change: re-enable hub process maintainance
    - Add: edit_line contains_literal_string to stdlib
    - Fix: Services starting or stopping unnecessarily (CFE-2421)
    - Allow specifying agent maxconnections via def.json (CFE-2461)
    - Change: Disable http TRACE method
    - Change: Reduce Enteprise webserver info
    - Change: cronjob bundle tolerates different spacing
    - Fix: CFEngine choking on standard services (CFE-2806)
    - Change select_region INI_section to match end of section or end of file
    - Fix ability to manage INI sections with metachars for
      manage_variable_values_ini and set_variable_values_ini (CFE-2519)
    - Fix apt_get package module incorrectly using interactive mode.
    - Add ability to append to bundlesequnece with def.json (CFE-2460)
    - Behaviour change: when used with CFEngine 3.10.0 or greater,
      bundles set_config_values() and set_line_based() are appending a
      trailing space when inserting a configuration option with empty value.

 - Support for user specified overring of framework defaults without modifying
   policy supplied by the framework itself (see example_def.json)
 - Support for def.json class augmentation in update policy
 - Run vacuum operation on postgresql every night as a part of maintenance.
 - Add measure_promise_time action body to lib (3.5, 3.6, 3.7, 3.8)
 - New negative class guard `cfengine_internal_disable_agent_email` so that
   agent email can be easily disabled by augmenting def.json
 - Relocate to controls/VER/
 - Relocate update_def to controls/VER
 - Relocate all controls to controls/VER
 - Only load cf_hub and on CFEngine Enterprise installs
 - Relocate acls related to report collection from bundle server access_rules
   to controls/VER/ into bundle server report_access_rules
 - Re-organize cfe_internal splitting core from enterprise specific policies
   and loading the appropriate inputs only when necessary
 - Moved update directory into cfe_internal as it is not generally intended to
   be modified
 - services/ moved to lib/VER/ as it is not generally intended to be
 - To improve predictibility autorun bundles are activated in lexicographical
 - Relocate services/ to cfe_internal/enterprise. This policy is
   most useful for a good OOTB experience with CFEngine Enterprise Mission
 - Relocate service_catalogue from to services/ It is
   intended to be a user entry. This name change correlates with the main
   bundle being activated by default if there is no bundlesequence specified.
 - Reduce benchmarks sample history to 1 day.
 - Update policy no longer generates a keypair if one is not found. (Redmine: #7167)
 - Relocate cfe_internal_postgresql_maintenance bundle to lib/VER/
 - Set postgresql_monitoring_maintenance only for versions 3.6.0 and 3.6.1
 - Move hub specific bundles from lib/VER/ into lib/VER/
   and load them only if policy_server policy if set.
 - Re-organize lib/VER/ from lists into classic array for use with getvalues
 - inform_mode classes changed to DEBUG|DEBUG_$(this.bundle):: (Redmine: #7191)
 - Enabled limit_robot_agents in order to work around multiple cf-execd
   processes after upgrade. (Redmine #7185)
 - Remove Diff reporting on /etc/shadow (Enterprise)
 - Update policy from inputs. There is no reason to include the
   update policy into, is the entry for the update policy
 - _not_repaired outcome from classes_generic and scoped_classes generic (Redmine: # 7022)
 - standard_services now restarts the service if it was not already running
   when using service_policy => restart with chkconfig (Redmine #7258)
 - Fix process_result logic to match the purpose of body process_select
   days_older_than (Redmine #3009)