New in CFEngine
CFEngine 3.6 is the latest version of CFEngine. The Enterprise edition introduces numerous improvements to the Mission Portal - a dashboard for getting a quick overview of the system status and compliance, alerts and notifications for changes to the system, a new user interface for inventory management and a tighter integration with Design Center.
Policy writers and community users, CFEngine 3.6 introduces a broad range of improvements and new functionality to the policy language, new capabilities for configuration management and tighter integration with data from external sources.
Improvements for Policy Writers
A number of changes have been made to the CFEngine core to further improve stability, scalability and security.
User Account Management
users promise type allows for management and configuration of local user
accounts with CFEngine.
Data Containers for Structured Data
The new variable type
data allows handling of structured data within CFEngine policy.
Structured data can be read from JSON strings and files, which allows integrating of
CFEngine policies with any external data source that can export to JSON.
A range of new functions allow creating and operating on structured data.
Tagging with Meta Data
Classes and variables can be tagged with meta data for extended annotation and documentation of knowledge directly in the language. Classes and variables can be searched by tags in policy, and CFEngine Enterprise uses tags to identify relevant information reported by the host. CFEngine sets a number of tags on hard classes and special variables by default.
Improved File Templating Engine
CFEngine 3.6 introduces support for
mustache templates, which
is tightly integrated with data containers and provides easy and data-driven configuration
New and Improved Functions
CFEngine 3.6 adds a list of new built-in functions:
bundlesmatching()- returns list of defined bundles matching a regex
canonifyuniquely()- converts a string into a unique, legal class name
classesmatching()- returns list of set classes matching a regex
eval()- evaluates mathematical expressions
findfiles()- returns list of files matching a search pattern
makerule()- evaluates whether a target file needs to be rebuilt from sources
min()- returns maximum, mean and minimum in a container or list
packagesmatching()- returns a filtered list of installed packages.
string_upcase()- returns the lower-/upper-case version of a string
string_tail()- returns the beginning/end of a string
string_length()- returns the length of a string
string_reverse()- reverses a string
variablesmatching()- returns a list of variables matching a regex
variance()- returns the variance of numbers in a list
The following functions are added and improved to work with the new
data_readstringarray()- read a delimited file into a data map
data_readstringarrayidx()- read a delimited file into a data array
datastate()- create a
datavariable with currently set classes and variables
%Scan be used to serialize 'data' containers into a string
mergedata()- merge two data containers
parsejson()- create a data container from a JSON string
readjson()- create a data container from a file that contains JSON
storejson()- serialize a data container into a string
Network Protocol on top of TLS
CFEngine 3.6 introduces a new networking protocol, which uses TLS for authentication. After the authentication, all dialog is encrypted within the established TLS session.
To ease with the upgrade process,
cf-serverd is still able to speak the legacy
protocol with old agents, and new agents can speak the legacy protocol with old servers.
CFEngine operators should turn off support for the legacy protocol as soon as all hosts
are running 3.6 to benefit from the full encryption and future improvements.
The new network protocol supports a range of new attributes for more precise access control to server resources.
Other Core Changes
CFEngine 3.6 uses LMDB as the default embedded database. LMDB is both robust and fast, and replaces TokyoCabinet on the majority of supported platforms.
Logging output of the CFEngine binaries has been further improved:
cf-serverd now includes
the relevant client IP address in all messages;
reports promises generate messages without
R:, and execution state information (such as passes or promise type
changes) are included in the log.
Relative paths are supported in
copy_from promises, and can used together with the
shortcut aliasing based on
connection data in
access promises to implement simple
and dynamic multi-tenancy within a single policy server.
CFEngine 3.6 introduces a flexible and dynamic dashboard with alerts and notifications to the Mission Portal. Users can create conditions and group those together in dashboard widgets that provide a quick overview over various business-critical aspects of the CFEngine managed system.
Inventory reports provide fast access to the managed assets, be it hosts or software. Inventory data can be added through policy to read additional information from sources available to each host, such as a CMDB.
Enterprise Platform and API
The Enterprise platform in 3.6 is using PostgreSQL, which significantly improves the speed of reports in the Mission Portal and through the Enterprise APIs. The Enterprise Server uses an optimized data collection protocol that reduces the network traffic and allows for even greater scalability.
The Enterprise API provides faster access to more data about hosts, promise compliance, software inventories, classes and variables. Thanks to the PostgreSQL backend the API supports complex SQL queries. The API from CFEngine Enterprise 2.2 is no longer supported.
The integration with authentication services (LDAP or ActiveDirectory) has changed to allow filter stings to be specified, providing greater flexibility in controlling access to CFEngine Enterprise.
A number of improvements to CFEngine's string handling on Windows makes sure that line endings are preserved in modified files, and use Windows compliance CRLF endings in newly created files.