3.17.0:
  - cf-agent can now simulate the changes done to files in a chroot, printing
    diff or manifest information about what it would do in a normal evaluation.
    Use the new command line option: `--simulate=diff` or `--simulate=manifest`.
    Please note that only files and packages promises are simulated currently.
  - Custom promise types can now be added using promise modules (CFE-3273)
  - cf-monitord now uses /proc/net/* files to get network information if
    possible (CFE-2945)
  - Added new policy function execresult_as_data() (CFE-3315)
  - Added optional argument to execresult for choosing between stdout and
    stderr (CFE-3108)
  - Outcome classes are now always defined for promiser in files promises
    (CFE-3369)
  - and(), or(), not() now return boolean and cannot be used directly in
    slist vars. They can now be used in other places where a boolean is
    expected. (Most notably and / or promise attributes). The return values
    can be converted to strings using concat(), if necessary (CFE-3470)
  - Backgrounded commands are now correctly executed in the child process
    (CFE-3379)
  - CFEngine policy bodies can now be completely empty
  - Directory listings in files changes monitoring are now only updated
    when there is a change (CFE-3382)
  - Promises with 'action => bg()' no longer break reporting data (ENT-6042)
  - Spaces inside square brackets (slist/data index) are now allowed in
    class expressions (CFE-3320)
  - Variables specifying data/list names in @() references are now expanded
    (CFE-2434)
  - Added warnings when trying to use {{.}} to expand containers in mustache
    templates (CFE-3457, CFE-3489)
  - Limited unqualified host and domain name to 511 characters (CFE-3409)
  - AVCs are no longer produced for CFEngine processes accessing /proc/net
    (CFE-3240)
  - Fixed how we check for `--cols` argument to `ps` (ENT-6098)
  - Fixed a memory leak in users promises
  - Fixed a small memory leak in cf-promises (CFE-3461)
  - Fixed expansion of variables in data/list references (CFE-3299)

3.16.0:
  - Added 'cf-secret' binary for host-specific encryption (CFE-2613)
  - 'cf-check diagnose --test-write' can now be used to test writing
    into LMDB files (ENT-4484)
  - 'if' constraint now works in combination with class contexts
    (CFE-2615)
  - Added $(sys.cf_version_release) variable (ENT-5348)
  - Added new macros to parser: else, maximum_version, between_versions,
    before_version, at_version and after_version. Version macros now
    accept single digits (CFE-3198)
  - Added cf-postgres requirement to cf-apache and cf-hub systemd units
    (ENT-5125)
  - Added files promise content attribute (CFE-3276)
  - Added string_trim() policy function (CFE-3074)
  - Added warning if CSV parser parses nothing from non-empty file
    (CFE-3256)
  - All changes made by 'files' promises are now reported. Also,
    directory and file creations are now properly reported as 'info'
    messages. And failures in edit_xml result in promises marked as
    failed not interrupted. Purged dirs and files are reported as
    repaired (ENT-5291, CFE-3260)
  - Bootstrap to loopback interface is now allowed, with a warning
    (CFE-3304)
  - Client initiated reporting was fixed on RHEL 8.1 (ENT-5415)
  - Fixed rare crashing bug when parsing zombie entries in ps output. The
    problem was only ever observed on AIX, but could theoretically happen
    on any platform depending on exact libc behavior. (ENT-5329)
  - Fixed an issue causing duplicate entries in sys.interfaces, and
    sys.hardware.
    (CFE-3046)
  - Fixed ifelse() to return fallback in case of unresolved variables
    (ENT-4653)
  - Fixed locking of promises using log_repaired / log_string with
    timestamps (CFE-3376)
  - Fixed memory leak in handling of inline JSON in policy evaluation
  - Fixed memory leak in readlist functions (CFE-3263)
  - Fixed race condition when multiple agents are acquiring critical
    section locks simultaneously (CFE-3361)
  - Fixed selection of standard_services when used from non-default
    namespace (ENT-5406)
  - Fixed service status cfengine3 on systemd managed hosts (ENT-5528)
  - Fixed some memory leaks and crashes in policy evaluation (CFE-3263)
  - Improved error message for invalid body attribute names (CFE-3273)
  - Improved management of secondary groups to avoid intermediary state
    failures (ENT-3710)
  - LMDB files are now created with correct permissions (ENT-5986)
  - Log messages about broken Mustache templates are now errors (CFE-3263)
  - Made classfiltercsv() fail properly on invalid class expression index
  - Measurements promises with no match no longer produce errors
    (ENT-5171)
  - Moved error reading file in countlinesmatching() from verbose to error
    (CFE-3234)
  - Added new data validation policy functions validdata() and validjson()
    (CFE-2898)
  - New version checking convenience policy functions (CFE-3197)
    Added the following policy functions to check against local CFEngine version:
      - cf_version_maximum()
      - cf_version_minimum()
      - cf_version_after()
      - cf_version_before()
      - cf_version_at()
      - cf_version_between()
  - Removed (USE AT YOUR OWN RISK) from cf-key help menu for -x (ENT-5090)
  - Rewrote helloworld.cf to use files promises content attribute
    (CFE-3276)
  - The outcome classes are now defined for the top-level directory when
    'include_basedir' is 'false' (ENT-5291)
  - Variable references with nested parentheses no longer cause errors
    (CFE-3242)
  - cf-check: Added a
    more user friendly message when trying to print
    unknown binary data (ENT-5234)
  - cf-check: Added data validation for cf_lastseen.lmdb (CFE-2988)
  - cf-check: Added nice printing for nova_agent_executions.lmdb
    (ENT-5234)
  - cf-check: Added validation for timestamps in cf_lock.lmdb (CFE-2988)
  - cf-check: Added validation for timestamps in lastseen.lmdb (CFE-2988)
  - cf-check: Fixed issue causing repair to target the wrong database file
    (ENT-5309)
  - cf-check: Symlinked LMDB databases are now preserved in repair
    Performs diagnosis and repair on symlink target instead of symlink.
    Repaired files / copies are placed alongside symlink target.
    In some cases, the symlink target is deleted to repair a corrupt
    database, and the symlink is left as a broken symlink. This is
    handled gracefully by the agent, it will be recreated. Broken
    symlinks are now detected as an acceptable condition in diagnose,
    it won't try to repair them or delete them. (ENT-5162)
  - storage promises managing nfs mounts should now correctly mount
    after editing fstab entries

3.15.0:
  - New policy function basename() added (CFE-3196)
  - Added read_module_protocol() policy function
    This function reads module protocol from a file, and can be used
    for caching the results of commands modules. (CFE-2973)
  - The @ character is now allowed in the key of classic arrays defined
    by the module protocol (CFE-3099)
  - nth() policy function now supports negative indices (CFE-3194)
  - Fixed .xy floating point numbers parsing in eval() (CFE-2762)
  - Added inform constraint to commands promises, to allow suppression of
    INFO log messages (CFE-2973)
  - Changed unless constraint to be more consistent with if
    For any situation where if would NOT skip a promise, unless
    will cause the promise to be skipped. When there are
    unresolved variables / function calls, if will skip, unless
    will NOT skip.
    (CFE-3160)
  - Default minimum allowed TLS version is now 1.1 (ENT-4616)
  - Network protocol version 2 is now called "tls"
    "tls" or "2" can be used in places where you specify network
    protocol. Log messages were altered, to show "tls" instead of
    "latest". (ENT-4406)
  - Introduced protocol version 3 - "cookie"
    This protocol is identical to version 2 ("tls"),
    except it allows the enterprise reporting hub to send
    the COOKIE command to enterprise hosts. This command is used for
    detecting hosts using duplicate identities. Protocol version "latest"
    now points to version 3. For community installations, it should not
    make a difference, policy servers will not send this command. The only
    visible difference is the new version number (in logs and policy).
    (ENT-4406)
  - Package modules now hit network when package cache is first initialized
    (CFE-3094)
  - Fixed promise skipping bug in unless (CFE-2689)
  - Fixed error message for unexpanded variables in function calls in unless
    (CFE-2689)
  - Prevented buffer overflow when policy variable names are longer than
    1024 bytes
  - Zero bytes in class guards no longer cause crashes (CFE-3028)
  - Fixed bug in ps parsing on OpenBSD / NetBSD causing bootstrap to fail
  - Fixed crash in policy/JSON parsing of numbers with too many decimal
    points (CFE-3138)
  - copy_from without preserve now respects destination mode (ENT-4016)
  - Removed stime_range and ttime_range constraints from promise hash
    (ENT-4921)
  - Fixed promise result when using process_stop in processes type promises
    (ENT-4988)
  - cf-execd now sends SIGKILL to the agent process in case of
    agent_expireafter, after attempting SIGINT and SIGTERM (CFE-2664)
  - cf-serverd now tries to accept connection multiple times (CFE-3066)
  - Fixed multiple measurements tracking growth of same file (ENT-4814)
  - Set create permissions of monitord files in state directory to 0600
    0600 matches the permissions enforced by policy.
    Affected files:
      * state/cf_incoming.*
      * state/cf_outgoing.*
      * state/cf_users
      * state/env_data
    (ENT-4863)
  - Clarified descriptions of io_writtendata and io_readdata (ENT-5127)
  - Clarified log message about process_count and restart_class being used
    concurrently (CFE-208)
  - Agent runs that hit abortclasses now record results (ENT-2471)
  - An ID of rhel in os-release file will now define both rhel and redhat
    classes (CFE-3140)
  - Version specific distro classes are now collected by default in
    Enterprise (ENT-4752)
  - redhat_8 and redhat_8_0 are now defined on RHEL 8 (CFE-3140)
  - Added derived-from-file tag to hard classes based on /etc/redhat-release
    (CFE-3140)
  - Added sys.bootstrap_id policy variable containing the ID from
    /var/cfengine/bootstrap_id.dat, if present (CFE-2977)
  - sys.interfaces now contains interfaces even when they only have
    IPv6 addresses (ENT-4858)
  - IPv6-only interfaces added to sys.hardware_(addresses,mac) (CFE-3164)
  - IPv6 addresses are now added to policy variable sys.ip_addresses
    (CFE-682)
  - IPv6 addresses now respect ignored_interfaces.rx (CFE-3156)
  - hostname now allowed in bindtoaddress (CFE-3190)
  - Fixed issue when removing comments from files in various policy functions
    This also fixes many erroneous occurrences of the error message
    mentioning:

      [...] because it legally matches nothing

    (A warning can still appear if a comment regex actually matches nothing).
    Also made this comment removing logic faster.
    Affected functions include:
      * readstringlist()
      * readintlist()
      * readreallist()
      * peers()
      * peerleader()
      * peerleaders()
      * data_readstringarray()
      * data_readstringarrayidx()
      * data_expand()
      * readstringarray()
      * readstringarrayidx()
      * readintarray()
      * readrealarray()
      * parsestringarray()
      * parsestringarrayidx()
      * parseintarray()
      * parserealarray()
    (CFE-3188, ENT-5019)
  - Fixed memory leak in JSON / env file parsing (CFE-3210)
  - Fixed memory leak in handling of nfs / fstab (CFE-3210)
  - Fixed memory leak in string_replace() and regex_replace() (CFE-3210)
  - Fixed memory leak when using with constraint (CFE-3210)
  - Fixed minor memory leak in policy evaluation (CFE-3210)
  - Fixed small memory leak in SQL database promises (CFE-3210)
  - Received SIGBUS now triggers a repair of local DBs (CFE-3127)
  - Corrupted LMDB files are now automatically repaired (CFE-3127)
  - Keys in the lock database, cf_lock.lmdb, are now human-readable
    (CFE-2596)
  - Local databases now use synchronous access on AIX and Solaris (ENT-4002)
  - Report corrupted local database with a critical log message (CFE-2469)
  - Local DB errors are now logged with the particular DB file path (CFE-2469)
  - cf-check: repair now preserves readable data in corrupted LMDB files
    (CFE-3127)
  - cf-check: --dump option was added to the backup command
  - cf-check: Added --no-fork to diagnose command (CFE-3145)
  - cf-check: Added -M manpage option and other common options (CFE-3082)
  - cf-check: No DB files in state dir now causes errors
  - cf-check: dump command now dumps DB contents to JSON5 (CFE-3126)
  - cf-check: help command can now take a topic as argument

3.14.0:
  - A bootstrap_id.dat file is now generated on every bootstrap
    (CFE-2977)
  - Added options to cf-net to set minimum TLS version and ciphers
    (ENT-4617)
  - Added --no-truncate option to
    cf-key
    This option, when used with --show-hosts changes the formatting
    of the output. Instead of padding and truncating each of the
    fields, they are printed, in full, with no padding, and separated
    by a single tab character. The output is not as pretty, but should
    be more useful for parsing by other scripts / tooling. (CFE-3036)
  - Added a new option --skip-db-check to agent and execd
    This option allows you to enable/disable database (LMDB) consistency
    checks. Initially it is disabled by default, but this will likely
    change. (CFE-2893)
  - Added a new utility to contrib: cf-remote
    cf-remote is a python + fabric tool to log in to remote hosts
    you have ssh access to. It can be used to download, transfer,
    and install cfengine packages as well as bootstrapping etc.
    At this point, cf-remote is not packaged with CFEngine, but can be
    installed separately from:
    https://github.com/cfengine/core/tree/master/contrib/cf-remote
    (CFE-2889)
  - Added derived-from-file tags to hard classes based on /etc/debian_version and /etc/issue
  - Added a function to filter CSV-files by classes (CFE-2768)
  - Forward slash is now an allowed character in module protocol commands
    (CFE-2478)
  - Augments files can now handle class expressions by appending '::'
    A condition in an augments file is treated as a class expression
    if it ends in ::. Otherwise it is treated as a regular
    expression.
    (CFE-2954)
  - Internal ps command can now handle longer usernames (CFE-2951)
  - Made copylink_pattern honor '/../' in copy source (CFE-2960)
  - CSV parser now supports CRLF inside double quotes (ENT-4504)
  - Added an error when a function defining a variable still fails at
    pass 3 (CFE-2983)
  - Documented cf-execd and cf-serverd response to SIGHUP in manpage
    (CFE-2853)
  - Stopped trimming leading zeroes in ubuntu minor version class
    The old version detection logic (using /etc/debian_version) was
    converting the minor version part to an integer, defining
    ubuntu_18_4 instead of ubuntu_18_04. The new platform detection
    (based on /etc/os-release) defines ubuntu_18_04. Since both old
    and new methods are running to maximize compatibility, both
    ubuntu_18_04 and ubuntu_18_4 were defined.
    This commit ensures that the old detection logic treats the
    minor version (the 04 part) as a string, not an integer. The
    change is specific to Ubuntu, and should affect Ubuntu 18.04,
    16.04, 14.04, etc. (CFE-2882)
  - SUID log permissions are now properly enforced (CFE-2919)
  - Agent log file names are now always lowercase
  - Extended module with file protocol for data (CFE-3050)
  - Fixed a segfault in 'cf-promises -p json-full' (CFE-3019)
  - Added cf-key help output to indicate ability to delete by key digest
    (CFE-2997)
  - Fixed disabling TLS 1.0 (CFE-3068)
  - Fixed growing memory footprint of daemons (CFE-3032)
  - Fixed the log message about setting collect_window (ENT-4238)
  - Fixed the log message when parsing TIME in 'ps' output fails
  - Fixed parsing of YAML values starting with numbers (CFE-2033)
  - Fixed sys.flavor on AIX (ENT-3970)
  - Fixed 6 cases where promises could get the wrong outcome
    All cases were related to error handling and detected using
    static code analysis (LGTM). They were limited to cf-monitord
    and cf-agent (guest_environments and files promise types).
    Due to a programming mistake, promise results would sometimes be
    overwritten with 'skipped' outcome. Keeping the previous
    value or making the promises 'not kept' is expected behavior.
    Added a query to our CI (LGTM) to make sure we catch this error
    on new contributions.
  - Fixed an issue while parsing ps output on AIX (ENT-4295)
  - Fixed a memory leak in filesexist function (ENT-4313)
  - Fixed a memory leak in mustache rendering (ENT-4313)
  - Fixed a memory leak in: differences(), intersection(), unique()
    (ENT-4586)
  - Fixed a segfault in policy parser (ENT-4022)
  - Connection cache is now global (CFE-2678)
  - Increased verbosity of AcquireLock permission error (ENT-4395)
  - Message about invalid class characters from module protocol moved to VERBOSE
    (CFE-2887, CFE-3008)
  - Prevented buffer overflows in cf-monitord data parsing
  - Private keys generated by cf-key are no longer encrypted
    Private key files encrypted with a broken cipher and default
    hard coded passphrase provide no real security, and are only an
    inconvenience. Maybe it was intended to add a password prompt
    later, but it's been 10 years now, and the cipher and passphrase
    remain untouched. The function which reads keys still supports
    both encrypted and unencrypted keys, it will decrypt if necessary.
  - Reduce SSL/TLS shutdowns on bad networks (CFE-3023)
  - Removed programming error in handling of process_count body
    Previously, having a failing function call inside in_range_define
    or out_of_range_define would cause a programming error when
    trying to define that as a class. Fixed it by detecting the
    case, printing a normal error, and skipping defining the class.
    (CFE-2067)
  - Set policy->release_id to "failsafe"/"bootstrap" when running failsafe.cf
    (CFE-3031)
  - Switched permissions of various temporary files in state to 0600
    These files were created with 0644 permissions, and then
    repaired in policy. However, since they are deleted / recreated
    periodically, it causes INFO noise. Safer and better user
    experience to create them with restricted permissions to
    begin with.
    Affected files:
      * $(sys.statedir)/cf_procs
      * $(sys.statedir)/cf_rootprocs
      * $(sys.statedir)/cf_otherprocs
    (ENT-4601)
  - string_split segments are now truncated to 1024 bytes instead of
    crashing (CFE-3047)
  - Unresolved function calls in process_select body are now skipped
    Function calls which always fail, like getuid("nosuchuser"), are
    never resolved. Previously this would cause a programming error,
    since the body is expected to have a list of strings, not
    unresolved function calls.
    The function calls are silently skipped (with a verbose message)
    as this matches the behavior of calling the functions in a vars
    promise, and using that as a body parameter.
    (CFE-1968)
  - cf-check directories can now be controlled from ENV vars (CFE-2994)
  - cf-check: Added backup command
    This command copies lmdb files to a timestamped backup directory.
    (ENT-4064)
  - cf-check: diagnose and backup now use state directory by default
    (ENT-4064)

3.13.0:
  - Add support for TLS 1.3 and its ciphersuites
  - Add 'feature' hard classes for supported TLS versions
    Different versions of TLS are supported depending on what version
    of OpenSSL CFEngine was compiled and linked with. Newly added
    feature hard classes bring that information to the
    policy.
    Classes like these are now defined (for supported
    versions of TLS):
      feature_tls        source=agent,hardclass
      feature_tls_1      source=agent,hardclass
      feature_tls_1_0    source=agent,hardclass
      feature_tls_1_1    source=agent,hardclass
      feature_tls_1_2    source=agent,hardclass
      feature_tls_1_3    source=agent,hardclass
  - Add a new variable $(sys.default_policy_path)
    A new sys variable that provides the path of the default policy
    file evaluated when no file is specified with the '-f' option.
  - Add an option to skip the initial policy run on bootstrap
    In some cases it may not be desired to run the policy as the last
    step of the bootstrap. This can be done with the new
    '--skip-bootstrap-policy-run' option for cf-agent. (CFE-2826)
  - Trigger promises.cf as the last step of bootstrap (CFE-2826)
  - Add support for overriding the package module's path (CFE-2103)
  - Add support for setting package module interpreter (CFE-2880)
  - Added --log-level option to all components
    This allows you to specify any log level (info, verbose, debug etc.).
    It is also less strict, allowing different spelling. As an example,
    --log-level i, --log-level INFO, --log-level inform are all the same.
  - Added a new binary: cf-check
    Corrupt local databases (LMDB) continue to be a problem.
    cf-check will be used to diagnose and remediate problems
    with corrupt databases. It is a standalone binary, which
    doesn't evaluate policy or use the local databases, thus
    it can be used in situations where the other binaries
    like cf-agent would hang.
    cf-check replaces our lmdb database dumper, lmdump.
    cf-check lmdump or symlinking / renaming it to lmdump
    will make cf-check have the exact same behavior as lmdump.
    cf-check will include much more functionality in the future
    and some of the code will be added to other binaries,
    for example to do health checks of databases on startup.
    Ticket: (ENT-4064)
  - Added function string_replace. (CFE-2850)
  - Allow dots in variable identifiers with no such bundle
    As described and discussed in CFE-1915, defining remote variables
    (injecting variables into remote bundles) is dangerous and must
    be blocked. However, using a dot-separated common prefix for
    variables raises no security concerns and can be considered
    valid. (CFE-1915)
  - Allow requiring TLS 1.3 as the minimum version
  - Apply augments after vars, classes and inputs in def.json
    (CFE-2741, CFE-2844)
  - Bundle name is now part of the log message when aborting a bundle
    (CFE-2793)
  - Class names set by module protocol are automatically canonified
    (CFE-2877, CFE-2887)
  - Classes failsafe_fallback and bootstrap_mode are now reported by default
  - Correct log level for data_readstringarray* (CFE-2922)
  - Do not iterate over JSON objects' properties in mustache (CFE-2125)
  - Do not render templates when passed invalid data (CFE-2194)
  - Eliminated error messages caused by attempting to kill expired processes
    (CFE-2824)
  - Fix cf-runalerts systemd unit conditions so the service will run
    (ENT-3929)
  - Fix the off-by-one error in cf-runagent background process spawning
    (CFE-2873)
  - Fixed OOB read / heap buffer overflow in evaluator (ENT-4136)
  - Fixed a memory leak which occurred when reloading RSA keys from disk
    (CFE-2857)
  - Fixed a memory leak which occurred while loading augments files
    (CFE-2913)
  - Fixed an issue with splay time in cf-execd (CFE-2931)
  - Fixed error handling and memory leak in cf-key (CFE-2918)
  - Fixed memory leak in JSON to policy conversion (ENT-4136)
  - Fixed memory leak in lmdb cleanup (CFE-2918)
  - Fixed memory leaks in cf-agent during bootstrap (CFE-2918)
  - Fixed memory leaks in variablesmatching() and findfiles() (CFE-2918)
  - Fixed missing class with mustache templates in warn_only mode
    (CFE-2600)
  - Fixed small memory leak in cf-serverd (CFE-2918)
  - Fixed small memory leak in cf-upgrade (ENT-4136)
  - Fixed small memory leaks of environment variable strings (CFE-2918)
  - LMDB database dumper, lmdump, no longer creates empty databases
    (ENT-4064)
  - Made variablesmatching functions treat args regexes more correctly
    variablesmatching() and variablesmatching_as_data() no longer
    use string comparison to find matches. The documentation is clear;
    arguments should be regexes (so you have to escape special
    characters).

      bundle agent main
      {
        vars:
          "myvar"
            string => "example",
            meta => {"os[linux]"};
          "matches"
            slist => variablesmatching(".*", "os\[linux\]");
        reports:
          "Match: $(matches)";
      }

    The above example is correct. If you don't escape the brackets
    like above, it will no longer work. (You probably shouldn't use
    brackets in tags anyway).
  - Prevent the init script from managing processes inside containers
    (ENT-3800)
  - Read mustache-rendered files in text mode when comparing digest
    (ENT-2526)
  - Reload persistent classes on config reload in cf-execd and cf-serverd
    (CFE-2857)
  - Fixed issue with @if macro failing when it is on the first line.
    (CFE-2817)
  - Fixed issue with cf-agent intermittently hanging on windows
    sometimes (ENT-3756)
  - change GIT_BRANCH to GIT_REFSPEC and remove Design Center vars
    (ENT-4023)
  - os-release file is now used for hard classes and sys.flavor on all linuxes
    This will improve platform detection on newer operating systems where
    /etc/os-release (or /usr/lib/os-release) is present.
    A hard class will be set for the value of the ID key (canonified with
    underscores), if it exists. If both ID and VERSION_ID exist, multiple
    hard classes will be set for all parts of the version number. The
    special variable sys.flavor will also be set by determining major
    version from VERSION_ID.
    Example os-release file:
      ID=coreos
      VERSION_ID=1185.3.0
    For the example above, sys.flavor will be coreos_1185 and 4 hard
    classes will be set; coreos_1185_3_0, coreos_1185_3, coreos_1185,
    and coreos.
    For backwards compatibility, older distribution specific logic is still
    executed and may overwrite sys.flavor and define hard classes as before.
  - refactor use of atexit to use custom cleanup function instead. On Windows
    atexit() unloads DLLs before and/or during atexit functions being called
    which causes bad behavior. (ENT-3756)

3.12.0b1:
  New Features:
  - Add a --key-type option to specify RSA key size to cf-key
  - New hash_to_int policy function (CFE-2733)
  - Issue a warning on ignored locking attributes (CFE-2748)
  - Add IPv6 hard classes with the "ipv6_" prefix (CFE-2310)
  - Introduce "missing_ok" attribute in body copy_from
    This allows to ignore missing sources in file copy operations (CFE-2365)
  - Enable Xen hypervisor detection on all x86 platforms (CFE-2203)
  - Add sys.policy_entry variables (CFE-2572)
  - Added inline_mustache template method (CFE-1846)
  - New component cf-net (cf-net is a CLI for the CFEngine network protocol,
    useful for debugging, testing etc) and accompanying policy variable
    sys.cf_net containing path to cf-net binary

  Changes:
  - Load augments at the end of context discovery
    This means that classes defined as part of the context discovery
    (e.g.
    'am_policy_hub' and 'policy_server') can be used in the
    augments (CFE-2482)
  - Open measurements promise type from enterprise cf-monitord
  - Transform filesexist() into a collecting function (CFE-2744)
  - Load process table when actually needed for a processes promise (ENT-2536)
  - Ignore commented out entries in fstab when edit_fstab is true (CFE-2198)
  - Do not move obstructions in warn policy mode (CFE-2740)
  - Made the max bytes parameter to file reading functions optional (CFE-2656)
  - Do not tag large volatile variables for inventory
    sys.interfaces_data, sys.inet and sys.inet6 are commonly larger than the
    maximum data size allowed to be collected by cf-hub. Data larger than 1k
    is truncated. Instead of reporting truncated data this change stops
    tagging the variable so that it will not be collected to the Enterprise
    hub and will not be available in Mission Portal. (ENT-3483)
  - cf-execd now re-parses augments on policy reload (CFE-2406)
  - Improve misleading verbose message
    For constraints if/ifvarclass/unless, we now print the whole rval of the constraint.
    Previously the message was just "skipping variable because ifvarclass is not defined" while the variable itself was defined.
    Old message example:
      verbose: Skipping promise 'mailto' because 'if'/'ifvarclass' is not defined
    Changed to:
      verbose: Skipping promise 'mailto' because 'ifvarclass => not(isvariable("mailto"))' is not defined
    (CFE-2697)
  - Promise comments for file changes moved to verbose (ENT-3414)
  - Suppress output from systemctl based restart of services in
    bootstrap/failsafe (CFE-1459)
  - Parser can now handle larger input buffers (CFE-1886)
  - Improve logging of ACL errors (ENT-3455)
  - cf-execd systemd service now only kills cf-execd itself (ENT-3395)
  - Load multiple augments from "augments" string array in def.json
    (CFE-2084)
  - Improve support for Alpine Linux
  - Set the exit value when running cf-key
    When running cf-key to generate new keys, set the exit value of the
    program to be 0 on success and 1 on failure. This makes it easier to
    catch errors during setup of a new machine.
    Change the default behavior of the program to not write anything to stdout,
    opting to use the Log() function which can write to stdout and will also
    allow output to be sent to syslog.
    Add a --inform option to set the global log level to LOG_LEVEL_INFO.
    Change the permissions of the randseed file to 600 and catch the exception
    if the chmod call fails.
  - Properly reverse-resolve DNS names longer than 63 chars (ENT-3379)
  - Properly redirect init script to systemd on debian systems (ENT-3326)

  Bug fixes:
  - Disallow modifications of variables from a remote bundle (CFE-1915)
  - Speedup evaluation by not copying variables table when expanding a promise
    (CFE-2524)
  - Resolve subkey conflicts when converting to JSON
    Whenever there is a conflict of array variable definitions prefer
    the container subkeys over simple values when converting to JSON
    (CFE-2536)
  - Do not ignore meta promises in server bundles (CFE-2066)
  - Add a debug log for computed class in splayclass
  - Don't error when calling isexecutable on broken link (CFE-741)
  - Fix segfault when no show-evaluated-vars/classes is specified
  - Fix memory leak in cf-execd, triggered when sending email failed (CFE-2712)
  - Fix IPv6 parsing to be un-reversed (CFE-2580)
  - Fix bug preventing permission changes on Unix sockets (CFE-1782)
  - Fix storage mount promise when existing mountpoint has a similar path
    (CFE-1960)
  - Fix segfault when cf-promises -p is called against a file with syntax
    errors (CFE-2696)
  - Fix rare cf-execd hang (CFE-2719)
  - Fix mergedata segfault when called on a non-container (CFE-2704)
  - Do not segfault if policy_server.dat only contains whitespaces and/or line breaks
  - Fix segfault on JSON policy files with no bundles and bodies (CFE-2754)

3.11.0:
  New Features:
  - Allow function calls in promiser using universal "with" attribute
    (CFE-1092)
  - Add example of with attribute (CFE-1092)
  - Detect Amazon Linux and set "AmazonLinux" hard class and
    sys.flavour variable
  - New sysctlvalue() and data_sysctlvalues() functions from /proc/sys
    (CFE-2513)
  - readdata() also auto-detects .yml files as YAML
  - Added support for ENV and CSV file parsing (CFE-1881)
  - Added vars and classes for CoreOS (ENT-3043)
  - cf-agent:
    implement --show-evaluated-vars and --show-evaluated-classes
  - Support for custom ports and host names as policy hub (CFE-953)
  - cf-promises: allows --show-vars and --show-classes to take an optional filter
  - Added a new tool: cf-net. cf-net is a CLI for the CFEngine
    network protocol, useful for debugging, testing etc (CFE-2493)
  - New policy variable: sys.cf_net contains path to cf-net binary
  - Read /etc/os-release into sys.os_release (CFE-1881)

  Changes:
  - readintlist() now prints an error if the
    file contains real numbers, not integers, and aborts; previously it was
    printing an info-level error message, was half-reading an integer out of
    the real, and was continuing successfully.
  - "make tar-package" should create a tarball with the contents of
    "make install" (ENT-3041)
  - Allow opening symlinks owned by root or by the current user
    (CFE-2516)
  - Change warning message about depth_search on a non directory to
    DEBUG level
  - Ensure synchronous start and stop with systemctl (ENT-2841)
  - Put logs in /var/log and PID files in /var/run when using FHS layout
    (CFE-2449)
  - readstringlist(), readintlist(), readreallist(): Print
    verbose instead of error message if file can not be read
  - cf-serverd: Do not close connection when file does not exist
    (CFE-2532)
  - policy_server.dat now appends a newline and supports host & port
  - Allow string_head and string_tail to take negative arguments
  - getvalues(inexistent_var) returns an empty list.
    Restores 3.7.x and earlier behaviour. (CFE-2479)
  - Partially restore old getvalues(array) behaviour
    Bugfix: getvalues() now behaves correctly for old CFEngine
    arrays of depth 1
    Behaviour change: it always returns a list now. Even when v is a simple
    string (i.e. not an iterable) it will return an slist with one element:
    the value of the string variable.
    Known issues: getvalues() still misbehaves with double-indexed arrays
    (see CFE-2504, CFE-2536)
  - The source version of CFEngine now installs binaries into
    bin folder instead of sbin folder (CFE-2448)
  - Don't error during dry run for proposed execution (CFE-2561)
  - Print verbose instead of error message when readfile() fails (CFE-2512)
  - cf-serverd: Auto configure max open files ulimit according to
    maxconnections (CFE-2575)
  - Made the max bytes parameter to file reading functions optional.
    Affects readfile(), readenvfile(), readcsv()

  Bug fixes:
  - Fix insert_lines related memory corruption (CFE-2520)
  - Prevent LMDB assertion on AIX by ensuring nested DB calls are
    not occurring during signal handler cleanup (CFE-1996)
  - Fix a bug which could cause cf-execd to believe there was
    an error when sending the email report, when there really wasn't
  - zendesk#3204: Fix "lastseenexpireafter" 32-bit signed int overflow
  - Fix cf-execd not exiting immediately with SIGTERM on AIX (ENT-3147)
  - Fix automatic service stops based on runlevel (redhat/centos)
    (CFE-2611)
  - Fix cf-serverd crash when reporting corrupted data (ENT-3023)
  - Fix rare output truncation on Solaris 10/11 (CFE-2527)
  - Fix crash on Solaris when ps ucb variant is not available (CFE-2506)
  - Fix logic to detect when running under a Xen Hypervisor (CFE-1563)
  - Fix "lastseenexpireafter" 32-bit signed int overflow (zendesk#3204)
  - Fix IPv6 parsing to be un-reversed (CFE-2580)

3.10.0:
  New features/additions:
  - All new features/additions for 3.8 and 3.9 are also included in 3.10.
  - Add: Classes body tailored for use with diff
  - New feature: Classes promise: allow classes without an expression to default to defined.
  - Support for custom ports and host names as policy hub (CFE-953)
  - Add: Definition of from_cfexecd for cf-execd initiated runs
    (CFE-2386)
  - Add < <= > >= operators to eval().
  - Add testing jUnit and TAP bundles and include them in stdlib.cf
  - New function isipinsubnet() (ENT-7949)
  - LogDebug(): implement module-based debug logging.
    Now most DEBUG messages are *not* printed even when "-d" is in use, but
    the specific debug module has to be enabled on the command line. For
    example to enable all log modules, run:
      cf-agent -d --log-modules=all
  - Add: edit_line contains_literal_string to stdlib
  - add variablesmatching_as_data() function paralleling variablesmatching()
    (Redmine #7885)
  - Allow specifying agent maxconnections via def.json (CFE-2461)
  - Add getuserinfo() function
  - Add body agent control select_end_match_eof option. (CFE-2390)
  - Add class to enable post transfer verification during policy updates
  - Add ability to append to bundlesequence with def.json (CFE-2460)
  - policy_server.dat now appends a newline and supports host & port

  Changes:
  - Rewrite iteration engine to avoid combinatorial explosion with nested variable expansions.
    This speeds up enormously the execution of policies that included long
    slists or JSON containers, that in the past didn't even terminate.
    Change: "cf_null" string literal was changed to not be something
    special, and it's now a string that can be used anywhere, like
    in slists or part of bundlesequence etc.
    NOTE: Old policy should be grep'ed for "cf_null" and in case such
    occurrences were handled specially, they should be reworked.
    Change: "--empty-list--" is now never printed by format(),
    an empty list is now printed as "{ }".
    Change: Order of pre-evaluation was slightly changed, A new "vars" pass
    at the beginning of pre-evaluation was added.
    It used to be classes-vars, but it was changed to vars-classes-vars. As a
    result some classes or variables might be evaluated at a
    different time than before. As always try to write policy code that works no matter what the
    order of execution is.
    One way is to always *guard* the execution of functions to avoid
    bogus function results. For example the following will avoid
    running execresult() before the file has been created:
      execresult("cmd /path/to/filename") if => fileexists("/path/to/filename");
    C internals: NULL Rlist is now perfectly valid, in fact it is the only
    way to denote an empty Rlist.
    C internals: Since a slist variable can be NULL, API of
    EvalContextVariableGet() changed: The way to detect if a
    variable is found, is not to check return value for NULL,
    but to check returned *type* for CF_DATA_TYPE_NONE.
    Fixed what I could find as wrong API uses. (CFE-2162)
  - Allow arbitrary service policies (CFE-2402)
  - Behaviour change: cf-execd: Do not append -Dfrom_cfexecd to exec_command.
    (CFE-2386)
  - Failsafe/Bootstrap no longer copy files starting with .git (like .gitignore) or .mailmap
    (CFE-2439)
  - Change: Enable strict transport security
  - Change: Disable http TRACE method
  - Change: Verify transferred files during policy update
  - Allow getvariablemetatags() and getclassmetatags() to get a specific tag key
  - Change: Use more restrictive unix socket perms (ENT-2705)
  - Add sys.user_data container for user starting agent.
  - Pass package promise options to underlying apt-get call (#802)
    (CFE-2468)
  - Change: Enable agent component management policy on systemd hosts
    (CFE-2429)
  - Change: Switch processes restart_class logging to verbose
  - Change: Log level for keeping verbatim JSON to DEBUG (CFE-2141)
  - Change: Require network before cfengine services (CFE-2435)
  - Behaviour change: getvalues(inexistent_var) returns an empty list.
    Restores 3.7.x and earlier behaviour. (CFE-2479)
  - Behaviour change: when used with CFEngine 3.10.0 or greater,
    bundles set_config_values() and set_line_based() are appending a
    trailing space when inserting a configuration option with empty value.
    (CFE-2466)
  - Behaviour change: getvalues() always returns a list now. Even when v is a simple
    string (i.e. not an iterable) it will return an slist with one element:
    the value of the string variable.
  - Behaviour change: readintlist() now prints an error if the
    file contains real numbers, not integers, and aborts; previously it was
    printing an info-level error message, was half-reading an integer out of
    the real, and was continuing successfully.
  - Ensure synchronous start and stop with systemctl (ENT-2841)
  - Change select_region INI_section to match end of section or end of file
    (CFE-2519)

  Bug fixes:
  - fix files promise not setting ACL properly on directories. (CFE-616)
  - Upgrade CFEngine dependencies to the following versions:
    - libxml2 2.9.4
    - OpenSSL 1.0.2j
    - LibYAML 0.1.7
    - Curl 7.50.3
  - Fix cumulative() to accept up to 1000 years, like it's documented.
  - Fixed parsing of host name/IP and port number in cf-runagent
    (CFE-546)
  - Fix intermittent error message of type:
    "error: Process table lacks space for last columns: <cmd>" (CFE-2371)
  - storage: Properly initialize the list of current mounts (CFE-1803)
  - Fix 'contain' attribute 'no_output' having no effect when
    the 'commands' promise is using 'module => "true"'. (CFE-2412)
  - Fix bug which caused empty emails to be sent from cf-execd
    if there was no previous output log and the new log was fully filtered
    by email filters. (ENT-2739)
  - allow ifelse(FALSE, $(x), "something else") to work. (CFE-2260)
  - Fix connection cache, reuse connections when possible.
    (CFE-2447)
  - Fix rare bug that would sometimes prevent redis-server from launching.
  - Fix bug in files promise when multiple owners are promised
    but first one doesn't exist, and improve logging. (CFE-2432)
  - define kept outcome with action warn if edit_line is as expected
    (CFE-2424)
  - Example using getvariablemetatags() and getclassmetatags() to get a specific tag key
  - Remove 2k limit on strings length when writing JSON policies
    (CFE-2383)
  - Fix ttime_range constraint to go higher than 2G as number of seconds.
  - Change: cronjob bundle tolerates different spacing
  - Allow editing fields in lines longer than 4k (CFE-2438)
  - Don't send empty emails for logs where everything is filtered.
    (ENT-2739)
  - allow maplist(), maparray(), and mapdata() to evaluate function calls during iteration
    (ARCHIVE-1619)
  - insert_lines is no longer implicitly matching EOF as
    end of the region if 'select_end' pattern is not matched. (CFE-2263)
  - Change: Remove executable bit from systemd units (CFE-2436)
  - cf-serverd should reload def.json when reloading policy (CFE-2406)
  - Fix cf-monitord detection of usernames of the process table on AIX.
  - Speed up local and remote file copying and fix spurious errors.
    (ENT-2769)
  - Fix occasional segfault when running getindices() on a
    variable that has indices of multiple depths (e.g. both "a[x]" and
    "a[x][y]"). (CFE-2397)
  - When no file is provided when calling cf-promises
    with cf or json output, use promises.cf by default. This restores the
    previous behavior. (CFE-2375)
  - Fix: Services starting or stopping unnecessarily (CFE-2421)
  - Change: Split systemd units (CFE-2278)
  - EOF is matched as an end of the region in edit_line
    promises only if 'select_end_match_eof' parameter is true. (CFE-2263)
  - Fix double logging of output_prefix, and log process name for cf-agent syslog messages.
    (CFE-2225)
  - Be less verbose if a network interface doesn't have a MAC address.
    (CFE-1995)
  - Fix: CFEngine choking on standard services (CFE-2806)
  - fix insert_lines related memory corruption (CFE-2520)
  - fix cf-serverd crash when reporting corrupted data. (ENT-3023)
  - Fix ability to manage INI sections with metachars for
    manage_variable_values_ini and set_variable_values_ini (CFE-2519)
  - Fix apt_get package module incorrectly using interactive mode.
  - Fix crash on Solaris when ps ucb variant is not available. (CFE-2506)
  - cf-serverd: Do not close connection when file does not exist.
    (CFE-2532)
  - getvalues() now behaves correctly for old CFEngine arrays of depth 1.
    Known issues: getvalues() still misbehaves with double-indexed arrays
    (see CFE-2504, CFE-2536)

3.9.0:
  New features/additions:
  - Add optional interface parameter to iprange() to match only one interface.
  - Allow '=' in symbolic modes (Redmine #7826)
  - Add: FreeBSD ports package module
  - New package module for FreeBSD pkg package manager.
  - Add support for adding/removing fifos in policy
  - Add Linux parsing of /proc/net/ data.
    - sys.inet
    - sys.inet6
    - sys.interface_data
    - Data is returned as a data container.
    - See documentation for more details. (Jira CFE-1991)
  - sys.ip2iface: new reverse mapping variable from IP to interface name
  - Namespaced classes can now be specified on the command line.
  - namespaces can now be passed to cf-runagent -D and --remote-bundles
    (Redmine #7856)
  - Add 'cf-full' and 'json-full' to cf-promises '-p' option.
    They generate output based on the entire policy. The existing 'cf'
    already behaved this way, and it has now been changed to generate
    output only for a single file, which the existing 'json' option
    already does.
  - New language functions: processexists() and findprocesses()
    (Redmine #7633)
  - Implement new regex_replace() function. (Redmine #7346)
  - Add log rotation policy for state/classes.jsonl log. (Redmine #7951)
  - Added collect_vars utility bundle to stdlib
  - Introduce report_class_log attribute to body agent control.
    (Redmine #7951)
  - Add standard_services service_method allowing for explicit usage
  - cf-promises --show-vars can now show JSON variables.
  - Add json_pipe mode to mapdata(), which allows piping a
    JSON container to an external program for manipulation and receiving
    JSON back. The jq tool is a good example where this mode can be
    useful. A corresponding $(def.jq) variable has also been added with
    a default path to this tool. See documentation for mapdata() for
    more information and examples. (Jira CFE-2071)
  - behaviour change: "true" is always defined and "false" is never defined in a context expression.
  - Add: nimclient package module for AIX
    This module provides basic functionality for using nimclient as a means
    to ensure packages are either present or absent. It does not support
    listing package updates available or provide any special caching.
  - Add callstack_callers() and callstack_promisers() functions.
  - Log variable definitions in debug output. (Redmine #7137)
  - Add: Memory information to host info report (Jira CFE-1177)
  - In Mustache templates, one can now use {{#-top-}} and
    {{/-top-}} tags to iterate over the top level element in a
    container. (Redmine #6545)
  - Add network_connections() function that parses /proc/net
  - Provide new -w argument to override the workdir for testing
  - New feature: Emails sent by cf-execd can be filtered to get
    rid of emails for unwanted log messages. The attributes
    mailfilter_include and mailfilter_exclude in body executor
    control control what to include.
    See documentation for cf-execd for
    more information. (Jira CFE-2283)
  - Add: file_make_mustache bundle to render mustache templates
  - Add '-n' flag to cf-key to avoid host name lookups.
  - cf-agent, cf-execd, cf-promises, cf-runagent and cf-serverd honor multiple -D, -N and -s arguments
    (Redmine #7191)
  - Add "canonify" mode to mapdata().
  - Add: printfile bodies to stdlib
  - Add: New results classes body [] (Redmine #7418, #7481)
  - Implement cf-runagent --remote-bundles and cf-serverd "bundle" access promise.
    (Redmine #7581)
  - Add commands promise arglist attribute, augmenting args attribute.
  - It's now possible to reference variables in inline JSON,
    for example: mergedata('[ thing, { "mykey": otherthing[123] } ]').
    thing and otherthing[123] will be resolved as variables, since
    they are unquoted. See the documentation for more details.
    (Redmine #7871)
  - Allow inline JSON to be used in the following function
    calls:
    - data_expand()
    - difference()
    - every()
    - filter()
    - format()
    - getindices()
    - getvalues()
    - grep()
    - intersection()
    - join()
    - length()
    - makerule()
    - mapdata()
    - maplist()
    - mean()
    - mergedata()
    - none()
    - nth()
    - parsejson()
    - product()
    - regarray()
    - reglist()
    - reverse()
    - shuffle()
    - some()
    - sort()
    - storejson()
    - string_mustache()
    - sublist()
    - sum()
    - unique()
    - url_get()
    - variance()
    For example: mergedata('[ "thing", { "mykey": "myvalue" } ]')
    See the documentation for more details. (Jira CFE-2253)
  - Add: edit_line contains_literal_string to stdlib
  - Add body agent control select_end_match_eof option.
    (Jira CFE-2390)

  Changes:
  - Change: classesmatching(): order of classes changed
  - Change: getindices(), getvalues(), variablesmatching(), maparray():
    order of variables returned has changed
  - Change: set_quoted_values uses bundle scoped classes
  - Change: set_config_values uses bundle scoped classes
  - Change: set_variable_values uses bundle scoped classes
  - Change: set_config_values_matching uses bundle scoped classes
  - Change: manage_variable_values_ini uses bundle scoped classes
  - Change: set_line_based should use bundle scoped classes
    (Jira CFE-1959)
  - getvalues() will now return a list also for data containers,
    and will descend recursively into the containers. (Redmine #7116)
  - Change: Improve git drop user support
  - Use new package promise as default package promise
    implementation. (Jira CFE-2332)
  - Don't follow symbolic links when copying extended attributes.
  - When a bodydefault:<promise_type>_<body_type> body is
    defined, it will be used by all promises of type <promise_type>
    unless another body is explicitly used.
  - cf-serverd no longer appends "-I -Dcfruncommand" to
    cfruncommand, this has to be done manually in masterfiles
    body server control. (Redmine #7732)
  - eval() function arguments mode and options are now
    optional.
  - sort() function argument mode is now optional.
  - Change: returnszero() no longer outputs the output of a command.
    The output can be seen by enabling info mode (-I).
  - cfruncommand is not executed under shell. (Redmine #7409)
  - Remove: Apache CGI module
  - Change: Make maxbytes arg of readjson() and readyaml() optional
  - Classes matching agent control's abortclasses are
    now printed before exit, even if they are defined in common bundles.
    Previously the regex (in abortclasses) that matched the class was
    printed if the class was defined in a common bundle, but the class
    itself was printed if it was defined in an agent bundle. With this
    change, the defined class that caused the abort is always printed.
  - Remove: Support for email settings from augments_file (Redmine #7682)
  - Change: set_variable_values_ini uses bundle scoped classes
  - findfiles() now skips relative paths. (Redmine #7981)
  - Client connections using non TLS protocol are rejected
    by default. (Jira CFE-2339)
  - Change: Policy files specified in the "inputs" section of
    def.json will no longer be auto-loaded. One has to refer to the
    which are using the "inputs" field inside def.json. (Redmine #7961)
  - Change: Separate binary details from policy update (Redmine #7662)
  - Add guard for binary upgrade during bootstrap (Redmine #7861)
  - Change: Modernize pkg module and package_method
  - Remove: Userdir apache module
  - filestat(path, "linktarget") now follows non-absolute links and returns full path of target.
    This introduces a change in behaviour. Here is an example:
      $ ls -l /bin/sh
      lrwxrwxrwx 1 root root 4 Jun 4 2015 /bin/sh -> dash
    Previously the filestat function would return "dash", and would also log
    an error that the file can not be read. Now it will return "/bin/dash"
    (or the final destination if it happens that /bin/dash is also a
    symlink).
    You can still get the previous behaviour by using
    filestat(path, "linktarget_shallow"). (Redmine #7404)
  - Define (bootstrap|failsafe)_mode during update.cf when triggered from failsafe.cf
    (Redmine #7861)
  - Behavior change: The promise string of a processes
    promise now matches just the command line of each process instead of
    the line that is output by ps. This was done to reduce fragmentation
    between platforms, since ps is a very nonstandardized tool.
    (Jira CFE-2161)
  - Allowed namespace names made more strict, to disallow
    namespaces that cannot be reached. (Redmine #7903)
  - Behavior change: When using readintlist(), readreallist()
    or readstringlist(), parsing an empty file will no longer result in a
    failed function call, but instead an empty list. Failure to open the
    file will still result in a failed function call.
  - insert_lines is no longer implicitly matching EOF as
    end of the region if 'select_end' pattern is not matched.
    (Jira CFE-2263)
  - EOF is matched as an end of the region in edit_line
    promises only if 'select_end_match_eof' parameter is true.
    (Jira CFE-2263)

  Bug fixes:
  - Upgrade CFEngine dependencies to the following versions:
    - Curl 7.48.0
    - libxml2 2.9.4
    - LMDB 0.9.18
    - OpenLDAP 2.4.44
    - OpenSSL 1.0.2h
    - PCRE 8.38
    (Jira ENT-2720)
  - Upgrade dependencies to latest minor versions.
    For Community / Enterprise:
    For Enterprise:
  - Fix bug which sometimes misparses user names in ps output.
  - Fix: Problem with git not dropping privileges soon enough
  - Allow def.json up to 5MB instead of 4K.
  - It is possible to edit the same value in multiple regions
    of one file. (Redmine #7460)
  - CFEngine on Windows no longer truncates log messages if the
    program in question is killed halfway through.
  - Fixed a bug which caused def.json not being able to define
    classes based on other hard classes. (Jira CFE-2333)
  - Change: Tighten Enterprise hub permissions (Jira ENT-2708)
  - Fix a regression which would sometimes cause "Permission
    denied" errors on files inside directories with very restricted
    permissions. (Redmine #7808)
  - Fix use-after-free in ArrayMap and HashMap (Redmine #7952)
  - Package repositories are no longer hit every time package promise
    is evaluated on SUSE.
  - Fix a bug which sometimes caused package promises to be
    skipped with "XX Another cf-agent seems to have done this since I
    started" messages in the log, most notably in long running cf-agent
    runs (longer than one minute). (Redmine #7933)
  - TTY detection should be more reliable. (Redmine #7606)
  - cf-promises -p cf now produces valid cfengine code (Redmine #7956)
  - Fix ps options for FreeBSD to check processes only in current host and not in jails
  - cf-runagent now properly supports multiple -D or -s arguments
    (Redmine #7191)
  - Fix: Work around impaired class definition from augments
    (Jira CFE-2333)
  - Fix "No such file or directory" LMDB error on heavily loaded hosts.
    (Jira CFE-2300)
  - Check for empty server response in RemoteDirList after decryption
    (Redmine #7908)
  - Small performance optimization when cf-execd scans emails before sending.
  - Fix handling of closed connections during transactions
    (Redmine #7926)
  - The core ps parsing engine used for processes promises
    has been rewritten from scratch, and should be more robust than
    before. (Jira CFE-2161)
  - Fix the lexer which could not handle empty newline(s)
    before a @endif.
  - groupexists() no longer fails to detect a group name
    starting with a digit. (Jira CFE-2351)
  - Fix HP-UX specific bug that caused a lot of log output to disappear.
  - Fix unresolved variable (Redmine #7931)
  - Change: Suppress standard services noise on SUSE (Redmine #6968)
  - Reduce verbosity of yum package module (Redmine #7485)
  - cf-runagent: Allow connections to localhost instead of failing silently.
  - Show errors regarding failure to copy extended attributes
    when doing a local file copy. Errors could happen when copying
    across two different mount points where the support for extended
    attributes is different between the mount points.
  - Fix classes being set because of hash collision in the implementation.
    (Redmine #7912)
  - fix build failure on FreeBSD 7.1 (Redmine #7415)
  - Improve logging when managing setuid/setgid
  - Reduce verbosity of apt_get package module (Redmine #7485)
  - packagesmatching() and packageupdatesmatching() should work
    when new package promise is used. (Jira CFE-2246)
  - Fix bug which could render host unable to recover from a
    syntax error, even if failsafe.cf was utilized. This could happen if
    the file containing the syntax error was specified in the def.json
    special file. (Redmine #7961)
  - Prevent crash in cf-execd email code when policy server is not set.
  - In case of networking error, assume checksum is wrong
  - Fix two cases where action_policy warn still produces errors
    (Redmine #7274)
  - Fix bad option nlwp to vzps on Proxmox / OpenVZ. (Redmine #6961)
  - @if minimum_version now correctly ignores lines starting with '@'
    (Redmine #7862)
  - No longer hang when changing permissions/ownership on fifos
    (Redmine #7030)
  - readfile() and read*list() should print an error if they fail to read file.
    (Redmine #7702)
  - The isvariable() function call now correctly accepts all
    array variables when specified inline. Previously it would not accept
    certain special characters, even though they could be specified
    indirectly by using a variable to hold it. (Redmine #7088)
  - Fix file descriptor leak when there are network errors.
  - Improve robustness of process table parsing on Solaris.
    (Jira CFE-2161)
  - Installing packages containing version numbers using yum
    now works correctly. (Redmine #7825)
  - Parse def.json vars, classes and inputs from the C
    code. This fixes a bug where certain entries in this file would be
    parsed too late to have any effect on the evaluation.
    (Redmine #7453, #7615)
  - Change package modules permissions on hub package so that
    hub can execute package promises. (Redmine #7602)
  - Fix: CFEngine choking on standard services (Jira CFE-2086)
  - Fix: cf-upgrade on SUSE
  - Fix: Stop cfengine choking on systemctl output (Jira CFE-2806)
  - storage: Properly initialize the list of current mounts
    (Jira CFE-1803)
  - Fix bug which caused empty emails to be sent from cf-execd
    if there was no previous output log and the new log was fully filtered
    by email filters. (Jira ENT-2739)
  - Don't send empty emails for logs where everything is filtered.
    (Jira ENT-2739)
  - Fix intermittent error message of type:
    "error: Process table lacks space for last columns: <cmd>"
    (Jira CFE-2371)
  - Be less verbose if a network interface doesn't have a MAC address.
    (Jira CFE-1995)

3.8.2:
  Fixes:
  - Update library dependencies to latest version.
    Libraries upgraded:
    - curl 7.47.0
    - LMDB 0.9.18
    - MySQL 5.1.72
    - OpenLDAP 2.4.44
    - OpenSSL 1.0.2g
    - PostgreSQL 9.3.11
    - Redis 3.0.7
    - rsync 3.1.2
    PHP was kept at 5.6.17 because of problems with the 5.6.19 version.
  - Reduce verbosity of apt_get package module (Redmine #7485)
  - Reduce verbosity of yum package module (Redmine #7485)
  - The isvariable() function call now correctly accepts all
    array variables when specified inline. Previously it would not accept
    certain special characters, even though they could be specified
    indirectly by using a variable to hold it. (Redmine #7088)
  - Don't follow symbolic links when copying extended attributes.
  - Fix a bug which sometimes caused package promises to be
    skipped with "XX Another cf-agent seems to have done this since I
    started" messages in the log, most notably in long running cf-agent
    runs (longer than one minute).
    (Redmine #7933)
  - Fix bug which could render host unable to recover from a
    syntax error, even if failsafe.cf was utilized. This could happen if
    the file containing the syntax error was specified in the def.json
    special file. (Redmine #7961)
  - Change: Policy files specified in the "inputs" section of
    def.json will no longer be auto-loaded. One has to refer to the
    $(def.augments_inputs) variable in the policy (the standard
    masterfiles policies include this by default). This only affects
    installations which are not based on the standard masterfiles, and
    which are using the "inputs" field inside def.json. (Redmine #7961)
  - Fix file descriptor leak when there are network errors.
  - Fix cf-serverd error messages with classic protocol clients
    (Redmine #7818)
  - Installing packages containing version numbers using yum
    now works correctly. (Redmine #7825)
  - Fix ps options for FreeBSD to check processes only in current host and not in jails
  - fix build failure on FreeBSD 7.1 (Redmine #7415)
  - Show errors regarding failure to copy extended attributes
    when doing a local file copy. Errors could happen when copying
    across two different mount points where the support for extended
    attributes is different between the mount points.
  - Fix classes being set because of hash collision in the implementation.
    (Redmine #7912)
  - Allow def.json up to 5MB instead of 4K.
  - Fix a regression which would sometimes cause "Permission
    denied" errors on files inside directories with very restricted
    permissions.
    (Redmine #7808)
  - Change: Suppress standard services noise on SUSE (Redmine #6968)

  Changes:
  - Change: classesmatching(): order of classes changed

3.8.1:
  Changes:
  - Upgrade CFEngine dependencies to the following versions:
    - OpenSSL 1.0.2e
    - PCRE 8.38
    - libxml2 2.9.3
    - OpenLDAP 2.4.43
    - libcurl 7.46.0
  - Upgrade LMDB to version 0.9.17. (Redmine #7879)

  Bug fixes:
  - @if minimum_version now correctly ignores lines starting with '@'
    (Redmine #7862)
  - Add guard for binary upgrade during bootstrap (Redmine #7861)
  - Namespaced classes can now be specified on the command line.
  - Fix bad option nlwp to vzps on Proxmox / OpenVZ. (Redmine #6961)
  - Fix two cases where action_policy warn still produces errors
    (Redmine #7274)
  - Parse def.json vars, classes and inputs from the C
    code. This fixes a bug where certain entries in this file would be
    parsed too late to have any effect on the evaluation.
    (Redmine #7453, #7615)
  - Fix HP-UX specific bug that caused a lot of log output to disappear.
  - Check for empty server response in RemoteDirList after decryption
    (Redmine #7908)
  - getvalues() will now return a list also for data containers,
    and will descend recursively into the containers. (Redmine #7116)
  - Define (bootstrap|failsafe)_mode during update.cf when triggered from failsafe.cf
    (Redmine #7861)


3.8.0:
  New features/additions:
  - New feature: Bodies can now inherit attribute values from
    other bodies by specifying "inherit_from" with the name of the body to
    inherit from, plus any arguments it accepts. For example:
      body classes myclasses
      {
        inherit_from => classes_generic("myname");
      }
    (Redmine #4309)
  - Add url_get() function.
      (Redmine #6480)
    - Add @if feature() syntax
      @if feature works like @if minimum_version but allows distinguishing
      between features chosen at compile time.
    - Extend module protocol to create persistent classes.
      To use it, have the module print a line with "^persistence=<minutes>"
      before printing any class names. "persistence=0" goes back to
      non-persistent classes. (Redmine #7302)
    - Add: New results classes body (Redmine #7418)
    - Add: Debug reports in cfe_internal_cleanup_agent_reports
    - Add: Path to svcprop in stdlib
    - Add: masterfiles-stage script to contrib
    - Whitespace is now allowed in class expressions for
      readability, between class names and operators. (Redmine #7152)

    Changes:
    - Change: Clarify bootstrap/failsafe reports
    - Change: Improve in-line docs for internal log maintenance
    - Change: Improve efficiency and debug reports (Redmine #7527)
    - Remove: 3.5 support from masterfiles policy framework
    - Long promiser strings with multiple lines are now
      abbreviated in logs. (Redmine #3964)
    - Change: Reunify Version based policy split
    - Change: Separate binary details from policy update (Redmine #7662)
    - Remove /var/cfengine/cf3.<host>.runlog. (Redmine #6957)
    - Change: sys.libdir and sys.local_libdir to non version specific path
      - sys.libdir now resolves to $(sys.inputdir)/lib
      - sys.local_libdir now resolves to lib (Redmine #7559)
    - Moved the following files to /var/cfengine/log/:
      - /var/cfengine/promise_summary.log
      - /var/cfengine/cfagent.<host>.log
    - Remove: Support for email settings from augments_file (Redmine #7682)

    Bug fixes:
    - It is possible to edit the same value in multiple regions
      of one file. (Redmine #7460)
    - Change package modules permissions on hub package so that
      hub can execute package promises.
      (Redmine #7602)
    - Fix exporting CSV reports through HTTPS. (Redmine #7267)
    - cf-agent, cf-execd, cf-promises, cf-runagent and cf-serverd honor
      multiple -D, -N and -s arguments (Redmine #7191)
    - readfile() and read*list() should print an error if they fail to read file.
      (Redmine #7702)
    - No longer hang when changing permissions/ownership on fifos
      (Redmine #7030)
    - Fix broken HA policy for 3rd disaster-recovery node.
    - Fix: Policy errors for 3.5 and 3.6
    - Mustache templates: Fix {{@}} key when value is not a
      primitive. The old behavior, when iterating across a map or array of
      maps, was to abort if the key was requested with {{@}}. The new
      behavior is to always replace {{@}} with either the key name or the
      iteration position in the array. An error is printed if {{@}} is used
      outside of a Mustache iteration section.
    - Fix build with musl libc. (Redmine #7455)
    - Fixed a bug which could cause daemons not to be killed
      correctly when upgrading or manually running "service cfengine3 stop".
      (Redmine #7193)
    - Fix daemons not restarting correctly on upgrade on AIX.
    - Package promise: Fix inability to install certain packages
      with numbers. (Redmine #7421)
    - Directories should no longer be changed randomly
      into files. (Redmine #6027)
    - Improve cf-serverd's lock contention because of getpwnam()
      call. (Redmine #7643)
    - action_policy "warn" now correctly produces warnings instead
      of various other verbosity levels. (Redmine #7274)
    - If there is an error saving a mustache template file
      it is now logged with log-level error (was inform).
    - The JSON parser now supports unquoted strings as keys.
    - Reduce malloc() thread contention on heavily loaded
      cf-serverd, by not exiting early in the logging function, if no message
      is to be printed.
      (Redmine #7624)
    - Fix a bug which caused daemons not to be restarted on
      upgrade. (Redmine #7528)
    - Include latest security updates for dependencies.
    - Fixed bug which would cause bff and depot packages not to
      run package scripts on removal. (Redmine #7193)
    - Fix upgrade causing error message under systemd because of open ports.
    - Fixed several bugs which prevented CFEngine from loading
      libraries from the correct location. This affected several platforms.
      (Redmine #6708)
    - Legacy package promise: Result classes are now defined if
      the package being promised is already up to date. (Redmine #7399)
    - failsafe.cf will be created when needed. (Redmine #7634)
    - If file_select.file_types is set to symlink and there
      are regular files in the scanned directory, CFEngine no longer
      produces an unnecessary error message. (Redmine #6996)
    - Fix 'AIX_PREINSTALL_ALREADY_DONE.txt: cannot create' error
      message on AIX.
    - Fix package promise not removing dependent packages. (Redmine #7424)
    - Fix: Solaris packages no longer contain duplicate library
      files, but instead symlinks to them. (Redmine #7591)
    - Fix select_class not setting class when used in common bundle with slist.
      (Redmine #7482)
    - Fix "@endif" keyword sometimes being improperly processed
      by policy parser. (Redmine #7413)
    - Fix noise from internal policy to upgrade windows agents
      (Redmine #7456)
    - cfruncommand now works if it contains spaces, with the TLS protocol.
      (Redmine #7405)
    - Fix warning "Failed to parse csv file entry" with certain very long
      commands promises. (Redmine #7400)
    - CFEngine no longer erroneously passes -M to useradd on HP-UX. (Redmine #6734)
    - cf-monitord no longer complains about missing thermal zone files.
      (Redmine #7238)
    - systemd is now detected correctly if it is a symlink (Redmine #7297)
    - TTY detection should be more reliable. (Redmine #7606)


3.7.3
    Fixes:
    - Reduce verbosity of yum package module (Redmine #7485)
    - Reduce verbosity of apt_get package module (Redmine #7485)
    - Upgrade dependencies to latest patch versions.
      Upgraded libraries:
      - curl 7.47.0
      - libxml2 2.9.3
      - LMDB 0.9.18
      - MySQL 5.1.72
      - OpenLDAP 2.4.44
      - OpenSSL 1.0.2g
      - PCRE 8.38
      - PostgreSQL 9.3.11
      - Redis 2.8.24
      - rsync 3.1.2
      PHP was kept at 5.6.17 because of problems with the 5.6.19 version.
    - parse def.json vars, classes, and inputs in C (Redmine #7453)
    - Namespaced classes can now be specified on the command line.
    - getvalues() will now return a list also for data containers,
      and will descend recursively into the containers. (Redmine #7116)
    - @if minimum_version now correctly ignores lines starting with '@'
      (Redmine #7862)
    - Fix definition of classes from augments file
    - Don't follow symbolic links when copying extended attributes.
    - Fix ps options for FreeBSD to check processes only in current host and not in jails
    - Fix cf-serverd error messages with classic protocol clients
      (Redmine #7818)
    - Change: Suppress standard services noise on SUSE (Redmine #6968)
    - The isvariable() function call now correctly accepts all
      array variables when specified inline. Previously it would not accept
      certain special characters, even though they could be specified
      indirectly by using a variable to hold it. (Redmine #7088)
    - Show errors regarding failure to copy extended attributes
      when doing a local file copy. Errors could happen when copying
      across two different mount points where the support for extended
      attributes is different between the mount points.
    - Fix bad option nlwp to vzps on Proxmox / OpenVZ. (Redmine #6961)
    - Fix file descriptor leak when there are network errors.
    - Fix a regression which would sometimes cause "Permission
      denied" errors on files inside directories with very restricted
      permissions. (Redmine #7808)
    - Check for empty server response in RemoteDirList after decryption
      (Redmine #7908)
    - Allow def.json up to 5MB instead of 4K.
    - Add guard for binary upgrade during bootstrap (Redmine #7861)
    - Fix HP-UX specific bug that caused a lot of log output to disappear.
    - Fix a bug which sometimes caused package promises to be
      skipped with "XX Another cf-agent seems to have done this since I
      started" messages in the log, most notably in long running cf-agent
      runs (longer than one minute). (Redmine #7933)
    - Define (bootstrap|failsafe)_mode during update.cf when triggered from failsafe.cf
      (Redmine #7861)
    - Fix two cases where action_policy warn still produces errors
      (Redmine #7274)
    - Fix classes being set because of hash collision in the implementation.
      (Redmine #7912)
    - fix build failure on FreeBSD 7.1 (Redmine #7415)
    - Installing packages containing version numbers using yum
      now works correctly. (Redmine #7825)

    Changes:
    - Change: classesmatching(): order of classes changed


3.7.2:
    Bug fixes:
    - readfile() and read*list() should print an error if they fail to read file.
      (Redmine #7702)
    - Fix 'AIX_PREINSTALL_ALREADY_DONE.txt: cannot create' error
      message on AIX.
    - If there is an error saving a mustache template file
      it is now logged with log-level error (was inform).
    - Change: Clarify bootstrap/failsafe reports
    - Fixed several bugs which prevented CFEngine from loading
      libraries from the correct location. This affected several platforms.
      (Redmine #6708)
    - If file_select.file_types is set to symlink and there
      are regular files in the scanned directory, CFEngine no longer
      produces an unnecessary error message. (Redmine #6996)
    - Fix: Solaris packages no longer contain duplicate library
      files, but instead symlinks to them. (Redmine #7591)
    - cf-agent, cf-execd, cf-promises, cf-runagent and cf-serverd honor
      multiple -D, -N and -s arguments (Redmine #7191)
    - Fix "@endif" keyword sometimes being improperly processed
      by policy parser. (Redmine #7413)
    - It is possible to edit the same value in multiple regions
      of one file.
      (Redmine #7460)
    - Fix select_class not setting class when used in common bundle with slist.
      (Redmine #7482)
    - Fix broken HA policy for 3rd disaster-recovery node.
    - Directories should no longer be changed randomly
      into files. (Redmine #6027)
    - Include latest security updates for 3.7.
    - Reduce malloc() thread contention on heavily loaded
      cf-serverd, by not exiting early in the logging function, if no message
      is to be printed. (Redmine #7624)
    - Improve cf-serverd's lock contention because of getpwnam()
      call. (Redmine #7643)
    - action_policy "warn" now correctly produces warnings instead
      of various other verbosity levels. (Redmine #7274)
    - Change: Improve efficiency and debug reports (Redmine #7527)
    - Change package modules permissions on hub package so that
      hub can execute package promises. (Redmine #7602)
    - No longer hang when changing permissions/ownership on fifos
      (Redmine #7030)
    - Fix exporting CSV reports through HTTPS. (Redmine #7267)
    - failsafe.cf will be created when needed. (Redmine #7634)
    - Mustache templates: Fix {{@}} key when value is not a
      primitive. The old behavior, when iterating across a map or array of
      maps, was to abort if the key was requested with {{@}}. The new
      behavior is to always replace {{@}} with either the key name or the
      iteration position in the array. An error is printed if {{@}} is used
      outside of a Mustache iteration section.
    - Legacy package promise: Result classes are now defined if
      the package being promised is already up to date. (Redmine #7399)
    - TTY detection should be more reliable.
      (Redmine #7606)

    Masterfiles:
    - Add: Path to svcprop in stdlib
    - Add: New results classes body [] (Redmine #7418, #7481)
    - Remove: Support for email settings from augments_file (Redmine #7682)

3.7.1:
    Bug fixes:
    - Fix daemons not restarting correctly on upgrade on AIX. (Redmine #7550)
    - Fix upgrade causing error message under systemd because of open ports.
    - Fix build with musl libc. (Redmine #7455)
    - Long promiser strings with multiple lines are now
      abbreviated in logs. (Redmine #3964)
    - Fixed a bug which could cause daemons not to be killed
      correctly when upgrading or manually running "service cfengine3 stop".
      (Redmine #7193)
    - Package promise: Fix inability to install certain packages
      with numbers.
    - Fix package promise not removing dependent packages. (Redmine #7424)
    - Fix warning "Failed to parse csv file entry" with certain very long
      commands promises. (Redmine #7400)
    - Fix misaligned help output in cf-hub. (Redmine #7273)
    - Augmenting inputs from the augments_file (Redmine #7420)
    - Add support for failover to 3rd HA node located outside cluster.
    - Upgrade all dependencies for patch release.
    - Fix a bug which caused daemons not to be restarted on
      upgrade. (Redmine #7528)

3.7.0:
    New features:
    - New package promise implementation.
      The syntax is much simpler; to try it out, check out the syntax:
          packages:
              "mypackage"
                policy => "absent/present",

                # Optional, default taken from common control
                package_module => apt_get,

                # Optional, will only match exact version. May be
                # "latest".
                version => "32.0",

                # Optional.
                architecture => "x86_64";

    - Full systemd support for all relevant platforms
    - New classes to determine whether certain features are enabled:
      * feature_yaml
      * feature_xml
      For the official CFEngine packages, these are always enabled, but
      packages from other sources may be built without the support.
    - New readdata() support for generic data input (CSV, YAML, JSON, or auto)
    - YAML support: new readyaml() function and in readdata()
    - CSV support: new readcsv() function and in readdata()
    - New string_mustache() function
    - New data_regextract() function
    - eval() can now be called with "class" as the "mode" argument, which
      will cause it to return true ("any") if the calculated result is
      non-zero, and false ("!any") if it is zero.
    - New list_ifelse() function
    - New mapdata() function as well as JSON support in maparray().
    - filestat() function now supports "xattr" argument for extended
      attributes.
    - "ifvarclass" now has "if" as an alias, and "unless" as an inverse
      alias.
    - Ability to expand JSON variables directly in Mustache templates:
      Prefix the name with '%' for multiline expansion, '$' for compact
      expansion.
    - Ability to expand the iteration *key* in Mustache templates with @
    - Canonical JSON output: JSON output has reliably sorted keys so the
      same data structure will produce the same JSON every time.
    - New "@if minimum_version(x.x)" syntax in order to hide future language
      improvements from versions that don't understand them.
    - compile time option (--with-statedir) to
      override the default state/ directory path.
    - Fix error messages/handling in process signalling which no longer
      allowed any signals to fail silently
    - Also enable shortcut keyword for cf-serverd classic protocol, eg to
      simplify the bootstrap process for clients that have different
      sys.masterdir settings (Redmine #3697)
    - methods promises now accepts the bundle name in the promiser string,
      as long as it doesn't have any parameters.
    - In a services promise, if the service_method bundle is not specified,
      it defaults to the promiser string (canonified) with "service_" as a
      prefix. The bundle must be in the same namespace as the promise.
    - inline JSON in policy files: surrounding with parsejson() is now
      optional *when creating a new data container*.
    - New data_expand() function to interpolate variables in a data container.
    - Add configurable network bandwidth limit for all outgoing
      connections ("bwlimit" attribute in "body common control"). To
      enforce it in both directions, make sure the attribute is set on both
      sides of the connection.
    - Secure bootstrap has been facilitated by use of
      "cf-agent --bootstrap HUB_ADDRESS --trust-server=no"
    - Implement new TLS-relevant options (Redmine #6883):
      - body common control: tls_min_version
      - body server control: allowtlsversion
      - body common control: tls_ciphers
      - body server control: allowciphers (preexisting)

    Changes:
    - Improved output format, less verbose, and messages are grouped.
    - cf-execd: agent_expireafter default was changed to 120 minutes
      (Redmine #7113)
    - All embedded databases are now rooted in the state/ directory.
    - TLS used as default for all outgoing connections.
    - process promise now reports kept status instead of repaired if a
      signal is not sent, even if the restart_class is set. The old
      behavior was to set the repaired status whenever the process was not
      running. (Redmine#7216).
    - Bootstrapping requires keys to be generated in advance using cf-key.
    - Disable class set on reverse lookup of interfaces IP addresses.
      (Redmine #3993, Redmine #6870)
    - Define a hard class with just the OS major version on FreeBSD.
    - Abort cf-agent if OpenSSL's random number generator can't
      be seeded securely.
    - Masterfiles source tarball now installs using the usual commands
      "./configure; make install".
    - Updated Emacs syntax highlighting template to support the latest
      syntax enhancements in 3.7.

    Deprecations:
    - Arbitrary arguments to cfruncommand (using "cf-runagent -o") are
      not acceptable any more. (Redmine #6978)
    - 3.4 is no longer supported in masterfiles.

    Bug fixes:
    - Fix server common bundles evaluation order (Redmine#7211).
    - Limit LMDB disk usage by preserving sparse areas in LMDB files
      (Redmine#7242).
    - Fixed LMDB corruption on HP-UX 11.23. (Redmine #6994)
    - Fixed insert_lines failing to converge if preserve_block was used.
      (Redmine #7094)
    - Fixed init script failing to stop/restart daemons on openvz/lxc
      hosts. (Redmine #3394)
    - rm_rf_depth now deletes base directory as advertised. (Redmine #7009)
    - Refactored cf-agent's connection cache to properly differentiate
      hosts using all needed attributes like host and port.
      (Redmine #4646)
    - Refactored lastseen database handling to avoid inconsistencies.
      (Redmine #6660)
    - cf-key --trust-key now supports new syntax to also update the
      lastseen database, so that clients using old protocol will trust
      the server correctly.
    - Fixed a bug which sometimes caused an agent or daemon to kill or stop
      itself. (Redmine #7075, #7244)
    - Fixed a bug which made it difficult to kill CFEngine daemons,
      particularly cf-execd. (Redmine #6659, #7193)
    - Fixed a bug causing systemd not to be detected correctly on Debian.
      (Redmine #7297)
    - "cf-promises -T" will now correctly report the checked out commit,
      even if you haven't checked out a Git branch. (Redmine #7332)
    - Reduce verbosity of harmless errors related to socket timeouts and
      missing thermal zone files. (Redmine #6486 and #7238)

    Masterfiles:

    Added:
    - Support for user specified overriding of framework defaults without
      modifying policy supplied by the framework itself (see
      example_def.json)
    - Support for def.json class augmentation in update policy
    - Run vacuum operation on postgresql every night as a part of
      maintenance.
    - Add measure_promise_time action body to lib (3.5, 3.6, 3.7, 3.8)
    - New negative class guard cfengine_internal_disable_agent_email so
      that agent email can be easily disabled by augmenting def.json

    Changed:
    - Relocate def.cf to controls/VER/
    - Relocate update_def to controls/VER
    - Relocate all controls to controls/VER
    - Only load cf_hub and reports.cf on CFEngine Enterprise installs
    - Relocate acls related to report collection from bundle server
      access_rules to controls/VER/reports.cf into bundle server
      report_access_rules
    - Re-organize cfe_internal splitting core from enterprise specific
      policies and loading the appropriate inputs only when necessary
    - Moved update directory into cfe_internal as it is not generally
      intended to be modified
    - services/autorun.cf moved to lib/VER/ as it is not generally intended
      to be modified
    - To improve predictability autorun bundles are activated in
      lexicographical order
    - Relocate services/file_change.cf to cfe_internal/enterprise. This
      policy is most useful for a good OOTB experience with CFEngine
      Enterprise Mission Portal.
    - Relocate service_catalogue from promises.cf to services/main.cf. It is
      intended to be a user entry.
      This name change correlates with the main
      bundle being activated by default if there is no bundlesequence
      specified.
    - Reduce benchmarks sample history to 1 day.
    - Update policy no longer generates a keypair if one is not found.
      (Redmine: #7167)
    - Relocate cfe_internal_postgresql_maintenance bundle to lib/VER/
    - Set postgresql_monitoring_maintenance only for versions 3.6.0 and
      3.6.1
    - Move hub specific bundles from lib/VER/cfe_internal.cf into
      lib/VER/cfe_internal_hub.cf and load them only if policy_server policy
      if set.
    - Re-organize lib/VER/stdlib.cf from lists into classic array for use
      with getvalues

    Removed:
    - Diff reporting on /etc/shadow (Enterprise)
    - Update policy from promises.cf inputs. There is no reason to include
      the update policy into promises.cf, update.cf is the entry for the
      update policy
    - _not_repaired outcome from classes_generic and scoped_classes generic
      (Redmine: # 7022)

    Fixes:
    - standard_services now restarts the service if it was not already
      running when using service_policy => restart with chkconfig
      (Redmine #7258)


3.6.5:
    Features:
    - Introduced "systemd" hard class. (Redmine #6995)
    - Added paths to dtrace, zfs and zpool on FreeBSD in masterfiles.

    Bug fixes:
    - Fixed build error on certain RHEL5 and SLES10 setups. (Redmine #6841)
    - Fixed a bug which caused dangling symlinks not to be removed.
      (Redmine #6582)
    - Fixed data_readstringarrayidx function not preserving the order of the
      array it's producing. (Redmine #6920)
    - Fixed a bug which sometimes caused CFEngine to kill the wrong daemon
      if both the host and a container inside the host were running
      CFEngine. (Redmine #6906)
    - Made sure the rm_rf_depth bundle also deletes the base directory.
      (Redmine #7009)
    - Fixed monitord reporting wrongly on open ports.
      (Redmine #6926)
    - Skip adding the class when its name is longer than 1024 characters.
      Fixed core dump when the name is too large. (Redmine #7013)
    - Fixed detection of stopped process on Solaris. (Redmine #6946)
    - Fixed infinite loop (Redmine #6992) plus a couple more minor
      bugs in edit_xml promises.

3.6.4:
    Features:
    - Introduced users promises support on HP-UX platform.
    - Introduced process promises support on HP-UX platform.

    Bug fixes:
    - Fixed bug on FreeBSD which sometimes led to the wrong process being
      killed (Redmine #2330)
    - Fixed package version comparison sometimes failing with rpm package
      manager (Redmine #6807)
    - Fixed a bug in users promises which would sometimes set the wrong
      password hash if the user would also be unlocked at the same time.
    - Fixed a bug on AIX which would occasionally kill the wrong process.
    - Improved error message for functions that require an absolute path.
      (Redmine #6877)
    - Fixed some spelling errors in examples.
    - Fixed error in out-of-tree builds when building cf-upgrade.
    - Fixed a bug which would make cf-agent exit with an error if it was
      built with a custom log directory, and that directory did not exist.
    - Fixed ordering of evaluating promises when depends_on is used.
      (Redmine #6484, Redmine #5462)
    - Skip non-empty directories silently when recursively deleting.
      (Redmine #6331)
    - Fix memory exhaustion with list larger than 4994 items.
      (Redmine # 6672)
    - Fix cf-execd segfault on IP address detection (Redmine #6905).
    - Fix hard class detection of RHEL6 ComputeNode (Redmine #3148).

3.6.3
    New features:
    - support for HP-UX 11.23 and later
    - experimental support for Red Hat Enterprise Linux 7

    Bug fixes:
    - fix getindices on multi-dimensional arrays (Redmine #6779)
    - fix mustache template method to run in dryrun mode (Redmine #6739)
    - set mailto and mailfrom settings for execd in def.cf (Redmine #6702)
    - fix conflation of multi-index entries in arrays (Redmine #6674)
    - fix promise locking when transferring using update.cf (Redmine #6623)
    - update JSON parser to return an error on truncation (Redmine #6608)
    - fix sys.hardware_addresses not expanded (Redmine #6603)
    - fix opening database txn /var/cfengine/cf_lastseen.lmdb:
      MDB_READERS_FULL when running cf-keys --show-hosts (Redmine #6602)
    - fix segfault (Null pointer dereference) when select_end in
      delete_lines never matches (Redmine #6589)
    - fix max_file_size => "0" not disabling or allowing any size
      (Redmine #6588)
    - fix ifvarclass, with iteration over list, failing when deleting
      files with time condition (Redmine #6577)
    - fix classes defined with "or" constraint are never set if any value
      doesn't evaluate to a scalar (Redmine #6569)
    - update "mailfrom" default in default policy (Redmine #6567)
    - fix logrotate ambiguity of filename (Redmine #6563)
    - fix parsing JSON files (Redmine #6549)
    - reduce write count activity to /var partition (Redmine #6523)
    - fix files delete attribute incorrectly triggering promise_kept
      (Redmine #6509)
    - update services bundle output related to chkconfig when run in
      inform mode.
      (Redmine #6492)
    - fix Solaris serverd tests (Redmine #6406)
    - fix broken behaviour of merging arrays with readstringarray
      (Redmine #6369)
    - fix ifelapsed bug with bundle nesting (Redmine #6334)
    - fix handling cf_null in bundlesequence (Redmine #6119)
    - fix maparray reading whole input array when using subarray
      (Redmine #6033)
    - fix directories being randomly changed to files (Redmine #6027)
    - update defaults promise type to work with classes (Redmine #5748)
    - systemd integration in services promises (Redmine #5415)
    - fix touch attribute ignoring action = warn_only (Redmine #3172)
    - fix 4KB string limit in functions readfile, string_downcase,
      string_head, string_reverse, string_length, string_tail,
      string_upcase (Redmine #2912)

3.6.2
    Bug fixes:
    - don't regenerate software_packages.csv every time (Redmine #6441)
    - improve verbose message for package_list_command
    - fix missing log output on AIX (Redmine #6434)
    - assorted fixes to dirname() esp on Windows (Redmine #4716)
    - fix package manager detection
    - fix build issues on FreeBSD
    - allow copying of dead symbolic links (Redmine #6175)
    - preserve order in readstringarrayidx (Redmine #6466)
    - fix passing of unexpanded variable references to arrays
      (Redmine #5893)
    - use entries for new {admin,deny}_{ips,hostnames} constraints in
      the relevant legacy lists (Redmine #6542)
    - cope with ps's numeric fields overflowing to the right
    - interpret failing function calls in ifvarclass as class not set
      (Redmine #6327)
    - remove unexpanded lists when extending lists (Redmine #6541)
    - infer start-time of a process from elapsed when needed
      (Redmine #4094)
    - fix input range definition for laterthan() function (Redmine #6530)
    - don't add trailing delimiter when join()'ing lists ending with a
      null-value (Redmine #6552)
    - 9999999999 (ten 9s) or
      higher has been historically used as an upper
      bound in CFEngine code and policy but because of overflow on 32-bit
      platforms it caused problems with big numbers. Fixed in two ways:
      first change all existing policy uses to 999999999 (nine 9s instead
      of eleven 9s), second fix the C code to not wrap-around in case of
      overflow, but use the LONG_MAX value (Redmine #6531).
    - cf-serverd and other daemons no longer reload their configuration
      every minute if CFEngine is built with an inputs directory outside
      of the work directory (not the default). (Redmine #6551)

3.6.1
    New features:
    - Introduced Solaris and AIX support into the 3.6 series, with many associated build and
      bug fixes.

    Changes:
    - Short-circuit evaluation of classes promises if class is already set (Redmine #5241)
    - fix to assume all non-specified return codes are failed in commands promises (Redmine #5986)
    - cf-serverd logs reconfiguration message to NOTICE (was INFO) so that it's always logged in syslog

    Bug fixes:
    - File monitoring has been completely rewritten (changes attribute in files promise), which
      eliminates many bugs, particularly regarding files that are deleted. Upgrading will keep
      all monitoring data, but downgrading again will reinitialize the DB, so all files will be
      reported as if they were new.
(Redmine #2917) 1892 - $(this.promiser) expands in files promises for 'transformer', 'edit_template', 1893 'copy_from.source', 'file_select.exec_program', 'classes' and 'action' bodies 1894 (Redmine #1554, #1496, #3530, #1563) 1895 - 'body changes' notifies about disappeared files in file monitoring (Redmine #2917) 1896 - Fixed CFEngine template producing a zero sized file (Redmine #6088) 1897 - Add 0-9 A-Z _ to allowed context of module protocol (Redmine #6063) 1898 - Extend ps command column width and prepend zone name on Solaris 1899 - Fixed strftime() function on Solaris when called with certain specifiers. 1900 - Fixed users promise bug regarding password hashes in a NIS/NSS setup. 1901 - Fixed $(sys.uptime), $(sys.systime) and $(sys.sysday) in AIX. (Redmine #5148, #5206) 1902 - Fixed processes_select complaining about "Unacceptable model uncertainty examining processes" (Redmine #6337) 1903 - ps command for linux has been changed to cope with big rss values (Redmine #6337) 1904 - Address ps -axo shift on FreeBSD 10 and later (Redmine #5667) 1905 - methods and services promises respect action_policy => "warn" (Redmine #5924) 1906 - LMDB should no longer deadlock if an agent is killed on the hub while holding the DB lock. 1907 Note that the change only affects binary packages shipped by CFEngine, since the upstream 1908 LMDB project has not yet integrated the change. (Redmine #6013) 1909 19103.6.0 1911 1912 Changes: 1913 - Changes to logging output 1914 - add process name and pid in syslog message (GitHub #789) 1915 - cf-serverd logging levels are now more standardised: 1916 - INFO logs only failures 1917 - VERBOSE logs successful requests as well 1918 - DEBUG logs actual protocol traffic. 1919 - cf-serverd now logs the relevant client IP address on 1920 each message. 1921 - Logging contexts to local database (cf_classes.tcdb) has been deprecated. 
        - 'usebundle' promisees are logged for all the bundle promises
        - output from 'reports' promises has nothing prefixed except 'R: '
        - a log line with stack path is generated when the promise type evaluated changes
    - LMDB (symas.com/mdb) is the default database for local data storage: use version 0.9.9 or later
      cf-agent --self-diagnostics (-x) is only implemented for TCDB, not for LMDB
    - port argument in readtcp() and selectservers() may be a
      service name (e.g. "http", "pop3").
    - Enable source file in agent copy_from promises to be a relative path.
    - file "changes" reporting now reports with log level "notice", instead of "error".
    - process_results default to AND'ing of set attributes if not specified (Redmine #3224)
    - interface is now canonified in sys.hardware_mac[interface] to align with
      sys.ipv4[interface] (Redmine #3418)
    - cf-promises no longer errors on missing bodies when run without --full-check (-c)
    - Linux flavor "SUSE" now correctly spelled with all uppercase in variables and class names
      (Redmine #3734). The "suse" lowercase version is also provided for convenience (Redmine #5417).
    - $(this.promise_filename) and $(..._dirname) variables are now absolute paths. (Redmine #3839)
    - including the same file multiple times in 'body control inputs' is not an error
    - portnumber in body copy_from now supports service names like
      "cfengine", "pop3" etc, check /etc/services for more.
    - The failsafe.cf policy, run on bootstrap and in some other
      unusual cases, has been extracted from C code into libpromises/failsafe.cf
    - masterfiles
        - cf_promises_validated is now in JSON format
            - timestamp key is timestamp (sec since unix epoch) of last time validated
        - the masterfiles now come from https://github.com/cfengine/masterfiles and are
          not in the core repository
    - cf-serverd calls cf-agent with -Dcfruncommand when executing cf-runagent requests
    - Mark as removed: promise_notkept_log_include, promise_notkept_log_exclude, promise_repaired_log_include,
      promise_repaired_log_exclude, classes_include, classes_exclude, variables_include,
      variables_exclude attributes from report_data_select body (syntax is valid but not functional).
      They have been replaced by the following attributes: promise_handle_include,
      promise_handle_exclude, metatags_include, metatags_exclude.

    New features:
    - New promise type "users" for managing local user accounts.
    - TLS authentication and fully encrypted network protocol.
      Additions specific to the new type of connections:
        - New attribute "allowlegacyconnects" in body server control,
          which enables serving policy via non-latest cfengine protocol,
          to the given list of hosts. If the option is absent, it
          defaults to allow all hosts. To refuse non-TLS connections,
          specify an empty list.
        - New attribute "protocol_version" in body copy_from, and body
          common control, which defines the preferred protocol for
          outgoing connections. Allowed values at the moment: "0" or
          "undefined", "classic" or "1", "latest" or "2". By leaving the
          copy_from option as undefined the common control option is
          used, and if both are undefined then classic protocol is used
          by default.
        - The new networking protocol uses TLS for authentication,
          after which all dialog is encrypted within the established
          TLS session. cf-serverd is still able to speak the legacy
          protocol with old agents.
        - The 'skipverify' option in 'body server control' is
          deprecated and only left for compatibility; it does
          nothing
        - cf-serverd does not hang up the connection if some request
          fails, so that the client can add more requests.
        - For the connections using the new protocol, all of the
          paths in bundle server access_rules now differentiate
          between a directory and a file using the trailing
          slash. If the path exists then this is auto-detected and
          trailing slash appended automatically. You have to append
          a trailing slash manually to a nonexistent or symbolic
          path (e.g. "/path/to/$(connection.ip)/") to force
          recursive access.
    - New in 'access' promises for 'bundle server access_rules'
        - Attributes "admit_ips", "admit_hostnames", "admit_keys",
          "deny_ips", "deny_hostnames", "deny_keys"
            - "admit_keys" and "deny_keys" add the new functionality
              of controlling access according to host identity,
              regardless of the connecting IP.
        - For these new attributes, regular expressions
          are not allowed, only CIDR notation for "admit/deny_ips", exact
          "SHA=..." strings for "admit/deny_keys", and exact hostnames
          (e.g. "cfengine.com") or subdomains (starting with dot,
          e.g. ".cfengine.com") for "admit/deny_hostnames". Same rules
          apply to 'deny_*' attributes.
        - These new constraints and the paths in access_rules, can contain
          special variables "$(connection.ip)", "$(connection.hostname)",
          "$(connection.key)", which are expanded dynamically for every
          received connection.
        - For connections using the new protocol, "admit" and "deny"
          constraints in bundle server access_rules are being phased
          out, preferred attributes are now "admit_ips", "deny_ips",
          "admit_hostnames", "deny_hostnames", "admit_keys",
          "deny_keys".
        - New "shortcut" attribute in bundle server access_rules used to
          dynamically expand non-absolute request paths.
    - masterfiles
        - standard library split: lib/3.5 (compatibility) and lib/3.6 (mainline)
        - many standard library bundles and bodies, especially packages- and file-related,
          were revised and fixed
        - supports both Community and Enterprise
        - new 'inventory/' structure to provide OS, dmidecode, LSB, etc. system inventory
          (configured mainly in def.cf)
        - cf_promises_release_id contains the policy release ID which is the GIT HEAD SHA
          if available or hash of tree
        - a bunch'o'bundles to make starting with CFEngine easier:
            - file-related: file_mustache, file_mustache_jsonstring, file_tidy, dir_sync, file_copy,
              file_link, file_hardlink, file_empty, file_make
            - packages-related: package_absent, package_present, package_latest,
              package_specific_present, package_specific_absent, package_specific_latest, package_specific
            - XML-related: xml_insert_tree_nopath, xml_insert_tree, xml_set_value, xml_set_attribute
            - VCS-related: git_init, git_add, git_checkout, git_checkout_new_branch,
              git_clean, git_stash, git_stash_and_clean, git_commit, git
            - process-related: process_kill
            - other: cmerge, url_ping, logrotate, prunedir
    - New command line options for agent binaries
        - New options to cf-promises
            - '--show-classes' and '--show-vars'
            - '--eval-functions' controls whether cf-promises should evaluate functions
        - Colorized output for agent binaries with command line option '--color'
          (auto-enabled if you set CFENGINE_COLOR=1)
    - New language features
        - New variable type 'data' for handling of structured data (i.e. JSON),
          including supporting functions:
            - 'data_readstringarray' - read a delimited file into a data map
            - 'data_readstringarrayidx' - read a delimited file into a data array
            - 'datastate' - create a data variable with currently set classes and variables
            - 'datatype' - determine the type of the top element of a container
            - 'format' - %S can be used to serialize 'data' containers into a string
            - 'mergedata' - merge two data containers, slists/ilists/rlists, or "classic"
              arrays into a data container
            - 'parsejson' - create a data container from a JSON string
            - 'readjson' - create a data container from a file that contains JSON
            - 'storejson' - serialize a data container into a string
            - Most functions operating on lists can also operate on data containers
            - pass a data container to a bundle with the @(container) notation
            - the module protocol accepts JSON for data containers with the '%' sigil
        - Tagging of classes and variables allows annotating of language construct with
          meta data; supporting functionality:
            - The module protocol in 'commands' promises has been extended to allow setting
              of tags of created variables and classes, and the context of created variables
            - 'getclassmetatags' - returns list of meta tags for a class
            - 'getvariablemetatags' - returns list of meta tags for a variable
        - 'body file control' has an 'inputs' attribute to include library files and other
          dependencies
        - bundlesequences can be built with bundlesmatching() based on bundle name and tags
    - New attributes in existing promise types and bodies
        - New option 'preserve_all_lines' for insert_type in insert_lines promises
        - Caching of expensive system functions to avoid multiple executions of
          execresult() etc, can be controlled via cache_system_functions attribute in
          body common control
        - New option 'mailsubject' in body executor control allows defining the subject
          in emails sent by CFEngine
        - Support for Mustache templates in 'files' promises; use 'template_method' and
          'template_data' attributes. Without 'template_data' specified, uses datastate().
    - New and improved functions
        - 'bundlesmatching' - returns list of defined bundles matching a regex and tags
        - 'canonifyuniquely' - converts a string into a unique, legal class name
        - 'classesmatching' - returns list of set classes matching a regex and tags
        - 'eval' - evaluates mathematical expressions; knows SI k, m, g quantifiers, e.g. "100k"
        - 'findfiles' - list files matching a search pattern; use "**" for recursive searches
        - 'makerule' - evaluates whether a target file needs to be rebuilt from sources
        - 'max', 'min' - returns maximum and minimum of the numbers in a container or list
          (sorted by a 'sort' method)
        - 'mean' - returns the mean of the numbers in a container or list
        - 'nth' - learned to look up by key in a data container holding a map
        - 'packagesmatching' - returns a filtered list of installed packages.
        - 'readfile' - learned to read system files of unknown size like those in /proc
        - 'sort' - can sort lexicographically, numerically (int or real), by IP, or by MAC
        - 'string_downcase', 'string_upcase' - returns the lower-/upper-case version of a
          string
        - 'string_head', 'string_tail' - returns the beginning/end of a string
        - 'string_length' - returns the length of a string
        - 'string_reverse' - reverses a string
        - 'string_split' - improved implementation, deprecates 'splitstring'
        - 'variablesmatching' - returns a list of variables matching a regex and tags
        - 'variance' - returns the variance of numbers in a list or container
    - New hard classes
        - Introduced alias 'policy_server' for context 'am_policy_hub' (the latter will
          be deprecated)
        - all the time-based classes have GMT equivalents
    - New variables
        - 'sys.bindir' - the location of the CFEngine binaries
        - 'sys.failsafe_policy_path' - the location of the failsafe policy file
        - 'sys.inputdir' - the directory where CFEngine searches for policy files
        - 'sys.key_digest' - the digest of the host's cryptographic key
        - 'sys.libdir', 'sys.local_libdir' - the location of the CFEngine libraries
        - 'sys.logdir' - the directory where the CFEngine log files are saved
        - 'sys.masterdir' - the location of masterfiles on the policy server
        - 'sys.piddir' - the directory where the daemon pid files are saved
        - 'sys.sysday' - the number of days since the beginning of the UNIX epoch
        - 'sys.systime' - the number of seconds since the beginning of the UNIX epoch
        - 'sys.update_policy_path' - the name of the update policy file
        - 'sys.uptime' - the number of minutes the host has been online
        - 'this.promise_dirname' - the name of the file in which the current promise
          is defined
        - 'this.promiser_uid' - the ID of the user running cf-agent
        - 'this.promiser_gid' - the group ID of the user running cf-agent
        - 'this.promiser_ppid' - the ID of the parent process running cf-agent

    Deprecations:
    - 'splitstring' - deprecated by 'string_split'
    - 'track_value'
    - 'skipverify'

    Bug fixes: for a complete list of fixed bugs, see Redmine at https://cfengine.com/dev
    - various fixes in evaluation and variable resolution
    - Improve performance of list iteration (Redmine #1875)
    - Removed limitation of input length to internal buffer sizes
    - directories ending with "/" are not ignored
    - lsdir() always returns a list now, never a scalar
    - 'abortclasses' fixed to work in common bundles and other cases
    - namespaced 'edit_line' bundles now work (Redmine #3781)
    - lists are interpolated in correct order (Redmine #3122)
    - cf-serverd reloads policies properly when they change
    - lots of leaks (memory and file descriptor) fixed

3.5.3
    Changes:
    - Improved security checks of symlink ownership. A symlink created by a user pointing
      to resources owned by a different user will no longer be followed.
    - Changed the way package versions are compared in package promises. (Redmine #3314)
      In previous versions the comparison was inconsistent. This has been fixed, but may
      also lead to behavior changes in certain cases. In CFEngine 3.5.3, the comparison
      works as follows:
          <package-being-considered> <package_select> <package_version>
      For instance:
          apache-2.2.31 ">=" "2.2.0"
      will result in the package being installed.

    Bug fixes:
    - fix cf-monitord crash due to incorrect array initialization (Redmine #3180)
    - fix cf-serverd stat()'ing the file tree every second (Redmine #3479)
    - correctly populate sys.hardware_addresses variable (Redmine #2936)
    - add support for Debian's GNU/kfreebsd to build system (Redmine #3500)
    - fix possible stack corruption in guest_environments promises (Redmine #3552)
    - work-around hostname truncation in HP-UX's uname (Redmine #3517)
    - fix body copy purging of empty directories (Redmine #3429)
    - make discovery and loading of avahi libraries more robust
    - compile and packaging fixes for HP-UX, AIX and Solaris
    - fix fatal error in lsdir() when directory doesn't exist (Redmine #3273)
    - fix epoch calculation for stime inrange calculation (Redmine #2921)

3.5.2
    Bug fixes:
    - fix delayed abortclasses checking (Redmine #2316, #3114, #3003)
    - fix maplist arguments bug (Redmine #3256)
    - fix segfaults in cf-promises (Redmine #3173, 3194)
    - fix build on Solaris 10/SmartOS (Redmine #3097)
    - sanitize characters from /etc/issue in sys.flavor for Debian (Redmine #2988)
    - Fix segfault when dealing with files or data > 4K (Redmine #2912, 2698)
    - Don't truncate keys to 126 characters in getindices (Redmine #2626)
    - files created via log_* actions now have mode 600 (Redmine #1578)
    - fix wrong log message when a promise is ignored due to 'ifvarclass' not matching
    - fix lifetime of persistent classes (Redmine #3259)
    - fix segfault when process_select body had no process_result attribute
      Default to AND'ed expression of all specified attributes (Redmine #3224)
    - include system message in output when acl promises fail
    - fix invocation of standard_services bundle and corresponding promise compliance (Redmine #2869)

3.5.1

    Changes:
    - file changes are logged with log level Notice, not Error
    - the CFEngine Standard Library in masterfiles/libraries is now split into
      promise-type specific policy files, and lives in a version-specific directory.
      This should have no impact on current code, but allows more granular include of
      needed stdlib elements (Redmine #3044)

    Bug fixes:
    - fix recursive copying of files (Redmine #2965)
    - respect classes in templates (Redmine #2928)
    - fix timestamps on Windows (Redmine #2933)
    - fix non-root cf-agent flooding syslog (Redmine #2980)
    - fix email flood from cf-execd due to timestamps in agent output (Redmine #3011)
    - Preserve security context when editing or copying local files (Redmine #2728)
    - fix path for sys.crontab on redhat systems (Redmine #2553)
    - prevent incorrect "insert_lines promise uses the same select_line_matching anchor" warning (Redmine #2778)
    - Fix regression of setting VIPADDRESS to 127.0.0.1 (Redmine #3010)
    - Fix "changes" promise not receiving status when file is missing (Redmine #2820)
    - Fix symlinks being destroyed when editing them (Redmine #2363)
    - Fix missing "promise kept" status for the last line in a file (Redmine #2943)

3.5.0

    New features:
    - classes promises now take an optional scope constraint.
    - new built-in functions: every, none, some, nth, sublist, uniq, filter
        - every
        - none
        - some
        - nth
        - sublist
        - uniq
        - filter
        - classesmatching
        - strftime
        - filestat
        - ifelse
        - maparray
        - format
    - cf-promises flag --parse-tree is replaced by --policy-output-format=, requiring the
      user to specify the output format (none, cf, json)
    - cf-promises allows partial check of policy (without body common control) without integrity check;
      --full-check enforces integrity check
    - agent binaries support JSON input format (.json file as generated by cf-promises)
    - cf-key: new options --trust-key/-t and --print-digest/-p
    - Class "failsafe_fallback" is defined in failsafe.cf when main policy contains errors and
      failsafe is run because of this
    - add scope attribute for body classes (Redmine #2013)
    - Better diagnostics of parsing errors
    - Error messages from parser now show the context of error
    - new cf-agent option: --self-diagnostics
    - new output format, and --legacy-output
    - warnings for cf-promises.
    - Enable zeroconf-discovery of policy hubs for automatic bootstrapping
      if Avahi is present
    - Support for sys.cpus on more platforms than Linux & HPUX

    Changes:
    - parser no longer allows ',' after promiser or promisee. must be either ';' or lval
    - Make parser output in GCC compatible format the only supported format
      (remove --gcc-brief-format flag)

    - Silence license warnings in Enterprise Free25 installations
    - action_policy => "warn" causes not_kept classes to be set on promise needing repair.
    - command line option version (-V) now prints a shorter parsable version without graphic
    - implicit execution of server and common bundles taking arguments is skipped in cf-serverd.
    - WARNING: option --policy-server removed, require option to --bootstrap instead
    - process promises don't log if processes are out of range unless you
      run in verbose mode
    - reports promises are now allowed in any context (Redmine #2005)
    - cf-report has been removed
    - cf-execd: --once implies --no-fork
    - Version info removed from mail subject in the emails sent by cf-execd.
      The subject will only contain "[fqname/ipaddress]" instead of "communnity/nova [fqname/ipaddress]"
      Please change your email filters accordingly if necessary.
    - "outputs" promise type is retired. Their semantics was not clear, and the functionality
      is better suited for control body setting, not a promise.
    - Tokyo Cabinet databases are now automatically checked for
      correctness during opening. It should prevent a number of issues
      with corrupted TC databases causing binaries to hang.
    - Improved ACL handling on Windows, which led to some syntax changes. We now consistently
      use the term "default" to describe ACLs that can be inherited by child objects. These
      keywords have received new names:
          acl_directory_inherit -> acl_default
          specify_inherit_aces -> specify_default_aces
      The old keywords are deprecated, but still valid. In addition, a new keyword
      "acl_inherit" controls inheritance behavior on Windows. This feature does not exist on
      Unix platforms. (Redmine #1832)
    - Networking code is moved from libpromises to its own library,
      libcfnet. Work has begun on making the API more sane and thread-safe.
      Lots of legacy code was removed.
    - Add getaddrinfo() replacement in libcompat (borrowed from PostgreSQL).
    - Replace old deprecated and non thread-safe resolver calls with
      getaddrinfo() and getnameinfo().
    - Hostname2IPString(), IPString2Hostname() are now thread-safe, and are
      returning error when resolution fails.
    - Running cf-execd --once now implies --no-fork, and also does not wait
      for splaytime to pass.
    - execresult(), returnszero() and commands promises no longer require the first
      word to be an absolute path when using the shell. (Part of Redmine #2143)
    - commands promises useshell attribute now accepts "noshell" and "useshell" values. Boolean
      values are accepted but deprecated. (Part of Redmine #2143)
    - returnszero() now correctly sets the class name in this scenario (Part of
      Redmine #2143):
          classes:
            "commandfailed" not => returnszero("/bin/nosuchcommand", "noshell");

    Bugfixes:
    - bundles are allowed to be empty (Redmine #2411)
    - Fixed '.' and '-' not being accepted by a commands module. (Redmine #2384)
    - Correct parsing of list variables by a command module. (Redmine #2239)
    - Fixed issue with package management and warn. (Redmine #1831)
    - Fixed JSON crash. (Redmine #2151)
    - Improved error checking when using fgets(). (Redmine #2451)
    - Fixed error message when deleting nonexistent files. (Redmine #2448)
    - Honor warn-only when purging from local directory. (Redmine #2162)
    - Make sure "restart" and "reload" are recognized keywords in packages. (Redmine #2468)
    - Allocate memory dynamically to avoid out-of-buffer or out-of-hash
      situations
    - fix edit_xml update of existing attributes (Redmine #2034)
    - use failsafe policy from compile-time specified workdir (Redmine #1991)
    - ifvarclass checked from classes promises in common bundles
    - do not wait for splaytime when executing only once
    - disable xml editing functionality when libxml2 doesn't provide necessary APIs (Redmine #1937)
    - Out-of-tree builds should work again, fixed a bunch of related bugs.
    - Fixed race condition in file editing. (Redmine #2545)
    - Fixed memory leak in cf-serverd and others (Redmine #1758)

3.4.5 (Bugfix and Stability release)

    Bugfixes:

    - make qualified arrays expand correctly (Redmine #1998, Mantis #1128)

    - correct possible errors in tcdb files when opening

    - avoid possible db corruption when mixing read/write and cursor operations

    - Allow umask value of 002 (Redmine #2496)

3.4.4 (Bugfix and Stability release)

    Bugfixes:

    - prevent possible crash when archiving files (GitHub #316)

    - don't create symlinks to cf-know in update policy

    - don't enable xml support if libxml2 is too old (Redmine #1937)

3.4.3 (Bugfix and Stability release)

    Bugfixes:

    - Don't flood error messages when processes are out of defined range

    - prevent segmentation fault in cf-monitord -x (Redmine #2021)

    - when copying files, use same file mode as source file, rather than 0600 (Redmine #1804)

    - include xpath in messages generated by edit_xml operations (Redmine #2057)

3.4.2 (Bugfix and Stability release)

    Bugfixes:

    - Fixes to policies in masterfiles (see masterfiles/Changelog for details)

    - Fixes for OpenBSD (GitHub #278)

    - Do not canonify values specified in abortbundleclasses/abortclasses (Redmine #1786)

    - Fix build issues on NetBSD, SLES 12.2

    - Improve error message when libxml2 support is not compiled (Redmine #1799)

    - fix potential segmentation fault when trimming network socket data (GitHub #233)

    - fix potential segmentation fault when address-lookups in lastseen db failed (GitHub #233)

    - execute background promise serially when max_children was reached, rather
      than skipping them (GitHub #233)

    - fix segmentation fault in cf-promises when invoked with --reports (Redmine #1931)

    - fix compilation with Sun Studio 12 (Redmine #1901)

    - silence type-pun warning when building on HP-UX (GitHub #287)

3.4.1 (Bugfix and Stability release)

    New feature/behavior:

    - cf-execd terminates agent processes that are not responsive
      for a configurable amount of time (see agent_expireafter in body
      executor control), defaulting to 1 week

    Bugfixes:

    - fix regression of classmatch() failing with hard classes (Redmine #1834)

    - create promise-defined and persistent classes in correct
      namespace (Redmine #1836)

    - several fixes to namespace support

    - fix several crash bugs caused by buffer overflow and race
      conditions in cf-serverd

    - regenerate time classes in cf-execd for each run (Redmine #1838)

    - edit_xml: fix select_xpath implementation and update documentation
      NOTE: code that uses select_xpath_region needs to be changed to
      select_xpath

    - edit_xml: make sure that text-modification functions don't overwrite
      child nodes

    - edit_xml: improve error logging

3.4.0

    New features:

    - Added rpmvercmp utility to compare versions of RPM packages for
      accurate sorting of RPM packages for packages promises.

    - Implement network timeout on server side to avoid keeping stale
      connections for hours.

    - XML editing capabilities. See the documentation for edit_xml
      body. Note the new dependency: libxml2.

    - Implement inheritance of local classes by bundles called using
      "usebundle". By default classes are not inherited. See the
      examples/unit_inherit.cf for an example.

    - Moved from Nova/Enterprise:
        - POSIX ACL support,
        - "outputs" promise type,
        - remote syslog support.

    - packages_default_arch_command hook in packages promises, to
      specify default architecture of the packages on the system.

    - packages_version_less_command / packages_version_equal_command hooks
      in packages promises, to specify external command for native package
      manager versions comparison

    - agent_expireafter in body executor control allows you to set a
      timeout on all cf-agent runs, to enforce a threshold on the
      number of concurrent agents

    - Running in Solaris zone is now detected and classes "zone" and
      "zone_<name>" are created in this case.

    - VirtualBox support added to guest_environment promises.

    - guest_environment promises are supported under OS X.

    - The "depends_on" attribute is now active, for the partial ordering
      of promises. If a promise depends on another (referred by handle)
      it will only be considered if the depends_on list is either kept
      or repaired already.

      ** WARNING: When upgrading, make sure that any existing use
         of depends_on does not cause some promises to be
         unintentionally ignored. This can happen if you are
         currently referring to non-existent or never-run handles
         in depends_on attributes.

    - methods return values, initial implementation

    - New format for cf-key -s, includes timestamp of last connection

    - cf-promises --parse-tree option to parse policy file and dump it
      in JSON format

    - Namespaces support for bundles and bodies. See the
      examples/unit_namespace*.cf for the usage.

    - Default arguments for bundles. See the examples/unit_defaults.cf

    - Metadata promise type. See the examples/unit_meta.cf

    New semantics:

    - Methods promises now return the status of promises
      kept within them. If any promise was not kept, the method is not
      kept, else if any promise is repaired, the method was repaired
      else it was kept.
    - Remote variable access in namespaces by $(namespace:bundle.variable)

    Changed functionality:

    - cf-execd -F switch no longer implies 'run once'. New -O/--once
      option is added to achieve this behaviour. This makes cf-execd
      easier to run from systemd, launchd and other supervision
      systems.

    Misc:

    - Support for the following outdated platforms and corresponding
      classes has been removed. De facto those platforms were
      unsupported for a long time, as CFEngine codebase uses C99
      language features unavailable on old platforms:

        - SunOS 3.x (sun3)
        - SunOS 4.x (sun4)
        - Ultrix (ultrix)
        - DEC OSF/1 AXP (osf)
        - Digital UNIX (digital)
        - Sony NEWS (newsos)
        - 4.3BSD (bsd4_3)
        - IRIX (irix, irix4, irix64)
        - IBM Academic Operating System (aos)
        - BSD/OS / BSDi / BSD/386 (bsdos)
        - NeXTSTEP (nextstep)
        - GNU Hurd (gnu)
        - NEC UX/4800 (ux4800)

    - (Old news) Since 3.3.0 the layout of CFEngine Community packages
      has changed slightly.

      cf-* binaries have been moved to /var/cfengine/bin, due to the
      following reasons:

        - cf-* binaries are linked to libraries installed to
          /var/cfengine/lib, so placing binaries in /usr/local/sbin does not
          increase reliability of the CFEngine,

        - keeping whole CFEngine under single prefix (/var/cfengine)
          makes packaging simpler,

        - it matches the layout of CFEngine Enterprise packages.

      Please adjust your policies (the recommended ways to deal with
      the move are either to adjust $PATH to include /var/cfengine or to
      create symlinks in /usr/local/sbin in case you are relying on
      binaries to be available in $PATH).

    - Workdir location is properly changed if --prefix or --enable-fhs
      options are supplied to configure (Mantis #1195).

    - Added check for broken libmysqlclient implementations (Mantis #1217).

- Standard library is updated from COPBL repository.

- cf-know is no longer built in Community releases. The only
  functionality useful in Community, namely the reference manual
  generation, is provided by new compile-time cf-gendoc tool.

- Filename (for storing filechanges) changed
  from file_change.log -> file_changes.log (in /var/cfengine/state)

  New format for storing file changes introduced:
  [timestamp,filename,<N/C/S/R>,Message]

  N = New file found
  C = Content Changed
  S = Stats changed
  R = File removed

- Acceptance test suite passes on Mac OS X.

- Changed some port numbers to replace old services with imap(s)

- archlinux hard class on Arch Linux.

- Detect BSD Make and automatically switch to GNU Make during build.

Bugfixes:

- cfruncommand for cf-execd is an arbitrary shell command now (Mantis #1268).
- Fixed broken "daily" splayclasses (Mantis #1307).
- Allow filenames up to 4096 bytes in network transfers (Redmine #1199).
- Fix stale state preserved during cf-serverd reload (Redmine #1487).
- Free disk space calculation is fixed (Mantis #1120).
- Numerous portability bugfixes (especially OpenBSD, Solaris, AIX-related).
- Compatibility fixes for AIX, HP-UX, Solaris (Mantis #1185, Mantis #1177, Mantis #1109).
- Fixed broken socklen_t configure check under OpenBSD (Mantis #1168).
- Fixed hang in cf-promises under OpenBSD (Mantis #1113).
- Fixed endless loop in evaluating "$()" construct (Mantis #1023).
- Fixed check for old PCRE versions (Mantis #1262).
- Fixed insertion of multi-line blocks at the start of file (Mantis #809).
- Fixed numerous memory leaks.
- Fixes for metadata that were not resolvable
- Fixes for namespaces that would not support metadata and variable expansion
- Point-to-point network interfaces are detected and reported by CFEngine (Mantis #1246)
- Partial non-GNU userspace support in acceptance testsuite (Mantis #1255)

Full list of issues fixed is available on
https://cfengine.com/bugtracker/changelog_page.php (old bug tracker)
and https://cfengine.com/dev/projects/core/versions/34 (new bug tracker)

3.3.9 (Bugfix and Stability release)

Bugfixes:

- Do not lose hard classes in cf-serverd during policy reload
  (Mantis #1218).
- Implement receive network timeout in cf-serverd. Prevents
  overloading cf-serverd with stale connections.

3.3.8 (Bugfix and Stability release)

Versions 3.3.6, 3.3.7 were internal and weren't released.

Bugfixes:

- Properly set sys.domain variable if hostname is fully-qualified.
- Fixed several small memory leaks.
- Make network timeout for network reads configurable. Previously
  it was hardcoded to be 30 seconds, which was not enough for
  cf-runagent invoking cf-agent on big policies (Mantis #1028).

3.3.5 (Bugfix and Stability release)

Bugfixes:

- Fixed cf-execd memory leak on hosts with cf-monitord running.
- Robustify against wrongly-sized entries in embedded databases.

Standard library:

- Bugfixes from upstream COPBL repository.
- standard_services bundle from upstream COPBL repository.


3.3.4 (Bugfix and Stability release)

Evaluation of policies:

- Fix wrong classes set after installation of several packages
  using packages promises (Mantis #829).
- Fix segfault using edit_template on existing file (Mantis #1155).

Misc:

- Fix memory leak during re-read of network interfaces'
  information in cf-execd/cf-serverd.

3.3.3 (Bugfix and Stability release)

Evaluation of policies:

- Zero-length files are valid for readfile() and similar functions
  (Mantis #1136).
- Unchoke agent in case it encounters symlinks in form ./foo
  (Similar to Mantis #1117).

Misc:

- Fix generation of reference manual on machines with umask more
  relaxed than 022.
- Use statvfs(3) on OpenBSD to obtain filesystem information
  (Mantis #1135).

3.3.2 (Bugfix and Stability release)

Evaluation of policies:

- Do not segfault if file copy was interrupted due to network
  connectivity or server going away (Mantis #1089).
- Do not segfault if log_failed attribute is present in body, but
  log_kept is not (Mantis #1107).
- Do not mangle relative paths in symlinks during file copy.
  Previously symlink a -> b was mangled to a -> ./b.
  (Mantis #1117)
- Properly compare 1.0 and 1.0.1 in packages promises. Previously
  only versions with an equal number of "segments" were comparable
  (Mantis #890, #1066).

Base policy:

- Properly set permissions on files for /var/cfengine/lib on HP-UX
  (Mantis #1114).
- Standard library (cfengine_stdlib.cf) is synced with COPBL
  repository.

Misc:

- Do not create huge file in case corrupted TokyoCabinet database
  is detected (Mantis #1106).
- Fix file descriptor leak on error paths, may have caused crashes
  of cf-execd and cf-serverd (Issue #1096).
- Fix intermittent segfault in cf-execd (Mantis #1116).
- Impose an upper limit on the number of listening sockets reported by
  cf-monitord. Huge numbers of listening sockets caused cf-agent to
  segfault on next run (Mantis #1098).
- Add function prototypes whose absence caused errors during compilation
  on HP-UX (Mantis #1109).
- Fix compilation on Solaris 11 (Mantis #1091).

3.3.1 (Bugfix and Stability release)

Evaluation of policies:

- Do not cut off name of bundle in variables interpolation (Mantis #975).
- Do not segfault in function evaluation guarded by ifvarclass clause (Mantis #1084, #864).
- Do not segfault if "classes" promise does not declare any value to be evaluated (Mantis #1074).
- Do not segfault in database promises if there is no
  database_operation provided (Mantis #1046).

Built-in functions:

- Fix countclassesmatching() function which was misbehaving trying
  to match classes starting with alphanumeric symbol (Mantis #1073).
- Fix diskfree() to return kilobytes, as described in documentation (Mantis #980, #955).
- Fix hostsseen() function to avoid treating all hosts as not
  being seen since 1970 (Mantis #886).
- Do not output misleading error message if readtcp() is unable to connect (Mantis #1085).

Command-line interface:

- -d option previously required an argument, though help message disagreed (Mantis #1053).
- Disable --parse-tree option, not ready for the release (Mantis #1063).
- Accept -h as a --help option.
- Ensure that cf-execd can be started right after being shut down.

Misc:

- Plug file descriptor leak after failed file copy (Mantis #990).
- Fix unsafe admit rules in default promises.cf (Mantis #1040).
- Fix splaytime to match documentation: it is specified in minutes, not seconds (Mantis #1099).

Packaging:

- Fix owner/group of initscript and profile.d snippet in RPM builds (Mantis #1061, #1058).
- Fix location of libvirt socket CFEngine uses to connect to libvirtd (Mantis #1072).
- Install CoreBase to /var/cfengine/masterfiles during installation (Mantis #1075).
- Do not leave old cf-twin around after upgrade (Mantis #1068)
- Do not leave rcS.d symlinks after purging .deb package (Mantis #1092).

3.3.0

New promise types:
- Guest environments promises, which allow manipulating virtual
  machines using libvirt.
- Database promises, which allow maintaining the schema of MySQL and
  PostgreSQL databases. Database promises are in "technical preview"
  status: this promise type is subject to change in future.
- Services promises for Unix, allows abstraction of details
  on managing any service

New built-in functions:
- dirname() to complement lastnode()
- lsdir()
- maplist() to apply functions over lists

New features:
- Allow defining arrays from modules.
- Allow both 'process_stop' and 'signals' constraints in
  'processes' promises at the same time.
- cf-promises --gcc-brief-format option to output warnings and
  errors in gcc-compatible syntax, which eases use of the "go to next
  error" feature of text editors.
- Iteration over lists is now allowed for qualified (non-local) lists.

New built-in variables and classes (Linux):
- Number of CPUs: $(sys.cpus), 1_cpu, 2_cpus etc

New built-in variables and classes (Unices):
- $(sys.last_policy_update) - timestamp when last policy change was seen by host
- $(sys.hardware_addresses) - list of MAC addresses
- $(sys.ip_addresses) - list of IP addresses
- $(sys.interfaces) - list of network interfaces
- $(sys.hardware_mac[$iface]) - MAC address for network interface
- mac_<mac_address>:: - discovered MAC addresses

Changes:

- Major cleanup of database handling code. Should radically decrease
  amount of database issues experienced under heavy load.

  *WARNING*: Berkeley DB and SQLite backends are *removed*, use
  Tokyo Cabinet or QDBM instead. Both Tokyo Cabinet and QDBM are
  faster than Berkeley DB in typical CFEngine workloads.

  Tokyo Cabinet requires C99 environment, so it should be
  available on every contemporary operating system.

  For the older systems QDBM, which relies only on C89, is a
  better replacement, and deemed to be as portable as Berkeley DB.

- Change of lastseen database schema. Should radically decrease
  I/O contention on lastseen database.

- Automatic reload of policies by cf-execd.
- Documentation is generated during build, PDF and HTML files are
  retired from repository.
- Rarely used feature retired: peer connectivity intermittency calculation.
- Memory and CPU usage improvements.
- Testsuite now uses 'make check' convention and does not need root
  privileges anymore.
- cf_promises_validated now filled with timestamp, allows digest-copy
  for policy instead of mtime copy which is safer when clocks are unsynchronised
- The bundled failsafe.cf policy now has trustkey=false to avoid IP spoofing
  attacks in default policy
- See the full list of bugfixes at
  https://cfengine.com/bugtracker/changelog_page.php

3.2.4 (Bugfix and Stability release)

Fixed failure in network transfer in case of misbehaving peer

A few tiny memory leaks on error paths fixed

3.2.3 (Bugfix and Stability release)

A few tiny memory leaks fixed

Improved performance of cf-serverd under heavy load with
TokyoCabinet database

Full list of issues fixed is available on
https://cfengine.com/bugtracker/changelog_page.php

3.2.2 (Bugfix and Stability release)

Enabled compilation in "large files" mode under AIX

Alleviated problem with broken file transfers over unstable
Internet links.

Full list of issues fixed is available on
https://cfengine.com/bugtracker/changelog_page.php

3.2.1 (Bugfix and Stability release)

Fixed compilation under HP-UX and Solaris

Enabled compilation using HP ANSI C compiler

Full list of issues fixed is available on
https://cfengine.com/bugtracker/changelog_page.php

3.2.0
New bootstrap method with single-command bootstrapping:
- cf-agent --bootstrap --policy-server 123.456.789.123
- Associated policy template files are added, partially maintained
  by CFEngine

Bug fixes for file-editing, package versioning, and embedded
database corruption (We recommend using TokyoCabinet instead of
BerkeleyDB if building from source).

Improved upgrade path for Nova.

Patches for improved run-agent concurrency

Reorganization of documentation and community resources

100% on regression test suite on 3 operating systems
(Ubuntu, Debian, SuSE on x86-64 hardware)

Support for multiple release environments

package_policy update and addupdate now check if user-supplied
version is larger than currently installed - updates only if so

Help text of cf-report -r corrected - a list of key hashes is
required, not IP addresses.

New Emacs mode for CFEngine policy files (thanks to Ted Zlatanov!)

Warnings on edit_line changes can now give a greater degree of information
without spamming promise logs

Class expressions parser accepts '||' as an alias for '|' again.

Invalidation of package list cache on installation/removal of
packages.

New option cf-key -r to remove host key by IP or hostname.

Added detection of network interfaces which belong to BSD jails.

Improve robustness of multi-threaded code, in particular fix
problems with spurious access denials in server and loss of
authentication rules after policy reload.

cf-promises accepts option -b matching cf-agent, which causes it
not to complain about missing bundlesequence.

New functions and(), not(), or() and concat() to ease use of
ifvarclass() clause.

Full list of issues fixed is available on
https://cfengine.com/bugtracker/changelog_page.php

3.1.5
New class parser, '||' is no longer allowed in expressions (use '|').

Class setting in the promise types insert_lines, delete_lines,
replace_patterns, field_edits, vars, classes is restored.

suspiciousnames implemented.

New function getvalues().

New functions parse{read,int,string}array to match read{read,int,string}array.

Testsuite added to check for core functionality.

Syslog prefix is fixed to say 'cf3' instead of 'community'.

3.1.4 (Bugfix and Stability release)

Some urgent patches to 3.1.3.
Class validation parse bug fixed.
Global zone handling error for solaris fixed.
Package architectures handled correctly (bug #456).
Reading and writing of key name "root-.pub" eliminated (bug #442, #453).
cf-serverd crash because of race condition on SERVER_KEYSEEN fixed.
Lock purging to avoid remnant complexity explosion (bug #430).
Some copyright notices added that got lost.

3.1.3 (Stability release)

Major memory leaks in cf-monitord, cf-execd, cf-serverd fixed (bug #427).
The daemons now show no growth even with very complex policies.

cf-serverd crash due to race condition in DeleteScope() fixed (bug #406).

Added 30 second timeout on recv() on Linux.

package_noverify_returncode implemented (bug #256).

A flexible mechanism for setting classes based on return codes of
commands has been introduced. Allows for setting promise kept,
repaired or failed based on any return codes. This is currently
implemented for commands-promises, package-manager commands and
transformer in files. In classes body, see attributes
kept_returncodes, repaired_returncodes, failed_returncodes (bug
#248, #329).

New function ip2host - reverse DNS lookup (bug #146).

3.1.2 (Scalability/efficiency release)

Big efficiency improvements by caching output from
cf-promises. Can also be used for much more efficient policy
deployment (only pull if changed).

Caching state of ps command for greater efficiency. Reloaded for each bundle.

Index class lookup improves efficiency of class evaluation for huge configurations.

Fixed issue where certain promiser strings got corrupted.

Minor memory access issues fixed.

Iterator bug introduced in 3.1.0 fixed

3.1.1 (Bugfix release)

Memory leaks in server tracked down and fixed.
List expansion bug (one list items not executed) fixed.
Security issue introduced by change of runcommand shell policy fixed. If users defined a runcommand for cf-runagent/cf-serverd communication, it was possible to execute commands.
cf-key -s command for showing key hash/IP address identity pairs

3.1.0
Change in storage of public keys. Cfengine now hashes the public key and uses this
as the keyname. Keys will be converted automatically.

The old dynamic addresses lists are deprecated.
Caching of dns and key information for greater server speed.
Change in last-seen format reflects the public key usage.

New package policy addupdate - installs package if not there and
updates it otherwise.

Support for package_changes => "bulk" in file repository as well.

New special function readstringarrayidx, similar to readstringarray,
but uses integer indices. Very useful if first row elements are
not good identifiers (e.g. contains spaces, non-unique, etc.).

Change two log formats to use time() instead of date()
- filechanges
- total compliance

Change from using md5 to sha256 as default digest for commercial version,
community retains md5 for compat.

Commands not returning 0 in commands-promises are flagged
as repair_failed.

Adjustable timeout on connect(). Defaults to 10 seconds, adjustable
with default_timeout in agent control.

Redesign of the knowledge map infrastructure.

Now possible to use variables to call methods, e.g.

  methods:

    "name $(list)" usebundle => $(list)("abc");

See reference manual notes

Changes to normal ordering to optimize execution.

Increased stability by always initializing Attribute and Promise
structures.

When running cf-promises in dry-run mode (-n), the user does not need
to put binaries in WORKDIR/bin. For example, non-privileged users can verify root
policies.

Source control revision added in version string if run in verbose mode
(e.g. "cf-promises -vV"). This needs some refining, uses revision of a header now.

New semantics in return values of list functions. Null values are now allowed
and there is no iteration over empty lists. The value "cf_null" is reserved for
use as a null iterator.

3.0.5p1
Showing paths allowed/denied access to when cf-serverd is run in verbose mode.
Bug in server fixed for dynamic addresses.
File handle closure bugfix - too many open databases.
Seg fault in mount files fix.
Twin used in cf-execd without checking.
Check_root set wrong directory permissions at source not destination.
Error message degraded in body definition.
Undefined body not warned as error.
Various build enhancements.
Package_list_update called only once per manager, and fixed crash.
Version number bug in packages.

3.0.5
Encryption problems fixed - client key buffer was uninitialized.

Classes-promisers are now automatically canonified when class
strings are defined, to simplify the use of variables in classes.

New scalars sys.cf_version and sys.nova_version that hold Cfengine version information.

Attribute package_delete_convention added, to allow customizable
package name in delete command during update.

package_list_update_ifelapsed limit added.

Private variable $(firstrepo) is available in package_name_convention
and package_delete_convention in order to expand the full path to
a package, which is required by some managers.

Some of the threading code is rewritten and made more robust. This includes
synchronizing access to the lastseen database from the server.

Bad initialization of BSD flags fixed
Multiple variable expansion issues in control fixed for server and agent
Allow ignore_missing_bundles to affect methods: bundles too
Run agent trust dialogue fixed

Bug in CPU monitoring, increasing time scale caused linear decay
of CPU measurement.

Bug in Setuid log storage, fix.

Hooks added for new Nova virtualization promises.

Multithreading mutex failed to collide during cfservd leading to dropped authentication under heavy load.


3.0.4
Class cancellation in promises to create better class feedback,
allows emulation of switch/case semantics etc

Value of SA measurement promises

Special function getenv() which returns the contents of an
environment variable (on all platforms).
New function translatepath for generic Windows
New function escape() to escape literals as regular expressions (like SQL)
New function host2ip for caching IP address lookup
New function regextract for setting variables with backreferences

New variables for the components $(sys.cf_agent), $(sys.cf_know) etc
pointing to the binaries.

More robust integrated database implementation; closing all
handles when receiving signals, self-healing on corruption.

Package installation on localhost without a manager like yum completed,
multiple repositories searched, and universal methods.

Numerous bugfixes


3.0.3
sha256 .. new hashes in openssl included in syntax tree.

End of line autocropping in readfile (hopefully intelligent)

hashmatch function incorrectly implemented - old debugging code left behind. Fix.

sys.crontab variable

Unknown user is now interpreted as "same user", so that we give cfengine a chance to
fix

Unregistered addresses no longer report "(Non registered IP)", but return as the address
itself when doing reverse lookups.

3.0.2
IMPORTANT: Change in normal ordering of editing. replace comes
after insert lines. Much testing and minor bug fixing

Memory leaks fixed
Many hooks added for Nova enterprise extensions.

promise_output reports now placed in WORKDIR/reports directory

Initialization correction and self-correx in monitord

Many new body constraints added.

Code readied for enterprise version Nova.

-b option can override the bundlesequence (must not contain parameters yet)

collapse_destination_dir option added to copy so that files can be
aggregated from subdirectories into a single destination.

Preparation for release:
unit_accessed_before.cf x
unit_accumulated_time.cf x
unit_acl.cf x
unit_acl_generic.cf x
unit_ago.cf x
unit_arrays.cf x
unit_backreferences_files.cf x
unit_badpromise.cf x
unit_badtype.cf x
unit_bsdflags.cf x
unit_cf2_integration.cf x
unit_changedbefore.cf x
unit_change_detect.cf x
unit_chdir.cf x
unit_classes_global.cf x
unit_classmatch.cf x
unit_classvar_convergence.cf x
unit_compare.cf x
unit_controlclasses.cf x
unit_control_expand.cf x
unit_copy.cf x
unit_copy_edit.cf x
unit_copylinks.cf x
unit_createdb.cf x
unit_create_filedir.cf x
unit_definitions.cf x
unit_deletelines.cf x
unit_disable_and_rotate_files.cf x
unit_dollar.cf x
unit_edit_column_files.cf x
unit_edit_comment_lines.cf x
unit_edit_deletenotmatch.cf x
unit_edit_insert_lines.cf x
unit_edit_insert_lines_silly.cf x
unit_edit_replace_string.cf x
unit_edit_sectioned_file.cf x
unit_edit_setvar.cf x
unit_edit_triggerclass.cf x
unit-env.cf x
unit_epimenides.cf x
unit_exec_args.cf x
unit_execd.cf x
unit_exec_in_sequence.cf x
unit_execresult.cf x
unit_expand.cf x
unit_failsafe.cf x
unit_file_change_detection.cf x
unit_fileexists.cf x
unit_file_owner_list_template.cf x
unit_fileperms.cf x
unit_filesexist2.cf x
unit_filesexist.cf x
unit_getgid.cf x
unit_getindices.cf x
unit_getregistry.cf x
unit_getuid.cf x
unit_global_list_expansion_2.cf x
unit_global_list_expansion.cf x
unit_groupexists.cf x
unit_hash.cf x
unit_hashcomment.cf x
unit_hashmatch.cf x
unit_helloworld.cf x
unit_hostrange.cf x
unit_intarray.cf x
unit_iprange.cf x
unit_irange.cf x
unit_isdir.cf x
unit_islink.cf x
unit_isnewerthan.cf x
unit_isplain.cf x
unit_isvariable.cf x
unit_iteration.cf x
unit_knowledge_txt.cf x
unit_lastnode.cf x
unit_ldap.cf x
unit_linking.cf x
unit_literal_server.cf x
unit_locate_files_and_compress.cf x
unit_log_private.cf x
unit_loops.cf x
unit_measurements.cf x
unit_method.cf x
unit_method_validate.cf x
unit_module_exec_2.cf
unit_module_exec.cf
unit_mount_fs.cf x
unit_neighbourhood_watch.cf x
unit_null_config.cf x
unit_occurrences.cf x
unit_ordering.cf x
unit_package_apt.cf x
unit_package_hash.cf x
unit_package_rpm.cf x
unit_package_yum.cf x
unit_package_zypper.cf x
unit_parallel_exec.cf x
unit_pathtype.cf x
unit_pattern_and_edit.cf x
unit_peers.cf x
unit_postfix.cf x
unit_process_kill.cf x
unit_process_matching2.cf x
unit_process_matching.cf x
unit_process_signalling.cf x
unit_readlist.cf x
unit_readtcp.cf x
unit_regarray.cf x
unit_registry.cf x
unit_regline.cf x
unit_reglist.cf x
unit_remove_deadlinks.cf x
unit_rename.cf x
unit_report_state.cf x
unit_reporttofile.cf x
unit_returnszero.cf x
unit_select_mode.cf x
unit_select_region.cf x
unit_selectservers.cf x
unit_select_size.cf x
unit_server_copy_localhost.cf x
unit_server_copy_remote.cf x
unit_server_copy_purge.cf x
unit_splitstring.cf x
unit_sql.cf x
unit_storage.cf x
unit_strcmp.cf x
unit_stringarray.cf x
unit_syslog.cf x
unit_template.cf x
unit_tidy_all_files.cf x
unit_user_edit.cf x
unit_user_edit_method.cf x
unit_userexists.cf x
unit_varclass.cf x
unit_vars.cf x
unit_warnifline.cf x
unit_webserver.cf x


3.0.1
First standalone release, independent of cfengine 2
Purge old definitions and check consistency.

NB: changed search_mode to be a list of matching values

Reporting rationalized in cf-promises with -r only to avoid
leaving output files everywhere.

Hooks added for upcoming commercial additions to cfengine.

Added classify() and hostinnetgroup() functions
Added additional change management options for change detection

Package management added - generic mechanisms.

Limits on backgrounding added to avoid resource contention during cfengine runs.
Image type added to cf-know.

New classes for quarterly shifts: Morning,Afternoon,Evening,Night

Bug fixes in editfiles - line insertion for multiple line objects

Change the name of the variables and context from the monitord for
better separation of data, and shorter names. sys -> mon
average -> av, stddev -> dev

canonical name for windows changed from "nt" to "windows", also version names
added "vista","xp" etc.

License notices updated for dual license editions.

3.0.0
First release of cfengine 3. Known omissions:
- no support for ACLs
- no support for packages
- no support for interface configuration
These will be added in the next release.