Sketch Flow in CFEngine Enterprise

The CFEngine Enterprise Design Center graphical user interface (GUI) relies on several simple services and file structures. The interactions between these are shown in the diagram below.

Enterprise Design Center data-flow diagram

Git repository service

This service needs to offer git over ssh. It is the canonical place for masterfiles, and needs to be initialized with the CFEngine Enterprise masterfiles (version 3.5 and onwards). It can be hosted on an internal git server, or services like github.

Mission Portal GUI

The graphical interface that the users will interact with. It includes the Design Center app for using sketches and getting reports about them. The administrator of Mission Portal needs to configure its settings with the git version control repository. A user is only allowed to use the Design Center app if he is member of the cf_vcs role.


Distribution point for policies for CFEngine. A shared directory containing the policy for all hosts. CFEngine policy with sketches inside this directory will automatically get pulled down by all CFEngine hosts.


This is a stable version of the official Design Center repository. It contains all the sketches that becomes available to the Mission Portal Design Center GUI, as well as tools and APIs utilized internally by the GUI. Note in particular the tools/cf-sketch/constdata.conf file that contains out-of-the-box validations and other definitions. See the reference documentation for the sketch structure for a complete list of requirements for a sketch to work well with the GUI.


Each user of the Mission Portal has his own working directory here. It contains a local clone from the git repository service, using the shared Mission Portal git credentials that the administrator has set up for all users. The operations performed in the GUI will modify this directory, and it will be pushed to the git service for applying the changes to the CFEngine policy.

/opt/cfengine is chosen as the base directory rather than /var/cfengine due to space utilization concerns in /var when many users check out their local git clone. It should have enough free space to store the size of the git masterfiles clone times the number of users in the cf_vcs role.

The hosts and /var/cfengine/inputs

The hosts copy from /var/cfengine/masterfiles on the CFEngine server to their local /var/cfengine/inputs every time CFEngine runs. The policy they copy will include the sketches that have been activated by GUI users. The hosts will run the policy, including the sketches, that apply to them. During each run they will generate local reports that will be pulled by the CFEngine Enterprise server, and this will update the GUI with status about the sketch.

If a sketch is not compliant (red in the GUI), the user is given the option to invoke an agent run on a failing host from the GUI. This will capture the verbose agent output for the user. This is only allowed if the Mission Portal administrator has put the user in the cf_remoteagent role.