CFEngine 3.7.0 released: New package promise and change reporting

Posted by: Eystein Maloy Stenberg

Share this

We’re happy to announce that CFEngine 3.7.0 is now ready!

The 3.7.0 release contains a brand new packages promise, expanded platform support, enhanced network security, improved Enterprise reporting capabilities and much more!

New packages promise

A new packages promise has been developed in collaboration the CFEngine community and users. It is designed to be reliable, simple and easy to use. We hope you enjoy the experience!

It reuses the same promise type as the previous packages promise (packages:), but CFEngine will determine which one to use based on the attributes that are used in the promise type. The packages: promise type is fully backward-compatible, so any packages promises that you have from 3.6 or earlier versions should still work with 3.7.

Currently supported platforms for the new packages promise include those based on yum/rpm (using package_module => yum) and apt/deb (using package_module => apt_get), but it can easily be extended by adding new package modules. Package modules are essentially wrappers for the package managers that implement the CFEngine package module protocol.

As an example, you can use the following promise in 3.7 to track the latest package of apache on Red Hat systems:



packages:

"httpd"

policy => "present",

version => "latest",

package_module => yum;



You can read more about the new packages promise type in the packages reference documentation.

Expanded platform support

CFEngine 3.7 improves the support for RHEL 7 and CentOS 7. These platforms were already supported as agent platforms, but the rpm packages have now been unified so that there is a single agent RPM that work across all of these platform versions. These platforms can now run CFEngine Enterprise hubs as well. In addition, both Debian 7 and 8 have been added to the supported platform list; both as Enterprise hubs and agents. In general, systemd-enabled distributions are now fully supported.

You can see the full list of of supported platforms for 3.7 in the Supported Platforms and Versions documentation page.

Enterprise multi-dashboard support

The Enterprise edition has new features for creating and managing multiple dashboards! In order to improve collaboration with your team, you can also share dashboards with your colleagues and see dashboards that your colleagues have shared.

Enterprise change reporting

CFEngine Enterprise users will also see the new Changes reporting feature; both the dashboard widget and reporting interface for displaying and filtering which changes CFEngine has made to the infrastructure.

The change reporting features also include a fully functional REST API, in addition to the user interface.

Network and security enhancements

In untrusted networks it is now easier to bootstrap securely, by pre-establishing trust with cf-key –trust-key and then run cf-agent –bootstrap <server> –trust-server=no.

The CFEngine network protocol now uses TLS by default to secure the connections. Note that this has the implication that 3.7 agents cannot bootstrap to servers with version 3.5 or earlier (3.6 supports both TLS and the legacy security protocol).

Which security protocol that is allowed on the server side can be controlled with allowlegacyconnects in body server control. On the client side you may use the protocol_version attribute found in body common control and body copy_from.

To control which TLS version and ciphers used, new attributes have been added. On the client side, body common control has the attributes tls_min_version and tls_ciphers. The siblings for the server side are found in body server control; allowtlsversion and allowciphers.

Other changes

Dependencies have been upgraded in the pre-compiled agent and hub packages; most notably OpenSSL 1.0.2d, PHP 5.6.9, LMDB 0.9.14, PCRE 8.37, PostgreSQL 9.3.7, Redis 2.8.20 and Codeigniter 2.2.2.

As usual, you can find a more detailed list of changes in the Community Change Log and Enterprise Change Log.

Upgrading?

If you’re upgrading from a previous release, check out the upgrade documentation for guidelines to make the process as smooth as possible.

Get it!

As always, you can download CFEngine Enterprise 3.7.0 packages for the supported platforms, or give it a quick spin with the CFEngine 3.7.0 vagrant environment.

If you are using the Community Edition, we provide you with source code, packages, and package repositories – to make sure we cover the distribution channel of your choice!

We hope you enjoy 3.7.0, and we look forward to hearing about your experience in the CFEngine Google Group!