3.16.0:
    - Added `cf-secret` binary for host-specific encryption (CFE-2613)
    - 'cf-check diagnose --test-write' can now be used to test writing
      into LMDB files (ENT-4484)
    - 'if' constraint now works in combination with class contexts
      (CFE-2615)
    - Added $(sys.cf_version_release) variable (ENT-5348)
    - Added new macros to parser: else, maximum_version, between_versions,
      before_version, at_version and after_version. Version macros now
      accept single digits (CFE-3198)
    - Added cf-postgres requirement to cf-apache and cf-hub systemd units
      (ENT-5125)
    - Added files promise content attribute (CFE-3276)
    - Added string_trim() policy function (CFE-3074)
    - Added warning if CSV parser parses nothing from non-empty file
      (CFE-3256)
    - All changes made by 'files' promises are now reported. Also,
      directory and file creations are now properly reported as 'info'
      messages. And failures in edit_xml result in promises marked as
      failed not interrupted. Purged dirs and files are reported as
      repaired (ENT-5291, CFE-3260)
    - Bootstrap to loopback interface is now allowed, with a warning
      (CFE-3304)
    - Client initiated reporting was fixed on RHEL 8.1 (ENT-5415)
    - Fixed rare crashing bug when parsing zombie entries in ps output. The
      problem was only ever observed on AIX, but could theoretically happen
      on any platform depending on exact libc behavior. (ENT-5329)
    - Fixed an issue causing duplicate entries in sys.interfaces, and
      sys.hardware.
      (CFE-3046)
    - Fixed ifelse() to return fallback in case of unresolved variables
      (ENT-4653)
    - Fixed locking of promises using log_repaired / log_string with
      timestamps (CFE-3376)
    - Fixed memory leak in handling of inline JSON in policy evaluation
    - Fixed memory leak in readlist functions (CFE-3263)
    - Fixed race condition when multiple agents are acquiring critical
      section locks simultaneously (CFE-3361)
    - Fixed selection of standard_services when used from non-default
      namespace (ENT-5406)
    - Fixed service status cfengine3 on systemd managed hosts (ENT-5528)
    - Fixed some memory leaks and crashes in policy evaluation (CFE-3263)
    - Improved error message for invalid body attribute names (CFE-3273)
    - Improved management of secondary groups to avoid intermediary state
      failures (ENT-3710)
    - LMDB files are now created with correct permissions (ENT-5986)
    - Log messages about broken Mustache templates are now errors (CFE-3263)
    - Made classfiltercsv() fail properly on invalid class expression index
    - Measurements promises with no match no longer produce errors
      (ENT-5171)
    - Moved error reading file in countlinesmatching() from verbose to error
      (CFE-3234)
    - Added new data validation policy functions validdata() and validjson()
      (CFE-2898)
    - New version checking convenience policy functions (CFE-3197)
      Added the following policy functions to check against local CFEngine version:
        - cf_version_maximum()
        - cf_version_minimum()
        - cf_version_after()
        - cf_version_before()
        - cf_version_at()
        - cf_version_between()
    - Removed (USE AT YOUR OWN RISK) from cf-key help menu for -x (ENT-5090)
    - Rewrote helloworld.cf to use files promises content attribute
      (CFE-3276)
    - The outcome classes are now defined for the top-level directory when
      'include_basedir' is 'false' (ENT-5291)
    - Variable references with nested parentheses no longer cause errors
      (CFE-3242)
    - cf-check: Added a more
      user friendly message when trying to print
      unknown binary data (ENT-5234)
    - cf-check: Added data validation for cf_lastseen.lmdb (CFE-2988)
    - cf-check: Added nice printing for nova_agent_executions.lmdb
      (ENT-5234)
    - cf-check: Added validation for timestamps in cf_lock.lmdb (CFE-2988)
    - cf-check: Added validation for timestamps in lastseen.lmdb (CFE-2988)
    - cf-check: Fixed issue causing repair to target the wrong database file
      (ENT-5309)
    - cf-check: Symlinked LMDB databases are now preserved in repair
      Performs diagnosis and repair on symlink target instead of symlink.
      Repaired files / copies are placed alongside symlink target.
      In some cases, the symlink target is deleted to repair a corrupt
      database, and the symlink is left as a broken symlink. This is
      handled gracefully by the agent, it will be recreated. Broken
      symlinks are now detected as an acceptable condition in diagnose,
      it won't try to repair them or delete them. (ENT-5162)
    - storage promises managing nfs mounts should now correctly mount
      after editing fstab entries

3.15.0:
    - New policy function basename() added (CFE-3196)
    - Added read_module_protocol() policy function
      This function reads module protocol from a file, and can be used
      for caching the results of commands modules. (CFE-2973)
    - The @ character is now allowed in the key of classic arrays defined
      by the module protocol (CFE-3099)
    - nth() policy function now supports negative indices (CFE-3194)
    - Fixed .xy floating point numbers parsing in eval() (CFE-2762)
    - Added inform constraint to commands promises, to allow suppression of
      INFO log messages (CFE-2973)
    - Changed unless constraint to be more consistent with if
      For any situation where if would NOT skip a promise, unless
      will cause the promise to be skipped. When there are
      unresolved variables / function calls, if will skip, unless
      will NOT skip.
      (CFE-3160)
    - Default minimum allowed TLS version is now 1.1 (ENT-4616)
    - Network protocol version 2 is now called "tls"
      "tls" or "2" can be used in places where you specify network
      protocol. Log messages were altered, to show "tls" instead of
      "latest". (ENT-4406)
    - Introduced protocol version 3 - "cookie"
      This protocol is identical to version 2 ("tls"),
      except it allows the enterprise reporting hub to send
      the COOKIE command to enterprise hosts. This command is used for
      detecting hosts using duplicate identities. Protocol version "latest"
      now points to version 3. For community installations, it should not
      make a difference, policy servers will not send this command. The only
      visible difference is the new version number (in logs and policy).
      (ENT-4406)
    - Package modules now hit network when package cache is first initialized
      (CFE-3094)
    - Fixed promise skipping bug in unless (CFE-2689)
    - Fixed error message for unexpanded variables in function calls in unless
      (CFE-2689)
    - Prevented buffer overflow when policy variable names are longer than
      1024 bytes
    - Zero bytes in class guards no longer cause crashes (CFE-3028)
    - Fixed bug in ps parsing on OpenBSD / NetBSD causing bootstrap to fail
    - Fixed crash in policy/JSON parsing of numbers with too many decimal
      points (CFE-3138)
    - copy_from without preserve now respects destination mode (ENT-4016)
    - Removed stime_range and ttime_range constraints from promise hash
      (ENT-4921)
    - Fixed promise result when using process_stop in processes type promises
      (ENT-4988)
    - cf-execd now sends SIGKILL to the agent process in case of
      agent_expireafter, after attempting SIGINT and SIGTERM (CFE-2664)
    - cf-serverd now tries to accept connection multiple times (CFE-3066)
    - Fixed multiple measurements tracking growth of same file (ENT-4814)
    - Set create permissions of monitord files in state directory to 0600
      0600 matches the permissions enforced by policy.
      Affected files:
        * state/cf_incoming.*
        * state/cf_outgoing.*
        * state/cf_users
        * state/env_data
      (ENT-4863)
    - Clarified descriptions of io_writtendata and io_readdata (ENT-5127)
    - Clarified log message about process_count and restart_class being used
      concurrently (CFE-208)
    - Agent runs that hit abortclasses now record results (ENT-2471)
    - An ID of rhel in os-release file will now define both rhel and redhat
      classes (CFE-3140)
    - Version specific distro classes are now collected by default in
      Enterprise (ENT-4752)
    - redhat_8 and redhat_8_0 are now defined on RHEL 8 (CFE-3140)
    - Added derived-from-file tag to hard classes based on /etc/redhat-release
      (CFE-3140)
    - Added sys.bootstrap_id policy variable containing the ID from
      /var/cfengine/bootstrap_id.dat, if present (CFE-2977)
    - sys.interfaces now contains interfaces even when they only have
      IPv6 addresses (ENT-4858)
    - IPv6-only interfaces added to sys.hardware_(addresses,mac) (CFE-3164)
    - IPv6 addresses are now added to policy variable sys.ip_addresses
      (CFE-682)
    - IPv6 addresses now respect ignored_interfaces.rx (CFE-3156)
    - hostname now allowed in bindtoaddress (CFE-3190)
    - Fixed issue when removing comments from files in various policy functions
      This also fixes many erroneous occurrences of the error message
      mentioning:

          [...] because it legally matches nothing

      (A warning can still appear if a comment regex actually matches nothing).
      Also made this comment removing logic faster.
      Affected functions include:
        * readstringlist()
        * readintlist()
        * readreallist()
        * peers()
        * peerleader()
        * peerleaders()
        * data_readstringarray()
        * data_readstringarrayidx()
        * data_expand()
        * readstringarray()
        * readstringarrayidx()
        * readintarray()
        * readrealarray()
        * parsestringarray()
        * parsestringarrayidx()
        * parseintarray()
        * parserealarray()
      (CFE-3188, ENT-5019)
    - Fixed memory leak in JSON / env file parsing (CFE-3210)
    - Fixed memory leak in handling of nfs / fstab (CFE-3210)
    - Fixed memory leak in string_replace() and regex_replace() (CFE-3210)
    - Fixed memory leak when using with constraint (CFE-3210)
    - Fixed minor memory leak in policy evaluation (CFE-3210)
    - Fixed small memory leak in SQL database promises (CFE-3210)
    - Received SIGBUS now triggers a repair of local DBs (CFE-3127)
    - Corrupted LMDB files are now automatically repaired (CFE-3127)
    - Keys in the lock database, cf_lock.lmdb, are now human-readable
      (CFE-2596)
    - Local databases now use synchronous access on AIX and Solaris (ENT-4002)
    - Report corrupted local database with a critical log message (CFE-2469)
    - Local DB errors are now logged with the particular DB file path (CFE-2469)
    - cf-check: repair now preserves readable data in corrupted LMDB files
      (CFE-3127)
    - cf-check: --dump option was added to the backup command
    - cf-check: Added --no-fork to diagnose command (CFE-3145)
    - cf-check: Added -M manpage option and other common options (CFE-3082)
    - cf-check: No DB files in state dir now causes errors
    - cf-check: dump command now dumps DB contents to JSON5 (CFE-3126)
    - cf-check: help command can now take a topic as argument

3.14.0:
    - A bootstrap_id.dat file is now generated on every bootstrap
      (CFE-2977)
    - Added options to cf-net to set minimum TLS version and ciphers
      (ENT-4617)
    - Added --no-truncate option to
      cf-key
      This option, when used with --show-hosts changes the formatting
      of the output. Instead of padding and truncating each of the
      fields, they are printed, in full, with no padding, and separated
      by a single tab character. The output is not as pretty, but should
      be more useful for parsing by other scripts / tooling. (CFE-3036)
    - Added a new option --skip-db-check to agent and execd
      This option allows you to enable/disable database (LMDB) consistency
      checks. Initially it is disabled by default, but this will likely
      change. (CFE-2893)
    - Added a new utility to contrib: cf-remote
      cf-remote is a python + fabric tool to log in to remote hosts
      you have ssh access to. It can be used to download, transfer,
      and install cfengine packages as well as bootstrapping etc.
      At this point, cf-remote is not packaged with CFEngine, but can be
      installed separately from:
      https://github.com/cfengine/core/tree/master/contrib/cf-remote
      (CFE-2889)
    - Added derived-from-file tags to hard classes based on /etc/debian_version and /etc/issue
    - Added a function to filter CSV-files by classes (CFE-2768)
    - Forward slash is now an allowed character in module protocol commands
      (CFE-2478)
    - Augments files can now handle class expressions by appending '::'
      A condition in an augments file is treated as a class expression
      if it ends in ::. Otherwise it is treated as a regular
      expression.
      (CFE-2954)
    - Internal ps command can now handle longer usernames (CFE-2951)
    - Made copylink_pattern honor '/../' in copy source (CFE-2960)
    - CSV parser now supports CRLF inside double quotes (ENT-4504)
    - Added an error when a function defining a variable still fails at
      pass 3 (CFE-2983)
    - Documented cf-execd and cf-serverd response to SIGHUP in manpage
      (CFE-2853)
    - Stopped trimming leading zeroes in ubuntu minor version class
      The old version detection logic (using /etc/debian_version) was
      converting the minor version part to an integer, defining
      ubuntu_18_4 instead of ubuntu_18_04. The new platform detection
      (based on /etc/os-release) defines ubuntu_18_04. Since both old
      and new methods are running to maximize compatibility, both
      ubuntu_18_04 and ubuntu_18_4 were defined.
      This commit ensures that the old detection logic treats the
      minor version (the 04 part) as a string, not an integer. The
      change is specific to Ubuntu, and should affect Ubuntu 18.04,
      16.04, 14.04, etc. (CFE-2882)
    - SUID log permissions are now properly enforced (CFE-2919)
    - Agent log file names are now always lowercase
    - Extended module with file protocol for data (CFE-3050)
    - Fixed a segfault in 'cf-promises -p json-full' (CFE-3019)
    - Added cf-key help output to indicate ability to delete by key digest
      (CFE-2997)
    - Fixed disabling TLS 1.0 (CFE-3068)
    - Fixed growing memory footprint of daemons (CFE-3032)
    - Fixed the log message about setting collect_window (ENT-4238)
    - Fixed the log message when parsing TIME in 'ps' output fails
    - Fixed parsing of YAML values starting with numbers (CFE-2033)
    - Fixed sys.flavor on AIX (ENT-3970)
    - Fixed 6 cases where promises could get the wrong outcome
      All cases were related to error handling and detected using
      static code analysis (LGTM). They were limited to cf-monitord
      and cf-agent (guest_environments and files promise types).
      Due to a programming mistake, promise results would sometimes be
      overwritten with 'skipped' outcome. Keeping the previous
      value or making the promises 'not kept' is expected behavior.
      Added a query to our CI (LGTM) to make sure we catch this error
      on new contributions.
    - Fixed an issue while parsing ps output on AIX (ENT-4295)
    - Fixed a memory leak in filesexist function (ENT-4313)
    - Fixed a memory leak in mustache rendering (ENT-4313)
    - Fixed a memory leak in: differences(), intersection(), unique()
      (ENT-4586)
    - Fixed a segfault in policy parser (ENT-4022)
    - Connection cache is now global (CFE-2678)
    - Increased verbosity of AcquireLock permission error (ENT-4395)
    - Message about invalid class characters from module protocol moved to VERBOSE
      (CFE-2887, CFE-3008)
    - Prevented buffer overflows in cf-monitord data parsing
    - Private keys generated by cf-key are no longer encrypted
      Private key files encrypted with a broken cipher and default
      hard coded passphrase provide no real security, and are only an
      inconvenience. Maybe it was intended to add a password prompt
      later, but it's been 10 years now, and the cipher and passphrase
      remain untouched. The function which reads keys still supports
      both encrypted and unencrypted keys, it will decrypt if necessary.
    - Reduce SSL/TLS shutdowns on bad networks (CFE-3023)
    - Removed programming error in handling of process_count body
      Previously, having a failing function call inside in_range_define
      or out_of_range_define would cause a programming error when
      trying to define that as a class. Fixed it by detecting the
      case, printing a normal error, and skipping defining the class.
      (CFE-2067)
    - Set policy->release_id to "failsafe"/"bootstrap" when running failsafe.cf
      (CFE-3031)
    - Switched permissions of various temporary files in state to 0600
      These files were created with 0644 permissions, and then
      repaired in policy. However, since they are deleted / recreated
      periodically, it causes INFO noise. Safer and better user
      experience to create them with restricted permissions to
      begin with.
      Affected files:
        * $(sys.statedir)/cf_procs
        * $(sys.statedir)/cf_rootprocs
        * $(sys.statedir)/cf_otherprocs
      (ENT-4601)
    - string_split segments are now truncated to 1024 bytes instead of
      crashing (CFE-3047)
    - Unresolved function calls in process_select body are now skipped
      Function calls which always fail, like getuid("nosuchuser"), are
      never resolved. Previously this would cause a programming error,
      since the body is expected to have a list of strings, not
      unresolved function calls.
      The function calls are silently skipped (with a verbose message)
      as this matches the behavior of calling the functions in a vars
      promise, and using that as a body parameter.
      (CFE-1968)
    - cf-check directories can now be controlled from ENV vars (CFE-2994)
    - cf-check: Added backup command
      This command copies lmdb files to a timestamped backup directory.
      (ENT-4064)
    - cf-check: diagnose and backup now use state directory by default
      (ENT-4064)

3.13.0:
    - Add support for TLS 1.3 and its ciphersuites
    - Add 'feature' hard classes for supported TLS versions
      Different versions of TLS are supported depending on what version
      of OpenSSL CFEngine was compiled and linked with. Newly added
      feature hard classes bring that information to the
      policy.
      Classes like these are now defined (for supported
      versions of TLS):
          feature_tls          source=agent,hardclass
          feature_tls_1        source=agent,hardclass
          feature_tls_1_0      source=agent,hardclass
          feature_tls_1_1      source=agent,hardclass
          feature_tls_1_2      source=agent,hardclass
          feature_tls_1_3      source=agent,hardclass
    - Add a new variable $(sys.default_policy_path)
      A new sys variable that provides the path of the default policy
      file evaluated when no file is specified with the '-f' option.
    - Add an option to skip the initial policy run on bootstrap
      In some cases it may not be desired to run the policy as the last
      step of the bootstrap. This can be done with the new
      '--skip-bootstrap-policy-run' option for cf-agent. (CFE-2826)
    - Trigger promises.cf as the last step of bootstrap (CFE-2826)
    - Add support for overriding the package module's path (CFE-2103)
    - Add support for setting package module interpreter (CFE-2880)
    - Added --log-level option to all components
      This allows you to specify any log level (info, verbose, debug etc.).
      It is also less strict, allowing different spelling. As an example,
      --log-level i, --log-level INFO, --log-level inform are all the same.
    - Added a new binary: cf-check
      Corrupt local databases (LMDB) continue to be a problem.
      cf-check will be used to diagnose and remediate problems
      with corrupt databases. It is a standalone binary, which
      doesn't evaluate policy or use the local databases, thus
      it can be used in situations where the other binaries
      like cf-agent would hang.
      cf-check replaces our lmdb database dumper, lmdump.
      cf-check lmdump or symlinking / renaming it to lmdump
      will make cf-check have the exact same behavior as lmdump.
      cf-check will include much more functionality in the future
      and some of the code will be added to other binaries,
      for example to do health checks of databases on startup.
      Ticket: (ENT-4064)
    - Added function string_replace. (CFE-2850)
    - Allow dots in variable identifiers with no such bundle
      As described and discussed in CFE-1915, defining remote variables
      (injecting variables into remote bundles) is dangerous and must
      be blocked. However, using a dot-separated common prefix for
      variables raises no security concerns and can be considered
      valid. (CFE-1915)
    - Allow requiring TLS 1.3 as the minimum version
    - Apply augments after vars, classes and inputs in def.json
      (CFE-2741, CFE-2844)
    - Bundle name is now part of the log message when aborting a bundle
      (CFE-2793)
    - Class names set by module protocol are automatically canonified
      (CFE-2877, CFE-2887)
    - Classes failsafe_fallback and bootstrap_mode are now reported by default
    - Correct log level for data_readstringarray* (CFE-2922)
    - Do not iterate over JSON objects' properties in mustache (CFE-2125)
    - Do not render templates when passed invalid data (CFE-2194)
    - Eliminated error messages caused by attempting to kill expired processes
      (CFE-2824)
    - Fix cf-runalerts systemd unit conditions so the service will run
      (ENT-3929)
    - Fix the off-by-one error in cf-runagent background process spawning
      (CFE-2873)
    - Fixed OOB read / heap buffer overflow in evaluator (ENT-4136)
    - Fixed a memory leak which occurred when reloading RSA keys from disk
      (CFE-2857)
    - Fixed a memory leak which occurred while loading augments files
      (CFE-2913)
    - Fixed an issue with splay time in cf-execd (CFE-2931)
    - Fixed error handling and memory leak in cf-key (CFE-2918)
    - Fixed memory leak in JSON to policy conversion (ENT-4136)
    - Fixed memory leak in lmdb cleanup (CFE-2918)
    - Fixed memory leaks in cf-agent during bootstrap (CFE-2918)
    - Fixed memory leaks in variablesmatching() and findfiles() (CFE-2918)
    - Fixed missing class with mustache templates in warn_only mode
      (CFE-2600)
    - Fixed small memory leak in cf-serverd (CFE-2918)
    - Fixed small memory leak in cf-upgrade (ENT-4136)
    - Fixed small memory leaks of environment variable strings (CFE-2918)
    - LMDB database dumper, lmdump, no longer creates empty databases
      (ENT-4064)
    - Made variablesmatching functions treat args regexes more correctly
      variablesmatching() and variablesmatching_as_data() no longer
      use string comparison to find matches. The documentation is clear;
      arguments should be regexes (so you have to escape special
      characters).

          bundle agent main
          {
            vars:
              "myvar"
                string => "example",
                meta => {"os[linux]"};
              "matches"
                slist => variablesmatching(".*", "os\[linux\]");
            reports:
              "Match: $(matches)";
          }

      The above example is correct. If you don't escape the brackets
      like above, it will no longer work. (You probably shouldn't use
      brackets in tags anyway).
    - Prevent the init script from managing processes inside containers
      (ENT-3800)
    - Read mustache-rendered files in text mode when comparing digest
      (ENT-2526)
    - Reload persistent classes on config reload in cf-execd and cf-serverd
      (CFE-2857)
    - Fixed issue with @if macro failing when it is on the first line.
      (CFE-2817)
    - Fixed issue with cf-agent intermittently hanging on windows
      sometimes (ENT-3756)
    - change GIT_BRANCH to GIT_REFSPEC and remove Design Center vars
      (ENT-4023)
    - os-release file is now used for hard classes and sys.flavor on all linuxes
      This will improve platform detection on newer operating systems where
      /etc/os-release (or /usr/lib/os-release) is present.
      A hard class will be set for the value of the ID key (canonified with
      underscores), if it exists. If both ID and VERSION_ID exist, multiple
      hard classes will be set for all parts of the version number. The
      special variable sys.flavor will also be set by determining major
      version from VERSION_ID.
      Example os-release file:
          ID=coreos
          VERSION_ID=1185.3.0
      For the example above, sys.flavor will be coreos_1185 and 4 hard
      classes will be set; coreos_1185_3_0, coreos_1185_3, coreos_1185,
      and coreos.
      For backwards compatibility, older distribution specific logic is still
      executed and may overwrite sys.flavor and define hard classes as before.
    - refactor use of atexit to use custom cleanup function instead. On Windows
      atexit() unloads DLLs before and/or during atexit functions being called
      which causes bad behavior. (ENT-3756)

3.12.0b1:
    New Features:
    - Add a --key-type option to specify RSA key size to cf-key
    - New hash_to_int policy function (CFE-2733)
    - Issue a warning on ignored locking attributes (CFE-2748)
    - Add IPv6 hard classes with the "ipv6_" prefix (CFE-2310)
    - Introduce "missing_ok" attribute in body copy_from
      This allows to ignore missing sources in file copy operations (CFE-2365)
    - Enable Xen hypervisor detection on all x86 platforms (CFE-2203)
    - Add sys.policy_entry variables (CFE-2572)
    - Added inline_mustache template method (CFE-1846)
    - New component cf-net (cf-net is a CLI for the CFEngine network protocol,
      useful for debugging, testing etc) and accompanying policy variable
      sys.cf_net containing path to cf-net binary

    Changes:
    - Load augments at the end of context discovery
      This means that classes defined as part of the context discovery
      (e.g.
      'am_policy_hub' and 'policy_server') can be used in the
      augments (CFE-2482)
    - Open measurements promise type from enterprise cf-monitord
    - Transform filesexist() into a collecting function (CFE-2744)
    - Load process table when actually needed for a processes promise (ENT-2536)
    - Ignore commented out entries in fstab when edit_fstab is true (CFE-2198)
    - Do not move obstructions in warn policy mode (CFE-2740)
    - Made the max bytes parameter to file reading functions optional (CFE-2656)
    - Do not tag large volatile variables for inventory
      sys.interfaces_data, sys.inet and sys.inet6 are commonly larger than the
      maximum data size allowed to be collected by cf-hub. Data larger than 1k
      is truncated. Instead of reporting truncated data this change stops
      tagging the variable so that it will not be collected to the Enterprise
      hub and will not be available in Mission Portal. (ENT-3483)
    - cf-execd now re-parses augments on policy reload (CFE-2406)
    - Improve misleading verbose message
      For constraints if/ifvarclass/unless, we now print the whole rval of the constraint.
      Previously the message was just "skipping variable because ifvarclass is not defined" while the variable itself was defined.
      Old message example:
          verbose: Skipping promise 'mailto' because 'if'/'ifvarclass' is not defined
      Changed to:
          verbose: Skipping promise 'mailto' because 'ifvarclass => not(isvariable("mailto"))' is not defined
      (CFE-2697)
    - Promise comments for file changes moved to verbose (ENT-3414)
    - Suppress output from systemctl based restart of services in
      bootstrap/failsafe (CFE-1459)
    - Parser can now handle larger input buffers (CFE-1886)
    - Improve logging of ACL errors (ENT-3455)
    - cf-execd systemd service now only kills cf-execd itself (ENT-3395)
    - Load multiple augments from "augments" string array in def.json
      (CFE-2084)
    - Improve support for Alpine Linux
    - Set the exit value when running cf-key
      When running cf-key to generate new keys, set the exit value of the
      program to be 0 on success and 1 on failure. This makes it easier to
      catch errors during setup of a new machine.
      Change the default behavior of the program to not write anything to stdout,
      opting to use the Log() function which can write to stdout and will also
      allow output to be sent to syslog.
      Add a --inform option to set the global log level to LOG_LEVEL_INFO.
      Change the permissions of the randseed file to 600 and catch the exception
      if the chmod call fails.
    - Properly reverse-resolve DNS names longer than 63 chars (ENT-3379)
    - Properly redirect init script to systemd on debian systems (ENT-3326)

    Bug fixes:
    - Disallow modifications of variables from a remote bundle (CFE-1915)
    - Speedup evaluation by not copying variables table when expanding a promise
      (CFE-2524)
    - Resolve subkey conflicts when converting to JSON
      Whenever there is a conflict of array variable definitions prefer
      the container subkeys over simple values when converting to JSON
      (CFE-2536)
    - Do not ignore meta promises in server bundles (CFE-2066)
    - Add a debug log for computed class in splayclass
    - Don't error when calling isexecutable on broken link (CFE-741)
    - Fix segfault when no show-evaluated-vars/classes is specified
    - Fix memory leak in cf-execd, triggered when sending email failed (CFE-2712)
    - Fix IPv6 parsing to be un-reversed (CFE-2580)
    - Fix bug preventing permission changes on Unix sockets (CFE-1782)
    - Fix storage mount promise when existing mountpoint has a similar path
      (CFE-1960)
    - Fix segfault when cf-promises -p is called against a file with syntax
      errors (CFE-2696)
    - Fix rare cf-execd hang (CFE-2719)
    - Fix mergedata segfault when called on a non-container (CFE-2704)
    - Do not segfault if policy_server.dat only contains whitespaces and/or line breaks
    - Fix segfault on JSON policy files with no bundles and bodies (CFE-2754)


3.11.0:
    New Features:
    - Allow function calls in promiser using universal "with" attribute
      (CFE-1092)
    - Add example of with attribute (CFE-1092)
    - Detect Amazon Linux and set "AmazonLinux" hard class and
      sys.flavour variable
    - New sysctlvalue() and data_sysctlvalues() functions from /proc/sys
      (CFE-2513)
    - readdata() also auto-detects .yml files as YAML
    - Added support for ENV and CSV file parsing (CFE-1881)
    - Added vars and classes for CoreOS (ENT-3043)
    - cf-agent:
      implement --show-evaluated-vars and --show-evaluated-classes
    - Support for custom ports and host names as policy hub (CFE-953)
    - cf-promises: allows --show-vars and --show-classes to take an optional filter
    - Added a new tool: cf-net. cf-net is a CLI for the CFEngine
      network protocol, useful for debugging, testing etc (CFE-2493)
    - New policy variable: sys.cf_net contains path to cf-net binary
    - Read /etc/os-release into sys.os_release (CFE-1881)

    Changes:
    - readintlist() now prints an error if the
      file contains real numbers, not integers, and aborts; previously it was
      printing an info-level error message, was half-reading an integer out of
      the real, and was continuing successfully.
    - "make tar-package" should create a tarball with the contents of
      "make install" (ENT-3041)
    - Allow opening symlinks owned by root or by the current user
      (CFE-2516)
    - Change warning message about depth_search on a non directory to
      DEBUG level
    - Ensure synchronous start and stop with systemctl (ENT-2841)
    - Put logs in /var/log and PID files in /var/run when using FHS layout
      (CFE-2449)
    - readstringlist(), readintlist(), readreallist(): Print
      verbose instead of error message if file can not be read
    - cf-serverd: Do not close connection when file does not exist
      (CFE-2532)
    - policy_server.dat now appends a newline and supports host & port
    - Allow string_head and string_tail to take negative arguments
    - getvalues(inexistent_var) returns an empty list.
      Restores 3.7.x and earlier behaviour. (CFE-2479)
    - Partially restore old getvalues(array) behaviour
      Bugfix: getvalues() now behaves correctly for old CFEngine
      arrays of depth 1
      Behaviour change: it always returns a list now. Even when v is a simple
      string (i.e. not an iterable) it will return an slist with one element:
      the value of the string variable.
      Known issues: getvalues() still misbehaves with double-indexed arrays
      (see CFE-2504, CFE-2536)
    - The source version of CFEngine now installs binaries into
      bin folder instead of sbin folder (CFE-2448)
    - Don't error during dry run for proposed execution (CFE-2561)
    - Print verbose instead of error message when readfile() fails (CFE-2512)
    - cf-serverd: Auto configure max open files ulimit according to
      maxconnections (CFE-2575)
    - Made the max bytes parameter to file reading functions optional.
      Affects readfile(), readenvfile(), readcsv()

    Bug fixes:
    - Fix insert_lines related memory corruption (CFE-2520)
    - Prevent LMDB assertion on AIX by ensuring nested DB calls are
      not occurring during signal handler cleanup (CFE-1996)
    - Fix a bug which could cause cf-execd to believe there was
      an error when sending the email report, when there really wasn't
    - zendesk#3204: Fix "lastseenexpireafter" 32-bit signed int overflow
    - Fix cf-execd not exiting immediately with SIGTERM on AIX (ENT-3147)
    - Fix automatic service stops based on runlevel (redhat/centos)
      (CFE-2611)
    - Fix cf-serverd crash when reporting corrupted data (ENT-3023)
    - Fix rare output truncation on Solaris 10/11 (CFE-2527)
    - Fix crash on Solaris when ps ucb variant is not available (CFE-2506)
    - Fix logic to detect when running under a Xen Hypervisor (CFE-1563)
    - Fix "lastseenexpireafter" 32-bit signed int overflow (zendesk#3204)
    - Fix IPv6 parsing to be un-reversed (CFE-2580)

3.10.0:
    New features/additions:
    - All new features/additions for 3.8 and 3.9 are also included in 3.10.
    - Add: Classes body tailored for use with diff
    - New feature: Classes promise: allow classes without an expression to default to defined.
    - Support for custom ports and host names as policy hub (CFE-953)
    - Add: Definition of from_cfexecd for cf-execd initiated runs
      (CFE-2386)
    - Add < <= > >= operators to eval().
    - Add testing jUnit and TAP bundles and include them in stdlib.cf
    - New function isipinsubnet() (ENT-7949)
    - LogDebug(): implement module-based debug logging.
      Now most DEBUG messages are *not* printed even when "-d" is in use, but
      the specific debug module has to be enabled on the command line. For
      example to enable all log modules, run:
          cf-agent -d --log-modules=all
    - Add: edit_line contains_literal_string to stdlib
    - add variablesmatching_as_data() function paralleling variablesmatching()
      (Redmine #7885)
    - Allow specifying agent maxconnections via def.json (CFE-2461)
    - Add getuserinfo() function
    - Add body agent control select_end_match_eof option. (CFE-2390)
    - Add class to enable post transfer verification during policy updates
    - Add ability to append to bundlesequence with def.json (CFE-2460)
    - policy_server.dat now appends a newline and supports host & port

    Changes:
    - Rewrite iteration engine to avoid combinatorial explosion with nested variable expansions.
      This speeds up enormously the execution of policies that included long
      slists or JSON containers, that in the past didn't even terminate.
      Change: "cf_null" string literal was changed to not be something
        special, and it's now a string that can be used anywhere, like
        in slists or part of bundlesequence etc.
        NOTE: Old policy should be grep'ed for "cf_null" and in case such
        occurrences were handled specially, they should be reworked.
      Change: "--empty-list--" is now never printed by format(),
        an empty list is now printed as "{ }".
      Change: Order of pre-evaluation was slightly changed. A new "vars" pass
        at the beginning of pre-evaluation was added.
        It used to be classes-vars, but it was changed to vars-classes-vars. As a
        result some classes or variables might be evaluated at a
        different time than before. As always try to write policy code that works no matter what the
        order of execution is.
        One way is to always *guard* the execution of functions to avoid
        bogus function results. For example the following will avoid
        running execresult() before the file has been created:
            execresult("cmd /path/to/filename") if => fileexists("/path/to/filename");
      C internals: NULL Rlist is now perfectly valid, in fact it is the only
        way to denote an empty Rlist.
      C internals: Since a slist variable can be NULL, API of
        EvalContextVariableGet() changed: The way to detect if a
        variable is found, is not to check return value for NULL,
        but to check returned *type* for CF_DATA_TYPE_NONE.
        Fixed what I could find as wrong API uses. (CFE-2162)
    - Allow arbitrary service policies (CFE-2402)
    - Behaviour change: cf-execd: Do not append -Dfrom_cfexecd to exec_command.
      (CFE-2386)
    - Failsafe/Bootstrap no longer copy files starting with .git (like .gitignore) or .mailmap
      (CFE-2439)
    - Change: Enable strict transport security
    - Change: Disable http TRACE method
    - Change: Verify transferred files during policy update
    - Allow getvariablemetatags() and getclassmetatags() to get a specific tag key
    - Change: Use more restrictive unix socket perms (ENT-2705)
    - Add sys.user_data container for user starting agent.
    - Pass package promise options to underlying apt-get call (#802)
      (CFE-2468)
    - Change: Enable agent component management policy on systemd hosts
      (CFE-2429)
    - Change: Switch processes restart_class logging to verbose
    - Change: Log level for keeping verbatim JSON to DEBUG (CFE-2141)
    - Change: Require network before cfengine services (CFE-2435)
    - Behaviour change: getvalues(inexistent_var) returns an empty list.
      Restores 3.7.x and earlier behaviour. (CFE-2479)
    - Behaviour change: when used with CFEngine 3.10.0 or greater,
      bundles set_config_values() and set_line_based() are appending a
      trailing space when inserting a configuration option with empty value.
      (CFE-2466)
    - Behaviour change: getvalues() always returns a list now. Even when v is a simple
      string (i.e. not an iterable) it will return an slist with one element:
      the value of the string variable.
    - Behaviour change: readintlist() now prints an error if the
      file contains real numbers, not integers, and aborts; previously it was
      printing an info-level error message, was half-reading an integer out of
      the real, and was continuing successfully.
    - Ensure synchronous start and stop with systemctl (ENT-2841)
    - Change select_region INI_section to match end of section or end of file
      (CFE-2519)

    Bug fixes:
    - fix files promise not setting ACL properly on directories. (CFE-616)
    - Upgrade CFEngine dependencies to the following versions:
        - libxml2 2.9.4
        - OpenSSL 1.0.2j
        - LibYAML 0.1.7
        - Curl 7.50.3
    - Fix cumulative() to accept up to 1000 years, like it's documented.
    - Fixed parsing of host name/IP and port number in cf-runagent
      (CFE-546)
    - Fix intermittent error message of type:
      "error: Process table lacks space for last columns: <cmd>" (CFE-2371)
    - storage: Properly initialize the list of current mounts (CFE-1803)
    - Fix 'contain' attribute 'no_output' having no effect when
      the 'commands' promise is using 'module => "true"'. (CFE-2412)
    - Fix bug which caused empty emails to be sent from cf-execd
      if there was no previous output log and the new log was fully filtered
      by email filters. (ENT-2739)
    - allow ifelse(FALSE, $(x), "something else") to work. (CFE-2260)
    - Fix connection cache, reuse connections when possible.
      (CFE-2447)
    - Fix rare bug that would sometimes prevent redis-server from launching.
    - Fix bug in files promise when multiple owners are promised
      but first one doesn't exist, and improve logging. (CFE-2432)
    - define kept outcome with action warn if edit_line is as expected
      (CFE-2424)
    - Example using getvariablemetatags() and getclassmetatags() to get a specific tag key
    - Remove 2k limit on strings length when writing JSON policies
      (CFE-2383)
    - Fix ttime_range constraint to go higher than 2G as number of seconds.
    - Change: cronjob bundle tolerates different spacing
    - Allow editing fields in lines longer than 4k (CFE-2438)
    - Don't send empty emails for logs where everything is filtered.
      (ENT-2739)
    - allow maplist(), maparray(), and mapdata() to evaluate function calls during iteration
      (ARCHIVE-1619)
    - insert_lines is no longer implicitly matching EOF as
      end of the region if 'select_end' pattern is not matched. (CFE-2263)
    - Change: Remove executable bit from systemd units (CFE-2436)
    - cf-serverd should reload def.json when reloading policy (CFE-2406)
    - Fix cf-monitord detection of usernames of the process table on AIX.
    - Speed up local and remote file copying and fix spurious errors.
      (ENT-2769)
    - Fix occasional segfault when running getindices() on a
      variable that has indices of multiple depths (e.g. both "a[x]" and
      "a[x][y]"). (CFE-2397)
    - When no file is provided when calling cf-promises
      with cf or json output, use promises.cf by default. This restores the
      previous behavior. (CFE-2375)
    - Fix: Services starting or stopping unnecessarily (CFE-2421)
    - Change: Split systemd units (CFE-2278)
    - EOF is matched as an end of the region in edit_line
      promises only if 'select_end_match_eof' parameter is true. (CFE-2263)
    - Fix double logging of output_prefix, and log process name for cf-agent syslog messages.
      (CFE-2225)
    - Be less verbose if a network interface doesn't have a MAC address.
      (CFE-1995)
    - Fix: CFEngine choking on standard services (CFE-2806)
    - fix insert_lines related memory corruption (CFE-2520)
    - fix cf-serverd crash when reporting corrupted data. (ENT-3023)
    - Fix ability to manage INI sections with metachars for
      manage_variable_values_ini and set_variable_values_ini (CFE-2519)
    - Fix apt_get package module incorrectly using interactive mode.
    - Fix crash on Solaris when ps ucb variant is not available. (CFE-2506)
    - cf-serverd: Do not close connection when file does not exist.
      (CFE-2532)
    - getvalues() now behaves correctly for old CFEngine arrays of depth 1.
      Known issues: getvalues() still misbehaves with double-indexed arrays
      (see CFE-2504, CFE-2536)

3.9.0:
    New features/additions:
    - Add optional interface parameter to iprange() to match only one interface.
    - Allow '=' in symbolic modes (Redmine #7826)
    - Add: FreeBSD ports package module
    - New package module for FreeBSD pkg package manager.
    - Add support for adding/removing fifos in policy
    - Add Linux parsing of /proc/net/ data.
        - sys.inet
        - sys.inet6
        - sys.interface_data
        - Data is returned as a data container.
        - See documentation for more details. (Jira CFE-1991)
    - sys.ip2iface: new reverse mapping variable from IP to interface name
    - Namespaced classes can now be specified on the command line.
    - namespaces can now be passed to cf-runagent -D and --remote-bundles
      (Redmine #7856)
    - Add 'cf-full' and 'json-full' to cf-promises '-p' option.
      They generate output based on the entire policy. The existing 'cf'
      already behaved this way, and it has now been changed to generate
      output only for a single file, which the existing 'json' option
      already does.
    - New language functions: processexists() and findprocesses()
      (Redmine #7633)
    - Implement new regex_replace() function. (Redmine #7346)
    - Add log rotation policy for state/classes.jsonl log. (Redmine #7951)
    - Added collect_vars utility bundle to stdlib
    - Introduce report_class_log attribute to body agent control.
      (Redmine #7951)
    - Add standard_services service_method allowing for explicit usage
    - cf-promises --show-vars can now show JSON variables.
    - Add json_pipe mode to mapdata(), which allows piping a
      JSON container to an external program for manipulation and receiving
      JSON back. The jq tool is a good example where this mode can be
      useful. A corresponding $(def.jq) variable has also been added with
      a default path to this tool. See documentation for mapdata() for
      more information and examples. (Jira CFE-2071)
    - behaviour change: "true" is always defined and "false" is never defined in a context expression.
    - Add: nimclient package module for AIX
      This module provides basic functionality for using nimclient as a means
      to ensure packages are either present or absent. It does not support
      listing package updates available or provide any special caching.
    - Add callstack_callers() and callstack_promisers() functions.
    - Log variable definitions in debug output. (Redmine #7137)
    - Add: Memory information to host info report (Jira CFE-1177)
    - In Mustache templates, one can now use {{#-top-}} and
      {{/-top-}} tags to iterate over the top level element in a
      container. (Redmine #6545)
    - Add network_connections() function that parses /proc/net
    - Provide new -w argument to override the workdir for testing
    - New feature: Emails sent by cf-execd can be filtered to get
      rid of emails for unwanted log messages. The attributes
      mailfilter_include and mailfilter_exclude in body executor
      control control what to include.
      See documentation for cf-execd for more information. (Jira CFE-2283)
    - Add: file_make_mustache bundle to render mustache templates
    - Add '-n' flag to cf-key to avoid host name lookups.
    - cf-agent, cf-execd, cf-promises, cf-runagent and cf-serverd honor multiple -D, -N and -s arguments
      (Redmine #7191)
    - Add "canonify" mode to mapdata().
    - Add: printfile bodies to stdlib
    - Add: New results classes body [] (Redmine #7418, #7481)
    - Implement cf-runagent --remote-bundles and cf-serverd "bundle" access promise.
      (Redmine #7581)
    - Add commands promise arglist attribute, augmenting args attribute.
    - It's now possible to reference variables in inline JSON,
      for example: mergedata('[ thing, { "mykey": otherthing[123] } ]').
      thing and otherthing[123] will be resolved as variables, since
      they are unquoted. See the documentation for more details.
      (Redmine #7871)
    - Allow inline JSON to be used in the following function
      calls:
        - data_expand()
        - difference()
        - every()
        - filter()
        - format()
        - getindices()
        - getvalues()
        - grep()
        - intersection()
        - join()
        - length()
        - makerule()
        - mapdata()
        - maplist()
        - mean()
        - mergedata()
        - none()
        - nth()
        - parsejson()
        - product()
        - regarray()
        - reglist()
        - reverse()
        - shuffle()
        - some()
        - sort()
        - storejson()
        - string_mustache()
        - sublist()
        - sum()
        - unique()
        - url_get()
        - variance()
      For example: mergedata('[ "thing", { "mykey": "myvalue" } ]')
      See the documentation for more details. (Jira CFE-2253)
    - Add: edit_line contains_literal_string to stdlib
    - Add body agent control select_end_match_eof option.
      (Jira CFE-2390)

    Changes:
    - Change: classesmatching(): order of classes changed
    - Change: getindices(), getvalues(), variablesmatching(), maparray():
      order of variables returned has changed
    - Change: set_quoted_values uses bundle scoped classes
    - Change: set_config_values uses bundle scoped classes
    - Change: set_variable_values uses bundle scoped classes
    - Change: set_config_values_matching uses bundle scoped classes
    - Change: manage_variable_values_ini uses bundle scoped classes
    - Change: set_line_based should use bundle scoped classes
      (Jira CFE-1959)
    - getvalues() will now return a list also for data containers,
      and will descend recursively into the containers. (Redmine #7116)
    - Change: Improve git drop user support
    - Use new package promise as default package promise
      implementation. (Jira CFE-2332)
    - Don't follow symbolic links when copying extended attributes.
    - When a bodydefault:<promise_type>_<body_type> body is
      defined, it will be used by all promises of type <promise_type>
      unless another body is explicitly used.
    - cf-serverd no longer appends "-I -Dcfruncommand" to
      cfruncommand, this has to be done manually in masterfiles
      body server control. (Redmine #7732)
    - eval() function arguments mode and options are now
      optional.
    - sort() function argument mode is now optional.
    - Change: returnszero() no longer outputs the output of a command.
      The output can be seen by enabling info mode (-I).
    - cfruncommand is not executed under shell. (Redmine #7409)
    - Remove: Apache CGI module
    - Change: Make maxbytes arg of readjson() and readyaml() optional
    - Classes matching agent control's abortclasses are
      now printed before exit, even if they are defined in common bundles.
      Previously the regex (in abortclasses) that matched the class was
      printed if the class was defined in a common bundle, but the class
      itself was printed if it was defined in an agent bundle. With this
      change, the defined class that caused the abort is always printed.
    - Remove: Support for email settings from augments_file (Redmine #7682)
    - Change: set_variable_values_ini uses bundle scoped classes
    - findfiles() now skips relative paths. (Redmine #7981)
    - Client connections using non TLS protocol are rejected
      by default. (Jira CFE-2339)
    - Change: Policy files specified in the "inputs" section of
      def.json will no longer be auto-loaded. One has to refer to the
      which are using the "inputs" field inside def.json. (Redmine #7961)
    - Change: Separate binary details from policy update (Redmine #7662)
    - Add guard for binary upgrade during bootstrap (Redmine #7861)
    - Change: Modernize pkg module and package_method
    - Remove: Userdir apache module
    - filestat(path, "linktarget") now follows non-absolute links and returns full path of target.
      This introduces a change in behaviour. Here is an example:
          $ ls -l /bin/sh
          lrwxrwxrwx 1 root root 4 Jun 4 2015 /bin/sh -> dash
      Previously the filestat function would return "dash", and would also log
      an error that the file can not be read. Now it will return "/bin/dash"
      (or the final destination if it happens that /bin/dash is also a
      symlink).
      You can still get the previous behaviour by using
      filestat(path, "linktarget_shallow"). (Redmine #7404)
    - Define (bootstrap|failsafe)_mode during update.cf when triggered from failsafe.cf
      (Redmine #7861)
    - Behavior change: The promise string of a processes
      promise now matches just the command line of each process instead of
      the line that is output by ps. This was done to reduce fragmentation
      between platforms, since ps is a very nonstandardized tool.
      (Jira CFE-2161)
    - Allowed namespace names made more strict, to disallow
      namespaces that cannot be reached. (Redmine #7903)
    - Behavior change: When using readintlist(), readreallist()
      or readstringlist(), parsing an empty file will no longer result in a
      failed function call, but instead an empty list. Failure to open the
      file will still result in a failed function call.
    - insert_lines is no longer implicitly matching EOF as
      end of the region if 'select_end' pattern is not matched.
      (Jira CFE-2263)
    - EOF is matched as an end of the region in edit_line
      promises only if 'select_end_match_eof' parameter is true.
      (Jira CFE-2263)

    Bug fixes:
    - Upgrade CFEngine dependencies to the following versions:
        - Curl 7.48.0
        - libxml2 2.9.4
        - LMDB 0.9.18
        - OpenLDAP 2.4.44
        - OpenSSL 1.0.2h
        - PCRE 8.38
      (Jira ENT-2720)
    - Upgrade dependencies to latest minor versions.
      For Community / Enterprise:
      For Enterprise:
    - Fix bug which sometimes misparses user names in ps output.
    - Fix: Problem with git not dropping privileges soon enough
    - Allow def.json up to 5MB instead of 4K.
    - It is possible to edit the same value in multiple regions
      of one file. (Redmine #7460)
    - CFEngine on Windows no longer truncates log messages if the
      program in question is killed halfway through.
    - Fixed a bug which caused def.json not being able to define
      classes based on other hard classes. (Jira CFE-2333)
    - Change: Tighten Enterprise hub permissions (Jira ENT-2708)
    - Fix a regression which would sometimes cause "Permission
      denied" errors on files inside directories with very restricted
      permissions. (Redmine #7808)
    - Fix use-after-free in ArrayMap and HashMap (Redmine #7952)
    - Package repositories are no longer hit every time package promise
      is evaluated on SUSE.
    - Fix a bug which sometimes caused package promises to be
      skipped with "XX Another cf-agent seems to have done this since I
      started" messages in the log, most notably in long running cf-agent
      runs (longer than one minute). (Redmine #7933)
    - TTY detection should be more reliable. (Redmine #7606)
    - cf-promises -p cf now produces valid cfengine code (Redmine #7956)
    - Fix ps options for FreeBSD to check processes only in current host and not in jails
    - cf-runagent now properly supports multiple -D or -s arguments
      (Redmine #7191)
    - Fix: Work around impaired class definition from augments
      (Jira CFE-2333)
    - Fix "No such file or directory" LMDB error on heavily loaded hosts.
      (Jira CFE-2300)
    - Check for empty server response in RemoteDirList after decryption
      (Redmine #7908)
    - Small performance optimization when cf-execd scans emails before sending.
    - Fix handling of closed connections during transactions
      (Redmine #7926)
    - The core ps parsing engine used for processes promises
      has been rewritten from scratch, and should be more robust than
      before. (Jira CFE-2161)
    - Fix the lexer which could not handle empty newline(s)
      before a @endif.
    - groupexists() no longer fails to detect a group name
      starting with a digit. (Jira CFE-2351)
    - Fix HP-UX specific bug that caused a lot of log output to disappear.
    - Fix unresolved variable (Redmine #7931)
    - Change: Suppress standard services noise on SUSE (Redmine #6968)
    - Reduce verbosity of yum package module (Redmine #7485)
    - cf-runagent: Allow connections to localhost instead of failing silently.
    - Show errors regarding failure to copy extended attributes
      when doing a local file copy. Errors could happen when copying
      across two different mount points where the support for extended
      attributes is different between the mount points.
    - Fix classes being set because of hash collision in the implementation.
      (Redmine #7912)
    - fix build failure on FreeBSD 7.1 (Redmine #7415)
    - Improve logging when managing setuid/setgid
    - Reduce verbosity of apt_get package module (Redmine #7485)
    - packagesmatching() and packageupdatesmatching() should work
      when new package promise is used. (Jira CFE-2246)
    - Fix bug which could render host unable to recover from a
      syntax error, even if failsafe.cf was utilized. This could happen if
      the file containing the syntax error was specified in the def.json
      special file. (Redmine #7961)
    - Prevent crash in cf-execd email code when policy server is not set.
    - In case of networking error, assume checksum is wrong
    - Fix two cases where action_policy warn still produces errors
      (Redmine #7274)
    - Fix bad option nlwp to vzps on Proxmox / OpenVZ. (Redmine #6961)
    - @if minimum_version now correctly ignores lines starting with '@'
      (Redmine #7862)
    - No longer hang when changing permissions/ownership on fifos
      (Redmine #7030)
    - readfile() and read*list() should print an error if they fail to read file.
      (Redmine #7702)
    - The isvariable() function call now correctly accepts all
      array variables when specified inline. Previously it would not accept
      certain special characters, even though they could be specified
      indirectly by using a variable to hold it. (Redmine #7088)
    - Fix file descriptor leak when there are network errors.
    - Improve robustness of process table parsing on Solaris.
      (Jira CFE-2161)
    - Installing packages containing version numbers using yum
      now works correctly. (Redmine #7825)
    - Parse def.json vars, classes and inputs from the C
      code. This fixes a bug where certain entries in this file would be
      parsed too late to have any effect on the evaluation.
      (Redmine #7453, #7615)
    - Change package modules permissions on hub package so that
      hub can execute package promises. (Redmine #7602)
    - Fix: CFEngine choking on standard services (Jira CFE-2086)
    - Fix: cf-upgrade on SUSE
    - Fix: Stop cfengine choking on systemctl output (Jira CFE-2806)
    - storage: Properly initialize the list of current mounts
      (Jira CFE-1803)
    - Fix bug which caused empty emails to be sent from cf-execd
      if there was no previous output log and the new log was fully filtered
      by email filters. (Jira ENT-2739)
    - Don't send empty emails for logs where everything is filtered.
      (Jira ENT-2739)
    - Fix intermittent error message of type:
      "error: Process table lacks space for last columns: <cmd>"
      (Jira CFE-2371)
    - Be less verbose if a network interface doesn't have a MAC address.
      (Jira CFE-1995)

3.8.2:
    Fixes:
    - Update library dependencies to latest version.
      Libraries upgraded:
        - curl 7.47.0
        - LMDB 0.9.18
        - MySQL 5.1.72
        - OpenLDAP 2.4.44
        - OpenSSL 1.0.2g
        - PostgreSQL 9.3.11
        - Redis 3.0.7
        - rsync 3.1.2
      PHP was kept at 5.6.17 because of problems with the 5.6.19 version.
    - Reduce verbosity of apt_get package module (Redmine #7485)
    - Reduce verbosity of yum package module (Redmine #7485)
    - The isvariable() function call now correctly accepts all
      array variables when specified inline. Previously it would not accept
      certain special characters, even though they could be specified
      indirectly by using a variable to hold it. (Redmine #7088)
    - Don't follow symbolic links when copying extended attributes.
    - Fix a bug which sometimes caused package promises to be
      skipped with "XX Another cf-agent seems to have done this since I
      started" messages in the log, most notably in long running cf-agent
      runs (longer than one minute).
      (Redmine #7933)
    - Fix bug which could render host unable to recover from a
      syntax error, even if failsafe.cf was utilized. This could happen if
      the file containing the syntax error was specified in the def.json
      special file. (Redmine #7961)
    - Change: Policy files specified in the "inputs" section of
      def.json will no longer be auto-loaded. One has to refer to the
      $(def.augments_inputs) variable in the policy (the standard
      masterfiles policies include this by default). This only affects
      installations which are not based on the standard masterfiles, and
      which are using the "inputs" field inside def.json. (Redmine #7961)
    - Fix file descriptor leak when there are network errors.
    - Fix cf-serverd error messages with classic protocol clients
      (Redmine #7818)
    - Installing packages containing version numbers using yum
      now works correctly. (Redmine #7825)
    - Fix ps options for FreeBSD to check processes only in current host and not in jails
    - fix build failure on FreeBSD 7.1 (Redmine #7415)
    - Show errors regarding failure to copy extended attributes
      when doing a local file copy. Errors could happen when copying
      across two different mount points where the support for extended
      attributes is different between the mount points.
    - Fix classes being set because of hash collision in the implementation.
      (Redmine #7912)
    - Allow def.json up to 5MB instead of 4K.
    - Fix a regression which would sometimes cause "Permission
      denied" errors on files inside directories with very restricted
      permissions.
      (Redmine #7808)
    - Change: Suppress standard services noise on SUSE (Redmine #6968)

    Changes:
    - Change: classesmatching(): order of classes changed

3.8.1:
    Changes:
    - Upgrade CFEngine dependencies to the following versions:
        - OpenSSL 1.0.2e
        - PCRE 8.38
        - libxml2 2.9.3
        - OpenLDAP 2.4.43
        - libcurl 7.46.0
    - Upgrade LMDB to version 0.9.17. (Redmine #7879)

    Bug fixes:
    - @if minimum_version now correctly ignores lines starting with '@'
      (Redmine #7862)
    - Add guard for binary upgrade during bootstrap (Redmine #7861)
    - Namespaced classes can now be specified on the command line.
    - Fix bad option nlwp to vzps on Proxmox / OpenVZ. (Redmine #6961)
    - Fix two cases where action_policy warn still produces errors
      (Redmine #7274)
    - Parse def.json vars, classes and inputs from the C
      code. This fixes a bug where certain entries in this file would be
      parsed too late to have any effect on the evaluation.
      (Redmine #7453, #7615)
    - Fix HP-UX specific bug that caused a lot of log output to disappear.
    - Check for empty server response in RemoteDirList after decryption
      (Redmine #7908)
    - getvalues() will now return a list also for data containers,
      and will descend recursively into the containers. (Redmine #7116)
    - Define (bootstrap|failsafe)_mode during update.cf when triggered from failsafe.cf
      (Redmine #7861)

3.8.0:
    New features/additions:
    - New feature: Bodies can now inherit attribute values from
      other bodies by specifying "inherit_from" with the name of the body to
      inherit from, plus any arguments it accepts. For example:
          body classes myclasses
          {
              inherit_from => classes_generic("myname");
          }
      (Redmine #4309)
    - Add url_get() function.
      (Redmine #6480)
    - Add @if feature() syntax
      @if feature works like @if minimum_version but allows distinguishing
      between features chosen at compile time.
    - Extend module protocol to create persistent classes.
      To use it, have the module print a line with "^persistence=<minutes>"
      before printing any class names. "persistence=0" goes back to
      non-persistent classes. (Redmine #7302)
    - Add: New results classes body (Redmine #7418)
    - Add: Debug reports in cfe_internal_cleanup_agent_reports
    - Add: Path to svcprop in stdlib
    - Add: masterfiles-stage script to contrib
    - Whitespace is now allowed in class expressions for
      readability, between class names and operators. (Redmine #7152)

    Changes:
    - Change: Clarify bootstrap/failsafe reports
    - Change: Improve in-line docs for internal log maintenance
    - Change: Improve efficiency and debug reports (Redmine #7527)
    - Remove: 3.5 support from masterfiles policy framework
    - Long promiser strings with multiple lines are now
      abbreviated in logs. (Redmine #3964)
    - Change: Reunify Version based policy split
    - Change: Separate binary details from policy update (Redmine #7662)
    - Remove /var/cfengine/cf3.<host>.runlog. (Redmine #6957)
    - Change: sys.libdir and sys.local_libdir to non version specific path
        - sys.libdir now resolves to $(sys.inputdir)/lib
        - sys.local_libdir now resolves to lib (Redmine #7559)
    - Moved the following files to /var/cfengine/log/:
        - /var/cfengine/promise_summary.log
        - /var/cfengine/cfagent.<host>.log
    - Change: Separate binary details from policy update (Redmine #7662)
    - Remove: Support for email settings from augments_file (Redmine #7682)

    Bug fixes:
    - It is possible to edit the same value in multiple regions
      of one file. (Redmine #7460)
    - Change package modules permissions on hub package so that
      hub can execute package promises.
      (Redmine #7602)
    - Fix exporting CSV reports through HTTPS. (Redmine #7267)
    - cf-agent, cf-execd, cf-promises, cf-runagent and cf-serverd honor
      multiple -D, -N and -s arguments (Redmine #7191)
    - readfile() and read*list() should print an error if they fail to read file.
      (Redmine #7702)
    - No longer hang when changing permissions/ownership on fifos
      (Redmine #7030)
    - Fix broken HA policy for 3rd disaster-recovery node.
    - Fix: Policy errors for 3.5 and 3.6
    - Mustache templates: Fix {{@}} key when value is not a
      primitive. The old behavior, when iterating across a map or array of
      maps, was to abort if the key was requested with {{@}}. The new
      behavior is to always replace {{@}} with either the key name or the
      iteration position in the array. An error is printed if {{@}} is used
      outside of a Mustache iteration section.
    - Fix build with musl libc. (Redmine #7455)
    - Fixed a bug which could cause daemons not to be killed
      correctly when upgrading or manually running "service cfengine3 stop".
      (Redmine #7193)
    - Fix daemons not restarting correctly on upgrade on AIX.
    - Package promise: Fix inability to install certain packages
      with numbers. (Redmine #7421)
    - Directories should no more be changed randomly
      into files. (Redmine #6027)
    - Improve cf-serverd's lock contention because of getpwnam()
      call. (Redmine #7643)
    - action_policy "warn" now correctly produces warnings instead
      of various other verbosity levels. (Redmine #7274)
    - If there is an error saving a mustache template file
      it is now logged with log-level error (was inform).
    - The JSON parser now supports unquoted strings as keys.
    - Reduce malloc() thread contention on heavily loaded
      cf-serverd, by not exiting early in the logging function, if no message
      is to be printed.
      (Redmine #7624)
    - Fix a bug which caused daemons not to be restarted on
      upgrade. (Redmine #7528)
    - Include latest security updates for dependencies.
    - Fixed bug which would cause bff and depot packages not to
      run package scripts on removal. (Redmine #7193)
    - Fix upgrade causing error message under systemd because of open ports.
    - Fixed several bugs which prevented CFEngine from loading
      libraries from the correct location. This affected several platforms.
      (Redmine #6708)
    - Legacy package promise: Result classes are now defined if
      the package being promised is already up to date. (Redmine #7399)
    - failsafe.cf will be created when needed. (Redmine #7634)
    - If file_select.file_types is set to symlink and there
      are regular files in the scanned directory, CFEngine no longer
      produces an unnecessary error message. (Redmine #6996)
    - Fix 'AIX_PREINSTALL_ALREADY_DONE.txt: cannot create' error
      message on AIX.
    - Fix package promise not removing dependent packages. (Redmine #7424)
    - Fix: Solaris packages no longer contain duplicate library
      files, but instead symlinks to them. (Redmine #7591)
    - Fix select_class not setting class when used in common bundle with slist.
      (Redmine #7482)
    - Fix "@endif" keyword sometimes being improperly processed
      by policy parser. (Redmine #7413)
    - Fix noise from internal policy to upgrade windows agents
      (Redmine #7456)
    - cfruncommand now works if it contains spaces, with the TLS protocol.
      (Redmine #7405)
    - Fix warning "Failed to parse csv file entry" with certain very long
      commands promises. (Redmine #7400)
    - CFEngine no longer erroneously passes -M to useradd on HP-UX. (Redmine #6734)
    - cf-monitord no longer complains about missing thermal zone files.
      (Redmine #7238)
    - systemd is now detected correctly if it is a symlink (Redmine #7297)
    - TTY detection should be more reliable. (Redmine #7606)


3.7.3
    Fixes:
    - Reduce verbosity of yum package module (Redmine #7485)
    - Reduce verbosity of apt_get package module (Redmine #7485)
    - Upgrade dependencies to latest patch versions.
      Upgraded libraries:
      - curl 7.47.0
      - libxml2 2.9.3
      - LMDB 0.9.18
      - MySQL 5.1.72
      - OpenLDAP 2.4.44
      - OpenSSL 1.0.2g
      - PCRE 8.38
      - PostgreSQL 9.3.11
      - Redis 2.8.24
      - rsync 3.1.2
      PHP was kept at 5.6.17 because of problems with the 5.6.19 version.
    - parse def.json vars, classes, and inputs in C (Redmine #7453)
    - Namespaced classes can now be specified on the command line.
    - getvalues() will now return a list also for data containers,
      and will descend recursively into the containers. (Redmine #7116)
    - @if minimum_version now correctly ignores lines starting with '@'
      (Redmine #7862)
    - Fix definition of classes from augments file
    - Don't follow symbolic links when copying extended attributes.
    - Fix ps options for FreeBSD to check processes only in current host and not in jails
    - Fix cf-serverd error messages with classic protocol clients
      (Redmine #7818)
    - Change: Suppress standard services noise on SUSE (Redmine #6968)
    - The isvariable() function call now correctly accepts all
      array variables when specified inline. Previously it would not accept
      certain special characters, even though they could be specified
      indirectly by using a variable to hold it. (Redmine #7088)
    - Show errors regarding failure to copy extended attributes
      when doing a local file copy. Errors could happen when copying
      across two different mount points where the support for extended
      attributes is different between the mount points.
    - Fix bad option nlwp to vzps on Proxmox / OpenVZ. (Redmine #6961)
    - Fix file descriptor leak when there are network errors.
    - Fix a regression which would sometimes cause "Permission
      denied" errors on files inside directories with very restricted
      permissions. (Redmine #7808)
    - Check for empty server response in RemoteDirList after decryption
      (Redmine #7908)
    - Allow def.json up to 5MB instead of 4K.
    - Add guard for binary upgrade during bootstrap (Redmine #7861)
    - Fix HP-UX specific bug that caused a lot of log output to disappear.
    - Fix a bug which sometimes caused package promises to be
      skipped with "XX Another cf-agent seems to have done this since I
      started" messages in the log, most notably in long running cf-agent
      runs (longer than one minute). (Redmine #7933)
    - Define (bootstrap|failsafe)_mode during update.cf when triggered from failsafe.cf
      (Redmine #7861)
    - Fix two cases where action_policy warn still produces errors
      (Redmine #7274)
    - Fix classes being set because of hash collision in the implementation.
      (Redmine #7912)
    - fix build failure on FreeBSD 7.1 (Redmine #7415)
    - Installing packages containing version numbers using yum
      now works correctly. (Redmine #7825)

    Changes:
    - Change: classesmatching(): order of classes changed


3.7.2:
    Bug fixes:
    - readfile() and read*list() should print an error if they fail to read file.
      (Redmine #7702)
    - Fix 'AIX_PREINSTALL_ALREADY_DONE.txt: cannot create' error
      message on AIX.
    - If there is an error saving a mustache template file
      it is now logged with log-level error (was inform).
    - Change: Clarify bootstrap/failsafe reports
    - Fixed several bugs which prevented CFEngine from loading
      libraries from the correct location. This affected several platforms.
      (Redmine #6708)
    - If file_select.file_types is set to symlink and there
      are regular files in the scanned directory, CFEngine no longer
      produces an unnecessary error message. (Redmine #6996)
    - Fix: Solaris packages no longer contain duplicate library
      files, but instead symlinks to them. (Redmine #7591)
    - cf-agent, cf-execd, cf-promises, cf-runagent and cf-serverd honor
      multiple -D, -N and -s arguments (Redmine #7191)
    - Fix "@endif" keyword sometimes being improperly processed
      by policy parser. (Redmine #7413)
    - It is possible to edit the same value in multiple regions
      of one file.
      (Redmine #7460)
    - Fix select_class not setting class when used in common bundle with slist.
      (Redmine #7482)
    - Fix broken HA policy for 3rd disaster-recovery node.
    - Directories should no more be changed randomly
      into files. (Redmine #6027)
    - Include latest security updates for 3.7.
    - Reduce malloc() thread contention on heavily loaded
      cf-serverd, by not exiting early in the logging function, if no message
      is to be printed. (Redmine #7624)
    - Improve cf-serverd's lock contention because of getpwnam()
      call. (Redmine #7643)
    - action_policy "warn" now correctly produces warnings instead
      of various other verbosity levels. (Redmine #7274)
    - Change: Improve efficiency and debug reports (Redmine #7527)
    - Change package modules permissions on hub package so that
      hub can execute package promises. (Redmine #7602)
    - No longer hang when changing permissions/ownership on fifos
      (Redmine #7030)
    - Fix exporting CSV reports through HTTPS. (Redmine #7267)
    - failsafe.cf will be created when needed. (Redmine #7634)
    - Mustache templates: Fix {{@}} key when value is not a
      primitive. The old behavior, when iterating across a map or array of
      maps, was to abort if the key was requested with {{@}}. The new
      behavior is to always replace {{@}} with either the key name or the
      iteration position in the array. An error is printed if {{@}} is used
      outside of a Mustache iteration section.
    - Legacy package promise: Result classes are now defined if
      the package being promised is already up to date. (Redmine #7399)
    - TTY detection should be more reliable.
      (Redmine #7606)

    Masterfiles:
    - Add: Path to svcprop in stdlib
    - Add: New results classes body [] (Redmine #7418, #7481)
    - Remove: Support for email settings from augments_file (Redmine #7682)

3.7.1:
    Bug fixes:
    - Fix daemons not restarting correctly on upgrade on AIX. (Redmine #7550)
    - Fix upgrade causing error message under systemd because of open ports.
    - Fix build with musl libc. (Redmine #7455)
    - Long promiser strings with multiple lines are now
      abbreviated in logs. (Redmine #3964)
    - Fixed a bug which could cause daemons not to be killed
      correctly when upgrading or manually running "service cfengine3 stop".
      (Redmine #7193)
    - Package promise: Fix inability to install certain packages
      with numbers.
    - Fix package promise not removing dependent packages. (Redmine #7424)
    - Fix warning "Failed to parse csv file entry" with certain very long
      commands promises. (Redmine #7400)
    - Fix misaligned help output in cf-hub. (Redmine #7273)
    - Augmenting inputs from the augments_file (Redmine #7420)
    - Add support for failover to 3rd HA node located outside cluster.
    - Upgrade all dependencies for patch release.
    - Fix a bug which caused daemons not to be restarted on
      upgrade. (Redmine #7528)

3.7.0:
    New features:
    - New package promise implementation.
      The syntax is much simpler, to try it out, check out the syntax:
        packages:
          "mypackage"
            policy => "absent/present",

            # Optional, default taken from common control
            package_module => apt_get,

            # Optional, will only match exact version. May be
            # "latest".
            version => "32.0",

            # Optional.
            architecture => "x86_64";

    - Full systemd support for all relevant platforms
    - New classes to determine whether certain features are enabled:
      * feature_yaml
      * feature_xml
      For the official CFEngine packages, these are always enabled, but
      packages from other sources may be built without the support.
    - New readdata() support for generic data input (CSV, YAML, JSON, or auto)
    - YAML support: new readyaml() function and in readdata()
    - CSV support: new readcsv() function and in readdata()
    - New string_mustache() function
    - New data_regextract() function
    - eval() can now be called with "class" as the "mode" argument, which
      will cause it to return true ("any") if the calculated result is
      non-zero, and false ("!any") if it is zero.
    - New list_ifelse() function
    - New mapdata() function as well as JSON support in maparray().
    - filestat() function now supports "xattr" argument for extended
      attributes.
    - "ifvarclass" now has "if" as an alias, and "unless" as an inverse
      alias.
    - Ability to expand JSON variables directory in Mustache templates:
      Prefix the name with '%' for multiline expansion, '$' for compact
      expansion.
    - Ability to expand the iteration *key* in Mustache templates with @
    - Canonical JSON output: JSON output has reliably sorted keys so the
      same data structure will produce the same JSON every time.
    - New "@if minimum_version(x.x)" syntax in order to hide future language
      improvements from versions that don't understand them.
    - compile time option (--with-statedir) to
      override the default state/ directory path.
    - Fix error messages/ handling in process signalling which no longer
      allowed any signals to fail silently
    - Also enable shortcut keyword for cf-serverd classic protocol, eg to
      simplify the bootstrap process for clients that have different
      sys.masterdir settings (Redmine #3697)
    - methods promises now accepts the bundle name in the promiser string,
      as long as it doesn't have any parameters.
    - In a services promise, if the service_method bundle is not specified,
      it defaults to the promiser string (canonified) with "service_" as a
      prefix. The bundle must be in the same namespace as the promise.
    - inline JSON in policy files: surrounding with parsejson() is now
      optional *when creating a new data container*.
    - New data_expand() function to interpolate variables in a data container.
    - Add configurable network bandwidth limit for all outgoing
      connections ("bwlimit" attribute in "body common control"). To
      enforce it in both directions, make sure the attribute is set on both
      sides of the connection.
    - Secure bootstrap has been facilitated by use of
      "cf-agent --bootstrap HUB_ADDRESS --trust-server=no"
    - Implement new TLS-relevant options (Redmine #6883):
      - body common control: tls_min_version
      - body server control: allowtlsversion
      - body common control: tls_ciphers
      - body server control: allowciphers (preexisting)

    Changes:
    - Improved output format, less verbose, and messages are grouped.
    - cf-execd: agent_expireafter default was changed to 120 minutes
      (Redmine #7113)
    - All embedded databases are now rooted in the state/ directory.
    - TLS used as default for all outgoing connections.
    - process promise now reports kept status instead of repaired if a
      signal is not sent, even if the restart_class is set. The old
      behavior was to set the repaired status whenever the process was not
      running. (Redmine#7216).
    - Bootstrapping requires keys to be generated in advance using cf-key.
    - Disable class set on reverse lookup of interfaces IP addresses.
      (Redmine #3993, Redmine #6870)
    - Define a hard class with just the OS major version on FreeBSD.
    - Abort cf-agent if OpenSSL's random number generator can't
      be seeded securely.
    - Masterfiles source tarball now installs using the usual commands
      "./configure; make install".
    - Updated Emacs syntax highlighting template to support the latest
      syntax enhancements in 3.7.

    Deprecations:
    - Arbitrary arguments to cfruncommand (using "cf-runagent -o") are
      not acceptable any more. (Redmine #6978)
    - 3.4 is no longer supported in masterfiles.

    Bug fixes:
    - Fix server common bundles evaluation order (Redmine#7211).
    - Limit LMDB disk usage by preserving sparse areas in LMDB files
      (Redmine#7242).
    - Fixed LMDB corruption on HP-UX 11.23. (Redmine #6994)
    - Fixed insert_lines failing to converge if preserve_block was used.
      (Redmine #7094)
    - Fixed init script failing to stop/restart daemons on openvz/lxc
      hosts. (Redmine #3394)
    - rm_rf_depth now deletes base directory as advertised. (Redmine #7009)
    - Refactored cf-agent's connection cache to properly differentiate
      hosts using all needed attributes like host and port.
      (Redmine #4646)
    - Refactored lastseen database handling to avoid inconsistencies.
      (Redmine #6660)
    - cf-key --trust-key now supports new syntax to also update the
      lastseen database, so that clients using old protocol will trust
      the server correctly.
    - Fixed a bug which sometimes caused an agent or daemon to kill or stop
      itself. (Redmine #7075, #7244)
    - Fixed a bug which made it difficult to kill CFEngine daemons,
      particularly cf-execd. (Redmine #6659, #7193)
    - Fixed a bug causing systemd not to be detected correctly on Debian.
      (Redmine #7297)
    - "cf-promises -T" will now correctly report the checked out commit,
      even if you haven't checked out a Git branch. (Redmine #7332)
    - Reduce verbosity of harmless errors related to socket timeouts and
      missing thermal zone files. (Redmine #6486 and #7238)

    Masterfiles:

    Added:
    - Support for user specified overriding of framework defaults without
      modifying policy supplied by the framework itself (see
      example_def.json)
    - Support for def.json class augmentation in update policy
    - Run vacuum operation on postgresql every night as a part of
      maintenance.
    - Add measure_promise_time action body to lib (3.5, 3.6, 3.7, 3.8)
    - New negative class guard cfengine_internal_disable_agent_email so
      that agent email can be easily disabled by augmenting def.json

    Changed:
    - Relocate def.cf to controls/VER/
    - Relocate update_def to controls/VER
    - Relocate all controls to controls/VER
    - Only load cf_hub and reports.cf on CFEngine Enterprise installs
    - Relocate acls related to report collection from bundle server
      access_rules to controls/VER/reports.cf into bundle server
      report_access_rules
    - Re-organize cfe_internal splitting core from enterprise specific
      policies and loading the appropriate inputs only when necessary
    - Moved update directory into cfe_internal as it is not generally
      intended to be modified
    - services/autorun.cf moved to lib/VER/ as it is not generally intended
      to be modified
    - To improve predictability autorun bundles are activated in
      lexicographical order
    - Relocate services/file_change.cf to cfe_internal/enterprise. This
      policy is most useful for a good OOTB experience with CFEngine
      Enterprise Mission Portal.
    - Relocate service_catalogue from promises.cf to services/main.cf. It is
      intended to be a user entry.
      This name change correlates with the main
      bundle being activated by default if there is no bundlesequence
      specified.
    - Reduce benchmarks sample history to 1 day.
    - Update policy no longer generates a keypair if one is not found.
      (Redmine: #7167)
    - Relocate cfe_internal_postgresql_maintenance bundle to lib/VER/
    - Set postgresql_monitoring_maintenance only for versions 3.6.0 and
      3.6.1
    - Move hub specific bundles from lib/VER/cfe_internal.cf into
      lib/VER/cfe_internal_hub.cf and load them only if policy_server policy
      if set.
    - Re-organize lib/VER/stdlib.cf from lists into classic array for use
      with getvalues

    Removed:
    - Diff reporting on /etc/shadow (Enterprise)
    - Update policy from promise.cf inputs. There is no reason to include
      the update policy into promises.cf, update.cf is the entry for the
      update policy
    - _not_repaired outcome from classes_generic and scoped_classes generic
      (Redmine: # 7022)

    Fixes:
    - standard_services now restarts the service if it was not already
      running when using service_policy => restart with chkconfig (Redmine
      #7258)


3.6.5:
    Features:
    - Introduced "systemd" hard class. (Redmine #6995)
    - Added paths to dtrace, zfs and zpool on FreeBSD in masterfiles.

    Bug fixes:
    - Fixed build error on certain RHEL5 and SLES10 setups. (Redmine #6841)
    - Fixed a bug which caused dangling symlinks not to be removed.
      (Redmine #6582)
    - Fixed data_readstringarrayidx function not preserving the order of the
      array it's producing. (Redmine #6920)
    - Fixed a bug which sometimes caused CFEngine to kill the wrong daemon
      if both the host and a container inside the host were running
      CFEngine. (Redmine #6906)
    - Made sure the rm_rf_depth bundle also deletes the base directory.
      (Redmine #7009)
    - Fixed monitord reporting wrongly on open ports.
      (Redmine #6926)
    - Skip adding the class when its name is longer than 1024 characters.
      Fixed core dump when the name is too large. (Redmine #7013)
    - Fixed detection of stopped process on Solaris. (Redmine #6946)
    - Fixed infinite loop (Redmine #6992) plus a couple more minor
      bugs in edit_xml promises.

3.6.4:
    Features:
    - Introduced users promises support on HP-UX platform.
    - Introduced process promises support on HP-UX platform.

    Bug fixes:
    - Fixed bug on FreeBSD which sometimes led to the wrong process being
      killed (Redmine #2330)
    - Fixed package version comparison sometimes failing with rpm package
      manager (Redmine #6807)
    - Fixed a bug in users promises which would sometimes set the wrong
      password hash if the user would also be unlocked at the same time.
    - Fixed a bug on AIX which would occasionally kill the wrong process.
    - Improved error message for functions that require an absolute path.
      (Redmine #6877)
    - Fixed some spelling errors in examples.
    - Fixed error in out-of-tree builds when building cf-upgrade.
    - Fixed a bug which would make cf-agent exit with an error if it was
      built with a custom log directory, and that directory did not exist.
    - Fixed ordering of evaluating promises when depends_on is used.
      (Redmine #6484, Redmine #5462)
    - Skip non-empty directories silently when recursively deleting.
      (Redmine #6331)
    - Fix memory exhaustion with list larger than 4994 items.
      (Redmine # 6672)
    - Fix cf-execd segfault on IP address detection (Redmine #6905).
    - Fix hard class detection of RHEL6 ComputeNode (Redmine #3148).

3.6.3
    New features:
    - support for HP-UX 11.23 and later
    - experimental support for Red Hat Enterprise Linux 7

    Bug fixes:
    - fix getindices on multi-dimensional arrays (Redmine #6779)
    - fix mustache template method to run in dryrun mode (Redmine #6739)
    - set mailto and mailfrom settings for execd in def.cf (Redmine #6702)
    - fix conflation of multi-index entries in arrays (Redmine #6674)
    - fix promise locking when transferring using update.cf (Redmine #6623)
    - update JSON parser to return an error on truncation (Redmine #6608)
    - fix sys.hardware_addresses not expanded (Redmine #6603)
    - fix opening database txn /var/cfengine/cf_lastseen.lmdb:
      MDB_READERS_FULL when running cf-keys --show-hosts (Redmine #6602)
    - fix segfault (Null pointer dereference) when select_end in
      delete_lines never matches (Redmine #6589)
    - fix max_file_size => "0" not disabling or allowing any size
      (Redmine #6588)
    - fix ifvarclass, with iteration over list, failing when deleting
      files with time condition (Redmine #6577)
    - fix classes defined with "or" constraint are never set if any value
      doesn't evaluate to a scalar (Redmine #6569)
    - update "mailfrom" default in default policy (Redmine #6567)
    - fix logrotate ambiguity of filename (Redmine #6563)
    - fix parsing JSON files (Redmine #6549)
    - reduce write count activity to /var partition (Redmine #6523)
    - fix files delete attribute incorrectly triggering promise_kept
      (Redmine #6509)
    - update services bundle output related to chkconfig when run in
      inform mode.
      (Redmine #6492)
    - fix Solaris serverd tests (Redmine #6406)
    - fix broken behaviour of merging arrays with readstringarray
      (Redmine #6369)
    - fix ifelapsed bug with bundle nesting (Redmine #6334)
    - fix handling cf_null in bundlesequence (Redmine #6119)
    - fix maparray reading whole input array when using subarray
      (Redmine #6033)
    - fix directories being randomly changed to files (Redmine #6027)
    - update defaults promise type to work with classes (Redmine #5748)
    - systemd integration in services promises (Redmine #5415)
    - fix touch attribute ignoring action = warn_only (Redmine #3172)
    - fix 4KB string limit in functions readfile, string_downcase,
      string_head, string_reverse, string_length, string_tail,
      string_upcase (Redmine #2912)

3.6.2
    Bug fixes:
    - don't regenerate software_packages.csv every time (Redmine #6441)
    - improve verbose message for package_list_command
    - fix missing log output on AIX (Redmine #6434)
    - assorted fixes to dirname() esp on Windows (Redmine #4716)
    - fix package manager detection
    - fix build issues on FreeBSD
    - allow copying of dead symbolic links (Redmine #6175)
    - preserve order in readstringarrayidx (Redmine #6466)
    - fix passing of unexpanded variable references to arrays
      (Redmine #5893)
    - use entries for new {admin,deny}_{ips,hostnames} constraints in
      the relevant legacy lists (Redmine #6542)
    - cope with ps's numeric fields overflowing to the right
    - interpret failing function calls in ifvarclass as class not set
      (Redmine #6327)
    - remove unexpanded lists when extending lists (Redmine #6541)
    - infer start-time of a process from elapsed when needed
      (Redmine #4094)
    - fix input range definition for laterthan() function (Redmine #6530)
    - don't add trailing delimiter when join()'ing lists ending with a
      null-value (Redmine #6552)
    - 9999999999 (ten 9s) or
      higher has been historically used as an upper
      bound in CFEngine code and policy but because of overflow on 32-bit
      platforms it caused problems with big numbers. Fixed in two ways:
      first change all existing policy uses to 999999999 (nine 9s instead
      of eleven 9s), second fix the C code to not wrap-around in case of
      overflow, but use the LONG_MAX value (Redmine #6531).
    - cf-serverd and other daemons no longer reload their configuration
      every minute if CFEngine is built with an inputs directory outside
      of the work directory (not the default). (Redmine #6551)

3.6.1
    New features:
    - Introduced Solaris and AIX support into the 3.6 series, with many associated build and
      bug fixes.

    Changes:
    - Short-circuit evaluation of classes promises if class is already set (Redmine #5241)
    - fix to assume all non-specified return codes are failed in commands promises (Redmine #5986)
    - cf-serverd logs reconfiguration message to NOTICE (was INFO) so that it's always logged in syslog

    Bug fixes:
    - File monitoring has been completely rewritten (changes attribute in files promise), which
      eliminates many bugs, particularly regarding files that are deleted. Upgrading will keep
      all monitoring data, but downgrading again will reinitialize the DB, so all files will be
      reported as if they were new.
      (Redmine #2917)
    - $(this.promiser) expands in files promises for 'transformer', 'edit_template',
      'copy_from.source', 'file_select.exec_program', 'classes' and 'action' bodies
      (Redmine #1554, #1496, #3530, #1563)
    - 'body changes' notifies about disappeared files in file monitoring (Redmine #2917)
    - Fixed CFEngine template producing a zero sized file (Redmine #6088)
    - Add 0-9 A-Z _ to allowed context of module protocol (Redmine #6063)
    - Extend ps command column width and prepend zone name on Solaris
    - Fixed strftime() function on Solaris when called with certain specifiers.
    - Fixed users promise bug regarding password hashes in a NIS/NSS setup.
    - Fixed $(sys.uptime), $(sys.systime) and $(sys.sysday) in AIX. (Redmine #5148, #5206)
    - Fixed processes_select complaining about "Unacceptable model uncertainty examining processes" (Redmine #6337)
    - ps command for linux has been changed to cope with big rss values (Redmine #6337)
    - Address ps -axo shift on FreeBSD 10 and later (Redmine #5667)
    - methods and services promises respect action_policy => "warn" (Redmine #5924)
    - LMDB should no longer deadlock if an agent is killed on the hub while holding the DB lock.
      Note that the change only affects binary packages shipped by CFEngine, since the upstream
      LMDB project has not yet integrated the change. (Redmine #6013)

3.6.0

    Changes:
    - Changes to logging output
      - add process name and pid in syslog message (GitHub #789)
      - cf-serverd logging levels are now more standardised:
        - INFO logs only failures
        - VERBOSE logs successful requests as well
        - DEBUG logs actual protocol traffic.
      - cf-serverd now logs the relevant client IP address on
        each message.
      - Logging contexts to local database (cf_classes.tcdb) has been deprecated.
      - 'usebundle' promisees are logged for all the bundle promises
      - output from 'reports' promises has nothing prefixed except 'R: '
      - a log line with stack path is generated when the promise type evaluated changes
    - LMDB (symas.com/mdb) is the default database for local data storage: use version 0.9.9 or later
      cf-agent --self-diagnostics (-x) is only implemented for TCDB, not for LMDB
    - port argument in readtcp() and selectservers() may be a
      service name (e.g. "http", "pop3").
    - Enable source file in agent copy_from promises to be a relative path.
    - file "changes" reporting now reports with log level "notice", instead of "error".
    - process_results default to AND'ing of set attributes if not specified (Redmine #3224)
    - interface is now canonified in sys.hardware_mac[interface] to align with
      sys.ipv4[interface] (Redmine #3418)
    - cf-promises no longer errors on missing bodies when run without --full-check (-c)
    - Linux flavor "SUSE" now correctly spelled with all uppercase in variables and class names
      (Redmine #3734). The "suse" lowercase version is also provided for convenience (Redmine #5417).
    - $(this.promise_filename) and $(..._dirname) variables are now absolute paths. (Redmine #3839)
    - including the same file multiple times in 'body control inputs' is not an error
    - portnumber in body copy_from now supports service names like
      "cfengine", "pop3" etc, check /etc/services for more.
    - The failsafe.cf policy, run on bootstrap and in some other
      unusual cases, has been extracted from C code into libpromises/failsafe.cf
    - masterfiles
      - cf_promises_validated is now in JSON format
        - timestamp key is timestamp (sec since unix epoch) of last time validated
      - the masterfiles now come from https://github.com/cfengine/masterfiles and are
        not in the core repository
    - cf-serverd calls cf-agent with -Dcfruncommand when executing cf-runagent requests
    - Mark as removed: promise_notkept_log_include, promise_notkept_log_exclude, promise_repaired_log_include,
      promise_repaired_log_exclude, classes_include, classes_exclude, variables_include,
      variables_exclude attributes from report_data_select body (syntax is valid but not functional).
      They have been replaced by the following attributes: promise_handle_include,
      promise_handle_exclude, metatags_include, metatags_exclude.

    New features:
    - New promise type "users" for managing local user accounts.
    - TLS authentication and fully encrypted network protocol.
      Additions specific to the new type of connections:
      - New attribute "allowlegacyconnects" in body server control,
        which enables serving policy via non-latest cfengine protocol,
        to the given list of hosts. If the option is absent, it
        defaults to allow all hosts. To refuse non-TLS connections,
        specify an empty list.
      - New attribute "protocol_version" in body copy_from, and body
        common control, which defines the preferred protocol for
        outgoing connections. Allowed values at the moment: "0" or
        "undefined", "classic" or "1", "latest" or "2". By leaving the
        copy_from option as undefined the common control option is
        used, and if both are undefined then classic protocol is used
        by default.
      - The new networking protocol uses TLS for authentication,
        after which all dialog is encrypted within the established
        TLS session. cf-serverd is still able to speak the legacy
        protocol with old agents.
      - The 'skipverify' option in 'body server control' is
        deprecated and only left for compatibility; it does
        nothing.
      - cf-serverd does not hang up the connection if some request
        fails, so that the client can add more requests.
      - For the connections using the new protocol, all of the
        paths in bundle server access_rules now differentiate
        between a directory and a file using the trailing
        slash. If the path exists then this is auto-detected and
        trailing slash appended automatically. You have to append
        a trailing slash manually to an inexistent or symbolic
        path (e.g. "/path/to/$(connection.ip)/") to force
        recursive access.
      - New in 'access' promises for 'bundle server access_rules'
        - Attributes "admit_ips", "admit_hostnames", "admit_keys",
          "deny_ips", "deny_hostnames", "deny_keys"
        - "admit_keys" and "deny_keys" add the new functionality
          of controlling access according to host identity,
          regardless of the connecting IP.
        - For these new attributes, regular expressions
          are not allowed, only CIDR notation for "admit/deny_ips", exact
          "SHA=..." strings for "admit/deny_keys", and exact hostnames
          (e.g. "cfengine.com") or subdomains (starting with dot,
          e.g. ".cfengine.com") for "admit/deny_hostnames". Same rules
          apply to 'deny_*' attributes.
        - These new constraints and the paths in access_rules, can contain
          special variables "$(connection.ip)", "$(connection.hostname)",
          "$(connection.key)", which are expanded dynamically for every
          received connection.
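The value rules stated above for the new access attributes can be checked before a policy is deployed, which matters when rules are migrated from the regex-based "admit"/"deny" constraints. The Python sketch below is an added example, not CFEngine code: the function names, the sample rule, the hex-digit form of a "SHA=..." key and the hostname label syntax are assumptions.

```python
"""Lint values given to the admit_*/deny_* access attributes.

Added illustration, not CFEngine code. It models only the rules stated in
the changelog entries here; where an exact syntax is not stated there,
the choice made is marked as an assumption.
"""
import ipaddress
import re

CONNECTION_VARS = ("$(connection.ip)", "$(connection.hostname)",
                   "$(connection.key)")
# Assumption: a key string is "SHA=" followed by hexadecimal digits.
KEY_RE = re.compile(r"SHA=[0-9a-fA-F]+")
# Assumption: hostname labels use letters, digits and inner hyphens only.
LABEL_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?")


def check_ip(value):
    """Return None for an address or CIDR block, otherwise a reason."""
    try:
        ipaddress.ip_network(value, strict=False)
    except ValueError:
        return "not an IP address or CIDR block"
    return None


def check_key(value):
    """Return None for an exact "SHA=..." string, otherwise a reason."""
    if KEY_RE.fullmatch(value):
        return None
    return 'not an exact "SHA=..." key string'


def check_hostname(value):
    """Accept "hub.example.com" or a subdomain written ".example.com"."""
    name = value[1:] if value.startswith(".") else value
    if name and all(LABEL_RE.fullmatch(label) for label in name.split(".")):
        return None
    return "not an exact hostname or dot-prefixed subdomain"


CHECKS = {"ips": check_ip, "keys": check_key, "hostnames": check_hostname}


def lint_access_rule(path, constraints):
    """Return (attribute, value, reason) findings for one access promise.

    path is the promiser; constraints maps attribute names such as
    "admit_ips" to lists of string values.
    """
    findings = []
    # A symbolic path, such as one containing a connection variable,
    # needs a manual trailing slash to force recursive access.
    if any(var in path for var in CONNECTION_VARS) and not path.endswith("/"):
        findings.append(("path", path,
                         "no trailing slash: not treated as a directory"))
    for attribute, values in constraints.items():
        if attribute in ("admit", "deny"):
            findings.extend((attribute, value,
                             "legacy attribute, being phased out")
                            for value in values)
            continue
        verdict, _, kind = attribute.partition("_")
        if verdict not in ("admit", "deny") or kind not in CHECKS:
            continue  # attributes outside the scope of this check
        for value in values:
            if any(var in value for var in CONNECTION_VARS):
                continue  # expanded per connection, cannot be checked here
            reason = CHECKS[kind](value)
            if reason:
                findings.append((attribute, value, reason))
    return findings


# Constructed sample: a rule carried over from regex-based "admit" values.
SAMPLE_RULE = {
    "admit_ips": ["192.168.0.0/24", "10.1.2.3", r"192\.168\..*"],
    "admit_hostnames": [".example.com", "hub.example.com",
                        r".*\.example\.com"],
    "admit_keys": ["SHA=" + "ab" * 32, "MD5=" + "ab" * 16],
    "deny_ips": ["2001:db8::/32"],
}

if __name__ == "__main__":
    for finding in lint_access_rule("/path/to/$(connection.ip)/", SAMPLE_RULE):
        print("%s: %r: %s" % finding)
```

Values that contain one of the connection variables are skipped because they only take a concrete form when a connection is received.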
      - For connections using the new protocol, "admit" and "deny"
        constraints in bundle server access_rules are being phased
        out, preferred attributes are now "admit_ips", "deny_ips",
        "admit_hostnames", "deny_hostnames", "admit_keys",
        "deny_keys".
      - New "shortcut" attribute in bundle server access_rules used to
        dynamically expand non-absolute request paths.
    - masterfiles
      - standard library split: lib/3.5 (compatibility) and lib/3.6 (mainline)
      - many standard library bundles and bodies, especially packages- and file-related,
        were revised and fixed
      - supports both Community and Enterprise
      - new 'inventory/' structure to provide OS, dmidecode, LSB, etc. system inventory
        (configured mainly in def.cf)
      - cf_promises_release_id contains the policy release ID which is the GIT HEAD SHA
        if available or hash of tree
      - a bunch'o'bundles to make starting with CFEngine easier:
        - file-related: file_mustache, file_mustache_jsonstring, file_tidy, dir_sync, file_copy,
          file_link, file_hardlink, file_empty, file_make
        - packages-related: package_absent, package_present, package_latest,
          package_specific_present, package_specific_absent, package_specific_latest, package_specific
        - XML-related: xml_insert_tree_nopath, xml_insert_tree, xml_set_value, xml_set_attribute
        - VCS-related: git_init, git_add, git_checkout, git_checkout_new_branch,
          git_clean, git_stash, git_stash_and_clean, git_commit, git
        - process-related: process_kill
        - other: cmerge, url_ping, logrotate, prunedir
    - New command line options for agent binaries
      - New options to cf-promises
        - '--show-classes' and '--show-vars'
        - '--eval-functions' controls whether cf-promises should evaluate functions
      - Colorized output for agent binaries with command line option '--color'
        (auto-enabled if you set CFENGINE_COLOR=1)
    - New language features
      - New variable type 'data' for
        handling of structured data (i.e. JSON),
        including supporting functions:
        - 'data_readstringarray' - read a delimited file into a data map
        - 'data_readstringarrayidx' - read a delimited file into a data array
        - 'datastate' - create a data variable with currently set classes and variables
        - 'datatype' - determine the type of the top element of a container
        - 'format' - %S can be used to serialize 'data' containers into a string
        - 'mergedata' - merge two data containers, slists/ilists/rlists, or "classic"
          arrays into a data container
        - 'parsejson' - create a data container from a JSON string
        - 'readjson' - create a data container from a file that contains JSON
        - 'storejson' - serialize a data container into a string
        - Most functions operating on lists can also operate on data containers
        - pass a data container to a bundle with the @(container) notation
        - the module protocol accepts JSON for data containers with the '%' sigil
      - Tagging of classes and variables allows annotating of language construct with
        meta data; supporting functionality:
        - The module protocol in 'commands' promises has been extended to allow setting
          of tags of created variables and classes, and the context of created variables
        - 'getclassmetatags' - returns list of meta tags for a class
        - 'getvariablemetatags' - returns list of meta tags for a variable
      - 'body file control' has an 'inputs' attribute to include library files and other
        dependencies
      - bundlesequences can be built with bundlesmatching() based on bundle name and tags
    - New attributes in existing promise types and bodies
      - New option 'preserve_all_lines' for insert_type in insert_lines promises
      - Caching of expensive system functions to avoid multiple executions of
        execresult() etc, can be controlled via cache_system_functions attribute in
        body common control
      - New option 'mailsubject' in body
        executor control allows defining the subject
        in emails sent by CFEngine
      - Support for Mustache templates in 'files' promises; use 'template_method' and
        'template_data' attributes. Without 'template_data' specified, uses datastate().
    - New and improved functions
      - 'bundlesmatching' - returns list of defined bundles matching a regex and tags
      - 'canonifyuniquely' - converts a string into a unique, legal class name
      - 'classesmatching' - returns list of set classes matching a regex and tags
      - 'eval' - evaluates mathematical expressions; knows SI k, m, g quantifiers, e.g. "100k"
      - 'findfiles' - list files matching a search pattern; use "**" for recursive searches
      - 'makerule' - evaluates whether a target file needs to be rebuilt from sources
      - 'max', 'min' - returns maximum and minimum of the numbers in a container or list
        (sorted by a 'sort' method)
      - 'mean' - returns the mean of the numbers in a container or list
      - 'nth' - learned to look up by key in a data container holding a map
      - 'packagesmatching' - returns a filtered list of installed packages.
      - 'readfile' - learned to read system files of unknown size like those in /proc
      - 'sort' - can sort lexicographically, numerically (int or real), by IP, or by MAC
      - 'string_downcase', 'string_upcase' - returns the lower-/upper-case version of a
        string
      - 'string_head', 'string_tail' - returns the beginning/end of a string
      - 'string_length' - returns the length of a string
      - 'string_reverse' - reverses a string
      - 'string_split' - improved implementation, deprecates 'splitstring'
      - 'variablesmatching' - returns a list of variables matching a regex and tags
      - 'variance' - returns the variance of numbers in a list or container
    - New hard classes
      - Introduced alias 'policy_server' for context 'am_policy_hub' (the latter will
        be deprecated)
      - all the time-based classes have GMT equivalents
    - New variables
      - 'sys.bindir' - the location of the CFEngine binaries
      - 'sys.failsafe_policy_path' - the location of the failsafe policy file
      - 'sys.inputdir' - the directory where CFEngine searches for policy files
      - 'sys.key_digest' - the digest of the host's cryptographic key
      - 'sys.libdir', 'sys.local_libdir' - the location of the CFEngine libraries
      - 'sys.logdir' - the directory where the CFEngine log files are saved
      - 'sys.masterdir' - the location of masterfiles on the policy server
      - 'sys.piddir' - the directory where the daemon pid files are saved
      - 'sys.sysday' - the number of days since the beginning of the UNIX epoch
      - 'sys.systime' - the number of seconds since the beginning of the UNIX epoch
      - 'sys.update_policy_path' - the name of the update policy file
      - 'sys.uptime' - the number of minutes the host has been online
      - 'this.promise_dirname' - the name of the file in which the current promise
        is defined
      - 'this.promiser_uid' - the ID of the user running cf-agent
      - 'this.promiser_gid' - the group ID of the user running
        cf-agent
      - 'this.promiser_ppid' - the ID of the parent process running cf-agent

    Deprecations:
    - 'splitstring' - deprecated by 'string_split'
    - 'track_value'
    - 'skipverify'

    Bug fixes: for a complete list of fixed bugs, see Redmine at https://cfengine.com/dev
    - various fixes in evaluation and variable resolution
    - Improve performance of list iteration (Redmine #1875)
    - Removed limitation of input length to internal buffer sizes
    - directories ending with "/" are not ignored
    - lsdir() always returns a list now, never a scalar
    - 'abortclasses' fixed to work in common bundles and other cases
    - namespaced 'edit_line' bundles now work (Redmine #3781)
    - lists are interpolated in correct order (Redmine #3122)
    - cf-serverd reloads policies properly when they change
    - lots of leaks (memory and file descriptor) fixed

3.5.3
    Changes:
    - Improved security checks of symlink ownership. A symlink created by a user pointing
      to resources owned by a different user will no longer be followed.
    - Changed the way package versions are compared in package promises. (Redmine #3314)
      In previous versions the comparison was inconsistent. This has been fixed, but may
      also lead to behavior changes in certain cases. In CFEngine 3.5.3, the comparison
      works as follows:
        <package-being-considered> <package_select> <package_version>
      For instance:
        apache-2.2.31 ">=" "2.2.0"
      will result in the package being installed.

    Bug fixes:
    - fix cf-monitord crash due to incorrect array initialization (Redmine #3180)
    - fix cf-serverd stat()'ing the file tree every second (Redmine #3479)
    - correctly populate sys.hardware_addresses variable (Redmine #2936)
    - add support for Debian's GNU/kfreebsd to build system (Redmine #3500)
    - fix possible stack corruption in guest_environments promises (Redmine #3552)
    - work-around hostname truncation in HP-UX's uname (Redmine #3517)
    - fix body copy purging of empty directories (Redmine #3429)
    - make discovery and loading of avahi libraries more robust
    - compile and packaging fixes for HP-UX, AIX and Solaris
    - fix fatal error in lsdir() when directory doesn't exist (Redmine #3273)
    - fix epoch calculation for stime inrange calculation (Redmine #2921)

3.5.2
    Bug fixes:
    - fix delayed abortclasses checking (Redmine #2316, #3114, #3003)
    - fix maplist arguments bug (Redmine #3256)
    - fix segfaults in cf-promises (Redmine #3173, 3194)
    - fix build on Solaris 10/SmartOS (Redmine #3097)
    - sanitize characters from /etc/issue in sys.flavor for Debian (Redmine #2988)
    - Fix segfault when dealing with files or data > 4K (Redmine #2912, 2698)
    - Don't truncate keys to 126 characters in getindices (Redmine #2626)
    - files created via log_* actions now have mode 600 (Redmine #1578)
    - fix wrong log message when a promise is ignored due to 'ifvarclass' not matching
    - fix lifetime of persistent classes (Redmine #3259)
    - fix segfault when process_select body had no process_result attribute
      Default to AND'ed expression of all specified attributes (Redmine #3224)
    - include system message in output when acl promises fail
    - fix invocation of standard_services bundle and corresponding promise compliance (Redmine #2869)

3.5.1

    Changes:
    - file changes are logged with log level Notice, not Error
    - the CFEngine
      Standard Library in masterfiles/libraries is now split into
      promise-type specific policy files, and lives in a version-specific directory.
      This should have no impact on current code, but allows more granular include of
      needed stdlib elements (Redmine #3044)

    Bug fixes:
    - fix recursive copying of files (Redmine #2965)
    - respect classes in templates (Redmine #2928)
    - fix timestamps on Windows (Redmine #2933)
    - fix non-root cf-agent flooding syslog (Redmine #2980)
    - fix email flood from cf-execd due to timestamps in agent output (Redmine #3011)
    - Preserve security context when editing or copying local files (Redmine #2728)
    - fix path for sys.crontab on redhat systems (Redmine #2553)
    - prevent incorrect "insert_lines promise uses the same select_line_matching anchor" warning (Redmine #2778)
    - Fix regression of setting VIPADDRESS to 127.0.0.1 (Redmine #3010)
    - Fix "changes" promise not receiving status when file is missing (Redmine #2820)
    - Fix symlinks being destroyed when editing them (Redmine #2363)
    - Fix missing "promise kept" status for the last line in a file (Redmine #2943)

3.5.0

    New features:
    - classes promises now take an optional scope constraint.
    - new built-in functions: every, none, some, nth, sublist, uniq, filter
      - every
      - none
      - some
      - nth
      - sublist
      - uniq
      - filter
      - classesmatching
      - strftime
      - filestat
      - ifelse
      - maparray
      - format
    - cf-promises flag --parse-tree is replaced by --policy-output-format=, requiring the
      user to specify the output format (none, cf, json)
    - cf-promises allows partial check of policy (without body common control) without integrity check;
      --full-check enforces integrity check
    - agent binaries support JSON input format (.json file as generated by cf-promises)
    - cf-key: new options --trust-key/-t and --print-digest/-p
    - Class "failsafe_fallback" is defined in failsafe.cf when main policy contains errors and
      failsafe is run because of this
    - add scope attribute for body classes (Redmine #2013)
    - Better diagnostics of parsing errors
      - Error messages from parser now show the context of error
    - new cf-agent option: --self-diagnostics
    - new output format, and --legacy-output
    - warnings for cf-promises.
    - Enable zeroconf-discovery of policy hubs for automatic bootstrapping
      if Avahi is present
    - Support for sys.cpus on more platforms than Linux & HPUX

    Changes:
    - parser no longer allows ',' after promiser or promisee. must be either ';' or lval
    - Make parser output in GCC compatible format the only supported format
      (remove --gcc-brief-format flag)

    - Silence license warnings in Enterprise Free25 installations
    - action_policy => "warn" causes not_kept classes to be set on promise needing repair.
    - command line option version (-V) now prints a shorter parsable version without graphic
    - implicit execution of server and common bundles taking arguments is skipped in cf-serverd.
    - WARNING: option --policy-server removed, require option to --bootstrap instead
    - process promises don't log if processes are out of range unless you
      run in verbose mode
    - reports promises are now allowed in any context (Redmine #2005)
    - cf-report has been removed
    - cf-execd: --once implies --no-fork
    - Version info removed from mail subject in the emails sent by cf-execd.
      The subject will only contain "[fqname/ipaddress]" instead of "community/nova [fqname/ipaddress]"
      Please change your email filters accordingly if necessary.
    - "outputs" promise type is retired. Their semantics was not clear, and the functionality
      is better suited for control body setting, not a promise.
    - Tokyo Cabinet databases are now automatically checked for
      correctness during opening. It should prevent a number of issues
      with corrupted TC databases causing binaries to hang.
    - Improved ACL handling on Windows, which led to some syntax changes. We now consistently
      use the term "default" to describe ACLs that can be inherited by child objects. These
      keywords have received new names:
        acl_directory_inherit -> acl_default
        specify_inherit_aces -> specify_default_aces
      The old keywords are deprecated, but still valid. In addition, a new keyword
      "acl_inherit" controls inheritance behavior on Windows. This feature does not exist on
      Unix platforms. (Redmine #1832)
    - Networking code is moved from libpromises to its own library,
      libcfnet. Work has begun on making the API more sane and thread-safe.
      Lots of legacy code was removed.
    - Add getaddrinfo() replacement in libcompat (borrowed from PostgreSQL).
    - Replace old deprecated and non thread-safe resolver calls with
      getaddrinfo() and getnameinfo().
    - Hostname2IPString(), IPString2Hostname() are now thread-safe, and are
      returning error when resolution fails.
    - Running cf-execd --once now implies --no-fork, and also does not wait
      for splaytime to pass.
    - execresult(), returnszero() and commands promises no longer require the first
      word to be an absolute path when using the shell. (Part of Redmine #2143)
    - commands promises useshell attribute now accepts "noshell" and "useshell" values. Boolean
      values are accepted but deprecated. (Part of Redmine #2143)
    - returnszero() now correctly sets the class name in this scenario (Part of
      Redmine #2143):
        classes:
          "commandfailed" not => returnszero("/bin/nosuchcommand", "noshell");

    Bugfixes:
    - bundles are allowed to be empty (Redmine #2411)
    - Fixed '.' and '-' not being accepted by a commands module. (Redmine #2384)
    - Correct parsing of list variables by a command module. (Redmine #2239)
    - Fixed issue with package management and warn. (Redmine #1831)
    - Fixed JSON crash. (Redmine #2151)
    - Improved error checking when using fgets(). (Redmine #2451)
    - Fixed error message when deleting nonexistent files. (Redmine #2448)
    - Honor warn-only when purging from local directory. (Redmine #2162)
    - Make sure "restart" and "reload" are recognized keywords in packages. (Redmine #2468)
    - Allocate memory dynamically to avoid out-of-buffer or out-of-hash
      situations
    - fix edit_xml update of existing attributes (Redmine #2034)
    - use failsafe policy from compile-time specified workdir (Redmine #1991)
    - ifvarclass checked from classes promises in common bundles
    - do not wait for splaytime when executing only once
    - disable xml editing functionality when libxml2 doesn't provide necessary APIs (Redmine #1937)
    - Out-of-tree builds should work again, fixed a bunch of related bugs.
    - Fixed race condition in file editing.
      (Redmine #2545)
    - Fixed memory leak in cf-serverd and others (Redmine #1758)

3.4.5 (Bugfix and Stability release)

    Bugfixes:

    - make qualified arrays expand correctly (Redmine #1998, Mantis #1128)

    - correct possible errors in tcdb files when opening

    - avoid possible db corruption when mixing read/write and cursor operations

    - Allow umask value of 002 (Redmine #2496)

3.4.4 (Bugfix and Stability release)

    Bugfixes:

    - prevent possible crash when archiving files (GitHub #316)

    - don't create symlinks to cf-know in update policy

    - don't enable xml support if libxml2 is too old (Redmine #1937)

3.4.3 (Bugfix and Stability release)

    Bugfixes:

    - Don't flood error messages when processes are out of defined range

    - prevent segmentation fault in cf-monitord -x (Redmine #2021)

    - when copying files, use same file mode as source file, rather than 0600 (Redmine #1804)

    - include xpath in messages generated by edit_xml operations (Redmine #2057)

3.4.2 (Bugfix and Stability release)

    Bugfixes:

    - Fixes to policies in masterfiles (see masterfiles/Changelog for details)

    - Fixes for OpenBSD (GitHub #278)

    - Do not canonify values specified in abortbundleclasses/abortclasses (Redmine #1786)

    - Fix build issues on NetBSD, SLES 12.2

    - Improve error message when libxml2 support is not compiled (Redmine #1799)

    - fix potential segmentation fault when trimming network socket data (GitHub #233)

    - fix potential segmentation fault when address-lookups in lastseen db failed (GitHub #233)

    - execute background promise serially when max_children was reached, rather
      than skipping them (GitHub #233)

    - fix segmentation fault in cf-promises when invoked with --reports (Redmine #1931)

    - fix compilation with Sun Studio 12
      (Redmine #1901)

    - silence type-pun warning when building on HP-UX (GitHub #287)

3.4.1 (Bugfix and Stability release)

    New feature/behavior:

    - cf-execd terminates agent processes that are not responsive
      for a configurable amount of time (see agent_expireafter in body
      executor control), defaulting to 1 week

    Bugfixes:

    - fix regression of classmatch() failing with hard classes (Redmine #1834)

    - create promise-defined and persistent classes in correct
      namespace (Redmine #1836)

    - several fixes to namespace support

    - fix several crash bugs caused by buffer overflow and race
      conditions in cf-serverd

    - regenerate time classes in cf-execd for each run (Redmine #1838)

    - edit_xml: fix select_xpath implementation and update documentation
      NOTE: code that uses select_xpath_region needs to be changed to
      select_xpath

    - edit_xml: make sure that text-modification functions don't overwrite
      child nodes

    - edit_xml: improve error logging

3.4.0

    New features:

    - Added rpmvercmp utility to compare versions of RPM packages for
      accurate sorting of RPM packages for packages promises.

    - Implement network timeout on server side to avoid keeping stale
      connections for hours.

    - XML editing capabilities. See the documentation for edit_xml
      body. Note the new dependency: libxml2.

    - Implement inheritance of local classes by bundles called using
      "usebundle". By default classes are not inherited. See the
      examples/unit_inherit.cf for an example.

    - Moved from Nova/Enterprise:
      - POSIX ACL support,
      - "outputs" promise type,
      - remote syslog support.

    - packages_default_arch_command hook in packages promises, to
      specify default architecture of the packages on the system.

    - packages_version_less_command / packages_version_equal_command hooks
      in packages promises, to specify external command for native package
      manager versions comparison

    - agent_expireafter in body executor control allows you to set a
      timeout on all cf-agent runs, to enforce a threshold on the
      number of concurrent agents

    - Running in Solaris zone is now detected and classes "zone" and
      "zone_<name>" are created in this case.

    - VirtualBox support added to guest_environment promises.

    - guest_environment promises are supported under OS X.

    - The "depends_on" attribute is now active, for the partial ordering
      of promises. If a promise depends on another (referred by handle)
      it will only be considered if the depends_on list is either kept
      or repaired already.

      ** WARNING: When upgrading, make sure that any existing use
         of depends_on does not make some promises being
         unintentionally ignored. This can happen if you are
         currently referring to non-existent or never-run handles
         in depends_on attributes.

    - methods return values, initial implementation

    - New format for cf-key -s, includes timestamp of last connection

    - cf-promises --parse-tree option to parse policy file and dump it
      in JSON format

    - Namespaces support for bundles and bodies. See the
      examples/unit_namespace*.cf for the usage.

    - Default arguments for bundles. See the examples/unit_defaults.cf

    - Metadata promise type. See the examples/unit_meta.cf

    New semantics:

    - Methods promises now return the status of promises
      kept within them. If any promise was not kept, the method is not
      kept, else if any promise is repaired, the method was repaired
      else it was kept.
    - Remote variable access in namespaces by $(namespace:bundle.variable)

    Changed functionality:

    - cf-execd -F switch no longer implies 'run once'. New -O/--once
      option is added to achieve this behaviour. This makes cf-execd
      easier to run from systemd, launchd and other supervision
      systems.

    Misc:

    - Support for the following outdated platforms and corresponding
      classes has been removed. De facto those platforms were
      unsupported for a long time, as CFEngine codebase uses C99
      language features unavailable on old platforms:

      - SunOS 3.x (sun3)
      - SunOS 4.x (sun4)
      - Ultrix (ultrix)
      - DEC OSF/1 AXP (osf)
      - Digital UNIX (digital)
      - Sony NEWS (newsos)
      - 4.3BSD (bsd4_3)
      - IRIX (irix, irix4, irix64)
      - IBM Academic Operating System (aos)
      - BSD/OS / BSDi / BSD/386 (bsdos)
      - NeXTSTEP (nextstep)
      - GNU Hurd (gnu)
      - NEC UX/4800 (ux4800)

    - (Old news) Since 3.3.0 the layout of CFEngine Community packages
      has changed slightly.

      cf-* binaries have been moved to /var/cfengine/bin, due to the
      following reasons:

      - cf-* binaries are linked to libraries installed to
        /var/cfengine/lib, so placing binaries in /usr/local/sbin does not
        increase reliability of the CFEngine,

      - keeping whole CFEngine under single prefix (/var/cfengine)
        makes packaging simpler,

      - it matches the layout of CFEngine Enterprise packages.

      Please adjust your policies (the recommended ways to deal with
      the move are either to adjust $PATH to include /var/cfengine or to
      create symlinks in /usr/local/sbin in case you are relying on
      binaries to be available in $PATH).

    - Workdir location is properly changed if --prefix or --enable-fhs
      options are supplied to configure (Mantis #1195).

    - Added check for broken libmysqlclient implementations (Mantis #1217).

    - Standard library is updated from COPBL repository.

    - cf-know is no longer built in Community releases. The only
      functionality useful in Community, namely the reference manual
      generation, is provided by new compile-time cf-gendoc tool.

    - Filename (for storing filechanges) changed
      from file_change.log -> file_changes.log (in /var/cfengine/state)

      New format for storing file changes introduced:
      [timestamp,filename,<N/C/S/R>,Message]

      N = New file found
      C = Content Changed
      S = Stats changed
      R = File removed

    - Acceptance test suite passes on Mac OS X.

    - Changed some port numbers to replace old services with imap(s)

    - archlinux hard class on Arch Linux.

    - Detect BSD Make and automatically switch to GNU Make during build.

    Bugfixes:

    - cfruncommand for cf-execd is an arbitrary shell command now (Mantis #1268).
    - Fixed broken "daily" splayclasses (Mantis #1307).
    - Allow filenames up to 4096 bytes in network transfers (Redmine #1199).
    - Fix stale state preserved during cf-serverd reload (Redmine #1487).
    - Free disk space calculation is fixed (Mantis #1120).
    - Numerous portability bugfixes (especially OpenBSD, Solaris, AIX-related).
    - Compatibility fixes for AIX, HP-UX, Solaris (Mantis #1185, Mantis #1177, Mantis #1109).
    - Fixed broken socklen_t configure check under OpenBSD (Mantis #1168).
    - Fixed hang in cf-promises under OpenBSD (Mantis #1113).
    - Fixed endless loop in evaluating "$()" construct (Mantis #1023).
    - Fixed check for old PCRE versions (Mantis #1262).
    - Fixed insertion of multi-line blocks at the start of file (Mantis #809).
    - Fixed numerous memory leaks.
    - Fixes for metadata that were not resolvable
    - Fixes for namespaces that would not support metadata and variable expansion
    - Point-to-point network interfaces are detected and reported by CFEngine (Mantis #1246)
    - Partial non-GNU userspace support in acceptance testsuite (Mantis #1255)

    Full list of issues fixed is available on
    https://cfengine.com/bugtracker/changelog_page.php (old bug tracker)
    and https://cfengine.com/dev/projects/core/versions/34 (new bug tracker)

3.3.9 (Bugfix and Stability release)

    Bugfixes:

    - Do not lose hard classes in cf-serverd during policy reload
      (Mantis #1218).
    - Implement receive network timeout in cf-serverd. Prevents
      overloading cf-serverd with stale connections.

3.3.8 (Bugfix and Stability release)

    Versions 3.3.6, 3.3.7 were internal and weren't released.

    Bugfixes:

    - Properly set sys.domain variable if hostname is fully-qualified.
    - Fixed several small memory leaks.
    - Make network timeout for network reads configurable. Previously
      it was hardcoded to be 30 seconds, which was not enough for
      cf-runagent invoking cf-agent on big policies (Mantis #1028).

3.3.5 (Bugfix and Stability release)

    Bugfixes:

    - Fixed cf-execd memory leak on hosts with cf-monitord running.
    - Robustify against wrongly-sized entries in embedded databases.

    Standard library:

    - Bugfixes from upstream COPBL repository.
    - standard_services bundle from upstream COPBL repository.


3.3.4 (Bugfix and Stability release)

    Evaluation of policies:

    - Fix wrong classes set after installation of several packages
      using packages promises (Mantis #829).
    - Fix segfault using edit_template on existing file (Mantis #1155).

    Misc:

    - Fix memory leak during re-read of network interfaces'
      information in cf-execd/cf-serverd.

3.3.3 (Bugfix and Stability release)

    Evaluation of policies:

    - Zero-length files are valid for readfile() and similar functions
      (Mantis #1136).
    - Unchoke agent in case it encounters symlinks in form ./foo
      (Similar to Mantis #1117).

    Misc:

    - Fix generation of reference manual on machines with umask more
      relaxed than 022.
    - Use statvfs(3) on OpenBSD to obtain filesystem information
      (Mantis #1135).

3.3.2 (Bugfix and Stability release)

    Evaluation of policies:

    - Do not segfault if file copy was interrupted due to network
      connectivity or server going away (Mantis #1089).
    - Do not segfault if log_failed attribute is present in body, but
      log_kept is not (Mantis #1107).
    - Do not mangle relative paths in symlinks during file copy.
      Previously symlink a -> b was mangled to a -> ./b.
      (Mantis #1117)
    - Properly compare 1.0 and 1.0.1 in packages promises. Previously
      only versions with equal amount of "segments" were comparable
      (Mantis #890, #1066).

    Base policy:

    - Properly set permissions on files for /var/cfengine/lib on HP-UX
      (Mantis #1114).
    - Standard library (cfengine_stdlib.cf) is synced with COPBL
      repository.

    Misc:

    - Do not create huge file in case corrupted TokyoCabinet database
      is detected (Mantis #1106).
    - Fix file descriptor leak on error paths, may have caused crashes
      of cf-execd and cf-serverd (Issue #1096).
    - Fix intermittent segfault in cf-execd (Mantis #1116).
    - Impose an upper limit on amount of listening sockets reported by
      cf-monitord. Huge amounts of listening sockets caused cf-agent to
      segfault on next run (Mantis #1098).
    - Add missing function prototypes that caused errors during compilation
      on HP-UX (Mantis #1109).
    - Fix compilation on Solaris 11 (Mantis #1091).

3.3.1 (Bugfix and Stability release)

    Evaluation of policies:

    - Do not cut off name of bundle in variables interpolation (Mantis #975).
    - Do not segfault in function evaluation guarded by ifvaclass clause (Mantis #1084, #864).
    - Do not segfault if "classes" promise does not declare any value to be evaluated (Mantis #1074).
    - Do not segfault in database promises if there is no
      database_operation provided (Mantis #1046).

    Built-in functions:

    - Fix countclassesmatching() function which was misbehaving trying
      to match classes starting with alphanumeric symbol (Mantis #1073).
    - Fix diskfree() to return kilobytes, as described in documentation (Mantis #980, #955).
    - Fix hostsseen() function to avoid treating all hosts as not
      being seen since 1970 (Mantis #886).
    - Do not output misleading error message if readtcp() is unable to connect (Mantis #1085).

    Command-line interface:

    - -d option previously required an argument, though help message disagreed (Mantis #1053).
    - Disable --parse-tree option, not ready for the release (Mantis #1063).
    - Accept -h as a --help option.
    - Ensure that cf-execd might be started right after being shut down.

    Misc:

    - Plug file descriptor leak after failed file copy (Mantis #990).
    - Fix unsafe admit rules in default promises.cf (Mantis #1040).
    - Fix splaytime to match documentation: it is specified in minutes, not seconds (Mantis #1099).

    Packaging:

    - Fix owner/group of initscript and profile.d snippet in RPM builds (Mantis #1061, #1058).
    - Fix location of libvirt socket CFEngine uses to connect to libvirtd (Mantis #1072).
    - Install CoreBase to /var/cfengine/masterfiles during installation (Mantis #1075).
    - Do not leave old cf-twin around after upgrade (Mantis #1068)
    - Do not leave rcS.d symlinks after purging .deb package (Mantis #1092).

3.3.0

    New promise types:
    - Guest environments promises, which allow to manipulate virtual
      machines using libvirt.
    - Database promises, which allow to maintain schema of MySQL and
      PostgreSQL databases. Database promises are in "technical preview"
      status: this promise type is subject to change in future.
    - Services promises for Unix, allows abstraction of details
      on managing any service

    New built-in functions:
    - dirname() to complement lastnode()
    - lsdir()
    - maplist() to apply functions over lists

    New features:
    - Allow defining arrays from modules.
    - Allow both 'process_stop' and 'signals' constraints in
      'processes' promises at the same time.
    - cf-promises --gcc-brief-format option to output warnings and
      errors in gcc-compatible syntax, which eases use of the "go to next
      error" feature of text editors.
    - Iteration over lists is now allowed for qualified (non-local) lists.

    New built-in variables and classes (Linux):
    - Number of CPUs: $(sys.cpus), 1_cpu, 2_cpus etc

    New built-in variables and classes (Unices):
    - $(sys.last_policy_update) - timestamp when last policy change was seen by host
    - $(sys.hardware_addresses) - list of MAC addresses
    - $(sys.ip_addresses) - list of IP addresses
    - $(sys.interfaces) - list of network interfaces
    - $(sys.hardware_mac[$iface]) - MAC address for network interface
    - mac_<mac_address>:: - discovered MAC addresses

    Changes:

    - Major cleanup of database handling code. Should radically decrease
      amount of database issues experienced under heavy load.

      *WARNING*: Berkeley DB and SQLite backends are *removed*, use
      Tokyo Cabinet or QDBM instead. Both Tokyo Cabinet and QDBM are
      faster than Berkeley DB in typical CFEngine workloads.

      Tokyo Cabinet requires C99 environment, so it should be
      available on every contemporary operating system.

      For the older systems QDBM, which relies only on C89, is a
      better replacement, and deemed to be as portable as Berkeley DB.

    - Change of lastseen database schema. Should radically decrease
      I/O contention on lastseen database.

    - Automatic reload of policies by cf-execd.
    - Documentation is generated during build, PDF and HTML files are
      retired from repository.
    - Rarely used feature retired: peer connectivity intermittency calculation.
    - Memory and CPU usage improvements.
    - Testsuite now uses 'make check' convention and does not need root
      privileges anymore.
    - cf_promises_validated now filled with timestamp, allows digest-copy
      for policy instead of mtime copy which is safer when clocks are unsynchronised
    - The bundled failsafe.cf policy now has trustkey=false to avoid IP spoofing
      attacks in default policy
    - See the full list of bugfixes at
      https://cfengine.com/bugtracker/changelog_page.php

3.2.4 (Bugfix and Stability release)

    Fixed failure in network transfer in case of misbehaving peer

    A few tiny memory leaks on error paths fixed

3.2.3 (Bugfix and Stability release)

    A few tiny memory leaks fixed

    Improved performance of cf-serverd under heavy load with
    TokyoCabinet database

    Full list of issues fixed is available on
    https://cfengine.com/bugtracker/changelog_page.php

3.2.2 (Bugfix and Stability release)

    Enabled compilation in "large files" mode under AIX

    Alleviated problem with broken file transfers over unstable
    Internet links.

    Full list of issues fixed is available on
    https://cfengine.com/bugtracker/changelog_page.php

3.2.1 (Bugfix and Stability release)

    Fixed compilation under HP-UX and Solaris

    Enabled compilation using HP ANSI C compiler

    Full list of issues fixed is available on
    https://cfengine.com/bugtracker/changelog_page.php

3.2.0
    New bootstrap method with single-command bootstrapping:
    - cf-agent --bootstrap --policy-server 123.456.789.123
    - Associated policy template files are added, partially maintained
      by CFEngine

    Bug fixes for file-editing, package versioning, and embedded
    database corruption (We recommend using TokyoCabinet instead of
    BerkeleyDB if building from source).

    Improved upgrade path for Nova.

    Patches for improved run-agent concurrency

    Reorganization of documentation and community resources

    100% on regression test suite on 3 operating systems
    (Ubuntu, Debian, SuSE on x86-64 hardware)

    Support for multiple release environments

    package_policy update and addupdate now check if user-supplied
    version is larger than currently installed - updates only if so

    Help text of cf-report -r corrected - a list of key hashes is
    required, not ip addresses.

    New Emacs mode for CFEngine policy files (thanks to Ted Zlatanov!)

    Warnings on edit_line changes can now give a greater degree of information
    without spamming promise logs

    Class expressions parser accepts '||' as an alias for '|' again.

    Invalidation of package list cache on installation/removal of
    packages.

    New option cf-key -r to remove host key by IP or hostname.

    Added detection of network interfaces which belong to BSD jails.

    Improve robustness of multi-threaded code, in particular fix
    problems with spurious access denials in server and losing of
    authentication rules after policy reload.

    cf-promises accepts option -b matching cf-agent, which causes it
    not to complain about missing bundlesequence.

    New functions and(), not(), or() and concat() to ease use of
    ifvarclass() clause.

    Full list of issues fixed is available on
    https://cfengine.com/bugtracker/changelog_page.php

3.1.5
    New class parser, '||' is no longer allowed in expressions (use '|').

    Class setting in the promise types insert_lines, delete_lines,
    replace_patterns, field_edits, vars, classes is restored.

    suspiciousnames implemented.

    New function getvalues().

    New functions parse{read,int,string}array to match read{read,int,string}array.

    Testsuite added to check for core functionality.

    Syslog prefix is fixed to say 'cf3' instead of 'community'.

3.1.4 (Bugfix and Stability release)

    Some urgent patches to 3.1.3.
    Class validation parse bug fixed.
    Global zone handling error for solaris fixed.
    Package architectures handled correctly (bug #456).
    Reading and writing of key name "root-.pub" eliminated (bug #442, #453).
    cf-serverd crash because of race condition on SERVER_KEYSEEN fixed.
    Lock purging to avoid remnant complexity explosion (bug #430).
    Some copyright notices added that got lost.

3.1.3 (Stability release)

    Major memory leaks in cf-monitord, cf-execd, cf-serverd fixed (bug #427).
    The daemons now show no growth even with very complex policies.

    cf-serverd crash due to race condition in DeleteScope() fixed (bug #406).

    Added 30 second timeout on recv() on Linux.

    package_noverify_returncode implemented (bug #256).

    A flexible mechanism for setting classes based on return codes of
    commands has been introduced. Allows for setting promise kept,
    repaired or failed based on any return codes. This is currently
    implemented for commands-promises, package-manager commands and
    transformer in files. In classes body, see attributes
    kept_returncodes, repaired_returncodes, failed_returncodes (bug
    #248, #329).

    New function ip2host - reverse DNS lookup (bug #146).

3.1.2 (Scalability/efficiency release)

    Big efficiency improvements by caching output from
    cf-promises. Can also be used for much more efficient policy
    deployment (only pull if changed).

    Caching state of ps command for greater efficiency. Reloaded for each bundle.

    Index class lookup improves efficiency of class evaluation for huge configurations.

    Fixed issue where certain promiser strings got corrupted.

    Minor memory access issues fixed.

    Iterator bug introduced in 3.1.0 fixed

3.1.1 (Bugfix release)

    Memory leaks in server tracked down and fixed.
    List expansion bug (one list items not executed) fixed.
    Security issue introduced by change of runcommand shell policy fixed. If users
    defined a runcommand for cf-runagent/cf-serverd communication, it was possible
    to execute commands.
    cf-key -s command for showing key hash/IP address identity pairs

3.1.0
    Change in storage of public keys. Cfengine now hashes the public key and uses this
    as the keyname. Keys will be converted automatically.

    The old dynamic addresses lists are deprecated.
    Caching of dns and key information for greater server speed.
    Change in last-seen format reflects the public key usage.

    New package policy addupdate - installs package if not there and
    updates it otherwise.

    Support for package_changes => "bulk" in file repository as well.

    New special function readstringarrayidx, similar to readstringarray,
    but uses integer indices. Very useful if first row elements are
    not good identifiers (e.g. contains spaces, non-unique, etc.).

    Change two log formats to use time() instead of date()
    - filechanges
    - total compliance

    Change from using md5 to sha256 as default digest for commercial version,
    community retains md5 for compat.

    Commands not returning 0 in commands-promises are flagged
    as repair_failed.

    Adjustable timeout on connect(). Defaults to 10 seconds, adjustable
    with default_timeout in agent control.

    Redesign of the knowledge map infrastructure.

    Now possible to use variables to call methods, e.g.

    methods:

      "name $(list)" usebundle => $(list)("abc");

    See reference manual notes

    Changes to normal ordering to optimize execution.

    Increased stability by always initializing Attribute and Promise
    structures.

    When running cf-promises in dry-run mode (-n), the user does not need
    to put binaries in WORKDIR/bin. For example, non-privileged users can verify root
    policies.

    Source control revision added in version string if run in verbose mode
    (e.g. "cf-promises -vV"). This needs some refining, uses revision of a header now.

    New semantics in return values of list functions. Null values are now allowed
    and there is no iteration over empty lists. The value "cf_null" is reserved for
    use as a null iterator.

3.0.5p1
    Showing paths allowed/denied access to when cf-serverd is run in verbose mode.
    Bug in server fixed for dynamic addresses.
    File handle closure bugfix - too many open databases.
    Seg fault in mount files fix.
    Twin used in cf-execd without checking.
    Check_root set wrong directory permissions at source not destination.
    Error message degraded in body definition.
    Undefined body not warned as error.
    Various build enhancements.
    Package_list_update called only once per manager, and fixed crash.
    Version number bug in packages.

3.0.5
    Encryption problems fixed - client key buffer was uninitialized.

    Classes-promisers are now automatically canonified when class
    strings are defined, to simplify the use of variables in classes.

    New scalars sys.cf_version and sys.nova_version that hold Cfengine version information.

    Attribute package_delete_convention added, to allow customizable
    package name in delete command during update.

    package_list_update_ifelapsed limit added.

    Private variable $(firstrepo) is available in package_name_convention
    and package_delete_convention in order to expand the full path to
    a package, which is required by some managers.

    Some of the threading code is rewritten and made more robust. This includes
    synchronizing access to the lastseen database from the server.

    Bad initialization of BSD flags fixed
    Multiple variable expansion issues in control fixed for server and agent
    Allow ignore_missing_bundles to affect methods: bundles too
    Run agent trust dialogue fixed

    Bug in CPU monitoring, increasing time scale caused linear decay
    of CPU measurement.

    Bug in Setuid log storage, fix.

    Hooks added for new Nova virtualization promises.

    Multithreading mutex failed to collide during cfservd leading to dropped authentication under heavy load.


3.0.4
    Class cancellation in promises to create better class feedback,
    allows emulation of switch/case semantics etc

    Value of SA measurement promises

    Special function getenv() which returns the contents of an
    environment variable (on all platforms).
    New function translatepath for generic Windows
    New function escape() to escape literals as regular expressions (like SQL)
    New function host2ip for caching IP address lookup
    New function regextract for setting variables with backreferences

    New variables for the components $(sys.cf_agent), $(sys.cf_know) etc
    pointing to the binaries.

    More robust integrated database implementation; closing all
    handles when receiving signals, self-healing on corruption.

    Package installation on localhost without a manager like yum completed,
    multiple repositories searched, and universal methods.

    Numerous bugfixes


3.0.3
    sha256 .. new hashes in openssl included in syntax tree.

    End of line autocropping in readfile (hopefully intelligent)

    hashmatch function incorrectly implemented - old debugging code left behind. Fix.

    sys.crontab variable

    Unknown user is now interpreted as "same user", so that we give cfengine a chance to
    fix

    Unregistered addresses no longer report "(Non registered IP)", but return as the address
    itself when doing reverse lookups.

3.0.2
    IMPORTANT: Change in normal ordering of editing. replace comes
    after insert lines. Much testing and minor bug fixing

    Memory leaks fixed
    Many hooks added for Nova enterprise extensions.

    promise_output reports now placed in WORKDIR/reports directory

    Initialization correction and self-correx in monitord

    Many new body constraints added.

    Code readied for enterprise version Nova.

    -b option can override the bundlesequence (must not contain parameters yet)

    collapse_destination_dir option added to copy so that files can be
    aggregated from subdirectories into a single destination.

    Preparation for release:
    unit_accessed_before.cf x
    unit_accumulated_time.cf x
    unit_acl.cf x
    unit_acl_generic.cf x
    unit_ago.cf x
    unit_arrays.cf x
    unit_backreferences_files.cf x
    unit_badpromise.cf x
    unit_badtype.cf x
    unit_bsdflags.cf x
    unit_cf2_integration.cf x
    unit_changedbefore.cf x
    unit_change_detect.cf x
    unit_chdir.cf x
    unit_classes_global.cf x
    unit_classmatch.cf x
    unit_classvar_convergence.cf x
    unit_compare.cf x
    unit_controlclasses.cf x
    unit_control_expand.cf x
    unit_copy.cf x
    unit_copy_edit.cf x
    unit_copylinks.cf x
    unit_createdb.cf x
    unit_create_filedir.cf x
    unit_definitions.cf x
    unit_deletelines.cf x
    unit_disable_and_rotate_files.cf x
    unit_dollar.cf x
    unit_edit_column_files.cf x
    unit_edit_comment_lines.cf x
    unit_edit_deletenotmatch.cf x
    unit_edit_insert_lines.cf x
    unit_edit_insert_lines_silly.cf x
    unit_edit_replace_string.cf x
    unit_edit_sectioned_file.cf x
    unit_edit_setvar.cf x
    unit_edit_triggerclass.cf x
    unit-env.cf x
    unit_epimenides.cf x
    unit_exec_args.cf x
    unit_execd.cf x
    unit_exec_in_sequence.cf x
    unit_execresult.cf x
    unit_expand.cf x
    unit_failsafe.cf x
    unit_file_change_detection.cf x
    unit_fileexists.cf x
    unit_file_owner_list_template.cf x
    unit_fileperms.cf x
    unit_filesexist2.cf x
    unit_filesexist.cf x
    unit_getgid.cf x
    unit_getindices.cf x
    unit_getregistry.cf x
    unit_getuid.cf x
    unit_global_list_expansion_2.cf x
    unit_global_list_expansion.cf x
    unit_groupexists.cf x
    unit_hash.cf x
    unit_hashcomment.cf x
    unit_hashmatch.cf x
    unit_helloworld.cf x
    unit_hostrange.cf x
    unit_intarray.cf x
    unit_iprange.cf x
    unit_irange.cf x
    unit_isdir.cf x
    unit_islink.cf x
    unit_isnewerthan.cf x
    unit_isplain.cf x
    unit_isvariable.cf x
    unit_iteration.cf x
    unit_knowledge_txt.cf x
    unit_lastnode.cf x
    unit_ldap.cf x
    unit_linking.cf x
    unit_literal_server.cf x
    unit_locate_files_and_compress.cf x
    unit_log_private.cf x
    unit_loops.cf x
    unit_measurements.cf x
    unit_method.cf x
    unit_method_validate.cf x
    unit_module_exec_2.cf
    unit_module_exec.cf
    unit_mount_fs.cf x
    unit_neighbourhood_watch.cf x
    unit_null_config.cf x
    unit_occurrences.cf x
    unit_ordering.cf x
    unit_package_apt.cf x
    unit_package_hash.cf x
    unit_package_rpm.cf x
    unit_package_yum.cf x
    unit_package_zypper.cf x
    unit_parallel_exec.cf x
    unit_pathtype.cf x
    unit_pattern_and_edit.cf x
    unit_peers.cf x
    unit_postfix.cf x
    unit_process_kill.cf x
    unit_process_matching2.cf x
    unit_process_matching.cf x
    unit_process_signalling.cf x
    unit_readlist.cf x
    unit_readtcp.cf x
    unit_regarray.cf x
    unit_registry.cf x
    unit_regline.cf x
    unit_reglist.cf x
    unit_remove_deadlinks.cf x
    unit_rename.cf x
    unit_report_state.cf x
    unit_reporttofile.cf x
    unit_returnszero.cf x
    unit_select_mode.cf x
    unit_select_region.cf x
    unit_selectservers.cf x
    unit_select_size.cf x
    unit_server_copy_localhost.cf x
    unit_server_copy_remote.cf x
    unit_server_copy_purge.cf x
    unit_splitstring.cf x
    unit_sql.cf x
    unit_storage.cf x
    unit_strcmp.cf x
    unit_stringarray.cf x
    unit_syslog.cf x
    unit_template.cf x
    unit_tidy_all_files.cf x
    unit_user_edit.cf x
    unit_user_edit_method.cf x
    unit_userexists.cf x
    unit_varclass.cf x
    unit_vars.cf x
    unit_warnifline.cf x
    unit_webserver.cf x


3.0.1
    First standalone release, independent of cfengine 2
    Purge old definitions and check consistency.

    NB: changed search_mode to be a list of matching values

    Reporting rationalized in cf-promises with -r only to avoid
    leaving output files everywhere.

    Hooks added for upcoming commercial additions to cfengine.

    Added classify() and hostinnetgroup() functions
    Added additional change management options for change detection

    Package management added - generic mechanisms.

    Limits on backgrounding added to avoid resource contention during cfengine runs.
    Image type added to cf-know.

    New classes for quartly shifts: Morning,Afternoon,Evening,Night

    Bug fixes in editfiles - line insertion for multiple line objects

    Change the name of the variables and context from the monitord for
    better separation of data, and shorter names. sys -> mon
    average -> av, stddev -> dev

    canonical name for windows changed from "nt" to "windows", also version names
    added "vista","xp" etc..

    License notices updated for dual license editions.

3.0.0
    First release of cfengine 3. Known omissions:
    - no support for ACLs
    - no support for packages
    - no support for interface configuration
    These will be added in the next release.