Repository: omega8cc/boa
Branch: 5.x-dev
Commit: 0daf1f2a4803
Files: 616
Total size: 9.6 MB
Directory structure:
gitextract_47j2j2qw/
├── .gitignore
├── ANNOUNCEMENT.md
├── BARRACUDA.sh.txt
├── BOA.sh.txt
├── CHANGELOG.txt
├── DIFFERENT30Y.md
├── DUALLICENSE.md
├── HTTP3.md
├── OCTOPUS.sh.txt
├── README.md
├── ROADMAP.md
├── aegir/
│ ├── conf/
│ │ ├── apparmor/
│ │ │ ├── opt.php56.bin.php
│ │ │ ├── opt.php56.sbin.php-fpm
│ │ │ ├── opt.php70.bin.php
│ │ │ ├── opt.php70.sbin.php-fpm
│ │ │ ├── opt.php71.bin.php
│ │ │ ├── opt.php71.sbin.php-fpm
│ │ │ ├── opt.php72.bin.php
│ │ │ ├── opt.php72.sbin.php-fpm
│ │ │ ├── opt.php73.bin.php
│ │ │ ├── opt.php73.sbin.php-fpm
│ │ │ ├── opt.php74.bin.php
│ │ │ ├── opt.php74.sbin.php-fpm
│ │ │ ├── opt.php80.bin.php
│ │ │ ├── opt.php80.sbin.php-fpm
│ │ │ ├── opt.php81.bin.php
│ │ │ ├── opt.php81.sbin.php-fpm
│ │ │ ├── opt.php82.bin.php
│ │ │ ├── opt.php82.sbin.php-fpm
│ │ │ ├── opt.php83.bin.php
│ │ │ ├── opt.php83.sbin.php-fpm
│ │ │ ├── opt.php84.bin.php
│ │ │ ├── opt.php84.sbin.php-fpm
│ │ │ ├── opt.php85.bin.php
│ │ │ ├── opt.php85.sbin.php-fpm
│ │ │ ├── sbin.dhclient
│ │ │ ├── usr.bin.chromium
│ │ │ ├── usr.bin.freshclam
│ │ │ ├── usr.bin.man
│ │ │ ├── usr.bin.mysecureshell
│ │ │ ├── usr.bin.mysql
│ │ │ ├── usr.bin.mysqld_safe
│ │ │ ├── usr.bin.newrelic-daemon
│ │ │ ├── usr.bin.node
│ │ │ ├── usr.bin.redis-server
│ │ │ ├── usr.bin.valkey-server
│ │ │ ├── usr.local.bin.lshell
│ │ │ ├── usr.local.bin.ssh
│ │ │ ├── usr.local.bin.wkhtmltoimage
│ │ │ ├── usr.local.bin.wkhtmltopdf
│ │ │ ├── usr.local.sbin.pure-ftpd
│ │ │ ├── usr.local.sbin.sshd
│ │ │ ├── usr.sbin.clamd
│ │ │ ├── usr.sbin.mysqld
│ │ │ ├── usr.sbin.nginx
│ │ │ ├── usr.sbin.rsyslogd
│ │ │ └── usr.sbin.unbound
│ │ ├── dns/
│ │ │ ├── unbound
│ │ │ ├── unbound-helper
│ │ │ └── unbound.conf
│ │ ├── droplet/
│ │ │ └── droplet-agent
│ │ ├── etc/
│ │ │ └── etc-ImageMagick-6-policy.xml
│ │ ├── ftpd/
│ │ │ ├── ftpusers
│ │ │ ├── pure-config.pl.txt
│ │ │ └── pure-ftpd.conf
│ │ ├── global/
│ │ │ ├── global-10.inc
│ │ │ ├── global-11.inc
│ │ │ ├── global-6.inc
│ │ │ ├── global-7.inc
│ │ │ ├── global-8.inc
│ │ │ ├── global-9.inc
│ │ │ ├── global-extra.inc
│ │ │ ├── global-front-end.inc
│ │ │ ├── global-if-redis.inc
│ │ │ ├── global-if-valkey.inc
│ │ │ ├── global-ini.inc
│ │ │ ├── global-main.inc
│ │ │ ├── global-mode.inc
│ │ │ ├── global-newrelic.inc
│ │ │ ├── global-redis.inc
│ │ │ ├── global-settings.inc
│ │ │ ├── global-valkey.inc
│ │ │ ├── global.inc
│ │ │ ├── override.global.inc
│ │ │ └── settings.global.inc
│ │ ├── ini/
│ │ │ ├── default.boa_platform_control.ini
│ │ │ ├── default.boa_site_control.ini
│ │ │ └── panels.ini
│ │ ├── network/
│ │ │ └── networking
│ │ ├── nginx/
│ │ │ ├── fastcgi_params.txt
│ │ │ ├── mime.types
│ │ │ ├── nginx
│ │ │ ├── nginx-squeeze-init
│ │ │ ├── nginx.conf
│ │ │ ├── nginx_compact_include.conf
│ │ │ ├── nginx_high_load_off.conf
│ │ │ ├── nginx_speed_purge.conf
│ │ │ ├── nginx_sql_adminer.conf
│ │ │ ├── nginx_sql_buddy.conf
│ │ │ ├── nginx_sql_cgp.conf
│ │ │ ├── nginx_sql_chive.conf
│ │ │ └── nginx_wild_ssl.conf
│ │ ├── php/
│ │ │ ├── fpm-pool-common-legacy.conf
│ │ │ ├── fpm-pool-common-modern.conf
│ │ │ ├── fpm-pool-common.conf
│ │ │ ├── fpm-pool-foo-multi.conf
│ │ │ ├── fpm-pool-foo.conf
│ │ │ ├── fpm56-pool-www.conf
│ │ │ ├── fpm70-pool-www.conf
│ │ │ ├── fpm71-pool-www.conf
│ │ │ ├── fpm72-pool-www.conf
│ │ │ ├── fpm73-pool-www.conf
│ │ │ ├── fpm74-pool-www.conf
│ │ │ ├── fpm80-pool-www.conf
│ │ │ ├── fpm81-pool-www.conf
│ │ │ ├── fpm82-pool-www.conf
│ │ │ ├── fpm83-pool-www.conf
│ │ │ ├── fpm84-pool-www.conf
│ │ │ ├── fpm85-pool-www.conf
│ │ │ ├── newrelic.ini
│ │ │ ├── php56-cli.ini
│ │ │ ├── php56-fpm
│ │ │ ├── php56-fpm.conf
│ │ │ ├── php56.ini
│ │ │ ├── php70-cli.ini
│ │ │ ├── php70-fpm
│ │ │ ├── php70-fpm.conf
│ │ │ ├── php70.ini
│ │ │ ├── php71-cli.ini
│ │ │ ├── php71-fpm
│ │ │ ├── php71-fpm.conf
│ │ │ ├── php71.ini
│ │ │ ├── php72-cli.ini
│ │ │ ├── php72-fpm
│ │ │ ├── php72-fpm.conf
│ │ │ ├── php72.ini
│ │ │ ├── php73-cli.ini
│ │ │ ├── php73-fpm
│ │ │ ├── php73-fpm.conf
│ │ │ ├── php73.ini
│ │ │ ├── php74-cli.ini
│ │ │ ├── php74-fpm
│ │ │ ├── php74-fpm.conf
│ │ │ ├── php74.ini
│ │ │ ├── php80-cli.ini
│ │ │ ├── php80-fpm
│ │ │ ├── php80-fpm.conf
│ │ │ ├── php80.ini
│ │ │ ├── php81-cli.ini
│ │ │ ├── php81-fpm
│ │ │ ├── php81-fpm.conf
│ │ │ ├── php81.ini
│ │ │ ├── php82-cli.ini
│ │ │ ├── php82-fpm
│ │ │ ├── php82-fpm.conf
│ │ │ ├── php82.ini
│ │ │ ├── php83-cli.ini
│ │ │ ├── php83-fpm
│ │ │ ├── php83-fpm.conf
│ │ │ ├── php83.ini
│ │ │ ├── php84-cli.ini
│ │ │ ├── php84-fpm
│ │ │ ├── php84-fpm.conf
│ │ │ ├── php84.ini
│ │ │ ├── php85-cli.ini
│ │ │ ├── php85-fpm
│ │ │ ├── php85-fpm.conf
│ │ │ └── php85.ini
│ │ ├── redis/
│ │ │ ├── redis-server
│ │ │ ├── redis.conf
│ │ │ ├── redis4.conf
│ │ │ ├── redis5.conf
│ │ │ ├── redis6.conf
│ │ │ └── redis7.conf
│ │ ├── solr9/
│ │ │ ├── analysis-extras.mod
│ │ │ ├── analytics.mod
│ │ │ ├── clustering.mod
│ │ │ ├── cross-dc.mod
│ │ │ ├── extraction.mod
│ │ │ ├── gcs-repository.mod
│ │ │ ├── hadoop-auth.mod
│ │ │ ├── hdfs.mod
│ │ │ ├── jaegertracer-configurator.mod
│ │ │ ├── jwt-auth.mod
│ │ │ ├── langid.mod
│ │ │ ├── llm.mod
│ │ │ ├── ltr.mod
│ │ │ ├── opentelemetry.mod
│ │ │ ├── s3-repository.mod
│ │ │ ├── scripting.mod
│ │ │ └── sql.mod
│ │ ├── tpl/
│ │ │ ├── migration.html
│ │ │ ├── robots.txt
│ │ │ ├── setupmail.txt
│ │ │ ├── uc.html
│ │ │ └── upgrademail.txt
│ │ ├── valkey/
│ │ │ ├── valkey-server
│ │ │ ├── valkey7.conf
│ │ │ ├── valkey8.conf
│ │ │ └── valkey9.conf
│ │ ├── var/
│ │ │ ├── boa.bashrc.txt
│ │ │ ├── clean-boa-env
│ │ │ ├── crossdomain.xml
│ │ │ ├── csf.conf
│ │ │ ├── galera.cnf
│ │ │ ├── get.htaccess.txt
│ │ │ ├── logrotate.d.rsyslog.conf
│ │ │ ├── my.cnf.txt
│ │ │ ├── mysql
│ │ │ ├── mysql-notices.conf
│ │ │ ├── named.conf.options
│ │ │ ├── rsyslog.conf
│ │ │ ├── sftp_config
│ │ │ ├── ssh_config
│ │ │ ├── sshd_config
│ │ │ └── sysctl.conf
│ │ └── version/
│ │ ├── barracuda-release.txt
│ │ ├── barracuda-version.txt
│ │ ├── octopus-release.txt
│ │ ├── octopus-version.txt
│ │ ├── release.txt
│ │ └── version.txt
│ ├── helpers/
│ │ ├── Gemfile.txt
│ │ ├── apt-list-debian.txt
│ │ ├── apt.conf.noi.dist
│ │ ├── apt.conf.noi.nrml
│ │ ├── apt.conf.noninteractive
│ │ ├── cf-simple-hook.sh
│ │ ├── challenge-dns-email-hook.sh
│ │ ├── dehydrated
│ │ ├── dump_cdorked_config.c
│ │ ├── fix-fstab-to-uuid.sh
│ │ ├── hosting_cron.sql
│ │ ├── le-hook.sh
│ │ ├── make_client.php.txt
│ │ ├── make_client_3.php.txt
│ │ ├── make_home.php.txt
│ │ ├── make_platform.php.txt
│ │ ├── make_platform_3.php.txt
│ │ ├── mysql_root_pass_reset.sh
│ │ ├── mysqltuner5
│ │ ├── mysqltuner8
│ │ ├── rtoc.php.txt
│ │ ├── spinner
│ │ ├── systemtime
│ │ └── websh.sh.txt
│ ├── makefiles/
│ │ ├── civicrm-4.5-d6.make
│ │ ├── civicrm-4.5-d7.make
│ │ ├── civicrm-4.6-d6.make
│ │ ├── civicrm-4.6-d7.make
│ │ ├── civicrm-4.7-d6.make
│ │ ├── civicrm-4.7-d7.make
│ │ ├── civicrm-5.0-d6.make
│ │ ├── civicrm-5.0-d7.make
│ │ ├── civicrm-5.1-d7.make
│ │ ├── civicrm-5.2-d7.make
│ │ ├── civicrm-5.3-d7.make
│ │ ├── civicrm-5.35-d7.make
│ │ └── civicrm-5.9-d7.make
│ ├── patches/
│ │ ├── 0001-Print-site_footer-if-defined.patch
│ │ ├── 2106995-fatal-error-non-object-1.patch
│ │ ├── 6-core/
│ │ │ ├── SA-CORE-2018-002-D6.patch
│ │ │ ├── SA-CORE-2018-004-D6.patch
│ │ │ └── patch_commit_7a847db99f80.patch
│ │ ├── 7-core/
│ │ │ ├── 3143016-83-D7.patch
│ │ │ ├── SA-CORE-2014-005-D7.patch
│ │ │ ├── SA-CORE-2018-002-D7.patch
│ │ │ ├── SA-CORE-2018-004-D7.patch
│ │ │ ├── SA-CORE-2018-006-D7.patch
│ │ │ ├── drupal-2656548-21-php7.patch
│ │ │ └── patch_commit_b8a8a84ea9b3.patch
│ │ ├── 8-core/
│ │ │ ├── 0001-Symlink-core-support-test.patch
│ │ │ ├── SA-CORE-2018-002-D8.patch
│ │ │ ├── SA-CORE-2018-004-D8.patch
│ │ │ └── SA-CORE-2018-006-D8.patch
│ │ ├── 992540-3-reset_flood_limit_on_password_reset-drush.patch
│ │ ├── MailManagerReplacement.php.patch
│ │ ├── PHP-5.6.31-OpenSSL-1.1.0-compatibility-20170801.patch
│ │ ├── activity.patch
│ │ ├── apps_msg.patch
│ │ ├── bug62886.patch
│ │ ├── civicrm.drush.inc.patch.txt
│ │ ├── civicrm_engage.install
│ │ ├── commerce_kickstart.patch
│ │ ├── commons-1045778-fix-aegir-installs.patch
│ │ ├── commons-1060250-aegir-infinite-loop.patch
│ │ ├── commons_chicken_egg.patch
│ │ ├── disable_SSLv2_for_openssl_1_0_0.patch
│ │ ├── drupal-eleven-aegir-console-02.patch
│ │ ├── drupal-eleven-aegir-core-01.patch
│ │ ├── drupal-eleven-aegir-validator-03.patch
│ │ ├── drupal-ten-aegir-console-02.patch
│ │ ├── drupal-ten-aegir-core-01.patch
│ │ ├── drush-remote_make_files.patch
│ │ ├── drush_make-drush-4.x-fix-do7-compatibility.patch
│ │ ├── drush_make.drush.inc.patch
│ │ ├── features-1265168-19-roles.patch
│ │ ├── field_info_collate_fields-1400256-25.patch
│ │ ├── fpm_main.c.patch
│ │ ├── freetype.patch
│ │ ├── hosting_advanced_cron.patch
│ │ ├── hosting_cron.module
│ │ ├── hosting_cron_queue-reliability.patch
│ │ ├── hosting_le_vhost.drush.inc
│ │ ├── imagecache-1243258-5.patch
│ │ ├── imagefield_crop.patch
│ │ ├── julio_profile.patch
│ │ ├── my_config.h.patch
│ │ ├── mysql.provision.patch
│ │ ├── nik.patch
│ │ ├── object_conversion_menu_router_build-972536-1.patch
│ │ ├── octopus_video.patch
│ │ ├── og_update_6205_commons_fix.patch
│ │ ├── openacademy-search-off.patch
│ │ ├── openacademy.patch
│ │ ├── openaid-tpl.patch
│ │ ├── openenterprise.patch
│ │ ├── openoutreach.patch
│ │ ├── openpublic.patch
│ │ ├── openscholar.profile.patch
│ │ ├── openscholar_projects.profile.patch
│ │ ├── panopoly-search-off.patch
│ │ ├── panopoly-search-redis.patch
│ │ ├── patch_commit_6fabd31b0f81.patch
│ │ ├── patch_commit_fa47bad85589.patch
│ │ ├── php-8.1-openssl3.patch
│ │ ├── provision/
│ │ │ └── patch_commit_e4abc685f9b4.patch
│ │ ├── provision_hosting_le.drush.inc
│ │ ├── remove_usr1_usr2_fpm_unix.patch
│ │ ├── restaurant_demo.patch
│ │ ├── singular.mft.patch
│ │ ├── singular.patch
│ │ ├── skwashd.commons.patch
│ │ ├── taxonomy-6.20.patch
│ │ ├── taxonomy-6.26.patch
│ │ ├── taxonomy-7.12.patch
│ │ ├── taxonomy-7.7.patch
│ │ ├── ubercart-1167276-reroll.patch
│ │ ├── user.drush.inc.patch
│ │ ├── videola.patch
│ │ ├── views-853864_2.patch
│ │ ├── views-exposed-sorts-2037469-1.patch
│ │ ├── views-revert-broken-filter-or-groups-1766338-7.patch
│ │ └── views-unpack_options-cache-6.2-51.patch
│ ├── scripts/
│ │ ├── AegirSetupA.sh.txt
│ │ ├── AegirSetupB.sh.txt
│ │ ├── AegirSetupC.sh.txt
│ │ ├── AegirSetupM.sh.txt
│ │ ├── AegirUpgrade.sh.txt
│ │ └── run-xdrago
│ └── tools/
│ ├── BOND.sh.txt
│ ├── backup/
│ │ └── run/
│ │ ├── create_config_readme.sh
│ │ ├── create_credentials_templates.sh
│ │ ├── create_cron_entries.sh
│ │ ├── create_global_paths_config.sh
│ │ ├── create_readme.sh
│ │ ├── create_user_paths_config.sh
│ │ ├── duplicity_backup.sh
│ │ ├── duplicity_bundle_installer.sh
│ │ └── install_dependencies.sh
│ ├── bin/
│ │ ├── aptcleanup
│ │ ├── aptfast
│ │ ├── autobeowulf
│ │ ├── autochimaera
│ │ ├── autodaedalus
│ │ ├── autoexcalibur
│ │ ├── autoinit
│ │ ├── automini
│ │ ├── autosymlink
│ │ ├── autoupboa
│ │ ├── backboa
│ │ ├── backchain
│ │ ├── barracuda
│ │ ├── boa
│ │ ├── cluster
│ │ ├── codebasecheck
│ │ ├── copydbackup
│ │ ├── dcysetup
│ │ ├── dhcpfix
│ │ ├── duobackboa
│ │ ├── fancynow
│ │ ├── ffdevuan
│ │ ├── ffmirror
│ │ ├── fix-drupal-platform-ownership.sh
│ │ ├── fix-drupal-platform-permissions.sh
│ │ ├── fix-drupal-site-ownership.sh
│ │ ├── fix-drupal-site-permissions.sh
│ │ ├── fixmounts
│ │ ├── fixrepo
│ │ ├── killer
│ │ ├── loadguard
│ │ ├── lock-local-drush-permissions.sh
│ │ ├── lock.inc
│ │ ├── memorytuner
│ │ ├── mergecsf
│ │ ├── multiback
│ │ ├── mybackup
│ │ ├── mycnfup
│ │ ├── octopus
│ │ ├── perftest
│ │ ├── proxysql_galera_checker
│ │ ├── proxysql_node_monitor
│ │ ├── randpass
│ │ ├── renameaegirhost
│ │ ├── screenfetch
│ │ ├── setprio
│ │ ├── showdepend
│ │ ├── smtpgapps
│ │ ├── sqlclean
│ │ ├── sqlmagic
│ │ ├── syncpass
│ │ ├── synproxy
│ │ ├── synproxy_hook_fix
│ │ ├── synproxy_monitor
│ │ ├── synproxy_reassert
│ │ ├── synproxy_rollback
│ │ ├── synproxy_snapshot
│ │ ├── synproxy_status
│ │ ├── thinkdifferent
│ │ ├── updatesymlinks
│ │ ├── verifyvhostsdns
│ │ ├── vhostcheck
│ │ ├── vmnetfix
│ │ ├── weblogx
│ │ ├── webserver
│ │ ├── websh
│ │ ├── xboa
│ │ └── xcopy
│ ├── host/
│ │ ├── host-fire.sh
│ │ └── host-water.sh
│ └── system/
│ ├── checksql.pl
│ ├── clear.sh
│ ├── conf/
│ │ ├── SA-CORE-2014-005-D7.patch
│ │ ├── control-readme.txt
│ │ ├── https_proxy_le.conf
│ │ ├── lshell.conf
│ │ ├── pln_proxy.conf
│ │ ├── proxy.conf
│ │ ├── solr/
│ │ │ ├── apachesolr/
│ │ │ │ ├── solr4_drupal6/
│ │ │ │ │ ├── elevate.xml
│ │ │ │ │ ├── mapping-ISOLatin1Accent.txt
│ │ │ │ │ ├── protwords.txt
│ │ │ │ │ ├── schema.xml
│ │ │ │ │ ├── schema_extra_fields.xml
│ │ │ │ │ ├── schema_extra_types.xml
│ │ │ │ │ ├── solrconfig.xml
│ │ │ │ │ ├── solrconfig_extra.xml
│ │ │ │ │ ├── solrcore.properties
│ │ │ │ │ ├── stopwords.txt
│ │ │ │ │ └── synonyms.txt
│ │ │ │ ├── solr4_drupal7/
│ │ │ │ │ ├── elevate.xml
│ │ │ │ │ ├── mapping-ISOLatin1Accent.txt
│ │ │ │ │ ├── protwords.txt
│ │ │ │ │ ├── schema.xml
│ │ │ │ │ ├── schema_extra_fields.xml
│ │ │ │ │ ├── schema_extra_types.xml
│ │ │ │ │ ├── solrconfig.xml
│ │ │ │ │ ├── solrconfig_extra.xml
│ │ │ │ │ ├── solrcore.properties
│ │ │ │ │ ├── stopwords.txt
│ │ │ │ │ └── synonyms.txt
│ │ │ │ └── solr7_drupal7/
│ │ │ │ ├── elevate.xml
│ │ │ │ ├── mapping-ISOLatin1Accent.txt
│ │ │ │ ├── protwords.txt
│ │ │ │ ├── schema.xml
│ │ │ │ ├── schema_extra_fields.xml
│ │ │ │ ├── schema_extra_types.xml
│ │ │ │ ├── solrconfig.xml
│ │ │ │ ├── solrconfig_extra.xml
│ │ │ │ ├── solrcore.properties
│ │ │ │ ├── stopwords.txt
│ │ │ │ └── synonyms.txt
│ │ │ └── search_api_solr/
│ │ │ ├── solr4_drupal7/
│ │ │ │ ├── elevate.xml
│ │ │ │ ├── mapping-ISOLatin1Accent.txt
│ │ │ │ ├── protwords.txt
│ │ │ │ ├── schema.xml
│ │ │ │ ├── schema_extra_fields.xml
│ │ │ │ ├── schema_extra_types.xml
│ │ │ │ ├── solrconfig.xml
│ │ │ │ ├── solrconfig_extra.xml
│ │ │ │ ├── solrcore.properties
│ │ │ │ ├── stopwords.txt
│ │ │ │ └── synonyms.txt
│ │ │ ├── solr7_drupal10/
│ │ │ │ ├── elevate.xml
│ │ │ │ ├── schema.xml
│ │ │ │ ├── solrconfig.xml
│ │ │ │ └── solrcore.properties
│ │ │ ├── solr7_drupal7/
│ │ │ │ ├── elevate.xml
│ │ │ │ ├── mapping-ISOLatin1Accent.txt
│ │ │ │ ├── protwords.txt
│ │ │ │ ├── schema.xml
│ │ │ │ ├── schema_extra_fields.xml
│ │ │ │ ├── schema_extra_types.xml
│ │ │ │ ├── solrconfig.xml
│ │ │ │ ├── solrconfig_extra.xml
│ │ │ │ ├── solrcore.properties
│ │ │ │ ├── stopwords.txt
│ │ │ │ └── synonyms.txt
│ │ │ ├── solr7_drupal8/
│ │ │ │ ├── elevate.xml
│ │ │ │ ├── schema.xml
│ │ │ │ ├── solrconfig.xml
│ │ │ │ └── solrcore.properties
│ │ │ ├── solr7_drupal9/
│ │ │ │ ├── elevate.xml
│ │ │ │ ├── schema.xml
│ │ │ │ ├── solrconfig.xml
│ │ │ │ └── solrcore.properties
│ │ │ └── solr9_drupal10/
│ │ │ ├── elevate.xml
│ │ │ ├── schema.xml
│ │ │ ├── solrconfig.xml
│ │ │ └── solrcore.properties
│ │ └── ssl_proxy.conf
│ ├── cron/
│ │ └── crontabs/
│ │ └── root
│ ├── daily.sh
│ ├── graceful.sh
│ ├── guest-fire.sh
│ ├── guest-water.sh
│ ├── ip_access.sh
│ ├── log/
│ │ └── EMPTY.txt
│ ├── manage_ltd_users.sh
│ ├── manage_solr_config.sh
│ ├── minute.sh
│ ├── monitor/
│ │ └── check/
│ │ ├── escapecheck.pl
│ │ ├── escapecheck.sh
│ │ ├── hackcheck.pl
│ │ ├── hackcheck.sh
│ │ ├── hackftp.pl
│ │ ├── hackftp.sh
│ │ ├── java.sh
│ │ ├── mysql.sh
│ │ ├── nginx.sh
│ │ ├── nginx_guard.sh
│ │ ├── php.sh
│ │ ├── redis.sh
│ │ ├── scan_nginx.sh
│ │ ├── segfault_alert.pl
│ │ ├── sqlcheck.pl
│ │ ├── system.sh
│ │ ├── unbound.sh
│ │ └── valkey.sh
│ ├── move_sql.sh
│ ├── mysql_backup.sh
│ ├── mysql_cleanup.sh
│ ├── mysql_cluster_backup.sh
│ ├── mysql_repair.sh
│ ├── proc_num_ctrl.pl
│ ├── purge_binlogs.sh
│ ├── runner.sh
│ ├── second.sh
│ └── usage.sh
├── docs/
│ ├── BACKUPS.md
│ ├── BACKUP_REGIONS.md
│ ├── BACKUP_RETENTION.md
│ ├── BACKUP_ROOT.md
│ ├── BACKUP_USER.md
│ ├── BLOWFISH.md
│ ├── BRANCHES.md
│ ├── BUILDTESTS.md
│ ├── CAVEATS.md
│ ├── CLUSTER.md
│ ├── COMPOSER.md
│ ├── CONTRIBUTING.md
│ ├── DEVELOPMENT.md
│ ├── DISK_RESIZE.md
│ ├── DRUPALGEDDON.md
│ ├── DRUSH-CLI.md
│ ├── FAQ.md
│ ├── FASTTRACK.md
│ ├── FIXME.md
│ ├── GEM.md
│ ├── INSTALL.md
│ ├── IPv6.md
│ ├── MAJORUPGRADE.md
│ ├── MIGRATE.md
│ ├── MODULES.md
│ ├── MYQUICK.md
│ ├── NEWRELIC.md
│ ├── NOTES.md
│ ├── PHP-FPM.md
│ ├── PLATFORMS.md
│ ├── PROVIDES.md
│ ├── REMOTE.md
│ ├── REWRITES.md
│ ├── SECURITY.md
│ ├── SELFUPGRADE.md
│ ├── SKYNET.md
│ ├── SMTP_SSL_DEBUG.md
│ ├── SOLR.md
│ ├── SOLR_OPTIMIZE.md
│ ├── SSL.md
│ ├── UPGRADE.md
│ ├── cnf/
│ │ ├── barracuda.cnf
│ │ └── octopus.cnf
│ ├── ctrl/
│ │ ├── platform.ctrl
│ │ ├── site.ctrl
│ │ └── system.ctrl
│ └── ini/
│ ├── platform/
│ │ └── INI.md
│ └── site/
│ └── INI.md
├── lib/
│ ├── functions/
│ │ ├── dns.sh.inc
│ │ ├── firewall.sh.inc
│ │ ├── helper.sh.inc
│ │ ├── hotfix.sh.inc
│ │ ├── master.sh.inc
│ │ ├── nginx.sh.inc
│ │ ├── php.sh.inc
│ │ ├── redis.sh.inc
│ │ ├── satellite.sh.inc
│ │ ├── solr.sh.inc
│ │ ├── sql.sh.inc
│ │ ├── system.sh.inc
│ │ ├── valkey.sh.inc
│ │ └── xtra.sh.inc
│ └── settings/
│ ├── barracuda.sh.cnf
│ └── octopus.sh.cnf
└── releases/
├── BOA-5.6.0-PRO.md
├── BOA-5.7.11-PRO.md
├── BOA-5.8.5-PRO.md
└── BOA-5.9.1-PRO.md
================================================
FILE CONTENTS
================================================
================================================
FILE: .gitignore
================================================
# Ignore paths from OS X
.DS_Store
================================================
FILE: ANNOUNCEMENT.md
================================================
# The Future of Ægir 3 is Bryght!
*Announcement from Omega8.cc*
Omega8.cc is now the lead developer team for Ægir 3 running on BOA (Barracuda-Octopus-Ægir stack). We want to thank all past contributors who brought Ægir to life – your work makes today’s progress possible. Because of you, there is still a Bryght Future for Ægir.
## What to Expect
- **Active maintenance and development**: Ægir 3 on BOA is alive and under active development. [See Adam’s comments here](https://www.drupal.org/project/hostmaster/issues/3517915).
- **Migration made easier**: We are working to make it simple to migrate entire legacy Ægir instances (Apache or Nginx) into self-hosted BOA as Octopus Ægir.
- **Standalone Ægir with BOA features**: We are doing our best to enable many BOA-derived features within Ægir standalone, so users can pick their flavour without adopting the full BOA stack.
- **Modern compatibility**: The BOA-based fork already supports **Drupal 11** and **PHP 8.4**, using vanilla **Drush 13** for site installs and updates while still relying on forked and improved **Drush 8** for daily operations.
## Development & Community
Development of BOA stack components continues here on GitHub:
👉 https://github.com/omega8cc/boa
At the same time, we continue to leverage the Drupal.org issue queues so **the community effort continues there** too, and all BOA improvements can be systematically **backported**.
Ægir is still very much alive, and together we can keep its **Bryght** Future shining!
================================================
FILE: BARRACUDA.sh.txt
================================================
#!/bin/bash
###----------------------------------------###
###
### Barracuda Ægir Installer
###
### Copyright (C) 2009-2026 Omega8.cc
### noc@omega8.cc www.omega8.cc
###
### This program is free software. You can
### redistribute it and/or modify it under
### the terms of the GNU GPL as published by
### the Free Software Foundation, version 2
### or later.
###
### This program is distributed in the hope
### that it will be useful, but WITHOUT ANY
### WARRANTY; without even the implied
### warranty of MERCHANTABILITY or FITNESS
### FOR A PARTICULAR PURPOSE. See the GNU GPL
### for more details.
###
### You should have received a copy of the
### GNU GPL along with this program.
### If not, see http://www.gnu.org/licenses/
###
### Code: https://github.com/omega8cc/boa
###
###----------------------------------------###
export PATH=/usr/local/bin:/usr/local/sbin:/opt/local/bin:/usr/bin:/usr/sbin:/bin:/sbin:/usr/libexec
export SHELL=/bin/bash
###
### Software versions
###
_ADMINER_VRN=4.8.1
_BZR_VRN=2.6.0
_CGP_VRN=master-22-07-2020
_CHIVE_VRN=1.3
_COMPOSER_VRN=2.8.2
_CSF_VRN=15.00
_CURL_VRN=8.20.0
_DB_SRC=repo.percona.com
###
###
_DRUSH_ELEVEN_VRN=11.6.0.9
_DRUSH_TEN_VRN=10.6.2.9
_DRUSH_EIGHT_VRN=8.5.0.5
_DRUSH_EIGHT_TEST_VRN=8.5.0-force
###
###
_GEOS_VRN=3.7.1
_GIT_VRN=2.51.0
_GOACCESS_VRN=1.9.4
_ICU_LEGACY_VRN=52_2
_ICU_MODERN_VRN=73-1
_IMAGE_MAGICK_VRN=7.1.1-7
_IMAGICK_OLD_VRN=3.1.2
_IMAGICK_VRN=3.8.1
_IONCUBE_VRN=15.0.0
_JETTY_7_VRN=7.6.17.v20150415
_JETTY_8_VRN=8.1.17.v20150415
_JETTY_9_VRN=9.2.16.v20160414
_JSMIN_PHP_LEGACY_VRN=2.0.1
_JSMIN_PHP_MODERN_VRN=3.1.0
_LIB_TIDY_VRN=5.2.0
_LIB_YAML_VRN=0.2.5
_LOGJ4_VRN=1.2.17
_LSHELL_VRN=0.10
_MAILPARSE_VRN=2.1.6
_NEW_RELIC_VRN=12.6.0.34
_NODE_VRN=v22.21.0
_MONGO_VRN=1.6.14
_MONGODB_VRN=1.2.5
_MSS_VRN=master-29-06-2024
_MYQUICK_VRN_ONE=0.19.3-3
_MYQUICK_VRN_TWO=0.21.3-2
_MYSQLTUNER_VRN=1.9.4
_NGINX_VRN=1.29.8
_OPENSSH_VRN=10.3p1
_OPENSSL_LEGACY_VRN=1.0.2u
_OPENSSL_EOL_VRN=1.1.1w
_OPENSSL_MODERN_VRN=3.5.6
_PERCONA_5_7_VRN=5.7
_PERCONA_8_0_VRN=8.0
_PERCONA_8_4_VRN=8.4
_PHP56_API=20131226
_PHP56_VRN=5.6.40
_PHP70_API=20151012
_PHP70_VRN=7.0.33
_PHP71_API=20160303
_PHP71_VRN=7.1.33
_PHP72_API=20170718
_PHP72_VRN=7.2.34
_PHP73_API=20180731
_PHP73_VRN=7.3.33
_PHP74_API=20190902
_PHP74_VRN=7.4.33
_PHP80_API=20200930
_PHP80_VRN=8.0.30
_PHP81_API=20210902
_PHP81_VRN=8.1.34
_PHP82_API=20220829
_PHP82_VRN=8.2.31
_PHP83_API=20230831
_PHP83_VRN=8.3.31
_PHP84_API=20240924
_PHP84_VRN=8.4.21
_PHP85_API=20250925
_PHP85_VRN=8.5.6
_PHP_APCU=5.1.27
_PHP_IGBINARY_EIGHT_FIVE=3.2.17
_PHP_IGBINARY_THREE=3.2.16
_PHP_IGBINARY_TWO=2.0.8
_PHP_MCRYPT=1.0.9
_PHPREDIS_SIX_LATEST_VRN=6.3.0
_PHPREDIS_SIX_MODERN_VRN=6.3.0
_PHPREDIS_SIX_LEGACY_VRN=6.0.2
_PHPREDIS_FIVE_VRN=5.3.7
_PHPREDIS_FOUR_VRN=4.3.0
_PHPREDIS_THREE_VRN=3.1.6
_PURE_FTPD_VRN=1.0.52
_PXC_VRN=1.4.16
_VALKEY_NINE_VRN=9.0.3
_VALKEY_EIGHT_VRN=8.1.4
_VALKEY_SEVEN_VRN=7.2.11
_REDIS_FOUR_VRN=4.0.14
_REDIS_FIVE_VRN=5.0.9
_REDIS_SIX_VRN=6.2.7
_REDIS_SEVEN_VRN=7.0.15
_RUBY_VRN=3.3.4
_SLF4J_VRN=1.7.21
_SOLR_1_VRN=1.4.1
_SOLR_3_VRN=3.6.2
_SOLR_4_VRN=4.9.1
_SOLR_7_VRN=7.7.3
_SOLR_9_VRN=9.8.1
_TWIGC_VRN=1.24.0
_UNBOUND_VRN=1.24.2
_UPROGRESS_LEGACY_VRN=1.0.3.1
_UPROGRESS_SEVEN_VRN=2.0.1.6
_UPROGRESS_EIGHT_VRN=2.0.2
_VNSTAT_VRN=2.13
_WKHTMLTOX_VRN=12.6-1
_YAML_PHP_LEGACY_VRN=1.3.2
_YAML_PHP_SEVENO_VRN=2.1.0
_YAML_PHP_MODERN_VRN=2.2.5
_ZLIB_VRN=1.3.1
###
### Default variables
###
_CUSTOM_NAME="nginx"
_DRUSH_VERSION="${_DRUSH_EIGHT_VRN}"
_DRUSH_VERSION_TEST="${_DRUSH_EIGHT_TEST_VRN}"
_FORCE_REDIS_RESTART=NO
_LOC_OS_CODE=""
_PURGE_ALL_THISHTIP=NO
export _SMALLCORE7_V=7.105.1
export _DRUPAL7="drupal-${_SMALLCORE7_V}"
_SPINNER=NO
_THIS_DB_PORT=3306
if [ -n "${STY+x}" ]; then
_SPINNER=NO
fi
###
### Helper variables
###
_aptLiSys="/etc/apt/sources.list"
_barCnf="/root/.barracuda.cnf"
_bldPth="/opt/tmp/boa"
_crlGet="-L --max-redirs 3 -k -s --retry 9 --retry-delay 9 -A iCab"
_wgetGet="--max-redirect=3 --no-check-certificate -q --tries=9 --wait=9 --user-agent='iCab'"
_aptAllow="--allow-unauthenticated"
_aptYesUnth="-y ${_aptAllow}"
_filIncB="barracuda.sh.cnf"
_gitHub="https://github.com/omega8cc"
_gitLab="https://gitlab.com/omega8cc"
_libFnc="${_bldPth}/lib/functions"
_locCnf="${_bldPth}/aegir/conf"
_mtrInc="/var/aegir/config/includes"
_mtrNgx="/var/aegir/config/server_master/nginx"
_mtrTpl="/var/aegir/.drush/sys/provision/http/Provision/Config/Nginx"
_pthLog="/var/log/boa"
_vBs="/var/backups"
###
### SA variables
###
_saCoreN="SA-CORE-2014-005"
_saCoreS="${_saCoreN}-D7"
_saIncDb="includes/database/database.inc"
_saPatch="/var/xdrago/conf/${_saCoreS}.patch"
###
### Avoid too many questions
###
export DEBIAN_FRONTEND=noninteractive
export APT_LISTCHANGES_FRONTEND=none
if [ -z "${TERM+x}" ]; then
export TERM=vt100
fi
###
### Clean pid files on exit
###
_clean_pid_exit() {
if [ -n "${1}" ]; then
echo "REASON ${1} on $(date)" >> /root/.barracuda.sh.exit.exceptions.log
[ -e "/opt/tmp/boa" ] && rm -rf /opt/tmp/*
fi
[ -e "/run/boa_wait.pid" ] && rm -f /run/boa_wait.pid
[ -e "/run/boa_run.pid" ] && rm -f /run/boa_run.pid
service cron start &> /dev/null
_CNT=$(pgrep -fc 'tee -a /var/backups/barracuda-')
if (( _CNT > 1 )); then
pkill -f 'tee -a /var/backups/barracuda-'
fi
exit 1
}
###
### Panic on missing include
###
_panic_exit() {
echo
echo " EXIT: Required lib file not available?"
echo " EXIT: $1"
echo " EXIT: Cannot continue"
echo " EXIT: Bye (0)"
echo
_clean_pid_exit _panic_exit_a
}
###
### Include default settings and basic functions
###
[ -r "${_vBs}/${_filIncB}" ] || _panic_exit "${_vBs}/${_filIncB}"
source "${_vBs}/${_filIncB}"
###
### Download helpers and libs
###
if [ "${_OS_CODE}" = "excalibur" ]; then
_DB_SERVER=Percona
else
_DB_SERVER=Percona
fi
if [ "$(boa info | grep -c ${_DB_SERVER})" -lt 3 ] || [ ! -e "/usr/sbin/csf" ]; then
if [ ! -e "/opt/tmp/boa/aegir/helpers/apt.conf.noi.nrml" ] \
|| [ ! -e "/opt/tmp/boa/aegir/helpers/apt.conf.noi.dist" ]; then
_download_helpers_libs
fi
else
_download_helpers_libs
fi
###
### Include shared functions
###
_FL="helper dns system sql valkey redis nginx php solr master xtra firewall hotfix"
for f in ${_FL}; do
[ -r "${_libFnc}/${f}.sh.inc" ] || _panic_exit "${f}"
source "${_libFnc}/${f}.sh.inc"
done
###
### Make sure we are running as root
###
_if_running_as_root_barracuda
###
### Welcome msg
###
echo " "
_msg "Skynet Agent v.${_X_VERSION} on $(dmidecode -s system-manufacturer 2>&1) welcomes you aboard!"
echo " "
sleep 3
###
### Early procedures
###
_normalize_ip_name_variables
_mode_detection
_check_exception_mycnf
_virt_detection
_os_detection
_os_detection_minimal
_if_rebuild_src_on_major_os_upgrade
_if_long_generate_on_major_os_upgrade
###
### Quick php-idle ON/OFF procedure only
###
_if_php_idle_on_off
###
### Packages install/update on init
###
_sources_list_update
_basic_packages_install_on_init
_more_packages_install_on_init
_run_aptitude_full_upgrade
###
### Misc checks
###
_check_boa_php_compatibility
_check_boa_version
if [ "${_CHECKS_REMOTE_REPOS}" = "YES" ]; then
_check_github_for_aegir_head_mode
_check_db_src
_check_git_repos
fi
_check_ip_hostname
_check_prepare_dirs_permissions
###
### Turn Off AppArmor temporarily while running barracuda
###
if [ "${_OS_CODE}" = "stretch" ] || [ "${_OS_CODE}" = "jessie" ]; then
[ ! -e "/root/.turn_off_apparmor_in_octopus.cnf" ] && touch /root/.turn_off_apparmor_in_octopus.cnf
else
_turn_off_apparmor_temporarily
fi
###
### Optional major system upgrades
###
_early_sys_ctrl_mark
_if_post_major_os_upgrade
_if_major_os_upgrade
_normal_sys_ctrl_mark
###
### Upgrade only Ægir Master Instance (obsolete mode)
###
if [ "${_ALLOW_HEAVY_REBUILDS}" = "YES" ]; then
_if_upgrade_only_aegir_master
fi
###
### System packages install and update
###
_sys_packages_update
_if_proxysql_update
_sys_packages_install
_java_check_fix
_locales_check_fix
###
### Do not allow strong passwords until locales work properly
###
if [ "${_LOCALE_TEST}" = "BROKEN" ]; then
_STRONG_PASSWORDS=NO
fi
###
### Install key packages first
###
_run_aptitude_full_upgrade
_run_aptitude_deps_install
_kill_nash
###
### OpenSSL modern and legacy support
###
_LC_SSL_CTRL="/root/.install.legacy.openssl.cnf"
_MD_SSL_CTRL="/root/.install.modern.openssl.cnf"
if [ "${_STATUS}" = "INIT" ] || [ ! -x "/usr/local/ssl/bin/openssl" ]; then
if [ -e "${_MD_SSL_CTRL}" ]; then
chattr -i ${_MD_SSL_CTRL}
rm -f ${_MD_SSL_CTRL}
fi
touch ${_LC_SSL_CTRL}
_if_ssl_install_src
_sync_system_ssl_certs
_ssl_paths_sync
_ssl_crypto_lib_fix
_curl_install_src
fi
if [ -x "/usr/local/ssl/bin/openssl" ]; then
[ -e "${_LC_SSL_CTRL}" ] && rm -f ${_LC_SSL_CTRL}
fi
if [ "${_STATUS}" = "INIT" ] || [ ! -x "/usr/local/ssl3/bin/openssl" ]; then
if [ ! -e "${_LC_SSL_CTRL}" ]; then
if [ ! -e "${_MD_SSL_CTRL}" ]; then
touch ${_MD_SSL_CTRL}
chattr +i ${_MD_SSL_CTRL}
fi
fi
elif [ "${_STATUS}" = "UPGRADE" ]; then
if [ ! -e "/opt/php73/bin/php" ] \
&& [ ! -e "/opt/php72/bin/php" ] \
&& [ ! -e "/opt/php71/bin/php" ] \
&& [ ! -e "/opt/php70/bin/php" ] \
&& [ ! -e "/opt/php56/bin/php" ]; then
if [ ! -e "${_MD_SSL_CTRL}" ] \
&& [ ! -e "${_LC_SSL_CTRL}" ]; then
touch ${_MD_SSL_CTRL}
chattr +i ${_MD_SSL_CTRL}
fi
fi
if [ ! -x "/usr/local/ssl/bin/openssl" ] \
&& [ -e "${_LC_SSL_CTRL}" ]; then
if [ -e "${_MD_SSL_CTRL}" ]; then
chattr -i ${_MD_SSL_CTRL}
rm -f ${_MD_SSL_CTRL}
fi
fi
fi
if [ -x "/usr/local/ssl/bin/openssl" ] \
&& [ -x "/usr/local/ssl3/bin/openssl" ]; then
if [ ! -e "${_MD_SSL_CTRL}" ]; then
touch ${_MD_SSL_CTRL}
chattr +i ${_MD_SSL_CTRL}
fi
fi
###
### Install OpenSSL and cURL from sources
###
if [ "${_ALLOW_HEAVY_REBUILDS}" = "YES" ] || [ ! -x "/usr/local/ssl3/bin/openssl" ]; then
_if_ssl_install_src
_sync_system_ssl_certs
_ssl_paths_sync
_ssl_crypto_lib_fix
_curl_install_src
fi
###
### Install OpenSSH from sources
###
if [ "${_SSH_FROM_SOURCES}" = "YES" ] && [ "${_ALLOW_HEAVY_REBUILDS}" = "YES" ]; then
if [ "${_STATUS}" = "INIT" ] || [ "${_STATUS}" = "UPGRADE" ]; then
if [ "${_OS_DIST}" = "Debian" ] || [ "${_OS_DIST}" = "Devuan" ]; then
_sshd_install_src
_sshd_armour
fi
fi
fi
###
### Install Percona server
###
_db_server_install
###
### Finalize initial Percona server and tools setup
###
_init_sql_root_credentials
_sql_root_credentials_update
_myquick_install_upgrade
###
### Install other services
###
if [ "${_ALLOW_HEAVY_REBUILDS}" = "YES" ]; then
_nginx_install_upgrade
_nginx_initd_check
_nginx_mime_check_fix
if [ "${_VALKEY_MAJOR_RELEASE}" = "7" ] \
|| [ "${_VALKEY_MAJOR_RELEASE}" = "8" ] \
|| [ "${_VALKEY_MAJOR_RELEASE}" = "9" ]; then
_valkey_install_upgrade
else
_redis_install_upgrade
fi
_lshell_install_upgrade
_magick_install_upgrade
_php_install_deps
_php_libs_fix
_php_if_versions_cleanup_cnf
if [ "${_STATUS}" = "UPGRADE" ]; then
_php_ioncube_check_if_update
_php_check_if_rebuild
_mytop_install
fi
_php_install_upgrade
_php_config_check_update
_php_upgrade_all
_if_install_php_newrelic
_newrelic_check_fix
fi
_smtp_check
_xdrago_install_upgrade
_if_drupal_patches_update
_mc_panels_ini_update
###
### Download system-wide Drush versions
###
_drush_system_install_update
###
### Install or upgrade Ægir Master Instance
###
if [ "${_ALLOW_HEAVY_REBUILDS}" = "YES" ]; then
_aegir_master_install_upgrade
_aegir_bin_extra_check_fix
_nginx_wildcard_ssl_install
_nginx_config_update_fix
_aegir_master_display_login_link
fi
###
### Install or upgrade DNS cache server
###
if [ "${_STATUS}" = "UPGRADE" ]; then
_dns_unbound_install_upgrade
fi
###
### Install or upgrade csf/lfd monitoring
###
if [ "${_STATUS}" = "UPGRADE" ]; then
_csf_lfd_install_upgrade
fi
###
### Optional add-on services
###
if [ "${_STATUS}" = "INIT" ] || [ "${_STATUS}" = "UPGRADE" ]; then
if [ "${_ALLOW_HEAVY_REBUILDS}" = "YES" ]; then
_if_install_ftpd
_if_install_vnstat
_if_install_wkhtmltox
_if_install_chromium
_if_install_git_src
_if_install_ffmpeg
_if_install_bzr
[ ! -e "/root/.deny.java.cnf" ] && _if_install_upgrade_solr
_if_install_adminer
_if_install_chive
_if_install_sqlbuddy
_if_install_collectd
_if_install_webmin
_if_install_bind
_if_install_ruby
_if_install_node
_sftp_ftps_modern_fix
fi
fi
###
### Update rsyslog configuration
###
_rsyslog_config_update
###
### Install or uninstall AppArmor after barracuda install and upgrade
###
if [ -e "/root/.keep_apparmor_on.cnf" ] && [ ! -e "/root/.deny.apparmor.cnf" ]; then
[ ! -e "/root/.allow.apparmor.cnf" ] && touch /root/.allow.apparmor.cnf
if [ ! -e "/root/.run-to-excalibur.cnf" ] \
&& [ ! -e "/root/.run-to-daedalus.cnf" ] \
&& [ ! -e "/root/.run-to-chimaera.cnf" ] \
&& [ ! -e "/root/.run-to-beowulf.cnf" ]; then
if [ "${_OS_CODE}" != "stretch" ] && [ "${_OS_CODE}" != "jessie" ]; then
_if_install_apparmor
fi
fi
else
[ -e "/root/.allow.apparmor.cnf" ] && rm -f /root/.allow.apparmor.cnf
[ ! -e "/root/.deny.apparmor.cnf" ] && touch /root/.deny.apparmor.cnf
if [ "${_OS_CODE}" != "stretch" ] && [ "${_OS_CODE}" != "jessie" ]; then
_if_remove_apparmor
fi
fi
###
### Update barracuda log, tools and system settings
###
_pam_umask_check_fix
_pam_many_check_fix
_avatars_check_fix
_sysctl_update
_initd_update
_apticron_update
_barracuda_log_update
_find_server_city
###
### Complete system checks and cleanup
###
_complete
exit 0
###----------------------------------------###
###
### Barracuda Ægir Installer
### Copyright (C) 2009-2026 Omega8.cc
### noc@omega8.cc www.omega8.cc
###
###----------------------------------------###
================================================
FILE: BOA.sh.txt
================================================
#!/bin/bash
###----------------------------------------###
###
### BOA Meta Installer
###
### Copyright (C) 2009-2026 Omega8.cc
### noc@omega8.cc www.omega8.cc
###
### This program is free software. You can
### redistribute it and/or modify it under
### the terms of the GNU GPL as published by
### the Free Software Foundation, version 2
### or later.
###
### This program is distributed in the hope
### that it will be useful, but WITHOUT ANY
### WARRANTY; without even the implied
### warranty of MERCHANTABILITY or FITNESS
### FOR A PARTICULAR PURPOSE. See the GNU GPL
### for more details.
###
### You should have received a copy of the
### GNU GPL along with this program.
### If not, see http://www.gnu.org/licenses/
###
### Code: https://github.com/omega8cc/boa
###
###----------------------------------------###
###----------------------------------------###
### How To: run it with bash, not with sh ###
###----------------------------------------###
###
### $ wget -qO- http://files.aegir.cc/BOA.sh.txt | bash
###
###----------------------------------------###
### DON'T EDIT ANYTHING BELOW THIS LINE ###
###----------------------------------------###
export HOME=/root
export SHELL=/bin/bash
export PATH=/usr/local/bin:/usr/local/sbin:/opt/local/bin:/usr/bin:/usr/sbin:/bin:/sbin:/usr/libexec
export _tRee=dev
export _xSrl=591devT01
export _rLsn="BOA-5.9.1"
export _bTs=591v02
###
### Avoid too many questions
###
export DEBIAN_FRONTEND=noninteractive
export APT_LISTCHANGES_FRONTEND=none
if [ -z "${TERM+x}" ]; then
export TERM=vt100
fi
_NOW=$(date +%y%m%d-%H%M%S)
export _NOW=${_NOW//[^0-9-]/}
_TODAY=$(date +%y%m%d)
export _TODAY=${_TODAY//[^0-9]/}
#
_barCnf="/root/.barracuda.cnf"
_crlGet="-L --max-redirs 3 -k -s --retry 9 --retry-delay 9 -A iCab"
_wgetGet="--max-redirect=3 --no-check-certificate -q --tries=9 --wait=9 --user-agent='iCab'"
_aptAllow="--allow-unauthenticated"
_aptYesUnth="-y ${_aptAllow}"
_optBin="/opt/local/bin"
_usrBin="/usr/local/bin"
_xpthLog="/var/xdrago/log"
_pthLog="/var/log/boa"
_tBn="tools/bin"
_vBs="/var/backups"
_boaToolsPid="${_pthLog}/updateBOAtools.${_bTs}.ctrl.${_tRee}.${_xSrl}.pid"
_INITINS="/usr/bin/apt-get ${_aptAllow} -y install"
#
if [ ! -e "${_pthLog}/.migrated.txt" ] && [ -d "${_xpthLog}" ]; then
mkdir -p "${_pthLog}"
cp -a ${_xpthLog}/*.pid ${_pthLog}/
cp -a ${_xpthLog}/.*pid ${_pthLog}/
cp -a ${_xpthLog}/*.log ${_pthLog}/
cp -a ${_xpthLog}/*.txt ${_pthLog}/
cp -a ${_xpthLog}/usage ${_pthLog}/
cp -a ${_xpthLog}/daily ${_pthLog}/
cp -a ${_xpthLog}/core ${_pthLog}/
cp -a ${_xpthLog}/le ${_pthLog}/
touch "${_pthLog}/.migrated.txt"
fi
[ ! -d "${_pthLog}/usage" ] && mkdir -p "${_pthLog}/usage"
[ ! -d "${_pthLog}/daily" ] && mkdir -p "${_pthLog}/daily"
[ ! -d "${_pthLog}/core" ] && mkdir -p "${_pthLog}/core"
[ ! -d "${_pthLog}/le" ] && mkdir -p "${_pthLog}/le"
#
_eldirF="0001-Print-site_footer-if-defined.patch"
_eldirP="/var/xdrago/conf/${_eldirF}"
#
_tenCorePatchFname="drupal-ten-aegir-core-01.patch"
_tenCorePatchPath="/data/conf/patches/${_tenCorePatchFname}"
#
_tenConsolePatchFname="drupal-ten-aegir-console-02.patch"
_tenConsolePatchPath="/data/conf/patches/${_tenConsolePatchFname}"
#
_elevenCorePatchFname="drupal-eleven-aegir-core-01.patch"
_elevenCorePatchPath="/data/conf/patches/${_elevenCorePatchFname}"
#
_elevenConsolePatchFname="drupal-eleven-aegir-console-02.patch"
_elevenConsolePatchPath="/data/conf/patches/${_elevenConsolePatchFname}"
#
_elevenValidatorPatchFname="drupal-eleven-aegir-validator-03.patch"
_elevenValidatorPatchPath="/data/conf/patches/${_elevenValidatorPatchFname}"
#
_provLeInc="provision_hosting_le.drush.inc"
_provLeIncFull="/var/xdrago/conf/${_provLeInc}"
#
_hoLeInc="hosting_le_vhost.drush.inc"
_hoLeIncFull="/var/xdrago/conf/${_hoLeInc}"
#
_dehydName="dehydrated"
_dehydSrcPath="/var/xdrago/conf/${_dehydName}"
_legacyLeSh="/var/xdrago/conf/letsencrypt.sh"
_DEBUG_MODE=$([ -e "/root/.debug-barracuda-installer.cnf" ] && echo "YES" || echo "NO")
_os_detection_minimal() {
_APT_UPDATE="apt-get update"
_OS_CODE=$(lsb_release -ar 2>/dev/null | grep -i codename | cut -s -f2)
_OS_LIST="excalibur daedalus chimaera beowulf buster bullseye bookworm trixie"
for e in ${_OS_LIST}; do
if [ "${e}" = "${_OS_CODE}" ]; then
_APT_UPDATE="apt-get update --allow-releaseinfo-change"
fi
done
}
_apt_clean_update() {
${_APT_UPDATE} -qq 2>/dev/null
_CALLER_SCRIPT="$(basename "${BASH_SOURCE[-1]}")"
_CALLER_SCRIPT="${_CALLER_SCRIPT//[^a-zA-Z0-9._-]/_}"
date +%s > "/run/_latest_apt_clean_update.${_CALLER_SCRIPT}.pid"
}
_if_hosted_sys() {
_hName="$(cat /etc/hostname 2>/dev/null | tr -d '\n' || hostname -f 2>/dev/null)"
if [ -e "/root/.host8.cnf" ] \
|| [[ "${_hName}" =~ ".aegir.cc"($) ]]; then
_hostedSys=YES
else
_hostedSys=NO
fi
}
#
# Find server city.
_find_server_city() {
if [ -e "/root/.found_correct_city.cnf" ]; then
_LOC_CITY=$(cat /root/.found_correct_city.cnf 2>/dev/null | tr -d '\n')
else
if [ -e "/root/.found_correct_ipv4.cnf" ]; then
_LOC_IP=$(cat /root/.found_correct_ipv4.cnf 2>/dev/null | tr -d '\n')
_LOC_CITY=$(curl ${_crlGet} ipinfo.io/${_LOC_IP}/city 2>&1)
_LOC_CITY=$(echo -n ${_LOC_CITY} | tr -d "\n" 2>&1)
fi
if [ ! -z "${_LOC_CITY}" ]; then
_LOC_CITY=$(echo "${_LOC_CITY}" | tr ' ' '+' 2>&1)
echo ${_LOC_CITY} > /root/.found_correct_city.cnf
fi
fi
}
#
# Find correct IP.
_find_correct_ip() {
if [ -e "/root/.found_correct_ipv4.cnf" ]; then
_LOC_IP=$(cat /root/.found_correct_ipv4.cnf 2>/dev/null | tr -d '\n')
else
_LOC_IP=$(curl ${_crlGet} https://api.ipify.org | sed 's/[^0-9\.]//g')
if [ -z "${_LOC_IP}" ]; then
_LOC_IP=$(curl ${_crlGet} http://ipv4.icanhazip.com | sed 's/[^0-9\.]//g')
fi
if [ ! -z "${_LOC_IP}" ]; then
echo ${_LOC_IP} > /root/.found_correct_ipv4.cnf
fi
fi
if [ -n "${_LOC_IP}" ] && grep -qE "${_LOC_IP}\s" /etc/hosts; then
cp -af /etc/hosts /etc/.was.hosts
sed -i "s/^${_LOC_IP}.*//g" /etc/hosts
[ -x "/etc/init.d/unbound" ] && [ ! -e "/usr/etc/unbound/unbound.conf.d" ] && mkdir -p /usr/etc/unbound/unbound.conf.d
[ -x "/etc/init.d/unbound" ] && service unbound restart &> /dev/null
fi
}
_fix_dns_settings() {
[ ! -d "${_vBs}" ] && mkdir -p ${_vBs}
rm -f ${_vBs}/resolv.conf.tmp
if ! grep -q "nameserver 127.0.0.1" /etc/resolv.conf; then
if [ -x "/usr/sbin/unbound" ] && [ -e "/run/unbound/unbound.pid" ]; then
_FORCE_RESOLV_UPDATE=YES
else
_FORCE_RESOLV_UPDATE=NO
fi
fi
if ! grep -q "BOA-DNS-Config" /etc/resolv.conf || [ "${_FORCE_RESOLV_UPDATE}" = "YES" ]; then
echo "### BOA-DNS-Config ###" > ${_vBs}/resolv.conf.tmp
if [ -x "/usr/sbin/unbound" ] && [ -e "/run/unbound/unbound.pid" ]; then
echo "nameserver 127.0.0.1" >> ${_vBs}/resolv.conf.tmp
fi
echo "nameserver 1.1.1.1" >> ${_vBs}/resolv.conf.tmp
echo "nameserver 8.8.8.8" >> ${_vBs}/resolv.conf.tmp
echo "nameserver 9.9.9.9" >> ${_vBs}/resolv.conf.tmp
fi
if [ -e "${_vBs}/resolv.conf.tmp" ]; then
chattr -i /etc/resolv.conf
rm -f /etc/resolv.conf
cp -a ${_vBs}/resolv.conf.tmp /etc/resolv.conf
chmod 0644 /etc/resolv.conf
chattr +i /etc/resolv.conf
cp -a ${_vBs}/resolv.conf.tmp ${_vBs}/resolv.conf.vanilla
fi
if [ -x "/usr/sbin/unbound-control" ] \
&& [ -e "/etc/resolvconf/run/interface/lo.unbound" ]; then
unbound-control reload &> /dev/null
fi
}
_check_dns_settings() {
_EHU=NO
if ! grep -q "127.0.0.1 localhost" /etc/hosts; then
sed -i "s/^127.0.0.1.*//g" /etc/hosts
echo "" >> /etc/hosts
echo "127.0.0.1 localhost" >> /etc/hosts
_EHU=YES
fi
if grep -q "files.aegir.cc" /etc/hosts; then
sed -i "s/.*files.aegir.cc.*//g" /etc/hosts
_EHU=YES
fi
if grep -q "github" /etc/hosts; then
sed -i "s/.*github.*//g" /etc/hosts
_EHU=YES
fi
if [ "${_EHU}" = "YES" ]; then
echo >>/etc/hosts
sed -i "/^$/d" /etc/hosts
fi
if [ -L "/etc/resolv.conf" ]; then
_fix_dns_settings
return 1 # Exit the function but continue the script
fi
if [ -e "/root/.use.default.nameservers.cnf" ]; then
if [ -e "/root/.use.local.nameservers.cnf" ]; then
rm -f /root/.use.local.nameservers.cnf
fi
_USE_DEFAULT_DNS=YES
if ! grep -q "BOA-DNS-Config" /etc/resolv.conf; then
_fix_dns_settings
return 1 # Exit the function but continue the script
fi
fi
if [ -e "/root/.use.local.nameservers.cnf" ]; then
_USE_PROVIDER_DNS=YES
else
_REMOTE_DNS_TEST=$(host files.aegir.cc 1.1.1.1 -w 10 2>&1)
if ! grep -q "BOA-DNS-Config" /etc/resolv.conf; then
_fix_dns_settings
return 1 # Exit the function but continue the script
fi
fi
if [[ "${_REMOTE_DNS_TEST}" =~ "no servers could be reached" ]] \
|| [[ "${_REMOTE_DNS_TEST}" =~ "Host files.aegir.cc not found" ]] \
|| [ "${_USE_PROVIDER_DNS}" = "YES" ]; then
_fix_dns_settings
fi
}
_find_fast_mirror_early() {
_isNetc="$(which netcat)"
if [ ! -x "${_isNetc}" ] || [ -z "${_isNetc}" ]; then
if [ ! -e "/etc/apt/apt.conf.d/00sandboxoff" ] \
&& [ -e "/etc/apt/apt.conf.d" ]; then
echo "APT::Sandbox::User \"root\";" > /etc/apt/apt.conf.d/00sandboxoff
fi
_apt_clean_update
apt-get install netcat-traditional ${_aptYesUnth} &> /dev/null
fi
_ffMirr=/opt/local/bin/ffmirror
if [ -x "${_ffMirr}" ]; then
_ffList="/var/backups/boa-mirrors-2025-01.txt"
[ -d "/var/backups" ] || mkdir -p /var/backups
if [ ! -e "${_ffList}" ]; then
echo "eu.files.aegir.cc" > ${_ffList}
echo "us.files.aegir.cc" >> ${_ffList}
echo "ao.files.aegir.cc" >> ${_ffList}
fi
if [ -e "${_ffList}" ]; then
_BROKEN_FFMIRR_TEST=$(grep "stuff" ${_ffMirr} 2>&1)
if [[ "${_BROKEN_FFMIRR_TEST}" =~ "stuff" ]]; then
_CHECK_MIRROR=$(bash ${_ffMirr} < ${_ffList} 2>&1)
_CHECK_MIRROR=$(bash ${_ffMirr} < ${_ffList} 2>&1)
_USE_MIR="${_CHECK_MIRROR}"
[[ "${_USE_MIR}" =~ "printf" ]] && _USE_MIR="files.aegir.cc"
else
_USE_MIR="files.aegir.cc"
fi
else
_USE_MIR="files.aegir.cc"
fi
else
_USE_MIR="files.aegir.cc"
fi
_urlDev="http://${_USE_MIR}/dev"
_urlHmr="http://${_USE_MIR}/versions/${_tRee}/boa/aegir"
}
_extract_archive() {
if [ ! -z "$1" ]; then
case $1 in
*.tar.bz2) tar xjf $1 ;;
*.tar.gz) tar xzf $1 ;;
*.tar.xz) tar xvf $1 ;;
*.bz2) bunzip2 $1 ;;
*.rar) unrar x $1 ;;
*.gz) gunzip -q $1 ;;
*.tar) tar xf $1 ;;
*.tbz2) tar xjf $1 ;;
*.tgz) tar xzf $1 ;;
*.zip) unzip -qq $1 ;;
*.Z) uncompress $1 ;;
*.7z) 7z x $1 ;;
*) echo "'$1' cannot be extracted via >extract<" ;;
esac
rm -f $1
fi
}
#
# Download and extract from dev/contrib mirror.
_get_dev_contrib() {
if [ ! -z "$1" ]; then
_max_attempts=10
_attempt_num=1
_success=0
while [ ${_attempt_num} -le ${_max_attempts} ]; do
[ "${_DEBUG_MODE}" = "YES" ] && echo "DNLD: Attempt ${_attempt_num} of ${_max_attempts}: Downloading $1..."
if curl ${_crlGet} "${_urlDev}/${_tRee}/contrib/$1" -o "$1"; then
_success=1
break
else
[ "${_DEBUG_MODE}" = "YES" ] && echo "DNLD: Attempt ${_attempt_num} failed."
_attempt_num=$((_attempt_num+1))
if [ "${_attempt_num}" -le "${_max_attempts}" ]; then
[ "${_DEBUG_MODE}" = "YES" ] && echo "DNLD: Retrying in 9 seconds..."
sleep 9
fi
fi
done
if [ "${_success}" -eq 1 ]; then
_extract_archive "$1"
else
echo "OOPS: Failed to download ${_urlDev}/${_tRee}/contrib/$1 after ${_max_attempts} attempts"
return 1 # Exit the function but continue the script
fi
fi
}
#
# Download and extract archive from dev/src mirror.
_get_dev_src() {
if [ ! -z "$1" ]; then
_max_attempts=10
_attempt_num=1
_success=0
while [ ${_attempt_num} -le ${_max_attempts} ]; do
[ "${_DEBUG_MODE}" = "YES" ] && echo "DNLD: Attempt ${_attempt_num} of ${_max_attempts}: Downloading $1..."
if curl ${_crlGet} "${_urlDev}/src/$1" -o "$1"; then
_success=1
break
else
[ "${_DEBUG_MODE}" = "YES" ] && echo "DNLD: Attempt ${_attempt_num} failed."
_attempt_num=$((_attempt_num+1))
if [ "${_attempt_num}" -le "${_max_attempts}" ]; then
[ "${_DEBUG_MODE}" = "YES" ] && echo "DNLD: Retrying in 9 seconds..."
sleep 9
fi
fi
done
if [ "${_success}" -eq 1 ]; then
_extract_archive "$1"
else
echo "OOPS: Failed to download ${_urlDev}/src/$1 after ${_max_attempts} attempts"
return 1 # Exit the function but continue the script
fi
fi
}
_if_clean_boa_env() {
if [ ! -x "/etc/init.d/clean-boa-env" ]; then
curl ${_crlGet} "${_urlHmr}/conf/var/clean-boa-env" -o /etc/init.d/clean-boa-env
if [ -e "/etc/init.d/clean-boa-env" ]; then
chmod 700 /etc/init.d/clean-boa-env
chown root:root /etc/init.d/clean-boa-env
update-rc.d clean-boa-env defaults &> /dev/null
fi
fi
}
###
### Function to verify BOA keys
###
_verify_boa_keys() {
if [ -e "/root/.dev.server.cnf" ]; then
echo "PROC: _verify_boa_keys in BOA.sh.txt"
fi
if [ "${_tRee}" = "pro" ] || [ "${_tRee}" = "dev" ]; then
_if_hosted_sys
_allw=NO
_urlEnc="http://${_USE_MIR}/enc/2024"
_encName=$(echo ${_hName} \
| openssl md5 \
| awk '{ print $2}' \
| tr -d "\n" 2>&1)
if [[ "${_hName}" =~ ".aegir.cc"($) ]] \
|| [[ "${_hName}" =~ ".o8.io"($) ]] \
|| [[ "${_hName}" =~ ".boa.io"($) ]]; then
_allw=YES
fi
mkdir -p /var/opt
rm -f /var/opt/_encN*
curl ${_crlGet} "${_urlEnc}/${_encName}" -o /var/opt/_encN.${_encName}.tmp
wait
echo "${_hName}.${_encName}" > /var/opt/_encN_local.${_encName}.tmp
wait
if [ -e "/var/opt/_encN.${_encName}.tmp" ] && [ -e "/var/opt/_encN_local.${_encName}.tmp" ]; then
_diffTestIf=$(diff -w -B /var/opt/_encN.${_encName}.tmp /var/opt/_encN_local.${_encName}.tmp 2>&1)
if [ ! -z "${_diffTestIf}" ] && [ "${_allw}" = "NO" ]; then
echo
echo "Your system requires valid license for access to ${_rLsn}-${_tRee}"
echo "Please visit https://omega8.cc/licenses to purchase your own"
echo
if [ -e "/var/aegir/.drush/hm.alias.drushrc.php" ] \
&& [ ! -e "/var/aegir/key/barracuda_key.txt" ]; then
mkdir -p /var/aegir/key
cat /var/opt/_encN_local.${_encName}.tmp > /var/aegir/key/barracuda_key.txt
fi
rm -f /var/opt/_encN*
exit 0
else
if [ -e "/var/aegir/.drush/hm.alias.drushrc.php" ] \
&& [ ! -e "/var/aegir/key/barracuda_key.txt" ]; then
mkdir -p /var/aegir/key
cat /var/opt/_encN_local.${_encName}.tmp > /var/aegir/key/barracuda_key.txt
fi
fi
else
echo
echo "Your system requires valid license to use this BOA version (${_tRee})"
echo "Unfortunately it was not possible to verify your system status"
echo "Please contact our support but visit https://omega8.cc/licenses first"
echo
exit 0
fi
fi
}
_locales_check_fix_early() {
_isLoc="$(which locale)"
if [ ! -x "${_isLoc}" ] || [ -z "${_isLoc}" ]; then
apt-get update -qq &> /dev/null
${_INITINS} locales locales-all &> /dev/null
fi
_LOC_TEST=$(locale 2>&1)
if [[ "${_LOC_TEST}" =~ LANG=.*UTF-8 ]]; then
_LOCALE_TEST=OK
fi
if [[ "${_LOC_TEST}" =~ "Cannot" ]]; then
_LOCALE_TEST=BROKEN
fi
if [ "${_LOCALE_TEST}" = "BROKEN" ]; then
_LOCALE_GEN_TEST=$(grep -v "^#" /etc/locale.gen 2>&1)
if [[ ! "${_LOCALE_GEN_TEST}" =~ "en_US.UTF-8 UTF-8" ]]; then
echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen
fi
sed -i "/^$/d" /etc/locale.gen
locale-gen &> /dev/null
locale-gen en_US.UTF-8 &> /dev/null
# Explicitly enforce all locale settings
update-locale \
LANG=en_US.UTF-8 \
LC_CTYPE=en_US.UTF-8 \
LC_COLLATE=POSIX \
LC_NUMERIC=POSIX \
LC_TIME=en_US.UTF-8 \
LC_MONETARY=en_US.UTF-8 \
LC_MESSAGES=en_US.UTF-8 \
LC_PAPER=en_US.UTF-8 \
LC_NAME=en_US.UTF-8 \
LC_ADDRESS=en_US.UTF-8 \
LC_TELEPHONE=en_US.UTF-8 \
LC_MEASUREMENT=en_US.UTF-8 \
LC_IDENTIFICATION=en_US.UTF-8 \
LC_ALL= &> /dev/null
# Define all locale settings on the fly to prevent unnecessary
# warnings during installation of packages.
export LANG=en_US.UTF-8 &> /dev/null
export LC_CTYPE=en_US.UTF-8 &> /dev/null
export LC_COLLATE=POSIX &> /dev/null
export LC_NUMERIC=POSIX &> /dev/null
export LC_TIME=en_US.UTF-8 &> /dev/null
export LC_MONETARY=en_US.UTF-8 &> /dev/null
export LC_MESSAGES=en_US.UTF-8 &> /dev/null
export LC_PAPER=en_US.UTF-8 &> /dev/null
export LC_NAME=en_US.UTF-8 &> /dev/null
export LC_ADDRESS=en_US.UTF-8 &> /dev/null
export LC_TELEPHONE=en_US.UTF-8 &> /dev/null
export LC_MEASUREMENT=en_US.UTF-8 &> /dev/null
export LC_IDENTIFICATION=en_US.UTF-8 &> /dev/null
export LC_ALL= &> /dev/null
else
_LOCALE_GEN_TEST=$(grep -v "^#" /etc/locale.gen 2>&1)
if [[ ! "${_LOCALE_GEN_TEST}" =~ "en_US.UTF-8 UTF-8" ]]; then
echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen
fi
sed -i "/^$/d" /etc/locale.gen
locale-gen &> /dev/null
locale-gen en_US.UTF-8 &> /dev/null
# Explicitly enforce locale settings required for consistency
update-locale \
LANG=en_US.UTF-8 \
LC_CTYPE=en_US.UTF-8 \
LC_COLLATE=POSIX \
LC_NUMERIC=POSIX \
LC_ALL= &> /dev/null
# Define locale settings required for consistency also on the fly
export LC_COLLATE=POSIX &> /dev/null
export LC_NUMERIC=POSIX &> /dev/null
export LC_ALL= &> /dev/null
fi
_LOCALES_BASHRC_TEST=$(grep LC_COLLATE /root/.bashrc 2>&1)
if [[ ! "${_LOCALES_BASHRC_TEST}" =~ "LC_COLLATE" ]]; then
printf "\n" >> /root/.bashrc
echo "export LANG=en_US.UTF-8" >> /root/.bashrc
echo "export LC_CTYPE=en_US.UTF-8" >> /root/.bashrc
echo "export LC_COLLATE=POSIX" >> /root/.bashrc
echo "export LC_NUMERIC=POSIX" >> /root/.bashrc
echo "export LC_TIME=en_US.UTF-8" >> /root/.bashrc
echo "export LC_MONETARY=en_US.UTF-8" >> /root/.bashrc
echo "export LC_MESSAGES=en_US.UTF-8" >> /root/.bashrc
echo "export LC_PAPER=en_US.UTF-8" >> /root/.bashrc
echo "export LC_NAME=en_US.UTF-8" >> /root/.bashrc
echo "export LC_ADDRESS=en_US.UTF-8" >> /root/.bashrc
echo "export LC_TELEPHONE=en_US.UTF-8" >> /root/.bashrc
echo "export LC_MEASUREMENT=en_US.UTF-8" >> /root/.bashrc
echo "export LC_IDENTIFICATION=en_US.UTF-8" >> /root/.bashrc
echo "export LC_ALL=" >> /root/.bashrc
printf "\n" >> /root/.bashrc
fi
}
_if_fix_iptables_symlinks() {
###
### Fix for iptables paths backward compatibility
###
if [ -x "/sbin/iptables" ] && [ ! -e "/usr/sbin/iptables" ]; then
ln -sfn /sbin/iptables /usr/sbin/iptables
fi
if [ -x "/usr/sbin/iptables" ] && [ ! -e "/sbin/iptables" ]; then
ln -sfn /usr/sbin/iptables /sbin/iptables
fi
if [ -x "/sbin/iptables-save" ] && [ ! -e "/usr/sbin/iptables-save" ]; then
ln -sfn /sbin/iptables-save /usr/sbin/iptables-save
fi
if [ -x "/usr/sbin/iptables-save" ] && [ ! -e "/sbin/iptables-save" ]; then
ln -sfn /usr/sbin/iptables-save /sbin/iptables-save
fi
if [ -x "/sbin/iptables-restore" ] && [ ! -e "/usr/sbin/iptables-restore" ]; then
ln -sfn /sbin/iptables-restore /usr/sbin/iptables-restore
fi
if [ -x "/usr/sbin/iptables-restore" ] && [ ! -e "/sbin/iptables-restore" ]; then
ln -sfn /usr/sbin/iptables-restore /sbin/iptables-restore
fi
if [ -x "/sbin/ip6tables" ] && [ ! -e "/usr/sbin/ip6tables" ]; then
ln -sfn /sbin/ip6tables /usr/sbin/ip6tables
fi
if [ -x "/usr/sbin/ip6tables" ] && [ ! -e "/sbin/ip6tables" ]; then
ln -sfn /usr/sbin/ip6tables /sbin/ip6tables
fi
if [ -x "/sbin/ip6tables-save" ] && [ ! -e "/usr/sbin/ip6tables-save" ]; then
ln -sfn /sbin/ip6tables-save /usr/sbin/ip6tables-save
fi
if [ -x "/usr/sbin/ip6tables-save" ] && [ ! -e "/sbin/ip6tables-save" ]; then
ln -sfn /usr/sbin/ip6tables-save /sbin/ip6tables-save
fi
if [ -x "/sbin/ip6tables-restore" ] && [ ! -e "/usr/sbin/ip6tables-restore" ]; then
ln -sfn /sbin/ip6tables-restore /usr/sbin/ip6tables-restore
fi
if [ -x "/usr/sbin/ip6tables-restore" ] && [ ! -e "/sbin/ip6tables-restore" ]; then
ln -sfn /usr/sbin/ip6tables-restore /sbin/ip6tables-restore
fi
###
### Fix for iptables paths backward compatibility
###
}
###
### Prefer Devuan APT sources
###
_prefer_devuan_repositories() {
# Prefer Devuan; force base-files from Devuan (handles lower version vs Debian).
mkdir -p /etc/apt/preferences.d
cat >/etc/apt/preferences.d/99-prefer-devuan <<'EOF'
Package: *
Pin: release o=Devuan
Pin-Priority: 700
Package: base-files
Pin: release o=Devuan
Pin-Priority: 1001
EOF
_apt_clean_update
}
###
### Display not supported VM or bare metal info
###
_not_supported_virt() {
echo
echo "=== OOPS! ==="
echo
echo "You are running not supported virtualization system:"
echo " $1"
echo
echo "If you wish to try BOA on this system anyway,"
echo "please create an empty control file:"
echo " /root/.allow.any.virt.cnf"
echo
echo "Please be aware that it may not work at all,"
echo "or you can experience errors breaking BOA."
echo
echo "WARNING! BOA IS NOT DESIGNED TO RUN DIRECTLY ON A BARE METAL."
echo "WARNING! IT IS VERY DANGEROUS AND THUS EXTREMELY BAD IDEA!"
echo "WARNING! You are free to experiment but don't expect *ANY* support."
echo
echo "BOA is known to work well on:"
echo
echo " * Linux Containers (LXC)"
echo " * Linux KVM guest"
echo " * Microsoft Hyper-V"
echo " * OpenVZ Containers"
echo " * Parallels guest"
echo " * Red Hat KVM guest"
echo " * VirtualBox guest"
echo " * VMware ESXi guest (but excluding vCloud Air)"
echo " * VServer guest"
echo " * Xen guest fully virtualized (HVM)"
echo " * Xen guest"
echo " * Xen paravirtualized guest domain"
echo
echo "Bye"
echo
exit 1
}
# --- internal: print message only in debug mode
_msg() {
if [ "${_DEBUG_MODE}" = "YES" ]; then
echo "[virt-what-fix] $*"
fi
}
# --- internal: run virt-what under strace and parse the helper's exec path
_discover_with_strace() {
local _path_found=""
if ! command -v strace >/dev/null 2>&1; then
_msg "strace not available, skipping strace-based discovery"
echo ""
return 0
fi
# Temporarily extend PATH so virt-what can exec the helper for strace to see.
PATH="${PATH}:${_CANDIDATE_PATHS}" strace -f -qq -e trace=execve -o "${_TRACE}" virt-what >/dev/null 2>&1
# mawk-safe parsing: pull the first quoted arg from execve("…") and check suffix
if [ -s "${_TRACE}" ]; then
_path_found=$(
awk -v n="${_HELPER_NAME}" '
/execve\("/ {
# Find start of execve(" then extract up to next quote
i = index($0, "execve(\"")
if (i) {
s = substr($0, i + 8) # after execve("
j = index(s, "\"")
if (j) {
p = substr(s, 1, j - 1) # the path inside quotes
if (p ~ ("/" n "$")) { print p; exit }
}
}
}
' "${_TRACE}"
)
fi
rm -f "${_TRACE}"
if [ -n "${_path_found}" ] && [ -x "${_path_found}" ]; then
_msg "strace discovered helper at: ${_path_found}"
echo "${_path_found}"
return 0
fi
_msg "strace discovery failed"
echo ""
return 0
}
# --- internal: dpkg-based discovery (Debian/Devuan)
_discover_with_dpkg() {
local _p=""
if command -v dpkg >/dev/null 2>&1; then
_p=$(dpkg -L virt-what 2>/dev/null | grep -E "/${_HELPER_NAME}$" | head -n1)
if [ -n "${_p}" ] && [ -x "${_p}" ]; then
_msg "dpkg discovered helper at: ${_p}"
echo "${_p}"
return 0
fi
fi
echo ""
return 0
}
# --- internal: filesystem search fallback (bounded)
_discover_with_find() {
local _p=""
# Keep it bounded to /usr to stay fast/noisy-free.
_p=$(find /usr -maxdepth 4 -type f -name "${_HELPER_NAME}" 2>/dev/null | head -n1)
if [ -n "${_p}" ] && [ -x "${_p}" ]; then
_msg "find discovered helper at: ${_p}"
echo "${_p}"
return 0
fi
echo ""
return 0
}
# --- main: ensure symlink
_ensure_virt_what_helper_symlink() {
# If the symlink already exists and is working, nothing to do.
if [ -L "${_SYMLINK}" ] && [ -x "${_SYMLINK}" ] && [ -e "$(readlink -f "${_SYMLINK}")" ]; then
_msg "Symlink already present and valid: ${_SYMLINK} -> $(readlink -f "${_SYMLINK}")"
return 0
fi
local _helper_path=""
_helper_path="$(_discover_with_strace)"
if [ -z "${_helper_path}" ]; then
_helper_path="$(_discover_with_dpkg)"
fi
if [ -z "${_helper_path}" ]; then
_helper_path="$(_discover_with_find)"
fi
if [ -z "${_helper_path}" ]; then
echo "ERROR: Could not locate ${_HELPER_NAME} anywhere under /usr." 1>&2
return 1
fi
# Safety: if a non-symlink file already exists at the target, back it up once.
if [ -e "${_SYMLINK}" ] && [ ! -L "${_SYMLINK}" ]; then
_msg "Backing up existing non-symlink at ${_SYMLINK} to ${_SYMLINK}.orig"
mv -f "${_SYMLINK}" "${_SYMLINK}.orig"
fi
ln -sfn "${_helper_path}" "${_SYMLINK}"
if [ -x "${_SYMLINK}" ]; then
_msg "Symlink created: ${_SYMLINK} -> ${_helper_path}"
return 0
else
echo "ERROR: Failed to create working symlink ${_SYMLINK} -> ${_helper_path}" 1>&2
return 2
fi
}
###
### Fix VM system detection
###
_fix_virt_what() {
_VIRT_TEST="$(which virt-what)"
if [ -n "${_VIRT_TEST}" ] && [ -x "${_VIRT_TEST}" ]; then
_SHELL_TEST_A=$(grep -I -o "\#\!.*/usr/bin/sh" ${_VIRT_TEST} 2>&1)
_SHELL_TEST_B=$(grep -I -o "\#\!.*/bin/sh" ${_VIRT_TEST} 2>&1)
if [[ "${_SHELL_TEST_A}" =~ "/usr/bin/sh" ]]; then
sed -i "s/\/usr\/bin\/sh/\/bin\/dash/g" ${_VIRT_TEST}
fi
if [[ "${_SHELL_TEST_B}" =~ "/bin/sh" ]]; then
sed -i "s/\/bin\/sh/\/bin\/dash/g" ${_VIRT_TEST}
fi
_HELPER_NAME="virt-what-cpuid-helper"
_SYMLINK="/usr/sbin/${_HELPER_NAME}"
_TRACE="/tmp/virtwhat.$$.strace"
# Extra dirs we temporarily expose to PATH so virt-what can exec the helper for strace discovery
_CANDIDATE_PATHS="/usr/libexec:/usr/lib/x86_64-linux-gnu:/usr/lib64/virt-what:/usr/lib/virt-what"
if [ ! -e "${_SYMLINK}" ]; then
echo "INFO: virt-what tool requires small update, fixing..."
if ! command -v strace &> /dev/null; then
_apt_clean_update
apt-get install strace ${_aptYesUnth}
fi
_ensure_virt_what_helper_symlink
fi
fi
}
###
### Fix or install VM system detection
###
_fix_or_install_virt_what() {
_VIRT_TEST="$(which virt-what)"
if [ -n "${_VIRT_TEST}" ] && [ -x "${_VIRT_TEST}" ]; then
_fix_virt_what
else
echo "INFO: installing required virt-what tool ..."
if [ ! -e "/etc/apt/apt.conf.d/00sandboxoff" ] \
&& [ -e "/etc/apt/apt.conf.d" ]; then
echo "APT::Sandbox::User \"root\";" > /etc/apt/apt.conf.d/00sandboxoff
fi
_apt_clean_update
apt-get install virt-what ${_aptYesUnth}
wait
_fix_virt_what
fi
}
_check_virt() {
_fix_or_install_virt_what
_VIRT_TOOL="$(which virt-what)"
if [ -x "${_VIRT_TOOL}" ]; then
_VIRT_TEST=$(virt-what)
_VIRT_TEST=$(echo -n ${_VIRT_TEST} | fmt -su -w 2500 2>&1)
if [[ "${_VIRT_TEST}" =~ "program not found" ]]; then
echo "ERROR: virt-what says: ${_VIRT_TEST}"
echo "ERROR: virt-what detection fails for unknown reason"
fi
if [ ! -e "/root/.allow.any.virt.cnf" ]; then
if [ -e "/proc/self/status" ]; then
_VS_GUEST_TEST=$(grep -E "VxID:[[:space:]]*[0-9]{2,}$" /proc/self/status 2> /dev/null)
_VS_HOST_TEST=$(grep -E "VxID:[[:space:]]*0$" /proc/self/status 2> /dev/null)
fi
if [ ! -z "${_VS_HOST_TEST}" ] || [ ! -z "${_VS_GUEST_TEST}" ]; then
if [ -z "${_VS_HOST_TEST}" ] && [ ! -z "${_VS_GUEST_TEST}" ]; then
_VIRT_IS="Linux VServer guest"
else
if [ ! -z "${_VS_HOST_TEST}" ]; then
_not_supported_virt "Linux VServer host"
else
_not_supported_virt "unknown / not a virtual machine"
fi
fi
else
if [ -z "${_VIRT_TEST}" ] || [ "${_VIRT_TEST}" = "0" ]; then
_not_supported_virt "unknown / not a virtual machine"
elif [[ "${_VIRT_TEST}" =~ "xen-dom0" ]]; then
_not_supported_virt "Xen privileged domain"
elif [[ "${_VIRT_TEST}" =~ "linux_vserver-host" ]]; then
_not_supported_virt "Linux VServer host"
else
if [[ "${_VIRT_TEST}" =~ "xen xen-hvm" ]]; then
_VIRT_TEST="xen-hvm"
elif [[ "${_VIRT_TEST}" =~ "xen xen-domU" ]]; then
_VIRT_TEST="xen-domU"
elif [[ "${_VIRT_TEST}" =~ "virtualbox kvm" ]]; then
_VIRT_TEST="virtualbox"
elif [[ "${_VIRT_TEST}" =~ "hyperv qemu" ]]; then
_VIRT_TEST="hyperv"
elif [[ "${_VIRT_TEST}" =~ "kvm aws" ]]; then
_VIRT_TEST="kvm"
elif [[ "${_VIRT_TEST}" =~ "redhat kvm" ]]; then
_VIRT_TEST="redhat-kvm"
elif [[ "${_VIRT_TEST}" =~ "openvz lxc" ]]; then
_VIRT_TEST="openvz"
fi
case "${_VIRT_TEST}" in
hyperv) _VIRT_IS="Microsoft Hyper-V" ;;
kvm) _VIRT_IS="Linux KVM guest" ;;
lxc) _VIRT_IS="Linux Containers (LXC)" ;;
openvz) _VIRT_IS="OpenVZ Containers" ;;
parallels) _VIRT_IS="Parallels guest" ;;
redhat-kvm) _VIRT_IS="Red Hat KVM guest" ;;
virtualbox) _VIRT_IS="VirtualBox guest" ;;
vmware) _VIRT_IS="VMware ESXi guest" ;;
xen-domU) _VIRT_IS="Xen paravirtualized guest domain" ;;
xen-hvm) _VIRT_IS="Xen guest fully virtualized (HVM)" ;;
xen) _VIRT_IS="Xen guest" ;;
*) _not_supported_virt "${_VIRT_TEST}"
;;
esac
fi
fi
else
if [ -z "${_VIRT_TEST}" ] || [ "${_VIRT_TEST}" = "0" ]; then
_VIRT_TEST="unknown / not a virtual machine"
fi
fi
fi
}
###
### Make local OpenSSL new/legacy ssl/certs symlinked to system ssl/certs
###
_fix_sync_system_ssl_certs() {
if [ -e "/etc/ssl/certs/ca-certificates.crt" ] \
&& [ ! -e "/usr/local/ssl3/.old-certs" ] \
&& [ -d "/usr/local/ssl3/certs" ] \
&& [ ! -L "/usr/local/ssl3/certs" ]; then
mv -f /usr/local/ssl3/certs /usr/local/ssl3/.old-certs
ln -sfn /etc/ssl/certs /usr/local/ssl3/certs
fi
if [ -e "/etc/ssl/certs/ca-certificates.crt" ] \
&& [ ! -e "/usr/local/ssl/.old-certs" ] \
&& [ -d "/usr/local/ssl/certs" ] \
&& [ ! -L "/usr/local/ssl/certs" ]; then
mv -f /usr/local/ssl/certs /usr/local/ssl/.old-certs
ln -sfn /etc/ssl/certs /usr/local/ssl/certs
fi
}
_update_agents() {
_if_hosted_sys
if [ "${_hostedSys}" = "YES" ]; then
if [ ! -e "/root/.extended.firewall.exceptions.cnf" ]; then
echo host8 > /root/.extended.firewall.exceptions.cnf
fi
fi
if [ "${_VMFAMILY}" = "HOSTED" ] \
&& [ -e "/var/aegir/.drush/hm.alias.drushrc.php" ] \
&& [ -d "/data/u" ] \
&& [ -e "/var/xdrago" ]; then
[ ! -e "/root/.fast.cron.cnf" ] && echo ON > /root/.fast.cron.cnf
_PrTestPower=$(grep "POWER" /root/.*.octopus.cnf 2>&1)
_PrTestPhantom=$(grep "PHANTOM" /root/.*.octopus.cnf 2>&1)
_PrTestCluster=$(grep "CLUSTER" /root/.*.octopus.cnf 2>&1)
_PrTestUltra=$(grep "ULTRA" /root/.*.octopus.cnf 2>&1)
_PrTestMonster=$(grep "MONSTER" /root/.*.octopus.cnf 2>&1)
_InTest=$(ls /data/disk/*/static/control/cli.info | wc -l 2>&1)
_SQL_PSWD=$(cat /root/.my.pass.txt 2>/dev/null | tr -d '\n')
if [ "${_InTest}" -lt 9 ] \
&& [[ ! "${_PrTestPower}" =~ "POWER" ]] \
&& [[ ! "${_PrTestPhantom}" =~ "PHANTOM" ]] \
&& [[ ! "${_PrTestCluster}" =~ "CLUSTER" ]] \
&& [[ ! "${_PrTestUltra}" =~ "ULTRA" ]] \
&& [[ ! "${_PrTestMonster}" =~ "MONSTER" ]]; then
[ ! -e "/root/.fast.cron.cnf" ] && echo ${_InTest} > /root/.fast.cron.cnf
[ -e "/root/.hr.monitor.cnf" ] && rm -f /root/.hr.monitor.cnf
[ -e "/root/.slow.cron.cnf" ] && [ ! -e "/root/.slow.cron.cnf.protected" ] && rm -f /root/.slow.cron.cnf
[ -e "/root/.tg.cnf" ] && rm -f /root/.tg.cnf
mysql -u root -e "SET GLOBAL max_connect_errors = 555;"
mysql -u root -e "SET GLOBAL max_connections = 111;"
mysql -u root -e "SET GLOBAL max_user_connections = 111;"
mysql -u root -e "SET GLOBAL group_concat_max_len = 10000;"
fi
if [ "${_InTest}" -ge 9 ] && [ "${_InTest}" -le 50 ]; then
[ ! -e "/root/.fast.cron.cnf" ] && echo ${_InTest} > /root/.fast.cron.cnf
[ -e "/root/.hr.monitor.cnf" ] && rm -f /root/.hr.monitor.cnf
[ -e "/root/.slow.cron.cnf" ] && [ ! -e "/root/.slow.cron.cnf.protected" ] && rm -f /root/.slow.cron.cnf
[ -e "/root/.tg.cnf" ] && rm -f /root/.tg.cnf
mysql -u root -e "SET GLOBAL max_connect_errors = 777;"
mysql -u root -e "SET GLOBAL max_connections = 555;"
mysql -u root -e "SET GLOBAL max_user_connections = 111;"
mysql -u root -e "SET GLOBAL group_concat_max_len = 10000;"
fi
if [ "${_InTest}" -gt 50 ]; then
[ -e "/root/.fast.cron.cnf" ] && rm -f /root/.fast.cron.cnf
[ ! -e "/root/.tg.cnf" ] && echo ${_InTest} > /root/.tg.cnf
[ ! -e "/root/.hr.monitor.cnf" ] && echo ${_InTest} > /root/.hr.monitor.cnf
[ ! -e "/root/.slow.cron.cnf" ] && echo ${_InTest} > /root/.slow.cron.cnf
mysql -u root -e "SET GLOBAL max_connect_errors = 999;"
mysql -u root -e "SET GLOBAL max_connections = 777;"
mysql -u root -e "SET GLOBAL max_user_connections = 111;"
mysql -u root -e "SET GLOBAL group_concat_max_len = 10000;"
fi
if [[ "${_PrTestPower}" =~ "POWER" ]]; then
[ ! -e "/root/.tg.cnf" ] && echo ${_InTest} > /root/.tg.cnf
[ ! -e "/root/.fast.cron.cnf" ] && echo ${_InTest} > /root/.fast.cron.cnf
[ -e "/root/.hr.monitor.cnf" ] && rm -f /root/.hr.monitor.cnf
[ -e "/root/.slow.cron.cnf" ] && [ ! -e "/root/.slow.cron.cnf.protected" ] && rm -f /root/.slow.cron.cnf
mysql -u root -e "SET GLOBAL max_connect_errors = 555;"
mysql -u root -e "SET GLOBAL max_connections = 333;"
mysql -u root -e "SET GLOBAL max_user_connections = 111;"
mysql -u root -e "SET GLOBAL group_concat_max_len = 10000;"
fi
if [[ "${_PrTestPhantom}" =~ "PHANTOM" ]]; then
[ ! -e "/root/.tg.cnf" ] && echo ${_InTest} > /root/.tg.cnf
[ ! -e "/root/.fast.cron.cnf" ] && echo ${_InTest} > /root/.fast.cron.cnf
[ -e "/root/.hr.monitor.cnf" ] && rm -f /root/.hr.monitor.cnf
[ -e "/root/.slow.cron.cnf" ] && [ ! -e "/root/.slow.cron.cnf.protected" ] && rm -f /root/.slow.cron.cnf
mysql -u root -e "SET GLOBAL max_connect_errors = 777;"
mysql -u root -e "SET GLOBAL max_connections = 555;"
mysql -u root -e "SET GLOBAL max_user_connections = 333;"
mysql -u root -e "SET GLOBAL group_concat_max_len = 10000;"
fi
if [[ "${_PrTestCluster}" =~ "CLUSTER" ]]; then
[ ! -e "/root/.tg.cnf" ] && echo ${_InTest} > /root/.tg.cnf
[ ! -e "/root/.fast.cron.cnf" ] && echo ${_InTest} > /root/.fast.cron.cnf
[ -e "/root/.hr.monitor.cnf" ] && rm -f /root/.hr.monitor.cnf
[ -e "/root/.slow.cron.cnf" ] && [ ! -e "/root/.slow.cron.cnf.protected" ] && rm -f /root/.slow.cron.cnf
mysql -u root -e "SET GLOBAL max_connect_errors = 999;"
mysql -u root -e "SET GLOBAL max_connections = 777;"
mysql -u root -e "SET GLOBAL max_user_connections = 555;"
mysql -u root -e "SET GLOBAL group_concat_max_len = 10000;"
fi
mysql -u root -e "SET GLOBAL optimizer_switch='derived_merge=off';"
mysql -u root -e "SET GLOBAL sort_buffer_size = 262144;"
if [ -e "/root/.tg.cnf" ]; then
if [ ! -e "/root/.fixed_fpm_workers.cnf" ]; then
sed -i "s/^_PHP_FPM_WORKERS=.*/_PHP_FPM_WORKERS=100/g" ${_barCnf}
touch /root/.fixed_fpm_workers.cnf
fi
fi
if [ ! -e "/root/.high_traffic.cnf" ]; then
echo ${_InTest} > /root/.high_traffic.cnf
echo ${_InTest} > /root/.no.swap.clear.cnf
fi
[ -e "/root/.randomize_duplicity_full_backup_day.cnf" ] && rm -f /root/.randomize_duplicity_full_backup_day.cnf
[ -e "/root/.skip_duplicity_monthly_cleanup.cnf" ] && rm -f /root/.skip_duplicity_monthly_cleanup.cnf
[ -e "/root/.my.batch_innodb.cnf" ] && rm -f /root/.my.batch_innodb.cnf
[ -e "/root/.batch_innodb.cnf" ] && rm -f /root/.batch_innodb.cnf
[ -e "/root/.force.drupalgeddon.cnf" ] && rm -f /root/.force.drupalgeddon.cnf
[ -e "/root/.skip_cleanup.cnf" ] && rm -f /root/.skip_cleanup.cnf
[ -e "/root/.giant_traffic.cnf" ] && rm -f /root/.giant_traffic.cnf
[ -e "/root/.default.cnf" ] && rm -f /root/.default.cnf
[ -e "/root/.debug.cnf" ] && rm -f /root/.debug.cnf
if [ -e "/data/conf/override.global.inc" ] \
&& [ ! -e "/data/conf/.prev6.override.global.inc.off" ]; then
mv -f /data/conf/override.global.inc /data/conf/.prev6.override.global.inc.off
fi
# if [ ! -e "/data/conf/override.global.inc" ]; then
# echo " /data/conf/override.global.inc.tmp
# echo "" >> /data/conf/override.global.inc.tmp
# echo "\$use_valkey = TRUE;" >> /data/conf/override.global.inc.tmp
# chmod 644 /data/conf/override.global.inc.tmp
# mv -f /data/conf/override.global.inc.tmp /data/conf/override.global.inc
# fi
fi
if [ -e "/var/aegir/.drush/hm.alias.drushrc.php" ]; then
_pthCtrl="/root/.remote_backups/ctrl"
if [ "${_tRee}" = "pro" ] || [ "${_tRee}" = "dev" ]; then
[ ! -e "${_pthCtrl}" ] && mkdir -p ${_pthCtrl}
[ ! -e "/root/.remote_backups/run" ] && mkdir -p /root/.remote_backups/run
else
rm -rf /root/.remote_backups
fi
[ ! -e "/var/xdrago/monitor/check" ] && mkdir -p /var/xdrago/monitor/check
[ ! -e "/var/xdrago/monitor/log" ] && mkdir -p /var/xdrago/monitor/log
if [ ! -e "${_pthLog}/.force.f89.${_tRee}.${_xSrl}.ctrl" ]; then
rm -f ${_pthLog}/*.ctrl.*.pid
touch ${_pthLog}/.force.f89.${_tRee}.${_xSrl}.ctrl
fi
[ ! -e "/var/xdrago/checksql.pl" ] && rm -f ${_pthLog}/checksql.pl.ctrl.*.pid
[ ! -e "/var/xdrago/clear.sh" ] && rm -f ${_pthLog}/clear.sh.ctrl.*.pid
[ ! -e "/var/xdrago/daily.sh" ] && rm -f ${_pthLog}/daily.sh.ctrl.*.pid
[ ! -e "/var/xdrago/graceful.sh" ] && rm -f ${_pthLog}/graceful.sh.ctrl.*.pid
[ ! -e "/var/xdrago/guest-fire.sh" ] && rm -f ${_pthLog}/guest-fire.sh.ctrl.*.pid
[ ! -e "/var/xdrago/guest-water.sh" ] && rm -f ${_pthLog}/guest-water.sh.ctrl.*.pid
[ ! -e "/var/xdrago/ip_access.sh" ] && rm -f ${_pthLog}/ip_access.sh.ctrl.*.pid
[ ! -e "/var/xdrago/manage_ltd_users.sh" ] && rm -f ${_pthLog}/manage_ltd_users.sh.ctrl.*.pid
[ ! -e "/var/xdrago/manage_solr_config.sh" ] && rm -f ${_pthLog}/manage_solr_config.sh.ctrl.*.pid
[ ! -e "/var/xdrago/minute.sh" ] && rm -f ${_pthLog}/minute.sh.ctrl.*.pid
[ ! -e "/var/xdrago/move_sql.sh" ] && rm -f ${_pthLog}/move_sql.sh.ctrl.*.pid
[ ! -e "/var/xdrago/mysql_backup.sh" ] && rm -f ${_pthLog}/mysql_backup.sh.ctrl.*.pid
[ ! -e "/var/xdrago/mysql_cleanup.sh" ] && rm -f ${_pthLog}/mysql_cleanup.sh.ctrl.*.pid
[ ! -e "/var/xdrago/mysql_cluster_backup.sh" ] && rm -f ${_pthLog}/mysql_cluster_backup.sh.ctrl.*.pid
[ ! -e "/var/xdrago/mysql_repair.sh" ] && rm -f ${_pthLog}/mysql_repair.sh.ctrl.*.pid
[ ! -e "/var/xdrago/proc_num_ctrl.pl" ] && rm -f ${_pthLog}/proc_num_ctrl.pl.ctrl.*.pid
[ ! -e "/var/xdrago/purge_binlogs.sh" ] && rm -f ${_pthLog}/purge_binlogs.sh.ctrl.*.pid
[ ! -e "/var/xdrago/runner.sh" ] && rm -f ${_pthLog}/runner.sh.ctrl.*.pid
[ ! -e "/var/xdrago/second.sh" ] && rm -f ${_pthLog}/second.sh.ctrl.*.pid
[ ! -e "/var/xdrago/usage.sh" ] && rm -f ${_pthLog}/usage.sh.ctrl.*.pid
[ ! -e "/var/xdrago/monitor/check/java.sh" ] && rm -f ${_pthLog}/java.sh.ctrl.*.pid
[ ! -e "/var/xdrago/monitor/check/mysql.sh" ] && rm -f ${_pthLog}/mysql.sh.ctrl.*.pid
[ ! -e "/var/xdrago/monitor/check/nginx.sh" ] && rm -f ${_pthLog}/nginx.sh.ctrl.*.pid
[ ! -e "/var/xdrago/monitor/check/php.sh" ] && rm -f ${_pthLog}/php.sh.ctrl.*.pid
[ ! -e "/var/xdrago/monitor/check/valkey.sh" ] && rm -f ${_pthLog}/valkey.sh.ctrl.*.pid
[ ! -e "/var/xdrago/monitor/check/redis.sh" ] && rm -f ${_pthLog}/redis.sh.ctrl.*.pid
[ ! -e "/var/xdrago/monitor/check/scan_nginx.sh" ] && rm -f ${_pthLog}/scan_nginx.sh.ctrl.*.pid
[ ! -e "/var/xdrago/monitor/check/system.sh" ] && rm -f ${_pthLog}/system.sh.ctrl.*.pid
[ ! -e "/var/xdrago/monitor/check/unbound.sh" ] && rm -f ${_pthLog}/unbound.sh.ctrl.*.pid
[ ! -e "/var/xdrago/monitor/check/escapecheck.sh" ] && rm -f ${_pthLog}/escapecheck.sh.ctrl.*.pid
[ ! -e "/var/xdrago/monitor/check/hackcheck.sh" ] && rm -f ${_pthLog}/hackcheck.sh.ctrl.*.pid
[ ! -e "/var/xdrago/monitor/check/hackftp.sh" ] && rm -f ${_pthLog}/hackftp.sh.ctrl.*.pid
[ ! -e "/var/xdrago/monitor/check/segfault_alert.pl" ] && rm -f ${_pthLog}/segfault_alert.pl.ctrl.*.pid
[ ! -e "/var/xdrago/monitor/check/sqlcheck.pl" ] && rm -f ${_pthLog}/sqlcheck.pl.ctrl.*.pid
[ -e "/var/xdrago/proc_num_ctrl.cgi" ] && rm -f /var/xdrago/proc_num_ctrl.cgi
[ -e "/var/xdrago/checksql.cgi" ] && rm -f /var/xdrago/checksql.cgi
[ -e "/var/xdrago/mysql_hourly.sh" ] && rm -f /var/xdrago/mysql_hourly.sh
[ -e "/var/xdrago/monitor/check/sqlcheck" ] && rm -f ${_pthLog}/*.ctrl.*.pid
[ -e "/var/xdrago/monitor/check/sqlcheck" ] && rm -f /var/xdrago/monitor/check/*
[ -e "/var/xdrago/monitor/hackcheck.archive.log" ] && rm -f /var/xdrago/monitor/.scan_nginx_arch*
[ -e "/var/xdrago/monitor/hackcheck.archive.log" ] && mv -f /var/xdrago/monitor/*.log /var/xdrago/monitor/log/
fi
if [ -e "/root/.remote_backups/schedule/backup_schedule.txt" ] \
&& [ -d "/var/aegir/drush" ]; then
if grep -q "Out of memory: Killed process.*duplicity" /var/log/iptables.log; then
if [ ! -e "/root/.remote_backups/schedule/backup_schedule.txt-off" ]; then
cp -a /root/.remote_backups/schedule/backup_schedule.txt /root/.remote_backups/schedule/backup_schedule.txt-off
echo "# Backup schedule (service user) OFF" > /root/.remote_backups/schedule/backup_schedule.txt
chattr +i /root/.remote_backups/schedule/backup_schedule.txt
fi
else
if [ -e "/root/.remote_backups/schedule/backup_schedule.txt-off" ]; then
chattr -i /root/.remote_backups/schedule/backup_schedule.txt
rm -f /root/.remote_backups/schedule/backup_schedule.txt
mv /root/.remote_backups/schedule/backup_schedule.txt-off /root/.remote_backups/schedule/backup_schedule.txt
fi
fi
if [ "$(pgrep -fc duplicity)" -gt 0 ] \
&& [ "$(pgrep -fc dcysetup)" -lt 1 ] \
&& [ "$(pgrep -fc mybackup)" -lt 1 ] \
&& [ "$(pgrep -fc multiback)" -lt 1 ]; then
pkill -9 -f duplicity
rm -rf /tmp/duplicity*
rm -rf /root/.cache/duplicity/*/duplicity-*tempdir
rm -f /root/.cache/duplicity/*/lockfile
echo "$(date) Orphaned duplicity processes killed" >> /var/log/duplicity-cleanup.log
fi
fi
if ! grep -q "OFF" ${_optBin}/lock.inc; then
rm -f ${_pthLog}/lock.inc.sh.ctrl.*
fi
if [ ! -e "${_optBin}/lock.inc" ] \
|| [ ! -e "${_pthLog}/lock.inc.sh.ctrl.f98.${_tRee}.${_xSrl}.pid" ]; then
_CNT=$(pgrep -fc foobar)
if (( _CNT > 0 )); then
echo "The foobar is running!"
else
if [ -e "${_optBin}/lock.inc" ]; then
mv -f ${_optBin}/lock.inc ${_optBin}/lock.inc.old
fi
curl ${_crlGet} "${_urlHmr}/tools/bin/lock.inc" -o ${_optBin}/lock.inc
if [ -e "${_optBin}/lock.inc" ]; then
chmod 700 ${_optBin}/lock.inc
chown root:root ${_optBin}/lock.inc
touch ${_pthLog}/lock.inc.sh.ctrl.f98.${_tRee}.${_xSrl}.pid
else
if [ -e "${_optBin}/lock.inc.old" ]; then
mv -f ${_optBin}/lock.inc.old ${_optBin}/lock.inc
fi
fi
fi
fi
if [ ! -e "${_optBin}/vmnetfix" ] \
|| [ ! -e "${_pthLog}/vmnetfix.sh.ctrl.f89.${_tRee}.${_xSrl}.pid" ]; then
_CNT=$(pgrep -fc vmnetfix)
if (( _CNT > 0 )); then
echo "The vmnetfix is running!"
else
if [ ! -e "/etc/init.d/networking" ]; then
mkdir -p /etc/init.d
curl ${_crlGet} "${_urlHmr}/conf/network/networking" -o /etc/init.d/networking
chmod 0755 /etc/init.d/networking
chown root:root /etc/init.d/networking
update-rc.d networking defaults >/dev/null 2>&1 || true
fi
if [ -e "${_optBin}/vmnetfix" ]; then
mv -f ${_optBin}/vmnetfix ${_optBin}/vmnetfix.old
fi
curl ${_crlGet} "${_urlHmr}/tools/bin/vmnetfix" -o ${_optBin}/vmnetfix
if [ -e "${_optBin}/vmnetfix" ]; then
chmod 700 ${_optBin}/vmnetfix
chown root:root ${_optBin}/vmnetfix
touch ${_pthLog}/vmnetfix.sh.ctrl.f89.${_tRee}.${_xSrl}.pid
else
if [ -e "${_optBin}/vmnetfix.old" ]; then
mv -f ${_optBin}/vmnetfix.old ${_optBin}/vmnetfix
fi
fi
fi
fi
if [ ! -e "${_optBin}/screenfetch" ] \
|| [ ! -e "${_pthLog}/screenfetch.sh.ctrl.f99.${_tRee}.${_xSrl}.pid" ]; then
_CNT=$(pgrep -fc screenfetch)
if (( _CNT > 0 )); then
echo "The screenfetch is running!"
else
if [ -e "${_optBin}/screenfetch" ]; then
mv -f ${_optBin}/screenfetch ${_optBin}/screenfetch.old
fi
curl ${_crlGet} "${_urlHmr}/tools/bin/screenfetch" -o ${_optBin}/screenfetch
if [ -e "${_optBin}/screenfetch" ]; then
chmod 700 ${_optBin}/screenfetch
chown root:root ${_optBin}/screenfetch
touch ${_pthLog}/screenfetch.sh.ctrl.f99.${_tRee}.${_xSrl}.pid
else
if [ -e "${_optBin}/screenfetch.old" ]; then
mv -f ${_optBin}/screenfetch.old ${_optBin}/screenfetch
fi
fi
fi
fi
if [ ! -e "${_optBin}/fixrepo" ] \
|| [ ! -e "${_pthLog}/fixrepo.sh.ctrl.f99.${_tRee}.${_xSrl}.pid" ]; then
_CNT=$(pgrep -fc fixrepo)
if (( _CNT > 0 )); then
echo "The fixrepo is running!"
else
if [ -e "${_optBin}/fixrepo" ]; then
mv -f ${_optBin}/fixrepo ${_optBin}/fixrepo.old
fi
curl ${_crlGet} "${_urlHmr}/tools/bin/fixrepo" -o ${_optBin}/fixrepo
if [ -e "${_optBin}/fixrepo" ]; then
chmod 700 ${_optBin}/fixrepo
chown root:root ${_optBin}/fixrepo
touch ${_pthLog}/fixrepo.sh.ctrl.f99.${_tRee}.${_xSrl}.pid
else
if [ -e "${_optBin}/fixrepo.old" ]; then
mv -f ${_optBin}/fixrepo.old ${_optBin}/fixrepo
fi
fi
fi
fi
if [ ! -e "${_optBin}/renameaegirhost" ] \
|| [ ! -e "${_pthLog}/renameaegirhost.sh.ctrl.f99.${_tRee}.${_xSrl}.pid" ]; then
_CNT=$(pgrep -fc renameaegirhost)
if (( _CNT > 0 )); then
echo "The renameaegirhost is running!"
else
if [ -e "${_optBin}/renameaegirhost" ]; then
mv -f ${_optBin}/renameaegirhost ${_optBin}/renameaegirhost.old
fi
curl ${_crlGet} "${_urlHmr}/tools/bin/renameaegirhost" -o ${_optBin}/renameaegirhost
if [ -e "${_optBin}/renameaegirhost" ]; then
chmod 700 ${_optBin}/renameaegirhost
chown root:root ${_optBin}/renameaegirhost
touch ${_pthLog}/renameaegirhost.sh.ctrl.f99.${_tRee}.${_xSrl}.pid
else
if [ -e "${_optBin}/renameaegirhost.old" ]; then
mv -f ${_optBin}/renameaegirhost.old ${_optBin}/renameaegirhost
fi
fi
fi
fi
if [ ! -e "${_optBin}/autosymlink" ] \
|| [ ! -e "${_pthLog}/autosymlink.sh.ctrl.f93.${_tRee}.${_xSrl}.pid" ]; then
_CNT=$(pgrep -fc autosymlink)
if (( _CNT > 0 )); then
echo "The autosymlink is running!"
else
if [ -e "${_optBin}/autosymlink" ]; then
mv -f ${_optBin}/autosymlink ${_optBin}/autosymlink.old
fi
curl ${_crlGet} "${_urlHmr}/tools/bin/autosymlink" -o ${_optBin}/autosymlink
if [ -e "${_optBin}/autosymlink" ]; then
chmod 700 ${_optBin}/autosymlink
chown root:root ${_optBin}/autosymlink
touch ${_pthLog}/autosymlink.sh.ctrl.f93.${_tRee}.${_xSrl}.pid
else
if [ -e "${_optBin}/autosymlink.old" ]; then
mv -f ${_optBin}/autosymlink.old ${_optBin}/autosymlink
fi
fi
fi
fi
if [ ! -e "${_optBin}/updatesymlinks" ] \
|| [ ! -e "${_pthLog}/updatesymlinks.sh.ctrl.f99.${_tRee}.${_xSrl}.pid" ]; then
_CNT=$(pgrep -fc updatesymlinks)
if (( _CNT > 0 )); then
echo "The updatesymlinks is running!"
else
if [ -e "${_optBin}/updatesymlinks" ]; then
mv -f ${_optBin}/updatesymlinks ${_optBin}/updatesymlinks.old
fi
curl ${_crlGet} "${_urlHmr}/tools/bin/updatesymlinks" -o ${_optBin}/updatesymlinks
if [ -e "${_optBin}/updatesymlinks" ]; then
chmod 700 ${_optBin}/updatesymlinks
chown root:root ${_optBin}/updatesymlinks
touch ${_pthLog}/updatesymlinks.sh.ctrl.f99.${_tRee}.${_xSrl}.pid
else
if [ -e "${_optBin}/updatesymlinks.old" ]; then
mv -f ${_optBin}/updatesymlinks.old ${_optBin}/updatesymlinks
fi
fi
fi
fi
if [ ! -e "${_optBin}/aptcleanup" ] \
|| [ ! -e "${_pthLog}/aptcleanup.sh.ctrl.f97.${_tRee}.${_xSrl}.pid" ]; then
_CNT=$(pgrep -fc aptcleanup)
if (( _CNT > 0 )); then
echo "The aptcleanup is running!"
else
if [ -e "${_optBin}/aptcleanup" ]; then
mv -f ${_optBin}/aptcleanup ${_optBin}/aptcleanup.old
fi
curl ${_crlGet} "${_urlHmr}/tools/bin/aptcleanup" -o ${_optBin}/aptcleanup
if [ -e "${_optBin}/aptcleanup" ]; then
chmod 700 ${_optBin}/aptcleanup
chown root:root ${_optBin}/aptcleanup
touch ${_pthLog}/aptcleanup.sh.ctrl.f97.${_tRee}.${_xSrl}.pid
else
if [ -e "${_optBin}/aptcleanup.old" ]; then
mv -f ${_optBin}/aptcleanup.old ${_optBin}/aptcleanup
fi
fi
fi
fi
if [ ! -e "${_optBin}/loadguard" ] \
|| [ ! -e "${_pthLog}/loadguard.sh.ctrl.f99.${_tRee}.${_xSrl}.pid" ]; then
_CNT=$(pgrep -fc xloadguard)
if (( _CNT > 0 )); then
echo "The xloadguard is running!"
else
if [ -e "${_optBin}/loadguard" ]; then
mv -f ${_optBin}/loadguard ${_optBin}/loadguard.old
fi
curl ${_crlGet} "${_urlHmr}/tools/bin/loadguard" -o ${_optBin}/loadguard
if [ -e "${_optBin}/loadguard" ]; then
chmod 700 ${_optBin}/loadguard
chown root:root ${_optBin}/loadguard
touch ${_pthLog}/loadguard.sh.ctrl.f99.${_tRee}.${_xSrl}.pid
else
if [ -e "${_optBin}/loadguard.old" ]; then
mv -f ${_optBin}/loadguard.old ${_optBin}/loadguard
fi
fi
fi
fi
if [ ! -e "${_optBin}/ffmirror" ] \
|| [ ! -e "${_pthLog}/ffmirror.sh.ctrl.f99.${_tRee}.${_xSrl}.pid" ]; then
_CNT=$(pgrep -fc xffmirror)
if (( _CNT > 0 )); then
echo "The xffmirror is running!"
else
if [ -e "${_optBin}/ffmirror" ]; then
mv -f ${_optBin}/ffmirror ${_optBin}/ffmirror.old
fi
curl ${_crlGet} "${_urlHmr}/tools/bin/ffmirror" -o ${_optBin}/ffmirror
if [ -e "${_optBin}/ffmirror" ]; then
chmod 700 ${_optBin}/ffmirror
chown root:root ${_optBin}/ffmirror
touch ${_pthLog}/ffmirror.sh.ctrl.f99.${_tRee}.${_xSrl}.pid
else
if [ -e "${_optBin}/ffmirror.old" ]; then
mv -f ${_optBin}/ffmirror.old ${_optBin}/ffmirror
fi
fi
fi
fi
if [ ! -e "${_optBin}/ffdevuan" ] \
|| [ ! -e "${_pthLog}/ffdevuan.sh.ctrl.f95.${_tRee}.${_xSrl}.pid" ]; then
_CNT=$(pgrep -fc xffdevuan)
if (( _CNT > 0 )); then
echo "The xffdevuan is running!"
else
if [ -e "${_optBin}/ffdevuan" ]; then
mv -f ${_optBin}/ffdevuan ${_optBin}/ffdevuan.old
fi
curl ${_crlGet} "${_urlHmr}/tools/bin/ffdevuan" -o ${_optBin}/ffdevuan
if [ -e "${_optBin}/ffdevuan" ]; then
chmod 700 ${_optBin}/ffdevuan
chown root:root ${_optBin}/ffdevuan
touch ${_pthLog}/ffdevuan.sh.ctrl.f95.${_tRee}.${_xSrl}.pid
else
if [ -e "${_optBin}/ffdevuan.old" ]; then
mv -f ${_optBin}/ffdevuan.old ${_optBin}/ffdevuan
fi
fi
fi
fi
if [ ! -e "${_optBin}/webserver" ] \
|| [ ! -e "${_pthLog}/webserver.sh.ctrl.f99.${_tRee}.${_xSrl}.pid" ]; then
_CNT=$(pgrep -fc xwebserver)
if (( _CNT > 0 )); then
echo "The xwebserver is running!"
else
if [ -e "${_optBin}/webserver" ]; then
mv -f ${_optBin}/webserver ${_optBin}/webserver.old
fi
curl ${_crlGet} "${_urlHmr}/tools/bin/webserver" -o ${_optBin}/webserver
if [ -e "${_optBin}/webserver" ]; then
chmod 700 ${_optBin}/webserver
chown root:root ${_optBin}/webserver
touch ${_pthLog}/webserver.sh.ctrl.f99.${_tRee}.${_xSrl}.pid
else
if [ -e "${_optBin}/webserver.old" ]; then
mv -f ${_optBin}/webserver.old ${_optBin}/webserver
fi
fi
fi
fi
if [ ! -e "${_optBin}/xboa" ] \
|| [ ! -e "${_pthLog}/xboa.sh.ctrl.f99.${_tRee}.${_xSrl}.pid" ]; then
_CNT=$(pgrep -fc /local/bin/xboa)
if (( _CNT > 0 )); then
echo "The xboa is running!"
else
if [ -e "${_optBin}/xboa" ]; then
mv -f ${_optBin}/xboa ${_optBin}/xboa.old
fi
curl ${_crlGet} "${_urlHmr}/tools/bin/xboa" -o ${_optBin}/xboa
if [ -e "${_optBin}/xboa" ]; then
chmod 700 ${_optBin}/xboa
chown root:root ${_optBin}/xboa
touch ${_pthLog}/xboa.sh.ctrl.f99.${_tRee}.${_xSrl}.pid
else
if [ -e "${_optBin}/xboa.old" ]; then
mv -f ${_optBin}/xboa.old ${_optBin}/xboa
fi
fi
fi
fi
if [ ! -e "${_optBin}/boa" ] \
|| [ ! -e "${_pthLog}/boa.sh.ctrl.f89.${_tRee}.${_xSrl}.pid" ]; then
_CNT=$(pgrep -fc /local/bin/boa)
if (( _CNT > 0 )); then
echo "The boa is running!"
else
if [ -e "${_optBin}/boa" ]; then
mv -f ${_optBin}/boa ${_optBin}/boa.old
fi
curl ${_crlGet} "${_urlHmr}/tools/bin/boa" -o ${_optBin}/boa
if [ -e "${_optBin}/boa" ]; then
chmod 700 ${_optBin}/boa
chown root:root ${_optBin}/boa
touch ${_pthLog}/boa.sh.ctrl.f89.${_tRee}.${_xSrl}.pid
else
if [ -e "${_optBin}/boa.old" ]; then
mv -f ${_optBin}/boa.old ${_optBin}/boa
fi
fi
fi
fi
if [ ! -e "${_optBin}/barracuda" ] \
|| [ ! -e "${_pthLog}/barracuda.sh.ctrl.f93.${_tRee}.${_xSrl}.pid" ]; then
_CNT=$(pgrep -fc /local/bin/barracuda)
if (( _CNT > 0 )); then
echo "The barracuda is running!"
else
if [ -e "${_optBin}/barracuda" ]; then
mv -f ${_optBin}/barracuda ${_optBin}/barracuda.old
fi
curl ${_crlGet} "${_urlHmr}/tools/bin/barracuda" -o ${_optBin}/barracuda
if [ -e "${_optBin}/barracuda" ]; then
chmod 700 ${_optBin}/barracuda
chown root:root ${_optBin}/barracuda
touch ${_pthLog}/barracuda.sh.ctrl.f93.${_tRee}.${_xSrl}.pid
else
if [ -e "${_optBin}/barracuda.old" ]; then
mv -f ${_optBin}/barracuda.old ${_optBin}/barracuda
fi
fi
fi
fi
if [ ! -e "${_optBin}/octopus" ] \
|| [ ! -e "${_pthLog}/octopus.sh.ctrl.f89.${_tRee}.${_xSrl}.pid" ]; then
_CNT=$(pgrep -fc /local/bin/octopus)
if (( _CNT > 0 )); then
echo "The octopus is running!"
else
if [ -e "${_optBin}/octopus" ]; then
mv -f ${_optBin}/octopus ${_optBin}/octopus.old
fi
curl ${_crlGet} "${_urlHmr}/tools/bin/octopus" -o ${_optBin}/octopus
if [ -e "${_optBin}/octopus" ]; then
chmod 700 ${_optBin}/octopus
chown root:root ${_optBin}/octopus
touch ${_pthLog}/octopus.sh.ctrl.f89.${_tRee}.${_xSrl}.pid
else
if [ -e "${_optBin}/octopus.old" ]; then
mv -f ${_optBin}/octopus.old ${_optBin}/octopus
fi
fi
fi
fi
if [ ! -e "${_optBin}/perftest" ] \
|| [ ! -L "${_usrBin}/perftest" ] \
|| [ ! -e "${_pthLog}/perftest.sh.ctrl.f97.${_tRee}.${_xSrl}.pid" ]; then
_CNT=$(pgrep -fc /local/bin/perftest)
if (( _CNT > 0 )); then
echo "The perftest is running!"
else
if [ -e "${_optBin}/perftest" ]; then
mv -f ${_optBin}/perftest ${_optBin}/perftest.old
fi
curl ${_crlGet} "${_urlHmr}/tools/bin/perftest" -o ${_optBin}/perftest
if [ -e "${_optBin}/perftest" ]; then
chmod 700 ${_optBin}/perftest
chown root:root ${_optBin}/perftest
ln -sf ${_optBin}/perftest ${_usrBin}/perftest
rm -f ${_pthLog}/perftest.sh.ctrl.*
touch ${_pthLog}/perftest.sh.ctrl.f97.${_tRee}.${_xSrl}.pid
else
if [ -e "${_optBin}/perftest.old" ]; then
mv -f ${_optBin}/perftest.old ${_optBin}/perftest
fi
fi
fi
fi
if [ ! -e "${_optBin}/aptfast" ] \
|| [ ! -e "${_pthLog}/aptfast.sh.ctrl.f98.${_tRee}.${_xSrl}.pid" ]; then
_CNT=$(pgrep -fc /local/bin/aptfast)
if (( _CNT > 0 )); then
echo "The aptfast is running!"
else
if [ -e "${_optBin}/aptfast" ]; then
mv -f ${_optBin}/aptfast ${_optBin}/aptfast.old
fi
curl ${_crlGet} "${_urlHmr}/tools/bin/aptfast" -o ${_optBin}/aptfast
if [ -e "${_optBin}/aptfast" ]; then
chmod 700 ${_optBin}/aptfast
chown root:root ${_optBin}/aptfast
touch ${_pthLog}/aptfast.sh.ctrl.f98.${_tRee}.${_xSrl}.pid
else
if [ -e "${_optBin}/aptfast.old" ]; then
mv -f ${_optBin}/aptfast.old ${_optBin}/aptfast
fi
fi
fi
fi
if [ -e "/var/xdrago/monitor/check" ] \
&& [ -d "/var/aegir/drush" ] \
&& [ ! -e "${_pthLog}/backboa.sh.ctrl.f99.${_tRee}.${_xSrl}.pid" ]; then
_CNT=$(pgrep -fc duplicity)
if (( _CNT > 0 )); then
echo "The duplicity backup is running!"
else
if [ -e "${_optBin}/backboa" ]; then
mv -f ${_optBin}/backboa ${_optBin}/backboa.old
fi
curl ${_crlGet} "${_urlHmr}/tools/bin/backboa" -o ${_optBin}/backboa
if [ -e "${_optBin}/backboa" ]; then
chmod 700 ${_optBin}/backboa
chown root:root ${_optBin}/backboa
touch ${_pthLog}/backboa.sh.ctrl.f99.${_tRee}.${_xSrl}.pid
else
if [ -e "${_optBin}/backboa.old" ]; then
mv -f ${_optBin}/backboa.old ${_optBin}/backboa
fi
fi
fi
fi
if [ -e "/var/xdrago/monitor/check" ] \
&& [ -d "/var/aegir/drush" ] \
&& [ ! -e "${_pthLog}/duobackboa.sh.ctrl.f99.${_tRee}.${_xSrl}.pid" ]; then
_CNT=$(pgrep -fc duplicity)
if (( _CNT > 0 )); then
echo "The duplicity backup is running!"
else
if [ -e "${_optBin}/duobackboa" ]; then
mv -f ${_optBin}/duobackboa ${_optBin}/duobackboa.old
fi
curl ${_crlGet} "${_urlHmr}/tools/bin/duobackboa" -o ${_optBin}/duobackboa
if [ -e "${_optBin}/duobackboa" ]; then
chmod 700 ${_optBin}/duobackboa
chown root:root ${_optBin}/duobackboa
touch ${_pthLog}/duobackboa.sh.ctrl.f99.${_tRee}.${_xSrl}.pid
else
if [ -e "${_optBin}/duobackboa.old" ]; then
mv -f ${_optBin}/duobackboa.old ${_optBin}/duobackboa
fi
fi
fi
fi
if [ -e "/root/.remote_backups/schedule/backup_schedule.txt" ]; then
_BROKEN_UPDATE_TEST=$(grep "Under Construction" /root/.remote_backups/run/*.sh 2>&1)
if [ ! -z "${_BROKEN_UPDATE_TEST}" ]; then
rm -f ${_pthCtrl}/*.pid
fi
_BROKEN_UPDATE_TEST=$(grep "404 Not Found" /root/.remote_backups/run/*.sh 2>&1)
if [ ! -z "${_BROKEN_UPDATE_TEST}" ]; then
rm -f ${_pthCtrl}/*.pid
fi
fi
if [ -e "/root/.remote_backups/schedule/backup_schedule.txt" ] \
&& [ -d "/var/aegir/drush" ] \
&& [ ! -e "${_pthCtrl}/dcysetup.sh.ctrl.f99.${_tRee}.${_xSrl}.pid" ]; then
_CNT=$(pgrep -fc duplicity)
if (( _CNT > 0 )); then
echo "The duplicity backup is running!"
else
if [ -e "${_optBin}/dcysetup" ]; then
mv -f ${_optBin}/dcysetup ${_optBin}/dcysetup.old
fi
curl ${_crlGet} "${_urlHmr}/tools/bin/dcysetup" -o ${_optBin}/dcysetup
if [ -e "${_optBin}/dcysetup" ]; then
chmod 700 ${_optBin}/dcysetup
chown root:root ${_optBin}/dcysetup
touch ${_pthCtrl}/dcysetup.sh.ctrl.f99.${_tRee}.${_xSrl}.pid
else
if [ -e "${_optBin}/dcysetup.old" ]; then
mv -f ${_optBin}/dcysetup.old ${_optBin}/dcysetup
fi
fi
fi
fi
if [ -e "/root/.remote_backups/schedule/backup_schedule.txt" ] \
&& [ -d "/var/aegir/drush" ] \
&& [ ! -e "${_pthCtrl}/multiback.sh.ctrl.f37.${_tRee}.${_xSrl}.pid" ]; then
_CNT=$(pgrep -fc duplicity)
if (( _CNT > 0 )); then
echo "The duplicity backup is running!"
else
if [ -e "${_optBin}/multiback" ]; then
mv -f ${_optBin}/multiback ${_optBin}/multiback.old
fi
curl ${_crlGet} "${_urlHmr}/tools/bin/multiback" -o ${_optBin}/multiback
if [ -e "${_optBin}/multiback" ]; then
chmod 700 ${_optBin}/multiback
chown root:root ${_optBin}/multiback
touch ${_pthCtrl}/multiback.sh.ctrl.f37.${_tRee}.${_xSrl}.pid
else
if [ -e "${_optBin}/multiback.old" ]; then
mv -f ${_optBin}/multiback.old ${_optBin}/multiback
fi
fi
fi
fi
if [ -e "/root/.remote_backups/schedule/backup_schedule.txt" ] \
&& [ -d "/var/aegir/drush" ] \
&& [ ! -e "${_pthCtrl}/mybackup.sh.ctrl.f37.${_tRee}.${_xSrl}.pid" ]; then
_CNT=$(pgrep -fc duplicity)
if (( _CNT > 0 )); then
echo "The duplicity backup is running!"
else
if [ -e "${_optBin}/mybackup" ]; then
mv -f ${_optBin}/mybackup ${_optBin}/mybackup.old
fi
curl ${_crlGet} "${_urlHmr}/tools/bin/mybackup" -o ${_optBin}/mybackup
if [ -e "${_optBin}/mybackup" ]; then
chmod 755 ${_optBin}/mybackup
chown root:root ${_optBin}/mybackup
touch ${_pthCtrl}/mybackup.sh.ctrl.f37.${_tRee}.${_xSrl}.pid
else
if [ -e "${_optBin}/mybackup.old" ]; then
mv -f ${_optBin}/mybackup.old ${_optBin}/mybackup
fi
fi
fi
fi
if [ -d "/root/.remote_backups/run" ] \
&& [ -d "/var/aegir/drush" ] \
&& [ ! -e "${_pthCtrl}/install_dependencies.sh.ctrl.f48.${_tRee}.${_xSrl}.pid" ]; then
if [ -e "/root/.remote_backups/run/install_dependencies.sh" ]; then
mv -f /root/.remote_backups/run/install_dependencies.sh /root/.remote_backups/run/install_dependencies.sh.old
fi
curl ${_crlGet} "${_urlHmr}/tools/backup/run/install_dependencies.sh" -o /root/.remote_backups/run/install_dependencies.sh
if [ -e "/root/.remote_backups/run/install_dependencies.sh" ]; then
chmod 700 /root/.remote_backups/run/install_dependencies.sh
chown root:root /root/.remote_backups/run/install_dependencies.sh
touch ${_pthCtrl}/install_dependencies.sh.ctrl.f48.${_tRee}.${_xSrl}.pid
else
if [ -e "/root/.remote_backups/run/install_dependencies.sh.old" ]; then
mv -f /root/.remote_backups/run/install_dependencies.sh.old /root/.remote_backups/run/install_dependencies.sh
fi
fi
fi
if [ -d "/root/.remote_backups/run" ] \
&& [ -d "/var/aegir/drush" ] \
&& [ ! -e "${_pthCtrl}/create_credentials_templates.sh.ctrl.f48.${_tRee}.${_xSrl}.pid" ]; then
rm -f /.backboa*
if [ -e "/root/.remote_backups/run/create_credentials_templates.sh" ]; then
mv -f /root/.remote_backups/run/create_credentials_templates.sh /root/.remote_backups/run/create_credentials_templates.sh.old
fi
curl ${_crlGet} "${_urlHmr}/tools/backup/run/create_credentials_templates.sh" -o /root/.remote_backups/run/create_credentials_templates.sh
if [ -e "/root/.remote_backups/run/create_credentials_templates.sh" ]; then
chmod 700 /root/.remote_backups/run/create_credentials_templates.sh
chown root:root /root/.remote_backups/run/create_credentials_templates.sh
touch ${_pthCtrl}/create_credentials_templates.sh.ctrl.f48.${_tRee}.${_xSrl}.pid
else
if [ -e "/root/.remote_backups/run/create_credentials_templates.sh.old" ]; then
mv -f /root/.remote_backups/run/create_credentials_templates.sh.old /root/.remote_backups/run/create_credentials_templates.sh
fi
fi
fi
if [ -d "/root/.remote_backups/run" ] \
&& [ -d "/var/aegir/drush" ] \
&& [ ! -e "${_pthCtrl}/create_global_paths_config.sh.ctrl.f44.${_tRee}.${_xSrl}.pid" ]; then
if [ -e "/root/.remote_backups/run/create_global_paths_config.sh" ]; then
mv -f /root/.remote_backups/run/create_global_paths_config.sh /root/.remote_backups/run/create_global_paths_config.sh.old
fi
curl ${_crlGet} "${_urlHmr}/tools/backup/run/create_global_paths_config.sh" -o /root/.remote_backups/run/create_global_paths_config.sh
if [ -e "/root/.remote_backups/run/create_global_paths_config.sh" ]; then
chmod 700 /root/.remote_backups/run/create_global_paths_config.sh
chown root:root /root/.remote_backups/run/create_global_paths_config.sh
touch ${_pthCtrl}/create_global_paths_config.sh.ctrl.f44.${_tRee}.${_xSrl}.pid
else
if [ -e "/root/.remote_backups/run/create_global_paths_config.sh.old" ]; then
mv -f /root/.remote_backups/run/create_global_paths_config.sh.old /root/.remote_backups/run/create_global_paths_config.sh
fi
fi
fi
if [ -d "/root/.remote_backups/run" ] \
&& [ -d "/var/aegir/drush" ] \
&& [ ! -e "${_pthCtrl}/create_user_paths_config.sh.ctrl.f48.${_tRee}.${_xSrl}.pid" ]; then
rm -f /.backboa*
if [ -e "/root/.remote_backups/run/create_user_paths_config.sh" ]; then
mv -f /root/.remote_backups/run/create_user_paths_config.sh /root/.remote_backups/run/create_user_paths_config.sh.old
fi
curl ${_crlGet} "${_urlHmr}/tools/backup/run/create_user_paths_config.sh" -o /root/.remote_backups/run/create_user_paths_config.sh
if [ -e "/root/.remote_backups/run/create_user_paths_config.sh" ]; then
chmod 700 /root/.remote_backups/run/create_user_paths_config.sh
chown root:root /root/.remote_backups/run/create_user_paths_config.sh
touch ${_pthCtrl}/create_user_paths_config.sh.ctrl.f48.${_tRee}.${_xSrl}.pid
else
if [ -e "/root/.remote_backups/run/create_user_paths_config.sh.old" ]; then
mv -f /root/.remote_backups/run/create_user_paths_config.sh.old /root/.remote_backups/run/create_user_paths_config.sh
fi
fi
fi
if [ -d "/root/.remote_backups/run" ] \
&& [ -d "/var/aegir/drush" ] \
&& [ ! -e "${_pthCtrl}/create_cron_entries.sh.ctrl.f48.${_tRee}.${_xSrl}.pid" ]; then
if [ -e "/root/.remote_backups/run/create_cron_entries.sh" ]; then
mv -f /root/.remote_backups/run/create_cron_entries.sh /root/.remote_backups/run/create_cron_entries.sh.old
fi
curl ${_crlGet} "${_urlHmr}/tools/backup/run/create_cron_entries.sh" -o /root/.remote_backups/run/create_cron_entries.sh
if [ -e "/root/.remote_backups/run/create_cron_entries.sh" ]; then
chmod 700 /root/.remote_backups/run/create_cron_entries.sh
chown root:root /root/.remote_backups/run/create_cron_entries.sh
touch ${_pthCtrl}/create_cron_entries.sh.ctrl.f48.${_tRee}.${_xSrl}.pid
else
if [ -e "/root/.remote_backups/run/create_cron_entries.sh.old" ]; then
mv -f /root/.remote_backups/run/create_cron_entries.sh.old /root/.remote_backups/run/create_cron_entries.sh
fi
fi
fi
if [ -d "/root/.remote_backups/run" ] \
&& [ -d "/var/aegir/drush" ] \
&& [ ! -e "${_pthCtrl}/create_readme.sh.ctrl.f48.${_tRee}.${_xSrl}.pid" ]; then
if [ -e "/root/.remote_backups/run/create_readme.sh" ]; then
mv -f /root/.remote_backups/run/create_readme.sh /root/.remote_backups/run/create_readme.sh.old
fi
curl ${_crlGet} "${_urlHmr}/tools/backup/run/create_readme.sh" -o /root/.remote_backups/run/create_readme.sh
if [ -e "/root/.remote_backups/run/create_readme.sh" ]; then
chmod 700 /root/.remote_backups/run/create_readme.sh
chown root:root /root/.remote_backups/run/create_readme.sh
touch ${_pthCtrl}/create_readme.sh.ctrl.f48.${_tRee}.${_xSrl}.pid
else
if [ -e "/root/.remote_backups/run/create_readme.sh.old" ]; then
mv -f /root/.remote_backups/run/create_readme.sh.old /root/.remote_backups/run/create_readme.sh
fi
fi
fi
if [ -d "/root/.remote_backups/run" ] \
&& [ -d "/var/aegir/drush" ] \
&& [ ! -e "${_pthCtrl}/create_config_readme.sh.ctrl.f48.${_tRee}.${_xSrl}.pid" ]; then
if [ -e "/root/.remote_backups/run/create_config_readme.sh" ]; then
mv -f /root/.remote_backups/run/create_config_readme.sh /root/.remote_backups/run/create_config_readme.sh.old
fi
curl ${_crlGet} "${_urlHmr}/tools/backup/run/create_config_readme.sh" -o /root/.remote_backups/run/create_config_readme.sh
if [ -e "/root/.remote_backups/run/create_config_readme.sh" ]; then
chmod 700 /root/.remote_backups/run/create_config_readme.sh
chown root:root /root/.remote_backups/run/create_config_readme.sh
touch ${_pthCtrl}/create_config_readme.sh.ctrl.f48.${_tRee}.${_xSrl}.pid
else
if [ -e "/root/.remote_backups/run/create_config_readme.sh.old" ]; then
mv -f /root/.remote_backups/run/create_config_readme.sh.old /root/.remote_backups/run/create_config_readme.sh
fi
fi
fi
if [ -e "/var/xdrago/monitor/check" ] \
&& [ -e "/var/aegir/.drush/hm.alias.drushrc.php" ] \
&& [ ! -e "${_pthLog}/scan_nginx.sh.ctrl.f81.${_tRee}.${_xSrl}.pid" ]; then
mv -f /var/xdrago/monitor/check/scan_nginx.sh /var/xdrago/monitor/check/scan_nginx.sh.old
curl ${_crlGet} "${_urlHmr}/tools/system/monitor/check/scan_nginx.sh" -o /var/xdrago/monitor/check/scan_nginx.sh
if [ -e "/var/xdrago/monitor/check/scan_nginx.sh" ]; then
chmod 700 /var/xdrago/monitor/check/scan_nginx.sh
chown root:root /var/xdrago/monitor/check/scan_nginx.sh
touch ${_pthLog}/scan_nginx.sh.ctrl.f81.${_tRee}.${_xSrl}.pid
if [ ! -e "/var/xdrago/monitor/log/.scan_nginx_arch.${_xSrl}.pid" ]; then
if [ -e "/var/xdrago/monitor/scan_nginx.archive.log" ]; then
mv -f /var/xdrago/monitor/scan_nginx.archive.log /var/xdrago/monitor/log/.scan_nginx_legacy.archive.f81.${_tRee}.${_xSrl}.log
fi
if [ -e "/var/xdrago/monitor/log/scan_nginx.archive.log" ]; then
mv -f /var/xdrago/monitor/log/scan_nginx.archive.log /var/xdrago/monitor/log/scan_nginx.archive.f81.${_tRee}.${_xSrl}.log
fi
rm -f /var/xdrago/monitor/log/.scan_nginx_arch*.pid
touch /var/xdrago/monitor/log/.scan_nginx_arch.${_xSrl}.pid
csf -df
wait
[ -e "/etc/csf/csfpost.d/synproxy.sh" ] && synproxy_reassert -p "443 80" --no-quic -q &> /dev/null
fi
if [ ! -e "/var/xdrago/monitor/log/.hackcheck.arch.${_xSrl}.pid" ]; then
if [ -e "/var/xdrago/monitor/hackcheck.archive.log" ]; then
mv -f /var/xdrago/monitor/hackcheck.archive.log /var/xdrago/monitor/log/.scan_nginx_legacy.archive.f81.${_tRee}.${_xSrl}.log
fi
if [ -e "/var/xdrago/monitor/log/hackcheck.archive.log" ]; then
mv -f /var/xdrago/monitor/log/hackcheck.archive.log /var/xdrago/monitor/log/hackcheck.archive.f81.${_tRee}.${_xSrl}.log
fi
rm -f /var/xdrago/monitor/log/.hackcheck.arch*.pid
touch /var/xdrago/monitor/log/.hackcheck.arch.${_xSrl}.pid
csf -df
wait
[ -e "/etc/csf/csfpost.d/synproxy.sh" ] && synproxy_reassert -p "443 80" --no-quic -q &> /dev/null
fi
else
mv -f /var/xdrago/monitor/check/scan_nginx.sh.old /var/xdrago/monitor/check/scan_nginx.sh
fi
fi
if [ -e "/var/xdrago/monitor/check" ] \
&& [ -e "/var/aegir/.drush/hm.alias.drushrc.php" ] \
&& [ ! -e "${_pthLog}/java.sh.ctrl.f90.${_tRee}.${_xSrl}.pid" ]; then
mv -f /var/xdrago/monitor/check/java.sh /var/xdrago/monitor/check/java.sh.old
curl ${_crlGet} "${_urlHmr}/tools/system/monitor/check/java.sh" -o /var/xdrago/monitor/check/java.sh
if [ -e "/var/xdrago/monitor/check/java.sh" ]; then
chmod 700 /var/xdrago/monitor/check/java.sh
chown root:root /var/xdrago/monitor/check/java.sh
touch ${_pthLog}/java.sh.ctrl.f90.${_tRee}.${_xSrl}.pid
else
mv -f /var/xdrago/monitor/check/java.sh.old /var/xdrago/monitor/check/java.sh
fi
fi
if [ -e "/var/xdrago/monitor/check" ] \
&& [ -e "/var/aegir/.drush/hm.alias.drushrc.php" ] \
&& [ ! -e "${_pthLog}/mysql.sh.ctrl.f82.${_tRee}.${_xSrl}.pid" ]; then
mv -f /var/xdrago/monitor/check/mysql.sh /var/xdrago/monitor/check/mysql.sh.old
curl ${_crlGet} "${_urlHmr}/tools/system/monitor/check/mysql.sh" -o /var/xdrago/monitor/check/mysql.sh
if [ -e "/var/xdrago/monitor/check/mysql.sh" ]; then
if [ -e "/root/.debug.cnf" ] && [ ! -e "/root/.default.cnf" ]; then
_DO_NOTHING=YES
else
if [ -e "/root/.high_load.cnf" ] \
&& [ ! -e "/root/.big_db.cnf" ] \
&& [ ! -e "/root/.tg.cnf" ]; then
sed -i "s/3600/300/g" /var/xdrago/monitor/check/mysql.sh
elif [ -e "/root/.big_db.cnf" ] || [ -e "/root/.tg.cnf" ]; then
_DO_NOTHING=YES
else
sed -i "s/3600/1800/g" /var/xdrago/monitor/check/mysql.sh
fi
fi
chmod 700 /var/xdrago/monitor/check/mysql.sh
chown root:root /var/xdrago/monitor/check/mysql.sh
touch ${_pthLog}/mysql.sh.ctrl.f82.${_tRee}.${_xSrl}.pid
else
mv -f /var/xdrago/monitor/check/mysql.sh.old /var/xdrago/monitor/check/mysql.sh
fi
fi
if [ -e "/var/xdrago/monitor/check" ] \
&& [ -e "/var/aegir/.drush/hm.alias.drushrc.php" ] \
&& [ ! -e "${_pthLog}/nginx.sh.ctrl.f92.${_tRee}.${_xSrl}.pid" ]; then
mv -f /var/xdrago/monitor/check/nginx.sh /var/xdrago/monitor/check/nginx.sh.old
curl ${_crlGet} "${_urlHmr}/tools/system/monitor/check/nginx.sh" -o /var/xdrago/monitor/check/nginx.sh
if [ -e "/var/xdrago/monitor/check/nginx.sh" ]; then
chmod 700 /var/xdrago/monitor/check/nginx.sh
chown root:root /var/xdrago/monitor/check/nginx.sh
touch ${_pthLog}/nginx.sh.ctrl.f92.${_tRee}.${_xSrl}.pid
else
mv -f /var/xdrago/monitor/check/nginx.sh.old /var/xdrago/monitor/check/nginx.sh
fi
fi
if [ ! -e "/var/xdrago/monitor/check/nginx_guard.sh" ]; then
rm -f ${_pthLog}/nginx_guard.sh.ctrl.*
fi
if [ -e "/var/xdrago/monitor/check" ] \
&& [ -e "/var/aegir/.drush/hm.alias.drushrc.php" ] \
&& [ ! -e "${_pthLog}/nginx_guard.sh.ctrl.f98.${_tRee}.${_xSrl}.pid" ]; then
mv -f /var/xdrago/monitor/check/nginx_guard.sh /var/xdrago/monitor/check/nginx_guard.sh.old
curl ${_crlGet} "${_urlHmr}/tools/system/monitor/check/nginx_guard.sh" -o /var/xdrago/monitor/check/nginx_guard.sh
if [ -e "/var/xdrago/monitor/check/nginx_guard.sh" ]; then
chmod 700 /var/xdrago/monitor/check/nginx_guard.sh
chown root:root /var/xdrago/monitor/check/nginx_guard.sh
touch ${_pthLog}/nginx_guard.sh.ctrl.f98.${_tRee}.${_xSrl}.pid
else
mv -f /var/xdrago/monitor/check/nginx_guard.sh.old /var/xdrago/monitor/check/nginx_guard.sh
fi
fi
if [ -e "/var/xdrago/monitor/check" ] \
&& [ -e "/var/aegir/.drush/hm.alias.drushrc.php" ] \
&& [ ! -e "${_pthLog}/php.sh.ctrl.f85.${_tRee}.${_xSrl}.pid" ]; then
mv -f /var/xdrago/monitor/check/php.sh /var/xdrago/monitor/check/php.sh.old
curl ${_crlGet} "${_urlHmr}/tools/system/monitor/check/php.sh" -o /var/xdrago/monitor/check/php.sh
if [ -e "/var/xdrago/monitor/check/php.sh" ]; then
chmod 700 /var/xdrago/monitor/check/php.sh
chown root:root /var/xdrago/monitor/check/php.sh
touch ${_pthLog}/php.sh.ctrl.f85.${_tRee}.${_xSrl}.pid
else
mv -f /var/xdrago/monitor/check/php.sh.old /var/xdrago/monitor/check/php.sh
fi
fi
if [ -e "/var/xdrago/monitor/check" ] \
&& [ -e "/var/aegir/.drush/hm.alias.drushrc.php" ] \
&& [ ! -e "${_pthLog}/valkey.sh.ctrl.f87.${_tRee}.${_xSrl}.pid" ]; then
mv -f /var/xdrago/monitor/check/valkey.sh /var/xdrago/monitor/check/valkey.sh.old
curl ${_crlGet} "${_urlHmr}/tools/system/monitor/check/valkey.sh" -o /var/xdrago/monitor/check/valkey.sh
if [ -e "/var/xdrago/monitor/check/valkey.sh" ]; then
chmod 700 /var/xdrago/monitor/check/valkey.sh
chown root:root /var/xdrago/monitor/check/valkey.sh
touch ${_pthLog}/valkey.sh.ctrl.f87.${_tRee}.${_xSrl}.pid
else
mv -f /var/xdrago/monitor/check/valkey.sh.old /var/xdrago/monitor/check/valkey.sh
fi
fi
if [ -e "/var/xdrago/monitor/check" ] \
&& [ -e "/var/aegir/.drush/hm.alias.drushrc.php" ] \
&& [ ! -e "${_pthLog}/redis.sh.ctrl.f90.${_tRee}.${_xSrl}.pid" ]; then
mv -f /var/xdrago/monitor/check/redis.sh /var/xdrago/monitor/check/redis.sh.old
curl ${_crlGet} "${_urlHmr}/tools/system/monitor/check/redis.sh" -o /var/xdrago/monitor/check/redis.sh
if [ -e "/var/xdrago/monitor/check/redis.sh" ]; then
chmod 700 /var/xdrago/monitor/check/redis.sh
chown root:root /var/xdrago/monitor/check/redis.sh
touch ${_pthLog}/redis.sh.ctrl.f90.${_tRee}.${_xSrl}.pid
else
mv -f /var/xdrago/monitor/check/redis.sh.old /var/xdrago/monitor/check/redis.sh
fi
fi
if [ -e "/var/xdrago/monitor/check" ] \
&& [ -e "/var/aegir/.drush/hm.alias.drushrc.php" ] \
&& [ ! -e "${_pthLog}/system.sh.ctrl.f83.${_tRee}.${_xSrl}.pid" ]; then
mv -f /var/xdrago/monitor/check/system.sh /var/xdrago/monitor/check/system.sh.old
curl ${_crlGet} "${_urlHmr}/tools/system/monitor/check/system.sh" -o /var/xdrago/monitor/check/system.sh
if [ -e "/var/xdrago/monitor/check/system.sh" ]; then
chmod 700 /var/xdrago/monitor/check/system.sh
chown root:root /var/xdrago/monitor/check/system.sh
touch ${_pthLog}/system.sh.ctrl.f83.${_tRee}.${_xSrl}.pid
else
mv -f /var/xdrago/monitor/check/system.sh.old /var/xdrago/monitor/check/system.sh
fi
fi
if [ -e "/var/xdrago/monitor/check" ] \
&& [ -e "/var/aegir/.drush/hm.alias.drushrc.php" ] \
&& [ ! -e "${_pthLog}/unbound.sh.ctrl.f86.${_tRee}.${_xSrl}.pid" ]; then
mv -f /var/xdrago/monitor/check/unbound.sh /var/xdrago/monitor/check/unbound.sh.old
curl ${_crlGet} "${_urlHmr}/tools/system/monitor/check/unbound.sh" -o /var/xdrago/monitor/check/unbound.sh
if [ -e "/var/xdrago/monitor/check/unbound.sh" ]; then
chmod 700 /var/xdrago/monitor/check/unbound.sh
chown root:root /var/xdrago/monitor/check/unbound.sh
touch ${_pthLog}/unbound.sh.ctrl.f86.${_tRee}.${_xSrl}.pid
else
mv -f /var/xdrago/monitor/check/unbound.sh.old /var/xdrago/monitor/check/unbound.sh
fi
fi
if [ -e "/var/xdrago/monitor/check" ] \
&& [ -e "/var/aegir/.drush/hm.alias.drushrc.php" ] \
&& [ ! -e "${_pthLog}/escapecheck.sh.ctrl.f99.${_tRee}.${_xSrl}.pid" ]; then
mv -f /var/xdrago/monitor/check/escapecheck.sh /var/xdrago/monitor/check/escapecheck.sh.old
curl ${_crlGet} "${_urlHmr}/tools/system/monitor/check/escapecheck.sh" -o /var/xdrago/monitor/check/escapecheck.sh
if [ -e "/var/xdrago/monitor/check/escapecheck.sh" ]; then
chmod 700 /var/xdrago/monitor/check/escapecheck.sh
chown root:root /var/xdrago/monitor/check/escapecheck.sh
touch ${_pthLog}/escapecheck.sh.ctrl.f99.${_tRee}.${_xSrl}.pid
else
mv -f /var/xdrago/monitor/check/escapecheck.sh.old /var/xdrago/monitor/check/escapecheck.sh
fi
fi
if [ -e "/var/xdrago/monitor/check" ] \
&& [ -e "/var/aegir/.drush/hm.alias.drushrc.php" ] \
&& [ ! -e "${_pthLog}/hackcheck.sh.ctrl.f95.${_tRee}.${_xSrl}.pid" ]; then
mv -f /var/xdrago/monitor/check/hackcheck.sh /var/xdrago/monitor/check/hackcheck.sh.old
curl ${_crlGet} "${_urlHmr}/tools/system/monitor/check/hackcheck.sh" -o /var/xdrago/monitor/check/hackcheck.sh
if [ -e "/var/xdrago/monitor/check/hackcheck.sh" ]; then
chmod 700 /var/xdrago/monitor/check/hackcheck.sh
chown root:root /var/xdrago/monitor/check/hackcheck.sh
touch ${_pthLog}/hackcheck.sh.ctrl.f95.${_tRee}.${_xSrl}.pid
else
mv -f /var/xdrago/monitor/check/hackcheck.sh.old /var/xdrago/monitor/check/hackcheck.sh
fi
fi
if [ -e "/var/xdrago/monitor/check" ] \
&& [ -e "/var/aegir/.drush/hm.alias.drushrc.php" ] \
&& [ ! -e "${_pthLog}/hackftp.sh.ctrl.f98.${_tRee}.${_xSrl}.pid" ]; then
mv -f /var/xdrago/monitor/check/hackftp.sh /var/xdrago/monitor/check/hackftp.sh.old
curl ${_crlGet} "${_urlHmr}/tools/system/monitor/check/hackftp.sh" -o /var/xdrago/monitor/check/hackftp.sh
if [ -e "/var/xdrago/monitor/check/hackftp.sh" ]; then
chmod 700 /var/xdrago/monitor/check/hackftp.sh
chown root:root /var/xdrago/monitor/check/hackftp.sh
touch ${_pthLog}/hackftp.sh.ctrl.f98.${_tRee}.${_xSrl}.pid
else
mv -f /var/xdrago/monitor/check/hackftp.sh.old /var/xdrago/monitor/check/hackftp.sh
fi
fi
if [ -e "/var/xdrago/monitor/check" ] \
&& [ -e "/var/aegir/.drush/hm.alias.drushrc.php" ] \
&& [ ! -e "${_pthLog}/segfault_alert.pl.ctrl.f94.${_tRee}.${_xSrl}.pid" ]; then
mv -f /var/xdrago/monitor/check/segfault_alert.pl /var/xdrago/monitor/check/segfault_alert.pl.old
curl ${_crlGet} "${_urlHmr}/tools/system/monitor/check/segfault_alert.pl" -o /var/xdrago/monitor/check/segfault_alert.pl
if [ -e "/var/xdrago/monitor/check/segfault_alert.pl" ]; then
chmod 700 /var/xdrago/monitor/check/segfault_alert.pl
chown root:root /var/xdrago/monitor/check/segfault_alert.pl
touch ${_pthLog}/segfault_alert.pl.ctrl.f94.${_tRee}.${_xSrl}.pid
else
mv -f /var/xdrago/monitor/check/segfault_alert.pl.old /var/xdrago/monitor/check/segfault_alert.pl
fi
fi
if [ -e "/var/xdrago/monitor/check" ] \
&& [ -e "/var/aegir/.drush/hm.alias.drushrc.php" ] \
&& [ ! -e "${_pthLog}/sqlcheck.pl.ctrl.f94.${_tRee}.${_xSrl}.pid" ]; then
mv -f /var/xdrago/monitor/check/sqlcheck.pl /var/xdrago/monitor/check/sqlcheck.pl.old
curl ${_crlGet} "${_urlHmr}/tools/system/monitor/check/sqlcheck.pl" -o /var/xdrago/monitor/check/sqlcheck.pl
if [ -e "/var/xdrago/monitor/check/sqlcheck.pl" ]; then
chmod 700 /var/xdrago/monitor/check/sqlcheck.pl
chown root:root /var/xdrago/monitor/check/sqlcheck.pl
touch ${_pthLog}/sqlcheck.pl.ctrl.f94.${_tRee}.${_xSrl}.pid
else
mv -f /var/xdrago/monitor/check/sqlcheck.pl.old /var/xdrago/monitor/check/sqlcheck.pl
fi
fi
if [ -e "/var/xdrago/monitor/check" ] \
&& [ ! -e "${_pthLog}/cv-phar-symlink.ctrl.${_tRee}.${_xSrl}.pid" ]; then
if [ -x "/usr/local/bin/cv.phar" ] \
&& [ -L "/usr/bin/cv" ]; then
_CV_SYMLINK=$(readlink -n /usr/bin/cv 2>&1)
_CV_SYMLINK=$(echo -n ${_CV_SYMLINK} | tr -d "\n" 2>&1)
if [ "${_CV_SYMLINK}" != "/usr/local/bin/cv.phar" ]; then
rm -f /usr/bin/cv
ln -sfn /usr/local/bin/cv.phar /usr/bin/cv
touch ${_pthLog}/cv-phar-symlink.ctrl.${_tRee}.${_xSrl}.pid
fi
fi
fi
if [ -e "/var/xdrago/monitor/check" ] \
&& [ ! -e "${_pthLog}/drush8-classic-symlink.ctrl.${_tRee}.${_xSrl}.pid" ]; then
if [ -x "/opt/tools/drush/8/drush/drush.php" ] \
&& [ -L "/usr/bin/drush8" ]; then
_DRUSH_SYMLINK=$(readlink -n /usr/bin/drush8 2>&1)
_DRUSH_SYMLINK=$(echo -n ${_DRUSH_SYMLINK} | tr -d "\n" 2>&1)
if [ "${_DRUSH_SYMLINK}" != "/opt/tools/drush/8/drush/drush.php" ]; then
rm -f /usr/bin/drush8
rm -f /usr/bin/drush
ln -sfn /opt/tools/drush/8/drush/drush.php /usr/bin/drush8
ln -sfn /opt/tools/drush/8/drush/drush.php /usr/bin/drush
touch ${_pthLog}/drush8-classic-symlink.ctrl.${_tRee}.${_xSrl}.pid
fi
fi
fi
if [ -e "/var/xdrago/monitor/check" ] \
&& [ -e "/var/aegir/.drush/hm.alias.drushrc.php" ] \
&& [ ! -e "${_pthLog}/clean-boa-env.ctrl.f97.${_tRee}.${_xSrl}.pid" ]; then
mv -f /etc/init.d/clean-boa-env /var/xdrago/clean-boa-env.old
curl ${_crlGet} "${_urlHmr}/conf/var/clean-boa-env" -o /etc/init.d/clean-boa-env
if [ -e "/etc/init.d/clean-boa-env" ]; then
chmod 700 /etc/init.d/clean-boa-env
chown root:root /etc/init.d/clean-boa-env
touch ${_pthLog}/clean-boa-env.ctrl.f97.${_tRee}.${_xSrl}.pid
else
mv -f /var/xdrago/clean-boa-env.old /etc/init.d/clean-boa-env
fi
fi
if [ -e "/var/xdrago/monitor/check" ] \
&& [ -e "/var/aegir/.drush/hm.alias.drushrc.php" ] \
&& [ ! -e "${_pthLog}/mysql_backup.sh.ctrl.f88.${_xSrl}.pid" ]; then
_CNT=$(pgrep -fc mysql_backup.sh)
if (( _CNT > 0 )); then
echo "The mysql_backup.sh is running!"
else
mv -f /var/xdrago/mysql_backup.sh /var/xdrago/mysql_backup.sh.old
curl ${_crlGet} "${_urlHmr}/tools/system/mysql_backup.sh" -o /var/xdrago/mysql_backup.sh
if [ -e "/var/xdrago/mysql_backup.sh" ]; then
chmod 700 /var/xdrago/mysql_backup.sh
chown root:root /var/xdrago/mysql_backup.sh
touch ${_pthLog}/mysql_backup.sh.ctrl.f88.${_xSrl}.pid
else
mv -f /var/xdrago/mysql_backup.sh.old /var/xdrago/mysql_backup.sh
fi
fi
fi
if [ -e "/var/xdrago/monitor/check" ] \
&& [ -e "/var/aegir/.drush/hm.alias.drushrc.php" ] \
&& [ ! -e "${_pthLog}/unbound-helper.ctrl.f95.${_xSrl}.pid" ]; then
mv -f /usr/libexec/unbound-helper /usr/libexec/unbound-helper.old
curl ${_crlGet} "${_urlHmr}/conf/dns/unbound-helper" -o /usr/libexec/unbound-helper
if [ -e "/usr/libexec/unbound-helper" ]; then
chmod 755 /usr/libexec/unbound-helper
chown root:root /usr/libexec/unbound-helper
touch ${_pthLog}/unbound-helper.ctrl.f95.${_xSrl}.pid
else
mv -f /usr/libexec/unbound-helper.old /usr/libexec/unbound-helper
fi
fi
if [ -e "/var/xdrago/monitor/check" ] \
&& [ -e "/var/aegir/.drush/hm.alias.drushrc.php" ] \
&& [ ! -e "${_pthLog}/mysql_cleanup.sh.ctrl.f92.${_xSrl}.pid" ]; then
mv -f /var/xdrago/mysql_cleanup.sh /var/xdrago/mysql_cleanup.sh.old
curl ${_crlGet} "${_urlHmr}/tools/system/mysql_cleanup.sh" -o /var/xdrago/mysql_cleanup.sh
if [ -e "/var/xdrago/mysql_cleanup.sh" ]; then
chmod 700 /var/xdrago/mysql_cleanup.sh
chown root:root /var/xdrago/mysql_cleanup.sh
touch ${_pthLog}/mysql_cleanup.sh.ctrl.f92.${_xSrl}.pid
else
mv -f /var/xdrago/mysql_cleanup.sh.old /var/xdrago/mysql_cleanup.sh
fi
fi
if [ -e "/var/xdrago/monitor/check" ] \
&& [ -e "/var/aegir/.drush/hm.alias.drushrc.php" ] \
&& [ ! -e "${_pthLog}/mysql_cluster_backup.sh.ctrl.f91.${_tRee}.${_xSrl}.pid" ]; then
_CNT=$(pgrep -fc mysql_cluster_backup.sh)
if (( _CNT > 0 )); then
echo "The mysql_cluster_backup.sh is running!"
else
mv -f /var/xdrago/mysql_cluster_backup.sh /var/xdrago/mysql_cluster_backup.sh.old
curl ${_crlGet} "${_urlHmr}/tools/system/mysql_cluster_backup.sh" -o /var/xdrago/mysql_cluster_backup.sh
if [ -e "/var/xdrago/mysql_cluster_backup.sh" ]; then
chmod 700 /var/xdrago/mysql_cluster_backup.sh
chown root:root /var/xdrago/mysql_cluster_backup.sh
touch ${_pthLog}/mysql_cluster_backup.sh.ctrl.f91.${_tRee}.${_xSrl}.pid
else
mv -f /var/xdrago/mysql_cluster_backup.sh.old /var/xdrago/mysql_cluster_backup.sh
fi
fi
fi
if [ -e "/var/xdrago/monitor/check" ] \
&& [ -e "/var/aegir/.drush/hm.alias.drushrc.php" ] \
&& [ ! -e "${_pthLog}/runner.sh.ctrl.f86.${_tRee}.${_xSrl}.pid" ]; then
mv -f /var/xdrago/runner.sh /var/xdrago/runner.sh.old
curl ${_crlGet} "${_urlHmr}/tools/system/runner.sh" -o /var/xdrago/runner.sh
if [ -e "/var/xdrago/runner.sh" ]; then
chmod 700 /var/xdrago/runner.sh
chown root:root /var/xdrago/runner.sh
touch ${_pthLog}/runner.sh.ctrl.f86.${_tRee}.${_xSrl}.pid
else
mv -f /var/xdrago/runner.sh.old /var/xdrago/runner.sh
fi
fi
if [ -e "/var/xdrago/monitor/check" ] \
&& [ -e "/var/aegir/.drush/hm.alias.drushrc.php" ] \
&& [ ! -e "${_pthLog}/minute.sh.ctrl.f91.${_tRee}.${_xSrl}.pid" ]; then
mv -f /var/xdrago/minute.sh /var/xdrago/minute.sh.old
curl ${_crlGet} "${_urlHmr}/tools/system/minute.sh" -o /var/xdrago/minute.sh
if [ -e "/var/xdrago/minute.sh" ]; then
chmod 700 /var/xdrago/minute.sh
chown root:root /var/xdrago/minute.sh
touch ${_pthLog}/minute.sh.ctrl.f91.${_tRee}.${_xSrl}.pid
else
mv -f /var/xdrago/minute.sh.old /var/xdrago/minute.sh
fi
fi
if [ -e "/var/xdrago/monitor/check" ] \
&& [ -e "/var/aegir/.drush/hm.alias.drushrc.php" ] \
&& [ ! -e "${_pthLog}/second.sh.ctrl.f88.${_tRee}.${_xSrl}.pid" ]; then
mv -f /var/xdrago/second.sh /var/xdrago/second.sh.old
curl ${_crlGet} "${_urlHmr}/tools/system/second.sh" -o /var/xdrago/second.sh
if [ -e "/var/xdrago/second.sh" ]; then
chmod 700 /var/xdrago/second.sh
chown root:root /var/xdrago/second.sh
touch ${_pthLog}/second.sh.ctrl.f88.${_tRee}.${_xSrl}.pid
else
mv -f /var/xdrago/second.sh.old /var/xdrago/second.sh
fi
fi
if [ -e "/var/xdrago/monitor/check" ] \
&& [ -e "/var/aegir/.drush/hm.alias.drushrc.php" ] \
&& [ ! -e "${_pthLog}/ip_access.sh.ctrl.f93.${_tRee}.${_xSrl}.pid" ]; then
mv -f /var/xdrago/ip_access.sh /var/xdrago/ip_access.sh.old
curl ${_crlGet} "${_urlHmr}/tools/system/ip_access.sh" -o /var/xdrago/ip_access.sh
if [ -e "/var/xdrago/ip_access.sh" ]; then
chmod 700 /var/xdrago/ip_access.sh
chown root:root /var/xdrago/ip_access.sh
touch ${_pthLog}/ip_access.sh.ctrl.f93.${_tRee}.${_xSrl}.pid
else
mv -f /var/xdrago/ip_access.sh.old /var/xdrago/ip_access.sh
fi
fi
if [ -e "/var/xdrago/monitor/check" ] \
&& [ -e "/var/aegir/.drush/hm.alias.drushrc.php" ] \
&& [ ! -e "${_pthLog}/move_sql.sh.ctrl.f90.${_tRee}.${_xSrl}.pid" ]; then
mv -f /var/xdrago/move_sql.sh /var/xdrago/move_sql.sh.old
curl ${_crlGet} "${_urlHmr}/tools/system/move_sql.sh" -o /var/xdrago/move_sql.sh
if [ -e "/var/xdrago/move_sql.sh" ]; then
chmod 700 /var/xdrago/move_sql.sh
chown root:root /var/xdrago/move_sql.sh
touch ${_pthLog}/move_sql.sh.ctrl.f90.${_tRee}.${_xSrl}.pid
else
mv -f /var/xdrago/move_sql.sh.old /var/xdrago/move_sql.sh
fi
fi
if [ -e "/var/xdrago/monitor/check" ] \
&& [ -e "/var/aegir/.drush/hm.alias.drushrc.php" ] \
&& [ ! -e "${_pthLog}/mysql_repair.sh.ctrl.f95.${_tRee}.${_xSrl}.pid" ]; then
mv -f /var/xdrago/mysql_repair.sh /var/xdrago/mysql_repair.sh.old
curl ${_crlGet} "${_urlHmr}/tools/system/mysql_repair.sh" -o /var/xdrago/mysql_repair.sh
if [ -e "/var/xdrago/mysql_repair.sh" ]; then
chmod 700 /var/xdrago/mysql_repair.sh
chown root:root /var/xdrago/mysql_repair.sh
touch ${_pthLog}/mysql_repair.sh.ctrl.f95.${_tRee}.${_xSrl}.pid
else
mv -f /var/xdrago/mysql_repair.sh.old /var/xdrago/mysql_repair.sh
fi
fi
if [ -e "/var/xdrago/monitor/check" ] \
&& [ -e "/var/aegir/.drush/hm.alias.drushrc.php" ] \
&& [ ! -e "${_pthLog}/purge_binlogs.sh.ctrl.f93.${_tRee}.${_xSrl}.pid" ]; then
mv -f /var/xdrago/purge_binlogs.sh /var/xdrago/purge_binlogs.sh.old
curl ${_crlGet} "${_urlHmr}/tools/system/purge_binlogs.sh" -o /var/xdrago/purge_binlogs.sh
if [ -e "/var/xdrago/purge_binlogs.sh" ]; then
chmod 700 /var/xdrago/purge_binlogs.sh
chown root:root /var/xdrago/purge_binlogs.sh
touch ${_pthLog}/purge_binlogs.sh.ctrl.f93.${_tRee}.${_xSrl}.pid
else
mv -f /var/xdrago/purge_binlogs.sh.old /var/xdrago/purge_binlogs.sh
fi
fi
if [ -e "/var/xdrago/monitor/check" ] \
&& [ -e "/var/aegir/.drush/hm.alias.drushrc.php" ] \
&& [ ! -e "${_pthLog}/checksql.pl.ctrl.f95.${_tRee}.${_xSrl}.pid" ]; then
mv -f /var/xdrago/checksql.pl /var/xdrago/checksql.pl.old
curl ${_crlGet} "${_urlHmr}/tools/system/checksql.pl" -o /var/xdrago/checksql.pl
if [ -e "/var/xdrago/checksql.pl" ]; then
chmod 700 /var/xdrago/checksql.pl
chown root:root /var/xdrago/checksql.pl
touch ${_pthLog}/checksql.pl.ctrl.f95.${_tRee}.${_xSrl}.pid
else
mv -f /var/xdrago/checksql.pl.old /var/xdrago/checksql.pl
fi
fi
if [ -e "/var/xdrago/monitor/check" ] \
&& [ -e "/var/aegir/.drush/hm.alias.drushrc.php" ] \
&& [ ! -e "${_pthLog}/clear.sh.ctrl.f85.${_tRee}.${_xSrl}.pid" ]; then
mv -f /var/xdrago/clear.sh /var/xdrago/clear.sh.old
curl ${_crlGet} "${_urlHmr}/tools/system/clear.sh" -o /var/xdrago/clear.sh
if [ -e "/var/xdrago/clear.sh" ]; then
chmod 700 /var/xdrago/clear.sh
chown root:root /var/xdrago/clear.sh
touch ${_pthLog}/clear.sh.ctrl.f85.${_tRee}.${_xSrl}.pid
else
mv -f /var/xdrago/clear.sh.old /var/xdrago/clear.sh
fi
fi
if [ -e "/var/xdrago/monitor/check" ] \
&& [ -d "/var/aegir/drush" ] \
&& [ ! -e "${_pthLog}/autoupboa.ctrl.f76.${_tRee}.${_xSrl}.pid" ]; then
_CNT=$(pgrep -fc autoupboa)
if (( _CNT > 0 )); then
echo "The autoupboa is running!"
else
if [ -e "${_optBin}/autoupboa" ]; then
mv -f ${_optBin}/autoupboa ${_optBin}/autoupboa.old
fi
curl ${_crlGet} "${_urlHmr}/tools/bin/autoupboa" -o ${_optBin}/autoupboa
if [ -e "${_optBin}/autoupboa" ]; then
chmod 700 ${_optBin}/autoupboa
chown root:root ${_optBin}/autoupboa
touch ${_pthLog}/autoupboa.ctrl.f76.${_tRee}.${_xSrl}.pid
else
if [ -e "${_optBin}/autoupboa.old" ]; then
mv -f ${_optBin}/autoupboa.old ${_optBin}/autoupboa
fi
fi
fi
fi
if [ -e "/var/xdrago/monitor/check" ] \
&& [ -d "/var/aegir/drush" ] \
&& [ ! -e "${_pthLog}/fixmounts.ctrl.f98.${_tRee}.${_xSrl}.pid" ]; then
_CNT=$(pgrep -fc fixmounts)
if (( _CNT > 0 )); then
echo "The fixmounts is running!"
else
if [ -e "${_optBin}/fixmounts" ]; then
mv -f ${_optBin}/fixmounts ${_optBin}/fixmounts.old
fi
curl ${_crlGet} "${_urlHmr}/tools/bin/fixmounts" -o ${_optBin}/fixmounts
if [ -e "${_optBin}/fixmounts" ]; then
chmod 700 ${_optBin}/fixmounts
chown root:root ${_optBin}/fixmounts
touch ${_pthLog}/fixmounts.ctrl.f98.${_tRee}.${_xSrl}.pid
else
if [ -e "${_optBin}/fixmounts.old" ]; then
mv -f ${_optBin}/fixmounts.old ${_optBin}/fixmounts
fi
fi
fi
fi
if [ -e "/var/xdrago/monitor/check" ] \
&& [ -e "/var/aegir/.drush/hm.alias.drushrc.php" ] \
&& [ ! -e "${_pthLog}/daily.sh.ctrl.f73.${_tRee}.${_xSrl}.pid" ]; then
mv -f /var/xdrago/daily.sh /var/xdrago/daily.sh.old
curl ${_crlGet} "${_urlHmr}/tools/system/daily.sh" -o /var/xdrago/daily.sh
if [ -e "/var/xdrago/daily.sh" ]; then
chmod 700 /var/xdrago/daily.sh
chown root:root /var/xdrago/daily.sh
touch ${_pthLog}/daily.sh.ctrl.f73.${_tRee}.${_xSrl}.pid
else
mv -f /var/xdrago/daily.sh.old /var/xdrago/daily.sh
fi
fi
if [ -e "/var/xdrago/monitor/check" ] \
&& [ -e "/var/aegir/.drush/hm.alias.drushrc.php" ] \
&& [ ! -e "${_pthLog}/graceful.sh.ctrl.f86.${_tRee}.${_xSrl}.pid" ]; then
mv -f /var/xdrago/graceful.sh /var/xdrago/graceful.sh.old
curl ${_crlGet} "${_urlHmr}/tools/system/graceful.sh" -o /var/xdrago/graceful.sh
if [ -e "/var/xdrago/graceful.sh" ]; then
chmod 700 /var/xdrago/graceful.sh
chown root:root /var/xdrago/graceful.sh
touch ${_pthLog}/graceful.sh.ctrl.f86.${_tRee}.${_xSrl}.pid
else
mv -f /var/xdrago/graceful.sh.old /var/xdrago/graceful.sh
fi
fi
if [ -e "/var/xdrago/monitor/check" ] \
&& [ -e "/var/aegir/.drush/hm.alias.drushrc.php" ] \
&& [ ! -e "${_pthLog}/usage.sh.ctrl.f80.${_tRee}.${_xSrl}.pid" ]; then
mv -f /var/xdrago/usage.sh /var/xdrago/usage.sh.old
curl ${_crlGet} "${_urlHmr}/tools/system/usage.sh" -o /var/xdrago/usage.sh
if [ -e "/var/xdrago/usage.sh" ]; then
chmod 700 /var/xdrago/usage.sh
chown root:root /var/xdrago/usage.sh
touch ${_pthLog}/usage.sh.ctrl.f80.${_tRee}.${_xSrl}.pid
else
mv -f /var/xdrago/usage.sh.old /var/xdrago/usage.sh
fi
fi
if [ -e "/var/xdrago/monitor/check" ] \
&& [ -e "/var/aegir/.drush/hm.alias.drushrc.php" ] \
&& [ ! -e "${_pthLog}/manage_ltd_users.sh.ctrl.f67.${_tRee}.${_xSrl}.pid" ]; then
mv -f /var/xdrago/manage_ltd_users.sh /var/xdrago/manage_ltd_users.sh.old
curl ${_crlGet} "${_urlHmr}/tools/system/manage_ltd_users.sh" \
-o /var/xdrago/manage_ltd_users.sh
if [ -e "/var/xdrago/manage_ltd_users.sh" ]; then
chmod 700 /var/xdrago/manage_ltd_users.sh
chown root:root /var/xdrago/manage_ltd_users.sh
touch ${_pthLog}/manage_ltd_users.sh.ctrl.f67.${_tRee}.${_xSrl}.pid
[ -e "/run/manage_ltd_users.pid" ] && rm -f /run/manage_ltd_users.pid
[ -d "/var/backups/ltd/log" ] && rm -rf /var/backups/ltd/log
mkdir -p /var/backups/ltd/{conf,log,old}
else
mv -f /var/xdrago/manage_ltd_users.sh.old /var/xdrago/manage_ltd_users.sh
fi
fi
if [ -e "/var/xdrago/monitor/check" ] \
&& [ -e "/var/aegir/.drush/hm.alias.drushrc.php" ] \
&& [ ! -e "${_pthLog}/manage_solr_config.sh.ctrl.f85.${_tRee}.${_xSrl}.pid" ]; then
mv -f /var/xdrago/manage_solr_config.sh /var/xdrago/manage_solr_config.sh.old
curl ${_crlGet} "${_urlHmr}/tools/system/manage_solr_config.sh" \
-o /var/xdrago/manage_solr_config.sh
if [ -e "/var/xdrago/manage_solr_config.sh" ]; then
chmod 700 /var/xdrago/manage_solr_config.sh
chown root:root /var/xdrago/manage_solr_config.sh
touch ${_pthLog}/manage_solr_config.sh.ctrl.f85.${_tRee}.${_xSrl}.pid
rm -f /run/manage_solr_config.pid
else
mv -f /var/xdrago/manage_solr_config.sh.old /var/xdrago/manage_solr_config.sh
fi
fi
if [ -e "/var/xdrago/monitor/check" ] \
&& [ -e "/var/aegir/.drush/hm.alias.drushrc.php" ] \
&& [ ! -e "${_pthLog}/proc_num_ctrl.pl.ctrl.f83.${_tRee}.${_xSrl}.pid" ]; then
mv -f /var/xdrago/proc_num_ctrl.pl /var/xdrago/proc_num_ctrl.pl.old
curl ${_crlGet} "${_urlHmr}/tools/system/proc_num_ctrl.pl" \
-o /var/xdrago/proc_num_ctrl.pl
if [ -e "/var/xdrago/proc_num_ctrl.pl" ]; then
chmod 700 /var/xdrago/proc_num_ctrl.pl
chown root:root /var/xdrago/proc_num_ctrl.pl
touch ${_pthLog}/proc_num_ctrl.pl.ctrl.f83.${_tRee}.${_xSrl}.pid
else
mv -f /var/xdrago/proc_num_ctrl.pl.old /var/xdrago/proc_num_ctrl.pl
fi
fi
if [ -e "/var/xdrago/monitor/check" ] \
&& [ -e "/var/aegir/.drush/hm.alias.drushrc.php" ] \
&& [ ! -e "${_pthLog}/fast_shutdown.ctrl.${_tRee}.${_xSrl}.pid" ]; then
sed -i "s/.*opcache.fast_shutdown.*//g" /opt/etc/fpm/fpm-pool-commo*.conf
_PHP_V="85 84 83 82 81 80 74 73 72 71 70 56"
for e in ${_PHP_V}; do
if [ -e "/etc/init.d/php${e}-fpm" ] && [ -e "/opt/php${e}/bin/php" ]; then
service "php${e}-fpm" reload &> /dev/null
fi
done
_PHP_V="55 54 53"
for e in ${_PHP_V}; do
if [ -e "/etc/init.d/php${e}-fpm" ] && [ -e "/opt/php${e}/bin/php" ]; then
service "php${e}-fpm" force-quit &> /dev/null
fi
done
touch ${_pthLog}/fast_shutdown.ctrl.${_tRee}.${_xSrl}.pid
fi
if [ -e "/var/xdrago/monitor/check" ] \
&& [ -e "/var/aegir/.drush/hm.alias.drushrc.php" ] \
&& [ -x "/usr/sbin/csf" ] \
&& [ -e "/etc/csf/csf.deny" ] \
&& [ ! -e "${_pthLog}/guest-fire.sh.ctrl.f92.${_tRee}.${_xSrl}.pid" ]; then
mv -f /var/xdrago/guest-fire.sh /var/xdrago/guest-fire.sh.old
curl ${_crlGet} "${_urlHmr}/tools/system/guest-fire.sh" \
-o /var/xdrago/guest-fire.sh
if [ -e "/var/xdrago/guest-fire.sh" ]; then
chmod 700 /var/xdrago/guest-fire.sh
chown root:root /var/xdrago/guest-fire.sh
touch ${_pthLog}/guest-fire.sh.ctrl.f92.${_tRee}.${_xSrl}.pid
else
mv -f /var/xdrago/guest-fire.sh.old /var/xdrago/guest-fire.sh
fi
fi
if [ -e "/var/xdrago/monitor/check" ] \
&& [ -e "/var/xdrago" ] \
&& [ -e "/var/aegir/.drush/hm.alias.drushrc.php" ] \
&& [ -x "/usr/sbin/csf" ] \
&& [ -e "/etc/csf/csf.deny" ] \
&& [ ! -e "${_pthLog}/guest-water.sh.ctrl.f89.${_tRee}.${_xSrl}.pid" ]; then
mv -f /var/xdrago/guest-water.sh /var/xdrago/guest-water.sh.old
curl ${_crlGet} "${_urlHmr}/tools/system/guest-water.sh" \
-o /var/xdrago/guest-water.sh
if [ -e "/var/xdrago/guest-water.sh" ]; then
chmod 700 /var/xdrago/guest-water.sh
chown root:root /var/xdrago/guest-water.sh
touch ${_pthLog}/guest-water.sh.ctrl.f89.${_tRee}.${_xSrl}.pid
else
mv -f /var/xdrago/guest-water.sh.old /var/xdrago/guest-water.sh
fi
fi
if ! grep -q "whoami" /var/xdrago/conf/lshell.conf; then
rm -f ${_pthLog}/lshell.ctrl.*
fi
if [ -x "/opt/tools/drush/8/drush/drush.php" ] \
&& [ -e "/var/xdrago" ] \
&& [ -e "/var/aegir/.drush/hm.alias.drushrc.php" ] \
&& [ ! -e "${_pthLog}/lshell.ctrl.f91.${_tRee}.${_xSrl}.pid" ]; then
if [ -z "${_CUSTOM_CONFIG_LSHELL}" ] \
|| [ "${_CUSTOM_CONFIG_LSHELL}" = "NO" ]; then
mv -f /var/xdrago/conf/lshell.conf /var/xdrago/conf/lshell.conf.old
curl ${_crlGet} "${_urlHmr}/tools/system/conf/lshell.conf" \
-o /var/xdrago/conf/lshell.conf
if [ -e "/var/xdrago/conf/lshell.conf" ]; then
chmod 644 /var/xdrago/conf/lshell.conf
chown root:root /var/xdrago/conf/lshell.conf
touch ${_pthLog}/lshell.ctrl.f91.${_tRee}.${_xSrl}.pid
else
mv -f /var/xdrago/conf/lshell.conf.old /var/xdrago/conf/lshell.conf
fi
fi
fi
if [ -x "/opt/tools/drush/8/drush/drush.php" ] \
&& [ -e "/var/xdrago" ] \
&& [ -e "/var/aegir/.drush/hm.alias.drushrc.php" ]; then
_BROKEN_UPDATE_TEST=$(grep "Under Construction" /var/xdrago/conf/fpm-pool* 2>&1)
if [ ! -z "${_BROKEN_UPDATE_TEST}" ]; then
rm -f /var/xdrago/conf/fpm-pool*
rm ${_pthLog}/multi.ctrl.*
rm ${_pthLog}/legacy.ctrl.*
rm ${_pthLog}/modern.ctrl.*
rm ${_pthLog}/single.ctrl.*
rm ${_pthLog}/common.ctrl.*
fi
_BROKEN_UPDATE_TEST=$(grep "404 Not Found" /var/xdrago/conf/fpm-pool* 2>&1)
if [ ! -z "${_BROKEN_UPDATE_TEST}" ]; then
rm -f /var/xdrago/conf/fpm-pool*
rm ${_pthLog}/multi.ctrl.*
rm ${_pthLog}/legacy.ctrl.*
rm ${_pthLog}/modern.ctrl.*
rm ${_pthLog}/single.ctrl.*
rm ${_pthLog}/common.ctrl.*
fi
_BROKEN_UPDATE_TEST=$(grep "max_execution_time" /var/xdrago/conf/fpm-pool* 2>&1)
if [ -z "${_BROKEN_UPDATE_TEST}" ]; then
rm -f /var/xdrago/conf/fpm-pool*
rm ${_pthLog}/multi.ctrl.*
rm ${_pthLog}/legacy.ctrl.*
rm ${_pthLog}/modern.ctrl.*
rm ${_pthLog}/single.ctrl.*
rm ${_pthLog}/common.ctrl.*
fi
_BROKEN_UPDATE_TEST=$(grep "max_accelerated_files" /var/xdrago/conf/fpm-pool* 2>&1)
if [ ! -z "${_BROKEN_UPDATE_TEST}" ]; then
rm -f /var/xdrago/conf/fpm-pool*
rm ${_pthLog}/multi.ctrl.*
rm ${_pthLog}/legacy.ctrl.*
rm ${_pthLog}/modern.ctrl.*
rm ${_pthLog}/single.ctrl.*
rm ${_pthLog}/common.ctrl.*
fi
fi
if [ -x "/opt/tools/drush/8/drush/drush.php" ] \
&& [ -e "/var/xdrago" ] \
&& [ -e "/var/aegir/.drush/hm.alias.drushrc.php" ] \
&& [ ! -e "${_pthLog}/common.ctrl.${_tRee}.${_xSrl}.pid" ]; then
mv -f /var/xdrago/conf/fpm-pool-common.conf /var/xdrago/conf/fpm-pool-common.conf.old
curl ${_crlGet} "${_urlHmr}/conf/php/fpm-pool-common.conf" \
-o /var/xdrago/conf/fpm-pool-common.conf
if [ -e "/var/xdrago/conf/fpm-pool-common.conf" ]; then
sed -i "s/127.0.0.1/127.0.0.1,${_LOC_IP}/g" /var/xdrago/conf/fpm-pool-common.conf
chmod 644 /var/xdrago/conf/fpm-pool-common.conf
chown root:root /var/xdrago/conf/fpm-pool-common.conf
touch ${_pthLog}/common.ctrl.${_tRee}.${_xSrl}.pid
else
mv -f /var/xdrago/conf/fpm-pool-common.conf.old /var/xdrago/conf/fpm-pool-common.conf
fi
fi
if [ -x "/opt/tools/drush/8/drush/drush.php" ] \
&& [ -e "/var/xdrago" ] \
&& [ -e "/var/aegir/.drush/hm.alias.drushrc.php" ] \
&& [ ! -e "${_pthLog}/legacy.ctrl.${_tRee}.${_xSrl}.pid" ]; then
mv -f /var/xdrago/conf/fpm-pool-common-legacy.conf /var/xdrago/conf/fpm-pool-common-legacy.conf.old
curl ${_crlGet} "${_urlHmr}/conf/php/fpm-pool-common-legacy.conf" \
-o /var/xdrago/conf/fpm-pool-common-legacy.conf
if [ -e "/var/xdrago/conf/fpm-pool-common-legacy.conf" ]; then
sed -i "s/127.0.0.1/127.0.0.1,${_LOC_IP}/g" /var/xdrago/conf/fpm-pool-common-legacy.conf
chmod 644 /var/xdrago/conf/fpm-pool-common-legacy.conf
chown root:root /var/xdrago/conf/fpm-pool-common-legacy.conf
touch ${_pthLog}/legacy.ctrl.${_tRee}.${_xSrl}.pid
else
mv -f /var/xdrago/conf/fpm-pool-common-legacy.conf.old /var/xdrago/conf/fpm-pool-common-legacy.conf
fi
fi
if [ -x "/opt/tools/drush/8/drush/drush.php" ] \
&& [ -e "/var/xdrago" ] \
&& [ -e "/var/aegir/.drush/hm.alias.drushrc.php" ] \
&& [ ! -e "${_pthLog}/modern.ctrl.${_tRee}.${_xSrl}.pid" ]; then
mv -f /var/xdrago/conf/fpm-pool-common-modern.conf /var/xdrago/conf/fpm-pool-common-modern.conf.old
curl ${_crlGet} "${_urlHmr}/conf/php/fpm-pool-common-modern.conf" \
-o /var/xdrago/conf/fpm-pool-common-modern.conf
if [ -e "/var/xdrago/conf/fpm-pool-common-modern.conf" ]; then
sed -i "s/127.0.0.1/127.0.0.1,${_LOC_IP}/g" /var/xdrago/conf/fpm-pool-common-modern.conf
chmod 644 /var/xdrago/conf/fpm-pool-common-modern.conf
chown root:root /var/xdrago/conf/fpm-pool-common-modern.conf
touch ${_pthLog}/modern.ctrl.${_tRee}.${_xSrl}.pid
else
mv -f /var/xdrago/conf/fpm-pool-common-modern.conf.old /var/xdrago/conf/fpm-pool-common-modern.conf
fi
fi
if [ -x "/opt/tools/drush/8/drush/drush.php" ] \
&& [ -e "/var/xdrago" ] \
&& [ -e "/var/aegir/.drush/hm.alias.drushrc.php" ] \
&& [ ! -e "${_pthLog}/multi.ctrl.${_tRee}.${_xSrl}.pid" ]; then
mv -f /var/xdrago/conf/fpm-pool-foo-multi.conf /var/xdrago/conf/fpm-pool-foo-multi.conf.old
curl ${_crlGet} "${_urlHmr}/conf/php/fpm-pool-foo-multi.conf" \
-o /var/xdrago/conf/fpm-pool-foo-multi.conf
if [ -e "/var/xdrago/conf/fpm-pool-foo-multi.conf" ]; then
chmod 644 /var/xdrago/conf/fpm-pool-foo-multi.conf
chown root:root /var/xdrago/conf/fpm-pool-foo-multi.conf
touch ${_pthLog}/multi.ctrl.${_tRee}.${_xSrl}.pid
else
mv -f /var/xdrago/conf/fpm-pool-foo-multi.conf.old /var/xdrago/conf/fpm-pool-foo-multi.conf
fi
fi
if [ -e "/opt/tools/drush" ] \
&& [ -e "/var/xdrago" ] \
&& [ -e "/var/aegir/.drush/hm.alias.drushrc.php" ] \
&& [ ! -e "${_pthLog}/single.ctrl.${_tRee}.${_xSrl}.pid" ]; then
mv -f /var/xdrago/conf/fpm-pool-foo.conf /var/xdrago/conf/fpm-pool-foo.conf.old
curl ${_crlGet} "${_urlHmr}/conf/php/fpm-pool-foo.conf" \
-o /var/xdrago/conf/fpm-pool-foo.conf
if [ -e "/var/xdrago/conf/fpm-pool-foo.conf" ]; then
chmod 644 /var/xdrago/conf/fpm-pool-foo.conf
chown root:root /var/xdrago/conf/fpm-pool-foo.conf
touch ${_pthLog}/single.ctrl.${_tRee}.${_xSrl}.pid
else
mv -f /var/xdrago/conf/fpm-pool-foo.conf.old /var/xdrago/conf/fpm-pool-foo.conf
fi
fi
if [ -e "/etc/ImageMagick-6/policy.xml" ] \
&& [ -e "/var/xdrago" ] \
&& [ ! -e "${_pthLog}/policymap-hf-06.ctrl.${_tRee}.${_xSrl}.pid" ]; then
_isCurlBin="$(which curl)"
chmod 755 ${_isCurlBin} &> /dev/null
chgrp root ${_isCurlBin} &> /dev/null
cp -af /etc/ImageMagick-6/policy.xml /var/xdrago/conf/etc-ImageMagick-6-policy.xml.hf-06.old
rm -f /var/xdrago/conf/etc-ImageMagick-6-policy.xml
curl ${_crlGet} "${_urlHmr}/conf/etc/etc-ImageMagick-6-policy.xml" \
-o /var/xdrago/conf/etc-ImageMagick-6-policy.xml
if [ -e "/var/xdrago/conf/etc-ImageMagick-6-policy.xml" ]; then
cp -af /var/xdrago/conf/etc-ImageMagick-6-policy.xml /etc/ImageMagick-6/policy.xml
chmod 644 /etc/ImageMagick-6/policy.xml
chown root:root /etc/ImageMagick-6/policy.xml
touch ${_pthLog}/policymap-hf-06.ctrl.${_tRee}.${_xSrl}.pid
_PHP_V="85 84 83 82 81 80 74 73 72 71 70 56"
for e in ${_PHP_V}; do
if [ -e "/etc/init.d/php${e}-fpm" ]; then
service "php${e}-fpm" reload &> /dev/null
fi
done
else
if [ -e "/var/xdrago/conf/etc-ImageMagick-6-policy.xml.hf-06.old" ]; then
cp -af /var/xdrago/conf/etc-ImageMagick-6-policy.xml.hf-06.old /etc/ImageMagick-6/policy.xml
fi
fi
fi
if [ -e "/opt/tools/drush" ] \
&& [ -e "/var/xdrago" ] \
&& [ -e "/var/aegir/.drush/hm.alias.drushrc.php" ] \
&& [ -d "/data/u" ] \
&& [ ! -e "${_pthLog}/dispatch.ctrl.${_tRee}.${_xSrl}.pid" ]; then
sed -i "s/.*cache.*//g; s/.*cc drush.*//g; s/ *$//g; /^$/d" /data/disk/*/aegir.sh
touch ${_pthLog}/dispatch.ctrl.${_tRee}.${_xSrl}.pid
fi
if [ -e "/var/xdrago/monitor/check" ] \
&& [ -e "/var/xdrago/conf/control-readme.txt" ] \
&& [ ! -e "${_pthLog}/control-readme.txt.ctrl.${_tRee}.${_xSrl}.pid" ]; then
mv -f /var/xdrago/conf/control-readme.txt /var/xdrago/conf/control-readme.txt.old
curl ${_crlGet} "${_urlHmr}/tools/system/conf/control-readme.txt" -o /var/xdrago/conf/control-readme.txt
if [ -e "/var/xdrago/conf/control-readme.txt" ]; then
chmod 644 /var/xdrago/conf/control-readme.txt
chown root:root /var/xdrago/conf/control-readme.txt
touch ${_pthLog}/control-readme.txt.ctrl.${_tRee}.${_xSrl}.pid
else
mv -f /var/xdrago/conf/control-readme.txt.old /var/xdrago/conf/control-readme.txt
fi
fi
if [ -d "/data/u" ] \
&& [ ! -e "${_pthLog}/hosting.cron.queue.ctrl.f96.${_tRee}.${_xSrl}.pid" ]; then
_hQueueF="hosting_cron.module"
_hQueueP="/var/xdrago/conf/${_hQueueF}"
[ -e "${_hQueueP}" ] && _isPatchedTpl=$(grep "url_own" "${_hQueueP}")
if [ ! -e "${_hQueueP}" ] || [[ ! "${_isPatchedTpl}" =~ "url_own" ]]; then
curl ${_crlGet} "${_urlHmr}/patches/${_hQueueF}" -o ${_hQueueP}
fi
for _pthSysUsr in `find /data/disk/ -maxdepth 1 -mindepth 1 | sort`; do
_tUsr=
_tUsr=$(echo ${_pthSysUsr} | cut -d'/' -f4 | awk '{ print $1}' 2>&1)
if [ -n "${_tUsr}" ] && [ "${_tUsr}" != "arch" ]; then
if [ -e "${_pthSysUsr}/log/hosting_cron_use_backend.txt" ]; then
rm -f ${_pthSysUsr}/log/hosting_cron_use_backend.txt
fi
_hmPlr=$(cat ${_pthSysUsr}/.drush/hostmaster.alias.drushrc.php \
| grep "root'" \
| cut -d: -f2 \
| awk '{ print $3}' \
| sed "s/[\,']//g" 2>&1)
_hmDir="${_hmPlr}/profiles/hostmaster/modules/aegir/hosting"
_hmQmd="${_hmDir}/cron/hosting_cron.module"
if [ -e "${_hmDir}/cron/hosting_cron.module.orig" ]; then
rm -f ${_hmDir}/cron/hosting_cron.module.orig
fi
if [ -e "${_hmDir}/cron/hosting_cron.module.rej" ]; then
rm -f ${_hmDir}/cron/hosting_cron.module.rej
fi
if [ -e "${_hmQmd}" ] && [ -e "${_hQueueP}" ]; then
_isPatched=$(grep "url_own" "${_hmQmd}")
if [[ ! "${_isPatched}" =~ "url_own" ]]; then
cp -a ${_hQueueP} ${_hmDir}/cron/
if [ -e "${_hmDir}/cron/${_hQueueF}" ]; then
sed -i "s/127.0.0.1/${_LOC_IP}/g" "${_hmDir}/cron/${_hQueueF}"
fi
fi
fi
fi
done
touch ${_pthLog}/hosting.cron.queue.ctrl.f96.${_tRee}.${_xSrl}.pid
fi
if [ -d "/data/u" ] \
&& [ ! -e "${_pthLog}/hosting.cron.ctrl.f99.${_tRee}.${_xSrl}.pid" ]; then
for _pthSysUsr in `find /data/disk/ -maxdepth 1 -mindepth 1 | sort`; do
_tUsr=
_tUsr=$(echo ${_pthSysUsr} | cut -d'/' -f4 | awk '{ print $1}' 2>&1)
if [ -n "${_tUsr}" ] && [ "${_tUsr}" != "arch" ]; then
if [ -e "${_pthSysUsr}/log/hosting_cron_use_backend.txt" ]; then
rm -f ${_pthSysUsr}/log/hosting_cron_use_backend.txt
fi
fi
done
touch ${_pthLog}/hosting.cron.ctrl.f99.${_tRee}.${_xSrl}.pid
fi
if [ -e "/var/xdrago/monitor/check" ] \
&& [ -d "/data/u" ] \
&& [ -e "/usr/sbin/csf" ] \
&& [ ! -e "${_pthLog}/fpm-cli.ctrl.${_tRee}.${_xSrl}.pid" ]; then
_usrGroup=users
[ -d "/var/backups/off-run/" ] && cp -a /var/backups/off-run/run* /var/xdrago/ &> /dev/null
for _pthSysUsr in `find /data/disk/ -maxdepth 1 -mindepth 1 | sort`; do
_tUsr=
_tUsr=$(echo ${_pthSysUsr} | cut -d'/' -f4 | awk '{ print $1}' 2>&1)
if [ "${_tUsr}" != "arch" ]; then
if [ ! -e "${_pthSysUsr}/static/control/MyQuick.info" ] \
&& [ ! -e "${_pthSysUsr}/static/control/MyClassic.info" ]; then
echo ON > ${_pthSysUsr}/static/control/MyQuick.info
fi
if [ ! -e "${_pthSysUsr}/static/control/.disFastTrack.pid" ]; then
rm -f ${_pthSysUsr}/static/control/FastTrack.info
touch ${_pthSysUsr}/static/control/.disFastTrack.pid
fi
if [ ! -e "${_pthSysUsr}/static/control/FastTrack.info" ] \
&& [ ! -e "${_pthSysUsr}/static/control/ClassicTrack.info" ]; then
echo ON > ${_pthSysUsr}/static/control/ClassicTrack.info
fi
if [ -e "${_pthSysUsr}/static/control/fpm.info" ] \
&& [ ! -e "${_pthSysUsr}/static/control/cli.info" ]; then
cp ${_pthSysUsr}/static/control/fpm.info ${_pthSysUsr}/static/control/cli.info
fi
if [ -e "${_pthSysUsr}/log/CANCELLED" ] \
|| [ -e "${_pthSysUsr}/log/proxied.pid" ] \
|| [ ! -e "${_pthSysUsr}/static/control/cli.info" ]; then
if [ -e "/var/xdrago/run-${_tUsr}" ] \
&& [ -e "/var/aegir/.drush/hm.alias.drushrc.php" ]; then
[ -d "/var/backups/off-run" ] || mkdir -p /var/backups/off-run
mv -f /var/xdrago/run-${_tUsr} /var/backups/off-run/
fi
else
_dscUsr="/data/disk/${_tUsr}"
_ngxCnf="${_dscUsr}/config/includes/nginx_vhost_common.conf"
_NGINX_CNF_TEST=$(grep "foobaroff" ${_ngxCnf} 2>&1)
if [[ "${_NGINX_CNF_TEST}" =~ "foobaroff" ]]; then
_DO_NOTHING=YES
else
sed -i "s/args.*q=/args ~* \"foobaroff=/g" ${_ngxCnf}
fi
for _version in 84 85 83 82 81 74 56; do
if [ -x "/opt/php${_version}/bin/php" ]; then
if [ "${_version}" = "74" ]; then
_useCli="7.4"
_useFpm="7.4"
elif [ "${_version}" = "56" ]; then
_useCli="5.6"
_useFpm="5.6"
else
_useCli="8.${_version:1}"
_useFpm="8.${_version:1}"
fi
break
fi
done
if [ ! -e "${_dscUsr}/static/control/fpm.info" ] \
&& [ -e "/var/aegir/.drush/hm.alias.drushrc.php" ]; then
if [ -n "${_useFpm}" ]; then
echo ${_useFpm} > ${_dscUsr}/static/control/fpm.info
chown ${_tUsr}.ftp:${_usrGroup} ${_dscUsr}/static/control/fpm.info
chmod 0644 ${_dscUsr}/static/control/fpm.info
fi
fi
if [ ! -e "${_dscUsr}/static/control/cli.info" ] \
&& [ -e "/var/aegir/.drush/hm.alias.drushrc.php" ]; then
if [ -e "${_dscUsr}/static/control/fpm.info" ]; then
cp -af ${_dscUsr}/static/control/fpm.info ${_dscUsr}/static/control/cli.info
else
if [ -n "${_useCli}" ]; then
echo ${_useCli} > ${_dscUsr}/static/control/cli.info
chown ${_tUsr}.ftp:${_usrGroup} ${_dscUsr}/static/control/cli.info
chmod 0644 ${_dscUsr}/static/control/cli.info
fi
fi
fi
if [ ! -e "${_dscUsr}/static/control/.ctrl.${_tRee}.${_xSrl}.pid" ] \
&& [ -e "/home/${_tUsr}.ftp/clients" ]; then
mkdir -p ${_dscUsr}/static/control
chmod 755 ${_dscUsr}/static/control
if [ -e "/var/xdrago/conf/control-readme.txt" ]; then
cp -af /var/xdrago/conf/control-readme.txt \
${_dscUsr}/static/control/README.txt &> /dev/null
chmod 0644 ${_dscUsr}/static/control/README.txt
fi
chown -R ${_tUsr}.ftp:${_usrGroup} ${_dscUsr}/static/control
rm -f ${_dscUsr}/static/control/.ctrl.*
echo OK > ${_dscUsr}/static/control/.ctrl.${_tRee}.${_xSrl}.pid
fi
fi
fi
done
touch ${_pthLog}/fpm-cli.ctrl.${_tRee}.${_xSrl}.pid
fi
# Create the destination directory if it doesn't exist
[ -d "/var/backups/off-run" ] || mkdir -p /var/backups/off-run
if [ -e "/var/xdrago/monitor/check" ] \
&& [ -d "/data/u" ] \
&& [ -e "/usr/sbin/csf" ]; then
# Loop through all files matching the pattern /var/xdrago/run-USER
for _file in /var/xdrago/run-*; do
# Skip iteration if no files match the pattern
[ -e "${_file}" ] || continue
# Extract the _USER from the filename
_USER=${_file#/var/xdrago/run-}
# Define the paths to check
_USER_DIR="/data/disk/${_USER}"
_CANCELLED_FILE="${_USER_DIR}/log/CANCELLED"
_PROXIED_PID_FILE="${_USER_DIR}/log/proxied.pid"
_CLI_INFO_FILE="${_USER_DIR}/static/control/cli.info"
# Check the conditions
if [ ! -d "${_USER_DIR}" ] || \
[ -f "${_CANCELLED_FILE}" ] || \
[ -f "${_PROXIED_PID_FILE}" ] || \
[ ! -f "${_CLI_INFO_FILE}" ]; then
# Move the file if any condition is met
mv -f "${_file}" /var/backups/off-run/
fi
if grep -q "renice 0" "${_file}"; then
sed -i "s/renice 0/renice 9/g" "${_file}"
fi
done
fi
if [ -x "/opt/tools/drush/8/drush/drush.php" ] \
&& [ -e "${_provLeIncFull}" ] \
&& [ -e "${_hoLeIncFull}" ] \
&& [ -e "/var/xdrago" ] \
&& [ -e "/var/aegir/.drush/hm.alias.drushrc.php" ] \
&& [ -d "/data/u" ] \
&& [ ! -e "${_pthLog}/le_renewal_days_69.ctrl.${_tRee}.${_xSrl}.pid" ]; then
_leBasePath="profiles/hostmaster/modules/aegir/hosting_le"
_lePath="${_leBasePath}/drush/${_provLeInc}"
_leVhPath="${_leBasePath}/hosting_le_vhost/drush/${_hoLeInc}"
for _pthSysUsr in `find /data/disk/ -maxdepth 1 -mindepth 1 | sort`; do
if [ -e "${_pthSysUsr}/config/server_master/nginx/vhost.d" ] \
&& [ -e "${_pthSysUsr}/static/control/cli.info" ] \
&& [ ! -e "${_pthSysUsr}/log/proxied.pid" ] \
&& [ ! -e "${_pthSysUsr}/log/CANCELLED" ]; then
_tUsr=
_validReg=
_validIPr=
_tUsr=$(echo ${_pthSysUsr} | cut -d'/' -f4 | awk '{ print $1}' 2>&1)
_dscUsr="/data/disk/${_tUsr}"
_hmPf=$(cat ${_dscUsr}/.drush/hostmaster.alias.drushrc.php \
| grep "root'" \
| cut -d: -f2 \
| awk '{ print $3}' \
| sed "s/[\,']//g" 2>&1)
_locFile="${_hmPf}/${_lePath}"
if [ -e "${_locFile}" ] && [ -e "${_provLeIncFull}" ]; then
cp -af ${_provLeIncFull} ${_locFile}
chown ${_tUsr}:users ${_locFile}
chmod 0644 ${_locFile}
fi
_locVhFile="${_hmPf}/${_leVhPath}"
if [ -e "${_locVhFile}" ] && [ -e "${_hoLeIncFull}" ]; then
cp -af ${_hoLeIncFull} ${_locVhFile}
chown ${_tUsr}:users ${_locVhFile}
chmod 0644 ${_locVhFile}
fi
_leRoot="${_dscUsr}/tools/le"
_exeLe="${_leRoot}/dehydrated"
_dehydFull="${_leRoot}/${_dehydName}"
_legacyLeShFile="${_leRoot}/letsencrypt.sh"
_lockLeFile="${_leRoot}/lock"
_configIni="${_leRoot}/config"
_acctsDir="${_leRoot}/accounts"
_acctsDemoDir="${_leRoot}/accounts-demo"
_demoPid="${_leRoot}/.ctrl/ssl-demo-mode.pid"
_normalRegPid="${_leRoot}/.ctrl/normal-re6-register.pid"
_forcedRegPid="${_leRoot}/.ctrl/forced-re6-register.pid"
_onDemandRegPid="${_leRoot}/.ctrl/onDemand-register.pid"
_validIdn=$(grep "letsencrypt" ${_acctsDir}/*/account_id.json 2>&1)
_validReg=$(grep "valid" ${_acctsDir}/*/registration_info.json 2>&1)
_validIPr=$(grep "${_LOC_IP}" ${_acctsDir}/*/registration_info.json 2>&1)
_HOUR=$(date +%H 2>&1)
_HOUR=${_HOUR//[^0-9-]/}
if [ -e "${_dehydSrcPath}" ]; then
cp -af ${_dehydSrcPath} ${_dehydFull}
chown ${_tUsr}:users ${_dehydFull}
chmod 0700 ${_dehydFull}
fi
if [ -e "${_dehydFull}" ] \
&& [ ! -e "${_normalRegPid}" ]; then
if [ "${_HOUR}" = "5" ] \
|| [ "${_HOUR}" = "17" ] \
|| [ -e "${_onDemandRegPid}" ]; then
su -s /bin/bash - ${_tUsr} -c "bash ${_exeLe} --register --accept-terms"
wait
touch ${_normalRegPid}
fi
fi
if [ -e "${_lockLeFile}" ]; then
rm -f ${_lockLeFile}
sleep 1
fi
if [ -e "${_demoPid}" ]; then
rm -f ${_demoPid}
fi
if [ "${_HOUR}" = "11" ] \
|| [ "${_HOUR}" = "23" ] \
|| [ -e "${_onDemandRegPid}" ]; then
if [ -e "${_legacyLeShFile}" ] \
|| [ -e "${_acctsDemoDir}" ] \
|| [[ ! "${_validIdn}" =~ "letsencrypt" ]] \
|| [[ ! "${_validReg}" =~ "valid" ]] \
|| [[ ! "${_validIPr}" =~ "${_LOC_IP}" ]] \
|| [ ! -e "${_forcedRegPid}" ]; then
rm -f ${_legacyLeShFile}
rm -rf ${_acctsDemoDir}
rm -rf ${_acctsDir}
rm -f ${_leRoot}/.ctrl/.forced*
rm -f ${_leRoot}/.ctrl/.normal*
rm -f ${_leRoot}/.ctrl/forced*
rm -f ${_leRoot}/.ctrl/normal*
if [ -e "${_exeLe}" ]; then
su -s /bin/bash - ${_tUsr} -c "bash ${_exeLe} --register --accept-terms"
wait
touch ${_forcedRegPid}
touch ${_normalRegPid}
fi
fi
fi
fi
done
touch ${_pthLog}/le_renewal_days_69.ctrl.${_tRee}.${_xSrl}.pid
fi
if ! grep -q "defunct" /opt/local/bin/websh; then
rm -f ${_pthLog}/websh.ctrl.*
fi
if [ -e "/var/xdrago/monitor/check" ] \
&& [ -e "/var/aegir/.drush/hm.alias.drushrc.php" ] \
&& [ ! -e "${_pthLog}/websh.ctrl.f72.${_tRee}.${_xSrl}.pid" ]; then
mv -f /opt/local/bin/websh /var/xdrago/websh.sh.old
curl ${_crlGet} "${_urlHmr}/helpers/websh.sh.txt" -o /opt/local/bin/websh
if [ -e "/opt/local/bin/websh" ] \
&& grep -i '_forward_to_dash' /opt/local/bin/websh &> /dev/null; then
chmod 755 /opt/local/bin/websh
chown root:root /opt/local/bin/websh
[ -x "/bin/websh" ] && [ ! -L "/bin/websh" ] && ln -sfn /opt/local/bin/websh /bin/websh
touch ${_pthLog}/websh.ctrl.f72.${_tRee}.${_xSrl}.pid
else
mv -f /var/xdrago/websh.sh.old /opt/local/bin/websh
fi
_WEB_SH="$(readlink -n /bin/sh)"
if [ -x "/opt/local/bin/websh" ] \
&& grep -i '_forward_to_dash' /opt/local/bin/websh &> /dev/null; then
if [ "${_WEB_SH}" != "/opt/local/bin/websh" ]; then
ln -sfn /opt/local/bin/websh /bin/sh
if [ -e "/usr/bin/sh" ]; then
ln -sfn /opt/local/bin/websh /usr/bin/sh
fi
[ -x "/bin/websh" ] && [ ! -L "/bin/websh" ] && ln -sfn /opt/local/bin/websh /bin/websh
fi
fi
fi
if [ -e "/var/xdrago/monitor/check" ] \
&& [ -e "/var/aegir/.drush/hm.alias.drushrc.php" ] \
&& [ ! -x "/etc/cron.hourly/systemtime" ] \
&& [ ! -e "${_pthLog}/systemtime.ctrl.f95.${_tRee}.${_xSrl}.pid" ]; then
curl ${_crlGet} "${_urlHmr}/helpers/systemtime" -o /etc/cron.hourly/systemtime
if [ -e "/etc/cron.hourly/systemtime" ]; then
chmod 755 /etc/cron.hourly/systemtime
chown root:root /etc/cron.hourly/systemtime
service cron restart
touch ${_pthLog}/systemtime.ctrl.f95.${_tRee}.${_xSrl}.pid
fi
fi
if [ -e "/var/xdrago/monitor/check" ] \
&& [ -d "/var/aegir/drush" ] \
&& [ ! -e "${_pthLog}/synproxy.ctrl.f93.${_tRee}.${_xSrl}.pid" ]; then
_CNT=$(pgrep -fc synproxy_rollback)
if (( _CNT > 0 )); then
echo "The synproxy_rollback is running!"
else
if [ -e "${_optBin}/synproxy" ]; then
mv -f ${_optBin}/synproxy ${_optBin}/synproxy.old
fi
curl ${_crlGet} "${_urlHmr}/tools/bin/synproxy" -o ${_optBin}/synproxy
if [ -e "${_optBin}/synproxy" ]; then
chmod 700 ${_optBin}/synproxy
chown root:root ${_optBin}/synproxy
touch ${_pthLog}/synproxy.ctrl.f93.${_tRee}.${_xSrl}.pid
else
if [ -e "${_optBin}/synproxy.old" ]; then
mv -f ${_optBin}/synproxy.old ${_optBin}/synproxy
fi
fi
fi
fi
if [ -e "/var/xdrago/monitor/check" ] \
&& [ -d "/var/aegir/drush" ] \
&& [ ! -e "${_pthLog}/synproxy_rollback.ctrl.f94.${_tRee}.${_xSrl}.pid" ]; then
_CNT=$(pgrep -fc synproxy_rollback)
if (( _CNT > 0 )); then
echo "The synproxy_rollback is running!"
else
if [ -e "${_optBin}/synproxy_rollback" ]; then
mv -f ${_optBin}/synproxy_rollback ${_optBin}/synproxy_rollback.old
fi
curl ${_crlGet} "${_urlHmr}/tools/bin/synproxy_rollback" -o ${_optBin}/synproxy_rollback
if [ -e "${_optBin}/synproxy_rollback" ]; then
chmod 700 ${_optBin}/synproxy_rollback
chown root:root ${_optBin}/synproxy_rollback
touch ${_pthLog}/synproxy_rollback.ctrl.f94.${_tRee}.${_xSrl}.pid
else
if [ -e "${_optBin}/synproxy_rollback.old" ]; then
mv -f ${_optBin}/synproxy_rollback.old ${_optBin}/synproxy_rollback
fi
fi
fi
fi
if [ -e "/var/xdrago/monitor/check" ] \
&& [ -d "/var/aegir/drush" ] \
&& [ ! -e "${_pthLog}/synproxy_reassert.ctrl.f88.${_tRee}.${_xSrl}.pid" ]; then
_CNT=$(pgrep -fc synproxy_rollback)
if (( _CNT > 0 )); then
echo "The synproxy_rollback is running!"
else
if [ -e "${_optBin}/synproxy_reassert" ]; then
mv -f ${_optBin}/synproxy_reassert ${_optBin}/synproxy_reassert.old
fi
curl ${_crlGet} "${_urlHmr}/tools/bin/synproxy_reassert" -o ${_optBin}/synproxy_reassert
if [ -e "${_optBin}/synproxy_reassert" ]; then
chmod 700 ${_optBin}/synproxy_reassert
chown root:root ${_optBin}/synproxy_reassert
touch ${_pthLog}/synproxy_reassert.ctrl.f88.${_tRee}.${_xSrl}.pid
else
if [ -e "${_optBin}/synproxy_reassert.old" ]; then
mv -f ${_optBin}/synproxy_reassert.old ${_optBin}/synproxy_reassert
fi
fi
fi
fi
if [ -e "/var/xdrago/monitor/check" ] \
&& [ -d "/var/aegir/drush" ] \
&& [ ! -e "${_pthLog}/synproxy_hook_fix.ctrl.f99.${_tRee}.${_xSrl}.pid" ]; then
_CNT=$(pgrep -fc synproxy_rollback)
if (( _CNT > 0 )); then
echo "The synproxy_rollback is running!"
else
if [ -e "${_optBin}/synproxy_hook_fix" ]; then
mv -f ${_optBin}/synproxy_hook_fix ${_optBin}/synproxy_hook_fix.old
fi
curl ${_crlGet} "${_urlHmr}/tools/bin/synproxy_hook_fix" -o ${_optBin}/synproxy_hook_fix
if [ -e "${_optBin}/synproxy_hook_fix" ]; then
chmod 700 ${_optBin}/synproxy_hook_fix
chown root:root ${_optBin}/synproxy_hook_fix
touch ${_pthLog}/synproxy_hook_fix.ctrl.f99.${_tRee}.${_xSrl}.pid
else
if [ -e "${_optBin}/synproxy_hook_fix.old" ]; then
mv -f ${_optBin}/synproxy_hook_fix.old ${_optBin}/synproxy_hook_fix
fi
fi
fi
fi
if [ -e "/var/xdrago/monitor/check" ] \
&& [ -d "/var/aegir/drush" ] \
&& [ ! -e "${_pthLog}/synproxy_snapshot.ctrl.f99.${_tRee}.${_xSrl}.pid" ]; then
_CNT=$(pgrep -fc synproxy_rollback)
if (( _CNT > 0 )); then
echo "The synproxy_rollback is running!"
else
if [ -e "${_optBin}/synproxy_snapshot" ]; then
mv -f ${_optBin}/synproxy_snapshot ${_optBin}/synproxy_snapshot.old
fi
curl ${_crlGet} "${_urlHmr}/tools/bin/synproxy_snapshot" -o ${_optBin}/synproxy_snapshot
if [ -e "${_optBin}/synproxy_snapshot" ]; then
chmod 700 ${_optBin}/synproxy_snapshot
chown root:root ${_optBin}/synproxy_snapshot
touch ${_pthLog}/synproxy_snapshot.ctrl.f99.${_tRee}.${_xSrl}.pid
else
if [ -e "${_optBin}/synproxy_snapshot.old" ]; then
mv -f ${_optBin}/synproxy_snapshot.old ${_optBin}/synproxy_snapshot
fi
fi
fi
fi
if [ -e "/var/xdrago/monitor/check" ] \
&& [ -d "/var/aegir/drush" ] \
&& [ ! -e "${_pthLog}/synproxy_status.ctrl.f99.${_tRee}.${_xSrl}.pid" ]; then
_CNT=$(pgrep -fc synproxy_rollback)
if (( _CNT > 0 )); then
echo "The synproxy_rollback is running!"
else
if [ -e "${_optBin}/synproxy_status" ]; then
mv -f ${_optBin}/synproxy_status ${_optBin}/synproxy_status.old
fi
curl ${_crlGet} "${_urlHmr}/tools/bin/synproxy_status" -o ${_optBin}/synproxy_status
if [ -e "${_optBin}/synproxy_status" ]; then
chmod 700 ${_optBin}/synproxy_status
chown root:root ${_optBin}/synproxy_status
touch ${_pthLog}/synproxy_status.ctrl.f99.${_tRee}.${_xSrl}.pid
else
if [ -e "${_optBin}/synproxy_status.old" ]; then
mv -f ${_optBin}/synproxy_status.old ${_optBin}/synproxy_status
fi
fi
fi
fi
if [ -e "/var/xdrago/monitor/check" ] \
&& [ -d "/var/aegir/drush" ] \
&& [ ! -e "${_pthLog}/synproxy_monitor.ctrl.f98.${_tRee}.${_xSrl}.pid" ]; then
_CNT=$(pgrep -fc synproxy_rollback)
if (( _CNT > 0 )); then
echo "The synproxy_rollback is running!"
else
if [ -e "${_optBin}/synproxy_monitor" ]; then
mv -f ${_optBin}/synproxy_monitor ${_optBin}/synproxy_monitor.old
fi
curl ${_crlGet} "${_urlHmr}/tools/bin/synproxy_monitor" -o ${_optBin}/synproxy_monitor
if [ -e "${_optBin}/synproxy_monitor" ]; then
chmod 700 ${_optBin}/synproxy_monitor
chown root:root ${_optBin}/synproxy_monitor
touch ${_pthLog}/synproxy_monitor.ctrl.f98.${_tRee}.${_xSrl}.pid
else
if [ -e "${_optBin}/synproxy_monitor.old" ]; then
mv -f ${_optBin}/synproxy_monitor.old ${_optBin}/synproxy_monitor
fi
fi
fi
fi
_Dir="/data/all/000/modules"
_REDIS_E_VERSION=8.x-1.11.2
if [ -e "/var/xdrago/manage_solr_config.sh" ]; then
if [ ! -e "${_Dir}/redis_ten_eleven/ver-${_REDIS_E_VERSION}.${_xSrl}.info" ]; then
mkdir -p ${_Dir}
cd ${_Dir}
rm -rf ${_Dir}/redis_ten_eleven
_get_dev_contrib "redis_ten_eleven-${_REDIS_E_VERSION}.tar.gz"
echo update > ${_Dir}/redis_ten_eleven/ver-${_REDIS_E_VERSION}.${_xSrl}.info
find ${_Dir} -type d -exec chmod 0755 {} \; &> /dev/null
find ${_Dir} -type f -exec chmod 0644 {} \; &> /dev/null
touch ${_pthLog}/redis_ten_eleven.ctrl.${_xSrl}.log
fi
fi
_Dir="/data/all/000/modules"
_REDIS_T_VERSION=8.x-1.8.2
if [ -e "/var/xdrago/manage_solr_config.sh" ]; then
if [ ! -e "${_Dir}/redis_nine_ten/ver-${_REDIS_T_VERSION}.${_xSrl}.info" ]; then
mkdir -p ${_Dir}
cd ${_Dir}
rm -rf ${_Dir}/redis_nine_ten
_get_dev_contrib "redis_nine_ten-${_REDIS_T_VERSION}.tar.gz"
echo update > ${_Dir}/redis_nine_ten/ver-${_REDIS_T_VERSION}.${_xSrl}.info
find ${_Dir} -type d -exec chmod 0755 {} \; &> /dev/null
find ${_Dir} -type f -exec chmod 0644 {} \; &> /dev/null
touch ${_pthLog}/redis_nine_ten.ctrl.${_xSrl}.log
fi
fi
_Dir="/data/all/000/modules"
_REDIS_C_VERSION=com-19-04-2021
if [ -e "/var/xdrago/manage_solr_config.sh" ]; then
if [ ! -e "${_Dir}/redis_compr/ver-${_REDIS_C_VERSION}.${_xSrl}.info" ]; then
mkdir -p ${_Dir}
cd ${_Dir}
rm -rf ${_Dir}/redis_compr
_get_dev_contrib "redis_compr-${_REDIS_C_VERSION}.tar.gz"
echo update > ${_Dir}/redis_compr/ver-${_REDIS_C_VERSION}.${_xSrl}.info
find ${_Dir} -type d -exec chmod 0755 {} \; &> /dev/null
find ${_Dir} -type f -exec chmod 0644 {} \; &> /dev/null
touch ${_pthLog}/redis_compr.ctrl.${_xSrl}.log
fi
fi
_Dir="/data/all/000/modules"
_REDIS_L_VERSION=7.x-3.19.1
if [ -e "/var/xdrago/manage_solr_config.sh" ]; then
if [ ! -e "${_Dir}/redis_edge/ver-${_REDIS_L_VERSION}.${_xSrl}.info" ]; then
mkdir -p ${_Dir}
cd ${_Dir}
rm -rf ${_Dir}/redis_edge
_get_dev_contrib "redis_edge-${_REDIS_L_VERSION}.tar.gz"
echo update > ${_Dir}/redis_edge/ver-${_REDIS_L_VERSION}.${_xSrl}.info
find ${_Dir} -type d -exec chmod 0755 {} \; &> /dev/null
find ${_Dir} -type f -exec chmod 0644 {} \; &> /dev/null
touch ${_pthLog}/redis_edge.ctrl.${_xSrl}.log
fi
fi
_Dir="/data/all/000/modules"
_REDIS_N_VERSION=com-19-04-2021
if [ -e "/var/xdrago/manage_solr_config.sh" ]; then
if [ ! -e "${_Dir}/redis_eight/ver-${_REDIS_N_VERSION}.${_xSrl}.info" ]; then
mkdir -p ${_Dir}
cd ${_Dir}
rm -rf ${_Dir}/redis_eight
_get_dev_contrib "redis_eight-${_REDIS_N_VERSION}.tar.gz"
echo update > ${_Dir}/redis_eight/ver-${_REDIS_N_VERSION}.${_xSrl}.info
find ${_Dir} -type d -exec chmod 0755 {} \; &> /dev/null
find ${_Dir} -type f -exec chmod 0644 {} \; &> /dev/null
touch ${_pthLog}/redis_eight.ctrl.${_xSrl}.log
fi
fi
}
_fix_core_dgd() {
# sed -i "s/^_PERMISSIONS_FIX=.*/_PERMISSIONS_FIX=YES/g" ${_barCnf}
_saCoreS="${_saCoreN}-D7"
_saIncDb="includes/database/database.inc"
_saPatch="/var/xdrago/conf/${_saCoreS}.patch"
_saQCoreN="${_saCoreN}"
_saQCoreS="${_saQCoreN}-D8"
_saQIncDb="core/includes/database.inc"
_saQPatch="/var/xdrago/conf/${_saQCoreS}.patch"
_saXCoreN="${_saCoreN}"
_saXCoreS="${_saXCoreN}-D6"
_saXIncDb="includes/database.inc"
_saXPatch="/var/xdrago/conf/${_saXCoreS}.patch"
_saBCoreP="${_saCoreN}-provision"
_saBPatch="/var/xdrago/conf/${_saBCoreP}.patch"
# SA-CORE D8 patch
if [ -e "/var/xdrago" ] \
&& [ -e "/var/aegir/.drush/hm.alias.drushrc.php" ] \
&& [ ! -e "${_saQPatch}" ]; then
mkdir -p /var/xdrago/conf
curl ${_crlGet} "${_urlHmr}/patches/8-core/${_saQCoreS}.patch" -o ${_saQPatch}
fi
# SA-CORE D7 patch
if [ -e "/var/xdrago" ] \
&& [ -e "/var/aegir/.drush/hm.alias.drushrc.php" ] \
&& [ ! -e "${_saPatch}" ]; then
mkdir -p /var/xdrago/conf
curl ${_crlGet} "${_urlHmr}/patches/7-core/${_saCoreS}.patch" -o ${_saPatch}
fi
# SA-CORE D6 patch
# if [ -e "/var/xdrago" ] \
# && [ -e "/var/aegir/.drush/hm.alias.drushrc.php" ] \
# && [ ! -e "${_saXPatch}" ]; then
# mkdir -p /var/xdrago/conf
# curl ${_crlGet} "${_urlHmr}/patches/6-core/${_saXCoreS}.patch" -o ${_saXPatch}
# fi
# SA-CORE for Octopus hostmaster platforms
if [ -e "/var/xdrago" ] \
&& [ -e "/var/aegir/.drush/hm.alias.drushrc.php" ] \
&& [ -d "/data/u" ] \
&& [ -e "${_saPatch}" ]; then
if [ -d "/data/all" ] \
&& [ ! -e "${_pthLog}/hostmaster-octopus-${_saCoreN}-fixed-d7.log" ]; then
for _File in `find /data/disk/*/aegir/distro/*/${_saIncDb} \
-maxdepth 0 -mindepth 0 | sort`; do
_Core=$(echo ${_File} \
| sed 's/\/includes.*//g' \
| awk '{print $1}' 2> /dev/null)
if [ -d "${_Core}" ] && [ ! -e "${_Core}/core" ]; then
cd ${_Core}
patch -p1 < ${_saPatch} &> /dev/null
fi
done
touch ${_pthLog}/hostmaster-octopus-${_saCoreN}-fixed-d7.log
fi
cd
fi
# SA-CORE for Barracuda hostmaster platforms
if [ -e "/var/xdrago" ] \
&& [ -e "/var/aegir/.drush/hm.alias.drushrc.php" ] \
&& [ -e "${_saPatch}" ]; then
if [ -d "/data/all" ] \
&& [ ! -e "${_pthLog}/hostmaster-barracuda-${_saCoreN}-fixed-d7.log" ]; then
for _File in `find /var/aegir/host_master/*/${_saIncDb} \
-maxdepth 0 -mindepth 0 | sort`; do
_Core=$(echo ${_File} \
| sed 's/\/includes.*//g' \
| awk '{print $1}' 2> /dev/null)
if [ -d "${_Core}" ] && [ ! -e "${_Core}/core" ]; then
cd ${_Core}
patch -p1 < ${_saPatch} &> /dev/null
fi
done
for _File in `find /var/aegir/hostmaster*/${_saIncDb} \
-maxdepth 0 -mindepth 0 | sort`; do
_Core=$(echo ${_File} \
| sed 's/\/includes.*//g' \
| awk '{print $1}' 2> /dev/null)
if [ -d "${_Core}" ] && [ ! -e "${_Core}/core" ]; then
cd ${_Core}
patch -p1 < ${_saPatch} &> /dev/null
fi
done
touch ${_pthLog}/hostmaster-barracuda-${_saCoreN}-fixed-d7.log
fi
cd
fi
# SA-CORE for built-in D7 platforms
if [ -e "/var/xdrago" ] \
&& [ -e "/var/aegir/.drush/hm.alias.drushrc.php" ] \
&& [ -e "${_saPatch}" ] \
&& [ ! -e "${_pthLog}/${_saCoreN}-fixed-d7.log" ]; then
if [ -d "/data/all/000/core" ]; then
for _Core in `find /data/all/000/core/drupal-7* \
-maxdepth 0 -mindepth 0 | sort`; do
cd ${_Core}
patch -p1 < ${_saPatch} &> /dev/null
done
elif [ -d "/data/disk/all/000/core" ]; then
for _Core in `find /data/disk/all/000/core/drupal-7* \
-maxdepth 0 -mindepth 0 | sort`; do
cd ${_Core}
patch -p1 < ${_saPatch} &> /dev/null
done
fi
touch ${_pthLog}/${_saCoreN}-fixed-d7.log
cd
fi
# SA-CORE for ancient D7 platforms
if [ -e "/var/xdrago" ] \
&& [ -e "/var/aegir/.drush/hm.alias.drushrc.php" ] \
&& [ -e "${_saPatch}" ]; then
if [ -d "/data/all" ] \
&& [ ! -e "${_pthLog}/legacy-${_saCoreN}-fixed-d7.log" ]; then
for _File in `find /data/all/*/*/${_saIncDb} \
-maxdepth 0 -mindepth 0 | sort`; do
_Core=$(echo ${_File} \
| sed 's/\/includes.*//g' \
| awk '{print $1}' 2> /dev/null)
if [ -d "${_Core}" ] && [ ! -e "${_Core}/core" ]; then
cd ${_Core}
patch -p1 < ${_saPatch} &> /dev/null
fi
done
touch ${_pthLog}/legacy-${_saCoreN}-fixed-d7.log
elif [ -d "/data/disk/all" ] \
&& [ ! -e "${_pthLog}/legacy-${_saCoreN}-fixed-d7eee.log" ]; then
for _File in `find /data/disk/all/*/*/${_saIncDb} \
-maxdepth 0 -mindepth 0 | sort`; do
_Core=$(echo ${_File} \
| sed 's/\/includes.*//g' \
| awk '{print $1}' 2> /dev/null)
if [ -d "${_Core}" ] && [ ! -e "${_Core}/core" ]; then
cd ${_Core}
patch -p1 < ${_saPatch} &> /dev/null
fi
done
touch ${_pthLog}/legacy-${_saCoreN}-fixed-d7eee.log
fi
cd
fi
# SA-CORE for custom D7 platforms
if [ -e "/var/xdrago" ] \
&& [ -e "/var/aegir/.drush/hm.alias.drushrc.php" ] \
&& [ -e "${_saPatch}" ]; then
if [ -d "/data/u" ] \
&& [ ! -e "${_pthLog}/batch-custom-${_saCoreN}-fixed-d7.log" ]; then
for _File in `find /data/disk/*/static/*/${_saIncDb} \
-maxdepth 0 -mindepth 0 | sort`; do
_Core=$(echo ${_File} \
| sed 's/\/includes.*//g' \
| awk '{print $1}' 2> /dev/null)
if [ -d "${_Core}" ] \
&& [ ! -e "${_Core}/core" ] \
&& [ ! -e "${_Core}/profiles/${_saCoreS}-fix.info" ]; then
cd ${_Core}
patch -p1 < ${_saPatch} &> /dev/null
echo fixed > ${_Core}/profiles/${_saCoreS}-fix.info
fi
done
for _File in `find /data/disk/*/static/*/*/${_saIncDb} \
-maxdepth 0 -mindepth 0 | sort`; do
_Core=$(echo ${_File} \
| sed 's/\/includes.*//g' \
| awk '{print $1}' 2> /dev/null)
if [ -d "${_Core}" ] \
&& [ ! -e "${_Core}/core" ] \
&& [ ! -e "${_Core}/profiles/${_saCoreS}-fix.info" ]; then
cd ${_Core}
patch -p1 < ${_saPatch} &> /dev/null
echo fixed > ${_Core}/profiles/${_saCoreS}-fix.info
fi
done
for _File in `find /data/disk/*/static/*/*/*/${_saIncDb} \
-maxdepth 0 -mindepth 0 | sort`; do
_Core=$(echo ${_File} \
| sed 's/\/includes.*//g' \
| awk '{print $1}' 2> /dev/null)
if [ -d "${_Core}" ] \
&& [ ! -e "${_Core}/core" ] \
&& [ ! -e "${_Core}/profiles/${_saCoreS}-fix.info" ]; then
cd ${_Core}
patch -p1 < ${_saPatch} &> /dev/null
echo fixed > ${_Core}/profiles/${_saCoreS}-fix.info
fi
done
for _File in `find /data/disk/*/static/*/*/*/*/${_saIncDb} \
-maxdepth 0 -mindepth 0 | sort`; do
_Core=$(echo ${_File} \
| sed 's/\/includes.*//g' \
| awk '{print $1}' 2> /dev/null)
if [ -d "${_Core}" ] \
&& [ ! -e "${_Core}/core" ] \
&& [ ! -e "${_Core}/profiles/${_saCoreS}-fix.info" ]; then
cd ${_Core}
patch -p1 < ${_saPatch} &> /dev/null
echo fixed > ${_Core}/profiles/${_saCoreS}-fix.info
fi
done
for _File in `find /data/disk/*/static/*/*/*/*/*/${_saIncDb} \
-maxdepth 0 -mindepth 0 | sort`; do
_Core=$(echo ${_File} \
| sed 's/\/includes.*//g' \
| awk '{print $1}' 2> /dev/null)
if [ -d "${_Core}" ] \
&& [ ! -e "${_Core}/core" ] \
&& [ ! -e "${_Core}/profiles/${_saCoreS}-fix.info" ]; then
cd ${_Core}
patch -p1 < ${_saPatch} &> /dev/null
echo fixed > ${_Core}/profiles/${_saCoreS}-fix.info
fi
done
fi
cd
touch ${_pthLog}/batch-custom-${_saCoreN}-fixed-d7.log
fi
# SA-CORE for D8 platforms in ~/static
if [ -e "/var/xdrago" ] \
&& [ -e "/var/aegir/.drush/hm.alias.drushrc.php" ] \
&& [ -e "${_saQPatch}" ]; then
if [ -d "/data/u" ] \
&& [ ! -e "${_pthLog}/batch-custom-${_saQCoreN}-fixed-d8.log" ]; then
for _File in `find /data/disk/*/static/*/${_saQIncDb} \
-maxdepth 0 -mindepth 0 | sort`; do
_Core=$(echo ${_File} \
| sed 's/\/core.*//g' \
| awk '{print $1}' 2> /dev/null)
if [ -d "${_Core}" ] \
&& [ -e "${_Core}/core" ] \
&& [ ! -e "${_Core}/profiles/${_saQCoreS}-fix.info" ]; then
cd ${_Core}
patch -p1 < ${_saQPatch} &> /dev/null
echo fixed > ${_Core}/profiles/${_saQCoreS}-fix.info
fi
done
for _File in `find /data/disk/*/static/*/*/${_saQIncDb} \
-maxdepth 0 -mindepth 0 | sort`; do
_Core=$(echo ${_File} \
| sed 's/\/core.*//g' \
| awk '{print $1}' 2> /dev/null)
if [ -d "${_Core}" ] \
&& [ -e "${_Core}/core" ] \
&& [ ! -e "${_Core}/profiles/${_saQCoreS}-fix.info" ]; then
cd ${_Core}
patch -p1 < ${_saQPatch} &> /dev/null
echo fixed > ${_Core}/profiles/${_saQCoreS}-fix.info
fi
done
for _File in `find /data/disk/*/static/*/*/*/${_saQIncDb} \
-maxdepth 0 -mindepth 0 | sort`; do
_Core=$(echo ${_File} \
| sed 's/\/core.*//g' \
| awk '{print $1}' 2> /dev/null)
if [ -d "${_Core}" ] \
&& [ -e "${_Core}/core" ] \
&& [ ! -e "${_Core}/profiles/${_saQCoreS}-fix.info" ]; then
cd ${_Core}
patch -p1 < ${_saQPatch} &> /dev/null
echo fixed > ${_Core}/profiles/${_saQCoreS}-fix.info
fi
done
for _File in `find /data/disk/*/static/*/*/*/*/${_saQIncDb} \
-maxdepth 0 -mindepth 0 | sort`; do
_Core=$(echo ${_File} \
| sed 's/\/core.*//g' \
| awk '{print $1}' 2> /dev/null)
if [ -d "${_Core}" ] \
&& [ -e "${_Core}/core" ] \
&& [ ! -e "${_Core}/profiles/${_saQCoreS}-fix.info" ]; then
cd ${_Core}
patch -p1 < ${_saQPatch} &> /dev/null
echo fixed > ${_Core}/profiles/${_saQCoreS}-fix.info
fi
done
for _File in `find /data/disk/*/static/*/*/*/*/*/${_saQIncDb} \
-maxdepth 0 -mindepth 0 | sort`; do
_Core=$(echo ${_File} \
| sed 's/\/core.*//g' \
| awk '{print $1}' 2> /dev/null)
if [ -d "${_Core}" ] \
&& [ -e "${_Core}/core" ] \
&& [ ! -e "${_Core}/profiles/${_saQCoreS}-fix.info" ]; then
cd ${_Core}
patch -p1 < ${_saQPatch} &> /dev/null
echo fixed > ${_Core}/profiles/${_saQCoreS}-fix.info
fi
done
fi
cd
touch ${_pthLog}/batch-custom-${_saQCoreN}-fixed-d8.log
fi
# SA-CORE for built-in D6 platforms
if [ -e "/var/xdrago" ] \
&& [ -e "/var/aegir/.drush/hm.alias.drushrc.php" ] \
&& [ -e "${_saXPatch}" ] \
&& [ ! -e "${_pthLog}/${_saXCoreN}-finally-fixed-d6.log" ]; then
if [ -d "/data/all/000/core" ]; then
for _Core in `find /data/all/000/core/pressflow-6* \
-maxdepth 0 -mindepth 0 | sort`; do
cd ${_Core}
patch -p1 < ${_saXPatch} &> /dev/null
done
elif [ -d "/data/disk/all/000/core" ]; then
for _Core in `find /data/disk/all/000/core/pressflow-6* \
-maxdepth 0 -mindepth 0 | sort`; do
cd ${_Core}
patch -p1 < ${_saXPatch} &> /dev/null
done
fi
touch ${_pthLog}/${_saXCoreN}-finally-fixed-d6.log
cd
fi
# SA-CORE for ancient D6 platforms
if [ -e "/var/xdrago" ] \
&& [ -e "/var/aegir/.drush/hm.alias.drushrc.php" ] \
&& [ -e "${_saXPatch}" ]; then
if [ -d "/data/all" ] \
&& [ ! -e "${_pthLog}/legacy-${_saXCoreN}-finally-fixed-d6.log" ]; then
for _File in `find /data/all/*/*/${_saXIncDb} \
-maxdepth 0 -mindepth 0 | sort`; do
_Core=$(echo ${_File} \
| sed 's/\/includes.*//g' \
| awk '{print $1}' 2> /dev/null)
if [ -d "${_Core}" ] && [ ! -e "${_Core}/core" ]; then
cd ${_Core}
patch -p1 < ${_saXPatch} &> /dev/null
fi
done
touch ${_pthLog}/legacy-${_saXCoreN}-finally-fixed-d6.log
elif [ -d "/data/disk/all" ] \
&& [ ! -e "${_pthLog}/legacy-${_saXCoreN}-finally-fixed-d6eee.log" ]; then
for _File in `find /data/disk/all/*/*/${_saXIncDb} \
-maxdepth 0 -mindepth 0 | sort`; do
_Core=$(echo ${_File} \
| sed 's/\/includes.*//g' \
| awk '{print $1}' 2> /dev/null)
if [ -d "${_Core}" ] && [ ! -e "${_Core}/core" ]; then
cd ${_Core}
patch -p1 < ${_saXPatch} &> /dev/null
fi
done
touch ${_pthLog}/legacy-${_saXCoreN}-finally-fixed-d6eee.log
fi
cd
fi
# SA-CORE for custom D6 platforms
if [ -e "/var/xdrago" ] \
&& [ -e "/var/aegir/.drush/hm.alias.drushrc.php" ] \
&& [ -e "${_saXPatch}" ]; then
if [ -d "/data/u" ] \
&& [ ! -e "${_pthLog}/batch-custom-${_saXCoreN}-finally-fixed-d6.log" ]; then
for _File in `find /data/disk/*/static/*/${_saXIncDb} \
-maxdepth 0 -mindepth 0 | sort`; do
_Core=$(echo ${_File} \
| sed 's/\/includes.*//g' \
| awk '{print $1}' 2> /dev/null)
if [ -d "${_Core}" ] \
&& [ ! -e "${_Core}/core" ] \
&& [ ! -e "${_Core}/profiles/${_saXCoreS}-fix-finally.info" ]; then
cd ${_Core}
patch -p1 < ${_saXPatch} &> /dev/null
echo fixed > ${_Core}/profiles/${_saXCoreS}-fix-finally.info
fi
done
for _File in `find /data/disk/*/static/*/*/${_saXIncDb} \
-maxdepth 0 -mindepth 0 | sort`; do
_Core=$(echo ${_File} \
| sed 's/\/includes.*//g' \
| awk '{print $1}' 2> /dev/null)
if [ -d "${_Core}" ] \
&& [ ! -e "${_Core}/core" ] \
&& [ ! -e "${_Core}/profiles/${_saXCoreS}-fix-finally.info" ]; then
cd ${_Core}
patch -p1 < ${_saXPatch} &> /dev/null
echo fixed > ${_Core}/profiles/${_saXCoreS}-fix-finally.info
fi
done
for _File in `find /data/disk/*/static/*/*/*/${_saXIncDb} \
-maxdepth 0 -mindepth 0 | sort`; do
_Core=$(echo ${_File} \
| sed 's/\/includes.*//g' \
| awk '{print $1}' 2> /dev/null)
if [ -d "${_Core}" ] \
&& [ ! -e "${_Core}/core" ] \
&& [ ! -e "${_Core}/profiles/${_saXCoreS}-fix-finally.info" ]; then
cd ${_Core}
patch -p1 < ${_saXPatch} &> /dev/null
echo fixed > ${_Core}/profiles/${_saXCoreS}-fix-finally.info
fi
done
for _File in `find /data/disk/*/static/*/*/*/*/${_saXIncDb} \
-maxdepth 0 -mindepth 0 | sort`; do
_Core=$(echo ${_File} \
| sed 's/\/includes.*//g' \
| awk '{print $1}' 2> /dev/null)
if [ -d "${_Core}" ] \
&& [ ! -e "${_Core}/core" ] \
&& [ ! -e "${_Core}/profiles/${_saXCoreS}-fix-finally.info" ]; then
cd ${_Core}
patch -p1 < ${_saXPatch} &> /dev/null
echo fixed > ${_Core}/profiles/${_saXCoreS}-fix-finally.info
fi
done
for _File in `find /data/disk/*/static/*/*/*/*/*/${_saXIncDb} \
-maxdepth 0 -mindepth 0 | sort`; do
_Core=$(echo ${_File} \
| sed 's/\/includes.*//g' \
| awk '{print $1}' 2> /dev/null)
if [ -d "${_Core}" ] \
&& [ ! -e "${_Core}/core" ] \
&& [ ! -e "${_Core}/profiles/${_saXCoreS}-fix-finally.info" ]; then
cd ${_Core}
patch -p1 < ${_saXPatch} &> /dev/null
echo fixed > ${_Core}/profiles/${_saXCoreS}-fix-finally.info
fi
done
fi
cd
touch ${_pthLog}/batch-custom-${_saXCoreN}-finally-fixed-d6.log
fi
}
_fix_ping_perms() {
if [ -e "/bin/ping" ]; then
_PING_TEST=$(ls -la /bin/ping | grep rwsr-xr-x 2>&1)
if [ -z "${_PING_TEST}" ]; then
chown root:root /bin/ping
chmod 4755 /bin/ping
fi
fi
}
_fix_fpm_process_max() {
if [ ! -e "${_pthLog}/process.max.ctrl.${_tRee}.${_xSrl}.pid" ]; then
sed -i "s/process.max =.*/process.max = 0/g" /opt/php*/etc/php*-fpm.conf
touch ${_pthLog}/process.max.ctrl.${_tRee}.${_xSrl}.pid
fi
}
_fix_node_in_lshell_access() {
if [ ! -e "${_pthLog}/node.lshell-fix-npx.ctrl.${_tRee}.${_xSrl}.pid" ] \
&& [ -e "/etc/lshell.conf" ]; then
_PrTestPhantom=$(grep "PHANTOM" /root/.*.octopus.cnf 2>&1)
_PrTestCluster=$(grep "CLUSTER" /root/.*.octopus.cnf 2>&1)
_PrTestUltra=$(grep "ULTRA" /root/.*.octopus.cnf 2>&1)
_PrTestMonster=$(grep "MONSTER" /root/.*.octopus.cnf 2>&1)
if [[ "${_PrTestPhantom}" =~ "PHANTOM" ]] \
|| [[ "${_PrTestCluster}" =~ "CLUSTER" ]] \
|| [[ "${_PrTestUltra}" =~ "ULTRA" ]] \
|| [[ "${_PrTestMonster}" =~ "MONSTER" ]] \
|| [ -e "/root/.allow.node.lshell.cnf" ]; then
_ALLOW_NODE=YES
else
_ALLOW_NODE=NO
sed -i \
-e "s/, 'node', 'npm', 'npx',/,/gi" \
-e "s/, 'scp',/,/gi" \
/etc/lshell.conf /var/xdrago/conf/lshell.conf
fi
touch ${_pthLog}/node.lshell-fix-npx.ctrl.${_tRee}.${_xSrl}.pid
fi
}
_fix_php_in_lshell_access() {
if [ ! -e "${_pthLog}/php.lshell-fix-php.ctrl.${_tRee}.${_xSrl}.pid" ] \
&& [ -e "/etc/lshell.conf" ]; then
_PrTestPhantom=$(grep "PHANTOM" /root/.*.octopus.cnf 2>&1)
_PrTestCluster=$(grep "CLUSTER" /root/.*.octopus.cnf 2>&1)
_PrTestUltra=$(grep "ULTRA" /root/.*.octopus.cnf 2>&1)
_PrTestMonster=$(grep "MONSTER" /root/.*.octopus.cnf 2>&1)
if [[ "${_PrTestPhantom}" =~ "PHANTOM" ]] \
|| [[ "${_PrTestCluster}" =~ "CLUSTER" ]] \
|| [[ "${_PrTestUltra}" =~ "ULTRA" ]] \
|| [[ "${_PrTestMonster}" =~ "MONSTER" ]] \
|| [ -e "/root/.allow.php.lshell.cnf" ]; then
_ALLOW_PHP=YES
else
_ALLOW_PHP=NO
sed -i \
-e "s/, 'php.*':.*php',/,/gi" \
-e "s/, '\/opt\/php.*',/,/gi" \
/etc/lshell.conf /var/xdrago/conf/lshell.conf
fi
touch ${_pthLog}/php.lshell-fix-php.ctrl.${_tRee}.${_xSrl}.pid
fi
}
_if_fix_lshell() {
if [ ! -e "/usr/local/etc/lshell.conf" ] \
&& [ ! -L "/usr/local/etc/lshell.conf" ] \
&& [ -e "/etc/lshell.conf" ]; then
[ ! -d "/usr/local/etc" ] && mkdir -p /usr/local/etc
ln -sfn /etc/lshell.conf /usr/local/etc/lshell.conf
fi
_LSHELL_VRN=0.10
_PATH_LSHELL="${_usrBin}/lshell"
_LSHELL_CHK_VRN=0.10
_LSHELL_FORCE_REINSTALL=NO
_isLshell="$(which lshell)"
_LSHELL_ITD=$(${_isLshell} --version 2>&1 \
| tr -d "\n" \
| cut -d"-" -f2 \
| awk '{ print $1}' 2>&1)
if [ -z "${_isLshell}" ] \
|| [ -z "${_PATH_LSHELL}" ] \
|| [ "${_LSHELL_ITD}" != "${_LSHELL_CHK_VRN}" ] \
|| [[ "${_LSHELL_ITD}" =~ "Traceback" ]] \
|| [[ "${_LSHELL_ITD}" =~ "bad interpreter" ]] \
|| [[ "${_LSHELL_ITD}" =~ "ImportError" ]]; then
_LSHELL_FORCE_REINSTALL=YES
fi
if [ "${_LSHELL_FORCE_REINSTALL}" = "YES" ]; then
[ -f "/etc/lshell.conf" ] && cp -af /etc/lshell.conf /etc/lshell.conf-bak-${_LSHELL_VRN}
_apt_clean_update
apt-get install python3-pip ${_aptYesUnth}
if [ -x "/usr/bin/pip3" ]; then
_usePip=/usr/bin/pip3
elif [ -x "/usr/local/bin/pip3" ]; then
_usePip=/usr/local/bin/pip3
fi
_PIP_TEST=$(${_usePip} --version 2>&1)
if [[ "${_PIP_TEST}" =~ "python 3.11" ]] \
|| [[ "${_PIP_TEST}" =~ "python 3.12" ]] \
|| [[ "${_PIP_TEST}" =~ "python 3.13" ]]; then
${_usePip} install --upgrade pip --root-user-action ignore
else
${_usePip} install --upgrade pip
fi
cd /var/opt
rm -rf lshell*
_get_dev_src "lshell-${_LSHELL_VRN}.tar.gz"
for _Files in `find /var/opt/lshell-${_LSHELL_VRN} -type f`; do
sed -i "s/kicked/logged/g" ${_Files} &> /dev/null
wait
sed -i "s/Kicked/Logged/g" ${_Files} &> /dev/null
wait
done
rm -rf /usr/local/lib/python*/site-packages/lshell*
rm -rf /usr/local/lib/python*/dist-packages/lshell*
cd /var/opt/lshell-${_LSHELL_VRN}
_PIP_TEST=$(${_usePip} --version 2>&1)
if [[ "${_PIP_TEST}" =~ "python 3.11" ]] \
|| [[ "${_PIP_TEST}" =~ "python 3.12" ]] \
|| [[ "${_PIP_TEST}" =~ "python 3.13" ]]; then
${_usePip} install . --break-system-packages --root-user-action ignore
else
${_usePip} install .
fi
[ -f "/etc/lshell.conf-bak-${_LSHELL_VRN}" ] && cp -af /etc/lshell.conf-bak-${_LSHELL_VRN} /etc/lshell.conf
rm -f /etc/logrotate.d/lshell
addgroup --system lshellg &> /dev/null
addgroup --system ltd-shell-more &> /dev/null
mkdir -p /var/log/lsh
chown :lshellg /var/log/lsh
chmod 770 /var/log/lsh &> /dev/null
# Kill all non-root logged-in users
who | awk '$1 !~ /^root$/ { cmd = "pkill -KILL -u " $1; system(cmd) }'
touch ${_pthLog}/lshell-fix-build-${_LSHELL_VRN}.log
fi
if [ -e "${_usrBin}/lshell" ]; then
chown root:users ${_usrBin}/lshell
chmod 750 ${_usrBin}/lshell
if [ ! -L "/usr/bin/lshell" ]; then
ln -sfn ${_usrBin}/lshell /usr/bin/lshell &> /dev/null
fi
fi
}
_fix_start_stop_ports_solr() {
if [ -x "/etc/init.d/solr9" ] && [ -e "/etc/default/solr9.in.sh" ]; then
_SOLR9_STOP_TEST=$(grep "STOP\.PORT=19099" /etc/default/solr9.in.sh 2>&1)
_SOLR9_WAIT_TEST=$(grep "SOLR_START_WAIT=" /etc/default/solr9.in.sh 2>&1)
if [ ! -e "/var/log/boa/solr9.in.004.fixed.pid" ] \
|| [[ ! "${_SOLR9_STOP_TEST}" =~ "19099" ]] \
|| [[ ! "${_SOLR9_WAIT_TEST}" =~ "10" ]]; then
sed -i "s/^SOLR_STOP_PORT.*//g" /etc/default/solr9.in.sh
sed -i "s/^SOLR_STOP_KEY.*//g" /etc/default/solr9.in.sh
sed -i "s/.*mycustomkey9.*//g" /etc/default/solr9.in.sh
sed -i "s/.*_WAIT.*//g" /etc/default/solr9.in.sh
echo "SOLR_OPTS=\"\$SOLR_OPTS -DSTOP.PORT=19099 -DSTOP.KEY=mycustomkey9\"" >> /etc/default/solr9.in.sh
echo "SOLR_START_WAIT=\"10\"" >> /etc/default/solr9.in.sh
echo "SOLR_STOP_WAIT=\"10\"" >> /etc/default/solr9.in.sh
echo "SOLR_WAIT_FOR_ZK=\"10\"" >> /etc/default/solr9.in.sh
sed -i "/^$/d" /etc/default/solr9.in.sh
echo "_restartSolr9 at $(date)" >> ${_pthLog}/_fix_start_stop_ports_solr.log
touch /var/log/boa/solr9.in.004.fixed.pid
service solr9 restart
fi
fi
if [ -x "/etc/init.d/solr7" ] && [ -e "/etc/default/solr7.in.sh" ]; then
_SOLR7_STOP_TEST=$(grep "STOP\.PORT=17077" /etc/default/solr7.in.sh 2>&1)
_SOLR7_WAIT_TEST=$(grep "SOLR_START_WAIT=" /etc/default/solr7.in.sh 2>&1)
if [ ! -e "/var/log/boa/solr7.in.004.fixed.pid" ] \
|| [[ ! "${_SOLR7_STOP_TEST}" =~ "17077" ]] \
|| [[ ! "${_SOLR7_WAIT_TEST}" =~ "10" ]]; then
sed -i "s/^SOLR_STOP_PORT.*//g" /etc/default/solr7.in.sh
sed -i "s/^SOLR_STOP_KEY.*//g" /etc/default/solr7.in.sh
sed -i "s/.*mycustomkey7.*//g" /etc/default/solr7.in.sh
sed -i "s/.*_WAIT.*//g" /etc/default/solr7.in.sh
echo "SOLR_OPTS=\"\$SOLR_OPTS -DSTOP.PORT=17077 -DSTOP.KEY=mycustomkey7\"" >> /etc/default/solr7.in.sh
echo "SOLR_START_WAIT=\"10\"" >> /etc/default/solr7.in.sh
echo "SOLR_STOP_WAIT=\"10\"" >> /etc/default/solr7.in.sh
echo "SOLR_WAIT_FOR_ZK=\"10\"" >> /etc/default/solr7.in.sh
sed -i "/^$/d" /etc/default/solr7.in.sh
echo "_restartSolr7 at $(date)" >> ${_pthLog}/_fix_start_stop_ports_solr.log
touch /var/log/boa/solr7.in.004.fixed.pid
service solr7 restart
fi
fi
if [ -x "/etc/init.d/jetty9" ]; then
_restartSolr4=FALSE
_ctrl_jetty_nr=$(ls -la /tmp/jetty-0.0.0.0-8099-solr.war* | wc -l 2>&1)
if [[ ! "${_ctrl_jetty_nr}" =~ "No such file" ]] && [ "${_ctrl_jetty_nr}" -gt 8 ]; then
_restartSolr4=TRUE
fi
if [ "${_restartSolr4}" = "TRUE" ]; then
if [ ! -x "/etc/init.d/jenkins" ] && [ ! -e "/var/lib/jenkins" ]; then
find /tmp -mindepth 1 -user jetty9 -exec rm -rf {} + 2>/dev/null
pkill -9 -f jetty9
echo "_restartSolr4 at $(date)" >> ${_pthLog}/_fix_start_stop_ports_solr.log
fi
fi
fi
}
_fix_log4j_solr7() {
_LOG4J_VRN=2.17.1
_DO_SOLR_RESTART=
if [ -x "/etc/init.d/solr7" ] && [ -e "/etc/default/solr7.in.sh" ]; then
if [ -e "/opt/solr-7.7.3" ] \
&& [ ! -e "/opt/solr-7.7.3/server/lib/ext/log4j-core-${_LOG4J_VRN}.jar" ]; then
cd /var/opt
rm -rf apache-log4j*
_get_dev_src "apache-log4j-${_LOG4J_VRN}-bin.tar.gz"
if [ -e "/var/opt/apache-log4j-${_LOG4J_VRN}-bin/log4j-core-${_LOG4J_VRN}.jar" ]; then
cd /var/opt/apache-log4j-${_LOG4J_VRN}-bin
[ -d "/var/backups/log4j/solr-7.7.3" ] || mkdir -p /var/backups/log4j/solr-7.7.3
mv -f /opt/solr-7.7.3/server/lib/ext/log4j* /var/backups/log4j/solr-7.7.3/
rm -f /opt/solr-7.7.3/contrib/prometheus-exporter/lib/log4j*
cp -af log4j-1.2-api-${_LOG4J_VRN}.jar /opt/solr-7.7.3/server/lib/ext/
cp -af log4j-core-${_LOG4J_VRN}.jar /opt/solr-7.7.3/server/lib/ext/
cp -af log4j-core-${_LOG4J_VRN}.jar /opt/solr-7.7.3/contrib/prometheus-exporter/lib/
cp -af log4j-slf4j-impl-${_LOG4J_VRN}.jar /opt/solr-7.7.3/server/lib/ext/
cp -af log4j-slf4j-impl-${_LOG4J_VRN}.jar /opt/solr-7.7.3/contrib/prometheus-exporter/lib/
cp -af log4j-api-${_LOG4J_VRN}.jar /opt/solr-7.7.3/server/lib/ext/
cp -af log4j-api-${_LOG4J_VRN}.jar /opt/solr-7.7.3/contrib/prometheus-exporter/lib/
chown root:root /opt/solr-7.7.3/server/lib/ext/log4j*
chown root:root /opt/solr-7.7.3/contrib/prometheus-exporter/lib/log4j*
_DO_SOLR_RESTART=YES
fi
fi
if [ -e "/opt/solr-7.6.0" ] \
&& [ ! -e "/opt/solr-7.6.0/server/lib/ext/log4j-core-${_LOG4J_VRN}.jar" ]; then
cd /var/opt
rm -rf apache-log4j*
_get_dev_src "apache-log4j-${_LOG4J_VRN}-bin.tar.gz"
if [ -e "/var/opt/apache-log4j-${_LOG4J_VRN}-bin/log4j-core-${_LOG4J_VRN}.jar" ]; then
cd /var/opt/apache-log4j-${_LOG4J_VRN}-bin
[ -d "/var/backups/log4j/solr-7.6.0" ] || mkdir -p /var/backups/log4j/solr-7.6.0
mv -f /opt/solr-7.6.0/server/lib/ext/log4j* /var/backups/log4j/solr-7.6.0/
rm -f /opt/solr-7.6.0/contrib/prometheus-exporter/lib/log4j*
cp -af log4j-1.2-api-${_LOG4J_VRN}.jar /opt/solr-7.6.0/server/lib/ext/
cp -af log4j-core-${_LOG4J_VRN}.jar /opt/solr-7.6.0/server/lib/ext/
cp -af log4j-core-${_LOG4J_VRN}.jar /opt/solr-7.6.0/contrib/prometheus-exporter/lib/
cp -af log4j-slf4j-impl-${_LOG4J_VRN}.jar /opt/solr-7.6.0/server/lib/ext/
cp -af log4j-slf4j-impl-${_LOG4J_VRN}.jar /opt/solr-7.6.0/contrib/prometheus-exporter/lib/
cp -af log4j-api-${_LOG4J_VRN}.jar /opt/solr-7.6.0/server/lib/ext/
cp -af log4j-api-${_LOG4J_VRN}.jar /opt/solr-7.6.0/contrib/prometheus-exporter/lib/
chown root:root /opt/solr-7.6.0/server/lib/ext/log4j*
chown root:root /opt/solr-7.6.0/contrib/prometheus-exporter/lib/log4j*
_DO_SOLR_RESTART=YES
fi
fi
_RESULT_LOG4J=$(grep "LOG4J_FORMAT_MSG_NO_LOOKUPS=true" /etc/default/solr7.in.sh 2>&1)
if [[ ! "${_RESULT_LOG4J}" =~ "LOG4J" ]]; then
echo "LOG4J_FORMAT_MSG_NO_LOOKUPS=true" >> /etc/default/solr7.in.sh
fi
if [[ ! "${_RESULT_LOG4J}" =~ "LOG4J" ]] || [ ! -z "${_DO_SOLR_RESTART}" ]; then
#pkill -9 -f solr7
service solr7 restart &> /dev/null
fi
fi
}
_fix_authorized_keys() {
if [ ! -e "${_pthLog}/_fix_authorized_keys.ctrl.${_tRee}.${_xSrl}.pid" ]; then
chmod 0600 /home/*/.ssh/authorized_keys &> /dev/null
chmod 0700 /home/*/.ssh &> /dev/null
touch ${_pthLog}/_fix_authorized_keys.ctrl.${_tRee}.${_xSrl}.pid
fi
}
_fix_aio() {
_AIO_FIX=$(grep "fs.aio-max-nr" /etc/sysctl.conf 2>&1)
if [ -z "${_AIO_FIX}" ]; then
echo "fs.aio-max-nr = 1048576" >> /etc/sysctl.conf
fi
}
_fix_console_print() {
_PRK_FIX=$(grep "kernel.printk" /etc/sysctl.conf 2>&1)
if [ -z "${_PRK_FIX}" ]; then
echo "kernel.printk = 4 1 1 7" >> /etc/sysctl.conf
fi
}
_fix_java_symlinks() {
if [ "${_OS_CODE}" = "jessie" ] && [ -x "/usr/lib/jvm/java-7-openjdk/jre/bin/java" ]; then
if [ ! -e "/usr/bin/java" ] || [ ! -e "/etc/alternatives/java" ]; then
ln -sfn /usr/lib/jvm/java-7-openjdk/jre/bin/java /etc/alternatives/java
ln -sfn /etc/alternatives/java /usr/bin/java
echo fixed java symlinks for ${_OS_CODE}
fi
fi
if [ "${_OS_CODE}" = "stretch" ] && [ -x "/usr/lib/jvm/java-8-openjdk/jre/bin/java" ]; then
if [ ! -e "/usr/bin/java" ] || [ ! -e "/etc/alternatives/java" ]; then
ln -sfn /usr/lib/jvm/java-8-openjdk/jre/bin/java /etc/alternatives/java
ln -sfn /etc/alternatives/java /usr/bin/java
echo fixed java symlinks for ${_OS_CODE}
fi
fi
if [ "${_OS_CODE}" = "excalibur" ] \
|| [ "${_OS_CODE}" = "daedalus" ] \
|| [ "${_OS_CODE}" = "chimaera" ]; then
if [ ! -e "/usr/lib/jvm/java-21-openjdk" ] \
&& [ -d "/usr/lib/jvm/java-21-openjdk-amd64" ]; then
ln -sfn /usr/lib/jvm/java-21-openjdk-amd64 /usr/lib/jvm/java-21-openjdk
fi
if [ ! -e "/usr/bin/java21" ] \
&& [ -e "/usr/lib/jvm/java-21-openjdk-amd64/bin/java" ]; then
ln -sfn /usr/lib/jvm/java-21-openjdk-amd64/bin/java /usr/bin/java21
fi
if [ ! -e "/usr/lib/jvm/java-17-openjdk" ] \
&& [ -d "/usr/lib/jvm/java-17-openjdk-amd64" ]; then
ln -sfn /usr/lib/jvm/java-17-openjdk-amd64 /usr/lib/jvm/java-17-openjdk
fi
if [ ! -e "/usr/bin/java17" ] \
&& [ -e "/usr/lib/jvm/java-17-openjdk-amd64/bin/java" ]; then
ln -sfn /usr/lib/jvm/java-17-openjdk-amd64/bin/java /usr/bin/java17
fi
if [ ! -e "/usr/lib/jvm/java-11-openjdk" ] \
&& [ -d "/usr/lib/jvm/java-11-openjdk-amd64" ]; then
ln -sfn /usr/lib/jvm/java-11-openjdk-amd64 /usr/lib/jvm/java-11-openjdk
fi
if [ ! -e "/usr/bin/java11" ] \
&& [ -e "/usr/lib/jvm/java-11-openjdk-amd64/bin/java" ]; then
ln -sfn /usr/lib/jvm/java-11-openjdk-amd64/bin/java /usr/bin/java11
fi
if [ -x "/etc/init.d/jenkins" ] && [ -e "/var/lib/jenkins" ]; then
_LOOK_LIKE_JENKINS=TRUE
elif [ -e "/root/.look.like.jenkins.cnf" ]; then
_LOOK_LIKE_JENKINS=TRUE
else
_LOOK_LIKE_JENKINS=FALSE
fi
if [ "${_LOOK_LIKE_JENKINS}" = "TRUE" ] \
|| [ "${_OS_CODE}" = "daedalus" ] \
|| [ "${_OS_CODE}" = "excalibur" ]; then
if [ -x "/usr/lib/jvm/java-17-openjdk/bin/java" ] \
&& [ ! -e "/var/log/boa/.fixed-java17-symlinks.log" ]; then
if [ -e "/usr/lib/jvm/java-17-openjdk-amd64" ]; then
rm -f /usr/lib/jvm/default-java
ln -sfn /usr/lib/jvm/java-17-openjdk-amd64 /usr/lib/jvm/default-java
fi
ln -sfn /usr/lib/jvm/java-17-openjdk/bin/java /etc/alternatives/java
ln -sfn /etc/alternatives/java /usr/bin/java
touch /var/log/boa/.fixed-java17-symlinks.log
echo "Fixed Java 17 symlinks for ${_OS_CODE}"
fi
if [ -x "/usr/lib/jvm/java-21-openjdk/bin/java" ] \
&& [ ! -e "/var/log/boa/.fixed-java21-symlinks.log" ]; then
if [ -e "/usr/lib/jvm/java-21-openjdk-amd64" ]; then
rm -f /usr/lib/jvm/default-java
ln -sfn /usr/lib/jvm/java-21-openjdk-amd64 /usr/lib/jvm/default-java
fi
ln -sfn /usr/lib/jvm/java-21-openjdk/bin/java /etc/alternatives/java
ln -sfn /etc/alternatives/java /usr/bin/java
touch /var/log/boa/.fixed-java21-symlinks.log
echo "Fixed Java 21 symlinks for ${_OS_CODE}"
fi
else
if [ -x "/usr/lib/jvm/java-11-openjdk/bin/java" ]; then
if [ -e "/usr/lib/jvm/java-11-openjdk-amd64" ]; then
rm -f /usr/lib/jvm/default-java
ln -sfn /usr/lib/jvm/java-11-openjdk-amd64 /usr/lib/jvm/default-java
fi
if [ ! -e "/usr/bin/java" ] || [ ! -e "/etc/alternatives/java" ]; then
ln -sfn /usr/lib/jvm/java-11-openjdk/bin/java /etc/alternatives/java
ln -sfn /etc/alternatives/java /usr/bin/java
echo "Fixed Java 11 symlinks for ${_OS_CODE}"
fi
fi
fi
else
if [ -x "/usr/lib/jvm/java-11-openjdk/bin/java" ]; then
if [ ! -e "/usr/bin/java" ] || [ ! -e "/etc/alternatives/java" ]; then
ln -sfn /usr/lib/jvm/java-11-openjdk/bin/java /etc/alternatives/java
ln -sfn /etc/alternatives/java /usr/bin/java
echo "Fixed Java 11 symlinks for ${_OS_CODE}"
fi
fi
fi
}
_fix_composer_version() {
_COMPOSER_VRN=2.8.2
if [ -x "/usr/local/bin/composer" ]; then
_COMPOSER_IS=$(composer --no-interaction --version 2>&1 \
| tr -d "\n" \
| cut -d" " -f35 \
| awk '{ print $1}' 2>&1)
if [ "${_COMPOSER_IS}" != "${_COMPOSER_VRN}" ]; then
composer self-update ${_COMPOSER_VRN} &> /dev/null
fi
fi
}
_fix_sftp_server() {
if [ -e "/etc/ssh/sshd_config" ]; then
_SFTP_UMASK_TEST=$(grep "sftp-server -u 0002" /etc/ssh/sshd_config 2>&1)
if [[ ! "${_SFTP_UMASK_TEST}" =~ "sftp-server -u 0002" ]]; then
sed -i "s/^Subsystem.*//g" /etc/ssh/sshd_config
echo "Subsystem sftp /usr/lib/openssh/sftp-server -u 0002" >> /etc/ssh/sshd_config
sed -i "/^$/d" /etc/ssh/sshd_config
service ssh restart 2> /dev/null
fi
fi
}
_fix_wkhtml_perms() {
_WKHTML_ARRAY="/usr/local/bin/wkhtmltopdf \
/usr/bin/wkhtmltopdf \
/usr/bin/wkhtmltopdf-0.12.4 \
/usr/local/bin/wkhtmltoimage \
/usr/bin/wkhtmltoimage \
/usr/bin/wkhtmltoimage-0.12.4"
for _WKHTML_ITEM in ${_WKHTML_ARRAY}; do
if [ -x "${_WKHTML_ITEM}" ]; then
_PERM_TEST=$(ls -la ${_WKHTML_ITEM} | grep rwxr-xr-x 2>&1)
if [ -z "${_PERM_TEST}" ]; then
chgrp root ${_WKHTML_ITEM} &> /dev/null
chmod 755 ${_WKHTML_ITEM} &> /dev/null
fi
fi
done
}
_fix_wkhtml() {
if [ -x "/usr/local/bin/wkhtmltopdf" ] \
&& [ -L "/usr/bin/wkhtmltopdf" ]; then
rm -f /usr/bin/wkhtmltopdf
cp -af /usr/local/bin/wkhtmltopdf /usr/bin/wkhtmltopdf
chgrp root /usr/bin/wkhtmltopdf &> /dev/null
chmod 755 /usr/bin/wkhtmltopdf &> /dev/null
fi
if [ -x "/usr/local/bin/wkhtmltoimage" ] \
&& [ -L "/usr/bin/wkhtmltoimage" ]; then
rm -f /usr/bin/wkhtmltoimage
cp -af /usr/local/bin/wkhtmltoimage /usr/bin/wkhtmltoimage
chgrp root /usr/bin/wkhtmltoimage &> /dev/null
chmod 755 /usr/bin/wkhtmltoimage &> /dev/null
fi
if [ -x "/usr/local/bin/wkhtmltopdf" ] \
&& [ ! -e "/usr/bin/wkhtmltopdf" ]; then
cp -af /usr/local/bin/wkhtmltopdf /usr/bin/wkhtmltopdf
chgrp root /usr/bin/wkhtmltopdf &> /dev/null
chmod 755 /usr/bin/wkhtmltopdf &> /dev/null
fi
if [ -x "/usr/local/bin/wkhtmltoimage" ] \
&& [ ! -e "/usr/bin/wkhtmltoimage" ]; then
cp -af /usr/local/bin/wkhtmltoimage /usr/bin/wkhtmltoimage
chgrp root /usr/bin/wkhtmltoimage &> /dev/null
chmod 755 /usr/bin/wkhtmltoimage &> /dev/null
fi
if [ ! -x "/usr/local/bin/wkhtmltopdf" ] \
&& [ -x "/usr/bin/wkhtmltopdf" ]; then
rm -f /usr/local/bin/wkhtmltopdf
cp -af /usr/bin/wkhtmltopdf /usr/local/bin/wkhtmltopdf
chgrp root /usr/local/bin/wkhtmltopdf &> /dev/null
chmod 755 /usr/local/bin/wkhtmltopdf &> /dev/null
fi
if [ ! -x "/usr/local/bin/wkhtmltoimage" ] \
&& [ -x "/usr/bin/wkhtmltoimage" ]; then
rm -f /usr/local/bin/wkhtmltoimage
cp -af /usr/bin/wkhtmltoimage /usr/local/bin/wkhtmltoimage
chgrp root /usr/local/bin/wkhtmltoimage &> /dev/null
chmod 755 /usr/local/bin/wkhtmltoimage &> /dev/null
fi
}
_fix_eldir() {
if [ -e "/var/xdrago" ] \
&& [ -e "/var/aegir/.drush/hm.alias.drushrc.php" ] \
&& [ ! -e "${_eldirP}" ]; then
mkdir -p /var/xdrago/conf
curl ${_crlGet} "${_urlHmr}/patches/${_eldirF}" -o ${_eldirP}
fi
}
_if_drupal_patches_update() {
if [ -e "/var/xdrago" ]; then
_BROKEN_UPDATE_TEST_A=$(grep "Under Construction" /data/conf/patches/* 2>&1)
_BROKEN_UPDATE_TEST_B=$(grep "404 Not Found" /data/conf/patches/* 2>&1)
if [ ! -z "${_BROKEN_UPDATE_TEST_A}" ] \
|| [ ! -z "${_BROKEN_UPDATE_TEST_B}" ] \
|| [ ! -e "/data/conf/patches/ctrl.f96.${_tRee}.${_xSrl}.pid" ]; then
mkdir -p /data/conf/patches
rm -f /data/conf/patches/*
touch /data/conf/patches/ctrl.f96.${_tRee}.${_xSrl}.pid
fi
fi
}
_fix_drupal_core_ten() {
if [ -e "/var/xdrago" ]; then
if [ ! -e "${_tenCorePatchPath}" ]; then
mkdir -p /data/conf/patches
curl ${_crlGet} "${_urlHmr}/patches/${_tenCorePatchFname}" -o ${_tenCorePatchPath}
fi
if [ ! -e "${_tenConsolePatchPath}" ]; then
mkdir -p /data/conf/patches
curl ${_crlGet} "${_urlHmr}/patches/${_tenConsolePatchFname}" -o ${_tenConsolePatchPath}
fi
fi
}
_fix_drupal_core_eleven() {
if [ -e "/var/xdrago" ]; then
if [ ! -e "${_elevenCorePatchPath}" ]; then
mkdir -p /data/conf/patches
curl ${_crlGet} "${_urlHmr}/patches/${_elevenCorePatchFname}" -o ${_elevenCorePatchPath}
fi
if [ ! -e "${_elevenConsolePatchPath}" ]; then
mkdir -p /data/conf/patches
curl ${_crlGet} "${_urlHmr}/patches/${_elevenConsolePatchFname}" -o ${_elevenConsolePatchPath}
fi
if [ ! -e "${_elevenValidatorPatchPath}" ]; then
mkdir -p /data/conf/patches
curl ${_crlGet} "${_urlHmr}/patches/${_elevenValidatorPatchFname}" -o ${_elevenValidatorPatchPath}
fi
fi
}
_fix_pure_ftpd() {
if [ -e "/usr/local/etc/pure-ftpd.conf" ]; then
_PAM_AUTH=$(grep "^PAMAuthentication" /usr/local/etc/pure-ftpd.conf 2>&1)
if [ ! -z "${_PAM_AUTH}" ]; then
sed -i "s/^PAMAuthentication/# PAMAuthentication/g" /usr/local/etc/pure-ftpd.conf
killall -9 pure-ftpd &> /dev/null
fi
fi
}
_fix_hosting_le() {
if [ -d "/var/xdrago/conf" ]; then
if [ ! -e "${_hoLeIncFull}.ctrl.${_tRee}.${_xSrl}.pid" ] \
|| [ ! -e "${_pthLog}/dehydrated-up01.ctrl.${_tRee}.${_xSrl}.pid" ] \
|| [ -e "/var/xdrago/${_provLeInc}" ] \
|| [ -e "/var/xdrago/${_hoLeInc}" ] \
|| [ -e "/var/xdrago/${_dehydName}" ] \
|| [ -e "/root/${_provLeInc}" ] \
|| [ -e "/root/hosting_le_vhost.drush.inc.ctrl.${_tRee}.${_xSrl}.pid" ] \
|| [ -e "/root/${_hoLeInc}" ] \
|| [ -e "${_legacyLeSh}" ] \
|| [ ! -e "${_dehydSrcPath}" ] \
|| [ ! -e "${_provLeIncFull}.ctrl.${_tRee}.${_xSrl}.pid" ]; then
mkdir -p /var/xdrago/conf
rm -f /var/xdrago/*.drush.inc*
rm -f /root/*.drush.inc*
rm -f ${_legacyLeSh}
rm -f ${_dehydSrcPath}.ctrl.${_tRee}.${_xSrl}.pid
rm -f ${_hoLeIncFull}.ctrl.${_tRee}.${_xSrl}.pid
rm -f ${_provLeIncFull}.ctrl.${_tRee}.${_xSrl}.pid
curl ${_crlGet} "${_urlHmr}/helpers/${_dehydName}" -o ${_dehydSrcPath}.ctrl.${_tRee}.${_xSrl}.pid
cp -af ${_dehydSrcPath}.ctrl.${_tRee}.${_xSrl}.pid ${_dehydSrcPath}
curl ${_crlGet} "${_urlHmr}/patches/${_hoLeInc}" -o ${_hoLeIncFull}.ctrl.${_tRee}.${_xSrl}.pid
cp -af ${_hoLeIncFull}.ctrl.${_tRee}.${_xSrl}.pid ${_hoLeIncFull}
curl ${_crlGet} "${_urlHmr}/patches/${_provLeInc}" -o ${_provLeIncFull}.ctrl.${_tRee}.${_xSrl}.pid
if [ -e "${_provLeIncFull}.ctrl.${_tRee}.${_xSrl}.pid" ]; then
cp -af ${_provLeIncFull}.ctrl.${_tRee}.${_xSrl}.pid ${_provLeIncFull}
[ -e "${_provLeIncFull}" ] && touch ${_pthLog}/dehydrated-up01.ctrl.${_tRee}.${_xSrl}.pid
fi
fi
fi
}
_fix_newrelic() {
_PHP_EXT_DIR_84="/opt/php84/lib/php/extensions/no-debug-non-zts-20240924"
_NR_SO="/usr/lib/newrelic-php5/agent/x64/newrelic-20240924.so"
if [ -e "${_PHP_EXT_DIR_84}" ] \
&& [ -e "${_NR_SO}" ] \
&& [ ! -e "${_PHP_EXT_DIR_84}/newrelic.so" ]; then
ln -sfn ${_NR_SO} ${_PHP_EXT_DIR_84}/newrelic.so
service php84-fpm reload
fi
_PHP_EXT_DIR_74="/opt/php74/lib/php/extensions/no-debug-non-zts-20190902"
_NR_SO="/usr/lib/newrelic-php5/agent/x64/newrelic-20190902.so"
if [ -e "${_PHP_EXT_DIR_74}" ] \
&& [ -e "${_NR_SO}" ] \
&& [ ! -e "${_PHP_EXT_DIR_74}/newrelic.so" ]; then
ln -sfn ${_NR_SO} ${_PHP_EXT_DIR_74}/newrelic.so
service php74-fpm reload
fi
_PHP_EXT_DIR_71="/opt/php71/lib/php/extensions/no-debug-non-zts-20160303"
_NR_SO="/usr/lib/newrelic-php5/agent/x64/newrelic-20160303.so"
if [ -e "${_PHP_EXT_DIR_71}" ] \
&& [ ! -e "${_NR_SO}" ] \
&& [ -L "${_PHP_EXT_DIR_71}/newrelic.so" ]; then
rm -f ${_PHP_EXT_DIR_71}/newrelic.so
service php71-fpm reload
fi
_PHP_EXT_DIR_70="/opt/php70/lib/php/extensions/no-debug-non-zts-20151012"
_NR_SO="/usr/lib/newrelic-php5/agent/x64/newrelic-20151012.so"
if [ -e "${_PHP_EXT_DIR_70}" ] \
&& [ ! -e "${_NR_SO}" ] \
&& [ -L "${_PHP_EXT_DIR_70}/newrelic.so" ]; then
rm -f ${_PHP_EXT_DIR_70}/newrelic.so
service php70-fpm reload
fi
_PHP_EXT_DIR_56="/opt/php56/lib/php/extensions/no-debug-non-zts-20131226"
_NR_SO="/usr/lib/newrelic-php5/agent/x64/newrelic-20131226.so"
if [ -e "${_PHP_EXT_DIR_56}" ] \
&& [ ! -e "${_NR_SO}" ] \
&& [ -L "${_PHP_EXT_DIR_56}/newrelic.so" ]; then
rm -f ${_PHP_EXT_DIR_56}/newrelic.so
service php56-fpm reload
fi
}
_fix_leftovers() {
if [ -e "/data/disk/arch/static/control" ]; then
rm -rf /data/disk/arch/static
fi
}
_force_rebuild() {
if [ ! -e "${_pthLog}/forced.rebuild.glibc.txt" ]; then
echo "_GIT_FORCE_REINSTALL=YES" >> ${_barCnf}
echo "_NGX_FORCE_REINSTALL=YES" >> ${_barCnf}
echo "_PHP_FORCE_REINSTALL=YES" >> ${_barCnf}
echo "_SSH_FORCE_REINSTALL=YES" >> ${_barCnf}
echo "_SSL_FORCE_REINSTALL=YES" >> ${_barCnf}
rm -f ${_pthLog}/pure-ftpd-build*
rm -f ${_pthLog}/mss-build*
rm -f ${_pthLog}/lshell-build*
rm -f ${_pthLog}/redis-*
rm -f ${_pthLog}/valkey-*
touch ${_pthLog}/forced.rebuild.glibc.txt
fi
}
#
# Detect, remove, and report broken symlinks
_check_and_remove_broken_symlinks() {
local _dir=$1
# Find broken symlinks in the directory
_broken_symlinks=$(find "${_dir}" -maxdepth 1 -type l ! -exec test -e {} \; -print)
if [ -n "${_broken_symlinks}" ]; then
if [ "${_DEBUG_MODE}" = "YES" ]; then
echo "CLNP: Removing the following broken symlinks from ${_dir}:"
echo "CLNP: ${_broken_symlinks}"
fi
for _symlink in ${_broken_symlinks}; do
rm "${_symlink}"
if [ "${_DEBUG_MODE}" = "YES" ]; then
echo "CLNP: Removed broken symlink: ${_symlink}"
fi
done
# Set the _ifAnySymlinksCleaned variable to true since we removed broken symlinks
_ifAnySymlinksCleaned=YES
else
if [ "${_DEBUG_MODE}" = "YES" ]; then
echo "CLNP: No broken symlinks found in ${_dir}"
fi
fi
}
#
# Check and move disallowed versions
_check_and_move() {
local _dir=$1
# Determine the name of the backup subdirectory based on the source directory
local _backup_dir="${_backLegBase}$(echo "${_dir}" | tr '/' '_')"
# Find any libcurl.so files in the directory, excluding the allowed version and those without a complete version number
_found_versions=$(find "${_dir}" -maxdepth 1 -type f -name "libcurl.so.*" ! -name "${_allowedFile}" | grep -E "libcurl\.so\.[0-9]+\.[0-9]+\.[0-9]+$")
if [ -n "${_found_versions}" ]; then
if [ "${_DEBUG_MODE}" = "YES" ]; then
echo "CLNP: Moving the following disallowed versions from ${_dir} to ${_backup_dir}:"
echo "CLNP: ${_found_versions}"
fi
# Create the backup directory if it doesn't exist
mkdir -p "${_backup_dir}"
# Move each found version to the backup directory
for _file in ${_found_versions}; do
mv -f "${_file}" "${_backup_dir}/"
if [ "${_DEBUG_MODE}" = "YES" ]; then
echo "CLNP: Moved ${_file} to ${_backup_dir}/"
fi
done
# Set the _ifAnyFilesCleaned variable to true since we moved files
_ifAnyFilesCleaned=YES
else
if [ "${_DEBUG_MODE}" = "YES" ]; then
echo "CLNP: Only the allowed version (${_allowedFile}) is present in ${_dir}"
fi
fi
}
_if_reinstall_curl() {
_CURL_VRN=8.20.0
_CURL_INSTALL_REQUIRED=NO
if ! command -v lsb_release &> /dev/null; then
apt-get update -qq &> /dev/null
apt-get install lsb-release ${_aptYesUnth} -qq &> /dev/null
fi
_OS_CODE=$(lsb_release -ar 2>/dev/null | grep -i codename | cut -s -f2)
[ "${_OS_CODE}" = "wheezy" ] && _CURL_VRN=7.50.1
[ "${_OS_CODE}" = "jessie" ] && _CURL_VRN=7.71.1
[ "${_OS_CODE}" = "stretch" ] && _CURL_VRN=8.2.1
if [ -e "/var/aegir/.drush/hm.alias.drushrc.php" ] \
&& [ "${_OS_CODE}" != "jessie" ] \
&& [ "${_OS_CODE}" != "stretch" ]; then
# Target version
_allowedFile="libcurl.so.4.8.0"
# Directories to check
_dirsToClean=("/usr/lib" "/usr/local/lib" "/usr/lib/x86_64-linux-gnu")
# Backup base directory
_backLegBase="/var/backups/legacy-libcurl-boa-${_NOW}"
# Variable to track if any files were moved
_ifAnyFilesCleaned=NO
# Variable to track if any broken symlinks were found and removed
_ifAnySymlinksCleaned=NO
# Iterate over the directories and apply the _check_and_move function
for _dir in "${_dirsToClean[@]}"; do
_check_and_move "${_dir}"
done
# Iterate over the directories and apply the _check_and_remove_broken_symlinks function
for _dir in "${_dirsToClean[@]}"; do
_check_and_remove_broken_symlinks "${_dir}"
done
# Export the _ifAnyFilesCleaned variable for later use
export _ifAnyFilesCleaned
# Export the _ifAnySymlinksCleaned variable for later use
export _ifAnySymlinksCleaned
fi
if [ "${_ifAnySymlinksCleaned}" = "YES" ] \
|| [ "${_ifAnyFilesCleaned}" = "YES" ]; then
ldconfig 2> /dev/null
_CURL_INSTALL_REQUIRED=YES
_bkLibcurlPre="/var/backups/legacy-libcurl-pre-${_CURL_VRN}-${_NOW}"
mkdir -p ${_bkLibcurlPre}
mv -f /usr/lib/x86_64-linux-gnu/libcurl.so* ${_bkLibcurlPre}/ &> /dev/null
mv -f /usr/lib/x86_64-linux-gnu/libcurl.la ${_bkLibcurlPre}/ &> /dev/null
mv -f /usr/lib/x86_64-linux-gnu/libcurl.a ${_bkLibcurlPre}/ &> /dev/null
fi
_isCurl=$(curl --version 2>&1)
if [[ ! "${_isCurl}" =~ "OpenSSL" ]] \
|| [[ "${_isCurl}" =~ "libcurl.so.4" ]] \
|| [ -z "${_isCurl}" ] \
|| [ "${_ifAnySymlinksCleaned}" = "YES" ] \
|| [ "${_ifAnyFilesCleaned}" = "YES" ] \
|| [ "${_CURL_INSTALL_REQUIRED}" = "YES" ]; then
if [ -e "/var/aegir/.drush/hm.alias.drushrc.php" ]; then
echo "OOPS: cURL is broken! Re-installing.."
fi
if [ ! -e "/etc/apt/apt.conf.d/00sandboxoff" ] \
&& [ -e "/etc/apt/apt.conf.d" ]; then
echo "APT::Sandbox::User \"root\";" > /etc/apt/apt.conf.d/00sandboxoff
fi
echo "curl install" | dpkg --set-selections 2> /dev/null
_apt_clean_update
# Check for libssl1.0-dev and remove conditionally
if dpkg-query -W -f='${Status}' libssl1.0-dev 2>/dev/null | grep -q "install ok installed"; then
apt-get remove libssl1.0-dev -y --purge --auto-remove -qq 2>/dev/null
fi
apt-get autoremove -y 2> /dev/null
apt-get install libssl-dev ${_aptYesUnth} -qq 2> /dev/null
apt-get build-dep curl ${_aptYesUnth} 2> /dev/null
if [ ! -e "/var/aegir/.drush/hm.alias.drushrc.php" ]; then
apt-get install curl --reinstall ${_aptYesUnth} -qq 2> /dev/null
fi
if [ -e "/var/aegir/.drush/hm.alias.drushrc.php" ]; then
echo "INFO: Installing curl from sources..."
mkdir -p /var/opt
rm -rf /var/opt/curl*
cd /var/opt
wget ${_wgetGet} http://files.aegir.cc/dev/src/curl-${_CURL_VRN}.tar.gz &> /dev/null
tar -xzf curl-${_CURL_VRN}.tar.gz &> /dev/null
if [ -e "/root/.install.modern.openssl.cnf" ] \
&& [ -x "/usr/local/ssl3/bin/openssl" ]; then
_SSL_BINARY=/usr/local/ssl3/bin/openssl
else
_SSL_BINARY=/usr/local/ssl/bin/openssl
fi
if [ -e "/usr/local/ssl3/lib64/libssl.so.3" ]; then
_SSL_PATH="/usr/local/ssl3"
_SSL_LIB_PATH="${_SSL_PATH}/lib64"
else
_SSL_PATH="/usr/local/ssl"
_SSL_LIB_PATH="${_SSL_PATH}/lib"
fi
_PKG_CONFIG_PATH="${_SSL_LIB_PATH}/pkgconfig"
if [ -e "${_PKG_CONFIG_PATH}" ] \
&& [ -e "/var/opt/curl-${_CURL_VRN}" ]; then
cd /var/opt/curl-${_CURL_VRN}
LIBS="-ldl -lpthread" PKG_CONFIG_PATH="${_PKG_CONFIG_PATH}" ./configure \
--with-openssl \
--with-zlib=/usr \
--prefix=/usr/local &> /dev/null
make -j $(nproc) --quiet &> /dev/null
make --quiet install &> /dev/null
ldconfig 2> /dev/null
fi
fi
if [ -x "/usr/local/bin/curl" ] && [ -e "/var/aegir/.drush/hm.alias.drushrc.php" ]; then
_CURL_ITD=$(/usr/local/bin/curl --version 2>&1 \
| tr -d "\n" \
| cut -d" " -f2 \
| awk '{ print $1}' 2>&1)
if [[ ! "${_CURL_ITD}" =~ OpenSSL ]]; then
echo "ERRR: /usr/local/bin/curl is broken"
echo "ERRR: Please install cURL and debug manually"
else
echo "GOOD: /usr/local/bin/curl works"
echo "curl hold" | dpkg --set-selections &> /dev/null
if [ -x "/usr/local/bin/curl" ]; then
if [ -x "/usr/bin/curl" ] && [ ! -L "/usr/bin/curl" ]; then
mv -f /usr/bin/curl /usr/bin/old-curl-$(date +%y%m%d-%H%M%S)
fi
ln -sfn /usr/local/bin/curl /usr/bin/curl
fi
if [ ! -e "${_SSL_PATH}/certs/ca-certificates.crt" ]; then
cp -af /etc/ssl/certs/* ${_SSL_PATH}/certs/ &> /dev/null
fi
if [ -e "/usr/local/lib/libcurl.so.4.8.0" ]; then
ln -sfn /usr/local/lib/libcurl.so.4.8.0 /usr/lib/libcurl.so
ln -sfn /usr/local/lib/libcurl.so.4.8.0 /usr/lib/libcurl.so.4
ln -sfn /usr/local/lib/libcurl.so.4.8.0 /usr/lib/libcurl.so.4.8.0
ln -sfn /usr/local/lib/libcurl.so.4.8.0 /usr/lib/x86_64-linux-gnu/libcurl.so
ln -sfn /usr/local/lib/libcurl.so.4.8.0 /usr/lib/x86_64-linux-gnu/libcurl.so.4
ln -sfn /usr/local/lib/libcurl.so.4.8.0 /usr/lib/x86_64-linux-gnu/libcurl.so.4.8.0
fi
if [ -e "/usr/local/lib/libcurl.a" ]; then
ln -sfn /usr/local/lib/libcurl.a /usr/lib/x86_64-linux-gnu/libcurl.a
ln -sfn /usr/local/lib/libcurl.a /usr/lib/libcurl.a
fi
if [ -e "/usr/local/lib/libcurl.la" ]; then
ln -sfn /usr/local/lib/libcurl.la /usr/lib/x86_64-linux-gnu/libcurl.la
ln -sfn /usr/local/lib/libcurl.la /usr/lib/libcurl.la
fi
ldconfig 2> /dev/null
if [ -e "/usr/local/include/curl/curl.h" ] \
&& [ -e "/usr/local/include/curl/easy.h" ] \
&& [ -d "/usr/include/x86_64-linux-gnu/curl" ] \
&& [ ! -L "/usr/include/x86_64-linux-gnu/curl" ]; then
_apt_clean_update
if dpkg-query -W -f='${Status}' libcurl4-openssl-dev 2>/dev/null | grep -q "install ok installed"; then
apt-get remove libcurl4-openssl-dev -y --purge --auto-remove -qq 2> /dev/null
fi
ln -sfn /usr/local/include/curl /usr/include/x86_64-linux-gnu/curl
ldconfig 2> /dev/null
fi
fi
fi
fi
}
_if_boa_key_tools_update_allowed() {
if [ -e "/root/.run-to-excalibur.cnf" ] \
|| [ -e "/root/.run-to-daedalus.cnf" ] \
|| [ -e "/root/.run-to-chimaera.cnf" ] \
|| [ -e "/root/.run-to-beowulf.cnf" ]; then
_BOA_KEY_TOOLS_UPDATE_ALLOWED=NO
else
_BOA_KEY_TOOLS_UPDATE_ALLOWED=YES
fi
}
_update_boa_tools() {
mkdir -p ${_usrBin}
if [ -e "${_pthLog}" ] && [ ! -e "${_pthLog}/updateFx30.ctrl.${_tRee}.${_xSrl}.pid" ]; then
_fxPp="fix-drupal-platform-permissions.sh"
_fxSp="fix-drupal-site-permissions.sh"
_fxPo="fix-drupal-platform-ownership.sh"
_fxSo="fix-drupal-site-ownership.sh"
_fxLo="lock-local-drush-permissions.sh"
curl ${_crlGet} "${_urlHmr}/${_tBn}/${_fxPp}" -o ${_usrBin}/${_fxPp}
curl ${_crlGet} "${_urlHmr}/${_tBn}/${_fxSp}" -o ${_usrBin}/${_fxSp}
curl ${_crlGet} "${_urlHmr}/${_tBn}/${_fxPo}" -o ${_usrBin}/${_fxPo}
curl ${_crlGet} "${_urlHmr}/${_tBn}/${_fxSo}" -o ${_usrBin}/${_fxSo}
curl ${_crlGet} "${_urlHmr}/${_tBn}/${_fxLo}" -o ${_usrBin}/${_fxLo}
chmod 700 ${_usrBin}/${_fxPp}
chmod 700 ${_usrBin}/${_fxSp}
chmod 700 ${_usrBin}/${_fxPo}
chmod 700 ${_usrBin}/${_fxSo}
chmod 700 ${_usrBin}/${_fxLo}
touch ${_pthLog}/updateFx30.ctrl.${_tRee}.${_xSrl}.pid
fi
mkdir -p ${_optBin}
_boaBins="aptcleanup \
aptfast \
autobeowulf \
autochimaera \
autodaedalus \
autoexcalibur \
autoinit \
automini \
autosymlink \
autoupboa \
backboa \
backchain \
barracuda \
boa \
codebasecheck \
copydbackup \
dcysetup \
dhcpfix \
duobackboa \
fancynow \
ffdevuan \
ffmirror \
fixmounts \
fixrepo \
killer \
loadguard \
lock.inc \
memorytuner \
mergecsf \
multiback \
mybackup \
mycnfup \
mysqltuner5 \
mysqltuner8 \
octopus \
perftest \
randpass \
renameaegirhost \
screenfetch \
setprio \
smtpgapps \
sqlclean \
sqlmagic \
syncpass \
synproxy \
synproxy_hook_fix \
synproxy_monitor \
synproxy_reassert \
synproxy_rollback \
synproxy_snapshot \
synproxy_status \
thinkdifferent \
updatesymlinks \
verifyvhostsdns \
vhostcheck \
vmnetfix \
weblogx \
webserver \
websh \
xboa \
xcopy"
for _cbn in ${_boaBins}; do
if [ -e "${_optBin}/${_cbn}" ]; then
_CNT=$(pgrep -fc /local/bin/${_cbn})
if (( _CNT > 0 )); then
echo "The ${_cbn} is running!"
else
_CNT=$(pgrep -fc /var/xdrago/daily.sh)
if [ "${_cbn}" = "weblogx" ] && (( _CNT > 0 )); then
echo "The ${_cbn} and daily.sh is running!"
else
rm -f ${_optBin}/${_cbn}.new
if [ "${_cbn}" = "mysqltuner5" ] || [ "${_cbn}" = "mysqltuner8" ]; then
curl ${_crlGet} "${_urlHmr}/helpers/${_cbn}" -o ${_optBin}/${_cbn}.new
else
curl ${_crlGet} "${_urlHmr}/${_tBn}/${_cbn}" -o ${_optBin}/${_cbn}.new
fi
mv -f ${_optBin}/${_cbn} ${_optBin}/${_cbn}.prev
mv -f ${_optBin}/${_cbn}.new ${_optBin}/${_cbn}
if [ -e "${_optBin}/${_cbn}" ]; then
chmod 755 ${_optBin}/${_cbn}
rm -f ${_optBin}/${_cbn}.prev
else
mv -f ${_optBin}/${_cbn}.prev ${_optBin}/${_cbn}
fi
fi
fi
else
if [ "${_cbn}" = "mysqltuner5" ] || [ "${_cbn}" = "mysqltuner8" ]; then
curl ${_crlGet} "${_urlHmr}/helpers/${_cbn}" -o ${_optBin}/${_cbn}
else
curl ${_crlGet} "${_urlHmr}/${_tBn}/${_cbn}" -o ${_optBin}/${_cbn}
fi
fi
done
if [ -e "${_optBin}/fixmounts" ] && [ ! -e "${_usrBin}/fixmounts" ]; then
rm -f ${_usrBin}/{aptcleanup*,autoinit*,automini*,backchain*,barracuda*,boa*,dhcpfix*,ffdevuan*,ffmirror*,fixmounts*}
rm -f ${_usrBin}/{aptfast*,killer*,loadguard*,perftest*,octopus*,screenfetch*,vmnetfix*,webserver*,websh*}
ln -sfn ${_optBin}/aptcleanup ${_usrBin}/aptcleanup
ln -sfn ${_optBin}/autoinit ${_usrBin}/autoinit
ln -sfn ${_optBin}/automini ${_usrBin}/automini
ln -sfn ${_optBin}/backchain ${_usrBin}/backchain
ln -sfn ${_optBin}/barracuda ${_usrBin}/barracuda
ln -sfn ${_optBin}/boa ${_usrBin}/boa
ln -sfn ${_optBin}/dhcpfix ${_usrBin}/dhcpfix
ln -sfn ${_optBin}/ffdevuan ${_usrBin}/ffdevuan
ln -sfn ${_optBin}/ffmirror ${_usrBin}/ffmirror
ln -sfn ${_optBin}/fixmounts ${_usrBin}/fixmounts
ln -sfn ${_optBin}/killer ${_usrBin}/killer
ln -sfn ${_optBin}/loadguard ${_usrBin}/loadguard
ln -sfn ${_optBin}/octopus ${_usrBin}/octopus
ln -sfn ${_optBin}/perftest ${_usrBin}/perftest
ln -sfn ${_optBin}/screenfetch ${_usrBin}/screenfetch
ln -sfn ${_optBin}/vmnetfix ${_usrBin}/vmnetfix
ln -sfn ${_optBin}/webserver ${_usrBin}/webserver
ln -sfn ${_optBin}/websh ${_usrBin}/websh
fi
if [ -e "/data/u" ]; then
if [ ! -e "${_usrBin}/dcysetup" ] && [ -e "${_optBin}/dcysetup" ]; then
ln -sfn ${_optBin}/dcysetup ${_usrBin}/dcysetup
fi
if [ ! -e "${_usrBin}/multiback" ] && [ -e "${_optBin}/multiback" ]; then
ln -sfn ${_optBin}/multiback ${_usrBin}/multiback
fi
if [ ! -e "${_usrBin}/mybackup" ] && [ -e "${_optBin}/mybackup" ]; then
ln -sfn ${_optBin}/mybackup ${_usrBin}/mybackup
fi
fi
echo "=== BOA executables permissions setup ==="
echo "Last updated: $(date)"
echo "Groups are organized by function."
# _AUTO (700): automatic install/upgrade helpers
chmod 700 ${_optBin}/{autobeowulf,autochimaera,autodaedalus,autoexcalibur,autoinit,automini,autoupboa}
# _BACKUP (700): backup helpers
chmod 700 ${_optBin}/{backboa,copydbackup,dcysetup,duobackboa,multiback}
# _CORE (700): core BOA tools
chmod 700 ${_optBin}/{barracuda,boa,ffdevuan,ffmirror,killer,octopus,webserver}
chmod 700 ${_optBin}/{loadguard,lock.inc,renameaegirhost,syncpass,weblogx,xboa,xcopy}
# _DB (700): performance and DB tuners
chmod 700 ${_optBin}/{memorytuner,mycnfup,mysqltuner5,mysqltuner8,perftest}
# _MAIL (700): mail + priority tools
chmod 700 ${_optBin}/{setprio,smtpgapps}
# _NET (700): network protection
chmod 700 ${_optBin}/synproxy*
# _SYS (700): system utilities
chmod 700 ${_optBin}/{aptfast,codebasecheck,dhcpfix,fancynow,fixmounts,fixrepo,mergecsf,screenfetch,vmnetfix}
# _SYS (700): cleanup tools
chmod 700 ${_optBin}/{aptcleanup,autosymlink,sqlclean,updatesymlinks,verifyvhostsdns,vhostcheck}
# _MISC (755): misc user-space utilities
chmod 755 ${_optBin}/{backchain,mybackup,randpass,sqlmagic,thinkdifferent,websh}
echo "Permissions applied successfully"
echo "=== End of BOA executables permissions setup ==="
}
# Ensure /usr/sbin/ipset and /sbin/ipset both resolve to the actual ipset binary.
_ensure_ipset_symlinks() {
_IPSET_REAL="$(command -v ipset 2>/dev/null || true)"
if [ -z "${_IPSET_REAL}" ]; then
if [ "${_DEBUG_MODE}" = "YES" ]; then
echo "ipset not installed; skipping symlink fixes"
fi
return 0
fi
# Resolve through any intermediate symlinks.
if [ -L "${_IPSET_REAL}" ]; then
_IPSET_REAL="$(readlink -f "${_IPSET_REAL}")"
fi
for _CAND in /usr/sbin/ipset /sbin/ipset; do
_PARENT="$(dirname "${_CAND}")"
[ -d "${_PARENT}" ] || mkdir -p "${_PARENT}"
# If the candidate *is* the real file, nothing to do.
if [ "${_CAND}" = "${_IPSET_REAL}" ]; then
continue
fi
# If it exists, check whether it already resolves to the right target.
if [ -e "${_CAND}" ] || [ -L "${_CAND}" ]; then
_TARGET="$(readlink -f "${_CAND}" 2>/dev/null || true)"
if [ "${_TARGET}" = "${_IPSET_REAL}" ]; then
continue
fi
fi
ln -sfn "${_IPSET_REAL}" "${_CAND}"
if [ "${_DEBUG_MODE}" = "YES" ]; then
echo "Linked ${_CAND} -> ${_IPSET_REAL}"
fi
done
}
_if_update_boa_key_tools_only() {
_check_dns_settings
_if_reinstall_curl
_CURL_TEST=$(curl -L -k -s \
--max-redirs 10 \
--retry 3 \
--retry-delay 10 \
-I "http://${_USE_MIR}" 2> /dev/null)
if [[ ! "${_CURL_TEST}" =~ "200 OK" ]]; then
if [[ "${_CURL_TEST}" =~ "unknown option was passed in to libcurl" ]]; then
echo "ERROR: cURL libs are out of sync! Re-installing.."
_if_reinstall_curl
fi
echo "ERROR: ${_USE_MIR} is not available, please try later"
exit 1
else
_urlHmr="http://${_USE_MIR}/versions/${_tRee}/boa/aegir"
fi
_LSB_TEST="$(which lsb_release)"
if [ ! -x "${_LSB_TEST}" ]; then
if [ ! -e "/etc/apt/apt.conf.d/00sandboxoff" ] \
&& [ -e "/etc/apt/apt.conf.d" ]; then
echo "APT::Sandbox::User \"root\";" > /etc/apt/apt.conf.d/00sandboxoff
fi
_apt_clean_update
apt-get install lsb-release ${_aptYesUnth} &> /dev/null
fi
_IPSET_TEST="$(which ipset)"
if [ ! -x "${_IPSET_TEST}" ]; then
if [ ! -e "/etc/apt/apt.conf.d/00sandboxoff" ] \
&& [ -e "/etc/apt/apt.conf.d" ]; then
echo "APT::Sandbox::User \"root\";" > /etc/apt/apt.conf.d/00sandboxoff
fi
_apt_clean_update
if [ -L "/sbin/ipset" ]; then
rm -f /sbin/ipset
fi
if [ -L "/usr/sbin/ipset" ]; then
rm -f /usr/sbin/ipset
fi
apt-get install ipset ${_aptYesUnth} &> /dev/null
fi
_ensure_ipset_symlinks
if [ -x "/usr/sbin/csf" ] \
&& [ -e "/etc/csf/csf.deny" ] \
&& [ ! -x "/etc/csf/csfpost.sh" ]; then
echo "" > /etc/csf/csfpost.sh
echo "iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp" >> /etc/csf/csfpost.sh
echo "iptables -t raw -A OUTPUT -p tcp --dport 21 -j CT --helper ftp" >> /etc/csf/csfpost.sh
chmod 700 /etc/csf/csfpost.sh
_CSF_TEST="$(which csf)"
if [ -x "${_CSF_TEST}" ]; then
service clean-boa-env start &> /dev/null
_if_fix_iptables_symlinks
### csf -uf
### wait
_NFTABLES_TEST=$(iptables -V)
if [[ "${_NFTABLES_TEST}" =~ "nf_tables" ]]; then
if [ -e "/usr/sbin/iptables-legacy" ]; then
update-alternatives --set iptables /usr/sbin/iptables-legacy &> /dev/null
fi
if [ -e "/usr/sbin/ip6tables-legacy" ]; then
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy &> /dev/null
fi
if [ -e "/usr/sbin/arptables-legacy" ]; then
update-alternatives --set arptables /usr/sbin/arptables-legacy &> /dev/null
fi
if [ -e "/usr/sbin/ebtables-legacy" ]; then
update-alternatives --set ebtables /usr/sbin/ebtables-legacy &> /dev/null
fi
fi
sed -i "s/.*DHCP.*//g" /etc/csf/csf.allow
wait
sed -i "/^$/d" /etc/csf/csf.allow
if [ -e "/var/log/daemon.log" ]; then
_DHCP_LOG="/var/log/daemon.log"
else
_DHCP_LOG="/var/log/syslog"
fi
grep DHCPREQUEST "${_DHCP_LOG}" | awk '{print $12}' | sort -u | while read -r _IP; do
if [[ ${_IP} =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]]; then
IFS='.' read -r oct1 oct2 oct3 oct4 <<< "${_IP}"
if (( oct1 <= 255 && oct2 <= 255 && oct3 <= 255 && oct4 <= 255 )); then
echo "udp|out|d=67|d=${_IP} # Local DHCP out" >> /etc/csf/csf.allow
fi
fi
done
if [ -e "/etc/csf/csfpost.d/synproxy.sh" ]; then
csf -ra &> /dev/null
synproxy_reassert -p "443 80" --no-quic -q &> /dev/null
else
csf -r &> /dev/null
fi
### Linux kernel TCP SACK CVEs mitigation
### CVE-2019-11477 SACK Panic
### CVE-2019-11478 SACK Slowness
### CVE-2019-11479 Excess Resource Consumption Due to Low MSS Values
if [ -x "/usr/sbin/csf" ] && [ -e "/etc/csf/csf.deny" ]; then
_SACK_TEST=$(ip6tables --list | grep tcpmss)
if [[ ! "${_SACK_TEST}" =~ "tcpmss" ]]; then
sysctl net.ipv4.tcp_mtu_probing=0 &> /dev/null
iptables -A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP &> /dev/null
ip6tables -A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP &> /dev/null
[ -e "/etc/csf/csfpost.d/synproxy.sh" ] && synproxy_reassert -p "443 80" --no-quic -q &> /dev/null
fi
fi
fi
fi
if [ -x "/usr/sbin/csf" ] && [ -e "/etc/csf/csf.conf" ]; then
_CC_SRC_TEST=$(grep 'CC_SRC\ =' /etc/csf/csf.conf 2>&1)
### echo _CC_SRC_TEST 1 is "${_CC_SRC_TEST}"
if [[ ! ${_CC_SRC_TEST} =~ CC_SRC\ =\ \"2\" ]]; then
echo _CC_SRC_TEST 2 is "${_CC_SRC_TEST}"
service clean-boa-env start &> /dev/null
_if_fix_iptables_symlinks
### csf -uf
### wait
_NFTABLES_TEST=$(iptables -V)
if [[ "${_NFTABLES_TEST}" =~ "nf_tables" ]]; then
if [ -e "/usr/sbin/iptables-legacy" ]; then
update-alternatives --set iptables /usr/sbin/iptables-legacy &> /dev/null
fi
if [ -e "/usr/sbin/ip6tables-legacy" ]; then
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy &> /dev/null
fi
if [ -e "/usr/sbin/arptables-legacy" ]; then
update-alternatives --set arptables /usr/sbin/arptables-legacy &> /dev/null
fi
if [ -e "/usr/sbin/ebtables-legacy" ]; then
update-alternatives --set ebtables /usr/sbin/ebtables-legacy &> /dev/null
fi
fi
sed -i "s/^CC_SRC .*/CC_SRC = \"2\"/g" /etc/csf/csf.conf
wait
sed -i "s/^AUTO_UPDATES .*/AUTO_UPDATES = \"0\"/g" /etc/csf/csf.conf
if [ -e "/etc/csf/csfpost.d/synproxy.sh" ]; then
csf -ra &> /dev/null
synproxy_reassert -p "443 80" --no-quic -q &> /dev/null
else
csf -r &> /dev/null
fi
fi
fi
_BOA_TOOLS_UPDATE=NO
if [ -e "${_pthLog}" ]; then
if [ ! -x "/opt/local/bin/xcopy" ] \
|| [ ! -e "${_boaToolsPid}" ]; then
_BOA_TOOLS_UPDATE=YES
fi
fi
[ ! -e "/var/aegir/.drush/hm.alias.drushrc.php" ] && _BOA_TOOLS_UPDATE=YES
if [ "${_BOA_TOOLS_UPDATE}" = "YES" ]; then
_update_boa_tools
[ -e "${_pthLog}" ] && rm -f ${_pthLog}/updateBOAtools*.pid
[ -e "${_pthLog}" ] && touch ${_boaToolsPid}
if [ "${1}" = "verbose" ] || [ -z "${1}" ]; then
echo
echo "BOA Meta Installers setup completed"
echo "Please check INSTALL.md and UPGRADE.md at https://github.com/omega8cc/boa"
echo "Bye"
echo
fi
fi
}
_boa_setup() {
_BENG_VS=NO
_VMFAMILY=NO
_RANDOMIZE=NO
_VM_TEST="$(uname -a)"
if [[ "${_VM_TEST}" =~ "-beng" ]]; then
_BENG_VS=YES
_RANDOMIZE=YES
fi
_if_hosted_sys
if [ "${_hostedSys}" = "YES" ]; then
_VMFAMILY=HOSTED
fi
_check_dns_settings
if [ -e "/var/aegir/.drush/hm.alias.drushrc.php" ]; then
[ -d /run/unbound ] || mkdir -p /run/unbound
[ -d /run/unbound ] && chown -R unbound:unbound /run/unbound
fi
if [ ! -e "/etc/apt/apt.conf.d/00sandboxoff" ] \
&& [ -e "/etc/apt/apt.conf.d" ]; then
echo "APT::Sandbox::User \"root\";" > /etc/apt/apt.conf.d/00sandboxoff
fi
_APT_CONFIG_FILE="/etc/apt/apt.conf.d/99ignorestrict"
# Desired configuration content
_DESIRED_APT_CONFIG='Acquire::AllowInsecureRepositories "true";
APT::Get::AllowUnauthenticated "true";
Aptitude::CmdLine::Fix-Broken "true";'
# Remove leading whitespace from each line
_CLEANED_DESIRED_APT_CONFIG=$(echo "${_DESIRED_APT_CONFIG}" | sed 's/^[[:space:]]\+//')
# Normalize the existing file content
if [[ -f "${_APT_CONFIG_FILE}" ]]; then
_CURRENT_APT_CONFIG=$(tr -d '[:space:]' < "${_APT_CONFIG_FILE}")
else
_CURRENT_APT_CONFIG=""
fi
# Normalize the cleaned desired configuration content
_NORMALIZED_DESIRED_APT_CONFIG=$(echo "${_CLEANED_DESIRED_APT_CONFIG}" | tr -d '[:space:]')
# Compare normalized contents and update if necessary
if [[ "${_CURRENT_APT_CONFIG}" != "${_NORMALIZED_DESIRED_APT_CONFIG}" ]]; then
echo "${_CLEANED_DESIRED_APT_CONFIG}" | tee "${_APT_CONFIG_FILE}" > /dev/null
fi
if [ ! -e "/var/aegir/.drush/hm.alias.drushrc.php" ] && [ ! -e "/var/xdrago/manage_solr_config.sh" ]; then
# apt-get remove unscd -y --purge --auto-remove -qq &> /dev/null
# apt-get remove dbus -y --purge --auto-remove -qq &> /dev/null
# if [ -e "/usr/share/dbus-1" ]; then
# rm -f /usr/share/dbus-1/*/*freedesktop*
# fi
userdel -r debian &> /dev/null
sed -i "s/^#startup_message off/startup_message off/g" /etc/screenrc &> /dev/null
fi
_isScreen=$(screen --version 2>&1)
if [[ ! "${_isScreen}" =~ "GNU" ]] || [ -z "${_isScreen}" ]; then
apt-get install screen -y &> /dev/null
apt-get install net-tools -y &> /dev/null
apt-get install hostname -y &> /dev/null
apt-get install ntpsec-ntpdate -y &> /dev/null
fi
_if_reinstall_curl
_CURL_TEST=$(curl -L -k -s \
--max-redirs 10 \
--retry 3 \
--retry-delay 10 \
-I "http://${_USE_MIR}" 2> /dev/null)
if [[ ! "${_CURL_TEST}" =~ "200 OK" ]]; then
if [[ "${_CURL_TEST}" =~ "unknown option was passed in to libcurl" ]]; then
echo "ERROR: cURL libs are out of sync! Re-installing.."
_if_reinstall_curl
fi
echo "ERROR: ${_USE_MIR} is not available, please try later"
exit 1
else
_urlHmr="http://${_USE_MIR}/versions/${_tRee}/boa/aegir"
fi
_if_clean_boa_env
_LSB_TEST="$(which lsb_release)"
if [ ! -x "${_LSB_TEST}" ]; then
if [ ! -e "/etc/apt/apt.conf.d/00sandboxoff" ] \
&& [ -e "/etc/apt/apt.conf.d" ]; then
echo "APT::Sandbox::User \"root\";" > /etc/apt/apt.conf.d/00sandboxoff
fi
_apt_clean_update
apt-get install lsb-release ${_aptYesUnth}
fi
### Fix or install VM system detection
_check_virt
_BOA_TOOLS_UPDATE=NO
if [ -e "${_pthLog}" ] && [ ! -e "${_boaToolsPid}" ]; then
_BOA_TOOLS_UPDATE=YES
fi
[ ! -e "/var/aegir/.drush/hm.alias.drushrc.php" ] && _BOA_TOOLS_UPDATE=YES
if [ "${_BOA_TOOLS_UPDATE}" = "YES" ]; then
_update_boa_tools
[ -e "${_pthLog}" ] && rm -f ${_pthLog}/updateBOAtools*.pid
[ -e "${_pthLog}" ] && touch ${_boaToolsPid}
echo
echo "BOA Meta Installers setup completed"
echo "Please check INSTALL.md and UPGRADE.md at https://github.com/omega8cc/boa"
echo "Bye"
echo
fi
}
_count_cpu() {
_CPU_INFO="$(grep -c processor /proc/cpuinfo)"
_CPU_INFO=${_CPU_INFO//[^0-9]/}
_NPROC_TEST="$(which nproc)"
if [ -z "${_NPROC_TEST}" ]; then
_CPU_NR="${_CPU_INFO}"
else
_CPU_NR=$(nproc 2>&1)
fi
_CPU_NR=${_CPU_NR//[^0-9]/}
if [ ! -z "${_CPU_NR}" ] \
&& [ ! -z "${_CPU_INFO}" ] \
&& [ "${_CPU_NR}" -gt "${_CPU_INFO}" ] \
&& [ "${_CPU_INFO}" -gt 0 ]; then
_CPU_NR="${_CPU_INFO}"
fi
if [ -z "${_CPU_NR}" ] || [ "${_CPU_NR}" -lt 1 ]; then
_CPU_NR=1
fi
mkdir -p /data/all
chmod 755 /data/all
echo ${_CPU_NR} > /data/all/cpuinfo
chmod 644 /data/all/cpuinfo
}
_sysctl_update() {
if [ ! -e "/root/.no.sysctl.update.cnf" ] \
&& [ ! -e "/var/backups/.sysctl.conf.mod-disable-ipv6-${_xSrl}.log" ]; then
[ -d "/var/backups" ] || mkdir -p /var/backups
cd /var/backups
rm -f /var/backups/sysctl.conf
curl ${_crlGet} "${_urlHmr}/conf/var/sysctl.conf" -o sysctl.conf
if [ -e "/var/backups/sysctl.conf" ]; then
cp -af /var/backups/sysctl.conf /etc/sysctl.conf
fi
if [ -e "/etc/security/limits.conf" ]; then
_IF_NF=$(grep '2097152' /etc/security/limits.conf 2>&1)
if [ ! -z "${_IF_NF}" ]; then
sed -i "s/.*2097152.*//g" /etc/security/limits.conf
wait
fi
_IF_NF=$(grep '524288' /etc/security/limits.conf 2>&1)
if [ -z "${_IF_NF}" ]; then
echo "* hard nofile 524288" >> /etc/security/limits.conf
echo "* soft nofile 524288" >> /etc/security/limits.conf
echo "root hard nofile 1048576" >> /etc/security/limits.conf
echo "root soft nofile 1048576" >> /etc/security/limits.conf
fi
_IF_NF=$(grep '65556' /etc/security/limits.conf 2>&1)
if [ -z "${_IF_NF}" ]; then
echo "* hard nproc 65556" >> /etc/security/limits.conf
echo "* soft nproc 65556" >> /etc/security/limits.conf
fi
fi
if [ -e "/boot/grub/grub.cfg" ] || [ -e "/boot/grub/menu.lst" ]; then
#echo never > /sys/kernel/mm/transparent_hugepage/enabled
if [ -e "/etc/sysctl.conf" ]; then
sysctl -p /etc/sysctl.conf &> /dev/null
fi
else
if [ -e "/etc/sysctl.conf" ]; then
sysctl -p /etc/sysctl.conf &> /dev/null
fi
fi
if [ -e "/etc/default/nginx" ]; then
_IF_ULNX=$(grep '524288' /etc/default/nginx 2>&1)
if [ -z "${_IF_ULNX}" ]; then
sed -i "s/^ULIMIT=.*//gi" /etc/default/nginx
wait
echo ULIMIT=\"-n 524288\" >> /etc/default/nginx
ulimit -n 524288 &> /dev/null
service nginx restart &> /dev/null
fi
fi
if [ -e "/etc/security/limits.d" ] \
&& [ ! -e "/etc/security/limits.d/solr9.conf" ]; then
echo "sshd soft nofile 524288" > /etc/security/limits.d/sshd.conf
echo "sshd hard nofile 999999" >> /etc/security/limits.d/sshd.conf
echo "redis soft nofile 65535" > /etc/security/limits.d/redis.conf
echo "redis hard nofile 524288" >> /etc/security/limits.d/redis.conf
echo "nginx soft nofile 524288" > /etc/security/limits.d/nginx.conf
echo "nginx hard nofile 999999" >> /etc/security/limits.d/nginx.conf
echo "jetty9 soft nofile 65535" > /etc/security/limits.d/jetty9.conf
echo "jetty9 hard nofile 524288" >> /etc/security/limits.d/jetty9.conf
echo "solr7 soft nofile 65535" > /etc/security/limits.d/solr7.conf
echo "solr7 hard nofile 524288" >> /etc/security/limits.d/solr7.conf
echo "solr9 soft nofile 65535" > /etc/security/limits.d/solr9.conf
echo "solr9 hard nofile 524288" >> /etc/security/limits.d/solr9.conf
echo "@www-data soft nofile 65535" > /etc/security/limits.d/www.conf
echo "@www-data hard nofile 524288" >> /etc/security/limits.d/www.conf
if [ -e "/etc/init.d/valkey-server" ]; then
service valkey-server restart &> /dev/null
elif [ -e "/etc/init.d/redis-server" ]; then
service redis-server restart &> /dev/null
fi
service nginx restart &> /dev/null
service ssh restart &> /dev/null
_PHP_V="85 84 83 82 81 80 74 73 72 71 70 56"
for e in ${_PHP_V}; do
if [ -e "/etc/init.d/php${e}-fpm" ]; then
service "php${e}-fpm" reload &> /dev/null
fi
done
fi
touch /var/backups/.sysctl.conf.mod-disable-ipv6-${_xSrl}.log
fi
}
###
### Load + normalize _INCIDENT_REPORT
###
### Legacy values:
### NO becomes OFF (see below)
### YES becomes MINI (see below)
###
### Current values:
### OFF == Total silence, no email alerts
### ALL == Very noisy, good for debugging
### MINI == Only the most important alerts (default)
### CRIT == Only critical if _lvl=ALERT
###
_normalize_incident_report() {
: "${_INCIDENT_REPORT:=MINI}"
_INCIDENT_REPORT="${_INCIDENT_REPORT^^}"
_INCIDENT_REPORT="${_INCIDENT_REPORT//[^A-Z]/}"
###
### Map legacy + validate
###
case "${_INCIDENT_REPORT}" in
NO) _INCIDENT_REPORT="OFF" ;;
YES) _INCIDENT_REPORT="MINI" ;;
OFF|ALL|MINI|CRIT) : ;;
*) _INCIDENT_REPORT="MINI" ;;
esac
}
# Function to notify about still running backup
_backup_waiting_notify() {
_hName="$(cat /etc/hostname 2>/dev/null | tr -d '\n' || hostname -f 2>/dev/null)"
_templog="${_bLogB}"
cat /root/.remote_backups/schedule/backup_schedule.txt > ${_templog}
ps axf | grep multiback >> ${_templog}
ps axf | grep duplicity >> ${_templog}
ls -la /tmp/duplicity-*-tempdir >> ${_templog}
tree /root/.cache/duplicity >> ${_templog}
ls -laR /root/.cache/duplicity >> ${_templog}
grep "Out of memory: Killed process.*duplicity" /var/log/iptables.log >> ${_templog}
boa info >> ${_templog}
if [ -n "${_MY_EMAIL}" ] && [ "${_INCIDENT_REPORT}" != "OFF" ]; then
s-nail -s "Multiback Waiting Report for [${_hName}] on $(date)" ${_MY_EMAIL} < ${_templog}
fi
}
# Load kTLS module only if it is not already loaded.
_load_ktls_module() {
if ! lsmod 2>/dev/null | awk '{print $1}' | grep -qx "tls"; then
if [ -e "/lib/modules/$(uname -r)/kernel/net/tls/tls.ko" ] \
|| modinfo tls >/dev/null 2>&1; then
modprobe -q tls >/dev/null 2>&1 || true
grep -qxF "tls" /etc/modules 2>/dev/null || printf '%s\n' "tls" >> /etc/modules
fi
fi
}
# Fix CSF config only if Quic HTTP3 support is not enabled yet
_csf_allow_quic_udp_443() {
_CSF_CONF="/etc/csf/csf.conf"
_CSF_CHANGED="NO"
if ! command -v csf >/dev/null 2>&1; then
if [ "${_DEBUG_MODE}" = "YES" ]; then
echo "INFO: csf not found - skipping UDP/443 (QUIC) firewall check"
fi
return 0
fi
if [ ! -s "${_CSF_CONF}" ]; then
if [ "${_DEBUG_MODE}" = "YES" ]; then
echo "WARN: ${_CSF_CONF} not found or empty - skipping"
fi
return 0
fi
_csf_add_port_to_list_var() {
# $1 = VAR (UDP_IN / UDP6_IN), $2 = PORT (443)
_VAR="${1}"
_PORT="${2}"
# Extract current value between quotes
_CUR="$(grep -E "^${_VAR}[[:space:]]*=" "${_CSF_CONF}" 2>/dev/null | head -n1 | sed -E 's/^[^"]*"([^"]*)".*$/\1/')"
# If var not present, do nothing
if ! grep -q -E "^${_VAR}[[:space:]]*=" "${_CSF_CONF}" 2>/dev/null; then
return 0
fi
# If already present as a whole list item, do nothing
if echo ",${_CUR}," | grep -q ",${_PORT},"; then
if [ "${_DEBUG_MODE}" = "YES" ]; then
echo "INFO: CSF ${_VAR} already includes ${_PORT}"
fi
return 0
fi
# Append port (handle empty list)
if [ -n "${_CUR}" ]; then
_NEW="${_CUR},${_PORT}"
else
_NEW="${_PORT}"
fi
# Replace only the FIRST matching line for this var, keep surrounding quotes
# Make a backup once (csf.conf.bak) if not already present
if [ ! -e "${_CSF_CONF}.bak" ]; then
cp -af "${_CSF_CONF}" "${_CSF_CONF}.bak"
fi
sed -i -E "0,/^${_VAR}[[:space:]]*=/{s|^(${_VAR}[[:space:]]*=[[:space:]]*\").*(\".*)|\1${_NEW}\2|}" "${_CSF_CONF}"
_CSF_CHANGED="YES"
if [ "${_DEBUG_MODE}" = "YES" ]; then
echo "INFO: CSF updated: ${_VAR}=\"${_NEW}\""
fi
}
# QUIC needs inbound UDP/443
_csf_add_port_to_list_var "UDP_IN" "443"
# If your CSF has separate IPv6 var, update it too
if grep -q -E '^UDP6_IN[[:space:]]*=' "${_CSF_CONF}" 2>/dev/null; then
_csf_add_port_to_list_var "UDP6_IN" "443"
fi
if [ "${_CSF_CHANGED}" = "YES" ]; then
if [ "${_DEBUG_MODE}" = "YES" ]; then
echo "INFO: Reloading CSF to apply UDP/443 change"
fi
csf -r >/dev/null 2>&1 || csf -ra >/dev/null 2>&1
else
if [ "${_DEBUG_MODE}" = "YES" ]; then
echo "INFO: CSF config unchanged"
fi
fi
return 0
}
###--------------------###
if [ "$(id -u)" -eq 0 ]; then
# Load kTLS module only if it is not already loaded
_load_ktls_module
# Fix CSF config only if Quic HTTP3 support is not enabled yet
_csf_allow_quic_udp_443
if ! command -v bc &> /dev/null; then
apt-get update -qq &> /dev/null
${_INITINS} bc &> /dev/null
fi
if ! command -v curl &> /dev/null; then
apt-get update -qq &> /dev/null
${_INITINS} curl &> /dev/null
fi
_find_correct_ip
_find_server_city
[ ! -e "/var/aegir/.drush/hm.alias.drushrc.php" ] && _locales_check_fix_early
_os_detection_minimal
_find_fast_mirror_early
_verify_boa_keys
### Prefer Devuan apt sources
if [ -d "/var/aegir" ] && [ ! -e "/etc/apt/preferences.d/99-prefer-devuan" ]; then
if grep -qi 'ID=devuan' /etc/os-release 2>/dev/null; then
_prefer_devuan_repositories
fi
fi
### Fix VM system detection
_check_virt
if [ -e "${_barCnf}" ]; then
source ${_barCnf}
_normalize_incident_report
fi
### Notify if multiback backups seem to run for too long
_DCY=$(pgrep -fc duplicity)
_MLT=$(pgrep -fc multiback)
if (( _DCY > 0 )) && (( _MLT > 0 )); then
_bLogA="/var/backups/multiback_waiting_queue.log"
_bLogB="/var/backups/tmp_multiback_waiting_queue.log"
if [ ! -e "${_bLogA}" ] && [ ! -e "${_bLogB}" ]; then
_backup_waiting_notify
fi
fi
### Make local OpenSSL new/legacy ssl/certs symlinked to system ssl/certs
if [ -d "/var/aegir" ]; then
_fix_sync_system_ssl_certs
fi
### Fix Solr 4/7/9 conflicting ports
if [ -d "/var/aegir" ]; then
_fix_start_stop_ports_solr
fi
### CVE-2021-44228 Log4j 2 Vulnerability
### CVE-2021-45046 Log4j 2 Vulnerability
### CVE-2021-45105 Log4j 2 Vulnerability
_fix_log4j_solr7
### Linux kernel TCP SACK CVEs mitigation
### CVE-2019-11477 SACK Panic
### CVE-2019-11478 SACK Slowness
### CVE-2019-11479 Excess Resource Consumption Due to Low MSS Values
if [ -x "/usr/sbin/csf" ] && [ -e "/etc/csf/csf.deny" ]; then
_SACK_TEST=$(ip6tables --list | grep tcpmss)
if [[ ! "${_SACK_TEST}" =~ "tcpmss" ]]; then
sysctl net.ipv4.tcp_mtu_probing=0 &> /dev/null
iptables -A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP &> /dev/null
ip6tables -A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP &> /dev/null
[ -e "/etc/csf/csfpost.d/synproxy.sh" ] && synproxy_reassert -p "443 80" --no-quic -q &> /dev/null
fi
fi
### More aggressive mitigation affecting network performance
# if [ -e "/proc/sys/net/ipv4/tcp_sack" ]; then
# _SACK_TEST=$(cat /proc/sys/net/ipv4/tcp_sack 2>&1)
# _SACK_TEST=$(echo -n ${_SACK_TEST} | tr -d "\n" 2>&1)
# if [[ "${_SACK_TEST}" =~ "1" ]]; then
# echo "0" > /proc/sys/net/ipv4/tcp_sack
# fi
# fi
### Block known attackers IPs
_CSF_TEST="$(which csf)"
if [ -x "${_CSF_TEST}" ]; then
_IP_BLOCK="47.82.0.0/16 47.79.0.0/16 2.57.121.0/24 2.57.122.0/24 45.148.10.0/24 80.94.92.0/24 92.118.39.0/24 185.177.72.0/24"
for _IP in ${_IP_BLOCK}; do
_FW_TEST=$(csf -g ${_IP} 2>&1)
if [[ "${_FW_TEST}" =~ "DENY Match:${_IP} Setting" ]] \
&& [[ "${_FW_TEST}" =~ "csf.deny: ${_IP}" ]]; then
echo "${_IP} already denied for Brute force SSH/Web Server attacks"
else
csf -d ${_IP} do not delete Brute force SSH/Web Server attacks
[ -e "/etc/csf/csfpost.d/synproxy.sh" ] && synproxy_reassert -p "443 80" --no-quic -q &> /dev/null
fi
done
fi
### Linux kernel CVE-2017-2636 hotfix
if [ -e "/etc/modprobe.d" ] \
&& [ ! -e "/etc/modprobe.d/blacklist-n_hdlc.conf" ]; then
echo "install n_hdlc /bin/true" > /etc/modprobe.d/blacklist-n_hdlc.conf
rmmod n_hdlc &> /dev/null
fi
### Linux kernel CVE-2017-6074 hotfix
if [ -e "/etc/modprobe.d" ] \
&& [ ! -e "/etc/modprobe.d/blacklist-dccp-all.conf" ]; then
echo "install dccp /bin/true" > /etc/modprobe.d/blacklist-dccp-all.conf
echo "install dccp_diag /bin/true" >> /etc/modprobe.d/blacklist-dccp-all.conf
echo "install dccp_ipv4 /bin/true" >> /etc/modprobe.d/blacklist-dccp-all.conf
echo "install dccp_ipv6 /bin/true" >> /etc/modprobe.d/blacklist-dccp-all.conf
echo "install dccp_probe /bin/true" >> /etc/modprobe.d/blacklist-dccp-all.conf
rmmod dccp &> /dev/null
rmmod dccp_diag &> /dev/null
rmmod dccp_ipv4 &> /dev/null
rmmod dccp_ipv6 &> /dev/null
rmmod dccp_probe &> /dev/null
fi
if [ ! -e "/data/all/cpuinfo" ]; then
_count_cpu
fi
_if_boa_key_tools_update_allowed
if [ "${_BOA_KEY_TOOLS_UPDATE_ALLOWED}" = "YES" ] \
&& [ -e "/opt/etc/fpm/fpm-pool-common.conf" ] \
&& [ -e "/var/xdrago" ]; then
if [ ! -z "${_SKYNET_MODE}" ] && [ "${_SKYNET_MODE}" = "OFF" ]; then
if [ -n "${SSH_TTY+x}" ]; then
echo
echo "STATUS: BOA Skynet Agent is Inactive!"
echo
echo "HINT: Please remove the _SKYNET_MODE=OFF line from"
echo "HINT: ${_barCnf} to enable me again."
echo
echo "NOTE: Critically important BOA tools will be still updated"
echo
_if_update_boa_key_tools_only verbose
exit 0
else
_if_update_boa_key_tools_only silent
exit 0
fi
else
if [ -n "${SSH_TTY+x}" ]; then
echo
echo "STATUS: BOA Skynet Agent is Active, OK!"
echo
echo "HINT: You can add the _SKYNET_MODE=OFF line in"
echo "HINT: ${_barCnf} to disable me, if needed."
echo
fi
fi
else
if [ -z "$STY" ]; then
_SCREEN_INIT=YES
fi
fi
if [ -d "/.newrelic" ]; then
rm -rf /.newrelic
fi
chmod a+w /dev/null
if [ ! -e "/dev/fd" ]; then
if [ -e "/proc/self/fd" ]; then
rm -rf /dev/fd
ln -sfn /proc/self/fd /dev/fd
fi
fi
if [ "${_BOA_KEY_TOOLS_UPDATE_ALLOWED}" = "YES" ]; then
_boa_setup
fi
if [ "${_BOA_KEY_TOOLS_UPDATE_ALLOWED}" = "YES" ] \
&& [ -e "/var/log/barracuda_log.txt" ]; then
_fix_sftp_server
_fix_ping_perms
_fix_fpm_process_max
_if_fix_lshell
_fix_node_in_lshell_access
# _fix_php_in_lshell_access
_fix_authorized_keys
_fix_aio
_fix_console_print
_fix_java_symlinks
_fix_composer_version
_fix_wkhtml
_fix_wkhtml_perms
_fix_eldir
_if_drupal_patches_update
_fix_drupal_core_ten
_fix_drupal_core_eleven
_fix_pure_ftpd
_fix_hosting_le
_fix_newrelic
_fix_leftovers
_update_agents
_sysctl_update
# _saCoreN="SA-CORE-2018-002"
# _fix_core_dgd
# sleep 3
# _saCoreN="SA-CORE-2018-004"
# _fix_core_dgd
# sleep 3
# _saCoreN="SA-CORE-2018-006"
# _fix_core_dgd
# sleep 3
# _saCoreN="SA-CORE-2019-004"
# _fix_core_dgd
# sleep 3
# _saCoreN="3143016-83"
# _fix_core_dgd
fi
if [ ! -e "/etc/ssl/private/4096.dhp" ] && [ -d "/var/xdrago" ]; then
echo "Generating 4096.dhp -- it may take a very long time..."
openssl dhparam -out /etc/ssl/private/4096.dhp 4096 > /dev/null 2>&1 &
fi
if [ -e "/etc/ssl/private/4096.dhp" ]; then
chown -R root:ssl-cert /etc/ssl/private
chmod 640 /etc/ssl/private/*
chmod 710 /etc/ssl/private
fi
if [ ! -e "/root/.upstart.cnf" ]; then
service cron reload &> /dev/null
fi
if [ "${_SCREEN_INIT}" = "YES" ]; then
if [ "${_DEBUG_MODE}" != "YES" ]; then
clear
fi
echo
echo "The system is ready for BOA installation!"
echo
echo "We will start screen session for you automatically"
echo "to avoid problems with dropped SSH connections"
echo "during BOA stack installation, which may take up to"
echo "45-60 minutes, depending on your server speed."
echo
echo "If your connection will drop, simply log in again"
echo "and re-attach your session with 'screen -R' command."
echo
echo "Enjoy!"
echo
if [ -x "/usr/sbin/aa-teardown" ]; then
aa-teardown &> /dev/null
fi
else
exit 0
fi
else
echo "ERROR: This script should be run as a root user"
exit 1
fi
================================================
FILE: CHANGELOG.txt
================================================
###
### Stable BOA-5.9.1-pro/lts - HTTP/3 Edition
### Date: Sun Feb 8 10:02:06 PM NZDT 2026 in Auckland
### Welcome Fast Lane HTTPS: HTTP/3 and KTLS
### 333 commits since BOA-5.8.5-pro
###
@=> 4 NEW, 12 UPDATED, 32 TOTAL Drupal distros/platforms available
While most of you typically build your own codebases/platforms with Composer
these days, we still deliver a list of 32 platforms ready to use in your Ægir.
Since these platforms are updated only with BOA releases, they are not really
intended for production use per se, because you typically need a faster
lifecycle to keep your sites secure.
However, they provide a wide range of testing playgrounds, because you can
install only those you wish to test or use, and reinstall if needed, with
the help of our BOA-only feature that allows you to upgrade your Ægir
on demand with two simple control files, as described in the built-in docs
you can always find in ~/static/control/README.txt.
The complete list of 32 is further below, in the section "Drupal platforms
available for installation".
@=> Going Local with Infrastructure
We’ve expanded our network considerably to meet the growing expectations of
the Data Sovereignty movement. This isn’t just about adding more cities
to our hosting map — it’s also about going local with infrastructure
wherever we can.
We no longer rely solely on big-name vendors and hyperscalers. Instead, we’re
gradually migrating to local providers and data centers in every country where
we offer hosted BOA for Drupal.
For example, in Canada you can now choose not only Toronto, but also Montreal,
Calgary, and Vancouver. In Australia, it’s no longer just Sydney — we also
offer Adelaide, Brisbane, and Perth.
We’ve also added an excellent facility in New Zealand.
Of course, we continue to support our original Singapore location and still
offer EU, UK, and US options.
@=> Usage disk/sql limits x2 + Aero and Archive plans added to hosted BOA
It's worth mentioning that our hosted BOA plans have received a huge upgrade:
several new locations have been added around the world, our vendors are now
local (instead of the previous US-only hyperscalers), and an entirely new
Archive Tier has been added for those looking to host collections of
low-traffic sites at low cost.
Take a look if you are interested: https://omega8.cc/hosted
@=> New BOA-5.9.1 PRO/LTS Release
Yes, we said that BOA-LTS would enter complete code freeze for 2026, but
we think that the major new features and many security updates introduced in
the last two months must be shared with the entire community before we enter
a less rapid feature development cycle for the next few months.
The future of 100% Open Source Drupal hosting is brighter than ever!
With BOA-5.9.1 PRO/LTS, we proudly deliver full HTTP/3 and KTLS support —
a fundamental change in the way modern browsers communicate with modern
HTTPS web servers — along with the latest OpenSSL 3.5 LTS, which made it
possible, a clever and very professional tool to diagnose your server hardware
performance in the context of BOA-specific requirements and capabilities,
and many critical security and bug fixes related to system components.
This groundbreaking feature not only pushes the boundaries of what BOA
can achieve but also reaffirms our commitment to staying ahead of the curve
for modern Drupal deployments.
We are thrilled to introduce BOA-5.9.1 PRO/LTS, our 8th release under the
new branch structure and dual licensing model. It merges 2 months of
intense development from the DEV branch, delivering 333 commits packed
with powerful features, critical fixes, and enhancements.
Thank you to everyone who supports our work by purchasing a BOA PRO license:
https://omega8.cc/boapro.
@=> Key Improvements Explained
* HTTP/3 and KTLS support. If you run Drupal sites that should feel fast and
responsive (and stay that way during spikes), this is genuinely good news.
Why is this a big deal? What should visitors notice?
Read the full story: https://github.com/omega8cc/boa/tree/5.x-dev/HTTP3.md
* Percona 8.4 comes to Excalibur. We no longer need vanilla MySQL 8.4 now that
Percona has released its own build for Debian Trixie, which can be used on
Devuan Excalibur. There is no MySQL-to-Percona upgrade option yet, though.
Please note that we still recommend Devuan Daedalus as the most versatile
system, which can also support Percona 8.0 and 5.7.
* Curious if your VM is good enough to fully benefit from BOA optimisations
and deliver a first-class Drupal hosting environment? There’s a deep
hardware and network analysis tool available: simply type `perftest` as root.
* From now on, all BOA installers will download their components as packaged
batches instead of dozens of separate little modules. They will also no longer
rely on fetching complete repositories from GitHub, instead downloading only
the latest packaged code from our mirrors. You can revert to the old method
by changing _DL_MODE=BATCH to _DL_MODE=GIT in /root/.barracuda.cnf
@=> New Features
* Add chromium as alternative for wkhtmltopdf
* Add Java 21 for Solr 9 and Jenkins
* Add kTLS support in Nginx config
* Add Red Hat KVM guest to supported virtualization systems
* Allow access to site-specific well-known/mta-sts.txt file
* Enable quic/http3 support in Nginx
* Percona 8.4 comes to Excalibur to replace vanilla MySQL 8.4
@=> New Improvements
* Add _disable_systemd_networkd_for_next_boot
* Add _init_debian_networkd_handoff in autoinit
* Add _install_net_rollback in vmnetfix
* Add aptfast as multi-lane aptitude wrapper for faster downloads
* Add ciphers required by kTLS in Nginx
* Add triple check for base-files
* Improve and modernize Nginx build configuration options
* Improve autoinit support for some vendors with _init_sysv_net_repair
* Improve autoinit with _init_sysv_insserv_repair
* Improve DHCP/NAT support in vmnetfix
* Improve ffmirror
* Improve reliability of autoinit on 10+ vendors tested
* Improve usage info
* Improve vmnetfix with _iface_has_dhcp_for_if
* Modernize 301 redirects
* Nginx: extend log_format to include protocol used
* Prefer ifupdown over ifupdown2
* Simplify and sync _if_off_apparmor/_turn_off_apparmor
* Special-case Java 11/17/21 force install if version is too old
* Sync Ægir naming convention
* Sync config for GeoLite2
* Uninstall cloud-utils if not required -- makes reboot faster
* Update networking with vmnetfix early
* Update SSL proxy vhosts if KTLS is missing
* Use _DL_MODE=BATCH by default
* Use Java 21 also on older systems if installed
@=> Changes
* Add strict locking to /etc/resolv.conf
* Enable access_log in proxy so DoS-guard can still work
* Prioritize modern ed25519 SSH keys
* Run /var/xdrago/clear.sh every 3 minutes
* Run /var/xdrago/ip_access.sh every 2 minutes
* Run /var/xdrago/manage_ltd_users.sh every minute
* Run /var/xdrago/manage_solr_config.sh every minute
* Switch default PHP to 8.4
* Turn off AppArmor in autoinit phase
* Use nginx restart instead of quietupgrade
@=> Upgrades
* cURL 8.17.0
* cURL 8.18.0
* GoAccess 1.9.4
* ionCube 15.0.0 (up to PHP 8.4)
* Nginx 1.29.4
* Nginx 1.29.5
* OpenSSL 3.4.4
* OpenSSL 3.5.6 LTS
* PHP 8.1.34
* PHP 8.2.30
* PHP 8.3.29
* PHP 8.3.30
* PHP 8.4.16
* PHP 8.4.17
* PHP 8.5.1
* PHP 8.5.2
* screenFetch 3.9.9
* Sync dehydrated updates
* Valkey 9.0.1
* Valkey 9.0.2
@=> Important Fixes
* Block language-prefix chain URL mutation crawlers spam
* Block node-chain URL mutation crawlers spam
* Fix for PHP 5.6 in Block node and language-prefix chain URL mutation spam
* Percona 8.4 from Trixie requires percona-telemetry-agent
* Remove unconditional _apt_clean_update running every 3 minutes
* Removing all .drush.inc files under modules/contrib/webform
* Restore less noisy _manage_sec_access_paths
* Restore nginx auto-reload after PHP version update
* Sync all PHP logs backup/cleanup after upgrade to force PHP-FPM reload
* Use _check_virt/_not_supported_virt early
@=> Drupal platforms available for installation -- docs/PLATFORMS.md
## Drupal 11
CK3 - [Commerce 3.2.0] with core (11.3.3) (UPDATED)
CMS - [Drupal CMS 2.0.0] with core (11.3.3) (NEW)
DE1 - [Drupal 11.1.9] with Drush included -- dev/stage/prod
DE2 - [Drupal 11.2.10] with Drush included -- dev/stage/prod (UPDATED)
DE3 - [Drupal 11.3.3] with Drush included -- dev/stage/prod (NEW)
SCR - [Sector 11.0.x-dev] with core (11.3.3) (UPDATED)
THR - [Thunder 8.3.1] with core (11.3.3) (UPDATED)
VBX - [Varbase 10.1.0] with core (11.3.1) (NEW)
## Drupal 10
CK2 - [Commerce v.2] with core (10.1.8)
DX0 - [Drupal 10.0.11] with Drush included -- dev/stage/prod
DX1 - [Drupal 10.1.8] with Drush included -- dev/stage/prod
DX2 - [Drupal 10.2.12] with Drush included -- dev/stage/prod
DX3 - [Drupal 10.3.14] with Drush included -- dev/stage/prod
DX4 - [Drupal 10.4.9] with Drush included -- dev/stage/prod
DX5 - [Drupal 10.5.8] with Drush included -- dev/stage/prod (UPDATED)
DX6 - [Drupal 10.6.3] with Drush included -- dev/stage/prod (NEW)
DXP - [DXPR Marketing 10.3.0] with core (10.3.6)
EZC - [EzContent 2.2.15] with core (10.3.6)
FOS - [farmOS 3.5.1] with core (10.6.2) (UPDATED)
LGV - [LocalGov 3.4.0] with core (10.6.3) (UPDATED)
OCS - [OpenCulturas 2.5.4] with core (10.5.8) (UPDATED)
OFD - [OpenFed 12.2.4] with core (10.2.10)
SOC - [Social 12.4.5] with core (10.2.10)
VB9 - [Varbase 9.1.13] with core (10.6.1) (UPDATED)
## Drupal 9
DL9 - [Drupal 9.5.11] -- dev/stage/prod
OLS - [OpenLucius 2.0.0] with core (9.5.11)
OPG - [Opigno LMS 3.1.0] with core (9.5.11)
## Drupal 7
CK1 - [Commerce v.1] with core (7.105.1) (UPDATED)
DL7 - [Drupal 7.105.1] -- dev/stage/prod (UPDATED)
UC7 - [Ubercart 3.13] with core (7.105.1) (UPDATED)
## Drupal 6
DL6 - [Pressflow 6.60.1] -- dev/stage/prod
UC6 - [Ubercart 2.15] with core (6.60.1)
###
### Stable BOA-5.8.5-pro/lts - 30 Years of Heritage Edition
### Date: Mon Dec 1 09:58:58 AM AEDT 2025 in Sydney
### Welcome Devuan Excalibur and PHP 8.5
### 1092 commits since BOA-5.7.12-pro
###
@=> 30 Years of Heritage -- Why We’re Different
We are unique within the hosting industry for many important reasons.
Our 15 years of Ægir-based hosting, plus earlier experience with Adgrafix
(the first company to offer a control panel for website management in 1995),
have helped shape what makes us different today.
We take Open Source seriously, it's not a buzzword for us. It's about freedom
from corporate control. Here's a short look back at our 15-year Ægir journey
and 19 years with Drupal.
Read the full story: https://bit.ly/different30y
@=> The Future of Ægir 3 is Bryght!
Omega8.cc is now the lead developer team for Ægir 3 running on BOA
(Barracuda-Octopus-Ægir stack). We want to thank all past contributors
who brought Ægir to life – your work makes today’s progress possible.
Because of you, there is still a Bryght Future for Ægir. What to Expect?
Read the full story: https://bit.ly/aegirbryghtfuture
@=> New BOA-5.8.5 PRO/LTS Release
The future of Drupal hosting is here! With BOA-5.8.5 PRO/LTS, we proudly
deliver both full Drupal 11 support integrated with Ægir and latest PHP 8.5,
now available on the latest Devuan Excalibur / Debian Trixie system.
This groundbreaking feature not only pushes the boundaries of what the BOA
can achieve but also reaffirms our commitment to staying ahead of the curve
for modern Drupal deployments.
Powered by Percona 8.4 and fine-tuned to leverage the latest innovations
across the stack, this update sets a new standard for hosting next-generation
Drupal applications while continuing to fully support legacy Drupal versions,
ensuring smooth operations for every site in your ecosystem, old or new.
We are thrilled to introduce BOA-5.8.5 PRO/LTS, our 7th release under the
new branch structure and dual licensing model. It merges four months of
intense development from the DEV branch, delivering 1092 commits packed
with powerful features, critical fixes, and enhancements.
Thank you to everyone who supports our work by purchasing a BOA PRO license:
https://omega8.cc/boapro.
As always, this announcement highlights only the most impactful changes.
For a full breakdown, explore the complete commit history.
@=> Key Improvements Explained
* Any expected downtime during barracuda system upgrades has been reduced
from 2-3 minutes to 10-14 seconds on average thanks to our improvements
across the board in the BOA system logic.
* BOA now consistently pauses Ægir tasks queue if any system-backend tasks
are running -- this includes any barracuda/octopus upgrades, the heavy
daily.sh script and nightly DB backups, so no Ægir tasks should ever
collide with those important system tasks.
* The auto-healing system has been rewritten from scratch and greatly
improved for precision, stability and protection from race conditions,
with added smart cooldown pause to avoid unnecessary interventions.
* The _SKYNET_MODE=OFF now strictly blocks any updates otherwise applied
via the autoupboa tool running every 6 minutes, but also blocks any attempt
to run barracuda or octopus upgrades, even if invoked manually.
* Many vendor-specific issues affecting BOA installation on VPS platforms
have been addressed for both older and newer Devuan/Debian releases,
especially for the autoinit procedure recommended as the first step.
* We no longer hardcode Devuan's own APT sources lottery alias deb.devuan.org
and instead test and pick reputable mirrors to use the fastest in the
given server's location.
* We limit the messaging noise generated by various parts of the new
auto-healing system by switching the _INCIDENT_REPORT to NO by default,
so only really critical incidents like service restarts caused by OOM
(out of memory) incidents are still reported.
* The legacy _XTRAS_LIST logic has been improved with changes documented.
Now _XTRAS_LIST is by default EMPTY and extended only minimally depending
on mode, so almost no BOA xtras are installed by default like before.
* The _CUSTOM_CONFIG_CSF should protect only /etc/csf/csf.conf.
Previously it blocked CSF/LFD upgrades completely while it should protect
only the main config file. If the protected config file becomes incompatible
as a result, it’s the system admin's responsibility to update it manually.
* New control file /root/.dont.touch.permissions.cnf allows blocking any
otherwise defined/run actions globally by taking precedence over any other
settings in .barracuda.cnf and site/platform-level INI files.
@=> New Features
* Add _UPGRADE_MODE=FAST/FULL mode to speed up barracuda upgrades
* Add /data/conf/sites-cron-off.ctrl to turn off all sites wget-cron
* Add autosymlink tool to automate symlinking sites files directories
* Add cooldown to max/critical load actions in auto-healing
* Add dhcpfix tool used to fix vendor-specific forced-dns issues if needed
* Add Droplet Agent to auto-healing
* Add environment_indicator to Ægir hostmaster control panel
* Add ffdevuan tool to update the list of reliable and fastest mirrors
* Add instant SQL fallback for Valkey/Redis to global-valkey.inc
* Add loadguard as future auto-healing orchestrator for testing
* Add new dedicated tools: aptcleanup and vmnetfix in autoinit
* Add support for python 3.13
* Add synproxy tool: SYNPROXY (TCP/443/80) + QUIC limiter (UDP/443) for CSF
* Add system level /root/.dont.touch.permissions.cnf
* Allow _LOCAL_DEVUAN_MIRROR but use _find_fast_devuan_mirror otherwise
* Auto-enable/disable slow_query_log with /root/.mysqladmin.monitor.cnf
* PHP 8.5 Support is ready
* Protect from any autoupboa updates when _SKYNET_MODE=OFF
* Protect from any barracuda updates when _SKYNET_MODE=OFF
* Protect from any octopus updates when _SKYNET_MODE=OFF
* Use MySQL 8.4 from Trixie on Excalibur until Percona releases own version
@=> New Improvements
* Add "How we build newer codebases for testing" in docs/BUILDTESTS.md
* Add waiting before running octopus upgrade on init
* Always check if /etc/hosts update is needed
* Always use _spawn_detached procedure for Perl scripts
* Always use nohup for detached Bash scripts
* Build OpenSSL 3 w/o no-comp, no-hw
* Check LE status and run another octopus upgrade if needed on boa install
* Do not install Git from sources on BOA install
* Do not send email on Spider Protection on/off
* Enable APCu by default
* Improve Ægir accelerated task queue
* Make Solr/Java versions mapping strict
* No automatic task queue on CI instance
* Notify if multiback backups seem to run for too long
* Pause Ægir queue when /run/boa_run.pid is present
* Pause Ægir queue when daily.sh runs
* Pause Ægir tasks queue during system DB backups
* Prevent a flood of alerts on services up/down status if uptime < 15 min
* Reload nginx if access log is missing or empty
* Run _CHECK_MIRROR twice to prime DNS cache before the final speed test
* Run _satellite_download_for_local_build only once on install
* Run auto-healing only on fully installed system
* Run improved scan_nginx.sh every 5 seconds
* Save CPU cycles by disabling never used master Ægir cron/task queue
* Sync /root/.allow.clamav.cnf and /root/.deny.clamav.cnf logic
* Update APT sources on each upgrade
* Update Devuan mirrors daily
* Upgrade some held packages if needed and then rebuild from sources
* Use _find_fast_devuan_mirror by default but static for archived beowulf
* Use 180s opcache.revalidate_freq for heavy apps like CiviCRM
* Use 60s opcache.revalidate_freq by default
* Use Atomic lock/unlock to prevent TOCTOU race conditions globally
* Use separate verbose logs for barracuda/octopus upgrade details and errors
* Use special /var/log/boa/reset_no_new_password.pid to allow auto-healing
@=> Changes
* Add New Relic support for PHP 8.4
* Add Pinterest to $is_crawler list in Nginx configuration
* Always log all barracuda/octopus upgrades, even self-upgrades
* Debian Buster has been archived already
* Display BOA Skynet Agent mesages only for logged in root
* Do not automate /root/.force.reinstall.cnf
* Don't invoke old proc_num_ctrl (replaced by new-generation auto-healing)
* Don't run codebasecheck daily unless /root/.allow-codebasecheck.cnf exists
* Drop legacy IMAP in PHP on Excalibur
* Force _VALKEY_MAJOR_RELEASE=9 unless _CUSTOM_CONFIG_VALKEY=YES
* Force slow Ægir tasks cron mode on VM with 4GB RAM or less
* Move APCu config to parent INI
* Move Zend OPcache config to parent INI
* Remove 60s wait on boa reboot
* Remove Percona 8.3 support
* Restore the _SQLMONITOR feature
* Turn _INCIDENT_REPORT globally off by default
* Use _BINLOG_KEEP_HOURS 24
* Use Ægir install check for /var/aegir/.drush/hm.alias.drushrc.php
* Use cache.backend.chainedfast for selected bins
* Use slower _iteration in second.sh in auto-healing system
@=> Upgrades
* Commerce 3.2.0 with core 11.2.8
* CSF/LFD 15.00
* cURL 8.16.0
* Drupal 10.4.9
* Drupal 10.5.6
* Drupal 11.1.9
* Drupal 11.2.8
* Drupal 7.103.2 +Extra core
* Drupal 7.105.1 +Extra core LTS
* Drupal CMS 1.2.8 with core 11.2.8
* Duplicity 3.0.6
* farmOS 3.4.6 with core 10.4.9
* Git 2.51.0
* LocalGov 3.3.1 with core 10.5.6
* New Relic 12.2.0.27
* Nginx 1.29.1
* Nginx 1.29.3
* Node v22.20.0
* Node v22.21.0
* OpenCulturas 2.5.4 with core 10.5.6
* Openjdk 11.0.29
* OpenSSH 10.2p1
* OpenSSL 3.4.3
* PHP 8.3.24
* PHP 8.3.25
* PHP 8.3.26
* PHP 8.3.27
* PHP 8.3.28
* PHP 8.4.11
* PHP 8.4.12
* PHP 8.4.13
* PHP 8.4.14
* PHP 8.4.15
* PHP APCu 5.1.27
* PHP igbinary 3.2.16
* PHP igbinary 3.2.17 for 8.5
* PHP imagick 3.8.0
* PHP Yaml Pecl 2.2.5
* PHP_MCRYPT 1.0.9 for 7.3 and newer
* PHPREDIS 6.3.0
* Pure-FTPd 1.0.52
* Python 3.13.9 for Duplicity
* REDIS integration module 8.x-1.11.2 for Drupal 11.x
* Sector 11.0.x-dev with core 11.2.8
* Thunder 8.2.6 with core 11.2.8
* Unbound 1.24.1
* Unbound 1.24.2
* Valkey 7.2.11
* Valkey 9.0.0
* Varbase 10.0.8 with core 10.5.6
* Varbase 9.1.12 with core 10.5.2
* vnStat 2.13
@=> Important Fixes
* Add _fix_stop_solr to Fix Solr 7/9 conflicting ports
* Add _if_drupal_patches_update — fixes #1892
* Allow cron web based requests even with HTTP Basic enabled in Ægir
* Always call updatedb with -y in Ægir Provision backend
* Always fix /etc/hosts before checking /etc/hostname
* Auto-update hostname if doesn’t match /etc/hostname
* Cron-only PHP entrypoint for Drupal 8+ w/ auth_basic turned off on the fly
* Detect and fix broken downloads in /data/conf/patches/ — fixes #1906
* Do not add date stamps to scripts — fixes #1891
* Do not run duplicate unbound-control reload
* Don't execute daily.sh until all installation procedures are finalized
* Duplicity backups: replace --file-to-restore w/ --path-to-restore (#1901)
* Fix access control for packages view in Ægir control panel
* Fix broken _XTRAS_LIST logic and document changes
* Hotfix for legacy vnStat installs — fixes #1908
* Improve _if_mydumper_is_locked procedure action/reporting in auto-healing
* Improve _solr_health_check_fix to detect stale pid files
* Install igbinary before redis extension to avoid redis ext build failure
* Install key DNS tools early with autoinit
* Java 17 should be set as default on Daedalus
* Limited Shell wrapper for Drush improvements — fixes #1907
* Make local OpenSSL new/legacy ssl/certs symlinked to system ssl/certs
* Remove duplicate unbound auto-healing
* Remove Permissions-Policy headers from Nginx level
* Remove server own IP from /etc/hosts if exists
* Set /etc/hostname before barracuda install
* Stop displaying useless expired one-time login link on boa install
* The _CUSTOM_CONFIG_CSF should protect only /etc/csf/csf.conf
* The maxmemory update for Valkey was missing — fixes #1893
* Update Nodejs/NPM install logic to always force upstream — fixes #1910
* Use drupal-ten-aegir-core-01.patch for Drupal 11.1.x
* Use strict check for virt-what tool
@=> Drupal platforms available for installation -- docs/PLATFORMS.md
## Drupal 11
CK3 - [Commerce 3.2.0] with core (11.2.8) (NEW)
CMS - [Drupal CMS 1.2.8] with core (11.2.8) (NEW)
DE1 - [Drupal 11.1.9] with Drush included -- dev/stage/prod (NEW)
DE2 - [Drupal 11.2.8] with Drush included -- dev/stage/prod (NEW)
SCR - [Sector 11.0.x-dev] with core (11.2.8) (NEW)
THR - [Thunder 8.2.6] with core (11.2.8) (NEW)
## Drupal 10
CK2 - [Commerce v.2] with core (10.1.8)
DX0 - [Drupal 10.0.11] with Drush included -- dev/stage/prod
DX1 - [Drupal 10.1.8] with Drush included -- dev/stage/prod
DX2 - [Drupal 10.2.12] with Drush included -- dev/stage/prod
DX3 - [Drupal 10.3.14] with Drush included -- dev/stage/prod
DX4 - [Drupal 10.4.9] with Drush included -- dev/stage/prod (NEW)
DX5 - [Drupal 10.5.6] with Drush included -- dev/stage/prod (NEW)
DXP - [DXPR Marketing 10.3.0] with core (10.3.6)
EZC - [EzContent 2.2.15] with core (10.3.6)
FOS - [farmOS 3.4.6] with core (10.4.9) (NEW)
LGV - [LocalGov 3.3.1] with core (10.5.6) (NEW)
OCS - [OpenCulturas 2.5.4] with core (10.5.6) (NEW)
OFD - [OpenFed 12.2.4] with core (10.2.10)
SOC - [Social 12.4.5] with core (10.2.10)
VB9 - [Varbase 9.1.12] with core (10.5.2) (NEW)
VBX - [Varbase 10.0.8] with core (10.5.6) (NEW)
## Drupal 9
DL9 - [Drupal 9.5.11] -- dev/stage/prod
OLS - [OpenLucius 2.0.0] with core (9.5.11)
OPG - [Opigno LMS 3.1.0] with core (9.5.11)
## Drupal 7
CK1 - [Commerce v.1] with core (7.105.1) (NEW)
DL7 - [Drupal 7.105.1] -- dev/stage/prod (NEW)
UC7 - [Ubercart 3.13] with core (7.105.1) (NEW)
## Drupal 6
DL6 - [Pressflow 6.60.1] -- dev/stage/prod
UC6 - [Ubercart 2.15] with core (6.60.1)
###
### Stable BOA-5.7.12-pro - Full Edition
### Date: Tue Jul 29 08:44:02 AM AEST 2025 in Sydney
###
@=> New BOA-5.7.12 PRO Release
This maintenance release delivers critical hot-fixes and essential
component upgrades to ensure maximum stability and compatibility across
all environments.
Immediate upgrade of both Barracuda and Octopus is strongly recommended
to benefit from these fixes and avoid potential issues.
@=> Important Fixes
* Add _elevenValidatorPatch to fix Drupal 11 CMS distro fatal error
* Fix typo in --with-avif for PHP 8.1+ — fixes #1881
* Removing all .drush.inc files only in Drupal 11 -- fixes #1885 and #5
@=> Changes
* Back to non-phar drush8 to restore PHP-CLI live PHP switch capability
@=> Upgrades
* Drush 8.5.0.4 classic
* Unbound 1.23.1
###
### Stable BOA-5.7.11-pro - Full Edition
### Date: Fri Jul 25 06:53:03 PM BST 2025 in London
### Welcome Drupal 11—Ægir Mission Impossible—Again!
###
@=> New BOA-5.7.11 PRO Release
Drupal 11 with Ægir 3: They Said It Couldn’t Be Done — We Did It Anyway
The future of Drupal hosting is here! With BOA-5.7.11 PRO, we proudly deliver
what many thought impossible—full Drupal 11 support integrated with Ægir 3.
This groundbreaking feature not only pushes the boundaries of what the BOA
can achieve but also reaffirms our commitment to staying ahead of the curve
for modern Drupal deployments.
This release marks a major milestone: for the first time, BOA users can
seamlessly install, manage, and scale Drupal 11 sites with all the automation,
performance, and reliability you’ve come to expect.
Powered by Percona 8 and fine-tuned to leverage the latest innovations
across the stack, this update sets a new standard for hosting next-generation
Drupal applications while continuing to fully support legacy Drupal versions,
ensuring smooth operations for every site in your ecosystem, old or new.
We are thrilled to introduce BOA-5.7.11 PRO, our 5th release under the
new branch structure and dual licensing model. It merges seven months of
intense development from the DEV branch, delivering over 340 commits packed
with powerful features, critical fixes, and enhancements.
Thank you to everyone who supports our work by purchasing a BOA PRO license:
https://omega8.cc/boapro.
As always, this announcement highlights only the most impactful changes.
For a full breakdown, explore the complete commit history.
@=> New Features
* Drupal 11 support (requires Percona 8)
* Install or update CiviCRM CLI Tool phar
* MultiCore Apache Solr 9 support
* Use Valkey and drop Redis support
* Write usage reports also to ~/static/usage/
@=> Improvements
* Add _mysql_high_load procedure
* Add --with-avif to compatible PHP versions 8.1+
* Add check for downloaded dehydrated script integrity
* Add fstab helper for Linode Volumes
* Add mysql root password reset helper
* Allow to force symlinks mode with empty /data/conf/force_symlinks.conf
* Drupal 10+ core patches files are no longer added to codebase
* Drupal 11 site installation details including admin pwd in the task log
* Drupal 11 site is installed via site-platform-local Drush
* Improve _PHP_CLI detection, also from static/control/cli.info
* Improve permissions fix to include parent dir if app root != web root
* Local Drush locking/unlocking no longer adds control files in codebase
* Lock Local Drush and Symfony Console Input/Style in daily.sh
* Lock/Unlock Local Drush is more reliable with both Provision and bash
* More robust support for real IP detection behind vaious proxies
* Symfony Console Input/Style locking more reliable with live diff/patch
* Use faster SQL auto-healing for Too many connections
* Use older CSF/LFD for legacy systems
* Use queue.redis_reliable but only for core D8 to D10
@=> Changes
* Always use system Drush 8 PHAR instead of Ægir local Drush
* Install System Drush 8 as PHAR (self-contained)
* Mark Apache Solr 4 with Jetty 9 as (deprecated)
* Solr is no longer included via ALL keyword in the _XTRAS_LIST
@=> Upgrades
* CSF 14.24
* cURL 8.14.1
* dehydrated 0.7.3
* Drush 8.5.0.4
* MultiCore Apache Solr 9.8.1
* Nginx 1.29.0
* OpenSSH 10.0p2
* OpenSSL 3.4.2
* PHP 8.1.33
* PHP 8.2.29
* PHP 8.3.23
* PHP 8.4.10
* Valkey 7.2.10
@=> Important Fixes
* Allow LE with HTTP Basic Auth fixed by Naurisr in #1790
* Remove too aggressive bots protection on /civicrm URLs
@=> Drupal platforms available for installation -- docs/PLATFORMS.md
## Drupal 11
CK3 - [Commerce v.3] with core (11.2.2)
DE2 - [Drupal 11.2.2]
SCR - [Sector 11.0.x-dev] with core (11.2.0)
THR - [Thunder 8.2.1] with core (11.2.2)
## Drupal 10
CK2 - [Commerce v.2] with core (10.1.8)
DX0 - [Drupal 10.0.11]
DX1 - [Drupal 10.1.8]
DX2 - [Drupal 10.2.12]
DX3 - [Drupal 10.3.14]
DX4 - [Drupal 10.4.8]
DX5 - [Drupal 10.5.1]
DXP - [DXPR Marketing 10.3.0] with core (10.3.6)
EZC - [EzContent 2.2.15] with core (10.3.6)
FOS - [farmOS 3.3.1] with core (10.3.6)
LGV - [LocalGov 3.1.3] with core (10.5.1)
OCS - [OpenCulturas 2.2.1] with core (10.3.6)
OFD - [OpenFed 12.2.4] with core (10.2.10)
SOC - [Social 12.4.5] with core (10.2.10)
VBX - [Varbase 10.0.6] with core (10.5.1)
VB9 - [Varbase 9.1.10] with core (10.5.1)
## Drupal 9
DL9 - [Drupal 9.5.11]
OLS - [OpenLucius 2.0.0] with core (9.5.11)
OPG - [Opigno LMS 3.1.0] with core (9.5.11)
## Drupal 7
CK1 - [Commerce v.1] with core (7.103.1)
DL7 - [Drupal 7.103.1]
UC7 - [Ubercart 3.13] with core (7.103.1)
## Drupal 6
DL6 - [Pressflow 6.60.1]
UC6 - [Ubercart 2.15] with core (6.60.1)
###
### Stable BOA-5.6.0-pro - Full Edition
### Date: Tue Dec 31 06:12:44 AM AEDT 2024 in Sydney
### Happy New Year!
###
@=> New BOA-5.6.0 PRO Release – Happy New Year!
We're thrilled to introduce BOA-5.6.0 PRO, our latest release and the fourth
under our new branch structure and dual licensing model.
This PRO release brings the project fully in sync with the DEV branch,
which has been actively developed over the past two months, incorporating
over 750 commits since BOA-5.5.0.
We extend our heartfelt thanks to all of you who support our work
by purchasing a BOA Pro license: https://omega8.cc/boapro.
As always, this announcement covers only the most impactful new features,
critical fixes, and enhancements. For a comprehensive list of all updates,
please refer to the full commit history.
@=> New Features
* Active Sites Databases Backups are available in ~/static/files/dbackup/
* Add experimental support for Cloudflare R2 Object Storage
* Add mergecsf tool to join and de-duplicate legacy csf configuration
* Add perftest tool to test hardware performance within VM
* Add php-cli access for [grp:ltd-shell-more]
* Add smtpgapps tool to install and configure msmtp on Devuan
* Add support for all AWS S3 regions, including dual-stack endpoints
* Add support for php-rebuild or php-reinstall on barracuda upgrade
* Add support for separate /root/.deny.solr7.cnf and /root/.deny.jetty9.cnf
* Add verifyvhostsdns tool to check all vhosts for aliases with invalid DNS
* New Relic Integration for Drupal with Drush Compatibility (8, 12, 13)
* PHP 8.4 is fully supported and installed by default
* Remote System Backups use `global`, `data` and optional `custom` buckets
* Completely New Backups! There is too much to cover, so please refer to
our extensive new documentation pages for all details.
This new feature is exclusive to BOA PRO and will not be ported to LTS.
New PRO Backups for BOA SysAdmin:
https://github.com/omega8cc/boa/tree/5.x-pro/docs/BACKUP_ROOT.md
New PRO Backups for Octopus Lshell User:
https://github.com/omega8cc/boa/tree/5.x-pro/docs/BACKUP_USER.md
New PRO Backups Retention Policy Configuration:
https://github.com/omega8cc/boa/tree/5.x-pro/docs/BACKUP_RETENTION.md
New PRO Backups Supported Regions and Bucket Creation Guidelines:
https://github.com/omega8cc/boa/tree/5.x-pro/docs/BACKUP_REGIONS.md
@=> Improvements
* Add _backup_waiting_notify to make admin aware of the backup status
* Add _csf_lfd_gateway_allow()
* Add _linode_vm_postinstall()
* Add _turn_off_apparmor unless /root/.keep_apparmor_on.cnf
* Add /etc/cron.hourly/systemtime
* Add auto-restore of backup_schedule
* Add boa info to all backup reports
* Add cleanup for /var/lib/redis/ on OOM incident
* Add d7security_client-7.x-1.3 to o_contrib_seven and Hostmaster
* Add early aa-teardown on init to make sure that AppArmor is turned off
* Add function to auto-repair incomplete backup sets
* Add local Ægir Third Party Libraries
* Add more checks to make sure that OpenSSL is fully up to date
* Add support for /root/.turn.off.auto.update.cnf
* Add support for cloudflare-dns-ssl-py.info and cloudflare-dns-ssl-sh.info
* Add wkhtmltox_0.12.6.1-3 for Daedalus
* Ægir Hostmaster: Log wget cron runs
* Ægir Provision: Install local Drush automatically on platform verify and unlock
* Always run dist-upgrade twice -- helps with slow access to Devuan servers
* Configure backups --concurrency dynamically
* Disable _if_start_screen with noscreen in the args
* Disable backup_schedule on systems with too low free RAM
* Do not install CSF until BOA installation is complete on Linode
* Do not install csf/lfd on Linode early
* Do not reinstall Duplicity unless /root/.force.duplicity.reinstall.cnf exists
* Drupal 7 now supports and expects Trusted Host Patterns
* Improve all wget/curl downloads with proper re-try logic
* Improve and simplify _switch_php()
* Improve sysctl.conf template
* Improve tools/le/hooks/cloudflare logic
* Install or upgrade csf/lfd monitoring early
* Install wkhtmltopdf from packages first to get all dependencies
* Integrate original _SKYNET_MODE docs/history
* More fixes in the vdrush wrapper to support Drush 13
* Move /data/disk/arch to global and /home to data backups
* Move certain log scanners from the slow minute.sh to fast second.sh loop
* Replace direct exec with _forward_to_shell in shell wrapper
* Report also on newrelic-daemon and monagent versions in boa info
* Run guest-water.sh right after CSF install or upgrade
* Run orphaned duplicity processes cleanup separately
* Sync _sql_busy_detection with max_connect_errors
* Sync barracuda.cnf templates and docs
* Sync sshd restart procedure across all scripts
* Update barracuda config with missing vars if any
* Update email template to remove confusing legacy details
* Update xboa email templates
* Use include/exclude instead of exclude/include logic
* Use just one graceful csf restart on upgrade
* Use newer, supported --copy-links option in Duplicity
* Use noscreen in non-interactive scripts launched by parent scripts or cron
* Waiting 8 minutes before attempting to run enforced post-install upgrade
@=> Changes
* Add docs/IPv6.md to explain why BOA disables IPv6 by default
* Disable confusing hosting_client_send_welcome with non-working login link
* Disable memory swap when running duplicity
* Disable no longer supported GSSAPIAuthentication in SSH config
* Disable performance_schema for Percona 5.7 but enable for 8.0+
* Disable ssl_stapling and fix http2 directive
* Do not auto-re-enable swap
* Enforce Composer 2.8.2 (because 2.8.3+ breaks previously working builds)
* Force sysctl.conf.mod-disable-ipv6
* Introducing the New BOA Branching Scheme -- see docs/BRANCHES.md
* Move /bin/websh to /opt/local/bin/websh
* Newest Python should be installed only with barracuda or backup tools
* Remove hosting_cron_use_backend.txt support
* Remove no longer supported legacy _SCOUT_KEY
* Remove no longer supported legacy HHVM
* Set SOLR WAIT to 8s to speed up reboot and services restarts
* The oldest NewRelic supported PHP version is 7.2
* Update and Sync nice/renice logic for scripts and services
* Update boa-mirrors-2024-12.txt
* Updates for lshell.conf template
* Use gzip to compress classic myslqdump backups
* Use zero tolerance mode for SSH/FTP failed login attempts
* Use zstd to compress mydumper sql backups
* We have now doubled the disk space in all our hosted plans
@=> Upgrades
* Composer 2.8.2
* cURL 8.11.1
* Drupal 7.103.1
* Drush 8.5.0.1
* Duplicity 3.0.3.2
* ionCube 14.0.0 (up to PHP 8.3)
* New Relic 11.4.0.17
* Nginx 1.27.3
* OpenSSL 3.4.0
* PHP 8.1.31
* PHP 8.2.27
* PHP 8.3.15
* PHP 8.4.2
* PHP APCu 5.1.24
* PHP MCRYPT 1.0.7
* Unbound 1.23.1
* Use phpredis 4.3.0 with PHP 5.6
* Use phpredis 6.1.0 for 7.4 and newer
@=> Important Fixes
* Ægir Hostmaster: Improve hosting_cron_queue reliability
* Ægir Hostmaster: Unset variables at the end of the loop
* Ægir Provision: Add backup mode ctrl file cleanup on clone and migrate
* Ægir Provision: Add more supported compression variants
* Ægir Provision: Do not confuse PDO and MySQLi conventions
* Ægir Provision: Fix Drush 13 support by invoking vendor/drush/drush/drush.php
* Ægir Provision: Follow symlinks to include all files in custom backup task only
* Ægir Provision: Improve function revoke()
* Ægir Provision: Prioritize '.tar.zst' as provision_backup_suffix
* Ægir Provision: Use supported localhost in can_grant_privileges()
* Allow _php_if_versions_cleanup_cnf if Master Ægir was not upgraded yet
* Barracuda downgrade protection should not rely on key/barracuda_key.txt
* Constant E_STRICT is deprecated in PHP 8.4
* Disable shell wrapper on system stop/start early
* Double check if /etc/init.d/nginx is really updated
* Excessive email notifications due to DHCP error checks #1829
* Final fixes in shell wrapper make it rock solid again
* Fix and sync all apt options
* Fix autoinit conflicting functions
* Fix for --enable-redis-lzf also in _php_extensions_update()
* Fix for counting symlinked files in resources usage monitoring
* Fix for duplicate http2 in all vhosts on upgrade
* Fix for platforms deployed using Manage with Git method
* Fix for SFTP chroot by using external mode in Subsystem sftp
* Fix the bug in the shell wrapper when composer is both a command and argument
* Fix the logic for Devuan base-files update for Daedalus
* Fix the logic in _ifnames_grub_check_sync()
* Improve the http2/ssl_stapling logic
* Legacy MCRYPT can’t be used with PHP 8.4
* Make sure that both web and app root dirs are group writable
* Make sure we add keys in a new line in xboa
* More capabilities to satisfy complex composer tasks
* Octopus downgrade protection should not rely on tools/key/octopus_key.txt
* Patch hosting_cron.module automatically to make web cron 100% reliable
* Remove duplicate ssl directives in all vhosts templates
* Sync include/openssl extended check for latest version
* Sync max allowed PHP-FPM versions running (11)
* Sync maxBooleanClauses for new Solr cores to 4096
* Sync PHP 8.3 precedence -- it's still default version
* Use dash by default and limit the use of _forward_to_shell
###
### Stable BOA-5.5.0-pro - Full Edition
### Date: Sat 26 Oct 2024 09:49:51 AM PDT in Santa Clara
###
@=> New BOA-5.5.0 PRO Release – Thank You for Your Support!
We're thrilled to introduce BOA-5.5.0 PRO, our latest release and the third
under our new branch structure and dual licensing model.
This PRO release brings the project fully in sync with the DEV branch,
which has been actively developed over the past several months, incorporating
nearly 400 commits since BOA-5.4.0.
BOA-5.5.0 PRO also comes equipped with 26 Ægir-ready platforms, supporting
either Drupal core alone or various popular Drupal distributions—seven of
which are new! These platforms include options like Commerce, DXPR Marketing,
EzContent, farmOS, LocalGov, OpenCulturas, OpenFed, OpenLucius, Opigno LMS,
Sector, Social, Thunder, Ubercart, and Varbase.
We extend our heartfelt thanks to all of you who support our work
by purchasing a BOA Pro license: https://omega8.cc/boapro.
As always, this announcement covers only the most impactful new features,
critical fixes, and enhancements. For a comprehensive list of all updates,
please refer to the full commit history.
@=> New Features
* Added codebasecheck tool for codebase compatibility check with Percona 8.0
* Added Drush 13 support by invoking vendor/drush/drush/drush.php directly
* Added dedicated memorytuner (for testing for now)
* Added mysqltuner5 and mysqltuner8
* Added bash version scan_nginx.sh -- the Nginx DoS Guard
* Added support for more granular load limits like 1.2 2.5 3.
* Added support for non-standard /hdd mount point
* Added support for /mnt/ paths in Drush
* Added sqlclean and vhostcheck tools for root
* SQL Adminer access moved to Octopus Ægir HTTPS vhost URL at /sqladmin
* Added incident_email_report() feature to all monitor/check/ scripts
* Allow SSH based access authorization to SQL Adminer at new /sqladmin/ URL
* Added incident detection and email reporting for LE certs renewal failures
* Added screen auto-start in boa, barracuda and octopus
* Added support for Percona 8.4 LTS (for testing only, you should use 8.0)
* Added support for Percona 8.3 (for testing only, you should use 8.0)
* Added support for Percona 8.0 (production ready)
@=> Improvements
* Added _redis_cold_restart to mysql restart in the monitor/check/ scripts
* Rewrite the code used to install many new Drupal distros in Octopus
* Added Troubleshooting Docs in docs/FIXME.md (more entries soon)
* Faster _sql_busy_detection() in the monitor/check/ scripts
* Added _mysql_downgrade_protection() to avoid downgrade from Percona 8.0
* Many improvements in the Nginx DoS Guard in the monitor/check/ scripts
* Do not use fast firewall block unless /root/.instant.csf.block.cnf
* Pause some new monitors sub-tasks during BOA upgrades and backups
* Use underscore as prefix for all functions and camelCase vars
* Block only relevant ports using the monitor/check/ scripts
* Added docs on _NGINX_DOS_ variables
* Added doc on PHP versions management — fixes #1807
* Added separate docs/PHP-FPM.md and docs/DRUSH-CLI.md
* Added docs on Importance of Keeping SKYNET Enabled in BOA
* Added _CPU_TASK_RATIO to the CPU logic in auto-healing scripts
* Display currently used GRUB config in boa info
* Make the not_supported_virt() BOLD ENOUGH in boa info
* Added WARNING if /root/.allow.any.virt.cnf exists in boa info
* Display _DSK Usage for relevant partitions only in boa info
* Improved _XSY System Uptime/Load/Kernel/Disk/Memory Report in boa info
* Added Lshell version to boa info
* Always attach basic boa info report to barracuda upgrade log/email
* Improve check_php_rebuild() and add separate check_php_ssl_version()
* Explained _INCIDENT_EMAIL_REPORT variable
* Explained _SQL_MAX_TTL variable
* Explained _SQL_LOW_MAX_TTL variable
* Split big minute.sh into smaller auto-healing scripts
* Added procedure to fix empty or missing .dhp files
* Improved /root/.dont.use.fancy.bash.login.cnf logic
* Improved the octopus upgrade email tpl
* Added Key Services Uptime Report to boa info
* Pretty large defunct code cleanup
@=> Changes
* Install python3-full packages
* Duplicity: Remove Python 2 support and require OpenSSL 3
* Remove restrictions for opcache_compile_file (Grav CMS support)
* Removed legacy manage_ip_auth_access() for SQL Adminer access
* PHP 8.3 is the new default version
* Prefer system default Python3 for Lshell and src build for Duplicity
* Always run ifnames_grub_check_sync in DEMO mode unless ctrl file exists
* Remove chrony if preinstalled
* PHP 8.1 is the max version supported on Stretch and Jessie
* New Relic removed support for legacy PHP 7.0 and 7.1
* Run _update_boa_tools only when new serial or pid key is detected
* Redis extension 8.x-1.8.2 (with not needed db schema update reverted)
* Disabled backboa install in auto mode
* Allow all 7.x PHP versions on legacy (Debian) systems
* Amazon EC2 No Longer Supported (system crashes, doesn't support Devuan)
* Use legacy PHP 7.x by default on legacy Debian systems
@=> Upgrades
* Lshell 0.10
* Composer 2.8.1
* Unbound 1.21.1
* OpenSSL 3.3.2
* PHP 8.3.13
* PHP 8.2.25
* PHP 8.1.30
* OpenSSH 9.9p1
* Python 3.12.5 (for Duplicity)
* cURL 8.10.1
* Nginx 1.27.2
* ionCube 13.3.1 (also for PHP 8.3)
* MyQuick 0.16.7-3
* CSF 14.21
* Duplicity 3.0.2
@=> Important Fixes
* Fix PATH in the websh wrapper (fixes git and OpenSSL issues)
* Fix for _PHP_FPM_TIMEOUT logic
* Remove apt-listchanges on Debian (for legacy systems with broken debconf)
* Improve _if_fix_python() procedure logic
* Fix the logic for _update_boa_tools on init
* Do not remove usage.sh — fixes #1824
* Add cleanup for exclude.tag (could result with no files on clone)
* Do not restart sshd every minute
* Do not reload nginx every few minutes by default
* cURL version upgrade should happen only with barracuda upgrade
* Fix for too broad cleanup in /var/xdrago/log/
* Ignore all dynamic requests related to css/js while they are generated
* Do not log redirects (Nginx)
* Inconsistent checks for SSL version in check_php_rebuild — fixes #1815
* Use _CURL_VRN=7.50.1 for Wheezy compatibility
* Use separate log for mysql notices — fixes #1805
* Add built-in /run/unbound setup — fixes #1804
* Percona 5.7 still depends on legacy packages naming — fixes #1808
* Compatibility with legacy Python 3.5
@=> Drupal platforms available for installation -- docs/PLATFORMS.md
* Commerce Kickstart 2.77 (7.101.1)
* Commerce Base 2.40 (10.1.8)
* Commerce Kickstart 3.0.0 (10.3.6)
* DXPR Marketing 10.3.0 (10.3.6)
* EzContent 2.2.15 (10.3.6)
* farmOS 3.3.1 (10.3.6)
* LocalGov 3.0.11 (10.3.6)
* OpenCulturas 2.2.1 (10.3.6)
* OpenFed 12.2.4 (10.2.10)
* OpenLucius 2.0.0 (9.5.11)
* Opigno LMS 3.1.0 (9.5.11)
* Sector 10.0.0-rc5 (10.2.10)
* Social 12.4.5 (10.2.10)
* Thunder 7.3.7 (10.3.6)
* Ubercart 2.15 (6.60.1)
* Ubercart 3.13 (7.101.1)
* Varbase 9.1.6 (10.3.6)
* Varbase 10.0.2 (10.3.6)
* Pressflow 6.60.1 (core only)
* Drupal 7.101.1 (core only)
* Drupal 9.5.11 (core only)
* Drupal 10.0.11 (core only)
* Drupal 10.1.8 (core only)
* Drupal 10.2.10 (core only)
* Drupal 10.3.6 (core only)
* Drupal 10.4.x-dev (core only)
###
### Stable BOA-5.4.0-pro - Full Edition
### Date: Wed 14 Aug 2024 06:24:03 AM AEST in Sydney
###
@=> New BOA PRO Release & Comparison with LTS and DEV Branches
We are excited to announce the release of BOA-5.4.0 PRO and BOA-5.4.0 LTS,
marking the second release under our new branch structure and dual licensing
model, which began with BOA-5.2.0.
These new PRO and LTS versions bring the project fully up to date with the
DEV branch, which has been actively developed over the past several months.
As always, this announcement highlights only the most significant new features,
critical fixes, and improvements. For a detailed list of all changes,
please refer to the commit history.
@=> New Features
* Simplify and speed up BOA install/upgrades -- please check all details in
the updated and greatly improved documentation:
docs/INSTALL.md
docs/UPGRADE.md
docs/SELFUPGRADE.md
docs/MAJORUPGRADE.md
* AppArmor BOA integration for more strict system protection (needs docs)
* Barracuda install without Octopus is now possible -- docs/INSTALL.md
* Enable instant php-cli version switch for Ægir backend -- docs/DRUSH.md
* Improve Ruby Gems and Node/NPM security and speed x3 -- docs/GEM.md
* Let's Encrypt for Ægir Hostmaster installed automatically -- docs/SSL.md
* Let's Encrypt Live Mode is enabled by default -- docs/SSL.md
* Add three manual backup modes in Ægir (incomplete feature at the moment)
* New Relic support with Octopus/Platform/Site Config -- docs/NEWRELIC.md
* Restore _AEGIR_UPGRADE_ONLY {aegir} as supported barracuda upgrade mode
* Restore {aegir|platforms|both} as supported octopus upgrade modes
* Security Considerations for Multi-Ægir Systems -- docs/SECURITY.md
* Use /root/.deny.clamav.cnf to auto-disable clamav if installed
* Use /root/.deny.java.cnf to auto-disable Solr and Jetty if not used
* Drush 12 in Ægir Tasks: Dynamically Utilize Site-Local Drush for
the updatedb Operations on Drupal 10+ (needs docs).
For now here is a brief explanation on how it works:
# Both Migrate and Clone tasks in Ægir by default run the updatedb
with Ægir own Drush 8 in the final deploy internal procedure.
# This may cause unexpected issues in Drupal 10 and newer versions, so
we have added a switch which allows you to tell Ægir to skip running
`updatedb` on Drupal 10+ -- either globally with empty control file
~/static/control/DisAutoUpDb.info or per site with empty control file
~/static/control/sitename_DisAutoUpDb.info where `sitename` is the site
main domain name used in its Drush alias. You could then unlock the
Site-Local Drush and run it manually with `vdrush` in the platform
app root (not web root) to better control what happens on `updatedb`
using command: `vdrush @site-alias updatedb`
# Automatic mode does it even better for Drupal 10+ Here's how it works,
given no control file listed above exists:
1. Platform Verify task locks Site-Local Drush and patches Drupal core.
2. If the site is migrated to different platform or cloned to different
platform, Ægir will check if **both old and new** platforms have
the Site-Local Drush in their codebases.
3. If Site-Local Drush is detected in both platforms Ægir will unlock
Drush in both platforms, will also revert the Drupal core patch it
normally needs to use its own Drush 8.
4. Now Ægir will run the Site-Local Drush for `updatedb` command and
will report all details in the task log in the admin interface.
5. Once the `updatedb` is complete, Ægir will automatically apply
the Drupal core patch again and will lock Site-Local Drush, so you
could run any other tasks in the control panel as usual. Magic!
@=> Drupal platforms available for installation -- docs/PLATFORMS.md
* Drupal 10.4.x-dev
* Drupal 10.3.1
* Drupal 10.2.7
* Drupal 10.1.8
* Drupal 10.0.11
* Social 12.4.2 (10.2.6)
* Thunder 7.3.0 (10.3.1)
* Varbase 10.0.0 (10.3.1)
* Varbase 9.1.3 (10.2.6)
* Drupal 9.5.11
* OpenLucius 2.0.0 (9.5.11)
* Opigno LMS 3.1.0 (9.5.11)
* Commerce 1.72
* Commerce 2.77
* Drupal 7.101.1
* Ubercart 3.13
* Pressflow 6.60.1
* Ubercart 2.15
@=> Improvements
* Add better protection from duplicate sql tasks
* Improve Ægir tasks messages to identify new improvements in the backend
* Update Drush 10+ aliases on the fly within Ægir deploy procedure
* Add BOA Roadmap & Progress Update in ROADMAP.md
* Add bring_all_ram_cpu_online
* Add CSF self-update debugging log in /var/backups/csf/water/
* Add Dual License and BOA Branches Explained in DUALLICENSE.md
* Add INI (platform level) docs in docs/ini/platform/INI.md
* Add INI (site level) docs in docs/ini/site/INI.md
* Add killer script for hanging apt-get update
* Add support for /root/.force.queue.runner.cnf
* Add switch_to_bash_in_octopus
* Detect and remove stale pid faster
* Display also system-manufacturer in the welcome messages and reports
* Do not lower proc nice on init and major OS upgrades
* Do not restart slow starting services during major OS upgrade
* Execute post-install octopus auto-upgrade on boa and octopus install
* Explain how upgrades affect BOA special shell wrapper
* Improve and simplify is_logged_in early check in global.inc
* Improve rsyslog to use separate log files for cron, mail, lfd, iptables
* Limit noise printed in the console
* Protect csf.allow from removing custom entries
* Rewrite and improve all BOA project docs to use Markdown
* Rewrite and improve the main README.md
* Simplify upgrade docs
* Turn Off AppArmor while running octopus
* Update tests for Amazon EC2 environment detection
* Use `drush11 aliases` or `drush11 sa` for Drupal 8+ core and PHP 8.2+
* Use new `fancynow` welcome screen only for interactive root sessions
* Nginx: Sync js/css aggregation support
* Nginx: Sync static files regex
@=> Changes and Upgrades
* Add compatibility with Redis 8.x-1.7.1
* Add igbinary support to PHP 5.6
* Add recommended security and privacy HTTP headers in Nginx config
* Add required now $settings['state_cache'] = TRUE; in global.inc
* Adjust patches and PHP versions
* AdvAgg is no longer added to D8+ o_contrib
* Barracuda upgrade after boa install is now automated
* Build OpenSSH from sources by default
* cURL 8.9.1
* Disable man-db/auto-update to speed up also autoinit and boa install
* Duplicity 3.0.0
* Force mysql root password update on barracuda upgrade
* Git 2.45.2
* Image Optimize toolkit binaries are now included by default
* Install Python 3.12.4 for Duplicity
* ionCube 13.0.4
* Launch daily.sh automatically after barracuda upgrade
* Lshell 0.9.18.10
* MySecureShell master-29-06-2024
* New Relic 19.9.9.93
* New Relic no longer supports PHP 5.6
* Nginx 1.27.0
* Nginx: http2 is now a separate directive
* OpenSSL 3.0.14 LTS
* Re-enable cleanup for GHOST distros revisions
* Remove /etc/apt/preferences
* Remove cloud-utils if detected
* Remove legacy i386/x32 support
* Remove no longer supported MariaDB code
* Remove not used mysql_hourly.sh
* Removing old boa-init no longer needed after introducing fast autoinit
* Removing systemd cleanup from boa, now handled by the fast autoinit
* Replace mail with s-nail
* Replace pdnsd with unbound
* Restrict also find/scp to prevent lshell escape
* Upgrade to openjdk 11.0.24
* Use /etc/ssh for OpenSSH built from sources (no new server keys, finally)
* Use maximum compatible PhpRedis versions for legacy PHP
* Use PermitRootLogin prohibit-password
* We no longer allow to install BOA on Debian to avoid confusion
* We no longer override server sshd keys to avoid confusion
* Nginx: Remove the legacy X-XSS-Protection header
* Nginx: block bytedance and PetalBot aggressive crawlers
@=> Important Fixes
* Add python3.5 compatibility for Stretch
* Add second cron entry for critically important /var/xdrago/clear.sh
* Add support for legacy python3.4
* Always copy hostmaster LE cert to /etc/ssl/private/ if just updated
* Avoid any AppArmor code on legacy Debian systems
* Bash 5.2 compatibility
* Detect broken GIT early and reinstall from sources
* Do not install PHP 8.2 8.3 with _OPENSSL_EOL_VRN and _OPENSSL_LEGACY_VRN
* Do not use --with-http_v3_module for Nginx on legacy systems
* Do not use --with-imap for PHP on Jessie
* Do not use --with-imap for PHP on major upgrade on any OS
* Do not use --with-sodium for PHP on Jessie
* Fix confusing ICU logic
* Fix for ignored nofile limits
* Fix for iptables paths backward compatibility
* Fix for non-blocking ntpdate
* Fix New Relic APT config
* Fix Percona apt config logic
* Fix platforms symlinking in the limited shell account
* Fix Pure-FTPD install and config
* Force crontab update on major OS upgrade
* Improve resolvconf auto-config
* Let's Encrypt actually supports wildcard names already
* Make sure that _PHP_SINGLE_INSTALL exists before disabling other versions
* Modernize Percona keys logic
* Nginx: Sync http2 in legacy tpl
* Remove blocking cnf file if php-max is used
* Show PHP patch results on _DEBUG_MODE=YES
* Sync for python3.11
* Sync PHP extensions existence check directly, not just via ctrl files
* Sync PhpRedis build options with versions compatibility
* Sync with python3.9
* Update wkhtmltopdf versions logic
* Use cURL 7.71.1 on Jessie
* Use cURL 8.2.1 on Stretch
* Use OpenSSH 8.3p1 on Jessie
* Use OpenSSH 9.3p1 on Stretch
* Use OpenSSL 1.0.2u on Jessie
* Use OpenSSL 1.1.1w on Stretch
* Fix for composer.json and composer.lock protection
###
### Stable BOA-5.3.0-pro - Full Edition
### Date: Mon 12 Aug 2024 05:33:46 AM AEST in Sydney
###
@=> New BOA LTS Release & Comparison with PRO and DEV Branches
We are excited to announce the release of the latest BOA LTS version,
marking the first LTS release since the introduction of our new branch
structure and dual licensing model, which began with the BOA-5.2.0 release.
This LTS version brings the project up to date with BOA-5.3.0-pro, which
has been available for several months. Both BOA-5.3.0-pro and BOA-5.3.0-lts
are officially released today.
Looking ahead, BOA-5.4.0-pro will be released within the next 48 hours,
incorporating all recent developments from the DEV branch.
Please note that the project README and documentation displayed on GitHub
by default apply primarily to the BOA DEV branch, and shortly to BOA PRO.
These do not cover BOA LTS. If you are working with the LTS version, ensure
you switch to the appropriate branch to access legacy documentation
relevant to BOA LTS.
As always, we highlight only the most critical fixes and improvements in
this announcement. For a comprehensive list of changes, please refer to
the commit history.
@=> New Features
* PHP 8.3 Support
* Update sFTP password and password expiration date with temporary pid file
~/static/control/run-sftp-password-update.pid
Now the main Octopus limited shell user can easily self-update password
based access if still has working SSH keys but lost working password.
New password will be written to ~/static/control/new-USER-password.txt
* Add boa cleanup {detect|purge} {user|batch} to automate Octopus instances
cleanup. Requires existence of /data/disk/USER/log/CANCELLED file and
no vhosts existing in /data/disk/USER/config/server_master/nginx/vhost.d/
It will archive only config files and delete everything else, but will not
delete any databases nor db users (yet).
@=> Improvements
* Add ltd-shell account client access to moved sites files in static/files
* Always install legacy OpenSSL first and force new on upgrade
* Disable man-db/auto-update to speed up barracuda upgrades
* MySQL: Disable performance_schema by default
* MySQL: Do not run mysql_cleanup.sh on servers with >100 dbs
* Nginx DoS-Guard: Add ignore_admin to protect site admin activity
* Nginx DoS-Guard: Catch typical hack probe requests early
* Nginx DoS-Guard: Detect and block ‘unknown’ IPs requests
* Nginx DoS-Guard: Track and block 500/403/404 flood
* Prepare for but do not enable http3/quic yet
* Use cold solr7 restart only on barracuda upgrade
@=> Changes and Upgrades
* Build PHP --with-bz2
* Build Redis with --enable-redis-lzf --enable-redis-igbinary
* Composer 2.7.7
* cURL 8.7.1
* Drupal 7.101.1
* Enable ClassicTrack for Ægir tasks by default
* ionCube 13.0.2
* Nginx 1.26.0
* OpenSSH 9.8p1
* OpenSSL LTS with 3.0.13 (new default version)
* PHP 8.1.29
* PHP 8.2.22
* PHP 8.3.10
* PHP APCu 5.1.23
* PHP igbinary 3.2.15
* PHP imagick 3.7.0
* Ruby 3.3.4
* Use _USE_FPM=1024 as minimum
* Use phpredis 6.0.2 for 7.2 and newer
@=> Important Fixes
* Add clamd/freshclam to auto-healing
* Add cleanup for ctrl files blocking PHP upgrade
* Always check if all /var/xdrago/* scripts are present or force update
* Always install openjdk-11-jre-headless
* Fix for vdrush @site updb in Drush 12
* Fix protection from duplicate sql backups
* Legacy PHP versions require legacy OpenSSL version
* More protection from race conditions in auto-healing
* Remove old auto-healing pids if detected
* Restore ULIMIT in nginx init.d
* Sync autoupboa cron to not collide with sql backups
* The adduser no longer automates —home
* Use only php-fpm reload instead of start on upgrade
* Use PHP 7.4 in run_drush8_cmd if available
###
### Stable BOA-5.2.0 - Full Edition
### Date: Wed 03 Apr 2024 02:11:56 PM CEST in Warsaw
###
@=> Notes on new available BOA branches and licenses
BOA is available in three main branches, but only LTS for installation:
* LTS which remains completely free to use without any kind of license
as it was from the beginning (previously named HEAD or STABLE).
This branch should be considered as BOA LTS with slow updates, focused
on both security and bug fixes, but very limited new features additions.
* DEV which requires paid license for both install and upgrade and includes
the latest features, security and bug fixes and installed services versions.
This branch shouldn't be used in production without extensive testing.
* PRO which requires paid license and is available only as an upgrade
from either LTS or DEV (or previous HEAD/STABLE) is the branch with regular
monthly or bi-monthly releases, closely following tested DEV branch.
Once you install BOA LTS and want to upgrade to PRO with license obtained
from https://omega8.cc/licenses you will need to use up-pro command.
Once you install BOA LTS or PRO and want to upgrade to DEV with license
from https://omega8.cc/licenses you will need to use up-dev command.
Old commands using in-head, in-stable, up-head and up-stable no longer work
to avoid confusion and have been replaced with in-lts and up-lts in all
installation and upgrade scripts.
Please make sure to read updated docs/INSTALL.txt and docs/UPGRADE.txt
@=> New Features
* Add autodaedalus tool for easy automated major system upgrades
* Add Linux Containers (LXC) guest as supported (tested only by others)
* Add mysql_cleanup running hourly to keep known caches overhead at minimum
* Add OpenVZ Containers guest as supported (tested only by others)
* Add support for ~/static/control/disable_user_register_protection.info
* Add support for du command in limited shell with /root/.allow.du.cnf
* Debian Bookworm and Devuan Daedalus support (needs further testing)
* Full Drupal 10.2 support for install and upgrades from Drupal 9 and 10
@=> Improvements
* Add control/enable-drush-sa.info for native drush sa command
* Add hyperv qemu and kvm aws as supported
* Add ltd-shell alias vdrush:vendor/bin/drush
* Do not enforce newrelic_background_job(FALSE)
* Document BOA planned features in the ROADMAP.txt
* Document Drush usage in docs/DRUSH.txt
* Make it clear that only Devuan Chimaera should be used in production
* New Relic: Separate Web and Drush stats
* Purge firewall deny rules before reboot for faster system restart
* README rewrite and improvements
@=> Changes and Upgrades
* Ægir D10 Platforms: 3x Drupal core 10.0.11
* Ægir D10 Platforms: 3x Drupal core 10.1.8
* Ægir D10 Platforms: 3x Drupal core 10.2.4
* Ægir D10 Platforms: Social 12.2.2 with core 10.2.4
* Ægir D10 Platforms: Thunder 7.2.0 with core 10.2.4
* Ægir D10 Platforms: Varbase 9.1.1 with core 10.2.4
* Disable support for several built-in legacy D7 distros
* Do not enable /root/.fast.cron.cnf by default
* Drush 8.4.12.9
* Nginx 1.24.0
* Nginx: update ssl_ciphers remove 4 weak but leave 2 to support Safari 6-8
* OpenSSH 9.7p1
* OpenSSL LTS with 3.0.13 (prepare, optional)
* PHP 8.1.27
* PHP 8.2.17
* Redis 7.0.15
* Remove legacy Ubuntu support
@=> Important Fixes
* Always revert to iptables-legacy from nf_tables
* Fix for broken cURL self-healing
* Fix for cURL/libcurl version conflict
* Force Nginx cold restart if status is locked
* Improve auto-healing for duplicate move_sql and mysql_backup
* Improve downgrade_protection
* Revert "Sync /etc/security/limits.conf"
* Update Drush yml sites aliases also for Ægir system user
###
### Stable BOA-5.1.0 - Full Edition
### Date: Sat 04 Nov 2023 03:26:41 PM CET in Warsaw
###
### Documenting details in progress...
###
@=> New Features
* Automatically detect and add known web-root dir names on Add New Platform
* Lock Drush in any platform with Ægir task: Verify + Lock Drush
* Manage pid files in platforms web-root for Drush Lock/Unlock status
* Unlock Drush in any platform with new Ægir task: Unlock Local Drush
@=> Improvements
* Document ~/static/control/FastTrack.info in docs/FASTTRACK.txt
* Improve BOA forks compatibility with standalone Ægir paths
* Improve tasks labels in the Ægir control panel
* Use Ægir backend built-in chmod for Unlock Drush w/o external scripts
@=> Changes and Upgrades
* Ægir D10 Platforms: 3x Drupal core 10.1.6
* Ægir D10 Platforms: Social 12.0.0-rc3 with core 10.0.11
* Ægir D10 Platforms: Thunder 7.1.2 with core 10.1.6
* Ægir D10 Platforms: Varbase 9.0.16 with core 10.1.6
* Enable hosting_site_backup_manager Ægir extension by default again
* Fix permissions and ownership on every Platform Verify for Drupal 8/9/10
* OpenSSL 3.1.4
* PHP 8.1.25
* PHP 8.2.12
@=> Important Fixes
* Added missing web-root paths in built-in platforms for Drupal 9/10
* Fix the ability to rename existing platforms in the Ægir control panel
* Multiple fixes for built-in permissions and ownership Ægir scripts
###
### Stable BOA-5.0.0 - Full Edition
### Date: Thu 26 Oct 2023 09:55:22 PM CEST in Warsaw
###
### Documenting details in progress...
###
@=> New Features
* Add support for verbose Drush like 'drush -vvv @site status'
* Ægir in BOA is now fully compatible with PHP 8.1 and 8.2
* Do not purge cache tables listed in /root/.my.cache.exceptions.cnf
* Drupal 10 is fully supported (needs docs)
* Drupal 10 platforms available: Thunder, Varbase, Drupal 10.1 and 10.0
* Make system reboot much faster, also with 'boa reboot' command
* OpenSSL 3.x optional/test support with /root/.install.modern.openssl.cnf
@=> Improvements
* Always install latest Composer on barracuda upgrade
* Enable ~/static/control/FastTrack.info by default (needs docs)
* Minimize services downtime on upgrade using soft reload only if possible
* Site Local Drush is no longer removed on platform Verify (only locked)
* Use 'barracuda php-idle disable' to speed up major upgrades
@=> Changes and Upgrades
* Ægir D10 Platforms: 3x Drupal core 10.0.11
* Ægir D10 Platforms: 3x Drupal core 10.1.5
* Ægir D10 Platforms: Thunder 7.1.2 with core 10.1.5
* Ægir D10 Platforms: Varbase 9.0.16 with core 10.1.5
* Ægir D7 Platforms: Commerce 1.72 with core 7.98.1
* Ægir D7 Platforms: Commerce 2.77 with core 7.98.1
* Ægir D7 Platforms: Guardr 2.57 with core 7.98.1
* Ægir D7 Platforms: OpenOutreach 1.69 with core 7.98.1
* Ægir D7 Platforms: Opigno LMS 1.59 with core 7.98.1
* Ægir D7 Platforms: Panopoly 1.92 with core 7.98.1
* Ægir D7 Platforms: Ubercart 3.13 with core 7.98.1
* Ægir D9 Platforms: 3x Drupal 9.5.11
* Ægir D9 Platforms: OpenLucius 2.0.0 with core 9.5.11
* Ægir D9 Platforms: Opigno LMS 3.1.0 with core 9.5.11
* Ægir D9 Platforms: Social 11.9.14 with core 9.5.11
* BOA requires at least PHP 7.4 or newer as default version
* Change redis_perm_ttl from 6h to 24h
* Do not inlcude advagg/cdn in o_contrib_eight
* Drupal 10: add minimum patch for core
* Drupal 10: disable not working yet welcome email on install
* Drupal 10: fix compatibility and add missing code in Drush 8
* Drupal 10: lock vendor/drush
* Drupal 10: lock vendor/symfony/console/Input
* Drupal 10: replace psr/log in core with Drush 8 version
* Drush Launcher is not supported anymore so removed
* Enable /root/.fast.cron.cnf by default (needs docs)
* Remove confusing -bin suffix from Drush 10+ (needs docs)
* Set _PURGE_BACKUPS default to 14 or 7 on hosted BOA
* Set Composer Install Support in Ægir Backend as disabled by default
* The redis_use_modern is no longer optional in the INI files
* Update vendor code in the Ægir backend / Provision
* Use _STRONG_PASSWORDS=YES by default
* Use _USE_MYSQLTUNER=NO by default
@=> Important Fixes
* Do not enable redis on D7/D6 automatically, it works anyway
* Fast DNS Cache Server (pdnsd) install is no longer optional since 2014 (!)
* Fix for hosting_cron_queue() with ADV_CRON_MAX_PLL logic
* Make sure that expired password will not hang backend task
* Nginx: Add missing no-cache checks from @cache to @drupal
* Nginx: Move exceptions to the /index.php location
* Nginx: The css/js aggregation logic has changed in Drupal 10.1
###
### Cutting Edge BOA-5.0.0-dev - Initial Edition
### Date: Sat 06 May 2023 08:42:31 AM EEST in Kyiv
### Слава Україні!
###
### Documenting details in progress...
###
@=> New Features
* Add 'barracuda php-idle disable/enable' (needs docs)
* Automatic BOA System Major Upgrade Tool -- see docs/UPGRADE.txt
* Debian Bullseye and Buster support
* Devuan Chimaera and Beowulf support (systemd-free Debian alternative)
* Make Composer running with PHP defined in ~/static/control/cli.info
* Make PHP-CLI for Composer and Drush configurable on the fly (needs docs)
* New multi-step BOA install procedure -- see docs/INSTALL.txt
* PHP 8.2 support
@=> Major Improvements
* Barracuda first upgrade after boa install no longer requires reboot
* Use all available CPU cores for much faster PHP, Nginx, OpenSSL etc builds
@=> Important Changes
* BOA requires the classic network interface naming convention (needs docs)
* Disable all nightly codebase cleanup procedures
* Nginx: Add PATCH to allowed $request_method list
* Nginx: Remove deprecated upload_progress support
* Remove AdvAgg and CDN from D9+ o_contrib
* Rewrite the _PHP_MULTI_INSTALL cleanup to make it optional (needs docs)
* Stop running any Drush operations on Drupal 8+ in daily.sh
* Switch to Redis Server 7.x by default
* The php-all should no longer include 7.3 and older versions (needs docs)
* Ubuntu support is deprecated
* Use php-max to install ALL nine (9) PHP versions (needs docs)
@=> Important Fixes
* Discover the system IPv4 once and store in a file
* Fix several issues with ~/static/control/MyQuick.info logic
* Maintain csf.allow/ignore backup on serial update in /var/backups/csf/
* Nginx: Fix protected access to /update.php
* Nginx: Protect composer.json if exists in the Drupal web-root
###
### NEW BOA-4.2.0-stable - Full Edition
### Date: Sat 06 May 2023 07:42:19 AM EEST in Ivano-Frankivsk
### Слава Україні!
###
### Documenting details in progress...
###
@=> New Features
* Add 'barracuda php-idle disable/enable' (needs docs)
* Automatic BOA System Major Upgrade Tool -- see docs/UPGRADE.txt
* Debian Bullseye and Buster support
* Devuan Chimaera and Beowulf support (systemd-free Debian alternative)
* Make Composer running with PHP defined in ~/static/control/cli.info
* Make PHP-CLI for Composer and Drush configurable on the fly (needs docs)
* New multi-step BOA install procedure -- see docs/INSTALL.txt
* PHP 8.2 support
@=> Major Improvements
* Barracuda first upgrade after boa install no longer requires reboot
* Use all available CPU cores for much faster PHP, Nginx, OpenSSL etc builds
@=> Important Changes
* BOA requires the classic network interface naming convention (needs docs)
* Disable all nightly codebase cleanup procedures
* Remove AdvAgg and CDN from D9+ o_contrib
* Rewrite the _PHP_MULTI_INSTALL cleanup to make it optional (needs docs)
* Stop running any Drush operations on Drupal 8+ in daily.sh
* Switch to Redis Server 7.x by default
* The php-all should no longer include 7.3 and older versions (needs docs)
* Ubuntu support is deprecated
* Use php-max to install ALL nine (9) PHP versions (needs docs)
@=> Important Fixes
* Discover the system IPv4 once and store in a file
* Maintain csf.allow/ignore backup on serial update in /var/backups/csf/
###
### Stable BOA-4.1.4-rel - Full Edition
### Date: Fri Dec 10 22:30:49 CET 2021 in Warsaw
###
### Documenting details in progress...
###
@=> New Features
*
*
*
@=> Major Improvements
*
*
*
@=> Important Changes
*
*
*
@=> Important Fixes
*
*
*
### Stable BOA-4.1.3 Release - Full Edition
### Date: Thu Sep 24 18:51:49 CEST 2020
### Milestone URL: https://github.com/omega8cc/boa/milestones/4.1.3
# Release Notes:
This BOA release is a second transitional release before switching to rolling
release policy. Detailed changelog will follow.
This BOA update provides latest PHP versions, system updates, including
security fixes, many bug fixes, latest Ægir version ..but no Ægir platforms
are installed by default anymore, unless their keywords are listed in the file
~/static/control/platforms.info (please read further below for details)
TL;DR
* Yes, blazing fast site clone/migrate mode is available even for giant sites!
* Yes, BOA still supports Pressflow 6 (LTS version only!)
* No, we no longer install any supported distros as platforms by default.
@=> Super fast site cloning and migration mode (NEW!)
It is now possible to enable blazing fast migrations and cloning even sites
with complex and giant databases with this empty control file:
~/static/control/MyQuick.info
By the way, how fast is the super-fast? It's faster than you would expect!
We have seen it speeding up the clone and migrate tasks normally taking
1-2 hours to... even 3-6 minutes! Yes, that's how fast it's!
This file, if exists, will enable a super fast per table and parallel DB
dump and import, although without leaving a conventional complete database
dump file in the site archive normally created by Ægir when you run
not only the backup task, but also clone, migrate and delete tasks, hence
also restore task will not work anymore.
We need to emphasise this again: with this control file present all normally
super slow tasks will become blazing fast, but at the cost of not keeping
an archived complete database dump file in the archive of the site directory
where it would be otherwise included.
Of course the system still maintains nightly backups of all your sites
using the new split sql dump archives, but with this control file present
you won't be able to use restore task in Ægir, because the site archive
won't include the database dump -- you can still find that sql dump split
into per table files in the backups directory, though, in the subdirectory
with timestamp added, so you can still access it manually, if needed.
@=> Drupal platforms and Composer support
We no longer install any supported Drupal distros as platforms by default, but
you can customize Octopus platform list via control file, which will be used
on the next Octopus upgrade (you can request it individually if you are on
hosted Ægir service):
~/static/control/platforms.info
This file, if exists and contains a list of symbols used to define supported
platforms, allows to control/override the value of _PLATFORMS_LIST variable
normally defined in the /root/.${_USER}.octopus.cnf file, which can't be
modified by the Ægir instance owner with no system root access.
IMPORTANT: If used, it will replace/override the value defined on initial
instance install and all previous upgrades. It takes effect on every future
Octopus instance upgrade, which means that you will miss all newly added
distributions, if they will not be listed also in this control file.
Supported values which can be written in this file, listed in a single line
or one per line:
Drupal 9 based
THR ----------- Thunder
Drupal 8 based
LHG ----------- Lightning
OPG ----------- Opigno LMS
SOC ----------- Social
VBE ----------- Varbase
Drupal 7 based
D7P D7S D7D --- Drupal 7 prod/stage/dev
AGV ----------- aGov
CME ----------- Commerce v.2
CS7 ----------- Commons
DCE ----------- Commerce v.1
GDR ----------- Guardr
OA7 ----------- OpenAtrium
OAD ----------- OpenAid
OLS ----------- OpenLucius
OOH ----------- OpenOutreach
OPC ----------- OpenPublic
OPO ----------- Opigno LMS
PPY ----------- Panopoly
RST ----------- Restaurant
UC7 ----------- Ubercart
Drupal 6 based
D6P D6S D6D --- Pressflow (LTS) prod/stage/dev
DCS ----------- Commons
UCT ----------- Ubercart
You can also use special keyword 'ALL' instead of any other symbols to have
all available platforms installed, including newly added in all future BOA
system releases.
Examples:
ALL
LHG VBE D7P D7S D7D
Composer will now use PHP 7.3 by default, and you can find many useful hints at:
https://github.com/omega8cc/boa/blob/master/docs/COMPOSER.txt
IMPORTANT: You must switch your ~/static/control/cli.info to 7.2 or newer
PHP version (BOA hosted on Omega8.cc comes with 7.4, 7.3 and 7.2), because
D8 based distros require at least PHP 7.2 -- this also means that to run
the sites installed after switching cli.info to 7.2 or newer, you will also
need to either switch your ~/static/control/fpm.info to 7.2 or newer, or
more probably, to not break any existing sites not compatible with PHP 7.2+
you will need to list these D8 sites names in ~/static/control/multi-fpm.info
Please check for more information:
https://learn.omega8.cc/how-to-quickly-switch-php-to-newer-version-330
BOA supports Drupal 8 codebases both with classic directory structure like
in Drupal 7 and also Drupal 8 distros you can download from Drupal.org, but
if you use Composer based codebase with different structure, the platform path
is not the codebase root directory, but the subdirectory where you see the
Drupal own index.php and "core" subdirectory. It can be platform-name/web or
platform-name/docroot or something similar depending on the distro design.
### Stable BOA-4.1.2 Release - Full Edition
### Date: Tue Sep 22 05:30:08 CEST 2020
### Milestone URL: https://github.com/omega8cc/boa/milestones/4.1.2
# Release Notes:
This BOA release is a transitional release before switching to rolling
release policy. Detailed changelog will follow.
### Stable BOA-4.0.1 Release - Full Edition
### Date: Mon May 6 01:14:59 CEST 2019
### Milestone URL: https://github.com/omega8cc/boa/milestones/4.0.1
# Release Notes:
This BOA release provides three new PHP versions, system updates, including
security fixes, many bug fixes, latest Ægir version, plus all included
Drupal distributions updated to latest versions, and supplied with latest
Drupal 7 or Drupal 8 core, if possible. Yes, BOA still supports Pressflow 6.
Yes, Debian Stretch is supported. No newer Ubuntu releases are supported yet.
Yes, we have added Solr 7 support and every 5 minutes updates!
Four Drupal 8 based popular distributions have been included by default,
plus much improved Composer support and automatic permissions-fix-magic
on Platform and Site Verify tasks. No more manual fixes!
By the way, Composer will now use PHP 7.3 by default, and you can find
many useful hints at:
https://github.com/omega8cc/boa/blob/master/docs/COMPOSER.txt
Big improvements and changes are coming to (auto)managing Solr cores too!
Solr cores are are now created every 5 minutes if needed, instead of during
the nightly procedure only, and Solr 7 is used by default. Existing Solr 4
cores will continue to work as before, but the system will create new Solr 7
cores for all compatible sites, and will update the sites/foo.com/solr.php
accordingly. For existing Solr 4 cores there can be namespace conflicts,
so please make sure to check the updated sites/foo.com/solr.php file and
adjust your site configuration if needed.
Note: If you are using WinSCP and/or Putty on Windows, or Transmit/Coda
by Panic on a Mac, please check the Known Issues section at the bottom of this
BOA-4.0.1 release notes.
@=> Solr 7 and Solr 4 support changes and improvements
Both Solr 7 and Solr 4 powered by Jetty 9 server are available. Supported
integration modules are limited to latest versions of either search_api_solr
(D8/Solr7 and D7/Solr7 ) or apachesolr (D7/Solr4 and D6/Solr4).
Currently supported versions are listed below:
https://ftp.drupal.org/files/projects/search_api_solr-8.x-2.7.tar.gz
https://ftp.drupal.org/files/projects/search_api_solr-7.x-1.14.tar.gz
https://ftp.drupal.org/files/projects/apachesolr-7.x-1.11.tar.gz
https://ftp.drupal.org/files/projects/apachesolr-6.x-3.1.tar.gz
Note that you still need to add preferred integration module along with
any its dependencies in your codebase since this feature doesn't modify
your platform or site - it only creates Solr core with configuration
files provided by integration module: schema.xml and solrconfig.xml etc.
Important: search_api_solr-8.x-2.x is different from all previous versions,
as it requires Composer to install the module and its dependencies, then
you will need to configure it, and only then you will be able to generate
customized Solr core config files, which you should upload in the path:
sites/foo.com/files/solr/ and wait 5-10 minutes to have them activated
on the Solr 7 core the system will create for you.
This will affect the running every 5 minutes auto-installer, hence
no need to wait until next morning to be able to use new Solr core. Win!
Once the Solr core is ready to use, you will find a special file in your
site directory: sites/foo.com/solr.php with details on how to access
your new Solr core with correct credentials.
Side note: the sites/foo.com/solr.php will be automatically deleted on every
site Verify task in Ægir, to prevent copying it across with incorrect
access credentials when you clone the site. As soon as the site is verified,
its sites/foo.com/solr.php will get re-created automatically within 5-10 min.
and the cloned site will also get its own Solr core created.
For more details please check the docs at:
https://github.com/omega8cc/boa/blob/master/docs/SOLR.txt
@=> Drupal 8.7.0 platforms and Composer support
Since BOA-4.0.1 new Drupal 8.7.0 based platforms are included:
Lightning 3.3.0 -------------- https://drupal.org/project/lightning
Thunder 8.2.39 --------------- https://drupal.org/project/thunder
Varbase 8.6.8 ---------------- https://drupal.org/project/varbase
Social 8.5.1 (8.6.15 core) --- https://drupal.org/project/social
IMPORTANT: You must switch your ~/static/control/cli.info to 7.1 or newer
PHP version (BOA hosted on Omega8.cc comes with 7,1, 7.2 and 7.3), because
D8 based distros require at least PHP 7.1 -- this also means that to run
the sites installed after switching cli.info to 7.1 or newer, you will also
need to either switch your ~/static/control/fpm.info to 7.1 or newer, or
more probably, to not break any existing sites not compatible with PHP 7.1+
you will need to list these D8 sites names in ~/static/control/multi-fpm.info
Please check for more information:
https://learn.omega8.cc/how-to-quickly-switch-php-to-newer-version-330
BOA supports Drupal 8 codebases both with classic directory structure like
in Drupal 7 and also Drupal 8 distros you can download from Drupal.org, but
if you use Composer based codebase with different structure, the platform path
is not the codebase root directory, but the subdirectory where you see the
Drupal own index.php and "core" subdirectory. It can be platform-name/web or
platform-name/docroot or something similar depending on the distro design.
As you have discovered if you have already tried, the path you should use
in Ægir when adding Composer based codebase as a platform is the directory
where index.php resides, so effectively anything above that directory is not
available for web requests and thus safely protected.
The information from Ægir project docs saying "When verifying a platform,
Ægir runs composer install if a composer.json file is found." doesn't apply
to BOA. We have disabled this. There are several reasons, most importantly:
a/ having this feature enabled is actually against the codebase management
workflow in Ægir, because it may modify codebase on a live site,
b/ some tasks launch verify many times during clone and migrate, which
results with giant overhead and conflicts if we allowed it to run composer
install many times in parallel,
c/ from our experience, having this poorly implemented feature enabled breaks
clone and migration tasks between platforms when both have the composer.json
file. It just doesn't make any sense in our opinion. The implementation
should be improved to make it actually work similarly to Drush Makefiles.
You should think about Composer like it was Drush Make replacement, and you
should not re-build nor upgrade the codebase on a platform with sites already
hosted. Just use it to build new codebases and then add them as platforms
when the build works without errors.
@=> Important PHP versions availability changes
Still on PHP 5.6? You should switch to PHP 7.3 — It’s twice as fast as 5.6!
But don't switch blindly -- even sites already running on PHP 7.0 before
are most probably not ready for PHP 7.2 or 7.3 without proper fixes.
Note: BOA-4.0.1 release removes PHP 5.3, 5.4 and 5.5, if installed.
In addition to still supported, even if officially deprecated 5.6 and 7.0
versions, this release adds support for PHP 7.3, 7.2 and 7.1
Please check the PHP officially supported versions list at:
http://php.net/supported-versions.php
In our limited testing Drupal 7 core version included in this release works
without noticeable issues with both PHP 7.2 and 7.3, although many contrib
modules may not be ready to switch your instance to 7.3 or 7.2 just yet,
especially if you have not used PHP 7.0 already.
We recommend to test your sites clones with newer PHP versions using BOA
multi-PHP-version support via ~/static/control/multi-fpm.info before
switching your instance to use 7.3 or 7.2 by default.
Please check for more information:
https://learn.omega8.cc/how-to-quickly-switch-php-to-newer-version-330
We still include Pressflow 6 platforms, because in the meantime the LTS
community support made the latest Pressflow 6 version compatible with PHP 7.2
If you still have a reason to use Drupal 6 core, we recommend to use
our version: https://github.com/omega8cc/pressflow6/tree/pressflow-plus
@=> BOA release policy changes
In over 15 months since BOA-3.2.2 release we have tested a more agile
approach with Rolling Release policy for BOA system part known as Barracuda.
We have implemented many changes and updates only in BOA HEAD and used
carefully tested HEAD in production. This worked flawlessly and allowed us
to keep all BOA hosted and maintained systems continuosly updated without
waiting for stable release.
BOA project is very complex, build atop of many packages and individually
built from sources components, plus other projects like Ægir, Drush and
Drupal core and distributions -- each of them with their own release policy.
After years of efforts to keep healthy balance between providing necessary
upgrades and avoiding BOA users maintenance fatigue due to frequent releases,
which usually results with skipping releases which has many adverse effects,
including requirement to keep new versions backward compatible with 2-3 years
old releases, we have decided that it's time to introduce Rolling Release
policy for Barracuda while still using standard point releases policy for
Octopus installer, which covers Ægir, Drush and Drupal platforms updates.
We will still use point releases for Barracuda when there will be major
changes introduced, like deprecating old PHP versions or changing components
like Let's Encrypt integration agents or methods.
BOA project docs will be updated to reflect these changes once another
standard point release is made either for Octopus, Barracuda or both.
The docs will explain how to run Barracuda system continuous updates properly.
# New features:
* Add auto-cleanup for empty old platforms in /var/aegir
* Add experimental support for autoslave and cache_consistent
* Add initial Composer docs
* Add jsmin support for PHP7 #1250
* Add mongodb extension for PHP 7 and Drupal 8.2.x support #1127
* Add redis_oom_check() to monitoring
* Add set_composer_manager_vendor_dir INI variable
* Add support for include/exclude filelist for duplicity. #1159
* Add support for Percona 5.7 and use MariaDB 10.1 by default
* Add UTF8MB4 Convert Drush extension #1047
* Automatically check and remove drush from codebase
* Debian Stretch support #1176
* Do not run Verify daily if ~/static/control/noverify.info exists
* Install ClamAV daemon by default
* PHP 7.3, 7.2 and 7.1 Support #1126
* Run manage_solr_config.sh every 5 minutes
* Update Solr with BOA #1305
* Use _DB_BACKUPS_TTL variable for local and cluster db backups rotation
# Changes:
* Add innodb_default_row_format = dynamic — fixes #1366
* Advanced Nginx microcaching to improve cache HITs #1271
* Change to dashes in bucket names and upgrade boto/duplicity #1247
* Create fpm.info and cli.info ctrl files on Octopus install
* Deprecate MariaDB 5.5 and force 10.1 instead
* Enable uploadprogress.so for testing on PHP 7+
* Force Composer to use PHP 7.2 if available #1213
* Higher PHP CLI limits to make Composer happy
* Increase default TTLs to make BOA more friendly for big sites
* Make DNS Cache Server pdnsd optional -- needs DCS keyword in _XTRAS_LIST
* Minimum 4 GB RAM and 2 CPU (with Solr minimum 8 GB RAM and 4+ CPU rec.)
* Re-verify LE enabled sites daily
* Refresh the tasks list more frequently
* Remove deprecated PHP versions #801
* Remove problematic opcache.fast_shutdown
* Remove ultimate_cron and background_process from the blacklist
* Replace Google DNS servers for Cloudflare DNS servers #1317
* Replace the complex public IP detection with an external API #1089
* Set PHP CLI to FPM version if only FPM is defined
* SQL: disable innodb_adaptive_hash_index by default
* Upgrade imagick to 3.4.3 for PHP7 support #1253
* Use /root/.backboa.autoupdate by default
* Use utf8mb4/utf8mb4_general_ci by default
# System upgrades:
* Adminer 4.7.0
* CSF/LFD 12.10
* Drush 8.2.3.1
* Galera 10.0.37
* Lshell 0.9.18.9
* MariaDB Server 10.1.39
* MariaDB Server 10.2.19
* MariaDB Server 10.3.14
* MySQLTuner 1.7.15
* Nginx 1.16.0
* Node.js v10.x LTS
* OpenSSH Server 8.0p1
* OpenSSL 1.0.2r for Nginx
* PHP 7.3.5, 7.2.18, 7.1.29, 7.0.33, 5.6.40
* PHP Redis extension 4.2.0
* Pure-FTPd 1.0.49
* Redis Module 8.x mod-05-02-2019
* Redis Server 4.0.14
* Ruby 2.6.0
* Use latest Duplicity and dependencies
# Fixes:
* Add fix_ping_perms()
* Add libzip-dev to satisfy PHP 7.3 requirements
* Add nginx config to mitigate SA-CORE-2018-002
* Add patches for CORE-2018-004 and SA-CORE-2018-002
* Add procedure satellite_fix_broken_entity_module()
* Add re_set_default_php_cli() procedure
* Add redis_slow_check()
* Ajax 200 parsererror on every Drupal site #1344
* Avoid potentially problematic --force-yes for apt-get
* Backboa AWS S3 backup integration no longer working #1138
* Backboa not installed #1310
* Backboa: Certificate error #1141
* Cannot switch php-cli, cannot create varbase composer project. #1308
* Check sshd not ssh version
* CiviCRM 4.7 not working under BOA #1223
* Crawlers see 403 on public path #1329
* Debian 9 (Stretch) _apt user + _STRICT_BIN_PERMISSIONS errors #1352
* Do not lock old/all hostmaster platforms automatically
* Downgrade MySecureShell until we can figure out compatibility issues
* Errors using site with CiviCRM #1304
* Extra cleanup for any codebase level drush copy
* Fix for empty old hostmaster platforms cleanup
* Fix for incomplete logic in multi-fpm mode
* Fix for jessie-backports
* Fix SA-CORE-2018-006 for D8 and D7
* Fix the site specific composer_manager dir also for D8
* Fix to include gitlab.com in ~/.ssh/known_hosts
* Improve gpg keys handling
* Improve pdnsd self-repair procedures
* Infinite loop on INFO: Retrieving F1656F24C74CD1D8 key.. #1323
* Known issues with contrib module Redirect in Drupal 8 and BOA #1239
* Make sure redis-server is up immediately after upgrade
* Make sure that ~/.rvmrc is fixed
* Make sure that composer permissions are fixed
* Make sure that the ownership on static/control is correct
* Make sure to fix Redis permissions
* Nginx: the "ssl" directive is deprecated since 1.15.0
* No live certificates from Let's Encrypt #1255
* No Web Server is added when BOA is installed locally #1306
* PSA-2018-003: Drupal core security release #1283
* Remove deprecated option UsePrivilegeSeparation if exists
* Restore Jessie default apt mode on Stretch+
* Solr dir is not defined in in setup_solr() #1370
* SSHD - use without-password for backward compatibility
* Switching out DNS servers caused breakage #1318
* Sync permissions fix on platform verify for D8, D7, D6
* Sync Solr 7 memory management logic
* The _PERMISSIONS_FIX var gets overridden to YES daily basis #1311
* The innodb_lazy_drop_table has been deprecated in Percona
* Update ~/static/control/README.txt if needed
* Update boa info [more] for current years #1248
* Update lshell.config to not break valid D8 specific Drush commands
* Update, sync and de-duplicate Zend OPcache config directives
* Updated default robots.txt #1172
* Use gpg2 directly instead of deprecated apt-key
* Use IP directly as a last fallback
* xboa migrate Solr 7 data #1376
# Known issues:
* SSH/SFTP WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!
In short, nothing to worry about, but please read on how to fix this:
https://learn.omega8.cc/2019-remote-host-identification-ssh-388
* PHP 7.1+ can't be installed w/ MariaDB 10.2+ until compatibility is fixed:
https://jira.mariadb.org/browse/MDEV-14555
* Existing Solr 4 cores may experience namespace conflicts.
Please make sure to check the updated sites/foo.com/solr.php file
and adjust your site configuration if needed.
* Error decoding SFTP packet -- affects WinSCP/Putty
We recommend to use CybderDuck for reliable SFTP access.
For known fix please check https://bit.ly/2HMGd6u -- quote below:
>>>>>
Basically we need to set the ‘Preferred SFTP protocol version’ to 3.
How to do this:
Edit the connection in WinSCP
Open the Advanced menu
Choose Advanced
This will bring up a new popup.
Under Environment click on SFTP
Change ‘Preferred SFTP protocol version’ to 3
Save the changes.
>>>>>
* SFTP connection doesn't work with Transmit nor Coda by Panic software.
We have not figured out the workaround yet, so we recommend using
working alternatives on a Mac, like Cyberduck or ForkLift.
* The filefield_nginx_progress module, which is deprecated for years,
no longer works and breaks upload fields. The module has been removed
from the supported modules list, and will be automatically disabled
if active in any D7 site daily, so we recommend to use the current
similar alternative (even if not so fancy) included now by default:
https://www.drupal.org/project/file_resup
### Stable BOA-3.2.2 Release - Full Edition
### Date: Sat Jan 20 11:03:34 PST 2018
### Milestone URL: https://github.com/omega8cc/boa/milestones/3.2.2
# Release Notes:
This BOA release provides system security upgrades, many bug fixes,
latest Ægir version, plus all supported Drupal distributions updated
to latest versions, and supplied with latest Drupal 7 core, if possible.
Thanks to Drush 8.1.15-dev we support also the newest Drupal 8.4.4 core.
@=> Important changes planned in the next BOA feature release
BOA-3.2.2 is the last release still supporting PHP 5.3, 5.4 and 5.5 versions.
These versions will be *removed* in the next release, and instead
there will be support for PHP 7.1 and 7.2 added.
Future releases will no longer include Pressflow 6 platforms, but Pressflow 6
will be fully supported, and can still use PHP 5.6 -- We recommend to use
our version: https://github.com/omega8cc/pressflow6/tree/pressflow-plus
# Changes:
* Add support for WOFF 2.0
* Commerce 2.51
* Guardr 2.40
* OpenAtrium 2.624
* Panopoly 1.49
# System upgrades:
* Adminer 4.3.1
* Galera 10.0.33
* MariaDB 10.1.30
* MariaDB 10.2.12
* MariaDB 5.5.59
* Nginx 1.13.8
* OpenSSL 1.0.2n (used only in Nginx)
* PHP 5.6.33
* PHP 7.0.27
* PHP extension for Redis 3.1.6
* Pure-FTPd 1.0.49
* Redis Server 4.0.6
* Ruby 2.4.2
* Use Redis integration mod-30-12-2017 (D7)
# Fixes:
* Add mongo to the list of permissions exceptions, if installed
* Do not delete empty platforms if ~/static/control/platforms.info is used
* Do not restart Redis daily if /root/.high_traffic.cnf exists
* Fix Drupal 8 detection for distros with vendor dir moved out of docroot
* Fix requirements for the latest compass version
* Hints config update
* LE not renewing expired certificates due to IPv6 DNS entries -- #1179
* Notifications about new BOA editions are sent to notify@omega8.cc -- #1219
* Override fastcgi_params to make geoip headers work again
* Redirect module conflict with manual cron execution in D8 -- #1215
* Remove hmac-ripemd160 MAC, deprecated in OpenSSH 7.6 -- #1217
* The _SSH_ARMOUR=YES not compatible with OpenSSH 7.6 -- #1218
* Update keys for rvm.io
* Update LE License to LE-SA-v1.2-November-15-2017.pdf
* Use advagg-7.x-2.30
* Use modified rvm-installer.sh for user-level installations
* Use reroute_email-7.x-1.3
* Use rvm_silence_path_mismatch_check_flag=1
### Stable BOA-3.2.1 Release - Full Edition
### Date: Sat Oct 7 19:58:53 PDT 2017
### Milestone URL: https://github.com/omega8cc/boa/milestones/3.2.1
# Release Notes:
This BOA release provides system security upgrades, many bug fixes,
latest Ægir version, plus all supported Drupal distributions updated
to latest versions, and supplied with latest Drupal 7 core, if possible.
Thanks to Drush 8.1.15-dev we support also the newest Drupal 8.4 core.
@=> Important changes planned in the next BOA release
BOA-3.2.1 is the last release still supporting PHP 5.3, 5.4 and 5.5 versions.
These versions will be *removed* in the next release, and instead
there will be support for PHP 7.1 and 7.2 added.
Future releases will no longer include Pressflow 6 platforms, but Pressflow 6
will be fully supported, and can still use PHP 5.6 -- We recommend to use
our version: https://github.com/omega8cc/pressflow6/tree/pressflow-plus
@=> Drupal 6 vanilla core is deprecated starting with BOA-3.2.1
Drupal 6 vanilla core is no longer supported. It was never really supported,
but could still work. Those running Drupal 6 instead of supported Pressflow 6
will notice that their site displays only the homepage and all links/menus
no longer display expected content. This change is a result of new rewrite
in the Nginx configuration, required to properly support both Drupal 8 and
Drupal 7. Time to migrate to latest, included in this release, Pressflow 6!
# Changes:
* Add chained commands to forbidden list in lshell
* Add Nginx Headers More module support
* Add support for --include/exclude-filelist for duplicity -- #1158
* Add support for upcoming MariaDB 10.2
* Auto-update duplicity if installed
* Deny bots on non-prod domains, not only on aliases -- #1178
* Do not pause the tasks queue during mysql backup
* Do not truncate queue and accesslog tables by default
* Enable New Relic integration for PHP 7.0
* Install ipset to improve CSF performance
* mongodb.so for D8.2 and PHP7.0 -- #1128
* Run 3 queue tasks in parallel by default
* Use redis_scan_enable = FALSE by default
# System upgrades:
* CSF 10.22
* Drush micro-8-07-10-2017
* Galera 10.0.32
* MariaDB 10.1.28
* MariaDB 10.2.9
* MariaDB 5.5.57
* Nginx 1.13.5
* Node 6.x version bump -- #1129
* OpenSSH 7.6p1
* OpenSSL 1.0.2l (used only in Nginx)
* PHP 5.6.31
* PHP 7.0.24
* PHP extension for Redis 3.1.4
* Pure-FTPd 1.0.46
* Redis Server 4.0.2
* Update Redis module for Drupal 8
* Upgrade drush to support Drupal 8.4 -- #1206
* Upgrade wkhtmltopdf and wkhtmltoimage to 0.12.4
# Fixes:
* Add SSH (RSA) keys how-to
* Add support for tar.xz archives
* Add symlink suggested in #999
* Allow a bit higher load limits for queue runner
* Barracuda is not installing ipset so csf doesn't work -- #1203
* Deprecate no longer working distros
* Disable innodb_corrupt_table_action in 10.2
* Do not enable entitycache in the Commons distro
* Exclude special https.* proxy vhosts from daily cleanup
* Fix permissions on password files for HTTP Basic Auth -- #1187
* Fix syntax and race conditions in fire/water
* Galera compatibility: do not edit mysql.user directly
* Improve CSF race conditions protection
* Improve default system cron queue
* Improve repo.psand.net/pubkey update
* Improved PHP OPCache default configuration
* Linux kernel CVE-2017-2636 hotfix
* Linux kernel CVE-2017-6074 hotfix
* Make sure that not supported tools are not re-installed on VServer
* Move excludes first as they are more specific than includes -- #1168
* PHP not installed after Wheezy to Jessie upgrade -- #999
* Redirect module breaks Drupal 8 sites in BOA if present -- #1061
* Remove --numeric-ids option from xboa -- #1146
* Restart DB server on upgrade only if config has changed
* Run fast enough fire.sh again
* Silence mysql cleanup output -- #1180
* Site in subdirectory cookie is not set correctly -- #1211
* Sync PHP disable_functions across all versions
* Update default robots.txt -- #1172
* Use --skip-add-locks — Galera Cluster compatibility
* Use absolutely graceful MySQLD restart procedure
* VServer 4.1.42-vs2.3.8.6-beng compatibility
* Wait for MySQLD availability before running DB backup
* Whitelist known search engines bots IPs
### Stable BOA-3.2.0 Release - Full Edition
### Date: Sun Feb 26 09:11:39 PST 2017
### Milestone URL: https://github.com/omega8cc/boa/milestones/3.2.0
# Release Notes:
This BOA release provides many new features, system security upgrades, many
improvements and bug fixes, latest Ægir version, plus all supported Drupal
platforms updated to latest versions, and supplied with latest Drupal 7 core,
if possible.
The reason we list here also new features and changes already listed in
previous BOA-3.1.4 version is that they were supposed to be included in this
(3.2.0) release, since we normally don't include new features in bugfix
releases, but we had to publish more bugfix/security releases in the 3.1.x
series than initially expected, while new features were already pushed to HEAD
in anticipation of delayed 3.2.0 release.
We have also moved some new features originally intended to be included
in the (3.2.0) release to the next 3.3.0 milestone, which is expected
in about one month after 3.2.0 release.
@=> Magic permissions fix now happens on-the-fly
The most interesting new Ægir feature is probably the ability to fix files
permissions and ownership on any site and platform, without waiting for
the running daily magic fix. Now it happens on-the-fly, when you run normal
platform and site Verify tasks.
@=> MariaDB 10.1 is now the new default version
If you are already running 10.0, BOA will upgrade it to _DB_SERIES=10.1
but if you still run _DB_SERIES=5.5 it will continue to use MariaDB 5.5
on your system (not recommended).
# New features and enhancements:
* Add Microsoft Hyper-V to supported virtualization systems
* Add support for _HOURLY_DB_BACKUPS=YES via Percona XtraBackup
* Add support for ‘boa version’ command
* Add support for /root/.my.batch_innodb.cnf weekly procedure
* Add support for /root/.my.restart_after_optimize.cnf procedure
* Add support for fix_ownership and fix_permissions on-the-fly
* Add support for latest 3.18.44-vs2.3.7.5-beng VS kernel
* Add support for latest 4.1.33-vs2.3.8.5.2-beng VS kernel
* Add support for the Open Lucius Distribution to Ægir —- #888
* Add support for the Opigno LMS Distribution to Ægir —- #953
* Automatically whitelist CloudFlare and Sucuri IPs (faster version)
* Bundle Opigno LMS dependencies: TinCanPHP and pdf.js
* Configure _INNODB_LOG_FILE_SIZE automatically
* Docs for Twig Debbuging in Drupal 8.2.x and BOA #1085
* Improve InnoDB performance
* Improve Let's Encrypt docs
* Include advagg, cdn, and robotstxt in o_contrib_eight -- #1096
* Install ClamAV and RKhunter by default —- #1019
* Make boost cache clearing configurable via _CLEAR_BOOST variable -- #1115
* MariaDB 10.1 support (new default version) -- #866
* Open LDAP ports 389 and 3268 for outgoing TCP connections
* Speed up mysql stop/start
* Update S3 regions list for backboa backups
* Use blazing fast Redis (SCAN) method on wildcard cache delete
* Use Redis_CacheCompressed mode, if available (saves a ton of RAM)
# Changes:
* Allow to run global OPTIMIZE only once per month, on the last Sunday
* Always update barracuda, boa and octopus wrappers, ignore _SKYNET_MODE=OFF
* Enable ARCHIVE Storage Engine in MariaDB 10.1
* Force _CUSTOM_CONFIG_SQL=NO on MariaDB major upgrade/reinstall
* Remove exception for cache_form bin in Redis configuration
* Remove no longer supported textile module
* Run db OPTIMIZE only weekly, if configured
* Use bzip2 also for standard db backups
* Use lower system load limit for queue runner
* Use MySQLTuner to configure SQL limits — enabled by default
# System upgrades:
* CSF/LFD 9.30
* Drupal 7.54.2
* Drush micro-8-07-02-2017
* Duplicity 0.7.11 (please run 'backboa install' to upgrade)
* MariaDB 10.1.21
* MariaDB 5.5.54
* MariaDB Galera Cluster 10.0.29
* Nginx 1.11.10
* OpenSSL 1.0.2k (used only in Nginx)
* PHP 5.6.30
* PHP 7.0.16
* Pure-FTPd 1.0.45
* Redis 3.2.8
* Redis D8/D7 integration mod-09-02-2017
* Use ImageMagick 7.0.4-6 if built from sources
* Use Redis integration mod-14-02-2017 (D7)
# Fixes:
* Can't add clients on BOA3 -- #926
* Do not add newer InnoDB settings when old server version is in use -- #1122
* Do not disable site_readonly daily on migrated instances
* Fix the not working hostmaster LE cert auto-update (typo)
* Force vnstat restart on version upgrade
* Improve disable_chattr() and enable_chattr() logic
* Improve docs/FAQ.txt as suggested in #1119
* Improve userprotect initial-only setup -- #926
* MariaDB server not running properly alert -- #1122
* Migration should re-use Let's Encrypt certs in HTTPS proxy vhosts -- #1106
* Randomize SQL backup schedule
* Rebuild hosting_custom_settings feature after enabling Redis on install
* Sync db server (optional) restart with optimize
* Sync max_execution_time for PHP-FPM
* Sync max_input_time for PHP-FPM
* Update docs/SSL.txt -- #1109
* Whitelist /dev/urandom in open_basedir
### Stable BOA-3.1.4 Release - Full Edition
### Date: Tue Dec 20 14:09:21 PST 2016
### Milestone URL: https://github.com/omega8cc/boa/milestones/3.1.4
### Latest hotfix added on: Wed Dec 21 12:44:58 PST 2016
# Release Notes:
This BOA release provides system security upgrades, many improvements
and bug fixes, latest Ægir version, plus all supported Drupal platforms
updated to latest versions, and supplied with latest Drupal 7 core,
if possible.
@=> Magic permissions fix now happens on-the-fly
The most interesting new Ægir feature included in this release is probably
the ability to fix files permissions and ownership on any site and platform,
without waiting for the running daily magic fix. Now it happens on-the-fly,
when you run normal platform and site Verify tasks.
@=> MariaDB 10.1 is now the new default version
If you are already running _DB_SERIES=10.0, this BOA release will upgrade it
to _DB_SERIES=10.1 -- but if you still run _DB_SERIES=5.5 it will continue
to use MariaDB 5.5 on your system.
# New features and enhancements:
* Add Microsoft Hyper-V to supported virtualization systems
* Add support for ‘boa version’ command
* Add support for fix_ownership and fix_permissions on-the-fly
* Add support for latest 3.18.44-vs2.3.7.5-beng VS kernel
* Add support for latest 4.1.33-vs2.3.8.5.2-beng VS kernel
* Automatically whitelist CloudFlare and Sucuri IPs (faster version)
* Configure _INNODB_LOG_FILE_SIZE automatically
* MariaDB 10.1 support (new default version) -- #866
* Use Redis_CacheCompressed mode, if available (saves a ton of RAM)
# Changes:
* Always update barracuda, boa and octopus wrappers, ignore _SKYNET_MODE=OFF
* Enable ARCHIVE Storage Engine in MariaDB 10.1
* Force _CUSTOM_CONFIG_SQL=NO on MariaDB major upgrade/reinstall
* Remove no longer supported textile module
* Run db OPTIMIZE only weekly, if configured
* Use MySQLTuner to configure SQL limits — enabled by default
# System upgrades:
* CSF 9.28
* Drush micro-8-17-12-2016
* MariaDB 10.1.20
* MariaDB Galera Cluster 10.0.28
* Nginx 1.11.7
* OpenSSH 7.4p1 (if installed from sources)
* OpenSSL 1.0.2j (used only in Nginx)
* PHP 5.6.29
* PHP 7.0.14
* PHPRedis 3.1.0
* Redis 3.2.6
* Use mydropwizard-6.x-1.6
* Use Redis module mod-20-12-2016
# Fixes:
* Allow to run downgrade to _DB_SERIES 5.5 (experimental, not recommended!)
* Always reinstall cURL from packages if broken
* AMP support -- #948
* Archive PHP logs in /var/backups/php-logs/
* Check if bind should be installed early enough
* Do not enable innodb-defragment — it may crash the server
* Fix for check_root_keys_pwd()
* Fix for disable_chattr()
* Fix for missing PHP config regression -- #1105
* Fix for VnStat sysconfdir
* Fix the check in detect_deprecated_php()
* Ignore search lines to avoid breaking pdnsd config -- #1069
* Improve SQL defaults
* Make sure innodb_buffer_pool_instances is always defined
* Migration between installation profiles -- #1076
* Monitor more lines when /root/.hr.monitor.cnf exists
* Multiply already high opcache.max_accelerated_files
* Nginx: Set Access-Control-Allow-Origin header only for static files
* Remove duplicate config updates and restarts
* Remove various tmp/dot files breaking du command
* Sync the new on-the-fly permissions magic with BOA daily.sh logic
* The .git/* files are downloadable -- #1091
* Triple check that all sql tables are upgraded
* Update JS module to 7.x-2.1 -- #586
* Update migrate docs to avoid issues with already migrated instances
* Use long enough wait times for big SQL servers restarts
* Use Open Atrium own patched Drupal core -- #1083
### Stable BOA-3.1.3 Release - Barracuda Edition
### Date: Mon Sep 12 17:54:50 PDT 2016
### Milestone URL: https://github.com/omega8cc/boa/milestones/3.1.3
# Release Notes:
This BOA release provides important security upgrades and bug fixes.
You should upgrade via 'barracuda up-stable system' immediately.
Note: Octopus upgrade is **not** included in this BOA release.
Technically, even by running normal system update with previous BOA release
you would apply all security upgrades, since they are provided by MariaDB
packages, and thus enforced no matter if we release new BOA version, or not,
so we are doing this purely to make sure that all users have been alerted
about the situation affecting their systems.
# Changes:
* Move Nginx cache cleanup to daily cleanup procedure
* Use standard hourly schedule for self-update in clear.sh
# System upgrades:
* Add all Tika versions from 1.1 to 1.13 in /opt/tika9/
* MariaDB 10.0.27 (critical security upgrade)
* MariaDB Galera Cluster 10.0.27 (critical security upgrade)
* MongoDB database driver 1.6.14 for all PHP versions < 7 -- fixes #981
* Pure-FTPd 1.0.43
# Fixes:
* Check if curl works and re-install if needed before running auto-update
* Log LE renewal attempts
* Log out all users after lshell em upgrade
* Make sure that cURL is always listed in packages
* Move permissions fix overrides check to the correct place
* Nginx: default FastCGI cache levels value may exhaust all inodes -- #2791885
# Known problems:
https://github.com/omega8cc/boa/milestones/3.1.x
### Stable BOA-3.1.2 Release - Full Edition
### Date: Sat Aug 20 14:43:43 PDT 2016
### Milestone URL: https://github.com/omega8cc/boa/milestones/3.1.2
### Latest hotfix added on: Thu Aug 25 09:17:59 PDT 2016
# Release Notes:
This BOA release provides system security upgrades, improvements
and bug fixes, plus all supported Drupal platforms updated to latest
versions, and supplied with latest Drupal 7 core.
@=> You can use NPM to install Grunt/Gulp/Bower -- #1028 by @pricejn2 (thanks!)
Now the same ~/static/control/compass.info file will activate not only
RVM, which can be used to install Compass Tools, but also NPM, which
can be used to install Grunt/Gulp/Bower.
You will need to re-initialize your account to have it added, by
deleting the control file, and adding it again after ~10 minutes.
More details: https://github.com/omega8cc/boa/blob/master/docs/RVM.txt
@=> Redis integration works with Drupal 8 -- with no effort on your side
We have added a smart activation procedure, to meet the D8 Redis module
requirements. The system will add Redis integration to your Drupal 8
sites automatically, but will keep it inactive, until the module will be
installed properly, during nightly system autonomous maintenance.
This means that Redis will start working in every existing and newly
installed Drupal 8 site with some initial delay, to get things installed
in the correct order, and still without any effort on your side.
# Other enhancements:
* Add mydropwizard to Drush extensions for Drush Make D6 support
* Add support for Drupal 8 specific development.services.yml file
* Allow to configure stable/head BOA auto-upgrades via _AUTO_VER variable
* Compatibility with Multi-byte UTF-8 support in Drupal 7
# Changes:
* Add Adminer database manager and deprecate Chive manager -- #1036
* Enable Let's Encrypt LIVE mode via ~/static/control/ssl-live-mode.info
* Force /root/.use.curl.from.packages.cnf to install cURL from packages
* Run db sqlmagic auto conversion also on test/dev sites, if activated
# System upgrades:
* CSF 9.11
* Drush micro-8-23-07-2016
* Lshell 0.9.18.8 (security update for shell escalation issues)
* MariaDB 10.0.26
* MariaDB 5.5.51
* Mysqltuner v1.6.15
* Nginx 1.11.3
* OpenSSH 7.3p1 (if installed from sources)
* PHP 5.5.38
* PHP 5.6.25
* PHP 7.0.10
* PHPRedis dev5-11-08-2016
* PHPRedis dev7-11-08-2016
* Redis 3.2.3
* Redis D8 integration mod-12-08-2016
* vnStat 1.15
# Fixes:
* Avoid race conditions on web system user update
* Debian Jessie 8.3+ needs grub update -- fixes #912
* Detection of Amazon AWS / EC2 instance -- fixes #930
* Disable Redis integration until module is installed (D8 only)
* Do not force --default-character-set=utf8 -- see #1020
* Don’t set $MANPATH when npm support is enabled
* Fix for openssh-sftp-server status on Jessie
* FMG installation hangs on keyring install -- fixes #1050
* Force InnoDB in sqlmagic for Drupal 7+ -- see #1020
* Ignore ~/control/multi-fpm.info on too old Octopus (2.4) instances
* Linux Kernel CVE-2016-5696 mitigation
* Mitigate httpoxy vulnerability
* Nginx: Fix for not working autodiscover flood protection
* Nginx: Fix for the add_header inheritance
* Nginx: Improve fastcgi_cache_valid TTL settings
* Octopus auto-upgrade should set _AUTOPILOT=YES on the fly -- fixes #1041
* Remove deprecated MyISAM exceptions in sqlmagic command
* Run detect_cdorked_malware() only if /usr/sbin/nginx exists
* Run registry-rebuild directly after hostmaster upgrade
* Single _tmp_ dir is enough to require forced cleanup (Drush cache)
* Sync keyring install command with BOA standard -- #1052
* Sync modules auto en/dis for Drupal 8
* Update check_boa_php_compatibility()
* Upgrade to panels-7.x-3.7 (security) in all distros using the module
* Whitelist elFinder requests
* Workaround for aegir_backup_export_path
# Known problems:
https://github.com/omega8cc/boa/milestones/3.1.x
### Stable BOA-3.1.1 Release - Full Edition
### Date: Wed Jun 22 12:24:17 PDT 2016
### Milestone URL: https://github.com/omega8cc/boa/milestones/3.1.1
### Latest hotfix added on: Fri Jun 24 06:01:07 PDT 2016
# Release Notes:
This BOA release provides system security upgrades, improvements
and bug fixes, plus all supported Drupal platforms updated to latest
versions, and supplied with latest Drupal 7 core (security release).
# New features and enhancements:
* Add _SSH_ARMOUR feature
* Add strict check for supported virtualization systems
* Allow to install ImageMagick from sources when _MAGICK_FROM_SOURCES=YES
# Changes:
* Deprecate support for old Solr versions <4
* Switch cluster support to 3.x
# System upgrades:
* Drush micro-8-15-06-2016
* MariaDB 5.5.50
* Nginx 1.11.1
* PHP 5.5.37
* PHP 5.6.23
* PHP 7.0.8
* Redis 3.2.1
# Fixes:
* Add compatibility with magick src
* Add ToC (Table of Contents) for the Let's Encrypt section in docs/SSL.txt
* Downgrade JSmin from 2.0.1 to 2.0.0 -- fixes #993
* Fix for legacy cluster support
* Fix for virtualbox detection -- see #972
* Fix permissions on sites directories
* Fix sites/all/drush permissions compatibility with Drush 8.2
* Improve protection for custom solrconfig.xml and schema.xml -- fixes #969
* Migration: xboa supports only Ægir 2.x -- #960
* Reinstall default-jre on major OS upgrade, if needed -- fixes #986
* Remote Drush support regression -- fixes #984
* The ~/static/control/README.txt is not updated on octopus upgrade #965
* Update docs/SOLR.txt to match currently supported procedures -- fixes #963
* Use st_runner() wrapper only for apt-get/aptitude
# Known problems:
https://github.com/omega8cc/boa/milestones/3.1.x
### Stable BOA-3.1.0 Release - Full Edition
### Date: Thu May 26 16:41:40 PDT 2016
### Milestone URL: https://github.com/omega8cc/boa/milestones/3.1.0
### Latest hotfix added on: Mon May 30 08:55:03 PDT 2016
@=> Includes Ægir Hostmaster 3.x-head with improvements
@=> Includes Ægir Provision 3.x-head with improvements
@=> Includes Drush 8 customized for BOA
# Release Notes:
This BOA release includes new features, system upgrades, improvements
and bug fixes, with most notable features and changes listed below.
All supported Drupal platforms have been updated to latest versions.
@=> Let's Encrypt free SSL certificates are supported directly in Ægir
@=> PHP-FPM version can be switched per site hosted on the same instance
@=> Both Ægir control panel and its backend are compatible with PHP 7.0.7
@=> Support for forced Drush cache clear in the Ægir backend
@=> BOA can run Debian Wheezy to Debian Jessie upgrades easily
More details on new features, enhancements and changes can be found below.
###
#-### Let's Encrypt free SSL certificates are supported directly in Ægir
###
You can find these important Let's Encrypt topics discussed below:
# Introduction
# How it works?
# How to add Letsencrypt.org SSL certificate to hosted site?
# How to add Letsencrypt.org SSL certificate to the Ægir Hostmaster site?
# How to modify/renew Letsencrypt.org SSL certificate for SSL enabled site?
# Are there any requirements, limitations or exceptions?
# How to enable live mode?
# How to replace Let's Encrypt certificate with custom certificate?
[ Available also at: https://omega8.cc/node/381 ]
This BOA release opens a new era in SSL support for all hosted Drupal sites.
The old method of creating SSL proxy vhosts is officially deprecated,
as explained in the docs/SSL.txt how-to:
NOTE ###===>>>
The old how-to is still useful if you prefer to use SSL termination separated
from your Ægir system, or if you don't want to use built-in Letsencrypt.org
SSL certificates support (available since BOA-3.1.0).
But if you can use Letsencrypt.org SSL certificates, or you are willing to use
also built-in BOA feature which allows you to replace Letsencrypt.org SSL
certificate with any third-party certificate per site, while still managing SSL
via Ægir control panel (for redirects, forced/required SSL mode), we highly
recommend to use Ægir built-in SSL support, which is enabled and ready to use
in all Octopus instances since BOA-3.1.0 release.
NOTE ###===>>>
* How it works?
BOA leverages letsencrypt.sh utility to talk to Letsencrypt.org servers,
and on the Ægir side it's using new `hosting_le` extension, which replaces
self-signed SSL certificates generated by Ægir with Let's Encrypt ones.
You can find more information on both at these URLs:
https://github.com/lukas2511/letsencrypt.sh
https://github.com/omega8cc/hosting_le
* How to add Letsencrypt.org SSL certificate to hosted site?
In your Ægir control panel please go to the site's node Edit tab, then
under `SSL Settings > Encryption` choose either `Enabled` or `Required`,
if you want to enable HTTP->HTTPS redirection on the fly. Now click `Save`
and wait until you will see the Verify task completed. Done!
NOTE: SSL Settings are not available in the Add Site form, only in Edit.
* How to add Letsencrypt.org SSL certificate to the Ægir Hostmaster site?
!!! WARNING
!!! ###===>>> Don't enable SSL option for the Hostmaster site in Ægir
!!! WARNING
Let's Encrypt SSL for Ægir control panel is handled in BOA outside of
the control panel, and you should never enable it within control panel.
During octopus upgrade you will see this message, explaining what to do:
BOA [02:44:59] ==> UPGRADE B: Letsencrypt SSL initial mode: DEMO
BOA [02:44:59] ==> UPGRADE B: LE -- No real SSL certs will be generated
BOA [02:44:59] ==> UPGRADE B: LE -- To enable live SSL mode, please delete file:
BOA [02:44:59] ==> UPGRADE B: LE -- /data/disk/o1/tools/le/.ctrl/ssl-demo-mode.pid
BOA [02:44:59] ==> UPGRADE B: LE -- Then run octopus forced upgrade
* How to modify/renew Letsencrypt.org SSL certificate for SSL enabled site?
When you modify aliases or redirections, Ægir will re-create the SSL
certificate on the fly, to match current settings and aliases to list.
BOA runs auto-renewal checks for you weekly, and forces renewal if there is
less than 30 days to the certificate expiration date (Let's Encrypt certs
are valid for up to 90 days before they have to be renewed).
Also every Verify task against SSL enabled site runs this check on the fly.
* Are there any requirements, limitations or exceptions?
Yes, there are some:
* All aliases must have valid DNS names pointing to your server IP address
* Even with aliases redirection enabled all aliases are listed as SAN names
* Avoid renaming SSL-enabled sites; move aliases between site's clones instead
* Before you rename a site, disable SSL first; then re-enable once it's renamed
NOTE: The Subject Alternative Names (SAN) is a feature which allows to issue
multi-domain / multi-subdomain SSL certificates -- it is automated in BOA.
Let's Encrypt API for live, real certificates has its own requirements
and limits you should be aware of. Please visit their website for details:
https://letsencrypt.org/docs/rate-limits/
To make this new BOA feature easy to test before you will be ready to
generate real, live SSL certificates, BOA comes with Let's Encrypt demo
mode enabled by default, so it will not hit limits enforced for live,
real Let's Encrypt SSL certificates. It allows to generate "fake" certs,
similar to self-signed certificate used in BOA by default.
NOTE: All sites with one or more keywords (listed below) in the site's
main name (this exception rule doesn't apply to aliases) will be ignored,
and they will receive only self-signed SSL certificates generated by Ægir,
once you will switch their SSL settings to `Enabled` or `Required`.
`.(dev|devel|temp|tmp|temporary|test|testing|stage|staging).`
Examples: `foo.temp.bar.org`, `foo.test.bar.org`, `foo.dev.bar.org`
NOTE: This exception rule doesn't apply to aliases which are not used
as a redirection target. Even aliases with listed special keywords in their
names will be listed as SAN entries, as long as they are valid DNS names.
* How to enable live mode?
It is enough to delete the `[aegir_root]/tools/le/.ctrl/ssl-demo-mode.pid`
control file and run Verify task on any SSL enabled site again.
NOTE: If you are on hosted BOA, you don't have an access to this location
on your system, so please open a ticket at: https://omega8.cc/support
You could switch it back and forth to demo/live mode by adding and deleting
the control file, and it will re-register your system via Let's Encrypt API,
but we have not tested how it may affect already generated live certificates
once you will run the switch many times, so please try not to abuse
this feature.
It is important to remember that once you will switch the Let's Encrypt mode
to demo from live, or from live to demo, by adding or removing the
`[aegir_root]/tools/le/.ctrl/ssl-demo-mode.pid` control file, it will not
replace all previously issued certificates instantly, because certificates
are updated, if needed, only when you (or the BOA system for you during its
daily maintenance, if used) will run Verify tasks on SSL enabled sites.
These BOA specific Verify tasks are normally scheduled to run weekly,
between Monday and Sunday, depending on the first character in the site's
main name, so both live and demo certificates may still work in parallel
for SSL enabled sites until it will be their turn to run Verify and update
the certificate according to currently set Let's Encrypt mode.
NOTE: You may find some helpful details in the Verify task log -- look for
lines with `[hosting_le]` prefix.
* How to replace Let's Encrypt certificate with custom certificate?
1. Create an empty control file (replace `example.com` with your site name):
`[aegir_root]/tools/le/.ctrl/dont-overwrite-example.com.pid`
2. Replace `privkey.pem` symlink with single file containing your custom
certificate key -- use `privkey.pem` as a filename in the directory:
`[aegir_root]/tools/le/certs/example.com/`
3. Replace `fullchain.pem` symlink with single file containing your custom
certificate and all intermediate certificates beneath it -- use
`fullchain.pem` as a filename in the same directory:
`[aegir_root]/tools/le/certs/example.com/`
4. Run Verify task for your site in the Ægir control panel. Done!
NOTE: If you are on hosted BOA, you don't have an access to this location
on your system, so please open a ticket at: https://omega8.cc/support
###
#-### Support for PHP-FPM version switch per Octopus instance (also per site)
###
### ~/static/control/fpm.info
###
### This file, if exists and contains supported and installed PHP-FPM version,
### will be used by running every 2-3 minutes system agent to switch PHP-FPM
### version used for serving web requests by this Octopus instance.
###
### IMPORTANT: If used, it will switch PHP-FPM for all Drupal sites
### hosted on the instance, unless multi-fpm.info control file also exists.
###
### Supported values for single PHP-FPM mode which can be written in this file:
###
### 7.0
### 5.6
### 5.5
### 5.4
### 5.3
###
### NOTE: There must be only one line and one value (like: 7.0) in this file.
### Otherwise it will be ignored.
###
### It is now possible to make all installed PHP-FPM versions available
### simultaneously for sites on the Octopus instance with additional
### control file:
###
### ~/static/control/multi-fpm.info
###
### This file, if exists, will switch all hosted sites to highest
### available PHP-FPM version within the 5.3-5.6 range, with ability
### to override PHP-FPM version per site, if the site's name is listed
### in this additional control file, as shown below:
###
### foo.com 7.0
### bar.com 5.5
### old.com 5.3
###
### NOTE: Each line in the multi-fpm.info file must start with main site name,
### followed by single space, and then the PHP-FPM version to use.
###
###
#-### Support for PHP-CLI version switch per Octopus instance (all sites)
###
### ~/static/control/cli.info
###
### This file, while similar to fpm.info, if exists and contains supported
### and installed PHP version, will be used by running every 2-3 minutes
### system agent to switch PHP-CLI version for this Octopus instance, but
### it will do this for all hosted sites. There is no option to switch this
### or override per site hosted.
###
### NOTE: While current Ægir version 3.x included in BOA works fine with
### latest PHP 7.0, many hosted sites, especially using Pressflow 6 core or
### older Drupal 7 core without required patch we have included since 7.43.2,
### will not work properly and Ægir tasks run against those sites may fail,
### so it's recommended to use PHP-CLI 5.6, unless you have verified that all
### sites on the instance support PHP 7.0 without issues.
###
### Supported values which can be written in this file:
###
### 7.0
### 5.6
### 5.5
### 5.4
### 5.3
###
### There must be only one line and one value (like: 5.6) in this control file.
### Otherwise it will be ignored.
###
###
#-### Support for forced Drush cache clear in the Ægir backend
###
### ~/static/control/clear-drush-cache.info
###
### Octopus instance will pause all scheduled tasks in its queue, if it will
### detect a platform build from the makefile in progress, to make sure
### that no other running task could break the build.
###
### This is great, until there will be a broken build, and Drush will fail
### to clean up all leftovers from its .tmp/cache directory, which in turn
### will pause all tasks in the queue for up to 24-48 hours, until the cache
### directory will be automatically purged by running daily cleanup tasks,
### designed to not touch anything not old enough (24 hours at minimum)
### to not break any running builds.
###
### If you need to unlock the tasks queue by forcefully removing everything
### from the Ægir backend Drush cache, you can create an empty control file:
### ~/static/control/clear-drush-cache.info
###
###
#-### BOA can run Debian Wheezy to Debian Jessie upgrades easily
###
This feature works like it worked before for `_LENNY_TO_SQUEEZE=YES` and then
for `_SQUEEZE_TO_WHEEZY=YES`. But make sure you follow all the steps exactly
as listed below:
1. Upgrade both barracuda and octopus to current stable:
$ cd;wget -q -U iCab http://files.aegir.cc/BOA.sh.txt;bash BOA.sh.txt
$ barracuda up-stable
$ octopus up-stable all both
NOTE: You can upgrade octopus selectively, if you still need one running
the old stable BOA-2.4.9 version, example:
$ octopus up-2.4 o1 force
$ octopus up-stable o2 force
$ octopus up-stable o3 force
2. Add to your /root/.barracuda.cnf this line:
_WHEEZY_TO_JESSIE=YES
3. Run another barracuda upgrade with command:
$ barracuda up-stable
4. If there are no errors reported, try to run manual update:
$ aptitude update
$ aptitude full-upgrade
It should tell you that there are no packages to upgrade left.
5. Reboot your system (preferably via remote console)
$ reboot
6. Run barracuda upgrade again:
$ barracuda up-stable
7. Try to run manual update:
$ aptitude update
$ aptitude full-upgrade
It should tell you that there are no packages to upgrade left.
8. Congrats! You are running BOA stable on Debian Jessie.
# New features and enhancements:
* Add all aliases as Subject Alternative Names in Let's encrypt certs -- #941
* Add auto-renewal procedure for Let's encrypt certs -- #942
* Add option to exclude *.tar.gz Drush archives in backboa -- #936
* Add Restaurant 1.11
* Add support for arbitrarily selected redirection targets as valid SSL names
* Allow to define PHP-FPM version per site hosted -- #935
* Allow to use drush7 and drush8 on command line directly
* Even with redirection enabled all aliases are listed as SAN names -- #964
* Feature: _WHEEZY_TO_JESSIE major upgrade procedure -- #870
* Let's encrypt support -- #500
* New Relic integration compatibility with multi-FPM mode
* Support for forced Drush cache clear in the Ægir backend
* Use Let's encrypt for Hostmaster site (after Octopus upgrade) -- #940
# Changes:
* Do not allow XtraDB to crash the server due to single broken cache table
* Nginx: Use faster 301/302 redirects
* Nginx: Use only TLSv1.1 TLSv1.2
* Redis: Exclude cache_form bin again to avoid rare issues with contrib
* Use dynamic httpredir.debian.org mirrors
# System upgrades:
* cURL 7.49.0 (if installed from sources)
* Jetty 9.2.16.v20160414
* Nginx 1.11.0
* PHP 5.5.36
* PHP 5.6.22
* PHP 7.0.7
* Redis 3.2.0
* SLF4J 1.7.21
# Fixes:
* Add compatibility with "config.sh" renamed to "config" in letsencrypt.sh
* Add ssl_trusted_certificate directive required by ssl_stapling
* Add warning: "Don't enable SSL option for the Hostmaster site in Ægir" -- #962
* Check if parent dir exists before touching ctrl file -- #945
* Do not clear drush cache on every hosting-dispatch -- #943
* Do not create Letsencrypt cert for Hostmaster if still in demo mode
* Do not force PHP rebuild on new cURL install from sources
* Drush is broken error -- clear drush cache before testing it -- #946
* Fix for backward compatibility with FPM pool tpl in 2.4
* Fix for Chive auth (via SSH) access filtering
* Fix for conflicting Jetty libs
* Fix ownership and attr on usr home dirs / subdirs
* Improve sub-accounts zombie cleanup
* Let's Encrypt SSL - switching from demo to live -- #959
* Make backboa sub-tasks delays optional and disable them by default -- #919
* Nginx: Fix for ssl_dhparam if/else logic
* Remove deprecated wildcard HTTPS warning
* Run registry-rebuild before updatedb with --no-cache-clear -- #938
* Set LE mode to DEMO on initial setup -- both on octopus install and upgrade
* Skynet upgrades for limited shell configuration -- #950
* Something is stuck after BOA upgrade to 3.0.2 -- #951
* The makefile based platform creation fails with permissions error -- #943
* The site's files should have Ægir backend user as an owner
* Use strict paths checks to avoid running chown/chmod on parent dirs
# Known problems:
https://github.com/omega8cc/boa/milestones/3.1.x
### Stable BOA-3.0.2 Release - Full Edition
### Date: Tue May 3 22:26:09 PDT 2016
### Milestone URL: https://github.com/omega8cc/boa/milestones/3.0.2
### Latest hotfix added on: Fri May 6 08:42:13 PDT 2016
@=> Includes Ægir Hostmaster 3.x-head with improvements
@=> Includes Ægir Provision 3.x-head with improvements
@=> Includes Drush 8 customized for BOA
# Release Notes:
This BOA release includes several important system upgrades, improvements
and bug fixes. All supported platforms have been updated to latest versions.
@=> Latest Drupal 7 core version used in BOA in all built-in platforms is
compatible with latest PHP 7.0.6 -- you can switch your Octopus instance
easily via fpm.info control file: https://omega8.cc/node/330 but please
don't use 7.0 in cli.info, because it is not supported in the Ægir
backend yet. PHP 7.0 can't be used if you have any Pressflow 6 site.
# New features and enhancements:
* Add idna_convert to hostmaster for IDN domain names auto-conversion -- #916
* Allow to disable redis.path.inc feature via INI variable -- #815
* Drupal 7.43.2 (with PHP 7 compatibility patch)
* PHP 7 compatibility improvements -- #716
* Pressflow 6.38.2 (only version update)
* Truncate giant watchdog tables
# Changes:
* Disable (temporarily) support for outdated ERPAL distro
* Disable auto-upgrade for legacy Octopus instances
* Disable page cache only in hostmaster
* Disable PAMAuthentication in pure-ftpd
* Force PHP 5.6 or 5.5 cli.info in Octopus 2.4.9
* Force Redis SOCKET mode if PORT was used before
* Redis module mod-03-05-2016
* Redis: Limit methods to define site prefix
* Redis: Use maxmemory-policy volatile-ttl
* Set redis_client_base
* Use Redis in hostmaster
* Use standard profile by default
# System upgrades:
* Drush micro-8-24-04-2016
* MariaDB 10.0.25
* MariaDB 5.5.49
* MariaDB Galera Cluster 10.0.25
* Nginx 1.9.15
* OpenSSL 1.0.2h (used only in custom built Nginx)
* PHP 5.5.35
* PHP 5.6.21
* PHP 7.0.6
# Fixes:
* Add check_boa_php_compatibility() procedure -- fixes #906
* Add patch for registration error (Commons)
* Avoid duplicate entries in hosting_cron on hostmaster install -- #928
* Cron not running on cloned sites -- fixes #922
* Disable hosting-pause / Provision -- not needed in BOA, may hang upgrade
* Do not force TERM
* Do not set $conf['redis_eval_enabled'] = TRUE;
* Enable _DEBUG_MODE=YES on Octopus upgrade from BOA-2.4.9
* Experimental hosting_git error, platform not installed -- fixes #904
* Improve the provision_autoload_register_prefix check
* Make sure that auto-generated robots.txt is OK -- fixes #925
* Make sure that hostmaster cron is never disabled
* Make sure to not set PHP 7 as system default
* Restart php-fpm on upgrade as soon as possible
* Run registry-rebuild directly after hostmaster-migrate
* Run update_php_cli_cron() twice
* Use inetutils-syslogd on VZ systems -- fixes #905
* Use syncpass during hostmaster upgrade
* Workaround for hostmaster upgrade from 2.x
# Known problems:
https://github.com/omega8cc/boa/milestones/3.1.1
### Stable BOA-3.0.1 Release - Full Edition
### Date: Mon Apr 11 18:49:43 PDT 2016
### Milestone URL: https://github.com/omega8cc/boa/milestones/3.0.1
@=> Includes Ægir Hostmaster 3.x-head with improvements
@=> Includes Ægir Provision 3.x-head with improvements
@=> Includes Drush 8 customized for BOA
# Release Notes:
This BOA release includes important fixes and improvements in the upgrade
procedure from BOA-2.4.9 and in the initial install procedures, along with
support for latest Drupal 8.0.x and 8.1.x as custom platforms you can create
in the ~/static directory tree. We list here also all hot-fixes applied
after initial BOA-3.0.1 release.
@=> BOA will not include built-in Drupal 8 platforms until Drupal 8 will
support symlinks in the codebase, like all previous core versions.
@=> Octopus Ægir instances hosted on Power Engine option will *not* receive
upgrade to BOA-3.x unless requested via https://omega8.cc/support
to prevent issues with (often) customized Hostmaster modules not ready
for Drupal 7 based Ægir control panel. All hosted BOA systems will still
continue to receive the Barracuda system upgrades.
@=> It is possible to host previous stable BOA-2.4.9 Octopus instances
on systems with Barracuda upgraded to BOA-3.0.1
# Known problems:
https://github.com/omega8cc/boa/milestones/3.0.2
# New features and enhancements:
* Allow boa in-octopus to specify version {stable|head|2.4}
# Changes:
* Allow to execute compass over SSH
* Allow to upload dot-files via SFTP
* Remove/don't install not used blocks in Hostmaster
# System upgrades:
* Add mydropwizard-6.x-1.4 to all existing D6 platforms
* Drush micro-8-08-04-2016
* Lshell 0.9.18.3 -- #895
* Nginx 1.9.14
* PHP 5.5.34
* PHP 5.6.20
* PHP 7.0.5 (for testing only)
* Redis module 7.x-3.12
# Fixes:
* 3.0.0 clean install is broken -- #899
* boa in-2.4 fails to install on Debian Jessie -- #898
* Can't git pull -- #890
* CiviCRM error on verification D6 site -- #897
* D7 API compatibility fix for node_save() in Hostmaster
* Do not switch default PHP to 7.0 if installed
* Drush issues: no aliases available -- #887
* Fix for 3.x to 3.x upgrades
* Fix for FPM master proc monitor
* Fix for input filters upgrade path
* Fix for series test to avoid downgrade attempts
* Fix the legacy install mode -- #898
* Less and more no longer allowed -- #896
* Limit the list of allowed_shell_escape commands
* Missing VBO options -- #892
* Overlay header title not showing -- #889
* Problems installing rvm / compass -- #895
* Remove deprecated sftp restriction
* Require BOA-2.4.9 before upgrade to BOA-3.x also in barracuda -- #886
* Switch octopus upgrade mode automatically to legacy if needed
* tar and gunzip fails because of permission denied -- #894
* Use Drush 8 on command line -- #887
* vi and vim both open nano instead of vim -- #893
### Stable BOA-3.0.0 Release - Full Edition
### Date: Wed Mar 30 10:48:54 PDT 2016
### Milestone URL: https://github.com/omega8cc/boa/milestones/3.0.0
### Latest hotfix added on: Wed Apr 6 17:40:12 PDT 2016
@=> Includes Ægir Hostmaster 3.x-head with improvements
@=> Includes Ægir Provision 3.x-head with improvements
@=> Includes Drush 8 customized for BOA
# Release Notes:
This BOA release includes complete Ægir 3 with Drush 8, and introduces
full support for latest Drupal 8.0.5 and Drupal 8.1.0-beta2 as custom
platforms you can create in the ~/static directory tree.
@=> BOA will not include built-in Drupal 8 platforms until Drupal 8 will
support symlinks in the codebase, like all previous core versions.
@=> All supported Ægir platforms have been updated to their latest releases
@=> Octopus Ægir instances hosted on Power Engine option will *not* receive
upgrade to BOA-3.x unless requested via https://omega8.cc/support
to prevent issues with (often) customized Hostmaster modules not ready
for Drupal 7 based Ægir control panel. All hosted BOA systems will still
continue to receive the Barracuda system upgrades.
@=> It is possible to host previous stable BOA-2.4.9 Octopus instances
on systems with Barracuda upgraded to BOA-3.0.0
# Known problems:
https://github.com/omega8cc/boa/milestones/3.0.1
While clean 3.0.0 install worked in our tests before the release, it doesn't
work for others. Until this problem is fixed properly without regressions,
we are switching boa installer back to 2.4.9, which makes getting 3.0.0
on initial installation a two step operation: first 'boa in-stable' install
to get 2.4.9, and then 'barracuda up-stable' plus 'octopus up-stable' upgrade
to get 3.0.0, because upgrades for barracuda and octopus from 2.4.9 to 3.0.0
work fine.
This also means that 'boa in-octopus' will still install the legacy 2.4.9
octopus extra instances, and you can upgrade them to 3.0.0 with standard
'octopus up-stable' mode.
It is still possible to test/debug boa 3.0.0 clean installs -- just create
an empty /root/.debug-boa-installer.cnf file before running the installer.
# New features and enhancements:
* Add Hosting Git optional feature -- fixes #753
* Add mydropwizard module to D6 o_contrib by default
* Add support for ap-northeast-2 Asia Pacific (Seoul) S3
* Add support for PHP 7.0 -- experimental ! -- fixes #716
* Add support for VServer kernel 4.1.19-vs2.3.8.4-beng
* BOA with Ægir Hostmaster 3.x -- fixes #715
* Switch to Drush 8 for Drupal 8 -- fixes #729
* Allow to randomize duplicity full backup schedule
* Monitor and block SSH connections flood
* Run registry-rebuild in drush_provision_drupal_post_provision_deploy()
# Changes:
* Add linkchecker module to Contrib [F]orce[D]isabled
* Deny sudo/su switch if used for root access - fixes #879
* Do not install / remove auditd on VServer systems
* Do not install / remove udev on VServer systems
* Merge hosting_advanced_cron into Ægir core cron
* Use Redis 7.x-3.x integration module
# System upgrades:
* Boto 2.39.0-fix-python-2.7.9 (please run 'backboa install' to upgrade)
* CSF 8.16
* Drush mini-8-08-03-2016
* Duplicity 0.7.06 (please run 'backboa install' to upgrade)
* Lshell 0.9.18.3
* MongoDB database driver 1.6.13 for all PHP versions < 7 -- fixes #521
* Nginx 1.9.14
* OpenSSH 7.2p2 (if installed from sources)
* OpenSSL 1.0.2g (used only in custom built Nginx)
* PHP 5.5.34
* PHP 5.6.20
* PHP 7.0.5 (for testing only)
* Twig C extension for PHP - v.1.24.0
* Use PHP jsmin 2.0.1 ext with newer PHP versions - fixes #878
# Fixes:
* [system] sync fix_locales for root -- fixes #880
* Add mydropwizard-6.x-1.4 to all existing D6 platforms
* Auto-Update lshell.conf on all systems
* Fix for 3.x to 3.x upgrades
* Fix for entitycache 1.2 to 1.5 upgrade problem #868
* Fix for FPM master proc monitor
* Fix for series test to avoid downgrade attempts
* Numerous lshell problems -- fixes #896 #895 #894 #893 #890
* Problems installing rvm / compass -- fixes #895
* Require 2.4.9 before upgrade to 3.0.0 also in barracuda -- fixes #886
* Restart rsyslog/sysklogd aggressively enough
* Switch boa meta installer to 2.4.9 until #899 is fixed
* Switch octopus upgrade mode automatically to legacy if needed
* Sync max_user_connections
* Update map $http_user_agent $is_crawler
* Use Drush 7 on command line until #887 is fixed
### Stable BOA-2.4.9 Release - Full Edition
### Date: Sat Feb 27 15:22:11 GMT 2016
### Milestone URL: https://github.com/omega8cc/boa/milestones/2.4.9
@=> Includes Ægir Hostmaster 2.x-head with improvements
@=> Includes Ægir Provision 3.x-head with improvements
@=> Includes Drush 7 customized for BOA
# Release Notes:
This BOA release includes latest Drupal 7 and Pressflow 6 security updates,
along with bug fixes and other system software updates.
@=> All supported Ægir platforms have been updated to their latest releases
@=> What are BOA plans for Drupal 6 support after February 24th, 2016?
We will support Drupal/Pressflow 6 in all new releases, as long as
available PHP versions will allow to use it (we run our own Pressflow 6
based site on PHP 5.6 for many months with zero issues). For more details
please check: https://github.com/omega8cc/boa/issues/824
@=> Even if deprecated PHP versions are still included in this release,
any Octopus instance running PHP older than 5.5 will not be able to
receive upgrade to BOA-2.4.9, as announced before -- Please switch your
Octopus to PHP 5.6 or at least 5.5 to be able to upgrade not only
the Barracuda system part of BOA, but also Octopus Satellite --
The how-to can be found at: https://omega8.cc/node/330
@=> Drupal 8 support for custom platforms in the ~/static directory tree
will be included, along with Drush 8 and Hostmaster 3.x in the upcoming
BOA-3.0.0 release: https://github.com/omega8cc/boa/milestones/3.0.0
Note: BOA will not include built-in Drupal 8 platforms until Drupal 8
will support symlinks in the codebase, like all previous core versions
# System upgrades:
* MariaDB Galera Cluster 10.0.24
* Nginx 1.9.12
# Fixes:
* Do not force Ruby with RVM for root on every upgrade
* SQL max_user_connections autoconf value can be too low -- fixes #873
### Stable BOA-2.4.8 Release - Full Edition
### Date: Sat Feb 20 11:28:05 GMT 2016
### Milestone URL: https://github.com/omega8cc/boa/milestones/2.4.8
### Latest hotfix added on: Mon Feb 22 18:28:51 GMT 2016
@=> Includes Ægir Hostmaster 2.x-head with improvements
@=> Includes Ægir Provision 3.x-head with improvements
@=> Includes Drush 7 customized for BOA
# Release Notes:
This BOA release includes several important system upgrades and bug fixes,
with most notable features and changes listed below.
@=> Debian 8 Jessie is fully supported, but includes only PHP 5.5 and 5.6
@=> All supported Ægir platforms have been updated with latest Drupal cores
@=> Even if deprecated PHP versions are still included in this release,
any Octopus instance running PHP older than 5.5 will not be able to
receive upgrade to BOA-2.4.8, as announced before -- Please switch your
Octopus to PHP 5.6 or at least 5.5 to be able to upgrade not only
the Barracuda system part of BOA, but also Octopus Satellite --
The how-to can be found at: https://omega8.cc/node/330
@=> Drupal 8 support for custom platforms in the ~/static directory tree
will be included, along with Drush 8 and PHP 7 in the *upcoming*
BOA-3.0.0 release: https://github.com/omega8cc/boa/milestones/3.0.0
Note: BOA will not include built-in Drupal 8 platforms until Drupal 8
will support symlinks in the codebase, like all previous core versions
@=> What are BOA plans for Drupal 6 support after February 24th, 2016?
We will support Drupal/Pressflow 6 in all new releases, as long as
available PHP versions will allow to use it (we run our own Pressflow 6
based site on PHP 5.6 for many months with zero issues). For more details
please check: https://github.com/omega8cc/boa/issues/824
# Changes:
* Add "boa info" and 'boa info more' helper command
* Add branch support in the boa wrapper
* Allow to force re-install with /root/.force.reinstall.cnf present
* Allow to run existing Octopus 2.4 on the upcoming Barracuda 3.0
* Deny Octopus upgrade unless it is running on a compatible PHP version 5.5+
* Full backboa backups are scheduled on Sunday, unless custom _AWS_FLC is set
* Full duobackboa backups will run on Saturday, unless custom _AWS_FLC is set
* Make base nice configurable via _B_NICE variable
* Nginx: Sync htaccess level protection with Drupal core
* Nginx: Update map $http_user_agent $is_crawler
* Only instance already running 2.4.8 can upgrade to upcoming 3.0.0
* Remove no longer supported T1lib in PHP
* Remove support for deprecated OS versions -- fixes #802
* Replace in-legacy and up-legacy with version specific commands
* Revert "Issue #2377819: Gzipping backups suppresses file permissions errors"
* Run minimal modules en/dis procedure on Wednesday and full on Saturday
* Skip legacy PHP 5.3 and 5.4 on Jessie
* Support for Debian 8 Jessie -- fixes #702
* The _MODULES_FIX variable is set to YES by default
* The _PERMISSIONS_FIX variable is set to YES by default -- fixes #593
# System upgrades:
* Git 2.7.0 (if installed from sources)
* MariaDB 10.0.24
* MariaDB 5.5.48
* Nginx 1.9.11
* OpenSSH 7.1p2 (if installed from sources)
* OpenSSL 1.0.2f (used only in custom built Nginx)
* PHP 5.5.32
* PHP 5.6.18
* PHP: Imagick 3.3.0
* Redis 3.0.7
* Ruby 2.3.0
# Fixes:
* Add duobackboa docs
* Add missing libs in Jessie
* Allow to install a specific PHP version on a local install -- fixes #848
* Allow to run upgrade from not really 3.x HEAD to 2.4.8
* Automate /root/.force.reinstall.cnf and improve docs
* Disable Octopus 3.x specific version check (tmp) for 2.4.8
* Disable spinner on Jessie
* Do not force rebuild on systems installed with 2.4.8
* Do not kill long running php-fpm childs
* Do not run the old D7 core fix on newer BOA versions -- fixes #842
* Do not wait for simple sed replacements -- fixes #838
* Fix a typo in some locCnf variable calls -- fixes #854
* Fix for ignored boa_platform_control.ini
* Fix for MariaDB version check
* Fix for not working S3 bucket connection test
* Fix for process.max and pm.max_children
* Fix for undefined locCnf variable in BOND - fixes #748
* Fix the logic in mysql_proc_kill()
* Fix too aggressive Jetty monitoring
* Force clean rsyslog/sysklogd restart if required
* Force rebuild for affected services built from sources -- CVE-2015-7547
* Improve backup sub-tasks randomized schedule
* Improve initial install how-to with screen
* Locales check should not be used with screen session -- fixes #871
* Nginx: Remove duplicate $args on redirects
* Nginx: Workaround for broken autocomplete
* Remove dependency on _MODULES_FIX=YES -- fixes #592
* Remove no longer used _SSL_FROM_SOURCES logic
* Remove systemd on Debian Jessie -- fixes #840
* Restart syslog hourly
* Run drush cache cleanup only once per account
* Speed up backup tasks by removing extra conn_test
* Speed up backup tasks by running extended cleanup and reporting weekly
* Speed up initial setup procedure
* Sync wait randomizer max value
* Upgrade wkhtmltopdf and wkhtmltoimage to 0.12.3 - fixes #858
* Use date %u day of week (1..7); 1 is Monday
* Whitelist missing upload progress path
### Stable BOA-2.4.7 Release - Full Edition
### Date: Fri Dec 4 08:09:21 PST 2015
### Milestone URL: https://github.com/omega8cc/boa/milestones/2.4.7
### Latest hotfix added on: Thu Dec 10 10:10:26 PST 2015
@=> Includes Ægir Hostmaster 2.x-head with improvements
@=> Includes Ægir Provision 3.x-head with improvements
@=> Includes Drush 7 customized for BOA
# Release Notes:
This BOA release includes several important system upgrades and bug fixes,
with most notable features and changes listed below.
@=> All supported Ægir platforms have been updated with latest Drupal cores
@=> Drupal 8 support for custom platforms in the ~/static directory tree
will be included, along with Drush 8 and PHP 7 in the *upcoming*
BOA-3.0.0 release: https://github.com/omega8cc/boa/milestones/3.0.0
@=> This BOA release (2.4.7) is the last release which still supports
deprecated PHP versions: 5.3 and 5.4 -- You should switch to PHP 5.6
or at least 5.5 as soon as possible, or you will not be able to upgrade
to newer BOA versions after 2.4.7 -- https://omega8.cc/node/330
@=> What are BOA plans for Drupal 6 support after February 24th, 2016?
We will support Drupal/Pressflow 6 in all new releases, as long as
available PHP versions will allow to use it (we run our own Pressflow 6
based site on PHP 5.6 for many months with zero issues). For more details
please check: https://github.com/omega8cc/boa/issues/824
@=> SSH (RSA) keys for root are required by newer OpenSSH versions used in BOA
BOA installs SSH from sources by default (Debian only). This means that
password based access for root will not work once BOA is installed or
upgraded to current stable version. It is a result of OpenSSH changes
in recent releases and not BOA specific change. BOA will deny the initial
install and Barracuda will refuse to run upgrade if it detects that system
root has no SSH (RSA) keys added and only password based access is available.
You can still modify this behaviour in /usr/etc/sshd_config but future
OpenSSH versions may still revert such changes, so it is not recommended.
@=> BOA switched from SPDY to HTTP/2 + PFS on all supported OS versions
# Changes:
* Allow to disable SQL monitoring with /root/.no.sql.cpu.limit.cnf -- #799
* Disable page caching on the fly where needed
* Disable temporarily support for broken Restaurant distro
* Do not rebuild features and entities on cache clear
* Document new requirement: SSH (RSA) keys for root -- fixes #786 #833
* Make ioncube_loader optional and disable by default with _PHP_IONCUBE=NO
* Nginx SSL: enable OCSP stapling by default
* Nginx SSL: enable OCSP stapling for existing HTTPS vhosts
* Nginx: Add ssl_dhparam to existing vhosts, if needed
* Nginx: HTTP/2 replaces SPDY -- fixes #624
* PHP: Add YAML extension with LibYAML
* Preserve customized /etc/sysctl.conf -- fixes #789
* Run modules ON/OFF only weekly -- requires _MODULES_FIX=YES (default is NO)
* Run most of crontab, install and upgrade tasks with low priority using
nice and ionice -- fixes #780
# System upgrades:
* cURL 7.45.0 (if installed from sources)
* GEOS 3.5.0 (requires _PHP_GEOS=YES)
* Git 2.6.1 (if installed from sources)
* MariaDB 10.0.22
* MariaDB 5.5.47
* MariaDB Galera Cluster 10.0.22
* Nginx 1.9.7
* OpenSSL 1.0.2e (used only in custom built Nginx)
* PHP 5.5.30
* PHP 5.6.16
* Redis 3.0.5
# Fixes:
* Add /root/.skip_cleanup.cnf support
* Add feature branch testing in HEAD
* Avoid load spikes caused by long running tasks
* Avoid race conditions on multi-line sed replacement -- fixes #806
* Clean up any remaining procs zombies
* Clean up postfix queue to get rid of bounced emails
* Disable ioncube and opcache for HHVM
* Disable Redis for Hostmaster in the backend
* Do not allow to install non-standard OpenSSH on Ubuntu
* Do not break /data/all/cpuinfo permissions on Octopus upgrade
* Do not run 'apt-get autoremove' automatically
* Do not use wrapper for dot-files cleanup
* Document better BOA aggressive installation behavior -- fixes #811
* Document boa in-octopus command -- fixes #817
* Don't strip $args from $request_uri in redirects
* Fix cron schedule for upgrades
* Fix for /etc/sudoers on _SQUEEZE_TO_WHEEZY
* Fix for broken Git on Ubuntu
* Fix for DNS on _SQUEEZE_TO_WHEEZY
* Fix for not working PHP rebuild check
* Fix for not working syncpass tool
* Fix for Ruby rebuild on _SQUEEZE_TO_WHEEZY
* Fix PHP deprecated warning in D8 -- fixes #804
* Ignore 'env COLUMNS' sent by Drush remotely -- fixes #373
* Ignore daily.sh in clear.sh
* Improve _SQUEEZE_TO_WHEEZY procedure -- #627
* Improve cron tasks schedule
* Improve daily cleanup performance + support for /root/.giant_traffic.cnf
* Improve devpts check -- fixes #788
* Improve docs/MIGRATE.txt
* Improve resolv.conf auto-recovery procedure
* Improve system check -- fixes #811
* Move Redis restart procedure to correct script
* PHP: Add missing path to open_basedir for CLI
* Remove debug code to not kill the initial install
* Remove not working /etc/logrotate.d/lshell -- fixes #823
* Update advagg auto configuration variables -- fixes #792
* Update boa/lib/functions/helper.sh.inc with current OS -- fixes #787
* Update FPM workers autoconf logic
* Update the cache cleanup logic
* Use better placeholder for solr_integration_module variable
* Use correct DPkg::Options for dist-upgrade -- fixes #627
* Use known MySQLTuner version -- fixes #827
* Use LibYAML 0.1.6
* Use opcache.restrict_api
* Use sha256 for self-signed certs
### Stable BOA-2.4.6 Release - Full Edition
### Date: Sat Sep 19 11:09:09 PDT 2015
### Milestone URL: https://github.com/omega8cc/boa/milestones/2.4.6
### Latest hotfix added on: Mon Sep 21 05:18:33 PDT 2015
@=> Includes Ægir Hostmaster 2.x-head with improvements
@=> Includes Ægir Provision 3.x-head with improvements
@=> Includes Drush 7 customized for BOA
# Release Notes:
This BOA release includes several important system upgrades and bug fixes.
All supported Ægir platforms have been updated with latest Drupal cores.
# Changes:
* Add Twig C extension to PHP - v.1.22.1
* Allow to customize auto-upgrades mode
* Disable support for broken OpenScholar and Recruiter
* Open default Postgres port for outgoing connections
* Remove support for deprecated Feature Server distro
* Remove support for deprecated OpenAcademy distro
* Remove support for deprecated OpenBlog distro
* Remove support for deprecated OpenChurch v.1 distro
* Remove support for deprecated OpenDeals distro
* Use distro specific Drupal core for problematic distros
# System upgrades:
* cURL 7.44.0 (if installed from sources)
* Duplicity 0.7.05 (please run 'backboa install' to upgrade)
* Jetty 7.6.17.v20150415
* Jetty 8.1.17.v20150415
* MariaDB 10.0.21
* MariaDB 5.5.45
* MariaDB Galera Cluster 10.0.21
* Nginx 1.9.4
* OpenSSH 7.1p1 (if installed from sources)
* PHP 5.6.13, 5.5.29, 5.4.45
* PHP: ionCube loader 5.0.18
* Pure-FTPd 1.0.42
* Redis 3.0.4
* Ruby 2.2.3, 2.0.0-p647
* Use pecl-jsmin-1.1.0
# Fixes:
* Allow to re-install deleted D7/D6 platforms when dev doesn't exist
* Do not install phpunit -- it adds many PHP tools we don't need
* Drush requires php-eval to run drush_find_tmp() in sql-sync
* Fix apache cleanup
* Fix invalid regex in the INI docs
* Improve auto-healing for SSHd
* Improve Nginx DoS an DDoS protection
* Improve pdnsd auto-healing
* Improve SSL Docs to add more detail about multidomain certificates #757
* Issue #766 - Fix for broken boa in-octopus procedure
* Nginx: Fix support for s3/files/styles (s3fs)
* Restart PHP-FPM if too many running childs are detected
* Sync .htaccess with D7 core
* Sync keywords for exceptions in daily.sh with global.inc
* Use short sleep on firewall temp blocks cleanup
### Stable BOA-2.4.5 Release - Full Edition
### Date: Fri Jul 10 11:25:43 PDT 2015
### Milestone URL: https://github.com/omega8cc/boa/milestones/2.4.5
### Latest hotfix added on: Fri Jul 10 14:49:11 PDT 2015
@=> Includes Ægir Hostmaster 2.x-head with improvements
@=> Includes Ægir Provision 3.x-head with improvements
@=> Includes Drush 7 customized for BOA
# Release Notes:
This BOA release includes PHP security upgrade for versions 5.6, 5.5 and 5.4
plus security upgrade for Redis server and four updated Octopus platforms.
Support for Drupal 8 is temporarily removed, because now it would require
an upgrade to Drush 8, which in turn completely removes support for PHP 5.3,
while it's still more important to support legacy Pressflow 6 sites, if they
are not ready to move beyond PHP 5.3 yet, than trying to support some
(too fast) moving targets like Drupal 8 beta, and Drush 8 head.
# Updated Octopus platforms:
Commerce 2.26 ---------------- https://drupal.org/project/commerce_kickstart
Commons 3.28 ----------------- https://drupal.org/project/commons
OpenAtrium 2.43 -------------- https://drupal.org/project/openatrium
Panopoly 1.25 ---------------- https://drupal.org/project/panopoly
# Changes:
* Drupal 8 is not supported until we can switch to Drush 8 and remove PHP 5.3
# System upgrades:
* Nginx 1.9.2
* PHP 5.4.43
* PHP 5.5.27
* PHP 5.6.11
* Redis 3.0.2
### Stable BOA-2.4.4 Release - Full Edition
### Date: Fri Jul 3 12:08:29 PDT 2015
### Milestone URL: https://github.com/omega8cc/boa/milestones/2.4.4
### Latest hotfix added on: Thu Jul 9 10:28:42 PDT 2015
@=> Includes Ægir Hostmaster 2.x-head with improvements
@=> Includes Ægir Provision 3.x-head with improvements
@=> Includes Drush 7 customized for BOA
# Release Notes:
This BOA release includes several important system upgrades and bug fixes.
All supported Ægir platforms have been updated with latest Drupal cores.
This version automatically switches all hosted sites to PHP 5.5 on systems
hosted and managed remotely by Omega8.cc support team, unless you have
explicitly switched your Octopus instance to use PHP version you prefer.
Using PHP older than 5.5 is strongly discouraged, for security, stability and
performance reasons.
# Changes:
* Do not change mysql root password by default -- workaround for #642
* Enable advagg_async_generation by default
* Logic update for /root/.high_traffic.cnf
* Redis Integration Module: Update to version mod-26-06-2015
* Use modern ssl_ciphers in all templates by default
# System upgrades:
* cURL 7.43.0 (if installed from sources)
* Drush mini-7-30-06-2015 -- fixes #734
* MariaDB 5.5.44
* MariaDB Galera Cluster 10.0.20
* Nginx 1.9.1
* OpenSSH 6.9p1 (if installed from sources)
* OpenSSL 1.0.1p (if installed from sources)
* PHP 5.4.42
* PHP 5.5.26
* PHP 5.6.10
* PHPRedis master-27-06-2015
* Pure-FTPd 1.0.41
* vnStat 1.14
# Fixes:
* Add 'grep' to overssh -- a list of commands allowed to execute over SSH
* Broken pdnsd configuration breaks DNS resolver -- fixes #701
* Do not force update_agents()
* Do not modify rkey/debug args in barracuda log/system upgrade mode
* Don't remove Drupal 6 core themes -- fixes #738
* Fix for legacy vnStat config
* Fixed backboa/duobackboa retrieve from remote host -- fixes #741
* Improve system cron tasks queue
* Incorrect permissions on /usr/bin/optipng - fixes #722
* Mitigate LOGJAM - fixes #723
* Restart Postfix after system DNS update -- #701
* Skip daily reload on high traffic instances
* Sync SQL connection limits with _PHP_FPM_WORKERS variable - fixes #699
* Use _AWS_URL to properly handle us-east-1 exception
* Use 2048 bit where possible - see #723
* Use better default value for advagg_cache_level - fixes #726
### Stable BOA-2.4.3 Release - Full Edition
### Date: Tue May 19 13:40:40 PDT 2015
### Milestone URL: https://github.com/omega8cc/boa/milestones/2.4.3
### Latest hotfix added on: Fri Jun 5 04:43:50 PDT 2015
@=> Includes Ægir Hostmaster 2.x-head with improvements
@=> Includes Ægir Provision 3.x-head with improvements
@=> Includes Drush 7 customized for BOA
# Release Notes:
This BOA release is focused on Ægir platforms update with latest Drupal core
included. There are also a few system updates and bug fixes, as listed below.
# Changes:
* Redis Integration Module: Update to version mod-08-05-2015
* Use HTTPS intermediate mode to support legacy systems like XP/IE8 - see #718
# System upgrades:
* Drush mini-7-08-05-2015
* MariaDB 10.0.19
* MariaDB Galera Cluster 10.0.19
* PHP 5.4.41
* PHP 5.5.25
* PHP 5.6.9
* Redis 3.0.1
# Fixes:
* CiviCRM known bugs and regressions fixed
* Improve drush aliases cleanup
* Redis: sync net.core.somaxconn with tcp-backlog
* sqlmagic: do not escape backslashes and EOL character - fixes #672
* SQL dump definer regexp causes invalid SQL during migrate/clone - #2497091
* Fix for backward compatibility with old Galera versions
### Stable BOA-2.4.2 Release - Full Edition
### Date: Mon Apr 27 11:12:09 PDT 2015
### Milestone URL: https://github.com/omega8cc/boa/milestones/2.4.2
### Latest hotfix added on: Fri May 1 02:07:54 PDT 2015
@=> Includes Ægir Hostmaster 2.x-head with improvements
@=> Includes Ægir Provision 3.x-head with improvements
@=> Includes Drush 7 customized for BOA
# Release Notes:
This BOA release includes 15 updated Ægir platforms with latest Drupal core,
2 new features and enhancements, 13 new software versions, 3 other changes,
plus over 20 bug fixes.
# Updated Octopus platforms:
aGov 1.7 --------------------- https://drupal.org/project/agov
Commerce 1.36 ---------------- https://drupal.org/project/commerce_kickstart
Commerce 2.23 ---------------- https://drupal.org/project/commerce_kickstart
Commons 2.24 ----------------- https://drupal.org/project/commons
Commons 3.25 ----------------- https://drupal.org/project/commons
Guardr 2.11 ------------------ https://drupal.org/project/guardr
OpenAid 2.1 ------------------ https://drupal.org/project/openaid
OpenAtrium 2.33 -------------- https://drupal.org/project/openatrium
OpenChurch 1.17-b2 ----------- https://drupal.org/project/openchurch
OpenChurch 2.1-b7 ------------ https://drupal.org/project/openchurch
OpenOutreach 1.19 ------------ https://drupal.org/project/openoutreach
OpenPublic 1.5 --------------- https://drupal.org/project/openpublic
Panopoly 1.21 ---------------- https://drupal.org/project/panopoly
Recruiter 1.6 ---------------- https://drupal.org/project/recruiter
Restaurant 1.0-b12 ----------- https://drupal.org/project/restaurant
@=> NOTE: Drupal 8 support is broken in this release, because latest Drush
doesn't support older Drupal 8 beta versions, while new D8 beta is not
released and tested yet, and we really need latest Drush to fix broken
D6->D7 upgrade path, so we could prepare for full Ægir 3, which comes
with D7 in the frontend.
# New features and enhancements:
* Re-create files/robots.txt if older than 7 days
* Restore default DNS when /root/.use.default.nameservers.cnf exists
# Changes:
* Enable SPDY and PFS by default - fixes #545
* Use GitLab as a secondary mirror
* Whitelist drush pm-updatestatus
# System upgrades:
* cURL 7.42.1 (if installed from sources)
* Drush mini-7-25-04-2015
* Duplicity 0.7.02 (please run 'backboa install' to upgrade)
* MariaDB 5.5.43
* MariaDB Galera Cluster 10.0.17
* MySecureShell master-20-03-2015
* Nginx 1.8.0
* OpenSSH 6.8p1 (if installed from sources)
* OpenSSL 1.0.2a (if installed from sources)
* PHP 5.6.8, 5.5.24, 5.4.40
* PHPRedis master-18-03-2015
* Redis 3.0.0
* Ruby 2.2.2
# Fixes:
* Add service cron start to migrate docs - fixes #654
* BOA.sh.txt should update installers when invoked interactively - fixes #644
* Do not add Google DNS when custom DNS is expected
* Do not count requests for images derivatives if private files mode is used
* Do not create conflicting plain HTTP proxy for single IP mode - fixes #465
* Force csf/lfd update before and after running barracuda upgrade - fixes #685
* How to enable permanent redirect to HTTPS with single IP - #465
* Improve DNS self-healing magic - see #674
* Improve FPM auto-healing to properly detect conflicting instances
* Make sure that dl mirrors never get blocked
* Nginx: Stop the POST flood to /autodiscover/autodiscover.xml
* Nginx: Use dummy db fastcgi_param placeholders if any of them is empty
* Remove aggresive firewall cleanup - fixes #688
* Remove onetime fix intended to sync new defaults - fixes #678
* Update absolute URLs to files for sites cloned/migrated/renamed
* Update composer on barracuda upgrade
* Use _TOMCAT_TO_JETTY=NO in cnf template to avoid confusion - see #676
* Use correct placeholder in the xboa proxy - fixes #655
* Use MAIN_SITE_NAME instead of possibly fake SERVER_NAME - see #385
* Where to add the SSL redirect configuration snippet - fixes #681
### Stable BOA-2.4.1 Release - Full Edition
### Date: Sun Mar 8 14:56:51 PDT 2015
### Milestone URL: https://github.com/omega8cc/boa/milestones/2.4.1
### Latest hotfix added on: Wed Mar 11 11:58:52 PDT 2015
@=> Includes Ægir Hostmaster 2.x-head with improvements
@=> Includes Ægir Provision 3.x-head with improvements
@=> Includes Drush 7.0.0-alpha9 customized for BOA
# Release Notes:
This new BOA release includes one new and 12 updated Ægir platforms,
8 new features and enhancements, 15 new software versions, 10 other changes,
plus over 38 bug fixes, with most notable features and changes listed below:
@=> Add duobackboa with /root/.duobackboa.cnf file to run duplicate backups
@=> Add SSL with TLS/SNI on server with one IP, multiple certificates support
@=> Add support for Octopus batch migration - see docs/MIGRATE.txt for details
@=> Allow to use _PHP_GEOS=YES with all PHP versions
# New Octopus platforms:
OpenAid 2.0 ------------------ https://drupal.org/project/openaid
# Updated Octopus platforms:
Commerce 1.33 ---------------- https://drupal.org/project/commerce_kickstart
Commerce 2.21 ---------------- https://drupal.org/project/commerce_kickstart
Commons 2.22 ----------------- https://drupal.org/project/commons
Commons 3.22 ----------------- https://drupal.org/project/commons
Drupal 8.0.0-b7 -------------- https://drupal.org/drupal-8.0
Guardr 2.8 ------------------- https://drupal.org/project/guardr
OpenAtrium 2.32 -------------- https://drupal.org/project/openatrium
OpenChurch 2.1-b5 ------------ https://drupal.org/project/openchurch
OpenOutreach 1.16 ------------ https://drupal.org/project/openoutreach
OpenScholar 3.20.0 ----------- http://theopenscholar.org
Panopoly 1.18 ---------------- https://drupal.org/project/panopoly
Recruiter 1.5 ---------------- https://drupal.org/project/recruiter
# New features and enhancements:
* Add compatibility with latest VS beng kernel
* Add duobackboa with /root/.duobackboa.cnf file to run duplicate backups
* Add support for multivalued fields in SOLR 4 - pull request #626
* Add support for mysqladmin proc logging
* Add support for Octopus batch migration - see docs/MIGRATE.txt for details
* Add support for scout/mysql monitoring
* CSF: Add popular ports 222 and 2222 to TCP_OUT by default
* SSL with TLS/SNI on server with one IP, multiple certificates - fixes #465
# Changes:
* Allow to run automated SQL conversion only weekly
* Allow to use _PHP_GEOS=YES with all PHP versions
* Do not send extra nocache cookie on GET requests
* Drush mini-7-07-03-2015
* Make barracuda wrapper available on initial install to avoid confusion
* Nginx: Update for crawlers exceptions list
* Redis Integration Module: Update to version mod-05-03-2015
* Remove dependency on legacy Drush 4
* Use latest Apache Solr Search 6.x-3.x config
* Use latest Apache Solr Search 7.x-1.x config
# System upgrades:
* Apache Solr 4.9.1
* cURL 7.41.0 (if installed from sources)
* Git 2.3.0 (if installed from sources)
* Jetty 9.2.7.v20150116
* MariaDB 10.0.17
* MariaDB 5.5.42
* MariaDB Galera Cluster 10.0.17
* Nginx 1.7.10
* OpenSSL 1.0.2 (if installed from sources)
* PHP 5.4.38
* PHP 5.5.22
* PHP 5.6.6
* PHP: ionCube loader 4.7.4
* Pure-FTPd 1.0.37
* Ruby 2.2.1
* Use duplicity 0.7.01 and boto 2.36.0 - fixes #630
* Vnstat 1.13
# Fixes:
* [provision] False "load on system too heavy" messages - fixes #619
* [provision] Issue #2350695 - Profile is registered twice, also as a module
* [provision] Nginx: Remove webform keyword from regex locations - fixes #599
* Add also manage_ltd_users to the list - fixes #616
* Avoid installing New Relic with no valid license key provided - fixes #608
* Do not add no longer used symlink
* Do not create conflicting plain HTTP proxy for single IP mode - fixes #465
* Do not delete backboa while duplicity is running
* Do not replace any contrib in latest OA - fixes #2420131
* Do not run D7 core hotfix on already fixed instances
* Fix for legacy systems autoupdate logic
* Fix for missing chattr -i on web user update
* Fix for missing datestamp
* Fix for too dangerous pdnsd auto-config logic
* Fix pdnsd restarts procedures - fixes #610
* Fix permissions for pdnsd if needed
* Fix variable in autoupboa - pull request #629
* Force php.ini update
* Hotfix for cluster instances
* Hotfix for OpenSSL/cURL versions out of sync
* How to enable permanent redirect to HTTPS with single IP - #465
* Issue #2425963 - Broken slider in Commerce Kickstart 2.21
* Make sure that @hostmaster alias works after migration
* Provide a patch for older civicrm versions to make them Drush 7 compatible
* Randomize backups schedule to avoid issues with AWS limits
* Reload nginx service automatically - #465
* Remove conflicting pdnsd restarts to avoid race conditions - fixes #610
* Remove deprecated sysctl options
* Remove post-install leftovers if needed
* Single PHP-version installation fails - fixes #598
* Typo - fixes #539
* Unable to connect to SOLR on latest head - fixes #623
* Update installers as expected, also with _SKYNET_MODE=OFF - fixes #644
* Update meta-installers for new stable
* Update the upgrade procedure how-to - fixes ##616
* Use civicrm-4.5.6 compatible with Drush 7
* Use correct AWS Endpoint when us-east-1 Region is specified
* Use correct open_basedir for lshell user - fixes #603
* Use separate loops for symlinks and ghost cleanup
* Workaround for EntityMalformedException in Open Outreach - fixes #229
* Workaround for missing interface/lo.pdnsd on legacy systems
* Workaround for SA-CONTRIB-2015-063 - Webform - Cross Site Scripting
### Stable BOA-2.4.0 Release - Full Edition
### Date: Wed Feb 4 20:30:04 CET 2015
### Milestone URL: https://github.com/omega8cc/boa/milestones/2.4.0
### Latest hotfix added on: Sat Feb 21 10:18:15 UTC 2015
@=> Includes Ægir Hostmaster 2.x-head with improvements
@=> Includes Ægir Provision 3.x-head with improvements
@=> Includes Drush 7.0.0-alpha8 customized for BOA
# Release Notes:
This new BOA release includes 7 updated Ægir platforms, over 28 new features
and enhancements, 12 new software versions, over 36 important changes, plus
over 100 bug fixes, with most notable features and changes listed below:
@=> Added Support for latest Drupal 8.0.0-beta with D8B platform keyword
@=> Added Support for latest Drupal 8.0.0-dev with D8D platform keyword
@=> Added Support for latest PHP 5.6
@=> BOA can auto-detect its fastest download mirror on install, upgrade etc.
@=> BOA Code Refactoring to make it modular and easier to read (in progress)
@=> BOA Skynet auto-updates can be turned off with _SKYNET_MODE=OFF
@=> Cron is run only for live sites with no tmp, temp, dev, test etc keywords
@=> Force single PHP version with command keyword on install and upgrade
@=> Introducing Support for HHVM -- see docs/HHVM.txt for details.
@=> PHP 5.5 is used by default on new installs instead of old 5.3
@=> PHP-FPM (and HHVM) runs now as a separate, very limited system user
@=> Removed Support for legacy PHP 5.2
@=> Sites Names Exceptions and Special Keywords have changed
@=> The _MODULES_FIX variable is set to NO by default
@=> The _PERMISSIONS_FIX variable is set to NO by default
@=> The built-in registry-rebuild on every Verify task is not run by default
@=> The Dev-Mode works only for site aliases, no longer for main site name
Please read further below for more details.
# Caveats for self-hosted BOA:
We recommend to proceed with major upgrade procedure as follows:
$ cd;wget -q -U iCab http://files.aegir.cc/BOA.sh.txt;bash BOA.sh.txt
$ barracuda up-stable
$ barracuda up-stable system
$ octopus up-stable all both
$ bash /var/xdrago/manage_ltd_users.sh
$ bash /var/xdrago/daily.sh
# Updated Octopus platforms:
aGov 1.6 --------------------- https://drupal.org/project/agov
Commerce 1.32 (with 1.11) ---- https://drupal.org/project/commerce_kickstart
Guardr 2.7 ------------------- https://drupal.org/project/guardr
OpenAtrium 2.26 -------------- https://drupal.org/project/openatrium
OpenChurch 1.17-b1 ----------- https://drupal.org/project/openchurch
OpenPublic 1.4 --------------- https://drupal.org/project/openpublic
Panopoly 1.15 ---------------- https://drupal.org/project/panopoly
# New features and enhancements:
* Add backboa variables to configure full backup cycle and log verbosity.
* Add Backdrop CMS compatibility in global.inc (experimental)
* Add Drupal 8 compatibility in global.inc
* Add Drush Make Local - fixes #332
* Add safe_cache_form_clear Drush extension by default - fixes #568
* Add support for writable .aws directory in the web user home.
* Allow to set _PHP_SINGLE_INSTALL on command line - on install and upgrade.
* Allow to use both platform specific and ALL keyword in _PLATFORMS_LIST.
* BOA auto-selects the fastest download mirror on install, upgrade and update.
* Detect critically low free RAM and forcefully restart services if needed.
* Detect OOM incidents and forcefully restart services if needed.
* Improve backboa with AWS connection testing.
* Install latest D8-dev with D8D keyword specified.
* Monitor and rotate PHP error logs if too big (over 1 GB).
* Monitor the number of master PHP-FPM processes and force restart if needed.
* New 'nodns' option to skip DNS and SMTP checks on the fly.
* Nginx: Add support for images derivatives with URI shortcuts - fixes #481
* Nginx: Add support for URI shortcuts for sites in subdirectories.
* PHP: Add HHVMinfo.
* PHP: Add support for latest 5.6
* PHP: Allow to define version to install and use on command line - fixes #536
* PHP: Disable not used CLI versions if _PHP_SINGLE_INSTALL is defined.
* PHP: Disable not used FPM and CLI versions.
* PHP: HHVM experimental support - fixes #443
* Provide default value for composer_manager_vendor_dir variable - fixes #385
* Redis: Allow to configure remote IP via _REDIS_LISTEN_MODE /cluster support.
* Use cron scheduler fast mode (every 10 sec) if /root/.fast.cron.cnf exists.
* Use Drush Make Local for Hostmaster with download mirrors auto-detection.
# Changes:
* Alter the cron_interval for existing sites to match Ægir default.
* Change required exceptions keywords to .temporary. and .testing.
* Dev mode detection and URLs protection - now works only for aliases.
* Do not display .cnf files contents if _DEBUG_MODE is not set to YES.
* Do not restart Redis daily if /root/.high_traffic.cnf exists - fixes #533
* Drush 7 is now used by default instead of Drush 6.
* Drush: Upgrade to mini-7-02-02-2015
* Force _TOMCAT_TO_JETTY=YES - fixes #570
* Hostmaster: Use Drush Make Local instead of downloading contrib with Drush
* Limit status messages verbosity if _DEBUG_MODE is not set to YES
* Make it possible to opt-out from BOA Skynet auto-updates - fixes #557
* Nginx: Block SEOkicks crawler.
* PHP: Always use by default version 5.5
* PHP: Disable legacy 5.2 version if installed.
* PHP: Ignore --with-curlwrappers defined in _PHP_EXTRA_CONF for 5.5 and 5.6
* PHP: Rebuild to remove --with-curlwrappers unless added in _PHP_EXTRA_CONF
* PHP: Remove no longer working custom config protection - see #559
* PHP: Tune FPM defaults for speed and RAM optimization.
* PHP: Use built-in Zend OPcache in 5.5
* PHP: Use built-in Zend OPcache in 5.6
* Redis Integration Module: Update to version mod-14-12-2014
* Reload system cron hourly.
* Remove deprecated RC4 from ssl_protocols.
* Remove the _O_CONTRIB_UP variable/feature.
* Run cron for 3 sites at once max.
* Set _MODULES_FIX=NO by default
* Set _PERMISSIONS_FIX=NO by default
* Site mode detection and cron protection - cron works only for live sites
* Split huge BARRACUDA script into lib includes.
* Switch to special limited system user also in PHP-FPM mode - fixes #551
* There is no need to update drupalgeddon every 5 minutes.
* Use 86400 as a default cron_interval to sync with Drupal default.
* Use MySQLTuner only if _USE_MYSQLTUNER=YES is set in .barracuda.cnf
* Use provision_civicrm 6.x-2.x directly.
* Use separate versioning for Ægir extensions download URLs.
* Run built-in registry-rebuild on Verify only if empty ctrl file
sites/all/modules/registry-rebuild.ini exists.
# System upgrades:
* cURL 7.40.0 (if installed from sources)
* Git 2.2.1 (if installed from sources)
* MariaDB 10.0.16
* MariaDB 5.5.42
* MariaDB Galera Cluster 10.0.16
* Nginx 1.7.9
* PHP 5.4.37
* PHP 5.5.21
* PHP 5.6.5
* PHP: ionCube loader 4.7.3
* Redis 2.8.19
* Ruby 2.2.0
# Fixes:
* Add CONTRIBUTING.txt guidelines.
* Add in docs/HINTS.txt Helper locations to avoid 404 on legacy images paths.
* Add still missing updates for migrated instances.
* Add warning about vCloud Air incompatibility with Drupal.
* Aliases are wiped out after site rename - fixes #542
* Allow slower DNS response.
* Always disable spinner when running boa in-octopus.
* Avoid broken install on D8 core where sites/all doesn't exist by default.
* Avoid confusing EXIT: You must specify already installed PHP version.
* Avoid sed warnings in old stable and legacy modes.
* Backward compatibility with Drush 6.
* Block attempts to lookup /etc/passwd via web shell.
* Check only LANG environment variable in locale test - fixes #584
* Compare $new_uri with d()->name and not d()->uri in the Site Rename Check.
* Delete duplicity ghost pid file if older than 2 days.
* Do not confuse D7 with D8 or Backdrop CMS.
* Do not force cURL reinstall from packages - fixes #565
* Do not try to add platforms nodes if no new platform has been installed.
* Do not update backboa if duplicity is running.
* Document when to use /root/.fast.cron.cnf
* Drupal 8 removed drupal_mail()
* Drupal 8 requires container_yamls defined.
* Drupal 8 requires read permissions in sites/all
* Drupal 8 requires trusted_host_patterns defined in settings.php
* Drupal 8 with $clean_urls=1 should use /cron/ URI.
* Drush 7 requires composer.
* Fix and Improve Squeeze to Wheezy upgrade procedure.
* Fix for $HOME detection if not set for some reason.
* Fix for Drush aliases protection.
* Fix for octopus batch upgrade mode.
* Fix for octopus single upgrade mode.
* Fix for pdnsd install/update logic.
* Fix missing symlinks after broken openjdk-6 upgrade.
* Fix path to PHP-CLI if needed.
* Fix public IP auto-detection on AWS in Octopus.
* Fix the logic for aegir/platforms upgrade mode.
* Fix the logic for TMPDIR set on the fly - fixes #552
* Fix: LANGUAGE (en_US.UTF-8) is not compatible with LC_ALL (). Disabling it.
* Force _PHP_MULTI_INSTALL to match defined _PHP_FPM_VERSION on cluster nodes.
* Force _THIS_DB_HOST=localhost on AWS.
* HHVM: Add /home/ to open_basedir so access to the .tmp works - fixes #569
* HHVM: Add workarounds for potential security issues - fixes #443
* Improve Ægir tasks scheduling and load spikes protection.
* Improve docs for backboa.
* Improve pdnsd configuration update by removing non-IP lines early enough.
* Improve procs monitor.
* Improve web wrapper.
* Increase inotify defaults to improve lsyncd support.
* Issue #2372653: Add --no-autocommit when dumping MySQL tables.
* Jetty: Detect if running as zombie and force restart if needed.
* Make sure that AcceptEnv is set in sshd_config.
* Make sure to never run cron on just cloned site.
* MariaDB patch is no longer needed.
* Monitor lsyncd and xinetd if installed and expected to run.
* Never delete tmp dirs to avoid Drush/PHP segfaults and race conditions.
* Nginx: Add missing variables in subdirectory config template.
* Nginx: Fix for D8-specific /cron/ location regex.
* Nginx: Force clean URLs for Drupal 8.
* Nginx: Helper locations to avoid 404 on legacy images paths (subdir only)
* Nginx: Hide X-Drupal-Cache-Tags header.
* Nginx: Use safe fallback for mysteriously empty $db_port
* PHP: Avoid version guessing for Octopus when _PHP_SINGLE_INSTALL is used.
* PHP: Make sure that _PHP_SINGLE_INSTALL takes precedence.
* PHP: OPcache configuration for Drupal 8 - fixes #419
* PHP: Re-install libmagickwand-dev to avoid broken extension build.
* PHP: The fallback version should be detected and not hardcoded.
* Prevent 'Could not change permissions' warnings with CiviCRM - fixes #523
* Remove Drupal 8 specific code from settings template used in older Drupal.
* Remove known sensitive credentials from barracuda upgrade log.
* Revert "Issue #2313327: Fixed Unknown options for provision-verify."
* Run agents update on cluster nodes.
* Run single mirror check - fixes #565
* RVM: Install also eventmachine-1.0.3
* Set files paths on D8 install to avoid using system default /tmp.
* Silence confusing noise - fixes #589
* Skip auto-update for agents not compatible with older versions.
* Skip extra SQL connection test on AWS.
* Standardize platforms version and naming convention.
* Support for _NGINX_NAXSI is experimental (don't use)
* Symlinks directories expected by Drush/Ægir in D8 root.
* Sync defaults for hosting_advanced_cron_default_interval
* Syntax error - fixes #587
* Syntax error - fixes #588
* The _NGINX_FORWARD_SECRECY=YES is ignored on Debian Wheezy - fixes #591
* The /login suffix is no longer supported in Drupal 8 and results with 404.
* The backend verify sub-task breaks site import for Drupal 8.
* Tomcat is not used anymore - see #570
* Use consistent stderr 2 stdout redirects in grep checks.
* Use correct _THIS_DB_HOST on master instance.
* Use correct pid file in procs monitor.
* Use correct user to run drush test commands.
* Use extended display mode for messages longer than 200 chars.
* Use faster mysqldump mode/flags.
* Use mirror to download complete vendor directory for Drush 7.
* Use more intuitive PHP keyword naming convention.
* Use mutatable interface in install_8.inc - fxes #2409085
* Use recommended releases for views404 and views_accelerator - fixes #578
* Use release specific o_contrib downloads.
* Use safe tmp cleanup to avoid race conditions.
* Where to set _USE_MYSQLTUNER variable - fixes #594
### Stable BOA-2.3.8 Release - Full Edition
### Date: Sat Nov 29 09:58:45 SGT 2014
### Includes Ægir 2.x-head with improvements
# Release Notes:
This new BOA release includes new features, improvements and bug fixes.
#-### Support for optional Drupalgeddon daily checks on all hosted D7 sites
~/static/control/drupalgeddon.info
Previously enabled by default, now requires this control file to still
run daily, because it may generate some false positives not always possible
to avoid or silence, so it no longer makes sense to run this check daily,
especially after BOA has run it automatically for a month and finally even
disabled automatically all clearly compromised sites.
Note that your system administrator may still enable this with root level
control file /root/.force.drupalgeddon.cnf, so it will still run, even
if you will not create the Octopus instance level empty control file:
~/static/control/drupalgeddon.info
Please note that current version of Drupalgeddon Drush extension needs
the 'update' module to be enabled to avoid even more false positives,
so BOA will enable the 'update' module temporarily while running this
check, which in turn will result with even more emails notices sent
to the site admin email, if these notices are enabled.
#-### Support for automated BOA upgrades: weekly and one-time
You can configure BOA to run automated upgrades to latest stable version
for both Barracuda and all Octopus instances with three variables, empty
by default. All three variables must be defined to enable auto-upgrade.
You can set _AUTO_UP_MONTH and _AUTO_UP_DAY to any date in the past
if you wish to enable only weekly system upgrades.
Remember that one-time upgrades will include complete upgrade to latest BOA
stable for Barracuda and all Octopus instances, while weekly upgrade is
designed to run only 'barracuda up-stable system' upgrade.
_AUTO_UP_WEEKLY= #------ Day of week (1-7) for weekly system upgrades
_AUTO_UP_MONTH= #------- Month (1-12) to define date of one-time upgrade
_AUTO_UP_DAY= #--------- Day (1-31) to define date of one-time upgrade
All three variables should be added in your /root/.barracuda.cnf file.
# Updated Octopus platforms:
ERPAL 2.2 -------------------- https://drupal.org/project/erpal
# New features and enhancements in this release:
* Support for automated BOA upgrades: weekly and one-time.
# Changes in this release:
* Drupalgeddon daily checks on all hosted D7 sites are now optional.
# Fixes in this release:
* Issue #508 - The _EASY_HOSTNAME is not required in local install mode.
* Issue #516 - Do not break binaries detection with 'which'.
### Stable BOA-2.3.7 Release - Full Edition
### Date: Tue Nov 25 15:44:48 PST 2014
### Includes Ægir 2.x-head with improvements
# Release Notes:
This new BOA release includes updated versions of all supported Drupal
platforms to provide latest Drupal 7.34 and Pressflow 6.34 cores, plus
new features, improvements and bug fixes.
We recommend that you upgrade your D7 sites using this safe workflow:
https://omega8.cc/your-drupal-site-upgrade-safe-workflow-298
For up-to-date information on #Drupageddon please check:
https://omega8.cc/drupageddon-psa-2014-003-342
#-### Support for locking/unlocking web server write access in all codebases
This new, auto-enabled by default protection will enhance your system
security, especially for sites in custom platforms you maintain
in the ~/static directory tree.
It is important to understand that your web server / PHP-FPM runs as your
shell/ftps user, although with a different group. This allows to maintain
virtual chroot for Octopus instances, which significantly improves security.
However, it had a serious drawback: the web server had write access in all
your platforms codebases located in the ~/static directory tree, because
all files you have uploaded there have the same owner.
While it allows you to use code management which requires web hooks, it also
opens a door for possible attack vectors, like for the infamous #drupageddon
disaster, where Drupal allowed attackers to create .php files intended
to be used as backdoors in future attacks - inside your codebase.
Even if it could affect only custom platforms you maintain in the ~/static
directory tree, since all built-in Octopus platforms always had Drupal core
completely write-protected, plus, even if created by attacking bot, these
extra .php files are completely useless for attackers, because BOA default
restricted configuration doesn't allow to execute not whitelisted, unknown
.php files, having codebase writable by your web server is still dangerous,
because at least theoretically it may open a possibility to overwrite valid
.php files, so they could be used as an entry point in a future attack.
BOA now protects all your codebases by reverting (daily) ownership on all
files and directories in your codebase (modules and themes) so they are
owned by the Ægir backend user and not your shell/ftps user.
While this new default procedure protects all your codebases in the ~/static
directory tree, and even in the sites/all directory tree, and even in the
sites/foo.com/modules|themes tree in all your built-in Octopus platforms,
you can still manage the code and themes with your main and extra shell
accounts as usual, because your codebase is still group writable, and your
shell accounts are members of the group not available for the web server.
You can easily disable this default daily procedure with a single switch:
~/static/control/unlock.info
You can also exclude any custom platform you maintain in the ~/static
directory tree from this global procedure by adding an empty skip.info
control file in the given platform root directory, so all other platforms
are still protected, and only excluded platform is open for write access
also for the web server. But normally you should never need this unlock!
Please note that this procedure will not affect any platform if you have
the non-default _PERMISSIONS_FIX=NO setting in your /root/.barracuda.cnf
file. It will also skip any platform with fix_files_permissions_daily
variable set to FALSE in the given platform active INI file.
# Updated Octopus platforms:
Commerce 1.32 ---------------- https://drupal.org/project/commerce_kickstart
Commerce 2.20 ---------------- https://drupal.org/project/commerce_kickstart
Commons 2.21 ----------------- https://drupal.org/project/commons
Commons 3.20 ----------------- https://drupal.org/project/commons
Guardr 2.5 ------------------- https://drupal.org/project/guardr
Open Atrium 2.25 ------------- https://drupal.org/project/openatrium
Open Outreach 1.13 ----------- https://drupal.org/project/openoutreach
Panopoly 1.14 ---------------- https://drupal.org/project/panopoly
# New features and enhancements in this release:
* Support for locking/unlocking web server write access in all codebases.
# Changes in this release:
* Do not force site_readonly to be disabled on non-dev sites.
# System upgrades in this release:
* MariaDB 10.0.15
# Fixes in this release:
* Allow any single site to use 1/2 of available SQL connections max.
* Clean up dot files after installing or updating RVM.
* Do not run extra updates on systems running latest head version.
* Improve ghost sites cleanup.
* Issue #467 - Centralize control files outside of codebases tree.
* Issue #498 - ERPAL: Fatal error: Unsupported operand types.
* Issue #499 - RVM: Add oily_png gem version 1.1.1
* Issue #504 - Add docs/RVM.txt
* Issue #504 - Remove ~/.rvm/scripts/notes script breaking lshell.
* Issue #509 - Do not delete anything from hostmaster site level modules.
* It is safe to run manage_ltd_users every minute.
* Never touch hostmaster aliases and vhosts even they appear broken.
* Nginx: Fix for possible problem with files/imagecache in legacy D6 sites.
* Use gnupg2 by default.
* Use latest Ruby 2.1.x or 2.0.x available.
* Use verbose RVM install mode to improve debugging.
### Stable BOA-2.3.6 Release - Full Edition
### Date: Mon Nov 17 08:11:17 SGT 2014
### Includes Ægir 2.x-head with improvements
# Release Notes:
This new BOA release includes updated versions of all supported Drupal
platforms to provide latest Drupal 7.33 core, plus great new features,
improvements and bug fixes.
We recommend that you upgrade your D7 sites using this safe workflow:
https://omega8.cc/your-drupal-site-upgrade-safe-workflow-298
For up-to-date information on #Drupageddon please check:
https://omega8.cc/drupageddon-psa-2014-003-342
#-### Support for automated, encrypted, daily backups to Amazon S3
* This new feature is available on self-hosted BOA and hosted Power Engines.
* Note that provided 'backboa' tool uses symmetric password-only encryption.
* You can configure AWS Region you prefer to use and Backup Rotation policy.
It will archive all directories required to restore your data (sites files,
databases archives, Nginx configuration and more) on a freshly installed BOA:
/etc /var/aegir /var/www /home /data
It will start to run nightly at 2:08 AM (server time) only once you will add
five required _AWS_* variables in the /root/.barracuda.cnf file and run the
special command 'backboa install' while logged in as root.
To restore any file from backups created with 'backboa' tool, you can use
the same script on the same or any other BOA server.
Please read docs/BACKUPS.txt at https://github.com/omega8cc/boa for details.
# Updated Octopus platforms:
Commons 3.19 ----------------- https://drupal.org/project/commons
Open Atrium 2.24 ------------- https://drupal.org/project/openatrium
Open Deals 1.35 -------------- https://drupal.org/project/opendeals
OpenChurch 1.15 -------------- https://drupal.org/project/openchurch
OpenChurch 2.0-b2 ------------ https://drupal.org/project/openchurch
OpenScholar 3.16.0 ----------- http://theopenscholar.org
Panopoly 1.13 ---------------- https://drupal.org/project/panopoly
Restaurant 1.0-b10 ----------- https://drupal.org/project/restaurant
Ubercart 2.14 ---------------- https://drupal.org/project/ubercart
Ubercart 3.8 ----------------- https://drupal.org/project/ubercart
# New features and enhancements in this release:
* Add support for automated, encrypted, daily backups to Amazon S3.
* Automatic shutdown for sites with known #Drupageddon users/roles added.
* Drush drupalgeddon extension added in all accounts.
* Make _STRONG_PASSWORDS length configurable: 8-128, YES (32), NO (8).
* Support for web and db clusters with MariaDB Galera (work in progress).
* Apply SA-CORE-2014-005 hot-fix daily everywhere, also on BOA (any version)
servers left on the auto-pilot.
# Changes in this release:
* Do not force site_readonly to be disabled on non-dev sites.
* Ignore disabled sites in daily monitoring and healing procedures.
* Remove support for abandoned Managing News distro.
* Remove support for abandoned Open Atrium 6.x distro.
* Remove support for abandoned Spark distro.
* Remove support for abandoned Totem distro.
* Set _PERMISSIONS_FIX=YES by default, so important fixes can be applied.
* Update BOA wrappers hourly.
# System upgrades in this release:
* cURL 7.39.0 (if installed from sources)
* Drush: Upgrade command line version 6 to mini-6-30-10-2014
* Nginx 1.7.7
* PHP 5.4.35
* PHP 5.5.19
* PHP: Zend OPcache master-08-11-2014
# Fixes in this release:
* Add scout user if _SCOUT_KEY is not empty or cron entry exists.
* Always escape dots in preg_replace() to not truncate www. by mistake.
* Check if directory tree exists before running extended checks/fixes.
* Clear drush cache directly before running hostmaster-migrate.
* Disable scout if installed and enable later.
* Do not export LC_CTYPE on initial install.
* Do not use Redis on provision-save.
* Fix for edge case when incorrect permissions were set in custom platform.
* Fix for openatrium-7.x-2.22-7.32.1
* Fix for site_readonly mode in migrated instances.
* Force setting to avoid issues with not expected to work RVM self-update.
* Hint for Apache Solr Attachments and Java path possible confusion.
* Improve web wrapper filtering.
* Issue #2163979 - Check if field_info_field_map() is available.
* Issue #2373923 - HTTPS and aliases redirection problem with Nginx.
* Issue #438 - PHP: Remove support for 5.5 built-in Zend OPcache.
* Issue #452 - PHP build could be broken also with MariaDB newer than 5.5.40
* Issue #456 - Aliases redirection: problems with AdvAgg paths.
* Issue #457 - Aliases redirection: 404 file not found for resources.
* Issue #461 - Remote Import needs Drush strict=0 mode.
* Issue #463 - The yajl-ruby gem needs native binaries building.
* Issue #480 - Normalize /etc/hosts to avoid FQDN mapped to 127.0.1.1
* Issue #490 - Nginx: Block semalt botnet.
* Issue #496 - RVM 1.26.0 introduces signed releases (rvm: not found error).
* Make sure that hostmaster site usage is not counted.
* Move DB GRANTS setup for master instance to the correct level.
* Move redis server daily restart to daily.sh agent.
* Nginx: Fail if required db creds are empty to never create a broken vhost.
* Remove hardcoded DNS for files.aegir.cc
* Strict Permissions on All Binaries are default, not optional.
* There is no point in running MySQLTuner on initial install.
* Whitelist mysql command for overssh in lshell.
### Stable BOA-2.3.5 Release - Full Edition
### Date: Wed Oct 15 16:28:25 PDT 2014
### Includes Ægir 2.1 with improvements
### Latest hotfix added on: Thu Oct 16 08:55:02 PDT 2014
# Release Notes:
This new BOA release includes important updates and bug fixes.
* All new Drupal 7 platforms received Drupal core security upgrade.
For details please read: https://www.drupal.org/SA-CORE-2014-005
* All existing Drupal 7 built-in platforms will receive a hot-fix for
this known vulnerability: https://www.drupal.org/SA-CORE-2014-005
once you will run 'barracuda up-stable' command on your server.
This procedure is automated on hosted and managed Ægir at Omega8.cc
* Your custom D7 platforms created in the ~/static directory tree
will be checked in the next 12 hours after the upgrade, and if you
have not applied this patch yet, it will be applied automatically
for you - but only if there is at least one active site present
in the given custom D7 platform. Note that while this procedure is
automated on hosted and managed Ægir at Omega8.cc, on self-hosted
BOA systems it will work only if you will set _PERMISSIONS_FIX=YES
in /root/.barracuda.cnf (default is NO)
We recommend that you upgrade your D7 sites using safe workflow:
https://omega8.cc/your-drupal-site-upgrade-safe-workflow-298
# Updated Octopus platforms:
aGov 1.5 --------------------- https://drupal.org/project/agov
Commerce 1.31 ---------------- https://drupal.org/project/commerce_kickstart
Commerce 2.19 ---------------- https://drupal.org/project/commerce_kickstart
ERPAL 2.1 -------------------- https://drupal.org/project/erpal
Guardr 1.14 ------------------ https://drupal.org/project/guardr
Open Atrium 2.22 ------------- https://drupal.org/project/openatrium
Open Outreach 1.12 ----------- https://drupal.org/project/openoutreach
OpenPublic 1.2 --------------- https://drupal.org/project/openpublic
Panopoly 1.12 ---------------- https://drupal.org/project/panopoly
Recruiter 1.3 ---------------- https://drupal.org/project/recruiter
# New features and enhancements in this release:
* Explain that Solr self-provisioning works only if _MODULES_FIX=YES is set.
* Reverify all sites daily if /root/.force.sites.verify.cnf ctrl file exists
and _PERMISSIONS_FIX=YES is set in /root/.barracuda.cnf (default is NO)
# Changes in this release:
* Security: Remove support for SSLv3 due to POODLE vulnerability.
* Disable Redis in Hostmaster until we will fix the Views based pages/blocks.
* Disable site_readonly for non-dev sites by default.
* Drush: Upgrade command line version 6 to mini-6-04-10-2014
* Enable AllowUserFXP in Pure-FTPd config by default.
* Remove support for already deprecated non-LTS Ubuntu versions.
* Run manage_ip_auth_access only once per minute.
* The INI variable redis_flush_forced_mode is enabled by default (again).
* Use sysklogd instead of rsyslog on Ubuntu.
# System upgrades in this release:
* MariaDB 5.5.40
* Nginx 1.7.6
* OpenSSH 6.7p1 (if installed from sources)
* OpenSSL 1.0.1j (if installed from sources) - security upgrade.
* PHP 5.5.18
* PHPRedis: master-03-10-2014
# Fixes in this release:
* Add auto-detection of Legacy Ruby patch level update on old systems.
* Add cleanup for ghost/broken sites dirs leftovers.
* Add missing cleanup for backup_migrate leftovers.
* Always cleanup pid files on exit/abort.
* Apply patch for SA-CORE-2014-005 in all shared D7 cores/built-in platforms.
* Compass Tools: Install 1.9.3 ffi expected by older themes.
* Fix db_port entry in all vhosts hourly.
* Fix for broken erpal-7.x-2.0-7.31.1
* Fix for broken site level drushrc.php file.
* Fix for false alarm caused by ghost sites leftovers.
* Fix for incorrect hash filtering on systems with OpenSSL built from sources.
* Fix locales: Numerous fixes and improvements -- thanks ar-jan!
* Fix typo in REVISIONS.
* Force site Verify via frontend if drushrc.php has been fixed.
* Issue #435 - SQL: Remove deprecated table_cache +update table_open_cache
* Issue #440 - Improve innodb_buffer_pool_size calculation and add 10%
* Issue #441 - New Relic is not disabled after removing newrelic.info file.
* Issue #442 - Skip locked/fpmcheck if /root/.high_traffic.cnf exists.
* Issue #444 - PHP: Remove useless sed replacement in pool.d/www{*}.conf
* Issue #445 - Remote Import: update 6.x-2.x branch for Ægir 2.x and Drush 6
* Issue #447 - Export LANG, LANGUAGE and all LC_ environment variables.
* Issue #447 - Improve locales consistency.
* Issue #447 - Set default LC_CTYPE and LC_COLLATE environment variables.
* Issue #447 - Simplify locales configuration on Ubuntu.
* Issue #448 - Enforce locale settings by configuring defaults.
* Issue #452 - PHP build is broken with latest MariaDB 5.5.40
* Make sure that db_port is never empty and defaults to 3306.
* Make sure that firewall monitoring scripts never run simultaneously.
* Make sure that standard caching is enabled in hostmaster.
* Pause hostmaster tasks when RVM install for any user is running.
* PHP: Do not run rebuilds if not needed.
* PHP: Fix for broken upgrade logic on libcurl or libssl packages upgrade.
* Remove acquia_connector from latest Commons to avoid broken installs.
* Remove all legacy gems and re-install RVM/Ruby for root from scratch.
* Remove legacy replacement to avoid converting symlinked includes into files.
* SQL: Use correct defaults if MySQLTuner test failed.
* Workaround for Drupal flood using 127.0.0.1 for all requests behind proxy.
### Stable BOA-2.3.4 Release - Full Edition
### Date: Wed Oct 15 09:51:08 PDT 2014
### Includes Ægir 2.1 with improvements
Release Notes and changelog for BOA-2.3.4 has been merged into BOA-2.3.5
above after security upgrades related to OpenSSL and SSLv3 have been added
shortly after 2.3.4 release.
### Stable BOA-2.3.3 Release - Full Edition
### Date: Sat Sep 27 01:25:46 PDT 2014
### Includes Ægir 2.1 with improvements
# Release Notes:
This BOA Edition includes important fixes to address some issues discovered
after BOA-2.3.1 release. Please read also the release notes for BOA-2.3.1
further below before running the upgrade!
#-### Important details on CiviCRM versions compatibility and profiles support
* All BOA-2.3.x Editions fully support latest CiviCRM 4.5.0 for Drupal 7.
* CiviCRM for Drupal 6 is not supported because of known CiviCRM issues.
* CiviCRM support for Drupal 7 works great when added in sites/all/modules
* CiviCRM support for Drupal 7 also works when added in profiles/foo/modules
but no CiviCRM cron is currently managed until this known issue is fixed,
therefore BOA-2.3.3 will check all platforms on the Octopus instance and if
it will detect any with CiviCRM added in the installation profile directory
tree, it will refuse to upgrade such instance to not break things for those
using currently not fully supported CiviCRM codebase structure.
# New Octopus platforms:
OpenChurch 2.0-b1 ------------ https://drupal.org/project/openchurch
# Updated Octopus platforms:
ERPAL 2.0 -------------------- https://drupal.org/project/erpal
Guardr 1.13 ------------------ https://drupal.org/project/guardr
Open Outreach 1.11 ----------- https://drupal.org/project/openoutreach
OpenChurch 1.14 -------------- https://drupal.org/project/openchurch
OpenPublic 1.0-rc5 ----------- https://drupal.org/project/openpublic
OpenScholar 3.15.1 ----------- http://theopenscholar.org
# New features and enhancements in this release:
* Add makefiles for CiviCRM 4.4.7
* Add makefiles for CiviCRM 4.5.0
# Changes in this release:
* Drush: Upgrade command line version 6 to mini-6-27-09-2014
* Restart SSH hourly.
* The INI variable redis_flush_forced_mode is now disabled by default.
* Use aegir_custom_settings-6.x-3.12
* Use Provision CiviCRM boa-2.3.3-dev
# System upgrades in this release:
* MariaDB 10.0.14
* Nginx 1.7.5
* PHP 5.4.33
* PHP 5.5.17
* PHPRedis: master-02-09-2014
* Redis 2.8.17
# Fixes in this release:
* Add extra cleanup for Drush related caches.
* Always respect _SSH_PORT if set.
* Always start cron before aborting on error.
* Do not add duplicate cron entry for runner.sh
* Do not allow system only upgrades if Master Instance is still on 2.2.x
* Do not disable _DNS_SETUP_TEST
* Enable path_alias_cache by default also in the hostmaster site.
* Fix for broken pdnsd configuration if wrong IPs are detected.
* Fix for insufficient permissions on files/civicrm/ConfigAndLog
* Fix for insufficient permissions on files/civicrm/custom
* Fix for insufficient permissions on files/civicrm/dynamic
* Fix for missing cron entry for Scout, if _SCOUT_KEY is not empty.
* Fix the not working procedure to revert hostmaster features.
* Force problematic gems install to add them on accounts with enabled RVM.
* Fox for Java version for Jetty 9 on newer systems.
* Hardcode files.aegir.cc DNS entry.
* Improve docs/ctrl/system.ctrl readability.
* Install openjdk on CI instances by default.
* Issue #411 - Unable to update Octopus Instance - Reports PHP on 5.2
* Issue #423 - Make sure that innodb_buffer_pool_size is not smaller than 64M
* Issue #424 - Update mysqltuner.pl to support MariaDB 10.0
* Make sure that lsb-release is installed properly.
* Make the check_civicrm_compatibility more reliable to avoid false alarms.
* New Relic not enabled if no custom ~/static/control/{fpm|cli}.info exists.
* Nginx: Auto-Switch to wildcard all vhosts existing in the Master Instance.
* Nginx: Avoid any downtime on upgrade by using www53.fpm.socket temporarily.
* Nginx: Convert all config templates to wildcard mode in legacy instances.
* Nginx: Convert all Octopus vhosts to wildcard mode on Barracuda upgrade.
* Nginx: Convert config to use PHP 5.2 if the instance still depends on it.
* Nginx: Delete ghost, outdated or broken config includes in all instances.
* Nginx: Delete ghost, outdated or broken vhosts in all instances.
* Nginx: Force special vhosts access rules rebuild hourly.
* Nginx: Improve wildcard conversion procedure on some really old instances.
* Purge all ghost delete tasks before running hostmaster-migrate / upgrade.
* Purge Drush related caches cleanly when needed.
* Recreate possibly broken vhosts.
* Remove duplicate cron entry for runner.sh to avoid critical system load.
* Remove legacy replacement to not convert config symlinks into regular files.
* Run check_civicrm_compatibility only on upgrade.
* Single feature revert may not be enough.
* Update contrib in Open Atrium D7 to maintain upgrade path.
* Update cron defaults and remove legacy code.
* Update default SSL Wildcard Nginx Proxy to use wildcard listen mode.
* Use strict regex in vhosts listen mode conversion to not break ports.
### Stable BOA-2.3.2 Release - Full Edition
### Date: Thu Sep 18 15:16:33 PDT 2014
### Includes Ægir 2.1 with improvements
Release Notes and changelog for BOA-2.3.2 has been merged into BOA-2.3.3
above after several hotfixes and various updates have been added shortly
after 2.3.2 release to address all identified post-release issues.
### Stable BOA-2.3.1 Release - Full Edition
### Date: Sun Sep 14 15:53:25 SGT 2014
### Includes Ægir 2.1 with improvements
### Latest hotfix added on: Mon Sep 15 19:10:07 SGT 2014
# Release Notes:
This major BOA Edition introduces many new features, changes and fixes.
You should carefully read about some caveats further below **before** running
this major upgrade on your system. Please secure a fresh system backup first.
If you haven't run full barracuda+octopus upgrade to latest BOA Stable
Edition yet, don't use any partial/system upgrade modes.
Once new BOA Stable is released, you must run *full* upgrades with commands:
$ cd;wget -q -U iCab http://files.aegir.cc/BOA.sh.txt;bash BOA.sh.txt
$ barracuda up-stable
$ octopus up-stable all both
@=> Key new features:
* BOA-2.3.1 comes with new, shiny Ægir 2.1 stable version!
* Support for Drupal sites in subdirectories is enabled by default
* Solr 4 cores can be added/updated/deleted via site level INI settings
* Super-easy to use New Relic support with per Octopus license key
* Ability to add new Octopus instances with new, simple command syntax
@=> Ægir control panel new features:
* The list of sites is searchable by name or installation profile
* Sites have dedicated tabs: Backups, Task log, Edit and Packages
* Platform have tabs: Add site, Clients, Task log, Edit and Packages
* You can schedule tasks against filtered sites in batches
* Scheduling tasks in batches is available also on the platform view
* Scheduling tasks in batches is available also on the profile view
* Scheduling tasks in batches is available also on the client view
* You can schedule tasks also against platforms in batches
* You can safely apply db updates via 'Run db updates' task on any site
* The new 'Clients' menu item allows to list and manage sub-accounts
* Profiles are listed with both human-readable and machine names
* It is now possible to choose any existing alias or the main site name
as a redirect target, but without the need to rename the site --
it will just re-verify the site and create new vhost automatically
@=> Ægir control panel changes:
* The hosting/signup form is still available but not included in the menu
* The node/add/site form is no longer included in the main menu
* The optional pseudo-CDN-aliases feature is now disabled by default
@=> Other important changes:
* Support for PHP 5.2 has been officially deprecated
* The www53 PHP-FPM pool has been switched from port to default socket mode
* All existing vhosts must use wildcard in the Nginx 'listen' directive
* Legacy mode for Install and Upgrade moves to 2.2.x branch
* DB credentials are no longer in settings.php, only in drushrc.php
* Latest Drush 6 version is used in the Ægir backend by default
But what if you are not ready for this major upgrade and you would like
to have more time for testing, but still be able to run system upgrades,
thus effectively still using previous version 2.2.9 ?
#-### Legacy mode for Install and Upgrade moves to 2.2.x branch
From now on, the 'legacy' install and upgrade mode available in all meta-
installers will utilize branch 2.2.x instead of deprecated 2.1.x series.
This means that starting with meta installers updated to use BOA-2.3.1
version you can use commands like shown below to update Barracuda, Octopus
and also to install more Octopus instances, while still using version 2.2.9:
$ boa in-legacy public server.mydomain.org my@email o1
$ barracuda up-legacy system
$ octopus up-legacy o1
$ boa in-legacy public server.mydomain.org my@email o2 mini
etc.
Remember to update your meta-installers first!
$ cd;wget -q -U iCab http://files.aegir.cc/BOA.sh.txt;bash BOA.sh.txt
Note also that if you will upgrade to current 'stable', it is not possible
to downgrade back to the 'old stable' with 'legacy' mode, so please proceed
with care!
Remember also that current legacy version will not receive any further
updates, even for security issues (besides those provided as packages by
your OS vendor - Debian or Ubuntu, which will still work), because it is
already different enough from current 2.3.1 stable, so we can't reliably
maintain both with working upgrade path.
#-### Caveats: This upgrade will force wildcard in the Nginx 'listen' directive
If you have old enough BOA system which still uses legacy IP mode and not
a wildcard in the Nginx 'listen' directive, which is both Ægir and BOA
standard for a long time already, this upgrade will fix the problem and
update directives only in vhosts known and controlled by BOA.
If you have any other vhosts, located in standard or non-standard Nginx/BOA
directories for vhosts, you have to update them manually after upgrade to
BOA-2.3.0 or newer, or they will take over all other vhosts on the system
and cause redirects to /install.php which results with Nginx error 403 or 404,
depending on the prior configuration.
It will happen because IP based 'listen' directive in Nginx has higher
priority, and will mess things horribly if there are vhosts using wildcard
and some using the main system IP address.
What and how to replace? Here are the commands you need to run as root:
$ sed -i "s/.*listen.*:80;/ listen \*:80;/g" /path/to/vhost.file
$ service nginx reload
Note: this **doesn't** affect special vhosts for SSL enabled sites, if used,
because they are designed to use IP based 'listen' directives to provide
separation between SSL enabled IPs and their associated certificates,
while their associated 'upstream' block may even point to either local or
remote IP address, so there is no wildcard to use in this case, and it will
not conflict with all other vhosts managed by Ægir, because all SSL enabled
vhosts listen on other IP addresses than the main system IP, which is
by default used by all vhosts with wildcard in the 'listen' directive.
The problem may happen only when you have vhosts using wildcard and also
some vhosts using **main** system IP address in the 'listen' directive,
which may happen also unintentionally during upgrade to BOA-2.3.0 or never,
if there are either vhosts BOA doesn't control, or there are ghost vhosts
not yet purged if you didn't upgrade to BOA-2.2.9 before, or there are
some disabled sites, so their vhosts will not be re-created by Ægir
during this major upgrade (because only active sites can be re-verified).
While BOA will fix also any such ghost vhosts anyway, it will not be able
to detect and fix vhosts outside of the standard directories managed by Ægir.
#-### Ability to add new Octopus instances with new, simple command syntax
It is now possible to add stable Octopus instances w/o forcing Barracuda
upgrade, plus optionally with no platforms added by default -- usage:
$ boa {in-octopus} {email} {o2} {mini|max|none}
#-### The www53 PHP-FPM pool has been switched from port to default socket mode.
Note that we are breaking backward compatibility here, so it will cause
downtime on upgrade from any too old BOA version, until you will upgrade also
Octopus instance(s) and update any other non-standard vhosts or includes
still using legacy port mode for 'fastcgi_pass' Nginx directive.
If you have 'fastcgi_pass 127.0.0.1:9090;' in any custom vhost or Nginx
include file on the Octopus instance, you should replace it with:
fastcgi_pass unix:/var/run/o1.fpm.socket;
where 'o1' is your corresponding Octopus system username.
Note that if you have custom vhosts or includes in the Ægir Master Instance,
you should instead replace 'fastcgi_pass 127.0.0.1:9090;' with:
fastcgi_pass unix:/var/run/www53.fpm.socket;
where '53' is related to PHP version defined via _PHP_FPM_VERSION in your
/root/.barracuda.cnf file. Note that while variable has a dot, the socket
name doesn't.
#-### Support for PHP 5.2 has been officially deprecated
While Barracuda 2.3.1 can continue to run and even upgrade if needed also
the very old PHP 5.2 version, only Octopus instances running at least PHP 5.3
or newer in both FPM and CLI mode can be upgraded to Octopus 2.3.1 Edition.
If you are still using PHP 5.2 in your Octopus instance, you will not
receive Ægir nor Drupal Platforms upgrade, but the Barracuda part of your
system will receive upgrade to 2.3.1 anyway, so it will be ready to support
your outdated Octopus instance upgrade as soon as you will switch it to
modern and secure PHP version -- which is easy!
Let's quote the original how-to for reference:
#-### Support for PHP FPM/CLI version safe switch per Octopus instance
This allows to easily switch PHP version by the instance owner w/o system
admin (root) help. All you need to do is to create ~/static/control/fpm.info
and ~/static/control/cli.info file with a single line telling the system
which available PHP version should be used (if installed): 5.5 or 5.4 or 5.3
Only one of them can be set, but you can use separate versions for web access
(fpm.info) and the Ægir backend (cli.info). The system will switch versions
defined via these control files in 5 minutes or less. We use external control
files and not any option in the Ægir interface to make sure you will never
lock yourself by switching to version which may cause unexpected problems.
#-### Support for New Relic monitoring with per Octopus instance license key
This new feature will disable global New Relic monitoring by deactivating
server-level license key, so it can safely auto-enable or auto-disable it
every 5 minutes, but per Octopus instance -- for all sites hosted on
the given instance -- when a valid license key is present in the special
new ~/static/control/newrelic.info control file.
Please note that valid license key is a 40-character hexadecimal string
that New Relic provides when you sign up for an account.
To disable New Relic monitoring for the Octopus instance, simply delete
its ~/static/control/newrelic.info control file and wait a few minutes.
Please note that on a self-hosted BOA you still need to add your valid
license key as _NEWRELIC_KEY in the /root/.barracuda.cnf file and run
system upgrade with at least 'barracuda up-stable' first. This step is
not required on Omega8.cc hosted service, where New Relic agent is already
pre-installed for you.
#-### Solr 4 cores can be added/updated/deleted via site level INI settings
;;
;; This option allows to activate Solr 4 core configuration for the site.
;;
;; Only Solr 4 powered by Jetty server is available. Supported integration
;; modules are limited to latest versions of either search_api_solr (D7 only)
;; or apachesolr (will use Drupal core specific version automatically).
;;
;; Currently used versions are listed below:
;;
;; https://ftp.drupal.org/files/projects/search_api_solr-7.x-1.6.tar.gz
;; https://ftp.drupal.org/files/projects/apachesolr-7.x-1.7.tar.gz
;; https://ftp.drupal.org/files/projects/apachesolr-6.x-3.0.tar.gz
;;
;; Note that you still need to add preferred integration module along with
;; any its dependencies in your codebase since this feature doesn't modify
;; your platform or site - it only creates Solr core with configuration
;; files provided by integration module: schema.xml and solrconfig.xml
;;
;; This setting affects only the running daily maintenance system behaviour,
;; so you need to wait until next morning to be able to use new Solr 4 core.
;;
;; Once the Solr core is ready to use, you will find a special file in your
;; site directory: sites/foo.com/solr.php with details on how to access
;; your new Solr core with correct credentials.
;;
;; The site with enabled Solr core can be safely migrated between platforms,
;; integration module can be moved within your codebase and even upgraded,
;; as long as it is using compatible schema.xml and solrconfig.xml files.
;;
;; Supported values for the solr_integration_module variable:
;;
;; apachesolr
;; search_api_solr
;;
;; To delete existing Solr core simply comment out this line.
;; The system will cleanly delete existing Solr core next morning.
;;
;; IMPORTANT if you are using self-hosted BOA: _MODULES_FIX=YES must be set
;; in the /root/.barracuda.cnf file (this is default value) to make this
;; feature active.
;;
;solr_integration_module = your_module_name_here
;;
;; This option allows to auto-update your Solr 4 core configuration files:
;;
;; schema.xml
;; solrconfig.xml
;;
;; If there is new release for either apachesolr or search_api_solr, your
;; Solr core will not be automatically upgraded to use newer schema.xml and
;; solrconfig.xml, unless allowed by switching solr_update_config to YES.
;;
;; This option will be ignored if you will set solr_custom_config to YES.
;;
;solr_update_config = NO
;;
;; This option allows to protect custom Solr 4 core configuration files:
;;
;; schema.xml
;; solrconfig.xml
;;
;; To use customized version of either schema.xml or solrconfig.xml, you need
;; to switch solr_custom_config to YES below and if you are using hosted
;; Ægir service, submit a support ticket to get these files updated with
;; your custom versions. On self-hosted BOA simply update these files directly.
;;
;; Please remember to use Solr 4 compatible config files.
;;
;solr_custom_config = NO
# Updated Octopus platforms:
aGov 1.4 --------------------- https://drupal.org/project/agov
Guardr 1.12 ------------------ https://drupal.org/project/guardr
Open Academy 1.1 ------------- https://drupal.org/project/openacademy
Restaurant 1.0-b9 ------------ https://drupal.org/project/restaurant
Ubercart 3.7 ----------------- https://drupal.org/project/ubercart
# New features and enhancements in this release:
* Ability to add new Octopus instances with new, simple command syntax
* Add default aggressive php-fpm monitoring + /root/.no.fpm.cpu.limit.cnf
* Allow to define always disabled modules via _MODULES_FORCE variable.
* Better wait limits on connection testing for slow network / long distance.
* Issue #1927522 - Add support for easy Solr cores self-management.
* Issue #362 - Add imageapi_optimize binaries via IMG in _XTRAS_LIST
* Issue #376 - Add New Relic support with per Octopus instance license key.
* Make firewall management faster with randomized schedule.
* Procs monitor runs every 3 seconds.
* Run mysql_proc_control every 5 seconds for better results.
* You can safely apply db updates via 'Run db updates' task on any site.
# Changes in this release:
* DB credentials are no longer visible in settings.php, only in drushrc.php
* Delete default profiles in the hostmaster platform.
* Disable _DEBUG_MODE if not enabled on the fly.
* Disable newrelic-sysmond unless /root/.enable.newrelic.sysmond.cnf exists.
* Drush: Upgrade command line version 6 to mini-6-14-09-2014
* Nginx: Remove deprecated code - _HTTP_WILDCARD is already used by default.
* Nginx: Use limit_conn protection only for known dynamic requests.
* Redis Integration Module (cache_backport): Update to version 6.x-1.0-rc2
* Redis Integration Module: Update to version mod-12-09-2014
* Remove _ALLOW_UNSUPPORTED legacy and no longer working properly feature.
* Remove dependency on Update Manager globally.
* Remove deprecated multi-instance labels in the New Relic configuration.
* Replace old hosting_civicrm_cron with newer hosting_civicrm module.
* Set hosting_default_profile to 'minimal' to improve Ubercart 3 visibility.
* The www53 PHP-FPM pool has been switched from port to default socket mode.
* Use Provision CiviCRM boa-2.3.1-dev
# System upgrades in this release:
* cURL 7.38.0 (if installed from sources)
* Git 2.1.0 (if installed from sources)
* Jetty 7.6.16.v20140903
* Jetty 8.1.16.v20140903
* Jetty 9.2.3.v20140905
* PHP 5.3.29 EOL! Please read: http://php.net/archive/2014.php#id2014-08-14-1
* PHP 5.4.32
* PHP 5.5.16
* Redis 2.8.14
# Fixes in this release:
* Add cleanup for _GIT_FORCE_REINSTALL if added in .barracuda.cnf
* Add missing drush cache-clear drush to improve upgrade path.
* Add new features in the README.txt
* Add wheezy to the exceptions list where required.
* Allow to clear drush cache without directory restrictions.
* Always set correct TMP path for supported users.
* Cleanup for cron pid files in user specific .tmp dirs.
* Count properly also symlinked files directories (improved).
* D6 colorbox module requires old 1.3.18 library.
* Delete drush_make leftovers.
* Delete duplicate menu items on upgrade.
* Do not allow to install SSH from sources on Trusty to avoid problems.
* Do not skip daily.sh during barracuda system only update.
* Eldir theme: Use max width for buttons, if possible.
* Explain why installing RVM may take longer than expected.
* Fix cleanup for drush aliases in sub-accounts.
* Fix daily cleanup for user specific .tmp directories.
* Fix docs/HINTS.txt
* Fix for broken mariadb.list
* Fix for broken, way too aggressive PHP-FPM monitoring.
* Fix for ghost dirs cleanup.
* Fix for ghost vhosts cleanup.
* Fix for missing symlinks to existing platforms.
* Fix for not working protection from blocking local IPs on multi-IP systems.
* Fix for subdirs_support universal check.
* Fix for unreliable _IS_OLD check on Octopus instances upgrade.
* Fix for warning "Could not create directory ." on Hostmaster site Verify.
* Fix the fields order in the site edit form.
* Fix the regex to not whitelist unexpected IP ranges inadvertently.
* Force cURL rebuild if installed with outdated OpenSSL version.
* Guard against destructive or insecure tasks run on the hostmaster site.
* Improve cleanup for empty platforms directories.
* Improve monitoring to protect against convert trying to overload the system.
* Issue #2330781 - Use Drush dt() wrapper instead of not always available t()
* Issue #357 - Fix the logic for Git (re)install from sources.
* Issue #360 - Exclude special --CDN vhosts from daily cleanup.
* Issue #361 - Update and improve docs/FAQ.txt
* Issue #369 - Automatically download and fix /bin/websh if missing.
* Issue #369 - Restore classic /bin/sh symlink automatically if needed.
* Issue #373 - Set correct TMP, TEMP, TMPDIR env variables in limited shell.
* Issue #373 - Too restrictive lshell forbidden list breaks drush sql-sync.
* Issue #380 - Nameserver / pdnsd problem -- Fixes also Issue #2007990.
* Issue #381 - Zend OPcache forced adds useless noise in the log.
* Issue #388 - Version 6.x-2.x of provision_civicrm requires hosting_civicrm
* Issue #389 - hosting_civicrm breaks site install form with confusing error.
* Issue #390 - Duplicate platforms nodes are created after upgrade to 2.3.0
* Issue #395 - Validate username isn't reserved before running install script.
* Issue #396 - Locale isn't getting set properly.
* Issue #397 - Not actually prompted for platforms during installation.
* Issue #398 - Make locales setup/fix for Debian always OS compatible.
* Issue #399 - The hitimes gem needs to be pre-installed to support Omega4.
* Issue #400 - CiviCRM is not installed on 2.3.0
* Issue #401 - Create sites/all/* subdirs in Hostmaster early enough.
* Issue #402 - Fix for ghost or disabled vhosts which still listen on IP.
* Issue #405 - Installer hangs due to yes/no dialog - "Untrusted packages"
* Issue #406 - Force keyring reinstall also upon 'GPG error'.
* Issue #407 - Fix for 'username is already taken' error on a local VM install
* Issue #408 - Fix for multiple funny typos. Thanks ar-jan!
* Make it clear that subdomain and subdirectory name must be identical.
* Make sure that keys subdirectory exists to avoid active platforms cleanup.
* Make the PHP-FPM processes monitor less aggressive by default.
* New Relic not enabled if no custom ~/static/control/{fpm|cli}.info exists.
* Nginx: Add config symlinks only on legacy instances.
* Nginx: Add cron access support for subdir sites.
* Nginx: Convert all vhosts to wildcard mode on Barracuda upgrade.
* Nginx: Disable monitoring for POST requests related to cart/checkout URI.
* Nginx: Do not touch nginx_wild_ssl.conf during this upgrade.
* Nginx: Improve wildcard conversion procedure on some really old instances.
* Nginx: Remove deprecated code and config templates.
* Nginx: Sanitize aliases in vhost_disabled.tpl.php to avoid warnings.
* Nginx: Update config includes to match optional BOA features improvements.
* Nginx: Update unified configuration templates in Provision to unfork BOA.
* Nginx: Update vhosts templates to match BOA improvements.
* PHP: Avoid unintended duplicate rebuilds.
* PHP: Sync disable_functions list.
* Protect sites/all/drush
* Provision: Backport provision_hosting_feature_enabled()
* Provision: Remove legacy subdir code and update checks.
* Redis config should sync with PHP-CLI, not PHP-FPM.
* Remove legacy procs monitoring code.
* Remove no longer needed limreq global fixes.
* Remove no longer needed/used contrib updates.
* Remove redundant file_exists() if is_readable() is also used.
* Replace old hosting_civicrm_cron with newer hosting_civicrm module.
* Restart pdnsd before running barracuda upgrade.
* Restore BOA formatting for tasks log to improve readability.
* Restore BOA naming convention and docs in Hostmaster.
* Restore BOA naming convention for Installation profiles in Hostmaster.
* Restore BOA strict _hosting_valid_fqdn* testing procedures in Hostmaster.
* Restore BOA weight defaults in the form in Hostmaster.
* Restore punycode in Hostmaster.
* Restore tasks sort to always show tasks scheduled and running at the top.
* Sanitize cli.info and fpm.info
* Set _PLATFORMS_LIST properly.
* Silence early sed replacements to avoid confusion.
* Simplify colorbox-1.3.18 download.
* Simplify colorbox-1.5.13 download.
* Switch branch on the fly and add support for Ægir vanilla mode.
* Sync /tmp access restrictions.
* The hosting_civicrm_cron is now a submodule and should be also auto-enabled.
* The wildcard transition **doesn't** affect vhosts for SSL enabled sites.
* There is no need to force backend clone from GitHub on initial upgrade.
* Update for the Hostmaster welcome page.
* Update FPM monitoring settings.
* Use as short labels on the site node as possible.
* Use control files properly to not run redundant Jetty/Solr upgrade.
* Use correct paths to platform level drushrc.php file.
* Use correct Provision version on initial upgrade to 2.3.0
* Use Drush6 with @hostmaster.
* Use is_dir() instead of file_exists() when checking directory existence.
* Use is_file() and is_link() instead of file_exists() before trying unlink()
* Use is_readable() and file_exists() instead of file_exists() for backup.
* Use is_readable() check instead of insufficient file_exists() for includes.
* Use is_readable() instead of file_exists() when checking alias existence.
* Install latest Git even if not specified via _XTRAS_LIST but previous
version built from sources is detected.
* Issue #2278847 - Derivatives can't be created on install with Drush and
Ægir or when no vhost is available yet (Drupal Commons)
### Stable BOA-2.3.0 Release - Full Edition
### Date: Mon Sep 8 08:42:01 PDT 2014
### Includes Ægir 2.1 with improvements
Release Notes and changelog for BOA-2.3.0 has been merged into BOA-2.3.1
above after several hotfixes and some great new features have been added
shortly after 2.3.0 release to address all identified post-release issues.
### Stable BOA-2.2.9 Release - Full Edition
### Date: Wed Aug 6 17:08:10 PDT 2014
### Includes Ægir 2.x-boa-custom version.
### Latest hotfix added on: Fri Aug 15 09:37:04 PDT 2014
# Release Notes:
This release includes updated versions of all supported Drupal platforms to
provide latest Drupal 7 and Pressflow 6 core, plus some changes, improvements,
bug fixes, and many updated Octopus platforms.
NOTE: Since the first Edition in the BOA-2.3.x series is not ready for release
yet, and new Drupal core has been released to fix security issues, followed
by yet another release to fix serious regressions, followed by yet another
security release, we have decided to make it available to everyone and release
yet another stable BOA-2.2.x Edition.
IMPORTANT! This is the last Edition in the 2.2.x series, which marks the end
of Drupal 5, PHP 5.2 and Drush 4 support. Next Edition will open 2.3.x series,
which will allow us to provide newer Ægir version with built-in Drush 6
support, sites in subdirectories, and many Ægir User Interface improvements.
If you still host any Drupal 5 sites or you are using PHP 5.2 for D6 sites,
you will not be able to upgrade to the next 2.3.x Edition and you will have to
stay on the 'legacy' BOA 2.2.x version, which will receive only system
security upgrades, but no further feature nor bugfix releases.
This also means that from now on the 'legacy' 2.2.x version will no longer
receive Drupal core upgrades, even if there will be security core releases.
It is time to upgrade away from Drupal 5 and away from PHP 5.2, if still used.
# Updated Octopus platforms:
aGov 1.2 --------------------- https://drupal.org/project/agov
Commerce 1.29 ---------------- https://drupal.org/project/commerce_kickstart
Commerce 2.17 ---------------- https://drupal.org/project/commerce_kickstart
Commons 2.20 ----------------- https://drupal.org/project/commons
Commons 3.17 ----------------- https://drupal.org/project/commons
ERPAL 2.0-b5 ----------------- https://drupal.org/project/erpal
Guardr 1.11 ------------------ https://drupal.org/project/guardr
Open Atrium 2.21 ------------- https://drupal.org/project/openatrium
Open Outreach 1.10 ----------- https://drupal.org/project/openoutreach
OpenPublic 1.0-rc4 ----------- https://drupal.org/project/openpublic
Panopoly 1.11 ---------------- https://drupal.org/project/panopoly
Restaurant 1.0-b2 ------------ https://drupal.org/project/restaurant
# New features and enhancements in this release:
* Allow to define always disabled modules via _MODULES_FORCE variable.
* Eldir: Add subtle 3D and round some edges.
* Eldir: Improve spacing and hide useless headers.
* Fix permissions on sites/all/{modules,libraries,themes} on Platform Verify.
* Make firewall management faster with randomized schedule.
* Merge pull request #362 from pricejn2/imageapi-optimize-binaries
* RVM: Add exceptions for gems which can't be installed in Limited Shell.
* Shell: Compass Tools: Allow to access guard.
* Shell: Improve config to better support advanced Drush commands over SSH.
# Changes in this release:
* Drush: Upgrade command line version 6 to mini-6-14-08-2014
* Nginx: Add DBot to is_crawler list.
* Remove no longer supported NodeStream distro.
* Run complete modules-dis-list weekly (Saturday) and basic list daily.
# System upgrades in this release:
* MariaDB 10.0.13
* MariaDB 5.5.39
* Nginx 1.7.4
* OpenSSL 1.0.1i (if installed from sources)
* PHP: ionCube loader 4.6.1
* PHP: Zend OPcache master-30-07-2014
# Fixes in this release:
* Add cleanup for .tmp in sub-accounts.
* Add cleanup for drush-backups leftovers.
* Add cleanup for various /var/backups/* leftovers.
* Add daily auto-cleanup for ghost vhosts, platforms and drush aliases.
* Add exception for symlinked /data/all
* Add hint for HTTPS-only mode forced in local.settings.php
* Allow to clear drush cache without directory restrictions.
* Avoid "Is a directory" noise in the log.
* Commons 2.20 has changed its profile name from drupal_commons to commons.
* Do not modify site_footer on hostmaster upgrade.
* Do not rename the legacy Commons profile name.
* Fix -mtime expected values.
* Fix cleanup for .restore vhost leftovers.
* Fix cleanup for drush aliases in sub-accounts.
* Fix for unreliable _IS_OLD check on Octopus instances upgrade.
* Fix Nginx monitor to respect all whitelisted POST requests in both modes.
* Fix permissions on sites/all/{modules,libraries,themes} globally.
* Fix weird typo in global.inc
* Improve cleanup for empty platforms directories.
* Improve RVM cleanup.
* Issue #2278847 - Derivatives (Drupal Commons) can't be created on install.
* Issue #334 - Backported provision_civicrm #1485920
* Issue #334 - Delete the civicrm_class_loader variable after deploying.
* Issue #334 - Install civicrm in any location (sites/ profiles + contrib).
* Issue #360 - Exclude special --CDN vhosts from daily cleanup.
* Make sure that /keys subdirectory exists to avoid active platforms cleanup.
* Make sure that local IPs are never blocked by mistake.
* Never touch websh wrapper to avoid high load because of redirect loop.
* Nginx: Detected $device is not used in Boost config, only in Speed Booster.
* Nginx: Fix limreq also for some really old vhosts.
* Nginx: Modify only vhosts known as included in the protected mode.
* Remove /var/run/daily-fix.pid if exists when it shouldn't.
* Remove debugging mode in old codebases cleanup.
* Remove no longer needed/used contrib updates.
* Restore default websh wrapper symlink as fast as possible.
* Run manage_ltd_users every 3 minutes instead of every minute.
* Simplify colorbox-1.3.18 download.
* Simplify colorbox-1.5.13 download.
* Uninstall css_emimage only on hostmaster upgrade.
* Update and improve docs/FAQ.txt
* Update regex for exceptions in Nginx monitoring.
### Stable BOA-2.2.8 Release - Full Edition
### Date: Sat Jul 26 15:31:29 PDT 2014
### Includes Ægir 2.x-boa-custom version.
### Latest hotfix added on: Tue Aug 5 14:47:17 PDT 2014
# Release Notes:
This release includes updated versions of all supported Drupal platforms to
provide latest Drupal 7 and Pressflow 6 core, plus some changes, improvements,
bug fixes, and six (6) updated Octopus platforms.
NOTE: Since the first Edition in the BOA-2.3.x series is not ready for release
yet, and new Drupal core has been released to fix security issues, followed by
yet another release to fix serious regressions, we have decided to make it
available to everyone and release yet another stable BOA-2.2.x Edition.
IMPORTANT! This is the last Edition in the 2.2.x series, which marks the end
of Drupal 5, PHP 5.2 and Drush 4 support. Next Edition will open 2.3.x series,
which will allow us to provide newer Ægir version with built-in Drush 6
support, sites in subdirectories, and many Ægir User Interface improvements.
If you still host any Drupal 5 sites or you are using PHP 5.2 for D6 sites,
you will not be able to upgrade to the next 2.3.x Edition and you will have to
stay on the 'legacy' BOA 2.2.x version, which will receive only system
security upgrades, but no further feature nor bugfix releases.
This also means that from now on the 'legacy' 2.2.x version will no longer
receive Drupal core upgrades, even if there will be security core releases.
It is time to upgrade away from Drupal 5 and away from PHP 5.2, if still used.
# Updated Octopus platforms:
Commerce 1.28 ---------------- https://drupal.org/project/commerce_kickstart
Commerce 2.16 ---------------- https://drupal.org/project/commerce_kickstart
Commons 3.16 ----------------- https://drupal.org/project/commons
Open Outreach 1.8 ------------ https://drupal.org/project/openoutreach
OpenBlog 1.0-v3 -------------- https://drupal.org/project/openblog
Panopoly 1.8 ----------------- https://drupal.org/project/panopoly
# New features and enhancements in this release:
* Allow to force OpenSSL etc. re-install with _SSL_FORCE_REINSTALL=YES
* Auto-Move no longer used shared codebases to /var/backups/codebases-cleanup
# Changes in this release:
* Drush: Upgrade command line version 6 to mini-6-29-07-2014
* Issue #334 - Update provision_civicrm version - code by ixiam - thanks!
* Redis Integration Module: Update to version mod-21-07-2014
* Uninstall css_emimage in hostmaster to avoid broken upgrades.
* Update for Contrib [F]orce[D]isabled modules list.
* Use more aggressive defaults for _PURGE_BACKUPS and _PURGE_TMP if not set.
# System upgrades in this release:
* PHP 5.4.31
* PHP 5.5.15
# Fixes in this release:
* Add auto-cleanup for civimail ghost leftovers.
* Add cleanup drush aliases in the main SSH account properly.
* Add cleanup for RVM archives and logs.
* Fix for default value on hot fix update.
* Fix for dev regression - it shouldn't set $conf['cache'] on valid dev URLs.
* Fix the logic for custom _DEL_OLD_EMPTY_PLATFORMS defaults.
* Issue #333 - Update BOA changelog URL shortcut.
* Nginx: Automate SPDY test to determine if OpenSSL re-install is required.
* Nginx: Silence access log for already protected /civicrm admin requests.
* Remove special one-time variables if set, once used.
* RVM: Install OS compatible Ruby version + various related adjustments.
* Silence useless noise in the log.
* Sync firewall limits.
### Stable BOA-2.2.7 Release - Full Edition
### Date: Thu Jul 17 03:11:47 CEST 2014
### Includes Ægir 2.x-boa-custom version.
### Latest hotfix added on: Fri Jul 18 18:21:40 CDT 2014
# Release Notes:
This release includes some nice new features, improvements, bug fixes, one
new Octopus platform, five (5) updated Octopus platforms, along with latest
Drupal core security upgrades for all supported platforms.
NOTE: Since the first Edition in the BOA-2.3.x series is not ready for release
yet, and new Drupal core has been released today to fix security issues,
we have decided to make it available to everyone and release yet another
stable BOA-2.2.x series Edition.
IMPORTANT! This is the last Edition in the 2.2.x series, which marks the end
of Drupal 5, PHP 5.2 and Drush 4 support. Next Edition will open 2.3.x series,
which will allow us to provide newer Ægir version with built-in Drush 6
support, sites in subdirectories, and many Ægir User Interface improvements.
If you still host any Drupal 5 sites or you are using PHP 5.2 for D6 sites,
you will not be able to upgrade to the next 2.3.x Edition and you will have to
stay on the 'legacy' BOA 2.2.x version, which will receive only system
security upgrades, but no further feature nor bugfix releases.
This also means that from now on the 'legacy' 2.2.x version will no longer
receive Drupal core upgrades, even if there will be security core releases.
It is time to upgrade away from Drupal 5 and away from PHP 5.2, if still used.
# New Octopus platforms:
OpenPublic 1.0-b23 ----------- https://drupal.org/project/openpublic
# Updated Octopus platforms:
Commerce 1.27 ---------------- https://drupal.org/project/commerce_kickstart
Commons 3.15 ----------------- https://drupal.org/project/commons
ERPAL 2.0-b4 ----------------- https://drupal.org/project/erpal
Guardr 1.9 ------------------- https://drupal.org/project/guardr
Open Deals 1.33 -------------- https://drupal.org/project/opendeals
# New features and enhancements in this release:
* Add early auto-repair procedure if Provision is missing for any reason.
* Add support for Debian Squeeze LTS updates.
* Add support for Debian Squeeze Stable Proposed Updates.
* Add views_accelerator in all D7 platforms by default via o_contrib bundle.
* Issue #307 - Support for Compass Tools via RVM with local user gems.
* Make $conf['cache'] configurable via disable_drupal_page_cache INI variable.
# Changes in this release:
* Nginx: Send Boost compatible Cache-Control headers also with Speed Booster.
This is to mimic Drupal core behaviour when full-page cache is disabled,
even if it is not really disabled via disable_drupal_page_cache INI variable.
Note that Speed Booster continues to ignore Cache-Control headers sent by
Drupal backend, as before, to force its own TTL set via INI variable:
speed_booster_anon_cache_ttl or in the custom local.settings.php code.
* Add css_emimage to hostmaster makefile to remove dependency on o_contrib.
* Do not upgrade existing o_contrib, only add new if missing in old platforms.
* Drush: Upgrade command line version 6 to mini-6-16-07-2014
* Limited Shell configuration update.
* Nginx: Do not log HTTPS redirects.
* PHP: AutoRemove 5.2 from _PHP_MULTI_INSTALL if no instance is using it.
* Prefer dash if available.
* Redis Integration Module: Update to version mod-10-07-2014
* The ?nocache=1 in the URL should also force $conf['cache'] = 0; on the fly.
* Update lfd default configuration.
# System upgrades in this release:
* cURL 7.37.1 (if installed from sources)
* Nginx 1.7.3
* PHP 5.4.30
* PHP 5.5.14
* PHPRedis: master-06-07-2014
* Redis 2.8.13
# Fixes in this release:
* Authorized IPs detection - it should ignore serial/remote console logins.
* BND --- Bind9 DNS Server (available on Debian only).
* Clear packages cache more aggressively to avoid issues during OS upgrades.
* Configure RVM env properly if installed in the user home directory.
* Contrib update: filefield-6.x-3.13
* Disable redis integration during hostmaster upgrade.
* Do not allow known bots to activate nocache and noredis URLs behaviour.
* Do not use css_emimage in hostmaster to avoid broken upgrades.
* Fix for o_contrib update logic.
* Fix for possible permissions problem with redis log file.
* Fix incorrect version in the permissions fix.
* Fix legacy test logic to allow head instances to upgrade to another 2.2.x
* Fix regex in procs monitor.
* Fix the check for legacy systems on upgrade.
* Force keyring reinstall if reported as broken.
* Issue #316 - Octopus upgrade fails because of missing cd $_ROOT/.drush/sys
* Issue #319 - XTRAS_LIST settings are being overwritten (Ubuntu).
* Issue #320 - Compass Tools available on Squeeze, Wheezy, Precise and Trusty.
* Issue #324 - HTTPS results in redirect loop on AWS due to ignored _MY_OWNIP.
* Issue #328 - The /bin/sh symlink modified daily causes false lfd alarm.
* Make it clear that we recommend and support Debian 64bit.
* Make sure that redis and cache_backport are available for hostmaster.
* Purge no longer used jdk leftovers.
* Readme improvements.
* Remove no longer needed tmp chown -R
* Remove no longer used /data/src directory.
* Remove remote_import if found if the wrong directory.
* Sanitize logs lines before analyzing them.
* The list of platforms symbols can be in a single line or one per line.
* There is no need to force SHELL in the websh wrapper.
* Update nginx documentation URL.
* Use static ftp.debian.org instead of unreliable http.debian.net mirrors.
### Stable BOA-2.2.6 Release - Full Edition
### Date: Sat Jun 21 06:14:18 PDT 2014
### Includes Ægir 2.x-boa-custom version.
### Latest hotfix added on: Mon Jul 14 14:54:04 CDT 2014
# Release Notes:
This release includes great new features, improvements, important changes,
many bug fixes, plus 3 new and 7 updated Octopus platforms.
IMPORTANT! This is the last Edition in the 2.2.x series, which marks the end
of Drupal 5, PHP 5.2 and Drush 4 support. Next Edition will open 2.3.x series,
which will allow us to provide newer Ægir version with built-in Drush 6
support, sites in subdirectories, and many Ægir User Interface improvements.
If you still host any Drupal 5 sites or you are using PHP 5.2 for D6 sites,
you will not be able to upgrade to the next 2.3.x Edition and you will have to
stay on the 'legacy' BOA 2.2.x version, which will receive only system
security upgrades, but no further feature nor bugfix releases.
This also means that from now on the 'legacy' 2.2.x version will no longer
receive Drupal core upgrades, even if there will be security core releases.
It is time to upgrade away from Drupal 5 and away from PHP 5.2, if still used.
# New Octopus platforms:
aGov 1.0-rc8 ----------------- https://drupal.org/project/agov
ERPAL 2.0-b2 ----------------- https://drupal.org/project/erpal
Restaurant 1.0-a5 ------------ https://drupal.org/project/restaurant
# Updated Octopus platforms:
Commerce 2.15 ---------------- https://drupal.org/project/commerce_kickstart
Commons 2.18 ----------------- https://drupal.org/project/commons
Commons 3.14 ----------------- https://drupal.org/project/commons
Guardr 1.5 ------------------- https://drupal.org/project/guardr
Open Atrium 2.19 ------------- https://drupal.org/project/openatrium
Open Outreach 1.7 ------------ https://drupal.org/project/openoutreach
Panopoly 1.6 ----------------- https://drupal.org/project/panopoly
# New features and enhancements in this release:
* Drush aliases based workflows are now supported also remotely over SSH.
This is significant improvement since we have added automatically generated
and updated Drush aliases for the on-the-server use in BOA-2.2.0
* Add gems: compass_radix v2 and compass_twitter_bootstrap
* Add support for automatic Scout App upgrade on RVM/Ruby/Gems upgrade.
* Install headless JRE and only if Solr is expected to run.
* Issue #2268889 - Allow to whitelist IPs for chive, cgp and sqlbuddy access.
* Issues #2248907 #1299526 - Allow to use comments for admin notes.
* Nginx: Disable proxy_buffering to avoid useless extra layer in local proxy.
* SQL: Allow to change InnoDB log file size via _INNODB_LOG_FILE_SIZE variable
* Use better subdirectory tree for Drush extensions.
* Add support for disable_user_register_protection INI variable on the
platform level - on self-hosted BOA and Power Engines only.
* Issue #2240277 - Customize Octopus platforms list via control file.
~/static/control/platforms.info
This file, if exists and contains a single line with supported platforms
symbols, allows to control/override the value of _PLATFORMS_LIST variable
normally defined in the /root/.${_USER}.octopus.cnf file, which can't be
modified by the Ægir instance owner with no system root access.
IMPORTANT: If used, it will replace/override the value defined on initial
instance install and all previous upgrades. It takes effect on every
future Octopus instance upgrade, which means that you will miss all newly
added distributions, if they will not be listed also in this control file.
Supported values which can be written in this file - remember: all in a
single line, space separated, so not one per line, as listed below
only for readability:
# D7P D7S D7D --- Drupal 7 prod/stage/dev
# D6P D6S D6D --- Pressflow 6 p/s/d
# AGV ----------- aGov
# CME ----------- Commerce v.2
# CS7 ----------- Commons 7
# DCE ----------- Commerce v.1
# DCS ----------- Commons 6
# ERP ----------- ERPAL
# FSR ----------- Feature Server
# GDR ----------- Guardr
# MNS ----------- Managing News
# OA7 ----------- Open Atrium D7
# OAM ----------- Open Atrium D6
# OAY ----------- Open Academy
# OBG ----------- OpenBlog
# OCH ----------- OpenChurch
# ODS ----------- Open Deals
# OOH ----------- Open Outreach
# OSR ----------- OpenScholar
# PPY ----------- Panopoly
# RER ----------- Recruiter
# RST ----------- Restaurant
# SRK ----------- Spark
# TTM ----------- Totem
# UC7 ----------- Ubercart D7
# UCT ----------- Ubercart D6
You can also use special keyword 'ALL' to have all available platforms
installed, including newly added in the future BOA system releases.
Examples:
ALL
D7P D6P OAM MNS OOH RST
* Issue #314 - Make _BACKEND_ITEMS configurable via _BACKEND_ITEMS_LIST
You can whitelist extra binaries to make them available for web server
requests, in addition to already whitelisted, known as safe binaries.
NOTE: This feature is available only on self-hosted BOA systems.
Please be aware that you could easily open security holes by whitelisting
commands which may provide access to otherwise not available parts of
the system, because the exec() in PHP doesn't respect other limitations
like open_basedir directive.
You should list only filenames, not full paths, for example:
_BACKEND_ITEMS_LIST="git foo bar"
# Changes in this release:
* Add memcache, memcache_admin to the list of automatically disabled modules.
* Add support for Debian Squeeze LTS updates.
* Add support for Debian Squeeze Stable Proposed Updates.
* Add varnish to the list of automatically disabled modules.
* Add watchdog_live to the list of automatically disabled modules.
* Disable and remove not used init scripts on known VM systems.
* Drush: Upgrade command line version 6 to mini-6-21-06-2014
* Fast DNS Cache Server (pdnsd) install is no longer optional.
* Install only vanilla core platforms by default (can be overridden)
* Nginx: Update default limit_conn settings.
* Nginx: Use only newer control file to force DoS monitor aggressive mode.
* Sync permissions with new defaults in the hardened setup.
* Update files ownership to match defaults in the hardened setup.
* Use dynamic mirror selection provided by Debian instead of forced static.
* The BOA project has moved to Github!
We no longer use repositories and issue queues on drupal.org, in an effort
to avoid fragmentation and duplication. We have moved all downloads used
by Barracuda and Octopus to our mirrors a few months ago, and it helped to
make BOA faster and more reliable during both system install and upgrades.
The next step is to use http://boa.readthedocs.org as a new home for all
future documentation efforts - it will build the docs, including printable
versions, on the fly, using dedicated Github repository as a backend, where
you can help migrate existing docs and improve them, both via boa-docs
project issue queue and pull requests:
https://github.com/omega8cc/boa-docs
We also encourage you to use drupal.stackexchange.com for BOA support:
http://drupal.stackexchange.com/questions/tagged/aegir
Please use our Github project for contributing code, reporting bugs,
and also suggesting new features and ideas:
https://github.com/omega8cc/boa
# System upgrades in this release:
* cURL 7.37.0 (if installed from sources)
* MariaDB 10.0.12
* MariaDB 5.5.38
* MySecureShell 1.33
* Nginx 1.7.2
* OpenSSL 1.0.1h (if installed from sources)
* PHP 5.4.29
* PHP 5.5.13
* PHP: Zend OPcache master-28-05-2014
* Redis 2.8.11
* Ruby 2.1.2
# Fixes in this release:
* Add caveats to docs/REMOTE.txt
* Add explicit whitelisting in websh wrapper to avoid any edge case problems.
* Add info about Two-Factor Auth for Chive in the welcome email template.
* Add missing exceptions in global.inc and simplify docs/REMOTE.txt
* Add missing wrapper exceptions required by daily.sh script.
* Clean up packages cache on finale()
* Create symlink for boa wrapper on the initial install only.
* Delete daily both files and directories in the ~/static/trash/
* Do not remove bundler in CI instances if /root/.keep.bundler.cnf exists.
* Explain that _ALLOW_UNSUPPORTED works only with head.
* Fix for _NGINX_DOS_LIMIT logical error in the scan_nginx template.
* Fix for already installed Open Atrium 2.18 7.28.1
* Fix for Postfix configuration.
* Fix incorrect version in the permissions fix.
* Fix permissions after every upgrade.
* Fix permissions and owner/group required for feeds (upload) support.
* Fix regex in procs monitor.
* Force apticron re-install if apticron.conf is outdated.
* Generate /data/all/cpuinfo daily to be used in Provision.
* GPL Ghostscript should be available for the web (PHP-FPM) access.
* Issue #2248037 - Add Platform and Site INI files Templates on Verify task.
* Issue #2262935 - Modules dir must be group writable in custom platforms.
* Issue #315 - Upgrading from older versions of BOA fails
* Issue #316 - Upgrade fails because of missing cd $_ROOT/.drush/sys line.
* Issue #319 - XTRAS_LIST settings are being overwritten (Ubuntu)
* Issue #324 - HTTPS results in redirect loop on AWS due to ignored _MY_OWNIP.
* PHP: Add protection from switching to not installed CLI or FPM version.
* PHP: Do not block getenv function.
* Provision: Use /data/all/cpuinfo generated by BOA daily, if exists.
* Remove redundant downloads silencer.
* Remove remote_import if found in the wrong directory.
* Sanitize logs lines before analyzing them.
* SQL: Do not run update_innodb_log_file_size() if the size is the same.
* Sync BOND with BARRACUDA.
* Update for switch_to_bash procedure.
* Use already downloaded patches.
* Use Debian release specific proposed-updates.
* Use full path to sqlmagic in daily.sh to avoid 'command not found' error.
* Use static ftp.debian.org instead of unreliable http.debian.net mirrors.
* Fix for authorized IPs detection in the protected vhosts logic - it should
ignore serial/remote console logins.
* Provision: Use higher hardcoded threshold to avoid breaking tasks due to
high load on multi-CPU systems when provision can't determine the real load.
### Stable BOA-2.2.5 Release - Full Edition
### Date: Thu May 8 11:59:23 PDT 2014
### Includes Ægir 2.x-boa-custom version.
### Latest hotfix added on: Sat May 10 09:05:19 PDT 2014
# Release Notes:
This release includes no new features, but does include bug fixes plus latest
Drupal 7.28.1 and Pressflow 6.31.2 core in all built-in Octopus platforms.
There are also three updated distributions included, as listed below.
We also list here all hot-fixes applied to previous stable after its release.
# Important - Read This First! (for self-hosted BOA only)
If you haven't run full barracuda+octopus upgrade to latest BOA Stable
Edition yet, don't use any partial upgrade modes explained in docs/UPGRADE.txt
Once new BOA Stable is released, you must run *full* upgrades with commands:
$ barracuda up-stable
$ octopus up-stable all both
For silent, logged mode with email message sent once the upgrade is
complete, but no progress is displayed in the terminal window, you can run
alternatively, starting with screen session to avoid incomplete upgrade
if your SSH session will be closed for any reason before the upgrade
will complete:
$ screen
$ barracuda up-stable log
$ octopus up-stable all both log
Note that the silent, non-interactive mode will automatically say Y/Yes
to all prompts and is thus useful to run auto-upgrades scheduled in cron.
If you have skipped some recent BOA releases, and you have new default config
option: _PERMISSIONS_FIX=NO in your /root/.barracuda.cnf configuration file,
plus, you are not sure if you follow best practices for managing permissions
as recommended in our docs: https://omega8.cc/node/116 then we recommend
that you change it to _PERMISSIONS_FIX=YES temporarily, or even permanently
if your VPS is fast enough, and then run this powerful script as root:
$ bash /var/xdrago/daily.sh
Note that BOA 'legacy' mode is still at version 2.1.3
# Updated Octopus platforms:
Commons 3.12 ----------------- https://drupal.org/project/commons
Open Atrium 2.18 ------------- https://drupal.org/project/openatrium
Open Outreach 1.6 ------------ https://drupal.org/project/openoutreach
# Changes in this release:
* Add rsyslog/sysklogd to auto-healing procedures.
* Make the aggressive scan_nginx mode optional and use old mode by default.
* Nginx: Add HiScan to blocked crawlers list.
* Nginx: Add Riddler to blocked crawlers list.
* PHP: Use pm.process_idle_timeout = 10s for speed and RAM optimization.
# System upgrades in this release:
* MySecureShell 1.33
* PHP 5.4.28
* PHP 5.5.12
# Fixes in this release:
* Always define _PHP_CN variable properly.
* Firewall: Sync CONNLIMIT for web ports with updated limit_conn in Nginx.
* Fix for _NGINX_DOS_LIMIT logical error in the scan_nginx template.
* Force Pure-FTPd server re-install if key files are missing for any reason.
* Issue #2237167 - Improve authorized IPs detection in all protected vhosts.
* Issue #2262935 - Modules dir must be group writable in custom platforms.
* Nginx: Do not overwrite custom symlinks to the Under Construction template.
* Nginx: Update limit_conn in all instances and vhosts on Barracuda upgrade.
* PHP: Delete pear in legacy paths, if still exists.
* PHP: Fix for CVE-2014-0185 privilege escalation in FPM (doesn't affect BOA)
* Postfix: Force re-install if broken permissions detected on upgrade.
* Pressflow 6: Fix #GH 84 by using drupal_page_is_cacheable().
* Pressflow 6: Merge pull request #GH 85 from pressflow/SA-CORE-2014-002-fix.
* Pressflow 6: Remove duplicate openid_update_6001().
* Revert "Force MariaDB 5.5 re-install".
* Set the TERM env variable if missing to avoid errors.
* Skip packages set on hold when running apticron.
* The ~/static/control must be writeable by lshell user to manage ctrl files.
* Add extra cron semaphore to prevent concurrent cron invocations via
multiple running runner.sh instances.
### Stable BOA-2.2.4 Release - Full Edition
### Date: Wed Apr 30 17:03:36 PDT 2014
### Includes Ægir 2.x-boa-custom version.
### Latest hotfix added on: Fri May 2 04:54:25 PDT 2014
# Release Notes:
This release includes several bug fixes along with five updated platforms,
plus some hot-fixes applied to previous stable after its release. We have
also added a fix for known problem is recent Drupal 7.27 [#2245331] hence
the change from Drupal 7.27.1 to 7.27.2 in all D7 platforms.
# Updated Octopus platforms:
### Drupal 7.27.2
Commerce 1.25 ---------------- https://drupal.org/project/commerce_kickstart
Commerce 2.14 ---------------- https://drupal.org/project/commerce_kickstart
Commons 3.11 ----------------- https://drupal.org/project/commons
Panopoly 1.5 ----------------- https://drupal.org/project/panopoly
### Pressflow 6.31.1
Commons 2.17 ----------------- https://drupal.org/project/commons
Note: Always read and follow upgrade procedure if explained in the distro
release notes, like for Panopoly 1.5 at https://drupal.org/node/2255133
# New o_contrib modules:
* print-6.x-1.19 (includes patch to auto-detect /usr/bin/wkhtmltopdf)
* print-7.x-2.0 (includes patch to auto-detect /usr/bin/wkhtmltopdf)
# New features and enhancements in this release:
* Support for session.gc_maxlifetime configurable via INI files.
You can control session garbage collector (EOL) per site and per platform.
The value (in seconds) of the session_gc_eol variable is used as
session.gc_maxlifetime value and specifies the number of seconds after which
data will be seen as 'garbage' and potentially cleaned up, resulting with
$_SESSION variable discarded and affected authenticated users logged out.
BOA default defined in the system level global.inc file is 86400 == 24h.
# Changes in this release:
* Drush: Upgrade command line version 6 to mini-6-26-04-2014
* Nginx: Use higher defaults for limit_conn to avoid error 503 (CloudFlare)
* Nginx: Use more aggressive limits against spambots trying to rgstr accounts.
* Redis: Integration module (the modern variant) upgrade to 7.x-2.x-o8-2.6-B
# System upgrades in this release:
* Nginx 1.7.0
* PHP 5.5.12
* Redis 2.8.9
# Fixes in this release:
* Add symlinks in the home directory if missing (every 5 minutes).
* Add warning that Compass Tools install and upgrade may take a LONG time.
* Always define _PHP_CN variable properly.
* Do not delete symlinks to wrappers to avoid false LFD alarms.
* Fix for 'Force backward compatible SERVER_SOFTWARE'.
* Fix in websh for _IN_PATH logic to not break backend Drush tasks.
* Fix the logic for wrappers update and symlinks.
* Improve status messages to display when silent mode is used on upgrade.
* Improve whitelisting in the websh wrapper.
* Issue #2238805 - Command filtering - no word containing *drush* is allowed.
* Issue #2241495 - wkhtmltopdf stopped working after upgrade.
* Issue #2247997 - Update docs/REMOTE.txt with workaround for websh issue.
* Issue #2250397 - Always follow (limited) redirects in cURL requests.
* Issue #GH-304 - [rvm] use $_RUBY_VERSION as default.
* Issue #GH-305 - Check disk usage before running install/upgrade.
* Issue #GH-306 - Allow ruby 1.8 to remain installed.
* Nginx: Allow to configure keywords for aggressive requests rate monitoring.
* Nginx: Do not overwrite custom symlinks to the Under Construction template.
* Nginx: Sync FastCGI timeouts with other Nginx and PHP-FPM defaults.
* PHP: Add /opt/local/bin/php tmp symlink on barracuda/octopus upgrade.
* PHP: Allow to set custom _PHP_FPM_TIMEOUT but not lower than 60 (in seconds)
* PHP: Always respect _PHP_FPM_WORKERS variable if set to numeric value > 0
* PHP: Better defaults for realpath_cache_ttl and realpath_cache_size.
* PHP: Fix for CVE-2014-0185 privilege escalation in FPM (doesn't affect BOA)
* PHP: pm.max_children was not properly updated on FPM version self-switch.
* PHP: Sync incorrect default_socket_timeout with max_execution_time (180s).
* PHP: Use 30s for pm.process_idle_timeout - it prevents too high RAM usage.
* PHP: Variable _PROCESS_MAX_FPM is not used on the Satellite Instance level.
* Postfix: Force re-install if broken permissions detected on upgrade.
* Prevent duplicate cron invocations with more strict delays.
* Restart rsyslog once the install or upgrade is complete.
* Set the TERM env variable if missing to avoid errors.
* Shell: Proper fix for wildcard in the path (cd command only)
* Standardize install and upgrade for Chive, SQL Buddy and CGP.
* Sync Redis timeout with default FPM timeout (180s).
* Sync SQL connect_timeout with default mysql.connect_timeout in PHP (60s).
* The ~/static/control must be writeable by lshell user to manage ctrl files.
* Update the logic for multi-version PHP support in BOND.
* Update the logic for multi-version PHP support in docs/REMOTE.txt
### Stable BOA-2.2.3 Release - Full Edition
### Date: Fri Apr 18 12:57:40 PDT 2014
### Includes Ægir 2.x-boa-custom version.
# Release Notes:
This release includes several bug fixes and security upgrades both for the
system services and Drupal core, along with three updated platforms and new
features, including support for MariaDB 10.0 and Ubuntu 14.04 LTS Trusty.
# Updated Octopus platforms:
### Drupal 7.27.1
Guardr 1.3 ------------------- https://drupal.org/project/guardr
Open Atrium 2.17 ------------- https://drupal.org/project/openatrium
Recruiter 1.2 ---------------- https://drupal.org/project/recruiter
# New features and enhancements in this release:
* Add docs/FAQ.txt
* Add support for MariaDB 10.0 or 5.5 install via _DB_SERIES variable.
* Add support for Ubuntu 14.04 LTS Trusty.
* Improve auto-healing for multi-version PHP-FPM setup.
* Improve docs/UPGRADE.txt
* Improve health check for protected vhosts during live SSH-auth update.
* Nginx: More aggressive limits against spambots trying to register accounts.
# Changes in this release:
* Issue #GH-299 - Force disable LESS developer mode on production sites.
* Move custom scripts to /opt/local/bin/
* Nginx: Use higher defaults for limit_conn to avoid error 503 (CloudFlare)
* Normalize localhost entry in /etc/hosts to avoid FQDN mapped to 127.0.0.1
* PHP: Do not use separate FPM pool for cron if _PHP_FPM_DENY is empty.
# System upgrades in this release:
* MariaDB 5.5.37
# Fixes in this release:
* Add 'exit 0' line if missing.
* Add /opt/local/bin to PATH by default.
* Add symlinks for wrappers only temporarily.
* Add warning that Compass Tools install and upgrade may take a LONG time.
* Better gem uninstall options.
* Compass: Multiple fixes for various expected gems versions install/upgrades.
* Do not override lshell env_path in websh wrapper.
* Do not use monitored bin path for custom scripts to avoid LFD false alarms.
* Extra db GRANT for 127.0.0.1 not added when migrating site.
* Improve auto-healing to create required directories in /var/run/ if missing.
* Issue #2230269 - New Jetty 9 version overrides JETTY_PORT=8099 with 8080.
* Issue #2235991 - Drush make needs better exceptions in websh wrapper.
* Issue #2236475 - Clarify what the Legacy mode really means.
* Issue #2238965 - Add missing path to switch_to_bash().
* Issue #2241013 - Git commands should be whitelisted in websh wrapper.
* Issue #2241495 - wkhtmltopdf stopped working after upgrade.
* Issue #GH-301 - Update the list of restricted keywords for Octopus username.
* Issue #GH-304 - [rvm] use $_RUBY_VERSION as default.
* Make sure that permissions on Chive Manager dir/files are correct.
* Note: _SSL_FROM_SOURCES=YES is ignored and not needed on Wheezy and Precise.
* PHP: Add /opt/local/bin/php tmp symlink on barracuda/octopus upgrade.
* PHP: Allow to set custom _PHP_FPM_TIMEOUT but not lower than 60 (in seconds)
* PHP: Always respect _PHP_FPM_WORKERS variable if set to numeric value > 0
* PHP: pm.max_children was not properly updated on FPM version self-switch.
* PHP: Variable _PROCESS_MAX_FPM is not used on the Satellite Instance level.
* Remove the line with header TABLE_NAME (sqlmagic).
* Reset PATH to avoid RVM overrides after Compass Tools install/upgrade.
* Shell: Allow to run 'drush cache-clear drush' in any directory.
* The _PHP_MODERN_ONLY variable is no longer used.
* Ubuntu 14.04 LTS Trusty requires MariaDB 10.0
* Use hostname -b instead of deprecated hostname -v.
### Stable BOA-2.2.2 Release - Barracuda Edition
### Date: Tue Apr 8 07:24:18 PDT 2014
### Includes Ægir 2.x-boa-custom version.
# Release Notes:
This is a bug-fix only release to address issues discovered after recent
major BOA-2.2.0 and subsequent BOA-2.2.1 Releases.
The most important problem fixed in this Release is related to known OpenSSL
security issue, which has been fixed in OpenSSL 1.0.1g
To learn more please visit: http://heartbleed.com
@=> Note for those on self-hosted BOA (skip this if you are on a hosted Ægir)
We recommend that you enable _SSL_FROM_SOURCES=YES option in your system
/root/.barracuda.cnf file, to always build latest OpenSSL from sources.
Note that it will also trigger OpenSSH and cURL install from sources, plus
subsequent PHP rebuild to include latest SSL libraries.
Note that _SSL_FROM_SOURCES=YES will not force the build from sources on
Debian Wheezy and Ubuntu Precise, to avoid confirmed conflicts and because
both OS versions already provide custom, patched OpenSSL packages.
This Release doesn't include any updates to the Octopus installer, so there is
no point in running full upgrade. It is enough to run the barracuda only,
system upgrade in the "silent mode" with:
$ screen
$ barracuda up-stable system
The system will send you an email with results when the upgrade is complete,
but there will be no upgrade progress displayed in the console. You can watch
it, if you prefer, with command (DATE/TIME are placeholders for real values):
$ tail -f /var/backups/reports/up/barracuda/DATE/barracuda-up-DATE-TIME.log
# System upgrades in this release:
* Nginx 1.5.13
* OpenSSL 1.0.1g (if installed from sources)
* PHP 5.4.27
* PHP 5.5.11
# Fixes in this release:
* Chive Authentication via SSH session may break Nginx due to race conditions.
* Drush specific dt() wrapper is required in Provision for custom platforms.
* Fix Compass Tools support for Omega (gems dependencies via bundle install).
* Fix default shell for system level cron tasks.
* Fix for csf firewall compatibility test.
* Force better health check on protected vhosts on live SSH-auth update.
* Improved health check for protected vhosts during live SSH-auth update.
* Issue #2229555 - On fresh boa install link missing durring install.
* Issue #2229715 - Tasks queue doesn't work on the Master Instance.
* Issue #2231093 - Add new line before 'UseDNS no' in the sshd_config file.
* Issue #2235991 - Drush make needs better exceptions in websh wrapper.
* Issue #294 - New Relic ext not installed even if _NEWRELIC_KEY is not empty.
* Nginx: Backup and re-create default wildcard SSL cert/key with rsa:4096
* Nginx: Generate 4096 bit long DH parameters when _NGINX_FORWARD_SECRECY=YES
* Normalize localhost entry in /etc/hosts to avoid FQDN mapped to 127.0.0.1
* PHP: Better default workers limits for the ondemand mode.
* PHP: max_input_time should be set to 180 and not 60, by default.
* PHP: Zend OPcache directive opcache.enable=1 must be set in all ini files.
* Reset PATH to avoid RVM overrides after Compass Tools install/upgrade.
* The 'scp' command is broken in limited shell.
* Too broad whitelisting breaks commands in limited shell with 'tmp' keyword.
* Too restrictive open_basedir defaults break access to valid PEAR paths.
* Too restrictive open_basedir defaults break access to valid Tika paths.
* Use rsa:4096 by default in self-signed certs for Nginx and FTPS.
### Stable BOA-2.2.1 Release - Full Edition
### Date: Tue Apr 1 10:28:45 SGT 2014
### Includes Ægir 2.x-boa-custom version.
# Release Notes:
This is a bug-fix only release to address issues discovered after recent
major BOA-2.2.0 Release.
# Fixes in this release:
* Chive Authentication via SSH session doesn't work on some older instances.
* Compass Tools don't use correct paths to Ruby 2.1.1
* Cron for sites doesn't work on old instances without Nginx wildcard vhost.
* FTPS (FTP over SSL) connections may experience TLS problems.
* PHP: Disabled 'assert' may cause warnings on features revert.
* PHP: Disabled 'create_function' may break some contrib modules or code.
* The 'git pull' command is broken in limited shell.
* The 'rsync' command is broken in limited shell.
* The 'drush dl foo' command can't be run outside of site directory.
# Known Issues on systems upgraded to BOA-2.2.1 (and 2.2.0) releases
==> Updated on Tue Apr 8 01:26:47 PDT 2014
@=> Issues fixed in BOA head (running the hotfix in stable is enough):
* Chive Authentication via SSH session may break Nginx due to race conditions.
* Drush specific dt() wrapper is required in Provision for custom platforms.
* Issue #2229715 - Tasks queue doesn't work on the Master Instance.
* PHP: max_input_time should be set to 180 and not 60, by default.
* The 'scp' command is broken in limited shell.
* Too broad whitelisting breaks commands in limited shell with 'tmp' keyword.
* Too restrictive open_basedir defaults break access to valid Tika paths.
* Zend OPcache directive opcache.enable=1 must be set in all php.ini files.
To fix all those problems you can run as root on self-hosted system:
$ wget -q -U iCab http://files.aegir.cc/update/boa221fix.txt
$ bash boa221fix.txt
We have fixed this on all hosted and remotely managed Ægir instances already.
@=> Other issues fixed in BOA head (run 'barracuda up-head system' to apply):
* PHP: New Relic extension not installed even if _NEWRELIC_KEY is not empty.
* Too restrictive open_basedir defaults break access to valid PEAR paths.
### Stable BOA-2.2.0 Release - Full Edition
### Date: Mon Mar 31 06:44:08 SGT 2014
### Includes Ægir 2.x-boa-custom version.
# Release Notes:
There are many important changes and improvements in this release
you should be aware of *before* running your BOA system upgrade.
Even if you are on a hosted BOA system with upgrades managed for you,
it is very important to read at least this extensive release notes.
Here is a list of topics covered in detail further below:
* New 'legacy' mode available for installs and upgrades
* Important Note For Those Using Our Hosted Ægir Service!
* Custom php.ini protection has changed and will not honor old settings
* Barracuda no longer supports Percona since 2.2.0 release
* Support for PHP FPM/CLI version safe switch per Octopus instance
* All PHP FPM workers in 5.5, 5.4 and 5.3 now use the 'ondemand' mode
* Drush aliases are now automatically copied to all relevant accounts
* Drush is now restricted to use only trusted modules installed by default
* The ~/.drush and other important directories and symlinks are protected
* Support for safely configurable cache bins exceptions in Redis
* Two-Factor-like Authentication to protect access to Chive DB Manager
* Support for session.cookie_lifetime configurable via INI files
* Support for files permissions-fix exceptions via platform level INI file
* High-performance JavaScript callback handler (js) in all platforms
And if you are more curious, read also the big changelog further below,
which covers only a small number of over 560 commits since BOA-2.1.3 release.
But what if you are not ready for this major upgrade and you would like
to have more time for testing, but still be able to run system upgrades,
thus effectively still using previous version 2.1.3 with standard command
'barracuda up-stable system', as explained in the docs/UPGRADE.txt?
#-### New 'legacy' mode available for installs and upgrades
We are introducing special 'legacy' mode both for BOA installs and upgrades.
This means that starting with BOA-2.2.0 you can use commands like:
$ boa in-legacy public server.mydomain.org my@email o1
$ barracuda up-legacy system
$ octopus up-legacy o1
etc.
These special 'legacy' commands allow you to install and/or upgrade the 'old
stable', once the 'new stable' is released. But only until another 'stable'
is released, of course. Thus you can use it only as an interim solution
if you are not yet ready for latest 'stable' BOA Edition, for any reason,
but you want to update at least the low level system packages, kernel etc.
Note also that if you will upgrade to current 'stable', it is not possible
to downgrade back to the 'old stable' with 'legacy' mode, so please proceed
with care!
This option will be particularly important once we release *next* major BOA
Edition. It will come with terminated support for Drush 4, Drupal 5 and, yes,
PHP 5.2 (finally). This step is required to use latest Drush 6+ with supported
Drupal cores versions and supported PHP versions, which in fact is required
to introduce the real Ægir 2.0 in BOA -- we are still using older, customized
for backward compatibility, Ægir 2 HEAD version, so it is time to move on and
stay up to date with everything, get new features like ability to manage
Drupal sites in subdirectories etc.
Once that *next* major BOA Edition is released, we will freeze the 'legacy'
mode at 2.2.x series level, which will receive only security upgrades and
no further feature nor bugfix releases. At that point you will have to stick
to the 'legacy' BOA version if you will need to run PHP 5.2 and Drupal 5
with Ægir based on Drush 4. It will be still possible, but not recommended
and not really supported, besides security related issues outside of Drupal.
This also means that at that point the 'legacy' version will no longer
receive Drupal core upgrades, even if there will be security core releases.
Note that we don't use the term "major release" in the known convention
for versions naming. It is because the first digit, for historical reasons,
refers to the Ægir version supported, the second digit refers to BOA stack
major release, and the last digit refers to both feature and bugfix BOA
stack upgrades.
#-### Important Note For Those Using Our Hosted Ægir Service!
NOW is the time (and last chance) to upgrade all your legacy Drupal 5 sites
and outdated Drupal 6 sites still not compatible with at least PHP 5.3,
because once we upgrade to the *next* major BOA Edition, it will be no longer
possible to still run Drupal sites not compatible with PHP 5.3 -- there
were literally years of this legacy support provided, and this finally
comes to the end, because we will not use the BOA 'legacy' mode on our own
servers. It will be still available for remotely managed 'Ægir on Your Own
Server' option, though, but only on request: https://omega8.cc/support
#-### Custom php.ini protection has changed and will not honor old settings
If you have custom settings in any of your php.ini files protected with
old variable in the /root/.barracuda.cnf, make a backup of your ini files
before running this upgrade. While these files will not get overwritten,
they will no longer be used, because we have introduced new, standardized
directory structure to properly support multi-PHP-versions systems.
Respective php.ini files are now located in /opt/phpXX/etc/phpXX.ini
for FPM and /opt/phpXX/lib/php.ini for CLI, where XX is 55, 54, 53 or 52,
depending on the versions listed via _PHP_MULTI_INSTALL variable in the
/root/.barracuda.cnf file. Also the variables used to protect ini files
from being overwritten have changed to _CUSTOM_CONFIG_PHPXX.
If you need any non-standard settings in any of active ini files, don't
overwrite them with the old files, but rather carefully review and apply
only the differences you need.
#-### Barracuda no longer supports Percona since 2.2.0 release
If you have used Percona before, Barracuda will force upgrade to MariaDB 5.5
and PHP rebuild automatically. We plan to add possibility to install
MariaDB 10.0 once released as stable and tested. MariaDB is the default
DB server in Barracuda for a long time already.
#-### Support for PHP FPM/CLI version safe switch per Octopus instance
This allows to easily switch PHP version by the instance owner w/o system
admin (root) help. All you need to do is to create ~/static/control/fpm.info
and ~/static/control/cli.info file with a single line telling the system
which available PHP version should be used (if installed): 5.5 or 5.4 or 5.3
Only one of them can be set, but you can use separate versions for web access
(fpm.info) and the Ægir backend (cli.info). The system will switch versions
defined via these control files in 5 minutes or less. We use external control
files and not any option in the Ægir interface to make sure you will never
lock yourself by switching to version which may cause unexpected problems.
Note that the same version will be used in all platforms and all sites hosted
on the same Octopus instance. Why not to try latest and greatest PHP 5.5 now?
#-### All PHP FPM workers in 5.5, 5.4 and 5.3 now use the 'ondemand' mode
This change will help to better manage memory use, especially on systems with
multiple PHP versions running in parallel. This will also free resources
and allocate them dynamically only when requests are coming and only to
the active FPM pools. Note that the 'ondemand' mode doesn't affect Zend
OPcache, because it is managed by the parent process(es) which stay(s) active.
The net result is that on a vanilla BOA install, without non-hostmaster sites
running, the complete stack consumes just ~200 MB of RAM (in total, so with
MariaDB, Redis and Nginx etc. included) with all three PHP-FPM versions
running in parallel: 5.5, 5.4 and 5.3:
CPU[#* 2.0%]
Mem[|||||||||||||###***********************************209/1002MB]
Swp[ 0/0MB]
magic:~# ps axf | grep fpm
8380 ? Ss 0:00 php-fpm: master process (/opt/php55/etc/php55-fpm.conf)
8391 ? Ss 0:00 php-fpm: master process (/opt/php54/etc/php54-fpm.conf)
8402 ? Ss 0:00 php-fpm: master process (/opt/php53/etc/php53-fpm.conf)
magic:~#
#-### Drush aliases are now automatically copied to all relevant accounts
While Ægir manages Drush aliases for its backend needs, they are normally
not available for the main nor the extra shell users on the instance.
But starting with 2.2.0, BOA automatically manages copies of all Drush
aliases, by adding them, updating or removing, every 5 minutes, once it
detects that there are changes applied, like: the site has been migrated
to another platform, or associated client/owner has been updated, etc.
You no longer need to `cd` to the respective site directory to perform
some available Drush tasks. Just check the available aliases list with
`drush aliases` and then enjoy the beauty of `drush @foo.com command` syntax.
#-### Drush is now restricted to use only trusted modules installed by default
Note: this change affects only Ægir backend/system user, typically o1,
while all other limited shell accounts are not affected, because they are
already individually jailed with protected custom php.ini and special
Drush wrappers and settings.
This means that you can skip this section if you are on a hosted Ægir.
Customized Drush now included in BOA by default, will be able to use only
extensions/commands bundled with contrib modules which are either a part
of modules added in every platform via shared o_contrib/o_contrib_seven
symlink located in the platform core modules directory, or are included
in the built-in platforms installation profiles space, or in the system
account, protected .drush sub-directory.
This means that any Drush extension/command bundled with contrib module
uploaded to the sites/all/modules space in all built-in platforms will be
ignored and not available on command line for the backend user. The same
applies to site level contrib space, if used.
Additionally, any Drush extension/command bundled with custom platforms
located in the ~/static directory tree will be completely ignored by Drush,
no matter where uploaded: core, profiles, sites/all or sites/foo.com space.
This is not a problem in hosted environments, where users normally never
should have an access to the Ægir backend user, anyway.
If you have any reason to use Drush on command line as an Ægir backend/system
user, for example to escape limited shell restrictions, we recommend to
install vanilla Drush 6, for example in /opt/tools/drush/vanilla/drush/ and
then symlink it into /usr/local/bin/ with custom name, so it will be available
automatically in your backend o1 user's PATH.
Further improvements to secure sites and instances in a completely locked
virtual jails are planned in next BOA releases, which will address all other
known and even potential security issues in Ægir.
#-### The ~/.drush and other important directories and symlinks are protected
There are directories, files and symlinks which should be protected from
any changes and managed exclusively by the BOA system. The reasons may vary
from security to avoidable support requests when the less experienced user
will delete his sites or platforms symlinks, while they can't be easily nor
automatically recreated. It also prevents the sub-accounts users from using
their account home directory as a private upload/archive disk space.
#-### Support for safely configurable cache bins exceptions in Redis
Sometimes you may want to exclude some problematic cache bins from Redis
so they will use default SQL engine, at least until related issue will be
fixed either in your contrib code or in the Redis integration module.
Normally you had to edit the local.settings.php file which is both tedious
and dangerous because of extra steps: https://omega8.cc/node/230 to add
a line, for example: $conf['cache_class_cache_foo'] = 'DrupalDatabaseCache';
Plus, it had to be done for every site separately.
Now you can simply list the cache bins to exclude, comma separated, either
in the site or platform level active INI file.
Example: redis_exclude_bins = "cache_views,cache_foo,cache_bar"
#-### Two-Factor-like Authentication to protect access to Chive DB Manager
We are introducing Two-Factor-like Authentication logic - now extended also
to protect Chive DB Manager, Collectd Graph Panel and SQL Buddy DB Manager.
You must be logged in via SSH and run any auto-continuos command, for example:
`ping -i 30 google.com` to keep the access open for your IP address.
Why is this important?
While BOA forces HTTPS connection for Chive, anyone who knows the URL can
access it and attempt to either run brute-force attack to get into your
site's database, or at least attempt to hammer the server and cause DoS-like
effects, at least until the system will block his IP on the firewall.
The other important reason is that your site's DB credentials change only
when you migrate or rename the site, and otherwise remain intact. Now, what
if you have an employee or a freelancer whom you no longer want to be able
to access your site? If you think that deleting his SFTP sub-account is
enough, think again. He still can access your site's database via Chive, if
he knows the site's DB credentials and the Chive URL.
But now it's no longer possible. Only the visitor who is able to successfully
authenticate himself via SSH, and keeps active SSH session, will be able
to access the Chive URL. The rest of the world will see just dummy Nginx 403
Access Denied error.
And in case you are using self-hosted BOA, the same protection is applied
also to Collectd Graph Panel and SQL Buddy DB Manager.
#-### Support for session.cookie_lifetime configurable via INI files
You can control session cookies expiration (TTL) per site and per platform.
The value (in seconds) of the session_cookie_ttl variable is used as
session.cookie_lifetime value.
BOA default defined in the system level global.inc file is 86400 == 24h.
We also recommend that you enable and configure built-in session_expire
module, which allows you to keep the sessions DB table tidy. Make sure that
TTL set via session_cookie_ttl variable is *lower* than TTL configured
in the session_expire module, because the module does not care about PHP
settings and simply deletes old entries from the sessions table on cron run.
#-### Support for files permissions-fix exceptions via platform level INI file
You can opt-out from globally enabled daily-permissions-fix procedure per
platform with new fix_files_permissions_daily variable.
This feature can be useful when you prefer to manage custom platform in
a monolithic codebase mode in Git, so forcing permissions could conflict
with your workflow or development tools. Otherwise you should never disable
this to avoid issues with Ægir tasks related to sites on this platform.
Note that the system level option _PERMISSIONS_FIX (introduced in BOA-2.1.0
and set to NO by default) should be also enabled with YES in the system level
/root/.barracuda.cnf file, if you prefer to have permissions fixed in all
sites on all platforms, except those with fix_files_permissions_daily = FALSE
set in the platform level, active INI file.
#-### High-performance JavaScript callback handler (js) in all platforms
All platforms, both built-in and custom in the ~/static directory tree, enjoy
automatically added High-performance JavaScript callback handler (js) support,
which requires extra /js.php file in the platform root and also proper Nginx
rewrites. The module itself is also included in the built-in o_contrib bundle.
All you need is to enable the module, if recommended by any other module,
and enjoy much faster page generation, where possible. You can review the
full list of modules which will benefit from this great helper module on its
project page: https://drupal.org/project/js
Enjoy another super-fast and even more powerful BOA Edition!
# New Octopus platforms:
### Drupal 7.26.4
Guardr 1.1 ------------------- https://drupal.org/project/guardr
# Updated Octopus platforms:
### Drupal 7.26.4
Commerce 1.24 ---------------- https://drupal.org/project/commerce_kickstart
Commerce 2.13 ---------------- https://drupal.org/project/commerce_kickstart
Commons 3.9.1 ---------------- https://drupal.org/project/commons
Drupal 7.26.4 ---------------- https://drupal.org/drupal-7.26
Open Academy 1.0 ------------- https://drupal.org/project/openacademy
Open Atrium 2.15 ------------- https://drupal.org/project/openatrium
Open Deals 1.32 -------------- https://drupal.org/project/opendeals
Open Outreach 1.5 ------------ https://drupal.org/project/openoutreach
OpenBlog 1.0-a3 -------------- https://drupal.org/project/openblog
OpenChurch 1.12 -------------- https://drupal.org/project/openchurch
OpenScholar 3.12.1 ----------- http://theopenscholar.org
Panopoly 1.2 ----------------- https://drupal.org/project/panopoly
Recruiter 1.1.2 -------------- https://drupal.org/project/recruiter
Spark 1.0-b1 ----------------- https://drupal.org/project/spark
Totem 1.1.2 ------------------ https://drupal.org/project/totem
Ubercart 3.6 ----------------- https://drupal.org/project/ubercart
### Pressflow 6.30.1
Commons 2.16 ----------------- https://drupal.org/project/commons
Feature Server 1.2 ----------- http://bit.ly/fserver
Managing News 1.2.4 ---------- https://drupal.org/project/managingnews
Open Atrium 1.7.2 ------------ https://drupal.org/project/openatrium
Pressflow 6.30.1 ------------- http://pressflow.org
Ubercart 2.13 ---------------- https://drupal.org/project/ubercart
# New features and enhancements in this release:
* Add High-performance JavaScript callback handler (js) in all platforms.
* Add session_expire module to shared contrib space in all platforms.
* Add support for session.cookie_lifetime configurable via INI variable.
* Allow to control swap clear with control file /root/.no.swap.clear.cnf
* Auto-Update all BOA install and upgrade wrappers daily.
* Default system /bin/sh symlink target replaced with /bin/websh wrapper.
* Disable tcp_slow_start_after_idle for better SPDY performance.
* Improve the logic in the global.inc for faster processing.
* Issue #1217486 - Add o_contrib symlinks on platform Verify task.
* Issue #1310054 - Add support for drush aliases in all lshell accounts.
* Issue #2148335 - Add Default Localhost Vhost.
* Issue #2166641 - Make hard-coded load thresholds configurable.
* Issue #2170079 - Use _CUSTOM_CONFIG_LSHELL to protect lshell.conf template.
* Issue #2226919 - Custom Platforms in Version Control (skip permissions fix).
* Lshell: Update /etc/lshell.conf only when required instead of every 5 min.
* Manage extra db GRANT for 127.0.0.1 to allow SSH tunneling for SQL access.
* New option _REDIS_LISTEN_MODE to configure PORT or SOCKET mode globally.
* Nginx: Add support for protected PHP-FPM monitor.
* Nginx: Force aggressive no-cache headers for the under construction page.
* Nginx: Switch to buffered logging when /root/.high_traffic.cnf exists.
* PHP: Add support for FPM/CLI version safe switch per Octopus instance.
* PHP: Allow to install and run all supported versions: 5.5, 5.4, 5.3, 5.2
* PHP: Extra php.ini files automatically managed per system and shell user.
* PHP: FPM workers in 5.5, 5.4 and 5.3 will use 'ondemand' mode by default.
* PHP: Use separate FPM pools per Octopus instance.
* PHP: Use TCP Socket mode for all FPM pools and Port mode for legacy vhosts.
* Protect ~/.drush and other important directories and symlinks from changes.
* Redis: Allow to exclude cache bins on the fly, per site or per platform.
* Save 295 seconds on BOA Install and Upgrade.
* Set and auto-manage strict permissions on some important config files.
* Set PHP CLI version in the /bin/websh wrapper on the fly.
* Use Two-Factor-like Authentication logic for Chive DB Manager access.
* Improve `sqlmagic fix file.sql` to properly replace INSERT INTO with
INSERT IGNORE INTO (a workaround for duplicate keys in the DB dump)
* Use the same trick with modules/local-allow.info to temporarily make
civicrm.settings.php writable, if exists.
# Changes in this release:
* Add ~/static/trash/* to automatic daily cleanup.
* Add coder to auto-disabled modules -- see #2068771
* Allow 'drush uli' as root, but deny root access to Drush by default.
* Disable D8 install via _ALLOW_UNSUPPORTED until next release.
* Do not enable SYNFLOOD protection by default.
* Do not force old_short_name in any profile file directly.
* Firewall: Allow to connect to Apple Push Notification service (APNs)
* Issue #289 - Update lshell env_path for RVM and install/update global gems.
* Issue #292 - Open standard RTMP port 1935.
* Lshell: Use latest Drush 6 (master) by default and remove other versions.
* Nginx and PHP-FPM: Better default timeout limits.
* Nginx: Add apk, pxl, ipa to known mime types / download extensions.
* Nginx: Use text/xml mime type for .xml URLs and restore other mime defaults.
* Open local access for web based sites cron.
* Open outgoing port 2525 for custom SMTP connections.
* Percona DB server is no longer supported.
* PHP: Always build from sources.
* PHP: Disable 5.2 FPM if installed, but not used.
* PHP: Only critical errors are enabled by default in the CLI mode.
* PHP: Reloading FPM hourly no longer makes any sense.
* PHP: Remove support for deprecated APC and Memcached.
* PHP: Restore MailParse support - 2.1.6
* PHP: Use aggressive disable_functions defaults (further tuned per FPM pool).
* Redis: Integration module (the modern variant) upgrade to 7.x-2.x-o8-2.6-A
* Redis: Use modern version with enabled fast lock and aggressive flush mode.
* Remove insecure exception for wkhtmltopdf uploaded in the user space.
* Rename master repository on GitHub from legacy nginx-for-drupal to boa.
* Set _STRICT_BIN_PERMISSIONS=YES by default.
* Upgrade Compass Tools on every upgrade, not just on new BOA release.
* Use 60s opcache.revalidate_freq by default to save disk I/O on live sites.
* Use Ruby Version Manager (RVM) by default to manage Compass Tools etc.
* Use RVM for global gem installation and updates.
* Use search_api_solr-7.x-1.4 for new installs.
* Use web based cron by default to benefit from Zend OPcache.
* Do not check existence nor auto-config Purge/Expire unless INI variable
purge_expire_auto_configuration is set to TRUE (automatically, when
the module is detected as enabled).
* New naming convention for Ubercart 3.x platforms: [ud2] to support upgrades
from uberdrupal profile, and [aq3] to support upgrades from acquia profile.
Note that you have to choose Vanilla Testing profile to see [ud2] or
Vanilla Minimal to see [aq3] platform in the Add Site form.
* GitHub is now our main repository, we re-open the issue queue there
for patches merge requests, while d.o has a code mirror status from now on.
* Make it crystal clear that Ubuntu is barely supported, rarely tested and
thus not recommended.
* The "Run cron" extra task has been removed for security reasons. Site cron
can be run either via standard, scheduled in Ægir procedure, which uses
local, but web based request to the protected /cron.php URL, or on command
line, or from the site admin area, as usual.
# System upgrades in this release:
* Bazaar Version Control System (bzr) 2.6.0
* Collectd Graph Panel (CGP) master-30-03-2014
* cURL 7.36.0 (if installed from sources)
* Git 1.9.1 (if installed from sources)
* Jetty 7.6.14, 8.1.14, 9.1.3
* Limited Shell 0.9.16.5-om8
* MariaDB 5.5.36
* MySecureShell 1.32
* Nginx 1.5.12
* OpenSSH 6.6p1 (if installed from sources)
* OpenSSL 1.0.1f (if installed from sources)
* PHP 5.4.26
* PHP 5.5.10
* PHP: Imagick 3.1.2
* PHP: ionCube loader 4.5.3
* PHP: MongoDB 1.4.5 (optional add-on)
* PHP: Zend OPcache master-09-03-2014
* PHPRedis: master-22-03-2014
* Redis 2.8.8
* Ruby 2.1.1 (from now on compiled from sources)
# Fixes in this release:
* Add fix_collectd_nginx for Collectd config update.
* Add missing panopoly_demo app in the Panopoly distro to fix broken install.
* Add missing variables to active INI files, if needed.
* Avoid way too long Speed Booster TTL for bots, especially for rss feeds.
* Changing old_short_name mapping to: uberdrupal->testing and acquia->minimal
* Do not force old_short_name if already set in db/drushrc.
* Do not run swap clean when heavy tasks like cdp backup run.
* Drush: Simplify and improve access restrictions logic when aliases are used.
* Excessive and useless Drush internal cache clear in daily.sh removed.
* Fix default PATH in all sub-scripts.
* Fix for broken cURL from sources install logic.
* Fix for drush make broken by websh fix for cd wildcard crash fix.
* Fix for multi-IP cron access.
* Fix missing /dev/fd early enough to avoid broken tasks in Ægir.
* Fix the logic in manage_ip_auth_access()
* Fix to avoid daily services maintenance/cron freeze if Jetty didn't stop.
* Force backward compatible SERVER_SOFTWARE to silence core warnings.
* Force OpenSSH rebuild on OpenSSL upgrade (if installed from sources).
* Issue #1317322 - Filters UI broken.
* Issue #1991908 - Fix the syslog flood caused by collectd df plugin.
* Issue #2057213 - Use better SQL GRANT style.
* Issue #2110589 - Unable to install BOA correctly on Debian 6.0 and OpenVZ
* Issue #2141283 - Drush aliases like `drush dbup` no longer work properly.
* Issue #2144801 - Display bug on add site.
* Issue #2144947 - Install new Ruby for better compatibility with new gems.
* Issue #2150557 - Make the check and update procedure for UseDNS safe.
* Issue #2152383 - Fix for [js module] - add js_server_software variable.
* Issue #2159881 - Drush is broken because Console_Table URL no longer works.
* Issue #2161115 - AdvAgg: Strictly follow RFC 2616 14.21
* Issue #2167141 - Do not exclude --with-ldap --with-gmp in the PHP on Wheezy.
* Issue #2172089 - Fix for syntax error.
* Issue #2173209 - Do not use legacy (removed) symlink for version check.
* Issue #2175197 - Regex configuration not matching esi/ssi tags.
* Issue #2177837 - process.max not set correctly for PHP 5.5 and 5.4
* Issue #2182671 - Solr 4 with Jetty 8 does not start after upgrade.
* Issue #2188907 - Update docs criteria for not rebuilding ssh, ssl, and curl.
* Issue #2199229 - CiviCRM 4.4.4 Requires change in the Nginx configuration.
* Issue #288 - SMTP Authentication Module depends on fsockopen.
* Lshell: Fix for crash on wildcard cd.
* Lshell: Remove symlinks for legacy drush_make.
* Modules can be incorrectly whitelisted from dis by installation profile.
* Nginx: Add exceptions for known video players.
* Nginx: Avoid downtime on upgrade because of too low variables_hash_max_size
* Nginx: Better gzip defaults.
* Nginx: Default value of variables_hash_max_size is too low.
* Nginx: Do not overwrite gzip_types.
* Nginx: Improve fastcgi defaults.
* Nginx: Remove too broad regex for 'flag' keyword in the URI.
* Nginx: Send Access-Control-Allow-Origin * header also for /favicon.ico
* Nginx: Use port 9090 in nginx_octopus_include.conf by default (PHP-FPM 5.3)
* Nginx: Use Redirect 301 for legacy paths /sites/default/files/*
* Once you have next 2.3.x installed, you can't downgrade to legacy 2.2.x
* PHP: Add protection for instance level php.ini files.
* PHP: Fix for broken build when --with-ldap is used.
* PHP: Fix for broken dependencies in newer Debian and Ubuntu systems.
* PHP: Fix for forced rebuild mode if lib curl is broken or updated with apt.
* PHP: Fix for GEOS 3.4.2 and multi-version install.
* PHP: Fix for legacy 5.2 logic.
* PHP: Force 5.5 to use correct SQL drivers so its built-in will not be used.
* PHP: Reduce duplicate rebuilds.
* PHP: The --with-curlwrappers option has been removed in 5.5
* Redis: Auto-Restart if socket is missing only when socket mode is enabled.
* Redis: Exclude cache_form bin or it will break modules like ajax_comments.
* Redis: Force clean restart daily, with long enough sleep time.
* Redis: Restore pwd protection.
* Redis: The cache_metatag bin needs aggressive flush mode -- see #2062379
* Reduce system load during db backups with short delays between databases.
* Remove collectd on major system upgrade even if /var/www/cgp doesn't exist.
* Silence AIS (Adaptive Image Styles) module .htaccess requirements.
* Sort and group cnf variables to bring some order into this chaos.
* Symlink main drush wrapper to shared location outside of Master Instance.
* Update for Redis bins exceptions logic.
* Update system load check method in all scripts.
* Use forced Jetty restart mode.
* Use https in the welcome screen image src URL.
* Use IPv4-strict hostname and IP checks only.
# Known Issues on systems upgraded to BOA-2.2.0 release (all fixed)
==> Updated on Tue Apr 1 12:20:27 SGT 2014
@=> Issues hot-fixed in stable (run 'barracuda up-stable system' to apply):
* Compass Tools don't use correct paths to Ruby 2.1.1
* Chive Authentication via SSH session doesn't work on some older instances.
* PHP: Disabled 'create_function' may break some contrib modules or code.
* PHP: Disabled 'assert' may cause warnings on features revert.
* Cron for sites doesn't work on old instances without Nginx wildcard vhost.
* The 'git pull' command is broken in limited shell.
* FTPS (FTP over SSL) connections may experience TLS problems.
* The 'rsync' command is broken in limited shell.
* The drush dl foo can't be run outside of site directory.
### Stable BOA-2.1.3 Release - Full Edition
### Date: Thu Nov 21 17:55:47 SGT 2013
### Includes Ægir 2.x-boa-custom version.
# Release Notes:
This release provides Drupal 7.24.1 and Pressflow 6.29.1 core security upgrade
for all supported distributions. It also includes two updated platforms and
several fixes for issues discovered since BOA-2.1.2 released 3 days ago, plus
some clever improvements to help you automatically optimize all tables daily,
or even automatically convert tables to-innodb or to-myisam, either per site
or per platform, or per entire Octopus instance. There is also Purge Cruft
Machine available to run some spring-cleaning daily with configurable TTL.
Enjoy another super-fast and even more clever BOA Edition!
# Updated Octopus platforms:
### Drupal 7.24.1
Open Atrium 2.0.9 ------------ http://drupal.org/project/openatrium
OpenScholar 3.9.3 ------------ http://openscholar.harvard.edu
# New features and enhancements in this release:
* Purge Cruft Machine moved to daily.sh agent and made configurable
with _DEL_OLD_BACKUPS and _DEL_OLD_TMP per Octopus instance.
If changed to any number greater than "0" it will automatically delete
backups stored in the /data/disk/U/backups/ directory and in all hosted
sites backup_migrate directories, during daily cleanup, if created more
than X days ago, where X is a number of days defined in _DEL_OLD_BACKUPS.
If "0" then this feature is disabled. It can't be configured via INI files,
so you may need to submit support request if you want to customize this
option set to 7 days by default on all hosted instances, as per our
backups policy: https://omega8.cc/backups
The same logic applies to _DEL_OLD_TMP which defines for how long the
temporary files in all hosted sites files/tmp/ and private/temp/ directories
are kept before deleting them during running daily maintenance.
* Added sql_conversion_mode variable in the platform and site level INI
to customize instance-wide mode optionally set via _SQL_CONVERT.
This option allows to activate and/or customize DB tables conversion
per site, per platform and via _SQL_CONVERT per Octopus instance.
Supported values are: innodb and myisam (lowercase only!)
Note that this conversion will run daily even if all tables have been
already converted, so it will run OPTIMIZE on all tables, effectively.
Related Issue #2126471 - Convert DB engine control files to ini format.
# Changes in this release:
* Allow to install unsupported distros only in head, not stable.
* Contrib update: advagg-7.x-2.3
* Map drush to drush6 on command line. You can still use drush4 and drush5.
* New contrib: display_cache
* New contrib: panels_content_cache
* Nginx 1.5.7 -- security upgrade.
* Use dev versions of CDN module with patch for AdvAgg 7 compatibility.
* Use Drush 5 and 6 head until next release.
# Fixes in this release:
* Always cleanup temp downloads to avoid failed builds due to leftovers.
* Always fix permissions on contrib on upgrade and in daily.sh agent.
* Better auto-recovery when broken libcurl is detected.
* Delete any tar/gz/zip files in modules|themes|libraries daily.
* Delete dangerous local-allow.info file.
* Display all active INI variables in HTTP headers on dev URLs.
* Fix for cron auto-correction.
* Fix for Feature Server broken due to incorrect context version downloaded.
* Fix the logic for cURL install from sources.
* Nginx: Add Access-Control-Allow-Origin header also for static .json
* Nginx: Protect also .md files in modules|themes|libraries dirs.
* Issue #2137583 - Permissions on the site directory are broken after running,
how ironically, the Health Check task.
* Issue #2138811 - Maintenance agent disables modules from its standard
turn-off list, even if they are required by other modules, apps or features.
# Known Issues on systems upgraded to initial BOA-2.1.3 release
==> Updated on Thu Nov 28 18:33:58 SGT 2013.
@=> Issues which will trigger `barracuda up-stable system` if discovered:
* PHP: Fix for broken cURL from sources install logic.
* PHP: Fix for forced rebuild mode if lib curl is broken or updated.
* PHP: Fix for legacy 5.2 rebuild required when broken libcurl is detected.
* Use dummy variable instead of 'true' to avoid breaking the logic.
@=> Issues which will NOT trigger `barracuda up-stable system` if discovered:
* Add coder to the auto-disabled modules list -- see #2068771
* Excessive and useless Drush internal cache clear in daily.sh
* Issue #2141283 - Drush aliases like `drush dbup` no longer work properly.
* Issue #8215957 - Invalid version type error in old Drush Make.
* MariaDB 5.5.34 just released.
* Redis: Incorrect permissions on the integration module directory.
* Modules can be incorrectly whitelisted by installation profile and
never disabled, while they should be.
# HotFix for known post-upgrade issues
Run the boa-fix-upgrade script when logged in as system root:
$ cd;rm -f boa-fix-upgrade.sh.txt*
$ wget -q -U iCab http://files.aegir.cc/update/boa-fix-upgrade.sh.txt
$ bash boa-fix-upgrade.sh.txt
This script is updated once there is any new regression or bug discovered,
so it is safe and recommended to run it again if the list of known issues
have been updated. Note that this script will detect and fix all Octopus
instances on your system at once.
### Stable BOA-2.1.2 Release - Full Edition
### Date: Mon Nov 18 00:03:30 SGT 2013
### Includes Ægir 2.x-boa-custom version.
# Release Notes:
This is primarily a bug-fix release and you should read release notes and
also the changelog for both BOA-2.1.1 and BOA-2.1.0 for a context, especially
if you are upgrading from BOA-2.0.9 or older release (we have tested upgrades
from as old Editions as BOA-2.0.1, released on Dec 28 07:00:00 EST 2011).
This Edition includes fixes for all Known Issues on systems already upgraded
to initial BOA-2.1.1 release, plus some extra improvements and one updated
platform (Managing News).
Important new features include ability to use either legacy (default) or
modern (highly recommended) version of Redis integration module.
The reason we don't enable the modern version by default is that it may need
some testing before using it on a complex Drupal sites. The modern version
of Redis integration module comes with some great new features which allow
you to configure flush mode per cache bin, with three modes available.
Please refer to the module README for more information on all available
advanced flush modes: http://bit.ly/1drmi35
It also comes with super-fast lock backend, which can be enabled only when
you are using the modern version, but still needs more improvements, so we
auto-configure some exceptions on the fly, when it is used, to avoid known
issues, as reported in the queue: https://drupal.org/node/2135545
Please read also INI docs to understand how it works, and how to improve
performance by enabling and tuning these settings: http://bit.ly/1bwfZZj
Enjoy!
# Updated Octopus platforms:
### Pressflow 6.28.3
Managing News 1.2.4 ---------- http://drupal.org/project/managingnews
# New features and enhancements in this release:
* Redis: Modern integration module 7.x-2.5 with latest fixes from #2135545
is available as an option with new INI variable: redis_use_modern
* Redis: New option redis_flush_forced_mode to better control flush modes
when redis_use_modern = TRUE
* Add example for custom Speed Booster cache TTL configuration in the optional
override.global.inc file. It can be used also in local.settings.php file.
* Add detection and auto-config for the allow_private_file_downloads variable.
* Issue #1978066 - Add _RESERVED_RAM variable for "reserved" memory.
* Map all old_short_name profiles relations in the Ægir Provision directly.
# Updated Ægir modules or extensions:
* Newer aegir_custom_settings 6.x-2.3 with site clone added for client role.
* Newer registry_rebuild 7.x-2.1 with fixed critical bug - see: #2130905
# Changes in this release:
* Auto-Disable views_cache_bully also when Ubercart is enabled.
* Do not delete testing profile, we need it for acquia->testing upgrade path.
* Do not map old_short_name on the Octopus level, it is moved to Provision.
* Make ACTIVE INI files comments-free to never confuse them with templates.
* Make the fix for known Feeds problem global, not just ManagingNews specific.
* PHP: 5.4.22 and 5.5.6 as an option (for testing only).
* PHP: Use latest (master) phpredis_new by default.
* Redis: Default integration module version reverted to pre-7.x-2.0 release.
* Redis: Force rebuild on system upgrade to update also Redis config.
* Redis: Make redis_lock_enable available only when redis_use_modern = TRUE
* Set opcache.revalidate_freq to 5 sec only on non-dev URLs by default.
* Switch Ubercart 3 to use D7 Minimal instead if Standard to fix upgrade path.
* Update prev release notes to explain importance of using latest Pressflow 6.
# Fixes in this release:
* Always fix permissions on contrib on upgrade and in daily.sh agent.
* Avoid files checks for Drupal for Facebook and Domain Access by default.
* Better auto-recovery when broken libcurl is detected.
* Fix for cron auto-correction.
* Fix for post-upgrade permissions issues affecting modules|themes|libraries.
* Fix for too restrictive permissions in /data/all/000/*
* Fix regression in the logic for dev URLs detection and auto-configuration.
* Fix the forced contrib upgrade logic.
* Fix the logic for cURL install from sources.
* Improve procs monitoring agent with better whitelisting.
* Improve sanitize_string() filtering to avoid issues with strong passwords.
* Issue #1860706 - Native, unified support also for D6 lock backend.
* Issue #2023895 - Do not kill java, only jetty and tomcat procs when needed.
* Issue #2105477 - Allowed gem commands need custom aliases in lshell.
* Issue #2134329 - Going from 2.0.9 to 2.1.1 does not update platforms.
* Issue #2135545 - Lock Backend freezes the site on cache clear.
* Issue #2136413 - Use -H to force correct HOME environment variable.
* Issue #2136413 - Use sudo to avoid lshell protection in DB auto-conversion.
* Make sure that /usr/local/bin is in the PATH.
* Make the check_if_required test in daily.sh six (6) times faster.
* Nginx: Fix too restrictive access policy for Ægir specific /hosting URI.
* Redis: Add some debugging on dev URLs to make sure permissions are correct.
* Redis: Added prefix support for lock backend.
* Redis: Disable persistent mode to never use on-disk storage, see #2135545
* Redis: Do not enable tcp-keepalive or weird things may happen, see #2135545
* Redis: Exclude some bins to avoid issues with lock support, see #2135545
* Redis: Missing default values on variable_get() calls causing D6 break.
* Redis: Update docs and naming convention for modern integration module.
* Silence cURL test in meta-installers.
* Sync randpass with sanitize_string().
* Set less restrictive permissions on civicrm.settings.php since
provision_civicrm does not make the file writable temporarily as it should.
# Known Issues on systems upgraded to initial BOA-2.1.2 release
==> Updated on Thu Nov 21 01:28:23 SGT 2013 with all fixes applied to stable.
* Feature Server platform is broken since BOA-2.1.0 due to incorrect context
module version downloaded via makefile. This bug affects only some instances
upgraded to head and not stable, but since in the first 24 hours after
BOA-2.1.2 release our static downloads were still out of sync on two of
our mirrors, it is safe to assume that you should run the HotFix via
boa-fix-upgrade.sh.txt anyway.
* There is regression introduced in the maintenance agent logic, which
results with dependency check effectively ignored. This may cause various
disastrous effects, like disabling all modules chained via feature or
via apps module, because apps module requires update module, which is
normally disabled. While any feature which requires dblog or update module
enabled is considered as a serious developer error and should be avoided,
we have to respect all dependencies defined to never break any site by
forcefully disabling modules.
* Part of the Site Health Check task (the `drush6 status-report` command)
breaks permissions on the site directory, which blocks any further tasks
like Clone, Migrate and Backup. This regression was introduced in the
BOA-2.1.0 release.
# HotFix for known post-upgrade issues
Run the boa-fix-upgrade script when logged in as system root:
$ cd;rm -f boa-fix-upgrade.sh.txt*
$ wget -q -U iCab http://files.aegir.cc/update/boa-fix-upgrade.sh.txt
$ bash boa-fix-upgrade.sh.txt
This script is updated once there is any new regression or bug discovered,
so it is safe and recommended to run it again if the list of known issues
have been updated. Note that this script will detect and fix all Octopus
instances on your system at once.
### Stable BOA-2.1.1 Release - Full Edition
### Date: Sat Nov 9 17:00:00 EST 2013
### Includes Ægir 2.x-boa-custom version.
# Release Notes:
There are some important bug fixes in this release, along with changes
to the Auto-(En|Dis)able agent, explained in greater detail in embedded docs
included in platform specific INI file template.
Note that the system agent doesn't modify any existing and active INI file,
so updated docs are included only in the updated each morning INI templates:
default.boa_platform_control.ini and default.boa_site_control.ini
You can find both INI templates also online at: https://omega8.cc/node/293
We have also added some docs to help you if you experience any issues
with cached, Views based pages and panels: https://omega8.cc/node/292
Note also that since BOA-2.1.0 all D6 based sites are forced to use PHP 5.3.27
on hosted and managed Ægir instances, even if they were previously configured
to use deprecated, insecure, unstable and outdated PHP 5.2 for D6 based sites.
This means that if you are using either too old D6 core (older than 6.28.x)
some features will stop working, namely imagecache, /update.php and any
feature which depends on contrib modules not yet compatible with PHP 5.3
We have allowed to use PHP 5.2 for too long, to give enough time (in years)
to upgrade to latest Pressflow 6.x version and we no longer can extend
this allowance, for obvious security and systems stability reasons.
Furthermore, sticking with PHP 5.2 would not allow us to use latest Ægir 2.x
version (BOA still includes a bit older Ægir 2.x for backward compatibility),
since newer Ægir versions need newer Drush (BOA still uses ancient Drush 4.6)
and newer Drush requires newer PHP version.
It is even more important because Drupal 8 will not run on older PHP nor Drush
older than 7.x, so there is basically no choice other than make all your sites
compatible with PHP 5.3, or you will miss all future BOA system upgrades.
Now even PHP 5.3 is officially in the EOL (End-of-Live) phase, with only
security fixes expected, but also only until July 2014 and then it will be
completely deprecated, so we will have to switch to modern PHP 5.5, first
introduced as an option, later this year.
Upgrading to latest Pressflow 6.x is *very* easy. Just add all contrib modules
you are using in your outdated 6.x platform to the latest Pressflow 6.x
platform we provide by default, reverify the new platform, clone the site
in the old platform, migrate the cloned copy to the new platform and if
everything works fine, migrate also your live site. It will take less than
15 minutes and there is absolutely no excuse to not upgrade.
If you experience issues with your site due to the old core used on now forced
PHP 5.3, we can temporarily revert it to PHP 5.2 for the last time, but it is
really a bad idea. Much better idea is to find those 15 minutes and upgrade
your site, so we could continue to provide future upgrades and new amazing
features also for your Ægir instance.
Enjoy new, shiny BOA Edition!
# Updated Octopus platforms:
### Drupal 7.23.3
Open Atrium 2.0.4 ------------ http://drupal.org/project/openatrium
Open Deals 1.31 -------------- http://drupal.org/project/opendeals
OpenBlog 1.0-a3 -------------- http://drupal.org/project/openblog
Recruiter 1.1.2 -------------- http://drupal.org/project/recruiter
Spark 1.0-a10 ---------------- http://drupal.org/project/spark
Totem 1.1.2 ------------------ http://drupal.org/project/totem
### Pressflow 6.28.3
Commons 2.13.2 --------------- http://drupal.org/project/commons
Open Atrium 1.7.2 ------------ http://drupal.org/project/openatrium
# New features and enhancements in this release:
* Document all system-level control files in docs/ctrl/system.ctrl
* Fast Redis lock implementation is now enabled by default for D6 and D7.
* Nginx: Add NAXSI (Nginx Anti XSS & SQL Injection) WAF as an option.
* Use 100% static downloads in stable to remove dependency on github and d.o
* Use extended connection check procedure before exit 1.
* Use reliable Redis UP check via PING/PONG instead of pid file check.
# Updated o_contrib modules:
* Contrib update: httprl-6.x-1.13
* Contrib update: httprl-7.x-1.13
* Contrib update: redis-7.x-2.3
* Contrib update: views_cache_bully-6.x-3.x
* Contrib update: views_cache_bully-7.x-3.x
* Contrib update: views_content_cache-7.x-3.0-alpha3
# Changes in this release:
* Introducing Pressflow 6.28.3 to include fix for #2130865
* Updated INI docs for views_cache_bully and views_content_cache.
* ProsePoint moved to unsupported.
* Private files mode in D7 requires allow_private_file_downloads = TRUE in
boa_site_control.ini or boa_platform_control.ini and is disabled by default.
* Do not enable views_cache_bully and views_content_cache, unless special
control files exist and related variables in the platform specific INI
are not set to TRUE.
* Auto-Disable views_cache_bully on sites with commerce module enabled, but
allow to override it with ~/static/control/enable_views_cache_bully.info
and views_cache_bully_dont_enable = FALSE
# Fixes in this release:
* All-in-One Site Health Check in Ægir not displayed for non-uid=1 users.
* Always prepare shared D6 and D7 cores.
* Always remove www. from the Redis cache key prefix.
* Better check for not yet updated Octopus instances in a batch upgrade mode.
* Check if ctools is enabled before attempting to enable views_content_cache.
* Do not force HEAD on Precise.
* Fix for /root/.upstart.cnf consistency.
* Fix for PATH in aegir.sh
* Fix still too aggressive procs monitoring.
* Fix the check_if_required() logic in the Auto-Disable agent.
* Improve all cURL based downloads with auto-continue mode.
* Issue #1980250 - Fix for broken cache_page bin in Redis integration module.
* Issue #2127237 - New Relic: Unable to initialize module on Debian Wheezy.
* Issue #2128233 - Rsyslog is still installed and consumes all CPU on OpenVZ.
* Issue #2128819 - Better exceptions in too aggressive process monitoring.
* Make sure to never set any HTTP headers or redirects in the backend.
* Nginx: Do not use separate location for /images/ URI shortcut.
* Nginx: Fix for regression in "Rewrite for legacy requests with /index.php".
* Nginx: Fix the logic for restricted access to /authorize.php and /update.php
* Nginx: Map URI shortcuts early to avoid overrides in other locations.
* Remove rsyslog on VZ, if installed.
* Restore backward compatibility with IP and not wildcard based vhosts.
* Use silent upgrade mode in _LENNY_TO_SQUEEZE and _SQUEEZE_TO_WHEEZY.
* Issue #2127329 - AdvAgg (D6 version) presence in o_contrib should not
auto-disable standard aggregation, unless the module is enabled.
# Known Issues on systems upgraded to initial BOA-2.1.1 release
==> Updated on Tue Nov 12 14:44:16 EST 2013 with all fixes applied to stable.
* Fast Redis lock may cause problems on node edit, with temporary error
saying that the node was changed by "another user", because current
implementation was not multisite-aware enough.
* Views Cache Bully module, if enabled after upgrade to BOA-2.1.0, may break
the cart and checkout on sites using Ubercart, and should be disabled
automatically like it is done for Commerce based sites since BOA-2.1.1
* The version of Redis integration module included: 7.x-2.3 causes warnings
for D6 sites, visible either on dev URLs or on command line and may break
some advanced Views configurations if custom caching is not yet enabled.
It may also break menu updates due to not aggressive enough cache clear
policy for cache_menu bin.
* Permissions set daily on the civicrm.settings.php file are too restrictive
and since provision_civicrm extension does not make this file writable
before attempting to re-create it, as it should, all tasks on CiviCRM
enabled sites fail.
* Permissions on sites/all/{modules,theme,libraries} on newly added, empty
platforms with no sites created yet, so not included in the running daily
permissions fix, are initially not group writable, as they should be.
* The check_if_required procedure in the running daily maintenance agent to
detect if the module is required by any other module or feature or by
installation profile, is 6 (six) slower than it should be and never disables
devel module properly.
* The running daily maintenance agent does not disable files checks for
Drupal for Facebook (fb) and Domain Access modules as it should in the
platform level INI file, unless those modules are detected.
# HotFix for known post-upgrade issues
Run the boa-fix-upgrade script when logged in as system root:
$ cd;rm -f boa-fix-upgrade.sh.txt*
$ wget -q -U iCab http://files.aegir.cc/update/boa-fix-upgrade.sh.txt
$ bash boa-fix-upgrade.sh.txt
This script is updated once there is any new regression or bug discovered,
so it is safe and recommended to run it again if the list of known issues
have been updated.
You can also run another upgrade with "barracuda up-stable system" command,
followed by "octopus up-stable all both log" since all fixes have been applied
to current stable as well, but boa-fix-upgrade script is faster than running
complete upgrade again.
### Stable BOA-2.1.0 Release - Full Edition - Now NSA-proof
### Date: Sat Nov 2 18:15:19 EDT 2013
### Includes Ægir 2.x-boa-custom version.
# Release Notes:
There are some really important changes and improvements in this release
you should be aware of before running your BOA system upgrade.
Even if you are on a hosted BOA system with upgrades managed for you,
it is very important to read at least this release notes.
And if you are more curious, read also the giant changelog further below.
Besides all changes, fixes and improvements, all currently supported
Drupal distributions have been upgraded to use latest Drupal core versions.
Plus, there are seven (7) NEW platforms included!
#-### Control files to customize your BOA system per platform and per site
Almost all control files are now replaced with two centralized,
platform and site specific INI files, using standard PHP INI format.
The platform specific INI file template with extensive documentation
included, has filename default.boa_platform_control.ini and is located
in the sites/all/modules directory.
The site specific INI file template with extensive documentation
included, has filename default.boa_site_control.ini and is located
in the sites/foo.com/modules directory.
Any existing control files, both on the platform and site level
will be automatically converted into active INI files and then deleted
to avoid confusion, also automatically, on the first run of the special
maintenance script: /var/xdrago/daily.sh but defaults in the global.inc
file will allow for smooth, fully automated transition.
This change will improve customizing your BOA system maintainability
and overall system performance/load thanks to minimized files checks.
#-### Empty and not used platforms auto-cleanup
BOA has finally the ability to auto-delete, during daily maintenance,
which happens each morning (server time zone), all empty and not used
platforms. While on all hosted instances the TTL (time-to-live) is set
to 60 days (counted since last verify task date/time on the platform),
it can be configured per instance in the /root/.USER.octopus.cnf file
by changing value of _DEL_OLD_EMPTY_PLATFORMS variable to anything
higher than 0 (days), which is default (and means the feature is OFF).
Note that every Octopus instance upgrade re-verifies all existing platforms,
so if you will configure the TTL to 90 days but you will run the upgrade
every month or every two months, no platforms will ever be deleted.
If you wish to have this TTL customized on the hosted instance, where
it is set to 60 (days) by default, please open a support ticket via:
https://omega8.cc/support
Remotely managed BOA systems can have this feature enabled and configured
upon request submitted via https://omega8.cc/support
#-### All-in-One Site Health Check in your Ægir control panel
You will notice a new Task available on every site page in your Ægir
Control Panel, named "Run health check". This new task will run a few
important tests on your site and will store all results in the Task Log,
so you easily review all results by clicking on the "View" button to the
right of the task, when it is complete. Make sure to check all details
by clicking on the "Expand" links in the log.
What are the tests included?
1. The "drush clean-modules" command will be run for you to make sure
there is no module left in the system table as "enabled" while it
no longer even exists on the system. This part will utilize (behind
the scenes) extension: https://drupal.org/project/clean_missing_modules
If it will find any such leftover, it will clean it up, automatically.
2. The "drush6 pm-updatestatus" command is a native Drush command which
tells you if there are any waiting module/code updates in the site.
Note: it will *not* upgrade anything, it is a check only.
Of course there should be no updates waiting if you follow Ægir
site upgrade best practices and your site's code is up to date.
Yes, this check will automatically enable the "update" module for you,
but it will not auto-disable it afterwards (to not break things in case
it is required by some other module or feature).
3. The "drush6 status-report" command is a native Drush command
which provides you a complete overview of your site status.
Instead of logging into the site, you can review it easily here.
4. The "drush6 updatedb-status" command is a native Drush command
which tells you if there are any waiting database updates in the site.
Note: it will *not* apply these updates, it is a check only.
Of course there should be no updates waiting if you follow Ægir
site upgrade best practices, but who knows, hence the check.
5. The "drush security-review" command will run only on Drupal 7 based sites
and provides some additional information by using (behind the scenes)
this extension: https://drupal.org/project/security_review
#-### PFS (Perfect Forward Secrecy) support in Nginx
BOA now fully supports the most secure, yet still compatible with most
used systems and browsers SSL configuration.
All hosted BOA instances have been already upgraded automatically and
you don't need to do anything to make it work -- it is already done
for you -- both on any SSL enabled site with dedicated certificate
and IP address and also on the standard, system-wide SSL proxy level,
which is available for every hosted site -- just type HTTPS:// in the URL.
On self-hosted instances it needs to be enabled by adding a line in your
/root/.barracuda.cnf file: _NGINX_FORWARD_SECRECY=YES before the upgrade.
Note that depending on the system used, it may auto-install some
requirements like latest OpenSSL libraries and packages.
Remotely managed BOA systems can have this feature enabled upon request
submitted via https://omega8.cc/support
#-### SPDY (new networking protocol) support in Nginx
BOA now fully supports the advanced, new protocol which allows to run
sites over HTTPS with much better performance than plain HTTP.
While not all browsers support this protocol yet, it is already enabled
by default on all hosted BOA instances (but obviously works only when you
access the site via HTTPS:// in the URL).
On self-hosted instances it needs to be enabled by adding a line in your
/root/.barracuda.cnf file: _NGINX_SPDY=YES before the upgrade.
Note that depending on the system used, it may auto-install some
requirements like latest OpenSSL libraries and packages.
Remotely managed BOA systems can have this feature enabled upon request
submitted via https://omega8.cc/support
#-### Zend OPcache replaced APC in PHP
Newer versions of PHP already come with next generation opcode cache
from Zend, which is now open-sourced and available also as an extension
for older PHP versions, including 5.2 and 5.3
BOA leverages this opportunity and now uses Zend OPcache instead of APC.
This change is introduced automatically on all systems, both hosted
and managed for you and also self-hosted.
Only Debian Squeeze and Ubuntu Precise systems which are using PHP
installed from packages and not from sources, so with _BUILD_FROM_SRC=NO
set in the /root/.barracuda.cnf file, still use APC by default.
You can install Zend OPcache by changing it to _BUILD_FROM_SRC=YES
before running the upgrade.
Note that Zend OPcache default configuration caches every script for
60 seconds, so any changes you will introduce, will be visible with
up to 1 minute delay. However, if there is .dev. or .devel. in the site
name, this delay is lowered automatically to just 1 second.
You can change the default per site permanently by adding in the
local.settings.php preferred value, for example, to set it to 10 seconds:
ini_set('opcache.revalidate_freq', '10'); -- but remember that you will
override default (1 second) for dev URLs using this method.
Enjoy the most advanced, NSA-proof BOA Edition yet!
# New Octopus platforms:
### Drupal 7.23.3
Open Academy 1.0-rc3 --------- http://drupal.org/project/openacademy
Open Atrium 2.0 -------------- http://drupal.org/project/openatrium
OpenBlog 1.0-a2 -------------- http://drupal.org/project/openblog
OpenScholar 3.8.1 ------------ http://openscholar.harvard.edu
Recruiter 1.1 ---------------- http://drupal.org/project/recruiter
Spark 1.0-a9 ----------------- http://drupal.org/project/spark
Totem 1.1 -------------------- http://drupal.org/project/totem
# Updated Octopus platforms:
### Drupal 7.23.3
Commerce 1.20 ---------------- http://drupal.org/project/commerce_kickstart
Commerce 2.9 ----------------- http://drupal.org/project/commerce_kickstart
Commons 3.4 ------------------ http://drupal.org/project/commons
Conference 1.0-a2 ------------ http://drupal.org/project/cod
Drupal 7.23.3 ---------------- http://drupal.org/drupal-7.23
Open Deals 1.27 -------------- http://drupal.org/project/opendeals
Open Outreach 1.2 ------------ http://drupal.org/project/openoutreach
OpenChurch 1.11-b14 ---------- http://drupal.org/project/openchurch
Panopoly 1.0-rc5 ------------- http://drupal.org/project/panopoly
Ubercart 3.5.1 --------------- http://drupal.org/project/ubercart
### Pressflow 6.28.2
Commons 2.13 ----------------- http://drupal.org/project/commons
Feature Server 1.2 ----------- http://bit.ly/fserver
Managing News 1.2.3 ---------- http://drupal.org/project/managingnews
Open Atrium 1.7.1 ------------ http://drupal.org/project/openatrium
Pressflow 6.28.2 ------------- http://pressflow.org
ProsePoint 0.46 -------------- http://prosepoint.org
Ubercart 2.12.1 -------------- http://drupal.org/project/ubercart
# New features and enhancements in this release:
* Add a workaround for an edge case problem -- a missing /etc/resolv.conf
* Add auto-config for AdvAgg on both Drupal 7 and Drupal 6.
* Add command to check for available updates: `drushextra check updates`
* Add gems for Omega 4 by default.
* Add sass-globbing gem by default.
* Allow to install latest OpenSSH from sources with _SSH_FROM_SOURCES
* Allow to install latest OpenSSL from sources with _SSL_FROM_SOURCES
* Anonymize lshell intro message.
* Better code sharing with central core dirs for all built-in platforms.
* BOA installer wrapper depends on curl instead of wget.
* Do not stop/start cron if /root/.upstart.cnf control file exists.
* Drush: Add embedded how-to for aliased commands.
* Enable views_cache_bully and views_content_cache if views is enabled.
* Firewall: Disable incoming ping/ICMP.
* Firewall: Protect port 80 only with CONNLIMIT and remove it from PORTFLOOD.
* Firewall: Update config template and enable port/syn flood protection
* FTP: Allow to list/see up to 3000 files/subdirs in a directory.
* Improve daily.sh performance.
* Improve dist-upgrade procedure.
* Improve docs/MODULES.txt
* Improve meta-installers auto-update procedures.
* Improve SQL limits auto-configuration.
* Install pdnsd as a last service.
* Issue #2000932 - Add also zen-grids.
* Issue #2015553 - Fix the logic for protected registration of new accounts.
* Issue #2044589 - SPDY Nginx support.
* Issue #2052703 - Conversion from control files to ini includes.
* Issue #2092599 - Switch to disable MySQL password reset on upgrades.
* Issue #2105477 - Add support for bundler gem.
* Issue #2116387 - Nginx and PHP: Improve system hardening.
* Issue #2116395 - Nginx: Better protection and 404 instead of 403.
* Issue #2118393 - Mark drush/cron as newrelic_background_job
* Make Bazaar installation optional with BZR keyword required in _XTRAS_LIST
* Nginx: Use forced HTTPS-only access for Chive and SQL Buddy.
* PHP: Add experimental support for 5.4 and 5.5
* PHP: Install Zend OPcache instead of deprecated APC by default.
* PHP: Reload FPM hourly unless /root/.high_traffic.cnf exists.
* Restart db server when backup is complete if /root/.my.optimize.cnf exists.
* Restore support for Expire and Purge modules.
* Shell: Add gunzip to allowed commands.
* Shell: Disable mc on the fly unless /root/.allow.mc.cnf control file exists.
* Shell: Use MySecureShell 1.31 for SFTP by default.
* Try to download wrapper 4 times before it gives up.
* Use MySQLTuner to better tune SQL configuration on install and upgrade.
* Use sqlmagic to fix errors caused by duplicate keys in the db dump.
* Use standard D7 profile for Ubercart 3 and update related contrib.
* We no longer depend on drupal.org for any downloads.
* Add optional, configurable per site, automated and smart (via sqlmagic tool)
DB table format/engine conversion, enabled per instance with non-default
_SQL_CONVERT=YES option.
* Add support for _MODULES_SKIP variable and make the auto-disable agent
much smarter to never disable any module defined as required by any other
module or feature.
* Improve auto-recovery from manual permissions/ownership big mistakes
related to critical files and dirs.
* Issue #2067193 - PFS (Perfect Forward Secrecy) support in Nginx with
_NGINX_FORWARD_SECRECY=YES config option.
* Use _DEL_OLD_EMPTY_PLATFORMS to enable and define auto-cleanup for old,
empty platforms with no sites hosted, separately per Satellite instance
(it does not affect Master instance).
* Issue #2000932 - Add more Compass tools/extensions: (compass_radix,
zurb-foundation) and make sure the gems are updated on upgrade.
* Nginx: Add support for domain specific /robots.txt mapped to static
files/$host.robots.txt to make it possible to manage it per domain
also when Domain Access module is used.
* Improve the logic for daily permissions fix (no longer enabled by default)
and make it configurable via _PERMISSIONS_FIX variable.
* Improve the logic for daily modules fix (still enabled by default)
and make it configurable via _MODULES_FIX variable.
* Generate static sites/foo.com/files/robots.txt file per site, which is
mapped to /robots.txt
# New and updated Ægir modules or extensions:
* Add security_review extension
* Use registry_rebuild 7.x-2.x
# New o_contrib modules:
* Add Advagg 6 and 7 to all platforms.
* Add force_password_change to all platforms.
* Add views_cache_bully to all platforms.
# Changes in this release:
* All D6 based sites are forced to use latest PHP 5.3.27 version.
* Chive 1.3
* cURL 7.33.0 as an option.
* Drush 5.10.0 and 6.1.0 (available as drush5 and drush6)
* Git 1.8.4.1
* Lshell 0.9.16.4-om8
* MariaDB 5.5.33a
* Nginx 1.5.6
* Nginx: ngx_cache_purge-2.1
* OpenSSH 6.3p1 as an option.
* Percona 5.5.33
* PHP 5.4.21 and 5.5.5 as an option.
* Redis 2.6.16
* Vnstat 1.11
* Deprecate CiviCRM as a separate platform.
* Remove obsolete MartPlug distro.
* Move OpenPublish to unsupported.
* Move NodeStream to unsupported.
* Do not include D6 core translations, never included also in D7 platforms.
* Do not include notoriously buggy backup_migrate module.
# Fixes in this release:
* Add all extra, non-standard options in the barracuda.cnf docs template.
* Add built-in support for Domain Access also for sites/all/modules/contrib
* Add exception to support commerce_multicurrency module properly.
* Add info about self-signed SSL certificate in the welcome email (again).
* Add support for /usr/etc/sshd_config if exists.
* Always force update_newrelic - even if there is no new PHP version.
* Better check for GitHub partial downtime.
* Better logic for clean resolvconf re-install when needed.
* Contrib: Make the list readable.
* Delete too old pid files if any exists.
* Do not allow to break working DNS cache server with parent system overrides.
* Do not allow to install OpenSSL and cURL from sources also on Precise.
* Do not install rsyslog on VZ based VM.
* Do not set session.cookie_secure on SSL requests for sites < D7
* Enable dev mode also when HTTP_HOST begins with dev.
* Firewall: Adjust some defaults to improve flood protection,
* Firewall: Always upgrade, unless _CUSTOM_CONFIG_CSF is set to YES.
* Firewall: Better support for auto-whitelisting multi-IP systems.
* Firewall: Fix csf.uidignore file to whitelist important system uids.
* Firewall: Fix for csf template on VZ.
* Firewall: Improve some flood protection defaults.
* Firewall: Improve whitelisted IPs msg.
* Firewall: Remove deprecated monitoring for now closed port 25 (incoming).
* Firewall: Update config template.
* Firewall: VZ compatibility.
* Fix for /etc/resolv.conf and curl requirement in the BOA Meta Installer.
* Fix for cron tasks queue.
* Fix for forced pdnsd and resolvconf upgrades.
* Fix for incorrect nproc discovery results on some VM systems.
* Fix for proper handling mysql connections leftovers.
* Fix for selected packages hold status.
* Fix for the auto-update logic -- now it is default.
* Fix permissions for control files to avoid leftovers on delete task.
* Fix permissions on default backup_migrate dirs.
* Fix the auto-healing to avoid killing all php-fpm processes at midnight.
* Fix the automatic generation of static robots.txt file per site.
* Fix the daily enable/disable logic and use faster drush version.
* Fix the logic for chained installs from sources on upgrade.
* Fix the makefiles to avoid issues after d.o upgrade.
* Fix the not really working auto-healing to properly restart mysqld.
* Fix the not really working lshell logs monitor.
* Force clean pdnsd and resolvconf reinstall when needed.
* Force contrib update to include redis module stable release.
* Force cURL and OpenSSH re-install from sources when OpenSSL is from src.
* Force Git rebuild from sources if SSL/cURL was built from sources.
* Force Lshell rebuild when OpenSSL is installed from sources.
* Force MSS and FTP rebuild when OpenSSL is installed from sources.
* Force Nginx, PHP and Pure-FTPd re-install when OpenSSL is from sources.
* Force PHP-FPM restart if 9+ connections with 499 in the last 60 seconds.
* Generate 2048 bit long DH parameters when _NGINX_FORWARD_SECRECY=YES
* IDS monitor should use lower defaults after introducing last min checks.
* Improve gem and bundler allowed/denied restrictions.
* Improve procs monitoring and whitelist backend tasks properly.
* Improvements for Ubercart 2 installation + contrib updates.
* Install latest CGP, collectd 5 compatible.
* Issue #1751916 - Add Spark 1.0-a9
* Issue #1874786 - Fix for GNU Mailutils support.
* Issue #1991312 - Fix support and auto-config for AdvAgg 7 and HTTPRL.
* Issue #1991658 - Firewall: Close port 25 for incoming connections
* Issue #1994346 - DoS protection for not cached URLs doesn't respect $scheme
* Issue #1994346 - Fix the logic for SSESS/SESS prefix in the cookie name.
* Issue #1995342 - X-Accel-Expires is never send when $expire_in_seconds == 0
* Issue #2002678 - barracuda up-stable system adds annoying extra delay.
* Issue #2005116 - 403 on every attempt to log in from Hostmaster homepage.
* Issue #2015551 - Fix for broken dev mode support switch.
* Issue #2015551 - Fix the keyword check used to trigger "dev" mode.
* Issue #2020043 - Send PUT requests for *.json URI to Drupal.
* Issue #2032379 - _AUTOPILOT=YES should be forced also for "silent" modes.
* Issue #2083373 - drush dl foo --destination=/path/ should be restricted.
* Issue #2101193 - Support Drupal for Facebook from sites/all/modules/contrib
* Issue #2105259 - All Platforms Installation Fails with Permission Denied.
* Issue #2116177 - Use phpredis 2.2.4
* Lshell: Better settings for newer Drush versions.
* Lshell: Fix for env_path
* Lshell: version update and monitoring improvements.
* Make sure o_contrib is updated also on head-to-head upgrades.
* Make sure to rebuild PHP if cURL is installed from sources.
* Make the upgrade email generic.
* More compact code for downloads.
* Move csf/lfd corrections after pdnsd install.
* Move the giant modules list from README.txt to docs/MODULES.txt
* Nginx: Add access protection for .txt files in the modules|themes|libraries.
* Nginx: Add access protection with fast 404 also for authorize.php
* Nginx: Add access protection with fast 404 for extra .php known URLs.
* Nginx: Add example site specific config for legacy .php URIs 301 redirects.
* Nginx: Better support for static and dynamic .json requests/URIs
* Nginx: Deny spiders on glossary/* URI, as they are never allowed to crawl.
* Nginx: Fix for dynamically generated PDFs.
* Nginx: Fix for redirects for legacy URLs with asp/aspx extension.
* Nginx: Improve auto-whitelisting in the access log monitor.
* Nginx: Improve POST requests monitoring.
* Nginx: Move AJAX and webform requests location after civicrm location.
* Nginx: Normalize newlines and spacing when fixing proxy config files.
* Nginx: Remove 'results' from the bots-protected URI regex.
* Nginx: Remove deprecated conf.d directory, if exists.
* Nginx: Replace legacy keyword gulag with neutral limreq everywhere.
* Nginx: Replace the zone legacy name also in Provision.
* Nginx: Rewrite legacy requests with /index.php to extension-free URL.
* Nginx: The /admin* URI protection logic has been moved to global.inc
* Nginx: Update gzip_types to list all expected mime.types
* Nginx: Update headers for AdvAgg compatibility.
* Nginx: Update mime.types
* Nginx: Use more precise wildcard in paths for replacements.
* PHP: 5.4 requires uploadprogress-1.0.3.1
* PHP: Disable ionCube Loader for PHP 5.5
* PHP: Do not force extensions re-install unless _PHP_FORCE_REINSTALL=YES
* PHP: Fix config overrides for 5.4 and 5.5
* PHP: Fix possible issues with legacy 5.2 support logic.
* PHP: Fix unintended overrides in the ini files.
* PHP: Force All Extensions Rebuild when _FROM_SOURCES=NO
* PHP: Force APC instead of Zend OPcache on Squeeze/Precise on no-src install.
* PHP: Force legacy version rebuild if exists.
* PHP: Improve rebuild logic if SSL/cURL was built from sources.
* PHP: Make sure that latest version of ionCube loader is installed.
* PHP: Rebuild extensions also for 5.2, even if _PHP_MODERN_ONLY=YES
* PHP: Set opcache.revalidate_freq to 1 second on dev alias/URL on the fly.
* PHP: Start more FPM workers by default to avoid Nginx 499 and timeouts.
* PHP: Use correct version of ioncube_loader for 5.4
* PHP: Use pecl-jsmin-0.1.1 with newer PHP versions.
* PHP: Zend OPcache is a zend_extension and needs full path in the php.ini
* Redis: Make redis_client_password optional and none by default.
* Reload PHP-FPM before auto-healing will force its restart after midnight.
* Remove already deprecated platforms.
* Remove insecure files from libraries/plupload/examples.
* Remove lock files before adding new users.
* Security updates for selected contrib on all affected D7 platforms.
* Shell: Fix FTPS compatibility after switching to MySecureShell
* Shell: Sync IdleTimeOut for MSS with SSH and FTPS default 15m.
* Shorten some too long status messages.
* Silent Mode Option: aegir == Only stock Ægir forced up-head upgrade.
* Simplify vnstat setup.
* Split usage monitor into two separate scripts.
* SQL auto-healing should always stop-stop-start and not just restart it.
* SQL: Allow the engine to manage correct innodb_thread_concurrency value.
* SSH: Make sure that 'UseDNS no' is always set.
* Sync $cookie_domain validation with Drupal 7 core.
* Sync dates with BOA defaults.
* Unify apt-get options order.
* Update for Redis config template.
* Update or create /etc/apt/sources.list early enough.
* Update PHP and SQL config early enough to avoid issues during upgrade.
* Use --force-yes option if apt-get -y is used.
* Use correct version of /etc/apt/preferences
* Use drush6 only when required.
* Use extended GitHub tests on HEAD and non-stock build only.
* Use forced symlinks mode if possible.
* Use is_readable() check instead of file_exists() for all includes.
* Use mirror downloads for all contrib and patches to make it faster.
* Use more restrictive permissions on lshell log files.
### Stable BOA-2.0.9 Release - Barracuda Edition
### Date: Thu May 9 11:25:59 EDT 2013
### Includes Ægir from BOA-2.0.8 Edition
# This is the first Barracuda-only Edition, released to address important
security issue with Nginx server and provide system level upgrades.
This Edition will not upgrade Ægir Master nor Ægir Satellite Instances,
because there was no new Drupal core released since BOA-2.0.8 Edition and
there were not enough updates to built-in platforms or contrib accumulated.
Releasing Barracuda-only Edition separately from full Edition allows us
to address system/services security issues without any extra delay,
while releasing Octopus-only Edition will allow us to provide Drupal core
or Ægir version upgrades, without affecting system level services.
There is also another reason why separate releases will be useful.
BOA-2.0.9 is the last Edition where Ægir 2.x still uses old Drush 4.6
in the backend. We need to sync BOA specific Ægir 2.x with upstream
and finally switch to Drush 5, or even Drush 6, if possible.
This change, however, may cause issues if you still host legacy Drupal 5
or some old Drupal 6 sites, with either core or contrib not compatible
with PHP 5.3, which is now used by default.
That is why we plan to introduce ability to install older/previous
Barracuda and/or Octopus release, if you need more time to upgrade.
# New features and enhancements in this release:
* Debian 7.0 Wheezy support.
* Automated upgrade from Squeeze with _SQUEEZE_TO_WHEEZY=YES option.
* Added config template with inline how-to in docs/cnf/barracuda.cnf
* Added config template with inline how-to in docs/cnf/octopus.cnf
* Added passwords encryption how-to in docs/BLOWFISH.txt
* Added the list of symbols used on install in docs/PLATFORMS.txt
* Forced mysql restart if there are too many high CPU mysqld processes.
* Improved docs/NOTES.txt
* Improved docs/README.txt
* Install libpam-unix2 and libxcrypt1 by default.
* Install s3cmd by default.
* Issue #1974640 - Allow to use Midnight Commander for limited shell users.
* Limited Shell Logs Monitor enabled by default.
* Nginx: Check for Linux/Cdorked.A malware and delete if discovered.
* Re-generate and sync Ægir passwords before and after instance upgrade.
* The silent 'system' mode documented in docs/UPGRADE.txt
* Allow to exclude platform from otherwise forced `drush en entitycache -y`
if sites/all/modules/entitycache_dont_enable.info control file is present.
# Changes in this release:
* Nginx 1.5.0 - security upgrade for CVE-2013-2028
* PHP 5.3.25
* Redis 2.6.13
* Do not disable update module in platforms known to include it as required.
* Firewall: Open port 1129 for outgoing connections (some gateways need it).
* Force syslog module as disabled by default and save some disk I/O.
* Tune kernel to always use max RAM and not swap, if possible.
# Fixes in this release:
* Add outgoing port 25 SMTP to the list of requirements.
* Firewall: Add truly permanent block for heavy abusers.
* Fix for mytop support, available again on systems with MariaDB.
* Fix permissions in the /data/all tree if required.
* Fix the order of checks - they scan only the last (current) minute.
* Force _STRONG_PASSWORDS=NO if locales still look broken on second check.
* Improve detecting no longer running drush.php and/or cron PHP processes.
* Improve fix_locales logic.
* Improve global.inc symlinking on initial install and upgrade.
* Improve messages displayed when fix_locales discovers broken locales.
* Improve monitoring to avoid duplicate entries on low traffic systems.
* Improve sanitize_string() filtering to avoid issues with strong passwords.
* Improve syncpass tool - Update system user passwd and flush privileges.
* Issue #1961226 - Warning: Could not change permissions of sites/all to 751.
* Issue #1962458 - 403 for anonymous users on node/add.
* Issue #1963044 - Force UTF-8 locales if not present/configured properly.
* Issue #1974542 - Use /root/.home.no.wildcard.chmod.cnf control file.
* Issue #1987936 - Restore ability to install PHP 5.2 for FPM and CLI.
* Make sure that /dev/null is writable for everyone.
* Make sure that all drushrc.php files are owned by Ægir system user.
* Make sure that all expected sites/all/{modules,themes,libraries} dirs exist.
* Make sure that DB server is restarted on upgrade after config tuning.
* Make sure that pdnsd and resolvconf are properly installed.
* Nginx: Remove duplicate Vary: Accept-Encoding headers.
* Percona no longer supports older Ubuntu non-LTS releases.
* PHP: Do not reload FPM every hour - it may cause error 502.
* PHP: Fix paths depending on CLI version used.
* PHP: Fix the extensions installation and upgrade logic.
* PHP: Make sure that the FPM port is set correctly for D6 sites with 5.2
* PHP: Properly uninstall all related packages when using source build.
* PHP: Start more FPM workers on systems with enough RAM by default.
* Purge bin logs before disabling them.
* Run New Relic re-install early enough to avoid locking full-upgrade.
* Sync the load limits for spiders and backend tasks.
* The Java/Jetty monitor should use higher allowed limits by default.
* Update apticron message to recommend system mode instead of full upgrade.
* Update docs for _BUILD_FROM_SRC option.
* Use aggressive enough Jetty restart procedure on nightly services reload.
* Use correct status messages on install and upgrade.
* Use installer and not Ægir version download on stable install/upgrade.
### Stable Edition BOA-2.0.8
### Date: Mon Apr 8 01:41:36 CEST 2013
### Installs Ægir 2.x
# Updated Octopus platforms:
### Drupal 7.22.1
Commerce 2.6 ----------------- http://drupal.org/project/commerce_kickstart
NodeStream 2.0-rc5 ----------- http://drupal.org/project/nodestream
Open Deals 1.19 -------------- http://drupal.org/project/opendeals
All other not listed above platforms are available with latest
D6 or D7 core, even if there were no new distro version released.
# Fixes:
* Critical Issue #1962690 - Fix for broken Percona support.
* Allow to use [a-z0-9] subdomains and not only [www] for IDN domain names.
* Change the interval between platforms builds from 5 to 3 seconds.
* Forced 1s Speed Booster TTL for vhosts behind local proxy is deprecated.
* Move old firewall logs to backups to avoid crazy load after upgrade.
* Nginx: Better exceptions handling in the Abuse Guard for js/shs modules.
* PHP: CLI is at 5.3 since BOA-2.0.4, so symlink old 5.2 binary path to 5.3
* Update _LENNY_TO_SQUEEZE major upgrade procedure.
* Update contrib with login_security-7.x-1.2
* Use static downloads for all distros in stable edition.
### Stable Edition BOA-2.0.7
### Date: Thu Apr 4 00:00:17 EDT 2013
### Installs Ægir 2.x
# Updated Octopus platforms:
### Drupal 7.22.1
Commons 3.2 ------------------ http://drupal.org/project/commons
All other not listed above platforms are available with latest
D6 or D7 core, even if there were no new distro version released.
# Fixes:
* Create dot dirs and keys if not exist, plus known_hosts for system user.
* Fix the sqlmagic regex to really convert only expected tables.
* Issue #1958502 - Add missing symlinks to the new Drush extensions.
* Issue #1960192 - Fix literal path replacement with sites/$new_url in D7.
* Issues #1930670 #1958898 #1932616 - Fix for hosting_server_update_6200.
* Taxonomy Edge update to 7.x-1.7 and 6.x-1.7
* Update contrib in all D7 platforms to ctools-7.x-1.3 - security upgrade.
### Stable Edition BOA-2.0.6
### Date: Mon Apr 1 21:34:04 EDT 2013
### Installs Ægir 2.x
# New Octopus platforms:
### Drupal 7
Commons 3.1 ------------------ http://drupal.org/project/commons
# Updated Octopus platforms:
### Drupal 7
CiviCRM 4.2.8 ---------------- http://civicrm.org
Commerce 1.16 ---------------- http://drupal.org/project/commerce_kickstart
Commerce 2.5 ----------------- http://drupal.org/project/commerce_kickstart
Drupal 7.21.2 ---------------- http://drupal.org/drupal-7.21
NodeStream 2.0-rc4 ----------- http://drupal.org/project/nodestream
Open Deals 1.18 -------------- http://drupal.org/project/opendeals
Open Outreach 1.0-rc10 ------- http://drupal.org/project/openoutreach
OpenChurch 1.11-beta9 -------- http://drupal.org/project/openchurch
Panopoly 1.0-rc4a ------------ http://drupal.org/project/panopoly
Ubercart 3.4.1 --------------- http://drupal.org/project/ubercart
### Pressflow 6
Acquia 6.28.1 ---------------- http://bit.ly/acquiadrupal
Commons 2.12 ----------------- http://drupal.org/project/commons
Feature Server 1.2 ----------- http://bit.ly/fserver
Managing News 1.2.3 ---------- http://drupal.org/project/managingnews
Open Atrium 1.7.1 ------------ http://drupal.org/project/openatrium
Pressflow 6.28.1 ------------- http://pressflow.org
ProsePoint 0.46 -------------- http://prosepoint.org
Ubercart 2.11.1 -------------- http://drupal.org/project/ubercart
All other not listed above platforms are available with latest
D6 or D7 core, even if there were no new distro version released.
# No longer supported Octopus platforms:
The platforms listed below can be re-added when their maintainers
will fix all critical issues and/or apply required updates:
ELMS ------------------------- http://drupal.org/project/elms
MartPlug --------------------- http://drupal.org/project/martplug
Octopus Video ---------------- http://octopusvideo.org
Open Academy ----------------- http://drupal.org/project/openacademy
Open Enterprise -------------- http://drupal.org/project/openenterprise
OpenPublic ------------------- http://drupal.org/project/openpublic
OpenScholar ------------------ http://openscholar.harvard.edu
Videola ---------------------- http://videola.tv
# New features:
* Add an option to allow cron based, unattended system-only upgrades.
* Add randpass helper script.
* Add support for wkhtmltoimage.
* Add syncpass tool to repair broken instances after incomplete upgrade.
* Allow to specify extra apt-get packages with _EXTRA_PACKAGES option.
* Allow to tune PHP-CLI timeout in the BOND script with separate option.
* Install auditd with aureport by default.
* Issue #1479300 - Add optional LDAP support in Nginx.
* Issue #1876418 - Support for High-performance JavaScript callback handler.
* Issue #1916804 - Validated bypass of flood control based on tty.
* Jetty: Make migration from Tomcat easy with _TOMCAT_TO_JETTY=YES
* PHP: Allow to use _PHP_EXTRA_CONF for custom builds from src.
* Redis: Add Lock Backend Support for Drupal 6 and Drupal 7.
* Redis: Enable lock support if modules/redis_lock_enable.info exists.
* Shell: Add extra Drush versions available as drush4, drush5 and drush6.
* SOLR: Support for 1.x / Jetty 7, 3.x / Jetty 8 and 4.x / Jetty 9.
* SOLR: Use Jetty 8 for Solr 4 on systems with Java 1.6 available.
* SOLR: Use Jetty 9 for Solr 4 on systems with Java 1.7 available.
* SQL: Add sqlmagic tool to fix SQL dumps and convert to/from InnoDB/MyISAM.
* SQL: Make default_storage_engine configurable with _DB_ENGINE option.
* Use Registry Rebuild with Fixed Redis Lock Support aware configuration.
* Allow to force SERVER_NAME based $cookie_domain with special
modules/cookie_domain.info control file per site.
# New Ægir modules or extensions:
* Add drush clean-modules command - clean_missing_modules extension.
* Add drush_ecl extension - Drush Entity Cache Loader.
* Add hosting_site_backup and provision_site_backup enabled by default.
# Changes:
* Git 1.8.2
* MariaDB 5.5.30
* Nginx 1.3.15
* Percona 5.5.30
* PHP 5.3.23
* Redis 2.6.12
* Deprecate CiviCRM 3.4.8 D6 - only available with _ALLOW_UNSUPPORTED=YES.
* Do not force filefield_nginx_progress as enabled also for D7.
* Drupal 8.0-dev-tested deprecated and moved to unsupported group.
* ELMS 1.0-beta1 deprecated and moved to unsupported group.
* Enable entitycache module by default.
* Master Ægir: Re-create secure db password on every barracuda upgrade.
* Master Ægir: Sync generating secure db password also on barracuda install.
* Nginx: Set 24h Speed Booster cache TTL for spiders/bots by default.
* NodeStream 1.5.1 deprecated and moved to unsupported group.
* Open default MongoDB port 27017 for outgoing connections.
* OpenScholar deprecated and moved to unsupported group.
* PHP: Deprecate 5.2 also on upgrade.
* PHP: Install MongoDB driver if MNG keyword is listed in _XTRAS_LIST.
* PHP: Set _PHP_CLI_VERSION=5.3 by default.
* PHP: Switch to forced CLI 5.3 and FPM 5.3 also in the custom config.
* PHP: Switch to FPM 5.3 also for D6 sites by default.
* Pressflow 5.23 deprecated and moved to unsupported group.
* Redis: Re-create secure password on every barracuda upgrade.
* Satellite Ægir: Re-create secure db password on every octopus upgrade.
* SQL: Do not run DB OPTIMIZE unless /root/.my.optimize.cnf ctrl file exists.
* SQL: Re-generate new secure mysql root password on every barracuda upgrade.
* SQL: Use key_buffer = 2M by default.
* SQL: Use more safe memory limits after introducing higher key_buffer_size
* Use better names for various control files.
* Watch crons running > 2 min and kill crons running > 3 min.
* Split _XTRAS_LIST into two groups: included via ALL keyword and
other which need to be listed explicitly.
# Fixes:
* Add Ksplice-aware kernel upgrade alert.
* Add some delay to avoid race conditions when removing more zombies.
* Allow higher system load before disabling access for spiders temporarily.
* Always send upgrade log when running in the silent mode.
* Avoid cron collisions and make sure all maintenance tasks run 0-6 AM.
* Better and separate backup rotation on hostmaster upgrade.
* Better check if Webmin GnuPG signing key has been added properly.
* Better fix for $cookie_domain and DA compatibility.
* Better protection for all ports usually targeted in brute force attacks.
* Check if nproc is present and fall back to /proc/cpuinfo otherwise.
* Clean swap on kernel tuning update.
* Delete broken o_contrib symlinks before trying to recreate them.
* Do not add and remove bind from /etc/sudoers since it is not supported.
* Do not block @ in the limited shell - it breaks git foo git@bar etc.
* Do not force _DEBUG_MODE=YES if not required.
* Do not force _HTTP_WILDCARD=NO for stock install option.
* Do not run extra IP checks for requests below $mininumber threshold.
* Do not run initial apticron check in local install.
* Do not run two mysql restarts in a row on mysql upgrade.
* Downgrade to working wkhtmltopdf-0.10.0_rc2 and wkhtmltoimage-0.10.0_rc2
* Drupal 7.x core with Field API memory optimization - see #1915646
* Enable image_allow_insecure_derivatives to avoid issues with drupal-7.20
* Fix apticron to suggest barracuda up-stable instead of apt-get upgrades.
* Fix AWS system auto-discovery and auto-configuration.
* Fix Drush 5.x and _USE_STOCK support.
* Fix for Bazaar (bzr) 2.6b2 extensions build.
* Fix for pdnsd install on Ubuntu Precise.
* Fix the 32 long ALNUM password generation for lshell users.
* Fix the hint to just display the uptrack command, not run it.
* Force logrotate on demand if /var/log/syslog > 1GB
* Force mysql tables check and upgrade before hostmaster upgrade.
* Force proper pdnsd and resolvconf re-installation if needed.
* Force proper resolvconf configuration to support and use pdnsd server.
* FTPS on all modern systems requires lshell path added in /etc/shells.
* Hostmaster/Octopus contrib modules are now added via Ægir makefile.
* Improve autonomous IDS auto-cleaning and permanent block mgmt.
* Improve compatibility testing with Drush 5 and Drush 6.
* Improve kernel default tuning.
* Improve Master Instance upgrade logic.
* Improve mysqldump performance by default.
* Improve the default strict configuration for $cookie_domain.
* Improve Tomcat/Jetty self-healing to avoid stuck processes.
* Install also hostmaster contrib when stock option is used.
* Issue #1782034 - Use fixed version of the message_notify module.
* Issue #1825018 - Disable binary logging and make it optional.
* Issue #1871060 - CiviCRM 4.2.6 needs separate civicrml10n fix.
* Issue #1873478 - Localhost install broken because getent test is used.
* Issue #1875348 - Fix for Nginx 1.3.10 bug causing random segfaults.
* Issue #1886920 - Fix the unrecognized option [service=system-auth] error.
* Issue #1886920 - Pure-FTPd config broken because of deprecated pam_stack.so
* Issue #1888380 - Deleted platform cache folder recreated automatically.
* Issue #1889322 - Domain Access module breaks sites provisioning.
* Issue #1897018 - Set Pin-Priority also in wrappers to fix also stable.
* Issue #1897018 - Ubuntu Precise breaks install and upgrade.
* Issue #1906760 - Incomplete access_log directive in the purge vhost.
* Issue #1906900 - Nginx microcaching not disabled on prefixed admin URIs.
* Issue #1909208 - Changed MariaDB GnuPG signing key hangs install/upgrade.
* Issue #1913394 - Disable automatic CSF/LFD upgrade.
* Issue #1913488 - Do not install GEOS PHP ext. unless explicitly listed.
* Issue #1914294 - APC 3.1.14 disappeared from PECL - downgrade to 3.1.13
* Issue #1918722 - Add diff command as allowed in the limited shell.
* Issue #1920972 - Could not change permissions warnings on site verify.
* Issue #1932388 - Use correct keyword PPY for Panopoly install.
* Issue #1935388 - Use reliable check for Master Instance install path.
* Issue #1947082 - Permissions are never fixed on the profile level.
* Issue #1949740 - Make sure that cache_prefix for Redis is always set.
* Issue #1952042 - Make strong passwords optional and not default.
* Issue #1953248 - Extra Drush versions should be added properly.
* Issue #1957762 - Upgrade to Bazaar (bzr) 2.6b2
* Jetty: Tune memory limits automatically to avoid extra RAM requirements.
* Keep all extra modules in the same profiles/hostmaster/modules directory.
* Lshell: Allow ping command to help keep session active / auto-whitelist.
* Make apticron aware of the BOA version currently running.
* Make BOND aware of _CUSTOM_CONFIG_SQL if present.
* Make Compass Tools available in the standard path, if installed.
* Make sure that all removed zombies use unique dir names.
* Make sure that all users home dirs are protected.
* Make sure that now redundant hosting_backup_gc module is removed.
* Make sure that SERVER_NAME is set to HTTP_HOST early enough, if required.
* Make the errors monitor aware of system only upgrade mode.
* Make URI filtering regex localization-aware in the global.inc
* Nginx Security: BEAST attack protection and fix for PCI compliance.
* Nginx: Another fix for broken imagecache paths in some imported sites.
* Nginx: Better protection from DoS attempts on never cached uri.
* Nginx: Do not block spiders on imagecache/styles URIs.
* Nginx: Do not force use epoll - it is set on install properly.
* Nginx: Do not force worker_connections. It will not work in the VM guest.
* Nginx: Do not force worker_rlimit_nofile. It will not work in the VM guest.
* Nginx: Force rebuild to include LDAP support if enabled via _NGINX_LDAP=YES
* Nginx: Improve Abuse Guard to better protect from imagecache|styles flood.
* Nginx: Improve no-cache exceptions for known AJAX and webform requests.
* Nginx: Make json compatible with boost caching but dynamic for POST.
* Nginx: Restore fast 404 for static json requests.
* Nginx: Set workers number to available CPUs x2 with min/max defaults.
* Nginx: Use default buffer=32k in the access_log for better performance.
* Nginx: Use static /normal/ instead of dynamic /$device/ for Boost cache.
* PHP: Enable more FPM workers by default for better performance.
* PHP: Force php53-fpm restart if there is no master process running.
* PHP: Many Drupal 7 based distros require 196M limit at minimum.
* PHP: Never force php53-fpm restart when another script reloads it.
* PHP: Use more safe limits on low memory systems.
* Prevent turning the feature server site into a spam machine.
* Protect also from not supported request types if Nginx server is busy.
* Randomize tasks wait/start intervals better to avoid high system load.
* Redis: Do not disable it on the fly when there is /nojs/ in the URI.
* Redis: Double check if $cache_lock_path exists before using it.
* Redis: No need to force exception for cache_menu bin.
* Redis: Tune sysctl for better memory management by default.
* Remove up to two last zombies on Master Instance upgrade.
* Remove up to two last zombies on Satellite Instance upgrade.
* Rename profiles to avoid confusion between Commons 2 and Commons 3.
* Run drush @hostmaster hosting-dispatch during upgrade to sync things.
* Send also OK report when running in the silent mode.
* Set correct default DNS entry in /etc/hosts before running local install.
* Shell: Fix for too restrictive Drush commands filtering.
* Shell: Fix the broken Git support over SSH.
* Shell: Fixed too restrictive permissions on the extra Drush directories.
* SQL: Do not run the purge_binlogs script when binary logging is disabled.
* SQL: Improve sqlmagic converter and allow it to use control files.
* SQL: The sqlmagic_convert should not be available for extra lshell users.
* SQL: Tune also key_buffer_size by default.
* Sync generating secure passwords also for limited shell users.
* Update csf.conf template.
* Update self-healing for Tomcat/Jetty support.
* Update welcome email template to better explain how to manage databases.
* Use Boost with silenced false alarms.
* Use Limited Shell branch with fixed tab completion.
* Use public DNS during pdnsd (re)installation to avoid issues.
* Whitelist /tmp/make_tmp.* in the csf.fignore to avoid false alarms.
### Stable Edition BOA-2.0.5
### Date: Sun Dec 23 15:35:46 EST 2012
### Installs Ægir 2.0.5 compatible with Ægir 1.9
# Updated Octopus platforms:
Commerce 1.12.1 -------------- http://drupalcommerce.org
Commerce 2.0 ----------------- http://drupalcommerce.org
Commons 2.11 ----------------- http://acquia.com/drupalcommons
Drupal 7.18.1 ---------------- http://drupal.org/drupal-7.18
Open Deals 1.14 -------------- http://opendealsapp.com
Open Outreach 1.0-rc7 -------- http://openoutreach.org
OpenChurch 1.11-beta7 -------- http://openchurchsite.com
Panopoly 1.0-rc3 ------------- http://drupal.org/project/panopoly
Pressflow 6.27.1 ------------- http://pressflow.org
ProsePoint 0.45 -------------- http://prosepoint.org
Ubercart 2.11.1 -------------- http://ubercart.org
Ubercart 3.3.1 --------------- http://ubercart.org
All other not listed above platforms are available with latest
D6 or D7 core, even if there were no new distro version released.
# New Ægir modules or extensions:
* Add drush clean-modules command - clean_missing_modules extension.
# New o_contrib modules:
* Add reroute_email module in both D6 and D7 contrib.
# Changes:
* Git 1.8.0.2
* MariaDB 5.3.11 on Debian Lenny
* MariaDB 5.5.28a
* Nginx 1.3.9
* PHP 5.3.20
* Redis 2.6.7
* Delete old tmp files in all sites daily.
* Disable Expire and Purge modules by default - they are no longer needed.
* Redis integration module updated to 7.x-2.0-beta2
* There is no need to restart Redis and Tomcat hourly.
* Use higher innodb_lock_wait_timeout by default - 120 instead of 50.
* Use 1h instead of 30min default timeout for sql and php-cli to avoid
breaking some extra long running backend tasks on some really big sites.
# Fixes:
* Allow more drush commands over SSH.
* Always force drupal_http_request_fails to FALSE to avoid false alarm.
* Better check for standalone vhosts firewall setup.
* Better lshell forbidden list of keywords.
* Better regex to deny wildcards with top-level or country level domains.
* Check for existence of host_master and not host_master/001 directory.
* Compass is not available on older OS versions.
* Delete ltd-shell extra user/client if there is no site associated/owned.
* Delete old symlinks in the client directory for no longer associated sites.
* Fix broken usage.sh script - it does not enable/disable modules.
* Fix date formatting also in the sqlcheck script.
* Fix for some really old installs without .barracuda.cnf file.
* Fix permissions for Boost cache directory with correct chmod.
* Fix the hint - it should say to restart mysql.
* Issue #1081266 - Avoid re-scanning modules directory.
* Issue #1263602 - Force New Relic re-install on every upgrade, if used.
* Issue #1460882 - Send .json requests to @drupal instead of =404.
* Issue #1837418 - Fix permissions inside ~/.drush directory.
* Issue #1837776 - Do not disable httprl module.
* Issue #1837910 - Upload progress broken for all D6 sites.
* Issue #1839122 - Disabling Redis on known AJAX calls breaks UI elements.
* Issue #1839544 - Use language neutral checks for users, groups and hosts.
* Issue #1841230 - BOA provides Apache Solr 1.4 with Tomcat 6.
* Issue #1841246 - Fix csf.fignore file to whitelist /tmp/drush_*
* Issue #1842554 - Replace broken links to Skitch screenshots.
* Issue #1847682 - Fix extra Nginx config support in the Master Instance.
* Issue #1850034 - Disable SYSLOG_CHECK in csf to avoid false alarms.
* Issue #1857250 - Domain Access support is broken in the backend cli.
* Issue #1857990 - Include reroute_email module in o_contrib by default.
* Issue #1860100 - Use provision-backup-delete instead of backup_delete.
* Issue #1865112 - Add drush clean-modules command.
* Issue #1867264 - Too many Redis caching exceptions cause serious confusion.
* Issue #1871060 - CiviCRM l10n should be moved to proper directory.
* Lshell: Map drush mup to up instead of upc. Add new drush mupc map for upc.
* Max supported version of Search API Solr search is 7.x-1.0-rc2
* More complete permissions fix on install and upgrade.
* More strict check for _LENNY_TO_SQUEEZE option.
* Nginx: Better regex in the Nginx monitor.
* Nginx: Exclude also files/progress path in the Nginx monitor.
* Nginx: Fix rewrite rules in the CDN Far Future expiration support.
* Nginx: Make sure that any older packages are uninstalled on upgrade.
* Nginx: Make sure that default Nginx vhosts are deleted also on upgrade.
* Nginx: Skip all logged media and download requests in the Nginx monitor.
* PHP: Use high enough value for max_input_vars in PHP 5.3 by default.
* Really fix the datestamp comparison logic on various systems.
* Rebuild registry without --no-cache-clear option to avoid issues.
* Redis: Check if Redis binary exists, not symlink.
* Redis: Delete redis-server symlink to avoid failed Redis install.
* Redis: Do not use all three extra exceptions on the hostmaster site.
* Redis: Do not use sleep breaks during Redis full restart.
* Redis: The cache_menu bin should be still excluded from Redis caching.
* Redis: The hostmaster site needs exception for cache_class_cache bin.
* Stop and Start CSF only if installed.
* The locked auto-healing script needs to kill tomcat more aggressively.
* Update csf.conf template.
* Upgrade to ctools-6.x-1.10 in the hostmaster platform.
* Use aliases in drush commands where possible.
* Use better name for non-web New Relic app tracking.
* You must remove remote_import extension from the source server.
### Stable Edition BOA-2.0.4
### Date: Thu Nov 8 18:31:01 EST 2012
### Installs Ægir 2.0.4 compatible with Ægir 1.9
# New Octopus platforms:
Commerce 2.0-rc4 ------------- http://drupalcommerce.org
# Updated Octopus platforms:
CiviCRM 4.1.6-d6 ------------- http://civicrm.org
CiviCRM 4.2.6-d7 ------------- http://civicrm.org
Commerce 1.11.1 -------------- http://drupalcommerce.org
Commons 2.10 ----------------- http://acquia.com/drupalcommons
Conference 1.0-rc2 ----------- http://usecod.com
Drupal 7.17.1 ---------------- http://drupal.org/drupal-7.17
Drupal 8.0-dev-tested -------- http://bit.ly/drupal-eight
ELMS 1.0-beta1 --------------- http://elms.psu.edu
NodeStream 1.5.1 ------------- http://nodestream.org
NodeStream 2.0-beta8 --------- http://nodestream.org
Open Atrium 1.6.1 ------------ http://openatrium.com
Open Deals 1.11 -------------- http://opendealsapp.com
Open Outreach 1.0-rc6 -------- http://openoutreach.org
OpenChurch 1.11-beta5 -------- http://openchurchsite.com
OpenPublish 3.0-beta7 -------- http://openpublishapp.com
OpenScholar 2.0-rc1 ---------- http://openscholar.harvard.edu
Panopoly 1.0-rc2 ------------- http://drupal.org/project/panopoly
Ubercart 2.10.1 -------------- http://ubercart.org
Ubercart 3.2.1 --------------- http://ubercart.org
* We plan to shorten BOA system release and upgrades cycle
to 1-2 months max, so we have decided to remove support for some
outdated distros. We have tried to manage both security and version
updates for some abandoned or semi-abandoned distros, to keep them
useful for you, but since it involves increasing amount of work
because of cascades of no longer compatible patches and various
dependencies, we have decided that it is time to stop doing it,
if their original maintainers no longer care about their users.
Here is a list of distros we no longer support:
MartPlug ------------ http://drupal.org/project/martplug
Octopus Video ------- http://octopusvideo.org
Open Academy -------- http://drupal.org/project/openacademy
Open Enterprise ----- http://drupal.org/project/openenterprise
OpenPublic ---------- http://openpublicapp.com
Videola ------------- http://videola.tv
The platforms listed above can be re-added when their maintainers
will fix all critical issues and/or apply required updates.
# New features:
* Add auto-healing support for Bind9.
* Add LOCK/FROZEN check for PHP-FPM and Tomcat in the auto-healing.
* Add option to force 15min Speed Booster cache TTL for anonymous visitors.
* Add optional easy install of already supported Compass Tools.
* Add support for aegir|platforms|both modes on octopus upgrade.
* Allow for another one upgrade daily but only to add more platforms.
* Allow to install unsupported distros with option _ALLOW_UNSUPPORTED=YES
* Allow to install vanilla Ægir 2.x and Drush 5.7 with "stock" option.
* Improved databases backup with added OPTIMIZE TABLE foo action per table.
* New Relic PHP Agent version 3.0 compatibility.
* Pseudo-streaming server-side support for Flash Video (FLV) and H.264/AAC.
* Support for Wysiwyg Fields module.
# New Ægir modules or extensions:
* Add hosting_tasks_extra module and provision_tasks_extra extension.
# New o_contrib modules:
* Add login_security module in D7 contrib.
* Add cdn module in both D6 and D7 contrib.
# Changes:
* Allow outgoing mysql connections by default.
* APC 3.1.13
* Chive 1.2
* Do not bundle seckit module in o_contrib.
* Do not enable Expire and Purge modules by default.
* Enable Syslog module by default.
* Git 1.8.0
* MariaDB 5.3.9 on Debian Lenny
* MariaDB 5.5.28
* Nginx 1.3.8
* Percona 5.5.28
* PHP 5.3.18
* Pure-FTPd 1.0.36
* Redis 2.6.4
* Remove not supported httprl module and disable if enabled.
* The filefield_nginx_progress is forced-enabled in all D7 sites, again.
* Use PHP-FPM 5.3 for Chive, Collectd and other non-Drupal sites.
* Use php-cli 5.3 for drush on command line by default.
You can still force 5.2 with --php=/usr/local/bin/php drush option.
# Fixes:
* Add cache_tax_image bin to no-redis-cache exceptions.
* Add support for pdnsd in the VServer guest.
* Allow all standard compass/sass commands in limited shell.
* Auto-discover _NEWRELIC_KEY if not listed in .barracuda.cnf
* Better auto-healing for php-fpm zombies edge case.
* Better check for failed login attempts (when user exists).
* Better permissions magic repair running daily.
* Deny crawlers on search results pages - they may cause very high load.
* Disable spinner if screen is used.
* Do not force default Debian and Ubuntu mirrors even if _AUTOPILOT=YES.
* Do not quote password in .my.cnf - it breaks mytop.
* Do not use log/custom_cron for anything.
* Do not use resolveip in the localhost mode.
* Exclude cache_bootstrap and cache_pulled_tweets from Redis caching.
* Fix for broken drush make edge case caused by leftovers.
* Fix for broken Tika download URL.
* Fix for civicrm_engage in D6.
* Fix for Debian Lenny upgrade.
* Fix for global.inc logic related to high traffic sites only.
* Fix for NGX, PHP and SQL forced reinstall mode.
* Fix for Pin-Priority in Squeeze.
* Fix for sql abuse monitor.
* Fix for the selectively forced upgrade mode.
* Fix motd for Skynet fun.
* Fix too restrictive lshell command filtering.
* Force Pure-FTPd rebuild on every upgrade to avoid broken binary.
* Force tomcat restart and reload php-fpm hourly.
* Improve Domain module support.
* Improve mysql crashed tables detection and repair in auto-healing.
* Improve Nginx Abuse Guard by stopping those never cached POST DoS attacks.
* Improve Nginx guard support for VServer guests.
* Improved checkpoint info in Octopus.
* Issue #1225380 - Do not truncate sessions table during db daily backup.
* Issue #1472786 - SQL check ERROR and too many SQL check CLEAN notices.
* Issue #1528726 - Fix for Redis support in all shared directories/code.
* Issue #1540242 - Do not install conflicting libavcodec53 or libavcodec52.
* Issue #1588060 - Make sure that /var/run is present in open_basedir.
* Issue #1589052 - Incomplete PATH breaks standard tasks.
* Issue #1590120 - Fix for java path changed in recent Ubuntu releases.
* Issue #1591746 - Update GeoIP.dat file automatically.
* Issue #1592646 - Enabled old cache backend integration module causes WSOD.
* Issue #1592650 - Do not use Hide platforms with non-default profiles.
* Issue #1592680 - Upload progress module breaks uploads on all D7 sites.
* Issue #1593794 - New redis-only caching backend settings.
* Issue #1593810 - Duplicate php-cli 5.3 binaries after upgrade.
* Issue #1593980 - Remove invisible characters breaking localhost install.
* Issue #1597580 - External/Aggressive caching in D6 breaks path_alias_cache.
* Issue #1598676 - Collectd graphs broken.
* Issue #1600426 - Cron is run every minute on all sites not yet defined.
* Issue #1602142 - Do not use device specific keys for Redis cache entries.
* Issue #1606146 - The manage_ltd_users.sh script locks important tasks.
* Issue #1614162 - CRON Not Running on Octopus Satellites and Sites.
* Issue #1643616 - APC is missing in the Ubuntu Precise based install.
* Issue #1659452 - Add support for Ægir HTTPS header in the Speed Booster.
* Issue #1663262 - Fix FMG install on Ubuntu Precise.
* Issue #1679114 - New user name check in Octopus is too restrictive.
* Issue #1689656 - Avoid caching /civicrm* and known webform requests.
* Issue #1716004 - The zlib.output_compression should be disabled in 5.3
* Issue #1728616 - Better CDN Far Future expiration support.
* Issue #1777982 - Do not break wordpress_migrate module support.
* Issue #1778712 - Better workaround for MariaDB 5.5.27 critical bug.
* Issue #1784440 - Cannot stat scan_nginx when using BOND.sh.txt
* Issue #1796420 - Do not break write access to the tcpdf cache directory.
* Issue #1798288 - Provision-backup_delete could not be found.
* Issue #1799116 - Standardize on installation vs. install profile.
* Issue #1821866 - Force Nginx rebuild to include pseudo-streaming support.
* Issue #1824888 - BOND.sh.txt breaks Nginx, SQL and PHP configuration.
* Issue #1825298 - Redis: force rebuild from sources on version mismatch.
* Issue #1825420 - Avoid the Use of undefined constant OctopusNoCacheID.
* Issue #1825630 - Remove duplicate code causing false alarm.
* Issue #1825992 - Redis cache is never cleared via php-cli.
* Issue #1825998 - Improved auto-healing for Redis.
* Issue #1835796 - Default cache headers break CloudFlare Always Online.
* Make sure that path_alias_cache module takes precedence.
* Make sure that PHP 5.2 is re-installed if required.
* Monitor and kill too long running sites cron tasks.
* Move away buagent init script if exists when Barracuda runs.
* Nginx: Allow to include high level local configuration override.
* Nginx: Better regex for exceptions in the abuse guard monitor.
* Nginx: Block stupid spiders/downloaders with 403 error, not CSF.
* Nginx: Deny known bots on some heavy URLs.
* Nginx: FileField Nginx Progress 7.x-2.3 compatibility.
* Nginx: Fix for broken images paths in civicrm.
* Nginx: Fix for D6 upload progress support.
* Nginx: Make the abuse monitor aware of possible lang code prefixes.
* Nginx: Monitor and block if required also via-multi-proxy attacks.
* Nginx: Remove packages on every upgrade to avoid duplicate re-installs.
* Nginx: Remove redundant URL filtering.
* Nginx: Send 403 for vbulletin URI to avoid Drupal heavy 404.
* Nginx: Support for /contrib/ for wysiwyg helpers exceptions location.
* Nginx: Use latest nginx-upload-progress-module v0.9.0
* Nginx: Use ngx_cache_purge-1.6
* PHP: Allow short_open_tag also in 5.3
* PHP: Disable the original php5-fpm init script causing segfaults.
* PHP: Fix for _FROM_SOURCES PHP-FPM 5.3 build.
* PHP: Fix for the php53-fpm init script.
* PHP: Force proper php53-fpm restart if required.
* PHP: Install JSMin extension by default.
* PHP: Install php-pear by default also in no-src based default install.
* PHP: Load extensions in a safe, correct order.
* PHP: Log killed php-fpm events.
* PHP: Make sure that all builds use correct, fresh downloads.
* PHP: Make sure that php53-fpm is disabled during apt-get based upgrade.
* PHP: Make sure that suhosin.so is removed and jsmin.so added.
* PHP: Remove duplicate and conflicting allow_call_time_pass_reference.
* PHP: Remove php5-sasl extension causing segfaults.
* PHP: Remove php5-suhosin from the stack - too many weird issues.
* PHP: The realpath_cache_ttl should be as low for CLI as possible.
* PHP: Use 2x higher limits in the tune_web_server_config logic.
* Purge Redis cache hourly.
* Randomize runner intervals.
* Remove all control files on init to avoid aborted Octopus upgrades.
* Remove any extra search directive from resolv.conf when pdnsd is installed.
* Remove Dotdeb libmysqld-dev conflicting with Percona libmysqlclient-dev.
* Remove not really working properly Boost separate mobile bins.
* Remove not supported MTA only on initial install.
* Remove old cache module from all old profiles.
* Segfault monitor should not disable sites by default.
* Serve .less files as static by default, no log.
* Set hosting_advanced_cron_default_interval to 3 hours.
* SQL: Use skip-name-resolve by default.
* Support both HTTP_X_FORWARDED_PROTO and HTTPS.
* The dev. should not disable Redis cache.
* The missing /usr/bin/lshell entry may affect also Lucid.
* There is no need to force Debian mirror.
* Tune AdvAgg config - disable async mode and use JSMin by default.
* Use autoselect for civicrm downloads.
* Use DrupalDatabaseCache for some Redis bins to avoid confirmed issues.
* Use higher default timeouts for php-cli and wait_timeout in mysql.
* Use SERVER_NAME instead of HTTP_HOST header in the Redis cache key.
* Use version specific directory for static downloads.
* Yet another umask trick for shell and SFTP.
### Stable Edition BOA-2.0.3
### Date: Thu May 17 18:17:40 EST 2012
### Installs Ægir 2.0.3 compatible with Ægir 1.9
# There are major improvements and new features added in this BOA Edition.
Here is the description of those most important/expected, while complete
list of all changes, new features and fixes is available further below.
* Caching backend has been simplified. We no longer use chained cache
system with Memcached+Redis+database. New system uses only Redis cache
and the same configuration for all Drupal 6 and Drupal 7 platforms.
This new system doesn't require any extra module to be enabled in any site.
Complete integration is already enabled by default for every platform/site
installed by default and for every custom platform as before - the next
day after first site on the custom platform has been created.
You can disable this caching layer using the same modules/cache/NO.txt
control file as before. While there is just one cache engine (Redis) used,
there is also an automatic, instant failover to standard database caching,
just in case Redis is not available for some reason. You can also disable
Redis cache on the fly for debugging by adding ?noredis=1 to any URL.
* We have added support for Drupal 8.x while still using modified
Drush 4.6-dev version, so we can still support Drupal 5 on the same
system, but on another Octopus instance.
* You can choose different PHP version for PHP-FPM (web access)
and PHP-CLI, for even greater control over compatibility with
various Drupal major versions.
* You can choose both PHP-FPM and PHP-CLI versions per Octopus instance,
on the same system. And you can change those versions on upgrade.
* Installing and upgrading BOA system has been greatly simplified.
You can still configure and run both installers as before,
but you can also use these new, shockingly simple command line tools
to install Barracuda and Octopus at once, to install more Octopus
instances, to run selective or batch upgrades of all Octopus instances etc.
See docs/INSTALL.txt and docs/UPGRADE.txt for details.
* We have added an 'easy install' configuration shortcuts for both
standard (public) and localhost installs. You no longer need
to read, understand and configure all options, unless you prefer
to choose some non-default configuration options.
* Default installs on Debian Squeeze and Ubuntu Precise use
packages for PHP 5.3, so initial setup takes just 10-15 minutes.
* You can easily grant limited shell and FTPS access for developers,
simply by creating "Clients" in the Ægir control panel and define
them as 'owners' of one or more sites. Their access will be limited
to only sites they can manage, but only if you will send them their
access credentials, which are independent of their Ægir control
panel credentials and stored in the ~/users/ directory in your main account.
You will find there files with passwords for every "Client" with at least
one site attached. For example ~/users/o1.username file means that
this Client's username for SSH and FTPS access is 'o1.username' while
his password is stored in this file. This means that SSH/FTPS access
is not granted automatically, but you can decide who should receive it.
How to change any extra user's password? Simply delete his ~/users/o1.username
file and wait up to 5 minutes - the system will re-create his account
with new password. And how to delete the user completely? Simply
delete this user "Client" account in the Ægir control panel and allow
the system to delete also his SSH/FTPS access in the next 5 minutes.
* We have added segfault monitor for php-fpm and nginx, enabled by default.
It is pretty aggressive, because it disables vhost of any site causing
segfault errors and sends email alert to the Octopus instance owner
and server owner email addresses. Simple site re-verify in Ægir enables
the site again - but until the next segfault only, so read the info
included in the email alert message, if this will happen. If you prefer
to not run this monitor: `rm -f /var/xdrago/monitor/check/segfault_alert`
* Previously recommended site and platforms re-verify on Clone or Migrate
is now fully automated. Ægir will run these extra tasks as a part
of Clone or Migrate task, to make sure that there are no errors
and that Ægir is using up-to-date information collected about
platforms and sites. It also automatically fixes the known problem
with domain aliases incorrectly written in the original and cloned sites,
as reported in the Ægir queue: http://drupal.org/node/1004526
* Apps are now fully supported. If the App is not downloaded yet, installing
it via browser only requires write permissions, normally never available
for the web server user, so you need to create an empty control file, either
in sites/all/modules/apps-allow.info or sites/domain/modules/apps-allow.info
and then run 'Reset password' task. It will open write access where required
until the next site 'Verify' task will run . After installing the App,
remember to re-Verify the site to restore default, safe permissions.
* Custom local.settings.php file support uses similar logic with control file
sites/domain/modules/local-allow.info and also 'Reset password' task.
After running this task the local.settings.php file will be group writable,
so you will be able to edit it also when logged in as limited shell user.
Remember to run site Verify when done, to restore standard, safe permissions.
Note that this file is created automatically, but is not open for write
access by default.
# Notes on new and updated platforms and new Drupal core:
All 6.x and 7.x platforms have been updated with latest core,
so they are all in fact new in this BOA Edition, but we list here
only really new platforms or those with new version released
since last BOA Edition, with one exception: we list also basic
6.26.2 and 7.14.2 platforms as new.
NOTE: before you will try to upgrade any of your sites,
please read our important how-to:
http://omega8.cc/the-best-recipes-for-disaster-139
http://omega8.cc/are-there-any-specific-good-habits-to-learn-116
http://omega8.cc/managing-your-code-in-the-aegir-style-110
REALLY, PLEASE READ IT TO AVOID SOME HEAVY HEADACHES!
# New Octopus platforms:
CiviCRM 4.1.2-d6 ------------- http://civicrm.org
CiviCRM 4.1.2-d7 ------------- http://civicrm.org
Drupal 7.14.2 ---------------- http://drupal.org/drupal-7.14
Drupal 8.0-dev --------------- http://bit.ly/drupal-eight
MartPlug 1.0-beta1b ---------- http://drupal.org/project/martplug
Octopus Video 1.0-alpha6 ----- http://octopusvideo.org
Panopoly 1.0-beta3 ----------- http://drupal.org/project/panopoly
Pressflow 6.26.2 ------------- http://pressflow.org
# Updated Octopus platforms:
Acquia 6.26.2 ---------------- http://bit.ly/acquiadrupal
CiviCRM 3.4.8-d6 ------------- http://civicrm.org
CiviCRM 4.0.8-d7 ------------- http://civicrm.org
Commerce 1.7.1 --------------- http://drupalcommerce.org
Commons 2.6 ------------------ http://acquia.com/drupalcommons
Feature Server 1.1 ----------- http://bit.ly/fserver
Managing News 1.2.2 ---------- http://managingnews.com
NodeStream 1.5 --------------- http://nodestream.org
NodeStream 2.0-beta1 --------- http://nodestream.org
Open Atrium 1.4.1 ------------ http://openatrium.com
Open Deals 1.0-beta7e -------- http://opendealsapp.com
Open Outreach 1.0-rc1 -------- http://openoutreach.org
OpenChurch 1.10-alpha1 ------- http://openchurchsite.com
OpenPublish 3.0-alpha8 ------- http://openpublishapp.com
Ubercart 2.9.1 --------------- http://ubercart.org
Ubercart 3.1.1 --------------- http://ubercart.org
Videola 1.0-alpha3 ----------- http://videola.tv
# New features:
* Add Adaptive Image Styles support.
* Add Compass compatibility in the limited shell (Compass is not installed by default).
* Add ssh-copy-id and ssh-add commands as allowed over SSH.
* Add X-Speed-Cache-Key header for Speed Booster debugging.
* All Clone/Migrate forms in the Ægir control panel have useful inline help added.
* Allow to easily re-start BOA failed install, just by running boa installer again.
* Allow to install PHP 5.3 only with option _PHP_MODERN_ONLY=YES (default).
* Deny HTTPS access on Nginx level for all known bots and crawlers.
* Do not force HTTPS for Ægir if /data/conf/no-https-aegir.inc control file exists.
* Fix system time hourly via auto-healing.
* Install wkhtmltopdf by default - available at /usr/bin/wkhtmltopdf
* Issue #1263602 - New Relic Server and Apps Monitor with per Site/Instance reporting.
* Issue #1392498 - Use .barracuda.cnf to define YES/NO for some config overrides.
* Issue #1428078 - Compatibility with resp_img module.
* Issue #1436522 - Add option to set _PHP_CLI_VERSION.
* Issue #1438906 - Add Imagick to PHP by default.
* Issue #1463494 - Add support for radioactivity module.
* Issue #1542712 - Automated wildcard DNS for easy localhost mode.
* Lock temporarily almost all known crawlers on high load with error 503.
* Make _NGINX_DOS_LIMIT configurable and allow higher load by default.
* Make both 1 and 5 minute max allowed load configurable in the auto-healing.
* Support for automatically managed extra SSH/FTPS accounts per Ægir Client.
* The _LOAD_LIMIT used in the auto-healing system is now configurable.
* The _SPEED_VALID_MAX used as a Speed Booster cache TTL is now configurable.
* Ubuntu Precise 12.04 is fully supported.
* Use nice default /root/.bashrc config.
# New Ægir modules or extensions:
* Add hosting_advanced_cron module - enabled by default.
* Add hosting_civicrm_cron module - enabled by default.
* Add hosting_task_gc module - enabled by default.
* Add provision_cdn module and extension, by default not enabled.
* Add remote_import and hosting_remote_import - not enabled by default.
* Add revision_deletion module - automatically configured and enabled by default.
* Registry Rebuild Drush extension - installed by default.
# New o_contrib modules:
* entitycache-7.x-1.x-dev
* nocurrent_pass-7.x-1.0
* speedy-7.x-1.0
# Changes:
* Acquia 7.x platform has been merged with Ubercart 3.
* Always disable css_gzip, javascript_aggregator and performance modules.
* Automate database server secure setup on initial install.
* Disable /etc/cron.daily/mlocate by default.
* Do not disable update module - it may break some features depending on it.
* Do not enable filefield_nginx_progress module by default.
* Do not remove Testing profile and use better naming convention for D7/D8.
* Do not search for mirrors by default.
* Drupal 8 compatible Drush 4.6-dev
* GitHub availability is required also when another mirror is used by default.
* Installing Git from sources is now optional.
* Limited shell 0.9.15.1-sec-noreload
* Lower default APC and Redis memory in VZ to 64MB to avoid/limit known VZ issues.
* MariaDB and Percona 5.5
* Modify Ubercart platform to include some contrib modules in the D6 version.
* Nginx 1.3.0
* Open Enterprise 1.0-beta3 is deprecated and not supported.
* Plain FTP access disabled with FTPS-only mode available.
* Pure-FTPd server install is now optional, but still default.
* Send all known bots to $args free URLs.
* Use _HTTP_WILDCARD=YES by default to match Ægir standard setup.
# Fixes:
* Abort all parent installers as soon as any sub-installer fails with fatal error.
* Add $http_x_forwarded_proto to the cache key to never mix HTTP and HTTPS entries.
* Add a list/chart in the readme for an easy overview of all included modules.
* Add volatile updates to /etc/apt/sources.list for Squeeze.
* All connection tests should be run after netcat is installed if not yet available.
* Allow more than one IP to connect to the same FTPS account at the same time.
* Allow some known php files also in profiles - a fix for Nginx config regression.
* Always update nginx_speed_purge.conf file on upgrade.
* Archive install and upgrade logs in /var/backups/
* Avoid double dots in $cookie_domain.
* Better detection of real visitor IP in the scan_nginx abuse guard.
* Cache 403 response for 5s by default.
* Count only valid requests in the scan_nginx abuse guard.
* Disable caching in admin_menu module by default.
* Disabled allow_url_fopen breaks drush dl.
* Do not allow bots to create cache entries with long expire time.
* Do not prompt for D6 or D7 vanilla platforms install if not defined in the config.
* Explain in the email templates that plain FTP is no longer available.
* Fix cart block issue in Ubercart.
* Fix for Debian Lenny support - packages have been moved to archives.
* Fix for slow networks/DNS in pdnsd cache default config.
* Fix for VServer on _LENNY_TO_SQUEEZE upgrade.
* Fix tune_memory_limits logic to really tune the config on low mem systems.
* Follow some symlinks when running chmod/ownership repair daily.
* Force global upgrade for Expire and Purge modules.
* Force safe default settings for expire module.
* Improved Lenny to Squeeze major upgrade support.
* Increase allowed limit_conn for local purge requests.
* Issue #1216420 - Incorrect lshell path in /etc/passwd breaks FTPS on Squeeze.
* Issue #1317264 #1543118 - Uninstall Sendmail if exists to avoid breaking Postfix.
* Issue #1377492 - Improve Install / Upgrade mode detection and move away any zombies.
* Issue #1398050 - Use our mirror for all downloads on install and upgrade.
* Issue #1436522 - Add missing php.ini for PHP-CLI 5.3
* Issue #1440796 - Ægir support broken due to duplicate db update in Commons/OG.
* Issue #1441366 - The _USE_SPEED_BOOSTER switch is deprecated.
* Issue #1443284 - Early start of CSF may lockout the ssh user and break the install.
* Issue #1445460 - Broken Git install on Ubuntu Lucid.
* Issue #1451262 - Do not lock the access to phpinfo.
* Issue #1472460 #1524738 - Nginx denies request methods: PUT, DELETE and OPTIONS.
* Issue #1475416 - Unable to install Barracuda due to Ægir failed install.
* Issue #1478984 - Add Access-Control-Allow-Origin header with wildcard where required.
* Issue #1479188 - Octopus does not respect _DNS_SETUP_TEST setting on upgrade.
* Issue #1505370 - Conflict between Mime Type and Document Type in Nginx.
* Issue #1515762 - Nginx microcaching should skip all known AJAX requests.
* Issue #1526382 - The _PHP_CLI_VERSION set in cnf file is not respected.
* Issue #1527852 - Random WSOD on D7 sites with Redis enabled for anonymous visitors.
* Issue #1528692 - Both cache_backport and redis modules are never added on upgrade.
* Issue #1528726 - Redis caching backend should be unified across all instances.
* Issue #1528996 - Nginx microcaching should use TTL 1s only for upstream errors.
* Issue #1534306 - Duplicate directives break Dotdeb Nginx version.
* Issue #1539512 - Keep custom Redis configuration during upgrade.
* Issue #1540112 - HEAD install fails on Debian Squeeze 32bit.
* Issue #1540242 - Add useful codecs to ffmpeg if enabled.
* Issue #1541334 - Add kvm to supported virtualization systems.
* Issue #1544144 - Use $server_name instead of $host in all sites/ paths.
* Issue #1547878 - Port 11371 should be open for outgoing connections.
* Issue #1553150 - Both php.ini and my.cnf config files get overridden upon upgrade.
* Issue #1553166 - Disable incompatible mysql config options.
* Issue #1554972 - PHP cli downgraded to 5.2 on upgrade with _PHP_MODERN_ONLY=YES
* Issue #1556192 - Upgrade Entity API to head to fix issue with Drupal 7.14
* Issue #1585348 - Disable openchurch_video_demo_content to avoid fatal error.
* Kill nash-hotplug if running.
* Lower some my.cnf defaults to better support low mem systems.
* Make default myisam_sort_buffer_size big enough to run repair if required.
* Make sure that /dev/null has correct permissions.
* Pass some expected headers when using local proxy.
* Remind people that they should use their own email address or exit early.
* Remove deprecated Nginx config includes and use symlinks for backward compatibility.
* Sanitize important variables early.
* Save 330 seconds with 3x faster spinner.
* Set hosting_queue_cron_frequency to 8888 weeks by default to really use schedule
defined via hosting_advanced_cron module and never override it.
* Share and symlink civicrm code.
* Skip _AEGIR_LOGIN_URL in the debug mode - it is empty then.
* Update mime.types for Nginx.
* Use _FULL_FORCE_REINSTALL when recovering from broken/partial install automatically.
* Use faster locations matching where possible in the Nginx config.
* Use higher values for limit_conn in Nginx to avoid issues when required.
* Use loglevel warning in Redis config.
* Use safe placeholders to avoid issues on low-mem machines.
### Stable Edition BOA-2.0.2
### Date: Thu Feb 9 14:00:00 EST 2012
### Installs Ægir 2.0.2
# Note on new and updated platforms and new Drupal core:
All 6.x and 7.x platforms have been updated with latest core,
so they are all in fact new in this BOA Edition, but we list here
only really new platforms or those with new version released
since last BOA Edition, with one exception: we list also basic
6.24.1 and 7.12 platforms as new.
Please note that instead of waiting for 6.25, we already
included patches required to fix major issues with 6.24:
http://drupal.org/node/1425868
http://drupal.org/node/1425260
Our Pressflow 6.24.1 +Extra version includes not only listed
above patches, but also a few extra, performance related
patches discussed here:
http://groups.drupal.org/node/187209
Note also that we renamed too basic Acquia 7.x platform to
Ubercart 3.x platform. It is based on the same acquia install
profile, but includes all contrib modules required for any
basic Ubercart 3.x site.
NOTE: before you will try to upgrade any of your sites,
please read our important how-to:
http://omega8.cc/the-best-recipes-for-disaster-139
http://omega8.cc/are-there-any-specific-good-habits-to-learn-116
http://omega8.cc/managing-your-code-in-the-aegir-style-110
REALLY, PLEASE READ IT TO AVOID SOME HEAVY HEADACHES!
# New Octopus platforms:
Drupal 7.12 ------------------ http://drupal.org/drupal-7.12
NodeStream 2.0-alpha6 -------- http://nodestream.org
OpenPublish 3-alpha3 --------- http://openpublishapp.com
Pressflow 6.24.1 ------------- http://pressflow.org
Ubercart 3.0.1 --------------- http://ubercart.org
# Updated Octopus platforms:
Acquia Commons 2.4 ----------- http://acquia.com/drupalcommons
Commerce Kickstart 1.3 ------- http://drupalcommerce.org
ELMS 1.0-alpha6 -------------- http://elms.psu.edu
Open Atrium 1.2.1 ------------ http://openatrium.com
Open Deals 1.0-beta7 --------- http://opendealsapp.com
Open Outreach 1.0-beta7a ----- http://openoutreach.org
ProsePoint 0.43 -------------- http://prosepoint.org
Videola 1.0-alpha2 ----------- http://videola.tv
# New features:
* Barracuda now supports Debian Lenny to Squeeze major upgrade.
Of course you should create full backup image before running
this major system upgrade, just in case, but all the rest
is fully automated - it is enough to set advanced configuration
option in Barracuda to _LENNY_TO_SQUEEZE=YES and run Barracuda
as usual. It will upgrade your system to Squeeze and re-build
everything, with almost no downtime during the upgrade.
You will still need to reboot the server when it will complete
all upgrades.
Important: Debian Lenny reached EOL on February 6, 2012.
Details: http://lists.debian.org/debian-announce/2012/msg00001.html
* All new 7.x sites now run on latest PHP-FPM 5.3.10 by default.
For existing sites it is enough to re-verify them in your
Ægir control panel to get them on PHP-FPM 5.3.10 automatically.
All existing and new 5.x sites run on the old PHP-FPM 5.2.17
version by default and you can't change that.
You can still choose between PHP-FPM 5.2.17 and 5.3.10 for
all your 6.x sites - just let us know via http://omega8.cc/support
that you wish to switch to 5.3.10 - but make sure first that all
your 6.x sites are fully PHP 5.3 compatible. By default all
6.x sites still run on PHP-FPM 5.2.17.
Of course you could choose 5.3.10 for 6.x sites on one Octopus
instance and 5.2.17 on another - on the same server. Just one more
reason to use Octopus built-in intelligence :)
All of this works the same both for Ægir Master Instance
and all Ægir Satellite Instances.
* Both Speed Booster, Boost and Redis/Memcached supports separate
caches per mobile device, so it is safe to use separate themes
or content for mobile devices. We use simple logic to determine
the kind of device and there are separate cache bins for
mobile-tablet, mobile-smart and mobile-other.
You can review it here: http://bit.ly/wYz6PG
* Purge module is now enabled by default in all 6.x and also 7.x
sites. Now Speed Booster works like a Boost - it expires
immediately the cache for any node/page as soon as it has been
edited or comment added. It also automatically expires the cache
for the homepage and RSS feed at once. You no longer need to wait
up to one hour for Speed Booster cache expiration. Plus, unlike
in Boost, it purges all separate caches for all mobile devices
along with non-mobile cache, at once. Now you have a good reason
to disable Boost and use our crazy fast Speed Booster only.
* You can use GeoIP data provided by your Nginx server
in your custom code or modules with variables:
$_SERVER['GEOIP_COUNTRY_CODE'] and $_SERVER['GEOIP_COUNTRY_NAME']
to display content or block depending on the visitor's country.
You can check/review it from your location also on command line
with: 'curl -I http://your-domain' - you will see GeoIP headers.
* You can safely manage Clients/Users attached to hosted sites
in your Ægir interface. Make sure that all sites have its
associated Client! Otherwise the site will be listed as available
for all Clients/Users you have added. The site can lost its
association with Client after Clone task if there is any
non-alphanumeric value in the Client name, like &.
* CloudFlare specific header 'CF-Connecting-IP' is now supported
out of the box and available as standard $_SERVER['REMOTE_ADDR']
in all 5.x, 6.x and 7.x platforms without any contrib module.
* You can disable both Boost and Speed Booster on the fly
by adding ?nocache=1 to any URL. Useful for debugging.
* Speed Booster offers now also ESI microcaching, as explained
in this article: http://groups.drupal.org/node/197478.
This may enhance not only anonymous visitors, but also
logged in users experience, since it allows you to separate
microcache for ESI/SSI includes (valid for just 15 seconds)
from both default Speed Booster cache for anonymous visitors
(valid by default for 3 hours, unless purged on demand via
recently introduced Purge/Expire modules) and also from
Speed Booster cache per logged in user (valid for 60 seconds).
The ESI module is included in all 6.x platforms but is not
enabled and not configured automatically, so please consult
its documentation for details on how to use it properly.
Now you have three different levels of Speed Booster cache
to leverage and deliver the 'live content' experience for
all visitors, and still protect your server from DoS or
simply high load caused by unexpected high traffic etc.
* Automatic configuration of options required when Barracuda
detects _VMFAMILY=AWS (Amazon EC2).
* Both _NGINX_WORKERS and _PHP_FPM_WORKERS are now configurable.
* You can avoid overwriting /etc/mysql/my.cnf with empty
control file: $ touch /etc/mysql/custom.my.cnf
* You can avoid overwriting /opt/php52/etc/php52.ini on upgrade
with empty control file: $ touch /opt/etc/custom.php.ini
* You can avoid overwriting /opt/php52/lib/php.ini on upgrade
with empty control file: $ touch /opt/etc/custom.php.ini
* You can avoid overwriting /opt/php53/etc/php53.ini on upgrade
with empty control file: $ touch /opt/etc/custom.php53.ini
* You can avoid overwriting /var/spool/cron/crontabs/root on upgrade
by adding your extra/custom entries in the extra file:
$ nano /var/xdrago/cron/custom.txt
* You can avoid overwriting your CSF configuration on upgrade
with empty control file: $ touch /var/log/custom.csf.log
# New o_contrib modules:
* taxonomy_edge-6.x-1.3 (with core patch)
* taxonomy_edge-7.x-1.1 (with core patch)
* purge-6.x-1.x
* purge-7.x-1.x
* expire-6.x-1.x
* expire-7.x-1.x
# Changes:
* Nginx upgrade to 1.0.12
* Lshell upgrade to 0.9.15-beta1
* Percona upgrade to 5.5.19
* Chive upgrade to 1.0.2
* Git upgrade to 1.7.9
* Suhosin upgrade to 0.9.33
* Textile upgrade to 2.3
* Mytop is now installed by default.
* Drush based method for sites cron is more reliable and now set by default.
* More compact naming for platforms in Octopus.
* Speed Booster cache per logged in user now valid for only 60 seconds.
* Speed Booster anonymous cache now valid for 3 hours, unless purged.
* Extra $_COOKIE[OctopusCacheID] has been removed.
* We use $cache_uid from parent map (Nginx) in fastcgi_cache_key.
* Forced external caching only for Pressflow 6 core.
* Octopus installs by default: D7P D7S D7D D6P D6S D6D OAM.
* We no longer need to force Percona on Oneiric. MariaDB also works.
* We no longer need to force MariaDB on Lenny and MariaDB Natty on Oneiric.
* We no longer need to use Percona for Maverick on Natty and Oneiric.
* We use _THIS_DB_HOST=localhost by default.
* Secure/restricted access to manage users/clients is open by default
in every Ægir Satellite Instance also for the extra non-uid=1 admin.
* Users in every Ægir Satellite Instance are protected with userprotect
and protect_critical_users modules.
* Some default SQL limits have been increased.
* The insecure D7 plugin manager is now forced as disabled by default.
* The hosting_platform_pathauto module is now enabled in Ægir by default.
* The provision_boost module is now added and enabled in Ægir by default.
# Fixes:
* Simplified Nginx config with 'modern', 'octopus' and 'legacy' templates.
* Removed duplicate code and fixed caching logic for D5, D6 and D7.
* Fixed logic for ESI microcache and Boost cache.
* Removed imageinfo_cache module. It breaks platforms with imagecache module.
* Disable deslash in globalredirect to avoid redirect loop.
* Load IonCube also in php-cli.
* Use core version in paths for all platforms.
* Make sure that 301 redirects are only microcached - 5 seconds by default.
* Do not run duplicate PHP-FPM rebuild on upgrade when there is
no new DB server version installed/available.
* Set boost_ignore_htaccess_warning to 1 by default.
* Use provision_civicrm 6.x-1.x branch instead of outdated master.
* Fix for broken regex on lshell.conf update per user.
* All broken symlinks in the clients directory now deleted daily.
* All broken symlinks in the lshell user home directory now deleted daily.
* Avoid breaking Ægir upgrade because of high load.
* Set correct loglevel for Redis to avoid useless I/O noise.
* Add curl as allowed command to lshell default config.
* Use faster download instead of git for Pressflow core.
* Issue #1432668 - Octopus username should never start with a digit.
* Issue #1408972 - Make nginx rewrites compatible with audio module.
* Issue #1428990 - Load memcache in php-cli.
* Issue #1408200 - AgrCache breaks aggregation and should be removed.
* Issue #1420758 - Make sure that Nginx config includes are really used
on initial Barracuda install.
* Issue #1418608 - Add --with-xmlrpc in the PHP-FPM build by default.
* Issue #1396204 - Add GeoIP support in Nginx by default
* Issue #1394152 - Build PHP-FPM with --enable-calendar by default.
* Issue #1392498 - Do not overwrite CSF configuration on Barracuda upgrade.
# Recommendations:
* Use _FORCE_GIT_MIRROR=github because it is 10x faster than others.
### Stable Edition BOA-2.0.1
### Date: Wed Dec 28 07:00:00 EST 2011
### Installs Ægir 2.0.1
# New Octopus platforms:
ELMS 1.0-alpha5 -------------- http://elms.psu.edu
Open Deals 1.0-alpha4 -------- http://opendealsapp.com
Open Outreach 1.0-beta6 ------ http://openoutreach.org
# Updated Octopus platforms:
Acquia 7.10.10 --------------- http://bit.ly/acquiadrupal
Acquia Commons 2.3 ----------- http://acquia.com/drupalcommons
CiviCRM 3.4.8 ---------------- http://civicrm.org
CiviCRM 4.0.8 ---------------- http://civicrm.org
Commerce Kickstart 1.0-rc7 --- http://drupalcommerce.org
Drupal 7.10 ------------------ http://drupal.org/drupal-7.0
Managing News 1.2.1 ---------- http://managingnews.com
NodeStream 1.1 --------------- http://nodestream.org
Open Atrium 1.1.1 ------------ http://openatrium.com
OpenChurch 1.22-a ------------ http://openchurchsite.com
OpenScholar 2.0-beta13 ------- http://openscholar.harvard.edu
ProsePoint 0.41 -------------- http://prosepoint.org
# New features:
* Speed Booster Purge Server for all Drupal 6.x based platforms
with automatically configured support for all devices caching.
* Enhanced Pressflow core for all bundled 6.22 based platforms,
applied automatically also to already installed platforms:
https://github.com/omega8cc/pressflow6
* Added access to the "clients" directory with shortcuts/symlinks
to all hosted sites per Ægir "client".
# New o_contrib modules:
* ESI for Nginx SSI - http://drupal.org/sandbox/mikeytown2/1328648
* Purge for Speed Booster - http://drupal.org/project/purge
* Expire for Speed Booster - http://drupal.org/project/expire
# Changes:
* Nginx upgrade to 1.0.11
* MariaDB upgrade to 5.2.10
* Percona upgrade to 5.5.18
* Chive upgrade to 1.0.1
* Pure-FTPd upgrade to 1.0.35
* The syslog module is no longer enabled by default and added
to the list of automatically disabled modules.
# Fixes:
* Mobile devices detection and caching improved.
* Many fixes and enhancements for Speed Booster caching logic.
* Many fixes and enhancements for Boost caching logic.
* More reliable Nginx auto-healing.
* Broken symlinks in the "clients" directory are now purged daily.
* The preg_match for dev should check for dev. and devel. only.
* Issue #1366564 - Use instance specific .octopus.cnf files.
* Issue #1262988 - Use reliable test for upload progress availability.
* Issue #1350028 - Make sure that all BOA pid files are removed on reboot.
* Issue #1348906 - BOND script outdated _INSTALLER_VERSION variable fixed.
* Issue #1321428 - Make sure that _SSH_PORT is written in /etc/ssh/sshd_config.
### Stable Edition BOA-1.4S
### Date: Mon, 24 October 2011 14:00:00 +0200
### Installs Ægir stable 1.4S
# Updated Octopus platforms:
Acquia 7.8.7 ----------------- http://bit.ly/acquiadrupal
Acquia Commons 2.2 ----------- http://acquia.com/drupalcommons
CiviCRM 3.4.7 ---------------- http://civicrm.org
CiviCRM 4.0.7 ---------------- http://civicrm.org
Commerce Kickstart 1.0-rc4 --- http://drupalcommerce.org
OpenPublic 1.0-beta3 --------- http://openpublicapp.com
Ubercart 6.x-2.7 ------------- http://ubercart.org
# New features:
* Mobile devices detection for mobile-tablet, mobile-smart and mobile-other.
* Mobile devices detection integrated with Redis/Memcached caches.
* Mobile devices detection integrated with Boost cache.
* Mobile devices detection integrated with Speed Booster cache.
* Responsive Images 7.x module support.
* New .barracuda.cnf and .octopus.cnf files for better configuration management.
* Ubuntu Oneiric 11.10 is now fully supported.
* Issue #1266912 - Support for Apache Solr Attachments - Tika.
* Issue #1310082 - Disable XML Sitemap for dev automatically.
* Support for fbconnect module.
* Support testing->minimal->standard migrations for D7 out-of-the-box.
* The Speed Booster $key_uri enhanced logic included in the default Nginx config.
# Changes:
* Nginx upgrade to 1.0.8
* Create mobile cache separate subdirs for Boost by default.
* _MODULES_ON and _MODULES_OFF now forced also for D7 sites.
* Do not force hosting_ignore_default_profiles by default.
* Some o_contrib modules received updates - use _O_CONTRIB_UP=YES to apply them.
* Allow 'contrib' subdirectory in the modules path for allowed PHP files.
* Issue #1309996 - Extended support for common modules locations/paths.
* Issue #1305542 - Do not overwrite php.ini and my.cnf if control files exist.
* Add collectd to the auto-healing monitor and automated restart.
* Disable l10n_update module by default to avoid issues when d.o servers are down.
* Updated docs/SOLR.txt to explain how to configure any core to support 7.x.
* Duplicate parts of Nginx config moved to maps in the parent server.tpl.php file.
* Add 'drush pmi' to the list of displayed/allowed commands.
* Issue #1243068 - Allow to override in override.global.inc also Redis/Memcached etc.
* Deny known crawlers on the HTTPS proxy level.
# Fixes:
* The wkhtmltopdf binary should be always executable if exists.
* Issue #1238200 - Use custom _SSH_PORT only in TCP_IN.
* Make sure the keys for MariaDB or Percona are added to avoid broken install.
* Issue #1307664 - Test repo.percona.com and ftp.osuosl.org availability.
* Issue #1262988 - Missing upload_progress_test.conf breaks upgrade for older installs.
* Issue #1281896 - Add some missing video types to mime.types in the Nginx config.
* Do not use path_alias_cache in the Hostmaster site to avoid broken URL aliases.
* Issue #1270724 and #1263124 - really use /tmp directory during 'drush dl module'.
* Do not break admin/reports/status/rebuild URL in D7.
### Stable Edition 1.0-boa-T-8.10
### Date: Mon, 5 September 2011 16:15:00 +0200.
### Installs Ægir stable 1.3.1
# New Octopus platforms:
OpenChurch 1.21 -------------- http://openchurchsite.com
# Updated Octopus platforms:
Acquia 7.7.6 ----------------- http://bit.ly/acquiadrupal
Acquia Commons 2.0 ----------- http://acquia.com/drupalcommons
CiviCRM 3.4.5 ---------------- http://civicrm.org
CiviCRM 4.0.5 ---------------- http://civicrm.org
Conference 1.0-beta2 --------- http://usecod.com
Drupal 7.8 ------------------- http://drupal.org/drupal-7.0
Drupal Commerce 1.0 ---------- http://drupalcommerce.org
OpenPublic 1.0-beta2 7.8 ----- http://openpublicapp.com
Ubercart 2.6 6.22 ------------ http://ubercart.org
# Changes:
* Drush Make upgrade to 2.3
* Drush upgrade to 4.5
* Nginx upgrade to 1.0.6
* MariaDB upgrade to 5.2.8
* Higher limit_conn for AdvAgg to support high async connections rate.
# Fixes:
* Tomcat runs as a separate 'tomcat' user instead of root.
* Issue #1250448 - Textile 7 requires Vars module.
* Issue #1248432 - support for CNAME records in the DNS check.
# New features:
* HTTP/HTTPS redirects example in the override.global.inc file.
* Enabled by default HTTPS and HTTP sessions/cookies for D7.
* Issue #1243068 - Allow to override $cache_module_path.
### Stable Edition 1.0-boa-T-8.9
### Date: Sat, 30 July 2011 23:50:00 +0200.
### Installs Ægir HEAD 1.2.1
# Updated Octopus platforms:
Drupal 7.7 ------------------- http://drupal.org/drupal-7.0
Acquia 7.7.5 ----------------- http://bit.ly/acquiadrupal
OpenPublic 1.0-beta1 7.7 ----- http://openpublicapp.com
Drupal Commerce 1.0-rc1 ------ http://drupalcommerce.org
Open Atrium 1.0 6.22 --------- http://openatrium.com
ProsePoint 0.40 6.22 --------- http://prosepoint.org
# Fixes:
* Two critical cache related bugs fixed in Nginx 1.0.5.
* Critical Issue #1222208 - broken web-based cron for sites.
* Issue #1223506 - cloning a site looses client site ownership.
* Missing jquery.ui symlink in Conference COD breaks install.
* Issue #1230420 - do not purge /tmp too aggressively.
* Issue #1234470 - SSL proxy didn't respect HTTP wildcard.
* Boost's false alarm about permissions silenced.
* Permissions for sites/domain/private/* also fixed daily.
# Changes:
* Nginx upgrade to 1.0.5
* Chive upgrade to 0.5.1
* Web-based method set by default for sites cron in Ægir.
# New features:
* Speed Booster Purge experimental backend can be installed,
but is not used in production yet - see _PURGE_MODE flag
and Issue #1048000.
### Stable Edition 1.0-boa-T-8.8
### Date: Thu, 15 July 2011 08:00:00 +0200
### Installs Ægir stable 1.2
# New Octopus platforms:
Drupal 7.4 ------------------- http://drupal.org/drupal-7.0
CiviCRM 3.4.4 ---------------- http://civicrm.org
CiviCRM 4.0.4 ---------------- http://civicrm.org
Videola 1.0-alpha1 ----------- http://videola.tv
# Updated Octopus platforms:
OpenPublic 1.0-beta1 7.4 ----- http://openpublicapp.com
Drupal Commerce 1.0-beta4 ---- http://drupalcommerce.org
Acquia Commons 1.7 ----------- http://acquia.com/drupalcommons
Acquia 7.4.4 ----------------- http://bit.ly/acquiadrupal
OpenScholar 2.0-beta11 ------- http://openscholar.harvard.edu
Conference 1.0-beta1 --------- http://usecod.com
# New features:
* Speed Booster can be disabled per site or per platform.
* Redis/Memcached can be disabled per site or per platform.
* Redis/Memcached chained cache enabled also for anonymous visitors.
* Support for private_upload module added.
* Support for static sites/domain/files/robots.txt file per site #1173954.
* New _HTTP_WILDCARD Barracuda option for Nginx configuration #1152316.
* New _XTRAS_LIST Barracuda option to define extras to be used.
* Scripts to add extra ftp or lshell standard or lshell master users.
* New _PLATFORMS_LIST Octopus option to configure the list of platforms.
* You can migrate sites between some installation profiles by default:
Drupal/Pressflow -> Acquia
Acquia -> Drupal/Pressflow
Acquia -> CiviCRM 3
Cocomore/CDC/DrupalCenter -> Pressflow
* New _O_CONTRIB_UP Octopus option to upgrade last two contrib sets.
# Changes:
* Migration from commercedev to commerce_kickstart profile.
* More system info stored in BOA logs to help with debugging.
* Nginx config - deny access to /hosting/c/server_master.
* Better how-to in the override.global.inc template.
* Chive upgrade to 0.4.2
* Nginx upgrade to 1.0.4
# Fixes:
* OpenPublic password policy issue fixed on site install.
* OpenScholar missing libraries issue fixed.
* Issue #1213094 - FServer platform missing module fixed.
* Mollom problem when running via (SSL) proxy fixed.
* Issue #1209150 - always use _MY_OWNIP when defined.
* Issue #1208386 - fix for broken csf configuration template.
* Boost cache write permissions after site migration fixed.
* Nginx config - better support for CiviCRM.
* Issue #1198572 - do not run SMTP check if _SMTP_RELAY_HOST is set.
* Forced PHP-FPM rebuild on MariaDB 5.2.7 upgrade.
* Issue #1196006 - fixed Nginx X-Accel-Redirect support.
* Security Issue #1197172 - bypass access restrictions to protected files fixed.
* Issue #1182680 - fixed support for backup_migrate module.
* Issue #1182582 - fixed search paths for node.js, image.jpg etc.
* Critical Issue #1183500 #1182660 - fall back to the wildcard * in Nginx.
* Issue #962188 - Nginx version check in vhost.tpl.php now works.
* Issue #1170498 - Extra config variable was missing in Nginx config templates.
* Percona upgrade path fixed.
* Broken dev version of the backup_migrate module replaced with stable.
* Use correct platforms versions numbers in the ftp symlinks.
### Stable Edition 1.0-boa-T-8.7
### Date: Mon, 30 May 2011 11:40:00 +0200
### Installs Ægir HEAD 1.1.2
1. Fixed critical issue with MariaDB upgrade from 5.1 to 5.2
2. Fixed critical issue with Nginx build.
3. Fixed critical issue with Feature Server platform build.
4. Added upgrade monitor.
### Stable Edition 1.0-boa-T-8.6
### Date: Sun, 29 May 2011 13:30:00 +0200
### Installs Ægir HEAD 1.1.2
----------------------------------------
# Added or upgraded since January 2011
----------------------------------------
* Added support for install and upgrade to Percona Server 5.5
* MariaDB server upgraded to version 5.2.6.
* Nginx server upgraded to version Barracuda/1.0.2
* Added support for Debian Squeeze and Ubunty Natty.
* Open Atrium includes extra features:
Atrium Folders: http://bit.ly/oafolders
Ideation: http://bit.ly/oaideation
* Hostmaster platform comes with ready to enable extra modules:
http://drupal.org/project/hosting_backup_queue
http://drupal.org/project/hosting_backup_gc
http://drupal.org/project/hosting_upload
* New Octopus platforms:
OpenPublic 1.0-beta1 --------- http://openpublicapp.com
NodeStream 1.0 --------------- http://nodestream.org
Drupal Commons 1.6 ----------- http://acquia.com/drupalcommons
OpenScholar 2.0-beta10-1 ----- http://openscholar.harvard.edu
Conference 1.0-alpha3 -------- http://usecod.com
Open Enterprise 1.0-beta3 ---- http://leveltendesign.com/enterprise
Acquia 7.2.2 ----------------- http://bit.ly/acquiadrupal
Drupal Commerce 1.0-beta3 ---- http://drupalcommerce.org
* Basic Drupal 6 and Drupal 7 platforms now come in three instances,
to make your standard workflow easier for: -dev, -stage and -prod,
with correct suffix: D.00x, S.00x and P.00x in the platform name.
* Speed Booster cache for 5.x, 6.x and 7.x Drupal platforms.
This new feature adds super fast caching for anonymous visitors,
and yes! - also for logged in users (cache per user) directly on
the web server level - no Drupal module required.
It works for all platforms, except of Ubercart, Commerce
and any platform with ubercart in sites/all/modules/ubercart.
* Support for secure ubercart keys location to use ../keys path.
* The filefield_nginx_progress now also in every 7.x platform.
* Drush upgraded to version 4.4
* Drush Make upgraded to version 2.2
* Redis cache server upgraded to version 2.0.5
* PHP-FPM server upgraded to version 5.2.17
* APC upgraded to version 3.1.9
* Memcache extension replaced with memcached and libmemcached.
* Chive database manager upgraded to version 0.4.1
* Added support for robotstxt module in all new 6.x based platforms.
* Drush gm / generate-makefile command added as allowed to lshell.
* Git over ssh added as allowed to lshell.
----------------------------------------
# Improvements since January 2011
----------------------------------------
* Speed Booster now works also in the Ægir Master Instance.
* Full Barracuda install takes only 30 minutes (tested on Linode).
* Nginx abuse guard is now integrated with csf firewall.
* Bots/crawlers are now denied on any "dev" type subdomain.
* The pdnsd server install is now optional.
* The csf/lfd firewall install is now optional.
* Limited shell configuration is now updated on every upgrade.
* Auto-tuning in Barracuda leaves more memory for MyISAM etc.
* Ægir runs cron for D5 and D6 sites using Wget instead of Drush
to leverage APC cache, while D7 can use built-in poormanscron.
* Many improvements in the Speed Booster cache configuration.
* Improved memcached/redis cache bins configuration.
* The o_contrib modules now symlinked also in custom platforms.
* Boost directories created automatically also in custom platforms.
* Improved web server self-healing monitor.
* PHP notices no longer displayed for dev subdomains, only errors.
* Many improvements in the Nginx configuration - now it's faster.
* Permissions on uploaded modules, themes and files are now
automatically fixed every morning to help with post-import issues.
* Almost all 6.x platforms now come with performance related
modules already enabled and configured on site install by default.
* Nginx config - now doesn't use php-fpm to serve fckeditor files.
* Introduced possibility to add upgrade-safe custom Nginx rewrite
rules to support transparent migration of legacy URLs/content.
* Ægir Hostmaster control panel received extra caching and speed.
* Better support for securepages 1.9 with forced secure cookies.
* Better support for dynamically created base_url for http/https.
* Too generic D7 profile names replaced with unique Drupal 7 names.
* A few new commands have been added to your Ægir Drush Shell (SSH).
* You can use git to manage the code and rsync to manage backups.
* Useful new commands from Drush v.4 are now available.
* Now it is possible to delete old sites backups created in Ægir.
* You can access Ægir backups also via SSH or SFTP/FTPS.
* You can cancel queued task in Ægir before it is started.
* The "dev" anywhere in the subdomain enables all PHP errors.
* You can use "dev" type alias for live site for easier debugging.
* Added support for imagecache_external module.
* It is possible to safely delete any not used platforms on request.
* Access to static files allowed only for currently used domain.
* Added crossdomain.xml in the root of every new platform.
* New rewrite introduced to map /files to /sites/domain/files,
/images to /sites/domain/files/images and
/downloads to /sites/domain/files/downloads.
* The standard /update.php works again, however using "drush dbup"
command is recommended.
* The "drush mup" command allows now to upgrade contributed modules.
----------------------------------------
# Fixes since January 2011
----------------------------------------
* Auto-healing no longer starts concurrent servers when InnoDB start
takes more time on servers with big or many databases.
* Hostname is no longer reverted to default on Linode and similar.
* Barracuda supports now both old and new Mailx behavior.
* All platforms paths and symlinks include core version numbers.
* Fixed some memory issues with Virtuozzo family systems.
* Fixed issue with broken site when non-lowercase domain was used
on Migrate or Clone task.
* Fixed upgrade path for Drupal 5
* Fixed double slash in the images paths issue in the Pressflow core.
* Speed Booster cookies shouldn't be sent for imagecache/styles
and AdvAgg module dynamic requests.
* Speed Booster shouldn't cache imagecache/styles and AdvAgg module
dynamic requests on the Nginx level.
* Nginx upgrade to 1.0.0 fixes known issue with random but very high
CPU load on Nginx server configuration reload/restart.
* Fix for critical bug causing sessions issues on older sites without
$cookie_domain set in settings.php when speed booster is enabled.
* The session.cookie_secure is no longer forced in D6 platforms.
* Security issue #1098304 - domain aliases were not sanitized.
* Nginx config - proper fix for broken wysiwyg pop-ups.
* Fixed issue with Nginx configuration for private files access.
* The authorize.php added to allowed php files - required in D7.
* Known issue with paths to files not rewritten is now fixed.
* Known issue with sites cron semaphore in Ægir now resolved.
* Known issue with PHP notices breaking some Ægir tasks resolved.
* Fixed web server rewrites to support "ad" module.
* Fixed Ægir issue with .info and .pl domains extensions.
* Drush make via SSH now works as expected.
* Fixed Nginx issue with /system/ paths and static files or images.
* Fixed issue with broken site when non-lowercase domain was used.
----------------------------------------
# Other changes
----------------------------------------
* Forced public downloads for all 6.x platforms, except of ubercart.
* Boost crawler option is now denied for performance reasons.
* Forced log-out on browser quit only for Ægir control panel.
### Project and issue queue moved to Drupal.org
### Date: Sat, 7 May 2011 14:00:00 +0200
### http://drupal.org/project/barracuda
### http://drupal.org/project/octopus
### Stable Edition 1.0-boa-T-8.5
### Date: Tue, 3 May 2011 14:30:00 +0200
### Installs Ægir stable 1.1
### Stable Edition 1.0-boa-T-8.4
### Date: Sun, 1 May 2011 23:30:00 +0200
### Installs Ægir stable 1.1
### Stable Edition 1.0-boa-T-8.3
### Date: Sat, 30 Apr 2011 20:15:00 +0200
### Installs Ægir stable 1.1
### Stable Edition 1.0-boa-T-8.2
### Date: Tue, 26 Apr 2011 21:45:00 +0200
### Installs Ægir stable 1.1
### Stable Edition 1.0-boa-T-8.1
### Date: Wed, 20 Apr 2011 19:30:00 +0200
### Installs Ægir stable 1.1
### Stable Edition 1.0-boa-T-8
### Date: Mon, 18 Apr 2011 20:15:00 +0200
### Installs Ægir stable 1.0
### Stable Edition 1.0-boa-T-5
### Date: Fri, 8 Apr 2011 19:15:00 +0200
### Installs Ægir working HEAD after 1.0-rc6
### Stable Edition 1.0-boa-T-2
### Date: Wed, 6 Apr 2011 01:34:40 +0200
### Installs Ægir working HEAD before 1.0-rc3
### Stable Edition 1.0-boa-T
### Date: Mon, 14 Mar 2011 02:43:15 +0100
### Stable Edition 0.4-boa-C
### Date: Thu, 10 Feb 2011 04:41:57 +0100
###
For changes/improvements between 2010-09-24 and
2010-12-31 please see comments in the commits history.
###
### Thu, 2010-09-23 17:30 - Edition 0.4-HEAD-A14.B
Added/Fixed: (upgrade for all pre-A14.A required)
1. Introducing default SSL Wildcard Nginx Proxy.
Works for all sites/hostmaster instances on
the same server and can be used also for
encrypted connections to Chive and Collectd.
Doesn't interfere even with SSL enabled sites
on the same IP (with separate certs).
2. The redirects are now back and enhanced.
Fully compatible with Nginx in any combination
with aliases and SSL settings/modes.
3. Barracuda and Octopus by default installs still
Ægir HEAD, but the latest alpha14 also works.
4. Octopus can define its separate IP address
if available.
5. Fixed issue with too aggressive Hot Sauce check,
causing creating not shared copies of code
for platforms on every install or upgrade.
6. Barracuda and Octopus now allows to skip DNS
test, to make it possible to install on any
virtualbox with dynamic DNS/IP etc. There is
no guarantee it will work, but another switch
is now available, if someone needs it.
7. Octopus can now turn off local Memcache and Redis
caches and switch all sites to use defined remote
caches.
8. Forced /etc/apt/sources.list rewrite also before
the Barracuda system upgrade.
9. Fix for the already installed and possibly broken
git-core.
10. Fix for Ægir sites with .info domains, the path
alias should now work without 403 error.
### Fri, 2010-09-17 11:00 - Edition 0.4-HEAD-A14.A
Added/Fixed: (upgrade required)
1. Barracuda and Octopus by default installs now
Ægir HEAD to use the fix for critical issue
on sites import. It will be included in alpha14,
please don't use alpha13.
2. Debian Lenny on 32bit systems works again.
Fix for broken git-core after upgrade
to version: 1:1.5.6.5-3+lenny3.1 on Lenny 32bit.
3. Fix and better inline warnings/info about
missing locales at Linode and RackSpaceCloud.
4. More details in the installer log for better
debugging and version tracking.
5. E-mail address for alerts on database repair
started by auto-healing now correctly replaced.
6. Redis for Lenny now built from sources due to
apt version moved already to Squeeze.
7. Critical bugfix for failed platforms install
when hostmaster is not upgraded.
8. Introducing simple edition archive:
http://omega8.cc/dev/bo-a14a.tar.gz
9. Octopus now better supports using newer shared
code for platforms and introduces new setting:
_HOT_SAUCE to allow forced fresh/hot code.
### Tue, 2010-09-12 21:50 - Edition 0.4-HEAD-A13.A
Added/Fixed: (upgrade recommended)
1. Octopus now creates SSH/FTPS separate, non-aegir
account for every Ægir Satellite Instance,
with limited shell to avoid using commands
like "drush up" since they should never be used
on sites managed in the Ægir system.
2. Octopus now by default sends a welcome email
with some useful intro information and access
details to the address defined as _CLIENT_EMAIL.
3. When Octopus is used the first time to create
an Ægir Satellite Instance, it doesn't allow
to skip installing all platforms, since it is
recommended to add all available platforms with
initial install, for easier re-using the code
by next Ægir Satellite Instances.
4. The second and all future non-core Hostmaster
installs allow to choose one or more platforms
or to skip adding platforms at all.
5. Octopus by default honors initial domain used
for the Ægir Satellite Instance on every
upgrade to avoid mistakes with using different
copies of the script for different Ægir
Satellite Instances upgrades.
6. Also Barracuda will always honor initial
domain used for the core Hostmaster to avoid
mistakes on upgrade when you don't use
the original version of the script.
7. Better checks if the script is running as root.
8. Removed memcache module since cache is used.
9. SMTP connection test is now optional.
10. Nginx version set to 0.8.50.
11. By default Ægir 0.4-HEAD instead of alpha13
is now installed to fix critical issues with
importing sites.
See also: http://drupal.org/node/907248
12. Solr and Chive are now optional (Yes/no).
13. Added optional install of Collectd monitor.
14. Fixed issue with SSL mode.
15. Better compatibility for upgrades from
pre-Barracuda Nginx installs.
16. Now it doesn't start cron before completing all
install tasks to avoid breaking spinner.
17. Both Barracuda and Octopus now can better
support re-starting stopped install/upgrade.
18. Octopus now refuses to run if defined domain
doesn't resolve yet to the server IP address.
19. Octopus now refuses to run on system not
created initially by Barracuda installer.
20. Custom FQDN hostname is now forced (if defined)
in Barracuda before running DNS checks.
21. Fix for some missing mime types in vanilla Nginx.
22. Updated versions of Open Atrium, Drupal Commons
and Cocomore Drupal distros installed by Octopus.
23. Lowered memory defaults in the MariaDB configuration.
### Tue, 2010-08-31 23:50 - Edition 0.4-HEAD-A12.D
Added/Fixed: (upgrade recommended because it works!)
1. Upgrade of Ægir Master Instance by Barracuda
and upgrade of Ægir Satellite Instances by Octopus
finally works as expected.
2. It is now possible to use Barracuda to install
environment and Ægir Master Instance, to
upgrade only environment, to upgrade only Ægir
Master Instance, or both at the same time.
3. Octopus now can separately install and/or upgrade
any Ægir Satellite Instance or any platform
on any instance, separately, using detailed prompt
with version numbers and links to distributions
home pages.
4. New platform Cocomore Drupal added in Octopus:
http://drupal.cocomore.com
### Sat, 2010-08-28 20:15 - Edition 0.4-HEAD-A12.C
Added/Fixed: (upgrade recommended)
1. By default Ægir 0.4-HEAD with Drush 3.3
is now installed to fix critical issues with
importing sites. The fix is also available
as a patch for alpha12:
http://drupal.org/node/882970#comment-3382542
2. Both Barracuda and Octopus now allow to choose
if the Ægir Hostmaster will be upgraded or not.
3. Added versions numbers and links to all platforms
Yes/no prompts.
4. /tmp directory no longer used to avoid problems
due to secure noexec mount.
5. Improved readme and docs (in progress).
6. Removed old, no longer supported installer.
### Fri, 2010-08-27 04:15 - Edition 0.4-alpha12-A12.B
Added/Fixed: (upgrade optional)
1. Octopus now allows to install or upgrade only Ægir
Satellite Instance without any platforms added.
2. Enabled again early exit on the first error to avoid
confusing cascade of errors if something went wrong.
3. Both Barracuda and Octopus runs now faster.
### Thu, 2010-08-26 19:30 - Edition 0.4-alpha12-A12.A
Added/Fixed: (upgrade from previous versions recommended)
1. Barracuda now includes multicore Apache Solr Search,
Redis and Memcache.
2. Barracuda now can upgrade packages selectively.
Just run it again to upgrade the system and the
Ægir Master Instance.
3. Octopus can create many Ægir Satellite Instances
on the same server, each with different set of platforms,
but with ability to share the code between instances,
so you can use this system even on the low end VPS.
4. Chive database manager added by default with db.
subdomain (may require dns entry or wildcard).
### Thu, 2010-08-26 08:55 - Edition 0.4-alpha12-A12.A
Added/Fixed: (upgrade from previous versions recommended)
1. By default Ægir 0.4-alpha12 with Drush 3.3
is now installed.
2. Introduced new Octopus and Barracuda installers.
See README.txt for more information.
Both are in pre-alpha debugging phase.
3. All installers code and helpers now hosted on GitHub.
### Thu, 2010-08-18 21:30 - Edition 0.4-HEAD-A11.B
Added/Fixed: (upgrade from previous versions recommended)
1. By default Ægir 0.4-HEAD with Drush 3.3
is now installed.
2. Introduced support for Virtuozzo/OpenVZ IP address
automatic discovery.
### Thu, 2010-08-12 22:15 - Edition 0.4-alpha11-A11.A
Added/Fixed: (upgrade from previous versions recommended)
1. By default Ægir 0.4-alpha11 with Drush 3.3
is now installed.
2. PHP-FPM version is now 5.2.14.
3. Improved UX - only interesting status messages
are now displayed.
4. Hostmaster root directory now properly named using
Ægir version: '-0.4-alpha11' or '-HEAD'.
### Thu, 2010-08-12 06:10 - Edition 0.4-alpha10-A10.A
Added/Fixed: (upgrade from previous versions recommended)
1. By default Ægir 0.4-alpha10 with Drush 3.3
is now installed.
2. Nginx version is now 0.8.49, MariaDB is 5.1.49
and Drupal is 6.19.
3. Fixed freezing request on the first /admin hit.
4. Better tuned Nginx, PHP-FPM and MariaDB settings.
5. Various small improvements in the code.
### Thu, 2010-08-07 06:10 - Edition 0.4-alpha9-A9.F
Added/Fixed: (upgrade of existing installs not required)
1. By default latest HEAD from git.aegirproject.org
is now installed, due to critical bug found,
see this for details: http://drupal.org/node/874716
The default install will be reverted to 0.4-alpha10
when it will be released. You can use 0.4-alpha9 with
caution (just don't use remote servers new feature
to stay safe).
2. Fixed problem with setting up FQDN hostname on Linode
based servers. The fix can help also with other
providers probably.
3. Installer now writes date and version used in file:
/var/aegir/config/includes/installer_version.txt
### Thu, 2010-08-05 22:00
Added/Fixed: (upgrade of existing installs not required)
1. Fixed critical problem with Drush broken due to
change of URL to the required php library:
http://drupal.org/node/875196
2. Ægir version is now configurable. By default latest
0.4-alpha9 will be installed, but it is also possible
to install latest HEAD from git.aegirproject.org.
3. Ægir front-end (sub)domain is now configurable and
can be different than machine FQDN hostname.
4. Machine FQDN hostname and IP is now configurable.
5. Nginx version updated to 0.8.48.
6. Fixed progress spinner on Ubuntu.
7. Fixed problem with automatic ionCube loader
discovery of required version 32/64 bit.
### Mon, 2010-08-02 01:08
Added/Fixed:
1. Added automatic, full support for Ubuntu Lucid and Karmic.
2. If there is no FQDN hostname, we are trying to set it
using reverse IP hostname, if exists.
3. Now we are trying both `uname -n` and `hostname -f`
to make sure if the FQDN hostname is already set,
but not available with `uname -n` test.
4. Added support for ionCube Loader with automatic
discovery of required version 32/64 bit.
### Sat, 2010-07-31 18:00
Added/Fixed:
1. Simplified installer by removing unnecessary duplicate
prompts in the original embedded install script.
2. Check for SMTP outgoing port 25 now fully automated.
3. Even more fun added :)
### Fri, 2010-07-30 19:00
Added/Removed:
1. New all-in-one installer for Debian 5.0 Lenny
Ægir 0.4-alpha9 compatible.
2. Removed deprecated scripts & how-to.
### Sat, 2010-02-06 23:55
Added/Fixed:
1. Missing --with-libevent=shared added in php-fpm-install.txt
http://github.com/omega8cc/boa/issues/#issue/2
2. Debian specific stuff added in php-fpm-install.txt to allow
easy install on vanilla vps.
3. Xcache replaced with APC and Memcache install added.
### Wed, 2010-02-03 06:37
Added/Fixed:
1. mkdir for required cache dirs added in nginx-install.txt
http://github.com/omega8cc/boa/issues#issue/1
### Fri, 2010-01-29 06:37
Added/Fixed:
1. FCKeditor/CKEditor fix for .xml files.
2. Security: deny direct access to backup_migrate directory.
### Mon, 2010-01-11 01:46
1. Added custom fix required only when using purl, spaces & og
for modules: ajax_comments, watcher and fasttoggle.
2. Simplified rewrite rules for location @drupal
resolves also some problems with imagecache.
3. Changed order of try_files for Boost
to match newer version of dirs structure first.
### Tue, 2009-12-01 16:19
Added/Fixed:
1. Latest Boost compatibility for /cache/normal & /cache/perm.
2. Json cache for Boost added.
3. Fix for xml/feed Boost cache files with .html extension.
4. Fix for xml/feed Boost cache correct mime type.
================================================
FILE: DIFFERENT30Y.md
================================================
# 30 Years of Heritage
We are unique within the hosting industry for many important reasons. Our 15 years of Ægir-based hosting, plus earlier experience with Adgrafix (the first company to offer a control panel for website management in 1995), have helped shape what makes us different today.
Fun fact: Robert “Bo” Bennett, the founder of Adgrafix, started as a self-taught programmer and created the world's first web hosting control panel entirely in Perl. We continued to build on that fundation for almost ten years, adding shopping cart and marketing tools and the early BOA version -- everything in Perl. Why not in PHP? Because PHP was still in its infancy, since its early prototype 1.0 was released in June 1995 by Rasmus Lerdorf, while Perl 4 had been out since 1991 and was already a stable, mature, widely adopted language used both for server tools, websites backend and frontend.
## Why We’re Different
We avoid marketing noise. Think of us like your electricity provider — reliable, fast, essential. You know we’re there, running everything **silently and smoothly** in the background. No need for constant attention or distractions.
## Focus, focus, focus — like no one else
Our website has been running on GravCMS for years, but our hosting and associated service itself is 100% Drupal-focused — and has been for 15 years. Others have tried and failed to stay focused, adding WordPress and a dozen other platforms. That’s not how you become **best-in-class, fastest, and most trusted** by the open-source community.
## Technological sovereignty
We take **Open Source seriously** — it’s not a buzzword for us. It’s about freedom from corporate control. Here's a short look back at our 15-year Ægir journey and 19 years with Drupal.
Our BOA system is the most complete solution of its kind. It has been designed from the ground up to make Drupal hosting **faster, easier, safer, and more efficient** — especially for teams that don’t want to get lost in DevOps. It was always built on Debian OS, but we never accepted systemd, imposed by Red Hat. After years of battling, we switched fully to **Devuan** — the true Debian fork without systemd, built by Debian veterans.
At the same time, we stayed away from MariaDB, because it drifted away from MySQL compatibility and became vendor-focused. Instead, we adopted **Percona** — a truly open, compatible, and community-aligned database option. The same thing happened with Redis — the fast cache-in-memory server. As soon as Redis switched to a restrictive corporate license, we moved to the open-source **Valkey** fork.
Bottom line: BOA is **architected around technological freedom and independence**. We work for you — not for Oracle, Red Hat, investors or proprietary agendas. That matters, especially for universities, NGOs, and businesses who rely on no-compromise sovereignty. Make your high-traffic demanding Drupal sites **Lightning Fast and Secure** with our [**Pro Hosted Plans »**](https://omega8.cc/pro)
## Support for legacy Drupal versions
While Drupal 7 users were largely abandoned by core developers without an upgrade path to Drupal 8 and beyond, we still fully support Pressflow 6 and Drupal 7. We even maintain our own improved core forks, provide Drupal 7 LTS, and made Drupal 7 compatible with PHP 8.4 ages ago. Make your legacy Drupal sites **Fast and Secure** with our [**Basic Hosted Plans »**](https://omega8.cc/basic)
## Support for Ægir 3 and Drupal 11+
Many believed Ægir 3 would never support Drupal 9 — until we made it work. Same for Drupal 10. This year, we did it again and added Drupal 11 support to Ægir — a “mission impossible” at first glance. We recently took over the technical stewardship of Ægir 3 project, ensuring its future is bright. Make your modern Drupal sites **Blazing Fast and Secure** with our [**Advanced Hosted Plans »**](https://omega8.cc/advanced)
## 90-day backups running every six hours
Your site backups (files + database) are securely stored via Backblaze with a full 90-day retention period — taken automatically every six hours. Far better than the industry-standard daily or weekly backups. You can also configure your own automatic backups, using any of 8 supported storage providers. Because there is no such thing in the universe like "too many backups".
## Drupal codebase upgrades powered by Jenkins
We’ve built highly tailored CI/CD pipelines for Drupal, including custom Composer-based setups and multi-environment workflows. If you’ve never used CI/CD, we understand — it can be complex. The good news is that you can use it without any learning — if you’re tired of constant updates, PHP compatibility issues, or security patching — we can help using Jenkins wizardry in the backend, including same-day updates — check our [**Managed Drupal Updates Plans »**](https://omega8.cc/managed)
**We’d be happy to show you how it all works and talk through how it could fit with your projects** — [**Contact Us Today! »**](https://omega8.cc/contact) to discuss your needs.
================================================
FILE: DUALLICENSE.md
================================================
# Dual License and BOA Branches Explained
**BOA** remains a **Free/Libre Open Source Project**. While all of **BOA** code is **Free/Libre Open Source**, only the **BOA LTS** branch and **Ægir** are available without any cost or restrictions.
- **LTS**: This public branch remains completely free to use without any commercial license, as it has been from the beginning (previously named HEAD or STABLE). This branch should be considered the **BOA Long Term Support** variant, with slow updates focused on security and bug fixes, and limited new features.
- **DEV**: This public branch requires a commercial license for both installation and upgrades. It includes the latest features, security updates, bug fixes, and updated service versions. This branch should not be used in production without extensive testing.
- **PRO**: This public branch requires a commercial license and is available only as an upgrade from either LTS or DEV (or previous HEAD/STABLE). It offers new releases once ready, closely following the tested DEV branch.
- **OMM**: This private branch is managed separately, with some unused components removed and others added. It is generally simplified for easier maintenance and adheres to modern coding standards.
You can install only **BOA LTS** and then upgrade to **PRO** with a license from [Omega8.cc](https://omega8.cc/licenses).
## **LTS** branch will enter a full code-freeze on December 31, 2025
Please note that **as of December 31, 2025, the LTS branch will enter a full code-freeze**. No further feature development or regular releases are planned for 2026. A possible re-evaluation may occur in 2027, but this should not be assumed.
After the freeze, **only critical functional fixes within BOA itself will be considered**. There will be **no updates** for underlying components such as PHP, Percona, Nginx, Valkey, OpenSSL, OpenSSH, or related system libraries, although your barracuda will still be able to upgrade your system with newer Devuan packages.
Several of the upcoming and most impactful features are planned **exclusively for BOA PRO**, as outlined in the [ROADMAP](https://github.com/omega8cc/boa/tree/5.x-dev/ROADMAP.md).
For continued access to new features, ongoing improvements, and a future-proof stack, [BOA PRO](https://omega8.cc/licenses) is the recommended upgrade path.
## Practical Differences Between **LTS** and **PRO**
Over time, **PRO** will be ahead of **LTS** as its name suggests.
The `BOA-5.9.1` release is the last parallel release including all features developed for **PRO**, so both **PRO** and **LTS** users will enjoy the same improvements, bug fixes, and new features.
In the future, new features will be regularly added to **PRO**, while **LTS** will receive only security updates and critical fixes for BOA itself. There may be exceptions, and some new features may find their way to **LTS**, but only as exceptions.
The **PRO** will be available in three main variants, and while all **BOA PRO** licenses will grant access to the same **BOA PRO** branch and features, they will differ in terms of available support levels.
### **PRO** with **Basic Support**
This license is designed for **BOA** users familiar with managing and monitoring their own systems who don't need extended support, monitoring, or assistance in managing their **BOA** installation and updates. Our support is limited to the Issue Queue on GitHub without any kind of SLA or Best Effort guarantee.
Ideal for: Small businesses or developers who need basic support and can handle issues independently or with community help.
### **PRO** with **Advanced Support**
This license is designed for **BOA** users who are familiar with managing their own server but need assistance in handling their custom needs or fixing individual problems privately via our helpdesk at [Ægir Helpdesk](https://aegir.happyfox.com), without posting details on GitHub. There is no SLA guarantee, only a Best Effort guarantee. System local and remote uptime monitoring with Site24x7 is included.
Ideal for: Medium to large businesses needing reliable support during business hours with quick response times for critical issues.
### **PRO** with **Hands-Off Experience**
This license is for **BOA** users who prefer to delegate all the work needed to maintain their **BOA** server, including regular upgrades (both **BOA** and major OS upgrades), active monitoring, and responding to DoS incidents. It comes with a fully managed **BOA PRO** installation you can use without worrying about anything else, with our general SLA guarantee applied: [Omega8.cc SLA](https://omega8.cc/sla). System local and remote uptime monitoring with Site24x7 is included.
Ideal for: Enterprises requiring comprehensive, around-the-clock support with quick response times for all issues.
You can obtain a **BOA PRO** license from [Omega8.cc](https://omega8.cc/licenses).
## Upcoming **PRO-Only** Features
Certain planned features are likely to be exclusive to **BOA PRO**. If these features are added to other **BOA** versions, it will be with a significant delay.
Check out the details in [ROADMAP](https://github.com/omega8cc/boa/tree/5.x-dev/ROADMAP.md)
================================================
FILE: HTTP3.md
================================================
# Strap in, your sites are getting an F1 engine
We’re rolling out a meaningful upgrade across BOA/Omega8.cc nodes: HTTP/3 and KTLS support.
If you run Drupal sites that should feel fast and responsive (and stay that way during spikes), this is genuinely good news. It’s not a “new feature in the control panel” kind of update — it’s the kind that improves the *experience* visitors have without you touching a single line of code.
## Why this is a big deal
Nearly everything on the web is encrypted now (HTTPS). That’s great for security, but it also means every visit involves extra work just to establish and maintain that secure connection.
The upgrades are all about making secure browsing feel lighter and faster.
### What visitors should notice
* Faster “start” to loading (especially for first-time or returning visits after a while)
* Smoother browsing on mobile and Wi-Fi (fewer annoying stalls when the connection quality changes)
* More consistent performance during traffic spikes (less overhead spent on transport/encryption, more resources left for actual Drupal work)
### Why it matters for *your server* too
* More efficient HTTPS handling can mean lower CPU pressure in the busiest parts of the request path.
* That translates into more headroom for PHP-FPM, caches, and database work when it really counts.
In short: faster for users, more efficient for servers, and no application changes required.
## What’s being enabled (friendly version)
### HTTP/3
HTTP/3 is the newest “dialect” browsers can use to talk to your site. It’s designed for today’s reality: phones, roaming, Wi-Fi, variable quality connections.
When a visitor’s browser supports HTTP/3, it can:
* connect more quickly,
* recover better from “internet wobble,”
* and keep page loads feeling responsive even when conditions aren’t perfect.
And the best part: browsers choose it automatically. Nobody needs to configure anything on their device.
### KTLS
KTLS helps the operating system handle part of the secure connection workload more efficiently. The result is simpler to describe than the internals:
* less overhead
* more throughput
* better stability under load
It’s one of those improvements that quietly makes a platform feel “stronger” and less stressed during peak times.
## What you need to do (this is the important part)
We’ll make sure the server side is ready after the upgrades — but to actually *apply* the new capabilities cleanly across your BOA/Ægir-managed stack, you need to run Verify so configurations are regenerated with the updated features.
### After the maintenance completes:
1. Log in to your Ægir Control Panel
2. Go to Platforms → run Verify on all platforms you use to host sites
3. Go to Sites → run Verify on your hosted sites
* If you host many sites: use the bulk actions on the Sites list so you don’t have to click site-by-site.
This ensures your platform and site configs are refreshed and the upgraded stack is applied consistently.
## “Will anything break?” (No — it’s designed not to)
* If a browser supports HTTP/3, it will use it automatically.
* If it doesn’t, it will quietly fall back to HTTP/2 or HTTP/1.1.
* Your Drupal code stays the same.
* Your visitors don’t have to do anything.
## Want more detail?
We’ll publish our own concise, friendly explainer that goes deeper into:
* what HTTP/3 changes in real-life browsing,
* why KTLS improves HTTPS efficiency,
* and how to confirm your browser is using HTTP/3.
More details: *(link coming soon — we’ll share it as soon as it’s live)*
## Quick checklist (save this)
After the system upgrade:
1. Ægir → Platforms → Verify (all platforms)
2. Ægir → Sites → Verify (use bulk actions if you have many sites)
That’s it. Once Verify is done, you’re ready to benefit automatically — and your visitors get a faster, smoother ride. Enjoy!
================================================
FILE: OCTOPUS.sh.txt
================================================
#!/bin/bash
###----------------------------------------###
###
### Octopus Ægir Installer
###
### Copyright (C) 2009-2026 Omega8.cc
### noc@omega8.cc www.omega8.cc
###
### This program is free software. You can
### redistribute it and/or modify it under
### the terms of the GNU GPL as published by
### the Free Software Foundation, version 2
### or later.
###
### This program is distributed in the hope
### that it will be useful, but WITHOUT ANY
### WARRANTY; without even the implied
### warranty of MERCHANTABILITY or FITNESS
### FOR A PARTICULAR PURPOSE. See the GNU GPL
### for more details.
###
### You should have received a copy of the
### GNU GPL along with this program.
### If not, see http://www.gnu.org/licenses/
###
### Code: https://github.com/omega8cc/boa
###
###----------------------------------------###
export PATH=/usr/local/bin:/usr/local/sbin:/opt/local/bin:/usr/bin:/usr/sbin:/bin:/sbin:/usr/libexec
export SHELL=/bin/bash
###
### Default values for main Octopus instance variables
###
_USER=o1
_MY_OCTO_EMAIL="noc@omega8.cc"
_CLIENT_EMAIL="notify@omega8.cc"
_CLIENT_OPTION=POWER
_CLIENT_SUBSCR=M
_CLIENT_CORES=1
###
### Required by AegirSetupA script, running in
### the same env, to avoid chicken/egg race.
###
export _USER="${_USER}"
###
### Drush and Redis Variables
###
export _DRUSH_VERSION=8.5.0.5
export _REDIS_C_VERSION=com-19-04-2021
export _REDIS_L_VERSION=7.x-3.19.1
export _REDIS_N_VERSION=com-19-04-2021
export _REDIS_T_VERSION=8.x-1.8.2
export _REDIS_E_VERSION=8.x-1.11.2
###
### Drupal Core Versions
###
export _SMALLCORE10_0_V=10.0.11
export _SMALLCORE10_1_V=10.1.8
export _SMALLCORE10_2_V=10.2.12
export _SMALLCORE10_3_V=10.3.14
export _SMALLCORE10_4_V=10.4.9
export _SMALLCORE10_5_V=10.5.8
export _SMALLCORE10_6_V=10.6.3
export _SMALLCORE11_1_V=11.1.9
export _SMALLCORE11_2_V=11.2.10
export _SMALLCORE11_3_V=11.3.3
export _SMALLCORE6_V=6.60.1
export _SMALLCORE7_V=7.105.1
export _SMALLCORE9_V=9.5.11
###
### Drupal Core Variables
###
export _DRUPAL10_0="drupal-${_SMALLCORE10_0_V}"
export _DRUPAL10_1="drupal-${_SMALLCORE10_1_V}"
export _DRUPAL10_2="drupal-${_SMALLCORE10_2_V}"
export _DRUPAL10_3="drupal-${_SMALLCORE10_3_V}"
export _DRUPAL10_4="drupal-${_SMALLCORE10_4_V}"
export _DRUPAL10_5="drupal-${_SMALLCORE10_5_V}"
export _DRUPAL10_6="drupal-${_SMALLCORE10_6_V}"
export _DRUPAL11_1="drupal-${_SMALLCORE11_1_V}"
export _DRUPAL11_2="drupal-${_SMALLCORE11_2_V}"
export _DRUPAL11_3="drupal-${_SMALLCORE11_3_V}"
export _DRUPAL6="pressflow-${_SMALLCORE6_V}"
export _DRUPAL7="drupal-${_SMALLCORE7_V}"
export _DRUPAL9="drupal-${_SMALLCORE9_V}"
export _DRUPAL6_D="${_DRUPAL6}-dev"
export _DRUPAL6_P="${_DRUPAL6}-prod"
export _DRUPAL6_S="${_DRUPAL6}-stage"
export _DRUPAL7_D="${_DRUPAL7}-dev"
export _DRUPAL7_P="${_DRUPAL7}-prod"
export _DRUPAL7_S="${_DRUPAL7}-stage"
export _DRUPAL9_D="${_DRUPAL9}-dev"
export _DRUPAL9_P="${_DRUPAL9}-prod"
export _DRUPAL9_S="${_DRUPAL9}-stage"
export _DRUPAL10_0_D="${_DRUPAL10_0}-dev"
export _DRUPAL10_0_P="${_DRUPAL10_0}-prod"
export _DRUPAL10_0_S="${_DRUPAL10_0}-stage"
export _DRUPAL10_1_D="${_DRUPAL10_1}-dev"
export _DRUPAL10_1_P="${_DRUPAL10_1}-prod"
export _DRUPAL10_1_S="${_DRUPAL10_1}-stage"
export _DRUPAL10_2_D="${_DRUPAL10_2}-dev"
export _DRUPAL10_2_P="${_DRUPAL10_2}-prod"
export _DRUPAL10_2_S="${_DRUPAL10_2}-stage"
export _DRUPAL10_3_D="${_DRUPAL10_3}-dev"
export _DRUPAL10_3_P="${_DRUPAL10_3}-prod"
export _DRUPAL10_3_S="${_DRUPAL10_3}-stage"
export _DRUPAL10_4_D="${_DRUPAL10_4}-dev"
export _DRUPAL10_4_P="${_DRUPAL10_4}-prod"
export _DRUPAL10_4_S="${_DRUPAL10_4}-stage"
export _DRUPAL10_5_D="${_DRUPAL10_5}-dev"
export _DRUPAL10_5_P="${_DRUPAL10_5}-prod"
export _DRUPAL10_5_S="${_DRUPAL10_5}-stage"
export _DRUPAL10_6_D="${_DRUPAL10_6}-dev"
export _DRUPAL10_6_P="${_DRUPAL10_6}-prod"
export _DRUPAL10_6_S="${_DRUPAL10_6}-stage"
export _DRUPAL11_1_D="${_DRUPAL11_1}-dev"
export _DRUPAL11_1_P="${_DRUPAL11_1}-prod"
export _DRUPAL11_1_S="${_DRUPAL11_1}-stage"
export _DRUPAL11_2_D="${_DRUPAL11_2}-dev"
export _DRUPAL11_2_P="${_DRUPAL11_2}-prod"
export _DRUPAL11_2_S="${_DRUPAL11_2}-stage"
export _DRUPAL11_3_D="${_DRUPAL11_3}-dev"
export _DRUPAL11_3_P="${_DRUPAL11_3}-prod"
export _DRUPAL11_3_S="${_DRUPAL11_3}-stage"
export _SPINNER=NO
export _T_BUILD=SRC
export _USRG=users
export _WEBG=www-data
if [ -n "${STY+x}" ]; then
export _SPINNER=NO
fi
export _F_TIME="$(date)"
###
### Instance specific variables
###
export _WEB="${_USER}.web"
export _DOMAIN="${_USER}.$(cat /etc/hostname 2>/dev/null | tr -d '\n' || hostname -f 2>/dev/null)"
export _ROOT="/data/disk/${_USER}"
export _THIS_DB_PORT=3306
export _octCnf="/root/.${_USER}.octopus.cnf"
export _octInc="${_ROOT}/config/includes"
export _octTpl="${_ROOT}/.drush/sys/provision/http/Provision/Config/Nginx"
export _octSetTpl="${_ROOT}/.drush/sys/provision/Provision/Config/Drupal"
###
### Helper variables
###
export _bldPth="/opt/tmp/boa"
export _crlGet="-L --max-redirs 3 -k -s --retry 9 --retry-delay 9 -A iCab"
export _wgetGet="--max-redirect=3 --no-check-certificate -q --tries=9 --wait=9 --user-agent='iCab'"
export _filIncO="octopus.sh.cnf"
export _gCb="git clone --branch"
export _gitHub="https://github.com/omega8cc"
export _gitLab="https://gitlab.com/omega8cc"
export _libFnc="${_bldPth}/lib/functions"
export _tocIncO="${_filIncO}.${_USER}"
export _vBs="/var/backups"
###
### Avoid too many questions
###
export DEBIAN_FRONTEND=noninteractive
export APT_LISTCHANGES_FRONTEND=none
if [ -z "${TERM+x}" ]; then
export TERM=vt100
fi
###
### Clean pid files on exit
###
_clean_pid_exit() {
if [ -n "${1}" ]; then
echo "REASON ${1} on $(date)" >> /root/.octopus.sh.exit.exceptions.log
[ -e "/opt/tmp/boa" ] && rm -rf /opt/tmp/*
fi
[ -e "/run/boa_wait.pid" ] && rm -f /run/boa_wait.pid
[ -e "/run/boa_run.pid" ] && rm -f /run/boa_run.pid
service cron start &> /dev/null
exit 1
}
###
### Panic on missing include
###
_panic_exit() {
echo
echo " EXIT: Required lib file not available?"
echo " EXIT: $1"
echo " EXIT: Cannot continue"
echo " EXIT: Bye (0)"
echo
_clean_pid_exit _panic_exit_a
}
###
### Include default settings and basic functions
###
if [ -e "${_vBs}/${_tocIncO}" ]; then
source "${_vBs}/${_tocIncO}"
_tInc="${_vBs}/${_tocIncO}"
elif [ -e "${_vBs}/${_filIncO}" ]; then
source "${_vBs}/${_filIncO}"
_tInc="${_vBs}/${_filIncO}"
else
_panic_exit "${_tInc}"
fi
###
### Download helpers and libs
###
if [ "${_OS_CODE}" = "excalibur" ]; then
_DB_SERVER=Percona
else
_DB_SERVER=Percona
fi
if [ "$(boa info | grep -c ${_DB_SERVER})" -lt 3 ] || [ ! -e "/usr/sbin/csf" ]; then
if [ ! -e "/opt/tmp/boa/aegir/helpers/apt.conf.noi.nrml" ] \
|| [ ! -e "/opt/tmp/boa/aegir/helpers/apt.conf.noi.dist" ]; then
_download_helpers_libs
fi
else
_download_helpers_libs
fi
###
### Include shared functions
###
_FL="helper dns satellite"
for f in ${_FL}; do
[ -r "${_libFnc}/${f}.sh.inc" ] || _panic_exit "${f}"
source "${_libFnc}/${f}.sh.inc"
done
###
### Welcome msg
###
echo " "
_msg "Skynet Agent v.${_X_VERSION} on $(dmidecode -s system-manufacturer 2>&1) welcomes you aboard!"
echo " "
sleep 3
###
### Turn Off AppArmor while running octopus
###
_turn_off_apparmor_in_octopus
###
### Unlock sendmail for allow-snail group
###
_unlock_sendmail_for_snail
###
### Switch to dash while running octopus
###
_switch_to_dash_in_octopus
###
### More local default variables
###
_LASTNUM=001
_LAST_HMR=001
_LAST_ALL=001
_DISTRO=001
_HM_DISTRO=001
_ALL_DISTRO=001
_STATUS=INIT
###
### Misc checks
###
_satellite_check_php_compatibility
_satellite_check_octopus_vs_barracuda_ver
_satellite_if_head_github_connection_test
_satellite_if_sql_exception_test
_satellite_if_running_as_root_octopus
_satellite_check_sanitize_user_name
_satellite_if_localhost_mode_magic
_satellite_check_sanitize_domain_name
_satellite_detect_vm_family
_check_git_repos
###
### Main procedures
###
_satellite_cnf
_satellite_if_init_or_upgrade
_satellite_if_major_upgrade
_satellite_if_check_dns
_satellite_checkpoint
_satellite_pre_cleanup
_satellite_make
_satellite_post_cleanup
exit 0
###----------------------------------------###
###
### Octopus Ægir Installer
### Copyright (C) 2009-2026 Omega8.cc
### noc@omega8.cc www.omega8.cc
###
###----------------------------------------###
================================================
FILE: README.md
================================================
# Welcome to BOA!
BOA stands for Barracuda, Octopus, and Ægir—a high-performance LEMP stack supporting Drupal from Pressflow 6 to the latest Drupal 11, as well as Backdrop CMS and Grav CMS (soon).
## Strap in, your sites are getting an F1 engine
We’re rolling out a meaningful upgrade across BOA/Omega8.cc nodes: HTTP/3 and KTLS support. If you run Drupal sites that should feel fast and responsive (and stay that way during spikes), this is genuinely good news. Why this is a big deal? What visitors should notice? Why it matters for *your server* too [**Read the full story!**](https://github.com/omega8cc/boa/tree/5.x-dev/HTTP3.md)
## 30 Years of Heritage
We are unique within the hosting industry for many important reasons. Our 15 years of Ægir-based hosting, plus earlier experience with Adgrafix (the first company to offer a control panel for website management in 1995), have helped shape what makes us different today. We take **Open Source seriously** — it’s not a buzzword for us. It’s about freedom from corporate control. Here's a short look back at our 15-year Ægir journey and 19 years with Drupal. [**Read the full story!**](https://github.com/omega8cc/boa/tree/5.x-dev/DIFFERENT30Y.md)
## What is Ægir?
Ægir, named after the Norse god of the sea, is an open-source hosting system for managing multiple Drupal sites. The name Ægir was chosen to reflect the relationship between Drupal's water drop logo, symbolizing individual sites, and Ægir's role as the god of the ocean, representing the hosting of many Drupal sites together. It automates tasks such as site installation, upgrades, and maintenance, making your life easier.
**Announcement from Omega8.cc team**: [**The Future of Ægir 3 is Bryght!**](https://github.com/omega8cc/boa/tree/5.x-dev/ANNOUNCEMENT.md)
### Key Features of Ægir:
- **Site Management**: Manage multiple Drupal sites from a single interface.
- **Automation**: Automate code deployment, database updates, and site backups.
- **Scalability**: Easily scale your Drupal hosting infrastructure.
- **Multitenancy**: Share a codebase across multiple sites with separate databases.
- **Open-Source**: Customize and extend Ægir to fit your needs.
- **Integration with Drush**: Use powerful command-line tools for site administration.
## Why Barracuda?
Barracuda is a specially tuned hosting environment for Ægir, designed to be lightning fast and agile, just like the barracuda fish known for its incredible speed and agility in the ocean.
## Why Octopus?
Octopus is a smart system designed to manage multiple Ægir instances within Barracuda. Just like the sea creature with eight limbs, Octopus allows you to create and manage many separate but connected Ægir instances, showcasing its intelligence and adaptability in efficiently handling complex hosting environments.
## Dual License
**BOA** remains a **Free/Libre Open Source Project**. While all of **BOA** code is **Free/Libre Open Source**, only the **BOA LTS** branch and **Ægir** are available without any cost or restrictions.
Check out the details in [**DUALLICENSE.md**](https://github.com/omega8cc/boa/tree/5.x-dev/DUALLICENSE.md).
## BOA Priorities
- **High Performance**: Ensure your sites run fast.
- **Security**: Keep your sites and system secure.
- **Automation**: Minimize daily maintenance with automated system and OS upgrades.
## Multi-Ægir Hosting
Leverage one Ægir Master Instance and multiple Satellite Instances. Use Satellite Instances to host your sites, as the Master holds the central Nginx configuration. Note: The 'Master' and 'Satellite' names in the Barracuda/Octopus context are not related to the multi-server Ægir features but to the multi-instance environment with virtual chroot/jail for each Ægir Satellite instance.
## Installation Scripts
- **BOA**: Runs Barracuda and Octopus to install complete BOA system.
- **BARRACUDA**: Upgrades the system and the Ægir Master Instance.
- **OCTOPUS**: Updates Ægir Instances + Drupal platforms.
## Bug Reporting
Follow the guidelines in [**docs/CONTRIBUTING.md**](https://github.com/omega8cc/boa/tree/5.x-dev/docs/CONTRIBUTING.md).
## Requirements
- Basic sysadmin skills and experience.
- Willingness to accept BOA PI (paranoid idiosyncrasies).
- Minimum 4 GB RAM and 2 CPUs (8 GB RAM and 4+ CPUs with Solr).
- SSH (ed25519) keys for root are required by newer OpenSSH versions used in BOA.
- Wget must be installed.
- Open outgoing TCP ports: 25, 53, 80, 443.
- Locales with UTF-8 support, otherwise en_US.UTF-8 (default) is forced.
## Provided Services and Features
Check out the details in [**docs/PROVIDES.md**](https://github.com/omega8cc/boa/tree/5.x-dev/docs/PROVIDES.md).
## Supported Virtualization Systems
- Linux Containers (LXC)
- Linux KVM guest
- Microsoft Hyper-V
- OpenVZ Containers
- Parallels guest
- Red Hat KVM guest
- VirtualBox guest
- VMware ESXi guest (but excluding vCloud Air)
- VServer guest
- Xen guest
- Xen guest fully virtualized (HVM)
- Xen paravirtualized guest domain
## Supported Operating Systems
### Devuan (recommended)
- Excalibur (supported, but only with Percona 8.4)
- Daedalus (default, with Percona 5.7, 8.0 or 8.4)
- Chimaera (supported but upgrade recommended)
- Beowulf (supported for upgrades)
### Debian (for migration)
- Trixie (supported only as a base for migration to Devuan)
- Bookworm (supported only as a base for migration to Devuan)
- Bullseye (supported only as a base for migration to Devuan)
- Buster (supported only as a base for migration to Devuan)
- Stretch (deprecated but still works, please upgrade to Chimaera)
- Jessie (deprecated but still works, please upgrade to Chimaera)
## Project Roadmap
Check out the details in [**ROADMAP.md**](https://github.com/omega8cc/boa/tree/5.x-dev/ROADMAP.md)
## Documentation and Templates
- Installation Instructions: [docs/INSTALL.md](https://github.com/omega8cc/boa/tree/5.x-dev/docs/INSTALL.md)
- Upgrade Instructions: [docs/UPGRADE.md](https://github.com/omega8cc/boa/tree/5.x-dev/docs/UPGRADE.md)
- Major-Upgrade Instructions: [docs/MAJORUPGRADE.md](https://github.com/omega8cc/boa/tree/5.x-dev/docs/MAJORUPGRADE.md)
- Importance of Keeping SKYNET Enabled in BOA: [docs/SKYNET.md](https://github.com/omega8cc/boa/tree/5.x-dev/docs/SKYNET.md)
- INI configuration per site: [docs/ini/site/INI.md](https://github.com/omega8cc/boa/tree/5.x-dev/docs/ini/site/INI.md)
- INI configuration per platform: [docs/ini/platform/INI.md](https://github.com/omega8cc/boa/tree/5.x-dev/docs/ini/platform/INI.md)
- Configuration Templates: [docs/cnf/barracuda.cnf](https://github.com/omega8cc/boa/tree/5.x-dev/docs/cnf/barracuda.cnf), [docs/cnf/octopus.cnf](https://github.com/omega8cc/boa/tree/5.x-dev/docs/cnf/octopus.cnf)
- System Control Files Index: [docs/ctrl/system.ctrl](https://github.com/omega8cc/boa/tree/5.x-dev/docs/ctrl/system.ctrl)
- How we build newer codebases for testing: [docs/BUILDTESTS.md](https://github.com/omega8cc/boa/tree/5.x-dev/docs/BUILDTESTS.md)
## Documentation for BOA PRO
- New Backups for BOA SysAdmin [docs/BACKUP_ROOT.md](https://github.com/omega8cc/boa/tree/5.x-dev/docs/BACKUP_ROOT.md)
- New Backups for Octopus Lshell User [docs/BACKUP_USER.md](https://github.com/omega8cc/boa/tree/5.x-dev/docs/BACKUP_USER.md)
- New Backups Retention Policy Configuration [docs/BACKUP_RETENTION.md](https://github.com/omega8cc/boa/tree/5.x-dev/docs/BACKUP_RETENTION.md)
- Supported Regions and Bucket Creation Guidelines [docs/BACKUP_REGIONS.md](https://github.com/omega8cc/boa/tree/5.x-dev/docs/BACKUP_REGIONS.md)
## Additional Documentation
- Composer How-To: [docs/COMPOSER.md](https://github.com/omega8cc/boa/tree/5.x-dev/docs/COMPOSER.md)
- Dev-Mode Notes: [docs/DEVELOPMENT.md](https://github.com/omega8cc/boa/tree/5.x-dev/docs/DEVELOPMENT.md)
- Drupal Contrib Modules: [docs/MODULES.md](https://github.com/omega8cc/boa/tree/5.x-dev/docs/MODULES.md)
- Extra Comments: [docs/CAVEATS.md](https://github.com/omega8cc/boa/tree/5.x-dev/docs/CAVEATS.md)
- FAQ: [docs/FAQ.md](https://github.com/omega8cc/boa/tree/5.x-dev/docs/FAQ.md)
- Fast DB Operations: [docs/MYQUICK.md](https://github.com/omega8cc/boa/tree/5.x-dev/docs/MYQUICK.md)
- Fast Migrate/Clone: [docs/FASTTRACK.md](https://github.com/omega8cc/boa/tree/5.x-dev/docs/FASTTRACK.md)
- Included Platforms: [docs/PLATFORMS.md](https://github.com/omega8cc/boa/tree/5.x-dev/docs/PLATFORMS.md)
- Let’s Encrypt: [docs/SSL.md](https://github.com/omega8cc/boa/tree/5.x-dev/docs/SSL.md)
- Live Disk Resize How-To: [docs/DISK_RESIZE.md](https://github.com/omega8cc/boa/tree/5.x-dev/docs/DISK_RESIZE.md)
- Migration (Octopus Instance): [docs/MIGRATE.md](https://github.com/omega8cc/boa/tree/5.x-dev/docs/MIGRATE.md)
- Migration (Single Site): [docs/REMOTE.md](https://github.com/omega8cc/boa/tree/5.x-dev/docs/REMOTE.md)
- New Relic How-To: [docs/NEWRELIC.md](https://github.com/omega8cc/boa/tree/5.x-dev/docs/NEWRELIC.md)
- Nginx Custom Rewrites: [docs/REWRITES.md](https://github.com/omega8cc/boa/tree/5.x-dev/docs/REWRITES.md)
- PHP-CLI and Drush Configuration How-To: [docs/DRUSH-CLI.md](https://github.com/omega8cc/boa/tree/5.x-dev/docs/DRUSH-CLI.md)
- PHP-FPM Configuration How-To: [docs/PHP-FPM.md](https://github.com/omega8cc/boa/tree/5.x-dev/docs/PHP-FPM.md)
- Remote S3 Backups: [docs/BACKUPS.md](https://github.com/omega8cc/boa/tree/5.x-dev/docs/BACKUPS.md)
- Ruby Gems and NPM: [docs/GEM.md](https://github.com/omega8cc/boa/tree/5.x-dev/docs/GEM.md)
- Security Settings: [docs/SECURITY.md](https://github.com/omega8cc/boa/tree/5.x-dev/docs/SECURITY.md)
- Self-Upgrade How-To: [docs/SELFUPGRADE.md](https://github.com/omega8cc/boa/tree/5.x-dev/docs/SELFUPGRADE.md)
- SMTP SSL Error Debugging: [docs/SMTP_SSL_DEBUG.md](https://github.com/omega8cc/boa/tree/5.x-dev/docs/SMTP_SSL_DEBUG.md)
- Solr and Jetty How-To: [docs/SOLR.md](https://github.com/omega8cc/boa/tree/5.x-dev/docs/SOLR.md)
- SSH Encryption: [docs/BLOWFISH.md](https://github.com/omega8cc/boa/tree/5.x-dev/docs/BLOWFISH.md)
- VServer Cluster: [docs/CLUSTER.md](https://github.com/omega8cc/boa/tree/5.x-dev/docs/CLUSTER.md) (deprecated)
## Useful Links
- BOA User Handbook (legacy): [**Learn BOA**](https://learn.omega8.cc/library/good-to-know)
- Ægir Docs (legacy): [**Ægir Project**](https://docs.aegirproject.org)
## Maintainers
BOA is maintained by [**Omega8.cc**](https://omega8.cc/about).
## Credits
Thanks to the Ægir Project founders and developers. [**Ægir Team**](https://docs.aegirproject.org/community/core-team/).
## Support
Support BOA development by purchasing a commercial license or using Omega8.cc hosted services. Check out [**Omega8.cc**](https://omega8.cc/compare) for more info.
Thank you for supporting BOA!
================================================
FILE: ROADMAP.md
================================================
# BOA Roadmap & Progress
Documenting ongoing, upcoming and completed tasks. Some tasks are relatively simple, while others are major undertakings that take weeks or months. Therefore, we are working on many things simultaneously.
This document highlights the most complex or important tasks we are working on or planning to undertake. Routine tasks such as debugging, fixing issues, and implementing small improvements are usually documented in the commit history and changelog, which are updated with each new BOA release.
Several of the upcoming and most impactful features are planned **exclusively for BOA PRO**, as outlined below.
Please also note that **as of December 31, 2025, the LTS branch will enter a full code-freeze**. No further feature development or regular releases are planned for 2026. A possible re-evaluation may occur in 2027, but this should not be assumed.
After the freeze, **only critical functional fixes within BOA itself will be considered**. There will be **no updates** for underlying components such as PHP, Percona, Nginx, Valkey, OpenSSL, OpenSSH, or related system libraries.
For continued access to new features, ongoing improvements, and a future-proof stack, **BOA PRO is the recommended upgrade path**.
## IN PROGRESS (PRO only)
- **Import from Classic Ægir**: Extend xboa to import from remote classic Ægir servers using Nginx or Apache (PRO)
- **Backdrop CMS Support**: Implement Backdrop CMS as a supported platform (PRO)
- **Grav CMS Support**: Introduce support for Grav CMS (command line only) (PRO)
- **Optional AppArmor Support**: Enhanced security and accounts privilege separation (PRO)
- **Tar Pipelines on Clone**: Use Tar Pipelines to create separate symlinked copies during site clone tasks (PRO)
- **Ægir Admin Interface**: Transition the Ægir admin interface to Backdrop CMS (PRO)
- **BO4D**: Offer a *BOA For Docker* version tailored for local development (PRO)
- **DDEV Integration**: Add support for BOA-compatible configurations within DDEV (PRO)
- **Documentation Consolidation**: Convert legacy and built-in docs into a unified Grav CMS site. (PRO)
## RELEASED IN BOA PRO only
- **Amazon S3 Alternatives**: Integrate support for AWS S3 eight (8) alternatives in `multiback` and `mybackup` (PRO)
## MAJOR NEW FEATURES RELEASED IN BOA LTS/PRO
- **HTTP/3 on QUIC with KTLS Magic**: Strap in, your sites are getting an F1 engine (PRO/LTS)
- **Drupal 11 with Ægir 3**: They Said It Couldn’t Be Done — We Did It Anyway (PRO/LTS)
- **Debian Trixie and Devuan Excalibur**: Ensure compatibility for installation and automated upgrades (PRO/LTS)
- **Debian Bookworm and Devuan Daedalus**: Ensure compatibility for installation and automated upgrades (PRO/LTS)
- **Percona for MySQL 8.4**: Add support for Percona Server 8.4, the new Percona LTS (PRO/LTS)
- **Original MySQL 8.4**: Add support for original MySQL Server 8.4 on Trixie/Excalibur (PRO/LTS)
- **Percona for MySQL 8.0**: Add support for Percona Server 8.0, necessary for Drupal 11 (PRO/LTS)
- **Super Fast System AutoInit**: Facilitate easy upgrades to the latest Devuan before BOA installation (PRO/LTS)
- **Use OpenSSL 3 by default**: Maintain compatibility with OpenSSL 1.1.1 for legacy PHP versions (PRO/LTS)
## OTHER NEW FEATURES RELEASED IN BOA LTS/PRO
- **PHP 8.5 Support**: Enhancing performance and supporting twelve PHP versions (PRO/LTS)
- **PHP 8.4 Support**: Enhancing performance and supporting eleven PHP versions (PRO/LTS)
- **PHP 8.3 Support**: Required for Drupal 11, enhancing performance and supporting ten PHP versions (PRO/LTS)
- **Add instant SQL fallback for Valkey/Redis**: zero downtime during upgrades/restarts/etc
- **Symlink Site Files**: Automatically symlink all site files to expedite migration tasks and conserve disk space (PRO/LTS)
- **Solr 9 Support**: Add latest Solr Server 9 as supported via BOA automation (PRO/LTS)
- **Ruby Gems and Node/NPM Support 3x Faster**: From 15 to 5 minutes, with improved security (PRO/LTS)
- **Ægir Task for SQL Backup**: Enable classic mysqldump backups for individual site downloads (PRO/LTS)
- **Drush 12/13 in Ægir Tasks**: Dynamically Utilize Site-Local Drush for `updatedb` Operations on Drupal 10+ (PRO/LTS)
- **Documentation Conversion to Markdown**: Update all BOA documentation from legacy TXT to Markdown.
================================================
FILE: aegir/conf/apparmor/opt.php56.bin.php
================================================
# AppArmor profile for PHP-CLI
# This profile restricts PHP-CLI (php56) to essential operations only.
#include
/opt/php56/bin/php flags=(complain) {
# Include common AppArmor abstractions
include
include
include
include
include
# Capabilities needed by PHP-CLI
capability audit_write,
capability chown,
capability dac_override,
capability dac_read_search,
capability fowner,
capability fsetid,
capability mknod,
capability setgid,
capability setuid,
capability sys_ptrace,
capability sys_resource,
# Allow PHP-CLI to execute its own binary
/opt/php56/bin/php mrix,
# Allow PHP-CLI to signal/ptrace other processes
ptrace (read) peer=/opt/php*/bin/php,
signal (send) peer=unconfined,
signal (send) peer=/usr/sbin/nginx,
ptrace (read) peer=/opt/php*/sbin/php-fpm,
ptrace (read) peer=/usr/bin/mysqld_safe,
ptrace (read) peer=/usr/bin/redis-server,
ptrace (read) peer=/usr/local/sbin/pure-ftpd,
ptrace (read) peer=/usr/sbin/nginx,
ptrace (read) peer=/usr/sbin/rsyslogd,
ptrace (read) peer=/usr/sbin/unbound,
ptrace (read) peer=unconfined,
# Allow PHP-CLI to read required configuration files
/data/disk/*/.subversion/ r,
/data/disk/*/.subversion/* r,
/etc/default/nginx r,
/etc/ImageMagick-6/log.xml r,
/etc/ImageMagick-6/policy.xml r,
/etc/ld.so.cache r,
/etc/ldap/ldap.conf r,
/etc/mailname r,
/etc/mysql/conf.d/ r,
/etc/mysql/conf.d/* r,
/etc/mysql/my.cnf r,
/etc/newrelic/upgrade_please.key r,
/etc/nginx/conf.d/ r,
/etc/nginx/conf.d/** r,
/etc/nginx/fastcgi_params r,
/etc/nginx/mime.types r,
/etc/nginx/nginx.conf r,
/etc/postfix/dynamicmaps.cf r,
/etc/postfix/dynamicmaps.cf.d/ r,
/etc/postfix/main.cf r,
/etc/ssl/private/ r,
/etc/ssl/private/* r,
/etc/ssl/private/nginx-wild-ssl.crt r,
/etc/ssl/private/nginx-wild-ssl.dhp r,
/etc/ssl/private/nginx-wild-ssl.key r,
/etc/subversion/ r,
/etc/subversion/* r,
/etc/wgetrc r,
/home/*/.drush/ r,
/home/*/.drush/** r,
/usr/local/share/git-core/templates/ r,
/usr/local/share/git-core/templates/* r,
/usr/local/share/git-core/templates/** r,
/usr/share/GeoIP/GeoIP.dat r,
/usr/share/GeoIP/GeoIPv6.dat r,
/usr/share/GeoIP/GeoLite2-ASN.mmdb r,
/usr/share/GeoIP/GeoLite2-City.mmdb r,
/usr/share/GeoIP/GeoLite2-Country.mmdb r,
/opt/php56/** r,
# Allow PHP-CLI to read required user/access files
/etc/login.defs r,
/etc/pam.d/* r,
/etc/passwd r,
/etc/security/capability.conf r,
/etc/security/limits.conf r,
/etc/security/limits.d/ r,
/etc/security/limits.d/* r,
/etc/shadow r,
/etc/sudo.conf r,
/etc/sudoers r,
/etc/sudoers.d/ r,
/etc/sudoers.d/* r,
/run/sudo/ts/ r,
/run/sudo/ts/* r,
# Allow PHP-CLI to execute some other binaries
/usr/bin/symlinks mrix,
/bin/cat mrix,
/bin/chmod mrix,
/bin/chown mrix,
/bin/cp mrix,
/bin/dash mrix,
/bin/date mrix,
/bin/egrep mrix,
/bin/grep mrix,
/bin/kmod mrix,
/bin/mkdir mrix,
/bin/mv mrix,
/bin/pidof mrix,
/bin/rm mrix,
/bin/run-parts mrix,
/bin/sed mrix,
/bin/stty mrix,
/bin/tar mrix,
/bin/touch mrix,
/opt/local/bin/websh mrix,
/data/disk/*/**/vendor/drush/drush/drush.php mrix,
/etc/init.d/nginx mrix,
/sbin/killall5 mrix,
/sbin/unix_chkpwd mrix,
/usr/bin/chromium mrix,
/usr/bin/convert mrix,
/usr/bin/find mrix,
/usr/bin/id mrix,
/usr/bin/magick mrix,
/usr/bin/mysql mrix,
/usr/bin/patch mrix,
/usr/bin/sudo mrix,
/usr/bin/svn mrix,
/usr/bin/tput mrix,
/usr/bin/tr mrix,
/usr/bin/unzip mrix,
/usr/bin/wget mrix,
/usr/bin/which mrix,
/usr/bin/which.debianutils mrix,
/usr/local/bin/composer mrix,
/usr/local/bin/curl mrix,
/usr/local/bin/fix-drupal-platform-ownership.sh mrix,
/usr/local/bin/fix-drupal-platform-permissions.sh mrix,
/usr/local/bin/fix-drupal-site-ownership.sh mrix,
/usr/local/bin/fix-drupal-site-permissions.sh mrix,
/usr/local/bin/git mrix,
/usr/local/bin/lock-local-drush-permissions.sh mrix,
/usr/local/bin/mydumper mrix,
/usr/local/bin/myloader mrix,
/usr/local/bin/wkhtmltoimage mrix,
/usr/local/bin/wkhtmltopdf mrix,
/usr/local/libexec/git-core/* mrix,
/usr/local/libexec/git-core/** mrix,
/usr/sbin/nginx mrix,
/usr/sbin/postdrop mrix,
/usr/sbin/sendmail mrix,
# Allow PHP-CLI to access some /dev
/dev/null rw,
/dev/random r,
/dev/tty rw,
/dev/urandom r,
# Allow PHP-CLI to use tmp files
/tmp/ r,
/tmp/** rw,
/var/spool/postfix/maildrop/ r,
/var/spool/postfix/maildrop/* rw,
/var/tmp/** rw,
# Allow read access to necessary libraries
/lib/** mr,
/lib/x86_64-linux-gnu/** mr,
/lib64/** mr,
/opt/php*/lib/php/** mr,
/usr/lib/** mr,
/usr/lib/x86_64-linux-gnu/** mr,
/usr/libexec/** mr,
/usr/local/include/** mr,
/usr/local/ioncube/ioncube_loader_lin_*.so mr,
/usr/local/lib/** mr,
/usr/local/ssl/** mr,
/usr/local/ssl3/** mr,
# Allow PHP-CLI to read and write its log files
/var/log/php/** rw,
/var/log/newrelic/php_agent.log rw,
# Allow PHP-CLI to write to some other log/pid files
/run/nginx.pid rw,
/var/log/nginx/access.log rw,
/var/log/nginx/error.log rw,
# Allow PHP-CLI to access /proc and /sys for necessary information
/proc/ r,
/proc/** r,
/sys/ r,
/sys/** r,
# Allow PHP-CLI to use /dev/shm for temporary storage
/dev/shm/ r,
/dev/shm/** rw,
# Deny execution of binaries from these directories
deny /home/*/.tmp/** m,
deny /home/*/** m,
deny /tmp/** m,
deny /var/tmp/** m,
# Allow PHP-CLI to access drush
/data/disk/*/tools/drush/ r,
/data/disk/*/tools/drush/* mrix,
/data/disk/*/tools/drush/** r,
/opt/tools/drush/** mrix,
/usr/local/bin/cv.phar mrix,
/var/aegir/drush/ r,
/var/aegir/drush/* mrix,
/var/aegir/drush/** r,
# Allow PHP-CLI to access System Default Web Root
/var/www/** r,
owner /var/www/** rw,
# Allow PHP-CLI to read/write in the Ægir Backend on Master Instance
owner /var/aegir/.drush/ r,
owner /var/aegir/.drush/* rw,
owner /var/aegir/.drush/** rw,
owner /var/aegir/.tmp/ r,
owner /var/aegir/.tmp/* rw,
owner /var/aegir/.tmp/** rw,
owner /var/aegir/config/ r,
owner /var/aegir/config/* rw,
owner /var/aegir/config/** rw,
owner /var/aegir/host_master-*/ r,
owner /var/aegir/host_master-*/* rw,
owner /var/aegir/host_master-*/** rw,
owner /var/aegir/host_master/ r,
owner /var/aegir/host_master/* rw,
owner /var/aegir/host_master/** rw,
owner /var/aegir/platforms/ r,
owner /var/aegir/platforms/* rw,
owner /var/aegir/platforms/** rw,
# Allow PHP-CLI to read/write in the Ægir Backend on Octopus Instances
/data/all/ r,
/data/all/* r,
/data/all/** r,
/data/conf/ r,
/data/conf/* r,
/data/conf/** r,
/data/disk/*/.bashrc r,
owner /data/disk/*/.cache/**/pack-* l,
owner /data/disk/*/static/**/pack-* l,
owner /data/disk/*/log/ r,
owner /data/disk/*/log/* rw,
owner /data/disk/*/.*.pass.php r,
owner /data/disk/*/.rnd rw,
owner /data/disk/*/backups/ rwl,
owner /data/disk/*/backups/* rwl,
owner /data/disk/*/backups/** rwl,
owner /data/disk/*/backup-exports/ rwl,
owner /data/disk/*/backup-exports/* rwl,
owner /data/disk/*/backup-exports/** rwl,
owner /data/disk/*/.config/ rwl,
owner /data/disk/*/.config/* rwl,
owner /data/disk/*/.config/** rwl,
owner /data/disk/*/.cache/ rwl,
owner /data/disk/*/.cache/* rwl,
owner /data/disk/*/.cache/** rwl,
owner /data/disk/*/.drush/ rwl,
owner /data/disk/*/.drush/* rwl,
owner /data/disk/*/.drush/** rwl,
owner /data/disk/*/.tmp/ rwl,
owner /data/disk/*/.tmp/* rwl,
owner /data/disk/*/.tmp/** rwl,
owner /data/disk/*/clients/ rw,
owner /data/disk/*/clients/* rw,
owner /data/disk/*/clients/** rw,
owner /data/disk/*/config/ rw,
owner /data/disk/*/config/* rw,
owner /data/disk/*/config/** rw,
owner /data/disk/*/tools/le/ rw,
owner /data/disk/*/tools/le/* rw,
owner /data/disk/*/tools/le/** rw,
# Allow PHP-CLI to read/write in the Ægir Frontend on Octopus Instances
owner /data/disk/*/aegir/ rw,
owner /data/disk/*/aegir/* rw,
owner /data/disk/*/aegir/** rw,
# Allow PHP-CLI to read/write in the limited shell user home for Drush support
owner /home/*/.drush/sites/ rw,
owner /home/*/.drush/sites/* rw,
owner /home/*/.drush/sites/** rw,
owner /home/*/.drush/cache/ rw,
owner /home/*/.drush/cache/* rw,
owner /home/*/.drush/cache/** rw,
owner /home/*/.tmp/ rw,
owner /home/*/.tmp/* rw,
owner /home/*/.tmp/** rw,
# Allow PHP-CLI to read/write in the custom web root directories
/data/disk/*/static/ rw,
/data/disk/*/static/* rw,
/data/disk/*/static/** rw,
/data/disk/*/distro/ rw,
/data/disk/*/distro/* rw,
/data/disk/*/distro/** rw,
/data/disk/*/platforms/ rw,
/data/disk/*/platforms/* rw,
/data/disk/*/platforms/** rw,
# Allow PHP-CLI to read and write in the root tmp
owner /root/.tmp/ rw,
owner /root/.tmp/* rw,
owner /root/.tmp/** rw,
# Deny access to various sensitive directories and files
deny /boot/** mrwklx,
# Catchall to deny everything else
#deny /** rwklx,
# Site-specific additions and overrides can be added below
}
================================================
FILE: aegir/conf/apparmor/opt.php56.sbin.php-fpm
================================================
# AppArmor profile for PHP-FPM
# This profile restricts the PHP-FPM (php56) to essential operations only.
#include
/opt/php56/sbin/php-fpm flags=(attach_disconnected) {
# Include common AppArmor abstractions
include
include
include
include
# Capabilities needed by PHP-FPM
capability chown,
capability dac_override,
capability dac_read_search,
capability fowner,
capability kill,
capability setgid,
capability setuid,
capability sys_resource,
# Allow PHP-FPM to accept signal from PHP-CLI processes
signal (receive) peer=/opt/php*/bin/php,
network inet stream,
network inet6 stream,
# Allow PHP-FPM to execute its own binary
/opt/php56/sbin/php-fpm mrix,
# Allow PHP-FPM to read its configuration files
/data/conf/ r,
/data/conf/** r,
/etc/ImageMagick-6/log.xml r,
/etc/ImageMagick-6/policy.xml r,
/etc/ld.so.cache r,
/etc/mailname r,
/etc/newrelic/upgrade_please.key r,
/etc/postfix/dynamicmaps.cf r,
/etc/postfix/dynamicmaps.cf.d/ r,
/etc/postfix/dynamicmaps.cf.d/* r,
/etc/postfix/main.cf r,
/home/*/.drush/** r,
/opt/etc/fpm/** r,
/var/spool/postfix/maildrop/ r,
/var/spool/postfix/maildrop/* rw,
/opt/php56/** r,
# Allow PHP-FPM to execute some other binaries
/bin/dash mrix,
/opt/local/bin/websh mrix,
/usr/bin/advdef mrix,
/usr/bin/advpng mrix,
/usr/bin/chromium mrix,
/usr/bin/convert mrix,
/usr/bin/id mrix,
/usr/bin/jpegoptim mrix,
/usr/bin/jpegtran mrix,
/usr/bin/magick mrix,
/usr/bin/optipng mrix,
/usr/bin/pngcrush mrix,
/usr/bin/pngquant mrix,
/usr/lib/postfix/sbin/smtpd mrix,
/usr/local/bin/curl mrix,
/usr/local/bin/wkhtmltoimage mrix,
/usr/local/bin/wkhtmltopdf mrix,
/usr/sbin/postdrop mrix,
/usr/sbin/sendmail mrix,
# Allow PHP-FPM to access some /dev
/dev/null rw,
/dev/random r,
/dev/tty wr,
/dev/urandom r,
# Allow PHP-FPM to access its run directory
/run/** rw,
# Allow PHP-FPM to use tmp files
/home/*/.tmp/ r,
/home/*/.tmp/** rw,
/tmp/ r,
/tmp/** rw,
/var/tmp/** rw,
# Allow read access to necessary libraries
/lib/** mr,
/lib/x86_64-linux-gnu/** mr,
/lib64/** mr,
/opt/php*/lib/php/** mr,
/usr/lib/** mr,
/usr/lib/x86_64-linux-gnu/** mr,
/usr/libexec/** mr,
/usr/local/include/** mr,
/usr/local/ioncube/ioncube_loader_lin_*.so mr,
/usr/local/lib/** mr,
/usr/local/ssl/** mr,
/usr/local/ssl3/** mr,
# Allow PHP-FPM to read and write its log files
/var/log/newrelic/php_agent.log rw,
/var/log/php/** rw,
# Allow PHP-FPM to access /proc and /sys for necessary information
/proc/** r,
/sys/** r,
# Allow PHP-FPM to use /dev/shm for temporary storage
/dev/shm/ r,
/dev/shm/** rw,
# Deny execution of binaries from these directories
deny /home/*/.tmp/** m,
deny /home/*/** m,
deny /tmp/** m,
deny /var/tmp/** m,
# Allow PHP-FPM to read and write in the custom web root directories
/var/www/** r,
/var/aegir/host_master/** r,
/var/aegir/platforms/** r,
/data/disk/*/aegir/** r,
/data/disk/*/distro/** r,
/data/disk/*/platforms/** r,
/data/disk/*/static/** r,
/data/disk/*/tools/le/** r,
/data/all/ r,
/data/all/* r,
/data/all/** r,
/data/conf/ r,
/data/conf/* r,
/data/conf/** r,
owner /var/aegir/host_master/** rw,
owner /var/aegir/platforms/** rw,
owner /data/disk/*/aegir/** rw,
owner /data/disk/*/distro/** rw,
owner /data/disk/*/platforms/** rw,
owner /data/disk/*/static/** rw,
owner /var/www/** rw,
/home/*.web/.aws/ r,
/home/*.web/.aws/* rw,
/home/*.web/.drush/ r,
/home/*.web/.drush/* r,
/home/*.web/.tmp/ r,
/home/*.web/.tmp/* rw,
# Deny access to various sensitive directories and files
deny /boot/** mrwklx,
deny /etc/shadow* rwlx,
deny /root/** mrwklx,
# Catchall to deny everything else
#deny /** rwklx,
# Site-specific additions and overrides can be added below
}
================================================
FILE: aegir/conf/apparmor/opt.php70.bin.php
================================================
# AppArmor profile for PHP-CLI
# This profile restricts PHP-CLI (php70) to essential operations only.
#include
/opt/php70/bin/php flags=(complain) {
# Include common AppArmor abstractions
include
include
include
include
include
# Capabilities needed by PHP-CLI
capability audit_write,
capability chown,
capability dac_override,
capability dac_read_search,
capability fowner,
capability fsetid,
capability mknod,
capability setgid,
capability setuid,
capability sys_ptrace,
capability sys_resource,
# Allow PHP-CLI to execute its own binary
/opt/php70/bin/php mrix,
# Allow PHP-CLI to signal/ptrace other processes
ptrace (read) peer=/opt/php*/bin/php,
signal (send) peer=unconfined,
signal (send) peer=/usr/sbin/nginx,
ptrace (read) peer=/opt/php*/sbin/php-fpm,
ptrace (read) peer=/usr/bin/mysqld_safe,
ptrace (read) peer=/usr/bin/redis-server,
ptrace (read) peer=/usr/local/sbin/pure-ftpd,
ptrace (read) peer=/usr/sbin/nginx,
ptrace (read) peer=/usr/sbin/rsyslogd,
ptrace (read) peer=/usr/sbin/unbound,
ptrace (read) peer=unconfined,
# Allow PHP-CLI to read required configuration files
/data/disk/*/.subversion/ r,
/data/disk/*/.subversion/* r,
/etc/default/nginx r,
/etc/ImageMagick-6/log.xml r,
/etc/ImageMagick-6/policy.xml r,
/etc/ld.so.cache r,
/etc/ldap/ldap.conf r,
/etc/mailname r,
/etc/mysql/conf.d/ r,
/etc/mysql/conf.d/* r,
/etc/mysql/my.cnf r,
/etc/newrelic/upgrade_please.key r,
/etc/nginx/conf.d/ r,
/etc/nginx/conf.d/** r,
/etc/nginx/fastcgi_params r,
/etc/nginx/mime.types r,
/etc/nginx/nginx.conf r,
/etc/postfix/dynamicmaps.cf r,
/etc/postfix/dynamicmaps.cf.d/ r,
/etc/postfix/main.cf r,
/etc/ssl/private/ r,
/etc/ssl/private/* r,
/etc/ssl/private/nginx-wild-ssl.crt r,
/etc/ssl/private/nginx-wild-ssl.dhp r,
/etc/ssl/private/nginx-wild-ssl.key r,
/etc/subversion/ r,
/etc/subversion/* r,
/etc/wgetrc r,
/home/*/.drush/ r,
/home/*/.drush/** r,
/usr/local/share/git-core/templates/ r,
/usr/local/share/git-core/templates/* r,
/usr/local/share/git-core/templates/** r,
/usr/share/GeoIP/GeoIP.dat r,
/usr/share/GeoIP/GeoIPv6.dat r,
/usr/share/GeoIP/GeoLite2-ASN.mmdb r,
/usr/share/GeoIP/GeoLite2-City.mmdb r,
/usr/share/GeoIP/GeoLite2-Country.mmdb r,
/opt/php70/** r,
# Allow PHP-CLI to read required user/access files
/etc/login.defs r,
/etc/pam.d/* r,
/etc/passwd r,
/etc/security/capability.conf r,
/etc/security/limits.conf r,
/etc/security/limits.d/ r,
/etc/security/limits.d/* r,
/etc/shadow r,
/etc/sudo.conf r,
/etc/sudoers r,
/etc/sudoers.d/ r,
/etc/sudoers.d/* r,
/run/sudo/ts/ r,
/run/sudo/ts/* r,
# Allow PHP-CLI to execute some other binaries
/usr/bin/symlinks mrix,
/bin/cat mrix,
/bin/chmod mrix,
/bin/chown mrix,
/bin/cp mrix,
/bin/dash mrix,
/bin/date mrix,
/bin/egrep mrix,
/bin/grep mrix,
/bin/kmod mrix,
/bin/mkdir mrix,
/bin/mv mrix,
/bin/pidof mrix,
/bin/rm mrix,
/bin/run-parts mrix,
/bin/sed mrix,
/bin/stty mrix,
/bin/tar mrix,
/bin/touch mrix,
/opt/local/bin/websh mrix,
/data/disk/*/**/vendor/drush/drush/drush.php mrix,
/etc/init.d/nginx mrix,
/sbin/killall5 mrix,
/sbin/unix_chkpwd mrix,
/usr/bin/chromium mrix,
/usr/bin/convert mrix,
/usr/bin/find mrix,
/usr/bin/id mrix,
/usr/bin/magick mrix,
/usr/bin/mysql mrix,
/usr/bin/patch mrix,
/usr/bin/sudo mrix,
/usr/bin/svn mrix,
/usr/bin/tput mrix,
/usr/bin/tr mrix,
/usr/bin/unzip mrix,
/usr/bin/wget mrix,
/usr/bin/which mrix,
/usr/bin/which.debianutils mrix,
/usr/local/bin/composer mrix,
/usr/local/bin/curl mrix,
/usr/local/bin/fix-drupal-platform-ownership.sh mrix,
/usr/local/bin/fix-drupal-platform-permissions.sh mrix,
/usr/local/bin/fix-drupal-site-ownership.sh mrix,
/usr/local/bin/fix-drupal-site-permissions.sh mrix,
/usr/local/bin/git mrix,
/usr/local/bin/lock-local-drush-permissions.sh mrix,
/usr/local/bin/mydumper mrix,
/usr/local/bin/myloader mrix,
/usr/local/bin/wkhtmltoimage mrix,
/usr/local/bin/wkhtmltopdf mrix,
/usr/local/libexec/git-core/* mrix,
/usr/local/libexec/git-core/** mrix,
/usr/sbin/nginx mrix,
/usr/sbin/postdrop mrix,
/usr/sbin/sendmail mrix,
# Allow PHP-CLI to access some /dev
/dev/null rw,
/dev/random r,
/dev/tty rw,
/dev/urandom r,
# Allow PHP-CLI to use tmp files
/tmp/ r,
/tmp/** rw,
/var/spool/postfix/maildrop/ r,
/var/spool/postfix/maildrop/* rw,
/var/tmp/** rw,
# Allow read access to necessary libraries
/lib/** mr,
/lib/x86_64-linux-gnu/** mr,
/lib64/** mr,
/opt/php*/lib/php/** mr,
/usr/lib/** mr,
/usr/lib/x86_64-linux-gnu/** mr,
/usr/libexec/** mr,
/usr/local/include/** mr,
/usr/local/ioncube/ioncube_loader_lin_*.so mr,
/usr/local/lib/** mr,
/usr/local/ssl/** mr,
/usr/local/ssl3/** mr,
# Allow PHP-CLI to read and write its log files
/var/log/php/** rw,
/var/log/newrelic/php_agent.log rw,
# Allow PHP-CLI to write to some other log/pid files
/run/nginx.pid rw,
/var/log/nginx/access.log rw,
/var/log/nginx/error.log rw,
# Allow PHP-CLI to access /proc and /sys for necessary information
/proc/ r,
/proc/** r,
/sys/ r,
/sys/** r,
# Allow PHP-CLI to use /dev/shm for temporary storage
/dev/shm/ r,
/dev/shm/** rw,
# Deny execution of binaries from these directories
deny /home/*/.tmp/** m,
deny /home/*/** m,
deny /tmp/** m,
deny /var/tmp/** m,
# Allow PHP-CLI to access drush
/data/disk/*/tools/drush/ r,
/data/disk/*/tools/drush/* mrix,
/data/disk/*/tools/drush/** r,
/opt/tools/drush/** mrix,
/usr/local/bin/cv.phar mrix,
/var/aegir/drush/ r,
/var/aegir/drush/* mrix,
/var/aegir/drush/** r,
# Allow PHP-CLI to access System Default Web Root
/var/www/** r,
owner /var/www/** rw,
# Allow PHP-CLI to read/write in the Ægir Backend on Master Instance
owner /var/aegir/.drush/ r,
owner /var/aegir/.drush/* rw,
owner /var/aegir/.drush/** rw,
owner /var/aegir/.tmp/ r,
owner /var/aegir/.tmp/* rw,
owner /var/aegir/.tmp/** rw,
owner /var/aegir/config/ r,
owner /var/aegir/config/* rw,
owner /var/aegir/config/** rw,
owner /var/aegir/host_master-*/ r,
owner /var/aegir/host_master-*/* rw,
owner /var/aegir/host_master-*/** rw,
owner /var/aegir/host_master/ r,
owner /var/aegir/host_master/* rw,
owner /var/aegir/host_master/** rw,
owner /var/aegir/platforms/ r,
owner /var/aegir/platforms/* rw,
owner /var/aegir/platforms/** rw,
# Allow PHP-CLI to read/write in the Ægir Backend on Octopus Instances
/data/all/ r,
/data/all/* r,
/data/all/** r,
/data/conf/ r,
/data/conf/* r,
/data/conf/** r,
/data/disk/*/.bashrc r,
owner /data/disk/*/.cache/**/pack-* l,
owner /data/disk/*/static/**/pack-* l,
owner /data/disk/*/log/ r,
owner /data/disk/*/log/* rw,
owner /data/disk/*/.*.pass.php r,
owner /data/disk/*/.rnd rw,
owner /data/disk/*/backups/ rwl,
owner /data/disk/*/backups/* rwl,
owner /data/disk/*/backups/** rwl,
owner /data/disk/*/backup-exports/ rwl,
owner /data/disk/*/backup-exports/* rwl,
owner /data/disk/*/backup-exports/** rwl,
owner /data/disk/*/.config/ rwl,
owner /data/disk/*/.config/* rwl,
owner /data/disk/*/.config/** rwl,
owner /data/disk/*/.cache/ rwl,
owner /data/disk/*/.cache/* rwl,
owner /data/disk/*/.cache/** rwl,
owner /data/disk/*/.drush/ rwl,
owner /data/disk/*/.drush/* rwl,
owner /data/disk/*/.drush/** rwl,
owner /data/disk/*/.tmp/ rwl,
owner /data/disk/*/.tmp/* rwl,
owner /data/disk/*/.tmp/** rwl,
owner /data/disk/*/clients/ rw,
owner /data/disk/*/clients/* rw,
owner /data/disk/*/clients/** rw,
owner /data/disk/*/config/ rw,
owner /data/disk/*/config/* rw,
owner /data/disk/*/config/** rw,
owner /data/disk/*/tools/le/ rw,
owner /data/disk/*/tools/le/* rw,
owner /data/disk/*/tools/le/** rw,
# Allow PHP-CLI to read/write in the Ægir Frontend on Octopus Instances
owner /data/disk/*/aegir/ rw,
owner /data/disk/*/aegir/* rw,
owner /data/disk/*/aegir/** rw,
# Allow PHP-CLI to read/write in the limited shell user home for Drush support
owner /home/*/.drush/sites/ rw,
owner /home/*/.drush/sites/* rw,
owner /home/*/.drush/sites/** rw,
owner /home/*/.drush/cache/ rw,
owner /home/*/.drush/cache/* rw,
owner /home/*/.drush/cache/** rw,
owner /home/*/.tmp/ rw,
owner /home/*/.tmp/* rw,
owner /home/*/.tmp/** rw,
# Allow PHP-CLI to read/write in the custom web root directories
/data/disk/*/static/ rw,
/data/disk/*/static/* rw,
/data/disk/*/static/** rw,
/data/disk/*/distro/ rw,
/data/disk/*/distro/* rw,
/data/disk/*/distro/** rw,
/data/disk/*/platforms/ rw,
/data/disk/*/platforms/* rw,
/data/disk/*/platforms/** rw,
# Allow PHP-CLI to read and write in the root tmp
owner /root/.tmp/ rw,
owner /root/.tmp/* rw,
owner /root/.tmp/** rw,
# Deny access to various sensitive directories and files
deny /boot/** mrwklx,
# Catchall to deny everything else
#deny /** rwklx,
# Site-specific additions and overrides can be added below
}
================================================
FILE: aegir/conf/apparmor/opt.php70.sbin.php-fpm
================================================
# AppArmor profile for PHP-FPM
# This profile restricts the PHP-FPM (php70) to essential operations only.
#include
/opt/php70/sbin/php-fpm flags=(attach_disconnected) {
# Include common AppArmor abstractions
include
include
include
include
# Capabilities needed by PHP-FPM
capability chown,
capability dac_override,
capability dac_read_search,
capability fowner,
capability kill,
capability setgid,
capability setuid,
capability sys_resource,
# Allow PHP-FPM to accept signal from PHP-CLI processes
signal (receive) peer=/opt/php*/bin/php,
network inet stream,
network inet6 stream,
# Allow PHP-FPM to execute its own binary
/opt/php70/sbin/php-fpm mrix,
# Allow PHP-FPM to read its configuration files
/data/conf/ r,
/data/conf/** r,
/etc/ImageMagick-6/log.xml r,
/etc/ImageMagick-6/policy.xml r,
/etc/ld.so.cache r,
/etc/mailname r,
/etc/newrelic/upgrade_please.key r,
/etc/postfix/dynamicmaps.cf r,
/etc/postfix/dynamicmaps.cf.d/ r,
/etc/postfix/dynamicmaps.cf.d/* r,
/etc/postfix/main.cf r,
/home/*/.drush/** r,
/opt/etc/fpm/** r,
/var/spool/postfix/maildrop/ r,
/var/spool/postfix/maildrop/* rw,
/opt/php70/** r,
# Allow PHP-FPM to execute some other binaries
/bin/dash mrix,
/opt/local/bin/websh mrix,
/usr/bin/advdef mrix,
/usr/bin/advpng mrix,
/usr/bin/chromium mrix,
/usr/bin/convert mrix,
/usr/bin/id mrix,
/usr/bin/jpegoptim mrix,
/usr/bin/jpegtran mrix,
/usr/bin/magick mrix,
/usr/bin/optipng mrix,
/usr/bin/pngcrush mrix,
/usr/bin/pngquant mrix,
/usr/lib/postfix/sbin/smtpd mrix,
/usr/local/bin/curl mrix,
/usr/local/bin/wkhtmltoimage mrix,
/usr/local/bin/wkhtmltopdf mrix,
/usr/sbin/postdrop mrix,
/usr/sbin/sendmail mrix,
# Allow PHP-FPM to access some /dev
/dev/null rw,
/dev/random r,
/dev/tty wr,
/dev/urandom r,
# Allow PHP-FPM to access its run directory
/run/** rw,
# Allow PHP-FPM to use tmp files
/home/*/.tmp/ r,
/home/*/.tmp/** rw,
/tmp/ r,
/tmp/** rw,
/var/tmp/** rw,
# Allow read access to necessary libraries
/lib/** mr,
/lib/x86_64-linux-gnu/** mr,
/lib64/** mr,
/opt/php*/lib/php/** mr,
/usr/lib/** mr,
/usr/lib/x86_64-linux-gnu/** mr,
/usr/libexec/** mr,
/usr/local/include/** mr,
/usr/local/ioncube/ioncube_loader_lin_*.so mr,
/usr/local/lib/** mr,
/usr/local/ssl/** mr,
/usr/local/ssl3/** mr,
# Allow PHP-FPM to read and write its log files
/var/log/newrelic/php_agent.log rw,
/var/log/php/** rw,
# Allow PHP-FPM to access /proc and /sys for necessary information
/proc/** r,
/sys/** r,
# Allow PHP-FPM to use /dev/shm for temporary storage
/dev/shm/ r,
/dev/shm/** rw,
# Deny execution of binaries from these directories
deny /home/*/.tmp/** m,
deny /home/*/** m,
deny /tmp/** m,
deny /var/tmp/** m,
# Allow PHP-FPM to read and write in the custom web root directories
/var/www/** r,
/var/aegir/host_master/** r,
/var/aegir/platforms/** r,
/data/disk/*/aegir/** r,
/data/disk/*/distro/** r,
/data/disk/*/platforms/** r,
/data/disk/*/static/** r,
/data/disk/*/tools/le/** r,
/data/all/ r,
/data/all/* r,
/data/all/** r,
/data/conf/ r,
/data/conf/* r,
/data/conf/** r,
owner /var/aegir/host_master/** rw,
owner /var/aegir/platforms/** rw,
owner /data/disk/*/aegir/** rw,
owner /data/disk/*/distro/** rw,
owner /data/disk/*/platforms/** rw,
owner /data/disk/*/static/** rw,
owner /var/www/** rw,
/home/*.web/.aws/ r,
/home/*.web/.aws/* rw,
/home/*.web/.drush/ r,
/home/*.web/.drush/* r,
/home/*.web/.tmp/ r,
/home/*.web/.tmp/* rw,
# Deny access to various sensitive directories and files
deny /boot/** mrwklx,
deny /etc/shadow* rwlx,
deny /root/** mrwklx,
# Catchall to deny everything else
#deny /** rwklx,
# Site-specific additions and overrides can be added below
}
================================================
FILE: aegir/conf/apparmor/opt.php71.bin.php
================================================
# AppArmor profile for PHP-CLI
# This profile restricts PHP-CLI (php71) to essential operations only.
#include
/opt/php71/bin/php flags=(complain) {
# Include common AppArmor abstractions
include
include
include
include
include
# Capabilities needed by PHP-CLI
capability audit_write,
capability chown,
capability dac_override,
capability dac_read_search,
capability fowner,
capability fsetid,
capability mknod,
capability setgid,
capability setuid,
capability sys_ptrace,
capability sys_resource,
# Allow PHP-CLI to execute its own binary
/opt/php71/bin/php mrix,
# Allow PHP-CLI to signal/ptrace other processes
ptrace (read) peer=/opt/php*/bin/php,
signal (send) peer=unconfined,
signal (send) peer=/usr/sbin/nginx,
ptrace (read) peer=/opt/php*/sbin/php-fpm,
ptrace (read) peer=/usr/bin/mysqld_safe,
ptrace (read) peer=/usr/bin/redis-server,
ptrace (read) peer=/usr/local/sbin/pure-ftpd,
ptrace (read) peer=/usr/sbin/nginx,
ptrace (read) peer=/usr/sbin/rsyslogd,
ptrace (read) peer=/usr/sbin/unbound,
ptrace (read) peer=unconfined,
# Allow PHP-CLI to read required configuration files
/data/disk/*/.subversion/ r,
/data/disk/*/.subversion/* r,
/etc/default/nginx r,
/etc/ImageMagick-6/log.xml r,
/etc/ImageMagick-6/policy.xml r,
/etc/ld.so.cache r,
/etc/ldap/ldap.conf r,
/etc/mailname r,
/etc/mysql/conf.d/ r,
/etc/mysql/conf.d/* r,
/etc/mysql/my.cnf r,
/etc/newrelic/upgrade_please.key r,
/etc/nginx/conf.d/ r,
/etc/nginx/conf.d/** r,
/etc/nginx/fastcgi_params r,
/etc/nginx/mime.types r,
/etc/nginx/nginx.conf r,
/etc/postfix/dynamicmaps.cf r,
/etc/postfix/dynamicmaps.cf.d/ r,
/etc/postfix/main.cf r,
/etc/ssl/private/ r,
/etc/ssl/private/* r,
/etc/ssl/private/nginx-wild-ssl.crt r,
/etc/ssl/private/nginx-wild-ssl.dhp r,
/etc/ssl/private/nginx-wild-ssl.key r,
/etc/subversion/ r,
/etc/subversion/* r,
/etc/wgetrc r,
/home/*/.drush/ r,
/home/*/.drush/** r,
/usr/local/share/git-core/templates/ r,
/usr/local/share/git-core/templates/* r,
/usr/local/share/git-core/templates/** r,
/usr/share/GeoIP/GeoIP.dat r,
/usr/share/GeoIP/GeoIPv6.dat r,
/usr/share/GeoIP/GeoLite2-ASN.mmdb r,
/usr/share/GeoIP/GeoLite2-City.mmdb r,
/usr/share/GeoIP/GeoLite2-Country.mmdb r,
/opt/php71/** r,
# Allow PHP-CLI to read required user/access files
/etc/login.defs r,
/etc/pam.d/* r,
/etc/passwd r,
/etc/security/capability.conf r,
/etc/security/limits.conf r,
/etc/security/limits.d/ r,
/etc/security/limits.d/* r,
/etc/shadow r,
/etc/sudo.conf r,
/etc/sudoers r,
/etc/sudoers.d/ r,
/etc/sudoers.d/* r,
/run/sudo/ts/ r,
/run/sudo/ts/* r,
# Allow PHP-CLI to execute some other binaries
/usr/bin/symlinks mrix,
/bin/cat mrix,
/bin/chmod mrix,
/bin/chown mrix,
/bin/cp mrix,
/bin/dash mrix,
/bin/date mrix,
/bin/egrep mrix,
/bin/grep mrix,
/bin/kmod mrix,
/bin/mkdir mrix,
/bin/mv mrix,
/bin/pidof mrix,
/bin/rm mrix,
/bin/run-parts mrix,
/bin/sed mrix,
/bin/stty mrix,
/bin/tar mrix,
/bin/touch mrix,
/opt/local/bin/websh mrix,
/data/disk/*/**/vendor/drush/drush/drush.php mrix,
/etc/init.d/nginx mrix,
/sbin/killall5 mrix,
/sbin/unix_chkpwd mrix,
/usr/bin/chromium mrix,
/usr/bin/convert mrix,
/usr/bin/find mrix,
/usr/bin/id mrix,
/usr/bin/magick mrix,
/usr/bin/mysql mrix,
/usr/bin/patch mrix,
/usr/bin/sudo mrix,
/usr/bin/svn mrix,
/usr/bin/tput mrix,
/usr/bin/tr mrix,
/usr/bin/unzip mrix,
/usr/bin/wget mrix,
/usr/bin/which mrix,
/usr/bin/which.debianutils mrix,
/usr/local/bin/composer mrix,
/usr/local/bin/curl mrix,
/usr/local/bin/fix-drupal-platform-ownership.sh mrix,
/usr/local/bin/fix-drupal-platform-permissions.sh mrix,
/usr/local/bin/fix-drupal-site-ownership.sh mrix,
/usr/local/bin/fix-drupal-site-permissions.sh mrix,
/usr/local/bin/git mrix,
/usr/local/bin/lock-local-drush-permissions.sh mrix,
/usr/local/bin/mydumper mrix,
/usr/local/bin/myloader mrix,
/usr/local/bin/wkhtmltoimage mrix,
/usr/local/bin/wkhtmltopdf mrix,
/usr/local/libexec/git-core/* mrix,
/usr/local/libexec/git-core/** mrix,
/usr/sbin/nginx mrix,
/usr/sbin/postdrop mrix,
/usr/sbin/sendmail mrix,
# Allow PHP-CLI to access some /dev
/dev/null rw,
/dev/random r,
/dev/tty rw,
/dev/urandom r,
# Allow PHP-CLI to use tmp files
/tmp/ r,
/tmp/** rw,
/var/spool/postfix/maildrop/ r,
/var/spool/postfix/maildrop/* rw,
/var/tmp/** rw,
# Allow read access to necessary libraries
/lib/** mr,
/lib/x86_64-linux-gnu/** mr,
/lib64/** mr,
/opt/php*/lib/php/** mr,
/usr/lib/** mr,
/usr/lib/x86_64-linux-gnu/** mr,
/usr/libexec/** mr,
/usr/local/include/** mr,
/usr/local/ioncube/ioncube_loader_lin_*.so mr,
/usr/local/lib/** mr,
/usr/local/ssl/** mr,
/usr/local/ssl3/** mr,
# Allow PHP-CLI to read and write its log files
/var/log/php/** rw,
/var/log/newrelic/php_agent.log rw,
# Allow PHP-CLI to write to some other log/pid files
/run/nginx.pid rw,
/var/log/nginx/access.log rw,
/var/log/nginx/error.log rw,
# Allow PHP-CLI to access /proc and /sys for necessary information
/proc/ r,
/proc/** r,
/sys/ r,
/sys/** r,
# Allow PHP-CLI to use /dev/shm for temporary storage
/dev/shm/ r,
/dev/shm/** rw,
# Deny execution of binaries from these directories
deny /home/*/.tmp/** m,
deny /home/*/** m,
deny /tmp/** m,
deny /var/tmp/** m,
# Allow PHP-CLI to access drush
/data/disk/*/tools/drush/ r,
/data/disk/*/tools/drush/* mrix,
/data/disk/*/tools/drush/** r,
/opt/tools/drush/** mrix,
/usr/local/bin/cv.phar mrix,
/var/aegir/drush/ r,
/var/aegir/drush/* mrix,
/var/aegir/drush/** r,
# Allow PHP-CLI to access System Default Web Root
/var/www/** r,
owner /var/www/** rw,
# Allow PHP-CLI to read/write in the Ægir Backend on Master Instance
owner /var/aegir/.drush/ r,
owner /var/aegir/.drush/* rw,
owner /var/aegir/.drush/** rw,
owner /var/aegir/.tmp/ r,
owner /var/aegir/.tmp/* rw,
owner /var/aegir/.tmp/** rw,
owner /var/aegir/config/ r,
owner /var/aegir/config/* rw,
owner /var/aegir/config/** rw,
owner /var/aegir/host_master-*/ r,
owner /var/aegir/host_master-*/* rw,
owner /var/aegir/host_master-*/** rw,
owner /var/aegir/host_master/ r,
owner /var/aegir/host_master/* rw,
owner /var/aegir/host_master/** rw,
owner /var/aegir/platforms/ r,
owner /var/aegir/platforms/* rw,
owner /var/aegir/platforms/** rw,
# Allow PHP-CLI to read/write in the Ægir Backend on Octopus Instances
/data/all/ r,
/data/all/* r,
/data/all/** r,
/data/conf/ r,
/data/conf/* r,
/data/conf/** r,
/data/disk/*/.bashrc r,
owner /data/disk/*/.cache/**/pack-* l,
owner /data/disk/*/static/**/pack-* l,
owner /data/disk/*/log/ r,
owner /data/disk/*/log/* rw,
owner /data/disk/*/.*.pass.php r,
owner /data/disk/*/.rnd rw,
owner /data/disk/*/backups/ rwl,
owner /data/disk/*/backups/* rwl,
owner /data/disk/*/backups/** rwl,
owner /data/disk/*/backup-exports/ rwl,
owner /data/disk/*/backup-exports/* rwl,
owner /data/disk/*/backup-exports/** rwl,
owner /data/disk/*/.config/ rwl,
owner /data/disk/*/.config/* rwl,
owner /data/disk/*/.config/** rwl,
owner /data/disk/*/.cache/ rwl,
owner /data/disk/*/.cache/* rwl,
owner /data/disk/*/.cache/** rwl,
owner /data/disk/*/.drush/ rwl,
owner /data/disk/*/.drush/* rwl,
owner /data/disk/*/.drush/** rwl,
owner /data/disk/*/.tmp/ rwl,
owner /data/disk/*/.tmp/* rwl,
owner /data/disk/*/.tmp/** rwl,
owner /data/disk/*/clients/ rw,
owner /data/disk/*/clients/* rw,
owner /data/disk/*/clients/** rw,
owner /data/disk/*/config/ rw,
owner /data/disk/*/config/* rw,
owner /data/disk/*/config/** rw,
owner /data/disk/*/tools/le/ rw,
owner /data/disk/*/tools/le/* rw,
owner /data/disk/*/tools/le/** rw,
# Allow PHP-CLI to read/write in the Ægir Frontend on Octopus Instances
owner /data/disk/*/aegir/ rw,
owner /data/disk/*/aegir/* rw,
owner /data/disk/*/aegir/** rw,
# Allow PHP-CLI to read/write in the limited shell user home for Drush support
owner /home/*/.drush/sites/ rw,
owner /home/*/.drush/sites/* rw,
owner /home/*/.drush/sites/** rw,
owner /home/*/.drush/cache/ rw,
owner /home/*/.drush/cache/* rw,
owner /home/*/.drush/cache/** rw,
owner /home/*/.tmp/ rw,
owner /home/*/.tmp/* rw,
owner /home/*/.tmp/** rw,
# Allow PHP-CLI to read/write in the custom web root directories
/data/disk/*/static/ rw,
/data/disk/*/static/* rw,
/data/disk/*/static/** rw,
/data/disk/*/distro/ rw,
/data/disk/*/distro/* rw,
/data/disk/*/distro/** rw,
/data/disk/*/platforms/ rw,
/data/disk/*/platforms/* rw,
/data/disk/*/platforms/** rw,
# Allow PHP-CLI to read and write in the root tmp
owner /root/.tmp/ rw,
owner /root/.tmp/* rw,
owner /root/.tmp/** rw,
# Deny access to various sensitive directories and files
deny /boot/** mrwklx,
# Catchall to deny everything else
#deny /** rwklx,
# Site-specific additions and overrides can be added below
}
================================================
FILE: aegir/conf/apparmor/opt.php71.sbin.php-fpm
================================================
# AppArmor profile for PHP-FPM
# This profile restricts the PHP-FPM (php71) to essential operations only.
#include
/opt/php71/sbin/php-fpm flags=(attach_disconnected) {
# Include common AppArmor abstractions
include
include
include
include
# Capabilities needed by PHP-FPM
capability chown,
capability dac_override,
capability dac_read_search,
capability fowner,
capability kill,
capability setgid,
capability setuid,
capability sys_resource,
# Allow PHP-FPM to accept signal from PHP-CLI processes
signal (receive) peer=/opt/php*/bin/php,
network inet stream,
network inet6 stream,
# Allow PHP-FPM to execute its own binary
/opt/php71/sbin/php-fpm mrix,
# Allow PHP-FPM to read its configuration files
/data/conf/ r,
/data/conf/** r,
/etc/ImageMagick-6/log.xml r,
/etc/ImageMagick-6/policy.xml r,
/etc/ld.so.cache r,
/etc/mailname r,
/etc/newrelic/upgrade_please.key r,
/etc/postfix/dynamicmaps.cf r,
/etc/postfix/dynamicmaps.cf.d/ r,
/etc/postfix/dynamicmaps.cf.d/* r,
/etc/postfix/main.cf r,
/home/*/.drush/** r,
/opt/etc/fpm/** r,
/var/spool/postfix/maildrop/ r,
/var/spool/postfix/maildrop/* rw,
/opt/php71/** r,
# Allow PHP-FPM to execute some other binaries
/bin/dash mrix,
/opt/local/bin/websh mrix,
/usr/bin/advdef mrix,
/usr/bin/advpng mrix,
/usr/bin/chromium mrix,
/usr/bin/convert mrix,
/usr/bin/id mrix,
/usr/bin/jpegoptim mrix,
/usr/bin/jpegtran mrix,
/usr/bin/magick mrix,
/usr/bin/optipng mrix,
/usr/bin/pngcrush mrix,
/usr/bin/pngquant mrix,
/usr/lib/postfix/sbin/smtpd mrix,
/usr/local/bin/curl mrix,
/usr/local/bin/wkhtmltoimage mrix,
/usr/local/bin/wkhtmltopdf mrix,
/usr/sbin/postdrop mrix,
/usr/sbin/sendmail mrix,
# Allow PHP-FPM to access some /dev
/dev/null rw,
/dev/random r,
/dev/tty wr,
/dev/urandom r,
# Allow PHP-FPM to access its run directory
/run/** rw,
# Allow PHP-FPM to use tmp files
/home/*/.tmp/ r,
/home/*/.tmp/** rw,
/tmp/ r,
/tmp/** rw,
/var/tmp/** rw,
# Allow read access to necessary libraries
/lib/** mr,
/lib/x86_64-linux-gnu/** mr,
/lib64/** mr,
/opt/php*/lib/php/** mr,
/usr/lib/** mr,
/usr/lib/x86_64-linux-gnu/** mr,
/usr/libexec/** mr,
/usr/local/include/** mr,
/usr/local/ioncube/ioncube_loader_lin_*.so mr,
/usr/local/lib/** mr,
/usr/local/ssl/** mr,
/usr/local/ssl3/** mr,
# Allow PHP-FPM to read and write its log files
/var/log/newrelic/php_agent.log rw,
/var/log/php/** rw,
# Allow PHP-FPM to access /proc and /sys for necessary information
/proc/** r,
/sys/** r,
# Allow PHP-FPM to use /dev/shm for temporary storage
/dev/shm/ r,
/dev/shm/** rw,
# Deny execution of binaries from these directories
deny /home/*/.tmp/** m,
deny /home/*/** m,
deny /tmp/** m,
deny /var/tmp/** m,
# Allow PHP-FPM to read and write in the custom web root directories
/var/www/** r,
/var/aegir/host_master/** r,
/var/aegir/platforms/** r,
/data/disk/*/aegir/** r,
/data/disk/*/distro/** r,
/data/disk/*/platforms/** r,
/data/disk/*/static/** r,
/data/disk/*/tools/le/** r,
/data/all/ r,
/data/all/* r,
/data/all/** r,
/data/conf/ r,
/data/conf/* r,
/data/conf/** r,
owner /var/aegir/host_master/** rw,
owner /var/aegir/platforms/** rw,
owner /data/disk/*/aegir/** rw,
owner /data/disk/*/distro/** rw,
owner /data/disk/*/platforms/** rw,
owner /data/disk/*/static/** rw,
owner /var/www/** rw,
/home/*.web/.aws/ r,
/home/*.web/.aws/* rw,
/home/*.web/.drush/ r,
/home/*.web/.drush/* r,
/home/*.web/.tmp/ r,
/home/*.web/.tmp/* rw,
# Deny access to various sensitive directories and files
deny /boot/** mrwklx,
deny /etc/shadow* rwlx,
deny /root/** mrwklx,
# Catchall to deny everything else
#deny /** rwklx,
# Site-specific additions and overrides can be added below
}
================================================
FILE: aegir/conf/apparmor/opt.php72.bin.php
================================================
# AppArmor profile for PHP-CLI
# This profile restricts PHP-CLI (php72) to essential operations only.
#include
/opt/php72/bin/php flags=(complain) {
# Include common AppArmor abstractions
include
include
include
include
include
# Capabilities needed by PHP-CLI
capability audit_write,
capability chown,
capability dac_override,
capability dac_read_search,
capability fowner,
capability fsetid,
capability mknod,
capability setgid,
capability setuid,
capability sys_ptrace,
capability sys_resource,
# Allow PHP-CLI to execute its own binary
/opt/php72/bin/php mrix,
# Allow PHP-CLI to signal/ptrace other processes
ptrace (read) peer=/opt/php*/bin/php,
signal (send) peer=unconfined,
signal (send) peer=/usr/sbin/nginx,
ptrace (read) peer=/opt/php*/sbin/php-fpm,
ptrace (read) peer=/usr/bin/mysqld_safe,
ptrace (read) peer=/usr/bin/redis-server,
ptrace (read) peer=/usr/local/sbin/pure-ftpd,
ptrace (read) peer=/usr/sbin/nginx,
ptrace (read) peer=/usr/sbin/rsyslogd,
ptrace (read) peer=/usr/sbin/unbound,
ptrace (read) peer=unconfined,
# Allow PHP-CLI to read required configuration files
/data/disk/*/.subversion/ r,
/data/disk/*/.subversion/* r,
/etc/default/nginx r,
/etc/ImageMagick-6/log.xml r,
/etc/ImageMagick-6/policy.xml r,
/etc/ld.so.cache r,
/etc/ldap/ldap.conf r,
/etc/mailname r,
/etc/mysql/conf.d/ r,
/etc/mysql/conf.d/* r,
/etc/mysql/my.cnf r,
/etc/newrelic/upgrade_please.key r,
/etc/nginx/conf.d/ r,
/etc/nginx/conf.d/** r,
/etc/nginx/fastcgi_params r,
/etc/nginx/mime.types r,
/etc/nginx/nginx.conf r,
/etc/postfix/dynamicmaps.cf r,
/etc/postfix/dynamicmaps.cf.d/ r,
/etc/postfix/main.cf r,
/etc/ssl/private/ r,
/etc/ssl/private/* r,
/etc/ssl/private/nginx-wild-ssl.crt r,
/etc/ssl/private/nginx-wild-ssl.dhp r,
/etc/ssl/private/nginx-wild-ssl.key r,
/etc/subversion/ r,
/etc/subversion/* r,
/etc/wgetrc r,
/home/*/.drush/ r,
/home/*/.drush/** r,
/usr/local/share/git-core/templates/ r,
/usr/local/share/git-core/templates/* r,
/usr/local/share/git-core/templates/** r,
/usr/share/GeoIP/GeoIP.dat r,
/usr/share/GeoIP/GeoIPv6.dat r,
/usr/share/GeoIP/GeoLite2-ASN.mmdb r,
/usr/share/GeoIP/GeoLite2-City.mmdb r,
/usr/share/GeoIP/GeoLite2-Country.mmdb r,
/opt/php72/** r,
# Allow PHP-CLI to read required user/access files
/etc/login.defs r,
/etc/pam.d/* r,
/etc/passwd r,
/etc/security/capability.conf r,
/etc/security/limits.conf r,
/etc/security/limits.d/ r,
/etc/security/limits.d/* r,
/etc/shadow r,
/etc/sudo.conf r,
/etc/sudoers r,
/etc/sudoers.d/ r,
/etc/sudoers.d/* r,
/run/sudo/ts/ r,
/run/sudo/ts/* r,
# Allow PHP-CLI to execute some other binaries
/usr/bin/symlinks mrix,
/bin/cat mrix,
/bin/chmod mrix,
/bin/chown mrix,
/bin/cp mrix,
/bin/dash mrix,
/bin/date mrix,
/bin/egrep mrix,
/bin/grep mrix,
/bin/kmod mrix,
/bin/mkdir mrix,
/bin/mv mrix,
/bin/pidof mrix,
/bin/rm mrix,
/bin/run-parts mrix,
/bin/sed mrix,
/bin/stty mrix,
/bin/tar mrix,
/bin/touch mrix,
/opt/local/bin/websh mrix,
/data/disk/*/**/vendor/drush/drush/drush.php mrix,
/etc/init.d/nginx mrix,
/sbin/killall5 mrix,
/sbin/unix_chkpwd mrix,
/usr/bin/chromium mrix,
/usr/bin/convert mrix,
/usr/bin/find mrix,
/usr/bin/id mrix,
/usr/bin/magick mrix,
/usr/bin/mysql mrix,
/usr/bin/patch mrix,
/usr/bin/sudo mrix,
/usr/bin/svn mrix,
/usr/bin/tput mrix,
/usr/bin/tr mrix,
/usr/bin/unzip mrix,
/usr/bin/wget mrix,
/usr/bin/which mrix,
/usr/bin/which.debianutils mrix,
/usr/local/bin/composer mrix,
/usr/local/bin/curl mrix,
/usr/local/bin/fix-drupal-platform-ownership.sh mrix,
/usr/local/bin/fix-drupal-platform-permissions.sh mrix,
/usr/local/bin/fix-drupal-site-ownership.sh mrix,
/usr/local/bin/fix-drupal-site-permissions.sh mrix,
/usr/local/bin/git mrix,
/usr/local/bin/lock-local-drush-permissions.sh mrix,
/usr/local/bin/mydumper mrix,
/usr/local/bin/myloader mrix,
/usr/local/bin/wkhtmltoimage mrix,
/usr/local/bin/wkhtmltopdf mrix,
/usr/local/libexec/git-core/* mrix,
/usr/local/libexec/git-core/** mrix,
/usr/sbin/nginx mrix,
/usr/sbin/postdrop mrix,
/usr/sbin/sendmail mrix,
# Allow PHP-CLI to access some /dev
/dev/null rw,
/dev/random r,
/dev/tty rw,
/dev/urandom r,
# Allow PHP-CLI to use tmp files
/tmp/ r,
/tmp/** rw,
/var/spool/postfix/maildrop/ r,
/var/spool/postfix/maildrop/* rw,
/var/tmp/** rw,
# Allow read access to necessary libraries
/lib/** mr,
/lib/x86_64-linux-gnu/** mr,
/lib64/** mr,
/opt/php*/lib/php/** mr,
/usr/lib/** mr,
/usr/lib/x86_64-linux-gnu/** mr,
/usr/libexec/** mr,
/usr/local/include/** mr,
/usr/local/ioncube/ioncube_loader_lin_*.so mr,
/usr/local/lib/** mr,
/usr/local/ssl/** mr,
/usr/local/ssl3/** mr,
# Allow PHP-CLI to read and write its log files
/var/log/php/** rw,
/var/log/newrelic/php_agent.log rw,
# Allow PHP-CLI to write to some other log/pid files
/run/nginx.pid rw,
/var/log/nginx/access.log rw,
/var/log/nginx/error.log rw,
# Allow PHP-CLI to access /proc and /sys for necessary information
/proc/ r,
/proc/** r,
/sys/ r,
/sys/** r,
# Allow PHP-CLI to use /dev/shm for temporary storage
/dev/shm/ r,
/dev/shm/** rw,
# Deny execution of binaries from these directories
deny /home/*/.tmp/** m,
deny /home/*/** m,
deny /tmp/** m,
deny /var/tmp/** m,
# Allow PHP-CLI to access drush
/data/disk/*/tools/drush/ r,
/data/disk/*/tools/drush/* mrix,
/data/disk/*/tools/drush/** r,
/opt/tools/drush/** mrix,
/usr/local/bin/cv.phar mrix,
/var/aegir/drush/ r,
/var/aegir/drush/* mrix,
/var/aegir/drush/** r,
# Allow PHP-CLI to access System Default Web Root
/var/www/** r,
owner /var/www/** rw,
# Allow PHP-CLI to read/write in the Ægir Backend on Master Instance
owner /var/aegir/.drush/ r,
owner /var/aegir/.drush/* rw,
owner /var/aegir/.drush/** rw,
owner /var/aegir/.tmp/ r,
owner /var/aegir/.tmp/* rw,
owner /var/aegir/.tmp/** rw,
owner /var/aegir/config/ r,
owner /var/aegir/config/* rw,
owner /var/aegir/config/** rw,
owner /var/aegir/host_master-*/ r,
owner /var/aegir/host_master-*/* rw,
owner /var/aegir/host_master-*/** rw,
owner /var/aegir/host_master/ r,
owner /var/aegir/host_master/* rw,
owner /var/aegir/host_master/** rw,
owner /var/aegir/platforms/ r,
owner /var/aegir/platforms/* rw,
owner /var/aegir/platforms/** rw,
# Allow PHP-CLI to read/write in the Ægir Backend on Octopus Instances
/data/all/ r,
/data/all/* r,
/data/all/** r,
/data/conf/ r,
/data/conf/* r,
/data/conf/** r,
/data/disk/*/.bashrc r,
owner /data/disk/*/.cache/**/pack-* l,
owner /data/disk/*/static/**/pack-* l,
owner /data/disk/*/log/ r,
owner /data/disk/*/log/* rw,
owner /data/disk/*/.*.pass.php r,
owner /data/disk/*/.rnd rw,
owner /data/disk/*/backups/ rwl,
owner /data/disk/*/backups/* rwl,
owner /data/disk/*/backups/** rwl,
owner /data/disk/*/backup-exports/ rwl,
owner /data/disk/*/backup-exports/* rwl,
owner /data/disk/*/backup-exports/** rwl,
owner /data/disk/*/.config/ rwl,
owner /data/disk/*/.config/* rwl,
owner /data/disk/*/.config/** rwl,
owner /data/disk/*/.cache/ rwl,
owner /data/disk/*/.cache/* rwl,
owner /data/disk/*/.cache/** rwl,
owner /data/disk/*/.drush/ rwl,
owner /data/disk/*/.drush/* rwl,
owner /data/disk/*/.drush/** rwl,
owner /data/disk/*/.tmp/ rwl,
owner /data/disk/*/.tmp/* rwl,
owner /data/disk/*/.tmp/** rwl,
owner /data/disk/*/clients/ rw,
owner /data/disk/*/clients/* rw,
owner /data/disk/*/clients/** rw,
owner /data/disk/*/config/ rw,
owner /data/disk/*/config/* rw,
owner /data/disk/*/config/** rw,
owner /data/disk/*/tools/le/ rw,
owner /data/disk/*/tools/le/* rw,
owner /data/disk/*/tools/le/** rw,
# Allow PHP-CLI to read/write in the Ægir Frontend on Octopus Instances
owner /data/disk/*/aegir/ rw,
owner /data/disk/*/aegir/* rw,
owner /data/disk/*/aegir/** rw,
# Allow PHP-CLI to read/write in the limited shell user home for Drush support
owner /home/*/.drush/sites/ rw,
owner /home/*/.drush/sites/* rw,
owner /home/*/.drush/sites/** rw,
owner /home/*/.drush/cache/ rw,
owner /home/*/.drush/cache/* rw,
owner /home/*/.drush/cache/** rw,
owner /home/*/.tmp/ rw,
owner /home/*/.tmp/* rw,
owner /home/*/.tmp/** rw,
# Allow PHP-CLI to read/write in the custom web root directories
/data/disk/*/static/ rw,
/data/disk/*/static/* rw,
/data/disk/*/static/** rw,
/data/disk/*/distro/ rw,
/data/disk/*/distro/* rw,
/data/disk/*/distro/** rw,
/data/disk/*/platforms/ rw,
/data/disk/*/platforms/* rw,
/data/disk/*/platforms/** rw,
# Allow PHP-CLI to read and write in the root tmp
owner /root/.tmp/ rw,
owner /root/.tmp/* rw,
owner /root/.tmp/** rw,
# Deny access to various sensitive directories and files
deny /boot/** mrwklx,
# Catchall to deny everything else
#deny /** rwklx,
# Site-specific additions and overrides can be added below
}
================================================
FILE: aegir/conf/apparmor/opt.php72.sbin.php-fpm
================================================
# AppArmor profile for PHP-FPM
# This profile restricts the PHP-FPM (php72) to essential operations only.
#include
/opt/php72/sbin/php-fpm flags=(attach_disconnected) {
# Include common AppArmor abstractions
include
include
include
include
# Capabilities needed by PHP-FPM
capability chown,
capability dac_override,
capability dac_read_search,
capability fowner,
capability kill,
capability setgid,
capability setuid,
capability sys_resource,
# Allow PHP-FPM to accept signal from PHP-CLI processes
signal (receive) peer=/opt/php*/bin/php,
network inet stream,
network inet6 stream,
# Allow PHP-FPM to execute its own binary
/opt/php72/sbin/php-fpm mrix,
# Allow PHP-FPM to read its configuration files
/data/conf/ r,
/data/conf/** r,
/etc/ImageMagick-6/log.xml r,
/etc/ImageMagick-6/policy.xml r,
/etc/ld.so.cache r,
/etc/mailname r,
/etc/newrelic/upgrade_please.key r,
/etc/postfix/dynamicmaps.cf r,
/etc/postfix/dynamicmaps.cf.d/ r,
/etc/postfix/dynamicmaps.cf.d/* r,
/etc/postfix/main.cf r,
/home/*/.drush/** r,
/opt/etc/fpm/** r,
/var/spool/postfix/maildrop/ r,
/var/spool/postfix/maildrop/* rw,
/opt/php72/** r,
# Allow PHP-FPM to execute some other binaries
/bin/dash mrix,
/opt/local/bin/websh mrix,
/usr/bin/advdef mrix,
/usr/bin/advpng mrix,
/usr/bin/chromium mrix,
/usr/bin/convert mrix,
/usr/bin/id mrix,
/usr/bin/jpegoptim mrix,
/usr/bin/jpegtran mrix,
/usr/bin/magick mrix,
/usr/bin/optipng mrix,
/usr/bin/pngcrush mrix,
/usr/bin/pngquant mrix,
/usr/lib/postfix/sbin/smtpd mrix,
/usr/local/bin/curl mrix,
/usr/local/bin/wkhtmltoimage mrix,
/usr/local/bin/wkhtmltopdf mrix,
/usr/sbin/postdrop mrix,
/usr/sbin/sendmail mrix,
# Allow PHP-FPM to access some /dev
/dev/null rw,
/dev/random r,
/dev/tty wr,
/dev/urandom r,
# Allow PHP-FPM to access its run directory
/run/** rw,
# Allow PHP-FPM to use tmp files
/home/*/.tmp/ r,
/home/*/.tmp/** rw,
/tmp/ r,
/tmp/** rw,
/var/tmp/** rw,
# Allow read access to necessary libraries
/lib/** mr,
/lib/x86_64-linux-gnu/** mr,
/lib64/** mr,
/opt/php*/lib/php/** mr,
/usr/lib/** mr,
/usr/lib/x86_64-linux-gnu/** mr,
/usr/libexec/** mr,
/usr/local/include/** mr,
/usr/local/ioncube/ioncube_loader_lin_*.so mr,
/usr/local/lib/** mr,
/usr/local/ssl/** mr,
/usr/local/ssl3/** mr,
# Allow PHP-FPM to read and write its log files
/var/log/newrelic/php_agent.log rw,
/var/log/php/** rw,
# Allow PHP-FPM to access /proc and /sys for necessary information
/proc/** r,
/sys/** r,
# Allow PHP-FPM to use /dev/shm for temporary storage
/dev/shm/ r,
/dev/shm/** rw,
# Deny execution of binaries from these directories
deny /home/*/.tmp/** m,
deny /home/*/** m,
deny /tmp/** m,
deny /var/tmp/** m,
# Allow PHP-FPM to read and write in the custom web root directories
/var/www/** r,
/var/aegir/host_master/** r,
/var/aegir/platforms/** r,
/data/disk/*/aegir/** r,
/data/disk/*/distro/** r,
/data/disk/*/platforms/** r,
/data/disk/*/static/** r,
/data/disk/*/tools/le/** r,
/data/all/ r,
/data/all/* r,
/data/all/** r,
/data/conf/ r,
/data/conf/* r,
/data/conf/** r,
owner /var/aegir/host_master/** rw,
owner /var/aegir/platforms/** rw,
owner /data/disk/*/aegir/** rw,
owner /data/disk/*/distro/** rw,
owner /data/disk/*/platforms/** rw,
owner /data/disk/*/static/** rw,
owner /var/www/** rw,
/home/*.web/.aws/ r,
/home/*.web/.aws/* rw,
/home/*.web/.drush/ r,
/home/*.web/.drush/* r,
/home/*.web/.tmp/ r,
/home/*.web/.tmp/* rw,
# Deny access to various sensitive directories and files
deny /boot/** mrwklx,
deny /etc/shadow* rwlx,
deny /root/** mrwklx,
# Catchall to deny everything else
#deny /** rwklx,
# Site-specific additions and overrides can be added below
}
================================================
FILE: aegir/conf/apparmor/opt.php73.bin.php
================================================
# AppArmor profile for PHP-CLI
# This profile restricts PHP-CLI (php73) to essential operations only.
#include
/opt/php73/bin/php flags=(complain) {
# Include common AppArmor abstractions
include
include
include
include
include
# Capabilities needed by PHP-CLI
capability audit_write,
capability chown,
capability dac_override,
capability dac_read_search,
capability fowner,
capability fsetid,
capability mknod,
capability setgid,
capability setuid,
capability sys_ptrace,
capability sys_resource,
# Allow PHP-CLI to execute its own binary
/opt/php73/bin/php mrix,
# Allow PHP-CLI to signal/ptrace other processes
ptrace (read) peer=/opt/php*/bin/php,
signal (send) peer=unconfined,
signal (send) peer=/usr/sbin/nginx,
ptrace (read) peer=/opt/php*/sbin/php-fpm,
ptrace (read) peer=/usr/bin/mysqld_safe,
ptrace (read) peer=/usr/bin/redis-server,
ptrace (read) peer=/usr/local/sbin/pure-ftpd,
ptrace (read) peer=/usr/sbin/nginx,
ptrace (read) peer=/usr/sbin/rsyslogd,
ptrace (read) peer=/usr/sbin/unbound,
ptrace (read) peer=unconfined,
# Allow PHP-CLI to read required configuration files
/data/disk/*/.subversion/ r,
/data/disk/*/.subversion/* r,
/etc/default/nginx r,
/etc/ImageMagick-6/log.xml r,
/etc/ImageMagick-6/policy.xml r,
/etc/ld.so.cache r,
/etc/ldap/ldap.conf r,
/etc/mailname r,
/etc/mysql/conf.d/ r,
/etc/mysql/conf.d/* r,
/etc/mysql/my.cnf r,
/etc/newrelic/upgrade_please.key r,
/etc/nginx/conf.d/ r,
/etc/nginx/conf.d/** r,
/etc/nginx/fastcgi_params r,
/etc/nginx/mime.types r,
/etc/nginx/nginx.conf r,
/etc/postfix/dynamicmaps.cf r,
/etc/postfix/dynamicmaps.cf.d/ r,
/etc/postfix/main.cf r,
/etc/ssl/private/ r,
/etc/ssl/private/* r,
/etc/ssl/private/nginx-wild-ssl.crt r,
/etc/ssl/private/nginx-wild-ssl.dhp r,
/etc/ssl/private/nginx-wild-ssl.key r,
/etc/subversion/ r,
/etc/subversion/* r,
/etc/wgetrc r,
/home/*/.drush/ r,
/home/*/.drush/** r,
/usr/local/share/git-core/templates/ r,
/usr/local/share/git-core/templates/* r,
/usr/local/share/git-core/templates/** r,
/usr/share/GeoIP/GeoIP.dat r,
/usr/share/GeoIP/GeoIPv6.dat r,
/usr/share/GeoIP/GeoLite2-ASN.mmdb r,
/usr/share/GeoIP/GeoLite2-City.mmdb r,
/usr/share/GeoIP/GeoLite2-Country.mmdb r,
/opt/php73/** r,
# Allow PHP-CLI to read required user/access files
/etc/login.defs r,
/etc/pam.d/* r,
/etc/passwd r,
/etc/security/capability.conf r,
/etc/security/limits.conf r,
/etc/security/limits.d/ r,
/etc/security/limits.d/* r,
/etc/shadow r,
/etc/sudo.conf r,
/etc/sudoers r,
/etc/sudoers.d/ r,
/etc/sudoers.d/* r,
/run/sudo/ts/ r,
/run/sudo/ts/* r,
# Allow PHP-CLI to execute some other binaries
/usr/bin/symlinks mrix,
/bin/cat mrix,
/bin/chmod mrix,
/bin/chown mrix,
/bin/cp mrix,
/bin/dash mrix,
/bin/date mrix,
/bin/egrep mrix,
/bin/grep mrix,
/bin/kmod mrix,
/bin/mkdir mrix,
/bin/mv mrix,
/bin/pidof mrix,
/bin/rm mrix,
/bin/run-parts mrix,
/bin/sed mrix,
/bin/stty mrix,
/bin/tar mrix,
/bin/touch mrix,
/opt/local/bin/websh mrix,
/data/disk/*/**/vendor/drush/drush/drush.php mrix,
/etc/init.d/nginx mrix,
/sbin/killall5 mrix,
/sbin/unix_chkpwd mrix,
/usr/bin/chromium mrix,
/usr/bin/convert mrix,
/usr/bin/find mrix,
/usr/bin/id mrix,
/usr/bin/magick mrix,
/usr/bin/mysql mrix,
/usr/bin/patch mrix,
/usr/bin/sudo mrix,
/usr/bin/svn mrix,
/usr/bin/tput mrix,
/usr/bin/tr mrix,
/usr/bin/unzip mrix,
/usr/bin/wget mrix,
/usr/bin/which mrix,
/usr/bin/which.debianutils mrix,
/usr/local/bin/composer mrix,
/usr/local/bin/curl mrix,
/usr/local/bin/fix-drupal-platform-ownership.sh mrix,
/usr/local/bin/fix-drupal-platform-permissions.sh mrix,
/usr/local/bin/fix-drupal-site-ownership.sh mrix,
/usr/local/bin/fix-drupal-site-permissions.sh mrix,
/usr/local/bin/git mrix,
/usr/local/bin/lock-local-drush-permissions.sh mrix,
/usr/local/bin/mydumper mrix,
/usr/local/bin/myloader mrix,
/usr/local/bin/wkhtmltoimage mrix,
/usr/local/bin/wkhtmltopdf mrix,
/usr/local/libexec/git-core/* mrix,
/usr/local/libexec/git-core/** mrix,
/usr/sbin/nginx mrix,
/usr/sbin/postdrop mrix,
/usr/sbin/sendmail mrix,
# Allow PHP-CLI to access some /dev
/dev/null rw,
/dev/random r,
/dev/tty rw,
/dev/urandom r,
# Allow PHP-CLI to use tmp files
/tmp/ r,
/tmp/** rw,
/var/spool/postfix/maildrop/ r,
/var/spool/postfix/maildrop/* rw,
/var/tmp/** rw,
# Allow read access to necessary libraries
/lib/** mr,
/lib/x86_64-linux-gnu/** mr,
/lib64/** mr,
/opt/php*/lib/php/** mr,
/usr/lib/** mr,
/usr/lib/x86_64-linux-gnu/** mr,
/usr/libexec/** mr,
/usr/local/include/** mr,
/usr/local/ioncube/ioncube_loader_lin_*.so mr,
/usr/local/lib/** mr,
/usr/local/ssl/** mr,
/usr/local/ssl3/** mr,
# Allow PHP-CLI to read and write its log files
/var/log/php/** rw,
/var/log/newrelic/php_agent.log rw,
# Allow PHP-CLI to write to some other log/pid files
/run/nginx.pid rw,
/var/log/nginx/access.log rw,
/var/log/nginx/error.log rw,
# Allow PHP-CLI to access /proc and /sys for necessary information
/proc/ r,
/proc/** r,
/sys/ r,
/sys/** r,
# Allow PHP-CLI to use /dev/shm for temporary storage
/dev/shm/ r,
/dev/shm/** rw,
# Deny execution of binaries from these directories
deny /home/*/.tmp/** m,
deny /home/*/** m,
deny /tmp/** m,
deny /var/tmp/** m,
# Allow PHP-CLI to access drush
/data/disk/*/tools/drush/ r,
/data/disk/*/tools/drush/* mrix,
/data/disk/*/tools/drush/** r,
/opt/tools/drush/** mrix,
/usr/local/bin/cv.phar mrix,
/var/aegir/drush/ r,
/var/aegir/drush/* mrix,
/var/aegir/drush/** r,
# Allow PHP-CLI to access System Default Web Root
/var/www/** r,
owner /var/www/** rw,
# Allow PHP-CLI to read/write in the Ægir Backend on Master Instance
owner /var/aegir/.drush/ r,
owner /var/aegir/.drush/* rw,
owner /var/aegir/.drush/** rw,
owner /var/aegir/.tmp/ r,
owner /var/aegir/.tmp/* rw,
owner /var/aegir/.tmp/** rw,
owner /var/aegir/config/ r,
owner /var/aegir/config/* rw,
owner /var/aegir/config/** rw,
owner /var/aegir/host_master-*/ r,
owner /var/aegir/host_master-*/* rw,
owner /var/aegir/host_master-*/** rw,
owner /var/aegir/host_master/ r,
owner /var/aegir/host_master/* rw,
owner /var/aegir/host_master/** rw,
owner /var/aegir/platforms/ r,
owner /var/aegir/platforms/* rw,
owner /var/aegir/platforms/** rw,
# Allow PHP-CLI to read/write in the Ægir Backend on Octopus Instances
/data/all/ r,
/data/all/* r,
/data/all/** r,
/data/conf/ r,
/data/conf/* r,
/data/conf/** r,
/data/disk/*/.bashrc r,
owner /data/disk/*/.cache/**/pack-* l,
owner /data/disk/*/static/**/pack-* l,
owner /data/disk/*/log/ r,
owner /data/disk/*/log/* rw,
owner /data/disk/*/.*.pass.php r,
owner /data/disk/*/.rnd rw,
owner /data/disk/*/backups/ rwl,
owner /data/disk/*/backups/* rwl,
owner /data/disk/*/backups/** rwl,
owner /data/disk/*/backup-exports/ rwl,
owner /data/disk/*/backup-exports/* rwl,
owner /data/disk/*/backup-exports/** rwl,
owner /data/disk/*/.config/ rwl,
owner /data/disk/*/.config/* rwl,
owner /data/disk/*/.config/** rwl,
owner /data/disk/*/.cache/ rwl,
owner /data/disk/*/.cache/* rwl,
owner /data/disk/*/.cache/** rwl,
owner /data/disk/*/.drush/ rwl,
owner /data/disk/*/.drush/* rwl,
owner /data/disk/*/.drush/** rwl,
owner /data/disk/*/.tmp/ rwl,
owner /data/disk/*/.tmp/* rwl,
owner /data/disk/*/.tmp/** rwl,
owner /data/disk/*/clients/ rw,
owner /data/disk/*/clients/* rw,
owner /data/disk/*/clients/** rw,
owner /data/disk/*/config/ rw,
owner /data/disk/*/config/* rw,
owner /data/disk/*/config/** rw,
owner /data/disk/*/tools/le/ rw,
owner /data/disk/*/tools/le/* rw,
owner /data/disk/*/tools/le/** rw,
# Allow PHP-CLI to read/write in the Ægir Frontend on Octopus Instances
owner /data/disk/*/aegir/ rw,
owner /data/disk/*/aegir/* rw,
owner /data/disk/*/aegir/** rw,
# Allow PHP-CLI to read/write in the limited shell user home for Drush support
owner /home/*/.drush/sites/ rw,
owner /home/*/.drush/sites/* rw,
owner /home/*/.drush/sites/** rw,
owner /home/*/.drush/cache/ rw,
owner /home/*/.drush/cache/* rw,
owner /home/*/.drush/cache/** rw,
owner /home/*/.tmp/ rw,
owner /home/*/.tmp/* rw,
owner /home/*/.tmp/** rw,
# Allow PHP-CLI to read/write in the custom web root directories
/data/disk/*/static/ rw,
/data/disk/*/static/* rw,
/data/disk/*/static/** rw,
/data/disk/*/distro/ rw,
/data/disk/*/distro/* rw,
/data/disk/*/distro/** rw,
/data/disk/*/platforms/ rw,
/data/disk/*/platforms/* rw,
/data/disk/*/platforms/** rw,
# Allow PHP-CLI to read and write in the root tmp
owner /root/.tmp/ rw,
owner /root/.tmp/* rw,
owner /root/.tmp/** rw,
# Deny access to various sensitive directories and files
deny /boot/** mrwklx,
# Catchall to deny everything else
#deny /** rwklx,
# Site-specific additions and overrides can be added below
}
================================================
FILE: aegir/conf/apparmor/opt.php73.sbin.php-fpm
================================================
# AppArmor profile for PHP-FPM
# This profile restricts the PHP-FPM (php73) to essential operations only.
#include
/opt/php73/sbin/php-fpm flags=(attach_disconnected) {
# Include common AppArmor abstractions
include
include
include
include
# Capabilities needed by PHP-FPM
capability chown,
capability dac_override,
capability dac_read_search,
capability fowner,
capability kill,
capability setgid,
capability setuid,
capability sys_resource,
# Allow PHP-FPM to accept signal from PHP-CLI processes
signal (receive) peer=/opt/php*/bin/php,
network inet stream,
network inet6 stream,
# Allow PHP-FPM to execute its own binary
/opt/php73/sbin/php-fpm mrix,
# Allow PHP-FPM to read its configuration files
/data/conf/ r,
/data/conf/** r,
/etc/ImageMagick-6/log.xml r,
/etc/ImageMagick-6/policy.xml r,
/etc/ld.so.cache r,
/etc/mailname r,
/etc/newrelic/upgrade_please.key r,
/etc/postfix/dynamicmaps.cf r,
/etc/postfix/dynamicmaps.cf.d/ r,
/etc/postfix/dynamicmaps.cf.d/* r,
/etc/postfix/main.cf r,
/home/*/.drush/** r,
/opt/etc/fpm/** r,
/var/spool/postfix/maildrop/ r,
/var/spool/postfix/maildrop/* rw,
/opt/php73/** r,
# Allow PHP-FPM to execute some other binaries
/bin/dash mrix,
/opt/local/bin/websh mrix,
/usr/bin/advdef mrix,
/usr/bin/advpng mrix,
/usr/bin/chromium mrix,
/usr/bin/convert mrix,
/usr/bin/id mrix,
/usr/bin/jpegoptim mrix,
/usr/bin/jpegtran mrix,
/usr/bin/magick mrix,
/usr/bin/optipng mrix,
/usr/bin/pngcrush mrix,
/usr/bin/pngquant mrix,
/usr/lib/postfix/sbin/smtpd mrix,
/usr/local/bin/curl mrix,
/usr/local/bin/wkhtmltoimage mrix,
/usr/local/bin/wkhtmltopdf mrix,
/usr/sbin/postdrop mrix,
/usr/sbin/sendmail mrix,
# Allow PHP-FPM to access some /dev
/dev/null rw,
/dev/random r,
/dev/tty wr,
/dev/urandom r,
# Allow PHP-FPM to access its run directory
/run/** rw,
# Allow PHP-FPM to use tmp files
/home/*/.tmp/ r,
/home/*/.tmp/** rw,
/tmp/ r,
/tmp/** rw,
/var/tmp/** rw,
# Allow read access to necessary libraries
/lib/** mr,
/lib/x86_64-linux-gnu/** mr,
/lib64/** mr,
/opt/php*/lib/php/** mr,
/usr/lib/** mr,
/usr/lib/x86_64-linux-gnu/** mr,
/usr/libexec/** mr,
/usr/local/include/** mr,
/usr/local/ioncube/ioncube_loader_lin_*.so mr,
/usr/local/lib/** mr,
/usr/local/ssl/** mr,
/usr/local/ssl3/** mr,
# Allow PHP-FPM to read and write its log files
/var/log/newrelic/php_agent.log rw,
/var/log/php/** rw,
# Allow PHP-FPM to access /proc and /sys for necessary information
/proc/** r,
/sys/** r,
# Allow PHP-FPM to use /dev/shm for temporary storage
/dev/shm/ r,
/dev/shm/** rw,
# Deny execution of binaries from these directories
deny /home/*/.tmp/** m,
deny /home/*/** m,
deny /tmp/** m,
deny /var/tmp/** m,
# Allow PHP-FPM to read and write in the custom web root directories
/var/www/** r,
/var/aegir/host_master/** r,
/var/aegir/platforms/** r,
/data/disk/*/aegir/** r,
/data/disk/*/distro/** r,
/data/disk/*/platforms/** r,
/data/disk/*/static/** r,
/data/disk/*/tools/le/** r,
/data/all/ r,
/data/all/* r,
/data/all/** r,
/data/conf/ r,
/data/conf/* r,
/data/conf/** r,
owner /var/aegir/host_master/** rw,
owner /var/aegir/platforms/** rw,
owner /data/disk/*/aegir/** rw,
owner /data/disk/*/distro/** rw,
owner /data/disk/*/platforms/** rw,
owner /data/disk/*/static/** rw,
owner /var/www/** rw,
/home/*.web/.aws/ r,
/home/*.web/.aws/* rw,
/home/*.web/.drush/ r,
/home/*.web/.drush/* r,
/home/*.web/.tmp/ r,
/home/*.web/.tmp/* rw,
# Deny access to various sensitive directories and files
deny /boot/** mrwklx,
deny /etc/shadow* rwlx,
deny /root/** mrwklx,
# Catchall to deny everything else
#deny /** rwklx,
# Site-specific additions and overrides can be added below
}
================================================
FILE: aegir/conf/apparmor/opt.php74.bin.php
================================================
# AppArmor profile for PHP-CLI
# This profile restricts PHP-CLI (php74) to essential operations only.
#include
/opt/php74/bin/php flags=(complain) {
# Include common AppArmor abstractions
include
include
include
include
include
# Capabilities needed by PHP-CLI
capability audit_write,
capability chown,
capability dac_override,
capability dac_read_search,
capability fowner,
capability fsetid,
capability mknod,
capability setgid,
capability setuid,
capability sys_ptrace,
capability sys_resource,
# Allow PHP-CLI to execute its own binary
/opt/php74/bin/php mrix,
# Allow PHP-CLI to signal/ptrace other processes
ptrace (read) peer=/opt/php*/bin/php,
signal (send) peer=unconfined,
signal (send) peer=/usr/sbin/nginx,
ptrace (read) peer=/opt/php*/sbin/php-fpm,
ptrace (read) peer=/usr/bin/mysqld_safe,
ptrace (read) peer=/usr/bin/redis-server,
ptrace (read) peer=/usr/local/sbin/pure-ftpd,
ptrace (read) peer=/usr/sbin/nginx,
ptrace (read) peer=/usr/sbin/rsyslogd,
ptrace (read) peer=/usr/sbin/unbound,
ptrace (read) peer=unconfined,
# Allow PHP-CLI to read required configuration files
/data/disk/*/.subversion/ r,
/data/disk/*/.subversion/* r,
/etc/default/nginx r,
/etc/ImageMagick-6/log.xml r,
/etc/ImageMagick-6/policy.xml r,
/etc/ld.so.cache r,
/etc/ldap/ldap.conf r,
/etc/mailname r,
/etc/mysql/conf.d/ r,
/etc/mysql/conf.d/* r,
/etc/mysql/my.cnf r,
/etc/newrelic/upgrade_please.key r,
/etc/nginx/conf.d/ r,
/etc/nginx/conf.d/** r,
/etc/nginx/fastcgi_params r,
/etc/nginx/mime.types r,
/etc/nginx/nginx.conf r,
/etc/postfix/dynamicmaps.cf r,
/etc/postfix/dynamicmaps.cf.d/ r,
/etc/postfix/main.cf r,
/etc/ssl/private/ r,
/etc/ssl/private/* r,
/etc/ssl/private/nginx-wild-ssl.crt r,
/etc/ssl/private/nginx-wild-ssl.dhp r,
/etc/ssl/private/nginx-wild-ssl.key r,
/etc/subversion/ r,
/etc/subversion/* r,
/etc/wgetrc r,
/home/*/.drush/ r,
/home/*/.drush/** r,
/usr/local/share/git-core/templates/ r,
/usr/local/share/git-core/templates/* r,
/usr/local/share/git-core/templates/** r,
/usr/share/GeoIP/GeoIP.dat r,
/usr/share/GeoIP/GeoIPv6.dat r,
/usr/share/GeoIP/GeoLite2-ASN.mmdb r,
/usr/share/GeoIP/GeoLite2-City.mmdb r,
/usr/share/GeoIP/GeoLite2-Country.mmdb r,
/opt/php74/** r,
# Allow PHP-CLI to read required user/access files
/etc/login.defs r,
/etc/pam.d/* r,
/etc/passwd r,
/etc/security/capability.conf r,
/etc/security/limits.conf r,
/etc/security/limits.d/ r,
/etc/security/limits.d/* r,
/etc/shadow r,
/etc/sudo.conf r,
/etc/sudoers r,
/etc/sudoers.d/ r,
/etc/sudoers.d/* r,
/run/sudo/ts/ r,
/run/sudo/ts/* r,
# Allow PHP-CLI to execute some other binaries
/usr/bin/symlinks mrix,
/bin/cat mrix,
/bin/chmod mrix,
/bin/chown mrix,
/bin/cp mrix,
/bin/dash mrix,
/bin/date mrix,
/bin/egrep mrix,
/bin/grep mrix,
/bin/kmod mrix,
/bin/mkdir mrix,
/bin/mv mrix,
/bin/pidof mrix,
/bin/rm mrix,
/bin/run-parts mrix,
/bin/sed mrix,
/bin/stty mrix,
/bin/tar mrix,
/bin/touch mrix,
/opt/local/bin/websh mrix,
/data/disk/*/**/vendor/drush/drush/drush.php mrix,
/etc/init.d/nginx mrix,
/sbin/killall5 mrix,
/sbin/unix_chkpwd mrix,
/usr/bin/chromium mrix,
/usr/bin/convert mrix,
/usr/bin/find mrix,
/usr/bin/id mrix,
/usr/bin/magick mrix,
/usr/bin/mysql mrix,
/usr/bin/patch mrix,
/usr/bin/sudo mrix,
/usr/bin/svn mrix,
/usr/bin/tput mrix,
/usr/bin/tr mrix,
/usr/bin/unzip mrix,
/usr/bin/wget mrix,
/usr/bin/which mrix,
/usr/bin/which.debianutils mrix,
/usr/local/bin/composer mrix,
/usr/local/bin/curl mrix,
/usr/local/bin/fix-drupal-platform-ownership.sh mrix,
/usr/local/bin/fix-drupal-platform-permissions.sh mrix,
/usr/local/bin/fix-drupal-site-ownership.sh mrix,
/usr/local/bin/fix-drupal-site-permissions.sh mrix,
/usr/local/bin/git mrix,
/usr/local/bin/lock-local-drush-permissions.sh mrix,
/usr/local/bin/mydumper mrix,
/usr/local/bin/myloader mrix,
/usr/local/bin/wkhtmltoimage mrix,
/usr/local/bin/wkhtmltopdf mrix,
/usr/local/libexec/git-core/* mrix,
/usr/local/libexec/git-core/** mrix,
/usr/sbin/nginx mrix,
/usr/sbin/postdrop mrix,
/usr/sbin/sendmail mrix,
# Allow PHP-CLI to access some /dev
/dev/null rw,
/dev/random r,
/dev/tty rw,
/dev/urandom r,
# Allow PHP-CLI to use tmp files
/tmp/ r,
/tmp/** rw,
/var/spool/postfix/maildrop/ r,
/var/spool/postfix/maildrop/* rw,
/var/tmp/** rw,
# Allow read access to necessary libraries
/lib/** mr,
/lib/x86_64-linux-gnu/** mr,
/lib64/** mr,
/opt/php*/lib/php/** mr,
/usr/lib/** mr,
/usr/lib/x86_64-linux-gnu/** mr,
/usr/libexec/** mr,
/usr/local/include/** mr,
/usr/local/ioncube/ioncube_loader_lin_*.so mr,
/usr/local/lib/** mr,
/usr/local/ssl/** mr,
/usr/local/ssl3/** mr,
# Allow PHP-CLI to read and write its log files
/var/log/php/** rw,
/var/log/newrelic/php_agent.log rw,
# Allow PHP-CLI to write to some other log/pid files
/run/nginx.pid rw,
/var/log/nginx/access.log rw,
/var/log/nginx/error.log rw,
# Allow PHP-CLI to access /proc and /sys for necessary information
/proc/ r,
/proc/** r,
/sys/ r,
/sys/** r,
# Allow PHP-CLI to use /dev/shm for temporary storage
/dev/shm/ r,
/dev/shm/** rw,
# Deny execution of binaries from these directories
deny /home/*/.tmp/** m,
deny /home/*/** m,
deny /tmp/** m,
deny /var/tmp/** m,
# Allow PHP-CLI to access drush
/data/disk/*/tools/drush/ r,
/data/disk/*/tools/drush/* mrix,
/data/disk/*/tools/drush/** r,
/opt/tools/drush/** mrix,
/usr/local/bin/cv.phar mrix,
/var/aegir/drush/ r,
/var/aegir/drush/* mrix,
/var/aegir/drush/** r,
# Allow PHP-CLI to access System Default Web Root
/var/www/** r,
owner /var/www/** rw,
# Allow PHP-CLI to read/write in the Ægir Backend on Master Instance
owner /var/aegir/.drush/ r,
owner /var/aegir/.drush/* rw,
owner /var/aegir/.drush/** rw,
owner /var/aegir/.tmp/ r,
owner /var/aegir/.tmp/* rw,
owner /var/aegir/.tmp/** rw,
owner /var/aegir/config/ r,
owner /var/aegir/config/* rw,
owner /var/aegir/config/** rw,
owner /var/aegir/host_master-*/ r,
owner /var/aegir/host_master-*/* rw,
owner /var/aegir/host_master-*/** rw,
owner /var/aegir/host_master/ r,
owner /var/aegir/host_master/* rw,
owner /var/aegir/host_master/** rw,
owner /var/aegir/platforms/ r,
owner /var/aegir/platforms/* rw,
owner /var/aegir/platforms/** rw,
# Allow PHP-CLI to read/write in the Ægir Backend on Octopus Instances
/data/all/ r,
/data/all/* r,
/data/all/** r,
/data/conf/ r,
/data/conf/* r,
/data/conf/** r,
/data/disk/*/.bashrc r,
owner /data/disk/*/.cache/**/pack-* l,
owner /data/disk/*/static/**/pack-* l,
owner /data/disk/*/log/ r,
owner /data/disk/*/log/* rw,
owner /data/disk/*/.*.pass.php r,
owner /data/disk/*/.rnd rw,
owner /data/disk/*/backups/ rwl,
owner /data/disk/*/backups/* rwl,
owner /data/disk/*/backups/** rwl,
owner /data/disk/*/backup-exports/ rwl,
owner /data/disk/*/backup-exports/* rwl,
owner /data/disk/*/backup-exports/** rwl,
owner /data/disk/*/.config/ rwl,
owner /data/disk/*/.config/* rwl,
owner /data/disk/*/.config/** rwl,
owner /data/disk/*/.cache/ rwl,
owner /data/disk/*/.cache/* rwl,
owner /data/disk/*/.cache/** rwl,
owner /data/disk/*/.drush/ rwl,
owner /data/disk/*/.drush/* rwl,
owner /data/disk/*/.drush/** rwl,
owner /data/disk/*/.tmp/ rwl,
owner /data/disk/*/.tmp/* rwl,
owner /data/disk/*/.tmp/** rwl,
owner /data/disk/*/clients/ rw,
owner /data/disk/*/clients/* rw,
owner /data/disk/*/clients/** rw,
owner /data/disk/*/config/ rw,
owner /data/disk/*/config/* rw,
owner /data/disk/*/config/** rw,
owner /data/disk/*/tools/le/ rw,
owner /data/disk/*/tools/le/* rw,
owner /data/disk/*/tools/le/** rw,
# Allow PHP-CLI to read/write in the Ægir Frontend on Octopus Instances
owner /data/disk/*/aegir/ rw,
owner /data/disk/*/aegir/* rw,
owner /data/disk/*/aegir/** rw,
# Allow PHP-CLI to read/write in the limited shell user home for Drush support
owner /home/*/.drush/sites/ rw,
owner /home/*/.drush/sites/* rw,
owner /home/*/.drush/sites/** rw,
owner /home/*/.drush/cache/ rw,
owner /home/*/.drush/cache/* rw,
owner /home/*/.drush/cache/** rw,
owner /home/*/.tmp/ rw,
owner /home/*/.tmp/* rw,
owner /home/*/.tmp/** rw,
# Allow PHP-CLI to read/write in the custom web root directories
/data/disk/*/static/ rw,
/data/disk/*/static/* rw,
/data/disk/*/static/** rw,
/data/disk/*/distro/ rw,
/data/disk/*/distro/* rw,
/data/disk/*/distro/** rw,
/data/disk/*/platforms/ rw,
/data/disk/*/platforms/* rw,
/data/disk/*/platforms/** rw,
# Allow PHP-CLI to read and write in the root tmp
owner /root/.tmp/ rw,
owner /root/.tmp/* rw,
owner /root/.tmp/** rw,
# Deny access to various sensitive directories and files
deny /boot/** mrwklx,
# Catchall to deny everything else
#deny /** rwklx,
# Site-specific additions and overrides can be added below
}
================================================
FILE: aegir/conf/apparmor/opt.php74.sbin.php-fpm
================================================
# AppArmor profile for PHP-FPM
# This profile restricts the PHP-FPM (php74) to essential operations only.
#include
/opt/php74/sbin/php-fpm flags=(attach_disconnected) {
# Include common AppArmor abstractions
include
include
include
include
# Capabilities needed by PHP-FPM
capability chown,
capability dac_override,
capability dac_read_search,
capability fowner,
capability kill,
capability setgid,
capability setuid,
capability sys_resource,
# Allow PHP-FPM to accept signal from PHP-CLI processes
signal (receive) peer=/opt/php*/bin/php,
network inet stream,
network inet6 stream,
# Allow PHP-FPM to execute its own binary
/opt/php74/sbin/php-fpm mrix,
# Allow PHP-FPM to read its configuration files
/data/conf/ r,
/data/conf/** r,
/etc/ImageMagick-6/log.xml r,
/etc/ImageMagick-6/policy.xml r,
/etc/ld.so.cache r,
/etc/mailname r,
/etc/newrelic/upgrade_please.key r,
/etc/postfix/dynamicmaps.cf r,
/etc/postfix/dynamicmaps.cf.d/ r,
/etc/postfix/dynamicmaps.cf.d/* r,
/etc/postfix/main.cf r,
/home/*/.drush/** r,
/opt/etc/fpm/** r,
/var/spool/postfix/maildrop/ r,
/var/spool/postfix/maildrop/* rw,
/opt/php74/** r,
# Allow PHP-FPM to execute some other binaries
/bin/dash mrix,
/opt/local/bin/websh mrix,
/usr/bin/advdef mrix,
/usr/bin/advpng mrix,
/usr/bin/chromium mrix,
/usr/bin/convert mrix,
/usr/bin/id mrix,
/usr/bin/jpegoptim mrix,
/usr/bin/jpegtran mrix,
/usr/bin/magick mrix,
/usr/bin/optipng mrix,
/usr/bin/pngcrush mrix,
/usr/bin/pngquant mrix,
/usr/lib/postfix/sbin/smtpd mrix,
/usr/local/bin/curl mrix,
/usr/local/bin/wkhtmltoimage mrix,
/usr/local/bin/wkhtmltopdf mrix,
/usr/sbin/postdrop mrix,
/usr/sbin/sendmail mrix,
# Allow PHP-FPM to access some /dev
/dev/null rw,
/dev/random r,
/dev/tty wr,
/dev/urandom r,
# Allow PHP-FPM to access its run directory
/run/** rw,
# Allow PHP-FPM to use tmp files
/home/*/.tmp/ r,
/home/*/.tmp/** rw,
/tmp/ r,
/tmp/** rw,
/var/tmp/** rw,
# Allow read access to necessary libraries
/lib/** mr,
/lib/x86_64-linux-gnu/** mr,
/lib64/** mr,
/opt/php*/lib/php/** mr,
/usr/lib/** mr,
/usr/lib/x86_64-linux-gnu/** mr,
/usr/libexec/** mr,
/usr/local/include/** mr,
/usr/local/ioncube/ioncube_loader_lin_*.so mr,
/usr/local/lib/** mr,
/usr/local/ssl/** mr,
/usr/local/ssl3/** mr,
# Allow PHP-FPM to read and write its log files
/var/log/newrelic/php_agent.log rw,
/var/log/php/** rw,
# Allow PHP-FPM to access /proc and /sys for necessary information
/proc/** r,
/sys/** r,
# Allow PHP-FPM to use /dev/shm for temporary storage
/dev/shm/ r,
/dev/shm/** rw,
# Deny execution of binaries from these directories
deny /home/*/.tmp/** m,
deny /home/*/** m,
deny /tmp/** m,
deny /var/tmp/** m,
# Allow PHP-FPM to read and write in the custom web root directories
/var/www/** r,
/var/aegir/host_master/** r,
/var/aegir/platforms/** r,
/data/disk/*/aegir/** r,
/data/disk/*/distro/** r,
/data/disk/*/platforms/** r,
/data/disk/*/static/** r,
/data/disk/*/tools/le/** r,
/data/all/ r,
/data/all/* r,
/data/all/** r,
/data/conf/ r,
/data/conf/* r,
/data/conf/** r,
owner /var/aegir/host_master/** rw,
owner /var/aegir/platforms/** rw,
owner /data/disk/*/aegir/** rw,
owner /data/disk/*/distro/** rw,
owner /data/disk/*/platforms/** rw,
owner /data/disk/*/static/** rw,
owner /var/www/** rw,
/home/*.web/.aws/ r,
/home/*.web/.aws/* rw,
/home/*.web/.drush/ r,
/home/*.web/.drush/* r,
/home/*.web/.tmp/ r,
/home/*.web/.tmp/* rw,
# Deny access to various sensitive directories and files
deny /boot/** mrwklx,
deny /etc/shadow* rwlx,
deny /root/** mrwklx,
# Catchall to deny everything else
#deny /** rwklx,
# Site-specific additions and overrides can be added below
}
================================================
FILE: aegir/conf/apparmor/opt.php80.bin.php
================================================
# AppArmor profile for PHP-CLI
# This profile restricts PHP-CLI (php80) to essential operations only.
#include
/opt/php80/bin/php flags=(complain) {
# Include common AppArmor abstractions
include
include
include
include
include
# Capabilities needed by PHP-CLI
capability audit_write,
capability chown,
capability dac_override,
capability dac_read_search,
capability fowner,
capability fsetid,
capability mknod,
capability setgid,
capability setuid,
capability sys_ptrace,
capability sys_resource,
# Allow PHP-CLI to execute its own binary
/opt/php80/bin/php mrix,
# Allow PHP-CLI to signal/ptrace other processes
ptrace (read) peer=/opt/php*/bin/php,
signal (send) peer=unconfined,
signal (send) peer=/usr/sbin/nginx,
ptrace (read) peer=/opt/php*/sbin/php-fpm,
ptrace (read) peer=/usr/bin/mysqld_safe,
ptrace (read) peer=/usr/bin/redis-server,
ptrace (read) peer=/usr/local/sbin/pure-ftpd,
ptrace (read) peer=/usr/sbin/nginx,
ptrace (read) peer=/usr/sbin/rsyslogd,
ptrace (read) peer=/usr/sbin/unbound,
ptrace (read) peer=unconfined,
# Allow PHP-CLI to read required configuration files
/data/disk/*/.subversion/ r,
/data/disk/*/.subversion/* r,
/etc/default/nginx r,
/etc/ImageMagick-6/log.xml r,
/etc/ImageMagick-6/policy.xml r,
/etc/ld.so.cache r,
/etc/ldap/ldap.conf r,
/etc/mailname r,
/etc/mysql/conf.d/ r,
/etc/mysql/conf.d/* r,
/etc/mysql/my.cnf r,
/etc/newrelic/upgrade_please.key r,
/etc/nginx/conf.d/ r,
/etc/nginx/conf.d/** r,
/etc/nginx/fastcgi_params r,
/etc/nginx/mime.types r,
/etc/nginx/nginx.conf r,
/etc/postfix/dynamicmaps.cf r,
/etc/postfix/dynamicmaps.cf.d/ r,
/etc/postfix/main.cf r,
/etc/ssl/private/ r,
/etc/ssl/private/* r,
/etc/ssl/private/nginx-wild-ssl.crt r,
/etc/ssl/private/nginx-wild-ssl.dhp r,
/etc/ssl/private/nginx-wild-ssl.key r,
/etc/subversion/ r,
/etc/subversion/* r,
/etc/wgetrc r,
/home/*/.drush/ r,
/home/*/.drush/** r,
/usr/local/share/git-core/templates/ r,
/usr/local/share/git-core/templates/* r,
/usr/local/share/git-core/templates/** r,
/usr/share/GeoIP/GeoIP.dat r,
/usr/share/GeoIP/GeoIPv6.dat r,
/usr/share/GeoIP/GeoLite2-ASN.mmdb r,
/usr/share/GeoIP/GeoLite2-City.mmdb r,
/usr/share/GeoIP/GeoLite2-Country.mmdb r,
/opt/php80/** r,
# Allow PHP-CLI to read required user/access files
/etc/login.defs r,
/etc/pam.d/* r,
/etc/passwd r,
/etc/security/capability.conf r,
/etc/security/limits.conf r,
/etc/security/limits.d/ r,
/etc/security/limits.d/* r,
/etc/shadow r,
/etc/sudo.conf r,
/etc/sudoers r,
/etc/sudoers.d/ r,
/etc/sudoers.d/* r,
/run/sudo/ts/ r,
/run/sudo/ts/* r,
# Allow PHP-CLI to execute some other binaries
/usr/bin/symlinks mrix,
/bin/cat mrix,
/bin/chmod mrix,
/bin/chown mrix,
/bin/cp mrix,
/bin/dash mrix,
/bin/date mrix,
/bin/egrep mrix,
/bin/grep mrix,
/bin/kmod mrix,
/bin/mkdir mrix,
/bin/mv mrix,
/bin/pidof mrix,
/bin/rm mrix,
/bin/run-parts mrix,
/bin/sed mrix,
/bin/stty mrix,
/bin/tar mrix,
/bin/touch mrix,
/opt/local/bin/websh mrix,
/data/disk/*/**/vendor/drush/drush/drush.php mrix,
/etc/init.d/nginx mrix,
/sbin/killall5 mrix,
/sbin/unix_chkpwd mrix,
/usr/bin/chromium mrix,
/usr/bin/convert mrix,
/usr/bin/find mrix,
/usr/bin/id mrix,
/usr/bin/magick mrix,
/usr/bin/mysql mrix,
/usr/bin/patch mrix,
/usr/bin/sudo mrix,
/usr/bin/svn mrix,
/usr/bin/tput mrix,
/usr/bin/tr mrix,
/usr/bin/unzip mrix,
/usr/bin/wget mrix,
/usr/bin/which mrix,
/usr/bin/which.debianutils mrix,
/usr/local/bin/composer mrix,
/usr/local/bin/curl mrix,
/usr/local/bin/fix-drupal-platform-ownership.sh mrix,
/usr/local/bin/fix-drupal-platform-permissions.sh mrix,
/usr/local/bin/fix-drupal-site-ownership.sh mrix,
/usr/local/bin/fix-drupal-site-permissions.sh mrix,
/usr/local/bin/git mrix,
/usr/local/bin/lock-local-drush-permissions.sh mrix,
/usr/local/bin/mydumper mrix,
/usr/local/bin/myloader mrix,
/usr/local/bin/wkhtmltoimage mrix,
/usr/local/bin/wkhtmltopdf mrix,
/usr/local/libexec/git-core/* mrix,
/usr/local/libexec/git-core/** mrix,
/usr/sbin/nginx mrix,
/usr/sbin/postdrop mrix,
/usr/sbin/sendmail mrix,
# Allow PHP-CLI to access some /dev
/dev/null rw,
/dev/random r,
/dev/tty rw,
/dev/urandom r,
# Allow PHP-CLI to use tmp files
/tmp/ r,
/tmp/** rw,
/var/spool/postfix/maildrop/ r,
/var/spool/postfix/maildrop/* rw,
/var/tmp/** rw,
# Allow read access to necessary libraries
/lib/** mr,
/lib/x86_64-linux-gnu/** mr,
/lib64/** mr,
/opt/php*/lib/php/** mr,
/usr/lib/** mr,
/usr/lib/x86_64-linux-gnu/** mr,
/usr/libexec/** mr,
/usr/local/include/** mr,
/usr/local/ioncube/ioncube_loader_lin_*.so mr,
/usr/local/lib/** mr,
/usr/local/ssl/** mr,
/usr/local/ssl3/** mr,
# Allow PHP-CLI to read and write its log files
/var/log/php/** rw,
/var/log/newrelic/php_agent.log rw,
# Allow PHP-CLI to write to some other log/pid files
/run/nginx.pid rw,
/var/log/nginx/access.log rw,
/var/log/nginx/error.log rw,
# Allow PHP-CLI to access /proc and /sys for necessary information
/proc/ r,
/proc/** r,
/sys/ r,
/sys/** r,
# Allow PHP-CLI to use /dev/shm for temporary storage
/dev/shm/ r,
/dev/shm/** rw,
# Deny execution of binaries from these directories
deny /home/*/.tmp/** m,
deny /home/*/** m,
deny /tmp/** m,
deny /var/tmp/** m,
# Allow PHP-CLI to access drush
/data/disk/*/tools/drush/ r,
/data/disk/*/tools/drush/* mrix,
/data/disk/*/tools/drush/** r,
/opt/tools/drush/** mrix,
/usr/local/bin/cv.phar mrix,
/var/aegir/drush/ r,
/var/aegir/drush/* mrix,
/var/aegir/drush/** r,
# Allow PHP-CLI to access System Default Web Root
/var/www/** r,
owner /var/www/** rw,
# Allow PHP-CLI to read/write in the Ægir Backend on Master Instance
owner /var/aegir/.drush/ r,
owner /var/aegir/.drush/* rw,
owner /var/aegir/.drush/** rw,
owner /var/aegir/.tmp/ r,
owner /var/aegir/.tmp/* rw,
owner /var/aegir/.tmp/** rw,
owner /var/aegir/config/ r,
owner /var/aegir/config/* rw,
owner /var/aegir/config/** rw,
owner /var/aegir/host_master-*/ r,
owner /var/aegir/host_master-*/* rw,
owner /var/aegir/host_master-*/** rw,
owner /var/aegir/host_master/ r,
owner /var/aegir/host_master/* rw,
owner /var/aegir/host_master/** rw,
owner /var/aegir/platforms/ r,
owner /var/aegir/platforms/* rw,
owner /var/aegir/platforms/** rw,
# Allow PHP-CLI to read/write in the Ægir Backend on Octopus Instances
/data/all/ r,
/data/all/* r,
/data/all/** r,
/data/conf/ r,
/data/conf/* r,
/data/conf/** r,
/data/disk/*/.bashrc r,
owner /data/disk/*/.cache/**/pack-* l,
owner /data/disk/*/static/**/pack-* l,
owner /data/disk/*/log/ r,
owner /data/disk/*/log/* rw,
owner /data/disk/*/.*.pass.php r,
owner /data/disk/*/.rnd rw,
owner /data/disk/*/backups/ rwl,
owner /data/disk/*/backups/* rwl,
owner /data/disk/*/backups/** rwl,
owner /data/disk/*/backup-exports/ rwl,
owner /data/disk/*/backup-exports/* rwl,
owner /data/disk/*/backup-exports/** rwl,
owner /data/disk/*/.config/ rwl,
owner /data/disk/*/.config/* rwl,
owner /data/disk/*/.config/** rwl,
owner /data/disk/*/.cache/ rwl,
owner /data/disk/*/.cache/* rwl,
owner /data/disk/*/.cache/** rwl,
owner /data/disk/*/.drush/ rwl,
owner /data/disk/*/.drush/* rwl,
owner /data/disk/*/.drush/** rwl,
owner /data/disk/*/.tmp/ rwl,
owner /data/disk/*/.tmp/* rwl,
owner /data/disk/*/.tmp/** rwl,
owner /data/disk/*/clients/ rw,
owner /data/disk/*/clients/* rw,
owner /data/disk/*/clients/** rw,
owner /data/disk/*/config/ rw,
owner /data/disk/*/config/* rw,
owner /data/disk/*/config/** rw,
owner /data/disk/*/tools/le/ rw,
owner /data/disk/*/tools/le/* rw,
owner /data/disk/*/tools/le/** rw,
# Allow PHP-CLI to read/write in the Ægir Frontend on Octopus Instances
owner /data/disk/*/aegir/ rw,
owner /data/disk/*/aegir/* rw,
owner /data/disk/*/aegir/** rw,
# Allow PHP-CLI to read/write in the limited shell user home for Drush support
owner /home/*/.drush/sites/ rw,
owner /home/*/.drush/sites/* rw,
owner /home/*/.drush/sites/** rw,
owner /home/*/.drush/cache/ rw,
owner /home/*/.drush/cache/* rw,
owner /home/*/.drush/cache/** rw,
owner /home/*/.tmp/ rw,
owner /home/*/.tmp/* rw,
owner /home/*/.tmp/** rw,
# Allow PHP-CLI to read/write in the custom web root directories
/data/disk/*/static/ rw,
/data/disk/*/static/* rw,
/data/disk/*/static/** rw,
/data/disk/*/distro/ rw,
/data/disk/*/distro/* rw,
/data/disk/*/distro/** rw,
/data/disk/*/platforms/ rw,
/data/disk/*/platforms/* rw,
/data/disk/*/platforms/** rw,
# Allow PHP-CLI to read and write in the root tmp
owner /root/.tmp/ rw,
owner /root/.tmp/* rw,
owner /root/.tmp/** rw,
# Deny access to various sensitive directories and files
deny /boot/** mrwklx,
# Catchall to deny everything else
#deny /** rwklx,
# Site-specific additions and overrides can be added below
}
================================================
FILE: aegir/conf/apparmor/opt.php80.sbin.php-fpm
================================================
# AppArmor profile for PHP-FPM
# This profile restricts the PHP-FPM (php80) to essential operations only.
#include
/opt/php80/sbin/php-fpm flags=(attach_disconnected) {
# Include common AppArmor abstractions
include
include
include
include
# Capabilities needed by PHP-FPM
capability chown,
capability dac_override,
capability dac_read_search,
capability fowner,
capability kill,
capability setgid,
capability setuid,
capability sys_resource,
# Allow PHP-FPM to accept signal from PHP-CLI processes
signal (receive) peer=/opt/php*/bin/php,
network inet stream,
network inet6 stream,
# Allow PHP-FPM to execute its own binary
/opt/php80/sbin/php-fpm mrix,
# Allow PHP-FPM to read its configuration files
/data/conf/ r,
/data/conf/** r,
/etc/ImageMagick-6/log.xml r,
/etc/ImageMagick-6/policy.xml r,
/etc/ld.so.cache r,
/etc/mailname r,
/etc/newrelic/upgrade_please.key r,
/etc/postfix/dynamicmaps.cf r,
/etc/postfix/dynamicmaps.cf.d/ r,
/etc/postfix/dynamicmaps.cf.d/* r,
/etc/postfix/main.cf r,
/home/*/.drush/** r,
/opt/etc/fpm/** r,
/var/spool/postfix/maildrop/ r,
/var/spool/postfix/maildrop/* rw,
/opt/php80/** r,
# Allow PHP-FPM to execute some other binaries
/bin/dash mrix,
/opt/local/bin/websh mrix,
/usr/bin/advdef mrix,
/usr/bin/advpng mrix,
/usr/bin/chromium mrix,
/usr/bin/convert mrix,
/usr/bin/id mrix,
/usr/bin/jpegoptim mrix,
/usr/bin/jpegtran mrix,
/usr/bin/magick mrix,
/usr/bin/optipng mrix,
/usr/bin/pngcrush mrix,
/usr/bin/pngquant mrix,
/usr/lib/postfix/sbin/smtpd mrix,
/usr/local/bin/curl mrix,
/usr/local/bin/wkhtmltoimage mrix,
/usr/local/bin/wkhtmltopdf mrix,
/usr/sbin/postdrop mrix,
/usr/sbin/sendmail mrix,
# Allow PHP-FPM to access some /dev
/dev/null rw,
/dev/random r,
/dev/tty wr,
/dev/urandom r,
# Allow PHP-FPM to access its run directory
/run/** rw,
# Allow PHP-FPM to use tmp files
/home/*/.tmp/ r,
/home/*/.tmp/** rw,
/tmp/ r,
/tmp/** rw,
/var/tmp/** rw,
# Allow read access to necessary libraries
/lib/** mr,
/lib/x86_64-linux-gnu/** mr,
/lib64/** mr,
/opt/php*/lib/php/** mr,
/usr/lib/** mr,
/usr/lib/x86_64-linux-gnu/** mr,
/usr/libexec/** mr,
/usr/local/include/** mr,
/usr/local/ioncube/ioncube_loader_lin_*.so mr,
/usr/local/lib/** mr,
/usr/local/ssl/** mr,
/usr/local/ssl3/** mr,
# Allow PHP-FPM to read and write its log files
/var/log/newrelic/php_agent.log rw,
/var/log/php/** rw,
# Allow PHP-FPM to access /proc and /sys for necessary information
/proc/** r,
/sys/** r,
# Allow PHP-FPM to use /dev/shm for temporary storage
/dev/shm/ r,
/dev/shm/** rw,
# Deny execution of binaries from these directories
deny /home/*/.tmp/** m,
deny /home/*/** m,
deny /tmp/** m,
deny /var/tmp/** m,
# Allow PHP-FPM to read and write in the custom web root directories
/var/www/** r,
/var/aegir/host_master/** r,
/var/aegir/platforms/** r,
/data/disk/*/aegir/** r,
/data/disk/*/distro/** r,
/data/disk/*/platforms/** r,
/data/disk/*/static/** r,
/data/disk/*/tools/le/** r,
/data/all/ r,
/data/all/* r,
/data/all/** r,
/data/conf/ r,
/data/conf/* r,
/data/conf/** r,
owner /var/aegir/host_master/** rw,
owner /var/aegir/platforms/** rw,
owner /data/disk/*/aegir/** rw,
owner /data/disk/*/distro/** rw,
owner /data/disk/*/platforms/** rw,
owner /data/disk/*/static/** rw,
owner /var/www/** rw,
/home/*.web/.aws/ r,
/home/*.web/.aws/* rw,
/home/*.web/.drush/ r,
/home/*.web/.drush/* r,
/home/*.web/.tmp/ r,
/home/*.web/.tmp/* rw,
# Deny access to various sensitive directories and files
deny /boot/** mrwklx,
deny /etc/shadow* rwlx,
deny /root/** mrwklx,
# Catchall to deny everything else
#deny /** rwklx,
# Site-specific additions and overrides can be added below
}
================================================
FILE: aegir/conf/apparmor/opt.php81.bin.php
================================================
# AppArmor profile for PHP-CLI
# This profile restricts PHP-CLI (php81) to essential operations only.
#include
/opt/php81/bin/php flags=(complain) {
# Include common AppArmor abstractions
include
include
include
include
include
# Capabilities needed by PHP-CLI
capability audit_write,
capability chown,
capability dac_override,
capability dac_read_search,
capability fowner,
capability fsetid,
capability mknod,
capability setgid,
capability setuid,
capability sys_ptrace,
capability sys_resource,
# Allow PHP-CLI to execute its own binary
/opt/php81/bin/php mrix,
# Allow PHP-CLI to signal/ptrace other processes
ptrace (read) peer=/opt/php*/bin/php,
signal (send) peer=unconfined,
signal (send) peer=/usr/sbin/nginx,
ptrace (read) peer=/opt/php*/sbin/php-fpm,
ptrace (read) peer=/usr/bin/mysqld_safe,
ptrace (read) peer=/usr/bin/redis-server,
ptrace (read) peer=/usr/local/sbin/pure-ftpd,
ptrace (read) peer=/usr/sbin/nginx,
ptrace (read) peer=/usr/sbin/rsyslogd,
ptrace (read) peer=/usr/sbin/unbound,
ptrace (read) peer=unconfined,
# Allow PHP-CLI to read required configuration files
/data/disk/*/.subversion/ r,
/data/disk/*/.subversion/* r,
/etc/default/nginx r,
/etc/ImageMagick-6/log.xml r,
/etc/ImageMagick-6/policy.xml r,
/etc/ld.so.cache r,
/etc/ldap/ldap.conf r,
/etc/mailname r,
/etc/mysql/conf.d/ r,
/etc/mysql/conf.d/* r,
/etc/mysql/my.cnf r,
/etc/newrelic/upgrade_please.key r,
/etc/nginx/conf.d/ r,
/etc/nginx/conf.d/** r,
/etc/nginx/fastcgi_params r,
/etc/nginx/mime.types r,
/etc/nginx/nginx.conf r,
/etc/postfix/dynamicmaps.cf r,
/etc/postfix/dynamicmaps.cf.d/ r,
/etc/postfix/main.cf r,
/etc/ssl/private/ r,
/etc/ssl/private/* r,
/etc/ssl/private/nginx-wild-ssl.crt r,
/etc/ssl/private/nginx-wild-ssl.dhp r,
/etc/ssl/private/nginx-wild-ssl.key r,
/etc/subversion/ r,
/etc/subversion/* r,
/etc/wgetrc r,
/home/*/.drush/ r,
/home/*/.drush/** r,
/usr/local/share/git-core/templates/ r,
/usr/local/share/git-core/templates/* r,
/usr/local/share/git-core/templates/** r,
/usr/share/GeoIP/GeoIP.dat r,
/usr/share/GeoIP/GeoIPv6.dat r,
/usr/share/GeoIP/GeoLite2-ASN.mmdb r,
/usr/share/GeoIP/GeoLite2-City.mmdb r,
/usr/share/GeoIP/GeoLite2-Country.mmdb r,
/opt/php81/** r,
# Allow PHP-CLI to read required user/access files
/etc/login.defs r,
/etc/pam.d/* r,
/etc/passwd r,
/etc/security/capability.conf r,
/etc/security/limits.conf r,
/etc/security/limits.d/ r,
/etc/security/limits.d/* r,
/etc/shadow r,
/etc/sudo.conf r,
/etc/sudoers r,
/etc/sudoers.d/ r,
/etc/sudoers.d/* r,
/run/sudo/ts/ r,
/run/sudo/ts/* r,
# Allow PHP-CLI to execute some other binaries
/usr/bin/symlinks mrix,
/bin/cat mrix,
/bin/chmod mrix,
/bin/chown mrix,
/bin/cp mrix,
/bin/dash mrix,
/bin/date mrix,
/bin/egrep mrix,
/bin/grep mrix,
/bin/kmod mrix,
/bin/mkdir mrix,
/bin/mv mrix,
/bin/pidof mrix,
/bin/rm mrix,
/bin/run-parts mrix,
/bin/sed mrix,
/bin/stty mrix,
/bin/tar mrix,
/bin/touch mrix,
/opt/local/bin/websh mrix,
/data/disk/*/**/vendor/drush/drush/drush.php mrix,
/etc/init.d/nginx mrix,
/sbin/killall5 mrix,
/sbin/unix_chkpwd mrix,
/usr/bin/chromium mrix,
/usr/bin/convert mrix,
/usr/bin/find mrix,
/usr/bin/id mrix,
/usr/bin/magick mrix,
/usr/bin/mysql mrix,
/usr/bin/patch mrix,
/usr/bin/sudo mrix,
/usr/bin/svn mrix,
/usr/bin/tput mrix,
/usr/bin/tr mrix,
/usr/bin/unzip mrix,
/usr/bin/wget mrix,
/usr/bin/which mrix,
/usr/bin/which.debianutils mrix,
/usr/local/bin/composer mrix,
/usr/local/bin/curl mrix,
/usr/local/bin/fix-drupal-platform-ownership.sh mrix,
/usr/local/bin/fix-drupal-platform-permissions.sh mrix,
/usr/local/bin/fix-drupal-site-ownership.sh mrix,
/usr/local/bin/fix-drupal-site-permissions.sh mrix,
/usr/local/bin/git mrix,
/usr/local/bin/lock-local-drush-permissions.sh mrix,
/usr/local/bin/mydumper mrix,
/usr/local/bin/myloader mrix,
/usr/local/bin/wkhtmltoimage mrix,
/usr/local/bin/wkhtmltopdf mrix,
/usr/local/libexec/git-core/* mrix,
/usr/local/libexec/git-core/** mrix,
/usr/sbin/nginx mrix,
/usr/sbin/postdrop mrix,
/usr/sbin/sendmail mrix,
# Allow PHP-CLI to access some /dev
/dev/null rw,
/dev/random r,
/dev/tty rw,
/dev/urandom r,
# Allow PHP-CLI to use tmp files
/tmp/ r,
/tmp/** rw,
/var/spool/postfix/maildrop/ r,
/var/spool/postfix/maildrop/* rw,
/var/tmp/** rw,
# Allow read access to necessary libraries
/lib/** mr,
/lib/x86_64-linux-gnu/** mr,
/lib64/** mr,
/opt/php*/lib/php/** mr,
/usr/lib/** mr,
/usr/lib/x86_64-linux-gnu/** mr,
/usr/libexec/** mr,
/usr/local/include/** mr,
/usr/local/ioncube/ioncube_loader_lin_*.so mr,
/usr/local/lib/** mr,
/usr/local/ssl/** mr,
/usr/local/ssl3/** mr,
# Allow PHP-CLI to read and write its log files
/var/log/php/** rw,
/var/log/newrelic/php_agent.log rw,
# Allow PHP-CLI to write to some other log/pid files
/run/nginx.pid rw,
/var/log/nginx/access.log rw,
/var/log/nginx/error.log rw,
# Allow PHP-CLI to access /proc and /sys for necessary information
/proc/ r,
/proc/** r,
/sys/ r,
/sys/** r,
# Allow PHP-CLI to use /dev/shm for temporary storage
/dev/shm/ r,
/dev/shm/** rw,
# Deny execution of binaries from these directories
deny /home/*/.tmp/** m,
deny /home/*/** m,
deny /tmp/** m,
deny /var/tmp/** m,
# Allow PHP-CLI to access drush
/data/disk/*/tools/drush/ r,
/data/disk/*/tools/drush/* mrix,
/data/disk/*/tools/drush/** r,
/opt/tools/drush/** mrix,
/usr/local/bin/cv.phar mrix,
/var/aegir/drush/ r,
/var/aegir/drush/* mrix,
/var/aegir/drush/** r,
# Allow PHP-CLI to access System Default Web Root
/var/www/** r,
owner /var/www/** rw,
# Allow PHP-CLI to read/write in the Ægir Backend on Master Instance
owner /var/aegir/.drush/ r,
owner /var/aegir/.drush/* rw,
owner /var/aegir/.drush/** rw,
owner /var/aegir/.tmp/ r,
owner /var/aegir/.tmp/* rw,
owner /var/aegir/.tmp/** rw,
owner /var/aegir/config/ r,
owner /var/aegir/config/* rw,
owner /var/aegir/config/** rw,
owner /var/aegir/host_master-*/ r,
owner /var/aegir/host_master-*/* rw,
owner /var/aegir/host_master-*/** rw,
owner /var/aegir/host_master/ r,
owner /var/aegir/host_master/* rw,
owner /var/aegir/host_master/** rw,
owner /var/aegir/platforms/ r,
owner /var/aegir/platforms/* rw,
owner /var/aegir/platforms/** rw,
# Allow PHP-CLI to read/write in the Ægir Backend on Octopus Instances
/data/all/ r,
/data/all/* r,
/data/all/** r,
/data/conf/ r,
/data/conf/* r,
/data/conf/** r,
/data/disk/*/.bashrc r,
owner /data/disk/*/.cache/**/pack-* l,
owner /data/disk/*/static/**/pack-* l,
owner /data/disk/*/log/ r,
owner /data/disk/*/log/* rw,
owner /data/disk/*/.*.pass.php r,
owner /data/disk/*/.rnd rw,
owner /data/disk/*/backups/ rwl,
owner /data/disk/*/backups/* rwl,
owner /data/disk/*/backups/** rwl,
owner /data/disk/*/backup-exports/ rwl,
owner /data/disk/*/backup-exports/* rwl,
owner /data/disk/*/backup-exports/** rwl,
owner /data/disk/*/.config/ rwl,
owner /data/disk/*/.config/* rwl,
owner /data/disk/*/.config/** rwl,
owner /data/disk/*/.cache/ rwl,
owner /data/disk/*/.cache/* rwl,
owner /data/disk/*/.cache/** rwl,
owner /data/disk/*/.drush/ rwl,
owner /data/disk/*/.drush/* rwl,
owner /data/disk/*/.drush/** rwl,
owner /data/disk/*/.tmp/ rwl,
owner /data/disk/*/.tmp/* rwl,
owner /data/disk/*/.tmp/** rwl,
owner /data/disk/*/clients/ rw,
owner /data/disk/*/clients/* rw,
owner /data/disk/*/clients/** rw,
owner /data/disk/*/config/ rw,
owner /data/disk/*/config/* rw,
owner /data/disk/*/config/** rw,
owner /data/disk/*/tools/le/ rw,
owner /data/disk/*/tools/le/* rw,
owner /data/disk/*/tools/le/** rw,
# Allow PHP-CLI to read/write in the Ægir Frontend on Octopus Instances
owner /data/disk/*/aegir/ rw,
owner /data/disk/*/aegir/* rw,
owner /data/disk/*/aegir/** rw,
# Allow PHP-CLI to read/write in the limited shell user home for Drush support
owner /home/*/.drush/sites/ rw,
owner /home/*/.drush/sites/* rw,
owner /home/*/.drush/sites/** rw,
owner /home/*/.drush/cache/ rw,
owner /home/*/.drush/cache/* rw,
owner /home/*/.drush/cache/** rw,
owner /home/*/.tmp/ rw,
owner /home/*/.tmp/* rw,
owner /home/*/.tmp/** rw,
# Allow PHP-CLI to read/write in the custom web root directories
/data/disk/*/static/ rw,
/data/disk/*/static/* rw,
/data/disk/*/static/** rw,
/data/disk/*/distro/ rw,
/data/disk/*/distro/* rw,
/data/disk/*/distro/** rw,
/data/disk/*/platforms/ rw,
/data/disk/*/platforms/* rw,
/data/disk/*/platforms/** rw,
# Allow PHP-CLI to read and write in the root tmp
owner /root/.tmp/ rw,
owner /root/.tmp/* rw,
owner /root/.tmp/** rw,
# Deny access to various sensitive directories and files
deny /boot/** mrwklx,
# Catchall to deny everything else
#deny /** rwklx,
# Site-specific additions and overrides can be added below
}
================================================
FILE: aegir/conf/apparmor/opt.php81.sbin.php-fpm
================================================
# AppArmor profile for PHP-FPM
# This profile restricts the PHP-FPM (php81) to essential operations only.
#include
/opt/php81/sbin/php-fpm flags=(attach_disconnected) {
# Include common AppArmor abstractions
include
include
include
include
# Capabilities needed by PHP-FPM
capability chown,
capability dac_override,
capability dac_read_search,
capability fowner,
capability kill,
capability setgid,
capability setuid,
capability sys_resource,
# Allow PHP-FPM to accept signal from PHP-CLI processes
signal (receive) peer=/opt/php*/bin/php,
network inet stream,
network inet6 stream,
# Allow PHP-FPM to execute its own binary
/opt/php81/sbin/php-fpm mrix,
# Allow PHP-FPM to read its configuration files
/data/conf/ r,
/data/conf/** r,
/etc/ImageMagick-6/log.xml r,
/etc/ImageMagick-6/policy.xml r,
/etc/ld.so.cache r,
/etc/mailname r,
/etc/newrelic/upgrade_please.key r,
/etc/postfix/dynamicmaps.cf r,
/etc/postfix/dynamicmaps.cf.d/ r,
/etc/postfix/dynamicmaps.cf.d/* r,
/etc/postfix/main.cf r,
/home/*/.drush/** r,
/opt/etc/fpm/** r,
/var/spool/postfix/maildrop/ r,
/var/spool/postfix/maildrop/* rw,
/opt/php81/** r,
# Allow PHP-FPM to execute some other binaries
/bin/dash mrix,
/opt/local/bin/websh mrix,
/usr/bin/advdef mrix,
/usr/bin/advpng mrix,
/usr/bin/chromium mrix,
/usr/bin/convert mrix,
/usr/bin/id mrix,
/usr/bin/jpegoptim mrix,
/usr/bin/jpegtran mrix,
/usr/bin/magick mrix,
/usr/bin/optipng mrix,
/usr/bin/pngcrush mrix,
/usr/bin/pngquant mrix,
/usr/lib/postfix/sbin/smtpd mrix,
/usr/local/bin/curl mrix,
/usr/local/bin/wkhtmltoimage mrix,
/usr/local/bin/wkhtmltopdf mrix,
/usr/sbin/postdrop mrix,
/usr/sbin/sendmail mrix,
# Allow PHP-FPM to access some /dev
/dev/null rw,
/dev/random r,
/dev/tty wr,
/dev/urandom r,
# Allow PHP-FPM to access its run directory
/run/** rw,
# Allow PHP-FPM to use tmp files
/home/*/.tmp/ r,
/home/*/.tmp/** rw,
/tmp/ r,
/tmp/** rw,
/var/tmp/** rw,
# Allow read access to necessary libraries
/lib/** mr,
/lib/x86_64-linux-gnu/** mr,
/lib64/** mr,
/opt/php*/lib/php/** mr,
/usr/lib/** mr,
/usr/lib/x86_64-linux-gnu/** mr,
/usr/libexec/** mr,
/usr/local/include/** mr,
/usr/local/ioncube/ioncube_loader_lin_*.so mr,
/usr/local/lib/** mr,
/usr/local/ssl/** mr,
/usr/local/ssl3/** mr,
# Allow PHP-FPM to read and write its log files
/var/log/newrelic/php_agent.log rw,
/var/log/php/** rw,
# Allow PHP-FPM to access /proc and /sys for necessary information
/proc/** r,
/sys/** r,
# Allow PHP-FPM to use /dev/shm for temporary storage
/dev/shm/ r,
/dev/shm/** rw,
# Deny execution of binaries from these directories
deny /home/*/.tmp/** m,
deny /home/*/** m,
deny /tmp/** m,
deny /var/tmp/** m,
# Allow PHP-FPM to read and write in the custom web root directories
/var/www/** r,
/var/aegir/host_master/** r,
/var/aegir/platforms/** r,
/data/disk/*/aegir/** r,
/data/disk/*/distro/** r,
/data/disk/*/platforms/** r,
/data/disk/*/static/** r,
/data/disk/*/tools/le/** r,
/data/all/ r,
/data/all/* r,
/data/all/** r,
/data/conf/ r,
/data/conf/* r,
/data/conf/** r,
owner /var/aegir/host_master/** rw,
owner /var/aegir/platforms/** rw,
owner /data/disk/*/aegir/** rw,
owner /data/disk/*/distro/** rw,
owner /data/disk/*/platforms/** rw,
owner /data/disk/*/static/** rw,
owner /var/www/** rw,
/home/*.web/.aws/ r,
/home/*.web/.aws/* rw,
/home/*.web/.drush/ r,
/home/*.web/.drush/* r,
/home/*.web/.tmp/ r,
/home/*.web/.tmp/* rw,
# Deny access to various sensitive directories and files
deny /boot/** mrwklx,
deny /etc/shadow* rwlx,
deny /root/** mrwklx,
# Catchall to deny everything else
#deny /** rwklx,
# Site-specific additions and overrides can be added below
}
================================================
FILE: aegir/conf/apparmor/opt.php82.bin.php
================================================
# AppArmor profile for PHP-CLI
# This profile restricts PHP-CLI (php82) to essential operations only.
#include
/opt/php82/bin/php flags=(complain) {
# Include common AppArmor abstractions
include
include
include
include
include
# Capabilities needed by PHP-CLI
capability audit_write,
capability chown,
capability dac_override,
capability dac_read_search,
capability fowner,
capability fsetid,
capability mknod,
capability setgid,
capability setuid,
capability sys_ptrace,
capability sys_resource,
# Allow PHP-CLI to execute its own binary
/opt/php82/bin/php mrix,
# Allow PHP-CLI to signal/ptrace other processes
ptrace (read) peer=/opt/php*/bin/php,
signal (send) peer=unconfined,
signal (send) peer=/usr/sbin/nginx,
ptrace (read) peer=/opt/php*/sbin/php-fpm,
ptrace (read) peer=/usr/bin/mysqld_safe,
ptrace (read) peer=/usr/bin/redis-server,
ptrace (read) peer=/usr/local/sbin/pure-ftpd,
ptrace (read) peer=/usr/sbin/nginx,
ptrace (read) peer=/usr/sbin/rsyslogd,
ptrace (read) peer=/usr/sbin/unbound,
ptrace (read) peer=unconfined,
# Allow PHP-CLI to read required configuration files
/data/disk/*/.subversion/ r,
/data/disk/*/.subversion/* r,
/etc/default/nginx r,
/etc/ImageMagick-6/log.xml r,
/etc/ImageMagick-6/policy.xml r,
/etc/ld.so.cache r,
/etc/ldap/ldap.conf r,
/etc/mailname r,
/etc/mysql/conf.d/ r,
/etc/mysql/conf.d/* r,
/etc/mysql/my.cnf r,
/etc/newrelic/upgrade_please.key r,
/etc/nginx/conf.d/ r,
/etc/nginx/conf.d/** r,
/etc/nginx/fastcgi_params r,
/etc/nginx/mime.types r,
/etc/nginx/nginx.conf r,
/etc/postfix/dynamicmaps.cf r,
/etc/postfix/dynamicmaps.cf.d/ r,
/etc/postfix/main.cf r,
/etc/ssl/private/ r,
/etc/ssl/private/* r,
/etc/ssl/private/nginx-wild-ssl.crt r,
/etc/ssl/private/nginx-wild-ssl.dhp r,
/etc/ssl/private/nginx-wild-ssl.key r,
/etc/subversion/ r,
/etc/subversion/* r,
/etc/wgetrc r,
/home/*/.drush/ r,
/home/*/.drush/** r,
/usr/local/share/git-core/templates/ r,
/usr/local/share/git-core/templates/* r,
/usr/local/share/git-core/templates/** r,
/usr/share/GeoIP/GeoIP.dat r,
/usr/share/GeoIP/GeoIPv6.dat r,
/usr/share/GeoIP/GeoLite2-ASN.mmdb r,
/usr/share/GeoIP/GeoLite2-City.mmdb r,
/usr/share/GeoIP/GeoLite2-Country.mmdb r,
/opt/php82/** r,
# Allow PHP-CLI to read required user/access files
/etc/login.defs r,
/etc/pam.d/* r,
/etc/passwd r,
/etc/security/capability.conf r,
/etc/security/limits.conf r,
/etc/security/limits.d/ r,
/etc/security/limits.d/* r,
/etc/shadow r,
/etc/sudo.conf r,
/etc/sudoers r,
/etc/sudoers.d/ r,
/etc/sudoers.d/* r,
/run/sudo/ts/ r,
/run/sudo/ts/* r,
# Allow PHP-CLI to execute some other binaries
/usr/bin/symlinks mrix,
/bin/cat mrix,
/bin/chmod mrix,
/bin/chown mrix,
/bin/cp mrix,
/bin/dash mrix,
/bin/date mrix,
/bin/egrep mrix,
/bin/grep mrix,
/bin/kmod mrix,
/bin/mkdir mrix,
/bin/mv mrix,
/bin/pidof mrix,
/bin/rm mrix,
/bin/run-parts mrix,
/bin/sed mrix,
/bin/stty mrix,
/bin/tar mrix,
/bin/touch mrix,
/opt/local/bin/websh mrix,
/data/disk/*/**/vendor/drush/drush/drush.php mrix,
/etc/init.d/nginx mrix,
/sbin/killall5 mrix,
/sbin/unix_chkpwd mrix,
/usr/bin/chromium mrix,
/usr/bin/convert mrix,
/usr/bin/find mrix,
/usr/bin/id mrix,
/usr/bin/magick mrix,
/usr/bin/mysql mrix,
/usr/bin/patch mrix,
/usr/bin/sudo mrix,
/usr/bin/svn mrix,
/usr/bin/tput mrix,
/usr/bin/tr mrix,
/usr/bin/unzip mrix,
/usr/bin/wget mrix,
/usr/bin/which mrix,
/usr/bin/which.debianutils mrix,
/usr/local/bin/composer mrix,
/usr/local/bin/curl mrix,
/usr/local/bin/fix-drupal-platform-ownership.sh mrix,
/usr/local/bin/fix-drupal-platform-permissions.sh mrix,
/usr/local/bin/fix-drupal-site-ownership.sh mrix,
/usr/local/bin/fix-drupal-site-permissions.sh mrix,
/usr/local/bin/git mrix,
/usr/local/bin/lock-local-drush-permissions.sh mrix,
/usr/local/bin/mydumper mrix,
/usr/local/bin/myloader mrix,
/usr/local/bin/wkhtmltoimage mrix,
/usr/local/bin/wkhtmltopdf mrix,
/usr/local/libexec/git-core/* mrix,
/usr/local/libexec/git-core/** mrix,
/usr/sbin/nginx mrix,
/usr/sbin/postdrop mrix,
/usr/sbin/sendmail mrix,
# Allow PHP-CLI to access some /dev
/dev/null rw,
/dev/random r,
/dev/tty rw,
/dev/urandom r,
# Allow PHP-CLI to use tmp files
/tmp/ r,
/tmp/** rw,
/var/spool/postfix/maildrop/ r,
/var/spool/postfix/maildrop/* rw,
/var/tmp/** rw,
# Allow read access to necessary libraries
/lib/** mr,
/lib/x86_64-linux-gnu/** mr,
/lib64/** mr,
/opt/php*/lib/php/** mr,
/usr/lib/** mr,
/usr/lib/x86_64-linux-gnu/** mr,
/usr/libexec/** mr,
/usr/local/include/** mr,
/usr/local/ioncube/ioncube_loader_lin_*.so mr,
/usr/local/lib/** mr,
/usr/local/ssl/** mr,
/usr/local/ssl3/** mr,
# Allow PHP-CLI to read and write its log files
/var/log/php/** rw,
/var/log/newrelic/php_agent.log rw,
# Allow PHP-CLI to write to some other log/pid files
/run/nginx.pid rw,
/var/log/nginx/access.log rw,
/var/log/nginx/error.log rw,
# Allow PHP-CLI to access /proc and /sys for necessary information
/proc/ r,
/proc/** r,
/sys/ r,
/sys/** r,
# Allow PHP-CLI to use /dev/shm for temporary storage
/dev/shm/ r,
/dev/shm/** rw,
# Deny execution of binaries from these directories
deny /home/*/.tmp/** m,
deny /home/*/** m,
deny /tmp/** m,
deny /var/tmp/** m,
# Allow PHP-CLI to access drush
/data/disk/*/tools/drush/ r,
/data/disk/*/tools/drush/* mrix,
/data/disk/*/tools/drush/** r,
/opt/tools/drush/** mrix,
/usr/local/bin/cv.phar mrix,
/var/aegir/drush/ r,
/var/aegir/drush/* mrix,
/var/aegir/drush/** r,
# Allow PHP-CLI to access System Default Web Root
/var/www/** r,
owner /var/www/** rw,
# Allow PHP-CLI to read/write in the Ægir Backend on Master Instance
owner /var/aegir/.drush/ r,
owner /var/aegir/.drush/* rw,
owner /var/aegir/.drush/** rw,
owner /var/aegir/.tmp/ r,
owner /var/aegir/.tmp/* rw,
owner /var/aegir/.tmp/** rw,
owner /var/aegir/config/ r,
owner /var/aegir/config/* rw,
owner /var/aegir/config/** rw,
owner /var/aegir/host_master-*/ r,
owner /var/aegir/host_master-*/* rw,
owner /var/aegir/host_master-*/** rw,
owner /var/aegir/host_master/ r,
owner /var/aegir/host_master/* rw,
owner /var/aegir/host_master/** rw,
owner /var/aegir/platforms/ r,
owner /var/aegir/platforms/* rw,
owner /var/aegir/platforms/** rw,
# Allow PHP-CLI to read/write in the Ægir Backend on Octopus Instances
/data/all/ r,
/data/all/* r,
/data/all/** r,
/data/conf/ r,
/data/conf/* r,
/data/conf/** r,
/data/disk/*/.bashrc r,
owner /data/disk/*/.cache/**/pack-* l,
owner /data/disk/*/static/**/pack-* l,
owner /data/disk/*/log/ r,
owner /data/disk/*/log/* rw,
owner /data/disk/*/.*.pass.php r,
owner /data/disk/*/.rnd rw,
owner /data/disk/*/backups/ rwl,
owner /data/disk/*/backups/* rwl,
owner /data/disk/*/backups/** rwl,
owner /data/disk/*/backup-exports/ rwl,
owner /data/disk/*/backup-exports/* rwl,
owner /data/disk/*/backup-exports/** rwl,
owner /data/disk/*/.config/ rwl,
owner /data/disk/*/.config/* rwl,
owner /data/disk/*/.config/** rwl,
owner /data/disk/*/.cache/ rwl,
owner /data/disk/*/.cache/* rwl,
owner /data/disk/*/.cache/** rwl,
owner /data/disk/*/.drush/ rwl,
owner /data/disk/*/.drush/* rwl,
owner /data/disk/*/.drush/** rwl,
owner /data/disk/*/.tmp/ rwl,
owner /data/disk/*/.tmp/* rwl,
owner /data/disk/*/.tmp/** rwl,
owner /data/disk/*/clients/ rw,
owner /data/disk/*/clients/* rw,
owner /data/disk/*/clients/** rw,
owner /data/disk/*/config/ rw,
owner /data/disk/*/config/* rw,
owner /data/disk/*/config/** rw,
owner /data/disk/*/tools/le/ rw,
owner /data/disk/*/tools/le/* rw,
owner /data/disk/*/tools/le/** rw,
# Allow PHP-CLI to read/write in the Ægir Frontend on Octopus Instances
owner /data/disk/*/aegir/ rw,
owner /data/disk/*/aegir/* rw,
owner /data/disk/*/aegir/** rw,
# Allow PHP-CLI to read/write in the limited shell user home for Drush support
owner /home/*/.drush/sites/ rw,
owner /home/*/.drush/sites/* rw,
owner /home/*/.drush/sites/** rw,
owner /home/*/.drush/cache/ rw,
owner /home/*/.drush/cache/* rw,
owner /home/*/.drush/cache/** rw,
owner /home/*/.tmp/ rw,
owner /home/*/.tmp/* rw,
owner /home/*/.tmp/** rw,
# Allow PHP-CLI to read/write in the custom web root directories
/data/disk/*/static/ rw,
/data/disk/*/static/* rw,
/data/disk/*/static/** rw,
/data/disk/*/distro/ rw,
/data/disk/*/distro/* rw,
/data/disk/*/distro/** rw,
/data/disk/*/platforms/ rw,
/data/disk/*/platforms/* rw,
/data/disk/*/platforms/** rw,
# Allow PHP-CLI to read and write in the root tmp
owner /root/.tmp/ rw,
owner /root/.tmp/* rw,
owner /root/.tmp/** rw,
# Deny access to various sensitive directories and files
deny /boot/** mrwklx,
# Catchall to deny everything else
#deny /** rwklx,
# Site-specific additions and overrides can be added below
}
================================================
FILE: aegir/conf/apparmor/opt.php82.sbin.php-fpm
================================================
# AppArmor profile for PHP-FPM
# This profile restricts the PHP-FPM (php82) to essential operations only.
#include
/opt/php82/sbin/php-fpm flags=(attach_disconnected) {
# Include common AppArmor abstractions
include
include
include
include
# Capabilities needed by PHP-FPM
capability chown,
capability dac_override,
capability dac_read_search,
capability fowner,
capability kill,
capability setgid,
capability setuid,
capability sys_resource,
# Allow PHP-FPM to accept signal from PHP-CLI processes
signal (receive) peer=/opt/php*/bin/php,
network inet stream,
network inet6 stream,
# Allow PHP-FPM to execute its own binary
/opt/php82/sbin/php-fpm mrix,
# Allow PHP-FPM to read its configuration files
/data/conf/ r,
/data/conf/** r,
/etc/ImageMagick-6/log.xml r,
/etc/ImageMagick-6/policy.xml r,
/etc/ld.so.cache r,
/etc/mailname r,
/etc/newrelic/upgrade_please.key r,
/etc/postfix/dynamicmaps.cf r,
/etc/postfix/dynamicmaps.cf.d/ r,
/etc/postfix/dynamicmaps.cf.d/* r,
/etc/postfix/main.cf r,
/home/*/.drush/** r,
/opt/etc/fpm/** r,
/var/spool/postfix/maildrop/ r,
/var/spool/postfix/maildrop/* rw,
/opt/php82/** r,
# Allow PHP-FPM to execute some other binaries
/bin/dash mrix,
/opt/local/bin/websh mrix,
/usr/bin/advdef mrix,
/usr/bin/advpng mrix,
/usr/bin/chromium mrix,
/usr/bin/convert mrix,
/usr/bin/id mrix,
/usr/bin/jpegoptim mrix,
/usr/bin/jpegtran mrix,
/usr/bin/magick mrix,
/usr/bin/optipng mrix,
/usr/bin/pngcrush mrix,
/usr/bin/pngquant mrix,
/usr/lib/postfix/sbin/smtpd mrix,
/usr/local/bin/curl mrix,
/usr/local/bin/wkhtmltoimage mrix,
/usr/local/bin/wkhtmltopdf mrix,
/usr/sbin/postdrop mrix,
/usr/sbin/sendmail mrix,
# Allow PHP-FPM to access some /dev
/dev/null rw,
/dev/random r,
/dev/tty wr,
/dev/urandom r,
# Allow PHP-FPM to access its run directory
/run/** rw,
# Allow PHP-FPM to use tmp files
/home/*/.tmp/ r,
/home/*/.tmp/** rw,
/tmp/ r,
/tmp/** rw,
/var/tmp/** rw,
# Allow read access to necessary libraries
/lib/** mr,
/lib/x86_64-linux-gnu/** mr,
/lib64/** mr,
/opt/php*/lib/php/** mr,
/usr/lib/** mr,
/usr/lib/x86_64-linux-gnu/** mr,
/usr/libexec/** mr,
/usr/local/include/** mr,
/usr/local/ioncube/ioncube_loader_lin_*.so mr,
/usr/local/lib/** mr,
/usr/local/ssl/** mr,
/usr/local/ssl3/** mr,
# Allow PHP-FPM to read and write its log files
/var/log/newrelic/php_agent.log rw,
/var/log/php/** rw,
# Allow PHP-FPM to access /proc and /sys for necessary information
/proc/** r,
/sys/** r,
# Allow PHP-FPM to use /dev/shm for temporary storage
/dev/shm/ r,
/dev/shm/** rw,
# Deny execution of binaries from these directories
deny /home/*/.tmp/** m,
deny /home/*/** m,
deny /tmp/** m,
deny /var/tmp/** m,
# Allow PHP-FPM to read and write in the custom web root directories
/var/www/** r,
/var/aegir/host_master/** r,
/var/aegir/platforms/** r,
/data/disk/*/aegir/** r,
/data/disk/*/distro/** r,
/data/disk/*/platforms/** r,
/data/disk/*/static/** r,
/data/disk/*/tools/le/** r,
/data/all/ r,
/data/all/* r,
/data/all/** r,
/data/conf/ r,
/data/conf/* r,
/data/conf/** r,
owner /var/aegir/host_master/** rw,
owner /var/aegir/platforms/** rw,
owner /data/disk/*/aegir/** rw,
owner /data/disk/*/distro/** rw,
owner /data/disk/*/platforms/** rw,
owner /data/disk/*/static/** rw,
owner /var/www/** rw,
/home/*.web/.aws/ r,
/home/*.web/.aws/* rw,
/home/*.web/.drush/ r,
/home/*.web/.drush/* r,
/home/*.web/.tmp/ r,
/home/*.web/.tmp/* rw,
# Deny access to various sensitive directories and files
deny /boot/** mrwklx,
deny /etc/shadow* rwlx,
deny /root/** mrwklx,
# Catchall to deny everything else
#deny /** rwklx,
# Site-specific additions and overrides can be added below
}
================================================
FILE: aegir/conf/apparmor/opt.php83.bin.php
================================================
# AppArmor profile for PHP-CLI
# This profile restricts PHP-CLI (php83) to essential operations only.
#include
/opt/php83/bin/php flags=(complain) {
# Include common AppArmor abstractions
include
include
include
include
include
# Capabilities needed by PHP-CLI
capability audit_write,
capability chown,
capability dac_override,
capability dac_read_search,
capability fowner,
capability fsetid,
capability mknod,
capability setgid,
capability setuid,
capability sys_ptrace,
capability sys_resource,
# Allow PHP-CLI to execute its own binary
/opt/php83/bin/php mrix,
# Allow PHP-CLI to signal/ptrace other processes
ptrace (read) peer=/opt/php*/bin/php,
signal (send) peer=unconfined,
signal (send) peer=/usr/sbin/nginx,
ptrace (read) peer=/opt/php*/sbin/php-fpm,
ptrace (read) peer=/usr/bin/mysqld_safe,
ptrace (read) peer=/usr/bin/redis-server,
ptrace (read) peer=/usr/local/sbin/pure-ftpd,
ptrace (read) peer=/usr/sbin/nginx,
ptrace (read) peer=/usr/sbin/rsyslogd,
ptrace (read) peer=/usr/sbin/unbound,
ptrace (read) peer=unconfined,
# Allow PHP-CLI to read required configuration files
/data/disk/*/.subversion/ r,
/data/disk/*/.subversion/* r,
/etc/default/nginx r,
/etc/ImageMagick-6/log.xml r,
/etc/ImageMagick-6/policy.xml r,
/etc/ld.so.cache r,
/etc/ldap/ldap.conf r,
/etc/mailname r,
/etc/mysql/conf.d/ r,
/etc/mysql/conf.d/* r,
/etc/mysql/my.cnf r,
/etc/newrelic/upgrade_please.key r,
/etc/nginx/conf.d/ r,
/etc/nginx/conf.d/** r,
/etc/nginx/fastcgi_params r,
/etc/nginx/mime.types r,
/etc/nginx/nginx.conf r,
/etc/postfix/dynamicmaps.cf r,
/etc/postfix/dynamicmaps.cf.d/ r,
/etc/postfix/main.cf r,
/etc/ssl/private/ r,
/etc/ssl/private/* r,
/etc/ssl/private/nginx-wild-ssl.crt r,
/etc/ssl/private/nginx-wild-ssl.dhp r,
/etc/ssl/private/nginx-wild-ssl.key r,
/etc/subversion/ r,
/etc/subversion/* r,
/etc/wgetrc r,
/home/*/.drush/ r,
/home/*/.drush/** r,
/usr/local/share/git-core/templates/ r,
/usr/local/share/git-core/templates/* r,
/usr/local/share/git-core/templates/** r,
/usr/share/GeoIP/GeoIP.dat r,
/usr/share/GeoIP/GeoIPv6.dat r,
/usr/share/GeoIP/GeoLite2-ASN.mmdb r,
/usr/share/GeoIP/GeoLite2-City.mmdb r,
/usr/share/GeoIP/GeoLite2-Country.mmdb r,
/opt/php83/** r,
# Allow PHP-CLI to read required user/access files
/etc/login.defs r,
/etc/pam.d/* r,
/etc/passwd r,
/etc/security/capability.conf r,
/etc/security/limits.conf r,
/etc/security/limits.d/ r,
/etc/security/limits.d/* r,
/etc/shadow r,
/etc/sudo.conf r,
/etc/sudoers r,
/etc/sudoers.d/ r,
/etc/sudoers.d/* r,
/run/sudo/ts/ r,
/run/sudo/ts/* r,
# Allow PHP-CLI to execute some other binaries
/usr/bin/symlinks mrix,
/bin/cat mrix,
/bin/chmod mrix,
/bin/chown mrix,
/bin/cp mrix,
/bin/dash mrix,
/bin/date mrix,
/bin/egrep mrix,
/bin/grep mrix,
/bin/kmod mrix,
/bin/mkdir mrix,
/bin/mv mrix,
/bin/pidof mrix,
/bin/rm mrix,
/bin/run-parts mrix,
/bin/sed mrix,
/bin/stty mrix,
/bin/tar mrix,
/bin/touch mrix,
/opt/local/bin/websh mrix,
/data/disk/*/**/vendor/drush/drush/drush.php mrix,
/etc/init.d/nginx mrix,
/sbin/killall5 mrix,
/sbin/unix_chkpwd mrix,
/usr/bin/chromium mrix,
/usr/bin/convert mrix,
/usr/bin/find mrix,
/usr/bin/id mrix,
/usr/bin/magick mrix,
/usr/bin/mysql mrix,
/usr/bin/patch mrix,
/usr/bin/sudo mrix,
/usr/bin/svn mrix,
/usr/bin/tput mrix,
/usr/bin/tr mrix,
/usr/bin/unzip mrix,
/usr/bin/wget mrix,
/usr/bin/which mrix,
/usr/bin/which.debianutils mrix,
/usr/local/bin/composer mrix,
/usr/local/bin/curl mrix,
/usr/local/bin/fix-drupal-platform-ownership.sh mrix,
/usr/local/bin/fix-drupal-platform-permissions.sh mrix,
/usr/local/bin/fix-drupal-site-ownership.sh mrix,
/usr/local/bin/fix-drupal-site-permissions.sh mrix,
/usr/local/bin/git mrix,
/usr/local/bin/lock-local-drush-permissions.sh mrix,
/usr/local/bin/mydumper mrix,
/usr/local/bin/myloader mrix,
/usr/local/bin/wkhtmltoimage mrix,
/usr/local/bin/wkhtmltopdf mrix,
/usr/local/libexec/git-core/* mrix,
/usr/local/libexec/git-core/** mrix,
/usr/sbin/nginx mrix,
/usr/sbin/postdrop mrix,
/usr/sbin/sendmail mrix,
# Allow PHP-CLI to access some /dev
/dev/null rw,
/dev/random r,
/dev/tty rw,
/dev/urandom r,
# Allow PHP-CLI to use tmp files
/tmp/ r,
/tmp/** rw,
/var/spool/postfix/maildrop/ r,
/var/spool/postfix/maildrop/* rw,
/var/tmp/** rw,
# Allow read access to necessary libraries
/lib/** mr,
/lib/x86_64-linux-gnu/** mr,
/lib64/** mr,
/opt/php*/lib/php/** mr,
/usr/lib/** mr,
/usr/lib/x86_64-linux-gnu/** mr,
/usr/libexec/** mr,
/usr/local/include/** mr,
/usr/local/ioncube/ioncube_loader_lin_*.so mr,
/usr/local/lib/** mr,
/usr/local/ssl/** mr,
/usr/local/ssl3/** mr,
# Allow PHP-CLI to read and write its log files
/var/log/php/** rw,
/var/log/newrelic/php_agent.log rw,
# Allow PHP-CLI to write to some other log/pid files
/run/nginx.pid rw,
/var/log/nginx/access.log rw,
/var/log/nginx/error.log rw,
# Allow PHP-CLI to access /proc and /sys for necessary information
/proc/ r,
/proc/** r,
/sys/ r,
/sys/** r,
# Allow PHP-CLI to use /dev/shm for temporary storage
/dev/shm/ r,
/dev/shm/** rw,
# Deny execution of binaries from these directories
deny /home/*/.tmp/** m,
deny /home/*/** m,
deny /tmp/** m,
deny /var/tmp/** m,
# Allow PHP-CLI to access drush
/data/disk/*/tools/drush/ r,
/data/disk/*/tools/drush/* mrix,
/data/disk/*/tools/drush/** r,
/opt/tools/drush/** mrix,
/usr/local/bin/cv.phar mrix,
/var/aegir/drush/ r,
/var/aegir/drush/* mrix,
/var/aegir/drush/** r,
# Allow PHP-CLI to access System Default Web Root
/var/www/** r,
owner /var/www/** rw,
# Allow PHP-CLI to read/write in the Ægir Backend on Master Instance
owner /var/aegir/.drush/ r,
owner /var/aegir/.drush/* rw,
owner /var/aegir/.drush/** rw,
owner /var/aegir/.tmp/ r,
owner /var/aegir/.tmp/* rw,
owner /var/aegir/.tmp/** rw,
owner /var/aegir/config/ r,
owner /var/aegir/config/* rw,
owner /var/aegir/config/** rw,
owner /var/aegir/host_master-*/ r,
owner /var/aegir/host_master-*/* rw,
owner /var/aegir/host_master-*/** rw,
owner /var/aegir/host_master/ r,
owner /var/aegir/host_master/* rw,
owner /var/aegir/host_master/** rw,
owner /var/aegir/platforms/ r,
owner /var/aegir/platforms/* rw,
owner /var/aegir/platforms/** rw,
# Allow PHP-CLI to read/write in the Ægir Backend on Octopus Instances
/data/all/ r,
/data/all/* r,
/data/all/** r,
/data/conf/ r,
/data/conf/* r,
/data/conf/** r,
/data/disk/*/.bashrc r,
owner /data/disk/*/.cache/**/pack-* l,
owner /data/disk/*/static/**/pack-* l,
owner /data/disk/*/log/ r,
owner /data/disk/*/log/* rw,
owner /data/disk/*/.*.pass.php r,
owner /data/disk/*/.rnd rw,
owner /data/disk/*/backups/ rwl,
owner /data/disk/*/backups/* rwl,
owner /data/disk/*/backups/** rwl,
owner /data/disk/*/backup-exports/ rwl,
owner /data/disk/*/backup-exports/* rwl,
owner /data/disk/*/backup-exports/** rwl,
owner /data/disk/*/.config/ rwl,
owner /data/disk/*/.config/* rwl,
owner /data/disk/*/.config/** rwl,
owner /data/disk/*/.cache/ rwl,
owner /data/disk/*/.cache/* rwl,
owner /data/disk/*/.cache/** rwl,
owner /data/disk/*/.drush/ rwl,
owner /data/disk/*/.drush/* rwl,
owner /data/disk/*/.drush/** rwl,
owner /data/disk/*/.tmp/ rwl,
owner /data/disk/*/.tmp/* rwl,
owner /data/disk/*/.tmp/** rwl,
owner /data/disk/*/clients/ rw,
owner /data/disk/*/clients/* rw,
owner /data/disk/*/clients/** rw,
owner /data/disk/*/config/ rw,
owner /data/disk/*/config/* rw,
owner /data/disk/*/config/** rw,
owner /data/disk/*/tools/le/ rw,
owner /data/disk/*/tools/le/* rw,
owner /data/disk/*/tools/le/** rw,
# Allow PHP-CLI to read/write in the Ægir Frontend on Octopus Instances
owner /data/disk/*/aegir/ rw,
owner /data/disk/*/aegir/* rw,
owner /data/disk/*/aegir/** rw,
# Allow PHP-CLI to read/write in the limited shell user home for Drush support
owner /home/*/.drush/sites/ rw,
owner /home/*/.drush/sites/* rw,
owner /home/*/.drush/sites/** rw,
owner /home/*/.drush/cache/ rw,
owner /home/*/.drush/cache/* rw,
owner /home/*/.drush/cache/** rw,
owner /home/*/.tmp/ rw,
owner /home/*/.tmp/* rw,
owner /home/*/.tmp/** rw,
# Allow PHP-CLI to read/write in the custom web root directories
/data/disk/*/static/ rw,
/data/disk/*/static/* rw,
/data/disk/*/static/** rw,
/data/disk/*/distro/ rw,
/data/disk/*/distro/* rw,
/data/disk/*/distro/** rw,
/data/disk/*/platforms/ rw,
/data/disk/*/platforms/* rw,
/data/disk/*/platforms/** rw,
# Allow PHP-CLI to read and write in the root tmp
owner /root/.tmp/ rw,
owner /root/.tmp/* rw,
owner /root/.tmp/** rw,
# Deny access to various sensitive directories and files
deny /boot/** mrwklx,
# Catchall to deny everything else
#deny /** rwklx,
# Site-specific additions and overrides can be added below
}
================================================
FILE: aegir/conf/apparmor/opt.php83.sbin.php-fpm
================================================
# AppArmor profile for PHP-FPM
# This profile restricts the PHP-FPM (php83) to essential operations only.
#include
/opt/php83/sbin/php-fpm flags=(attach_disconnected) {
# Include common AppArmor abstractions
include
include
include
include
# Capabilities needed by PHP-FPM
capability chown,
capability dac_override,
capability dac_read_search,
capability fowner,
capability kill,
capability setgid,
capability setuid,
capability sys_resource,
# Allow PHP-FPM to accept signal from PHP-CLI processes
signal (receive) peer=/opt/php*/bin/php,
network inet stream,
network inet6 stream,
# Allow PHP-FPM to execute its own binary
/opt/php83/sbin/php-fpm mrix,
# Allow PHP-FPM to read its configuration files
/data/conf/ r,
/data/conf/** r,
/etc/ImageMagick-6/log.xml r,
/etc/ImageMagick-6/policy.xml r,
/etc/ld.so.cache r,
/etc/mailname r,
/etc/newrelic/upgrade_please.key r,
/etc/postfix/dynamicmaps.cf r,
/etc/postfix/dynamicmaps.cf.d/ r,
/etc/postfix/dynamicmaps.cf.d/* r,
/etc/postfix/main.cf r,
/home/*/.drush/** r,
/opt/etc/fpm/** r,
/var/spool/postfix/maildrop/ r,
/var/spool/postfix/maildrop/* rw,
/opt/php83/** r,
# Allow PHP-FPM to execute some other binaries
/bin/dash mrix,
/opt/local/bin/websh mrix,
/usr/bin/advdef mrix,
/usr/bin/advpng mrix,
/usr/bin/chromium mrix,
/usr/bin/convert mrix,
/usr/bin/id mrix,
/usr/bin/jpegoptim mrix,
/usr/bin/jpegtran mrix,
/usr/bin/magick mrix,
/usr/bin/optipng mrix,
/usr/bin/pngcrush mrix,
/usr/bin/pngquant mrix,
/usr/lib/postfix/sbin/smtpd mrix,
/usr/local/bin/curl mrix,
/usr/local/bin/wkhtmltoimage mrix,
/usr/local/bin/wkhtmltopdf mrix,
/usr/sbin/postdrop mrix,
/usr/sbin/sendmail mrix,
# Allow PHP-FPM to access some /dev
/dev/null rw,
/dev/random r,
/dev/tty wr,
/dev/urandom r,
# Allow PHP-FPM to access its run directory
/run/** rw,
# Allow PHP-FPM to use tmp files
/home/*/.tmp/ r,
/home/*/.tmp/** rw,
/tmp/ r,
/tmp/** rw,
/var/tmp/** rw,
# Allow read access to necessary libraries
/lib/** mr,
/lib/x86_64-linux-gnu/** mr,
/lib64/** mr,
/opt/php*/lib/php/** mr,
/usr/lib/** mr,
/usr/lib/x86_64-linux-gnu/** mr,
/usr/libexec/** mr,
/usr/local/include/** mr,
/usr/local/ioncube/ioncube_loader_lin_*.so mr,
/usr/local/lib/** mr,
/usr/local/ssl/** mr,
/usr/local/ssl3/** mr,
# Allow PHP-FPM to read and write its log files
/var/log/newrelic/php_agent.log rw,
/var/log/php/** rw,
# Allow PHP-FPM to access /proc and /sys for necessary information
/proc/** r,
/sys/** r,
# Allow PHP-FPM to use /dev/shm for temporary storage
/dev/shm/ r,
/dev/shm/** rw,
# Deny execution of binaries from these directories
deny /home/*/.tmp/** m,
deny /home/*/** m,
deny /tmp/** m,
deny /var/tmp/** m,
# Allow PHP-FPM to read and write in the custom web root directories
/var/www/** r,
/var/aegir/host_master/** r,
/var/aegir/platforms/** r,
/data/disk/*/aegir/** r,
/data/disk/*/distro/** r,
/data/disk/*/platforms/** r,
/data/disk/*/static/** r,
/data/disk/*/tools/le/** r,
/data/all/ r,
/data/all/* r,
/data/all/** r,
/data/conf/ r,
/data/conf/* r,
/data/conf/** r,
owner /var/aegir/host_master/** rw,
owner /var/aegir/platforms/** rw,
owner /data/disk/*/aegir/** rw,
owner /data/disk/*/distro/** rw,
owner /data/disk/*/platforms/** rw,
owner /data/disk/*/static/** rw,
owner /var/www/** rw,
/home/*.web/.aws/ r,
/home/*.web/.aws/* rw,
/home/*.web/.drush/ r,
/home/*.web/.drush/* r,
/home/*.web/.tmp/ r,
/home/*.web/.tmp/* rw,
# Deny access to various sensitive directories and files
deny /boot/** mrwklx,
deny /etc/shadow* rwlx,
deny /root/** mrwklx,
# Catchall to deny everything else
#deny /** rwklx,
# Site-specific additions and overrides can be added below
}
================================================
FILE: aegir/conf/apparmor/opt.php84.bin.php
================================================
# AppArmor profile for PHP-CLI
# This profile restricts PHP-CLI (php84) to essential operations only.
#include
/opt/php84/bin/php flags=(complain) {
# Include common AppArmor abstractions
include
include
include
include
include
# Capabilities needed by PHP-CLI
capability audit_write,
capability chown,
capability dac_override,
capability dac_read_search,
capability fowner,
capability fsetid,
capability mknod,
capability setgid,
capability setuid,
capability sys_ptrace,
capability sys_resource,
# Allow PHP-CLI to execute its own binary
/opt/php84/bin/php mrix,
# Allow PHP-CLI to signal/ptrace other processes
ptrace (read) peer=/opt/php*/bin/php,
signal (send) peer=unconfined,
signal (send) peer=/usr/sbin/nginx,
ptrace (read) peer=/opt/php*/sbin/php-fpm,
ptrace (read) peer=/usr/bin/mysqld_safe,
ptrace (read) peer=/usr/bin/redis-server,
ptrace (read) peer=/usr/local/sbin/pure-ftpd,
ptrace (read) peer=/usr/sbin/nginx,
ptrace (read) peer=/usr/sbin/rsyslogd,
ptrace (read) peer=/usr/sbin/unbound,
ptrace (read) peer=unconfined,
# Allow PHP-CLI to read required configuration files
/data/disk/*/.subversion/ r,
/data/disk/*/.subversion/* r,
/etc/default/nginx r,
/etc/ImageMagick-6/log.xml r,
/etc/ImageMagick-6/policy.xml r,
/etc/ld.so.cache r,
/etc/ldap/ldap.conf r,
/etc/mailname r,
/etc/mysql/conf.d/ r,
/etc/mysql/conf.d/* r,
/etc/mysql/my.cnf r,
/etc/newrelic/upgrade_please.key r,
/etc/nginx/conf.d/ r,
/etc/nginx/conf.d/** r,
/etc/nginx/fastcgi_params r,
/etc/nginx/mime.types r,
/etc/nginx/nginx.conf r,
/etc/postfix/dynamicmaps.cf r,
/etc/postfix/dynamicmaps.cf.d/ r,
/etc/postfix/main.cf r,
/etc/ssl/private/ r,
/etc/ssl/private/* r,
/etc/ssl/private/nginx-wild-ssl.crt r,
/etc/ssl/private/nginx-wild-ssl.dhp r,
/etc/ssl/private/nginx-wild-ssl.key r,
/etc/subversion/ r,
/etc/subversion/* r,
/etc/wgetrc r,
/home/*/.drush/ r,
/home/*/.drush/** r,
/usr/local/share/git-core/templates/ r,
/usr/local/share/git-core/templates/* r,
/usr/local/share/git-core/templates/** r,
/usr/share/GeoIP/GeoIP.dat r,
/usr/share/GeoIP/GeoIPv6.dat r,
/usr/share/GeoIP/GeoLite2-ASN.mmdb r,
/usr/share/GeoIP/GeoLite2-City.mmdb r,
/usr/share/GeoIP/GeoLite2-Country.mmdb r,
/opt/php84/** r,
# Allow PHP-CLI to read required user/access files
/etc/login.defs r,
/etc/pam.d/* r,
/etc/passwd r,
/etc/security/capability.conf r,
/etc/security/limits.conf r,
/etc/security/limits.d/ r,
/etc/security/limits.d/* r,
/etc/shadow r,
/etc/sudo.conf r,
/etc/sudoers r,
/etc/sudoers.d/ r,
/etc/sudoers.d/* r,
/run/sudo/ts/ r,
/run/sudo/ts/* r,
# Allow PHP-CLI to execute some other binaries
/usr/bin/symlinks mrix,
/bin/cat mrix,
/bin/chmod mrix,
/bin/chown mrix,
/bin/cp mrix,
/bin/dash mrix,
/bin/date mrix,
/bin/egrep mrix,
/bin/grep mrix,
/bin/kmod mrix,
/bin/mkdir mrix,
/bin/mv mrix,
/bin/pidof mrix,
/bin/rm mrix,
/bin/run-parts mrix,
/bin/sed mrix,
/bin/stty mrix,
/bin/tar mrix,
/bin/touch mrix,
/opt/local/bin/websh mrix,
/data/disk/*/**/vendor/drush/drush/drush.php mrix,
/etc/init.d/nginx mrix,
/sbin/killall5 mrix,
/sbin/unix_chkpwd mrix,
/usr/bin/chromium mrix,
/usr/bin/convert mrix,
/usr/bin/find mrix,
/usr/bin/id mrix,
/usr/bin/magick mrix,
/usr/bin/mysql mrix,
/usr/bin/patch mrix,
/usr/bin/sudo mrix,
/usr/bin/svn mrix,
/usr/bin/tput mrix,
/usr/bin/tr mrix,
/usr/bin/unzip mrix,
/usr/bin/wget mrix,
/usr/bin/which mrix,
/usr/bin/which.debianutils mrix,
/usr/local/bin/composer mrix,
/usr/local/bin/curl mrix,
/usr/local/bin/fix-drupal-platform-ownership.sh mrix,
/usr/local/bin/fix-drupal-platform-permissions.sh mrix,
/usr/local/bin/fix-drupal-site-ownership.sh mrix,
/usr/local/bin/fix-drupal-site-permissions.sh mrix,
/usr/local/bin/git mrix,
/usr/local/bin/lock-local-drush-permissions.sh mrix,
/usr/local/bin/mydumper mrix,
/usr/local/bin/myloader mrix,
/usr/local/bin/wkhtmltoimage mrix,
/usr/local/bin/wkhtmltopdf mrix,
/usr/local/libexec/git-core/* mrix,
/usr/local/libexec/git-core/** mrix,
/usr/sbin/nginx mrix,
/usr/sbin/postdrop mrix,
/usr/sbin/sendmail mrix,
# Allow PHP-CLI to access some /dev
/dev/null rw,
/dev/random r,
/dev/tty rw,
/dev/urandom r,
# Allow PHP-CLI to use tmp files
/tmp/ r,
/tmp/** rw,
/var/spool/postfix/maildrop/ r,
/var/spool/postfix/maildrop/* rw,
/var/tmp/** rw,
# Allow read access to necessary libraries
/lib/** mr,
/lib/x86_64-linux-gnu/** mr,
/lib64/** mr,
/opt/php*/lib/php/** mr,
/usr/lib/** mr,
/usr/lib/x86_64-linux-gnu/** mr,
/usr/libexec/** mr,
/usr/local/include/** mr,
/usr/local/ioncube/ioncube_loader_lin_*.so mr,
/usr/local/lib/** mr,
/usr/local/ssl/** mr,
/usr/local/ssl3/** mr,
# Allow PHP-CLI to read and write its log files
/var/log/php/** rw,
/var/log/newrelic/php_agent.log rw,
# Allow PHP-CLI to write to some other log/pid files
/run/nginx.pid rw,
/var/log/nginx/access.log rw,
/var/log/nginx/error.log rw,
# Allow PHP-CLI to access /proc and /sys for necessary information
/proc/ r,
/proc/** r,
/sys/ r,
/sys/** r,
# Allow PHP-CLI to use /dev/shm for temporary storage
/dev/shm/ r,
/dev/shm/** rw,
# Deny execution of binaries from these directories
deny /home/*/.tmp/** m,
deny /home/*/** m,
deny /tmp/** m,
deny /var/tmp/** m,
# Allow PHP-CLI to access drush
/data/disk/*/tools/drush/ r,
/data/disk/*/tools/drush/* mrix,
/data/disk/*/tools/drush/** r,
/opt/tools/drush/** mrix,
/usr/local/bin/cv.phar mrix,
/var/aegir/drush/ r,
/var/aegir/drush/* mrix,
/var/aegir/drush/** r,
# Allow PHP-CLI to access System Default Web Root
/var/www/** r,
owner /var/www/** rw,
# Allow PHP-CLI to read/write in the Ægir Backend on Master Instance
owner /var/aegir/.drush/ r,
owner /var/aegir/.drush/* rw,
owner /var/aegir/.drush/** rw,
owner /var/aegir/.tmp/ r,
owner /var/aegir/.tmp/* rw,
owner /var/aegir/.tmp/** rw,
owner /var/aegir/config/ r,
owner /var/aegir/config/* rw,
owner /var/aegir/config/** rw,
owner /var/aegir/host_master-*/ r,
owner /var/aegir/host_master-*/* rw,
owner /var/aegir/host_master-*/** rw,
owner /var/aegir/host_master/ r,
owner /var/aegir/host_master/* rw,
owner /var/aegir/host_master/** rw,
owner /var/aegir/platforms/ r,
owner /var/aegir/platforms/* rw,
owner /var/aegir/platforms/** rw,
# Allow PHP-CLI to read/write in the Ægir Backend on Octopus Instances
/data/all/ r,
/data/all/* r,
/data/all/** r,
/data/conf/ r,
/data/conf/* r,
/data/conf/** r,
/data/disk/*/.bashrc r,
owner /data/disk/*/.cache/**/pack-* l,
owner /data/disk/*/static/**/pack-* l,
owner /data/disk/*/log/ r,
owner /data/disk/*/log/* rw,
owner /data/disk/*/.*.pass.php r,
owner /data/disk/*/.rnd rw,
owner /data/disk/*/backups/ rwl,
owner /data/disk/*/backups/* rwl,
owner /data/disk/*/backups/** rwl,
owner /data/disk/*/backup-exports/ rwl,
owner /data/disk/*/backup-exports/* rwl,
owner /data/disk/*/backup-exports/** rwl,
owner /data/disk/*/.config/ rwl,
owner /data/disk/*/.config/* rwl,
owner /data/disk/*/.config/** rwl,
owner /data/disk/*/.cache/ rwl,
owner /data/disk/*/.cache/* rwl,
owner /data/disk/*/.cache/** rwl,
owner /data/disk/*/.drush/ rwl,
owner /data/disk/*/.drush/* rwl,
owner /data/disk/*/.drush/** rwl,
owner /data/disk/*/.tmp/ rwl,
owner /data/disk/*/.tmp/* rwl,
owner /data/disk/*/.tmp/** rwl,
owner /data/disk/*/clients/ rw,
owner /data/disk/*/clients/* rw,
owner /data/disk/*/clients/** rw,
owner /data/disk/*/config/ rw,
owner /data/disk/*/config/* rw,
owner /data/disk/*/config/** rw,
owner /data/disk/*/tools/le/ rw,
owner /data/disk/*/tools/le/* rw,
owner /data/disk/*/tools/le/** rw,
# Allow PHP-CLI to read/write in the Ægir Frontend on Octopus Instances
owner /data/disk/*/aegir/ rw,
owner /data/disk/*/aegir/* rw,
owner /data/disk/*/aegir/** rw,
# Allow PHP-CLI to read/write in the limited shell user home for Drush support
owner /home/*/.drush/sites/ rw,
owner /home/*/.drush/sites/* rw,
owner /home/*/.drush/sites/** rw,
owner /home/*/.drush/cache/ rw,
owner /home/*/.drush/cache/* rw,
owner /home/*/.drush/cache/** rw,
owner /home/*/.tmp/ rw,
owner /home/*/.tmp/* rw,
owner /home/*/.tmp/** rw,
# Allow PHP-CLI to read/write in the custom web root directories
/data/disk/*/static/ rw,
/data/disk/*/static/* rw,
/data/disk/*/static/** rw,
/data/disk/*/distro/ rw,
/data/disk/*/distro/* rw,
/data/disk/*/distro/** rw,
/data/disk/*/platforms/ rw,
/data/disk/*/platforms/* rw,
/data/disk/*/platforms/** rw,
# Allow PHP-CLI to read and write in the root tmp
owner /root/.tmp/ rw,
owner /root/.tmp/* rw,
owner /root/.tmp/** rw,
# Deny access to various sensitive directories and files
deny /boot/** mrwklx,
# Catchall to deny everything else
#deny /** rwklx,
# Site-specific additions and overrides can be added below
}
================================================
FILE: aegir/conf/apparmor/opt.php84.sbin.php-fpm
================================================
# AppArmor profile for PHP-FPM
# This profile restricts the PHP-FPM (php84) to essential operations only.
#include
/opt/php84/sbin/php-fpm flags=(attach_disconnected) {
# Include common AppArmor abstractions
include
include
include
include
# Capabilities needed by PHP-FPM
capability chown,
capability dac_override,
capability dac_read_search,
capability fowner,
capability kill,
capability setgid,
capability setuid,
capability sys_resource,
# Allow PHP-FPM to accept signal from PHP-CLI processes
signal (receive) peer=/opt/php*/bin/php,
network inet stream,
network inet6 stream,
# Allow PHP-FPM to execute its own binary
/opt/php84/sbin/php-fpm mrix,
# Allow PHP-FPM to read its configuration files
/data/conf/ r,
/data/conf/** r,
/etc/ImageMagick-6/log.xml r,
/etc/ImageMagick-6/policy.xml r,
/etc/ld.so.cache r,
/etc/mailname r,
/etc/newrelic/upgrade_please.key r,
/etc/postfix/dynamicmaps.cf r,
/etc/postfix/dynamicmaps.cf.d/ r,
/etc/postfix/dynamicmaps.cf.d/* r,
/etc/postfix/main.cf r,
/home/*/.drush/** r,
/opt/etc/fpm/** r,
/var/spool/postfix/maildrop/ r,
/var/spool/postfix/maildrop/* rw,
/opt/php84/** r,
# Allow PHP-FPM to execute some other binaries
/bin/dash mrix,
/opt/local/bin/websh mrix,
/usr/bin/advdef mrix,
/usr/bin/advpng mrix,
/usr/bin/chromium mrix,
/usr/bin/convert mrix,
/usr/bin/id mrix,
/usr/bin/jpegoptim mrix,
/usr/bin/jpegtran mrix,
/usr/bin/magick mrix,
/usr/bin/optipng mrix,
/usr/bin/pngcrush mrix,
/usr/bin/pngquant mrix,
/usr/lib/postfix/sbin/smtpd mrix,
/usr/local/bin/curl mrix,
/usr/local/bin/wkhtmltoimage mrix,
/usr/local/bin/wkhtmltopdf mrix,
/usr/sbin/postdrop mrix,
/usr/sbin/sendmail mrix,
# Allow PHP-FPM to access some /dev
/dev/null rw,
/dev/random r,
/dev/tty wr,
/dev/urandom r,
# Allow PHP-FPM to access its run directory
/run/** rw,
# Allow PHP-FPM to use tmp files
/home/*/.tmp/ r,
/home/*/.tmp/** rw,
/tmp/ r,
/tmp/** rw,
/var/tmp/** rw,
# Allow read access to necessary libraries
/lib/** mr,
/lib/x86_64-linux-gnu/** mr,
/lib64/** mr,
/opt/php*/lib/php/** mr,
/usr/lib/** mr,
/usr/lib/x86_64-linux-gnu/** mr,
/usr/libexec/** mr,
/usr/local/include/** mr,
/usr/local/ioncube/ioncube_loader_lin_*.so mr,
/usr/local/lib/** mr,
/usr/local/ssl/** mr,
/usr/local/ssl3/** mr,
# Allow PHP-FPM to read and write its log files
/var/log/newrelic/php_agent.log rw,
/var/log/php/** rw,
# Allow PHP-FPM to access /proc and /sys for necessary information
/proc/** r,
/sys/** r,
# Allow PHP-FPM to use /dev/shm for temporary storage
/dev/shm/ r,
/dev/shm/** rw,
# Deny execution of binaries from these directories
deny /home/*/.tmp/** m,
deny /home/*/** m,
deny /tmp/** m,
deny /var/tmp/** m,
# Allow PHP-FPM to read and write in the custom web root directories
/var/www/** r,
/var/aegir/host_master/** r,
/var/aegir/platforms/** r,
/data/disk/*/aegir/** r,
/data/disk/*/distro/** r,
/data/disk/*/platforms/** r,
/data/disk/*/static/** r,
/data/disk/*/tools/le/** r,
/data/all/ r,
/data/all/* r,
/data/all/** r,
/data/conf/ r,
/data/conf/* r,
/data/conf/** r,
owner /var/aegir/host_master/** rw,
owner /var/aegir/platforms/** rw,
owner /data/disk/*/aegir/** rw,
owner /data/disk/*/distro/** rw,
owner /data/disk/*/platforms/** rw,
owner /data/disk/*/static/** rw,
owner /var/www/** rw,
/home/*.web/.aws/ r,
/home/*.web/.aws/* rw,
/home/*.web/.drush/ r,
/home/*.web/.drush/* r,
/home/*.web/.tmp/ r,
/home/*.web/.tmp/* rw,
# Deny access to various sensitive directories and files
deny /boot/** mrwklx,
deny /etc/shadow* rwlx,
deny /root/** mrwklx,
# Catchall to deny everything else
#deny /** rwklx,
# Site-specific additions and overrides can be added below
}
================================================
FILE: aegir/conf/apparmor/opt.php85.bin.php
================================================
# AppArmor profile for PHP-CLI
# This profile restricts PHP-CLI (php85) to essential operations only.
#include
/opt/php85/bin/php flags=(complain) {
# Include common AppArmor abstractions
include
include
include
include
include
# Capabilities needed by PHP-CLI
capability audit_write,
capability chown,
capability dac_override,
capability dac_read_search,
capability fowner,
capability fsetid,
capability mknod,
capability setgid,
capability setuid,
capability sys_ptrace,
capability sys_resource,
# Allow PHP-CLI to execute its own binary
/opt/php85/bin/php mrix,
# Allow PHP-CLI to signal/ptrace other processes
ptrace (read) peer=/opt/php*/bin/php,
signal (send) peer=unconfined,
signal (send) peer=/usr/sbin/nginx,
ptrace (read) peer=/opt/php*/sbin/php-fpm,
ptrace (read) peer=/usr/bin/mysqld_safe,
ptrace (read) peer=/usr/bin/redis-server,
ptrace (read) peer=/usr/local/sbin/pure-ftpd,
ptrace (read) peer=/usr/sbin/nginx,
ptrace (read) peer=/usr/sbin/rsyslogd,
ptrace (read) peer=/usr/sbin/unbound,
ptrace (read) peer=unconfined,
# Allow PHP-CLI to read required configuration files
/data/disk/*/.subversion/ r,
/data/disk/*/.subversion/* r,
/etc/default/nginx r,
/etc/ImageMagick-6/log.xml r,
/etc/ImageMagick-6/policy.xml r,
/etc/ld.so.cache r,
/etc/ldap/ldap.conf r,
/etc/mailname r,
/etc/mysql/conf.d/ r,
/etc/mysql/conf.d/* r,
/etc/mysql/my.cnf r,
/etc/newrelic/upgrade_please.key r,
/etc/nginx/conf.d/ r,
/etc/nginx/conf.d/** r,
/etc/nginx/fastcgi_params r,
/etc/nginx/mime.types r,
/etc/nginx/nginx.conf r,
/etc/postfix/dynamicmaps.cf r,
/etc/postfix/dynamicmaps.cf.d/ r,
/etc/postfix/main.cf r,
/etc/ssl/private/ r,
/etc/ssl/private/* r,
/etc/ssl/private/nginx-wild-ssl.crt r,
/etc/ssl/private/nginx-wild-ssl.dhp r,
/etc/ssl/private/nginx-wild-ssl.key r,
/etc/subversion/ r,
/etc/subversion/* r,
/etc/wgetrc r,
/home/*/.drush/ r,
/home/*/.drush/** r,
/usr/local/share/git-core/templates/ r,
/usr/local/share/git-core/templates/* r,
/usr/local/share/git-core/templates/** r,
/usr/share/GeoIP/GeoIP.dat r,
/usr/share/GeoIP/GeoIPv6.dat r,
/usr/share/GeoIP/GeoLite2-ASN.mmdb r,
/usr/share/GeoIP/GeoLite2-City.mmdb r,
/usr/share/GeoIP/GeoLite2-Country.mmdb r,
/opt/php85/** r,
# Allow PHP-CLI to read required user/access files
/etc/login.defs r,
/etc/pam.d/* r,
/etc/passwd r,
/etc/security/capability.conf r,
/etc/security/limits.conf r,
/etc/security/limits.d/ r,
/etc/security/limits.d/* r,
/etc/shadow r,
/etc/sudo.conf r,
/etc/sudoers r,
/etc/sudoers.d/ r,
/etc/sudoers.d/* r,
/run/sudo/ts/ r,
/run/sudo/ts/* r,
# Allow PHP-CLI to execute some other binaries
/usr/bin/symlinks mrix,
/bin/cat mrix,
/bin/chmod mrix,
/bin/chown mrix,
/bin/cp mrix,
/bin/dash mrix,
/bin/date mrix,
/bin/egrep mrix,
/bin/grep mrix,
/bin/kmod mrix,
/bin/mkdir mrix,
/bin/mv mrix,
/bin/pidof mrix,
/bin/rm mrix,
/bin/run-parts mrix,
/bin/sed mrix,
/bin/stty mrix,
/bin/tar mrix,
/bin/touch mrix,
/opt/local/bin/websh mrix,
/data/disk/*/**/vendor/drush/drush/drush.php mrix,
/etc/init.d/nginx mrix,
/sbin/killall5 mrix,
/sbin/unix_chkpwd mrix,
/usr/bin/chromium mrix,
/usr/bin/convert mrix,
/usr/bin/find mrix,
/usr/bin/id mrix,
/usr/bin/magick mrix,
/usr/bin/mysql mrix,
/usr/bin/patch mrix,
/usr/bin/sudo mrix,
/usr/bin/svn mrix,
/usr/bin/tput mrix,
/usr/bin/tr mrix,
/usr/bin/unzip mrix,
/usr/bin/wget mrix,
/usr/bin/which mrix,
/usr/bin/which.debianutils mrix,
/usr/local/bin/composer mrix,
/usr/local/bin/curl mrix,
/usr/local/bin/fix-drupal-platform-ownership.sh mrix,
/usr/local/bin/fix-drupal-platform-permissions.sh mrix,
/usr/local/bin/fix-drupal-site-ownership.sh mrix,
/usr/local/bin/fix-drupal-site-permissions.sh mrix,
/usr/local/bin/git mrix,
/usr/local/bin/lock-local-drush-permissions.sh mrix,
/usr/local/bin/mydumper mrix,
/usr/local/bin/myloader mrix,
/usr/local/bin/wkhtmltoimage mrix,
/usr/local/bin/wkhtmltopdf mrix,
/usr/local/libexec/git-core/* mrix,
/usr/local/libexec/git-core/** mrix,
/usr/sbin/nginx mrix,
/usr/sbin/postdrop mrix,
/usr/sbin/sendmail mrix,
# Allow PHP-CLI to access some /dev
/dev/null rw,
/dev/random r,
/dev/tty rw,
/dev/urandom r,
# Allow PHP-CLI to use tmp files
/tmp/ r,
/tmp/** rw,
/var/spool/postfix/maildrop/ r,
/var/spool/postfix/maildrop/* rw,
/var/tmp/** rw,
# Allow read access to necessary libraries
/lib/** mr,
/lib/x86_64-linux-gnu/** mr,
/lib64/** mr,
/opt/php*/lib/php/** mr,
/usr/lib/** mr,
/usr/lib/x86_64-linux-gnu/** mr,
/usr/libexec/** mr,
/usr/local/include/** mr,
/usr/local/ioncube/ioncube_loader_lin_*.so mr,
/usr/local/lib/** mr,
/usr/local/ssl/** mr,
/usr/local/ssl3/** mr,
# Allow PHP-CLI to read and write its log files
/var/log/php/** rw,
/var/log/newrelic/php_agent.log rw,
# Allow PHP-CLI to write to some other log/pid files
/run/nginx.pid rw,
/var/log/nginx/access.log rw,
/var/log/nginx/error.log rw,
# Allow PHP-CLI to access /proc and /sys for necessary information
/proc/ r,
/proc/** r,
/sys/ r,
/sys/** r,
# Allow PHP-CLI to use /dev/shm for temporary storage
/dev/shm/ r,
/dev/shm/** rw,
# Deny execution of binaries from these directories
deny /home/*/.tmp/** m,
deny /home/*/** m,
deny /tmp/** m,
deny /var/tmp/** m,
# Allow PHP-CLI to access drush
/data/disk/*/tools/drush/ r,
/data/disk/*/tools/drush/* mrix,
/data/disk/*/tools/drush/** r,
/opt/tools/drush/** mrix,
/usr/local/bin/cv.phar mrix,
/var/aegir/drush/ r,
/var/aegir/drush/* mrix,
/var/aegir/drush/** r,
# Allow PHP-CLI to access System Default Web Root
/var/www/** r,
owner /var/www/** rw,
# Allow PHP-CLI to read/write in the Ægir Backend on Master Instance
owner /var/aegir/.drush/ r,
owner /var/aegir/.drush/* rw,
owner /var/aegir/.drush/** rw,
owner /var/aegir/.tmp/ r,
owner /var/aegir/.tmp/* rw,
owner /var/aegir/.tmp/** rw,
owner /var/aegir/config/ r,
owner /var/aegir/config/* rw,
owner /var/aegir/config/** rw,
owner /var/aegir/host_master-*/ r,
owner /var/aegir/host_master-*/* rw,
owner /var/aegir/host_master-*/** rw,
owner /var/aegir/host_master/ r,
owner /var/aegir/host_master/* rw,
owner /var/aegir/host_master/** rw,
owner /var/aegir/platforms/ r,
owner /var/aegir/platforms/* rw,
owner /var/aegir/platforms/** rw,
# Allow PHP-CLI to read/write in the Ægir Backend on Octopus Instances
/data/all/ r,
/data/all/* r,
/data/all/** r,
/data/conf/ r,
/data/conf/* r,
/data/conf/** r,
/data/disk/*/.bashrc r,
owner /data/disk/*/.cache/**/pack-* l,
owner /data/disk/*/static/**/pack-* l,
owner /data/disk/*/log/ r,
owner /data/disk/*/log/* rw,
owner /data/disk/*/.*.pass.php r,
owner /data/disk/*/.rnd rw,
owner /data/disk/*/backups/ rwl,
owner /data/disk/*/backups/* rwl,
owner /data/disk/*/backups/** rwl,
owner /data/disk/*/backup-exports/ rwl,
owner /data/disk/*/backup-exports/* rwl,
owner /data/disk/*/backup-exports/** rwl,
owner /data/disk/*/.config/ rwl,
owner /data/disk/*/.config/* rwl,
owner /data/disk/*/.config/** rwl,
owner /data/disk/*/.cache/ rwl,
owner /data/disk/*/.cache/* rwl,
owner /data/disk/*/.cache/** rwl,
owner /data/disk/*/.drush/ rwl,
owner /data/disk/*/.drush/* rwl,
owner /data/disk/*/.drush/** rwl,
owner /data/disk/*/.tmp/ rwl,
owner /data/disk/*/.tmp/* rwl,
owner /data/disk/*/.tmp/** rwl,
owner /data/disk/*/clients/ rw,
owner /data/disk/*/clients/* rw,
owner /data/disk/*/clients/** rw,
owner /data/disk/*/config/ rw,
owner /data/disk/*/config/* rw,
owner /data/disk/*/config/** rw,
owner /data/disk/*/tools/le/ rw,
owner /data/disk/*/tools/le/* rw,
owner /data/disk/*/tools/le/** rw,
# Allow PHP-CLI to read/write in the Ægir Frontend on Octopus Instances
owner /data/disk/*/aegir/ rw,
owner /data/disk/*/aegir/* rw,
owner /data/disk/*/aegir/** rw,
# Allow PHP-CLI to read/write in the limited shell user home for Drush support
owner /home/*/.drush/sites/ rw,
owner /home/*/.drush/sites/* rw,
owner /home/*/.drush/sites/** rw,
owner /home/*/.drush/cache/ rw,
owner /home/*/.drush/cache/* rw,
owner /home/*/.drush/cache/** rw,
owner /home/*/.tmp/ rw,
owner /home/*/.tmp/* rw,
owner /home/*/.tmp/** rw,
# Allow PHP-CLI to read/write in the custom web root directories
/data/disk/*/static/ rw,
/data/disk/*/static/* rw,
/data/disk/*/static/** rw,
/data/disk/*/distro/ rw,
/data/disk/*/distro/* rw,
/data/disk/*/distro/** rw,
/data/disk/*/platforms/ rw,
/data/disk/*/platforms/* rw,
/data/disk/*/platforms/** rw,
# Allow PHP-CLI to read and write in the root tmp
owner /root/.tmp/ rw,
owner /root/.tmp/* rw,
owner /root/.tmp/** rw,
# Deny access to various sensitive directories and files
deny /boot/** mrwklx,
# Catchall to deny everything else
#deny /** rwklx,
# Site-specific additions and overrides can be added below
}
================================================
FILE: aegir/conf/apparmor/opt.php85.sbin.php-fpm
================================================
# AppArmor profile for PHP-FPM
# This profile restricts the PHP-FPM (php85) to essential operations only.
#include
/opt/php85/sbin/php-fpm flags=(attach_disconnected) {
# Include common AppArmor abstractions
include
include
include
include
# Capabilities needed by PHP-FPM
capability chown,
capability dac_override,
capability dac_read_search,
capability fowner,
capability kill,
capability setgid,
capability setuid,
capability sys_resource,
# Allow PHP-FPM to accept signal from PHP-CLI processes
signal (receive) peer=/opt/php*/bin/php,
network inet stream,
network inet6 stream,
# Allow PHP-FPM to execute its own binary
/opt/php85/sbin/php-fpm mrix,
# Allow PHP-FPM to read its configuration files
/data/conf/ r,
/data/conf/** r,
/etc/ImageMagick-6/log.xml r,
/etc/ImageMagick-6/policy.xml r,
/etc/ld.so.cache r,
/etc/mailname r,
/etc/newrelic/upgrade_please.key r,
/etc/postfix/dynamicmaps.cf r,
/etc/postfix/dynamicmaps.cf.d/ r,
/etc/postfix/dynamicmaps.cf.d/* r,
/etc/postfix/main.cf r,
/home/*/.drush/** r,
/opt/etc/fpm/** r,
/var/spool/postfix/maildrop/ r,
/var/spool/postfix/maildrop/* rw,
/opt/php85/** r,
# Allow PHP-FPM to execute some other binaries
/bin/dash mrix,
/opt/local/bin/websh mrix,
/usr/bin/advdef mrix,
/usr/bin/advpng mrix,
/usr/bin/chromium mrix,
/usr/bin/convert mrix,
/usr/bin/id mrix,
/usr/bin/jpegoptim mrix,
/usr/bin/jpegtran mrix,
/usr/bin/magick mrix,
/usr/bin/optipng mrix,
/usr/bin/pngcrush mrix,
/usr/bin/pngquant mrix,
/usr/lib/postfix/sbin/smtpd mrix,
/usr/local/bin/curl mrix,
/usr/local/bin/wkhtmltoimage mrix,
/usr/local/bin/wkhtmltopdf mrix,
/usr/sbin/postdrop mrix,
/usr/sbin/sendmail mrix,
# Allow PHP-FPM to access some /dev
/dev/null rw,
/dev/random r,
/dev/tty wr,
/dev/urandom r,
# Allow PHP-FPM to access its run directory
/run/** rw,
# Allow PHP-FPM to use tmp files
/home/*/.tmp/ r,
/home/*/.tmp/** rw,
/tmp/ r,
/tmp/** rw,
/var/tmp/** rw,
# Allow read access to necessary libraries
/lib/** mr,
/lib/x86_64-linux-gnu/** mr,
/lib64/** mr,
/opt/php*/lib/php/** mr,
/usr/lib/** mr,
/usr/lib/x86_64-linux-gnu/** mr,
/usr/libexec/** mr,
/usr/local/include/** mr,
/usr/local/ioncube/ioncube_loader_lin_*.so mr,
/usr/local/lib/** mr,
/usr/local/ssl/** mr,
/usr/local/ssl3/** mr,
# Allow PHP-FPM to read and write its log files
/var/log/newrelic/php_agent.log rw,
/var/log/php/** rw,
# Allow PHP-FPM to access /proc and /sys for necessary information
/proc/** r,
/sys/** r,
# Allow PHP-FPM to use /dev/shm for temporary storage
/dev/shm/ r,
/dev/shm/** rw,
# Deny execution of binaries from these directories
deny /home/*/.tmp/** m,
deny /home/*/** m,
deny /tmp/** m,
deny /var/tmp/** m,
# Allow PHP-FPM to read and write in the custom web root directories
/var/www/** r,
/var/aegir/host_master/** r,
/var/aegir/platforms/** r,
/data/disk/*/aegir/** r,
/data/disk/*/distro/** r,
/data/disk/*/platforms/** r,
/data/disk/*/static/** r,
/data/disk/*/tools/le/** r,
/data/all/ r,
/data/all/* r,
/data/all/** r,
/data/conf/ r,
/data/conf/* r,
/data/conf/** r,
owner /var/aegir/host_master/** rw,
owner /var/aegir/platforms/** rw,
owner /data/disk/*/aegir/** rw,
owner /data/disk/*/distro/** rw,
owner /data/disk/*/platforms/** rw,
owner /data/disk/*/static/** rw,
owner /var/www/** rw,
/home/*.web/.aws/ r,
/home/*.web/.aws/* rw,
/home/*.web/.drush/ r,
/home/*.web/.drush/* r,
/home/*.web/.tmp/ r,
/home/*.web/.tmp/* rw,
# Deny access to various sensitive directories and files
deny /boot/** mrwklx,
deny /etc/shadow* rwlx,
deny /root/** mrwklx,
# Catchall to deny everything else
#deny /** rwklx,
# Site-specific additions and overrides can be added below
}
================================================
FILE: aegir/conf/apparmor/sbin.dhclient
================================================
# AppArmor profile for DHCP dhclient
# This profile restricts DHCP dhclient (dhclient) to essential operations only.
#include
/{,usr/}sbin/dhclient flags=(complain) {
# Include common AppArmor abstractions
include
include
include
# Capabilities needed by DHCP dhclient
capability net_bind_service,
capability net_raw,
capability dac_override,
capability net_admin,
network packet,
network raw,
@{PROC}/[0-9]*/net/ r,
@{PROC}/[0-9]*/net/** r,
# dhclient wants to update its threads with functional names
owner @{PROC}/@{pid}/task/[0-9]*/comm rw,
/{,usr/}sbin/dhclient mrix,
/{,usr/}bin/bash mrix,
/etc/dhclient.conf r,
/etc/dhcp/ r,
/etc/dhcp/** r,
/var/lib/dhcp{,3}/dhclient* lrw,
/{,var/}run/dhclient*.pid lrw,
/{,var/}run/dhclient*.lease* lrw,
# NetworkManager
/{,var/}run/nm*conf r,
/{,var/}run/sendsigs.omit.d/network-manager.dhclient*.pid lrw,
/{,var/}run/NetworkManager/dhclient*.pid lrw,
/var/lib/NetworkManager/dhclient*.conf lrw,
/var/lib/NetworkManager/dhclient*.lease* lrw,
signal (receive) peer=/usr/sbin/NetworkManager,
ptrace (readby) peer=/usr/sbin/NetworkManager,
# connman
/{,var/}run/connman/dhclient*.pid lrw,
/{,var/}run/connman/dhclient*.leases lrw,
# synce-hal
/usr/share/synce-hal/dhclient.conf r,
# if there is a custom script, let it run unconfined
/etc/dhcp/dhclient-script Uxr,
# The dhclient-script shell script sources other shell scripts rather than
# executing them, so we can't just use a separate profile for dhclient-script
# with 'Uxr' on the hook scripts. However, for the long-running dhclient3
# daemon to run arbitrary code via /sbin/dhclient-script, it would need to be
# able to subvert dhclient-script or write to the hooks.d directories. As
# such, if the dhclient3 daemon is subverted, this effectively limits it to
# only being able to run the hooks scripts.
/{,usr/}sbin/dhclient-script Uxr,
# Run the ELF executables under their own unrestricted profiles
/usr/lib/NetworkManager/nm-dhcp-client.action Pxrm,
/usr/lib/connman/scripts/dhclient-script Pxrm,
# Support the new executable helper from NetworkManager.
/usr/lib/NetworkManager/nm-dhcp-helper Pxrm,
signal (receive) peer=/usr/lib/NetworkManager/nm-dhcp-helper,
}
# Profile for NetworkManager action
/usr/lib/NetworkManager/nm-dhcp-client.action flags=(complain) {
include
include
/usr/lib/NetworkManager/nm-dhcp-client.action mrix,
/var/lib/NetworkManager/*lease r,
signal (receive) peer=/usr/sbin/NetworkManager,
ptrace (readby) peer=/usr/sbin/NetworkManager,
network inet dgram,
network inet6 dgram,
}
# Profile for NetworkManager helper
/usr/lib/NetworkManager/nm-dhcp-helper flags=(complain) {
include
include
/usr/lib/NetworkManager/nm-dhcp-helper mrix,
/run/NetworkManager/private-dhcp rw,
signal (send) peer=/sbin/dhclient,
/var/lib/NetworkManager/*lease r,
signal (receive) peer=/usr/sbin/NetworkManager,
ptrace (readby) peer=/usr/sbin/NetworkManager,
network inet dgram,
network inet6 dgram,
}
# Profile for connman script
/usr/lib/connman/scripts/dhclient-script flags=(complain) {
include
include
/usr/lib/connman/scripts/dhclient-script mrix,
network inet dgram,
network inet6 dgram,
}
================================================
FILE: aegir/conf/apparmor/usr.bin.chromium
================================================
# File: /etc/apparmor.d/usr.bin.chromium
#include
/usr/bin/chromium flags=(complain) {
# Include common AppArmor abstractions
include
include
include
# Deny capability sys_ptrace
deny capability sys_ptrace,
# System paths chromium needs to operate
/usr/bin/chromium mrix,
/usr/lib/chromium/** mrix,
# Temp usage
owner /tmp/** rwk,
owner /dev/shm/** rwk,
# Proc/sys reads
/proc/** r,
/sys/** r,
# Devices commonly accessed
/dev/null rw,
/dev/urandom r,
/dev/random r,
# Allow read access to necessary libraries
/lib/** mr,
/lib/x86_64-linux-gnu/** mr,
/lib64/** mr,
/usr/lib/** mr,
/usr/lib/x86_64-linux-gnu/** mr,
/usr/libexec/** mr,
/usr/local/include/** mr,
/usr/local/lib/** mr,
/usr/local/ssl/** mr,
/usr/local/ssl3/** mr,
# Fonts + fontconfig
/etc/fonts/** r,
/usr/share/fonts/** r,
/var/cache/fontconfig/** r,
# Allow to read and write in the web root directories
/var/www/** r,
/data/disk/*/aegir/** r,
/data/disk/*/distro/** r,
/data/disk/*/platforms/** r,
/data/disk/*/static/** r,
owner /data/disk/*/distro/** rwk,
owner /data/disk/*/platforms/** rwk,
owner /data/disk/*/static/** rwk,
owner /var/www/** rwk,
/home/*.web/.aws/ r,
/home/*.web/.aws/* rw,
/home/*.web/.drush/ r,
/home/*.web/.drush/* r,
/home/*.web/.tmp/ r,
/home/*.web/.tmp/* rw,
# Catchall to deny everything else
#deny /** rwklx,
}
================================================
FILE: aegir/conf/apparmor/usr.bin.freshclam
================================================
# AppArmor profile for Freshclam service
# This profile restricts Freshclam service (freshclam) to essential operations only.
#include
/usr/bin/freshclam flags=(complain) {
# Include common AppArmor abstractions
include
include
include
include
include
# Capabilities needed by Freshclam service
capability chown,
capability dac_override,
capability net_admin,
capability net_bind_service,
capability setgid,
capability setuid,
network inet stream,
network inet dgram,
network inet6 stream,
network inet6 dgram,
# Allow execution of necessary shells and the freshclam binary
/bin/dash mrix,
/bin/bash mrix,
/bin/sh mrix,
/usr/bin/freshclam mrix,
# Allow access to /dev
/dev/log w,
/dev/null rw,
/dev/random r,
/dev/urandom r,
# Allow access to /proc and /sys for necessary information
/proc/** r,
/sys/** r,
# Allow access to temporary directories
/tmp/ r,
/tmp/** rw,
/var/tmp/** rw,
# Deny access to samba specific directories
deny /{,var/}run/samba/{gencache,unexpected}.tdb mrwlk,
# Allow read access to ClamAV configuration files
/etc/clamav/clamd.conf r,
/etc/clamav/freshclam.conf r,
/etc/clamav/onerrorexecute.d/* mr,
/etc/clamav/onupdateexecute.d/* mr,
/etc/clamav/virusevent.d/* mr,
# Allow read access to SSL libraries
/usr/local/ssl3/lib64/libcrypto.so.* mr,
/usr/local/ssl3/lib64/libssl.so.* mr,
/usr/local/ssl3/openssl.cnf r,
# Allow access to ClamAV directories and files
/var/lib/clamav/ r,
/var/lib/clamav/** rwk,
/var/log/clamav/* rwk,
/{,var/}run/clamav/clamd.ctl rw,
/{,var/}run/clamav/freshclam.pid w,
# Allow reading filesystems information
@{PROC}/filesystems r,
# Allow read/write access to ClamAV user directories
owner /home/*/.clamtk/db/ r,
owner /home/*/.clamtk/db/** rwk,
owner /home/*/.klamav/database/ r,
owner /home/*/.klamav/database/** rwk,
owner @{PROC}/[0-9]*/status r,
# Deny access to sensitive files and directories
deny /etc/shadow* rwlx,
deny /etc/passwd* rwlx,
deny /root/** rwklx,
# Catchall to deny everything else
#deny /** rwklx,
# Site-specific additions and overrides can be added below
}
================================================
FILE: aegir/conf/apparmor/usr.bin.man
================================================
# AppArmor profile for Man service
# This profile restricts Man service (man) to essential operations only.
#include
/usr/bin/man flags=(complain) {
# Include common AppArmor abstractions
include
# Use a special profile when man calls anything groff-related. We only
# include the programs that actually parse input data in a non-trivial
# way, not wrappers such as groff and nroff, since the latter would need a
# broader profile.
/usr/bin/eqn mrCx -> &man_groff,
/usr/bin/grap mrCx -> &man_groff,
/usr/bin/pic mrCx -> &man_groff,
/usr/bin/preconv mrCx -> &man_groff,
/usr/bin/refer mrCx -> &man_groff,
/usr/bin/tbl mrCx -> &man_groff,
/usr/bin/troff mrCx -> &man_groff,
/usr/bin/vgrind mrCx -> &man_groff,
# Similarly, use a special profile when man calls decompressors and other
# simple filters.
/{,usr/}bin/bzip2 mrCx -> &man_filter,
/{,usr/}bin/gzip mrCx -> &man_filter,
/usr/bin/col mrCx -> &man_filter,
/usr/bin/compress mrCx -> &man_filter,
/usr/bin/iconv mrCx -> &man_filter,
/usr/bin/lzip.lzip mrCx -> &man_filter,
/usr/bin/tr mrCx -> &man_filter,
/usr/bin/xz mrCx -> &man_filter,
# Allow basic filesystem access, subject to DAC
/** mrixwlk,
unix,
# Capabilities needed by Man service
capability setuid,
capability setgid,
# Ordinary permission checks sometimes involve checking whether the
# process has this capability, which can produce audit log messages.
# Silence them.
deny capability dac_override,
deny capability dac_read_search,
signal peer=@{profile_name},
signal peer=/usr/bin/man//&man_groff,
signal peer=/usr/bin/man//&man_filter,
}
profile man_groff flags=(complain) {
include
include
/usr/bin/eqn mrix,
/usr/bin/grap mrix,
/usr/bin/pic mrix,
/usr/bin/preconv mrix,
/usr/bin/refer mrix,
/usr/bin/tbl mrix,
/usr/bin/troff mrix,
/usr/bin/vgrind mrix,
/etc/groff/** r,
/etc/papersize r,
/usr/lib/groff/site-tmac/** r,
/usr/share/groff/** r,
/tmp/groff* rw,
signal peer=/usr/bin/man,
signal peer=/usr/bin/man//&man_groff,
}
profile man_filter flags=(complain) {
include
include
/{,usr/}bin/bzip2 mrix,
/{,usr/}bin/gzip mrix,
/usr/bin/col mrix,
/usr/bin/compress mrix,
/usr/bin/iconv mrix,
/usr/bin/lzip.lzip mrix,
/usr/bin/tr mrix,
/usr/bin/xz mrix,
# Manual pages can be more or less anywhere, especially with "man -l", and
# there's no harm in allowing wide read access here since the worst it can
# do is feed data to the invoking man process.
/** r,
# Allow writing cat pages.
/var/cache/man/** rw,
signal peer=/usr/bin/man,
signal peer=/usr/bin/man//&man_filter,
}
================================================
FILE: aegir/conf/apparmor/usr.bin.mysecureshell
================================================
# AppArmor profile for MySecureShell
# This profile restricts MySecureShell (mysecureshell) to essential operations only.
#include
/usr/bin/mysecureshell flags=(complain) {
# Include common AppArmor abstractions
include
include
include
include
include
include
include
include
# Read access to its own config and logs
/etc/ssh/sftp_config r,
/etc/lshell.conf r,
/var/log/lsh/ r,
/var/log/lsh/* rw,
/opt/php*/lib/php.ini r,
# Allow read access to necessary libraries
/lib/** mr,
/lib/x86_64-linux-gnu/** mr,
/lib64/** mr,
/opt/php*/lib/php/** mr,
/usr/lib/** mr,
/usr/lib/x86_64-linux-gnu/** mr,
/usr/libexec/** mr,
/usr/local/include/** mr,
/usr/local/ioncube/ioncube_loader_lin_*.so mr,
/usr/local/lib/** mr,
/usr/local/ssl/** mr,
/usr/local/ssl3/** mr,
# Allow MySecureShell to access /proc and /sys for necessary information
/proc/ r,
/proc/** r,
/sys/ r,
/sys/** r,
# Read/write access to user home
/home/*/ r,
/home/*/** rw,
# Read/write access to SSH client files
/home/*/.ssh/ r,
/home/*/.ssh/** rw,
# Read-only access to Drush aliases and php.ini files
/home/*/.drush/ r,
/home/*/.drush/** r,
# Drush access
/opt/tools/drush/** mrix,
/usr/local/bin/cv.phar mrix,
# Read-only access to Octopus directories
/data/disk/*/.drush/ r,
/data/disk/*/.drush/** r,
/data/disk/*/backups/ r,
/data/disk/*/backups/** r,
/data/disk/*/clients/ r,
/data/disk/*/clients/** r,
/data/disk/*/distro/** r,
/data/disk/*/static/ r,
/data/disk/*/static/** r,
# Allow write access to Octopus user directories and files
owner /data/disk/*/distro/** rw,
owner /data/disk/*/static/ r,
owner /data/disk/*/static/** rw,
owner /opt/user/npm/*/** rw,
owner /opt/user/gems/*/** rw,
owner /opt/user/gems/*/bin/** k,
# Read/write access to Drush cache
/home/*/.drush/cache/ r,
/home/*/.drush/cache/** rw,
# Deny access to critical system files
deny /etc/shadow* rwlx,
# Allow read access to user information files
/etc/passwd r,
/etc/group r,
/etc/nsswitch.conf r,
/etc/hosts r,
# Allow read-only access to resolv.conf for DNS resolution
/etc/resolv.conf r,
# Temporary files and directories
/home/*/.tmp/ r,
/home/*/.tmp/** rw,
# Deny execution of any shell or command not explicitly allowed
deny /bin/bash x,
deny /usr/bin/perl x,
# Allow execution of necessary binaries
/bin/dash mrix,
/opt/local/bin/websh mrix,
/usr/bin/mysecureshell mrix,
/usr/bin/python* mrix,
/usr/local/bin/lshell mrix,
# Additional binaries allowed in Limited Shell
/bin/bzip2 mrix,
/bin/cat mrix,
/bin/chmod mrix,
/bin/cp mrix,
/bin/echo mrix,
/bin/egrep mrix,
/bin/grep mrix,
/bin/gunzip mrix,
/bin/gzip mrix,
/bin/ls mrix,
/bin/mkdir mrix,
/bin/mv mrix,
/bin/nano mrix,
/bin/ping mrix,
/bin/pwd mrix,
/bin/rm mrix,
/bin/rmdir mrix,
/bin/sed mrix,
/bin/stty mrix,
/bin/tar mrix,
/bin/touch mrix,
/bin/true mrix,
/data/disk/*/tools/drush/drush.php mrix,
/opt/local/bin/mybackup mrix,
/opt/local/bin/sqlmagic mrix,
/opt/php*/bin/php mrix,
/usr/bin/diff mrix,
/usr/bin/du mrix,
/usr/bin/env mrix,
/usr/bin/find mrix,
/usr/bin/id mrix,
/usr/bin/mysql mrix,
/usr/bin/mysqldump mrix,
/usr/bin/node mrix,
/usr/bin/openssl mrix,
/usr/bin/passwd mrix,
/usr/bin/patch mrix,
/usr/bin/rsync mrix,
/usr/bin/rvim mrix,
/usr/bin/tput mrix,
/usr/bin/unzip mrix,
/usr/bin/wget mrix,
/usr/bin/which.debianutils mrix,
/usr/bin/zstd mrix,
/usr/lib/node_modules/npm/bin/** mrix,
/usr/local/bin/composer mrix,
/usr/local/bin/curl mrix,
/usr/local/bin/gem mrix,
/usr/local/bin/git mrix,
/usr/local/bin/git-receive-pack mrix,
/usr/local/bin/git-upload-archive mrix,
/usr/local/bin/git-upload-pack mrix,
/usr/local/bin/mydumper mrix,
/usr/local/bin/myloader mrix,
/usr/local/bin/scp mrix,
/usr/local/bin/sftp mrix,
/usr/local/bin/ssh mrix,
/usr/local/bin/ssh-keygen mrix,
owner /opt/user/gems/*/** mrix,
owner /opt/user/npm/*/** mrix,
# Deny execution of any other binaries
#deny /** rwklx,
}
================================================
FILE: aegir/conf/apparmor/usr.bin.mysql
================================================
# AppArmor profile for MySQL client
# This profile restricts MySQL client (mysql) to essential operations only.
#include
/usr/bin/mysql flags=(complain) {
# Include common AppArmor abstractions
include
include
include
include
# Capabilities needed by MySQL client
capability net_bind_service,
capability setgid,
capability setuid,
# Allow execution of the mysql binary
/usr/bin/mysql mrix,
# Allow execution of the mysqld binary
/usr/sbin/mysqld mrix,
# Allow execution of necessary utilities
/bin/** mrix,
/usr/bin/** mrix,
/usr/sbin/** mrix,
# Allow reading necessary directories
/bin/ r,
/usr/bin/ r,
/usr/sbin/ r,
/etc/inputrc r,
# Allow MySQL to read its configuration files
/etc/mysql/** r,
/etc/mysql/conf.d/** r,
/etc/mysql/mysql.conf.d/** r,
# Allow MySQL to access its data directory
/var/lib/mysql/ rwk,
/var/lib/mysql/** rwk,
# Allow MySQL to access its run directory
/run/mysqld/ r,
/run/mysqld/** rw,
# Allow MySQL to access its tmp directory
/tmp/ r,
/tmp/** rw,
# Allow MySQL to read system libraries
/lib/** mr,
/lib/x86_64-linux-gnu/** mr,
/lib64/** mr,
/usr/lib/** mr,
/usr/lib/mysql/plugin/** mr,
/usr/lib/x86_64-linux-gnu/** mr,
/usr/local/lib/** mr,
/usr/local/ssl/** mr,
/usr/local/ssl3/** mr,
/usr/share/mysql/** r,
/usr/share/zoneinfo/** r,
# Allow MySQL to access /proc and /sys for necessary information
/proc/** r,
/sys/** r,
# Allow MySQL to use /dev/shm for temporary storage
/dev/shm/** rw,
/dev/shm/ r,
# Allow MySQL to read network-related configurations
/etc/hosts.allow r,
/etc/hosts.deny r,
/etc/services r,
# Disallow execution of binaries from /tmp and /var/tmp
deny /tmp/** m,
deny /var/tmp/** m,
# Deny access to various sensitive directories
deny /boot/** mrwklx,
# Deny access to various sensitive files
deny /etc/shadow* rwlx,
deny /etc/shadow- r,
deny /etc/gshadow r,
deny /etc/gshadow- r,
# Allow reading the user's .my.cnf file
/root/.my.cnf r,
/home/*/.my.cnf r,
# Allow writing to log files in user's home directory
/home/*/.mysql_history rw,
/root/.mysql_history rw,
# Catchall to deny everything else
#deny /** rwklx,
# Site-specific additions and overrides can be added below
}
================================================
FILE: aegir/conf/apparmor/usr.bin.mysqld_safe
================================================
# AppArmor profile for MySQLd starter
# This profile restricts MySQLd starter (mysqld_safe) to essential operations only.
#include
/usr/bin/mysqld_safe flags=(complain) {
# Include common AppArmor abstractions
include
include
include
include
# Capabilities needed by MySQLd starter
capability dac_override,
capability dac_read_search,
capability setgid,
capability setuid,
capability sys_resource,
capability sys_nice,
network inet stream,
network inet6 stream,
# Allow MySQLd to accept signal from PHP-CLI processes
signal (receive) peer=/opt/php*/bin/php,
# Allow mysqld_safe to read its configuration files
/etc/mysql/** r,
/etc/mysql/conf.d/** r,
/etc/mysql/mysql.conf.d/** r,
/etc/hosts.deny r,
/etc/hosts.allow r,
# Allow mysqld_safe to access its data directory
/var/lib/mysql/ rwk,
/var/lib/mysql/** rwk,
# Allow mysqld_safe to access its run directory
/run/mysqld/ r,
/run/mysqld/** rw,
# Allow mysqld_safe to write to its log files
/var/log/mysql/ r,
/var/log/mysql/** rw,
# Allow mysqld_safe to access tmp directories
/tmp/ r,
/tmp/** rw,
/var/tmp/** rw,
# Allow mysqld_safe to read system libraries
/lib/** mr,
/lib/x86_64-linux-gnu/** mr,
/lib64/** mr,
/usr/lib/** mr,
/usr/lib/mysql/plugin/** mr,
/usr/lib/x86_64-linux-gnu/** mr,
/usr/local/lib/** mr,
/usr/local/ssl/** mr,
/usr/local/ssl3/** mr,
/usr/share/mysql/** r,
/usr/share/zoneinfo/** r,
# Allow mysqld_safe to access /proc and /sys for necessary information
/proc/** r,
/sys/** r,
# Allow mysqld_safe to use /dev/shm for temporary storage
/dev/shm/** rw,
/dev/shm/ r,
# Allow execution of mysqld_safe
/usr/bin/mysqld_safe mrix,
# Allow execution of the mysql binary
/usr/bin/mysql mrix,
# Allow execution of the mysqld binary
/usr/sbin/mysqld mrix,
# Allow execution of necessary utilities
/bin/** mrix,
/usr/bin/** mrix,
/usr/sbin/** mrix,
# Allow reading necessary directories
/bin/ r,
/usr/bin/ r,
/usr/sbin/ r,
# Catchall to deny everything else
#deny /** rwklx,
# Site-specific additions and overrides can be added below
}
================================================
FILE: aegir/conf/apparmor/usr.bin.newrelic-daemon
================================================
# AppArmor profile for New Relic
# This profile restricts the New Relic (newrelic-daemon) to essential operations only.
#include
/usr/bin/newrelic-daemon flags=(complain) {
# Include common AppArmor abstractions
include
include
# Capabilities needed by New Relic
capability net_admin,
capability setgid,
capability setuid,
network inet stream,
network inet dgram,
network inet6 stream,
network inet6 dgram,
# Allow execution of the newrelic-daemon binary
/usr/bin/newrelic-daemon mrix,
# Allow newrelic-daemon to read its configuration files
/etc/newrelic/** r,
# Allow newrelic-daemon to read system libraries
/lib/** mr,
/lib/x86_64-linux-gnu/** mr,
/lib64/** mr,
/usr/lib/** mr,
/usr/lib/x86_64-linux-gnu/** mr,
/usr/lib64/** mr,
/usr/local/include/** mr,
/usr/local/lib/** mr,
/usr/local/ssl/** mr,
/usr/local/ssl3/** mr,
# Allow newrelic-daemon to access /proc for necessary information
/proc/** r,
# Allow newrelic-daemon to access log files
/var/log/newrelic/** rw,
# Allow newrelic-daemon to use tmp files
/tmp/ r,
/tmp/** rw,
/var/tmp/** rw,
# Allow newrelic-daemon to access run directory
/run/newrelic/** rw,
# Allow newrelic-daemon to access shared memory
/dev/shm/** rw,
/dev/shm/ r,
# Disallow execution of binaries from /tmp and /var/tmp
deny /tmp/** m,
deny /var/tmp/** m,
# Deny access to various sensitive directories
deny /boot/** mrwklx,
deny /opt/** mrwklx,
deny /root/** mrwklx,
# Catchall to deny everything else
#deny /** rwklx,
# Site-specific additions and overrides can be added below
}
================================================
FILE: aegir/conf/apparmor/usr.bin.node
================================================
# AppArmor profile for Node/NPM
# This profile restricts Limited Shell (lshell) to essential operations only.
#include
/usr/bin/node flags=(complain) {
# Include common AppArmor abstractions
include
include
# Capability permissions
capability ipc_lock,
capability sys_resource,
# Network access
network inet,
# Allow read access to necessary libraries
/etc/ssl/openssl.cnf r,
/lib/** mr,
/lib/x86_64-linux-gnu/** mr,
/lib64/** mr,
/usr/lib/** mr,
/usr/lib/x86_64-linux-gnu/** mr,
/usr/libexec/** mr,
/usr/local/include/** mr,
/usr/local/lib/** mr,
/usr/local/ssl/** mr,
/usr/local/ssl3/** mr,
# Allow reading of environment variables
/proc/** r,
/sys/** r,
# Specific file permissions
owner /home/*/.npmrc r,
# Temporary files and directories
owner /home/*/.tmp/ r,
owner /home/*/.tmp/** rw,
# Miscellaneous
/dev/urandom rw,
/dev/null rw,
/dev/tty rw,
# Deny execution of any shell or command not explicitly allowed
deny /bin/bash x,
deny /bin/dash x,
deny /bin/websh x,
deny /usr/bin/perl x,
deny /usr/bin/python* x,
deny /usr/local/bin/ruby x,
# Deny certain capabilities
deny capability sys_chroot, # Deny changing root
deny capability sys_admin, # Deny various system admin privileges
deny capability setuid, # Deny changing user IDs
deny capability setgid, # Deny changing group IDs
deny capability kill, # Deny sending signals to arbitrary processes
# Deny execution of binaries from these directories
deny /home/*/.tmp/** m,
deny /home/*/** m,
deny /tmp/** m,
deny /var/tmp/** m,
# Allow execution of npm etc
/usr/bin/node mrix,
/usr/bin/npm mrix,
/opt/user/npm/*/ r,
/opt/user/npm/*/** mrix,
# Allow to read and write in the custom web root directories
/data/disk/*/distro/** r,
/data/disk/*/platforms/** r,
/data/disk/*/static/** r,
owner /data/disk/*/distro/** rw,
owner /data/disk/*/platforms/** rw,
owner /data/disk/*/static/** rw,
# Deny access to various sensitive directories and files
deny /boot/** mrwklx,
deny /root/** mrwklx,
deny /etc/shadow* rwlx,
deny /etc/passwd* rwlx,
# Catchall to deny everything else
#deny /** rwklx,
# Site-specific additions and overrides can be added below
}
================================================
FILE: aegir/conf/apparmor/usr.bin.redis-server
================================================
# AppArmor profile for Redis server
# This profile restricts the Redis server (redis-server) to essential operations only.
#include
/usr/bin/redis-server flags=(complain) {
# Include common AppArmor abstractions
include
include
include
# Allow Redis to accept signal from PHP-CLI processes
signal (receive) peer=/opt/php*/bin/php,
# Allow reading necessary kernel parameters
/proc/sys/** r,
/sys/devices/** r,
/sys/kernel/** r,
# Allow execution of redis-server binary
/usr/bin/redis-server mrix,
# Allow Redis to read its configuration file
/etc/redis/redis.conf r,
# Allow Redis to read and write its data files
/var/lib/redis/** rwk,
# Allow Redis to read and write its log files
/var/log/redis/** rw,
# Allow Redis to open TCP sockets on any address
network inet stream,
# Allow Redis to use syslog
/dev/log w,
/usr/bin/logger ixr,
# Allow Redis to read system libraries
/lib/** mr,
/lib64/** mr,
/usr/lib/** mr,
/usr/local/sbin/* mrix,
/usr/local/ssl/** mr,
/usr/local/ssl3/** mr,
# Allow Redis to use /run for pid/sock files
/run/redis/** rw,
# Allow Redis to use tmp files
/tmp/ r,
/tmp/** rw,
owner /proc/*/smaps r,
owner /proc/*/stat r,
owner /var/lib/redis/ r,
owner /var/lib/redis/dump.rdb rw,
owner /var/lib/redis/temp-*.rdb rw,
owner /var/log/redis/redis-server.log rw,
# Catchall to deny everything else
#deny /** rwklx,
}
================================================
FILE: aegir/conf/apparmor/usr.bin.valkey-server
================================================
# AppArmor profile for Valkey server
# This profile restricts the Valkey server (valkey-server) to essential operations only.
#include
/usr/bin/valkey-server flags=(complain) {
# Include common AppArmor abstractions
include
include
include
# Allow Valkey to accept signal from PHP-CLI processes
signal (receive) peer=/opt/php*/bin/php,
# Allow reading necessary kernel parameters
/proc/sys/** r,
/sys/devices/** r,
/sys/kernel/** r,
# Allow execution of valkey-server binary
/usr/bin/valkey-server mrix,
# Allow Valkey to read its configuration file
/etc/valkey/valkey.conf r,
# Allow Valkey to read and write its data files
/var/lib/valkey/** rwk,
# Allow Valkey to read and write its log files
/var/log/valkey/** rw,
# Allow Valkey to open TCP sockets on any address
network inet stream,
# Allow Valkey to use syslog
/dev/log w,
/usr/bin/logger ixr,
# Allow Valkey to read system libraries
/lib/** mr,
/lib64/** mr,
/usr/lib/** mr,
/usr/local/sbin/* mrix,
/usr/local/ssl/** mr,
/usr/local/ssl3/** mr,
# Allow Valkey to use /run for pid/sock files
/run/valkey/** rw,
# Allow Valkey to use tmp files
/tmp/ r,
/tmp/** rw,
owner /proc/*/smaps r,
owner /proc/*/stat r,
owner /var/lib/valkey/ r,
owner /var/lib/valkey/dump.rdb rw,
owner /var/lib/valkey/temp-*.rdb rw,
owner /var/log/valkey/valkey-server.log rw,
# Catchall to deny everything else
#deny /** rwklx,
}
================================================
FILE: aegir/conf/apparmor/usr.local.bin.lshell
================================================
# AppArmor profile for Limited Shell
# This profile restricts Limited Shell (lshell) to essential operations only.
#include
/usr/local/bin/lshell flags=(complain) {
# Include common AppArmor abstractions
include
include
include
include
include
include
include
include
# Read access to its own config and logs
/etc/ssh/sftp_config r,
/etc/lshell.conf r,
/var/log/lsh/ r,
/var/log/lsh/* rw,
/opt/php*/lib/php.ini r,
# Allow read access to necessary libraries
/lib/** mr,
/lib/x86_64-linux-gnu/** mr,
/lib64/** mr,
/opt/php*/lib/php/** mr,
/usr/lib/** mr,
/usr/lib/x86_64-linux-gnu/** mr,
/usr/libexec/** mr,
/usr/local/include/** mr,
/usr/local/ioncube/ioncube_loader_lin_*.so mr,
/usr/local/lib/** mr,
/usr/local/ssl/** mr,
/usr/local/ssl3/** mr,
# Allow Limited Shell to access /proc and /sys for necessary information
/proc/ r,
/proc/** r,
/sys/ r,
/sys/** r,
# Read/write access to user home
/home/*/ r,
/home/*/** rw,
# Read/write access to SSH client files
/home/*/.ssh/ r,
/home/*/.ssh/** rw,
# Read-only access to Drush aliases and php.ini files
/home/*/.drush/ r,
/home/*/.drush/** r,
# Drush access
/opt/tools/drush/** mrix,
/usr/local/bin/cv.phar mrix,
# Read-only access to Octopus directories
/data/disk/*/.drush/ r,
/data/disk/*/.drush/** r,
/data/disk/*/backups/ r,
/data/disk/*/backups/** r,
/data/disk/*/clients/ r,
/data/disk/*/clients/** r,
/data/disk/*/distro/** r,
/data/disk/*/static/ r,
/data/disk/*/static/** r,
# Allow write access to Octopus user directories and files
owner /data/disk/*/distro/** rw,
owner /data/disk/*/static/ r,
owner /data/disk/*/static/** rw,
owner /opt/user/npm/*/** rw,
owner /opt/user/gems/*/** rw,
owner /opt/user/gems/*/bin/** k,
# Read/write access to Drush cache
/home/*/.drush/cache/ r,
/home/*/.drush/cache/** rw,
# Deny access to critical system files
deny /etc/shadow* rwlx,
# Allow read access to user information files
/etc/passwd r,
/etc/group r,
/etc/nsswitch.conf r,
/etc/hosts r,
# Allow read-only access to resolv.conf for DNS resolution
/etc/resolv.conf r,
# Temporary files and directories
/home/*/.tmp/ r,
/home/*/.tmp/** rw,
# Deny execution of any shell or command not explicitly allowed
deny /bin/bash x,
deny /usr/bin/perl x,
# Allow execution of necessary binaries
/bin/dash mrix,
/opt/local/bin/websh mrix,
/usr/bin/mysecureshell mrix,
/usr/bin/python* mrix,
/usr/local/bin/lshell mrix,
# Additional binaries allowed in Limited Shell
/bin/bzip2 mrix,
/bin/cat mrix,
/bin/chmod mrix,
/bin/cp mrix,
/bin/echo mrix,
/bin/egrep mrix,
/bin/grep mrix,
/bin/gunzip mrix,
/bin/gzip mrix,
/bin/ls mrix,
/bin/mkdir mrix,
/bin/mv mrix,
/bin/nano mrix,
/bin/ping mrix,
/bin/pwd mrix,
/bin/rm mrix,
/bin/rmdir mrix,
/bin/sed mrix,
/bin/stty mrix,
/bin/tar mrix,
/bin/touch mrix,
/bin/true mrix,
/data/disk/*/tools/drush/drush.php mrix,
/opt/local/bin/mybackup mrix,
/opt/local/bin/sqlmagic mrix,
/opt/php*/bin/php mrix,
/usr/bin/diff mrix,
/usr/bin/du mrix,
/usr/bin/env mrix,
/usr/bin/find mrix,
/usr/bin/id mrix,
/usr/bin/mysql mrix,
/usr/bin/mysqldump mrix,
/usr/bin/node mrix,
/usr/bin/openssl mrix,
/usr/bin/passwd mrix,
/usr/bin/patch mrix,
/usr/bin/rsync mrix,
/usr/bin/rvim mrix,
/usr/bin/tput mrix,
/usr/bin/unzip mrix,
/usr/bin/wget mrix,
/usr/bin/which.debianutils mrix,
/usr/bin/zstd mrix,
/usr/lib/node_modules/npm/bin/** mrix,
/usr/local/bin/composer mrix,
/usr/local/bin/curl mrix,
/usr/local/bin/gem mrix,
/usr/local/bin/git mrix,
/usr/local/bin/git-receive-pack mrix,
/usr/local/bin/git-upload-archive mrix,
/usr/local/bin/git-upload-pack mrix,
/usr/local/bin/mydumper mrix,
/usr/local/bin/myloader mrix,
/usr/local/bin/scp mrix,
/usr/local/bin/sftp mrix,
/usr/local/bin/ssh mrix,
/usr/local/bin/ssh-keygen mrix,
owner /opt/user/gems/*/** mrix,
owner /opt/user/npm/*/** mrix,
# Deny execution of any other binaries
#deny /** rwklx,
}
================================================
FILE: aegir/conf/apparmor/usr.local.bin.ssh
================================================
# AppArmor profile for SSH client
# This profile restricts the SSH client (ssh) to essential operations only.
#include
/usr/local/bin/ssh flags=(complain) {
# Include common AppArmor abstractions
include
include
include
include
include
include
include
include
# Allow execution of the ssh binary
/usr/local/bin/ssh mrix,
# Allow read access to necessary libraries
/lib/** mr,
/lib/x86_64-linux-gnu/** mr,
/lib64/** mr,
/usr/lib/** mr,
/usr/lib/x86_64-linux-gnu/** mr,
/usr/libexec/** mr,
/usr/local/include/** mr,
/usr/local/lib/** mr,
/usr/local/ssl/** mr,
/usr/local/ssl3/** mr,
# Read access to SSH client configuration files
/etc/ssh/ssh_config r,
/etc/ssh/ssh_known_hosts r,
/home/*/.ssh/** rw,
# Allow network access for making outbound connections
network inet stream,
network inet6 stream,
# Deny access to critical system files
deny /etc/shadow* rwlx,
# Allow read access to user information files
/etc/passwd r,
/etc/group r,
/etc/nsswitch.conf r,
/etc/hosts r,
# Allow read-only access to resolv.conf for DNS resolution
/etc/resolv.conf r,
# Temporary files and directories
/tmp/ r,
/tmp/** rw,
/var/tmp/** rw,
# Allow execution of necessary binaries
/bin/dash mrix,
/bin/sh mrix,
/opt/local/bin/websh mrix,
/usr/bin/id mrix,
/usr/bin/mysecureshell mrix,
/usr/local/bin/lshell mrix,
/usr/local/bin/ssh-agent mrix,
# Additional binaries used by SSH (e.g., scp, sftp)
/usr/local/bin/scp mrix,
/usr/local/bin/sftp mrix,
# Deny execution of any other binaries
#deny /** rwklx,
}
================================================
FILE: aegir/conf/apparmor/usr.local.bin.wkhtmltoimage
================================================
# File: /etc/apparmor.d/usr.local.bin.wkhtmltoimage
# Template from https://wkhtmltopdf.org/apparmor.html
#include
/usr/local/bin/wkhtmltoimage flags=(complain) {
# Include common AppArmor abstractions
include
include
include
# Deny capability sys_ptrace
deny capability sys_ptrace,
# System paths wkhtmltoimage needs to operate
/proc/*/maps r,
/usr/local/bin/wkhtmltoimage mrix,
/var/cache/fontconfig/* r,
/tmp/** rwlk,
# Allow read access to necessary libraries
/lib/** mr,
/lib/x86_64-linux-gnu/** mr,
/lib64/** mr,
/usr/lib/** mr,
/usr/lib/x86_64-linux-gnu/** mr,
/usr/libexec/** mr,
/usr/local/include/** mr,
/usr/local/lib/** mr,
/usr/local/ssl/** mr,
/usr/local/ssl3/** mr,
# Allow to read and write in the web root directories
/var/www/** r,
/data/disk/*/aegir/** r,
/data/disk/*/distro/** r,
/data/disk/*/platforms/** r,
/data/disk/*/static/** r,
owner /data/disk/*/distro/** rwk,
owner /data/disk/*/platforms/** rwk,
owner /data/disk/*/static/** rwk,
owner /var/www/** rwk,
/home/*.web/.aws/ r,
/home/*.web/.aws/* rw,
/home/*.web/.drush/ r,
/home/*.web/.drush/* r,
/home/*.web/.tmp/ r,
/home/*.web/.tmp/* rw,
# Catchall to deny everything else
#deny /** rwklx,
}
================================================
FILE: aegir/conf/apparmor/usr.local.bin.wkhtmltopdf
================================================
# File: /etc/apparmor.d/usr.local.bin.wkhtmltopdf
# Template from https://wkhtmltopdf.org/apparmor.html
#include
/usr/local/bin/wkhtmltopdf flags=(complain) {
# Include common AppArmor abstractions
include
include
include
# Deny capability sys_ptrace
deny capability sys_ptrace,
# System paths wkhtmltopdf needs to operate
/proc/*/maps r,
/usr/local/bin/wkhtmltopdf mrix,
/var/cache/fontconfig/* r,
/tmp/** rwlk,
# Allow read access to necessary libraries
/lib/** mr,
/lib/x86_64-linux-gnu/** mr,
/lib64/** mr,
/usr/lib/** mr,
/usr/lib/x86_64-linux-gnu/** mr,
/usr/libexec/** mr,
/usr/local/include/** mr,
/usr/local/lib/** mr,
/usr/local/ssl/** mr,
/usr/local/ssl3/** mr,
# Allow to read and write in the web root directories
/var/www/** r,
/data/disk/*/aegir/** r,
/data/disk/*/distro/** r,
/data/disk/*/platforms/** r,
/data/disk/*/static/** r,
owner /data/disk/*/distro/** rwk,
owner /data/disk/*/platforms/** rwk,
owner /data/disk/*/static/** rwk,
owner /var/www/** rwk,
/home/*.web/.aws/ r,
/home/*.web/.aws/* rw,
/home/*.web/.drush/ r,
/home/*.web/.drush/* r,
/home/*.web/.tmp/ r,
/home/*.web/.tmp/* rw,
# Catchall to deny everything else
#deny /** rwklx,
}
================================================
FILE: aegir/conf/apparmor/usr.local.sbin.pure-ftpd
================================================
# AppArmor profile for Pure-FTPd server
# This profile restricts Pure-FTPd server (pure-ftpd) to essential operations only.
#include
/usr/local/sbin/pure-ftpd flags=(complain) {
# Include common AppArmor abstractions
include
include
include
include
# Capabilities needed by Pure-FTPd server
capability net_bind_service,
capability setgid,
capability setuid,
capability mknod,
network inet stream,
network inet6 stream,
# Allow Pure-FTPd to accept signal from PHP-CLI processes
signal (receive) peer=/opt/php*/bin/php,
# Allow execution of /bin/sh
/bin/sh mrix,
/opt/local/bin/websh mrix,
# Allow access to /dev
/dev/log w,
/dev/urandom r,
# Allow read access to system configuration and password files
/etc/hostname r,
/etc/hosts r,
/etc/pure-ftpd.conf r,
/etc/passwd r,
/etc/group r,
/etc/shadow r,
# Allow read access to necessary libraries
/lib/** mr,
/lib/x86_64-linux-gnu/** mr,
/lib64/** mr,
/usr/lib/** mr,
/usr/lib/x86_64-linux-gnu/** mr,
/usr/libexec/** mr,
/usr/local/include/** mr,
/usr/local/lib/** mr,
/usr/local/ssl/** mr,
/usr/local/ssl3/** mr,
# Allow read access to SSL certificates
/etc/ssl/private/pure-ftpd.pem r,
/etc/ssl/private/pure-ftpd-dhparams.pem r,
# Allow reading necessary kernel parameters
/proc/** r,
/sys/** r,
# Allow access to run directory
/run/pure-ftpd.pid rw,
/run/pure-ftpd/ r,
/run/pure-ftpd/** rwk,
# Allow access to temporary directories
/tmp/ r,
/tmp/** rw,
/var/tmp/** rw,
# Allow write access to log files
/var/log/pureftpd.log rw,
# Allow execution of the pure-ftpd binary and configuration script
/usr/local/sbin/pure-ftpd mrix,
/usr/local/sbin/pure-config.pl mrix,
# Allow read access to Octopus user directories and files
/data/disk/*/.drush/ r,
/data/disk/*/.drush/** r,
/data/disk/*/backups/ r,
/data/disk/*/backups/** r,
/data/disk/*/clients/ r,
/data/disk/*/clients/** r,
/data/disk/*/distro/** r,
/data/disk/*/static/ r,
/data/disk/*/static/** r,
/home/*/.drush/ r,
/home/*/.drush/** r,
/opt/tools/drush/** r,
# Allow write access to Octopus user directories and files
owner /data/disk/*/distro/** rw,
owner /data/disk/*/static/ r,
owner /data/disk/*/static/** rw,
owner /home/*/ r,
owner /home/*/.drush/cache/ r,
owner /home/*/.drush/cache/** rw,
owner /home/*/** rw,
# Catchall to deny everything else
#deny /** rwklx,
# Site-specific additions and overrides can be added below
}
================================================
FILE: aegir/conf/apparmor/usr.local.sbin.sshd
================================================
# AppArmor profile for SSHd daemon
# This profile restricts the SSHd daemon (sshd) to essential operations only.
#include
/usr/local/sbin/sshd flags=(complain) {
# Include common AppArmor abstractions
include
include
include
include
include
include
include
include
# Allow execution of the sshd binary
/usr/local/sbin/sshd mrix,
# Capabilities needed by SSHd daemon
capability audit_control,
capability audit_write,
capability chown,
capability dac_override,
capability dac_read_search,
capability fowner,
capability fsetid,
capability kill,
capability net_bind_service,
capability setgid,
capability setuid,
capability sys_admin,
capability sys_chroot,
capability sys_resource,
capability sys_tty_config,
network inet stream,
network inet6 stream,
# Allow read access to necessary libraries
/lib/** mr,
/lib/x86_64-linux-gnu/** mr,
/lib64/** mr,
/usr/lib/** mr,
/usr/lib/x86_64-linux-gnu/** mr,
/usr/libexec/** mr,
/usr/local/include/** mr,
/usr/local/lib/** mr,
/usr/local/ssl/** mr,
/usr/local/ssl3/** mr,
# Read/Write access
/dev/null rw,
/dev/ptmx rw,
/dev/pts/* rw,
/dev/tty rw,
/dev/urandom r,
/proc/** rw,
/run/** rwk,
/sys/** r,
/tmp/ r,
/tmp/** rw,
/var/** r,
/var/lib/sshd/** rw,
# Read/Write owner access
owner /** rwk,
owner /etc/group rw,
owner /etc/motd rw,
owner /etc/passwd rw,
owner /etc/shadow rw,
owner /etc/ssh/* rw,
owner /proc/*/oom_score_adj rw,
owner /root/** rw,
owner /run/sshd.pid rw,
# Exec access
/{media,mnt,opt,srv}/** mrix,
/bin/* mrix,
/opt/local/bin/* mrix,
/usr/bin/* mrix,
/usr/local/bin/* mrix,
/usr/local/sbin/* mrix,
/usr/sbin/* mrix,
# Read access to SSH daemon configuration files
/etc/default/locale r,
/etc/environment r,
/etc/hosts.allow r,
/etc/hosts.deny r,
/etc/modules.conf r,
/etc/security/** r,
/etc/ssh/* r,
/etc/ssl/openssl.cnf r,
# Write access to the PID file
/run/sshd.pid rw,
# Allow network access for accepting inbound connections
network inet stream,
network inet6 stream,
# Allow reading user home directories and authorized keys
/home/*/*/ r,
/home/*/*/.ssh/ r,
/home/*/.ssh/authorized_keys{,2} r,
# Temporary files and directories
/tmp/ r,
/tmp/** rw,
/var/tmp/** rw,
/dev/pts/[0-9]* rw,
/etc/ssh/moduli r,
@{PROC}/@{pid}/mounts r,
/etc/motd r,
/{,var/}run/motd{,.new} rw,
/tmp/ssh-*/agent.[0-9]* rwl,
/tmp/ssh-*[0-9]*/ w,
# Allow execution of various shells
/bin/ash rUx,
/bin/bash rUx,
/bin/bash2 rUx,
/bin/bsh rUx,
/bin/csh rUx,
/bin/dash rUx,
/bin/ksh rUx,
/bin/sh rUx,
/bin/tcsh rUx,
/bin/zsh rUx,
/bin/zsh4 rUx,
/sbin/nologin rUx,
/usr/bin/mysecureshell rUx,
/usr/local/bin/lshell rUx,
# Allow ptrace read access for necessary binaries
ptrace read peer=unconfined,
ptrace read peer=/opt/php*/bin/php,
ptrace read peer=/opt/php*/sbin/php-fpm,
ptrace read peer=/usr/bin/newrelic-daemon,
ptrace read peer=/sbin/dhclient,
ptrace read peer=/usr/bin/mysqld_safe,
ptrace read peer=/usr/bin/mysqld,
ptrace read peer=/usr/bin/redis-server,
ptrace read peer=/usr/lib/jvm/java-11-openjdk-amd64/bin/java,
ptrace read peer=/usr/lib/jvm/java-17-openjdk-amd64/bin/java,
ptrace read peer=/usr/lib/jvm/java-21-openjdk-amd64/bin/java,
ptrace read peer=/usr/lib/postfix/sbin/master,
ptrace read peer=/usr/lib/postfix/sbin/pickup,
ptrace read peer=/usr/lib/postfix/sbin/qmgr,
ptrace read peer=/usr/local/sbin/pure-ftpd,
ptrace read peer=/usr/sbin/nginx,
ptrace read peer=/usr/sbin/unbound,
^EXEC flags=(complain) {
# Include base abstractions
include
/bin/ash Ux,
/bin/bash Ux,
/bin/bash2 Ux,
/bin/bsh Ux,
/bin/csh Ux,
/bin/dash Ux,
/bin/ksh Ux,
/bin/sh Ux,
/bin/tcsh Ux,
/bin/zsh Ux,
/bin/zsh4 Ux,
/sbin/nologin Ux,
/usr/bin/mysecureshell Ux,
/usr/local/bin/lshell Ux,
}
^PRIVSEP flags=(complain) {
# Include base and nameservice abstractions
include
include
capability sys_chroot,
capability setuid,
capability setgid,
}
^PRIVSEP_MONITOR flags=(complain) {
# Include authentication, base, nameservice, and wutmp abstractions
include
include
include
include
capability setuid,
capability setgid,
capability chown,
/home/*/.ssh/authorized_keys{,2} r,
/dev/ptmx rw,
/dev/pts/[0-9]* rw,
/dev/urandom r,
/etc/hosts.allow r,
/etc/hosts.deny r,
/etc/ssh/moduli r,
@{PROC}/@{pid}/mounts r,
}
^AUTHENTICATED flags=(complain) {
# Include authentication, consoles, nameservice, and wutmp abstractions
include
include
include
include
capability sys_tty_config,
capability setgid,
capability setuid,
/dev/log w,
/dev/ptmx rw,
/etc/default/passwd r,
/etc/localtime r,
/etc/writable/localtime r,
/etc/login.defs r,
/etc/motd r,
/{,var/}run/motd{,.new} rw,
/tmp/ssh-*/agent.[0-9]* rwl,
/tmp/ssh-*[0-9]*/ w,
}
}
================================================
FILE: aegir/conf/apparmor/usr.sbin.clamd
================================================
# AppArmor profile for Clamd service
# This profile restricts Clamd service (clamd) to essential operations only.
#include
/usr/sbin/clamd flags=(complain) {
# Include common AppArmor abstractions
include
include
include
# Capabilities needed by Clamd service
capability chown,
capability dac_override,
capability dac_read_search,
capability setgid,
capability setuid,
capability sys_resource,
network inet stream,
network inet6 stream,
network inet dgram,
network inet6 dgram,
# Allow execution of necessary shells and the clamd binary
/bin/dash mrix,
/bin/bash mrix,
/bin/sh mrix,
/usr/sbin/clamd mrix,
# Allow access to /dev
/dev/log w,
/dev/null rw,
/dev/random r,
/dev/urandom r,
# Allow access to /proc and /sys for necessary information
/proc/** r,
/sys/** r,
# Allow access to temporary directories
/tmp/ r,
/tmp/** rw,
/var/tmp/** rw,
# Allow read access to necessary libraries
/lib/** mr,
/lib/x86_64-linux-gnu/** mr,
/lib64/** mr,
/usr/lib/** mr,
/usr/lib/x86_64-linux-gnu/** mr,
/usr/libexec/** mr,
/usr/local/include/** mr,
/usr/local/lib/** mr,
/usr/local/ssl/** mr,
/usr/local/ssl3/** mr,
# Allow access to ClamAV configuration and data
/etc/clamav/clamd.conf r,
/var/lib/amavis/tmp/** r,
/var/lib/clamav/ r,
/var/lib/clamav/** rwk,
/var/log/clamav/* rwk,
/var/spool/MIMEDefang/mdefang-*/Work/ r,
/var/spool/MIMEDefang/mdefang-*/Work/** r,
/var/spool/clamsmtp/* r,
/var/spool/exim4/** r,
/var/spool/havp/** r,
/var/spool/p3scan/children/** r,
/var/spool/qpsmtpd/* r,
/{,var/}run/clamav/clamd.ctl w,
/{,var/}run/clamav/clamd.pid w,
# Allow read access to user directories
/data/all/** r,
/data/conf/* r,
/data/disk/*/distro/** r,
/data/disk/*/platforms/** r,
/data/disk/*/static/** r,
/home/*/ r,
/home/*/** r,
# Allow reading filesystems information
@{PROC}/[0-9]*/status r,
@{PROC}/filesystems r,
# Deny access to sensitive files and directories
deny /etc/shadow* rwlx,
deny /etc/passwd* rwlx,
deny /root/** rwklx,
# Catchall to deny everything else
#deny /** rwklx,
# Site-specific additions and overrides can be added below
}
================================================
FILE: aegir/conf/apparmor/usr.sbin.mysqld
================================================
# AppArmor profile for MySQLd server
# This profile restricts MySQLd server (mysqld) to essential operations only.
#include
/usr/sbin/mysqld flags=(complain) {
# Include common AppArmor abstractions
include
include
include
# Capabilities needed by MySQLd server
capability dac_override,
capability dac_read_search,
capability sys_resource,
capability setgid,
capability setuid,
capability sys_nice,
network inet stream,
network inet6 stream,
# Allow execution of mysqld_safe
/usr/bin/mysqld_safe mrix,
# Allow execution of the mysql binary
/usr/bin/mysql mrix,
# Allow execution of the mysqld binary
/usr/sbin/mysqld mrix,
# Allow execution of necessary utilities
/bin/** mrix,
/usr/bin/** mrix,
/usr/sbin/** mrix,
# Allow reading necessary directories
/bin/ r,
/usr/bin/ r,
/usr/sbin/ r,
# Allow MySQL to read its configuration files
/etc/mysql/** r,
/etc/mysql/conf.d/** r,
/etc/mysql/mysql.conf.d/** r,
# Allow MySQL to access its data directory
/var/lib/mysql/ rwk,
/var/lib/mysql/** rwk,
# Allow MySQL to access its run directory
/run/mysqld/ r,
/run/mysqld/** rw,
# Allow MySQL to write to its log files
/var/log/mysql/ r,
/var/log/mysql/** rw,
# Allow MySQL to access its tmp directories
/tmp/ r,
/tmp/** rw,
/var/tmp/** rw,
# Allow MySQL to read system libraries
/lib/** mr,
/lib/x86_64-linux-gnu/** mr,
/lib64/** mr,
/usr/lib/** mr,
/usr/lib/mysql/plugin/** mr,
/usr/lib/x86_64-linux-gnu/** mr,
/usr/local/lib/** mr,
/usr/local/ssl/** mr,
/usr/local/ssl3/** mr,
/usr/share/mysql/** r,
/usr/share/zoneinfo/** r,
# Allow MySQL to access /proc and /sys for necessary information
/proc/** r,
/sys/** r,
# Allow MySQL to use /dev/shm for temporary storage
/dev/shm/** rw,
/dev/shm/ r,
# Allow MySQL to read network-related configurations
/etc/hosts.allow r,
/etc/hosts.deny r,
/etc/services r,
# Disallow execution of binaries from /tmp and /var/tmp
deny /tmp/** m,
deny /var/tmp/** m,
# Deny access to various sensitive directories
deny /boot/** mrwklx,
deny /root/** mrwklx,
# Catchall to deny everything else
#deny /** rwklx,
# Site-specific additions and overrides can be added below
}
================================================
FILE: aegir/conf/apparmor/usr.sbin.nginx
================================================
# AppArmor profile for Nginx server
# This profile restricts Nginx server (nginx) to essential operations only.
#include
/usr/sbin/nginx flags=(complain) {
# Include common AppArmor abstractions
include
include
include