[
{
"path": ".gitignore",
"content": "# Ignore paths from OS X\n.DS_Store\n"
},
{
"path": "ANNOUNCEMENT.md",
"content": "# The Future of Ægir 3 is Bryght!\n*Announcement from Omega8.cc*\n\nOmega8.cc is now the lead developer team for Ægir 3 running on BOA (Barracuda-Octopus-Ægir stack). We want to thank all past contributors who brought Ægir to life – your work makes today’s progress possible. Because of you, there is still a Bryght Future for Ægir.\n\n![\"Ægir-Sector\"](\"https://github.com/user-attachments/assets/8d444437-6931-481c-b0f7-66c09a953413\")
\n\n## What to Expect\n\n- **Active maintenance and development**: Ægir 3 on BOA is alive and under active development. [See Adam’s comments here](https://www.drupal.org/project/hostmaster/issues/3517915).\n- **Migration made easier**: We are working to make it simple to migrate entire legacy Ægir instances (Apache or Nginx) into self-hosted BOA as Octopus Ægir.\n- **Standalone Ægir with BOA features**: We are doing our best to enable many BOA-derived features within Ægir standalone, so users can pick their flavour without adopting the full BOA stack.\n- **Modern compatibility**: The BOA-based fork already supports **Drupal 11** and **PHP 8.4**, using vanilla **Drush 13** for site installs and updates while still relying on forked and improved **Drush 8** for daily operations.\n\n## Development & Community\n\nDevelopment of BOA stack components continues here on GitHub:\n👉 https://github.com/omega8cc/boa\n\nAt the same time, we continue to leverage the Drupal.org issue queues so **the community effort continues there** too, and all BOA improvements can be systematically **backported**.\n\nÆgir is still very much alive, and together we can keep its **Bryght** Future shining!\n"
},
{
"path": "BARRACUDA.sh.txt",
"content": "#!/bin/bash\n\n\n###----------------------------------------###\n###\n### Barracuda Ægir Installer\n###\n### Copyright (C) 2009-2026 Omega8.cc\n### noc@omega8.cc www.omega8.cc\n###\n### This program is free software. You can\n### redistribute it and/or modify it under\n### the terms of the GNU GPL as published by\n### the Free Software Foundation, version 2\n### or later.\n###\n### This program is distributed in the hope\n### that it will be useful, but WITHOUT ANY\n### WARRANTY; without even the implied\n### warranty of MERCHANTABILITY or FITNESS\n### FOR A PARTICULAR PURPOSE. See the GNU GPL\n### for more details.\n###\n### You should have received a copy of the\n### GNU GPL along with this program.\n### If not, see http://www.gnu.org/licenses/\n###\n### Code: https://github.com/omega8cc/boa\n###\n###----------------------------------------###\n\nexport PATH=/usr/local/bin:/usr/local/sbin:/opt/local/bin:/usr/bin:/usr/sbin:/bin:/sbin:/usr/libexec\nexport SHELL=/bin/bash\n\n###\n### Software versions\n###\n_ADMINER_VRN=4.8.1\n_BZR_VRN=2.6.0\n_CGP_VRN=master-22-07-2020\n_CHIVE_VRN=1.3\n_COMPOSER_VRN=2.8.2\n_CSF_VRN=15.00\n_CURL_VRN=8.20.0\n_DB_SRC=repo.percona.com\n###\n###\n_DRUSH_ELEVEN_VRN=11.6.0.9\n_DRUSH_TEN_VRN=10.6.2.9\n_DRUSH_EIGHT_VRN=8.5.0.5\n_DRUSH_EIGHT_TEST_VRN=8.5.0-force\n###\n###\n_GEOS_VRN=3.7.1\n_GIT_VRN=2.51.0\n_GOACCESS_VRN=1.9.4\n_ICU_LEGACY_VRN=52_2\n_ICU_MODERN_VRN=73-1\n_IMAGE_MAGICK_VRN=7.1.1-7\n_IMAGICK_OLD_VRN=3.1.2\n_IMAGICK_VRN=3.8.1\n_IONCUBE_VRN=15.0.0\n_JETTY_7_VRN=7.6.17.v20150415\n_JETTY_8_VRN=8.1.17.v20150415\n_JETTY_9_VRN=9.2.16.v20160414\n_JSMIN_PHP_LEGACY_VRN=2.0.1\n_JSMIN_PHP_MODERN_VRN=3.1.0\n_LIB_TIDY_VRN=5.2.0\n_LIB_YAML_VRN=0.2.5\n_LOGJ4_VRN=1.2.17\n_LSHELL_VRN=0.10\n_MAILPARSE_VRN=2.1.6\n_NEW_RELIC_VRN=12.6.0.34\n_NODE_VRN=v22.21.0\n_MONGO_VRN=1.6.14\n_MONGODB_VRN=1.2.5\n_MSS_VRN=master-29-06-2024\n_MYQUICK_VRN_ONE=0.19.3-3\n_MYQUICK_VRN_TWO=0.21.3-2\n_MYSQLTUNER_VRN=1.9.4\n_NGINX_VRN=1.29.8\n_OPENSSH_VRN=10.3p1\n_OPENSSL_LEGACY_VRN=1.0.2u\n_OPENSSL_EOL_VRN=1.1.1w\n_OPENSSL_MODERN_VRN=3.5.6\n_PERCONA_5_7_VRN=5.7\n_PERCONA_8_0_VRN=8.0\n_PERCONA_8_4_VRN=8.4\n_PHP56_API=20131226\n_PHP56_VRN=5.6.40\n_PHP70_API=20151012\n_PHP70_VRN=7.0.33\n_PHP71_API=20160303\n_PHP71_VRN=7.1.33\n_PHP72_API=20170718\n_PHP72_VRN=7.2.34\n_PHP73_API=20180731\n_PHP73_VRN=7.3.33\n_PHP74_API=20190902\n_PHP74_VRN=7.4.33\n_PHP80_API=20200930\n_PHP80_VRN=8.0.30\n_PHP81_API=20210902\n_PHP81_VRN=8.1.34\n_PHP82_API=20220829\n_PHP82_VRN=8.2.31\n_PHP83_API=20230831\n_PHP83_VRN=8.3.31\n_PHP84_API=20240924\n_PHP84_VRN=8.4.21\n_PHP85_API=20250925\n_PHP85_VRN=8.5.6\n_PHP_APCU=5.1.27\n_PHP_IGBINARY_EIGHT_FIVE=3.2.17\n_PHP_IGBINARY_THREE=3.2.16\n_PHP_IGBINARY_TWO=2.0.8\n_PHP_MCRYPT=1.0.9\n_PHPREDIS_SIX_LATEST_VRN=6.3.0\n_PHPREDIS_SIX_MODERN_VRN=6.3.0\n_PHPREDIS_SIX_LEGACY_VRN=6.0.2\n_PHPREDIS_FIVE_VRN=5.3.7\n_PHPREDIS_FOUR_VRN=4.3.0\n_PHPREDIS_THREE_VRN=3.1.6\n_PURE_FTPD_VRN=1.0.52\n_PXC_VRN=1.4.16\n_VALKEY_NINE_VRN=9.0.3\n_VALKEY_EIGHT_VRN=8.1.4\n_VALKEY_SEVEN_VRN=7.2.11\n_REDIS_FOUR_VRN=4.0.14\n_REDIS_FIVE_VRN=5.0.9\n_REDIS_SIX_VRN=6.2.7\n_REDIS_SEVEN_VRN=7.0.15\n_RUBY_VRN=3.3.4\n_SLF4J_VRN=1.7.21\n_SOLR_1_VRN=1.4.1\n_SOLR_3_VRN=3.6.2\n_SOLR_4_VRN=4.9.1\n_SOLR_7_VRN=7.7.3\n_SOLR_9_VRN=9.8.1\n_TWIGC_VRN=1.24.0\n_UNBOUND_VRN=1.24.2\n_UPROGRESS_LEGACY_VRN=1.0.3.1\n_UPROGRESS_SEVEN_VRN=2.0.1.6\n_UPROGRESS_EIGHT_VRN=2.0.2\n_VNSTAT_VRN=2.13\n_WKHTMLTOX_VRN=12.6-1\n_YAML_PHP_LEGACY_VRN=1.3.2\n_YAML_PHP_SEVENO_VRN=2.1.0\n_YAML_PHP_MODERN_VRN=2.2.5\n_ZLIB_VRN=1.3.1\n\n\n###\n### Default variables\n###\n_CUSTOM_NAME=\"nginx\"\n_DRUSH_VERSION=\"${_DRUSH_EIGHT_VRN}\"\n_DRUSH_VERSION_TEST=\"${_DRUSH_EIGHT_TEST_VRN}\"\n_FORCE_REDIS_RESTART=NO\n_LOC_OS_CODE=\"\"\n_PURGE_ALL_THISHTIP=NO\nexport _SMALLCORE7_V=7.105.1\nexport _DRUPAL7=\"drupal-${_SMALLCORE7_V}\"\n_SPINNER=NO\n_THIS_DB_PORT=3306\nif [ -n \"${STY+x}\" ]; then\n _SPINNER=NO\nfi\n\n\n###\n### Helper variables\n###\n_aptLiSys=\"/etc/apt/sources.list\"\n_barCnf=\"/root/.barracuda.cnf\"\n_bldPth=\"/opt/tmp/boa\"\n_crlGet=\"-L --max-redirs 3 -k -s --retry 9 --retry-delay 9 -A iCab\"\n_wgetGet=\"--max-redirect=3 --no-check-certificate -q --tries=9 --wait=9 --user-agent='iCab'\"\n_aptAllow=\"--allow-unauthenticated\"\n_aptYesUnth=\"-y ${_aptAllow}\"\n_filIncB=\"barracuda.sh.cnf\"\n_gitHub=\"https://github.com/omega8cc\"\n_gitLab=\"https://gitlab.com/omega8cc\"\n_libFnc=\"${_bldPth}/lib/functions\"\n_locCnf=\"${_bldPth}/aegir/conf\"\n_mtrInc=\"/var/aegir/config/includes\"\n_mtrNgx=\"/var/aegir/config/server_master/nginx\"\n_mtrTpl=\"/var/aegir/.drush/sys/provision/http/Provision/Config/Nginx\"\n_pthLog=\"/var/log/boa\"\n_vBs=\"/var/backups\"\n\n\n###\n### SA variables\n###\n_saCoreN=\"SA-CORE-2014-005\"\n_saCoreS=\"${_saCoreN}-D7\"\n_saIncDb=\"includes/database/database.inc\"\n_saPatch=\"/var/xdrago/conf/${_saCoreS}.patch\"\n\n\n###\n### Avoid too many questions\n###\nexport DEBIAN_FRONTEND=noninteractive\nexport APT_LISTCHANGES_FRONTEND=none\nif [ -z \"${TERM+x}\" ]; then\n export TERM=vt100\nfi\n\n\n###\n### Clean pid files on exit\n###\n_clean_pid_exit() {\n if [ -n \"${1}\" ]; then\n echo \"REASON ${1} on $(date)\" >> /root/.barracuda.sh.exit.exceptions.log\n [ -e \"/opt/tmp/boa\" ] && rm -rf /opt/tmp/*\n fi\n [ -e \"/run/boa_wait.pid\" ] && rm -f /run/boa_wait.pid\n [ -e \"/run/boa_run.pid\" ] && rm -f /run/boa_run.pid\n service cron start &> /dev/null\n _CNT=$(pgrep -fc 'tee -a /var/backups/barracuda-')\n if (( _CNT > 1 )); then\n pkill -f 'tee -a /var/backups/barracuda-'\n fi\n exit 1\n}\n\n\n###\n### Panic on missing include\n###\n_panic_exit() {\n echo\n echo \" EXIT: Required lib file not available?\"\n echo \" EXIT: $1\"\n echo \" EXIT: Cannot continue\"\n echo \" EXIT: Bye (0)\"\n echo\n _clean_pid_exit _panic_exit_a\n}\n\n\n###\n### Include default settings and basic functions\n###\n[ -r \"${_vBs}/${_filIncB}\" ] || _panic_exit \"${_vBs}/${_filIncB}\"\n source \"${_vBs}/${_filIncB}\"\n\n\n###\n### Download helpers and libs\n###\nif [ \"${_OS_CODE}\" = \"excalibur\" ]; then\n _DB_SERVER=Percona\nelse\n _DB_SERVER=Percona\nfi\nif [ \"$(boa info | grep -c ${_DB_SERVER})\" -lt 3 ] || [ ! -e \"/usr/sbin/csf\" ]; then\n if [ ! -e \"/opt/tmp/boa/aegir/helpers/apt.conf.noi.nrml\" ] \\\n || [ ! -e \"/opt/tmp/boa/aegir/helpers/apt.conf.noi.dist\" ]; then\n _download_helpers_libs\n fi\nelse\n _download_helpers_libs\nfi\n\n\n###\n### Include shared functions\n###\n_FL=\"helper dns system sql valkey redis nginx php solr master xtra firewall hotfix\"\nfor f in ${_FL}; do\n [ -r \"${_libFnc}/${f}.sh.inc\" ] || _panic_exit \"${f}\"\n source \"${_libFnc}/${f}.sh.inc\"\ndone\n\n\n###\n### Make sure we are running as root\n###\n_if_running_as_root_barracuda\n\n\n###\n### Welcome msg\n###\necho \" \"\n_msg \"Skynet Agent v.${_X_VERSION} on $(dmidecode -s system-manufacturer 2>&1) welcomes you aboard!\"\necho \" \"\nsleep 3\n\n\n###\n### Early procedures\n###\n_normalize_ip_name_variables\n_mode_detection\n_check_exception_mycnf\n_virt_detection\n_os_detection\n_os_detection_minimal\n_if_rebuild_src_on_major_os_upgrade\n_if_long_generate_on_major_os_upgrade\n\n\n###\n### Quick php-idle ON/OFF procedure only\n###\n_if_php_idle_on_off\n\n\n###\n### Packages install/update on init\n###\n_sources_list_update\n_basic_packages_install_on_init\n_more_packages_install_on_init\n_run_aptitude_full_upgrade\n\n\n###\n### Misc checks\n###\n_check_boa_php_compatibility\n_check_boa_version\nif [ \"${_CHECKS_REMOTE_REPOS}\" = \"YES\" ]; then\n _check_github_for_aegir_head_mode\n _check_db_src\n _check_git_repos\nfi\n_check_ip_hostname\n_check_prepare_dirs_permissions\n\n\n###\n### Turn Off AppArmor temporarily while running barracuda\n###\nif [ \"${_OS_CODE}\" = \"stretch\" ] || [ \"${_OS_CODE}\" = \"jessie\" ]; then\n [ ! -e \"/root/.turn_off_apparmor_in_octopus.cnf\" ] && touch /root/.turn_off_apparmor_in_octopus.cnf\nelse\n _turn_off_apparmor_temporarily\nfi\n\n\n###\n### Optional major system upgrades\n###\n_early_sys_ctrl_mark\n_if_post_major_os_upgrade\n_if_major_os_upgrade\n_normal_sys_ctrl_mark\n\n\n###\n### Upgrade only Ægir Master Instance (obsolete mode)\n###\nif [ \"${_ALLOW_HEAVY_REBUILDS}\" = \"YES\" ]; then\n _if_upgrade_only_aegir_master\nfi\n\n###\n### System packages install and update\n###\n_sys_packages_update\n_if_proxysql_update\n_sys_packages_install\n_java_check_fix\n_locales_check_fix\n\n\n###\n### Do not allow strong passwords until locales work properly\n###\nif [ \"${_LOCALE_TEST}\" = \"BROKEN\" ]; then\n _STRONG_PASSWORDS=NO\nfi\n\n\n###\n### Install key packages first\n###\n_run_aptitude_full_upgrade\n_run_aptitude_deps_install\n_kill_nash\n\n\n###\n### OpenSSL modern and legacy support\n###\n_LC_SSL_CTRL=\"/root/.install.legacy.openssl.cnf\"\n_MD_SSL_CTRL=\"/root/.install.modern.openssl.cnf\"\nif [ \"${_STATUS}\" = \"INIT\" ] || [ ! -x \"/usr/local/ssl/bin/openssl\" ]; then\n if [ -e \"${_MD_SSL_CTRL}\" ]; then\n chattr -i ${_MD_SSL_CTRL}\n rm -f ${_MD_SSL_CTRL}\n fi\n touch ${_LC_SSL_CTRL}\n _if_ssl_install_src\n _sync_system_ssl_certs\n _ssl_paths_sync\n _ssl_crypto_lib_fix\n _curl_install_src\nfi\nif [ -x \"/usr/local/ssl/bin/openssl\" ]; then\n [ -e \"${_LC_SSL_CTRL}\" ] && rm -f ${_LC_SSL_CTRL}\nfi\nif [ \"${_STATUS}\" = \"INIT\" ] || [ ! -x \"/usr/local/ssl3/bin/openssl\" ]; then\n if [ ! -e \"${_LC_SSL_CTRL}\" ]; then\n if [ ! -e \"${_MD_SSL_CTRL}\" ]; then\n touch ${_MD_SSL_CTRL}\n chattr +i ${_MD_SSL_CTRL}\n fi\n fi\nelif [ \"${_STATUS}\" = \"UPGRADE\" ]; then\n if [ ! -e \"/opt/php73/bin/php\" ] \\\n && [ ! -e \"/opt/php72/bin/php\" ] \\\n && [ ! -e \"/opt/php71/bin/php\" ] \\\n && [ ! -e \"/opt/php70/bin/php\" ] \\\n && [ ! -e \"/opt/php56/bin/php\" ]; then\n if [ ! -e \"${_MD_SSL_CTRL}\" ] \\\n && [ ! -e \"${_LC_SSL_CTRL}\" ]; then\n touch ${_MD_SSL_CTRL}\n chattr +i ${_MD_SSL_CTRL}\n fi\n fi\n if [ ! -x \"/usr/local/ssl/bin/openssl\" ] \\\n && [ -e \"${_LC_SSL_CTRL}\" ]; then\n if [ -e \"${_MD_SSL_CTRL}\" ]; then\n chattr -i ${_MD_SSL_CTRL}\n rm -f ${_MD_SSL_CTRL}\n fi\n fi\nfi\nif [ -x \"/usr/local/ssl/bin/openssl\" ] \\\n && [ -x \"/usr/local/ssl3/bin/openssl\" ]; then\n if [ ! -e \"${_MD_SSL_CTRL}\" ]; then\n touch ${_MD_SSL_CTRL}\n chattr +i ${_MD_SSL_CTRL}\n fi\nfi\n\n\n###\n### Install OpenSSL and cURL from sources\n###\nif [ \"${_ALLOW_HEAVY_REBUILDS}\" = \"YES\" ] || [ ! -x \"/usr/local/ssl3/bin/openssl\" ]; then\n _if_ssl_install_src\n _sync_system_ssl_certs\n _ssl_paths_sync\n _ssl_crypto_lib_fix\n _curl_install_src\nfi\n\n\n###\n### Install OpenSSH from sources\n###\nif [ \"${_SSH_FROM_SOURCES}\" = \"YES\" ] && [ \"${_ALLOW_HEAVY_REBUILDS}\" = \"YES\" ]; then\n if [ \"${_STATUS}\" = \"INIT\" ] || [ \"${_STATUS}\" = \"UPGRADE\" ]; then\n if [ \"${_OS_DIST}\" = \"Debian\" ] || [ \"${_OS_DIST}\" = \"Devuan\" ]; then\n _sshd_install_src\n _sshd_armour\n fi\n fi\nfi\n\n\n###\n### Install Percona server\n###\n_db_server_install\n\n\n###\n### Finalize initial Percona server and tools setup\n###\n_init_sql_root_credentials\n_sql_root_credentials_update\n_myquick_install_upgrade\n\n\n###\n### Install other services\n###\nif [ \"${_ALLOW_HEAVY_REBUILDS}\" = \"YES\" ]; then\n _nginx_install_upgrade\n _nginx_initd_check\n _nginx_mime_check_fix\n if [ \"${_VALKEY_MAJOR_RELEASE}\" = \"7\" ] \\\n || [ \"${_VALKEY_MAJOR_RELEASE}\" = \"8\" ] \\\n || [ \"${_VALKEY_MAJOR_RELEASE}\" = \"9\" ]; then\n _valkey_install_upgrade\n else\n _redis_install_upgrade\n fi\n _lshell_install_upgrade\n _magick_install_upgrade\n _php_install_deps\n _php_libs_fix\n _php_if_versions_cleanup_cnf\n if [ \"${_STATUS}\" = \"UPGRADE\" ]; then\n _php_ioncube_check_if_update\n _php_check_if_rebuild\n _mytop_install\n fi\n _php_install_upgrade\n _php_config_check_update\n _php_upgrade_all\n _if_install_php_newrelic\n _newrelic_check_fix\nfi\n_smtp_check\n_xdrago_install_upgrade\n_if_drupal_patches_update\n_mc_panels_ini_update\n\n\n###\n### Download system-wide Drush versions\n###\n_drush_system_install_update\n\n\n###\n### Install or upgrade Ægir Master Instance\n###\nif [ \"${_ALLOW_HEAVY_REBUILDS}\" = \"YES\" ]; then\n _aegir_master_install_upgrade\n _aegir_bin_extra_check_fix\n _nginx_wildcard_ssl_install\n _nginx_config_update_fix\n _aegir_master_display_login_link\nfi\n\n\n###\n### Install or upgrade DNS cache server\n###\nif [ \"${_STATUS}\" = \"UPGRADE\" ]; then\n _dns_unbound_install_upgrade\nfi\n\n\n###\n### Install or upgrade csf/lfd monitoring\n###\nif [ \"${_STATUS}\" = \"UPGRADE\" ]; then\n _csf_lfd_install_upgrade\nfi\n\n\n###\n### Optional add-on services\n###\nif [ \"${_STATUS}\" = \"INIT\" ] || [ \"${_STATUS}\" = \"UPGRADE\" ]; then\n if [ \"${_ALLOW_HEAVY_REBUILDS}\" = \"YES\" ]; then\n _if_install_ftpd\n _if_install_vnstat\n _if_install_wkhtmltox\n _if_install_chromium\n _if_install_git_src\n _if_install_ffmpeg\n _if_install_bzr\n [ ! -e \"/root/.deny.java.cnf\" ] && _if_install_upgrade_solr\n _if_install_adminer\n _if_install_chive\n _if_install_sqlbuddy\n _if_install_collectd\n _if_install_webmin\n _if_install_bind\n _if_install_ruby\n _if_install_node\n _sftp_ftps_modern_fix\n fi\nfi\n\n\n###\n### Update rsyslog configuration\n###\n_rsyslog_config_update\n\n\n###\n### Install or uninstall AppArmor after barracuda install and upgrade\n###\nif [ -e \"/root/.keep_apparmor_on.cnf\" ] && [ ! -e \"/root/.deny.apparmor.cnf\" ]; then\n [ ! -e \"/root/.allow.apparmor.cnf\" ] && touch /root/.allow.apparmor.cnf\n if [ ! -e \"/root/.run-to-excalibur.cnf\" ] \\\n && [ ! -e \"/root/.run-to-daedalus.cnf\" ] \\\n && [ ! -e \"/root/.run-to-chimaera.cnf\" ] \\\n && [ ! -e \"/root/.run-to-beowulf.cnf\" ]; then\n if [ \"${_OS_CODE}\" != \"stretch\" ] && [ \"${_OS_CODE}\" != \"jessie\" ]; then\n _if_install_apparmor\n fi\n fi\nelse\n [ -e \"/root/.allow.apparmor.cnf\" ] && rm -f /root/.allow.apparmor.cnf\n [ ! -e \"/root/.deny.apparmor.cnf\" ] && touch /root/.deny.apparmor.cnf\n if [ \"${_OS_CODE}\" != \"stretch\" ] && [ \"${_OS_CODE}\" != \"jessie\" ]; then\n _if_remove_apparmor\n fi\nfi\n\n\n###\n### Update barracuda log, tools and system settings\n###\n_pam_umask_check_fix\n_pam_many_check_fix\n_avatars_check_fix\n_sysctl_update\n_initd_update\n_apticron_update\n_barracuda_log_update\n_find_server_city\n\n\n###\n### Complete system checks and cleanup\n###\n_complete\nexit 0\n\n\n###----------------------------------------###\n###\n### Barracuda Ægir Installer\n### Copyright (C) 2009-2026 Omega8.cc\n### noc@omega8.cc www.omega8.cc\n###\n###----------------------------------------###\n"
},
{
"path": "BOA.sh.txt",
"content": "#!/bin/bash\n\n\n###----------------------------------------###\n###\n### BOA Meta Installer\n###\n### Copyright (C) 2009-2026 Omega8.cc\n### noc@omega8.cc www.omega8.cc\n###\n### This program is free software. You can\n### redistribute it and/or modify it under\n### the terms of the GNU GPL as published by\n### the Free Software Foundation, version 2\n### or later.\n###\n### This program is distributed in the hope\n### that it will be useful, but WITHOUT ANY\n### WARRANTY; without even the implied\n### warranty of MERCHANTABILITY or FITNESS\n### FOR A PARTICULAR PURPOSE. See the GNU GPL\n### for more details.\n###\n### You should have received a copy of the\n### GNU GPL along with this program.\n### If not, see http://www.gnu.org/licenses/\n###\n### Code: https://github.com/omega8cc/boa\n###\n###----------------------------------------###\n\n\n###----------------------------------------###\n### How To: run it with bash, not with sh ###\n###----------------------------------------###\n###\n### $ wget -qO- http://files.aegir.cc/BOA.sh.txt | bash\n###\n\n###----------------------------------------###\n### DON'T EDIT ANYTHING BELOW THIS LINE ###\n###----------------------------------------###\n\nexport HOME=/root\nexport SHELL=/bin/bash\nexport PATH=/usr/local/bin:/usr/local/sbin:/opt/local/bin:/usr/bin:/usr/sbin:/bin:/sbin:/usr/libexec\nexport _tRee=dev\nexport _xSrl=591devT01\nexport _rLsn=\"BOA-5.9.1\"\nexport _bTs=591v02\n\n###\n### Avoid too many questions\n###\nexport DEBIAN_FRONTEND=noninteractive\nexport APT_LISTCHANGES_FRONTEND=none\nif [ -z \"${TERM+x}\" ]; then\n export TERM=vt100\nfi\n\n_NOW=$(date +%y%m%d-%H%M%S)\nexport _NOW=${_NOW//[^0-9-]/}\n_TODAY=$(date +%y%m%d)\nexport _TODAY=${_TODAY//[^0-9]/}\n#\n_barCnf=\"/root/.barracuda.cnf\"\n_crlGet=\"-L --max-redirs 3 -k -s --retry 9 --retry-delay 9 -A iCab\"\n_wgetGet=\"--max-redirect=3 --no-check-certificate -q --tries=9 --wait=9 --user-agent='iCab'\"\n_aptAllow=\"--allow-unauthenticated\"\n_aptYesUnth=\"-y ${_aptAllow}\"\n_optBin=\"/opt/local/bin\"\n_usrBin=\"/usr/local/bin\"\n_xpthLog=\"/var/xdrago/log\"\n_pthLog=\"/var/log/boa\"\n_tBn=\"tools/bin\"\n_vBs=\"/var/backups\"\n_boaToolsPid=\"${_pthLog}/updateBOAtools.${_bTs}.ctrl.${_tRee}.${_xSrl}.pid\"\n_INITINS=\"/usr/bin/apt-get ${_aptAllow} -y install\"\n#\nif [ ! -e \"${_pthLog}/.migrated.txt\" ] && [ -d \"${_xpthLog}\" ]; then\n mkdir -p \"${_pthLog}\"\n cp -a ${_xpthLog}/*.pid ${_pthLog}/\n cp -a ${_xpthLog}/.*pid ${_pthLog}/\n cp -a ${_xpthLog}/*.log ${_pthLog}/\n cp -a ${_xpthLog}/*.txt ${_pthLog}/\n cp -a ${_xpthLog}/usage ${_pthLog}/\n cp -a ${_xpthLog}/daily ${_pthLog}/\n cp -a ${_xpthLog}/core ${_pthLog}/\n cp -a ${_xpthLog}/le ${_pthLog}/\n touch \"${_pthLog}/.migrated.txt\"\nfi\n[ ! -d \"${_pthLog}/usage\" ] && mkdir -p \"${_pthLog}/usage\"\n[ ! -d \"${_pthLog}/daily\" ] && mkdir -p \"${_pthLog}/daily\"\n[ ! -d \"${_pthLog}/core\" ] && mkdir -p \"${_pthLog}/core\"\n[ ! -d \"${_pthLog}/le\" ] && mkdir -p \"${_pthLog}/le\"\n#\n_eldirF=\"0001-Print-site_footer-if-defined.patch\"\n_eldirP=\"/var/xdrago/conf/${_eldirF}\"\n#\n_tenCorePatchFname=\"drupal-ten-aegir-core-01.patch\"\n_tenCorePatchPath=\"/data/conf/patches/${_tenCorePatchFname}\"\n#\n_tenConsolePatchFname=\"drupal-ten-aegir-console-02.patch\"\n_tenConsolePatchPath=\"/data/conf/patches/${_tenConsolePatchFname}\"\n#\n_elevenCorePatchFname=\"drupal-eleven-aegir-core-01.patch\"\n_elevenCorePatchPath=\"/data/conf/patches/${_elevenCorePatchFname}\"\n#\n_elevenConsolePatchFname=\"drupal-eleven-aegir-console-02.patch\"\n_elevenConsolePatchPath=\"/data/conf/patches/${_elevenConsolePatchFname}\"\n#\n_elevenValidatorPatchFname=\"drupal-eleven-aegir-validator-03.patch\"\n_elevenValidatorPatchPath=\"/data/conf/patches/${_elevenValidatorPatchFname}\"\n#\n_provLeInc=\"provision_hosting_le.drush.inc\"\n_provLeIncFull=\"/var/xdrago/conf/${_provLeInc}\"\n#\n_hoLeInc=\"hosting_le_vhost.drush.inc\"\n_hoLeIncFull=\"/var/xdrago/conf/${_hoLeInc}\"\n#\n_dehydName=\"dehydrated\"\n_dehydSrcPath=\"/var/xdrago/conf/${_dehydName}\"\n_legacyLeSh=\"/var/xdrago/conf/letsencrypt.sh\"\n\n_DEBUG_MODE=$([ -e \"/root/.debug-barracuda-installer.cnf\" ] && echo \"YES\" || echo \"NO\")\n\n_os_detection_minimal() {\n _APT_UPDATE=\"apt-get update\"\n _OS_CODE=$(lsb_release -ar 2>/dev/null | grep -i codename | cut -s -f2)\n _OS_LIST=\"excalibur daedalus chimaera beowulf buster bullseye bookworm trixie\"\n for e in ${_OS_LIST}; do\n if [ \"${e}\" = \"${_OS_CODE}\" ]; then\n _APT_UPDATE=\"apt-get update --allow-releaseinfo-change\"\n fi\n done\n}\n\n_apt_clean_update() {\n ${_APT_UPDATE} -qq 2>/dev/null\n _CALLER_SCRIPT=\"$(basename \"${BASH_SOURCE[-1]}\")\"\n _CALLER_SCRIPT=\"${_CALLER_SCRIPT//[^a-zA-Z0-9._-]/_}\"\n date +%s > \"/run/_latest_apt_clean_update.${_CALLER_SCRIPT}.pid\"\n}\n\n_if_hosted_sys() {\n _hName=\"$(cat /etc/hostname 2>/dev/null | tr -d '\\n' || hostname -f 2>/dev/null)\"\n if [ -e \"/root/.host8.cnf\" ] \\\n || [[ \"${_hName}\" =~ \".aegir.cc\"($) ]]; then\n _hostedSys=YES\n else\n _hostedSys=NO\n fi\n}\n\n#\n# Find server city.\n_find_server_city() {\n if [ -e \"/root/.found_correct_city.cnf\" ]; then\n _LOC_CITY=$(cat /root/.found_correct_city.cnf 2>/dev/null | tr -d '\\n')\n else\n if [ -e \"/root/.found_correct_ipv4.cnf\" ]; then\n _LOC_IP=$(cat /root/.found_correct_ipv4.cnf 2>/dev/null | tr -d '\\n')\n _LOC_CITY=$(curl ${_crlGet} ipinfo.io/${_LOC_IP}/city 2>&1)\n _LOC_CITY=$(echo -n ${_LOC_CITY} | tr -d \"\\n\" 2>&1)\n fi\n if [ ! -z \"${_LOC_CITY}\" ]; then\n _LOC_CITY=$(echo \"${_LOC_CITY}\" | tr ' ' '+' 2>&1)\n echo ${_LOC_CITY} > /root/.found_correct_city.cnf\n fi\n fi\n}\n\n#\n# Find correct IP.\n_find_correct_ip() {\n if [ -e \"/root/.found_correct_ipv4.cnf\" ]; then\n _LOC_IP=$(cat /root/.found_correct_ipv4.cnf 2>/dev/null | tr -d '\\n')\n else\n _LOC_IP=$(curl ${_crlGet} https://api.ipify.org | sed 's/[^0-9\\.]//g')\n if [ -z \"${_LOC_IP}\" ]; then\n _LOC_IP=$(curl ${_crlGet} http://ipv4.icanhazip.com | sed 's/[^0-9\\.]//g')\n fi\n if [ ! -z \"${_LOC_IP}\" ]; then\n echo ${_LOC_IP} > /root/.found_correct_ipv4.cnf\n fi\n fi\n if [ -n \"${_LOC_IP}\" ] && grep -qE \"${_LOC_IP}\\s\" /etc/hosts; then\n cp -af /etc/hosts /etc/.was.hosts\n sed -i \"s/^${_LOC_IP}.*//g\" /etc/hosts\n [ -x \"/etc/init.d/unbound\" ] && [ ! -e \"/usr/etc/unbound/unbound.conf.d\" ] && mkdir -p /usr/etc/unbound/unbound.conf.d\n [ -x \"/etc/init.d/unbound\" ] && service unbound restart &> /dev/null\n fi\n}\n\n_fix_dns_settings() {\n [ ! -d \"${_vBs}\" ] && mkdir -p ${_vBs}\n rm -f ${_vBs}/resolv.conf.tmp\n if ! grep -q \"nameserver 127.0.0.1\" /etc/resolv.conf; then\n if [ -x \"/usr/sbin/unbound\" ] && [ -e \"/run/unbound/unbound.pid\" ]; then\n _FORCE_RESOLV_UPDATE=YES\n else\n _FORCE_RESOLV_UPDATE=NO\n fi\n fi\n if ! grep -q \"BOA-DNS-Config\" /etc/resolv.conf || [ \"${_FORCE_RESOLV_UPDATE}\" = \"YES\" ]; then\n echo \"### BOA-DNS-Config ###\" > ${_vBs}/resolv.conf.tmp\n if [ -x \"/usr/sbin/unbound\" ] && [ -e \"/run/unbound/unbound.pid\" ]; then\n echo \"nameserver 127.0.0.1\" >> ${_vBs}/resolv.conf.tmp\n fi\n echo \"nameserver 1.1.1.1\" >> ${_vBs}/resolv.conf.tmp\n echo \"nameserver 8.8.8.8\" >> ${_vBs}/resolv.conf.tmp\n echo \"nameserver 9.9.9.9\" >> ${_vBs}/resolv.conf.tmp\n fi\n if [ -e \"${_vBs}/resolv.conf.tmp\" ]; then\n chattr -i /etc/resolv.conf\n rm -f /etc/resolv.conf\n cp -a ${_vBs}/resolv.conf.tmp /etc/resolv.conf\n chmod 0644 /etc/resolv.conf\n chattr +i /etc/resolv.conf\n cp -a ${_vBs}/resolv.conf.tmp ${_vBs}/resolv.conf.vanilla\n fi\n if [ -x \"/usr/sbin/unbound-control\" ] \\\n && [ -e \"/etc/resolvconf/run/interface/lo.unbound\" ]; then\n unbound-control reload &> /dev/null\n fi\n}\n\n_check_dns_settings() {\n _EHU=NO\n if ! grep -q \"127.0.0.1 localhost\" /etc/hosts; then\n sed -i \"s/^127.0.0.1.*//g\" /etc/hosts\n echo \"\" >> /etc/hosts\n echo \"127.0.0.1 localhost\" >> /etc/hosts\n _EHU=YES\n fi\n if grep -q \"files.aegir.cc\" /etc/hosts; then\n sed -i \"s/.*files.aegir.cc.*//g\" /etc/hosts\n _EHU=YES\n fi\n if grep -q \"github\" /etc/hosts; then\n sed -i \"s/.*github.*//g\" /etc/hosts\n _EHU=YES\n fi\n if [ \"${_EHU}\" = \"YES\" ]; then\n echo >>/etc/hosts\n sed -i \"/^$/d\" /etc/hosts\n fi\n if [ -L \"/etc/resolv.conf\" ]; then\n _fix_dns_settings\n return 1 # Exit the function but continue the script\n fi\n if [ -e \"/root/.use.default.nameservers.cnf\" ]; then\n if [ -e \"/root/.use.local.nameservers.cnf\" ]; then\n rm -f /root/.use.local.nameservers.cnf\n fi\n _USE_DEFAULT_DNS=YES\n if ! grep -q \"BOA-DNS-Config\" /etc/resolv.conf; then\n _fix_dns_settings\n return 1 # Exit the function but continue the script\n fi\n fi\n if [ -e \"/root/.use.local.nameservers.cnf\" ]; then\n _USE_PROVIDER_DNS=YES\n else\n _REMOTE_DNS_TEST=$(host files.aegir.cc 1.1.1.1 -w 10 2>&1)\n if ! grep -q \"BOA-DNS-Config\" /etc/resolv.conf; then\n _fix_dns_settings\n return 1 # Exit the function but continue the script\n fi\n fi\n if [[ \"${_REMOTE_DNS_TEST}\" =~ \"no servers could be reached\" ]] \\\n || [[ \"${_REMOTE_DNS_TEST}\" =~ \"Host files.aegir.cc not found\" ]] \\\n || [ \"${_USE_PROVIDER_DNS}\" = \"YES\" ]; then\n _fix_dns_settings\n fi\n}\n\n_find_fast_mirror_early() {\n _isNetc=\"$(which netcat)\"\n if [ ! -x \"${_isNetc}\" ] || [ -z \"${_isNetc}\" ]; then\n if [ ! -e \"/etc/apt/apt.conf.d/00sandboxoff\" ] \\\n && [ -e \"/etc/apt/apt.conf.d\" ]; then\n echo \"APT::Sandbox::User \\\"root\\\";\" > /etc/apt/apt.conf.d/00sandboxoff\n fi\n _apt_clean_update\n apt-get install netcat-traditional ${_aptYesUnth} &> /dev/null\n fi\n _ffMirr=/opt/local/bin/ffmirror\n if [ -x \"${_ffMirr}\" ]; then\n _ffList=\"/var/backups/boa-mirrors-2025-01.txt\"\n [ -d \"/var/backups\" ] || mkdir -p /var/backups\n if [ ! -e \"${_ffList}\" ]; then\n echo \"eu.files.aegir.cc\" > ${_ffList}\n echo \"us.files.aegir.cc\" >> ${_ffList}\n echo \"ao.files.aegir.cc\" >> ${_ffList}\n fi\n if [ -e \"${_ffList}\" ]; then\n _BROKEN_FFMIRR_TEST=$(grep \"stuff\" ${_ffMirr} 2>&1)\n if [[ \"${_BROKEN_FFMIRR_TEST}\" =~ \"stuff\" ]]; then\n _CHECK_MIRROR=$(bash ${_ffMirr} < ${_ffList} 2>&1)\n _CHECK_MIRROR=$(bash ${_ffMirr} < ${_ffList} 2>&1)\n _USE_MIR=\"${_CHECK_MIRROR}\"\n [[ \"${_USE_MIR}\" =~ \"printf\" ]] && _USE_MIR=\"files.aegir.cc\"\n else\n _USE_MIR=\"files.aegir.cc\"\n fi\n else\n _USE_MIR=\"files.aegir.cc\"\n fi\n else\n _USE_MIR=\"files.aegir.cc\"\n fi\n _urlDev=\"http://${_USE_MIR}/dev\"\n _urlHmr=\"http://${_USE_MIR}/versions/${_tRee}/boa/aegir\"\n}\n\n_extract_archive() {\n if [ ! -z \"$1\" ]; then\n case $1 in\n *.tar.bz2) tar xjf $1 ;;\n *.tar.gz) tar xzf $1 ;;\n *.tar.xz) tar xvf $1 ;;\n *.bz2) bunzip2 $1 ;;\n *.rar) unrar x $1 ;;\n *.gz) gunzip -q $1 ;;\n *.tar) tar xf $1 ;;\n *.tbz2) tar xjf $1 ;;\n *.tgz) tar xzf $1 ;;\n *.zip) unzip -qq $1 ;;\n *.Z) uncompress $1 ;;\n *.7z) 7z x $1 ;;\n *) echo \"'$1' cannot be extracted via >extract<\" ;;\n esac\n rm -f $1\n fi\n}\n\n#\n# Download and extract from dev/contrib mirror.\n_get_dev_contrib() {\n if [ ! -z \"$1\" ]; then\n _max_attempts=10\n _attempt_num=1\n _success=0\n while [ ${_attempt_num} -le ${_max_attempts} ]; do\n [ \"${_DEBUG_MODE}\" = \"YES\" ] && echo \"DNLD: Attempt ${_attempt_num} of ${_max_attempts}: Downloading $1...\"\n if curl ${_crlGet} \"${_urlDev}/${_tRee}/contrib/$1\" -o \"$1\"; then\n _success=1\n break\n else\n [ \"${_DEBUG_MODE}\" = \"YES\" ] && echo \"DNLD: Attempt ${_attempt_num} failed.\"\n _attempt_num=$((_attempt_num+1))\n if [ \"${_attempt_num}\" -le \"${_max_attempts}\" ]; then\n [ \"${_DEBUG_MODE}\" = \"YES\" ] && echo \"DNLD: Retrying in 9 seconds...\"\n sleep 9\n fi\n fi\n done\n if [ \"${_success}\" -eq 1 ]; then\n _extract_archive \"$1\"\n else\n echo \"OOPS: Failed to download ${_urlDev}/${_tRee}/contrib/$1 after ${_max_attempts} attempts\"\n return 1 # Exit the function but continue the script\n fi\n fi\n}\n\n#\n# Download and extract archive from dev/src mirror.\n_get_dev_src() {\n if [ ! -z \"$1\" ]; then\n _max_attempts=10\n _attempt_num=1\n _success=0\n while [ ${_attempt_num} -le ${_max_attempts} ]; do\n [ \"${_DEBUG_MODE}\" = \"YES\" ] && echo \"DNLD: Attempt ${_attempt_num} of ${_max_attempts}: Downloading $1...\"\n if curl ${_crlGet} \"${_urlDev}/src/$1\" -o \"$1\"; then\n _success=1\n break\n else\n [ \"${_DEBUG_MODE}\" = \"YES\" ] && echo \"DNLD: Attempt ${_attempt_num} failed.\"\n _attempt_num=$((_attempt_num+1))\n if [ \"${_attempt_num}\" -le \"${_max_attempts}\" ]; then\n [ \"${_DEBUG_MODE}\" = \"YES\" ] && echo \"DNLD: Retrying in 9 seconds...\"\n sleep 9\n fi\n fi\n done\n if [ \"${_success}\" -eq 1 ]; then\n _extract_archive \"$1\"\n else\n echo \"OOPS: Failed to download ${_urlDev}/src/$1 after ${_max_attempts} attempts\"\n return 1 # Exit the function but continue the script\n fi\n fi\n}\n\n_if_clean_boa_env() {\n if [ ! -x \"/etc/init.d/clean-boa-env\" ]; then\n curl ${_crlGet} \"${_urlHmr}/conf/var/clean-boa-env\" -o /etc/init.d/clean-boa-env\n if [ -e \"/etc/init.d/clean-boa-env\" ]; then\n chmod 700 /etc/init.d/clean-boa-env\n chown root:root /etc/init.d/clean-boa-env\n update-rc.d clean-boa-env defaults &> /dev/null\n fi\n fi\n}\n\n###\n### Function to verify BOA keys\n###\n_verify_boa_keys() {\n if [ -e \"/root/.dev.server.cnf\" ]; then\n echo \"PROC: _verify_boa_keys in BOA.sh.txt\"\n fi\n if [ \"${_tRee}\" = \"pro\" ] || [ \"${_tRee}\" = \"dev\" ]; then\n _if_hosted_sys\n _allw=NO\n _urlEnc=\"http://${_USE_MIR}/enc/2024\"\n _encName=$(echo ${_hName} \\\n | openssl md5 \\\n | awk '{ print $2}' \\\n | tr -d \"\\n\" 2>&1)\n if [[ \"${_hName}\" =~ \".aegir.cc\"($) ]] \\\n || [[ \"${_hName}\" =~ \".o8.io\"($) ]] \\\n || [[ \"${_hName}\" =~ \".boa.io\"($) ]]; then\n _allw=YES\n fi\n mkdir -p /var/opt\n rm -f /var/opt/_encN*\n curl ${_crlGet} \"${_urlEnc}/${_encName}\" -o /var/opt/_encN.${_encName}.tmp\n wait\n echo \"${_hName}.${_encName}\" > /var/opt/_encN_local.${_encName}.tmp\n wait\n if [ -e \"/var/opt/_encN.${_encName}.tmp\" ] && [ -e \"/var/opt/_encN_local.${_encName}.tmp\" ]; then\n _diffTestIf=$(diff -w -B /var/opt/_encN.${_encName}.tmp /var/opt/_encN_local.${_encName}.tmp 2>&1)\n if [ ! -z \"${_diffTestIf}\" ] && [ \"${_allw}\" = \"NO\" ]; then\n echo\n echo \"Your system requires valid license for access to ${_rLsn}-${_tRee}\"\n echo \"Please visit https://omega8.cc/licenses to purchase your own\"\n echo\n if [ -e \"/var/aegir/.drush/hm.alias.drushrc.php\" ] \\\n && [ ! -e \"/var/aegir/key/barracuda_key.txt\" ]; then\n mkdir -p /var/aegir/key\n cat /var/opt/_encN_local.${_encName}.tmp > /var/aegir/key/barracuda_key.txt\n fi\n rm -f /var/opt/_encN*\n exit 0\n else\n if [ -e \"/var/aegir/.drush/hm.alias.drushrc.php\" ] \\\n && [ ! -e \"/var/aegir/key/barracuda_key.txt\" ]; then\n mkdir -p /var/aegir/key\n cat /var/opt/_encN_local.${_encName}.tmp > /var/aegir/key/barracuda_key.txt\n fi\n fi\n else\n echo\n echo \"Your system requires valid license to use this BOA version (${_tRee})\"\n echo \"Unfortunately it was not possible to verify your system status\"\n echo \"Please contact our support but visit https://omega8.cc/licenses first\"\n echo\n exit 0\n fi\n fi\n}\n\n_locales_check_fix_early() {\n _isLoc=\"$(which locale)\"\n if [ ! -x \"${_isLoc}\" ] || [ -z \"${_isLoc}\" ]; then\n apt-get update -qq &> /dev/null\n ${_INITINS} locales locales-all &> /dev/null\n fi\n _LOC_TEST=$(locale 2>&1)\n if [[ \"${_LOC_TEST}\" =~ LANG=.*UTF-8 ]]; then\n _LOCALE_TEST=OK\n fi\n if [[ \"${_LOC_TEST}\" =~ \"Cannot\" ]]; then\n _LOCALE_TEST=BROKEN\n fi\n if [ \"${_LOCALE_TEST}\" = \"BROKEN\" ]; then\n _LOCALE_GEN_TEST=$(grep -v \"^#\" /etc/locale.gen 2>&1)\n if [[ ! \"${_LOCALE_GEN_TEST}\" =~ \"en_US.UTF-8 UTF-8\" ]]; then\n echo \"en_US.UTF-8 UTF-8\" >> /etc/locale.gen\n fi\n sed -i \"/^$/d\" /etc/locale.gen\n locale-gen &> /dev/null\n locale-gen en_US.UTF-8 &> /dev/null\n # Explicitly enforce all locale settings\n update-locale \\\n LANG=en_US.UTF-8 \\\n LC_CTYPE=en_US.UTF-8 \\\n LC_COLLATE=POSIX \\\n LC_NUMERIC=POSIX \\\n LC_TIME=en_US.UTF-8 \\\n LC_MONETARY=en_US.UTF-8 \\\n LC_MESSAGES=en_US.UTF-8 \\\n LC_PAPER=en_US.UTF-8 \\\n LC_NAME=en_US.UTF-8 \\\n LC_ADDRESS=en_US.UTF-8 \\\n LC_TELEPHONE=en_US.UTF-8 \\\n LC_MEASUREMENT=en_US.UTF-8 \\\n LC_IDENTIFICATION=en_US.UTF-8 \\\n LC_ALL= &> /dev/null\n # Define all locale settings on the fly to prevent unnecessary\n # warnings during installation of packages.\n export LANG=en_US.UTF-8 &> /dev/null\n export LC_CTYPE=en_US.UTF-8 &> /dev/null\n export LC_COLLATE=POSIX &> /dev/null\n export LC_NUMERIC=POSIX &> /dev/null\n export LC_TIME=en_US.UTF-8 &> /dev/null\n export LC_MONETARY=en_US.UTF-8 &> /dev/null\n export LC_MESSAGES=en_US.UTF-8 &> /dev/null\n export LC_PAPER=en_US.UTF-8 &> /dev/null\n export LC_NAME=en_US.UTF-8 &> /dev/null\n export LC_ADDRESS=en_US.UTF-8 &> /dev/null\n export LC_TELEPHONE=en_US.UTF-8 &> /dev/null\n export LC_MEASUREMENT=en_US.UTF-8 &> /dev/null\n export LC_IDENTIFICATION=en_US.UTF-8 &> /dev/null\n export LC_ALL= &> /dev/null\n else\n _LOCALE_GEN_TEST=$(grep -v \"^#\" /etc/locale.gen 2>&1)\n if [[ ! \"${_LOCALE_GEN_TEST}\" =~ \"en_US.UTF-8 UTF-8\" ]]; then\n echo \"en_US.UTF-8 UTF-8\" >> /etc/locale.gen\n fi\n sed -i \"/^$/d\" /etc/locale.gen\n locale-gen &> /dev/null\n locale-gen en_US.UTF-8 &> /dev/null\n # Explicitly enforce locale settings required for consistency\n update-locale \\\n LANG=en_US.UTF-8 \\\n LC_CTYPE=en_US.UTF-8 \\\n LC_COLLATE=POSIX \\\n LC_NUMERIC=POSIX \\\n LC_ALL= &> /dev/null\n # Define locale settings required for consistency also on the fly\n export LC_COLLATE=POSIX &> /dev/null\n export LC_NUMERIC=POSIX &> /dev/null\n export LC_ALL= &> /dev/null\n fi\n _LOCALES_BASHRC_TEST=$(grep LC_COLLATE /root/.bashrc 2>&1)\n if [[ ! \"${_LOCALES_BASHRC_TEST}\" =~ \"LC_COLLATE\" ]]; then\n printf \"\\n\" >> /root/.bashrc\n echo \"export LANG=en_US.UTF-8\" >> /root/.bashrc\n echo \"export LC_CTYPE=en_US.UTF-8\" >> /root/.bashrc\n echo \"export LC_COLLATE=POSIX\" >> /root/.bashrc\n echo \"export LC_NUMERIC=POSIX\" >> /root/.bashrc\n echo \"export LC_TIME=en_US.UTF-8\" >> /root/.bashrc\n echo \"export LC_MONETARY=en_US.UTF-8\" >> /root/.bashrc\n echo \"export LC_MESSAGES=en_US.UTF-8\" >> /root/.bashrc\n echo \"export LC_PAPER=en_US.UTF-8\" >> /root/.bashrc\n echo \"export LC_NAME=en_US.UTF-8\" >> /root/.bashrc\n echo \"export LC_ADDRESS=en_US.UTF-8\" >> /root/.bashrc\n echo \"export LC_TELEPHONE=en_US.UTF-8\" >> /root/.bashrc\n echo \"export LC_MEASUREMENT=en_US.UTF-8\" >> /root/.bashrc\n echo \"export LC_IDENTIFICATION=en_US.UTF-8\" >> /root/.bashrc\n echo \"export LC_ALL=\" >> /root/.bashrc\n printf \"\\n\" >> /root/.bashrc\n fi\n}\n\n_if_fix_iptables_symlinks() {\n ###\n ### Fix for iptables paths backward compatibility\n ###\n if [ -x \"/sbin/iptables\" ] && [ ! -e \"/usr/sbin/iptables\" ]; then\n ln -sfn /sbin/iptables /usr/sbin/iptables\n fi\n if [ -x \"/usr/sbin/iptables\" ] && [ ! -e \"/sbin/iptables\" ]; then\n ln -sfn /usr/sbin/iptables /sbin/iptables\n fi\n if [ -x \"/sbin/iptables-save\" ] && [ ! -e \"/usr/sbin/iptables-save\" ]; then\n ln -sfn /sbin/iptables-save /usr/sbin/iptables-save\n fi\n if [ -x \"/usr/sbin/iptables-save\" ] && [ ! -e \"/sbin/iptables-save\" ]; then\n ln -sfn /usr/sbin/iptables-save /sbin/iptables-save\n fi\n if [ -x \"/sbin/iptables-restore\" ] && [ ! -e \"/usr/sbin/iptables-restore\" ]; then\n ln -sfn /sbin/iptables-restore /usr/sbin/iptables-restore\n fi\n if [ -x \"/usr/sbin/iptables-restore\" ] && [ ! -e \"/sbin/iptables-restore\" ]; then\n ln -sfn /usr/sbin/iptables-restore /sbin/iptables-restore\n fi\n if [ -x \"/sbin/ip6tables\" ] && [ ! -e \"/usr/sbin/ip6tables\" ]; then\n ln -sfn /sbin/ip6tables /usr/sbin/ip6tables\n fi\n if [ -x \"/usr/sbin/ip6tables\" ] && [ ! -e \"/sbin/ip6tables\" ]; then\n ln -sfn /usr/sbin/ip6tables /sbin/ip6tables\n fi\n if [ -x \"/sbin/ip6tables-save\" ] && [ ! -e \"/usr/sbin/ip6tables-save\" ]; then\n ln -sfn /sbin/ip6tables-save /usr/sbin/ip6tables-save\n fi\n if [ -x \"/usr/sbin/ip6tables-save\" ] && [ ! -e \"/sbin/ip6tables-save\" ]; then\n ln -sfn /usr/sbin/ip6tables-save /sbin/ip6tables-save\n fi\n if [ -x \"/sbin/ip6tables-restore\" ] && [ ! -e \"/usr/sbin/ip6tables-restore\" ]; then\n ln -sfn /sbin/ip6tables-restore /usr/sbin/ip6tables-restore\n fi\n if [ -x \"/usr/sbin/ip6tables-restore\" ] && [ ! -e \"/sbin/ip6tables-restore\" ]; then\n ln -sfn /usr/sbin/ip6tables-restore /sbin/ip6tables-restore\n fi\n ###\n ### Fix for iptables paths backward compatibility\n ###\n}\n\n###\n### Prefer Devuan APT sources\n###\n_prefer_devuan_repositories() {\n # Prefer Devuan; force base-files from Devuan (handles lower version vs Debian).\n mkdir -p /etc/apt/preferences.d\n cat >/etc/apt/preferences.d/99-prefer-devuan <<'EOF'\nPackage: *\nPin: release o=Devuan\nPin-Priority: 700\n\nPackage: base-files\nPin: release o=Devuan\nPin-Priority: 1001\nEOF\n _apt_clean_update\n}\n\n###\n### Display not supported VM or bare metal info\n###\n_not_supported_virt() {\n echo\n echo \"=== OOPS! ===\"\n echo\n echo \"You are running not supported virtualization system:\"\n echo \" $1\"\n echo\n echo \"If you wish to try BOA on this system anyway,\"\n echo \"please create an empty control file:\"\n echo \" /root/.allow.any.virt.cnf\"\n echo\n echo \"Please be aware that it may not work at all,\"\n echo \"or you can experience errors breaking BOA.\"\n echo\n echo \"WARNING! BOA IS NOT DESIGNED TO RUN DIRECTLY ON A BARE METAL.\"\n echo \"WARNING! IT IS VERY DANGEROUS AND THUS EXTREMELY BAD IDEA!\"\n echo \"WARNING! You are free to experiment but don't expect *ANY* support.\"\n echo\n echo \"BOA is known to work well on:\"\n echo\n echo \" * Linux Containers (LXC)\"\n echo \" * Linux KVM guest\"\n echo \" * Microsoft Hyper-V\"\n echo \" * OpenVZ Containers\"\n echo \" * Parallels guest\"\n echo \" * Red Hat KVM guest\"\n echo \" * VirtualBox guest\"\n echo \" * VMware ESXi guest (but excluding vCloud Air)\"\n echo \" * VServer guest\"\n echo \" * Xen guest fully virtualized (HVM)\"\n echo \" * Xen guest\"\n echo \" * Xen paravirtualized guest domain\"\n echo\n echo \"Bye\"\n echo\n exit 1\n}\n\n# --- internal: print message only in debug mode\n_msg() {\n if [ \"${_DEBUG_MODE}\" = \"YES\" ]; then\n echo \"[virt-what-fix] $*\"\n fi\n}\n\n# --- internal: run virt-what under strace and parse the helper's exec path\n_discover_with_strace() {\n local _path_found=\"\"\n if ! command -v strace >/dev/null 2>&1; then\n _msg \"strace not available, skipping strace-based discovery\"\n echo \"\"\n return 0\n fi\n # Temporarily extend PATH so virt-what can exec the helper for strace to see.\n PATH=\"${PATH}:${_CANDIDATE_PATHS}\" strace -f -qq -e trace=execve -o \"${_TRACE}\" virt-what >/dev/null 2>&1\n\n # mawk-safe parsing: pull the first quoted arg from execve(\"…\") and check suffix\n if [ -s \"${_TRACE}\" ]; then\n _path_found=$(\n awk -v n=\"${_HELPER_NAME}\" '\n /execve\\(\"/ {\n # Find start of execve(\" then extract up to next quote\n i = index($0, \"execve(\\\"\")\n if (i) {\n s = substr($0, i + 8) # after execve(\"\n j = index(s, \"\\\"\")\n if (j) {\n p = substr(s, 1, j - 1) # the path inside quotes\n if (p ~ (\"/\" n \"$\")) { print p; exit }\n }\n }\n }\n ' \"${_TRACE}\"\n )\n fi\n rm -f \"${_TRACE}\"\n\n if [ -n \"${_path_found}\" ] && [ -x \"${_path_found}\" ]; then\n _msg \"strace discovered helper at: ${_path_found}\"\n echo \"${_path_found}\"\n return 0\n fi\n _msg \"strace discovery failed\"\n echo \"\"\n return 0\n}\n\n# --- internal: dpkg-based discovery (Debian/Devuan)\n_discover_with_dpkg() {\n local _p=\"\"\n if command -v dpkg >/dev/null 2>&1; then\n _p=$(dpkg -L virt-what 2>/dev/null | grep -E \"/${_HELPER_NAME}$\" | head -n1)\n if [ -n \"${_p}\" ] && [ -x \"${_p}\" ]; then\n _msg \"dpkg discovered helper at: ${_p}\"\n echo \"${_p}\"\n return 0\n fi\n fi\n echo \"\"\n return 0\n}\n\n# --- internal: filesystem search fallback (bounded)\n_discover_with_find() {\n local _p=\"\"\n # Keep it bounded to /usr to stay fast/noisy-free.\n _p=$(find /usr -maxdepth 4 -type f -name \"${_HELPER_NAME}\" 2>/dev/null | head -n1)\n if [ -n \"${_p}\" ] && [ -x \"${_p}\" ]; then\n _msg \"find discovered helper at: ${_p}\"\n echo \"${_p}\"\n return 0\n fi\n echo \"\"\n return 0\n}\n\n# --- main: ensure symlink\n_ensure_virt_what_helper_symlink() {\n # If the symlink already exists and is working, nothing to do.\n if [ -L \"${_SYMLINK}\" ] && [ -x \"${_SYMLINK}\" ] && [ -e \"$(readlink -f \"${_SYMLINK}\")\" ]; then\n _msg \"Symlink already present and valid: ${_SYMLINK} -> $(readlink -f \"${_SYMLINK}\")\"\n return 0\n fi\n\n local _helper_path=\"\"\n _helper_path=\"$(_discover_with_strace)\"\n if [ -z \"${_helper_path}\" ]; then\n _helper_path=\"$(_discover_with_dpkg)\"\n fi\n if [ -z \"${_helper_path}\" ]; then\n _helper_path=\"$(_discover_with_find)\"\n fi\n\n if [ -z \"${_helper_path}\" ]; then\n echo \"ERROR: Could not locate ${_HELPER_NAME} anywhere under /usr.\" 1>&2\n return 1\n fi\n\n # Safety: if a non-symlink file already exists at the target, back it up once.\n if [ -e \"${_SYMLINK}\" ] && [ ! -L \"${_SYMLINK}\" ]; then\n _msg \"Backing up existing non-symlink at ${_SYMLINK} to ${_SYMLINK}.orig\"\n mv -f \"${_SYMLINK}\" \"${_SYMLINK}.orig\"\n fi\n\n ln -sfn \"${_helper_path}\" \"${_SYMLINK}\"\n if [ -x \"${_SYMLINK}\" ]; then\n _msg \"Symlink created: ${_SYMLINK} -> ${_helper_path}\"\n return 0\n else\n echo \"ERROR: Failed to create working symlink ${_SYMLINK} -> ${_helper_path}\" 1>&2\n return 2\n fi\n}\n\n###\n### Fix VM system detection\n###\n_fix_virt_what() {\n _VIRT_TEST=\"$(which virt-what)\"\n if [ -n \"${_VIRT_TEST}\" ] && [ -x \"${_VIRT_TEST}\" ]; then\n _SHELL_TEST_A=$(grep -I -o \"\\#\\!.*/usr/bin/sh\" ${_VIRT_TEST} 2>&1)\n _SHELL_TEST_B=$(grep -I -o \"\\#\\!.*/bin/sh\" ${_VIRT_TEST} 2>&1)\n if [[ \"${_SHELL_TEST_A}\" =~ \"/usr/bin/sh\" ]]; then\n sed -i \"s/\\/usr\\/bin\\/sh/\\/bin\\/dash/g\" ${_VIRT_TEST}\n fi\n if [[ \"${_SHELL_TEST_B}\" =~ \"/bin/sh\" ]]; then\n sed -i \"s/\\/bin\\/sh/\\/bin\\/dash/g\" ${_VIRT_TEST}\n fi\n _HELPER_NAME=\"virt-what-cpuid-helper\"\n _SYMLINK=\"/usr/sbin/${_HELPER_NAME}\"\n _TRACE=\"/tmp/virtwhat.$$.strace\"\n # Extra dirs we temporarily expose to PATH so virt-what can exec the helper for strace discovery\n _CANDIDATE_PATHS=\"/usr/libexec:/usr/lib/x86_64-linux-gnu:/usr/lib64/virt-what:/usr/lib/virt-what\"\n if [ ! -e \"${_SYMLINK}\" ]; then\n echo \"INFO: virt-what tool requires small update, fixing...\"\n if ! command -v strace &> /dev/null; then\n _apt_clean_update\n apt-get install strace ${_aptYesUnth}\n fi\n _ensure_virt_what_helper_symlink\n fi\n fi\n}\n\n###\n### Fix or install VM system detection\n###\n_fix_or_install_virt_what() {\n _VIRT_TEST=\"$(which virt-what)\"\n if [ -n \"${_VIRT_TEST}\" ] && [ -x \"${_VIRT_TEST}\" ]; then\n _fix_virt_what\n else\n echo \"INFO: installing required virt-what tool ...\"\n if [ ! -e \"/etc/apt/apt.conf.d/00sandboxoff\" ] \\\n && [ -e \"/etc/apt/apt.conf.d\" ]; then\n echo \"APT::Sandbox::User \\\"root\\\";\" > /etc/apt/apt.conf.d/00sandboxoff\n fi\n _apt_clean_update\n apt-get install virt-what ${_aptYesUnth}\n wait\n _fix_virt_what\n fi\n}\n\n_check_virt() {\n _fix_or_install_virt_what\n _VIRT_TOOL=\"$(which virt-what)\"\n if [ -x \"${_VIRT_TOOL}\" ]; then\n _VIRT_TEST=$(virt-what)\n _VIRT_TEST=$(echo -n ${_VIRT_TEST} | fmt -su -w 2500 2>&1)\n if [[ \"${_VIRT_TEST}\" =~ \"program not found\" ]]; then\n echo \"ERROR: virt-what says: ${_VIRT_TEST}\"\n echo \"ERROR: virt-what detection fails for unknown reason\"\n fi\n if [ ! -e \"/root/.allow.any.virt.cnf\" ]; then\n if [ -e \"/proc/self/status\" ]; then\n _VS_GUEST_TEST=$(grep -E \"VxID:[[:space:]]*[0-9]{2,}$\" /proc/self/status 2> /dev/null)\n _VS_HOST_TEST=$(grep -E \"VxID:[[:space:]]*0$\" /proc/self/status 2> /dev/null)\n fi\n if [ ! -z \"${_VS_HOST_TEST}\" ] || [ ! -z \"${_VS_GUEST_TEST}\" ]; then\n if [ -z \"${_VS_HOST_TEST}\" ] && [ ! -z \"${_VS_GUEST_TEST}\" ]; then\n _VIRT_IS=\"Linux VServer guest\"\n else\n if [ ! -z \"${_VS_HOST_TEST}\" ]; then\n _not_supported_virt \"Linux VServer host\"\n else\n _not_supported_virt \"unknown / not a virtual machine\"\n fi\n fi\n else\n if [ -z \"${_VIRT_TEST}\" ] || [ \"${_VIRT_TEST}\" = \"0\" ]; then\n _not_supported_virt \"unknown / not a virtual machine\"\n elif [[ \"${_VIRT_TEST}\" =~ \"xen-dom0\" ]]; then\n _not_supported_virt \"Xen privileged domain\"\n elif [[ \"${_VIRT_TEST}\" =~ \"linux_vserver-host\" ]]; then\n _not_supported_virt \"Linux VServer host\"\n else\n if [[ \"${_VIRT_TEST}\" =~ \"xen xen-hvm\" ]]; then\n _VIRT_TEST=\"xen-hvm\"\n elif [[ \"${_VIRT_TEST}\" =~ \"xen xen-domU\" ]]; then\n _VIRT_TEST=\"xen-domU\"\n elif [[ \"${_VIRT_TEST}\" =~ \"virtualbox kvm\" ]]; then\n _VIRT_TEST=\"virtualbox\"\n elif [[ \"${_VIRT_TEST}\" =~ \"hyperv qemu\" ]]; then\n _VIRT_TEST=\"hyperv\"\n elif [[ \"${_VIRT_TEST}\" =~ \"kvm aws\" ]]; then\n _VIRT_TEST=\"kvm\"\n elif [[ \"${_VIRT_TEST}\" =~ \"redhat kvm\" ]]; then\n _VIRT_TEST=\"redhat-kvm\"\n elif [[ \"${_VIRT_TEST}\" =~ \"openvz lxc\" ]]; then\n _VIRT_TEST=\"openvz\"\n fi\n case \"${_VIRT_TEST}\" in\n hyperv) _VIRT_IS=\"Microsoft Hyper-V\" ;;\n kvm) _VIRT_IS=\"Linux KVM guest\" ;;\n lxc) _VIRT_IS=\"Linux Containers (LXC)\" ;;\n openvz) _VIRT_IS=\"OpenVZ Containers\" ;;\n parallels) _VIRT_IS=\"Parallels guest\" ;;\n redhat-kvm) _VIRT_IS=\"Red Hat KVM guest\" ;;\n virtualbox) _VIRT_IS=\"VirtualBox guest\" ;;\n vmware) _VIRT_IS=\"VMware ESXi guest\" ;;\n xen-domU) _VIRT_IS=\"Xen paravirtualized guest domain\" ;;\n xen-hvm) _VIRT_IS=\"Xen guest fully virtualized (HVM)\" ;;\n xen) _VIRT_IS=\"Xen guest\" ;;\n *) _not_supported_virt \"${_VIRT_TEST}\"\n ;;\n esac\n fi\n fi\n else\n if [ -z \"${_VIRT_TEST}\" ] || [ \"${_VIRT_TEST}\" = \"0\" ]; then\n _VIRT_TEST=\"unknown / not a virtual machine\"\n fi\n fi\n fi\n}\n\n###\n### Make local OpenSSL new/legacy ssl/certs symlinked to system ssl/certs\n###\n_fix_sync_system_ssl_certs() {\n if [ -e \"/etc/ssl/certs/ca-certificates.crt\" ] \\\n && [ ! -e \"/usr/local/ssl3/.old-certs\" ] \\\n && [ -d \"/usr/local/ssl3/certs\" ] \\\n && [ ! -L \"/usr/local/ssl3/certs\" ]; then\n mv -f /usr/local/ssl3/certs /usr/local/ssl3/.old-certs\n ln -sfn /etc/ssl/certs /usr/local/ssl3/certs\n fi\n if [ -e \"/etc/ssl/certs/ca-certificates.crt\" ] \\\n && [ ! -e \"/usr/local/ssl/.old-certs\" ] \\\n && [ -d \"/usr/local/ssl/certs\" ] \\\n && [ ! -L \"/usr/local/ssl/certs\" ]; then\n mv -f /usr/local/ssl/certs /usr/local/ssl/.old-certs\n ln -sfn /etc/ssl/certs /usr/local/ssl/certs\n fi\n}\n\n_update_agents() {\n\n _if_hosted_sys\n if [ \"${_hostedSys}\" = \"YES\" ]; then\n if [ ! -e \"/root/.extended.firewall.exceptions.cnf\" ]; then\n echo host8 > /root/.extended.firewall.exceptions.cnf\n fi\n fi\n\n if [ \"${_VMFAMILY}\" = \"HOSTED\" ] \\\n && [ -e \"/var/aegir/.drush/hm.alias.drushrc.php\" ] \\\n && [ -d \"/data/u\" ] \\\n && [ -e \"/var/xdrago\" ]; then\n [ ! -e \"/root/.fast.cron.cnf\" ] && echo ON > /root/.fast.cron.cnf\n _PrTestPower=$(grep \"POWER\" /root/.*.octopus.cnf 2>&1)\n _PrTestPhantom=$(grep \"PHANTOM\" /root/.*.octopus.cnf 2>&1)\n _PrTestCluster=$(grep \"CLUSTER\" /root/.*.octopus.cnf 2>&1)\n _PrTestUltra=$(grep \"ULTRA\" /root/.*.octopus.cnf 2>&1)\n _PrTestMonster=$(grep \"MONSTER\" /root/.*.octopus.cnf 2>&1)\n _InTest=$(ls /data/disk/*/static/control/cli.info | wc -l 2>&1)\n _SQL_PSWD=$(cat /root/.my.pass.txt 2>/dev/null | tr -d '\\n')\n if [ \"${_InTest}\" -lt 9 ] \\\n && [[ ! \"${_PrTestPower}\" =~ \"POWER\" ]] \\\n && [[ ! \"${_PrTestPhantom}\" =~ \"PHANTOM\" ]] \\\n && [[ ! \"${_PrTestCluster}\" =~ \"CLUSTER\" ]] \\\n && [[ ! \"${_PrTestUltra}\" =~ \"ULTRA\" ]] \\\n && [[ ! \"${_PrTestMonster}\" =~ \"MONSTER\" ]]; then\n [ ! -e \"/root/.fast.cron.cnf\" ] && echo ${_InTest} > /root/.fast.cron.cnf\n [ -e \"/root/.hr.monitor.cnf\" ] && rm -f /root/.hr.monitor.cnf\n [ -e \"/root/.slow.cron.cnf\" ] && [ ! -e \"/root/.slow.cron.cnf.protected\" ] && rm -f /root/.slow.cron.cnf\n [ -e \"/root/.tg.cnf\" ] && rm -f /root/.tg.cnf\n mysql -u root -e \"SET GLOBAL max_connect_errors = 555;\"\n mysql -u root -e \"SET GLOBAL max_connections = 111;\"\n mysql -u root -e \"SET GLOBAL max_user_connections = 111;\"\n mysql -u root -e \"SET GLOBAL group_concat_max_len = 10000;\"\n fi\n if [ \"${_InTest}\" -ge 9 ] && [ \"${_InTest}\" -le 50 ]; then\n [ ! -e \"/root/.fast.cron.cnf\" ] && echo ${_InTest} > /root/.fast.cron.cnf\n [ -e \"/root/.hr.monitor.cnf\" ] && rm -f /root/.hr.monitor.cnf\n [ -e \"/root/.slow.cron.cnf\" ] && [ ! -e \"/root/.slow.cron.cnf.protected\" ] && rm -f /root/.slow.cron.cnf\n [ -e \"/root/.tg.cnf\" ] && rm -f /root/.tg.cnf\n mysql -u root -e \"SET GLOBAL max_connect_errors = 777;\"\n mysql -u root -e \"SET GLOBAL max_connections = 555;\"\n mysql -u root -e \"SET GLOBAL max_user_connections = 111;\"\n mysql -u root -e \"SET GLOBAL group_concat_max_len = 10000;\"\n fi\n if [ \"${_InTest}\" -gt 50 ]; then\n [ -e \"/root/.fast.cron.cnf\" ] && rm -f /root/.fast.cron.cnf\n [ ! -e \"/root/.tg.cnf\" ] && echo ${_InTest} > /root/.tg.cnf\n [ ! -e \"/root/.hr.monitor.cnf\" ] && echo ${_InTest} > /root/.hr.monitor.cnf\n [ ! -e \"/root/.slow.cron.cnf\" ] && echo ${_InTest} > /root/.slow.cron.cnf\n mysql -u root -e \"SET GLOBAL max_connect_errors = 999;\"\n mysql -u root -e \"SET GLOBAL max_connections = 777;\"\n mysql -u root -e \"SET GLOBAL max_user_connections = 111;\"\n mysql -u root -e \"SET GLOBAL group_concat_max_len = 10000;\"\n fi\n if [[ \"${_PrTestPower}\" =~ \"POWER\" ]]; then\n [ ! -e \"/root/.tg.cnf\" ] && echo ${_InTest} > /root/.tg.cnf\n [ ! -e \"/root/.fast.cron.cnf\" ] && echo ${_InTest} > /root/.fast.cron.cnf\n [ -e \"/root/.hr.monitor.cnf\" ] && rm -f /root/.hr.monitor.cnf\n [ -e \"/root/.slow.cron.cnf\" ] && [ ! -e \"/root/.slow.cron.cnf.protected\" ] && rm -f /root/.slow.cron.cnf\n mysql -u root -e \"SET GLOBAL max_connect_errors = 555;\"\n mysql -u root -e \"SET GLOBAL max_connections = 333;\"\n mysql -u root -e \"SET GLOBAL max_user_connections = 111;\"\n mysql -u root -e \"SET GLOBAL group_concat_max_len = 10000;\"\n fi\n if [[ \"${_PrTestPhantom}\" =~ \"PHANTOM\" ]]; then\n [ ! -e \"/root/.tg.cnf\" ] && echo ${_InTest} > /root/.tg.cnf\n [ ! -e \"/root/.fast.cron.cnf\" ] && echo ${_InTest} > /root/.fast.cron.cnf\n [ -e \"/root/.hr.monitor.cnf\" ] && rm -f /root/.hr.monitor.cnf\n [ -e \"/root/.slow.cron.cnf\" ] && [ ! -e \"/root/.slow.cron.cnf.protected\" ] && rm -f /root/.slow.cron.cnf\n mysql -u root -e \"SET GLOBAL max_connect_errors = 777;\"\n mysql -u root -e \"SET GLOBAL max_connections = 555;\"\n mysql -u root -e \"SET GLOBAL max_user_connections = 333;\"\n mysql -u root -e \"SET GLOBAL group_concat_max_len = 10000;\"\n fi\n if [[ \"${_PrTestCluster}\" =~ \"CLUSTER\" ]]; then\n [ ! -e \"/root/.tg.cnf\" ] && echo ${_InTest} > /root/.tg.cnf\n [ ! -e \"/root/.fast.cron.cnf\" ] && echo ${_InTest} > /root/.fast.cron.cnf\n [ -e \"/root/.hr.monitor.cnf\" ] && rm -f /root/.hr.monitor.cnf\n [ -e \"/root/.slow.cron.cnf\" ] && [ ! -e \"/root/.slow.cron.cnf.protected\" ] && rm -f /root/.slow.cron.cnf\n mysql -u root -e \"SET GLOBAL max_connect_errors = 999;\"\n mysql -u root -e \"SET GLOBAL max_connections = 777;\"\n mysql -u root -e \"SET GLOBAL max_user_connections = 555;\"\n mysql -u root -e \"SET GLOBAL group_concat_max_len = 10000;\"\n fi\n mysql -u root -e \"SET GLOBAL optimizer_switch='derived_merge=off';\"\n mysql -u root -e \"SET GLOBAL sort_buffer_size = 262144;\"\n if [ -e \"/root/.tg.cnf\" ]; then\n if [ ! -e \"/root/.fixed_fpm_workers.cnf\" ]; then\n sed -i \"s/^_PHP_FPM_WORKERS=.*/_PHP_FPM_WORKERS=100/g\" ${_barCnf}\n touch /root/.fixed_fpm_workers.cnf\n fi\n fi\n if [ ! -e \"/root/.high_traffic.cnf\" ]; then\n echo ${_InTest} > /root/.high_traffic.cnf\n echo ${_InTest} > /root/.no.swap.clear.cnf\n fi\n [ -e \"/root/.randomize_duplicity_full_backup_day.cnf\" ] && rm -f /root/.randomize_duplicity_full_backup_day.cnf\n [ -e \"/root/.skip_duplicity_monthly_cleanup.cnf\" ] && rm -f /root/.skip_duplicity_monthly_cleanup.cnf\n [ -e \"/root/.my.batch_innodb.cnf\" ] && rm -f /root/.my.batch_innodb.cnf\n [ -e \"/root/.batch_innodb.cnf\" ] && rm -f /root/.batch_innodb.cnf\n [ -e \"/root/.force.drupalgeddon.cnf\" ] && rm -f /root/.force.drupalgeddon.cnf\n [ -e \"/root/.skip_cleanup.cnf\" ] && rm -f /root/.skip_cleanup.cnf\n [ -e \"/root/.giant_traffic.cnf\" ] && rm -f /root/.giant_traffic.cnf\n [ -e \"/root/.default.cnf\" ] && rm -f /root/.default.cnf\n [ -e \"/root/.debug.cnf\" ] && rm -f /root/.debug.cnf\n if [ -e \"/data/conf/override.global.inc\" ] \\\n && [ ! -e \"/data/conf/.prev6.override.global.inc.off\" ]; then\n mv -f /data/conf/override.global.inc /data/conf/.prev6.override.global.inc.off\n fi\n# if [ ! -e \"/data/conf/override.global.inc\" ]; then\n# echo \" /data/conf/override.global.inc.tmp\n# echo \"\" >> /data/conf/override.global.inc.tmp\n# echo \"\\$use_valkey = TRUE;\" >> /data/conf/override.global.inc.tmp\n# chmod 644 /data/conf/override.global.inc.tmp\n# mv -f /data/conf/override.global.inc.tmp /data/conf/override.global.inc\n# fi\n fi\n\n\n if [ -e \"/var/aegir/.drush/hm.alias.drushrc.php\" ]; then\n\n _pthCtrl=\"/root/.remote_backups/ctrl\"\n if [ \"${_tRee}\" = \"pro\" ] || [ \"${_tRee}\" = \"dev\" ]; then\n [ ! -e \"${_pthCtrl}\" ] && mkdir -p ${_pthCtrl}\n [ ! -e \"/root/.remote_backups/run\" ] && mkdir -p /root/.remote_backups/run\n else\n rm -rf /root/.remote_backups\n fi\n\n [ ! -e \"/var/xdrago/monitor/check\" ] && mkdir -p /var/xdrago/monitor/check\n [ ! -e \"/var/xdrago/monitor/log\" ] && mkdir -p /var/xdrago/monitor/log\n\n if [ ! -e \"${_pthLog}/.force.f89.${_tRee}.${_xSrl}.ctrl\" ]; then\n rm -f ${_pthLog}/*.ctrl.*.pid\n touch ${_pthLog}/.force.f89.${_tRee}.${_xSrl}.ctrl\n fi\n\n [ ! -e \"/var/xdrago/checksql.pl\" ] && rm -f ${_pthLog}/checksql.pl.ctrl.*.pid\n [ ! -e \"/var/xdrago/clear.sh\" ] && rm -f ${_pthLog}/clear.sh.ctrl.*.pid\n [ ! -e \"/var/xdrago/daily.sh\" ] && rm -f ${_pthLog}/daily.sh.ctrl.*.pid\n [ ! -e \"/var/xdrago/graceful.sh\" ] && rm -f ${_pthLog}/graceful.sh.ctrl.*.pid\n [ ! -e \"/var/xdrago/guest-fire.sh\" ] && rm -f ${_pthLog}/guest-fire.sh.ctrl.*.pid\n [ ! -e \"/var/xdrago/guest-water.sh\" ] && rm -f ${_pthLog}/guest-water.sh.ctrl.*.pid\n [ ! -e \"/var/xdrago/ip_access.sh\" ] && rm -f ${_pthLog}/ip_access.sh.ctrl.*.pid\n [ ! -e \"/var/xdrago/manage_ltd_users.sh\" ] && rm -f ${_pthLog}/manage_ltd_users.sh.ctrl.*.pid\n [ ! -e \"/var/xdrago/manage_solr_config.sh\" ] && rm -f ${_pthLog}/manage_solr_config.sh.ctrl.*.pid\n [ ! -e \"/var/xdrago/minute.sh\" ] && rm -f ${_pthLog}/minute.sh.ctrl.*.pid\n [ ! -e \"/var/xdrago/move_sql.sh\" ] && rm -f ${_pthLog}/move_sql.sh.ctrl.*.pid\n [ ! -e \"/var/xdrago/mysql_backup.sh\" ] && rm -f ${_pthLog}/mysql_backup.sh.ctrl.*.pid\n [ ! -e \"/var/xdrago/mysql_cleanup.sh\" ] && rm -f ${_pthLog}/mysql_cleanup.sh.ctrl.*.pid\n [ ! -e \"/var/xdrago/mysql_cluster_backup.sh\" ] && rm -f ${_pthLog}/mysql_cluster_backup.sh.ctrl.*.pid\n [ ! -e \"/var/xdrago/mysql_repair.sh\" ] && rm -f ${_pthLog}/mysql_repair.sh.ctrl.*.pid\n [ ! -e \"/var/xdrago/proc_num_ctrl.pl\" ] && rm -f ${_pthLog}/proc_num_ctrl.pl.ctrl.*.pid\n [ ! -e \"/var/xdrago/purge_binlogs.sh\" ] && rm -f ${_pthLog}/purge_binlogs.sh.ctrl.*.pid\n [ ! -e \"/var/xdrago/runner.sh\" ] && rm -f ${_pthLog}/runner.sh.ctrl.*.pid\n [ ! -e \"/var/xdrago/second.sh\" ] && rm -f ${_pthLog}/second.sh.ctrl.*.pid\n [ ! -e \"/var/xdrago/usage.sh\" ] && rm -f ${_pthLog}/usage.sh.ctrl.*.pid\n\n [ ! -e \"/var/xdrago/monitor/check/java.sh\" ] && rm -f ${_pthLog}/java.sh.ctrl.*.pid\n [ ! -e \"/var/xdrago/monitor/check/mysql.sh\" ] && rm -f ${_pthLog}/mysql.sh.ctrl.*.pid\n [ ! -e \"/var/xdrago/monitor/check/nginx.sh\" ] && rm -f ${_pthLog}/nginx.sh.ctrl.*.pid\n [ ! -e \"/var/xdrago/monitor/check/php.sh\" ] && rm -f ${_pthLog}/php.sh.ctrl.*.pid\n [ ! -e \"/var/xdrago/monitor/check/valkey.sh\" ] && rm -f ${_pthLog}/valkey.sh.ctrl.*.pid\n [ ! -e \"/var/xdrago/monitor/check/redis.sh\" ] && rm -f ${_pthLog}/redis.sh.ctrl.*.pid\n [ ! -e \"/var/xdrago/monitor/check/scan_nginx.sh\" ] && rm -f ${_pthLog}/scan_nginx.sh.ctrl.*.pid\n [ ! -e \"/var/xdrago/monitor/check/system.sh\" ] && rm -f ${_pthLog}/system.sh.ctrl.*.pid\n [ ! -e \"/var/xdrago/monitor/check/unbound.sh\" ] && rm -f ${_pthLog}/unbound.sh.ctrl.*.pid\n\n [ ! -e \"/var/xdrago/monitor/check/escapecheck.sh\" ] && rm -f ${_pthLog}/escapecheck.sh.ctrl.*.pid\n [ ! -e \"/var/xdrago/monitor/check/hackcheck.sh\" ] && rm -f ${_pthLog}/hackcheck.sh.ctrl.*.pid\n [ ! -e \"/var/xdrago/monitor/check/hackftp.sh\" ] && rm -f ${_pthLog}/hackftp.sh.ctrl.*.pid\n [ ! -e \"/var/xdrago/monitor/check/segfault_alert.pl\" ] && rm -f ${_pthLog}/segfault_alert.pl.ctrl.*.pid\n [ ! -e \"/var/xdrago/monitor/check/sqlcheck.pl\" ] && rm -f ${_pthLog}/sqlcheck.pl.ctrl.*.pid\n\n [ -e \"/var/xdrago/proc_num_ctrl.cgi\" ] && rm -f /var/xdrago/proc_num_ctrl.cgi\n [ -e \"/var/xdrago/checksql.cgi\" ] && rm -f /var/xdrago/checksql.cgi\n [ -e \"/var/xdrago/mysql_hourly.sh\" ] && rm -f /var/xdrago/mysql_hourly.sh\n\n [ -e \"/var/xdrago/monitor/check/sqlcheck\" ] && rm -f ${_pthLog}/*.ctrl.*.pid\n [ -e \"/var/xdrago/monitor/check/sqlcheck\" ] && rm -f /var/xdrago/monitor/check/*\n\n [ -e \"/var/xdrago/monitor/hackcheck.archive.log\" ] && rm -f /var/xdrago/monitor/.scan_nginx_arch*\n [ -e \"/var/xdrago/monitor/hackcheck.archive.log\" ] && mv -f /var/xdrago/monitor/*.log /var/xdrago/monitor/log/\n fi\n\n if [ -e \"/root/.remote_backups/schedule/backup_schedule.txt\" ] \\\n && [ -d \"/var/aegir/drush\" ]; then\n if grep -q \"Out of memory: Killed process.*duplicity\" /var/log/iptables.log; then\n if [ ! -e \"/root/.remote_backups/schedule/backup_schedule.txt-off\" ]; then\n cp -a /root/.remote_backups/schedule/backup_schedule.txt /root/.remote_backups/schedule/backup_schedule.txt-off\n echo \"# Backup schedule (service user) OFF\" > /root/.remote_backups/schedule/backup_schedule.txt\n chattr +i /root/.remote_backups/schedule/backup_schedule.txt\n fi\n else\n if [ -e \"/root/.remote_backups/schedule/backup_schedule.txt-off\" ]; then\n chattr -i /root/.remote_backups/schedule/backup_schedule.txt\n rm -f /root/.remote_backups/schedule/backup_schedule.txt\n mv /root/.remote_backups/schedule/backup_schedule.txt-off /root/.remote_backups/schedule/backup_schedule.txt\n fi\n fi\n if [ \"$(pgrep -fc duplicity)\" -gt 0 ] \\\n && [ \"$(pgrep -fc dcysetup)\" -lt 1 ] \\\n && [ \"$(pgrep -fc mybackup)\" -lt 1 ] \\\n && [ \"$(pgrep -fc multiback)\" -lt 1 ]; then\n pkill -9 -f duplicity\n rm -rf /tmp/duplicity*\n rm -rf /root/.cache/duplicity/*/duplicity-*tempdir\n rm -f /root/.cache/duplicity/*/lockfile\n echo \"$(date) Orphaned duplicity processes killed\" >> /var/log/duplicity-cleanup.log\n fi\n fi\n\n if ! grep -q \"OFF\" ${_optBin}/lock.inc; then\n rm -f ${_pthLog}/lock.inc.sh.ctrl.*\n fi\n if [ ! -e \"${_optBin}/lock.inc\" ] \\\n || [ ! -e \"${_pthLog}/lock.inc.sh.ctrl.f98.${_tRee}.${_xSrl}.pid\" ]; then\n _CNT=$(pgrep -fc foobar)\n if (( _CNT > 0 )); then\n echo \"The foobar is running!\"\n else\n if [ -e \"${_optBin}/lock.inc\" ]; then\n mv -f ${_optBin}/lock.inc ${_optBin}/lock.inc.old\n fi\n curl ${_crlGet} \"${_urlHmr}/tools/bin/lock.inc\" -o ${_optBin}/lock.inc\n if [ -e \"${_optBin}/lock.inc\" ]; then\n chmod 700 ${_optBin}/lock.inc\n chown root:root ${_optBin}/lock.inc\n touch ${_pthLog}/lock.inc.sh.ctrl.f98.${_tRee}.${_xSrl}.pid\n else\n if [ -e \"${_optBin}/lock.inc.old\" ]; then\n mv -f ${_optBin}/lock.inc.old ${_optBin}/lock.inc\n fi\n fi\n fi\n fi\n\n if [ ! -e \"${_optBin}/vmnetfix\" ] \\\n || [ ! -e \"${_pthLog}/vmnetfix.sh.ctrl.f89.${_tRee}.${_xSrl}.pid\" ]; then\n _CNT=$(pgrep -fc vmnetfix)\n if (( _CNT > 0 )); then\n echo \"The vmnetfix is running!\"\n else\n if [ ! -e \"/etc/init.d/networking\" ]; then\n mkdir -p /etc/init.d\n curl ${_crlGet} \"${_urlHmr}/conf/network/networking\" -o /etc/init.d/networking\n chmod 0755 /etc/init.d/networking\n chown root:root /etc/init.d/networking\n update-rc.d networking defaults >/dev/null 2>&1 || true\n fi\n if [ -e \"${_optBin}/vmnetfix\" ]; then\n mv -f ${_optBin}/vmnetfix ${_optBin}/vmnetfix.old\n fi\n curl ${_crlGet} \"${_urlHmr}/tools/bin/vmnetfix\" -o ${_optBin}/vmnetfix\n if [ -e \"${_optBin}/vmnetfix\" ]; then\n chmod 700 ${_optBin}/vmnetfix\n chown root:root ${_optBin}/vmnetfix\n touch ${_pthLog}/vmnetfix.sh.ctrl.f89.${_tRee}.${_xSrl}.pid\n else\n if [ -e \"${_optBin}/vmnetfix.old\" ]; then\n mv -f ${_optBin}/vmnetfix.old ${_optBin}/vmnetfix\n fi\n fi\n fi\n fi\n\n if [ ! -e \"${_optBin}/screenfetch\" ] \\\n || [ ! -e \"${_pthLog}/screenfetch.sh.ctrl.f99.${_tRee}.${_xSrl}.pid\" ]; then\n _CNT=$(pgrep -fc screenfetch)\n if (( _CNT > 0 )); then\n echo \"The screenfetch is running!\"\n else\n if [ -e \"${_optBin}/screenfetch\" ]; then\n mv -f ${_optBin}/screenfetch ${_optBin}/screenfetch.old\n fi\n curl ${_crlGet} \"${_urlHmr}/tools/bin/screenfetch\" -o ${_optBin}/screenfetch\n if [ -e \"${_optBin}/screenfetch\" ]; then\n chmod 700 ${_optBin}/screenfetch\n chown root:root ${_optBin}/screenfetch\n touch ${_pthLog}/screenfetch.sh.ctrl.f99.${_tRee}.${_xSrl}.pid\n else\n if [ -e \"${_optBin}/screenfetch.old\" ]; then\n mv -f ${_optBin}/screenfetch.old ${_optBin}/screenfetch\n fi\n fi\n fi\n fi\n\n if [ ! -e \"${_optBin}/fixrepo\" ] \\\n || [ ! -e \"${_pthLog}/fixrepo.sh.ctrl.f99.${_tRee}.${_xSrl}.pid\" ]; then\n _CNT=$(pgrep -fc fixrepo)\n if (( _CNT > 0 )); then\n echo \"The fixrepo is running!\"\n else\n if [ -e \"${_optBin}/fixrepo\" ]; then\n mv -f ${_optBin}/fixrepo ${_optBin}/fixrepo.old\n fi\n curl ${_crlGet} \"${_urlHmr}/tools/bin/fixrepo\" -o ${_optBin}/fixrepo\n if [ -e \"${_optBin}/fixrepo\" ]; then\n chmod 700 ${_optBin}/fixrepo\n chown root:root ${_optBin}/fixrepo\n touch ${_pthLog}/fixrepo.sh.ctrl.f99.${_tRee}.${_xSrl}.pid\n else\n if [ -e \"${_optBin}/fixrepo.old\" ]; then\n mv -f ${_optBin}/fixrepo.old ${_optBin}/fixrepo\n fi\n fi\n fi\n fi\n\n if [ ! -e \"${_optBin}/renameaegirhost\" ] \\\n || [ ! -e \"${_pthLog}/renameaegirhost.sh.ctrl.f99.${_tRee}.${_xSrl}.pid\" ]; then\n _CNT=$(pgrep -fc renameaegirhost)\n if (( _CNT > 0 )); then\n echo \"The renameaegirhost is running!\"\n else\n if [ -e \"${_optBin}/renameaegirhost\" ]; then\n mv -f ${_optBin}/renameaegirhost ${_optBin}/renameaegirhost.old\n fi\n curl ${_crlGet} \"${_urlHmr}/tools/bin/renameaegirhost\" -o ${_optBin}/renameaegirhost\n if [ -e \"${_optBin}/renameaegirhost\" ]; then\n chmod 700 ${_optBin}/renameaegirhost\n chown root:root ${_optBin}/renameaegirhost\n touch ${_pthLog}/renameaegirhost.sh.ctrl.f99.${_tRee}.${_xSrl}.pid\n else\n if [ -e \"${_optBin}/renameaegirhost.old\" ]; then\n mv -f ${_optBin}/renameaegirhost.old ${_optBin}/renameaegirhost\n fi\n fi\n fi\n fi\n\n if [ ! -e \"${_optBin}/autosymlink\" ] \\\n || [ ! -e \"${_pthLog}/autosymlink.sh.ctrl.f93.${_tRee}.${_xSrl}.pid\" ]; then\n _CNT=$(pgrep -fc autosymlink)\n if (( _CNT > 0 )); then\n echo \"The autosymlink is running!\"\n else\n if [ -e \"${_optBin}/autosymlink\" ]; then\n mv -f ${_optBin}/autosymlink ${_optBin}/autosymlink.old\n fi\n curl ${_crlGet} \"${_urlHmr}/tools/bin/autosymlink\" -o ${_optBin}/autosymlink\n if [ -e \"${_optBin}/autosymlink\" ]; then\n chmod 700 ${_optBin}/autosymlink\n chown root:root ${_optBin}/autosymlink\n touch ${_pthLog}/autosymlink.sh.ctrl.f93.${_tRee}.${_xSrl}.pid\n else\n if [ -e \"${_optBin}/autosymlink.old\" ]; then\n mv -f ${_optBin}/autosymlink.old ${_optBin}/autosymlink\n fi\n fi\n fi\n fi\n\n if [ ! -e \"${_optBin}/updatesymlinks\" ] \\\n || [ ! -e \"${_pthLog}/updatesymlinks.sh.ctrl.f99.${_tRee}.${_xSrl}.pid\" ]; then\n _CNT=$(pgrep -fc updatesymlinks)\n if (( _CNT > 0 )); then\n echo \"The updatesymlinks is running!\"\n else\n if [ -e \"${_optBin}/updatesymlinks\" ]; then\n mv -f ${_optBin}/updatesymlinks ${_optBin}/updatesymlinks.old\n fi\n curl ${_crlGet} \"${_urlHmr}/tools/bin/updatesymlinks\" -o ${_optBin}/updatesymlinks\n if [ -e \"${_optBin}/updatesymlinks\" ]; then\n chmod 700 ${_optBin}/updatesymlinks\n chown root:root ${_optBin}/updatesymlinks\n touch ${_pthLog}/updatesymlinks.sh.ctrl.f99.${_tRee}.${_xSrl}.pid\n else\n if [ -e \"${_optBin}/updatesymlinks.old\" ]; then\n mv -f ${_optBin}/updatesymlinks.old ${_optBin}/updatesymlinks\n fi\n fi\n fi\n fi\n\n if [ ! -e \"${_optBin}/aptcleanup\" ] \\\n || [ ! -e \"${_pthLog}/aptcleanup.sh.ctrl.f97.${_tRee}.${_xSrl}.pid\" ]; then\n _CNT=$(pgrep -fc aptcleanup)\n if (( _CNT > 0 )); then\n echo \"The aptcleanup is running!\"\n else\n if [ -e \"${_optBin}/aptcleanup\" ]; then\n mv -f ${_optBin}/aptcleanup ${_optBin}/aptcleanup.old\n fi\n curl ${_crlGet} \"${_urlHmr}/tools/bin/aptcleanup\" -o ${_optBin}/aptcleanup\n if [ -e \"${_optBin}/aptcleanup\" ]; then\n chmod 700 ${_optBin}/aptcleanup\n chown root:root ${_optBin}/aptcleanup\n touch ${_pthLog}/aptcleanup.sh.ctrl.f97.${_tRee}.${_xSrl}.pid\n else\n if [ -e \"${_optBin}/aptcleanup.old\" ]; then\n mv -f ${_optBin}/aptcleanup.old ${_optBin}/aptcleanup\n fi\n fi\n fi\n fi\n\n if [ ! -e \"${_optBin}/loadguard\" ] \\\n || [ ! -e \"${_pthLog}/loadguard.sh.ctrl.f99.${_tRee}.${_xSrl}.pid\" ]; then\n _CNT=$(pgrep -fc xloadguard)\n if (( _CNT > 0 )); then\n echo \"The xloadguard is running!\"\n else\n if [ -e \"${_optBin}/loadguard\" ]; then\n mv -f ${_optBin}/loadguard ${_optBin}/loadguard.old\n fi\n curl ${_crlGet} \"${_urlHmr}/tools/bin/loadguard\" -o ${_optBin}/loadguard\n if [ -e \"${_optBin}/loadguard\" ]; then\n chmod 700 ${_optBin}/loadguard\n chown root:root ${_optBin}/loadguard\n touch ${_pthLog}/loadguard.sh.ctrl.f99.${_tRee}.${_xSrl}.pid\n else\n if [ -e \"${_optBin}/loadguard.old\" ]; then\n mv -f ${_optBin}/loadguard.old ${_optBin}/loadguard\n fi\n fi\n fi\n fi\n\n if [ ! -e \"${_optBin}/ffmirror\" ] \\\n || [ ! -e \"${_pthLog}/ffmirror.sh.ctrl.f99.${_tRee}.${_xSrl}.pid\" ]; then\n _CNT=$(pgrep -fc xffmirror)\n if (( _CNT > 0 )); then\n echo \"The xffmirror is running!\"\n else\n if [ -e \"${_optBin}/ffmirror\" ]; then\n mv -f ${_optBin}/ffmirror ${_optBin}/ffmirror.old\n fi\n curl ${_crlGet} \"${_urlHmr}/tools/bin/ffmirror\" -o ${_optBin}/ffmirror\n if [ -e \"${_optBin}/ffmirror\" ]; then\n chmod 700 ${_optBin}/ffmirror\n chown root:root ${_optBin}/ffmirror\n touch ${_pthLog}/ffmirror.sh.ctrl.f99.${_tRee}.${_xSrl}.pid\n else\n if [ -e \"${_optBin}/ffmirror.old\" ]; then\n mv -f ${_optBin}/ffmirror.old ${_optBin}/ffmirror\n fi\n fi\n fi\n fi\n\n if [ ! -e \"${_optBin}/ffdevuan\" ] \\\n || [ ! -e \"${_pthLog}/ffdevuan.sh.ctrl.f95.${_tRee}.${_xSrl}.pid\" ]; then\n _CNT=$(pgrep -fc xffdevuan)\n if (( _CNT > 0 )); then\n echo \"The xffdevuan is running!\"\n else\n if [ -e \"${_optBin}/ffdevuan\" ]; then\n mv -f ${_optBin}/ffdevuan ${_optBin}/ffdevuan.old\n fi\n curl ${_crlGet} \"${_urlHmr}/tools/bin/ffdevuan\" -o ${_optBin}/ffdevuan\n if [ -e \"${_optBin}/ffdevuan\" ]; then\n chmod 700 ${_optBin}/ffdevuan\n chown root:root ${_optBin}/ffdevuan\n touch ${_pthLog}/ffdevuan.sh.ctrl.f95.${_tRee}.${_xSrl}.pid\n else\n if [ -e \"${_optBin}/ffdevuan.old\" ]; then\n mv -f ${_optBin}/ffdevuan.old ${_optBin}/ffdevuan\n fi\n fi\n fi\n fi\n\n if [ ! -e \"${_optBin}/webserver\" ] \\\n || [ ! -e \"${_pthLog}/webserver.sh.ctrl.f99.${_tRee}.${_xSrl}.pid\" ]; then\n _CNT=$(pgrep -fc xwebserver)\n if (( _CNT > 0 )); then\n echo \"The xwebserver is running!\"\n else\n if [ -e \"${_optBin}/webserver\" ]; then\n mv -f ${_optBin}/webserver ${_optBin}/webserver.old\n fi\n curl ${_crlGet} \"${_urlHmr}/tools/bin/webserver\" -o ${_optBin}/webserver\n if [ -e \"${_optBin}/webserver\" ]; then\n chmod 700 ${_optBin}/webserver\n chown root:root ${_optBin}/webserver\n touch ${_pthLog}/webserver.sh.ctrl.f99.${_tRee}.${_xSrl}.pid\n else\n if [ -e \"${_optBin}/webserver.old\" ]; then\n mv -f ${_optBin}/webserver.old ${_optBin}/webserver\n fi\n fi\n fi\n fi\n\n if [ ! -e \"${_optBin}/xboa\" ] \\\n || [ ! -e \"${_pthLog}/xboa.sh.ctrl.f99.${_tRee}.${_xSrl}.pid\" ]; then\n _CNT=$(pgrep -fc /local/bin/xboa)\n if (( _CNT > 0 )); then\n echo \"The xboa is running!\"\n else\n if [ -e \"${_optBin}/xboa\" ]; then\n mv -f ${_optBin}/xboa ${_optBin}/xboa.old\n fi\n curl ${_crlGet} \"${_urlHmr}/tools/bin/xboa\" -o ${_optBin}/xboa\n if [ -e \"${_optBin}/xboa\" ]; then\n chmod 700 ${_optBin}/xboa\n chown root:root ${_optBin}/xboa\n touch ${_pthLog}/xboa.sh.ctrl.f99.${_tRee}.${_xSrl}.pid\n else\n if [ -e \"${_optBin}/xboa.old\" ]; then\n mv -f ${_optBin}/xboa.old ${_optBin}/xboa\n fi\n fi\n fi\n fi\n\n if [ ! -e \"${_optBin}/boa\" ] \\\n || [ ! -e \"${_pthLog}/boa.sh.ctrl.f89.${_tRee}.${_xSrl}.pid\" ]; then\n _CNT=$(pgrep -fc /local/bin/boa)\n if (( _CNT > 0 )); then\n echo \"The boa is running!\"\n else\n if [ -e \"${_optBin}/boa\" ]; then\n mv -f ${_optBin}/boa ${_optBin}/boa.old\n fi\n curl ${_crlGet} \"${_urlHmr}/tools/bin/boa\" -o ${_optBin}/boa\n if [ -e \"${_optBin}/boa\" ]; then\n chmod 700 ${_optBin}/boa\n chown root:root ${_optBin}/boa\n touch ${_pthLog}/boa.sh.ctrl.f89.${_tRee}.${_xSrl}.pid\n else\n if [ -e \"${_optBin}/boa.old\" ]; then\n mv -f ${_optBin}/boa.old ${_optBin}/boa\n fi\n fi\n fi\n fi\n\n if [ ! -e \"${_optBin}/barracuda\" ] \\\n || [ ! -e \"${_pthLog}/barracuda.sh.ctrl.f93.${_tRee}.${_xSrl}.pid\" ]; then\n _CNT=$(pgrep -fc /local/bin/barracuda)\n if (( _CNT > 0 )); then\n echo \"The barracuda is running!\"\n else\n if [ -e \"${_optBin}/barracuda\" ]; then\n mv -f ${_optBin}/barracuda ${_optBin}/barracuda.old\n fi\n curl ${_crlGet} \"${_urlHmr}/tools/bin/barracuda\" -o ${_optBin}/barracuda\n if [ -e \"${_optBin}/barracuda\" ]; then\n chmod 700 ${_optBin}/barracuda\n chown root:root ${_optBin}/barracuda\n touch ${_pthLog}/barracuda.sh.ctrl.f93.${_tRee}.${_xSrl}.pid\n else\n if [ -e \"${_optBin}/barracuda.old\" ]; then\n mv -f ${_optBin}/barracuda.old ${_optBin}/barracuda\n fi\n fi\n fi\n fi\n\n if [ ! -e \"${_optBin}/octopus\" ] \\\n || [ ! -e \"${_pthLog}/octopus.sh.ctrl.f89.${_tRee}.${_xSrl}.pid\" ]; then\n _CNT=$(pgrep -fc /local/bin/octopus)\n if (( _CNT > 0 )); then\n echo \"The octopus is running!\"\n else\n if [ -e \"${_optBin}/octopus\" ]; then\n mv -f ${_optBin}/octopus ${_optBin}/octopus.old\n fi\n curl ${_crlGet} \"${_urlHmr}/tools/bin/octopus\" -o ${_optBin}/octopus\n if [ -e \"${_optBin}/octopus\" ]; then\n chmod 700 ${_optBin}/octopus\n chown root:root ${_optBin}/octopus\n touch ${_pthLog}/octopus.sh.ctrl.f89.${_tRee}.${_xSrl}.pid\n else\n if [ -e \"${_optBin}/octopus.old\" ]; then\n mv -f ${_optBin}/octopus.old ${_optBin}/octopus\n fi\n fi\n fi\n fi\n\n if [ ! -e \"${_optBin}/perftest\" ] \\\n || [ ! -L \"${_usrBin}/perftest\" ] \\\n || [ ! -e \"${_pthLog}/perftest.sh.ctrl.f97.${_tRee}.${_xSrl}.pid\" ]; then\n _CNT=$(pgrep -fc /local/bin/perftest)\n if (( _CNT > 0 )); then\n echo \"The perftest is running!\"\n else\n if [ -e \"${_optBin}/perftest\" ]; then\n mv -f ${_optBin}/perftest ${_optBin}/perftest.old\n fi\n curl ${_crlGet} \"${_urlHmr}/tools/bin/perftest\" -o ${_optBin}/perftest\n if [ -e \"${_optBin}/perftest\" ]; then\n chmod 700 ${_optBin}/perftest\n chown root:root ${_optBin}/perftest\n ln -sf ${_optBin}/perftest ${_usrBin}/perftest\n rm -f ${_pthLog}/perftest.sh.ctrl.*\n touch ${_pthLog}/perftest.sh.ctrl.f97.${_tRee}.${_xSrl}.pid\n else\n if [ -e \"${_optBin}/perftest.old\" ]; then\n mv -f ${_optBin}/perftest.old ${_optBin}/perftest\n fi\n fi\n fi\n fi\n\n if [ ! -e \"${_optBin}/aptfast\" ] \\\n || [ ! -e \"${_pthLog}/aptfast.sh.ctrl.f98.${_tRee}.${_xSrl}.pid\" ]; then\n _CNT=$(pgrep -fc /local/bin/aptfast)\n if (( _CNT > 0 )); then\n echo \"The aptfast is running!\"\n else\n if [ -e \"${_optBin}/aptfast\" ]; then\n mv -f ${_optBin}/aptfast ${_optBin}/aptfast.old\n fi\n curl ${_crlGet} \"${_urlHmr}/tools/bin/aptfast\" -o ${_optBin}/aptfast\n if [ -e \"${_optBin}/aptfast\" ]; then\n chmod 700 ${_optBin}/aptfast\n chown root:root ${_optBin}/aptfast\n touch ${_pthLog}/aptfast.sh.ctrl.f98.${_tRee}.${_xSrl}.pid\n else\n if [ -e \"${_optBin}/aptfast.old\" ]; then\n mv -f ${_optBin}/aptfast.old ${_optBin}/aptfast\n fi\n fi\n fi\n fi\n\n if [ -e \"/var/xdrago/monitor/check\" ] \\\n && [ -d \"/var/aegir/drush\" ] \\\n && [ ! -e \"${_pthLog}/backboa.sh.ctrl.f99.${_tRee}.${_xSrl}.pid\" ]; then\n _CNT=$(pgrep -fc duplicity)\n if (( _CNT > 0 )); then\n echo \"The duplicity backup is running!\"\n else\n if [ -e \"${_optBin}/backboa\" ]; then\n mv -f ${_optBin}/backboa ${_optBin}/backboa.old\n fi\n curl ${_crlGet} \"${_urlHmr}/tools/bin/backboa\" -o ${_optBin}/backboa\n if [ -e \"${_optBin}/backboa\" ]; then\n chmod 700 ${_optBin}/backboa\n chown root:root ${_optBin}/backboa\n touch ${_pthLog}/backboa.sh.ctrl.f99.${_tRee}.${_xSrl}.pid\n else\n if [ -e \"${_optBin}/backboa.old\" ]; then\n mv -f ${_optBin}/backboa.old ${_optBin}/backboa\n fi\n fi\n fi\n fi\n\n if [ -e \"/var/xdrago/monitor/check\" ] \\\n && [ -d \"/var/aegir/drush\" ] \\\n && [ ! -e \"${_pthLog}/duobackboa.sh.ctrl.f99.${_tRee}.${_xSrl}.pid\" ]; then\n _CNT=$(pgrep -fc duplicity)\n if (( _CNT > 0 )); then\n echo \"The duplicity backup is running!\"\n else\n if [ -e \"${_optBin}/duobackboa\" ]; then\n mv -f ${_optBin}/duobackboa ${_optBin}/duobackboa.old\n fi\n curl ${_crlGet} \"${_urlHmr}/tools/bin/duobackboa\" -o ${_optBin}/duobackboa\n if [ -e \"${_optBin}/duobackboa\" ]; then\n chmod 700 ${_optBin}/duobackboa\n chown root:root ${_optBin}/duobackboa\n touch ${_pthLog}/duobackboa.sh.ctrl.f99.${_tRee}.${_xSrl}.pid\n else\n if [ -e \"${_optBin}/duobackboa.old\" ]; then\n mv -f ${_optBin}/duobackboa.old ${_optBin}/duobackboa\n fi\n fi\n fi\n fi\n\n if [ -e \"/root/.remote_backups/schedule/backup_schedule.txt\" ]; then\n _BROKEN_UPDATE_TEST=$(grep \"Under Construction\" /root/.remote_backups/run/*.sh 2>&1)\n if [ ! -z \"${_BROKEN_UPDATE_TEST}\" ]; then\n rm -f ${_pthCtrl}/*.pid\n fi\n _BROKEN_UPDATE_TEST=$(grep \"404 Not Found\" /root/.remote_backups/run/*.sh 2>&1)\n if [ ! -z \"${_BROKEN_UPDATE_TEST}\" ]; then\n rm -f ${_pthCtrl}/*.pid\n fi\n fi\n\n if [ -e \"/root/.remote_backups/schedule/backup_schedule.txt\" ] \\\n && [ -d \"/var/aegir/drush\" ] \\\n && [ ! -e \"${_pthCtrl}/dcysetup.sh.ctrl.f99.${_tRee}.${_xSrl}.pid\" ]; then\n _CNT=$(pgrep -fc duplicity)\n if (( _CNT > 0 )); then\n echo \"The duplicity backup is running!\"\n else\n if [ -e \"${_optBin}/dcysetup\" ]; then\n mv -f ${_optBin}/dcysetup ${_optBin}/dcysetup.old\n fi\n curl ${_crlGet} \"${_urlHmr}/tools/bin/dcysetup\" -o ${_optBin}/dcysetup\n if [ -e \"${_optBin}/dcysetup\" ]; then\n chmod 700 ${_optBin}/dcysetup\n chown root:root ${_optBin}/dcysetup\n touch ${_pthCtrl}/dcysetup.sh.ctrl.f99.${_tRee}.${_xSrl}.pid\n else\n if [ -e \"${_optBin}/dcysetup.old\" ]; then\n mv -f ${_optBin}/dcysetup.old ${_optBin}/dcysetup\n fi\n fi\n fi\n fi\n\n if [ -e \"/root/.remote_backups/schedule/backup_schedule.txt\" ] \\\n && [ -d \"/var/aegir/drush\" ] \\\n && [ ! -e \"${_pthCtrl}/multiback.sh.ctrl.f37.${_tRee}.${_xSrl}.pid\" ]; then\n _CNT=$(pgrep -fc duplicity)\n if (( _CNT > 0 )); then\n echo \"The duplicity backup is running!\"\n else\n if [ -e \"${_optBin}/multiback\" ]; then\n mv -f ${_optBin}/multiback ${_optBin}/multiback.old\n fi\n curl ${_crlGet} \"${_urlHmr}/tools/bin/multiback\" -o ${_optBin}/multiback\n if [ -e \"${_optBin}/multiback\" ]; then\n chmod 700 ${_optBin}/multiback\n chown root:root ${_optBin}/multiback\n touch ${_pthCtrl}/multiback.sh.ctrl.f37.${_tRee}.${_xSrl}.pid\n else\n if [ -e \"${_optBin}/multiback.old\" ]; then\n mv -f ${_optBin}/multiback.old ${_optBin}/multiback\n fi\n fi\n fi\n fi\n\n if [ -e \"/root/.remote_backups/schedule/backup_schedule.txt\" ] \\\n && [ -d \"/var/aegir/drush\" ] \\\n && [ ! -e \"${_pthCtrl}/mybackup.sh.ctrl.f37.${_tRee}.${_xSrl}.pid\" ]; then\n _CNT=$(pgrep -fc duplicity)\n if (( _CNT > 0 )); then\n echo \"The duplicity backup is running!\"\n else\n if [ -e \"${_optBin}/mybackup\" ]; then\n mv -f ${_optBin}/mybackup ${_optBin}/mybackup.old\n fi\n curl ${_crlGet} \"${_urlHmr}/tools/bin/mybackup\" -o ${_optBin}/mybackup\n if [ -e \"${_optBin}/mybackup\" ]; then\n chmod 755 ${_optBin}/mybackup\n chown root:root ${_optBin}/mybackup\n touch ${_pthCtrl}/mybackup.sh.ctrl.f37.${_tRee}.${_xSrl}.pid\n else\n if [ -e \"${_optBin}/mybackup.old\" ]; then\n mv -f ${_optBin}/mybackup.old ${_optBin}/mybackup\n fi\n fi\n fi\n fi\n\n if [ -d \"/root/.remote_backups/run\" ] \\\n && [ -d \"/var/aegir/drush\" ] \\\n && [ ! -e \"${_pthCtrl}/install_dependencies.sh.ctrl.f48.${_tRee}.${_xSrl}.pid\" ]; then\n if [ -e \"/root/.remote_backups/run/install_dependencies.sh\" ]; then\n mv -f /root/.remote_backups/run/install_dependencies.sh /root/.remote_backups/run/install_dependencies.sh.old\n fi\n curl ${_crlGet} \"${_urlHmr}/tools/backup/run/install_dependencies.sh\" -o /root/.remote_backups/run/install_dependencies.sh\n if [ -e \"/root/.remote_backups/run/install_dependencies.sh\" ]; then\n chmod 700 /root/.remote_backups/run/install_dependencies.sh\n chown root:root /root/.remote_backups/run/install_dependencies.sh\n touch ${_pthCtrl}/install_dependencies.sh.ctrl.f48.${_tRee}.${_xSrl}.pid\n else\n if [ -e \"/root/.remote_backups/run/install_dependencies.sh.old\" ]; then\n mv -f /root/.remote_backups/run/install_dependencies.sh.old /root/.remote_backups/run/install_dependencies.sh\n fi\n fi\n fi\n\n if [ -d \"/root/.remote_backups/run\" ] \\\n && [ -d \"/var/aegir/drush\" ] \\\n && [ ! -e \"${_pthCtrl}/create_credentials_templates.sh.ctrl.f48.${_tRee}.${_xSrl}.pid\" ]; then\n rm -f /.backboa*\n if [ -e \"/root/.remote_backups/run/create_credentials_templates.sh\" ]; then\n mv -f /root/.remote_backups/run/create_credentials_templates.sh /root/.remote_backups/run/create_credentials_templates.sh.old\n fi\n curl ${_crlGet} \"${_urlHmr}/tools/backup/run/create_credentials_templates.sh\" -o /root/.remote_backups/run/create_credentials_templates.sh\n if [ -e \"/root/.remote_backups/run/create_credentials_templates.sh\" ]; then\n chmod 700 /root/.remote_backups/run/create_credentials_templates.sh\n chown root:root /root/.remote_backups/run/create_credentials_templates.sh\n touch ${_pthCtrl}/create_credentials_templates.sh.ctrl.f48.${_tRee}.${_xSrl}.pid\n else\n if [ -e \"/root/.remote_backups/run/create_credentials_templates.sh.old\" ]; then\n mv -f /root/.remote_backups/run/create_credentials_templates.sh.old /root/.remote_backups/run/create_credentials_templates.sh\n fi\n fi\n fi\n\n if [ -d \"/root/.remote_backups/run\" ] \\\n && [ -d \"/var/aegir/drush\" ] \\\n && [ ! -e \"${_pthCtrl}/create_global_paths_config.sh.ctrl.f44.${_tRee}.${_xSrl}.pid\" ]; then\n if [ -e \"/root/.remote_backups/run/create_global_paths_config.sh\" ]; then\n mv -f /root/.remote_backups/run/create_global_paths_config.sh /root/.remote_backups/run/create_global_paths_config.sh.old\n fi\n curl ${_crlGet} \"${_urlHmr}/tools/backup/run/create_global_paths_config.sh\" -o /root/.remote_backups/run/create_global_paths_config.sh\n if [ -e \"/root/.remote_backups/run/create_global_paths_config.sh\" ]; then\n chmod 700 /root/.remote_backups/run/create_global_paths_config.sh\n chown root:root /root/.remote_backups/run/create_global_paths_config.sh\n touch ${_pthCtrl}/create_global_paths_config.sh.ctrl.f44.${_tRee}.${_xSrl}.pid\n else\n if [ -e \"/root/.remote_backups/run/create_global_paths_config.sh.old\" ]; then\n mv -f /root/.remote_backups/run/create_global_paths_config.sh.old /root/.remote_backups/run/create_global_paths_config.sh\n fi\n fi\n fi\n\n if [ -d \"/root/.remote_backups/run\" ] \\\n && [ -d \"/var/aegir/drush\" ] \\\n && [ ! -e \"${_pthCtrl}/create_user_paths_config.sh.ctrl.f48.${_tRee}.${_xSrl}.pid\" ]; then\n rm -f /.backboa*\n if [ -e \"/root/.remote_backups/run/create_user_paths_config.sh\" ]; then\n mv -f /root/.remote_backups/run/create_user_paths_config.sh /root/.remote_backups/run/create_user_paths_config.sh.old\n fi\n curl ${_crlGet} \"${_urlHmr}/tools/backup/run/create_user_paths_config.sh\" -o /root/.remote_backups/run/create_user_paths_config.sh\n if [ -e \"/root/.remote_backups/run/create_user_paths_config.sh\" ]; then\n chmod 700 /root/.remote_backups/run/create_user_paths_config.sh\n chown root:root /root/.remote_backups/run/create_user_paths_config.sh\n touch ${_pthCtrl}/create_user_paths_config.sh.ctrl.f48.${_tRee}.${_xSrl}.pid\n else\n if [ -e \"/root/.remote_backups/run/create_user_paths_config.sh.old\" ]; then\n mv -f /root/.remote_backups/run/create_user_paths_config.sh.old /root/.remote_backups/run/create_user_paths_config.sh\n fi\n fi\n fi\n\n if [ -d \"/root/.remote_backups/run\" ] \\\n && [ -d \"/var/aegir/drush\" ] \\\n && [ ! -e \"${_pthCtrl}/create_cron_entries.sh.ctrl.f48.${_tRee}.${_xSrl}.pid\" ]; then\n if [ -e \"/root/.remote_backups/run/create_cron_entries.sh\" ]; then\n mv -f /root/.remote_backups/run/create_cron_entries.sh /root/.remote_backups/run/create_cron_entries.sh.old\n fi\n curl ${_crlGet} \"${_urlHmr}/tools/backup/run/create_cron_entries.sh\" -o /root/.remote_backups/run/create_cron_entries.sh\n if [ -e \"/root/.remote_backups/run/create_cron_entries.sh\" ]; then\n chmod 700 /root/.remote_backups/run/create_cron_entries.sh\n chown root:root /root/.remote_backups/run/create_cron_entries.sh\n touch ${_pthCtrl}/create_cron_entries.sh.ctrl.f48.${_tRee}.${_xSrl}.pid\n else\n if [ -e \"/root/.remote_backups/run/create_cron_entries.sh.old\" ]; then\n mv -f /root/.remote_backups/run/create_cron_entries.sh.old /root/.remote_backups/run/create_cron_entries.sh\n fi\n fi\n fi\n\n if [ -d \"/root/.remote_backups/run\" ] \\\n && [ -d \"/var/aegir/drush\" ] \\\n && [ ! -e \"${_pthCtrl}/create_readme.sh.ctrl.f48.${_tRee}.${_xSrl}.pid\" ]; then\n if [ -e \"/root/.remote_backups/run/create_readme.sh\" ]; then\n mv -f /root/.remote_backups/run/create_readme.sh /root/.remote_backups/run/create_readme.sh.old\n fi\n curl ${_crlGet} \"${_urlHmr}/tools/backup/run/create_readme.sh\" -o /root/.remote_backups/run/create_readme.sh\n if [ -e \"/root/.remote_backups/run/create_readme.sh\" ]; then\n chmod 700 /root/.remote_backups/run/create_readme.sh\n chown root:root /root/.remote_backups/run/create_readme.sh\n touch ${_pthCtrl}/create_readme.sh.ctrl.f48.${_tRee}.${_xSrl}.pid\n else\n if [ -e \"/root/.remote_backups/run/create_readme.sh.old\" ]; then\n mv -f /root/.remote_backups/run/create_readme.sh.old /root/.remote_backups/run/create_readme.sh\n fi\n fi\n fi\n\n if [ -d \"/root/.remote_backups/run\" ] \\\n && [ -d \"/var/aegir/drush\" ] \\\n && [ ! -e \"${_pthCtrl}/create_config_readme.sh.ctrl.f48.${_tRee}.${_xSrl}.pid\" ]; then\n if [ -e \"/root/.remote_backups/run/create_config_readme.sh\" ]; then\n mv -f /root/.remote_backups/run/create_config_readme.sh /root/.remote_backups/run/create_config_readme.sh.old\n fi\n curl ${_crlGet} \"${_urlHmr}/tools/backup/run/create_config_readme.sh\" -o /root/.remote_backups/run/create_config_readme.sh\n if [ -e \"/root/.remote_backups/run/create_config_readme.sh\" ]; then\n chmod 700 /root/.remote_backups/run/create_config_readme.sh\n chown root:root /root/.remote_backups/run/create_config_readme.sh\n touch ${_pthCtrl}/create_config_readme.sh.ctrl.f48.${_tRee}.${_xSrl}.pid\n else\n if [ -e \"/root/.remote_backups/run/create_config_readme.sh.old\" ]; then\n mv -f /root/.remote_backups/run/create_config_readme.sh.old /root/.remote_backups/run/create_config_readme.sh\n fi\n fi\n fi\n\n if [ -e \"/var/xdrago/monitor/check\" ] \\\n && [ -e \"/var/aegir/.drush/hm.alias.drushrc.php\" ] \\\n && [ ! -e \"${_pthLog}/scan_nginx.sh.ctrl.f81.${_tRee}.${_xSrl}.pid\" ]; then\n mv -f /var/xdrago/monitor/check/scan_nginx.sh /var/xdrago/monitor/check/scan_nginx.sh.old\n curl ${_crlGet} \"${_urlHmr}/tools/system/monitor/check/scan_nginx.sh\" -o /var/xdrago/monitor/check/scan_nginx.sh\n if [ -e \"/var/xdrago/monitor/check/scan_nginx.sh\" ]; then\n chmod 700 /var/xdrago/monitor/check/scan_nginx.sh\n chown root:root /var/xdrago/monitor/check/scan_nginx.sh\n touch ${_pthLog}/scan_nginx.sh.ctrl.f81.${_tRee}.${_xSrl}.pid\n if [ ! -e \"/var/xdrago/monitor/log/.scan_nginx_arch.${_xSrl}.pid\" ]; then\n if [ -e \"/var/xdrago/monitor/scan_nginx.archive.log\" ]; then\n mv -f /var/xdrago/monitor/scan_nginx.archive.log /var/xdrago/monitor/log/.scan_nginx_legacy.archive.f81.${_tRee}.${_xSrl}.log\n fi\n if [ -e \"/var/xdrago/monitor/log/scan_nginx.archive.log\" ]; then\n mv -f /var/xdrago/monitor/log/scan_nginx.archive.log /var/xdrago/monitor/log/scan_nginx.archive.f81.${_tRee}.${_xSrl}.log\n fi\n rm -f /var/xdrago/monitor/log/.scan_nginx_arch*.pid\n touch /var/xdrago/monitor/log/.scan_nginx_arch.${_xSrl}.pid\n csf -df\n wait\n [ -e \"/etc/csf/csfpost.d/synproxy.sh\" ] && synproxy_reassert -p \"443 80\" --no-quic -q &> /dev/null\n fi\n if [ ! -e \"/var/xdrago/monitor/log/.hackcheck.arch.${_xSrl}.pid\" ]; then\n if [ -e \"/var/xdrago/monitor/hackcheck.archive.log\" ]; then\n mv -f /var/xdrago/monitor/hackcheck.archive.log /var/xdrago/monitor/log/.scan_nginx_legacy.archive.f81.${_tRee}.${_xSrl}.log\n fi\n if [ -e \"/var/xdrago/monitor/log/hackcheck.archive.log\" ]; then\n mv -f /var/xdrago/monitor/log/hackcheck.archive.log /var/xdrago/monitor/log/hackcheck.archive.f81.${_tRee}.${_xSrl}.log\n fi\n rm -f /var/xdrago/monitor/log/.hackcheck.arch*.pid\n touch /var/xdrago/monitor/log/.hackcheck.arch.${_xSrl}.pid\n csf -df\n wait\n [ -e \"/etc/csf/csfpost.d/synproxy.sh\" ] && synproxy_reassert -p \"443 80\" --no-quic -q &> /dev/null\n fi\n else\n mv -f /var/xdrago/monitor/check/scan_nginx.sh.old /var/xdrago/monitor/check/scan_nginx.sh\n fi\n fi\n\n if [ -e \"/var/xdrago/monitor/check\" ] \\\n && [ -e \"/var/aegir/.drush/hm.alias.drushrc.php\" ] \\\n && [ ! -e \"${_pthLog}/java.sh.ctrl.f90.${_tRee}.${_xSrl}.pid\" ]; then\n mv -f /var/xdrago/monitor/check/java.sh /var/xdrago/monitor/check/java.sh.old\n curl ${_crlGet} \"${_urlHmr}/tools/system/monitor/check/java.sh\" -o /var/xdrago/monitor/check/java.sh\n if [ -e \"/var/xdrago/monitor/check/java.sh\" ]; then\n chmod 700 /var/xdrago/monitor/check/java.sh\n chown root:root /var/xdrago/monitor/check/java.sh\n touch ${_pthLog}/java.sh.ctrl.f90.${_tRee}.${_xSrl}.pid\n else\n mv -f /var/xdrago/monitor/check/java.sh.old /var/xdrago/monitor/check/java.sh\n fi\n fi\n\n if [ -e \"/var/xdrago/monitor/check\" ] \\\n && [ -e \"/var/aegir/.drush/hm.alias.drushrc.php\" ] \\\n && [ ! -e \"${_pthLog}/mysql.sh.ctrl.f82.${_tRee}.${_xSrl}.pid\" ]; then\n mv -f /var/xdrago/monitor/check/mysql.sh /var/xdrago/monitor/check/mysql.sh.old\n curl ${_crlGet} \"${_urlHmr}/tools/system/monitor/check/mysql.sh\" -o /var/xdrago/monitor/check/mysql.sh\n if [ -e \"/var/xdrago/monitor/check/mysql.sh\" ]; then\n if [ -e \"/root/.debug.cnf\" ] && [ ! -e \"/root/.default.cnf\" ]; then\n _DO_NOTHING=YES\n else\n if [ -e \"/root/.high_load.cnf\" ] \\\n && [ ! -e \"/root/.big_db.cnf\" ] \\\n && [ ! -e \"/root/.tg.cnf\" ]; then\n sed -i \"s/3600/300/g\" /var/xdrago/monitor/check/mysql.sh\n elif [ -e \"/root/.big_db.cnf\" ] || [ -e \"/root/.tg.cnf\" ]; then\n _DO_NOTHING=YES\n else\n sed -i \"s/3600/1800/g\" /var/xdrago/monitor/check/mysql.sh\n fi\n fi\n chmod 700 /var/xdrago/monitor/check/mysql.sh\n chown root:root /var/xdrago/monitor/check/mysql.sh\n touch ${_pthLog}/mysql.sh.ctrl.f82.${_tRee}.${_xSrl}.pid\n else\n mv -f /var/xdrago/monitor/check/mysql.sh.old /var/xdrago/monitor/check/mysql.sh\n fi\n fi\n\n if [ -e \"/var/xdrago/monitor/check\" ] \\\n && [ -e \"/var/aegir/.drush/hm.alias.drushrc.php\" ] \\\n && [ ! -e \"${_pthLog}/nginx.sh.ctrl.f92.${_tRee}.${_xSrl}.pid\" ]; then\n mv -f /var/xdrago/monitor/check/nginx.sh /var/xdrago/monitor/check/nginx.sh.old\n curl ${_crlGet} \"${_urlHmr}/tools/system/monitor/check/nginx.sh\" -o /var/xdrago/monitor/check/nginx.sh\n if [ -e \"/var/xdrago/monitor/check/nginx.sh\" ]; then\n chmod 700 /var/xdrago/monitor/check/nginx.sh\n chown root:root /var/xdrago/monitor/check/nginx.sh\n touch ${_pthLog}/nginx.sh.ctrl.f92.${_tRee}.${_xSrl}.pid\n else\n mv -f /var/xdrago/monitor/check/nginx.sh.old /var/xdrago/monitor/check/nginx.sh\n fi\n fi\n\n if [ ! -e \"/var/xdrago/monitor/check/nginx_guard.sh\" ]; then\n rm -f ${_pthLog}/nginx_guard.sh.ctrl.*\n fi\n if [ -e \"/var/xdrago/monitor/check\" ] \\\n && [ -e \"/var/aegir/.drush/hm.alias.drushrc.php\" ] \\\n && [ ! -e \"${_pthLog}/nginx_guard.sh.ctrl.f98.${_tRee}.${_xSrl}.pid\" ]; then\n mv -f /var/xdrago/monitor/check/nginx_guard.sh /var/xdrago/monitor/check/nginx_guard.sh.old\n curl ${_crlGet} \"${_urlHmr}/tools/system/monitor/check/nginx_guard.sh\" -o /var/xdrago/monitor/check/nginx_guard.sh\n if [ -e \"/var/xdrago/monitor/check/nginx_guard.sh\" ]; then\n chmod 700 /var/xdrago/monitor/check/nginx_guard.sh\n chown root:root /var/xdrago/monitor/check/nginx_guard.sh\n touch ${_pthLog}/nginx_guard.sh.ctrl.f98.${_tRee}.${_xSrl}.pid\n else\n mv -f /var/xdrago/monitor/check/nginx_guard.sh.old /var/xdrago/monitor/check/nginx_guard.sh\n fi\n fi\n\n if [ -e \"/var/xdrago/monitor/check\" ] \\\n && [ -e \"/var/aegir/.drush/hm.alias.drushrc.php\" ] \\\n && [ ! -e \"${_pthLog}/php.sh.ctrl.f85.${_tRee}.${_xSrl}.pid\" ]; then\n mv -f /var/xdrago/monitor/check/php.sh /var/xdrago/monitor/check/php.sh.old\n curl ${_crlGet} \"${_urlHmr}/tools/system/monitor/check/php.sh\" -o /var/xdrago/monitor/check/php.sh\n if [ -e \"/var/xdrago/monitor/check/php.sh\" ]; then\n chmod 700 /var/xdrago/monitor/check/php.sh\n chown root:root /var/xdrago/monitor/check/php.sh\n touch ${_pthLog}/php.sh.ctrl.f85.${_tRee}.${_xSrl}.pid\n else\n mv -f /var/xdrago/monitor/check/php.sh.old /var/xdrago/monitor/check/php.sh\n fi\n fi\n\n if [ -e \"/var/xdrago/monitor/check\" ] \\\n && [ -e \"/var/aegir/.drush/hm.alias.drushrc.php\" ] \\\n && [ ! -e \"${_pthLog}/valkey.sh.ctrl.f87.${_tRee}.${_xSrl}.pid\" ]; then\n mv -f /var/xdrago/monitor/check/valkey.sh /var/xdrago/monitor/check/valkey.sh.old\n curl ${_crlGet} \"${_urlHmr}/tools/system/monitor/check/valkey.sh\" -o /var/xdrago/monitor/check/valkey.sh\n if [ -e \"/var/xdrago/monitor/check/valkey.sh\" ]; then\n chmod 700 /var/xdrago/monitor/check/valkey.sh\n chown root:root /var/xdrago/monitor/check/valkey.sh\n touch ${_pthLog}/valkey.sh.ctrl.f87.${_tRee}.${_xSrl}.pid\n else\n mv -f /var/xdrago/monitor/check/valkey.sh.old /var/xdrago/monitor/check/valkey.sh\n fi\n fi\n\n if [ -e \"/var/xdrago/monitor/check\" ] \\\n && [ -e \"/var/aegir/.drush/hm.alias.drushrc.php\" ] \\\n && [ ! -e \"${_pthLog}/redis.sh.ctrl.f90.${_tRee}.${_xSrl}.pid\" ]; then\n mv -f /var/xdrago/monitor/check/redis.sh /var/xdrago/monitor/check/redis.sh.old\n curl ${_crlGet} \"${_urlHmr}/tools/system/monitor/check/redis.sh\" -o /var/xdrago/monitor/check/redis.sh\n if [ -e \"/var/xdrago/monitor/check/redis.sh\" ]; then\n chmod 700 /var/xdrago/monitor/check/redis.sh\n chown root:root /var/xdrago/monitor/check/redis.sh\n touch ${_pthLog}/redis.sh.ctrl.f90.${_tRee}.${_xSrl}.pid\n else\n mv -f /var/xdrago/monitor/check/redis.sh.old /var/xdrago/monitor/check/redis.sh\n fi\n fi\n\n if [ -e \"/var/xdrago/monitor/check\" ] \\\n && [ -e \"/var/aegir/.drush/hm.alias.drushrc.php\" ] \\\n && [ ! -e \"${_pthLog}/system.sh.ctrl.f83.${_tRee}.${_xSrl}.pid\" ]; then\n mv -f /var/xdrago/monitor/check/system.sh /var/xdrago/monitor/check/system.sh.old\n curl ${_crlGet} \"${_urlHmr}/tools/system/monitor/check/system.sh\" -o /var/xdrago/monitor/check/system.sh\n if [ -e \"/var/xdrago/monitor/check/system.sh\" ]; then\n chmod 700 /var/xdrago/monitor/check/system.sh\n chown root:root /var/xdrago/monitor/check/system.sh\n touch ${_pthLog}/system.sh.ctrl.f83.${_tRee}.${_xSrl}.pid\n else\n mv -f /var/xdrago/monitor/check/system.sh.old /var/xdrago/monitor/check/system.sh\n fi\n fi\n\n if [ -e \"/var/xdrago/monitor/check\" ] \\\n && [ -e \"/var/aegir/.drush/hm.alias.drushrc.php\" ] \\\n && [ ! -e \"${_pthLog}/unbound.sh.ctrl.f86.${_tRee}.${_xSrl}.pid\" ]; then\n mv -f /var/xdrago/monitor/check/unbound.sh /var/xdrago/monitor/check/unbound.sh.old\n curl ${_crlGet} \"${_urlHmr}/tools/system/monitor/check/unbound.sh\" -o /var/xdrago/monitor/check/unbound.sh\n if [ -e \"/var/xdrago/monitor/check/unbound.sh\" ]; then\n chmod 700 /var/xdrago/monitor/check/unbound.sh\n chown root:root /var/xdrago/monitor/check/unbound.sh\n touch ${_pthLog}/unbound.sh.ctrl.f86.${_tRee}.${_xSrl}.pid\n else\n mv -f /var/xdrago/monitor/check/unbound.sh.old /var/xdrago/monitor/check/unbound.sh\n fi\n fi\n\n if [ -e \"/var/xdrago/monitor/check\" ] \\\n && [ -e \"/var/aegir/.drush/hm.alias.drushrc.php\" ] \\\n && [ ! -e \"${_pthLog}/escapecheck.sh.ctrl.f99.${_tRee}.${_xSrl}.pid\" ]; then\n mv -f /var/xdrago/monitor/check/escapecheck.sh /var/xdrago/monitor/check/escapecheck.sh.old\n curl ${_crlGet} \"${_urlHmr}/tools/system/monitor/check/escapecheck.sh\" -o /var/xdrago/monitor/check/escapecheck.sh\n if [ -e \"/var/xdrago/monitor/check/escapecheck.sh\" ]; then\n chmod 700 /var/xdrago/monitor/check/escapecheck.sh\n chown root:root /var/xdrago/monitor/check/escapecheck.sh\n touch ${_pthLog}/escapecheck.sh.ctrl.f99.${_tRee}.${_xSrl}.pid\n else\n mv -f /var/xdrago/monitor/check/escapecheck.sh.old /var/xdrago/monitor/check/escapecheck.sh\n fi\n fi\n\n if [ -e \"/var/xdrago/monitor/check\" ] \\\n && [ -e \"/var/aegir/.drush/hm.alias.drushrc.php\" ] \\\n && [ ! -e \"${_pthLog}/hackcheck.sh.ctrl.f95.${_tRee}.${_xSrl}.pid\" ]; then\n mv -f /var/xdrago/monitor/check/hackcheck.sh /var/xdrago/monitor/check/hackcheck.sh.old\n curl ${_crlGet} \"${_urlHmr}/tools/system/monitor/check/hackcheck.sh\" -o /var/xdrago/monitor/check/hackcheck.sh\n if [ -e \"/var/xdrago/monitor/check/hackcheck.sh\" ]; then\n chmod 700 /var/xdrago/monitor/check/hackcheck.sh\n chown root:root /var/xdrago/monitor/check/hackcheck.sh\n touch ${_pthLog}/hackcheck.sh.ctrl.f95.${_tRee}.${_xSrl}.pid\n else\n mv -f /var/xdrago/monitor/check/hackcheck.sh.old /var/xdrago/monitor/check/hackcheck.sh\n fi\n fi\n\n if [ -e \"/var/xdrago/monitor/check\" ] \\\n && [ -e \"/var/aegir/.drush/hm.alias.drushrc.php\" ] \\\n && [ ! -e \"${_pthLog}/hackftp.sh.ctrl.f98.${_tRee}.${_xSrl}.pid\" ]; then\n mv -f /var/xdrago/monitor/check/hackftp.sh /var/xdrago/monitor/check/hackftp.sh.old\n curl ${_crlGet} \"${_urlHmr}/tools/system/monitor/check/hackftp.sh\" -o /var/xdrago/monitor/check/hackftp.sh\n if [ -e \"/var/xdrago/monitor/check/hackftp.sh\" ]; then\n chmod 700 /var/xdrago/monitor/check/hackftp.sh\n chown root:root /var/xdrago/monitor/check/hackftp.sh\n touch ${_pthLog}/hackftp.sh.ctrl.f98.${_tRee}.${_xSrl}.pid\n else\n mv -f /var/xdrago/monitor/check/hackftp.sh.old /var/xdrago/monitor/check/hackftp.sh\n fi\n fi\n\n if [ -e \"/var/xdrago/monitor/check\" ] \\\n && [ -e \"/var/aegir/.drush/hm.alias.drushrc.php\" ] \\\n && [ ! -e \"${_pthLog}/segfault_alert.pl.ctrl.f94.${_tRee}.${_xSrl}.pid\" ]; then\n mv -f /var/xdrago/monitor/check/segfault_alert.pl /var/xdrago/monitor/check/segfault_alert.pl.old\n curl ${_crlGet} \"${_urlHmr}/tools/system/monitor/check/segfault_alert.pl\" -o /var/xdrago/monitor/check/segfault_alert.pl\n if [ -e \"/var/xdrago/monitor/check/segfault_alert.pl\" ]; then\n chmod 700 /var/xdrago/monitor/check/segfault_alert.pl\n chown root:root /var/xdrago/monitor/check/segfault_alert.pl\n touch ${_pthLog}/segfault_alert.pl.ctrl.f94.${_tRee}.${_xSrl}.pid\n else\n mv -f /var/xdrago/monitor/check/segfault_alert.pl.old /var/xdrago/monitor/check/segfault_alert.pl\n fi\n fi\n\n if [ -e \"/var/xdrago/monitor/check\" ] \\\n && [ -e \"/var/aegir/.drush/hm.alias.drushrc.php\" ] \\\n && [ ! -e \"${_pthLog}/sqlcheck.pl.ctrl.f94.${_tRee}.${_xSrl}.pid\" ]; then\n mv -f /var/xdrago/monitor/check/sqlcheck.pl /var/xdrago/monitor/check/sqlcheck.pl.old\n curl ${_crlGet} \"${_urlHmr}/tools/system/monitor/check/sqlcheck.pl\" -o /var/xdrago/monitor/check/sqlcheck.pl\n if [ -e \"/var/xdrago/monitor/check/sqlcheck.pl\" ]; then\n chmod 700 /var/xdrago/monitor/check/sqlcheck.pl\n chown root:root /var/xdrago/monitor/check/sqlcheck.pl\n touch ${_pthLog}/sqlcheck.pl.ctrl.f94.${_tRee}.${_xSrl}.pid\n else\n mv -f /var/xdrago/monitor/check/sqlcheck.pl.old /var/xdrago/monitor/check/sqlcheck.pl\n fi\n fi\n\n if [ -e \"/var/xdrago/monitor/check\" ] \\\n && [ ! -e \"${_pthLog}/cv-phar-symlink.ctrl.${_tRee}.${_xSrl}.pid\" ]; then\n if [ -x \"/usr/local/bin/cv.phar\" ] \\\n && [ -L \"/usr/bin/cv\" ]; then\n _CV_SYMLINK=$(readlink -n /usr/bin/cv 2>&1)\n _CV_SYMLINK=$(echo -n ${_CV_SYMLINK} | tr -d \"\\n\" 2>&1)\n if [ \"${_CV_SYMLINK}\" != \"/usr/local/bin/cv.phar\" ]; then\n rm -f /usr/bin/cv\n ln -sfn /usr/local/bin/cv.phar /usr/bin/cv\n touch ${_pthLog}/cv-phar-symlink.ctrl.${_tRee}.${_xSrl}.pid\n fi\n fi\n fi\n\n if [ -e \"/var/xdrago/monitor/check\" ] \\\n && [ ! -e \"${_pthLog}/drush8-classic-symlink.ctrl.${_tRee}.${_xSrl}.pid\" ]; then\n if [ -x \"/opt/tools/drush/8/drush/drush.php\" ] \\\n && [ -L \"/usr/bin/drush8\" ]; then\n _DRUSH_SYMLINK=$(readlink -n /usr/bin/drush8 2>&1)\n _DRUSH_SYMLINK=$(echo -n ${_DRUSH_SYMLINK} | tr -d \"\\n\" 2>&1)\n if [ \"${_DRUSH_SYMLINK}\" != \"/opt/tools/drush/8/drush/drush.php\" ]; then\n rm -f /usr/bin/drush8\n rm -f /usr/bin/drush\n ln -sfn /opt/tools/drush/8/drush/drush.php /usr/bin/drush8\n ln -sfn /opt/tools/drush/8/drush/drush.php /usr/bin/drush\n touch ${_pthLog}/drush8-classic-symlink.ctrl.${_tRee}.${_xSrl}.pid\n fi\n fi\n fi\n\n if [ -e \"/var/xdrago/monitor/check\" ] \\\n && [ -e \"/var/aegir/.drush/hm.alias.drushrc.php\" ] \\\n && [ ! -e \"${_pthLog}/clean-boa-env.ctrl.f97.${_tRee}.${_xSrl}.pid\" ]; then\n mv -f /etc/init.d/clean-boa-env /var/xdrago/clean-boa-env.old\n curl ${_crlGet} \"${_urlHmr}/conf/var/clean-boa-env\" -o /etc/init.d/clean-boa-env\n if [ -e \"/etc/init.d/clean-boa-env\" ]; then\n chmod 700 /etc/init.d/clean-boa-env\n chown root:root /etc/init.d/clean-boa-env\n touch ${_pthLog}/clean-boa-env.ctrl.f97.${_tRee}.${_xSrl}.pid\n else\n mv -f /var/xdrago/clean-boa-env.old /etc/init.d/clean-boa-env\n fi\n fi\n\n if [ -e \"/var/xdrago/monitor/check\" ] \\\n && [ -e \"/var/aegir/.drush/hm.alias.drushrc.php\" ] \\\n && [ ! -e \"${_pthLog}/mysql_backup.sh.ctrl.f88.${_xSrl}.pid\" ]; then\n _CNT=$(pgrep -fc mysql_backup.sh)\n if (( _CNT > 0 )); then\n echo \"The mysql_backup.sh is running!\"\n else\n mv -f /var/xdrago/mysql_backup.sh /var/xdrago/mysql_backup.sh.old\n curl ${_crlGet} \"${_urlHmr}/tools/system/mysql_backup.sh\" -o /var/xdrago/mysql_backup.sh\n if [ -e \"/var/xdrago/mysql_backup.sh\" ]; then\n chmod 700 /var/xdrago/mysql_backup.sh\n chown root:root /var/xdrago/mysql_backup.sh\n touch ${_pthLog}/mysql_backup.sh.ctrl.f88.${_xSrl}.pid\n else\n mv -f /var/xdrago/mysql_backup.sh.old /var/xdrago/mysql_backup.sh\n fi\n fi\n fi\n\n if [ -e \"/var/xdrago/monitor/check\" ] \\\n && [ -e \"/var/aegir/.drush/hm.alias.drushrc.php\" ] \\\n && [ ! -e \"${_pthLog}/unbound-helper.ctrl.f95.${_xSrl}.pid\" ]; then\n mv -f /usr/libexec/unbound-helper /usr/libexec/unbound-helper.old\n curl ${_crlGet} \"${_urlHmr}/conf/dns/unbound-helper\" -o /usr/libexec/unbound-helper\n if [ -e \"/usr/libexec/unbound-helper\" ]; then\n chmod 755 /usr/libexec/unbound-helper\n chown root:root /usr/libexec/unbound-helper\n touch ${_pthLog}/unbound-helper.ctrl.f95.${_xSrl}.pid\n else\n mv -f /usr/libexec/unbound-helper.old /usr/libexec/unbound-helper\n fi\n fi\n\n if [ -e \"/var/xdrago/monitor/check\" ] \\\n && [ -e \"/var/aegir/.drush/hm.alias.drushrc.php\" ] \\\n && [ ! -e \"${_pthLog}/mysql_cleanup.sh.ctrl.f92.${_xSrl}.pid\" ]; then\n mv -f /var/xdrago/mysql_cleanup.sh /var/xdrago/mysql_cleanup.sh.old\n curl ${_crlGet} \"${_urlHmr}/tools/system/mysql_cleanup.sh\" -o /var/xdrago/mysql_cleanup.sh\n if [ -e \"/var/xdrago/mysql_cleanup.sh\" ]; then\n chmod 700 /var/xdrago/mysql_cleanup.sh\n chown root:root /var/xdrago/mysql_cleanup.sh\n touch ${_pthLog}/mysql_cleanup.sh.ctrl.f92.${_xSrl}.pid\n else\n mv -f /var/xdrago/mysql_cleanup.sh.old /var/xdrago/mysql_cleanup.sh\n fi\n fi\n\n if [ -e \"/var/xdrago/monitor/check\" ] \\\n && [ -e \"/var/aegir/.drush/hm.alias.drushrc.php\" ] \\\n && [ ! -e \"${_pthLog}/mysql_cluster_backup.sh.ctrl.f91.${_tRee}.${_xSrl}.pid\" ]; then\n _CNT=$(pgrep -fc mysql_cluster_backup.sh)\n if (( _CNT > 0 )); then\n echo \"The mysql_cluster_backup.sh is running!\"\n else\n mv -f /var/xdrago/mysql_cluster_backup.sh /var/xdrago/mysql_cluster_backup.sh.old\n curl ${_crlGet} \"${_urlHmr}/tools/system/mysql_cluster_backup.sh\" -o /var/xdrago/mysql_cluster_backup.sh\n if [ -e \"/var/xdrago/mysql_cluster_backup.sh\" ]; then\n chmod 700 /var/xdrago/mysql_cluster_backup.sh\n chown root:root /var/xdrago/mysql_cluster_backup.sh\n touch ${_pthLog}/mysql_cluster_backup.sh.ctrl.f91.${_tRee}.${_xSrl}.pid\n else\n mv -f /var/xdrago/mysql_cluster_backup.sh.old /var/xdrago/mysql_cluster_backup.sh\n fi\n fi\n fi\n\n if [ -e \"/var/xdrago/monitor/check\" ] \\\n && [ -e \"/var/aegir/.drush/hm.alias.drushrc.php\" ] \\\n && [ ! -e \"${_pthLog}/runner.sh.ctrl.f86.${_tRee}.${_xSrl}.pid\" ]; then\n mv -f /var/xdrago/runner.sh /var/xdrago/runner.sh.old\n curl ${_crlGet} \"${_urlHmr}/tools/system/runner.sh\" -o /var/xdrago/runner.sh\n if [ -e \"/var/xdrago/runner.sh\" ]; then\n chmod 700 /var/xdrago/runner.sh\n chown root:root /var/xdrago/runner.sh\n touch ${_pthLog}/runner.sh.ctrl.f86.${_tRee}.${_xSrl}.pid\n else\n mv -f /var/xdrago/runner.sh.old /var/xdrago/runner.sh\n fi\n fi\n\n if [ -e \"/var/xdrago/monitor/check\" ] \\\n && [ -e \"/var/aegir/.drush/hm.alias.drushrc.php\" ] \\\n && [ ! -e \"${_pthLog}/minute.sh.ctrl.f91.${_tRee}.${_xSrl}.pid\" ]; then\n mv -f /var/xdrago/minute.sh /var/xdrago/minute.sh.old\n curl ${_crlGet} \"${_urlHmr}/tools/system/minute.sh\" -o /var/xdrago/minute.sh\n if [ -e \"/var/xdrago/minute.sh\" ]; then\n chmod 700 /var/xdrago/minute.sh\n chown root:root /var/xdrago/minute.sh\n touch ${_pthLog}/minute.sh.ctrl.f91.${_tRee}.${_xSrl}.pid\n else\n mv -f /var/xdrago/minute.sh.old /var/xdrago/minute.sh\n fi\n fi\n\n if [ -e \"/var/xdrago/monitor/check\" ] \\\n && [ -e \"/var/aegir/.drush/hm.alias.drushrc.php\" ] \\\n && [ ! -e \"${_pthLog}/second.sh.ctrl.f88.${_tRee}.${_xSrl}.pid\" ]; then\n mv -f /var/xdrago/second.sh /var/xdrago/second.sh.old\n curl ${_crlGet} \"${_urlHmr}/tools/system/second.sh\" -o /var/xdrago/second.sh\n if [ -e \"/var/xdrago/second.sh\" ]; then\n chmod 700 /var/xdrago/second.sh\n chown root:root /var/xdrago/second.sh\n touch ${_pthLog}/second.sh.ctrl.f88.${_tRee}.${_xSrl}.pid\n else\n mv -f /var/xdrago/second.sh.old /var/xdrago/second.sh\n fi\n fi\n\n if [ -e \"/var/xdrago/monitor/check\" ] \\\n && [ -e \"/var/aegir/.drush/hm.alias.drushrc.php\" ] \\\n && [ ! -e \"${_pthLog}/ip_access.sh.ctrl.f93.${_tRee}.${_xSrl}.pid\" ]; then\n mv -f /var/xdrago/ip_access.sh /var/xdrago/ip_access.sh.old\n curl ${_crlGet} \"${_urlHmr}/tools/system/ip_access.sh\" -o /var/xdrago/ip_access.sh\n if [ -e \"/var/xdrago/ip_access.sh\" ]; then\n chmod 700 /var/xdrago/ip_access.sh\n chown root:root /var/xdrago/ip_access.sh\n touch ${_pthLog}/ip_access.sh.ctrl.f93.${_tRee}.${_xSrl}.pid\n else\n mv -f /var/xdrago/ip_access.sh.old /var/xdrago/ip_access.sh\n fi\n fi\n\n if [ -e \"/var/xdrago/monitor/check\" ] \\\n && [ -e \"/var/aegir/.drush/hm.alias.drushrc.php\" ] \\\n && [ ! -e \"${_pthLog}/move_sql.sh.ctrl.f90.${_tRee}.${_xSrl}.pid\" ]; then\n mv -f /var/xdrago/move_sql.sh /var/xdrago/move_sql.sh.old\n curl ${_crlGet} \"${_urlHmr}/tools/system/move_sql.sh\" -o /var/xdrago/move_sql.sh\n if [ -e \"/var/xdrago/move_sql.sh\" ]; then\n chmod 700 /var/xdrago/move_sql.sh\n chown root:root /var/xdrago/move_sql.sh\n touch ${_pthLog}/move_sql.sh.ctrl.f90.${_tRee}.${_xSrl}.pid\n else\n mv -f /var/xdrago/move_sql.sh.old /var/xdrago/move_sql.sh\n fi\n fi\n\n if [ -e \"/var/xdrago/monitor/check\" ] \\\n && [ -e \"/var/aegir/.drush/hm.alias.drushrc.php\" ] \\\n && [ ! -e \"${_pthLog}/mysql_repair.sh.ctrl.f95.${_tRee}.${_xSrl}.pid\" ]; then\n mv -f /var/xdrago/mysql_repair.sh /var/xdrago/mysql_repair.sh.old\n curl ${_crlGet} \"${_urlHmr}/tools/system/mysql_repair.sh\" -o /var/xdrago/mysql_repair.sh\n if [ -e \"/var/xdrago/mysql_repair.sh\" ]; then\n chmod 700 /var/xdrago/mysql_repair.sh\n chown root:root /var/xdrago/mysql_repair.sh\n touch ${_pthLog}/mysql_repair.sh.ctrl.f95.${_tRee}.${_xSrl}.pid\n else\n mv -f /var/xdrago/mysql_repair.sh.old /var/xdrago/mysql_repair.sh\n fi\n fi\n\n if [ -e \"/var/xdrago/monitor/check\" ] \\\n && [ -e \"/var/aegir/.drush/hm.alias.drushrc.php\" ] \\\n && [ ! -e \"${_pthLog}/purge_binlogs.sh.ctrl.f93.${_tRee}.${_xSrl}.pid\" ]; then\n mv -f /var/xdrago/purge_binlogs.sh /var/xdrago/purge_binlogs.sh.old\n curl ${_crlGet} \"${_urlHmr}/tools/system/purge_binlogs.sh\" -o /var/xdrago/purge_binlogs.sh\n if [ -e \"/var/xdrago/purge_binlogs.sh\" ]; then\n chmod 700 /var/xdrago/purge_binlogs.sh\n chown root:root /var/xdrago/purge_binlogs.sh\n touch ${_pthLog}/purge_binlogs.sh.ctrl.f93.${_tRee}.${_xSrl}.pid\n else\n mv -f /var/xdrago/purge_binlogs.sh.old /var/xdrago/purge_binlogs.sh\n fi\n fi\n\n if [ -e \"/var/xdrago/monitor/check\" ] \\\n && [ -e \"/var/aegir/.drush/hm.alias.drushrc.php\" ] \\\n && [ ! -e \"${_pthLog}/checksql.pl.ctrl.f95.${_tRee}.${_xSrl}.pid\" ]; then\n mv -f /var/xdrago/checksql.pl /var/xdrago/checksql.pl.old\n curl ${_crlGet} \"${_urlHmr}/tools/system/checksql.pl\" -o /var/xdrago/checksql.pl\n if [ -e \"/var/xdrago/checksql.pl\" ]; then\n chmod 700 /var/xdrago/checksql.pl\n chown root:root /var/xdrago/checksql.pl\n touch ${_pthLog}/checksql.pl.ctrl.f95.${_tRee}.${_xSrl}.pid\n else\n mv -f /var/xdrago/checksql.pl.old /var/xdrago/checksql.pl\n fi\n fi\n\n if [ -e \"/var/xdrago/monitor/check\" ] \\\n && [ -e \"/var/aegir/.drush/hm.alias.drushrc.php\" ] \\\n && [ ! -e \"${_pthLog}/clear.sh.ctrl.f85.${_tRee}.${_xSrl}.pid\" ]; then\n mv -f /var/xdrago/clear.sh /var/xdrago/clear.sh.old\n curl ${_crlGet} \"${_urlHmr}/tools/system/clear.sh\" -o /var/xdrago/clear.sh\n if [ -e \"/var/xdrago/clear.sh\" ]; then\n chmod 700 /var/xdrago/clear.sh\n chown root:root /var/xdrago/clear.sh\n touch ${_pthLog}/clear.sh.ctrl.f85.${_tRee}.${_xSrl}.pid\n else\n mv -f /var/xdrago/clear.sh.old /var/xdrago/clear.sh\n fi\n fi\n\n if [ -e \"/var/xdrago/monitor/check\" ] \\\n && [ -d \"/var/aegir/drush\" ] \\\n && [ ! -e \"${_pthLog}/autoupboa.ctrl.f76.${_tRee}.${_xSrl}.pid\" ]; then\n _CNT=$(pgrep -fc autoupboa)\n if (( _CNT > 0 )); then\n echo \"The autoupboa is running!\"\n else\n if [ -e \"${_optBin}/autoupboa\" ]; then\n mv -f ${_optBin}/autoupboa ${_optBin}/autoupboa.old\n fi\n curl ${_crlGet} \"${_urlHmr}/tools/bin/autoupboa\" -o ${_optBin}/autoupboa\n if [ -e \"${_optBin}/autoupboa\" ]; then\n chmod 700 ${_optBin}/autoupboa\n chown root:root ${_optBin}/autoupboa\n touch ${_pthLog}/autoupboa.ctrl.f76.${_tRee}.${_xSrl}.pid\n else\n if [ -e \"${_optBin}/autoupboa.old\" ]; then\n mv -f ${_optBin}/autoupboa.old ${_optBin}/autoupboa\n fi\n fi\n fi\n fi\n\n if [ -e \"/var/xdrago/monitor/check\" ] \\\n && [ -d \"/var/aegir/drush\" ] \\\n && [ ! -e \"${_pthLog}/fixmounts.ctrl.f98.${_tRee}.${_xSrl}.pid\" ]; then\n _CNT=$(pgrep -fc fixmounts)\n if (( _CNT > 0 )); then\n echo \"The fixmounts is running!\"\n else\n if [ -e \"${_optBin}/fixmounts\" ]; then\n mv -f ${_optBin}/fixmounts ${_optBin}/fixmounts.old\n fi\n curl ${_crlGet} \"${_urlHmr}/tools/bin/fixmounts\" -o ${_optBin}/fixmounts\n if [ -e \"${_optBin}/fixmounts\" ]; then\n chmod 700 ${_optBin}/fixmounts\n chown root:root ${_optBin}/fixmounts\n touch ${_pthLog}/fixmounts.ctrl.f98.${_tRee}.${_xSrl}.pid\n else\n if [ -e \"${_optBin}/fixmounts.old\" ]; then\n mv -f ${_optBin}/fixmounts.old ${_optBin}/fixmounts\n fi\n fi\n fi\n fi\n\n if [ -e \"/var/xdrago/monitor/check\" ] \\\n && [ -e \"/var/aegir/.drush/hm.alias.drushrc.php\" ] \\\n && [ ! -e \"${_pthLog}/daily.sh.ctrl.f73.${_tRee}.${_xSrl}.pid\" ]; then\n mv -f /var/xdrago/daily.sh /var/xdrago/daily.sh.old\n curl ${_crlGet} \"${_urlHmr}/tools/system/daily.sh\" -o /var/xdrago/daily.sh\n if [ -e \"/var/xdrago/daily.sh\" ]; then\n chmod 700 /var/xdrago/daily.sh\n chown root:root /var/xdrago/daily.sh\n touch ${_pthLog}/daily.sh.ctrl.f73.${_tRee}.${_xSrl}.pid\n else\n mv -f /var/xdrago/daily.sh.old /var/xdrago/daily.sh\n fi\n fi\n\n if [ -e \"/var/xdrago/monitor/check\" ] \\\n && [ -e \"/var/aegir/.drush/hm.alias.drushrc.php\" ] \\\n && [ ! -e \"${_pthLog}/graceful.sh.ctrl.f86.${_tRee}.${_xSrl}.pid\" ]; then\n mv -f /var/xdrago/graceful.sh /var/xdrago/graceful.sh.old\n curl ${_crlGet} \"${_urlHmr}/tools/system/graceful.sh\" -o /var/xdrago/graceful.sh\n if [ -e \"/var/xdrago/graceful.sh\" ]; then\n chmod 700 /var/xdrago/graceful.sh\n chown root:root /var/xdrago/graceful.sh\n touch ${_pthLog}/graceful.sh.ctrl.f86.${_tRee}.${_xSrl}.pid\n else\n mv -f /var/xdrago/graceful.sh.old /var/xdrago/graceful.sh\n fi\n fi\n\n if [ -e \"/var/xdrago/monitor/check\" ] \\\n && [ -e \"/var/aegir/.drush/hm.alias.drushrc.php\" ] \\\n && [ ! -e \"${_pthLog}/usage.sh.ctrl.f80.${_tRee}.${_xSrl}.pid\" ]; then\n mv -f /var/xdrago/usage.sh /var/xdrago/usage.sh.old\n curl ${_crlGet} \"${_urlHmr}/tools/system/usage.sh\" -o /var/xdrago/usage.sh\n if [ -e \"/var/xdrago/usage.sh\" ]; then\n chmod 700 /var/xdrago/usage.sh\n chown root:root /var/xdrago/usage.sh\n touch ${_pthLog}/usage.sh.ctrl.f80.${_tRee}.${_xSrl}.pid\n else\n mv -f /var/xdrago/usage.sh.old /var/xdrago/usage.sh\n fi\n fi\n\n if [ -e \"/var/xdrago/monitor/check\" ] \\\n && [ -e \"/var/aegir/.drush/hm.alias.drushrc.php\" ] \\\n && [ ! -e \"${_pthLog}/manage_ltd_users.sh.ctrl.f67.${_tRee}.${_xSrl}.pid\" ]; then\n mv -f /var/xdrago/manage_ltd_users.sh /var/xdrago/manage_ltd_users.sh.old\n curl ${_crlGet} \"${_urlHmr}/tools/system/manage_ltd_users.sh\" \\\n -o /var/xdrago/manage_ltd_users.sh\n if [ -e \"/var/xdrago/manage_ltd_users.sh\" ]; then\n chmod 700 /var/xdrago/manage_ltd_users.sh\n chown root:root /var/xdrago/manage_ltd_users.sh\n touch ${_pthLog}/manage_ltd_users.sh.ctrl.f67.${_tRee}.${_xSrl}.pid\n [ -e \"/run/manage_ltd_users.pid\" ] && rm -f /run/manage_ltd_users.pid\n [ -d \"/var/backups/ltd/log\" ] && rm -rf /var/backups/ltd/log\n mkdir -p /var/backups/ltd/{conf,log,old}\n else\n mv -f /var/xdrago/manage_ltd_users.sh.old /var/xdrago/manage_ltd_users.sh\n fi\n fi\n\n if [ -e \"/var/xdrago/monitor/check\" ] \\\n && [ -e \"/var/aegir/.drush/hm.alias.drushrc.php\" ] \\\n && [ ! -e \"${_pthLog}/manage_solr_config.sh.ctrl.f85.${_tRee}.${_xSrl}.pid\" ]; then\n mv -f /var/xdrago/manage_solr_config.sh /var/xdrago/manage_solr_config.sh.old\n curl ${_crlGet} \"${_urlHmr}/tools/system/manage_solr_config.sh\" \\\n -o /var/xdrago/manage_solr_config.sh\n if [ -e \"/var/xdrago/manage_solr_config.sh\" ]; then\n chmod 700 /var/xdrago/manage_solr_config.sh\n chown root:root /var/xdrago/manage_solr_config.sh\n touch ${_pthLog}/manage_solr_config.sh.ctrl.f85.${_tRee}.${_xSrl}.pid\n rm -f /run/manage_solr_config.pid\n else\n mv -f /var/xdrago/manage_solr_config.sh.old /var/xdrago/manage_solr_config.sh\n fi\n fi\n\n if [ -e \"/var/xdrago/monitor/check\" ] \\\n && [ -e \"/var/aegir/.drush/hm.alias.drushrc.php\" ] \\\n && [ ! -e \"${_pthLog}/proc_num_ctrl.pl.ctrl.f83.${_tRee}.${_xSrl}.pid\" ]; then\n mv -f /var/xdrago/proc_num_ctrl.pl /var/xdrago/proc_num_ctrl.pl.old\n curl ${_crlGet} \"${_urlHmr}/tools/system/proc_num_ctrl.pl\" \\\n -o /var/xdrago/proc_num_ctrl.pl\n if [ -e \"/var/xdrago/proc_num_ctrl.pl\" ]; then\n chmod 700 /var/xdrago/proc_num_ctrl.pl\n chown root:root /var/xdrago/proc_num_ctrl.pl\n touch ${_pthLog}/proc_num_ctrl.pl.ctrl.f83.${_tRee}.${_xSrl}.pid\n else\n mv -f /var/xdrago/proc_num_ctrl.pl.old /var/xdrago/proc_num_ctrl.pl\n fi\n fi\n\n if [ -e \"/var/xdrago/monitor/check\" ] \\\n && [ -e \"/var/aegir/.drush/hm.alias.drushrc.php\" ] \\\n && [ ! -e \"${_pthLog}/fast_shutdown.ctrl.${_tRee}.${_xSrl}.pid\" ]; then\n sed -i \"s/.*opcache.fast_shutdown.*//g\" /opt/etc/fpm/fpm-pool-commo*.conf\n _PHP_V=\"85 84 83 82 81 80 74 73 72 71 70 56\"\n for e in ${_PHP_V}; do\n if [ -e \"/etc/init.d/php${e}-fpm\" ] && [ -e \"/opt/php${e}/bin/php\" ]; then\n service \"php${e}-fpm\" reload &> /dev/null\n fi\n done\n _PHP_V=\"55 54 53\"\n for e in ${_PHP_V}; do\n if [ -e \"/etc/init.d/php${e}-fpm\" ] && [ -e \"/opt/php${e}/bin/php\" ]; then\n service \"php${e}-fpm\" force-quit &> /dev/null\n fi\n done\n touch ${_pthLog}/fast_shutdown.ctrl.${_tRee}.${_xSrl}.pid\n fi\n\n if [ -e \"/var/xdrago/monitor/check\" ] \\\n && [ -e \"/var/aegir/.drush/hm.alias.drushrc.php\" ] \\\n && [ -x \"/usr/sbin/csf\" ] \\\n && [ -e \"/etc/csf/csf.deny\" ] \\\n && [ ! -e \"${_pthLog}/guest-fire.sh.ctrl.f92.${_tRee}.${_xSrl}.pid\" ]; then\n mv -f /var/xdrago/guest-fire.sh /var/xdrago/guest-fire.sh.old\n curl ${_crlGet} \"${_urlHmr}/tools/system/guest-fire.sh\" \\\n -o /var/xdrago/guest-fire.sh\n if [ -e \"/var/xdrago/guest-fire.sh\" ]; then\n chmod 700 /var/xdrago/guest-fire.sh\n chown root:root /var/xdrago/guest-fire.sh\n touch ${_pthLog}/guest-fire.sh.ctrl.f92.${_tRee}.${_xSrl}.pid\n else\n mv -f /var/xdrago/guest-fire.sh.old /var/xdrago/guest-fire.sh\n fi\n fi\n\n if [ -e \"/var/xdrago/monitor/check\" ] \\\n && [ -e \"/var/xdrago\" ] \\\n && [ -e \"/var/aegir/.drush/hm.alias.drushrc.php\" ] \\\n && [ -x \"/usr/sbin/csf\" ] \\\n && [ -e \"/etc/csf/csf.deny\" ] \\\n && [ ! -e \"${_pthLog}/guest-water.sh.ctrl.f89.${_tRee}.${_xSrl}.pid\" ]; then\n mv -f /var/xdrago/guest-water.sh /var/xdrago/guest-water.sh.old\n curl ${_crlGet} \"${_urlHmr}/tools/system/guest-water.sh\" \\\n -o /var/xdrago/guest-water.sh\n if [ -e \"/var/xdrago/guest-water.sh\" ]; then\n chmod 700 /var/xdrago/guest-water.sh\n chown root:root /var/xdrago/guest-water.sh\n touch ${_pthLog}/guest-water.sh.ctrl.f89.${_tRee}.${_xSrl}.pid\n else\n mv -f /var/xdrago/guest-water.sh.old /var/xdrago/guest-water.sh\n fi\n fi\n\n if ! grep -q \"whoami\" /var/xdrago/conf/lshell.conf; then\n rm -f ${_pthLog}/lshell.ctrl.*\n fi\n if [ -x \"/opt/tools/drush/8/drush/drush.php\" ] \\\n && [ -e \"/var/xdrago\" ] \\\n && [ -e \"/var/aegir/.drush/hm.alias.drushrc.php\" ] \\\n && [ ! -e \"${_pthLog}/lshell.ctrl.f91.${_tRee}.${_xSrl}.pid\" ]; then\n if [ -z \"${_CUSTOM_CONFIG_LSHELL}\" ] \\\n || [ \"${_CUSTOM_CONFIG_LSHELL}\" = \"NO\" ]; then\n mv -f /var/xdrago/conf/lshell.conf /var/xdrago/conf/lshell.conf.old\n curl ${_crlGet} \"${_urlHmr}/tools/system/conf/lshell.conf\" \\\n -o /var/xdrago/conf/lshell.conf\n if [ -e \"/var/xdrago/conf/lshell.conf\" ]; then\n chmod 644 /var/xdrago/conf/lshell.conf\n chown root:root /var/xdrago/conf/lshell.conf\n touch ${_pthLog}/lshell.ctrl.f91.${_tRee}.${_xSrl}.pid\n else\n mv -f /var/xdrago/conf/lshell.conf.old /var/xdrago/conf/lshell.conf\n fi\n fi\n fi\n\n if [ -x \"/opt/tools/drush/8/drush/drush.php\" ] \\\n && [ -e \"/var/xdrago\" ] \\\n && [ -e \"/var/aegir/.drush/hm.alias.drushrc.php\" ]; then\n _BROKEN_UPDATE_TEST=$(grep \"Under Construction\" /var/xdrago/conf/fpm-pool* 2>&1)\n if [ ! -z \"${_BROKEN_UPDATE_TEST}\" ]; then\n rm -f /var/xdrago/conf/fpm-pool*\n rm ${_pthLog}/multi.ctrl.*\n rm ${_pthLog}/legacy.ctrl.*\n rm ${_pthLog}/modern.ctrl.*\n rm ${_pthLog}/single.ctrl.*\n rm ${_pthLog}/common.ctrl.*\n fi\n _BROKEN_UPDATE_TEST=$(grep \"404 Not Found\" /var/xdrago/conf/fpm-pool* 2>&1)\n if [ ! -z \"${_BROKEN_UPDATE_TEST}\" ]; then\n rm -f /var/xdrago/conf/fpm-pool*\n rm ${_pthLog}/multi.ctrl.*\n rm ${_pthLog}/legacy.ctrl.*\n rm ${_pthLog}/modern.ctrl.*\n rm ${_pthLog}/single.ctrl.*\n rm ${_pthLog}/common.ctrl.*\n fi\n _BROKEN_UPDATE_TEST=$(grep \"max_execution_time\" /var/xdrago/conf/fpm-pool* 2>&1)\n if [ -z \"${_BROKEN_UPDATE_TEST}\" ]; then\n rm -f /var/xdrago/conf/fpm-pool*\n rm ${_pthLog}/multi.ctrl.*\n rm ${_pthLog}/legacy.ctrl.*\n rm ${_pthLog}/modern.ctrl.*\n rm ${_pthLog}/single.ctrl.*\n rm ${_pthLog}/common.ctrl.*\n fi\n _BROKEN_UPDATE_TEST=$(grep \"max_accelerated_files\" /var/xdrago/conf/fpm-pool* 2>&1)\n if [ ! -z \"${_BROKEN_UPDATE_TEST}\" ]; then\n rm -f /var/xdrago/conf/fpm-pool*\n rm ${_pthLog}/multi.ctrl.*\n rm ${_pthLog}/legacy.ctrl.*\n rm ${_pthLog}/modern.ctrl.*\n rm ${_pthLog}/single.ctrl.*\n rm ${_pthLog}/common.ctrl.*\n fi\n fi\n\n if [ -x \"/opt/tools/drush/8/drush/drush.php\" ] \\\n && [ -e \"/var/xdrago\" ] \\\n && [ -e \"/var/aegir/.drush/hm.alias.drushrc.php\" ] \\\n && [ ! -e \"${_pthLog}/common.ctrl.${_tRee}.${_xSrl}.pid\" ]; then\n mv -f /var/xdrago/conf/fpm-pool-common.conf /var/xdrago/conf/fpm-pool-common.conf.old\n curl ${_crlGet} \"${_urlHmr}/conf/php/fpm-pool-common.conf\" \\\n -o /var/xdrago/conf/fpm-pool-common.conf\n if [ -e \"/var/xdrago/conf/fpm-pool-common.conf\" ]; then\n sed -i \"s/127.0.0.1/127.0.0.1,${_LOC_IP}/g\" /var/xdrago/conf/fpm-pool-common.conf\n chmod 644 /var/xdrago/conf/fpm-pool-common.conf\n chown root:root /var/xdrago/conf/fpm-pool-common.conf\n touch ${_pthLog}/common.ctrl.${_tRee}.${_xSrl}.pid\n else\n mv -f /var/xdrago/conf/fpm-pool-common.conf.old /var/xdrago/conf/fpm-pool-common.conf\n fi\n fi\n\n if [ -x \"/opt/tools/drush/8/drush/drush.php\" ] \\\n && [ -e \"/var/xdrago\" ] \\\n && [ -e \"/var/aegir/.drush/hm.alias.drushrc.php\" ] \\\n && [ ! -e \"${_pthLog}/legacy.ctrl.${_tRee}.${_xSrl}.pid\" ]; then\n mv -f /var/xdrago/conf/fpm-pool-common-legacy.conf /var/xdrago/conf/fpm-pool-common-legacy.conf.old\n curl ${_crlGet} \"${_urlHmr}/conf/php/fpm-pool-common-legacy.conf\" \\\n -o /var/xdrago/conf/fpm-pool-common-legacy.conf\n if [ -e \"/var/xdrago/conf/fpm-pool-common-legacy.conf\" ]; then\n sed -i \"s/127.0.0.1/127.0.0.1,${_LOC_IP}/g\" /var/xdrago/conf/fpm-pool-common-legacy.conf\n chmod 644 /var/xdrago/conf/fpm-pool-common-legacy.conf\n chown root:root /var/xdrago/conf/fpm-pool-common-legacy.conf\n touch ${_pthLog}/legacy.ctrl.${_tRee}.${_xSrl}.pid\n else\n mv -f /var/xdrago/conf/fpm-pool-common-legacy.conf.old /var/xdrago/conf/fpm-pool-common-legacy.conf\n fi\n fi\n\n if [ -x \"/opt/tools/drush/8/drush/drush.php\" ] \\\n && [ -e \"/var/xdrago\" ] \\\n && [ -e \"/var/aegir/.drush/hm.alias.drushrc.php\" ] \\\n && [ ! -e \"${_pthLog}/modern.ctrl.${_tRee}.${_xSrl}.pid\" ]; then\n mv -f /var/xdrago/conf/fpm-pool-common-modern.conf /var/xdrago/conf/fpm-pool-common-modern.conf.old\n curl ${_crlGet} \"${_urlHmr}/conf/php/fpm-pool-common-modern.conf\" \\\n -o /var/xdrago/conf/fpm-pool-common-modern.conf\n if [ -e \"/var/xdrago/conf/fpm-pool-common-modern.conf\" ]; then\n sed -i \"s/127.0.0.1/127.0.0.1,${_LOC_IP}/g\" /var/xdrago/conf/fpm-pool-common-modern.conf\n chmod 644 /var/xdrago/conf/fpm-pool-common-modern.conf\n chown root:root /var/xdrago/conf/fpm-pool-common-modern.conf\n touch ${_pthLog}/modern.ctrl.${_tRee}.${_xSrl}.pid\n else\n mv -f /var/xdrago/conf/fpm-pool-common-modern.conf.old /var/xdrago/conf/fpm-pool-common-modern.conf\n fi\n fi\n\n if [ -x \"/opt/tools/drush/8/drush/drush.php\" ] \\\n && [ -e \"/var/xdrago\" ] \\\n && [ -e \"/var/aegir/.drush/hm.alias.drushrc.php\" ] \\\n && [ ! -e \"${_pthLog}/multi.ctrl.${_tRee}.${_xSrl}.pid\" ]; then\n mv -f /var/xdrago/conf/fpm-pool-foo-multi.conf /var/xdrago/conf/fpm-pool-foo-multi.conf.old\n curl ${_crlGet} \"${_urlHmr}/conf/php/fpm-pool-foo-multi.conf\" \\\n -o /var/xdrago/conf/fpm-pool-foo-multi.conf\n if [ -e \"/var/xdrago/conf/fpm-pool-foo-multi.conf\" ]; then\n chmod 644 /var/xdrago/conf/fpm-pool-foo-multi.conf\n chown root:root /var/xdrago/conf/fpm-pool-foo-multi.conf\n touch ${_pthLog}/multi.ctrl.${_tRee}.${_xSrl}.pid\n else\n mv -f /var/xdrago/conf/fpm-pool-foo-multi.conf.old /var/xdrago/conf/fpm-pool-foo-multi.conf\n fi\n fi\n\n if [ -e \"/opt/tools/drush\" ] \\\n && [ -e \"/var/xdrago\" ] \\\n && [ -e \"/var/aegir/.drush/hm.alias.drushrc.php\" ] \\\n && [ ! -e \"${_pthLog}/single.ctrl.${_tRee}.${_xSrl}.pid\" ]; then\n mv -f /var/xdrago/conf/fpm-pool-foo.conf /var/xdrago/conf/fpm-pool-foo.conf.old\n curl ${_crlGet} \"${_urlHmr}/conf/php/fpm-pool-foo.conf\" \\\n -o /var/xdrago/conf/fpm-pool-foo.conf\n if [ -e \"/var/xdrago/conf/fpm-pool-foo.conf\" ]; then\n chmod 644 /var/xdrago/conf/fpm-pool-foo.conf\n chown root:root /var/xdrago/conf/fpm-pool-foo.conf\n touch ${_pthLog}/single.ctrl.${_tRee}.${_xSrl}.pid\n else\n mv -f /var/xdrago/conf/fpm-pool-foo.conf.old /var/xdrago/conf/fpm-pool-foo.conf\n fi\n fi\n\n if [ -e \"/etc/ImageMagick-6/policy.xml\" ] \\\n && [ -e \"/var/xdrago\" ] \\\n && [ ! -e \"${_pthLog}/policymap-hf-06.ctrl.${_tRee}.${_xSrl}.pid\" ]; then\n _isCurlBin=\"$(which curl)\"\n chmod 755 ${_isCurlBin} &> /dev/null\n chgrp root ${_isCurlBin} &> /dev/null\n cp -af /etc/ImageMagick-6/policy.xml /var/xdrago/conf/etc-ImageMagick-6-policy.xml.hf-06.old\n rm -f /var/xdrago/conf/etc-ImageMagick-6-policy.xml\n curl ${_crlGet} \"${_urlHmr}/conf/etc/etc-ImageMagick-6-policy.xml\" \\\n -o /var/xdrago/conf/etc-ImageMagick-6-policy.xml\n if [ -e \"/var/xdrago/conf/etc-ImageMagick-6-policy.xml\" ]; then\n cp -af /var/xdrago/conf/etc-ImageMagick-6-policy.xml /etc/ImageMagick-6/policy.xml\n chmod 644 /etc/ImageMagick-6/policy.xml\n chown root:root /etc/ImageMagick-6/policy.xml\n touch ${_pthLog}/policymap-hf-06.ctrl.${_tRee}.${_xSrl}.pid\n _PHP_V=\"85 84 83 82 81 80 74 73 72 71 70 56\"\n for e in ${_PHP_V}; do\n if [ -e \"/etc/init.d/php${e}-fpm\" ]; then\n service \"php${e}-fpm\" reload &> /dev/null\n fi\n done\n else\n if [ -e \"/var/xdrago/conf/etc-ImageMagick-6-policy.xml.hf-06.old\" ]; then\n cp -af /var/xdrago/conf/etc-ImageMagick-6-policy.xml.hf-06.old /etc/ImageMagick-6/policy.xml\n fi\n fi\n fi\n\n if [ -e \"/opt/tools/drush\" ] \\\n && [ -e \"/var/xdrago\" ] \\\n && [ -e \"/var/aegir/.drush/hm.alias.drushrc.php\" ] \\\n && [ -d \"/data/u\" ] \\\n && [ ! -e \"${_pthLog}/dispatch.ctrl.${_tRee}.${_xSrl}.pid\" ]; then\n sed -i \"s/.*cache.*//g; s/.*cc drush.*//g; s/ *$//g; /^$/d\" /data/disk/*/aegir.sh\n touch ${_pthLog}/dispatch.ctrl.${_tRee}.${_xSrl}.pid\n fi\n\n if [ -e \"/var/xdrago/monitor/check\" ] \\\n && [ -e \"/var/xdrago/conf/control-readme.txt\" ] \\\n && [ ! -e \"${_pthLog}/control-readme.txt.ctrl.${_tRee}.${_xSrl}.pid\" ]; then\n mv -f /var/xdrago/conf/control-readme.txt /var/xdrago/conf/control-readme.txt.old\n curl ${_crlGet} \"${_urlHmr}/tools/system/conf/control-readme.txt\" -o /var/xdrago/conf/control-readme.txt\n if [ -e \"/var/xdrago/conf/control-readme.txt\" ]; then\n chmod 644 /var/xdrago/conf/control-readme.txt\n chown root:root /var/xdrago/conf/control-readme.txt\n touch ${_pthLog}/control-readme.txt.ctrl.${_tRee}.${_xSrl}.pid\n else\n mv -f /var/xdrago/conf/control-readme.txt.old /var/xdrago/conf/control-readme.txt\n fi\n fi\n\n if [ -d \"/data/u\" ] \\\n && [ ! -e \"${_pthLog}/hosting.cron.queue.ctrl.f96.${_tRee}.${_xSrl}.pid\" ]; then\n _hQueueF=\"hosting_cron.module\"\n _hQueueP=\"/var/xdrago/conf/${_hQueueF}\"\n [ -e \"${_hQueueP}\" ] && _isPatchedTpl=$(grep \"url_own\" \"${_hQueueP}\")\n if [ ! -e \"${_hQueueP}\" ] || [[ ! \"${_isPatchedTpl}\" =~ \"url_own\" ]]; then\n curl ${_crlGet} \"${_urlHmr}/patches/${_hQueueF}\" -o ${_hQueueP}\n fi\n for _pthSysUsr in `find /data/disk/ -maxdepth 1 -mindepth 1 | sort`; do\n _tUsr=\n _tUsr=$(echo ${_pthSysUsr} | cut -d'/' -f4 | awk '{ print $1}' 2>&1)\n if [ -n \"${_tUsr}\" ] && [ \"${_tUsr}\" != \"arch\" ]; then\n if [ -e \"${_pthSysUsr}/log/hosting_cron_use_backend.txt\" ]; then\n rm -f ${_pthSysUsr}/log/hosting_cron_use_backend.txt\n fi\n _hmPlr=$(cat ${_pthSysUsr}/.drush/hostmaster.alias.drushrc.php \\\n | grep \"root'\" \\\n | cut -d: -f2 \\\n | awk '{ print $3}' \\\n | sed \"s/[\\,']//g\" 2>&1)\n _hmDir=\"${_hmPlr}/profiles/hostmaster/modules/aegir/hosting\"\n _hmQmd=\"${_hmDir}/cron/hosting_cron.module\"\n if [ -e \"${_hmDir}/cron/hosting_cron.module.orig\" ]; then\n rm -f ${_hmDir}/cron/hosting_cron.module.orig\n fi\n if [ -e \"${_hmDir}/cron/hosting_cron.module.rej\" ]; then\n rm -f ${_hmDir}/cron/hosting_cron.module.rej\n fi\n if [ -e \"${_hmQmd}\" ] && [ -e \"${_hQueueP}\" ]; then\n _isPatched=$(grep \"url_own\" \"${_hmQmd}\")\n if [[ ! \"${_isPatched}\" =~ \"url_own\" ]]; then\n cp -a ${_hQueueP} ${_hmDir}/cron/\n if [ -e \"${_hmDir}/cron/${_hQueueF}\" ]; then\n sed -i \"s/127.0.0.1/${_LOC_IP}/g\" \"${_hmDir}/cron/${_hQueueF}\"\n fi\n fi\n fi\n fi\n done\n touch ${_pthLog}/hosting.cron.queue.ctrl.f96.${_tRee}.${_xSrl}.pid\n fi\n\n if [ -d \"/data/u\" ] \\\n && [ ! -e \"${_pthLog}/hosting.cron.ctrl.f99.${_tRee}.${_xSrl}.pid\" ]; then\n for _pthSysUsr in `find /data/disk/ -maxdepth 1 -mindepth 1 | sort`; do\n _tUsr=\n _tUsr=$(echo ${_pthSysUsr} | cut -d'/' -f4 | awk '{ print $1}' 2>&1)\n if [ -n \"${_tUsr}\" ] && [ \"${_tUsr}\" != \"arch\" ]; then\n if [ -e \"${_pthSysUsr}/log/hosting_cron_use_backend.txt\" ]; then\n rm -f ${_pthSysUsr}/log/hosting_cron_use_backend.txt\n fi\n fi\n done\n touch ${_pthLog}/hosting.cron.ctrl.f99.${_tRee}.${_xSrl}.pid\n fi\n\n if [ -e \"/var/xdrago/monitor/check\" ] \\\n && [ -d \"/data/u\" ] \\\n && [ -e \"/usr/sbin/csf\" ] \\\n && [ ! -e \"${_pthLog}/fpm-cli.ctrl.${_tRee}.${_xSrl}.pid\" ]; then\n _usrGroup=users\n [ -d \"/var/backups/off-run/\" ] && cp -a /var/backups/off-run/run* /var/xdrago/ &> /dev/null\n for _pthSysUsr in `find /data/disk/ -maxdepth 1 -mindepth 1 | sort`; do\n _tUsr=\n _tUsr=$(echo ${_pthSysUsr} | cut -d'/' -f4 | awk '{ print $1}' 2>&1)\n if [ \"${_tUsr}\" != \"arch\" ]; then\n if [ ! -e \"${_pthSysUsr}/static/control/MyQuick.info\" ] \\\n && [ ! -e \"${_pthSysUsr}/static/control/MyClassic.info\" ]; then\n echo ON > ${_pthSysUsr}/static/control/MyQuick.info\n fi\n if [ ! -e \"${_pthSysUsr}/static/control/.disFastTrack.pid\" ]; then\n rm -f ${_pthSysUsr}/static/control/FastTrack.info\n touch ${_pthSysUsr}/static/control/.disFastTrack.pid\n fi\n if [ ! -e \"${_pthSysUsr}/static/control/FastTrack.info\" ] \\\n && [ ! -e \"${_pthSysUsr}/static/control/ClassicTrack.info\" ]; then\n echo ON > ${_pthSysUsr}/static/control/ClassicTrack.info\n fi\n if [ -e \"${_pthSysUsr}/static/control/fpm.info\" ] \\\n && [ ! -e \"${_pthSysUsr}/static/control/cli.info\" ]; then\n cp ${_pthSysUsr}/static/control/fpm.info ${_pthSysUsr}/static/control/cli.info\n fi\n if [ -e \"${_pthSysUsr}/log/CANCELLED\" ] \\\n || [ -e \"${_pthSysUsr}/log/proxied.pid\" ] \\\n || [ ! -e \"${_pthSysUsr}/static/control/cli.info\" ]; then\n if [ -e \"/var/xdrago/run-${_tUsr}\" ] \\\n && [ -e \"/var/aegir/.drush/hm.alias.drushrc.php\" ]; then\n [ -d \"/var/backups/off-run\" ] || mkdir -p /var/backups/off-run\n mv -f /var/xdrago/run-${_tUsr} /var/backups/off-run/\n fi\n else\n _dscUsr=\"/data/disk/${_tUsr}\"\n _ngxCnf=\"${_dscUsr}/config/includes/nginx_vhost_common.conf\"\n _NGINX_CNF_TEST=$(grep \"foobaroff\" ${_ngxCnf} 2>&1)\n if [[ \"${_NGINX_CNF_TEST}\" =~ \"foobaroff\" ]]; then\n _DO_NOTHING=YES\n else\n sed -i \"s/args.*q=/args ~* \\\"foobaroff=/g\" ${_ngxCnf}\n fi\n for _version in 84 85 83 82 81 74 56; do\n if [ -x \"/opt/php${_version}/bin/php\" ]; then\n if [ \"${_version}\" = \"74\" ]; then\n _useCli=\"7.4\"\n _useFpm=\"7.4\"\n elif [ \"${_version}\" = \"56\" ]; then\n _useCli=\"5.6\"\n _useFpm=\"5.6\"\n else\n _useCli=\"8.${_version:1}\"\n _useFpm=\"8.${_version:1}\"\n fi\n break\n fi\n done\n if [ ! -e \"${_dscUsr}/static/control/fpm.info\" ] \\\n && [ -e \"/var/aegir/.drush/hm.alias.drushrc.php\" ]; then\n if [ -n \"${_useFpm}\" ]; then\n echo ${_useFpm} > ${_dscUsr}/static/control/fpm.info\n chown ${_tUsr}.ftp:${_usrGroup} ${_dscUsr}/static/control/fpm.info\n chmod 0644 ${_dscUsr}/static/control/fpm.info\n fi\n fi\n if [ ! -e \"${_dscUsr}/static/control/cli.info\" ] \\\n && [ -e \"/var/aegir/.drush/hm.alias.drushrc.php\" ]; then\n if [ -e \"${_dscUsr}/static/control/fpm.info\" ]; then\n cp -af ${_dscUsr}/static/control/fpm.info ${_dscUsr}/static/control/cli.info\n else\n if [ -n \"${_useCli}\" ]; then\n echo ${_useCli} > ${_dscUsr}/static/control/cli.info\n chown ${_tUsr}.ftp:${_usrGroup} ${_dscUsr}/static/control/cli.info\n chmod 0644 ${_dscUsr}/static/control/cli.info\n fi\n fi\n fi\n if [ ! -e \"${_dscUsr}/static/control/.ctrl.${_tRee}.${_xSrl}.pid\" ] \\\n && [ -e \"/home/${_tUsr}.ftp/clients\" ]; then\n mkdir -p ${_dscUsr}/static/control\n chmod 755 ${_dscUsr}/static/control\n if [ -e \"/var/xdrago/conf/control-readme.txt\" ]; then\n cp -af /var/xdrago/conf/control-readme.txt \\\n ${_dscUsr}/static/control/README.txt &> /dev/null\n chmod 0644 ${_dscUsr}/static/control/README.txt\n fi\n chown -R ${_tUsr}.ftp:${_usrGroup} ${_dscUsr}/static/control\n rm -f ${_dscUsr}/static/control/.ctrl.*\n echo OK > ${_dscUsr}/static/control/.ctrl.${_tRee}.${_xSrl}.pid\n fi\n fi\n fi\n done\n touch ${_pthLog}/fpm-cli.ctrl.${_tRee}.${_xSrl}.pid\n fi\n\n # Create the destination directory if it doesn't exist\n [ -d \"/var/backups/off-run\" ] || mkdir -p /var/backups/off-run\n\n if [ -e \"/var/xdrago/monitor/check\" ] \\\n && [ -d \"/data/u\" ] \\\n && [ -e \"/usr/sbin/csf\" ]; then\n # Loop through all files matching the pattern /var/xdrago/run-USER\n for _file in /var/xdrago/run-*; do\n # Skip iteration if no files match the pattern\n [ -e \"${_file}\" ] || continue\n\n # Extract the _USER from the filename\n _USER=${_file#/var/xdrago/run-}\n\n # Define the paths to check\n _USER_DIR=\"/data/disk/${_USER}\"\n _CANCELLED_FILE=\"${_USER_DIR}/log/CANCELLED\"\n _PROXIED_PID_FILE=\"${_USER_DIR}/log/proxied.pid\"\n _CLI_INFO_FILE=\"${_USER_DIR}/static/control/cli.info\"\n\n # Check the conditions\n if [ ! -d \"${_USER_DIR}\" ] || \\\n [ -f \"${_CANCELLED_FILE}\" ] || \\\n [ -f \"${_PROXIED_PID_FILE}\" ] || \\\n [ ! -f \"${_CLI_INFO_FILE}\" ]; then\n # Move the file if any condition is met\n mv -f \"${_file}\" /var/backups/off-run/\n fi\n\n if grep -q \"renice 0\" \"${_file}\"; then\n sed -i \"s/renice 0/renice 9/g\" \"${_file}\"\n fi\n done\n fi\n\n if [ -x \"/opt/tools/drush/8/drush/drush.php\" ] \\\n && [ -e \"${_provLeIncFull}\" ] \\\n && [ -e \"${_hoLeIncFull}\" ] \\\n && [ -e \"/var/xdrago\" ] \\\n && [ -e \"/var/aegir/.drush/hm.alias.drushrc.php\" ] \\\n && [ -d \"/data/u\" ] \\\n && [ ! -e \"${_pthLog}/le_renewal_days_69.ctrl.${_tRee}.${_xSrl}.pid\" ]; then\n _leBasePath=\"profiles/hostmaster/modules/aegir/hosting_le\"\n _lePath=\"${_leBasePath}/drush/${_provLeInc}\"\n _leVhPath=\"${_leBasePath}/hosting_le_vhost/drush/${_hoLeInc}\"\n for _pthSysUsr in `find /data/disk/ -maxdepth 1 -mindepth 1 | sort`; do\n if [ -e \"${_pthSysUsr}/config/server_master/nginx/vhost.d\" ] \\\n && [ -e \"${_pthSysUsr}/static/control/cli.info\" ] \\\n && [ ! -e \"${_pthSysUsr}/log/proxied.pid\" ] \\\n && [ ! -e \"${_pthSysUsr}/log/CANCELLED\" ]; then\n _tUsr=\n _validReg=\n _validIPr=\n _tUsr=$(echo ${_pthSysUsr} | cut -d'/' -f4 | awk '{ print $1}' 2>&1)\n _dscUsr=\"/data/disk/${_tUsr}\"\n _hmPf=$(cat ${_dscUsr}/.drush/hostmaster.alias.drushrc.php \\\n | grep \"root'\" \\\n | cut -d: -f2 \\\n | awk '{ print $3}' \\\n | sed \"s/[\\,']//g\" 2>&1)\n _locFile=\"${_hmPf}/${_lePath}\"\n if [ -e \"${_locFile}\" ] && [ -e \"${_provLeIncFull}\" ]; then\n cp -af ${_provLeIncFull} ${_locFile}\n chown ${_tUsr}:users ${_locFile}\n chmod 0644 ${_locFile}\n fi\n _locVhFile=\"${_hmPf}/${_leVhPath}\"\n if [ -e \"${_locVhFile}\" ] && [ -e \"${_hoLeIncFull}\" ]; then\n cp -af ${_hoLeIncFull} ${_locVhFile}\n chown ${_tUsr}:users ${_locVhFile}\n chmod 0644 ${_locVhFile}\n fi\n _leRoot=\"${_dscUsr}/tools/le\"\n _exeLe=\"${_leRoot}/dehydrated\"\n _dehydFull=\"${_leRoot}/${_dehydName}\"\n _legacyLeShFile=\"${_leRoot}/letsencrypt.sh\"\n _lockLeFile=\"${_leRoot}/lock\"\n _configIni=\"${_leRoot}/config\"\n _acctsDir=\"${_leRoot}/accounts\"\n _acctsDemoDir=\"${_leRoot}/accounts-demo\"\n _demoPid=\"${_leRoot}/.ctrl/ssl-demo-mode.pid\"\n _normalRegPid=\"${_leRoot}/.ctrl/normal-re6-register.pid\"\n _forcedRegPid=\"${_leRoot}/.ctrl/forced-re6-register.pid\"\n _onDemandRegPid=\"${_leRoot}/.ctrl/onDemand-register.pid\"\n _validIdn=$(grep \"letsencrypt\" ${_acctsDir}/*/account_id.json 2>&1)\n _validReg=$(grep \"valid\" ${_acctsDir}/*/registration_info.json 2>&1)\n _validIPr=$(grep \"${_LOC_IP}\" ${_acctsDir}/*/registration_info.json 2>&1)\n _HOUR=$(date +%H 2>&1)\n _HOUR=${_HOUR//[^0-9-]/}\n if [ -e \"${_dehydSrcPath}\" ]; then\n cp -af ${_dehydSrcPath} ${_dehydFull}\n chown ${_tUsr}:users ${_dehydFull}\n chmod 0700 ${_dehydFull}\n fi\n if [ -e \"${_dehydFull}\" ] \\\n && [ ! -e \"${_normalRegPid}\" ]; then\n if [ \"${_HOUR}\" = \"5\" ] \\\n || [ \"${_HOUR}\" = \"17\" ] \\\n || [ -e \"${_onDemandRegPid}\" ]; then\n su -s /bin/bash - ${_tUsr} -c \"bash ${_exeLe} --register --accept-terms\"\n wait\n touch ${_normalRegPid}\n fi\n fi\n if [ -e \"${_lockLeFile}\" ]; then\n rm -f ${_lockLeFile}\n sleep 1\n fi\n if [ -e \"${_demoPid}\" ]; then\n rm -f ${_demoPid}\n fi\n if [ \"${_HOUR}\" = \"11\" ] \\\n || [ \"${_HOUR}\" = \"23\" ] \\\n || [ -e \"${_onDemandRegPid}\" ]; then\n if [ -e \"${_legacyLeShFile}\" ] \\\n || [ -e \"${_acctsDemoDir}\" ] \\\n || [[ ! \"${_validIdn}\" =~ \"letsencrypt\" ]] \\\n || [[ ! \"${_validReg}\" =~ \"valid\" ]] \\\n || [[ ! \"${_validIPr}\" =~ \"${_LOC_IP}\" ]] \\\n || [ ! -e \"${_forcedRegPid}\" ]; then\n rm -f ${_legacyLeShFile}\n rm -rf ${_acctsDemoDir}\n rm -rf ${_acctsDir}\n rm -f ${_leRoot}/.ctrl/.forced*\n rm -f ${_leRoot}/.ctrl/.normal*\n rm -f ${_leRoot}/.ctrl/forced*\n rm -f ${_leRoot}/.ctrl/normal*\n if [ -e \"${_exeLe}\" ]; then\n su -s /bin/bash - ${_tUsr} -c \"bash ${_exeLe} --register --accept-terms\"\n wait\n touch ${_forcedRegPid}\n touch ${_normalRegPid}\n fi\n fi\n fi\n fi\n done\n touch ${_pthLog}/le_renewal_days_69.ctrl.${_tRee}.${_xSrl}.pid\n fi\n\n if ! grep -q \"defunct\" /opt/local/bin/websh; then\n rm -f ${_pthLog}/websh.ctrl.*\n fi\n if [ -e \"/var/xdrago/monitor/check\" ] \\\n && [ -e \"/var/aegir/.drush/hm.alias.drushrc.php\" ] \\\n && [ ! -e \"${_pthLog}/websh.ctrl.f72.${_tRee}.${_xSrl}.pid\" ]; then\n mv -f /opt/local/bin/websh /var/xdrago/websh.sh.old\n curl ${_crlGet} \"${_urlHmr}/helpers/websh.sh.txt\" -o /opt/local/bin/websh\n if [ -e \"/opt/local/bin/websh\" ] \\\n && grep -i '_forward_to_dash' /opt/local/bin/websh &> /dev/null; then\n chmod 755 /opt/local/bin/websh\n chown root:root /opt/local/bin/websh\n [ -x \"/bin/websh\" ] && [ ! -L \"/bin/websh\" ] && ln -sfn /opt/local/bin/websh /bin/websh\n touch ${_pthLog}/websh.ctrl.f72.${_tRee}.${_xSrl}.pid\n else\n mv -f /var/xdrago/websh.sh.old /opt/local/bin/websh\n fi\n _WEB_SH=\"$(readlink -n /bin/sh)\"\n if [ -x \"/opt/local/bin/websh\" ] \\\n && grep -i '_forward_to_dash' /opt/local/bin/websh &> /dev/null; then\n if [ \"${_WEB_SH}\" != \"/opt/local/bin/websh\" ]; then\n ln -sfn /opt/local/bin/websh /bin/sh\n if [ -e \"/usr/bin/sh\" ]; then\n ln -sfn /opt/local/bin/websh /usr/bin/sh\n fi\n [ -x \"/bin/websh\" ] && [ ! -L \"/bin/websh\" ] && ln -sfn /opt/local/bin/websh /bin/websh\n fi\n fi\n fi\n\n if [ -e \"/var/xdrago/monitor/check\" ] \\\n && [ -e \"/var/aegir/.drush/hm.alias.drushrc.php\" ] \\\n && [ ! -x \"/etc/cron.hourly/systemtime\" ] \\\n && [ ! -e \"${_pthLog}/systemtime.ctrl.f95.${_tRee}.${_xSrl}.pid\" ]; then\n curl ${_crlGet} \"${_urlHmr}/helpers/systemtime\" -o /etc/cron.hourly/systemtime\n if [ -e \"/etc/cron.hourly/systemtime\" ]; then\n chmod 755 /etc/cron.hourly/systemtime\n chown root:root /etc/cron.hourly/systemtime\n service cron restart\n touch ${_pthLog}/systemtime.ctrl.f95.${_tRee}.${_xSrl}.pid\n fi\n fi\n\n if [ -e \"/var/xdrago/monitor/check\" ] \\\n && [ -d \"/var/aegir/drush\" ] \\\n && [ ! -e \"${_pthLog}/synproxy.ctrl.f93.${_tRee}.${_xSrl}.pid\" ]; then\n _CNT=$(pgrep -fc synproxy_rollback)\n if (( _CNT > 0 )); then\n echo \"The synproxy_rollback is running!\"\n else\n if [ -e \"${_optBin}/synproxy\" ]; then\n mv -f ${_optBin}/synproxy ${_optBin}/synproxy.old\n fi\n curl ${_crlGet} \"${_urlHmr}/tools/bin/synproxy\" -o ${_optBin}/synproxy\n if [ -e \"${_optBin}/synproxy\" ]; then\n chmod 700 ${_optBin}/synproxy\n chown root:root ${_optBin}/synproxy\n touch ${_pthLog}/synproxy.ctrl.f93.${_tRee}.${_xSrl}.pid\n else\n if [ -e \"${_optBin}/synproxy.old\" ]; then\n mv -f ${_optBin}/synproxy.old ${_optBin}/synproxy\n fi\n fi\n fi\n fi\n\n if [ -e \"/var/xdrago/monitor/check\" ] \\\n && [ -d \"/var/aegir/drush\" ] \\\n && [ ! -e \"${_pthLog}/synproxy_rollback.ctrl.f94.${_tRee}.${_xSrl}.pid\" ]; then\n _CNT=$(pgrep -fc synproxy_rollback)\n if (( _CNT > 0 )); then\n echo \"The synproxy_rollback is running!\"\n else\n if [ -e \"${_optBin}/synproxy_rollback\" ]; then\n mv -f ${_optBin}/synproxy_rollback ${_optBin}/synproxy_rollback.old\n fi\n curl ${_crlGet} \"${_urlHmr}/tools/bin/synproxy_rollback\" -o ${_optBin}/synproxy_rollback\n if [ -e \"${_optBin}/synproxy_rollback\" ]; then\n chmod 700 ${_optBin}/synproxy_rollback\n chown root:root ${_optBin}/synproxy_rollback\n touch ${_pthLog}/synproxy_rollback.ctrl.f94.${_tRee}.${_xSrl}.pid\n else\n if [ -e \"${_optBin}/synproxy_rollback.old\" ]; then\n mv -f ${_optBin}/synproxy_rollback.old ${_optBin}/synproxy_rollback\n fi\n fi\n fi\n fi\n\n if [ -e \"/var/xdrago/monitor/check\" ] \\\n && [ -d \"/var/aegir/drush\" ] \\\n && [ ! -e \"${_pthLog}/synproxy_reassert.ctrl.f88.${_tRee}.${_xSrl}.pid\" ]; then\n _CNT=$(pgrep -fc synproxy_rollback)\n if (( _CNT > 0 )); then\n echo \"The synproxy_rollback is running!\"\n else\n if [ -e \"${_optBin}/synproxy_reassert\" ]; then\n mv -f ${_optBin}/synproxy_reassert ${_optBin}/synproxy_reassert.old\n fi\n curl ${_crlGet} \"${_urlHmr}/tools/bin/synproxy_reassert\" -o ${_optBin}/synproxy_reassert\n if [ -e \"${_optBin}/synproxy_reassert\" ]; then\n chmod 700 ${_optBin}/synproxy_reassert\n chown root:root ${_optBin}/synproxy_reassert\n touch ${_pthLog}/synproxy_reassert.ctrl.f88.${_tRee}.${_xSrl}.pid\n else\n if [ -e \"${_optBin}/synproxy_reassert.old\" ]; then\n mv -f ${_optBin}/synproxy_reassert.old ${_optBin}/synproxy_reassert\n fi\n fi\n fi\n fi\n\n if [ -e \"/var/xdrago/monitor/check\" ] \\\n && [ -d \"/var/aegir/drush\" ] \\\n && [ ! -e \"${_pthLog}/synproxy_hook_fix.ctrl.f99.${_tRee}.${_xSrl}.pid\" ]; then\n _CNT=$(pgrep -fc synproxy_rollback)\n if (( _CNT > 0 )); then\n echo \"The synproxy_rollback is running!\"\n else\n if [ -e \"${_optBin}/synproxy_hook_fix\" ]; then\n mv -f ${_optBin}/synproxy_hook_fix ${_optBin}/synproxy_hook_fix.old\n fi\n curl ${_crlGet} \"${_urlHmr}/tools/bin/synproxy_hook_fix\" -o ${_optBin}/synproxy_hook_fix\n if [ -e \"${_optBin}/synproxy_hook_fix\" ]; then\n chmod 700 ${_optBin}/synproxy_hook_fix\n chown root:root ${_optBin}/synproxy_hook_fix\n touch ${_pthLog}/synproxy_hook_fix.ctrl.f99.${_tRee}.${_xSrl}.pid\n else\n if [ -e \"${_optBin}/synproxy_hook_fix.old\" ]; then\n mv -f ${_optBin}/synproxy_hook_fix.old ${_optBin}/synproxy_hook_fix\n fi\n fi\n fi\n fi\n\n if [ -e \"/var/xdrago/monitor/check\" ] \\\n && [ -d \"/var/aegir/drush\" ] \\\n && [ ! -e \"${_pthLog}/synproxy_snapshot.ctrl.f99.${_tRee}.${_xSrl}.pid\" ]; then\n _CNT=$(pgrep -fc synproxy_rollback)\n if (( _CNT > 0 )); then\n echo \"The synproxy_rollback is running!\"\n else\n if [ -e \"${_optBin}/synproxy_snapshot\" ]; then\n mv -f ${_optBin}/synproxy_snapshot ${_optBin}/synproxy_snapshot.old\n fi\n curl ${_crlGet} \"${_urlHmr}/tools/bin/synproxy_snapshot\" -o ${_optBin}/synproxy_snapshot\n if [ -e \"${_optBin}/synproxy_snapshot\" ]; then\n chmod 700 ${_optBin}/synproxy_snapshot\n chown root:root ${_optBin}/synproxy_snapshot\n touch ${_pthLog}/synproxy_snapshot.ctrl.f99.${_tRee}.${_xSrl}.pid\n else\n if [ -e \"${_optBin}/synproxy_snapshot.old\" ]; then\n mv -f ${_optBin}/synproxy_snapshot.old ${_optBin}/synproxy_snapshot\n fi\n fi\n fi\n fi\n\n if [ -e \"/var/xdrago/monitor/check\" ] \\\n && [ -d \"/var/aegir/drush\" ] \\\n && [ ! -e \"${_pthLog}/synproxy_status.ctrl.f99.${_tRee}.${_xSrl}.pid\" ]; then\n _CNT=$(pgrep -fc synproxy_rollback)\n if (( _CNT > 0 )); then\n echo \"The synproxy_rollback is running!\"\n else\n if [ -e \"${_optBin}/synproxy_status\" ]; then\n mv -f ${_optBin}/synproxy_status ${_optBin}/synproxy_status.old\n fi\n curl ${_crlGet} \"${_urlHmr}/tools/bin/synproxy_status\" -o ${_optBin}/synproxy_status\n if [ -e \"${_optBin}/synproxy_status\" ]; then\n chmod 700 ${_optBin}/synproxy_status\n chown root:root ${_optBin}/synproxy_status\n touch ${_pthLog}/synproxy_status.ctrl.f99.${_tRee}.${_xSrl}.pid\n else\n if [ -e \"${_optBin}/synproxy_status.old\" ]; then\n mv -f ${_optBin}/synproxy_status.old ${_optBin}/synproxy_status\n fi\n fi\n fi\n fi\n\n if [ -e \"/var/xdrago/monitor/check\" ] \\\n && [ -d \"/var/aegir/drush\" ] \\\n && [ ! -e \"${_pthLog}/synproxy_monitor.ctrl.f98.${_tRee}.${_xSrl}.pid\" ]; then\n _CNT=$(pgrep -fc synproxy_rollback)\n if (( _CNT > 0 )); then\n echo \"The synproxy_rollback is running!\"\n else\n if [ -e \"${_optBin}/synproxy_monitor\" ]; then\n mv -f ${_optBin}/synproxy_monitor ${_optBin}/synproxy_monitor.old\n fi\n curl ${_crlGet} \"${_urlHmr}/tools/bin/synproxy_monitor\" -o ${_optBin}/synproxy_monitor\n if [ -e \"${_optBin}/synproxy_monitor\" ]; then\n chmod 700 ${_optBin}/synproxy_monitor\n chown root:root ${_optBin}/synproxy_monitor\n touch ${_pthLog}/synproxy_monitor.ctrl.f98.${_tRee}.${_xSrl}.pid\n else\n if [ -e \"${_optBin}/synproxy_monitor.old\" ]; then\n mv -f ${_optBin}/synproxy_monitor.old ${_optBin}/synproxy_monitor\n fi\n fi\n fi\n fi\n\n _Dir=\"/data/all/000/modules\"\n _REDIS_E_VERSION=8.x-1.11.2\n if [ -e \"/var/xdrago/manage_solr_config.sh\" ]; then\n if [ ! -e \"${_Dir}/redis_ten_eleven/ver-${_REDIS_E_VERSION}.${_xSrl}.info\" ]; then\n mkdir -p ${_Dir}\n cd ${_Dir}\n rm -rf ${_Dir}/redis_ten_eleven\n _get_dev_contrib \"redis_ten_eleven-${_REDIS_E_VERSION}.tar.gz\"\n echo update > ${_Dir}/redis_ten_eleven/ver-${_REDIS_E_VERSION}.${_xSrl}.info\n find ${_Dir} -type d -exec chmod 0755 {} \\; &> /dev/null\n find ${_Dir} -type f -exec chmod 0644 {} \\; &> /dev/null\n touch ${_pthLog}/redis_ten_eleven.ctrl.${_xSrl}.log\n fi\n fi\n\n _Dir=\"/data/all/000/modules\"\n _REDIS_T_VERSION=8.x-1.8.2\n if [ -e \"/var/xdrago/manage_solr_config.sh\" ]; then\n if [ ! -e \"${_Dir}/redis_nine_ten/ver-${_REDIS_T_VERSION}.${_xSrl}.info\" ]; then\n mkdir -p ${_Dir}\n cd ${_Dir}\n rm -rf ${_Dir}/redis_nine_ten\n _get_dev_contrib \"redis_nine_ten-${_REDIS_T_VERSION}.tar.gz\"\n echo update > ${_Dir}/redis_nine_ten/ver-${_REDIS_T_VERSION}.${_xSrl}.info\n find ${_Dir} -type d -exec chmod 0755 {} \\; &> /dev/null\n find ${_Dir} -type f -exec chmod 0644 {} \\; &> /dev/null\n touch ${_pthLog}/redis_nine_ten.ctrl.${_xSrl}.log\n fi\n fi\n\n _Dir=\"/data/all/000/modules\"\n _REDIS_C_VERSION=com-19-04-2021\n if [ -e \"/var/xdrago/manage_solr_config.sh\" ]; then\n if [ ! -e \"${_Dir}/redis_compr/ver-${_REDIS_C_VERSION}.${_xSrl}.info\" ]; then\n mkdir -p ${_Dir}\n cd ${_Dir}\n rm -rf ${_Dir}/redis_compr\n _get_dev_contrib \"redis_compr-${_REDIS_C_VERSION}.tar.gz\"\n echo update > ${_Dir}/redis_compr/ver-${_REDIS_C_VERSION}.${_xSrl}.info\n find ${_Dir} -type d -exec chmod 0755 {} \\; &> /dev/null\n find ${_Dir} -type f -exec chmod 0644 {} \\; &> /dev/null\n touch ${_pthLog}/redis_compr.ctrl.${_xSrl}.log\n fi\n fi\n\n _Dir=\"/data/all/000/modules\"\n _REDIS_L_VERSION=7.x-3.19.1\n if [ -e \"/var/xdrago/manage_solr_config.sh\" ]; then\n if [ ! -e \"${_Dir}/redis_edge/ver-${_REDIS_L_VERSION}.${_xSrl}.info\" ]; then\n mkdir -p ${_Dir}\n cd ${_Dir}\n rm -rf ${_Dir}/redis_edge\n _get_dev_contrib \"redis_edge-${_REDIS_L_VERSION}.tar.gz\"\n echo update > ${_Dir}/redis_edge/ver-${_REDIS_L_VERSION}.${_xSrl}.info\n find ${_Dir} -type d -exec chmod 0755 {} \\; &> /dev/null\n find ${_Dir} -type f -exec chmod 0644 {} \\; &> /dev/null\n touch ${_pthLog}/redis_edge.ctrl.${_xSrl}.log\n fi\n fi\n\n _Dir=\"/data/all/000/modules\"\n _REDIS_N_VERSION=com-19-04-2021\n if [ -e \"/var/xdrago/manage_solr_config.sh\" ]; then\n if [ ! -e \"${_Dir}/redis_eight/ver-${_REDIS_N_VERSION}.${_xSrl}.info\" ]; then\n mkdir -p ${_Dir}\n cd ${_Dir}\n rm -rf ${_Dir}/redis_eight\n _get_dev_contrib \"redis_eight-${_REDIS_N_VERSION}.tar.gz\"\n echo update > ${_Dir}/redis_eight/ver-${_REDIS_N_VERSION}.${_xSrl}.info\n find ${_Dir} -type d -exec chmod 0755 {} \\; &> /dev/null\n find ${_Dir} -type f -exec chmod 0644 {} \\; &> /dev/null\n touch ${_pthLog}/redis_eight.ctrl.${_xSrl}.log\n fi\n fi\n}\n\n_fix_core_dgd() {\n # sed -i \"s/^_PERMISSIONS_FIX=.*/_PERMISSIONS_FIX=YES/g\" ${_barCnf}\n\n _saCoreS=\"${_saCoreN}-D7\"\n _saIncDb=\"includes/database/database.inc\"\n _saPatch=\"/var/xdrago/conf/${_saCoreS}.patch\"\n\n _saQCoreN=\"${_saCoreN}\"\n _saQCoreS=\"${_saQCoreN}-D8\"\n _saQIncDb=\"core/includes/database.inc\"\n _saQPatch=\"/var/xdrago/conf/${_saQCoreS}.patch\"\n\n _saXCoreN=\"${_saCoreN}\"\n _saXCoreS=\"${_saXCoreN}-D6\"\n _saXIncDb=\"includes/database.inc\"\n _saXPatch=\"/var/xdrago/conf/${_saXCoreS}.patch\"\n\n _saBCoreP=\"${_saCoreN}-provision\"\n _saBPatch=\"/var/xdrago/conf/${_saBCoreP}.patch\"\n\n # SA-CORE D8 patch\n if [ -e \"/var/xdrago\" ] \\\n && [ -e \"/var/aegir/.drush/hm.alias.drushrc.php\" ] \\\n && [ ! -e \"${_saQPatch}\" ]; then\n mkdir -p /var/xdrago/conf\n curl ${_crlGet} \"${_urlHmr}/patches/8-core/${_saQCoreS}.patch\" -o ${_saQPatch}\n fi\n\n # SA-CORE D7 patch\n if [ -e \"/var/xdrago\" ] \\\n && [ -e \"/var/aegir/.drush/hm.alias.drushrc.php\" ] \\\n && [ ! -e \"${_saPatch}\" ]; then\n mkdir -p /var/xdrago/conf\n curl ${_crlGet} \"${_urlHmr}/patches/7-core/${_saCoreS}.patch\" -o ${_saPatch}\n fi\n\n # SA-CORE D6 patch\n # if [ -e \"/var/xdrago\" ] \\\n # && [ -e \"/var/aegir/.drush/hm.alias.drushrc.php\" ] \\\n\t# && [ ! -e \"${_saXPatch}\" ]; then\n\t# mkdir -p /var/xdrago/conf\n\t# curl ${_crlGet} \"${_urlHmr}/patches/6-core/${_saXCoreS}.patch\" -o ${_saXPatch}\n # fi\n\n # SA-CORE for Octopus hostmaster platforms\n if [ -e \"/var/xdrago\" ] \\\n && [ -e \"/var/aegir/.drush/hm.alias.drushrc.php\" ] \\\n && [ -d \"/data/u\" ] \\\n && [ -e \"${_saPatch}\" ]; then\n if [ -d \"/data/all\" ] \\\n && [ ! -e \"${_pthLog}/hostmaster-octopus-${_saCoreN}-fixed-d7.log\" ]; then\n for _File in `find /data/disk/*/aegir/distro/*/${_saIncDb} \\\n -maxdepth 0 -mindepth 0 | sort`; do\n _Core=$(echo ${_File} \\\n | sed 's/\\/includes.*//g' \\\n | awk '{print $1}' 2> /dev/null)\n if [ -d \"${_Core}\" ] && [ ! -e \"${_Core}/core\" ]; then\n cd ${_Core}\n patch -p1 < ${_saPatch} &> /dev/null\n fi\n done\n touch ${_pthLog}/hostmaster-octopus-${_saCoreN}-fixed-d7.log\n fi\n cd\n fi\n\n # SA-CORE for Barracuda hostmaster platforms\n if [ -e \"/var/xdrago\" ] \\\n && [ -e \"/var/aegir/.drush/hm.alias.drushrc.php\" ] \\\n && [ -e \"${_saPatch}\" ]; then\n if [ -d \"/data/all\" ] \\\n && [ ! -e \"${_pthLog}/hostmaster-barracuda-${_saCoreN}-fixed-d7.log\" ]; then\n for _File in `find /var/aegir/host_master/*/${_saIncDb} \\\n -maxdepth 0 -mindepth 0 | sort`; do\n _Core=$(echo ${_File} \\\n | sed 's/\\/includes.*//g' \\\n | awk '{print $1}' 2> /dev/null)\n if [ -d \"${_Core}\" ] && [ ! -e \"${_Core}/core\" ]; then\n cd ${_Core}\n patch -p1 < ${_saPatch} &> /dev/null\n fi\n done\n\n for _File in `find /var/aegir/hostmaster*/${_saIncDb} \\\n -maxdepth 0 -mindepth 0 | sort`; do\n _Core=$(echo ${_File} \\\n | sed 's/\\/includes.*//g' \\\n | awk '{print $1}' 2> /dev/null)\n if [ -d \"${_Core}\" ] && [ ! -e \"${_Core}/core\" ]; then\n cd ${_Core}\n patch -p1 < ${_saPatch} &> /dev/null\n fi\n done\n\n touch ${_pthLog}/hostmaster-barracuda-${_saCoreN}-fixed-d7.log\n fi\n cd\n fi\n\n # SA-CORE for built-in D7 platforms\n if [ -e \"/var/xdrago\" ] \\\n && [ -e \"/var/aegir/.drush/hm.alias.drushrc.php\" ] \\\n && [ -e \"${_saPatch}\" ] \\\n && [ ! -e \"${_pthLog}/${_saCoreN}-fixed-d7.log\" ]; then\n if [ -d \"/data/all/000/core\" ]; then\n for _Core in `find /data/all/000/core/drupal-7* \\\n -maxdepth 0 -mindepth 0 | sort`; do\n cd ${_Core}\n patch -p1 < ${_saPatch} &> /dev/null\n done\n elif [ -d \"/data/disk/all/000/core\" ]; then\n for _Core in `find /data/disk/all/000/core/drupal-7* \\\n -maxdepth 0 -mindepth 0 | sort`; do\n cd ${_Core}\n patch -p1 < ${_saPatch} &> /dev/null\n done\n fi\n touch ${_pthLog}/${_saCoreN}-fixed-d7.log\n cd\n fi\n\n # SA-CORE for ancient D7 platforms\n if [ -e \"/var/xdrago\" ] \\\n && [ -e \"/var/aegir/.drush/hm.alias.drushrc.php\" ] \\\n && [ -e \"${_saPatch}\" ]; then\n if [ -d \"/data/all\" ] \\\n && [ ! -e \"${_pthLog}/legacy-${_saCoreN}-fixed-d7.log\" ]; then\n for _File in `find /data/all/*/*/${_saIncDb} \\\n -maxdepth 0 -mindepth 0 | sort`; do\n _Core=$(echo ${_File} \\\n | sed 's/\\/includes.*//g' \\\n | awk '{print $1}' 2> /dev/null)\n if [ -d \"${_Core}\" ] && [ ! -e \"${_Core}/core\" ]; then\n cd ${_Core}\n patch -p1 < ${_saPatch} &> /dev/null\n fi\n done\n touch ${_pthLog}/legacy-${_saCoreN}-fixed-d7.log\n elif [ -d \"/data/disk/all\" ] \\\n && [ ! -e \"${_pthLog}/legacy-${_saCoreN}-fixed-d7eee.log\" ]; then\n for _File in `find /data/disk/all/*/*/${_saIncDb} \\\n -maxdepth 0 -mindepth 0 | sort`; do\n _Core=$(echo ${_File} \\\n | sed 's/\\/includes.*//g' \\\n | awk '{print $1}' 2> /dev/null)\n if [ -d \"${_Core}\" ] && [ ! -e \"${_Core}/core\" ]; then\n cd ${_Core}\n patch -p1 < ${_saPatch} &> /dev/null\n fi\n done\n touch ${_pthLog}/legacy-${_saCoreN}-fixed-d7eee.log\n fi\n cd\n fi\n\n # SA-CORE for custom D7 platforms\n if [ -e \"/var/xdrago\" ] \\\n && [ -e \"/var/aegir/.drush/hm.alias.drushrc.php\" ] \\\n && [ -e \"${_saPatch}\" ]; then\n if [ -d \"/data/u\" ] \\\n && [ ! -e \"${_pthLog}/batch-custom-${_saCoreN}-fixed-d7.log\" ]; then\n for _File in `find /data/disk/*/static/*/${_saIncDb} \\\n -maxdepth 0 -mindepth 0 | sort`; do\n _Core=$(echo ${_File} \\\n | sed 's/\\/includes.*//g' \\\n | awk '{print $1}' 2> /dev/null)\n if [ -d \"${_Core}\" ] \\\n && [ ! -e \"${_Core}/core\" ] \\\n && [ ! -e \"${_Core}/profiles/${_saCoreS}-fix.info\" ]; then\n cd ${_Core}\n patch -p1 < ${_saPatch} &> /dev/null\n echo fixed > ${_Core}/profiles/${_saCoreS}-fix.info\n fi\n done\n for _File in `find /data/disk/*/static/*/*/${_saIncDb} \\\n -maxdepth 0 -mindepth 0 | sort`; do\n _Core=$(echo ${_File} \\\n | sed 's/\\/includes.*//g' \\\n | awk '{print $1}' 2> /dev/null)\n if [ -d \"${_Core}\" ] \\\n && [ ! -e \"${_Core}/core\" ] \\\n && [ ! -e \"${_Core}/profiles/${_saCoreS}-fix.info\" ]; then\n cd ${_Core}\n patch -p1 < ${_saPatch} &> /dev/null\n echo fixed > ${_Core}/profiles/${_saCoreS}-fix.info\n fi\n done\n for _File in `find /data/disk/*/static/*/*/*/${_saIncDb} \\\n -maxdepth 0 -mindepth 0 | sort`; do\n _Core=$(echo ${_File} \\\n | sed 's/\\/includes.*//g' \\\n | awk '{print $1}' 2> /dev/null)\n if [ -d \"${_Core}\" ] \\\n && [ ! -e \"${_Core}/core\" ] \\\n && [ ! -e \"${_Core}/profiles/${_saCoreS}-fix.info\" ]; then\n cd ${_Core}\n patch -p1 < ${_saPatch} &> /dev/null\n echo fixed > ${_Core}/profiles/${_saCoreS}-fix.info\n fi\n done\n for _File in `find /data/disk/*/static/*/*/*/*/${_saIncDb} \\\n -maxdepth 0 -mindepth 0 | sort`; do\n _Core=$(echo ${_File} \\\n | sed 's/\\/includes.*//g' \\\n | awk '{print $1}' 2> /dev/null)\n if [ -d \"${_Core}\" ] \\\n && [ ! -e \"${_Core}/core\" ] \\\n && [ ! -e \"${_Core}/profiles/${_saCoreS}-fix.info\" ]; then\n cd ${_Core}\n patch -p1 < ${_saPatch} &> /dev/null\n echo fixed > ${_Core}/profiles/${_saCoreS}-fix.info\n fi\n done\n for _File in `find /data/disk/*/static/*/*/*/*/*/${_saIncDb} \\\n -maxdepth 0 -mindepth 0 | sort`; do\n _Core=$(echo ${_File} \\\n | sed 's/\\/includes.*//g' \\\n | awk '{print $1}' 2> /dev/null)\n if [ -d \"${_Core}\" ] \\\n && [ ! -e \"${_Core}/core\" ] \\\n && [ ! -e \"${_Core}/profiles/${_saCoreS}-fix.info\" ]; then\n cd ${_Core}\n patch -p1 < ${_saPatch} &> /dev/null\n echo fixed > ${_Core}/profiles/${_saCoreS}-fix.info\n fi\n done\n fi\n cd\n touch ${_pthLog}/batch-custom-${_saCoreN}-fixed-d7.log\n fi\n\n # SA-CORE for D8 platforms in ~/static\n if [ -e \"/var/xdrago\" ] \\\n && [ -e \"/var/aegir/.drush/hm.alias.drushrc.php\" ] \\\n && [ -e \"${_saQPatch}\" ]; then\n if [ -d \"/data/u\" ] \\\n && [ ! -e \"${_pthLog}/batch-custom-${_saQCoreN}-fixed-d8.log\" ]; then\n for _File in `find /data/disk/*/static/*/${_saQIncDb} \\\n -maxdepth 0 -mindepth 0 | sort`; do\n _Core=$(echo ${_File} \\\n | sed 's/\\/core.*//g' \\\n | awk '{print $1}' 2> /dev/null)\n if [ -d \"${_Core}\" ] \\\n && [ -e \"${_Core}/core\" ] \\\n && [ ! -e \"${_Core}/profiles/${_saQCoreS}-fix.info\" ]; then\n cd ${_Core}\n patch -p1 < ${_saQPatch} &> /dev/null\n echo fixed > ${_Core}/profiles/${_saQCoreS}-fix.info\n fi\n done\n for _File in `find /data/disk/*/static/*/*/${_saQIncDb} \\\n -maxdepth 0 -mindepth 0 | sort`; do\n _Core=$(echo ${_File} \\\n | sed 's/\\/core.*//g' \\\n | awk '{print $1}' 2> /dev/null)\n if [ -d \"${_Core}\" ] \\\n && [ -e \"${_Core}/core\" ] \\\n && [ ! -e \"${_Core}/profiles/${_saQCoreS}-fix.info\" ]; then\n cd ${_Core}\n patch -p1 < ${_saQPatch} &> /dev/null\n echo fixed > ${_Core}/profiles/${_saQCoreS}-fix.info\n fi\n done\n for _File in `find /data/disk/*/static/*/*/*/${_saQIncDb} \\\n -maxdepth 0 -mindepth 0 | sort`; do\n _Core=$(echo ${_File} \\\n | sed 's/\\/core.*//g' \\\n | awk '{print $1}' 2> /dev/null)\n if [ -d \"${_Core}\" ] \\\n && [ -e \"${_Core}/core\" ] \\\n && [ ! -e \"${_Core}/profiles/${_saQCoreS}-fix.info\" ]; then\n cd ${_Core}\n patch -p1 < ${_saQPatch} &> /dev/null\n echo fixed > ${_Core}/profiles/${_saQCoreS}-fix.info\n fi\n done\n for _File in `find /data/disk/*/static/*/*/*/*/${_saQIncDb} \\\n -maxdepth 0 -mindepth 0 | sort`; do\n _Core=$(echo ${_File} \\\n | sed 's/\\/core.*//g' \\\n | awk '{print $1}' 2> /dev/null)\n if [ -d \"${_Core}\" ] \\\n && [ -e \"${_Core}/core\" ] \\\n && [ ! -e \"${_Core}/profiles/${_saQCoreS}-fix.info\" ]; then\n cd ${_Core}\n patch -p1 < ${_saQPatch} &> /dev/null\n echo fixed > ${_Core}/profiles/${_saQCoreS}-fix.info\n fi\n done\n for _File in `find /data/disk/*/static/*/*/*/*/*/${_saQIncDb} \\\n -maxdepth 0 -mindepth 0 | sort`; do\n _Core=$(echo ${_File} \\\n | sed 's/\\/core.*//g' \\\n | awk '{print $1}' 2> /dev/null)\n if [ -d \"${_Core}\" ] \\\n && [ -e \"${_Core}/core\" ] \\\n && [ ! -e \"${_Core}/profiles/${_saQCoreS}-fix.info\" ]; then\n cd ${_Core}\n patch -p1 < ${_saQPatch} &> /dev/null\n echo fixed > ${_Core}/profiles/${_saQCoreS}-fix.info\n fi\n done\n fi\n cd\n touch ${_pthLog}/batch-custom-${_saQCoreN}-fixed-d8.log\n fi\n\n # SA-CORE for built-in D6 platforms\n if [ -e \"/var/xdrago\" ] \\\n && [ -e \"/var/aegir/.drush/hm.alias.drushrc.php\" ] \\\n && [ -e \"${_saXPatch}\" ] \\\n && [ ! -e \"${_pthLog}/${_saXCoreN}-finally-fixed-d6.log\" ]; then\n if [ -d \"/data/all/000/core\" ]; then\n for _Core in `find /data/all/000/core/pressflow-6* \\\n -maxdepth 0 -mindepth 0 | sort`; do\n cd ${_Core}\n patch -p1 < ${_saXPatch} &> /dev/null\n done\n elif [ -d \"/data/disk/all/000/core\" ]; then\n for _Core in `find /data/disk/all/000/core/pressflow-6* \\\n -maxdepth 0 -mindepth 0 | sort`; do\n cd ${_Core}\n patch -p1 < ${_saXPatch} &> /dev/null\n done\n fi\n touch ${_pthLog}/${_saXCoreN}-finally-fixed-d6.log\n cd\n fi\n\n # SA-CORE for ancient D6 platforms\n if [ -e \"/var/xdrago\" ] \\\n && [ -e \"/var/aegir/.drush/hm.alias.drushrc.php\" ] \\\n && [ -e \"${_saXPatch}\" ]; then\n if [ -d \"/data/all\" ] \\\n && [ ! -e \"${_pthLog}/legacy-${_saXCoreN}-finally-fixed-d6.log\" ]; then\n for _File in `find /data/all/*/*/${_saXIncDb} \\\n -maxdepth 0 -mindepth 0 | sort`; do\n _Core=$(echo ${_File} \\\n | sed 's/\\/includes.*//g' \\\n | awk '{print $1}' 2> /dev/null)\n if [ -d \"${_Core}\" ] && [ ! -e \"${_Core}/core\" ]; then\n cd ${_Core}\n patch -p1 < ${_saXPatch} &> /dev/null\n fi\n done\n touch ${_pthLog}/legacy-${_saXCoreN}-finally-fixed-d6.log\n elif [ -d \"/data/disk/all\" ] \\\n && [ ! -e \"${_pthLog}/legacy-${_saXCoreN}-finally-fixed-d6eee.log\" ]; then\n for _File in `find /data/disk/all/*/*/${_saXIncDb} \\\n -maxdepth 0 -mindepth 0 | sort`; do\n _Core=$(echo ${_File} \\\n | sed 's/\\/includes.*//g' \\\n | awk '{print $1}' 2> /dev/null)\n if [ -d \"${_Core}\" ] && [ ! -e \"${_Core}/core\" ]; then\n cd ${_Core}\n patch -p1 < ${_saXPatch} &> /dev/null\n fi\n done\n touch ${_pthLog}/legacy-${_saXCoreN}-finally-fixed-d6eee.log\n fi\n cd\n fi\n\n # SA-CORE for custom D6 platforms\n if [ -e \"/var/xdrago\" ] \\\n && [ -e \"/var/aegir/.drush/hm.alias.drushrc.php\" ] \\\n && [ -e \"${_saXPatch}\" ]; then\n if [ -d \"/data/u\" ] \\\n && [ ! -e \"${_pthLog}/batch-custom-${_saXCoreN}-finally-fixed-d6.log\" ]; then\n for _File in `find /data/disk/*/static/*/${_saXIncDb} \\\n -maxdepth 0 -mindepth 0 | sort`; do\n _Core=$(echo ${_File} \\\n | sed 's/\\/includes.*//g' \\\n | awk '{print $1}' 2> /dev/null)\n if [ -d \"${_Core}\" ] \\\n && [ ! -e \"${_Core}/core\" ] \\\n && [ ! -e \"${_Core}/profiles/${_saXCoreS}-fix-finally.info\" ]; then\n cd ${_Core}\n patch -p1 < ${_saXPatch} &> /dev/null\n echo fixed > ${_Core}/profiles/${_saXCoreS}-fix-finally.info\n fi\n done\n for _File in `find /data/disk/*/static/*/*/${_saXIncDb} \\\n -maxdepth 0 -mindepth 0 | sort`; do\n _Core=$(echo ${_File} \\\n | sed 's/\\/includes.*//g' \\\n | awk '{print $1}' 2> /dev/null)\n if [ -d \"${_Core}\" ] \\\n && [ ! -e \"${_Core}/core\" ] \\\n && [ ! -e \"${_Core}/profiles/${_saXCoreS}-fix-finally.info\" ]; then\n cd ${_Core}\n patch -p1 < ${_saXPatch} &> /dev/null\n echo fixed > ${_Core}/profiles/${_saXCoreS}-fix-finally.info\n fi\n done\n for _File in `find /data/disk/*/static/*/*/*/${_saXIncDb} \\\n -maxdepth 0 -mindepth 0 | sort`; do\n _Core=$(echo ${_File} \\\n | sed 's/\\/includes.*//g' \\\n | awk '{print $1}' 2> /dev/null)\n if [ -d \"${_Core}\" ] \\\n && [ ! -e \"${_Core}/core\" ] \\\n && [ ! -e \"${_Core}/profiles/${_saXCoreS}-fix-finally.info\" ]; then\n cd ${_Core}\n patch -p1 < ${_saXPatch} &> /dev/null\n echo fixed > ${_Core}/profiles/${_saXCoreS}-fix-finally.info\n fi\n done\n for _File in `find /data/disk/*/static/*/*/*/*/${_saXIncDb} \\\n -maxdepth 0 -mindepth 0 | sort`; do\n _Core=$(echo ${_File} \\\n | sed 's/\\/includes.*//g' \\\n | awk '{print $1}' 2> /dev/null)\n if [ -d \"${_Core}\" ] \\\n && [ ! -e \"${_Core}/core\" ] \\\n && [ ! -e \"${_Core}/profiles/${_saXCoreS}-fix-finally.info\" ]; then\n cd ${_Core}\n patch -p1 < ${_saXPatch} &> /dev/null\n echo fixed > ${_Core}/profiles/${_saXCoreS}-fix-finally.info\n fi\n done\n for _File in `find /data/disk/*/static/*/*/*/*/*/${_saXIncDb} \\\n -maxdepth 0 -mindepth 0 | sort`; do\n _Core=$(echo ${_File} \\\n | sed 's/\\/includes.*//g' \\\n | awk '{print $1}' 2> /dev/null)\n if [ -d \"${_Core}\" ] \\\n && [ ! -e \"${_Core}/core\" ] \\\n && [ ! -e \"${_Core}/profiles/${_saXCoreS}-fix-finally.info\" ]; then\n cd ${_Core}\n patch -p1 < ${_saXPatch} &> /dev/null\n echo fixed > ${_Core}/profiles/${_saXCoreS}-fix-finally.info\n fi\n done\n fi\n cd\n touch ${_pthLog}/batch-custom-${_saXCoreN}-finally-fixed-d6.log\n fi\n}\n\n_fix_ping_perms() {\n if [ -e \"/bin/ping\" ]; then\n _PING_TEST=$(ls -la /bin/ping | grep rwsr-xr-x 2>&1)\n if [ -z \"${_PING_TEST}\" ]; then\n chown root:root /bin/ping\n chmod 4755 /bin/ping\n fi\n fi\n}\n\n_fix_fpm_process_max() {\n if [ ! -e \"${_pthLog}/process.max.ctrl.${_tRee}.${_xSrl}.pid\" ]; then\n sed -i \"s/process.max =.*/process.max = 0/g\" /opt/php*/etc/php*-fpm.conf\n touch ${_pthLog}/process.max.ctrl.${_tRee}.${_xSrl}.pid\n fi\n}\n\n_fix_node_in_lshell_access() {\n if [ ! -e \"${_pthLog}/node.lshell-fix-npx.ctrl.${_tRee}.${_xSrl}.pid\" ] \\\n && [ -e \"/etc/lshell.conf\" ]; then\n _PrTestPhantom=$(grep \"PHANTOM\" /root/.*.octopus.cnf 2>&1)\n _PrTestCluster=$(grep \"CLUSTER\" /root/.*.octopus.cnf 2>&1)\n _PrTestUltra=$(grep \"ULTRA\" /root/.*.octopus.cnf 2>&1)\n _PrTestMonster=$(grep \"MONSTER\" /root/.*.octopus.cnf 2>&1)\n if [[ \"${_PrTestPhantom}\" =~ \"PHANTOM\" ]] \\\n || [[ \"${_PrTestCluster}\" =~ \"CLUSTER\" ]] \\\n || [[ \"${_PrTestUltra}\" =~ \"ULTRA\" ]] \\\n || [[ \"${_PrTestMonster}\" =~ \"MONSTER\" ]] \\\n || [ -e \"/root/.allow.node.lshell.cnf\" ]; then\n _ALLOW_NODE=YES\n else\n _ALLOW_NODE=NO\n sed -i \\\n -e \"s/, 'node', 'npm', 'npx',/,/gi\" \\\n -e \"s/, 'scp',/,/gi\" \\\n /etc/lshell.conf /var/xdrago/conf/lshell.conf\n fi\n touch ${_pthLog}/node.lshell-fix-npx.ctrl.${_tRee}.${_xSrl}.pid\n fi\n}\n\n_fix_php_in_lshell_access() {\n if [ ! -e \"${_pthLog}/php.lshell-fix-php.ctrl.${_tRee}.${_xSrl}.pid\" ] \\\n && [ -e \"/etc/lshell.conf\" ]; then\n _PrTestPhantom=$(grep \"PHANTOM\" /root/.*.octopus.cnf 2>&1)\n _PrTestCluster=$(grep \"CLUSTER\" /root/.*.octopus.cnf 2>&1)\n _PrTestUltra=$(grep \"ULTRA\" /root/.*.octopus.cnf 2>&1)\n _PrTestMonster=$(grep \"MONSTER\" /root/.*.octopus.cnf 2>&1)\n if [[ \"${_PrTestPhantom}\" =~ \"PHANTOM\" ]] \\\n || [[ \"${_PrTestCluster}\" =~ \"CLUSTER\" ]] \\\n || [[ \"${_PrTestUltra}\" =~ \"ULTRA\" ]] \\\n || [[ \"${_PrTestMonster}\" =~ \"MONSTER\" ]] \\\n || [ -e \"/root/.allow.php.lshell.cnf\" ]; then\n _ALLOW_PHP=YES\n else\n _ALLOW_PHP=NO\n sed -i \\\n -e \"s/, 'php.*':.*php',/,/gi\" \\\n -e \"s/, '\\/opt\\/php.*',/,/gi\" \\\n /etc/lshell.conf /var/xdrago/conf/lshell.conf\n fi\n touch ${_pthLog}/php.lshell-fix-php.ctrl.${_tRee}.${_xSrl}.pid\n fi\n}\n\n_if_fix_lshell() {\n if [ ! -e \"/usr/local/etc/lshell.conf\" ] \\\n && [ ! -L \"/usr/local/etc/lshell.conf\" ] \\\n && [ -e \"/etc/lshell.conf\" ]; then\n [ ! -d \"/usr/local/etc\" ] && mkdir -p /usr/local/etc\n ln -sfn /etc/lshell.conf /usr/local/etc/lshell.conf\n fi\n _LSHELL_VRN=0.10\n _PATH_LSHELL=\"${_usrBin}/lshell\"\n _LSHELL_CHK_VRN=0.10\n _LSHELL_FORCE_REINSTALL=NO\n _isLshell=\"$(which lshell)\"\n _LSHELL_ITD=$(${_isLshell} --version 2>&1 \\\n | tr -d \"\\n\" \\\n | cut -d\"-\" -f2 \\\n | awk '{ print $1}' 2>&1)\n if [ -z \"${_isLshell}\" ] \\\n || [ -z \"${_PATH_LSHELL}\" ] \\\n || [ \"${_LSHELL_ITD}\" != \"${_LSHELL_CHK_VRN}\" ] \\\n || [[ \"${_LSHELL_ITD}\" =~ \"Traceback\" ]] \\\n || [[ \"${_LSHELL_ITD}\" =~ \"bad interpreter\" ]] \\\n || [[ \"${_LSHELL_ITD}\" =~ \"ImportError\" ]]; then\n _LSHELL_FORCE_REINSTALL=YES\n fi\n if [ \"${_LSHELL_FORCE_REINSTALL}\" = \"YES\" ]; then\n [ -f \"/etc/lshell.conf\" ] && cp -af /etc/lshell.conf /etc/lshell.conf-bak-${_LSHELL_VRN}\n _apt_clean_update\n apt-get install python3-pip ${_aptYesUnth}\n if [ -x \"/usr/bin/pip3\" ]; then\n _usePip=/usr/bin/pip3\n elif [ -x \"/usr/local/bin/pip3\" ]; then\n _usePip=/usr/local/bin/pip3\n fi\n _PIP_TEST=$(${_usePip} --version 2>&1)\n if [[ \"${_PIP_TEST}\" =~ \"python 3.11\" ]] \\\n || [[ \"${_PIP_TEST}\" =~ \"python 3.12\" ]] \\\n || [[ \"${_PIP_TEST}\" =~ \"python 3.13\" ]]; then\n ${_usePip} install --upgrade pip --root-user-action ignore\n else\n ${_usePip} install --upgrade pip\n fi\n cd /var/opt\n rm -rf lshell*\n _get_dev_src \"lshell-${_LSHELL_VRN}.tar.gz\"\n for _Files in `find /var/opt/lshell-${_LSHELL_VRN} -type f`; do\n sed -i \"s/kicked/logged/g\" ${_Files} &> /dev/null\n wait\n sed -i \"s/Kicked/Logged/g\" ${_Files} &> /dev/null\n wait\n done\n rm -rf /usr/local/lib/python*/site-packages/lshell*\n rm -rf /usr/local/lib/python*/dist-packages/lshell*\n cd /var/opt/lshell-${_LSHELL_VRN}\n _PIP_TEST=$(${_usePip} --version 2>&1)\n if [[ \"${_PIP_TEST}\" =~ \"python 3.11\" ]] \\\n || [[ \"${_PIP_TEST}\" =~ \"python 3.12\" ]] \\\n || [[ \"${_PIP_TEST}\" =~ \"python 3.13\" ]]; then\n ${_usePip} install . --break-system-packages --root-user-action ignore\n else\n ${_usePip} install .\n fi\n [ -f \"/etc/lshell.conf-bak-${_LSHELL_VRN}\" ] && cp -af /etc/lshell.conf-bak-${_LSHELL_VRN} /etc/lshell.conf\n rm -f /etc/logrotate.d/lshell\n addgroup --system lshellg &> /dev/null\n addgroup --system ltd-shell-more &> /dev/null\n mkdir -p /var/log/lsh\n chown :lshellg /var/log/lsh\n chmod 770 /var/log/lsh &> /dev/null\n # Kill all non-root logged-in users\n who | awk '$1 !~ /^root$/ { cmd = \"pkill -KILL -u \" $1; system(cmd) }'\n touch ${_pthLog}/lshell-fix-build-${_LSHELL_VRN}.log\n fi\n if [ -e \"${_usrBin}/lshell\" ]; then\n chown root:users ${_usrBin}/lshell\n chmod 750 ${_usrBin}/lshell\n if [ ! -L \"/usr/bin/lshell\" ]; then\n ln -sfn ${_usrBin}/lshell /usr/bin/lshell &> /dev/null\n fi\n fi\n}\n\n_fix_start_stop_ports_solr() {\n if [ -x \"/etc/init.d/solr9\" ] && [ -e \"/etc/default/solr9.in.sh\" ]; then\n _SOLR9_STOP_TEST=$(grep \"STOP\\.PORT=19099\" /etc/default/solr9.in.sh 2>&1)\n _SOLR9_WAIT_TEST=$(grep \"SOLR_START_WAIT=\" /etc/default/solr9.in.sh 2>&1)\n if [ ! -e \"/var/log/boa/solr9.in.004.fixed.pid\" ] \\\n || [[ ! \"${_SOLR9_STOP_TEST}\" =~ \"19099\" ]] \\\n || [[ ! \"${_SOLR9_WAIT_TEST}\" =~ \"10\" ]]; then\n sed -i \"s/^SOLR_STOP_PORT.*//g\" /etc/default/solr9.in.sh\n sed -i \"s/^SOLR_STOP_KEY.*//g\" /etc/default/solr9.in.sh\n sed -i \"s/.*mycustomkey9.*//g\" /etc/default/solr9.in.sh\n sed -i \"s/.*_WAIT.*//g\" /etc/default/solr9.in.sh\n echo \"SOLR_OPTS=\\\"\\$SOLR_OPTS -DSTOP.PORT=19099 -DSTOP.KEY=mycustomkey9\\\"\" >> /etc/default/solr9.in.sh\n echo \"SOLR_START_WAIT=\\\"10\\\"\" >> /etc/default/solr9.in.sh\n echo \"SOLR_STOP_WAIT=\\\"10\\\"\" >> /etc/default/solr9.in.sh\n echo \"SOLR_WAIT_FOR_ZK=\\\"10\\\"\" >> /etc/default/solr9.in.sh\n sed -i \"/^$/d\" /etc/default/solr9.in.sh\n echo \"_restartSolr9 at $(date)\" >> ${_pthLog}/_fix_start_stop_ports_solr.log\n touch /var/log/boa/solr9.in.004.fixed.pid\n service solr9 restart\n fi\n fi\n if [ -x \"/etc/init.d/solr7\" ] && [ -e \"/etc/default/solr7.in.sh\" ]; then\n _SOLR7_STOP_TEST=$(grep \"STOP\\.PORT=17077\" /etc/default/solr7.in.sh 2>&1)\n _SOLR7_WAIT_TEST=$(grep \"SOLR_START_WAIT=\" /etc/default/solr7.in.sh 2>&1)\n if [ ! -e \"/var/log/boa/solr7.in.004.fixed.pid\" ] \\\n || [[ ! \"${_SOLR7_STOP_TEST}\" =~ \"17077\" ]] \\\n || [[ ! \"${_SOLR7_WAIT_TEST}\" =~ \"10\" ]]; then\n sed -i \"s/^SOLR_STOP_PORT.*//g\" /etc/default/solr7.in.sh\n sed -i \"s/^SOLR_STOP_KEY.*//g\" /etc/default/solr7.in.sh\n sed -i \"s/.*mycustomkey7.*//g\" /etc/default/solr7.in.sh\n sed -i \"s/.*_WAIT.*//g\" /etc/default/solr7.in.sh\n echo \"SOLR_OPTS=\\\"\\$SOLR_OPTS -DSTOP.PORT=17077 -DSTOP.KEY=mycustomkey7\\\"\" >> /etc/default/solr7.in.sh\n echo \"SOLR_START_WAIT=\\\"10\\\"\" >> /etc/default/solr7.in.sh\n echo \"SOLR_STOP_WAIT=\\\"10\\\"\" >> /etc/default/solr7.in.sh\n echo \"SOLR_WAIT_FOR_ZK=\\\"10\\\"\" >> /etc/default/solr7.in.sh\n sed -i \"/^$/d\" /etc/default/solr7.in.sh\n echo \"_restartSolr7 at $(date)\" >> ${_pthLog}/_fix_start_stop_ports_solr.log\n touch /var/log/boa/solr7.in.004.fixed.pid\n service solr7 restart\n fi\n fi\n if [ -x \"/etc/init.d/jetty9\" ]; then\n _restartSolr4=FALSE\n _ctrl_jetty_nr=$(ls -la /tmp/jetty-0.0.0.0-8099-solr.war* | wc -l 2>&1)\n if [[ ! \"${_ctrl_jetty_nr}\" =~ \"No such file\" ]] && [ \"${_ctrl_jetty_nr}\" -gt 8 ]; then\n _restartSolr4=TRUE\n fi\n if [ \"${_restartSolr4}\" = \"TRUE\" ]; then\n if [ ! -x \"/etc/init.d/jenkins\" ] && [ ! -e \"/var/lib/jenkins\" ]; then\n find /tmp -mindepth 1 -user jetty9 -exec rm -rf {} + 2>/dev/null\n pkill -9 -f jetty9\n echo \"_restartSolr4 at $(date)\" >> ${_pthLog}/_fix_start_stop_ports_solr.log\n fi\n fi\n fi\n}\n\n_fix_log4j_solr7() {\n _LOG4J_VRN=2.17.1\n _DO_SOLR_RESTART=\n if [ -x \"/etc/init.d/solr7\" ] && [ -e \"/etc/default/solr7.in.sh\" ]; then\n if [ -e \"/opt/solr-7.7.3\" ] \\\n && [ ! -e \"/opt/solr-7.7.3/server/lib/ext/log4j-core-${_LOG4J_VRN}.jar\" ]; then\n cd /var/opt\n rm -rf apache-log4j*\n _get_dev_src \"apache-log4j-${_LOG4J_VRN}-bin.tar.gz\"\n if [ -e \"/var/opt/apache-log4j-${_LOG4J_VRN}-bin/log4j-core-${_LOG4J_VRN}.jar\" ]; then\n cd /var/opt/apache-log4j-${_LOG4J_VRN}-bin\n [ -d \"/var/backups/log4j/solr-7.7.3\" ] || mkdir -p /var/backups/log4j/solr-7.7.3\n mv -f /opt/solr-7.7.3/server/lib/ext/log4j* /var/backups/log4j/solr-7.7.3/\n rm -f /opt/solr-7.7.3/contrib/prometheus-exporter/lib/log4j*\n cp -af log4j-1.2-api-${_LOG4J_VRN}.jar /opt/solr-7.7.3/server/lib/ext/\n cp -af log4j-core-${_LOG4J_VRN}.jar /opt/solr-7.7.3/server/lib/ext/\n cp -af log4j-core-${_LOG4J_VRN}.jar /opt/solr-7.7.3/contrib/prometheus-exporter/lib/\n cp -af log4j-slf4j-impl-${_LOG4J_VRN}.jar /opt/solr-7.7.3/server/lib/ext/\n cp -af log4j-slf4j-impl-${_LOG4J_VRN}.jar /opt/solr-7.7.3/contrib/prometheus-exporter/lib/\n cp -af log4j-api-${_LOG4J_VRN}.jar /opt/solr-7.7.3/server/lib/ext/\n cp -af log4j-api-${_LOG4J_VRN}.jar /opt/solr-7.7.3/contrib/prometheus-exporter/lib/\n chown root:root /opt/solr-7.7.3/server/lib/ext/log4j*\n chown root:root /opt/solr-7.7.3/contrib/prometheus-exporter/lib/log4j*\n _DO_SOLR_RESTART=YES\n fi\n fi\n if [ -e \"/opt/solr-7.6.0\" ] \\\n && [ ! -e \"/opt/solr-7.6.0/server/lib/ext/log4j-core-${_LOG4J_VRN}.jar\" ]; then\n cd /var/opt\n rm -rf apache-log4j*\n _get_dev_src \"apache-log4j-${_LOG4J_VRN}-bin.tar.gz\"\n if [ -e \"/var/opt/apache-log4j-${_LOG4J_VRN}-bin/log4j-core-${_LOG4J_VRN}.jar\" ]; then\n cd /var/opt/apache-log4j-${_LOG4J_VRN}-bin\n [ -d \"/var/backups/log4j/solr-7.6.0\" ] || mkdir -p /var/backups/log4j/solr-7.6.0\n mv -f /opt/solr-7.6.0/server/lib/ext/log4j* /var/backups/log4j/solr-7.6.0/\n rm -f /opt/solr-7.6.0/contrib/prometheus-exporter/lib/log4j*\n cp -af log4j-1.2-api-${_LOG4J_VRN}.jar /opt/solr-7.6.0/server/lib/ext/\n cp -af log4j-core-${_LOG4J_VRN}.jar /opt/solr-7.6.0/server/lib/ext/\n cp -af log4j-core-${_LOG4J_VRN}.jar /opt/solr-7.6.0/contrib/prometheus-exporter/lib/\n cp -af log4j-slf4j-impl-${_LOG4J_VRN}.jar /opt/solr-7.6.0/server/lib/ext/\n cp -af log4j-slf4j-impl-${_LOG4J_VRN}.jar /opt/solr-7.6.0/contrib/prometheus-exporter/lib/\n cp -af log4j-api-${_LOG4J_VRN}.jar /opt/solr-7.6.0/server/lib/ext/\n cp -af log4j-api-${_LOG4J_VRN}.jar /opt/solr-7.6.0/contrib/prometheus-exporter/lib/\n chown root:root /opt/solr-7.6.0/server/lib/ext/log4j*\n chown root:root /opt/solr-7.6.0/contrib/prometheus-exporter/lib/log4j*\n _DO_SOLR_RESTART=YES\n fi\n fi\n _RESULT_LOG4J=$(grep \"LOG4J_FORMAT_MSG_NO_LOOKUPS=true\" /etc/default/solr7.in.sh 2>&1)\n if [[ ! \"${_RESULT_LOG4J}\" =~ \"LOG4J\" ]]; then\n echo \"LOG4J_FORMAT_MSG_NO_LOOKUPS=true\" >> /etc/default/solr7.in.sh\n fi\n if [[ ! \"${_RESULT_LOG4J}\" =~ \"LOG4J\" ]] || [ ! -z \"${_DO_SOLR_RESTART}\" ]; then\n #pkill -9 -f solr7\n service solr7 restart &> /dev/null\n fi\n fi\n}\n\n_fix_authorized_keys() {\n if [ ! -e \"${_pthLog}/_fix_authorized_keys.ctrl.${_tRee}.${_xSrl}.pid\" ]; then\n chmod 0600 /home/*/.ssh/authorized_keys &> /dev/null\n chmod 0700 /home/*/.ssh &> /dev/null\n touch ${_pthLog}/_fix_authorized_keys.ctrl.${_tRee}.${_xSrl}.pid\n fi\n}\n\n_fix_aio() {\n _AIO_FIX=$(grep \"fs.aio-max-nr\" /etc/sysctl.conf 2>&1)\n if [ -z \"${_AIO_FIX}\" ]; then\n echo \"fs.aio-max-nr = 1048576\" >> /etc/sysctl.conf\n fi\n}\n\n_fix_console_print() {\n _PRK_FIX=$(grep \"kernel.printk\" /etc/sysctl.conf 2>&1)\n if [ -z \"${_PRK_FIX}\" ]; then\n echo \"kernel.printk = 4 1 1 7\" >> /etc/sysctl.conf\n fi\n}\n\n_fix_java_symlinks() {\n if [ \"${_OS_CODE}\" = \"jessie\" ] && [ -x \"/usr/lib/jvm/java-7-openjdk/jre/bin/java\" ]; then\n if [ ! -e \"/usr/bin/java\" ] || [ ! -e \"/etc/alternatives/java\" ]; then\n ln -sfn /usr/lib/jvm/java-7-openjdk/jre/bin/java /etc/alternatives/java\n ln -sfn /etc/alternatives/java /usr/bin/java\n echo fixed java symlinks for ${_OS_CODE}\n fi\n fi\n if [ \"${_OS_CODE}\" = \"stretch\" ] && [ -x \"/usr/lib/jvm/java-8-openjdk/jre/bin/java\" ]; then\n if [ ! -e \"/usr/bin/java\" ] || [ ! -e \"/etc/alternatives/java\" ]; then\n ln -sfn /usr/lib/jvm/java-8-openjdk/jre/bin/java /etc/alternatives/java\n ln -sfn /etc/alternatives/java /usr/bin/java\n echo fixed java symlinks for ${_OS_CODE}\n fi\n fi\n if [ \"${_OS_CODE}\" = \"excalibur\" ] \\\n || [ \"${_OS_CODE}\" = \"daedalus\" ] \\\n || [ \"${_OS_CODE}\" = \"chimaera\" ]; then\n if [ ! -e \"/usr/lib/jvm/java-21-openjdk\" ] \\\n && [ -d \"/usr/lib/jvm/java-21-openjdk-amd64\" ]; then\n ln -sfn /usr/lib/jvm/java-21-openjdk-amd64 /usr/lib/jvm/java-21-openjdk\n fi\n if [ ! -e \"/usr/bin/java21\" ] \\\n && [ -e \"/usr/lib/jvm/java-21-openjdk-amd64/bin/java\" ]; then\n ln -sfn /usr/lib/jvm/java-21-openjdk-amd64/bin/java /usr/bin/java21\n fi\n if [ ! -e \"/usr/lib/jvm/java-17-openjdk\" ] \\\n && [ -d \"/usr/lib/jvm/java-17-openjdk-amd64\" ]; then\n ln -sfn /usr/lib/jvm/java-17-openjdk-amd64 /usr/lib/jvm/java-17-openjdk\n fi\n if [ ! -e \"/usr/bin/java17\" ] \\\n && [ -e \"/usr/lib/jvm/java-17-openjdk-amd64/bin/java\" ]; then\n ln -sfn /usr/lib/jvm/java-17-openjdk-amd64/bin/java /usr/bin/java17\n fi\n if [ ! -e \"/usr/lib/jvm/java-11-openjdk\" ] \\\n && [ -d \"/usr/lib/jvm/java-11-openjdk-amd64\" ]; then\n ln -sfn /usr/lib/jvm/java-11-openjdk-amd64 /usr/lib/jvm/java-11-openjdk\n fi\n if [ ! -e \"/usr/bin/java11\" ] \\\n && [ -e \"/usr/lib/jvm/java-11-openjdk-amd64/bin/java\" ]; then\n ln -sfn /usr/lib/jvm/java-11-openjdk-amd64/bin/java /usr/bin/java11\n fi\n if [ -x \"/etc/init.d/jenkins\" ] && [ -e \"/var/lib/jenkins\" ]; then\n _LOOK_LIKE_JENKINS=TRUE\n elif [ -e \"/root/.look.like.jenkins.cnf\" ]; then\n _LOOK_LIKE_JENKINS=TRUE\n else\n _LOOK_LIKE_JENKINS=FALSE\n fi\n if [ \"${_LOOK_LIKE_JENKINS}\" = \"TRUE\" ] \\\n || [ \"${_OS_CODE}\" = \"daedalus\" ] \\\n || [ \"${_OS_CODE}\" = \"excalibur\" ]; then\n if [ -x \"/usr/lib/jvm/java-17-openjdk/bin/java\" ] \\\n && [ ! -e \"/var/log/boa/.fixed-java17-symlinks.log\" ]; then\n if [ -e \"/usr/lib/jvm/java-17-openjdk-amd64\" ]; then\n rm -f /usr/lib/jvm/default-java\n ln -sfn /usr/lib/jvm/java-17-openjdk-amd64 /usr/lib/jvm/default-java\n fi\n ln -sfn /usr/lib/jvm/java-17-openjdk/bin/java /etc/alternatives/java\n ln -sfn /etc/alternatives/java /usr/bin/java\n touch /var/log/boa/.fixed-java17-symlinks.log\n echo \"Fixed Java 17 symlinks for ${_OS_CODE}\"\n fi\n if [ -x \"/usr/lib/jvm/java-21-openjdk/bin/java\" ] \\\n && [ ! -e \"/var/log/boa/.fixed-java21-symlinks.log\" ]; then\n if [ -e \"/usr/lib/jvm/java-21-openjdk-amd64\" ]; then\n rm -f /usr/lib/jvm/default-java\n ln -sfn /usr/lib/jvm/java-21-openjdk-amd64 /usr/lib/jvm/default-java\n fi\n ln -sfn /usr/lib/jvm/java-21-openjdk/bin/java /etc/alternatives/java\n ln -sfn /etc/alternatives/java /usr/bin/java\n touch /var/log/boa/.fixed-java21-symlinks.log\n echo \"Fixed Java 21 symlinks for ${_OS_CODE}\"\n fi\n else\n if [ -x \"/usr/lib/jvm/java-11-openjdk/bin/java\" ]; then\n if [ -e \"/usr/lib/jvm/java-11-openjdk-amd64\" ]; then\n rm -f /usr/lib/jvm/default-java\n ln -sfn /usr/lib/jvm/java-11-openjdk-amd64 /usr/lib/jvm/default-java\n fi\n if [ ! -e \"/usr/bin/java\" ] || [ ! -e \"/etc/alternatives/java\" ]; then\n ln -sfn /usr/lib/jvm/java-11-openjdk/bin/java /etc/alternatives/java\n ln -sfn /etc/alternatives/java /usr/bin/java\n echo \"Fixed Java 11 symlinks for ${_OS_CODE}\"\n fi\n fi\n fi\n else\n if [ -x \"/usr/lib/jvm/java-11-openjdk/bin/java\" ]; then\n if [ ! -e \"/usr/bin/java\" ] || [ ! -e \"/etc/alternatives/java\" ]; then\n ln -sfn /usr/lib/jvm/java-11-openjdk/bin/java /etc/alternatives/java\n ln -sfn /etc/alternatives/java /usr/bin/java\n echo \"Fixed Java 11 symlinks for ${_OS_CODE}\"\n fi\n fi\n fi\n}\n\n_fix_composer_version() {\n _COMPOSER_VRN=2.8.2\n if [ -x \"/usr/local/bin/composer\" ]; then\n _COMPOSER_IS=$(composer --no-interaction --version 2>&1 \\\n | tr -d \"\\n\" \\\n | cut -d\" \" -f35 \\\n | awk '{ print $1}' 2>&1)\n if [ \"${_COMPOSER_IS}\" != \"${_COMPOSER_VRN}\" ]; then\n composer self-update ${_COMPOSER_VRN} &> /dev/null\n fi\n fi\n}\n\n_fix_sftp_server() {\n if [ -e \"/etc/ssh/sshd_config\" ]; then\n _SFTP_UMASK_TEST=$(grep \"sftp-server -u 0002\" /etc/ssh/sshd_config 2>&1)\n if [[ ! \"${_SFTP_UMASK_TEST}\" =~ \"sftp-server -u 0002\" ]]; then\n sed -i \"s/^Subsystem.*//g\" /etc/ssh/sshd_config\n echo \"Subsystem sftp /usr/lib/openssh/sftp-server -u 0002\" >> /etc/ssh/sshd_config\n sed -i \"/^$/d\" /etc/ssh/sshd_config\n service ssh restart 2> /dev/null\n fi\n fi\n}\n\n_fix_wkhtml_perms() {\n\n _WKHTML_ARRAY=\"/usr/local/bin/wkhtmltopdf \\\n /usr/bin/wkhtmltopdf \\\n /usr/bin/wkhtmltopdf-0.12.4 \\\n /usr/local/bin/wkhtmltoimage \\\n /usr/bin/wkhtmltoimage \\\n /usr/bin/wkhtmltoimage-0.12.4\"\n\n for _WKHTML_ITEM in ${_WKHTML_ARRAY}; do\n if [ -x \"${_WKHTML_ITEM}\" ]; then\n _PERM_TEST=$(ls -la ${_WKHTML_ITEM} | grep rwxr-xr-x 2>&1)\n if [ -z \"${_PERM_TEST}\" ]; then\n chgrp root ${_WKHTML_ITEM} &> /dev/null\n chmod 755 ${_WKHTML_ITEM} &> /dev/null\n fi\n fi\n done\n}\n\n_fix_wkhtml() {\n if [ -x \"/usr/local/bin/wkhtmltopdf\" ] \\\n && [ -L \"/usr/bin/wkhtmltopdf\" ]; then\n rm -f /usr/bin/wkhtmltopdf\n cp -af /usr/local/bin/wkhtmltopdf /usr/bin/wkhtmltopdf\n chgrp root /usr/bin/wkhtmltopdf &> /dev/null\n chmod 755 /usr/bin/wkhtmltopdf &> /dev/null\n fi\n if [ -x \"/usr/local/bin/wkhtmltoimage\" ] \\\n && [ -L \"/usr/bin/wkhtmltoimage\" ]; then\n rm -f /usr/bin/wkhtmltoimage\n cp -af /usr/local/bin/wkhtmltoimage /usr/bin/wkhtmltoimage\n chgrp root /usr/bin/wkhtmltoimage &> /dev/null\n chmod 755 /usr/bin/wkhtmltoimage &> /dev/null\n fi\n if [ -x \"/usr/local/bin/wkhtmltopdf\" ] \\\n && [ ! -e \"/usr/bin/wkhtmltopdf\" ]; then\n cp -af /usr/local/bin/wkhtmltopdf /usr/bin/wkhtmltopdf\n chgrp root /usr/bin/wkhtmltopdf &> /dev/null\n chmod 755 /usr/bin/wkhtmltopdf &> /dev/null\n fi\n if [ -x \"/usr/local/bin/wkhtmltoimage\" ] \\\n && [ ! -e \"/usr/bin/wkhtmltoimage\" ]; then\n cp -af /usr/local/bin/wkhtmltoimage /usr/bin/wkhtmltoimage\n chgrp root /usr/bin/wkhtmltoimage &> /dev/null\n chmod 755 /usr/bin/wkhtmltoimage &> /dev/null\n fi\n if [ ! -x \"/usr/local/bin/wkhtmltopdf\" ] \\\n && [ -x \"/usr/bin/wkhtmltopdf\" ]; then\n rm -f /usr/local/bin/wkhtmltopdf\n cp -af /usr/bin/wkhtmltopdf /usr/local/bin/wkhtmltopdf\n chgrp root /usr/local/bin/wkhtmltopdf &> /dev/null\n chmod 755 /usr/local/bin/wkhtmltopdf &> /dev/null\n fi\n if [ ! -x \"/usr/local/bin/wkhtmltoimage\" ] \\\n && [ -x \"/usr/bin/wkhtmltoimage\" ]; then\n rm -f /usr/local/bin/wkhtmltoimage\n cp -af /usr/bin/wkhtmltoimage /usr/local/bin/wkhtmltoimage\n chgrp root /usr/local/bin/wkhtmltoimage &> /dev/null\n chmod 755 /usr/local/bin/wkhtmltoimage &> /dev/null\n fi\n}\n\n_fix_eldir() {\n if [ -e \"/var/xdrago\" ] \\\n && [ -e \"/var/aegir/.drush/hm.alias.drushrc.php\" ] \\\n && [ ! -e \"${_eldirP}\" ]; then\n mkdir -p /var/xdrago/conf\n curl ${_crlGet} \"${_urlHmr}/patches/${_eldirF}\" -o ${_eldirP}\n fi\n}\n\n_if_drupal_patches_update() {\n if [ -e \"/var/xdrago\" ]; then\n _BROKEN_UPDATE_TEST_A=$(grep \"Under Construction\" /data/conf/patches/* 2>&1)\n _BROKEN_UPDATE_TEST_B=$(grep \"404 Not Found\" /data/conf/patches/* 2>&1)\n if [ ! -z \"${_BROKEN_UPDATE_TEST_A}\" ] \\\n || [ ! -z \"${_BROKEN_UPDATE_TEST_B}\" ] \\\n || [ ! -e \"/data/conf/patches/ctrl.f96.${_tRee}.${_xSrl}.pid\" ]; then\n mkdir -p /data/conf/patches\n rm -f /data/conf/patches/*\n touch /data/conf/patches/ctrl.f96.${_tRee}.${_xSrl}.pid\n fi\n fi\n}\n\n_fix_drupal_core_ten() {\n if [ -e \"/var/xdrago\" ]; then\n if [ ! -e \"${_tenCorePatchPath}\" ]; then\n mkdir -p /data/conf/patches\n curl ${_crlGet} \"${_urlHmr}/patches/${_tenCorePatchFname}\" -o ${_tenCorePatchPath}\n fi\n if [ ! -e \"${_tenConsolePatchPath}\" ]; then\n mkdir -p /data/conf/patches\n curl ${_crlGet} \"${_urlHmr}/patches/${_tenConsolePatchFname}\" -o ${_tenConsolePatchPath}\n fi\n fi\n}\n\n_fix_drupal_core_eleven() {\n if [ -e \"/var/xdrago\" ]; then\n if [ ! -e \"${_elevenCorePatchPath}\" ]; then\n mkdir -p /data/conf/patches\n curl ${_crlGet} \"${_urlHmr}/patches/${_elevenCorePatchFname}\" -o ${_elevenCorePatchPath}\n fi\n if [ ! -e \"${_elevenConsolePatchPath}\" ]; then\n mkdir -p /data/conf/patches\n curl ${_crlGet} \"${_urlHmr}/patches/${_elevenConsolePatchFname}\" -o ${_elevenConsolePatchPath}\n fi\n if [ ! -e \"${_elevenValidatorPatchPath}\" ]; then\n mkdir -p /data/conf/patches\n curl ${_crlGet} \"${_urlHmr}/patches/${_elevenValidatorPatchFname}\" -o ${_elevenValidatorPatchPath}\n fi\n fi\n}\n\n_fix_pure_ftpd() {\n if [ -e \"/usr/local/etc/pure-ftpd.conf\" ]; then\n _PAM_AUTH=$(grep \"^PAMAuthentication\" /usr/local/etc/pure-ftpd.conf 2>&1)\n if [ ! -z \"${_PAM_AUTH}\" ]; then\n sed -i \"s/^PAMAuthentication/# PAMAuthentication/g\" /usr/local/etc/pure-ftpd.conf\n killall -9 pure-ftpd &> /dev/null\n fi\n fi\n}\n\n_fix_hosting_le() {\n if [ -d \"/var/xdrago/conf\" ]; then\n if [ ! -e \"${_hoLeIncFull}.ctrl.${_tRee}.${_xSrl}.pid\" ] \\\n || [ ! -e \"${_pthLog}/dehydrated-up01.ctrl.${_tRee}.${_xSrl}.pid\" ] \\\n || [ -e \"/var/xdrago/${_provLeInc}\" ] \\\n || [ -e \"/var/xdrago/${_hoLeInc}\" ] \\\n || [ -e \"/var/xdrago/${_dehydName}\" ] \\\n || [ -e \"/root/${_provLeInc}\" ] \\\n || [ -e \"/root/hosting_le_vhost.drush.inc.ctrl.${_tRee}.${_xSrl}.pid\" ] \\\n || [ -e \"/root/${_hoLeInc}\" ] \\\n || [ -e \"${_legacyLeSh}\" ] \\\n || [ ! -e \"${_dehydSrcPath}\" ] \\\n || [ ! -e \"${_provLeIncFull}.ctrl.${_tRee}.${_xSrl}.pid\" ]; then\n mkdir -p /var/xdrago/conf\n rm -f /var/xdrago/*.drush.inc*\n rm -f /root/*.drush.inc*\n rm -f ${_legacyLeSh}\n rm -f ${_dehydSrcPath}.ctrl.${_tRee}.${_xSrl}.pid\n rm -f ${_hoLeIncFull}.ctrl.${_tRee}.${_xSrl}.pid\n rm -f ${_provLeIncFull}.ctrl.${_tRee}.${_xSrl}.pid\n curl ${_crlGet} \"${_urlHmr}/helpers/${_dehydName}\" -o ${_dehydSrcPath}.ctrl.${_tRee}.${_xSrl}.pid\n cp -af ${_dehydSrcPath}.ctrl.${_tRee}.${_xSrl}.pid ${_dehydSrcPath}\n curl ${_crlGet} \"${_urlHmr}/patches/${_hoLeInc}\" -o ${_hoLeIncFull}.ctrl.${_tRee}.${_xSrl}.pid\n cp -af ${_hoLeIncFull}.ctrl.${_tRee}.${_xSrl}.pid ${_hoLeIncFull}\n curl ${_crlGet} \"${_urlHmr}/patches/${_provLeInc}\" -o ${_provLeIncFull}.ctrl.${_tRee}.${_xSrl}.pid\n if [ -e \"${_provLeIncFull}.ctrl.${_tRee}.${_xSrl}.pid\" ]; then\n cp -af ${_provLeIncFull}.ctrl.${_tRee}.${_xSrl}.pid ${_provLeIncFull}\n [ -e \"${_provLeIncFull}\" ] && touch ${_pthLog}/dehydrated-up01.ctrl.${_tRee}.${_xSrl}.pid\n fi\n fi\n fi\n}\n\n_fix_newrelic() {\n _PHP_EXT_DIR_84=\"/opt/php84/lib/php/extensions/no-debug-non-zts-20240924\"\n _NR_SO=\"/usr/lib/newrelic-php5/agent/x64/newrelic-20240924.so\"\n if [ -e \"${_PHP_EXT_DIR_84}\" ] \\\n && [ -e \"${_NR_SO}\" ] \\\n && [ ! -e \"${_PHP_EXT_DIR_84}/newrelic.so\" ]; then\n ln -sfn ${_NR_SO} ${_PHP_EXT_DIR_84}/newrelic.so\n service php84-fpm reload\n fi\n\n _PHP_EXT_DIR_74=\"/opt/php74/lib/php/extensions/no-debug-non-zts-20190902\"\n _NR_SO=\"/usr/lib/newrelic-php5/agent/x64/newrelic-20190902.so\"\n if [ -e \"${_PHP_EXT_DIR_74}\" ] \\\n && [ -e \"${_NR_SO}\" ] \\\n && [ ! -e \"${_PHP_EXT_DIR_74}/newrelic.so\" ]; then\n ln -sfn ${_NR_SO} ${_PHP_EXT_DIR_74}/newrelic.so\n service php74-fpm reload\n fi\n\n _PHP_EXT_DIR_71=\"/opt/php71/lib/php/extensions/no-debug-non-zts-20160303\"\n _NR_SO=\"/usr/lib/newrelic-php5/agent/x64/newrelic-20160303.so\"\n if [ -e \"${_PHP_EXT_DIR_71}\" ] \\\n && [ ! -e \"${_NR_SO}\" ] \\\n && [ -L \"${_PHP_EXT_DIR_71}/newrelic.so\" ]; then\n rm -f ${_PHP_EXT_DIR_71}/newrelic.so\n service php71-fpm reload\n fi\n\n _PHP_EXT_DIR_70=\"/opt/php70/lib/php/extensions/no-debug-non-zts-20151012\"\n _NR_SO=\"/usr/lib/newrelic-php5/agent/x64/newrelic-20151012.so\"\n if [ -e \"${_PHP_EXT_DIR_70}\" ] \\\n && [ ! -e \"${_NR_SO}\" ] \\\n && [ -L \"${_PHP_EXT_DIR_70}/newrelic.so\" ]; then\n rm -f ${_PHP_EXT_DIR_70}/newrelic.so\n service php70-fpm reload\n fi\n\n _PHP_EXT_DIR_56=\"/opt/php56/lib/php/extensions/no-debug-non-zts-20131226\"\n _NR_SO=\"/usr/lib/newrelic-php5/agent/x64/newrelic-20131226.so\"\n if [ -e \"${_PHP_EXT_DIR_56}\" ] \\\n && [ ! -e \"${_NR_SO}\" ] \\\n && [ -L \"${_PHP_EXT_DIR_56}/newrelic.so\" ]; then\n rm -f ${_PHP_EXT_DIR_56}/newrelic.so\n service php56-fpm reload\n fi\n}\n\n_fix_leftovers() {\n if [ -e \"/data/disk/arch/static/control\" ]; then\n rm -rf /data/disk/arch/static\n fi\n}\n\n_force_rebuild() {\n if [ ! -e \"${_pthLog}/forced.rebuild.glibc.txt\" ]; then\n echo \"_GIT_FORCE_REINSTALL=YES\" >> ${_barCnf}\n echo \"_NGX_FORCE_REINSTALL=YES\" >> ${_barCnf}\n echo \"_PHP_FORCE_REINSTALL=YES\" >> ${_barCnf}\n echo \"_SSH_FORCE_REINSTALL=YES\" >> ${_barCnf}\n echo \"_SSL_FORCE_REINSTALL=YES\" >> ${_barCnf}\n rm -f ${_pthLog}/pure-ftpd-build*\n rm -f ${_pthLog}/mss-build*\n rm -f ${_pthLog}/lshell-build*\n rm -f ${_pthLog}/redis-*\n rm -f ${_pthLog}/valkey-*\n touch ${_pthLog}/forced.rebuild.glibc.txt\n fi\n}\n\n#\n# Detect, remove, and report broken symlinks\n_check_and_remove_broken_symlinks() {\n local _dir=$1\n\n # Find broken symlinks in the directory\n _broken_symlinks=$(find \"${_dir}\" -maxdepth 1 -type l ! -exec test -e {} \\; -print)\n\n if [ -n \"${_broken_symlinks}\" ]; then\n if [ \"${_DEBUG_MODE}\" = \"YES\" ]; then\n echo \"CLNP: Removing the following broken symlinks from ${_dir}:\"\n echo \"CLNP: ${_broken_symlinks}\"\n fi\n\n for _symlink in ${_broken_symlinks}; do\n rm \"${_symlink}\"\n if [ \"${_DEBUG_MODE}\" = \"YES\" ]; then\n echo \"CLNP: Removed broken symlink: ${_symlink}\"\n fi\n done\n\n # Set the _ifAnySymlinksCleaned variable to true since we removed broken symlinks\n _ifAnySymlinksCleaned=YES\n else\n if [ \"${_DEBUG_MODE}\" = \"YES\" ]; then\n echo \"CLNP: No broken symlinks found in ${_dir}\"\n fi\n fi\n}\n\n#\n# Check and move disallowed versions\n_check_and_move() {\n local _dir=$1\n\n # Determine the name of the backup subdirectory based on the source directory\n local _backup_dir=\"${_backLegBase}$(echo \"${_dir}\" | tr '/' '_')\"\n\n # Find any libcurl.so files in the directory, excluding the allowed version and those without a complete version number\n _found_versions=$(find \"${_dir}\" -maxdepth 1 -type f -name \"libcurl.so.*\" ! -name \"${_allowedFile}\" | grep -E \"libcurl\\.so\\.[0-9]+\\.[0-9]+\\.[0-9]+$\")\n\n if [ -n \"${_found_versions}\" ]; then\n if [ \"${_DEBUG_MODE}\" = \"YES\" ]; then\n echo \"CLNP: Moving the following disallowed versions from ${_dir} to ${_backup_dir}:\"\n echo \"CLNP: ${_found_versions}\"\n fi\n\n # Create the backup directory if it doesn't exist\n mkdir -p \"${_backup_dir}\"\n\n # Move each found version to the backup directory\n for _file in ${_found_versions}; do\n mv -f \"${_file}\" \"${_backup_dir}/\"\n if [ \"${_DEBUG_MODE}\" = \"YES\" ]; then\n echo \"CLNP: Moved ${_file} to ${_backup_dir}/\"\n fi\n done\n\n # Set the _ifAnyFilesCleaned variable to true since we moved files\n _ifAnyFilesCleaned=YES\n else\n if [ \"${_DEBUG_MODE}\" = \"YES\" ]; then\n echo \"CLNP: Only the allowed version (${_allowedFile}) is present in ${_dir}\"\n fi\n fi\n}\n\n_if_reinstall_curl() {\n _CURL_VRN=8.20.0\n _CURL_INSTALL_REQUIRED=NO\n if ! command -v lsb_release &> /dev/null; then\n apt-get update -qq &> /dev/null\n apt-get install lsb-release ${_aptYesUnth} -qq &> /dev/null\n fi\n _OS_CODE=$(lsb_release -ar 2>/dev/null | grep -i codename | cut -s -f2)\n [ \"${_OS_CODE}\" = \"wheezy\" ] && _CURL_VRN=7.50.1\n [ \"${_OS_CODE}\" = \"jessie\" ] && _CURL_VRN=7.71.1\n [ \"${_OS_CODE}\" = \"stretch\" ] && _CURL_VRN=8.2.1\n\n if [ -e \"/var/aegir/.drush/hm.alias.drushrc.php\" ] \\\n && [ \"${_OS_CODE}\" != \"jessie\" ] \\\n && [ \"${_OS_CODE}\" != \"stretch\" ]; then\n\n # Target version\n _allowedFile=\"libcurl.so.4.8.0\"\n\n # Directories to check\n _dirsToClean=(\"/usr/lib\" \"/usr/local/lib\" \"/usr/lib/x86_64-linux-gnu\")\n\n # Backup base directory\n _backLegBase=\"/var/backups/legacy-libcurl-boa-${_NOW}\"\n\n # Variable to track if any files were moved\n _ifAnyFilesCleaned=NO\n\n # Variable to track if any broken symlinks were found and removed\n _ifAnySymlinksCleaned=NO\n\n # Iterate over the directories and apply the _check_and_move function\n for _dir in \"${_dirsToClean[@]}\"; do\n _check_and_move \"${_dir}\"\n done\n\n # Iterate over the directories and apply the _check_and_remove_broken_symlinks function\n for _dir in \"${_dirsToClean[@]}\"; do\n _check_and_remove_broken_symlinks \"${_dir}\"\n done\n\n # Export the _ifAnyFilesCleaned variable for later use\n export _ifAnyFilesCleaned\n\n # Export the _ifAnySymlinksCleaned variable for later use\n export _ifAnySymlinksCleaned\n\n fi\n\n if [ \"${_ifAnySymlinksCleaned}\" = \"YES\" ] \\\n || [ \"${_ifAnyFilesCleaned}\" = \"YES\" ]; then\n ldconfig 2> /dev/null\n _CURL_INSTALL_REQUIRED=YES\n _bkLibcurlPre=\"/var/backups/legacy-libcurl-pre-${_CURL_VRN}-${_NOW}\"\n mkdir -p ${_bkLibcurlPre}\n mv -f /usr/lib/x86_64-linux-gnu/libcurl.so* ${_bkLibcurlPre}/ &> /dev/null\n mv -f /usr/lib/x86_64-linux-gnu/libcurl.la ${_bkLibcurlPre}/ &> /dev/null\n mv -f /usr/lib/x86_64-linux-gnu/libcurl.a ${_bkLibcurlPre}/ &> /dev/null\n fi\n\n _isCurl=$(curl --version 2>&1)\n if [[ ! \"${_isCurl}\" =~ \"OpenSSL\" ]] \\\n || [[ \"${_isCurl}\" =~ \"libcurl.so.4\" ]] \\\n || [ -z \"${_isCurl}\" ] \\\n || [ \"${_ifAnySymlinksCleaned}\" = \"YES\" ] \\\n || [ \"${_ifAnyFilesCleaned}\" = \"YES\" ] \\\n || [ \"${_CURL_INSTALL_REQUIRED}\" = \"YES\" ]; then\n if [ -e \"/var/aegir/.drush/hm.alias.drushrc.php\" ]; then\n echo \"OOPS: cURL is broken! Re-installing..\"\n fi\n if [ ! -e \"/etc/apt/apt.conf.d/00sandboxoff\" ] \\\n && [ -e \"/etc/apt/apt.conf.d\" ]; then\n echo \"APT::Sandbox::User \\\"root\\\";\" > /etc/apt/apt.conf.d/00sandboxoff\n fi\n echo \"curl install\" | dpkg --set-selections 2> /dev/null\n _apt_clean_update\n # Check for libssl1.0-dev and remove conditionally\n if dpkg-query -W -f='${Status}' libssl1.0-dev 2>/dev/null | grep -q \"install ok installed\"; then\n apt-get remove libssl1.0-dev -y --purge --auto-remove -qq 2>/dev/null\n fi\n apt-get autoremove -y 2> /dev/null\n apt-get install libssl-dev ${_aptYesUnth} -qq 2> /dev/null\n apt-get build-dep curl ${_aptYesUnth} 2> /dev/null\n if [ ! -e \"/var/aegir/.drush/hm.alias.drushrc.php\" ]; then\n apt-get install curl --reinstall ${_aptYesUnth} -qq 2> /dev/null\n fi\n if [ -e \"/var/aegir/.drush/hm.alias.drushrc.php\" ]; then\n echo \"INFO: Installing curl from sources...\"\n mkdir -p /var/opt\n rm -rf /var/opt/curl*\n cd /var/opt\n wget ${_wgetGet} http://files.aegir.cc/dev/src/curl-${_CURL_VRN}.tar.gz &> /dev/null\n tar -xzf curl-${_CURL_VRN}.tar.gz &> /dev/null\n if [ -e \"/root/.install.modern.openssl.cnf\" ] \\\n && [ -x \"/usr/local/ssl3/bin/openssl\" ]; then\n _SSL_BINARY=/usr/local/ssl3/bin/openssl\n else\n _SSL_BINARY=/usr/local/ssl/bin/openssl\n fi\n if [ -e \"/usr/local/ssl3/lib64/libssl.so.3\" ]; then\n _SSL_PATH=\"/usr/local/ssl3\"\n _SSL_LIB_PATH=\"${_SSL_PATH}/lib64\"\n else\n _SSL_PATH=\"/usr/local/ssl\"\n _SSL_LIB_PATH=\"${_SSL_PATH}/lib\"\n fi\n _PKG_CONFIG_PATH=\"${_SSL_LIB_PATH}/pkgconfig\"\n\n if [ -e \"${_PKG_CONFIG_PATH}\" ] \\\n && [ -e \"/var/opt/curl-${_CURL_VRN}\" ]; then\n cd /var/opt/curl-${_CURL_VRN}\n LIBS=\"-ldl -lpthread\" PKG_CONFIG_PATH=\"${_PKG_CONFIG_PATH}\" ./configure \\\n --with-openssl \\\n --with-zlib=/usr \\\n --prefix=/usr/local &> /dev/null\n make -j $(nproc) --quiet &> /dev/null\n make --quiet install &> /dev/null\n ldconfig 2> /dev/null\n fi\n fi\n if [ -x \"/usr/local/bin/curl\" ] && [ -e \"/var/aegir/.drush/hm.alias.drushrc.php\" ]; then\n _CURL_ITD=$(/usr/local/bin/curl --version 2>&1 \\\n | tr -d \"\\n\" \\\n | cut -d\" \" -f2 \\\n | awk '{ print $1}' 2>&1)\n if [[ ! \"${_CURL_ITD}\" =~ OpenSSL ]]; then\n echo \"ERRR: /usr/local/bin/curl is broken\"\n echo \"ERRR: Please install cURL and debug manually\"\n else\n echo \"GOOD: /usr/local/bin/curl works\"\n echo \"curl hold\" | dpkg --set-selections &> /dev/null\n if [ -x \"/usr/local/bin/curl\" ]; then\n if [ -x \"/usr/bin/curl\" ] && [ ! -L \"/usr/bin/curl\" ]; then\n mv -f /usr/bin/curl /usr/bin/old-curl-$(date +%y%m%d-%H%M%S)\n fi\n ln -sfn /usr/local/bin/curl /usr/bin/curl\n fi\n if [ ! -e \"${_SSL_PATH}/certs/ca-certificates.crt\" ]; then\n cp -af /etc/ssl/certs/* ${_SSL_PATH}/certs/ &> /dev/null\n fi\n if [ -e \"/usr/local/lib/libcurl.so.4.8.0\" ]; then\n ln -sfn /usr/local/lib/libcurl.so.4.8.0 /usr/lib/libcurl.so\n ln -sfn /usr/local/lib/libcurl.so.4.8.0 /usr/lib/libcurl.so.4\n ln -sfn /usr/local/lib/libcurl.so.4.8.0 /usr/lib/libcurl.so.4.8.0\n ln -sfn /usr/local/lib/libcurl.so.4.8.0 /usr/lib/x86_64-linux-gnu/libcurl.so\n ln -sfn /usr/local/lib/libcurl.so.4.8.0 /usr/lib/x86_64-linux-gnu/libcurl.so.4\n ln -sfn /usr/local/lib/libcurl.so.4.8.0 /usr/lib/x86_64-linux-gnu/libcurl.so.4.8.0\n fi\n if [ -e \"/usr/local/lib/libcurl.a\" ]; then\n ln -sfn /usr/local/lib/libcurl.a /usr/lib/x86_64-linux-gnu/libcurl.a\n ln -sfn /usr/local/lib/libcurl.a /usr/lib/libcurl.a\n fi\n if [ -e \"/usr/local/lib/libcurl.la\" ]; then\n ln -sfn /usr/local/lib/libcurl.la /usr/lib/x86_64-linux-gnu/libcurl.la\n ln -sfn /usr/local/lib/libcurl.la /usr/lib/libcurl.la\n fi\n ldconfig 2> /dev/null\n if [ -e \"/usr/local/include/curl/curl.h\" ] \\\n && [ -e \"/usr/local/include/curl/easy.h\" ] \\\n && [ -d \"/usr/include/x86_64-linux-gnu/curl\" ] \\\n && [ ! -L \"/usr/include/x86_64-linux-gnu/curl\" ]; then\n _apt_clean_update\n if dpkg-query -W -f='${Status}' libcurl4-openssl-dev 2>/dev/null | grep -q \"install ok installed\"; then\n apt-get remove libcurl4-openssl-dev -y --purge --auto-remove -qq 2> /dev/null\n fi\n ln -sfn /usr/local/include/curl /usr/include/x86_64-linux-gnu/curl\n ldconfig 2> /dev/null\n fi\n fi\n fi\n fi\n}\n\n_if_boa_key_tools_update_allowed() {\n if [ -e \"/root/.run-to-excalibur.cnf\" ] \\\n || [ -e \"/root/.run-to-daedalus.cnf\" ] \\\n || [ -e \"/root/.run-to-chimaera.cnf\" ] \\\n || [ -e \"/root/.run-to-beowulf.cnf\" ]; then\n _BOA_KEY_TOOLS_UPDATE_ALLOWED=NO\n else\n _BOA_KEY_TOOLS_UPDATE_ALLOWED=YES\n fi\n}\n\n_update_boa_tools() {\n mkdir -p ${_usrBin}\n if [ -e \"${_pthLog}\" ] && [ ! -e \"${_pthLog}/updateFx30.ctrl.${_tRee}.${_xSrl}.pid\" ]; then\n _fxPp=\"fix-drupal-platform-permissions.sh\"\n _fxSp=\"fix-drupal-site-permissions.sh\"\n _fxPo=\"fix-drupal-platform-ownership.sh\"\n _fxSo=\"fix-drupal-site-ownership.sh\"\n _fxLo=\"lock-local-drush-permissions.sh\"\n curl ${_crlGet} \"${_urlHmr}/${_tBn}/${_fxPp}\" -o ${_usrBin}/${_fxPp}\n curl ${_crlGet} \"${_urlHmr}/${_tBn}/${_fxSp}\" -o ${_usrBin}/${_fxSp}\n curl ${_crlGet} \"${_urlHmr}/${_tBn}/${_fxPo}\" -o ${_usrBin}/${_fxPo}\n curl ${_crlGet} \"${_urlHmr}/${_tBn}/${_fxSo}\" -o ${_usrBin}/${_fxSo}\n curl ${_crlGet} \"${_urlHmr}/${_tBn}/${_fxLo}\" -o ${_usrBin}/${_fxLo}\n chmod 700 ${_usrBin}/${_fxPp}\n chmod 700 ${_usrBin}/${_fxSp}\n chmod 700 ${_usrBin}/${_fxPo}\n chmod 700 ${_usrBin}/${_fxSo}\n chmod 700 ${_usrBin}/${_fxLo}\n touch ${_pthLog}/updateFx30.ctrl.${_tRee}.${_xSrl}.pid\n fi\n mkdir -p ${_optBin}\n _boaBins=\"aptcleanup \\\n aptfast \\\n autobeowulf \\\n autochimaera \\\n autodaedalus \\\n autoexcalibur \\\n autoinit \\\n automini \\\n autosymlink \\\n autoupboa \\\n backboa \\\n backchain \\\n barracuda \\\n boa \\\n codebasecheck \\\n copydbackup \\\n dcysetup \\\n dhcpfix \\\n duobackboa \\\n fancynow \\\n ffdevuan \\\n ffmirror \\\n fixmounts \\\n fixrepo \\\n killer \\\n loadguard \\\n lock.inc \\\n memorytuner \\\n mergecsf \\\n multiback \\\n mybackup \\\n mycnfup \\\n mysqltuner5 \\\n mysqltuner8 \\\n octopus \\\n perftest \\\n randpass \\\n renameaegirhost \\\n screenfetch \\\n setprio \\\n smtpgapps \\\n sqlclean \\\n sqlmagic \\\n syncpass \\\n synproxy \\\n synproxy_hook_fix \\\n synproxy_monitor \\\n synproxy_reassert \\\n synproxy_rollback \\\n synproxy_snapshot \\\n synproxy_status \\\n thinkdifferent \\\n updatesymlinks \\\n verifyvhostsdns \\\n vhostcheck \\\n vmnetfix \\\n weblogx \\\n webserver \\\n websh \\\n xboa \\\n xcopy\"\n for _cbn in ${_boaBins}; do\n if [ -e \"${_optBin}/${_cbn}\" ]; then\n _CNT=$(pgrep -fc /local/bin/${_cbn})\n if (( _CNT > 0 )); then\n echo \"The ${_cbn} is running!\"\n else\n _CNT=$(pgrep -fc /var/xdrago/daily.sh)\n if [ \"${_cbn}\" = \"weblogx\" ] && (( _CNT > 0 )); then\n echo \"The ${_cbn} and daily.sh is running!\"\n else\n rm -f ${_optBin}/${_cbn}.new\n if [ \"${_cbn}\" = \"mysqltuner5\" ] || [ \"${_cbn}\" = \"mysqltuner8\" ]; then\n curl ${_crlGet} \"${_urlHmr}/helpers/${_cbn}\" -o ${_optBin}/${_cbn}.new\n else\n curl ${_crlGet} \"${_urlHmr}/${_tBn}/${_cbn}\" -o ${_optBin}/${_cbn}.new\n fi\n mv -f ${_optBin}/${_cbn} ${_optBin}/${_cbn}.prev\n mv -f ${_optBin}/${_cbn}.new ${_optBin}/${_cbn}\n if [ -e \"${_optBin}/${_cbn}\" ]; then\n chmod 755 ${_optBin}/${_cbn}\n rm -f ${_optBin}/${_cbn}.prev\n else\n mv -f ${_optBin}/${_cbn}.prev ${_optBin}/${_cbn}\n fi\n fi\n fi\n else\n if [ \"${_cbn}\" = \"mysqltuner5\" ] || [ \"${_cbn}\" = \"mysqltuner8\" ]; then\n curl ${_crlGet} \"${_urlHmr}/helpers/${_cbn}\" -o ${_optBin}/${_cbn}\n else\n curl ${_crlGet} \"${_urlHmr}/${_tBn}/${_cbn}\" -o ${_optBin}/${_cbn}\n fi\n fi\n done\n\n if [ -e \"${_optBin}/fixmounts\" ] && [ ! -e \"${_usrBin}/fixmounts\" ]; then\n rm -f ${_usrBin}/{aptcleanup*,autoinit*,automini*,backchain*,barracuda*,boa*,dhcpfix*,ffdevuan*,ffmirror*,fixmounts*}\n rm -f ${_usrBin}/{aptfast*,killer*,loadguard*,perftest*,octopus*,screenfetch*,vmnetfix*,webserver*,websh*}\n ln -sfn ${_optBin}/aptcleanup ${_usrBin}/aptcleanup\n ln -sfn ${_optBin}/autoinit ${_usrBin}/autoinit\n ln -sfn ${_optBin}/automini ${_usrBin}/automini\n ln -sfn ${_optBin}/backchain ${_usrBin}/backchain\n ln -sfn ${_optBin}/barracuda ${_usrBin}/barracuda\n ln -sfn ${_optBin}/boa ${_usrBin}/boa\n ln -sfn ${_optBin}/dhcpfix ${_usrBin}/dhcpfix\n ln -sfn ${_optBin}/ffdevuan ${_usrBin}/ffdevuan\n ln -sfn ${_optBin}/ffmirror ${_usrBin}/ffmirror\n ln -sfn ${_optBin}/fixmounts ${_usrBin}/fixmounts\n ln -sfn ${_optBin}/killer ${_usrBin}/killer\n ln -sfn ${_optBin}/loadguard ${_usrBin}/loadguard\n ln -sfn ${_optBin}/octopus ${_usrBin}/octopus\n ln -sfn ${_optBin}/perftest ${_usrBin}/perftest\n ln -sfn ${_optBin}/screenfetch ${_usrBin}/screenfetch\n ln -sfn ${_optBin}/vmnetfix ${_usrBin}/vmnetfix\n ln -sfn ${_optBin}/webserver ${_usrBin}/webserver\n ln -sfn ${_optBin}/websh ${_usrBin}/websh\n fi\n\n if [ -e \"/data/u\" ]; then\n if [ ! -e \"${_usrBin}/dcysetup\" ] && [ -e \"${_optBin}/dcysetup\" ]; then\n ln -sfn ${_optBin}/dcysetup ${_usrBin}/dcysetup\n fi\n if [ ! -e \"${_usrBin}/multiback\" ] && [ -e \"${_optBin}/multiback\" ]; then\n ln -sfn ${_optBin}/multiback ${_usrBin}/multiback\n fi\n if [ ! -e \"${_usrBin}/mybackup\" ] && [ -e \"${_optBin}/mybackup\" ]; then\n ln -sfn ${_optBin}/mybackup ${_usrBin}/mybackup\n fi\n fi\n\n echo \"=== BOA executables permissions setup ===\"\n echo \"Last updated: $(date)\"\n echo \"Groups are organized by function.\"\n\n # _AUTO (700): automatic install/upgrade helpers\n chmod 700 ${_optBin}/{autobeowulf,autochimaera,autodaedalus,autoexcalibur,autoinit,automini,autoupboa}\n\n # _BACKUP (700): backup helpers\n chmod 700 ${_optBin}/{backboa,copydbackup,dcysetup,duobackboa,multiback}\n\n # _CORE (700): core BOA tools\n chmod 700 ${_optBin}/{barracuda,boa,ffdevuan,ffmirror,killer,octopus,webserver}\n chmod 700 ${_optBin}/{loadguard,lock.inc,renameaegirhost,syncpass,weblogx,xboa,xcopy}\n\n # _DB (700): performance and DB tuners\n chmod 700 ${_optBin}/{memorytuner,mycnfup,mysqltuner5,mysqltuner8,perftest}\n\n # _MAIL (700): mail + priority tools\n chmod 700 ${_optBin}/{setprio,smtpgapps}\n\n # _NET (700): network protection\n chmod 700 ${_optBin}/synproxy*\n\n # _SYS (700): system utilities\n chmod 700 ${_optBin}/{aptfast,codebasecheck,dhcpfix,fancynow,fixmounts,fixrepo,mergecsf,screenfetch,vmnetfix}\n\n # _SYS (700): cleanup tools\n chmod 700 ${_optBin}/{aptcleanup,autosymlink,sqlclean,updatesymlinks,verifyvhostsdns,vhostcheck}\n\n # _MISC (755): misc user-space utilities\n chmod 755 ${_optBin}/{backchain,mybackup,randpass,sqlmagic,thinkdifferent,websh}\n\n echo \"Permissions applied successfully\"\n echo \"=== End of BOA executables permissions setup ===\"\n\n}\n\n# Ensure /usr/sbin/ipset and /sbin/ipset both resolve to the actual ipset binary.\n_ensure_ipset_symlinks() {\n _IPSET_REAL=\"$(command -v ipset 2>/dev/null || true)\"\n if [ -z \"${_IPSET_REAL}\" ]; then\n if [ \"${_DEBUG_MODE}\" = \"YES\" ]; then\n echo \"ipset not installed; skipping symlink fixes\"\n fi\n return 0\n fi\n\n # Resolve through any intermediate symlinks.\n if [ -L \"${_IPSET_REAL}\" ]; then\n _IPSET_REAL=\"$(readlink -f \"${_IPSET_REAL}\")\"\n fi\n\n for _CAND in /usr/sbin/ipset /sbin/ipset; do\n _PARENT=\"$(dirname \"${_CAND}\")\"\n [ -d \"${_PARENT}\" ] || mkdir -p \"${_PARENT}\"\n\n # If the candidate *is* the real file, nothing to do.\n if [ \"${_CAND}\" = \"${_IPSET_REAL}\" ]; then\n continue\n fi\n\n # If it exists, check whether it already resolves to the right target.\n if [ -e \"${_CAND}\" ] || [ -L \"${_CAND}\" ]; then\n _TARGET=\"$(readlink -f \"${_CAND}\" 2>/dev/null || true)\"\n if [ \"${_TARGET}\" = \"${_IPSET_REAL}\" ]; then\n continue\n fi\n fi\n\n ln -sfn \"${_IPSET_REAL}\" \"${_CAND}\"\n if [ \"${_DEBUG_MODE}\" = \"YES\" ]; then\n echo \"Linked ${_CAND} -> ${_IPSET_REAL}\"\n fi\n done\n}\n\n_if_update_boa_key_tools_only() {\n\n _check_dns_settings\n _if_reinstall_curl\n\n _CURL_TEST=$(curl -L -k -s \\\n --max-redirs 10 \\\n --retry 3 \\\n --retry-delay 10 \\\n -I \"http://${_USE_MIR}\" 2> /dev/null)\n if [[ ! \"${_CURL_TEST}\" =~ \"200 OK\" ]]; then\n if [[ \"${_CURL_TEST}\" =~ \"unknown option was passed in to libcurl\" ]]; then\n echo \"ERROR: cURL libs are out of sync! Re-installing..\"\n _if_reinstall_curl\n fi\n echo \"ERROR: ${_USE_MIR} is not available, please try later\"\n exit 1\n else\n _urlHmr=\"http://${_USE_MIR}/versions/${_tRee}/boa/aegir\"\n fi\n _LSB_TEST=\"$(which lsb_release)\"\n if [ ! -x \"${_LSB_TEST}\" ]; then\n if [ ! -e \"/etc/apt/apt.conf.d/00sandboxoff\" ] \\\n && [ -e \"/etc/apt/apt.conf.d\" ]; then\n echo \"APT::Sandbox::User \\\"root\\\";\" > /etc/apt/apt.conf.d/00sandboxoff\n fi\n _apt_clean_update\n apt-get install lsb-release ${_aptYesUnth} &> /dev/null\n fi\n _IPSET_TEST=\"$(which ipset)\"\n if [ ! -x \"${_IPSET_TEST}\" ]; then\n if [ ! -e \"/etc/apt/apt.conf.d/00sandboxoff\" ] \\\n && [ -e \"/etc/apt/apt.conf.d\" ]; then\n echo \"APT::Sandbox::User \\\"root\\\";\" > /etc/apt/apt.conf.d/00sandboxoff\n fi\n _apt_clean_update\n if [ -L \"/sbin/ipset\" ]; then\n rm -f /sbin/ipset\n fi\n if [ -L \"/usr/sbin/ipset\" ]; then\n rm -f /usr/sbin/ipset\n fi\n apt-get install ipset ${_aptYesUnth} &> /dev/null\n fi\n\n _ensure_ipset_symlinks\n\n if [ -x \"/usr/sbin/csf\" ] \\\n && [ -e \"/etc/csf/csf.deny\" ] \\\n && [ ! -x \"/etc/csf/csfpost.sh\" ]; then\n echo \"\" > /etc/csf/csfpost.sh\n echo \"iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp\" >> /etc/csf/csfpost.sh\n echo \"iptables -t raw -A OUTPUT -p tcp --dport 21 -j CT --helper ftp\" >> /etc/csf/csfpost.sh\n chmod 700 /etc/csf/csfpost.sh\n _CSF_TEST=\"$(which csf)\"\n if [ -x \"${_CSF_TEST}\" ]; then\n service clean-boa-env start &> /dev/null\n _if_fix_iptables_symlinks\n ### csf -uf\n ### wait\n _NFTABLES_TEST=$(iptables -V)\n if [[ \"${_NFTABLES_TEST}\" =~ \"nf_tables\" ]]; then\n if [ -e \"/usr/sbin/iptables-legacy\" ]; then\n update-alternatives --set iptables /usr/sbin/iptables-legacy &> /dev/null\n fi\n if [ -e \"/usr/sbin/ip6tables-legacy\" ]; then\n update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy &> /dev/null\n fi\n if [ -e \"/usr/sbin/arptables-legacy\" ]; then\n update-alternatives --set arptables /usr/sbin/arptables-legacy &> /dev/null\n fi\n if [ -e \"/usr/sbin/ebtables-legacy\" ]; then\n update-alternatives --set ebtables /usr/sbin/ebtables-legacy &> /dev/null\n fi\n fi\n sed -i \"s/.*DHCP.*//g\" /etc/csf/csf.allow\n wait\n sed -i \"/^$/d\" /etc/csf/csf.allow\n if [ -e \"/var/log/daemon.log\" ]; then\n _DHCP_LOG=\"/var/log/daemon.log\"\n else\n _DHCP_LOG=\"/var/log/syslog\"\n fi\n grep DHCPREQUEST \"${_DHCP_LOG}\" | awk '{print $12}' | sort -u | while read -r _IP; do\n if [[ ${_IP} =~ ^([0-9]{1,3}\\.){3}[0-9]{1,3}$ ]]; then\n IFS='.' read -r oct1 oct2 oct3 oct4 <<< \"${_IP}\"\n if (( oct1 <= 255 && oct2 <= 255 && oct3 <= 255 && oct4 <= 255 )); then\n echo \"udp|out|d=67|d=${_IP} # Local DHCP out\" >> /etc/csf/csf.allow\n fi\n fi\n done\n if [ -e \"/etc/csf/csfpost.d/synproxy.sh\" ]; then\n csf -ra &> /dev/null\n synproxy_reassert -p \"443 80\" --no-quic -q &> /dev/null\n else\n csf -r &> /dev/null\n fi\n ### Linux kernel TCP SACK CVEs mitigation\n ### CVE-2019-11477 SACK Panic\n ### CVE-2019-11478 SACK Slowness\n ### CVE-2019-11479 Excess Resource Consumption Due to Low MSS Values\n if [ -x \"/usr/sbin/csf\" ] && [ -e \"/etc/csf/csf.deny\" ]; then\n _SACK_TEST=$(ip6tables --list | grep tcpmss)\n if [[ ! \"${_SACK_TEST}\" =~ \"tcpmss\" ]]; then\n sysctl net.ipv4.tcp_mtu_probing=0 &> /dev/null\n iptables -A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP &> /dev/null\n ip6tables -A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP &> /dev/null\n [ -e \"/etc/csf/csfpost.d/synproxy.sh\" ] && synproxy_reassert -p \"443 80\" --no-quic -q &> /dev/null\n fi\n fi\n fi\n fi\n if [ -x \"/usr/sbin/csf\" ] && [ -e \"/etc/csf/csf.conf\" ]; then\n _CC_SRC_TEST=$(grep 'CC_SRC\\ =' /etc/csf/csf.conf 2>&1)\n ### echo _CC_SRC_TEST 1 is \"${_CC_SRC_TEST}\"\n if [[ ! ${_CC_SRC_TEST} =~ CC_SRC\\ =\\ \\\"2\\\" ]]; then\n echo _CC_SRC_TEST 2 is \"${_CC_SRC_TEST}\"\n service clean-boa-env start &> /dev/null\n _if_fix_iptables_symlinks\n ### csf -uf\n ### wait\n _NFTABLES_TEST=$(iptables -V)\n if [[ \"${_NFTABLES_TEST}\" =~ \"nf_tables\" ]]; then\n if [ -e \"/usr/sbin/iptables-legacy\" ]; then\n update-alternatives --set iptables /usr/sbin/iptables-legacy &> /dev/null\n fi\n if [ -e \"/usr/sbin/ip6tables-legacy\" ]; then\n update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy &> /dev/null\n fi\n if [ -e \"/usr/sbin/arptables-legacy\" ]; then\n update-alternatives --set arptables /usr/sbin/arptables-legacy &> /dev/null\n fi\n if [ -e \"/usr/sbin/ebtables-legacy\" ]; then\n update-alternatives --set ebtables /usr/sbin/ebtables-legacy &> /dev/null\n fi\n fi\n sed -i \"s/^CC_SRC .*/CC_SRC = \\\"2\\\"/g\" /etc/csf/csf.conf\n wait\n sed -i \"s/^AUTO_UPDATES .*/AUTO_UPDATES = \\\"0\\\"/g\" /etc/csf/csf.conf\n if [ -e \"/etc/csf/csfpost.d/synproxy.sh\" ]; then\n csf -ra &> /dev/null\n synproxy_reassert -p \"443 80\" --no-quic -q &> /dev/null\n else\n csf -r &> /dev/null\n fi\n fi\n fi\n _BOA_TOOLS_UPDATE=NO\n if [ -e \"${_pthLog}\" ]; then\n if [ ! -x \"/opt/local/bin/xcopy\" ] \\\n || [ ! -e \"${_boaToolsPid}\" ]; then\n _BOA_TOOLS_UPDATE=YES\n fi\n fi\n [ ! -e \"/var/aegir/.drush/hm.alias.drushrc.php\" ] && _BOA_TOOLS_UPDATE=YES\n if [ \"${_BOA_TOOLS_UPDATE}\" = \"YES\" ]; then\n _update_boa_tools\n [ -e \"${_pthLog}\" ] && rm -f ${_pthLog}/updateBOAtools*.pid\n [ -e \"${_pthLog}\" ] && touch ${_boaToolsPid}\n if [ \"${1}\" = \"verbose\" ] || [ -z \"${1}\" ]; then\n echo\n echo \"BOA Meta Installers setup completed\"\n echo \"Please check INSTALL.md and UPGRADE.md at https://github.com/omega8cc/boa\"\n echo \"Bye\"\n echo\n fi\n fi\n}\n\n_boa_setup() {\n _BENG_VS=NO\n _VMFAMILY=NO\n _RANDOMIZE=NO\n _VM_TEST=\"$(uname -a)\"\n if [[ \"${_VM_TEST}\" =~ \"-beng\" ]]; then\n _BENG_VS=YES\n _RANDOMIZE=YES\n fi\n _if_hosted_sys\n if [ \"${_hostedSys}\" = \"YES\" ]; then\n _VMFAMILY=HOSTED\n fi\n\n _check_dns_settings\n\n if [ -e \"/var/aegir/.drush/hm.alias.drushrc.php\" ]; then\n [ -d /run/unbound ] || mkdir -p /run/unbound\n [ -d /run/unbound ] && chown -R unbound:unbound /run/unbound\n fi\n\n if [ ! -e \"/etc/apt/apt.conf.d/00sandboxoff\" ] \\\n && [ -e \"/etc/apt/apt.conf.d\" ]; then\n echo \"APT::Sandbox::User \\\"root\\\";\" > /etc/apt/apt.conf.d/00sandboxoff\n fi\n\n _APT_CONFIG_FILE=\"/etc/apt/apt.conf.d/99ignorestrict\"\n\n # Desired configuration content\n _DESIRED_APT_CONFIG='Acquire::AllowInsecureRepositories \"true\";\n APT::Get::AllowUnauthenticated \"true\";\n Aptitude::CmdLine::Fix-Broken \"true\";'\n\n # Remove leading whitespace from each line\n _CLEANED_DESIRED_APT_CONFIG=$(echo \"${_DESIRED_APT_CONFIG}\" | sed 's/^[[:space:]]\\+//')\n\n # Normalize the existing file content\n if [[ -f \"${_APT_CONFIG_FILE}\" ]]; then\n _CURRENT_APT_CONFIG=$(tr -d '[:space:]' < \"${_APT_CONFIG_FILE}\")\n else\n _CURRENT_APT_CONFIG=\"\"\n fi\n\n # Normalize the cleaned desired configuration content\n _NORMALIZED_DESIRED_APT_CONFIG=$(echo \"${_CLEANED_DESIRED_APT_CONFIG}\" | tr -d '[:space:]')\n\n # Compare normalized contents and update if necessary\n if [[ \"${_CURRENT_APT_CONFIG}\" != \"${_NORMALIZED_DESIRED_APT_CONFIG}\" ]]; then\n echo \"${_CLEANED_DESIRED_APT_CONFIG}\" | tee \"${_APT_CONFIG_FILE}\" > /dev/null\n fi\n\n if [ ! -e \"/var/aegir/.drush/hm.alias.drushrc.php\" ] && [ ! -e \"/var/xdrago/manage_solr_config.sh\" ]; then\n# apt-get remove unscd -y --purge --auto-remove -qq &> /dev/null\n# apt-get remove dbus -y --purge --auto-remove -qq &> /dev/null\n# if [ -e \"/usr/share/dbus-1\" ]; then\n# rm -f /usr/share/dbus-1/*/*freedesktop*\n# fi\n userdel -r debian &> /dev/null\n sed -i \"s/^#startup_message off/startup_message off/g\" /etc/screenrc &> /dev/null\n fi\n\n _isScreen=$(screen --version 2>&1)\n if [[ ! \"${_isScreen}\" =~ \"GNU\" ]] || [ -z \"${_isScreen}\" ]; then\n apt-get install screen -y &> /dev/null\n apt-get install net-tools -y &> /dev/null\n apt-get install hostname -y &> /dev/null\n apt-get install ntpsec-ntpdate -y &> /dev/null\n fi\n\n _if_reinstall_curl\n\n _CURL_TEST=$(curl -L -k -s \\\n --max-redirs 10 \\\n --retry 3 \\\n --retry-delay 10 \\\n -I \"http://${_USE_MIR}\" 2> /dev/null)\n if [[ ! \"${_CURL_TEST}\" =~ \"200 OK\" ]]; then\n if [[ \"${_CURL_TEST}\" =~ \"unknown option was passed in to libcurl\" ]]; then\n echo \"ERROR: cURL libs are out of sync! Re-installing..\"\n _if_reinstall_curl\n fi\n echo \"ERROR: ${_USE_MIR} is not available, please try later\"\n exit 1\n else\n _urlHmr=\"http://${_USE_MIR}/versions/${_tRee}/boa/aegir\"\n fi\n\n _if_clean_boa_env\n\n _LSB_TEST=\"$(which lsb_release)\"\n if [ ! -x \"${_LSB_TEST}\" ]; then\n if [ ! -e \"/etc/apt/apt.conf.d/00sandboxoff\" ] \\\n && [ -e \"/etc/apt/apt.conf.d\" ]; then\n echo \"APT::Sandbox::User \\\"root\\\";\" > /etc/apt/apt.conf.d/00sandboxoff\n fi\n _apt_clean_update\n apt-get install lsb-release ${_aptYesUnth}\n fi\n\n ### Fix or install VM system detection\n _check_virt\n\n _BOA_TOOLS_UPDATE=NO\n if [ -e \"${_pthLog}\" ] && [ ! -e \"${_boaToolsPid}\" ]; then\n _BOA_TOOLS_UPDATE=YES\n fi\n [ ! -e \"/var/aegir/.drush/hm.alias.drushrc.php\" ] && _BOA_TOOLS_UPDATE=YES\n if [ \"${_BOA_TOOLS_UPDATE}\" = \"YES\" ]; then\n _update_boa_tools\n [ -e \"${_pthLog}\" ] && rm -f ${_pthLog}/updateBOAtools*.pid\n [ -e \"${_pthLog}\" ] && touch ${_boaToolsPid}\n echo\n echo \"BOA Meta Installers setup completed\"\n echo \"Please check INSTALL.md and UPGRADE.md at https://github.com/omega8cc/boa\"\n echo \"Bye\"\n echo\n fi\n}\n\n_count_cpu() {\n _CPU_INFO=\"$(grep -c processor /proc/cpuinfo)\"\n _CPU_INFO=${_CPU_INFO//[^0-9]/}\n _NPROC_TEST=\"$(which nproc)\"\n if [ -z \"${_NPROC_TEST}\" ]; then\n _CPU_NR=\"${_CPU_INFO}\"\n else\n _CPU_NR=$(nproc 2>&1)\n fi\n _CPU_NR=${_CPU_NR//[^0-9]/}\n if [ ! -z \"${_CPU_NR}\" ] \\\n && [ ! -z \"${_CPU_INFO}\" ] \\\n && [ \"${_CPU_NR}\" -gt \"${_CPU_INFO}\" ] \\\n && [ \"${_CPU_INFO}\" -gt 0 ]; then\n _CPU_NR=\"${_CPU_INFO}\"\n fi\n if [ -z \"${_CPU_NR}\" ] || [ \"${_CPU_NR}\" -lt 1 ]; then\n _CPU_NR=1\n fi\n mkdir -p /data/all\n chmod 755 /data/all\n echo ${_CPU_NR} > /data/all/cpuinfo\n chmod 644 /data/all/cpuinfo\n}\n\n_sysctl_update() {\n if [ ! -e \"/root/.no.sysctl.update.cnf\" ] \\\n && [ ! -e \"/var/backups/.sysctl.conf.mod-disable-ipv6-${_xSrl}.log\" ]; then\n [ -d \"/var/backups\" ] || mkdir -p /var/backups\n cd /var/backups\n rm -f /var/backups/sysctl.conf\n curl ${_crlGet} \"${_urlHmr}/conf/var/sysctl.conf\" -o sysctl.conf\n if [ -e \"/var/backups/sysctl.conf\" ]; then\n cp -af /var/backups/sysctl.conf /etc/sysctl.conf\n fi\n if [ -e \"/etc/security/limits.conf\" ]; then\n _IF_NF=$(grep '2097152' /etc/security/limits.conf 2>&1)\n if [ ! -z \"${_IF_NF}\" ]; then\n sed -i \"s/.*2097152.*//g\" /etc/security/limits.conf\n wait\n fi\n _IF_NF=$(grep '524288' /etc/security/limits.conf 2>&1)\n if [ -z \"${_IF_NF}\" ]; then\n echo \"* hard nofile 524288\" >> /etc/security/limits.conf\n echo \"* soft nofile 524288\" >> /etc/security/limits.conf\n echo \"root hard nofile 1048576\" >> /etc/security/limits.conf\n echo \"root soft nofile 1048576\" >> /etc/security/limits.conf\n fi\n _IF_NF=$(grep '65556' /etc/security/limits.conf 2>&1)\n if [ -z \"${_IF_NF}\" ]; then\n echo \"* hard nproc 65556\" >> /etc/security/limits.conf\n echo \"* soft nproc 65556\" >> /etc/security/limits.conf\n fi\n fi\n if [ -e \"/boot/grub/grub.cfg\" ] || [ -e \"/boot/grub/menu.lst\" ]; then\n #echo never > /sys/kernel/mm/transparent_hugepage/enabled\n if [ -e \"/etc/sysctl.conf\" ]; then\n sysctl -p /etc/sysctl.conf &> /dev/null\n fi\n else\n if [ -e \"/etc/sysctl.conf\" ]; then\n sysctl -p /etc/sysctl.conf &> /dev/null\n fi\n fi\n if [ -e \"/etc/default/nginx\" ]; then\n _IF_ULNX=$(grep '524288' /etc/default/nginx 2>&1)\n if [ -z \"${_IF_ULNX}\" ]; then\n sed -i \"s/^ULIMIT=.*//gi\" /etc/default/nginx\n wait\n echo ULIMIT=\\\"-n 524288\\\" >> /etc/default/nginx\n ulimit -n 524288 &> /dev/null\n service nginx restart &> /dev/null\n fi\n fi\n if [ -e \"/etc/security/limits.d\" ] \\\n && [ ! -e \"/etc/security/limits.d/solr9.conf\" ]; then\n echo \"sshd soft nofile 524288\" > /etc/security/limits.d/sshd.conf\n echo \"sshd hard nofile 999999\" >> /etc/security/limits.d/sshd.conf\n echo \"redis soft nofile 65535\" > /etc/security/limits.d/redis.conf\n echo \"redis hard nofile 524288\" >> /etc/security/limits.d/redis.conf\n echo \"nginx soft nofile 524288\" > /etc/security/limits.d/nginx.conf\n echo \"nginx hard nofile 999999\" >> /etc/security/limits.d/nginx.conf\n echo \"jetty9 soft nofile 65535\" > /etc/security/limits.d/jetty9.conf\n echo \"jetty9 hard nofile 524288\" >> /etc/security/limits.d/jetty9.conf\n echo \"solr7 soft nofile 65535\" > /etc/security/limits.d/solr7.conf\n echo \"solr7 hard nofile 524288\" >> /etc/security/limits.d/solr7.conf\n echo \"solr9 soft nofile 65535\" > /etc/security/limits.d/solr9.conf\n echo \"solr9 hard nofile 524288\" >> /etc/security/limits.d/solr9.conf\n echo \"@www-data soft nofile 65535\" > /etc/security/limits.d/www.conf\n echo \"@www-data hard nofile 524288\" >> /etc/security/limits.d/www.conf\n if [ -e \"/etc/init.d/valkey-server\" ]; then\n service valkey-server restart &> /dev/null\n elif [ -e \"/etc/init.d/redis-server\" ]; then\n service redis-server restart &> /dev/null\n fi\n service nginx restart &> /dev/null\n service ssh restart &> /dev/null\n _PHP_V=\"85 84 83 82 81 80 74 73 72 71 70 56\"\n for e in ${_PHP_V}; do\n if [ -e \"/etc/init.d/php${e}-fpm\" ]; then\n service \"php${e}-fpm\" reload &> /dev/null\n fi\n done\n fi\n touch /var/backups/.sysctl.conf.mod-disable-ipv6-${_xSrl}.log\n fi\n}\n\n###\n### Load + normalize _INCIDENT_REPORT\n###\n### Legacy values:\n### NO becomes OFF (see below)\n### YES becomes MINI (see below)\n###\n### Current values:\n### OFF == Total silence, no email alerts\n### ALL == Very noisy, good for debugging\n### MINI == Only the most important alerts (default)\n### CRIT == Only critical if _lvl=ALERT\n###\n_normalize_incident_report() {\n : \"${_INCIDENT_REPORT:=MINI}\"\n _INCIDENT_REPORT=\"${_INCIDENT_REPORT^^}\"\n _INCIDENT_REPORT=\"${_INCIDENT_REPORT//[^A-Z]/}\"\n ###\n ### Map legacy + validate\n ###\n case \"${_INCIDENT_REPORT}\" in\n NO) _INCIDENT_REPORT=\"OFF\" ;;\n YES) _INCIDENT_REPORT=\"MINI\" ;;\n OFF|ALL|MINI|CRIT) : ;;\n *) _INCIDENT_REPORT=\"MINI\" ;;\n esac\n}\n\n# Function to notify about still running backup\n_backup_waiting_notify() {\n _hName=\"$(cat /etc/hostname 2>/dev/null | tr -d '\\n' || hostname -f 2>/dev/null)\"\n _templog=\"${_bLogB}\"\n cat /root/.remote_backups/schedule/backup_schedule.txt > ${_templog}\n ps axf | grep multiback >> ${_templog}\n ps axf | grep duplicity >> ${_templog}\n ls -la /tmp/duplicity-*-tempdir >> ${_templog}\n tree /root/.cache/duplicity >> ${_templog}\n ls -laR /root/.cache/duplicity >> ${_templog}\n grep \"Out of memory: Killed process.*duplicity\" /var/log/iptables.log >> ${_templog}\n boa info >> ${_templog}\n if [ -n \"${_MY_EMAIL}\" ] && [ \"${_INCIDENT_REPORT}\" != \"OFF\" ]; then\n s-nail -s \"Multiback Waiting Report for [${_hName}] on $(date)\" ${_MY_EMAIL} < ${_templog}\n fi\n}\n\n# Load kTLS module only if it is not already loaded.\n_load_ktls_module() {\n if ! lsmod 2>/dev/null | awk '{print $1}' | grep -qx \"tls\"; then\n if [ -e \"/lib/modules/$(uname -r)/kernel/net/tls/tls.ko\" ] \\\n || modinfo tls >/dev/null 2>&1; then\n modprobe -q tls >/dev/null 2>&1 || true\n grep -qxF \"tls\" /etc/modules 2>/dev/null || printf '%s\\n' \"tls\" >> /etc/modules\n fi\n fi\n}\n\n# Fix CSF config only if Quic HTTP3 support is not enabled yet\n_csf_allow_quic_udp_443() {\n _CSF_CONF=\"/etc/csf/csf.conf\"\n _CSF_CHANGED=\"NO\"\n\n if ! command -v csf >/dev/null 2>&1; then\n if [ \"${_DEBUG_MODE}\" = \"YES\" ]; then\n echo \"INFO: csf not found - skipping UDP/443 (QUIC) firewall check\"\n fi\n return 0\n fi\n\n if [ ! -s \"${_CSF_CONF}\" ]; then\n if [ \"${_DEBUG_MODE}\" = \"YES\" ]; then\n echo \"WARN: ${_CSF_CONF} not found or empty - skipping\"\n fi\n return 0\n fi\n\n _csf_add_port_to_list_var() {\n # $1 = VAR (UDP_IN / UDP6_IN), $2 = PORT (443)\n _VAR=\"${1}\"\n _PORT=\"${2}\"\n\n # Extract current value between quotes\n _CUR=\"$(grep -E \"^${_VAR}[[:space:]]*=\" \"${_CSF_CONF}\" 2>/dev/null | head -n1 | sed -E 's/^[^\"]*\"([^\"]*)\".*$/\\1/')\"\n\n # If var not present, do nothing\n if ! grep -q -E \"^${_VAR}[[:space:]]*=\" \"${_CSF_CONF}\" 2>/dev/null; then\n return 0\n fi\n\n # If already present as a whole list item, do nothing\n if echo \",${_CUR},\" | grep -q \",${_PORT},\"; then\n if [ \"${_DEBUG_MODE}\" = \"YES\" ]; then\n echo \"INFO: CSF ${_VAR} already includes ${_PORT}\"\n fi\n return 0\n fi\n\n # Append port (handle empty list)\n if [ -n \"${_CUR}\" ]; then\n _NEW=\"${_CUR},${_PORT}\"\n else\n _NEW=\"${_PORT}\"\n fi\n\n # Replace only the FIRST matching line for this var, keep surrounding quotes\n # Make a backup once (csf.conf.bak) if not already present\n if [ ! -e \"${_CSF_CONF}.bak\" ]; then\n cp -af \"${_CSF_CONF}\" \"${_CSF_CONF}.bak\"\n fi\n\n sed -i -E \"0,/^${_VAR}[[:space:]]*=/{s|^(${_VAR}[[:space:]]*=[[:space:]]*\\\").*(\\\".*)|\\1${_NEW}\\2|}\" \"${_CSF_CONF}\"\n\n _CSF_CHANGED=\"YES\"\n if [ \"${_DEBUG_MODE}\" = \"YES\" ]; then\n echo \"INFO: CSF updated: ${_VAR}=\\\"${_NEW}\\\"\"\n fi\n }\n\n # QUIC needs inbound UDP/443\n _csf_add_port_to_list_var \"UDP_IN\" \"443\"\n\n # If your CSF has separate IPv6 var, update it too\n if grep -q -E '^UDP6_IN[[:space:]]*=' \"${_CSF_CONF}\" 2>/dev/null; then\n _csf_add_port_to_list_var \"UDP6_IN\" \"443\"\n fi\n\n if [ \"${_CSF_CHANGED}\" = \"YES\" ]; then\n if [ \"${_DEBUG_MODE}\" = \"YES\" ]; then\n echo \"INFO: Reloading CSF to apply UDP/443 change\"\n fi\n csf -r >/dev/null 2>&1 || csf -ra >/dev/null 2>&1\n else\n if [ \"${_DEBUG_MODE}\" = \"YES\" ]; then\n echo \"INFO: CSF config unchanged\"\n fi\n fi\n\n return 0\n}\n\n###--------------------###\nif [ \"$(id -u)\" -eq 0 ]; then\n\n # Load kTLS module only if it is not already loaded\n _load_ktls_module\n\n # Fix CSF config only if Quic HTTP3 support is not enabled yet\n _csf_allow_quic_udp_443\n\n if ! command -v bc &> /dev/null; then\n apt-get update -qq &> /dev/null\n ${_INITINS} bc &> /dev/null\n fi\n\n if ! command -v curl &> /dev/null; then\n apt-get update -qq &> /dev/null\n ${_INITINS} curl &> /dev/null\n fi\n\n _find_correct_ip\n _find_server_city\n\n [ ! -e \"/var/aegir/.drush/hm.alias.drushrc.php\" ] && _locales_check_fix_early\n _os_detection_minimal\n _find_fast_mirror_early\n _verify_boa_keys\n\n ### Prefer Devuan apt sources\n if [ -d \"/var/aegir\" ] && [ ! -e \"/etc/apt/preferences.d/99-prefer-devuan\" ]; then\n if grep -qi 'ID=devuan' /etc/os-release 2>/dev/null; then\n _prefer_devuan_repositories\n fi\n fi\n\n ### Fix VM system detection\n _check_virt\n\n if [ -e \"${_barCnf}\" ]; then\n source ${_barCnf}\n _normalize_incident_report\n fi\n\n ### Notify if multiback backups seem to run for too long\n _DCY=$(pgrep -fc duplicity)\n _MLT=$(pgrep -fc multiback)\n if (( _DCY > 0 )) && (( _MLT > 0 )); then\n _bLogA=\"/var/backups/multiback_waiting_queue.log\"\n _bLogB=\"/var/backups/tmp_multiback_waiting_queue.log\"\n if [ ! -e \"${_bLogA}\" ] && [ ! -e \"${_bLogB}\" ]; then\n _backup_waiting_notify\n fi\n fi\n\n ### Make local OpenSSL new/legacy ssl/certs symlinked to system ssl/certs\n if [ -d \"/var/aegir\" ]; then\n _fix_sync_system_ssl_certs\n fi\n\n ### Fix Solr 4/7/9 conflicting ports\n if [ -d \"/var/aegir\" ]; then\n _fix_start_stop_ports_solr\n fi\n\n ### CVE-2021-44228 Log4j 2 Vulnerability\n ### CVE-2021-45046 Log4j 2 Vulnerability\n ### CVE-2021-45105 Log4j 2 Vulnerability\n _fix_log4j_solr7\n\n ### Linux kernel TCP SACK CVEs mitigation\n ### CVE-2019-11477 SACK Panic\n ### CVE-2019-11478 SACK Slowness\n ### CVE-2019-11479 Excess Resource Consumption Due to Low MSS Values\n if [ -x \"/usr/sbin/csf\" ] && [ -e \"/etc/csf/csf.deny\" ]; then\n _SACK_TEST=$(ip6tables --list | grep tcpmss)\n if [[ ! \"${_SACK_TEST}\" =~ \"tcpmss\" ]]; then\n sysctl net.ipv4.tcp_mtu_probing=0 &> /dev/null\n iptables -A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP &> /dev/null\n ip6tables -A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP &> /dev/null\n [ -e \"/etc/csf/csfpost.d/synproxy.sh\" ] && synproxy_reassert -p \"443 80\" --no-quic -q &> /dev/null\n fi\n fi\n ### More aggressive mitigation affecting network performance\n # if [ -e \"/proc/sys/net/ipv4/tcp_sack\" ]; then\n # _SACK_TEST=$(cat /proc/sys/net/ipv4/tcp_sack 2>&1)\n # _SACK_TEST=$(echo -n ${_SACK_TEST} | tr -d \"\\n\" 2>&1)\n # if [[ \"${_SACK_TEST}\" =~ \"1\" ]]; then\n # echo \"0\" > /proc/sys/net/ipv4/tcp_sack\n # fi\n # fi\n\n ### Block known attackers IPs\n _CSF_TEST=\"$(which csf)\"\n if [ -x \"${_CSF_TEST}\" ]; then\n _IP_BLOCK=\"47.82.0.0/16 47.79.0.0/16 2.57.121.0/24 2.57.122.0/24 45.148.10.0/24 80.94.92.0/24 92.118.39.0/24 185.177.72.0/24\"\n for _IP in ${_IP_BLOCK}; do\n _FW_TEST=$(csf -g ${_IP} 2>&1)\n if [[ \"${_FW_TEST}\" =~ \"DENY Match:${_IP} Setting\" ]] \\\n && [[ \"${_FW_TEST}\" =~ \"csf.deny: ${_IP}\" ]]; then\n echo \"${_IP} already denied for Brute force SSH/Web Server attacks\"\n else\n csf -d ${_IP} do not delete Brute force SSH/Web Server attacks\n [ -e \"/etc/csf/csfpost.d/synproxy.sh\" ] && synproxy_reassert -p \"443 80\" --no-quic -q &> /dev/null\n fi\n done\n fi\n\n ### Linux kernel CVE-2017-2636 hotfix\n if [ -e \"/etc/modprobe.d\" ] \\\n && [ ! -e \"/etc/modprobe.d/blacklist-n_hdlc.conf\" ]; then\n echo \"install n_hdlc /bin/true\" > /etc/modprobe.d/blacklist-n_hdlc.conf\n rmmod n_hdlc &> /dev/null\n fi\n\n ### Linux kernel CVE-2017-6074 hotfix\n if [ -e \"/etc/modprobe.d\" ] \\\n && [ ! -e \"/etc/modprobe.d/blacklist-dccp-all.conf\" ]; then\n echo \"install dccp /bin/true\" > /etc/modprobe.d/blacklist-dccp-all.conf\n echo \"install dccp_diag /bin/true\" >> /etc/modprobe.d/blacklist-dccp-all.conf\n echo \"install dccp_ipv4 /bin/true\" >> /etc/modprobe.d/blacklist-dccp-all.conf\n echo \"install dccp_ipv6 /bin/true\" >> /etc/modprobe.d/blacklist-dccp-all.conf\n echo \"install dccp_probe /bin/true\" >> /etc/modprobe.d/blacklist-dccp-all.conf\n rmmod dccp &> /dev/null\n rmmod dccp_diag &> /dev/null\n rmmod dccp_ipv4 &> /dev/null\n rmmod dccp_ipv6 &> /dev/null\n rmmod dccp_probe &> /dev/null\n fi\n\n if [ ! -e \"/data/all/cpuinfo\" ]; then\n _count_cpu\n fi\n\n _if_boa_key_tools_update_allowed\n\n if [ \"${_BOA_KEY_TOOLS_UPDATE_ALLOWED}\" = \"YES\" ] \\\n && [ -e \"/opt/etc/fpm/fpm-pool-common.conf\" ] \\\n && [ -e \"/var/xdrago\" ]; then\n if [ ! -z \"${_SKYNET_MODE}\" ] && [ \"${_SKYNET_MODE}\" = \"OFF\" ]; then\n if [ -n \"${SSH_TTY+x}\" ]; then\n echo\n echo \"STATUS: BOA Skynet Agent is Inactive!\"\n echo\n echo \"HINT: Please remove the _SKYNET_MODE=OFF line from\"\n echo \"HINT: ${_barCnf} to enable me again.\"\n echo\n echo \"NOTE: Critically important BOA tools will be still updated\"\n echo\n _if_update_boa_key_tools_only verbose\n exit 0\n else\n _if_update_boa_key_tools_only silent\n exit 0\n fi\n else\n if [ -n \"${SSH_TTY+x}\" ]; then\n echo\n echo \"STATUS: BOA Skynet Agent is Active, OK!\"\n echo\n echo \"HINT: You can add the _SKYNET_MODE=OFF line in\"\n echo \"HINT: ${_barCnf} to disable me, if needed.\"\n echo\n fi\n fi\n else\n if [ -z \"$STY\" ]; then\n _SCREEN_INIT=YES\n fi\n fi\n if [ -d \"/.newrelic\" ]; then\n rm -rf /.newrelic\n fi\n chmod a+w /dev/null\n if [ ! -e \"/dev/fd\" ]; then\n if [ -e \"/proc/self/fd\" ]; then\n rm -rf /dev/fd\n ln -sfn /proc/self/fd /dev/fd\n fi\n fi\n if [ \"${_BOA_KEY_TOOLS_UPDATE_ALLOWED}\" = \"YES\" ]; then\n _boa_setup\n fi\n if [ \"${_BOA_KEY_TOOLS_UPDATE_ALLOWED}\" = \"YES\" ] \\\n && [ -e \"/var/log/barracuda_log.txt\" ]; then\n _fix_sftp_server\n _fix_ping_perms\n _fix_fpm_process_max\n _if_fix_lshell\n _fix_node_in_lshell_access\n # _fix_php_in_lshell_access\n _fix_authorized_keys\n _fix_aio\n _fix_console_print\n _fix_java_symlinks\n _fix_composer_version\n _fix_wkhtml\n _fix_wkhtml_perms\n _fix_eldir\n _if_drupal_patches_update\n _fix_drupal_core_ten\n _fix_drupal_core_eleven\n _fix_pure_ftpd\n _fix_hosting_le\n _fix_newrelic\n _fix_leftovers\n _update_agents\n _sysctl_update\n # _saCoreN=\"SA-CORE-2018-002\"\n # _fix_core_dgd\n # sleep 3\n # _saCoreN=\"SA-CORE-2018-004\"\n # _fix_core_dgd\n # sleep 3\n # _saCoreN=\"SA-CORE-2018-006\"\n # _fix_core_dgd\n # sleep 3\n # _saCoreN=\"SA-CORE-2019-004\"\n # _fix_core_dgd\n # sleep 3\n # _saCoreN=\"3143016-83\"\n # _fix_core_dgd\n fi\n if [ ! -e \"/etc/ssl/private/4096.dhp\" ] && [ -d \"/var/xdrago\" ]; then\n echo \"Generating 4096.dhp -- it may take a very long time...\"\n openssl dhparam -out /etc/ssl/private/4096.dhp 4096 > /dev/null 2>&1 &\n fi\n if [ -e \"/etc/ssl/private/4096.dhp\" ]; then\n chown -R root:ssl-cert /etc/ssl/private\n chmod 640 /etc/ssl/private/*\n chmod 710 /etc/ssl/private\n fi\n if [ ! -e \"/root/.upstart.cnf\" ]; then\n service cron reload &> /dev/null\n fi\n if [ \"${_SCREEN_INIT}\" = \"YES\" ]; then\n if [ \"${_DEBUG_MODE}\" != \"YES\" ]; then\n clear\n fi\n echo\n echo \"The system is ready for BOA installation!\"\n echo\n echo \"We will start screen session for you automatically\"\n echo \"to avoid problems with dropped SSH connections\"\n echo \"during BOA stack installation, which may take up to\"\n echo \"45-60 minutes, depending on your server speed.\"\n echo\n echo \"If your connection will drop, simply log in again\"\n echo \"and re-attach your session with 'screen -R' command.\"\n echo\n echo \"Enjoy!\"\n echo\n if [ -x \"/usr/sbin/aa-teardown\" ]; then\n aa-teardown &> /dev/null\n fi\n else\n exit 0\n fi\nelse\n echo \"ERROR: This script should be run as a root user\"\n exit 1\nfi\n"
},
{
"path": "CHANGELOG.txt",
"content": "\n###\n### Stable BOA-5.9.1-pro/lts - HTTP/3 Edition\n### Date: Sun Feb 8 10:02:06 PM NZDT 2026 in Auckland\n### Welcome Fast Lane HTTPS: HTTP/3 and KTLS\n### 333 commits since BOA-5.8.5-pro\n###\n\n@=> 4 NEW, 12 UPDATED, 32 TOTAL Drupal distros/platforms available\n\n While most of you typically build your own codebases/platforms with Composer\n these days, we still deliver a list of 32 platforms ready to use in your Ægir.\n\n Since these platforms are updated only with BOA releases, they are not really\n intended for production use per se, because you typically need a faster\n lifecycle to keep your sites secure.\n\n However, they provide a wide range of testing playgrounds, because you can\n install only those you wish to test or use, and reinstall if needed, with\n the help of our BOA-only feature that allows you to upgrade your Ægir\n on demand with two simple control files, as described in the built-in docs\n you can always find in ~/static/control/README.txt.\n\n The complete list of 32 is further below, in the section \"Drupal platforms\n available for installation\".\n\n@=> Going Local with Infrastructure\n\n We’ve expanded our network considerably to meet the growing expectations of\n the Data Sovereignty movement. This isn’t just about adding more cities\n to our hosting map — it’s also about going local with infrastructure\n wherever we can.\n\n We no longer rely solely on big-name vendors and hyperscalers. Instead, we’re\n gradually migrating to local providers and data centers in every country where\n we offer hosted BOA for Drupal.\n\n For example, in Canada you can now choose not only Toronto, but also Montreal,\n Calgary, and Vancouver. In Australia, it’s no longer just Sydney — we also\n offer Adelaide, Brisbane, and Perth.\n\n We’ve also added an excellent facility in New Zealand.\n\n Of course, we continue to support our original Singapore location and still\n offer EU, UK, and US options.\n\n@=> Usage disk/sql limits x2 + Aero and Archive plans added to hosted BOA\n\n It's worth mentioning that our hosted BOA plans have received a huge upgrade:\n several new locations have been added around the world, our vendors are now\n local (instead of the previous US-only hyperscalers), and an entirely new\n Archive Tier has been added for those looking to host collections of\n low-traffic sites at low cost.\n\n Take a look if you are interested: https://omega8.cc/hosted\n\n@=> New BOA-5.9.1 PRO/LTS Release\n\n Yes, we said that BOA-LTS would enter complete code freeze for 2026, but\n we think that the major new features and many security updates introduced in\n the last two months must be shared with the entire community before we enter\n a less rapid feature development cycle for the next few months.\n\n The future of 100% Open Source Drupal hosting is brighter than ever!\n\n With BOA-5.9.1 PRO/LTS, we proudly deliver full HTTP/3 and KTLS support —\n a fundamental change in the way modern browsers communicate with modern\n HTTPS web servers — along with the latest OpenSSL 3.5 LTS, which made it\n possible, a clever and very professional tool to diagnose your server hardware\n performance in the context of BOA-specific requirements and capabilities,\n and many critical security and bug fixes related to system components.\n\n This groundbreaking feature not only pushes the boundaries of what BOA\n can achieve but also reaffirms our commitment to staying ahead of the curve\n for modern Drupal deployments.\n\n We are thrilled to introduce BOA-5.9.1 PRO/LTS, our 8th release under the\n new branch structure and dual licensing model. It merges 2 months of\n intense development from the DEV branch, delivering 333 commits packed\n with powerful features, critical fixes, and enhancements.\n\n Thank you to everyone who supports our work by purchasing a BOA PRO license:\n https://omega8.cc/boapro.\n\n@=> Key Improvements Explained\n\n * HTTP/3 and KTLS support. If you run Drupal sites that should feel fast and\n responsive (and stay that way during spikes), this is genuinely good news.\n Why is this a big deal? What should visitors notice?\n\n Read the full story: https://github.com/omega8cc/boa/tree/5.x-dev/HTTP3.md\n\n * Percona 8.4 comes to Excalibur. We no longer need vanilla MySQL 8.4 now that\n Percona has released its own build for Debian Trixie, which can be used on\n Devuan Excalibur. There is no MySQL-to-Percona upgrade option yet, though.\n Please note that we still recommend Devuan Daedalus as the most versatile\n system, which can also support Percona 8.0 and 5.7.\n\n * Curious if your VM is good enough to fully benefit from BOA optimisations\n and deliver a first-class Drupal hosting environment? There’s a deep\n hardware and network analysis tool available: simply type `perftest` as root.\n\n * From now on, all BOA installers will download their components as packaged\n batches instead of dozens of separate little modules. They will also no longer\n rely on fetching complete repositories from GitHub, instead downloading only\n the latest packaged code from our mirrors. You can revert to the old method\n by changing _DL_MODE=BATCH to _DL_MODE=GIT in /root/.barracuda.cnf\n\n@=> New Features\n\n * Add chromium as alternative for wkhtmltopdf\n * Add Java 21 for Solr 9 and Jenkins\n * Add kTLS support in Nginx config\n * Add Red Hat KVM guest to supported virtualization systems\n * Allow access to site-specific well-known/mta-sts.txt file\n * Enable quic/http3 support in Nginx\n * Percona 8.4 comes to Excalibur to replace vanilla MySQL 8.4\n\n@=> New Improvements\n\n * Add _disable_systemd_networkd_for_next_boot\n * Add _init_debian_networkd_handoff in autoinit\n * Add _install_net_rollback in vmnetfix\n * Add aptfast as multi-lane aptitude wrapper for faster downloads\n * Add ciphers required by kTLS in Nginx\n * Add triple check for base-files\n * Improve and modernize Nginx build configuration options\n * Improve autoinit support for some vendors with _init_sysv_net_repair\n * Improve autoinit with _init_sysv_insserv_repair\n * Improve DHCP/NAT support in vmnetfix\n * Improve ffmirror\n * Improve reliability of autoinit on 10+ vendors tested\n * Improve usage info\n * Improve vmnetfix with _iface_has_dhcp_for_if\n * Modernize 301 redirects\n * Nginx: extend log_format to include protocol used\n * Prefer ifupdown over ifupdown2\n * Simplify and sync _if_off_apparmor/_turn_off_apparmor\n * Special-case Java 11/17/21 force install if version is too old\n * Sync Ægir naming convention\n * Sync config for GeoLite2\n * Uninstall cloud-utils if not required -- makes reboot faster\n * Update networking with vmnetfix early\n * Update SSL proxy vhosts if KTLS is missing\n * Use _DL_MODE=BATCH by default\n * Use Java 21 also on older systems if installed\n\n@=> Changes\n\n * Add strict locking to /etc/resolv.conf\n * Enable access_log in proxy so DoS-guard can still work\n * Prioritize modern ed25519 SSH keys\n * Run /var/xdrago/clear.sh every 3 minutes\n * Run /var/xdrago/ip_access.sh every 2 minutes\n * Run /var/xdrago/manage_ltd_users.sh every minute\n * Run /var/xdrago/manage_solr_config.sh every minute\n * Switch default PHP to 8.4\n * Turn off AppArmor in autoinit phase\n * Use nginx restart instead of quietupgrade\n\n@=> Upgrades\n\n * cURL 8.17.0\n * cURL 8.18.0\n * GoAccess 1.9.4\n * ionCube 15.0.0 (up to PHP 8.4)\n * Nginx 1.29.4\n * Nginx 1.29.5\n * OpenSSL 3.4.4\n * OpenSSL 3.5.6 LTS\n * PHP 8.1.34\n * PHP 8.2.30\n * PHP 8.3.29\n * PHP 8.3.30\n * PHP 8.4.16\n * PHP 8.4.17\n * PHP 8.5.1\n * PHP 8.5.2\n * screenFetch 3.9.9\n * Sync dehydrated updates\n * Valkey 9.0.1\n * Valkey 9.0.2\n\n@=> Important Fixes\n\n * Block language-prefix chain URL mutation crawlers spam\n * Block node-chain URL mutation crawlers spam\n * Fix for PHP 5.6 in Block node and language-prefix chain URL mutation spam\n * Percona 8.4 from Trixie requires percona-telemetry-agent\n * Remove unconditional _apt_clean_update running every 3 minutes\n * Removing all .drush.inc files under modules/contrib/webform\n * Restore less noisy _manage_sec_access_paths\n * Restore nginx auto-reload after PHP version update\n * Sync all PHP logs backup/cleanup after upgrade to force PHP-FPM reload\n * Use _check_virt/_not_supported_virt early\n\n@=> Drupal platforms available for installation -- docs/PLATFORMS.md\n\n\t## Drupal 11\n\n\tCK3 - [Commerce 3.2.0] with core (11.3.3) (UPDATED)\n\tCMS - [Drupal CMS 2.0.0] with core (11.3.3) (NEW)\n\tDE1 - [Drupal 11.1.9] with Drush included -- dev/stage/prod\n\tDE2 - [Drupal 11.2.10] with Drush included -- dev/stage/prod (UPDATED)\n\tDE3 - [Drupal 11.3.3] with Drush included -- dev/stage/prod (NEW)\n\tSCR - [Sector 11.0.x-dev] with core (11.3.3) (UPDATED)\n\tTHR - [Thunder 8.3.1] with core (11.3.3) (UPDATED)\n\tVBX - [Varbase 10.1.0] with core (11.3.1) (NEW)\n\n\t## Drupal 10\n\n\tCK2 - [Commerce v.2] with core (10.1.8)\n\tDX0 - [Drupal 10.0.11] with Drush included -- dev/stage/prod\n\tDX1 - [Drupal 10.1.8] with Drush included -- dev/stage/prod\n\tDX2 - [Drupal 10.2.12] with Drush included -- dev/stage/prod\n\tDX3 - [Drupal 10.3.14] with Drush included -- dev/stage/prod\n\tDX4 - [Drupal 10.4.9] with Drush included -- dev/stage/prod\n\tDX5 - [Drupal 10.5.8] with Drush included -- dev/stage/prod (UPDATED)\n\tDX6 - [Drupal 10.6.3] with Drush included -- dev/stage/prod (NEW)\n\tDXP - [DXPR Marketing 10.3.0] with core (10.3.6)\n\tEZC - [EzContent 2.2.15] with core (10.3.6)\n\tFOS - [farmOS 3.5.1] with core (10.6.2) (UPDATED)\n\tLGV - [LocalGov 3.4.0] with core (10.6.3) (UPDATED)\n\tOCS - [OpenCulturas 2.5.4] with core (10.5.8) (UPDATED)\n\tOFD - [OpenFed 12.2.4] with core (10.2.10)\n\tSOC - [Social 12.4.5] with core (10.2.10)\n\tVB9 - [Varbase 9.1.13] with core (10.6.1) (UPDATED)\n\n\t## Drupal 9\n\n\tDL9 - [Drupal 9.5.11] -- dev/stage/prod\n\tOLS - [OpenLucius 2.0.0] with core (9.5.11)\n\tOPG - [Opigno LMS 3.1.0] with core (9.5.11)\n\n\t## Drupal 7\n\n\tCK1 - [Commerce v.1] with core (7.105.1) (UPDATED)\n\tDL7 - [Drupal 7.105.1] -- dev/stage/prod (UPDATED)\n\tUC7 - [Ubercart 3.13] with core (7.105.1) (UPDATED)\n\n\t## Drupal 6\n\n\tDL6 - [Pressflow 6.60.1] -- dev/stage/prod\n\tUC6 - [Ubercart 2.15] with core (6.60.1)\n\n\n###\n### Stable BOA-5.8.5-pro/lts - 30 Years of Heritage Edition\n### Date: Mon Dec 1 09:58:58 AM AEDT 2025 in Sydney\n### Welcome Devuan Excalibur and PHP 8.5\n### 1092 commits since BOA-5.7.12-pro\n###\n\n@=> 30 Years of Heritage -- Why We’re Different\n\n We are unique within the hosting industry for many important reasons.\n\n Our 15 years of Ægir-based hosting, plus earlier experience with Adgrafix\n (the first company to offer a control panel for website management in 1995),\n have helped shape what makes us different today.\n\n We take Open Source seriously, it's not a buzzword for us. It's about freedom\n from corporate control. Here's a short look back at our 15-year Ægir journey\n and 19 years with Drupal.\n\n Read the full story: https://bit.ly/different30y\n\n@=> The Future of Ægir 3 is Bryght!\n\n Omega8.cc is now the lead developer team for Ægir 3 running on BOA\n (Barracuda-Octopus-Ægir stack). We want to thank all past contributors\n who brought Ægir to life – your work makes today’s progress possible.\n\n Because of you, there is still a Bryght Future for Ægir. What to Expect?\n\n Read the full story: https://bit.ly/aegirbryghtfuture\n\n@=> New BOA-5.8.5 PRO/LTS Release\n\n The future of Drupal hosting is here! With BOA-5.8.5 PRO/LTS, we proudly\n deliver both full Drupal 11 support integrated with Ægir and latest PHP 8.5,\n now available on the latest Devuan Excalibur / Debian Trixie system.\n\n This groundbreaking feature not only pushes the boundaries of what the BOA\n can achieve but also reaffirms our commitment to staying ahead of the curve\n for modern Drupal deployments.\n\n Powered by Percona 8.4 and fine-tuned to leverage the latest innovations\n across the stack, this update sets a new standard for hosting next-generation\n Drupal applications while continuing to fully support legacy Drupal versions,\n ensuring smooth operations for every site in your ecosystem, old or new.\n\n We are thrilled to introduce BOA-5.8.5 PRO/LTS, our 7th release under the\n new branch structure and dual licensing model. It merges four months of\n intense development from the DEV branch, delivering 1092 commits packed\n with powerful features, critical fixes, and enhancements.\n\n Thank you to everyone who supports our work by purchasing a BOA PRO license:\n https://omega8.cc/boapro.\n\n As always, this announcement highlights only the most impactful changes.\n For a full breakdown, explore the complete commit history.\n\n@=> Key Improvements Explained\n\n * Any expected downtime during barracuda system upgrades has been reduced\n from 2-3 minutes to 10-14 seconds on average thanks to our improvements\n across the board in the BOA system logic.\n\n * BOA now consistently pauses Ægir tasks queue if any system-backend tasks\n are running -- this includes any barracuda/octopus upgrades, the heavy\n daily.sh script and nightly DB backups, so no Ægir tasks should ever\n collide with those important system tasks.\n\n * The auto-healing system has been rewritten from scratch and greatly\n improved for precision, stability and protection from race conditions,\n with added smart cooldown pause to avoid unnecessary interventions.\n\n * The _SKYNET_MODE=OFF now strictly blocks any updates otherwise applied\n via the autoupboa tool running every 6 minutes, but also blocks any attempt\n to run barracuda or octopus upgrades, even if invoked manually.\n\n * Many vendor-specific issues affecting BOA installation on VPS platforms\n have been addressed for both older and newer Devuan/Debian releases,\n especially for the autoinit procedure recommended as the first step.\n\n * We no longer hardcode Devuan's own APT sources lottery alias deb.devuan.org\n and instead test and pick reputable mirrors to use the fastest in the\n given server's location.\n\n * We limit the messaging noise generated by various parts of the new\n auto-healing system by switching the _INCIDENT_REPORT to NO by default,\n so only really critical incidents like service restarts caused by OOM\n (out of memory) incidents are still reported.\n\n * The legacy _XTRAS_LIST logic has been improved with changes documented.\n Now _XTRAS_LIST is by default EMPTY and extended only minimally depending\n on mode, so almost no BOA xtras are installed by default like before.\n\n * The _CUSTOM_CONFIG_CSF should protect only /etc/csf/csf.conf.\n Previously it blocked CSF/LFD upgrades completely while it should protect\n only the main config file. If the protected config file becomes incompatible\n as a result, it’s the system admin's responsibility to update it manually.\n\n * New control file /root/.dont.touch.permissions.cnf allows blocking any\n otherwise defined/run actions globally by taking precedence over any other\n settings in .barracuda.cnf and site/platform-level INI files.\n\n\n@=> New Features\n\n * Add _UPGRADE_MODE=FAST/FULL mode to speed up barracuda upgrades\n * Add /data/conf/sites-cron-off.ctrl to turn off all sites wget-cron\n * Add autosymlink tool to automate symlinking sites files directories\n * Add cooldown to max/critical load actions in auto-healing\n * Add dhcpfix tool used to fix vendor-specific forced-dns issues if needed\n * Add Droplet Agent to auto-healing\n * Add environment_indicator to Ægir hostmaster control panel\n * Add ffdevuan tool to update the list of reliable and fastest mirrors\n * Add instant SQL fallback for Valkey/Redis to global-valkey.inc\n * Add loadguard as future auto-healing orchestrator for testing\n * Add new dedicated tools: aptcleanup and vmnetfix in autoinit\n * Add support for python 3.13\n * Add synproxy tool: SYNPROXY (TCP/443/80) + QUIC limiter (UDP/443) for CSF\n * Add system level /root/.dont.touch.permissions.cnf\n * Allow _LOCAL_DEVUAN_MIRROR but use _find_fast_devuan_mirror otherwise\n * Auto-enable/disable slow_query_log with /root/.mysqladmin.monitor.cnf\n * PHP 8.5 Support is ready\n * Protect from any autoupboa updates when _SKYNET_MODE=OFF\n * Protect from any barracuda updates when _SKYNET_MODE=OFF\n * Protect from any octopus updates when _SKYNET_MODE=OFF\n * Use MySQL 8.4 from Trixie on Excalibur until Percona releases own version\n\n@=> New Improvements\n\n * Add \"How we build newer codebases for testing\" in docs/BUILDTESTS.md\n * Add waiting before running octopus upgrade on init\n * Always check if /etc/hosts update is needed\n * Always use _spawn_detached procedure for Perl scripts\n * Always use nohup for detached Bash scripts\n * Build OpenSSL 3 w/o no-comp, no-hw\n * Check LE status and run another octopus upgrade if needed on boa install\n * Do not install Git from sources on BOA install\n * Do not send email on Spider Protection on/off\n * Enable APCu by default\n * Improve Ægir accelerated task queue\n * Make Solr/Java versions mapping strict\n * No automatic task queue on CI instance\n * Notify if multiback backups seem to run for too long\n * Pause Ægir queue when /run/boa_run.pid is present\n * Pause Ægir queue when daily.sh runs\n * Pause Ægir tasks queue during system DB backups\n * Prevent a flood of alerts on services up/down status if uptime < 15 min\n * Reload nginx if access log is missing or empty\n * Run _CHECK_MIRROR twice to prime DNS cache before the final speed test\n * Run _satellite_download_for_local_build only once on install\n * Run auto-healing only on fully installed system\n * Run improved scan_nginx.sh every 5 seconds\n * Save CPU cycles by disabling never used master Ægir cron/task queue\n * Sync /root/.allow.clamav.cnf and /root/.deny.clamav.cnf logic\n * Update APT sources on each upgrade\n * Update Devuan mirrors daily\n * Upgrade some held packages if needed and then rebuild from sources\n * Use _find_fast_devuan_mirror by default but static for archived beowulf\n * Use 180s opcache.revalidate_freq for heavy apps like CiviCRM\n * Use 60s opcache.revalidate_freq by default\n * Use Atomic lock/unlock to prevent TOCTOU race conditions globally\n * Use separate verbose logs for barracuda/octopus upgrade details and errors\n * Use special /var/log/boa/reset_no_new_password.pid to allow auto-healing\n\n@=> Changes\n\n * Add New Relic support for PHP 8.4\n * Add Pinterest to $is_crawler list in Nginx configuration\n * Always log all barracuda/octopus upgrades, even self-upgrades\n * Debian Buster has been archived already\n * Display BOA Skynet Agent mesages only for logged in root\n * Do not automate /root/.force.reinstall.cnf\n * Don't invoke old proc_num_ctrl (replaced by new-generation auto-healing)\n * Don't run codebasecheck daily unless /root/.allow-codebasecheck.cnf exists\n * Drop legacy IMAP in PHP on Excalibur\n * Force _VALKEY_MAJOR_RELEASE=9 unless _CUSTOM_CONFIG_VALKEY=YES\n * Force slow Ægir tasks cron mode on VM with 4GB RAM or less\n * Move APCu config to parent INI\n * Move Zend OPcache config to parent INI\n * Remove 60s wait on boa reboot\n * Remove Percona 8.3 support\n * Restore the _SQLMONITOR feature\n * Turn _INCIDENT_REPORT globally off by default\n * Use _BINLOG_KEEP_HOURS 24\n * Use Ægir install check for /var/aegir/.drush/hm.alias.drushrc.php\n * Use cache.backend.chainedfast for selected bins\n * Use slower _iteration in second.sh in auto-healing system\n\n@=> Upgrades\n\n * Commerce 3.2.0 with core 11.2.8\n * CSF/LFD 15.00\n * cURL 8.16.0\n * Drupal 10.4.9\n * Drupal 10.5.6\n * Drupal 11.1.9\n * Drupal 11.2.8\n * Drupal 7.103.2 +Extra core\n * Drupal 7.105.1 +Extra core LTS\n * Drupal CMS 1.2.8 with core 11.2.8\n * Duplicity 3.0.6\n * farmOS 3.4.6 with core 10.4.9\n * Git 2.51.0\n * LocalGov 3.3.1 with core 10.5.6\n * New Relic 12.2.0.27\n * Nginx 1.29.1\n * Nginx 1.29.3\n * Node v22.20.0\n * Node v22.21.0\n * OpenCulturas 2.5.4 with core 10.5.6\n * Openjdk 11.0.29\n * OpenSSH 10.2p1\n * OpenSSL 3.4.3\n * PHP 8.3.24\n * PHP 8.3.25\n * PHP 8.3.26\n * PHP 8.3.27\n * PHP 8.3.28\n * PHP 8.4.11\n * PHP 8.4.12\n * PHP 8.4.13\n * PHP 8.4.14\n * PHP 8.4.15\n * PHP APCu 5.1.27\n * PHP igbinary 3.2.16\n * PHP igbinary 3.2.17 for 8.5\n * PHP imagick 3.8.0\n * PHP Yaml Pecl 2.2.5\n * PHP_MCRYPT 1.0.9 for 7.3 and newer\n * PHPREDIS 6.3.0\n * Pure-FTPd 1.0.52\n * Python 3.13.9 for Duplicity\n * REDIS integration module 8.x-1.11.2 for Drupal 11.x\n * Sector 11.0.x-dev with core 11.2.8\n * Thunder 8.2.6 with core 11.2.8\n * Unbound 1.24.1\n * Unbound 1.24.2\n * Valkey 7.2.11\n * Valkey 9.0.0\n * Varbase 10.0.8 with core 10.5.6\n * Varbase 9.1.12 with core 10.5.2\n * vnStat 2.13\n\n@=> Important Fixes\n\n * Add _fix_stop_solr to Fix Solr 7/9 conflicting ports\n * Add _if_drupal_patches_update — fixes #1892\n * Allow cron web based requests even with HTTP Basic enabled in Ægir\n * Always call updatedb with -y in Ægir Provision backend\n * Always fix /etc/hosts before checking /etc/hostname\n * Auto-update hostname if doesn’t match /etc/hostname\n * Cron-only PHP entrypoint for Drupal 8+ w/ auth_basic turned off on the fly\n * Detect and fix broken downloads in /data/conf/patches/ — fixes #1906\n * Do not add date stamps to scripts — fixes #1891\n * Do not run duplicate unbound-control reload\n * Don't execute daily.sh until all installation procedures are finalized\n * Duplicity backups: replace --file-to-restore w/ --path-to-restore (#1901)\n * Fix access control for packages view in Ægir control panel\n * Fix broken _XTRAS_LIST logic and document changes\n * Hotfix for legacy vnStat installs — fixes #1908\n * Improve _if_mydumper_is_locked procedure action/reporting in auto-healing\n * Improve _solr_health_check_fix to detect stale pid files\n * Install igbinary before redis extension to avoid redis ext build failure\n * Install key DNS tools early with autoinit\n * Java 17 should be set as default on Daedalus\n * Limited Shell wrapper for Drush improvements — fixes #1907\n * Make local OpenSSL new/legacy ssl/certs symlinked to system ssl/certs\n * Remove duplicate unbound auto-healing\n * Remove Permissions-Policy headers from Nginx level\n * Remove server own IP from /etc/hosts if exists\n * Set /etc/hostname before barracuda install\n * Stop displaying useless expired one-time login link on boa install\n * The _CUSTOM_CONFIG_CSF should protect only /etc/csf/csf.conf\n * The maxmemory update for Valkey was missing — fixes #1893\n * Update Nodejs/NPM install logic to always force upstream — fixes #1910\n * Use drupal-ten-aegir-core-01.patch for Drupal 11.1.x\n * Use strict check for virt-what tool\n\n@=> Drupal platforms available for installation -- docs/PLATFORMS.md\n\n\t## Drupal 11\n\n\tCK3 - [Commerce 3.2.0] with core (11.2.8) (NEW)\n\tCMS - [Drupal CMS 1.2.8] with core (11.2.8) (NEW)\n\tDE1 - [Drupal 11.1.9] with Drush included -- dev/stage/prod (NEW)\n\tDE2 - [Drupal 11.2.8] with Drush included -- dev/stage/prod (NEW)\n\tSCR - [Sector 11.0.x-dev] with core (11.2.8) (NEW)\n\tTHR - [Thunder 8.2.6] with core (11.2.8) (NEW)\n\n\t## Drupal 10\n\n\tCK2 - [Commerce v.2] with core (10.1.8)\n\tDX0 - [Drupal 10.0.11] with Drush included -- dev/stage/prod\n\tDX1 - [Drupal 10.1.8] with Drush included -- dev/stage/prod\n\tDX2 - [Drupal 10.2.12] with Drush included -- dev/stage/prod\n\tDX3 - [Drupal 10.3.14] with Drush included -- dev/stage/prod\n\tDX4 - [Drupal 10.4.9] with Drush included -- dev/stage/prod (NEW)\n\tDX5 - [Drupal 10.5.6] with Drush included -- dev/stage/prod (NEW)\n\tDXP - [DXPR Marketing 10.3.0] with core (10.3.6)\n\tEZC - [EzContent 2.2.15] with core (10.3.6)\n\tFOS - [farmOS 3.4.6] with core (10.4.9) (NEW)\n\tLGV - [LocalGov 3.3.1] with core (10.5.6) (NEW)\n\tOCS - [OpenCulturas 2.5.4] with core (10.5.6) (NEW)\n\tOFD - [OpenFed 12.2.4] with core (10.2.10)\n\tSOC - [Social 12.4.5] with core (10.2.10)\n\tVB9 - [Varbase 9.1.12] with core (10.5.2) (NEW)\n\tVBX - [Varbase 10.0.8] with core (10.5.6) (NEW)\n\n\t## Drupal 9\n\n\tDL9 - [Drupal 9.5.11] -- dev/stage/prod\n\tOLS - [OpenLucius 2.0.0] with core (9.5.11)\n\tOPG - [Opigno LMS 3.1.0] with core (9.5.11)\n\n\t## Drupal 7\n\n\tCK1 - [Commerce v.1] with core (7.105.1) (NEW)\n\tDL7 - [Drupal 7.105.1] -- dev/stage/prod (NEW)\n\tUC7 - [Ubercart 3.13] with core (7.105.1) (NEW)\n\n\t## Drupal 6\n\n\tDL6 - [Pressflow 6.60.1] -- dev/stage/prod\n\tUC6 - [Ubercart 2.15] with core (6.60.1)\n\n\n###\n### Stable BOA-5.7.12-pro - Full Edition\n### Date: Tue Jul 29 08:44:02 AM AEST 2025 in Sydney\n###\n\n@=> New BOA-5.7.12 PRO Release\n\n This maintenance release delivers critical hot-fixes and essential\n component upgrades to ensure maximum stability and compatibility across\n all environments.\n\n Immediate upgrade of both Barracuda and Octopus is strongly recommended\n to benefit from these fixes and avoid potential issues.\n\n@=> Important Fixes\n\n * Add _elevenValidatorPatch to fix Drupal 11 CMS distro fatal error\n * Fix typo in --with-avif for PHP 8.1+ — fixes #1881\n * Removing all .drush.inc files only in Drupal 11 -- fixes #1885 and #5\n\n@=> Changes\n\n * Back to non-phar drush8 to restore PHP-CLI live PHP switch capability\n\n@=> Upgrades\n\n * Drush 8.5.0.4 classic\n * Unbound 1.23.1\n\n\n###\n### Stable BOA-5.7.11-pro - Full Edition\n### Date: Fri Jul 25 06:53:03 PM BST 2025 in London\n### Welcome Drupal 11—Ægir Mission Impossible—Again!\n###\n\n@=> New BOA-5.7.11 PRO Release\n\n Drupal 11 with Ægir 3: They Said It Couldn’t Be Done — We Did It Anyway\n\n The future of Drupal hosting is here! With BOA-5.7.11 PRO, we proudly deliver\n what many thought impossible—full Drupal 11 support integrated with Ægir 3.\n\n This groundbreaking feature not only pushes the boundaries of what the BOA\n can achieve but also reaffirms our commitment to staying ahead of the curve\n for modern Drupal deployments.\n\n This release marks a major milestone: for the first time, BOA users can\n seamlessly install, manage, and scale Drupal 11 sites with all the automation,\n performance, and reliability you’ve come to expect.\n\n Powered by Percona 8 and fine-tuned to leverage the latest innovations\n across the stack, this update sets a new standard for hosting next-generation\n Drupal applications while continuing to fully support legacy Drupal versions,\n ensuring smooth operations for every site in your ecosystem, old or new.\n\n We are thrilled to introduce BOA-5.7.11 PRO, our 5th release under the\n new branch structure and dual licensing model. It merges seven months of\n intense development from the DEV branch, delivering over 340 commits packed\n with powerful features, critical fixes, and enhancements.\n\n Thank you to everyone who supports our work by purchasing a BOA PRO license:\n https://omega8.cc/boapro.\n\n As always, this announcement highlights only the most impactful changes.\n For a full breakdown, explore the complete commit history.\n\n@=> New Features\n\n * Drupal 11 support (requires Percona 8)\n * Install or update CiviCRM CLI Tool phar\n * MultiCore Apache Solr 9 support\n * Use Valkey and drop Redis support\n * Write usage reports also to ~/static/usage/\n\n@=> Improvements\n\n * Add _mysql_high_load procedure\n * Add --with-avif to compatible PHP versions 8.1+\n * Add check for downloaded dehydrated script integrity\n * Add fstab helper for Linode Volumes\n * Add mysql root password reset helper\n * Allow to force symlinks mode with empty /data/conf/force_symlinks.conf\n * Drupal 10+ core patches files are no longer added to codebase\n * Drupal 11 site installation details including admin pwd in the task log\n * Drupal 11 site is installed via site-platform-local Drush\n * Improve _PHP_CLI detection, also from static/control/cli.info\n * Improve permissions fix to include parent dir if app root != web root\n * Local Drush locking/unlocking no longer adds control files in codebase\n * Lock Local Drush and Symfony Console Input/Style in daily.sh\n * Lock/Unlock Local Drush is more reliable with both Provision and bash\n * More robust support for real IP detection behind vaious proxies\n * Symfony Console Input/Style locking more reliable with live diff/patch\n * Use faster SQL auto-healing for Too many connections\n * Use older CSF/LFD for legacy systems\n * Use queue.redis_reliable but only for core D8 to D10\n\n@=> Changes\n\n * Always use system Drush 8 PHAR instead of Ægir local Drush\n * Install System Drush 8 as PHAR (self-contained)\n * Mark Apache Solr 4 with Jetty 9 as (deprecated)\n * Solr is no longer included via ALL keyword in the _XTRAS_LIST\n\n@=> Upgrades\n\n * CSF 14.24\n * cURL 8.14.1\n * dehydrated 0.7.3\n * Drush 8.5.0.4\n * MultiCore Apache Solr 9.8.1\n * Nginx 1.29.0\n * OpenSSH 10.0p2\n * OpenSSL 3.4.2\n * PHP 8.1.33\n * PHP 8.2.29\n * PHP 8.3.23\n * PHP 8.4.10\n * Valkey 7.2.10\n\n@=> Important Fixes\n\n * Allow LE with HTTP Basic Auth fixed by Naurisr in #1790\n * Remove too aggressive bots protection on /civicrm URLs\n\n@=> Drupal platforms available for installation -- docs/PLATFORMS.md\n\n\t## Drupal 11\n\n\tCK3 - [Commerce v.3] with core (11.2.2)\n\tDE2 - [Drupal 11.2.2]\n\tSCR - [Sector 11.0.x-dev] with core (11.2.0)\n\tTHR - [Thunder 8.2.1] with core (11.2.2)\n\n\t## Drupal 10\n\n\tCK2 - [Commerce v.2] with core (10.1.8)\n\tDX0 - [Drupal 10.0.11]\n\tDX1 - [Drupal 10.1.8]\n\tDX2 - [Drupal 10.2.12]\n\tDX3 - [Drupal 10.3.14]\n\tDX4 - [Drupal 10.4.8]\n\tDX5 - [Drupal 10.5.1]\n\tDXP - [DXPR Marketing 10.3.0] with core (10.3.6)\n\tEZC - [EzContent 2.2.15] with core (10.3.6)\n\tFOS - [farmOS 3.3.1] with core (10.3.6)\n\tLGV - [LocalGov 3.1.3] with core (10.5.1)\n\tOCS - [OpenCulturas 2.2.1] with core (10.3.6)\n\tOFD - [OpenFed 12.2.4] with core (10.2.10)\n\tSOC - [Social 12.4.5] with core (10.2.10)\n\tVBX - [Varbase 10.0.6] with core (10.5.1)\n\tVB9 - [Varbase 9.1.10] with core (10.5.1)\n\n\t## Drupal 9\n\n\tDL9 - [Drupal 9.5.11]\n\tOLS - [OpenLucius 2.0.0] with core (9.5.11)\n\tOPG - [Opigno LMS 3.1.0] with core (9.5.11)\n\n\t## Drupal 7\n\n\tCK1 - [Commerce v.1] with core (7.103.1)\n\tDL7 - [Drupal 7.103.1]\n\tUC7 - [Ubercart 3.13] with core (7.103.1)\n\n\t## Drupal 6\n\n\tDL6 - [Pressflow 6.60.1]\n\tUC6 - [Ubercart 2.15] with core (6.60.1)\n\n\n###\n### Stable BOA-5.6.0-pro - Full Edition\n### Date: Tue Dec 31 06:12:44 AM AEDT 2024 in Sydney\n### Happy New Year!\n###\n\n@=> New BOA-5.6.0 PRO Release – Happy New Year!\n\n We're thrilled to introduce BOA-5.6.0 PRO, our latest release and the fourth\n under our new branch structure and dual licensing model.\n\n This PRO release brings the project fully in sync with the DEV branch,\n which has been actively developed over the past two months, incorporating\n over 750 commits since BOA-5.5.0.\n\n We extend our heartfelt thanks to all of you who support our work\n by purchasing a BOA Pro license: https://omega8.cc/boapro.\n\n As always, this announcement covers only the most impactful new features,\n critical fixes, and enhancements. For a comprehensive list of all updates,\n please refer to the full commit history.\n\n@=> New Features\n\n * Active Sites Databases Backups are available in ~/static/files/dbackup/\n * Add experimental support for Cloudflare R2 Object Storage\n * Add mergecsf tool to join and de-duplicate legacy csf configuration\n * Add perftest tool to test hardware performance within VM\n * Add php-cli access for [grp:ltd-shell-more]\n * Add smtpgapps tool to install and configure msmtp on Devuan\n * Add support for all AWS S3 regions, including dual-stack endpoints\n * Add support for php-rebuild or php-reinstall on barracuda upgrade\n * Add support for separate /root/.deny.solr7.cnf and /root/.deny.jetty9.cnf\n * Add verifyvhostsdns tool to check all vhosts for aliases with invalid DNS\n * New Relic Integration for Drupal with Drush Compatibility (8, 12, 13)\n * PHP 8.4 is fully supported and installed by default\n * Remote System Backups use `global`, `data` and optional `custom` buckets\n\n * Completely New Backups! There is too much to cover, so please refer to\n our extensive new documentation pages for all details.\n\n This new feature is exclusive to BOA PRO and will not be ported to LTS.\n\n New PRO Backups for BOA SysAdmin:\n https://github.com/omega8cc/boa/tree/5.x-pro/docs/BACKUP_ROOT.md\n\n New PRO Backups for Octopus Lshell User:\n https://github.com/omega8cc/boa/tree/5.x-pro/docs/BACKUP_USER.md\n\n New PRO Backups Retention Policy Configuration:\n https://github.com/omega8cc/boa/tree/5.x-pro/docs/BACKUP_RETENTION.md\n\n New PRO Backups Supported Regions and Bucket Creation Guidelines:\n https://github.com/omega8cc/boa/tree/5.x-pro/docs/BACKUP_REGIONS.md\n\n\n@=> Improvements\n\n * Add _backup_waiting_notify to make admin aware of the backup status\n * Add _csf_lfd_gateway_allow()\n * Add _linode_vm_postinstall()\n * Add _turn_off_apparmor unless /root/.keep_apparmor_on.cnf\n * Add /etc/cron.hourly/systemtime\n * Add auto-restore of backup_schedule\n * Add boa info to all backup reports\n * Add cleanup for /var/lib/redis/ on OOM incident\n * Add d7security_client-7.x-1.3 to o_contrib_seven and Hostmaster\n * Add early aa-teardown on init to make sure that AppArmor is turned off\n * Add function to auto-repair incomplete backup sets\n * Add local Ægir Third Party Libraries\n * Add more checks to make sure that OpenSSL is fully up to date\n * Add support for /root/.turn.off.auto.update.cnf\n * Add support for cloudflare-dns-ssl-py.info and cloudflare-dns-ssl-sh.info\n * Add wkhtmltox_0.12.6.1-3 for Daedalus\n * Ægir Hostmaster: Log wget cron runs\n * Ægir Provision: Install local Drush automatically on platform verify and unlock\n * Always run dist-upgrade twice -- helps with slow access to Devuan servers\n * Configure backups --concurrency dynamically\n * Disable _if_start_screen with noscreen in the args\n * Disable backup_schedule on systems with too low free RAM\n * Do not install CSF until BOA installation is complete on Linode\n * Do not install csf/lfd on Linode early\n * Do not reinstall Duplicity unless /root/.force.duplicity.reinstall.cnf exists\n * Drupal 7 now supports and expects Trusted Host Patterns\n * Improve all wget/curl downloads with proper re-try logic\n * Improve and simplify _switch_php()\n * Improve sysctl.conf template\n * Improve tools/le/hooks/cloudflare logic\n * Install or upgrade csf/lfd monitoring early\n * Install wkhtmltopdf from packages first to get all dependencies\n * Integrate original _SKYNET_MODE docs/history\n * More fixes in the vdrush wrapper to support Drush 13\n * Move /data/disk/arch to global and /home to data backups\n * Move certain log scanners from the slow minute.sh to fast second.sh loop\n * Replace direct exec with _forward_to_shell in shell wrapper\n * Report also on newrelic-daemon and monagent versions in boa info\n * Run guest-water.sh right after CSF install or upgrade\n * Run orphaned duplicity processes cleanup separately\n * Sync _sql_busy_detection with max_connect_errors\n * Sync barracuda.cnf templates and docs\n * Sync sshd restart procedure across all scripts\n * Update barracuda config with missing vars if any\n * Update email template to remove confusing legacy details\n * Update xboa email templates\n * Use include/exclude instead of exclude/include logic\n * Use just one graceful csf restart on upgrade\n * Use newer, supported --copy-links option in Duplicity\n * Use noscreen in non-interactive scripts launched by parent scripts or cron\n * Waiting 8 minutes before attempting to run enforced post-install upgrade\n\n@=> Changes\n\n * Add docs/IPv6.md to explain why BOA disables IPv6 by default\n * Disable confusing hosting_client_send_welcome with non-working login link\n * Disable memory swap when running duplicity\n * Disable no longer supported GSSAPIAuthentication in SSH config\n * Disable performance_schema for Percona 5.7 but enable for 8.0+\n * Disable ssl_stapling and fix http2 directive\n * Do not auto-re-enable swap\n * Enforce Composer 2.8.2 (because 2.8.3+ breaks previously working builds)\n * Force sysctl.conf.mod-disable-ipv6\n * Introducing the New BOA Branching Scheme -- see docs/BRANCHES.md\n * Move /bin/websh to /opt/local/bin/websh\n * Newest Python should be installed only with barracuda or backup tools\n * Remove hosting_cron_use_backend.txt support\n * Remove no longer supported legacy _SCOUT_KEY\n * Remove no longer supported legacy HHVM\n * Set SOLR WAIT to 8s to speed up reboot and services restarts\n * The oldest NewRelic supported PHP version is 7.2\n * Update and Sync nice/renice logic for scripts and services\n * Update boa-mirrors-2024-12.txt\n * Updates for lshell.conf template\n * Use gzip to compress classic myslqdump backups\n * Use zero tolerance mode for SSH/FTP failed login attempts\n * Use zstd to compress mydumper sql backups\n * We have now doubled the disk space in all our hosted plans\n\n@=> Upgrades\n\n * Composer 2.8.2\n * cURL 8.11.1\n * Drupal 7.103.1\n * Drush 8.5.0.1\n * Duplicity 3.0.3.2\n * ionCube 14.0.0 (up to PHP 8.3)\n * New Relic 11.4.0.17\n * Nginx 1.27.3\n * OpenSSL 3.4.0\n * PHP 8.1.31\n * PHP 8.2.27\n * PHP 8.3.15\n * PHP 8.4.2\n * PHP APCu 5.1.24\n * PHP MCRYPT 1.0.7\n * Unbound 1.23.1\n * Use phpredis 4.3.0 with PHP 5.6\n * Use phpredis 6.1.0 for 7.4 and newer\n\n@=> Important Fixes\n\n * Ægir Hostmaster: Improve hosting_cron_queue reliability\n * Ægir Hostmaster: Unset variables at the end of the loop\n * Ægir Provision: Add backup mode ctrl file cleanup on clone and migrate\n * Ægir Provision: Add more supported compression variants\n * Ægir Provision: Do not confuse PDO and MySQLi conventions\n * Ægir Provision: Fix Drush 13 support by invoking vendor/drush/drush/drush.php\n * Ægir Provision: Follow symlinks to include all files in custom backup task only\n * Ægir Provision: Improve function revoke()\n * Ægir Provision: Prioritize '.tar.zst' as provision_backup_suffix\n * Ægir Provision: Use supported localhost in can_grant_privileges()\n * Allow _php_if_versions_cleanup_cnf if Master Ægir was not upgraded yet\n * Barracuda downgrade protection should not rely on key/barracuda_key.txt\n * Constant E_STRICT is deprecated in PHP 8.4\n * Disable shell wrapper on system stop/start early\n * Double check if /etc/init.d/nginx is really updated\n * Excessive email notifications due to DHCP error checks #1829\n * Final fixes in shell wrapper make it rock solid again\n * Fix and sync all apt options\n * Fix autoinit conflicting functions\n * Fix for --enable-redis-lzf also in _php_extensions_update()\n * Fix for counting symlinked files in resources usage monitoring\n * Fix for duplicate http2 in all vhosts on upgrade\n * Fix for platforms deployed using Manage with Git method\n * Fix for SFTP chroot by using external mode in Subsystem sftp\n * Fix the bug in the shell wrapper when composer is both a command and argument\n * Fix the logic for Devuan base-files update for Daedalus\n * Fix the logic in _ifnames_grub_check_sync()\n * Improve the http2/ssl_stapling logic\n * Legacy MCRYPT can’t be used with PHP 8.4\n * Make sure that both web and app root dirs are group writable\n * Make sure we add keys in a new line in xboa\n * More capabilities to satisfy complex composer tasks\n * Octopus downgrade protection should not rely on tools/key/octopus_key.txt\n * Patch hosting_cron.module automatically to make web cron 100% reliable\n * Remove duplicate ssl directives in all vhosts templates\n * Sync include/openssl extended check for latest version\n * Sync max allowed PHP-FPM versions running (11)\n * Sync maxBooleanClauses for new Solr cores to 4096\n * Sync PHP 8.3 precedence -- it's still default version\n * Use dash by default and limit the use of _forward_to_shell\n\n\n###\n### Stable BOA-5.5.0-pro - Full Edition\n### Date: Sat 26 Oct 2024 09:49:51 AM PDT in Santa Clara\n###\n\n@=> New BOA-5.5.0 PRO Release – Thank You for Your Support!\n\n We're thrilled to introduce BOA-5.5.0 PRO, our latest release and the third\n under our new branch structure and dual licensing model.\n\n This PRO release brings the project fully in sync with the DEV branch,\n which has been actively developed over the past several months, incorporating\n nearly 400 commits since BOA-5.4.0.\n\n BOA-5.5.0 PRO also comes equipped with 26 Ægir-ready platforms, supporting\n either Drupal core alone or various popular Drupal distributions—seven of\n which are new! These platforms include options like Commerce, DXPR Marketing,\n EzContent, farmOS, LocalGov, OpenCulturas, OpenFed, OpenLucius, Opigno LMS,\n Sector, Social, Thunder, Ubercart, and Varbase.\n\n We extend our heartfelt thanks to all of you who support our work\n by purchasing a BOA Pro license: https://omega8.cc/boapro.\n\n As always, this announcement covers only the most impactful new features,\n critical fixes, and enhancements. For a comprehensive list of all updates,\n please refer to the full commit history.\n\n@=> New Features\n\n * Added codebasecheck tool for codebase compatibility check with Percona 8.0\n * Added Drush 13 support by invoking vendor/drush/drush/drush.php directly\n * Added dedicated memorytuner (for testing for now)\n * Added mysqltuner5 and mysqltuner8\n * Added bash version scan_nginx.sh -- the Nginx DoS Guard\n * Added support for more granular load limits like 1.2 2.5 3.\n * Added support for non-standard /hdd mount point\n * Added support for /mnt/ paths in Drush\n * Added sqlclean and vhostcheck tools for root\n * SQL Adminer access moved to Octopus Ægir HTTPS vhost URL at /sqladmin\n * Added incident_email_report() feature to all monitor/check/ scripts\n * Allow SSH based access authorization to SQL Adminer at new /sqladmin/ URL\n * Added incident detection and email reporting for LE certs renewal failures\n * Added screen auto-start in boa, barracuda and octopus\n * Added support for Percona 8.4 LTS (for testing only, you should use 8.0)\n * Added support for Percona 8.3 (for testing only, you should use 8.0)\n * Added support for Percona 8.0 (production ready)\n\n@=> Improvements\n\n * Added _redis_cold_restart to mysql restart in the monitor/check/ scripts\n * Rewrite the code used to install many new Drupal distros in Octopus\n * Added Troubleshooting Docs in docs/FIXME.md (more entries soon)\n * Faster _sql_busy_detection() in the monitor/check/ scripts\n * Added _mysql_downgrade_protection() to avoid downgrade from Percona 8.0\n * Many improvements in the Nginx DoS Guard in the monitor/check/ scripts\n * Do not use fast firewall block unless /root/.instant.csf.block.cnf\n * Pause some new monitors sub-tasks during BOA upgrades and backups\n * Use underscore as prefix for all functions and camelCase vars\n * Block only relevant ports using the monitor/check/ scripts\n * Added docs on _NGINX_DOS_ variables\n * Added doc on PHP versions management — fixes #1807\n * Added separate docs/PHP-FPM.md and docs/DRUSH-CLI.md\n * Added docs on Importance of Keeping SKYNET Enabled in BOA\n * Added _CPU_TASK_RATIO to the CPU logic in auto-healing scripts\n * Display currently used GRUB config in boa info\n * Make the not_supported_virt() BOLD ENOUGH in boa info\n * Added WARNING if /root/.allow.any.virt.cnf exists in boa info\n * Display _DSK Usage for relevant partitions only in boa info\n * Improved _XSY System Uptime/Load/Kernel/Disk/Memory Report in boa info\n * Added Lshell version to boa info\n * Always attach basic boa info report to barracuda upgrade log/email\n * Improve check_php_rebuild() and add separate check_php_ssl_version()\n * Explained _INCIDENT_EMAIL_REPORT variable\n * Explained _SQL_MAX_TTL variable\n * Explained _SQL_LOW_MAX_TTL variable\n * Split big minute.sh into smaller auto-healing scripts\n * Added procedure to fix empty or missing .dhp files\n * Improved /root/.dont.use.fancy.bash.login.cnf logic\n * Improved the octopus upgrade email tpl\n * Added Key Services Uptime Report to boa info\n * Pretty large defunct code cleanup\n\n@=> Changes\n\n * Install python3-full packages\n * Duplicity: Remove Python 2 support and require OpenSSL 3\n * Remove restrictions for opcache_compile_file (Grav CMS support)\n * Removed legacy manage_ip_auth_access() for SQL Adminer access\n * PHP 8.3 is the new default version\n * Prefer system default Python3 for Lshell and src build for Duplicity\n * Always run ifnames_grub_check_sync in DEMO mode unless ctrl file exists\n * Remove chrony if preinstalled\n * PHP 8.1 is the max version supported on Stretch and Jessie\n * New Relic removed support for legacy PHP 7.0 and 7.1\n * Run _update_boa_tools only when new serial or pid key is detected\n * Redis extension 8.x-1.8.2 (with not needed db schema update reverted)\n * Disabled backboa install in auto mode\n * Allow all 7.x PHP versions on legacy (Debian) systems\n * Amazon EC2 No Longer Supported (system crashes, doesn't support Devuan)\n * Use legacy PHP 7.x by default on legacy Debian systems\n\n@=> Upgrades\n\n * Lshell 0.10\n * Composer 2.8.1\n * Unbound 1.21.1\n * OpenSSL 3.3.2\n * PHP 8.3.13\n * PHP 8.2.25\n * PHP 8.1.30\n * OpenSSH 9.9p1\n * Python 3.12.5 (for Duplicity)\n * cURL 8.10.1\n * Nginx 1.27.2\n * ionCube 13.3.1 (also for PHP 8.3)\n * MyQuick 0.16.7-3\n * CSF 14.21\n * Duplicity 3.0.2\n\n@=> Important Fixes\n\n * Fix PATH in the websh wrapper (fixes git and OpenSSL issues)\n * Fix for _PHP_FPM_TIMEOUT logic\n * Remove apt-listchanges on Debian (for legacy systems with broken debconf)\n * Improve _if_fix_python() procedure logic\n * Fix the logic for _update_boa_tools on init\n * Do not remove usage.sh — fixes #1824\n * Add cleanup for exclude.tag (could result with no files on clone)\n * Do not restart sshd every minute\n * Do not reload nginx every few minutes by default\n * cURL version upgrade should happen only with barracuda upgrade\n * Fix for too broad cleanup in /var/xdrago/log/\n * Ignore all dynamic requests related to css/js while they are generated\n * Do not log redirects (Nginx)\n * Inconsistent checks for SSL version in check_php_rebuild — fixes #1815\n * Use _CURL_VRN=7.50.1 for Wheezy compatibility\n * Use separate log for mysql notices — fixes #1805\n * Add built-in /run/unbound setup — fixes #1804\n * Percona 5.7 still depends on legacy packages naming — fixes #1808\n * Compatibility with legacy Python 3.5\n\n@=> Drupal platforms available for installation -- docs/PLATFORMS.md\n\n * Commerce Kickstart 2.77 (7.101.1)\n * Commerce Base 2.40 (10.1.8)\n * Commerce Kickstart 3.0.0 (10.3.6)\n * DXPR Marketing 10.3.0 (10.3.6)\n * EzContent 2.2.15 (10.3.6)\n * farmOS 3.3.1 (10.3.6)\n * LocalGov 3.0.11 (10.3.6)\n * OpenCulturas 2.2.1 (10.3.6)\n * OpenFed 12.2.4 (10.2.10)\n * OpenLucius 2.0.0 (9.5.11)\n * Opigno LMS 3.1.0 (9.5.11)\n * Sector 10.0.0-rc5 (10.2.10)\n * Social 12.4.5 (10.2.10)\n * Thunder 7.3.7 (10.3.6)\n * Ubercart 2.15 (6.60.1)\n * Ubercart 3.13 (7.101.1)\n * Varbase 9.1.6 (10.3.6)\n * Varbase 10.0.2 (10.3.6)\n * Pressflow 6.60.1 (core only)\n * Drupal 7.101.1 (core only)\n * Drupal 9.5.11 (core only)\n * Drupal 10.0.11 (core only)\n * Drupal 10.1.8 (core only)\n * Drupal 10.2.10 (core only)\n * Drupal 10.3.6 (core only)\n * Drupal 10.4.x-dev (core only)\n\n\n###\n### Stable BOA-5.4.0-pro - Full Edition\n### Date: Wed 14 Aug 2024 06:24:03 AM AEST in Sydney\n###\n\n@=> New BOA PRO Release & Comparison with LTS and DEV Branches\n\n We are excited to announce the release of BOA-5.4.0 PRO and BOA-5.4.0 LTS,\n marking the second release under our new branch structure and dual licensing\n model, which began with BOA-5.2.0.\n\n These new PRO and LTS versions bring the project fully up to date with the\n DEV branch, which has been actively developed over the past several months.\n\n As always, this announcement highlights only the most significant new features,\n critical fixes, and improvements. For a detailed list of all changes,\n please refer to the commit history.\n\n@=> New Features\n\n * Simplify and speed up BOA install/upgrades -- please check all details in\n the updated and greatly improved documentation:\n\n docs/INSTALL.md\n docs/UPGRADE.md\n docs/SELFUPGRADE.md\n docs/MAJORUPGRADE.md\n\n * AppArmor BOA integration for more strict system protection (needs docs)\n * Barracuda install without Octopus is now possible -- docs/INSTALL.md\n * Enable instant php-cli version switch for Ægir backend -- docs/DRUSH.md\n * Improve Ruby Gems and Node/NPM security and speed x3 -- docs/GEM.md\n * Let's Encrypt for Ægir Hostmaster installed automatically -- docs/SSL.md\n * Let's Encrypt Live Mode is enabled by default -- docs/SSL.md\n * Add three manual backup modes in Ægir (incomplete feature at the moment)\n * New Relic support with Octopus/Platform/Site Config -- docs/NEWRELIC.md\n * Restore _AEGIR_UPGRADE_ONLY {aegir} as supported barracuda upgrade mode\n * Restore {aegir|platforms|both} as supported octopus upgrade modes\n * Security Considerations for Multi-Ægir Systems -- docs/SECURITY.md\n * Use /root/.deny.clamav.cnf to auto-disable clamav if installed\n * Use /root/.deny.java.cnf to auto-disable Solr and Jetty if not used\n\n * Drush 12 in Ægir Tasks: Dynamically Utilize Site-Local Drush for\n the updatedb Operations on Drupal 10+ (needs docs).\n\n For now here is a brief explanation on how it works:\n\n # Both Migrate and Clone tasks in Ægir by default run the updatedb\n with Ægir own Drush 8 in the final deploy internal procedure.\n\n # This may cause unexpected issues in Drupal 10 and newer versions, so\n we have added a switch which allows you to tell Ægir to skip running\n `updatedb` on Drupal 10+ -- either globally with empty control file\n ~/static/control/DisAutoUpDb.info or per site with empty control file\n ~/static/control/sitename_DisAutoUpDb.info where `sitename` is the site\n main domain name used in its Drush alias. You could then unlock the\n Site-Local Drush and run it manually with `vdrush` in the platform\n app root (not web root) to better control what happens on `updatedb`\n using command: `vdrush @site-alias updatedb`\n\n # Automatic mode does it even better for Drupal 10+ Here's how it works,\n given no control file listed above exists:\n\n 1. Platform Verify task locks Site-Local Drush and patches Drupal core.\n\n 2. If the site is migrated to different platform or cloned to different\n platform, Ægir will check if **both old and new** platforms have\n the Site-Local Drush in their codebases.\n\n 3. If Site-Local Drush is detected in both platforms Ægir will unlock\n Drush in both platforms, will also revert the Drupal core patch it\n normally needs to use its own Drush 8.\n\n 4. Now Ægir will run the Site-Local Drush for `updatedb` command and\n will report all details in the task log in the admin interface.\n\n 5. Once the `updatedb` is complete, Ægir will automatically apply\n the Drupal core patch again and will lock Site-Local Drush, so you\n could run any other tasks in the control panel as usual. Magic!\n\n@=> Drupal platforms available for installation -- docs/PLATFORMS.md\n\n * Drupal 10.4.x-dev\n * Drupal 10.3.1\n * Drupal 10.2.7\n * Drupal 10.1.8\n * Drupal 10.0.11\n * Social 12.4.2 (10.2.6)\n * Thunder 7.3.0 (10.3.1)\n * Varbase 10.0.0 (10.3.1)\n * Varbase 9.1.3 (10.2.6)\n\n * Drupal 9.5.11\n * OpenLucius 2.0.0 (9.5.11)\n * Opigno LMS 3.1.0 (9.5.11)\n\n * Commerce 1.72\n * Commerce 2.77\n * Drupal 7.101.1\n * Ubercart 3.13\n\n * Pressflow 6.60.1\n * Ubercart 2.15\n\n@=> Improvements\n\n * Add better protection from duplicate sql tasks\n * Improve Ægir tasks messages to identify new improvements in the backend\n * Update Drush 10+ aliases on the fly within Ægir deploy procedure\n * Add BOA Roadmap & Progress Update in ROADMAP.md\n * Add bring_all_ram_cpu_online\n * Add CSF self-update debugging log in /var/backups/csf/water/\n * Add Dual License and BOA Branches Explained in DUALLICENSE.md\n * Add INI (platform level) docs in docs/ini/platform/INI.md\n * Add INI (site level) docs in docs/ini/site/INI.md\n * Add killer script for hanging apt-get update\n * Add support for /root/.force.queue.runner.cnf\n * Add switch_to_bash_in_octopus\n * Detect and remove stale pid faster\n * Display also system-manufacturer in the welcome messages and reports\n * Do not lower proc nice on init and major OS upgrades\n * Do not restart slow starting services during major OS upgrade\n * Execute post-install octopus auto-upgrade on boa and octopus install\n * Explain how upgrades affect BOA special shell wrapper\n * Improve and simplify is_logged_in early check in global.inc\n * Improve rsyslog to use separate log files for cron, mail, lfd, iptables\n * Limit noise printed in the console\n * Protect csf.allow from removing custom entries\n * Rewrite and improve all BOA project docs to use Markdown\n * Rewrite and improve the main README.md\n * Simplify upgrade docs\n * Turn Off AppArmor while running octopus\n * Update tests for Amazon EC2 environment detection\n * Use `drush11 aliases` or `drush11 sa` for Drupal 8+ core and PHP 8.2+\n * Use new `fancynow` welcome screen only for interactive root sessions\n * Nginx: Sync js/css aggregation support\n * Nginx: Sync static files regex\n\n@=> Changes and Upgrades\n\n * Add compatibility with Redis 8.x-1.7.1\n * Add igbinary support to PHP 5.6\n * Add recommended security and privacy HTTP headers in Nginx config\n * Add required now $settings['state_cache'] = TRUE; in global.inc\n * Adjust patches and PHP versions\n * AdvAgg is no longer added to D8+ o_contrib\n * Barracuda upgrade after boa install is now automated\n * Build OpenSSH from sources by default\n * cURL 8.9.1\n * Disable man-db/auto-update to speed up also autoinit and boa install\n * Duplicity 3.0.0\n * Force mysql root password update on barracuda upgrade\n * Git 2.45.2\n * Image Optimize toolkit binaries are now included by default\n * Install Python 3.12.4 for Duplicity\n * ionCube 13.0.4\n * Launch daily.sh automatically after barracuda upgrade\n * Lshell 0.9.18.10\n * MySecureShell master-29-06-2024\n * New Relic 19.9.9.93\n * New Relic no longer supports PHP 5.6\n * Nginx 1.27.0\n * Nginx: http2 is now a separate directive\n * OpenSSL 3.0.14 LTS\n * Re-enable cleanup for GHOST distros revisions\n * Remove /etc/apt/preferences\n * Remove cloud-utils if detected\n * Remove legacy i386/x32 support\n * Remove no longer supported MariaDB code\n * Remove not used mysql_hourly.sh\n * Removing old boa-init no longer needed after introducing fast autoinit\n * Removing systemd cleanup from boa, now handled by the fast autoinit\n * Replace mail with s-nail\n * Replace pdnsd with unbound\n * Restrict also find/scp to prevent lshell escape\n * Upgrade to openjdk 11.0.24\n * Use /etc/ssh for OpenSSH built from sources (no new server keys, finally)\n * Use maximum compatible PhpRedis versions for legacy PHP\n * Use PermitRootLogin prohibit-password\n * We no longer allow to install BOA on Debian to avoid confusion\n * We no longer override server sshd keys to avoid confusion\n * Nginx: Remove the legacy X-XSS-Protection header\n * Nginx: block bytedance and PetalBot aggressive crawlers\n\n@=> Important Fixes\n\n * Add python3.5 compatibility for Stretch\n * Add second cron entry for critically important /var/xdrago/clear.sh\n * Add support for legacy python3.4\n * Always copy hostmaster LE cert to /etc/ssl/private/ if just updated\n * Avoid any AppArmor code on legacy Debian systems\n * Bash 5.2 compatibility\n * Detect broken GIT early and reinstall from sources\n * Do not install PHP 8.2 8.3 with _OPENSSL_EOL_VRN and _OPENSSL_LEGACY_VRN\n * Do not use --with-http_v3_module for Nginx on legacy systems\n * Do not use --with-imap for PHP on Jessie\n * Do not use --with-imap for PHP on major upgrade on any OS\n * Do not use --with-sodium for PHP on Jessie\n * Fix confusing ICU logic\n * Fix for ignored nofile limits\n * Fix for iptables paths backward compatibility\n * Fix for non-blocking ntpdate\n * Fix New Relic APT config\n * Fix Percona apt config logic\n * Fix platforms symlinking in the limited shell account\n * Fix Pure-FTPD install and config\n * Force crontab update on major OS upgrade\n * Improve resolvconf auto-config\n * Let's Encrypt actually supports wildcard names already\n * Make sure that _PHP_SINGLE_INSTALL exists before disabling other versions\n * Modernize Percona keys logic\n * Nginx: Sync http2 in legacy tpl\n * Remove blocking cnf file if php-max is used\n * Show PHP patch results on _DEBUG_MODE=YES\n * Sync for python3.11\n * Sync PHP extensions existence check directly, not just via ctrl files\n * Sync PhpRedis build options with versions compatibility\n * Sync with python3.9\n * Update wkhtmltopdf versions logic\n * Use cURL 7.71.1 on Jessie\n * Use cURL 8.2.1 on Stretch\n * Use OpenSSH 8.3p1 on Jessie\n * Use OpenSSH 9.3p1 on Stretch\n * Use OpenSSL 1.0.2u on Jessie\n * Use OpenSSL 1.1.1w on Stretch\n * Fix for composer.json and composer.lock protection\n\n\n###\n### Stable BOA-5.3.0-pro - Full Edition\n### Date: Mon 12 Aug 2024 05:33:46 AM AEST in Sydney\n###\n\n@=> New BOA LTS Release & Comparison with PRO and DEV Branches\n\n We are excited to announce the release of the latest BOA LTS version,\n marking the first LTS release since the introduction of our new branch\n structure and dual licensing model, which began with the BOA-5.2.0 release.\n\n This LTS version brings the project up to date with BOA-5.3.0-pro, which\n has been available for several months. Both BOA-5.3.0-pro and BOA-5.3.0-lts\n are officially released today.\n\n Looking ahead, BOA-5.4.0-pro will be released within the next 48 hours,\n incorporating all recent developments from the DEV branch.\n\n Please note that the project README and documentation displayed on GitHub\n by default apply primarily to the BOA DEV branch, and shortly to BOA PRO.\n These do not cover BOA LTS. If you are working with the LTS version, ensure\n you switch to the appropriate branch to access legacy documentation\n relevant to BOA LTS.\n\n As always, we highlight only the most critical fixes and improvements in\n this announcement. For a comprehensive list of changes, please refer to\n the commit history.\n\n@=> New Features\n\n * PHP 8.3 Support\n\n * Update sFTP password and password expiration date with temporary pid file\n ~/static/control/run-sftp-password-update.pid\n Now the main Octopus limited shell user can easily self-update password\n based access if still has working SSH keys but lost working password.\n New password will be written to ~/static/control/new-USER-password.txt\n\n * Add boa cleanup {detect|purge} {user|batch} to automate Octopus instances\n cleanup. Requires existence of /data/disk/USER/log/CANCELLED file and\n no vhosts existing in /data/disk/USER/config/server_master/nginx/vhost.d/\n It will archive only config files and delete everything else, but will not\n delete any databases nor db users (yet).\n\n@=> Improvements\n\n * Add ltd-shell account client access to moved sites files in static/files\n * Always install legacy OpenSSL first and force new on upgrade\n * Disable man-db/auto-update to speed up barracuda upgrades\n * MySQL: Disable performance_schema by default\n * MySQL: Do not run mysql_cleanup.sh on servers with >100 dbs\n * Nginx DoS-Guard: Add ignore_admin to protect site admin activity\n * Nginx DoS-Guard: Catch typical hack probe requests early\n * Nginx DoS-Guard: Detect and block ‘unknown’ IPs requests\n * Nginx DoS-Guard: Track and block 500/403/404 flood\n * Prepare for but do not enable http3/quic yet\n * Use cold solr7 restart only on barracuda upgrade\n\n@=> Changes and Upgrades\n\n * Build PHP --with-bz2\n * Build Redis with --enable-redis-lzf --enable-redis-igbinary\n * Composer 2.7.7\n * cURL 8.7.1\n * Drupal 7.101.1\n * Enable ClassicTrack for Ægir tasks by default\n * ionCube 13.0.2\n * Nginx 1.26.0\n * OpenSSH 9.8p1\n * OpenSSL LTS with 3.0.13 (new default version)\n * PHP 8.1.29\n * PHP 8.2.22\n * PHP 8.3.10\n * PHP APCu 5.1.23\n * PHP igbinary 3.2.15\n * PHP imagick 3.7.0\n * Ruby 3.3.4\n * Use _USE_FPM=1024 as minimum\n * Use phpredis 6.0.2 for 7.2 and newer\n\n@=> Important Fixes\n\n * Add clamd/freshclam to auto-healing\n * Add cleanup for ctrl files blocking PHP upgrade\n * Always check if all /var/xdrago/* scripts are present or force update\n * Always install openjdk-11-jre-headless\n * Fix for vdrush @site updb in Drush 12\n * Fix protection from duplicate sql backups\n * Legacy PHP versions require legacy OpenSSL version\n * More protection from race conditions in auto-healing\n * Remove old auto-healing pids if detected\n * Restore ULIMIT in nginx init.d\n * Sync autoupboa cron to not collide with sql backups\n * The adduser no longer automates —home\n * Use only php-fpm reload instead of start on upgrade\n * Use PHP 7.4 in run_drush8_cmd if available\n\n\n###\n### Stable BOA-5.2.0 - Full Edition\n### Date: Wed 03 Apr 2024 02:11:56 PM CEST in Warsaw\n###\n\n@=> Notes on new available BOA branches and licenses\n\n BOA is available in three main branches, but only LTS for installation:\n\n * LTS which remains completely free to use without any kind of license\n as it was from the beginning (previously named HEAD or STABLE).\n This branch should be considered as BOA LTS with slow updates, focused\n on both security and bug fixes, but very limited new features additions.\n\n * DEV which requires paid license for both install and upgrade and includes\n the latest features, security and bug fixes and installed services versions.\n This branch shouldn't be used in production without extensive testing.\n\n * PRO which requires paid license and is available only as an upgrade\n from either LTS or DEV (or previous HEAD/STABLE) is the branch with regular\n monthly or bi-monthly releases, closely following tested DEV branch.\n\n Once you install BOA LTS and want to upgrade to PRO with license obtained\n from https://omega8.cc/licenses you will need to use up-pro command.\n\n Once you install BOA LTS or PRO and want to upgrade to DEV with license\n from https://omega8.cc/licenses you will need to use up-dev command.\n\n Old commands using in-head, in-stable, up-head and up-stable no longer work\n to avoid confusion and have been replaced with in-lts and up-lts in all\n installation and upgrade scripts.\n\n Please make sure to read updated docs/INSTALL.txt and docs/UPGRADE.txt\n\n@=> New Features\n\n * Add autodaedalus tool for easy automated major system upgrades\n * Add Linux Containers (LXC) guest as supported (tested only by others)\n * Add mysql_cleanup running hourly to keep known caches overhead at minimum\n * Add OpenVZ Containers guest as supported (tested only by others)\n * Add support for ~/static/control/disable_user_register_protection.info\n * Add support for du command in limited shell with /root/.allow.du.cnf\n * Debian Bookworm and Devuan Daedalus support (needs further testing)\n * Full Drupal 10.2 support for install and upgrades from Drupal 9 and 10\n\n@=> Improvements\n\n * Add control/enable-drush-sa.info for native drush sa command\n * Add hyperv qemu and kvm aws as supported\n * Add ltd-shell alias vdrush:vendor/bin/drush\n * Do not enforce newrelic_background_job(FALSE)\n * Document BOA planned features in the ROADMAP.txt\n * Document Drush usage in docs/DRUSH.txt\n * Make it clear that only Devuan Chimaera should be used in production\n * New Relic: Separate Web and Drush stats\n * Purge firewall deny rules before reboot for faster system restart\n * README rewrite and improvements\n\n@=> Changes and Upgrades\n\n * Ægir D10 Platforms: 3x Drupal core 10.0.11\n * Ægir D10 Platforms: 3x Drupal core 10.1.8\n * Ægir D10 Platforms: 3x Drupal core 10.2.4\n * Ægir D10 Platforms: Social 12.2.2 with core 10.2.4\n * Ægir D10 Platforms: Thunder 7.2.0 with core 10.2.4\n * Ægir D10 Platforms: Varbase 9.1.1 with core 10.2.4\n * Disable support for several built-in legacy D7 distros\n * Do not enable /root/.fast.cron.cnf by default\n * Drush 8.4.12.9\n * Nginx 1.24.0\n * Nginx: update ssl_ciphers remove 4 weak but leave 2 to support Safari 6-8\n * OpenSSH 9.7p1\n * OpenSSL LTS with 3.0.13 (prepare, optional)\n * PHP 8.1.27\n * PHP 8.2.17\n * Redis 7.0.15\n * Remove legacy Ubuntu support\n\n@=> Important Fixes\n\n * Always revert to iptables-legacy from nf_tables\n * Fix for broken cURL self-healing\n * Fix for cURL/libcurl version conflict\n * Force Nginx cold restart if status is locked\n * Improve auto-healing for duplicate move_sql and mysql_backup\n * Improve downgrade_protection\n * Revert \"Sync /etc/security/limits.conf\"\n * Update Drush yml sites aliases also for Ægir system user\n\n\n###\n### Stable BOA-5.1.0 - Full Edition\n### Date: Sat 04 Nov 2023 03:26:41 PM CET in Warsaw\n###\n### Documenting details in progress...\n###\n\n@=> New Features\n\n * Automatically detect and add known web-root dir names on Add New Platform\n * Lock Drush in any platform with Ægir task: Verify + Lock Drush\n * Manage pid files in platforms web-root for Drush Lock/Unlock status\n * Unlock Drush in any platform with new Ægir task: Unlock Local Drush\n\n@=> Improvements\n\n * Document ~/static/control/FastTrack.info in docs/FASTTRACK.txt\n * Improve BOA forks compatibility with standalone Ægir paths\n * Improve tasks labels in the Ægir control panel\n * Use Ægir backend built-in chmod for Unlock Drush w/o external scripts\n\n@=> Changes and Upgrades\n\n * Ægir D10 Platforms: 3x Drupal core 10.1.6\n * Ægir D10 Platforms: Social 12.0.0-rc3 with core 10.0.11\n * Ægir D10 Platforms: Thunder 7.1.2 with core 10.1.6\n * Ægir D10 Platforms: Varbase 9.0.16 with core 10.1.6\n * Enable hosting_site_backup_manager Ægir extension by default again\n * Fix permissions and ownership on every Platform Verify for Drupal 8/9/10\n * OpenSSL 3.1.4\n * PHP 8.1.25\n * PHP 8.2.12\n\n@=> Important Fixes\n\n * Added missing web-root paths in built-in platforms for Drupal 9/10\n * Fix the ability to rename existing platforms in the Ægir control panel\n * Multiple fixes for built-in permissions and ownership Ægir scripts\n\n\n###\n### Stable BOA-5.0.0 - Full Edition\n### Date: Thu 26 Oct 2023 09:55:22 PM CEST in Warsaw\n###\n### Documenting details in progress...\n###\n\n@=> New Features\n\n * Add support for verbose Drush like 'drush -vvv @site status'\n * Ægir in BOA is now fully compatible with PHP 8.1 and 8.2\n * Do not purge cache tables listed in /root/.my.cache.exceptions.cnf\n * Drupal 10 is fully supported (needs docs)\n * Drupal 10 platforms available: Thunder, Varbase, Drupal 10.1 and 10.0\n * Make system reboot much faster, also with 'boa reboot' command\n * OpenSSL 3.x optional/test support with /root/.install.modern.openssl.cnf\n\n@=> Improvements\n\n * Always install latest Composer on barracuda upgrade\n * Enable ~/static/control/FastTrack.info by default (needs docs)\n * Minimize services downtime on upgrade using soft reload only if possible\n * Site Local Drush is no longer removed on platform Verify (only locked)\n * Use 'barracuda php-idle disable' to speed up major upgrades\n\n@=> Changes and Upgrades\n\n * Ægir D10 Platforms: 3x Drupal core 10.0.11\n * Ægir D10 Platforms: 3x Drupal core 10.1.5\n * Ægir D10 Platforms: Thunder 7.1.2 with core 10.1.5\n * Ægir D10 Platforms: Varbase 9.0.16 with core 10.1.5\n * Ægir D7 Platforms: Commerce 1.72 with core 7.98.1\n * Ægir D7 Platforms: Commerce 2.77 with core 7.98.1\n * Ægir D7 Platforms: Guardr 2.57 with core 7.98.1\n * Ægir D7 Platforms: OpenOutreach 1.69 with core 7.98.1\n * Ægir D7 Platforms: Opigno LMS 1.59 with core 7.98.1\n * Ægir D7 Platforms: Panopoly 1.92 with core 7.98.1\n * Ægir D7 Platforms: Ubercart 3.13 with core 7.98.1\n * Ægir D9 Platforms: 3x Drupal 9.5.11\n * Ægir D9 Platforms: OpenLucius 2.0.0 with core 9.5.11\n * Ægir D9 Platforms: Opigno LMS 3.1.0 with core 9.5.11\n * Ægir D9 Platforms: Social 11.9.14 with core 9.5.11\n * BOA requires at least PHP 7.4 or newer as default version\n * Change redis_perm_ttl from 6h to 24h\n * Do not inlcude advagg/cdn in o_contrib_eight\n * Drupal 10: add minimum patch for core\n * Drupal 10: disable not working yet welcome email on install\n * Drupal 10: fix compatibility and add missing code in Drush 8\n * Drupal 10: lock vendor/drush\n * Drupal 10: lock vendor/symfony/console/Input\n * Drupal 10: replace psr/log in core with Drush 8 version\n * Drush Launcher is not supported anymore so removed\n * Enable /root/.fast.cron.cnf by default (needs docs)\n * Remove confusing -bin suffix from Drush 10+ (needs docs)\n * Set _PURGE_BACKUPS default to 14 or 7 on hosted BOA\n * Set Composer Install Support in Ægir Backend as disabled by default\n * The redis_use_modern is no longer optional in the INI files\n * Update vendor code in the Ægir backend / Provision\n * Use _STRONG_PASSWORDS=YES by default\n * Use _USE_MYSQLTUNER=NO by default\n\n@=> Important Fixes\n\n * Do not enable redis on D7/D6 automatically, it works anyway\n * Fast DNS Cache Server (pdnsd) install is no longer optional since 2014 (!)\n * Fix for hosting_cron_queue() with ADV_CRON_MAX_PLL logic\n * Make sure that expired password will not hang backend task\n * Nginx: Add missing no-cache checks from @cache to @drupal\n * Nginx: Move exceptions to the /index.php location\n * Nginx: The css/js aggregation logic has changed in Drupal 10.1\n\n\n###\n### Cutting Edge BOA-5.0.0-dev - Initial Edition\n### Date: Sat 06 May 2023 08:42:31 AM EEST in Kyiv\n### Слава Україні!\n###\n### Documenting details in progress...\n###\n\n@=> New Features\n\n * Add 'barracuda php-idle disable/enable' (needs docs)\n * Automatic BOA System Major Upgrade Tool -- see docs/UPGRADE.txt\n * Debian Bullseye and Buster support\n * Devuan Chimaera and Beowulf support (systemd-free Debian alternative)\n * Make Composer running with PHP defined in ~/static/control/cli.info\n * Make PHP-CLI for Composer and Drush configurable on the fly (needs docs)\n * New multi-step BOA install procedure -- see docs/INSTALL.txt\n * PHP 8.2 support\n\n@=> Major Improvements\n\n * Barracuda first upgrade after boa install no longer requires reboot\n * Use all available CPU cores for much faster PHP, Nginx, OpenSSL etc builds\n\n@=> Important Changes\n\n * BOA requires the classic network interface naming convention (needs docs)\n * Disable all nightly codebase cleanup procedures\n * Nginx: Add PATCH to allowed $request_method list\n * Nginx: Remove deprecated upload_progress support\n * Remove AdvAgg and CDN from D9+ o_contrib\n * Rewrite the _PHP_MULTI_INSTALL cleanup to make it optional (needs docs)\n * Stop running any Drush operations on Drupal 8+ in daily.sh\n * Switch to Redis Server 7.x by default\n * The php-all should no longer include 7.3 and older versions (needs docs)\n * Ubuntu support is deprecated\n * Use php-max to install ALL nine (9) PHP versions (needs docs)\n\n@=> Important Fixes\n\n * Discover the system IPv4 once and store in a file\n * Fix several issues with ~/static/control/MyQuick.info logic\n * Maintain csf.allow/ignore backup on serial update in /var/backups/csf/\n * Nginx: Fix protected access to /update.php\n * Nginx: Protect composer.json if exists in the Drupal web-root\n\n\n###\n### NEW BOA-4.2.0-stable - Full Edition\n### Date: Sat 06 May 2023 07:42:19 AM EEST in Ivano-Frankivsk\n### Слава Україні!\n###\n### Documenting details in progress...\n###\n\n@=> New Features\n\n * Add 'barracuda php-idle disable/enable' (needs docs)\n * Automatic BOA System Major Upgrade Tool -- see docs/UPGRADE.txt\n * Debian Bullseye and Buster support\n * Devuan Chimaera and Beowulf support (systemd-free Debian alternative)\n * Make Composer running with PHP defined in ~/static/control/cli.info\n * Make PHP-CLI for Composer and Drush configurable on the fly (needs docs)\n * New multi-step BOA install procedure -- see docs/INSTALL.txt\n * PHP 8.2 support\n\n@=> Major Improvements\n\n * Barracuda first upgrade after boa install no longer requires reboot\n * Use all available CPU cores for much faster PHP, Nginx, OpenSSL etc builds\n\n@=> Important Changes\n\n * BOA requires the classic network interface naming convention (needs docs)\n * Disable all nightly codebase cleanup procedures\n * Remove AdvAgg and CDN from D9+ o_contrib\n * Rewrite the _PHP_MULTI_INSTALL cleanup to make it optional (needs docs)\n * Stop running any Drush operations on Drupal 8+ in daily.sh\n * Switch to Redis Server 7.x by default\n * The php-all should no longer include 7.3 and older versions (needs docs)\n * Ubuntu support is deprecated\n * Use php-max to install ALL nine (9) PHP versions (needs docs)\n\n@=> Important Fixes\n\n * Discover the system IPv4 once and store in a file\n * Maintain csf.allow/ignore backup on serial update in /var/backups/csf/\n\n\n###\n### Stable BOA-4.1.4-rel - Full Edition\n### Date: Fri Dec 10 22:30:49 CET 2021 in Warsaw\n###\n### Documenting details in progress...\n###\n\n@=> New Features\n\n *\n *\n *\n\n@=> Major Improvements\n\n *\n *\n *\n\n@=> Important Changes\n\n *\n *\n *\n\n@=> Important Fixes\n\n *\n *\n *\n\n\n### Stable BOA-4.1.3 Release - Full Edition\n### Date: Thu Sep 24 18:51:49 CEST 2020\n### Milestone URL: https://github.com/omega8cc/boa/milestones/4.1.3\n\n# Release Notes:\n\n This BOA release is a second transitional release before switching to rolling\n release policy. Detailed changelog will follow.\n\n This BOA update provides latest PHP versions, system updates, including\n security fixes, many bug fixes, latest Ægir version ..but no Ægir platforms\n are installed by default anymore, unless their keywords are listed in the file\n\n ~/static/control/platforms.info (please read further below for details)\n\n TL;DR\n * Yes, blazing fast site clone/migrate mode is available even for giant sites!\n * Yes, BOA still supports Pressflow 6 (LTS version only!)\n * No, we no longer install any supported distros as platforms by default.\n\n@=> Super fast site cloning and migration mode (NEW!)\n\n It is now possible to enable blazing fast migrations and cloning even sites\n with complex and giant databases with this empty control file:\n\n ~/static/control/MyQuick.info\n\n By the way, how fast is the super-fast? It's faster than you would expect!\n We have seen it speeding up the clone and migrate tasks normally taking\n 1-2 hours to... even 3-6 minutes! Yes, that's how fast it's!\n\n This file, if exists, will enable a super fast per table and parallel DB\n dump and import, although without leaving a conventional complete database\n dump file in the site archive normally created by Ægir when you run\n not only the backup task, but also clone, migrate and delete tasks, hence\n also restore task will not work anymore.\n\n We need to emphasise this again: with this control file present all normally\n super slow tasks will become blazing fast, but at the cost of not keeping\n an archived complete database dump file in the archive of the site directory\n where it would be otherwise included.\n\n Of course the system still maintains nightly backups of all your sites\n using the new split sql dump archives, but with this control file present\n you won't be able to use restore task in Ægir, because the site archive\n won't include the database dump -- you can still find that sql dump split\n into per table files in the backups directory, though, in the subdirectory\n with timestamp added, so you can still access it manually, if needed.\n\n@=> Drupal platforms and Composer support\n\n We no longer install any supported Drupal distros as platforms by default, but\n you can customize Octopus platform list via control file, which will be used\n on the next Octopus upgrade (you can request it individually if you are on\n hosted Ægir service):\n\n ~/static/control/platforms.info\n\n This file, if exists and contains a list of symbols used to define supported\n platforms, allows to control/override the value of _PLATFORMS_LIST variable\n normally defined in the /root/.${_USER}.octopus.cnf file, which can't be\n modified by the Ægir instance owner with no system root access.\n\n IMPORTANT: If used, it will replace/override the value defined on initial\n instance install and all previous upgrades. It takes effect on every future\n Octopus instance upgrade, which means that you will miss all newly added\n distributions, if they will not be listed also in this control file.\n\n Supported values which can be written in this file, listed in a single line\n or one per line:\n\n Drupal 9 based\n\n THR ----------- Thunder\n\n Drupal 8 based\n\n LHG ----------- Lightning\n OPG ----------- Opigno LMS\n SOC ----------- Social\n VBE ----------- Varbase\n\n Drupal 7 based\n\n D7P D7S D7D --- Drupal 7 prod/stage/dev\n AGV ----------- aGov\n CME ----------- Commerce v.2\n CS7 ----------- Commons\n DCE ----------- Commerce v.1\n GDR ----------- Guardr\n OA7 ----------- OpenAtrium\n OAD ----------- OpenAid\n OLS ----------- OpenLucius\n OOH ----------- OpenOutreach\n OPC ----------- OpenPublic\n OPO ----------- Opigno LMS\n PPY ----------- Panopoly\n RST ----------- Restaurant\n UC7 ----------- Ubercart\n\n Drupal 6 based\n\n D6P D6S D6D --- Pressflow (LTS) prod/stage/dev\n DCS ----------- Commons\n UCT ----------- Ubercart\n\n You can also use special keyword 'ALL' instead of any other symbols to have\n all available platforms installed, including newly added in all future BOA\n system releases.\n\n Examples:\n\n ALL\n LHG VBE D7P D7S D7D\n\n Composer will now use PHP 7.3 by default, and you can find many useful hints at:\n https://github.com/omega8cc/boa/blob/master/docs/COMPOSER.txt\n\n IMPORTANT: You must switch your ~/static/control/cli.info to 7.2 or newer\n PHP version (BOA hosted on Omega8.cc comes with 7.4, 7.3 and 7.2), because\n D8 based distros require at least PHP 7.2 -- this also means that to run\n the sites installed after switching cli.info to 7.2 or newer, you will also\n need to either switch your ~/static/control/fpm.info to 7.2 or newer, or\n more probably, to not break any existing sites not compatible with PHP 7.2+\n you will need to list these D8 sites names in ~/static/control/multi-fpm.info\n\n Please check for more information:\n https://learn.omega8.cc/how-to-quickly-switch-php-to-newer-version-330\n\n BOA supports Drupal 8 codebases both with classic directory structure like\n in Drupal 7 and also Drupal 8 distros you can download from Drupal.org, but\n if you use Composer based codebase with different structure, the platform path\n is not the codebase root directory, but the subdirectory where you see the\n Drupal own index.php and \"core\" subdirectory. It can be platform-name/web or\n platform-name/docroot or something similar depending on the distro design.\n\n\n### Stable BOA-4.1.2 Release - Full Edition\n### Date: Tue Sep 22 05:30:08 CEST 2020\n### Milestone URL: https://github.com/omega8cc/boa/milestones/4.1.2\n\n# Release Notes:\n\n This BOA release is a transitional release before switching to rolling\n release policy. Detailed changelog will follow.\n\n\n### Stable BOA-4.0.1 Release - Full Edition\n### Date: Mon May 6 01:14:59 CEST 2019\n### Milestone URL: https://github.com/omega8cc/boa/milestones/4.0.1\n\n# Release Notes:\n\n This BOA release provides three new PHP versions, system updates, including\n security fixes, many bug fixes, latest Ægir version, plus all included\n Drupal distributions updated to latest versions, and supplied with latest\n Drupal 7 or Drupal 8 core, if possible. Yes, BOA still supports Pressflow 6.\n Yes, Debian Stretch is supported. No newer Ubuntu releases are supported yet.\n Yes, we have added Solr 7 support and every 5 minutes updates!\n\n Four Drupal 8 based popular distributions have been included by default,\n plus much improved Composer support and automatic permissions-fix-magic\n on Platform and Site Verify tasks. No more manual fixes!\n\n By the way, Composer will now use PHP 7.3 by default, and you can find\n many useful hints at:\n https://github.com/omega8cc/boa/blob/master/docs/COMPOSER.txt\n\n Big improvements and changes are coming to (auto)managing Solr cores too!\n Solr cores are are now created every 5 minutes if needed, instead of during\n the nightly procedure only, and Solr 7 is used by default. Existing Solr 4\n cores will continue to work as before, but the system will create new Solr 7\n cores for all compatible sites, and will update the sites/foo.com/solr.php\n accordingly. For existing Solr 4 cores there can be namespace conflicts,\n so please make sure to check the updated sites/foo.com/solr.php file and\n adjust your site configuration if needed.\n\n Note: If you are using WinSCP and/or Putty on Windows, or Transmit/Coda\n by Panic on a Mac, please check the Known Issues section at the bottom of this\n BOA-4.0.1 release notes.\n\n@=> Solr 7 and Solr 4 support changes and improvements\n\n Both Solr 7 and Solr 4 powered by Jetty 9 server are available. Supported\n integration modules are limited to latest versions of either search_api_solr\n (D8/Solr7 and D7/Solr7 ) or apachesolr (D7/Solr4 and D6/Solr4).\n\n Currently supported versions are listed below:\n\n https://ftp.drupal.org/files/projects/search_api_solr-8.x-2.7.tar.gz\n https://ftp.drupal.org/files/projects/search_api_solr-7.x-1.14.tar.gz\n https://ftp.drupal.org/files/projects/apachesolr-7.x-1.11.tar.gz\n https://ftp.drupal.org/files/projects/apachesolr-6.x-3.1.tar.gz\n\n Note that you still need to add preferred integration module along with\n any its dependencies in your codebase since this feature doesn't modify\n your platform or site - it only creates Solr core with configuration\n files provided by integration module: schema.xml and solrconfig.xml etc.\n\n Important: search_api_solr-8.x-2.x is different from all previous versions,\n as it requires Composer to install the module and its dependencies, then\n you will need to configure it, and only then you will be able to generate\n customized Solr core config files, which you should upload in the path:\n sites/foo.com/files/solr/ and wait 5-10 minutes to have them activated\n on the Solr 7 core the system will create for you.\n\n This will affect the running every 5 minutes auto-installer, hence\n no need to wait until next morning to be able to use new Solr core. Win!\n\n Once the Solr core is ready to use, you will find a special file in your\n site directory: sites/foo.com/solr.php with details on how to access\n your new Solr core with correct credentials.\n\n Side note: the sites/foo.com/solr.php will be automatically deleted on every\n site Verify task in Ægir, to prevent copying it across with incorrect\n access credentials when you clone the site. As soon as the site is verified,\n its sites/foo.com/solr.php will get re-created automatically within 5-10 min.\n and the cloned site will also get its own Solr core created.\n\n For more details please check the docs at:\n https://github.com/omega8cc/boa/blob/master/docs/SOLR.txt\n\n@=> Drupal 8.7.0 platforms and Composer support\n\n Since BOA-4.0.1 new Drupal 8.7.0 based platforms are included:\n\n Lightning 3.3.0 -------------- https://drupal.org/project/lightning\n Thunder 8.2.39 --------------- https://drupal.org/project/thunder\n Varbase 8.6.8 ---------------- https://drupal.org/project/varbase\n Social 8.5.1 (8.6.15 core) --- https://drupal.org/project/social\n\n IMPORTANT: You must switch your ~/static/control/cli.info to 7.1 or newer\n PHP version (BOA hosted on Omega8.cc comes with 7,1, 7.2 and 7.3), because\n D8 based distros require at least PHP 7.1 -- this also means that to run\n the sites installed after switching cli.info to 7.1 or newer, you will also\n need to either switch your ~/static/control/fpm.info to 7.1 or newer, or\n more probably, to not break any existing sites not compatible with PHP 7.1+\n you will need to list these D8 sites names in ~/static/control/multi-fpm.info\n\n Please check for more information:\n https://learn.omega8.cc/how-to-quickly-switch-php-to-newer-version-330\n\n BOA supports Drupal 8 codebases both with classic directory structure like\n in Drupal 7 and also Drupal 8 distros you can download from Drupal.org, but\n if you use Composer based codebase with different structure, the platform path\n is not the codebase root directory, but the subdirectory where you see the\n Drupal own index.php and \"core\" subdirectory. It can be platform-name/web or\n platform-name/docroot or something similar depending on the distro design.\n\n As you have discovered if you have already tried, the path you should use\n in Ægir when adding Composer based codebase as a platform is the directory\n where index.php resides, so effectively anything above that directory is not\n available for web requests and thus safely protected.\n\n The information from Ægir project docs saying \"When verifying a platform,\n Ægir runs composer install if a composer.json file is found.\" doesn't apply\n to BOA. We have disabled this. There are several reasons, most importantly:\n\n a/ having this feature enabled is actually against the codebase management\n workflow in Ægir, because it may modify codebase on a live site,\n\n b/ some tasks launch verify many times during clone and migrate, which\n results with giant overhead and conflicts if we allowed it to run composer\n install many times in parallel,\n\n c/ from our experience, having this poorly implemented feature enabled breaks\n clone and migration tasks between platforms when both have the composer.json\n file. It just doesn't make any sense in our opinion. The implementation\n should be improved to make it actually work similarly to Drush Makefiles.\n\n You should think about Composer like it was Drush Make replacement, and you\n should not re-build nor upgrade the codebase on a platform with sites already\n hosted. Just use it to build new codebases and then add them as platforms\n when the build works without errors.\n\n@=> Important PHP versions availability changes\n\n Still on PHP 5.6? You should switch to PHP 7.3 — It’s twice as fast as 5.6!\n But don't switch blindly -- even sites already running on PHP 7.0 before\n are most probably not ready for PHP 7.2 or 7.3 without proper fixes.\n\n Note: BOA-4.0.1 release removes PHP 5.3, 5.4 and 5.5, if installed.\n In addition to still supported, even if officially deprecated 5.6 and 7.0\n versions, this release adds support for PHP 7.3, 7.2 and 7.1\n\n Please check the PHP officially supported versions list at:\n http://php.net/supported-versions.php\n\n In our limited testing Drupal 7 core version included in this release works\n without noticeable issues with both PHP 7.2 and 7.3, although many contrib\n modules may not be ready to switch your instance to 7.3 or 7.2 just yet,\n especially if you have not used PHP 7.0 already.\n\n We recommend to test your sites clones with newer PHP versions using BOA\n multi-PHP-version support via ~/static/control/multi-fpm.info before\n switching your instance to use 7.3 or 7.2 by default.\n\n Please check for more information:\n https://learn.omega8.cc/how-to-quickly-switch-php-to-newer-version-330\n\n We still include Pressflow 6 platforms, because in the meantime the LTS\n community support made the latest Pressflow 6 version compatible with PHP 7.2\n\n If you still have a reason to use Drupal 6 core, we recommend to use\n our version: https://github.com/omega8cc/pressflow6/tree/pressflow-plus\n\n@=> BOA release policy changes\n\n In over 15 months since BOA-3.2.2 release we have tested a more agile\n approach with Rolling Release policy for BOA system part known as Barracuda.\n\n We have implemented many changes and updates only in BOA HEAD and used\n carefully tested HEAD in production. This worked flawlessly and allowed us\n to keep all BOA hosted and maintained systems continuosly updated without\n waiting for stable release.\n\n BOA project is very complex, build atop of many packages and individually\n built from sources components, plus other projects like Ægir, Drush and\n Drupal core and distributions -- each of them with their own release policy.\n\n After years of efforts to keep healthy balance between providing necessary\n upgrades and avoiding BOA users maintenance fatigue due to frequent releases,\n which usually results with skipping releases which has many adverse effects,\n including requirement to keep new versions backward compatible with 2-3 years\n old releases, we have decided that it's time to introduce Rolling Release\n policy for Barracuda while still using standard point releases policy for\n Octopus installer, which covers Ægir, Drush and Drupal platforms updates.\n\n We will still use point releases for Barracuda when there will be major\n changes introduced, like deprecating old PHP versions or changing components\n like Let's Encrypt integration agents or methods.\n\n BOA project docs will be updated to reflect these changes once another\n standard point release is made either for Octopus, Barracuda or both.\n The docs will explain how to run Barracuda system continuous updates properly.\n\n # New features:\n\n * Add auto-cleanup for empty old platforms in /var/aegir\n * Add experimental support for autoslave and cache_consistent\n * Add initial Composer docs\n * Add jsmin support for PHP7 #1250\n * Add mongodb extension for PHP 7 and Drupal 8.2.x support #1127\n * Add redis_oom_check() to monitoring\n * Add set_composer_manager_vendor_dir INI variable\n * Add support for include/exclude filelist for duplicity. #1159\n * Add support for Percona 5.7 and use MariaDB 10.1 by default\n * Add UTF8MB4 Convert Drush extension #1047\n * Automatically check and remove drush from codebase\n * Debian Stretch support #1176\n * Do not run Verify daily if ~/static/control/noverify.info exists\n * Install ClamAV daemon by default\n * PHP 7.3, 7.2 and 7.1 Support #1126\n * Run manage_solr_config.sh every 5 minutes\n * Update Solr with BOA #1305\n * Use _DB_BACKUPS_TTL variable for local and cluster db backups rotation\n\n # Changes:\n\n * Add innodb_default_row_format = dynamic — fixes #1366\n * Advanced Nginx microcaching to improve cache HITs #1271\n * Change to dashes in bucket names and upgrade boto/duplicity #1247\n * Create fpm.info and cli.info ctrl files on Octopus install\n * Deprecate MariaDB 5.5 and force 10.1 instead\n * Enable uploadprogress.so for testing on PHP 7+\n * Force Composer to use PHP 7.2 if available #1213\n * Higher PHP CLI limits to make Composer happy\n * Increase default TTLs to make BOA more friendly for big sites\n * Make DNS Cache Server pdnsd optional -- needs DCS keyword in _XTRAS_LIST\n * Minimum 4 GB RAM and 2 CPU (with Solr minimum 8 GB RAM and 4+ CPU rec.)\n * Re-verify LE enabled sites daily\n * Refresh the tasks list more frequently\n * Remove deprecated PHP versions #801\n * Remove problematic opcache.fast_shutdown\n * Remove ultimate_cron and background_process from the blacklist\n * Replace Google DNS servers for Cloudflare DNS servers #1317\n * Replace the complex public IP detection with an external API #1089\n * Set PHP CLI to FPM version if only FPM is defined\n * SQL: disable innodb_adaptive_hash_index by default\n * Upgrade imagick to 3.4.3 for PHP7 support #1253\n * Use /root/.backboa.autoupdate by default\n * Use utf8mb4/utf8mb4_general_ci by default\n\n # System upgrades:\n\n * Adminer 4.7.0\n * CSF/LFD 12.10\n * Drush 8.2.3.1\n * Galera 10.0.37\n * Lshell 0.9.18.9\n * MariaDB Server 10.1.39\n * MariaDB Server 10.2.19\n * MariaDB Server 10.3.14\n * MySQLTuner 1.7.15\n * Nginx 1.16.0\n * Node.js v10.x LTS\n * OpenSSH Server 8.0p1\n * OpenSSL 1.0.2r for Nginx\n * PHP 7.3.5, 7.2.18, 7.1.29, 7.0.33, 5.6.40\n * PHP Redis extension 4.2.0\n * Pure-FTPd 1.0.49\n * Redis Module 8.x mod-05-02-2019\n * Redis Server 4.0.14\n * Ruby 2.6.0\n * Use latest Duplicity and dependencies\n\n # Fixes:\n\n * Add fix_ping_perms()\n * Add libzip-dev to satisfy PHP 7.3 requirements\n * Add nginx config to mitigate SA-CORE-2018-002\n * Add patches for CORE-2018-004 and SA-CORE-2018-002\n * Add procedure satellite_fix_broken_entity_module()\n * Add re_set_default_php_cli() procedure\n * Add redis_slow_check()\n * Ajax 200 parsererror on every Drupal site #1344\n * Avoid potentially problematic --force-yes for apt-get\n * Backboa AWS S3 backup integration no longer working #1138\n * Backboa not installed #1310\n * Backboa: Certificate error #1141\n * Cannot switch php-cli, cannot create varbase composer project. #1308\n * Check sshd not ssh version\n * CiviCRM 4.7 not working under BOA #1223\n * Crawlers see 403 on public path #1329\n * Debian 9 (Stretch) _apt user + _STRICT_BIN_PERMISSIONS errors #1352\n * Do not lock old/all hostmaster platforms automatically\n * Downgrade MySecureShell until we can figure out compatibility issues\n * Errors using site with CiviCRM #1304\n * Extra cleanup for any codebase level drush copy\n * Fix for empty old hostmaster platforms cleanup\n * Fix for incomplete logic in multi-fpm mode\n * Fix for jessie-backports\n * Fix SA-CORE-2018-006 for D8 and D7\n * Fix the site specific composer_manager dir also for D8\n * Fix to include gitlab.com in ~/.ssh/known_hosts\n * Improve gpg keys handling\n * Improve pdnsd self-repair procedures\n * Infinite loop on INFO: Retrieving F1656F24C74CD1D8 key.. #1323\n * Known issues with contrib module Redirect in Drupal 8 and BOA #1239\n * Make sure redis-server is up immediately after upgrade\n * Make sure that ~/.rvmrc is fixed\n * Make sure that composer permissions are fixed\n * Make sure that the ownership on static/control is correct\n * Make sure to fix Redis permissions\n * Nginx: the \"ssl\" directive is deprecated since 1.15.0\n * No live certificates from Let's Encrypt #1255\n * No Web Server is added when BOA is installed locally #1306\n * PSA-2018-003: Drupal core security release #1283\n * Remove deprecated option UsePrivilegeSeparation if exists\n * Restore Jessie default apt mode on Stretch+\n * Solr dir is not defined in in setup_solr() #1370\n * SSHD - use without-password for backward compatibility\n * Switching out DNS servers caused breakage #1318\n * Sync permissions fix on platform verify for D8, D7, D6\n * Sync Solr 7 memory management logic\n * The _PERMISSIONS_FIX var gets overridden to YES daily basis #1311\n * The innodb_lazy_drop_table has been deprecated in Percona\n * Update ~/static/control/README.txt if needed\n * Update boa info [more] for current years #1248\n * Update lshell.config to not break valid D8 specific Drush commands\n * Update, sync and de-duplicate Zend OPcache config directives\n * Updated default robots.txt #1172\n * Use gpg2 directly instead of deprecated apt-key\n * Use IP directly as a last fallback\n * xboa migrate Solr 7 data #1376\n\n # Known issues:\n\n * SSH/SFTP WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!\n In short, nothing to worry about, but please read on how to fix this:\n https://learn.omega8.cc/2019-remote-host-identification-ssh-388\n\n * PHP 7.1+ can't be installed w/ MariaDB 10.2+ until compatibility is fixed:\n https://jira.mariadb.org/browse/MDEV-14555\n\n * Existing Solr 4 cores may experience namespace conflicts.\n Please make sure to check the updated sites/foo.com/solr.php file\n and adjust your site configuration if needed.\n\n * Error decoding SFTP packet -- affects WinSCP/Putty\n We recommend to use CybderDuck for reliable SFTP access.\n For known fix please check https://bit.ly/2HMGd6u -- quote below:\n >>>>>\n Basically we need to set the ‘Preferred SFTP protocol version’ to 3.\n How to do this:\n Edit the connection in WinSCP\n Open the Advanced menu\n Choose Advanced\n This will bring up a new popup.\n Under Environment click on SFTP\n Change ‘Preferred SFTP protocol version’ to 3\n Save the changes.\n >>>>>\n\n * SFTP connection doesn't work with Transmit nor Coda by Panic software.\n We have not figured out the workaround yet, so we recommend using\n working alternatives on a Mac, like Cyberduck or ForkLift.\n\n * The filefield_nginx_progress module, which is deprecated for years,\n no longer works and breaks upload fields. The module has been removed\n from the supported modules list, and will be automatically disabled\n if active in any D7 site daily, so we recommend to use the current\n similar alternative (even if not so fancy) included now by default:\n https://www.drupal.org/project/file_resup\n\n\n### Stable BOA-3.2.2 Release - Full Edition\n### Date: Sat Jan 20 11:03:34 PST 2018\n### Milestone URL: https://github.com/omega8cc/boa/milestones/3.2.2\n\n# Release Notes:\n\n This BOA release provides system security upgrades, many bug fixes,\n latest Ægir version, plus all supported Drupal distributions updated\n to latest versions, and supplied with latest Drupal 7 core, if possible.\n Thanks to Drush 8.1.15-dev we support also the newest Drupal 8.4.4 core.\n\n@=> Important changes planned in the next BOA feature release\n\n BOA-3.2.2 is the last release still supporting PHP 5.3, 5.4 and 5.5 versions.\n These versions will be *removed* in the next release, and instead\n there will be support for PHP 7.1 and 7.2 added.\n\n Future releases will no longer include Pressflow 6 platforms, but Pressflow 6\n will be fully supported, and can still use PHP 5.6 -- We recommend to use\n our version: https://github.com/omega8cc/pressflow6/tree/pressflow-plus\n\n # Changes:\n\n * Add support for WOFF 2.0\n * Commerce 2.51\n * Guardr 2.40\n * OpenAtrium 2.624\n * Panopoly 1.49\n\n # System upgrades:\n\n * Adminer 4.3.1\n * Galera 10.0.33\n * MariaDB 10.1.30\n * MariaDB 10.2.12\n * MariaDB 5.5.59\n * Nginx 1.13.8\n * OpenSSL 1.0.2n (used only in Nginx)\n * PHP 5.6.33\n * PHP 7.0.27\n * PHP extension for Redis 3.1.6\n * Pure-FTPd 1.0.49\n * Redis Server 4.0.6\n * Ruby 2.4.2\n * Use Redis integration mod-30-12-2017 (D7)\n\n # Fixes:\n\n * Add mongo to the list of permissions exceptions, if installed\n * Do not delete empty platforms if ~/static/control/platforms.info is used\n * Do not restart Redis daily if /root/.high_traffic.cnf exists\n * Fix Drupal 8 detection for distros with vendor dir moved out of docroot\n * Fix requirements for the latest compass version\n * Hints config update\n * LE not renewing expired certificates due to IPv6 DNS entries -- #1179\n * Notifications about new BOA editions are sent to notify@omega8.cc -- #1219\n * Override fastcgi_params to make geoip headers work again\n * Redirect module conflict with manual cron execution in D8 -- #1215\n * Remove hmac-ripemd160 MAC, deprecated in OpenSSH 7.6 -- #1217\n * The _SSH_ARMOUR=YES not compatible with OpenSSH 7.6 -- #1218\n * Update keys for rvm.io\n * Update LE License to LE-SA-v1.2-November-15-2017.pdf\n * Use advagg-7.x-2.30\n * Use modified rvm-installer.sh for user-level installations\n * Use reroute_email-7.x-1.3\n * Use rvm_silence_path_mismatch_check_flag=1\n\n\n### Stable BOA-3.2.1 Release - Full Edition\n### Date: Sat Oct 7 19:58:53 PDT 2017\n### Milestone URL: https://github.com/omega8cc/boa/milestones/3.2.1\n\n# Release Notes:\n\n This BOA release provides system security upgrades, many bug fixes,\n latest Ægir version, plus all supported Drupal distributions updated\n to latest versions, and supplied with latest Drupal 7 core, if possible.\n Thanks to Drush 8.1.15-dev we support also the newest Drupal 8.4 core.\n\n@=> Important changes planned in the next BOA release\n\n BOA-3.2.1 is the last release still supporting PHP 5.3, 5.4 and 5.5 versions.\n These versions will be *removed* in the next release, and instead\n there will be support for PHP 7.1 and 7.2 added.\n\n Future releases will no longer include Pressflow 6 platforms, but Pressflow 6\n will be fully supported, and can still use PHP 5.6 -- We recommend to use\n our version: https://github.com/omega8cc/pressflow6/tree/pressflow-plus\n\n@=> Drupal 6 vanilla core is deprecated starting with BOA-3.2.1\n\n Drupal 6 vanilla core is no longer supported. It was never really supported,\n but could still work. Those running Drupal 6 instead of supported Pressflow 6\n will notice that their site displays only the homepage and all links/menus\n no longer display expected content. This change is a result of new rewrite\n in the Nginx configuration, required to properly support both Drupal 8 and\n Drupal 7. Time to migrate to latest, included in this release, Pressflow 6!\n\n # Changes:\n\n * Add chained commands to forbidden list in lshell\n * Add Nginx Headers More module support\n * Add support for --include/exclude-filelist for duplicity -- #1158\n * Add support for upcoming MariaDB 10.2\n * Auto-update duplicity if installed\n * Deny bots on non-prod domains, not only on aliases -- #1178\n * Do not pause the tasks queue during mysql backup\n * Do not truncate queue and accesslog tables by default\n * Enable New Relic integration for PHP 7.0\n * Install ipset to improve CSF performance\n * mongodb.so for D8.2 and PHP7.0 -- #1128\n * Run 3 queue tasks in parallel by default\n * Use redis_scan_enable = FALSE by default\n\n # System upgrades:\n\n * CSF 10.22\n * Drush micro-8-07-10-2017\n * Galera 10.0.32\n * MariaDB 10.1.28\n * MariaDB 10.2.9\n * MariaDB 5.5.57\n * Nginx 1.13.5\n * Node 6.x version bump -- #1129\n * OpenSSH 7.6p1\n * OpenSSL 1.0.2l (used only in Nginx)\n * PHP 5.6.31\n * PHP 7.0.24\n * PHP extension for Redis 3.1.4\n * Pure-FTPd 1.0.46\n * Redis Server 4.0.2\n * Update Redis module for Drupal 8\n * Upgrade drush to support Drupal 8.4 -- #1206\n * Upgrade wkhtmltopdf and wkhtmltoimage to 0.12.4\n\n # Fixes:\n\n * Add SSH (RSA) keys how-to\n * Add support for tar.xz archives\n * Add symlink suggested in #999\n * Allow a bit higher load limits for queue runner\n * Barracuda is not installing ipset so csf doesn't work -- #1203\n * Deprecate no longer working distros\n * Disable innodb_corrupt_table_action in 10.2\n * Do not enable entitycache in the Commons distro\n * Exclude special https.* proxy vhosts from daily cleanup\n * Fix permissions on password files for HTTP Basic Auth -- #1187\n * Fix syntax and race conditions in fire/water\n * Galera compatibility: do not edit mysql.user directly\n * Improve CSF race conditions protection\n * Improve default system cron queue\n * Improve repo.psand.net/pubkey update\n * Improved PHP OPCache default configuration\n * Linux kernel CVE-2017-2636 hotfix\n * Linux kernel CVE-2017-6074 hotfix\n * Make sure that not supported tools are not re-installed on VServer\n * Move excludes first as they are more specific than includes -- #1168\n * PHP not installed after Wheezy to Jessie upgrade -- #999\n * Redirect module breaks Drupal 8 sites in BOA if present -- #1061\n * Remove --numeric-ids option from xboa -- #1146\n * Restart DB server on upgrade only if config has changed\n * Run fast enough fire.sh again\n * Silence mysql cleanup output -- #1180\n * Site in subdirectory cookie is not set correctly -- #1211\n * Sync PHP disable_functions across all versions\n * Update default robots.txt -- #1172\n * Use --skip-add-locks — Galera Cluster compatibility\n * Use absolutely graceful MySQLD restart procedure\n * VServer 4.1.42-vs2.3.8.6-beng compatibility\n * Wait for MySQLD availability before running DB backup\n * Whitelist known search engines bots IPs\n\n\n### Stable BOA-3.2.0 Release - Full Edition\n### Date: Sun Feb 26 09:11:39 PST 2017\n### Milestone URL: https://github.com/omega8cc/boa/milestones/3.2.0\n\n# Release Notes:\n\n This BOA release provides many new features, system security upgrades, many\n improvements and bug fixes, latest Ægir version, plus all supported Drupal\n platforms updated to latest versions, and supplied with latest Drupal 7 core,\n if possible.\n\n The reason we list here also new features and changes already listed in\n previous BOA-3.1.4 version is that they were supposed to be included in this\n (3.2.0) release, since we normally don't include new features in bugfix\n releases, but we had to publish more bugfix/security releases in the 3.1.x\n series than initially expected, while new features were already pushed to HEAD\n in anticipation of delayed 3.2.0 release.\n\n We have also moved some new features originally intended to be included\n in the (3.2.0) release to the next 3.3.0 milestone, which is expected\n in about one month after 3.2.0 release.\n\n@=> Magic permissions fix now happens on-the-fly\n\n The most interesting new Ægir feature is probably the ability to fix files\n permissions and ownership on any site and platform, without waiting for\n the running daily magic fix. Now it happens on-the-fly, when you run normal\n platform and site Verify tasks.\n\n@=> MariaDB 10.1 is now the new default version\n\n If you are already running 10.0, BOA will upgrade it to _DB_SERIES=10.1\n but if you still run _DB_SERIES=5.5 it will continue to use MariaDB 5.5\n on your system (not recommended).\n\n# New features and enhancements:\n\n * Add Microsoft Hyper-V to supported virtualization systems\n * Add support for _HOURLY_DB_BACKUPS=YES via Percona XtraBackup\n * Add support for ‘boa version’ command\n * Add support for /root/.my.batch_innodb.cnf weekly procedure\n * Add support for /root/.my.restart_after_optimize.cnf procedure\n * Add support for fix_ownership and fix_permissions on-the-fly\n * Add support for latest 3.18.44-vs2.3.7.5-beng VS kernel\n * Add support for latest 4.1.33-vs2.3.8.5.2-beng VS kernel\n * Add support for the Open Lucius Distribution to Ægir —- #888\n * Add support for the Opigno LMS Distribution to Ægir —- #953\n * Automatically whitelist CloudFlare and Sucuri IPs (faster version)\n * Bundle Opigno LMS dependencies: TinCanPHP and pdf.js\n * Configure _INNODB_LOG_FILE_SIZE automatically\n * Docs for Twig Debbuging in Drupal 8.2.x and BOA #1085\n * Improve InnoDB performance\n * Improve Let's Encrypt docs\n * Include advagg, cdn, and robotstxt in o_contrib_eight -- #1096\n * Install ClamAV and RKhunter by default —- #1019\n * Make boost cache clearing configurable via _CLEAR_BOOST variable -- #1115\n * MariaDB 10.1 support (new default version) -- #866\n * Open LDAP ports 389 and 3268 for outgoing TCP connections\n * Speed up mysql stop/start\n * Update S3 regions list for backboa backups\n * Use blazing fast Redis (SCAN) method on wildcard cache delete\n * Use Redis_CacheCompressed mode, if available (saves a ton of RAM)\n\n# Changes:\n\n * Allow to run global OPTIMIZE only once per month, on the last Sunday\n * Always update barracuda, boa and octopus wrappers, ignore _SKYNET_MODE=OFF\n * Enable ARCHIVE Storage Engine in MariaDB 10.1\n * Force _CUSTOM_CONFIG_SQL=NO on MariaDB major upgrade/reinstall\n * Remove exception for cache_form bin in Redis configuration\n * Remove no longer supported textile module\n * Run db OPTIMIZE only weekly, if configured\n * Use bzip2 also for standard db backups\n * Use lower system load limit for queue runner\n * Use MySQLTuner to configure SQL limits — enabled by default\n\n# System upgrades:\n\n * CSF/LFD 9.30\n * Drupal 7.54.2\n * Drush micro-8-07-02-2017\n * Duplicity 0.7.11 (please run 'backboa install' to upgrade)\n * MariaDB 10.1.21\n * MariaDB 5.5.54\n * MariaDB Galera Cluster 10.0.29\n * Nginx 1.11.10\n * OpenSSL 1.0.2k (used only in Nginx)\n * PHP 5.6.30\n * PHP 7.0.16\n * Pure-FTPd 1.0.45\n * Redis 3.2.8\n * Redis D8/D7 integration mod-09-02-2017\n * Use ImageMagick 7.0.4-6 if built from sources\n * Use Redis integration mod-14-02-2017 (D7)\n\n# Fixes:\n\n * Can't add clients on BOA3 -- #926\n * Do not add newer InnoDB settings when old server version is in use -- #1122\n * Do not disable site_readonly daily on migrated instances\n * Fix the not working hostmaster LE cert auto-update (typo)\n * Force vnstat restart on version upgrade\n * Improve disable_chattr() and enable_chattr() logic\n * Improve docs/FAQ.txt as suggested in #1119\n * Improve userprotect initial-only setup -- #926\n * MariaDB server not running properly alert -- #1122\n * Migration should re-use Let's Encrypt certs in HTTPS proxy vhosts -- #1106\n * Randomize SQL backup schedule\n * Rebuild hosting_custom_settings feature after enabling Redis on install\n * Sync db server (optional) restart with optimize\n * Sync max_execution_time for PHP-FPM\n * Sync max_input_time for PHP-FPM\n * Update docs/SSL.txt -- #1109\n * Whitelist /dev/urandom in open_basedir\n\n\n### Stable BOA-3.1.4 Release - Full Edition\n### Date: Tue Dec 20 14:09:21 PST 2016\n### Milestone URL: https://github.com/omega8cc/boa/milestones/3.1.4\n### Latest hotfix added on: Wed Dec 21 12:44:58 PST 2016\n\n# Release Notes:\n\n This BOA release provides system security upgrades, many improvements\n and bug fixes, latest Ægir version, plus all supported Drupal platforms\n updated to latest versions, and supplied with latest Drupal 7 core,\n if possible.\n\n@=> Magic permissions fix now happens on-the-fly\n\n The most interesting new Ægir feature included in this release is probably\n the ability to fix files permissions and ownership on any site and platform,\n without waiting for the running daily magic fix. Now it happens on-the-fly,\n when you run normal platform and site Verify tasks.\n\n@=> MariaDB 10.1 is now the new default version\n\n If you are already running _DB_SERIES=10.0, this BOA release will upgrade it\n to _DB_SERIES=10.1 -- but if you still run _DB_SERIES=5.5 it will continue\n to use MariaDB 5.5 on your system.\n\n# New features and enhancements:\n\n * Add Microsoft Hyper-V to supported virtualization systems\n * Add support for ‘boa version’ command\n * Add support for fix_ownership and fix_permissions on-the-fly\n * Add support for latest 3.18.44-vs2.3.7.5-beng VS kernel\n * Add support for latest 4.1.33-vs2.3.8.5.2-beng VS kernel\n * Automatically whitelist CloudFlare and Sucuri IPs (faster version)\n * Configure _INNODB_LOG_FILE_SIZE automatically\n * MariaDB 10.1 support (new default version) -- #866\n * Use Redis_CacheCompressed mode, if available (saves a ton of RAM)\n\n# Changes:\n\n * Always update barracuda, boa and octopus wrappers, ignore _SKYNET_MODE=OFF\n * Enable ARCHIVE Storage Engine in MariaDB 10.1\n * Force _CUSTOM_CONFIG_SQL=NO on MariaDB major upgrade/reinstall\n * Remove no longer supported textile module\n * Run db OPTIMIZE only weekly, if configured\n * Use MySQLTuner to configure SQL limits — enabled by default\n\n# System upgrades:\n\n * CSF 9.28\n * Drush micro-8-17-12-2016\n * MariaDB 10.1.20\n * MariaDB Galera Cluster 10.0.28\n * Nginx 1.11.7\n * OpenSSH 7.4p1 (if installed from sources)\n * OpenSSL 1.0.2j (used only in Nginx)\n * PHP 5.6.29\n * PHP 7.0.14\n * PHPRedis 3.1.0\n * Redis 3.2.6\n * Use mydropwizard-6.x-1.6\n * Use Redis module mod-20-12-2016\n\n# Fixes:\n\n * Allow to run downgrade to _DB_SERIES 5.5 (experimental, not recommended!)\n * Always reinstall cURL from packages if broken\n * AMP support -- #948\n * Archive PHP logs in /var/backups/php-logs/\n * Check if bind should be installed early enough\n * Do not enable innodb-defragment — it may crash the server\n * Fix for check_root_keys_pwd()\n * Fix for disable_chattr()\n * Fix for missing PHP config regression -- #1105\n * Fix for VnStat sysconfdir\n * Fix the check in detect_deprecated_php()\n * Ignore search lines to avoid breaking pdnsd config -- #1069\n * Improve SQL defaults\n * Make sure innodb_buffer_pool_instances is always defined\n * Migration between installation profiles -- #1076\n * Monitor more lines when /root/.hr.monitor.cnf exists\n * Multiply already high opcache.max_accelerated_files\n * Nginx: Set Access-Control-Allow-Origin header only for static files\n * Remove duplicate config updates and restarts\n * Remove various tmp/dot files breaking du command\n * Sync the new on-the-fly permissions magic with BOA daily.sh logic\n * The .git/* files are downloadable -- #1091\n * Triple check that all sql tables are upgraded\n * Update JS module to 7.x-2.1 -- #586\n * Update migrate docs to avoid issues with already migrated instances\n * Use long enough wait times for big SQL servers restarts\n * Use Open Atrium own patched Drupal core -- #1083\n\n\n### Stable BOA-3.1.3 Release - Barracuda Edition\n### Date: Mon Sep 12 17:54:50 PDT 2016\n### Milestone URL: https://github.com/omega8cc/boa/milestones/3.1.3\n\n# Release Notes:\n\n This BOA release provides important security upgrades and bug fixes.\n You should upgrade via 'barracuda up-stable system' immediately.\n Note: Octopus upgrade is **not** included in this BOA release.\n\n Technically, even by running normal system update with previous BOA release\n you would apply all security upgrades, since they are provided by MariaDB\n packages, and thus enforced no matter if we release new BOA version, or not,\n so we are doing this purely to make sure that all users have been alerted\n about the situation affecting their systems.\n\n# Changes:\n\n * Move Nginx cache cleanup to daily cleanup procedure\n * Use standard hourly schedule for self-update in clear.sh\n\n# System upgrades:\n\n * Add all Tika versions from 1.1 to 1.13 in /opt/tika9/\n * MariaDB 10.0.27 (critical security upgrade)\n * MariaDB Galera Cluster 10.0.27 (critical security upgrade)\n * MongoDB database driver 1.6.14 for all PHP versions < 7 -- fixes #981\n * Pure-FTPd 1.0.43\n\n# Fixes:\n\n * Check if curl works and re-install if needed before running auto-update\n * Log LE renewal attempts\n * Log out all users after lshell em upgrade\n * Make sure that cURL is always listed in packages\n * Move permissions fix overrides check to the correct place\n * Nginx: default FastCGI cache levels value may exhaust all inodes -- #2791885\n\n# Known problems:\n\n https://github.com/omega8cc/boa/milestones/3.1.x\n\n\n### Stable BOA-3.1.2 Release - Full Edition\n### Date: Sat Aug 20 14:43:43 PDT 2016\n### Milestone URL: https://github.com/omega8cc/boa/milestones/3.1.2\n### Latest hotfix added on: Thu Aug 25 09:17:59 PDT 2016\n\n# Release Notes:\n\n This BOA release provides system security upgrades, improvements\n and bug fixes, plus all supported Drupal platforms updated to latest\n versions, and supplied with latest Drupal 7 core.\n\n@=> You can use NPM to install Grunt/Gulp/Bower -- #1028 by @pricejn2 (thanks!)\n\n Now the same ~/static/control/compass.info file will activate not only\n RVM, which can be used to install Compass Tools, but also NPM, which\n can be used to install Grunt/Gulp/Bower.\n\n You will need to re-initialize your account to have it added, by\n deleting the control file, and adding it again after ~10 minutes.\n\n More details: https://github.com/omega8cc/boa/blob/master/docs/RVM.txt\n\n@=> Redis integration works with Drupal 8 -- with no effort on your side\n\n We have added a smart activation procedure, to meet the D8 Redis module\n requirements. The system will add Redis integration to your Drupal 8\n sites automatically, but will keep it inactive, until the module will be\n installed properly, during nightly system autonomous maintenance.\n\n This means that Redis will start working in every existing and newly\n installed Drupal 8 site with some initial delay, to get things installed\n in the correct order, and still without any effort on your side.\n\n# Other enhancements:\n\n * Add mydropwizard to Drush extensions for Drush Make D6 support\n * Add support for Drupal 8 specific development.services.yml file\n * Allow to configure stable/head BOA auto-upgrades via _AUTO_VER variable\n * Compatibility with Multi-byte UTF-8 support in Drupal 7\n\n# Changes:\n\n * Add Adminer database manager and deprecate Chive manager -- #1036\n * Enable Let's Encrypt LIVE mode via ~/static/control/ssl-live-mode.info\n * Force /root/.use.curl.from.packages.cnf to install cURL from packages\n * Run db sqlmagic auto conversion also on test/dev sites, if activated\n\n# System upgrades:\n\n * CSF 9.11\n * Drush micro-8-23-07-2016\n * Lshell 0.9.18.8 (security update for shell escalation issues)\n * MariaDB 10.0.26\n * MariaDB 5.5.51\n * Mysqltuner v1.6.15\n * Nginx 1.11.3\n * OpenSSH 7.3p1 (if installed from sources)\n * PHP 5.5.38\n * PHP 5.6.25\n * PHP 7.0.10\n * PHPRedis dev5-11-08-2016\n * PHPRedis dev7-11-08-2016\n * Redis 3.2.3\n * Redis D8 integration mod-12-08-2016\n * vnStat 1.15\n\n# Fixes:\n\n * Avoid race conditions on web system user update\n * Debian Jessie 8.3+ needs grub update -- fixes #912\n * Detection of Amazon AWS / EC2 instance -- fixes #930\n * Disable Redis integration until module is installed (D8 only)\n * Do not force --default-character-set=utf8 -- see #1020\n * Don’t set $MANPATH when npm support is enabled\n * Fix for openssh-sftp-server status on Jessie\n * FMG installation hangs on keyring install -- fixes #1050\n * Force InnoDB in sqlmagic for Drupal 7+ -- see #1020\n * Ignore ~/control/multi-fpm.info on too old Octopus (2.4) instances\n * Linux Kernel CVE-2016-5696 mitigation\n * Mitigate httpoxy vulnerability\n * Nginx: Fix for not working autodiscover flood protection\n * Nginx: Fix for the add_header inheritance\n * Nginx: Improve fastcgi_cache_valid TTL settings\n * Octopus auto-upgrade should set _AUTOPILOT=YES on the fly -- fixes #1041\n * Remove deprecated MyISAM exceptions in sqlmagic command\n * Run detect_cdorked_malware() only if /usr/sbin/nginx exists\n * Run registry-rebuild directly after hostmaster upgrade\n * Single _tmp_ dir is enough to require forced cleanup (Drush cache)\n * Sync keyring install command with BOA standard -- #1052\n * Sync modules auto en/dis for Drupal 8\n * Update check_boa_php_compatibility()\n * Upgrade to panels-7.x-3.7 (security) in all distros using the module\n * Whitelist elFinder requests\n * Workaround for aegir_backup_export_path\n\n# Known problems:\n\n https://github.com/omega8cc/boa/milestones/3.1.x\n\n\n### Stable BOA-3.1.1 Release - Full Edition\n### Date: Wed Jun 22 12:24:17 PDT 2016\n### Milestone URL: https://github.com/omega8cc/boa/milestones/3.1.1\n### Latest hotfix added on: Fri Jun 24 06:01:07 PDT 2016\n\n# Release Notes:\n\n This BOA release provides system security upgrades, improvements\n and bug fixes, plus all supported Drupal platforms updated to latest\n versions, and supplied with latest Drupal 7 core (security release).\n\n# New features and enhancements:\n\n * Add _SSH_ARMOUR feature\n * Add strict check for supported virtualization systems\n * Allow to install ImageMagick from sources when _MAGICK_FROM_SOURCES=YES\n\n# Changes:\n\n * Deprecate support for old Solr versions <4\n * Switch cluster support to 3.x\n\n# System upgrades:\n\n * Drush micro-8-15-06-2016\n * MariaDB 5.5.50\n * Nginx 1.11.1\n * PHP 5.5.37\n * PHP 5.6.23\n * PHP 7.0.8\n * Redis 3.2.1\n\n# Fixes:\n\n * Add compatibility with magick src\n * Add ToC (Table of Contents) for the Let's Encrypt section in docs/SSL.txt\n * Downgrade JSmin from 2.0.1 to 2.0.0 -- fixes #993\n * Fix for legacy cluster support\n * Fix for virtualbox detection -- see #972\n * Fix permissions on sites directories\n * Fix sites/all/drush permissions compatibility with Drush 8.2\n * Improve protection for custom solrconfig.xml and schema.xml -- fixes #969\n * Migration: xboa supports only Ægir 2.x -- #960\n * Reinstall default-jre on major OS upgrade, if needed -- fixes #986\n * Remote Drush support regression -- fixes #984\n * The ~/static/control/README.txt is not updated on octopus upgrade #965\n * Update docs/SOLR.txt to match currently supported procedures -- fixes #963\n * Use st_runner() wrapper only for apt-get/aptitude\n\n# Known problems:\n\n https://github.com/omega8cc/boa/milestones/3.1.x\n\n\n### Stable BOA-3.1.0 Release - Full Edition\n### Date: Thu May 26 16:41:40 PDT 2016\n### Milestone URL: https://github.com/omega8cc/boa/milestones/3.1.0\n### Latest hotfix added on: Mon May 30 08:55:03 PDT 2016\n\n @=> Includes Ægir Hostmaster 3.x-head with improvements\n @=> Includes Ægir Provision 3.x-head with improvements\n @=> Includes Drush 8 customized for BOA\n\n# Release Notes:\n\n This BOA release includes new features, system upgrades, improvements\n and bug fixes, with most notable features and changes listed below.\n All supported Drupal platforms have been updated to latest versions.\n\n @=> Let's Encrypt free SSL certificates are supported directly in Ægir\n @=> PHP-FPM version can be switched per site hosted on the same instance\n @=> Both Ægir control panel and its backend are compatible with PHP 7.0.7\n @=> Support for forced Drush cache clear in the Ægir backend\n @=> BOA can run Debian Wheezy to Debian Jessie upgrades easily\n\n More details on new features, enhancements and changes can be found below.\n\n\n ###\n#-### Let's Encrypt free SSL certificates are supported directly in Ægir\n ###\n\n You can find these important Let's Encrypt topics discussed below:\n\n # Introduction\n # How it works?\n # How to add Letsencrypt.org SSL certificate to hosted site?\n # How to add Letsencrypt.org SSL certificate to the Ægir Hostmaster site?\n # How to modify/renew Letsencrypt.org SSL certificate for SSL enabled site?\n # Are there any requirements, limitations or exceptions?\n # How to enable live mode?\n # How to replace Let's Encrypt certificate with custom certificate?\n\n [ Available also at: https://omega8.cc/node/381 ]\n\n This BOA release opens a new era in SSL support for all hosted Drupal sites.\n The old method of creating SSL proxy vhosts is officially deprecated,\n as explained in the docs/SSL.txt how-to:\n\n NOTE ###===>>>\n\n The old how-to is still useful if you prefer to use SSL termination separated\n from your Ægir system, or if you don't want to use built-in Letsencrypt.org\n SSL certificates support (available since BOA-3.1.0).\n\n But if you can use Letsencrypt.org SSL certificates, or you are willing to use\n also built-in BOA feature which allows you to replace Letsencrypt.org SSL\n certificate with any third-party certificate per site, while still managing SSL\n via Ægir control panel (for redirects, forced/required SSL mode), we highly\n recommend to use Ægir built-in SSL support, which is enabled and ready to use\n in all Octopus instances since BOA-3.1.0 release.\n\n NOTE ###===>>>\n\n * How it works?\n\n BOA leverages letsencrypt.sh utility to talk to Letsencrypt.org servers,\n and on the Ægir side it's using new `hosting_le` extension, which replaces\n self-signed SSL certificates generated by Ægir with Let's Encrypt ones.\n You can find more information on both at these URLs:\n\n https://github.com/lukas2511/letsencrypt.sh\n https://github.com/omega8cc/hosting_le\n\n * How to add Letsencrypt.org SSL certificate to hosted site?\n\n In your Ægir control panel please go to the site's node Edit tab, then\n under `SSL Settings > Encryption` choose either `Enabled` or `Required`,\n if you want to enable HTTP->HTTPS redirection on the fly. Now click `Save`\n and wait until you will see the Verify task completed. Done!\n\n NOTE: SSL Settings are not available in the Add Site form, only in Edit.\n\n * How to add Letsencrypt.org SSL certificate to the Ægir Hostmaster site?\n\n !!! WARNING\n !!! ###===>>> Don't enable SSL option for the Hostmaster site in Ægir\n !!! WARNING\n\n Let's Encrypt SSL for Ægir control panel is handled in BOA outside of\n the control panel, and you should never enable it within control panel.\n\n During octopus upgrade you will see this message, explaining what to do:\n\n BOA [02:44:59] ==> UPGRADE B: Letsencrypt SSL initial mode: DEMO\n BOA [02:44:59] ==> UPGRADE B: LE -- No real SSL certs will be generated\n BOA [02:44:59] ==> UPGRADE B: LE -- To enable live SSL mode, please delete file:\n BOA [02:44:59] ==> UPGRADE B: LE -- /data/disk/o1/tools/le/.ctrl/ssl-demo-mode.pid\n BOA [02:44:59] ==> UPGRADE B: LE -- Then run octopus forced upgrade\n\n * How to modify/renew Letsencrypt.org SSL certificate for SSL enabled site?\n\n When you modify aliases or redirections, Ægir will re-create the SSL\n certificate on the fly, to match current settings and aliases to list.\n\n BOA runs auto-renewal checks for you weekly, and forces renewal if there is\n less than 30 days to the certificate expiration date (Let's Encrypt certs\n are valid for up to 90 days before they have to be renewed).\n\n Also every Verify task against SSL enabled site runs this check on the fly.\n\n * Are there any requirements, limitations or exceptions?\n\n Yes, there are some:\n\n * All aliases must have valid DNS names pointing to your server IP address\n * Even with aliases redirection enabled all aliases are listed as SAN names\n * Avoid renaming SSL-enabled sites; move aliases between site's clones instead\n * Before you rename a site, disable SSL first; then re-enable once it's renamed\n\n NOTE: The Subject Alternative Names (SAN) is a feature which allows to issue\n multi-domain / multi-subdomain SSL certificates -- it is automated in BOA.\n\n Let's Encrypt API for live, real certificates has its own requirements\n and limits you should be aware of. Please visit their website for details:\n\n https://letsencrypt.org/docs/rate-limits/\n\n To make this new BOA feature easy to test before you will be ready to\n generate real, live SSL certificates, BOA comes with Let's Encrypt demo\n mode enabled by default, so it will not hit limits enforced for live,\n real Let's Encrypt SSL certificates. It allows to generate \"fake\" certs,\n similar to self-signed certificate used in BOA by default.\n\n NOTE: All sites with one or more keywords (listed below) in the site's\n main name (this exception rule doesn't apply to aliases) will be ignored,\n and they will receive only self-signed SSL certificates generated by Ægir,\n once you will switch their SSL settings to `Enabled` or `Required`.\n\n `.(dev|devel|temp|tmp|temporary|test|testing|stage|staging).`\n\n Examples: `foo.temp.bar.org`, `foo.test.bar.org`, `foo.dev.bar.org`\n\n NOTE: This exception rule doesn't apply to aliases which are not used\n as a redirection target. Even aliases with listed special keywords in their\n names will be listed as SAN entries, as long as they are valid DNS names.\n\n * How to enable live mode?\n\n It is enough to delete the `[aegir_root]/tools/le/.ctrl/ssl-demo-mode.pid`\n control file and run Verify task on any SSL enabled site again.\n\n NOTE: If you are on hosted BOA, you don't have an access to this location\n on your system, so please open a ticket at: https://omega8.cc/support\n\n You could switch it back and forth to demo/live mode by adding and deleting\n the control file, and it will re-register your system via Let's Encrypt API,\n but we have not tested how it may affect already generated live certificates\n once you will run the switch many times, so please try not to abuse\n this feature.\n\n It is important to remember that once you will switch the Let's Encrypt mode\n to demo from live, or from live to demo, by adding or removing the\n `[aegir_root]/tools/le/.ctrl/ssl-demo-mode.pid` control file, it will not\n replace all previously issued certificates instantly, because certificates\n are updated, if needed, only when you (or the BOA system for you during its\n daily maintenance, if used) will run Verify tasks on SSL enabled sites.\n\n These BOA specific Verify tasks are normally scheduled to run weekly,\n between Monday and Sunday, depending on the first character in the site's\n main name, so both live and demo certificates may still work in parallel\n for SSL enabled sites until it will be their turn to run Verify and update\n the certificate according to currently set Let's Encrypt mode.\n\n NOTE: You may find some helpful details in the Verify task log -- look for\n lines with `[hosting_le]` prefix.\n\n * How to replace Let's Encrypt certificate with custom certificate?\n\n 1. Create an empty control file (replace `example.com` with your site name):\n\n `[aegir_root]/tools/le/.ctrl/dont-overwrite-example.com.pid`\n\n 2. Replace `privkey.pem` symlink with single file containing your custom\n certificate key -- use `privkey.pem` as a filename in the directory:\n\n `[aegir_root]/tools/le/certs/example.com/`\n\n 3. Replace `fullchain.pem` symlink with single file containing your custom\n certificate and all intermediate certificates beneath it -- use\n `fullchain.pem` as a filename in the same directory:\n\n `[aegir_root]/tools/le/certs/example.com/`\n\n 4. Run Verify task for your site in the Ægir control panel. Done!\n\n NOTE: If you are on hosted BOA, you don't have an access to this location\n on your system, so please open a ticket at: https://omega8.cc/support\n\n\n ###\n#-### Support for PHP-FPM version switch per Octopus instance (also per site)\n ###\n\n ### ~/static/control/fpm.info\n ###\n ### This file, if exists and contains supported and installed PHP-FPM version,\n ### will be used by running every 2-3 minutes system agent to switch PHP-FPM\n ### version used for serving web requests by this Octopus instance.\n ###\n ### IMPORTANT: If used, it will switch PHP-FPM for all Drupal sites\n ### hosted on the instance, unless multi-fpm.info control file also exists.\n ###\n ### Supported values for single PHP-FPM mode which can be written in this file:\n ###\n ### 7.0\n ### 5.6\n ### 5.5\n ### 5.4\n ### 5.3\n ###\n ### NOTE: There must be only one line and one value (like: 7.0) in this file.\n ### Otherwise it will be ignored.\n ###\n ### It is now possible to make all installed PHP-FPM versions available\n ### simultaneously for sites on the Octopus instance with additional\n ### control file:\n ###\n ### ~/static/control/multi-fpm.info\n ###\n ### This file, if exists, will switch all hosted sites to highest\n ### available PHP-FPM version within the 5.3-5.6 range, with ability\n ### to override PHP-FPM version per site, if the site's name is listed\n ### in this additional control file, as shown below:\n ###\n ### foo.com 7.0\n ### bar.com 5.5\n ### old.com 5.3\n ###\n ### NOTE: Each line in the multi-fpm.info file must start with main site name,\n ### followed by single space, and then the PHP-FPM version to use.\n ###\n\n\n ###\n#-### Support for PHP-CLI version switch per Octopus instance (all sites)\n ###\n\n ### ~/static/control/cli.info\n ###\n ### This file, while similar to fpm.info, if exists and contains supported\n ### and installed PHP version, will be used by running every 2-3 minutes\n ### system agent to switch PHP-CLI version for this Octopus instance, but\n ### it will do this for all hosted sites. There is no option to switch this\n ### or override per site hosted.\n ###\n ### NOTE: While current Ægir version 3.x included in BOA works fine with\n ### latest PHP 7.0, many hosted sites, especially using Pressflow 6 core or\n ### older Drupal 7 core without required patch we have included since 7.43.2,\n ### will not work properly and Ægir tasks run against those sites may fail,\n ### so it's recommended to use PHP-CLI 5.6, unless you have verified that all\n ### sites on the instance support PHP 7.0 without issues.\n ###\n ### Supported values which can be written in this file:\n ###\n ### 7.0\n ### 5.6\n ### 5.5\n ### 5.4\n ### 5.3\n ###\n ### There must be only one line and one value (like: 5.6) in this control file.\n ### Otherwise it will be ignored.\n ###\n\n\n ###\n#-### Support for forced Drush cache clear in the Ægir backend\n ###\n\n ### ~/static/control/clear-drush-cache.info\n ###\n ### Octopus instance will pause all scheduled tasks in its queue, if it will\n ### detect a platform build from the makefile in progress, to make sure\n ### that no other running task could break the build.\n ###\n ### This is great, until there will be a broken build, and Drush will fail\n ### to clean up all leftovers from its .tmp/cache directory, which in turn\n ### will pause all tasks in the queue for up to 24-48 hours, until the cache\n ### directory will be automatically purged by running daily cleanup tasks,\n ### designed to not touch anything not old enough (24 hours at minimum)\n ### to not break any running builds.\n ###\n ### If you need to unlock the tasks queue by forcefully removing everything\n ### from the Ægir backend Drush cache, you can create an empty control file:\n ### ~/static/control/clear-drush-cache.info\n ###\n\n\n ###\n#-### BOA can run Debian Wheezy to Debian Jessie upgrades easily\n ###\n\n This feature works like it worked before for `_LENNY_TO_SQUEEZE=YES` and then\n for `_SQUEEZE_TO_WHEEZY=YES`. But make sure you follow all the steps exactly\n as listed below:\n\n 1. Upgrade both barracuda and octopus to current stable:\n\n $ cd;wget -q -U iCab http://files.aegir.cc/BOA.sh.txt;bash BOA.sh.txt\n $ barracuda up-stable\n $ octopus up-stable all both\n\n NOTE: You can upgrade octopus selectively, if you still need one running\n the old stable BOA-2.4.9 version, example:\n\n $ octopus up-2.4 o1 force\n $ octopus up-stable o2 force\n $ octopus up-stable o3 force\n\n 2. Add to your /root/.barracuda.cnf this line:\n\n _WHEEZY_TO_JESSIE=YES\n\n 3. Run another barracuda upgrade with command:\n\n $ barracuda up-stable\n\n 4. If there are no errors reported, try to run manual update:\n\n $ aptitude update\n $ aptitude full-upgrade\n\n It should tell you that there are no packages to upgrade left.\n\n 5. Reboot your system (preferably via remote console)\n\n $ reboot\n\n 6. Run barracuda upgrade again:\n\n $ barracuda up-stable\n\n 7. Try to run manual update:\n\n $ aptitude update\n $ aptitude full-upgrade\n\n It should tell you that there are no packages to upgrade left.\n\n 8. Congrats! You are running BOA stable on Debian Jessie.\n\n\n# New features and enhancements:\n\n * Add all aliases as Subject Alternative Names in Let's encrypt certs -- #941\n * Add auto-renewal procedure for Let's encrypt certs -- #942\n * Add option to exclude *.tar.gz Drush archives in backboa -- #936\n * Add Restaurant 1.11\n * Add support for arbitrarily selected redirection targets as valid SSL names\n * Allow to define PHP-FPM version per site hosted -- #935\n * Allow to use drush7 and drush8 on command line directly\n * Even with redirection enabled all aliases are listed as SAN names -- #964\n * Feature: _WHEEZY_TO_JESSIE major upgrade procedure -- #870\n * Let's encrypt support -- #500\n * New Relic integration compatibility with multi-FPM mode\n * Support for forced Drush cache clear in the Ægir backend\n * Use Let's encrypt for Hostmaster site (after Octopus upgrade) -- #940\n\n# Changes:\n\n * Do not allow XtraDB to crash the server due to single broken cache table\n * Nginx: Use faster 301/302 redirects\n * Nginx: Use only TLSv1.1 TLSv1.2\n * Redis: Exclude cache_form bin again to avoid rare issues with contrib\n * Use dynamic httpredir.debian.org mirrors\n\n# System upgrades:\n\n * cURL 7.49.0 (if installed from sources)\n * Jetty 9.2.16.v20160414\n * Nginx 1.11.0\n * PHP 5.5.36\n * PHP 5.6.22\n * PHP 7.0.7\n * Redis 3.2.0\n * SLF4J 1.7.21\n\n# Fixes:\n\n * Add compatibility with \"config.sh\" renamed to \"config\" in letsencrypt.sh\n * Add ssl_trusted_certificate directive required by ssl_stapling\n * Add warning: \"Don't enable SSL option for the Hostmaster site in Ægir\" -- #962\n * Check if parent dir exists before touching ctrl file -- #945\n * Do not clear drush cache on every hosting-dispatch -- #943\n * Do not create Letsencrypt cert for Hostmaster if still in demo mode\n * Do not force PHP rebuild on new cURL install from sources\n * Drush is broken error -- clear drush cache before testing it -- #946\n * Fix for backward compatibility with FPM pool tpl in 2.4\n * Fix for Chive auth (via SSH) access filtering\n * Fix for conflicting Jetty libs\n * Fix ownership and attr on usr home dirs / subdirs\n * Improve sub-accounts zombie cleanup\n * Let's Encrypt SSL - switching from demo to live -- #959\n * Make backboa sub-tasks delays optional and disable them by default -- #919\n * Nginx: Fix for ssl_dhparam if/else logic\n * Remove deprecated wildcard HTTPS warning\n * Run registry-rebuild before updatedb with --no-cache-clear -- #938\n * Set LE mode to DEMO on initial setup -- both on octopus install and upgrade\n * Skynet upgrades for limited shell configuration -- #950\n * Something is stuck after BOA upgrade to 3.0.2 -- #951\n * The makefile based platform creation fails with permissions error -- #943\n * The site's files should have Ægir backend user as an owner\n * Use strict paths checks to avoid running chown/chmod on parent dirs\n\n# Known problems:\n\n https://github.com/omega8cc/boa/milestones/3.1.x\n\n\n### Stable BOA-3.0.2 Release - Full Edition\n### Date: Tue May 3 22:26:09 PDT 2016\n### Milestone URL: https://github.com/omega8cc/boa/milestones/3.0.2\n### Latest hotfix added on: Fri May 6 08:42:13 PDT 2016\n\n @=> Includes Ægir Hostmaster 3.x-head with improvements\n @=> Includes Ægir Provision 3.x-head with improvements\n @=> Includes Drush 8 customized for BOA\n\n# Release Notes:\n\n This BOA release includes several important system upgrades, improvements\n and bug fixes. All supported platforms have been updated to latest versions.\n\n @=> Latest Drupal 7 core version used in BOA in all built-in platforms is\n compatible with latest PHP 7.0.6 -- you can switch your Octopus instance\n easily via fpm.info control file: https://omega8.cc/node/330 but please\n don't use 7.0 in cli.info, because it is not supported in the Ægir\n backend yet. PHP 7.0 can't be used if you have any Pressflow 6 site.\n\n# New features and enhancements:\n\n * Add idna_convert to hostmaster for IDN domain names auto-conversion -- #916\n * Allow to disable redis.path.inc feature via INI variable -- #815\n * Drupal 7.43.2 (with PHP 7 compatibility patch)\n * PHP 7 compatibility improvements -- #716\n * Pressflow 6.38.2 (only version update)\n * Truncate giant watchdog tables\n\n# Changes:\n\n * Disable (temporarily) support for outdated ERPAL distro\n * Disable auto-upgrade for legacy Octopus instances\n * Disable page cache only in hostmaster\n * Disable PAMAuthentication in pure-ftpd\n * Force PHP 5.6 or 5.5 cli.info in Octopus 2.4.9\n * Force Redis SOCKET mode if PORT was used before\n * Redis module mod-03-05-2016\n * Redis: Limit methods to define site prefix\n * Redis: Use maxmemory-policy volatile-ttl\n * Set redis_client_base\n * Use Redis in hostmaster\n * Use standard profile by default\n\n# System upgrades:\n\n * Drush micro-8-24-04-2016\n * MariaDB 10.0.25\n * MariaDB 5.5.49\n * MariaDB Galera Cluster 10.0.25\n * Nginx 1.9.15\n * OpenSSL 1.0.2h (used only in custom built Nginx)\n * PHP 5.5.35\n * PHP 5.6.21\n * PHP 7.0.6\n\n# Fixes:\n\n * Add check_boa_php_compatibility() procedure -- fixes #906\n * Add patch for registration error (Commons)\n * Avoid duplicate entries in hosting_cron on hostmaster install -- #928\n * Cron not running on cloned sites -- fixes #922\n * Disable hosting-pause / Provision -- not needed in BOA, may hang upgrade\n * Do not force TERM\n * Do not set $conf['redis_eval_enabled'] = TRUE;\n * Enable _DEBUG_MODE=YES on Octopus upgrade from BOA-2.4.9\n * Experimental hosting_git error, platform not installed -- fixes #904\n * Improve the provision_autoload_register_prefix check\n * Make sure that auto-generated robots.txt is OK -- fixes #925\n * Make sure that hostmaster cron is never disabled\n * Make sure to not set PHP 7 as system default\n * Restart php-fpm on upgrade as soon as possible\n * Run registry-rebuild directly after hostmaster-migrate\n * Run update_php_cli_cron() twice\n * Use inetutils-syslogd on VZ systems -- fixes #905\n * Use syncpass during hostmaster upgrade\n * Workaround for hostmaster upgrade from 2.x\n\n# Known problems:\n\n https://github.com/omega8cc/boa/milestones/3.1.1\n\n\n### Stable BOA-3.0.1 Release - Full Edition\n### Date: Mon Apr 11 18:49:43 PDT 2016\n### Milestone URL: https://github.com/omega8cc/boa/milestones/3.0.1\n\n @=> Includes Ægir Hostmaster 3.x-head with improvements\n @=> Includes Ægir Provision 3.x-head with improvements\n @=> Includes Drush 8 customized for BOA\n\n# Release Notes:\n\n This BOA release includes important fixes and improvements in the upgrade\n procedure from BOA-2.4.9 and in the initial install procedures, along with\n support for latest Drupal 8.0.x and 8.1.x as custom platforms you can create\n in the ~/static directory tree. We list here also all hot-fixes applied\n after initial BOA-3.0.1 release.\n\n @=> BOA will not include built-in Drupal 8 platforms until Drupal 8 will\n support symlinks in the codebase, like all previous core versions.\n\n @=> Octopus Ægir instances hosted on Power Engine option will *not* receive\n upgrade to BOA-3.x unless requested via https://omega8.cc/support\n to prevent issues with (often) customized Hostmaster modules not ready\n for Drupal 7 based Ægir control panel. All hosted BOA systems will still\n continue to receive the Barracuda system upgrades.\n\n @=> It is possible to host previous stable BOA-2.4.9 Octopus instances\n on systems with Barracuda upgraded to BOA-3.0.1\n\n# Known problems:\n\n https://github.com/omega8cc/boa/milestones/3.0.2\n\n# New features and enhancements:\n\n * Allow boa in-octopus to specify version {stable|head|2.4}\n\n# Changes:\n\n * Allow to execute compass over SSH\n * Allow to upload dot-files via SFTP\n * Remove/don't install not used blocks in Hostmaster\n\n# System upgrades:\n\n * Add mydropwizard-6.x-1.4 to all existing D6 platforms\n * Drush micro-8-08-04-2016\n * Lshell 0.9.18.3 -- #895\n * Nginx 1.9.14\n * PHP 5.5.34\n * PHP 5.6.20\n * PHP 7.0.5 (for testing only)\n * Redis module 7.x-3.12\n\n# Fixes:\n\n * 3.0.0 clean install is broken -- #899\n * boa in-2.4 fails to install on Debian Jessie -- #898\n * Can't git pull -- #890\n * CiviCRM error on verification D6 site -- #897\n * D7 API compatibility fix for node_save() in Hostmaster\n * Do not switch default PHP to 7.0 if installed\n * Drush issues: no aliases available -- #887\n * Fix for 3.x to 3.x upgrades\n * Fix for FPM master proc monitor\n * Fix for input filters upgrade path\n * Fix for series test to avoid downgrade attempts\n * Fix the legacy install mode -- #898\n * Less and more no longer allowed -- #896\n * Limit the list of allowed_shell_escape commands\n * Missing VBO options -- #892\n * Overlay header title not showing -- #889\n * Problems installing rvm / compass -- #895\n * Remove deprecated sftp restriction\n * Require BOA-2.4.9 before upgrade to BOA-3.x also in barracuda -- #886\n * Switch octopus upgrade mode automatically to legacy if needed\n * tar and gunzip fails because of permission denied -- #894\n * Use Drush 8 on command line -- #887\n * vi and vim both open nano instead of vim -- #893\n\n\n### Stable BOA-3.0.0 Release - Full Edition\n### Date: Wed Mar 30 10:48:54 PDT 2016\n### Milestone URL: https://github.com/omega8cc/boa/milestones/3.0.0\n### Latest hotfix added on: Wed Apr 6 17:40:12 PDT 2016\n\n @=> Includes Ægir Hostmaster 3.x-head with improvements\n @=> Includes Ægir Provision 3.x-head with improvements\n @=> Includes Drush 8 customized for BOA\n\n# Release Notes:\n\n This BOA release includes complete Ægir 3 with Drush 8, and introduces\n full support for latest Drupal 8.0.5 and Drupal 8.1.0-beta2 as custom\n platforms you can create in the ~/static directory tree.\n\n @=> BOA will not include built-in Drupal 8 platforms until Drupal 8 will\n support symlinks in the codebase, like all previous core versions.\n\n @=> All supported Ægir platforms have been updated to their latest releases\n\n @=> Octopus Ægir instances hosted on Power Engine option will *not* receive\n upgrade to BOA-3.x unless requested via https://omega8.cc/support\n to prevent issues with (often) customized Hostmaster modules not ready\n for Drupal 7 based Ægir control panel. All hosted BOA systems will still\n continue to receive the Barracuda system upgrades.\n\n @=> It is possible to host previous stable BOA-2.4.9 Octopus instances\n on systems with Barracuda upgraded to BOA-3.0.0\n\n# Known problems:\n\n https://github.com/omega8cc/boa/milestones/3.0.1\n\n While clean 3.0.0 install worked in our tests before the release, it doesn't\n work for others. Until this problem is fixed properly without regressions,\n we are switching boa installer back to 2.4.9, which makes getting 3.0.0\n on initial installation a two step operation: first 'boa in-stable' install\n to get 2.4.9, and then 'barracuda up-stable' plus 'octopus up-stable' upgrade\n to get 3.0.0, because upgrades for barracuda and octopus from 2.4.9 to 3.0.0\n work fine.\n\n This also means that 'boa in-octopus' will still install the legacy 2.4.9\n octopus extra instances, and you can upgrade them to 3.0.0 with standard\n 'octopus up-stable' mode.\n\n It is still possible to test/debug boa 3.0.0 clean installs -- just create\n an empty /root/.debug-boa-installer.cnf file before running the installer.\n\n# New features and enhancements:\n\n * Add Hosting Git optional feature -- fixes #753\n * Add mydropwizard module to D6 o_contrib by default\n * Add support for ap-northeast-2 Asia Pacific (Seoul) S3\n * Add support for PHP 7.0 -- experimental ! -- fixes #716\n * Add support for VServer kernel 4.1.19-vs2.3.8.4-beng\n * BOA with Ægir Hostmaster 3.x -- fixes #715\n * Switch to Drush 8 for Drupal 8 -- fixes #729\n * Allow to randomize duplicity full backup schedule\n * Monitor and block SSH connections flood\n * Run registry-rebuild in drush_provision_drupal_post_provision_deploy()\n\n# Changes:\n\n * Add linkchecker module to Contrib [F]orce[D]isabled\n * Deny sudo/su switch if used for root access - fixes #879\n * Do not install / remove auditd on VServer systems\n * Do not install / remove udev on VServer systems\n * Merge hosting_advanced_cron into Ægir core cron\n * Use Redis 7.x-3.x integration module\n\n# System upgrades:\n\n * Boto 2.39.0-fix-python-2.7.9 (please run 'backboa install' to upgrade)\n * CSF 8.16\n * Drush mini-8-08-03-2016\n * Duplicity 0.7.06 (please run 'backboa install' to upgrade)\n * Lshell 0.9.18.3\n * MongoDB database driver 1.6.13 for all PHP versions < 7 -- fixes #521\n * Nginx 1.9.14\n * OpenSSH 7.2p2 (if installed from sources)\n * OpenSSL 1.0.2g (used only in custom built Nginx)\n * PHP 5.5.34\n * PHP 5.6.20\n * PHP 7.0.5 (for testing only)\n * Twig C extension for PHP - v.1.24.0\n * Use PHP jsmin 2.0.1 ext with newer PHP versions - fixes #878\n\n# Fixes:\n\n * [system] sync fix_locales for root -- fixes #880\n * Add mydropwizard-6.x-1.4 to all existing D6 platforms\n * Auto-Update lshell.conf on all systems\n * Fix for 3.x to 3.x upgrades\n * Fix for entitycache 1.2 to 1.5 upgrade problem #868\n * Fix for FPM master proc monitor\n * Fix for series test to avoid downgrade attempts\n * Numerous lshell problems -- fixes #896 #895 #894 #893 #890\n * Problems installing rvm / compass -- fixes #895\n * Require 2.4.9 before upgrade to 3.0.0 also in barracuda -- fixes #886\n * Restart rsyslog/sysklogd aggressively enough\n * Switch boa meta installer to 2.4.9 until #899 is fixed\n * Switch octopus upgrade mode automatically to legacy if needed\n * Sync max_user_connections\n * Update map $http_user_agent $is_crawler\n * Use Drush 7 on command line until #887 is fixed\n\n\n### Stable BOA-2.4.9 Release - Full Edition\n### Date: Sat Feb 27 15:22:11 GMT 2016\n### Milestone URL: https://github.com/omega8cc/boa/milestones/2.4.9\n\n @=> Includes Ægir Hostmaster 2.x-head with improvements\n @=> Includes Ægir Provision 3.x-head with improvements\n @=> Includes Drush 7 customized for BOA\n\n# Release Notes:\n\n This BOA release includes latest Drupal 7 and Pressflow 6 security updates,\n along with bug fixes and other system software updates.\n\n @=> All supported Ægir platforms have been updated to their latest releases\n\n @=> What are BOA plans for Drupal 6 support after February 24th, 2016?\n\n We will support Drupal/Pressflow 6 in all new releases, as long as\n available PHP versions will allow to use it (we run our own Pressflow 6\n based site on PHP 5.6 for many months with zero issues). For more details\n please check: https://github.com/omega8cc/boa/issues/824\n\n @=> Even if deprecated PHP versions are still included in this release,\n any Octopus instance running PHP older than 5.5 will not be able to\n receive upgrade to BOA-2.4.9, as announced before -- Please switch your\n Octopus to PHP 5.6 or at least 5.5 to be able to upgrade not only\n the Barracuda system part of BOA, but also Octopus Satellite --\n The how-to can be found at: https://omega8.cc/node/330\n\n @=> Drupal 8 support for custom platforms in the ~/static directory tree\n will be included, along with Drush 8 and Hostmaster 3.x in the upcoming\n BOA-3.0.0 release: https://github.com/omega8cc/boa/milestones/3.0.0\n Note: BOA will not include built-in Drupal 8 platforms until Drupal 8\n will support symlinks in the codebase, like all previous core versions\n\n# System upgrades:\n\n * MariaDB Galera Cluster 10.0.24\n * Nginx 1.9.12\n\n# Fixes:\n\n * Do not force Ruby with RVM for root on every upgrade\n * SQL max_user_connections autoconf value can be too low -- fixes #873\n\n\n### Stable BOA-2.4.8 Release - Full Edition\n### Date: Sat Feb 20 11:28:05 GMT 2016\n### Milestone URL: https://github.com/omega8cc/boa/milestones/2.4.8\n### Latest hotfix added on: Mon Feb 22 18:28:51 GMT 2016\n\n @=> Includes Ægir Hostmaster 2.x-head with improvements\n @=> Includes Ægir Provision 3.x-head with improvements\n @=> Includes Drush 7 customized for BOA\n\n# Release Notes:\n\n This BOA release includes several important system upgrades and bug fixes,\n with most notable features and changes listed below.\n\n @=> Debian 8 Jessie is fully supported, but includes only PHP 5.5 and 5.6\n\n @=> All supported Ægir platforms have been updated with latest Drupal cores\n\n @=> Even if deprecated PHP versions are still included in this release,\n any Octopus instance running PHP older than 5.5 will not be able to\n receive upgrade to BOA-2.4.8, as announced before -- Please switch your\n Octopus to PHP 5.6 or at least 5.5 to be able to upgrade not only\n the Barracuda system part of BOA, but also Octopus Satellite --\n The how-to can be found at: https://omega8.cc/node/330\n\n @=> Drupal 8 support for custom platforms in the ~/static directory tree\n will be included, along with Drush 8 and PHP 7 in the *upcoming*\n BOA-3.0.0 release: https://github.com/omega8cc/boa/milestones/3.0.0\n Note: BOA will not include built-in Drupal 8 platforms until Drupal 8\n will support symlinks in the codebase, like all previous core versions\n\n @=> What are BOA plans for Drupal 6 support after February 24th, 2016?\n\n We will support Drupal/Pressflow 6 in all new releases, as long as\n available PHP versions will allow to use it (we run our own Pressflow 6\n based site on PHP 5.6 for many months with zero issues). For more details\n please check: https://github.com/omega8cc/boa/issues/824\n\n# Changes:\n\n * Add \"boa info\" and 'boa info more' helper command\n * Add branch support in the boa wrapper\n * Allow to force re-install with /root/.force.reinstall.cnf present\n * Allow to run existing Octopus 2.4 on the upcoming Barracuda 3.0\n * Deny Octopus upgrade unless it is running on a compatible PHP version 5.5+\n * Full backboa backups are scheduled on Sunday, unless custom _AWS_FLC is set\n * Full duobackboa backups will run on Saturday, unless custom _AWS_FLC is set\n * Make base nice configurable via _B_NICE variable\n * Nginx: Sync htaccess level protection with Drupal core\n * Nginx: Update map $http_user_agent $is_crawler\n * Only instance already running 2.4.8 can upgrade to upcoming 3.0.0\n * Remove no longer supported T1lib in PHP\n * Remove support for deprecated OS versions -- fixes #802\n * Replace in-legacy and up-legacy with version specific commands\n * Revert \"Issue #2377819: Gzipping backups suppresses file permissions errors\"\n * Run minimal modules en/dis procedure on Wednesday and full on Saturday\n * Skip legacy PHP 5.3 and 5.4 on Jessie\n * Support for Debian 8 Jessie -- fixes #702\n * The _MODULES_FIX variable is set to YES by default\n * The _PERMISSIONS_FIX variable is set to YES by default -- fixes #593\n\n# System upgrades:\n\n * Git 2.7.0 (if installed from sources)\n * MariaDB 10.0.24\n * MariaDB 5.5.48\n * Nginx 1.9.11\n * OpenSSH 7.1p2 (if installed from sources)\n * OpenSSL 1.0.2f (used only in custom built Nginx)\n * PHP 5.5.32\n * PHP 5.6.18\n * PHP: Imagick 3.3.0\n * Redis 3.0.7\n * Ruby 2.3.0\n\n# Fixes:\n\n * Add duobackboa docs\n * Add missing libs in Jessie\n * Allow to install a specific PHP version on a local install -- fixes #848\n * Allow to run upgrade from not really 3.x HEAD to 2.4.8\n * Automate /root/.force.reinstall.cnf and improve docs\n * Disable Octopus 3.x specific version check (tmp) for 2.4.8\n * Disable spinner on Jessie\n * Do not force rebuild on systems installed with 2.4.8\n * Do not kill long running php-fpm childs\n * Do not run the old D7 core fix on newer BOA versions -- fixes #842\n * Do not wait for simple sed replacements -- fixes #838\n * Fix a typo in some locCnf variable calls -- fixes #854\n * Fix for ignored boa_platform_control.ini\n * Fix for MariaDB version check\n * Fix for not working S3 bucket connection test\n * Fix for process.max and pm.max_children\n * Fix for undefined locCnf variable in BOND - fixes #748\n * Fix the logic in mysql_proc_kill()\n * Fix too aggressive Jetty monitoring\n * Force clean rsyslog/sysklogd restart if required\n * Force rebuild for affected services built from sources -- CVE-2015-7547\n * Improve backup sub-tasks randomized schedule\n * Improve initial install how-to with screen\n * Locales check should not be used with screen session -- fixes #871\n * Nginx: Remove duplicate $args on redirects\n * Nginx: Workaround for broken autocomplete\n * Remove dependency on _MODULES_FIX=YES -- fixes #592\n * Remove no longer used _SSL_FROM_SOURCES logic\n * Remove systemd on Debian Jessie -- fixes #840\n * Restart syslog hourly\n * Run drush cache cleanup only once per account\n * Speed up backup tasks by removing extra conn_test\n * Speed up backup tasks by running extended cleanup and reporting weekly\n * Speed up initial setup procedure\n * Sync wait randomizer max value\n * Upgrade wkhtmltopdf and wkhtmltoimage to 0.12.3 - fixes #858\n * Use date %u day of week (1..7); 1 is Monday\n * Whitelist missing upload progress path\n\n\n### Stable BOA-2.4.7 Release - Full Edition\n### Date: Fri Dec 4 08:09:21 PST 2015\n### Milestone URL: https://github.com/omega8cc/boa/milestones/2.4.7\n### Latest hotfix added on: Thu Dec 10 10:10:26 PST 2015\n\n @=> Includes Ægir Hostmaster 2.x-head with improvements\n @=> Includes Ægir Provision 3.x-head with improvements\n @=> Includes Drush 7 customized for BOA\n\n# Release Notes:\n\n This BOA release includes several important system upgrades and bug fixes,\n with most notable features and changes listed below.\n\n @=> All supported Ægir platforms have been updated with latest Drupal cores\n\n @=> Drupal 8 support for custom platforms in the ~/static directory tree\n will be included, along with Drush 8 and PHP 7 in the *upcoming*\n BOA-3.0.0 release: https://github.com/omega8cc/boa/milestones/3.0.0\n\n @=> This BOA release (2.4.7) is the last release which still supports\n deprecated PHP versions: 5.3 and 5.4 -- You should switch to PHP 5.6\n or at least 5.5 as soon as possible, or you will not be able to upgrade\n to newer BOA versions after 2.4.7 -- https://omega8.cc/node/330\n\n @=> What are BOA plans for Drupal 6 support after February 24th, 2016?\n\n We will support Drupal/Pressflow 6 in all new releases, as long as\n available PHP versions will allow to use it (we run our own Pressflow 6\n based site on PHP 5.6 for many months with zero issues). For more details\n please check: https://github.com/omega8cc/boa/issues/824\n\n @=> SSH (RSA) keys for root are required by newer OpenSSH versions used in BOA\n\n BOA installs SSH from sources by default (Debian only). This means that\n password based access for root will not work once BOA is installed or\n upgraded to current stable version. It is a result of OpenSSH changes\n in recent releases and not BOA specific change. BOA will deny the initial\n install and Barracuda will refuse to run upgrade if it detects that system\n root has no SSH (RSA) keys added and only password based access is available.\n You can still modify this behaviour in /usr/etc/sshd_config but future\n OpenSSH versions may still revert such changes, so it is not recommended.\n\n @=> BOA switched from SPDY to HTTP/2 + PFS on all supported OS versions\n\n# Changes:\n\n * Allow to disable SQL monitoring with /root/.no.sql.cpu.limit.cnf -- #799\n * Disable page caching on the fly where needed\n * Disable temporarily support for broken Restaurant distro\n * Do not rebuild features and entities on cache clear\n * Document new requirement: SSH (RSA) keys for root -- fixes #786 #833\n * Make ioncube_loader optional and disable by default with _PHP_IONCUBE=NO\n * Nginx SSL: enable OCSP stapling by default\n * Nginx SSL: enable OCSP stapling for existing HTTPS vhosts\n * Nginx: Add ssl_dhparam to existing vhosts, if needed\n * Nginx: HTTP/2 replaces SPDY -- fixes #624\n * PHP: Add YAML extension with LibYAML\n * Preserve customized /etc/sysctl.conf -- fixes #789\n * Run modules ON/OFF only weekly -- requires _MODULES_FIX=YES (default is NO)\n * Run most of crontab, install and upgrade tasks with low priority using\n nice and ionice -- fixes #780\n\n# System upgrades:\n\n * cURL 7.45.0 (if installed from sources)\n * GEOS 3.5.0 (requires _PHP_GEOS=YES)\n * Git 2.6.1 (if installed from sources)\n * MariaDB 10.0.22\n * MariaDB 5.5.47\n * MariaDB Galera Cluster 10.0.22\n * Nginx 1.9.7\n * OpenSSL 1.0.2e (used only in custom built Nginx)\n * PHP 5.5.30\n * PHP 5.6.16\n * Redis 3.0.5\n\n# Fixes:\n\n * Add /root/.skip_cleanup.cnf support\n * Add feature branch testing in HEAD\n * Avoid load spikes caused by long running tasks\n * Avoid race conditions on multi-line sed replacement -- fixes #806\n * Clean up any remaining procs zombies\n * Clean up postfix queue to get rid of bounced emails\n * Disable ioncube and opcache for HHVM\n * Disable Redis for Hostmaster in the backend\n * Do not allow to install non-standard OpenSSH on Ubuntu\n * Do not break /data/all/cpuinfo permissions on Octopus upgrade\n * Do not run 'apt-get autoremove' automatically\n * Do not use wrapper for dot-files cleanup\n * Document better BOA aggressive installation behavior -- fixes #811\n * Document boa in-octopus command -- fixes #817\n * Don't strip $args from $request_uri in redirects\n * Fix cron schedule for upgrades\n * Fix for /etc/sudoers on _SQUEEZE_TO_WHEEZY\n * Fix for broken Git on Ubuntu\n * Fix for DNS on _SQUEEZE_TO_WHEEZY\n * Fix for not working PHP rebuild check\n * Fix for not working syncpass tool\n * Fix for Ruby rebuild on _SQUEEZE_TO_WHEEZY\n * Fix PHP deprecated warning in D8 -- fixes #804\n * Ignore 'env COLUMNS' sent by Drush remotely -- fixes #373\n * Ignore daily.sh in clear.sh\n * Improve _SQUEEZE_TO_WHEEZY procedure -- #627\n * Improve cron tasks schedule\n * Improve daily cleanup performance + support for /root/.giant_traffic.cnf\n * Improve devpts check -- fixes #788\n * Improve docs/MIGRATE.txt\n * Improve resolv.conf auto-recovery procedure\n * Improve system check -- fixes #811\n * Move Redis restart procedure to correct script\n * PHP: Add missing path to open_basedir for CLI\n * Remove debug code to not kill the initial install\n * Remove not working /etc/logrotate.d/lshell -- fixes #823\n * Update advagg auto configuration variables -- fixes #792\n * Update boa/lib/functions/helper.sh.inc with current OS -- fixes #787\n * Update FPM workers autoconf logic\n * Update the cache cleanup logic\n * Use better placeholder for solr_integration_module variable\n * Use correct DPkg::Options for dist-upgrade -- fixes #627\n * Use known MySQLTuner version -- fixes #827\n * Use LibYAML 0.1.6\n * Use opcache.restrict_api\n * Use sha256 for self-signed certs\n\n\n### Stable BOA-2.4.6 Release - Full Edition\n### Date: Sat Sep 19 11:09:09 PDT 2015\n### Milestone URL: https://github.com/omega8cc/boa/milestones/2.4.6\n### Latest hotfix added on: Mon Sep 21 05:18:33 PDT 2015\n\n @=> Includes Ægir Hostmaster 2.x-head with improvements\n @=> Includes Ægir Provision 3.x-head with improvements\n @=> Includes Drush 7 customized for BOA\n\n# Release Notes:\n\n This BOA release includes several important system upgrades and bug fixes.\n All supported Ægir platforms have been updated with latest Drupal cores.\n\n# Changes:\n\n * Add Twig C extension to PHP - v.1.22.1\n * Allow to customize auto-upgrades mode\n * Disable support for broken OpenScholar and Recruiter\n * Open default Postgres port for outgoing connections\n * Remove support for deprecated Feature Server distro\n * Remove support for deprecated OpenAcademy distro\n * Remove support for deprecated OpenBlog distro\n * Remove support for deprecated OpenChurch v.1 distro\n * Remove support for deprecated OpenDeals distro\n * Use distro specific Drupal core for problematic distros\n\n# System upgrades:\n\n * cURL 7.44.0 (if installed from sources)\n * Duplicity 0.7.05 (please run 'backboa install' to upgrade)\n * Jetty 7.6.17.v20150415\n * Jetty 8.1.17.v20150415\n * MariaDB 10.0.21\n * MariaDB 5.5.45\n * MariaDB Galera Cluster 10.0.21\n * Nginx 1.9.4\n * OpenSSH 7.1p1 (if installed from sources)\n * PHP 5.6.13, 5.5.29, 5.4.45\n * PHP: ionCube loader 5.0.18\n * Pure-FTPd 1.0.42\n * Redis 3.0.4\n * Ruby 2.2.3, 2.0.0-p647\n * Use pecl-jsmin-1.1.0\n\n# Fixes:\n\n * Allow to re-install deleted D7/D6 platforms when dev doesn't exist\n * Do not install phpunit -- it adds many PHP tools we don't need\n * Drush requires php-eval to run drush_find_tmp() in sql-sync\n * Fix apache cleanup\n * Fix invalid regex in the INI docs\n * Improve auto-healing for SSHd\n * Improve Nginx DoS an DDoS protection\n * Improve pdnsd auto-healing\n * Improve SSL Docs to add more detail about multidomain certificates #757\n * Issue #766 - Fix for broken boa in-octopus procedure\n * Nginx: Fix support for s3/files/styles (s3fs)\n * Restart PHP-FPM if too many running childs are detected\n * Sync .htaccess with D7 core\n * Sync keywords for exceptions in daily.sh with global.inc\n * Use short sleep on firewall temp blocks cleanup\n\n\n### Stable BOA-2.4.5 Release - Full Edition\n### Date: Fri Jul 10 11:25:43 PDT 2015\n### Milestone URL: https://github.com/omega8cc/boa/milestones/2.4.5\n### Latest hotfix added on: Fri Jul 10 14:49:11 PDT 2015\n\n @=> Includes Ægir Hostmaster 2.x-head with improvements\n @=> Includes Ægir Provision 3.x-head with improvements\n @=> Includes Drush 7 customized for BOA\n\n# Release Notes:\n\n This BOA release includes PHP security upgrade for versions 5.6, 5.5 and 5.4\n plus security upgrade for Redis server and four updated Octopus platforms.\n\n Support for Drupal 8 is temporarily removed, because now it would require\n an upgrade to Drush 8, which in turn completely removes support for PHP 5.3,\n while it's still more important to support legacy Pressflow 6 sites, if they\n are not ready to move beyond PHP 5.3 yet, than trying to support some\n (too fast) moving targets like Drupal 8 beta, and Drush 8 head.\n\n# Updated Octopus platforms:\n\n Commerce 2.26 ---------------- https://drupal.org/project/commerce_kickstart\n Commons 3.28 ----------------- https://drupal.org/project/commons\n OpenAtrium 2.43 -------------- https://drupal.org/project/openatrium\n Panopoly 1.25 ---------------- https://drupal.org/project/panopoly\n\n# Changes:\n\n * Drupal 8 is not supported until we can switch to Drush 8 and remove PHP 5.3\n\n# System upgrades:\n\n * Nginx 1.9.2\n * PHP 5.4.43\n * PHP 5.5.27\n * PHP 5.6.11\n * Redis 3.0.2\n\n\n### Stable BOA-2.4.4 Release - Full Edition\n### Date: Fri Jul 3 12:08:29 PDT 2015\n### Milestone URL: https://github.com/omega8cc/boa/milestones/2.4.4\n### Latest hotfix added on: Thu Jul 9 10:28:42 PDT 2015\n\n @=> Includes Ægir Hostmaster 2.x-head with improvements\n @=> Includes Ægir Provision 3.x-head with improvements\n @=> Includes Drush 7 customized for BOA\n\n# Release Notes:\n\n This BOA release includes several important system upgrades and bug fixes.\n\n All supported Ægir platforms have been updated with latest Drupal cores.\n\n This version automatically switches all hosted sites to PHP 5.5 on systems\n hosted and managed remotely by Omega8.cc support team, unless you have\n explicitly switched your Octopus instance to use PHP version you prefer.\n Using PHP older than 5.5 is strongly discouraged, for security, stability and\n performance reasons.\n\n# Changes:\n\n * Do not change mysql root password by default -- workaround for #642\n * Enable advagg_async_generation by default\n * Logic update for /root/.high_traffic.cnf\n * Redis Integration Module: Update to version mod-26-06-2015\n * Use modern ssl_ciphers in all templates by default\n\n# System upgrades:\n\n * cURL 7.43.0 (if installed from sources)\n * Drush mini-7-30-06-2015 -- fixes #734\n * MariaDB 5.5.44\n * MariaDB Galera Cluster 10.0.20\n * Nginx 1.9.1\n * OpenSSH 6.9p1 (if installed from sources)\n * OpenSSL 1.0.1p (if installed from sources)\n * PHP 5.4.42\n * PHP 5.5.26\n * PHP 5.6.10\n * PHPRedis master-27-06-2015\n * Pure-FTPd 1.0.41\n * vnStat 1.14\n\n# Fixes:\n\n * Add 'grep' to overssh -- a list of commands allowed to execute over SSH\n * Broken pdnsd configuration breaks DNS resolver -- fixes #701\n * Do not force update_agents()\n * Do not modify rkey/debug args in barracuda log/system upgrade mode\n * Don't remove Drupal 6 core themes -- fixes #738\n * Fix for legacy vnStat config\n * Fixed backboa/duobackboa retrieve from remote host -- fixes #741\n * Improve system cron tasks queue\n * Incorrect permissions on /usr/bin/optipng - fixes #722\n * Mitigate LOGJAM - fixes #723\n * Restart Postfix after system DNS update -- #701\n * Skip daily reload on high traffic instances\n * Sync SQL connection limits with _PHP_FPM_WORKERS variable - fixes #699\n * Use _AWS_URL to properly handle us-east-1 exception\n * Use 2048 bit where possible - see #723\n * Use better default value for advagg_cache_level - fixes #726\n\n\n### Stable BOA-2.4.3 Release - Full Edition\n### Date: Tue May 19 13:40:40 PDT 2015\n### Milestone URL: https://github.com/omega8cc/boa/milestones/2.4.3\n### Latest hotfix added on: Fri Jun 5 04:43:50 PDT 2015\n\n @=> Includes Ægir Hostmaster 2.x-head with improvements\n @=> Includes Ægir Provision 3.x-head with improvements\n @=> Includes Drush 7 customized for BOA\n\n# Release Notes:\n\n This BOA release is focused on Ægir platforms update with latest Drupal core\n included. There are also a few system updates and bug fixes, as listed below.\n\n# Changes:\n\n * Redis Integration Module: Update to version mod-08-05-2015\n * Use HTTPS intermediate mode to support legacy systems like XP/IE8 - see #718\n\n# System upgrades:\n\n * Drush mini-7-08-05-2015\n * MariaDB 10.0.19\n * MariaDB Galera Cluster 10.0.19\n * PHP 5.4.41\n * PHP 5.5.25\n * PHP 5.6.9\n * Redis 3.0.1\n\n# Fixes:\n\n * CiviCRM known bugs and regressions fixed\n * Improve drush aliases cleanup\n * Redis: sync net.core.somaxconn with tcp-backlog\n * sqlmagic: do not escape backslashes and EOL character - fixes #672\n * SQL dump definer regexp causes invalid SQL during migrate/clone - #2497091\n * Fix for backward compatibility with old Galera versions\n\n\n### Stable BOA-2.4.2 Release - Full Edition\n### Date: Mon Apr 27 11:12:09 PDT 2015\n### Milestone URL: https://github.com/omega8cc/boa/milestones/2.4.2\n### Latest hotfix added on: Fri May 1 02:07:54 PDT 2015\n\n @=> Includes Ægir Hostmaster 2.x-head with improvements\n @=> Includes Ægir Provision 3.x-head with improvements\n @=> Includes Drush 7 customized for BOA\n\n# Release Notes:\n\n This BOA release includes 15 updated Ægir platforms with latest Drupal core,\n 2 new features and enhancements, 13 new software versions, 3 other changes,\n plus over 20 bug fixes.\n\n# Updated Octopus platforms:\n\n aGov 1.7 --------------------- https://drupal.org/project/agov\n Commerce 1.36 ---------------- https://drupal.org/project/commerce_kickstart\n Commerce 2.23 ---------------- https://drupal.org/project/commerce_kickstart\n Commons 2.24 ----------------- https://drupal.org/project/commons\n Commons 3.25 ----------------- https://drupal.org/project/commons\n Guardr 2.11 ------------------ https://drupal.org/project/guardr\n OpenAid 2.1 ------------------ https://drupal.org/project/openaid\n OpenAtrium 2.33 -------------- https://drupal.org/project/openatrium\n OpenChurch 1.17-b2 ----------- https://drupal.org/project/openchurch\n OpenChurch 2.1-b7 ------------ https://drupal.org/project/openchurch\n OpenOutreach 1.19 ------------ https://drupal.org/project/openoutreach\n OpenPublic 1.5 --------------- https://drupal.org/project/openpublic\n Panopoly 1.21 ---------------- https://drupal.org/project/panopoly\n Recruiter 1.6 ---------------- https://drupal.org/project/recruiter\n Restaurant 1.0-b12 ----------- https://drupal.org/project/restaurant\n\n @=> NOTE: Drupal 8 support is broken in this release, because latest Drush\n doesn't support older Drupal 8 beta versions, while new D8 beta is not\n released and tested yet, and we really need latest Drush to fix broken\n D6->D7 upgrade path, so we could prepare for full Ægir 3, which comes\n with D7 in the frontend.\n\n# New features and enhancements:\n\n * Re-create files/robots.txt if older than 7 days\n * Restore default DNS when /root/.use.default.nameservers.cnf exists\n\n# Changes:\n\n * Enable SPDY and PFS by default - fixes #545\n * Use GitLab as a secondary mirror\n * Whitelist drush pm-updatestatus\n\n# System upgrades:\n\n * cURL 7.42.1 (if installed from sources)\n * Drush mini-7-25-04-2015\n * Duplicity 0.7.02 (please run 'backboa install' to upgrade)\n * MariaDB 5.5.43\n * MariaDB Galera Cluster 10.0.17\n * MySecureShell master-20-03-2015\n * Nginx 1.8.0\n * OpenSSH 6.8p1 (if installed from sources)\n * OpenSSL 1.0.2a (if installed from sources)\n * PHP 5.6.8, 5.5.24, 5.4.40\n * PHPRedis master-18-03-2015\n * Redis 3.0.0\n * Ruby 2.2.2\n\n# Fixes:\n\n * Add service cron start to migrate docs - fixes #654\n * BOA.sh.txt should update installers when invoked interactively - fixes #644\n * Do not add Google DNS when custom DNS is expected\n * Do not count requests for images derivatives if private files mode is used\n * Do not create conflicting plain HTTP proxy for single IP mode - fixes #465\n * Force csf/lfd update before and after running barracuda upgrade - fixes #685\n * How to enable permanent redirect to HTTPS with single IP - #465\n * Improve DNS self-healing magic - see #674\n * Improve FPM auto-healing to properly detect conflicting instances\n * Make sure that dl mirrors never get blocked\n * Nginx: Stop the POST flood to /autodiscover/autodiscover.xml\n * Nginx: Use dummy db fastcgi_param placeholders if any of them is empty\n * Remove aggresive firewall cleanup - fixes #688\n * Remove onetime fix intended to sync new defaults - fixes #678\n * Update absolute URLs to files for sites cloned/migrated/renamed\n * Update composer on barracuda upgrade\n * Use _TOMCAT_TO_JETTY=NO in cnf template to avoid confusion - see #676\n * Use correct placeholder in the xboa proxy - fixes #655\n * Use MAIN_SITE_NAME instead of possibly fake SERVER_NAME - see #385\n * Where to add the SSL redirect configuration snippet - fixes #681\n\n\n### Stable BOA-2.4.1 Release - Full Edition\n### Date: Sun Mar 8 14:56:51 PDT 2015\n### Milestone URL: https://github.com/omega8cc/boa/milestones/2.4.1\n### Latest hotfix added on: Wed Mar 11 11:58:52 PDT 2015\n\n @=> Includes Ægir Hostmaster 2.x-head with improvements\n @=> Includes Ægir Provision 3.x-head with improvements\n @=> Includes Drush 7.0.0-alpha9 customized for BOA\n\n# Release Notes:\n\n This new BOA release includes one new and 12 updated Ægir platforms,\n 8 new features and enhancements, 15 new software versions, 10 other changes,\n plus over 38 bug fixes, with most notable features and changes listed below:\n\n @=> Add duobackboa with /root/.duobackboa.cnf file to run duplicate backups\n @=> Add SSL with TLS/SNI on server with one IP, multiple certificates support\n @=> Add support for Octopus batch migration - see docs/MIGRATE.txt for details\n @=> Allow to use _PHP_GEOS=YES with all PHP versions\n\n# New Octopus platforms:\n\n OpenAid 2.0 ------------------ https://drupal.org/project/openaid\n\n# Updated Octopus platforms:\n\n Commerce 1.33 ---------------- https://drupal.org/project/commerce_kickstart\n Commerce 2.21 ---------------- https://drupal.org/project/commerce_kickstart\n Commons 2.22 ----------------- https://drupal.org/project/commons\n Commons 3.22 ----------------- https://drupal.org/project/commons\n Drupal 8.0.0-b7 -------------- https://drupal.org/drupal-8.0\n Guardr 2.8 ------------------- https://drupal.org/project/guardr\n OpenAtrium 2.32 -------------- https://drupal.org/project/openatrium\n OpenChurch 2.1-b5 ------------ https://drupal.org/project/openchurch\n OpenOutreach 1.16 ------------ https://drupal.org/project/openoutreach\n OpenScholar 3.20.0 ----------- http://theopenscholar.org\n Panopoly 1.18 ---------------- https://drupal.org/project/panopoly\n Recruiter 1.5 ---------------- https://drupal.org/project/recruiter\n\n# New features and enhancements:\n\n * Add compatibility with latest VS beng kernel\n * Add duobackboa with /root/.duobackboa.cnf file to run duplicate backups\n * Add support for multivalued fields in SOLR 4 - pull request #626\n * Add support for mysqladmin proc logging\n * Add support for Octopus batch migration - see docs/MIGRATE.txt for details\n * Add support for scout/mysql monitoring\n * CSF: Add popular ports 222 and 2222 to TCP_OUT by default\n * SSL with TLS/SNI on server with one IP, multiple certificates - fixes #465\n\n# Changes:\n\n * Allow to run automated SQL conversion only weekly\n * Allow to use _PHP_GEOS=YES with all PHP versions\n * Do not send extra nocache cookie on GET requests\n * Drush mini-7-07-03-2015\n * Make barracuda wrapper available on initial install to avoid confusion\n * Nginx: Update for crawlers exceptions list\n * Redis Integration Module: Update to version mod-05-03-2015\n * Remove dependency on legacy Drush 4\n * Use latest Apache Solr Search 6.x-3.x config\n * Use latest Apache Solr Search 7.x-1.x config\n\n# System upgrades:\n\n * Apache Solr 4.9.1\n * cURL 7.41.0 (if installed from sources)\n * Git 2.3.0 (if installed from sources)\n * Jetty 9.2.7.v20150116\n * MariaDB 10.0.17\n * MariaDB 5.5.42\n * MariaDB Galera Cluster 10.0.17\n * Nginx 1.7.10\n * OpenSSL 1.0.2 (if installed from sources)\n * PHP 5.4.38\n * PHP 5.5.22\n * PHP 5.6.6\n * PHP: ionCube loader 4.7.4\n * Pure-FTPd 1.0.37\n * Ruby 2.2.1\n * Use duplicity 0.7.01 and boto 2.36.0 - fixes #630\n * Vnstat 1.13\n\n# Fixes:\n\n * [provision] False \"load on system too heavy\" messages - fixes #619\n * [provision] Issue #2350695 - Profile is registered twice, also as a module\n * [provision] Nginx: Remove webform keyword from regex locations - fixes #599\n * Add also manage_ltd_users to the list - fixes #616\n * Avoid installing New Relic with no valid license key provided - fixes #608\n * Do not add no longer used symlink\n * Do not create conflicting plain HTTP proxy for single IP mode - fixes #465\n * Do not delete backboa while duplicity is running\n * Do not replace any contrib in latest OA - fixes #2420131\n * Do not run D7 core hotfix on already fixed instances\n * Fix for legacy systems autoupdate logic\n * Fix for missing chattr -i on web user update\n * Fix for missing datestamp\n * Fix for too dangerous pdnsd auto-config logic\n * Fix pdnsd restarts procedures - fixes #610\n * Fix permissions for pdnsd if needed\n * Fix variable in autoupboa - pull request #629\n * Force php.ini update\n * Hotfix for cluster instances\n * Hotfix for OpenSSL/cURL versions out of sync\n * How to enable permanent redirect to HTTPS with single IP - #465\n * Issue #2425963 - Broken slider in Commerce Kickstart 2.21\n * Make sure that @hostmaster alias works after migration\n * Provide a patch for older civicrm versions to make them Drush 7 compatible\n * Randomize backups schedule to avoid issues with AWS limits\n * Reload nginx service automatically - #465\n * Remove conflicting pdnsd restarts to avoid race conditions - fixes #610\n * Remove deprecated sysctl options\n * Remove post-install leftovers if needed\n * Single PHP-version installation fails - fixes #598\n * Typo - fixes #539\n * Unable to connect to SOLR on latest head - fixes #623\n * Update installers as expected, also with _SKYNET_MODE=OFF - fixes #644\n * Update meta-installers for new stable\n * Update the upgrade procedure how-to - fixes ##616\n * Use civicrm-4.5.6 compatible with Drush 7\n * Use correct AWS Endpoint when us-east-1 Region is specified\n * Use correct open_basedir for lshell user - fixes #603\n * Use separate loops for symlinks and ghost cleanup\n * Workaround for EntityMalformedException in Open Outreach - fixes #229\n * Workaround for missing interface/lo.pdnsd on legacy systems\n * Workaround for SA-CONTRIB-2015-063 - Webform - Cross Site Scripting\n\n\n### Stable BOA-2.4.0 Release - Full Edition\n### Date: Wed Feb 4 20:30:04 CET 2015\n### Milestone URL: https://github.com/omega8cc/boa/milestones/2.4.0\n### Latest hotfix added on: Sat Feb 21 10:18:15 UTC 2015\n\n @=> Includes Ægir Hostmaster 2.x-head with improvements\n @=> Includes Ægir Provision 3.x-head with improvements\n @=> Includes Drush 7.0.0-alpha8 customized for BOA\n\n# Release Notes:\n\n This new BOA release includes 7 updated Ægir platforms, over 28 new features\n and enhancements, 12 new software versions, over 36 important changes, plus\n over 100 bug fixes, with most notable features and changes listed below:\n\n @=> Added Support for latest Drupal 8.0.0-beta with D8B platform keyword\n @=> Added Support for latest Drupal 8.0.0-dev with D8D platform keyword\n @=> Added Support for latest PHP 5.6\n @=> BOA can auto-detect its fastest download mirror on install, upgrade etc.\n @=> BOA Code Refactoring to make it modular and easier to read (in progress)\n @=> BOA Skynet auto-updates can be turned off with _SKYNET_MODE=OFF\n @=> Cron is run only for live sites with no tmp, temp, dev, test etc keywords\n @=> Force single PHP version with command keyword on install and upgrade\n @=> Introducing Support for HHVM -- see docs/HHVM.txt for details.\n @=> PHP 5.5 is used by default on new installs instead of old 5.3\n @=> PHP-FPM (and HHVM) runs now as a separate, very limited system user\n @=> Removed Support for legacy PHP 5.2\n @=> Sites Names Exceptions and Special Keywords have changed\n @=> The _MODULES_FIX variable is set to NO by default\n @=> The _PERMISSIONS_FIX variable is set to NO by default\n @=> The built-in registry-rebuild on every Verify task is not run by default\n @=> The Dev-Mode works only for site aliases, no longer for main site name\n\n Please read further below for more details.\n\n# Caveats for self-hosted BOA:\n\n We recommend to proceed with major upgrade procedure as follows:\n\n $ cd;wget -q -U iCab http://files.aegir.cc/BOA.sh.txt;bash BOA.sh.txt\n $ barracuda up-stable\n $ barracuda up-stable system\n $ octopus up-stable all both\n $ bash /var/xdrago/manage_ltd_users.sh\n $ bash /var/xdrago/daily.sh\n\n# Updated Octopus platforms:\n\n aGov 1.6 --------------------- https://drupal.org/project/agov\n Commerce 1.32 (with 1.11) ---- https://drupal.org/project/commerce_kickstart\n Guardr 2.7 ------------------- https://drupal.org/project/guardr\n OpenAtrium 2.26 -------------- https://drupal.org/project/openatrium\n OpenChurch 1.17-b1 ----------- https://drupal.org/project/openchurch\n OpenPublic 1.4 --------------- https://drupal.org/project/openpublic\n Panopoly 1.15 ---------------- https://drupal.org/project/panopoly\n\n# New features and enhancements:\n\n * Add backboa variables to configure full backup cycle and log verbosity.\n * Add Backdrop CMS compatibility in global.inc (experimental)\n * Add Drupal 8 compatibility in global.inc\n * Add Drush Make Local - fixes #332\n * Add safe_cache_form_clear Drush extension by default - fixes #568\n * Add support for writable .aws directory in the web user home.\n * Allow to set _PHP_SINGLE_INSTALL on command line - on install and upgrade.\n * Allow to use both platform specific and ALL keyword in _PLATFORMS_LIST.\n * BOA auto-selects the fastest download mirror on install, upgrade and update.\n * Detect critically low free RAM and forcefully restart services if needed.\n * Detect OOM incidents and forcefully restart services if needed.\n * Improve backboa with AWS connection testing.\n * Install latest D8-dev with D8D keyword specified.\n * Monitor and rotate PHP error logs if too big (over 1 GB).\n * Monitor the number of master PHP-FPM processes and force restart if needed.\n * New 'nodns' option to skip DNS and SMTP checks on the fly.\n * Nginx: Add support for images derivatives with URI shortcuts - fixes #481\n * Nginx: Add support for URI shortcuts for sites in subdirectories.\n * PHP: Add HHVMinfo.\n * PHP: Add support for latest 5.6\n * PHP: Allow to define version to install and use on command line - fixes #536\n * PHP: Disable not used CLI versions if _PHP_SINGLE_INSTALL is defined.\n * PHP: Disable not used FPM and CLI versions.\n * PHP: HHVM experimental support - fixes #443\n * Provide default value for composer_manager_vendor_dir variable - fixes #385\n * Redis: Allow to configure remote IP via _REDIS_LISTEN_MODE /cluster support.\n * Use cron scheduler fast mode (every 10 sec) if /root/.fast.cron.cnf exists.\n * Use Drush Make Local for Hostmaster with download mirrors auto-detection.\n\n# Changes:\n\n * Alter the cron_interval for existing sites to match Ægir default.\n * Change required exceptions keywords to .temporary. and .testing.\n * Dev mode detection and URLs protection - now works only for aliases.\n * Do not display .cnf files contents if _DEBUG_MODE is not set to YES.\n * Do not restart Redis daily if /root/.high_traffic.cnf exists - fixes #533\n * Drush 7 is now used by default instead of Drush 6.\n * Drush: Upgrade to mini-7-02-02-2015\n * Force _TOMCAT_TO_JETTY=YES - fixes #570\n * Hostmaster: Use Drush Make Local instead of downloading contrib with Drush\n * Limit status messages verbosity if _DEBUG_MODE is not set to YES\n * Make it possible to opt-out from BOA Skynet auto-updates - fixes #557\n * Nginx: Block SEOkicks crawler.\n * PHP: Always use by default version 5.5\n * PHP: Disable legacy 5.2 version if installed.\n * PHP: Ignore --with-curlwrappers defined in _PHP_EXTRA_CONF for 5.5 and 5.6\n * PHP: Rebuild to remove --with-curlwrappers unless added in _PHP_EXTRA_CONF\n * PHP: Remove no longer working custom config protection - see #559\n * PHP: Tune FPM defaults for speed and RAM optimization.\n * PHP: Use built-in Zend OPcache in 5.5\n * PHP: Use built-in Zend OPcache in 5.6\n * Redis Integration Module: Update to version mod-14-12-2014\n * Reload system cron hourly.\n * Remove deprecated RC4 from ssl_protocols.\n * Remove the _O_CONTRIB_UP variable/feature.\n * Run cron for 3 sites at once max.\n * Set _MODULES_FIX=NO by default\n * Set _PERMISSIONS_FIX=NO by default\n * Site mode detection and cron protection - cron works only for live sites\n * Split huge BARRACUDA script into lib includes.\n * Switch to special limited system user also in PHP-FPM mode - fixes #551\n * There is no need to update drupalgeddon every 5 minutes.\n * Use 86400 as a default cron_interval to sync with Drupal default.\n * Use MySQLTuner only if _USE_MYSQLTUNER=YES is set in .barracuda.cnf\n * Use provision_civicrm 6.x-2.x directly.\n * Use separate versioning for Ægir extensions download URLs.\n * Run built-in registry-rebuild on Verify only if empty ctrl file\n sites/all/modules/registry-rebuild.ini exists.\n\n# System upgrades:\n\n * cURL 7.40.0 (if installed from sources)\n * Git 2.2.1 (if installed from sources)\n * MariaDB 10.0.16\n * MariaDB 5.5.42\n * MariaDB Galera Cluster 10.0.16\n * Nginx 1.7.9\n * PHP 5.4.37\n * PHP 5.5.21\n * PHP 5.6.5\n * PHP: ionCube loader 4.7.3\n * Redis 2.8.19\n * Ruby 2.2.0\n\n# Fixes:\n\n * Add CONTRIBUTING.txt guidelines.\n * Add in docs/HINTS.txt Helper locations to avoid 404 on legacy images paths.\n * Add still missing updates for migrated instances.\n * Add warning about vCloud Air incompatibility with Drupal.\n * Aliases are wiped out after site rename - fixes #542\n * Allow slower DNS response.\n * Always disable spinner when running boa in-octopus.\n * Avoid broken install on D8 core where sites/all doesn't exist by default.\n * Avoid confusing EXIT: You must specify already installed PHP version.\n * Avoid sed warnings in old stable and legacy modes.\n * Backward compatibility with Drush 6.\n * Block attempts to lookup /etc/passwd via web shell.\n * Check only LANG environment variable in locale test - fixes #584\n * Compare $new_uri with d()->name and not d()->uri in the Site Rename Check.\n * Delete duplicity ghost pid file if older than 2 days.\n * Do not confuse D7 with D8 or Backdrop CMS.\n * Do not force cURL reinstall from packages - fixes #565\n * Do not try to add platforms nodes if no new platform has been installed.\n * Do not update backboa if duplicity is running.\n * Document when to use /root/.fast.cron.cnf\n * Drupal 8 removed drupal_mail()\n * Drupal 8 requires container_yamls defined.\n * Drupal 8 requires read permissions in sites/all\n * Drupal 8 requires trusted_host_patterns defined in settings.php\n * Drupal 8 with $clean_urls=1 should use /cron/ URI.\n * Drush 7 requires composer.\n * Fix and Improve Squeeze to Wheezy upgrade procedure.\n * Fix for $HOME detection if not set for some reason.\n * Fix for Drush aliases protection.\n * Fix for octopus batch upgrade mode.\n * Fix for octopus single upgrade mode.\n * Fix for pdnsd install/update logic.\n * Fix missing symlinks after broken openjdk-6 upgrade.\n * Fix path to PHP-CLI if needed.\n * Fix public IP auto-detection on AWS in Octopus.\n * Fix the logic for aegir/platforms upgrade mode.\n * Fix the logic for TMPDIR set on the fly - fixes #552\n * Fix: LANGUAGE (en_US.UTF-8) is not compatible with LC_ALL (). Disabling it.\n * Force _PHP_MULTI_INSTALL to match defined _PHP_FPM_VERSION on cluster nodes.\n * Force _THIS_DB_HOST=localhost on AWS.\n * HHVM: Add /home/ to open_basedir so access to the .tmp works - fixes #569\n * HHVM: Add workarounds for potential security issues - fixes #443\n * Improve Ægir tasks scheduling and load spikes protection.\n * Improve docs for backboa.\n * Improve pdnsd configuration update by removing non-IP lines early enough.\n * Improve procs monitor.\n * Improve web wrapper.\n * Increase inotify defaults to improve lsyncd support.\n * Issue #2372653: Add --no-autocommit when dumping MySQL tables.\n * Jetty: Detect if running as zombie and force restart if needed.\n * Make sure that AcceptEnv is set in sshd_config.\n * Make sure to never run cron on just cloned site.\n * MariaDB patch is no longer needed.\n * Monitor lsyncd and xinetd if installed and expected to run.\n * Never delete tmp dirs to avoid Drush/PHP segfaults and race conditions.\n * Nginx: Add missing variables in subdirectory config template.\n * Nginx: Fix for D8-specific /cron/ location regex.\n * Nginx: Force clean URLs for Drupal 8.\n * Nginx: Helper locations to avoid 404 on legacy images paths (subdir only)\n * Nginx: Hide X-Drupal-Cache-Tags header.\n * Nginx: Use safe fallback for mysteriously empty $db_port\n * PHP: Avoid version guessing for Octopus when _PHP_SINGLE_INSTALL is used.\n * PHP: Make sure that _PHP_SINGLE_INSTALL takes precedence.\n * PHP: OPcache configuration for Drupal 8 - fixes #419\n * PHP: Re-install libmagickwand-dev to avoid broken extension build.\n * PHP: The fallback version should be detected and not hardcoded.\n * Prevent 'Could not change permissions' warnings with CiviCRM - fixes #523\n * Remove Drupal 8 specific code from settings template used in older Drupal.\n * Remove known sensitive credentials from barracuda upgrade log.\n * Revert \"Issue #2313327: Fixed Unknown options for provision-verify.\"\n * Run agents update on cluster nodes.\n * Run single mirror check - fixes #565\n * RVM: Install also eventmachine-1.0.3\n * Set files paths on D8 install to avoid using system default /tmp.\n * Silence confusing noise - fixes #589\n * Skip auto-update for agents not compatible with older versions.\n * Skip extra SQL connection test on AWS.\n * Standardize platforms version and naming convention.\n * Support for _NGINX_NAXSI is experimental (don't use)\n * Symlinks directories expected by Drush/Ægir in D8 root.\n * Sync defaults for hosting_advanced_cron_default_interval\n * Syntax error - fixes #587\n * Syntax error - fixes #588\n * The _NGINX_FORWARD_SECRECY=YES is ignored on Debian Wheezy - fixes #591\n * The /login suffix is no longer supported in Drupal 8 and results with 404.\n * The backend verify sub-task breaks site import for Drupal 8.\n * Tomcat is not used anymore - see #570\n * Use consistent stderr 2 stdout redirects in grep checks.\n * Use correct _THIS_DB_HOST on master instance.\n * Use correct pid file in procs monitor.\n * Use correct user to run drush test commands.\n * Use extended display mode for messages longer than 200 chars.\n * Use faster mysqldump mode/flags.\n * Use mirror to download complete vendor directory for Drush 7.\n * Use more intuitive PHP keyword naming convention.\n * Use mutatable interface in install_8.inc - fxes #2409085\n * Use recommended releases for views404 and views_accelerator - fixes #578\n * Use release specific o_contrib downloads.\n * Use safe tmp cleanup to avoid race conditions.\n * Where to set _USE_MYSQLTUNER variable - fixes #594\n\n\n### Stable BOA-2.3.8 Release - Full Edition\n### Date: Sat Nov 29 09:58:45 SGT 2014\n### Includes Ægir 2.x-head with improvements\n\n# Release Notes:\n\n This new BOA release includes new features, improvements and bug fixes.\n\n#-### Support for optional Drupalgeddon daily checks on all hosted D7 sites\n\n ~/static/control/drupalgeddon.info\n\n Previously enabled by default, now requires this control file to still\n run daily, because it may generate some false positives not always possible\n to avoid or silence, so it no longer makes sense to run this check daily,\n especially after BOA has run it automatically for a month and finally even\n disabled automatically all clearly compromised sites.\n\n Note that your system administrator may still enable this with root level\n control file /root/.force.drupalgeddon.cnf, so it will still run, even\n if you will not create the Octopus instance level empty control file:\n ~/static/control/drupalgeddon.info\n\n Please note that current version of Drupalgeddon Drush extension needs\n the 'update' module to be enabled to avoid even more false positives,\n so BOA will enable the 'update' module temporarily while running this\n check, which in turn will result with even more emails notices sent\n to the site admin email, if these notices are enabled.\n\n#-### Support for automated BOA upgrades: weekly and one-time\n\n You can configure BOA to run automated upgrades to latest stable version\n for both Barracuda and all Octopus instances with three variables, empty\n by default. All three variables must be defined to enable auto-upgrade.\n You can set _AUTO_UP_MONTH and _AUTO_UP_DAY to any date in the past\n if you wish to enable only weekly system upgrades.\n\n Remember that one-time upgrades will include complete upgrade to latest BOA\n stable for Barracuda and all Octopus instances, while weekly upgrade is\n designed to run only 'barracuda up-stable system' upgrade.\n\n _AUTO_UP_WEEKLY= #------ Day of week (1-7) for weekly system upgrades\n _AUTO_UP_MONTH= #------- Month (1-12) to define date of one-time upgrade\n _AUTO_UP_DAY= #--------- Day (1-31) to define date of one-time upgrade\n\n All three variables should be added in your /root/.barracuda.cnf file.\n\n# Updated Octopus platforms:\n\n ERPAL 2.2 -------------------- https://drupal.org/project/erpal\n\n# New features and enhancements in this release:\n\n * Support for automated BOA upgrades: weekly and one-time.\n\n# Changes in this release:\n\n * Drupalgeddon daily checks on all hosted D7 sites are now optional.\n\n# Fixes in this release:\n\n * Issue #508 - The _EASY_HOSTNAME is not required in local install mode.\n * Issue #516 - Do not break binaries detection with 'which'.\n\n\n### Stable BOA-2.3.7 Release - Full Edition\n### Date: Tue Nov 25 15:44:48 PST 2014\n### Includes Ægir 2.x-head with improvements\n\n# Release Notes:\n\n This new BOA release includes updated versions of all supported Drupal\n platforms to provide latest Drupal 7.34 and Pressflow 6.34 cores, plus\n new features, improvements and bug fixes.\n\n We recommend that you upgrade your D7 sites using this safe workflow:\n\n https://omega8.cc/your-drupal-site-upgrade-safe-workflow-298\n\n For up-to-date information on #Drupageddon please check:\n\n https://omega8.cc/drupageddon-psa-2014-003-342\n\n#-### Support for locking/unlocking web server write access in all codebases\n\n This new, auto-enabled by default protection will enhance your system\n security, especially for sites in custom platforms you maintain\n in the ~/static directory tree.\n\n It is important to understand that your web server / PHP-FPM runs as your\n shell/ftps user, although with a different group. This allows to maintain\n virtual chroot for Octopus instances, which significantly improves security.\n\n However, it had a serious drawback: the web server had write access in all\n your platforms codebases located in the ~/static directory tree, because\n all files you have uploaded there have the same owner.\n\n While it allows you to use code management which requires web hooks, it also\n opens a door for possible attack vectors, like for the infamous #drupageddon\n disaster, where Drupal allowed attackers to create .php files intended\n to be used as backdoors in future attacks - inside your codebase.\n\n Even if it could affect only custom platforms you maintain in the ~/static\n directory tree, since all built-in Octopus platforms always had Drupal core\n completely write-protected, plus, even if created by attacking bot, these\n extra .php files are completely useless for attackers, because BOA default\n restricted configuration doesn't allow to execute not whitelisted, unknown\n .php files, having codebase writable by your web server is still dangerous,\n because at least theoretically it may open a possibility to overwrite valid\n .php files, so they could be used as an entry point in a future attack.\n\n BOA now protects all your codebases by reverting (daily) ownership on all\n files and directories in your codebase (modules and themes) so they are\n owned by the Ægir backend user and not your shell/ftps user.\n\n While this new default procedure protects all your codebases in the ~/static\n directory tree, and even in the sites/all directory tree, and even in the\n sites/foo.com/modules|themes tree in all your built-in Octopus platforms,\n you can still manage the code and themes with your main and extra shell\n accounts as usual, because your codebase is still group writable, and your\n shell accounts are members of the group not available for the web server.\n\n You can easily disable this default daily procedure with a single switch:\n\n ~/static/control/unlock.info\n\n You can also exclude any custom platform you maintain in the ~/static\n directory tree from this global procedure by adding an empty skip.info\n control file in the given platform root directory, so all other platforms\n are still protected, and only excluded platform is open for write access\n also for the web server. But normally you should never need this unlock!\n\n Please note that this procedure will not affect any platform if you have\n the non-default _PERMISSIONS_FIX=NO setting in your /root/.barracuda.cnf\n file. It will also skip any platform with fix_files_permissions_daily\n variable set to FALSE in the given platform active INI file.\n\n# Updated Octopus platforms:\n\n Commerce 1.32 ---------------- https://drupal.org/project/commerce_kickstart\n Commerce 2.20 ---------------- https://drupal.org/project/commerce_kickstart\n Commons 2.21 ----------------- https://drupal.org/project/commons\n Commons 3.20 ----------------- https://drupal.org/project/commons\n Guardr 2.5 ------------------- https://drupal.org/project/guardr\n Open Atrium 2.25 ------------- https://drupal.org/project/openatrium\n Open Outreach 1.13 ----------- https://drupal.org/project/openoutreach\n Panopoly 1.14 ---------------- https://drupal.org/project/panopoly\n\n# New features and enhancements in this release:\n\n * Support for locking/unlocking web server write access in all codebases.\n\n# Changes in this release:\n\n * Do not force site_readonly to be disabled on non-dev sites.\n\n# System upgrades in this release:\n\n * MariaDB 10.0.15\n\n# Fixes in this release:\n\n * Allow any single site to use 1/2 of available SQL connections max.\n * Clean up dot files after installing or updating RVM.\n * Do not run extra updates on systems running latest head version.\n * Improve ghost sites cleanup.\n * Issue #467 - Centralize control files outside of codebases tree.\n * Issue #498 - ERPAL: Fatal error: Unsupported operand types.\n * Issue #499 - RVM: Add oily_png gem version 1.1.1\n * Issue #504 - Add docs/RVM.txt\n * Issue #504 - Remove ~/.rvm/scripts/notes script breaking lshell.\n * Issue #509 - Do not delete anything from hostmaster site level modules.\n * It is safe to run manage_ltd_users every minute.\n * Never touch hostmaster aliases and vhosts even they appear broken.\n * Nginx: Fix for possible problem with files/imagecache in legacy D6 sites.\n * Use gnupg2 by default.\n * Use latest Ruby 2.1.x or 2.0.x available.\n * Use verbose RVM install mode to improve debugging.\n\n\n### Stable BOA-2.3.6 Release - Full Edition\n### Date: Mon Nov 17 08:11:17 SGT 2014\n### Includes Ægir 2.x-head with improvements\n\n# Release Notes:\n\n This new BOA release includes updated versions of all supported Drupal\n platforms to provide latest Drupal 7.33 core, plus great new features,\n improvements and bug fixes.\n\n We recommend that you upgrade your D7 sites using this safe workflow:\n\n https://omega8.cc/your-drupal-site-upgrade-safe-workflow-298\n\n For up-to-date information on #Drupageddon please check:\n\n https://omega8.cc/drupageddon-psa-2014-003-342\n\n#-### Support for automated, encrypted, daily backups to Amazon S3\n\n * This new feature is available on self-hosted BOA and hosted Power Engines.\n * Note that provided 'backboa' tool uses symmetric password-only encryption.\n * You can configure AWS Region you prefer to use and Backup Rotation policy.\n\n It will archive all directories required to restore your data (sites files,\n databases archives, Nginx configuration and more) on a freshly installed BOA:\n\n /etc /var/aegir /var/www /home /data\n\n It will start to run nightly at 2:08 AM (server time) only once you will add\n five required _AWS_* variables in the /root/.barracuda.cnf file and run the\n special command 'backboa install' while logged in as root.\n\n To restore any file from backups created with 'backboa' tool, you can use\n the same script on the same or any other BOA server.\n\n Please read docs/BACKUPS.txt at https://github.com/omega8cc/boa for details.\n\n# Updated Octopus platforms:\n\n Commons 3.19 ----------------- https://drupal.org/project/commons\n Open Atrium 2.24 ------------- https://drupal.org/project/openatrium\n Open Deals 1.35 -------------- https://drupal.org/project/opendeals\n OpenChurch 1.15 -------------- https://drupal.org/project/openchurch\n OpenChurch 2.0-b2 ------------ https://drupal.org/project/openchurch\n OpenScholar 3.16.0 ----------- http://theopenscholar.org\n Panopoly 1.13 ---------------- https://drupal.org/project/panopoly\n Restaurant 1.0-b10 ----------- https://drupal.org/project/restaurant\n Ubercart 2.14 ---------------- https://drupal.org/project/ubercart\n Ubercart 3.8 ----------------- https://drupal.org/project/ubercart\n\n# New features and enhancements in this release:\n\n * Add support for automated, encrypted, daily backups to Amazon S3.\n * Automatic shutdown for sites with known #Drupageddon users/roles added.\n * Drush drupalgeddon extension added in all accounts.\n * Make _STRONG_PASSWORDS length configurable: 8-128, YES (32), NO (8).\n * Support for web and db clusters with MariaDB Galera (work in progress).\n * Apply SA-CORE-2014-005 hot-fix daily everywhere, also on BOA (any version)\n servers left on the auto-pilot.\n\n# Changes in this release:\n\n * Do not force site_readonly to be disabled on non-dev sites.\n * Ignore disabled sites in daily monitoring and healing procedures.\n * Remove support for abandoned Managing News distro.\n * Remove support for abandoned Open Atrium 6.x distro.\n * Remove support for abandoned Spark distro.\n * Remove support for abandoned Totem distro.\n * Set _PERMISSIONS_FIX=YES by default, so important fixes can be applied.\n * Update BOA wrappers hourly.\n\n# System upgrades in this release:\n\n * cURL 7.39.0 (if installed from sources)\n * Drush: Upgrade command line version 6 to mini-6-30-10-2014\n * Nginx 1.7.7\n * PHP 5.4.35\n * PHP 5.5.19\n * PHP: Zend OPcache master-08-11-2014\n\n# Fixes in this release:\n\n * Add scout user if _SCOUT_KEY is not empty or cron entry exists.\n * Always escape dots in preg_replace() to not truncate www. by mistake.\n * Check if directory tree exists before running extended checks/fixes.\n * Clear drush cache directly before running hostmaster-migrate.\n * Disable scout if installed and enable later.\n * Do not export LC_CTYPE on initial install.\n * Do not use Redis on provision-save.\n * Fix for edge case when incorrect permissions were set in custom platform.\n * Fix for openatrium-7.x-2.22-7.32.1\n * Fix for site_readonly mode in migrated instances.\n * Force setting to avoid issues with not expected to work RVM self-update.\n * Hint for Apache Solr Attachments and Java path possible confusion.\n * Improve web wrapper filtering.\n * Issue #2163979 - Check if field_info_field_map() is available.\n * Issue #2373923 - HTTPS and aliases redirection problem with Nginx.\n * Issue #438 - PHP: Remove support for 5.5 built-in Zend OPcache.\n * Issue #452 - PHP build could be broken also with MariaDB newer than 5.5.40\n * Issue #456 - Aliases redirection: problems with AdvAgg paths.\n * Issue #457 - Aliases redirection: 404 file not found for resources.\n * Issue #461 - Remote Import needs Drush strict=0 mode.\n * Issue #463 - The yajl-ruby gem needs native binaries building.\n * Issue #480 - Normalize /etc/hosts to avoid FQDN mapped to 127.0.1.1\n * Issue #490 - Nginx: Block semalt botnet.\n * Issue #496 - RVM 1.26.0 introduces signed releases (rvm: not found error).\n * Make sure that hostmaster site usage is not counted.\n * Move DB GRANTS setup for master instance to the correct level.\n * Move redis server daily restart to daily.sh agent.\n * Nginx: Fail if required db creds are empty to never create a broken vhost.\n * Remove hardcoded DNS for files.aegir.cc\n * Strict Permissions on All Binaries are default, not optional.\n * There is no point in running MySQLTuner on initial install.\n * Whitelist mysql command for overssh in lshell.\n\n\n### Stable BOA-2.3.5 Release - Full Edition\n### Date: Wed Oct 15 16:28:25 PDT 2014\n### Includes Ægir 2.1 with improvements\n### Latest hotfix added on: Thu Oct 16 08:55:02 PDT 2014\n\n# Release Notes:\n\n This new BOA release includes important updates and bug fixes.\n\n * All new Drupal 7 platforms received Drupal core security upgrade.\n For details please read: https://www.drupal.org/SA-CORE-2014-005\n\n * All existing Drupal 7 built-in platforms will receive a hot-fix for\n this known vulnerability: https://www.drupal.org/SA-CORE-2014-005\n once you will run 'barracuda up-stable' command on your server.\n This procedure is automated on hosted and managed Ægir at Omega8.cc\n\n * Your custom D7 platforms created in the ~/static directory tree\n will be checked in the next 12 hours after the upgrade, and if you\n have not applied this patch yet, it will be applied automatically\n for you - but only if there is at least one active site present\n in the given custom D7 platform. Note that while this procedure is\n automated on hosted and managed Ægir at Omega8.cc, on self-hosted\n BOA systems it will work only if you will set _PERMISSIONS_FIX=YES\n in /root/.barracuda.cnf (default is NO)\n\n We recommend that you upgrade your D7 sites using safe workflow:\n\n https://omega8.cc/your-drupal-site-upgrade-safe-workflow-298\n\n# Updated Octopus platforms:\n\n aGov 1.5 --------------------- https://drupal.org/project/agov\n Commerce 1.31 ---------------- https://drupal.org/project/commerce_kickstart\n Commerce 2.19 ---------------- https://drupal.org/project/commerce_kickstart\n ERPAL 2.1 -------------------- https://drupal.org/project/erpal\n Guardr 1.14 ------------------ https://drupal.org/project/guardr\n Open Atrium 2.22 ------------- https://drupal.org/project/openatrium\n Open Outreach 1.12 ----------- https://drupal.org/project/openoutreach\n OpenPublic 1.2 --------------- https://drupal.org/project/openpublic\n Panopoly 1.12 ---------------- https://drupal.org/project/panopoly\n Recruiter 1.3 ---------------- https://drupal.org/project/recruiter\n\n# New features and enhancements in this release:\n\n * Explain that Solr self-provisioning works only if _MODULES_FIX=YES is set.\n * Reverify all sites daily if /root/.force.sites.verify.cnf ctrl file exists\n and _PERMISSIONS_FIX=YES is set in /root/.barracuda.cnf (default is NO)\n\n# Changes in this release:\n\n * Security: Remove support for SSLv3 due to POODLE vulnerability.\n * Disable Redis in Hostmaster until we will fix the Views based pages/blocks.\n * Disable site_readonly for non-dev sites by default.\n * Drush: Upgrade command line version 6 to mini-6-04-10-2014\n * Enable AllowUserFXP in Pure-FTPd config by default.\n * Remove support for already deprecated non-LTS Ubuntu versions.\n * Run manage_ip_auth_access only once per minute.\n * The INI variable redis_flush_forced_mode is enabled by default (again).\n * Use sysklogd instead of rsyslog on Ubuntu.\n\n# System upgrades in this release:\n\n * MariaDB 5.5.40\n * Nginx 1.7.6\n * OpenSSH 6.7p1 (if installed from sources)\n * OpenSSL 1.0.1j (if installed from sources) - security upgrade.\n * PHP 5.5.18\n * PHPRedis: master-03-10-2014\n\n# Fixes in this release:\n\n * Add auto-detection of Legacy Ruby patch level update on old systems.\n * Add cleanup for ghost/broken sites dirs leftovers.\n * Add missing cleanup for backup_migrate leftovers.\n * Always cleanup pid files on exit/abort.\n * Apply patch for SA-CORE-2014-005 in all shared D7 cores/built-in platforms.\n * Compass Tools: Install 1.9.3 ffi expected by older themes.\n * Fix db_port entry in all vhosts hourly.\n * Fix for broken erpal-7.x-2.0-7.31.1\n * Fix for broken site level drushrc.php file.\n * Fix for false alarm caused by ghost sites leftovers.\n * Fix for incorrect hash filtering on systems with OpenSSL built from sources.\n * Fix locales: Numerous fixes and improvements -- thanks ar-jan!\n * Fix typo in REVISIONS.\n * Force site Verify via frontend if drushrc.php has been fixed.\n * Issue #435 - SQL: Remove deprecated table_cache +update table_open_cache\n * Issue #440 - Improve innodb_buffer_pool_size calculation and add 10%\n * Issue #441 - New Relic is not disabled after removing newrelic.info file.\n * Issue #442 - Skip locked/fpmcheck if /root/.high_traffic.cnf exists.\n * Issue #444 - PHP: Remove useless sed replacement in pool.d/www{*}.conf\n * Issue #445 - Remote Import: update 6.x-2.x branch for Ægir 2.x and Drush 6\n * Issue #447 - Export LANG, LANGUAGE and all LC_ environment variables.\n * Issue #447 - Improve locales consistency.\n * Issue #447 - Set default LC_CTYPE and LC_COLLATE environment variables.\n * Issue #447 - Simplify locales configuration on Ubuntu.\n * Issue #448 - Enforce locale settings by configuring defaults.\n * Issue #452 - PHP build is broken with latest MariaDB 5.5.40\n * Make sure that db_port is never empty and defaults to 3306.\n * Make sure that firewall monitoring scripts never run simultaneously.\n * Make sure that standard caching is enabled in hostmaster.\n * Pause hostmaster tasks when RVM install for any user is running.\n * PHP: Do not run rebuilds if not needed.\n * PHP: Fix for broken upgrade logic on libcurl or libssl packages upgrade.\n * Remove acquia_connector from latest Commons to avoid broken installs.\n * Remove all legacy gems and re-install RVM/Ruby for root from scratch.\n * Remove legacy replacement to avoid converting symlinked includes into files.\n * SQL: Use correct defaults if MySQLTuner test failed.\n * Workaround for Drupal flood using 127.0.0.1 for all requests behind proxy.\n\n\n### Stable BOA-2.3.4 Release - Full Edition\n### Date: Wed Oct 15 09:51:08 PDT 2014\n### Includes Ægir 2.1 with improvements\n\n Release Notes and changelog for BOA-2.3.4 has been merged into BOA-2.3.5\n above after security upgrades related to OpenSSL and SSLv3 have been added\n shortly after 2.3.4 release.\n\n\n### Stable BOA-2.3.3 Release - Full Edition\n### Date: Sat Sep 27 01:25:46 PDT 2014\n### Includes Ægir 2.1 with improvements\n\n# Release Notes:\n\n This BOA Edition includes important fixes to address some issues discovered\n after BOA-2.3.1 release. Please read also the release notes for BOA-2.3.1\n further below before running the upgrade!\n\n#-### Important details on CiviCRM versions compatibility and profiles support\n\n * All BOA-2.3.x Editions fully support latest CiviCRM 4.5.0 for Drupal 7.\n * CiviCRM for Drupal 6 is not supported because of known CiviCRM issues.\n * CiviCRM support for Drupal 7 works great when added in sites/all/modules\n * CiviCRM support for Drupal 7 also works when added in profiles/foo/modules\n but no CiviCRM cron is currently managed until this known issue is fixed,\n therefore BOA-2.3.3 will check all platforms on the Octopus instance and if\n it will detect any with CiviCRM added in the installation profile directory\n tree, it will refuse to upgrade such instance to not break things for those\n using currently not fully supported CiviCRM codebase structure.\n\n# New Octopus platforms:\n\n OpenChurch 2.0-b1 ------------ https://drupal.org/project/openchurch\n\n# Updated Octopus platforms:\n\n ERPAL 2.0 -------------------- https://drupal.org/project/erpal\n Guardr 1.13 ------------------ https://drupal.org/project/guardr\n Open Outreach 1.11 ----------- https://drupal.org/project/openoutreach\n OpenChurch 1.14 -------------- https://drupal.org/project/openchurch\n OpenPublic 1.0-rc5 ----------- https://drupal.org/project/openpublic\n OpenScholar 3.15.1 ----------- http://theopenscholar.org\n\n# New features and enhancements in this release:\n\n * Add makefiles for CiviCRM 4.4.7\n * Add makefiles for CiviCRM 4.5.0\n\n# Changes in this release:\n\n * Drush: Upgrade command line version 6 to mini-6-27-09-2014\n * Restart SSH hourly.\n * The INI variable redis_flush_forced_mode is now disabled by default.\n * Use aegir_custom_settings-6.x-3.12\n * Use Provision CiviCRM boa-2.3.3-dev\n\n# System upgrades in this release:\n\n * MariaDB 10.0.14\n * Nginx 1.7.5\n * PHP 5.4.33\n * PHP 5.5.17\n * PHPRedis: master-02-09-2014\n * Redis 2.8.17\n\n# Fixes in this release:\n\n * Add extra cleanup for Drush related caches.\n * Always respect _SSH_PORT if set.\n * Always start cron before aborting on error.\n * Do not add duplicate cron entry for runner.sh\n * Do not allow system only upgrades if Master Instance is still on 2.2.x\n * Do not disable _DNS_SETUP_TEST\n * Enable path_alias_cache by default also in the hostmaster site.\n * Fix for broken pdnsd configuration if wrong IPs are detected.\n * Fix for insufficient permissions on files/civicrm/ConfigAndLog\n * Fix for insufficient permissions on files/civicrm/custom\n * Fix for insufficient permissions on files/civicrm/dynamic\n * Fix for missing cron entry for Scout, if _SCOUT_KEY is not empty.\n * Fix the not working procedure to revert hostmaster features.\n * Force problematic gems install to add them on accounts with enabled RVM.\n * Fox for Java version for Jetty 9 on newer systems.\n * Hardcode files.aegir.cc DNS entry.\n * Improve docs/ctrl/system.ctrl readability.\n * Install openjdk on CI instances by default.\n * Issue #411 - Unable to update Octopus Instance - Reports PHP on 5.2\n * Issue #423 - Make sure that innodb_buffer_pool_size is not smaller than 64M\n * Issue #424 - Update mysqltuner.pl to support MariaDB 10.0\n * Make sure that lsb-release is installed properly.\n * Make the check_civicrm_compatibility more reliable to avoid false alarms.\n * New Relic not enabled if no custom ~/static/control/{fpm|cli}.info exists.\n * Nginx: Auto-Switch to wildcard all vhosts existing in the Master Instance.\n * Nginx: Avoid any downtime on upgrade by using www53.fpm.socket temporarily.\n * Nginx: Convert all config templates to wildcard mode in legacy instances.\n * Nginx: Convert all Octopus vhosts to wildcard mode on Barracuda upgrade.\n * Nginx: Convert config to use PHP 5.2 if the instance still depends on it.\n * Nginx: Delete ghost, outdated or broken config includes in all instances.\n * Nginx: Delete ghost, outdated or broken vhosts in all instances.\n * Nginx: Force special vhosts access rules rebuild hourly.\n * Nginx: Improve wildcard conversion procedure on some really old instances.\n * Purge all ghost delete tasks before running hostmaster-migrate / upgrade.\n * Purge Drush related caches cleanly when needed.\n * Recreate possibly broken vhosts.\n * Remove duplicate cron entry for runner.sh to avoid critical system load.\n * Remove legacy replacement to not convert config symlinks into regular files.\n * Run check_civicrm_compatibility only on upgrade.\n * Single feature revert may not be enough.\n * Update contrib in Open Atrium D7 to maintain upgrade path.\n * Update cron defaults and remove legacy code.\n * Update default SSL Wildcard Nginx Proxy to use wildcard listen mode.\n * Use strict regex in vhosts listen mode conversion to not break ports.\n\n\n### Stable BOA-2.3.2 Release - Full Edition\n### Date: Thu Sep 18 15:16:33 PDT 2014\n### Includes Ægir 2.1 with improvements\n\n Release Notes and changelog for BOA-2.3.2 has been merged into BOA-2.3.3\n above after several hotfixes and various updates have been added shortly\n after 2.3.2 release to address all identified post-release issues.\n\n\n### Stable BOA-2.3.1 Release - Full Edition\n### Date: Sun Sep 14 15:53:25 SGT 2014\n### Includes Ægir 2.1 with improvements\n### Latest hotfix added on: Mon Sep 15 19:10:07 SGT 2014\n\n# Release Notes:\n\n This major BOA Edition introduces many new features, changes and fixes.\n\n You should carefully read about some caveats further below **before** running\n this major upgrade on your system. Please secure a fresh system backup first.\n\n If you haven't run full barracuda+octopus upgrade to latest BOA Stable\n Edition yet, don't use any partial/system upgrade modes.\n\n Once new BOA Stable is released, you must run *full* upgrades with commands:\n\n $ cd;wget -q -U iCab http://files.aegir.cc/BOA.sh.txt;bash BOA.sh.txt\n $ barracuda up-stable\n $ octopus up-stable all both\n\n @=> Key new features:\n\n * BOA-2.3.1 comes with new, shiny Ægir 2.1 stable version!\n * Support for Drupal sites in subdirectories is enabled by default\n * Solr 4 cores can be added/updated/deleted via site level INI settings\n * Super-easy to use New Relic support with per Octopus license key\n * Ability to add new Octopus instances with new, simple command syntax\n\n @=> Ægir control panel new features:\n\n * The list of sites is searchable by name or installation profile\n * Sites have dedicated tabs: Backups, Task log, Edit and Packages\n * Platform have tabs: Add site, Clients, Task log, Edit and Packages\n * You can schedule tasks against filtered sites in batches\n * Scheduling tasks in batches is available also on the platform view\n * Scheduling tasks in batches is available also on the profile view\n * Scheduling tasks in batches is available also on the client view\n * You can schedule tasks also against platforms in batches\n * You can safely apply db updates via 'Run db updates' task on any site\n * The new 'Clients' menu item allows to list and manage sub-accounts\n * Profiles are listed with both human-readable and machine names\n * It is now possible to choose any existing alias or the main site name\n as a redirect target, but without the need to rename the site --\n it will just re-verify the site and create new vhost automatically\n\n @=> Ægir control panel changes:\n\n * The hosting/signup form is still available but not included in the menu\n * The node/add/site form is no longer included in the main menu\n * The optional pseudo-CDN-aliases feature is now disabled by default\n\n @=> Other important changes:\n\n * Support for PHP 5.2 has been officially deprecated\n * The www53 PHP-FPM pool has been switched from port to default socket mode\n * All existing vhosts must use wildcard in the Nginx 'listen' directive\n * Legacy mode for Install and Upgrade moves to 2.2.x branch\n * DB credentials are no longer in settings.php, only in drushrc.php\n * Latest Drush 6 version is used in the Ægir backend by default\n\n But what if you are not ready for this major upgrade and you would like\n to have more time for testing, but still be able to run system upgrades,\n thus effectively still using previous version 2.2.9 ?\n\n#-### Legacy mode for Install and Upgrade moves to 2.2.x branch\n\n From now on, the 'legacy' install and upgrade mode available in all meta-\n installers will utilize branch 2.2.x instead of deprecated 2.1.x series.\n\n This means that starting with meta installers updated to use BOA-2.3.1\n version you can use commands like shown below to update Barracuda, Octopus\n and also to install more Octopus instances, while still using version 2.2.9:\n\n $ boa in-legacy public server.mydomain.org my@email o1\n $ barracuda up-legacy system\n $ octopus up-legacy o1\n $ boa in-legacy public server.mydomain.org my@email o2 mini\n etc.\n\n Remember to update your meta-installers first!\n\n $ cd;wget -q -U iCab http://files.aegir.cc/BOA.sh.txt;bash BOA.sh.txt\n\n Note also that if you will upgrade to current 'stable', it is not possible\n to downgrade back to the 'old stable' with 'legacy' mode, so please proceed\n with care!\n\n Remember also that current legacy version will not receive any further\n updates, even for security issues (besides those provided as packages by\n your OS vendor - Debian or Ubuntu, which will still work), because it is\n already different enough from current 2.3.1 stable, so we can't reliably\n maintain both with working upgrade path.\n\n#-### Caveats: This upgrade will force wildcard in the Nginx 'listen' directive\n\n If you have old enough BOA system which still uses legacy IP mode and not\n a wildcard in the Nginx 'listen' directive, which is both Ægir and BOA\n standard for a long time already, this upgrade will fix the problem and\n update directives only in vhosts known and controlled by BOA.\n\n If you have any other vhosts, located in standard or non-standard Nginx/BOA\n directories for vhosts, you have to update them manually after upgrade to\n BOA-2.3.0 or newer, or they will take over all other vhosts on the system\n and cause redirects to /install.php which results with Nginx error 403 or 404,\n depending on the prior configuration.\n\n It will happen because IP based 'listen' directive in Nginx has higher\n priority, and will mess things horribly if there are vhosts using wildcard\n and some using the main system IP address.\n\n What and how to replace? Here are the commands you need to run as root:\n\n $ sed -i \"s/.*listen.*:80;/ listen \\*:80;/g\" /path/to/vhost.file\n $ service nginx reload\n\n Note: this **doesn't** affect special vhosts for SSL enabled sites, if used,\n because they are designed to use IP based 'listen' directives to provide\n separation between SSL enabled IPs and their associated certificates,\n while their associated 'upstream' block may even point to either local or\n remote IP address, so there is no wildcard to use in this case, and it will\n not conflict with all other vhosts managed by Ægir, because all SSL enabled\n vhosts listen on other IP addresses than the main system IP, which is\n by default used by all vhosts with wildcard in the 'listen' directive.\n\n The problem may happen only when you have vhosts using wildcard and also\n some vhosts using **main** system IP address in the 'listen' directive,\n which may happen also unintentionally during upgrade to BOA-2.3.0 or never,\n if there are either vhosts BOA doesn't control, or there are ghost vhosts\n not yet purged if you didn't upgrade to BOA-2.2.9 before, or there are\n some disabled sites, so their vhosts will not be re-created by Ægir\n during this major upgrade (because only active sites can be re-verified).\n\n While BOA will fix also any such ghost vhosts anyway, it will not be able\n to detect and fix vhosts outside of the standard directories managed by Ægir.\n\n#-### Ability to add new Octopus instances with new, simple command syntax\n\n It is now possible to add stable Octopus instances w/o forcing Barracuda\n upgrade, plus optionally with no platforms added by default -- usage:\n\n $ boa {in-octopus} {email} {o2} {mini|max|none}\n\n#-### The www53 PHP-FPM pool has been switched from port to default socket mode.\n\n Note that we are breaking backward compatibility here, so it will cause\n downtime on upgrade from any too old BOA version, until you will upgrade also\n Octopus instance(s) and update any other non-standard vhosts or includes\n still using legacy port mode for 'fastcgi_pass' Nginx directive.\n\n If you have 'fastcgi_pass 127.0.0.1:9090;' in any custom vhost or Nginx\n include file on the Octopus instance, you should replace it with:\n\n fastcgi_pass unix:/var/run/o1.fpm.socket;\n\n where 'o1' is your corresponding Octopus system username.\n\n Note that if you have custom vhosts or includes in the Ægir Master Instance,\n you should instead replace 'fastcgi_pass 127.0.0.1:9090;' with:\n\n fastcgi_pass unix:/var/run/www53.fpm.socket;\n\n where '53' is related to PHP version defined via _PHP_FPM_VERSION in your\n /root/.barracuda.cnf file. Note that while variable has a dot, the socket\n name doesn't.\n\n#-### Support for PHP 5.2 has been officially deprecated\n\n While Barracuda 2.3.1 can continue to run and even upgrade if needed also\n the very old PHP 5.2 version, only Octopus instances running at least PHP 5.3\n or newer in both FPM and CLI mode can be upgraded to Octopus 2.3.1 Edition.\n\n If you are still using PHP 5.2 in your Octopus instance, you will not\n receive Ægir nor Drupal Platforms upgrade, but the Barracuda part of your\n system will receive upgrade to 2.3.1 anyway, so it will be ready to support\n your outdated Octopus instance upgrade as soon as you will switch it to\n modern and secure PHP version -- which is easy!\n\n Let's quote the original how-to for reference:\n\n#-### Support for PHP FPM/CLI version safe switch per Octopus instance\n\n This allows to easily switch PHP version by the instance owner w/o system\n admin (root) help. All you need to do is to create ~/static/control/fpm.info\n and ~/static/control/cli.info file with a single line telling the system\n which available PHP version should be used (if installed): 5.5 or 5.4 or 5.3\n\n Only one of them can be set, but you can use separate versions for web access\n (fpm.info) and the Ægir backend (cli.info). The system will switch versions\n defined via these control files in 5 minutes or less. We use external control\n files and not any option in the Ægir interface to make sure you will never\n lock yourself by switching to version which may cause unexpected problems.\n\n#-### Support for New Relic monitoring with per Octopus instance license key\n\n This new feature will disable global New Relic monitoring by deactivating\n server-level license key, so it can safely auto-enable or auto-disable it\n every 5 minutes, but per Octopus instance -- for all sites hosted on\n the given instance -- when a valid license key is present in the special\n new ~/static/control/newrelic.info control file.\n\n Please note that valid license key is a 40-character hexadecimal string\n that New Relic provides when you sign up for an account.\n\n To disable New Relic monitoring for the Octopus instance, simply delete\n its ~/static/control/newrelic.info control file and wait a few minutes.\n\n Please note that on a self-hosted BOA you still need to add your valid\n license key as _NEWRELIC_KEY in the /root/.barracuda.cnf file and run\n system upgrade with at least 'barracuda up-stable' first. This step is\n not required on Omega8.cc hosted service, where New Relic agent is already\n pre-installed for you.\n\n#-### Solr 4 cores can be added/updated/deleted via site level INI settings\n\n;;\n;; This option allows to activate Solr 4 core configuration for the site.\n;;\n;; Only Solr 4 powered by Jetty server is available. Supported integration\n;; modules are limited to latest versions of either search_api_solr (D7 only)\n;; or apachesolr (will use Drupal core specific version automatically).\n;;\n;; Currently used versions are listed below:\n;;\n;; https://ftp.drupal.org/files/projects/search_api_solr-7.x-1.6.tar.gz\n;; https://ftp.drupal.org/files/projects/apachesolr-7.x-1.7.tar.gz\n;; https://ftp.drupal.org/files/projects/apachesolr-6.x-3.0.tar.gz\n;;\n;; Note that you still need to add preferred integration module along with\n;; any its dependencies in your codebase since this feature doesn't modify\n;; your platform or site - it only creates Solr core with configuration\n;; files provided by integration module: schema.xml and solrconfig.xml\n;;\n;; This setting affects only the running daily maintenance system behaviour,\n;; so you need to wait until next morning to be able to use new Solr 4 core.\n;;\n;; Once the Solr core is ready to use, you will find a special file in your\n;; site directory: sites/foo.com/solr.php with details on how to access\n;; your new Solr core with correct credentials.\n;;\n;; The site with enabled Solr core can be safely migrated between platforms,\n;; integration module can be moved within your codebase and even upgraded,\n;; as long as it is using compatible schema.xml and solrconfig.xml files.\n;;\n;; Supported values for the solr_integration_module variable:\n;;\n;; apachesolr\n;; search_api_solr\n;;\n;; To delete existing Solr core simply comment out this line.\n;; The system will cleanly delete existing Solr core next morning.\n;;\n;; IMPORTANT if you are using self-hosted BOA: _MODULES_FIX=YES must be set\n;; in the /root/.barracuda.cnf file (this is default value) to make this\n;; feature active.\n;;\n;solr_integration_module = your_module_name_here\n\n;;\n;; This option allows to auto-update your Solr 4 core configuration files:\n;;\n;; schema.xml\n;; solrconfig.xml\n;;\n;; If there is new release for either apachesolr or search_api_solr, your\n;; Solr core will not be automatically upgraded to use newer schema.xml and\n;; solrconfig.xml, unless allowed by switching solr_update_config to YES.\n;;\n;; This option will be ignored if you will set solr_custom_config to YES.\n;;\n;solr_update_config = NO\n\n;;\n;; This option allows to protect custom Solr 4 core configuration files:\n;;\n;; schema.xml\n;; solrconfig.xml\n;;\n;; To use customized version of either schema.xml or solrconfig.xml, you need\n;; to switch solr_custom_config to YES below and if you are using hosted\n;; Ægir service, submit a support ticket to get these files updated with\n;; your custom versions. On self-hosted BOA simply update these files directly.\n;;\n;; Please remember to use Solr 4 compatible config files.\n;;\n;solr_custom_config = NO\n\n\n# Updated Octopus platforms:\n\n aGov 1.4 --------------------- https://drupal.org/project/agov\n Guardr 1.12 ------------------ https://drupal.org/project/guardr\n Open Academy 1.1 ------------- https://drupal.org/project/openacademy\n Restaurant 1.0-b9 ------------ https://drupal.org/project/restaurant\n Ubercart 3.7 ----------------- https://drupal.org/project/ubercart\n\n# New features and enhancements in this release:\n\n * Ability to add new Octopus instances with new, simple command syntax\n * Add default aggressive php-fpm monitoring + /root/.no.fpm.cpu.limit.cnf\n * Allow to define always disabled modules via _MODULES_FORCE variable.\n * Better wait limits on connection testing for slow network / long distance.\n * Issue #1927522 - Add support for easy Solr cores self-management.\n * Issue #362 - Add imageapi_optimize binaries via IMG in _XTRAS_LIST\n * Issue #376 - Add New Relic support with per Octopus instance license key.\n * Make firewall management faster with randomized schedule.\n * Procs monitor runs every 3 seconds.\n * Run mysql_proc_control every 5 seconds for better results.\n * You can safely apply db updates via 'Run db updates' task on any site.\n\n# Changes in this release:\n\n * DB credentials are no longer visible in settings.php, only in drushrc.php\n * Delete default profiles in the hostmaster platform.\n * Disable _DEBUG_MODE if not enabled on the fly.\n * Disable newrelic-sysmond unless /root/.enable.newrelic.sysmond.cnf exists.\n * Drush: Upgrade command line version 6 to mini-6-14-09-2014\n * Nginx: Remove deprecated code - _HTTP_WILDCARD is already used by default.\n * Nginx: Use limit_conn protection only for known dynamic requests.\n * Redis Integration Module (cache_backport): Update to version 6.x-1.0-rc2\n * Redis Integration Module: Update to version mod-12-09-2014\n * Remove _ALLOW_UNSUPPORTED legacy and no longer working properly feature.\n * Remove dependency on Update Manager globally.\n * Remove deprecated multi-instance labels in the New Relic configuration.\n * Replace old hosting_civicrm_cron with newer hosting_civicrm module.\n * Set hosting_default_profile to 'minimal' to improve Ubercart 3 visibility.\n * The www53 PHP-FPM pool has been switched from port to default socket mode.\n * Use Provision CiviCRM boa-2.3.1-dev\n\n# System upgrades in this release:\n\n * cURL 7.38.0 (if installed from sources)\n * Git 2.1.0 (if installed from sources)\n * Jetty 7.6.16.v20140903\n * Jetty 8.1.16.v20140903\n * Jetty 9.2.3.v20140905\n * PHP 5.3.29 EOL! Please read: http://php.net/archive/2014.php#id2014-08-14-1\n * PHP 5.4.32\n * PHP 5.5.16\n * Redis 2.8.14\n\n# Fixes in this release:\n\n * Add cleanup for _GIT_FORCE_REINSTALL if added in .barracuda.cnf\n * Add missing drush cache-clear drush to improve upgrade path.\n * Add new features in the README.txt\n * Add wheezy to the exceptions list where required.\n * Allow to clear drush cache without directory restrictions.\n * Always set correct TMP path for supported users.\n * Cleanup for cron pid files in user specific .tmp dirs.\n * Count properly also symlinked files directories (improved).\n * D6 colorbox module requires old 1.3.18 library.\n * Delete drush_make leftovers.\n * Delete duplicate menu items on upgrade.\n * Do not allow to install SSH from sources on Trusty to avoid problems.\n * Do not skip daily.sh during barracuda system only update.\n * Eldir theme: Use max width for buttons, if possible.\n * Explain why installing RVM may take longer than expected.\n * Fix cleanup for drush aliases in sub-accounts.\n * Fix daily cleanup for user specific .tmp directories.\n * Fix docs/HINTS.txt\n * Fix for broken mariadb.list\n * Fix for broken, way too aggressive PHP-FPM monitoring.\n * Fix for ghost dirs cleanup.\n * Fix for ghost vhosts cleanup.\n * Fix for missing symlinks to existing platforms.\n * Fix for not working protection from blocking local IPs on multi-IP systems.\n * Fix for subdirs_support universal check.\n * Fix for unreliable _IS_OLD check on Octopus instances upgrade.\n * Fix for warning \"Could not create directory .\" on Hostmaster site Verify.\n * Fix the fields order in the site edit form.\n * Fix the regex to not whitelist unexpected IP ranges inadvertently.\n * Force cURL rebuild if installed with outdated OpenSSL version.\n * Guard against destructive or insecure tasks run on the hostmaster site.\n * Improve cleanup for empty platforms directories.\n * Improve monitoring to protect against convert trying to overload the system.\n * Issue #2330781 - Use Drush dt() wrapper instead of not always available t()\n * Issue #357 - Fix the logic for Git (re)install from sources.\n * Issue #360 - Exclude special --CDN vhosts from daily cleanup.\n * Issue #361 - Update and improve docs/FAQ.txt\n * Issue #369 - Automatically download and fix /bin/websh if missing.\n * Issue #369 - Restore classic /bin/sh symlink automatically if needed.\n * Issue #373 - Set correct TMP, TEMP, TMPDIR env variables in limited shell.\n * Issue #373 - Too restrictive lshell forbidden list breaks drush sql-sync.\n * Issue #380 - Nameserver / pdnsd problem -- Fixes also Issue #2007990.\n * Issue #381 - Zend OPcache forced adds useless noise in the log.\n * Issue #388 - Version 6.x-2.x of provision_civicrm requires hosting_civicrm\n * Issue #389 - hosting_civicrm breaks site install form with confusing error.\n * Issue #390 - Duplicate platforms nodes are created after upgrade to 2.3.0\n * Issue #395 - Validate username isn't reserved before running install script.\n * Issue #396 - Locale isn't getting set properly.\n * Issue #397 - Not actually prompted for platforms during installation.\n * Issue #398 - Make locales setup/fix for Debian always OS compatible.\n * Issue #399 - The hitimes gem needs to be pre-installed to support Omega4.\n * Issue #400 - CiviCRM is not installed on 2.3.0\n * Issue #401 - Create sites/all/* subdirs in Hostmaster early enough.\n * Issue #402 - Fix for ghost or disabled vhosts which still listen on IP.\n * Issue #405 - Installer hangs due to yes/no dialog - \"Untrusted packages\"\n * Issue #406 - Force keyring reinstall also upon 'GPG error'.\n * Issue #407 - Fix for 'username is already taken' error on a local VM install\n * Issue #408 - Fix for multiple funny typos. Thanks ar-jan!\n * Make it clear that subdomain and subdirectory name must be identical.\n * Make sure that keys subdirectory exists to avoid active platforms cleanup.\n * Make the PHP-FPM processes monitor less aggressive by default.\n * New Relic not enabled if no custom ~/static/control/{fpm|cli}.info exists.\n * Nginx: Add config symlinks only on legacy instances.\n * Nginx: Add cron access support for subdir sites.\n * Nginx: Convert all vhosts to wildcard mode on Barracuda upgrade.\n * Nginx: Disable monitoring for POST requests related to cart/checkout URI.\n * Nginx: Do not touch nginx_wild_ssl.conf during this upgrade.\n * Nginx: Improve wildcard conversion procedure on some really old instances.\n * Nginx: Remove deprecated code and config templates.\n * Nginx: Sanitize aliases in vhost_disabled.tpl.php to avoid warnings.\n * Nginx: Update config includes to match optional BOA features improvements.\n * Nginx: Update unified configuration templates in Provision to unfork BOA.\n * Nginx: Update vhosts templates to match BOA improvements.\n * PHP: Avoid unintended duplicate rebuilds.\n * PHP: Sync disable_functions list.\n * Protect sites/all/drush\n * Provision: Backport provision_hosting_feature_enabled()\n * Provision: Remove legacy subdir code and update checks.\n * Redis config should sync with PHP-CLI, not PHP-FPM.\n * Remove legacy procs monitoring code.\n * Remove no longer needed limreq global fixes.\n * Remove no longer needed/used contrib updates.\n * Remove redundant file_exists() if is_readable() is also used.\n * Replace old hosting_civicrm_cron with newer hosting_civicrm module.\n * Restart pdnsd before running barracuda upgrade.\n * Restore BOA formatting for tasks log to improve readability.\n * Restore BOA naming convention and docs in Hostmaster.\n * Restore BOA naming convention for Installation profiles in Hostmaster.\n * Restore BOA strict _hosting_valid_fqdn* testing procedures in Hostmaster.\n * Restore BOA weight defaults in the form in Hostmaster.\n * Restore punycode in Hostmaster.\n * Restore tasks sort to always show tasks scheduled and running at the top.\n * Sanitize cli.info and fpm.info\n * Set _PLATFORMS_LIST properly.\n * Silence early sed replacements to avoid confusion.\n * Simplify colorbox-1.3.18 download.\n * Simplify colorbox-1.5.13 download.\n * Switch branch on the fly and add support for Ægir vanilla mode.\n * Sync /tmp access restrictions.\n * The hosting_civicrm_cron is now a submodule and should be also auto-enabled.\n * The wildcard transition **doesn't** affect vhosts for SSL enabled sites.\n * There is no need to force backend clone from GitHub on initial upgrade.\n * Update for the Hostmaster welcome page.\n * Update FPM monitoring settings.\n * Use as short labels on the site node as possible.\n * Use control files properly to not run redundant Jetty/Solr upgrade.\n * Use correct paths to platform level drushrc.php file.\n * Use correct Provision version on initial upgrade to 2.3.0\n * Use Drush6 with @hostmaster.\n * Use is_dir() instead of file_exists() when checking directory existence.\n * Use is_file() and is_link() instead of file_exists() before trying unlink()\n * Use is_readable() and file_exists() instead of file_exists() for backup.\n * Use is_readable() check instead of insufficient file_exists() for includes.\n * Use is_readable() instead of file_exists() when checking alias existence.\n * Install latest Git even if not specified via _XTRAS_LIST but previous\n version built from sources is detected.\n * Issue #2278847 - Derivatives can't be created on install with Drush and\n Ægir or when no vhost is available yet (Drupal Commons)\n\n\n### Stable BOA-2.3.0 Release - Full Edition\n### Date: Mon Sep 8 08:42:01 PDT 2014\n### Includes Ægir 2.1 with improvements\n\n Release Notes and changelog for BOA-2.3.0 has been merged into BOA-2.3.1\n above after several hotfixes and some great new features have been added\n shortly after 2.3.0 release to address all identified post-release issues.\n\n\n### Stable BOA-2.2.9 Release - Full Edition\n### Date: Wed Aug 6 17:08:10 PDT 2014\n### Includes Ægir 2.x-boa-custom version.\n### Latest hotfix added on: Fri Aug 15 09:37:04 PDT 2014\n\n# Release Notes:\n\n This release includes updated versions of all supported Drupal platforms to\n provide latest Drupal 7 and Pressflow 6 core, plus some changes, improvements,\n bug fixes, and many updated Octopus platforms.\n\n NOTE: Since the first Edition in the BOA-2.3.x series is not ready for release\n yet, and new Drupal core has been released to fix security issues, followed\n by yet another release to fix serious regressions, followed by yet another\n security release, we have decided to make it available to everyone and release\n yet another stable BOA-2.2.x Edition.\n\n IMPORTANT! This is the last Edition in the 2.2.x series, which marks the end\n of Drupal 5, PHP 5.2 and Drush 4 support. Next Edition will open 2.3.x series,\n which will allow us to provide newer Ægir version with built-in Drush 6\n support, sites in subdirectories, and many Ægir User Interface improvements.\n\n If you still host any Drupal 5 sites or you are using PHP 5.2 for D6 sites,\n you will not be able to upgrade to the next 2.3.x Edition and you will have to\n stay on the 'legacy' BOA 2.2.x version, which will receive only system\n security upgrades, but no further feature nor bugfix releases.\n\n This also means that from now on the 'legacy' 2.2.x version will no longer\n receive Drupal core upgrades, even if there will be security core releases.\n\n It is time to upgrade away from Drupal 5 and away from PHP 5.2, if still used.\n\n# Updated Octopus platforms:\n\n aGov 1.2 --------------------- https://drupal.org/project/agov\n Commerce 1.29 ---------------- https://drupal.org/project/commerce_kickstart\n Commerce 2.17 ---------------- https://drupal.org/project/commerce_kickstart\n Commons 2.20 ----------------- https://drupal.org/project/commons\n Commons 3.17 ----------------- https://drupal.org/project/commons\n ERPAL 2.0-b5 ----------------- https://drupal.org/project/erpal\n Guardr 1.11 ------------------ https://drupal.org/project/guardr\n Open Atrium 2.21 ------------- https://drupal.org/project/openatrium\n Open Outreach 1.10 ----------- https://drupal.org/project/openoutreach\n OpenPublic 1.0-rc4 ----------- https://drupal.org/project/openpublic\n Panopoly 1.11 ---------------- https://drupal.org/project/panopoly\n Restaurant 1.0-b2 ------------ https://drupal.org/project/restaurant\n\n# New features and enhancements in this release:\n\n * Allow to define always disabled modules via _MODULES_FORCE variable.\n * Eldir: Add subtle 3D and round some edges.\n * Eldir: Improve spacing and hide useless headers.\n * Fix permissions on sites/all/{modules,libraries,themes} on Platform Verify.\n * Make firewall management faster with randomized schedule.\n * Merge pull request #362 from pricejn2/imageapi-optimize-binaries\n * RVM: Add exceptions for gems which can't be installed in Limited Shell.\n * Shell: Compass Tools: Allow to access guard.\n * Shell: Improve config to better support advanced Drush commands over SSH.\n\n# Changes in this release:\n\n * Drush: Upgrade command line version 6 to mini-6-14-08-2014\n * Nginx: Add DBot to is_crawler list.\n * Remove no longer supported NodeStream distro.\n * Run complete modules-dis-list weekly (Saturday) and basic list daily.\n\n# System upgrades in this release:\n\n * MariaDB 10.0.13\n * MariaDB 5.5.39\n * Nginx 1.7.4\n * OpenSSL 1.0.1i (if installed from sources)\n * PHP: ionCube loader 4.6.1\n * PHP: Zend OPcache master-30-07-2014\n\n# Fixes in this release:\n\n * Add cleanup for .tmp in sub-accounts.\n * Add cleanup for drush-backups leftovers.\n * Add cleanup for various /var/backups/* leftovers.\n * Add daily auto-cleanup for ghost vhosts, platforms and drush aliases.\n * Add exception for symlinked /data/all\n * Add hint for HTTPS-only mode forced in local.settings.php\n * Allow to clear drush cache without directory restrictions.\n * Avoid \"Is a directory\" noise in the log.\n * Commons 2.20 has changed its profile name from drupal_commons to commons.\n * Do not modify site_footer on hostmaster upgrade.\n * Do not rename the legacy Commons profile name.\n * Fix -mtime expected values.\n * Fix cleanup for .restore vhost leftovers.\n * Fix cleanup for drush aliases in sub-accounts.\n * Fix for unreliable _IS_OLD check on Octopus instances upgrade.\n * Fix Nginx monitor to respect all whitelisted POST requests in both modes.\n * Fix permissions on sites/all/{modules,libraries,themes} globally.\n * Fix weird typo in global.inc\n * Improve cleanup for empty platforms directories.\n * Improve RVM cleanup.\n * Issue #2278847 - Derivatives (Drupal Commons) can't be created on install.\n * Issue #334 - Backported provision_civicrm #1485920\n * Issue #334 - Delete the civicrm_class_loader variable after deploying.\n * Issue #334 - Install civicrm in any location (sites/ profiles + contrib).\n * Issue #360 - Exclude special --CDN vhosts from daily cleanup.\n * Make sure that /keys subdirectory exists to avoid active platforms cleanup.\n * Make sure that local IPs are never blocked by mistake.\n * Never touch websh wrapper to avoid high load because of redirect loop.\n * Nginx: Detected $device is not used in Boost config, only in Speed Booster.\n * Nginx: Fix limreq also for some really old vhosts.\n * Nginx: Modify only vhosts known as included in the protected mode.\n * Remove /var/run/daily-fix.pid if exists when it shouldn't.\n * Remove debugging mode in old codebases cleanup.\n * Remove no longer needed/used contrib updates.\n * Restore default websh wrapper symlink as fast as possible.\n * Run manage_ltd_users every 3 minutes instead of every minute.\n * Simplify colorbox-1.3.18 download.\n * Simplify colorbox-1.5.13 download.\n * Uninstall css_emimage only on hostmaster upgrade.\n * Update and improve docs/FAQ.txt\n * Update regex for exceptions in Nginx monitoring.\n\n\n### Stable BOA-2.2.8 Release - Full Edition\n### Date: Sat Jul 26 15:31:29 PDT 2014\n### Includes Ægir 2.x-boa-custom version.\n### Latest hotfix added on: Tue Aug 5 14:47:17 PDT 2014\n\n# Release Notes:\n\n This release includes updated versions of all supported Drupal platforms to\n provide latest Drupal 7 and Pressflow 6 core, plus some changes, improvements,\n bug fixes, and six (6) updated Octopus platforms.\n\n NOTE: Since the first Edition in the BOA-2.3.x series is not ready for release\n yet, and new Drupal core has been released to fix security issues, followed by\n yet another release to fix serious regressions, we have decided to make it\n available to everyone and release yet another stable BOA-2.2.x Edition.\n\n IMPORTANT! This is the last Edition in the 2.2.x series, which marks the end\n of Drupal 5, PHP 5.2 and Drush 4 support. Next Edition will open 2.3.x series,\n which will allow us to provide newer Ægir version with built-in Drush 6\n support, sites in subdirectories, and many Ægir User Interface improvements.\n\n If you still host any Drupal 5 sites or you are using PHP 5.2 for D6 sites,\n you will not be able to upgrade to the next 2.3.x Edition and you will have to\n stay on the 'legacy' BOA 2.2.x version, which will receive only system\n security upgrades, but no further feature nor bugfix releases.\n\n This also means that from now on the 'legacy' 2.2.x version will no longer\n receive Drupal core upgrades, even if there will be security core releases.\n\n It is time to upgrade away from Drupal 5 and away from PHP 5.2, if still used.\n\n# Updated Octopus platforms:\n\n Commerce 1.28 ---------------- https://drupal.org/project/commerce_kickstart\n Commerce 2.16 ---------------- https://drupal.org/project/commerce_kickstart\n Commons 3.16 ----------------- https://drupal.org/project/commons\n Open Outreach 1.8 ------------ https://drupal.org/project/openoutreach\n OpenBlog 1.0-v3 -------------- https://drupal.org/project/openblog\n Panopoly 1.8 ----------------- https://drupal.org/project/panopoly\n\n# New features and enhancements in this release:\n\n * Allow to force OpenSSL etc. re-install with _SSL_FORCE_REINSTALL=YES\n * Auto-Move no longer used shared codebases to /var/backups/codebases-cleanup\n\n# Changes in this release:\n\n * Drush: Upgrade command line version 6 to mini-6-29-07-2014\n * Issue #334 - Update provision_civicrm version - code by ixiam - thanks!\n * Redis Integration Module: Update to version mod-21-07-2014\n * Uninstall css_emimage in hostmaster to avoid broken upgrades.\n * Update for Contrib [F]orce[D]isabled modules list.\n * Use more aggressive defaults for _PURGE_BACKUPS and _PURGE_TMP if not set.\n\n# System upgrades in this release:\n\n * PHP 5.4.31\n * PHP 5.5.15\n\n# Fixes in this release:\n\n * Add auto-cleanup for civimail ghost leftovers.\n * Add cleanup drush aliases in the main SSH account properly.\n * Add cleanup for RVM archives and logs.\n * Fix for default value on hot fix update.\n * Fix for dev regression - it shouldn't set $conf['cache'] on valid dev URLs.\n * Fix the logic for custom _DEL_OLD_EMPTY_PLATFORMS defaults.\n * Issue #333 - Update BOA changelog URL shortcut.\n * Nginx: Automate SPDY test to determine if OpenSSL re-install is required.\n * Nginx: Silence access log for already protected /civicrm admin requests.\n * Remove special one-time variables if set, once used.\n * RVM: Install OS compatible Ruby version + various related adjustments.\n * Silence useless noise in the log.\n * Sync firewall limits.\n\n\n### Stable BOA-2.2.7 Release - Full Edition\n### Date: Thu Jul 17 03:11:47 CEST 2014\n### Includes Ægir 2.x-boa-custom version.\n### Latest hotfix added on: Fri Jul 18 18:21:40 CDT 2014\n\n# Release Notes:\n\n This release includes some nice new features, improvements, bug fixes, one\n new Octopus platform, five (5) updated Octopus platforms, along with latest\n Drupal core security upgrades for all supported platforms.\n\n NOTE: Since the first Edition in the BOA-2.3.x series is not ready for release\n yet, and new Drupal core has been released today to fix security issues,\n we have decided to make it available to everyone and release yet another\n stable BOA-2.2.x series Edition.\n\n IMPORTANT! This is the last Edition in the 2.2.x series, which marks the end\n of Drupal 5, PHP 5.2 and Drush 4 support. Next Edition will open 2.3.x series,\n which will allow us to provide newer Ægir version with built-in Drush 6\n support, sites in subdirectories, and many Ægir User Interface improvements.\n\n If you still host any Drupal 5 sites or you are using PHP 5.2 for D6 sites,\n you will not be able to upgrade to the next 2.3.x Edition and you will have to\n stay on the 'legacy' BOA 2.2.x version, which will receive only system\n security upgrades, but no further feature nor bugfix releases.\n\n This also means that from now on the 'legacy' 2.2.x version will no longer\n receive Drupal core upgrades, even if there will be security core releases.\n\n It is time to upgrade away from Drupal 5 and away from PHP 5.2, if still used.\n\n# New Octopus platforms:\n\n OpenPublic 1.0-b23 ----------- https://drupal.org/project/openpublic\n\n# Updated Octopus platforms:\n\n Commerce 1.27 ---------------- https://drupal.org/project/commerce_kickstart\n Commons 3.15 ----------------- https://drupal.org/project/commons\n ERPAL 2.0-b4 ----------------- https://drupal.org/project/erpal\n Guardr 1.9 ------------------- https://drupal.org/project/guardr\n Open Deals 1.33 -------------- https://drupal.org/project/opendeals\n\n# New features and enhancements in this release:\n\n * Add early auto-repair procedure if Provision is missing for any reason.\n * Add support for Debian Squeeze LTS updates.\n * Add support for Debian Squeeze Stable Proposed Updates.\n * Add views_accelerator in all D7 platforms by default via o_contrib bundle.\n * Issue #307 - Support for Compass Tools via RVM with local user gems.\n * Make $conf['cache'] configurable via disable_drupal_page_cache INI variable.\n\n# Changes in this release:\n\n * Nginx: Send Boost compatible Cache-Control headers also with Speed Booster.\n\n This is to mimic Drupal core behaviour when full-page cache is disabled,\n even if it is not really disabled via disable_drupal_page_cache INI variable.\n Note that Speed Booster continues to ignore Cache-Control headers sent by\n Drupal backend, as before, to force its own TTL set via INI variable:\n speed_booster_anon_cache_ttl or in the custom local.settings.php code.\n\n * Add css_emimage to hostmaster makefile to remove dependency on o_contrib.\n * Do not upgrade existing o_contrib, only add new if missing in old platforms.\n * Drush: Upgrade command line version 6 to mini-6-16-07-2014\n * Limited Shell configuration update.\n * Nginx: Do not log HTTPS redirects.\n * PHP: AutoRemove 5.2 from _PHP_MULTI_INSTALL if no instance is using it.\n * Prefer dash if available.\n * Redis Integration Module: Update to version mod-10-07-2014\n * The ?nocache=1 in the URL should also force $conf['cache'] = 0; on the fly.\n * Update lfd default configuration.\n\n# System upgrades in this release:\n\n * cURL 7.37.1 (if installed from sources)\n * Nginx 1.7.3\n * PHP 5.4.30\n * PHP 5.5.14\n * PHPRedis: master-06-07-2014\n * Redis 2.8.13\n\n# Fixes in this release:\n\n * Authorized IPs detection - it should ignore serial/remote console logins.\n * BND --- Bind9 DNS Server (available on Debian only).\n * Clear packages cache more aggressively to avoid issues during OS upgrades.\n * Configure RVM env properly if installed in the user home directory.\n * Contrib update: filefield-6.x-3.13\n * Disable redis integration during hostmaster upgrade.\n * Do not allow known bots to activate nocache and noredis URLs behaviour.\n * Do not use css_emimage in hostmaster to avoid broken upgrades.\n * Fix for o_contrib update logic.\n * Fix for possible permissions problem with redis log file.\n * Fix incorrect version in the permissions fix.\n * Fix legacy test logic to allow head instances to upgrade to another 2.2.x\n * Fix regex in procs monitor.\n * Fix the check for legacy systems on upgrade.\n * Force keyring reinstall if reported as broken.\n * Issue #316 - Octopus upgrade fails because of missing cd $_ROOT/.drush/sys\n * Issue #319 - XTRAS_LIST settings are being overwritten (Ubuntu).\n * Issue #320 - Compass Tools available on Squeeze, Wheezy, Precise and Trusty.\n * Issue #324 - HTTPS results in redirect loop on AWS due to ignored _MY_OWNIP.\n * Issue #328 - The /bin/sh symlink modified daily causes false lfd alarm.\n * Make it clear that we recommend and support Debian 64bit.\n * Make sure that redis and cache_backport are available for hostmaster.\n * Purge no longer used jdk leftovers.\n * Readme improvements.\n * Remove no longer needed tmp chown -R\n * Remove no longer used /data/src directory.\n * Remove remote_import if found if the wrong directory.\n * Sanitize logs lines before analyzing them.\n * The list of platforms symbols can be in a single line or one per line.\n * There is no need to force SHELL in the websh wrapper.\n * Update nginx documentation URL.\n * Use static ftp.debian.org instead of unreliable http.debian.net mirrors.\n\n\n### Stable BOA-2.2.6 Release - Full Edition\n### Date: Sat Jun 21 06:14:18 PDT 2014\n### Includes Ægir 2.x-boa-custom version.\n### Latest hotfix added on: Mon Jul 14 14:54:04 CDT 2014\n\n# Release Notes:\n\n This release includes great new features, improvements, important changes,\n many bug fixes, plus 3 new and 7 updated Octopus platforms.\n\n IMPORTANT! This is the last Edition in the 2.2.x series, which marks the end\n of Drupal 5, PHP 5.2 and Drush 4 support. Next Edition will open 2.3.x series,\n which will allow us to provide newer Ægir version with built-in Drush 6\n support, sites in subdirectories, and many Ægir User Interface improvements.\n\n If you still host any Drupal 5 sites or you are using PHP 5.2 for D6 sites,\n you will not be able to upgrade to the next 2.3.x Edition and you will have to\n stay on the 'legacy' BOA 2.2.x version, which will receive only system\n security upgrades, but no further feature nor bugfix releases.\n\n This also means that from now on the 'legacy' 2.2.x version will no longer\n receive Drupal core upgrades, even if there will be security core releases.\n\n It is time to upgrade away from Drupal 5 and away from PHP 5.2, if still used.\n\n# New Octopus platforms:\n\n aGov 1.0-rc8 ----------------- https://drupal.org/project/agov\n ERPAL 2.0-b2 ----------------- https://drupal.org/project/erpal\n Restaurant 1.0-a5 ------------ https://drupal.org/project/restaurant\n\n# Updated Octopus platforms:\n\n Commerce 2.15 ---------------- https://drupal.org/project/commerce_kickstart\n Commons 2.18 ----------------- https://drupal.org/project/commons\n Commons 3.14 ----------------- https://drupal.org/project/commons\n Guardr 1.5 ------------------- https://drupal.org/project/guardr\n Open Atrium 2.19 ------------- https://drupal.org/project/openatrium\n Open Outreach 1.7 ------------ https://drupal.org/project/openoutreach\n Panopoly 1.6 ----------------- https://drupal.org/project/panopoly\n\n# New features and enhancements in this release:\n\n * Drush aliases based workflows are now supported also remotely over SSH.\n\n This is significant improvement since we have added automatically generated\n and updated Drush aliases for the on-the-server use in BOA-2.2.0\n\n * Add gems: compass_radix v2 and compass_twitter_bootstrap\n * Add support for automatic Scout App upgrade on RVM/Ruby/Gems upgrade.\n * Install headless JRE and only if Solr is expected to run.\n * Issue #2268889 - Allow to whitelist IPs for chive, cgp and sqlbuddy access.\n * Issues #2248907 #1299526 - Allow to use comments for admin notes.\n * Nginx: Disable proxy_buffering to avoid useless extra layer in local proxy.\n * SQL: Allow to change InnoDB log file size via _INNODB_LOG_FILE_SIZE variable\n * Use better subdirectory tree for Drush extensions.\n * Add support for disable_user_register_protection INI variable on the\n platform level - on self-hosted BOA and Power Engines only.\n\n * Issue #2240277 - Customize Octopus platforms list via control file.\n\n ~/static/control/platforms.info\n\n This file, if exists and contains a single line with supported platforms\n symbols, allows to control/override the value of _PLATFORMS_LIST variable\n normally defined in the /root/.${_USER}.octopus.cnf file, which can't be\n modified by the Ægir instance owner with no system root access.\n\n IMPORTANT: If used, it will replace/override the value defined on initial\n instance install and all previous upgrades. It takes effect on every\n future Octopus instance upgrade, which means that you will miss all newly\n added distributions, if they will not be listed also in this control file.\n\n Supported values which can be written in this file - remember: all in a\n single line, space separated, so not one per line, as listed below\n only for readability:\n\n # D7P D7S D7D --- Drupal 7 prod/stage/dev\n # D6P D6S D6D --- Pressflow 6 p/s/d\n # AGV ----------- aGov\n # CME ----------- Commerce v.2\n # CS7 ----------- Commons 7\n # DCE ----------- Commerce v.1\n # DCS ----------- Commons 6\n # ERP ----------- ERPAL\n # FSR ----------- Feature Server\n # GDR ----------- Guardr\n # MNS ----------- Managing News\n # OA7 ----------- Open Atrium D7\n # OAM ----------- Open Atrium D6\n # OAY ----------- Open Academy\n # OBG ----------- OpenBlog\n # OCH ----------- OpenChurch\n # ODS ----------- Open Deals\n # OOH ----------- Open Outreach\n # OSR ----------- OpenScholar\n # PPY ----------- Panopoly\n # RER ----------- Recruiter\n # RST ----------- Restaurant\n # SRK ----------- Spark\n # TTM ----------- Totem\n # UC7 ----------- Ubercart D7\n # UCT ----------- Ubercart D6\n\n You can also use special keyword 'ALL' to have all available platforms\n installed, including newly added in the future BOA system releases.\n\n Examples:\n\n ALL\n D7P D6P OAM MNS OOH RST\n\n * Issue #314 - Make _BACKEND_ITEMS configurable via _BACKEND_ITEMS_LIST\n\n You can whitelist extra binaries to make them available for web server\n requests, in addition to already whitelisted, known as safe binaries.\n\n NOTE: This feature is available only on self-hosted BOA systems.\n\n Please be aware that you could easily open security holes by whitelisting\n commands which may provide access to otherwise not available parts of\n the system, because the exec() in PHP doesn't respect other limitations\n like open_basedir directive.\n\n You should list only filenames, not full paths, for example:\n\n _BACKEND_ITEMS_LIST=\"git foo bar\"\n\n# Changes in this release:\n\n * Add memcache, memcache_admin to the list of automatically disabled modules.\n * Add support for Debian Squeeze LTS updates.\n * Add support for Debian Squeeze Stable Proposed Updates.\n * Add varnish to the list of automatically disabled modules.\n * Add watchdog_live to the list of automatically disabled modules.\n * Disable and remove not used init scripts on known VM systems.\n * Drush: Upgrade command line version 6 to mini-6-21-06-2014\n * Fast DNS Cache Server (pdnsd) install is no longer optional.\n * Install only vanilla core platforms by default (can be overridden)\n * Nginx: Update default limit_conn settings.\n * Nginx: Use only newer control file to force DoS monitor aggressive mode.\n * Sync permissions with new defaults in the hardened setup.\n * Update files ownership to match defaults in the hardened setup.\n * Use dynamic mirror selection provided by Debian instead of forced static.\n\n * The BOA project has moved to Github!\n\n We no longer use repositories and issue queues on drupal.org, in an effort\n to avoid fragmentation and duplication. We have moved all downloads used\n by Barracuda and Octopus to our mirrors a few months ago, and it helped to\n make BOA faster and more reliable during both system install and upgrades.\n\n The next step is to use http://boa.readthedocs.org as a new home for all\n future documentation efforts - it will build the docs, including printable\n versions, on the fly, using dedicated Github repository as a backend, where\n you can help migrate existing docs and improve them, both via boa-docs\n project issue queue and pull requests:\n\n https://github.com/omega8cc/boa-docs\n\n We also encourage you to use drupal.stackexchange.com for BOA support:\n\n http://drupal.stackexchange.com/questions/tagged/aegir\n\n Please use our Github project for contributing code, reporting bugs,\n and also suggesting new features and ideas:\n\n https://github.com/omega8cc/boa\n\n# System upgrades in this release:\n\n * cURL 7.37.0 (if installed from sources)\n * MariaDB 10.0.12\n * MariaDB 5.5.38\n * MySecureShell 1.33\n * Nginx 1.7.2\n * OpenSSL 1.0.1h (if installed from sources)\n * PHP 5.4.29\n * PHP 5.5.13\n * PHP: Zend OPcache master-28-05-2014\n * Redis 2.8.11\n * Ruby 2.1.2\n\n# Fixes in this release:\n\n * Add caveats to docs/REMOTE.txt\n * Add explicit whitelisting in websh wrapper to avoid any edge case problems.\n * Add info about Two-Factor Auth for Chive in the welcome email template.\n * Add missing exceptions in global.inc and simplify docs/REMOTE.txt\n * Add missing wrapper exceptions required by daily.sh script.\n * Clean up packages cache on finale()\n * Create symlink for boa wrapper on the initial install only.\n * Delete daily both files and directories in the ~/static/trash/\n * Do not remove bundler in CI instances if /root/.keep.bundler.cnf exists.\n * Explain that _ALLOW_UNSUPPORTED works only with head.\n * Fix for _NGINX_DOS_LIMIT logical error in the scan_nginx template.\n * Fix for already installed Open Atrium 2.18 7.28.1\n * Fix for Postfix configuration.\n * Fix incorrect version in the permissions fix.\n * Fix permissions after every upgrade.\n * Fix permissions and owner/group required for feeds (upload) support.\n * Fix regex in procs monitor.\n * Force apticron re-install if apticron.conf is outdated.\n * Generate /data/all/cpuinfo daily to be used in Provision.\n * GPL Ghostscript should be available for the web (PHP-FPM) access.\n * Issue #2248037 - Add Platform and Site INI files Templates on Verify task.\n * Issue #2262935 - Modules dir must be group writable in custom platforms.\n * Issue #315 - Upgrading from older versions of BOA fails\n * Issue #316 - Upgrade fails because of missing cd $_ROOT/.drush/sys line.\n * Issue #319 - XTRAS_LIST settings are being overwritten (Ubuntu)\n * Issue #324 - HTTPS results in redirect loop on AWS due to ignored _MY_OWNIP.\n * PHP: Add protection from switching to not installed CLI or FPM version.\n * PHP: Do not block getenv function.\n * Provision: Use /data/all/cpuinfo generated by BOA daily, if exists.\n * Remove redundant downloads silencer.\n * Remove remote_import if found in the wrong directory.\n * Sanitize logs lines before analyzing them.\n * SQL: Do not run update_innodb_log_file_size() if the size is the same.\n * Sync BOND with BARRACUDA.\n * Update for switch_to_bash procedure.\n * Use already downloaded patches.\n * Use Debian release specific proposed-updates.\n * Use full path to sqlmagic in daily.sh to avoid 'command not found' error.\n * Use static ftp.debian.org instead of unreliable http.debian.net mirrors.\n * Fix for authorized IPs detection in the protected vhosts logic - it should\n ignore serial/remote console logins.\n * Provision: Use higher hardcoded threshold to avoid breaking tasks due to\n high load on multi-CPU systems when provision can't determine the real load.\n\n\n### Stable BOA-2.2.5 Release - Full Edition\n### Date: Thu May 8 11:59:23 PDT 2014\n### Includes Ægir 2.x-boa-custom version.\n### Latest hotfix added on: Sat May 10 09:05:19 PDT 2014\n\n# Release Notes:\n\n This release includes no new features, but does include bug fixes plus latest\n Drupal 7.28.1 and Pressflow 6.31.2 core in all built-in Octopus platforms.\n There are also three updated distributions included, as listed below.\n We also list here all hot-fixes applied to previous stable after its release.\n\n# Important - Read This First! (for self-hosted BOA only)\n\n If you haven't run full barracuda+octopus upgrade to latest BOA Stable\n Edition yet, don't use any partial upgrade modes explained in docs/UPGRADE.txt\n Once new BOA Stable is released, you must run *full* upgrades with commands:\n\n $ barracuda up-stable\n $ octopus up-stable all both\n\n For silent, logged mode with email message sent once the upgrade is\n complete, but no progress is displayed in the terminal window, you can run\n alternatively, starting with screen session to avoid incomplete upgrade\n if your SSH session will be closed for any reason before the upgrade\n will complete:\n\n $ screen\n $ barracuda up-stable log\n $ octopus up-stable all both log\n\n Note that the silent, non-interactive mode will automatically say Y/Yes\n to all prompts and is thus useful to run auto-upgrades scheduled in cron.\n\n If you have skipped some recent BOA releases, and you have new default config\n option: _PERMISSIONS_FIX=NO in your /root/.barracuda.cnf configuration file,\n plus, you are not sure if you follow best practices for managing permissions\n as recommended in our docs: https://omega8.cc/node/116 then we recommend\n that you change it to _PERMISSIONS_FIX=YES temporarily, or even permanently\n if your VPS is fast enough, and then run this powerful script as root:\n\n $ bash /var/xdrago/daily.sh\n\n Note that BOA 'legacy' mode is still at version 2.1.3\n\n# Updated Octopus platforms:\n\n Commons 3.12 ----------------- https://drupal.org/project/commons\n Open Atrium 2.18 ------------- https://drupal.org/project/openatrium\n Open Outreach 1.6 ------------ https://drupal.org/project/openoutreach\n\n# Changes in this release:\n\n * Add rsyslog/sysklogd to auto-healing procedures.\n * Make the aggressive scan_nginx mode optional and use old mode by default.\n * Nginx: Add HiScan to blocked crawlers list.\n * Nginx: Add Riddler to blocked crawlers list.\n * PHP: Use pm.process_idle_timeout = 10s for speed and RAM optimization.\n\n# System upgrades in this release:\n\n * MySecureShell 1.33\n * PHP 5.4.28\n * PHP 5.5.12\n\n# Fixes in this release:\n\n * Always define _PHP_CN variable properly.\n * Firewall: Sync CONNLIMIT for web ports with updated limit_conn in Nginx.\n * Fix for _NGINX_DOS_LIMIT logical error in the scan_nginx template.\n * Force Pure-FTPd server re-install if key files are missing for any reason.\n * Issue #2237167 - Improve authorized IPs detection in all protected vhosts.\n * Issue #2262935 - Modules dir must be group writable in custom platforms.\n * Nginx: Do not overwrite custom symlinks to the Under Construction template.\n * Nginx: Update limit_conn in all instances and vhosts on Barracuda upgrade.\n * PHP: Delete pear in legacy paths, if still exists.\n * PHP: Fix for CVE-2014-0185 privilege escalation in FPM (doesn't affect BOA)\n * Postfix: Force re-install if broken permissions detected on upgrade.\n * Pressflow 6: Fix #GH 84 by using drupal_page_is_cacheable().\n * Pressflow 6: Merge pull request #GH 85 from pressflow/SA-CORE-2014-002-fix.\n * Pressflow 6: Remove duplicate openid_update_6001().\n * Revert \"Force MariaDB 5.5 re-install\".\n * Set the TERM env variable if missing to avoid errors.\n * Skip packages set on hold when running apticron.\n * The ~/static/control must be writeable by lshell user to manage ctrl files.\n * Add extra cron semaphore to prevent concurrent cron invocations via\n multiple running runner.sh instances.\n\n\n### Stable BOA-2.2.4 Release - Full Edition\n### Date: Wed Apr 30 17:03:36 PDT 2014\n### Includes Ægir 2.x-boa-custom version.\n### Latest hotfix added on: Fri May 2 04:54:25 PDT 2014\n\n# Release Notes:\n\n This release includes several bug fixes along with five updated platforms,\n plus some hot-fixes applied to previous stable after its release. We have\n also added a fix for known problem is recent Drupal 7.27 [#2245331] hence\n the change from Drupal 7.27.1 to 7.27.2 in all D7 platforms.\n\n# Updated Octopus platforms:\n\n ### Drupal 7.27.2\n\n Commerce 1.25 ---------------- https://drupal.org/project/commerce_kickstart\n Commerce 2.14 ---------------- https://drupal.org/project/commerce_kickstart\n Commons 3.11 ----------------- https://drupal.org/project/commons\n Panopoly 1.5 ----------------- https://drupal.org/project/panopoly\n\n ### Pressflow 6.31.1\n\n Commons 2.17 ----------------- https://drupal.org/project/commons\n\n Note: Always read and follow upgrade procedure if explained in the distro\n release notes, like for Panopoly 1.5 at https://drupal.org/node/2255133\n\n# New o_contrib modules:\n\n * print-6.x-1.19 (includes patch to auto-detect /usr/bin/wkhtmltopdf)\n * print-7.x-2.0 (includes patch to auto-detect /usr/bin/wkhtmltopdf)\n\n# New features and enhancements in this release:\n\n * Support for session.gc_maxlifetime configurable via INI files.\n\n You can control session garbage collector (EOL) per site and per platform.\n The value (in seconds) of the session_gc_eol variable is used as\n session.gc_maxlifetime value and specifies the number of seconds after which\n data will be seen as 'garbage' and potentially cleaned up, resulting with\n $_SESSION variable discarded and affected authenticated users logged out.\n\n BOA default defined in the system level global.inc file is 86400 == 24h.\n\n# Changes in this release:\n\n * Drush: Upgrade command line version 6 to mini-6-26-04-2014\n * Nginx: Use higher defaults for limit_conn to avoid error 503 (CloudFlare)\n * Nginx: Use more aggressive limits against spambots trying to rgstr accounts.\n * Redis: Integration module (the modern variant) upgrade to 7.x-2.x-o8-2.6-B\n\n# System upgrades in this release:\n\n * Nginx 1.7.0\n * PHP 5.5.12\n * Redis 2.8.9\n\n# Fixes in this release:\n\n * Add symlinks in the home directory if missing (every 5 minutes).\n * Add warning that Compass Tools install and upgrade may take a LONG time.\n * Always define _PHP_CN variable properly.\n * Do not delete symlinks to wrappers to avoid false LFD alarms.\n * Fix for 'Force backward compatible SERVER_SOFTWARE'.\n * Fix in websh for _IN_PATH logic to not break backend Drush tasks.\n * Fix the logic for wrappers update and symlinks.\n * Improve status messages to display when silent mode is used on upgrade.\n * Improve whitelisting in the websh wrapper.\n * Issue #2238805 - Command filtering - no word containing *drush* is allowed.\n * Issue #2241495 - wkhtmltopdf stopped working after upgrade.\n * Issue #2247997 - Update docs/REMOTE.txt with workaround for websh issue.\n * Issue #2250397 - Always follow (limited) redirects in cURL requests.\n * Issue #GH-304 - [rvm] use $_RUBY_VERSION as default.\n * Issue #GH-305 - Check disk usage before running install/upgrade.\n * Issue #GH-306 - Allow ruby 1.8 to remain installed.\n * Nginx: Allow to configure keywords for aggressive requests rate monitoring.\n * Nginx: Do not overwrite custom symlinks to the Under Construction template.\n * Nginx: Sync FastCGI timeouts with other Nginx and PHP-FPM defaults.\n * PHP: Add /opt/local/bin/php tmp symlink on barracuda/octopus upgrade.\n * PHP: Allow to set custom _PHP_FPM_TIMEOUT but not lower than 60 (in seconds)\n * PHP: Always respect _PHP_FPM_WORKERS variable if set to numeric value > 0\n * PHP: Better defaults for realpath_cache_ttl and realpath_cache_size.\n * PHP: Fix for CVE-2014-0185 privilege escalation in FPM (doesn't affect BOA)\n * PHP: pm.max_children was not properly updated on FPM version self-switch.\n * PHP: Sync incorrect default_socket_timeout with max_execution_time (180s).\n * PHP: Use 30s for pm.process_idle_timeout - it prevents too high RAM usage.\n * PHP: Variable _PROCESS_MAX_FPM is not used on the Satellite Instance level.\n * Postfix: Force re-install if broken permissions detected on upgrade.\n * Prevent duplicate cron invocations with more strict delays.\n * Restart rsyslog once the install or upgrade is complete.\n * Set the TERM env variable if missing to avoid errors.\n * Shell: Proper fix for wildcard in the path (cd command only)\n * Standardize install and upgrade for Chive, SQL Buddy and CGP.\n * Sync Redis timeout with default FPM timeout (180s).\n * Sync SQL connect_timeout with default mysql.connect_timeout in PHP (60s).\n * The ~/static/control must be writeable by lshell user to manage ctrl files.\n * Update the logic for multi-version PHP support in BOND.\n * Update the logic for multi-version PHP support in docs/REMOTE.txt\n\n\n### Stable BOA-2.2.3 Release - Full Edition\n### Date: Fri Apr 18 12:57:40 PDT 2014\n### Includes Ægir 2.x-boa-custom version.\n\n# Release Notes:\n\n This release includes several bug fixes and security upgrades both for the\n system services and Drupal core, along with three updated platforms and new\n features, including support for MariaDB 10.0 and Ubuntu 14.04 LTS Trusty.\n\n# Updated Octopus platforms:\n\n ### Drupal 7.27.1\n\n Guardr 1.3 ------------------- https://drupal.org/project/guardr\n Open Atrium 2.17 ------------- https://drupal.org/project/openatrium\n Recruiter 1.2 ---------------- https://drupal.org/project/recruiter\n\n# New features and enhancements in this release:\n\n * Add docs/FAQ.txt\n * Add support for MariaDB 10.0 or 5.5 install via _DB_SERIES variable.\n * Add support for Ubuntu 14.04 LTS Trusty.\n * Improve auto-healing for multi-version PHP-FPM setup.\n * Improve docs/UPGRADE.txt\n * Improve health check for protected vhosts during live SSH-auth update.\n * Nginx: More aggressive limits against spambots trying to register accounts.\n\n# Changes in this release:\n\n * Issue #GH-299 - Force disable LESS developer mode on production sites.\n * Move custom scripts to /opt/local/bin/\n * Nginx: Use higher defaults for limit_conn to avoid error 503 (CloudFlare)\n * Normalize localhost entry in /etc/hosts to avoid FQDN mapped to 127.0.0.1\n * PHP: Do not use separate FPM pool for cron if _PHP_FPM_DENY is empty.\n\n# System upgrades in this release:\n\n * MariaDB 5.5.37\n\n# Fixes in this release:\n\n * Add 'exit 0' line if missing.\n * Add /opt/local/bin to PATH by default.\n * Add symlinks for wrappers only temporarily.\n * Add warning that Compass Tools install and upgrade may take a LONG time.\n * Better gem uninstall options.\n * Compass: Multiple fixes for various expected gems versions install/upgrades.\n * Do not override lshell env_path in websh wrapper.\n * Do not use monitored bin path for custom scripts to avoid LFD false alarms.\n * Extra db GRANT for 127.0.0.1 not added when migrating site.\n * Improve auto-healing to create required directories in /var/run/ if missing.\n * Issue #2230269 - New Jetty 9 version overrides JETTY_PORT=8099 with 8080.\n * Issue #2235991 - Drush make needs better exceptions in websh wrapper.\n * Issue #2236475 - Clarify what the Legacy mode really means.\n * Issue #2238965 - Add missing path to switch_to_bash().\n * Issue #2241013 - Git commands should be whitelisted in websh wrapper.\n * Issue #2241495 - wkhtmltopdf stopped working after upgrade.\n * Issue #GH-301 - Update the list of restricted keywords for Octopus username.\n * Issue #GH-304 - [rvm] use $_RUBY_VERSION as default.\n * Make sure that permissions on Chive Manager dir/files are correct.\n * Note: _SSL_FROM_SOURCES=YES is ignored and not needed on Wheezy and Precise.\n * PHP: Add /opt/local/bin/php tmp symlink on barracuda/octopus upgrade.\n * PHP: Allow to set custom _PHP_FPM_TIMEOUT but not lower than 60 (in seconds)\n * PHP: Always respect _PHP_FPM_WORKERS variable if set to numeric value > 0\n * PHP: pm.max_children was not properly updated on FPM version self-switch.\n * PHP: Variable _PROCESS_MAX_FPM is not used on the Satellite Instance level.\n * Remove the line with header TABLE_NAME (sqlmagic).\n * Reset PATH to avoid RVM overrides after Compass Tools install/upgrade.\n * Shell: Allow to run 'drush cache-clear drush' in any directory.\n * The _PHP_MODERN_ONLY variable is no longer used.\n * Ubuntu 14.04 LTS Trusty requires MariaDB 10.0\n * Use hostname -b instead of deprecated hostname -v.\n\n\n### Stable BOA-2.2.2 Release - Barracuda Edition\n### Date: Tue Apr 8 07:24:18 PDT 2014\n### Includes Ægir 2.x-boa-custom version.\n\n# Release Notes:\n\n This is a bug-fix only release to address issues discovered after recent\n major BOA-2.2.0 and subsequent BOA-2.2.1 Releases.\n\n The most important problem fixed in this Release is related to known OpenSSL\n security issue, which has been fixed in OpenSSL 1.0.1g\n\n To learn more please visit: http://heartbleed.com\n\n @=> Note for those on self-hosted BOA (skip this if you are on a hosted Ægir)\n\n We recommend that you enable _SSL_FROM_SOURCES=YES option in your system\n /root/.barracuda.cnf file, to always build latest OpenSSL from sources.\n Note that it will also trigger OpenSSH and cURL install from sources, plus\n subsequent PHP rebuild to include latest SSL libraries.\n\n Note that _SSL_FROM_SOURCES=YES will not force the build from sources on\n Debian Wheezy and Ubuntu Precise, to avoid confirmed conflicts and because\n both OS versions already provide custom, patched OpenSSL packages.\n\n This Release doesn't include any updates to the Octopus installer, so there is\n no point in running full upgrade. It is enough to run the barracuda only,\n system upgrade in the \"silent mode\" with:\n\n $ screen\n $ barracuda up-stable system\n\n The system will send you an email with results when the upgrade is complete,\n but there will be no upgrade progress displayed in the console. You can watch\n it, if you prefer, with command (DATE/TIME are placeholders for real values):\n\n $ tail -f /var/backups/reports/up/barracuda/DATE/barracuda-up-DATE-TIME.log\n\n# System upgrades in this release:\n\n * Nginx 1.5.13\n * OpenSSL 1.0.1g (if installed from sources)\n * PHP 5.4.27\n * PHP 5.5.11\n\n# Fixes in this release:\n\n * Chive Authentication via SSH session may break Nginx due to race conditions.\n * Drush specific dt() wrapper is required in Provision for custom platforms.\n * Fix Compass Tools support for Omega (gems dependencies via bundle install).\n * Fix default shell for system level cron tasks.\n * Fix for csf firewall compatibility test.\n * Force better health check on protected vhosts on live SSH-auth update.\n * Improved health check for protected vhosts during live SSH-auth update.\n * Issue #2229555 - On fresh boa install link missing durring install.\n * Issue #2229715 - Tasks queue doesn't work on the Master Instance.\n * Issue #2231093 - Add new line before 'UseDNS no' in the sshd_config file.\n * Issue #2235991 - Drush make needs better exceptions in websh wrapper.\n * Issue #294 - New Relic ext not installed even if _NEWRELIC_KEY is not empty.\n * Nginx: Backup and re-create default wildcard SSL cert/key with rsa:4096\n * Nginx: Generate 4096 bit long DH parameters when _NGINX_FORWARD_SECRECY=YES\n * Normalize localhost entry in /etc/hosts to avoid FQDN mapped to 127.0.0.1\n * PHP: Better default workers limits for the ondemand mode.\n * PHP: max_input_time should be set to 180 and not 60, by default.\n * PHP: Zend OPcache directive opcache.enable=1 must be set in all ini files.\n * Reset PATH to avoid RVM overrides after Compass Tools install/upgrade.\n * The 'scp' command is broken in limited shell.\n * Too broad whitelisting breaks commands in limited shell with 'tmp' keyword.\n * Too restrictive open_basedir defaults break access to valid PEAR paths.\n * Too restrictive open_basedir defaults break access to valid Tika paths.\n * Use rsa:4096 by default in self-signed certs for Nginx and FTPS.\n\n\n### Stable BOA-2.2.1 Release - Full Edition\n### Date: Tue Apr 1 10:28:45 SGT 2014\n### Includes Ægir 2.x-boa-custom version.\n\n# Release Notes:\n\n This is a bug-fix only release to address issues discovered after recent\n major BOA-2.2.0 Release.\n\n# Fixes in this release:\n\n * Chive Authentication via SSH session doesn't work on some older instances.\n * Compass Tools don't use correct paths to Ruby 2.1.1\n * Cron for sites doesn't work on old instances without Nginx wildcard vhost.\n * FTPS (FTP over SSL) connections may experience TLS problems.\n * PHP: Disabled 'assert' may cause warnings on features revert.\n * PHP: Disabled 'create_function' may break some contrib modules or code.\n * The 'git pull' command is broken in limited shell.\n * The 'rsync' command is broken in limited shell.\n * The 'drush dl foo' command can't be run outside of site directory.\n\n# Known Issues on systems upgraded to BOA-2.2.1 (and 2.2.0) releases\n\n ==> Updated on Tue Apr 8 01:26:47 PDT 2014\n\n @=> Issues fixed in BOA head (running the hotfix in stable is enough):\n\n * Chive Authentication via SSH session may break Nginx due to race conditions.\n * Drush specific dt() wrapper is required in Provision for custom platforms.\n * Issue #2229715 - Tasks queue doesn't work on the Master Instance.\n * PHP: max_input_time should be set to 180 and not 60, by default.\n * The 'scp' command is broken in limited shell.\n * Too broad whitelisting breaks commands in limited shell with 'tmp' keyword.\n * Too restrictive open_basedir defaults break access to valid Tika paths.\n * Zend OPcache directive opcache.enable=1 must be set in all php.ini files.\n\n To fix all those problems you can run as root on self-hosted system:\n\n $ wget -q -U iCab http://files.aegir.cc/update/boa221fix.txt\n $ bash boa221fix.txt\n\n We have fixed this on all hosted and remotely managed Ægir instances already.\n\n @=> Other issues fixed in BOA head (run 'barracuda up-head system' to apply):\n\n * PHP: New Relic extension not installed even if _NEWRELIC_KEY is not empty.\n * Too restrictive open_basedir defaults break access to valid PEAR paths.\n\n\n### Stable BOA-2.2.0 Release - Full Edition\n### Date: Mon Mar 31 06:44:08 SGT 2014\n### Includes Ægir 2.x-boa-custom version.\n\n# Release Notes:\n\n There are many important changes and improvements in this release\n you should be aware of *before* running your BOA system upgrade.\n\n Even if you are on a hosted BOA system with upgrades managed for you,\n it is very important to read at least this extensive release notes.\n\n Here is a list of topics covered in detail further below:\n\n * New 'legacy' mode available for installs and upgrades\n * Important Note For Those Using Our Hosted Ægir Service!\n * Custom php.ini protection has changed and will not honor old settings\n * Barracuda no longer supports Percona since 2.2.0 release\n * Support for PHP FPM/CLI version safe switch per Octopus instance\n * All PHP FPM workers in 5.5, 5.4 and 5.3 now use the 'ondemand' mode\n * Drush aliases are now automatically copied to all relevant accounts\n * Drush is now restricted to use only trusted modules installed by default\n * The ~/.drush and other important directories and symlinks are protected\n * Support for safely configurable cache bins exceptions in Redis\n * Two-Factor-like Authentication to protect access to Chive DB Manager\n * Support for session.cookie_lifetime configurable via INI files\n * Support for files permissions-fix exceptions via platform level INI file\n * High-performance JavaScript callback handler (js) in all platforms\n\n And if you are more curious, read also the big changelog further below,\n which covers only a small number of over 560 commits since BOA-2.1.3 release.\n\n But what if you are not ready for this major upgrade and you would like\n to have more time for testing, but still be able to run system upgrades,\n thus effectively still using previous version 2.1.3 with standard command\n 'barracuda up-stable system', as explained in the docs/UPGRADE.txt?\n\n#-### New 'legacy' mode available for installs and upgrades\n\n We are introducing special 'legacy' mode both for BOA installs and upgrades.\n\n This means that starting with BOA-2.2.0 you can use commands like:\n\n $ boa in-legacy public server.mydomain.org my@email o1\n $ barracuda up-legacy system\n $ octopus up-legacy o1\n etc.\n\n These special 'legacy' commands allow you to install and/or upgrade the 'old\n stable', once the 'new stable' is released. But only until another 'stable'\n is released, of course. Thus you can use it only as an interim solution\n if you are not yet ready for latest 'stable' BOA Edition, for any reason,\n but you want to update at least the low level system packages, kernel etc.\n\n Note also that if you will upgrade to current 'stable', it is not possible\n to downgrade back to the 'old stable' with 'legacy' mode, so please proceed\n with care!\n\n This option will be particularly important once we release *next* major BOA\n Edition. It will come with terminated support for Drush 4, Drupal 5 and, yes,\n PHP 5.2 (finally). This step is required to use latest Drush 6+ with supported\n Drupal cores versions and supported PHP versions, which in fact is required\n to introduce the real Ægir 2.0 in BOA -- we are still using older, customized\n for backward compatibility, Ægir 2 HEAD version, so it is time to move on and\n stay up to date with everything, get new features like ability to manage\n Drupal sites in subdirectories etc.\n\n Once that *next* major BOA Edition is released, we will freeze the 'legacy'\n mode at 2.2.x series level, which will receive only security upgrades and\n no further feature nor bugfix releases. At that point you will have to stick\n to the 'legacy' BOA version if you will need to run PHP 5.2 and Drupal 5\n with Ægir based on Drush 4. It will be still possible, but not recommended\n and not really supported, besides security related issues outside of Drupal.\n This also means that at that point the 'legacy' version will no longer\n receive Drupal core upgrades, even if there will be security core releases.\n\n Note that we don't use the term \"major release\" in the known convention\n for versions naming. It is because the first digit, for historical reasons,\n refers to the Ægir version supported, the second digit refers to BOA stack\n major release, and the last digit refers to both feature and bugfix BOA\n stack upgrades.\n\n#-### Important Note For Those Using Our Hosted Ægir Service!\n\n NOW is the time (and last chance) to upgrade all your legacy Drupal 5 sites\n and outdated Drupal 6 sites still not compatible with at least PHP 5.3,\n because once we upgrade to the *next* major BOA Edition, it will be no longer\n possible to still run Drupal sites not compatible with PHP 5.3 -- there\n were literally years of this legacy support provided, and this finally\n comes to the end, because we will not use the BOA 'legacy' mode on our own\n servers. It will be still available for remotely managed 'Ægir on Your Own\n Server' option, though, but only on request: https://omega8.cc/support\n\n#-### Custom php.ini protection has changed and will not honor old settings\n\n If you have custom settings in any of your php.ini files protected with\n old variable in the /root/.barracuda.cnf, make a backup of your ini files\n before running this upgrade. While these files will not get overwritten,\n they will no longer be used, because we have introduced new, standardized\n directory structure to properly support multi-PHP-versions systems.\n\n Respective php.ini files are now located in /opt/phpXX/etc/phpXX.ini\n for FPM and /opt/phpXX/lib/php.ini for CLI, where XX is 55, 54, 53 or 52,\n depending on the versions listed via _PHP_MULTI_INSTALL variable in the\n /root/.barracuda.cnf file. Also the variables used to protect ini files\n from being overwritten have changed to _CUSTOM_CONFIG_PHPXX.\n\n If you need any non-standard settings in any of active ini files, don't\n overwrite them with the old files, but rather carefully review and apply\n only the differences you need.\n\n#-### Barracuda no longer supports Percona since 2.2.0 release\n\n If you have used Percona before, Barracuda will force upgrade to MariaDB 5.5\n and PHP rebuild automatically. We plan to add possibility to install\n MariaDB 10.0 once released as stable and tested. MariaDB is the default\n DB server in Barracuda for a long time already.\n\n#-### Support for PHP FPM/CLI version safe switch per Octopus instance\n\n This allows to easily switch PHP version by the instance owner w/o system\n admin (root) help. All you need to do is to create ~/static/control/fpm.info\n and ~/static/control/cli.info file with a single line telling the system\n which available PHP version should be used (if installed): 5.5 or 5.4 or 5.3\n\n Only one of them can be set, but you can use separate versions for web access\n (fpm.info) and the Ægir backend (cli.info). The system will switch versions\n defined via these control files in 5 minutes or less. We use external control\n files and not any option in the Ægir interface to make sure you will never\n lock yourself by switching to version which may cause unexpected problems.\n\n Note that the same version will be used in all platforms and all sites hosted\n on the same Octopus instance. Why not to try latest and greatest PHP 5.5 now?\n\n#-### All PHP FPM workers in 5.5, 5.4 and 5.3 now use the 'ondemand' mode\n\n This change will help to better manage memory use, especially on systems with\n multiple PHP versions running in parallel. This will also free resources\n and allocate them dynamically only when requests are coming and only to\n the active FPM pools. Note that the 'ondemand' mode doesn't affect Zend\n OPcache, because it is managed by the parent process(es) which stay(s) active.\n\n The net result is that on a vanilla BOA install, without non-hostmaster sites\n running, the complete stack consumes just ~200 MB of RAM (in total, so with\n MariaDB, Redis and Nginx etc. included) with all three PHP-FPM versions\n running in parallel: 5.5, 5.4 and 5.3:\n\n CPU[#* 2.0%]\n Mem[|||||||||||||###***********************************209/1002MB]\n Swp[ 0/0MB]\n\n magic:~# ps axf | grep fpm\n 8380 ? Ss 0:00 php-fpm: master process (/opt/php55/etc/php55-fpm.conf)\n 8391 ? Ss 0:00 php-fpm: master process (/opt/php54/etc/php54-fpm.conf)\n 8402 ? Ss 0:00 php-fpm: master process (/opt/php53/etc/php53-fpm.conf)\n magic:~#\n\n#-### Drush aliases are now automatically copied to all relevant accounts\n\n While Ægir manages Drush aliases for its backend needs, they are normally\n not available for the main nor the extra shell users on the instance.\n\n But starting with 2.2.0, BOA automatically manages copies of all Drush\n aliases, by adding them, updating or removing, every 5 minutes, once it\n detects that there are changes applied, like: the site has been migrated\n to another platform, or associated client/owner has been updated, etc.\n\n You no longer need to `cd` to the respective site directory to perform\n some available Drush tasks. Just check the available aliases list with\n `drush aliases` and then enjoy the beauty of `drush @foo.com command` syntax.\n\n#-### Drush is now restricted to use only trusted modules installed by default\n\n Note: this change affects only Ægir backend/system user, typically o1,\n while all other limited shell accounts are not affected, because they are\n already individually jailed with protected custom php.ini and special\n Drush wrappers and settings.\n\n This means that you can skip this section if you are on a hosted Ægir.\n\n Customized Drush now included in BOA by default, will be able to use only\n extensions/commands bundled with contrib modules which are either a part\n of modules added in every platform via shared o_contrib/o_contrib_seven\n symlink located in the platform core modules directory, or are included\n in the built-in platforms installation profiles space, or in the system\n account, protected .drush sub-directory.\n\n This means that any Drush extension/command bundled with contrib module\n uploaded to the sites/all/modules space in all built-in platforms will be\n ignored and not available on command line for the backend user. The same\n applies to site level contrib space, if used.\n\n Additionally, any Drush extension/command bundled with custom platforms\n located in the ~/static directory tree will be completely ignored by Drush,\n no matter where uploaded: core, profiles, sites/all or sites/foo.com space.\n\n This is not a problem in hosted environments, where users normally never\n should have an access to the Ægir backend user, anyway.\n\n If you have any reason to use Drush on command line as an Ægir backend/system\n user, for example to escape limited shell restrictions, we recommend to\n install vanilla Drush 6, for example in /opt/tools/drush/vanilla/drush/ and\n then symlink it into /usr/local/bin/ with custom name, so it will be available\n automatically in your backend o1 user's PATH.\n\n Further improvements to secure sites and instances in a completely locked\n virtual jails are planned in next BOA releases, which will address all other\n known and even potential security issues in Ægir.\n\n#-### The ~/.drush and other important directories and symlinks are protected\n\n There are directories, files and symlinks which should be protected from\n any changes and managed exclusively by the BOA system. The reasons may vary\n from security to avoidable support requests when the less experienced user\n will delete his sites or platforms symlinks, while they can't be easily nor\n automatically recreated. It also prevents the sub-accounts users from using\n their account home directory as a private upload/archive disk space.\n\n#-### Support for safely configurable cache bins exceptions in Redis\n\n Sometimes you may want to exclude some problematic cache bins from Redis\n so they will use default SQL engine, at least until related issue will be\n fixed either in your contrib code or in the Redis integration module.\n\n Normally you had to edit the local.settings.php file which is both tedious\n and dangerous because of extra steps: https://omega8.cc/node/230 to add\n a line, for example: $conf['cache_class_cache_foo'] = 'DrupalDatabaseCache';\n Plus, it had to be done for every site separately.\n\n Now you can simply list the cache bins to exclude, comma separated, either\n in the site or platform level active INI file.\n\n Example: redis_exclude_bins = \"cache_views,cache_foo,cache_bar\"\n\n#-### Two-Factor-like Authentication to protect access to Chive DB Manager\n\n We are introducing Two-Factor-like Authentication logic - now extended also\n to protect Chive DB Manager, Collectd Graph Panel and SQL Buddy DB Manager.\n You must be logged in via SSH and run any auto-continuos command, for example:\n `ping -i 30 google.com` to keep the access open for your IP address.\n\n Why is this important?\n\n While BOA forces HTTPS connection for Chive, anyone who knows the URL can\n access it and attempt to either run brute-force attack to get into your\n site's database, or at least attempt to hammer the server and cause DoS-like\n effects, at least until the system will block his IP on the firewall.\n\n The other important reason is that your site's DB credentials change only\n when you migrate or rename the site, and otherwise remain intact. Now, what\n if you have an employee or a freelancer whom you no longer want to be able\n to access your site? If you think that deleting his SFTP sub-account is\n enough, think again. He still can access your site's database via Chive, if\n he knows the site's DB credentials and the Chive URL.\n\n But now it's no longer possible. Only the visitor who is able to successfully\n authenticate himself via SSH, and keeps active SSH session, will be able\n to access the Chive URL. The rest of the world will see just dummy Nginx 403\n Access Denied error.\n\n And in case you are using self-hosted BOA, the same protection is applied\n also to Collectd Graph Panel and SQL Buddy DB Manager.\n\n#-### Support for session.cookie_lifetime configurable via INI files\n\n You can control session cookies expiration (TTL) per site and per platform.\n The value (in seconds) of the session_cookie_ttl variable is used as\n session.cookie_lifetime value.\n\n BOA default defined in the system level global.inc file is 86400 == 24h.\n\n We also recommend that you enable and configure built-in session_expire\n module, which allows you to keep the sessions DB table tidy. Make sure that\n TTL set via session_cookie_ttl variable is *lower* than TTL configured\n in the session_expire module, because the module does not care about PHP\n settings and simply deletes old entries from the sessions table on cron run.\n\n#-### Support for files permissions-fix exceptions via platform level INI file\n\n You can opt-out from globally enabled daily-permissions-fix procedure per\n platform with new fix_files_permissions_daily variable.\n\n This feature can be useful when you prefer to manage custom platform in\n a monolithic codebase mode in Git, so forcing permissions could conflict\n with your workflow or development tools. Otherwise you should never disable\n this to avoid issues with Ægir tasks related to sites on this platform.\n\n Note that the system level option _PERMISSIONS_FIX (introduced in BOA-2.1.0\n and set to NO by default) should be also enabled with YES in the system level\n /root/.barracuda.cnf file, if you prefer to have permissions fixed in all\n sites on all platforms, except those with fix_files_permissions_daily = FALSE\n set in the platform level, active INI file.\n\n#-### High-performance JavaScript callback handler (js) in all platforms\n\n All platforms, both built-in and custom in the ~/static directory tree, enjoy\n automatically added High-performance JavaScript callback handler (js) support,\n which requires extra /js.php file in the platform root and also proper Nginx\n rewrites. The module itself is also included in the built-in o_contrib bundle.\n\n All you need is to enable the module, if recommended by any other module,\n and enjoy much faster page generation, where possible. You can review the\n full list of modules which will benefit from this great helper module on its\n project page: https://drupal.org/project/js\n\n\n Enjoy another super-fast and even more powerful BOA Edition!\n\n\n# New Octopus platforms:\n\n ### Drupal 7.26.4\n\n Guardr 1.1 ------------------- https://drupal.org/project/guardr\n\n# Updated Octopus platforms:\n\n ### Drupal 7.26.4\n\n Commerce 1.24 ---------------- https://drupal.org/project/commerce_kickstart\n Commerce 2.13 ---------------- https://drupal.org/project/commerce_kickstart\n Commons 3.9.1 ---------------- https://drupal.org/project/commons\n Drupal 7.26.4 ---------------- https://drupal.org/drupal-7.26\n Open Academy 1.0 ------------- https://drupal.org/project/openacademy\n Open Atrium 2.15 ------------- https://drupal.org/project/openatrium\n Open Deals 1.32 -------------- https://drupal.org/project/opendeals\n Open Outreach 1.5 ------------ https://drupal.org/project/openoutreach\n OpenBlog 1.0-a3 -------------- https://drupal.org/project/openblog\n OpenChurch 1.12 -------------- https://drupal.org/project/openchurch\n OpenScholar 3.12.1 ----------- http://theopenscholar.org\n Panopoly 1.2 ----------------- https://drupal.org/project/panopoly\n Recruiter 1.1.2 -------------- https://drupal.org/project/recruiter\n Spark 1.0-b1 ----------------- https://drupal.org/project/spark\n Totem 1.1.2 ------------------ https://drupal.org/project/totem\n Ubercart 3.6 ----------------- https://drupal.org/project/ubercart\n\n ### Pressflow 6.30.1\n\n Commons 2.16 ----------------- https://drupal.org/project/commons\n Feature Server 1.2 ----------- http://bit.ly/fserver\n Managing News 1.2.4 ---------- https://drupal.org/project/managingnews\n Open Atrium 1.7.2 ------------ https://drupal.org/project/openatrium\n Pressflow 6.30.1 ------------- http://pressflow.org\n Ubercart 2.13 ---------------- https://drupal.org/project/ubercart\n\n# New features and enhancements in this release:\n\n * Add High-performance JavaScript callback handler (js) in all platforms.\n * Add session_expire module to shared contrib space in all platforms.\n * Add support for session.cookie_lifetime configurable via INI variable.\n * Allow to control swap clear with control file /root/.no.swap.clear.cnf\n * Auto-Update all BOA install and upgrade wrappers daily.\n * Default system /bin/sh symlink target replaced with /bin/websh wrapper.\n * Disable tcp_slow_start_after_idle for better SPDY performance.\n * Improve the logic in the global.inc for faster processing.\n * Issue #1217486 - Add o_contrib symlinks on platform Verify task.\n * Issue #1310054 - Add support for drush aliases in all lshell accounts.\n * Issue #2148335 - Add Default Localhost Vhost.\n * Issue #2166641 - Make hard-coded load thresholds configurable.\n * Issue #2170079 - Use _CUSTOM_CONFIG_LSHELL to protect lshell.conf template.\n * Issue #2226919 - Custom Platforms in Version Control (skip permissions fix).\n * Lshell: Update /etc/lshell.conf only when required instead of every 5 min.\n * Manage extra db GRANT for 127.0.0.1 to allow SSH tunneling for SQL access.\n * New option _REDIS_LISTEN_MODE to configure PORT or SOCKET mode globally.\n * Nginx: Add support for protected PHP-FPM monitor.\n * Nginx: Force aggressive no-cache headers for the under construction page.\n * Nginx: Switch to buffered logging when /root/.high_traffic.cnf exists.\n * PHP: Add support for FPM/CLI version safe switch per Octopus instance.\n * PHP: Allow to install and run all supported versions: 5.5, 5.4, 5.3, 5.2\n * PHP: Extra php.ini files automatically managed per system and shell user.\n * PHP: FPM workers in 5.5, 5.4 and 5.3 will use 'ondemand' mode by default.\n * PHP: Use separate FPM pools per Octopus instance.\n * PHP: Use TCP Socket mode for all FPM pools and Port mode for legacy vhosts.\n * Protect ~/.drush and other important directories and symlinks from changes.\n * Redis: Allow to exclude cache bins on the fly, per site or per platform.\n * Save 295 seconds on BOA Install and Upgrade.\n * Set and auto-manage strict permissions on some important config files.\n * Set PHP CLI version in the /bin/websh wrapper on the fly.\n * Use Two-Factor-like Authentication logic for Chive DB Manager access.\n * Improve `sqlmagic fix file.sql` to properly replace INSERT INTO with\n INSERT IGNORE INTO (a workaround for duplicate keys in the DB dump)\n * Use the same trick with modules/local-allow.info to temporarily make\n civicrm.settings.php writable, if exists.\n\n# Changes in this release:\n\n * Add ~/static/trash/* to automatic daily cleanup.\n * Add coder to auto-disabled modules -- see #2068771\n * Allow 'drush uli' as root, but deny root access to Drush by default.\n * Disable D8 install via _ALLOW_UNSUPPORTED until next release.\n * Do not enable SYNFLOOD protection by default.\n * Do not force old_short_name in any profile file directly.\n * Firewall: Allow to connect to Apple Push Notification service (APNs)\n * Issue #289 - Update lshell env_path for RVM and install/update global gems.\n * Issue #292 - Open standard RTMP port 1935.\n * Lshell: Use latest Drush 6 (master) by default and remove other versions.\n * Nginx and PHP-FPM: Better default timeout limits.\n * Nginx: Add apk, pxl, ipa to known mime types / download extensions.\n * Nginx: Use text/xml mime type for .xml URLs and restore other mime defaults.\n * Open local access for web based sites cron.\n * Open outgoing port 2525 for custom SMTP connections.\n * Percona DB server is no longer supported.\n * PHP: Always build from sources.\n * PHP: Disable 5.2 FPM if installed, but not used.\n * PHP: Only critical errors are enabled by default in the CLI mode.\n * PHP: Reloading FPM hourly no longer makes any sense.\n * PHP: Remove support for deprecated APC and Memcached.\n * PHP: Restore MailParse support - 2.1.6\n * PHP: Use aggressive disable_functions defaults (further tuned per FPM pool).\n * Redis: Integration module (the modern variant) upgrade to 7.x-2.x-o8-2.6-A\n * Redis: Use modern version with enabled fast lock and aggressive flush mode.\n * Remove insecure exception for wkhtmltopdf uploaded in the user space.\n * Rename master repository on GitHub from legacy nginx-for-drupal to boa.\n * Set _STRICT_BIN_PERMISSIONS=YES by default.\n * Upgrade Compass Tools on every upgrade, not just on new BOA release.\n * Use 60s opcache.revalidate_freq by default to save disk I/O on live sites.\n * Use Ruby Version Manager (RVM) by default to manage Compass Tools etc.\n * Use RVM for global gem installation and updates.\n * Use search_api_solr-7.x-1.4 for new installs.\n * Use web based cron by default to benefit from Zend OPcache.\n * Do not check existence nor auto-config Purge/Expire unless INI variable\n purge_expire_auto_configuration is set to TRUE (automatically, when\n the module is detected as enabled).\n * New naming convention for Ubercart 3.x platforms: [ud2] to support upgrades\n from uberdrupal profile, and [aq3] to support upgrades from acquia profile.\n Note that you have to choose Vanilla Testing profile to see [ud2] or\n Vanilla Minimal to see [aq3] platform in the Add Site form.\n * GitHub is now our main repository, we re-open the issue queue there\n for patches merge requests, while d.o has a code mirror status from now on.\n * Make it crystal clear that Ubuntu is barely supported, rarely tested and\n thus not recommended.\n * The \"Run cron\" extra task has been removed for security reasons. Site cron\n can be run either via standard, scheduled in Ægir procedure, which uses\n local, but web based request to the protected /cron.php URL, or on command\n line, or from the site admin area, as usual.\n\n# System upgrades in this release:\n\n * Bazaar Version Control System (bzr) 2.6.0\n * Collectd Graph Panel (CGP) master-30-03-2014\n * cURL 7.36.0 (if installed from sources)\n * Git 1.9.1 (if installed from sources)\n * Jetty 7.6.14, 8.1.14, 9.1.3\n * Limited Shell 0.9.16.5-om8\n * MariaDB 5.5.36\n * MySecureShell 1.32\n * Nginx 1.5.12\n * OpenSSH 6.6p1 (if installed from sources)\n * OpenSSL 1.0.1f (if installed from sources)\n * PHP 5.4.26\n * PHP 5.5.10\n * PHP: Imagick 3.1.2\n * PHP: ionCube loader 4.5.3\n * PHP: MongoDB 1.4.5 (optional add-on)\n * PHP: Zend OPcache master-09-03-2014\n * PHPRedis: master-22-03-2014\n * Redis 2.8.8\n * Ruby 2.1.1 (from now on compiled from sources)\n\n# Fixes in this release:\n\n * Add fix_collectd_nginx for Collectd config update.\n * Add missing panopoly_demo app in the Panopoly distro to fix broken install.\n * Add missing variables to active INI files, if needed.\n * Avoid way too long Speed Booster TTL for bots, especially for rss feeds.\n * Changing old_short_name mapping to: uberdrupal->testing and acquia->minimal\n * Do not force old_short_name if already set in db/drushrc.\n * Do not run swap clean when heavy tasks like cdp backup run.\n * Drush: Simplify and improve access restrictions logic when aliases are used.\n * Excessive and useless Drush internal cache clear in daily.sh removed.\n * Fix default PATH in all sub-scripts.\n * Fix for broken cURL from sources install logic.\n * Fix for drush make broken by websh fix for cd wildcard crash fix.\n * Fix for multi-IP cron access.\n * Fix missing /dev/fd early enough to avoid broken tasks in Ægir.\n * Fix the logic in manage_ip_auth_access()\n * Fix to avoid daily services maintenance/cron freeze if Jetty didn't stop.\n * Force backward compatible SERVER_SOFTWARE to silence core warnings.\n * Force OpenSSH rebuild on OpenSSL upgrade (if installed from sources).\n * Issue #1317322 - Filters UI broken.\n * Issue #1991908 - Fix the syslog flood caused by collectd df plugin.\n * Issue #2057213 - Use better SQL GRANT style.\n * Issue #2110589 - Unable to install BOA correctly on Debian 6.0 and OpenVZ\n * Issue #2141283 - Drush aliases like `drush dbup` no longer work properly.\n * Issue #2144801 - Display bug on add site.\n * Issue #2144947 - Install new Ruby for better compatibility with new gems.\n * Issue #2150557 - Make the check and update procedure for UseDNS safe.\n * Issue #2152383 - Fix for [js module] - add js_server_software variable.\n * Issue #2159881 - Drush is broken because Console_Table URL no longer works.\n * Issue #2161115 - AdvAgg: Strictly follow RFC 2616 14.21\n * Issue #2167141 - Do not exclude --with-ldap --with-gmp in the PHP on Wheezy.\n * Issue #2172089 - Fix for syntax error.\n * Issue #2173209 - Do not use legacy (removed) symlink for version check.\n * Issue #2175197 - Regex configuration not matching esi/ssi tags.\n * Issue #2177837 - process.max not set correctly for PHP 5.5 and 5.4\n * Issue #2182671 - Solr 4 with Jetty 8 does not start after upgrade.\n * Issue #2188907 - Update docs criteria for not rebuilding ssh, ssl, and curl.\n * Issue #2199229 - CiviCRM 4.4.4 Requires change in the Nginx configuration.\n * Issue #288 - SMTP Authentication Module depends on fsockopen.\n * Lshell: Fix for crash on wildcard cd.\n * Lshell: Remove symlinks for legacy drush_make.\n * Modules can be incorrectly whitelisted from dis by installation profile.\n * Nginx: Add exceptions for known video players.\n * Nginx: Avoid downtime on upgrade because of too low variables_hash_max_size\n * Nginx: Better gzip defaults.\n * Nginx: Default value of variables_hash_max_size is too low.\n * Nginx: Do not overwrite gzip_types.\n * Nginx: Improve fastcgi defaults.\n * Nginx: Remove too broad regex for 'flag' keyword in the URI.\n * Nginx: Send Access-Control-Allow-Origin * header also for /favicon.ico\n * Nginx: Use port 9090 in nginx_octopus_include.conf by default (PHP-FPM 5.3)\n * Nginx: Use Redirect 301 for legacy paths /sites/default/files/*\n * Once you have next 2.3.x installed, you can't downgrade to legacy 2.2.x\n * PHP: Add protection for instance level php.ini files.\n * PHP: Fix for broken build when --with-ldap is used.\n * PHP: Fix for broken dependencies in newer Debian and Ubuntu systems.\n * PHP: Fix for forced rebuild mode if lib curl is broken or updated with apt.\n * PHP: Fix for GEOS 3.4.2 and multi-version install.\n * PHP: Fix for legacy 5.2 logic.\n * PHP: Force 5.5 to use correct SQL drivers so its built-in will not be used.\n * PHP: Reduce duplicate rebuilds.\n * PHP: The --with-curlwrappers option has been removed in 5.5\n * Redis: Auto-Restart if socket is missing only when socket mode is enabled.\n * Redis: Exclude cache_form bin or it will break modules like ajax_comments.\n * Redis: Force clean restart daily, with long enough sleep time.\n * Redis: Restore pwd protection.\n * Redis: The cache_metatag bin needs aggressive flush mode -- see #2062379\n * Reduce system load during db backups with short delays between databases.\n * Remove collectd on major system upgrade even if /var/www/cgp doesn't exist.\n * Silence AIS (Adaptive Image Styles) module .htaccess requirements.\n * Sort and group cnf variables to bring some order into this chaos.\n * Symlink main drush wrapper to shared location outside of Master Instance.\n * Update for Redis bins exceptions logic.\n * Update system load check method in all scripts.\n * Use forced Jetty restart mode.\n * Use https in the welcome screen image src URL.\n * Use IPv4-strict hostname and IP checks only.\n\n\n# Known Issues on systems upgraded to BOA-2.2.0 release (all fixed)\n\n ==> Updated on Tue Apr 1 12:20:27 SGT 2014\n\n @=> Issues hot-fixed in stable (run 'barracuda up-stable system' to apply):\n\n * Compass Tools don't use correct paths to Ruby 2.1.1\n * Chive Authentication via SSH session doesn't work on some older instances.\n * PHP: Disabled 'create_function' may break some contrib modules or code.\n * PHP: Disabled 'assert' may cause warnings on features revert.\n * Cron for sites doesn't work on old instances without Nginx wildcard vhost.\n * The 'git pull' command is broken in limited shell.\n * FTPS (FTP over SSL) connections may experience TLS problems.\n * The 'rsync' command is broken in limited shell.\n * The drush dl foo can't be run outside of site directory.\n\n\n### Stable BOA-2.1.3 Release - Full Edition\n### Date: Thu Nov 21 17:55:47 SGT 2013\n### Includes Ægir 2.x-boa-custom version.\n\n# Release Notes:\n\n This release provides Drupal 7.24.1 and Pressflow 6.29.1 core security upgrade\n for all supported distributions. It also includes two updated platforms and\n several fixes for issues discovered since BOA-2.1.2 released 3 days ago, plus\n some clever improvements to help you automatically optimize all tables daily,\n or even automatically convert tables to-innodb or to-myisam, either per site\n or per platform, or per entire Octopus instance. There is also Purge Cruft\n Machine available to run some spring-cleaning daily with configurable TTL.\n\n Enjoy another super-fast and even more clever BOA Edition!\n\n# Updated Octopus platforms:\n\n ### Drupal 7.24.1\n\n Open Atrium 2.0.9 ------------ http://drupal.org/project/openatrium\n OpenScholar 3.9.3 ------------ http://openscholar.harvard.edu\n\n# New features and enhancements in this release:\n\n * Purge Cruft Machine moved to daily.sh agent and made configurable\n with _DEL_OLD_BACKUPS and _DEL_OLD_TMP per Octopus instance.\n\n If changed to any number greater than \"0\" it will automatically delete\n backups stored in the /data/disk/U/backups/ directory and in all hosted\n sites backup_migrate directories, during daily cleanup, if created more\n than X days ago, where X is a number of days defined in _DEL_OLD_BACKUPS.\n\n If \"0\" then this feature is disabled. It can't be configured via INI files,\n so you may need to submit support request if you want to customize this\n option set to 7 days by default on all hosted instances, as per our\n backups policy: https://omega8.cc/backups\n\n The same logic applies to _DEL_OLD_TMP which defines for how long the\n temporary files in all hosted sites files/tmp/ and private/temp/ directories\n are kept before deleting them during running daily maintenance.\n\n * Added sql_conversion_mode variable in the platform and site level INI\n to customize instance-wide mode optionally set via _SQL_CONVERT.\n\n This option allows to activate and/or customize DB tables conversion\n per site, per platform and via _SQL_CONVERT per Octopus instance.\n\n Supported values are: innodb and myisam (lowercase only!)\n Note that this conversion will run daily even if all tables have been\n already converted, so it will run OPTIMIZE on all tables, effectively.\n\n Related Issue #2126471 - Convert DB engine control files to ini format.\n\n# Changes in this release:\n\n * Allow to install unsupported distros only in head, not stable.\n * Contrib update: advagg-7.x-2.3\n * Map drush to drush6 on command line. You can still use drush4 and drush5.\n * New contrib: display_cache\n * New contrib: panels_content_cache\n * Nginx 1.5.7 -- security upgrade.\n * Use dev versions of CDN module with patch for AdvAgg 7 compatibility.\n * Use Drush 5 and 6 head until next release.\n\n# Fixes in this release:\n\n * Always cleanup temp downloads to avoid failed builds due to leftovers.\n * Always fix permissions on contrib on upgrade and in daily.sh agent.\n * Better auto-recovery when broken libcurl is detected.\n * Delete any tar/gz/zip files in modules|themes|libraries daily.\n * Delete dangerous local-allow.info file.\n * Display all active INI variables in HTTP headers on dev URLs.\n * Fix for cron auto-correction.\n * Fix for Feature Server broken due to incorrect context version downloaded.\n * Fix the logic for cURL install from sources.\n * Nginx: Add Access-Control-Allow-Origin header also for static .json\n * Nginx: Protect also .md files in modules|themes|libraries dirs.\n * Issue #2137583 - Permissions on the site directory are broken after running,\n how ironically, the Health Check task.\n * Issue #2138811 - Maintenance agent disables modules from its standard\n turn-off list, even if they are required by other modules, apps or features.\n\n# Known Issues on systems upgraded to initial BOA-2.1.3 release\n\n ==> Updated on Thu Nov 28 18:33:58 SGT 2013.\n\n @=> Issues which will trigger `barracuda up-stable system` if discovered:\n\n * PHP: Fix for broken cURL from sources install logic.\n * PHP: Fix for forced rebuild mode if lib curl is broken or updated.\n * PHP: Fix for legacy 5.2 rebuild required when broken libcurl is detected.\n * Use dummy variable instead of 'true' to avoid breaking the logic.\n\n @=> Issues which will NOT trigger `barracuda up-stable system` if discovered:\n\n * Add coder to the auto-disabled modules list -- see #2068771\n * Excessive and useless Drush internal cache clear in daily.sh\n * Issue #2141283 - Drush aliases like `drush dbup` no longer work properly.\n * Issue #8215957 - Invalid version type error in old Drush Make.\n * MariaDB 5.5.34 just released.\n * Redis: Incorrect permissions on the integration module directory.\n * Modules can be incorrectly whitelisted by installation profile and\n never disabled, while they should be.\n\n# HotFix for known post-upgrade issues\n\n Run the boa-fix-upgrade script when logged in as system root:\n\n $ cd;rm -f boa-fix-upgrade.sh.txt*\n $ wget -q -U iCab http://files.aegir.cc/update/boa-fix-upgrade.sh.txt\n $ bash boa-fix-upgrade.sh.txt\n\n This script is updated once there is any new regression or bug discovered,\n so it is safe and recommended to run it again if the list of known issues\n have been updated. Note that this script will detect and fix all Octopus\n instances on your system at once.\n\n\n### Stable BOA-2.1.2 Release - Full Edition\n### Date: Mon Nov 18 00:03:30 SGT 2013\n### Includes Ægir 2.x-boa-custom version.\n\n# Release Notes:\n\n This is primarily a bug-fix release and you should read release notes and\n also the changelog for both BOA-2.1.1 and BOA-2.1.0 for a context, especially\n if you are upgrading from BOA-2.0.9 or older release (we have tested upgrades\n from as old Editions as BOA-2.0.1, released on Dec 28 07:00:00 EST 2011).\n\n This Edition includes fixes for all Known Issues on systems already upgraded\n to initial BOA-2.1.1 release, plus some extra improvements and one updated\n platform (Managing News).\n\n Important new features include ability to use either legacy (default) or\n modern (highly recommended) version of Redis integration module.\n\n The reason we don't enable the modern version by default is that it may need\n some testing before using it on a complex Drupal sites. The modern version\n of Redis integration module comes with some great new features which allow\n you to configure flush mode per cache bin, with three modes available.\n\n Please refer to the module README for more information on all available\n advanced flush modes: http://bit.ly/1drmi35\n\n It also comes with super-fast lock backend, which can be enabled only when\n you are using the modern version, but still needs more improvements, so we\n auto-configure some exceptions on the fly, when it is used, to avoid known\n issues, as reported in the queue: https://drupal.org/node/2135545\n\n Please read also INI docs to understand how it works, and how to improve\n performance by enabling and tuning these settings: http://bit.ly/1bwfZZj\n\n Enjoy!\n\n# Updated Octopus platforms:\n\n ### Pressflow 6.28.3\n\n Managing News 1.2.4 ---------- http://drupal.org/project/managingnews\n\n# New features and enhancements in this release:\n\n * Redis: Modern integration module 7.x-2.5 with latest fixes from #2135545\n is available as an option with new INI variable: redis_use_modern\n\n * Redis: New option redis_flush_forced_mode to better control flush modes\n when redis_use_modern = TRUE\n\n * Add example for custom Speed Booster cache TTL configuration in the optional\n override.global.inc file. It can be used also in local.settings.php file.\n\n * Add detection and auto-config for the allow_private_file_downloads variable.\n * Issue #1978066 - Add _RESERVED_RAM variable for \"reserved\" memory.\n * Map all old_short_name profiles relations in the Ægir Provision directly.\n\n# Updated Ægir modules or extensions:\n\n * Newer aegir_custom_settings 6.x-2.3 with site clone added for client role.\n * Newer registry_rebuild 7.x-2.1 with fixed critical bug - see: #2130905\n\n# Changes in this release:\n\n * Auto-Disable views_cache_bully also when Ubercart is enabled.\n * Do not delete testing profile, we need it for acquia->testing upgrade path.\n * Do not map old_short_name on the Octopus level, it is moved to Provision.\n * Make ACTIVE INI files comments-free to never confuse them with templates.\n * Make the fix for known Feeds problem global, not just ManagingNews specific.\n * PHP: 5.4.22 and 5.5.6 as an option (for testing only).\n * PHP: Use latest (master) phpredis_new by default.\n * Redis: Default integration module version reverted to pre-7.x-2.0 release.\n * Redis: Force rebuild on system upgrade to update also Redis config.\n * Redis: Make redis_lock_enable available only when redis_use_modern = TRUE\n * Set opcache.revalidate_freq to 5 sec only on non-dev URLs by default.\n * Switch Ubercart 3 to use D7 Minimal instead if Standard to fix upgrade path.\n * Update prev release notes to explain importance of using latest Pressflow 6.\n\n# Fixes in this release:\n\n * Always fix permissions on contrib on upgrade and in daily.sh agent.\n * Avoid files checks for Drupal for Facebook and Domain Access by default.\n * Better auto-recovery when broken libcurl is detected.\n * Fix for cron auto-correction.\n * Fix for post-upgrade permissions issues affecting modules|themes|libraries.\n * Fix for too restrictive permissions in /data/all/000/*\n * Fix regression in the logic for dev URLs detection and auto-configuration.\n * Fix the forced contrib upgrade logic.\n * Fix the logic for cURL install from sources.\n * Improve procs monitoring agent with better whitelisting.\n * Improve sanitize_string() filtering to avoid issues with strong passwords.\n * Issue #1860706 - Native, unified support also for D6 lock backend.\n * Issue #2023895 - Do not kill java, only jetty and tomcat procs when needed.\n * Issue #2105477 - Allowed gem commands need custom aliases in lshell.\n * Issue #2134329 - Going from 2.0.9 to 2.1.1 does not update platforms.\n * Issue #2135545 - Lock Backend freezes the site on cache clear.\n * Issue #2136413 - Use -H to force correct HOME environment variable.\n * Issue #2136413 - Use sudo to avoid lshell protection in DB auto-conversion.\n * Make sure that /usr/local/bin is in the PATH.\n * Make the check_if_required test in daily.sh six (6) times faster.\n * Nginx: Fix too restrictive access policy for Ægir specific /hosting URI.\n * Redis: Add some debugging on dev URLs to make sure permissions are correct.\n * Redis: Added prefix support for lock backend.\n * Redis: Disable persistent mode to never use on-disk storage, see #2135545\n * Redis: Do not enable tcp-keepalive or weird things may happen, see #2135545\n * Redis: Exclude some bins to avoid issues with lock support, see #2135545\n * Redis: Missing default values on variable_get() calls causing D6 break.\n * Redis: Update docs and naming convention for modern integration module.\n * Silence cURL test in meta-installers.\n * Sync randpass with sanitize_string().\n * Set less restrictive permissions on civicrm.settings.php since\n provision_civicrm does not make the file writable temporarily as it should.\n\n# Known Issues on systems upgraded to initial BOA-2.1.2 release\n\n ==> Updated on Thu Nov 21 01:28:23 SGT 2013 with all fixes applied to stable.\n\n * Feature Server platform is broken since BOA-2.1.0 due to incorrect context\n module version downloaded via makefile. This bug affects only some instances\n upgraded to head and not stable, but since in the first 24 hours after\n BOA-2.1.2 release our static downloads were still out of sync on two of\n our mirrors, it is safe to assume that you should run the HotFix via\n boa-fix-upgrade.sh.txt anyway.\n\n * There is regression introduced in the maintenance agent logic, which\n results with dependency check effectively ignored. This may cause various\n disastrous effects, like disabling all modules chained via feature or\n via apps module, because apps module requires update module, which is\n normally disabled. While any feature which requires dblog or update module\n enabled is considered as a serious developer error and should be avoided,\n we have to respect all dependencies defined to never break any site by\n forcefully disabling modules.\n\n * Part of the Site Health Check task (the `drush6 status-report` command)\n breaks permissions on the site directory, which blocks any further tasks\n like Clone, Migrate and Backup. This regression was introduced in the\n BOA-2.1.0 release.\n\n# HotFix for known post-upgrade issues\n\n Run the boa-fix-upgrade script when logged in as system root:\n\n $ cd;rm -f boa-fix-upgrade.sh.txt*\n $ wget -q -U iCab http://files.aegir.cc/update/boa-fix-upgrade.sh.txt\n $ bash boa-fix-upgrade.sh.txt\n\n This script is updated once there is any new regression or bug discovered,\n so it is safe and recommended to run it again if the list of known issues\n have been updated. Note that this script will detect and fix all Octopus\n instances on your system at once.\n\n\n### Stable BOA-2.1.1 Release - Full Edition\n### Date: Sat Nov 9 17:00:00 EST 2013\n### Includes Ægir 2.x-boa-custom version.\n\n# Release Notes:\n\n There are some important bug fixes in this release, along with changes\n to the Auto-(En|Dis)able agent, explained in greater detail in embedded docs\n included in platform specific INI file template.\n\n Note that the system agent doesn't modify any existing and active INI file,\n so updated docs are included only in the updated each morning INI templates:\n default.boa_platform_control.ini and default.boa_site_control.ini\n\n You can find both INI templates also online at: https://omega8.cc/node/293\n\n We have also added some docs to help you if you experience any issues\n with cached, Views based pages and panels: https://omega8.cc/node/292\n\n Note also that since BOA-2.1.0 all D6 based sites are forced to use PHP 5.3.27\n on hosted and managed Ægir instances, even if they were previously configured\n to use deprecated, insecure, unstable and outdated PHP 5.2 for D6 based sites.\n\n This means that if you are using either too old D6 core (older than 6.28.x)\n some features will stop working, namely imagecache, /update.php and any\n feature which depends on contrib modules not yet compatible with PHP 5.3\n\n We have allowed to use PHP 5.2 for too long, to give enough time (in years)\n to upgrade to latest Pressflow 6.x version and we no longer can extend\n this allowance, for obvious security and systems stability reasons.\n\n Furthermore, sticking with PHP 5.2 would not allow us to use latest Ægir 2.x\n version (BOA still includes a bit older Ægir 2.x for backward compatibility),\n since newer Ægir versions need newer Drush (BOA still uses ancient Drush 4.6)\n and newer Drush requires newer PHP version.\n\n It is even more important because Drupal 8 will not run on older PHP nor Drush\n older than 7.x, so there is basically no choice other than make all your sites\n compatible with PHP 5.3, or you will miss all future BOA system upgrades.\n\n Now even PHP 5.3 is officially in the EOL (End-of-Live) phase, with only\n security fixes expected, but also only until July 2014 and then it will be\n completely deprecated, so we will have to switch to modern PHP 5.5, first\n introduced as an option, later this year.\n\n Upgrading to latest Pressflow 6.x is *very* easy. Just add all contrib modules\n you are using in your outdated 6.x platform to the latest Pressflow 6.x\n platform we provide by default, reverify the new platform, clone the site\n in the old platform, migrate the cloned copy to the new platform and if\n everything works fine, migrate also your live site. It will take less than\n 15 minutes and there is absolutely no excuse to not upgrade.\n\n If you experience issues with your site due to the old core used on now forced\n PHP 5.3, we can temporarily revert it to PHP 5.2 for the last time, but it is\n really a bad idea. Much better idea is to find those 15 minutes and upgrade\n your site, so we could continue to provide future upgrades and new amazing\n features also for your Ægir instance.\n\n Enjoy new, shiny BOA Edition!\n\n# Updated Octopus platforms:\n\n ### Drupal 7.23.3\n\n Open Atrium 2.0.4 ------------ http://drupal.org/project/openatrium\n Open Deals 1.31 -------------- http://drupal.org/project/opendeals\n OpenBlog 1.0-a3 -------------- http://drupal.org/project/openblog\n Recruiter 1.1.2 -------------- http://drupal.org/project/recruiter\n Spark 1.0-a10 ---------------- http://drupal.org/project/spark\n Totem 1.1.2 ------------------ http://drupal.org/project/totem\n\n ### Pressflow 6.28.3\n\n Commons 2.13.2 --------------- http://drupal.org/project/commons\n Open Atrium 1.7.2 ------------ http://drupal.org/project/openatrium\n\n# New features and enhancements in this release:\n\n * Document all system-level control files in docs/ctrl/system.ctrl\n * Fast Redis lock implementation is now enabled by default for D6 and D7.\n * Nginx: Add NAXSI (Nginx Anti XSS & SQL Injection) WAF as an option.\n * Use 100% static downloads in stable to remove dependency on github and d.o\n * Use extended connection check procedure before exit 1.\n * Use reliable Redis UP check via PING/PONG instead of pid file check.\n\n# Updated o_contrib modules:\n\n * Contrib update: httprl-6.x-1.13\n * Contrib update: httprl-7.x-1.13\n * Contrib update: redis-7.x-2.3\n * Contrib update: views_cache_bully-6.x-3.x\n * Contrib update: views_cache_bully-7.x-3.x\n * Contrib update: views_content_cache-7.x-3.0-alpha3\n\n# Changes in this release:\n\n * Introducing Pressflow 6.28.3 to include fix for #2130865\n * Updated INI docs for views_cache_bully and views_content_cache.\n * ProsePoint moved to unsupported.\n\n * Private files mode in D7 requires allow_private_file_downloads = TRUE in\n boa_site_control.ini or boa_platform_control.ini and is disabled by default.\n\n * Do not enable views_cache_bully and views_content_cache, unless special\n control files exist and related variables in the platform specific INI\n are not set to TRUE.\n\n * Auto-Disable views_cache_bully on sites with commerce module enabled, but\n allow to override it with ~/static/control/enable_views_cache_bully.info\n and views_cache_bully_dont_enable = FALSE\n\n# Fixes in this release:\n\n * All-in-One Site Health Check in Ægir not displayed for non-uid=1 users.\n * Always prepare shared D6 and D7 cores.\n * Always remove www. from the Redis cache key prefix.\n * Better check for not yet updated Octopus instances in a batch upgrade mode.\n * Check if ctools is enabled before attempting to enable views_content_cache.\n * Do not force HEAD on Precise.\n * Fix for /root/.upstart.cnf consistency.\n * Fix for PATH in aegir.sh\n * Fix still too aggressive procs monitoring.\n * Fix the check_if_required() logic in the Auto-Disable agent.\n * Improve all cURL based downloads with auto-continue mode.\n * Issue #1980250 - Fix for broken cache_page bin in Redis integration module.\n * Issue #2127237 - New Relic: Unable to initialize module on Debian Wheezy.\n * Issue #2128233 - Rsyslog is still installed and consumes all CPU on OpenVZ.\n * Issue #2128819 - Better exceptions in too aggressive process monitoring.\n * Make sure to never set any HTTP headers or redirects in the backend.\n * Nginx: Do not use separate location for /images/ URI shortcut.\n * Nginx: Fix for regression in \"Rewrite for legacy requests with /index.php\".\n * Nginx: Fix the logic for restricted access to /authorize.php and /update.php\n * Nginx: Map URI shortcuts early to avoid overrides in other locations.\n * Remove rsyslog on VZ, if installed.\n * Restore backward compatibility with IP and not wildcard based vhosts.\n * Use silent upgrade mode in _LENNY_TO_SQUEEZE and _SQUEEZE_TO_WHEEZY.\n * Issue #2127329 - AdvAgg (D6 version) presence in o_contrib should not\n auto-disable standard aggregation, unless the module is enabled.\n\n# Known Issues on systems upgraded to initial BOA-2.1.1 release\n\n ==> Updated on Tue Nov 12 14:44:16 EST 2013 with all fixes applied to stable.\n\n * Fast Redis lock may cause problems on node edit, with temporary error\n saying that the node was changed by \"another user\", because current\n implementation was not multisite-aware enough.\n\n * Views Cache Bully module, if enabled after upgrade to BOA-2.1.0, may break\n the cart and checkout on sites using Ubercart, and should be disabled\n automatically like it is done for Commerce based sites since BOA-2.1.1\n\n * The version of Redis integration module included: 7.x-2.3 causes warnings\n for D6 sites, visible either on dev URLs or on command line and may break\n some advanced Views configurations if custom caching is not yet enabled.\n It may also break menu updates due to not aggressive enough cache clear\n policy for cache_menu bin.\n\n * Permissions set daily on the civicrm.settings.php file are too restrictive\n and since provision_civicrm extension does not make this file writable\n before attempting to re-create it, as it should, all tasks on CiviCRM\n enabled sites fail.\n\n * Permissions on sites/all/{modules,theme,libraries} on newly added, empty\n platforms with no sites created yet, so not included in the running daily\n permissions fix, are initially not group writable, as they should be.\n\n * The check_if_required procedure in the running daily maintenance agent to\n detect if the module is required by any other module or feature or by\n installation profile, is 6 (six) slower than it should be and never disables\n devel module properly.\n\n * The running daily maintenance agent does not disable files checks for\n Drupal for Facebook (fb) and Domain Access modules as it should in the\n platform level INI file, unless those modules are detected.\n\n# HotFix for known post-upgrade issues\n\n Run the boa-fix-upgrade script when logged in as system root:\n\n $ cd;rm -f boa-fix-upgrade.sh.txt*\n $ wget -q -U iCab http://files.aegir.cc/update/boa-fix-upgrade.sh.txt\n $ bash boa-fix-upgrade.sh.txt\n\n This script is updated once there is any new regression or bug discovered,\n so it is safe and recommended to run it again if the list of known issues\n have been updated.\n\n You can also run another upgrade with \"barracuda up-stable system\" command,\n followed by \"octopus up-stable all both log\" since all fixes have been applied\n to current stable as well, but boa-fix-upgrade script is faster than running\n complete upgrade again.\n\n\n### Stable BOA-2.1.0 Release - Full Edition - Now NSA-proof\n### Date: Sat Nov 2 18:15:19 EDT 2013\n### Includes Ægir 2.x-boa-custom version.\n\n# Release Notes:\n\n There are some really important changes and improvements in this release\n you should be aware of before running your BOA system upgrade.\n\n Even if you are on a hosted BOA system with upgrades managed for you,\n it is very important to read at least this release notes.\n\n And if you are more curious, read also the giant changelog further below.\n\n Besides all changes, fixes and improvements, all currently supported\n Drupal distributions have been upgraded to use latest Drupal core versions.\n\n Plus, there are seven (7) NEW platforms included!\n\n#-### Control files to customize your BOA system per platform and per site\n\n Almost all control files are now replaced with two centralized,\n platform and site specific INI files, using standard PHP INI format.\n\n The platform specific INI file template with extensive documentation\n included, has filename default.boa_platform_control.ini and is located\n in the sites/all/modules directory.\n\n The site specific INI file template with extensive documentation\n included, has filename default.boa_site_control.ini and is located\n in the sites/foo.com/modules directory.\n\n Any existing control files, both on the platform and site level\n will be automatically converted into active INI files and then deleted\n to avoid confusion, also automatically, on the first run of the special\n maintenance script: /var/xdrago/daily.sh but defaults in the global.inc\n file will allow for smooth, fully automated transition.\n\n This change will improve customizing your BOA system maintainability\n and overall system performance/load thanks to minimized files checks.\n\n#-### Empty and not used platforms auto-cleanup\n\n BOA has finally the ability to auto-delete, during daily maintenance,\n which happens each morning (server time zone), all empty and not used\n platforms. While on all hosted instances the TTL (time-to-live) is set\n to 60 days (counted since last verify task date/time on the platform),\n it can be configured per instance in the /root/.USER.octopus.cnf file\n by changing value of _DEL_OLD_EMPTY_PLATFORMS variable to anything\n higher than 0 (days), which is default (and means the feature is OFF).\n\n Note that every Octopus instance upgrade re-verifies all existing platforms,\n so if you will configure the TTL to 90 days but you will run the upgrade\n every month or every two months, no platforms will ever be deleted.\n\n If you wish to have this TTL customized on the hosted instance, where\n it is set to 60 (days) by default, please open a support ticket via:\n https://omega8.cc/support\n\n Remotely managed BOA systems can have this feature enabled and configured\n upon request submitted via https://omega8.cc/support\n\n#-### All-in-One Site Health Check in your Ægir control panel\n\n You will notice a new Task available on every site page in your Ægir\n Control Panel, named \"Run health check\". This new task will run a few\n important tests on your site and will store all results in the Task Log,\n so you easily review all results by clicking on the \"View\" button to the\n right of the task, when it is complete. Make sure to check all details\n by clicking on the \"Expand\" links in the log.\n\n What are the tests included?\n\n 1. The \"drush clean-modules\" command will be run for you to make sure\n there is no module left in the system table as \"enabled\" while it\n no longer even exists on the system. This part will utilize (behind\n the scenes) extension: https://drupal.org/project/clean_missing_modules\n If it will find any such leftover, it will clean it up, automatically.\n\n 2. The \"drush6 pm-updatestatus\" command is a native Drush command which\n tells you if there are any waiting module/code updates in the site.\n Note: it will *not* upgrade anything, it is a check only.\n Of course there should be no updates waiting if you follow Ægir\n site upgrade best practices and your site's code is up to date.\n Yes, this check will automatically enable the \"update\" module for you,\n but it will not auto-disable it afterwards (to not break things in case\n it is required by some other module or feature).\n\n 3. The \"drush6 status-report\" command is a native Drush command\n which provides you a complete overview of your site status.\n Instead of logging into the site, you can review it easily here.\n\n 4. The \"drush6 updatedb-status\" command is a native Drush command\n which tells you if there are any waiting database updates in the site.\n Note: it will *not* apply these updates, it is a check only.\n Of course there should be no updates waiting if you follow Ægir\n site upgrade best practices, but who knows, hence the check.\n\n 5. The \"drush security-review\" command will run only on Drupal 7 based sites\n and provides some additional information by using (behind the scenes)\n this extension: https://drupal.org/project/security_review\n\n#-### PFS (Perfect Forward Secrecy) support in Nginx\n\n BOA now fully supports the most secure, yet still compatible with most\n used systems and browsers SSL configuration.\n\n All hosted BOA instances have been already upgraded automatically and\n you don't need to do anything to make it work -- it is already done\n for you -- both on any SSL enabled site with dedicated certificate\n and IP address and also on the standard, system-wide SSL proxy level,\n which is available for every hosted site -- just type HTTPS:// in the URL.\n\n On self-hosted instances it needs to be enabled by adding a line in your\n /root/.barracuda.cnf file: _NGINX_FORWARD_SECRECY=YES before the upgrade.\n Note that depending on the system used, it may auto-install some\n requirements like latest OpenSSL libraries and packages.\n\n Remotely managed BOA systems can have this feature enabled upon request\n submitted via https://omega8.cc/support\n\n#-### SPDY (new networking protocol) support in Nginx\n\n BOA now fully supports the advanced, new protocol which allows to run\n sites over HTTPS with much better performance than plain HTTP.\n\n While not all browsers support this protocol yet, it is already enabled\n by default on all hosted BOA instances (but obviously works only when you\n access the site via HTTPS:// in the URL).\n\n On self-hosted instances it needs to be enabled by adding a line in your\n /root/.barracuda.cnf file: _NGINX_SPDY=YES before the upgrade.\n Note that depending on the system used, it may auto-install some\n requirements like latest OpenSSL libraries and packages.\n\n Remotely managed BOA systems can have this feature enabled upon request\n submitted via https://omega8.cc/support\n\n#-### Zend OPcache replaced APC in PHP\n\n Newer versions of PHP already come with next generation opcode cache\n from Zend, which is now open-sourced and available also as an extension\n for older PHP versions, including 5.2 and 5.3\n\n BOA leverages this opportunity and now uses Zend OPcache instead of APC.\n\n This change is introduced automatically on all systems, both hosted\n and managed for you and also self-hosted.\n\n Only Debian Squeeze and Ubuntu Precise systems which are using PHP\n installed from packages and not from sources, so with _BUILD_FROM_SRC=NO\n set in the /root/.barracuda.cnf file, still use APC by default.\n You can install Zend OPcache by changing it to _BUILD_FROM_SRC=YES\n before running the upgrade.\n\n Note that Zend OPcache default configuration caches every script for\n 60 seconds, so any changes you will introduce, will be visible with\n up to 1 minute delay. However, if there is .dev. or .devel. in the site\n name, this delay is lowered automatically to just 1 second.\n\n You can change the default per site permanently by adding in the\n local.settings.php preferred value, for example, to set it to 10 seconds:\n ini_set('opcache.revalidate_freq', '10'); -- but remember that you will\n override default (1 second) for dev URLs using this method.\n\n Enjoy the most advanced, NSA-proof BOA Edition yet!\n\n\n# New Octopus platforms:\n\n ### Drupal 7.23.3\n\n Open Academy 1.0-rc3 --------- http://drupal.org/project/openacademy\n Open Atrium 2.0 -------------- http://drupal.org/project/openatrium\n OpenBlog 1.0-a2 -------------- http://drupal.org/project/openblog\n OpenScholar 3.8.1 ------------ http://openscholar.harvard.edu\n Recruiter 1.1 ---------------- http://drupal.org/project/recruiter\n Spark 1.0-a9 ----------------- http://drupal.org/project/spark\n Totem 1.1 -------------------- http://drupal.org/project/totem\n\n# Updated Octopus platforms:\n\n ### Drupal 7.23.3\n\n Commerce 1.20 ---------------- http://drupal.org/project/commerce_kickstart\n Commerce 2.9 ----------------- http://drupal.org/project/commerce_kickstart\n Commons 3.4 ------------------ http://drupal.org/project/commons\n Conference 1.0-a2 ------------ http://drupal.org/project/cod\n Drupal 7.23.3 ---------------- http://drupal.org/drupal-7.23\n Open Deals 1.27 -------------- http://drupal.org/project/opendeals\n Open Outreach 1.2 ------------ http://drupal.org/project/openoutreach\n OpenChurch 1.11-b14 ---------- http://drupal.org/project/openchurch\n Panopoly 1.0-rc5 ------------- http://drupal.org/project/panopoly\n Ubercart 3.5.1 --------------- http://drupal.org/project/ubercart\n\n ### Pressflow 6.28.2\n\n Commons 2.13 ----------------- http://drupal.org/project/commons\n Feature Server 1.2 ----------- http://bit.ly/fserver\n Managing News 1.2.3 ---------- http://drupal.org/project/managingnews\n Open Atrium 1.7.1 ------------ http://drupal.org/project/openatrium\n Pressflow 6.28.2 ------------- http://pressflow.org\n ProsePoint 0.46 -------------- http://prosepoint.org\n Ubercart 2.12.1 -------------- http://drupal.org/project/ubercart\n\n# New features and enhancements in this release:\n\n * Add a workaround for an edge case problem -- a missing /etc/resolv.conf\n * Add auto-config for AdvAgg on both Drupal 7 and Drupal 6.\n * Add command to check for available updates: `drushextra check updates`\n * Add gems for Omega 4 by default.\n * Add sass-globbing gem by default.\n * Allow to install latest OpenSSH from sources with _SSH_FROM_SOURCES\n * Allow to install latest OpenSSL from sources with _SSL_FROM_SOURCES\n * Anonymize lshell intro message.\n * Better code sharing with central core dirs for all built-in platforms.\n * BOA installer wrapper depends on curl instead of wget.\n * Do not stop/start cron if /root/.upstart.cnf control file exists.\n * Drush: Add embedded how-to for aliased commands.\n * Enable views_cache_bully and views_content_cache if views is enabled.\n * Firewall: Disable incoming ping/ICMP.\n * Firewall: Protect port 80 only with CONNLIMIT and remove it from PORTFLOOD.\n * Firewall: Update config template and enable port/syn flood protection\n * FTP: Allow to list/see up to 3000 files/subdirs in a directory.\n * Improve daily.sh performance.\n * Improve dist-upgrade procedure.\n * Improve docs/MODULES.txt\n * Improve meta-installers auto-update procedures.\n * Improve SQL limits auto-configuration.\n * Install pdnsd as a last service.\n * Issue #2000932 - Add also zen-grids.\n * Issue #2015553 - Fix the logic for protected registration of new accounts.\n * Issue #2044589 - SPDY Nginx support.\n * Issue #2052703 - Conversion from control files to ini includes.\n * Issue #2092599 - Switch to disable MySQL password reset on upgrades.\n * Issue #2105477 - Add support for bundler gem.\n * Issue #2116387 - Nginx and PHP: Improve system hardening.\n * Issue #2116395 - Nginx: Better protection and 404 instead of 403.\n * Issue #2118393 - Mark drush/cron as newrelic_background_job\n * Make Bazaar installation optional with BZR keyword required in _XTRAS_LIST\n * Nginx: Use forced HTTPS-only access for Chive and SQL Buddy.\n * PHP: Add experimental support for 5.4 and 5.5\n * PHP: Install Zend OPcache instead of deprecated APC by default.\n * PHP: Reload FPM hourly unless /root/.high_traffic.cnf exists.\n * Restart db server when backup is complete if /root/.my.optimize.cnf exists.\n * Restore support for Expire and Purge modules.\n * Shell: Add gunzip to allowed commands.\n * Shell: Disable mc on the fly unless /root/.allow.mc.cnf control file exists.\n * Shell: Use MySecureShell 1.31 for SFTP by default.\n * Try to download wrapper 4 times before it gives up.\n * Use MySQLTuner to better tune SQL configuration on install and upgrade.\n * Use sqlmagic to fix errors caused by duplicate keys in the db dump.\n * Use standard D7 profile for Ubercart 3 and update related contrib.\n * We no longer depend on drupal.org for any downloads.\n * Add optional, configurable per site, automated and smart (via sqlmagic tool)\n DB table format/engine conversion, enabled per instance with non-default\n _SQL_CONVERT=YES option.\n * Add support for _MODULES_SKIP variable and make the auto-disable agent\n much smarter to never disable any module defined as required by any other\n module or feature.\n * Improve auto-recovery from manual permissions/ownership big mistakes\n related to critical files and dirs.\n * Issue #2067193 - PFS (Perfect Forward Secrecy) support in Nginx with\n _NGINX_FORWARD_SECRECY=YES config option.\n * Use _DEL_OLD_EMPTY_PLATFORMS to enable and define auto-cleanup for old,\n empty platforms with no sites hosted, separately per Satellite instance\n (it does not affect Master instance).\n * Issue #2000932 - Add more Compass tools/extensions: (compass_radix,\n zurb-foundation) and make sure the gems are updated on upgrade.\n * Nginx: Add support for domain specific /robots.txt mapped to static\n files/$host.robots.txt to make it possible to manage it per domain\n also when Domain Access module is used.\n * Improve the logic for daily permissions fix (no longer enabled by default)\n and make it configurable via _PERMISSIONS_FIX variable.\n * Improve the logic for daily modules fix (still enabled by default)\n and make it configurable via _MODULES_FIX variable.\n * Generate static sites/foo.com/files/robots.txt file per site, which is\n mapped to /robots.txt\n\n# New and updated Ægir modules or extensions:\n\n * Add security_review extension\n * Use registry_rebuild 7.x-2.x\n\n# New o_contrib modules:\n\n * Add Advagg 6 and 7 to all platforms.\n * Add force_password_change to all platforms.\n * Add views_cache_bully to all platforms.\n\n# Changes in this release:\n\n * All D6 based sites are forced to use latest PHP 5.3.27 version.\n * Chive 1.3\n * cURL 7.33.0 as an option.\n * Drush 5.10.0 and 6.1.0 (available as drush5 and drush6)\n * Git 1.8.4.1\n * Lshell 0.9.16.4-om8\n * MariaDB 5.5.33a\n * Nginx 1.5.6\n * Nginx: ngx_cache_purge-2.1\n * OpenSSH 6.3p1 as an option.\n * Percona 5.5.33\n * PHP 5.4.21 and 5.5.5 as an option.\n * Redis 2.6.16\n * Vnstat 1.11\n * Deprecate CiviCRM as a separate platform.\n * Remove obsolete MartPlug distro.\n * Move OpenPublish to unsupported.\n * Move NodeStream to unsupported.\n * Do not include D6 core translations, never included also in D7 platforms.\n * Do not include notoriously buggy backup_migrate module.\n\n# Fixes in this release:\n\n * Add all extra, non-standard options in the barracuda.cnf docs template.\n * Add built-in support for Domain Access also for sites/all/modules/contrib\n * Add exception to support commerce_multicurrency module properly.\n * Add info about self-signed SSL certificate in the welcome email (again).\n * Add support for /usr/etc/sshd_config if exists.\n * Always force update_newrelic - even if there is no new PHP version.\n * Better check for GitHub partial downtime.\n * Better logic for clean resolvconf re-install when needed.\n * Contrib: Make the list readable.\n * Delete too old pid files if any exists.\n * Do not allow to break working DNS cache server with parent system overrides.\n * Do not allow to install OpenSSL and cURL from sources also on Precise.\n * Do not install rsyslog on VZ based VM.\n * Do not set session.cookie_secure on SSL requests for sites < D7\n * Enable dev mode also when HTTP_HOST begins with dev.\n * Firewall: Adjust some defaults to improve flood protection,\n * Firewall: Always upgrade, unless _CUSTOM_CONFIG_CSF is set to YES.\n * Firewall: Better support for auto-whitelisting multi-IP systems.\n * Firewall: Fix csf.uidignore file to whitelist important system uids.\n * Firewall: Fix for csf template on VZ.\n * Firewall: Improve some flood protection defaults.\n * Firewall: Improve whitelisted IPs msg.\n * Firewall: Remove deprecated monitoring for now closed port 25 (incoming).\n * Firewall: Update config template.\n * Firewall: VZ compatibility.\n * Fix for /etc/resolv.conf and curl requirement in the BOA Meta Installer.\n * Fix for cron tasks queue.\n * Fix for forced pdnsd and resolvconf upgrades.\n * Fix for incorrect nproc discovery results on some VM systems.\n * Fix for proper handling mysql connections leftovers.\n * Fix for selected packages hold status.\n * Fix for the auto-update logic -- now it is default.\n * Fix permissions for control files to avoid leftovers on delete task.\n * Fix permissions on default backup_migrate dirs.\n * Fix the auto-healing to avoid killing all php-fpm processes at midnight.\n * Fix the automatic generation of static robots.txt file per site.\n * Fix the daily enable/disable logic and use faster drush version.\n * Fix the logic for chained installs from sources on upgrade.\n * Fix the makefiles to avoid issues after d.o upgrade.\n * Fix the not really working auto-healing to properly restart mysqld.\n * Fix the not really working lshell logs monitor.\n * Force clean pdnsd and resolvconf reinstall when needed.\n * Force contrib update to include redis module stable release.\n * Force cURL and OpenSSH re-install from sources when OpenSSL is from src.\n * Force Git rebuild from sources if SSL/cURL was built from sources.\n * Force Lshell rebuild when OpenSSL is installed from sources.\n * Force MSS and FTP rebuild when OpenSSL is installed from sources.\n * Force Nginx, PHP and Pure-FTPd re-install when OpenSSL is from sources.\n * Force PHP-FPM restart if 9+ connections with 499 in the last 60 seconds.\n * Generate 2048 bit long DH parameters when _NGINX_FORWARD_SECRECY=YES\n * IDS monitor should use lower defaults after introducing last min checks.\n * Improve gem and bundler allowed/denied restrictions.\n * Improve procs monitoring and whitelist backend tasks properly.\n * Improvements for Ubercart 2 installation + contrib updates.\n * Install latest CGP, collectd 5 compatible.\n * Issue #1751916 - Add Spark 1.0-a9\n * Issue #1874786 - Fix for GNU Mailutils support.\n * Issue #1991312 - Fix support and auto-config for AdvAgg 7 and HTTPRL.\n * Issue #1991658 - Firewall: Close port 25 for incoming connections\n * Issue #1994346 - DoS protection for not cached URLs doesn't respect $scheme\n * Issue #1994346 - Fix the logic for SSESS/SESS prefix in the cookie name.\n * Issue #1995342 - X-Accel-Expires is never send when $expire_in_seconds == 0\n * Issue #2002678 - barracuda up-stable system adds annoying extra delay.\n * Issue #2005116 - 403 on every attempt to log in from Hostmaster homepage.\n * Issue #2015551 - Fix for broken dev mode support switch.\n * Issue #2015551 - Fix the keyword check used to trigger \"dev\" mode.\n * Issue #2020043 - Send PUT requests for *.json URI to Drupal.\n * Issue #2032379 - _AUTOPILOT=YES should be forced also for \"silent\" modes.\n * Issue #2083373 - drush dl foo --destination=/path/ should be restricted.\n * Issue #2101193 - Support Drupal for Facebook from sites/all/modules/contrib\n * Issue #2105259 - All Platforms Installation Fails with Permission Denied.\n * Issue #2116177 - Use phpredis 2.2.4\n * Lshell: Better settings for newer Drush versions.\n * Lshell: Fix for env_path\n * Lshell: version update and monitoring improvements.\n * Make sure o_contrib is updated also on head-to-head upgrades.\n * Make sure to rebuild PHP if cURL is installed from sources.\n * Make the upgrade email generic.\n * More compact code for downloads.\n * Move csf/lfd corrections after pdnsd install.\n * Move the giant modules list from README.txt to docs/MODULES.txt\n * Nginx: Add access protection for .txt files in the modules|themes|libraries.\n * Nginx: Add access protection with fast 404 also for authorize.php\n * Nginx: Add access protection with fast 404 for extra .php known URLs.\n * Nginx: Add example site specific config for legacy .php URIs 301 redirects.\n * Nginx: Better support for static and dynamic .json requests/URIs\n * Nginx: Deny spiders on glossary/* URI, as they are never allowed to crawl.\n * Nginx: Fix for dynamically generated PDFs.\n * Nginx: Fix for redirects for legacy URLs with asp/aspx extension.\n * Nginx: Improve auto-whitelisting in the access log monitor.\n * Nginx: Improve POST requests monitoring.\n * Nginx: Move AJAX and webform requests location after civicrm location.\n * Nginx: Normalize newlines and spacing when fixing proxy config files.\n * Nginx: Remove 'results' from the bots-protected URI regex.\n * Nginx: Remove deprecated conf.d directory, if exists.\n * Nginx: Replace legacy keyword gulag with neutral limreq everywhere.\n * Nginx: Replace the zone legacy name also in Provision.\n * Nginx: Rewrite legacy requests with /index.php to extension-free URL.\n * Nginx: The /admin* URI protection logic has been moved to global.inc\n * Nginx: Update gzip_types to list all expected mime.types\n * Nginx: Update headers for AdvAgg compatibility.\n * Nginx: Update mime.types\n * Nginx: Use more precise wildcard in paths for replacements.\n * PHP: 5.4 requires uploadprogress-1.0.3.1\n * PHP: Disable ionCube Loader for PHP 5.5\n * PHP: Do not force extensions re-install unless _PHP_FORCE_REINSTALL=YES\n * PHP: Fix config overrides for 5.4 and 5.5\n * PHP: Fix possible issues with legacy 5.2 support logic.\n * PHP: Fix unintended overrides in the ini files.\n * PHP: Force All Extensions Rebuild when _FROM_SOURCES=NO\n * PHP: Force APC instead of Zend OPcache on Squeeze/Precise on no-src install.\n * PHP: Force legacy version rebuild if exists.\n * PHP: Improve rebuild logic if SSL/cURL was built from sources.\n * PHP: Make sure that latest version of ionCube loader is installed.\n * PHP: Rebuild extensions also for 5.2, even if _PHP_MODERN_ONLY=YES\n * PHP: Set opcache.revalidate_freq to 1 second on dev alias/URL on the fly.\n * PHP: Start more FPM workers by default to avoid Nginx 499 and timeouts.\n * PHP: Use correct version of ioncube_loader for 5.4\n * PHP: Use pecl-jsmin-0.1.1 with newer PHP versions.\n * PHP: Zend OPcache is a zend_extension and needs full path in the php.ini\n * Redis: Make redis_client_password optional and none by default.\n * Reload PHP-FPM before auto-healing will force its restart after midnight.\n * Remove already deprecated platforms.\n * Remove insecure files from libraries/plupload/examples.\n * Remove lock files before adding new users.\n * Security updates for selected contrib on all affected D7 platforms.\n * Shell: Fix FTPS compatibility after switching to MySecureShell\n * Shell: Sync IdleTimeOut for MSS with SSH and FTPS default 15m.\n * Shorten some too long status messages.\n * Silent Mode Option: aegir == Only stock Ægir forced up-head upgrade.\n * Simplify vnstat setup.\n * Split usage monitor into two separate scripts.\n * SQL auto-healing should always stop-stop-start and not just restart it.\n * SQL: Allow the engine to manage correct innodb_thread_concurrency value.\n * SSH: Make sure that 'UseDNS no' is always set.\n * Sync $cookie_domain validation with Drupal 7 core.\n * Sync dates with BOA defaults.\n * Unify apt-get options order.\n * Update for Redis config template.\n * Update or create /etc/apt/sources.list early enough.\n * Update PHP and SQL config early enough to avoid issues during upgrade.\n * Use --force-yes option if apt-get -y is used.\n * Use correct version of /etc/apt/preferences\n * Use drush6 only when required.\n * Use extended GitHub tests on HEAD and non-stock build only.\n * Use forced symlinks mode if possible.\n * Use is_readable() check instead of file_exists() for all includes.\n * Use mirror downloads for all contrib and patches to make it faster.\n * Use more restrictive permissions on lshell log files.\n\n\n### Stable BOA-2.0.9 Release - Barracuda Edition\n### Date: Thu May 9 11:25:59 EDT 2013\n### Includes Ægir from BOA-2.0.8 Edition\n\n# This is the first Barracuda-only Edition, released to address important\n security issue with Nginx server and provide system level upgrades.\n\n This Edition will not upgrade Ægir Master nor Ægir Satellite Instances,\n because there was no new Drupal core released since BOA-2.0.8 Edition and\n there were not enough updates to built-in platforms or contrib accumulated.\n\n Releasing Barracuda-only Edition separately from full Edition allows us\n to address system/services security issues without any extra delay,\n while releasing Octopus-only Edition will allow us to provide Drupal core\n or Ægir version upgrades, without affecting system level services.\n\n There is also another reason why separate releases will be useful.\n BOA-2.0.9 is the last Edition where Ægir 2.x still uses old Drush 4.6\n in the backend. We need to sync BOA specific Ægir 2.x with upstream\n and finally switch to Drush 5, or even Drush 6, if possible.\n\n This change, however, may cause issues if you still host legacy Drupal 5\n or some old Drupal 6 sites, with either core or contrib not compatible\n with PHP 5.3, which is now used by default.\n\n That is why we plan to introduce ability to install older/previous\n Barracuda and/or Octopus release, if you need more time to upgrade.\n\n# New features and enhancements in this release:\n\n * Debian 7.0 Wheezy support.\n * Automated upgrade from Squeeze with _SQUEEZE_TO_WHEEZY=YES option.\n * Added config template with inline how-to in docs/cnf/barracuda.cnf\n * Added config template with inline how-to in docs/cnf/octopus.cnf\n * Added passwords encryption how-to in docs/BLOWFISH.txt\n * Added the list of symbols used on install in docs/PLATFORMS.txt\n * Forced mysql restart if there are too many high CPU mysqld processes.\n * Improved docs/NOTES.txt\n * Improved docs/README.txt\n * Install libpam-unix2 and libxcrypt1 by default.\n * Install s3cmd by default.\n * Issue #1974640 - Allow to use Midnight Commander for limited shell users.\n * Limited Shell Logs Monitor enabled by default.\n * Nginx: Check for Linux/Cdorked.A malware and delete if discovered.\n * Re-generate and sync Ægir passwords before and after instance upgrade.\n * The silent 'system' mode documented in docs/UPGRADE.txt\n * Allow to exclude platform from otherwise forced `drush en entitycache -y`\n if sites/all/modules/entitycache_dont_enable.info control file is present.\n\n# Changes in this release:\n\n * Nginx 1.5.0 - security upgrade for CVE-2013-2028\n * PHP 5.3.25\n * Redis 2.6.13\n * Do not disable update module in platforms known to include it as required.\n * Firewall: Open port 1129 for outgoing connections (some gateways need it).\n * Force syslog module as disabled by default and save some disk I/O.\n * Tune kernel to always use max RAM and not swap, if possible.\n\n# Fixes in this release:\n\n * Add outgoing port 25 SMTP to the list of requirements.\n * Firewall: Add truly permanent block for heavy abusers.\n * Fix for mytop support, available again on systems with MariaDB.\n * Fix permissions in the /data/all tree if required.\n * Fix the order of checks - they scan only the last (current) minute.\n * Force _STRONG_PASSWORDS=NO if locales still look broken on second check.\n * Improve detecting no longer running drush.php and/or cron PHP processes.\n * Improve fix_locales logic.\n * Improve global.inc symlinking on initial install and upgrade.\n * Improve messages displayed when fix_locales discovers broken locales.\n * Improve monitoring to avoid duplicate entries on low traffic systems.\n * Improve sanitize_string() filtering to avoid issues with strong passwords.\n * Improve syncpass tool - Update system user passwd and flush privileges.\n * Issue #1961226 - Warning: Could not change permissions of sites/all to 751.\n * Issue #1962458 - 403 for anonymous users on node/add.\n * Issue #1963044 - Force UTF-8 locales if not present/configured properly.\n * Issue #1974542 - Use /root/.home.no.wildcard.chmod.cnf control file.\n * Issue #1987936 - Restore ability to install PHP 5.2 for FPM and CLI.\n * Make sure that /dev/null is writable for everyone.\n * Make sure that all drushrc.php files are owned by Ægir system user.\n * Make sure that all expected sites/all/{modules,themes,libraries} dirs exist.\n * Make sure that DB server is restarted on upgrade after config tuning.\n * Make sure that pdnsd and resolvconf are properly installed.\n * Nginx: Remove duplicate Vary: Accept-Encoding headers.\n * Percona no longer supports older Ubuntu non-LTS releases.\n * PHP: Do not reload FPM every hour - it may cause error 502.\n * PHP: Fix paths depending on CLI version used.\n * PHP: Fix the extensions installation and upgrade logic.\n * PHP: Make sure that the FPM port is set correctly for D6 sites with 5.2\n * PHP: Properly uninstall all related packages when using source build.\n * PHP: Start more FPM workers on systems with enough RAM by default.\n * Purge bin logs before disabling them.\n * Run New Relic re-install early enough to avoid locking full-upgrade.\n * Sync the load limits for spiders and backend tasks.\n * The Java/Jetty monitor should use higher allowed limits by default.\n * Update apticron message to recommend system mode instead of full upgrade.\n * Update docs for _BUILD_FROM_SRC option.\n * Use aggressive enough Jetty restart procedure on nightly services reload.\n * Use correct status messages on install and upgrade.\n * Use installer and not Ægir version download on stable install/upgrade.\n\n\n### Stable Edition BOA-2.0.8\n### Date: Mon Apr 8 01:41:36 CEST 2013\n### Installs Ægir 2.x\n\n# Updated Octopus platforms:\n\n ### Drupal 7.22.1\n\n Commerce 2.6 ----------------- http://drupal.org/project/commerce_kickstart\n NodeStream 2.0-rc5 ----------- http://drupal.org/project/nodestream\n Open Deals 1.19 -------------- http://drupal.org/project/opendeals\n\n All other not listed above platforms are available with latest\n D6 or D7 core, even if there were no new distro version released.\n\n# Fixes:\n\n * Critical Issue #1962690 - Fix for broken Percona support.\n\n * Allow to use [a-z0-9] subdomains and not only [www] for IDN domain names.\n * Change the interval between platforms builds from 5 to 3 seconds.\n * Forced 1s Speed Booster TTL for vhosts behind local proxy is deprecated.\n * Move old firewall logs to backups to avoid crazy load after upgrade.\n * Nginx: Better exceptions handling in the Abuse Guard for js/shs modules.\n * PHP: CLI is at 5.3 since BOA-2.0.4, so symlink old 5.2 binary path to 5.3\n * Update _LENNY_TO_SQUEEZE major upgrade procedure.\n * Update contrib with login_security-7.x-1.2\n * Use static downloads for all distros in stable edition.\n\n\n### Stable Edition BOA-2.0.7\n### Date: Thu Apr 4 00:00:17 EDT 2013\n### Installs Ægir 2.x\n\n# Updated Octopus platforms:\n\n ### Drupal 7.22.1\n\n Commons 3.2 ------------------ http://drupal.org/project/commons\n\n All other not listed above platforms are available with latest\n D6 or D7 core, even if there were no new distro version released.\n\n# Fixes:\n\n * Create dot dirs and keys if not exist, plus known_hosts for system user.\n * Fix the sqlmagic regex to really convert only expected tables.\n * Issue #1958502 - Add missing symlinks to the new Drush extensions.\n * Issue #1960192 - Fix literal path replacement with sites/$new_url in D7.\n * Issues #1930670 #1958898 #1932616 - Fix for hosting_server_update_6200.\n * Taxonomy Edge update to 7.x-1.7 and 6.x-1.7\n * Update contrib in all D7 platforms to ctools-7.x-1.3 - security upgrade.\n\n\n### Stable Edition BOA-2.0.6\n### Date: Mon Apr 1 21:34:04 EDT 2013\n### Installs Ægir 2.x\n\n# New Octopus platforms:\n\n ### Drupal 7\n\n Commons 3.1 ------------------ http://drupal.org/project/commons\n\n# Updated Octopus platforms:\n\n ### Drupal 7\n\n CiviCRM 4.2.8 ---------------- http://civicrm.org\n Commerce 1.16 ---------------- http://drupal.org/project/commerce_kickstart\n Commerce 2.5 ----------------- http://drupal.org/project/commerce_kickstart\n Drupal 7.21.2 ---------------- http://drupal.org/drupal-7.21\n NodeStream 2.0-rc4 ----------- http://drupal.org/project/nodestream\n Open Deals 1.18 -------------- http://drupal.org/project/opendeals\n Open Outreach 1.0-rc10 ------- http://drupal.org/project/openoutreach\n OpenChurch 1.11-beta9 -------- http://drupal.org/project/openchurch\n Panopoly 1.0-rc4a ------------ http://drupal.org/project/panopoly\n Ubercart 3.4.1 --------------- http://drupal.org/project/ubercart\n\n ### Pressflow 6\n\n Acquia 6.28.1 ---------------- http://bit.ly/acquiadrupal\n Commons 2.12 ----------------- http://drupal.org/project/commons\n Feature Server 1.2 ----------- http://bit.ly/fserver\n Managing News 1.2.3 ---------- http://drupal.org/project/managingnews\n Open Atrium 1.7.1 ------------ http://drupal.org/project/openatrium\n Pressflow 6.28.1 ------------- http://pressflow.org\n ProsePoint 0.46 -------------- http://prosepoint.org\n Ubercart 2.11.1 -------------- http://drupal.org/project/ubercart\n\n All other not listed above platforms are available with latest\n D6 or D7 core, even if there were no new distro version released.\n\n# No longer supported Octopus platforms:\n\n The platforms listed below can be re-added when their maintainers\n will fix all critical issues and/or apply required updates:\n\n ELMS ------------------------- http://drupal.org/project/elms\n MartPlug --------------------- http://drupal.org/project/martplug\n Octopus Video ---------------- http://octopusvideo.org\n Open Academy ----------------- http://drupal.org/project/openacademy\n Open Enterprise -------------- http://drupal.org/project/openenterprise\n OpenPublic ------------------- http://drupal.org/project/openpublic\n OpenScholar ------------------ http://openscholar.harvard.edu\n Videola ---------------------- http://videola.tv\n\n# New features:\n\n * Add an option to allow cron based, unattended system-only upgrades.\n * Add randpass helper script.\n * Add support for wkhtmltoimage.\n * Add syncpass tool to repair broken instances after incomplete upgrade.\n * Allow to specify extra apt-get packages with _EXTRA_PACKAGES option.\n * Allow to tune PHP-CLI timeout in the BOND script with separate option.\n * Install auditd with aureport by default.\n * Issue #1479300 - Add optional LDAP support in Nginx.\n * Issue #1876418 - Support for High-performance JavaScript callback handler.\n * Issue #1916804 - Validated bypass of flood control based on tty.\n * Jetty: Make migration from Tomcat easy with _TOMCAT_TO_JETTY=YES\n * PHP: Allow to use _PHP_EXTRA_CONF for custom builds from src.\n * Redis: Add Lock Backend Support for Drupal 6 and Drupal 7.\n * Redis: Enable lock support if modules/redis_lock_enable.info exists.\n * Shell: Add extra Drush versions available as drush4, drush5 and drush6.\n * SOLR: Support for 1.x / Jetty 7, 3.x / Jetty 8 and 4.x / Jetty 9.\n * SOLR: Use Jetty 8 for Solr 4 on systems with Java 1.6 available.\n * SOLR: Use Jetty 9 for Solr 4 on systems with Java 1.7 available.\n * SQL: Add sqlmagic tool to fix SQL dumps and convert to/from InnoDB/MyISAM.\n * SQL: Make default_storage_engine configurable with _DB_ENGINE option.\n * Use Registry Rebuild with Fixed Redis Lock Support aware configuration.\n * Allow to force SERVER_NAME based $cookie_domain with special\n modules/cookie_domain.info control file per site.\n\n# New Ægir modules or extensions:\n\n * Add drush clean-modules command - clean_missing_modules extension.\n * Add drush_ecl extension - Drush Entity Cache Loader.\n * Add hosting_site_backup and provision_site_backup enabled by default.\n\n# Changes:\n\n * Git 1.8.2\n * MariaDB 5.5.30\n * Nginx 1.3.15\n * Percona 5.5.30\n * PHP 5.3.23\n * Redis 2.6.12\n * Deprecate CiviCRM 3.4.8 D6 - only available with _ALLOW_UNSUPPORTED=YES.\n * Do not force filefield_nginx_progress as enabled also for D7.\n * Drupal 8.0-dev-tested deprecated and moved to unsupported group.\n * ELMS 1.0-beta1 deprecated and moved to unsupported group.\n * Enable entitycache module by default.\n * Master Ægir: Re-create secure db password on every barracuda upgrade.\n * Master Ægir: Sync generating secure db password also on barracuda install.\n * Nginx: Set 24h Speed Booster cache TTL for spiders/bots by default.\n * NodeStream 1.5.1 deprecated and moved to unsupported group.\n * Open default MongoDB port 27017 for outgoing connections.\n * OpenScholar deprecated and moved to unsupported group.\n * PHP: Deprecate 5.2 also on upgrade.\n * PHP: Install MongoDB driver if MNG keyword is listed in _XTRAS_LIST.\n * PHP: Set _PHP_CLI_VERSION=5.3 by default.\n * PHP: Switch to forced CLI 5.3 and FPM 5.3 also in the custom config.\n * PHP: Switch to FPM 5.3 also for D6 sites by default.\n * Pressflow 5.23 deprecated and moved to unsupported group.\n * Redis: Re-create secure password on every barracuda upgrade.\n * Satellite Ægir: Re-create secure db password on every octopus upgrade.\n * SQL: Do not run DB OPTIMIZE unless /root/.my.optimize.cnf ctrl file exists.\n * SQL: Re-generate new secure mysql root password on every barracuda upgrade.\n * SQL: Use key_buffer = 2M by default.\n * SQL: Use more safe memory limits after introducing higher key_buffer_size\n * Use better names for various control files.\n * Watch crons running > 2 min and kill crons running > 3 min.\n * Split _XTRAS_LIST into two groups: included via ALL keyword and\n other which need to be listed explicitly.\n\n# Fixes:\n\n * Add Ksplice-aware kernel upgrade alert.\n * Add some delay to avoid race conditions when removing more zombies.\n * Allow higher system load before disabling access for spiders temporarily.\n * Always send upgrade log when running in the silent mode.\n * Avoid cron collisions and make sure all maintenance tasks run 0-6 AM.\n * Better and separate backup rotation on hostmaster upgrade.\n * Better check if Webmin GnuPG signing key has been added properly.\n * Better fix for $cookie_domain and DA compatibility.\n * Better protection for all ports usually targeted in brute force attacks.\n * Check if nproc is present and fall back to /proc/cpuinfo otherwise.\n * Clean swap on kernel tuning update.\n * Delete broken o_contrib symlinks before trying to recreate them.\n * Do not add and remove bind from /etc/sudoers since it is not supported.\n * Do not block @ in the limited shell - it breaks git foo git@bar etc.\n * Do not force _DEBUG_MODE=YES if not required.\n * Do not force _HTTP_WILDCARD=NO for stock install option.\n * Do not run extra IP checks for requests below $mininumber threshold.\n * Do not run initial apticron check in local install.\n * Do not run two mysql restarts in a row on mysql upgrade.\n * Downgrade to working wkhtmltopdf-0.10.0_rc2 and wkhtmltoimage-0.10.0_rc2\n * Drupal 7.x core with Field API memory optimization - see #1915646\n * Enable image_allow_insecure_derivatives to avoid issues with drupal-7.20\n * Fix apticron to suggest barracuda up-stable instead of apt-get upgrades.\n * Fix AWS system auto-discovery and auto-configuration.\n * Fix Drush 5.x and _USE_STOCK support.\n * Fix for Bazaar (bzr) 2.6b2 extensions build.\n * Fix for pdnsd install on Ubuntu Precise.\n * Fix the 32 long ALNUM password generation for lshell users.\n * Fix the hint to just display the uptrack command, not run it.\n * Force logrotate on demand if /var/log/syslog > 1GB\n * Force mysql tables check and upgrade before hostmaster upgrade.\n * Force proper pdnsd and resolvconf re-installation if needed.\n * Force proper resolvconf configuration to support and use pdnsd server.\n * FTPS on all modern systems requires lshell path added in /etc/shells.\n * Hostmaster/Octopus contrib modules are now added via Ægir makefile.\n * Improve autonomous IDS auto-cleaning and permanent block mgmt.\n * Improve compatibility testing with Drush 5 and Drush 6.\n * Improve kernel default tuning.\n * Improve Master Instance upgrade logic.\n * Improve mysqldump performance by default.\n * Improve the default strict configuration for $cookie_domain.\n * Improve Tomcat/Jetty self-healing to avoid stuck processes.\n * Install also hostmaster contrib when stock option is used.\n * Issue #1782034 - Use fixed version of the message_notify module.\n * Issue #1825018 - Disable binary logging and make it optional.\n * Issue #1871060 - CiviCRM 4.2.6 needs separate civicrml10n fix.\n * Issue #1873478 - Localhost install broken because getent test is used.\n * Issue #1875348 - Fix for Nginx 1.3.10 bug causing random segfaults.\n * Issue #1886920 - Fix the unrecognized option [service=system-auth] error.\n * Issue #1886920 - Pure-FTPd config broken because of deprecated pam_stack.so\n * Issue #1888380 - Deleted platform cache folder recreated automatically.\n * Issue #1889322 - Domain Access module breaks sites provisioning.\n * Issue #1897018 - Set Pin-Priority also in wrappers to fix also stable.\n * Issue #1897018 - Ubuntu Precise breaks install and upgrade.\n * Issue #1906760 - Incomplete access_log directive in the purge vhost.\n * Issue #1906900 - Nginx microcaching not disabled on prefixed admin URIs.\n * Issue #1909208 - Changed MariaDB GnuPG signing key hangs install/upgrade.\n * Issue #1913394 - Disable automatic CSF/LFD upgrade.\n * Issue #1913488 - Do not install GEOS PHP ext. unless explicitly listed.\n * Issue #1914294 - APC 3.1.14 disappeared from PECL - downgrade to 3.1.13\n * Issue #1918722 - Add diff command as allowed in the limited shell.\n * Issue #1920972 - Could not change permissions warnings on site verify.\n * Issue #1932388 - Use correct keyword PPY for Panopoly install.\n * Issue #1935388 - Use reliable check for Master Instance install path.\n * Issue #1947082 - Permissions are never fixed on the profile level.\n * Issue #1949740 - Make sure that cache_prefix for Redis is always set.\n * Issue #1952042 - Make strong passwords optional and not default.\n * Issue #1953248 - Extra Drush versions should be added properly.\n * Issue #1957762 - Upgrade to Bazaar (bzr) 2.6b2\n * Jetty: Tune memory limits automatically to avoid extra RAM requirements.\n * Keep all extra modules in the same profiles/hostmaster/modules directory.\n * Lshell: Allow ping command to help keep session active / auto-whitelist.\n * Make apticron aware of the BOA version currently running.\n * Make BOND aware of _CUSTOM_CONFIG_SQL if present.\n * Make Compass Tools available in the standard path, if installed.\n * Make sure that all removed zombies use unique dir names.\n * Make sure that all users home dirs are protected.\n * Make sure that now redundant hosting_backup_gc module is removed.\n * Make sure that SERVER_NAME is set to HTTP_HOST early enough, if required.\n * Make the errors monitor aware of system only upgrade mode.\n * Make URI filtering regex localization-aware in the global.inc\n * Nginx Security: BEAST attack protection and fix for PCI compliance.\n * Nginx: Another fix for broken imagecache paths in some imported sites.\n * Nginx: Better protection from DoS attempts on never cached uri.\n * Nginx: Do not block spiders on imagecache/styles URIs.\n * Nginx: Do not force use epoll - it is set on install properly.\n * Nginx: Do not force worker_connections. It will not work in the VM guest.\n * Nginx: Do not force worker_rlimit_nofile. It will not work in the VM guest.\n * Nginx: Force rebuild to include LDAP support if enabled via _NGINX_LDAP=YES\n * Nginx: Improve Abuse Guard to better protect from imagecache|styles flood.\n * Nginx: Improve no-cache exceptions for known AJAX and webform requests.\n * Nginx: Make json compatible with boost caching but dynamic for POST.\n * Nginx: Restore fast 404 for static json requests.\n * Nginx: Set workers number to available CPUs x2 with min/max defaults.\n * Nginx: Use default buffer=32k in the access_log for better performance.\n * Nginx: Use static /normal/ instead of dynamic /$device/ for Boost cache.\n * PHP: Enable more FPM workers by default for better performance.\n * PHP: Force php53-fpm restart if there is no master process running.\n * PHP: Many Drupal 7 based distros require 196M limit at minimum.\n * PHP: Never force php53-fpm restart when another script reloads it.\n * PHP: Use more safe limits on low memory systems.\n * Prevent turning the feature server site into a spam machine.\n * Protect also from not supported request types if Nginx server is busy.\n * Randomize tasks wait/start intervals better to avoid high system load.\n * Redis: Do not disable it on the fly when there is /nojs/ in the URI.\n * Redis: Double check if $cache_lock_path exists before using it.\n * Redis: No need to force exception for cache_menu bin.\n * Redis: Tune sysctl for better memory management by default.\n * Remove up to two last zombies on Master Instance upgrade.\n * Remove up to two last zombies on Satellite Instance upgrade.\n * Rename profiles to avoid confusion between Commons 2 and Commons 3.\n * Run drush @hostmaster hosting-dispatch during upgrade to sync things.\n * Send also OK report when running in the silent mode.\n * Set correct default DNS entry in /etc/hosts before running local install.\n * Shell: Fix for too restrictive Drush commands filtering.\n * Shell: Fix the broken Git support over SSH.\n * Shell: Fixed too restrictive permissions on the extra Drush directories.\n * SQL: Do not run the purge_binlogs script when binary logging is disabled.\n * SQL: Improve sqlmagic converter and allow it to use control files.\n * SQL: The sqlmagic_convert should not be available for extra lshell users.\n * SQL: Tune also key_buffer_size by default.\n * Sync generating secure passwords also for limited shell users.\n * Update csf.conf template.\n * Update self-healing for Tomcat/Jetty support.\n * Update welcome email template to better explain how to manage databases.\n * Use Boost with silenced false alarms.\n * Use Limited Shell branch with fixed tab completion.\n * Use public DNS during pdnsd (re)installation to avoid issues.\n * Whitelist /tmp/make_tmp.* in the csf.fignore to avoid false alarms.\n\n\n### Stable Edition BOA-2.0.5\n### Date: Sun Dec 23 15:35:46 EST 2012\n### Installs Ægir 2.0.5 compatible with Ægir 1.9\n\n# Updated Octopus platforms:\n\n Commerce 1.12.1 -------------- http://drupalcommerce.org\n Commerce 2.0 ----------------- http://drupalcommerce.org\n Commons 2.11 ----------------- http://acquia.com/drupalcommons\n Drupal 7.18.1 ---------------- http://drupal.org/drupal-7.18\n Open Deals 1.14 -------------- http://opendealsapp.com\n Open Outreach 1.0-rc7 -------- http://openoutreach.org\n OpenChurch 1.11-beta7 -------- http://openchurchsite.com\n Panopoly 1.0-rc3 ------------- http://drupal.org/project/panopoly\n Pressflow 6.27.1 ------------- http://pressflow.org\n ProsePoint 0.45 -------------- http://prosepoint.org\n Ubercart 2.11.1 -------------- http://ubercart.org\n Ubercart 3.3.1 --------------- http://ubercart.org\n\n All other not listed above platforms are available with latest\n D6 or D7 core, even if there were no new distro version released.\n\n# New Ægir modules or extensions:\n\n * Add drush clean-modules command - clean_missing_modules extension.\n\n# New o_contrib modules:\n\n * Add reroute_email module in both D6 and D7 contrib.\n\n# Changes:\n\n * Git 1.8.0.2\n * MariaDB 5.3.11 on Debian Lenny\n * MariaDB 5.5.28a\n * Nginx 1.3.9\n * PHP 5.3.20\n * Redis 2.6.7\n * Delete old tmp files in all sites daily.\n * Disable Expire and Purge modules by default - they are no longer needed.\n * Redis integration module updated to 7.x-2.0-beta2\n * There is no need to restart Redis and Tomcat hourly.\n * Use higher innodb_lock_wait_timeout by default - 120 instead of 50.\n * Use 1h instead of 30min default timeout for sql and php-cli to avoid\n breaking some extra long running backend tasks on some really big sites.\n\n# Fixes:\n\n * Allow more drush commands over SSH.\n * Always force drupal_http_request_fails to FALSE to avoid false alarm.\n * Better check for standalone vhosts firewall setup.\n * Better lshell forbidden list of keywords.\n * Better regex to deny wildcards with top-level or country level domains.\n * Check for existence of host_master and not host_master/001 directory.\n * Compass is not available on older OS versions.\n * Delete ltd-shell extra user/client if there is no site associated/owned.\n * Delete old symlinks in the client directory for no longer associated sites.\n * Fix broken usage.sh script - it does not enable/disable modules.\n * Fix date formatting also in the sqlcheck script.\n * Fix for some really old installs without .barracuda.cnf file.\n * Fix permissions for Boost cache directory with correct chmod.\n * Fix the hint - it should say to restart mysql.\n * Issue #1081266 - Avoid re-scanning modules directory.\n * Issue #1263602 - Force New Relic re-install on every upgrade, if used.\n * Issue #1460882 - Send .json requests to @drupal instead of =404.\n * Issue #1837418 - Fix permissions inside ~/.drush directory.\n * Issue #1837776 - Do not disable httprl module.\n * Issue #1837910 - Upload progress broken for all D6 sites.\n * Issue #1839122 - Disabling Redis on known AJAX calls breaks UI elements.\n * Issue #1839544 - Use language neutral checks for users, groups and hosts.\n * Issue #1841230 - BOA provides Apache Solr 1.4 with Tomcat 6.\n * Issue #1841246 - Fix csf.fignore file to whitelist /tmp/drush_*\n * Issue #1842554 - Replace broken links to Skitch screenshots.\n * Issue #1847682 - Fix extra Nginx config support in the Master Instance.\n * Issue #1850034 - Disable SYSLOG_CHECK in csf to avoid false alarms.\n * Issue #1857250 - Domain Access support is broken in the backend cli.\n * Issue #1857990 - Include reroute_email module in o_contrib by default.\n * Issue #1860100 - Use provision-backup-delete instead of backup_delete.\n * Issue #1865112 - Add drush clean-modules command.\n * Issue #1867264 - Too many Redis caching exceptions cause serious confusion.\n * Issue #1871060 - CiviCRM l10n should be moved to proper directory.\n * Lshell: Map drush mup to up instead of upc. Add new drush mupc map for upc.\n * Max supported version of Search API Solr search is 7.x-1.0-rc2\n * More complete permissions fix on install and upgrade.\n * More strict check for _LENNY_TO_SQUEEZE option.\n * Nginx: Better regex in the Nginx monitor.\n * Nginx: Exclude also files/progress path in the Nginx monitor.\n * Nginx: Fix rewrite rules in the CDN Far Future expiration support.\n * Nginx: Make sure that any older packages are uninstalled on upgrade.\n * Nginx: Make sure that default Nginx vhosts are deleted also on upgrade.\n * Nginx: Skip all logged media and download requests in the Nginx monitor.\n * PHP: Use high enough value for max_input_vars in PHP 5.3 by default.\n * Really fix the datestamp comparison logic on various systems.\n * Rebuild registry without --no-cache-clear option to avoid issues.\n * Redis: Check if Redis binary exists, not symlink.\n * Redis: Delete redis-server symlink to avoid failed Redis install.\n * Redis: Do not use all three extra exceptions on the hostmaster site.\n * Redis: Do not use sleep breaks during Redis full restart.\n * Redis: The cache_menu bin should be still excluded from Redis caching.\n * Redis: The hostmaster site needs exception for cache_class_cache bin.\n * Stop and Start CSF only if installed.\n * The locked auto-healing script needs to kill tomcat more aggressively.\n * Update csf.conf template.\n * Upgrade to ctools-6.x-1.10 in the hostmaster platform.\n * Use aliases in drush commands where possible.\n * Use better name for non-web New Relic app tracking.\n * You must remove remote_import extension from the source server.\n\n\n### Stable Edition BOA-2.0.4\n### Date: Thu Nov 8 18:31:01 EST 2012\n### Installs Ægir 2.0.4 compatible with Ægir 1.9\n\n# New Octopus platforms:\n\n Commerce 2.0-rc4 ------------- http://drupalcommerce.org\n\n# Updated Octopus platforms:\n\n CiviCRM 4.1.6-d6 ------------- http://civicrm.org\n CiviCRM 4.2.6-d7 ------------- http://civicrm.org\n Commerce 1.11.1 -------------- http://drupalcommerce.org\n Commons 2.10 ----------------- http://acquia.com/drupalcommons\n Conference 1.0-rc2 ----------- http://usecod.com\n Drupal 7.17.1 ---------------- http://drupal.org/drupal-7.17\n Drupal 8.0-dev-tested -------- http://bit.ly/drupal-eight\n ELMS 1.0-beta1 --------------- http://elms.psu.edu\n NodeStream 1.5.1 ------------- http://nodestream.org\n NodeStream 2.0-beta8 --------- http://nodestream.org\n Open Atrium 1.6.1 ------------ http://openatrium.com\n Open Deals 1.11 -------------- http://opendealsapp.com\n Open Outreach 1.0-rc6 -------- http://openoutreach.org\n OpenChurch 1.11-beta5 -------- http://openchurchsite.com\n OpenPublish 3.0-beta7 -------- http://openpublishapp.com\n OpenScholar 2.0-rc1 ---------- http://openscholar.harvard.edu\n Panopoly 1.0-rc2 ------------- http://drupal.org/project/panopoly\n Ubercart 2.10.1 -------------- http://ubercart.org\n Ubercart 3.2.1 --------------- http://ubercart.org\n\n* We plan to shorten BOA system release and upgrades cycle\n to 1-2 months max, so we have decided to remove support for some\n outdated distros. We have tried to manage both security and version\n updates for some abandoned or semi-abandoned distros, to keep them\n useful for you, but since it involves increasing amount of work\n because of cascades of no longer compatible patches and various\n dependencies, we have decided that it is time to stop doing it,\n if their original maintainers no longer care about their users.\n\n Here is a list of distros we no longer support:\n\n MartPlug ------------ http://drupal.org/project/martplug\n Octopus Video ------- http://octopusvideo.org\n Open Academy -------- http://drupal.org/project/openacademy\n Open Enterprise ----- http://drupal.org/project/openenterprise\n OpenPublic ---------- http://openpublicapp.com\n Videola ------------- http://videola.tv\n\n The platforms listed above can be re-added when their maintainers\n will fix all critical issues and/or apply required updates.\n\n# New features:\n\n * Add auto-healing support for Bind9.\n * Add LOCK/FROZEN check for PHP-FPM and Tomcat in the auto-healing.\n * Add option to force 15min Speed Booster cache TTL for anonymous visitors.\n * Add optional easy install of already supported Compass Tools.\n * Add support for aegir|platforms|both modes on octopus upgrade.\n * Allow for another one upgrade daily but only to add more platforms.\n * Allow to install unsupported distros with option _ALLOW_UNSUPPORTED=YES\n * Allow to install vanilla Ægir 2.x and Drush 5.7 with \"stock\" option.\n * Improved databases backup with added OPTIMIZE TABLE foo action per table.\n * New Relic PHP Agent version 3.0 compatibility.\n * Pseudo-streaming server-side support for Flash Video (FLV) and H.264/AAC.\n * Support for Wysiwyg Fields module.\n\n# New Ægir modules or extensions:\n\n * Add hosting_tasks_extra module and provision_tasks_extra extension.\n\n# New o_contrib modules:\n\n * Add login_security module in D7 contrib.\n * Add cdn module in both D6 and D7 contrib.\n\n# Changes:\n\n * Allow outgoing mysql connections by default.\n * APC 3.1.13\n * Chive 1.2\n * Do not bundle seckit module in o_contrib.\n * Do not enable Expire and Purge modules by default.\n * Enable Syslog module by default.\n * Git 1.8.0\n * MariaDB 5.3.9 on Debian Lenny\n * MariaDB 5.5.28\n * Nginx 1.3.8\n * Percona 5.5.28\n * PHP 5.3.18\n * Pure-FTPd 1.0.36\n * Redis 2.6.4\n * Remove not supported httprl module and disable if enabled.\n * The filefield_nginx_progress is forced-enabled in all D7 sites, again.\n * Use PHP-FPM 5.3 for Chive, Collectd and other non-Drupal sites.\n * Use php-cli 5.3 for drush on command line by default.\n You can still force 5.2 with --php=/usr/local/bin/php drush option.\n\n# Fixes:\n\n * Add cache_tax_image bin to no-redis-cache exceptions.\n * Add support for pdnsd in the VServer guest.\n * Allow all standard compass/sass commands in limited shell.\n * Auto-discover _NEWRELIC_KEY if not listed in .barracuda.cnf\n * Better auto-healing for php-fpm zombies edge case.\n * Better check for failed login attempts (when user exists).\n * Better permissions magic repair running daily.\n * Deny crawlers on search results pages - they may cause very high load.\n * Disable spinner if screen is used.\n * Do not force default Debian and Ubuntu mirrors even if _AUTOPILOT=YES.\n * Do not quote password in .my.cnf - it breaks mytop.\n * Do not use log/custom_cron for anything.\n * Do not use resolveip in the localhost mode.\n * Exclude cache_bootstrap and cache_pulled_tweets from Redis caching.\n * Fix for broken drush make edge case caused by leftovers.\n * Fix for broken Tika download URL.\n * Fix for civicrm_engage in D6.\n * Fix for Debian Lenny upgrade.\n * Fix for global.inc logic related to high traffic sites only.\n * Fix for NGX, PHP and SQL forced reinstall mode.\n * Fix for Pin-Priority in Squeeze.\n * Fix for sql abuse monitor.\n * Fix for the selectively forced upgrade mode.\n * Fix motd for Skynet fun.\n * Fix too restrictive lshell command filtering.\n * Force Pure-FTPd rebuild on every upgrade to avoid broken binary.\n * Force tomcat restart and reload php-fpm hourly.\n * Improve Domain module support.\n * Improve mysql crashed tables detection and repair in auto-healing.\n * Improve Nginx Abuse Guard by stopping those never cached POST DoS attacks.\n * Improve Nginx guard support for VServer guests.\n * Improved checkpoint info in Octopus.\n * Issue #1225380 - Do not truncate sessions table during db daily backup.\n * Issue #1472786 - SQL check ERROR and too many SQL check CLEAN notices.\n * Issue #1528726 - Fix for Redis support in all shared directories/code.\n * Issue #1540242 - Do not install conflicting libavcodec53 or libavcodec52.\n * Issue #1588060 - Make sure that /var/run is present in open_basedir.\n * Issue #1589052 - Incomplete PATH breaks standard tasks.\n * Issue #1590120 - Fix for java path changed in recent Ubuntu releases.\n * Issue #1591746 - Update GeoIP.dat file automatically.\n * Issue #1592646 - Enabled old cache backend integration module causes WSOD.\n * Issue #1592650 - Do not use Hide platforms with non-default profiles.\n * Issue #1592680 - Upload progress module breaks uploads on all D7 sites.\n * Issue #1593794 - New redis-only caching backend settings.\n * Issue #1593810 - Duplicate php-cli 5.3 binaries after upgrade.\n * Issue #1593980 - Remove invisible characters breaking localhost install.\n * Issue #1597580 - External/Aggressive caching in D6 breaks path_alias_cache.\n * Issue #1598676 - Collectd graphs broken.\n * Issue #1600426 - Cron is run every minute on all sites not yet defined.\n * Issue #1602142 - Do not use device specific keys for Redis cache entries.\n * Issue #1606146 - The manage_ltd_users.sh script locks important tasks.\n * Issue #1614162 - CRON Not Running on Octopus Satellites and Sites.\n * Issue #1643616 - APC is missing in the Ubuntu Precise based install.\n * Issue #1659452 - Add support for Ægir HTTPS header in the Speed Booster.\n * Issue #1663262 - Fix FMG install on Ubuntu Precise.\n * Issue #1679114 - New user name check in Octopus is too restrictive.\n * Issue #1689656 - Avoid caching /civicrm* and known webform requests.\n * Issue #1716004 - The zlib.output_compression should be disabled in 5.3\n * Issue #1728616 - Better CDN Far Future expiration support.\n * Issue #1777982 - Do not break wordpress_migrate module support.\n * Issue #1778712 - Better workaround for MariaDB 5.5.27 critical bug.\n * Issue #1784440 - Cannot stat scan_nginx when using BOND.sh.txt\n * Issue #1796420 - Do not break write access to the tcpdf cache directory.\n * Issue #1798288 - Provision-backup_delete could not be found.\n * Issue #1799116 - Standardize on installation vs. install profile.\n * Issue #1821866 - Force Nginx rebuild to include pseudo-streaming support.\n * Issue #1824888 - BOND.sh.txt breaks Nginx, SQL and PHP configuration.\n * Issue #1825298 - Redis: force rebuild from sources on version mismatch.\n * Issue #1825420 - Avoid the Use of undefined constant OctopusNoCacheID.\n * Issue #1825630 - Remove duplicate code causing false alarm.\n * Issue #1825992 - Redis cache is never cleared via php-cli.\n * Issue #1825998 - Improved auto-healing for Redis.\n * Issue #1835796 - Default cache headers break CloudFlare Always Online.\n * Make sure that path_alias_cache module takes precedence.\n * Make sure that PHP 5.2 is re-installed if required.\n * Monitor and kill too long running sites cron tasks.\n * Move away buagent init script if exists when Barracuda runs.\n * Nginx: Allow to include high level local configuration override.\n * Nginx: Better regex for exceptions in the abuse guard monitor.\n * Nginx: Block stupid spiders/downloaders with 403 error, not CSF.\n * Nginx: Deny known bots on some heavy URLs.\n * Nginx: FileField Nginx Progress 7.x-2.3 compatibility.\n * Nginx: Fix for broken images paths in civicrm.\n * Nginx: Fix for D6 upload progress support.\n * Nginx: Make the abuse monitor aware of possible lang code prefixes.\n * Nginx: Monitor and block if required also via-multi-proxy attacks.\n * Nginx: Remove packages on every upgrade to avoid duplicate re-installs.\n * Nginx: Remove redundant URL filtering.\n * Nginx: Send 403 for vbulletin URI to avoid Drupal heavy 404.\n * Nginx: Support for /contrib/ for wysiwyg helpers exceptions location.\n * Nginx: Use latest nginx-upload-progress-module v0.9.0\n * Nginx: Use ngx_cache_purge-1.6\n * PHP: Allow short_open_tag also in 5.3\n * PHP: Disable the original php5-fpm init script causing segfaults.\n * PHP: Fix for _FROM_SOURCES PHP-FPM 5.3 build.\n * PHP: Fix for the php53-fpm init script.\n * PHP: Force proper php53-fpm restart if required.\n * PHP: Install JSMin extension by default.\n * PHP: Install php-pear by default also in no-src based default install.\n * PHP: Load extensions in a safe, correct order.\n * PHP: Log killed php-fpm events.\n * PHP: Make sure that all builds use correct, fresh downloads.\n * PHP: Make sure that php53-fpm is disabled during apt-get based upgrade.\n * PHP: Make sure that suhosin.so is removed and jsmin.so added.\n * PHP: Remove duplicate and conflicting allow_call_time_pass_reference.\n * PHP: Remove php5-sasl extension causing segfaults.\n * PHP: Remove php5-suhosin from the stack - too many weird issues.\n * PHP: The realpath_cache_ttl should be as low for CLI as possible.\n * PHP: Use 2x higher limits in the tune_web_server_config logic.\n * Purge Redis cache hourly.\n * Randomize runner intervals.\n * Remove all control files on init to avoid aborted Octopus upgrades.\n * Remove any extra search directive from resolv.conf when pdnsd is installed.\n * Remove Dotdeb libmysqld-dev conflicting with Percona libmysqlclient-dev.\n * Remove not really working properly Boost separate mobile bins.\n * Remove not supported MTA only on initial install.\n * Remove old cache module from all old profiles.\n * Segfault monitor should not disable sites by default.\n * Serve .less files as static by default, no log.\n * Set hosting_advanced_cron_default_interval to 3 hours.\n * SQL: Use skip-name-resolve by default.\n * Support both HTTP_X_FORWARDED_PROTO and HTTPS.\n * The dev. should not disable Redis cache.\n * The missing /usr/bin/lshell entry may affect also Lucid.\n * There is no need to force Debian mirror.\n * Tune AdvAgg config - disable async mode and use JSMin by default.\n * Use autoselect for civicrm downloads.\n * Use DrupalDatabaseCache for some Redis bins to avoid confirmed issues.\n * Use higher default timeouts for php-cli and wait_timeout in mysql.\n * Use SERVER_NAME instead of HTTP_HOST header in the Redis cache key.\n * Use version specific directory for static downloads.\n * Yet another umask trick for shell and SFTP.\n\n\n### Stable Edition BOA-2.0.3\n### Date: Thu May 17 18:17:40 EST 2012\n### Installs Ægir 2.0.3 compatible with Ægir 1.9\n\n# There are major improvements and new features added in this BOA Edition.\n\n Here is the description of those most important/expected, while complete\n list of all changes, new features and fixes is available further below.\n\n * Caching backend has been simplified. We no longer use chained cache\n system with Memcached+Redis+database. New system uses only Redis cache\n and the same configuration for all Drupal 6 and Drupal 7 platforms.\n This new system doesn't require any extra module to be enabled in any site.\n Complete integration is already enabled by default for every platform/site\n installed by default and for every custom platform as before - the next\n day after first site on the custom platform has been created.\n You can disable this caching layer using the same modules/cache/NO.txt\n control file as before. While there is just one cache engine (Redis) used,\n there is also an automatic, instant failover to standard database caching,\n just in case Redis is not available for some reason. You can also disable\n Redis cache on the fly for debugging by adding ?noredis=1 to any URL.\n\n * We have added support for Drupal 8.x while still using modified\n Drush 4.6-dev version, so we can still support Drupal 5 on the same\n system, but on another Octopus instance.\n\n * You can choose different PHP version for PHP-FPM (web access)\n and PHP-CLI, for even greater control over compatibility with\n various Drupal major versions.\n\n * You can choose both PHP-FPM and PHP-CLI versions per Octopus instance,\n on the same system. And you can change those versions on upgrade.\n\n * Installing and upgrading BOA system has been greatly simplified.\n You can still configure and run both installers as before,\n but you can also use these new, shockingly simple command line tools\n to install Barracuda and Octopus at once, to install more Octopus\n instances, to run selective or batch upgrades of all Octopus instances etc.\n See docs/INSTALL.txt and docs/UPGRADE.txt for details.\n\n * We have added an 'easy install' configuration shortcuts for both\n standard (public) and localhost installs. You no longer need\n to read, understand and configure all options, unless you prefer\n to choose some non-default configuration options.\n\n * Default installs on Debian Squeeze and Ubuntu Precise use\n packages for PHP 5.3, so initial setup takes just 10-15 minutes.\n\n * You can easily grant limited shell and FTPS access for developers,\n simply by creating \"Clients\" in the Ægir control panel and define\n them as 'owners' of one or more sites. Their access will be limited\n to only sites they can manage, but only if you will send them their\n access credentials, which are independent of their Ægir control\n panel credentials and stored in the ~/users/ directory in your main account.\n You will find there files with passwords for every \"Client\" with at least\n one site attached. For example ~/users/o1.username file means that\n this Client's username for SSH and FTPS access is 'o1.username' while\n his password is stored in this file. This means that SSH/FTPS access\n is not granted automatically, but you can decide who should receive it.\n How to change any extra user's password? Simply delete his ~/users/o1.username\n file and wait up to 5 minutes - the system will re-create his account\n with new password. And how to delete the user completely? Simply\n delete this user \"Client\" account in the Ægir control panel and allow\n the system to delete also his SSH/FTPS access in the next 5 minutes.\n\n * We have added segfault monitor for php-fpm and nginx, enabled by default.\n It is pretty aggressive, because it disables vhost of any site causing\n segfault errors and sends email alert to the Octopus instance owner\n and server owner email addresses. Simple site re-verify in Ægir enables\n the site again - but until the next segfault only, so read the info\n included in the email alert message, if this will happen. If you prefer\n to not run this monitor: `rm -f /var/xdrago/monitor/check/segfault_alert`\n\n * Previously recommended site and platforms re-verify on Clone or Migrate\n is now fully automated. Ægir will run these extra tasks as a part\n of Clone or Migrate task, to make sure that there are no errors\n and that Ægir is using up-to-date information collected about\n platforms and sites. It also automatically fixes the known problem\n with domain aliases incorrectly written in the original and cloned sites,\n as reported in the Ægir queue: http://drupal.org/node/1004526\n\n * Apps are now fully supported. If the App is not downloaded yet, installing\n it via browser only requires write permissions, normally never available\n for the web server user, so you need to create an empty control file, either\n in sites/all/modules/apps-allow.info or sites/domain/modules/apps-allow.info\n and then run 'Reset password' task. It will open write access where required\n until the next site 'Verify' task will run . After installing the App,\n remember to re-Verify the site to restore default, safe permissions.\n\n * Custom local.settings.php file support uses similar logic with control file\n sites/domain/modules/local-allow.info and also 'Reset password' task.\n After running this task the local.settings.php file will be group writable,\n so you will be able to edit it also when logged in as limited shell user.\n Remember to run site Verify when done, to restore standard, safe permissions.\n Note that this file is created automatically, but is not open for write\n access by default.\n\n# Notes on new and updated platforms and new Drupal core:\n\n All 6.x and 7.x platforms have been updated with latest core,\n so they are all in fact new in this BOA Edition, but we list here\n only really new platforms or those with new version released\n since last BOA Edition, with one exception: we list also basic\n 6.26.2 and 7.14.2 platforms as new.\n\n NOTE: before you will try to upgrade any of your sites,\n please read our important how-to:\n\n http://omega8.cc/the-best-recipes-for-disaster-139\n http://omega8.cc/are-there-any-specific-good-habits-to-learn-116\n http://omega8.cc/managing-your-code-in-the-aegir-style-110\n\n REALLY, PLEASE READ IT TO AVOID SOME HEAVY HEADACHES!\n\n# New Octopus platforms:\n\n CiviCRM 4.1.2-d6 ------------- http://civicrm.org\n CiviCRM 4.1.2-d7 ------------- http://civicrm.org\n Drupal 7.14.2 ---------------- http://drupal.org/drupal-7.14\n Drupal 8.0-dev --------------- http://bit.ly/drupal-eight\n MartPlug 1.0-beta1b ---------- http://drupal.org/project/martplug\n Octopus Video 1.0-alpha6 ----- http://octopusvideo.org\n Panopoly 1.0-beta3 ----------- http://drupal.org/project/panopoly\n Pressflow 6.26.2 ------------- http://pressflow.org\n\n# Updated Octopus platforms:\n\n Acquia 6.26.2 ---------------- http://bit.ly/acquiadrupal\n CiviCRM 3.4.8-d6 ------------- http://civicrm.org\n CiviCRM 4.0.8-d7 ------------- http://civicrm.org\n Commerce 1.7.1 --------------- http://drupalcommerce.org\n Commons 2.6 ------------------ http://acquia.com/drupalcommons\n Feature Server 1.1 ----------- http://bit.ly/fserver\n Managing News 1.2.2 ---------- http://managingnews.com\n NodeStream 1.5 --------------- http://nodestream.org\n NodeStream 2.0-beta1 --------- http://nodestream.org\n Open Atrium 1.4.1 ------------ http://openatrium.com\n Open Deals 1.0-beta7e -------- http://opendealsapp.com\n Open Outreach 1.0-rc1 -------- http://openoutreach.org\n OpenChurch 1.10-alpha1 ------- http://openchurchsite.com\n OpenPublish 3.0-alpha8 ------- http://openpublishapp.com\n Ubercart 2.9.1 --------------- http://ubercart.org\n Ubercart 3.1.1 --------------- http://ubercart.org\n Videola 1.0-alpha3 ----------- http://videola.tv\n\n# New features:\n\n * Add Adaptive Image Styles support.\n * Add Compass compatibility in the limited shell (Compass is not installed by default).\n * Add ssh-copy-id and ssh-add commands as allowed over SSH.\n * Add X-Speed-Cache-Key header for Speed Booster debugging.\n * All Clone/Migrate forms in the Ægir control panel have useful inline help added.\n * Allow to easily re-start BOA failed install, just by running boa installer again.\n * Allow to install PHP 5.3 only with option _PHP_MODERN_ONLY=YES (default).\n * Deny HTTPS access on Nginx level for all known bots and crawlers.\n * Do not force HTTPS for Ægir if /data/conf/no-https-aegir.inc control file exists.\n * Fix system time hourly via auto-healing.\n * Install wkhtmltopdf by default - available at /usr/bin/wkhtmltopdf\n * Issue #1263602 - New Relic Server and Apps Monitor with per Site/Instance reporting.\n * Issue #1392498 - Use .barracuda.cnf to define YES/NO for some config overrides.\n * Issue #1428078 - Compatibility with resp_img module.\n * Issue #1436522 - Add option to set _PHP_CLI_VERSION.\n * Issue #1438906 - Add Imagick to PHP by default.\n * Issue #1463494 - Add support for radioactivity module.\n * Issue #1542712 - Automated wildcard DNS for easy localhost mode.\n * Lock temporarily almost all known crawlers on high load with error 503.\n * Make _NGINX_DOS_LIMIT configurable and allow higher load by default.\n * Make both 1 and 5 minute max allowed load configurable in the auto-healing.\n * Support for automatically managed extra SSH/FTPS accounts per Ægir Client.\n * The _LOAD_LIMIT used in the auto-healing system is now configurable.\n * The _SPEED_VALID_MAX used as a Speed Booster cache TTL is now configurable.\n * Ubuntu Precise 12.04 is fully supported.\n * Use nice default /root/.bashrc config.\n\n# New Ægir modules or extensions:\n\n * Add hosting_advanced_cron module - enabled by default.\n * Add hosting_civicrm_cron module - enabled by default.\n * Add hosting_task_gc module - enabled by default.\n * Add provision_cdn module and extension, by default not enabled.\n * Add remote_import and hosting_remote_import - not enabled by default.\n * Add revision_deletion module - automatically configured and enabled by default.\n * Registry Rebuild Drush extension - installed by default.\n\n# New o_contrib modules:\n\n * entitycache-7.x-1.x-dev\n * nocurrent_pass-7.x-1.0\n * speedy-7.x-1.0\n\n# Changes:\n\n * Acquia 7.x platform has been merged with Ubercart 3.\n * Always disable css_gzip, javascript_aggregator and performance modules.\n * Automate database server secure setup on initial install.\n * Disable /etc/cron.daily/mlocate by default.\n * Do not disable update module - it may break some features depending on it.\n * Do not enable filefield_nginx_progress module by default.\n * Do not remove Testing profile and use better naming convention for D7/D8.\n * Do not search for mirrors by default.\n * Drupal 8 compatible Drush 4.6-dev\n * GitHub availability is required also when another mirror is used by default.\n * Installing Git from sources is now optional.\n * Limited shell 0.9.15.1-sec-noreload\n * Lower default APC and Redis memory in VZ to 64MB to avoid/limit known VZ issues.\n * MariaDB and Percona 5.5\n * Modify Ubercart platform to include some contrib modules in the D6 version.\n * Nginx 1.3.0\n * Open Enterprise 1.0-beta3 is deprecated and not supported.\n * Plain FTP access disabled with FTPS-only mode available.\n * Pure-FTPd server install is now optional, but still default.\n * Send all known bots to $args free URLs.\n * Use _HTTP_WILDCARD=YES by default to match Ægir standard setup.\n\n# Fixes:\n\n * Abort all parent installers as soon as any sub-installer fails with fatal error.\n * Add $http_x_forwarded_proto to the cache key to never mix HTTP and HTTPS entries.\n * Add a list/chart in the readme for an easy overview of all included modules.\n * Add volatile updates to /etc/apt/sources.list for Squeeze.\n * All connection tests should be run after netcat is installed if not yet available.\n * Allow more than one IP to connect to the same FTPS account at the same time.\n * Allow some known php files also in profiles - a fix for Nginx config regression.\n * Always update nginx_speed_purge.conf file on upgrade.\n * Archive install and upgrade logs in /var/backups/\n * Avoid double dots in $cookie_domain.\n * Better detection of real visitor IP in the scan_nginx abuse guard.\n * Cache 403 response for 5s by default.\n * Count only valid requests in the scan_nginx abuse guard.\n * Disable caching in admin_menu module by default.\n * Disabled allow_url_fopen breaks drush dl.\n * Do not allow bots to create cache entries with long expire time.\n * Do not prompt for D6 or D7 vanilla platforms install if not defined in the config.\n * Explain in the email templates that plain FTP is no longer available.\n * Fix cart block issue in Ubercart.\n * Fix for Debian Lenny support - packages have been moved to archives.\n * Fix for slow networks/DNS in pdnsd cache default config.\n * Fix for VServer on _LENNY_TO_SQUEEZE upgrade.\n * Fix tune_memory_limits logic to really tune the config on low mem systems.\n * Follow some symlinks when running chmod/ownership repair daily.\n * Force global upgrade for Expire and Purge modules.\n * Force safe default settings for expire module.\n * Improved Lenny to Squeeze major upgrade support.\n * Increase allowed limit_conn for local purge requests.\n * Issue #1216420 - Incorrect lshell path in /etc/passwd breaks FTPS on Squeeze.\n * Issue #1317264 #1543118 - Uninstall Sendmail if exists to avoid breaking Postfix.\n * Issue #1377492 - Improve Install / Upgrade mode detection and move away any zombies.\n * Issue #1398050 - Use our mirror for all downloads on install and upgrade.\n * Issue #1436522 - Add missing php.ini for PHP-CLI 5.3\n * Issue #1440796 - Ægir support broken due to duplicate db update in Commons/OG.\n * Issue #1441366 - The _USE_SPEED_BOOSTER switch is deprecated.\n * Issue #1443284 - Early start of CSF may lockout the ssh user and break the install.\n * Issue #1445460 - Broken Git install on Ubuntu Lucid.\n * Issue #1451262 - Do not lock the access to phpinfo.\n * Issue #1472460 #1524738 - Nginx denies request methods: PUT, DELETE and OPTIONS.\n * Issue #1475416 - Unable to install Barracuda due to Ægir failed install.\n * Issue #1478984 - Add Access-Control-Allow-Origin header with wildcard where required.\n * Issue #1479188 - Octopus does not respect _DNS_SETUP_TEST setting on upgrade.\n * Issue #1505370 - Conflict between Mime Type and Document Type in Nginx.\n * Issue #1515762 - Nginx microcaching should skip all known AJAX requests.\n * Issue #1526382 - The _PHP_CLI_VERSION set in cnf file is not respected.\n * Issue #1527852 - Random WSOD on D7 sites with Redis enabled for anonymous visitors.\n * Issue #1528692 - Both cache_backport and redis modules are never added on upgrade.\n * Issue #1528726 - Redis caching backend should be unified across all instances.\n * Issue #1528996 - Nginx microcaching should use TTL 1s only for upstream errors.\n * Issue #1534306 - Duplicate directives break Dotdeb Nginx version.\n * Issue #1539512 - Keep custom Redis configuration during upgrade.\n * Issue #1540112 - HEAD install fails on Debian Squeeze 32bit.\n * Issue #1540242 - Add useful codecs to ffmpeg if enabled.\n * Issue #1541334 - Add kvm to supported virtualization systems.\n * Issue #1544144 - Use $server_name instead of $host in all sites/ paths.\n * Issue #1547878 - Port 11371 should be open for outgoing connections.\n * Issue #1553150 - Both php.ini and my.cnf config files get overridden upon upgrade.\n * Issue #1553166 - Disable incompatible mysql config options.\n * Issue #1554972 - PHP cli downgraded to 5.2 on upgrade with _PHP_MODERN_ONLY=YES\n * Issue #1556192 - Upgrade Entity API to head to fix issue with Drupal 7.14\n * Issue #1585348 - Disable openchurch_video_demo_content to avoid fatal error.\n * Kill nash-hotplug if running.\n * Lower some my.cnf defaults to better support low mem systems.\n * Make default myisam_sort_buffer_size big enough to run repair if required.\n * Make sure that /dev/null has correct permissions.\n * Pass some expected headers when using local proxy.\n * Remind people that they should use their own email address or exit early.\n * Remove deprecated Nginx config includes and use symlinks for backward compatibility.\n * Sanitize important variables early.\n * Save 330 seconds with 3x faster spinner.\n * Set hosting_queue_cron_frequency to 8888 weeks by default to really use schedule\n defined via hosting_advanced_cron module and never override it.\n * Share and symlink civicrm code.\n * Skip _AEGIR_LOGIN_URL in the debug mode - it is empty then.\n * Update mime.types for Nginx.\n * Use _FULL_FORCE_REINSTALL when recovering from broken/partial install automatically.\n * Use faster locations matching where possible in the Nginx config.\n * Use higher values for limit_conn in Nginx to avoid issues when required.\n * Use loglevel warning in Redis config.\n * Use safe placeholders to avoid issues on low-mem machines.\n\n\n### Stable Edition BOA-2.0.2\n### Date: Thu Feb 9 14:00:00 EST 2012\n### Installs Ægir 2.0.2\n\n# Note on new and updated platforms and new Drupal core:\n\n All 6.x and 7.x platforms have been updated with latest core,\n so they are all in fact new in this BOA Edition, but we list here\n only really new platforms or those with new version released\n since last BOA Edition, with one exception: we list also basic\n 6.24.1 and 7.12 platforms as new.\n\n Please note that instead of waiting for 6.25, we already\n included patches required to fix major issues with 6.24:\n\n http://drupal.org/node/1425868\n http://drupal.org/node/1425260\n\n Our Pressflow 6.24.1 +Extra version includes not only listed\n above patches, but also a few extra, performance related\n patches discussed here:\n\n http://groups.drupal.org/node/187209\n\n Note also that we renamed too basic Acquia 7.x platform to\n Ubercart 3.x platform. It is based on the same acquia install\n profile, but includes all contrib modules required for any\n basic Ubercart 3.x site.\n\n NOTE: before you will try to upgrade any of your sites,\n please read our important how-to:\n\n http://omega8.cc/the-best-recipes-for-disaster-139\n http://omega8.cc/are-there-any-specific-good-habits-to-learn-116\n http://omega8.cc/managing-your-code-in-the-aegir-style-110\n\n REALLY, PLEASE READ IT TO AVOID SOME HEAVY HEADACHES!\n\n# New Octopus platforms:\n\n Drupal 7.12 ------------------ http://drupal.org/drupal-7.12\n NodeStream 2.0-alpha6 -------- http://nodestream.org\n OpenPublish 3-alpha3 --------- http://openpublishapp.com\n Pressflow 6.24.1 ------------- http://pressflow.org\n Ubercart 3.0.1 --------------- http://ubercart.org\n\n# Updated Octopus platforms:\n\n Acquia Commons 2.4 ----------- http://acquia.com/drupalcommons\n Commerce Kickstart 1.3 ------- http://drupalcommerce.org\n ELMS 1.0-alpha6 -------------- http://elms.psu.edu\n Open Atrium 1.2.1 ------------ http://openatrium.com\n Open Deals 1.0-beta7 --------- http://opendealsapp.com\n Open Outreach 1.0-beta7a ----- http://openoutreach.org\n ProsePoint 0.43 -------------- http://prosepoint.org\n Videola 1.0-alpha2 ----------- http://videola.tv\n\n# New features:\n\n * Barracuda now supports Debian Lenny to Squeeze major upgrade.\n Of course you should create full backup image before running\n this major system upgrade, just in case, but all the rest\n is fully automated - it is enough to set advanced configuration\n option in Barracuda to _LENNY_TO_SQUEEZE=YES and run Barracuda\n as usual. It will upgrade your system to Squeeze and re-build\n everything, with almost no downtime during the upgrade.\n You will still need to reboot the server when it will complete\n all upgrades.\n\n Important: Debian Lenny reached EOL on February 6, 2012.\n Details: http://lists.debian.org/debian-announce/2012/msg00001.html\n\n * All new 7.x sites now run on latest PHP-FPM 5.3.10 by default.\n For existing sites it is enough to re-verify them in your\n Ægir control panel to get them on PHP-FPM 5.3.10 automatically.\n\n All existing and new 5.x sites run on the old PHP-FPM 5.2.17\n version by default and you can't change that.\n\n You can still choose between PHP-FPM 5.2.17 and 5.3.10 for\n all your 6.x sites - just let us know via http://omega8.cc/support\n that you wish to switch to 5.3.10 - but make sure first that all\n your 6.x sites are fully PHP 5.3 compatible. By default all\n 6.x sites still run on PHP-FPM 5.2.17.\n\n Of course you could choose 5.3.10 for 6.x sites on one Octopus\n instance and 5.2.17 on another - on the same server. Just one more\n reason to use Octopus built-in intelligence :)\n\n All of this works the same both for Ægir Master Instance\n and all Ægir Satellite Instances.\n\n * Both Speed Booster, Boost and Redis/Memcached supports separate\n caches per mobile device, so it is safe to use separate themes\n or content for mobile devices. We use simple logic to determine\n the kind of device and there are separate cache bins for\n mobile-tablet, mobile-smart and mobile-other.\n You can review it here: http://bit.ly/wYz6PG\n\n * Purge module is now enabled by default in all 6.x and also 7.x\n sites. Now Speed Booster works like a Boost - it expires\n immediately the cache for any node/page as soon as it has been\n edited or comment added. It also automatically expires the cache\n for the homepage and RSS feed at once. You no longer need to wait\n up to one hour for Speed Booster cache expiration. Plus, unlike\n in Boost, it purges all separate caches for all mobile devices\n along with non-mobile cache, at once. Now you have a good reason\n to disable Boost and use our crazy fast Speed Booster only.\n\n * You can use GeoIP data provided by your Nginx server\n in your custom code or modules with variables:\n $_SERVER['GEOIP_COUNTRY_CODE'] and $_SERVER['GEOIP_COUNTRY_NAME']\n to display content or block depending on the visitor's country.\n You can check/review it from your location also on command line\n with: 'curl -I http://your-domain' - you will see GeoIP headers.\n\n * You can safely manage Clients/Users attached to hosted sites\n in your Ægir interface. Make sure that all sites have its\n associated Client! Otherwise the site will be listed as available\n for all Clients/Users you have added. The site can lost its\n association with Client after Clone task if there is any\n non-alphanumeric value in the Client name, like &.\n\n * CloudFlare specific header 'CF-Connecting-IP' is now supported\n out of the box and available as standard $_SERVER['REMOTE_ADDR']\n in all 5.x, 6.x and 7.x platforms without any contrib module.\n\n * You can disable both Boost and Speed Booster on the fly\n by adding ?nocache=1 to any URL. Useful for debugging.\n\n * Speed Booster offers now also ESI microcaching, as explained\n in this article: http://groups.drupal.org/node/197478.\n This may enhance not only anonymous visitors, but also\n logged in users experience, since it allows you to separate\n microcache for ESI/SSI includes (valid for just 15 seconds)\n from both default Speed Booster cache for anonymous visitors\n (valid by default for 3 hours, unless purged on demand via\n recently introduced Purge/Expire modules) and also from\n Speed Booster cache per logged in user (valid for 60 seconds).\n The ESI module is included in all 6.x platforms but is not\n enabled and not configured automatically, so please consult\n its documentation for details on how to use it properly.\n\n Now you have three different levels of Speed Booster cache\n to leverage and deliver the 'live content' experience for\n all visitors, and still protect your server from DoS or\n simply high load caused by unexpected high traffic etc.\n\n * Automatic configuration of options required when Barracuda\n detects _VMFAMILY=AWS (Amazon EC2).\n\n * Both _NGINX_WORKERS and _PHP_FPM_WORKERS are now configurable.\n\n * You can avoid overwriting /etc/mysql/my.cnf with empty\n control file: $ touch /etc/mysql/custom.my.cnf\n\n * You can avoid overwriting /opt/php52/etc/php52.ini on upgrade\n with empty control file: $ touch /opt/etc/custom.php.ini\n\n * You can avoid overwriting /opt/php52/lib/php.ini on upgrade\n with empty control file: $ touch /opt/etc/custom.php.ini\n\n * You can avoid overwriting /opt/php53/etc/php53.ini on upgrade\n with empty control file: $ touch /opt/etc/custom.php53.ini\n\n * You can avoid overwriting /var/spool/cron/crontabs/root on upgrade\n by adding your extra/custom entries in the extra file:\n $ nano /var/xdrago/cron/custom.txt\n\n * You can avoid overwriting your CSF configuration on upgrade\n with empty control file: $ touch /var/log/custom.csf.log\n\n# New o_contrib modules:\n\n * taxonomy_edge-6.x-1.3 (with core patch)\n * taxonomy_edge-7.x-1.1 (with core patch)\n * purge-6.x-1.x\n * purge-7.x-1.x\n * expire-6.x-1.x\n * expire-7.x-1.x\n\n# Changes:\n\n * Nginx upgrade to 1.0.12\n * Lshell upgrade to 0.9.15-beta1\n * Percona upgrade to 5.5.19\n * Chive upgrade to 1.0.2\n * Git upgrade to 1.7.9\n * Suhosin upgrade to 0.9.33\n * Textile upgrade to 2.3\n * Mytop is now installed by default.\n * Drush based method for sites cron is more reliable and now set by default.\n * More compact naming for platforms in Octopus.\n * Speed Booster cache per logged in user now valid for only 60 seconds.\n * Speed Booster anonymous cache now valid for 3 hours, unless purged.\n * Extra $_COOKIE[OctopusCacheID] has been removed.\n * We use $cache_uid from parent map (Nginx) in fastcgi_cache_key.\n * Forced external caching only for Pressflow 6 core.\n * Octopus installs by default: D7P D7S D7D D6P D6S D6D OAM.\n * We no longer need to force Percona on Oneiric. MariaDB also works.\n * We no longer need to force MariaDB on Lenny and MariaDB Natty on Oneiric.\n * We no longer need to use Percona for Maverick on Natty and Oneiric.\n * We use _THIS_DB_HOST=localhost by default.\n * Secure/restricted access to manage users/clients is open by default\n in every Ægir Satellite Instance also for the extra non-uid=1 admin.\n * Users in every Ægir Satellite Instance are protected with userprotect\n and protect_critical_users modules.\n * Some default SQL limits have been increased.\n * The insecure D7 plugin manager is now forced as disabled by default.\n * The hosting_platform_pathauto module is now enabled in Ægir by default.\n * The provision_boost module is now added and enabled in Ægir by default.\n\n# Fixes:\n\n * Simplified Nginx config with 'modern', 'octopus' and 'legacy' templates.\n * Removed duplicate code and fixed caching logic for D5, D6 and D7.\n * Fixed logic for ESI microcache and Boost cache.\n * Removed imageinfo_cache module. It breaks platforms with imagecache module.\n * Disable deslash in globalredirect to avoid redirect loop.\n * Load IonCube also in php-cli.\n * Use core version in paths for all platforms.\n * Make sure that 301 redirects are only microcached - 5 seconds by default.\n * Do not run duplicate PHP-FPM rebuild on upgrade when there is\n no new DB server version installed/available.\n * Set boost_ignore_htaccess_warning to 1 by default.\n * Use provision_civicrm 6.x-1.x branch instead of outdated master.\n * Fix for broken regex on lshell.conf update per user.\n * All broken symlinks in the clients directory now deleted daily.\n * All broken symlinks in the lshell user home directory now deleted daily.\n * Avoid breaking Ægir upgrade because of high load.\n * Set correct loglevel for Redis to avoid useless I/O noise.\n * Add curl as allowed command to lshell default config.\n * Use faster download instead of git for Pressflow core.\n * Issue #1432668 - Octopus username should never start with a digit.\n * Issue #1408972 - Make nginx rewrites compatible with audio module.\n * Issue #1428990 - Load memcache in php-cli.\n * Issue #1408200 - AgrCache breaks aggregation and should be removed.\n * Issue #1420758 - Make sure that Nginx config includes are really used\n on initial Barracuda install.\n * Issue #1418608 - Add --with-xmlrpc in the PHP-FPM build by default.\n * Issue #1396204 - Add GeoIP support in Nginx by default\n * Issue #1394152 - Build PHP-FPM with --enable-calendar by default.\n * Issue #1392498 - Do not overwrite CSF configuration on Barracuda upgrade.\n\n# Recommendations:\n\n * Use _FORCE_GIT_MIRROR=github because it is 10x faster than others.\n\n\n### Stable Edition BOA-2.0.1\n### Date: Wed Dec 28 07:00:00 EST 2011\n### Installs Ægir 2.0.1\n\n# New Octopus platforms:\n\n ELMS 1.0-alpha5 -------------- http://elms.psu.edu\n Open Deals 1.0-alpha4 -------- http://opendealsapp.com\n Open Outreach 1.0-beta6 ------ http://openoutreach.org\n\n# Updated Octopus platforms:\n\n Acquia 7.10.10 --------------- http://bit.ly/acquiadrupal\n Acquia Commons 2.3 ----------- http://acquia.com/drupalcommons\n CiviCRM 3.4.8 ---------------- http://civicrm.org\n CiviCRM 4.0.8 ---------------- http://civicrm.org\n Commerce Kickstart 1.0-rc7 --- http://drupalcommerce.org\n Drupal 7.10 ------------------ http://drupal.org/drupal-7.0\n Managing News 1.2.1 ---------- http://managingnews.com\n NodeStream 1.1 --------------- http://nodestream.org\n Open Atrium 1.1.1 ------------ http://openatrium.com\n OpenChurch 1.22-a ------------ http://openchurchsite.com\n OpenScholar 2.0-beta13 ------- http://openscholar.harvard.edu\n ProsePoint 0.41 -------------- http://prosepoint.org\n\n# New features:\n\n * Speed Booster Purge Server for all Drupal 6.x based platforms\n with automatically configured support for all devices caching.\n * Enhanced Pressflow core for all bundled 6.22 based platforms,\n applied automatically also to already installed platforms:\n https://github.com/omega8cc/pressflow6\n * Added access to the \"clients\" directory with shortcuts/symlinks\n to all hosted sites per Ægir \"client\".\n\n# New o_contrib modules:\n\n * ESI for Nginx SSI - http://drupal.org/sandbox/mikeytown2/1328648\n * Purge for Speed Booster - http://drupal.org/project/purge\n * Expire for Speed Booster - http://drupal.org/project/expire\n\n# Changes:\n\n * Nginx upgrade to 1.0.11\n * MariaDB upgrade to 5.2.10\n * Percona upgrade to 5.5.18\n * Chive upgrade to 1.0.1\n * Pure-FTPd upgrade to 1.0.35\n * The syslog module is no longer enabled by default and added\n to the list of automatically disabled modules.\n\n# Fixes:\n\n * Mobile devices detection and caching improved.\n * Many fixes and enhancements for Speed Booster caching logic.\n * Many fixes and enhancements for Boost caching logic.\n * More reliable Nginx auto-healing.\n * Broken symlinks in the \"clients\" directory are now purged daily.\n * The preg_match for dev should check for dev. and devel. only.\n * Issue #1366564 - Use instance specific .octopus.cnf files.\n * Issue #1262988 - Use reliable test for upload progress availability.\n * Issue #1350028 - Make sure that all BOA pid files are removed on reboot.\n * Issue #1348906 - BOND script outdated _INSTALLER_VERSION variable fixed.\n * Issue #1321428 - Make sure that _SSH_PORT is written in /etc/ssh/sshd_config.\n\n\n### Stable Edition BOA-1.4S\n### Date: Mon, 24 October 2011 14:00:00 +0200\n### Installs Ægir stable 1.4S\n\n# Updated Octopus platforms:\n\n Acquia 7.8.7 ----------------- http://bit.ly/acquiadrupal\n Acquia Commons 2.2 ----------- http://acquia.com/drupalcommons\n CiviCRM 3.4.7 ---------------- http://civicrm.org\n CiviCRM 4.0.7 ---------------- http://civicrm.org\n Commerce Kickstart 1.0-rc4 --- http://drupalcommerce.org\n OpenPublic 1.0-beta3 --------- http://openpublicapp.com\n Ubercart 6.x-2.7 ------------- http://ubercart.org\n\n# New features:\n\n * Mobile devices detection for mobile-tablet, mobile-smart and mobile-other.\n * Mobile devices detection integrated with Redis/Memcached caches.\n * Mobile devices detection integrated with Boost cache.\n * Mobile devices detection integrated with Speed Booster cache.\n * Responsive Images 7.x module support.\n * New .barracuda.cnf and .octopus.cnf files for better configuration management.\n * Ubuntu Oneiric 11.10 is now fully supported.\n * Issue #1266912 - Support for Apache Solr Attachments - Tika.\n * Issue #1310082 - Disable XML Sitemap for dev automatically.\n * Support for fbconnect module.\n * Support testing->minimal->standard migrations for D7 out-of-the-box.\n * The Speed Booster $key_uri enhanced logic included in the default Nginx config.\n\n# Changes:\n\n * Nginx upgrade to 1.0.8\n * Create mobile cache separate subdirs for Boost by default.\n * _MODULES_ON and _MODULES_OFF now forced also for D7 sites.\n * Do not force hosting_ignore_default_profiles by default.\n * Some o_contrib modules received updates - use _O_CONTRIB_UP=YES to apply them.\n * Allow 'contrib' subdirectory in the modules path for allowed PHP files.\n * Issue #1309996 - Extended support for common modules locations/paths.\n * Issue #1305542 - Do not overwrite php.ini and my.cnf if control files exist.\n * Add collectd to the auto-healing monitor and automated restart.\n * Disable l10n_update module by default to avoid issues when d.o servers are down.\n * Updated docs/SOLR.txt to explain how to configure any core to support 7.x.\n * Duplicate parts of Nginx config moved to maps in the parent server.tpl.php file.\n * Add 'drush pmi' to the list of displayed/allowed commands.\n * Issue #1243068 - Allow to override in override.global.inc also Redis/Memcached etc.\n * Deny known crawlers on the HTTPS proxy level.\n\n# Fixes:\n\n * The wkhtmltopdf binary should be always executable if exists.\n * Issue #1238200 - Use custom _SSH_PORT only in TCP_IN.\n * Make sure the keys for MariaDB or Percona are added to avoid broken install.\n * Issue #1307664 - Test repo.percona.com and ftp.osuosl.org availability.\n * Issue #1262988 - Missing upload_progress_test.conf breaks upgrade for older installs.\n * Issue #1281896 - Add some missing video types to mime.types in the Nginx config.\n * Do not use path_alias_cache in the Hostmaster site to avoid broken URL aliases.\n * Issue #1270724 and #1263124 - really use /tmp directory during 'drush dl module'.\n * Do not break admin/reports/status/rebuild URL in D7.\n\n\n### Stable Edition 1.0-boa-T-8.10\n### Date: Mon, 5 September 2011 16:15:00 +0200.\n### Installs Ægir stable 1.3.1\n\n# New Octopus platforms:\n\n OpenChurch 1.21 -------------- http://openchurchsite.com\n\n# Updated Octopus platforms:\n\n Acquia 7.7.6 ----------------- http://bit.ly/acquiadrupal\n Acquia Commons 2.0 ----------- http://acquia.com/drupalcommons\n CiviCRM 3.4.5 ---------------- http://civicrm.org\n CiviCRM 4.0.5 ---------------- http://civicrm.org\n Conference 1.0-beta2 --------- http://usecod.com\n Drupal 7.8 ------------------- http://drupal.org/drupal-7.0\n Drupal Commerce 1.0 ---------- http://drupalcommerce.org\n OpenPublic 1.0-beta2 7.8 ----- http://openpublicapp.com\n Ubercart 2.6 6.22 ------------ http://ubercart.org\n\n# Changes:\n\n * Drush Make upgrade to 2.3\n * Drush upgrade to 4.5\n * Nginx upgrade to 1.0.6\n * MariaDB upgrade to 5.2.8\n * Higher limit_conn for AdvAgg to support high async connections rate.\n\n# Fixes:\n\n * Tomcat runs as a separate 'tomcat' user instead of root.\n * Issue #1250448 - Textile 7 requires Vars module.\n * Issue #1248432 - support for CNAME records in the DNS check.\n\n# New features:\n\n * HTTP/HTTPS redirects example in the override.global.inc file.\n * Enabled by default HTTPS and HTTP sessions/cookies for D7.\n * Issue #1243068 - Allow to override $cache_module_path.\n\n\n### Stable Edition 1.0-boa-T-8.9\n### Date: Sat, 30 July 2011 23:50:00 +0200.\n### Installs Ægir HEAD 1.2.1\n\n# Updated Octopus platforms:\n\n Drupal 7.7 ------------------- http://drupal.org/drupal-7.0\n Acquia 7.7.5 ----------------- http://bit.ly/acquiadrupal\n OpenPublic 1.0-beta1 7.7 ----- http://openpublicapp.com\n Drupal Commerce 1.0-rc1 ------ http://drupalcommerce.org\n Open Atrium 1.0 6.22 --------- http://openatrium.com\n ProsePoint 0.40 6.22 --------- http://prosepoint.org\n\n# Fixes:\n\n * Two critical cache related bugs fixed in Nginx 1.0.5.\n * Critical Issue #1222208 - broken web-based cron for sites.\n * Issue #1223506 - cloning a site looses client site ownership.\n * Missing jquery.ui symlink in Conference COD breaks install.\n * Issue #1230420 - do not purge /tmp too aggressively.\n * Issue #1234470 - SSL proxy didn't respect HTTP wildcard.\n * Boost's false alarm about permissions silenced.\n * Permissions for sites/domain/private/* also fixed daily.\n\n# Changes:\n\n * Nginx upgrade to 1.0.5\n * Chive upgrade to 0.5.1\n * Web-based method set by default for sites cron in Ægir.\n\n# New features:\n\n * Speed Booster Purge experimental backend can be installed,\n but is not used in production yet - see _PURGE_MODE flag\n and Issue #1048000.\n\n\n### Stable Edition 1.0-boa-T-8.8\n### Date: Thu, 15 July 2011 08:00:00 +0200\n### Installs Ægir stable 1.2\n\n# New Octopus platforms:\n\n Drupal 7.4 ------------------- http://drupal.org/drupal-7.0\n CiviCRM 3.4.4 ---------------- http://civicrm.org\n CiviCRM 4.0.4 ---------------- http://civicrm.org\n Videola 1.0-alpha1 ----------- http://videola.tv\n\n# Updated Octopus platforms:\n\n OpenPublic 1.0-beta1 7.4 ----- http://openpublicapp.com\n Drupal Commerce 1.0-beta4 ---- http://drupalcommerce.org\n Acquia Commons 1.7 ----------- http://acquia.com/drupalcommons\n Acquia 7.4.4 ----------------- http://bit.ly/acquiadrupal\n OpenScholar 2.0-beta11 ------- http://openscholar.harvard.edu\n Conference 1.0-beta1 --------- http://usecod.com\n\n# New features:\n\n * Speed Booster can be disabled per site or per platform.\n * Redis/Memcached can be disabled per site or per platform.\n * Redis/Memcached chained cache enabled also for anonymous visitors.\n * Support for private_upload module added.\n * Support for static sites/domain/files/robots.txt file per site #1173954.\n * New _HTTP_WILDCARD Barracuda option for Nginx configuration #1152316.\n * New _XTRAS_LIST Barracuda option to define extras to be used.\n * Scripts to add extra ftp or lshell standard or lshell master users.\n * New _PLATFORMS_LIST Octopus option to configure the list of platforms.\n * You can migrate sites between some installation profiles by default:\n Drupal/Pressflow -> Acquia\n Acquia -> Drupal/Pressflow\n Acquia -> CiviCRM 3\n Cocomore/CDC/DrupalCenter -> Pressflow\n * New _O_CONTRIB_UP Octopus option to upgrade last two contrib sets.\n\n# Changes:\n\n * Migration from commercedev to commerce_kickstart profile.\n * More system info stored in BOA logs to help with debugging.\n * Nginx config - deny access to /hosting/c/server_master.\n * Better how-to in the override.global.inc template.\n * Chive upgrade to 0.4.2\n * Nginx upgrade to 1.0.4\n\n# Fixes:\n\n * OpenPublic password policy issue fixed on site install.\n * OpenScholar missing libraries issue fixed.\n * Issue #1213094 - FServer platform missing module fixed.\n * Mollom problem when running via (SSL) proxy fixed.\n * Issue #1209150 - always use _MY_OWNIP when defined.\n * Issue #1208386 - fix for broken csf configuration template.\n * Boost cache write permissions after site migration fixed.\n * Nginx config - better support for CiviCRM.\n * Issue #1198572 - do not run SMTP check if _SMTP_RELAY_HOST is set.\n * Forced PHP-FPM rebuild on MariaDB 5.2.7 upgrade.\n * Issue #1196006 - fixed Nginx X-Accel-Redirect support.\n * Security Issue #1197172 - bypass access restrictions to protected files fixed.\n * Issue #1182680 - fixed support for backup_migrate module.\n * Issue #1182582 - fixed search paths for node.js, image.jpg etc.\n * Critical Issue #1183500 #1182660 - fall back to the wildcard * in Nginx.\n * Issue #962188 - Nginx version check in vhost.tpl.php now works.\n * Issue #1170498 - Extra config variable was missing in Nginx config templates.\n * Percona upgrade path fixed.\n * Broken dev version of the backup_migrate module replaced with stable.\n * Use correct platforms versions numbers in the ftp symlinks.\n\n\n### Stable Edition 1.0-boa-T-8.7\n### Date: Mon, 30 May 2011 11:40:00 +0200\n### Installs Ægir HEAD 1.1.2\n\n1. Fixed critical issue with MariaDB upgrade from 5.1 to 5.2\n2. Fixed critical issue with Nginx build.\n3. Fixed critical issue with Feature Server platform build.\n4. Added upgrade monitor.\n\n\n### Stable Edition 1.0-boa-T-8.6\n### Date: Sun, 29 May 2011 13:30:00 +0200\n### Installs Ægir HEAD 1.1.2\n\n----------------------------------------\n# Added or upgraded since January 2011\n----------------------------------------\n\n* Added support for install and upgrade to Percona Server 5.5\n* MariaDB server upgraded to version 5.2.6.\n* Nginx server upgraded to version Barracuda/1.0.2\n* Added support for Debian Squeeze and Ubunty Natty.\n* Open Atrium includes extra features:\n Atrium Folders: http://bit.ly/oafolders\n Ideation: http://bit.ly/oaideation\n\n* Hostmaster platform comes with ready to enable extra modules:\n http://drupal.org/project/hosting_backup_queue\n http://drupal.org/project/hosting_backup_gc\n http://drupal.org/project/hosting_upload\n\n* New Octopus platforms:\n\n OpenPublic 1.0-beta1 --------- http://openpublicapp.com\n NodeStream 1.0 --------------- http://nodestream.org\n Drupal Commons 1.6 ----------- http://acquia.com/drupalcommons\n OpenScholar 2.0-beta10-1 ----- http://openscholar.harvard.edu\n Conference 1.0-alpha3 -------- http://usecod.com\n Open Enterprise 1.0-beta3 ---- http://leveltendesign.com/enterprise\n Acquia 7.2.2 ----------------- http://bit.ly/acquiadrupal\n Drupal Commerce 1.0-beta3 ---- http://drupalcommerce.org\n\n* Basic Drupal 6 and Drupal 7 platforms now come in three instances,\n to make your standard workflow easier for: -dev, -stage and -prod,\n with correct suffix: D.00x, S.00x and P.00x in the platform name.\n\n* Speed Booster cache for 5.x, 6.x and 7.x Drupal platforms.\n This new feature adds super fast caching for anonymous visitors,\n and yes! - also for logged in users (cache per user) directly on\n the web server level - no Drupal module required.\n It works for all platforms, except of Ubercart, Commerce\n and any platform with ubercart in sites/all/modules/ubercart.\n\n* Support for secure ubercart keys location to use ../keys path.\n* The filefield_nginx_progress now also in every 7.x platform.\n* Drush upgraded to version 4.4\n* Drush Make upgraded to version 2.2\n* Redis cache server upgraded to version 2.0.5\n* PHP-FPM server upgraded to version 5.2.17\n* APC upgraded to version 3.1.9\n* Memcache extension replaced with memcached and libmemcached.\n* Chive database manager upgraded to version 0.4.1\n* Added support for robotstxt module in all new 6.x based platforms.\n* Drush gm / generate-makefile command added as allowed to lshell.\n* Git over ssh added as allowed to lshell.\n\n----------------------------------------\n# Improvements since January 2011\n----------------------------------------\n\n* Speed Booster now works also in the Ægir Master Instance.\n* Full Barracuda install takes only 30 minutes (tested on Linode).\n* Nginx abuse guard is now integrated with csf firewall.\n* Bots/crawlers are now denied on any \"dev\" type subdomain.\n* The pdnsd server install is now optional.\n* The csf/lfd firewall install is now optional.\n* Limited shell configuration is now updated on every upgrade.\n* Auto-tuning in Barracuda leaves more memory for MyISAM etc.\n* Ægir runs cron for D5 and D6 sites using Wget instead of Drush\n to leverage APC cache, while D7 can use built-in poormanscron.\n* Many improvements in the Speed Booster cache configuration.\n* Improved memcached/redis cache bins configuration.\n* The o_contrib modules now symlinked also in custom platforms.\n* Boost directories created automatically also in custom platforms.\n* Improved web server self-healing monitor.\n* PHP notices no longer displayed for dev subdomains, only errors.\n* Many improvements in the Nginx configuration - now it's faster.\n* Permissions on uploaded modules, themes and files are now\n automatically fixed every morning to help with post-import issues.\n* Almost all 6.x platforms now come with performance related\n modules already enabled and configured on site install by default.\n* Nginx config - now doesn't use php-fpm to serve fckeditor files.\n* Introduced possibility to add upgrade-safe custom Nginx rewrite\n rules to support transparent migration of legacy URLs/content.\n* Ægir Hostmaster control panel received extra caching and speed.\n* Better support for securepages 1.9 with forced secure cookies.\n* Better support for dynamically created base_url for http/https.\n* Too generic D7 profile names replaced with unique Drupal 7 names.\n* A few new commands have been added to your Ægir Drush Shell (SSH).\n* You can use git to manage the code and rsync to manage backups.\n* Useful new commands from Drush v.4 are now available.\n* Now it is possible to delete old sites backups created in Ægir.\n* You can access Ægir backups also via SSH or SFTP/FTPS.\n* You can cancel queued task in Ægir before it is started.\n* The \"dev\" anywhere in the subdomain enables all PHP errors.\n* You can use \"dev\" type alias for live site for easier debugging.\n* Added support for imagecache_external module.\n* It is possible to safely delete any not used platforms on request.\n* Access to static files allowed only for currently used domain.\n* Added crossdomain.xml in the root of every new platform.\n* New rewrite introduced to map /files to /sites/domain/files,\n /images to /sites/domain/files/images and\n /downloads to /sites/domain/files/downloads.\n* The standard /update.php works again, however using \"drush dbup\"\n command is recommended.\n* The \"drush mup\" command allows now to upgrade contributed modules.\n\n\n----------------------------------------\n# Fixes since January 2011\n----------------------------------------\n\n* Auto-healing no longer starts concurrent servers when InnoDB start\n takes more time on servers with big or many databases.\n* Hostname is no longer reverted to default on Linode and similar.\n* Barracuda supports now both old and new Mailx behavior.\n* All platforms paths and symlinks include core version numbers.\n* Fixed some memory issues with Virtuozzo family systems.\n* Fixed issue with broken site when non-lowercase domain was used\n on Migrate or Clone task.\n* Fixed upgrade path for Drupal 5\n* Fixed double slash in the images paths issue in the Pressflow core.\n* Speed Booster cookies shouldn't be sent for imagecache/styles\n and AdvAgg module dynamic requests.\n* Speed Booster shouldn't cache imagecache/styles and AdvAgg module\n dynamic requests on the Nginx level.\n* Nginx upgrade to 1.0.0 fixes known issue with random but very high\n CPU load on Nginx server configuration reload/restart.\n* Fix for critical bug causing sessions issues on older sites without\n $cookie_domain set in settings.php when speed booster is enabled.\n* The session.cookie_secure is no longer forced in D6 platforms.\n* Security issue #1098304 - domain aliases were not sanitized.\n* Nginx config - proper fix for broken wysiwyg pop-ups.\n* Fixed issue with Nginx configuration for private files access.\n* The authorize.php added to allowed php files - required in D7.\n* Known issue with paths to files not rewritten is now fixed.\n* Known issue with sites cron semaphore in Ægir now resolved.\n* Known issue with PHP notices breaking some Ægir tasks resolved.\n* Fixed web server rewrites to support \"ad\" module.\n* Fixed Ægir issue with .info and .pl domains extensions.\n* Drush make via SSH now works as expected.\n* Fixed Nginx issue with /system/ paths and static files or images.\n* Fixed issue with broken site when non-lowercase domain was used.\n\n\n----------------------------------------\n# Other changes\n----------------------------------------\n\n* Forced public downloads for all 6.x platforms, except of ubercart.\n* Boost crawler option is now denied for performance reasons.\n* Forced log-out on browser quit only for Ægir control panel.\n\n\n### Project and issue queue moved to Drupal.org\n### Date: Sat, 7 May 2011 14:00:00 +0200\n### http://drupal.org/project/barracuda\n### http://drupal.org/project/octopus\n\n### Stable Edition 1.0-boa-T-8.5\n### Date: Tue, 3 May 2011 14:30:00 +0200\n### Installs Ægir stable 1.1\n\n### Stable Edition 1.0-boa-T-8.4\n### Date: Sun, 1 May 2011 23:30:00 +0200\n### Installs Ægir stable 1.1\n\n### Stable Edition 1.0-boa-T-8.3\n### Date: Sat, 30 Apr 2011 20:15:00 +0200\n### Installs Ægir stable 1.1\n\n### Stable Edition 1.0-boa-T-8.2\n### Date: Tue, 26 Apr 2011 21:45:00 +0200\n### Installs Ægir stable 1.1\n\n### Stable Edition 1.0-boa-T-8.1\n### Date: Wed, 20 Apr 2011 19:30:00 +0200\n### Installs Ægir stable 1.1\n\n### Stable Edition 1.0-boa-T-8\n### Date: Mon, 18 Apr 2011 20:15:00 +0200\n### Installs Ægir stable 1.0\n\n### Stable Edition 1.0-boa-T-5\n### Date: Fri, 8 Apr 2011 19:15:00 +0200\n### Installs Ægir working HEAD after 1.0-rc6\n\n### Stable Edition 1.0-boa-T-2\n### Date: Wed, 6 Apr 2011 01:34:40 +0200\n### Installs Ægir working HEAD before 1.0-rc3\n\n### Stable Edition 1.0-boa-T\n### Date: Mon, 14 Mar 2011 02:43:15 +0100\n\n### Stable Edition 0.4-boa-C\n### Date: Thu, 10 Feb 2011 04:41:57 +0100\n\n###\nFor changes/improvements between 2010-09-24 and\n2010-12-31 please see comments in the commits history.\n###\n\n### Thu, 2010-09-23 17:30 - Edition 0.4-HEAD-A14.B\n\nAdded/Fixed: (upgrade for all pre-A14.A required)\n\n1. Introducing default SSL Wildcard Nginx Proxy.\n Works for all sites/hostmaster instances on\n the same server and can be used also for\n encrypted connections to Chive and Collectd.\n Doesn't interfere even with SSL enabled sites\n on the same IP (with separate certs).\n\n2. The redirects are now back and enhanced.\n Fully compatible with Nginx in any combination\n with aliases and SSL settings/modes.\n\n3. Barracuda and Octopus by default installs still\n Ægir HEAD, but the latest alpha14 also works.\n\n4. Octopus can define its separate IP address\n if available.\n\n5. Fixed issue with too aggressive Hot Sauce check,\n causing creating not shared copies of code\n for platforms on every install or upgrade.\n\n6. Barracuda and Octopus now allows to skip DNS\n test, to make it possible to install on any\n virtualbox with dynamic DNS/IP etc. There is\n no guarantee it will work, but another switch\n is now available, if someone needs it.\n\n7. Octopus can now turn off local Memcache and Redis\n caches and switch all sites to use defined remote\n caches.\n\n8. Forced /etc/apt/sources.list rewrite also before\n the Barracuda system upgrade.\n\n9. Fix for the already installed and possibly broken\n git-core.\n\n10. Fix for Ægir sites with .info domains, the path\n alias should now work without 403 error.\n\n\n### Fri, 2010-09-17 11:00 - Edition 0.4-HEAD-A14.A\n\nAdded/Fixed: (upgrade required)\n\n1. Barracuda and Octopus by default installs now\n Ægir HEAD to use the fix for critical issue\n on sites import. It will be included in alpha14,\n please don't use alpha13.\n\n2. Debian Lenny on 32bit systems works again.\n Fix for broken git-core after upgrade\n to version: 1:1.5.6.5-3+lenny3.1 on Lenny 32bit.\n\n3. Fix and better inline warnings/info about\n missing locales at Linode and RackSpaceCloud.\n\n4. More details in the installer log for better\n debugging and version tracking.\n\n5. E-mail address for alerts on database repair\n started by auto-healing now correctly replaced.\n\n6. Redis for Lenny now built from sources due to\n apt version moved already to Squeeze.\n\n7. Critical bugfix for failed platforms install\n when hostmaster is not upgraded.\n\n8. Introducing simple edition archive:\n http://omega8.cc/dev/bo-a14a.tar.gz\n\n9. Octopus now better supports using newer shared\n code for platforms and introduces new setting:\n _HOT_SAUCE to allow forced fresh/hot code.\n\n\n### Tue, 2010-09-12 21:50 - Edition 0.4-HEAD-A13.A\n\nAdded/Fixed: (upgrade recommended)\n\n1. Octopus now creates SSH/FTPS separate, non-aegir\n account for every Ægir Satellite Instance,\n with limited shell to avoid using commands\n like \"drush up\" since they should never be used\n on sites managed in the Ægir system.\n\n2. Octopus now by default sends a welcome email\n with some useful intro information and access\n details to the address defined as _CLIENT_EMAIL.\n\n3. When Octopus is used the first time to create\n an Ægir Satellite Instance, it doesn't allow\n to skip installing all platforms, since it is\n recommended to add all available platforms with\n initial install, for easier re-using the code\n by next Ægir Satellite Instances.\n\n4. The second and all future non-core Hostmaster\n installs allow to choose one or more platforms\n or to skip adding platforms at all.\n\n5. Octopus by default honors initial domain used\n for the Ægir Satellite Instance on every\n upgrade to avoid mistakes with using different\n copies of the script for different Ægir\n Satellite Instances upgrades.\n\n6. Also Barracuda will always honor initial\n domain used for the core Hostmaster to avoid\n mistakes on upgrade when you don't use\n the original version of the script.\n\n7. Better checks if the script is running as root.\n\n8. Removed memcache module since cache is used.\n\n9. SMTP connection test is now optional.\n\n10. Nginx version set to 0.8.50.\n\n11. By default Ægir 0.4-HEAD instead of alpha13\n is now installed to fix critical issues with\n importing sites.\n\n See also: http://drupal.org/node/907248\n\n12. Solr and Chive are now optional (Yes/no).\n\n13. Added optional install of Collectd monitor.\n\n14. Fixed issue with SSL mode.\n\n15. Better compatibility for upgrades from\n pre-Barracuda Nginx installs.\n\n16. Now it doesn't start cron before completing all\n install tasks to avoid breaking spinner.\n\n17. Both Barracuda and Octopus now can better\n support re-starting stopped install/upgrade.\n\n18. Octopus now refuses to run if defined domain\n doesn't resolve yet to the server IP address.\n\n19. Octopus now refuses to run on system not\n created initially by Barracuda installer.\n\n20. Custom FQDN hostname is now forced (if defined)\n in Barracuda before running DNS checks.\n\n21. Fix for some missing mime types in vanilla Nginx.\n\n22. Updated versions of Open Atrium, Drupal Commons\n and Cocomore Drupal distros installed by Octopus.\n\n23. Lowered memory defaults in the MariaDB configuration.\n\n\n### Tue, 2010-08-31 23:50 - Edition 0.4-HEAD-A12.D\n\nAdded/Fixed: (upgrade recommended because it works!)\n\n1. Upgrade of Ægir Master Instance by Barracuda\n and upgrade of Ægir Satellite Instances by Octopus\n finally works as expected.\n\n2. It is now possible to use Barracuda to install\n environment and Ægir Master Instance, to\n upgrade only environment, to upgrade only Ægir\n Master Instance, or both at the same time.\n\n3. Octopus now can separately install and/or upgrade\n any Ægir Satellite Instance or any platform\n on any instance, separately, using detailed prompt\n with version numbers and links to distributions\n home pages.\n\n4. New platform Cocomore Drupal added in Octopus:\n http://drupal.cocomore.com\n\n\n### Sat, 2010-08-28 20:15 - Edition 0.4-HEAD-A12.C\n\nAdded/Fixed: (upgrade recommended)\n\n1. By default Ægir 0.4-HEAD with Drush 3.3\n is now installed to fix critical issues with\n importing sites. The fix is also available\n as a patch for alpha12:\n http://drupal.org/node/882970#comment-3382542\n\n2. Both Barracuda and Octopus now allow to choose\n if the Ægir Hostmaster will be upgraded or not.\n\n3. Added versions numbers and links to all platforms\n Yes/no prompts.\n\n4. /tmp directory no longer used to avoid problems\n due to secure noexec mount.\n\n5. Improved readme and docs (in progress).\n\n6. Removed old, no longer supported installer.\n\n\n### Fri, 2010-08-27 04:15 - Edition 0.4-alpha12-A12.B\n\nAdded/Fixed: (upgrade optional)\n\n1. Octopus now allows to install or upgrade only Ægir\n Satellite Instance without any platforms added.\n\n2. Enabled again early exit on the first error to avoid\n confusing cascade of errors if something went wrong.\n\n3. Both Barracuda and Octopus runs now faster.\n\n\n### Thu, 2010-08-26 19:30 - Edition 0.4-alpha12-A12.A\n\nAdded/Fixed: (upgrade from previous versions recommended)\n\n1. Barracuda now includes multicore Apache Solr Search,\n Redis and Memcache.\n\n2. Barracuda now can upgrade packages selectively.\n Just run it again to upgrade the system and the\n Ægir Master Instance.\n\n3. Octopus can create many Ægir Satellite Instances\n on the same server, each with different set of platforms,\n but with ability to share the code between instances,\n so you can use this system even on the low end VPS.\n\n4. Chive database manager added by default with db.\n subdomain (may require dns entry or wildcard).\n\n\n### Thu, 2010-08-26 08:55 - Edition 0.4-alpha12-A12.A\n\nAdded/Fixed: (upgrade from previous versions recommended)\n\n1. By default Ægir 0.4-alpha12 with Drush 3.3\n is now installed.\n\n2. Introduced new Octopus and Barracuda installers.\n See README.txt for more information.\n Both are in pre-alpha debugging phase.\n\n3. All installers code and helpers now hosted on GitHub.\n\n\n### Thu, 2010-08-18 21:30 - Edition 0.4-HEAD-A11.B\n\nAdded/Fixed: (upgrade from previous versions recommended)\n\n1. By default Ægir 0.4-HEAD with Drush 3.3\n is now installed.\n\n2. Introduced support for Virtuozzo/OpenVZ IP address\n automatic discovery.\n\n\n### Thu, 2010-08-12 22:15 - Edition 0.4-alpha11-A11.A\n\nAdded/Fixed: (upgrade from previous versions recommended)\n\n1. By default Ægir 0.4-alpha11 with Drush 3.3\n is now installed.\n\n2. PHP-FPM version is now 5.2.14.\n\n3. Improved UX - only interesting status messages\n are now displayed.\n\n4. Hostmaster root directory now properly named using\n Ægir version: '-0.4-alpha11' or '-HEAD'.\n\n\n### Thu, 2010-08-12 06:10 - Edition 0.4-alpha10-A10.A\n\nAdded/Fixed: (upgrade from previous versions recommended)\n\n1. By default Ægir 0.4-alpha10 with Drush 3.3\n is now installed.\n\n2. Nginx version is now 0.8.49, MariaDB is 5.1.49\n and Drupal is 6.19.\n\n3. Fixed freezing request on the first /admin hit.\n\n4. Better tuned Nginx, PHP-FPM and MariaDB settings.\n\n5. Various small improvements in the code.\n\n\n### Thu, 2010-08-07 06:10 - Edition 0.4-alpha9-A9.F\n\nAdded/Fixed: (upgrade of existing installs not required)\n\n1. By default latest HEAD from git.aegirproject.org\n is now installed, due to critical bug found,\n see this for details: http://drupal.org/node/874716\n The default install will be reverted to 0.4-alpha10\n when it will be released. You can use 0.4-alpha9 with\n caution (just don't use remote servers new feature\n to stay safe).\n\n2. Fixed problem with setting up FQDN hostname on Linode\n based servers. The fix can help also with other\n providers probably.\n\n3. Installer now writes date and version used in file:\n /var/aegir/config/includes/installer_version.txt\n\n\n### Thu, 2010-08-05 22:00\n\nAdded/Fixed: (upgrade of existing installs not required)\n\n1. Fixed critical problem with Drush broken due to\n change of URL to the required php library:\n http://drupal.org/node/875196\n\n2. Ægir version is now configurable. By default latest\n 0.4-alpha9 will be installed, but it is also possible\n to install latest HEAD from git.aegirproject.org.\n\n3. Ægir front-end (sub)domain is now configurable and\n can be different than machine FQDN hostname.\n\n4. Machine FQDN hostname and IP is now configurable.\n\n5. Nginx version updated to 0.8.48.\n\n6. Fixed progress spinner on Ubuntu.\n\n7. Fixed problem with automatic ionCube loader\n discovery of required version 32/64 bit.\n\n\n### Mon, 2010-08-02 01:08\n\nAdded/Fixed:\n\n1. Added automatic, full support for Ubuntu Lucid and Karmic.\n\n2. If there is no FQDN hostname, we are trying to set it\n using reverse IP hostname, if exists.\n\n3. Now we are trying both `uname -n` and `hostname -f`\n to make sure if the FQDN hostname is already set,\n but not available with `uname -n` test.\n\n4. Added support for ionCube Loader with automatic\n discovery of required version 32/64 bit.\n\n\n### Sat, 2010-07-31 18:00\n\nAdded/Fixed:\n\n1. Simplified installer by removing unnecessary duplicate\n prompts in the original embedded install script.\n\n2. Check for SMTP outgoing port 25 now fully automated.\n\n3. Even more fun added :)\n\n\n### Fri, 2010-07-30 19:00\n\nAdded/Removed:\n\n1. New all-in-one installer for Debian 5.0 Lenny\n Ægir 0.4-alpha9 compatible.\n\n2. Removed deprecated scripts & how-to.\n\n\n### Sat, 2010-02-06 23:55\n\nAdded/Fixed:\n\n1. Missing --with-libevent=shared added in php-fpm-install.txt\n http://github.com/omega8cc/boa/issues/#issue/2\n\n2. Debian specific stuff added in php-fpm-install.txt to allow\n easy install on vanilla vps.\n\n3. Xcache replaced with APC and Memcache install added.\n\n\n### Wed, 2010-02-03 06:37\n\nAdded/Fixed:\n\n1. mkdir for required cache dirs added in nginx-install.txt\n http://github.com/omega8cc/boa/issues#issue/1\n\n\n### Fri, 2010-01-29 06:37\n\nAdded/Fixed:\n\n1. FCKeditor/CKEditor fix for .xml files.\n2. Security: deny direct access to backup_migrate directory.\n\n\n### Mon, 2010-01-11 01:46\n\n1. Added custom fix required only when using purl, spaces & og\n for modules: ajax_comments, watcher and fasttoggle.\n\n2. Simplified rewrite rules for location @drupal\n resolves also some problems with imagecache.\n\n3. Changed order of try_files for Boost\n to match newer version of dirs structure first.\n\n\n### Tue, 2009-12-01 16:19\n\nAdded/Fixed:\n\n1. Latest Boost compatibility for /cache/normal & /cache/perm.\n2. Json cache for Boost added.\n3. Fix for xml/feed Boost cache files with .html extension.\n4. Fix for xml/feed Boost cache correct mime type.\n"
},
{
"path": "DIFFERENT30Y.md",
"content": "# 30 Years of Heritage\n\nWe are unique within the hosting industry for many important reasons. Our 15 years of Ægir-based hosting, plus earlier experience with Adgrafix (the first company to offer a control panel for website management in 1995), have helped shape what makes us different today.\n\nFun fact: Robert “Bo” Bennett, the founder of Adgrafix, started as a self-taught programmer and created the world's first web hosting control panel entirely in Perl. We continued to build on that fundation for almost ten years, adding shopping cart and marketing tools and the early BOA version -- everything in Perl. Why not in PHP? Because PHP was still in its infancy, since its early prototype 1.0 was released in June 1995 by Rasmus Lerdorf, while Perl 4 had been out since 1991 and was already a stable, mature, widely adopted language used both for server tools, websites backend and frontend.\n\n![\"boa-on-excalibur\"](\"https://github.com/user-attachments/assets/cdf4f72b-6d7d-4712-895b-46f612be333f\")
\n\n## Why We’re Different\n\nWe avoid marketing noise. Think of us like your electricity provider — reliable, fast, essential. You know we’re there, running everything **silently and smoothly** in the background. No need for constant attention or distractions.\n\n## Focus, focus, focus — like no one else\n\nOur website has been running on GravCMS for years, but our hosting and associated service itself is 100% Drupal-focused — and has been for 15 years. Others have tried and failed to stay focused, adding WordPress and a dozen other platforms. That’s not how you become **best-in-class, fastest, and most trusted** by the open-source community.\n\n## Technological sovereignty\n\nWe take **Open Source seriously** — it’s not a buzzword for us. It’s about freedom from corporate control. Here's a short look back at our 15-year Ægir journey and 19 years with Drupal.\n\nOur BOA system is the most complete solution of its kind. It has been designed from the ground up to make Drupal hosting **faster, easier, safer, and more efficient** — especially for teams that don’t want to get lost in DevOps. It was always built on Debian OS, but we never accepted systemd, imposed by Red Hat. After years of battling, we switched fully to **Devuan** — the true Debian fork without systemd, built by Debian veterans.\n\nAt the same time, we stayed away from MariaDB, because it drifted away from MySQL compatibility and became vendor-focused. Instead, we adopted **Percona** — a truly open, compatible, and community-aligned database option. The same thing happened with Redis — the fast cache-in-memory server. As soon as Redis switched to a restrictive corporate license, we moved to the open-source **Valkey** fork.\n\nBottom line: BOA is **architected around technological freedom and independence**. We work for you — not for Oracle, Red Hat, investors or proprietary agendas. That matters, especially for universities, NGOs, and businesses who rely on no-compromise sovereignty. Make your high-traffic demanding Drupal sites **Lightning Fast and Secure** with our [**Pro Hosted Plans »**](https://omega8.cc/pro)\n\n![\"Ægir-BOA\"](\"https://github.com/user-attachments/assets/b2417cc7-2fb8-422c-96f8-71d12c1c2fd7\")
\n\n## Support for legacy Drupal versions\n\nWhile Drupal 7 users were largely abandoned by core developers without an upgrade path to Drupal 8 and beyond, we still fully support Pressflow 6 and Drupal 7. We even maintain our own improved core forks, provide Drupal 7 LTS, and made Drupal 7 compatible with PHP 8.4 ages ago. Make your legacy Drupal sites **Fast and Secure** with our [**Basic Hosted Plans »**](https://omega8.cc/basic)\n\n## Support for Ægir 3 and Drupal 11+\n\nMany believed Ægir 3 would never support Drupal 9 — until we made it work. Same for Drupal 10. This year, we did it again and added Drupal 11 support to Ægir — a “mission impossible” at first glance. We recently took over the technical stewardship of Ægir 3 project, ensuring its future is bright. Make your modern Drupal sites **Blazing Fast and Secure** with our [**Advanced Hosted Plans »**](https://omega8.cc/advanced)\n\n## 90-day backups running every six hours\n\nYour site backups (files + database) are securely stored via Backblaze with a full 90-day retention period — taken automatically every six hours. Far better than the industry-standard daily or weekly backups. You can also configure your own automatic backups, using any of 8 supported storage providers. Because there is no such thing in the universe like \"too many backups\".\n\n## Drupal codebase upgrades powered by Jenkins\n\nWe’ve built highly tailored CI/CD pipelines for Drupal, including custom Composer-based setups and multi-environment workflows. If you’ve never used CI/CD, we understand — it can be complex. The good news is that you can use it without any learning — if you’re tired of constant updates, PHP compatibility issues, or security patching — we can help using Jenkins wizardry in the backend, including same-day updates — check our [**Managed Drupal Updates Plans »**](https://omega8.cc/managed)\n\n**We’d be happy to show you how it all works and talk through how it could fit with your projects** — [**Contact Us Today! »**](https://omega8.cc/contact) to discuss your needs.\n\n"
},
{
"path": "DUALLICENSE.md",
"content": "# Dual License and BOA Branches Explained\n\n**BOA** remains a **Free/Libre Open Source Project**. While all of **BOA** code is **Free/Libre Open Source**, only the **BOA LTS** branch and **Ægir** are available without any cost or restrictions.\n\n- **LTS**: This public branch remains completely free to use without any commercial license, as it has been from the beginning (previously named HEAD or STABLE). This branch should be considered the **BOA Long Term Support** variant, with slow updates focused on security and bug fixes, and limited new features.\n\n- **DEV**: This public branch requires a commercial license for both installation and upgrades. It includes the latest features, security updates, bug fixes, and updated service versions. This branch should not be used in production without extensive testing.\n\n- **PRO**: This public branch requires a commercial license and is available only as an upgrade from either LTS or DEV (or previous HEAD/STABLE). It offers new releases once ready, closely following the tested DEV branch.\n\n- **OMM**: This private branch is managed separately, with some unused components removed and others added. It is generally simplified for easier maintenance and adheres to modern coding standards.\n\nYou can install only **BOA LTS** and then upgrade to **PRO** with a license from [Omega8.cc](https://omega8.cc/licenses).\n\n## **LTS** branch will enter a full code-freeze on December 31, 2025\n\nPlease note that **as of December 31, 2025, the LTS branch will enter a full code-freeze**. No further feature development or regular releases are planned for 2026. A possible re-evaluation may occur in 2027, but this should not be assumed.\n\nAfter the freeze, **only critical functional fixes within BOA itself will be considered**. There will be **no updates** for underlying components such as PHP, Percona, Nginx, Valkey, OpenSSL, OpenSSH, or related system libraries, although your barracuda will still be able to upgrade your system with newer Devuan packages.\n\nSeveral of the upcoming and most impactful features are planned **exclusively for BOA PRO**, as outlined in the [ROADMAP](https://github.com/omega8cc/boa/tree/5.x-dev/ROADMAP.md).\n\nFor continued access to new features, ongoing improvements, and a future-proof stack, [BOA PRO](https://omega8.cc/licenses) is the recommended upgrade path.\n\n## Practical Differences Between **LTS** and **PRO**\n\nOver time, **PRO** will be ahead of **LTS** as its name suggests.\n\nThe `BOA-5.9.1` release is the last parallel release including all features developed for **PRO**, so both **PRO** and **LTS** users will enjoy the same improvements, bug fixes, and new features.\n\nIn the future, new features will be regularly added to **PRO**, while **LTS** will receive only security updates and critical fixes for BOA itself. There may be exceptions, and some new features may find their way to **LTS**, but only as exceptions.\n\nThe **PRO** will be available in three main variants, and while all **BOA PRO** licenses will grant access to the same **BOA PRO** branch and features, they will differ in terms of available support levels.\n\n### **PRO** with **Basic Support**\n\nThis license is designed for **BOA** users familiar with managing and monitoring their own systems who don't need extended support, monitoring, or assistance in managing their **BOA** installation and updates. Our support is limited to the Issue Queue on GitHub without any kind of SLA or Best Effort guarantee.\n\nIdeal for: Small businesses or developers who need basic support and can handle issues independently or with community help.\n\n### **PRO** with **Advanced Support**\n\nThis license is designed for **BOA** users who are familiar with managing their own server but need assistance in handling their custom needs or fixing individual problems privately via our helpdesk at [Ægir Helpdesk](https://aegir.happyfox.com), without posting details on GitHub. There is no SLA guarantee, only a Best Effort guarantee. System local and remote uptime monitoring with Site24x7 is included.\n\nIdeal for: Medium to large businesses needing reliable support during business hours with quick response times for critical issues.\n\n### **PRO** with **Hands-Off Experience**\n\nThis license is for **BOA** users who prefer to delegate all the work needed to maintain their **BOA** server, including regular upgrades (both **BOA** and major OS upgrades), active monitoring, and responding to DoS incidents. It comes with a fully managed **BOA PRO** installation you can use without worrying about anything else, with our general SLA guarantee applied: [Omega8.cc SLA](https://omega8.cc/sla). System local and remote uptime monitoring with Site24x7 is included.\n\nIdeal for: Enterprises requiring comprehensive, around-the-clock support with quick response times for all issues.\n\nYou can obtain a **BOA PRO** license from [Omega8.cc](https://omega8.cc/licenses).\n\n## Upcoming **PRO-Only** Features\n\nCertain planned features are likely to be exclusive to **BOA PRO**. If these features are added to other **BOA** versions, it will be with a significant delay.\n\nCheck out the details in [ROADMAP](https://github.com/omega8cc/boa/tree/5.x-dev/ROADMAP.md)\n"
},
{
"path": "HTTP3.md",
"content": "# Strap in, your sites are getting an F1 engine\n\nWe’re rolling out a meaningful upgrade across BOA/Omega8.cc nodes: HTTP/3 and KTLS support.\n\nIf you run Drupal sites that should feel fast and responsive (and stay that way during spikes), this is genuinely good news. It’s not a “new feature in the control panel” kind of update — it’s the kind that improves the *experience* visitors have without you touching a single line of code.\n\n\n## Why this is a big deal\n\nNearly everything on the web is encrypted now (HTTPS). That’s great for security, but it also means every visit involves extra work just to establish and maintain that secure connection.\n\nThe upgrades are all about making secure browsing feel lighter and faster.\n\n### What visitors should notice\n\n* Faster “start” to loading (especially for first-time or returning visits after a while)\n* Smoother browsing on mobile and Wi-Fi (fewer annoying stalls when the connection quality changes)\n* More consistent performance during traffic spikes (less overhead spent on transport/encryption, more resources left for actual Drupal work)\n\n### Why it matters for *your server* too\n\n* More efficient HTTPS handling can mean lower CPU pressure in the busiest parts of the request path.\n* That translates into more headroom for PHP-FPM, caches, and database work when it really counts.\n\nIn short: faster for users, more efficient for servers, and no application changes required.\n\n![\"screenshot](\"https://github.com/user-attachments/assets/4e179e7b-97ac-4808-ace6-b0f29e6b66a8\")
\n\n## What’s being enabled (friendly version)\n\n### HTTP/3\n\nHTTP/3 is the newest “dialect” browsers can use to talk to your site. It’s designed for today’s reality: phones, roaming, Wi-Fi, variable quality connections.\n\nWhen a visitor’s browser supports HTTP/3, it can:\n\n* connect more quickly,\n* recover better from “internet wobble,”\n* and keep page loads feeling responsive even when conditions aren’t perfect.\n\nAnd the best part: browsers choose it automatically. Nobody needs to configure anything on their device.\n\n### KTLS\n\nKTLS helps the operating system handle part of the secure connection workload more efficiently. The result is simpler to describe than the internals:\n\n* less overhead\n* more throughput\n* better stability under load\n\nIt’s one of those improvements that quietly makes a platform feel “stronger” and less stressed during peak times.\n\n\n## What you need to do (this is the important part)\n\nWe’ll make sure the server side is ready after the upgrades — but to actually *apply* the new capabilities cleanly across your BOA/Ægir-managed stack, you need to run Verify so configurations are regenerated with the updated features.\n\n### After the maintenance completes:\n\n1. Log in to your Ægir Control Panel\n2. Go to Platforms → run Verify on all platforms you use to host sites\n3. Go to Sites → run Verify on your hosted sites\n\n * If you host many sites: use the bulk actions on the Sites list so you don’t have to click site-by-site.\n\nThis ensures your platform and site configs are refreshed and the upgraded stack is applied consistently.\n\n\n## “Will anything break?” (No — it’s designed not to)\n\n* If a browser supports HTTP/3, it will use it automatically.\n* If it doesn’t, it will quietly fall back to HTTP/2 or HTTP/1.1.\n* Your Drupal code stays the same.\n* Your visitors don’t have to do anything.\n\n\n## Want more detail?\n\nWe’ll publish our own concise, friendly explainer that goes deeper into:\n\n* what HTTP/3 changes in real-life browsing,\n* why KTLS improves HTTPS efficiency,\n* and how to confirm your browser is using HTTP/3.\n\nMore details: *(link coming soon — we’ll share it as soon as it’s live)*\n\n\n## Quick checklist (save this)\n\nAfter the system upgrade:\n\n1. Ægir → Platforms → Verify (all platforms)\n2. Ægir → Sites → Verify (use bulk actions if you have many sites)\n\nThat’s it. Once Verify is done, you’re ready to benefit automatically — and your visitors get a faster, smoother ride. Enjoy!\n\n\n"
},
{
"path": "OCTOPUS.sh.txt",
"content": "#!/bin/bash\n\n\n###----------------------------------------###\n###\n### Octopus Ægir Installer\n###\n### Copyright (C) 2009-2026 Omega8.cc\n### noc@omega8.cc www.omega8.cc\n###\n### This program is free software. You can\n### redistribute it and/or modify it under\n### the terms of the GNU GPL as published by\n### the Free Software Foundation, version 2\n### or later.\n###\n### This program is distributed in the hope\n### that it will be useful, but WITHOUT ANY\n### WARRANTY; without even the implied\n### warranty of MERCHANTABILITY or FITNESS\n### FOR A PARTICULAR PURPOSE. See the GNU GPL\n### for more details.\n###\n### You should have received a copy of the\n### GNU GPL along with this program.\n### If not, see http://www.gnu.org/licenses/\n###\n### Code: https://github.com/omega8cc/boa\n###\n###----------------------------------------###\n\nexport PATH=/usr/local/bin:/usr/local/sbin:/opt/local/bin:/usr/bin:/usr/sbin:/bin:/sbin:/usr/libexec\nexport SHELL=/bin/bash\n\n###\n### Default values for main Octopus instance variables\n###\n\n_USER=o1\n_MY_OCTO_EMAIL=\"noc@omega8.cc\"\n_CLIENT_EMAIL=\"notify@omega8.cc\"\n_CLIENT_OPTION=POWER\n_CLIENT_SUBSCR=M\n_CLIENT_CORES=1\n\n###\n### Required by AegirSetupA script, running in\n### the same env, to avoid chicken/egg race.\n###\nexport _USER=\"${_USER}\"\n\n###\n### Drush and Redis Variables\n###\n\nexport _DRUSH_VERSION=8.5.0.5\nexport _REDIS_C_VERSION=com-19-04-2021\nexport _REDIS_L_VERSION=7.x-3.19.1\nexport _REDIS_N_VERSION=com-19-04-2021\nexport _REDIS_T_VERSION=8.x-1.8.2\nexport _REDIS_E_VERSION=8.x-1.11.2\n\n###\n### Drupal Core Versions\n###\n\nexport _SMALLCORE10_0_V=10.0.11\nexport _SMALLCORE10_1_V=10.1.8\nexport _SMALLCORE10_2_V=10.2.12\nexport _SMALLCORE10_3_V=10.3.14\nexport _SMALLCORE10_4_V=10.4.9\nexport _SMALLCORE10_5_V=10.5.8\nexport _SMALLCORE10_6_V=10.6.3\nexport _SMALLCORE11_1_V=11.1.9\nexport _SMALLCORE11_2_V=11.2.10\nexport _SMALLCORE11_3_V=11.3.3\nexport _SMALLCORE6_V=6.60.1\nexport _SMALLCORE7_V=7.105.1\nexport _SMALLCORE9_V=9.5.11\n\n###\n### Drupal Core Variables\n###\n\nexport _DRUPAL10_0=\"drupal-${_SMALLCORE10_0_V}\"\nexport _DRUPAL10_1=\"drupal-${_SMALLCORE10_1_V}\"\nexport _DRUPAL10_2=\"drupal-${_SMALLCORE10_2_V}\"\nexport _DRUPAL10_3=\"drupal-${_SMALLCORE10_3_V}\"\nexport _DRUPAL10_4=\"drupal-${_SMALLCORE10_4_V}\"\nexport _DRUPAL10_5=\"drupal-${_SMALLCORE10_5_V}\"\nexport _DRUPAL10_6=\"drupal-${_SMALLCORE10_6_V}\"\nexport _DRUPAL11_1=\"drupal-${_SMALLCORE11_1_V}\"\nexport _DRUPAL11_2=\"drupal-${_SMALLCORE11_2_V}\"\nexport _DRUPAL11_3=\"drupal-${_SMALLCORE11_3_V}\"\nexport _DRUPAL6=\"pressflow-${_SMALLCORE6_V}\"\nexport _DRUPAL7=\"drupal-${_SMALLCORE7_V}\"\nexport _DRUPAL9=\"drupal-${_SMALLCORE9_V}\"\n\nexport _DRUPAL6_D=\"${_DRUPAL6}-dev\"\nexport _DRUPAL6_P=\"${_DRUPAL6}-prod\"\nexport _DRUPAL6_S=\"${_DRUPAL6}-stage\"\n\nexport _DRUPAL7_D=\"${_DRUPAL7}-dev\"\nexport _DRUPAL7_P=\"${_DRUPAL7}-prod\"\nexport _DRUPAL7_S=\"${_DRUPAL7}-stage\"\n\nexport _DRUPAL9_D=\"${_DRUPAL9}-dev\"\nexport _DRUPAL9_P=\"${_DRUPAL9}-prod\"\nexport _DRUPAL9_S=\"${_DRUPAL9}-stage\"\n\nexport _DRUPAL10_0_D=\"${_DRUPAL10_0}-dev\"\nexport _DRUPAL10_0_P=\"${_DRUPAL10_0}-prod\"\nexport _DRUPAL10_0_S=\"${_DRUPAL10_0}-stage\"\n\nexport _DRUPAL10_1_D=\"${_DRUPAL10_1}-dev\"\nexport _DRUPAL10_1_P=\"${_DRUPAL10_1}-prod\"\nexport _DRUPAL10_1_S=\"${_DRUPAL10_1}-stage\"\n\nexport _DRUPAL10_2_D=\"${_DRUPAL10_2}-dev\"\nexport _DRUPAL10_2_P=\"${_DRUPAL10_2}-prod\"\nexport _DRUPAL10_2_S=\"${_DRUPAL10_2}-stage\"\n\nexport _DRUPAL10_3_D=\"${_DRUPAL10_3}-dev\"\nexport _DRUPAL10_3_P=\"${_DRUPAL10_3}-prod\"\nexport _DRUPAL10_3_S=\"${_DRUPAL10_3}-stage\"\n\nexport _DRUPAL10_4_D=\"${_DRUPAL10_4}-dev\"\nexport _DRUPAL10_4_P=\"${_DRUPAL10_4}-prod\"\nexport _DRUPAL10_4_S=\"${_DRUPAL10_4}-stage\"\n\nexport _DRUPAL10_5_D=\"${_DRUPAL10_5}-dev\"\nexport _DRUPAL10_5_P=\"${_DRUPAL10_5}-prod\"\nexport _DRUPAL10_5_S=\"${_DRUPAL10_5}-stage\"\n\nexport _DRUPAL10_6_D=\"${_DRUPAL10_6}-dev\"\nexport _DRUPAL10_6_P=\"${_DRUPAL10_6}-prod\"\nexport _DRUPAL10_6_S=\"${_DRUPAL10_6}-stage\"\n\nexport _DRUPAL11_1_D=\"${_DRUPAL11_1}-dev\"\nexport _DRUPAL11_1_P=\"${_DRUPAL11_1}-prod\"\nexport _DRUPAL11_1_S=\"${_DRUPAL11_1}-stage\"\n\nexport _DRUPAL11_2_D=\"${_DRUPAL11_2}-dev\"\nexport _DRUPAL11_2_P=\"${_DRUPAL11_2}-prod\"\nexport _DRUPAL11_2_S=\"${_DRUPAL11_2}-stage\"\n\nexport _DRUPAL11_3_D=\"${_DRUPAL11_3}-dev\"\nexport _DRUPAL11_3_P=\"${_DRUPAL11_3}-prod\"\nexport _DRUPAL11_3_S=\"${_DRUPAL11_3}-stage\"\n\nexport _SPINNER=NO\nexport _T_BUILD=SRC\nexport _USRG=users\nexport _WEBG=www-data\n\nif [ -n \"${STY+x}\" ]; then\n export _SPINNER=NO\nfi\n\nexport _F_TIME=\"$(date)\"\n\n\n###\n### Instance specific variables\n###\nexport _WEB=\"${_USER}.web\"\nexport _DOMAIN=\"${_USER}.$(cat /etc/hostname 2>/dev/null | tr -d '\\n' || hostname -f 2>/dev/null)\"\nexport _ROOT=\"/data/disk/${_USER}\"\nexport _THIS_DB_PORT=3306\nexport _octCnf=\"/root/.${_USER}.octopus.cnf\"\nexport _octInc=\"${_ROOT}/config/includes\"\nexport _octTpl=\"${_ROOT}/.drush/sys/provision/http/Provision/Config/Nginx\"\nexport _octSetTpl=\"${_ROOT}/.drush/sys/provision/Provision/Config/Drupal\"\n\n\n###\n### Helper variables\n###\nexport _bldPth=\"/opt/tmp/boa\"\nexport _crlGet=\"-L --max-redirs 3 -k -s --retry 9 --retry-delay 9 -A iCab\"\nexport _wgetGet=\"--max-redirect=3 --no-check-certificate -q --tries=9 --wait=9 --user-agent='iCab'\"\nexport _filIncO=\"octopus.sh.cnf\"\nexport _gCb=\"git clone --branch\"\nexport _gitHub=\"https://github.com/omega8cc\"\nexport _gitLab=\"https://gitlab.com/omega8cc\"\nexport _libFnc=\"${_bldPth}/lib/functions\"\nexport _tocIncO=\"${_filIncO}.${_USER}\"\nexport _vBs=\"/var/backups\"\n\n\n###\n### Avoid too many questions\n###\nexport DEBIAN_FRONTEND=noninteractive\nexport APT_LISTCHANGES_FRONTEND=none\nif [ -z \"${TERM+x}\" ]; then\n export TERM=vt100\nfi\n\n\n###\n### Clean pid files on exit\n###\n_clean_pid_exit() {\n if [ -n \"${1}\" ]; then\n echo \"REASON ${1} on $(date)\" >> /root/.octopus.sh.exit.exceptions.log\n [ -e \"/opt/tmp/boa\" ] && rm -rf /opt/tmp/*\n fi\n [ -e \"/run/boa_wait.pid\" ] && rm -f /run/boa_wait.pid\n [ -e \"/run/boa_run.pid\" ] && rm -f /run/boa_run.pid\n service cron start &> /dev/null\n exit 1\n}\n\n\n###\n### Panic on missing include\n###\n_panic_exit() {\n echo\n echo \" EXIT: Required lib file not available?\"\n echo \" EXIT: $1\"\n echo \" EXIT: Cannot continue\"\n echo \" EXIT: Bye (0)\"\n echo\n _clean_pid_exit _panic_exit_a\n}\n\n\n###\n### Include default settings and basic functions\n###\nif [ -e \"${_vBs}/${_tocIncO}\" ]; then\n source \"${_vBs}/${_tocIncO}\"\n _tInc=\"${_vBs}/${_tocIncO}\"\nelif [ -e \"${_vBs}/${_filIncO}\" ]; then\n source \"${_vBs}/${_filIncO}\"\n _tInc=\"${_vBs}/${_filIncO}\"\nelse\n _panic_exit \"${_tInc}\"\nfi\n\n\n###\n### Download helpers and libs\n###\nif [ \"${_OS_CODE}\" = \"excalibur\" ]; then\n _DB_SERVER=Percona\nelse\n _DB_SERVER=Percona\nfi\nif [ \"$(boa info | grep -c ${_DB_SERVER})\" -lt 3 ] || [ ! -e \"/usr/sbin/csf\" ]; then\n if [ ! -e \"/opt/tmp/boa/aegir/helpers/apt.conf.noi.nrml\" ] \\\n || [ ! -e \"/opt/tmp/boa/aegir/helpers/apt.conf.noi.dist\" ]; then\n _download_helpers_libs\n fi\nelse\n _download_helpers_libs\nfi\n\n\n###\n### Include shared functions\n###\n_FL=\"helper dns satellite\"\nfor f in ${_FL}; do\n [ -r \"${_libFnc}/${f}.sh.inc\" ] || _panic_exit \"${f}\"\n source \"${_libFnc}/${f}.sh.inc\"\ndone\n\n\n###\n### Welcome msg\n###\necho \" \"\n_msg \"Skynet Agent v.${_X_VERSION} on $(dmidecode -s system-manufacturer 2>&1) welcomes you aboard!\"\necho \" \"\nsleep 3\n\n\n###\n### Turn Off AppArmor while running octopus\n###\n_turn_off_apparmor_in_octopus\n\n\n###\n### Unlock sendmail for allow-snail group\n###\n_unlock_sendmail_for_snail\n\n\n###\n### Switch to dash while running octopus\n###\n_switch_to_dash_in_octopus\n\n\n###\n### More local default variables\n###\n_LASTNUM=001\n_LAST_HMR=001\n_LAST_ALL=001\n_DISTRO=001\n_HM_DISTRO=001\n_ALL_DISTRO=001\n_STATUS=INIT\n\n\n###\n### Misc checks\n###\n_satellite_check_php_compatibility\n_satellite_check_octopus_vs_barracuda_ver\n_satellite_if_head_github_connection_test\n_satellite_if_sql_exception_test\n_satellite_if_running_as_root_octopus\n_satellite_check_sanitize_user_name\n_satellite_if_localhost_mode_magic\n_satellite_check_sanitize_domain_name\n_satellite_detect_vm_family\n_check_git_repos\n\n\n###\n### Main procedures\n###\n_satellite_cnf\n_satellite_if_init_or_upgrade\n_satellite_if_major_upgrade\n_satellite_if_check_dns\n_satellite_checkpoint\n_satellite_pre_cleanup\n_satellite_make\n_satellite_post_cleanup\nexit 0\n\n\n###----------------------------------------###\n###\n### Octopus Ægir Installer\n### Copyright (C) 2009-2026 Omega8.cc\n### noc@omega8.cc www.omega8.cc\n###\n###----------------------------------------###\n"
},
{
"path": "README.md",
"content": "# Welcome to BOA!\n\nBOA stands for Barracuda, Octopus, and Ægir—a high-performance LEMP stack supporting Drupal from Pressflow 6 to the latest Drupal 11, as well as Backdrop CMS and Grav CMS (soon).\n\n## Strap in, your sites are getting an F1 engine\n\nWe’re rolling out a meaningful upgrade across BOA/Omega8.cc nodes: HTTP/3 and KTLS support. If you run Drupal sites that should feel fast and responsive (and stay that way during spikes), this is genuinely good news. Why this is a big deal? What visitors should notice? Why it matters for *your server* too [**Read the full story!**](https://github.com/omega8cc/boa/tree/5.x-dev/HTTP3.md)\n\n## 30 Years of Heritage\n\nWe are unique within the hosting industry for many important reasons. Our 15 years of Ægir-based hosting, plus earlier experience with Adgrafix (the first company to offer a control panel for website management in 1995), have helped shape what makes us different today. We take **Open Source seriously** — it’s not a buzzword for us. It’s about freedom from corporate control. Here's a short look back at our 15-year Ægir journey and 19 years with Drupal. [**Read the full story!**](https://github.com/omega8cc/boa/tree/5.x-dev/DIFFERENT30Y.md)\n\n## What is Ægir?\n\nÆgir, named after the Norse god of the sea, is an open-source hosting system for managing multiple Drupal sites. The name Ægir was chosen to reflect the relationship between Drupal's water drop logo, symbolizing individual sites, and Ægir's role as the god of the ocean, representing the hosting of many Drupal sites together. It automates tasks such as site installation, upgrades, and maintenance, making your life easier.\n\n**Announcement from Omega8.cc team**: [**The Future of Ægir 3 is Bryght!**](https://github.com/omega8cc/boa/tree/5.x-dev/ANNOUNCEMENT.md)\n\n### Key Features of Ægir:\n\n- **Site Management**: Manage multiple Drupal sites from a single interface.\n- **Automation**: Automate code deployment, database updates, and site backups.\n- **Scalability**: Easily scale your Drupal hosting infrastructure.\n- **Multitenancy**: Share a codebase across multiple sites with separate databases.\n- **Open-Source**: Customize and extend Ægir to fit your needs.\n- **Integration with Drush**: Use powerful command-line tools for site administration.\n\n\n\n## Why Barracuda?\n\nBarracuda is a specially tuned hosting environment for Ægir, designed to be lightning fast and agile, just like the barracuda fish known for its incredible speed and agility in the ocean.\n\n## Why Octopus?\n\nOctopus is a smart system designed to manage multiple Ægir instances within Barracuda. Just like the sea creature with eight limbs, Octopus allows you to create and manage many separate but connected Ægir instances, showcasing its intelligence and adaptability in efficiently handling complex hosting environments.\n\n## Dual License\n\n**BOA** remains a **Free/Libre Open Source Project**. While all of **BOA** code is **Free/Libre Open Source**, only the **BOA LTS** branch and **Ægir** are available without any cost or restrictions.\n\nCheck out the details in [**DUALLICENSE.md**](https://github.com/omega8cc/boa/tree/5.x-dev/DUALLICENSE.md).\n\n## BOA Priorities\n\n- **High Performance**: Ensure your sites run fast.\n- **Security**: Keep your sites and system secure.\n- **Automation**: Minimize daily maintenance with automated system and OS upgrades.\n\n## Multi-Ægir Hosting\n\nLeverage one Ægir Master Instance and multiple Satellite Instances. Use Satellite Instances to host your sites, as the Master holds the central Nginx configuration. Note: The 'Master' and 'Satellite' names in the Barracuda/Octopus context are not related to the multi-server Ægir features but to the multi-instance environment with virtual chroot/jail for each Ægir Satellite instance.\n\n## Installation Scripts\n\n- **BOA**: Runs Barracuda and Octopus to install complete BOA system.\n- **BARRACUDA**: Upgrades the system and the Ægir Master Instance.\n- **OCTOPUS**: Updates Ægir Instances + Drupal platforms.\n\n## Bug Reporting\n\nFollow the guidelines in [**docs/CONTRIBUTING.md**](https://github.com/omega8cc/boa/tree/5.x-dev/docs/CONTRIBUTING.md).\n\n## Requirements\n\n- Basic sysadmin skills and experience.\n- Willingness to accept BOA PI (paranoid idiosyncrasies).\n- Minimum 4 GB RAM and 2 CPUs (8 GB RAM and 4+ CPUs with Solr).\n- SSH (ed25519) keys for root are required by newer OpenSSH versions used in BOA.\n- Wget must be installed.\n- Open outgoing TCP ports: 25, 53, 80, 443.\n- Locales with UTF-8 support, otherwise en_US.UTF-8 (default) is forced.\n\n## Provided Services and Features\n\nCheck out the details in [**docs/PROVIDES.md**](https://github.com/omega8cc/boa/tree/5.x-dev/docs/PROVIDES.md).\n\n## Supported Virtualization Systems\n\n- Linux Containers (LXC)\n- Linux KVM guest\n- Microsoft Hyper-V\n- OpenVZ Containers\n- Parallels guest\n- Red Hat KVM guest\n- VirtualBox guest\n- VMware ESXi guest (but excluding vCloud Air)\n- VServer guest\n- Xen guest\n- Xen guest fully virtualized (HVM)\n- Xen paravirtualized guest domain\n\n## Supported Operating Systems\n\n\n\n### Devuan (recommended)\n\n- Excalibur (supported, but only with Percona 8.4)\n- Daedalus (default, with Percona 5.7, 8.0 or 8.4)\n- Chimaera (supported but upgrade recommended)\n- Beowulf (supported for upgrades)\n\n### Debian (for migration)\n\n- Trixie (supported only as a base for migration to Devuan)\n- Bookworm (supported only as a base for migration to Devuan)\n- Bullseye (supported only as a base for migration to Devuan)\n- Buster (supported only as a base for migration to Devuan)\n- Stretch (deprecated but still works, please upgrade to Chimaera)\n- Jessie (deprecated but still works, please upgrade to Chimaera)\n\n## Project Roadmap\n\nCheck out the details in [**ROADMAP.md**](https://github.com/omega8cc/boa/tree/5.x-dev/ROADMAP.md)\n\n## Documentation and Templates\n\n- Installation Instructions: [docs/INSTALL.md](https://github.com/omega8cc/boa/tree/5.x-dev/docs/INSTALL.md)\n- Upgrade Instructions: [docs/UPGRADE.md](https://github.com/omega8cc/boa/tree/5.x-dev/docs/UPGRADE.md)\n- Major-Upgrade Instructions: [docs/MAJORUPGRADE.md](https://github.com/omega8cc/boa/tree/5.x-dev/docs/MAJORUPGRADE.md)\n- Importance of Keeping SKYNET Enabled in BOA: [docs/SKYNET.md](https://github.com/omega8cc/boa/tree/5.x-dev/docs/SKYNET.md)\n- INI configuration per site: [docs/ini/site/INI.md](https://github.com/omega8cc/boa/tree/5.x-dev/docs/ini/site/INI.md)\n- INI configuration per platform: [docs/ini/platform/INI.md](https://github.com/omega8cc/boa/tree/5.x-dev/docs/ini/platform/INI.md)\n- Configuration Templates: [docs/cnf/barracuda.cnf](https://github.com/omega8cc/boa/tree/5.x-dev/docs/cnf/barracuda.cnf), [docs/cnf/octopus.cnf](https://github.com/omega8cc/boa/tree/5.x-dev/docs/cnf/octopus.cnf)\n- System Control Files Index: [docs/ctrl/system.ctrl](https://github.com/omega8cc/boa/tree/5.x-dev/docs/ctrl/system.ctrl)\n- How we build newer codebases for testing: [docs/BUILDTESTS.md](https://github.com/omega8cc/boa/tree/5.x-dev/docs/BUILDTESTS.md)\n\n## Documentation for BOA PRO\n\n- New Backups for BOA SysAdmin [docs/BACKUP_ROOT.md](https://github.com/omega8cc/boa/tree/5.x-dev/docs/BACKUP_ROOT.md)\n- New Backups for Octopus Lshell User [docs/BACKUP_USER.md](https://github.com/omega8cc/boa/tree/5.x-dev/docs/BACKUP_USER.md)\n- New Backups Retention Policy Configuration [docs/BACKUP_RETENTION.md](https://github.com/omega8cc/boa/tree/5.x-dev/docs/BACKUP_RETENTION.md)\n- Supported Regions and Bucket Creation Guidelines [docs/BACKUP_REGIONS.md](https://github.com/omega8cc/boa/tree/5.x-dev/docs/BACKUP_REGIONS.md)\n\n## Additional Documentation\n\n- Composer How-To: [docs/COMPOSER.md](https://github.com/omega8cc/boa/tree/5.x-dev/docs/COMPOSER.md)\n- Dev-Mode Notes: [docs/DEVELOPMENT.md](https://github.com/omega8cc/boa/tree/5.x-dev/docs/DEVELOPMENT.md)\n- Drupal Contrib Modules: [docs/MODULES.md](https://github.com/omega8cc/boa/tree/5.x-dev/docs/MODULES.md)\n- Extra Comments: [docs/CAVEATS.md](https://github.com/omega8cc/boa/tree/5.x-dev/docs/CAVEATS.md)\n- FAQ: [docs/FAQ.md](https://github.com/omega8cc/boa/tree/5.x-dev/docs/FAQ.md)\n- Fast DB Operations: [docs/MYQUICK.md](https://github.com/omega8cc/boa/tree/5.x-dev/docs/MYQUICK.md)\n- Fast Migrate/Clone: [docs/FASTTRACK.md](https://github.com/omega8cc/boa/tree/5.x-dev/docs/FASTTRACK.md)\n- Included Platforms: [docs/PLATFORMS.md](https://github.com/omega8cc/boa/tree/5.x-dev/docs/PLATFORMS.md)\n- Let’s Encrypt: [docs/SSL.md](https://github.com/omega8cc/boa/tree/5.x-dev/docs/SSL.md)\n- Live Disk Resize How-To: [docs/DISK_RESIZE.md](https://github.com/omega8cc/boa/tree/5.x-dev/docs/DISK_RESIZE.md)\n- Migration (Octopus Instance): [docs/MIGRATE.md](https://github.com/omega8cc/boa/tree/5.x-dev/docs/MIGRATE.md)\n- Migration (Single Site): [docs/REMOTE.md](https://github.com/omega8cc/boa/tree/5.x-dev/docs/REMOTE.md)\n- New Relic How-To: [docs/NEWRELIC.md](https://github.com/omega8cc/boa/tree/5.x-dev/docs/NEWRELIC.md)\n- Nginx Custom Rewrites: [docs/REWRITES.md](https://github.com/omega8cc/boa/tree/5.x-dev/docs/REWRITES.md)\n- PHP-CLI and Drush Configuration How-To: [docs/DRUSH-CLI.md](https://github.com/omega8cc/boa/tree/5.x-dev/docs/DRUSH-CLI.md)\n- PHP-FPM Configuration How-To: [docs/PHP-FPM.md](https://github.com/omega8cc/boa/tree/5.x-dev/docs/PHP-FPM.md)\n- Remote S3 Backups: [docs/BACKUPS.md](https://github.com/omega8cc/boa/tree/5.x-dev/docs/BACKUPS.md)\n- Ruby Gems and NPM: [docs/GEM.md](https://github.com/omega8cc/boa/tree/5.x-dev/docs/GEM.md)\n- Security Settings: [docs/SECURITY.md](https://github.com/omega8cc/boa/tree/5.x-dev/docs/SECURITY.md)\n- Self-Upgrade How-To: [docs/SELFUPGRADE.md](https://github.com/omega8cc/boa/tree/5.x-dev/docs/SELFUPGRADE.md)\n- SMTP SSL Error Debugging: [docs/SMTP_SSL_DEBUG.md](https://github.com/omega8cc/boa/tree/5.x-dev/docs/SMTP_SSL_DEBUG.md)\n- Solr and Jetty How-To: [docs/SOLR.md](https://github.com/omega8cc/boa/tree/5.x-dev/docs/SOLR.md)\n- SSH Encryption: [docs/BLOWFISH.md](https://github.com/omega8cc/boa/tree/5.x-dev/docs/BLOWFISH.md)\n- VServer Cluster: [docs/CLUSTER.md](https://github.com/omega8cc/boa/tree/5.x-dev/docs/CLUSTER.md) (deprecated)\n\n## Useful Links\n\n- BOA User Handbook (legacy): [**Learn BOA**](https://learn.omega8.cc/library/good-to-know)\n- Ægir Docs (legacy): [**Ægir Project**](https://docs.aegirproject.org)\n\n## Maintainers\n\nBOA is maintained by [**Omega8.cc**](https://omega8.cc/about).\n\n## Credits\n\nThanks to the Ægir Project founders and developers. [**Ægir Team**](https://docs.aegirproject.org/community/core-team/).\n\n## Support\n\nSupport BOA development by purchasing a commercial license or using Omega8.cc hosted services. Check out [**Omega8.cc**](https://omega8.cc/compare) for more info.\n\nThank you for supporting BOA!\n"
},
{
"path": "ROADMAP.md",
"content": "# BOA Roadmap & Progress\n\nDocumenting ongoing, upcoming and completed tasks. Some tasks are relatively simple, while others are major undertakings that take weeks or months. Therefore, we are working on many things simultaneously.\n\nThis document highlights the most complex or important tasks we are working on or planning to undertake. Routine tasks such as debugging, fixing issues, and implementing small improvements are usually documented in the commit history and changelog, which are updated with each new BOA release.\n\nSeveral of the upcoming and most impactful features are planned **exclusively for BOA PRO**, as outlined below.\n\nPlease also note that **as of December 31, 2025, the LTS branch will enter a full code-freeze**. No further feature development or regular releases are planned for 2026. A possible re-evaluation may occur in 2027, but this should not be assumed.\n\nAfter the freeze, **only critical functional fixes within BOA itself will be considered**. There will be **no updates** for underlying components such as PHP, Percona, Nginx, Valkey, OpenSSL, OpenSSH, or related system libraries.\n\nFor continued access to new features, ongoing improvements, and a future-proof stack, **BOA PRO is the recommended upgrade path**.\n\n## IN PROGRESS (PRO only)\n\n- **Import from Classic Ægir**: Extend xboa to import from remote classic Ægir servers using Nginx or Apache (PRO)\n- **Backdrop CMS Support**: Implement Backdrop CMS as a supported platform (PRO)\n- **Grav CMS Support**: Introduce support for Grav CMS (command line only) (PRO)\n- **Optional AppArmor Support**: Enhanced security and accounts privilege separation (PRO)\n- **Tar Pipelines on Clone**: Use Tar Pipelines to create separate symlinked copies during site clone tasks (PRO)\n- **Ægir Admin Interface**: Transition the Ægir admin interface to Backdrop CMS (PRO)\n- **BO4D**: Offer a *BOA For Docker* version tailored for local development (PRO)\n- **DDEV Integration**: Add support for BOA-compatible configurations within DDEV (PRO)\n- **Documentation Consolidation**: Convert legacy and built-in docs into a unified Grav CMS site. (PRO)\n\n## RELEASED IN BOA PRO only\n\n- **Amazon S3 Alternatives**: Integrate support for AWS S3 eight (8) alternatives in `multiback` and `mybackup` (PRO)\n\n## MAJOR NEW FEATURES RELEASED IN BOA LTS/PRO\n\n- **HTTP/3 on QUIC with KTLS Magic**: Strap in, your sites are getting an F1 engine (PRO/LTS)\n- **Drupal 11 with Ægir 3**: They Said It Couldn’t Be Done — We Did It Anyway (PRO/LTS)\n- **Debian Trixie and Devuan Excalibur**: Ensure compatibility for installation and automated upgrades (PRO/LTS)\n- **Debian Bookworm and Devuan Daedalus**: Ensure compatibility for installation and automated upgrades (PRO/LTS)\n- **Percona for MySQL 8.4**: Add support for Percona Server 8.4, the new Percona LTS (PRO/LTS)\n- **Original MySQL 8.4**: Add support for original MySQL Server 8.4 on Trixie/Excalibur (PRO/LTS)\n- **Percona for MySQL 8.0**: Add support for Percona Server 8.0, necessary for Drupal 11 (PRO/LTS)\n- **Super Fast System AutoInit**: Facilitate easy upgrades to the latest Devuan before BOA installation (PRO/LTS)\n- **Use OpenSSL 3 by default**: Maintain compatibility with OpenSSL 1.1.1 for legacy PHP versions (PRO/LTS)\n\n## OTHER NEW FEATURES RELEASED IN BOA LTS/PRO\n\n- **PHP 8.5 Support**: Enhancing performance and supporting twelve PHP versions (PRO/LTS)\n- **PHP 8.4 Support**: Enhancing performance and supporting eleven PHP versions (PRO/LTS)\n- **PHP 8.3 Support**: Required for Drupal 11, enhancing performance and supporting ten PHP versions (PRO/LTS)\n- **Add instant SQL fallback for Valkey/Redis**: zero downtime during upgrades/restarts/etc\n- **Symlink Site Files**: Automatically symlink all site files to expedite migration tasks and conserve disk space (PRO/LTS)\n- **Solr 9 Support**: Add latest Solr Server 9 as supported via BOA automation (PRO/LTS)\n- **Ruby Gems and Node/NPM Support 3x Faster**: From 15 to 5 minutes, with improved security (PRO/LTS)\n- **Ægir Task for SQL Backup**: Enable classic mysqldump backups for individual site downloads (PRO/LTS)\n- **Drush 12/13 in Ægir Tasks**: Dynamically Utilize Site-Local Drush for `updatedb` Operations on Drupal 10+ (PRO/LTS)\n- **Documentation Conversion to Markdown**: Update all BOA documentation from legacy TXT to Markdown.\n"
},
{
"path": "aegir/conf/apparmor/opt.php56.bin.php",
"content": "# AppArmor profile for PHP-CLI\n# This profile restricts PHP-CLI (php56) to essential operations only.\n\n#include \n\n/opt/php56/bin/php flags=(complain) {\n\n # Include common AppArmor abstractions\n include \n include \n include \n include \n include \n\n # Capabilities needed by PHP-CLI\n capability audit_write,\n capability chown,\n capability dac_override,\n capability dac_read_search,\n capability fowner,\n capability fsetid,\n capability mknod,\n capability setgid,\n capability setuid,\n capability sys_ptrace,\n capability sys_resource,\n\n # Allow PHP-CLI to execute its own binary\n /opt/php56/bin/php mrix,\n\n # Allow PHP-CLI to signal/ptrace other processes\n ptrace (read) peer=/opt/php*/bin/php,\n signal (send) peer=unconfined,\n signal (send) peer=/usr/sbin/nginx,\n ptrace (read) peer=/opt/php*/sbin/php-fpm,\n ptrace (read) peer=/usr/bin/mysqld_safe,\n ptrace (read) peer=/usr/bin/redis-server,\n ptrace (read) peer=/usr/local/sbin/pure-ftpd,\n ptrace (read) peer=/usr/sbin/nginx,\n ptrace (read) peer=/usr/sbin/rsyslogd,\n ptrace (read) peer=/usr/sbin/unbound,\n ptrace (read) peer=unconfined,\n\n # Allow PHP-CLI to read required configuration files\n /data/disk/*/.subversion/ r,\n /data/disk/*/.subversion/* r,\n /etc/default/nginx r,\n /etc/ImageMagick-6/log.xml r,\n /etc/ImageMagick-6/policy.xml r,\n /etc/ld.so.cache r,\n /etc/ldap/ldap.conf r,\n /etc/mailname r,\n /etc/mysql/conf.d/ r,\n /etc/mysql/conf.d/* r,\n /etc/mysql/my.cnf r,\n /etc/newrelic/upgrade_please.key r,\n /etc/nginx/conf.d/ r,\n /etc/nginx/conf.d/** r,\n /etc/nginx/fastcgi_params r,\n /etc/nginx/mime.types r,\n /etc/nginx/nginx.conf r,\n /etc/postfix/dynamicmaps.cf r,\n /etc/postfix/dynamicmaps.cf.d/ r,\n /etc/postfix/main.cf r,\n /etc/ssl/private/ r,\n /etc/ssl/private/* r,\n /etc/ssl/private/nginx-wild-ssl.crt r,\n /etc/ssl/private/nginx-wild-ssl.dhp r,\n /etc/ssl/private/nginx-wild-ssl.key r,\n /etc/subversion/ r,\n /etc/subversion/* r,\n /etc/wgetrc r,\n /home/*/.drush/ r,\n /home/*/.drush/** r,\n /usr/local/share/git-core/templates/ r,\n /usr/local/share/git-core/templates/* r,\n /usr/local/share/git-core/templates/** r,\n /usr/share/GeoIP/GeoIP.dat r,\n /usr/share/GeoIP/GeoIPv6.dat r,\n /usr/share/GeoIP/GeoLite2-ASN.mmdb r,\n /usr/share/GeoIP/GeoLite2-City.mmdb r,\n /usr/share/GeoIP/GeoLite2-Country.mmdb r,\n /opt/php56/** r,\n\n # Allow PHP-CLI to read required user/access files\n /etc/login.defs r,\n /etc/pam.d/* r,\n /etc/passwd r,\n /etc/security/capability.conf r,\n /etc/security/limits.conf r,\n /etc/security/limits.d/ r,\n /etc/security/limits.d/* r,\n /etc/shadow r,\n /etc/sudo.conf r,\n /etc/sudoers r,\n /etc/sudoers.d/ r,\n /etc/sudoers.d/* r,\n /run/sudo/ts/ r,\n /run/sudo/ts/* r,\n\n # Allow PHP-CLI to execute some other binaries\n /usr/bin/symlinks mrix,\n /bin/cat mrix,\n /bin/chmod mrix,\n /bin/chown mrix,\n /bin/cp mrix,\n /bin/dash mrix,\n /bin/date mrix,\n /bin/egrep mrix,\n /bin/grep mrix,\n /bin/kmod mrix,\n /bin/mkdir mrix,\n /bin/mv mrix,\n /bin/pidof mrix,\n /bin/rm mrix,\n /bin/run-parts mrix,\n /bin/sed mrix,\n /bin/stty mrix,\n /bin/tar mrix,\n /bin/touch mrix,\n /opt/local/bin/websh mrix,\n /data/disk/*/**/vendor/drush/drush/drush.php mrix,\n /etc/init.d/nginx mrix,\n /sbin/killall5 mrix,\n /sbin/unix_chkpwd mrix,\n /usr/bin/chromium mrix,\n /usr/bin/convert mrix,\n /usr/bin/find mrix,\n /usr/bin/id mrix,\n /usr/bin/magick mrix,\n /usr/bin/mysql mrix,\n /usr/bin/patch mrix,\n /usr/bin/sudo mrix,\n /usr/bin/svn mrix,\n /usr/bin/tput mrix,\n /usr/bin/tr mrix,\n /usr/bin/unzip mrix,\n /usr/bin/wget mrix,\n /usr/bin/which mrix,\n /usr/bin/which.debianutils mrix,\n /usr/local/bin/composer mrix,\n /usr/local/bin/curl mrix,\n /usr/local/bin/fix-drupal-platform-ownership.sh mrix,\n /usr/local/bin/fix-drupal-platform-permissions.sh mrix,\n /usr/local/bin/fix-drupal-site-ownership.sh mrix,\n /usr/local/bin/fix-drupal-site-permissions.sh mrix,\n /usr/local/bin/git mrix,\n /usr/local/bin/lock-local-drush-permissions.sh mrix,\n /usr/local/bin/mydumper mrix,\n /usr/local/bin/myloader mrix,\n /usr/local/bin/wkhtmltoimage mrix,\n /usr/local/bin/wkhtmltopdf mrix,\n /usr/local/libexec/git-core/* mrix,\n /usr/local/libexec/git-core/** mrix,\n /usr/sbin/nginx mrix,\n /usr/sbin/postdrop mrix,\n /usr/sbin/sendmail mrix,\n\n # Allow PHP-CLI to access some /dev\n /dev/null rw,\n /dev/random r,\n /dev/tty rw,\n /dev/urandom r,\n\n # Allow PHP-CLI to use tmp files\n /tmp/ r,\n /tmp/** rw,\n /var/spool/postfix/maildrop/ r,\n /var/spool/postfix/maildrop/* rw,\n /var/tmp/** rw,\n\n # Allow read access to necessary libraries\n /lib/** mr,\n /lib/x86_64-linux-gnu/** mr,\n /lib64/** mr,\n /opt/php*/lib/php/** mr,\n /usr/lib/** mr,\n /usr/lib/x86_64-linux-gnu/** mr,\n /usr/libexec/** mr,\n /usr/local/include/** mr,\n /usr/local/ioncube/ioncube_loader_lin_*.so mr,\n /usr/local/lib/** mr,\n /usr/local/ssl/** mr,\n /usr/local/ssl3/** mr,\n\n # Allow PHP-CLI to read and write its log files\n /var/log/php/** rw,\n /var/log/newrelic/php_agent.log rw,\n\n # Allow PHP-CLI to write to some other log/pid files\n /run/nginx.pid rw,\n /var/log/nginx/access.log rw,\n /var/log/nginx/error.log rw,\n\n # Allow PHP-CLI to access /proc and /sys for necessary information\n /proc/ r,\n /proc/** r,\n /sys/ r,\n /sys/** r,\n\n # Allow PHP-CLI to use /dev/shm for temporary storage\n /dev/shm/ r,\n /dev/shm/** rw,\n\n # Deny execution of binaries from these directories\n deny /home/*/.tmp/** m,\n deny /home/*/** m,\n deny /tmp/** m,\n deny /var/tmp/** m,\n\n # Allow PHP-CLI to access drush\n /data/disk/*/tools/drush/ r,\n /data/disk/*/tools/drush/* mrix,\n /data/disk/*/tools/drush/** r,\n /opt/tools/drush/** mrix,\n /usr/local/bin/cv.phar mrix,\n /var/aegir/drush/ r,\n /var/aegir/drush/* mrix,\n /var/aegir/drush/** r,\n\n # Allow PHP-CLI to access System Default Web Root\n\n /var/www/** r,\n owner /var/www/** rw,\n\n # Allow PHP-CLI to read/write in the Ægir Backend on Master Instance\n\n owner /var/aegir/.drush/ r,\n owner /var/aegir/.drush/* rw,\n owner /var/aegir/.drush/** rw,\n owner /var/aegir/.tmp/ r,\n owner /var/aegir/.tmp/* rw,\n owner /var/aegir/.tmp/** rw,\n owner /var/aegir/config/ r,\n owner /var/aegir/config/* rw,\n owner /var/aegir/config/** rw,\n owner /var/aegir/host_master-*/ r,\n owner /var/aegir/host_master-*/* rw,\n owner /var/aegir/host_master-*/** rw,\n owner /var/aegir/host_master/ r,\n owner /var/aegir/host_master/* rw,\n owner /var/aegir/host_master/** rw,\n owner /var/aegir/platforms/ r,\n owner /var/aegir/platforms/* rw,\n owner /var/aegir/platforms/** rw,\n\n # Allow PHP-CLI to read/write in the Ægir Backend on Octopus Instances\n\n /data/all/ r,\n /data/all/* r,\n /data/all/** r,\n\n /data/conf/ r,\n /data/conf/* r,\n /data/conf/** r,\n\n /data/disk/*/.bashrc r,\n\n owner /data/disk/*/.cache/**/pack-* l,\n owner /data/disk/*/static/**/pack-* l,\n\n owner /data/disk/*/log/ r,\n owner /data/disk/*/log/* rw,\n owner /data/disk/*/.*.pass.php r,\n owner /data/disk/*/.rnd rw,\n\n owner /data/disk/*/backups/ rwl,\n owner /data/disk/*/backups/* rwl,\n owner /data/disk/*/backups/** rwl,\n\n owner /data/disk/*/backup-exports/ rwl,\n owner /data/disk/*/backup-exports/* rwl,\n owner /data/disk/*/backup-exports/** rwl,\n\n owner /data/disk/*/.config/ rwl,\n owner /data/disk/*/.config/* rwl,\n owner /data/disk/*/.config/** rwl,\n\n owner /data/disk/*/.cache/ rwl,\n owner /data/disk/*/.cache/* rwl,\n owner /data/disk/*/.cache/** rwl,\n\n owner /data/disk/*/.drush/ rwl,\n owner /data/disk/*/.drush/* rwl,\n owner /data/disk/*/.drush/** rwl,\n\n owner /data/disk/*/.tmp/ rwl,\n owner /data/disk/*/.tmp/* rwl,\n owner /data/disk/*/.tmp/** rwl,\n\n owner /data/disk/*/clients/ rw,\n owner /data/disk/*/clients/* rw,\n owner /data/disk/*/clients/** rw,\n\n owner /data/disk/*/config/ rw,\n owner /data/disk/*/config/* rw,\n owner /data/disk/*/config/** rw,\n\n owner /data/disk/*/tools/le/ rw,\n owner /data/disk/*/tools/le/* rw,\n owner /data/disk/*/tools/le/** rw,\n\n # Allow PHP-CLI to read/write in the Ægir Frontend on Octopus Instances\n\n owner /data/disk/*/aegir/ rw,\n owner /data/disk/*/aegir/* rw,\n owner /data/disk/*/aegir/** rw,\n\n # Allow PHP-CLI to read/write in the limited shell user home for Drush support\n\n owner /home/*/.drush/sites/ rw,\n owner /home/*/.drush/sites/* rw,\n owner /home/*/.drush/sites/** rw,\n\n owner /home/*/.drush/cache/ rw,\n owner /home/*/.drush/cache/* rw,\n owner /home/*/.drush/cache/** rw,\n\n owner /home/*/.tmp/ rw,\n owner /home/*/.tmp/* rw,\n owner /home/*/.tmp/** rw,\n\n # Allow PHP-CLI to read/write in the custom web root directories\n\n /data/disk/*/static/ rw,\n /data/disk/*/static/* rw,\n /data/disk/*/static/** rw,\n\n /data/disk/*/distro/ rw,\n /data/disk/*/distro/* rw,\n /data/disk/*/distro/** rw,\n\n /data/disk/*/platforms/ rw,\n /data/disk/*/platforms/* rw,\n /data/disk/*/platforms/** rw,\n\n # Allow PHP-CLI to read and write in the root tmp\n\n owner /root/.tmp/ rw,\n owner /root/.tmp/* rw,\n owner /root/.tmp/** rw,\n\n # Deny access to various sensitive directories and files\n deny /boot/** mrwklx,\n\n # Catchall to deny everything else\n #deny /** rwklx,\n\n # Site-specific additions and overrides can be added below\n}\n"
},
{
"path": "aegir/conf/apparmor/opt.php56.sbin.php-fpm",
"content": "# AppArmor profile for PHP-FPM\n# This profile restricts the PHP-FPM (php56) to essential operations only.\n\n#include \n\n/opt/php56/sbin/php-fpm flags=(attach_disconnected) {\n\n # Include common AppArmor abstractions\n include \n include \n include \n include \n\n # Capabilities needed by PHP-FPM\n capability chown,\n capability dac_override,\n capability dac_read_search,\n capability fowner,\n capability kill,\n capability setgid,\n capability setuid,\n capability sys_resource,\n\n # Allow PHP-FPM to accept signal from PHP-CLI processes\n signal (receive) peer=/opt/php*/bin/php,\n\n network inet stream,\n network inet6 stream,\n\n # Allow PHP-FPM to execute its own binary\n /opt/php56/sbin/php-fpm mrix,\n\n # Allow PHP-FPM to read its configuration files\n /data/conf/ r,\n /data/conf/** r,\n /etc/ImageMagick-6/log.xml r,\n /etc/ImageMagick-6/policy.xml r,\n /etc/ld.so.cache r,\n /etc/mailname r,\n /etc/newrelic/upgrade_please.key r,\n /etc/postfix/dynamicmaps.cf r,\n /etc/postfix/dynamicmaps.cf.d/ r,\n /etc/postfix/dynamicmaps.cf.d/* r,\n /etc/postfix/main.cf r,\n /home/*/.drush/** r,\n /opt/etc/fpm/** r,\n /var/spool/postfix/maildrop/ r,\n /var/spool/postfix/maildrop/* rw,\n /opt/php56/** r,\n\n # Allow PHP-FPM to execute some other binaries\n /bin/dash mrix,\n /opt/local/bin/websh mrix,\n /usr/bin/advdef mrix,\n /usr/bin/advpng mrix,\n /usr/bin/chromium mrix,\n /usr/bin/convert mrix,\n /usr/bin/id mrix,\n /usr/bin/jpegoptim mrix,\n /usr/bin/jpegtran mrix,\n /usr/bin/magick mrix,\n /usr/bin/optipng mrix,\n /usr/bin/pngcrush mrix,\n /usr/bin/pngquant mrix,\n /usr/lib/postfix/sbin/smtpd mrix,\n /usr/local/bin/curl mrix,\n /usr/local/bin/wkhtmltoimage mrix,\n /usr/local/bin/wkhtmltopdf mrix,\n /usr/sbin/postdrop mrix,\n /usr/sbin/sendmail mrix,\n\n # Allow PHP-FPM to access some /dev\n /dev/null rw,\n /dev/random r,\n /dev/tty wr,\n /dev/urandom r,\n\n # Allow PHP-FPM to access its run directory\n /run/** rw,\n\n # Allow PHP-FPM to use tmp files\n /home/*/.tmp/ r,\n /home/*/.tmp/** rw,\n /tmp/ r,\n /tmp/** rw,\n /var/tmp/** rw,\n\n # Allow read access to necessary libraries\n /lib/** mr,\n /lib/x86_64-linux-gnu/** mr,\n /lib64/** mr,\n /opt/php*/lib/php/** mr,\n /usr/lib/** mr,\n /usr/lib/x86_64-linux-gnu/** mr,\n /usr/libexec/** mr,\n /usr/local/include/** mr,\n /usr/local/ioncube/ioncube_loader_lin_*.so mr,\n /usr/local/lib/** mr,\n /usr/local/ssl/** mr,\n /usr/local/ssl3/** mr,\n\n # Allow PHP-FPM to read and write its log files\n /var/log/newrelic/php_agent.log rw,\n /var/log/php/** rw,\n\n # Allow PHP-FPM to access /proc and /sys for necessary information\n /proc/** r,\n /sys/** r,\n\n # Allow PHP-FPM to use /dev/shm for temporary storage\n /dev/shm/ r,\n /dev/shm/** rw,\n\n # Deny execution of binaries from these directories\n deny /home/*/.tmp/** m,\n deny /home/*/** m,\n deny /tmp/** m,\n deny /var/tmp/** m,\n\n # Allow PHP-FPM to read and write in the custom web root directories\n\n /var/www/** r,\n\n /var/aegir/host_master/** r,\n /var/aegir/platforms/** r,\n\n /data/disk/*/aegir/** r,\n /data/disk/*/distro/** r,\n /data/disk/*/platforms/** r,\n /data/disk/*/static/** r,\n /data/disk/*/tools/le/** r,\n\n /data/all/ r,\n /data/all/* r,\n /data/all/** r,\n /data/conf/ r,\n /data/conf/* r,\n /data/conf/** r,\n\n owner /var/aegir/host_master/** rw,\n owner /var/aegir/platforms/** rw,\n\n owner /data/disk/*/aegir/** rw,\n owner /data/disk/*/distro/** rw,\n owner /data/disk/*/platforms/** rw,\n owner /data/disk/*/static/** rw,\n owner /var/www/** rw,\n\n /home/*.web/.aws/ r,\n /home/*.web/.aws/* rw,\n /home/*.web/.drush/ r,\n /home/*.web/.drush/* r,\n /home/*.web/.tmp/ r,\n /home/*.web/.tmp/* rw,\n\n # Deny access to various sensitive directories and files\n deny /boot/** mrwklx,\n deny /etc/shadow* rwlx,\n deny /root/** mrwklx,\n\n # Catchall to deny everything else\n #deny /** rwklx,\n\n # Site-specific additions and overrides can be added below\n}\n"
},
{
"path": "aegir/conf/apparmor/opt.php70.bin.php",
"content": "# AppArmor profile for PHP-CLI\n# This profile restricts PHP-CLI (php70) to essential operations only.\n\n#include \n\n/opt/php70/bin/php flags=(complain) {\n\n # Include common AppArmor abstractions\n include \n include \n include \n include \n include \n\n # Capabilities needed by PHP-CLI\n capability audit_write,\n capability chown,\n capability dac_override,\n capability dac_read_search,\n capability fowner,\n capability fsetid,\n capability mknod,\n capability setgid,\n capability setuid,\n capability sys_ptrace,\n capability sys_resource,\n\n # Allow PHP-CLI to execute its own binary\n /opt/php70/bin/php mrix,\n\n # Allow PHP-CLI to signal/ptrace other processes\n ptrace (read) peer=/opt/php*/bin/php,\n signal (send) peer=unconfined,\n signal (send) peer=/usr/sbin/nginx,\n ptrace (read) peer=/opt/php*/sbin/php-fpm,\n ptrace (read) peer=/usr/bin/mysqld_safe,\n ptrace (read) peer=/usr/bin/redis-server,\n ptrace (read) peer=/usr/local/sbin/pure-ftpd,\n ptrace (read) peer=/usr/sbin/nginx,\n ptrace (read) peer=/usr/sbin/rsyslogd,\n ptrace (read) peer=/usr/sbin/unbound,\n ptrace (read) peer=unconfined,\n\n # Allow PHP-CLI to read required configuration files\n /data/disk/*/.subversion/ r,\n /data/disk/*/.subversion/* r,\n /etc/default/nginx r,\n /etc/ImageMagick-6/log.xml r,\n /etc/ImageMagick-6/policy.xml r,\n /etc/ld.so.cache r,\n /etc/ldap/ldap.conf r,\n /etc/mailname r,\n /etc/mysql/conf.d/ r,\n /etc/mysql/conf.d/* r,\n /etc/mysql/my.cnf r,\n /etc/newrelic/upgrade_please.key r,\n /etc/nginx/conf.d/ r,\n /etc/nginx/conf.d/** r,\n /etc/nginx/fastcgi_params r,\n /etc/nginx/mime.types r,\n /etc/nginx/nginx.conf r,\n /etc/postfix/dynamicmaps.cf r,\n /etc/postfix/dynamicmaps.cf.d/ r,\n /etc/postfix/main.cf r,\n /etc/ssl/private/ r,\n /etc/ssl/private/* r,\n /etc/ssl/private/nginx-wild-ssl.crt r,\n /etc/ssl/private/nginx-wild-ssl.dhp r,\n /etc/ssl/private/nginx-wild-ssl.key r,\n /etc/subversion/ r,\n /etc/subversion/* r,\n /etc/wgetrc r,\n /home/*/.drush/ r,\n /home/*/.drush/** r,\n /usr/local/share/git-core/templates/ r,\n /usr/local/share/git-core/templates/* r,\n /usr/local/share/git-core/templates/** r,\n /usr/share/GeoIP/GeoIP.dat r,\n /usr/share/GeoIP/GeoIPv6.dat r,\n /usr/share/GeoIP/GeoLite2-ASN.mmdb r,\n /usr/share/GeoIP/GeoLite2-City.mmdb r,\n /usr/share/GeoIP/GeoLite2-Country.mmdb r,\n /opt/php70/** r,\n\n # Allow PHP-CLI to read required user/access files\n /etc/login.defs r,\n /etc/pam.d/* r,\n /etc/passwd r,\n /etc/security/capability.conf r,\n /etc/security/limits.conf r,\n /etc/security/limits.d/ r,\n /etc/security/limits.d/* r,\n /etc/shadow r,\n /etc/sudo.conf r,\n /etc/sudoers r,\n /etc/sudoers.d/ r,\n /etc/sudoers.d/* r,\n /run/sudo/ts/ r,\n /run/sudo/ts/* r,\n\n # Allow PHP-CLI to execute some other binaries\n /usr/bin/symlinks mrix,\n /bin/cat mrix,\n /bin/chmod mrix,\n /bin/chown mrix,\n /bin/cp mrix,\n /bin/dash mrix,\n /bin/date mrix,\n /bin/egrep mrix,\n /bin/grep mrix,\n /bin/kmod mrix,\n /bin/mkdir mrix,\n /bin/mv mrix,\n /bin/pidof mrix,\n /bin/rm mrix,\n /bin/run-parts mrix,\n /bin/sed mrix,\n /bin/stty mrix,\n /bin/tar mrix,\n /bin/touch mrix,\n /opt/local/bin/websh mrix,\n /data/disk/*/**/vendor/drush/drush/drush.php mrix,\n /etc/init.d/nginx mrix,\n /sbin/killall5 mrix,\n /sbin/unix_chkpwd mrix,\n /usr/bin/chromium mrix,\n /usr/bin/convert mrix,\n /usr/bin/find mrix,\n /usr/bin/id mrix,\n /usr/bin/magick mrix,\n /usr/bin/mysql mrix,\n /usr/bin/patch mrix,\n /usr/bin/sudo mrix,\n /usr/bin/svn mrix,\n /usr/bin/tput mrix,\n /usr/bin/tr mrix,\n /usr/bin/unzip mrix,\n /usr/bin/wget mrix,\n /usr/bin/which mrix,\n /usr/bin/which.debianutils mrix,\n /usr/local/bin/composer mrix,\n /usr/local/bin/curl mrix,\n /usr/local/bin/fix-drupal-platform-ownership.sh mrix,\n /usr/local/bin/fix-drupal-platform-permissions.sh mrix,\n /usr/local/bin/fix-drupal-site-ownership.sh mrix,\n /usr/local/bin/fix-drupal-site-permissions.sh mrix,\n /usr/local/bin/git mrix,\n /usr/local/bin/lock-local-drush-permissions.sh mrix,\n /usr/local/bin/mydumper mrix,\n /usr/local/bin/myloader mrix,\n /usr/local/bin/wkhtmltoimage mrix,\n /usr/local/bin/wkhtmltopdf mrix,\n /usr/local/libexec/git-core/* mrix,\n /usr/local/libexec/git-core/** mrix,\n /usr/sbin/nginx mrix,\n /usr/sbin/postdrop mrix,\n /usr/sbin/sendmail mrix,\n\n # Allow PHP-CLI to access some /dev\n /dev/null rw,\n /dev/random r,\n /dev/tty rw,\n /dev/urandom r,\n\n # Allow PHP-CLI to use tmp files\n /tmp/ r,\n /tmp/** rw,\n /var/spool/postfix/maildrop/ r,\n /var/spool/postfix/maildrop/* rw,\n /var/tmp/** rw,\n\n # Allow read access to necessary libraries\n /lib/** mr,\n /lib/x86_64-linux-gnu/** mr,\n /lib64/** mr,\n /opt/php*/lib/php/** mr,\n /usr/lib/** mr,\n /usr/lib/x86_64-linux-gnu/** mr,\n /usr/libexec/** mr,\n /usr/local/include/** mr,\n /usr/local/ioncube/ioncube_loader_lin_*.so mr,\n /usr/local/lib/** mr,\n /usr/local/ssl/** mr,\n /usr/local/ssl3/** mr,\n\n # Allow PHP-CLI to read and write its log files\n /var/log/php/** rw,\n /var/log/newrelic/php_agent.log rw,\n\n # Allow PHP-CLI to write to some other log/pid files\n /run/nginx.pid rw,\n /var/log/nginx/access.log rw,\n /var/log/nginx/error.log rw,\n\n # Allow PHP-CLI to access /proc and /sys for necessary information\n /proc/ r,\n /proc/** r,\n /sys/ r,\n /sys/** r,\n\n # Allow PHP-CLI to use /dev/shm for temporary storage\n /dev/shm/ r,\n /dev/shm/** rw,\n\n # Deny execution of binaries from these directories\n deny /home/*/.tmp/** m,\n deny /home/*/** m,\n deny /tmp/** m,\n deny /var/tmp/** m,\n\n # Allow PHP-CLI to access drush\n /data/disk/*/tools/drush/ r,\n /data/disk/*/tools/drush/* mrix,\n /data/disk/*/tools/drush/** r,\n /opt/tools/drush/** mrix,\n /usr/local/bin/cv.phar mrix,\n /var/aegir/drush/ r,\n /var/aegir/drush/* mrix,\n /var/aegir/drush/** r,\n\n # Allow PHP-CLI to access System Default Web Root\n\n /var/www/** r,\n owner /var/www/** rw,\n\n # Allow PHP-CLI to read/write in the Ægir Backend on Master Instance\n\n owner /var/aegir/.drush/ r,\n owner /var/aegir/.drush/* rw,\n owner /var/aegir/.drush/** rw,\n owner /var/aegir/.tmp/ r,\n owner /var/aegir/.tmp/* rw,\n owner /var/aegir/.tmp/** rw,\n owner /var/aegir/config/ r,\n owner /var/aegir/config/* rw,\n owner /var/aegir/config/** rw,\n owner /var/aegir/host_master-*/ r,\n owner /var/aegir/host_master-*/* rw,\n owner /var/aegir/host_master-*/** rw,\n owner /var/aegir/host_master/ r,\n owner /var/aegir/host_master/* rw,\n owner /var/aegir/host_master/** rw,\n owner /var/aegir/platforms/ r,\n owner /var/aegir/platforms/* rw,\n owner /var/aegir/platforms/** rw,\n\n # Allow PHP-CLI to read/write in the Ægir Backend on Octopus Instances\n\n /data/all/ r,\n /data/all/* r,\n /data/all/** r,\n\n /data/conf/ r,\n /data/conf/* r,\n /data/conf/** r,\n\n /data/disk/*/.bashrc r,\n\n owner /data/disk/*/.cache/**/pack-* l,\n owner /data/disk/*/static/**/pack-* l,\n\n owner /data/disk/*/log/ r,\n owner /data/disk/*/log/* rw,\n owner /data/disk/*/.*.pass.php r,\n owner /data/disk/*/.rnd rw,\n\n owner /data/disk/*/backups/ rwl,\n owner /data/disk/*/backups/* rwl,\n owner /data/disk/*/backups/** rwl,\n\n owner /data/disk/*/backup-exports/ rwl,\n owner /data/disk/*/backup-exports/* rwl,\n owner /data/disk/*/backup-exports/** rwl,\n\n owner /data/disk/*/.config/ rwl,\n owner /data/disk/*/.config/* rwl,\n owner /data/disk/*/.config/** rwl,\n\n owner /data/disk/*/.cache/ rwl,\n owner /data/disk/*/.cache/* rwl,\n owner /data/disk/*/.cache/** rwl,\n\n owner /data/disk/*/.drush/ rwl,\n owner /data/disk/*/.drush/* rwl,\n owner /data/disk/*/.drush/** rwl,\n\n owner /data/disk/*/.tmp/ rwl,\n owner /data/disk/*/.tmp/* rwl,\n owner /data/disk/*/.tmp/** rwl,\n\n owner /data/disk/*/clients/ rw,\n owner /data/disk/*/clients/* rw,\n owner /data/disk/*/clients/** rw,\n\n owner /data/disk/*/config/ rw,\n owner /data/disk/*/config/* rw,\n owner /data/disk/*/config/** rw,\n\n owner /data/disk/*/tools/le/ rw,\n owner /data/disk/*/tools/le/* rw,\n owner /data/disk/*/tools/le/** rw,\n\n # Allow PHP-CLI to read/write in the Ægir Frontend on Octopus Instances\n\n owner /data/disk/*/aegir/ rw,\n owner /data/disk/*/aegir/* rw,\n owner /data/disk/*/aegir/** rw,\n\n # Allow PHP-CLI to read/write in the limited shell user home for Drush support\n\n owner /home/*/.drush/sites/ rw,\n owner /home/*/.drush/sites/* rw,\n owner /home/*/.drush/sites/** rw,\n\n owner /home/*/.drush/cache/ rw,\n owner /home/*/.drush/cache/* rw,\n owner /home/*/.drush/cache/** rw,\n\n owner /home/*/.tmp/ rw,\n owner /home/*/.tmp/* rw,\n owner /home/*/.tmp/** rw,\n\n # Allow PHP-CLI to read/write in the custom web root directories\n\n /data/disk/*/static/ rw,\n /data/disk/*/static/* rw,\n /data/disk/*/static/** rw,\n\n /data/disk/*/distro/ rw,\n /data/disk/*/distro/* rw,\n /data/disk/*/distro/** rw,\n\n /data/disk/*/platforms/ rw,\n /data/disk/*/platforms/* rw,\n /data/disk/*/platforms/** rw,\n\n # Allow PHP-CLI to read and write in the root tmp\n\n owner /root/.tmp/ rw,\n owner /root/.tmp/* rw,\n owner /root/.tmp/** rw,\n\n # Deny access to various sensitive directories and files\n deny /boot/** mrwklx,\n\n # Catchall to deny everything else\n #deny /** rwklx,\n\n # Site-specific additions and overrides can be added below\n}\n"
},
{
"path": "aegir/conf/apparmor/opt.php70.sbin.php-fpm",
"content": "# AppArmor profile for PHP-FPM\n# This profile restricts the PHP-FPM (php70) to essential operations only.\n\n#include \n\n/opt/php70/sbin/php-fpm flags=(attach_disconnected) {\n\n # Include common AppArmor abstractions\n include \n include \n include \n include \n\n # Capabilities needed by PHP-FPM\n capability chown,\n capability dac_override,\n capability dac_read_search,\n capability fowner,\n capability kill,\n capability setgid,\n capability setuid,\n capability sys_resource,\n\n # Allow PHP-FPM to accept signal from PHP-CLI processes\n signal (receive) peer=/opt/php*/bin/php,\n\n network inet stream,\n network inet6 stream,\n\n # Allow PHP-FPM to execute its own binary\n /opt/php70/sbin/php-fpm mrix,\n\n # Allow PHP-FPM to read its configuration files\n /data/conf/ r,\n /data/conf/** r,\n /etc/ImageMagick-6/log.xml r,\n /etc/ImageMagick-6/policy.xml r,\n /etc/ld.so.cache r,\n /etc/mailname r,\n /etc/newrelic/upgrade_please.key r,\n /etc/postfix/dynamicmaps.cf r,\n /etc/postfix/dynamicmaps.cf.d/ r,\n /etc/postfix/dynamicmaps.cf.d/* r,\n /etc/postfix/main.cf r,\n /home/*/.drush/** r,\n /opt/etc/fpm/** r,\n /var/spool/postfix/maildrop/ r,\n /var/spool/postfix/maildrop/* rw,\n /opt/php70/** r,\n\n # Allow PHP-FPM to execute some other binaries\n /bin/dash mrix,\n /opt/local/bin/websh mrix,\n /usr/bin/advdef mrix,\n /usr/bin/advpng mrix,\n /usr/bin/chromium mrix,\n /usr/bin/convert mrix,\n /usr/bin/id mrix,\n /usr/bin/jpegoptim mrix,\n /usr/bin/jpegtran mrix,\n /usr/bin/magick mrix,\n /usr/bin/optipng mrix,\n /usr/bin/pngcrush mrix,\n /usr/bin/pngquant mrix,\n /usr/lib/postfix/sbin/smtpd mrix,\n /usr/local/bin/curl mrix,\n /usr/local/bin/wkhtmltoimage mrix,\n /usr/local/bin/wkhtmltopdf mrix,\n /usr/sbin/postdrop mrix,\n /usr/sbin/sendmail mrix,\n\n # Allow PHP-FPM to access some /dev\n /dev/null rw,\n /dev/random r,\n /dev/tty wr,\n /dev/urandom r,\n\n # Allow PHP-FPM to access its run directory\n /run/** rw,\n\n # Allow PHP-FPM to use tmp files\n /home/*/.tmp/ r,\n /home/*/.tmp/** rw,\n /tmp/ r,\n /tmp/** rw,\n /var/tmp/** rw,\n\n # Allow read access to necessary libraries\n /lib/** mr,\n /lib/x86_64-linux-gnu/** mr,\n /lib64/** mr,\n /opt/php*/lib/php/** mr,\n /usr/lib/** mr,\n /usr/lib/x86_64-linux-gnu/** mr,\n /usr/libexec/** mr,\n /usr/local/include/** mr,\n /usr/local/ioncube/ioncube_loader_lin_*.so mr,\n /usr/local/lib/** mr,\n /usr/local/ssl/** mr,\n /usr/local/ssl3/** mr,\n\n # Allow PHP-FPM to read and write its log files\n /var/log/newrelic/php_agent.log rw,\n /var/log/php/** rw,\n\n # Allow PHP-FPM to access /proc and /sys for necessary information\n /proc/** r,\n /sys/** r,\n\n # Allow PHP-FPM to use /dev/shm for temporary storage\n /dev/shm/ r,\n /dev/shm/** rw,\n\n # Deny execution of binaries from these directories\n deny /home/*/.tmp/** m,\n deny /home/*/** m,\n deny /tmp/** m,\n deny /var/tmp/** m,\n\n # Allow PHP-FPM to read and write in the custom web root directories\n\n /var/www/** r,\n\n /var/aegir/host_master/** r,\n /var/aegir/platforms/** r,\n\n /data/disk/*/aegir/** r,\n /data/disk/*/distro/** r,\n /data/disk/*/platforms/** r,\n /data/disk/*/static/** r,\n /data/disk/*/tools/le/** r,\n\n /data/all/ r,\n /data/all/* r,\n /data/all/** r,\n /data/conf/ r,\n /data/conf/* r,\n /data/conf/** r,\n\n owner /var/aegir/host_master/** rw,\n owner /var/aegir/platforms/** rw,\n\n owner /data/disk/*/aegir/** rw,\n owner /data/disk/*/distro/** rw,\n owner /data/disk/*/platforms/** rw,\n owner /data/disk/*/static/** rw,\n owner /var/www/** rw,\n\n /home/*.web/.aws/ r,\n /home/*.web/.aws/* rw,\n /home/*.web/.drush/ r,\n /home/*.web/.drush/* r,\n /home/*.web/.tmp/ r,\n /home/*.web/.tmp/* rw,\n\n # Deny access to various sensitive directories and files\n deny /boot/** mrwklx,\n deny /etc/shadow* rwlx,\n deny /root/** mrwklx,\n\n # Catchall to deny everything else\n #deny /** rwklx,\n\n # Site-specific additions and overrides can be added below\n}\n"
},
{
"path": "aegir/conf/apparmor/opt.php71.bin.php",
"content": "# AppArmor profile for PHP-CLI\n# This profile restricts PHP-CLI (php71) to essential operations only.\n\n#include \n\n/opt/php71/bin/php flags=(complain) {\n\n # Include common AppArmor abstractions\n include \n include \n include \n include \n include \n\n # Capabilities needed by PHP-CLI\n capability audit_write,\n capability chown,\n capability dac_override,\n capability dac_read_search,\n capability fowner,\n capability fsetid,\n capability mknod,\n capability setgid,\n capability setuid,\n capability sys_ptrace,\n capability sys_resource,\n\n # Allow PHP-CLI to execute its own binary\n /opt/php71/bin/php mrix,\n\n # Allow PHP-CLI to signal/ptrace other processes\n ptrace (read) peer=/opt/php*/bin/php,\n signal (send) peer=unconfined,\n signal (send) peer=/usr/sbin/nginx,\n ptrace (read) peer=/opt/php*/sbin/php-fpm,\n ptrace (read) peer=/usr/bin/mysqld_safe,\n ptrace (read) peer=/usr/bin/redis-server,\n ptrace (read) peer=/usr/local/sbin/pure-ftpd,\n ptrace (read) peer=/usr/sbin/nginx,\n ptrace (read) peer=/usr/sbin/rsyslogd,\n ptrace (read) peer=/usr/sbin/unbound,\n ptrace (read) peer=unconfined,\n\n # Allow PHP-CLI to read required configuration files\n /data/disk/*/.subversion/ r,\n /data/disk/*/.subversion/* r,\n /etc/default/nginx r,\n /etc/ImageMagick-6/log.xml r,\n /etc/ImageMagick-6/policy.xml r,\n /etc/ld.so.cache r,\n /etc/ldap/ldap.conf r,\n /etc/mailname r,\n /etc/mysql/conf.d/ r,\n /etc/mysql/conf.d/* r,\n /etc/mysql/my.cnf r,\n /etc/newrelic/upgrade_please.key r,\n /etc/nginx/conf.d/ r,\n /etc/nginx/conf.d/** r,\n /etc/nginx/fastcgi_params r,\n /etc/nginx/mime.types r,\n /etc/nginx/nginx.conf r,\n /etc/postfix/dynamicmaps.cf r,\n /etc/postfix/dynamicmaps.cf.d/ r,\n /etc/postfix/main.cf r,\n /etc/ssl/private/ r,\n /etc/ssl/private/* r,\n /etc/ssl/private/nginx-wild-ssl.crt r,\n /etc/ssl/private/nginx-wild-ssl.dhp r,\n /etc/ssl/private/nginx-wild-ssl.key r,\n /etc/subversion/ r,\n /etc/subversion/* r,\n /etc/wgetrc r,\n /home/*/.drush/ r,\n /home/*/.drush/** r,\n /usr/local/share/git-core/templates/ r,\n /usr/local/share/git-core/templates/* r,\n /usr/local/share/git-core/templates/** r,\n /usr/share/GeoIP/GeoIP.dat r,\n /usr/share/GeoIP/GeoIPv6.dat r,\n /usr/share/GeoIP/GeoLite2-ASN.mmdb r,\n /usr/share/GeoIP/GeoLite2-City.mmdb r,\n /usr/share/GeoIP/GeoLite2-Country.mmdb r,\n /opt/php71/** r,\n\n # Allow PHP-CLI to read required user/access files\n /etc/login.defs r,\n /etc/pam.d/* r,\n /etc/passwd r,\n /etc/security/capability.conf r,\n /etc/security/limits.conf r,\n /etc/security/limits.d/ r,\n /etc/security/limits.d/* r,\n /etc/shadow r,\n /etc/sudo.conf r,\n /etc/sudoers r,\n /etc/sudoers.d/ r,\n /etc/sudoers.d/* r,\n /run/sudo/ts/ r,\n /run/sudo/ts/* r,\n\n # Allow PHP-CLI to execute some other binaries\n /usr/bin/symlinks mrix,\n /bin/cat mrix,\n /bin/chmod mrix,\n /bin/chown mrix,\n /bin/cp mrix,\n /bin/dash mrix,\n /bin/date mrix,\n /bin/egrep mrix,\n /bin/grep mrix,\n /bin/kmod mrix,\n /bin/mkdir mrix,\n /bin/mv mrix,\n /bin/pidof mrix,\n /bin/rm mrix,\n /bin/run-parts mrix,\n /bin/sed mrix,\n /bin/stty mrix,\n /bin/tar mrix,\n /bin/touch mrix,\n /opt/local/bin/websh mrix,\n /data/disk/*/**/vendor/drush/drush/drush.php mrix,\n /etc/init.d/nginx mrix,\n /sbin/killall5 mrix,\n /sbin/unix_chkpwd mrix,\n /usr/bin/chromium mrix,\n /usr/bin/convert mrix,\n /usr/bin/find mrix,\n /usr/bin/id mrix,\n /usr/bin/magick mrix,\n /usr/bin/mysql mrix,\n /usr/bin/patch mrix,\n /usr/bin/sudo mrix,\n /usr/bin/svn mrix,\n /usr/bin/tput mrix,\n /usr/bin/tr mrix,\n /usr/bin/unzip mrix,\n /usr/bin/wget mrix,\n /usr/bin/which mrix,\n /usr/bin/which.debianutils mrix,\n /usr/local/bin/composer mrix,\n /usr/local/bin/curl mrix,\n /usr/local/bin/fix-drupal-platform-ownership.sh mrix,\n /usr/local/bin/fix-drupal-platform-permissions.sh mrix,\n /usr/local/bin/fix-drupal-site-ownership.sh mrix,\n /usr/local/bin/fix-drupal-site-permissions.sh mrix,\n /usr/local/bin/git mrix,\n /usr/local/bin/lock-local-drush-permissions.sh mrix,\n /usr/local/bin/mydumper mrix,\n /usr/local/bin/myloader mrix,\n /usr/local/bin/wkhtmltoimage mrix,\n /usr/local/bin/wkhtmltopdf mrix,\n /usr/local/libexec/git-core/* mrix,\n /usr/local/libexec/git-core/** mrix,\n /usr/sbin/nginx mrix,\n /usr/sbin/postdrop mrix,\n /usr/sbin/sendmail mrix,\n\n # Allow PHP-CLI to access some /dev\n /dev/null rw,\n /dev/random r,\n /dev/tty rw,\n /dev/urandom r,\n\n # Allow PHP-CLI to use tmp files\n /tmp/ r,\n /tmp/** rw,\n /var/spool/postfix/maildrop/ r,\n /var/spool/postfix/maildrop/* rw,\n /var/tmp/** rw,\n\n # Allow read access to necessary libraries\n /lib/** mr,\n /lib/x86_64-linux-gnu/** mr,\n /lib64/** mr,\n /opt/php*/lib/php/** mr,\n /usr/lib/** mr,\n /usr/lib/x86_64-linux-gnu/** mr,\n /usr/libexec/** mr,\n /usr/local/include/** mr,\n /usr/local/ioncube/ioncube_loader_lin_*.so mr,\n /usr/local/lib/** mr,\n /usr/local/ssl/** mr,\n /usr/local/ssl3/** mr,\n\n # Allow PHP-CLI to read and write its log files\n /var/log/php/** rw,\n /var/log/newrelic/php_agent.log rw,\n\n # Allow PHP-CLI to write to some other log/pid files\n /run/nginx.pid rw,\n /var/log/nginx/access.log rw,\n /var/log/nginx/error.log rw,\n\n # Allow PHP-CLI to access /proc and /sys for necessary information\n /proc/ r,\n /proc/** r,\n /sys/ r,\n /sys/** r,\n\n # Allow PHP-CLI to use /dev/shm for temporary storage\n /dev/shm/ r,\n /dev/shm/** rw,\n\n # Deny execution of binaries from these directories\n deny /home/*/.tmp/** m,\n deny /home/*/** m,\n deny /tmp/** m,\n deny /var/tmp/** m,\n\n # Allow PHP-CLI to access drush\n /data/disk/*/tools/drush/ r,\n /data/disk/*/tools/drush/* mrix,\n /data/disk/*/tools/drush/** r,\n /opt/tools/drush/** mrix,\n /usr/local/bin/cv.phar mrix,\n /var/aegir/drush/ r,\n /var/aegir/drush/* mrix,\n /var/aegir/drush/** r,\n\n # Allow PHP-CLI to access System Default Web Root\n\n /var/www/** r,\n owner /var/www/** rw,\n\n # Allow PHP-CLI to read/write in the Ægir Backend on Master Instance\n\n owner /var/aegir/.drush/ r,\n owner /var/aegir/.drush/* rw,\n owner /var/aegir/.drush/** rw,\n owner /var/aegir/.tmp/ r,\n owner /var/aegir/.tmp/* rw,\n owner /var/aegir/.tmp/** rw,\n owner /var/aegir/config/ r,\n owner /var/aegir/config/* rw,\n owner /var/aegir/config/** rw,\n owner /var/aegir/host_master-*/ r,\n owner /var/aegir/host_master-*/* rw,\n owner /var/aegir/host_master-*/** rw,\n owner /var/aegir/host_master/ r,\n owner /var/aegir/host_master/* rw,\n owner /var/aegir/host_master/** rw,\n owner /var/aegir/platforms/ r,\n owner /var/aegir/platforms/* rw,\n owner /var/aegir/platforms/** rw,\n\n # Allow PHP-CLI to read/write in the Ægir Backend on Octopus Instances\n\n /data/all/ r,\n /data/all/* r,\n /data/all/** r,\n\n /data/conf/ r,\n /data/conf/* r,\n /data/conf/** r,\n\n /data/disk/*/.bashrc r,\n\n owner /data/disk/*/.cache/**/pack-* l,\n owner /data/disk/*/static/**/pack-* l,\n\n owner /data/disk/*/log/ r,\n owner /data/disk/*/log/* rw,\n owner /data/disk/*/.*.pass.php r,\n owner /data/disk/*/.rnd rw,\n\n owner /data/disk/*/backups/ rwl,\n owner /data/disk/*/backups/* rwl,\n owner /data/disk/*/backups/** rwl,\n\n owner /data/disk/*/backup-exports/ rwl,\n owner /data/disk/*/backup-exports/* rwl,\n owner /data/disk/*/backup-exports/** rwl,\n\n owner /data/disk/*/.config/ rwl,\n owner /data/disk/*/.config/* rwl,\n owner /data/disk/*/.config/** rwl,\n\n owner /data/disk/*/.cache/ rwl,\n owner /data/disk/*/.cache/* rwl,\n owner /data/disk/*/.cache/** rwl,\n\n owner /data/disk/*/.drush/ rwl,\n owner /data/disk/*/.drush/* rwl,\n owner /data/disk/*/.drush/** rwl,\n\n owner /data/disk/*/.tmp/ rwl,\n owner /data/disk/*/.tmp/* rwl,\n owner /data/disk/*/.tmp/** rwl,\n\n owner /data/disk/*/clients/ rw,\n owner /data/disk/*/clients/* rw,\n owner /data/disk/*/clients/** rw,\n\n owner /data/disk/*/config/ rw,\n owner /data/disk/*/config/* rw,\n owner /data/disk/*/config/** rw,\n\n owner /data/disk/*/tools/le/ rw,\n owner /data/disk/*/tools/le/* rw,\n owner /data/disk/*/tools/le/** rw,\n\n # Allow PHP-CLI to read/write in the Ægir Frontend on Octopus Instances\n\n owner /data/disk/*/aegir/ rw,\n owner /data/disk/*/aegir/* rw,\n owner /data/disk/*/aegir/** rw,\n\n # Allow PHP-CLI to read/write in the limited shell user home for Drush support\n\n owner /home/*/.drush/sites/ rw,\n owner /home/*/.drush/sites/* rw,\n owner /home/*/.drush/sites/** rw,\n\n owner /home/*/.drush/cache/ rw,\n owner /home/*/.drush/cache/* rw,\n owner /home/*/.drush/cache/** rw,\n\n owner /home/*/.tmp/ rw,\n owner /home/*/.tmp/* rw,\n owner /home/*/.tmp/** rw,\n\n # Allow PHP-CLI to read/write in the custom web root directories\n\n /data/disk/*/static/ rw,\n /data/disk/*/static/* rw,\n /data/disk/*/static/** rw,\n\n /data/disk/*/distro/ rw,\n /data/disk/*/distro/* rw,\n /data/disk/*/distro/** rw,\n\n /data/disk/*/platforms/ rw,\n /data/disk/*/platforms/* rw,\n /data/disk/*/platforms/** rw,\n\n # Allow PHP-CLI to read and write in the root tmp\n\n owner /root/.tmp/ rw,\n owner /root/.tmp/* rw,\n owner /root/.tmp/** rw,\n\n # Deny access to various sensitive directories and files\n deny /boot/** mrwklx,\n\n # Catchall to deny everything else\n #deny /** rwklx,\n\n # Site-specific additions and overrides can be added below\n}\n"
},
{
"path": "aegir/conf/apparmor/opt.php71.sbin.php-fpm",
"content": "# AppArmor profile for PHP-FPM\n# This profile restricts the PHP-FPM (php71) to essential operations only.\n\n#include \n\n/opt/php71/sbin/php-fpm flags=(attach_disconnected) {\n\n # Include common AppArmor abstractions\n include \n include \n include \n include \n\n # Capabilities needed by PHP-FPM\n capability chown,\n capability dac_override,\n capability dac_read_search,\n capability fowner,\n capability kill,\n capability setgid,\n capability setuid,\n capability sys_resource,\n\n # Allow PHP-FPM to accept signal from PHP-CLI processes\n signal (receive) peer=/opt/php*/bin/php,\n\n network inet stream,\n network inet6 stream,\n\n # Allow PHP-FPM to execute its own binary\n /opt/php71/sbin/php-fpm mrix,\n\n # Allow PHP-FPM to read its configuration files\n /data/conf/ r,\n /data/conf/** r,\n /etc/ImageMagick-6/log.xml r,\n /etc/ImageMagick-6/policy.xml r,\n /etc/ld.so.cache r,\n /etc/mailname r,\n /etc/newrelic/upgrade_please.key r,\n /etc/postfix/dynamicmaps.cf r,\n /etc/postfix/dynamicmaps.cf.d/ r,\n /etc/postfix/dynamicmaps.cf.d/* r,\n /etc/postfix/main.cf r,\n /home/*/.drush/** r,\n /opt/etc/fpm/** r,\n /var/spool/postfix/maildrop/ r,\n /var/spool/postfix/maildrop/* rw,\n /opt/php71/** r,\n\n # Allow PHP-FPM to execute some other binaries\n /bin/dash mrix,\n /opt/local/bin/websh mrix,\n /usr/bin/advdef mrix,\n /usr/bin/advpng mrix,\n /usr/bin/chromium mrix,\n /usr/bin/convert mrix,\n /usr/bin/id mrix,\n /usr/bin/jpegoptim mrix,\n /usr/bin/jpegtran mrix,\n /usr/bin/magick mrix,\n /usr/bin/optipng mrix,\n /usr/bin/pngcrush mrix,\n /usr/bin/pngquant mrix,\n /usr/lib/postfix/sbin/smtpd mrix,\n /usr/local/bin/curl mrix,\n /usr/local/bin/wkhtmltoimage mrix,\n /usr/local/bin/wkhtmltopdf mrix,\n /usr/sbin/postdrop mrix,\n /usr/sbin/sendmail mrix,\n\n # Allow PHP-FPM to access some /dev\n /dev/null rw,\n /dev/random r,\n /dev/tty wr,\n /dev/urandom r,\n\n # Allow PHP-FPM to access its run directory\n /run/** rw,\n\n # Allow PHP-FPM to use tmp files\n /home/*/.tmp/ r,\n /home/*/.tmp/** rw,\n /tmp/ r,\n /tmp/** rw,\n /var/tmp/** rw,\n\n # Allow read access to necessary libraries\n /lib/** mr,\n /lib/x86_64-linux-gnu/** mr,\n /lib64/** mr,\n /opt/php*/lib/php/** mr,\n /usr/lib/** mr,\n /usr/lib/x86_64-linux-gnu/** mr,\n /usr/libexec/** mr,\n /usr/local/include/** mr,\n /usr/local/ioncube/ioncube_loader_lin_*.so mr,\n /usr/local/lib/** mr,\n /usr/local/ssl/** mr,\n /usr/local/ssl3/** mr,\n\n # Allow PHP-FPM to read and write its log files\n /var/log/newrelic/php_agent.log rw,\n /var/log/php/** rw,\n\n # Allow PHP-FPM to access /proc and /sys for necessary information\n /proc/** r,\n /sys/** r,\n\n # Allow PHP-FPM to use /dev/shm for temporary storage\n /dev/shm/ r,\n /dev/shm/** rw,\n\n # Deny execution of binaries from these directories\n deny /home/*/.tmp/** m,\n deny /home/*/** m,\n deny /tmp/** m,\n deny /var/tmp/** m,\n\n # Allow PHP-FPM to read and write in the custom web root directories\n\n /var/www/** r,\n\n /var/aegir/host_master/** r,\n /var/aegir/platforms/** r,\n\n /data/disk/*/aegir/** r,\n /data/disk/*/distro/** r,\n /data/disk/*/platforms/** r,\n /data/disk/*/static/** r,\n /data/disk/*/tools/le/** r,\n\n /data/all/ r,\n /data/all/* r,\n /data/all/** r,\n /data/conf/ r,\n /data/conf/* r,\n /data/conf/** r,\n\n owner /var/aegir/host_master/** rw,\n owner /var/aegir/platforms/** rw,\n\n owner /data/disk/*/aegir/** rw,\n owner /data/disk/*/distro/** rw,\n owner /data/disk/*/platforms/** rw,\n owner /data/disk/*/static/** rw,\n owner /var/www/** rw,\n\n /home/*.web/.aws/ r,\n /home/*.web/.aws/* rw,\n /home/*.web/.drush/ r,\n /home/*.web/.drush/* r,\n /home/*.web/.tmp/ r,\n /home/*.web/.tmp/* rw,\n\n # Deny access to various sensitive directories and files\n deny /boot/** mrwklx,\n deny /etc/shadow* rwlx,\n deny /root/** mrwklx,\n\n # Catchall to deny everything else\n #deny /** rwklx,\n\n # Site-specific additions and overrides can be added below\n}\n"
},
{
"path": "aegir/conf/apparmor/opt.php72.bin.php",
"content": "# AppArmor profile for PHP-CLI\n# This profile restricts PHP-CLI (php72) to essential operations only.\n\n#include \n\n/opt/php72/bin/php flags=(complain) {\n\n # Include common AppArmor abstractions\n include \n include \n include \n include \n include \n\n # Capabilities needed by PHP-CLI\n capability audit_write,\n capability chown,\n capability dac_override,\n capability dac_read_search,\n capability fowner,\n capability fsetid,\n capability mknod,\n capability setgid,\n capability setuid,\n capability sys_ptrace,\n capability sys_resource,\n\n # Allow PHP-CLI to execute its own binary\n /opt/php72/bin/php mrix,\n\n # Allow PHP-CLI to signal/ptrace other processes\n ptrace (read) peer=/opt/php*/bin/php,\n signal (send) peer=unconfined,\n signal (send) peer=/usr/sbin/nginx,\n ptrace (read) peer=/opt/php*/sbin/php-fpm,\n ptrace (read) peer=/usr/bin/mysqld_safe,\n ptrace (read) peer=/usr/bin/redis-server,\n ptrace (read) peer=/usr/local/sbin/pure-ftpd,\n ptrace (read) peer=/usr/sbin/nginx,\n ptrace (read) peer=/usr/sbin/rsyslogd,\n ptrace (read) peer=/usr/sbin/unbound,\n ptrace (read) peer=unconfined,\n\n # Allow PHP-CLI to read required configuration files\n /data/disk/*/.subversion/ r,\n /data/disk/*/.subversion/* r,\n /etc/default/nginx r,\n /etc/ImageMagick-6/log.xml r,\n /etc/ImageMagick-6/policy.xml r,\n /etc/ld.so.cache r,\n /etc/ldap/ldap.conf r,\n /etc/mailname r,\n /etc/mysql/conf.d/ r,\n /etc/mysql/conf.d/* r,\n /etc/mysql/my.cnf r,\n /etc/newrelic/upgrade_please.key r,\n /etc/nginx/conf.d/ r,\n /etc/nginx/conf.d/** r,\n /etc/nginx/fastcgi_params r,\n /etc/nginx/mime.types r,\n /etc/nginx/nginx.conf r,\n /etc/postfix/dynamicmaps.cf r,\n /etc/postfix/dynamicmaps.cf.d/ r,\n /etc/postfix/main.cf r,\n /etc/ssl/private/ r,\n /etc/ssl/private/* r,\n /etc/ssl/private/nginx-wild-ssl.crt r,\n /etc/ssl/private/nginx-wild-ssl.dhp r,\n /etc/ssl/private/nginx-wild-ssl.key r,\n /etc/subversion/ r,\n /etc/subversion/* r,\n /etc/wgetrc r,\n /home/*/.drush/ r,\n /home/*/.drush/** r,\n /usr/local/share/git-core/templates/ r,\n /usr/local/share/git-core/templates/* r,\n /usr/local/share/git-core/templates/** r,\n /usr/share/GeoIP/GeoIP.dat r,\n /usr/share/GeoIP/GeoIPv6.dat r,\n /usr/share/GeoIP/GeoLite2-ASN.mmdb r,\n /usr/share/GeoIP/GeoLite2-City.mmdb r,\n /usr/share/GeoIP/GeoLite2-Country.mmdb r,\n /opt/php72/** r,\n\n # Allow PHP-CLI to read required user/access files\n /etc/login.defs r,\n /etc/pam.d/* r,\n /etc/passwd r,\n /etc/security/capability.conf r,\n /etc/security/limits.conf r,\n /etc/security/limits.d/ r,\n /etc/security/limits.d/* r,\n /etc/shadow r,\n /etc/sudo.conf r,\n /etc/sudoers r,\n /etc/sudoers.d/ r,\n /etc/sudoers.d/* r,\n /run/sudo/ts/ r,\n /run/sudo/ts/* r,\n\n # Allow PHP-CLI to execute some other binaries\n /usr/bin/symlinks mrix,\n /bin/cat mrix,\n /bin/chmod mrix,\n /bin/chown mrix,\n /bin/cp mrix,\n /bin/dash mrix,\n /bin/date mrix,\n /bin/egrep mrix,\n /bin/grep mrix,\n /bin/kmod mrix,\n /bin/mkdir mrix,\n /bin/mv mrix,\n /bin/pidof mrix,\n /bin/rm mrix,\n /bin/run-parts mrix,\n /bin/sed mrix,\n /bin/stty mrix,\n /bin/tar mrix,\n /bin/touch mrix,\n /opt/local/bin/websh mrix,\n /data/disk/*/**/vendor/drush/drush/drush.php mrix,\n /etc/init.d/nginx mrix,\n /sbin/killall5 mrix,\n /sbin/unix_chkpwd mrix,\n /usr/bin/chromium mrix,\n /usr/bin/convert mrix,\n /usr/bin/find mrix,\n /usr/bin/id mrix,\n /usr/bin/magick mrix,\n /usr/bin/mysql mrix,\n /usr/bin/patch mrix,\n /usr/bin/sudo mrix,\n /usr/bin/svn mrix,\n /usr/bin/tput mrix,\n /usr/bin/tr mrix,\n /usr/bin/unzip mrix,\n /usr/bin/wget mrix,\n /usr/bin/which mrix,\n /usr/bin/which.debianutils mrix,\n /usr/local/bin/composer mrix,\n /usr/local/bin/curl mrix,\n /usr/local/bin/fix-drupal-platform-ownership.sh mrix,\n /usr/local/bin/fix-drupal-platform-permissions.sh mrix,\n /usr/local/bin/fix-drupal-site-ownership.sh mrix,\n /usr/local/bin/fix-drupal-site-permissions.sh mrix,\n /usr/local/bin/git mrix,\n /usr/local/bin/lock-local-drush-permissions.sh mrix,\n /usr/local/bin/mydumper mrix,\n /usr/local/bin/myloader mrix,\n /usr/local/bin/wkhtmltoimage mrix,\n /usr/local/bin/wkhtmltopdf mrix,\n /usr/local/libexec/git-core/* mrix,\n /usr/local/libexec/git-core/** mrix,\n /usr/sbin/nginx mrix,\n /usr/sbin/postdrop mrix,\n /usr/sbin/sendmail mrix,\n\n # Allow PHP-CLI to access some /dev\n /dev/null rw,\n /dev/random r,\n /dev/tty rw,\n /dev/urandom r,\n\n # Allow PHP-CLI to use tmp files\n /tmp/ r,\n /tmp/** rw,\n /var/spool/postfix/maildrop/ r,\n /var/spool/postfix/maildrop/* rw,\n /var/tmp/** rw,\n\n # Allow read access to necessary libraries\n /lib/** mr,\n /lib/x86_64-linux-gnu/** mr,\n /lib64/** mr,\n /opt/php*/lib/php/** mr,\n /usr/lib/** mr,\n /usr/lib/x86_64-linux-gnu/** mr,\n /usr/libexec/** mr,\n /usr/local/include/** mr,\n /usr/local/ioncube/ioncube_loader_lin_*.so mr,\n /usr/local/lib/** mr,\n /usr/local/ssl/** mr,\n /usr/local/ssl3/** mr,\n\n # Allow PHP-CLI to read and write its log files\n /var/log/php/** rw,\n /var/log/newrelic/php_agent.log rw,\n\n # Allow PHP-CLI to write to some other log/pid files\n /run/nginx.pid rw,\n /var/log/nginx/access.log rw,\n /var/log/nginx/error.log rw,\n\n # Allow PHP-CLI to access /proc and /sys for necessary information\n /proc/ r,\n /proc/** r,\n /sys/ r,\n /sys/** r,\n\n # Allow PHP-CLI to use /dev/shm for temporary storage\n /dev/shm/ r,\n /dev/shm/** rw,\n\n # Deny execution of binaries from these directories\n deny /home/*/.tmp/** m,\n deny /home/*/** m,\n deny /tmp/** m,\n deny /var/tmp/** m,\n\n # Allow PHP-CLI to access drush\n /data/disk/*/tools/drush/ r,\n /data/disk/*/tools/drush/* mrix,\n /data/disk/*/tools/drush/** r,\n /opt/tools/drush/** mrix,\n /usr/local/bin/cv.phar mrix,\n /var/aegir/drush/ r,\n /var/aegir/drush/* mrix,\n /var/aegir/drush/** r,\n\n # Allow PHP-CLI to access System Default Web Root\n\n /var/www/** r,\n owner /var/www/** rw,\n\n # Allow PHP-CLI to read/write in the Ægir Backend on Master Instance\n\n owner /var/aegir/.drush/ r,\n owner /var/aegir/.drush/* rw,\n owner /var/aegir/.drush/** rw,\n owner /var/aegir/.tmp/ r,\n owner /var/aegir/.tmp/* rw,\n owner /var/aegir/.tmp/** rw,\n owner /var/aegir/config/ r,\n owner /var/aegir/config/* rw,\n owner /var/aegir/config/** rw,\n owner /var/aegir/host_master-*/ r,\n owner /var/aegir/host_master-*/* rw,\n owner /var/aegir/host_master-*/** rw,\n owner /var/aegir/host_master/ r,\n owner /var/aegir/host_master/* rw,\n owner /var/aegir/host_master/** rw,\n owner /var/aegir/platforms/ r,\n owner /var/aegir/platforms/* rw,\n owner /var/aegir/platforms/** rw,\n\n # Allow PHP-CLI to read/write in the Ægir Backend on Octopus Instances\n\n /data/all/ r,\n /data/all/* r,\n /data/all/** r,\n\n /data/conf/ r,\n /data/conf/* r,\n /data/conf/** r,\n\n /data/disk/*/.bashrc r,\n\n owner /data/disk/*/.cache/**/pack-* l,\n owner /data/disk/*/static/**/pack-* l,\n\n owner /data/disk/*/log/ r,\n owner /data/disk/*/log/* rw,\n owner /data/disk/*/.*.pass.php r,\n owner /data/disk/*/.rnd rw,\n\n owner /data/disk/*/backups/ rwl,\n owner /data/disk/*/backups/* rwl,\n owner /data/disk/*/backups/** rwl,\n\n owner /data/disk/*/backup-exports/ rwl,\n owner /data/disk/*/backup-exports/* rwl,\n owner /data/disk/*/backup-exports/** rwl,\n\n owner /data/disk/*/.config/ rwl,\n owner /data/disk/*/.config/* rwl,\n owner /data/disk/*/.config/** rwl,\n\n owner /data/disk/*/.cache/ rwl,\n owner /data/disk/*/.cache/* rwl,\n owner /data/disk/*/.cache/** rwl,\n\n owner /data/disk/*/.drush/ rwl,\n owner /data/disk/*/.drush/* rwl,\n owner /data/disk/*/.drush/** rwl,\n\n owner /data/disk/*/.tmp/ rwl,\n owner /data/disk/*/.tmp/* rwl,\n owner /data/disk/*/.tmp/** rwl,\n\n owner /data/disk/*/clients/ rw,\n owner /data/disk/*/clients/* rw,\n owner /data/disk/*/clients/** rw,\n\n owner /data/disk/*/config/ rw,\n owner /data/disk/*/config/* rw,\n owner /data/disk/*/config/** rw,\n\n owner /data/disk/*/tools/le/ rw,\n owner /data/disk/*/tools/le/* rw,\n owner /data/disk/*/tools/le/** rw,\n\n # Allow PHP-CLI to read/write in the Ægir Frontend on Octopus Instances\n\n owner /data/disk/*/aegir/ rw,\n owner /data/disk/*/aegir/* rw,\n owner /data/disk/*/aegir/** rw,\n\n # Allow PHP-CLI to read/write in the limited shell user home for Drush support\n\n owner /home/*/.drush/sites/ rw,\n owner /home/*/.drush/sites/* rw,\n owner /home/*/.drush/sites/** rw,\n\n owner /home/*/.drush/cache/ rw,\n owner /home/*/.drush/cache/* rw,\n owner /home/*/.drush/cache/** rw,\n\n owner /home/*/.tmp/ rw,\n owner /home/*/.tmp/* rw,\n owner /home/*/.tmp/** rw,\n\n # Allow PHP-CLI to read/write in the custom web root directories\n\n /data/disk/*/static/ rw,\n /data/disk/*/static/* rw,\n /data/disk/*/static/** rw,\n\n /data/disk/*/distro/ rw,\n /data/disk/*/distro/* rw,\n /data/disk/*/distro/** rw,\n\n /data/disk/*/platforms/ rw,\n /data/disk/*/platforms/* rw,\n /data/disk/*/platforms/** rw,\n\n # Allow PHP-CLI to read and write in the root tmp\n\n owner /root/.tmp/ rw,\n owner /root/.tmp/* rw,\n owner /root/.tmp/** rw,\n\n # Deny access to various sensitive directories and files\n deny /boot/** mrwklx,\n\n # Catchall to deny everything else\n #deny /** rwklx,\n\n # Site-specific additions and overrides can be added below\n}\n"
},
{
"path": "aegir/conf/apparmor/opt.php72.sbin.php-fpm",
"content": "# AppArmor profile for PHP-FPM\n# This profile restricts the PHP-FPM (php72) to essential operations only.\n\n#include \n\n/opt/php72/sbin/php-fpm flags=(attach_disconnected) {\n\n # Include common AppArmor abstractions\n include \n include \n include \n include \n\n # Capabilities needed by PHP-FPM\n capability chown,\n capability dac_override,\n capability dac_read_search,\n capability fowner,\n capability kill,\n capability setgid,\n capability setuid,\n capability sys_resource,\n\n # Allow PHP-FPM to accept signal from PHP-CLI processes\n signal (receive) peer=/opt/php*/bin/php,\n\n network inet stream,\n network inet6 stream,\n\n # Allow PHP-FPM to execute its own binary\n /opt/php72/sbin/php-fpm mrix,\n\n # Allow PHP-FPM to read its configuration files\n /data/conf/ r,\n /data/conf/** r,\n /etc/ImageMagick-6/log.xml r,\n /etc/ImageMagick-6/policy.xml r,\n /etc/ld.so.cache r,\n /etc/mailname r,\n /etc/newrelic/upgrade_please.key r,\n /etc/postfix/dynamicmaps.cf r,\n /etc/postfix/dynamicmaps.cf.d/ r,\n /etc/postfix/dynamicmaps.cf.d/* r,\n /etc/postfix/main.cf r,\n /home/*/.drush/** r,\n /opt/etc/fpm/** r,\n /var/spool/postfix/maildrop/ r,\n /var/spool/postfix/maildrop/* rw,\n /opt/php72/** r,\n\n # Allow PHP-FPM to execute some other binaries\n /bin/dash mrix,\n /opt/local/bin/websh mrix,\n /usr/bin/advdef mrix,\n /usr/bin/advpng mrix,\n /usr/bin/chromium mrix,\n /usr/bin/convert mrix,\n /usr/bin/id mrix,\n /usr/bin/jpegoptim mrix,\n /usr/bin/jpegtran mrix,\n /usr/bin/magick mrix,\n /usr/bin/optipng mrix,\n /usr/bin/pngcrush mrix,\n /usr/bin/pngquant mrix,\n /usr/lib/postfix/sbin/smtpd mrix,\n /usr/local/bin/curl mrix,\n /usr/local/bin/wkhtmltoimage mrix,\n /usr/local/bin/wkhtmltopdf mrix,\n /usr/sbin/postdrop mrix,\n /usr/sbin/sendmail mrix,\n\n # Allow PHP-FPM to access some /dev\n /dev/null rw,\n /dev/random r,\n /dev/tty wr,\n /dev/urandom r,\n\n # Allow PHP-FPM to access its run directory\n /run/** rw,\n\n # Allow PHP-FPM to use tmp files\n /home/*/.tmp/ r,\n /home/*/.tmp/** rw,\n /tmp/ r,\n /tmp/** rw,\n /var/tmp/** rw,\n\n # Allow read access to necessary libraries\n /lib/** mr,\n /lib/x86_64-linux-gnu/** mr,\n /lib64/** mr,\n /opt/php*/lib/php/** mr,\n /usr/lib/** mr,\n /usr/lib/x86_64-linux-gnu/** mr,\n /usr/libexec/** mr,\n /usr/local/include/** mr,\n /usr/local/ioncube/ioncube_loader_lin_*.so mr,\n /usr/local/lib/** mr,\n /usr/local/ssl/** mr,\n /usr/local/ssl3/** mr,\n\n # Allow PHP-FPM to read and write its log files\n /var/log/newrelic/php_agent.log rw,\n /var/log/php/** rw,\n\n # Allow PHP-FPM to access /proc and /sys for necessary information\n /proc/** r,\n /sys/** r,\n\n # Allow PHP-FPM to use /dev/shm for temporary storage\n /dev/shm/ r,\n /dev/shm/** rw,\n\n # Deny execution of binaries from these directories\n deny /home/*/.tmp/** m,\n deny /home/*/** m,\n deny /tmp/** m,\n deny /var/tmp/** m,\n\n # Allow PHP-FPM to read and write in the custom web root directories\n\n /var/www/** r,\n\n /var/aegir/host_master/** r,\n /var/aegir/platforms/** r,\n\n /data/disk/*/aegir/** r,\n /data/disk/*/distro/** r,\n /data/disk/*/platforms/** r,\n /data/disk/*/static/** r,\n /data/disk/*/tools/le/** r,\n\n /data/all/ r,\n /data/all/* r,\n /data/all/** r,\n /data/conf/ r,\n /data/conf/* r,\n /data/conf/** r,\n\n owner /var/aegir/host_master/** rw,\n owner /var/aegir/platforms/** rw,\n\n owner /data/disk/*/aegir/** rw,\n owner /data/disk/*/distro/** rw,\n owner /data/disk/*/platforms/** rw,\n owner /data/disk/*/static/** rw,\n owner /var/www/** rw,\n\n /home/*.web/.aws/ r,\n /home/*.web/.aws/* rw,\n /home/*.web/.drush/ r,\n /home/*.web/.drush/* r,\n /home/*.web/.tmp/ r,\n /home/*.web/.tmp/* rw,\n\n # Deny access to various sensitive directories and files\n deny /boot/** mrwklx,\n deny /etc/shadow* rwlx,\n deny /root/** mrwklx,\n\n # Catchall to deny everything else\n #deny /** rwklx,\n\n # Site-specific additions and overrides can be added below\n}\n"
},
{
"path": "aegir/conf/apparmor/opt.php73.bin.php",
"content": "# AppArmor profile for PHP-CLI\n# This profile restricts PHP-CLI (php73) to essential operations only.\n\n#include \n\n/opt/php73/bin/php flags=(complain) {\n\n # Include common AppArmor abstractions\n include \n include \n include \n include \n include \n\n # Capabilities needed by PHP-CLI\n capability audit_write,\n capability chown,\n capability dac_override,\n capability dac_read_search,\n capability fowner,\n capability fsetid,\n capability mknod,\n capability setgid,\n capability setuid,\n capability sys_ptrace,\n capability sys_resource,\n\n # Allow PHP-CLI to execute its own binary\n /opt/php73/bin/php mrix,\n\n # Allow PHP-CLI to signal/ptrace other processes\n ptrace (read) peer=/opt/php*/bin/php,\n signal (send) peer=unconfined,\n signal (send) peer=/usr/sbin/nginx,\n ptrace (read) peer=/opt/php*/sbin/php-fpm,\n ptrace (read) peer=/usr/bin/mysqld_safe,\n ptrace (read) peer=/usr/bin/redis-server,\n ptrace (read) peer=/usr/local/sbin/pure-ftpd,\n ptrace (read) peer=/usr/sbin/nginx,\n ptrace (read) peer=/usr/sbin/rsyslogd,\n ptrace (read) peer=/usr/sbin/unbound,\n ptrace (read) peer=unconfined,\n\n # Allow PHP-CLI to read required configuration files\n /data/disk/*/.subversion/ r,\n /data/disk/*/.subversion/* r,\n /etc/default/nginx r,\n /etc/ImageMagick-6/log.xml r,\n /etc/ImageMagick-6/policy.xml r,\n /etc/ld.so.cache r,\n /etc/ldap/ldap.conf r,\n /etc/mailname r,\n /etc/mysql/conf.d/ r,\n /etc/mysql/conf.d/* r,\n /etc/mysql/my.cnf r,\n /etc/newrelic/upgrade_please.key r,\n /etc/nginx/conf.d/ r,\n /etc/nginx/conf.d/** r,\n /etc/nginx/fastcgi_params r,\n /etc/nginx/mime.types r,\n /etc/nginx/nginx.conf r,\n /etc/postfix/dynamicmaps.cf r,\n /etc/postfix/dynamicmaps.cf.d/ r,\n /etc/postfix/main.cf r,\n /etc/ssl/private/ r,\n /etc/ssl/private/* r,\n /etc/ssl/private/nginx-wild-ssl.crt r,\n /etc/ssl/private/nginx-wild-ssl.dhp r,\n /etc/ssl/private/nginx-wild-ssl.key r,\n /etc/subversion/ r,\n /etc/subversion/* r,\n /etc/wgetrc r,\n /home/*/.drush/ r,\n /home/*/.drush/** r,\n /usr/local/share/git-core/templates/ r,\n /usr/local/share/git-core/templates/* r,\n /usr/local/share/git-core/templates/** r,\n /usr/share/GeoIP/GeoIP.dat r,\n /usr/share/GeoIP/GeoIPv6.dat r,\n /usr/share/GeoIP/GeoLite2-ASN.mmdb r,\n /usr/share/GeoIP/GeoLite2-City.mmdb r,\n /usr/share/GeoIP/GeoLite2-Country.mmdb r,\n /opt/php73/** r,\n\n # Allow PHP-CLI to read required user/access files\n /etc/login.defs r,\n /etc/pam.d/* r,\n /etc/passwd r,\n /etc/security/capability.conf r,\n /etc/security/limits.conf r,\n /etc/security/limits.d/ r,\n /etc/security/limits.d/* r,\n /etc/shadow r,\n /etc/sudo.conf r,\n /etc/sudoers r,\n /etc/sudoers.d/ r,\n /etc/sudoers.d/* r,\n /run/sudo/ts/ r,\n /run/sudo/ts/* r,\n\n # Allow PHP-CLI to execute some other binaries\n /usr/bin/symlinks mrix,\n /bin/cat mrix,\n /bin/chmod mrix,\n /bin/chown mrix,\n /bin/cp mrix,\n /bin/dash mrix,\n /bin/date mrix,\n /bin/egrep mrix,\n /bin/grep mrix,\n /bin/kmod mrix,\n /bin/mkdir mrix,\n /bin/mv mrix,\n /bin/pidof mrix,\n /bin/rm mrix,\n /bin/run-parts mrix,\n /bin/sed mrix,\n /bin/stty mrix,\n /bin/tar mrix,\n /bin/touch mrix,\n /opt/local/bin/websh mrix,\n /data/disk/*/**/vendor/drush/drush/drush.php mrix,\n /etc/init.d/nginx mrix,\n /sbin/killall5 mrix,\n /sbin/unix_chkpwd mrix,\n /usr/bin/chromium mrix,\n /usr/bin/convert mrix,\n /usr/bin/find mrix,\n /usr/bin/id mrix,\n /usr/bin/magick mrix,\n /usr/bin/mysql mrix,\n /usr/bin/patch mrix,\n /usr/bin/sudo mrix,\n /usr/bin/svn mrix,\n /usr/bin/tput mrix,\n /usr/bin/tr mrix,\n /usr/bin/unzip mrix,\n /usr/bin/wget mrix,\n /usr/bin/which mrix,\n /usr/bin/which.debianutils mrix,\n /usr/local/bin/composer mrix,\n /usr/local/bin/curl mrix,\n /usr/local/bin/fix-drupal-platform-ownership.sh mrix,\n /usr/local/bin/fix-drupal-platform-permissions.sh mrix,\n /usr/local/bin/fix-drupal-site-ownership.sh mrix,\n /usr/local/bin/fix-drupal-site-permissions.sh mrix,\n /usr/local/bin/git mrix,\n /usr/local/bin/lock-local-drush-permissions.sh mrix,\n /usr/local/bin/mydumper mrix,\n /usr/local/bin/myloader mrix,\n /usr/local/bin/wkhtmltoimage mrix,\n /usr/local/bin/wkhtmltopdf mrix,\n /usr/local/libexec/git-core/* mrix,\n /usr/local/libexec/git-core/** mrix,\n /usr/sbin/nginx mrix,\n /usr/sbin/postdrop mrix,\n /usr/sbin/sendmail mrix,\n\n # Allow PHP-CLI to access some /dev\n /dev/null rw,\n /dev/random r,\n /dev/tty rw,\n /dev/urandom r,\n\n # Allow PHP-CLI to use tmp files\n /tmp/ r,\n /tmp/** rw,\n /var/spool/postfix/maildrop/ r,\n /var/spool/postfix/maildrop/* rw,\n /var/tmp/** rw,\n\n # Allow read access to necessary libraries\n /lib/** mr,\n /lib/x86_64-linux-gnu/** mr,\n /lib64/** mr,\n /opt/php*/lib/php/** mr,\n /usr/lib/** mr,\n /usr/lib/x86_64-linux-gnu/** mr,\n /usr/libexec/** mr,\n /usr/local/include/** mr,\n /usr/local/ioncube/ioncube_loader_lin_*.so mr,\n /usr/local/lib/** mr,\n /usr/local/ssl/** mr,\n /usr/local/ssl3/** mr,\n\n # Allow PHP-CLI to read and write its log files\n /var/log/php/** rw,\n /var/log/newrelic/php_agent.log rw,\n\n # Allow PHP-CLI to write to some other log/pid files\n /run/nginx.pid rw,\n /var/log/nginx/access.log rw,\n /var/log/nginx/error.log rw,\n\n # Allow PHP-CLI to access /proc and /sys for necessary information\n /proc/ r,\n /proc/** r,\n /sys/ r,\n /sys/** r,\n\n # Allow PHP-CLI to use /dev/shm for temporary storage\n /dev/shm/ r,\n /dev/shm/** rw,\n\n # Deny execution of binaries from these directories\n deny /home/*/.tmp/** m,\n deny /home/*/** m,\n deny /tmp/** m,\n deny /var/tmp/** m,\n\n # Allow PHP-CLI to access drush\n /data/disk/*/tools/drush/ r,\n /data/disk/*/tools/drush/* mrix,\n /data/disk/*/tools/drush/** r,\n /opt/tools/drush/** mrix,\n /usr/local/bin/cv.phar mrix,\n /var/aegir/drush/ r,\n /var/aegir/drush/* mrix,\n /var/aegir/drush/** r,\n\n # Allow PHP-CLI to access System Default Web Root\n\n /var/www/** r,\n owner /var/www/** rw,\n\n # Allow PHP-CLI to read/write in the Ægir Backend on Master Instance\n\n owner /var/aegir/.drush/ r,\n owner /var/aegir/.drush/* rw,\n owner /var/aegir/.drush/** rw,\n owner /var/aegir/.tmp/ r,\n owner /var/aegir/.tmp/* rw,\n owner /var/aegir/.tmp/** rw,\n owner /var/aegir/config/ r,\n owner /var/aegir/config/* rw,\n owner /var/aegir/config/** rw,\n owner /var/aegir/host_master-*/ r,\n owner /var/aegir/host_master-*/* rw,\n owner /var/aegir/host_master-*/** rw,\n owner /var/aegir/host_master/ r,\n owner /var/aegir/host_master/* rw,\n owner /var/aegir/host_master/** rw,\n owner /var/aegir/platforms/ r,\n owner /var/aegir/platforms/* rw,\n owner /var/aegir/platforms/** rw,\n\n # Allow PHP-CLI to read/write in the Ægir Backend on Octopus Instances\n\n /data/all/ r,\n /data/all/* r,\n /data/all/** r,\n\n /data/conf/ r,\n /data/conf/* r,\n /data/conf/** r,\n\n /data/disk/*/.bashrc r,\n\n owner /data/disk/*/.cache/**/pack-* l,\n owner /data/disk/*/static/**/pack-* l,\n\n owner /data/disk/*/log/ r,\n owner /data/disk/*/log/* rw,\n owner /data/disk/*/.*.pass.php r,\n owner /data/disk/*/.rnd rw,\n\n owner /data/disk/*/backups/ rwl,\n owner /data/disk/*/backups/* rwl,\n owner /data/disk/*/backups/** rwl,\n\n owner /data/disk/*/backup-exports/ rwl,\n owner /data/disk/*/backup-exports/* rwl,\n owner /data/disk/*/backup-exports/** rwl,\n\n owner /data/disk/*/.config/ rwl,\n owner /data/disk/*/.config/* rwl,\n owner /data/disk/*/.config/** rwl,\n\n owner /data/disk/*/.cache/ rwl,\n owner /data/disk/*/.cache/* rwl,\n owner /data/disk/*/.cache/** rwl,\n\n owner /data/disk/*/.drush/ rwl,\n owner /data/disk/*/.drush/* rwl,\n owner /data/disk/*/.drush/** rwl,\n\n owner /data/disk/*/.tmp/ rwl,\n owner /data/disk/*/.tmp/* rwl,\n owner /data/disk/*/.tmp/** rwl,\n\n owner /data/disk/*/clients/ rw,\n owner /data/disk/*/clients/* rw,\n owner /data/disk/*/clients/** rw,\n\n owner /data/disk/*/config/ rw,\n owner /data/disk/*/config/* rw,\n owner /data/disk/*/config/** rw,\n\n owner /data/disk/*/tools/le/ rw,\n owner /data/disk/*/tools/le/* rw,\n owner /data/disk/*/tools/le/** rw,\n\n # Allow PHP-CLI to read/write in the Ægir Frontend on Octopus Instances\n\n owner /data/disk/*/aegir/ rw,\n owner /data/disk/*/aegir/* rw,\n owner /data/disk/*/aegir/** rw,\n\n # Allow PHP-CLI to read/write in the limited shell user home for Drush support\n\n owner /home/*/.drush/sites/ rw,\n owner /home/*/.drush/sites/* rw,\n owner /home/*/.drush/sites/** rw,\n\n owner /home/*/.drush/cache/ rw,\n owner /home/*/.drush/cache/* rw,\n owner /home/*/.drush/cache/** rw,\n\n owner /home/*/.tmp/ rw,\n owner /home/*/.tmp/* rw,\n owner /home/*/.tmp/** rw,\n\n # Allow PHP-CLI to read/write in the custom web root directories\n\n /data/disk/*/static/ rw,\n /data/disk/*/static/* rw,\n /data/disk/*/static/** rw,\n\n /data/disk/*/distro/ rw,\n /data/disk/*/distro/* rw,\n /data/disk/*/distro/** rw,\n\n /data/disk/*/platforms/ rw,\n /data/disk/*/platforms/* rw,\n /data/disk/*/platforms/** rw,\n\n # Allow PHP-CLI to read and write in the root tmp\n\n owner /root/.tmp/ rw,\n owner /root/.tmp/* rw,\n owner /root/.tmp/** rw,\n\n # Deny access to various sensitive directories and files\n deny /boot/** mrwklx,\n\n # Catchall to deny everything else\n #deny /** rwklx,\n\n # Site-specific additions and overrides can be added below\n}\n"
},
{
"path": "aegir/conf/apparmor/opt.php73.sbin.php-fpm",
"content": "# AppArmor profile for PHP-FPM\n# This profile restricts the PHP-FPM (php73) to essential operations only.\n\n#include \n\n/opt/php73/sbin/php-fpm flags=(attach_disconnected) {\n\n # Include common AppArmor abstractions\n include \n include \n include \n include \n\n # Capabilities needed by PHP-FPM\n capability chown,\n capability dac_override,\n capability dac_read_search,\n capability fowner,\n capability kill,\n capability setgid,\n capability setuid,\n capability sys_resource,\n\n # Allow PHP-FPM to accept signal from PHP-CLI processes\n signal (receive) peer=/opt/php*/bin/php,\n\n network inet stream,\n network inet6 stream,\n\n # Allow PHP-FPM to execute its own binary\n /opt/php73/sbin/php-fpm mrix,\n\n # Allow PHP-FPM to read its configuration files\n /data/conf/ r,\n /data/conf/** r,\n /etc/ImageMagick-6/log.xml r,\n /etc/ImageMagick-6/policy.xml r,\n /etc/ld.so.cache r,\n /etc/mailname r,\n /etc/newrelic/upgrade_please.key r,\n /etc/postfix/dynamicmaps.cf r,\n /etc/postfix/dynamicmaps.cf.d/ r,\n /etc/postfix/dynamicmaps.cf.d/* r,\n /etc/postfix/main.cf r,\n /home/*/.drush/** r,\n /opt/etc/fpm/** r,\n /var/spool/postfix/maildrop/ r,\n /var/spool/postfix/maildrop/* rw,\n /opt/php73/** r,\n\n # Allow PHP-FPM to execute some other binaries\n /bin/dash mrix,\n /opt/local/bin/websh mrix,\n /usr/bin/advdef mrix,\n /usr/bin/advpng mrix,\n /usr/bin/chromium mrix,\n /usr/bin/convert mrix,\n /usr/bin/id mrix,\n /usr/bin/jpegoptim mrix,\n /usr/bin/jpegtran mrix,\n /usr/bin/magick mrix,\n /usr/bin/optipng mrix,\n /usr/bin/pngcrush mrix,\n /usr/bin/pngquant mrix,\n /usr/lib/postfix/sbin/smtpd mrix,\n /usr/local/bin/curl mrix,\n /usr/local/bin/wkhtmltoimage mrix,\n /usr/local/bin/wkhtmltopdf mrix,\n /usr/sbin/postdrop mrix,\n /usr/sbin/sendmail mrix,\n\n # Allow PHP-FPM to access some /dev\n /dev/null rw,\n /dev/random r,\n /dev/tty wr,\n /dev/urandom r,\n\n # Allow PHP-FPM to access its run directory\n /run/** rw,\n\n # Allow PHP-FPM to use tmp files\n /home/*/.tmp/ r,\n /home/*/.tmp/** rw,\n /tmp/ r,\n /tmp/** rw,\n /var/tmp/** rw,\n\n # Allow read access to necessary libraries\n /lib/** mr,\n /lib/x86_64-linux-gnu/** mr,\n /lib64/** mr,\n /opt/php*/lib/php/** mr,\n /usr/lib/** mr,\n /usr/lib/x86_64-linux-gnu/** mr,\n /usr/libexec/** mr,\n /usr/local/include/** mr,\n /usr/local/ioncube/ioncube_loader_lin_*.so mr,\n /usr/local/lib/** mr,\n /usr/local/ssl/** mr,\n /usr/local/ssl3/** mr,\n\n # Allow PHP-FPM to read and write its log files\n /var/log/newrelic/php_agent.log rw,\n /var/log/php/** rw,\n\n # Allow PHP-FPM to access /proc and /sys for necessary information\n /proc/** r,\n /sys/** r,\n\n # Allow PHP-FPM to use /dev/shm for temporary storage\n /dev/shm/ r,\n /dev/shm/** rw,\n\n # Deny execution of binaries from these directories\n deny /home/*/.tmp/** m,\n deny /home/*/** m,\n deny /tmp/** m,\n deny /var/tmp/** m,\n\n # Allow PHP-FPM to read and write in the custom web root directories\n\n /var/www/** r,\n\n /var/aegir/host_master/** r,\n /var/aegir/platforms/** r,\n\n /data/disk/*/aegir/** r,\n /data/disk/*/distro/** r,\n /data/disk/*/platforms/** r,\n /data/disk/*/static/** r,\n /data/disk/*/tools/le/** r,\n\n /data/all/ r,\n /data/all/* r,\n /data/all/** r,\n /data/conf/ r,\n /data/conf/* r,\n /data/conf/** r,\n\n owner /var/aegir/host_master/** rw,\n owner /var/aegir/platforms/** rw,\n\n owner /data/disk/*/aegir/** rw,\n owner /data/disk/*/distro/** rw,\n owner /data/disk/*/platforms/** rw,\n owner /data/disk/*/static/** rw,\n owner /var/www/** rw,\n\n /home/*.web/.aws/ r,\n /home/*.web/.aws/* rw,\n /home/*.web/.drush/ r,\n /home/*.web/.drush/* r,\n /home/*.web/.tmp/ r,\n /home/*.web/.tmp/* rw,\n\n # Deny access to various sensitive directories and files\n deny /boot/** mrwklx,\n deny /etc/shadow* rwlx,\n deny /root/** mrwklx,\n\n # Catchall to deny everything else\n #deny /** rwklx,\n\n # Site-specific additions and overrides can be added below\n}\n"
},
{
"path": "aegir/conf/apparmor/opt.php74.bin.php",
"content": "# AppArmor profile for PHP-CLI\n# This profile restricts PHP-CLI (php74) to essential operations only.\n\n#include \n\n/opt/php74/bin/php flags=(complain) {\n\n # Include common AppArmor abstractions\n include \n include \n include \n include \n include \n\n # Capabilities needed by PHP-CLI\n capability audit_write,\n capability chown,\n capability dac_override,\n capability dac_read_search,\n capability fowner,\n capability fsetid,\n capability mknod,\n capability setgid,\n capability setuid,\n capability sys_ptrace,\n capability sys_resource,\n\n # Allow PHP-CLI to execute its own binary\n /opt/php74/bin/php mrix,\n\n # Allow PHP-CLI to signal/ptrace other processes\n ptrace (read) peer=/opt/php*/bin/php,\n signal (send) peer=unconfined,\n signal (send) peer=/usr/sbin/nginx,\n ptrace (read) peer=/opt/php*/sbin/php-fpm,\n ptrace (read) peer=/usr/bin/mysqld_safe,\n ptrace (read) peer=/usr/bin/redis-server,\n ptrace (read) peer=/usr/local/sbin/pure-ftpd,\n ptrace (read) peer=/usr/sbin/nginx,\n ptrace (read) peer=/usr/sbin/rsyslogd,\n ptrace (read) peer=/usr/sbin/unbound,\n ptrace (read) peer=unconfined,\n\n # Allow PHP-CLI to read required configuration files\n /data/disk/*/.subversion/ r,\n /data/disk/*/.subversion/* r,\n /etc/default/nginx r,\n /etc/ImageMagick-6/log.xml r,\n /etc/ImageMagick-6/policy.xml r,\n /etc/ld.so.cache r,\n /etc/ldap/ldap.conf r,\n /etc/mailname r,\n /etc/mysql/conf.d/ r,\n /etc/mysql/conf.d/* r,\n /etc/mysql/my.cnf r,\n /etc/newrelic/upgrade_please.key r,\n /etc/nginx/conf.d/ r,\n /etc/nginx/conf.d/** r,\n /etc/nginx/fastcgi_params r,\n /etc/nginx/mime.types r,\n /etc/nginx/nginx.conf r,\n /etc/postfix/dynamicmaps.cf r,\n /etc/postfix/dynamicmaps.cf.d/ r,\n /etc/postfix/main.cf r,\n /etc/ssl/private/ r,\n /etc/ssl/private/* r,\n /etc/ssl/private/nginx-wild-ssl.crt r,\n /etc/ssl/private/nginx-wild-ssl.dhp r,\n /etc/ssl/private/nginx-wild-ssl.key r,\n /etc/subversion/ r,\n /etc/subversion/* r,\n /etc/wgetrc r,\n /home/*/.drush/ r,\n /home/*/.drush/** r,\n /usr/local/share/git-core/templates/ r,\n /usr/local/share/git-core/templates/* r,\n /usr/local/share/git-core/templates/** r,\n /usr/share/GeoIP/GeoIP.dat r,\n /usr/share/GeoIP/GeoIPv6.dat r,\n /usr/share/GeoIP/GeoLite2-ASN.mmdb r,\n /usr/share/GeoIP/GeoLite2-City.mmdb r,\n /usr/share/GeoIP/GeoLite2-Country.mmdb r,\n /opt/php74/** r,\n\n # Allow PHP-CLI to read required user/access files\n /etc/login.defs r,\n /etc/pam.d/* r,\n /etc/passwd r,\n /etc/security/capability.conf r,\n /etc/security/limits.conf r,\n /etc/security/limits.d/ r,\n /etc/security/limits.d/* r,\n /etc/shadow r,\n /etc/sudo.conf r,\n /etc/sudoers r,\n /etc/sudoers.d/ r,\n /etc/sudoers.d/* r,\n /run/sudo/ts/ r,\n /run/sudo/ts/* r,\n\n # Allow PHP-CLI to execute some other binaries\n /usr/bin/symlinks mrix,\n /bin/cat mrix,\n /bin/chmod mrix,\n /bin/chown mrix,\n /bin/cp mrix,\n /bin/dash mrix,\n /bin/date mrix,\n /bin/egrep mrix,\n /bin/grep mrix,\n /bin/kmod mrix,\n /bin/mkdir mrix,\n /bin/mv mrix,\n /bin/pidof mrix,\n /bin/rm mrix,\n /bin/run-parts mrix,\n /bin/sed mrix,\n /bin/stty mrix,\n /bin/tar mrix,\n /bin/touch mrix,\n /opt/local/bin/websh mrix,\n /data/disk/*/**/vendor/drush/drush/drush.php mrix,\n /etc/init.d/nginx mrix,\n /sbin/killall5 mrix,\n /sbin/unix_chkpwd mrix,\n /usr/bin/chromium mrix,\n /usr/bin/convert mrix,\n /usr/bin/find mrix,\n /usr/bin/id mrix,\n /usr/bin/magick mrix,\n /usr/bin/mysql mrix,\n /usr/bin/patch mrix,\n /usr/bin/sudo mrix,\n /usr/bin/svn mrix,\n /usr/bin/tput mrix,\n /usr/bin/tr mrix,\n /usr/bin/unzip mrix,\n /usr/bin/wget mrix,\n /usr/bin/which mrix,\n /usr/bin/which.debianutils mrix,\n /usr/local/bin/composer mrix,\n /usr/local/bin/curl mrix,\n /usr/local/bin/fix-drupal-platform-ownership.sh mrix,\n /usr/local/bin/fix-drupal-platform-permissions.sh mrix,\n /usr/local/bin/fix-drupal-site-ownership.sh mrix,\n /usr/local/bin/fix-drupal-site-permissions.sh mrix,\n /usr/local/bin/git mrix,\n /usr/local/bin/lock-local-drush-permissions.sh mrix,\n /usr/local/bin/mydumper mrix,\n /usr/local/bin/myloader mrix,\n /usr/local/bin/wkhtmltoimage mrix,\n /usr/local/bin/wkhtmltopdf mrix,\n /usr/local/libexec/git-core/* mrix,\n /usr/local/libexec/git-core/** mrix,\n /usr/sbin/nginx mrix,\n /usr/sbin/postdrop mrix,\n /usr/sbin/sendmail mrix,\n\n # Allow PHP-CLI to access some /dev\n /dev/null rw,\n /dev/random r,\n /dev/tty rw,\n /dev/urandom r,\n\n # Allow PHP-CLI to use tmp files\n /tmp/ r,\n /tmp/** rw,\n /var/spool/postfix/maildrop/ r,\n /var/spool/postfix/maildrop/* rw,\n /var/tmp/** rw,\n\n # Allow read access to necessary libraries\n /lib/** mr,\n /lib/x86_64-linux-gnu/** mr,\n /lib64/** mr,\n /opt/php*/lib/php/** mr,\n /usr/lib/** mr,\n /usr/lib/x86_64-linux-gnu/** mr,\n /usr/libexec/** mr,\n /usr/local/include/** mr,\n /usr/local/ioncube/ioncube_loader_lin_*.so mr,\n /usr/local/lib/** mr,\n /usr/local/ssl/** mr,\n /usr/local/ssl3/** mr,\n\n # Allow PHP-CLI to read and write its log files\n /var/log/php/** rw,\n /var/log/newrelic/php_agent.log rw,\n\n # Allow PHP-CLI to write to some other log/pid files\n /run/nginx.pid rw,\n /var/log/nginx/access.log rw,\n /var/log/nginx/error.log rw,\n\n # Allow PHP-CLI to access /proc and /sys for necessary information\n /proc/ r,\n /proc/** r,\n /sys/ r,\n /sys/** r,\n\n # Allow PHP-CLI to use /dev/shm for temporary storage\n /dev/shm/ r,\n /dev/shm/** rw,\n\n # Deny execution of binaries from these directories\n deny /home/*/.tmp/** m,\n deny /home/*/** m,\n deny /tmp/** m,\n deny /var/tmp/** m,\n\n # Allow PHP-CLI to access drush\n /data/disk/*/tools/drush/ r,\n /data/disk/*/tools/drush/* mrix,\n /data/disk/*/tools/drush/** r,\n /opt/tools/drush/** mrix,\n /usr/local/bin/cv.phar mrix,\n /var/aegir/drush/ r,\n /var/aegir/drush/* mrix,\n /var/aegir/drush/** r,\n\n # Allow PHP-CLI to access System Default Web Root\n\n /var/www/** r,\n owner /var/www/** rw,\n\n # Allow PHP-CLI to read/write in the Ægir Backend on Master Instance\n\n owner /var/aegir/.drush/ r,\n owner /var/aegir/.drush/* rw,\n owner /var/aegir/.drush/** rw,\n owner /var/aegir/.tmp/ r,\n owner /var/aegir/.tmp/* rw,\n owner /var/aegir/.tmp/** rw,\n owner /var/aegir/config/ r,\n owner /var/aegir/config/* rw,\n owner /var/aegir/config/** rw,\n owner /var/aegir/host_master-*/ r,\n owner /var/aegir/host_master-*/* rw,\n owner /var/aegir/host_master-*/** rw,\n owner /var/aegir/host_master/ r,\n owner /var/aegir/host_master/* rw,\n owner /var/aegir/host_master/** rw,\n owner /var/aegir/platforms/ r,\n owner /var/aegir/platforms/* rw,\n owner /var/aegir/platforms/** rw,\n\n # Allow PHP-CLI to read/write in the Ægir Backend on Octopus Instances\n\n /data/all/ r,\n /data/all/* r,\n /data/all/** r,\n\n /data/conf/ r,\n /data/conf/* r,\n /data/conf/** r,\n\n /data/disk/*/.bashrc r,\n\n owner /data/disk/*/.cache/**/pack-* l,\n owner /data/disk/*/static/**/pack-* l,\n\n owner /data/disk/*/log/ r,\n owner /data/disk/*/log/* rw,\n owner /data/disk/*/.*.pass.php r,\n owner /data/disk/*/.rnd rw,\n\n owner /data/disk/*/backups/ rwl,\n owner /data/disk/*/backups/* rwl,\n owner /data/disk/*/backups/** rwl,\n\n owner /data/disk/*/backup-exports/ rwl,\n owner /data/disk/*/backup-exports/* rwl,\n owner /data/disk/*/backup-exports/** rwl,\n\n owner /data/disk/*/.config/ rwl,\n owner /data/disk/*/.config/* rwl,\n owner /data/disk/*/.config/** rwl,\n\n owner /data/disk/*/.cache/ rwl,\n owner /data/disk/*/.cache/* rwl,\n owner /data/disk/*/.cache/** rwl,\n\n owner /data/disk/*/.drush/ rwl,\n owner /data/disk/*/.drush/* rwl,\n owner /data/disk/*/.drush/** rwl,\n\n owner /data/disk/*/.tmp/ rwl,\n owner /data/disk/*/.tmp/* rwl,\n owner /data/disk/*/.tmp/** rwl,\n\n owner /data/disk/*/clients/ rw,\n owner /data/disk/*/clients/* rw,\n owner /data/disk/*/clients/** rw,\n\n owner /data/disk/*/config/ rw,\n owner /data/disk/*/config/* rw,\n owner /data/disk/*/config/** rw,\n\n owner /data/disk/*/tools/le/ rw,\n owner /data/disk/*/tools/le/* rw,\n owner /data/disk/*/tools/le/** rw,\n\n # Allow PHP-CLI to read/write in the Ægir Frontend on Octopus Instances\n\n owner /data/disk/*/aegir/ rw,\n owner /data/disk/*/aegir/* rw,\n owner /data/disk/*/aegir/** rw,\n\n # Allow PHP-CLI to read/write in the limited shell user home for Drush support\n\n owner /home/*/.drush/sites/ rw,\n owner /home/*/.drush/sites/* rw,\n owner /home/*/.drush/sites/** rw,\n\n owner /home/*/.drush/cache/ rw,\n owner /home/*/.drush/cache/* rw,\n owner /home/*/.drush/cache/** rw,\n\n owner /home/*/.tmp/ rw,\n owner /home/*/.tmp/* rw,\n owner /home/*/.tmp/** rw,\n\n # Allow PHP-CLI to read/write in the custom web root directories\n\n /data/disk/*/static/ rw,\n /data/disk/*/static/* rw,\n /data/disk/*/static/** rw,\n\n /data/disk/*/distro/ rw,\n /data/disk/*/distro/* rw,\n /data/disk/*/distro/** rw,\n\n /data/disk/*/platforms/ rw,\n /data/disk/*/platforms/* rw,\n /data/disk/*/platforms/** rw,\n\n # Allow PHP-CLI to read and write in the root tmp\n\n owner /root/.tmp/ rw,\n owner /root/.tmp/* rw,\n owner /root/.tmp/** rw,\n\n # Deny access to various sensitive directories and files\n deny /boot/** mrwklx,\n\n # Catchall to deny everything else\n #deny /** rwklx,\n\n # Site-specific additions and overrides can be added below\n}\n"
},
{
"path": "aegir/conf/apparmor/opt.php74.sbin.php-fpm",
"content": "# AppArmor profile for PHP-FPM\n# This profile restricts the PHP-FPM (php74) to essential operations only.\n\n#include \n\n/opt/php74/sbin/php-fpm flags=(attach_disconnected) {\n\n # Include common AppArmor abstractions\n include \n include \n include \n include \n\n # Capabilities needed by PHP-FPM\n capability chown,\n capability dac_override,\n capability dac_read_search,\n capability fowner,\n capability kill,\n capability setgid,\n capability setuid,\n capability sys_resource,\n\n # Allow PHP-FPM to accept signal from PHP-CLI processes\n signal (receive) peer=/opt/php*/bin/php,\n\n network inet stream,\n network inet6 stream,\n\n # Allow PHP-FPM to execute its own binary\n /opt/php74/sbin/php-fpm mrix,\n\n # Allow PHP-FPM to read its configuration files\n /data/conf/ r,\n /data/conf/** r,\n /etc/ImageMagick-6/log.xml r,\n /etc/ImageMagick-6/policy.xml r,\n /etc/ld.so.cache r,\n /etc/mailname r,\n /etc/newrelic/upgrade_please.key r,\n /etc/postfix/dynamicmaps.cf r,\n /etc/postfix/dynamicmaps.cf.d/ r,\n /etc/postfix/dynamicmaps.cf.d/* r,\n /etc/postfix/main.cf r,\n /home/*/.drush/** r,\n /opt/etc/fpm/** r,\n /var/spool/postfix/maildrop/ r,\n /var/spool/postfix/maildrop/* rw,\n /opt/php74/** r,\n\n # Allow PHP-FPM to execute some other binaries\n /bin/dash mrix,\n /opt/local/bin/websh mrix,\n /usr/bin/advdef mrix,\n /usr/bin/advpng mrix,\n /usr/bin/chromium mrix,\n /usr/bin/convert mrix,\n /usr/bin/id mrix,\n /usr/bin/jpegoptim mrix,\n /usr/bin/jpegtran mrix,\n /usr/bin/magick mrix,\n /usr/bin/optipng mrix,\n /usr/bin/pngcrush mrix,\n /usr/bin/pngquant mrix,\n /usr/lib/postfix/sbin/smtpd mrix,\n /usr/local/bin/curl mrix,\n /usr/local/bin/wkhtmltoimage mrix,\n /usr/local/bin/wkhtmltopdf mrix,\n /usr/sbin/postdrop mrix,\n /usr/sbin/sendmail mrix,\n\n # Allow PHP-FPM to access some /dev\n /dev/null rw,\n /dev/random r,\n /dev/tty wr,\n /dev/urandom r,\n\n # Allow PHP-FPM to access its run directory\n /run/** rw,\n\n # Allow PHP-FPM to use tmp files\n /home/*/.tmp/ r,\n /home/*/.tmp/** rw,\n /tmp/ r,\n /tmp/** rw,\n /var/tmp/** rw,\n\n # Allow read access to necessary libraries\n /lib/** mr,\n /lib/x86_64-linux-gnu/** mr,\n /lib64/** mr,\n /opt/php*/lib/php/** mr,\n /usr/lib/** mr,\n /usr/lib/x86_64-linux-gnu/** mr,\n /usr/libexec/** mr,\n /usr/local/include/** mr,\n /usr/local/ioncube/ioncube_loader_lin_*.so mr,\n /usr/local/lib/** mr,\n /usr/local/ssl/** mr,\n /usr/local/ssl3/** mr,\n\n # Allow PHP-FPM to read and write its log files\n /var/log/newrelic/php_agent.log rw,\n /var/log/php/** rw,\n\n # Allow PHP-FPM to access /proc and /sys for necessary information\n /proc/** r,\n /sys/** r,\n\n # Allow PHP-FPM to use /dev/shm for temporary storage\n /dev/shm/ r,\n /dev/shm/** rw,\n\n # Deny execution of binaries from these directories\n deny /home/*/.tmp/** m,\n deny /home/*/** m,\n deny /tmp/** m,\n deny /var/tmp/** m,\n\n # Allow PHP-FPM to read and write in the custom web root directories\n\n /var/www/** r,\n\n /var/aegir/host_master/** r,\n /var/aegir/platforms/** r,\n\n /data/disk/*/aegir/** r,\n /data/disk/*/distro/** r,\n /data/disk/*/platforms/** r,\n /data/disk/*/static/** r,\n /data/disk/*/tools/le/** r,\n\n /data/all/ r,\n /data/all/* r,\n /data/all/** r,\n /data/conf/ r,\n /data/conf/* r,\n /data/conf/** r,\n\n owner /var/aegir/host_master/** rw,\n owner /var/aegir/platforms/** rw,\n\n owner /data/disk/*/aegir/** rw,\n owner /data/disk/*/distro/** rw,\n owner /data/disk/*/platforms/** rw,\n owner /data/disk/*/static/** rw,\n owner /var/www/** rw,\n\n /home/*.web/.aws/ r,\n /home/*.web/.aws/* rw,\n /home/*.web/.drush/ r,\n /home/*.web/.drush/* r,\n /home/*.web/.tmp/ r,\n /home/*.web/.tmp/* rw,\n\n # Deny access to various sensitive directories and files\n deny /boot/** mrwklx,\n deny /etc/shadow* rwlx,\n deny /root/** mrwklx,\n\n # Catchall to deny everything else\n #deny /** rwklx,\n\n # Site-specific additions and overrides can be added below\n}\n"
},
{
"path": "aegir/conf/apparmor/opt.php80.bin.php",
"content": "# AppArmor profile for PHP-CLI\n# This profile restricts PHP-CLI (php80) to essential operations only.\n\n#include \n\n/opt/php80/bin/php flags=(complain) {\n\n # Include common AppArmor abstractions\n include \n include \n include \n include \n include \n\n # Capabilities needed by PHP-CLI\n capability audit_write,\n capability chown,\n capability dac_override,\n capability dac_read_search,\n capability fowner,\n capability fsetid,\n capability mknod,\n capability setgid,\n capability setuid,\n capability sys_ptrace,\n capability sys_resource,\n\n # Allow PHP-CLI to execute its own binary\n /opt/php80/bin/php mrix,\n\n # Allow PHP-CLI to signal/ptrace other processes\n ptrace (read) peer=/opt/php*/bin/php,\n signal (send) peer=unconfined,\n signal (send) peer=/usr/sbin/nginx,\n ptrace (read) peer=/opt/php*/sbin/php-fpm,\n ptrace (read) peer=/usr/bin/mysqld_safe,\n ptrace (read) peer=/usr/bin/redis-server,\n ptrace (read) peer=/usr/local/sbin/pure-ftpd,\n ptrace (read) peer=/usr/sbin/nginx,\n ptrace (read) peer=/usr/sbin/rsyslogd,\n ptrace (read) peer=/usr/sbin/unbound,\n ptrace (read) peer=unconfined,\n\n # Allow PHP-CLI to read required configuration files\n /data/disk/*/.subversion/ r,\n /data/disk/*/.subversion/* r,\n /etc/default/nginx r,\n /etc/ImageMagick-6/log.xml r,\n /etc/ImageMagick-6/policy.xml r,\n /etc/ld.so.cache r,\n /etc/ldap/ldap.conf r,\n /etc/mailname r,\n /etc/mysql/conf.d/ r,\n /etc/mysql/conf.d/* r,\n /etc/mysql/my.cnf r,\n /etc/newrelic/upgrade_please.key r,\n /etc/nginx/conf.d/ r,\n /etc/nginx/conf.d/** r,\n /etc/nginx/fastcgi_params r,\n /etc/nginx/mime.types r,\n /etc/nginx/nginx.conf r,\n /etc/postfix/dynamicmaps.cf r,\n /etc/postfix/dynamicmaps.cf.d/ r,\n /etc/postfix/main.cf r,\n /etc/ssl/private/ r,\n /etc/ssl/private/* r,\n /etc/ssl/private/nginx-wild-ssl.crt r,\n /etc/ssl/private/nginx-wild-ssl.dhp r,\n /etc/ssl/private/nginx-wild-ssl.key r,\n /etc/subversion/ r,\n /etc/subversion/* r,\n /etc/wgetrc r,\n /home/*/.drush/ r,\n /home/*/.drush/** r,\n /usr/local/share/git-core/templates/ r,\n /usr/local/share/git-core/templates/* r,\n /usr/local/share/git-core/templates/** r,\n /usr/share/GeoIP/GeoIP.dat r,\n /usr/share/GeoIP/GeoIPv6.dat r,\n /usr/share/GeoIP/GeoLite2-ASN.mmdb r,\n /usr/share/GeoIP/GeoLite2-City.mmdb r,\n /usr/share/GeoIP/GeoLite2-Country.mmdb r,\n /opt/php80/** r,\n\n # Allow PHP-CLI to read required user/access files\n /etc/login.defs r,\n /etc/pam.d/* r,\n /etc/passwd r,\n /etc/security/capability.conf r,\n /etc/security/limits.conf r,\n /etc/security/limits.d/ r,\n /etc/security/limits.d/* r,\n /etc/shadow r,\n /etc/sudo.conf r,\n /etc/sudoers r,\n /etc/sudoers.d/ r,\n /etc/sudoers.d/* r,\n /run/sudo/ts/ r,\n /run/sudo/ts/* r,\n\n # Allow PHP-CLI to execute some other binaries\n /usr/bin/symlinks mrix,\n /bin/cat mrix,\n /bin/chmod mrix,\n /bin/chown mrix,\n /bin/cp mrix,\n /bin/dash mrix,\n /bin/date mrix,\n /bin/egrep mrix,\n /bin/grep mrix,\n /bin/kmod mrix,\n /bin/mkdir mrix,\n /bin/mv mrix,\n /bin/pidof mrix,\n /bin/rm mrix,\n /bin/run-parts mrix,\n /bin/sed mrix,\n /bin/stty mrix,\n /bin/tar mrix,\n /bin/touch mrix,\n /opt/local/bin/websh mrix,\n /data/disk/*/**/vendor/drush/drush/drush.php mrix,\n /etc/init.d/nginx mrix,\n /sbin/killall5 mrix,\n /sbin/unix_chkpwd mrix,\n /usr/bin/chromium mrix,\n /usr/bin/convert mrix,\n /usr/bin/find mrix,\n /usr/bin/id mrix,\n /usr/bin/magick mrix,\n /usr/bin/mysql mrix,\n /usr/bin/patch mrix,\n /usr/bin/sudo mrix,\n /usr/bin/svn mrix,\n /usr/bin/tput mrix,\n /usr/bin/tr mrix,\n /usr/bin/unzip mrix,\n /usr/bin/wget mrix,\n /usr/bin/which mrix,\n /usr/bin/which.debianutils mrix,\n /usr/local/bin/composer mrix,\n /usr/local/bin/curl mrix,\n /usr/local/bin/fix-drupal-platform-ownership.sh mrix,\n /usr/local/bin/fix-drupal-platform-permissions.sh mrix,\n /usr/local/bin/fix-drupal-site-ownership.sh mrix,\n /usr/local/bin/fix-drupal-site-permissions.sh mrix,\n /usr/local/bin/git mrix,\n /usr/local/bin/lock-local-drush-permissions.sh mrix,\n /usr/local/bin/mydumper mrix,\n /usr/local/bin/myloader mrix,\n /usr/local/bin/wkhtmltoimage mrix,\n /usr/local/bin/wkhtmltopdf mrix,\n /usr/local/libexec/git-core/* mrix,\n /usr/local/libexec/git-core/** mrix,\n /usr/sbin/nginx mrix,\n /usr/sbin/postdrop mrix,\n /usr/sbin/sendmail mrix,\n\n # Allow PHP-CLI to access some /dev\n /dev/null rw,\n /dev/random r,\n /dev/tty rw,\n /dev/urandom r,\n\n # Allow PHP-CLI to use tmp files\n /tmp/ r,\n /tmp/** rw,\n /var/spool/postfix/maildrop/ r,\n /var/spool/postfix/maildrop/* rw,\n /var/tmp/** rw,\n\n # Allow read access to necessary libraries\n /lib/** mr,\n /lib/x86_64-linux-gnu/** mr,\n /lib64/** mr,\n /opt/php*/lib/php/** mr,\n /usr/lib/** mr,\n /usr/lib/x86_64-linux-gnu/** mr,\n /usr/libexec/** mr,\n /usr/local/include/** mr,\n /usr/local/ioncube/ioncube_loader_lin_*.so mr,\n /usr/local/lib/** mr,\n /usr/local/ssl/** mr,\n /usr/local/ssl3/** mr,\n\n # Allow PHP-CLI to read and write its log files\n /var/log/php/** rw,\n /var/log/newrelic/php_agent.log rw,\n\n # Allow PHP-CLI to write to some other log/pid files\n /run/nginx.pid rw,\n /var/log/nginx/access.log rw,\n /var/log/nginx/error.log rw,\n\n # Allow PHP-CLI to access /proc and /sys for necessary information\n /proc/ r,\n /proc/** r,\n /sys/ r,\n /sys/** r,\n\n # Allow PHP-CLI to use /dev/shm for temporary storage\n /dev/shm/ r,\n /dev/shm/** rw,\n\n # Deny execution of binaries from these directories\n deny /home/*/.tmp/** m,\n deny /home/*/** m,\n deny /tmp/** m,\n deny /var/tmp/** m,\n\n # Allow PHP-CLI to access drush\n /data/disk/*/tools/drush/ r,\n /data/disk/*/tools/drush/* mrix,\n /data/disk/*/tools/drush/** r,\n /opt/tools/drush/** mrix,\n /usr/local/bin/cv.phar mrix,\n /var/aegir/drush/ r,\n /var/aegir/drush/* mrix,\n /var/aegir/drush/** r,\n\n # Allow PHP-CLI to access System Default Web Root\n\n /var/www/** r,\n owner /var/www/** rw,\n\n # Allow PHP-CLI to read/write in the Ægir Backend on Master Instance\n\n owner /var/aegir/.drush/ r,\n owner /var/aegir/.drush/* rw,\n owner /var/aegir/.drush/** rw,\n owner /var/aegir/.tmp/ r,\n owner /var/aegir/.tmp/* rw,\n owner /var/aegir/.tmp/** rw,\n owner /var/aegir/config/ r,\n owner /var/aegir/config/* rw,\n owner /var/aegir/config/** rw,\n owner /var/aegir/host_master-*/ r,\n owner /var/aegir/host_master-*/* rw,\n owner /var/aegir/host_master-*/** rw,\n owner /var/aegir/host_master/ r,\n owner /var/aegir/host_master/* rw,\n owner /var/aegir/host_master/** rw,\n owner /var/aegir/platforms/ r,\n owner /var/aegir/platforms/* rw,\n owner /var/aegir/platforms/** rw,\n\n # Allow PHP-CLI to read/write in the Ægir Backend on Octopus Instances\n\n /data/all/ r,\n /data/all/* r,\n /data/all/** r,\n\n /data/conf/ r,\n /data/conf/* r,\n /data/conf/** r,\n\n /data/disk/*/.bashrc r,\n\n owner /data/disk/*/.cache/**/pack-* l,\n owner /data/disk/*/static/**/pack-* l,\n\n owner /data/disk/*/log/ r,\n owner /data/disk/*/log/* rw,\n owner /data/disk/*/.*.pass.php r,\n owner /data/disk/*/.rnd rw,\n\n owner /data/disk/*/backups/ rwl,\n owner /data/disk/*/backups/* rwl,\n owner /data/disk/*/backups/** rwl,\n\n owner /data/disk/*/backup-exports/ rwl,\n owner /data/disk/*/backup-exports/* rwl,\n owner /data/disk/*/backup-exports/** rwl,\n\n owner /data/disk/*/.config/ rwl,\n owner /data/disk/*/.config/* rwl,\n owner /data/disk/*/.config/** rwl,\n\n owner /data/disk/*/.cache/ rwl,\n owner /data/disk/*/.cache/* rwl,\n owner /data/disk/*/.cache/** rwl,\n\n owner /data/disk/*/.drush/ rwl,\n owner /data/disk/*/.drush/* rwl,\n owner /data/disk/*/.drush/** rwl,\n\n owner /data/disk/*/.tmp/ rwl,\n owner /data/disk/*/.tmp/* rwl,\n owner /data/disk/*/.tmp/** rwl,\n\n owner /data/disk/*/clients/ rw,\n owner /data/disk/*/clients/* rw,\n owner /data/disk/*/clients/** rw,\n\n owner /data/disk/*/config/ rw,\n owner /data/disk/*/config/* rw,\n owner /data/disk/*/config/** rw,\n\n owner /data/disk/*/tools/le/ rw,\n owner /data/disk/*/tools/le/* rw,\n owner /data/disk/*/tools/le/** rw,\n\n # Allow PHP-CLI to read/write in the Ægir Frontend on Octopus Instances\n\n owner /data/disk/*/aegir/ rw,\n owner /data/disk/*/aegir/* rw,\n owner /data/disk/*/aegir/** rw,\n\n # Allow PHP-CLI to read/write in the limited shell user home for Drush support\n\n owner /home/*/.drush/sites/ rw,\n owner /home/*/.drush/sites/* rw,\n owner /home/*/.drush/sites/** rw,\n\n owner /home/*/.drush/cache/ rw,\n owner /home/*/.drush/cache/* rw,\n owner /home/*/.drush/cache/** rw,\n\n owner /home/*/.tmp/ rw,\n owner /home/*/.tmp/* rw,\n owner /home/*/.tmp/** rw,\n\n # Allow PHP-CLI to read/write in the custom web root directories\n\n /data/disk/*/static/ rw,\n /data/disk/*/static/* rw,\n /data/disk/*/static/** rw,\n\n /data/disk/*/distro/ rw,\n /data/disk/*/distro/* rw,\n /data/disk/*/distro/** rw,\n\n /data/disk/*/platforms/ rw,\n /data/disk/*/platforms/* rw,\n /data/disk/*/platforms/** rw,\n\n # Allow PHP-CLI to read and write in the root tmp\n\n owner /root/.tmp/ rw,\n owner /root/.tmp/* rw,\n owner /root/.tmp/** rw,\n\n # Deny access to various sensitive directories and files\n deny /boot/** mrwklx,\n\n # Catchall to deny everything else\n #deny /** rwklx,\n\n # Site-specific additions and overrides can be added below\n}\n"
},
{
"path": "aegir/conf/apparmor/opt.php80.sbin.php-fpm",
"content": "# AppArmor profile for PHP-FPM\n# This profile restricts the PHP-FPM (php80) to essential operations only.\n\n#include \n\n/opt/php80/sbin/php-fpm flags=(attach_disconnected) {\n\n # Include common AppArmor abstractions\n include \n include \n include \n include \n\n # Capabilities needed by PHP-FPM\n capability chown,\n capability dac_override,\n capability dac_read_search,\n capability fowner,\n capability kill,\n capability setgid,\n capability setuid,\n capability sys_resource,\n\n # Allow PHP-FPM to accept signal from PHP-CLI processes\n signal (receive) peer=/opt/php*/bin/php,\n\n network inet stream,\n network inet6 stream,\n\n # Allow PHP-FPM to execute its own binary\n /opt/php80/sbin/php-fpm mrix,\n\n # Allow PHP-FPM to read its configuration files\n /data/conf/ r,\n /data/conf/** r,\n /etc/ImageMagick-6/log.xml r,\n /etc/ImageMagick-6/policy.xml r,\n /etc/ld.so.cache r,\n /etc/mailname r,\n /etc/newrelic/upgrade_please.key r,\n /etc/postfix/dynamicmaps.cf r,\n /etc/postfix/dynamicmaps.cf.d/ r,\n /etc/postfix/dynamicmaps.cf.d/* r,\n /etc/postfix/main.cf r,\n /home/*/.drush/** r,\n /opt/etc/fpm/** r,\n /var/spool/postfix/maildrop/ r,\n /var/spool/postfix/maildrop/* rw,\n /opt/php80/** r,\n\n # Allow PHP-FPM to execute some other binaries\n /bin/dash mrix,\n /opt/local/bin/websh mrix,\n /usr/bin/advdef mrix,\n /usr/bin/advpng mrix,\n /usr/bin/chromium mrix,\n /usr/bin/convert mrix,\n /usr/bin/id mrix,\n /usr/bin/jpegoptim mrix,\n /usr/bin/jpegtran mrix,\n /usr/bin/magick mrix,\n /usr/bin/optipng mrix,\n /usr/bin/pngcrush mrix,\n /usr/bin/pngquant mrix,\n /usr/lib/postfix/sbin/smtpd mrix,\n /usr/local/bin/curl mrix,\n /usr/local/bin/wkhtmltoimage mrix,\n /usr/local/bin/wkhtmltopdf mrix,\n /usr/sbin/postdrop mrix,\n /usr/sbin/sendmail mrix,\n\n # Allow PHP-FPM to access some /dev\n /dev/null rw,\n /dev/random r,\n /dev/tty wr,\n /dev/urandom r,\n\n # Allow PHP-FPM to access its run directory\n /run/** rw,\n\n # Allow PHP-FPM to use tmp files\n /home/*/.tmp/ r,\n /home/*/.tmp/** rw,\n /tmp/ r,\n /tmp/** rw,\n /var/tmp/** rw,\n\n # Allow read access to necessary libraries\n /lib/** mr,\n /lib/x86_64-linux-gnu/** mr,\n /lib64/** mr,\n /opt/php*/lib/php/** mr,\n /usr/lib/** mr,\n /usr/lib/x86_64-linux-gnu/** mr,\n /usr/libexec/** mr,\n /usr/local/include/** mr,\n /usr/local/ioncube/ioncube_loader_lin_*.so mr,\n /usr/local/lib/** mr,\n /usr/local/ssl/** mr,\n /usr/local/ssl3/** mr,\n\n # Allow PHP-FPM to read and write its log files\n /var/log/newrelic/php_agent.log rw,\n /var/log/php/** rw,\n\n # Allow PHP-FPM to access /proc and /sys for necessary information\n /proc/** r,\n /sys/** r,\n\n # Allow PHP-FPM to use /dev/shm for temporary storage\n /dev/shm/ r,\n /dev/shm/** rw,\n\n # Deny execution of binaries from these directories\n deny /home/*/.tmp/** m,\n deny /home/*/** m,\n deny /tmp/** m,\n deny /var/tmp/** m,\n\n # Allow PHP-FPM to read and write in the custom web root directories\n\n /var/www/** r,\n\n /var/aegir/host_master/** r,\n /var/aegir/platforms/** r,\n\n /data/disk/*/aegir/** r,\n /data/disk/*/distro/** r,\n /data/disk/*/platforms/** r,\n /data/disk/*/static/** r,\n /data/disk/*/tools/le/** r,\n\n /data/all/ r,\n /data/all/* r,\n /data/all/** r,\n /data/conf/ r,\n /data/conf/* r,\n /data/conf/** r,\n\n owner /var/aegir/host_master/** rw,\n owner /var/aegir/platforms/** rw,\n\n owner /data/disk/*/aegir/** rw,\n owner /data/disk/*/distro/** rw,\n owner /data/disk/*/platforms/** rw,\n owner /data/disk/*/static/** rw,\n owner /var/www/** rw,\n\n /home/*.web/.aws/ r,\n /home/*.web/.aws/* rw,\n /home/*.web/.drush/ r,\n /home/*.web/.drush/* r,\n /home/*.web/.tmp/ r,\n /home/*.web/.tmp/* rw,\n\n # Deny access to various sensitive directories and files\n deny /boot/** mrwklx,\n deny /etc/shadow* rwlx,\n deny /root/** mrwklx,\n\n # Catchall to deny everything else\n #deny /** rwklx,\n\n # Site-specific additions and overrides can be added below\n}\n"
},
{
"path": "aegir/conf/apparmor/opt.php81.bin.php",
"content": "# AppArmor profile for PHP-CLI\n# This profile restricts PHP-CLI (php81) to essential operations only.\n\n#include \n\n/opt/php81/bin/php flags=(complain) {\n\n # Include common AppArmor abstractions\n include \n include \n include \n include \n include \n\n # Capabilities needed by PHP-CLI\n capability audit_write,\n capability chown,\n capability dac_override,\n capability dac_read_search,\n capability fowner,\n capability fsetid,\n capability mknod,\n capability setgid,\n capability setuid,\n capability sys_ptrace,\n capability sys_resource,\n\n # Allow PHP-CLI to execute its own binary\n /opt/php81/bin/php mrix,\n\n # Allow PHP-CLI to signal/ptrace other processes\n ptrace (read) peer=/opt/php*/bin/php,\n signal (send) peer=unconfined,\n signal (send) peer=/usr/sbin/nginx,\n ptrace (read) peer=/opt/php*/sbin/php-fpm,\n ptrace (read) peer=/usr/bin/mysqld_safe,\n ptrace (read) peer=/usr/bin/redis-server,\n ptrace (read) peer=/usr/local/sbin/pure-ftpd,\n ptrace (read) peer=/usr/sbin/nginx,\n ptrace (read) peer=/usr/sbin/rsyslogd,\n ptrace (read) peer=/usr/sbin/unbound,\n ptrace (read) peer=unconfined,\n\n # Allow PHP-CLI to read required configuration files\n /data/disk/*/.subversion/ r,\n /data/disk/*/.subversion/* r,\n /etc/default/nginx r,\n /etc/ImageMagick-6/log.xml r,\n /etc/ImageMagick-6/policy.xml r,\n /etc/ld.so.cache r,\n /etc/ldap/ldap.conf r,\n /etc/mailname r,\n /etc/mysql/conf.d/ r,\n /etc/mysql/conf.d/* r,\n /etc/mysql/my.cnf r,\n /etc/newrelic/upgrade_please.key r,\n /etc/nginx/conf.d/ r,\n /etc/nginx/conf.d/** r,\n /etc/nginx/fastcgi_params r,\n /etc/nginx/mime.types r,\n /etc/nginx/nginx.conf r,\n /etc/postfix/dynamicmaps.cf r,\n /etc/postfix/dynamicmaps.cf.d/ r,\n /etc/postfix/main.cf r,\n /etc/ssl/private/ r,\n /etc/ssl/private/* r,\n /etc/ssl/private/nginx-wild-ssl.crt r,\n /etc/ssl/private/nginx-wild-ssl.dhp r,\n /etc/ssl/private/nginx-wild-ssl.key r,\n /etc/subversion/ r,\n /etc/subversion/* r,\n /etc/wgetrc r,\n /home/*/.drush/ r,\n /home/*/.drush/** r,\n /usr/local/share/git-core/templates/ r,\n /usr/local/share/git-core/templates/* r,\n /usr/local/share/git-core/templates/** r,\n /usr/share/GeoIP/GeoIP.dat r,\n /usr/share/GeoIP/GeoIPv6.dat r,\n /usr/share/GeoIP/GeoLite2-ASN.mmdb r,\n /usr/share/GeoIP/GeoLite2-City.mmdb r,\n /usr/share/GeoIP/GeoLite2-Country.mmdb r,\n /opt/php81/** r,\n\n # Allow PHP-CLI to read required user/access files\n /etc/login.defs r,\n /etc/pam.d/* r,\n /etc/passwd r,\n /etc/security/capability.conf r,\n /etc/security/limits.conf r,\n /etc/security/limits.d/ r,\n /etc/security/limits.d/* r,\n /etc/shadow r,\n /etc/sudo.conf r,\n /etc/sudoers r,\n /etc/sudoers.d/ r,\n /etc/sudoers.d/* r,\n /run/sudo/ts/ r,\n /run/sudo/ts/* r,\n\n # Allow PHP-CLI to execute some other binaries\n /usr/bin/symlinks mrix,\n /bin/cat mrix,\n /bin/chmod mrix,\n /bin/chown mrix,\n /bin/cp mrix,\n /bin/dash mrix,\n /bin/date mrix,\n /bin/egrep mrix,\n /bin/grep mrix,\n /bin/kmod mrix,\n /bin/mkdir mrix,\n /bin/mv mrix,\n /bin/pidof mrix,\n /bin/rm mrix,\n /bin/run-parts mrix,\n /bin/sed mrix,\n /bin/stty mrix,\n /bin/tar mrix,\n /bin/touch mrix,\n /opt/local/bin/websh mrix,\n /data/disk/*/**/vendor/drush/drush/drush.php mrix,\n /etc/init.d/nginx mrix,\n /sbin/killall5 mrix,\n /sbin/unix_chkpwd mrix,\n /usr/bin/chromium mrix,\n /usr/bin/convert mrix,\n /usr/bin/find mrix,\n /usr/bin/id mrix,\n /usr/bin/magick mrix,\n /usr/bin/mysql mrix,\n /usr/bin/patch mrix,\n /usr/bin/sudo mrix,\n /usr/bin/svn mrix,\n /usr/bin/tput mrix,\n /usr/bin/tr mrix,\n /usr/bin/unzip mrix,\n /usr/bin/wget mrix,\n /usr/bin/which mrix,\n /usr/bin/which.debianutils mrix,\n /usr/local/bin/composer mrix,\n /usr/local/bin/curl mrix,\n /usr/local/bin/fix-drupal-platform-ownership.sh mrix,\n /usr/local/bin/fix-drupal-platform-permissions.sh mrix,\n /usr/local/bin/fix-drupal-site-ownership.sh mrix,\n /usr/local/bin/fix-drupal-site-permissions.sh mrix,\n /usr/local/bin/git mrix,\n /usr/local/bin/lock-local-drush-permissions.sh mrix,\n /usr/local/bin/mydumper mrix,\n /usr/local/bin/myloader mrix,\n /usr/local/bin/wkhtmltoimage mrix,\n /usr/local/bin/wkhtmltopdf mrix,\n /usr/local/libexec/git-core/* mrix,\n /usr/local/libexec/git-core/** mrix,\n /usr/sbin/nginx mrix,\n /usr/sbin/postdrop mrix,\n /usr/sbin/sendmail mrix,\n\n # Allow PHP-CLI to access some /dev\n /dev/null rw,\n /dev/random r,\n /dev/tty rw,\n /dev/urandom r,\n\n # Allow PHP-CLI to use tmp files\n /tmp/ r,\n /tmp/** rw,\n /var/spool/postfix/maildrop/ r,\n /var/spool/postfix/maildrop/* rw,\n /var/tmp/** rw,\n\n # Allow read access to necessary libraries\n /lib/** mr,\n /lib/x86_64-linux-gnu/** mr,\n /lib64/** mr,\n /opt/php*/lib/php/** mr,\n /usr/lib/** mr,\n /usr/lib/x86_64-linux-gnu/** mr,\n /usr/libexec/** mr,\n /usr/local/include/** mr,\n /usr/local/ioncube/ioncube_loader_lin_*.so mr,\n /usr/local/lib/** mr,\n /usr/local/ssl/** mr,\n /usr/local/ssl3/** mr,\n\n # Allow PHP-CLI to read and write its log files\n /var/log/php/** rw,\n /var/log/newrelic/php_agent.log rw,\n\n # Allow PHP-CLI to write to some other log/pid files\n /run/nginx.pid rw,\n /var/log/nginx/access.log rw,\n /var/log/nginx/error.log rw,\n\n # Allow PHP-CLI to access /proc and /sys for necessary information\n /proc/ r,\n /proc/** r,\n /sys/ r,\n /sys/** r,\n\n # Allow PHP-CLI to use /dev/shm for temporary storage\n /dev/shm/ r,\n /dev/shm/** rw,\n\n # Deny execution of binaries from these directories\n deny /home/*/.tmp/** m,\n deny /home/*/** m,\n deny /tmp/** m,\n deny /var/tmp/** m,\n\n # Allow PHP-CLI to access drush\n /data/disk/*/tools/drush/ r,\n /data/disk/*/tools/drush/* mrix,\n /data/disk/*/tools/drush/** r,\n /opt/tools/drush/** mrix,\n /usr/local/bin/cv.phar mrix,\n /var/aegir/drush/ r,\n /var/aegir/drush/* mrix,\n /var/aegir/drush/** r,\n\n # Allow PHP-CLI to access System Default Web Root\n\n /var/www/** r,\n owner /var/www/** rw,\n\n # Allow PHP-CLI to read/write in the Ægir Backend on Master Instance\n\n owner /var/aegir/.drush/ r,\n owner /var/aegir/.drush/* rw,\n owner /var/aegir/.drush/** rw,\n owner /var/aegir/.tmp/ r,\n owner /var/aegir/.tmp/* rw,\n owner /var/aegir/.tmp/** rw,\n owner /var/aegir/config/ r,\n owner /var/aegir/config/* rw,\n owner /var/aegir/config/** rw,\n owner /var/aegir/host_master-*/ r,\n owner /var/aegir/host_master-*/* rw,\n owner /var/aegir/host_master-*/** rw,\n owner /var/aegir/host_master/ r,\n owner /var/aegir/host_master/* rw,\n owner /var/aegir/host_master/** rw,\n owner /var/aegir/platforms/ r,\n owner /var/aegir/platforms/* rw,\n owner /var/aegir/platforms/** rw,\n\n # Allow PHP-CLI to read/write in the Ægir Backend on Octopus Instances\n\n /data/all/ r,\n /data/all/* r,\n /data/all/** r,\n\n /data/conf/ r,\n /data/conf/* r,\n /data/conf/** r,\n\n /data/disk/*/.bashrc r,\n\n owner /data/disk/*/.cache/**/pack-* l,\n owner /data/disk/*/static/**/pack-* l,\n\n owner /data/disk/*/log/ r,\n owner /data/disk/*/log/* rw,\n owner /data/disk/*/.*.pass.php r,\n owner /data/disk/*/.rnd rw,\n\n owner /data/disk/*/backups/ rwl,\n owner /data/disk/*/backups/* rwl,\n owner /data/disk/*/backups/** rwl,\n\n owner /data/disk/*/backup-exports/ rwl,\n owner /data/disk/*/backup-exports/* rwl,\n owner /data/disk/*/backup-exports/** rwl,\n\n owner /data/disk/*/.config/ rwl,\n owner /data/disk/*/.config/* rwl,\n owner /data/disk/*/.config/** rwl,\n\n owner /data/disk/*/.cache/ rwl,\n owner /data/disk/*/.cache/* rwl,\n owner /data/disk/*/.cache/** rwl,\n\n owner /data/disk/*/.drush/ rwl,\n owner /data/disk/*/.drush/* rwl,\n owner /data/disk/*/.drush/** rwl,\n\n owner /data/disk/*/.tmp/ rwl,\n owner /data/disk/*/.tmp/* rwl,\n owner /data/disk/*/.tmp/** rwl,\n\n owner /data/disk/*/clients/ rw,\n owner /data/disk/*/clients/* rw,\n owner /data/disk/*/clients/** rw,\n\n owner /data/disk/*/config/ rw,\n owner /data/disk/*/config/* rw,\n owner /data/disk/*/config/** rw,\n\n owner /data/disk/*/tools/le/ rw,\n owner /data/disk/*/tools/le/* rw,\n owner /data/disk/*/tools/le/** rw,\n\n # Allow PHP-CLI to read/write in the Ægir Frontend on Octopus Instances\n\n owner /data/disk/*/aegir/ rw,\n owner /data/disk/*/aegir/* rw,\n owner /data/disk/*/aegir/** rw,\n\n # Allow PHP-CLI to read/write in the limited shell user home for Drush support\n\n owner /home/*/.drush/sites/ rw,\n owner /home/*/.drush/sites/* rw,\n owner /home/*/.drush/sites/** rw,\n\n owner /home/*/.drush/cache/ rw,\n owner /home/*/.drush/cache/* rw,\n owner /home/*/.drush/cache/** rw,\n\n owner /home/*/.tmp/ rw,\n owner /home/*/.tmp/* rw,\n owner /home/*/.tmp/** rw,\n\n # Allow PHP-CLI to read/write in the custom web root directories\n\n /data/disk/*/static/ rw,\n /data/disk/*/static/* rw,\n /data/disk/*/static/** rw,\n\n /data/disk/*/distro/ rw,\n /data/disk/*/distro/* rw,\n /data/disk/*/distro/** rw,\n\n /data/disk/*/platforms/ rw,\n /data/disk/*/platforms/* rw,\n /data/disk/*/platforms/** rw,\n\n # Allow PHP-CLI to read and write in the root tmp\n\n owner /root/.tmp/ rw,\n owner /root/.tmp/* rw,\n owner /root/.tmp/** rw,\n\n # Deny access to various sensitive directories and files\n deny /boot/** mrwklx,\n\n # Catchall to deny everything else\n #deny /** rwklx,\n\n # Site-specific additions and overrides can be added below\n}\n"
},
{
"path": "aegir/conf/apparmor/opt.php81.sbin.php-fpm",
"content": "# AppArmor profile for PHP-FPM\n# This profile restricts the PHP-FPM (php81) to essential operations only.\n\n#include \n\n/opt/php81/sbin/php-fpm flags=(attach_disconnected) {\n\n # Include common AppArmor abstractions\n include \n include \n include \n include \n\n # Capabilities needed by PHP-FPM\n capability chown,\n capability dac_override,\n capability dac_read_search,\n capability fowner,\n capability kill,\n capability setgid,\n capability setuid,\n capability sys_resource,\n\n # Allow PHP-FPM to accept signal from PHP-CLI processes\n signal (receive) peer=/opt/php*/bin/php,\n\n network inet stream,\n network inet6 stream,\n\n # Allow PHP-FPM to execute its own binary\n /opt/php81/sbin/php-fpm mrix,\n\n # Allow PHP-FPM to read its configuration files\n /data/conf/ r,\n /data/conf/** r,\n /etc/ImageMagick-6/log.xml r,\n /etc/ImageMagick-6/policy.xml r,\n /etc/ld.so.cache r,\n /etc/mailname r,\n /etc/newrelic/upgrade_please.key r,\n /etc/postfix/dynamicmaps.cf r,\n /etc/postfix/dynamicmaps.cf.d/ r,\n /etc/postfix/dynamicmaps.cf.d/* r,\n /etc/postfix/main.cf r,\n /home/*/.drush/** r,\n /opt/etc/fpm/** r,\n /var/spool/postfix/maildrop/ r,\n /var/spool/postfix/maildrop/* rw,\n /opt/php81/** r,\n\n # Allow PHP-FPM to execute some other binaries\n /bin/dash mrix,\n /opt/local/bin/websh mrix,\n /usr/bin/advdef mrix,\n /usr/bin/advpng mrix,\n /usr/bin/chromium mrix,\n /usr/bin/convert mrix,\n /usr/bin/id mrix,\n /usr/bin/jpegoptim mrix,\n /usr/bin/jpegtran mrix,\n /usr/bin/magick mrix,\n /usr/bin/optipng mrix,\n /usr/bin/pngcrush mrix,\n /usr/bin/pngquant mrix,\n /usr/lib/postfix/sbin/smtpd mrix,\n /usr/local/bin/curl mrix,\n /usr/local/bin/wkhtmltoimage mrix,\n /usr/local/bin/wkhtmltopdf mrix,\n /usr/sbin/postdrop mrix,\n /usr/sbin/sendmail mrix,\n\n # Allow PHP-FPM to access some /dev\n /dev/null rw,\n /dev/random r,\n /dev/tty wr,\n /dev/urandom r,\n\n # Allow PHP-FPM to access its run directory\n /run/** rw,\n\n # Allow PHP-FPM to use tmp files\n /home/*/.tmp/ r,\n /home/*/.tmp/** rw,\n /tmp/ r,\n /tmp/** rw,\n /var/tmp/** rw,\n\n # Allow read access to necessary libraries\n /lib/** mr,\n /lib/x86_64-linux-gnu/** mr,\n /lib64/** mr,\n /opt/php*/lib/php/** mr,\n /usr/lib/** mr,\n /usr/lib/x86_64-linux-gnu/** mr,\n /usr/libexec/** mr,\n /usr/local/include/** mr,\n /usr/local/ioncube/ioncube_loader_lin_*.so mr,\n /usr/local/lib/** mr,\n /usr/local/ssl/** mr,\n /usr/local/ssl3/** mr,\n\n # Allow PHP-FPM to read and write its log files\n /var/log/newrelic/php_agent.log rw,\n /var/log/php/** rw,\n\n # Allow PHP-FPM to access /proc and /sys for necessary information\n /proc/** r,\n /sys/** r,\n\n # Allow PHP-FPM to use /dev/shm for temporary storage\n /dev/shm/ r,\n /dev/shm/** rw,\n\n # Deny execution of binaries from these directories\n deny /home/*/.tmp/** m,\n deny /home/*/** m,\n deny /tmp/** m,\n deny /var/tmp/** m,\n\n # Allow PHP-FPM to read and write in the custom web root directories\n\n /var/www/** r,\n\n /var/aegir/host_master/** r,\n /var/aegir/platforms/** r,\n\n /data/disk/*/aegir/** r,\n /data/disk/*/distro/** r,\n /data/disk/*/platforms/** r,\n /data/disk/*/static/** r,\n /data/disk/*/tools/le/** r,\n\n /data/all/ r,\n /data/all/* r,\n /data/all/** r,\n /data/conf/ r,\n /data/conf/* r,\n /data/conf/** r,\n\n owner /var/aegir/host_master/** rw,\n owner /var/aegir/platforms/** rw,\n\n owner /data/disk/*/aegir/** rw,\n owner /data/disk/*/distro/** rw,\n owner /data/disk/*/platforms/** rw,\n owner /data/disk/*/static/** rw,\n owner /var/www/** rw,\n\n /home/*.web/.aws/ r,\n /home/*.web/.aws/* rw,\n /home/*.web/.drush/ r,\n /home/*.web/.drush/* r,\n /home/*.web/.tmp/ r,\n /home/*.web/.tmp/* rw,\n\n # Deny access to various sensitive directories and files\n deny /boot/** mrwklx,\n deny /etc/shadow* rwlx,\n deny /root/** mrwklx,\n\n # Catchall to deny everything else\n #deny /** rwklx,\n\n # Site-specific additions and overrides can be added below\n}\n"
},
{
"path": "aegir/conf/apparmor/opt.php82.bin.php",
"content": "# AppArmor profile for PHP-CLI\n# This profile restricts PHP-CLI (php82) to essential operations only.\n\n#include \n\n/opt/php82/bin/php flags=(complain) {\n\n # Include common AppArmor abstractions\n include \n include \n include \n include \n include \n\n # Capabilities needed by PHP-CLI\n capability audit_write,\n capability chown,\n capability dac_override,\n capability dac_read_search,\n capability fowner,\n capability fsetid,\n capability mknod,\n capability setgid,\n capability setuid,\n capability sys_ptrace,\n capability sys_resource,\n\n # Allow PHP-CLI to execute its own binary\n /opt/php82/bin/php mrix,\n\n # Allow PHP-CLI to signal/ptrace other processes\n ptrace (read) peer=/opt/php*/bin/php,\n signal (send) peer=unconfined,\n signal (send) peer=/usr/sbin/nginx,\n ptrace (read) peer=/opt/php*/sbin/php-fpm,\n ptrace (read) peer=/usr/bin/mysqld_safe,\n ptrace (read) peer=/usr/bin/redis-server,\n ptrace (read) peer=/usr/local/sbin/pure-ftpd,\n ptrace (read) peer=/usr/sbin/nginx,\n ptrace (read) peer=/usr/sbin/rsyslogd,\n ptrace (read) peer=/usr/sbin/unbound,\n ptrace (read) peer=unconfined,\n\n # Allow PHP-CLI to read required configuration files\n /data/disk/*/.subversion/ r,\n /data/disk/*/.subversion/* r,\n /etc/default/nginx r,\n /etc/ImageMagick-6/log.xml r,\n /etc/ImageMagick-6/policy.xml r,\n /etc/ld.so.cache r,\n /etc/ldap/ldap.conf r,\n /etc/mailname r,\n /etc/mysql/conf.d/ r,\n /etc/mysql/conf.d/* r,\n /etc/mysql/my.cnf r,\n /etc/newrelic/upgrade_please.key r,\n /etc/nginx/conf.d/ r,\n /etc/nginx/conf.d/** r,\n /etc/nginx/fastcgi_params r,\n /etc/nginx/mime.types r,\n /etc/nginx/nginx.conf r,\n /etc/postfix/dynamicmaps.cf r,\n /etc/postfix/dynamicmaps.cf.d/ r,\n /etc/postfix/main.cf r,\n /etc/ssl/private/ r,\n /etc/ssl/private/* r,\n /etc/ssl/private/nginx-wild-ssl.crt r,\n /etc/ssl/private/nginx-wild-ssl.dhp r,\n /etc/ssl/private/nginx-wild-ssl.key r,\n /etc/subversion/ r,\n /etc/subversion/* r,\n /etc/wgetrc r,\n /home/*/.drush/ r,\n /home/*/.drush/** r,\n /usr/local/share/git-core/templates/ r,\n /usr/local/share/git-core/templates/* r,\n /usr/local/share/git-core/templates/** r,\n /usr/share/GeoIP/GeoIP.dat r,\n /usr/share/GeoIP/GeoIPv6.dat r,\n /usr/share/GeoIP/GeoLite2-ASN.mmdb r,\n /usr/share/GeoIP/GeoLite2-City.mmdb r,\n /usr/share/GeoIP/GeoLite2-Country.mmdb r,\n /opt/php82/** r,\n\n # Allow PHP-CLI to read required user/access files\n /etc/login.defs r,\n /etc/pam.d/* r,\n /etc/passwd r,\n /etc/security/capability.conf r,\n /etc/security/limits.conf r,\n /etc/security/limits.d/ r,\n /etc/security/limits.d/* r,\n /etc/shadow r,\n /etc/sudo.conf r,\n /etc/sudoers r,\n /etc/sudoers.d/ r,\n /etc/sudoers.d/* r,\n /run/sudo/ts/ r,\n /run/sudo/ts/* r,\n\n # Allow PHP-CLI to execute some other binaries\n /usr/bin/symlinks mrix,\n /bin/cat mrix,\n /bin/chmod mrix,\n /bin/chown mrix,\n /bin/cp mrix,\n /bin/dash mrix,\n /bin/date mrix,\n /bin/egrep mrix,\n /bin/grep mrix,\n /bin/kmod mrix,\n /bin/mkdir mrix,\n /bin/mv mrix,\n /bin/pidof mrix,\n /bin/rm mrix,\n /bin/run-parts mrix,\n /bin/sed mrix,\n /bin/stty mrix,\n /bin/tar mrix,\n /bin/touch mrix,\n /opt/local/bin/websh mrix,\n /data/disk/*/**/vendor/drush/drush/drush.php mrix,\n /etc/init.d/nginx mrix,\n /sbin/killall5 mrix,\n /sbin/unix_chkpwd mrix,\n /usr/bin/chromium mrix,\n /usr/bin/convert mrix,\n /usr/bin/find mrix,\n /usr/bin/id mrix,\n /usr/bin/magick mrix,\n /usr/bin/mysql mrix,\n /usr/bin/patch mrix,\n /usr/bin/sudo mrix,\n /usr/bin/svn mrix,\n /usr/bin/tput mrix,\n /usr/bin/tr mrix,\n /usr/bin/unzip mrix,\n /usr/bin/wget mrix,\n /usr/bin/which mrix,\n /usr/bin/which.debianutils mrix,\n /usr/local/bin/composer mrix,\n /usr/local/bin/curl mrix,\n /usr/local/bin/fix-drupal-platform-ownership.sh mrix,\n /usr/local/bin/fix-drupal-platform-permissions.sh mrix,\n /usr/local/bin/fix-drupal-site-ownership.sh mrix,\n /usr/local/bin/fix-drupal-site-permissions.sh mrix,\n /usr/local/bin/git mrix,\n /usr/local/bin/lock-local-drush-permissions.sh mrix,\n /usr/local/bin/mydumper mrix,\n /usr/local/bin/myloader mrix,\n /usr/local/bin/wkhtmltoimage mrix,\n /usr/local/bin/wkhtmltopdf mrix,\n /usr/local/libexec/git-core/* mrix,\n /usr/local/libexec/git-core/** mrix,\n /usr/sbin/nginx mrix,\n /usr/sbin/postdrop mrix,\n /usr/sbin/sendmail mrix,\n\n # Allow PHP-CLI to access some /dev\n /dev/null rw,\n /dev/random r,\n /dev/tty rw,\n /dev/urandom r,\n\n # Allow PHP-CLI to use tmp files\n /tmp/ r,\n /tmp/** rw,\n /var/spool/postfix/maildrop/ r,\n /var/spool/postfix/maildrop/* rw,\n /var/tmp/** rw,\n\n # Allow read access to necessary libraries\n /lib/** mr,\n /lib/x86_64-linux-gnu/** mr,\n /lib64/** mr,\n /opt/php*/lib/php/** mr,\n /usr/lib/** mr,\n /usr/lib/x86_64-linux-gnu/** mr,\n /usr/libexec/** mr,\n /usr/local/include/** mr,\n /usr/local/ioncube/ioncube_loader_lin_*.so mr,\n /usr/local/lib/** mr,\n /usr/local/ssl/** mr,\n /usr/local/ssl3/** mr,\n\n # Allow PHP-CLI to read and write its log files\n /var/log/php/** rw,\n /var/log/newrelic/php_agent.log rw,\n\n # Allow PHP-CLI to write to some other log/pid files\n /run/nginx.pid rw,\n /var/log/nginx/access.log rw,\n /var/log/nginx/error.log rw,\n\n # Allow PHP-CLI to access /proc and /sys for necessary information\n /proc/ r,\n /proc/** r,\n /sys/ r,\n /sys/** r,\n\n # Allow PHP-CLI to use /dev/shm for temporary storage\n /dev/shm/ r,\n /dev/shm/** rw,\n\n # Deny execution of binaries from these directories\n deny /home/*/.tmp/** m,\n deny /home/*/** m,\n deny /tmp/** m,\n deny /var/tmp/** m,\n\n # Allow PHP-CLI to access drush\n /data/disk/*/tools/drush/ r,\n /data/disk/*/tools/drush/* mrix,\n /data/disk/*/tools/drush/** r,\n /opt/tools/drush/** mrix,\n /usr/local/bin/cv.phar mrix,\n /var/aegir/drush/ r,\n /var/aegir/drush/* mrix,\n /var/aegir/drush/** r,\n\n # Allow PHP-CLI to access System Default Web Root\n\n /var/www/** r,\n owner /var/www/** rw,\n\n # Allow PHP-CLI to read/write in the Ægir Backend on Master Instance\n\n owner /var/aegir/.drush/ r,\n owner /var/aegir/.drush/* rw,\n owner /var/aegir/.drush/** rw,\n owner /var/aegir/.tmp/ r,\n owner /var/aegir/.tmp/* rw,\n owner /var/aegir/.tmp/** rw,\n owner /var/aegir/config/ r,\n owner /var/aegir/config/* rw,\n owner /var/aegir/config/** rw,\n owner /var/aegir/host_master-*/ r,\n owner /var/aegir/host_master-*/* rw,\n owner /var/aegir/host_master-*/** rw,\n owner /var/aegir/host_master/ r,\n owner /var/aegir/host_master/* rw,\n owner /var/aegir/host_master/** rw,\n owner /var/aegir/platforms/ r,\n owner /var/aegir/platforms/* rw,\n owner /var/aegir/platforms/** rw,\n\n # Allow PHP-CLI to read/write in the Ægir Backend on Octopus Instances\n\n /data/all/ r,\n /data/all/* r,\n /data/all/** r,\n\n /data/conf/ r,\n /data/conf/* r,\n /data/conf/** r,\n\n /data/disk/*/.bashrc r,\n\n owner /data/disk/*/.cache/**/pack-* l,\n owner /data/disk/*/static/**/pack-* l,\n\n owner /data/disk/*/log/ r,\n owner /data/disk/*/log/* rw,\n owner /data/disk/*/.*.pass.php r,\n owner /data/disk/*/.rnd rw,\n\n owner /data/disk/*/backups/ rwl,\n owner /data/disk/*/backups/* rwl,\n owner /data/disk/*/backups/** rwl,\n\n owner /data/disk/*/backup-exports/ rwl,\n owner /data/disk/*/backup-exports/* rwl,\n owner /data/disk/*/backup-exports/** rwl,\n\n owner /data/disk/*/.config/ rwl,\n owner /data/disk/*/.config/* rwl,\n owner /data/disk/*/.config/** rwl,\n\n owner /data/disk/*/.cache/ rwl,\n owner /data/disk/*/.cache/* rwl,\n owner /data/disk/*/.cache/** rwl,\n\n owner /data/disk/*/.drush/ rwl,\n owner /data/disk/*/.drush/* rwl,\n owner /data/disk/*/.drush/** rwl,\n\n owner /data/disk/*/.tmp/ rwl,\n owner /data/disk/*/.tmp/* rwl,\n owner /data/disk/*/.tmp/** rwl,\n\n owner /data/disk/*/clients/ rw,\n owner /data/disk/*/clients/* rw,\n owner /data/disk/*/clients/** rw,\n\n owner /data/disk/*/config/ rw,\n owner /data/disk/*/config/* rw,\n owner /data/disk/*/config/** rw,\n\n owner /data/disk/*/tools/le/ rw,\n owner /data/disk/*/tools/le/* rw,\n owner /data/disk/*/tools/le/** rw,\n\n # Allow PHP-CLI to read/write in the Ægir Frontend on Octopus Instances\n\n owner /data/disk/*/aegir/ rw,\n owner /data/disk/*/aegir/* rw,\n owner /data/disk/*/aegir/** rw,\n\n # Allow PHP-CLI to read/write in the limited shell user home for Drush support\n\n owner /home/*/.drush/sites/ rw,\n owner /home/*/.drush/sites/* rw,\n owner /home/*/.drush/sites/** rw,\n\n owner /home/*/.drush/cache/ rw,\n owner /home/*/.drush/cache/* rw,\n owner /home/*/.drush/cache/** rw,\n\n owner /home/*/.tmp/ rw,\n owner /home/*/.tmp/* rw,\n owner /home/*/.tmp/** rw,\n\n # Allow PHP-CLI to read/write in the custom web root directories\n\n /data/disk/*/static/ rw,\n /data/disk/*/static/* rw,\n /data/disk/*/static/** rw,\n\n /data/disk/*/distro/ rw,\n /data/disk/*/distro/* rw,\n /data/disk/*/distro/** rw,\n\n /data/disk/*/platforms/ rw,\n /data/disk/*/platforms/* rw,\n /data/disk/*/platforms/** rw,\n\n # Allow PHP-CLI to read and write in the root tmp\n\n owner /root/.tmp/ rw,\n owner /root/.tmp/* rw,\n owner /root/.tmp/** rw,\n\n # Deny access to various sensitive directories and files\n deny /boot/** mrwklx,\n\n # Catchall to deny everything else\n #deny /** rwklx,\n\n # Site-specific additions and overrides can be added below\n}\n"
},
{
"path": "aegir/conf/apparmor/opt.php82.sbin.php-fpm",
"content": "# AppArmor profile for PHP-FPM\n# This profile restricts the PHP-FPM (php82) to essential operations only.\n\n#include \n\n/opt/php82/sbin/php-fpm flags=(attach_disconnected) {\n\n # Include common AppArmor abstractions\n include \n include \n include \n include \n\n # Capabilities needed by PHP-FPM\n capability chown,\n capability dac_override,\n capability dac_read_search,\n capability fowner,\n capability kill,\n capability setgid,\n capability setuid,\n capability sys_resource,\n\n # Allow PHP-FPM to accept signal from PHP-CLI processes\n signal (receive) peer=/opt/php*/bin/php,\n\n network inet stream,\n network inet6 stream,\n\n # Allow PHP-FPM to execute its own binary\n /opt/php82/sbin/php-fpm mrix,\n\n # Allow PHP-FPM to read its configuration files\n /data/conf/ r,\n /data/conf/** r,\n /etc/ImageMagick-6/log.xml r,\n /etc/ImageMagick-6/policy.xml r,\n /etc/ld.so.cache r,\n /etc/mailname r,\n /etc/newrelic/upgrade_please.key r,\n /etc/postfix/dynamicmaps.cf r,\n /etc/postfix/dynamicmaps.cf.d/ r,\n /etc/postfix/dynamicmaps.cf.d/* r,\n /etc/postfix/main.cf r,\n /home/*/.drush/** r,\n /opt/etc/fpm/** r,\n /var/spool/postfix/maildrop/ r,\n /var/spool/postfix/maildrop/* rw,\n /opt/php82/** r,\n\n # Allow PHP-FPM to execute some other binaries\n /bin/dash mrix,\n /opt/local/bin/websh mrix,\n /usr/bin/advdef mrix,\n /usr/bin/advpng mrix,\n /usr/bin/chromium mrix,\n /usr/bin/convert mrix,\n /usr/bin/id mrix,\n /usr/bin/jpegoptim mrix,\n /usr/bin/jpegtran mrix,\n /usr/bin/magick mrix,\n /usr/bin/optipng mrix,\n /usr/bin/pngcrush mrix,\n /usr/bin/pngquant mrix,\n /usr/lib/postfix/sbin/smtpd mrix,\n /usr/local/bin/curl mrix,\n /usr/local/bin/wkhtmltoimage mrix,\n /usr/local/bin/wkhtmltopdf mrix,\n /usr/sbin/postdrop mrix,\n /usr/sbin/sendmail mrix,\n\n # Allow PHP-FPM to access some /dev\n /dev/null rw,\n /dev/random r,\n /dev/tty wr,\n /dev/urandom r,\n\n # Allow PHP-FPM to access its run directory\n /run/** rw,\n\n # Allow PHP-FPM to use tmp files\n /home/*/.tmp/ r,\n /home/*/.tmp/** rw,\n /tmp/ r,\n /tmp/** rw,\n /var/tmp/** rw,\n\n # Allow read access to necessary libraries\n /lib/** mr,\n /lib/x86_64-linux-gnu/** mr,\n /lib64/** mr,\n /opt/php*/lib/php/** mr,\n /usr/lib/** mr,\n /usr/lib/x86_64-linux-gnu/** mr,\n /usr/libexec/** mr,\n /usr/local/include/** mr,\n /usr/local/ioncube/ioncube_loader_lin_*.so mr,\n /usr/local/lib/** mr,\n /usr/local/ssl/** mr,\n /usr/local/ssl3/** mr,\n\n # Allow PHP-FPM to read and write its log files\n /var/log/newrelic/php_agent.log rw,\n /var/log/php/** rw,\n\n # Allow PHP-FPM to access /proc and /sys for necessary information\n /proc/** r,\n /sys/** r,\n\n # Allow PHP-FPM to use /dev/shm for temporary storage\n /dev/shm/ r,\n /dev/shm/** rw,\n\n # Deny execution of binaries from these directories\n deny /home/*/.tmp/** m,\n deny /home/*/** m,\n deny /tmp/** m,\n deny /var/tmp/** m,\n\n # Allow PHP-FPM to read and write in the custom web root directories\n\n /var/www/** r,\n\n /var/aegir/host_master/** r,\n /var/aegir/platforms/** r,\n\n /data/disk/*/aegir/** r,\n /data/disk/*/distro/** r,\n /data/disk/*/platforms/** r,\n /data/disk/*/static/** r,\n /data/disk/*/tools/le/** r,\n\n /data/all/ r,\n /data/all/* r,\n /data/all/** r,\n /data/conf/ r,\n /data/conf/* r,\n /data/conf/** r,\n\n owner /var/aegir/host_master/** rw,\n owner /var/aegir/platforms/** rw,\n\n owner /data/disk/*/aegir/** rw,\n owner /data/disk/*/distro/** rw,\n owner /data/disk/*/platforms/** rw,\n owner /data/disk/*/static/** rw,\n owner /var/www/** rw,\n\n /home/*.web/.aws/ r,\n /home/*.web/.aws/* rw,\n /home/*.web/.drush/ r,\n /home/*.web/.drush/* r,\n /home/*.web/.tmp/ r,\n /home/*.web/.tmp/* rw,\n\n # Deny access to various sensitive directories and files\n deny /boot/** mrwklx,\n deny /etc/shadow* rwlx,\n deny /root/** mrwklx,\n\n # Catchall to deny everything else\n #deny /** rwklx,\n\n # Site-specific additions and overrides can be added below\n}\n"
},
{
"path": "aegir/conf/apparmor/opt.php83.bin.php",
"content": "# AppArmor profile for PHP-CLI\n# This profile restricts PHP-CLI (php83) to essential operations only.\n\n#include \n\n/opt/php83/bin/php flags=(complain) {\n\n # Include common AppArmor abstractions\n include \n include \n include \n include \n include \n\n # Capabilities needed by PHP-CLI\n capability audit_write,\n capability chown,\n capability dac_override,\n capability dac_read_search,\n capability fowner,\n capability fsetid,\n capability mknod,\n capability setgid,\n capability setuid,\n capability sys_ptrace,\n capability sys_resource,\n\n # Allow PHP-CLI to execute its own binary\n /opt/php83/bin/php mrix,\n\n # Allow PHP-CLI to signal/ptrace other processes\n ptrace (read) peer=/opt/php*/bin/php,\n signal (send) peer=unconfined,\n signal (send) peer=/usr/sbin/nginx,\n ptrace (read) peer=/opt/php*/sbin/php-fpm,\n ptrace (read) peer=/usr/bin/mysqld_safe,\n ptrace (read) peer=/usr/bin/redis-server,\n ptrace (read) peer=/usr/local/sbin/pure-ftpd,\n ptrace (read) peer=/usr/sbin/nginx,\n ptrace (read) peer=/usr/sbin/rsyslogd,\n ptrace (read) peer=/usr/sbin/unbound,\n ptrace (read) peer=unconfined,\n\n # Allow PHP-CLI to read required configuration files\n /data/disk/*/.subversion/ r,\n /data/disk/*/.subversion/* r,\n /etc/default/nginx r,\n /etc/ImageMagick-6/log.xml r,\n /etc/ImageMagick-6/policy.xml r,\n /etc/ld.so.cache r,\n /etc/ldap/ldap.conf r,\n /etc/mailname r,\n /etc/mysql/conf.d/ r,\n /etc/mysql/conf.d/* r,\n /etc/mysql/my.cnf r,\n /etc/newrelic/upgrade_please.key r,\n /etc/nginx/conf.d/ r,\n /etc/nginx/conf.d/** r,\n /etc/nginx/fastcgi_params r,\n /etc/nginx/mime.types r,\n /etc/nginx/nginx.conf r,\n /etc/postfix/dynamicmaps.cf r,\n /etc/postfix/dynamicmaps.cf.d/ r,\n /etc/postfix/main.cf r,\n /etc/ssl/private/ r,\n /etc/ssl/private/* r,\n /etc/ssl/private/nginx-wild-ssl.crt r,\n /etc/ssl/private/nginx-wild-ssl.dhp r,\n /etc/ssl/private/nginx-wild-ssl.key r,\n /etc/subversion/ r,\n /etc/subversion/* r,\n /etc/wgetrc r,\n /home/*/.drush/ r,\n /home/*/.drush/** r,\n /usr/local/share/git-core/templates/ r,\n /usr/local/share/git-core/templates/* r,\n /usr/local/share/git-core/templates/** r,\n /usr/share/GeoIP/GeoIP.dat r,\n /usr/share/GeoIP/GeoIPv6.dat r,\n /usr/share/GeoIP/GeoLite2-ASN.mmdb r,\n /usr/share/GeoIP/GeoLite2-City.mmdb r,\n /usr/share/GeoIP/GeoLite2-Country.mmdb r,\n /opt/php83/** r,\n\n # Allow PHP-CLI to read required user/access files\n /etc/login.defs r,\n /etc/pam.d/* r,\n /etc/passwd r,\n /etc/security/capability.conf r,\n /etc/security/limits.conf r,\n /etc/security/limits.d/ r,\n /etc/security/limits.d/* r,\n /etc/shadow r,\n /etc/sudo.conf r,\n /etc/sudoers r,\n /etc/sudoers.d/ r,\n /etc/sudoers.d/* r,\n /run/sudo/ts/ r,\n /run/sudo/ts/* r,\n\n # Allow PHP-CLI to execute some other binaries\n /usr/bin/symlinks mrix,\n /bin/cat mrix,\n /bin/chmod mrix,\n /bin/chown mrix,\n /bin/cp mrix,\n /bin/dash mrix,\n /bin/date mrix,\n /bin/egrep mrix,\n /bin/grep mrix,\n /bin/kmod mrix,\n /bin/mkdir mrix,\n /bin/mv mrix,\n /bin/pidof mrix,\n /bin/rm mrix,\n /bin/run-parts mrix,\n /bin/sed mrix,\n /bin/stty mrix,\n /bin/tar mrix,\n /bin/touch mrix,\n /opt/local/bin/websh mrix,\n /data/disk/*/**/vendor/drush/drush/drush.php mrix,\n /etc/init.d/nginx mrix,\n /sbin/killall5 mrix,\n /sbin/unix_chkpwd mrix,\n /usr/bin/chromium mrix,\n /usr/bin/convert mrix,\n /usr/bin/find mrix,\n /usr/bin/id mrix,\n /usr/bin/magick mrix,\n /usr/bin/mysql mrix,\n /usr/bin/patch mrix,\n /usr/bin/sudo mrix,\n /usr/bin/svn mrix,\n /usr/bin/tput mrix,\n /usr/bin/tr mrix,\n /usr/bin/unzip mrix,\n /usr/bin/wget mrix,\n /usr/bin/which mrix,\n /usr/bin/which.debianutils mrix,\n /usr/local/bin/composer mrix,\n /usr/local/bin/curl mrix,\n /usr/local/bin/fix-drupal-platform-ownership.sh mrix,\n /usr/local/bin/fix-drupal-platform-permissions.sh mrix,\n /usr/local/bin/fix-drupal-site-ownership.sh mrix,\n /usr/local/bin/fix-drupal-site-permissions.sh mrix,\n /usr/local/bin/git mrix,\n /usr/local/bin/lock-local-drush-permissions.sh mrix,\n /usr/local/bin/mydumper mrix,\n /usr/local/bin/myloader mrix,\n /usr/local/bin/wkhtmltoimage mrix,\n /usr/local/bin/wkhtmltopdf mrix,\n /usr/local/libexec/git-core/* mrix,\n /usr/local/libexec/git-core/** mrix,\n /usr/sbin/nginx mrix,\n /usr/sbin/postdrop mrix,\n /usr/sbin/sendmail mrix,\n\n # Allow PHP-CLI to access some /dev\n /dev/null rw,\n /dev/random r,\n /dev/tty rw,\n /dev/urandom r,\n\n # Allow PHP-CLI to use tmp files\n /tmp/ r,\n /tmp/** rw,\n /var/spool/postfix/maildrop/ r,\n /var/spool/postfix/maildrop/* rw,\n /var/tmp/** rw,\n\n # Allow read access to necessary libraries\n /lib/** mr,\n /lib/x86_64-linux-gnu/** mr,\n /lib64/** mr,\n /opt/php*/lib/php/** mr,\n /usr/lib/** mr,\n /usr/lib/x86_64-linux-gnu/** mr,\n /usr/libexec/** mr,\n /usr/local/include/** mr,\n /usr/local/ioncube/ioncube_loader_lin_*.so mr,\n /usr/local/lib/** mr,\n /usr/local/ssl/** mr,\n /usr/local/ssl3/** mr,\n\n # Allow PHP-CLI to read and write its log files\n /var/log/php/** rw,\n /var/log/newrelic/php_agent.log rw,\n\n # Allow PHP-CLI to write to some other log/pid files\n /run/nginx.pid rw,\n /var/log/nginx/access.log rw,\n /var/log/nginx/error.log rw,\n\n # Allow PHP-CLI to access /proc and /sys for necessary information\n /proc/ r,\n /proc/** r,\n /sys/ r,\n /sys/** r,\n\n # Allow PHP-CLI to use /dev/shm for temporary storage\n /dev/shm/ r,\n /dev/shm/** rw,\n\n # Deny execution of binaries from these directories\n deny /home/*/.tmp/** m,\n deny /home/*/** m,\n deny /tmp/** m,\n deny /var/tmp/** m,\n\n # Allow PHP-CLI to access drush\n /data/disk/*/tools/drush/ r,\n /data/disk/*/tools/drush/* mrix,\n /data/disk/*/tools/drush/** r,\n /opt/tools/drush/** mrix,\n /usr/local/bin/cv.phar mrix,\n /var/aegir/drush/ r,\n /var/aegir/drush/* mrix,\n /var/aegir/drush/** r,\n\n # Allow PHP-CLI to access System Default Web Root\n\n /var/www/** r,\n owner /var/www/** rw,\n\n # Allow PHP-CLI to read/write in the Ægir Backend on Master Instance\n\n owner /var/aegir/.drush/ r,\n owner /var/aegir/.drush/* rw,\n owner /var/aegir/.drush/** rw,\n owner /var/aegir/.tmp/ r,\n owner /var/aegir/.tmp/* rw,\n owner /var/aegir/.tmp/** rw,\n owner /var/aegir/config/ r,\n owner /var/aegir/config/* rw,\n owner /var/aegir/config/** rw,\n owner /var/aegir/host_master-*/ r,\n owner /var/aegir/host_master-*/* rw,\n owner /var/aegir/host_master-*/** rw,\n owner /var/aegir/host_master/ r,\n owner /var/aegir/host_master/* rw,\n owner /var/aegir/host_master/** rw,\n owner /var/aegir/platforms/ r,\n owner /var/aegir/platforms/* rw,\n owner /var/aegir/platforms/** rw,\n\n # Allow PHP-CLI to read/write in the Ægir Backend on Octopus Instances\n\n /data/all/ r,\n /data/all/* r,\n /data/all/** r,\n\n /data/conf/ r,\n /data/conf/* r,\n /data/conf/** r,\n\n /data/disk/*/.bashrc r,\n\n owner /data/disk/*/.cache/**/pack-* l,\n owner /data/disk/*/static/**/pack-* l,\n\n owner /data/disk/*/log/ r,\n owner /data/disk/*/log/* rw,\n owner /data/disk/*/.*.pass.php r,\n owner /data/disk/*/.rnd rw,\n\n owner /data/disk/*/backups/ rwl,\n owner /data/disk/*/backups/* rwl,\n owner /data/disk/*/backups/** rwl,\n\n owner /data/disk/*/backup-exports/ rwl,\n owner /data/disk/*/backup-exports/* rwl,\n owner /data/disk/*/backup-exports/** rwl,\n\n owner /data/disk/*/.config/ rwl,\n owner /data/disk/*/.config/* rwl,\n owner /data/disk/*/.config/** rwl,\n\n owner /data/disk/*/.cache/ rwl,\n owner /data/disk/*/.cache/* rwl,\n owner /data/disk/*/.cache/** rwl,\n\n owner /data/disk/*/.drush/ rwl,\n owner /data/disk/*/.drush/* rwl,\n owner /data/disk/*/.drush/** rwl,\n\n owner /data/disk/*/.tmp/ rwl,\n owner /data/disk/*/.tmp/* rwl,\n owner /data/disk/*/.tmp/** rwl,\n\n owner /data/disk/*/clients/ rw,\n owner /data/disk/*/clients/* rw,\n owner /data/disk/*/clients/** rw,\n\n owner /data/disk/*/config/ rw,\n owner /data/disk/*/config/* rw,\n owner /data/disk/*/config/** rw,\n\n owner /data/disk/*/tools/le/ rw,\n owner /data/disk/*/tools/le/* rw,\n owner /data/disk/*/tools/le/** rw,\n\n # Allow PHP-CLI to read/write in the Ægir Frontend on Octopus Instances\n\n owner /data/disk/*/aegir/ rw,\n owner /data/disk/*/aegir/* rw,\n owner /data/disk/*/aegir/** rw,\n\n # Allow PHP-CLI to read/write in the limited shell user home for Drush support\n\n owner /home/*/.drush/sites/ rw,\n owner /home/*/.drush/sites/* rw,\n owner /home/*/.drush/sites/** rw,\n\n owner /home/*/.drush/cache/ rw,\n owner /home/*/.drush/cache/* rw,\n owner /home/*/.drush/cache/** rw,\n\n owner /home/*/.tmp/ rw,\n owner /home/*/.tmp/* rw,\n owner /home/*/.tmp/** rw,\n\n # Allow PHP-CLI to read/write in the custom web root directories\n\n /data/disk/*/static/ rw,\n /data/disk/*/static/* rw,\n /data/disk/*/static/** rw,\n\n /data/disk/*/distro/ rw,\n /data/disk/*/distro/* rw,\n /data/disk/*/distro/** rw,\n\n /data/disk/*/platforms/ rw,\n /data/disk/*/platforms/* rw,\n /data/disk/*/platforms/** rw,\n\n # Allow PHP-CLI to read and write in the root tmp\n\n owner /root/.tmp/ rw,\n owner /root/.tmp/* rw,\n owner /root/.tmp/** rw,\n\n # Deny access to various sensitive directories and files\n deny /boot/** mrwklx,\n\n # Catchall to deny everything else\n #deny /** rwklx,\n\n # Site-specific additions and overrides can be added below\n}\n"
},
{
"path": "aegir/conf/apparmor/opt.php83.sbin.php-fpm",
"content": "# AppArmor profile for PHP-FPM\n# This profile restricts the PHP-FPM (php83) to essential operations only.\n\n#include \n\n/opt/php83/sbin/php-fpm flags=(attach_disconnected) {\n\n # Include common AppArmor abstractions\n include \n include \n include \n include \n\n # Capabilities needed by PHP-FPM\n capability chown,\n capability dac_override,\n capability dac_read_search,\n capability fowner,\n capability kill,\n capability setgid,\n capability setuid,\n capability sys_resource,\n\n # Allow PHP-FPM to accept signal from PHP-CLI processes\n signal (receive) peer=/opt/php*/bin/php,\n\n network inet stream,\n network inet6 stream,\n\n # Allow PHP-FPM to execute its own binary\n /opt/php83/sbin/php-fpm mrix,\n\n # Allow PHP-FPM to read its configuration files\n /data/conf/ r,\n /data/conf/** r,\n /etc/ImageMagick-6/log.xml r,\n /etc/ImageMagick-6/policy.xml r,\n /etc/ld.so.cache r,\n /etc/mailname r,\n /etc/newrelic/upgrade_please.key r,\n /etc/postfix/dynamicmaps.cf r,\n /etc/postfix/dynamicmaps.cf.d/ r,\n /etc/postfix/dynamicmaps.cf.d/* r,\n /etc/postfix/main.cf r,\n /home/*/.drush/** r,\n /opt/etc/fpm/** r,\n /var/spool/postfix/maildrop/ r,\n /var/spool/postfix/maildrop/* rw,\n /opt/php83/** r,\n\n # Allow PHP-FPM to execute some other binaries\n /bin/dash mrix,\n /opt/local/bin/websh mrix,\n /usr/bin/advdef mrix,\n /usr/bin/advpng mrix,\n /usr/bin/chromium mrix,\n /usr/bin/convert mrix,\n /usr/bin/id mrix,\n /usr/bin/jpegoptim mrix,\n /usr/bin/jpegtran mrix,\n /usr/bin/magick mrix,\n /usr/bin/optipng mrix,\n /usr/bin/pngcrush mrix,\n /usr/bin/pngquant mrix,\n /usr/lib/postfix/sbin/smtpd mrix,\n /usr/local/bin/curl mrix,\n /usr/local/bin/wkhtmltoimage mrix,\n /usr/local/bin/wkhtmltopdf mrix,\n /usr/sbin/postdrop mrix,\n /usr/sbin/sendmail mrix,\n\n # Allow PHP-FPM to access some /dev\n /dev/null rw,\n /dev/random r,\n /dev/tty wr,\n /dev/urandom r,\n\n # Allow PHP-FPM to access its run directory\n /run/** rw,\n\n # Allow PHP-FPM to use tmp files\n /home/*/.tmp/ r,\n /home/*/.tmp/** rw,\n /tmp/ r,\n /tmp/** rw,\n /var/tmp/** rw,\n\n # Allow read access to necessary libraries\n /lib/** mr,\n /lib/x86_64-linux-gnu/** mr,\n /lib64/** mr,\n /opt/php*/lib/php/** mr,\n /usr/lib/** mr,\n /usr/lib/x86_64-linux-gnu/** mr,\n /usr/libexec/** mr,\n /usr/local/include/** mr,\n /usr/local/ioncube/ioncube_loader_lin_*.so mr,\n /usr/local/lib/** mr,\n /usr/local/ssl/** mr,\n /usr/local/ssl3/** mr,\n\n # Allow PHP-FPM to read and write its log files\n /var/log/newrelic/php_agent.log rw,\n /var/log/php/** rw,\n\n # Allow PHP-FPM to access /proc and /sys for necessary information\n /proc/** r,\n /sys/** r,\n\n # Allow PHP-FPM to use /dev/shm for temporary storage\n /dev/shm/ r,\n /dev/shm/** rw,\n\n # Deny execution of binaries from these directories\n deny /home/*/.tmp/** m,\n deny /home/*/** m,\n deny /tmp/** m,\n deny /var/tmp/** m,\n\n # Allow PHP-FPM to read and write in the custom web root directories\n\n /var/www/** r,\n\n /var/aegir/host_master/** r,\n /var/aegir/platforms/** r,\n\n /data/disk/*/aegir/** r,\n /data/disk/*/distro/** r,\n /data/disk/*/platforms/** r,\n /data/disk/*/static/** r,\n /data/disk/*/tools/le/** r,\n\n /data/all/ r,\n /data/all/* r,\n /data/all/** r,\n /data/conf/ r,\n /data/conf/* r,\n /data/conf/** r,\n\n owner /var/aegir/host_master/** rw,\n owner /var/aegir/platforms/** rw,\n\n owner /data/disk/*/aegir/** rw,\n owner /data/disk/*/distro/** rw,\n owner /data/disk/*/platforms/** rw,\n owner /data/disk/*/static/** rw,\n owner /var/www/** rw,\n\n /home/*.web/.aws/ r,\n /home/*.web/.aws/* rw,\n /home/*.web/.drush/ r,\n /home/*.web/.drush/* r,\n /home/*.web/.tmp/ r,\n /home/*.web/.tmp/* rw,\n\n # Deny access to various sensitive directories and files\n deny /boot/** mrwklx,\n deny /etc/shadow* rwlx,\n deny /root/** mrwklx,\n\n # Catchall to deny everything else\n #deny /** rwklx,\n\n # Site-specific additions and overrides can be added below\n}\n"
},
{
"path": "aegir/conf/apparmor/opt.php84.bin.php",
"content": "# AppArmor profile for PHP-CLI\n# This profile restricts PHP-CLI (php84) to essential operations only.\n\n#include \n\n/opt/php84/bin/php flags=(complain) {\n\n # Include common AppArmor abstractions\n include \n include \n include \n include \n include \n\n # Capabilities needed by PHP-CLI\n capability audit_write,\n capability chown,\n capability dac_override,\n capability dac_read_search,\n capability fowner,\n capability fsetid,\n capability mknod,\n capability setgid,\n capability setuid,\n capability sys_ptrace,\n capability sys_resource,\n\n # Allow PHP-CLI to execute its own binary\n /opt/php84/bin/php mrix,\n\n # Allow PHP-CLI to signal/ptrace other processes\n ptrace (read) peer=/opt/php*/bin/php,\n signal (send) peer=unconfined,\n signal (send) peer=/usr/sbin/nginx,\n ptrace (read) peer=/opt/php*/sbin/php-fpm,\n ptrace (read) peer=/usr/bin/mysqld_safe,\n ptrace (read) peer=/usr/bin/redis-server,\n ptrace (read) peer=/usr/local/sbin/pure-ftpd,\n ptrace (read) peer=/usr/sbin/nginx,\n ptrace (read) peer=/usr/sbin/rsyslogd,\n ptrace (read) peer=/usr/sbin/unbound,\n ptrace (read) peer=unconfined,\n\n # Allow PHP-CLI to read required configuration files\n /data/disk/*/.subversion/ r,\n /data/disk/*/.subversion/* r,\n /etc/default/nginx r,\n /etc/ImageMagick-6/log.xml r,\n /etc/ImageMagick-6/policy.xml r,\n /etc/ld.so.cache r,\n /etc/ldap/ldap.conf r,\n /etc/mailname r,\n /etc/mysql/conf.d/ r,\n /etc/mysql/conf.d/* r,\n /etc/mysql/my.cnf r,\n /etc/newrelic/upgrade_please.key r,\n /etc/nginx/conf.d/ r,\n /etc/nginx/conf.d/** r,\n /etc/nginx/fastcgi_params r,\n /etc/nginx/mime.types r,\n /etc/nginx/nginx.conf r,\n /etc/postfix/dynamicmaps.cf r,\n /etc/postfix/dynamicmaps.cf.d/ r,\n /etc/postfix/main.cf r,\n /etc/ssl/private/ r,\n /etc/ssl/private/* r,\n /etc/ssl/private/nginx-wild-ssl.crt r,\n /etc/ssl/private/nginx-wild-ssl.dhp r,\n /etc/ssl/private/nginx-wild-ssl.key r,\n /etc/subversion/ r,\n /etc/subversion/* r,\n /etc/wgetrc r,\n /home/*/.drush/ r,\n /home/*/.drush/** r,\n /usr/local/share/git-core/templates/ r,\n /usr/local/share/git-core/templates/* r,\n /usr/local/share/git-core/templates/** r,\n /usr/share/GeoIP/GeoIP.dat r,\n /usr/share/GeoIP/GeoIPv6.dat r,\n /usr/share/GeoIP/GeoLite2-ASN.mmdb r,\n /usr/share/GeoIP/GeoLite2-City.mmdb r,\n /usr/share/GeoIP/GeoLite2-Country.mmdb r,\n /opt/php84/** r,\n\n # Allow PHP-CLI to read required user/access files\n /etc/login.defs r,\n /etc/pam.d/* r,\n /etc/passwd r,\n /etc/security/capability.conf r,\n /etc/security/limits.conf r,\n /etc/security/limits.d/ r,\n /etc/security/limits.d/* r,\n /etc/shadow r,\n /etc/sudo.conf r,\n /etc/sudoers r,\n /etc/sudoers.d/ r,\n /etc/sudoers.d/* r,\n /run/sudo/ts/ r,\n /run/sudo/ts/* r,\n\n # Allow PHP-CLI to execute some other binaries\n /usr/bin/symlinks mrix,\n /bin/cat mrix,\n /bin/chmod mrix,\n /bin/chown mrix,\n /bin/cp mrix,\n /bin/dash mrix,\n /bin/date mrix,\n /bin/egrep mrix,\n /bin/grep mrix,\n /bin/kmod mrix,\n /bin/mkdir mrix,\n /bin/mv mrix,\n /bin/pidof mrix,\n /bin/rm mrix,\n /bin/run-parts mrix,\n /bin/sed mrix,\n /bin/stty mrix,\n /bin/tar mrix,\n /bin/touch mrix,\n /opt/local/bin/websh mrix,\n /data/disk/*/**/vendor/drush/drush/drush.php mrix,\n /etc/init.d/nginx mrix,\n /sbin/killall5 mrix,\n /sbin/unix_chkpwd mrix,\n /usr/bin/chromium mrix,\n /usr/bin/convert mrix,\n /usr/bin/find mrix,\n /usr/bin/id mrix,\n /usr/bin/magick mrix,\n /usr/bin/mysql mrix,\n /usr/bin/patch mrix,\n /usr/bin/sudo mrix,\n /usr/bin/svn mrix,\n /usr/bin/tput mrix,\n /usr/bin/tr mrix,\n /usr/bin/unzip mrix,\n /usr/bin/wget mrix,\n /usr/bin/which mrix,\n /usr/bin/which.debianutils mrix,\n /usr/local/bin/composer mrix,\n /usr/local/bin/curl mrix,\n /usr/local/bin/fix-drupal-platform-ownership.sh mrix,\n /usr/local/bin/fix-drupal-platform-permissions.sh mrix,\n /usr/local/bin/fix-drupal-site-ownership.sh mrix,\n /usr/local/bin/fix-drupal-site-permissions.sh mrix,\n /usr/local/bin/git mrix,\n /usr/local/bin/lock-local-drush-permissions.sh mrix,\n /usr/local/bin/mydumper mrix,\n /usr/local/bin/myloader mrix,\n /usr/local/bin/wkhtmltoimage mrix,\n /usr/local/bin/wkhtmltopdf mrix,\n /usr/local/libexec/git-core/* mrix,\n /usr/local/libexec/git-core/** mrix,\n /usr/sbin/nginx mrix,\n /usr/sbin/postdrop mrix,\n /usr/sbin/sendmail mrix,\n\n # Allow PHP-CLI to access some /dev\n /dev/null rw,\n /dev/random r,\n /dev/tty rw,\n /dev/urandom r,\n\n # Allow PHP-CLI to use tmp files\n /tmp/ r,\n /tmp/** rw,\n /var/spool/postfix/maildrop/ r,\n /var/spool/postfix/maildrop/* rw,\n /var/tmp/** rw,\n\n # Allow read access to necessary libraries\n /lib/** mr,\n /lib/x86_64-linux-gnu/** mr,\n /lib64/** mr,\n /opt/php*/lib/php/** mr,\n /usr/lib/** mr,\n /usr/lib/x86_64-linux-gnu/** mr,\n /usr/libexec/** mr,\n /usr/local/include/** mr,\n /usr/local/ioncube/ioncube_loader_lin_*.so mr,\n /usr/local/lib/** mr,\n /usr/local/ssl/** mr,\n /usr/local/ssl3/** mr,\n\n # Allow PHP-CLI to read and write its log files\n /var/log/php/** rw,\n /var/log/newrelic/php_agent.log rw,\n\n # Allow PHP-CLI to write to some other log/pid files\n /run/nginx.pid rw,\n /var/log/nginx/access.log rw,\n /var/log/nginx/error.log rw,\n\n # Allow PHP-CLI to access /proc and /sys for necessary information\n /proc/ r,\n /proc/** r,\n /sys/ r,\n /sys/** r,\n\n # Allow PHP-CLI to use /dev/shm for temporary storage\n /dev/shm/ r,\n /dev/shm/** rw,\n\n # Deny execution of binaries from these directories\n deny /home/*/.tmp/** m,\n deny /home/*/** m,\n deny /tmp/** m,\n deny /var/tmp/** m,\n\n # Allow PHP-CLI to access drush\n /data/disk/*/tools/drush/ r,\n /data/disk/*/tools/drush/* mrix,\n /data/disk/*/tools/drush/** r,\n /opt/tools/drush/** mrix,\n /usr/local/bin/cv.phar mrix,\n /var/aegir/drush/ r,\n /var/aegir/drush/* mrix,\n /var/aegir/drush/** r,\n\n # Allow PHP-CLI to access System Default Web Root\n\n /var/www/** r,\n owner /var/www/** rw,\n\n # Allow PHP-CLI to read/write in the Ægir Backend on Master Instance\n\n owner /var/aegir/.drush/ r,\n owner /var/aegir/.drush/* rw,\n owner /var/aegir/.drush/** rw,\n owner /var/aegir/.tmp/ r,\n owner /var/aegir/.tmp/* rw,\n owner /var/aegir/.tmp/** rw,\n owner /var/aegir/config/ r,\n owner /var/aegir/config/* rw,\n owner /var/aegir/config/** rw,\n owner /var/aegir/host_master-*/ r,\n owner /var/aegir/host_master-*/* rw,\n owner /var/aegir/host_master-*/** rw,\n owner /var/aegir/host_master/ r,\n owner /var/aegir/host_master/* rw,\n owner /var/aegir/host_master/** rw,\n owner /var/aegir/platforms/ r,\n owner /var/aegir/platforms/* rw,\n owner /var/aegir/platforms/** rw,\n\n # Allow PHP-CLI to read/write in the Ægir Backend on Octopus Instances\n\n /data/all/ r,\n /data/all/* r,\n /data/all/** r,\n\n /data/conf/ r,\n /data/conf/* r,\n /data/conf/** r,\n\n /data/disk/*/.bashrc r,\n\n owner /data/disk/*/.cache/**/pack-* l,\n owner /data/disk/*/static/**/pack-* l,\n\n owner /data/disk/*/log/ r,\n owner /data/disk/*/log/* rw,\n owner /data/disk/*/.*.pass.php r,\n owner /data/disk/*/.rnd rw,\n\n owner /data/disk/*/backups/ rwl,\n owner /data/disk/*/backups/* rwl,\n owner /data/disk/*/backups/** rwl,\n\n owner /data/disk/*/backup-exports/ rwl,\n owner /data/disk/*/backup-exports/* rwl,\n owner /data/disk/*/backup-exports/** rwl,\n\n owner /data/disk/*/.config/ rwl,\n owner /data/disk/*/.config/* rwl,\n owner /data/disk/*/.config/** rwl,\n\n owner /data/disk/*/.cache/ rwl,\n owner /data/disk/*/.cache/* rwl,\n owner /data/disk/*/.cache/** rwl,\n\n owner /data/disk/*/.drush/ rwl,\n owner /data/disk/*/.drush/* rwl,\n owner /data/disk/*/.drush/** rwl,\n\n owner /data/disk/*/.tmp/ rwl,\n owner /data/disk/*/.tmp/* rwl,\n owner /data/disk/*/.tmp/** rwl,\n\n owner /data/disk/*/clients/ rw,\n owner /data/disk/*/clients/* rw,\n owner /data/disk/*/clients/** rw,\n\n owner /data/disk/*/config/ rw,\n owner /data/disk/*/config/* rw,\n owner /data/disk/*/config/** rw,\n\n owner /data/disk/*/tools/le/ rw,\n owner /data/disk/*/tools/le/* rw,\n owner /data/disk/*/tools/le/** rw,\n\n # Allow PHP-CLI to read/write in the Ægir Frontend on Octopus Instances\n\n owner /data/disk/*/aegir/ rw,\n owner /data/disk/*/aegir/* rw,\n owner /data/disk/*/aegir/** rw,\n\n # Allow PHP-CLI to read/write in the limited shell user home for Drush support\n\n owner /home/*/.drush/sites/ rw,\n owner /home/*/.drush/sites/* rw,\n owner /home/*/.drush/sites/** rw,\n\n owner /home/*/.drush/cache/ rw,\n owner /home/*/.drush/cache/* rw,\n owner /home/*/.drush/cache/** rw,\n\n owner /home/*/.tmp/ rw,\n owner /home/*/.tmp/* rw,\n owner /home/*/.tmp/** rw,\n\n # Allow PHP-CLI to read/write in the custom web root directories\n\n /data/disk/*/static/ rw,\n /data/disk/*/static/* rw,\n /data/disk/*/static/** rw,\n\n /data/disk/*/distro/ rw,\n /data/disk/*/distro/* rw,\n /data/disk/*/distro/** rw,\n\n /data/disk/*/platforms/ rw,\n /data/disk/*/platforms/* rw,\n /data/disk/*/platforms/** rw,\n\n # Allow PHP-CLI to read and write in the root tmp\n\n owner /root/.tmp/ rw,\n owner /root/.tmp/* rw,\n owner /root/.tmp/** rw,\n\n # Deny access to various sensitive directories and files\n deny /boot/** mrwklx,\n\n # Catchall to deny everything else\n #deny /** rwklx,\n\n # Site-specific additions and overrides can be added below\n}\n"
},
{
"path": "aegir/conf/apparmor/opt.php84.sbin.php-fpm",
"content": "# AppArmor profile for PHP-FPM\n# This profile restricts the PHP-FPM (php84) to essential operations only.\n\n#include \n\n/opt/php84/sbin/php-fpm flags=(attach_disconnected) {\n\n # Include common AppArmor abstractions\n include \n include \n include \n include \n\n # Capabilities needed by PHP-FPM\n capability chown,\n capability dac_override,\n capability dac_read_search,\n capability fowner,\n capability kill,\n capability setgid,\n capability setuid,\n capability sys_resource,\n\n # Allow PHP-FPM to accept signal from PHP-CLI processes\n signal (receive) peer=/opt/php*/bin/php,\n\n network inet stream,\n network inet6 stream,\n\n # Allow PHP-FPM to execute its own binary\n /opt/php84/sbin/php-fpm mrix,\n\n # Allow PHP-FPM to read its configuration files\n /data/conf/ r,\n /data/conf/** r,\n /etc/ImageMagick-6/log.xml r,\n /etc/ImageMagick-6/policy.xml r,\n /etc/ld.so.cache r,\n /etc/mailname r,\n /etc/newrelic/upgrade_please.key r,\n /etc/postfix/dynamicmaps.cf r,\n /etc/postfix/dynamicmaps.cf.d/ r,\n /etc/postfix/dynamicmaps.cf.d/* r,\n /etc/postfix/main.cf r,\n /home/*/.drush/** r,\n /opt/etc/fpm/** r,\n /var/spool/postfix/maildrop/ r,\n /var/spool/postfix/maildrop/* rw,\n /opt/php84/** r,\n\n # Allow PHP-FPM to execute some other binaries\n /bin/dash mrix,\n /opt/local/bin/websh mrix,\n /usr/bin/advdef mrix,\n /usr/bin/advpng mrix,\n /usr/bin/chromium mrix,\n /usr/bin/convert mrix,\n /usr/bin/id mrix,\n /usr/bin/jpegoptim mrix,\n /usr/bin/jpegtran mrix,\n /usr/bin/magick mrix,\n /usr/bin/optipng mrix,\n /usr/bin/pngcrush mrix,\n /usr/bin/pngquant mrix,\n /usr/lib/postfix/sbin/smtpd mrix,\n /usr/local/bin/curl mrix,\n /usr/local/bin/wkhtmltoimage mrix,\n /usr/local/bin/wkhtmltopdf mrix,\n /usr/sbin/postdrop mrix,\n /usr/sbin/sendmail mrix,\n\n # Allow PHP-FPM to access some /dev\n /dev/null rw,\n /dev/random r,\n /dev/tty wr,\n /dev/urandom r,\n\n # Allow PHP-FPM to access its run directory\n /run/** rw,\n\n # Allow PHP-FPM to use tmp files\n /home/*/.tmp/ r,\n /home/*/.tmp/** rw,\n /tmp/ r,\n /tmp/** rw,\n /var/tmp/** rw,\n\n # Allow read access to necessary libraries\n /lib/** mr,\n /lib/x86_64-linux-gnu/** mr,\n /lib64/** mr,\n /opt/php*/lib/php/** mr,\n /usr/lib/** mr,\n /usr/lib/x86_64-linux-gnu/** mr,\n /usr/libexec/** mr,\n /usr/local/include/** mr,\n /usr/local/ioncube/ioncube_loader_lin_*.so mr,\n /usr/local/lib/** mr,\n /usr/local/ssl/** mr,\n /usr/local/ssl3/** mr,\n\n # Allow PHP-FPM to read and write its log files\n /var/log/newrelic/php_agent.log rw,\n /var/log/php/** rw,\n\n # Allow PHP-FPM to access /proc and /sys for necessary information\n /proc/** r,\n /sys/** r,\n\n # Allow PHP-FPM to use /dev/shm for temporary storage\n /dev/shm/ r,\n /dev/shm/** rw,\n\n # Deny execution of binaries from these directories\n deny /home/*/.tmp/** m,\n deny /home/*/** m,\n deny /tmp/** m,\n deny /var/tmp/** m,\n\n # Allow PHP-FPM to read and write in the custom web root directories\n\n /var/www/** r,\n\n /var/aegir/host_master/** r,\n /var/aegir/platforms/** r,\n\n /data/disk/*/aegir/** r,\n /data/disk/*/distro/** r,\n /data/disk/*/platforms/** r,\n /data/disk/*/static/** r,\n /data/disk/*/tools/le/** r,\n\n /data/all/ r,\n /data/all/* r,\n /data/all/** r,\n /data/conf/ r,\n /data/conf/* r,\n /data/conf/** r,\n\n owner /var/aegir/host_master/** rw,\n owner /var/aegir/platforms/** rw,\n\n owner /data/disk/*/aegir/** rw,\n owner /data/disk/*/distro/** rw,\n owner /data/disk/*/platforms/** rw,\n owner /data/disk/*/static/** rw,\n owner /var/www/** rw,\n\n /home/*.web/.aws/ r,\n /home/*.web/.aws/* rw,\n /home/*.web/.drush/ r,\n /home/*.web/.drush/* r,\n /home/*.web/.tmp/ r,\n /home/*.web/.tmp/* rw,\n\n # Deny access to various sensitive directories and files\n deny /boot/** mrwklx,\n deny /etc/shadow* rwlx,\n deny /root/** mrwklx,\n\n # Catchall to deny everything else\n #deny /** rwklx,\n\n # Site-specific additions and overrides can be added below\n}\n"
},
{
"path": "aegir/conf/apparmor/opt.php85.bin.php",
"content": "# AppArmor profile for PHP-CLI\n# This profile restricts PHP-CLI (php85) to essential operations only.\n\n#include \n\n/opt/php85/bin/php flags=(complain) {\n\n # Include common AppArmor abstractions\n include \n include \n include \n include \n include \n\n # Capabilities needed by PHP-CLI\n capability audit_write,\n capability chown,\n capability dac_override,\n capability dac_read_search,\n capability fowner,\n capability fsetid,\n capability mknod,\n capability setgid,\n capability setuid,\n capability sys_ptrace,\n capability sys_resource,\n\n # Allow PHP-CLI to execute its own binary\n /opt/php85/bin/php mrix,\n\n # Allow PHP-CLI to signal/ptrace other processes\n ptrace (read) peer=/opt/php*/bin/php,\n signal (send) peer=unconfined,\n signal (send) peer=/usr/sbin/nginx,\n ptrace (read) peer=/opt/php*/sbin/php-fpm,\n ptrace (read) peer=/usr/bin/mysqld_safe,\n ptrace (read) peer=/usr/bin/redis-server,\n ptrace (read) peer=/usr/local/sbin/pure-ftpd,\n ptrace (read) peer=/usr/sbin/nginx,\n ptrace (read) peer=/usr/sbin/rsyslogd,\n ptrace (read) peer=/usr/sbin/unbound,\n ptrace (read) peer=unconfined,\n\n # Allow PHP-CLI to read required configuration files\n /data/disk/*/.subversion/ r,\n /data/disk/*/.subversion/* r,\n /etc/default/nginx r,\n /etc/ImageMagick-6/log.xml r,\n /etc/ImageMagick-6/policy.xml r,\n /etc/ld.so.cache r,\n /etc/ldap/ldap.conf r,\n /etc/mailname r,\n /etc/mysql/conf.d/ r,\n /etc/mysql/conf.d/* r,\n /etc/mysql/my.cnf r,\n /etc/newrelic/upgrade_please.key r,\n /etc/nginx/conf.d/ r,\n /etc/nginx/conf.d/** r,\n /etc/nginx/fastcgi_params r,\n /etc/nginx/mime.types r,\n /etc/nginx/nginx.conf r,\n /etc/postfix/dynamicmaps.cf r,\n /etc/postfix/dynamicmaps.cf.d/ r,\n /etc/postfix/main.cf r,\n /etc/ssl/private/ r,\n /etc/ssl/private/* r,\n /etc/ssl/private/nginx-wild-ssl.crt r,\n /etc/ssl/private/nginx-wild-ssl.dhp r,\n /etc/ssl/private/nginx-wild-ssl.key r,\n /etc/subversion/ r,\n /etc/subversion/* r,\n /etc/wgetrc r,\n /home/*/.drush/ r,\n /home/*/.drush/** r,\n /usr/local/share/git-core/templates/ r,\n /usr/local/share/git-core/templates/* r,\n /usr/local/share/git-core/templates/** r,\n /usr/share/GeoIP/GeoIP.dat r,\n /usr/share/GeoIP/GeoIPv6.dat r,\n /usr/share/GeoIP/GeoLite2-ASN.mmdb r,\n /usr/share/GeoIP/GeoLite2-City.mmdb r,\n /usr/share/GeoIP/GeoLite2-Country.mmdb r,\n /opt/php85/** r,\n\n # Allow PHP-CLI to read required user/access files\n /etc/login.defs r,\n /etc/pam.d/* r,\n /etc/passwd r,\n /etc/security/capability.conf r,\n /etc/security/limits.conf r,\n /etc/security/limits.d/ r,\n /etc/security/limits.d/* r,\n /etc/shadow r,\n /etc/sudo.conf r,\n /etc/sudoers r,\n /etc/sudoers.d/ r,\n /etc/sudoers.d/* r,\n /run/sudo/ts/ r,\n /run/sudo/ts/* r,\n\n # Allow PHP-CLI to execute some other binaries\n /usr/bin/symlinks mrix,\n /bin/cat mrix,\n /bin/chmod mrix,\n /bin/chown mrix,\n /bin/cp mrix,\n /bin/dash mrix,\n /bin/date mrix,\n /bin/egrep mrix,\n /bin/grep mrix,\n /bin/kmod mrix,\n /bin/mkdir mrix,\n /bin/mv mrix,\n /bin/pidof mrix,\n /bin/rm mrix,\n /bin/run-parts mrix,\n /bin/sed mrix,\n /bin/stty mrix,\n /bin/tar mrix,\n /bin/touch mrix,\n /opt/local/bin/websh mrix,\n /data/disk/*/**/vendor/drush/drush/drush.php mrix,\n /etc/init.d/nginx mrix,\n /sbin/killall5 mrix,\n /sbin/unix_chkpwd mrix,\n /usr/bin/chromium mrix,\n /usr/bin/convert mrix,\n /usr/bin/find mrix,\n /usr/bin/id mrix,\n /usr/bin/magick mrix,\n /usr/bin/mysql mrix,\n /usr/bin/patch mrix,\n /usr/bin/sudo mrix,\n /usr/bin/svn mrix,\n /usr/bin/tput mrix,\n /usr/bin/tr mrix,\n /usr/bin/unzip mrix,\n /usr/bin/wget mrix,\n /usr/bin/which mrix,\n /usr/bin/which.debianutils mrix,\n /usr/local/bin/composer mrix,\n /usr/local/bin/curl mrix,\n /usr/local/bin/fix-drupal-platform-ownership.sh mrix,\n /usr/local/bin/fix-drupal-platform-permissions.sh mrix,\n /usr/local/bin/fix-drupal-site-ownership.sh mrix,\n /usr/local/bin/fix-drupal-site-permissions.sh mrix,\n /usr/local/bin/git mrix,\n /usr/local/bin/lock-local-drush-permissions.sh mrix,\n /usr/local/bin/mydumper mrix,\n /usr/local/bin/myloader mrix,\n /usr/local/bin/wkhtmltoimage mrix,\n /usr/local/bin/wkhtmltopdf mrix,\n /usr/local/libexec/git-core/* mrix,\n /usr/local/libexec/git-core/** mrix,\n /usr/sbin/nginx mrix,\n /usr/sbin/postdrop mrix,\n /usr/sbin/sendmail mrix,\n\n # Allow PHP-CLI to access some /dev\n /dev/null rw,\n /dev/random r,\n /dev/tty rw,\n /dev/urandom r,\n\n # Allow PHP-CLI to use tmp files\n /tmp/ r,\n /tmp/** rw,\n /var/spool/postfix/maildrop/ r,\n /var/spool/postfix/maildrop/* rw,\n /var/tmp/** rw,\n\n # Allow read access to necessary libraries\n /lib/** mr,\n /lib/x86_64-linux-gnu/** mr,\n /lib64/** mr,\n /opt/php*/lib/php/** mr,\n /usr/lib/** mr,\n /usr/lib/x86_64-linux-gnu/** mr,\n /usr/libexec/** mr,\n /usr/local/include/** mr,\n /usr/local/ioncube/ioncube_loader_lin_*.so mr,\n /usr/local/lib/** mr,\n /usr/local/ssl/** mr,\n /usr/local/ssl3/** mr,\n\n # Allow PHP-CLI to read and write its log files\n /var/log/php/** rw,\n /var/log/newrelic/php_agent.log rw,\n\n # Allow PHP-CLI to write to some other log/pid files\n /run/nginx.pid rw,\n /var/log/nginx/access.log rw,\n /var/log/nginx/error.log rw,\n\n # Allow PHP-CLI to access /proc and /sys for necessary information\n /proc/ r,\n /proc/** r,\n /sys/ r,\n /sys/** r,\n\n # Allow PHP-CLI to use /dev/shm for temporary storage\n /dev/shm/ r,\n /dev/shm/** rw,\n\n # Deny execution of binaries from these directories\n deny /home/*/.tmp/** m,\n deny /home/*/** m,\n deny /tmp/** m,\n deny /var/tmp/** m,\n\n # Allow PHP-CLI to access drush\n /data/disk/*/tools/drush/ r,\n /data/disk/*/tools/drush/* mrix,\n /data/disk/*/tools/drush/** r,\n /opt/tools/drush/** mrix,\n /usr/local/bin/cv.phar mrix,\n /var/aegir/drush/ r,\n /var/aegir/drush/* mrix,\n /var/aegir/drush/** r,\n\n # Allow PHP-CLI to access System Default Web Root\n\n /var/www/** r,\n owner /var/www/** rw,\n\n # Allow PHP-CLI to read/write in the Ægir Backend on Master Instance\n\n owner /var/aegir/.drush/ r,\n owner /var/aegir/.drush/* rw,\n owner /var/aegir/.drush/** rw,\n owner /var/aegir/.tmp/ r,\n owner /var/aegir/.tmp/* rw,\n owner /var/aegir/.tmp/** rw,\n owner /var/aegir/config/ r,\n owner /var/aegir/config/* rw,\n owner /var/aegir/config/** rw,\n owner /var/aegir/host_master-*/ r,\n owner /var/aegir/host_master-*/* rw,\n owner /var/aegir/host_master-*/** rw,\n owner /var/aegir/host_master/ r,\n owner /var/aegir/host_master/* rw,\n owner /var/aegir/host_master/** rw,\n owner /var/aegir/platforms/ r,\n owner /var/aegir/platforms/* rw,\n owner /var/aegir/platforms/** rw,\n\n # Allow PHP-CLI to read/write in the Ægir Backend on Octopus Instances\n\n /data/all/ r,\n /data/all/* r,\n /data/all/** r,\n\n /data/conf/ r,\n /data/conf/* r,\n /data/conf/** r,\n\n /data/disk/*/.bashrc r,\n\n owner /data/disk/*/.cache/**/pack-* l,\n owner /data/disk/*/static/**/pack-* l,\n\n owner /data/disk/*/log/ r,\n owner /data/disk/*/log/* rw,\n owner /data/disk/*/.*.pass.php r,\n owner /data/disk/*/.rnd rw,\n\n owner /data/disk/*/backups/ rwl,\n owner /data/disk/*/backups/* rwl,\n owner /data/disk/*/backups/** rwl,\n\n owner /data/disk/*/backup-exports/ rwl,\n owner /data/disk/*/backup-exports/* rwl,\n owner /data/disk/*/backup-exports/** rwl,\n\n owner /data/disk/*/.config/ rwl,\n owner /data/disk/*/.config/* rwl,\n owner /data/disk/*/.config/** rwl,\n\n owner /data/disk/*/.cache/ rwl,\n owner /data/disk/*/.cache/* rwl,\n owner /data/disk/*/.cache/** rwl,\n\n owner /data/disk/*/.drush/ rwl,\n owner /data/disk/*/.drush/* rwl,\n owner /data/disk/*/.drush/** rwl,\n\n owner /data/disk/*/.tmp/ rwl,\n owner /data/disk/*/.tmp/* rwl,\n owner /data/disk/*/.tmp/** rwl,\n\n owner /data/disk/*/clients/ rw,\n owner /data/disk/*/clients/* rw,\n owner /data/disk/*/clients/** rw,\n\n owner /data/disk/*/config/ rw,\n owner /data/disk/*/config/* rw,\n owner /data/disk/*/config/** rw,\n\n owner /data/disk/*/tools/le/ rw,\n owner /data/disk/*/tools/le/* rw,\n owner /data/disk/*/tools/le/** rw,\n\n # Allow PHP-CLI to read/write in the Ægir Frontend on Octopus Instances\n\n owner /data/disk/*/aegir/ rw,\n owner /data/disk/*/aegir/* rw,\n owner /data/disk/*/aegir/** rw,\n\n # Allow PHP-CLI to read/write in the limited shell user home for Drush support\n\n owner /home/*/.drush/sites/ rw,\n owner /home/*/.drush/sites/* rw,\n owner /home/*/.drush/sites/** rw,\n\n owner /home/*/.drush/cache/ rw,\n owner /home/*/.drush/cache/* rw,\n owner /home/*/.drush/cache/** rw,\n\n owner /home/*/.tmp/ rw,\n owner /home/*/.tmp/* rw,\n owner /home/*/.tmp/** rw,\n\n # Allow PHP-CLI to read/write in the custom web root directories\n\n /data/disk/*/static/ rw,\n /data/disk/*/static/* rw,\n /data/disk/*/static/** rw,\n\n /data/disk/*/distro/ rw,\n /data/disk/*/distro/* rw,\n /data/disk/*/distro/** rw,\n\n /data/disk/*/platforms/ rw,\n /data/disk/*/platforms/* rw,\n /data/disk/*/platforms/** rw,\n\n # Allow PHP-CLI to read and write in the root tmp\n\n owner /root/.tmp/ rw,\n owner /root/.tmp/* rw,\n owner /root/.tmp/** rw,\n\n # Deny access to various sensitive directories and files\n deny /boot/** mrwklx,\n\n # Catchall to deny everything else\n #deny /** rwklx,\n\n # Site-specific additions and overrides can be added below\n}\n"
},
{
"path": "aegir/conf/apparmor/opt.php85.sbin.php-fpm",
"content": "# AppArmor profile for PHP-FPM\n# This profile restricts the PHP-FPM (php85) to essential operations only.\n\n#include \n\n/opt/php85/sbin/php-fpm flags=(attach_disconnected) {\n\n # Include common AppArmor abstractions\n include \n include \n include \n include \n\n # Capabilities needed by PHP-FPM\n capability chown,\n capability dac_override,\n capability dac_read_search,\n capability fowner,\n capability kill,\n capability setgid,\n capability setuid,\n capability sys_resource,\n\n # Allow PHP-FPM to accept signal from PHP-CLI processes\n signal (receive) peer=/opt/php*/bin/php,\n\n network inet stream,\n network inet6 stream,\n\n # Allow PHP-FPM to execute its own binary\n /opt/php85/sbin/php-fpm mrix,\n\n # Allow PHP-FPM to read its configuration files\n /data/conf/ r,\n /data/conf/** r,\n /etc/ImageMagick-6/log.xml r,\n /etc/ImageMagick-6/policy.xml r,\n /etc/ld.so.cache r,\n /etc/mailname r,\n /etc/newrelic/upgrade_please.key r,\n /etc/postfix/dynamicmaps.cf r,\n /etc/postfix/dynamicmaps.cf.d/ r,\n /etc/postfix/dynamicmaps.cf.d/* r,\n /etc/postfix/main.cf r,\n /home/*/.drush/** r,\n /opt/etc/fpm/** r,\n /var/spool/postfix/maildrop/ r,\n /var/spool/postfix/maildrop/* rw,\n /opt/php85/** r,\n\n # Allow PHP-FPM to execute some other binaries\n /bin/dash mrix,\n /opt/local/bin/websh mrix,\n /usr/bin/advdef mrix,\n /usr/bin/advpng mrix,\n /usr/bin/chromium mrix,\n /usr/bin/convert mrix,\n /usr/bin/id mrix,\n /usr/bin/jpegoptim mrix,\n /usr/bin/jpegtran mrix,\n /usr/bin/magick mrix,\n /usr/bin/optipng mrix,\n /usr/bin/pngcrush mrix,\n /usr/bin/pngquant mrix,\n /usr/lib/postfix/sbin/smtpd mrix,\n /usr/local/bin/curl mrix,\n /usr/local/bin/wkhtmltoimage mrix,\n /usr/local/bin/wkhtmltopdf mrix,\n /usr/sbin/postdrop mrix,\n /usr/sbin/sendmail mrix,\n\n # Allow PHP-FPM to access some /dev\n /dev/null rw,\n /dev/random r,\n /dev/tty wr,\n /dev/urandom r,\n\n # Allow PHP-FPM to access its run directory\n /run/** rw,\n\n # Allow PHP-FPM to use tmp files\n /home/*/.tmp/ r,\n /home/*/.tmp/** rw,\n /tmp/ r,\n /tmp/** rw,\n /var/tmp/** rw,\n\n # Allow read access to necessary libraries\n /lib/** mr,\n /lib/x86_64-linux-gnu/** mr,\n /lib64/** mr,\n /opt/php*/lib/php/** mr,\n /usr/lib/** mr,\n /usr/lib/x86_64-linux-gnu/** mr,\n /usr/libexec/** mr,\n /usr/local/include/** mr,\n /usr/local/ioncube/ioncube_loader_lin_*.so mr,\n /usr/local/lib/** mr,\n /usr/local/ssl/** mr,\n /usr/local/ssl3/** mr,\n\n # Allow PHP-FPM to read and write its log files\n /var/log/newrelic/php_agent.log rw,\n /var/log/php/** rw,\n\n # Allow PHP-FPM to access /proc and /sys for necessary information\n /proc/** r,\n /sys/** r,\n\n # Allow PHP-FPM to use /dev/shm for temporary storage\n /dev/shm/ r,\n /dev/shm/** rw,\n\n # Deny execution of binaries from these directories\n deny /home/*/.tmp/** m,\n deny /home/*/** m,\n deny /tmp/** m,\n deny /var/tmp/** m,\n\n # Allow PHP-FPM to read and write in the custom web root directories\n\n /var/www/** r,\n\n /var/aegir/host_master/** r,\n /var/aegir/platforms/** r,\n\n /data/disk/*/aegir/** r,\n /data/disk/*/distro/** r,\n /data/disk/*/platforms/** r,\n /data/disk/*/static/** r,\n /data/disk/*/tools/le/** r,\n\n /data/all/ r,\n /data/all/* r,\n /data/all/** r,\n /data/conf/ r,\n /data/conf/* r,\n /data/conf/** r,\n\n owner /var/aegir/host_master/** rw,\n owner /var/aegir/platforms/** rw,\n\n owner /data/disk/*/aegir/** rw,\n owner /data/disk/*/distro/** rw,\n owner /data/disk/*/platforms/** rw,\n owner /data/disk/*/static/** rw,\n owner /var/www/** rw,\n\n /home/*.web/.aws/ r,\n /home/*.web/.aws/* rw,\n /home/*.web/.drush/ r,\n /home/*.web/.drush/* r,\n /home/*.web/.tmp/ r,\n /home/*.web/.tmp/* rw,\n\n # Deny access to various sensitive directories and files\n deny /boot/** mrwklx,\n deny /etc/shadow* rwlx,\n deny /root/** mrwklx,\n\n # Catchall to deny everything else\n #deny /** rwklx,\n\n # Site-specific additions and overrides can be added below\n}\n"
},
{
"path": "aegir/conf/apparmor/sbin.dhclient",
"content": "# AppArmor profile for DHCP dhclient\n# This profile restricts DHCP dhclient (dhclient) to essential operations only.\n\n#include \n\n/{,usr/}sbin/dhclient flags=(complain) {\n\n # Include common AppArmor abstractions\n include \n include \n include \n\n # Capabilities needed by DHCP dhclient\n capability net_bind_service,\n capability net_raw,\n capability dac_override,\n capability net_admin,\n\n network packet,\n network raw,\n\n @{PROC}/[0-9]*/net/ r,\n @{PROC}/[0-9]*/net/** r,\n\n # dhclient wants to update its threads with functional names\n owner @{PROC}/@{pid}/task/[0-9]*/comm rw,\n\n /{,usr/}sbin/dhclient mrix,\n /{,usr/}bin/bash mrix,\n\n /etc/dhclient.conf r,\n /etc/dhcp/ r,\n /etc/dhcp/** r,\n\n /var/lib/dhcp{,3}/dhclient* lrw,\n /{,var/}run/dhclient*.pid lrw,\n /{,var/}run/dhclient*.lease* lrw,\n\n # NetworkManager\n /{,var/}run/nm*conf r,\n /{,var/}run/sendsigs.omit.d/network-manager.dhclient*.pid lrw,\n /{,var/}run/NetworkManager/dhclient*.pid lrw,\n /var/lib/NetworkManager/dhclient*.conf lrw,\n /var/lib/NetworkManager/dhclient*.lease* lrw,\n signal (receive) peer=/usr/sbin/NetworkManager,\n ptrace (readby) peer=/usr/sbin/NetworkManager,\n\n # connman\n /{,var/}run/connman/dhclient*.pid lrw,\n /{,var/}run/connman/dhclient*.leases lrw,\n\n # synce-hal\n /usr/share/synce-hal/dhclient.conf r,\n\n # if there is a custom script, let it run unconfined\n /etc/dhcp/dhclient-script Uxr,\n\n # The dhclient-script shell script sources other shell scripts rather than\n # executing them, so we can't just use a separate profile for dhclient-script\n # with 'Uxr' on the hook scripts. However, for the long-running dhclient3\n # daemon to run arbitrary code via /sbin/dhclient-script, it would need to be\n # able to subvert dhclient-script or write to the hooks.d directories. As\n # such, if the dhclient3 daemon is subverted, this effectively limits it to\n # only being able to run the hooks scripts.\n /{,usr/}sbin/dhclient-script Uxr,\n\n # Run the ELF executables under their own unrestricted profiles\n /usr/lib/NetworkManager/nm-dhcp-client.action Pxrm,\n /usr/lib/connman/scripts/dhclient-script Pxrm,\n\n # Support the new executable helper from NetworkManager.\n /usr/lib/NetworkManager/nm-dhcp-helper Pxrm,\n signal (receive) peer=/usr/lib/NetworkManager/nm-dhcp-helper,\n}\n\n# Profile for NetworkManager action\n/usr/lib/NetworkManager/nm-dhcp-client.action flags=(complain) {\n include \n include \n /usr/lib/NetworkManager/nm-dhcp-client.action mrix,\n\n /var/lib/NetworkManager/*lease r,\n signal (receive) peer=/usr/sbin/NetworkManager,\n ptrace (readby) peer=/usr/sbin/NetworkManager,\n network inet dgram,\n network inet6 dgram,\n}\n\n# Profile for NetworkManager helper\n/usr/lib/NetworkManager/nm-dhcp-helper flags=(complain) {\n include \n include \n /usr/lib/NetworkManager/nm-dhcp-helper mrix,\n\n /run/NetworkManager/private-dhcp rw,\n signal (send) peer=/sbin/dhclient,\n\n /var/lib/NetworkManager/*lease r,\n signal (receive) peer=/usr/sbin/NetworkManager,\n ptrace (readby) peer=/usr/sbin/NetworkManager,\n network inet dgram,\n network inet6 dgram,\n}\n\n# Profile for connman script\n/usr/lib/connman/scripts/dhclient-script flags=(complain) {\n include \n include \n /usr/lib/connman/scripts/dhclient-script mrix,\n network inet dgram,\n network inet6 dgram,\n}\n\n\n"
},
{
"path": "aegir/conf/apparmor/usr.bin.chromium",
"content": "# File: /etc/apparmor.d/usr.bin.chromium\n\n#include \n\n/usr/bin/chromium flags=(complain) {\n\n # Include common AppArmor abstractions\n include \n include \n include \n\n # Deny capability sys_ptrace\n deny capability sys_ptrace,\n\n # System paths chromium needs to operate\n /usr/bin/chromium mrix,\n /usr/lib/chromium/** mrix,\n\n # Temp usage\n owner /tmp/** rwk,\n owner /dev/shm/** rwk,\n\n # Proc/sys reads\n /proc/** r,\n /sys/** r,\n\n # Devices commonly accessed\n /dev/null rw,\n /dev/urandom r,\n /dev/random r,\n\n # Allow read access to necessary libraries\n /lib/** mr,\n /lib/x86_64-linux-gnu/** mr,\n /lib64/** mr,\n /usr/lib/** mr,\n /usr/lib/x86_64-linux-gnu/** mr,\n /usr/libexec/** mr,\n /usr/local/include/** mr,\n /usr/local/lib/** mr,\n /usr/local/ssl/** mr,\n /usr/local/ssl3/** mr,\n\n # Fonts + fontconfig\n /etc/fonts/** r,\n /usr/share/fonts/** r,\n /var/cache/fontconfig/** r,\n\n # Allow to read and write in the web root directories\n /var/www/** r,\n /data/disk/*/aegir/** r,\n /data/disk/*/distro/** r,\n /data/disk/*/platforms/** r,\n /data/disk/*/static/** r,\n\n owner /data/disk/*/distro/** rwk,\n owner /data/disk/*/platforms/** rwk,\n owner /data/disk/*/static/** rwk,\n owner /var/www/** rwk,\n\n /home/*.web/.aws/ r,\n /home/*.web/.aws/* rw,\n /home/*.web/.drush/ r,\n /home/*.web/.drush/* r,\n /home/*.web/.tmp/ r,\n /home/*.web/.tmp/* rw,\n\n # Catchall to deny everything else\n #deny /** rwklx,\n}\n"
},
{
"path": "aegir/conf/apparmor/usr.bin.freshclam",
"content": "# AppArmor profile for Freshclam service\n# This profile restricts Freshclam service (freshclam) to essential operations only.\n\n#include \n\n/usr/bin/freshclam flags=(complain) {\n\n # Include common AppArmor abstractions\n include \n include \n include \n include \n include \n\n # Capabilities needed by Freshclam service\n capability chown,\n capability dac_override,\n capability net_admin,\n capability net_bind_service,\n capability setgid,\n capability setuid,\n\n network inet stream,\n network inet dgram,\n network inet6 stream,\n network inet6 dgram,\n\n # Allow execution of necessary shells and the freshclam binary\n /bin/dash mrix,\n /bin/bash mrix,\n /bin/sh mrix,\n /usr/bin/freshclam mrix,\n\n # Allow access to /dev\n /dev/log w,\n /dev/null rw,\n /dev/random r,\n /dev/urandom r,\n\n # Allow access to /proc and /sys for necessary information\n /proc/** r,\n /sys/** r,\n\n # Allow access to temporary directories\n /tmp/ r,\n /tmp/** rw,\n /var/tmp/** rw,\n\n # Deny access to samba specific directories\n deny /{,var/}run/samba/{gencache,unexpected}.tdb mrwlk,\n\n # Allow read access to ClamAV configuration files\n /etc/clamav/clamd.conf r,\n /etc/clamav/freshclam.conf r,\n /etc/clamav/onerrorexecute.d/* mr,\n /etc/clamav/onupdateexecute.d/* mr,\n /etc/clamav/virusevent.d/* mr,\n\n # Allow read access to SSL libraries\n /usr/local/ssl3/lib64/libcrypto.so.* mr,\n /usr/local/ssl3/lib64/libssl.so.* mr,\n /usr/local/ssl3/openssl.cnf r,\n\n # Allow access to ClamAV directories and files\n /var/lib/clamav/ r,\n /var/lib/clamav/** rwk,\n /var/log/clamav/* rwk,\n /{,var/}run/clamav/clamd.ctl rw,\n /{,var/}run/clamav/freshclam.pid w,\n\n # Allow reading filesystems information\n @{PROC}/filesystems r,\n\n # Allow read/write access to ClamAV user directories\n owner /home/*/.clamtk/db/ r,\n owner /home/*/.clamtk/db/** rwk,\n owner /home/*/.klamav/database/ r,\n owner /home/*/.klamav/database/** rwk,\n owner @{PROC}/[0-9]*/status r,\n\n # Deny access to sensitive files and directories\n deny /etc/shadow* rwlx,\n deny /etc/passwd* rwlx,\n deny /root/** rwklx,\n\n # Catchall to deny everything else\n #deny /** rwklx,\n\n # Site-specific additions and overrides can be added below\n}\n"
},
{
"path": "aegir/conf/apparmor/usr.bin.man",
"content": "# AppArmor profile for Man service\n# This profile restricts Man service (man) to essential operations only.\n\n#include \n\n/usr/bin/man flags=(complain) {\n\n # Include common AppArmor abstractions\n include \n\n # Use a special profile when man calls anything groff-related. We only\n # include the programs that actually parse input data in a non-trivial\n # way, not wrappers such as groff and nroff, since the latter would need a\n # broader profile.\n /usr/bin/eqn mrCx -> &man_groff,\n /usr/bin/grap mrCx -> &man_groff,\n /usr/bin/pic mrCx -> &man_groff,\n /usr/bin/preconv mrCx -> &man_groff,\n /usr/bin/refer mrCx -> &man_groff,\n /usr/bin/tbl mrCx -> &man_groff,\n /usr/bin/troff mrCx -> &man_groff,\n /usr/bin/vgrind mrCx -> &man_groff,\n\n # Similarly, use a special profile when man calls decompressors and other\n # simple filters.\n /{,usr/}bin/bzip2 mrCx -> &man_filter,\n /{,usr/}bin/gzip mrCx -> &man_filter,\n /usr/bin/col mrCx -> &man_filter,\n /usr/bin/compress mrCx -> &man_filter,\n /usr/bin/iconv mrCx -> &man_filter,\n /usr/bin/lzip.lzip mrCx -> &man_filter,\n /usr/bin/tr mrCx -> &man_filter,\n /usr/bin/xz mrCx -> &man_filter,\n\n # Allow basic filesystem access, subject to DAC\n /** mrixwlk,\n unix,\n\n # Capabilities needed by Man service\n capability setuid,\n capability setgid,\n\n # Ordinary permission checks sometimes involve checking whether the\n # process has this capability, which can produce audit log messages.\n # Silence them.\n deny capability dac_override,\n deny capability dac_read_search,\n\n signal peer=@{profile_name},\n signal peer=/usr/bin/man//&man_groff,\n signal peer=/usr/bin/man//&man_filter,\n}\n\nprofile man_groff flags=(complain) {\n include \n include \n\n /usr/bin/eqn mrix,\n /usr/bin/grap mrix,\n /usr/bin/pic mrix,\n /usr/bin/preconv mrix,\n /usr/bin/refer mrix,\n /usr/bin/tbl mrix,\n /usr/bin/troff mrix,\n /usr/bin/vgrind mrix,\n\n /etc/groff/** r,\n /etc/papersize r,\n /usr/lib/groff/site-tmac/** r,\n /usr/share/groff/** r,\n\n /tmp/groff* rw,\n\n signal peer=/usr/bin/man,\n signal peer=/usr/bin/man//&man_groff,\n}\n\nprofile man_filter flags=(complain) {\n include \n include \n\n /{,usr/}bin/bzip2 mrix,\n /{,usr/}bin/gzip mrix,\n /usr/bin/col mrix,\n /usr/bin/compress mrix,\n /usr/bin/iconv mrix,\n /usr/bin/lzip.lzip mrix,\n /usr/bin/tr mrix,\n /usr/bin/xz mrix,\n\n # Manual pages can be more or less anywhere, especially with \"man -l\", and\n # there's no harm in allowing wide read access here since the worst it can\n # do is feed data to the invoking man process.\n /** r,\n\n # Allow writing cat pages.\n /var/cache/man/** rw,\n\n signal peer=/usr/bin/man,\n signal peer=/usr/bin/man//&man_filter,\n}\n"
},
{
"path": "aegir/conf/apparmor/usr.bin.mysecureshell",
"content": "# AppArmor profile for MySecureShell\n# This profile restricts MySecureShell (mysecureshell) to essential operations only.\n\n#include \n\n/usr/bin/mysecureshell flags=(complain) {\n\n # Include common AppArmor abstractions\n include \n include \n include \n include \n include \n include \n include \n include \n\n # Read access to its own config and logs\n /etc/ssh/sftp_config r,\n /etc/lshell.conf r,\n /var/log/lsh/ r,\n /var/log/lsh/* rw,\n /opt/php*/lib/php.ini r,\n\n # Allow read access to necessary libraries\n /lib/** mr,\n /lib/x86_64-linux-gnu/** mr,\n /lib64/** mr,\n /opt/php*/lib/php/** mr,\n /usr/lib/** mr,\n /usr/lib/x86_64-linux-gnu/** mr,\n /usr/libexec/** mr,\n /usr/local/include/** mr,\n /usr/local/ioncube/ioncube_loader_lin_*.so mr,\n /usr/local/lib/** mr,\n /usr/local/ssl/** mr,\n /usr/local/ssl3/** mr,\n\n # Allow MySecureShell to access /proc and /sys for necessary information\n /proc/ r,\n /proc/** r,\n /sys/ r,\n /sys/** r,\n\n # Read/write access to user home\n /home/*/ r,\n /home/*/** rw,\n\n # Read/write access to SSH client files\n /home/*/.ssh/ r,\n /home/*/.ssh/** rw,\n\n # Read-only access to Drush aliases and php.ini files\n /home/*/.drush/ r,\n /home/*/.drush/** r,\n\n # Drush access\n /opt/tools/drush/** mrix,\n /usr/local/bin/cv.phar mrix,\n\n # Read-only access to Octopus directories\n /data/disk/*/.drush/ r,\n /data/disk/*/.drush/** r,\n /data/disk/*/backups/ r,\n /data/disk/*/backups/** r,\n /data/disk/*/clients/ r,\n /data/disk/*/clients/** r,\n /data/disk/*/distro/** r,\n /data/disk/*/static/ r,\n /data/disk/*/static/** r,\n\n # Allow write access to Octopus user directories and files\n owner /data/disk/*/distro/** rw,\n owner /data/disk/*/static/ r,\n owner /data/disk/*/static/** rw,\n owner /opt/user/npm/*/** rw,\n owner /opt/user/gems/*/** rw,\n owner /opt/user/gems/*/bin/** k,\n\n # Read/write access to Drush cache\n /home/*/.drush/cache/ r,\n /home/*/.drush/cache/** rw,\n\n # Deny access to critical system files\n deny /etc/shadow* rwlx,\n\n # Allow read access to user information files\n /etc/passwd r,\n /etc/group r,\n /etc/nsswitch.conf r,\n /etc/hosts r,\n\n # Allow read-only access to resolv.conf for DNS resolution\n /etc/resolv.conf r,\n\n # Temporary files and directories\n /home/*/.tmp/ r,\n /home/*/.tmp/** rw,\n\n # Deny execution of any shell or command not explicitly allowed\n deny /bin/bash x,\n deny /usr/bin/perl x,\n\n # Allow execution of necessary binaries\n /bin/dash mrix,\n /opt/local/bin/websh mrix,\n /usr/bin/mysecureshell mrix,\n /usr/bin/python* mrix,\n /usr/local/bin/lshell mrix,\n\n # Additional binaries allowed in Limited Shell\n /bin/bzip2 mrix,\n /bin/cat mrix,\n /bin/chmod mrix,\n /bin/cp mrix,\n /bin/echo mrix,\n /bin/egrep mrix,\n /bin/grep mrix,\n /bin/gunzip mrix,\n /bin/gzip mrix,\n /bin/ls mrix,\n /bin/mkdir mrix,\n /bin/mv mrix,\n /bin/nano mrix,\n /bin/ping mrix,\n /bin/pwd mrix,\n /bin/rm mrix,\n /bin/rmdir mrix,\n /bin/sed mrix,\n /bin/stty mrix,\n /bin/tar mrix,\n /bin/touch mrix,\n /bin/true mrix,\n /data/disk/*/tools/drush/drush.php mrix,\n /opt/local/bin/mybackup mrix,\n /opt/local/bin/sqlmagic mrix,\n /opt/php*/bin/php mrix,\n /usr/bin/diff mrix,\n /usr/bin/du mrix,\n /usr/bin/env mrix,\n /usr/bin/find mrix,\n /usr/bin/id mrix,\n /usr/bin/mysql mrix,\n /usr/bin/mysqldump mrix,\n /usr/bin/node mrix,\n /usr/bin/openssl mrix,\n /usr/bin/passwd mrix,\n /usr/bin/patch mrix,\n /usr/bin/rsync mrix,\n /usr/bin/rvim mrix,\n /usr/bin/tput mrix,\n /usr/bin/unzip mrix,\n /usr/bin/wget mrix,\n /usr/bin/which.debianutils mrix,\n /usr/bin/zstd mrix,\n /usr/lib/node_modules/npm/bin/** mrix,\n /usr/local/bin/composer mrix,\n /usr/local/bin/curl mrix,\n /usr/local/bin/gem mrix,\n /usr/local/bin/git mrix,\n /usr/local/bin/git-receive-pack mrix,\n /usr/local/bin/git-upload-archive mrix,\n /usr/local/bin/git-upload-pack mrix,\n /usr/local/bin/mydumper mrix,\n /usr/local/bin/myloader mrix,\n /usr/local/bin/scp mrix,\n /usr/local/bin/sftp mrix,\n /usr/local/bin/ssh mrix,\n /usr/local/bin/ssh-keygen mrix,\n owner /opt/user/gems/*/** mrix,\n owner /opt/user/npm/*/** mrix,\n\n # Deny execution of any other binaries\n #deny /** rwklx,\n}\n"
},
{
"path": "aegir/conf/apparmor/usr.bin.mysql",
"content": "# AppArmor profile for MySQL client\n# This profile restricts MySQL client (mysql) to essential operations only.\n\n#include \n\n/usr/bin/mysql flags=(complain) {\n\n # Include common AppArmor abstractions\n include \n include \n include \n include \n\n # Capabilities needed by MySQL client\n capability net_bind_service,\n capability setgid,\n capability setuid,\n\n # Allow execution of the mysql binary\n /usr/bin/mysql mrix,\n\n # Allow execution of the mysqld binary\n /usr/sbin/mysqld mrix,\n\n # Allow execution of necessary utilities\n /bin/** mrix,\n /usr/bin/** mrix,\n /usr/sbin/** mrix,\n\n # Allow reading necessary directories\n /bin/ r,\n /usr/bin/ r,\n /usr/sbin/ r,\n /etc/inputrc r,\n\n # Allow MySQL to read its configuration files\n /etc/mysql/** r,\n /etc/mysql/conf.d/** r,\n /etc/mysql/mysql.conf.d/** r,\n\n # Allow MySQL to access its data directory\n /var/lib/mysql/ rwk,\n /var/lib/mysql/** rwk,\n\n # Allow MySQL to access its run directory\n /run/mysqld/ r,\n /run/mysqld/** rw,\n\n # Allow MySQL to access its tmp directory\n /tmp/ r,\n /tmp/** rw,\n\n # Allow MySQL to read system libraries\n /lib/** mr,\n /lib/x86_64-linux-gnu/** mr,\n /lib64/** mr,\n /usr/lib/** mr,\n /usr/lib/mysql/plugin/** mr,\n /usr/lib/x86_64-linux-gnu/** mr,\n /usr/local/lib/** mr,\n /usr/local/ssl/** mr,\n /usr/local/ssl3/** mr,\n /usr/share/mysql/** r,\n /usr/share/zoneinfo/** r,\n\n # Allow MySQL to access /proc and /sys for necessary information\n /proc/** r,\n /sys/** r,\n\n # Allow MySQL to use /dev/shm for temporary storage\n /dev/shm/** rw,\n /dev/shm/ r,\n\n # Allow MySQL to read network-related configurations\n /etc/hosts.allow r,\n /etc/hosts.deny r,\n /etc/services r,\n\n # Disallow execution of binaries from /tmp and /var/tmp\n deny /tmp/** m,\n deny /var/tmp/** m,\n\n # Deny access to various sensitive directories\n deny /boot/** mrwklx,\n\n # Deny access to various sensitive files\n deny /etc/shadow* rwlx,\n deny /etc/shadow- r,\n deny /etc/gshadow r,\n deny /etc/gshadow- r,\n\n # Allow reading the user's .my.cnf file\n /root/.my.cnf r,\n /home/*/.my.cnf r,\n\n # Allow writing to log files in user's home directory\n /home/*/.mysql_history rw,\n /root/.mysql_history rw,\n\n # Catchall to deny everything else\n #deny /** rwklx,\n\n # Site-specific additions and overrides can be added below\n}\n"
},
{
"path": "aegir/conf/apparmor/usr.bin.mysqld_safe",
"content": "# AppArmor profile for MySQLd starter\n# This profile restricts MySQLd starter (mysqld_safe) to essential operations only.\n\n#include \n\n/usr/bin/mysqld_safe flags=(complain) {\n\n # Include common AppArmor abstractions\n include \n include \n include \n include \n\n # Capabilities needed by MySQLd starter\n capability dac_override,\n capability dac_read_search,\n capability setgid,\n capability setuid,\n capability sys_resource,\n capability sys_nice,\n\n network inet stream,\n network inet6 stream,\n\n # Allow MySQLd to accept signal from PHP-CLI processes\n signal (receive) peer=/opt/php*/bin/php,\n\n # Allow mysqld_safe to read its configuration files\n /etc/mysql/** r,\n /etc/mysql/conf.d/** r,\n /etc/mysql/mysql.conf.d/** r,\n /etc/hosts.deny r,\n /etc/hosts.allow r,\n\n # Allow mysqld_safe to access its data directory\n /var/lib/mysql/ rwk,\n /var/lib/mysql/** rwk,\n\n # Allow mysqld_safe to access its run directory\n /run/mysqld/ r,\n /run/mysqld/** rw,\n\n # Allow mysqld_safe to write to its log files\n /var/log/mysql/ r,\n /var/log/mysql/** rw,\n\n # Allow mysqld_safe to access tmp directories\n /tmp/ r,\n /tmp/** rw,\n /var/tmp/** rw,\n\n # Allow mysqld_safe to read system libraries\n /lib/** mr,\n /lib/x86_64-linux-gnu/** mr,\n /lib64/** mr,\n /usr/lib/** mr,\n /usr/lib/mysql/plugin/** mr,\n /usr/lib/x86_64-linux-gnu/** mr,\n /usr/local/lib/** mr,\n /usr/local/ssl/** mr,\n /usr/local/ssl3/** mr,\n /usr/share/mysql/** r,\n /usr/share/zoneinfo/** r,\n\n # Allow mysqld_safe to access /proc and /sys for necessary information\n /proc/** r,\n /sys/** r,\n\n # Allow mysqld_safe to use /dev/shm for temporary storage\n /dev/shm/** rw,\n /dev/shm/ r,\n\n # Allow execution of mysqld_safe\n /usr/bin/mysqld_safe mrix,\n\n # Allow execution of the mysql binary\n /usr/bin/mysql mrix,\n\n # Allow execution of the mysqld binary\n /usr/sbin/mysqld mrix,\n\n # Allow execution of necessary utilities\n /bin/** mrix,\n /usr/bin/** mrix,\n /usr/sbin/** mrix,\n\n # Allow reading necessary directories\n /bin/ r,\n /usr/bin/ r,\n /usr/sbin/ r,\n\n # Catchall to deny everything else\n #deny /** rwklx,\n\n # Site-specific additions and overrides can be added below\n}\n"
},
{
"path": "aegir/conf/apparmor/usr.bin.newrelic-daemon",
"content": "# AppArmor profile for New Relic\n# This profile restricts the New Relic (newrelic-daemon) to essential operations only.\n\n#include \n\n/usr/bin/newrelic-daemon flags=(complain) {\n\n # Include common AppArmor abstractions\n include \n include \n\n # Capabilities needed by New Relic\n capability net_admin,\n capability setgid,\n capability setuid,\n\n network inet stream,\n network inet dgram,\n network inet6 stream,\n network inet6 dgram,\n\n # Allow execution of the newrelic-daemon binary\n /usr/bin/newrelic-daemon mrix,\n\n # Allow newrelic-daemon to read its configuration files\n /etc/newrelic/** r,\n\n # Allow newrelic-daemon to read system libraries\n /lib/** mr,\n /lib/x86_64-linux-gnu/** mr,\n /lib64/** mr,\n /usr/lib/** mr,\n /usr/lib/x86_64-linux-gnu/** mr,\n /usr/lib64/** mr,\n /usr/local/include/** mr,\n /usr/local/lib/** mr,\n /usr/local/ssl/** mr,\n /usr/local/ssl3/** mr,\n\n # Allow newrelic-daemon to access /proc for necessary information\n /proc/** r,\n\n # Allow newrelic-daemon to access log files\n /var/log/newrelic/** rw,\n\n # Allow newrelic-daemon to use tmp files\n /tmp/ r,\n /tmp/** rw,\n /var/tmp/** rw,\n\n # Allow newrelic-daemon to access run directory\n /run/newrelic/** rw,\n\n # Allow newrelic-daemon to access shared memory\n /dev/shm/** rw,\n /dev/shm/ r,\n\n # Disallow execution of binaries from /tmp and /var/tmp\n deny /tmp/** m,\n deny /var/tmp/** m,\n\n # Deny access to various sensitive directories\n deny /boot/** mrwklx,\n deny /opt/** mrwklx,\n deny /root/** mrwklx,\n\n # Catchall to deny everything else\n #deny /** rwklx,\n\n # Site-specific additions and overrides can be added below\n}\n"
},
{
"path": "aegir/conf/apparmor/usr.bin.node",
"content": "# AppArmor profile for Node/NPM\n# This profile restricts Limited Shell (lshell) to essential operations only.\n\n#include \n\n/usr/bin/node flags=(complain) {\n\n # Include common AppArmor abstractions\n include \n include \n\n # Capability permissions\n capability ipc_lock,\n capability sys_resource,\n\n # Network access\n network inet,\n\n # Allow read access to necessary libraries\n /etc/ssl/openssl.cnf r,\n /lib/** mr,\n /lib/x86_64-linux-gnu/** mr,\n /lib64/** mr,\n /usr/lib/** mr,\n /usr/lib/x86_64-linux-gnu/** mr,\n /usr/libexec/** mr,\n /usr/local/include/** mr,\n /usr/local/lib/** mr,\n /usr/local/ssl/** mr,\n /usr/local/ssl3/** mr,\n\n # Allow reading of environment variables\n /proc/** r,\n /sys/** r,\n\n # Specific file permissions\n owner /home/*/.npmrc r,\n\n # Temporary files and directories\n owner /home/*/.tmp/ r,\n owner /home/*/.tmp/** rw,\n\n # Miscellaneous\n /dev/urandom rw,\n /dev/null rw,\n /dev/tty rw,\n\n # Deny execution of any shell or command not explicitly allowed\n deny /bin/bash x,\n deny /bin/dash x,\n deny /bin/websh x,\n deny /usr/bin/perl x,\n deny /usr/bin/python* x,\n deny /usr/local/bin/ruby x,\n\n # Deny certain capabilities\n deny capability sys_chroot, # Deny changing root\n deny capability sys_admin, # Deny various system admin privileges\n deny capability setuid, # Deny changing user IDs\n deny capability setgid, # Deny changing group IDs\n deny capability kill, # Deny sending signals to arbitrary processes\n\n # Deny execution of binaries from these directories\n deny /home/*/.tmp/** m,\n deny /home/*/** m,\n deny /tmp/** m,\n deny /var/tmp/** m,\n\n # Allow execution of npm etc\n /usr/bin/node mrix,\n /usr/bin/npm mrix,\n /opt/user/npm/*/ r,\n /opt/user/npm/*/** mrix,\n\n # Allow to read and write in the custom web root directories\n\n /data/disk/*/distro/** r,\n /data/disk/*/platforms/** r,\n /data/disk/*/static/** r,\n\n owner /data/disk/*/distro/** rw,\n owner /data/disk/*/platforms/** rw,\n owner /data/disk/*/static/** rw,\n\n # Deny access to various sensitive directories and files\n deny /boot/** mrwklx,\n deny /root/** mrwklx,\n deny /etc/shadow* rwlx,\n deny /etc/passwd* rwlx,\n\n # Catchall to deny everything else\n #deny /** rwklx,\n\n # Site-specific additions and overrides can be added below\n}\n"
},
{
"path": "aegir/conf/apparmor/usr.bin.redis-server",
"content": "# AppArmor profile for Redis server\n# This profile restricts the Redis server (redis-server) to essential operations only.\n\n#include \n\n/usr/bin/redis-server flags=(complain) {\n\n # Include common AppArmor abstractions\n include \n include \n include \n\n # Allow Redis to accept signal from PHP-CLI processes\n signal (receive) peer=/opt/php*/bin/php,\n\n # Allow reading necessary kernel parameters\n /proc/sys/** r,\n /sys/devices/** r,\n /sys/kernel/** r,\n\n # Allow execution of redis-server binary\n /usr/bin/redis-server mrix,\n\n # Allow Redis to read its configuration file\n /etc/redis/redis.conf r,\n\n # Allow Redis to read and write its data files\n /var/lib/redis/** rwk,\n\n # Allow Redis to read and write its log files\n /var/log/redis/** rw,\n\n # Allow Redis to open TCP sockets on any address\n network inet stream,\n\n # Allow Redis to use syslog\n /dev/log w,\n /usr/bin/logger ixr,\n\n # Allow Redis to read system libraries\n /lib/** mr,\n /lib64/** mr,\n /usr/lib/** mr,\n /usr/local/sbin/* mrix,\n /usr/local/ssl/** mr,\n /usr/local/ssl3/** mr,\n\n # Allow Redis to use /run for pid/sock files\n /run/redis/** rw,\n\n # Allow Redis to use tmp files\n /tmp/ r,\n /tmp/** rw,\n\n owner /proc/*/smaps r,\n owner /proc/*/stat r,\n owner /var/lib/redis/ r,\n owner /var/lib/redis/dump.rdb rw,\n owner /var/lib/redis/temp-*.rdb rw,\n owner /var/log/redis/redis-server.log rw,\n\n # Catchall to deny everything else\n #deny /** rwklx,\n}\n"
},
{
"path": "aegir/conf/apparmor/usr.bin.valkey-server",
"content": "# AppArmor profile for Valkey server\n# This profile restricts the Valkey server (valkey-server) to essential operations only.\n\n#include \n\n/usr/bin/valkey-server flags=(complain) {\n\n # Include common AppArmor abstractions\n include \n include \n include \n\n # Allow Valkey to accept signal from PHP-CLI processes\n signal (receive) peer=/opt/php*/bin/php,\n\n # Allow reading necessary kernel parameters\n /proc/sys/** r,\n /sys/devices/** r,\n /sys/kernel/** r,\n\n # Allow execution of valkey-server binary\n /usr/bin/valkey-server mrix,\n\n # Allow Valkey to read its configuration file\n /etc/valkey/valkey.conf r,\n\n # Allow Valkey to read and write its data files\n /var/lib/valkey/** rwk,\n\n # Allow Valkey to read and write its log files\n /var/log/valkey/** rw,\n\n # Allow Valkey to open TCP sockets on any address\n network inet stream,\n\n # Allow Valkey to use syslog\n /dev/log w,\n /usr/bin/logger ixr,\n\n # Allow Valkey to read system libraries\n /lib/** mr,\n /lib64/** mr,\n /usr/lib/** mr,\n /usr/local/sbin/* mrix,\n /usr/local/ssl/** mr,\n /usr/local/ssl3/** mr,\n\n # Allow Valkey to use /run for pid/sock files\n /run/valkey/** rw,\n\n # Allow Valkey to use tmp files\n /tmp/ r,\n /tmp/** rw,\n\n owner /proc/*/smaps r,\n owner /proc/*/stat r,\n owner /var/lib/valkey/ r,\n owner /var/lib/valkey/dump.rdb rw,\n owner /var/lib/valkey/temp-*.rdb rw,\n owner /var/log/valkey/valkey-server.log rw,\n\n # Catchall to deny everything else\n #deny /** rwklx,\n}\n"
},
{
"path": "aegir/conf/apparmor/usr.local.bin.lshell",
"content": "# AppArmor profile for Limited Shell\n# This profile restricts Limited Shell (lshell) to essential operations only.\n\n#include \n\n/usr/local/bin/lshell flags=(complain) {\n\n # Include common AppArmor abstractions\n include \n include \n include \n include \n include \n include \n include \n include \n\n # Read access to its own config and logs\n /etc/ssh/sftp_config r,\n /etc/lshell.conf r,\n /var/log/lsh/ r,\n /var/log/lsh/* rw,\n /opt/php*/lib/php.ini r,\n\n # Allow read access to necessary libraries\n /lib/** mr,\n /lib/x86_64-linux-gnu/** mr,\n /lib64/** mr,\n /opt/php*/lib/php/** mr,\n /usr/lib/** mr,\n /usr/lib/x86_64-linux-gnu/** mr,\n /usr/libexec/** mr,\n /usr/local/include/** mr,\n /usr/local/ioncube/ioncube_loader_lin_*.so mr,\n /usr/local/lib/** mr,\n /usr/local/ssl/** mr,\n /usr/local/ssl3/** mr,\n\n # Allow Limited Shell to access /proc and /sys for necessary information\n /proc/ r,\n /proc/** r,\n /sys/ r,\n /sys/** r,\n\n # Read/write access to user home\n /home/*/ r,\n /home/*/** rw,\n\n # Read/write access to SSH client files\n /home/*/.ssh/ r,\n /home/*/.ssh/** rw,\n\n # Read-only access to Drush aliases and php.ini files\n /home/*/.drush/ r,\n /home/*/.drush/** r,\n\n # Drush access\n /opt/tools/drush/** mrix,\n /usr/local/bin/cv.phar mrix,\n\n # Read-only access to Octopus directories\n /data/disk/*/.drush/ r,\n /data/disk/*/.drush/** r,\n /data/disk/*/backups/ r,\n /data/disk/*/backups/** r,\n /data/disk/*/clients/ r,\n /data/disk/*/clients/** r,\n /data/disk/*/distro/** r,\n /data/disk/*/static/ r,\n /data/disk/*/static/** r,\n\n # Allow write access to Octopus user directories and files\n owner /data/disk/*/distro/** rw,\n owner /data/disk/*/static/ r,\n owner /data/disk/*/static/** rw,\n owner /opt/user/npm/*/** rw,\n owner /opt/user/gems/*/** rw,\n owner /opt/user/gems/*/bin/** k,\n\n # Read/write access to Drush cache\n /home/*/.drush/cache/ r,\n /home/*/.drush/cache/** rw,\n\n # Deny access to critical system files\n deny /etc/shadow* rwlx,\n\n # Allow read access to user information files\n /etc/passwd r,\n /etc/group r,\n /etc/nsswitch.conf r,\n /etc/hosts r,\n\n # Allow read-only access to resolv.conf for DNS resolution\n /etc/resolv.conf r,\n\n # Temporary files and directories\n /home/*/.tmp/ r,\n /home/*/.tmp/** rw,\n\n # Deny execution of any shell or command not explicitly allowed\n deny /bin/bash x,\n deny /usr/bin/perl x,\n\n # Allow execution of necessary binaries\n /bin/dash mrix,\n /opt/local/bin/websh mrix,\n /usr/bin/mysecureshell mrix,\n /usr/bin/python* mrix,\n /usr/local/bin/lshell mrix,\n\n # Additional binaries allowed in Limited Shell\n /bin/bzip2 mrix,\n /bin/cat mrix,\n /bin/chmod mrix,\n /bin/cp mrix,\n /bin/echo mrix,\n /bin/egrep mrix,\n /bin/grep mrix,\n /bin/gunzip mrix,\n /bin/gzip mrix,\n /bin/ls mrix,\n /bin/mkdir mrix,\n /bin/mv mrix,\n /bin/nano mrix,\n /bin/ping mrix,\n /bin/pwd mrix,\n /bin/rm mrix,\n /bin/rmdir mrix,\n /bin/sed mrix,\n /bin/stty mrix,\n /bin/tar mrix,\n /bin/touch mrix,\n /bin/true mrix,\n /data/disk/*/tools/drush/drush.php mrix,\n /opt/local/bin/mybackup mrix,\n /opt/local/bin/sqlmagic mrix,\n /opt/php*/bin/php mrix,\n /usr/bin/diff mrix,\n /usr/bin/du mrix,\n /usr/bin/env mrix,\n /usr/bin/find mrix,\n /usr/bin/id mrix,\n /usr/bin/mysql mrix,\n /usr/bin/mysqldump mrix,\n /usr/bin/node mrix,\n /usr/bin/openssl mrix,\n /usr/bin/passwd mrix,\n /usr/bin/patch mrix,\n /usr/bin/rsync mrix,\n /usr/bin/rvim mrix,\n /usr/bin/tput mrix,\n /usr/bin/unzip mrix,\n /usr/bin/wget mrix,\n /usr/bin/which.debianutils mrix,\n /usr/bin/zstd mrix,\n /usr/lib/node_modules/npm/bin/** mrix,\n /usr/local/bin/composer mrix,\n /usr/local/bin/curl mrix,\n /usr/local/bin/gem mrix,\n /usr/local/bin/git mrix,\n /usr/local/bin/git-receive-pack mrix,\n /usr/local/bin/git-upload-archive mrix,\n /usr/local/bin/git-upload-pack mrix,\n /usr/local/bin/mydumper mrix,\n /usr/local/bin/myloader mrix,\n /usr/local/bin/scp mrix,\n /usr/local/bin/sftp mrix,\n /usr/local/bin/ssh mrix,\n /usr/local/bin/ssh-keygen mrix,\n owner /opt/user/gems/*/** mrix,\n owner /opt/user/npm/*/** mrix,\n\n # Deny execution of any other binaries\n #deny /** rwklx,\n}\n"
},
{
"path": "aegir/conf/apparmor/usr.local.bin.ssh",
"content": "# AppArmor profile for SSH client\n# This profile restricts the SSH client (ssh) to essential operations only.\n\n#include \n\n/usr/local/bin/ssh flags=(complain) {\n\n # Include common AppArmor abstractions\n include \n include \n include \n include \n include \n include \n include \n include \n\n # Allow execution of the ssh binary\n /usr/local/bin/ssh mrix,\n\n # Allow read access to necessary libraries\n /lib/** mr,\n /lib/x86_64-linux-gnu/** mr,\n /lib64/** mr,\n /usr/lib/** mr,\n /usr/lib/x86_64-linux-gnu/** mr,\n /usr/libexec/** mr,\n /usr/local/include/** mr,\n /usr/local/lib/** mr,\n /usr/local/ssl/** mr,\n /usr/local/ssl3/** mr,\n\n # Read access to SSH client configuration files\n /etc/ssh/ssh_config r,\n /etc/ssh/ssh_known_hosts r,\n /home/*/.ssh/** rw,\n\n # Allow network access for making outbound connections\n network inet stream,\n network inet6 stream,\n\n # Deny access to critical system files\n deny /etc/shadow* rwlx,\n\n # Allow read access to user information files\n /etc/passwd r,\n /etc/group r,\n /etc/nsswitch.conf r,\n /etc/hosts r,\n\n # Allow read-only access to resolv.conf for DNS resolution\n /etc/resolv.conf r,\n\n # Temporary files and directories\n /tmp/ r,\n /tmp/** rw,\n /var/tmp/** rw,\n\n # Allow execution of necessary binaries\n /bin/dash mrix,\n /bin/sh mrix,\n /opt/local/bin/websh mrix,\n /usr/bin/id mrix,\n /usr/bin/mysecureshell mrix,\n /usr/local/bin/lshell mrix,\n /usr/local/bin/ssh-agent mrix,\n\n # Additional binaries used by SSH (e.g., scp, sftp)\n /usr/local/bin/scp mrix,\n /usr/local/bin/sftp mrix,\n\n # Deny execution of any other binaries\n #deny /** rwklx,\n}\n"
},
{
"path": "aegir/conf/apparmor/usr.local.bin.wkhtmltoimage",
"content": "# File: /etc/apparmor.d/usr.local.bin.wkhtmltoimage\n# Template from https://wkhtmltopdf.org/apparmor.html\n\n#include \n\n/usr/local/bin/wkhtmltoimage flags=(complain) {\n\n # Include common AppArmor abstractions\n include \n include \n include \n\n # Deny capability sys_ptrace\n deny capability sys_ptrace,\n\n # System paths wkhtmltoimage needs to operate\n /proc/*/maps r,\n /usr/local/bin/wkhtmltoimage mrix,\n /var/cache/fontconfig/* r,\n /tmp/** rwlk,\n\n # Allow read access to necessary libraries\n /lib/** mr,\n /lib/x86_64-linux-gnu/** mr,\n /lib64/** mr,\n /usr/lib/** mr,\n /usr/lib/x86_64-linux-gnu/** mr,\n /usr/libexec/** mr,\n /usr/local/include/** mr,\n /usr/local/lib/** mr,\n /usr/local/ssl/** mr,\n /usr/local/ssl3/** mr,\n\n # Allow to read and write in the web root directories\n /var/www/** r,\n /data/disk/*/aegir/** r,\n /data/disk/*/distro/** r,\n /data/disk/*/platforms/** r,\n /data/disk/*/static/** r,\n\n owner /data/disk/*/distro/** rwk,\n owner /data/disk/*/platforms/** rwk,\n owner /data/disk/*/static/** rwk,\n owner /var/www/** rwk,\n\n /home/*.web/.aws/ r,\n /home/*.web/.aws/* rw,\n /home/*.web/.drush/ r,\n /home/*.web/.drush/* r,\n /home/*.web/.tmp/ r,\n /home/*.web/.tmp/* rw,\n\n # Catchall to deny everything else\n #deny /** rwklx,\n}\n"
},
{
"path": "aegir/conf/apparmor/usr.local.bin.wkhtmltopdf",
"content": "# File: /etc/apparmor.d/usr.local.bin.wkhtmltopdf\n# Template from https://wkhtmltopdf.org/apparmor.html\n\n#include \n\n/usr/local/bin/wkhtmltopdf flags=(complain) {\n\n # Include common AppArmor abstractions\n include \n include \n include \n\n # Deny capability sys_ptrace\n deny capability sys_ptrace,\n\n # System paths wkhtmltopdf needs to operate\n /proc/*/maps r,\n /usr/local/bin/wkhtmltopdf mrix,\n /var/cache/fontconfig/* r,\n /tmp/** rwlk,\n\n # Allow read access to necessary libraries\n /lib/** mr,\n /lib/x86_64-linux-gnu/** mr,\n /lib64/** mr,\n /usr/lib/** mr,\n /usr/lib/x86_64-linux-gnu/** mr,\n /usr/libexec/** mr,\n /usr/local/include/** mr,\n /usr/local/lib/** mr,\n /usr/local/ssl/** mr,\n /usr/local/ssl3/** mr,\n\n # Allow to read and write in the web root directories\n /var/www/** r,\n /data/disk/*/aegir/** r,\n /data/disk/*/distro/** r,\n /data/disk/*/platforms/** r,\n /data/disk/*/static/** r,\n\n owner /data/disk/*/distro/** rwk,\n owner /data/disk/*/platforms/** rwk,\n owner /data/disk/*/static/** rwk,\n owner /var/www/** rwk,\n\n /home/*.web/.aws/ r,\n /home/*.web/.aws/* rw,\n /home/*.web/.drush/ r,\n /home/*.web/.drush/* r,\n /home/*.web/.tmp/ r,\n /home/*.web/.tmp/* rw,\n\n # Catchall to deny everything else\n #deny /** rwklx,\n}\n"
},
{
"path": "aegir/conf/apparmor/usr.local.sbin.pure-ftpd",
"content": "# AppArmor profile for Pure-FTPd server\n# This profile restricts Pure-FTPd server (pure-ftpd) to essential operations only.\n\n#include \n\n/usr/local/sbin/pure-ftpd flags=(complain) {\n\n # Include common AppArmor abstractions\n include \n include \n include \n include \n\n # Capabilities needed by Pure-FTPd server\n capability net_bind_service,\n capability setgid,\n capability setuid,\n capability mknod,\n\n network inet stream,\n network inet6 stream,\n\n # Allow Pure-FTPd to accept signal from PHP-CLI processes\n signal (receive) peer=/opt/php*/bin/php,\n\n # Allow execution of /bin/sh\n /bin/sh mrix,\n /opt/local/bin/websh mrix,\n\n # Allow access to /dev\n /dev/log w,\n /dev/urandom r,\n\n # Allow read access to system configuration and password files\n /etc/hostname r,\n /etc/hosts r,\n /etc/pure-ftpd.conf r,\n /etc/passwd r,\n /etc/group r,\n /etc/shadow r,\n\n # Allow read access to necessary libraries\n /lib/** mr,\n /lib/x86_64-linux-gnu/** mr,\n /lib64/** mr,\n /usr/lib/** mr,\n /usr/lib/x86_64-linux-gnu/** mr,\n /usr/libexec/** mr,\n /usr/local/include/** mr,\n /usr/local/lib/** mr,\n /usr/local/ssl/** mr,\n /usr/local/ssl3/** mr,\n\n # Allow read access to SSL certificates\n /etc/ssl/private/pure-ftpd.pem r,\n /etc/ssl/private/pure-ftpd-dhparams.pem r,\n\n # Allow reading necessary kernel parameters\n /proc/** r,\n /sys/** r,\n\n # Allow access to run directory\n /run/pure-ftpd.pid rw,\n /run/pure-ftpd/ r,\n /run/pure-ftpd/** rwk,\n\n # Allow access to temporary directories\n /tmp/ r,\n /tmp/** rw,\n /var/tmp/** rw,\n\n # Allow write access to log files\n /var/log/pureftpd.log rw,\n\n # Allow execution of the pure-ftpd binary and configuration script\n /usr/local/sbin/pure-ftpd mrix,\n /usr/local/sbin/pure-config.pl mrix,\n\n # Allow read access to Octopus user directories and files\n /data/disk/*/.drush/ r,\n /data/disk/*/.drush/** r,\n /data/disk/*/backups/ r,\n /data/disk/*/backups/** r,\n /data/disk/*/clients/ r,\n /data/disk/*/clients/** r,\n /data/disk/*/distro/** r,\n /data/disk/*/static/ r,\n /data/disk/*/static/** r,\n /home/*/.drush/ r,\n /home/*/.drush/** r,\n /opt/tools/drush/** r,\n\n # Allow write access to Octopus user directories and files\n owner /data/disk/*/distro/** rw,\n owner /data/disk/*/static/ r,\n owner /data/disk/*/static/** rw,\n owner /home/*/ r,\n owner /home/*/.drush/cache/ r,\n owner /home/*/.drush/cache/** rw,\n owner /home/*/** rw,\n\n # Catchall to deny everything else\n #deny /** rwklx,\n\n # Site-specific additions and overrides can be added below\n}\n"
},
{
"path": "aegir/conf/apparmor/usr.local.sbin.sshd",
"content": "# AppArmor profile for SSHd daemon\n# This profile restricts the SSHd daemon (sshd) to essential operations only.\n\n#include \n\n/usr/local/sbin/sshd flags=(complain) {\n\n # Include common AppArmor abstractions\n include \n include \n include \n include \n include \n include \n include \n include \n\n # Allow execution of the sshd binary\n /usr/local/sbin/sshd mrix,\n\n # Capabilities needed by SSHd daemon\n capability audit_control,\n capability audit_write,\n capability chown,\n capability dac_override,\n capability dac_read_search,\n capability fowner,\n capability fsetid,\n capability kill,\n capability net_bind_service,\n capability setgid,\n capability setuid,\n capability sys_admin,\n capability sys_chroot,\n capability sys_resource,\n capability sys_tty_config,\n\n network inet stream,\n network inet6 stream,\n\n # Allow read access to necessary libraries\n /lib/** mr,\n /lib/x86_64-linux-gnu/** mr,\n /lib64/** mr,\n /usr/lib/** mr,\n /usr/lib/x86_64-linux-gnu/** mr,\n /usr/libexec/** mr,\n /usr/local/include/** mr,\n /usr/local/lib/** mr,\n /usr/local/ssl/** mr,\n /usr/local/ssl3/** mr,\n\n # Read/Write access\n /dev/null rw,\n /dev/ptmx rw,\n /dev/pts/* rw,\n /dev/tty rw,\n /dev/urandom r,\n /proc/** rw,\n /run/** rwk,\n /sys/** r,\n /tmp/ r,\n /tmp/** rw,\n /var/** r,\n /var/lib/sshd/** rw,\n\n # Read/Write owner access\n owner /** rwk,\n owner /etc/group rw,\n owner /etc/motd rw,\n owner /etc/passwd rw,\n owner /etc/shadow rw,\n owner /etc/ssh/* rw,\n owner /proc/*/oom_score_adj rw,\n owner /root/** rw,\n owner /run/sshd.pid rw,\n\n # Exec access\n /{media,mnt,opt,srv}/** mrix,\n /bin/* mrix,\n /opt/local/bin/* mrix,\n /usr/bin/* mrix,\n /usr/local/bin/* mrix,\n /usr/local/sbin/* mrix,\n /usr/sbin/* mrix,\n\n # Read access to SSH daemon configuration files\n /etc/default/locale r,\n /etc/environment r,\n /etc/hosts.allow r,\n /etc/hosts.deny r,\n /etc/modules.conf r,\n /etc/security/** r,\n /etc/ssh/* r,\n /etc/ssl/openssl.cnf r,\n\n # Write access to the PID file\n /run/sshd.pid rw,\n\n # Allow network access for accepting inbound connections\n network inet stream,\n network inet6 stream,\n\n # Allow reading user home directories and authorized keys\n /home/*/*/ r,\n /home/*/*/.ssh/ r,\n /home/*/.ssh/authorized_keys{,2} r,\n\n # Temporary files and directories\n /tmp/ r,\n /tmp/** rw,\n /var/tmp/** rw,\n\n /dev/pts/[0-9]* rw,\n /etc/ssh/moduli r,\n @{PROC}/@{pid}/mounts r,\n /etc/motd r,\n /{,var/}run/motd{,.new} rw,\n /tmp/ssh-*/agent.[0-9]* rwl,\n /tmp/ssh-*[0-9]*/ w,\n\n # Allow execution of various shells\n /bin/ash rUx,\n /bin/bash rUx,\n /bin/bash2 rUx,\n /bin/bsh rUx,\n /bin/csh rUx,\n /bin/dash rUx,\n /bin/ksh rUx,\n /bin/sh rUx,\n /bin/tcsh rUx,\n /bin/zsh rUx,\n /bin/zsh4 rUx,\n /sbin/nologin rUx,\n /usr/bin/mysecureshell rUx,\n /usr/local/bin/lshell rUx,\n\n # Allow ptrace read access for necessary binaries\n ptrace read peer=unconfined,\n ptrace read peer=/opt/php*/bin/php,\n ptrace read peer=/opt/php*/sbin/php-fpm,\n ptrace read peer=/usr/bin/newrelic-daemon,\n ptrace read peer=/sbin/dhclient,\n ptrace read peer=/usr/bin/mysqld_safe,\n ptrace read peer=/usr/bin/mysqld,\n ptrace read peer=/usr/bin/redis-server,\n ptrace read peer=/usr/lib/jvm/java-11-openjdk-amd64/bin/java,\n ptrace read peer=/usr/lib/jvm/java-17-openjdk-amd64/bin/java,\n ptrace read peer=/usr/lib/jvm/java-21-openjdk-amd64/bin/java,\n ptrace read peer=/usr/lib/postfix/sbin/master,\n ptrace read peer=/usr/lib/postfix/sbin/pickup,\n ptrace read peer=/usr/lib/postfix/sbin/qmgr,\n ptrace read peer=/usr/local/sbin/pure-ftpd,\n ptrace read peer=/usr/sbin/nginx,\n ptrace read peer=/usr/sbin/unbound,\n\n ^EXEC flags=(complain) {\n # Include base abstractions\n include \n\n /bin/ash Ux,\n /bin/bash Ux,\n /bin/bash2 Ux,\n /bin/bsh Ux,\n /bin/csh Ux,\n /bin/dash Ux,\n /bin/ksh Ux,\n /bin/sh Ux,\n /bin/tcsh Ux,\n /bin/zsh Ux,\n /bin/zsh4 Ux,\n /sbin/nologin Ux,\n /usr/bin/mysecureshell Ux,\n /usr/local/bin/lshell Ux,\n }\n\n ^PRIVSEP flags=(complain) {\n # Include base and nameservice abstractions\n include \n include \n\n capability sys_chroot,\n capability setuid,\n capability setgid,\n }\n\n ^PRIVSEP_MONITOR flags=(complain) {\n # Include authentication, base, nameservice, and wutmp abstractions\n include \n include \n include \n include \n\n capability setuid,\n capability setgid,\n capability chown,\n\n /home/*/.ssh/authorized_keys{,2} r,\n /dev/ptmx rw,\n /dev/pts/[0-9]* rw,\n /dev/urandom r,\n /etc/hosts.allow r,\n /etc/hosts.deny r,\n /etc/ssh/moduli r,\n @{PROC}/@{pid}/mounts r,\n }\n\n ^AUTHENTICATED flags=(complain) {\n # Include authentication, consoles, nameservice, and wutmp abstractions\n include \n include \n include \n include \n\n capability sys_tty_config,\n capability setgid,\n capability setuid,\n\n /dev/log w,\n /dev/ptmx rw,\n /etc/default/passwd r,\n /etc/localtime r,\n /etc/writable/localtime r,\n /etc/login.defs r,\n /etc/motd r,\n /{,var/}run/motd{,.new} rw,\n /tmp/ssh-*/agent.[0-9]* rwl,\n /tmp/ssh-*[0-9]*/ w,\n }\n}\n"
},
{
"path": "aegir/conf/apparmor/usr.sbin.clamd",
"content": "# AppArmor profile for Clamd service\n# This profile restricts Clamd service (clamd) to essential operations only.\n\n#include \n\n/usr/sbin/clamd flags=(complain) {\n\n # Include common AppArmor abstractions\n include \n include \n include \n\n # Capabilities needed by Clamd service\n capability chown,\n capability dac_override,\n capability dac_read_search,\n capability setgid,\n capability setuid,\n capability sys_resource,\n\n network inet stream,\n network inet6 stream,\n network inet dgram,\n network inet6 dgram,\n\n # Allow execution of necessary shells and the clamd binary\n /bin/dash mrix,\n /bin/bash mrix,\n /bin/sh mrix,\n /usr/sbin/clamd mrix,\n\n # Allow access to /dev\n /dev/log w,\n /dev/null rw,\n /dev/random r,\n /dev/urandom r,\n\n # Allow access to /proc and /sys for necessary information\n /proc/** r,\n /sys/** r,\n\n # Allow access to temporary directories\n /tmp/ r,\n /tmp/** rw,\n /var/tmp/** rw,\n\n # Allow read access to necessary libraries\n /lib/** mr,\n /lib/x86_64-linux-gnu/** mr,\n /lib64/** mr,\n /usr/lib/** mr,\n /usr/lib/x86_64-linux-gnu/** mr,\n /usr/libexec/** mr,\n /usr/local/include/** mr,\n /usr/local/lib/** mr,\n /usr/local/ssl/** mr,\n /usr/local/ssl3/** mr,\n\n # Allow access to ClamAV configuration and data\n /etc/clamav/clamd.conf r,\n /var/lib/amavis/tmp/** r,\n /var/lib/clamav/ r,\n /var/lib/clamav/** rwk,\n /var/log/clamav/* rwk,\n /var/spool/MIMEDefang/mdefang-*/Work/ r,\n /var/spool/MIMEDefang/mdefang-*/Work/** r,\n /var/spool/clamsmtp/* r,\n /var/spool/exim4/** r,\n /var/spool/havp/** r,\n /var/spool/p3scan/children/** r,\n /var/spool/qpsmtpd/* r,\n /{,var/}run/clamav/clamd.ctl w,\n /{,var/}run/clamav/clamd.pid w,\n\n # Allow read access to user directories\n /data/all/** r,\n /data/conf/* r,\n /data/disk/*/distro/** r,\n /data/disk/*/platforms/** r,\n /data/disk/*/static/** r,\n /home/*/ r,\n /home/*/** r,\n\n # Allow reading filesystems information\n @{PROC}/[0-9]*/status r,\n @{PROC}/filesystems r,\n\n # Deny access to sensitive files and directories\n deny /etc/shadow* rwlx,\n deny /etc/passwd* rwlx,\n deny /root/** rwklx,\n\n # Catchall to deny everything else\n #deny /** rwklx,\n\n # Site-specific additions and overrides can be added below\n}\n"
},
{
"path": "aegir/conf/apparmor/usr.sbin.mysqld",
"content": "# AppArmor profile for MySQLd server\n# This profile restricts MySQLd server (mysqld) to essential operations only.\n\n#include \n\n/usr/sbin/mysqld flags=(complain) {\n\n # Include common AppArmor abstractions\n include \n include \n include \n\n # Capabilities needed by MySQLd server\n capability dac_override,\n capability dac_read_search,\n capability sys_resource,\n capability setgid,\n capability setuid,\n capability sys_nice,\n\n network inet stream,\n network inet6 stream,\n\n # Allow execution of mysqld_safe\n /usr/bin/mysqld_safe mrix,\n\n # Allow execution of the mysql binary\n /usr/bin/mysql mrix,\n\n # Allow execution of the mysqld binary\n /usr/sbin/mysqld mrix,\n\n # Allow execution of necessary utilities\n /bin/** mrix,\n /usr/bin/** mrix,\n /usr/sbin/** mrix,\n\n # Allow reading necessary directories\n /bin/ r,\n /usr/bin/ r,\n /usr/sbin/ r,\n\n # Allow MySQL to read its configuration files\n /etc/mysql/** r,\n /etc/mysql/conf.d/** r,\n /etc/mysql/mysql.conf.d/** r,\n\n # Allow MySQL to access its data directory\n /var/lib/mysql/ rwk,\n /var/lib/mysql/** rwk,\n\n # Allow MySQL to access its run directory\n /run/mysqld/ r,\n /run/mysqld/** rw,\n\n # Allow MySQL to write to its log files\n /var/log/mysql/ r,\n /var/log/mysql/** rw,\n\n # Allow MySQL to access its tmp directories\n /tmp/ r,\n /tmp/** rw,\n /var/tmp/** rw,\n\n # Allow MySQL to read system libraries\n /lib/** mr,\n /lib/x86_64-linux-gnu/** mr,\n /lib64/** mr,\n /usr/lib/** mr,\n /usr/lib/mysql/plugin/** mr,\n /usr/lib/x86_64-linux-gnu/** mr,\n /usr/local/lib/** mr,\n /usr/local/ssl/** mr,\n /usr/local/ssl3/** mr,\n /usr/share/mysql/** r,\n /usr/share/zoneinfo/** r,\n\n # Allow MySQL to access /proc and /sys for necessary information\n /proc/** r,\n /sys/** r,\n\n # Allow MySQL to use /dev/shm for temporary storage\n /dev/shm/** rw,\n /dev/shm/ r,\n\n # Allow MySQL to read network-related configurations\n /etc/hosts.allow r,\n /etc/hosts.deny r,\n /etc/services r,\n\n # Disallow execution of binaries from /tmp and /var/tmp\n deny /tmp/** m,\n deny /var/tmp/** m,\n\n # Deny access to various sensitive directories\n deny /boot/** mrwklx,\n deny /root/** mrwklx,\n\n # Catchall to deny everything else\n #deny /** rwklx,\n\n # Site-specific additions and overrides can be added below\n}\n"
},
{
"path": "aegir/conf/apparmor/usr.sbin.nginx",
"content": "# AppArmor profile for Nginx server\n# This profile restricts Nginx server (nginx) to essential operations only.\n\n#include \n\n/usr/sbin/nginx flags=(complain) {\n\n # Include common AppArmor abstractions\n include \n include \n include