Table of Contents

This guide documents our recommendation on how to upgrade an existing installation of CFEngine Enterprise to 3.18. Community users can use these instructions as a guide skipping the parts that are not relevant.

In short, the steps are:

  1. Backup
  2. Masterfiles Policy Framework upgrade
  3. Enterprise Hub binary upgrade
  4. Agent binary upgrade


  • Upgrades are supported from any currently supported version.

  • Clients should not run newer versions of binaries than the hub. While it may work in many cases, Enterprise reporting does not currently guarantee forward compatibility. For example, a host running 3.15.0 will not be able to report to a hub running 3.12.3.

  • Masterfiles Policy Framework (MPF) should always be newer than or equal to your newest binary version. While things often work without performing the MPF upgrade you may miss important changes where the policy has been instrumented to account for changes in binary behavior. For example, if you upgraded to 3.18.2 or later without upgrading your policy framework you would see many warnings that the framework upgrade would have suppressed. That specific change was detailed in this blog post about changes in behavior to directory permissions and the execute bit.


Backups are made during the hub package upgrade, but it's prudent to take a full backup from your policy hub before making any changes so that you can recover if anything goes wrong.

  1. Stop the CFEngine services.

    For systemd managed systems:

    root@hub:~# systemctl stop cfengine3

    For SysVinit:

    root@hub:~# service cfengine3 stop
  2. Create an archive containing all cfengine information.

    Ensure you have enough disk space where your backup archive will be created.

    root@hub:~# tar -czf /tmp/$(date +%Y-%m-%d)-cfengine-full-backup.tar.gz /var/cfengine /opt/cfengine

    For systemd managed systems:

    root@hub:~# find /usr/lib/systemd -name 'cf-*' -o -name 'cfengine*' | tar cfz /tmp/$(date +%Y-%m-%d)-cfengine-systemd-backup.tar.gz -T -

    For SysVinit:

    root@hub:~# find /etc -name 'cfengine*' | tar cfz /tmp/$(date +%Y-%m-%d)-cfengine-init-backup.tar.gz -T -

    See also: Hub administration backup and restore

  3. Copy the archive to a safe location.

  4. Start the CFEngine services.

    For systemd managed systems:

    root@hub:~# systemctl start cfengine3

    For SysVinit:

    root@hub:~# service cfengine3 start

Masterfiles Policy Framework upgrade

The Masterfiles Policy Framework is available in the hub package, separately on the download page, or directly from the masterfiles repository on github.

Normally most files can be replaced with new ones, files that typically contain user modifications include promises.cf, controls/*.cf, and services/main.cf.

Once the Masterfiles Policy Framework has been qualified and distributed to all agents you are ready to begin binary upgrades.

Enterprise Hub binary upgrade

Note: Enterprise Hub packages want at least as much free space in the backup directory (/var/cfengine/state/pg/backup by default) as what is currently consumed in /var/cfengine/state/pg/data. Also, the backup directory should be empty before performing an Enterprise Hub binary upgrade.

  1. Ensure the CFEngine services are running

    For systemd managed systems:

    root@hub:~# systemctl start cfengine3

    For SysVinit:

    root@hub:~# service cfengine3 start
  2. Install the new Enterprise Hub package (you may need to adjust the package name based on CFEngine edition, version and distribution). By default, backups made during upgrade are placed in /var/cfengine/state/pg/backup, this can be overridden by exporting BACKUP_DIR before package upgrade.

    Red Hat/CentOS:

    root@hub:~# export BACKUP_DIR="/mnt/plenty-of-free-space"
    root@hub:~# rpm -U cfengine-nova-hub-3.18.7-1.el6.x86_64.rpm


    root@hub:~# export BACKUP_DIR="/mnt/plenty-of-free-space"
    root@hub:~# dpkg --install cfengine-nova-hub_3.18.7-1_amd64-deb7.deb

    Community does not have a hub specific package.

  3. Check /var/log/CFEngine-Install.log for errors.

  4. Run the policy on the hub several times or wait for the system to converge.

    root@hub:~# for i in 1 2 3; do /var/cfengine/bin/cf-agent -KIf update.cf; /var/cfengine/bin/cf-agent -KI; done

Agent binary upgrade

  1. Publish binary packages under /var/cfengine/master_software_updates/$(sys.flavor)_$(sys.arch)/ on the policy server. To automatically download packages for all supported platforms execute the self upgrade policy with the cfengine_master_software_content_state_present class defined.

    For example:

    root@hub:~# cf-agent -KIf standalone_self_upgrade.cf --define cfengine_master_software_content_state_present
  2. Define the trigger_upgrade class to allow hosts to attempt self upgrade. In this example hosts with IPv4 addresses in or network range, or hosts running cfengine 3.10.x except for cfengine 3.10.2. It's recommended to start with a small scope, and gradually increase until all hosts are upgraded.

      "classes": {
       "trigger_upgrade": [

    Note: The negative look ahead regular expression is useful because it automatically turns off on hosts after they reach the target version.

  3. Verify that the selected hosts are upgrading successfully.

  • Mission Portal Inventory reporting interface Inventory Management

  • Inventory API

     root@hub:~# curl -k \
     --user <admin>:<password> \
     -X POST \
     https://hub.localdomain/api/inventory  \
     -H 'content-type: application/json' \
     -d '{
           "sort":"Host name",
              "CFEngine version":{
              "Host name",
              "CFEngine version"

    Once all hosts have been upgraded ensure the trigger_upgrade class is no longer defined so that agents stop trying to self upgrade.