CFEngine Tools and Utilities

Below you’ll find a set of tools that we find very useful while cfengineering. Any comments or feedback can be posted either on or using our contact emailĀ


cf-keycrypt is a small utility written in C that can encrypt/decrypt file contents using CFEngine cryptographic keys. This is ideal when you eg. want to add an extra layer of client or client group security when distributing passwords, certificates, keys etc. It can also write to stdout so that you can read file data into variables execution time and the unencrypted data only exists in memory (no need for intermediate storage).

The source code is available here:


# ./cf-keycrypt -o - -i /var/cfengine/inputs/secret.dat -d /var/cfengine/ppkeys/localhost.priv


cf-profile is a small Perl script that parses verbose output from cf-agent, records timing and prints an execution tree.

The source code is available here:


# /var/cfengine/bin/cf-agent -v | ./


cf-runwrapper simple Bourne shell script functioning as a wrapper for cf-agent executions. This is especially useful to control cf-runagent behavior as it gives many options to activate different parts of the policy. To make it work you will need to make the following configurations.

In body server control:

cfruncommand => "/var/cfengine/libexec/";

In bundle server access_rules():

    admit => { "$(sys.policy_hub)" };

The source code is available here:

Example for running failsafe remotely in non-dryrun and no-lock mode with verbose output using cf-runagent:

/var/cfengine/bin/cf-runagent -H -o "-b FAILSAFE_VERBOSE_NODRYRUN_NOLOCK"

Example for running promises remotely in non-dryrun and no-lock mode with inform output and defining class class1 using cf-runagent:

/var/cfengine/bin/cf-runagent -H -o "-b PROMISES_QUIET_NODRYRUN_NOLOCK -D class1"

For this to work you will also need to distribute the shell script to the appropriate location, which is easily done with CFEngine itself.