- Releasing 1.6.3
- In version 1.6.3 of cfengine, there is an important upgrade to use
BerkeleyDB version 3. The new Berekely databases are NOT compatible with
the old, but new GNU/Linux distributions are shipping with the new
databases. No way around this, everyone has to upgrade and this happens in
1.6.3. In addtition to recompiling cfengine, you must use a different
database file, since the data format itself has changed.
- Cfengine 2 workshop
- This will be held at LISA2001 in San Diego, USA, December
2001. Everyone interested in discussing and learning about the plans for
cfengine 2 are welcome to sign up, by visiting the conference site at usenix.
- SANS CAUTH security alert
- A buffer overflow problem in the cfd daemon could lead to a denial of service
attack. In some versions it could be possible to execute arbitrary code.
This does not apply to cfengine, only the daemon cfd.
Version 1.6.0.a11 is an alpha snaphot of cfengine 1.6.0 which fixes
all known vulnerabilities. All users are recommended to upgrade
to this version. This version is fully compatible with cfengine/cfd version 1.5.x.
It is compatible with cfengine version 1.x.x, but versions of cfd prior to
1.5.x are not compatible should be upgraded with care.
- Cfengine 2
- After the release of 1.6.0, later this year,
there will be large changes to cfengine. I intend to review
communication with other software/the system
In order to improve on cfengine, and still preserve its important
features it will be necessary to make radical changes to some
of the internals, particularly parsing. I would therefore welcome
suggestions for changes/improvements. Please think about this
and when you have thought VERY carefully about all of the ramifications
let the list know your ideas. Note: I am not thinking about
new options to existing comands here, but major changes to modus operandi.
Before submitting your idea, ask yourself: is this something
general for everyone, or some weird thing that I would like
for myself? I will be the final adjudicator of what cfengine
2 will be like.
At the end of august I shall be inviting interested parties
to take part in a meeting to discuss the plans for cfengine 2.
So put your thinking caps on and think carefully before
I am open to all suggestions, but my first priority is to preserve cfengine
as a too for research.
- New documentation project for cfengine, Feb 18, 2000
- Contribute your own hints and tips for other users, in a searchable
how. Or write an article about some special topic to add to the documentation.
- Cfengine version 1.5.4 released 1 Feb 2000
- Several security issues dealt with, such as improved protection
from denial of service attacks.
- Cfengine version 1.5.0 released
- This version of cfengine focusses on security and
efficiency. Several new features have been added to network
communication by cfd:
Other things like Tripwire functionality for md5 checksums
has been added for convenience.
- Encrypted transfers
- Better authentication (by user)
- More efficient transfers over single connection
- Regular expression libraries use Posix extended regular expressions.
This means that you might have to make changes to escape characters
in your configuration files in order for them to run.
- User authentication based on pidentd and key exchange for secure lines
- Allow DES-encrypted communication between client and server.
- Remote copy protocol semantics will are not compatible with 1.4.x,
owing optimizations which should improve performance on large transfers.
- This version also works on NT, using the cygwin-32
libraries available from http://www.cygnus.com
Please be careful installing this version of cfengine, even if you
have been following the beta versions. There are changes in threading
policy and protocol which make remote file transfers much more
efficient and reliable with cfd. The new threading policy makes
it impossible to support the old protocol simultenously. If you rely
on cfd for all copying, then upgrading should be done with caution.
If you only have a few hosts, upgrading by hand should not be
difficult, but if you have many, you might want to think about this:
Here are some hints for a safe upgrade.
This should take care of all hosts which are alive. If any hosts
are down, they will not be upgraded and they will not be able
to speak to cfd when they come up again, unless they read
cfengine from an NFS server.
- Copy the new cfengine files to NEWcfengine NEWcfd NEWcfrun
and make sure that they are all copied to every host before
- At some time of day or night when no remote copying is taking
place, use a process command in cfengine to kill the old
cfd, then move the NEW files to cfengine, cfd and cfrun
and restart cfd.
The port to NT has been done with my two students: Bjoern Gustafson
and Joergen Kjensli.
Cfengine 1.5.0 will compile and run on Windows NT, if you
have the cygwin32 Free Software installed. Some documentation
about the port will be available soon, including tips on
the configuration of cygwin.
Cfengine can set ACLs on files, but will not work
correctly on directories yet. This will be fixed
shortly, a long with some reasonable documentation.
We have not had sufficient opportunity to test cfengine
on NT, at the College, since we do not use NT for any real
tasks, so please treat this as beta quality software and
work somewhat defensively. It should be possible for us
to test it more next year.
As of 1.5.0 cfengine requires a posix regular expression library.
In most modern systems this will work automatically, but on old legacy
systems it might cause problems compiling. If your host does not
support regcomp() and regexec(), regex.h, you should collect
the GNU regular expression library (excerpted from the C library)
or later. This should cure the problem.
On solaris machines I have experienced trouble
with header files getting mixed up. rxposix.h and regex.h.
You should probably not install the GNU library on a solaris
machine, where the regex library seems to work well.
On NT with the cygwin32 library, it was necessary to compile
GNU librx on the system. The existing regex functions compiled
but did not work.
You can arrange to encrypt transferred files by symmetric
cipher, if you have the SSLeay-0.9.0 libraries installed.
The secure=true option instigates encrypted transfer.
A new program cfkey can be used to generate a key file
cfkey > /var/run/cfengine/keys
cfkey > /etc/cfengine/keys
which must then be distributed to all participating hosts.
The server can REQUIRE hosts to perform encrypted transfer
with secure=true in cfd.conf.
The handling of the network interface has grown increasingly
difficult. Apart from the fact the internet sockets and ioctl
calls are amongst the ugliest, actually disgusting, APIs I have
ever encountered, many OSes are going over to routing sockets
which I do not know anything about, so this will have to wait.
If anyone who understands the new route structures for routing
sockets would like to send me a patch to read and set routes
netmasks and brodcast addresses, I would be for ever grateful.
Return to GNU's home page.
Please send FSF & GNU inquiries & questions to
There are also other ways to
contact the FSF.
Please send comments on these web pages to
send other questions to
Copyright (C) 2001 Free Software Foundation, Inc.,
59 Temple Place - Suite 330, Boston, MA 02111, USA
Verbatim copying and distribution of this entire article is
permitted in any medium, provided this notice is preserved.
$Date: 2001/07/20 07:06:26 $ $Author: brett $