Masterfiles changelog
Table of contents
See also: Core changelog, Enterprise changelog
3.28.0
- Masterfiles builds are now bit-for-bit reproducible (ENT-14061)
- Added 2FA support and configurable admin username for distributed cleanup setup (ENT-12129)
- Added
dnfpackage module (ENT-11784) - Added workaround for
set_variable_values_iniwith missing sections (CFE-3866) - Changed
distributed_cleanup.pyto issue a realDELETE FROM __hostsinstead of soft deletion viaINSERTwith adeletedtimestamp (ENT-12129) - We now use
systemctl catinstead ofis-activeto checkcf-apache(ENT-11189) - Fixed bad regex in packages promise method for
pip(ENT-13667) - Fixed maximum recursion errors in
modules_presencefor CFEngine versions unaffected by (CFE-2852, CFE-4623) - Moved
update_health_failuresCLI task from policy tocf-reactor(ENT-7923) - Raised
cf-apache.servicestart timeout to avoid PID-file race (ENT-11189) - Refactored
cfe_autorun_inventory_packagesto dynamically identify use ofpackage_moduleinventory (ENT-13525) - We now reset
cf-apachefailed state before restarting it (ENT-11189) psqlcommands are now retried on transient errors in federated reporting (ENT-14140)standard_servicesbundle now invokessystemctlwithout--global(CFE-4639)
3.27.0
- Fixed
cfruncommandfor Windows causing “Too many arguments” error (ENT-13530) - Added
$(paths.dmidecode)for Red Hat (ENT-12988) - Added
fsattrsbodies to manage the immutable bit (CFE-4582) - Added recommendation about nfs server and consistent use of root dot (ENT-13223)
- Adjust nova API rest URL for custom https port (ENT-12653)
- Adjusted mission portal
httpd.confvalidation to show errors when they occur (ENT-12653) - Changed NFS Server inventory to report only unique servers (ENT-13223)
- Disabled policy version in masterfiles because it is now managed and inventoried by
default by the core agent inside
sys.policy_version(ENT-4043) - Disabled sync of Mission Portal config from
share/GUIunless explicitly enabled (ENT-13175, ENT-13172, ENT-13173) - Fixed duplicate
bundlesequence_endwhenbundlesequence_classificationnot defined (CFE-4588) - Fixed path to
lsofon Red Hat 7 and greater (ENT-12987) - Fixed issue with the “Run Agent” functionality by increasing timeout for php processing (ENT-13291)
- Made
protocol_versionconfigurable via Augments (CFE-4543) - Prevented nfs server inventory from doing unnecessary extra work (ENT-13210)
- Redirection from HTTP to HTTPS responsibility moved from Apache to PHP (ENT-11481)
- Removed duplicate
$(paths.ls)and$(paths.lsof)for opensuse (ENT-12990) - Stopped enforcing permission management of
$(sys.workdir)/share/GUI(ENT-13171) - Stopped enforcing permissions of public docroot scripts (ENT-13243)
- Added needed custom port to API in the API itself (LDAP related) (ENT-13612)
- Made
default_directory_create_modeconfigurable via Augments (CFE-4590) - Made
evaluation_orderinbody agent controlconfigurable via Augments (ENT-13495) - Stopped automatic mirroring of
WORKDIR/share/GUIto Mission Portal docroot (ENT-13172) - Stopped mirroring
.htaccessfromshare/GUIto Mission Portal docroot (ENT-13173)
3.26.0
- Inhibited management of share
config.phpfile whenmpf_disable_mission_portal_docroot_sync_from_share_guiis defined (ENT-12658) - Switched to using current process ID to investigate proc filesystem to workaround in-container non-root owned symlinks (CFE-3429)
- Added http2 support in Mission Portal with apache and
php-fpm(ENT-11440) - Added paths for the
dmsetup,fdisk, andlshwcommands (ENT-12560) - Added
service_configbundle to aid in service config check/replace/service restart (ENT-11440)
3.25.0
- Data dumping on Federated Reporting feeders no longer uses an AWK filter to merge
INSERTlines in the dumps - Made
system_log_levelconfigurable via Augments (CFE-4452) - Added inline docs showing valid values for
method(field_operation) inbody edit_field quoted_var(CFE-4426) - Added support for AIX System Resource Controller services promises (CFE-4447)
- Added trailing
/.to files promises targetinglocal_software_dir(ENT-12116) - Fixed failed to open
/dev/ttyerrors when using systemd unit management (CFE-4445) - Fixed issue with
yumpackage module regarding packages with epoch not validating (ENT-12538) - Fixed issues with ACE javascript editor due to CSP (Content Security Policy) (ENT-12010)
- Fixed issues with loading images from
raw.github.cominside CFEngine Build application in Mission Portal (ENT-12531)
3.24.0
- AIX watchdog now handles stale PIDs (CFE-4335)
- Aligned ownership and permission expectations between Mission Portal and MPF (ENT-11941)
- Changed mission-portal apache restart to graceful to minimize service interruptions (ENT-11526)
- Federated reporting policy now properly fixes SELinux context of the
~cftransport/.sshdirectory and its contents in a single agent run. (ENT-11136) - Freebsd service management now uses one prefixed service commands (CFE-4323)
- Improved federation policy handling of
cftransportselinux configuration (ENT-10959) - Improved instructions and added report to instruct users how to disable recommendations (ENT-11523)
- Inventory view is now refreshed in
cf-reactorinstead of through policy (ENT-11763) - Made enterprise federated reporting dump interval configurable via Augments (ENT-10900)
- Policy now manages Mission Portals
httpd.confownership and permissions (ENT-11096) - Refactored AWS IMDS retrieval to support both IMDSv1 and IMDSv2 (ENT-10988)
- Refactored extraction of home directory from parsing
getentoutput to getuserinfo() (CFE-4375) - Removed hour delay between CFEngine Enterprise PostgreSQL recommendation checks (ENT-11480)
- Squashed common error logged by Apache related to IPv6 (ENT-10646)
- When failing to detect platform, inventory attribute “OS” now
defaults to
PRETTY_NAMEfromos-releaseas a fallback (CFE-4342) - Added ability to configure Mission Portal Apache
SSLCACertificateFilevia Augments (ENT-11421) - Added ability to configure
SSLCipherSuitevia Augments (ENT-11393) - Added ability to influence default package manager and inventory via Augments (CFE-3612)
- Added freebsd
package_moduleandpackage_inventorysince we havepkgpackages module available (CFE-4345) - Added
no_backup_cp_comparecopy_frombody to stdlib Like the existingno_backup_cpthiscopy_frombody is used to copy files locally without making backups but with the additional ability to specify the comparison used. (ENT-10962) - Added recommendation for installing gnu
parallelon federated reporting superhubs (ENT-8785) - Added
set_escaped_user_fieldcomplementingset_user_field(CFE-4377) - Added
setup-feederoption to distributed cleanup script (ENT-11844) - Fixed comparison that caused
control_executor_mailfilter_*_configuredto never be set (CFE-4374) - Fixed
distributed_cleanuppolicy for feeders and rhel-8 superhubs (ENT-10960) - Fixed restoration of Mission Portal application to packaged content when modified (ENT-10962)
3.23.0
- Added ability to disable plain http for CFEngine Enterprise Mission Portal (ENT-10411)
- Added ability to enable backup archives during policy update (ENT-10481)
- Added ability to extend without overriding filename patterns to copy during policy update (ENT-10480)
- Added bundle to facilitate migration of
ignore_interfaces.rxfrominputdirtoworkdir(ENT-9402) - Added self upgrade support for Amazon Linux 2 (ENT-10820)
- Added
ssto paths for linux (ENT-10413) - Aligned systemd service templates with core
WantedBy=cfengine3.servicewas removed from systemd service templates for individual components. It was un-necessary ascfengine3.servicealready wants the individual services. https://github.com/cfengine/core/pull/5362 Ticket: (CFE-3982) - Avoided deleting
pythonsymlink whensys.bindiris not/var/cfengine/bin(CFE-4146) - Changed default self upgrade target version to be that of Hubs binary version (ENT-10664)
- Fixed OS inventory for Amazon Linux 2 (ENT-10817)
- Fixed apache listening on port 80 by default (ENT-10672)
- Fixed
cfe_autorun_inventory_aws_ec2_metadata_cachefile creation Ticket: (CFE-4221) - Removed
jqdependency and fixedlib/testing.cftap output (CFE-4245, CFE-4246, CFE-4223) - Fixed self-upgrade for Debian and Ubuntu aarch64 clients (ENT-10816)
- Guard against
/sys/hypervisor/uuidnot being readable (ENT-9931) - Made Mission Portal Apache
SSLProtocolconfigurable via augments (ENT-10412) - Made
allowconnectsandallowallconnectsconfigurable via Augments (ENT-10212) - Made
lastseenexpireafterinbody common controlconfigurable via Augments (ENT-10414) - Removed considerations for old versions from
bundle agent cfe_autorun_inventory_aws_ec2_metadata_cache(CFE-4222) - Stopped filtering
$(sys.bindir)from dynamically determined python path (CFE-4223) - Fixed recommendation policy execution (ENT-10915)
- Fixed
postgresql.confrecommendations (ENT-10916) - Added rendering of custom mustache templates to
$(sys.workdir)/modules(ENT-10793) - Fixed support for automatically installing
semanageon el9 for federated reporting (ENT-10918) - Improved failure logging during federated reporting schema import (ENT-10789)
- Added
default:cfengine_mp_fr_debug_importclass for federated reporting import debugging (ENT-10896) - Made
$(sys.policy_hub)always be included indefault:def.acl,allowconnects, andallowallconnectsunless explicitly disabled (ENT-10951)
3.22.0
- Added inventory for policy version (ENT-9806)
- Added condition to
runalertsservice to require stamp directory (ENT-9711) - Added guards against using regline() in cases where a file may not exist (ENT-9933)
- Added self upgrade support for Ubuntu 22.04, Debian 11, and EL9 (ENT-10290)
- Added
ssl_request_logto list of hub log files (ENT-10192) - Added support for Rocky Linux in self upgrade policy (ENT-10335)
- Adjusted
dump.shfor multiple runs in between superhub imports (ENT-10274) - Aligned module build result with release artifact (ENT-10345)
- Fixed
body perms system_ownedto account for Windows (ENT-9778) - Fixed SUSE
package_inventorydefaults (ENT-10248) - Improved federated reporting dump concurrency with database (ENT-10214)
- Made TLS settings for components other than
cf-serverdconfigurable via augments (ENT-10198) - Made
agentfacilityinbody agent controlconfigurable via Augments (ENT-10209) - Made
allowciphersinbody server controlconfigurable via Augments (ENT-10182) - Made
allowtlsversioninbody server controlconfigurable via Augments (ENT-10182) - Made body
maxmaillinesinbody executor controlconfigurable via Augments (ENT-9614) - Made
mailsubject,mailfilter_include, andmailfilter_excludeconfigurable via Augments (ENT-10210) - Made package cache refresh for
common_knowledge.list_update_ifelapsedconfigurable This change makes the number of minutes to wait between package cache updates for somepackage_methodbodies configurable via augments. Thepackage_methodbodies affected by this include:body package_method pip(flags)body package_method npm(dir)body package_method npm_gbody package_method brew(user)body package_method aptbody package_method apt_getbody package_method apt_get_permissivebody package_method apt_get_release(release)body package_method dpkg_version(repo)body package_method rpm_version(repo)body package_method yumbody package_method yum_rpmbody package_method yum_rpm_permissivebody package_method yum_rpm_enable_repo(repoid)body package_method yum_groupbody package_method rpm_filebased(path)body package_method ipsbody package_method smartosbody package_method opencswbody package_method emergebody package_method pacmanbody package_method zypperbody package_method genericAdditionally note that the package related bundles use thepackage_methodbodies mentioned above and are similarly influenced.bundle agent package_present(package)bundle agent package_latest(package)bundle agent package_specific_present(packageorfile, package_version, package_arch)bundle agent package_specific_absent(packageorfile, package_version, package_arch)bundle agent package_specific_latest(packageorfile, package_version, package_arch),bundle agent package_specific(package_name, desired, package_version, package_arch)(CFE-4178)
- Prevented management of runagent socket users when no users are listed (ENT-9535)
- Removed specific old CFEngine version package module handling for windows (ENT-9948)
- Started inventorying currently mounted file system types and mount points (ENT-8338)
3.21.0
- Added inventory for Raspberry Pi and DeviceTree devices (ENT-8628)
- Added policy to enforce proper permissions on Mission Portal ldap directory (ENT-9693)
- Added check to make sure
cf-execdis running after attempting self upgrade on Windows - Added exception for ldap directory perms for
settings.ldap.php(ENT-9697) (ENT-9573) - Added
dateto known paths for linux (CFE-4069) - Added fallback to top-level feeder dump directory (ENT-8936)
- Added self upgrade knowledge for Suse 12, 15 and opensuse leap 15 (ENT-9209)
- Added self upgrade knowledge for debian 11 (ENT-9210)
- Added
sshinpaths.cfso that policy writers can use$(paths.ssh)(CFE-4037) - Added support for multiple superhubs per feeder (ENT-8936)
- Amazon Linux now uses
--setopt-exit_on_lock=Trueinredhat_no_locking_knowledge(ENT-9057) - Avoided error stopping apache when no pid file exists (ENT-9108)
- Disabled explicit setting for
SSLCompressionfor Mission Portal Apache. OpenSSL3 does not provide compression capability, when enabled Apache will not start. (ENT-8933) - Fixed deleting multiple hosts with distributed cleanup utility (ENT-8979)
- Fixed directory in which windows agents source packages for upgrade (ENT-9010)
- Fixed
services_autorun_inputsworking independently fromservices_autorun(CFE-4017) - Fixed
set_line_based()for case whenedit_defaults.empty_before_useis true (ENT-5866) - Made proc inventory configurable via Augments (CFE-4056)
- Made device-tree inventory quieter in containers (ENT-9063)
- Stopped applying locks to
masterfiles-stage(ENT-9625) - Stopped loading several Apache modules on Enterprise Hubs by default:
mod_auth_basic,mod_authz_host,mod_authz_owner,mod_dbd,mod_authn_file,mod_authz_dbm(ENT-8607, ENT-8602, ENT-8706, ENT-8609, ENT-9072, ENT-8605) - Updated filename conventions for AIX and Solaris packages (ENT-9095)
- Fixed detection of location for
httpd.pid(ENT-9603) - Added policy to manage permissions for
php/runalerts-stamp(ENT-9703) - Ensured manual edits to
httpd.confare reverted (ENT-9686)
3.20.0
- Renamed
bundle agent maintobundle agent mpf_main(CFE-3947) - Added
prelinktopaths.cf - Added Enterprise Hub
postgresql.confto files monitored for diffs by default (ENT-8618) - Added PostgreSQL tunables for Federated Reporting (ENT-8617)
- Added
lib/templatesto packaged assets (ENT-8533) - Added policy to patch
apachectlfor more robust stopping on Enterprise Hubs (ENT-8823) - Added policy update exclusion for directories named
.no-distrib(ENT-8079) - Added support for
optionoption inpkgmodule (CFE-3568) - Added support for Amazon Linux in standalone self upgrade (ENT-8274)
- Added support for downloading windows packages as part of self upgrade (ENT-8283)
- Adjusted MPF to handle
rxdirsdefault from true to false (CFE-951) 755perms on hubhtdocsdir are now enforced (ENT-8212)- Proper owner and perms on docroot are now enforced (ENT-8280)
- Prevented
def.dir_masterfiles/.no-distribfrom being copied (ENT-8079) - Cleaned up policy related to versions prior to 3.12 (CFE-3920)
- Removed policy deprecated by
sys.os_release(CFE-3933) - Updated bundle names and wording to reflect current tooling (CFE-3921)
- Enabled setting
environmentattribute inbody agent controlvia augments (CFE-3925) - Fixed inclusion of distributed cleanup python files during install (ENT-8393)
- Fixed inventory for OS on Rocky Linux (ENT-8292)
- Fixed promise status from package upgrade when architecture specified in promise (CFE-3568)
- Made
body classes u_kept_successful_command_resultsinherit_fromu_results(CFE-3917) - Made CMDB update ignore locks (ENT-8847)
- Updating host-specific CMDB data files now happens asynchronously (ENT-7357)
- Fixed issue with
apt_getpackage module on Ubuntu 22 (CFE-3976) - Fixed parsing of
optionsattribute and addedrepoalias forrepositoryoption inpkgmodule (CFE-3568) - Fixed
pkgmodule parsing input when values include equals (=) (CFE-3568) - Warn about missing dependencies for Distributed Cleanup utility (ENT-8832)
- Fixed AIX watchdog default threshold for number of
cf-execdprocesses (CFE-3915) - Stopped lowercasing software inventory on Windows (ENT-8424)
- Fixed windows unattended self upgrade on Windows 2008 (ENT-8066)
- Invalid feeder dump files are now skipped during import (ENT-8229)
- Fixed FR clean bundle when off state (ENT-7969)
- Fixed
psqlnot found while FR import (ENT-8353) - Now
clean_when_offFR bundle is only run when needed (ENT-8294)
3.19.0
- Added
interpreterattribute to standalone self upgradepackage_modulebodies (CFE-3703, ENT-5752) - Added
almalinuxas a know derivative ofrhel(ENT-7644) - Added class to prevent hub from seeding binary packages for use in self upgrade (ENT-7544)
- Added cleanup of database and status semaphore when federation
target_stateis off (ENT-7233) - Added custom promise python library
- Added
distributed_cleanuputility for Federated Reporting (ENT-7215) - Added fallback logic for determining installed software version on Windows (ENT-7501)
- Added
lsmodto well known paths (CFE-3790) - Added script to cleanup artifacts after
cfbs build(CFE-3781) - Added self upgrade support for SUSE (ENT-7446)
- Added separate classes for controlling autorun inputs and bundles
The class
services_autoruncontinues to enable both automatic inclusion of.cffiles inservices/autorunand the running of bundles tagged with autorun. This change adds the classesservices_autorun_inputsandservices_autorun_bundlesfor independently enabling addition of.cffiles inservices/autorunand automatic execution of bundles tagged with autorun respectively. (CFE-3715) - Added support for downloading community packages on hub in preparation for binary upgrades
- Added variable for excluding files from Policy Analyzer (ENT-7684)
- Adjusted badges for 3.18.0 release (ENT-6713)
- Adjusted permissions for Mission Portal public tmp files (ENT-7261)
- Autorun bundles now run regardless of locks Previously, when the autorun feature was enabled to automatically run bundles tagged with autorun the bundle actuation was affected by promise locking. The effect of this is that agent runs that happen close together would skip running bundles run within the last minute. Now autorun bundles no longer wait for a lock to expire, they will be actuated each agent execution. Note, promises within those bundles have their own locks which still apply. (CFE-3795)
- Dropped un-necessary local variable The use of this local variable triggers a bug that prevents datastate() from printing. Since the variable is un-necessary, it’s been removed and the parameter is used directly. (CFE-3776)
- Enforced permissions for Postgres log (ENT-7961)
- Fixed package module augments settings usage for pre 3.15.3 binaries (ENT-7356, ENT-7358)
- Fixed path in permissions and ownership promise for application log dir (ENT-7731)
- Fixed
services_autorun_bundlesonly case (CFE-3799) - Fixup
zypperpackage module script to work properly withinterpreterattribute (ENT-7442) - Gave
cfapachegroup full access to docroot (ENT-8065) - Ensured exported reports from Mission Portal are in the correct location (ENT-7465)
- Made apache restart more robust (ENT-8045)
- Moved
httpd.pidto root of httpd workdir (ENT-7966) - Physical Memory (MB) inventory now handles
dmidecodeMB or GB units (ENT-7714) - Promised permissions for Mission Portal application and Apache log files This change ensures that both Mission Portal and Apache log files have restrictive permissions. Previously this was un-managed. (ENT-7730)
- Reduced scope of report informing of missing systemd service (CFE-290, ENT-7360)
- Removed build dir from
install/disttargets (ENT-7359) - Removed stale CMDB inventory policy (CFE-3712)
- Set apache umask to
0177(ENT-7948) - State changes of systemd services during agent run are now properly registered (CFE-3753)
- Stopped enforcing permissions of modules in inputs
This change removes explicit enforcement of permissions for modules in inputs.
Instead of explicitly enforcing permissions in inputs, we rely on the default
permissions (
600). The previous explicit permissions (755) are un-necessary as modules are not executed from within the inputs directory and have resulted in permission flip-flopping in some environments. Permissions on modules in the modules dir(sys.workdir)/modulesare still enforced. (ENT-7733) - Switched from using
package_method genericto defaultpackage_modulefor windows software inventory (ENT-2589) - Improved the reliability when detecting a Red Hat system.
Now if the
IDfield in/etc/os-releaseis set torhel, theredhat_pureclass will be defined. If the variablesys.os_releasedoes not exist,redhat_pureis defined if we have already definedredhatand we do not find classes for well known derivatives rocky, a class defined on Rocky Linux was added to the list of well known derivatives (ENT-7628)- Added advisory lock for Federated Reporting operations (ENT-7474)
controls/cf_serverd.cfno longer specifies explicit default forbindtointerfaceand relies on the default binding to both::and0.0.0.0on IPV6-enabled hosts (ENT-7362)setup-status.jsonis no longer being repaired over and over on FR feeder hubs (ENT-7967)
3.18.0
- Added
.ps1to list of file patterns considered during policy update (ENT-4094) - Added ability to specify additional directories to add autorun policy from (CFE-3524)
- Added default
cf_version_releaseof 1 when sys var missing (ENT-6219) - Added description of
psql_lock_wait_before_acquisitionmeasurement (ENT-6841) - Added inventory of Setgid files and Setgid files that are root owned (ENT-6793)
- Added inventory of users and hosts allowed to use
cf-runagent(ENT-6666) - Added measurement of entropy available on linux systems (ENT-6495)
- Added missing packages modules scripts in makefile (ENT-6814)
- Added new interface for controlling users allowed to initiate
cf-agentviacf-runagent(CFE-3544) - Added policy for permissions on
cf-execdsockets on Enterprise Hubs (ENT-6777) - Added redirect to remove
index.phpfrom Mission Portal’s URL (ENT-6464) - Added standalone self upgrade capability for Windows agents (ENT-6219, ENT-6823)
- Added
tail&tail_nto standard library (CFE-3558) - Added
vars.mpf_admit_cf_runagent_shellto control admission forcf-runagentrequests (ENT-6673) - Added verbose logfile for
msiexecpackage module file installs (ENT-6220, ENT-6824) - Changed default behavior of policy update to keep inputs in sync with masterfiles
Prior to this change, the default behavior of the MPF was to only ensure that
files in masterfiles were up to date with the files in inputs. Files in inputs
that did not exist in masterfiles were left undisturbed. To enable sync
behavior (a common user expectation) you had to explicitly define
cfengine_internal_purge_policies. Now, if you wish to return to the previous default behavior, define the classcfengine_internal_purge_policies_disabled. Ticket: (CFE-3662) - Changed
msiexecpackage module install logs to be unique for each msi file (ENT-6824) - Disabled TLSv1 by default for Mission Portal’s web server (ENT-6783)
- Do not apply redirect from
index.phpto internal APIs (ENT-6464) - Enabled packages promises using
package_modulewithoutbundle def(CFE-3504) - Fixed ability to define users authorized for using
cf-runagenton policy servers (CFE-3546) - Fixed alpine
apkpackages module to parse names properly (CFE-3585) - Fixed
cfengine_mp_fr_handle_duplicate_hostkeysclass usage in policy (ENT-7094) - Fixed docs describing
xdevbehavior indepth_searchbodies (CFE-3541) - Fixed loading of platform specific inventory on AIX (CFE-3614)
- Made Enterprise CMDB data update after policy update (ENT-6788)
- Prevent setgid files from causing continual repair related to setuid file inventory (ENT-6782)
- Removed stale unused copy of
u_kept_successful_commandbody. If you receive an error about undefined body, alter your policy to usekept_successful_commandinstead (CFE-3617) - Removed unused plugins directory (CFE-3618)
- Renamed
pythonsymlink tocfengine-selected-python(CFE-3512) - Shortened Inventory OS attribute to be more readable (ENT-6536)
- Suppressed inform output from Enterprise Hub database maintenance operations (ENT-6563)
- Suppressed output from watchdog on AIX to prevent the mail spool from filling up (CFE-3630)
- Added ability to specify a list of bundles to run before autorun (for classification) (ENT-6603)
- Update policy now moves obstructions (CFE-2984)
- Started using VBScript to enumerate installed packages (ENT-4669)
- Added
/usr/bin/yumtopaths.cffor aix (CFE-3615) - service status on FreeBSD now uses
onestatus(CFE-3515) - Guard again enforcing root ownership for CFEngine files on Windows (ENT-4628)
3.17.0
- Added
.csvto the list of file extensions considered by default during policy update (CFE-3425) - Added ability to extend known paths without modifying vendored policy (CFE-3426)
- Added
apkpackage module support for alpinelinux (CFE-3451) - Added bundle
edit_line converge_prependwith same behavior as bundleedit_line converge, but inserting at start of content. (CFE-3483) - Added inventory for Timezone and GMT Offset (ENT-6161)
- Added inventory for policy servers (ENT-6212)
- Added maintenance policy to update health diagnostics failures table on enterprise hubs (ENT-6228)
- Added optional handle duplicates step in federated reporting import (ENT-6035)
- Added
replace_uncommented_substrings(ENT-6117) - Added service states “active” and “inactive” for systemd (ENT-6074)
- Added watchdog for Windows (ENT-5538)
- Adjusted
package_moduleand paths for termux platform (CFE-3288) - Aligned systemd services behavior for
service_policy => "enable|enabled|disable|disabled"(ENT-6073) - Changed
bundle server access_rulestompf_default_access_rules(CFE-3427) - Cleaned up Mission Portal OS variable (
inventory_os.description) on RHEL 5 & 6 (ENT-6124) - De-duplicated license headers (ENT-6040)
- Fixed
convergeedit_linebundle not deleting lines containing marker (CFE-3482) - Fixed interpretation of
cf-hub --show-licensefrom REPAIRED to KEPT (ENT-6473) - Inventory OS variable (
inventory_os.descriptionin policy) is now based onos-release - Made
git_stashonly stash untracked files when capable (CFE-3383) - Moved systemd service management to own bundle (CFE-3381)
- Removed delay in refreshing software installed inventory (ENT-6154)
- Removed unnecessary packages promise on SuSE (ENT-5480, ENT-6375)
- Replaced
@ignorewith useful doc strings (CFE-3378)
3.16.0
/var/cfengine/bin/pythonsymlink creation on SLES was fixed- Added
datashortcut tocf-serverd, defaults tosys.workdir/data - Added inventory for CFEngine Enterprise License information (ENT-5089, ENT-5279)
- Added inventory of NFS servers in use (from
/proc/mounts, on linux) (CFE-3259) - Added inventory of license owner on enterprise hubs (ENT-5337)
- Added paths support for opensuse (CFE-3283)
- Added use of services promise for FR PostgreSQL reconfig in case of systemd (ENT-5420)
- Added
zypperas default package manager for opensuse (CFE-3284) - Admitted
::1as a query source on Enterprise hubs (ENT-5531) - Aligned unattended self upgrade package map with current state (ENT-6010)
- Always copy modules from masterfiles (CFE-3237)
- Changed
DocumentRootof Mission Portal inhttpd.confto/path/to/cfengine/httpd/htdocs/public(ENT-5372) - Changed group for state dir files promise to match defaults per OS (CFE-3362)
- Changed
m_inventorydumping behavior to exclude when values is null (ENT-5562) - Corrected
application/logspath to outside of docroot (ENT-5255) - Deleted deprecated
__PromiseExecutionsLogfrom process that cleans log tables (ENT-5170) - Fixed dmi inventory to prefer
sysfstodmidecodefor most variables for improved performance and to handle CoreOS hosts that don’t havedmidecode. (CFE-3249) - Fixed permission flipping when policy analyzer is enabled (ENT-5235)
- Fixed
runalertsprocesses promise on non-systemd systems (ENT-5432) - Fixed selection of
standard_serviceswhen used from non-default namespace (ENT-5406) - Fixed system UUID inventory for certain VMWare VMs where
dmidecodegives UUID bytes in wrong order. (CFE-3249) - Fixed typo preventing recommendation bundles from running (CFE-3305)
- HA setups no longer have flipping permissions on
/opt/cfengine/notification_scripts - Improved resilience of cron watchdog for linux (CFE-3258)
- Inventory refresh is no longer part of agent run on the hub (ENT-4864)
- Made
pythonsymlink fall back toplatform-python(CFE-3291) - Made
set_variable_values_iniprefer whitespace around=(CFE-3221) - Modified
cftransportcleanup to avoid errors (ENT-5555) - Moved
selinux_enabledclass to config bundle and namespace scope it - Prevented inventory of unresolved variables for
diskfreeandloadavg(ENT-5190) - Release number was added to MPF tarballs (ENT-5429)
- Standard services now considers systemd services in
ActiveState=activating active(CFE-3238) - Stopped continual repair of
ha_enabledsemaphore (ENT-4715) - Stopped disabling disabled systemd unit each run when disabled state requested (CFE-3367)
- Stopped trying to edit fields in
manage_variable_values_ini(CFE-3372) - Suppressed useless inform output from
/bin/truein ec2 inventory (ENT-5233) - Switched from hardcoded path to
/bin/trueto use paths from stdlib (ENT-5278) - The
zyppermodule is now fully compatible with Python 3 (CFE-3364) - Whitespace is now allowed at the beginning of ini key-values (CFE-3244)
apt_getpackage module now checks package state (CFE-3233)
3.15.0
- Added
package_moduleforsnap(CFE-2811) - Fixed
pkgsrcin case where multiplePrefixpaths are returned forpkg_install(CFE-3152) - Fixed
pkgsrcmodule on Solaris/NetBSD (CFE-3151) - Moved
zypperpackage module errors to thecf-agentoutput (CFE-3154) - Added new class
mpf_enable_cfengine_systemd_component_managementto enable component management on systemd hosts. When defined on systemd hosts policy will render systemd unit files in/etc/systemd/systemfor managed services and that all units are enabled unless explicitly disabled. When this class is not defined on systemd hosts the policy will not actively mange cfengine service units (no change from previous behavior) (CFE-2429) - Fixed detection of service state on FreeBSD (CFE-3167)
- Added known paths for
trueandfalseon linux (ENT-5060) - Fixed path for
restoreconon redhat systems to/sbin/restorecon - Added
usermodto known paths for redhat systems - Added policy to manage federated reporting with CFEngine Enterprise
- Introduced augments variable
control_hub_query_timeoutto controlcf-hubquery timeout. (ENT-3153) - Added OOTB inventory for IPv6 addresses (sans
::1loopback) (ENT-4987) - Added and transitioned to using
master_software_updatesshortcut in self upgrade policy (ENT-4953) - Added brief descriptions to bodies and bundles in
cfe_internal/CFE_cfengine.cf(CFE-3220) - Added support for SUSE 11, 12 in standalone self upgrade (ENT-5045, ENT-5152)
- Changed policy triggering cleanup of
__lastseenhostlogsto target only 3.12.x, 3.13.x and 3.14.x. From 3.15.0 on the table is absent. (ENT-5052) - Fixed agent disabling on systemd systems (CFE-2429, CFE-3416)
- Ensured directory for custom action scripts is present (ENT-5070)
- Excluded Enterprise federation policy parsing on incompatible versions (CFE-3193)
- Extended watchdog for AIX (ENT-4995)
- Fixed cleanup of future timestamps from status table (ENT-4331, ENT-4992)
- Fixed re-spawning of
cf-execdorcf-monitordafter remediating duplicate concurrent processes (CFE-3150) - Replaced
/var/cfenginewith proper$(sys.*)vars (ENT-4800)- Fixed selection of
standard_serviceswhen used from non-default namespace (ENT-5406)
- Fixed selection of
3.15.0b1
- Added continual checking for
policy_serverstate (CFE-3073) - Added monitoring for PostgreSQL lock acquisition times (ENT-4753)
- Added support for
awkfilters in the FR dump-import process (ENT-4839) - Added support for configuring
abortclassesandabortbundleclassesvia augments (ENT-4823) - Added support for filtering in both dump and import phases of the FR ETL process (ENT-4839)
- Added support for ordering FR
awkandsedscripts (ENT-4839) - Added support for setting periodic package inventory refresh interval via augments (CFE-2771)
- Changed FR policy to honor
target_stateproperly (ENT-4874) - Copy
.awkand.sedfiles from masterfiles to inputs (ENT-4839) - Fixed Python 3 incompatibility in
yumpackage module - Fixed synchronization of important configuration files from active to passive hub (ENT-4944)
- Made keys of all types from feeder hubs trusted on a superhub (ENT-4917)
- Speeded-up FR import process by merging
INSERT INTOstatements (ENT-4839) - Suppressed
stderroutput fromlldpctlwhen using path defined bydef.lldpctl_json(CFE-3109) - Added SQL to update feeder update timestamp during import (ENT-4776)
- Added
ssh_home_ttype tocftransport.sshdir (ENT-4906) - fix use of
_stdlib_path_exists_<command>in FRtransport_userpolicy bundle (ENT-4906) - partitioned
__inventorytable for federated reporting (ENT-4842) psql_wrapperneeded full path topsqlbinary (ENT-4912)yumpackage_modulegets updates available from online repos if local cache fails (CFE-3094)
3.14.0
- Fixed
isvariablesyntax error inupdate_def.cf(CFE-2953) - Added path support for
setfacl,timedatectlandjournalctl(CFE-3013) - Added trailing slash to access promises expecting directories (CFE-3024)
- Added scripts and templates for Federated Reporting (ENT-4473)
rpmpython module is no longer required to checkzypperversion- Changed cleanup consumer status SQL query (ENT-4365)
- Conditioned use of
curlfor ec2 metadata cache oncurlbinary being executable (CFE-3049) - Added augments variables to control
cf-hub(ENT-4269) - Prevented DB maintenance tasks on a passive High Availability hub (ENT-4706)
- Repair outcome for starting
cf-monitordorcf-execdis no longer suppressed (CFE-2964) - Restrictive permissions on hub install log are now enforced (ENT-4506)
- Ensured that asynchronous query API semaphores are writable (ENT-4551)
- Fixed
standalone_self_upgradenot triggering because of stale data (ENT-4317) - Fixed maintenance policy for promise log cleanup to respect
history_length_days(ENT-4588) - Improved efficiency and error handling of user specified policy update bundle
- Log version of Enterprise agent outside of state (ENT-4352)
- Added package module for managing windows packages using
msiexec(ENT-3719) - Prevented inventorying un-expanded memory values from
cf-monitord(ENT-4522) - Prevented performance overhead on hubs that don’t enable license utilization logging (ENT-4333)
- Collection status records in the future are now purged (ENT-4362)
- Reduced cost of knowing when
setoptis available inyum(CFE-2993) runalertsis now restarted if modified (ENT-4273)- Separated kill signals from restart class to avoid warning (CFE-2974)
- Separated termination and observation promises for
cf-monitord(CFE-2963) - Set default access promises for directories to only share if directory exists (CFE-3060)
- Set default value for
purge_scheduled_reports_older_than_days(ENT-4404) - Added more accurate and descriptive daemon classes
collect_windowinbody server controlcan now be set from augments (ENT-4283)- Guarded
varspromises incfe_internal_enterprise_mission_portal_apacheConstrainvarspromises incfe_internal_enterprise_mission_portal_apachetopolicy_server.enterprise_edition::, otherwisecf-promises --show-varsincludes a dump of the entire datastate from thedatavariable incfe_internal_enterprise_mission_portal_apache(line over 100K long). (CFE-3011) redhat_pureis no longer defined on Fedora hosts (CFE-3022)
3.13.0
- Added Debian 9 to the self upgrade package map (ENT-4255)
- Added
system-uuidto defaultdmidecodeinventory (CFE-2925) - Added inventory of AWS EC2 linux instances (CFE-2924)
- Added ubuntu 18 to package map for self upgrade (ENT-4118)
- Allowed
dmidefsinventory to be overridden via augments (CFE-2927) - Analyze
yumreturn code before parsing its output (CFE-2868) - Fixed issue when promise to edit file that does not exist caused “promise not kept” condition (ENT-3965)
- Avoided trying to read
/proc/meminfowhen it doesn’t exist (CFE-2922) - Avoided use of
$(version)forpackage_versionin legacy implementation (ENT-3963) - Cleanup old report data relative to the most recent
changetimestamp(ENT-4807) - Clear
__lastseenhostslogsevery 5 minutes. (ENT-3550) - Configure Enterprise hub pull collection schedule via augments (ENT-3834)
- Configure
agent_expireafterfrom augments (ENT-4308) - Create desired version tracking data when necessary (ENT-3937)
- Cron based watchdog for
cf-execdon AIX (ENT-3963) - Detect systemd service enablement for non native services (CFE-2932)
- Document how
def.aclis used and how to configure it (CFE-2861) - Fixed augments control state paths to work on windows (ENT-3839)
- Fixed
package_latestdetecting larger version in some cases (CFE-1743) - Fixed standalone self upgrade when path contains spaces (ENT-4117)
- Fixed unattended self upgrade on AIX (ENT-3972)
- Fixed services starting on windows (ENT-3883)
- Improve performance of enterprise license utilization logging
- Inventory Memory on HPUX (ENT-4188)
- Inventory Physical Memory MB when
dmidecodeis found (CFE-2896) - Inventory Setuid Files (ENT-4158)
- Inventory memory on Windows (ENT-4187)
- Made recommendations about
postgresql.conf(ENT-3958) - Only consider files that exist for rotation (ENT-3946)
- Prevent noise when a service that should be disabled is missing. (CFE-2690)
- Prevent standalone self upgrade from triggering un-necessarily (ENT-4092)
- Removed Design Center related policies Design center never left beta and has been deprecated. Supporting policies have been removed. If you wish to continue using design center sketches you must incorporate them into inputs and the bundlesequence manually. (ENT-4050)
- Removed unicode characters (ENT-3823)
- Removed templates for deprecated components (ENT-3781)
- Removed un-necessary agent run during self upgrade (ENT-4116)
- Slackware package module support (CFE-2827)
- Specified
scope => "namespace"when using persistent classes (CFE-2860) - Store the epoch of packages in cache db with
zypper - Sync
cf-runalertsoverride unit template with package (ENT-3923) - Update policy can now skip local copy optimization on policy servers (CFE-2932)
- Updated
yumpackage module to take arbitrary options (ENT-4177) - Started using default for package arch on aix (ENT-3963)
- Started using
rpmvercmpfor version comparison on AIX (ENT-3963) - Users allowed to request execution via
cf-runagentcan be configured (ENT-4054) apt_getpackage module includes held packages when listing updates (CFE-2855)
3.12.0b1
- Avoided executing self upgrade policy unnecessarily (ENT-3592)
- Added
amazon_linuxclass toyumpackage module - Introduce ability to set policy update bundle via augments (CFE-2687)
- Localize delete tidy in ha update policy (ENT-3659)
- Improve context notifying user of missing policy update bundle (ENT-3624)
- Configure
ignore_missing_inputsandignore_missing_bundlesvia augments (CFE-2773) - Changed class identifying runagent initiated executions from
cfruncommandtocf_runagent_initiated - Support
enablerepoanddisablerepooptions inyumpackage_module(CFE-2806) - Fixed
cf-runagentduring 3.7.x -> 3.10.x migration (CFE-2776, CFE-2781, CFE-2782) - Makes it possible to tune policy
master_locationvia augments in update policy (ENT-3692) - Fixed inventory for total memory on AIX (CFE-2797)
- Do not manage
redissince it’s no longer used (ENT-2797) - Server control
maxconnectionscan be configured via augments (CFE-2660) - Allowed configuration of
allowlegacyconnectsfrom augments (ENT-3375) - Fixed ability for
zypperpackage_moduleto downgrade packages splaytimeinbody executor controlcan now be configured via augments (CFE-2699)- Added maintenance policy to refresh events table on enterprise hubs (ENT-3537)
- Added apache config for new LDAP API (ENT-3265)
update.cfbundlesequence can be configured via augments (CFE-2521)- Update policy inputs can be extended via augments (CFE-2702)
- Added oracle linux support to standalone self upgrade
- Added bundle to track component variables to restart when necessary (CFE-2326)
- Retention of files found in log directories can now be configured via augments (CFE-2539)
- Allowed multiple sections in
insert_ini_section(CFE-2721) - Added
lines_presentedit_linesbundle scheduleinbody executor controlcan now be configured via augments (CFE-2508)- Include scheduled report assets in self maintenance (ENT-3558)
- Removed unused
body action aggregatorandbody file_select folder - Removed unused
body process_count check_process - Prevent
yumfrom locking inpackage_methodswhen possible (CFE-2759) - Render variables tagged for inventory from agent
host_info_report(CFE-2750) - Made
apt_getpackage module work with repositories containing spaces in the label (ENT-3438) - Allowed hubs to collect from themselves over loopback (ENT-3329)
- Log file max size and rotation limits can now be configured via augments (CFE-2538)
- Changed: Do not silence Enterprise hub maintenance
- Ensure HA standby hubs have
am_policy_hubstate marker (ENT-3328) - Added support for 32bit rpms in standalone self upgrade (ENT-3377)
- Added enterprise maintenance bundles to host info report (ENT-3537)
- Removed unnecessary promises for OOTB package inventory
- Added external watchdog support for stuck
cf-execd(ENT-3251) - Be less noisy when a promised service is not found (CFE-2690)
- Ignore empty options in
apt_getmodule (CFE-2685) - Added
postgres.logto enterprise log file rotation (ENT-3191) - Removed unnecessary support for including 3.6 controls
- Fixed
systemctlpath detection - Policy Release Id is now inventoried by default (CFE-2097)
- Fixed too frequent logging of enterprise license utilization (ENT-3390)
- Maintain access to exported CSV reports in older versions (ENT-3572)
cf-execdservice override template now only killscf-execdon stop (ENT-3395)- Fixed self upgrade for hosts older than 3.7.4 (ENT-3368)
- Avoided self upgrade from triggering during bootstrap (ENT-3394)
- Added json templates for rendering serial and multiline data (CFE-2713)
- Removed unused libraries and controls
- Fixed an error in the
file_make_mustache_*, incorrect variable name used (CFE-2714)
3.11.0
- Renamed
enable_client_initiated_reportingtoclient_initiated_reporting_enabled - Directories for ubuntu 16 and centos 7 should exist in
master_software_updates(ENT-3136) - Fixed: Automatic client upgrades for deb hosts
- Added AIX OOTB
oslevelinventory (ENT-3117) - Disable package inventory via modules on redhat like systems with unsupported python versions (CFE-2602)
- Made stock policy update more resilient (CFE-2587)
- Configure networks allowed to initiate report collection (client initiated reporting) via augments (#910) (CFE-2624)
apt_getpackage module: Fix bug which prevented updates from being picked up if there was more than one source listed in theapt upgradeoutput, without a comma in between (CFE-2605)- Enabled specification of
monitoring_includevia augments (CFE-2505) - Configure
call_collect_intervalfrom augments (enable_client_initiated_reporting) (#905) (CFE-2623) - Added
templatesshortcut (CFE-2582) - Behaviour changed: when used with CFEngine 3.10.0 or greater,
bundles
set_config_values()andset_line_based()are appending a trailing space when inserting a configuration option with empty value (CFE-2466) - Added default report collection exclusion based on promise handle (ENT-3061)
- Fixed ability to select INI region with metachars (CFE-2519)
- Changed: Verify transferred files during policy update
- Changed
select_regionINI_sectionto match end of section or end of file (CFE-2519) - Added class to enable post transfer verification during policy updates
- Added:
prunetreebundle to stdlib Theprunetreebundle allows you to delete files and directories up to a specified depth older than a specified number of days - Do not symlink agents to
/usr/local/binon CoreOS (ENT-3047) - Added: Ability to set
default_repositoryvia augments - Enabled setting
def.max_client_history_sizevia augments (CFE-2560) - Changed self upgrade now uses standalone policy (ENT-3155)
- Fixed
apt_getpackage module incorrectly using interactive mode - Added ability to append to bundlesequence with
def.json(CFE-2460) - Enabled paths to POSIX tools by default instead of native tools
- Removed
bundle agent cfe_internal_bins(CFE-2636) - Include
previous_stateanduntrackedreports when client clear a buildup of unreported data (ENT-3161) - Fixed command to restart apache on config change (ENT-3134)
cf-serverdlistens on ipv4 and ipv6 by default (CFE-528)- Fixed: Make
apt_getmodule compatible with Ubuntu 16.04 (CFE-2445) - Fixed rare bug that would sometimes prevent
redis-serverfrom launching - Added
oslevelto well known paths (ENT-3121) - Added policy to track CFEngine Enterprise license utilization (ENT-3186)
- Ensure MP SSL Cert is readable (ENT-3050)
3.10.0
- Added: Classes body tailored for use with
diff - Changed: Session Cookies use
HTTPOnlyandsecureattributes (ENT-2781) - Changed: Verify transferred files during policy update
- Added: Inventory for system product name (model) (ENT-2780)
- Added: Ensure appropriate permissions for SSL files (ENT-760)
- Fixed rare bug that would sometimes prevent
redis-serverfrom launching. - Changed: Enable strict transport security
- Added: Definition of
from_cfexecdforcf-execdinitiated runs (CFE-2386) - Added testing jUnit and TAP bundles and include them in
stdlib.cf - Changed: Rename duplicate bodies in
ha_update.cf(ENT-2753) - Changed: Disable RC4 Cipher for ssl in Mission Portal
- Pass package promise options to underlying
apt-getcall (#802) (CFE-2468) - Changed: Enable agent component management policy on systemd hosts (CFE-2429)
- Added: Enterprise application log dir to rotation
- Changed: re-enable hub process maintenance
- Added:
edit_linecontains_literal_stringto stdlib - Fixed: Services starting or stopping unnecessarily (CFE-2421)
- Allowed specifying agent
maxconnectionsviadef.json(CFE-2461) - Changed: Disabled http
TRACEmethod - Changed: Reduced Enterprise webserver info
- Changed:
cronjobbundle now tolerates different spacing - Fixed: CFEngine choking on standard services (CFE-2806)
- Changed
select_regionINI_sectionto match end of section or end of file (CFE-2519) - Fixed ability to manage INI sections with metachars for
manage_variable_values_iniandset_variable_values_ini(CFE-2519) - Fixed
apt_getpackage module incorrectly using interactive mode. - Added ability to append to bundlesequence with
def.json(CFE-2460) - Behaviour changed: when used with CFEngine 3.10.0 or greater,
bundles
set_config_values()andset_line_based()are appending a trailing space when inserting a configuration option with empty value. (CFE-2466)
3.7.0
- Support for user specified overriding of framework defaults without modifying
policy supplied by the framework itself (see
example_def.json) - Support for
def.jsonclass augmentation in update policy - Run vacuum operation on PostgreSQL every night as a part of maintenance.
- Added
measure_promise_timeaction body to lib (3.5, 3.6, 3.7, 3.8) - New negative class guard
cfengine_internal_disable_agent_emailso that agent email can be easily disabled by augmentingdef.json - Relocated
def.cftocontrols/VER/ - Relocated
update_deftocontrols/VER - Relocated all controls to
controls/VER - Only load
cf_hubandreports.cfon CFEngine Enterprise installs - Relocated acls related to report collection from
bundle server access_rulestocontrols/VER/reports.cfintobundle server report_access_rules - Re-organized
cfe_internalsplitting core from enterprise specific policies and loading the appropriate inputs only when necessary - Moved update directory into
cfe_internalas it is not generally intended to be modified services/autorun.cfmoved tolib/VER/as it is not generally intended to be modified- To improve predictability autorun bundles are activated in lexicographical order
- Relocated
services/file_change.cftocfe_internal/enterprise. This policy is most useful for a good OOTB experience with CFEngine Enterprise Mission Portal. - Relocated
service_cataloguefrompromises.cftoservices/main.cf. It is intended to be a user entry. This name change correlates with themainbundle being activated by default if there is no bundlesequence specified. - Reduced benchmarks sample history to 1 day.
- Update policy no longer generates a keypair if one is not found. (Redmine: #7167)
- Relocated
cfe_internal_postgresql_maintenancebundle tolib/VER/ - Set
postgresql_monitoring_maintenanceonly for versions 3.6.0 and 3.6.1 - Move hub specific bundles from
lib/VER/cfe_internal.cfintolib/VER/cfe_internal_hub.cfand load them only ifpolicy_serverpolicy if set. - Re-organized
lib/VER/stdlib.cffrom lists into classic array for use withgetvalues inform_modeclasses changed toDEBUG|DEBUG_$(this.bundle)::(Redmine: #7191)- Enabled
limit_robot_agentsin order to work around multiplecf-execdprocesses after upgrade. (Redmine #7185) - Removed Diff reporting on
/etc/shadow(Enterprise) - Update policy from
promise.cfinputs. There is no reason to include the update policy intopromises.cf,update.cfis the entry for the update policy _not_repairedoutcome fromclasses_genericandscoped_classes_generic(Redmine: # 7022)standard_servicesnow restarts the service if it was not already running when usingservice_policy => restartwithchkconfig(Redmine #7258)- Fixed
process_resultlogic to match the purpose ofbody process_selectdays_older_than(Redmine #3009)